TTLV Nguyen Anh Dung

HC VIN CNG NGH BU CHNH VIN THNG ---------------------------------------

Nguyn Anh Dng

NGHIN CU V CC BIN PHP IU KHIN TRUY CP V NG DNG

Chuyn ngnh: Truyn d liu v mng my tnh M s: 60.48.15

TM TT LUN VN THC S

H NI - 2013

Lun vn c hon thnh ti:

HC VIN CNG NGH BU CHNH VIN THNG

Ngi hng dn khoa hc: TS. Hong Xun Du

Phn bin 1:

Phn bin 2: ..

Lun vn s c bo v trc Hi ng chm lun vn thc s ti Hc vin Cng ngh Bu chnh Vin thng

Vo lc: ....... gi ....... ngy ....... thng ....... .. nm ...............

C th tm hiu lun vn ti:

- Th vin ca Hc vin Cng ngh Bu chnh Vin thng

H NI - 2013

1

Mc lc Mc lc ................................................................................................................................... 1

M U ................................................................................................................................. 4

Chng 1- TNG QUAN V IU KHIN TRUY CP ................................................... 6 1.1. Gii thiu v iu khin truy cp ................................................................................. 6

1.1.1. Khi nim v truy cp v iu khin truy cp ..................................................... 6

1.1.2. Cc thnh phn c bn ca iu khin truy cp ................................................... 6

1.1.3. Tin trnh iu khin truy cp .............................................................................. 7

1.2. Cc kiu xc thc ......................................................................................................... 8

1.3. Cc nguy c v cc im yu ca iu khin truy cp ................................................ 8

1.3.1. Cc nguy c (threats) ............................................................................................ 8 1.3.2. Cc im yu ......................................................................................................... 9

1.3.3. nh gi nh hng ca cc nguy c v im yu i vi iu khin truy cp .. 9

1.4. Mt s ng tiu biu ca iu khin truy cp .............................................................. 9

1.4.1. Kerberos .............................................................................................................. 10

1.4.2. ng nhp mt ln .............................................................................................. 10

1.4.3. Tng la ............................................................................................................ 10

1.5. Kt chng ................................................................................................................. 10

Chng 2 - CC BIN PHP IU KHIN TRUY CP THNG DNG ..................... 11 2.1. iu khin truy cp ty quyn (DAC - Discretionary Access Control) .................... 11

2.1.1. Cc kh nng (Capabilites) ................................................................................. 11 2.1.2. Cc h s (Profiles): ........................................................................................... 12 2.1.3. Access control lists (ACLs) ................................................................................ 12 2.1.4. Cc bit bo v (Protection bits) ........................................................................... 12 2.1.5. Mt khu ............................................................................................................. 12

2

2.2. iu khin truy cp bt buc (MAC Mandatory access control) ........................... 13 2.2.1. M hnh Bell-LaPadula ...................................................................................... 13

2.2.2. M hnh Biba ...................................................................................................... 13

2.3. M hnh iu khin truy cp trn c s vai tr (RBAC Role-based Access Control) ........................................................................................................................................... 14

2.3.1 Nn tng v ng lc ........................................................................................ 14

2.3.2. Cc vai tr v cc khi nim lin quan ............................................................... 15

2.3.3. Cc m hnh tham chiu ..................................................................................... 15

2.3.4. M hnh c s ..................................................................................................... 15

2.3.5. Role c cp bc ................................................................................................... 16

2.3.6. Cc rng buc ..................................................................................................... 16

2.3.7. M hnh hp nht ................................................................................................ 16

2.3.8. Cc m hnh qun l ........................................................................................... 17 2.4 iu khin truy cp da trn lut (Rule BAC Rule Based Access Control) ............ 17 2.5. Kt chng ................................................................................................................. 17

Chng 3 - PHN TCH C CH IU KHIN TRUY CP TRONG CC H IU HNH WINDOWS V LINUX .......................................................................................... 18

3.1. iu khin truy cp trong Windows .......................................................................... 18

3.1.1. Qun tr vin min (Domain Administrator) ...................................................... 18 3.1.2. Siu qun tr vin (Super Administrator) ............................................................ 18

3.2. iu khin truy cp trong UNIX/Linux: .................................................................... 19

3.2.1. Cc quyn trong UNIX/Linux ............................................................................ 19

3.2.2. H thng pht hin xm nhp Linux (Linux Intrusion Detection System - LIDS) ....................................................................................................................................... 19

3.2.3. Quyn root........................................................................................................... 20 3.2.4. Dch v thng tin mng NIS v NIS1 ................................................................. 20

3.2.5. H tr MAC v RBAC trong Unix/Linux .......................................................... 20

3

3.3. Kt chng ................................................................................................................. 20

Chng 4 XUT CC GII PHP M BO AN NINH, AN TON DA TRN IU KHIN TRUY CP ................................................................................................... 21

4.1. Cc chnh sch qun tr ngi dng an ton .............................................................. 21

4.2. Mt s bin php m bo an ninh, an ton da trn iu khin truy cp cho cc ng dng v cc dch v ........................................................................................................... 21

4.3. Kt chng ................................................................................................................. 22

KT LUN ........................................................................................................................... 23

DANH MC TI LIU THAM KHO .............................................................................. 24

4

M U Vi s pht trin mnh m ca Internet v mng web ton cu, cc ng dng v dch v trn nn mng Internet ngy cng phong ph. i km vi cc ng dng v dch v hu ch cho ngi dng l cc phn mm c hi v cc hnh ng tn cng, t nhp vo cc h thng my tnh v mng, nhm chim quyn kim sot cc h thng ny, hoc nh cp

cc d liu c gi tr. V th, vn m bo an ninh, an ton cho cc h thng my tnh v mng, an ton d liu tr nn rt cp thit. Nhiu gii php m bo an ninh, an ton c nghin cu, trin khai nh cc bin php iu khin truy cp, r qut pht hin phn mm c hi, pht hin tn cng, t nhp v m ha d liu. Cc gii php m bo an ninh, an ton thng c s dng kt hp vi nhau to thnh mt h thng an ninh c nhiu lp c kh nng gim thiu cc nguy c mt an ton cho h thng.

