![\"B\u1ea3o](\"http:\/\/dl.dropbox.com\/u\/1552467\/pctips\/2012\/bao-mat-wi-fi-tu-nhung-buoc-co-ban\/SecureWifi.jpg\")
<\/p>\n\n\t<\/p>\n
\n\tB\u1ea3o m\u1eadt WEP (wired equivalent privacy) t\u1eeb lâu \u0111ã ch\u1ebft. Kh\u1ea3 n\u0103ng mã hóa c\u1ee7a nó có th\u1ec3 d\u1ec5 dàng và nhanh chóng b\u1ecb phá v\u1ee1 b\u1edfi h\u1ea7u h\u1ebft các hacker không chuyên. Do v\u1eady, b\u1ea1n không nên s\u1eed d\u1ee5ng WEP m\u1ed9t chút nào c\u1ea3. N\u1ebfu \u0111ang s\u1eed d\u1ee5ng, hãy nâng c\u1ea5p ngay lên WPA2 (Wi-Fi protected access) v\u1edbi ch\u1ee9ng th\u1ef1c 802.1X. N\u1ebfu m\u1edbi \u0111\u01b0\u1ee3c cho m\u1ed9t chi\u1ebfc router wifi ho\u1eb7c access point không h\u1ed7 tr\u1ee3 WPA2, hãy th\u1eed c\u1eadp nh\u1eadt firmware ho\u1eb7c \u0111\u01a1n gi\u1ea3n nh\u1ea5t là thay thi\u1ebft b\u1ecb m\u1edbi.<\/p>\n
\n\tCh\u1ebf \u0111\u1ed9 pre-shared key<\/strong> (PSK) c\u1ee7a WPA và WPA2 không \u0111\u01b0\u1ee3c b\u1ea3o m\u1eadt \u0111\u1ed1i v\u1edbi môi tr\u01b0\u1eddng doanh nghi\u1ec7p cho l\u1eafm. Khi s\u1eed d\u1ee5ng ch\u1ebf \u0111\u1ed9 này, c\u1ea7n ph\u1ea3i \u0111i\u1ec1n key PSK cho m\u1ed7i thi\u1ebft b\u1ecb phát wifi. Do \u0111ó, key này c\u1ea7n \u0111\u01b0\u1ee3c thay \u0111\u1ed5i m\u1ed7i l\u1ea7n m\u1ed9t nhân viên r\u1eddi kh\u1ecfi công ty và khi m\u1ed9t thi\u1ebft b\u1ecb phát b\u1ecb m\u1ea5t ho\u1eb7c b\u1ecb tr\u1ed9m – nh\u1eefng \u0111i\u1ec1u v\u1eabn ch\u01b0a th\u1ef1c s\u1ef1 \u0111\u01b0\u1ee3c chú tr\u1ecdng v\u1edbi h\u1ea7u h\u1ebft các môi tr\u01b0\u1eddng doanh nghi\u1ec7p.<\/p>\n \n\tCh\u1ebf \u0111\u1ed9 EAP (extensible authentication protocol) c\u1ee7a b\u1ea3o m\u1eadt WPA và WPA2 s\u1eed d\u1ee5ng ch\u1ee9ng th\u1ef1c 802.1X thay vì dùng PSKs, cung c\u1ea5p cho kh\u1ea3 n\u0103ng \u0111\u01b0a cho m\u1ed7i ng\u01b0\u1eddi dùng ho\u1eb7c thi\u1ebft b\u1ecb m\u1ed9t thông tin \u0111\u0103ng nh\u1eadp riêng: tên ng\u01b0\u1eddi dùng và m\u1eadt kh\u1ea9u ho\u1eb7c m\u1ed9t ch\u1ee9ng th\u1ef1c \u0111i\u1ec7n t\u1eed.