Network security study material
5/21/2018 Network Security, Part 4: Application Security (slide 1 of 173)
NETWORK SECURITY
Part IV: Application Security
Securing the application layer
- Section 1: Remote Access Security
- Section 2: Securing web traffic
- Section 3: Email Security
- Section 4: Application Security Baselines
Remote Access Security
- Wireless networks
- Virtual private networks (VPN)
- RADIUS
- TACACS
- PPTP
- L2TP
- SSH
- IPSec
Wireless LAN
OVERVIEW OF WIRELESS NETWORKS
Types of wireless networks can be divided as follows:
- Wireless LAN (Wi-Fi): connectivity within a small area such as a classroom, a building, or between two nearby buildings. The coverage radius indoors is a few hundred metres; outdoors it is a few kilometres. Typically used in crowded places such as hotels, railway stations and schools; uses the 802.11 standards.
- Wireless MAN (WiMAX): wireless connectivity between different buildings, or between buildings within the same city; the coverage radius reaches several tens of kilometres. Typically used where running cable is difficult or the terrain is complex.
Wireless network standards
- IEEE 802.15: Bluetooth, used in Personal Area Networks (PAN).
- IEEE 802.11: Wi-Fi, used for Local Area Networks (LAN).
- IEEE 802.16: WiMAX (Worldwide Interoperability for Microwave Access), used for Metropolitan Area Networks (MAN).
- IEEE 802.20: used for Wide Area Networks (WAN).
WLAN
- A network based on 802.11 technology, so it is sometimes called 802.11 network Ethernet. Today it is also called Wireless Ethernet or Wi-Fi (Wireless Fidelity).
- The 802.11 standard was developed by the IEEE and released in 1997. The family includes 802.11, 802.11a, 802.11b, 802.11b+, 802.11g and 802.11h.
WLAN
- 802.11: data rate of about 1 to 2 Mbps, operating in the 2.4 GHz band. The physical layer uses DSSS (Direct Sequence Spread Spectrum) or FHSS (Frequency Hopping Spread Spectrum) for transmission.
- 802.11a: an extension of 802.11 that provides data rates up to 54 Mbps in the 5 GHz band. It uses Orthogonal Frequency Division Multiplexing (OFDM), which multiplexes channels on orthogonal frequencies. Up to 8 access points can operate side by side, whereas in the 2.4 GHz band only up to 3 access points can.
WLAN
- 802.11b, 802.11b+: data rates of 11 Mbps (802.11b) or 22 Mbps (802.11b+), operating in the 2.4 GHz band. Compatible with 802.11 and 802.11g. Fallback rates are 1, 2 or 5.5 Mbps.
- 802.11g: data rates of about 20+ Mbps in the 2.4 GHz band. Modulation is one of two methods: OFDM (as in 802.11a), allowing rates up to 54 Mbps, or DSSS, limited to 11 Mbps.
- 802.11h: used in Europe, operating in the 5 GHz band.
WLAN
Advantages of WLAN over traditional wired networks
- Wireless networks provide all the features of LAN technologies such as Ethernet and Token Ring without the limits of a physical connection (cable).
- The first advantage is mobility. A WLAN makes data transfer between supported devices convenient, without the distance and space constraints of an ordinary wired network. Wireless users can stay connected while moving anywhere within the coverage of the central device (the Access Point).
- A WLAN uses infrared light and radio frequency signals to transmit and receive data instead of twisted-pair or fibre optic cable. Radio is the more common of the two because it travels farther, persists longer, covers wider areas and offers higher bandwidth.
WLAN
Limitations of WLAN
- The speed of a wireless network depends on bandwidth. Wireless is slower than a wired network, and a wireless network must acknowledge received frames carefully to avoid data loss.
- Security on wireless networks is the top concern today. A wireless network is always a worry because communication is open to anyone within range who has suitable equipment. In a traditional wired network the signal travels inside the cable, so it can be protected more safely. On a wireless network eavesdropping is very easy, because radio waves can be captured and processed by any receiver within range; moreover, a wireless network has no clear boundary, which makes it hard to manage.
Technical characteristics of wireless networks
How does a WLAN work?
- A wireless LAN uses electromagnetic waves (radio or infrared) to exchange information between devices without any physical connection (cable).
- In a typical WLAN configuration, a transmitting and receiving device (transceiver) called an Access Point (AP) is connected to the ordinary wired network over standard Ethernet cabling.
- The AP's main function is to receive, buffer and relay data between the WLAN and the wired network.
- One AP can serve a group of users within a certain range (depending on the type of AP).
Technical characteristics of wireless networks
WLAN users access the network through a wireless NIC, commonly of the following kinds:
- PCMCIA: laptops, notebooks
- ISA, PCI, USB: desktops
- Integrated in handheld devices
Technical characteristics of wireless networks
- The main technology used for wireless networks is based on the IEEE 802.11 standard. Most wireless networks today use the 2.4 GHz frequency band.
- Wireless network standards: the IEEE 802.11 standard; Bluetooth.
Technical characteristics of wireless networks
The 802.11 standard
WLANs operate on the 802.11 standard, which is regarded as the standard for mobile devices that support wireless, serving devices with short to medium range. To date IEEE 802.11 comprises 4 standards in the 802.11 family and 1 experimental standard:
Technical characteristics of wireless networks
- 802.11: the original IEEE wireless standard (operates at 2.4 GHz, data rate 1 Mbps to 2 Mbps).
- 802.11b: developed in 1999, operates at 2.4 to 2.48 GHz, data rates from 1 Mbps to 11 Mbps.
- 802.11a: developed in 1999, operates at 5 GHz to 6 GHz, data rate 54 Mbps.
- 802.11g: a standard similar to 802.11b but faster, 20 Mbps to 54 Mbps; currently the most widespread.
- 802.11e: an experimental standard; this is only a trial version that provides QoS (Quality of Service) features and multimedia support for homes and businesses with wireless environments.
Technical characteristics of wireless networks
Bluetooth
- Bluetooth is a simple protocol used to connect mobile devices such as mobile phones, laptops, handheld computers, digital cameras, printers, etc.
- Bluetooth uses the IEEE 802.15 standard at 2.4 GHz to 2.5 GHz.
- Bluetooth was designed to connect mobile devices quickly and is also the solution for building WPANs; it can operate in environments with interference at several different frequencies.
Channels in wireless networks
A wireless network operates on 14 channels (but in practice only one channel transmits at a time).
Channels in wireless networks
Channel layout model for a wireless network. Points to note when installing Access Points:
- There must be overlapping areas between the coverage radii of the Access Points.
- The channels set on neighbouring Access Points must be 5 channels apart.
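The 5-channel rule can be checked numerically. The Python below is an added example, not part of the lecture slides: it models the 2.4 GHz channel grid (centre frequency 2407 + 5*n MHz for channels 1 to 13, 2484 MHz for channel 14, each channel about 22 MHz wide; these physical-layer constants are supplied here as assumptions, the slides do not state them) and reports which channels overlap, which is why neighbouring APs end up on channels 1, 6 and 11.

```python
"""Added example, not from the lecture slides: which 2.4 GHz 802.11 channels
overlap, and a checker for an AP channel plan. The centre-frequency formula
and the 22 MHz channel width are assumptions supplied by this example."""

CHANNEL_WIDTH_MHZ = 22  # approximate occupied bandwidth of a DSSS/802.11b channel


def center_frequency_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel in MHz (channel 14 is a special case)."""
    if not 1 <= channel <= 14:
        raise ValueError(f"channel {channel} is not a 2.4 GHz channel")
    if channel == 14:
        return 2484
    return 2407 + 5 * channel


def channels_overlap(a: int, b: int) -> bool:
    """True when the bands of channels a and b overlap: centres closer than one
    channel width. Five channels apart means 25 MHz spacing, which is clear."""
    spacing = abs(center_frequency_mhz(a) - center_frequency_mhz(b))
    return spacing < CHANNEL_WIDTH_MHZ


def non_overlapping_set(max_channel: int = 11) -> list:
    """Greedily pick mutually non-overlapping channels from 1 to max_channel.
    For the 11 channels allowed in most regions this yields 1, 6 and 11."""
    chosen = []
    for ch in range(1, max_channel + 1):
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def check_ap_plan(assignments: dict) -> list:
    """assignments maps AP name -> channel for APs whose coverage areas touch
    (the slides require that overlap). Returns the pairs that interfere."""
    conflicts = []
    names = sorted(assignments)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if channels_overlap(assignments[a], assignments[b]):
                conflicts.append((a, b))
    return conflicts


if __name__ == "__main__":
    # Constructed plan: three APs with overlapping coverage.
    print(non_overlapping_set(11))
    print(check_ap_plan({"AP-lobby": 1, "AP-hall": 6, "AP-lab": 11}))
    print(check_ap_plan({"AP-lobby": 1, "AP-hall": 3}))
```

`check_ap_plan` only makes sense for APs whose coverage areas actually overlap; two APs far enough apart can reuse a channel, which is how a large ESS is covered with just three channels.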
Wireless network topologies
- A wireless network (a network based on the 802.11 standard) is very flexible in design. There are 3 choices when you want to deploy a wireless network: Independent Basic Service Set (IBSS); Basic Service Set (BSS); Extended Service Set (ESS).
- A Basic Service Set (BSS) is a group of devices joining the WLAN to the ordinary wired network through a fixed AP. The WLAN uses radio (RF) to broadcast its signal to the clients (receivers), which must be within range. Communication between devices goes primarily through the service set identifier (SSID): clients use this SSID to filter the signals received from the transmitter.
Wireless network topologies
Independent BSS / Ad-hoc
- In the Independent BSS model, clients communicate with each other directly without going through an AP, but they must be within range of each other.
- The smallest network under the 802.11 standard consists of 2 machines communicating directly.
- The IBSS model is also known as an ad-hoc network.
Wireless network topologies
[Figure: Independent BSS / Ad-hoc network model]
Wireless network topologies
BSS / Infrastructure BSS
- In the Infrastructure BSS model, clients that want to communicate must go through a special device called an Access Point (AP).
- The AP is the central point that manages all communication in the network; clients cannot talk to each other directly as they do in an Independent BSS.
- To communicate, clients send their data frames to the AP, which then forwards them to the receiving machine.
Wireless network topologies
[Figure: Infrastructure BSS model]
Wireless network topologies
ESS / Extended Service Set
- Several BSSs combined together form an ESS.
- It is a model that uses 2 or more APs to connect the network. The APs link together into a larger network with a wider coverage area, which is convenient and responsive for mobile clients and keeps all clients operating.
Wireless network topologies
[Figure: ESS network model]
TYPES OF ATTACK ON WLANs
A hacker can attack a WLAN in the following ways:
- Passive attack (eavesdropping)
- Active attack (connecting to, probing and reconfiguring the network)
- Jamming attack
- Man-in-the-middle attack
Passive attack
- A passive attack, or eavesdropping, is the simplest WLAN attack method, but it is still very effective.
- A passive attack leaves no trace that proves the hacker's presence in the network, because the hacker does not need to connect to the AP to listen to the packets travelling over the wireless segment.
Passive attack
- A WLAN sniffer can be used to collect information about the wireless network from a long distance by using a directional antenna.
- This method lets the hacker keep a distance from the network and leave no trace while still listening and collecting valuable information.
[Figure: example of a passive attack]
Active attack
An active attack is used to get onto a server and take valuable data, or to use the company's Internet connection for destructive purposes, or even to change the configuration of the network infrastructure. By connecting to the wireless network through the AP, the hacker can penetrate deeper into the network or alter its configuration.
Active attack
Example: a hacker can add their own MAC address to the allow list of the MAC filter on the AP, or disable the MAC filter altogether, to make later intrusion easier.
[Figure: example of an active attack]
Jamming attack
- Jamming is a technique used to disrupt and shut down a wireless network.
- When a hacker performs a jamming attack, they can use a special WLAN device: a high-power RF transmitter or a sweep generator.
Jamming attack
To eliminate this type of attack, the first requirement is to locate the RF source. This can be done with a spectrum analyzer.
[Figure: jamming attack]
Man-in-the-middle attack
- A man-in-the-middle attack is the case where the hacker uses an AP to lure mobile nodes by sending an RF signal stronger than the legitimate AP's.
- The mobile nodes see the AP with the strongest RF signal and associate with this rogue AP, sending data, possibly sensitive data, to the rogue AP, which the hacker fully controls.
Man-in-the-middle attack
A hacker who wants to carry out this man-in-the-middle attack must first know the SSID the clients are using (this value is very easy to obtain). Next, the hacker must know the WEP key if the network uses WEP.
[Figure: man-in-the-middle attack]
OVERVIEW OF WIRELESS NETWORK SECURITY
Why must wireless networks be secured?
Why must wireless networks be secured?
To secure a wireless network you need at least the following two components:
- Authentication: authenticating users; decides who may use the WLAN.
- Encryption: encrypting data; provides data confidentiality.
Wireless LAN security
A WLAN consists of 3 parts: the Wireless Client, the Access Points and the Access Server.
- Wireless Client: typically a laptop with a wireless NIC (Network Interface Card) installed and configured to access the wireless network.
- Access Points (AP): provide radio coverage in an area and the connection to the wireless network.
- Access Server: controls access. An Access Server (such as an Enterprise Access Server, EAS) provides control, management and advanced security features for an Enterprise wireless network.
Security settings in a WLAN
- Device Authorization: wireless clients can be blocked according to their hardware address (for example the MAC address).
- Encryption: the WLAN also supports WEP, 3DES and the TLS (Transport Layer Security) standard. WEP keys can be created on a per-user, per-session basis.
- Authentication: the WLAN supports mutual authentication (using 802.1X EAP-TLS) to ensure that only authorized wireless clients gain access to the network.
- Firewall: integrates a packet-filtering and port-blocking firewall based on IP chains.
- VPN: includes an IPSec VPN server that lets wireless clients establish VPN sessions.
Encryption
- Encryption is the transformation of data so that only authenticated parties can decrypt and read it.
- Encryption combines the plaintext with a key to form the ciphertext. Decryption recombines the ciphertext with the key to recreate the plaintext.
- The process of arranging and distributing keys is called key management.
[Figure: the encryption and decryption process]
Encryption
There are two kinds of cipher: stream ciphers and block ciphers.
- Both kinds work by generating a keystream from a secret key value. The keystream is then mixed with the data (plaintext) to produce the encrypted data.
- The two kinds differ in the size of the data they operate on at one time.
Stream ciphers
- A stream cipher is an encryption method that works bit by bit; it generates a continuous keystream based on the key value.
- For example, a stream cipher may generate a keystream of 15 bytes to encrypt one frame and a different keystream of 200 bytes to encrypt another frame.
- A stream cipher is a very efficient encryption algorithm that consumes few resources (CPU).
[Figure: operation of a stream cipher]
Block ciphers
- A block cipher generates a single keystream of a fixed size (64 or 128 bits).
- The character string to be encrypted (the plaintext) is split into blocks, and each block is mixed with the keystream independently. If a plaintext block is smaller than the keystream block, the plaintext is padded to the appropriate size.
[Figure: operation of a block cipher]
Remarks
- The stream and block encryption processes just described are also called Electronic Codebook (ECB) mode.
- This mode has the property that the same input plaintext always produces the same output ciphertext.
- This is exactly the factor an attacker can exploit to recognise patterns in the ciphertext and guess the original plaintext.
WEP (Wired Equivalent Privacy)
- WEP is an encryption system used to protect data on wireless networks. WEP is part of the 802.11 standard and is based on the RC4 encryption algorithm, encrypting data with a 40-bit key.
- Technical features of WEP:
- Access control: denies access to clients that do not have the right key.
- Confidentiality: protects data on the network by encrypting it and letting only clients with the correct WEP key decrypt it.
The WEP algorithm
- The RC4 encryption algorithm is a symmetric algorithm (the same key is used for encryption and decryption).
- WEP is the encryption algorithm used by the shared-key authentication process to authenticate users and to encrypt data on the wireless segment.
[Figure: frame encrypted with WEP]
The WEP algorithm
- To avoid ECB (Electronic Codebook) mode during encryption, WEP uses a 24-bit IV, which is concatenated with the WEP key before being processed by RC4.
- The IV value must change from frame to frame to avoid collisions. An IV collision occurs when the same IV and WEP key are used, with the result that the same keystream is used to encrypt a frame.
The WEP algorithm
- The 802.11 standard requires that the WEP keys configured on the client and on the AP match before they can communicate.
- WEP encryption is used only for data frames and during the shared-key authentication process. WEP encrypts the following fields of a data frame: the data (payload); the Integrity Check Value (ICV).
- All other fields are transmitted unencrypted. The IV is transmitted unencrypted so that the receiving station can use it to decrypt the payload and the ICV.
DIAGRAM OF THE WEP ENCRYPTION PROCESS
[Figure: WEP encryption. The Plaintext passes through the Integrity Algorithm to produce the Integrity Check Value (ICV); Plaintext || ICV forms the Message. The Initialization Vector (IV) and the Secret Key form the Seed fed to the WEP PRNG, which outputs the Key Sequence. Message XOR Key Sequence gives the Ciphertext, which is sent together with the IV.]
DIAGRAM OF THE WEP DECRYPTION PROCESS
[Figure: WEP decryption. The received IV and the Secret Key form the Seed for the WEP PRNG, which regenerates the Key Sequence. Ciphertext XOR Key Sequence recovers the Message, i.e. Plaintext || ICV. The Plaintext is run through the Integrity Algorithm to compute ICV', and the frame is accepted only if ICV' = ICV.]
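As an added example that is not part of the lecture slides, the Python below implements the two WEP diagrams end to end: RC4 is written out in full as the "WEP PRNG" (and checked against the published keystream for the key "Key"), the Integrity Algorithm is CRC-32 (what 802.11 WEP actually uses; the slides only say "integrity algorithm", so this is stated here as an assumption), and the key, IVs and frame contents are constructed test values. A small monitor function shows how a receiver can flag the IV collisions from the previous slide, which, like the ECB property in the remarks slide, make identical inputs produce identical ciphertext.

```python
"""Added example, not from the lecture slides: a working model of the WEP
encryption and decryption diagrams. Assumptions: RC4 is implemented below
as the 'WEP PRNG'; the ICV is CRC-32 (what 802.11 WEP specifies); the key,
IVs and frame contents are constructed test values."""
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key scheduling (KSA) then keystream generation (PRGA).
    In WEP the key passed here is the seed IV || secret key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """Integrity Algorithm box: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encryption diagram: Message = Plaintext || ICV; Key Sequence =
    RC4(IV || Secret Key); Ciphertext = Message XOR Key Sequence.
    The frame carries the IV in the clear in front of the ciphertext."""
    if len(iv) != 3:
        raise ValueError("the WEP IV is 24 bits")
    message = plaintext + icv(plaintext)
    key_sequence = rc4_keystream(iv + secret_key, len(message))
    return iv + xor_bytes(message, key_sequence)


def wep_decrypt(secret_key: bytes, frame: bytes):
    """Decryption diagram: read the cleartext IV, regenerate the Key Sequence,
    recover Plaintext || ICV and compare ICV' with the received ICV.
    Returns (plaintext, icv_ok)."""
    iv, ciphertext = frame[:3], frame[3:]
    key_sequence = rc4_keystream(iv + secret_key, len(ciphertext))
    message = xor_bytes(ciphertext, key_sequence)
    plaintext, received_icv = message[:-4], message[-4:]
    return plaintext, received_icv == icv(plaintext)


def find_iv_reuse(frames) -> list:
    """Monitoring view of the 'IV collision' slide: every frame whose IV has
    already been seen under the same key was encrypted with an identical
    Key Sequence, so a receiver can flag reuse from the cleartext IVs alone."""
    counts = {}
    for frame in frames:
        counts[frame[:3]] = counts.get(frame[:3], 0) + 1
    return sorted(iv for iv, n in counts.items() if n > 1)


# Constructed sample values: a 40-bit WEP key and a few frames.
SAMPLE_KEY = b"\x01\x02\x03\x04\x05"
SAMPLE_FRAMES = [
    wep_encrypt(SAMPLE_KEY, b"\x00\x00\x01", b"frame one payload"),
    wep_encrypt(SAMPLE_KEY, b"\x00\x00\x02", b"frame two payload"),
    wep_encrypt(SAMPLE_KEY, b"\x00\x00\x01", b"frame three reuses the IV"),
]

if __name__ == "__main__":
    print(wep_decrypt(SAMPLE_KEY, SAMPLE_FRAMES[0]))
    print("IVs reused:", find_iv_reuse(SAMPLE_FRAMES))
```

With a 24-bit IV there are only 16,777,216 distinct seeds per key, so on a busy network `find_iv_reuse` will eventually fire even for a well-behaved sender; that exhaustion, together with the unkeyed CRC-32 ICV, is why the later slides move on to TKIP and AES.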
WPA (Wi-Fi Protected Access)
- WPA was designed to replace WEP and has stronger security. The Temporal Key Integrity Protocol (TKIP), also called WPA key hashing, is an improvement built on WEP: it changes the key automatically, which makes it much harder for attackers to recover the network key.
- WPA also improves the authentication and encryption methods. WPA is much more secure than WEP, and WPA uses a better data-integrity check than WEP.
WPA2 (Wi-Fi Protected Access 2)
- WPA2 is a later standard, first certified on 1/9/2004. WPA2 is recommended by the National Institute of Standards and Technology (NIST); WPA2 uses the Advanced Encryption Standard (AES) algorithm.
- WPA2 also offers a very high level of security similar to WPA, protecting users' and administrators' accounts and data. In practice WPA2 provides a stronger encryption system than WPA; WPA2 uses many data encryption algorithms such as TKIP, RC4, AES and a few others. Systems using WPA2 are all compatible with WPA.
Solutions based on the EAS (Enterprise Access Server)
- The overall architecture uses the EAS in Gateway Mode or Controller Mode.
- In Gateway Mode, the EAS is placed between the AP network and the rest of the Enterprise network. The EAS therefore controls all traffic between the wireless and wired networks and acts as a firewall.
[Figure: Enterprise Access Server in Gateway Mode]
- In Controller Mode, the EAS manages the APs and controls access to the wireless network, but it is not involved in carrying user data.
- In this mode, the wireless network can be separated from the wired network by an ordinary firewall, or fully integrated into the Enterprise wired network.
[Figure: Enterprise Access Server in Controller Mode]
Virtual private networks (VPN)
- A method of securing remote access.
- Based on encryption methods and authentication mechanisms.
- Provides a tunnelling mechanism that lets information travel from one system to another.
Virtual private networks (VPN)
Two modes of operation:
- Site-to-Site VPN
- Remote Access
Virtual private networks (VPN)
Technologies used:
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- IPSec
- Public Key Infrastructure (PKI)
- Remote control software
VPN issues
- Increases the bandwidth used on the network
- Installation and maintenance issues
- Issues with the security mechanisms
- Issues with users' skill level
- Compatibility issues
VPN security
- Use the newest security protocols (L2TP, IPSec)
- Use it as a replacement for remote access services (Terminal Services, PC Anywhere, VNC)
- Regularly apply patches for the software and the operating system
- Plan the deployment carefully
RADIUS
Remote Authentication Dial-In User Service
- Used by ISPs for authentication in dial-in services
- Used to perform authentication between network devices such as routers and a Domain Controller (Active Directory, iPlanet, ...)
RADIUS
Properties
- Encrypts only the password
- Widely used
- Simple to install
- Open source
- Uses UDP port 1812
RADIUS
Security
- Use Kerberos encryption for authentication
- Regularly update the software of applications that use RADIUS
TACACS
- Terminal Access Controller Access Control System
- The authentication protocol of UNIX
- Centralized management of user authentication
TACACS
Properties
- Not widespread
- The TACACS+ protocol is not compatible with earlier versions
- Uses TCP port 49
PPTP
Point-to-Point Tunnelling Protocol (PPTP)
- Operates on the client/server model
- Compresses PPP packets
- Uses TCP port 1723 to set up the connection
PPTP
Properties
- The protocol cannot extend its encryption
- Easily exploited for attacks
- Its authentication is a risk that is easy to attack
L2TP
- A combination of the PPTP protocol and Cisco's L2P protocol (Layer 2 Protocol)
- Its encryption method can be extended
- Certificates can be used for both authentication and encryption
L2TP
Properties
- Complex to install
- Some devices are incompatible
- Expensive
- Incompatible with NAT (Network Address Translation)
SSH
Secure Shell
- A remote administration tool that uses a command-line interface (CLI)
- Commonly used as a replacement for Telnet and rlogin
SSH
1. Client requests SSH session with host
2. Client and host perform handshake
3. Client and host exchange and verify session keys
4. Client begins secure session
The 4 steps that set up an SSH session
SSH
Properties
- Uses public-key cryptography for authentication and encryption
- Provides file copy and FTP features
- Developed by several vendors, and also available as open source (OpenSSH)
- Client and server communicate through a tunnel
- Services (mail, web, ...) can exchange information through the tunnel
SSH
Some issues
- Uses a key-holding mechanism for authentication
- The first versions had many bugs
- Security bugs are still being found today
- The CLI interface remains an obstacle for administrators
IPSec
What is IPSec?
- IPSec (Internet Protocol Security) relates to a set of protocols (AH, ESP and several other standards) developed by the Internet Engineering Task Force (IETF).
- The main purpose of developing IPSec is to provide a security mechanism at layer 3 (the Network layer) of the OSI model.
IPSec Security Associations (SA)
A Security Association (SA) is a one-way logical connection between two entities using IPSec services. It covers the authentication protocols, the keys and the algorithms:
- The methods and keys for the authentication algorithms used by the Authentication Header (AH) or Encapsulating Security Payload (ESP) protocols of the IPSec suite.
- The encryption and decryption algorithms and their keys.
- Key-related information, such as the change interval or the lifetime of the keys.
- Information about the SA itself, including the SA source address and its lifetime.
- The use and size of any cryptographic synchronisation (IV), if used.
IPSec Security Associations (SA)
An IPSec SA consists of 3 fields:
- SPI (Security Parameter Index). A 32-bit field used to identify the security protocol, as defined by the Security protocol field. The SPI is usually chosen by the destination system during SA negotiation.
- Destination IP address. The IP address of the destination node. Although it could be a broadcast, unicast or multicast address, current SA management is defined only for unicast systems.
- Security protocol. Describes the IPSec security protocol, which can be AH or ESP.
IPSec Security Protocols
The IPSec suite offers 3 main capabilities:
- Authentication and data integrity. IPSec gives the receiver a way to confirm the authenticity of the sender and to detect any modification of the packet's content. The IPSec protocols provide strong protection against spoofing, sniffing and denial-of-service attacks.
- Confidentiality. The IPSec protocols encrypt data using cryptographic techniques, preventing unauthenticated parties from accessing the data in transit. IPSec also uses mechanisms that hide the IP addresses of the source node (sender) and the destination node (receiver) from eavesdroppers.
IPSec Security Protocols
- Key management. IPSec uses a third protocol, Internet Key Exchange (IKE), to negotiate the security protocols and encryption algorithms before and during the session. Another important part: IPSec distributes and verifies the encryption keys and updates them when required.
- The first two features of the IPSec suite, authentication and integrity, and confidentiality, are provided by two main protocols within the suite: Authentication Header (AH) and Encapsulating Security Payload (ESP). The third feature, key management, belongs to a separate protocol suite that IPSec has adopted because it is a strong key-management service. That protocol is IKE.
Technical details
Two protocols were developed to provide security for packets:
- IP Authentication Header ensures integrity and provides authentication.
- IP Encapsulating Security Payload provides confidentiality, and as an option you can select the authentication and integrity features to ensure data integrity.
The cryptographic algorithms used in IPsec include:
- HMAC-SHA1 for data integrity (integrity protection)
- TripleDES-CBC and AES-CBC for encryption and packet confidentiality
Authentication Header (AH)
- AH is used in connections that do not need data confidentiality.
- AH is an option for defending against replay attacks: it uses the sliding window technique and discards older packets.
- AH protects data in transit over IP. In IPv4 the IP header includes TOS, Flags, Fragment Offset, TTL and Header Checksum.
- AH is placed directly at the head of the IP packet.
Authentication Header (AH)
Fields of the AH header:
- Next header: identifies the protocol used to carry the information.
- Payload length: the size of the AH packet.
- RESERVED: reserved for future use (at present represented by all zeros).
- Security parameters index (SPI): identifies the security parameters; combined with the IP address, it identifies the security association the packet belongs to.
- Sequence number: a number that increases by one with every packet, used to defend against replay attacks.
- Authentication data: contains the Integrity Check Value (ICV) needed to authenticate the packet.
[Figure: AH header layout]
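The sliding-window check that a receiver applies to the Sequence number field, as an added Python example that is not from the lecture slides. It assumes the packet's ICV has already been verified before `check_and_update` is called (a forged sequence number must never move the window), a window of 64 sequence numbers (the RFC 4302 default; the slides give no size), and a constructed packet trace.

```python
"""Added example, not from the lecture slides: the anti-replay sliding window
an IPSec receiver keeps per SA for the AH/ESP Sequence Number field.
Assumptions: the ICV has already been verified; the window size of 64 is
the RFC 4302 default; the sample trace is constructed."""


class AntiReplayWindow:
    """Tracks the highest authenticated sequence number and a bitmap of the
    last `size` numbers. Each sequence number is accepted once; duplicates
    and packets that fell off the window are discarded."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit k set  <=>  sequence number (highest - k) seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if the packet should be accepted,
        False if it is a replay or older than the window."""
        if seq == 0:
            return False                          # the first packet on an SA is 1
        if seq > self.highest:
            # New high-water mark: slide the window right and mark seq as seen.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                   # everything earlier is now outside
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                          # too old: outside the window
        if self.bitmap & (1 << offset):
            return False                          # already received: replay
        self.bitmap |= 1 << offset                # late but legitimate: accept once
        return True


def filter_replays(sequence_numbers, size: int = 64):
    """Run a packet trace through the window; returns (accepted, dropped)."""
    window = AntiReplayWindow(size)
    accepted, dropped = [], []
    for seq in sequence_numbers:
        (accepted if window.check_and_update(seq) else dropped).append(seq)
    return accepted, dropped


if __name__ == "__main__":
    # Constructed trace: reordering (5 before 4), two replays (3, 2), a jump
    # past the window (70) and two packets that are then too old (5, 6).
    print(filter_replays([1, 2, 3, 5, 4, 3, 2, 70, 5, 6]))
```

Reordering inside the window is tolerated, which matters on real paths where packets of one SA take different routes; only exact duplicates and stale packets are dropped. Because the sequence number is covered by the ICV, an attacker cannot simply renumber a captured packet to slip it past this check.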
Encapsulating Security Payload (ESP)
- The ESP protocol provides authentication, integrity and confidentiality for packets.
- ESP also supports configurations for situations that need only the encryption feature or only the authentication feature.
Encapsulating Security Payload (ESP)
- Security parameters index (SPI): identifies the parameters, combined with the IP address.
- Sequence number: increases automatically and serves to defend against replay attacks.
- Payload data: the data being transmitted.
- Padding: used with block ciphers.
- Pad length: the size of the padding.
- Next header: identifies the protocol used to carry the information.
- Authentication data: contains the authentication data for the packet.
[Figure: ESP layout]
IPSec modes
- SAs in IPSec are currently implemented in 2 modes: Transport and Tunnel.
- Both AH and ESP can work in either of these two modes.
[Figure: the two IPSec modes]
Transport Mode
Transport mode protects the upper-layer protocols and the applications. In Transport mode, the IPSec header is inserted between the IP header and the header of the upper-layer protocol.
[Figure: representation of IPSec Transport Modes]
AH Transport mode
[Figure: AH Transport mode]
ESP Transport mode
[Figure: ESP Transport mode]
Tunnel Mode
Tunnel mode protects the entire packet. The whole IP packet is encapsulated in another IP packet, and an IPSec header is inserted between the original header and the new IP header.
[Figure: general representation of IPSec Tunnel Modes]
AH Tunnel mode
In AH Tunnel mode, the new header (AH) is inserted between the new IP header and the original header, as shown in the figure below.
[Figure: AH Tunnel mode]
ESP Tunnel mode
[Figure: ESP Tunnel mode]
Internet Key Exchange
- Essentially known as ISAKMP/Oakley; ISAKMP stands for Internet Security Association and Key Management Protocol.
- IKE helps the communicating parties negotiate the security parameters and authentication keys before an IPSec secure session is deployed.
- Besides negotiating and establishing the security parameters and encryption keys, IKE also modifies those parameters when needed during the session.
- IKE is also responsible for deleting the SAs and keys once a session is complete.
Internet Key Exchange
- The main function of IKE is to establish and maintain SAs.
- The following attributes are the minimum that the two parties must agree on as part of ISAKMP: the encryption algorithm to use; the hash algorithm to use; the authentication method to use; information about the Diffie-Hellman group and algorithm.
- IKE perform discovery, authentication, management and key exchange.
- After successful discovery, the valid SA parameters are stored in the SA database.
Internet Key Exchange
The main advantages of IKE include:
- IKE is not a standalone technology, so it can be used with any security mechanism.
- The IKE mechanism, although not fast, is highly efficient because a large number of security associations are negotiated with just a few messages.
IKE Phases
- Phase I and Phase II are the two phases that make up an IKE-based session.
- During an IKE session, a secure channel is assumed to have been established. This secure channel must be established before any negotiation takes place.
[Figure: the two IKE phases, Phase I and Phase II]
IKE Phase I
IKE Phase I first authenticates the communicating endpoints and then establishes a secure channel for setting up the SA. Next, the communicating parties negotiate a mutual ISAKMP SA, which includes the encryption algorithms, hash functions, authentication methods and keys.
IKE Phase I
- After the encryption algorithms and hash functions have been negotiated, a shared secret key is created. The following information is used to create the secret key: the Diffie-Hellman values; the SPI of the ISAKMP SA, in the form of cookies; random numbers (nonces).
- If both parties agree to use public-key based authentication, they also need to exchange IDs. After exchanging the necessary information, both parties generate their own keyrings using the shared secret. In this way, the encryption keys are generated without any key actually being exchanged over the network.
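The derivation just described, as an added Python example that is not from the lecture slides: each side contributes a Diffie-Hellman value, a cookie and a nonce, and both arrive at the same key although only the public values ever cross the wire. It assumes a toy safe prime p = 1019 with generator g = 2 in place of a real group (IKE uses the RFC-defined MODP groups of 2048 bits and more), and the key derivation HMAC(Ni || Nr, g^xy || CKY-I || CKY-R) follows the shape of IKE's SKEYID for pre-shared-key authentication but is written here for illustration, not as the exact RFC formula.

```python
"""Added example, not from the lecture slides: how IKE Phase I derives a
shared key from Diffie-Hellman values, cookies and nonces without ever
sending the key itself. Assumptions: toy group p = 1019, g = 2 (far too
small for real use; IKE uses 2048-bit+ MODP groups); the derivation
HMAC(Ni || Nr, g^xy || CKY-I || CKY-R) mirrors the shape of SKEYID for
pre-shared keys and is illustrative, not the exact RFC formula."""
import hashlib
import hmac
import secrets

P = 1019   # toy safe prime (2 * 509 + 1), an assumption of this example
G = 2      # generator of the toy group


class IkePeer:
    """One side of the exchange. Only the public value, cookie and nonce leave
    this object; the private exponent stays local."""

    def __init__(self, name: str):
        self.name = name
        while True:
            self._x = secrets.randbelow(P - 2) + 1   # private exponent, never sent
            self.public = pow(G, self._x, P)          # g^x mod p, sent in the clear
            if 1 < self.public < P - 1:              # avoid the trivial values 1 and p-1
                break
        self.cookie = secrets.token_bytes(8)          # ISAKMP cookie (SPI), sent in the clear
        self.nonce = secrets.token_bytes(16)          # nonce, sent in the clear

    def derive_skeyid(self, peer_public: int, peer_cookie: bytes,
                      peer_nonce: bytes, initiator: bool) -> bytes:
        """Compute g^xy locally and mix it with both nonces and both cookies.
        Initiator and responder order the values identically, so they reach
        the same key although the key never crossed the wire."""
        if not 1 < peer_public < P - 1:
            raise ValueError("peer public value out of range")   # rejects 0, 1, p-1
        shared_secret = pow(peer_public, self._x, P)
        if initiator:
            nonces, cookies = self.nonce + peer_nonce, self.cookie + peer_cookie
        else:
            nonces, cookies = peer_nonce + self.nonce, peer_cookie + self.cookie
        return hmac.new(nonces, shared_secret.to_bytes(2, "big") + cookies,
                        hashlib.sha256).digest()


def run_phase1():
    """Drive one exchange. Returns (initiator_key, responder_key, wire), where
    wire lists everything that was transmitted, so it can be inspected."""
    init, resp = IkePeer("initiator"), IkePeer("responder")
    wire = [
        ("initiator -> responder", init.cookie, init.public, init.nonce),
        ("responder -> initiator", resp.cookie, resp.public, resp.nonce),
    ]
    k_i = init.derive_skeyid(resp.public, resp.cookie, resp.nonce, initiator=True)
    k_r = resp.derive_skeyid(init.public, init.cookie, init.nonce, initiator=False)
    return k_i, k_r, wire


if __name__ == "__main__":
    k_i, k_r, wire = run_phase1()
    for direction, cookie, public, nonce in wire:
        print(direction, cookie.hex(), public, nonce.hex())
    print("keys match:", k_i == k_r, k_i.hex())
```

The nonces tie the derived key to this particular run, which is what stops a recorded Phase I from being replayed, and the cookies tie it to the ISAKMP SA being negotiated. With the toy prime an eavesdropper could of course recover x by brute force; the security rests entirely on the group size, which is why IKE negotiates the Diffie-Hellman group as one of the mandatory attributes listed on the earlier slide.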
IKE Phase II
- Phase II deals with establishing the SAs for IPSec. In this phase, SAs for a variety of services are negotiated: the authentication mechanism, the hash function and the encryption algorithm that will protect the subsequent IPSec packets (using AH and ESP).
- Phase II negotiation happens more often than Phase I. Typically, the negotiation is repeated every 4 to 5 minutes. Changing the keys frequently prevents hackers from breaking these keys and, through them, the packet contents.
IKE Modes
The 4 common IKE modes that are usually deployed:
- Main mode
- Aggressive mode
- Quick mode
- New Group mode
Main Mode
Main mode authenticates and protects the identity of the parties involved in the exchange. In this mode, 6 messages are exchanged between the endpoints:
- The first 2 messages are used to negotiate the security policy for the exchange.
- The next 2 messages serve to exchange the Diffie-Hellman keys and nonces. These keys later play an important role in the encryption mechanism.
- The last 2 messages of this mode are used to authenticate the parties, with the help of signatures, hash functions and, optionally, certificates.
Aggressive Mode
Aggressive mode is essentially the same as Main mode. The only difference is that instead of the 6 messages of main mode, this mode exchanges only 3 messages. Aggressive mode is therefore faster than main mode. The messages are:
- The first message is used to propose the security policy and exchange the nonces for the signing and verification that follow.
- The next message answers the first. It authenticates the receiver and completes the security policy with the keys.
- The last message is used to authenticate the sender (or the initiator of the session).
Quick Mode
The third IKE mode, Quick mode, is the mode of Phase II. It is used to negotiate the SA for the IPSec security services.
New Group Mode
- New Group mode is used to negotiate a new private group to enable Diffie-Hellman key exchange.
- Although this mode is performed after Phase I, it is not part of Phase II.
Secure Web Traffic
Secure Sockets Layer
[Figure: security in the TCP/IP model]
The SSL (Secure Sockets Layer) security protocol
- Developed by Netscape
- First version (SSL 1.0): never published
- SSL 2.0: published in 1994, contained many security flaws
- SSL 3.0: published in 1996
- SSL 3.1: 1999, standardized as TLS 1.0 (Transport Layer Security)
- Currently: SSL 3.2 (equivalent to TLS 1.1)
Uses of SSL
- Data encryption and authentication for the web service
- Data encryption and authentication for the mail service (SMTP and POP)
- Security for FTP and other applications
- An SSL implementation is not transparent to the application, unlike IPSec
SSL structure
- SSL Handshake protocol: the handshake protocol, run when the connection starts.
- SSL Change Cipher Spec protocol: the protocol that updates the cipher parameters.
- SSL Alert protocol: the alert protocol.
- SSL Record protocol: the data transfer protocol (performs encryption and authentication).
Connection and session
Connection: a data transfer relationship between two systems at the transport layer.
Session: a security relationship between two systems. One session can create many connections.
Between two systems there can be many connections, so in theory many sessions can exist as well.
Session state
The state of a session is defined by these parameters:
Session identifier: identifies the session.
Peer certificate: the certificate of the peer.
Compression method: the compression algorithm.
Cipher spec: the encryption and authentication parameters.
Master secret: the shared key.
Is resumable: whether the connection can be resumed.
Connection state
The state of a connection is defined by these parameters:
Server and client random: random byte strings.
Server write MAC secret: the shared key for the MAC operation on the server side.
Server write key: the encryption key on the server side.
Client write key: the encryption key on the client side.
IV and sequence number.
The SSL record protocol
Provides two basic services:
Confidentiality
Message integrity
The SSL record protocol
Fragmentation: each block of original data is split into fragments of at most 2^14 bytes.
Compression: compression algorithms may be used to reduce the amount of data transmitted, but deployed implementations rarely accept this step.
The SSL record protocol: computing the authentication code (MAC) (figure)
The SSL record protocol: encryption (figure)
The SSL record protocol: structure of the SSL record header (figure)
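A small model of the record layer just described (fragmentation into pieces of at most 2^14 bytes, the SSL 3.0 MAC bound to the sequence number, and the 5-byte record header), added here as an example; it is not code from the slides. Compression and the encryption step are left out, the MD5 form of the SSL 3.0 MAC is used, and the MAC secret and data are constructed values.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 1 << 14      # the record layer carries at most 2^14 bytes per fragment
CT_APPLICATION_DATA = 23    # SSL/TLS content type for application data
PAD1, PAD2 = b"\x36" * 48, b"\x5c" * 48   # SSL 3.0 MAC padding for the MD5 variant
MAC_LEN = 16

def fragment(data: bytes) -> list:
    """Fragmentation: cut the plaintext into pieces of at most 2^14 bytes."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)]

def sslv3_mac(mac_secret: bytes, seq_num: int, ctype: int, frag: bytes) -> bytes:
    """SSL 3.0 record MAC (MD5 form): hash(secret|pad2|hash(secret|pad1|seq|type|len|fragment)).
    The 64-bit sequence number ties the MAC to this record's position in the connection."""
    inner = hashlib.md5(mac_secret + PAD1
                        + struct.pack(">QBH", seq_num, ctype, len(frag)) + frag).digest()
    return hashlib.md5(mac_secret + PAD2 + inner).digest()

def build_record(mac_secret: bytes, seq_num: int, ctype: int, frag: bytes) -> bytes:
    """5-byte record header (type, version 3.0, length) followed by fragment + MAC.
    A real stack would encrypt fragment + MAC before prepending the header."""
    body = frag + sslv3_mac(mac_secret, seq_num, ctype, frag)
    return struct.pack(">BBBH", ctype, 3, 0, len(body)) + body

def send_records(mac_secret: bytes, data: bytes, seq_num: int = 0) -> list:
    """Sender side: fragment, then MAC each fragment under its own sequence number."""
    return [build_record(mac_secret, seq_num + i, CT_APPLICATION_DATA, f)
            for i, f in enumerate(fragment(data))]

def receive_records(mac_secret: bytes, records: list, seq_num: int = 0) -> bytes:
    """Receiver side: check the header, then recompute the MAC with the expected
    sequence number. A replayed or reordered record fails this check, which is
    what the bad_record_mac alert reports."""
    out = b""
    for rec in records:
        ctype, major, minor, length = struct.unpack(">BBBH", rec[:5])
        body = rec[5:5 + length]
        if (major, minor) != (3, 0) or len(body) != length or len(body) < MAC_LEN:
            raise ValueError("unexpected_message")
        frag, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(mac, sslv3_mac(mac_secret, seq_num, ctype, frag)):
            raise ValueError("bad_record_mac")
        out += frag
        seq_num += 1
    return out
```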
The SSL Change Cipher Spec protocol
Its function is to update the cipher parameters of the current connection.
It consists of a single message of one byte, sent through the SSL record protocol.
The SSL Alert protocol
Some of the alert messages in SSL:
unexpected_message: an inappropriate message was received.
bad_record_mac: the MAC is incorrect.
decompression_failure: decompression did not succeed.
handshake_failure: the security parameters could not be negotiated.
illegal_parameter: a handshake message is invalid.
close_notify: notifies the end of the connection.
no_certificate: no certificate is available to satisfy the request.
bad_certificate: the certificate is invalid (bad signature).
unsupported_certificate: the certificate type is not supported.
certificate_revoked: the certificate has been revoked.
certificate_expired: the certificate has expired.
certificate_unknown: the certificate could not be processed (for reasons other than those above).
The SSL handshake protocol
The most important part of SSL. Its function is to negotiate the security parameters between the two entities.
The handshake must be completed before any data is exchanged.
The SSL handshake consists of 4 phases.
The SSL handshake protocol
Phase 1: (figure)
Phase 2:
Certificate: the server's certificate.
Server_key_exchange: key exchange parameters (***).
Certificate_request: asks the client to send its certificate.
Server_hello_done: ends the server-side negotiation.
Phase 3:
Certificate: the client's certificate.
Client_key_exchange: key exchange parameters (***).
Certificate_verify: information verifying the client's certificate (proves possession of the client's private key PR).
Phase 4:
Change_cipher_spec: updates the cipher parameters.
Finished: the handshake has completed successfully.
The SSL handshake protocol
Key exchange in the SSL handshake:
RSA: the certificate carries the public key PU.
Fixed Diffie-Hellman: Diffie-Hellman with fixed keys.
Ephemeral Diffie-Hellman: Diffie-Hellman with temporary keys.
Anonymous Diffie-Hellman: raw Diffie-Hellman keys, with no authentication.
Attacks on an SSL connection
If the parameters of the Diffie-Hellman key exchange can be intercepted, the secret key can be obtained by a man-in-the-middle attack.
The secret key is then used to decrypt the traffic of the SSL record protocol.
Deploying SSL for the web service
Web clients (Internet browsers) have the SSL protocol built in.
On the server side:
Make sure the server supports SSL (IIS, Apache, ...).
Create and install a certificate for the server.
Bind SSL to all transactions.
Issues with SSL
During authentication both client and server need a PKI.
Common rules for the system must be established.
It affects the performance of the network.
Deployment carries potential problems: deployment approach, system configuration, choice of software, ...
The man-in-the-middle attack.
Ensuring security with SSL
Deploy a PKI.
Regularly update and patch the software in use.
Enforce authentication in transactions between client and server.
Teach users the signs of a man-in-the-middle attack.
Weaknesses of the web client
JavaScript
ActiveX
Cookies
Applets
JavaScript
A piece of code embedded in a web page and executed by the web browser.
Very widely used and useful.
JavaScript
Risks:
Theft of email addresses
Theft of user information
Killing some processes
Consuming CPU and memory
Shutting down the system
Relaying email for spammers
Helping to hijack websites
JavaScript
Countermeasures:
Disable JavaScript execution in the browser.
Regularly update the browser to the latest version.
Check the scripts served by the web server.
ActiveX
ActiveX provides dynamic content for the web browser.
ActiveX can communicate with other applications, accept parameters from the user and provide useful applications to the user.
ActiveX
Risks:
Theft of information.
Attackers can exploit security holes in ActiveX applications to break into and attack the system.
ActiveX
Countermeasures:
Disable ActiveX in the web browser and the mail client.
Filter ActiveX at the firewall.
Instruct users to use only signed ActiveX controls.
Cookies
Cookie files store some of the user's personal information:
Credit card numbers
Username/password
They can be shared by several different websites.
The browser may allow the web server to store the information above.
Cookies
Risks:
An attacker can use Telnet to send whatever cookie strings they want in order to fool the web server.
An attacker can use cookies to steal information about users, the organization and the security configuration of the internal network.
An attacker can use a script injection flaw to plant malicious scripts on the system that send the cookies to the attacker's system instead of the web server.
Cookies
Countermeasures:
Disable cookies in the web browser.
Use tools that delete unneeded cookies.
Configure the web server not to trust cookies stored on the client when they are used to request information, control or services.
Do not store sensitive information in cookies.
Use SSL/TLS.
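As an added example (not code from the slides) of the last three countermeasures: the server keeps user data in its own store, puts only an opaque session id plus an HMAC tag in the cookie, and marks the cookie Secure and HttpOnly so it travels only over SSL/TLS and is not readable by page scripts; the key, cookie name and sample user are constructed.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed server-side secret; it never leaves the server.
SERVER_KEY = b"constructed-server-side-secret"
# Server-side session store: the sensitive data lives here, not in the cookie.
SESSIONS = {}

def _tag(session_id: str, key: bytes) -> str:
    """HMAC-SHA256 over the session id, so a client cannot forge a valid value."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()

def issue_session_cookie(user_id: str, key: bytes = SERVER_KEY) -> str:
    """Return the Set-Cookie value for a new session. The cookie carries only an
    opaque id and its tag, so it contains nothing worth stealing by itself."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = {"user": user_id}
    c = SimpleCookie()
    c["sid"] = f"{session_id}.{_tag(session_id, key)}"
    c["sid"]["secure"] = True       # sent only over SSL/TLS
    c["sid"]["httponly"] = True     # not readable by page scripts (limits theft via injected script)
    c["sid"]["samesite"] = "Strict"
    c["sid"]["path"] = "/"
    return c.output(header="").strip()

def verify_session_cookie(cookie_header: str, key: bytes = SERVER_KEY):
    """Server side: accept the cookie only if its tag matches under the server key
    and the id exists in the store; a hand-typed cookie string fails one of the two.
    Returns the user id, or None when the cookie is missing, malformed or forged."""
    c = SimpleCookie()
    try:
        c.load(cookie_header)
    except Exception:
        return None
    if "sid" not in c or "." not in c["sid"].value:
        return None
    session_id, tag = c["sid"].value.rsplit(".", 1)
    if not hmac.compare_digest(tag, _tag(session_id, key)):
        return None
    session = SESSIONS.get(session_id)
    return session["user"] if session else None
```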
Applets
Small Java programs that can run inside the browser.
Java applets run on the client on top of the Java Virtual Machine (VM), on every operating system that supports it.
Applets
Risks:
Applets can access system resources.
They can be used to forge signatures.
They can be used to install viruses, Trojans and worms.
They can use network resources to attack or probe other networks.
Applets
Countermeasures:
Do not use applets; turn off Java support in browsers.
Inform and instruct users.
Email Security
Email Security
MIME and S/MIME
Issues with S/MIME
PGP and issues with PGP
Risks
Protecting the e-mail system
How electronic mail is sent: the SMTP server
Has many security flaws.
Uses the SMTP protocol (TCP 25) to send mail.
Uses the POP3/IMAP protocols (TCP 110/143) to receive mail.
MIME
Uses text to encode e-mail.
RFC 1521 and RFC 1522.
S/MIME
A newer standard building on MIME (Multipurpose Internet Mail Extensions).
Encrypts e-mail and signs it to identify the sender.
Uses public-key cryptography and is integrated into the common mail clients.
Issues with S/MIME
The sender needs the recipient's public key in order to encrypt.
The recipient needs the sender's public key in order to authenticate the sender.
Users spend extra time on the steps of querying and checking keys with the PKI (Public Key Infrastructure).
PGP
Pretty Good Privacy
A public-key encryption method.
Provides encryption and digital signatures for the content and other information of an e-mail.
Each user is given one public key and one private key.
PGP tools are usually integrated into the mail client or used as a separate program.
Issues with PGP
There are many different application versions today, so they are sometimes incompatible.
Some mail client applications are no longer developed but still have users.
Deployment requires someone in charge of key management.
Risks
Spam:
Advertising e-mail.
Mail bombing.
The sender does not know the recipient at all.
The recipient suffers the annoyance and inconvenience.
A badly configured mail server helps spammers.
Risks
Hoax:
Form: fake warnings about viruses, security problems, ...
Spreads by exploiting users' fear and lack of knowledge.
Level: fairly dangerous.
Risks
Viruses, worms, Trojans:
Most viruses and Trojans today spread through e-mail.
They spread because of users' carelessness and lack of knowledge.
Level: very dangerous.
Risks
Mail relay:
Allows mail to be sent without any checking.
Forgery.
Exploited to send spam.
Protecting the e-mail system
Use S/MIME where possible.
Use mail gateway scanning software.
Configure the mail server properly; no open relay.
Block spam on the server.
Provide user guidance.
Be wary of unfamiliar e-mail with suspicious content.
Security Baselines: Documentation
Document the network security configuration in detail.
Review and revise it whenever something in the network changes.
Security Baselines
List what is needed:
Services
Protocols
Applications
User accounts
File access rights
System access rights
Security Baselines: OS Update
Check for operating system updates regularly.
Deploy WSUS (Windows Update Services).
Security Baselines: Patching
Patches fix flaws in the OS and in software.
Examples:
Windows patches against Blaster and Sasser.
An Oracle patch against 80 vulnerabilities (10/2005).
Patches are released quickly and for specific vulnerabilities; they may not have been fully tested.
Security Baselines: Service Packs
When there are too many patches, the vendor collects them and releases a Service Pack (SP).
Security Baselines: Network Hardening
Apply the bug-fix updates.
An important security step, second only to keeping antivirus up to date.
They are products of the vendors.
Subscribe to the vendor's mailing list to receive complete information early.
Update regularly.
Security Baselines: Network Hardening
Turn off unnecessary services:
Network services
Network applications
Ports
Protocols
Security Baselines: Application Hardening
Manage all of the software that is running.
Make sure it is fully updated and patched.
The security level of a server is only as high as the lowest security level of any application running on it.
Security Baselines: Web server
Remove sample code and sample files.
Deploy a firewall/IDS on the server.
Keep logs.
Use real-time alerting.
Have a backup system, load balancing and a contingency plan.
Security Baselines: Email
An important system that holds a great deal of the company's information.
Install a mail scanning program.
Prevent spam.
Apply patches regularly.
Security Baselines: FTP
An application with no security.
Deploy a VPN or SSH instead.
The accounts should be managed by a separate server.
Scan for viruses regularly.
Security Baselines: DNS
DNS on UNIX platforms often has weaknesses.
Apply patches regularly.
Deploy a backup (secondary) DNS system.
Security Baselines: Configuration
Should be written down as documentation.
Test carefully before putting it into real deployment.
Follow the vendor's guidelines.
Security Baselines: Configuration
Enable/disable services and protocols:
Most network attacks rely on a weakness in some service or protocol, or on network security holes.
Turn off unneeded services to reduce complexity.
Security Baselines: Configuration
Access Control List:
Strengthens authentication.
Defines the permissions of each individual.
Used to log network accesses.