VPN Secure

Published on 16-Jul-2015

A MORE CONVENIENT AND SECURE VPN CONNECTION

I. Introduction

As we know, VPN is currently the most cost-effective remote access solution for an enterprise network. A VPN system can be deployed to serve the following needs:
- Remote access into the internal network (VPN Client-to-Gateway)
- Connecting networks located at different geographical sites (VPN Site-to-Site)

Until now, VPN systems have supported two connection mechanisms:
- Point-to-Point Tunneling Protocol (PPTP)
- Layer Two Tunneling Protocol (L2TP)

Today, in addition to PPTP and L2TP, Windows Server 2008 and Windows Vista Service Pack 1 also support a new connection mechanism:
- Secure Socket Tunneling Protocol (SSTP)

Drawbacks of PPTP and L2TP:
- PPTP uses TCP port 1723 and encapsulates packets with Generic Routing Encapsulation (GRE). With GRE, PPTP packets can be said to have a very low level of security, and PPTP packets are only encrypted after important information has already been exchanged.
- The VPN connection mechanism with better security is L2TP, which runs on port 1701; L2TP uses IPsec Encapsulating Security Payload (ESP) on port 4500 and Internet Key Exchange (IKE) on port 500 to encrypt packets. However, if the VPN Client connects to the VPN Server with L2TP/IPsec through NAT, both the VPN Server and the VPN Client must support NAT Traversal (NAT-T).
- Because of these two characteristics, if the firewalls and NAT devices at public internet access points (conference centres, internet cafes) only allow computers to connect to the Web (HTTP and HTTPS), or if client machines access the internet through a proxy server, the VPN Client will not be able to connect to the VPN Server with PPTP or L2TP/IPsec.

Advantages of VPN-SSTP: SSTP is a VPN connection mechanism that uses HTTP over Secure Socket Layer (HTTP over SSL) on port 443. In today's networks, firewalls and proxy servers normally allow HTTP and HTTPS access. Therefore, wherever they are, client machines can connect to the VPN with SSTP, and the packets are kept confidential because SSL encryption is applied.

Some characteristics of SSTP:
- SSTP has integrated NAP support to protect network resources better by enforcing system health policies. You can read a detailed article on NAP at http://msopenlab.com/index.php?article=37
- SSTP supports IPv6: the SSTP tunnel over IPv6 is based on establishing the SSTP connection through IPv6
- Furthermore, SSTP establishes a separate HTTP session over the SSL session from the SSTP client to the SSTP server. Using HTTP over the SSL session reduces overhead and gives better load balancing
- SSTP does not support VPN Site-to-Site

Comparison table:

Attribute                                          | PPTP                                                | L2TP/IPsec                                                                                 | SSTP
Encapsulation                                      | GRE                                                 | L2TP over UDP                                                                              | SSTP over TCP
Encryption                                         | Microsoft Point-to-Point Encryption (MPPE) with RC4 | IPsec ESP with Triple Data Encryption Standard (3DES) or Advanced Encryption Standard (AES) | SSL with RC4 or AES
Tunnel maintenance protocol                        | PPTP                                                | L2TP                                                                                       | SSTP
When user authentication occurs                    | Before encryption begins                            | After the IPsec session is established                                                     | After the SSL session is established
Certificates required to establish the VPN tunnel  | None                                                | Computer certificates on both the VPN client and VPN server                                | Computer certificate on the VPN server and root CA certificate on the VPN client

SSTP connection mechanism:
1. The VPN Client connects to the VPN Server on port 443
2. The VPN Client sends an SSL Client-Hello packet to the VPN Server, requesting an SSL connection with the VPN Server
3. The VPN Server sends its Computer Certificate (containing the VPN Server's Public Key) to the VPN Client
4. The VPN Client checks the validity of the Certificate; if the Certificate is valid, the VPN Client generates a random SSL session key and encrypts this SSL session key with the VPN Server's Public Key
5. The VPN Client sends the encrypted SSL session key to the VPN Server
6. The VPN Server decrypts the encrypted SSL session key with its Private Key
7. The VPN Client sends a connection request to the VPN Server using HTTP over SSL (HTTPS)
8. The VPN Client negotiates a PPP (Point-to-Point Protocol) connection with the VPN Server. The negotiation includes user authentication and the authentication method (MS-CHAPv2, EAP, ...)
9. The VPN Client starts sending packets through the PPP connection

The lab consists of the following steps:
1. Install an Enterprise CA
2. Request a Computer Certificate for the VPN Server
3. Install Routing and Remote Access
4. Configure VPN Client-to-Gateway
5. Configure NAT Inbound
6. Download the CA Certificate
7. Configure the Trusted Root CA on the VPN Client
8. Create the VPN Connection
9. Test the VPN-SSTP connection

II. Preparation

The lab model consists of 3 machines:
- DC: Windows Server 2008, promoted to Domain Controller
- VPN Server: Windows Server 2008, joined to the domain
- VPN Client: Windows Server 2008 or Windows Vista Service Pack 1 (not joined to the domain)

- Configure TCP/IP on the 3 machines as in the following table:

Machine      | Card Internal                                      | Card External
DC           | IP: 172.16.1.2/24, GW: 172.16.1.1, DNS: 172.16.1.2 | (none)
VPN Server   | IP: 172.16.1.1/24, GW: (none), DNS: 172.16.1.2     | IP: 192.168.23.11/24, GW: 192.168.23.200, DNS: (none)
VPN Client   | (none)                                             | IP: 192.168.23.100/24

- Create the users and group as shown in the figure, and make the users Hieu and Trong members of the group VPNUsers

- Grant Remote Access permission to the users Hieu and Trong

- On the DC, create the shared folder C:\DATA containing data as shown in the figure

III. Implementation

1. Install an Enterprise CA
- On the DC, log on as MSOpenLab\Administrator
- Open Server Manager from Administrative Tools; in the Server Manager window, right-click Roles and choose Add Roles
- In the Before You Begin dialog, choose Next
- In the Select Server Roles dialog, check Active Directory Certificate Services, choose Next
- In the Introduction to Active Directory Certificate Services dialog, choose Next
- In the Select Role Services dialog, check Certification Authority Web Enrollment
- In the Add role services and features required for Certification Authority Web Enrollment dialog, choose Add Required Role Services, choose Next
- In the Specify Setup Type dialog, choose Enterprise, choose Next
- In the Specify CA Type dialog, choose Root CA, choose Next
- In the Set Up Private Key dialog, choose Create a new private key, choose Next
- In the Configure Cryptography for CA dialog, choose Next
- In the Configure CA Name dialog, name the CA MSOpenlab-CA, choose Next
- In the Set Validity Period dialog, choose Next
- In the Configure Certificate Database dialog, choose Next
- In the Web Server (IIS) dialog, choose Next; in the Select Role Services dialog, keep the default configuration, choose Next
- In the Confirm Installation Selections dialog, choose Install
- In the Installation Results dialog, check that the installation succeeded, choose Close

2. Request a Computer Certificate for the VPN Server
On the VPN Server, restart the machine so that it receives the Trusted Root CA. Log on as MSOpenLab\Administrator. Go to Start\Run, type mmc. In the Console1 window, open File, choose Add/Remove Snap-in, choose Certificates, choose Add
- In the Certificates snap-in dialog, choose Computer account, choose Next
- In the Select Computer dialog, choose Local Computer, choose Finish, OK
- In the Console1 window, expand Certificates\Trusted Root Certification Authorities\Certificates and check that the MSOpenLab-CA certificate is present
- In the Console1 window, right-click Personal, choose All Tasks, choose Request New Certificate
- In the Before You Begin dialog, choose Next
- In the Request Certificates dialog, check the Computer certificate, choose Enroll, Finish
- In the Console1 window, go to Personal\Certificates and double-click VPNServer.MSOpenLab.com
- Check the certificate just requested for the VPN Server

3. Install Routing and Remote Access
On the VPN Server, open Server Manager from Administrative Tools. In the Server Manager window, right-click Roles, choose Add Roles. In the Before You Begin dialog, choose Next
- In the Select Server Roles dialog, check Network Policy and Access Services, choose Next
- In the Network Policy and Access Services dialog, choose Next. In the Select Role Services dialog, check Routing and Remote Access Services, choose Next
- In the Confirm Installation Selections dialog, choose Install
- In the Installation Results dialog, choose Close

4. Configure VPN Client-to-Gateway

On the VPN Server, open Routing and Remote Access from Administrative Tools, right-click VPNSERVER, choose Configure and Enable Routing and Remote Access
- In the Welcome to the Routing and Remote Access Server Setup Wizard dialog, choose Next
- In the Configuration dialog, choose Virtual private network (VPN) access and NAT, choose Next
- In the VPN Connection dialog, choose the External card, choose Next
- In the IP Address Assignment dialog, choose From a specified range of addresses, choose Next
- In the Address Range Assignment dialog, choose New
- In the New IPv4 Address Range dialog, enter the IP range as in the figure below, choose OK
- In the Address Range Assignment dialog, choose Next. In the Managing Multiple Remote Access Servers dialog, keep the default configuration, choose Next
- In the Completing the Routing and Remote Access Server Setup Wizard dialog, choose Finish, OK

5. Configure NAT Inbound
When the VPN Client connects to the VPN with SSTP, it must check the validity of the certificate by contacting the CA server's Certificate Revocation List (CRL). Therefore we must configure NAT Inbound so that machines on the outside can reach the CA Server.
On the VPN Server, open Routing and Remote Access from Administrative Tools, expand VPNSERVER\IPv4\NAT, right-click the External interface and choose Properties
- In the External Properties dialog, on the Services and Ports tab, check Web Server (HTTP)
- In the Edit Service dialog, enter the address 172.16.1.2 (the DC's address) in IP address, choose OK twice. Restart the Routing and Remote Access service
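As an added check that is not part of the original lab, the PowerShell function below reproduces steps 1 to 6 of the SSTP connection mechanism from section I on the VPN Client: it opens TCP 443 to the VPN Server, completes the SSL handshake with revocation checking enabled (so a CRL that cannot be reached through the NAT Inbound mapping makes the handshake fail), and prints the server certificate together with its CRL Distribution Point. It assumes PowerShell 2.0 or later on the client, the VPN Server external address 192.168.23.11 and the certificate name VPNServer.MSOpenLab.com used in this lab.

```powershell
# Added example (not from the lab): client-side check of the SSL part of an SSTP connection.
function Test-SstpServerCertificate {
    param(
        [string]$ServerAddress = '192.168.23.11',            # assumed: VPN Server external address
        [string]$TargetHost    = 'VPNServer.MSOpenLab.com'   # must match the server certificate subject
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ServerAddress, 443)                 # step 1: TCP 443 to the VPN Server
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            # steps 2-6: Client-Hello, server certificate, chain validation against the
            # client's Trusted Root store (step 7 of the lab) and CRL check (step 5 of the lab)
            $ssl.AuthenticateAsClient($TargetHost,
                (New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection),
                [System.Security.Authentication.SslProtocols]::Default,
                $true)                                       # $true = check certificate revocation
        } catch [System.Security.Authentication.AuthenticationException] {
            Write-Warning "SSL handshake rejected: $($_.Exception.Message)"
            Write-Warning 'Check that MSOpenLab-CA is in Trusted Root CAs on this client and that the CRL URL is reachable.'
            return $false
        }
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host "Subject  : $($cert.Subject)"
        Write-Host "Issuer   : $($cert.Issuer)"
        Write-Host "Valid to : $($cert.NotAfter)"
        Write-Host "Cipher   : $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit over $($ssl.SslProtocol)"
        # OID 2.5.29.31 = CRL Distribution Points; this is the URL the client fetches through NAT Inbound
        $crl = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if ($crl) { Write-Host "CRL DP   :`n$($crl.Format($true))" }
        return $true
    } finally {
        $client.Close()
    }
}

Test-SstpServerCertificate
```

Run it on the VPN Client after step 7; a result of $true means the client would accept the server certificate exactly as the SSTP client does in step 4 of the connection mechanism.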

6. Download the CA Certificate

On the DC, open Internet Explorer and browse to http://172.16.1.2/certsrv as Administrator. Note: add the address http://172.16.1.2 to Trusted Sites
- In the Welcome window, choose Download a CA certificate, certificate chain, or CRL
- In the Download a CA certificate, Certificate Chain, or CRL window, choose Download CA certificate
- In the File Download - Security dialog, choose Save
- Save the file certnew.cer to drive C:\

You can also use the VPN Client to download the CA Certificate directly from the CA Server at the address http://192.168.23.11/certsrv

7. Configure the Trusted Root CA on the VPN Client
On the VPN Client, copy the file certnew.cer from the DC to drive C:\. Note: in this lab a USB drive is used for the copy

- Go to Start\Run, type mmc; in the Console1 window, open File, choose Add/Remove Snap-in. In the Add or Remove Sn