Chapter 8: Remote Access and Identity Authentication

Uploaded by nelson, posted 19-Mar-2016
DESCRIPTION

Ministry of Education ICT Talent Cultivation Pilot Program, Broadband Wired Teaching Promotion Alliance Center. Chapter 8: Remote Access and Identity Authentication. Introduction. Today's enterprise network cannot be a closed architecture; it usually has to connect the enterprise's networks spread around the world over a public network (such as the Internet). To exchange enterprise data securely, the administrator must build a virtual, enterprise-only communication channel over the public network, called a Virtual Private Network (VPN). This chapter first introduces the technology most commonly used to build a VPN today, IPSec, and then explains how to set up a Site-to-Site VPN and a Remote Access VPN on the enterprise network. - PowerPoint PPT Presentation

TRANSCRIPT

  • Introduction. An enterprise network connects its sites over a public network (the Internet) by building a Virtual Private Network (VPN). This chapter introduces the technology most commonly used to build a VPN, IPSec, and then shows how to set up a Site-to-Site VPN and a Remote Access VPN.

    Identity authentication. A plain user name and password can be captured on the network and replayed; the chapter therefore also covers one-time passwords and token cards, digital certificates, and biometrics authentication.

    Outline: 8.1 VPN (8.1.1 IPSec, 8.1.2 Site-to-Site VPN, 8.1.3 Remote Access VPN)

    8.2 Identity authentication (8.2.1 one-time passwords and token cards, 8.2.2 digital certificates, 8.2.3 biometrics authentication)

  • 8.1 VPN. A Virtual Private Network (VPN) builds a tunnel across the public network so that private traffic between enterprise sites is carried as if on a private link; the tunneled data is protected with encryption and hash functions.

    VPN tunneling protocols exist at several layers: at the data link layer, Layer 2 Tunneling Protocol (L2TP), Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP); at the network layer, IPSec; at the transport layer, SSL/TLS. This chapter uses the network-layer protocol, IPSec.

    [Figure: a tunnel across the public network forming the VPN (Virtual Private Network)]

  • 8.1.1 IPSec. IP Security (IPSec) is the IETF standard for protecting IP traffic in the TCP/IP suite; it applies to both IPv4 and IPv6 and works at the IP layer, so it protects any upper-layer protocol carried in IP. IPSec consists of two protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP), which can be used separately or together; each can run in Transport Mode or Tunnel Mode. Keys are handled by manual management or automated management, and the parameters the two ends agree on (protocol AH or ESP, algorithms, keys, mode) form a Security Association (SA).

    IPSec is defined in the following RFCs: RFC 2401 (IPSec architecture), RFC 2402 (AH), RFC 2406 (ESP), RFC 2407 (ISAKMP IPSec Domain of Interpretation, IPSec DoI), RFC 2408 (ISAKMP), RFC 2409 (IKE). RFC website: http://www.rfc-editor.org/

  • 8.1.1 IPSec (AH). The Authentication Header (AH) provides data-origin authentication and integrity; its Authentication Data field carries the message authentication value. AH fields: Next Header (8 bits) identifies the protocol following AH, e.g. 6 for TCP; Payload Length (8 bits) gives the length of the AH (in 32-bit words minus 2); Security Parameter Index (SPI, 32 bits) together with the destination IP address identifies the SA, and since an SA is unidirectional a two-way VPN needs one SA in each direction; Sequence Number (32 bits) is a monotonically increasing counter that lets the receiver detect replay; Authentication Data holds the integrity check value.

    [Figure: IP header | AH | TCP/UDP data; AH authentication covers the whole packet except the mutable IP header fields]

  • 8.1.1 IPSec (ESP). Encapsulating Security Payload (ESP) adds what AH lacks: confidentiality. ESP encrypts the payload and can also authenticate it.

    An ESP packet has an ESP header (SPI and Sequence Number), the encrypted payload, an ESP trailer (padding, pad length, next header) and optional ESP authentication data.

    Difference from AH: AH authenticates the IP header as well as the payload, whereas ESP authentication covers only the ESP header, payload and trailer, not the outer IP header.

    [Figure: IP header | ESP header | TCP/UDP data | ESP trailer | ESP authentication data; encryption covers the TCP/UDP data and the ESP trailer, authentication covers the ESP header through the ESP trailer]

  • 8.1.1 IPSec (transport mode). In Transport Mode IPSec protects the payload of the IP packet: the AH (or ESP) header is inserted between the original IP header and the TCP/UDP data, and the original IP header is kept.

    Transport mode is used end to end between two hosts A and B that both run IPSec.

    [Figure: host A to host B across the Internet; original packet: IP Header | TCP/UDP segment; after IPSec: IP Header | IPSec Header | TCP/UDP segment | IPSec Trailer]

  • 8.1.1 IPSec (tunnel mode). In Tunnel Mode the whole original IP packet is protected by AH or ESP and carried inside a new IP packet; each SA is still unidirectional. Tunnel Mode is used when at least one end of the SA is a security gateway, so the hosts behind the gateways need no IPSec themselves.

    Example: host HA sends an IP packet to host HB (source HA, destination HB). Gateway G1 applies IPSec to the whole packet and prepends a new outer IP header with source G1 and destination G2. G2 verifies (and decrypts) the IPSec packet, strips the outer header and forwards the original packet to HB. On the public network only the addresses G1 and G2 are visible; the inner HA/HB addresses are hidden inside the protected payload.

    [Figure: HA | G1 (IPSec Security Gateway) | Internet | G2 | HB; before G1: IP (HA to HB) | data; between G1 and G2: IP (G1 to G2) | IPSec | IP (HA to HB) | data; after G2: IP (HA to HB) | data]
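The AH layout and the transport/tunnel encapsulation described above, worked through in code. This is an added example, not code from the slides: it builds AH with HMAC-MD5-96 (the slides' ah-md5-hmac transform) around a constructed TCP segment from 10.0.1.3 to 10.0.2.3, once in transport mode and once in tunnel mode between gateways 172.30.2.2 and 172.30.3.2 (the peer addresses the crypto map uses later), and verifies it with the sequence-number replay window. The key, the segment bytes, the SPIs and the 20-byte IPv4 headers with a zero checksum are all constructed for the demo.

```python
"""AH (RFC 2402) in transport and tunnel mode with HMAC-MD5-96 and an
anti-replay window.  Added example, not code from the slides; the key,
addresses and TCP segment are constructed for the demo."""
import hashlib
import hmac
import struct

IPPROTO_IPIP = 4       # next header value when an inner IP packet follows AH (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_AH = 51
ICV_LEN = 12           # HMAC-MD5-96: 16-byte MAC truncated to 96 bits
AH_LEN = 12 + ICV_LEN  # fixed AH fields + ICV


def build_ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header, no options, checksum left zero (demo only)."""
    ip2b = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       ip2b(src), ip2b(dst))


def _icv(key, ip_hdr, ah_fixed, payload):
    """ICV over the whole packet with the mutable IP fields and the ICV itself zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags / fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    mac = hmac.new(key, bytes(h) + ah_fixed + bytes(ICV_LEN) + payload, hashlib.md5).digest()
    return mac[:ICV_LEN]


def ah_protect(key, ip_hdr, payload, spi, seq, gateways=None):
    """Transport mode: AH goes between the original IP header and its payload.
    Tunnel mode (gateways=(G1, G2)): the whole original packet becomes the payload
    and a new outer IP header G1 -> G2 is prepended, hiding the inner addresses."""
    if gateways:
        next_header, payload = IPPROTO_IPIP, ip_hdr + payload
        outer = build_ipv4_header(gateways[0], gateways[1], IPPROTO_AH, 0)
    else:
        next_header, outer = ip_hdr[9], ip_hdr
    hdr = bytearray(outer)
    hdr[9] = IPPROTO_AH                                    # protocol field now says "AH follows"
    struct.pack_into("!H", hdr, 2, len(hdr) + AH_LEN + len(payload))
    ah_fixed = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    return bytes(hdr) + ah_fixed + _icv(key, bytes(hdr), ah_fixed, payload) + payload


def ah_parse(packet):
    """Split an AH packet into (ip_hdr, next_header, spi, seq, icv, payload)."""
    ihl = (packet[0] & 0x0F) * 4
    next_header, plen, _, spi, seq = struct.unpack("!BBHII", packet[ihl:ihl + 12])
    ah_total = (plen + 2) * 4
    return packet[:ihl], next_header, spi, seq, packet[ihl + 12:ihl + ah_total], packet[ihl + ah_total:]


class ReplayWindow:
    """Sliding window of accepted sequence numbers (RFC 2402 section 3.4.3), 64 wide by default."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False                                   # sequence numbers start at 1
        if seq > self.top:                                 # newest packet so far: slide the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if self.top - seq >= self.size:
            return False                                   # older than the window: drop
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                                   # already seen: replay
        self.bitmap |= bit
        return True


def ah_verify(key, packet, window):
    """Return (next_header, payload) or None.  The ICV is checked before the
    window is updated so a forged packet cannot advance the window."""
    ip_hdr, next_header, spi, seq, icv, payload = ah_parse(packet)
    ah_fixed = packet[len(ip_hdr):len(ip_hdr) + 12]
    if not hmac.compare_digest(icv, _icv(key, ip_hdr, ah_fixed, payload)):
        return None
    if not window.accept(seq):
        return None
    return next_header, payload


# constructed demo input: a fake TCP segment from 10.0.1.3 to 10.0.2.3 (the
# slides' site networks); the slides' VPN peers serve as the two gateways
KEY = b"constructed-demo-key"
SEG = b"\x1f\x90\x00\x50" + b"GET / HTTP/1.0\r\n"
INNER = build_ipv4_header("10.0.1.3", "10.0.2.3", IPPROTO_TCP, 20 + len(SEG))


def demo():
    transport = ah_protect(KEY, INNER, SEG, spi=0x1000, seq=1)
    tunnel = ah_protect(KEY, INNER, SEG, spi=0x2000, seq=1, gateways=("172.30.2.2", "172.30.3.2"))
    return transport, tunnel
```

In the tunnel-mode packet the outer header carries only the gateway addresses and the inner 10.0.x.x header sits inside the authenticated payload; replaying the transport-mode packet is refused even though its ICV is still valid, which is exactly what the Sequence Number field is for.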

  • 8.1.1 IPSec (key management). Before IPSec can protect traffic, the two ends must agree on the SA and share the secret keys.

    Two approaches: Manual Management, where the administrator configures the keys and SA parameters on each end by hand, and Automated Management, which uses IKE (Internet Key Exchange). IKE combines ISAKMP, Oakley and SKEME.

  • 8.1.1 IPSec (key management: IKE). IKE (Internet Key Exchange) runs over UDP port 500 and negotiates the SAs that IPSec (AH/ESP) uses.

    IKE works in two phases. Phase 1 authenticates the two peers, using a preshared key, a digital signature or public key encryption, and establishes the IKE SA.

    Phase 2 uses the IKE SA to negotiate the IPSec SAs for AH and ESP.

    [Figure: Router A and Router B; the IKE SA is established first, then the IPSec SAs are negotiated between Router A and Router B under the protection of IKE]
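The two-phase negotiation above, reduced to code for phase 1. This is an added example, not the slides' or Cisco's code: it follows the RFC 2409 key derivation for pre-shared-key authentication (SKEYID from the PSK and nonces, HASH_I/HASH_R over the DH values, cookies, SA proposal and identities) with the group 2 prime, using the slides' pre-shared key ipsec5566 and peer 140.125.50.5; the second address 140.125.50.4, the cookie and nonce sizes and the proposal bytes are assumptions. Message framing, phase 2 and the encryption of messages 5 and 6 are omitted.

```python
"""Simplified IKE phase 1 (RFC 2409 main mode) with pre-shared-key
authentication.  Added example, not from the slides: it models the exchange
between two routers and shows why a peer with the wrong PSK fails.  Cookie and
nonce sizes and the SA proposal bytes are constructed; the prf is HMAC-MD5 to
match the slides' 'hash md5' policy."""
import hashlib
import hmac
import secrets

# 1024-bit MODP group 2 prime and generator from RFC 2409 section 6.2
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
SA_PROPOSAL = b"des-md5-pre-share-lifetime-86400"  # stands in for the SAi_b payload (slides' policy 50)


def prf(key, data):
    """RFC 2409 prf: HMAC keyed with the negotiated hash, MD5 here."""
    return hmac.new(key, data, hashlib.md5).digest()


class Peer:
    def __init__(self, psk, identity):
        self.psk, self.identity = psk, identity            # identity = ID payload (peer IP address)
        self.cookie = secrets.token_bytes(8)               # ISAKMP cookie (CKY)
        self.x = secrets.randbelow(P - 2) + 1              # private DH exponent
        self.gx = pow(G, self.x, P).to_bytes(128, "big")   # KE payload
        self.nonce = secrets.token_bytes(16)               # Ni / Nr

    def derive(self, peer_gx, ni, nr, cky_i, cky_r):
        """SKEYID and the three derived keys (RFC 2409 section 5, PSK case)."""
        gxy = pow(int.from_bytes(peer_gx, "big"), self.x, P).to_bytes(128, "big")
        skeyid = prf(self.psk, ni + nr)                    # only a holder of the PSK gets this value
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
        return skeyid, skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sa_b, id_i):
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sa_b + id_i)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sa_b, id_r):
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sa_b + id_r)


def run_phase1(init, resp, sa_b=SA_PROPOSAL):
    """Messages 1-2 carry cookies and SA, 3-4 KE and nonces, 5-6 ID and HASH
    (encrypted under SKEYID_e in real IKE).  Returns (authenticated, keys_match)."""
    args = (init.nonce, resp.nonce, init.cookie, resp.cookie)
    ki = init.derive(resp.gx, *args)
    kr = resp.derive(init.gx, *args)
    cky = (init.cookie, resp.cookie)
    # initiator sends HASH_I; the responder recomputes it with its own SKEYID
    hi_sent = hash_i(ki[0], init.gx, resp.gx, *cky, sa_b, init.identity)
    hi_check = hash_i(kr[0], init.gx, resp.gx, *cky, sa_b, init.identity)
    # responder sends HASH_R; the initiator recomputes it
    hr_sent = hash_r(kr[0], init.gx, resp.gx, *cky, sa_b, resp.identity)
    hr_check = hash_r(ki[0], init.gx, resp.gx, *cky, sa_b, resp.identity)
    authenticated = hmac.compare_digest(hi_sent, hi_check) and hmac.compare_digest(hr_sent, hr_check)
    return authenticated, ki[3] == kr[3]


def demo():
    """Two routers sharing ipsec5566 (the slides' key) succeed; an impostor that
    knows the peer's address but not the key fails.  Addresses are constructed."""
    router_a = Peer(b"ipsec5566", b"140.125.50.4")
    router_b = Peer(b"ipsec5566", b"140.125.50.5")
    impostor = Peer(b"guess", b"140.125.50.5")
    return run_phase1(router_a, router_b), run_phase1(router_a, impostor)
```

The DH exchange alone gives both sides a shared secret but proves nothing about who is on the other end; the pre-shared key enters only through SKEYID, so a peer with the wrong key produces HASH values the other side cannot reproduce, and also derives a different SKEYID_e, so nothing it sends afterwards would decrypt.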

  • 8.1.2 Configure site-to-site VPN. VPNs are classified by what the two endpoints are:

    Site-to-Site VPN (router to router VPN connection): two enterprise sites, each behind a VPN router, are joined by a VPN Tunnel between the two routers, so all traffic between the sites passes through the tunnel.

    Remote Access VPN: a remote user first connects to an ISP and then builds a VPN tunnel from the user's computer to the enterprise VPN server.

    This section configures an IPSec Site-to-site VPN on routers; the next section uses Windows to build a Remote Access VPN Tunnel. In both cases the tunnel is what lets the public network carry private traffic.

  • 8.1.2 Configure site-to-site VPN. An IPSec site-to-site VPN has these parts: (1) a transform set (AH, ESP or AH+ESP and their algorithms); (2) the SA lifetime; (3) an access control list naming the traffic to protect; (4) a crypto map that ties the IPSec SA parameters (transform set, ACL, peer IP) together and is applied to an interface.

    IKE must be configured first, here with a pre-shared key. Cisco IOS steps for the IPSec part: Step 1, transform set: crypto ipsec transform-set; Step 2, IPSec SA lifetime: crypto ipsec security-association lifetime; Step 3, access list: access-list; Step 4, crypto map: crypto map; Step 5, apply the crypto map to the interface: interface serial 0/0, then crypto map. These are the Cisco IOS IPSec commands.

  • 8.1.2 Configure site-to-site VPN (IKE preparation). Before the VPN Tunnel can be built, IKE must be enabled and its pre-shared key set on both routers. Reference: Cisco VPN, ISBN 957-493-630-9.

    On a Cisco router the IKE configuration has three steps: enable IKE, define the IKE policy, and set the pre-shared key for the peer's IP address.

    Step 1, enable IKE: crypto isakmp enable. Step 2, IKE policy: crypto isakmp policy num, then encryption {des|3des}, hash {sha|md5}, authentication {rsa-sig|rsa-encr|pre-share}, lifetime seconds. Step 3, pre-shared key: crypto isakmp key string address peer_address. These are the Cisco IOS IKE commands.

  • 8.1.2 Configure site-to-site VPN (IKE). IKE is enabled globally with Router(config)#crypto isakmp enable.

    The IKE policy defines how the IKE SA is negotiated; a router can hold several policies, and the policy number is its priority.

    Example with pre-shared key authentication and the peer's IP address:

    Router(config)#crypto isakmp enable                               (enable IKE)
    Router(config)#crypto isakmp policy 50                            (IKE policy with priority 50)
    Router(config-isakmp)#authentication pre-share                    (authenticate the peers with a pre-shared key)
    Router(config-isakmp)#encryption des                              (DES encryption)
    Router(config-isakmp)#hash md5                                    (MD5 hash)
    Router(config-isakmp)#lifetime 86400                              (IKE SA lifetime 86400 seconds)
    Router(config)#crypto isakmp key ipsec5566 address 140.125.50.5   (pre-shared key ipsec5566 for the peer with IP 140.125.50.5)

    DES and MD5 are the choices shown on the slides; both are weak by today's standards, and 3des with sha (or stronger algorithms where the IOS release offers them) should be preferred. The same key string must be configured on the peer for the address of this router.

  • 8.1.2 Configure site-to-site VPN (transform set). A transform set names the IPSec protections the VPN Tunnel will use: the protocol (AH, ESP or AH+ESP), the algorithms, and the mode (Transport mode or Tunnel mode).

    The transform set is proposed during negotiation and becomes part of the IPSec SA once both ends agree on it.

    On a Cisco router, crypto ipsec transform-set TS ah-md5-hmac esp-des esp-md5-hmac defines a transform set named TS that uses AH with HMAC-MD5 together with ESP using DES for encryption and HMAC-MD5 for authentication; mode tunnel sets the IPSec mode to tunnel.

    Router(config)#crypto ipsec transform-set TS ah-md5-hmac esp-des esp-md5-hmac
    Router(cfg-crypto-tran)#mode tunnel

    Transform types:
    AH (authentication): ah-md5-hmac, ah-sha-hmac
    ESP (encryption): esp-des, esp-3des, esp-null
    ESP (authentication): esp-md5-hmac, esp-sha-hmac
    md5 and sha are the hash algorithms, des and 3des the ciphers, and HMAC the keyed-hash construction used for authentication.

  • 8.1.2 Configure site-to-site VPN (SA lifetime). The lifetime of a Security Association is the time (or traffic volume) after which IKE renegotiates the IPSec SA with fresh keys.

    On a Cisco router crypto ipsec security-association lifetime seconds 86400 sets the SA lifetime to 86,400 seconds (one day); the SA can also be limited by traffic volume with the kilobytes form. Syntax: Router(config)#crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}. Example: Router(config)# crypto ipsec security-association lifetime seconds 86400. [Figure: Router A and Router B connected across the Internet]

  • 8.1.2 Configure site-to-site VPN (access control list). An extended access control list (ACL) selects the traffic that goes through the VPN: traffic the ACL permits is protected by IPSec, everything else leaves the interface as it is. On a Cisco router access-list 101 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255 selects TCP traffic from source addresses 10.0.1.0 to 10.0.1.255 to destination addresses 10.0.2.0 to 10.0.2.255 for the VPN. Syntax: Router(config)#access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]. Example: Router(config)# access-list 101 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255. Note that this ACL names tcp only, so UDP and ICMP between the two sites would not be protected; the keyword ip in place of tcp covers all IP traffic. [Figure: Router A with network 10.0.1.0 (host 10.0.1.3) and Router B with network 10.0.2.0 (host 10.0.2.3) across the Internet; the access control list selects the 10.0.1.x to 10.0.2.x TCP traffic]

  • 8.1.2 Configure site-to-site VPN (crypto map). A crypto map ties the VPN together: it references the IPSec SA parameters (transform set), the ACL for the traffic to protect and the peer IP address, and it is applied to the interface(s) through which the VPN traffic leaves.

    On a Cisco router crypto map MyMap 90 ipsec-isakmp creates the crypto map entry MyMap with sequence number 90 whose IPSec SAs are set up by IKE; match address 101 selects the VPN traffic with access-list 101; set peer 172.30.2.2 and set peer 172.30.3.2 name the VPN peers' IP addresses (172.30.2.2 is tried first, 172.30.3.2 is the alternative); set transform-set TS chooses the protections for the VPN traffic.

    The crypto map is then applied to the interface: on this Cisco router the VPN traffic leaves through ethernet 0/1, so interface ethernet 0/1 enters interface configuration mode and crypto map MyMap binds the map to that interface.

    RouterA(config)#crypto map MyMap 90 ipsec-isakmp
    RouterA(config-crypto-map)#match address 101
    RouterA(config-crypto-map)#set peer 172.30.2.2
    RouterA(config-crypto-map)#set peer 172.30.3.2
    RouterA(config-crypto-map)#set transform-set TS
    RouterA(config)# interface ethernet 0/1
    RouterA(config-if)#crypto map MyMap

    [Figure: Router A (host 10.0.1.3) connected through the Internet to Router B (peer 172.30.2.2, host 10.0.2.3) and Router C (peer 172.30.3.2); extended access lists use numbers 100 to 199]
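Checking what the ACL and crypto map above actually protect. This is an added example, not the slides' or Cisco's code: it re-implements extended-ACL wildcard matching and crypto-map lookup in Python for the exact access-list 101 and MyMap lines shown, and runs constructed candidate packets through them.

```python
"""Which packets does the slides' crypto map protect?  Added example, not from
the slides: a Python re-implementation of Cisco extended-ACL wildcard matching
and crypto-map lookup, run over constructed candidate packets."""
import ipaddress
from dataclasses import dataclass

PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}   # None = any IP protocol


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


@dataclass
class AclEntry:
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    @classmethod
    def parse(cls, line):
        """Parse 'access-list N permit|deny proto src src-wc dst dst-wc' (port keywords not handled)."""
        f = line.split()
        if f[0] != "access-list" or not 100 <= int(f[1]) <= 199:
            raise ValueError("crypto ACLs are extended access lists (100-199)")
        return int(f[1]), cls(f[2], f[3], f[4], f[5], f[6], f[7])

    @staticmethod
    def wildcard_match(addr, base, wildcard):
        """Cisco wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
        care = 0xFFFFFFFF ^ ip_int(wildcard)
        return (ip_int(addr) & care) == (ip_int(base) & care)

    def matches(self, proto, src, dst):
        want = PROTO_NUM[self.proto]
        return ((want is None or want == proto)
                and self.wildcard_match(src, self.src, self.src_wc)
                and self.wildcard_match(dst, self.dst, self.dst_wc))


class Acl:
    def __init__(self, lines):
        self.entries = []
        for line in lines:
            self.number, entry = AclEntry.parse(line)
            self.entries.append(entry)

    def permits(self, proto, src, dst):
        for entry in self.entries:              # first match wins, implicit deny at the end
            if entry.matches(proto, src, dst):
                return entry.action == "permit"
        return False


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    acl: Acl
    peers: list
    transform_set: str


def classify(crypto_map, proto, src, dst):
    """(peers, transform set) for traffic the map protects; None means the packet
    leaves the interface unprotected (a crypto ACL deny or no match is not a drop)."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if entry.acl.permits(proto, src, dst):
            return entry.peers, entry.transform_set
    return None


# the slides' ACL and crypto map, as configured on Router A
ACL_101 = Acl(["access-list 101 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255"])
MYMAP = [CryptoMapEntry("MyMap", 90, ACL_101, ["172.30.2.2", "172.30.3.2"], "TS")]


def demo():
    return {
        "tcp 10.0.1.3->10.0.2.3": classify(MYMAP, 6, "10.0.1.3", "10.0.2.3"),   # protected
        "udp 10.0.1.3->10.0.2.3": classify(MYMAP, 17, "10.0.1.3", "10.0.2.3"),  # ACL says tcp only: cleartext
        "tcp 10.0.2.3->10.0.1.3": classify(MYMAP, 6, "10.0.2.3", "10.0.1.3"),   # Router B needs the mirror ACL
        "tcp 10.0.1.3->10.0.3.9": classify(MYMAP, 6, "10.0.1.3", "10.0.3.9"),   # other destination: cleartext
    }
```

The point to notice: because the slides' ACL names tcp only, UDP and ICMP between the two sites cross the Internet in the clear, and the reverse direction is protected only if Router B carries the mirror-image ACL (10.0.2.0 to 10.0.1.0). Replacing tcp with ip protects all IP traffic between the two networks.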

  • 8.1.3 Remote access VPN. A Remote Access VPN lets a user outside the enterprise reach the internal network: the user first connects to an ISP, then builds a VPN tunnel across the Internet to the enterprise VPN server. This section uses Windows XP for both the VPN server and the VPN client.

    A Windows XP VPN server needs an IP address the client can reach from the Internet; Windows XP supports the tunneling protocols PPTP and L2TP/IPSec, and the example uses the built-in PPTP VPN client.

    [Figure: Remote user | Internet | VPN server; the VPN tunnel runs from the remote user across the Internet to the VPN server]

  • 8.1.3 Remote access VPN (VPN Server). On the Windows XP VPN server, open Network Connections and start the New Connection Wizard (icon).

    Choose the option to set up an advanced connection (N) and continue to the incoming-connection settings.

    Continue with the VPN settings on the next wizard page.

    Choose to allow virtual private connections (E); the other option (A) would refuse them. Then pick the account the VPN Client will use.

    The Optional settings of the VPN Client account (A) can be left as they are.

    Create the VPN client account: the VPN client's user name and password are what the remote user types to log in to the VPN Server.

    Networking software: select Internet Protocol (TCP/IP) and open its properties. The VPN Server can hand the VPN Client its TCP/IP address by DHCP or from a range of addresses you specify (this is the IP address the VPN Server assigns to the VPN Client once it is connected). Finish the wizard; the VPN server is ready.

  • 8.1.3 Remote access VPN (VPN Client). On the Windows XP client, start the New Connection Wizard to create the VPN connection.

    Choose Virtual Private Network connection (V).

    Name the VPN connection and enter the VPN server's IP address.

    Connect with the VPN client account; the client is now attached to the enterprise network through the VPN.

  • 8.2 Identity authentication. Authenticating a user by user name and password alone is weak, because the password can be guessed or captured and reused. Stronger methods: One time password, Digital Certificates, Biometrics.

  • 8.2.1 One time password and Token card. A one time password is valid for a single login, so a password captured on the network cannot be reused. One time passwords are used, for example, with web-ATM and smart card services. RFC 2289 defines a one time password system.

  • 8.2.1 One time password and Token card. A token card is an IC card or card-sized calculator with a numeric keypad (0 to 9). The server sends the user a random challenge C; the card computes a function F of the challenge and the secret seed number S stored in the card, F: (C, S) -> N, and the user returns N. The server, which also knows C and S, computes the same value and compares.

    Because the challenge C is random for every login, a captured answer N is useless afterwards, and the seed S never leaves the IC card.

    [Figure: user with an IC card connected through a switch to an IBM server; the server issues challenge C, the IC card computes the response from C and seed S]

  • 8.2.1 One time password and Token card. Instead of a token card, one time passwords can be generated in advance as a list: the user keeps the list (or an IC card holding it) and each login consumes the next entry, so a password seen once is never accepted again.

    [Figure: users Alan, Kelly and Paul each hold an IC card, connected through a switch to an IBM server; the server stores the MD5-derived one time password values for Alan, Kelly and Paul (example value 0DFE45EF32BCDF340D); Paul logs in with the next value on his list]
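The hash-chain one time password and the challenge-response token card described above, in code. This is an added example, not the slides' or the RFC's code: it implements the RFC 2289 MD5 folding step and sequence-number check, and a token card F(C, S) built from HMAC-SHA1 (an assumed construction; RFC 2289 does not define the card). The seed, pass phrase and card seed are constructed for the demo, and the RFC's six-word encoding of the 64-bit value is omitted.

```python
"""RFC 2289 one time passwords (MD5 hash chain) and a challenge-response token
card F(C, S).  Added example, not the slides' code: the seed, pass phrase, card
seed and the truncated-HMAC response function are constructed for the demo."""
import hashlib
import hmac
import secrets


def fold_md5(data):
    """RFC 2289 MD5 step: hash, then XOR the two 64-bit halves into 64 bits."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(seed, passphrase, n):
    """Password number n: fold(seed + pass phrase) followed by n more fold steps.
    Knowing password n gives password n+1 (one more hash) but not n-1."""
    h = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(n):
        h = fold_md5(h)
    return h


class OtpServer:
    """Stores only the last accepted password and its sequence number, never the pass phrase."""
    def __init__(self, seed, last_password, seq):
        self.seed, self.last, self.seq = seed, last_password, seq

    def challenge(self):
        return f"otp-md5 {self.seq - 1} {self.seed}"   # RFC 2289 challenge format

    def login(self, candidate, seq):
        if seq != self.seq - 1:
            return False                                 # must be the next lower number: no reuse, no skipping
        if not hmac.compare_digest(fold_md5(candidate), self.last):
            return False                                 # one hash of the new value must equal the stored one
        self.last, self.seq = candidate, seq
        return True


def enroll(seed, passphrase, n=99):
    """The client computes password n once at enrollment and hands it to the server."""
    return OtpServer(seed, otp(seed, passphrase, n), n)


def token_response(card_seed, challenge):
    """Token card F(C, S) -> N: assumed construction, HMAC-SHA1 of the challenge
    under the card's seed, truncated to a 6-digit number the user can type."""
    mac = hmac.new(card_seed, challenge.encode(), hashlib.sha1).digest()
    return int.from_bytes(mac[:4], "big") % 1_000_000


class TokenServer:
    """Holds the same seed S as the card and issues a fresh random challenge C per login."""
    def __init__(self, card_seed):
        self.card_seed, self.outstanding = card_seed, None

    def challenge(self):
        self.outstanding = secrets.token_hex(4)
        return self.outstanding

    def verify(self, response):
        c, self.outstanding = self.outstanding, None     # each challenge is answered exactly once
        return c is not None and response == token_response(self.card_seed, c)


def demo():
    seed, phrase = "TeSt", "This is a test."             # constructed enrollment values
    srv = enroll(seed, phrase)
    first = srv.login(otp(seed, phrase, 98), 98)        # sniffed on the wire: p98
    replay = srv.login(otp(seed, phrase, 98), 98)       # replaying p98 is refused
    forward = srv.login(otp(seed, phrase, 98), 97)      # p98 cannot be passed off as p97
    nxt = srv.login(otp(seed, phrase, 97), 97)          # legitimate next login
    card = TokenServer(b"card-seed-S")
    c = card.challenge()
    token_ok = card.verify(token_response(b"card-seed-S", c))
    token_replay = card.verify(token_response(b"card-seed-S", c))
    return first, replay, forward, nxt, token_ok, token_replay
```

The server's stored value is always one hash ahead of the password the user will present next, so a compromise of the server database yields nothing that logs in, and an eavesdropper who captures p98 can compute p99 (already spent) but not p97.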

  • 8.2.2 Digital Certificates. Digital certificates build on public key cryptography such as RSA: each user holds a public key P and a secret key S. If Ted has the pair (Pted, Sted), Paul can encrypt a message with Ted's public key Pted and only Ted, who holds Sted, can decrypt it; conversely, what Ted signs with Sted anyone can verify with Pted.

    The remaining problem is knowing that Pted really belongs to Ted. A Certificate Authority (CA) checks the identity and issues a Digital Certificate that binds the user's name to the public key, signed by the CA.

    Example of a CA in Taiwan: http://www.taica.com.tw/

  • 8.2.2 Digital Certificates. A digital signature does not encrypt the whole message: the sender hashes the message into a digest, signs the digest with the secret key, and sends the message together with the signature; the receiver recomputes the digest and checks the signature with the sender's public key.

    [Figure: George signs with his RSA secret key; the example message 12345 is hashed, the digest is signed, and the signature is verified with George's public key]

  • 8.2.2 Digital Certificates. Before Mary trusts a signature as George's she needs George's public key, and a forger could hand her a key of his own and claim it is George's. With a certificate, George presents the CA-signed certificate containing his public key; Mary verifies the certificate with the CA's public key and then uses the certified key to verify George's signature. George cannot deny a message verified this way, and nobody else can produce it.

    [Figure: Mary verifies George's RSA signature on the example message 1234 using the public key from George's Digital Certificate]
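The George/Mary exchange above worked through with a CA. This is an added example, not the slides' code: textbook RSA over a SHA-256 digest with toy 512-bit keys generated by Miller-Rabin; the key sizes, the JSON certificate layout and the message text are all constructed for the demo, and real systems use PKCS#1 padding and X.509 certificates.

```python
"""RSA digital signatures over a message digest and a CA-issued certificate
(textbook RSA, no padding, toy-sized keys).  Added example, not the slides'
code: key sizes, the JSON certificate layout and the messages are constructed."""
import hashlib
import json
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(c):
            return c


def rsa_keygen(bits=512):
    """Return (public, secret) = ((e, n), (d, n)), P and S in the slides' notation."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:             # e is prime, so gcd(e, phi) == 1 unless e divides phi
            return (e, p * q), (pow(e, -1, phi), p * q)


def digest_int(message):
    """The digest that is actually signed: SHA-256 as an integer (< n for 512-bit n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(secret_key, message):
    d, n = secret_key
    return pow(digest_int(message), d, n)


def verify(public_key, message, signature):
    e, n = public_key
    return pow(signature, e, n) == digest_int(message)


def issue_certificate(ca_secret, subject, subject_public):
    """The CA binds a name to a public key by signing the pair."""
    body = json.dumps({"subject": subject, "e": subject_public[0], "n": subject_public[1]},
                      sort_keys=True).encode()
    return {"body": body, "sig": sign(ca_secret, body)}


def verify_with_certificate(ca_public, cert, expected_subject, message, signature):
    """What Mary does: check the certificate against the CA key, check that it
    names George, then check George's signature with the certified key."""
    if not verify(ca_public, cert["body"], cert["sig"]):
        return False                                   # not issued by this CA
    info = json.loads(cert["body"])
    if info["subject"] != expected_subject:
        return False                                   # valid certificate, wrong person
    return verify((info["e"], info["n"]), message, signature)


def demo():
    ca_public, ca_secret = rsa_keygen()
    george_public, george_secret = rsa_keygen()
    cert = issue_certificate(ca_secret, "George", george_public)
    message = b"pay Mary 1234"                         # constructed message
    signature = sign(george_secret, message)
    genuine = verify_with_certificate(ca_public, cert, "George", message, signature)
    tampered = verify_with_certificate(ca_public, cert, "George", b"pay Mary 9999", signature)
    # a forger has a key pair but not the CA's secret key, so cannot mint a "George" certificate
    forger_public, forger_secret = rsa_keygen()
    fake_cert = issue_certificate(forger_secret, "George", forger_public)
    forged = verify_with_certificate(ca_public, fake_cert, "George", message, sign(forger_secret, message))
    return genuine, tampered, forged
```

Mary's trust rests on one key she must already have out of band, the CA's public key; everything else (George's key, its binding to his name) arrives with the message and is checked, which is what makes the forger's self-issued certificate fail.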

  • 8.2.3 Biometrics. Biometrics authentication identifies a user by a characteristic of the body or behaviour rather than by something the user knows (a password) or carries (a card).

    [Chart 1, source: IEK-ITIS; ten values: 33.6, 25.3, 12.9, 4.7, 5.1, 3.2, 5.4, 3, 2.9, 4; the category labels are not recoverable from the slide]

  • References: Cisco VPN (http://www.eettaiwan.com/); Microsoft TechNet (http://www.microsoft.com/taiwan/technet/default.mspx); VPN (http://www.iii.org.tw/ncl/document/VPN-1.html); RFC website (http://www.rfc-editor.org/); TWCERT (http://www.cert.org.tw/index.php)