(1)i TAY C N G N G H I
WIRELESS NETWORK SECURITY
Danh Chieu
Wireless LANs are being deployed widely because of their many benefits and their convenience, yet securing them is hard. So what is their structure, why do they need to be secured, and what does the general security model look like?
Structure of a wireless LAN
A wireless LAN consists of three parts: wireless clients, access points and an access server. A typical wireless client is a laptop fitted with a wireless NIC (Network Interface Card) so that it can join the wireless network. Access points (APs) provide radio coverage over a given area (known as a cell) and connect the wireless clients to the network. The access server controls access. Both 802.11b (11 Mbps LAN in the 2.4 GHz band) and Bluetooth APs are supported here. An access server (such as the Enterprise Access Server, or EAS) provides control, management and advanced security features for the enterprise wireless network.
Enterprise Access Server Gateway Mode
A wireless segment can be connected to existing networks in several ways. The overall architecture uses the EAS either in "Gateway Mode" or in "Controller Mode". In Gateway Mode (see the figure above) the EAS sits between the AP network and the rest of the enterprise network. The EAS therefore controls all traffic flowing between the wireless and wired networks and acts as a firewall.
In Controller Mode (figure below) the EAS manages the APs and controls access to the wireless network, but it is not involved in carrying user data. In this mode the wireless network can be separated from the wired network by a conventional firewall, or fully integrated into the enterprise wired network.
Enterprise Access Server Controller Mode
Why is security needed?
Why do we have to pay attention to the security of a wireless LAN? The reason lies in the inherent nature of the wireless medium. To connect to a wired LAN you need access to the cabling: you have to plug a PC into a network port. With a wireless network you only need your machine to be within the coverage area of the network. Control of a wired network is simple: the cabling normally runs inside office buildings, and unused ports can be disabled with management tools. Wireless (radio) networks use radio waves that pass through building materials, so coverage is not confined to the inside of a building. The radio signal of such a LAN can reach the street from the transmitters, and so it can be accessed with suitable equipment. A company's wireless network can therefore also be accessed from outside the company's building. The figure below shows how an outsider can reach a wireless LAN from outside. The solution is to secure the network against such unauthorised access.
Example of an outsider accessing the network
Weaknesses in 802.11 security
The IEEE 802.11 standard provides WEP (Wired Equivalent Privacy) to protect wireless transmissions. WEP uses a symmetric key to encrypt user traffic on the 802.11 wireless network. 802.11 specifies 64-bit WEP keys, and 128-bit WEP keys are offered in addition. 802.11 does not specify how keys are distributed. A WEP key has two parts: a 24-bit initialization vector (IV) and a secret key. The IV is transmitted in plain text in the header of 802.11 packets. As a result it is very easy to "crack". The next step is therefore to use dynamic WEP keys that can be changed frequently.
The 802.11 standard authenticates clients using the WEP key. The industry subsequently adopted 802.1x authentication (see part 7) to make up for the shortcomings of the earlier 802.11 standard. Recently, however, the University of Maryland documented potential security problems with the 802.1x protocol. Today's solution is to use mutual authentication to prevent "man-in-the-middle" attacks, together with dynamic WEP keys that are distributed carefully over encrypted channels. Both techniques are supported by TLS (Transport Layer Security). More notable still are per-packet keying and message integrity checking. This is the 802.11i security standard.
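To make the IV weakness described above concrete, here is an added example (not code from the article) that extracts the clear-text IV from WEP-protected 802.11 data frames and flags IVs that repeat across a capture. The frames are constructed samples, and the helper names are hypothetical.

```python
from collections import Counter

# 802.11 data frame: 24-byte MAC header, then the WEP header (3-byte IV and one
# byte whose top two bits select the key), then the encrypted body and ICV.
MAC_HDR_LEN = 24
PROTECTED_FLAG = 0x40   # "Protected Frame" bit in the second Frame Control byte

def parse_wep_header(frame: bytes):
    """Return (iv, key_index) for a WEP-protected frame, or None otherwise."""
    if len(frame) < MAC_HDR_LEN + 8:          # MAC header + WEP header + 4-byte ICV
        return None
    if not frame[1] & PROTECTED_FLAG:
        return None
    iv = frame[MAC_HDR_LEN:MAC_HDR_LEN + 3]   # the IV is sent in the clear
    key_index = frame[MAC_HDR_LEN + 3] >> 6
    return iv, key_index

def build_frame(iv: bytes, key_index: int = 0, body: bytes = b"x") -> bytes:
    """Constructed sample frame (not a real capture) carrying the given IV."""
    fc = bytes([0x08, PROTECTED_FLAG])        # type = data, protected bit set
    mac_hdr = fc + bytes(22)                  # duration, addr1-3, seq ctrl zeroed
    return mac_hdr + iv + bytes([key_index << 6]) + body + bytes(4)

def find_iv_reuse(frames):
    """Count IVs across a capture and return those seen more than once. Under
    the same secret key a repeated IV means a repeated RC4 keystream, which is
    the weakness that dynamic WEP keying tries to limit."""
    counts = Counter()
    for f in frames:
        parsed = parse_wep_header(f)
        if parsed is not None:
            counts[parsed[0]] += 1
    return {iv: n for iv, n in counts.items() if n > 1}

# Constructed capture: three WEP frames (one IV repeated) and one open frame.
SAMPLE_CAPTURE = [
    build_frame(b"\x00\x00\x01"),
    build_frame(b"\x00\x00\x02", key_index=1),
    build_frame(b"\x00\x00\x01"),
    bytes([0x08, 0x00]) + bytes(30),          # unprotected data frame, ignored
]

if __name__ == "__main__":
    print(find_iv_reuse(SAMPLE_CAPTURE))      # {b'\x00\x00\x01': 2}
```

With only 2^24 possible IVs, a busy AP on a static key exhausts the space quickly, so a monitoring sensor that counts repeats like this is a simple indicator that key rotation is overdue.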
Wireless security model
The wireless LAN architecture supports an open and comprehensive security model based on industry standards, as shown in the figure. Every element of the model can be configured by the network administrator to suit their needs.
Security model for a wireless network
Device Authorisation: wireless clients can be blocked by their hardware address (for example the MAC address). EAS keeps a database of permitted wireless clients, and individual APs block or pass traffic accordingly.
Encryption: the WLAN also supports WEP, 3DES and TLS-based encryption to keep eavesdroppers out. WEP keys can be generated on a per-user, per-session basis.
Authentication: the WLAN supports mutual authentication (using 802.1x EAP-TLS) to ensure that only authorised wireless clients can access the network. EAS uses an internal RADIUS server for authentication based on digital certificates. These certificates can be obtained from the internal certificate authority (CA) or imported from an external CA. This maximises security while minimising administrative overhead.
Firewall: EAS incorporates a customisable packet-filtering and port-blocking firewall based on Linux IP chains. Pre-configured settings allow common types of traffic to be enabled or disabled.
VPN: EAS includes an IPSec VPN server that lets wireless clients establish robust VPN sessions over the network.
Encryption
Encryption transforms data so that only authenticated parties can decrypt it. The encryption process combines plaintext with a key to produce ciphertext. Decryption combines the ciphertext with the key to recover the original plaintext, as shown in the figure. The process of arranging and distributing keys is called key management.
The encryption and decryption process
If the same key is used for both encryption and decryption, the key is called "symmetric". If different keys are used, the process is called "asymmetric". Asymmetric keys are widely used in PKIs (Public Key Infrastructures), where one key is "public" and the other is "private".
There are two kinds of cipher: block ciphers and stream ciphers. Block ciphers operate on plaintext in groups of bits called blocks, typically 64 or 128 bits long. Typical examples of block ciphers are DES, triple DES (3DES), AES and Blowfish. Stream ciphers transform a key into a pseudo-random "keystream" (typically of bits) which is then combined with the plaintext to encrypt it. Stream ciphers are used more widely than block ciphers. An example of a stream cipher is RC4 (used in 802.11 wireless LANs).
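As an added example (not from the article), the following Python implements RC4 as the stream cipher the text names, shows that one XOR with the keystream both encrypts and decrypts, and demonstrates why a WEP-style per-packet key of IV || secret must never repeat: two packets under the same keystream leak the XOR of their plaintexts. The function names and sample values are hypothetical.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key scheduling (KSA), then the pseudo-random generation loop (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stream cipher operation: the same call encrypts and decrypts, because
    XOR with the keystream is its own inverse (a symmetric key)."""
    return xor_bytes(data, rc4_keystream(key, len(data)))

def wep_style_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """WEP-style per-packet key: IV || shared secret (the ICV is omitted here)."""
    return stream_xor(iv + secret, plaintext)

def keystream_reuse_leaks(iv: bytes, secret: bytes, p1: bytes, p2: bytes) -> bool:
    """Two packets under the same IV and secret share one keystream, so the XOR
    of the ciphertexts equals the XOR of the plaintexts: the key hides nothing
    about how the two messages differ."""
    c1 = wep_style_encrypt(iv, secret, p1)
    c2 = wep_style_encrypt(iv, secret, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)

if __name__ == "__main__":
    print(stream_xor(b"Key", b"Plaintext").hex())          # bbf316e8d940af0ad3
    print(keystream_reuse_leaks(b"\x01\x02\x03", b"secret", b"hello", b"world"))
```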
Wireless authentication
Authentication is the process of proving that someone or something is what it claims to be. Authentication is usually a one-way process; for example, a person logs on to a computer and proves their identity with a username and password. In a wireless network, mutual authentication should be used, where the network authenticates the client and the client authenticates the network. This prevents rogue devices from impersonating network equipment in order to reach sensitive data on the wireless clients.
The 802.11 wireless LAN standard has no strong authentication, so the industry adopted the 802.1x protocol for authentication. 802.1x provides port-based network access control, which uses EAP (Extensible Authentication Protocol) and a RADIUS server. 802.1x does not prescribe a specific authentication protocol; instead it specifies EAP, which supports a number of authentication protocols such as CHAP-MD5, TLS and Kerberos. EAP is extensible, so new authentication protocols can be supported in later versions. EAP was designed to run over the Point-to-Point Protocol (PPP); to make it work with other data-link layer protocols (such as Token Ring 802.5 or 802.11 wireless LANs), EAP over LANs (EAPOL) was developed.
802.1x EAP-TLS is used in both standard and high-security environments. The exchange of EAP-TLS messages provides mutual authentication, a negotiated cipher handshake and a protected key exchange between a wireless client and the network. EAP-TLS is a technique that provides dynamic encryption keys per user and per session. This is a significant improvement that overcomes many of the weaknesses of wireless networks.
The figure below shows the sequence of events that occur when a client is authenticated with 802.1x EAP-TLS. Two digital certificates are required: one on the RADIUS server (for example the EAS) and one on the wireless client. Note that wireless access is not granted until authentication succeeds and the dynamic WEP keys have been established.
802.1x EAP-TLS authentication
The figure shows 802.1x EAP-TLS with the EAS in Controller Mode. The wireless client holds a (pre-installed) digital certificate. The wireless client communicates with the EAS through the AP. All three components (wireless client, AP and EAS) support the 802.1x EAP-TLS process. The wireless client can run Windows XP (which has built-in support for 802.1x EAP-TLS) or Windows 98/Me/2000 using the Madge Wireless LAN Utility (WLU). Once authenticated, user data can also pass through an EAS configured in Gateway Mode.
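The port-based access control that 802.1x adds, as an added example (not code from the article or from the EAS product): a minimal model of the authenticator's port that relays EAP responses towards the RADIUS server, drops everything else until the server accepts the client, and sends the matching EAP-Success or EAP-Failure back. The RADIUS decision is modelled as a boolean and the class and method names are hypothetical; EAPOL and EAP field layouts follow the published standards.

```python
EAPOL_ETHERTYPE = 0x888E
EAPOL_EAP_PACKET = 0                                 # EAPOL packet type 0 = EAP-Packet
EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 2, 3, 4     # EAP code values (RFC 3748)

def parse_eapol(body: bytes):
    """Return (eapol_type, eap_code) for an EAPOL frame body, or None if too short."""
    if len(body) < 4:
        return None
    ptype = body[1]
    length = int.from_bytes(body[2:4], "big")
    eap = body[4:4 + length]
    if ptype == EAPOL_EAP_PACKET and len(eap) >= 4:
        return ptype, eap[0]                         # EAP code is the first byte
    return ptype, None

def build_eap_result(code: int, ident: int) -> bytes:
    """EAPOL (version 1, EAP-Packet) wrapping a 4-byte EAP Success/Failure."""
    eap = bytes([code, ident]) + (4).to_bytes(2, "big")
    return bytes([1, EAPOL_EAP_PACKET]) + len(eap).to_bytes(2, "big") + eap

class AuthenticatorPort:
    """Model of an 802.1x authenticator port: only EAPOL passes before
    authentication; all other traffic is blocked until the RADIUS server
    accepts the client."""
    def __init__(self):
        self.authorized = False
        self.to_radius = []        # EAP responses to wrap in RADIUS EAP-Message
        self.forwarded = []        # user data let through after authorization

    def from_supplicant(self, ethertype: int, payload: bytes) -> str:
        if ethertype == EAPOL_ETHERTYPE:
            parsed = parse_eapol(payload)
            if parsed and parsed[1] == EAP_RESPONSE:
                self.to_radius.append(payload)
                return "relayed-to-radius"
            return "eapol-control"
        if not self.authorized:
            return "dropped-unauthorized"
        self.forwarded.append(payload)
        return "forwarded"

    def from_radius(self, accept: bool, ident: int) -> bytes:
        """Access-Accept opens the controlled port; Access-Reject keeps it
        closed. Either way the supplicant gets the matching EAP result."""
        self.authorized = accept
        return build_eap_result(EAP_SUCCESS if accept else EAP_FAILURE, ident)
```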