iu khin truy cp (Access Control) l k thut cho php kim sot vic truy nhp n mt ti nguyn tnh ton cho mt ngi dng hoc mt nhm ngi dng no . iu khin truy cp thng c s dng nh lp phng v th nht, nhm ngn chn cc cc phn mm c hi v cc hnh ng tn cng, t nhp vo cc h thng my tnh v mng,

hoc truy cp tri php vo d liu v cc ti nguyn tnh ton. Lp phng v da trn iu khin truy cp rt quan trng v n c th gip ngn chn a s cc tn cng, t nhp

thng thng. Trong iu kin h tng mng cng nh nhn lc qun tr h thng ca cc

c quan, t chc Vit Nam hin nay cn hn ch, vic nghin cu su v iu khin truy

cp tm gii php ng dng ph hp l thc s cn thit. Lun vn "Nghin cu cc bin php iu khin truy cp v ng dng" c a ra vi mc ch nghin cu su v cc bin php iu khin truy cp v ng dng phn tch h thng iu khin truy cp ca cc h iu hnh ph bin l Windows v Linux. Hn na, lun vn cng xut mt s bin php m bo an ninh, an ton da trn iu khin truy cp cho h iu hnh v cc ng dng. Lun vn gm 4 chng vi ni dung nh sau: Chng 1- Tng quan v iu khin truy cp gii thiu khi qut v iu khin truy cp, cc k thut thc hin iu khin truy cp v gii thiu mt s ng dng thc t ca iu khin truy cp.

Chng 2- Cc bin php iu khin truy cp thng dng i su phn tch 4 c ch iu khin truy cp ph bin l iu khin truy cp ty quyn (DAC), iu khin truy cp bt

5

buc (MAC), iu khin truy cp da trn vai tr (Role-Based AC) v iu khin truy cp da trn lut (Rule-Based AC). Chng 3- Phn tch c ch iu khin truy cp ca cc h iu hnh h Windows v Unix/Linux i su phn tch cc bin php iu khin truy cp c ng dng trong cc h iu hnh ny.

Chng 4- xut cc gii php m bo an ninh, an ton da trn iu khin truy cp, trong cp cc bin php m bo an ton mc h iu hnh, mc ngi dng v mc ng dng.

6

Chng 1- TNG QUAN V IU KHIN TRUY CP

1.1. Gii thiu v iu khin truy cp 1.1.1. Khi nim v truy cp v iu khin truy cp Truy cp (access) l kh nng tng tc gia ch th (subject) v i tng (object). iu khin truy nhp l qu trnh m trong ngi dng c nhn dng v trao quyn truy nhp n cc thng tin, cc h thng v ti nguyn. iu khin truy cp to nn kh

nng cho chng ta c th cp php hoc t chi mt ch th - mt thc th ch ng, chng

hn nh mt ngi hay mt quy trnh no - s dng mt i tng - mt thc th th ng, chng hn nh mt h thng, mt tp tin - no trong h thng.

C ba khi nim c bn trong mi ng cnh iu khin truy cp, bao gm:

Chnh sch (policy): L cc lut do b phn qun tr ti nguyn ra. Ch th (subject): C th l ngi s dng, mng, cc tin trnh hay cc ng dng

yu cu c truy cp vo ti nguyn.

i tng (object): L cc ti nguyn m ch th c php truy cp. 1.1.2. Cc thnh phn c bn ca iu khin truy cp 1.1.2.1. Cc h thng iu khin truy cp (Access control systems) Mt h thng iu khin truy cp hon chnh bao gm 3 thnh phn:

Cc chnh sch (Policies): Cc lut c a ra bi b phn qun l ti nguyn quy nh phng thc truy cp vo ti nguyn.

Cc th tc (Procedures) Cc bin php phi k thut c s dng thc thi cc chnh sch.

Cc cng c (Tools) Cc bin php k thut c s dng thc thi cc chnh sch.

1.1.2.2.Cc ch th iu khin truy cp (Access control subjects) Cc ch th (subject) trong ng cnh iu khin truy cp l mt c nhn hoc mt ng dng ang yu cu truy xut vo mt ti nguyn nh mng, h thng file hoc my in. C 3 loi ch th:

xc thc : L nhng ngi c s y quyn hp php c php truy cp vo ti

nguyn.

7

Cha xc thc: L nhng ngi cha c s y quyn hp php hoc khng c quyn

truy cp vo ti nguyn.

Cha bit (Unknown) : Nhng ngi cha r, khng xc nh v quyn hn truy cp. 1.1.2.3. Cc i tng iu khin truy cp (Access control objects) Ba danh mc chnh ca i tng cn c bo v bng iu khin truy cp:

Thng tin: L tt c d liu.

Cng ngh: L cc ng dng, h thng v mng.

a im vt l: Nh cc ta nh, vn phng... Thng tin l d liu ph bin nht trong cc chnh sch iu khin truy cp ca cng ngh thng tin. C th t mt khu cho cc ng dng v c s d liu hn ch vic truy cp. Cc i tng cng ngh cng quan trng bi v khi c th truy nhp vo cc i tng cng ngh th cng c kh nng truy nhp vo cc thng tin.

1.1.3. Tin trnh iu khin truy cp Ba bc thc hin iu khin truy cp:

Nhn dng (Identification): X l nhn dng mt ch th khi truy cp vo h thng. Xc thc (Authentication): Chng thc nhn dng ch th . Trao quyn (Authorization): Gn quyn c php hoc khng c php truy cp

vo i tng.

1.1.3.1. Nhn dng (Identification) Nhn dng l phng php ngi dng bo cho h thng bit h l ai (chng hn nh bng cch s dng tn ngi dng). B phn nhn dng ngi dng ca mt h thng iu khin truy cp thng l mt c ch tng i n gin.

