
Graduation thesis

Studying the theory and building a Firewall on Linux

ACKNOWLEDGEMENTS

To complete this thesis, I would like to express my deep gratitude to the teachers of Hanoi University of Technology in general, and of the Faculty of Information Technology and the high-quality engineer training programme in Vietnam (P.F.I.E.V) in particular, who have devotedly taught me and passed on valuable knowledge during the past five years of study. I sincerely thank my supervisor, MSc, senior lecturer Do Van Uy of the Software Engineering Department, Faculty of Information Technology, Hanoi University of Technology, who enthusiastically guided and advised me and provided me with much knowledge and valuable material throughout the work on this thesis. Only with his help was I able to complete it. I sincerely thank the staff and my colleagues at the system software and security solutions department of Misoft, the Ministry of Defence software development and technology support company, who provided the facilities and working equipment and shared their valuable experience with me during my graduation internship and thesis work there. Finally, I thank my family and friends, who have always stood by me and given me great encouragement while I carried out this thesis.

Ngo Van Chan, HTTT&TT KSCLC K45


TABLE OF CONTENTS

- ACKNOWLEDGEMENTS (p. 1)
- Chapter 1: OVERVIEW OF NETWORK SAFETY AND SECURITY (p. 7)
  - I. The current situation (p. 8)
  - II. Network models (p. 9)
  - III. The targets that need protecting (p. 17)
  - IV. Network attacks and protection strategies (p. 18)
- Chapter 2: INTERNET FIREWALL (p. 29)
  - I. Concept (p. 30)
  - II. Basic functions of a Firewall (p. 32)
  - III. Firewall architectures (p. 38)
  - IV. Firewall maintenance (p. 44)
- Chapter 3: THE LINUX OPERATING SYSTEM (p. 46)
  - I. Overview of the Linux operating system (p. 47)
  - II. Networking in Linux (p. 51)
  - III. IPTables (p. 54)
- Chapter 4: BUILDING THE BKWALL SYSTEM (p. 60)
  - I. Overview of the BKWall system (p. 61)
  - II. Model and functional specification of the BKWall system (p. 63)
  - III. Analysis and design of the BKWall system (p. 65)
  - IV. Integration, installation, testing and evaluation of the BKWall system (p. 80)

LIST OF FIGURES

- Figure 1-1: OSI and TCP/IP architectures (p. 10)
- Figure 1-2: The path of data through the elements of a network (p. 10)
- Figure 1-3: Structure of an IP packet (IP datagram) (p. 12)
- Figure 1-5: Format of a UDP datagram (p. 15)
- Figure 1-6: DoS and DDoS attacks (p. 21)
- Figure 1-7: DRDoS attack (p. 21)
- Figure 1-8: Model of a mail application on the Internet (p. 22)
- Figure 1-9: Internet connection from a LAN (p. 22)
- Figure 1-10: TCP connection establishment between client and server (p. 23)
- Figure 1-11: SYN flood attack (1) (p. 24)
- Figure 1-12: SYN flood attack (2) (p. 25)
- Figure 1-13: ICMP packet flood attack (p. 25)
- Figure 1-14: Defence in depth (p. 26)
- Figure 2-1: Position of the Firewall in the network (p. 30)
- Figure 2-2: Screening router using a packet filter (p. 32)
- Figure 2-3: Proxy server (p. 35)
- Figure 2-4: Network address translation (p. 37)
- Figure 2-5: Dual-homed host architecture (p. 41)
- Figure 2-6: Screened host architecture (p. 42)
- Figure 2-7: Screened subnet architecture (p. 42)
- Figure 3-1: Functional model of the shell (p. 49)
- Figure 3-2: Interfaces, drivers and devices (p. 51)
- Figure 3-3: Netfilter hook diagram (p. 53)
- Figure 3-4: Packet processing in the Linux kernel (p. 57)
- Figure 4-1: Overall model of the BKWall system (p. 64)
- Figure 4-2: Functional specification of the BKWall system (p. 64)
- Figure 4-3: BKWall deployment model (p. 65)
- Figure 4-4: Functional decomposition diagram (p. 65)
- Figure 4-5: Context-level data flow diagram (p. 66)
- Figure 4-6: Control function diagram (p. 66)
- Figure 4-7: Configuration management function diagram (p. 67)
- Figure 4-8: Packet-filter rule management function diagram (p. 67)
- Figure 4-9: Web proxy rule management function diagram (p. 67)
- Figure 4-10: Activity monitoring function diagram (p. 68)
- Figure 4-11: Block diagram of the main program module (p. 69)
- Figure 4-12: Block diagram of the request forwarding module (p. 75)
- Figure 4-13: Block diagram of the configuration management module (p. 76)
- Figure 4-14: Block diagram of the rule management module (p. 77)
- Figure 4-15: BKWall deployment model in the network (p. 82)
- Figure 4-16: Home page (p. 85)
- Figure 4-17: Packet filtering configuration (p. 85)
- Figure 4-18: Services: remote access, password change (p. 86)
- Figure 4-19: Web proxy configuration page (p. 86)
- Figure 4-20: System status information page (p. 87)

TABLE OF ABBREVIATIONS

- ARP (Address Resolution Protocol): protocol for mapping an IP address to a physical address
- BKWall (Bach Khoa Firewall System)
- CGI (Common Gateway Interface): common gateway interface
- DDoS (Distributed Denial of Service): distributed denial-of-service attack
- DMA (Direct Memory Access): direct memory access
- DMZ (DeMilitarized Zone): demilitarised zone
- DNS (Domain Name Service): domain name service
- DoS (Denial of Service): denial-of-service attack
- DRDoS (Distributed Reflection Denial of Service): distributed, reflected DoS
- FDDI (Fiber Distributed Data Interface)
- FIB (Forwarding Information Table): routing forwarding information table
- FTP (File Transfer Protocol): file transfer protocol
- HTTP (Hyper Text Transfer Protocol): hypertext transfer protocol
- ICMP (Internet Control Message Protocol): Internet control message protocol
- IGMP (Internet Group Management Protocol): Internet protocol by which hosts join and leave multicast groups
- IP (Internet Protocol): Internet protocol
- IPS (Intrusion Prevention System): intrusion prevention system
- ISP (Internet Services Provider): Internet service provider
- ISDN (Integrated Services Digital Network): integrated services digital network
- LAN (Local Area Network): local area network
- MAC (Media Access Control): device address
- MTU (Maximum Transmission Unit): maximum transmission unit
- NIC (Network Interface Card): network interface card
- PSTN (Public Switched Telephone Network): public switched telephone network
- RARP (Reverse Address Resolution Protocol): protocol for mapping a physical address to an IP address
- RIP (Routing Information Protocol): a routing protocol
- SSL (Secure Socket Layer): secure socket layer
- SSH (Secure Shell): remote access service
- SMTP (Simple Mail Transfer Protocol): simple mail transfer protocol
- TCP (Transmission Control Protocol): transmission control protocol
- TELNET: remote login service
- UDP (User Datagram Protocol): unreliable transport protocol
- URI (Uniform Resource Identifier): resource identifier
- URL (Uniform Resource Locator): uniform resource locator

PREFACE

In recent years the organisation and exploitation of the Internet has developed greatly. The Internet lets computers exchange information quickly and conveniently, and anyone can easily use its services and utilities to exchange information, consult the vast digital libraries of human knowledge, and so on. Today the benefits of the Internet are obvious and undeniable. Unfortunately they come with information-security risks that are now a leading obstacle to the Internet's growth. Guaranteeing safety and security is not only a need of service providers but a legitimate need of every user. Sensitive defence and commercial information is priceless and must not fall into the hands of competitors.

Around the world there has been much research into security and the protection of information on networks, and its results have become commercial products such as Vista Firewall, ZoneAlarm Firewall, VPN-1/Firewall-1, SmoothWall and Astaro. Each has its own strengths and weaknesses and has developed in its own direction. These products are built on different operating systems, mainly Microsoft Windows and the open-source Linux operating system. Linux is a free UNIX-family operating system for personal computers that is now in wide use. It has achieved considerable success, continues to grow, is highly regarded, and attracts much interest from computer scientists.

In Vietnam, although the Internet has only become widespread in the last few years, network security problems are no exception. Although there have not yet been large economic losses, many security risks lie hidden. Attacks on service providers' systems and deletion of data are increasing. Vietnam currently has no commercial Firewall product made by Vietnamese developers, in particular none built on the open-source Linux operating system. Therefore, anyone who wants to exploit and use the Internet must put safety and security first. There are many different measures for protecting a system against attacks from outside. One of the most widely applied is the use of a firewall. Experience shows that this is a simple measure whose results are nevertheless very encouraging. On that basis, I chose the topic: Studying the theory and building a Firewall on Linux.

The objectives of the topic are:
1. A general study of network safety and security, network attack techniques, and protection strategies.
2. A study of the theory of Firewalls.
3. Building a Firewall on the Linux operating system.

The thesis is organised in four chapters as follows:

Chapter 1: Overview of network safety and security. Presents the general concepts of network safety and security and the urgency of the topic; the network models and the protocols used for communication on networks; the forms of attack and some attack techniques in common use today, from which protection strategies against these threats are derived.

Chapter 2: Internet Firewall. Presents the general concept of a Firewall, its basic functions, and the models or architectures for deploying a Firewall in a system.

Chapter 3: The Linux operating system. Gives an overview of the Linux operating system and network configuration in the Linux environment. We are particularly interested in a utility package integrated into almost all Linux distributions, IPtables, which performs packet filtering at the kernel level of the system; from it a few simple Firewall models based on IPtables are derived.

Chapter 4: Building the BKWall system (Bach Khoa Firewall System). The BKWall system is built on the open-source product SmoothWall.

In addition, the thesis has an appendix presenting the table of abbreviations used in the text and the list of references.


Chapter 1: OVERVIEW OF NETWORK SAFETY AND SECURITY

- The current situation
- Network models
- The targets that need protecting
- Network attacks and protection strategies


In this chapter we present the general concepts of network safety and security and the current situation; the network models and the protocols used for communication on networks; and the forms of attack and some attack techniques in common use today, from which we derive strategies for protecting a system against these threats.

I. The current situation


The Internet, the global network that connects computers and provides services such as the WWW, e-mail and information search, is the foundation of the electronic services that are growing faster every day. The Internet has become an indispensable part of daily life, and with it come the dangers that the Internet brings. According to statistics from CERT/CC (Computer Emergency Response Team / Coordination Center), the number of attacks and probes keeps rising:

| Attack type        | 1999 | 2000 | 2001  | 2002    | 2003      |
|--------------------|------|------|-------|---------|-----------|
| Root compromise    | 113  | 157  | 101   | 125     | 137       |
| User compromise    | 21   | 115  | 127   | 111     | 587       |
| Denial of service  | 34   | 36   | 760   | 36      | 25        |
| Malicious code     | 0    | 0    | 4,764 | 265     | 191,306   |
| Website defacement | 0    | 0    | 236   | 46      | 90        |
| Resource abuse     | 12   | 24   | 7     | 39      | 26        |
| Other attacks      | 52   | 9    | 108   | 1,268   | 535,304   |
| Probing            | 222  | 71   | 452   | 488,000 | 706,441   |
| Total              | 454  | 412  | 6,555 | 489,890 | 1,433,916 |

Attackers are becoming ever more sophisticated in their activities. Information about security holes and attack methods is published openly on the network. Leaving aside the non-professional attackers and the highly skilled ones, anyone with a little knowledge of programming and networking can become a hacker once they have this information. For this reason the number of network attacks keeps growing and many new attack methods appear that cannot be controlled. According to an Ernst & Young survey, four out of five large organisations (more than 2,500 employees) deploy their core, business-critical applications on a local area network (LAN). When these LANs are connected to the Internet, all of that essential information is exposed to intrusion, theft, sabotage or disruption of traffic. Most of these organisations do apply security measures, but not thoroughly, and they leave many holes an attacker can exploit.

In recent years computer network security has become hotter than ever, with a series of attacks and of security holes being discovered or exploited. According to Arthur Wong, chief executive of SecurityFocus, more than 30 new security holes are discovered every week on average. A SecurityFocus survey of its 10,000 customers running intrusion-detection software found that each customer suffered an average of 129 probes and intrusions. Web server software such as Microsoft's IIS is the most common target of attacks. In this situation, protecting the information of a computer or a computer system against attack from outside when it connects to the Internet is an extremely urgent problem. To meet this need, various software products with different features, collectively called Firewalls, have appeared around the world. Using a Firewall to protect an internal network and prevent attacks from outside is an effective solution that guarantees:

- safety for the operation of the whole network system
- high security in many respects
- a high degree of control
- flexibility and ease of use
- transparency to users
- an open architecture

Know the enemy and know yourself, and you will win every battle. To protect a system against hacker attacks we must know the targets that need protecting and the various attack techniques, and then devise a sound strategy for protecting the network.

II. Network models


2.1 The OSI and TCP/IP models

Network architecture is described by two models, OSI and TCP/IP, as in the figure below. (Legend of Figure 1-1: FTP, File Transfer Protocol; SMTP, Simple Mail Transfer Protocol; DNS, Domain Name Service; SNMP, Simple Network Management Protocol; ICMP, Internet Control Message Protocol; ARP, Address Resolution Protocol; FDDI, Fiber Distributed Data Interface; RIP, Routing Information Protocol.) TCP/IP is really a family of protocols that work together to provide the means of internetwork communication. Data is transmitted across the network according to the following diagram:


Figure 1-1: OSI and TCP/IP architectures

Figure 1-2: The path of data through the elements of a network

2.2 The layers of the TCP/IP model



From the introduction to the OSI and TCP/IP models above, the correspondence between their layers can be given as follows:

2.2.1 Network Access Layer

The network access layer comprises the protocols that provide access to a network connection. At this layer the system interfaces with many different kinds of network, supplying the drivers that interact with hardware devices such as Token Ring, Ethernet, FDDI and so on.

2.2.2 Internet Layer

The Internet layer provides packet routing. It therefore contains the procedures needed between hosts and gateways to move packets between different networks. A gateway connects two networks, and the network connection it uses is based on IP (Internet Protocol) and ICMP (Internet Control Message Protocol).

2.2.3 Transport Layer

The transport layer delivers data between two different processes on host computers. A protocol at this layer provides a logical connection between higher-level entities; its services may include error control and flow control. This layer contains the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).

2.2.4 Application Layer

This layer contains the protocols that serve resource sharing and remote access. It consists of the high-level protocols used to provide interfaces to users or applications. Important ones are the File Transfer Protocol (FTP) for file transfer, the HyperText Transfer Protocol (HTTP) for the World Wide Web, and the Simple Network Management Protocol (SNMP) for network management. There are also the Domain Naming Service (DNS), Simple Mail Transport Protocol (SMTP), Post Office Protocol (POP), Internet Mail Access Protocol (IMAP) and Internet Control Message Protocol (ICMP).

2.3 Protocols and services in a TCP/IP network


2.3.1 Network Layer Protocols

a. Internet Protocol (IP)

The main purpose of IP is to connect subnetworks into an internetwork for the transmission of data. Its role is similar to that of the network layer in the OSI model. IP is a connectionless protocol, meaning that no connection has to be set up before data is transmitted. The data unit used by IP is called an IP datagram; its format consists of a header and a data part.

Figure 1-3: Structure of an IP packet (IP datagram)

To identify hosts on the network, the protocol uses 32-bit IP addresses, split into four fields of one byte each and usually written as decimal numbers. IP addresses are divided into five classes, denoted A, B, C, D and E. An example of an IP address is 192.168.1.1. Every IP address has two parts: the network address (network id) and the host address (host id). A subnet mask is used to separate the network id from the host id, so a complete IP address is usually written as 192.168.1.1/24.

b. Address Resolution Protocol (ARP)

An IP address and the hardware or physical address (48 bits long) are independent of each other. ARP converts an IP address into a physical address when needed. The mapping from IP address to physical address can be done in two ways, statically or dynamically; ARP and RARP use dynamic mapping, exchanging ARP request and ARP reply packets.

c. Reverse Address Resolution Protocol (RARP)

Similar to ARP, except that it maps in the reverse direction, from a physical (MAC) address to an IP address. A simple diagram of the protocol's operation is as follows:

d. IP version 6 or IP next generation (IPv6 or IPng)

IPv6 is basically still like IPv4. Some of the differences between them are:
- An IP address is 128 bits long, compared with 32 bits in IPv4; an example IPv6 address is flea:1075:fffb:110e:0000:0000:7c2d:a65f
- IPv6 can automatically configure local addresses and local router addresses, which solves configuration and set-up problems
- IPv6 has a simpler header with some parts removed. This makes routing more efficient, and a new kind of header can easily be added.
- Support for authentication and data confidentiality is part of the IPv6 architecture.

e. Internet Control Message Protocol (ICMP)

Because IP is an unreliable protocol, ICMP is needed. It carries control messages (reports on error conditions in the network, and so on) between the gateways or hosts of an internetwork. An error condition may be that a datagram cannot reach its destination, or that a router does not have enough buffer space to store and forward a datagram. An ICMP message is created and handed to IP, which encapsulates it with an IP header and sends it to the destination host or router.

2.3.2 Transport Layer Protocols

There are two protocols at the transport layer: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Both sit between the application layer and the network layer, and both are responsible for process-to-process communication at the transport layer.

a. Transmission Control Protocol (TCP)

TCP is a connection-oriented protocol, meaning that a logical connection must be established before data can be transmitted. The data unit used by TCP is called a segment; its format is described below:

Figure 1-4: Format of a TCP segment

The parameters in this format have the following meanings:

- Source port (16 bits): port number of the source host
- Destination port (16 bits): port number of the destination host
- Sequence Number (32 bits): sequence number of the first byte of the segment, unless the SYN bit is set; if SYN is set it is the initial sequence number (ISN)
- Acknowledgment Number (32 bits): sequence number of the next segment the source is waiting to receive; it also serves as a positive acknowledgement
- Data offset (4 bits): number of 32-bit words in the TCP header; it indicates where the data area begins
- Reserved (6 bits): reserved for future use
- Code bits, or control bits (6 bits), from left to right:
  - URG: the urgent pointer field is valid
  - ACK: the acknowledgement field (ACK number) is valid
  - PSH: the PUSH function
  - RST: reset the connection
  - SYN: synchronise sequence numbers
  - FIN: no more data from the source
- Window (16 bits): credit allocation for flow control (the window mechanism). This is the number of data bytes, starting from the byte indicated in the ACK number field, that the source is ready to receive
- Checksum (16 bits): error-detection code (by the CRC method)
- Urgent Pointer (16 bits): points to the sequence number of the byte following the urgent data, so that the receiver knows the length of the urgent data; only valid when the URG bit is set
- Options (variable length): TCP options
- Padding (variable length): padding added to the header to guarantee its size
- TCP data: the data part of the TCP segment

b. User Datagram Protocol (UDP)

UDP is a connectionless protocol and is not reliable like TCP; it is used instead of TCP in some applications. Unlike TCP it has no connection establishment or release. It provides no acknowledgement mechanism and does not reorder data units as they arrive, so data may be lost or duplicated without any error report to the sender. UDP provides a mechanism for assigning and managing port numbers that uniquely identify the applications running on a network host. Because it does less, UDP tends to run faster than TCP, and it is usually used for applications that do not require high reliability. The format of a UDP datagram is as follows:
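As an added example (not part of the thesis), the following Python builds a TCP segment from the fields listed above, computes its 16-bit checksum as the Internet one's-complement sum over a pseudo-header plus the segment (RFC 793), and decodes the segment back, rejecting a data offset that points outside the segment. The addresses, ports and sequence numbers are constructed sample values.

```python
"""Build, checksum and decode a TCP segment using the header fields listed above.
Added example; addresses, ports and sequence numbers are constructed sample values."""
import socket
import struct

# Control bits in header order, left to right (URG is the high bit of the 6-bit field).
TCP_FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")
HEADER_FMT = "!HHIIHHHH"  # ports, seq, ack, offset/flags, window, checksum, urgent pointer


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP covers a pseudo-header (addresses, zero, protocol 6, TCP length) plus the segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    return internet_checksum(pseudo + segment)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                  payload=b"", urgent=0):
    """Pack a 20-byte header (data offset 5, no options) with a valid checksum."""
    flag_bits = 0
    for i, name in enumerate(TCP_FLAGS):
        if name in flags:
            flag_bits |= 1 << (5 - i)
    offset_flags = (5 << 12) | flag_bits          # 4-bit offset, 6 reserved, 6 flags
    header = struct.pack(HEADER_FMT, sport, dport, seq, ack, offset_flags, window, 0, urgent)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]
    return header + payload


def parse_segment(src_ip, dst_ip, segment):
    """Decode every field from the list above and verify the checksum."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    (sport, dport, seq, ack, offset_flags,
     window, csum, urgent) = struct.unpack(HEADER_FMT, segment[:20])
    data_offset = offset_flags >> 12
    header_len = data_offset * 4
    # A filter must reject offsets that point outside the segment before trusting the data.
    if data_offset < 5 or header_len > len(segment):
        raise ValueError("invalid data offset %d" % data_offset)
    flag_bits = offset_flags & 0x3F
    flags = [name for i, name in enumerate(TCP_FLAGS) if flag_bits & (1 << (5 - i))]
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "flags": flags, "window": window,
        "checksum": csum,
        # Summing the segment with its checksum field included yields 0 when it is intact.
        "checksum_ok": tcp_checksum(src_ip, dst_ip, segment) == 0,
        "urgent_pointer": urgent,
        "options": segment[20:header_len], "data": segment[header_len:],
    }


# Constructed sample: a SYN from 192.168.1.1:40000 (the page's example address) to 10.0.0.1:80.
SRC_IP = socket.inet_aton("192.168.1.1")
DST_IP = socket.inet_aton("10.0.0.1")
SYN_SEGMENT = build_segment(SRC_IP, DST_IP, 40000, 80, seq=1000, ack=0,
                            flags=("SYN",), window=65535)


def corrupt(segment: bytes, index: int) -> bytes:
    """Flip one bit of the segment to show the checksum check failing."""
    return segment[:index] + bytes([segment[index] ^ 0x01]) + segment[index + 1:]


if __name__ == "__main__":
    print(parse_segment(SRC_IP, DST_IP, SYN_SEGMENT))
```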


Figure 1-5: Format of a UDP datagram

c. Routing Protocols

As we know, the Internet consists of networks connected by routers. When a packet is sent from a source host to a destination host, it must pass through the routers attached to the destination. The length of this path is determined differently depending on the protocol used. For packets to reach their destination, routing protocols must be installed on the hosts or routers. Depending on the algorithm used there are different kinds of routing protocol, including static routing protocols (for example RIP, the Routing Information Protocol) and dynamic ones (for example OSPF, Open Shortest Path First).

2.3.3 Application layer services

a. Domain Name System (DNS)

This service lets elements of the network be identified by name instead of by the numbers of an IP address. The system is hierarchical; each level is called a domain, and domains are separated by dots. The highest domain is the national level: each country is assigned its own two-letter domain name, for example vn (Vietnam) or fr (France), which is then subdivided further. The mapping between IP addresses and domain names is carried out by two entities, the Name Resolver and the Name Server. The Name Resolver is installed on the workstation and the Name Server on a server. The Name Resolver sends an address-mapping request to the Name Server; if the host name is found, the corresponding IP address is returned to the workstation, which then connects to the host using that IP address.

b. Remote login (TELNET)

Lets a user log in from their own workstation to a remote host over the network and work there as if sitting at it. TELNET runs over TCP and exchanges information on port 23. To start TELNET, the user simply types the following at the command line of their workstation: telnet <domain name or IP address>

c. File Transfer Protocol (FTP)

Lets files be transferred from one host to another, wherever the machines are and whatever operating system they use, as long as they are connected over the Internet and have FTP installed. To start FTP we use the command: ftp <domain name or IP address>. We then log in with a user name and password, after which we can download or upload files.

d. Electronic mail (E-mail)

Currently the most popular service on the Internet. It is a store-and-forward service, meaning that two hosts exchanging e-mail do not need a direct connection; the messages are relayed through e-mail servers. The protocols used for the e-mail service are:
- Simple Mail Transfer Protocol (SMTP)
- Post Office Protocol version 3 (POP3)
- Internet Message Access Protocol (IMAP)
- Multipurpose Internet Mail Extension (MIME)

e. Search services

These include:
- file search (Archie)
- menu-based information lookup (Gopher)
- index-based information search (WAIS)
- hypertext-based information search (WWW)

2.4 Security holes in networks


Using the Internet rapidly increases connectivity, but at the same time it carries unforeseen dangers. There are many holes an attacker can exploit to harm a system. The following are a few holes that are common in the network community today.

- Weak passwords: people habitually choose passwords based on the names of relatives or other things familiar to them. With such easily guessed passwords an attacker can seize administrative rights in the network, destroy the system, install a backdoor, and so on. Today someone sitting far away can log in to the system, so we must use passwords that are harder to guess and harder to crack.
- Unencrypted data: data transmitted over the network is easily intercepted, read or altered. With unencrypted data the attacker needs no time at all to understand it. Sensitive information in particular must be carefully encrypted before it is sent over the network.
- Shared files: opening files for sharing is one of the most easily encountered security problems. It lets anyone access the files if we have no good security and permission mechanism.
- The well-known TCP/IP protocol suite, in wide use on networks today, also harbours unforeseen dangers. An attacker can use the very rules of this suite to carry out a DoS attack. Some notable holes related to the TCP/IP suite are:
  - CGI scripts: CGI programs are notoriously insecure, and hackers commonly use these holes to extract data or destroy programs.


  - Web server attacks: besides the holes caused by executing CGI programs, Web servers can have other holes. For example, some Web servers (IIS 1.0 ...) have a hole whereby a file name with a ../ fragment inserted into the path lets one move anywhere in the file system and retrieve any file. Another common fault is a buffer overflow in the request field or in other HTTP fields.
  - Web browser attacks: because Web browsers such as those from Microsoft and Netscape have quite a few security holes, attacks via URLs, HTTP, HTML, JavaScript, frames, Java and ActiveX have appeared.
  - SMTP (Sendmail) attacks
  - IP address spoofing
  - Buffer overflows: two kinds of attack exploit buffer overflow faults: DNS overflow (when an overly long DNS name is sent to the server) and statd overflow (when an overly long file name is supplied).
  - DNS attacks: DNS servers are often a primary target, because the consequence of a successful attack is very large, namely congestion of the whole network.

In April 2004 the US Department of Homeland Security and the UK's National Infrastructure Security Co-ordination Centre warned of a serious security flaw (TTO) in the TCP/IP protocol suite. In the following section we examine the attack techniques based on these security holes.

III. The targets that need protecting

To protect a system against hacker attacks, we must know the targets that need protecting and the various attack techniques, and from these devise sound protection strategies. The sections below discuss these issues in detail. There are three targets that need protecting:
- Data: the information stored in the computer
- Resources: the computer itself, printers, CPUs, etc.
- Reputation

3.1 Data

The security objectives and policy of an information system, as they apply to data, cover:

- Confidentiality
- Integrity
- Availability

People usually concentrate on protecting the confidentiality of data; for highly sensitive information such as defence information or business strategy this is a matter of survival. When data is copied by unauthorised people we say the data has lost its confidentiality. When data is modified unexpectedly by an unauthorised person we say it has lost its integrity. Availability is the most important property for organisations whose operations depend on a great deal of information: when a legitimate user wants to view their data but for some reason it cannot be served immediately, we say the data has lost its availability.

3.2 Resources

Consider the following example. We have a printer (a kind of resource) that, apart from us, only authorised people may use. However, unauthorised people also want to use this printer for free; we then say the printer has been violated. The notion of violation is very broad: memory, CPUs and so on are all resources, and when they are exploited illegitimately by unauthorised people we say the resources have been violated.

3.3 Reputation

Protecting one's reputation is obviously important for individuals and organisations alike. Not only on the Internet but in everyday life we all need to protect our reputation. What would happen if one day our name were used for shady purposes? Restoring the reputation we previously had would certainly take a long time, and might be impossible.

IV. Network attacks and protection strategies


4.1 Forms of attack

There are many different forms of attack on a system, and also many ways of classifying them. In this section we divide them into three basic kinds:
- Intrusion
- Denial of Service (DoS)
- Information theft

4.1.1 Intrusion

An intrusion attack is an attempt by a person or group of people to break into or abuse a system. Hacker and cracker are the two words used for intruders.

Most attacks on systems in general are intrusions. With this kind of attack the attacker can actually use our computer, and every attacker wants to use it as if they were a legitimate user. Attackers have a whole range of ways of gaining access: they may pose as someone with higher authority to ask for our login name and password, simply use guessing attacks, or use many other complex methods to gain access without knowing a user name and password at all. Intruders can be divided into two kinds:

- Outsiders: intruders from outside the system (defacing Web servers, relaying spam through e-mail servers). They may get past the firewall to attack machines on the internal network. They can come from the Internet, over telephone lines, by physical break-in, or from partner networks linked to the organisation's network (manufacturers, customers, etc.).
- Insiders: intruders who have legitimate access inside the system (authorised users, or people impersonating a more highly authorised user). Statistically this kind of intrusion accounts for up to 80% of cases.

There are two main ways of carrying out an intrusion.

Reconnaissance: the attacker may use scanning tools to check or search for security holes in a network. The scans may be pings, TCP/UDP port scans, DNS zone transfers, or scans of Web servers looking for CGI holes. Some common kinds of scan are:

- Ping sweep: this method simply pings IP addresses to check whether the hosts at those addresses are alive. More complex scans using other protocols, such as an SNMP sweep, work in a similar way.
- TCP scan: scans for open TCP ports to find running services that can be exploited, abused or damaged. The scanner may use ordinary TCP connections, stealth scans (half-open connections), or FIN scans (which do not open the port but only check whether anything is listening). The list of ports scanned may be sequential, random or configured.
- UDP scan: this kind is a little harder because UDP is connectionless. The technique is to send a meaningless UDP packet to a port; most hosts answer with an ICMP destination port unreachable message, indicating that no service is listening on that port. However, many machines rate-limit ICMP messages, so this cannot be done very quickly.
- OS identification: by sending malformed TCP or ICMP packets and watching how the target answers, the attacker learns which operating system it runs.
- Account scan: trying to log in with weak accounts:
  - accounts with no password
  - accounts whose password equals the user name, or is simply "password"
  - default accounts shipped with the product
  - accounts installed together with software packages
  - problems with anonymous FTP accounts

Exploits: abusing hidden features or bugs to get into the system.

A firewall can block some of these intrusion paths. Ideally the firewall would block every path into the system regardless of user name and password. In practice a firewall is configured to reduce the number of accounts reachable from the outside, and most administrators also require one-time passwords for any access from outside, so that password guessing gets the attacker nowhere.

4.1.2 Denial of service

This is an attack on the availability of the system: it exhausts the system's resources or consumes its bandwidth so that it can no longer answer incoming requests. If the system then needs those resources, it may well fail. Two things make this attack special: the victim can do little to resist it, and the tools it uses are the same ones the system relies on for everyday operation. Four forms of DoS can be distinguished:

- bandwidth consumption
- resource starvation
- programming flaws
- attacks on routing and DNS

Technically there are three main kinds of denial-of-service attack: DoS, DDoS and DRDoS.

DoS (traditional DoS): the attacking host simply has more bandwidth than the victim.

Figure 1-6: DoS and DDoS attacks

DDoS (Distributed DoS): many hosts attack one victim at the same time.

DRDoS (Distributed Reflection DoS): uses reflector servers. The attacker sends connection requests (SYN packets) to servers with very high bandwidth, the reflectors, with a forged source address: the victim's IP address. The reflectors answer the victim with SYN/ACK packets, producing bandwidth multiplication. With this kind of attack the attacker learns nothing more about the system; it simply paralyses the system so that it no longer works.

Figure 1-7: DRDoS attack

4.1.3 Information theft

Some attacks let the attacker obtain data without directly accessing or using our computer. The attacker usually exploits the Internet services that distribute information. These services may give out information we did not intend to publish, or deliver information to the wrong recipient. Many Internet services were designed for use on internal networks and carry no additional protection, so the information is unsafe once it travels across the Internet. Most attackers try to eavesdrop for information such as user names and passwords; unfortunately these are the easiest things to steal on a network, as the figure below illustrates.

Figure 1-8: A mail application on the Internet

This is the path the packets take when a user logs in to an ISP and sends some messages. The unencrypted packets travel from the client to the ISP's dial-up server, then through the ISP's firewall to the routers before crossing the Internet. Since nothing is encrypted, the messages can be intercepted at several points between sender and destination. A user working for the ISP can keep copies of the packets. A skilled computer specialist can read every message with ease. Anyone who maintains the routers can find several ways to store the messages. The providers of the services can also inspect the user's messages. If the Internet is reached from a LAN rather than by dial-up, even more people can see the messages: anyone on the company's LAN can put a network card into promiscuous mode and capture the packets on that segment.

Figure 1-9: Internet connection from a LAN


Protocols normally exchange data on well-known ports, and that is a weak point an intruder can exploit to steal sensitive information. For example: when a user logs on to Yahoo! Mail (as it worked at the time), enters a user name and password and presses Submit, the credentials are packaged and sent. The first HTTP packet carrying the user name and password was observed leaving the client's port 1149 (an ephemeral port chosen by the client; the number itself is incidental), and anyone able to capture traffic on the path can read the logon information from it, because the password is transmitted in plain text. Logging on to the site exchanges roughly 100 to 200 packets between the user and the server, and the password is in the first ten or so. There are several defences against this attack; a well-configured firewall protects against those who try to collect the information we send out. Note, though, that a firewall cannot protect data once it has left our network; only encrypting the session does that.

4.2 Some attack techniques


The following are some common techniques that attackers use against a system. They fall mainly under intrusion and denial of service.

4.2.1 IP spoofing

Most application protocols on the network run over TCP, so we first look at how this protocol sets up a connection. TCP is connection-oriented: before a client and a server can exchange data they must go through the following three steps (the three-way handshake):

- Step 1: the client sends a SYN packet to the server asking to open a connection. At this point a potential (half-open) connection exists between client and server.
- Step 2: on receiving the SYN, the server replies to the client with a SYN/ACK packet acknowledging the request.
- Step 3: on receiving the SYN/ACK, the client sends an ACK packet back to the server. At the end of this step the connection between client and server is established.

Figure 1-10: Setting up a TCP connection between client and server

If a client that never asked to open a connection with the server nevertheless receives a SYN/ACK, it answers the server with an RST (reset) packet, which tells the server to discard the connection. Note that already in step 1, when the client sends its SYN, the server reserves a block of memory for this client. That memory is released only when the client asks to close the connection, or when a certain period (the timeout) passes without any further signal from the client. The timeout varies from server to server and lies roughly between 75 seconds and 23 minutes.

The attacker builds the following IP spoofing technique on this connection set-up mechanism. Suppose hosts X and Y trust each other, and the attacker sits on host Z. The attacker forges a packet that claims to come from Y and sends it to X, hoping to receive X's response. When X receives this connection request it takes it to be from Y and so replies to Y; Z receives nothing. Since Z never sees X's SYN/ACK, it also has to guess the sequence number X chose in order to complete the handshake blind. When Y receives X's reply (a packet with the ACK bit set) it answers with an RST and the connection is discarded. The attacker does not want X to discard the connection, so he tries to prevent Y from receiving that reply, for example with a denial-of-service attack that floods Y's bandwidth so that it can accept no more traffic. The method is largely theoretical, though, and hard to carry out in practice.

4.2.2 SYN flooding

We stay with the three-way handshake between two TCP endpoints. The attacker again sends the victim a SYN packet with a forged source address. As soon as the victim receives it, it sets aside a block of memory for the connection.

Figure 1-11: SYN flood attack (1)

Just as above, on receiving the SYN connection request the victim replies with a SYN/ACK to the host whose address the attacker forged. If that packet reaches the impersonated host, the host sends an RST, the connection is discarded and the memory the victim reserved for it is freed; the attacker has gained nothing. To get around this the attacker forges source addresses that the victim cannot reach. The SYN/ACK packets the victim sends in step 2 of the handshake then never arrive, so no RST comes back to the victim, and the victim has to keep waiting on the connection until the timeout expires. The attacker has thus succeeded in tying up part of the victim's operating resources.
Moreover, the attacker does not send just one SYN packet: he sends another one to the victim at regular intervals. The result is that all of the victim's resources are spent waiting on connections that do not exist.
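The following simulation is an added example, not code from the thesis or from the BKWall system. It models the half-open connection table described in 4.2.1 and 4.2.2: a SYN reserves a slot, the client's ACK or an RST frees it, and otherwise the slot is held until the timeout. The backlog size (128 entries), the timeout values and the packet rates are assumed for the simulation; the spoofed source addresses never answer, so no RST ever arrives.

```python
"""SYN flood against a listener's half-open (SYN) queue: an added example
illustrating sections 4.2.1-4.2.2, not code from the thesis or BKWall.
Backlog size, timeouts and packet rates are assumed values."""
from collections import OrderedDict


class SynBacklog:
    """Half-open connection table of one listening socket."""

    def __init__(self, size: int, timeout: float):
        self.size = size            # maximum number of half-open entries
        self.timeout = timeout      # seconds an entry is kept while waiting for the ACK
        self.half_open = OrderedDict()   # (client ip, client port) -> expiry time
        self.established = 0
        self.refused = 0            # SYNs dropped because the table was full

    def expire(self, now: float) -> None:
        # Entries are inserted in arrival order, so the oldest come first.
        while self.half_open:
            key, expiry = next(iter(self.half_open.items()))
            if expiry > now:
                break
            del self.half_open[key]

    def on_syn(self, client, now: float) -> bool:
        """Step 1: reserve an entry and (conceptually) send the SYN/ACK."""
        self.expire(now)
        if len(self.half_open) >= self.size:
            self.refused += 1
            return False
        self.half_open[client] = now + self.timeout
        return True

    def on_ack(self, client) -> None:
        """Step 3: the client's ACK completes the connection and frees the entry."""
        if self.half_open.pop(client, None) is not None:
            self.established += 1

    def on_rst(self, client) -> None:
        """RST from a host that never sent the SYN (spoofed but reachable source)."""
        self.half_open.pop(client, None)


def simulate(backlog_size=128, timeout=75.0, syn_per_second=4, seconds=60):
    """Spoofed SYNs arrive at `syn_per_second` from addresses that never reply
    (no ACK, no RST); one legitimate client connects every second."""
    table = SynBacklog(backlog_size, timeout)
    legit_ok = legit_refused = 0
    first_refusal = None
    for t in range(seconds):
        for i in range(syn_per_second):
            n = t * syn_per_second + i
            spoofed = (f"198.51.100.{n % 254 + 1}", 40000 + n)   # unreachable, never answers
            table.on_syn(spoofed, t)
        legit = ("192.0.2.10", 50000 + t)
        if table.on_syn(legit, t):
            table.on_ack(legit)          # a real client finishes the handshake at once
            legit_ok += 1
        else:
            legit_refused += 1
            if first_refusal is None:
                first_refusal = t
    return {"legit_ok": legit_ok, "legit_refused": legit_refused,
            "first_refusal": first_refusal, "established": table.established,
            "half_open_at_end": len(table.half_open)}


if __name__ == "__main__":
    print("75 s timeout:", simulate())
    print(" 5 s timeout:", simulate(timeout=5.0))
```

With the default 75-second timeout (the lower end of the range the text cites), four spoofed SYNs per second fill the 128-entry table after about half a minute and every later client is refused; with a 5-second timeout the table never fills. That is why shortening the time a half-open entry is held (and, on Linux, enabling SYN cookies with net.ipv4.tcp_syncookies) is the usual defence.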

Figure 1-12: SYN flood attack (2)

The advantage of this attack, from the attacker's side, is that very little bandwidth is enough to paralyse the victim. Moreover, the SYN packets the attacker sends carry forged source addresses, so the culprit is very hard to trace.

4.2.3 ICMP flooding

Ping is a program that tells the user whether two hosts on a network can reach each other. It is based on ICMP: it sends packets to a remote system and displays the time from sending the packet to receiving the reply (RTT, round-trip time). The packet sent is an ICMP echo request; the reply is an ICMP echo reply. The attacker uses ICMP against the victim as follows (the "smurf" attack):

- Step 1: the attacker, impersonating the victim, sends a ping with the victim's IP address as source and the broadcast address of some network as destination. After this step every host on that network (10.0.0.x in the figure) has received an ICMP echo request that appears to come from the victim.
- Step 2: because of this confusion, every host on the 10.0.0.x network sends the victim an ICMP echo reply. The flood of replies saturates the bandwidth to the victim, which can no longer communicate with other hosts on the network.

Many convenient tools exist for carrying out this kind of attack.

Figure 1-13: ICMP flood attack


4.3 Network protection strategies


4.3.1 Least privilege

Perhaps the most fundamental security strategy (not only for network security but for every other security mechanism) is least privilege. Basically the principle means that any entity (a user, a system administrator, a program, ...) gets only the privileges it needs for its job, and nothing more. Least privilege is important because it reduces the exposure an attacker can exploit and limits the damage a compromise can do. Almost certainly not every user needs access to every Internet service, needs to modify (or even read) every file on our system, or needs to know the root password; nor does every administrator need the root password of every system. Applying least privilege means finding ways to reduce the privileges needed by each person and each specific task.

4.3.2 Defence in depth

Another principle of every security mechanism is defence in depth. Do not depend on a single security mechanism, however strong it may be. Instead, use several mechanisms that back each other up.

Figure 1-14: Defence in depth

4.3.3 Choke point

By building a choke point we force all traffic to pass through it, and attackers are no exception. This is what makes it possible to inspect and control the traffic entering and leaving the network. There are many examples of choke points in everyday life; in network security the choke point is the firewall placed between the network to be protected and the Internet. Anyone who wants to get into the protected network has to pass through that firewall.

4.3.4 Weakest link

However many strong components a defensive system has, it takes only one insecure component for the whole system to be insecure. Clever attackers look for those weak points and concentrate their attack there. Weak points therefore need careful attention, because attackers will always look for ways to exploit them.

4.3.5 Fail-safe stance

Another fundamental principle of a security strategy is that the system should fail safe: if it fails, it should fail in a way that still resists the adversary. Such a failure may also lock out legitimate users, but in some cases the strategy has to be applied anyway. Most applications today fail safe. For example, if a packet-filtering router goes down it lets no packets through at all; if a proxy goes down it provides no service at all. But consider a packet-filtering set-up in which all packets are directed to one machine running the packet filter while another machine provides the application: if the filtering machine goes down, all the packets travel straight to the machine providing the service. That design does not fail safe and must be avoided.

The important point in this strategy is our basic attitude to security: do we tend to restrict and forbid, or to permit? Two basic stances determine the security policy:

- Default deny: specify only what is permitted and forbid everything else.
- Default permit: specify only what is forbidden and let everything else through.

4.3.6 Universal participation

To be effective, most security systems require the participation of every local system. If someone can easily break one security mechanism, they can succeed by attacking somebody's unprotected system and then attacking the internal network from the inside. There are many ways for a system's security to break down, and we need to be told about any strange occurrences that might affect the security of a local system.

4.3.7 Diversity of defence

The real idea behind diversity of defence is to use security systems from several different vendors, so as to reduce the risk of a common flaw shared by all of them.
Alongside that come the difficulties of running a system built from products of different vendors: installation and configuration are harder, the cost is higher, and it takes more time before the system can be operated. We should be careful with the idea of diversity: using several different systems does not guarantee diversity of defence, and one system may even hamper another instead of complementing it as we intended.

4.3.8 Simplicity

Simplicity is a security strategy for two reasons. First, what is simple is also easy to understand, and if we do not understand some part we cannot be sure whether it is secure. Second, complexity creates nooks and crannies we cannot keep track of, where many things may hide without our knowledge. Clearly, guarding an apartment is far easier than guarding a large castle.

Chapter 2: INTERNET FIREWALL

Firewall concepts
Basic firewall functions
Firewall architectures
Firewall maintenance

In this chapter we study the Internet firewall: what a firewall is, the basic functions of a firewall, firewall architectures for deploying a secure network, and finally the maintenance of a firewall.

I. Concept
1.1 Concept
A firewall is a piece of software, a hardware device, or a combination of both, designed to defend the internal network against risks and dangers from outside. It is usually placed between the internal network to be protected and the Internet, and it blocks some of the network traffic.

Figure 2-1: Position of the firewall on the network

With this placement, all traffic entering the internal network from the Internet, and all traffic leaving the internal network for the Internet, passes through the firewall. The firewall can therefore inspect the traffic and decide whether to allow or deny it. Allowing or denying is based on the security policy set by the firewall's administrator.

1.2 Advantages and disadvantages of a firewall


1.2.1 Advantages

A firewall can do a great deal for the security of a network; in fact the benefits of a firewall are not confined to security.

a. The firewall is a focus for security decisions

Looking at the firewall's position in the figure, we see that it is a choke point. The firewall gives us great leverage in protecting the internal network, because the work to be done is concentrated at this one point. Concentrating the effort at one point is also economical.

b. The firewall can enforce a security policy

Many services that people want to use are inherently insecure.
The firewall controls these services. It enforces the security policy by admitting only the services that satisfy the rule set in force on the firewall. Depending on the technology chosen to build it, a firewall enforces security policies with varying effectiveness.

c. The firewall can log activity efficiently

Because all traffic passes through the firewall, it is the ideal place to collect information about system and network usage. The firewall can record what happens between the protected network and the outside network.

1.2.2 Disadvantages

A firewall can protect a network effectively, but it is not the whole story; it has its own weaknesses.

a. A firewall cannot protect against attacks from inside

If the attacker is already inside the firewall, the firewall cannot help. The attacker can steal data, damage hardware and software, and modify programs without the firewall ever knowing.

b. A firewall cannot protect against attacks that do not go through it

A firewall can control traffic effectively only if that traffic passes through it; it can do nothing about traffic that does not. For example, what if dial-up access to systems inside the firewall is allowed? The firewall cannot stop an attack coming in over that modem connection. The same applies to back doors installed by the administrator or by skilled users.

c. A firewall cannot protect against completely new attacks

A firewall is designed to defend against known kinds of attack. A well-designed firewall (one that denies everything not explicitly allowed) may still stop some novel attacks, but the administrator has to keep up with new attack methods and combine them with experience to update the firewall. A firewall cannot be installed once and used forever.

d. A firewall cannot protect against viruses

A firewall does not help a computer defend against viruses. Although many firewalls scan incoming traffic to check it against the configured rules, a packet filter examines only the source address, destination address and port numbers of a packet, not its content, and there are many kinds of virus and many ways for a virus to hide inside data.

Next we look at the basic functions of a firewall.
A real firewall should have at least one of the following functions:

- Packet filtering: the firewall examines the headers of packets and decides, according to the configured rule set, whether to let each packet through or discard it.
- Application proxy: the firewall examines the traffic more thoroughly than header inspection allows, because it understands the specific protocol the application uses.
- Network address translation (NAT): outside hosts see only one or two addresses belonging to the firewall, while hosts on the internal network can use addresses from any range; the source and destination addresses of incoming and outgoing packets are translated accordingly.
- Monitoring and logging: tells the administrator what is happening at the firewall, as a basis for better protection.

A firewall may also have some extended functions:

- Data caching: different users often request exactly the same Web pages, so caching the data makes responses faster and more efficient.
- Content filtering: firewall rules can block requests for Web pages containing particular keywords or URLs, or other data such as video streams and images.
- Intrusion detection: the ability to detect intrusions and attacks.
- Other functions, such as virus detection and scanning.

Below we examine in detail the three basic functions of a firewall: packet filtering, application proxy and network address translation.

II. Basic functions of a firewall


2.1 Packet filtering
2.1.1 Concept

Packet filtering is a basic firewall function. It is a network security technique that operates at the network layer by controlling the data entering or leaving a computer network: a packet filter routes packets selectively according to the security policy set by the administrator. Packet filtering is normally very fast because it examines only the headers of packets, not the data they carry. Because the technique is fast, flexible and transparent to users, most routers today include packet filtering. A router that uses a packet filter is called a screening router. Below is a model of a screening router in a network.

Figure 2-2: Screening router using a packet filter


As introduced in the previous chapter, every packet has a header. The header fields a packet filter uses are:

- source IP address
- destination IP address
- protocol
- TCP (or UDP) source port
- TCP (or UDP) destination port
- ICMP message type

The packet filter bases its final decision to pass or block the packet on this information. In addition, the filter can use information that is not in the packet header, such as:

- the network interface the packet arrived on (for example eth0 on Linux)
- the network interface the packet will leave by (for example eth1)

In practice the servers for Internet services listen on fixed ports, so it is enough to configure the router's filtering rules by port number to block connections to them; for example HTTP servers use port 80 by default and FTP servers use port 21 for the control connection. Beyond the normal job of a router, forwarding packets towards their destination, a screening router can therefore filter the packets that pass through it: it reads each packet more carefully and decides whether it may proceed to its destination. Whether a packet is allowed through depends on the filtering rules the screening router has been configured with. From this we get the ways of filtering packets: by address, by service or port, and by both address and port.

Filtering by address

This is the simplest method: it steers packets according to their source or destination address without caring which protocol they belong to. The risk of address-based filtering is immediately apparent: an attacker can use a forged IP address to pass the filter and reach hosts on the protected internal network. Two attacks rely on IP address forgery: source address spoofing and man-in-the-middle. The remedy is to authenticate the packets (or the users behind them) instead of trusting the source address alone.

Filtering by service

Most TCP/IP applications operate on a socket, the combination of an IP address and a port number, so filtering by service amounts to filtering by port number. For example, Web applications using HTTP normally run on port 80 and the Telnet service on port 23. Filtering may be based on the source port, the destination port, or both.
The risk of filtering by port number is that many client/server applications use random port numbers in the range 1024 to 65535. Writing rules for such traffic is very difficult: the rules may let dangerous packets through while blocking packets that are needed.
2.1.2 Packet filter actions

After examining a packet, the packet filter can do one of the following:

- Pass the packet: if the packet satisfies the conditions configured in the filter, it is forwarded to its destination.
- Discard the packet: if the packet does not satisfy the configured conditions, it is dropped.
- Log the activity: there is no need to log every packet that is allowed through; logging a subset is enough, for instance the packet that opens each TCP connection, so that the TCP connections entering and leaving the protected network can be tracked. Dropped packets, on the other hand, should be logged: we want to know which packets are trying to get through while being forbidden.

2.1.3 Advantages and disadvantages of packet filtering

a. Advantages

- Transparent to users.
- Can filter any service that uses the protocols the firewall supports.
- A single screening router can protect the whole network: a major advantage, since it is a single device and the hosts on the protected network need not change when the network grows.
- Unlike a proxy, it requires no learning on the part of the users.

b. Disadvantages

- Requires detailed knowledge of the protected network and the protocols used on it.
- No user authentication: filtering is based only on the network addresses of the hardware systems.
- Does not hide the internal structure of the protected network.
- Does not protect against weaknesses in services that are not filtered.
- With DHCP the filtering results are inaccurate, because addresses change.
- Some protocols are not suited to packet filtering.
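To make 2.1 concrete, and the default-deny versus default-permit stances of 4.3.5, here is a small stateless packet filter written for this page. It is an added example, not code from the thesis or from BKWall; the rule set, the interface names (eth0 towards the Internet, 10.0.0.0/8 inside) and the sample packets are constructed assumptions. Rules match the header fields listed above plus the TCP ACK bit, are evaluated first-match like an iptables chain, and the policy applies when nothing matches.

```python
"""Stateless packet filter with first-match rules and a default policy
(added example for section 2.1; not code from the thesis or BKWall).
Interface names, addresses, rules and sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    ack: bool = False          # TCP ACK bit: clear only on the first packet of a connection
    in_if: str = ""            # interface the packet arrived on


@dataclass
class Rule:
    action: str                # "accept" or "drop"
    src: str = "0.0.0.0/0"     # CIDR prefixes
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None   # inclusive port range
    dport: Optional[Tuple[int, int]] = None
    icmp_type: Optional[int] = None
    ack: Optional[bool] = None
    in_if: Optional[str] = None
    log: bool = False
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport is not None and not self.sport[0] <= p.sport <= self.sport[1]:
            return False
        if self.dport is not None and not self.dport[0] <= p.dport <= self.dport[1]:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if self.ack is not None and p.ack != self.ack:
            return False
        if self.in_if is not None and p.in_if != self.in_if:
            return False
        return True


class PacketFilter:
    def __init__(self, rules: List[Rule], policy: str = "drop"):
        self.rules = rules
        self.policy = policy          # verdict when no rule matches
        self.log: List[str] = []

    def evaluate(self, p: Packet) -> str:
        summary = f"{p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto} in={p.in_if}"
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                if rule.log:
                    self.log.append(f"rule {i} [{rule.comment}] {rule.action}: {summary}")
                return rule.action      # first match wins
        # No rule matched: the policy decides, and that is always worth logging.
        self.log.append(f"policy {self.policy}: {summary}")
        return self.policy


INTERNAL = "10.0.0.0/8"
WEB_SERVER = "10.0.0.5/32"

# Rules for the screening router's Internet-facing interface eth0 (constructed).
ROUTER_RULES = [
    Rule("drop", src=INTERNAL, in_if="eth0", log=True, comment="anti-spoofing"),
    Rule("accept", dst=WEB_SERVER, proto="tcp", dport=(80, 80), in_if="eth0", comment="public web"),
    Rule("accept", dst=INTERNAL, proto="tcp", ack=True, in_if="eth0", comment="replies to inside"),
    Rule("accept", dst=INTERNAL, proto="icmp", icmp_type=3, in_if="eth0", comment="dest unreachable"),
]

# Constructed sample traffic arriving from the Internet.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "web_request": Packet("203.0.113.9", "10.0.0.5", "tcp", 51000, 80, in_if="eth0"),
    "spoofed_internal_src": Packet("10.0.0.7", "10.0.0.5", "tcp", 51000, 80, in_if="eth0"),
    "telnet_probe": Packet("203.0.113.9", "10.0.0.5", "tcp", 51001, 23, in_if="eth0"),
    "reply_to_inside_client": Packet("203.0.113.9", "10.0.0.20", "tcp", 80, 45000, ack=True, in_if="eth0"),
    "syn_to_high_port": Packet("203.0.113.9", "10.0.0.20", "tcp", 80, 45000, in_if="eth0"),
    "dns_reply_udp": Packet("203.0.113.9", "10.0.0.20", "udp", 53, 33000, in_if="eth0"),
    "port_unreachable": Packet("203.0.113.9", "10.0.0.20", "icmp", icmp_type=3, in_if="eth0"),
}


def run_demo(policy: str = "drop"):
    """Evaluate the sample packets; returns (verdict per packet, log lines)."""
    pf = PacketFilter(ROUTER_RULES, policy)
    verdicts = {name: pf.evaluate(pkt) for name, pkt in SAMPLE_PACKETS.items()}
    return verdicts, pf.log


if __name__ == "__main__":
    for name, verdict in run_demo()[0].items():
        print(f"{name:24s} {verdict}")
```

The "syn_to_high_port" and "dns_reply_udp" packets show the ephemeral-port problem from 2.1.1: a stateless filter can admit TCP replies to inside clients by requiring the ACK bit (a reply always has it set, the first packet of a new connection never does), but it has no equivalent test for UDP, so DNS replies to the 1024-65535 range are either dropped, as here, or admitted blindly. Switching the policy to "accept" turns the same rule set into a default-permit firewall and lets the Telnet probe through.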

2.2 Proxy
2.2.1 Concept

Hosts with a direct connection to the outside network that provide services on behalf of the other hosts on the protected network are called proxies. Proxies act as gateways for the services they handle, which is why they are also called application-level gateways. Transparency to the user is one of the benefits of a proxy: the proxy collects service requests from client hosts, checks them, and if they are acceptable passes them on to the appropriate server, then receives the replies and returns them to the client.

Figure 2-3: Proxy server

A proxy runs on a dual-homed host or a bastion host. Every host on the internal network that wants to reach the Internet must go through the proxy, so network security policies such as logging and access control can be enforced there.

2.2.2 Advantages and disadvantages of proxies

a. Advantages

- Security rules are easy to define.
- User authentication is possible.
- The internal structure of the protected network can be hidden.
- Transparent to users.
- Log files are easy to keep.

b. Disadvantages

- Demands more of the system administrator than packet filtering.
- Cannot be used for new services.
- Each service needs its own proxy.
- Proxying is not possible for some services.

2.2.3 How proxies operate

For most services the proxy requires proxy software on the server side, and on the client side it requires one of the following:

- Custom client software: with this approach the client software connects to the proxy instead of directly to the server, and tells the proxy the address of the server it wants to reach.
- Custom user procedures: the user uses standard client software to connect to the proxy server and asks it to connect to the real server.

2.2.4 Classifying proxies

Proxies can be classified by many criteria; the main distinctions are:

- Application-level and circuit-level proxies
An application-level proxy knows the specific application it serves: it understands and interprets the commands of the application-layer protocol (Sendmail, for instance). A circuit-level proxy creates a connection between client and server without interpreting the application-layer protocol commands. A common form of circuit-level proxy is the hybrid proxy gateway, which acts as a proxy towards the outside network but as a packet filter towards the inside network. In general, application-level proxies use custom user procedures while circuit-level proxies use custom client software. An application-level proxy can obtain information from outside through the application-layer protocol, whereas a circuit-level proxy cannot interpret application-layer protocols and needs extra information to let data through. The advantage of a circuit-level proxy is that it serves many different protocols; most circuit-level proxies are generic proxies, suitable for almost any protocol. Its disadvantage is that it offers little control at the proxy and is easily fooled by attaching well-known services to ports other than the ones they normally use.

- Generic and dedicated proxies

Although the terms application-level proxy and circuit-level proxy are commonly used, we also distinguish dedicated proxy servers from generic proxy servers. A dedicated proxy server serves a single protocol, while a generic proxy server serves many. Clearly an application-level proxy is a kind of dedicated proxy server and a circuit-level proxy is a kind of generic proxy server.

- Intelligent proxies

A proxy server that does more than simply forward client requests is called an intelligent proxy server. For example, the CERN HTTP proxy and Squid can cache data, so that when many requests arrive for the same data they are answered from the cache without going outside again, saving time and link cost. Such proxies also provide better logging and access control than other means would allow.
2.2.5 Using proxies with Internet services

Because the proxy intervenes in the communication between client and server, it has to adapt to many services. Some services are simple in themselves but become much more complicated once a proxy is involved. The ideal service to proxy makes a single TCP connection in one direction and has a safe command set. Proxying is therefore considerably simpler for TCP than for UDP, and for lower-layer protocols such as ICMP it is hardly feasible at all.

2.3 Network address translation

Figure 2-4: Network address translation

NAT was originally introduced to conserve IP addresses, because the 32-bit IP addresses allocated to organisations were running out fast. But NAT turned out to have some unexpected benefits beyond its original purpose. With NAT, every host on the internal network has an address from a private range, for example 10.0.0.0/8, that is not used on the Internet. When an internal host wants to connect to the Internet, the NAT machine replaces the private address (say 10.65.1.7) with a fixed public address supplied by the ISP (say 23.1.8.3); the packet leaves with source address 23.1.8.3, and when the reply arrives the NAT machine changes the destination address back to 10.65.1.7. Figure 2-4 shows this model. NAT conserves addresses because hosts on the internal networks of different organisations can use exactly the same addresses. If more than one internal host needs to connect to the Internet at the same time, the NAT machine in its basic form needs several public IP addresses, one per internal host. With today's NAT services a single public address suffices, because besides rewriting the IP address the NAT machine also rewrites the port number, giving each internal host's connections a different port. As there are 65,535 port numbers, one NAT machine can serve a local network of thousands of hosts. Rewriting the port number is called network address port translation (NAPT). This also shows the security value of NAT: it hides the IP addresses of the hosts on the protected network. The firewall takes advantage of this: the outside world sees only the network interface with the public IP address.
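The NAPT behaviour described above, as an added example that is not part of the thesis or of BKWall: the translation table below maps each internal (address, port) pair to the single public address and a fresh public port, maps replies back, and drops unsolicited inbound packets for which no mapping exists. The public address 23.1.8.3 and the private host 10.65.1.7 are the text's own example values; the second private host, the port pool and the destination address are assumed.

```python
"""Port-translating NAT (NAPT) table: an added example for section 2.3, not
code from the thesis or BKWall. Addresses and the port pool are assumed."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Napt:
    """Maps (private ip, private port, proto) to the one public address and a
    unique public port, and maps replies back to the private host."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.out_map: Dict[Tuple[str, int, str], int] = {}
        self.in_map: Dict[Tuple[int, str], Tuple[str, int]] = {}

    def _allocate(self, key: Tuple[str, int, str]) -> int:
        if key in self.out_map:             # an existing flow keeps its public port
            return self.out_map[key]
        if self.next_port > self.last_port:
            raise RuntimeError("NAPT port pool exhausted")
        port = self.next_port
        self.next_port += 1
        self.out_map[key] = port
        self.in_map[(port, key[2])] = (key[0], key[1])
        return port

    def outbound(self, p: Pkt) -> Pkt:
        """Private host -> Internet: rewrite the source address and port."""
        port = self._allocate((p.src, p.sport, p.proto))
        return replace(p, src=self.public_ip, sport=port)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Internet -> public address: rewrite the destination back to the private
        host. Returns None (packet dropped) when no mapping exists; that is what
        hides the internal hosts from unsolicited traffic."""
        if p.dst != self.public_ip:
            return None
        target = self.in_map.get((p.dport, p.proto))
        if target is None:
            return None
        return replace(p, dst=target[0], dport=target[1])


def demo():
    nat = Napt("23.1.8.3")                                   # public address from the text
    a = nat.outbound(Pkt("10.65.1.7", 40000, "93.184.216.34", 80))
    b = nat.outbound(Pkt("10.65.1.8", 40000, "93.184.216.34", 80))   # same private port, other host
    a_again = nat.outbound(Pkt("10.65.1.7", 40000, "93.184.216.34", 80))
    reply_b = nat.inbound(Pkt("93.184.216.34", 80, "23.1.8.3", b.sport))
    unsolicited = nat.inbound(Pkt("203.0.113.9", 55555, "23.1.8.3", 22))
    return a, b, a_again, reply_b, unsolicited


def pool_exhaustion() -> bool:
    """With a two-port pool the third private flow cannot be mapped."""
    nat = Napt("23.1.8.3", first_port=1024, last_port=1025)
    nat.outbound(Pkt("10.65.1.7", 40000, "93.184.216.34", 80))
    nat.outbound(Pkt("10.65.1.8", 40000, "93.184.216.34", 80))
    try:
        nat.outbound(Pkt("10.65.1.9", 40000, "93.184.216.34", 80))
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
    print("pool exhausted on third flow:", pool_exhaustion())
```

A real NAPT implementation (Linux's MASQUERADE target included) keys its table on the full 5-tuple and expires idle entries, so the same public port can be reused towards different destinations and the pool is not consumed permanently; the example keys only on the private side to keep the mapping easy to follow.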

2.4 Monitoring and logging


The purpose of monitoring and logging is to let the administrator know whether the modules of the firewall system are working as expected. Is the packet filter really filtering packets reliably? Does NAT hide the IP addresses of the internal hosts? Does the application proxy really separate the protected internal network from the outside? Logs also show the current connections through the system, information about dropped packets, and which machines are trying to break into the system. There are four reasons for a firewall to monitor and log:

- Useful reporting: we want to aggregate information about the performance of the firewall system, its status, and even changes to users' accounts for the various services.
- Intrusion detection: if a hacker gets into our network and stays there for a while, he can damage the system. Regular review of the log files can reveal clues and provide evidence of an intrusion.
- Discovering new attack methods: once an intrusion has been detected we still need to make sure that the hacker is stopped and cannot repeat the attack the same way. That calls for careful analysis of all the log files, in the hope of finding the traces the hacker left and when the network was first entered. The same analysis may reveal Trojan horse programs installed on our systems.
- Legal evidence: a further benefit of log files is their value as evidence. They record the hacker's first entry into the system and the actions that followed.
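The reconnaissance scans of 4.1.1 and the logging goals above meet in the firewall's log. The parser below is an added example, not code from the thesis or from BKWall: it reads kernel log lines in the format the iptables LOG target writes, counts dropped packets per source, flags a source that hit several distinct destination ports within a short window (a port scan), and lists the logged opening SYNs of accepted connections. The log prefixes FW-DROP: and FW-NEW:, the host name fw, and the log lines themselves are constructed for the example.

```python
"""Parse iptables LOG output and summarise it (added example, not thesis code).
SAMPLE_LOG is constructed; FW-DROP: and FW-NEW: are assumed to be the
--log-prefix values used on the firewall's LOG rules."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar 15 10:15:01 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1001 DF PROTO=TCP SPT=51000 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 15 10:15:01 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1002 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 15 10:15:02 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1003 DF PROTO=TCP SPT=51002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 15 10:15:02 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1004 DF PROTO=TCP SPT=51003 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 15 10:15:03 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1005 DF PROTO=TCP SPT=51004 DPT=110 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 15 10:15:03 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1006 DF PROTO=TCP SPT=51005 DPT=143 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 15 10:16:40 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=198.51.100.4 DST=10.0.0.20 LEN=68 TOS=0x00 PREC=0x00 TTL=57 ID=2002 PROTO=UDP SPT=53 DPT=33000 LEN=48
Mar 15 10:17:05 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=198.51.100.4 DST=10.0.0.20 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=2003 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Mar 15 10:17:30 fw kernel: FW-NEW: IN=eth0 OUT=eth1 SRC=192.0.2.50 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=3001 DF PROTO=TCP SPT=40123 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+kernel:\s+"
    r"(?:\[\s*[\d.]+\]\s+)?(?P<prefix>[^=]*?)\s*(?P<fields>IN=.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
INT_FIELDS = ("SPT", "DPT", "TYPE", "CODE", "LEN", "TTL")


def parse_line(line):
    """Return a dict of the KEY=value fields, TCP flags and timestamp, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
           "prefix": m["prefix"].strip(), "flags": set()}
    for tok in m["fields"].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value            # a later duplicate key (inner LEN=, ID=) overwrites
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    for key in INT_FIELDS:
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def summarize(lines, scan_ports=5, scan_window=60):
    """Count drops per source, flag port scanners, list logged new connections."""
    drops = defaultdict(list)
    new_connections = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["prefix"].startswith("FW-DROP"):
            drops[rec["SRC"]].append(rec)
        elif (rec["prefix"].startswith("FW-NEW") and rec.get("PROTO") == "TCP"
              and rec["flags"] == {"SYN"}):
            new_connections.append((rec["SRC"], rec["DST"], rec["DPT"]))
    window = timedelta(seconds=scan_window)
    scanners = []
    for src, recs in drops.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            # distinct destination ports this source touched within the window
            ports = {r["DPT"] for r in recs[i:]
                     if "DPT" in r and r["ts"] - first["ts"] <= window}
            if len(ports) >= scan_ports:
                scanners.append(src)
                break
    return {"drops_by_src": {src: len(recs) for src, recs in drops.items()},
            "scanners": scanners, "new_connections": new_connections}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Feed it the output of `journalctl -k` or /var/log/kern.log instead of SAMPLE_LOG; the prefix to match is whatever --log-prefix was given to the LOG rule, and the timestamps carry no year, so the window comparison only works within one log file.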

III. Firewall architectures


When deploying a firewall on a real network there are many ways to build the system out of the functions, or basic components, of a firewall. Below we look at the basic firewall architectures:

- Bastion host
- Dual-homed host
- Screened host
- Screened subnet

There are also combinations and variants of these basic architectures.

3.1 Bastion host


The bastion host is the internal network's point of contact with the outside network: every connection from outside, and every connection going out, passes through it. The bastion host is therefore the number one target for attack and a critical position in the network. A firewall system need not have only one bastion host; there may be several at different positions, their number and placement depending on actual requirements and purpose. A bastion host can also be used as a firewall architecture in its own right.

3.1.1 Main principles of a bastion host

Two main principles govern the design and construction of a bastion host:

- keep it simple
- be prepared for the bastion host to be compromised

a. Simplicity

A simple bastion host is easier to secure. Any service on the bastion host can contain a software bug or a configuration error, and such errors can cause security problems, so the fewer tasks the bastion host performs the better. Keep only a small number of services on the bastion host, together with the least-privilege mechanism.

b. Be prepared for the bastion host to be compromised

Whatever its protection, the bastion host will at some point be attacked and may be broken. We must assume the worst that can happen to the bastion host and plan for it. If the bastion host falls, there must be measures that stop the attacker from going on to harm the internal network behind it. One way is to configure the internal hosts so that they do not trust the bastion host absolutely: look closely at the services the bastion host provides to internal hosts and check the reliability and privileges of each. This can be done in several ways, for instance by installing a packet filter between the bastion host and the internal hosts, or by requiring a password on each host.

3.1.2 Kinds of bastion host

A bastion host can be configured in a network in many ways. Besides the two main configurations, the screened host and the service hosts on a screened network, there are several other kinds of bastion host. They are configured much like the two main kinds but have some special requirements. Some bastion models are:

- non-routing dual-homed host
- victim machine
- internal bastion host

a. Non-routing dual-homed host

A non-routing dual-homed host has several network connections but does not forward data between them. Such a host can itself be a firewall or a component of one.

b. Victim machine

For a new service whose security we cannot yet vouch for, choosing a victim machine is entirely reasonable. The victim machine holds nothing of value and has no access rights on other hosts.
Ta ch cung cp mt cch ti thiu c th s dng c cc dch v m ta mong mun trn Victim Machine. Nu c th ch cung cp cc dch v khng an ton, cha c kim nh nhm ngn nga cc tc ng bt ng.
2.3.4 Location of the bastion host on the network

The bastion host should be placed where no confidential traffic flows. Most Ethernet and Token Ring network interfaces can operate in promiscuous mode, in which they capture every packet on the network segment they are attached to. Some other interfaces, such as FDDI, cannot capture every packet, but depending on the network architecture they can still capture some packets not addressed to them. This capability is very useful for network analysis, testing and debugging, for example with the tcpdump program. But it becomes dangerous when an attacker uses it to eavesdrop on and interfere with data flows on the network. We must prepare for the worst case, the bastion host being compromised; in that case we do not want the attacker to use the bastion host to interfere with traffic.

One solution is not to place the bastion host in the internal network at all but to put it in a perimeter network. All internal traffic then stays within the internal network and cannot be observed from the perimeter network. A bastion host on the perimeter network only sees packets from itself to the Internet and from the Internet to itself. Using a perimeter network together with packet-filtering routers between it and the internal network brings further advantages: it limits the exposure of the internal network to the outside.

Alternatively, the bastion host can be placed at a point in the network that is harder to snoop on, for example on an intelligent 10base hub, an Ethernet switch or an ATM network. If this approach is taken, make sure that no host trusts the bastion host unconditionally.

In short, the best approach is to isolate the bastion host from the internal network. The practical option is to place it on the perimeter network. This way the internal network remains protected even if the bastion host is compromised.

Note: do not allow user accounts on the bastion host. If at all possible, allow no user accounts on the bastion host, for the following reasons:
+ the accounts themselves can be compromised
+ the services that serve these accounts can be compromised
+ the stability and trustworthiness of the bastion host are reduced
+ an attacker is harder to detect
+ the bastion host can be compromised simply through someone's carelessness

3.2 Dual-homed host


Built on a dual-homed computer, i.e. one with at least two network cards (note that this machine must have its routing capability disabled). It sits like a router between the networks it connects and decides which packets pass from one network to the other. Both the internal and the external systems can connect to the dual-homed host, but they cannot connect directly to each other.

Figure 2-5: Dual-homed host architecture

This architecture is relatively simple: a dual-homed host sits in the middle, connected to the external network and the internal network. The dual-homed host provides a high degree of control. Although its architecture is simple, a great deal of work is needed to exploit its advantages fully.

3.3 Screened host


The screened host provides services from a host attached only to the internal network. It is built from a bastion host and a screening router. The bastion host is placed in the internal network, and packet filtering on the screening router is set up so that the bastion host is the only host in the internal network that hosts on the Internet can connect to, and even then only for certain kinds of connection. Any external host that wants to reach the internal system must go through the bastion host. For this reason the bastion host has to be protected very carefully. Packet filtering allows the bastion host to connect to permitted points on the external network. The packet filtering is configured to do the following:
+ Allow other internal hosts (other than the bastion) to connect to external hosts for certain services.
+ Block all connections to hosts in the internal network (these hosts use a proxy server via the bastion host).

Figure 2-6: Screened host architecture

Because the screened host architecture lets packets move from the Internet into the internal network, it carries more risk than the dual-homed host architecture. Nonetheless, in practice the dual-homed host architecture can also fail and let packets into the internal network. Moreover, protecting a router is easier than protecting a host, so this architecture is both safer and more convenient.

3.4 Screened subnet


Built by adding to the screened host architecture a perimeter network that isolates the internal network from the external Internet.

Figure 2-7: Screened subnet architecture

This architecture overcomes the weakness of the screened host architecture, in which the bastion host sits inside the internal network and, once it is compromised, the whole protected network is compromised (if the hosts trust the bastion host unconditionally).
By isolating the bastion host on the perimeter network, the risk in case it is broken into can be reduced. In the simplest screened subnet architecture, two screening routers connect to the perimeter network. One router (the interior router) sits between the perimeter network and the internal network; the other (the exterior router) sits between the perimeter network and the Internet. To break into the internal network an attacker has to get through both routers, and even after taking the bastion host still has to get past the interior router. Depending on the requirements, one or several perimeter networks may be used.

Basic components of the screened subnet architecture

a. Perimeter network
The perimeter network is an extra protective layer added between the internal network and the outside. If an attacker breaks through our firewall, the perimeter network gives us one more layer of protection. If the attacker takes the bastion host on this network, they can only find information on the bastion host itself. All traffic on the perimeter network either originates from or is destined for the bastion host, or originates from or is destined for the Internet. Since no internal traffic at all crosses the perimeter network, the internal network stays safe even if the bastion is compromised.

b. Bastion host
In the screened subnet architecture the bastion host is added to the perimeter network. It is the main point of contact for receiving connections from outside. Outbound services (from internal clients to Internet servers) are handled in one of two ways:
+ Install packet filtering on both the exterior and the interior router and let internal clients reach external servers directly.
+ Install a proxy server on the bastion host and let internal clients reach external servers indirectly. Packet filtering can then be set to allow connections to the proxy on the bastion host while blocking direct connections between internal clients and external servers.
In both cases the packet filtering allows the bastion host to connect to servers or hosts on the Internet.

c. Interior router
Also called the choke router, it protects the internal network from the Internet and from the perimeter network. In practice it allows most connections from the perimeter network outward and performs the packet-filtering function of the firewall.
The services the interior router allows between the bastion host and the internal hosts are not the same as those the exterior router allows between the perimeter network and the Internet. The reason for restricting the services between the bastion host and the internal network is to reduce the number of hosts that can be attacked once the bastion host is compromised.

d. Exterior router
Also called the access router, it protects both the internal network and the perimeter network. In practice it allows most connections from the perimeter network outward and does very little packet filtering. Only the genuinely specific filtering rules on the exterior router protect the hosts on the perimeter network; the remaining rules are usually repetitions of the rules on the interior router. A proxy can be installed on the exterior router to support connections from the bastion host outward.
3.5 Some other architecture variants


The architectures above are some of the common Firewall architectures, but many others exist. They are combinations of the basic components of a Firewall, chosen for flexibility and security. These combinations can be:
- Using several bastion hosts
- Merging the interior router and the exterior router
- Using several exterior routers
- Using several perimeter networks
The following combinations, however, should be avoided:
- Merging the bastion host and the interior router
- Using several interior routers on the perimeter network

IV. Firewall maintenance


After a Firewall that meets the stated requirements and tasks has been designed and installed, the next important job is maintaining it. There are three important tasks in this work:
- Managing the Firewall
- Checking the Firewall system
- Always keeping the Firewall up to date
Many of these maintenance tasks can be automated.

4.1 Managing the Firewall


Managing the Firewall keeps it secure and in good order. Three things must be done:
- Back up the Firewall
- Manage accounts
- Manage disk space

4.1.1 Backing up the Firewall
This means backing up the system's configuration information in case it has to be restored.

4.1.2 Managing accounts
Account management covers adding new accounts and modifying or deleting an account. It is an essential part of security work. For a Firewall system, good account management contributes significantly to the security of the system.

4.1.3 Managing disk space
Data always tends to fill the available disk space, even when no user is on the system. The administrator must check the system regularly to answer the following questions:
+ Are the programs running on the system backdoors installed by an attacker?
+ Is the data stored on disk safe, or does it hide security risks?

4.2 Checking the system


Another important job in maintaining the Firewall is checking the system. To do this the administrator must answer the following questions, and the main work is a careful examination of the log files to extract information useful for administration.
- Has the Firewall been compromised?
- What kind of attack is the attacker using against our Firewall?
- Is the Firewall working in the correct order?
- Does the Firewall provide the services the users require?
When examining the log files the administrator should pay attention to the following.
Information of interest:
+ Dropped packets and refused connections
+ For connections through the bastion host, the connection time, the protocol used and the user information should be recorded
+ System error messages
Signs: there are many signs to watch for. For instance, when a connection succeeds the necessary actions, such as updating the log files, must be taken; is there any sign of an attack? The suspicious signs of an attack include:
+ Repeated access with a valid account but a wrong password
+ Unusual packets or commands that we cannot explain
+ Packets sent as multicast or broadcast
+ Successful accesses from unexpected sites

4.3 Always keeping the Firewall up to date


The last important point in the maintenance strategy is to keep the Firewall updated at all times, because every day and every hour a great many attacks take place, and among them there are always attacks using new forms and methods. A further reason is to keep the system always ready at its best capability. When updating the Firewall system, note the following:
+ Do not be hasty or rushed in applying updates
+ Do not fix bugs that we have not encountered
+ Be careful with the patches that vendors release
Do not apply patches that are not needed, but be careful with the patches that we do apply, because patches may depend on one another.

Chapter 3: THE LINUX OPERATING SYSTEM

Overview of the Linux operating system
Networking in Linux
IPtables

This chapter gives an overview of the Linux operating system and of networking in the Linux environment. It then looks at IPTables, a tool for setting up a Firewall system on Linux.

I. Overview of the Linux operating system


1.1 Linux in brief
Linux is a time-sharing operating system with support for interactive processing, descended from the Unix operating system. It is used on everything from PCs to mainframes. It is open source, so the market has many Linux products (notably the GNU project and Linux with a graphical interface, such as Red Hat (Fedora) and SuSE). The system is written in a high-level language, so it is easy to read, understand and modify to install on many new kinds of hardware. It supports multiple users and multiple processes: each user can run several programs, and each program can have several processes. It hides the machine structure from the user, so programs can be written that run on different hardware.

[Figure: layers of a Linux system: users and user interface; utility programs (shell, editor, ...); standard library (open, close, read, write, ...); system call interface; Linux operating system (kernel mode); hardware (CPU, memory, disks, ...)]

1.2 The Linux environment


The main components of the Linux operating system are:
o Windows & Graphic User Interface
o Shell
o Commands and utilities
o Device drivers
o Kernel

1.2.1 Kernel: the main component of the operating system. Its main tasks are:
o Resource management: memory management, etc.
o Management of file systems and directories, which may be local or remote
o Management of resident daemons
o Virtual memory management: to run many processes at once with limited memory, Linux has to organise an area on disk as a memory area (virtual memory). The kernel must swap data between memory and virtual memory.
o Process management: as we know, Linux is a multitasking operating system, so managing concurrent processes is very complex. It must manage the creation and termination of processes as well as the conflicts that may arise.
o Management of device drivers.
o Network management: covering many different hardware devices and protocols.
o Management of system startup and shutdown.

1.2.2 Device drivers: Linux represents physical devices as special files. A special file has an entry in a directory and a file name. Linux therefore lets the user define device names. Devices are of two kinds, character and block:
- Character devices read and write as characters (e.g. terminal devices)
- Block devices read and write data in blocks of fixed size (e.g. disks)
Devices can be renamed like files. The directory holding the device drivers is /dev.

1.2.3 Commands and utilities: Linux commands and utilities are very diverse. A Linux command has the form:
$ command-name [options] [arguments]

1.2.4 Shell: the shell is the user's command processor; it lets the user build very complex commands out of simple ones. We can regard the shell as a high-level programming language. The main functions of the Linux shell are:
o I/O control and redirection
o Environment variables
o Command execution
o Built-in command library
o Filename expansion
o Programming language and environment
Three kinds of shell are in use today, each with its own syntax:
Bourne shell: the most basic shell, fast and efficient but with few commands
C shell: like the Bourne shell but adds control structures, history and aliases
Korn shell: combines the Bourne shell and the C shell

1.2.5 Windows and Graphical User Interface: the graphical, windowed interface is a very powerful capability of Linux; it lets the operating system interact with the user in a friendlier way. Linux currently installs X-WINDOW (X11), an ideal graphical environment. On Sun systems it is used under the name OpenWin.

1.3 Shell script programming

1.3.1 What is the shell: the role of the shell is to convert the commands the user types into operating system commands. For example:
$ sort -n phonelist > phonelist.inorder
sorts the lines of the file phonelist in numerical order and puts the result in the file phonelist.inorder. When we type a command line the shell transforms it as illustrated below:

Figure 3-1: Functional model of the shell

1.3.2 Kinds of shell: because Linux is entirely free and open source, there are also many different shells. The main shells running on Linux today are: Bourne Again shell (BASH), Bourne shell (SH), C shell (CSH), Korn shell (KSH), TCSH (an improved C shell) and ZSH (Z shell). To find out which shell you are using, run:
$ echo $SHELL

1.3.3 Writing and running shell programs: at its simplest, a shell program is a file containing shell or Linux commands. For example, to mount a Windows FAT32 partition we write a shell program such as:
$ mkdir /mnt/windows
$ mount -t vfat /dev/hda3 /mnt/windows
Save it to a text file, for example seewwinflinux.txt. To run seewwinflinux.txt we have several options:
$ chmod +x seewwinflinux
and then simply call seewwinflinux.txt from the command line; or pass it as an argument to a shell, for example with tcsh:
$ tcsh seewwinflinux
or use the dot command (.):
$ . seewwinflinux

1.3.4 Basic command structures of the shell:
Conditional commands
+ The if command
+ The case command
Loop commands
+ The for command
+ The while command
+ The until command
+ The repeat command
The shift command: shift moves the command-line parameters (the parameters typed when the command is invoked are stored in variables named 1, 2, ...) by one position, or by a specified number of positions. The syntax is:
Shift by one position: shift
Shift by a given number of positions: shift number
Some operators used in the test command or in conditional expressions:
+ String operators
+ File and directory operators
+ Logical operators
+ Integer operators
Using subroutines or functions in shell scripts: the shell lets us define our own functions, which are treated like functions in C and other programming languages. Functions make a program clearer and better structured, and avoid writing duplicated code. The syntax of a shell function is:
function-name () {
    command1
    command2
    .....
    commandN
    return
}

Once the functions have been created they are called as follows: fname [arg1 arg2 arg3 ...]. Parameters passed to a function are positional parameters, just like the command-line parameters of any other shell program. Note that after restarting the computer our functions are lost, because functions exist only for one session. To overcome this we must save the functions in a file in the following directory: (note that you must be logged in as root)

II. Networking in Linux


2.1 Introduction
This section gives an overview of networking in Linux, covering devices, drivers and network interfaces, and the network connections available in Linux.

2.2 Devices, drivers and network interfaces


First, the notion of a hardware device, for example an Ethernet card. It is a set of electronic components and controller chips plugged into the computer through an expansion slot. To access the hardware device, the kernel must have special functions installed, called drivers. For instance, devices of the Ethernet family have the Becker drivers. Communication between the driver and the device goes through an I/O memory area. This area is usually mapped onto the I/O registers, and all commands and data exchanged between them pass through those registers. The kernel accesses the device drivers through interfaces. Interfaces provide the same I/O functions for every kind of hardware device, for example receiving or sending a packet. Interfaces are identified by names, which are defined inside the kernel. Ethernet interfaces are named eth0, eth1, ... Only SLIP interfaces are named dynamically: each time a SLIP connection is established, a corresponding interface is assigned to the serial port.
[Figure 3-2: Interfaces, drivers and devices. Layers shown: kernel networking code; network interfaces eth0, eth1, eth2, eth3; drivers (SMC driver, 3Com driver); devices (networking hardware)]

Some interfaces in Linux:
+ lo: the loopback interface, used for testing. The kernel always has a driver for this interface.
+ ethn: the interface for the (n + 1)-th Ethernet card. This is the generic name for all Ethernet cards.
+ dln: the interface for the D-Link DE-600 adapter, another kind of Ethernet device, driven through the parallel port instead of the computer's ISA or PCI slots.
+ sln: the SLIP interface, tied to a serial port. Linux supports 4 SLIP interfaces.
+ pppn: the PPP interface; like a SLIP interface, a PPP interface is tied to a serial port once the port is switched into PPP mode.
+ plipn: the PLIP interface, which transmits IP packets over the parallel port. The Linux kernel supports 3 PLIP interfaces.

2.3 Configuring TCP/IP networking


In this section we configure Linux computer networks that use the TCP/IP protocol. The topics include assigning IP addresses and configuring connections over serial lines. For convenience, and so that it only has to be done once, the configuration commands are put into a script file placed in the /etc/rc directory. The configuration files involved are the proc file system, the hosts and networks files, and the configuration files for the SLIP, PPP and PLIP protocols. To configure networking for a Linux network we must do the following:
+ Configure the interfaces for IP: the loopback interface, the Ethernet interface, routing through a gateway, gateway configuration, the PLIP interface and the dummy interface. This is done with the ifconfig and route commands.
+ The ifconfig command: this command is used constantly when configuring the network. Its syntax is:
ifconfig interface [[-net | -host] address [parameters]]
where interface is the interface and address is the IP address, written in dotted decimal notation or as a name given in the hosts and networks files. With no parameters it prints information about all network interfaces.
+ The route command: used when we want to configure a network that can reach networks outside the LAN, such as another LAN or the Internet. Its syntax is:
route [[-net | default | -n] gw] address
+ Checking the network with the netstat command: depending on the parameters given, this command shows different information about the network configuration in effect. For example, with -rn it prints the routing table the system uses, with IP addresses in dotted decimal notation. With -i it shows information about the interfaces in use, and with -a all interfaces known to the kernel are shown. With -t, -u, -w and -x it shows the active TCP, UDP, RAW and UNIX sockets. Adding -a shows all sockets waiting for connection requests, i.e. all servers running on the system.

2.4 Packet transmission


This section looks at how an IP packet that has to pass through a Linux box is processed. At layer 3 the packet is handled by the ip_rcv function. There we find the first Netfilter hook.
Netfilter is the packet filtering, packet mangling and NAT framework of the Linux 2.4 kernel family. Netfilter is a generalised framework of hooks in the network stack. Any kernel module can register on at least one of these hooks and will then receive every packet that passes through them. Netfilter hooks currently operate in IPv4, IPv6 and DECnet. There are five hooks in the Linux kernel, as illustrated in the following figure.

Figure 3-3: Netfilter hook diagram

Basically, these hooks can decide either to drop a packet or to pass it on. Assuming the packet survives the first hook, it is then routed. Routing means looking up the FIB (Forwarding Information Table) structure to find a routing entry matching the packet's destination IP address. The next step is route matching, which determines the route on which we will send the packet. Because looking up the FIB structure is fairly expensive, a routing cache is used to hold the routes currently in use. The cache is looked up with a hash function that combines the source and destination addresses, so two packets with the same values in these fields are routed identically in the next step, and multipath routing is impossible without changes to the cache mechanism. After this step the packet is ready to be forwarded. During the routing phase the skb->dst field is set. Next, the input method corresponding to the destination is called. In this phase the TTL field of the IP header is decremented and the MTU (maximum transmission unit) of the outgoing network interface is checked: if the MTU is smaller than the packet size, the packet is fragmented; otherwise it can be sent directly on that interface. ICMP messages are also generated in this phase. If the information needed to send the packet to the next hop is not known, an ARP packet is sent to find the hardware address of the next network interface. Once this information is available, the MAC field is rewritten and the packet is ready to be sent to the next hop. The Packet Capture library (libpcap) provides a high-level interface for listening to and capturing packets. Every packet on the network, including broadcast packets, can be accessed through this mechanism.
Libipq is a library developed to support queueing packets into user space for iptables. Linux Netfilter provides a mechanism to pass packets out of the stack into a queue in user space, then receive them back into the kernel and decide what to do with each packet (accept or drop). These packets can be modified in user space before being handed back to the kernel.

III. IPTables

3.1 Introduction to iptables

To use the Firewall built into Linux, we must make sure the operating system has the iptables package installed. IPtables is the most widely used Linux firewall; most Linux distributions install it by default. IPtables is a command that tells the kernel how to handle network traffic: for example, you can use iptables to drop IP packets, forward them, or perform address translation (NAT). The necessary concepts and the Linux components involved are:

Tables: also called the filter table. This is where the set of rules is stored, and where we define most of the rules applied to incoming and outgoing traffic. If we do not name a specific table, the default table is used. The NAT table holds the rules for NAT. The MANGLE table is for advanced routing.

Chains: the core of the Linux firewall. Linux uses chains as sets of rules that it applies when filtering network traffic. There are 3 main chains, each of which is part of the filter table.
Input chain: applies to all traffic destined for the firewall itself. For example, if we want the administrator to control the firewall remotely, we configure a rule in the input chain allowing the traffic on the port the administrator's tool uses.
Output chain: applies to all traffic leaving the firewall. For example, if the firewall needs to contact a DNS server for name lookups, we must configure the output chain to allow this traffic.
Forward chain: applies to all traffic the Linux firewall handles on behalf of other machines. For example, if our firewall passes traffic from client machines out to the Internet, we must configure the forward chain to allow it.

SNAT, DNAT and Masquerading: these are different kinds of NAT. SNAT changes the source address of a packet before sending it, usually to hide the client's IP address when it connects outside. DNAT changes the destination address of a packet, usually to make a proxy server transparent to the client. Masquerading also hides the internal clients from the outside world and is used when our external IP address changes on every connection, for example a dial-up connection to the Internet.

Ng Vn Chn HTTT&TT KSCLC K45

54

n tt nghip

Tm hiu l thuyt v xy dng Firewall trn nn Linux

3.2. The path of a packet through the kernel


We consider the path of a packet in the following cases:

Table 1: destination is the local host

Step | Table | Chain | Comment
1 | | | On the wire (e.g. the Internet)
2 | | | Arrives at the network interface (e.g. eth0, eth1)
3 | Mangle | PREROUTING | Used to mangle packets, e.g. change the type of service (TOS)
4 | Nat | PREROUTING | Used for DNAT; packet filtering should not be done in this chain
5 | | | Routing decision
6 | Mangle | INPUT | Mangle packets before they are handed to the processes that handle them
7 | Filter | INPUT | All incoming traffic is filtered here
8 | | | The process or application handles the packet

Table 2: source is the local host

Step | Table | Chain | Comment
1 | | | Local process/application (e.g. a server/client program)
2 | | | Routing decision: which source address and which network interface to use
3 | Mangle | OUTPUT | Mangle packets
4 | Nat | OUTPUT | NAT for packets going out to the external network
5 | Filter | OUTPUT | Filter all outgoing traffic
6 | Mangle | POSTROUTING | Used when we want to mangle packets before they leave the host
7 | Nat | POSTROUTING | Source address translation (SNAT)
8 | | | Leaves through the network interface (eth0)
9 | | | On the wire (e.g. the Internet)

Table 3: forwarded packets

Step | Table | Chain | Comment
1 | | | On the wire (e.g. the Internet)
2 | | | Arrives at the network interface (e.g. eth0)
3 | Mangle | PREROUTING | Used to mangle packets, e.g. change the TOS
4 | Nat | PREROUTING | Used mainly for DNAT
5 | | | Routing decision: is the packet destined for localhost or to be forwarded?
6 | Mangle | FORWARD | Used for special needs: mangle packets after the initial routing decision but before the final routing decision that sends the packet out
7 | Filter | FORWARD | Only forwarded packets enter this chain; here we apply the filter rules to them
8 | Mangle | POSTROUTING | Used for special needs after all routing decisions, while the packet is still on the machine
9 | Nat | POSTROUTING | Used for SNAT
10 | | | Leaves through the network interface (e.g. eth1)
11 | | | On the wire (e.g. the LAN)

This can be illustrated by the following diagram:

Figure 3-4: The path of a packet through the Linux kernel

3.3. Using iptables commands


Linux includes a number of different iptables commands. All of them start with iptables followed by a number of command-line options. The best way to start using iptables commands is to look at the basic syntax for configuring a simple firewall. To tell Linux to add or remove a rule, the syntax is:
iptables [-t table] CMD [chain] [filter_match] [target]
The optional parameters are in square brackets: table is the table to act on, chain is the chain to act on, filter_match is the kind of traffic to match, and target is the action to take on the packet. For example, the following command adds a rule to the input chain of the filter table that drops all ICMP packets:
iptables -t filter -A INPUT -p icmp -j DROP
The following table describes the common iptables commands:

Table 4

Command | Name | Description
-A | Append | Add a rule at the end of a chain
-I | Insert | Insert a rule at the start of a chain
-D <chain> <rule number> | Delete rule | Delete a rule
-L <chain> | List | List all the rules in a chain. If no chain is given, the rules of all chains are listed
-N <chain> | New | Create a user-defined chain. We can create a new chain with its own rules that process packets before they return to normal processing
-X <chain> | Delete chain | Delete a user-defined chain
-F [<chain>] | Flush | Delete all the rules in a chain. If no chain is given, all rules in all chains are deleted
-h | Help | Print all iptables commands as help

The iptables targets are the actions Linux takes on a packet. The following table describes the common targets:

Table 5

Target | Description
DROP | When a rule sends a packet to the DROP target, it is discarded without any notification
REJECT | The packet is also discarded, but Linux sends an ICMP packet back to the source
ACCEPT | Lets the packet through the firewall, whether it is leaving or entering the network
LOG | The packets are logged; usually used in user-defined chains
SNAT | Only used with the PREROUTING chain of the NAT table. It changes the source address to an address we define. Used for packets entering the network behind the firewall
DNAT | Only used with the PREROUTING chain of the NAT table. It changes the destination address to an address we define. Usually used for packets entering the network
MASQUERADE | Performs NAT on packets when the firewall has a dynamic IP address, as when we connect to the Internet by dial-up. This target is only used in the POSTROUTING chain of the NAT table
user chain | Replace "user chain" with the name of the user-defined chain

Iptables options and conditions: options are the last part of an iptables command that we must specify when building rules for the firewall. Options determine how the command is processed. Usually the options are conditions that are checked before a command is executed; Linux evaluates these conditional expressions to decide whether the command is executed or skipped. The following table lists the common conditional expressions.

Table 6

Option | Description
-p protocol | Specifies the protocol the rule applies to. The protocol parameter can be tcp, udp or icmp. We can also use a protocol name if it is listed in /etc/protocols, or the protocol number. For all protocols use the number 0 or the word all. To name several protocols, separate them with commas.
-s source_address[/mask] | Specifies the source address of the packet. For example, 192.168.1.1 matches packets with the address 192.168.1.1, while 192.168.1.0/24 matches the range of IP addresses from 192.168.1.0 to 192.168.1.255.
-d destination_address[/mask] | Specifies the destination address of the packet, in the same way as the source address.
-i interface | Specifies the network interface on which the packets arrive. For example, to match all packets arriving on the interface eth0: -i eth0.
--destination-port port | Like --source-port, for the destination port.
--source-port port | Specifies the source port of a TCP or UDP packet, since only these protocols use ports. It is only used together with -p udp or -p tcp. For example, -p udp --source-port 53 matches all UDP packets with source port 53; -p tcp --source-port 0:1023 matches all packets with a source port from 0 to 1023. If a service is listed in /etc/services, we can use the service name instead of the port number.
-o interface | Like the -i option, but matches packets going out through the given network interface.
--syn | For example, -p tcp --syn checks whether a packet is part of a new TCP connection.
--icmp-type type | For example, -p icmp --icmp-type source-quench or -p icmp --icmp-type 0; covers all ICMP packet types.
! | Not a condition on its own; applied to any other condition it negates it. For example -p 47 versus -p ! 47.
-j target | Also not a selection expression. It states that a matching packet is sent to a given target; for example -j DROP means the packet is dropped.

3.4. Using Masquerading and NAT


Linux provides two versions of NAT. Masquerading is designed for dynamic IP addresses. With a static IP address we use the combination of SNAT and DNAT.

Enabling Masquerading: this applies to all traffic leaving our network, meaning that the firewall changes the source address of the packets. To enable Masquerading, run the following iptables command:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Using SNAT: this is like Masquerading, except that the network interface carrying traffic out (the external interface) must have a static IP address. To enable SNAT, run the following iptables command:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source xxx.xxx.xxx.xxx

Using DNAT:
iptables -t nat -A PREROUTING -i eth0 -p tcp \
    --sport 1024:65535 -d xxx.xxx.xxx.xxx --dport 80 \
    -j DNAT --to-destination 192.168.1.80
iptables -A FORWARD -i eth0 -o eth1 -p tcp \
    --sport 1024:65535 -d 192.168.1.80 --dport 80 -m state --state N
(the second command is cut off here in the original)
Ng Vn Chn HTTT&TT KSCLC K45 59
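The rules above combine the options of Table 6 with the two NAT targets. The following POSIX shell script is an added example, not code from the thesis or from SmoothWall: it wraps the three cases in functions so that the choice between MASQUERADE and SNAT follows from whether a static external address is known, and it validates the port range and the forwarded ports before they reach iptables (the page's own DNAT example had an out-of-range upper bound). The interface names and the addresses 203.0.113.10 and 192.168.1.80 are constructed values; IPTABLES defaults to echo, so the script prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thesis or from SmoothWall): build the NAT rules
# for a gateway with one helper per NAT type. IPTABLES defaults to "echo", so
# the script prints the commands it would run; set IPTABLES=/sbin/iptables
# (as root) to apply them. Interface names and addresses are constructed.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"

# valid_port N: true when N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_port_range LO:HI: both ends are valid ports and LO <= HI
# (catches typos such as 1024:65635, which iptables rejects)
valid_port_range() {
    lo="${1%%:*}"
    hi="${1##*:}"
    valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ]
}

# source_nat EXT_IF [STATIC_IP]
# MASQUERADE re-reads the interface address for every new connection, which
# is what a dial-up or DHCP link needs; SNAT hard-codes the address and is
# the right choice when the external interface has a static address.
source_nat() {
    if [ -n "$2" ]; then
        $IPTABLES -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$2"
    else
        $IPTABLES -t nat -A POSTROUTING -o "$1" -j MASQUERADE
    fi
}

# port_forward EXT_IF INT_IF EXT_IP EXT_PORT INT_IP INT_PORT PROTO
# DNAT in PREROUTING rewrites the destination before routing; the FORWARD
# rule is needed because the FORWARD policy is DROP, and it admits only NEW
# connections to the forwarded port (return traffic is covered by the
# ESTABLISHED,RELATED rules of the main rule set).
port_forward() {
    ext_if=$1; int_if=$2; ext_ip=$3; ext_port=$4
    int_ip=$5;  int_port=$6; proto=$7
    if ! valid_port "$ext_port" || ! valid_port "$int_port"; then
        echo "port_forward: invalid port ($ext_port -> $int_port)" >&2
        return 1
    fi
    $IPTABLES -t nat -A PREROUTING -i "$ext_if" -p "$proto" \
        --sport 1024:65535 -d "$ext_ip" --dport "$ext_port" \
        -j DNAT --to-destination "$int_ip:$int_port"
    $IPTABLES -A FORWARD -i "$ext_if" -o "$int_if" -p "$proto" \
        -d "$int_ip" --dport "$int_port" -m state --state NEW -j ACCEPT
}

# Usage (dry run): a dial-up link gets MASQUERADE, a static one gets SNAT,
# and port 80 on the constructed public address 203.0.113.10 is forwarded
# to the internal web server 192.168.1.80.
if [ "${BKWALL_NAT_DEMO:-0}" = 1 ]; then
    source_nat ppp0
    source_nat eth0 203.0.113.10
    port_forward eth0 eth1 203.0.113.10 80 192.168.1.80 80 tcp
fi
```

Run with BKWALL_NAT_DEMO=1 to see the generated commands; the FORWARD rule is the part most often forgotten, because with a DROP policy the DNAT rule alone rewrites the packet and then lets the filter table discard it.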


Chapter 4: BUILDING THE BKWALL SYSTEM

Overview of the BKWall system
Model and functional specification of the BKWall system
Analysis and design of the BKWall system
Integration, installation, testing and evaluation of the BKWall system


I. Overview of the BKWall system

1.1 Objectives of the BKWall system
The objective of this project is to develop a firewall system for small and medium-sized enterprise networks. On that basis, BKWall (Bach Khoa Firewall System) is built on the open-source software SmoothWall and the Linux operating system. Since the time available for the project was limited, the concrete objectives set when building BKWall are:
+ Set up a firewall for small and medium-sized computer networks.
+ Integrate the packet filtering, proxy server and service components from open-source software into one complete, unified system.
+ Build a centralised control and monitoring module for the whole system.
+ Deploy the system on dedicated machines (application servers).

1.2 The chosen technical solution

After studying packet filtering and web proxy techniques as well as the commercial and open-source solutions, the technical solution chosen for building BKWall consists of the following points.

Build on the Linux operating system. In its role as a firewall gateway, the BKWall system has to be placed at a suitable position in the network. For small and medium-sized networks, the most suitable place to install a system like BKWall is on a gateway. Although gateways for small and medium-sized networks in Vietnam currently tend to run Windows NT family operating systems, the future trend is a move to open-source products, and Linux is a very good choice. BKWall chooses Linux for the following reasons:
+ Open source and entirely free.
+ Complete and powerful networking support.
+ Easy to customise for installation on dedicated machines.
+ In particular the packet filtering capability of the kernel, using Iptables as the tool for building the rules of the packet filtering module.

Use Squid to implement the Web Proxy component:
+ Squid is a caching proxy that runs on the Linux operating system.
+ It is efficient and fully open source, and can be extended with additional components such as filtering by URIs, banners, ...

Use iptables as the tool for implementing the packet filtering component of BKWall. Iptables is the default firewall software of most Linux distributions. Iptables is relatively simple, but its strength has been proven by the many commercial products built on it, such as Astaro, SmoothWall, ... When building BKWall, Iptables was the first choice for the packet filtering component because:
+ It is open source and available with most popular Linux distributions.
+ It is efficient and able to control all traffic passing through the gateway.

+ It offers a programming interface through the libipq library, which can be combined with the inline mode of Snort.

Control interface over the Web. The BKWall system is built on a Linux server. Accessing this server directly to configure or control it usually goes through telnet or ssh channels and a command-line interface, which is very inconvenient. Therefore the BKWall control system is built as a web interface with the following characteristics:
+ It uses the Apache web server, which is bundled with most Linux distributions.
+ It uses the https protocol.
+ SSL authentication with digital certificates.

Perl CGI. The Perl language and CGI technology are used to build the control and monitoring part of BKWall for the following reasons:
+ Perl is a powerful text-processing language, well suited to manipulating the configuration files and the Snort rule files.
+ Perl interacts strongly with the Linux system, which is necessary for controlling a system integrated from many components such as BKWall.
+ Building web applications in Perl requires CGI technology. Although CGI is no longer a recommended technology and contains many security weaknesses, in the case of BKWall the CGI application is only reachable from inside the LAN and over an SSL channel, so it can be trusted.

1.3 Development process

This project was carried out as a technology study, with the results realised as far as conditions allowed. The BKWALL system is the product embodying what was learned during the project. At the same time, developing BKWALL according to a standard software development model was essential. The model chosen for the development of BKWALL is the waterfall model, which suits the limited time available as well as the characteristics of the BKWALL system. On that basis, the BKWALL system was carried out in the following phases:
+ Survey phase: study the state of information security in Vietnam and the need for a firewall system for small and medium-sized networks. The survey was carried out at the system software and security solutions department of the Misoft company during the graduation internship.
+ Analysis phase: examine the requirements gathered in the survey phase, then study and analyse the suitable open-source software components and determine the work needed to build the BKWALL system.
+ Design phase: build the overall model and the detailed design of the modules. This includes modelling and rearranging the open-source components as well as designing the components that have to be newly built.

+ Module construction and unit testing phase: build the new modules and adjust the existing ones, then test those modules.
+ Integration and system testing phase: integrate the newly built modules with the open-source modules, then run integration tests on the whole system.
+ Deployment and maintenance phase: BKWALL was deployed experimentally and maintained on the internal network of the system software and security solutions department of the Misoft company.

1.4 Development tools

BKWall integrates a number of open-source components. These components are all written in the C language, the language in which the Linux operating system itself is built. The tools used to modify, compile, configure and install these components are gcc and make.

1.5 Expected results
From the objectives set and the technical solution chosen, the BKWall system is expected to achieve the following concrete results:
+ Successful integration of the chosen components.
+ Good operation when tested on small and medium-sized networks.
+ All the basic and necessary functions of a firewall gateway.
+ Ease of configuration and reliability.

II. Model and functional specification of the BKWall system

2.1 Model
BKWall consists of the following components:
+ Packet Filtering: the component performing the packet filtering function.
+ Web Proxy: the component performing the function of a caching proxy.
+ BKWall Management Console: the control and monitoring system.
+ Config files: the configuration files of BKWall.
+ Log files: the log files of BKWall.
+ Rule files: the rule files of Packet Filtering.
The overall model of the BKWall system with its components is as follows:


Figure 4-1: Overall model of the BKWall system

2.2 Functional specification

Functional specification of the BKWall system. Below is the use case diagram describing the functions of the system:

Figure 4-2: Functional specification of the BKWall system

Details of the use cases:
UC1: Start and stop BKWall. The system administrator starts, stops or restarts BKWall.
UC2: Configure BKWall. The system administrator sets and changes the runtime configuration parameters of BKWall.
UC3: Manage the network configuration. Manage the system's network connections, such as setting the addresses of the network interfaces.
UC4: Manage the rules. The administrator can view, add, edit and delete the rules governing the operation of the Packet Filtering and Web Proxy modules.
UC5: Monitor network traffic. Display the state of traffic through the network with charts.


2.3 BKWall deployment model

Figure 4-3: BKWall deployment model

III. Analysis and design of the BKWall system

3.1 Functional decomposition diagram
Functional decomposition diagram of the BKWall Management Console

Figure 4-4: Functional decomposition diagram


3.2 Data flow diagrams

3.2.1 Context-level diagram

Figure 4-5: Context-level data flow diagram

3.2.2 Top-level diagram

Control function

This function lets the administrator control the stopping and starting of the BKWall system.

Figure 4-6: Diagram of the control function

Configuration management function

This function allows changing and monitoring the configuration parameters set for the BKWall system.


Figure 4-7: Diagram of the configuration management function

Rule management function for Packet Filtering

This function sets the rules for the packet filtering module, covering items such as IP packet filtering, port blocking, service ports and the extended functions, ... Setting rules can mean adding, editing or deleting them.

Figure 4-8: Diagram of the packet filtering rule management function

Rule management function for Web Proxy

This function sets the rules for the Web Proxy module, covering items such as host_name, http_port, cache size, ...

Figure 4-9: Diagram of the Web Proxy rule management function



Activity monitoring function

This function displays information about the operation of the BKWall system as well as all the network traffic passing through it.

Figure 4-10: Diagram of the activity monitoring function

3.3 Module design

After the analysis, which produced the functional decomposition diagram and the data flow diagrams, the next task is to design the modules that realise them. The BKWall Management Console is divided into 5 modules:
+ Main program module
+ Request forwarding module
+ Configuration management module
+ Rule management module for Packet Filtering and Web Proxy
+ System information monitoring module
The detailed design of the modules is as follows:

3.3.1 Main program module
The main program module is responsible for initialising and terminating the operation of the system as well as the working sessions. It is also responsible for building the web interface of the whole system that serves the administrator's management of the system. Its block diagram is as follows:


Figure 4-11: Block diagram of the main program module

System initialisation is performed when the BKWall system boots. The system then carries out the necessary initialisation: bringing up the dial-up network connection if it is configured to connect automatically on every reboot, starting the web server, the web proxy (squid) and httpd, and most importantly initialising the packet filtering component. This initialisation is performed by script files placed in the /etc/rc.d directory. They include the scripts that set up the network configuration and the network connections, create the chains and load the firewall rules: rc.sysinit, rc.network, rc.netaddress.up, rc.netaddress.down, rc.firewall.up, rc.firewall.down, rc.adsl, rc.isdn, rc.updatered, rc.machineregister. The order in which these scripts run at boot can be described by the following diagram:

(Diagram: boot sequence of the startup scripts) Boot; rc.sysinit; rc.network; rc.netaddress.up; rc.netaddress.down; rc.adsl; rc.firewall.up; rc.isdn; rc.machineregister; rc.firewall.down; rc.updatered

Of these, the most important files are the ones that initialise a firewall based on the IPtables tool: rc.firewall.up and rc.firewall.down. We can look here at some basic settings made for the BKWall system at initialisation.

+ First the system deletes all rules and all chains, and sets the policies for packets in the INPUT, FORWARD and OUTPUT chains:

# Delete all rules and user-defined chains
/sbin/iptables -F
/sbin/iptables -X
# Set the default policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

+ Then it creates the new chains used to implement the functions of the whole system: IP blocking, port filtering, service ports, remote administration, the extended functions of the Packet Filtering component (blocking Ping packets, denial-of-service attacks and IGMP (Internet Group Management Protocol) packets), the chains for the Web Proxy, and the services such as dial-up connections, port forwarding, DMZ holes, ... Packets entering the system through the INPUT, FORWARD and OUTPUT chains are then directed to the corresponding chains.

# IP blocker
/sbin/iptables -N ipblock
/sbin/iptables -A INPUT -i ppp0 -j ipblock
/sbin/iptables -A INPUT -i ippp0 -j ipblock
if [ "$RED_DEV" != "" ]; then
    /sbin/iptables -A INPUT -i $RED_DEV -j ipblock
fi
/sbin/iptables -A FORWARD -i ppp0 -j ipblock
/sbin/iptables -A FORWARD -i ippp0 -j ipblock
if [ "$RED_DEV" != "" ]; then
    /sbin/iptables -A FORWARD -i $RED_DEV -j ipblock
fi
/sbin/iptables -A FORWARD -i $GREEN_DEV -j ipblock
# Port filter
/sbin/iptables -N portfilter
/sbin/iptables -A INPUT -i ppp0 -j portfilter
/sbin/iptables -A INPUT -i ippp0 -j portfilter
if [ "$RED_DEV" != "" ]; then
    /sbin/iptables -A INPUT -i $RED_DEV -j portfilter
fi
/sbin/iptables -A FORWARD -i ppp0 -j portfilter
/sbin/iptables -A FORWARD -i ippp0 -j portfilter
if [ "$RED_DEV" != "" ]; then
    /sbin/iptables -A FORWARD -i $RED_DEV -j portfilter
fi
/sbin/iptables -A FORWARD -i $GREEN_DEV -j portfilter
# The block chain collects the rules for traffic arriving from outside;
# it must exist before rules are appended to it below.
/sbin/iptables -N block
# External access. Rule set with setxtaccess setuid
/sbin/iptables -N xtaccess
/sbin/iptables -A block -j xtaccess
# Port forwarding
/sbin/iptables -N portfwf
/sbin/iptables -A FORWARD -j portfwf
/sbin/iptables -N dmzholes
/sbin/iptables -t nat -N portfw
/sbin/iptables -t nat -A PREROUTING -j portfw

# All ICMP on ppp too.
/sbin/iptables -A block -p icmp -i ppp0 -j ACCEPT
/sbin/iptables -A block -p icmp -i ippp0 -j ACCEPT
if [ "$RED_DEV" != "" ]; then
    /sbin/iptables -A block -p icmp -i $RED_DEV -d $RED_NETADDRESS/$RED_NETMASK -j ACCEPT
fi
/sbin/iptables -A INPUT -j block

# Allow GREEN to talk to ORANGE.
if [ "$ORANGE_DEV" != "" ]; then
    /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $GREEN_DEV -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A FORWARD -i $GREEN_DEV -o $ORANGE_DEV -m state \
        --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # dmz pinhole chain. setdmzholes setuid prog adds rules here to allow
    # ORANGE to talk to GREEN.
    /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $GREEN_DEV -j dmzholes
fi
# For IGMP and multicast
/sbin/iptables -N advnet
/sbin/iptables -A INPUT -i ppp0 -j advnet
/sbin/iptables -A INPUT -i ippp0 -j advnet
if [ "$RED_DEV" != "" ]; then
    /sbin/iptables -A INPUT -i $RED_DEV -j advnet
fi
# Spoof protection for RED (rp_filter does not work with FreeS/WAN):
# drop packets arriving from outside that claim an internal source address
/sbin/iptables -N spoof
/sbin/iptables -A spoof -s $GREEN_NETADDRESS/$GREEN_NETMASK -j DROP
if [ "$ORANGE_DEV" != "" ]; then
    /sbin/iptables -A spoof -s $ORANGE_NETADDRESS/$ORANGE_NETMASK -j DROP
fi
/sbin/iptables -A INPUT -i ppp0 -j spoof
/sbin/iptables -A INPUT -i ippp0 -j spoof
if [ "$RED_DEV" != "" ]; then
    /sbin/iptables -A INPUT -i $RED_DEV -j spoof
fi
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT
# DHCP
if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then
    /sbin/iptables -A block -p tcp --source-port 67 --destination-port 68 \
        -i $RED_DEV -j ACCEPT
    /sbin/iptables -A block -p tcp --source-port 68 --destination-port 67 \
        -i $RED_DEV -j ACCEPT
    /sbin/iptables -A block -p udp --source-port 67 --destination-port 68 \
        -i $RED_DEV -j ACCEPT
    /sbin/iptables -A block -p udp --source-port 68 --destination-port 67 \
        -i $RED_DEV -j ACCEPT
fi
# last rule in INPUT chain is for logging. It is appended after every
# other INPUT rule: anything appended after the REJECT could never match.
/sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT
# NAT table
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
# squid: redirect GREEN web traffic to the proxy, except traffic to
# private and link-local destinations, which RETURN to PREROUTING
/sbin/iptables -t nat -N squid
/sbin/iptables -t nat -N jmpsquid
/sbin/iptables -t nat -A jmpsquid -d 10.0.0.0/8 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 172.16.0.0/12 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 192.168.0.0/16 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 169.254.0.0/16 -j RETURN
/sbin/iptables -t nat -A jmpsquid -j squid
/sbin/iptables -t nat -A PREROUTING -i $GREEN_DEV -j jmpsquid

# Masquerade
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE
if [ "$RED_DEV" != "" ]; then
    /sbin/iptables -t nat -A POSTROUTING -o $RED_DEV -j MASQUERADE
fi
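iptables evaluates a chain from the top and stops at the first rule whose target terminates (ACCEPT, DROP, REJECT), so the comment "last rule in INPUT chain is for logging" in rc.firewall.up only holds if nothing is appended to INPUT after the REJECT; any later -A INPUT rule is dead and silently never enforced. The following checker is an added example, not part of BKWall or SmoothWall: it scans a generated script and reports such unreachable INPUT rules. The two sample scripts it is run over are constructed, one in the broken order and one corrected.

```shell
#!/bin/sh
# Added example, not part of BKWall or SmoothWall: a static check over a
# generated iptables script for filter-table INPUT rules that can never be
# reached because an unconditional terminating rule precedes them.

# unreachable_input_rules FILE
# Prints the '-A INPUT' lines of FILE that follow an unconditional
# terminating INPUT rule; prints nothing when the chain order is sane.
unreachable_input_rules() {
    terminated=0
    while IFS= read -r line; do
        case "$line" in
            *"iptables -A INPUT "*) ;;   # only filter-table INPUT rules
            *) continue ;;
        esac
        if [ "$terminated" -eq 1 ]; then
            printf 'unreachable: %s\n' "$line"
        fi
        case "$line" in
            # a terminating target with no match options ends the chain
            *"-A INPUT -j DROP"*|*"-A INPUT -j REJECT"*|*"-A INPUT -j ACCEPT"*)
                terminated=1 ;;
        esac
    done < "$1"
}

# count_unreachable FILE: number of dead INPUT rules, as a plain integer
count_unreachable() {
    unreachable_input_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample in the wrong order: LOG and REJECT are appended to
# INPUT before the spoof, loopback and GREEN rules, so those three are dead.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
/sbin/iptables -A INPUT -i ppp0 -j ipblock
/sbin/iptables -A INPUT -j block
# last rule in INPUT chain is for logging.
/sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT
/sbin/iptables -A INPUT -i ppp0 -j spoof
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
EOF

# The same rules with LOG/REJECT moved to the end: nothing is dead.
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
/sbin/iptables -A INPUT -i ppp0 -j ipblock
/sbin/iptables -A INPUT -j block
/sbin/iptables -A INPUT -i ppp0 -j spoof
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT
/sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT
EOF

# Usage: unreachable_input_rules /etc/rc.d/rc.firewall.up
# (on a BKWall host) or over the constructed samples above.
```

The check is deliberately conservative: it only treats a rule with no match options as terminating, so a `-A INPUT -i lo -j ACCEPT` does not count, and a jump to a user chain such as `block` never does, because that chain may return.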

Once the new chains corresponding to each function of the system have been set up, the rule management part adds rules to each corresponding chain. For example, a rule added for the port filtering function (a rule consists of source address, source port, destination address, destination port, action, enabled flag and logging flag) is appended to the portfilter chain. The rule takes effect immediately when it is enabled, and it remains in effect after the system is restarted.

echo "Setting up firewall"
. /etc/rc.d/rc.firewall.up
echo "Starting dhcpd (if enabled)"
/usr/local/bin/restartdhcp
echo "Setting DMZ pinholes"
/usr/local/bin/setdmzholes
echo "Setting up advanced networking features"
/usr/local/bin/setadvnet
echo "Setting up IP block"
/usr/local/bin/setipblock
echo "Setting up portfilter"
/usr/local/bin/setportfilter
if [ "$RED_DEV" != "" ]; then
    echo "Updating RED..."
    /etc/rc.d/rc.updatered
    if [ "$RED_TYPE" != "PPPOE" ]; then
        echo "Starting VPN (if enabled)"
        /etc/rc.d/rc.vpn.up
        echo "Refreshing update list (background)"
        /usr/local/bin/updatelists.pl &
        echo "Registering this BKWall (background)"
        /etc/rc.d/rc.machineregister &
    fi
fi
echo "Setting external access rules"
/usr/local/bin/setxtaccess
echo "Setting up IP accounting"
/etc/rc.d/helper/writeipac.pl
/usr/local/sbin/fetchipac -S -c yes
/usr/local/sbin/fetchipac

When the system shuts down, it first runs the scripts that delete all the chains and rules currently applied to the firewall; the rules themselves remain stored in the rule files.

3.3.2 Request forwarding module
This module collects the requests that the administrator makes through the web interface and forwards them to the other modules responsible for handling them. In essence, the module is a set of HTML pages generated by Perl scripts; they form the interface through which the administrator issues requests to the system.


Figure 4-12: Block diagram of the request forwarding module

3.3.3 Configuration management module
This module implements the functions that support configuring the system, such as changing the passwords of admin, setup and root, and setting the addresses of the network interfaces, ... To perform configuration management, the module displays the configuration information to the administrator, who then changes the configuration parameters. The configuration parameters are stored in configuration files. They include the configuration of the network interfaces, the name of the system, and the passwords of the users of the system (BKWall has three kinds of user: root, who has full control of the system; setup, who may install or remove application packages and services in the system; and Admin, who controls the system through the web interface). The configuration files in the system are as follows. The system can have up to 3 Ethernet interfaces: the interface for the hosts in the LAN is called GREEN, the interface connected to the demilitarised zone (DMZ) is called ORANGE, and the interface connected to the outside network is called RED (note that the RED interface may be a connection over a serial port). The files are usually named settings and are placed in directories corresponding to the application or service: adsl, advent, auth, backup, ddns, dhcp, dmzholes, Ethernet, isdn, langs, main, modem, ppp, proxy, red, remote, time.


Figure 4-13: Block diagram of the configuration management module

3.3.4 Rule management module for Packet Filtering and Web Proxy
This module implements the functions that let the administrator set the rules for the two basic components of BKWall, Packet Filtering and Web Proxy. The main operations are: add a new rule, edit a rule, delete a rule, enable a rule, and turn logging on or off.

First consider the rules for the Web Proxy component. The Web Proxy in BKWall is built on the open-source product Squid, a caching proxy, i.e. an intelligent proxy: it collects the requests from users and stores these requests, together with the server's responses, in its cache memory. When a request from another client already exists in the cache, the Web Proxy reads the information from the cache and returns it to the client's browser without having to connect to the web server on the outside network. The rules applied to the Web Proxy are in fact its configuration parameters, which include:
+ Cache memory size
+ Address and service port of the Web Proxy
+ Name and password of the remote proxy: set when our ISP gives us the details of its proxy
+ Maximum object size
+ Minimum object size
+ Maximum download size
+ Minimum download size
+ Transparency of the Web Proxy to the client


Figure 4-14: Block diagram of the rule management module

The next part describes how the rule files are organised in the system and the structure of the rules applied in the Packet Filtering component.

Port filtering
o Organisation of the port filtering rule file in the system:
  Used to filter packets by IP address and port.
  The rule file is stored in /var/DFF/portfilter/config.
  Each rule entered by the administrator is stored on one line.
  The rule file is stored as a plain text file.
o Structure of a rule. Each rule has the following fields:
  + Source IP address
  + Source port
  + Destination address
  + Destination port


  + Protocol
  + Action: DROP, ACCEPT, REJECT
  + Logging enabled
  + Rule enabled or not
Example of a rule:
tcp,230.10.1.1,80,192.168.1.1,80,on,DROP,on

Meaning: block all TCP packets whose source address, source port, destination address and destination port are 203.10.1.1, 80, 192.168.1.1, 80 respectively. The rule is enabled and logged.

IP blocking
o Organisation of the IP blocking rule file in the system:
  Blocks packets whose source IP address is given by the administrator.
  The rule file is stored in /var/DFF/ipblock/config.
  Each rule entered by the administrator is stored on one line.
  The rule file is also stored as plain text.
o Structure of a rule. Each rule has the following fields:
  + IP address to block
  + Action: DROP, REJECT
  + Logging enabled
  + Rule enabled or not
Example of a rule:
230.10.1.1,on,DROP,on

Meaning: block all packets with source address 230.10.1.1. The rule is enabled and logged.

Service ports
o Organisation of the service port rule file in the system:
  Allows machines on the outside network to access a service provided by a machine on the inside network.
  The rule file is stored in /var/DFF/portfw/config.
  Each rule entered by the administrator is stored on one line.
  The rule file is also stored as plain text.
o Structure of a rule. Each rule has the following fields:
  + IP address accessing the service
  + Port accessing the service
  + Address providing the service
  + Port providing the service
  + Rule enabled or not
  + Protocol used
Example of a rule:
tcp,203.10.1.1,2203,192.168.1.1,2203,on

Meaning: the machine providing the service has IP address 192.168.1.1 and port number 2203; the machine accessing the service has IP address 203.10.1.1 and port number 2203; the protocol is TCP and the rule is enabled.

Remote administration


o Organisation of the remote administration rule file in the system:
  The administrator uses this function to open a port that allows machines on the outside network to control BKWall over https or SSH.
  The rule file is stored in /var/DFF/xtaccess.
  Each rule entered by the administrator is stored on one line.
  The rule file is also stored as plain text.
o Structure of a rule. Each rule has the following fields:
  + IP address of the outside machine
  + Access port
  + Rule enabled or not
  + Protocol used
Example of a rule:
tcp,0.0.0.0/0,113,on

Service ports for the DMZ
o Organisation of the DMZ service port rule file in the system:
  Allows a server in the DMZ to reach the LAN on a given port number provided by a machine in the LAN.
  The rule file is stored in /var/DFF/dmzholes.
  Each rule entered by the administrator is stored on one line.
  The rule file is also stored as plain text.
o Structure of a rule. Each rule has the following fields:
  + IP address of the server in the DMZ
  + Address of the machine providing the service in the LAN
  + Access port
  + Rule enabled or not
  + Protocol used
Example of a rule:
tcp,10.10.1.1,192.168.1.1,1000,on

DHCP
Includes enabling the service that assigns dynamic IP addresses to the machines in the private LAN. It also allows static addresses to be assigned to machines on the internal network by their physical MAC address, and only the machines listed in this section are able to connect to the Internet. The file holding these addresses is stored in /var/DFF/dhcp/staticconfid. Example entry:
nvc,AA:BB:CC:DD:DE:FF,192.168.1.2

Extended functions
Allows enabling the extended functions: blocking ICMP Ping packets and IGMP packets, blocking DoS attacks, blocking multicast traffic. Stored in /var/DFF/advent/settings.

All these rules are loaded into the system by the corresponding programs, which are stored in /usr/local/bin, for example: setipblock.o, setportfilter.o, restartdhcp.o, dmzholes.o.
+ These programs are written in C, so they execute very fast.


+ They read the rule files line by line and load the rules into the system.
+ Because the rule database is stored as text files, processing is reasonably fast, and in particular we can take advantage of Perl's excellent text-processing ability. On the other hand, the requirements of a firewall system mean we cannot install and use a database management system such as MySQL.

3.3.5 System information monitoring module
This module reports information about the system such as:
+ State of the system's services: running or stopped
+ State of the connections
+ Packet traffic through the network interfaces: Green (the internal interface), Orange (the interface for the demilitarised zone, DMZ), Red (the interface to the outside network, for example the Internet).
The module uses the rrdtool chart generator to produce the charts showing the network traffic through the RED, ORANGE and GREEN interfaces.
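The programs in /usr/local/bin read one rule per line and turn each into iptables rules. The shell functions below are an added example, not BKWall's setportfilter or setipblock, showing how such a line is validated field by field before it is spliced into a command line; this matters because the file is written by the web CGI, and an action that is not exactly DROP, ACCEPT or REJECT, or an address that is not an IPv4 address, must never reach iptables. The field order is an assumption read off the page's example lines (portfilter: protocol, source, source port, destination, destination port, enabled, action, log; ipblock: address, enabled, action, log), which the page does not state explicitly, and the sample rule file is constructed.

```shell
#!/bin/sh
# Added example, not BKWall's own setportfilter/setipblock (those are C
# programs): translate one line of the plain-text rule files into the
# iptables command it implies, validating every field first. Field order is
# an assumption taken from the page's examples (see the lead-in above).

# is_ipv4 ADDR[/PREFIX]: dotted quad with an optional prefix length 0..32
is_ipv4() {
    addr="${1%%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32        # no "/": a host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    set -f; old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs; set +f
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# is_port N: integer in 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# portfilter_rule LINE: print the command(s) for the portfilter chain.
# Returns 1 (printing nothing) when a field is invalid; a valid but
# disabled rule prints nothing and returns 0.
portfilter_rule() {
    set -f; old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs; set +f
    [ $# -eq 8 ] || return 1
    proto=$1 src=$2 sport=$3 dst=$4 dport=$5 enabled=$6 action=$7 log=$8
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    is_ipv4 "$src" && is_ipv4 "$dst" && is_port "$sport" && is_port "$dport" || return 1
    case "$action" in DROP|ACCEPT|REJECT) ;; *) return 1 ;; esac
    [ "$enabled" = on ] || return 0
    match="-p $proto -s $src --sport $sport -d $dst --dport $dport"
    # LOG is non-terminating, so it must precede the verdict to ever fire
    if [ "$log" = on ]; then
        echo "/sbin/iptables -A portfilter $match -j LOG --log-prefix \"portfilter: \""
    fi
    echo "/sbin/iptables -A portfilter $match -j $action"
}

# ipblock_rule LINE: print the command(s) for the ipblock chain
ipblock_rule() {
    set -f; old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs; set +f
    [ $# -eq 4 ] || return 1
    ip=$1 enabled=$2 action=$3 log=$4
    is_ipv4 "$ip" || return 1
    case "$action" in DROP|REJECT) ;; *) return 1 ;; esac
    [ "$enabled" = on ] || return 0
    if [ "$log" = on ]; then
        echo "/sbin/iptables -A ipblock -s $ip -j LOG --log-prefix \"ipblock: \""
    fi
    echo "/sbin/iptables -A ipblock -s $ip -j $action"
}

# load_rules FILE FUNC: translate a whole rule file with FUNC, reporting
# invalid lines on stderr; the return value is the number of rejected lines
load_rules() {
    rejected=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! "$2" "$line"; then
            echo "skipped invalid rule: $line" >&2
            rejected=$((rejected + 1))
        fi
    done < "$1"
    return "$rejected"
}

# Constructed sample of /var/DFF/portfilter/config: the page's example line,
# a disabled rule, and a line whose action field is not a bare target name
SAMPLE_PORTFILTER=$(mktemp)
cat > "$SAMPLE_PORTFILTER" <<'EOF'
tcp,230.10.1.1,80,192.168.1.1,80,on,DROP,on
udp,10.0.0.5,53,192.168.1.0/24,53,off,ACCEPT,off
tcp,230.10.1.1,80,192.168.1.1,80,on,DROP -j ACCEPT,on
EOF
```

Usage: `load_rules "$SAMPLE_PORTFILTER" portfilter_rule` prints the two commands for the first line, skips the disabled second line, and reports the third on stderr; piping the output to sh (as root) would apply it, which is the step the C programs perform directly.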

3.4 Security of the system

As a firewall system whose purpose is network security, securing the BKWall system itself is a necessity. From the issues raised while designing the modules, the security measures proposed for BKWall are:
+ Use an SSL channel and the https protocol for access to the BKWall Management Console. Access requires authentication with a digital certificate issued by the Apache server.
+ Avoid the security weaknesses of CGI technology by granting restricted privileges to the user that runs the Apache server on the Linux system.
+ Minimise the software packages and libraries installed in Linux when packaging BKWall as its own integrated Linux distribution (distro).

IV. Integration, installation, testing and evaluation of the BKWall system

4.1 System integration
BKWall is built from a number of open-source components combined with some newly built components, so integrating the components into one unified system is very important. Open-source software and Linux library packages are usually released


in many versions and by many different vendors. In principle, BKWall can work with all versions of the components that are compatible with the versions chosen below:

Operating system: Linux, the RedHat 7.2 distribution released by Red Hat, with Linux kernel version 2.4.

Smoothwall: Smoothwall version 2.0 (http://smoothwall.org).

libpcap library: libpcap (http://tcpdump.org) version 0.8.0.

iptables: iptables version 1.2.8 (http://iptables.org), bundled with the libipq library.

Apache web server: Apache web server version 1.3.39, with mod_perl and mod_ssl installed to support https and Perl CGI.

Perl: Perl 5 version 5.8.0 (http://perl.org), together with the rrdtool chart generator.

4.2 System installation
The BKWall system was installed and tested at the system software and security solutions department of the Misoft company. The department's network structure and equipment are as follows:
+ One 2 Mbps ADSL connection.
+ One Linux server: Pentium II 400 MHz CPU, 128 MB RAM, 3 100 Mbps NICs, used as the gateway machine; BKWall was installed on it.
+ One Windows Server 2003 server: Pentium IV 1.8 GHz CPU, 1 GB RAM, 100 Mbps NIC, used as the mail, http, ftp, vpn, ... server.
+ 8 PCs: Pentium III 1 GHz CPU, 256 MB RAM, 100 Mbps NIC or equivalent, running Windows XP SP2.
Hardware requirements for installing BKWall:
+ CPU: minimum speed 300 MHz (equivalent to a Pentium II CPU)


+ Main memory (RAM): > 64 MB
+ Disk (HDD): > 1 GB
+ Network cards: depending on the BKWall configuration, the number of network cards can be 1 (if there is only the interface for the internal network, called Green); if the system is connected to an outside network (such as the Internet) one more card is needed (this interface is called Red). If a demilitarised zone (DMZ) is wanted for servers such as web (HTTP), FTP and mail servers, a further card is needed (this interface is called Orange).
+ Other peripherals. The monitor, mouse and CD drive are only needed during installation; afterwards they can be removed.
The network layout for the (Green - Orange - Red) model is as follows:

Figure 4-15: BKWall deployment model in the network

The BKWall system was installed experimentally on the Linux gateway machine, so it can observe all traffic in the network and apply the rules set for the Packet Filtering and Web Proxy modules. Deployment of the system is quite flexible: the system can be deployed in a model where BKWall has a single network card, when the connection to the Internet goes through


a serial-port or dial-up connection; with two network cards when there is no demilitarised zone (DMZ); and, in the most general case, with three network cards applied respectively to the GREEN, ORANGE and RED interfaces.

4.3 System testing

The BKWall system was tested on the gateway machine running Linux kernel version 2.4. The following table gives the results of the integration test of the components of the BKWall system, as described in the system integration section.

  Component               Result
  Kernel 2.4              Good
  Iptables 1.2.8          Good
  Perl 5.8.0              Good
  Apache Server 1.3.39    Good

Firewall endurance test:
+ The system was tested by applying rules for all functions of the Packet Filtering component of BKWall.
+ The system was administered remotely from two computers in the LAN using Microsoft's IE browser.
+ The system was accessed remotely with Putty and WinSCP from three workstations in the LAN.
Result: the system still met the requirements set and operated well.

Effect of the BKWall system on network speed: the Packet Filtering component of BKWall inspects every packet it sees, so its effect on the Internet access speed of the machines in the network is clearly visible. The stress test of BKWall was based on the following test case: start BKWall on the gateway machine; start the Flashget program on the client machines one after another and download the same file simultaneously from the site vietnamnet.vn; measure the average download speed at the clients. The test was run with 2, 4, 6, 8 and 10 clients in turn. The results are recorded in the following table:

  Number of clients                  2    4    6    8    10
  Average download speed (Kb/s)

The BKWall Management System is a control system with a web interface, so testing was carried out on both the server side and the client side.


o Server side: the BKWall Management System was installed experimentally on the server.
  + Linux kernel 2.4, Apache 1.3.39
o Client side: the BKWall Management System was accessed from client machines running different operating systems and different browsers. The results are:

  Operating system   Browser         Result
  Windows            IE 6.0          Good
  Windows            Firefox 1.0.3   Menu system displayed in the wrong position
  Linux              Mozilla         Vietnamese text not displayed
  Linux              Konqueror       Vietnamese text not displayed

The results on both the server and the client side are very encouraging; the only problems are some Vietnamese font display errors in the Mozilla browser on Linux. Below are some client-side screenshots in the IE (Internet Explorer) browser on Microsoft Windows, covering the following pages: Home Page, the Packet Filter rule page, the Web Proxy configuration, the services, and system information.


Figure 4-16: Home page

Figure 4-17: Packet Filtering configuration


Figure 4-18: Services: remote access, password change

Figure 4-19: Web Proxy configuration page


Figure 4-20: System status information page

4.4 Evaluation of results
Within the scope of an undergraduate graduation project, the BKWall firewall system has met a number of the requirements set for a firewall product, but it also has unavoidable limitations. Below I present the results achieved and the limitations to be addressed in the coming time.

Results achieved
+ Successfully integrated the Linux kernel, Smoothwall, Apache Server and Iptables components into one unified firewall system.
+ Built a centralised remote control system for the whole system through a web interface.
+ The system operated relatively stably during the experimental deployment.

Limitations to be addressed
Alongside the results achieved, the BKWall system still has many limitations that need to be addressed, such as:
+ The system does not yet operate efficiently, in particular the Web Proxy module


+ The blocking policy still has to be set by the administrator; there is no ability yet to organise the rules entered by the administrator so as to optimise them.
+ The control system does not yet exploit the full customisation capability of Iptables.
+ The system cannot yet integrate other tools such as VPN (Virtual Private Network) and IDS (Intrusion Detection System) into BKWall.
These limitations will be addressed in the coming time if conditions allow me to continue developing this project.

KT LUN
hon thnh n ny ti xin by t lng bit n su sc n thy gio hng dn Vn Uy, s gip ln lao ca TS V Quc Khnh, cc anh Vng Vn Tuyn, Ng Quang Huy cng cc bn ng nghip ti phng pht trin h thng v bo mt cng ty Misoft v ton th bn b bn em trong sut thi gian qua. n cp n nhng vn chung ca an ninh thng tin, an ninh mng ni chung v i su nghin cu l thuyt v Firewall cng nh cc cng c xy dng mt Firewall hon chnh. C th n ny t c mt s thnh qu nh sau : Tm hiu v cc vn ca an ninh thng tin v an ninh mng. i su nghin cu v l thuyt v Firewall v cc cng c lin quan nhm mc ch xy dng mt sn phm tng la. Phn tch kin trc v lm ch c phn mm m ngun m Smoothwall. Tch hp cc thnh phn m ngun m, xy dng thnh cng h thng BKWall Trin khai th nghim t mt s kt qu.

In addition, because of limitations of time and ability, this project inevitably has shortcomings and limitations; specifically, these limitations are:
+ The system does not yet operate efficiently, particularly the Web Proxy module.
+ The blocking policy still has to be set up by the administrator; the system does not yet have a facility to organise the rules the administrator enters so as to optimise them.
+ The control system does not yet exploit the full customisation capabilities of Iptables.
+ The system cannot yet integrate other tools, such as a VPN (Virtual Private Network) or an IDS (Intrusion Detection System), into BKWall.
+ The open-source products have not been exploited thoroughly, and not much has really been developed on top of them.
In the future, wishing to continue developing this topic into a useful firewall product that can be applied widely in support of information security in Vietnam, I propose the following directions for development:
+ Optimise the configuration of the open-source components used, to increase efficiency and reliability.
+ Continue developing the control system so that it makes full use of the system's customisation capabilities, with a friendlier interface and interaction.
+ Study a more effective facility for managing the rules the administrator enters, capable of optimising those rules.
+ Study the possibility of turning the system into a hardware appliance, like the dedicated devices of network security equipment vendors such as Cisco or Checkpoint.
Finally, once again I wish to thank my supervisor, MSc Vn Uy, the lecturers of the Faculty of Information Technology at Hanoi University of Technology, the high-quality engineer training programme in Vietnam (P.F.I.E.V), and my colleagues at Misoft, together with all the family and friends who helped me so much throughout the project, enabling me to complete it.
Hanoi, 9 June 2005
Author of the project
Ng Vn Chn