<\/p>\n \n\tCác key mã hóa th\u1ef1c s\u1ef1 s\u1ebd th\u01b0\u1eddng xuyên \u0111\u01b0\u1ee3c thay \u0111\u1ed5i và trao \u0111\u1ed5i “âm th\u1ea7m” trong background. Do \u0111ó, n\u1ebfu mu\u1ed1n thay \u0111\u1ed5i ho\u1eb7c có thay \u0111\u1ed5i v\u1ec1 nhân s\u1ef1, t\u1ea5t c\u1ea3 nh\u1eefng gì b\u1ea1n c\u1ea7n ph\u1ea3i làm là \u0111i\u1ec1u ch\u1ec9nh thông tin \u0111\u0103ng nh\u1eadp \u1edf server t\u1eadp trung, thay vì thay \u0111\u1ed5i PSK \u1edf m\u1ed7i thi\u1ebft b\u1ecb. Key PSK c\u0169ng ng\u0103n ch\u1eb7n ng\u01b0\u1eddi dùng kh\u1ecfi vi\u1ec7c nghe tr\u1ed9m l\u01b0u l\u01b0\u1ee3ng m\u1ea1ng c\u1ee7a ng\u01b0\u1eddi khác – m\u1ed9t công vi\u1ec7c r\u1ea5t d\u1ec5 th\u1ef1c hi\u1ec7n v\u1edbi nh\u1eefng công c\u1ee5 nh\u01b0 add-on Firesheep <\/strong>c\u1ee7a Mozilla Firefox<\/a> hay \u1ee9ng d\u1ee5ng DroidSheep <\/strong>dành cho Google Android.<\/p>\n \n\t \n\tHãy nh\u1edb trong \u0111\u1ea7u r\u1eb1ng, \u0111\u1ec3 có \u0111\u01b0\u1ee3c b\u1ea3o m\u1eadt cao nh\u1ea5t có th\u1ec3, b\u1ea1n nên s\u1eed d\u1ee5ng WPA2 v\u1edbi 802.1X, hay 802.11i.<\/p>\n \n\t\u0110\u1ec3 kích ho\u1ea1t ch\u1ee9ng th\u1ef1c 802.1X, b\u1ea1n c\u1ea7n ph\u1ea3i có m\u1ed9t server RADIUS\/AAA. N\u1ebfu \u0111ang ch\u1ea1y Windows Server 2008 ho\u1eb7c cao h\u01a1n, hãy cân nh\u1eafc s\u1eed d\u1ee5ng Network Policy Server (NPS) ho\u1eb7c Internet Authenticate Service (IAS) (hay phiên b\u1ea3n server tr\u01b0\u1edbc \u0111ó). N\u1ebfu b\u1ea1n không ch\u1ea1y Windows Server, b\u1ea1n có th\u1ec3 s\u1eed d\u1ee5ng server mã ngu\u1ed3n m\u1edf FreeRADIUS.<\/p>\n \n\tB\u1ea1n có th\u1ec3 áp d\u1ee5ng cài \u0111\u1eb7t 802.1X cho các thi\u1ebft b\u1ecb qua Group Policy n\u1ebfu \u0111ang ch\u1ea1y Windows Server 2008 R2. N\u1ebfu không, hãy th\u1eed cân nh\u1eafc s\u1eed d\u1ee5ng m\u1ed9t gi\u1ea3i pháp bên th\u1ee9 3 nào \u0111ó \u0111\u1ec3 c\u1ea5u hình thi\u1ebft b\u1ecb.<\/p>\n \n\tCh\u1ebf \u0111\u1ed9 EPA c\u1ee7a WPA\/WPA2 v\u1eabn có kh\u1ea3 n\u0103ng b\u1ecb t\u1ea5n công b\u1edfi các hacker bán chuyên. Tuy nhiên, b\u1ea1n có th\u1ec3 ng\u0103n ch\u1eb7n chúng t\u1ea5n công b\u1eb1ng cách b\u1ea3o m\u1eadt cài \u0111\u1eb7t EAP cho thi\u1ebft b\u1ecb. Ví d\u1ee5, trong cài \u0111\u1eb7t EAP cho Windows, b\u1ea1n có th\u1ec3 kích ho\u1ea1t ch\u1ebf \u0111\u1ed9 xác nh\u1eadn ch\u1ee9ng th\u1ef1c server b\u1eb1ng cách ch\u1ecdn ch\u1ee9ng th\u1ef1c CA, gán \u0111\u1ecba ch\u1ec9 server và disable nó kh\u1ecfi vi\u1ec7c h\u1ecfi ng\u01b0\u1eddi dùng trust server m\u1edbi ho\u1eb7c xác th\u1ef1c CA.