1.1.3.2. Xc thc (Authentication) Xc thc l mt quy trnh xc minh nhn dng ca mt ngi dng - chng hn bng cch so snh mt khu m ngi dng ng nhp vi mt khu c lu tr trong h thng i vi mt tn ngi dng cho trc no . C nhiu phng php xc thc mt ch th. Mt s phng php xc thc c s dng ph bin:

Mt khu.

Token.

Kha chia s b mt (shared secret).

8

1.1.3.3. Trao quyn (Authorization) Khi mt subject c nhn dng v xc thc c php truy cp vo h thng, h thng iu khin truy cp phi xc nh subject ny c cp quyn hn g khi truy cp vo ti nguyn c yu cu. Trao quyn cp cc quyn ph hp theo nh ngha

t trc ca h thng cho subject truy nhp vo object. 1.2. Cc kiu xc thc C ba kiu xc thc cc ch th c s dng ph bin nht:

Xc thc da trn ci ngi s dng bit (something you know). Xc thc da trn nhng th ngi s dng c (something you have). Xc thc da trn nhng th ngi s dng s hu bm sinh (something you are). Xc thc da trn ci ngi s dng bit nh mt khu (password), mt ng (pass

phrase) hoc m s nh danh c nhn (PIN) 1.3. Cc nguy c v cc im yu ca iu khin truy cp 1.3.1. Cc nguy c (threats) C ba nguy c chnh i vi bt k h thng iu khin truy cp:

Ph mt khu (password cracking). Chim quyn iu khin (heightened access). Social engineering.

1.3.1.1. Ph mt khu (Password Cracking) Ngi qun tr h thng s thit lp cc lut cho mt khu m bo ngi s dng

to mt khu an ton nht. K tn cng c th s dng kt hp k thut tn cng Brute force v cc thut ton tinh vi ph mt khu, truy cp vo h thng mt cch bt hp php. Cc chnh sch m bo mt khu t kh trnh b ph bao gm: mt khu phi ti thiu 8 k t bao gm ch ci hoa, ch ci thng, s v k t c bit. Bn cnh thc ngi s dng cng cn c nng cao nh nh k nn thay i mt khu, t mt khu phi t kh nhng d nh...

1.3.1.2. Chim quyn iu khin (Heightened Access) K tn cng c th khai thc cc im yu trn h iu hnh, dng cng c ph mt khu ca ngi dng v ng nhp vo h thng tri php, sau s tip theo tm cch nng quyn truy cp mc cao hn. C hi l cc thng tin c gi tr trn h thng ( nh

9

cc d liu nhy cm) c bo v bi vic phn quyn cho nhm v file khng cho php mi ngi s dng c th c v vit chng.

1.3.1.3. Social Engineering Social engineering s dng s nh hng v s thuyt phc nh la ngi dng nhm khai thc cc thng tin c li cho cuc tn cng hoc thuyt phc nn nhn thc hin mt hnh ng no . Social engineer (ngi thc hin cng vic tn cng bng phng php social engineering) thng s dng in thoi hoc internet d d ngi dng tit l thng tin nhy cm. Bng phng php ny, Social engineer tin hnh khai thc cc thi quen t nhin ca ngi dng, hn l tm cc l hng bo mt ca h thng.

1.3.2. Cc im yu Hu ht cc h thng bo mt u c cc im yu no v cc h thng iu khin truy cp cng khng phi ngoi l. im yu chnh khi s dng mt khu trong iu khin truy cp chnh l vic s dng mt khu yu, d on, d ph. Nh tho lun phn trn, hn ch im yu ny th vic s dng mt khu cn tun theo cc chnh sch nh vic to mt khu phi t nht 8 k t tr ln trong c ch hoa, ch thng, s, d nh v kh on. Vic s dng cc thit b phn cng kt hp vi s dng mt khu nh security token v thit b sinh mt khu mt ln (OTP) cng l cc gii php hn ch im yu v mt khu ca iu khin truy cp.

1.3.3. nh gi nh hng ca cc nguy c v im yu i vi iu khin truy cp Trn c s phn tch cc nguy c v im yu ca iu khin truy cp, chng ta c

th nh cc tc ng ca chng. C hai cch nh gi: nh gi theo nh lng v theo

nh tnh.

nh gi theo nh lng l vic c lng cc chi ph phi tr khc phc hu

qu ca cc tn cng, ph hoi v khi phc d liu. nh gi theo nh tnh: nh gi ri ro v cht lng a vo ti khon phi ti

chnh ri ro i vi mt t chc.

1.4. Mt s ng tiu biu ca iu khin truy cp Mt s ng dng tiu biu ca iu khin truy cp nh:

Kerberos.

ng nhp mt ln (Single Sign On - SSO).

10

Tng la

1.4.1. Kerberos Kerberos l h xc thc da trn nguyn l m ha s dng kha mt. Trong h Kerberos, mt bn th ba c tin cy cp kha phin bn ngi dng v bn cung cp dch v c th trao i thng tin vi nhau trn mng mt cch an ton. y l mt cng ngh chn mui v c s dng rng ri, tuy cn mt s mt hn ch ang c tip tc khc phc.

1.4.2. ng nhp mt ln ng nhp mt ln (Single Sign On hay SSO) l gii php s dng mt dch v chng thc trung tm chng thc ngi dng cho rt nhiu dch v khc. V vy, ch cn mt ti khon, khch hng c th ng nhp v s dng rt nhiu dch v chy trn cc my ch v tn min khc nhau. Gii php ny c th gip doanh nghip gim thiu chi ph, tng cng an ninh v c bit l mang li s thun tin cho khch hng.

