
NETWORK SECURITY

Part IV
Application Security
Ensuring application security
Section 1: Remote Access Security
Section 2: Securing Web Traffic
Section 3: Email Security
Section 4: Application Security Baselines

Remote Access Security
Wireless networks
Virtual private networks (VPN)
RADIUS
TACACS
PPTP
L2TP
SSH
IPSec
Wireless networks (wireless LAN)
OVERVIEW OF WIRELESS NETWORKS
Types of wireless networks
They can be roughly divided as follows:
Wireless LAN (Wifi): Connectivity within a small area such as a classroom, a building, or between two nearby buildings. The coverage radius is about a few hundred meters indoors and about a few km outdoors. Commonly used in crowded places such as hotels, train stations and schools. Uses the 802.11 standard.
Wireless MAN (WiMax): Wireless connectivity between different buildings, or between buildings in the same city. The coverage radius reaches a few tens of km. Commonly used in sparsely populated areas or areas with difficult terrain.

Wireless network standards
IEEE 802.15: Bluetooth, used in Personal Area Networks (PAN).
IEEE 802.11: Wifi, used for Local Area Networks (LAN).
IEEE 802.16: WiMax (Worldwide Interoperability for Microwave Access), used for Metropolitan Area Networks (MAN).
IEEE 802.20: used for Wide Area Networks (WAN).

WLAN
The network is based on 802.11 technology, so it is sometimes called an 802.11 network Ethernet. Today it is also called Wireless Ethernet or Wi-Fi (Wireless Fidelity).
The 802.11 standard was developed by IEEE and released in 1997. It includes: 802.11, 802.11a, 802.11b, 802.11b+, 802.11g, 802.11h
802.11:
Transfer rate of about 1 to 2 Mbps, operating in the 2.4 GHz band.
The physical layer transmits using DSSS (Direct Sequence Spread Spectrum) or FHSS (Frequency Hopping Spread Spectrum).
802.11a:
An extension of the 802.11 standard that provides transfer rates of up to 54 Mbps and operates in the 5 GHz band. It uses Orthogonal Frequency Division Multiplexing (OFDM) modulation.
Up to 8 Access Points can be used (in the 2.4 GHz band, by comparison, only up to 3 Access Points can be used).

802.11b, 802.11b+:
Provides a transfer rate of 11 Mbps (802.11b) or 22 Mbps (802.11b+), operating in the 2.4 GHz band. Compatible with 802.11 and 802.11g. The rate can also be 1, 2, or 5.5 Mbps.
802.11g:
Provides a transfer rate of about 20+ Mbps, operating in the 2.4 GHz band.
Modulation: one of two methods can be used:
OFDM (as in 802.11a): transfer rate of up to 54 Mbps.
DSSS: rate limited to 11 Mbps.
802.11h:
Used in Europe, operating in the 5 GHz band.
Advantages of WLAN over traditional wired networks
A wireless network provides all the features of LAN technologies such as Ethernet and Token Ring without the limits of physical connectivity (cable limits).
The first advantage of a wireless network is mobility. A WLAN allows supported devices to exchange data freely, without the distance and space constraints of an ordinary wired network. Wireless users can connect to the network while moving anywhere within the coverage of the central device (Access Point).
A WLAN uses infrared light and radio waves (Radio Frequency) to send and receive data instead of twisted-pair and fiber optic cable. Radio is the more common choice because it carries farther, lasts longer, covers a wider area and has higher bandwidth.
Limitations of WLAN
Wireless network speed depends on bandwidth. A wireless network is slower than a fixed network because a standard wireless network must carefully acknowledge received frames to avoid data loss.
Security on wireless networks is the foremost concern today. A wireless network is always a worry because its communication is available to anyone within range who has suitable equipment. In a traditional fixed network the signal travels inside a cable, so it can be protected more safely. On a wireless network, sniffing is very easy because the radio waves can be captured and processed by any receiver within range. In addition, a wireless network has no clear boundary, so it is very hard to manage.
Technical characteristics of wireless networks
How does a WLAN work?
A wireless LAN uses electromagnetic waves (radio or infrared) to exchange information between devices without any physical connection (cable).
In a typical WLAN configuration, a transmitting and receiving device (transceiver) called an Access Point (AP) is connected to the ordinary wired network through Ethernet cabling.
The main function of the AP is to receive, buffer and forward data between the WLAN and the ordinary wired network.
One AP can support a group of users within a certain distance (depending on the type of AP).
WLAN users access the network through a wireless NIC, usually in one of these forms:
PCMCIA - Laptop, Notebook
ISA, PCI, USB - Desktop
Built into handheld devices
The main technology used for wireless networks is based on the IEEE 802.11 standard. Most wireless networks today use the 2.4 GHz frequency.
Wireless Network Standards:
IEEE 802.11 standard
Bluetooth
802.11 Standard
WLANs operate according to the 802.11 standard, which is regarded as the standard for wireless-capable mobile devices and serves devices with a medium operating range.
At present IEEE 802.11 consists of 4 standards in the 802.11 family and 1 experimental standard:
802.11 - the original IEEE wireless network standard (operates at 2.4 GHz, speed 1 Mbps to 2 Mbps)
802.11b - (developed in 1999, operates at 2.4-2.48 GHz, speed from 1 Mbps to 11 Mbps)
802.11a - (developed in 1999, operates at 5 GHz to 6 GHz, speed 54 Mbps)
802.11g - (a standard similar to b but faster, from 20 Mbps to 54 Mbps, currently the most widespread)
802.11e - an experimental standard: this is still only a trial version that provides QoS (Quality of Service) and multimedia support for homes and businesses with wireless environments

Bluetooth
Bluetooth is a simple protocol for connecting mobile devices such as mobile phones, laptops, handheld computers, digital cameras, printers, etc.
Bluetooth uses the IEEE 802.15 standard at frequencies of 2.4 GHz to 2.5 GHz.
Bluetooth is a technology designed to connect mobile devices quickly. It is also a way to build a WPAN and can operate in environments with many different frequencies.

Channels in wireless networks
A wireless network operates on 14 channels (but in practice only 1 channel transmits when operating).
Channel layout model for wireless networks
One point to note when installing Access Points:
The coverage radii of neighbouring Access Points need overlapping areas.
The channels set on the Access Points must be 5 channels apart.
Wireless network models
Wireless networks (networks based on the 802.11 standard) are designed to be very flexible. There are 3 options when you want to build a wireless network:
Independent Basic Service Set (IBSS)
Basic Service Set (BSS)
Extended Service Set (ESS)

A Basic Service Set (BSS) is a group of devices between the WLAN and the ordinary wired network, connected through a fixed AP. The WLAN uses radio waves (RF) to broadcast to the clients (receivers), and the clients must be within broadcast range. Communication between devices first goes through the service set identifier (SSID): clients use this SSID to filter the signals received from the transmitter.

Independent BSS / Ad-hoc
In the Independent BSS model, clients communicate directly with one another without going through an AP, but they must be within range.
The smallest network under the 802.11 standard consists of 2 machines communicating directly with each other.
The IBSS model is also called an ad-hoc network.

Figure: Independent BSS / ad-hoc network model
BSS / Infrastructure BSS
In the Infrastructure BSS model, clients that want to communicate with each other must go through a special device called an Access Point (AP).
The AP is the central point that manages all communication in the network; clients cannot communicate directly with each other as they do in an Independent BSS.
To communicate with each other, clients send data frames to the AP, and the AP then forwards them to the receiving machine.

Figure: Infrastructure BSS model
ESS / Extended Service Set
Several BSSs combined together are called an ESS.
It is a model that uses 2 or more APs to connect the network. The APs connect to each other to form a larger network with wider coverage, which is convenient and serves mobile clients well, ensuring that all clients keep working.

Figure: ESS network model
TYPES OF ATTACK ON WLANS
A hacker can attack a WLAN in the following ways:
Passive attack (eavesdropping)
Active attack (connecting, probing and configuring the network)
Jamming attack
Man-in-the-middle attack

Passive attack
A passive attack, or eavesdropping, is the simplest method of attacking a WLAN but is still very effective. A passive attack leaves no trace of the hacker's presence in the network, because the hacker does not actually connect to the AP in order to listen to the packets sent over the wireless segment.
A WLAN sniffer can be used to gather information about a wireless network from a long distance by using a directional antenna.
This method lets the hacker keep a distance from the network and leave no trace while still listening and collecting valuable information.

Figure: example of a passive attack
Active attack
An active attack is used to gain access to a server and obtain valuable data, to use the company's Internet connection for destructive purposes, or even to change the configuration of the network infrastructure.
By connecting to the wireless network through the AP, a hacker can penetrate deeper into the network or change the network configuration.
Example: a hacker can add the hacker's own MAC address to the allow list of the MAC filter on the AP, or disable the MAC filter feature, to make later intrusion easier.
Figure: example of an active attack
Jamming attack
Jamming is a technique used simply to shut down the wireless network.
When a hacker actively mounts a jamming attack, the hacker can use a special WLAN device: a high-power RF signal transmitter or a sweep generator.
To eliminate this kind of attack, the first requirement is to locate the source of the RF signal. This can be done with a spectrum analyzer.
Figure: jamming attack
Attack by attraction (Man in the Middle)
A man-in-the-middle attack is the case in which a hacker uses an AP to capture mobile nodes by sending them a stronger RF signal than the legitimate AP does.
The mobile nodes see an AP with a better RF signal and connect to this rogue AP. They then send data, possibly sensitive data, to the rogue AP, and the hacker has full control over it.
A hacker who wants to mount this kind of man-in-the-middle attack must first know the SSID value the clients are using (this value is very easy to obtain). The hacker must then know the WEP key if the network uses WEP.
Figure: man-in-the-middle attack
OVERVIEW OF WIRELESS NETWORK SECURITY
Why secure a wireless network?

To secure a wireless network you need at least the following two components:
Authentication: authenticating users, which decides who may use the WLAN
Encryption: encrypting data, which provides data confidentiality
Wireless LAN security
A WLAN has 3 parts: Wireless Client, Access Points and Access Server.
Wireless Client: typically a laptop with a wireless NIC (Network Interface Card) installed to allow access to the wireless network.
Access Points (AP): provide radio coverage in a given area and connect to the wireless network.
Access Server: controls access. An Access Server (such as an Enterprise Access Server (EAS)) provides control, management and advanced security features for the enterprise wireless network.
Security settings in a WLAN
Device Authorization: wireless clients can be blocked by their hardware address (for example, the MAC address).
Encryption: the WLAN also supports WEP, 3DES and the TLS (Transport Layer Security) standard. WEP keys can be generated on a per-user, per-session basis.
Authentication: the WLAN supports mutual authentication (using 802.1x EAP-TLS) to ensure that only authorized wireless clients can access the network.
Firewall: integrates a packet-filtering and port-blocking firewall based on IP chains.
VPN: includes an IPSec VPN server that lets wireless clients establish VPN sessions.
Encryption
Encryption transforms data so that only authorized parties can decrypt it. The encryption process combines the plaintext with a key to produce the ciphertext.
Decryption combines the ciphertext with the key to recreate the plaintext.
The process of arranging and distributing keys is called key management.
Figure: the encryption and decryption process
There are two encryption methods:
Stream ciphers
Block ciphers
Both types of cipher work by generating a key stream from a secret key value. The key stream is then mixed with the data (plaintext) to produce the encrypted data.
The two types differ in the size of the data they operate on at one time.
Stream ciphers
A stream cipher encrypts bit by bit, generating a continuous key stream based on the value of the key.
Example: a stream cipher can generate a 15-byte key stream to encrypt one frame and a different 200-byte key stream to encrypt another frame.
A stream cipher is a very efficient encryption algorithm that consumes few resources (CPU).
Figure: operation of a stream cipher
Block ciphers
A block cipher generates a single key stream of fixed size (64 or 128 bits).
The unencrypted string (plaintext) is split into blocks, and each block is mixed with the key stream independently.
If a plaintext block is smaller than the key stream block, the plaintext is padded to reach the appropriate size.
Figure: operation of a block cipher
Remarks
The stream and block encryption processes described here are also called the electronic code book (ECB) encryption mode (Electronic Code Block).
The characteristic of this mode is that the same plaintext input always produces the same ciphertext output.
This is the factor an attacker can exploit to recognize patterns in the ciphertext and guess the original plaintext.
WEP - Wired Equivalent Privacy
WEP is an encryption system used to protect data on wireless networks. WEP is part of the 802.11 standard and is based on the RC4 encryption algorithm, encrypting data with 40 bits.
Technical characteristics of WEP
Access control: prevents access by clients that do not have the matching key
Confidentiality: protects data on the network by encrypting it and lets only clients with the correct WEP key decrypt it
The WEP algorithm
The RC4 encryption algorithm is a symmetric encryption algorithm (an algorithm that uses the same key for encryption and decryption).
WEP is the encryption algorithm used by the shared-key authentication process to authenticate users and to encrypt data on the wireless network segment.
Figure: a frame encrypted by WEP
To avoid ECB (Electronic Code Block) mode during encryption, WEP uses a 24-bit IV, which is concatenated with the WEP key before being processed by RC4.
The IV value must change with every frame to avoid collisions. An IV collision occurs when the same IV and WEP key are used, with the result that the same key stream is used to encrypt the frames.

The 802.11 standard requires the WEP key configured on the client and on the AP to match before they can communicate.
WEP encryption is used only for data frames during the shared-key authentication process. WEP encrypts the following fields in a data frame:
The data portion (payload)
The integrity check value of the data, ICV (Integrity Check Value)
All other fields are sent unencrypted. The IV value is sent unencrypted so that the receiving station can use it to decrypt the data portion and the ICV.
Figure: diagram of the WEP encryption process (labels: Initialization Vector (IV), Secret Key, Seed, WEP PRNG, Key Sequence, Plaintext, Integrity Algorithm, Integrity Check Value (ICV), Ciphertext, Message)
Figure: diagram of the WEP decryption process (labels: Message, IV, Ciphertext, Secret Key, Seed, WEP PRNG, Key Sequence, Plaintext, Integrity Algorithm, ICV, comparison ICV = ICV?)
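The encryption and decryption flow in the two diagrams, and the IV collision described earlier, as an added Python example that is not part of the original slides. It assumes the WEP PRNG is RC4 seeded with IV followed by key and that the integrity algorithm is CRC-32; the key, IVs and messages are constructed sample values.

```python
import zlib

IV_LEN = 3    # WEP uses a 24-bit IV
ICV_LEN = 4   # the ICV is a 32-bit CRC over the message


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for the given seed."""
    state = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + state[i] + seed[i % len(seed)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # keystream generation
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out.append(state[(state[i] + state[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(message: bytes) -> bytes:
    return zlib.crc32(message).to_bytes(ICV_LEN, "little")


def wep_encrypt(key: bytes, iv: bytes, message: bytes) -> bytes:
    """Frame body = clear-text IV followed by RC4(IV || key) XOR (message || ICV)."""
    if len(iv) != IV_LEN:
        raise ValueError("WEP IV must be 24 bits")
    plaintext = message + icv(message)
    keystream = rc4_keystream(iv + key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Rebuild the keystream from the received IV, then check ICV' == ICV."""
    iv, ciphertext = frame[:IV_LEN], frame[IV_LEN:]
    if len(ciphertext) < ICV_LEN:
        raise ValueError("frame too short")
    plaintext = xor_bytes(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    message, received_icv = plaintext[:-ICV_LEN], plaintext[-ICV_LEN:]
    if icv(message) != received_icv:
        raise ValueError("ICV mismatch")
    return message


def reused_ivs(frames):
    """Monitoring check: IVs that appear on more than one captured frame."""
    seen, reused = set(), []
    for frame in frames:
        iv = frame[:IV_LEN]
        if iv in seen and iv not in reused:
            reused.append(iv)
        seen.add(iv)
    return reused


def ciphertext_xor(frame_a: bytes, frame_b: bytes) -> bytes:
    """XOR of two encrypted bodies. With a shared IV the keystream cancels out."""
    return xor_bytes(frame_a[IV_LEN:], frame_b[IV_LEN:])


# Constructed sample data: a 40-bit key and two frames that collide on the IV.
KEY = bytes.fromhex("0102030405")
MSG_A = b"GET /index.html"
MSG_B = b"POST /login.php"
FRAME_A = wep_encrypt(KEY, b"\x00\x00\x01", MSG_A)
FRAME_B = wep_encrypt(KEY, b"\x00\x00\x01", MSG_B)   # same IV as FRAME_A
FRAME_C = wep_encrypt(KEY, b"\x00\x00\x02", MSG_B)   # fresh IV

if __name__ == "__main__":
    print("reused IVs:", [iv.hex() for iv in reused_ivs([FRAME_A, FRAME_B, FRAME_C])])
    leaked = ciphertext_xor(FRAME_A, FRAME_B)[:len(MSG_A)]
    print("keystream cancels:", leaked == xor_bytes(MSG_A, MSG_B))
```

With the colliding IV, the XOR of the two ciphertexts equals the XOR of the two plaintexts without any knowledge of the key, which is why the IV has to change for every frame.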
WPA - Wi-Fi Protected Access
WPA was designed to replace WEP because it offers higher security. The Temporal Key Integrity Protocol (TKIP), also called WPA key hashing, is an improvement based on WEP: it changes keys automatically, which makes it much harder for attackers to discover the network key.
WPA also improves both the authentication method and the encryption method. WPA is much more secure than WEP, because WPA checks and ensures data integrity better than WEP does.
WPA2 - Wi-Fi Protected Access 2
WPA2 is a later standard that was first certified on 1 September 2004. WPA2 is recommended by the National Institute of Standards and Technology (NIST) and uses the Advanced Encryption Standard (AES) encryption algorithm.
WPA2 also has a very high security level, similar to the WPA standard, protecting the accounts and data of users and administrators.
In practice WPA2 provides stronger encryption than WPA. WPA2 uses many algorithms to encrypt data, such as TKIP, RC4, AES and several others. Systems that use WPA2 are all compatible with WPA.
AES-based solutions
The overall architecture uses the EAS in Gateway Mode or Controller Mode.
In Gateway Mode the EAS is placed between the AP network and the rest of the enterprise network. The EAS therefore controls all traffic flows between the wireless and wired networks and acts as a firewall.
In Controller Mode the EAS manages the APs and controls access to the wireless network, but it is not involved in carrying user data.
In this mode the wireless network can be separated from the wired network by an ordinary firewall or fully integrated into the enterprise wired network.
Figure: Enterprise Access Server in Controller Mode
Virtual private network (VPN)
A method of securing remote access
Based on encryption methods and authentication mechanisms
Provides a tunnel mechanism that carries information from one network to another
There are two forms of operation:
Site to Site VPN
Remote Access
Technologies used:
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol (L2TP)
IPSec
Public Key Infrastructure (PKI)
Remote control software
VPN issues
Increases network throughput usage
Issues with installing and maintaining the system
Issues with the security mechanisms
Issues with the skill level of users
Compatibility issues
Security for VPN
Use the latest security protocols (L2TP, IPSec)
Use it as a replacement for remote access services (Terminal Services, PC Anywhere, VNC)
Regularly apply patches to the software and the operating system
Plan the deployment very carefully
RADIUS
Remote Access Dial-In User Service
Used by ISPs for authentication in dial-in services
Used for authentication between network devices such as routers and a Domain Controller (Active Directory, iPlannet...)
Properties
Encrypts only the password
Widely used
Relatively complex to install
Open source
Uses UDP port 1812
Security
Use Kerberos encryption for authentication
Regularly update the software of applications that use RADIUS

TACACS
Terminal Access Controller Access Control System.
An authentication protocol from UNIX
Centralized management of user authentication

Properties
Not widely used
The TACACS+ protocol is not compatible with earlier versions
Uses TCP port 49
PPTP
Point-to-Point Tunnelling Protocol (PPTP)
Operates on the client/server model
Compresses the data of PPP packets
Uses TCP port 1723 to initiate the connection
Properties
A protocol whose encryption cannot be extended
Easily abused for attacks
Authentication is a risk that is easy to attack

L2TP
A combination of the PPTP protocol and the L2P protocol (Layer 2 Protocol, Cisco)
The encryption method can be extended
Certificates can be used for both authentication and encryption
Properties
Complex to install
Some devices are not compatible
Expensive
Not compatible with NAT (Network Address Translation)
SSH
Secure Shell
A remote access administration tool that uses the command line (CLI, Command Line Interface)
Commonly used as a replacement for Telnet and login
1. Client requests SSH session with host
2. Client and host perform handshake
3. Client and host exchange and verify session keys
4. Client begins secure session
Figure: the 4 steps that start an SSH session
Properties
Uses public-key cryptography for authentication and encryption
Provides file copy and FTP features
Developed by several vendors, and also available as open source (Open SSH)
Client and server communicate through a tunnel
Services (mail, web...) can use the tunnel to exchange information
Some issues
Uses a key mechanism for authentication
Early versions had many bugs
Security bugs are still being found today
The CLI remains an obstacle for administrators
IPSec
What is IPSec?
IPSec (Internet Protocol Security).
It relates to a set of protocols (AH, ESP and several other standards) developed by the Internet Engineering Task Force (IETF).
The main purpose of IPSec is to provide a security framework at layer 3 (network layer) of the OSI model.
IPSec Security Associations (SA)
A Security Association (SA) is a logical, one-way connection between two entities that use IPSec services.
The authentication protocols, keys and algorithms
The mode and keys of the authentication algorithms used by the Authentication Header (AH) or Encapsulation Security Payload (ESP) protocols of the IPSec suite
The encryption and decryption algorithms and their keys
Key-related information, such as the change interval or refresh interval of the keys
Information about the SA itself, including the SA source address and the refresh interval
The use and size of any cryptographic synchronization in use, if any

An IPSec SA consists of 3 fields:
SPI (Security Parameter Index). A 32-bit field used to identify the security protocol, as defined by the Security protocol field. The SPI is usually chosen by the destination system during SA negotiation.
Destination IP address. The IP address of the destination node. Although it may be a broadcast, unicast or multicast address, the current SA management mechanisms are defined only for unicast systems.
Security protocol. Describes the IPSec security protocol, which is either AH or ESP.
IPSec Security Protocols
The IPSec suite offers 3 main capabilities:
Authentication and data integrity. IPSec provides a mechanism for the receiver to confirm the authenticity of the sender and to detect any modification of the packet contents. The IPSec protocols offer strong protection against spoofing, sniffing and denial-of-service attacks.
Confidentiality. The IPSec protocols encrypt data, which prevents unauthenticated parties from accessing the data in transit. IPSec also uses tunneling to hide the IP addresses of the source node (sender) and destination node (receiver) from eavesdroppers.
Key management. IPSec uses a third protocol, Internet Key Exchange (IKE), to negotiate the security protocols and encryption algorithms before and during the session. Just as importantly, IPSec distributes and checks the encryption keys and updates them when required.
The first two capabilities of the IPSec suite, authentication and integrity, and confidentiality, are provided by the two main protocols in the IPSec suite: Authentication Header (AH) and Encapsulating Security Payload (ESP).
The third capability, key management, lives in a separate protocol that the IPSec suite adopted because it is a strong key management service. That protocol is IKE.
Technical details
Two protocols were developed to provide security for packets:
IP Authentication Header ensures integrity and provides authentication.
IP Encapsulating Security Payload provides confidentiality, with authentication and integrity available as an option to ensure data integrity.
The cryptographic algorithms used in IPsec include:
HMAC-SHA1 for data integrity (integrity protection)
TripleDES-CBC and AES-CBC for encryption and to ensure the confidentiality of packets
Authentication Header (AH)
AH is used on connections that give no guarantees about the data.
AH is an option for defending against replay attacks, using the sliding window technique and discarding older packets.
AH protects data in transit over IP. In IPv4 the IP header includes TOS, Flags, Fragment Offset, TTL and Header Checksum.
AH operates directly on the first part of the IP packet.
Next header: identifies the protocol being used to carry the information.
Payload length: the size of the AH packet.
RESERVED: reserved for future use (for now it is filled with zeros).
Security parameters index (SPI): identifies the security parameters, combined with the IP address, and identifies the security association negotiated for the packet.
Sequence number: a number that increases automatically with each packet, used to defend against replay attacks.
Authentication data: contains the integrity check value (ICV) needed to authenticate the packet.
Figure: AH header layout
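The AH fields listed above and the sliding-window replay defence, as an added Python example that is not part of the original slides. It assumes the RFC 4302 wire layout (payload length counted in 32-bit words minus 2) and a 64-packet window; the sample header and sequence numbers are constructed.

```python
import struct
from dataclasses import dataclass


@dataclass
class AHHeader:
    next_header: int   # protocol number of the data that follows AH
    payload_len: int   # AH length in 32-bit words, minus 2
    spi: int           # security parameters index
    sequence: int      # per-packet counter used against replay
    icv: bytes         # authentication data (integrity check value)


def parse_ah(data: bytes) -> AHHeader:
    """Parse the fixed 12-byte part of AH plus the variable-length ICV."""
    if len(data) < 12:
        raise ValueError("truncated AH header")
    next_header, payload_len, reserved, spi, sequence = struct.unpack(
        "!BBHII", data[:12])
    if reserved != 0:
        raise ValueError("RESERVED field must be zero")
    total = (payload_len + 2) * 4
    if total < 12 or len(data) < total:
        raise ValueError("payload length does not match the data")
    return AHHeader(next_header, payload_len, spi, sequence, data[12:total])


class ReplayWindow:
    """Sliding window over sequence numbers for one SA.

    Bit i of the bitmap records that sequence (highest - i) was accepted.
    A real receiver updates the window only after the ICV has verified.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def accept(self, sequence: int) -> bool:
        if sequence == 0:
            return False                       # counters start at 1
        if sequence > self.highest:            # window slides forward
            shift = sequence - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = sequence
            return True
        offset = self.highest - sequence
        if offset >= self.size:
            return False                       # older than the window: discard
        if self.bitmap & (1 << offset):
            return False                       # already seen: replay
        self.bitmap |= 1 << offset             # late but new packet
        return True


def filter_replays(sequences, size: int = 64):
    """Return the accept/reject verdict for each sequence number in order."""
    window = ReplayWindow(size)
    return [window.accept(seq) for seq in sequences]


# Constructed sample: AH carrying TCP (6), SPI 0x1000, sequence 1 and a
# 12-byte all-zero ICV, so payload_len = (12 + 12) / 4 - 2 = 4.
SAMPLE_AH = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1) + bytes(12)

if __name__ == "__main__":
    print(parse_ah(SAMPLE_AH))
    print(filter_replays([1, 1, 3, 2, 2, 100, 36, 37]))
```

In the constructed sequence, the second copies of 1 and 2 are rejected as replays, and 36 is rejected because it falls outside the 64-packet window once 100 has been accepted.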
Encapsulating Security Payload (ESP)
The ESP protocol provides authentication, integrity and confidentiality for packets.
ESP can also be configured for situations that need only encryption or only authentication.
Security parameters index (SPI): identifies the parameters, combined with the IP address.
Sequence number: increases automatically, to defend against replay attacks.
Payload data: the data being sent.
Padding: used with block encryption.
Pad length: the size of the padding.
Next header: identifies the protocol being used to carry the information.
Authentication data: contains the authentication data for the packet.
Figure: ESP layout
IPSec modes
SAs in IPSec are currently deployed in 2 modes:
Transport.
Tunnel.
Both AH and ESP can work in either of these two modes.
Figure: the two IPSec modes
Transport Mode
Transport mode protects upper-layer protocols and applications.
In transport mode, the IPSec header is inserted between the IP header and the header of the upper-layer protocol.

Figure: IPSec transport modes
Figure: AH transport mode
Figure: ESP transport mode
Tunnel Mode
Tunnel mode protects the entire packet.
The entire IP packet is encapsulated in another IP packet, and an IPSec header is inserted between the original header and the new IP header.
Figure: general view of IPSec tunnel modes
AH Tunnel mode
In AH tunnel mode, the new header (AH) is inserted between the new header and the original header, as shown in the figure.
Figure: ESP tunnel mode
Internet Key Exchange
Originally known as ISAKMP/Oakley; ISAKMP stands for Internet Security Association and Key Management Protocol.
IKE lets the communicating parties negotiate the security parameters and authentication keys before an IPSec secure session is set up.
Besides negotiating and establishing the security parameters and encryption keys, IKE also modifies these parameters when needed during the session.
IKE is also responsible for deleting the SAs and keys after a session is complete.
The main function of IKE is to establish and maintain SAs.
The following attributes are the minimum that the two parties must agree on as part of ISAKMP:
The encryption algorithm used
The hash algorithm used
The authentication method used
Information about the Diffie-Hellman group and algorithm
IKE performs negotiation, authentication, key management and key exchange.
After a successful negotiation, the valid SA parameters are stored in the SA database.
The main advantages of IKE include:
IKE is not a standalone technology, so it can be used with any security mechanism.
The IKE mechanism, although not fast, is highly efficient because a large number of security associations are negotiated with only a few messages.
IKE Phases
Phase I and Phase II are the two phases that make up an IKE-based session.
An IKE session assumes that a secure channel has already been established. This secure channel must be set up before any negotiation takes place.
Figure: the two IKE phases, Phase I and Phase II
IKE Phase I
IKE Phase I first authenticates the communicating peers and then establishes a secure channel for setting up SAs. Next, the communicating parties negotiate a mutually agreed ISAKMP SA, including the encryption algorithms, hash functions, authentication methods and keys.

After the encryption mechanism and hash function have been negotiated, a shared secret key is generated. The following information is used to generate the secret key:
The Diffie-Hellman values
The SPI of the ISAKMP SA, in the form of cookies
Random numbers (nonces)
If the two parties agree to use public-key based authentication, they also need to exchange IDs. After exchanging the necessary information, both parties generate their own keys and use them to share the secret. In this way the encryption keys are generated without actually exchanging any key over the network.
IKE Phase II
Phase II deals with establishing SAs for IPSec. In this phase, SAs for the various services are negotiated. The authentication mechanism, hash function and encryption algorithm protect the subsequent IPSec packets (using AH and ESP).
Phase II negotiation happens more often than Phase I. Typically the negotiation may repeat after 4-5 minutes. Changing the keys frequently prevents hackers from breaking these keys and, after that, the contents of the packets.
IKE Modes
4 IKE modes are commonly deployed:
Main mode
Aggressive mode
Quick mode
New Group mode
Main Mode
Main mode authenticates and protects the identities of the parties involved in the exchange. In this mode, 6 messages are exchanged between the endpoints:
The first 2 messages negotiate the security policy for the exchange.
The next 2 messages exchange the Diffie-Hellman keys and nonces. These keys later play an important role in the encryption mechanism.
The last two messages of this mode authenticate the parties to the exchange with the help of signatures, hash functions and, optionally, certificates.
Aggressive Mode
Aggressive mode is essentially the same as main mode. The only difference is that where main mode has 6 messages, this mode exchanges only 3. Aggressive mode is therefore faster than main mode. The messages are:
The first message proposes the security policy and exchanges nonces for the signing and verification that follow.
The next message replies to the first. It authenticates the receiver and completes the security policy with the keys.
The last message authenticates the sender (the initiator of the session).
Quick Mode
The third IKE mode, quick mode, is the Phase II mode. It is used to negotiate SAs for the IPSec security services.
New Group Mode
New Group mode is used to negotiate a new private group in order to make the Diffie-Hellman key exchange easier.
Although this mode is carried out after Phase I, it is not part of Phase II.
Secure Web Traffic
Secure Sockets Layer
Figure: security in the TCP/IP model

The SSL security protocol (Secure Sockets Layer)
Developed by Netscape
First version (SSL 1.0): not published
SSL 2.0: published in 1994, contained many security flaws.
SSL 3.0: published in 1996.
SSL 3.1: in 1999, standardized as TLS 1.0 (Transport Layer Security)
Today: SSL 3.2 (equivalent to TLS 1.1)
Uses of SSL
Data encryption and authentication for web services.
Data encryption and authentication for mail services (SMTP and POP)
Security for FTP and other applications
Unlike IPSec, SSL is not transparent to the application.
Structure of SSL
SSL Handshake protocol: the handshake protocol, run when a connection starts.
SSL Change Cipher Spec protocol: the protocol that updates the encryption parameters.
SSL Alert protocol: the alert protocol.
SSL Record protocol: the data transfer protocol (performs encryption and authentication)
Connection and session
Connection: a data transfer relationship between two systems at the transport layer.
Session: a security relationship between two systems. Each such relationship can create multiple connections.
Multiple connections can exist between two systems => in theory multiple sessions can exist.
Session state
The state of a session is defined by these parameters:
Session identifier: identifies the session.
Peer certificate: the digital certificate of the peer.
Compression method: the compression algorithm.
Cipher spec: the encryption and authentication parameters.
Master secret: the shared key.
Is resumable: whether the session can be resumed.
Connection state
The state of a connection is defined by these parameters:
Server and client random: random byte strings.
Server write MAC secret: the shared key for MAC operations on the server side.
Server write key: the server-side encryption key.
Client write key: the client-side encryption key.
IV and sequence number.
The SSL record protocol
Provides two basic services:
Confidentiality
Message integrity
Fragmentation: each block of original data is split into fragments, each with a maximum size of 2^14 bytes.
Compression: compression algorithms may be used to reduce the size of the transmitted data, but implementations rarely accept this operation.
Figure: generating the message authentication code (MAC)

Figure: encryption

Figure: structure of the SSL record header

The SSL Change Cipher Spec protocol
Updates the encryption parameters for the current connection.
Consists of a single 1-byte message sent with the SSL record protocol.
The SSL Alert protocol
Some alert messages in SSL:
Unexpected_message: the message is inappropriate.
Bad_record_mac: the MAC is incorrect.
Decompression_failure: decompression failed.
Handshake_failure: the security parameters could not be negotiated.
Illegal_parameter: the handshake message is invalid.
Close_notify: announces the end of the connection
Some alert messages in SSL (continued):
No_certificate: no certificate is available to supply as requested.
Bad_certificate: the certificate is invalid (bad signature).
Unsupported_certificate: the certificate type is not standard.
Certificate_revoked: the certificate has been revoked.
Certificate_expired: the certificate has expired.
Certificate_unknown: the certificate could not be processed (for a reason other than those above)
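The record protocol, the Change Cipher Spec message and the alert list above, as an added Python example that is not part of the original slides. It assumes the standard 5-byte record header (content type, version, length) and the SSL 3.0 numeric alert codes; the sample byte stream is constructed.

```python
import struct

MAX_FRAGMENT = 2 ** 14                 # plaintext fragment limit from the slides
MAX_PROTECTED = MAX_FRAGMENT + 2048    # room for compression, MAC and padding

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          30: "decompression_failure", 40: "handshake_failure",
          41: "no_certificate", 42: "bad_certificate",
          43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown",
          47: "illegal_parameter"}


def fragment(data: bytes):
    """Split application data into fragments of at most 2^14 bytes."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)]


def parse_records(stream: bytes):
    """Split one direction of a connection into (type, version, body) tuples."""
    records, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", stream[pos:pos + 5])
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        if length > MAX_PROTECTED:
            raise ValueError("record length exceeds the protocol limit")
        body = stream[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append((ctype, (major, minor), body))
        pos += 5 + length
    return records


def summarize(stream: bytes):
    """Describe each record; bodies after change_cipher_spec are opaque."""
    protected = False
    lines = []
    for ctype, _version, body in parse_records(stream):
        name = CONTENT_TYPES[ctype]
        if protected:
            lines.append(f"{name}: protected, {len(body)} bytes")
        elif ctype == 20:
            if body != b"\x01":            # the single 1-byte message
                raise ValueError("malformed change_cipher_spec")
            protected = True
            lines.append(name)
        elif ctype == 21:
            if len(body) != 2:
                raise ValueError("plaintext alert must be 2 bytes")
            level, code = body
            lines.append(f"alert: {ALERT_LEVELS.get(level, level)} "
                         f"{ALERTS.get(code, code)}")
        else:
            if len(body) > MAX_FRAGMENT:
                raise ValueError("plaintext fragment larger than 2^14 bytes")
            lines.append(f"{name}: {len(body)} bytes")
    return lines


# Constructed sample (SSL 3.0, client side): a no_certificate warning, the
# change_cipher_spec message, then a 24-byte protected alert record.
SAMPLE_STREAM = (bytes.fromhex("1503000002" "0129")
                 + bytes.fromhex("1403000001" "01")
                 + bytes.fromhex("1503000018") + bytes(range(24)))

if __name__ == "__main__":
    for line in summarize(SAMPLE_STREAM):
        print(line)
    print([len(chunk) for chunk in fragment(bytes(40000))])
```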
The SSL handshake protocol
The most important part of SSL.
Negotiates the security parameters between the two entities.
The handshake must be completed before data is exchanged.
The SSL handshake consists of 4 phases.
Phase 1:
Phase 2:
Certificate: the server's certificate.
Server_key_exchange: key exchange parameters (***).
Certificate_request: asks the client to send a certificate.
Server_hello_done: ends the negotiation on the server side.
Phase 3:
Certificate: the client's certificate.
Client_key_exchange: key exchange parameters (***).
Certificate_verify: information to verify the client's certificate (authenticates the client's PR key).

Phase 4:
Change_cipher_spec: updates the encryption parameters.
Finish: ends the handshake successfully.
Key exchange in the SSL handshake:
Using RSA (the certificate contains the PU)
Fixed Diffie-Hellman: Diffie-Hellman with fixed keys.
Ephemeral Diffie-Hellman: Diffie-Hellman with ephemeral keys.
Anonymous Diffie-Hellman: uses plain Diffie-Hellman keys.
Attacking an SSL connection
If the parameters of the Diffie-Hellman key exchange can be intercepted, the secret key can be obtained with the man-in-the-middle technique.
The secret key is then used to decrypt the information carried by the SSL record protocol.
Deploying SSL with web services
Web clients (internet browsers) have the SSL protocol built in.
On the server side:
Make sure the server supports SSL (IIS, Apache, ...)
Create and install a certificate for the server.
Enforce SSL for all transactions.
SSL issues
Both client and server need PKI during authentication
Common rules must be established for the system
Affects the performance of the network
Deployment carries some potential problems: how to deploy, system configuration, choice of software....
Man-in-the-middle attacks
Ensuring security in SSL
Deploy PKI
Regularly update and patch the software in use
Set up authentication in the transactions between client and server
Teach users the signs of a man-in-the-middle attack
Weaknesses of the web client
JavaScript
ActiveX
Cookies
Applets
JavaScript
Code that is embedded in a web page and executed by the web browser.
Very widely used and useful
Risks:
Stealing email addresses
Stealing user information
Killing processes
Consuming CPU and memory resources
Shutting down the system
Relaying email for sending spam
Helping to take over a website
Countermeasures
Disable JavaScript execution in the browser.
Regularly update to the latest browser version
Carefully check the code on the web server
ActiveX
ActiveX provides dynamic content to the web browser
ActiveX can communicate with other applications, take parameters from the user, and provide useful applications to the user.
ActiveX
Risks:
Information theft
Attackers can exploit security vulnerabilities in ActiveX applications to break into and attack the system
ActiveX
Countermeasures:
Disable ActiveX in the web browser and mail client
Filter ActiveX at the firewall
Instruct users to use only certified ActiveX controls
Cookies
Cookie files store some of the user's personal information:
Credit card numbers
Username/Password
Can be shared across many different websites
The browser can allow the web server to store information on
Cookies
Risks:
An attacker can use Telnet to send whatever cookie lines they want in order to deceive the web server.
An attacker can abuse cookies to steal information about users, the organization and the security configuration of the internal network
An attacker can exploit script injection flaws to plant malicious scripts on the system so that cookies are sent to another system instead of to the web server
Cookies
Countermeasures:
Disable cookies in the web browser
Use tools that delete unneeded cookies
Configure the web server not to trust client-stored cookies that are used to request information, control or services
Do not store sensitive information in cookies
Use SSL/TLS
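One way a server can follow the last three countermeasures, as an added example that is not part of the original slides: the cookie holds only an opaque session identifier with an HMAC tag, sensitive data stays in a server-side store, and the cookie is marked for SSL/TLS-only transport. The key handling, the `sid` cookie name and the in-memory `SESSIONS` store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import CookieError, SimpleCookie

SERVER_KEY = secrets.token_bytes(32)  # hypothetical secret; never leaves the server
SESSIONS = {}                         # sensitive data stays here, not in the cookie


def _mac(session_id):
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_cookie(username):
    """Create a session and return the Set-Cookie header value for it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": username}
    cookie = SimpleCookie()
    cookie["sid"] = f"{sid}.{_mac(sid)}"   # opaque id plus integrity tag
    cookie["sid"]["secure"] = True         # sent over SSL/TLS only
    cookie["sid"]["httponly"] = True       # not readable by page scripts
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def user_from_cookie(cookie_header):
    """Return the user for a Cookie header, or None if it was not issued here."""
    try:
        jar = SimpleCookie()
        jar.load(cookie_header)
    except CookieError:
        return None
    if "sid" not in jar:
        return None
    sid, _, tag = jar["sid"].value.rpartition(".")
    if not hmac.compare_digest(tag.encode(), _mac(sid).encode()):
        return None                        # hand-typed or altered cookie
    session = SESSIONS.get(sid)
    return session["user"] if session else None
```

A cookie line typed by hand over Telnet fails the tag check, so the server never acts on values it did not issue.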
Applets
Small Java programs that can run in browsers.
Java applets run on clients via the Java Virtual Machine (VM), which most operating systems support.
Applets
Risks:
Applets can access system resources
Forged signatures can be used
Can be used to install viruses, Trojans and worms
Can use network resources to attack or probe other networks.
Applets
Countermeasures:
Do not use applets; turn off Java support in browsers
Educate and instruct users
Email Security
Email Security
E-mail
MIME
S/MIME
S/MIME issues
PGP
PGP issues
Risks
Protecting the e-mail system
E-Mail
How electronic mail is sent to the SMTP server
Has many security flaws
Uses SMTP (TCP 25) to send mail
Uses POP3/IMAP (TCP 110/143) to receive mail
MIME
Uses text to encode e-mail
RFC 1521 and RFC 1522
S/MIME
A new standard of MIME (Multipurpose Internet Mail Extensions)
Encrypts email and digitally signs it
Uses public-key encryption
Built into common mail clients
S/MIME issues
The sender must have the recipient's public key in order to encrypt
The recipient must have the sender's public key in order to authenticate the sender
Users spend extra time on the lookup and key-checking steps with the PKI (Public Key Infrastructure).
PGP
Pretty Good Privacy
A public-key encryption method
Can encrypt the digital signature, content and other information of an email
Each user is given one public key and one private key.
PGP tools are usually integrated into the mail client or used separately
PGP issues
Many different application versions exist, so they are sometimes incompatible.
Some mail client applications are no longer developed but still have users
Deployment requires someone responsible for key management
Risks
Spam
Uses email for advertising
Sent as mail bombs
The sender does not know the recipient
The recipient suffers the nuisance and annoyance
A poorly configured mail server abets spam.
Risks
Hoax (deception)
Form: messages warning about viruses, security issues, ...
Spreads by relying on users' fear and lack of knowledge.
Severity: fairly dangerous
Risks
Virus, worm, Trojan
Most viruses and Trojans today spread via email
Spread relies on users' lack of vigilance and knowledge.
Severity: very dangerous
Risks
Mail relay
Allows mail to be sent without any checks
Spoofing
Abused to send spam
Protecting the email system
Use S/MIME where possible
Use mail gateway scanning software
Configure the mail server properly so that it is not an open relay
Block spam on the server
Provide usage guidance to users
Be wary of unfamiliar emails with suspicious content
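The check a mail server must make to avoid being an open relay, as an added example that is not part of the original slides: a message is accepted only for local recipients, from authenticated senders, or from trusted networks. The networks, the domain and the function names are constructed placeholders, not settings from any particular mail server.

```python
import ipaddress

# Constructed sample policy; networks and domains are placeholders.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
LOCAL_DOMAINS = {"example.org"}


def relay_decision(client_ip, authenticated, rcpt_to):
    """Return (accept, reason) for one RCPT TO command."""
    addr = ipaddress.ip_address(client_ip)
    local, sep, domain = rcpt_to.strip("<>").rpartition("@")
    if not sep or not local or not domain:
        return False, "malformed recipient"
    if domain.lower().rstrip(".") in LOCAL_DOMAINS:
        return True, "local delivery"
    if authenticated:
        return True, "authenticated submission"
    if any(addr in net for net in TRUSTED_NETS):
        return True, "trusted network"
    return False, "relay denied"


def relay_attempts(entries):
    """From (client_ip, authenticated, rcpt_to) tuples, keep the refused ones."""
    return [e for e in entries if not relay_decision(*e)[0]]


# Constructed sample input, not taken from a real log.
SAMPLE = [
    ("203.0.113.9", False, "<bob@example.org>"),    # inbound mail for a local user
    ("203.0.113.9", False, "<victim@example.net>"), # stranger relaying to a third party
    ("192.0.2.10", False, "<partner@example.net>"), # internal host sending out
    ("203.0.113.9", True, "<partner@example.net>"), # roaming user who logged in
]
```

An open relay is a server where the final `relay denied` branch is never reached; running `relay_attempts(SAMPLE)` returns only the second entry.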
Security Baselines: Documentation
Document the network security configuration in detail
Review and revise it whenever the network changes
Security Baselines
List what is needed
Services
Protocols
Applications
User accounts
File access permissions
System access permissions
Security Baselines: OS Update
Check for operating system updates regularly.
Deploy WSUS (Windows Update Services)
Security Baselines: Patching
Patches exist for both the OS and software
Examples:
Windows patches against Blaster and Sasser
Oracle patch for 80 vulnerabilities (10/2005)
Patches are released quickly to fix particular vulnerabilities. They may not have been tested
Security Baselines: Service Packs
When there are too many patches, the vendor bundles them and releases a service pack (SP)
Security Baselines: Network Hardening
Apply updates and fixes
An important security step after maintaining antivirus protection
They are supplied by the vendors
Subscribe to the vendor's mailing list to receive early and complete information
Update on a regular schedule
Security Baselines: Network Hardening
Close unneeded services
Network services
Network applications
Ports
Protocols
Security Baselines: Application Hardening
Manage all running software
Make sure it is fully updated and patched

A server is only as secure as the least secure application running on it
Security Baselines: web server
Remove sample and example code
Deploy a firewall/IDS on the server
Keep logs
Use real-time alerting
Have backup, load-balancing and failure-protection systems
Security Baselines: Email
An important system that holds a great deal of company information
Install a mail scanning program
Guard against spam
Apply patches regularly
Security Baselines: FTP
An application with no security
Should be deployed over VPN or SSH
Accounts should be managed by a separate server
Scan for viruses regularly
Security Baselines: DNS
DNS on UNIX often has weaknesses
Apply patches regularly
Deploy a backup (secondary) DNS system
Security Baselines: Configuration
Should be documented
Test thoroughly before real deployment
Follow the vendor's guidance
Security Baselines: Configuration
Enable/disable services and protocols
Most network attacks rely on a weakness in some service or protocol
And on network security vulnerabilities
Close unneeded services to reduce complexity
Security Baselines: Configuration
Access Control List
Strengthens authentication
Defines the permissions of each individual
Used to record network access