<\/p>\n \n\tB\u1ea1n có th\u1ec3 áp d\u1ee5ng cài \u0111\u1eb7t 802.1X cho các thi\u1ebft b\u1ecb qua Group Policy ho\u1eb7c s\u1eed d\u1ee5ng gi\u1ea3i pháp bên th\u1ee9 3, ví nh\u01b0 Quick1X c\u1ee7a Avenda.<\/p>\n \n\tB\u1ea3o m\u1eadt m\u1ea1ng không dây là \u0111i\u1ec1u nên làm thay vì t\u1eadp trung vào \u0111ánh b\u1ea1i nh\u1eefng k\u1ebb c\u1ed1 g\u1eafng chi\u1ebfm quy\u1ec1n truy c\u1eadp vào m\u1ea1ng c\u1ee7a b\u1ea1n. Ví d\u1ee5, hacker có th\u1ec3 thi\u1ebft l\u1eadp m\u1ed9t \u0111i\u1ec3m truy c\u1eadp \u1ea3o ho\u1eb7c th\u1ef1c hi\u1ec7n t\u1ea5n công DOS <\/a>– denial-of-service. \u0110\u1ec3 có \u0111\u01b0\u1ee3c kh\u1ea3 n\u0103ng dò tìm và \u0111ánh b\u1ea1i nh\u1eefng ki\u1ec3u t\u1ea5n công nh\u01b0 v\u1eady, b\u1ea1n nên tri\u1ec3n khai m\u1ed9t h\u1ec7 th\u1ed1ng ng\u0103n ch\u1eb7n xâm nh\u1eadp m\u1ea1ng không dây (WIPS). Thi\u1ebft k\u1ebf và ph\u01b0\u01a1ng pháp \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng trong WIPS khác bi\u1ec7t theo t\u1eebng nhà s\u1ea3n xu\u1ea5t nh\u01b0ng nhìn chung chúng có th\u1ec3 giám sát m\u1ea1ng, thông báo cho ng\u01b0\u1eddi dùng và có th\u1ec3 ng\u0103n ch\u1eb7n \u0111i\u1ec3m truy c\u1eadp \u1ea3o hay các ho\u1ea1t \u0111\u1ed9ng mã \u0111\u1ed9c.<\/p>\n \n\t\n\t3. Tri\u1ec3n khai 802.11i<\/h2>\n
![\"B\u1ea3o](\"http:\/\/dl.dropbox.com\/u\/1552467\/pctips\/2012\/bao-mat-wi-fi-tu-nhung-buoc-co-ban\/SecureWifi3.jpg\")
<\/p>\n\n\t4. Th\u1ef1c hi\u1ec7n cài \u0111\u1eb7t b\u1ea3o m\u1eadt 802.1X<\/h2>\n
\n\t5. Nên s\u1eed d\u1ee5ng m\u1ed9t h\u1ec7 th\u1ed1ng ng\u0103n ch\u1eb7n xâm nh\u1eadp trái phép vào m\u1ea1ng không dây<\/h2>\n
![\"B\u1ea3o](\"http:\/\/dl.dropbox.com\/u\/1552467\/pctips\/2012\/bao-mat-wi-fi-tu-nhung-buoc-co-ban\/SecureWifi4.jpg\")
<\/p>\n
![\"B\u1ea3o](\"http:\/\/dl.dropbox.com\/u\/1552467\/pctips\/2012\/bao-mat-wi-fi-tu-nhung-buoc-co-ban\/SecureWifi5.jpg\")
<\/p>\n![\"B\u1ea3o](\"http:\/\/dl.dropbox.com\/u\/1552467\/pctips\/2012\/bao-mat-wi-fi-tu-nhung-buoc-co-ban\/SecureWifi6.jpg\")
<\/p>\n