1.4.3. Tng la Thut ng Firewall c ngun gc t mt k thut thit k trong xy dng ngn chn, hn ch ho hon. Trong cng ngh mng thng tin, Firewall l mt k thut c

tch hp vo h thng mng chng s truy cp tri php nhm bo v cc ti nguyn mng ni b cng nh hn ch s xm nhp ca mt s thng tin khng mong mun. Cng c th hiu rng Firewall l mt c ch bo v mng tin tng (trusted network) khi cc mng khng tin tng (untrusted network). 1.5. Kt chng Mc ch ca iu khin truy cp l qun l s tng tc gia ch th (thng l ngi s dng) v i tng (nh d liu, mng hay thit b). S khc bit ch th v i tng th hin tnh th ng. iu khin truy cp gm 3 thnh phn chnh: nhn dng, xc thc v trao quyn. u tin c ch th v i tng cn phi c nhn dng. Th hai, thng tin nhn dng ca ch th phi c xc thc. Cui cng, ch th c xc thc c trao quyn tng tc trn i tng. Cc phng thc xc thc c th c thc

hin da trn ci ngi s dng bit, da trn nhng th ngi s dng c v da trn nhng th ngi s dng s hu bm sinh. Trong chng tip theo, lun vn s nghin cu su v cc k thut iu khin truy cp.

11

Chng 2 - CC BIN PHP IU KHIN TRUY CP THNG DNG

2.1. iu khin truy cp ty quyn (DAC - Discretionary Access Control) DAC hay cn gi l m hnh iu khin truy cp ty quyn l mt phng php

nhm hn ch truy cp cc i tng trn c s nhn dng v nhu cu cn bit ca nhiu ngi dng v/hoc ca mt nhm cc i tng trc thuc. Phng php iu khin truy cp c coi l ty quyn l v mt ch th vi mt quyn truy cp no c th chuyn

nhng quyn truy cp (trc tip hay gin tip) sang bt c mt ch th no khc trong h thng. Ni cch khc, k thut ny cho php ngi dng c ton quyn quyt nh quyn truy cp c cng nhn cho cc ti nguyn ca h, c ngha l h c th (tnh c hay c ) cp quyn truy cp cho nhng ngi dng bt hp php. Hin nay, cc h iu hnh thng h tr nm c ch c bn:

Cc kh nng (Capabilities). H s (Profiles). Danh sch iu khin truy cp (Access Control Lists ACLs). Cc bit bo v (Protection bits). Mt khu (Passwords).

2.1.1. Cc kh nng (Capabilites) Cc kh nng tng ng vi cc hng ca ma trn iu khin truy cp. Khi phng

php ny c s dng, lin kt vi mi tin trnh l mt danh sch cc i tng c

12

th c truy cp, cng vi mt du hiu ca hot ng no c cho php, ni cch khc, l min ca n. Danh sch ny c gi l mt danh sch cc kh nng hoc C-list v cc thnh phn trn c gi l nhng kh nng.

2.1.2. Cc h s (Profiles): Profiles c trin khai trn nhiu dng h thng, s dng mt danh sch bo v i tng kt hp vi tng ngi dng. Nu mt ngi dng c truy cp n nhiu i tng c bo v, profiles c th rt ln v kh qun l. Vic to, xa v thay i truy cp n i tng c bo v yu cu nhiu thao tc khi nhiu profile ca ngi dng phi c cp nht. Vic xa mt i tng c th yu cu mt vi thao tc xc nh mt ngi

dng c cc i tng trong profile ca mnh. Vi profile, tr li cu hi ai c quyn truy cp vo i tng c bo v l rt kh. Nhn chung, khng nn trin khai profiles trong h thng DAC.

2.1.3. Access control lists (ACLs) Danh sch iu khin truy cp (Access control lists ACLs) l danh sch m t vic lin kt cc quyn truy nhp ca ngi dng vi mi i tng. l mt danh sch c cha tt c cc min c th truy cp vo cc i tng. Thng thng trong cc ti liu

bo mt, ngi dng c gi l cc ch th (subject), tng ng vi nhng th h s hu, cc i tng, chng hn nh cc file. Mi tp tin c mt bn ghi ACL lin kt vi n. ACL khng thay i nu ngi dng khi ng mt tin trnh hoc 100 tin trnh. Quyn truy nhp c gn cho ch s hu, khng phi gn trc tip cho tin trnh. 2.1.4. Cc bit bo v (Protection bits) Cc bit bo v c trng ma trn iu khin truy cp theo ct. Trong c ch bit bo v trn cc h thng nh UNIX, bit bo v cho mi i tng c s dng thay v lit k danh sch ngi dng c th truy cp vo i tng. Trong UNIX cc bit bo v ch ra hoc mi ngi, nhm i tng hoc ngi s hu mi c cc quyn truy cp n i tng

c bo v. Ngi to ra i tng c gi l ch s hu (owner), ch s hu ny c th thay i bit bo v. H thng khng th cho php hay khng cho php truy cp ti mt i tng c bo v trn bt k ngi dng no.

2.1.5. Mt khu Mt khu bo v cc i tng i din cho ma trn kim sot truy cp ca hng. Nu mi ngi s dng s hu mt khu ca mnh cho tng i tng, sau mt khu l mt v cho i tng, tng t nh mt h thng kh nng. Trong hu ht cc ci t thc

13

hin bo v mt khu, ch c mt mt khu cho mi i tng hoc mt khu mi i tng cho mi ch truy cp tn ti.

2.2. iu khin truy cp bt buc (MAC Mandatory access control) Kim sot truy nhp bt buc (Mandatory Access Control - MAC) l mt chnh sch truy nhp khng do c nhn s hu ti nguyn quyt nh, m do h thng quyt nh. MAC c dng trong cc h thng a cp, l nhng h thng x l cc loi d liu nhy cm, nh cc thng tin c phn loi theo mc bo mt trong c quan chnh ph v trong qun i. Mt h thng a cp l mt h thng my tnh duy nht chu trch nhim x l nhiu cp thng tin nhy cm gia cc ch th v cc i tng trong h thng. Khi nim MAC c hnh thc ho ln u tin bi m hnh Bell v LaPadula. M hnh ny h tr MAC bng vic xc nh r cc quyn truy nhp t cc mc nhy cm kt hp vi cc ch th v i tng. M hnh ton vn Biba c a ra nm 1977 ti tng cng ty MITRE. Mt nm sau khi m hnh Bell-LaPadula c a ra. Cc ng lc chnh cho vic to m hnh ny l s bt lc ca m hnh Bell-LaPadula i ph vi tnh ton vn ca d liu.

