Lecture Notes: Design and Installation of Intranet Networks


Chapter 1. The Internet and internetworking with the IP protocol
1.1 Origins and development of the Internet
1.1.1 ARPANET
1.1.2 NSFNET
1.1.3 Commercialization of the Internet
1.1.4 Second-generation Internet
1.2 The TCP/IP model and internetworking
1.2.1 Internetworking
1.2.2 The TCP/IP protocol layers
1.2.3 The TCP/IP protocol family
1.3 Internetworking at the Internet layer
1.3.1 Internet Protocol (IP)
1.3.1.1 IP addressing
1.3.1.2 IP subnets
1.3.1.3 IP routing
1.3.1.4 Intranets: Private IP addresses
1.3.1.5 Network Address Translation (NAT)
1.3.1.6 IP datagram
1.3.2 Internet Control Message Protocol (ICMP)
1.3.2.1 ICMP messages
1.3.2.2 ICMP applications
1.4 Routing Protocols
1.4.1 Autonomous systems
1.4.2 Types of IP routing and IP routing algorithms
1.4.2.1 Static routing
1.4.2.2 Distance vector routing
1.4.2.3 Link state routing
1.4.2.4 Path vector routing
1.4.3 Routing Information Protocol (RIP)
1.4.3.1 RIP packet types
1.4.3.2 RIP packet format
1.4.3.3 RIP modes of operation
1.4.3.4 Calculating distance vectors
1.4.3.5 Convergence and counting to infinity
1.4.3.6 RIP limitations
1.4.4 Routing Information Protocol Version 2 (RIP-2)
1.4.4.1 RIP-2 packet format
1.4.4.2 RIP-2 limitations
1.4.5 Open Shortest Path First (OSPF)
1.4.5.1 OSPF terminology
1.4.5.2 Neighbor communication
1.4.5.3 OSPF neighbor state machine
1.4.5.4 OSPF route redistribution
1.4.5.5 OSPF stub areas
1.4.5.6 OSPF route summarization
1.5 Internetworking lab exercises
1.5.1 Exercise 1: Configuring an internetwork with routers
1.5.2 Exercise 2: Automatic router configuration with the RIP routing protocol
1.5.3 Exercise 3: Automatic router configuration with the OSPF routing protocol
1.5.4 Exercise 4: Capturing packets and analysing how the ping command works
1.5.5 Exercise 5: Capturing packets and analysing how the traceroute command works

Chapter 2. TCP/IP applications and the Intranet
2.1 The TCP/IP application model
2.1.1 The client/server model
2.1.2 TCP/IP applications for internal networks: the Intranet model
2.1.3 Intranet deployment models
2.1.3.1 The Intranet as an Internet behind a firewall
2.1.3.2 Intranet and Extranet
2.1.3.3 Intranet and Cloud
2.2 Building applications on the Transport layer
2.2.1 Ports and sockets
2.2.1.1 Ports
2.2.1.2 Sockets
2.2.2 User Datagram Protocol (UDP)
2.2.2.1 UDP datagram format
2.2.2.2 UDP application programming interface
2.2.3 Transmission Control Protocol (TCP)
2.2.3.1 TCP concept
2.2.3.2 TCP state transition diagram
2.2.3.3 TCP application programming interface
2.2.3.4 TCP congestion control algorithms
2.2.4 Application programming interfaces: The socket API
2.3 Lab exercises
2.3.1 Exercise 1: Building a client/server application with TCP/IP sockets
2.3.2 Exercise 2: Building a client/server application with UDP/IP sockets
2.3.3 Exercise 3: Analysing the window mechanism in TCP
2.3.4 Exercise 4: Analysing congestion control in TCP

Chapter 3. Gateway, NAT and Port Forwarding
3.1 Intranet Gateway
3.1.1 The role of the gateway in Intranet-Internet connectivity
3.1.2 How a gateway works
3.1.3 Default Gateway
3.2 Network Address Translation and Port Forwarding
3.2.1 Introduction to NAT
3.2.2 Address space
3.2.3 Static translation
3.2.4 Dynamic translation
3.2.5 Port Forwarding
3.3 NAT in iptables
3.3.1 Introduction to iptables
3.3.2 Packet processing in iptables
3.3.3 Working with the nat table
3.4 Lab exercises
3.4.1 Exercise 1: Setting up a gateway for the MyCompany Intranet
3.4.2 Exercise 2: Setting up NAT on the gateway
3.4.3 Exercise 3: Setting up port forwarding on the NAT gateway

Chapter 4. The DNS service
4.1 Introduction to DNS
4.1.1 A Brief History of Name Servers
4.1.2 Name Server Basics
4.2 DNS service architecture
4.2.1 Domains and Delegation
4.2.2 Domain Authority
4.2.3 DNS Implementation and Structure
4.2.4 Root DNS Operations
4.2.5 Top-Level Domains
4.3 How the DNS system operates
4.3.1 The DNS protocol
4.3.2 DNS data structure: Resource Records
4.3.2.1 The SOA Resource Record
4.3.2.2 The NS Resource Record
4.3.2.3 The MX Resource Record
4.3.2.4 The A Resource Record
4.3.2.5 CNAME Resource Record
4.3.2.6 Additional Resource Records
4.3.3 DNS Queries
4.3.3.1 Recursive Queries
4.3.3.2 Iterative (Nonrecursive) Queries
4.3.3.3 Inverse Queries
4.3.4 Updating zone data
4.3.5 Security Issues
4.3.6 DNS server operating modes
4.3.6.1 Master (Primary) Name Servers
4.3.6.2 Slave (Secondary) Name Servers
4.3.6.3 Caching Name Servers
4.3.6.4 Forwarding (Proxy) Name Servers
4.3.6.5 Stealth (DMZ or Split) Name Server
4.3.6.6 Authoritative-only Name Server
4.4 Load balancing with DNS
4.5 DNS service lab exercises
4.5.1 Installing and configuring BIND
4.5.2 DNS Tools
4.5.3 Exercise 1: Internal DNS
4.5.4 Exercise 2: Connecting DNS to the Internet
4.5.5 Exercise 3: Master and Slave DNS
4.5.6 Exercise 4: Using DNS for load balancing

Chapter 5. The Email service
5.1 Introduction to Email
5.1.1 Email Components
5.1.2 Major Email Protocols
5.1.3 Email Routing
5.2 Simple Mail Transfer Protocol (SMTP)
5.2.1 How SMTP works
5.2.2 SMTP and the Domain Name System
5.2.2.1 Addressing mailboxes on server systems
5.2.2.2 Using the Domain Name System to direct mail
5.3 Multipurpose Internet Mail Extensions (MIME)
5.3.1 How MIME works
5.3.2 The Content-Transfer-Encoding field
5.3.3 Using non-ASCII characters in message headers
5.4 Post Office Protocol (POP)
5.4.1 Connection states
5.4.2 POP3 commands and responses
5.5 Internet Message Access Protocol (IMAP4)
5.5.1 Fundamental IMAP4 electronic mail models
5.5.2 IMAP4 states
5.5.3 IMAP4 commands and response interaction
5.5.4 IMAP4 messages
5.6 Lab exercises
5.6.1 Setting up the environment
5.6.2 Exercise 1: Setting up an email system for one domain
5.6.3 Exercise 2: Setting up email between two servers
5.6.4 Exercise 3: POP and IMAP
5.6.5 Exercise 4: Mail relay server
5.6.6 Exercise 5: Email security

Chapter 6. Web, FTP and the Intranet Zone
6.1 Introduction
6.1.1 The Web and the HTTP protocol
6.1.2 FTP
6.2 How HTTP works
6.2.1 User Operations
6.2.1.1 Web Page Retrieval – GET
6.2.1.2 Web Forms – POST
6.2.1.3 File Upload – PUT
6.2.1.4 File Deletion – DELETE
6.2.1.5 Behind the Scenes
6.2.2 Cooperating Servers
6.2.2.1 Virtual Hosts
6.2.2.2 Redirection
6.2.2.3 Proxies, Gateways, and Tunnels
6.2.2.4 Cache Servers
6.2.3 Cookies and State Maintenance
6.2.3.1 Cookies
6.2.3.2 Cookie Attributes
6.2.3.3 Accepting Cookies
6.2.3.4 Returning Cookies
6.3 How FTP works
6.3.1 Active FTP
6.3.2 Passive FTP
6.3.3 Regular FTP
6.3.4 Anonymous FTP
6.3.5 Client Protected By A Firewall Problem
6.3.5.1 Table 15-1 Client Protected by Firewall - Required Rules for FTP
6.3.5.2 Server Protected By A Firewall Problem
6.4 Approaches to setting up an Intranet zone
6.4.1 Intranet zone using Web Authentication
6.4.1.1 Basic Authentication
6.4.1.2 Original Digest Authentication
6.4.1.3 Improved Digest Authentication
6.4.1.4 Protecting Against Replay Attacks
6.4.1.5 Mutual Authentication
6.4.1.6 Protection for Frequent Clients
6.4.1.7 Integrity Protection
6.4.2 Intranet zone using SSL and TLS
6.4.2.1 Secure Sockets Layer (SSL) and Other Protocols
6.4.2.2 Public Key Cryptography
6.4.2.3 SSL Operation
6.4.2.4 Transport Layer Security (TLS)
6.4.2.5 Control of the Protocol in TLS
6.4.2.6 Upgrading to TLS within an HTTP Session
6.4.3 Intranet zone using client IP address filtering
6.5 Lab exercises

Chapter 7. Firewalls
7.1 The firewall concept
7.1.1 Defining a Firewall
7.1.2 Types of Firewalls
7.2 Networking and Firewalls
7.2.1 Firewall Interfaces: Inside, Outside, and DMZ
7.2.2 Firewall Policies
7.3 DMZ
7.3.1 DMZ Basics
7.3.2 DMZ Concepts
7.3.3 Traffic Flow Concepts
7.3.4 Networks with and without DMZs
7.3.5 Pros and Cons of DMZ Basic Designs
7.4 DMZ Design Fundamentals
7.4.1 Why Design Is So Important
7.4.2 Designing End-to-End Security for Data Transmission between Hosts on the Network
7.4.3 Designing for Protection in Relation to the Inherent Flaws of TCP/IPv4
7.4.4 Ports
7.4.5 Using Firewalls to Protect Network Resources
7.4.6 Using Screened Subnets to Protect Network Resources
7.4.7 Securing Public Access to a Screened Subnet
7.4.8 Application Servers in the DMZ
7.5 Network Layer Attacks and Defense
7.5.1 Logging Network Layer Headers with iptables
7.5.2 Network Layer Attack Definitions
7.5.3 Abusing the Network Layer
7.5.3.1 Nmap ICMP Ping
7.5.3.2 IP Spoofing
7.5.3.3 IP Fragmentation
7.5.3.4 Low TTL Values
7.5.3.5 The Smurf Attack
7.5.3.6 DDoS Attacks
7.5.3.7 Linux Kernel IGMP Attack
7.5.4 Network Layer Responses
7.5.4.1 Network Layer Filtering Response
7.5.4.2 Network Layer Thresholding Response
7.5.4.3 Combining Responses Across Layers
7.6 Transport Layer Attacks and Defense
7.6.1 Logging Transport Layer Headers with iptables
7.6.2 Transport Layer Attack Definitions
7.6.3 Abusing the Transport Layer
7.6.3.1 Port Scans
7.6.3.2 Port Sweeps
7.6.3.3 TCP Sequence Prediction Attacks
7.6.3.4 SYN Floods
7.6.4 Transport Layer Responses
7.6.4.1 TCP Responses
7.6.4.2 UDP Responses
7.6.4.3 Firewall Rules and Router ACLs
7.7 Application Layer Attacks and Defense
7.7.1 Application Layer String Matching with iptables
7.7.1.1 Observing the String Match Extension in Action
7.7.1.2 Matching Non-Printable Application Layer Data
7.7.2 Application Layer Attack Definitions
7.7.3 Abusing the Application Layer
7.7.3.1 Snort Signatures
7.7.3.2 Buffer Overflow Exploits
7.7.3.3 SQL Injection Attacks
7.7.3.4 Gray Matter Hacking
7.7.4 Encryption and Application Encodings
7.7.5 Application Layer Responses
7.8 Lab exercises

Chapter 8. Virtual Private Networks
8.1 The VPN concept and its role in the Intranet
8.1.1 What is a VPN? A quick review
8.1.1.1 VPN benefits
8.1.1.2 VPN requirements
8.1.2 Security Considerations for VPNs
8.1.2.1 A typical end-to-end path
8.1.2.2 Exposures in a dial-in client
8.1.2.3 Exposures in a dial-in segment
8.1.2.4 Exposures in the Internet
8.1.2.5 Exposures in a security gateway
8.1.2.6 VPN through firewalls and routers
8.1.2.7 Exposures in an intranet
8.2 VPN solutions
8.2.1 IPSec-Based VPN Solutions
8.2.2 Layer 2-Based VPN Solutions
8.2.2.1 Overview and standards
8.2.2.2 Securing the tunnels with IPSec
8.2.3 Non-IPSec Network Layer-Based Components of a VPN Solution
8.2.3.1 Network Address Translation
8.2.3.2 Packet Filtering
8.2.4 Application Layer-Based Components of a VPN Solution
8.2.4.1 SOCKS
8.2.4.2 Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
8.3 VPN applications in the Intranet
8.3.1 Branch Office Connection Network
8.3.2 Business Partner/Supplier Networks
8.3.3 Remote access scenarios
8.4 Technical issues inside a VPN
8.4.1 Encryption
8.4.1.1 Terminology
8.4.1.2 Symmetric or Secret-Key Algorithms
8.4.1.3 Usage of Symmetric Keys with IPSec
8.4.1.4 Asymmetric or Public-Key Algorithms
8.4.1.5 Authentication and Non-Repudiation
8.4.1.6 Usage of Asymmetric Keys with IPSec
8.4.2 IPSec
8.4.2.1 Security Associations Concept
8.4.2.2 Tunneling Concept
8.4.2.3 Terminology
8.4.2.4 IP Authentication Header (AH)
8.4.2.5 Encapsulating Security Payload (ESP)
8.4.2.6 Why Two Authentication Protocols?
8.4.2.7 Combining IPSec Protocols
8.5 Lab exercises

Chapter 9. Works Cited

Chapter 10. Appendix: Setting up the lab environment
10.1 Components
10.1.1 Oracle VirtualBox
10.1.2 VirtualBox Image
10.2 Preparing the lab environment
10.2.1 Installing VirtualBox
10.2.2 Creating the CentOS virtual machines
10.2.3 Using PuTTY

Chapter 1. The Internet and internetworking with the IP protocol

1.1 Origins and development of the Internet

Networks have become a fundamental, if not the most important, part of today's information systems. They form the backbone for information sharing in enterprises, governmental groups, and scientific groups. That information can take several forms: notes and documents, data to be processed by another computer, files sent to colleagues, and multimedia data streams.

A number of networks were installed in the late 1960s and 1970s, when network design was the "state of the art" topic of computer research and sophisticated implementers. It resulted in multiple networking models such as packet-switching technology, collision-detection local area networks, hierarchical networks, and many other excellent communications technologies. The result of all this great know-how was that any group of users could find a physical network and an architectural model suitable for their specific needs. This ranges from inexpensive asynchronous lines with no other error recovery than a bit-per-bit parity function, through full-function wide area networks (public or private) with reliable protocols such as public packet-switching networks or private SNA networks, to high-speed but limited-distance local area networks.

The down side of the development of such heterogeneous protocol suites is the rather painful situation where one group of users wants to
extend its information system to another group of users who have implemented a different network technology and different networking protocols. As a result, even if they could agree on some network technology to physically interconnect the two environments, their applications (such as mailing systems) would still not be able to communicate with each other because of different application protocols and interfaces.

This situation was recognized in the early 1970s by a group of U.S. researchers funded by the Defense Advanced Research Projects Agency (DARPA). Their work addressed internetworking, or the interconnection of networks. Other official organizations became involved in this area, such as ITU-T (formerly CCITT) and ISO. The main goal was to define a set of protocols, detailed in a well-defined suite, so that applications would be able to communicate with other applications, regardless of the underlying network technology or the operating systems where those applications run.

The official organization of these researchers was the ARPANET Network Working Group, which had its last general meeting in October 1971. DARPA continued its research for an internetworking protocol suite, from the early Network Control Program (NCP) host-to-host protocol to the TCP/IP protocol suite, which took its current form around 1978. At that time, DARPA was well known for its pioneering of packet-switching over radio networks and satellite channels. The first real implementations of the Internet were found around 1980, when DARPA started converting the machines of its research network (ARPANET) to use the new TCP/IP protocols. In 1983, the transition was completed and DARPA demanded that all computers willing to connect to its ARPANET use TCP/IP.

DARPA also contracted Bolt, Beranek, and Newman (BBN) to develop an implementation of the TCP/IP protocols for Berkeley UNIX on the VAX and funded the University of California at Berkeley to distribute the code free of charge with their UNIX operating
system. The first release of the Berkeley Software Distribution (BSD) to include the TCP/IP protocol set was made available in 1983 (4.2BSD). From that point on, TCP/IP spread rapidly among universities and research centers and has become the standard communications subsystem for all UNIX connectivity. The second release (4.3BSD) was distributed in 1986, with updates in 1988 (4.3BSD Tahoe) and 1990 (4.3BSD Reno). 4.4BSD was released in 1993. Due to funding constraints, 4.4BSD was the last release of the BSD by the Computer Systems Research Group of the University of California at Berkeley.

[...]

logarithms in finite fields of size m.) Similar to RSA, advances in adversary computing power can be countered by choosing larger initial values, in this case a larger modulus m. Please see Chapter 10, "The Internet Key Exchange (IKE) Protocol" on page 193 for more details on how ISAKMP/Oakley uses Diffie-Hellman exchanges.

8.4.2 IPSec

In this chapter we discuss IPSec, a VPN technology that operates on the network layer, and its supporting component, the Internet Key Exchange (IKE) protocol. Even though IPSec is the architecture that implements layer-3 security and IKE uses an application running at or above layer 5, there is an inherent relationship between the two. IPSec protocols require symmetric keys to secure traffic between peers, but IPSec itself does not provide a mechanism for generating and distributing those keys. This is the role IKE plays in support of IPSec peers: it provides key management for security associations. IKE, as you will see later, protects its own traffic in addition to providing the IPSec protocols with the cryptographic keys they need for authentication and encryption.

8.4.2.1 Security Associations Concept

Two major IPSec concepts should be clarified before entering the details: security associations and tunneling. In fact they are not new; IPSec just makes use of them. These concepts are described
in the following sections.

The concept of a security association (SA) is fundamental to IPSec. An SA is a unidirectional (simplex) logical connection between two IPSec systems, uniquely identified by the following triple: the Security Parameter Index (SPI), the IP destination address, and the security protocol. The members of the triple are defined as follows:

Security Parameter Index (SPI): A 32-bit value used to identify different SAs with the same destination address and security protocol. The SPI is carried in the header of the security protocol (AH or ESP). The SPI has only local significance, as defined by the creator of the SA. SPI values in the range 1 to 255 are reserved by the Internet Assigned Numbers Authority (IANA), and the SPI value 0 must be used for local, implementation-specific purposes only. Generally, the SPI is selected by the destination system during SA establishment.

IP Destination Address: This address may be a unicast, broadcast or multicast address. However, currently SA management mechanisms are defined only for unicast addresses.

Security Protocol: This can be either AH or ESP.

An SA can be in either of two modes, transport or tunnel, depending on the mode of the protocol in that SA. You can find the explanation of these protocol modes later in this chapter.

Because SAs are simplex, bidirectional communication between two IPSec systems requires two SAs, one in each direction.

An SA gives security services to the traffic carried by it either by using AH or ESP, but not both. In other words, for a connection that should be protected by both AH and ESP, two SAs must be defined for each direction. In this case, the set of SAs that define the connection is referred to as an SA bundle. The SAs in the bundle do not have to terminate at the same endpoint. For example, a mobile host could use an AH SA between itself and a firewall and a nested ESP SA that extends to a host behind the firewall.

An IPSec implementation maintains two databases related to SAs:

Security Policy Database (SPD): The Security Policy Database specifies what
security services are to be offered to the IP traffic, depending on factors such as source, destination, whether it is inbound or outbound, etc. It contains an ordered list of policy entries, separate for inbound and/or outbound traffic. These entries might specify that some traffic must not go through IPSec processing, some must be discarded, and the rest must be processed by the IPSec module. Entries in this database are similar to firewall rules or packet filters, and, like those, they are evaluated in order.

Security Associations Database (SAD): The Security Associations Database contains parameter information about each SA, such as AH or ESP algorithms and keys, sequence numbers, protocol mode and SA lifetime. For outbound processing, an SPD entry points to an entry in the SAD; that is, the SPD determines which SA is to be used for a given packet. For inbound processing, the SAD is consulted to determine how the packet must be processed.

Notes:
1. The user interface of an IPSec implementation usually hides or presents these databases in a more friendly way and makes the life of the administrator easier.
2. While IPSec SAs are unidirectional as described above, ISAKMP SAs used by IKE (see 3.2.1, "Overview and standards" on page 45) are essentially bidirectional, because an IKE peer can usually act as both initiator and responder. For ISAKMP SAs, the cookies generated by the peers to identify the ongoing exchange are also used as SPI values.

8.4.2.2 Tunneling Concept

Tunneling or encapsulation is a common technique in packet-switched networks. It consists of wrapping a packet in a new one: a new header is attached to the original packet, and the entire original packet becomes the payload of the new one, as shown in Figure 18 on page 41. In general, tunneling is used to carry traffic of one protocol over a network that does not support that protocol directly. For example, NetBIOS or IPX can be encapsulated in IP to carry it over a TCP/IP WAN link. In the case of IPSec, IP is tunneled through IP for a slightly different
purpose: to provide total protection, including the header of the encapsulated packet If the encapsulated packet is encrypted, an intruder cannot figure out for example the destination address of that packet (Without tunneling he or she could.) The internal structure of a private network can be concealed in this way Tunneling requires intermediate processing of the original packet on its route The destination specified in the outer header, usually an IPSec firewall or router, retrieves the original packet and sends it to the ultimate destination The processing overhead is compensated by the extra security A notable advantage of IP tunneling is the possibility to exchange packets with private IP addresses between two intranets over the public Internet, which requires globally unique addresses Since the encapsulated header is not processed by the Internet routers, only the endpoints of the tunnel (the gateways) have to have globally assigned addresses; the hosts in the intranets behind them can be assigned private addresses, for example 10.x.x.x As globally unique IP addresses are becoming a scarce resource, this interconnection method gains importance Note: IPSec tunneling is modeled after RFC 2003 ″IP Encapsulation within IP″ It has originally been designed for Mobile IP, an architecture that allows a mobile host to keep its home IP address even if attached to remote or foreign subnets 8.4.2.3 Terminology IPSec is a relatively new technology and it has a less coherent terminology than IP in general In this section we summarize how the IPSec terms are used by us Gateway, Router and Firewall Although these are separate entities, often they can be used interchangeably when the IPSec functionality is in focus Usually we use the term gateway to denote a machine which routes IP traffic, as opposed to a host, which generates or consumes that traffic The term security gateway is analogous It is more precise since the name implies that the box is IPSec-capable IPSec Tunnel 
This term is used to denote a pair of SAs that realize a bidirectional connection between two IPSec systems It does not imply either transport or tunnel mode Sometimes it is called simply a tunnel Selectors Selectors define the IPSec processing of the outbound packets The SPD entries consist of one or more selectors Packet Filters These are rules that steer traffic into or out of the tunnel The traffic might be either inbound or outbound 8.4.2.4 IP Authentication Header (AH) AH provides origin authentication for a whole IP datagram and is an effective measure against IP spoofing and session hijacking attacks AH has the following features: • Provides data integrity and replay protection • Uses hashed message authentication codes (HMAC), based on shared secrets • Cryptographically strong but economical on CPU load • Datagram content is not encrypted • Does not use changeable IP header fields to compute integrity check value (ICV), which are: • TOS, Flags, Fragment Offset, TTL, Checksum AH adds approximately 24 bytes per packet that can be a consideration for throughput calculation, fragmentation, and path MTU discovery AH is illustrated in Figure 20: AH Header Format The current AH header format is described in the Internet Draft draft-ietf-ipsec-auth-header-06.txt, which contains important modifications compared to the previous AH specification, RFC 1826 The information in this section is based on the respective Internet Draft The following transforms are supported with AH: • Mandatory authentication transforms • HMAC-MD5-96 (RFC 2403) Trang 340 • HMAC-SHA-1-96 (RFC 2404) • Optional authentication transforms • DES-MAC • Obsolete authentication transforms • Keyed-MD5 (RFC 1828) AH can be used in tunnel or transport mode (see 3.1.5, “Tunnel and transport mode” on page 41) and also in combination with ESP (see 3.1.6, “SA combinations” on page 42) 8.4.2.5 Encapsulating Security Payload (ESP) ESP encrypts the payload of an IP packet using shared secrets The Next Header 
field actually identifies the protocol carried in the payload ESP also optionally provides data origin authentication, data integrity, and replay protection in a similar way as AH However, the protection of ESP does not extend over the whole IP datagram as opposed to AH ESP adds approximately 24 bytes per packet that can be a consideration for throughput calculation, fragmentation, and path MTU discovery ESP is illustrated in Figure 21: ESP Packet Format The current ESP packet format is described in the Internet Draft draft-ietf-ipsec-esp-v2-05.txt, dated March 1998 It contains important modifications compared to the previous ESP specification, RFC 1827 The information in this section is based on the respective Internet Draft The format of the ESP packet is more complicated than that of the AH packet Actually there is not only an ESP header, but also an ESP trailer and ESP authentication data (see Figure 23) The payload is located (encapsulated) between the header and the trailer, hence the name of the the protocol The following transforms are supported with ESP: • Mandatory encryption transforms • DES_CBC (RFC 2405) • NULL (RFC 2410) • Optional encryption transforms • CAST-128 (RFC 2451) • RC5 (RFC 2451) • IDEA (RFC 2451) • Blowfish (RFC 2451) • 3DES (RFC 2451) Trang 374 • Mandatory authentication transforms • HMAC-MD5-96 (RFC 2403) • HMAC-SHA-1-96 (RFC 2404) • NULL (RFC 2410) • Optional authentication transforms • DES-MAC Note: The NULL transform cannot be used for both encryption and authentication at the same time ESP can be used in tunnel or transport mode (see 3.1.5, “Tunnel and transport mode” on page 41) and also in combination with AH (see 3.1.6, “SA combinations” on page 42) 8.4.2.6 Why Two Authentication Protocols? Knowing about the security services of ESP, one might ask if there is really a requirement for AH Why does ESP authentication not cover the IP header as well? 
There is no official answer to these questions, but here are some points that justify the existence of two different IPSec authentication protocols:
• ESP requires strong cryptographic algorithms to be implemented, whether they will actually be used or not. Strong cryptography is an over-hyped and sensitive topic in some countries, with restrictive regulations in place. It might be troublesome to deploy ESP-based solutions in such areas. However, authentication is not regulated and AH can be used freely around the world.
• Often only authentication is needed. While ESP could have been specified to cover the IP header as well, AH performs better than ESP with authentication only, because of the simpler format and lower processing overhead. It makes sense to use AH in these cases.
• Having two different protocols means finer-grained control over an IPSec network and more flexible security options. By nesting AH and ESP, for example, one can implement IPSec tunnels that combine the strengths of both protocols.

8.4.2.7 Combining IPSec Protocols
The AH and ESP protocols can be applied alone or in combination. Given the two modes of each protocol, there is quite a number of possible combinations. To make things even worse, the AH and ESP SAs do not need to have identical endpoints, so the picture becomes rather complicated. Luckily, out of the many possibilities only a few make sense in real-world scenarios.

We mentioned in 3.1.1, "Security Associations" on page 39 that the combinations of IPSec protocols are realized with SA bundles. There are two approaches to SA bundle creation:
• Transport adjacency: Both security protocols are applied in transport mode to the same IP datagram. This method is practical for only one level of combination.
• Iterated (nested) tunneling: The security protocols are applied in tunnel mode in sequence. After each application a new IP datagram is created and the next protocol is applied to it. This method has no limit on the nesting levels; however, more than three levels are impractical.

These approaches can be combined; for example, an IP packet with transport adjacency IPSec headers can be sent through nested tunnels.

When designing a VPN, one should limit the IPSec processing stages applied to a certain packet to a reasonable level. In our view three applications is the limit over which further processing has no benefits. Two stages are sufficient for almost all cases.

Note that in order to be able to create an SA bundle in which the SAs have different endpoints, at least one level of tunneling must be applied. Transport adjacency does not allow for multiple source/destination addresses, because only one IP header is present.

The practical principle of the combined usage is that upon receipt of a packet with both protocol headers, the IPSec processing sequence should be authentication followed by decryption. It is a common sense decision not to bother with the decryption of packets of uncertain origin. Following the above principle, the sender first applies ESP and then AH to the outbound traffic. In fact this sequence is an explicit requirement for transport mode IPSec processing.

When using both ESP and AH, a new question arises: should ESP authentication be turned on? AH authenticates the packet anyway. The answer is simple. Turning ESP authentication on makes sense only when the ESP SA extends beyond the AH SA, as in the case of the supplier scenario. In this case, not only does it make sense to use ESP authentication, but it is highly recommended to do so, to avoid spoofing attacks in the intranet.

As far as the modes are concerned, the usual way is that transport mode is used between the endpoints of a connection and tunnel mode is used between two machines when at least one of them is a gateway.

Let's take a systematic look at the plausible ways of using the IPSec protocols, from the simplest to the more complicated nested setups. You learn the details on how these cases are applied to real life scenarios in Part 3, "VPN Scenarios and Implementation" on page 79.

Case 1: End-to-End Security
As shown in Figure 27, two hosts are connected through the Internet (or an intranet) without any IPSec gateway between them. They can use ESP, AH or both. Either transport or tunnel mode can be applied. The combinations required to be supported by any IPSec implementation are the following:
Transport Mode
• AH alone
• ESP alone
• AH applied after ESP (transport adjacency)
Tunnel Mode
• AH alone
• ESP alone

Case 2: Basic VPN Support
Figure 28 illustrates the simplest VPN. The gateways G1 and G2 run the IPSec protocol stack. The hosts in the intranets are not required to support IPSec.

Combined Tunnels between Gateways
Although the gateways are required to support only an AH tunnel or an ESP tunnel, often it is desirable to have tunnels between gateways that combine the features of both IPSec protocols. The IBM IPSec implementations support this type of combined AH-ESP tunnel. The order of the headers is user selectable by setting the tunnel policy. (See 4.1.1.2, "Policies" on page 59 for more details.)
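The SPD/SAD lookup and the SA bundle described above, as an added Python example that is not part of the lecture notes or the IBM material they draw on: an ordered SPD whose "protect" entries point at SA triples in the SAD, with the outbound bundle listed in the order the sender applies it (ESP first, then AH). The gateway addresses, SPIs, transforms and policy entries are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ESP, AH = 50, 51   # IP protocol numbers of the two security protocols


@dataclass(frozen=True)
class SA:
    """One simplex SA, uniquely identified by the triple (SPI, destination, protocol)."""
    spi: int
    dst: str
    proto: int        # ESP or AH
    mode: str         # "transport" or "tunnel"
    algo: str         # transform, e.g. "DES_CBC" or "HMAC-SHA-1-96"

    @property
    def triple(self):
        return (self.spi, self.dst, self.proto)


@dataclass(frozen=True)
class Selector:
    """Traffic selector of an SPD entry; None means 'any'."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


@dataclass(frozen=True)
class PolicyEntry:
    selector: Selector
    action: str         # "bypass" (no IPSec), "discard" or "protect"
    bundle: tuple = ()  # SA triples, in the order the sender applies them


class SAD:
    """Security Associations Database, keyed by the SA triple."""
    def __init__(self, sas):
        self.by_triple = {sa.triple: sa for sa in sas}

    def lookup(self, spi, dst, proto):
        """Inbound: the triple taken from the received AH/ESP header selects the SA."""
        return self.by_triple.get((spi, dst, proto))


def outbound(spd, sad, pkt):
    """Outbound: the first matching SPD entry wins (ordered, like firewall rules);
    a 'protect' entry resolves its SA triples through the SAD."""
    for entry in spd:
        if entry.selector.matches(pkt):
            if entry.action != "protect":
                return entry.action, []
            sas = [sad.lookup(*t) for t in entry.bundle]
            if None in sas:
                return "discard", []   # policy needs an SA that is not established
            return "protect", sas
    return "discard", []               # nothing matched: drop by default


def demo():
    """Constructed sample: gateway G1 (203.0.113.1) fronts 10.1.0.0/16 and G2
    (203.0.113.2) fronts 10.2.0.0/16; the combined AH-ESP tunnel G1 -> G2 is one
    bundle of an ESP tunnel-mode SA and an AH transport-mode SA."""
    g1, g2 = "203.0.113.1", "203.0.113.2"
    sad = SAD([
        SA(0x1001, g2, ESP, "tunnel", "DES_CBC"),           # G1 -> G2
        SA(0x1002, g2, AH, "transport", "HMAC-SHA-1-96"),   # G1 -> G2
        SA(0x2001, g1, ESP, "tunnel", "DES_CBC"),           # G2 -> G1 (return direction)
    ])
    spd = [   # order matters: the telnet rule shadows the protect rule
        PolicyEntry(Selector(src="10.1.0.0/16", proto=6, dport=23), "discard"),
        PolicyEntry(Selector(src="10.1.0.0/16", dst="10.2.0.0/16"), "protect",
                    bundle=((0x1001, g2, ESP), (0x1002, g2, AH))),
        PolicyEntry(Selector(src="10.1.0.0/16"), "bypass"),
    ]
    web = {"src": "10.1.5.5", "dst": "10.2.7.7", "proto": 6, "dport": 80}
    telnet = {"src": "10.1.5.5", "dst": "10.2.7.7", "proto": 6, "dport": 23}
    public = {"src": "10.1.5.5", "dst": "198.51.100.9", "proto": 6, "dport": 443}
    action, sas = outbound(spd, sad, web)
    return (action, [sa.proto for sa in sas],   # ESP applied first, then AH
            outbound(spd, sad, telnet)[0], outbound(spd, sad, public)[0],
            sad.lookup(0x2001, g1, ESP) is not None,   # inbound triple known
            sad.lookup(0x2001, g1, AH) is None)        # wrong protocol: no SA
```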
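The AH processing described in 8.4.2.4, as an added Python example that is not part of the lecture notes or the IBM material: the sender computes an HMAC-SHA-1-96 ICV over the IPv4 header with the mutable fields (TOS, Flags, Fragment Offset, TTL, Checksum) treated as zero, and the receiver verifies it and applies a sliding anti-replay window to the sequence number. The shared key, addresses and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

IPPROTO_TCP = 6
IPPROTO_AH = 51
ICV_LEN = 12   # HMAC-SHA-1-96: the 160-bit HMAC truncated to 96 bits


def build_ipv4_header(src, dst, proto, total_len, tos=0, flags_frag=0,
                      ttl=64, checksum=0, ident=0x1234):
    """Plain 20-byte IPv4 header (no options); src/dst are 4-byte addresses."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident,
                       flags_frag, ttl, proto, checksum, src, dst)


def zero_mutable_fields(ip_hdr):
    """Fields routers may change are treated as zero when computing the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # Flags + Fragment Offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # Header Checksum
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    """ICV over the whole datagram: immutable IP header | AH header (ICV zeroed) | payload."""
    data = zero_mutable_fields(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah(key, ip_hdr, next_header, spi, seq, payload):
    """AH header: Next Header, Payload Len, Reserved, SPI, Sequence, ICV.
    Payload Len is the AH length in 32-bit words minus 2 (4 for a 96-bit ICV),
    so the header adds 24 bytes to the packet."""
    payload_len = (12 + ICV_LEN) // 4 - 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload)


def verify_ah(key, ip_hdr, ah, payload):
    """Receiver side: recompute the ICV and compare in constant time."""
    ah_fixed, icv = ah[:12], ah[12:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


class ReplayWindow:
    """Anti-replay check on the AH sequence number: a window of `size`
    sequence numbers ending at the highest one accepted so far."""
    def __init__(self, size=64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:                      # 0 is never a valid sequence number
            return False
        if seq > self.highest:            # advances the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq       # bit `offset` marks (highest - offset)
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False                  # too old, or already received (replay)
        self.bitmap |= 1 << offset
        return True


def demo():
    """Constructed sample: 10.0.0.1 sends an AH-protected segment to 10.0.0.2;
    a router decrements TTL on the way; a third party spoofs the source."""
    key = b"constructed-shared-secret"
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"constructed TCP segment"
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = build_ipv4_header(src, dst, IPPROTO_AH, total_len, ttl=64)
    ah = build_ah(key, ip_hdr, IPPROTO_TCP, spi=0x1000, seq=1, payload=payload)
    after_hop = build_ipv4_header(src, dst, IPPROTO_AH, total_len, ttl=63)   # TTL is mutable
    spoofed = build_ipv4_header(bytes([192, 168, 1, 9]), dst, IPPROTO_AH,
                                total_len, ttl=63)                         # source is not
    return (len(ah), verify_ah(key, after_hop, ah, payload),
            verify_ah(key, spoofed, ah, payload))
```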
A combined tunnel between the gateways does not mean that iterated tunneling takes place. Since the SAs comprising the tunnel have identical endpoints, it is inefficient to do iterated tunneling. Instead, one IPSec protocol is applied in tunnel mode and the other in transport mode, which can be conceptually thought of as a combined AH-ESP tunnel. An equivalent approach is to IP tunnel the original datagram and then apply transport adjacency IPSec processing to it. The result is that we have an outer IP header followed by the IPSec headers in the order set by the tunnel policy, then the original IP packet, as shown in the figure below. This is the packet format in a combined AH-ESP tunnel between two IBM firewalls.

Note: The ESP authentication data is not present because the IPSec implementation in the IBM firewall does not support the new specifications yet.

Case 3: End-to-End Security with VPN Support
This case is a combination of cases 1 and 2 and it does not raise new IPSec requirements for the machines involved (see Figure 30). The big difference from case 2 is that now the hosts are also required to support IPSec. In a typical setup, the gateways use AH in tunnel mode, while the hosts use ESP in transport mode. An enhanced security version could use a combined AH-ESP tunnel between the gateways. In this way the ultimate destination addresses would be encrypted, the whole packet traveling the Internet would be authenticated and the carried data double encrypted. This is the only case where three stages of IPSec processing might be useful; however, this comes at a cost: the performance impact is considerable.

Case 4: Remote Access
This case, shown in Figure 31, applies to remote hosts that use the Internet to reach a server in the organization protected by a firewall. The remote host commonly uses a PPP dial-in connection to an ISP. Between the remote host H1 and the firewall G2 only tunnel mode is required. The choices are the same as in case 2. Between the hosts themselves either tunnel mode or transport mode can be used, with the same choices as in case 1. A typical setup is to use AH in tunnel mode between H1 and G2 and ESP in transport mode between H1 and H2. Older IPSec implementations that do not support AH in tunnel mode cannot implement this.

It is also common to create a combined AH-ESP tunnel between the remote host H1 and the gateway G2. In this case H1 can access the whole intranet using just one SA bundle, whereas if it were using the setup shown in Figure 31, it could only access one host with one SA bundle.

8.5 Lab exercises
Refer to the links below to set up the VPN scenario described above with IPSec, using the openswan software for the VPN gateway:
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs
https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_on_CentOS Red_Hat_Enterprise_Linux_or_Scientific_-_Linux_6.html

[Figure: lab topology, PC outside MyCompany, Internet, Gateway (openswan), MyCompany Intranet, PC in MyCompany]

> yum list openswan
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
base: centos-hn.viettelidc.com.vn
extras: centos-hn.viettelidc.com.vn
updates: centos-hn.viettelidc.com.vn
Installed Packages
openswan.x86_64    2.6.32-37.el6    @base

[Figure: Gateway (openswan) fronting the MyCompany Intranet with Mail Server, DNS Server and PC in MyCompany]

> yum install openswan.x86_64

Installing openswan: disable ICMP redirects. This is a router function: when the router finds a more efficient route than the one the routed packet took, it notifies the source host with an ICMP message that a better route exists. Run the following commands to turn this function off:
> echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
> echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
> echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
> for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
> sysctl -p

Turn off SELinux enforcing mode, stop the iptables firewall and verify ipsec:
> setenforce 0
> service iptables stop
> ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                              [OK]
Linux Openswan U2.6.32/K2.6.32-504.el6.x86_64 (netkey)
Checking for IPsec support in kernel                         [OK]
 SAref kernel support                                        [N/A]
 NETKEY: Testing for disabled ICMP send_redirects            [OK]
NETKEY detected, testing for disabled ICMP accept_redirects  [OK]
Testing against enforced SElinux mode                        [OK]
Checking that pluto is running                               [OK]
 Pluto listening for IKE on udp 500                          [OK]
 Pluto listening for NAT-T on udp 4500                       [OK]
Two or more interfaces found, checking IP forwarding         [OK]
Checking NAT and MASQUERADEing                               [OK]
Checking for 'ip' command                                    [OK]
Checking /bin/sh is not /bin/dash                            [OK]
Checking for 'iptables' command                              [OK]
Opportunistic Encryption Support                             [DISABLED]

8.6 Appendix: Setting up the lab environment
8.6.1 Components
Oracle VirtualBox: computer virtualization software, similar to VMWare but open source. VirtualBox 5.0.2 r102096: https://www.virtualbox.org/
8.6.2 VirtualBox Image
CentOS 6.6 minimal x86_64
Size: 323 MBytes
MD5SUM of ova image: 9cacb27b67fcd2de01a4860e0e4b855c
Link: https://s3-eu-west-1.amazonaws.com/virtualboxes.org/CentOS-6.6-x86_64-minimal.ova.torrent
Active user account(s) (username/password): root/reverse
Notes: Installed from CentOS-6.6-x86_64-minimal.iso; Guest Additions NOT installed, fix eth0 up at boot.
http://virtualboxes.org/images

8.7 Preparing the lab environment
The figure below shows the logical architecture of the lab environment: several servers connected to the Internet with fixed IP addresses. The servers are configured and controlled through ssh sessions from the system administrator's PC.

[Figure: Server #1 (IP address IP1), Server #2 (IP2) and Server #3 (IP3) connected to the Internet; the Administrator's PC opens an ssh session (login, password) to each server]

The logical environment above is simulated by a software system running on a personal computer, consisting of:
• Oracle VirtualBox: allows creating multiple virtual machines on the personal computer (called the host machine).
• VirtualBox CentOS image: a CentOS server recorded in VirtualBox image format, which can be imported into VirtualBox to quickly create a CentOS virtual server on the host machine.
• PuTTY: a program running on the host machine that allows opening multiple ssh sessions to the CentOS virtual machines in the VirtualBox system.

8.7.1 Installing VirtualBox

8.7.2 Creating the CentOS virtual machine
Import from the CentOS-6.6 image. The default network configuration is NAT. When the virtual machine boots, it has a network card named eth0 (use ifconfig -a to view the network card information). This card is usually assigned an address 10.0.2.x automatically and provides Internet connectivity through the network card of the (Windows) host machine.

In the network configuration, add a second card of type Host-only Adapter to allow connectivity between virtual machines and between a virtual machine and the host. Note that when adding network cards and creating several virtual machines, make sure the cards have different physical addresses. To change a card's physical address, choose Advanced and, in the MAC Address field, click the button on the right (Generates a new random MAC address) to create a new MAC address.

With this configuration, the Windows host automatically creates an additional (virtual) network card named Ethernet adapter VirtualBox Host-Only Network. Open a Windows command line and use ipconfig /all to view the IP address of this card (usually 192.168.56.1). On the CentOS virtual machine, set a matching IP address for its card (say 192.168.56.2).
A default IP address for the CentOS virtual machine can be set by creating or editing the configuration file /etc/sysconfig/network-scripts/ifcfg-eth1 with the following content:
DEVICE="eth1"
IPADDR=192.168.56.2
NETMASK=255.255.255.0
Restart the CentOS virtual machine and use ping to check connectivity between virtual machines and between a virtual machine and the host.

For easier tracking, name each CentOS virtual machine after its role instead of using the default name localhost. Edit the HOSTNAME parameter in /etc/sysconfig/network and reboot the virtual machine.

8.7.3 Using PuTTY
PuTTY is a popular SSH client. With PuTTY, sessions from the host machine to the virtual machines can be created easily.

Posted: 12/01/2016, 20:25
