Investigating information network security with Microsoft tools, applied to building a security system for small and medium-sized organizations (thesis, 83 pages)

MINISTRY OF EDUCATION AND TRAINING
HO CHI MINH CITY UNIVERSITY OF FOREIGN LANGUAGES AND INFORMATION TECHNOLOGY
FACULTY OF INFORMATION TECHNOLOGY

GRADUATION THESIS

INVESTIGATING INFORMATION NETWORK SECURITY WITH MICROSOFT TOOLS, APPLIED TO BUILDING A SECURITY SYSTEM FOR SMALL AND MEDIUM-SIZED ORGANIZATIONS

Supervisor: Nguyen Binh Duong
Students: Nguyen Thanh Liem, Nguyen Tan Phat

Ho Chi Minh City, 2005


Acknowledgements

The student group carrying out this thesis would like to express its sincere thanks to Mr. Nguyen Binh Duong, who supervised it directly. Throughout the time the thesis was being done, although he had many other duties, the group still received a great deal of support from him; his opinions, comments and evaluations made the thesis more complete. Although the group has little practical experience, through him it was able to see the real security needs of today, and from that the direction of the thesis stayed close to practice and met practical requirements.

The group also thanks Mr. Vu Thanh Hien (acting Dean of the Faculty of Information Technology, Ho Chi Minh City University of Foreign Languages and Information Technology). Although he did not supervise directly, the group received his support in many respects. It was thanks to that wholehearted help that the group was able to complete the thesis.

Once again, thank you to Mr. Nguyen Binh Duong and Mr. Vu Thanh Hien for all the help they gave the group.

The thesis group.


Introduction

In everyday life, if everything went smoothly there would be nothing to talk about. But life is rarely smooth. Where some people build and preserve something, others want to destroy it. For that reason, building always goes hand in hand with protecting.

Many things need protection: to protect buildings from fire, we build fire-prevention and fire-fighting systems; to protect people from wrongdoing, we make laws; to withstand the attacks of a group of people, we build fortresses. And to protect a network, we build a security system for that network.

To build a system that protects a network there are many approaches and many tools. This thesis concentrates on the security measures and tools offered by Microsoft for building a protection solution for a network.

The solution the thesis proposes is not aimed at any one particular model; it is a general solution that can be applied to many specific models.

With the aim of investigating today's security problem and offering a complete security solution for a network, the thesis is divided into chapters, each of which can be seen as one step. Part I, "Investigating today's security problem", Chapters 1 to 4, focuses on the problems in securing a network today, the possible risks, the objects of information network security, the security methods for each kind of object, and the tools Microsoft provides for building a solution. Part II, "Security solution", Chapter 5, sets out the general requirements of a medium-sized (or small) organization with many branches spread over a wide area, and the solution proposed on the basis of Microsoft's tools and security methods.


TABLE OF CONTENTS

PART I: THE NETWORK SECURITY PROBLEM TODAY
Chapter 1: The information network security problem and the objects of information network security (p. 3)
  1.1 The information network security problem (p. 3)
  1.2 Identifying the objects of information network security (p. 3)
  1.3 Conclusion (p. 7)
Chapter 2: Security methods (p. 8)
  2.1 Methods at the physical level (p. 8)
  2.2 Methods at the logical level (p. 10)
  2.3 Conclusion (p. 13)
Chapter 3: A look at some security techniques (p. 15)
  3.1 The DMZ technique (p. 15)
  3.2 The VPN technique (p. 18)
  3.3 Conclusion (p. 21)
Chapter 4: Introducing some Microsoft security tools (p. 22)
  4.1 Microsoft Windows 2003 Server Enterprise (p. 22)
  4.2 Active Directory (p. 30)
  4.3 Internet Security and Acceleration Server (ISA) 2000 (p. 34)

PART II: SECURITY SOLUTION
Chapter 5: A network security solution for small and medium-sized organizations (p. 42)
  5.1 The organization's model (p. 42)
  5.2 The organization's requirements when deploying the network and the security system (p. 42)
  5.3 Points of concern when deploying the solution (p. 42)
  5.4 The model (p. 42)
  5.5 Results of the model (p. 48)
Chapter 6: Building a network security system for small and medium-sized organizations (p. 51)
  6.1 Gathering the organization's requirements (p. 51)
  6.2 Analysing the organization's requirements (p. 53)
  6.3 Establishing the security standard for the network (p. 55)
  6.4 Designing the system (p. 58)
  6.5 Comments and evaluation (p. 74)
  6.6 Conclusion (p. 75)
Demo (p. 76)
Conclusion of the thesis (p. 76)
Appendix (p. 79)


Page 6/83

PART I: THE NETWORK SECURITY PROBLEM TODAY

Chapter 1
The information network security problem and the objects of information network security.

'\

Summary:
1.1 - The information network security problem.
1.2 - Identifying the objects of information network security.
  1.2.1 - The components of the network (resources).
    1.2.1.1 - Physical level.
    1.2.1.2 - Logical level.
  1.2.2 - Risks and potential threats.
1.3 - Conclusion.
1.1 - The information network security problem:

In today's IT era, linking computers together into a network so that resources can be shared between them (printers, scanners, data, shared files, ...) is essential: it reduces investment cost and raises the utilization of equipment. Almost every company, factory and school sets up its own network, and most of them connect to the Internet (a global network formed by connecting smaller networks together) or to other networks. For an organization, connecting to the Internet is not just a way of getting the latest news and sending and receiving e-mail; it is also the way the organization communicates with the outside world, does business with distant partners, advertises itself to the world, and delivers services over the Internet. Alongside the benefits the Internet brings, we also see that it is very large, that anyone can connect to it, and that almost nobody manages it, so the Internet hides risks that can harm our network, simply because our network is connected to it. And not only the Internet: potential dangers also come from other networks connected to ours that we do not control.

Those potential dangers may be acts of sabotage, or illegal intrusions aimed at stealing the services an organization provides in order to gain a competitive advantage, or at stealing sensitive information that is important to a company or organization. Sometimes the danger is merely the intrusion of a hacker (someone with good knowledge of operating systems and programming) who leaves a mark to prove that the network has been penetrated. Although the purposes of these attacks differ, they have one thing in common: they harm our network.

To counter these risks we need to build a network that contains security mechanisms. These mechanisms are the whole set of solutions, hardware as well as software, together with the policies, that protect the network and the resources inside it, minimize damage when an incident occurs, and are completely transparent to users, or inconvenience them as little as possible, while achieving the level of safety we want.

1.2 - Identifying the objects of information network security.

To build a network with a high level of security, we can follow these steps (after RFC 2196):
1) Identify the components of the system (the resources to be protected).
2) Identify the risks we have to defend against.
3) Identify the potential threats.
4) Deploy an effective security system.
5) Keep track of newly discovered weaknesses, and of ones already encountered, so that they can be avoided and fixed promptly.
1.2.1 - The components of the network (resources)

1.2.1.1 - Physical level:
- Servers: powerful computers used to run the applications that provide services such as web, mail and database; they are the centre of data storage. For that reason servers are usually the target of attacks.
- Workstations: computers of moderate configuration that run simple applications and are the bridge between the user and the server. They are usually the staging area of attacks.
- Network devices: the devices used to link the servers and workstations together into a network.

1.2.1.2 - Logical level:
- Data: all files, folders and databases. This data is the information being stored. It is stored in raw form (neither encrypted nor compressed), so it is often stolen or altered by intruders.
- Applications: the applications running on workstations, such as Microsoft Office, Adobe Photoshop, AutoCAD, antivirus for clients, ..., and the service-providing applications running on servers, such as Internet Information Services (IIS), Microsoft SQL Server, antivirus for servers, .... These are usually the target of attacks intended to break or disable the features, or the security, of a network, or to plant harmful programs (viruses) that damage the system.
- Services: the services the system provides, such as Web, FTP, DNS, .... These are usually where attackers watch for, find and exploit security holes (problems the network designer did not foresee, or that the administrator does not know about, or knows about but has not fixed).
- Protocols: the protocols deployed to serve the running applications and services, such as HTTP for the Web, FTP for file transfer, and SMTP, IMAP and POP for mail. The weak security of these protocols is commonly used by attackers to eavesdrop on, steal or alter information in transit.
1.2.2 - Risks and potential threats.

Most networks today are attacked through the services they provide, and are penetrated in order to steal sensitive or valuable information.

The factors that threaten the safety of a network grow in proportion to its size and scope (the thesis gives no source for the following figures):
1) More than 50% are the fault of users who lose their password, or set a simple password that is easy to guess.
2) About 20% are due to the dissatisfaction and dishonesty of users of the network itself.
3) About 10% are due to attacks by outsiders (the main concern of the complete security solution in this thesis).
4) The rest are due to objective factors (natural disasters, fire, undiscovered security holes, ...).

Attacks on a network from outside are made for profit or simply to learn. For profit, attackers attack the services the system provides in order to disrupt them, which can lead customers to leave the service provider; attackers may also get into the internal network and take sensitive information. They can also use sophisticated software or hardware tools to steal information being transmitted over public networks, so that information is disclosed or lost. Attacks for profit are usually carefully prepared and carried out by skilled attackers; their scale is usually large and the damage cannot be predicted if our network is poorly secured. To learn, attackers may attack anything, from attacking services and intruding to stealing information off the wire: whatever they are able to do. Attacks of this kind are usually small-scale and isolated, carried out by newcomers or people of low skill, and usually cause no significant damage.

The weakness of a security system has many causes: poor administration, low investment in and lack of attention to the security system, and security holes that keep multiplying because of careless design and construction by software vendors.

Poor administration: most administrators today are well trained, and employers demand a high level of knowledge from them. The cause is a lack of enthusiasm in the work. They are fully able to make the system safer, but this usually takes a lot of time and effort, so things are done perfunctorily, leaving the network poorly secured. There are also many cases where the administrator simply lacks competence.

Investment and attention to the security system: many organizations and businesses are not aware that they need to protect their internal network, simply because it is expensive and they think they have nothing to secure. That complacency can lead to serious consequences, because everything on the computers can be stolen: documents, spreadsheets and reports can all be taken, and a crook can learn the state of the organization.

Security holes are being discovered more and more, not only through vendors' mistakes but also through hackers' meticulous research, and slow patching, or failing to take measures to avoid the flaws, is also a weak point of today's security systems.

1.3 - Conclusion:

The problem of information network security is finding ways to keep our network safe without affecting its communication with the outside world.


Chapter 2.
Security methods.

Summary:
2.1 - Measures at the physical level.
  2.1.1 - Servers.
  2.1.2 - Workstations.
  2.1.3 - Network devices.
2.2 - Measures at the logical level.
  2.2.1 - Servers
    - Operating system.
    - Applications and services.
    - Files, folders, databases.
  2.2.2 - Workstations.
  2.2.3 - Network devices.
  2.2.4 - The human factor.
2.3 - Conclusion.
2.1 - Measures at the physical level:

2.1.1 - Servers:
- Why it matters: physical access to a server by an outsider (someone not authorized) seriously affects the safety of the system. Such a person can do whatever they want: create an account and use it to log on to the server whenever they like, install malicious programs on the server to steal the administrator's password or to cripple the server, copy important data away, ... or, most simply, whether by accident or on purpose, restart or shut down the server and paralyse the system.
- Measures: servers must be placed somewhere safe and tightly controlled; every approach to a server must be authorized by the administrator.
  + Servers should be placed in a separate area, possibly grouped together and put in cabinets or racks designed especially for servers, with safety features such as locks, combinations, fingerprint or voice checks, smart cards, ... for access to the equipment as well as to the area.
  + The areas holding servers are the responsibility of the network administrator, who holds the combinations, smart cards, ... needed to enter them.
  + Besides protecting the servers from unauthorized access, the server area must also protect them from harsh conditions, to extend their life and reduce failures. For example, the server area should be airy and of low humidity; install cooling if the temperature is high, or dehumidifiers if the humidity is high.
2.1.2 - Workstations:
- Why it matters: an outsider's access to a workstation is no less dangerous than access to a server, and may even be more so, because workstations are usually less tightly controlled by the protection system and their users are lax. An outsider can steal information, spread viruses, find an indirect route to the server, or, more crudely, open the machine and take the hard disk away.
- Measures: a workstation must be tightly controlled by its user; every approach to it must be permitted by the user and the administrator. Workstations must be placed in secure areas and maintained regularly by the administrator.
  + Each user is responsible for their own machine. Users are advised not to leave authentication tokens lying around, not to write passwords down and leave them somewhere on the desk, and to limit other people's access to, and borrowing of, the machine.
  + The network administrator must regularly update the antivirus programs and software patches on users' machines, upgrade old software, maintain the hardware, and advise users to keep important information on the server.
2.1.3 - Network devices:
- Why it matters: outsiders reaching the network devices makes the security system almost meaningless; the network then resembles a house in which the thief and the owner live together, where everything can be stolen and everything can be destroyed. Network devices are also like roads: if they stop working, the network is paralysed.
- Measures: network devices (switches, routers, hubs, cables, ...) must be tightly controlled; switches, routers and hubs must be guarded as strictly as servers, and every approach to them must be authorized by the administrator or the people responsible.
  + Network devices should be placed in cabinets or racks designed especially for them, with safety features such as locks, combinations, smart cards, ...; they should be put in the same place as the servers for convenience of maintenance, protection and monitoring.
  + Cables should be run inside walls or in dedicated cable conduits. This makes maintenance easier and prevents regrettable accidents.
  + Network devices (routers, switches) should be configured with the security features they have built in, for example requiring a password at each login to the configuration interface, and configuring the ports on a router or switch so that only permitted devices can communicate through them, ...

Figure 1: An outsider's approach to network devices. (Figure not reproduced; the only legible label was "data goes out of all ports", the behaviour of a hub that lets a tap on any port see all traffic.)
2.2 - Measures at the logical level:

2.2.1 - Servers:
At the logical level the server plays the role of a data exchange centre: it receives requests to exchange data and answers them. A server consists of a network operating system with many kinds of applications installed on it, such as IIS, a mail daemon, Oracle, SQL Server, ..., to provide services such as web server, mail server, data server, ...

- The server operating system: the basic measure is to use the security features the operating system itself provides. Most network operating systems have security features such as creating users and groups and assigning access rights to manage them, and logging functions that let the administrator monitor users' logins and accesses to the server. To raise security further, other security toolkits compatible with our operating system can be used (not necessarily from the operating system vendor; they may come from another company), for example firewalls for the Unix family, firewalls for the Windows Server family, intrusion detection tools, .... (For a look at a representative server operating system, see Chapter 4, "Introducing Microsoft's security tools", Microsoft Windows Server 2003 Enterprise.)

- Applications and services: these should be configured carefully at installation as well as during maintenance. Their operation must be tightly controlled by the operating system and the administrator. They must be assigned specific permissions: who may and who may not use them. Update regularly to new versions and patches to improve stability and reliability.
  + When installing an application, determine which services it provides and on which ports those services are offered, and close the unrelated ports. Consider the application's effect on the system (on other applications); if it is not really necessary, or its effect is unknown, do not install it.
  + Install only applications written by trusted vendors, to avoid security holes introduced accidentally or deliberately.
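As an added example (not code from the thesis), the port check the previous paragraph asks for, written as a small audit in Python: it parses the output of `netstat -ano`, the command a Windows Server 2003 administrator would run, and compares the listening sockets against the services the host is documented to provide. The netstat lines below are constructed for the example, and the expected-service list and the management-only list are assumptions for a web and mail server; adapt them to the host's own inventory.

```python
"""Audit a server's listening ports against its documented services.

Input is the text of `netstat -ano` (Windows); the sample below is
constructed for the example, not a real capture. EXPECTED and
MANAGEMENT_ONLY are assumptions for a web + mail host.
"""
import re

# Constructed sample output (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1640
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1640
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1888
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1104
  TCP    10.0.0.5:80            203.0.113.7:51234      ESTABLISHED     1640
  UDP    0.0.0.0:53             *:*                                    1212
  UDP    0.0.0.0:161            *:*                                    1300
"""

# Services this host is documented to provide (assumed inventory).
EXPECTED = {("TCP", 25), ("TCP", 80), ("TCP", 443), ("UDP", 53)}
# Listeners acceptable only from the management network; the firewall,
# not the host, has to keep the Internet away from these.
MANAGEMENT_ONLY = {("TCP", 135), ("TCP", 3389)}

# proto, local addr, local port, foreign addr, optional state, pid
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s+(\d+)\s*$")


def listening_ports(netstat_text):
    """Return {(proto, port): pid} for TCP LISTENING sockets and all UDP sockets."""
    found = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _local, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established / time-wait entries are not listeners
        found[(proto, int(port))] = int(pid)
    return found


def audit(netstat_text, expected=EXPECTED, management_only=MANAGEMENT_ONLY):
    """Classify every listener and report documented services that are missing."""
    listeners = listening_ports(netstat_text)
    report = {"expected": [], "management_only": [], "unexpected": []}
    for key, pid in sorted(listeners.items()):
        if key in expected:
            report["expected"].append((key, pid))
        elif key in management_only:
            report["management_only"].append((key, pid))
        else:
            report["unexpected"].append((key, pid))  # close or justify these
    report["missing"] = sorted(expected - set(listeners))
    return report


if __name__ == "__main__":
    for category, entries in audit(SAMPLE_NETSTAT).items():
        print(category, entries)
```

On the sample, the unexpected listeners are SQL Server on TCP 1433 and SNMP on UDP 161: the first should not be reachable on a public-facing host at all, the second is the kind of "installed by default" service the paragraph above says to identify and close. The PID column lets the administrator map each surprise back to the process that opened it.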
- Files, folders and databases: the effective measures are encryption and restricted access. Every access must be authenticated and authorized; certificates issued by a Certification Authority (CA) server can provide the authentication. Important data must be backed up regularly and carefully so that it can be restored quickly after an incident.
  + Files and folders: operating systems usually come with encryption tools; for example the Windows 2003 Server family has the Encrypting File System (EFS) with the DES and 3DES algorithms (single DES is no longer considered strong; prefer 3DES or, where available, AES). For better encryption, third-party tools can be used.
  + Databases: database management systems themselves also have security methods such as access control and authentication of users. Each database holds a list of the people allowed to access it and the operations they may perform on it. For greater safety, apply the operating system's access-control and user-authentication rules as well; this raises safety without inconveniencing users (thanks to single sign-on).

- Protocols: the effective way to secure today's protocols is to wrap them in protocols designed specifically for security, such as PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol), or to use protocols that have security built in, such as Kerberos, IPSec, ...
  + Wrapping a protocol works as follows: first the system makes a connection with the protocol being wrapped (for PPTP, a PPP connection is made first). Then a connection on which the transmitted information is encrypted is made on top of the connection just created (after creating the PPP connection, the system creates a PPTP connection). Tearing down happens in reverse (the PPTP connection is released first, then the PPP connection).

Figure 2: A PPTP connection. (Figure not reproduced; it shows a client, a network access server and a PPTP server: connection #1 is the PPP connection from the client to the network access server, and connection #2 consists of the PPTP control connection and the PPTP data connection to the PPTP server.)

  + For protocols that already have security built in, the information on the wire is already encrypted and compressed in their own way; they only need to be installed and used.


2.2.2 - Workstations:
Workstations are usually equipped with fewer protection tools than servers, because they are already enclosed by the protection system (the machines equipped with security tools). However, to prevent attacks originating from these machines (the user of the machine need not be the attacker; the machine may have been infected by accident with viruses such as trojans or backdoors and become a tool in an attacker's hands), enough security measures should be taken to stop that threat.
  + Advise users not to visit untrusted websites, nor to download and install programs from such sites.
  + Forbid users from installing programs without the administrator's permission.
  + Install antivirus and anti-spyware programs on the workstations and update them regularly.
  + Where a workstation is shared by several people, assign specific rights to each user: determine which users may use the machine and which resources on it they may use.

2.2.3 - Network devices:
Most network devices today, such as routers and switches, provide security features such as ACLs (Access Control Lists) and protocol filters. To make the network safer, devices such as routers should be configured to act as a second firewall.

2.2.4 - User training:
Training users is important and must be repeated whenever the system is upgraded or changed. It is also the hardest job, because most users are not computer specialists and find it difficult to grasp computer issues. Training helps users learn what they should and should not do on their computers to keep the network safe.

2.3 - Conclusion:
Security methods are the ways of protecting the objects in the network; each object has its own way of being protected. Protecting each object in the network leads to the whole network being safer.



Chapter 3.
A look at some security techniques.

Summary:
3.1 - A network using the DMZ (Demilitarized Zone) technique for protection.
  3.1.1 - Components of the model.
  3.1.2 - Operation of the model.
  3.1.3 - Advantages and disadvantages.
3.2 - The VPN technique.
  3.2.1 - Components of the model.
  3.2.2 - Operation of the model.
  3.2.3 - Advantages and disadvantages.
3.3 - Conclusion.

3.1 - Analysis of a network model that uses the DMZ technique for protection

3.1.1 - Components of the model:
The model consists of the following components:
+ A complete network, comprising many workstations and the servers that provide services.
+ A set of servers holding the same data and services as the servers in the complete network above (mirrored from those servers), completely separated from that network by a firewall. This is called the DMZ (Demilitarized Zone).
+ A firewall separating the complete network from other networks.


Figure 3: A network using the DMZ technique for protection. (Figure not reproduced.)

3.1.2 - Operation of the system:
With the DMZ technique, the internal network and the system that provides services to the outside are separated into two distinct zones. The zone holding the servers that provide services to the outside is called the DMZ.
The data in the DMZ is usually synchronized with, or updated from, the servers in the internal network.
Workstations in the internal network that want to reach outside networks (where permitted) are entirely unaffected by the DMZ.
The firewall filters the traffic and directs connections according to their purpose. Service requests from outside are forwarded to the servers in the DMZ; any request that is not a service request (judged by protocol), or whose destination is not a server in the DMZ, is refused. Only the servers in the DMZ may request data from the internal network; every request that does not originate in the DMZ is dropped. Workstations in the internal network are allowed out, but only to the networks they are permitted to reach; all access to other networks is refused.
When an attack occurs only the DMZ suffers damage; all the data and the internal network stay intact. This holds only as long as the rule that lets DMZ servers reach the internal servers is kept to the synchronization service alone; a compromised DMZ host can use any wider DMZ-to-internal rule to attack inward.
Figure 4 shows how data is exchanged between the internal network and the outside through the DMZ.


Figure 4: Data exchange through the DMZ. (Figure not reproduced; the legible labels were "HTTP: Port 80" on both the outside and the internal side of the DMZ.)
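The filtering behaviour described in 3.1.2, as an added example (not part of the thesis): a first-match rule evaluator in Python with three zones. The address ranges, the rule names and the choice of published ports are assumptions made for the example; the point it shows is that DMZ-to-internal traffic is restricted to the one synchronization service and that nothing from outside reaches the internal network directly, the two properties the "only the DMZ suffers damage" claim depends on.

```python
"""First-match evaluation of the DMZ rules from section 3.1.2.

Zones, address ranges, rule names and ports are assumptions for the
example, not a configuration taken from the thesis.
"""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/8")          # internal network
DMZ = ipaddress.ip_network("192.0.2.0/24")            # published servers
PARTNER = ipaddress.ip_network("198.51.100.0/24")     # an outside network staff may reach


def zone_of(addr):
    """Map an address to one of the three zones; anything unknown is outside."""
    ip = ipaddress.ip_address(addr)
    if ip in DMZ:
        return "dmz"
    if ip in INSIDE:
        return "inside"
    return "outside"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# (name, from zone, to zone, allowed (proto, port) pairs, extra destination test)
RULES = [
    ("publish-web-mail", "outside", "dmz",
     {("tcp", 80), ("tcp", 443), ("tcp", 25)}, None),
    ("publish-dns", "outside", "dmz",
     {("udp", 53), ("tcp", 53)}, None),
    # the DMZ copies are refreshed from the internal servers: one service only
    ("dmz-sync-sql", "dmz", "inside",
     {("tcp", 1433)}, None),
    # internal workstations may go out, but only to the permitted network
    ("inside-partner", "inside", "outside",
     {("tcp", 80), ("tcp", 443)}, lambda ip: ip in PARTNER),
]


def decide(flow):
    """Return (verdict, rule name); a flow that matches no rule is denied."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    dst_ip = ipaddress.ip_address(flow.dst)
    for name, from_zone, to_zone, services, dst_ok in RULES:
        if (src_zone, dst_zone) != (from_zone, to_zone):
            continue
        if (flow.proto, flow.dport) not in services:
            continue
        if dst_ok is not None and not dst_ok(dst_ip):
            continue
        return "allow", name
    return "deny", "default-deny"


if __name__ == "__main__":
    # Constructed sample flows covering each direction the section describes.
    samples = [
        Flow("203.0.113.9", "192.0.2.10", "tcp", 80),    # Internet -> DMZ web
        Flow("203.0.113.9", "10.0.0.5", "tcp", 80),      # Internet -> inside (never)
        Flow("192.0.2.10", "10.0.0.5", "tcp", 1433),     # DMZ -> inside sync
        Flow("192.0.2.10", "10.0.0.5", "tcp", 445),      # DMZ -> inside, wrong port
        Flow("10.0.0.20", "198.51.100.7", "tcp", 443),   # inside -> permitted network
        Flow("10.0.0.20", "203.0.113.9", "tcp", 443),    # inside -> anything else
    ]
    for f in samples:
        print(f, "->", decide(f))
```

Rules are evaluated in order and the implicit last rule denies, so a flow is allowed only when a rule names its exact zone pair, protocol and port. A request from the internal network to the DMZ is denied as well, which matches the text's "every request that does not originate in the DMZ is dropped"; if the real design needs administrators to reach DMZ hosts, that is a separate, deliberately added rule.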

3.1.3 - Advantages and disadvantages of the DMZ technique:
3.1.3.1 - Advantages:
- Creates a stand-in system for the servers that need protection while still allowing data exchange.
- The DMZ recovers quickly after an attack, because all the data is kept in the internal network.
- High level of safety.
3.1.3.2 - Disadvantages:
- High cost to build a DMZ.
- Data exchange is slower because it has to pass through the firewall.


3.2 - Analysis of a system that uses the VPN technique:
3.2.1 - Components of the system:
+ A local area network (LAN) with resources such as printers, scanners, databases, ...
+ A VPN server.
+ A firewall (placed in front of or behind the VPN server) to control connections.
+ Another local network (or a single machine).
+ The protocols used: L2TP, PPTP, PPP, IPSec.

Figure 5: A system using the VPN technique with the firewall placed behind the VPN server. (Figure not reproduced; labels: "VPN connection", "VPN client".)

Figure 6: A system using the VPN technique with the firewall placed in front of the VPN server. (Figure not reproduced; labels: "VPN connection", "Tunnel".)
3.2.2 - Operation of the system:
The VPN technique lets two or more networks be joined into a single network, so that the resources of each can be shared easily as if they were on the same network (Figure 7 shows this more clearly).
The VPN server creates the VPN connections over the transmission channels.
The security problem here is how to protect the VPN connections when they run over a public network (such as the Internet). For this the VPN technique uses a set of protocols including L2TP and PPTP. These protocols encrypt the data on the VPN connections and at the same time create a tunnel through which the data is carried across the public network. It is called a tunnel because the original packets are hidden, or wrapped, inside other packets, and these packets travel along a logical path from source to destination. Note that neither tunnelling protocol encrypts on its own: with PPTP the encryption is done at the PPP layer (MPPE), and L2TP provides no encryption at all, which is why it is paired with IPSec (section 3.2.2.2).
The firewall in the system controls connections from the local network outward and from outside inward.

In the arrangement with the firewall behind the VPN server (Figure 5), because it sits behind the VPN server the firewall only determines which users may use which resources of the internal network; connections that are not VPN connections have already been filtered out by the VPN server.

Figure 7: Logical model after a VPN connection is made. (Figure not reproduced; label: "VPN connection".)


Figure 8: Creating a PPTP connection. (Figure not reproduced; it repeats Figure 2: connection #1 is the PPP connection from the client to the network access server, connection #2 consists of the PPTP control connection and the PPTP data connection to the PPTP server.)

In the arrangement with the firewall in front of the VPN server (Figure 6), the firewall rejects connections that are not VPN connections and limits which other networks may make VPN connections to this one.

3.2.2.1 - PPTP (Point-to-Point Tunneling Protocol):
A protocol developed on the basis of PPP (Point-to-Point Protocol) to raise the security of data in transit. To secure the data in transit, the information field of the PPP packet is encrypted, or compressed, or both, and is then wrapped in a PPTP packet.

Figure 9: Structure of a PPTP control packet. (Figure not reproduced; the layers shown were: Datalink header | IP header | TCP header | PPTP control message | Datalink trailer.)

Figure 10: Structure of a PPTP data packet. (Figure not reproduced; the layers shown were: Datalink header | IP header | GRE header | PPP header | encrypted PPP payload (IP datagram, IPX datagram or NetBEUI frame) | Datalink trailer. The legend marked only the PPP payload as encrypted; the headers are not.)

3.2.2.2 - L2TP (Layer 2 Tunneling Protocol):
A protocol created by combining PPTP with Cisco's L2F (Layer 2 Forwarding) technique. Because it operates at the data link layer (in the OSI model) it can carry protocols other than TCP/IP, for example IPX, AppleTalk, ...
L2TP is usually combined with IPSec to raise security.


The data in the PPP packet is encrypted, or compressed, or both, and is then wrapped in an L2TP packet.

Figure 11: Structure of an L2TP control packet. (Figure not reproduced; the layers shown were: Datalink header | IP header | IPSec ESP header | UDP header | L2TP message | IPSec ESP trailer | IPSec ESP authentication trailer | Datalink trailer. Everything from the UDP header through the ESP trailer is marked as encrypted by IPSec.)

Figure 12: Structure of an L2TP data packet. (Figure not reproduced; same layering as Figure 11 with the PPP frame inside the L2TP message. The region from the UDP header through the ESP trailer is marked as encrypted by IPSec, and the region from the ESP header through the ESP trailer as authenticated by IPSec, with the ESP authentication trailer carrying the result.)
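As an added example (not code from the thesis), the two data-packet layouts in Figures 10 and 12, and the nesting of PPP inside PPTP described in section 2.2.1, built and parsed byte by byte in Python. The IP header is omitted, and the body of the ESP packet is left in the clear, with the region a real stack would encrypt marked; the integrity check value is a real HMAC-SHA1-96 over exactly the bytes ESP authenticates. Call IDs, tunnel IDs, keys and payloads are constructed sample values.

```python
"""Byte-level framing of the two tunnels discussed above.

  PPTP data  : [IP] | enhanced GRE (RFC 2637) | PPP | payload
  L2TP/IPSec : [IP] | ESP header | UDP 1701 | L2TP | PPP | payload | ESP trailer | ESP ICV

The IP header is omitted and the ESP body is not encrypted here (a real
stack would apply 3DES or AES to it); the ICV is a genuine HMAC-SHA1-96.
All identifiers, keys and payloads are constructed sample values.
"""
import hashlib
import hmac
import struct

GRE_PROTO_PPP = 0x880B    # GRE protocol type used by PPTP data packets (RFC 2637)
PPP_PROTO_IPV4 = 0x0021   # PPP protocol number for an IPv4 datagram
L2TP_PORT = 1701
IPPROTO_UDP = 17
ICV_LEN = 12              # HMAC-SHA1-96 keeps the first 12 bytes of the MAC


def build_pptp_gre(call_id, seq, payload, ack=None):
    """Enhanced GRE header: K (key = payload length + call ID) and S (sequence)
    are always set; A adds an acknowledgement; version is 1."""
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + payload
    flags = 0x30                                    # K=1, S=1
    ver = 0x01 | (0x80 if ack is not None else 0)   # A bit, version 1
    gre = struct.pack("!BBHHHI", flags, ver, GRE_PROTO_PPP, len(ppp), call_id, seq)
    if ack is not None:
        gre += struct.pack("!I", ack)
    return gre + ppp


def parse_pptp_gre(pkt):
    flags, ver, proto, length, call_id, seq = struct.unpack("!BBHHHI", pkt[:12])
    if proto != GRE_PROTO_PPP or (ver & 0x07) != 1 or (flags & 0x30) != 0x30:
        raise ValueError("not a PPTP enhanced-GRE data packet")
    off, ack = 12, None
    if ver & 0x80:
        (ack,) = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    ppp = pkt[off:off + length]
    (ppp_proto,) = struct.unpack("!H", ppp[:2])
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "ppp_proto": ppp_proto, "payload": ppp[2:]}


def build_l2tp_over_esp(spi, esp_seq, tunnel_id, session_id, payload, auth_key, block=8):
    """ESP carrying UDP/1701 -> L2TP data message -> PPP frame."""
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + payload
    # L2TP data header: T=0 (data), L=1 (length present), Ver=2
    l2tp = struct.pack("!HHHH", 0x4002, 8 + len(ppp), tunnel_id, session_id) + ppp
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp), 0) + l2tp
    # ESP trailer: pad to the cipher block size, then pad length and next header
    pad_len = (-(len(udp) + 2)) % block
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_UDP])
    esp_hdr = struct.pack("!II", spi, esp_seq)
    body = udp + trailer                  # the region a real ESP encrypts
    icv = hmac.new(auth_key, esp_hdr + body, hashlib.sha1).digest()[:ICV_LEN]
    return esp_hdr + body + icv


def esp_icv_ok(pkt, auth_key):
    """ESP authenticates its header plus the (encrypted) body, never the outer IP header."""
    expect = hmac.new(auth_key, pkt[:-ICV_LEN], hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expect, pkt[-ICV_LEN:])


def parse_l2tp_over_esp(pkt, auth_key):
    """Check the ICV first, then peel UDP, L2TP and PPP out of the ESP body."""
    if not esp_icv_ok(pkt, auth_key):
        raise ValueError("ESP ICV mismatch: packet altered in transit or wrong key")
    spi, esp_seq = struct.unpack("!II", pkt[:8])
    body = pkt[8:-ICV_LEN]
    pad_len, next_hdr = body[-2], body[-1]
    udp = body[:len(body) - 2 - pad_len]
    _sport, dport, _ulen, _csum = struct.unpack("!HHHH", udp[:8])
    _flags, l2tp_len, tunnel_id, session_id = struct.unpack("!HHHH", udp[8:16])
    ppp = udp[16:8 + l2tp_len]
    (ppp_proto,) = struct.unpack("!H", ppp[:2])
    return {"spi": spi, "esp_seq": esp_seq, "next_header": next_hdr,
            "udp_dport": dport, "tunnel_id": tunnel_id, "session_id": session_id,
            "ppp_proto": ppp_proto, "payload": ppp[2:]}


if __name__ == "__main__":
    print(parse_pptp_gre(build_pptp_gre(7, 1, b"hello", ack=3)))
    key = b"\x01" * 20
    print(parse_l2tp_over_esp(build_l2tp_over_esp(0x1000, 5, 2, 3, b"data!", key), key))
```

Two things the figures do not make obvious show up in the code: in the PPTP packet the call ID and sequence numbers sit in the GRE header in the clear, so a firewall in front of the VPN server can match PPTP data by GRE protocol type 0x880B without any key; in the L2TP/IPSec packet the UDP and L2TP headers are inside the ESP body, so the same firewall sees only ESP (SPI and sequence number) and must pass IP protocol 50 to the VPN server rather than filter on port 1701.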
3.2.3 - Advantages and disadvantages of a system using the VPN technique:
3.2.3.1 - Advantages:
- Connects separate, distant networks and shares their resources easily.
- Low cost.
- An economical alternative to a leased line.
3.2.3.2 - Disadvantages:
- High complexity when connecting many networks.
- Intruders on the public network can take information, or get into the VPN system, once they manage to decrypt the messages carried on it. For PPTP this is not hypothetical: its MS-CHAP-based authentication and the MPPE keys derived from it have known weaknesses, so of the two, L2TP over IPSec is the one to prefer.

3.3 - Conclusion:
Each security technique is built towards a different security goal, and those goals are nothing other than protecting the objects in the network. The DMZ technique is designed to secure data where it is stored; the VPN technique is designed to secure data in transit over the network.



Chapter 4
Introducing Microsoft's security tools.
Microsoft Windows Server 2003, Active Directory & Internet Security and Acceleration Server.

Summary:
4.1 - The security features of Microsoft Windows Server 2003 Enterprise.
  4.1.1 Authentication
  4.1.2 Object-based access control.
  4.1.3 Security policy.
  4.1.4 Auditing.
  4.1.5 Active Directory and security.
  4.1.6 Data security.
  4.1.7 Protecting data on the network.
  4.1.8 Trust relationships.
4.2 - Active Directory.
  4.2.1 Access control in Active Directory.
  4.2.2 User authentication.
4.3 - Internet Security and Acceleration (ISA) Server.
  4.3.1 Introduction.
  4.3.2 Overview of ISA's functions.
    4.3.2.1 Firewall and security.
    4.3.2.2 Publishing.
    4.3.2.3 Cache.
    4.3.2.4 Extensions.
    4.3.2.5 Architecture overview.

4.1 - The security features of Microsoft Windows Server 2003 Enterprise:
The main security functions of the Windows Server 2003 family are authentication and access control of users. Active Directory lets the administrator perform these functions easily and effectively.