2.2.1. M hnh Bell-LaPadula M hnh Bell-La Padula l m hnh bo mt a cp c s dng rng ri nht. M hnh ny c thit k x l an ninh qun s, nhng n cng c th p dng cho cc t chc khc. Mt tin trnh chy nhn danh mt ngi s dng c c mc bo mt ca ngi dng . V c nhiu mc bo mt, m hnh ny c gi l mt h thng a bo mt. M hnh Bell-La Padula c nhng quy nh v thng tin c th lu thng:

Ti nguyn bo mt n gin: Mt tin trnh ang chy mc bo mt k c th c cc i tng ch cng mc hoc thp hn.

Ti nguyn *: Mt tin trnh ang chy mc bo mt k ch c th ghi cc i tng cng cp hoc cao hn.

2.2.2. M hnh Biba M hnh ton vn Biba c a ra nm 1977 ti tng cng ty MITRE. Mt nm sau khi m hnh Bell-LaPadula c a ra. Cc ng lc chnh cho vic to m hnh ny l s bt lc ca m hnh Bell-LaPadula i ph vi tnh ton vn ca d liu. M hnh ny ch trng vo tnh ton vn, da trn 2 quy tc:

14

i tng khng c xem cc ni dung mc an ninh ton vn thp hn (no read-down).

i tng khng c to/ghi cc ni dung mc an ninh ton vn cao hn (no write-up).

Vn vi m hnh Padula Bell-La l n c a ra gi b mt, khng m bo tnh ton vn ca d liu. m bo tnh ton vn ca d liu, cc nguyn tc sau c p dng:

Nguyn tc ton vn n gin: Mt tin trnh ang chy mc bo mt k c th ch c th ghi ln cc i tng cng mc hoc thp hn (khng vit ln mc cao hn).

Tnh ton vn ti nguyn: Mt tin trnh ang chy mc bo mt k ch th c cc i tng cng mc hoc cao hn (khng c xung mc thp hn).

2.3. M hnh iu khin truy cp trn c s vai tr (RBAC Role-based Access Control) Khi nim iu khin truy cp da trn vai tr (Role-Based Access Control) bt u vi h thng a ngi s dng v a ng dng trc tuyn c a ra ln u vo nhng nm 70. tng trng tm ca RBAC l permission (quyn hn) c kt hp vi role (vai tr) v user (ngi s dng) c phn chia da theo cc role thch hp.

iu ny lm n gin phn ln vic qun l nhng permission. To ra cc role cho cc chc nng cng vic khc nhau trong mt t chc v user cng c phn cc role da vo trch nhim v trnh ca h. Nhng role c cp cc permission mi v cc ng

dng gn kt cht ch vi cc h thng v cc permission c hy khi cc role khi cn thit.

2.3.1 Nn tng v ng lc Vi RBAC, ngi ta c th xc nh c cc mi quan h role permission. iu

ny gip cho vic gn cho cc user ti cc role xc nh d dng. Cc permission c phn cho cc role c xu hng thay i tng i chm so vi s thay i thnh vin nhng user

cc role.

Chnh sch iu khin truy cp c th hin cc thnh t khc nhau ca RBAC

nh mi quan h role permission, mi quan h user role v mi quan h role role.

Nhng thnh t ny cng xc nh xem liu mt user c th c c php truy cp vo mt

15

mng d liu trong h thng hay khng. RBAC khng phi l gii php cho mi vn kim sot truy cp. Ngi ta cn nhng dng kim sot truy cp phc tp hn khi x l cc tnh hung m trong chui cc thao tc cn c kim sot.

2.3.2. Cc vai tr v cc khi nim lin quan Mt cu hi thng c hi l s khc nhau gia cc role v cc group l g?.

Cc nhm user nh mt n v kim sot truy cp thng c nhiu h thng kim sot

truy cp cung cp. im khc bit chnh gia hu ht cc group v khi nim role l group thng c i x nh mt tp hp nhng user ch khng phi l mt tp hp cc

permission. Mt role mt mt va l mt tp hp cc user mt khc li l mt tp hp cc

permission. Role ng vai tr trung gian kt ni hai tp hp ny li vi nhau.

2.3.3. Cc m hnh tham chiu hiu cc chiu khc nhau ca RBAC, cn xc nh 4 m hnh RBAC khi nim.

Mi quan h gia 4 m hnh ny c trnh by hnh 2.5 v cc c im c bn c minh ha hnh 2.6. RBAC0, m hnh c bn nm di cng cho thy l yu cu ti thiu cho bt k mt h thng no h tr RBAC. RBAC1 v RBAC2 u bao gm RBAC0 nhng c thm mt s nt khc vi RBAC0. Chng c gi l cc m hnh tin tin.

RBAC1 c thm khi nim cp bc role (khi cc role c th k tha permission t role khc). RBAC2 c thm nhng rng buc (t ra cc hn ch chp nhn cc dng ca cc thnh t khc nhau ca RBAC). RBAC1 v RBAC2 khng so snh c vi nhau. M hnh hp nht RBAC3 bao gm c RBAC1 v RBAC2 v c RBAC0 na.

2.3.4. M hnh c s M hnh c s RBAC0 khng phi l mt trong 3 m hnh tin tin. M hnh c 3

nhm thc th c gi l User (U), Role (R), Permission (P) v mt tp hp cc Session (S) c th hin trn hnh 2.7. User trong m hnh ny l con ngi. Khi nim user s c khi qut ha bao gm c cc tc nhn thng minh v t ch khc nh robot, my tnh c nh, thm ch l cc mng li my tnh. cho n gin, nn tp trung vo user l con ngi. Mt role l mt

chc nng cng vic hay tn cng vic trong t chc theo thm quyn v trch nhim trao

cho tng thnh vin. Mt permission l mt s cho php ca mt ch c th no truy

cp vo mt hay nhiu object trong h thng. Cc thut ng authorization (s trao quyn), access right (quyn truy cp) v privilege (quyn u tin) u ch mt permission. Cc permission lun tch cc v trao cho ngi c permission kh nng thc hin mt vi cng

16

vic trong h thng. Cc object l cc s liu object cng nh l cc ngun object c th hin bng s liu trong h thng my tnh. M hnh chp nhn mt lot cc cch din gii khc nhau cho cc permission.

