Network Security, Part 4: Application Security (an ninh mạng p 4 Application Security)

Description: study material for a network security course.

5/21/2018, an ninh mạng p 4 Application Security (slide deck, 173 slides)

NETWORK SECURITY

Part IV: Application Security

Securing the application layer

Section 1: Security for remote access (Remote Access Security)

Section 2: Security for web services (Securing web traffic)

Section 3: Security for e-mail services (Email Security)

Section 4: Application Security Baselines

Remote Access Security

Wireless networks

Virtual private networks (VPN)

RADIUS

TACACS

PPTP

L2TP

SSH

IPSec

Wireless networks (wireless LAN)

OVERVIEW OF WIRELESS NETWORKS

Types of wireless networks can be divided as follows:

Wireless LAN (Wifi): connects devices within a small area, such as a classroom, a building, or two nearby buildings. The indoor coverage radius is a few hundred metres; outdoors it is a few kilometres. Typically used in places such as hotels, train stations and schools; uses the 802.11 standard.

Wireless MAN (WiMax): wireless connection between different buildings, or between buildings in the same city, with a coverage radius of up to several tens of kilometres. Typically used in sparsely populated areas or where the terrain is complex.

Wireless network standards

IEEE 802.15: Bluetooth, used in Personal Area Networks (PAN).

IEEE 802.11: Wifi, used for Local Area Networks (LAN).

IEEE 802.16: WiMax (Worldwide Interoperability for Microwave Access), used for Metropolitan Area Networks (MAN).

IEEE 802.20: used for Wide Area Networks (WAN).

WLAN

The network is based on 802.11 technology, so it is sometimes called an 802.11 network or Ethernet; today it is also called Wireless Ethernet or Wi-Fi (Wireless Fidelity).

The 802.11 standard was developed and released by the IEEE in 1997. It comprises 802.11, 802.11a, 802.11b, 802.11b+, 802.11g and 802.11h.

WLAN

802.11: transmission rate of about 1 to 2 Mbps, operating in the 2.4GHz band. The physical layer uses DSSS (Direct Sequence Spread Spectrum) or FHSS (Frequency Hopping Spread Spectrum) for transmission.

802.11a: an extension of the 802.11 standard, providing transmission rates of up to 54 Mbps in the 5 GHz band. It uses Orthogonal Frequency Division Multiplexing (OFDM) modulation. Up to 8 Access Points can be used, whereas in the 2.4GHz band only up to 3 Access Points can be used.

WLAN

802.11b, 802.11b+: provide a transmission rate of 11 Mbps (802.11b) or 22 Mbps (802.11b+), operating in the 2.4 GHz band. Compatible with 802.11 and 802.11g. The rate may also be 1, 2 or 5.5 Mbps.

802.11g: provides a transmission rate of about 20+ Mbps, operating in the 2.4GHz band. Modulation: one of two methods can be used: OFDM (as in 802.11a), with rates of up to 54 Mbps, or DSSS, with a rate limited to 11 Mbps.

802.11h: used in Europe, operating in the 5 GHz band.

WLAN

Advantages of WLAN over traditional wired networks: a wireless network provides all the features of LAN technologies such as Ethernet and Token Ring without the physical connection limits (cable limits).

The first advantage of a wireless network is mobility. A WLAN makes it easy to transfer data between supported devices without the distance and space constraints of an ordinary wired network. Wireless users can connect to the network while moving anywhere within the coverage area of the central device (Access Point).

A WLAN uses infrared light and radio waves (Radio Frequency) to send and receive data instead of twisted-pair and fiber optic cable. Radio is generally more common because it carries farther, longer and wider, with higher bandwidth.

WLAN

Limitations of WLAN: the speed of a wireless network depends on bandwidth. A wireless network is slower than a fixed network, because a standard wireless network must carefully acknowledge received frames to avoid data loss.

Security on wireless networks is the top concern today. Wireless networks are a constant concern because communication on the network is open to anyone within range who has a suitable device. In a traditional fixed network the signal travels inside a cable, so it can be secured more safely. On a wireless network, sniffing is very easy: because the network uses radio waves, the signal can be captured and processed by any receiver within range. In addition, a wireless network has no clear boundary, which makes it very hard to manage.

Technical characteristics of wireless networks

How does a WLAN work? A wireless LAN uses electromagnetic waves (radio or infrared) to exchange information between devices without any physical connection (cable).

In a typical WLAN configuration, a transmitter/receiver device (transceiver) called an Access Point (AP) is connected to the ordinary wired network through an Ethernet cable.

The AP's main function is to receive, store and forward data between the WLAN and the ordinary wired network.

One AP can support a group of users within a certain distance (depending on the type of AP).

Technical characteristics of wireless networks

WLAN users access the network through a wireless NIC, usually in one of the following form factors: PCMCIA for laptops and notebooks; ISA, PCI or USB for desktops; built into handheld devices.

Technical characteristics of wireless networks

The main technology used for wireless networks is based on the IEEE 802.11 standard. Most wireless networks today use the 2.4GHz frequency.

Wireless Network Standards:

IEEE 802.11 standard

Bluetooth

Technical characteristics of wireless networks

802.11 Standard

WLANs operate according to the 802.11 standard, which is regarded as the standard for mobile devices with wireless support and serves devices with a medium operating range. To date IEEE 802.11 comprises 4 standards in the 802.11 family and 1 standard under trial:

Technical characteristics of wireless networks

802.11: the original IEEE wireless standard (operating at 2.4GHz, rate 1 Mbps to 2 Mbps).

802.11b: developed in 1999, operating at 2.4-2.48GHz, rate 1 Mbps to 11 Mbps.

802.11a: developed in 1999, operating at 5GHz to 6GHz, rate 54 Mbps.

802.11g: a standard similar to 802.11b but with a higher rate of 20 Mbps to 54 Mbps; currently the most widespread.

802.11e: a standard under trial: this is only a trial version providing QoS (Quality of Service) and multimedia support for homes and businesses with a wireless network environment.

Technical characteristics of wireless networks

Bluetooth

Bluetooth is a short-range protocol used to connect mobile devices such as mobile phones, laptops, handheld computers, digital cameras, printers, etc.

Bluetooth uses the IEEE 802.15 standard in the 2.4GHz to 2.5GHz band.

Bluetooth is a technology designed to connect mobile devices quickly; it is also a solution for building WPANs and can operate in environments with many different frequencies.

Channels in wireless networks

A wireless network operates on 14 channels (but in practice only one channel transmits at a time).

Channels in wireless networks

Channel layout model for a wireless network. Points to note when installing Access Points:

There must be overlapping areas between the coverage radii of the Access Points.

The channels set on adjacent Access Points must be 5 channels apart.

Wireless network models

Wireless networks (networks based on the 802.11 standard) are designed to be very flexible. There are 3 options when you want to build a wireless network: Independent Basic Service Set (IBSS), Basic Service Set (BSS), Extended Service Set (ESS).

A Basic Service Set (BSS) is a group of devices that communicate between the WLAN and the ordinary wired network through a fixed AP. The WLAN uses radio (RF) to broadcast a signal to the clients (receivers), which must be within the transmission range. Communication between devices goes through the service set identifier (SSID): clients use this SSID to filter the signals they receive from the transmitter.

Wireless network models

Independent BSS / Ad-hoc

In the Independent BSS model, clients communicate directly with one another without going through an AP, but they must be within range.

The smallest 802.11 network of this kind consists of 2 machines communicating directly.

The IBSS model is also known as an ad-hoc network.

Wireless network models

Figure: Independent BSS / ad-hoc network model

Wireless network models

BSS / Infrastructure BSS

In the Infrastructure BSS model, clients that want to communicate must go through a special device called an Access Point (AP).

The AP is the central point that manages all communication in the network; clients cannot communicate directly as in the Independent BSS.

To communicate, clients send their data frames to the AP, and the AP forwards them to the receiving machine.

Wireless network models

Figure: Infrastructure BSS model

Wireless network models

ESS / Extended Service Set

Several BSS models combined together are called an ESS network model.

It is a model that uses 2 or more APs to build the network. The APs connect to one another to form a larger network with wider coverage, which is convenient and responsive for mobile clients and keeps all clients operating.

Wireless network models

Figure: ESS network model

TYPES OF ATTACK ON WLANS

A hacker can attack a WLAN in the following ways:

Passive Attack (eavesdropping)

Active Attack (connecting to, probing and configuring the network)

Jamming Attack

Man-in-the-middle Attack

Passive Attack

A passive attack, or eavesdropping, is the simplest method of attacking a WLAN, yet it is still very effective.

A passive attack leaves no trace that would prove the hacker's presence in the network, because the hacker does not actually connect to the AP in order to listen to the packets transmitted on the wireless segment.

Passive Attack

A WLAN sniffer can be used to collect information about a wireless network from a long distance by using a directional antenna.

This method lets the hacker keep away from the network and leave no trace while still listening and collecting valuable information.

Figure: example of a passive attack

Active Attack

An active attack is used to access servers and obtain valuable data, or to use the business's Internet connection for destructive purposes, or even to change the configuration of the network infrastructure. By connecting to the wireless network through the AP, the hacker can penetrate deeper into the network or change its configuration.

Active Attack

Example: a hacker may add their own MAC address to the allow list of the MAC filter on the AP, or disable the MAC filter altogether, to make later intrusions easier.

Figure: example of an active attack

Jamming Attack

Jamming is a technique used simply to disrupt (shut down) a wireless network.

When a hacker actively jams, they may use a special WLAN device: a high-power RF transmitter or a sweep generator.

Jamming Attack

To eliminate this kind of attack, the first requirement is to locate the source of the RF signal. This can be done with a Spectrum Analyzer.

Figure: jamming attack

Man in the Middle attack

A Man-in-the-middle attack is a case in which the hacker uses an AP to lure mobile nodes by sending them a stronger RF signal than the legitimate AP.

The mobile nodes see an AP with a better RF signal and connect to this rogue AP, sending data, possibly sensitive data, to the rogue AP, where the hacker has full control over it.

Man in the Middle attack

A hacker who wants to carry out this Man-in-the-middle attack must first know the SSID the clients are using (this value is very easy to obtain). Then the hacker must know the WEP key if the network uses WEP.

Figure: Man in the Middle attack

OVERVIEW OF WIRELESS NETWORK SECURITY

Why must wireless networks be secured?

To secure a wireless network you need, at a minimum, the following two components:

Authentication: authenticating users, that is, deciding who may use the WLAN.

Encryption: encrypting data to provide data confidentiality.

Wireless LAN security

A WLAN consists of 3 parts: Wireless Client, Access Points and Access Server.

Wireless Client: typically a laptop with a wireless NIC (Network Interface Card) installed, allowing access to the wireless network.

Access Points (AP): provide radio coverage in an area and connect it to the wireless network.

Access Server: controls access. An Access Server (such as an Enterprise Access Server, EAS) provides control, management and advanced security features for an enterprise wireless network.

Security settings in a WLAN

Device Authorization: wireless clients can be blocked by their hardware address (for example the MAC address).

Encryption: the WLAN also supports WEP, 3DES and the TLS (Transport Layer Security) standard. WEP keys can be generated on a per-user, per-session basis.

Authentication: the WLAN supports mutual authentication (using 802.1x EAP-TLS) to ensure that only authorized wireless clients can access the network.

Firewall: an integrated packet-filtering and port-blocking firewall based on IP chains.

VPN: includes an IPSec VPN server that lets wireless clients establish VPN sessions.

Encryption

Encryption transforms data so that only authenticated parties can decrypt it. The encryption process combines the plaintext with a key to produce ciphertext. Decryption combines the ciphertext with the key to recreate the plaintext.

The process of arranging and distributing keys is called key management.

Figure: the encryption and decryption process

Encryption

There are two kinds of cipher: stream ciphers and block ciphers.

Both kinds work by generating a key stream from a secret key value. The key stream is then mixed with the data (plaintext) to produce the encrypted data.

The two kinds differ in the size of the data they operate on at a time.

Stream ciphers

A stream cipher encrypts bit by bit; it generates the key stream continuously from the key value.

Example: a stream cipher may generate a 15-byte key stream to encrypt one frame and a different 200-byte key stream to encrypt another frame.

A stream cipher is a very efficient encryption algorithm that consumes few (CPU) resources.

Figure: operation of a stream cipher

Block ciphers

A block cipher generates a single key stream of fixed size (64 or 128 bits).

The unencrypted text (plaintext) is split into blocks, and each block is mixed with the key stream independently. If a plaintext block is smaller than the key stream block, the plaintext is padded to the appropriate size.

Figure: operation of a block cipher

Remarks

This way of running stream and block encryption is also called the ECB (Electronic Code Block) mode.

The characteristic of this mode is that the same plaintext input always produces the same ciphertext output.

This is exactly what an attacker can exploit: by recognizing the ciphertext, they can guess the original plaintext.

WEP, Wired Equivalent Privacy

WEP is an encryption system used to secure data on wireless networks. WEP is part of the 802.11 standard; it is based on the RC4 encryption algorithm and encrypts data with a 40-bit key.

Technical characteristics of WEP:

Access control: blocks access by clients that do not have the correct key.

Confidentiality: protects data on the network by encrypting it, so that only clients with the correct WEP key can decrypt it.

The WEP algorithm

The RC4 encryption algorithm is a symmetric algorithm (it uses the same key for encryption and decryption).

WEP is the encryption algorithm used by the shared-key authentication process to authenticate users and to encrypt data on the wireless segment.

Figure: frame encrypted by WEP

The WEP algorithm

To avoid the ECB (Electronic Code Block) mode during encryption, WEP uses a 24-bit IV, which is concatenated with the WEP key before being processed by RC4.

The IV value must change for every frame to avoid collisions. An IV collision occurs when the same IV and WEP key are used: the result is that the same key stream is used to encrypt the frame.

The WEP algorithm

The 802.11 standard requires that the WEP key configured on the client and on the AP match before they can communicate.

WEP encryption is used only for data frames and during the shared-key authentication process. WEP encrypts the following fields of a data frame: the payload, and the Integrity Check Value (ICV).

All other fields are transmitted unencrypted. The IV is transmitted unencrypted so that the receiving station can use it to decrypt the payload and the ICV.
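As an added illustration of the three points above (the ECB observation, the per-frame IV and IV collisions, and which fields WEP encrypts), the following Python code is not from the slides; it implements the WEP frame operations with RC4 and a CRC-32 ICV, plus a defender-side monitor that flags IV reuse. The little-endian ICV packing and the 40-bit key size are assumptions of this example.

```python
import struct
import zlib
from typing import Optional

# Key and IV sizes as described on the slides: 40-bit WEP key, 24-bit IV.
WEP_KEY_LEN = 5
IV_LEN = 3


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream from `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv_of(payload: bytes) -> bytes:
    """ICV = CRC-32 over the plaintext payload; packed little-endian (assumption of this example)."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Return IV || (RC4(IV || key) XOR (payload || ICV)); the IV travels in the clear."""
    if len(wep_key) != WEP_KEY_LEN or len(iv) != IV_LEN:
        raise ValueError("expected a 40-bit key and a 24-bit IV")
    keystream = rc4_keystream(iv + wep_key, len(payload) + 4)
    return iv + xor_bytes(payload + icv_of(payload), keystream)


def wep_decrypt(wep_key: bytes, frame: bytes) -> Optional[bytes]:
    """Strip the IV, regenerate the keystream and verify the ICV; None means the check failed."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    plain = xor_bytes(body, rc4_keystream(iv + wep_key, len(body)))
    payload, received_icv = plain[:-4], plain[-4:]
    return payload if icv_of(payload) == received_icv else None


def ciphertext_of(frame: bytes) -> bytes:
    """The encrypted part of a frame, without the clear-text IV."""
    return frame[IV_LEN:]


def iv_reuse_leaks_plaintext_xor(wep_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames under one IV share a keystream, so c1 XOR c2 == p1 XOR p2 (the IV collision)."""
    c1 = ciphertext_of(wep_encrypt(wep_key, iv, p1))
    c2 = ciphertext_of(wep_encrypt(wep_key, iv, p2))
    n = min(len(p1), len(p2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])


class IvReuseMonitor:
    """Defender-side check: count observed frames whose IV was already seen under this key."""

    def __init__(self) -> None:
        self.seen: set = set()
        self.collisions = 0

    def observe(self, frame: bytes) -> bool:
        iv = frame[:IV_LEN]
        reused = iv in self.seen
        self.seen.add(iv)
        self.collisions += int(reused)
        return reused
```

With a 24-bit IV the monitor will inevitably report collisions on a busy network, which is the practical reason the slides give for moving to TKIP and WPA2.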

WEP ENCRYPTION PROCESS DIAGRAM

Figure: WEP encryption. The Initialization Vector (IV) and the Secret Key form the Seed of the WEP PRNG, which outputs the Key Sequence; the Integrity Algorithm computes the Integrity Check Value (ICV) over the Plaintext Message; Plaintext plus ICV combined with the Key Sequence gives the Ciphertext, which is transmitted together with the IV.

WEP DECRYPTION PROCESS DIAGRAM

Figure: WEP decryption. The received IV and the Secret Key seed the WEP PRNG to regenerate the Key Sequence, which is combined with the Ciphertext to recover the Plaintext Message and the ICV; the Integrity Algorithm recomputes ICV' over the Message, and the frame is accepted only if ICV' = ICV.

WPA, Wi-Fi Protected Access

WPA was designed to replace WEP and offers stronger security. The Temporal Key Integrity Protocol (TKIP), also called WPA key hashing, is an improvement built on WEP: it changes the key automatically, which makes it much harder for attackers to discover the network key.

WPA also improves both the authentication and the encryption methods. WPA is much more secure than WEP, because WPA uses a better data integrity check and protection system than WEP.

WPA2, Wi-Fi Protected Access 2

WPA2 is a later standard, first certified on 1/9/2004. WPA2 is recommended by the National Institute of Standards and Technology (NIST) and uses the Advanced Encryption Standard (AES) encryption algorithm.

WPA2 also provides a very high level of security, similar to WPA, protecting users' and administrators' accounts and data. In practice WPA2 provides stronger encryption than WPA: WPA2 uses many data encryption algorithms such as TKIP, RC4, AES and a few others. Systems that use WPA2 are compatible with WPA.

Solutions based on the EAS

The overall architecture uses the EAS in Gateway Mode or Controller Mode.

In Gateway Mode the EAS sits between the AP network and the rest of the enterprise network. The EAS therefore controls all traffic flows between the wireless and wired networks and acts as a firewall.

Figure: solutions based on the EAS (Gateway Mode)

In Controller Mode, the EAS manages the APs and controls access to the wireless network, but it is not involved in transporting user data.

In this mode the wireless network can be separated from the wired network by an ordinary firewall, or fully integrated into the enterprise wired network.

Figure: Enterprise Access Server model in Controller Mode

Virtual private networks (VPN)

A method of securing remote access.

Based on encryption methods and authentication mechanisms.

Provides a tunnel that allows information to be carried from one network system to another.

Virtual private networks (VPN)

Two modes of operation:

Site-to-Site VPN

Remote Access

Virtual private networks (VPN)

Technologies used: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), IPSec, Public Key Infrastructure (PKI), remote-control software.

Issues with VPNs

Increases the network's bandwidth usage.

Installation and maintenance issues.

Security mechanism issues.

User skill level issues.

Compatibility issues.

Securing VPNs

Use the latest security protocols (L2TP, IPSec).

Use it to replace remote access services (Terminal Services, PC Anywhere, VNC).

Regularly apply patches to the software and the operating system.

Plan the deployment very carefully.

RADIUS

Remote Access Dial-In User Service

Used by ISPs for authentication in dial-in services.

Used to perform authentication between network devices such as routers and a Domain Controller (Active Directory, iPlanet, etc.).

RADIUS

Properties:

Encrypts passwords.

Widely used.

Relatively complex to install.

Open source.

Uses UDP port 1812.

RADIUS

Security: use Kerberos encryption for authentication; regularly update the software of applications that use RADIUS.

TACACS

Terminal Access Controller Access Control System.

The UNIX authentication protocol.

Centralized management of user authentication.

TACACS

Properties:

Not widespread.

The TACACS+ protocol is not compatible with earlier versions.

Uses TCP port 49.

PPTP

Point-to-Point Tunnelling Protocol (PPTP): operates on a client/server model; compresses the data of PPP packets; uses TCP port 1723 to set up the connection.

PPTP

Properties: the protocol cannot extend its encryption; it is easily abused for attacks; its authentication is a risk that is easily attacked.

L2TP

A combination of the PPTP protocol and the L2P protocol (Layer 2 Protocol, Cisco).

The encryption method can be extended.

Certificates can be used for both authentication and encryption.

L2TP

Properties:

Complex to install.

Some devices are not compatible.

Expensive.

Not compatible with NAT (Network Address Translation).

SSH

Secure Shell: a remote-access administration tool that uses the command line (CLI, Command Line Interface).

Commonly used as a replacement for Telnet and rlogin.

SSH

1. Client requests an SSH session with the host

2. Client and host perform a handshake

3. Client and host exchange and verify session keys

4. Client begins the secure session

The four steps that initiate an SSH session

SSH

Properties: uses public-key cryptography for authentication and encryption; provides file copy and FTP features; developed by several vendors and available as open source (OpenSSH); client and server communicate through a tunnel; other services (mail, web, etc.) can exchange information through the tunnel.

SSH

Some issues: it relies on a mechanism for storing authentication keys; the first versions had many bugs; security bugs are still being found today; the CLI interface remains an obstacle for administrators.

IPSec

What is IPSec?

IPSec (Internet Protocol Security). It refers to a set of protocols (AH, ESP and some other standards) developed by the Internet Engineering Task Force (IETF).

The main purpose of developing IPSec is to provide a security mechanism at layer 3 (the Network layer) of the OSI model.

IPSec Security Associations (SA)

Security Associations (SAs) are a unidirectional logical connection between two entities that use IPSec services. An SA carries:

The authentication protocols, keys and algorithms: the mode and keys of the authentication algorithms used by the Authentication Header (AH) or Encapsulating Security Payload (ESP) protocols of the IPSec suite.

The encryption and decryption algorithm and its keys.

Key-related information, such as the change interval or refresh lifetime of the keys.

Information about the SA itself, including the SA source address and its lifetime.

The use and size of any cryptographic synchronization value, if one is used.

IPSec Security Associations (SA)

An IPSec SA consists of 3 fields:

SPI (Security Parameter Index). A 32-bit field used to identify the security protocol, as defined by the Security protocol field. The SPI is usually chosen by the destination system during the SA negotiation.

Destination IP address. The IP address of the destination node. Although it could be a broadcast, unicast or multicast address, the current SA management mechanism is defined only for unicast systems.

Security protocol. Describes the IPSec security protocol, which can be AH or ESP.

IPSec Security Protocols

The IPSec suite offers 3 main capabilities:

Authentication and data integrity. IPSec provides a mechanism for confirming the authenticity of the sender and for the receiver to verify any modification of the packet contents. The IPSec protocols offer strong protection against spoofing, sniffing and denial-of-service attacks.

Confidentiality. The IPSec protocols encrypt data using encryption techniques, preventing unauthenticated parties from accessing the data on its way. IPSec also uses a mechanism that hides the IP addresses of the source node (sender) and destination node (receiver) from eavesdroppers.

IPSec Security Protocols

Key management. IPSec uses a third protocol, Internet Key Exchange (IKE), to negotiate the security protocols and encryption algorithms before and during a session. Another important part: IPSec distributes and verifies the encryption keys and updates those keys when required.

The first two features of the IPSec suite, authentication and integrity, and confidentiality, are provided by the two main protocols of the suite: Authentication Header (AH) and Encapsulating Security Payload (ESP). The third feature, key management, belongs to a different protocol suite that IPSec adopted because it is a strong key management service. That protocol is IKE.

Technical details

Two protocols were developed to provide security for packets:

IP Authentication Header ensures integrity and provides authentication.

IP Encapsulating Security Payload provides confidentiality and, optionally, authentication and integrity to ensure the data has not been altered.

The encryption algorithms used in IPsec include: HMAC-SHA1 for data integrity (integrity protection); TripleDES-CBC and AES-CBC for encryption and packet confidentiality.

Authentication Header (AH)

AH is used in connections that do not require data confidentiality. AH is the choice for defending against replay attacks, using a sliding window and discarding older packets.

AH protects data transmitted over IP. In IPv4, the IP header includes TOS, Flags, Fragment Offset, TTL and Header Checksum.

AH is applied directly in the first part of the IP packet.

Authentication Header (AH)

Next header: identifies the protocol used to carry the information.

Payload length: the size of the AH packet.

RESERVED: reserved for future use (at present it is represented by zeros).

Security parameters index (SPI): identifies the security parameters; combined with the IP address, it identifies the security association associated with the packet.

Sequence number: a number incremented for every packet, used to defend against replay attacks.

Authentication data: contains the Integrity Check Value (ICV) needed to authenticate the packet.

Figure: AH header layout
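The following Python code is an added example, not part of the slides: it parses the AH header fields just listed and implements the per-SA anti-replay sliding window and the SA lookup by (SPI, destination IP, protocol) described earlier. The 64-entry window, the 96-bit ICV and the sample SPI are assumptions of the example; the ICV itself is not verified here.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

AH_FIXED_LEN = 12  # Next Header (1), Payload Length (1), RESERVED (2), SPI (4), Sequence Number (4)


@dataclass
class AHHeader:
    next_header: int
    payload_len: int
    spi: int
    seq: int
    icv: bytes


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Serialize an AH header. Payload Length counts 32-bit words minus 2 (RFC 4302); RESERVED is zero."""
    if len(icv) % 4:
        raise ValueError("ICV must be padded to a 32-bit boundary")
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def parse_ah(data: bytes) -> AHHeader:
    """Parse the fields listed on the slide and reject malformed headers."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    if reserved != 0:
        raise ValueError("RESERVED must be zero")
    total = (payload_len + 2) * 4
    if len(data) < total:
        raise ValueError("AH shorter than its Payload Length claims")
    return AHHeader(next_header, payload_len, spi, seq, data[AH_FIXED_LEN:total])


class ReplayWindow:
    """Anti-replay sliding window for one SA: a sequence number is accepted at most once,
    and numbers that fall behind the window are discarded as 'older packets'."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0     # highest sequence number accepted so far
        self.bitmap = 0  # bit i set => sequence number (top - i) was already accepted

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False  # 0 is never a valid sequence number
        if seq > self.top:  # new high-water mark: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False  # too old: discard
        if (self.bitmap >> diff) & 1:
            return False  # replay of an already accepted number
        self.bitmap |= 1 << diff
        return True


class SADatabase:
    """Inbound SAs keyed by the triple named on the SA slide: (SPI, destination IP, security protocol)."""

    def __init__(self) -> None:
        self.sas: Dict[Tuple[int, str, str], ReplayWindow] = {}

    def add_sa(self, spi: int, dst_ip: str, protocol: str = "AH") -> None:
        self.sas[(spi, dst_ip, protocol)] = ReplayWindow()

    def inbound_ah(self, dst_ip: str, packet: bytes) -> str:
        """Classify an AH packet addressed to dst_ip as accept, replay or no-sa."""
        hdr = parse_ah(packet)
        window = self.sas.get((hdr.spi, dst_ip, "AH"))
        if window is None:
            return "no-sa"
        return "accept" if window.check_and_update(hdr.seq) else "replay"
```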

Encapsulating Security Payload (ESP)

The ESP protocol provides authentication, integrity and confidentiality for packets.

ESP can also be configured for situations where only encryption or only authentication is needed.

Encapsulating Security Payload (ESP)

Security parameters index (SPI): identifies the security parameters, combined with the IP address.

Sequence number: automatically incremented; defends against replay attacks.

Payload data: the data being carried.

Padding: used with block ciphers.

Pad length: the size of the padding.

Next header: identifies the protocol carried.

Authentication data: contains the authentication data for the packet.

Figure: ESP layout

IPSec modes

IPSec SAs are currently deployed in 2 modes: Transport and Tunnel.

Both AH and ESP can work in either mode.

Figure: the two IPSec modes

Transport Mode

Transport mode protects the upper-layer protocols and applications. In Transport mode, the IPSec header is inserted between the IP header and the header of the upper-layer protocol.

Figure: IPSec Transport mode

Figure: AH Transport mode

Figure: ESP Transport mode

Tunnel Mode

Tunnel mode protects the whole packet. The entire IP packet is encapsulated inside another IP packet, and an IPSec header is inserted between the original IP header and the new IP header.

Figure: general IPSec Tunnel mode

AH Tunnel mode

In AH Tunnel mode, the AH header is inserted between the new header and the original header, as shown in the figure below.

ESP Tunnel mode

Internet Key Exchange

Basically known as ISAKMP/Oakley; ISAKMP stands for Internet Security Association and Key Management Protocol. IKE lets the communicating parties negotiate security parameters and authentication keys before an IPSec security session is established.

Besides negotiating and establishing security parameters and encryption keys, IKE also modifies those parameters when necessary during the session. IKE is also responsible for deleting the SAs and keys after a session completes.

Internet Key Exchange

The main function of IKE is to establish and maintain SAs.

The following attributes are the minimum that must be agreed between the two parties as part of ISAKMP: the encryption algorithm used; the hash algorithm used; the authentication method used; the Diffie-Hellman group and algorithm information.

IKE performs discovery, authentication, key management and key exchange.

After discovery succeeds, the valid SA parameters are stored in the SA database.

Internet Key Exchange

The main advantages of IKE include: IKE is not a standalone technology, so it can be used with any security mechanism.

The IKE mechanism, although not fast, is highly efficient because a large number of security associations are negotiated with relatively few messages.

IKE Phases

Phases I and II are the two phases that make up an IKE-based session. An IKE session assumes that a secure channel has already been established. This secure channel must be set up before any negotiation takes place.

Figure: the two IKE phases, Phase I and Phase II

IKE Phase I

IKE Phase I first authenticates the communicating endpoints, then establishes a secure channel for setting up the SA. Next, the parties negotiate a mutually agreed ISAKMP SA, including the encryption algorithms, hash functions, authentication methods and keys.

IKE Phase I

  • 5/21/2018 an ninh ma ng p 4 Application Security

    98/173

    Sau khi cchm ha v hm bmcthathun,mtkha chias b mt c to. Theo sau l nhng thng tin c dng tokha b mt: Gi trDiffie-Hellman SPI caISAKMP SA dngcookies Sngunhin - nonces

    Nu hai bn ng s dng phng php xc thc da trn publickey, chng cng cn trao i IDs. Sau khi trao i cc thng tin cnthit, c hai bn pht sinh nhng key ring ca chnh mnh s dngchng chia s b mt. Theo cch ny, nhng kha m ha cpht sinh m khng cn thc s trao i bt k kha no thng quamng.

    Giai on II ca IKE

- Phase II handles the establishment of the SAs for IPSec. In this phase the SAs used by the different services are negotiated: the authentication mechanism, the hash function and the encryption algorithm that will protect the subsequent IPSec packets (with AH and ESP).
- Phase II negotiation takes place more often than Phase I. Typically it is repeated after a few minutes (4-5 minutes according to these slides; in practice the SA lifetime is a configurable parameter expressed in seconds or kilobytes).
- Frequent rekeying limits how much traffic is exposed if a key is broken and denies the attacker the time needed to break it and read the packet contents.

IKE Modes

- Four IKE modes are commonly deployed:
  - Main mode
  - Aggressive mode
  - Quick mode
  - New Group mode

Main Mode

- Main mode authenticates the parties involved in the exchange and protects their identities. In this mode six messages are exchanged between the endpoints:
  - The first two messages negotiate the security policy for the exchange.
  - The next two messages exchange the Diffie-Hellman public values and the nonces. The keys derived from them play the central role in the encryption mechanism.
  - The last two messages authenticate the parties with the help of signatures, hashes and, optionally, certificates. They are already encrypted, so the identities are not exposed on the wire.

Aggressive Mode

- Aggressive mode is essentially the same as Main mode. The only difference is that instead of the six messages of Main mode only three messages are exchanged, so Aggressive mode is faster than Main mode. The messages are:
  - The first message proposes the security policy and carries the Diffie-Hellman value, the nonce and the initiator's identity, used for the signing and verification that follow.
  - The second message answers the first: it authenticates the responder and completes the security policy with the keying material.
  - The last message authenticates the sender (the initiator of the session).
- Caveat: Aggressive mode sends the identities and the responder's authentication hash unencrypted. With pre-shared-key authentication that hash (HASH_R) can be captured by anyone on the path and brute-forced offline, so Aggressive mode with PSK should not be exposed to untrusted networks.
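The Phase I key derivation and the Aggressive-mode weakness above, as an added example that is not part of the original slides. Both sides derive the same keys from the public Diffie-Hellman values, cookies and nonces without any key crossing the network; an eavesdropper who captured the three Aggressive-mode messages then runs a dictionary attack on the pre-shared key using the HASH_R value sent in the clear. The formulas follow RFC 2409 section 5; the Diffie-Hellman group, the nonces, cookies, SA payload bytes and the wordlist are constructed for the demo and are assumptions, not values from the page.

```python
"""IKEv1 Phase 1 key derivation with pre-shared-key authentication, and the
offline dictionary attack that Aggressive mode exposes (added example)."""
import hashlib
import hmac
import os

# Toy Diffie-Hellman group: Mersenne prime 2^127-1, generator 3 (assumption for the
# demo; real IKE uses a negotiated MODP/ECP group such as group 14).
P = (1 << 127) - 1
G = 3


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf = HMAC with the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def to_bytes(n: int) -> bytes:
    """Fixed-width encoding of a group element."""
    return n.to_bytes(16, "big")


def phase1_psk_keys(psk, ni, nr, cky_i, cky_r, gxy):
    """SKEYID and the three keys derived from it (RFC 2409, section 5)."""
    skeyid = prf(psk, ni + nr)                                        # PSK auth: no g^xy here
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # keying for IPsec SAs
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # ISAKMP SA integrity
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # ISAKMP SA encryption
    return {"skeyid": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def hash_r(skeyid, gxr, gxi, cky_r, cky_i, sai_b, idir_b):
    """Responder's auth hash: HASH_R = prf(SKEYID, g^xr|g^xi|CKY-R|CKY-I|SAi_b|IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def aggressive_exchange(psk, xi, xr, ni, nr, cky_i, cky_r, sai_b, idir_b):
    """Run the Aggressive-mode exchange.  Returns the keys derived by each side and
    the values a passive eavesdropper can read off the wire."""
    gxi, gxr = pow(G, xi, P), pow(G, xr, P)
    # Each side computes g^xy from its own exponent and the peer's public value; the
    # shared secret itself never crosses the network.
    keys_i = phase1_psk_keys(psk, ni, nr, cky_i, cky_r, to_bytes(pow(gxr, xi, P)))
    keys_r = phase1_psk_keys(psk, ni, nr, cky_i, cky_r, to_bytes(pow(gxi, xr, P)))
    wire = {
        "gxi": to_bytes(gxi), "gxr": to_bytes(gxr), "ni": ni, "nr": nr,
        "cky_i": cky_i, "cky_r": cky_r, "sai_b": sai_b, "idir_b": idir_b,
        # Message 2 of Aggressive mode carries HASH_R unencrypted (Main mode only
        # sends the hashes once SKEYID_e is in place).
        "hash_r": hash_r(keys_r["skeyid"], to_bytes(gxr), to_bytes(gxi),
                         cky_r, cky_i, sai_b, idir_b),
    }
    return keys_i, keys_r, wire


def crack_psk(wire, wordlist):
    """Offline dictionary attack: every input to HASH_R except the PSK was captured,
    and SKEYID for PSK authentication does not depend on the DH secret at all."""
    for guess in wordlist:
        skeyid = prf(guess, wire["ni"] + wire["nr"])
        h = hash_r(skeyid, wire["gxr"], wire["gxi"], wire["cky_r"], wire["cky_i"],
                   wire["sai_b"], wire["idir_b"])
        if hmac.compare_digest(h, wire["hash_r"]):
            return guess
    return None


if __name__ == "__main__":
    rnd = os.urandom
    keys_i, keys_r, wire = aggressive_exchange(
        b"vpn2005", int.from_bytes(rnd(16), "big"), int.from_bytes(rnd(16), "big"),
        rnd(16), rnd(16), rnd(8), rnd(8), b"\x00\x00\x00\x01SA-proposal", b"\x01gw.example")
    assert keys_i == keys_r                      # both ends hold identical SKEYID_d/a/e
    print("cracked PSK:", crack_psk(wire, [b"password", b"letmein", b"vpn2005"]))
```

The attacker never needs the Diffie-Hellman secret: for PSK authentication SKEYID depends only on the pre-shared key and the two nonces, and the nonces, cookies, SA proposal and identity are all visible in Aggressive mode. In Main mode the same hash is sent only after the channel is encrypted with SKEYID_e, which is why the slides' "protects the identities" property matters.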

Quick Mode

- The third IKE mode, Quick mode, is the Phase II mode. It is used to negotiate the SAs for the IPSec security services, protected by the ISAKMP SA set up in Phase I.

New Group Mode

- New Group mode is used to negotiate a new private Diffie-Hellman group, i.e. to define the parameters of the Diffie-Hellman exchange to be used.
- Although this mode can only be run after Phase I, it is not part of Phase II.

Secure Web Traffic

Secure Sockets Layer

Security in the TCP/IP model (figure)

The SSL security protocol (Secure Sockets Layer)

- Developed by Netscape.
- First version (SSL 1.0): never published.
- SSL 2.0: published in 1994, contained many security flaws.
- SSL 3.0: published in 1996.
- SSL 3.1: 1999, standardized as TLS 1.0 (Transport Layer Security).
- SSL 3.2 (the wire version number of TLS 1.1, 2006) was current when these slides were written. Since then TLS 1.2 (2008, version 3.3) and TLS 1.3 (2018) have been standardized; SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are all deprecated (RFC 6176, RFC 7568, RFC 8996) and should be disabled on servers.

Uses of SSL

- Encryption and authentication for the web service (HTTPS).
- Encryption and authentication for mail services (SMTP and POP).
- Security for FTP and other applications.
- Unlike IPSec, SSL is not transparent to the application: the application (or the library it uses) has to be written to use it.

SSL structure

SSL structure (figure)

- SSL Handshake protocol: the handshake, performed when the connection starts.
- SSL Change Cipher Spec protocol: switches to the newly negotiated cipher parameters.
- SSL Alert protocol: warnings and errors.
- SSL Record protocol: data transfer (performs the encryption and the MAC authentication).

Connection and session

- Connection: a data-transfer relationship between two systems at the transport layer; every connection belongs to one session.
- Session: a security relationship between two systems, created by the handshake. One session can carry several connections, which reuse the session's master secret instead of repeating the full handshake.
- In theory several sessions can exist between the same two systems at the same time; in practice this is not used.

Session state

- The session state is defined by the following parameters:
  - Session identifier: identifies the session.
  - Peer certificate: the X.509 certificate of the peer.
  - Compression method: the compression algorithm.
  - Cipher spec: the encryption and MAC parameters.
  - Master secret: the 48-byte shared secret.
  - Is resumable: whether the session may be used to open new connections.

Connection state

- The connection state is defined by the following parameters:
  - Server and client random: random byte strings chosen for each connection.
  - Server write MAC secret: the key used for MAC operations on data sent by the server.
  - Client write MAC secret: the key used for MAC operations on data sent by the client.
  - Server write key: the encryption key for data sent by the server.
  - Client write key: the encryption key for data sent by the client.
  - IVs and sequence numbers.

The SSL Record protocol

- Provides two basic services:
  - Confidentiality
  - Message integrity

- Fragmentation: each block of application data is split into fragments of at most 2^14 bytes.
- Compression: compression algorithms may be used to reduce the amount of data sent, but implementations generally do not accept it. (Record-layer compression leaks plaintext through the ciphertext length, the CRIME attack, and was removed from TLS 1.3.)

Generating the MAC (figure)

Encryption (figure)

Structure of the SSL record header (figure: content type, major/minor version, length)
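The session-state / connection-state distinction and the record-protocol MAC above, as an added example that is not part of the original slides. It uses the TLS 1.2 formulas (RFC 5246 sections 5, 6.2 and 6.3; SSL 3.0's key derivation and MAC differ in detail): the session's master secret is derived once from the pre-master secret and the two random values, every connection of that session expands it into fresh write keys, and each record's MAC covers the sequence number, content type, version and length as well as the fragment. The cipher-suite sizes (HMAC-SHA256, 16-byte AES key and IV) and all sample inputs are assumptions.

```python
"""TLS 1.2 key schedule (session master secret -> per-connection write keys) and
record-layer MAC (added example)."""
import hashlib
import hmac

MAX_FRAGMENT = 1 << 14          # 2^14 bytes, the record-layer fragment limit
TLS12 = b"\x03\x03"             # version bytes TLS 1.2 puts in the record header


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256(secret, seed) = HMAC(secret, A(1)+seed) | HMAC(secret, A(2)+seed) | ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Session state: one 48-byte master secret per session."""
    return tls_prf(pre_master, b"master secret", client_random + server_random, 48)


def connection_keys(master: bytes, client_random: bytes, server_random: bytes,
                    mac_len: int = 32, key_len: int = 16, iv_len: int = 16) -> dict:
    """Connection state: fresh write keys for every connection of the session.
    Note the seed order (server_random first) differs from the master-secret seed."""
    block = tls_prf(master, b"key expansion", server_random + client_random,
                    2 * (mac_len + key_len + iv_len))
    names = ["client_write_MAC_key", "server_write_MAC_key", "client_write_key",
             "server_write_key", "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def record_mac(mac_key: bytes, seq_num: int, content_type: int, fragment: bytes) -> bytes:
    """MAC(key, seq_num(8) | type(1) | version(2) | length(2) | fragment)."""
    if len(fragment) > MAX_FRAGMENT:
        raise ValueError("fragment exceeds 2^14 bytes; fragment first")
    header = (seq_num.to_bytes(8, "big") + bytes([content_type]) + TLS12
              + len(fragment).to_bytes(2, "big"))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


def verify_record(mac_key: bytes, seq_num: int, content_type: int,
                  fragment: bytes, mac: bytes) -> bool:
    """Receiver side: a modified, replayed or reordered record fails the check.  The
    sequence number is implicit (kept by both ends, never sent) but covered by the MAC."""
    return hmac.compare_digest(record_mac(mac_key, seq_num, content_type, fragment), mac)


if __name__ == "__main__":
    pre_master = b"\x03\x03" + bytes(46)           # constructed pre-master secret
    cr1, sr1 = b"\x11" * 32, b"\x22" * 32          # first connection's randoms
    ms = master_secret(pre_master, cr1, sr1)       # session state
    first = connection_keys(ms, cr1, sr1)          # connection state, connection 1
    resumed = connection_keys(ms, b"\x33" * 32, b"\x44" * 32)  # resumed: same master, new keys
    print("same master secret, different write keys:", first != resumed)
    mac = record_mac(first["client_write_MAC_key"], 0, 23, b"GET / HTTP/1.1\r\n")
    print("tampered record accepted:",
          verify_record(first["client_write_MAC_key"], 0, 23, b"GET /x HTTP/1.1\r\n", mac))
```

In SSL 3.0 and TLS 1.0-1.2 the MAC is computed first and then encrypted together with the fragment (MAC-then-encrypt); the CBC padding oracles this enables (POODLE, Lucky 13) are one reason TLS 1.3 switched to AEAD ciphers.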

The SSL Change Cipher Spec protocol

- Its function is to update the cipher parameters of the current connection (the pending state becomes the current state).
- It consists of a single 1-byte message, sent through the SSL Record protocol.

The SSL Alert protocol

- Some of the alert messages in SSL:
  - Unexpected_message: inappropriate message.
  - Bad_record_mac: incorrect MAC.
  - Decompression_failure: decompression failed.
  - Handshake_failure: the security parameters could not be negotiated.
  - Illegal_parameter: a handshake message was invalid.
  - Close_notify: notifies the end of the connection.
  - No_certificate: no certificate is available to answer the request.
  - Bad_certificate: the certificate is invalid (bad signature).
  - Unsupported_certificate: unsupported certificate type.
  - Certificate_revoked: the certificate has been revoked.
  - Certificate_expired: the certificate has expired.
  - Certificate_unknown: the certificate could not be processed (for a reason other than the above).

    Giao thc SSL handshake

  • 5/21/2018 an ninh ma ng p 4 Application Security

    123/173

    L phnquan trngnhtcaSSL. C chc nng tha thut cc thng s bo mt

    giahai thcth.

    Thtcbt tay phicthchintrckhi trao

    idliu. SSL handshake gm4 giai on(phase).

- Phase 1 (establish security capabilities): Client_hello and Server_hello carry the protocol version, random value, session ID, cipher suites and compression methods.
- Phase 2 (server authentication and key exchange):
  - Certificate: the server's certificate.
  - Server_key_exchange: key exchange parameters (see the key exchange methods below).
  - Certificate_request: asks the client to send its certificate.
  - Server_hello_done: end of the server's part of the negotiation.
- Phase 3 (client authentication and key exchange):
  - Certificate: the client's certificate.
  - Client_key_exchange: key exchange parameters (see below).
  - Certificate_verify: proves that the client holds the private key (PR) matching its certificate.
- Phase 4 (finish):
  - Change_cipher_spec: switch to the negotiated cipher parameters.
  - Finished: confirms that the handshake completed successfully; it is the first message protected with the new keys and carries a hash over all previous handshake messages.

Key exchange in the SSL handshake

- RSA: the certificate carries the server's public key (PU); the client encrypts the pre-master secret with it.
- Fixed Diffie-Hellman: Diffie-Hellman with fixed keys (the DH public value is contained in the certificate).
- Ephemeral Diffie-Hellman: Diffie-Hellman with temporary keys, signed with the private key of the certificate; gives forward secrecy.
- Anonymous Diffie-Hellman: raw, unauthenticated Diffie-Hellman values.

Attacks on the SSL connection

- With anonymous Diffie-Hellman the public values are not authenticated. An attacker who can intercept and replace the Diffie-Hellman parameters sets up separate keys with each side (man-in-the-middle) and thereby obtains the secret keys of both.
- Those keys are then used to decrypt the data of the SSL Record protocol.
- Signed (ephemeral) Diffie-Hellman and RSA key exchange defeat this as long as the client verifies the server certificate; a client that accepts an untrusted certificate is exposed again.
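The man-in-the-middle attack on unauthenticated Diffie-Hellman described above, and why signing the server's DH value stops it, as an added example that is not part of the original slides. With anonymous DH the attacker substitutes g^xm for both public values and ends up sharing a key with each side; with a signed ServerKeyExchange (the Ephemeral Diffie-Hellman method) the client rejects any DH value that does not carry a valid signature over the two randoms and the value. The DH group and the textbook-RSA signing key are toy parameters chosen for the demo, not real TLS parameters; a real server signs with its certificate's 2048-bit RSA or 256-bit ECDSA key.

```python
"""Anonymous DH falls to a man-in-the-middle; signed DH does not (added example)."""
import hashlib

# Toy DH group (assumption): Mersenne prime 2^127-1, generator 3.
P = (1 << 127) - 1
G = 3
# Toy RSA "certificate" key (assumption): n = M31 * M61, e = 65537.
RSA_P, RSA_Q, RSA_E = (1 << 31) - 1, (1 << 61) - 1, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # private exponent, only the server has it


def dh_public(x: int) -> int:
    return pow(G, x, P)


def session_key(peer_public: int, x: int) -> bytes:
    """Both sides hash g^xy into the session key (stand-in for the TLS PRF)."""
    return hashlib.sha256(pow(peer_public, x, P).to_bytes(16, "big")).digest()


def sign(message: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % RSA_N
    return pow(h, RSA_D, RSA_N)


def verify(message: bytes, signature: int) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % RSA_N
    return pow(signature, RSA_E, RSA_N) == h


def server_key_exchange(client_random: bytes, server_random: bytes, xs: int):
    """ServerKeyExchange: the DH public value plus a signature over the randoms and it."""
    gxs = dh_public(xs)
    return gxs, sign(client_random + server_random + gxs.to_bytes(16, "big"))


def anonymous_dh_mitm(xc: int, xs: int, xm: int) -> bool:
    """Client and server exchange bare DH values; the attacker replaces both with g^xm.
    Returns True when the attacker ends up holding both session keys."""
    gxc, gxs, gxm = dh_public(xc), dh_public(xs), dh_public(xm)
    k_client = session_key(gxm, xc)     # client believes gxm came from the server
    k_server = session_key(gxm, xs)     # server believes gxm came from the client
    # The attacker computes the same two keys from its own exponent and can now
    # decrypt each side's records and re-encrypt them for the other side.
    return k_client == session_key(gxc, xm) and k_server == session_key(gxs, xm)


def client_accepts(client_random: bytes, server_random: bytes, gx: int, signature: int) -> bool:
    """Signed DH: the client checks the signature with the certificate's public key
    before using gx, so a substituted value without a valid signature is rejected."""
    return verify(client_random + server_random + gx.to_bytes(16, "big"), signature)


if __name__ == "__main__":
    xc, xs, xm = 1234567, 7654321, 999999              # constructed private exponents
    print("anonymous DH: attacker holds both keys:", anonymous_dh_mitm(xc, xs, xm))
    cr, sr = b"c" * 32, b"s" * 32
    gxs, sig = server_key_exchange(cr, sr, xs)
    print("signed DH: genuine value accepted:", client_accepts(cr, sr, gxs, sig))
    print("signed DH: substituted g^xm accepted:", client_accepts(cr, sr, dh_public(xm), sig))
```

Including both random values under the signature is what prevents an attacker from replaying a previously captured, validly signed ServerKeyExchange into a new handshake.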

Deploying SSL for the web service

- Web clients (browsers) have SSL built in.
- Server side:
  - Make sure the server supports SSL (IIS, Apache, ...).
  - Create and install a certificate for the server.
  - Require SSL for all transactions (redirect HTTP to HTTPS and send an HSTS header so the browser refuses to fall back).

SSL issues

- For mutual authentication both the client and the server need a PKI.
- Common policies must be defined for the whole system.
- It affects the performance of the network system.
- Deployment has potential problems: how to deploy, system configuration, choice of software, ...
- The man-in-the-middle attack.

Keeping SSL secure

- Deploy a PKI.
- Regularly update and patch the software in use.
- Require certificate-based authentication in the exchange between client and server.
- Train users to recognise the signs of a man-in-the-middle attack (certificate warnings, an unexpected change of certificate).

Weaknesses of the web client

- JavaScript
- ActiveX
- Cookies
- Applets

JavaScript

- A piece of code embedded in the web page and executed by the browser.
- Very widely used and useful.
- Risks (most of these depend on browser bugs in old browsers; a current browser confines scripts to a sandbox and the same-origin policy, and the realistic risk is script injected into a trusted page):
  - theft of e-mail addresses
  - theft of user information
  - killing processes
  - consuming CPU and memory
  - shutting down the system
  - relaying e-mail for spam
  - assisting in hijacking the website
- Countermeasures:
  - Disable JavaScript execution in the browser.
  - Regularly update to the latest version of the browser.
  - Check the scripts served by the web server.

ActiveX

- ActiveX provides dynamic content for the web browser.
- ActiveX controls can talk to other applications, receive parameters from the user and provide useful applications to the user; they run as native code with the user's privileges, not in a sandbox.
- Risks:
  - theft of information
  - an attacker can exploit vulnerabilities in ActiveX controls to break into and attack the system
- Countermeasures:
  - Disable ActiveX in the web browser and in the mail client.
  - Filter ActiveX at the firewall.
  - Tell users to run only signed (authenticated) ActiveX controls.

Cookies

- Cookie files store some of the user's personal information:
  - credit card numbers
  - username / password
- They can be shared across several different websites.
- The browser allows the web server to store this information.
- Risks:
  - An attacker can send any cookie value they like (for example by typing the HTTP request by hand over Telnet) to fool the web server; cookie contents are entirely under the client's control.
  - An attacker can use cookies to steal information about users, about the organisation and about the security configuration of the internal network.
  - An attacker can use a script injection (XSS) flaw to plant a malicious script that sends the cookies to their own system instead of to the web server.
- Countermeasures:
  - Disable cookies in the web browser.
  - Use tools that delete unneeded cookies.
  - Configure the web server not to trust cookie contents as the basis for requests for information, control or services from the client.
  - Do not store sensitive information in cookies.
  - Use SSL/TLS, and set the Secure, HttpOnly and SameSite attributes on the cookie.
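One way to apply the cookie countermeasures above on the server side, as an added example that is not part of the original slides. The cookie holds only an opaque session id plus an HMAC tag, so a client that types its own cookie over Telnet cannot forge or alter one, the server keeps the sensitive data, and the Secure, HttpOnly and SameSite attributes keep the cookie off plaintext HTTP, away from document.cookie and out of cross-site requests. SERVER_KEY, the cookie name and the sample headers are assumptions for the demo.

```python
"""Issuing and validating a session cookie the server can trust (added example)."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SERVER_KEY = b"rotate-me-and-keep-me-out-of-the-repo"   # assumption: server-side secret
COOKIE_NAME = "sid"


def new_session_id() -> str:
    """Opaque, unguessable id; the real session data stays server-side."""
    return secrets.token_hex(16)


def sign_value(session_id: str) -> str:
    """value = session_id.hmac ; only the holder of SERVER_KEY can mint or change it."""
    tag = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def verify_value(value: str):
    """Return the session id if the tag is valid, otherwise None (treat as no session)."""
    session_id, sep, tag = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return session_id if hmac.compare_digest(expected, tag) else None


def set_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie header value with the hardening attributes."""
    c = SimpleCookie()
    c[COOKIE_NAME] = sign_value(session_id)
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["secure"] = True        # only sent over SSL/TLS
    c[COOKIE_NAME]["httponly"] = True      # not readable by document.cookie (XSS exfiltration)
    c[COOKIE_NAME]["samesite"] = "Strict"  # not sent on cross-site requests
    return c.output(header="").strip()


def session_from_request(cookie_header: str):
    """Server side: parse the client's Cookie header and validate the session cookie.
    Anything the client made up (or tampered with) yields None."""
    c = SimpleCookie()
    c.load(cookie_header)
    if COOKIE_NAME not in c:
        return None
    return verify_value(c[COOKIE_NAME].value)


if __name__ == "__main__":
    sid = new_session_id()
    print("Set-Cookie:", set_cookie_header(sid))
    print("valid cookie   ->", session_from_request(f"{COOKIE_NAME}={sign_value(sid)}"))
    print("forged cookie  ->", session_from_request(f"{COOKIE_NAME}=admin"))
    print("altered cookie ->", session_from_request(f"{COOKIE_NAME}={sid}.0000"))
```

The signature stops forgery, not theft: a cookie captured from a plaintext connection or via XSS still replays, which is what the Secure and HttpOnly attributes and a short server-side session lifetime are for.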

Applets

- Small Java programs that can run inside the browser.
- Java applets run on the client inside the Java Virtual Machine (JVM), on every operating system that supports it.
- Risks:
  - Applets may access system resources.
  - The signature may be spoofed.
  - They may be used to install viruses, trojans and worms.
  - They may use network resources to attack or probe other networks.
- Countermeasures:
  - Do not use applets; turn off Java support in the browsers.
  - Inform and train users.
- Note: applets are obsolete. Browsers dropped the NPAPI plugin they required, the Java browser plugin was removed in Java 11, and the Applet API is deprecated for removal.

Email Security

- E-mail
- MIME
- S/MIME
- S/MIME issues
- PGP
- PGP issues
- Threats
- Protecting the e-mail system

E-Mail

- Mail delivery technique: the SMTP server, which historically has had many security flaws.
- The SMTP protocol (TCP port 25) is used to send mail.
- The POP3/IMAP protocols (TCP ports 110/143) are used to retrieve mail.
- All three carry credentials and content in the clear unless wrapped in SSL/TLS (SMTP over TLS on 465 or with STARTTLS, POP3S on 995, IMAPS on 993).

MIME

- Encodes non-text content as text so that it can be carried in e-mail; it provides no confidentiality.
- RFC 1521 and RFC 1522 (since superseded by RFC 2045 to RFC 2049).

S/MIME

- A secure extension of MIME (Multipurpose Internet Mail Extensions).
- Encrypts and signs the e-mail to provide confidentiality and authenticity.
- Uses public-key cryptography and is integrated into the common mail clients.

S/MIME issues

- The sender must have the recipient's public key in order to encrypt.
- The recipient must have the sender's public key in order to authenticate the sender.
- Users spend extra time on the lookups and key verifications against the PKI (Public Key Infrastructure).

PGP

- Pretty Good Privacy.
- A public-key encryption scheme.
- Provides digital signatures and encryption of the content and the other parts of the e-mail.
- The user is provided with a public key and a private key.
- PGP tools are usually integrated into the mail client or used as a separate program.

PGP issues

- Many different application versions exist, so they are sometimes incompatible.
- Some mail client applications are no longer developed but are still in use.
- Deployment requires someone to be responsible for key management.

Threats

- Spam
  - Advertising e-mail.
  - Mail bombs.
  - The sender does not know the recipient at all.
  - The recipient suffers the annoyance and nuisance.
  - A badly configured mail server assists the spammers (see mail relay below).
- Hoax
  - Form: fake warnings about viruses, security problems, ...
  - Spreads by relying on the fear and lack of knowledge of users.
  - Level: quite dangerous.
- Virus, worm, Trojan
  - Most of today's viruses and trojans spread through e-mail.
  - Spread by relying on the carelessness and lack of knowledge of users.
  - Level: very dangerous.
- Mail relay
  - Allows mail to be sent without any check (open relay).
  - Forgery.
  - Exploited to send spam.

Protecting the e-mail system

- Use S/MIME where possible.
- Use mail gateway scanning software.
- Configure the mail server properly; never be an open relay.
- Block spam on the server.
- Give users guidance.
- Be wary of unfamiliar e-mail with suspicious content.

Security Baselines: documentation

- Document the network's security configuration in detail.
- Review and correct it whenever there is a change in the network.

Security Baselines: list what is needed

- Services
- Protocols
- Applications
- User accounts
- File access rights
- System access rights

Security Baselines: OS updates

- Check for operating system updates regularly.
- Deploy WSUS (Windows Server Update Services).

Security Baselines: patching

- Patches fix flaws in the OS and in software.
- Examples:
  - Windows patches against Blaster and Sasser.
  - An Oracle patch against 80 vulnerabilities (10/2005).
- Patches are released quickly, for specific vulnerabilities, and may not be fully tested; test them before rolling them out.

Security Baselines: service packs

- When too many patches have accumulated, the vendor bundles them and releases a Service Pack (SP).

Security Baselines: network hardening

- Apply the fixes and patches.
- After keeping systems maintained, the next important security step is protection against viruses.
- Patches are products of the vendors.
- Subscribe to the vendors' mailing lists to get early and complete information.
- Update regularly.

Security Baselines: network hardening

- Turn off unneeded services:
  - network services
  - network applications
  - ports
  - protocols
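The "list what is needed" and "turn off unneeded services and ports" steps above, turned into a repeatable check, as an added example that is not part of the original slides. It parses the output of `ss -tlnp` (Linux; `netstat -tlnp` gives similar lines) and reports every listening port that is not in the documented baseline, every baseline port that is missing, and loopback-only listeners separately. The baseline and the sample output are constructed for the demo and are assumptions.

```python
"""Compare a host's listening TCP ports with the documented baseline (added example)."""
import re

# Baseline for this host (assumption): port -> expected process name.
BASELINE = {22: "sshd", 80: "nginx", 443: "nginx"}

# Constructed `ss -tlnp` output for the demo; on a real host feed the command's output in.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1377,fd=4))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1410,fd=21))
LISTEN  0       128     [::]:23              [::]:*             users:(("telnetd",pid=1502,fd=3))
"""

_PROC = re.compile(r'\(\("([^"]+)"')


def parse_listeners(ss_output: str):
    """Yield (address, port, process) for each LISTEN line of `ss -tlnp` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")     # handles "[::]:23" as well as "0.0.0.0:22"
        m = _PROC.search(line)
        yield addr, int(port), (m.group(1) if m else "?")


def audit_listeners(ss_output: str, baseline=BASELINE) -> dict:
    """Compare actual listeners with the baseline.  A port is fine only if the expected
    process owns it; loopback-only listeners are reported separately (not reachable from
    the network, but still undocumented)."""
    unexpected, loopback_only, seen = [], [], set()
    for addr, port, proc in parse_listeners(ss_output):
        seen.add(port)
        if baseline.get(port) == proc:
            continue
        target = loopback_only if addr in ("127.0.0.1", "[::1]") else unexpected
        target.append({"port": port, "process": proc, "address": addr})
    missing = sorted(p for p in baseline if p not in seen)
    return {"unexpected": unexpected, "loopback_only": loopback_only, "missing": missing}


if __name__ == "__main__":
    report = audit_listeners(SAMPLE_SS_OUTPUT)
    for item in report["unexpected"]:
        print(f"UNEXPECTED  {item['address']}:{item['port']}  ({item['process']}) - disable or add to baseline")
    for item in report["loopback_only"]:
        print(f"LOOPBACK    {item['address']}:{item['port']}  ({item['process']}) - document it")
    for port in report["missing"]:
        print(f"MISSING     baseline port {port} ({BASELINE[port]}) is not listening")
```

Run it from a scheduled job and alert on any non-empty "unexpected" list: that is the practical form of the slides' "review the documentation whenever the network changes".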

Security Baselines: application hardening

- Manage all of the software that is running.
- Make sure it is fully updated and patched.
- The security level of a server is only as high as the lowest security level of any application running on it.

Security Baselines: web server

- Delete sample code and sample pages.
- Deploy a firewall / IDS on the server.
- Keep logs.
- Apply real-time alerting.
- Have a backup system that keeps copies offline and in a separate location.

Security Baselines: e-mail

- An important system that holds a lot of the company's information.
- Install mail scanning software.
- Prevent spam.
- Apply patches regularly.

Security Baselines: FTP

- An application with no security: credentials and data travel in the clear.
- Deploy a VPN or SSH (SFTP) instead.
- Have the accounts managed by a separate server.
- Check for viruses regularly.

Security Baselines: DNS

- DNS servers on UNIX (BIND) have often had weaknesses.
- Apply the patches regularly.
- Deploy a secondary (backup) DNS system.

Security Baselines: configuration

- Record it as documentation.
- Test it before deploying for real.
- Follow the vendor's guidance.

Security Baselines: configuration

- Turn services and protocols on/off.
- Most network attacks rely on a weakness in some service or protocol and on known network security holes.
- Turn off unneeded services to reduce complexity.

Security Baselines: configuration

- Access Control Lists.
- Strengthen authentication.
- Define the rights of each individual.
- Used to log network access.