Tổng quan về IPSEC


IPSec is a framework of open standards for encrypting TCP/IP traffic in a network environment. IPSec works by encrypting the information carried in data packets through encapsulation. This provides network-level data integrity, data confidentiality, data origin authentication and replay protection. The basic functions of IPSec are:

- Authentication: protects private networks and the private data they carry. IPSec protects private data from man-in-the-middle attacks, from spoofing attacks aimed at gaining access to the network, and from attackers modifying the contents of packets.
- Encryption: hides the real contents of data packets so that parties who are not entitled to them cannot understand them.

IPSec can also be used to provide packet filtering. It can authenticate traffic between two hosts and encrypt traffic between hosts. IPSec can be used to build virtual private networks (VPNs), and to enable communication between remote offices and remote-access clients over the Internet.

IPSec operates at the network level to provide end-to-end encryption. Essentially this means the data is encrypted on the source computer that sends it. All intermediate systems treat the encrypted parts of the packets as payload. Intermediate systems such as routers simply forward the packet towards its final destination; they do not decrypt the encrypted data. The encrypted data is only decrypted once it reaches its destination.

IPSec interfaces with the TCP/UDP transport layer and the Internet layer, and is applied to applications with ease. IPSec is also very easy for users to use. Essentially this means IPSec can provide security for most of the protocols in the TCP/IP protocol suite. As far as applications go, every application that uses TCP/IP can use IPSec's security functions; you do not need to configure security for each individual TCP/IP-based application. Using rules and filters, IPSec can receive network traffic, select the security protocols to apply, determine which algorithms to use, and apply the cryptographic keys requested by any device.

IPSec's security functions and capabilities can be used to secure private networks and keep private data confidential against:

- DoS attacks
- Data theft
- Data modification
- Theft of user credentials

In Windows Server 2003, IPSec uses the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol to provide data security for:

- Client computers
- Domain servers
- Corporate workgroups
- Local area networks (LANs)
- Wide area networks (WANs)
- Remote offices

The security functions and capabilities IPSec provides can be summarized as follows:

- Authentication: a digital signature is used to verify the identity of the sender. IPSec can use Kerberos, a preshared key, or digital certificates for authentication.
- Data integrity: a hash algorithm is used to ensure that data has not been tampered with. A checksum called a hashed message authentication code (HMAC) is computed over the packet's data. If a packet is modified in transit, the HMAC no longer matches; the receiving computer detects the change and discards the packet.
- Data confidentiality: encryption algorithms are applied so that data in transit cannot be read.
- Anti-replay: prevents an attacker from resending captured packets in an attempt to get into the private network.
- Non-repudiation: public-key digital signatures are used to prove that a message is genuine.
- Dynamic rekeying: new keys can be generated while data is being sent, so that different segments of the communication are protected with different keys.
- Key generation: the Diffie-Hellman key agreement algorithm is used so that two computers can exchange a shared encryption key.
- IP packet filtering: IPSec's packet-filtering function can be used to filter and block particular traffic flows based on any of the following, or on a combination of them:
  - IP addresses
  - Protocols
  - Ports

Several IPSec features are new in Windows Server 2003, along with improvements to IPSec features that existed in earlier Windows operating systems:

- Windows Server 2003 has a new IP Security Monitor tool, implemented as an MMC snap-in, which strengthens IPSec security management. With IP Security Monitor you can perform the following administrative tasks:
  - Customize the IP Security Monitor display
  - Manage IPSec information on the local computer
  - Manage IPSec information on remote computers
  - View IPSec statistics
  - View information about IPSec policies
  - View generic filters
  - View specific filters
  - Search for filters by IP address
- You can configure IPSec with the Netsh command-line tool, which replaces the earlier Ipsecpol.exe command-line tool.
- IPSec supports the new Resultant Set of Policy (RSoP) feature of Windows Server 2003. RSoP can be used to determine which policies will apply to a given computer or user: it sums all the policy groups applied to a computer and a user in a domain, including all filters and exceptions. You can use it through the RSoP Wizard or from the command line to see which IPSec policy is in effect.
- Integrating IPSec with Active Directory lets you manage security policies centrally.
- Kerberos 5 authentication is the default authentication method IPSec policies use to verify the identity of computers. IPSec also remains compatible with the Windows 2000 Security Framework.
- If a local policy cannot be applied to a computer, you have the option of creating a persistent policy for particular computers. Persistent policies have these characteristics:
  - They can only be configured with the Netsh command-line tool.
  - They are always in effect.
  - They cannot be overridden.
- In Windows Server 2003 IPSec deployments, only Internet Key Exchange (IKE) traffic is exempt from IPSec. Previously, Resource Reservation Protocol (RSVP) traffic, Kerberos traffic and IKE traffic were all exempt from IPSec.
- IPSec in Windows Server 2003 also supports Group 3 2048-bit Diffie-Hellman key exchange. Group 3 keys are stronger and more complex than the earlier Group 2 1024-bit Diffie-Hellman key exchange. However, if you need compatibility with Windows 2000 and Windows XP, you must use Group 2 1024-bit Diffie-Hellman key exchange.
- IPSec ESP packets can pass through Network Address Translation (NAT) using User Datagram Protocol-Encapsulating Security Payload (UDP-ESP).

Understanding IPSec terminology

This section lists the common IPSec terms and concepts:

Authentication Header (AH): this is one of the main security protocols IPSec uses. AH provides data authentication and integrity, and can therefore be used on its own when data integrity and authentication are the requirements and confidentiality is not. The reason is that AH does not provide encryption, so it cannot provide data confidentiality. AH and ESP are the main security protocols IPSec uses; they can be used separately or in combination.

Encapsulating Security Payload (ESP): this is one of the main security protocols IPSec uses. ESP provides data confidentiality through encryption, data integrity, data authentication and the other functions supported through encryption, and anti-replay services. To provide data confidentiality it uses a number of symmetric encryption algorithms.

Certificate Authorities (CAs): a CA is an entity that creates and validates digital certificates. The CA adds its own signature to the client's public key. CAs issue and revoke digital certificates.

Diffie-Hellman groups: Diffie-Hellman key agreement lets two computers create a shared secret key that is used to authenticate data and encrypt IP packets.

The Diffie-Hellman groups are:

- Group 1: provides 768-bit key strength
- Group 2: provides 1024-bit key strength
- Group 3: provides 2048-bit key strength

Internet Key Exchange (IKE): the IKE protocol is used by computers to create a security association (SA) and exchange the information needed to create Diffie-Hellman keys. IKE manages and exchanges cryptographic keys so that the computers share a common set of security settings. The negotiation covers the authentication methods and the encryption and hash algorithms the computers will use.

IPSec Driver: the IPSec driver performs a number of tasks that enable secure network communication, including:

- Creating IPSec packets
- Creating checksums
- Initiating IKE communication
- Encrypting data before it is transmitted
- Computing hashes and checksums for incoming packets

IPSec Policies: IPSec rules define when and how data is secured, and which security methods are used to secure it. IPSec policies contain the following components:

- Actions
- Rules
- Filter lists
- Filter actions

IPSec Policy Agent: a service that runs on a Windows Server 2003 computer and retrieves IPSec policy information. The IPSec Policy Agent reads IPSec policy information either from the Windows registry or from Active Directory.

Oakley key determination protocol: uses the Diffie-Hellman algorithm so that two authenticated parties can negotiate and agree on a shared secret key.

Security Association (SA): an SA is a relationship between devices that defines how they use security services and settings.

Triple Data Encryption (3DES): a strong encryption algorithm used on Windows client computers and on Windows Server 2003 computers. 3DES encrypts with 56-bit keys.

Understanding how IPSec works

A security association (SA) must first be established between two computers before data can move between them. An SA is a relationship between devices that defines how they use security services and settings; it provides the information the two computers need to communicate securely. The Internet Security Association and Key Management Protocol (ISAKMP) and the IKE protocol are the mechanisms that let two machines establish security associations. When an SA is set up between two computers, they negotiate the security settings used to protect data. A secret key is exchanged and used to let the computers communicate securely.

A security association contains:

- The negotiated policy, which states which algorithms and key lengths the two computers use to secure data
- The security keys used to secure the data communication
- The Security Parameters Index (SPI)

With IPSec, two separate SAs are established, one for each direction of data communication:

- One SA secures outbound traffic
- One SA secures inbound traffic

In addition, there is a separate SA for each IPSec security protocol. The two kinds of SA are therefore:

ISAKMP SA: when traffic flows in both directions and IPSec needs to establish a connection between the computers, an ISAKMP SA is set up. The ISAKMP SA defines and manages the security parameters between the two computers. The two computers agree on a number of items to set up the ISAKMP SA:

- Which items should be authenticated
- Which encryption algorithm to use
- Which algorithm to use to verify message integrity

Once these items have been negotiated, the computers use the Oakley protocol to agree on the ISAKMP master key. This shared master key is used together with the items above to enable secure data communication. After a secure channel has been established between the two computers, they begin negotiating the following:

- Whether the IPSec Authentication Header (AH) protocol should be used for the connection
- Which authentication protocol should be used with AH for the connection
- Whether the IPSec Encapsulating Security Payload (ESP) protocol should be used for the connection
- Which encryption algorithm should be used with ESP for the connection

IPSec SA: the IPSec SA goes with the IPSec tunnel and the IP packet, and defines the security parameters used throughout a connection. The IPSec SA is derived from the four items just negotiated between the two computers.

To secure and protect data, IPSec uses cryptography to provide the following capabilities:

Authentication: authentication handles verifying the identity of the computer sending data, or of the computer receiving it. The methods IPSec can use to authenticate the sender or receiver of data are:

- Digital certificates: provide the most secure way to authenticate identities. Certificate authorities (CAs) such as Netscape, Entrust, VeriSign and Microsoft provide certificates that can be used for authentication.
- Kerberos authentication: one limitation of the Kerberos v5 authentication protocol is that the computer's identity is not encrypted until the entire payload is encrypted for authentication.
- Pre-shared keys: should be used only when none of the authentication methods above can be used.

Non-repudiation: with non-repudiation, the sender of data cannot later deny having actually sent it.

Data integrity: data integrity ensures that the data received by the client has not been tampered with. A hashing algorithm is used to ensure that data is not changed as it crosses the network. The hash algorithms IPSec can use are:

- Message Digest (MD5): a one-way hash that produces a 128-bit hash used to check integrity
- Secure Hash Algorithm 1 (SHA1): a 160-bit secret key produces a 160-bit message digest, providing more security than MD5

Data confidentiality: IPSec ensures data confidentiality by applying encryption algorithms to data before it is sent over the network. If the data is intercepted, encryption ensures the intruder cannot interpret it. To ensure data confidentiality, IPSec can use one of the following encryption algorithms:

- Data Encryption Standard (DES): the standard encryption algorithm used in Windows Server 2003, using 56-bit encryption
- Triple DES (3DES): data is encrypted with one key, decrypted with a different key, and encrypted again with another key
- 40-bit DES: the least secure encryption algorithm

Understanding IPSec modes

IPSec can operate in one of the following modes:

Tunnel mode: IPSec tunnel mode can be used to secure WAN and VPN connections that use the Internet as an intermediate link. In tunnel mode, IPSec encrypts both the IP header and the IP payload. With tunneling, the data in the packet is encapsulated inside an additional packet, and the new packet is then sent over the network. Tunnel mode is typically used for these configurations:

- Server to server
- Server to gateway
- Gateway to gateway

The communication process when tunnel mode is the IPSec mode in use is as follows:

1. Data leaves a computer on the private network in unprotected IP packets.
2. When the packets reach the router, the router encapsulates them using the IPSec security protocols.
3. The router then forwards the packets to the router at the far end of the connection.
4. That router checks the integrity of the packets.
5. The packets are decrypted.
6. The packet data is then placed into unprotected IP packets and sent to the destination computer on the private network.

Transport mode: this is the default mode of operation used by IPSec, in which only the IP payload is encrypted, using the AH or ESP protocol. Transport mode is used for secure end-to-end communication between computers on a network.

IPSec components

Two main components are installed when IPSec is deployed:

IPSec Policy Agent: a service that runs on a Windows Server 2003 computer and retrieves IPSec policy information, either from the Windows registry or from Active Directory. The main functions the IPSec Policy Agent provides are:

- It passes the policy information to the IPSec driver.
- It reads IPSec policy information from the local Windows registry when the computer does not belong to a domain.
- It reads IPSec policy information from Active Directory when the computer is a domain member. Active Directory is scanned for IPSec policies to pick up any configuration changes.

IPSec Driver: the IPSec driver performs a number of tasks that enable secure network communication, including:

- Creating IPSec packets
- Creating checksums
- Initiating IKE communication
- Adding AH and ESP headers
- Encrypting data before it is transmitted
- Computing hashes and checksums for incoming packets

Understanding the IPSec protocols

As mentioned earlier, the main IPSec security protocols are Authentication Header (AH) and Encapsulating Security Payload (ESP). There are also other IPSec protocols, namely ISAKMP, IKE and Oakley, which use the Diffie-Hellman algorithm.

Authentication Header (AH) protocol

The AH protocol provides the following security services for data:

- Authentication
- Anti-replay
- Data integrity

AH ensures that data is not changed as it crosses the network, and that it is the same data the sender originally sent. AH does not provide data confidentiality, because it does not encrypt the data carried in IP packets. This means that if AH is used on its own, an intruder who captures the data can read it, although they cannot alter it. AH can be combined with ESP if you also need data confidentiality.

The communication process when AH is used is as follows:

1. One computer transfers data to another computer.
2. The IP header, the AH header and the data itself are signed to ensure data integrity.
3. The AH header is inserted between the IP header and the IP payload to provide authentication and integrity.

The fields in an AH header, together with the role each field plays, are listed here:

- Next Header: identifies the type of IP payload that follows this AH header, using the IP protocol ID.
- Length: indicates the length of the AH header.
- Security Parameters Index (SPI): identifies the correct security association for the communication by combining:
  - the IPSec security protocol
  - the destination IP address

- Sequence Number: provides IPSec anti-replay protection for the communication. The sequence starts at 1 and increases by 1 for each subsequent packet. Packets with the same sequence number on the same security association are discarded.
- Authentication Data: contains the integrity check value (ICV), computed by the sending computer to provide data integrity and authentication. The receiving computer computes the ICV over the IP header, the AH header and the IP payload, then compares the two ICV values.

Encapsulating Security Payload (ESP) protocol

The ESP protocol provides the following security services for data:

- Authentication
- Anti-replay
- Data integrity
- Data confidentiality

The main difference between AH and ESP is that ESP provides all the security services AH provides, plus data confidentiality through encryption. ESP can be used on its own or together with AH. In transport mode, ESP signs and protects only the IP payload; the IP header is not protected. If ESP is used together with AH, the whole packet is signed. ESP adds an ESP header and an ESP trailer, essentially bracketing the payload of the IP packet. Everything after the ESP header up to and including the ESP trailer is actually encrypted.

The fields in an ESP header, together with the role each field plays, are listed here:

- Security Parameters Index (SPI): identifies the correct security association for the communication by combining:
  - the IPSec security protocol
  - the destination IP address
- Sequence Number: provides anti-replay protection for the communication. The sequence starts at 1 and increases by 1 for each subsequent packet. Packets with the same sequence number on the same security association are discarded.

The fields in an ESP trailer, together with the role each field plays, are listed here:

- Padding: required by the encryption algorithm to bring the data to the byte boundary it expects.
- Padding Length: indicates the length, in bytes, of the padding in the Padding field.
- Next Header: identifies the type of IP payload, using the IP protocol ID.
- Authentication Data: contains the integrity check value (ICV) computed by the sending computer to provide data integrity and authentication. The receiving computer computes the ICV over the IP header, the AH header and the IP payload, then compares the two ICV values.

Understanding IPSec security filters, security methods and security policies

A security filter basically associates a security protocol with a specific network address. IPSec filters can be used to filter out traffic that does not belong to the organization.
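Before going on to filters, the AH behaviour described above can be exercised end to end. The following Python is an added example, not code from this page or from Windows: it builds an AH-protected IPv4 packet under a constructed key, verifies the ICV as HMAC-SHA1-96 with the IP header's mutable fields zeroed (the RFC 4302 rule that lets the ICV survive a router decrementing the TTL), and enforces the anti-replay rule with a sliding window of 32 sequence numbers, an assumed window size.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51   # IP protocol number of the Authentication Header
ICV_LEN = 12    # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits

def ipv4_header(src, dst, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (constructed id/checksum, no options) carrying AH."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl,
                       AH_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable_fields(ip_hdr):
    """Copy of the IPv4 header with the fields routers may change in transit
    (TOS, flags/fragment offset, TTL, checksum) zeroed, so both ends hash the same bytes."""
    h = bytearray(ip_hdr)
    h[1] = h[8] = 0
    h[6:8] = h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_icv(key, ip_hdr, ah_fixed, payload):
    """ICV over IP header + AH header (with its ICV field zeroed) + IP payload."""
    covered = zero_mutable_fields(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(key, ip_hdr, next_header, spi, seq, payload):
    """IP header | Next Header, Payload Len, Reserved, SPI, Sequence Number, ICV | payload."""
    payload_len = (12 + ICV_LEN) // 4 - 2     # AH length in 32-bit words, minus 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload

class InboundAhSa:
    """Receiver side of one SA: its key, its SPI and a sliding anti-replay window."""

    def __init__(self, spi, key, window=32):
        self.spi, self.key, self.window = spi, key, window
        self.highest = 0      # highest sequence number accepted so far
        self.seen = set()     # accepted sequence numbers still inside the window
        self.delivered = []   # (next_header, payload) pairs handed up the stack

    def receive(self, packet):
        ip_hdr, rest = packet[:20], packet[20:]
        next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:12])
        ah_len = (payload_len + 2) * 4
        icv, payload = rest[12:ah_len], rest[ah_len:]
        if spi != self.spi:
            return "wrong SA"
        if not hmac.compare_digest(icv, ah_icv(self.key, ip_hdr, rest[:12], payload)):
            return "bad ICV"      # altered in transit, or signed with another key
        if seq <= self.highest - self.window or seq in self.seen:
            return "replay"       # duplicate, or older than the window allows
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        self.delivered.append((next_hdr, payload))
        return "ok"

def run_demo():
    """Constructed exchange: two packets cross a TTL-decrementing router, then one is replayed and one is tampered with."""
    key = b"constructed-example-key"      # placeholder SA key, not a real secret
    sa = InboundAhSa(spi=0x1000, key=key)
    verdicts = []
    for seq, payload in ((1, b"first datagram"), (2, b"second datagram")):
        ip_hdr = ipv4_header("10.0.0.1", "10.0.0.2", 20 + 12 + ICV_LEN + len(payload))
        pkt = bytearray(build_ah_packet(key, ip_hdr, 17, 0x1000, seq, payload))
        pkt[8] -= 1                       # router hop: TTL changes, ICV still verifies
        verdicts.append(sa.receive(bytes(pkt)))
    verdicts.append(sa.receive(bytes(pkt)))                   # same packet again: replay
    tampered = bytes(pkt[:-1]) + bytes([pkt[-1] ^ 0x01])      # payload bit flipped in transit
    verdicts.append(sa.receive(tampered))
    return verdicts
```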
A filter contains the following information:

- Source and destination IP addresses
- The protocol in use
- Source and destination ports

Each IP address consists of a network ID portion and a host ID portion. Using security filters, you can classify traffic as:

- Traffic that is permitted to pass
- Traffic that is secured
- Traffic that is blocked

Security filters can be grouped into a filter list; there is no limit on the number of filters in a filter list. IP policies use IP filters to determine whether an IP security rule should be applied to a packet. You can use a security method to specify which IPSec policy should handle the traffic that matches an IP filter. Security methods are also related to filter actions. The filter actions are:

- Drop the traffic
- Permit the traffic
- Negotiate security

To apply security in your network, IPSec policies are used. IPSec policies define when and how data is secured, and which security method should be used when securing data at different levels of your network. You can configure IPSec policies so that different types of traffic are governed by different policies. IPSec policies can be applied at the following levels in a network:

- Active Directory domain
- Active Directory site
- Active Directory organizational unit
- Computers
- Applications

The components of an IPSec policy are listed here:

- IP filter: tells the IPSec driver which inbound and outbound traffic should be secured.
- IP filter list: groups several IP filters into a single list that identifies a particular set of network traffic.
- Filter action: specifies how the IPSec driver should secure the traffic.
- Security method: covers the type of security and the algorithms used for key exchange and authentication.
- Connection type: identifies the type of connection the IPSec policy applies to.
- Tunnel setting: the IP address or DNS name of the tunnel endpoint.
- Rule: a grouping of the following components that secures a particular set of traffic: IP filter, IP filter list, filter action, security method, connection type and tunnel setting.
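The policy structures just listed can be modelled to see how a packet ends up permitted, blocked or negotiated. This is an added Python illustration, not Windows's own policy engine: filters carry the source/destination networks, protocol and ports named above, a rule pairs a filter list with a filter action, and the policy here simply tries rules in the order given (a simplification; the subnet, server address and proposal names are constructed).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# A sample packet is a dict with "src"/"dst" (dotted IPv4), "proto" (IP protocol
# number) and, for TCP/UDP, "sport"/"dport". ANY is the wildcard for protocol/ports.
ANY = None


@dataclass(frozen=True)
class IpFilter:
    """One IP filter: source and destination networks in CIDR form (network ID +
    host ID; a /32 selects a single host), protocol and ports."""
    src: str
    dst: str
    protocol: Optional[int] = ANY
    src_port: Optional[int] = ANY
    dst_port: Optional[int] = ANY

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.protocol in (ANY, pkt["proto"])
                and self.src_port in (ANY, pkt.get("sport"))
                and self.dst_port in (ANY, pkt.get("dport")))


@dataclass(frozen=True)
class Rule:
    """A rule ties an IP filter list to a filter action; for "negotiate" the
    security method names the AH/ESP proposal to use for the matching traffic."""
    name: str
    filter_list: Tuple[IpFilter, ...]
    action: str                      # "block", "permit" or "negotiate"
    security_method: str = ""


class IpsecPolicy:
    """Simplified evaluation: rules are tried in the order given, the first rule whose
    filter list matches wins, and unmatched traffic gets the policy's default action."""

    def __init__(self, rules, default="permit"):
        self.rules, self.default = tuple(rules), default

    def decide(self, pkt):
        for rule in self.rules:
            if any(f.matches(pkt) for f in rule.filter_list):
                return rule.action, rule.name, rule.security_method
        return self.default, "<default>", ""


def example_policy():
    """Constructed policy for a 10.0.0.0/24 client subnet and a file server at
    10.0.1.5: block Telnet everywhere, negotiate ESP for anything to the server,
    let DNS through in the clear, and permit everything else."""
    return IpsecPolicy([
        Rule("Block Telnet", (IpFilter("0.0.0.0/0", "0.0.0.0/0", 6, dst_port=23),), "block"),
        Rule("Secure file server", (IpFilter("10.0.0.0/24", "10.0.1.5/32"),),
             "negotiate", "ESP 3DES/SHA1, transport mode"),
        Rule("Permit DNS", (IpFilter("0.0.0.0/0", "0.0.0.0/0", 17, dst_port=53),), "permit"),
    ])
```

Because the server rule precedes the DNS rule, DNS queries sent to the file server are negotiated rather than passed in the clear; reordering the rules changes that outcome.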

(Source: http://www.technet.com.vn)

IPSec (Internet Protocol security) is a protocol that provides techniques for protecting data so that it can be transmitted safely from one place to another. An IPSec VPN is the combination that creates a secure private network for confidential data transmission. IPSec operates at the Network layer; unlike other VPN protocols such as L2TP and PPTP, it does not depend on the Data-Link layer.

(Figure: IPSec operates at the network layer)

IPSec supports many algorithms for ensuring the integrity, consistency, confidentiality and authenticity of data transmitted over a public network infrastructure. The techniques IPSec uses provide the following four common features:

- Data confidentiality
- Data integrity
- Data origin authentication
- Anti-replay

The IPSec protocols exchange and negotiate the parameters that create a secure environment between two endpoints. IPSec uses three protocols:

- IKE (Internet Key Exchange)
- ESP (Encapsulating Security Payload)
- AH (Authentication Header)

IKE is the protocol that performs the key exchange and negotiates the security parameters between the two sides: how to encrypt, with which algorithm, and how often to exchange keys. When the exchange is complete there is a contract between the two endpoints, called the IPSec SA (Security Association). An SA is the set of security parameters that were successfully negotiated; these SA parameters are stored in the SA database. During the key exchange IKE uses symmetric encryption, but the keys are changed over time. This is a very useful property of IKE, as it limits the risk of keys being captured by attackers. IKE also uses two other protocols to authenticate the endpoints and generate keys: ISAKMP (Internet Security Association and Key Management Protocol) and Oakley.

- ISAKMP: the protocol that sets up, negotiates and manages the SA security policy.
- Oakley: the protocol responsible for key authentication; in essence it uses the Diffie-Hellman algorithm to exchange a secret key over an unsecured medium.

The IKE protocol uses UDP port 500.

IKE phases

The phases of IKE can be thought of as being similar to the TCP/IP handshake. IKE operation is divided into two main phases, Phase 1 and Phase 2, both of which serve to set up a secure channel between the two points. Besides phase 1 and phase 2 there is also an optional phase 1.5.

(Figure: the IKE phases)

IKE phase 1: this phase is mandatory. It performs authentication and negotiates the security parameters, in order to provide a secure channel between the two endpoints. The parameters agreed between the two sides are called the SA; the SA of this phase is called the ISAKMP SA or IKE SA. This phase uses one of two modes to establish the SA: Main mode and Aggressive mode. The security parameters that must be negotiated in phase 1 are:

- Encryption algorithm: DES, 3DES, AES
- Hash algorithm: MD5, SHA
- Authentication method: pre-shared key, RSA
- Diffie-Hellman key group (the Diffie-Hellman version)

Main mode uses six messages to negotiate the parameters:

- The first two messages negotiate the security policy parameters
- The next two messages exchange Diffie-Hellman keys
- The last two messages perform authentication between the devices

Aggressive mode uses three messages:

- The first message contains the security policy parameters and the Diffie-Hellman key
- The second message replies with the accepted security policy parameters and the accepted key, and authenticates the receiver
- The last message authenticates the sender

Phase 1.5: this phase is optional. Phase 1 provides authentication between the two endpoints to create a secure channel; phase 1.5 uses the Extended Authentication (Xauth) protocol. This phase is typically used in remote-access VPNs.

IKE phase 2: this phase is mandatory. By this phase the endpoints have all the parameters needed for the secure channel. The negotiation in phase 2 establishes the IPSec SA on the basis of the phase 1 parameters. Quick mode is the method used in phase 2. The parameters Quick mode negotiates in phase 2 are:

- IPSec protocol: ESP or AH
- IPSec mode: tunnel or transport
- IPSec SA lifetime: used to renegotiate the IPSec SA after a default or specified period of time
- Diffie-Hellman key exchange

The phase 2 IPSec SA is completely different from the phase 1 IKE SA: the IKE SA holds the parameters that create the secure channel, whereas the IPSec SA holds the parameters for encapsulating data with ESP or AH, in tunnel mode or transport mode.

Other IKE functions that help IKE work optimally include:

- Dead peer detection (DPD) and Cisco IOS keepalives are timer-based functions. That is, once two devices have established an IPSec VPN with each other, they regularly send each other keepalive packets to check the state of the peer. The main purpose is to detect failed devices. Keepalives are usually sent every 10 seconds.
- NAT-Traversal support: if there are NAT or PAT devices on the path from A to B, IPSec running in tunnel mode with NAT-Traversal enabled can still carry packets normally. Note: Cisco has supported NAT-T since IOS Release 12.2(13)T.

Why is NAT-T support needed for packets to keep flowing? When ESP encryption is performed, the source IP and port and the destination IP and port are all encrypted and tucked away inside the ESP packet. Once all of the IP and port information is encrypted, NAT cannot take place on the IPSec channel.

(Figure: PAT fails because layer 4 is encrypted inside the ESP packet)

For this reason NAT Traversal was introduced into IKE's operation to detect NAT and support it for IPSec. The data is no longer encapsulated directly in IP; instead it is encapsulated in UDP, so the IP and port information now sits in this UDP packet.

NAT Traversal lets encrypted packets pass through PAT devices.

(Source: http://hoangho.wordpress.com/2011/03/15/khi-qut-ipsec/)
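The ESP header and trailer layout from the protocols section and the reason NAT-T wraps ESP in UDP can both be shown in one added Python example, which is not code from either source page. It uses ESP with NULL encryption (RFC 2410) so the trailer stays readable, computes the ICV over the ESP header, payload and trailer as RFC 4303 specifies, and assumes the RFC 3948 UDP port 4500 for the encapsulation; the key, SPI and inner packet are constructed placeholders.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50      # IP protocol number of ESP: raw ESP has no port for a PAT device to rewrite
NAT_T_PORT = 4500   # UDP port for UDP-encapsulated ESP (RFC 3948)
ICV_LEN = 12        # HMAC-SHA1-96


def build_esp(key, spi, seq, payload, next_header, block=4):
    """ESP header (SPI, Sequence Number) | payload | trailer (Padding, Pad Length,
    Next Header) | ICV. NULL encryption keeps the layout visible; a real SA would
    encrypt payload + trailer before the ICV is computed."""
    pad_len = (-(len(payload) + 2)) % block       # pad so payload + trailer fills whole blocks
    padding = bytes(range(1, pad_len + 1))        # default monotonic padding bytes
    body = (struct.pack("!II", spi, seq) + payload + padding
            + struct.pack("!BB", pad_len, next_header))
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]


def parse_esp(key, esp):
    """Verify the ICV, then strip the trailer; returns (spi, seq, next_header, payload)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]):
        raise ValueError("bad ICV")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


def udp_encapsulate(esp, sport=NAT_T_PORT, dport=NAT_T_PORT):
    """NAT-T: carry the ESP packet inside UDP so the port information a NAT or PAT
    device needs sits in cleartext outside the integrity-protected bytes."""
    return struct.pack("!HHHH", sport, dport, 8 + len(esp), 0) + esp   # checksum 0: optional on IPv4


def pat_rewrite(datagram, new_sport):
    """What a PAT device does on the way out: replace the UDP source port."""
    return struct.pack("!H", new_sport) + datagram[2:]


def udp_decapsulate(datagram):
    sport, dport, length, _ = struct.unpack("!HHHH", datagram[:8])
    return sport, dport, datagram[8:length]


def run_demo():
    """Constructed flow: tunnel-mode ESP (Next Header 4 = IP-in-IP) crosses a PAT
    device inside UDP and still verifies; any change to the raw ESP bytes is detected."""
    key = b"constructed-example-key"              # placeholder SA key, not a real secret
    inner = b"inner IP packet (constructed)"
    esp = build_esp(key, spi=0x2000, seq=1, payload=inner, next_header=4)
    translated = pat_rewrite(udp_encapsulate(esp), 61000)   # PAT picks a public source port
    sport, dport, carried = udp_decapsulate(translated)
    spi, seq, next_header, recovered = parse_esp(key, carried)
    damaged = bytes([esp[0] ^ 0x01]) + esp[1:]    # a middlebox touching raw ESP breaks the ICV
    try:
        parse_esp(key, damaged)
        raw_esp_survives_rewrite = True
    except ValueError:
        raw_esp_survives_rewrite = False
    return {"pat_sport": sport, "dport": dport, "spi": spi, "seq": seq,
            "next_header": next_header, "payload": recovered,
            "raw_esp_survives_rewrite": raw_esp_survives_rewrite}
```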