2.3.5. Role c cp bc M hnh RBAC1 gii thiu role c th bc (Role Hierarchies - RH). Role c th bc cng c ci t trong h thng tng t nh cc role khng th bc. Role c th bc c mt ng ngha t nhin cho cc role c cu trc phn nh mt t chc ca cc

permission v trch nhim. Trong mt s h thng hiu qu ca cc role ring t t c

bi khi bn trn tha k ca cc permission. Trong mt s trng hp ca h thng th bc khng m t s phn phi ca permission chnh xc. iu ny thch hp gii thiu cc role ring t v gi ng ngha ca h thng th bc lin quan xung quanh nhng role khng thay i.

2.3.6. Cc rng buc Cc rng buc l mt thnh phn quan trng ca RBAC v c cho l c tc dng thc y s pht trin ca RBAC. Cc rng buc trong RBAC c th c p dng cho cc quan h gia UA, PA, user v cc chc nng ca role trong vi cc session khc nhau. Cc

rng buc c p dng ti cc quan h v cc chc nng, s tr v mt gi tr c th chp nhn c hay khng th chp nhn c. Cc rng buc c th c xem nh cc cu trong mt vi ngn ng chnh thc thch hp.

2.3.7. M hnh hp nht RBAC3 l s kt hp ca RBAC1 v RBAC2 cung cp c hai h thng th bc role v cc rng buc. C mt s vn xy ra khi kt hp hai mn hnh trong mt h thng thng nht. Cc rng buc c th c p dng cho cc h thng role c th bc. H thng role th bc c yu cu tch nh ra tng phn. Cc rng buc l ct li ca m hnh RBAC3. Vic thm cc rng buc c th gii hn s cc role ca ngi cp cao (hay ngi cp thp) c th c. Hai hay nhiu role c th c rng buc khng c s ph bin role ca ngi cp cao (hay ngi cp thp). Cc loi rng buc ny l hu ch trong hon cnh m vic xc thc thay i h thng role c th bc c chuyn giao, nhng trng security officer chuyn ton b cc loi trong thay i c thc hin.

17

2.3.8. Cc m hnh qun l Cc rng buc c p dng ti tt c cc thnh phn. Cc role qun l AR v cc quyn qun l AP c tch bit ra gia cc role thng thng R v cc permission P. M hnh hin th cc permission c th c gn ti cc role v cc permission qun l c th ch c gn ti cc role qun l. iu ny gn lin cc rng buc. 2.4 iu khin truy cp da trn lut (Rule BAC Rule Based Access Control) Kim sot truy nhp da trn lut cho php ngi dng truy nhp vo h thng vo thng tin da trn cc lut (rules) c nh ngha trc. Firewalls/Proxies l v d in hnh v kim sot truy nhp da trn lut:

Da trn a ch IP ngun v ch ca cc gi tin.

Da trn phn m rng cc files lc cc m c hi.

Da trn IP hoc cc tn min lc/chn cc website b cm.

Da trn tp cc t kho lc cc ni dung b cm.

2.5. Kt chng Chng 2 gii thiu chi tt cc k thut iu khin truy cp chnh c p dng trong cc h thng thng tin hin nay. DAC cho php kim sot truy cp thc hin c i

vi object da trn c s cho php hoc t chi hoc c hai do mt user ring bit, thng do ngi s hu object quyt nh. MAC cho php vic kim sot truy cp da vo nhn bo mt gi km ti cc user (chnh xc hn l ch th) v object. RBAC kim sot truy cp n cc object thng qua cc role ca ngi dng trong h thng. RBAC c th c xem nh mt thnh t kim sot truy cp c lp, cng tn ti vi MAC v DAC khi thch hp. Trong trng hp ny vic truy cp s c php nu RBAC, MAC v DAC cng cho

php. Rule-BAC cho php vic kim sot truy cp da vo cc lut c nh ngha bi ngi qun tr. Ty vo tng hon cnh c th ca h thng thng tin p dng cc k thut ny vo nng cao tnh bo mt ca h thng.

18

Chng 3 - PHN TCH C CH IU KHIN TRUY CP TRONG CC H IU HNH WINDOWS V LINUX

3.1. iu khin truy cp trong Windows H iu hnh Microsoft Windows thc hin cc c ch iu khin truy cp rt chi tit. Trong vic qun tr h thng, cc qun tr vin thng lm vic vi ngi dng, nhm v cc i tng. Cc quyn c bn trong Windows:

Full control (Ton quyn): Cho php thay i quyn, ch s hu v xa th mc con, file.

Modify (Sa): C quyn sa cha nh to, xo, sa folder. Read & Execute (c v thc thi): Quyn c (bo hm c vic gi cc phng

thc, cc file ng dng chy ngm).List Folder Contents (Lit k ni dung th mc): Cho php xem tn file v subdomain trong th mc.

Read (c): Cho php xem cc file v th mc con trong mt th mc, ch s hu th mc, quyn v cc thuc tnh.

Write (Ghi): Cho php to file v th mc con mi trong th mc. Thay i cc thuc tnh ca th mc. Xem c ch s hu, quyn ca th mc. Ghi c file,

thay i thuc tnh file v xem c ch s hu, quyn ca file.

Quyn ca ngi s dng trn bt k i tng no c da trn tt c cc quyn tha k v quyn cng khai hoc c th b t chi bi tt c cc OU m n l thnh vin.

3.1.1. Qun tr vin min (Domain Administrator) Mi qun tr vin min trong Windows u l mt thnh vin ca nhm qun tr vin min c bit. Thnh vin ca nhm ny c ton quyn kim sot tt c cc my tnh trong min, bao gm bt k file hoc th mc m h khng ch nh t chi truy cp. Thnh vin ca nhm ny c kh nng phn cng v thay i ACL ca ngi s dng, files, v th mc trn tt c cc h thng trong min.

3.1.2. Siu qun tr vin (Super Administrator) Super Administrator c thit lp sn trong ti khon "b mt" Windows Vista v Windows 7. y l ti khon qun tr cc b c ci t c lp trong Windows v mc nh b v hiu ha. Ti khon ny c ton quyn trn h thng cc b, c th ot quyn

19

s hu ca tt c cc i tng. Thng th n khng cn thit, tuy nhin ngi s dng c th kch hot ti khon ny bi n c rt nhiu cc ng dng.

3.2. iu khin truy cp trong UNIX/Linux: Mc nh, h thng da trn UNIX bao gm UNIX v Linux, c 1 h thng cp quyn theo ma trn kim sot truy cp (ACL) c n gin ha. C ba quyn v ba lp m cc quyn c th c gn.

Cc quyn trong mi trng UNIX gm:

Read (c): Cung cp cho ngi dng hoc nhm kh nng c mt tp tin. Nu quyn l vo mt th mc, bn yu cu c th c danh sch cc file trong th mc .

Write (Ghi): Cp cho ngi yu cu kh nng sa i mt tp tin. Nu quyn c t vo mt th mc, ngi yu cu c th to, i tn, hoc loi b cc tp tin trong th mc.

Excute (Thc thi): cp quyn chy mt file. iu ny cho php ngi yu cu chy mt nh phn hoc file script.

C ba lp ngi s dng sau y: ch s hu (owner), nhm (group), v cc thnh phn khc (other). Lp group cp n file hoc th mc m trong chng l thnh vin. Mi mt trong cc lp ny c th c bt k, tt c, hoc khng c ng dng no. Nu khng c s cho php c thit lp, h thng s t chi truy cp vo file.

3.2.1. Cc quyn trong UNIX/Linux C hai cch chun cho php truy cp file trong UNIX c vit di dng: biu tng k t hoc k hiu bt phn. Biu tng k t ch n gin l danh sch cc quyn truy cp bng ch ci u tin ca quyn. Th t cc lp c lit k l lun lun ging nhau, u tin l owner , tip theo l group, v sau l other. Trnh t, trong mi b ba k t (c tnh) cng phi chun, c (read) trc, sau vit (write ), v tip theo l chy (excute).. 3.2.2. H thng pht hin xm nhp Linux (Linux Intrusion Detection System - LIDS) LIDS l mt bn v li nhn h iu hnh nhm mc ch lm cho Linux tr ln an ton hn bng cch hn ch quyn ca user gc (root), thm chc nng pht hin xm nhp v ci thin ACL. gip pht hin xm nhp, LIDS b sung thm mt my d qut cng

20

Linux. iu ny cho php cc qun tr vin xem hot ng trn h thng, cnh bo v cc hot ng bt thng.

3.2.3. Quyn root Root l user c bit trong Unix/Linux, cng c bit n nh superuser. User ny tng t nh user administrator trong Windows. Root c y cc quyn ca h thng. N c th thay i quyn cc file v chy mi tin trnh. Do , khng phi l mt kin hay khi thc thi cc tin trnh di quyn root.

3.2.4. Dch v thng tin mng NIS v NIS1 NIS cp cho UNIX mt mng li kho lu tr thng tin cu hnh nh ngi s dng v mt khu, groups, tn my ch lu tr, e-mail b danh v cu hnh thng tin khc da trn vn bn. C bn loi quyn NIS v i tng ACL :

Read - Kh nng c ni dung.

Modify Kh nng sa i ni dung.

Create - Kh nng to ra cc i tng mi trong bng th mc NIS1.

Destroy Kh nng hy i tng trong cc bng

3.2.5. H tr MAC v RBAC trong Unix/Linux SELinux l mt cng ngh tng cng an ninh cho nhn Linux. Cc bn Linux trc 2.6 ch dng phng php qun l truy cp ty quyn (DAC). SELinux thng qua c ch m un an ninh ( Linux Security Modules LSM) b sung thm hai phng php qun l truy cp MAC v RBAC vo nhn Linux. SELinux tuy tt v mt an ninh nhng phc tp,

kh s dng. AppArmor l b phn mm c xem l mt gii php thay th thn thin, d s dng hn

3.3. Kt chng Chng 3 i su phn tch cc c ch kim sot truy nhp c thc hin trn hai h iu hnh ph bin l Microsoft Windows v Unix/Linux. Trong Windows, cc k thut DAC v RBAC c s dng ph bin v cc quyn c th c cp mc c bn hoc chi tit mc nng cao. Trong cc h iu hnh thuc h Unix/Linux, DAC c s dng ph bin nht thng qua ACL vi cc tnh nng c bn. Vic h tr MAC v RBAC trong Unix/Linux ch yu c thc hin thng qua cc gi dch v m bo an ninh b sung.

21

Chng 4 XUT CC GII PHP M BO AN NINH, AN TON DA TRN IU KHIN TRUY CP

4.1. Cc chnh sch qun tr ngi dng an ton Nhng yu t di y l cc yu cu m bo an ton trong to v qun l ti khon sao cho an ton:

Ti khon phi c bo v bng mt khu phc hp ( di mt khu, kh mt khu).

Ch s hu ti khon ch c cung cp quyn hn truy cp thng tin v dch v cn thit (khng thiu quyn hn m cng khng th tha).

M ha ti khon trong giao dch trn mng (k c giao dch trong mng ni b). Lu tr ti khon an ton (nht nh c s d liu lu gi tai khon phi c t

trn nhng h thng an ton v c m ha). Nhng ngi to v qun l ti khon (c bit l nhng ti khon h thng v ti

khon vn hnh, kim sot cc dch v) cho ton b t chc l nhng ngi c xem l tin cy tuyt i.

nh ch hot ng nhng ti khon tm thi cha s dng, xa nhng ti khon khng cn s dng.

Trnh vic dng chung mt khu cho nhiu ti khon.

Kha ti khon sau mt s ln ngi s dng ng nhp khng thnh cng vo h thng.

C th khng cho php mt s ti khon qun tr h thng v dch v, khng c ng nhp t xa, v nhng h thng v dch v ny rt quan trng v thng thng ch cho php c kim sot t bn trong (internal network), nu c nhu cu qun tr v h tr t xa ngi qun tr vn d dng thay i chnh sch p ng nhu cu.

4.2. Mt s bin php m bo an ninh, an ton da trn iu khin truy cp cho cc ng dng v cc dch v Cc my ch ng dng v dch v lun l nhng vng t mu m cho cc tin tc tm kim cc thng tin c gi tr hay gy ri v mt mc ch no . Him ho c th l n

cp d liu, xo, thay i ni dung cc file hay ci t phn mm cha m nguy him...

22

Di y s l mt s chnh sch c khuyn ngh m bo an ton cho cc my ch ng dng v dch v:

t cc my ch trong vng DMZ. Thit lp firewall khng cho cc kt ni ti my

ch trn ton b cc cng, ngoi tr c s dng cho cc dch v v ng dng m my ch s dng.

Loi b ton b cc dch v khng cn thit khi my ch (ch gi li nu tht cn thit). Mi dch v khng cn thit s b li dng tn cng h thng nu khng c ch bo mt tt.

Khng cho php qun tr h thng t xa, tr khi n c ng nhp theo kiu mt

khu ch s dng mt ln hay ng kt ni c m ho.

Gii hn s ngi c quyn qun tr hay truy cp mc ti cao (root). To cc log file theo di hot ng ca ngi s dng v duy tr cc log file ny

trong mi trng c m ho.

H thng iu khin log file thng thng c s dng cho bt k hot ng no. Ci t cc by macro gim st cc tn cng vo my ch. To cc macro chy lin tc hoc t ra c th kim tra tnh nguyn vn ca file passwd v cc file h thng khc. Khi cc macro kim tra mt s thay i, chng nn gi mt email ti

nh qun l h thng. 4.3. Kt chng Gii php iu khin truy cp c tm quan trng trong cc chnh sch bo mt v cn thit cho mi t chc. Chng ny a ra mt s khuyn ngh v cc chnh sch trong

vic qun l ngi dng, ti khon v c bit lu cc chnh sch m bo an ton mt khu truy nhp. Cc chnh sch, qui tc m bo an ton cho cc ng dng v dch v da trn iu khin truy cp cng c cp.

23

KT LUN iu khin truy cp l mt trong cc bin php quan trng nhm m bo an ninh, an ton cho thng tin, h thng v mng. iu khin truy cp thuc lp cc bin php ngn chn tn cng, t nhp. Lun vn i su nghin cu cc k thut cc k thut iu khin

truy cp, bao gm iu khin truy cp ty quyn (DAC), iu khin truy cp bt buc (MAC), iu khin truy cp da trn vai tr (RBAC) v iu khin truy cp da trn lut (Rule-based AC). C th, cc ng gp ca lun vn bao gm:

Nghin cu tng quan v iu khin truy cp, cc nguy c, im yu v mt s ng

dng tiu biu ca iu khin truy cp.

Nghin cu su v cc k thut cc k thut iu khin truy cp, bao gm iu khin truy cp ty quyn (DAC), iu khin truy cp bt buc (MAC), iu khin truy cp da trn vai tr (RBAC) v iu khin truy cp da trn lut (Rule-based AC).

Phn tch cc k thut iu khin truy cp c ci t trong cc h h iu hnh

ph bin l Microsoft Windows v Unix/Linux.

a ra cc khuyn ngh m bo an ninh, an ton cho ti khon, mt khu, thng tin v h thng.

Lun vn c th c nghin cu pht trin theo hng sau:

Nghin cu cc gii php m bo an ninh, an ton hiu qu cho cc ng dng da trn iu khin truy cp. Cc c ch m bo an ton trong nhiu ng dng ph bin nh cc ng dng trong k ton, ti chnh hin c nhng cn kh n gin, nh ch yu da trn mt khu, khng thc s m bo an ton. Cn nghin cu pht trin cc gii php m bo an ninh, an ton hiu qu hn cho cc ng dng.

Nghin cu cc bin php iu khin truy cp cho cc h thng phn tn.

24

DANH MC TI LIU THAM KHO [1] Messaoud Benantar (2000). Access Control System: Security, Identity, Management and TrustModels. IBMCorp, Austin, Texas,USA. [2] Bill Ballad; Tricia Ballad; Erin Banks (2010). Access Control, Authentication, and Public Key Infrastructure. Jones & Bartlett Learning. [3] Sudhakar Govindavajhala, Andrew W. Appel (J31/01/2006). Windows Access Control Demystied. Princeton University, USA. [4] Jason Andress (2011). The Basics of Information Security. Syngress, USA. [5] Matej Csnyi (2006). Access control in operating. Brno, Czech Republic. [6] Prakash Kumar, Sajeev Maheshwari (2010). IT Security & Audit Policy. Department Of IT, Govt. Of NCT Of Delhi, India. [7] Luis Franco, Tony Sahama, Peter Croll (2007). Security Enhanced Linux to Enforce Mandatory Access Control in Health Information Systems. Faculty of Information Technology, Queensland University of Technology, Australia. [8] Beata Sarna-Starosta, Scott D. Stoller (2004). Policy Analysis for Security-Enhanced Linux. Queensland University of Technology, Australia. [9] Qamar Munawer (2000), Administrative models for role-based access control, George MasonUniversity, Virginia, The United States of America. [10] Huiying Li, Xiang Zhang, Honghan Wu, Yuzhong Qu (2007), Design and Application of Rule Based Access Control, Department of Computer Science and Engineering, Southeast University, Nanjing 210096, P.R.China. [11] Mark A. Sherer (2008), Rule Based Access Control for Granular Security in Databases, CPSC6126 Information Systems Assurance, Columbus State University, Columbus, GA USA.

Documents

TTLV Nguyen Anh Dung