ACKNOWLEDGEMENTS
To have reached this thesis I would like to express my deep gratitude to the teachers of Hanoi University of Technology in general, and of the Faculty of Information Technology and the Programme de Formation d'Ingénieurs d'Excellence au Vietnam (P.F.I.E.V.) in particular, who have devotedly taught me and passed on valuable knowledge over the past five years. I sincerely thank my supervisor, M.Sc. Senior Lecturer Đỗ Văn Uy of the Department of Software Engineering, Faculty of Information Technology, Hanoi University of Technology, who enthusiastically guided and advised me and gave me much knowledge and valuable material throughout the work on this thesis; without his help I could not have completed it. I sincerely thank the staff and colleagues of the System Software Solutions and Security Department of Misoft, the Ministry of Defence's software development and technology support company, who provided the facilities and working tools and shared valuable experience with me during my graduation internship and thesis work there. Finally, I thank my family and friends, who were always beside me and gave me great encouragement while this thesis was being written.
Graduation thesis
TABLE OF CONTENTS
ACKNOWLEDGEMENTS ... 1
Chapter 1: NETWORK SECURITY OVERVIEW ... 7
  I. Current situation ... 8
  II. Network models ... 9
  III. Assets to protect ... 17
  IV. Network attacks and defence strategies ... 18
Chapter 2: INTERNET FIREWALL ... 29
  I. Concept ... 30
  II. Basic functions of a firewall ... 32
  III. Firewall architectures ... 38
  IV. Firewall maintenance ... 44
Chapter 3: THE LINUX OPERATING SYSTEM ... 46
  I. Overview of the Linux operating system ... 47
  II. Networking in Linux ... 51
  III. IPTables ... 54
Chapter 4: BUILDING THE BKWALL SYSTEM ... 60
  I. Overview of the BKWall system ... 61
  II. Model and functional specification of the BKWall system ... 63
  III. Analysis and design of the BKWall system ... 65
  IV. Integration, installation, testing and evaluation of the BKWall system ... 80
LIST OF FIGURES
Figure 1-1: OSI and TCP/IP architectures ... 10
Figure 1-2: Path of data through the elements of a network ... 10
Figure 1-3: Structure of an IP packet (IP datagram) ... 12
Figure 1-5: Format of a UDP datagram ... 15
Figure 1-6: DoS and DDoS attacks ... 21
Figure 1-7: DRDoS attack ... 21
Figure 1-8: Mail application model on the Internet ... 22
Figure 1-9: Internet connection from a LAN ... 22
Figure 1-10: TCP connection establishment between client and server ... 23
Figure 1-11: SYN flood attack (1) ... 24
Figure 1-12: SYN flood attack (2) ... 25
Figure 1-13: ICMP flood attack ... 25
Figure 1-14: Defence in depth ... 26
Figure 2-1: Position of the firewall in the network ... 30
Figure 2-2: Screening router using a packet filter ... 32
Figure 2-3: Proxy server ... 35
Figure 2-4: Network address translation ... 37
Figure 2-5: Dual-homed host architecture ... 41
Figure 2-6: Screened host architecture ... 42
Figure 2-7: Screened subnet architecture ... 42
Figure 3-1: Functional model of the shell ... 49
Figure 3-2: Interfaces, drivers and devices ... 51
Figure 3-3: Netfilter hook diagram ... 53
Figure 3-4: Path of a packet through the Linux kernel ... 57
Figure 4-1: Overall model of the BKWall system ... 64
Figure 4-2: Functional specification of the BKWall system ... 64
Figure 4-3: BKWall deployment model ... 65
Figure 4-4: Function hierarchy diagram ... 65
Figure 4-5: Context-level data flow diagram ... 66
Figure 4-6: Control function diagram ... 66
Figure 4-7: Configuration management function diagram ... 67
Figure 4-8: Packet filter rule management function diagram ... 67
Figure 4-9: Web proxy rule management function diagram ... 67
Figure 4-10: Activity monitoring function diagram ... 68
Figure 4-11: Block diagram of the main program module ... 69
Figure 4-12: Block diagram of the request forwarding module ... 75
Figure 4-13: Block diagram of the configuration management module ... 76
Figure 4-14: Block diagram of the rule management module ... 77
Figure 4-15: BKWall deployment model in the network ... 82
Figure 4-16: Home page ... 85
Figure 4-17: Packet filtering configuration ... 85
Figure 4-18: Services: remote access, password change ... 86
Figure 4-19: Web proxy configuration page ... 86
Figure 4-20: System status page ... 87
Ngô Văn Chấn, HTTT&TT KSCLC K45 (Information Systems and Communications, high-quality engineering programme, class K45)
LIST OF ABBREVIATIONS
ARP (Address Resolution Protocol): maps an IP address to a physical address
BKWall (Bach Khoa Firewall System)
CGI (Common Gateway Interface)
DDoS (Distributed Denial of Service)
DMA (Direct Memory Access)
DMZ (DeMilitarized Zone)
DNS (Domain Name System)
DoS (Denial of Service)
DRDoS (Distributed Reflection Denial of Service): reflected, distributed DoS
FDDI (Fiber Distributed Data Interface)
FIB (Forwarding Information Base): forwarding table derived from the routing table
FTP (File Transfer Protocol)
HTTP (HyperText Transfer Protocol)
ICMP (Internet Control Message Protocol)
IGMP (Internet Group Management Protocol): lets hosts join and leave multicast groups
IP (Internet Protocol)
IPS (Intrusion Prevention System)
ISP (Internet Service Provider)
ISDN (Integrated Services Digital Network)
LAN (Local Area Network)
MAC (Media Access Control): hardware (device) address
MTU (Maximum Transmission Unit)
NIC (Network Interface Card)
PSTN (Public Switched Telephone Network)
RARP (Reverse Address Resolution Protocol): maps a physical address to an IP address
RIP (Routing Information Protocol): a routing protocol
SSL (Secure Sockets Layer)
SSH (Secure Shell): remote access service
SMTP (Simple Mail Transfer Protocol)
TCP (Transmission Control Protocol)
TELNET: remote login service
UDP (User Datagram Protocol): connectionless, unreliable transport protocol
URI (Uniform Resource Identifier)
URL (Uniform Resource Locator)
PREFACE
In recent years the organisation and use of the Internet have grown rapidly. The Internet lets computers exchange information quickly and conveniently, and anyone can easily use its services and utilities, from exchanging information to consulting humanity's digital libraries of knowledge. Today the benefits of the Internet are obvious and undeniable. Unfortunately they come with information-security risks, which are now a leading obstacle to the Internet's development. Ensuring safety and security is not only a need of service providers but a legitimate need of every user: sensitive defence and commercial information is priceless and must not fall into the hands of an adversary or competitor.

Worldwide there has been much research on security and on protecting information on networks, and its results have become commercial products such as Vista Firewall, ZoneAlarm Firewall, VPN-1/Firewall-1, SmoothWall and Astaro. Each has its own strengths and weaknesses and has developed in its own direction. These products are built on different operating systems, mainly Microsoft Windows and the open-source Linux operating system. Linux is a free UNIX-like operating system for personal computers that is now in wide use; it has had notable success, keeps growing, is highly regarded and attracts much attention from computer scientists.

In Vietnam, although the Internet has become popular only in the last few years, network security problems are no exception. Although there have been no great economic losses yet, many risks lie latent: attacks on service providers' systems and deletion of data are increasing. Vietnam currently has no commercial firewall product created by Vietnamese developers, and in particular none built on the open-source Linux operating system. Therefore, to exploit and use the Internet, security must come first.

There are many different measures for protecting a system against attacks from outside. One of the most widely applied is the firewall. Experience shows that it is a simple measure with very encouraging results. On that basis I chose the topic "Studying the theory of firewalls and building a firewall on Linux". The objectives of the topic are:
1. To study network security in general, network attack techniques and defence strategies.
2. To study firewall theory.
3. To build a firewall on the Linux operating system.

The thesis consists of four chapters, arranged as follows:

Chapter 1: Network security overview
Presents the general concepts of network security and the urgency of the topic; the network models and the protocols used for communication on networks; the forms of attack and some attack techniques in common use today, and from these the strategies for protecting a system against these threats.

Chapter 2: Internet firewall
Presents the general concept of a firewall, the basic functions of a firewall, and the models or architectures in which a firewall is deployed in a system.

Chapter 3: The Linux operating system
Gives an overview of the Linux operating system and of network configuration in the Linux environment. Particular attention is paid to a utility package integrated into almost all Linux distributions, IPtables, which performs packet filtering in the system kernel; from it a few simple firewall models based on IPtables are derived.

Chapter 4: Building the BKWall system (Bach Khoa Firewall System)
Builds the BKWall system on the basis of the open-source product SmoothWall.

In addition there are appendices giving the table of abbreviations used in the text and the list of references.
Chapter 1: NETWORK SECURITY OVERVIEW
I. Current situation
II. Network models
III. Assets to protect
IV. Network attacks and defence strategies
In this chapter we present the general concepts of network security and the current situation; the network models and the protocols used for communication on networks; the forms of attack and some attack techniques in common use today, and from these the strategies for protecting a system against these threats.
I. Current situation

Attackers are becoming ever more sophisticated. Information about security vulnerabilities and attack types is published openly on the net. Leaving aside amateur attackers and highly skilled ones, anyone with a little knowledge of programming and networking can become a hacker once they have this information. For this reason the number of network attacks keeps rising and many new attack methods appear that cannot be kept under control. According to an Ernst & Young survey, four out of five large organisations (more than 2,500 employees) deploy core, critical applications on their local area networks. When these LANs are connected to the Internet, all of that essential information becomes exposed to intrusion, theft, destruction or disruption. Most of these organisations have applied security measures, but not thoroughly, and many holes remain for attackers to exploit.
In recent years computer network security has become hotter than ever, with a series of attacks and of vulnerabilities discovered or exploited. According to Arthur Wong, chief executive of SecurityFocus, more than 30 new security vulnerabilities are discovered on average every week. According to a SecurityFocus survey of the company's 10,000 customers running intrusion detection software, each customer suffered on average 129 probes and intrusions, and web server software such as Microsoft's IIS was the most common target. In this situation, protecting the information of a computer or computer system against attack from outside when it is connected to the Internet is an extremely urgent problem. To meet this need, software with various features has appeared worldwide under the name firewall. Using a firewall to protect the internal network against attack from outside is an effective solution that aims to provide:
- safe operation of the whole network system;
- strong security in many respects;
- a high degree of control;
- flexibility and ease of use;
- transparency to users;
- an open architecture.
"Know the enemy and know yourself, and you will win a hundred battles." To protect a system against hacker attacks we must know which assets need protecting and the different attack techniques, and from them devise a sensible network defence strategy.
From the introduction to the OSI and TCP/IP models above, the layers of the two can be matched as follows:
2.2.1 Network Access Layer
The network access layer contains the protocols that provide access to a network link. At this layer the system interfaces with many different kinds of network; it provides the drivers that interact with the hardware, for example Token Ring, Ethernet and FDDI.

2.2.2 Internet Layer
The Internet layer provides the routing of packets, so it contains the procedures needed between hosts and gateways to move packets between different networks. A gateway connects two networks. The protocols of this layer are IP (Internet Protocol) and ICMP (Internet Control Message Protocol).

2.2.3 Transport Layer
The transport layer delivers data between two different processes on host computers. A protocol at this layer provides a logical connection between higher-level entities; its services may include error control and flow control. The protocols of this layer are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).

2.2.4 Application Layer
This layer contains the protocols that serve resource sharing and remote access: high-level protocols used to provide interfaces to users or to applications. Important ones are the File Transfer Protocol (FTP) for file transfer, the HyperText Transfer Protocol (HTTP) for the World Wide Web, and the Simple Network Management Protocol (SNMP) for network management. Others are the Domain Name System (DNS), the Simple Mail Transfer Protocol (SMTP), the Post Office Protocol (POP) and the Internet Message Access Protocol (IMAP).
Figure 1-3: Structure of an IP packet (IP datagram)

To identify hosts on the network the protocol uses IP addresses, 32 bits long, split into four 1-byte fields that are usually written as decimal numbers. IP addresses are divided into five classes, A, B, C, D and E. An example of an IP address is 192.168.1.1. Each IP address has two parts: the network address (network id) and the host address (host id). A subnet mask separates the network id from the host id, so a complete address is usually written with its prefix length, for example 192.168.1.1/24.

b. Address Resolution Protocol (ARP)
IP addresses and hardware (physical) addresses, which are 48 bits long, are independent of each other. ARP translates an IP address into a physical address when that is needed. The mapping from IP address to physical address can be static or dynamic; ARP and RARP use dynamic mapping, by means of ARP request and ARP reply packets.

c. Reverse Address Resolution Protocol (RARP)
Like ARP, except that it maps in the reverse direction, from a physical (MAC) address to an IP address. The operation of the protocol is sketched below:
d. IP version 6, or IP next generation (IPv6 or IPng)
IPv6 is essentially the same as IPv4. Some of the differences between them:
- The IP address is 128 bits long instead of the 32 bits of IPv4; an IPv6 address looks like f1ea:1075:fffb:110e:0000:0000:7c2d:a65f.
- IPv6 can configure local addresses and local router addresses automatically, which removes configuration and set-up problems.
- IPv6 has a simpler header with some fields removed, which makes routing more efficient, and new header types can be added easily.
- Support for authentication and data confidentiality is part of the IPv6 architecture.

e. Internet Control Message Protocol (ICMP)
Because IP is an unreliable protocol, ICMP is needed alongside it. ICMP carries control messages (reports on error conditions in the network, and so on) between the gateways or hosts of the internet. An error condition may be that a datagram cannot reach its destination, or that a router does not have enough buffer space to store and forward a datagram. An ICMP message is generated and handed to IP, which encapsulates it with an IP header and sends it to the destination host or router.

2.3.2 Transport Layer Protocols
There are two protocols at the transport layer: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Both sit between the application layer and the network layer, and both are responsible for process-to-process delivery at the transport layer.

a. Transmission Control Protocol (TCP)
TCP is a connection-oriented protocol: a logical connection must be established before data can be transferred. The unit of data in TCP is the segment, whose format is described below:
Figure 1-4: Format of a TCP segment
The fields of this format have the following meanings:
- Source port (16 bits): port number of the source host.
- Destination port (16 bits): port number of the destination host.
- Sequence number (32 bits): sequence number of the first byte of the segment, unless the SYN bit is set; when SYN is set it is the initial sequence number (ISN).
- Acknowledgment number (32 bits): sequence number of the next byte the sender expects to receive; it acknowledges all bytes before that number.
- Data offset (4 bits): length of the TCP header in 32-bit words; it marks where the data field begins.
- Reserved (6 bits): reserved for future use.
- Code bits, or control bits (6 bits), from left to right: URG: the urgent pointer field is valid; ACK: the acknowledgment number field is valid; PSH: push function; RST: reset the connection; SYN: synchronise sequence numbers; FIN: no more data from the sender.
- Window (16 bits): flow-control credit (the window mechanism): the number of data bytes, starting from the byte given in the acknowledgment number field, that the sender of this segment is willing to accept.
- Checksum (16 bits): error-detection code; it is the Internet one's-complement checksum over the TCP header, the data and a pseudo-header taken from the IP header, not a CRC.
- Urgent pointer (16 bits): points to the sequence number of the byte following the urgent data, so that the receiver knows how long the urgent data is; valid only when the URG bit is set.
- Options (variable length): TCP options.
- Padding (variable length): filler added to the header to keep its size a multiple of 32 bits.
- TCP data: the payload of the segment.

b. User Datagram Protocol (UDP)
UDP is a connectionless, unreliable protocol, unlike TCP, and it is used in place of TCP by some applications. Unlike TCP it has no connection set-up or release, it provides no acknowledgements, it does not put data units in order, and data can be lost or duplicated with no error report to the sender. UDP does provide the assignment and management of port numbers, which uniquely identify the applications running on a host. Having fewer functions, UDP tends to run faster than TCP, and it is usually used for applications that do not require high reliability. The format of a UDP datagram is shown in Figure 1-5.
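The layouts in Figures 1-3, 1-4 and 1-5 can be exercised directly. The following Python is an added example, not code from the thesis or from BKWall/SmoothWall: it decodes an IPv4 header and the TCP or UDP header carried inside it, lists the TCP flag bits by name and verifies the header checksums, which are Internet one's-complement checksums over the header (plus the IP pseudo-header for TCP and UDP). The two packets it decodes are constructed inside the block; the addresses, ports and the MSS option are illustrative values, not a capture.

```python
"""Decode IPv4, TCP and UDP headers from raw bytes and verify their checksums.
Added example (not code from the thesis or from BKWall/SmoothWall); layouts follow
RFC 791 (IPv4), RFC 793 (TCP) and RFC 768 (UDP).  The two sample packets at the
bottom are constructed by hand for the demonstration, not captured from a network."""
import struct

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bits 0..5 of the flags byte
TCP_SYN = 0x02
MSS_1460 = b"\x02\x04\x05\xb4"          # TCP option: kind 2 (MSS), length 4, value 1460

def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, complemented (not a CRC)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src_raw: bytes, dst_raw: bytes, proto: int, length: int) -> bytes:
    """TCP and UDP checksums also cover these 12 bytes borrowed from the IP header."""
    return src_raw + dst_raw + struct.pack("!BBH", 0, proto, length)

def parse_ipv4(pkt: bytes) -> dict:
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl,
     proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes, options included
    return {"version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len, "id": ident,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "src_raw": src, "dst_raw": dst,
            # a header with a correct checksum field sums (field included) to zero
            "checksum_ok": internet_checksum(pkt[:ihl]) == 0,
            "payload": pkt[ihl:total_len]}

def parse_tcp(seg: bytes, src_raw: bytes, dst_raw: bytes) -> dict:
    (sport, dport, seq, ack, off_res, flags,
     window, _csum, urg) = struct.unpack("!HHIIBBHHH", seg[:20])
    data_offset = (off_res >> 4) * 4    # the 4-bit field counts 32-bit words
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "data_offset": data_offset,
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
            "window": window, "urgent_pointer": urg, "options": seg[20:data_offset],
            "checksum_ok": internet_checksum(pseudo_header(src_raw, dst_raw, 6, len(seg)) + seg) == 0,
            "payload": seg[data_offset:]}

def parse_udp(dgram: bytes, src_raw: bytes, dst_raw: bytes) -> dict:
    sport, dport, length, csum = struct.unpack("!HHHH", dgram[:8])
    covered = pseudo_header(src_raw, dst_raw, 17, length) + dgram[:length]
    # over IPv4 an all-zero UDP checksum means "not computed" and is accepted as-is
    return {"sport": sport, "dport": dport, "length": length,
            "checksum_ok": csum == 0 or internet_checksum(covered) == 0,
            "payload": dgram[8:length]}

def decode(pkt: bytes) -> dict:
    """IPv4 packet -> {"ip": ..., "tcp": ...} or {"ip": ..., "udp": ...}."""
    ip = parse_ipv4(pkt)
    out = {"ip": ip}
    if ip["protocol"] == 6:
        out["tcp"] = parse_tcp(ip["payload"], ip["src_raw"], ip["dst_raw"])
    elif ip["protocol"] == 17:
        out["udp"] = parse_udp(ip["payload"], ip["src_raw"], ip["dst_raw"])
    return out

# ---- builders, used only to construct the sample packets -------------------------
def _addr(a: str) -> bytes:
    return bytes(int(o) for o in a.split("."))

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, _addr(src), _addr(dst))       # DF set, checksum still 0
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + payload

def build_tcp(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
              flags: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    options += b"\x00" * (-len(options) % 4)        # options padded to a 32-bit boundary
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, ((20 + len(options)) // 4) << 4,
                      flags, 65535, 0, 0) + options + payload
    csum = internet_checksum(pseudo_header(_addr(src), _addr(dst), 6, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    dgram = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    csum = internet_checksum(pseudo_header(_addr(src), _addr(dst), 17, len(dgram)) + dgram) or 0xFFFF
    return dgram[:6] + struct.pack("!H", csum) + dgram[8:]

# Constructed samples: a SYN to port 80 (step 1 of the handshake) and a datagram to port 53.
SAMPLE_SYN = build_ipv4("192.168.1.1", "10.0.0.5", 6,
                        build_tcp("192.168.1.1", "10.0.0.5", 40000, 80, 1000, 0, TCP_SYN, MSS_1460))
SAMPLE_UDP = build_ipv4("192.168.1.1", "10.0.0.53", 17,
                        build_udp("192.168.1.1", "10.0.0.53", 53000, 53, b"stand-in DNS query"))

if __name__ == "__main__":
    for label, pkt in ("SYN", SAMPLE_SYN), ("UDP", SAMPLE_UDP):
        d = decode(pkt)
        print(label, d["ip"]["src"], "->", d["ip"]["dst"], d.get("tcp") or d.get("udp"))
```

Flipping a single bit in the TCP destination port of SAMPLE_SYN leaves the IP header checksum valid but makes the TCP checksum fail, which is exactly the division of labour between the two fields: the IP checksum covers only the IP header, the transport checksum covers the transport header, the data and the pseudo-header.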
Figure 1-5: Format of a UDP datagram

c. Routing Protocols
As we know, the Internet consists of networks connected by routers. When a packet travels from the source host to the destination host it passes through routers until it reaches the one attached to the destination. How the length of this path is measured differs from one protocol to another. For packets to reach their destination, hosts and routers must run routing protocols. Depending on the algorithm used there are different kinds of routing protocol, such as distance-vector protocols (for example RIP, the Routing Information Protocol) and link-state protocols (for example OSPF, Open Shortest Path First).

2.3.3 Application Layer Services
a. Domain Name System (DNS)
This service lets elements of the network be identified by name instead of by the numbers of an IP address. The system is hierarchical: each level is called a domain, and domains are separated by dots. The top level includes the country domains, each country having a two-letter domain name, for example vn (Vietnam) or fr (France), and below that the hierarchy is subdivided further. Mapping between IP addresses and domain names is done by two entities, the name resolver and the name server. The name resolver is installed on the workstation and the name server on a server machine. The resolver sends the address mapping request to the name server; if the host name is found, the corresponding IP address is returned to the workstation, which then connects to the host using that IP address.
b. Remote login: TELNET
Lets a user log in from their own workstation to a remote host over the network and work there as if sitting at it. TELNET runs over TCP and exchanges data on port 23. To start TELNET, the user simply types the following at the command line of their workstation: telnet <domain name or IP address>
c. File transfer: File Transfer Protocol (FTP)
Lets files be transferred from one host to another regardless of where the machines are or which operating system they run, provided they are connected to each other over the Internet and have FTP installed. To start FTP we use the command: ftp <domain name or IP address>. We then log in with a user name and password, after which we can download or upload files.

d. Electronic mail (E-mail)
Currently the most popular service on the Internet. It is a store-and-forward service: two hosts exchanging e-mail need not be connected to each other directly; the mail is relayed through e-mail servers. The protocols used for the e-mail service are:
- Simple Mail Transfer Protocol (SMTP)
- Post Office Protocol version 3 (POP3)
- Internet Message Access Protocol (IMAP)
- Multipurpose Internet Mail Extensions (MIME)

e. Search services, including:
- file search (Archie)
- menu-based information lookup (Gopher)
- index-based information search (WAIS)
- hypertext-based information search (WWW)
- Attacks on web servers: besides the vulnerabilities that come from executing CGI programs, web servers can have other holes. For example, some web servers (IIS 1.0, ...) had a hole whereby inserting the sequence ../ into the path of a file name let an attacker move anywhere in the file system and retrieve any file. Another common flaw is a buffer overflow in the request field or in other HTTP fields.
- Attacks on web browsers: because browsers from Microsoft and Netscape had many security holes, attacks appeared through URLs, HTTP, HTML, JavaScript, frames, Java and ActiveX.
- SMTP (Sendmail) attacks.
- IP spoofing.
- Buffer overflows: two attacks that exploit buffer-overflow bugs are the DNS overflow (an over-long DNS name sent to the server) and the statd overflow (an over-long file name supplied).
- DNS attacks: DNS servers are a prime target, because the damage they cause is great: the whole network stalls. In April 2004 the US Department of Homeland Security and the UK National Infrastructure Security Co-ordination Centre warned of a serious security flaw (reported by TTO) in the TCP/IP protocol suite.
The following section examines the attack techniques that build on these vulnerabilities.
III. Assets to protect
To protect a system against hacker attacks we must know which assets need protecting and the different attack techniques, and from them devise a sensible defence strategy. The sections below discuss these points in detail. There are three kinds of asset to protect:
- data: the information stored in computers;
- resources: the computers themselves, printers, CPU time;
- reputation.
3.1 Data
The security objectives and policy of an information system, as they apply to data, comprise:
- confidentiality
- integrity
- availability
People usually concentrate on protecting the confidentiality of data; for highly sensitive information such as defence information or business strategy it is a matter of survival. When data is copied by someone without the authority to do so, we say the data has lost its confidentiality. When data is modified unexpectedly by someone without authority, we say the data has lost its integrity. Availability is the most important property for organisations whose operations depend on a great deal of information: when a legitimate user wants to view their data and it cannot be served at once for some reason, we say the data has lost its availability.
3.2 Resources
Consider an example. We have a printer (a kind of resource) that only authorised people are allowed to use. Nevertheless, unauthorised people want to use this printer free of charge. We then say the printer has been abused. The notion of abuse is very broad: memory and CPU time, for instance, are resources too, and when they are exploited illegitimately by people without authority we say the resources have been abused.
4.1.1 Intrusion
Most attacks on systems are intrusions. In this kind of attack the attacker actually gets to use our computer. Every attacker wants to use our computer as though they were a legitimate user, and they have a whole series of ways in: they may pose as someone of higher authority and ask us for our user name and password, or simply guess the password, or use many more complex methods to gain access without knowing any user name or password at all. Intruders can be divided into two groups:
+ Outsiders: intruders from outside the system (wiping the web server, relaying spam through the e-mail servers). They may get past the firewall to attack machines on the internal network. They can come from the Internet, over telephone lines, by physical intrusion, or from partner networks linked to the organisation's network (manufacturers, customers, ...).
+ Insiders: intruders who have legitimate access inside the system (authorised users, or people impersonating a user with higher privileges). Statistically this group accounts for up to 80% of intrusions.
An intrusion is carried out in two main steps.
Reconnaissance: the attacker can use scanning tools to probe or look for security holes in a network. These scans may be pings, TCP/UDP port scans, DNS zone transfers, or scans of web servers for CGI holes. Some common kinds of scan:
Ping sweep: this simply pings a range of IP addresses to check which of the corresponding hosts are alive. More elaborate sweeps use other protocols; an SNMP sweep works in the same way.
TCP scan: this probes for open TCP ports in order to find running services that can be exploited, abused or sabotaged. The scanner may use ordinary TCP connections, stealth scans (half-open connections), or FIN scans (which open no connection at all but only check whether anyone is listening). The ports can be scanned sequentially, at random or from a configured list.
UDP scan: slightly harder, because UDP is connectionless. The technique is to send a meaningless UDP packet to a port; most hosts answer with an ICMP "destination port unreachable" message, which shows that no service is listening on that port. However, many hosts rate-limit ICMP messages, so this cannot be done very quickly.
OS identification: by sending malformed TCP or ICMP packets, the attacker can learn which operating system is running.
Account scan: attempts to log in to the system with:
- accounts that have no password;
- accounts whose password is the same as the user name, or is the word "password";
- default accounts shipped with the product;
- accounts installed together with software products;
- the anonymous FTP account and its problems.
Exploits: abusing hidden features or bugs to get into the system.
A firewall can help to block some of the intrusion methods above. In broad terms the firewall blocks every path into the system without regard to user names or passwords; in general it is configured so as to reduce the number of accounts that can be reached from outside. Most people configure the firewall to use one-time passwords so as to defeat guessing attacks.

4.1.2 Denial of service
This is an attack on the availability of the system: it exhausts the system's resources or consumes its bandwidth so that the system loses the ability to answer incoming requests. If the system then needs a resource, it is quite likely to fail. Peculiar features of this attack are that the victim cannot resist it, and that the tools used are the same ones the system uses in its daily operation. Four forms of DoS can be distinguished:
- bandwidth consumption;
- resource starvation;
- programming flaws;
- attacks on routing and DNS.
Technically there are three main kinds of denial-of-service attack: DoS, DDoS and DRDoS.
DoS (traditional DoS):
Figure 1-6: DoS and DDoS attacks
In the simplest form, the attacking machine has more bandwidth than the victim.
DDoS (distributed DoS): many machines attack one victim together.
DRDoS (distributed reflection DoS): uses reflector servers. The attacker sends connection requests to servers on the network with very high bandwidth (the reflectors); these request packets carry a forged source IP address, which is the victim's. The reflectors send SYN/ACK packets back to the victim, which produces bandwidth multiplication. With this attack the attacker learns nothing more about the system; it simply paralyses the system so that it can no longer operate.
4.1.3 Information theft
Some attacks let the attacker obtain data without directly accessing or using our computer. Usually the attacker exploits the Internet services that distribute information: these services may give out information we do not want released, or deliver information to the wrong recipient. Many Internet services were designed for use on internal networks and have no added layer of protection, so their information is not safe when it travels over the Internet. Most attackers try to eavesdrop in search of information such as user names and passwords, and unfortunately that is exactly the information most easily stolen on the network, as the figure below illustrates.
Figure 1-8: Mail application model on the Internet
This is the path the packets take when a user logs in to an ISP and sends a few messages. The unencrypted packets travel from the client to the ISP's dial-up server, then through the ISP's firewall to the routers, before being carried across the Internet. At every hop of an unencrypted transfer the messages can be intercepted, at some points as easily as at the point they were sent from. A user who works for the ISP can capture the packets. A computer expert can read all of the messages without difficulty. Anyone who maintains the routers has many ways of keeping copies of the messages, and where services are provided, the providers can inspect the user's messages too. If the Internet is reached from a LAN instead of a dial-up line, even more people can read the messages: anyone in the company on the same LAN can plug in a NIC and capture the network's packets.
Protocols usually use fixed ports to exchange information, and this weak point helps hackers steal important information easily. For example: when a user logs on to Yahoo! Mail, enters a user name and password and presses Submit, if the information is correct it is packaged and sent. The first HTTP packet, which carries the user name and password, leaves from client port 1149 (the ephemeral source port seen in this capture), and a hacker who can intercept traffic on that path can read the user's logon information from it, because the password is transmitted as plain text. About 100 to 200 packets are exchanged between the user and the server during the logon, and about 10 of the first ones contain the password. There are several defences against this attack. A well-configured firewall protects against those who try to collect the information we send out, although only encryption of the session (for example SSL) protects against someone who is already able to listen on the path.
Figure 1-10: Establishing a TCP connection between client and server
If a client has made no request to establish a connection with a server but nevertheless receives a SYN/ACK packet, it replies to the server with an RST (reset) packet. That is how the server knows to abandon the connection. Note that already at step 1, when the client sends the SYN signal, the server has reserved for
Ng Vn Chn HTTT&TT KSCLC K45 23
this client a region of memory in which to operate. That memory is released only when the client asks to tear down the connection, or after a fixed period (called the Timeout) if nothing is heard from the client. The Timeout differs from server to server and lies between 75 seconds and 23 minutes. Building on the connection set-up mechanism of TCP, the attacker devises the following technique for forging IP addresses: suppose two hosts X and Y trust each other. The attacker has address Z and creates a packet pretending to be Y, sent to X, hoping to receive the replies. However, on receiving this connection request X treats it as a packet sent by Y, so it replies to Y, and Z receives nothing. When Y receives the reply packet from X (with the ACK bit set) it sends back an RST packet, so the connection is torn down. The attacker does not want X to drop this connection, so he looks for a way to stop Y from receiving the reply, for example a denial-of-service attack that floods Y's bandwidth so that it cannot receive anything more. This method is largely theoretical, however; in practice it is very hard to carry out this way.
4.2.2. SYN flooding (flooding with SYN packets)
We again turn to the three-way handshake used when a connection is set up between two TCP entities. The attacker uses a forged address to send a SYN packet to the victim. As soon as the victim receives this packet it sets aside a portion of memory for the connection.
Figure 1-11: SYN flood attack (1)
As above, when the victim receives the SYN connection request it sends back a SYN/ACK packet to the host whose address the attacker forged. If that packet reaches the impersonated host, that host sends an RST packet, the connection is dropped and the memory the victim host set aside for it is released. In that case the attacker gains nothing. To get around this the attacker proceeds as follows: the forged address is one to which the victim host cannot deliver packets. The SYN/ACK packets the victim sends in step 2 of the three-way handshake then never reach a destination, so no RST packet comes back to the victim. The victim therefore has to keep waiting on this connection until the Timeout expires. This means the attacker has succeeded in tying up part of the victim machine's operating resources.
Moreover, the attacker does not send just one SYN packet to the victim but keeps sending a SYN packet to the victim machine at regular intervals. The result is that all the resources on the victim machine are consumed waiting for connections that do not exist.
Figure 1-12: SYN flood attack (2)
The advantage of this attack method is that very little bandwidth is enough for the attacker to paralyse the victim. Moreover, the SYN packets the attacker sends to the victim use forged addresses, so it is very hard to identify the culprit.
4.2.3 ICMP flooding (flooding with ICMP packets)
Ping is a program that tells the user whether two hosts on the network can reach each other. Ping is based on the ICMP protocol. It lets the user send packets to a remote system and displays the time from sending a packet until the reply arrives from the receiving side (RTT: Round Trip Time). The packet sent is an ICMP echo request; the reply is an ICMP echo reply. The attacker uses ICMP to attack the victim as follows. Step 1: the attacker impersonates the victim and sends a Ping whose source IP address is the victim's and whose destination is the broadcast address of some network. After this step every host in the 10.0.0.x network receives an ICMP packet apparently from the victim's host. Step 2: because of this confusion every host in the 10.0.0.x network sends the victim an ICMP echo reply. The mass of such packets saturates the bandwidth at the victim's host. The victim can no longer communicate with other hosts on the network. Many convenient tools for this kind of attack exist today.
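The two floods described in 4.2.2 and 4.2.3 leave recognisable traces at the firewall: half-open TCP connections that are never completed, echo requests aimed at a broadcast address, and echo replies arriving at one host from many senders. The following detector, an added example and not part of the thesis, runs over a constructed list of packet summaries of the kind a firewall log would provide; the addresses, the 75-second timeout (the shortest the thesis cites) and the alert thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed packet summaries: (time_s, proto, src, dst, flags_or_type).
# For TCP the last field is the flag string; for ICMP it is the message type.
SAMPLE_PACKETS = [
    (0.0, "tcp", "203.0.113.9", "10.0.0.5", "SYN"),
    (0.1, "tcp", "10.0.0.5", "203.0.113.9", "SYN/ACK"),
    (0.2, "tcp", "203.0.113.9", "10.0.0.5", "ACK"),          # legitimate, completed
    (1.0, "tcp", "198.51.100.1", "10.0.0.5", "SYN"),          # forged source, never completes
    (1.0, "tcp", "10.0.0.5", "198.51.100.1", "SYN/ACK"),
    (1.5, "tcp", "198.51.100.2", "10.0.0.5", "SYN"),
    (1.5, "tcp", "10.0.0.5", "198.51.100.2", "SYN/ACK"),
    (2.0, "tcp", "198.51.100.3", "10.0.0.5", "SYN"),
    (2.0, "tcp", "10.0.0.5", "198.51.100.3", "SYN/ACK"),
    (2.5, "tcp", "198.51.100.4", "10.0.0.5", "SYN"),
    (2.5, "tcp", "10.0.0.5", "198.51.100.4", "SYN/ACK"),
    (3.0, "icmp", "10.0.0.7", "10.0.0.255", "echo-request"),  # step 1: ping to broadcast
    (3.1, "icmp", "10.0.0.11", "10.0.0.7", "echo-reply"),     # step 2: replies hit the victim
    (3.1, "icmp", "10.0.0.12", "10.0.0.7", "echo-reply"),
    (3.1, "icmp", "10.0.0.13", "10.0.0.7", "echo-reply"),
]


def half_open_connections(packets, now, timeout_s=75.0):
    """Return {server: count} of SYNs still waiting for the third handshake step
    at time `now`. A SYN is cleared by the client's ACK (handshake complete) or
    by an RST in either direction (the impersonated host refused, so the server
    frees the state). Entries older than timeout_s are treated as expired."""
    pending = {}  # (client, server) -> time the SYN was seen
    for t, proto, src, dst, flags in packets:
        if proto != "tcp":
            continue
        if flags == "SYN":
            pending[(src, dst)] = t
        elif flags == "ACK":
            pending.pop((src, dst), None)
        elif flags == "RST":
            pending.pop((src, dst), None)
            pending.pop((dst, src), None)
    counts = defaultdict(int)
    for (client, server), t in pending.items():
        if now - t <= timeout_s:
            counts[server] += 1
    return dict(counts)


def syn_flood_alerts(packets, now, threshold=3, timeout_s=75.0):
    """Servers holding at least `threshold` half-open connections (assumed threshold)."""
    return {srv: n for srv, n in half_open_connections(packets, now, timeout_s).items()
            if n >= threshold}


def broadcast_echo_requests(packets, local_nets):
    """ICMP echo requests addressed to the broadcast address of one of our networks
    (step 1 of the ICMP flood). Each hit is (claimed source, broadcast address);
    the claimed source is the likely victim, since the replies will go there."""
    nets = [ip_network(n) for n in local_nets]
    hits = []
    for _t, proto, src, dst, kind in packets:
        if proto == "icmp" and kind == "echo-request":
            if any(ip_address(dst) == n.broadcast_address for n in nets):
                hits.append((src, dst))
    return hits


def echo_reply_storm(packets, min_sources=3):
    """Hosts receiving echo replies from at least `min_sources` distinct senders:
    the victim-side symptom of step 2 (assumed threshold)."""
    senders = defaultdict(set)
    for _t, proto, src, dst, kind in packets:
        if proto == "icmp" and kind == "echo-reply":
            senders[dst].add(src)
    return {dst: len(s) for dst, s in senders.items() if len(s) >= min_sources}
```

A firewall that sees these signals can then drop further SYNs from the offending sources, refuse echo requests to broadcast addresses, and rate-limit echo replies towards the affected host.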
Figure 1-14: Defence in depth
4.3.3 Choke Point
By building a choke point we force all traffic to pass through it, and attackers are no exception. It is precisely this property that lets us inspect and control the traffic entering and leaving the network. There are many examples of choke points in everyday life. In network security the choke point is the Firewall placed between the network to be protected and the Internet. Anyone who wants to get into the protected network must pass through this Firewall.
4.3.4 Weakest Link
In a protective system, no matter how many stages have a high level of security, it takes only one insecure stage for the whole system to become insecure. Clever attackers will find these weak points and concentrate their attack there. These weak points need careful attention, because the attacker always knows how to exploit them.
4.3.5 Fail Safe Stance
Another fundamental point of a security strategy is that the system should be able to fail safe, meaning that if the system fails it fails in a way that resists the opponent's attack. Such a failure may also block access by legitimate users, but in some cases this strategy must still be applied. Most applications today have a fail-safe mechanism. For example, if a packet-filtering router goes down, it lets no packet through. If a proxy goes down, it provides no service at all. But if a packet-filtering system is configured so that all packets are directed to one machine running the packet-filtering application while a different machine provides the application, then when the filtering machine goes down all the packets flow straight to the machine providing the service. That kind of design is not fail safe and must be avoided. The important point in this strategy is our principle, our attitude towards security: do we tend to restrict and forbid, or to permit? There are two basic principles on which a security policy can be decided:
+ Default deny: specify only what we allow and forbid everything else.
+ Default permit: specify only what we forbid and let everything else through.
4.3.6 Universal Participation
To be effective, most security systems require the universal participation of the local systems. If someone can easily break one security mechanism, they can succeed by attacking someone's unsecured system and then continuing to attack the internal network from the inside. There are many ways of defeating the system's security, and we need to be told about any strange phenomena that may relate to the security of the local systems.
4.3.7 Diversity of Defence
The real idea behind diversity of defence is to use security systems from several different vendors in order to reduce the risk of the common flaws that every system suffers from.
But alongside that come the difficulties of running a system made up of products from different vendors: installation and configuration are harder, the cost is higher, and more time is needed before the system can be operated. We should be cautious with this idea of diversity. Using several different systems in this way does not guarantee diversity of defence; it can even happen that one system restricts the operation of another while not
supporting it as we intended.
4.3.8 Simplicity
Simplicity is one of the security strategies for two reasons. First: something simple is also easy to understand, and if we do not understand some part, we cannot be sure whether it is secure. Second: complexity creates many nooks and crannies that we cannot manage, and many things will lurk there without our knowing. Clearly, guarding an apartment is far easier than guarding a large castle!
Chapter 2: INTERNET FIREWALL
Firewall concepts
Basic functions of a Firewall
Firewall architectures
Firewall maintenance
In this chapter we study the Internet Firewall: what a Firewall is, the basic functions of a Firewall, the architecture of a Firewall when deploying a secure network, and finally the maintenance of a Firewall.
I. Concepts
1.1 Concept
A Firewall is a piece of software, a hardware device, or a combination of the two, designed to counter the risks and dangers coming from outside into the internal network. It is usually placed between the internal network we need to protect and the Internet, and it blocks some of the network traffic.
Figure 2-1: Position of the Firewall on the network
With this arrangement, all traffic entering the internal network from the Internet, and conversely all traffic leaving the internal network for the Internet, must pass through the Firewall. The Firewall can therefore inspect the traffic and decide whether or not to allow it. Allowing or refusing here is based on the security policy set by the Firewall's administrator.
The Firewall plays the role of controlling these services. It establishes a security policy that allows the services satisfying the rule set active on the Firewall. Depending on the technology chosen to build the Firewall, it can enforce security policies with differing effectiveness.
c. A Firewall can log activity efficiently
Because all traffic passes through the Firewall, it is the ideal place to gather information about the system and the use of the network. The Firewall can record what happens between the protected network and the outside network.
1.2.2 Disadvantages
A Firewall can protect a network effectively, but it is not everything. A Firewall has its own shortcomings.
a. A Firewall cannot protect against attacks from the inside
If the attacker is on the inside of the Firewall, it cannot help us. The attacker steals data, damages hardware and software, and modifies programs without the Firewall knowing.
b. A Firewall cannot protect against attacks that do not pass through it
A Firewall can control traffic effectively, provided the traffic goes through it. However, it can do nothing about traffic that does not pass through it. For example, what if dial-up access is allowed to connect to the system on the inside of the Firewall? Then it cannot defend against an attack coming through the modem connection, which may be the result of a backdoor installed by an administrator or by a skilled user.
c. A Firewall cannot protect against completely new kinds of attack
A Firewall is designed to counter only known kinds of attack. A well-designed Firewall may also resist attacks carried out in entirely new ways. The administrator must keep up with new attack methods and combine them with known experience to update the Firewall. A Firewall cannot be installed once and used forever.
d. A Firewall cannot protect against viruses
A Firewall cannot help a computer resist viruses. Many Firewalls do scan incoming traffic to check that it conforms to the configured rule sets, but a Firewall only checks the source address, destination address and port number of a packet; it cannot examine its content. And that is without counting the many kinds of virus and the many ways a virus can hide inside data. Next we look at the basic functions of a Firewall.
It may be said that a real Firewall needs at least one of the following functions:
Packet Filtering: the Firewall inspects the header of each packet and decides whether to let it through or discard it according to the configured rule set.
Application Proxy: with this capability the Firewall examines packet headers more thoroughly, thanks to its understanding of the specific protocol the application uses.
Network Address Translation (NAT): outside machines see only one or two network addresses belonging to the firewall, while the machines on the internal network may take values from any
range whatever; the packets coming in and going out then have their source and destination addresses translated.
Monitoring and Logging: this capability tells the administrator what is happening at the Firewall, so that better protective measures can be devised.
A Firewall may also have some extended functions, such as:
Data Caching: because different users make exactly the same requests for Web sites, caching the data makes answering faster and more efficient.
Content Filter: the Firewall's rules can block requests for Web pages containing certain keywords, URLs or other data such as video streams and images.
Intrusion Detection: the ability to detect intrusions and attacks.
Other functions: the ability to detect and scan for viruses.
Below we examine in detail the three basic functions of a Firewall: Packet Filtering, Application Proxy and Network Address Translation.
As introduced in the previous chapter, every packet has a header. The information in the header includes the following fields:
- Source IP address
- Destination IP address
- Protocol in use
- Source TCP (UDP) port
- Destination TCP (UDP) port
- ICMP message type
The packet filter relies on this information to make the final decision on whether to let the packet through. In addition, the packet filter can determine further information that is not in the packet header, such as:
- The network interface the packet arrived on (for example eth0 in Linux)
- The network interface the packet will leave by (for example eth1)
In practice, the servers for Internet services are concentrated on a particular port, so to block connections it is enough to configure the router's packet-filtering rule set by the corresponding port number. For example an HTTP server uses port 80 by default, an FTP server port 23. So a Screening router, besides the ordinary routing function of forwarding packets, can also filter the packets passing through it. The Screening router reads each packet more carefully and from that decides whether or not to let it reach its destination. Whether packets are allowed through depends on the packet-filtering rules with which the screening router is configured. This gives the ways of performing packet filtering: filtering by address, filtering by type of service or port, and filtering by both address and port.
Filtering by address
This is the simplest way; it lets us steer packets according to their source or destination address without needing to know which protocol the packets belong to. The risk of address-based filtering is immediately apparent: an attacker uses a forged IP address to get past the packet-filtering module and reach the machines on the protected internal network. Two kinds of attack based on IP address forgery are source address spoofing and man in the middle. The way to solve this problem is to apply user authentication to the packets.
Filtering by service
Most applications on a TCP/IP network operate on a Socket consisting of an IP address and a port number, so filtering packets by service amounts to filtering packets by port number. For example, Web applications using HTTP usually run on port 80, the Telnet service runs on port 23, and so on. Filtering may be based on the source port, the destination port, or both.
The risk of filtering by port number is that a great many client/server applications use random port numbers in the range 1023-65535. Setting up rules that way is then very difficult, and it may let dangerous packets through while blocking packets that are needed.
2.1.2 Packet Filtering operations
After inspecting a packet, Packet Filtering can do one of the following:
- Let the packet through: if the packet satisfies the conditions in the packet filter's configuration, it is forwarded to its destination.
- Discard the packet: if the packet does not satisfy the conditions in the Packet Filtering configuration, it is dropped.
- Log the activity: we do not need to log every packet that is let through, only a few events concerning some of those packets. For example, logging the first packet of each TCP connection lets us track the TCP connections entering and leaving the protected network. Above all we log the discarded packets, since we need to watch which packets are trying to get through while they are forbidden.
2.1.3 Advantages and disadvantages of Packet Filtering
a. Advantages
Transparent.
Can filter any service that uses the protocols the Firewall supports.
A single Screening Router is enough to protect the network: this is a main advantage of Packet Filtering, because it is a single point and the hosts on the protected network need not be changed when the size of the network changes.
Unlike a Proxy, it does not require users to learn how to use it.
b. Disadvantages
One must understand the protected network and the protocols used on it well.
No user authentication; packet filtering is based only on the network address of the hardware system.
Does not hide the internal architecture of the protected network.
Does not protect against the weaknesses of services that are not filtered.
With DHCP the filtering results are not accurate.
Some protocols are not suited to packet filtering.
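To show how the header fields of 2.1.1, the three operations of 2.1.2 and the default-deny stance of 4.3.5 fit together, here is a small first-match packet filter as an added example; it is not the thesis's code. The internal network 10.0.0.0/8, the web server 10.0.0.5, the interface names and the sample packets are assumptions; eth0 is taken as the external interface and eth1 as the internal one.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    in_iface: str = "eth0"      # interface the packet arrived on (eth0 = external, assumed)
    out_iface: str = "eth1"     # interface it would leave by
    flags: str = ""             # TCP flags, "SYN" marks the start of a connection
    icmp_type: Optional[str] = None


@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    src: str = "0.0.0.0/0"               # source network, any by default
    dst: str = "0.0.0.0/0"               # destination network, any by default
    proto: Optional[str] = None          # None matches any protocol
    dport: Optional[range] = None        # None matches any destination port
    in_iface: Optional[str] = None       # None matches any inbound interface
    icmp_type: Optional[str] = None      # None matches any ICMP type

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or (p.dport is not None and p.dport in self.dport))
                and (self.in_iface is None or self.in_iface == p.in_iface)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))


@dataclass
class PacketFilter:
    rules: list
    log: list = field(default_factory=list)

    def decide(self, p: Packet) -> str:
        """First matching rule wins; if none matches the packet is dropped
        (default deny), so a missing rule fails safe rather than open."""
        for i, r in enumerate(self.rules):
            if r.matches(p):
                action = r.action
                break
        else:
            i, action = None, "deny"
        if action == "deny":
            # Log every drop: these are the packets trying to get through while forbidden.
            self.log.append(f"DROP rule={i} {p.proto} {p.src}:{p.sport} -> "
                            f"{p.dst}:{p.dport} in={p.in_iface}")
        elif p.proto == "tcp" and p.flags == "SYN":
            # Log only the first packet of an allowed TCP connection, not every packet.
            self.log.append(f"NEW-TCP rule={i} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return action


# Constructed policy for a screening router in front of 10.0.0.0/8 (assumed).
POLICY = [
    # Anti-spoofing: an external packet claiming an internal source address is
    # the forged-address risk described under "Filtering by address".
    Rule("deny", src="10.0.0.0/8", in_iface="eth0"),
    # Web server reachable from outside on port 80 only.
    Rule("allow", dst="10.0.0.5/32", proto="tcp", dport=range(80, 81), in_iface="eth0"),
    # Internal hosts may ping out; nobody outside may ping in.
    Rule("allow", src="10.0.0.0/8", proto="icmp", icmp_type="echo-request", in_iface="eth1"),
    Rule("deny", proto="icmp", icmp_type="echo-request", in_iface="eth0"),
    # No rule for Telnet (23): such packets fall through to the default deny.
]


def run_sample():
    pf = PacketFilter(POLICY)
    decisions = [
        pf.decide(Packet("203.0.113.9", "10.0.0.5", "tcp", 40001, 80, flags="SYN")),
        pf.decide(Packet("10.0.0.9", "10.0.0.5", "tcp", 40002, 80, in_iface="eth0")),
        pf.decide(Packet("203.0.113.9", "10.0.0.5", "tcp", 40003, 23, flags="SYN")),
        pf.decide(Packet("203.0.113.9", "10.0.0.5", "icmp", icmp_type="echo-request")),
        pf.decide(Packet("10.0.0.9", "198.51.100.1", "icmp", in_iface="eth1",
                         out_iface="eth0", icmp_type="echo-request")),
    ]
    return decisions, pf.log
```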
2.2 Proxy
2.2.1 Concept
Hosts with a direct connection to the outside network that provide certain services to the other hosts on the protected network are called Proxies. Proxies effectively act as gateways for the services, which is why they are also called Application level gateways. Transparency to the user is the benefit of a Proxy. The Proxy collects the service requests of the client hosts, checks them, passes the acceptable ones on to the appropriate servers, then receives the replies and returns them to the client.
Figure 2-3: Proxy Server
The Proxy runs on a Dual-homed host or a Bastion host. All hosts on the internal network that want to reach the Internet must go through the Proxy, so we can apply security policies for the network such as writing log files and setting access rights.
2.2.2 Advantages and disadvantages of a Proxy
a. Advantages
- Security rules are easy to define
- Performs user authentication
- Can hide the internal architecture of the protected network
- Transparent to the user
- Log files are easy to write
b. Disadvantages
- Demands more of the system administrator than Packet Filtering
- Cannot be used for new services
- Each service needs its own Proxy
- A Proxy cannot be implemented for some services
2.2.3 Proxy operations
For most services the Proxy needs the corresponding Proxy software on the server side, while on the client side it requires one of the following:
- Custom client software: with this approach, when the client makes a request this software connects to the Proxy rather than directly to the Server, and only tells the Proxy the address of the Server to connect to.
- Custom user procedures: the user uses standard client software to connect to the Proxy server and asks it to connect to the real server.
2.2.4 Proxy classification
There are many criteria for classifying Proxies; they can be divided into the following kinds:
- Application-level and Circuit-level Proxy
An Application-level Proxy knows the specific applications it serves. It understands and interprets the application-layer protocol commands, for example for the Sendmail application. A Circuit-level Proxy creates a connection path between client and server without interpreting the commands of the application-layer protocol. A common form of Circuit-level Proxy is the hybrid proxy gateway, which acts as a proxy towards the outside network but as a packet filter towards the inside network. In general, an Application-level Proxy uses custom user procedures while a Circuit-level Proxy uses custom client software. An Application-level Proxy can receive information from outside through the application-layer protocols, whereas a Circuit-level Proxy cannot interpret the application-layer protocols and needs additional information to be supplied before it can let data through. Its advantage is that it provides service for many different protocols. Most Circuit-level Proxies are generic proxies, that is, they fit almost any protocol. Their disadvantage is that they provide few controls on the Proxy and are easily fooled by attaching common services to ports other than the ones they normally use.
- Generic Proxy and Dedicated Proxy
Although the two notions of Application-level Proxy and Circuit-level Proxy are commonly used, we also usually distinguish between a Dedicated Proxy Server and a Generic Proxy Server. A Dedicated Proxy Server serves a single protocol, while a Generic Proxy Server serves many protocols. Evidently an Application-level Proxy is a form of Dedicated Proxy Server and a Circuit-level Proxy is a form of Generic Proxy Server.
- Intelligent Proxy
A Proxy server that can do more than simply forward requests from clients is called an intelligent Proxy server. For example the CERN HTTP Proxy and the Squid Proxy can cache data, so when there are many requests for the same data they no longer go outside but return the cached result to the user straight away. This saves time and transmission cost. These proxies provide better logging and access-control capabilities than could be achieved by other measures.
2.2.5 Using a Proxy with Internet services
Because a Proxy intervenes in many of the communications between client and server, it has to adapt to the needs of each service. Some services work simply, but once a Proxy is added they work far more complexly. The ideal service for proxying creates a TCP connection in one direction only and has a safe command set. Hence proxying TCP is altogether simpler than proxying UDP, and for a lower-layer protocol such as ICMP a Proxy is practically impossible.
Figure 2-4: Network address translation
NAT was originally introduced to save IP addresses, because the 32-bit IP addresses allocated to organisations would quickly run out. But NAT turned out to have effects beyond its original design purpose. With NAT, every computer on the internal network has an IP address from a private range, for example 10.0.0.0/8, and these addresses are not used on the Internet. When a machine on the internal network wants to connect to the Internet, the NAT computer replaces the private IP address (for example 10.65.1.7) with the fixed IP address supplied by the ISP (for example 23.1.8.3), so the packet is sent out with source IP address 23.1.8.3; on receiving the reply it changes the destination IP address back to 10.65.1.7. The model of Network Address Translation is shown in the figure above. NAT saves IP address resources because the addresses of the hosts on the internal networks of different organisations can be identical. When more than one computer on the internal network needs to connect to the Internet at the same time, the NAT computer must have several public IP addresses, one for each internal computer. With today's NAT services the NAT computer needs only one public IP address, because besides translating the IP address it also changes the port number, and every machine on the local network is assigned a different port number. Since there are about 65,535 port numbers, one NAT computer can manage a local network of thousands of computers. The technique of changing port numbers is called Network Address Port Translation (NAPT). From this we also see the security property of NAT: it can hide the IP addresses of the computers on the protected network. This is an advantage the firewall takes advantage of: the outside world can only see the network interface with the public IP address.
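The NAPT behaviour described above, as an added example that is not the thesis's code: a translation table that rewrites outbound packets from 10.0.0.0/8 to the single public address 23.1.8.3 (the addresses the text uses), allocates a distinct public port per internal (address, port) pair, reverses the mapping for replies, and drops inbound packets for which no mapping exists, which is the hiding property the text describes. The external server and scanner addresses, the port pool and the sample traffic are constructed.

```python
from ipaddress import ip_address, ip_network


class NAPT:
    """Network Address Port Translation table for one public address."""

    def __init__(self, public_ip="23.1.8.3", private_net="10.0.0.0/8",
                 first_port=10000, last_port=65535):
        self.public_ip = public_ip
        self.private_net = ip_network(private_net)
        self.next_port = first_port          # assumed pool of translated ports
        self.last_port = last_port
        self.out_map = {}   # (private_ip, private_port) -> public_port
        self.in_map = {}    # public_port -> (private_ip, private_port)
        self.dropped = []   # inbound packets that matched no mapping

    def _allocate(self, key):
        """Reuse an existing mapping or hand out the next free public port."""
        if key in self.out_map:
            return self.out_map[key]
        if self.next_port > self.last_port:
            raise RuntimeError("port pool exhausted")
        port = self.next_port
        self.next_port += 1
        self.out_map[key] = port
        self.in_map[port] = key
        return port

    def outbound(self, src, sport, dst, dport):
        """Packet leaving the internal network: the private source address and
        port are replaced by the public address and an allocated port."""
        if ip_address(src) not in self.private_net:
            raise ValueError("source is not on the private network")
        pub_port = self._allocate((src, sport))
        return (self.public_ip, pub_port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Packet arriving from the Internet: it is delivered only if it answers
        an existing mapping; otherwise no internal host is reachable and the
        packet is dropped. Returns the rewritten packet or None."""
        key = self.in_map.get(dport)
        if dst != self.public_ip or key is None:
            self.dropped.append((src, sport, dst, dport))
            return None
        priv_ip, priv_port = key
        return (src, sport, priv_ip, priv_port)


def run_sample():
    nat = NAPT()
    # Two internal hosts use the same source port towards the same web server;
    # NAPT keeps them apart by giving each its own public port.
    a = nat.outbound("10.65.1.7", 40000, "198.51.100.80", 80)
    b = nat.outbound("10.65.1.8", 40000, "198.51.100.80", 80)
    # The server's replies are routed back by the translated destination port.
    reply_a = nat.inbound("198.51.100.80", 80, "23.1.8.3", a[1])
    reply_b = nat.inbound("198.51.100.80", 80, "23.1.8.3", b[1])
    # An unsolicited connection attempt from outside has no mapping and is dropped.
    unsolicited = nat.inbound("203.0.113.9", 4444, "23.1.8.3", 22)
    return a, b, reply_a, reply_b, unsolicited, nat.dropped
```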
Does NAT hide the IP addresses of the hosts on the internal network? Does the application Proxy separate the protected internal network from the outside network? Beyond that, logging tells us the current connections in the system, information about discarded packets, and which computers are trying to break into our system. Here are four reasons for a Firewall to perform monitoring and logging:
Useful reporting information: we want to aggregate information to learn the performance of the Firewall system, status information, and even changes to users' accounts with the services.
Intrusion detection: if a hacker penetrates our network, the hacker has time to stay inside and carry out actions that damage the system. Regular monitoring of the log files can reveal clues that provide evidence of an intrusion into our network.
Discovering new attack methods: once we have successfully detected an intrusion, we still need to make sure the hacker has stopped and cannot do it again in the same way as before. This requires careful analysis of all the log files, in the hope of finding the traces the hacker left when entering our network and of learning when our network was first penetrated. From the analysed information we may also discover Trojan horse applications installed on our system.
Legal evidence: a further benefit of log files is that they constitute legally usable evidence. The log files are evidence of the hacker's first intrusion into the system and of his subsequent actions on it.
practical requirements and purposes, a Bastion host can be used as one form of Firewall architecture.
3.1.1 Main principles of a Bastion host
There are two main principles in designing and building a Bastion host:
- Simplicity
- Always be ready for the Bastion host to be attacked
a. Simplicity
A simple Bastion host is also easy to secure. Any service on the Bastion host may contain software or configuration bugs, and those bugs can cause security problems. So the fewer tasks the Bastion host performs, the better. Only a small number of services should run on the Bastion host, together with a least-privilege regime.
b. Always be ready for the Bastion host to be attacked
Whatever the protection, the bastion host will at some point be attacked and broken into. We must assume the worst that can happen to the Bastion host and plan for it. If the Bastion host falls, there must be measures so that the attacker cannot go on to harm the internal network. One of them is to configure the hosts on the internal network not to trust the bastion host absolutely. The services the bastion host provides to the internal hosts need close scrutiny; the trustworthiness and privileges of each such service must be checked. There are many ways to do this, for example installing a packet filter between the Bastion host and the internal hosts, or setting passwords on each host.
3.1.2 Kinds of Bastion host
There are many ways to configure a Bastion in a network. Besides the two main Bastion host configurations, the screened host and the hosts providing services on a screened network, there are other kinds of Bastion host. They are configured much like the two above but have additional special requirements. Some Bastion models:
- Nonrouting Dual-homed host
- Victim Machine
- Internal Bastion host
a. Nonrouting Dual-homed host
A Nonrouting Dual-homed host has several network connections but does not forward data between them. Each such host can itself be a firewall or part of a firewall.
b. Victim Machine
For a new service whose security we cannot yet guarantee, choosing a Victim Machine is entirely reasonable. There is nothing special on the Victim Machine, and there is no access to other hosts from the Victim Machine.
We provide only the minimum needed to use the services we want on the Victim Machine. If possible, only the unsafe, unverified services are provided there, to contain unexpected effects.
2.3.4 Position of the Bastion host on the network
The Bastion host should be placed where there is no confidential traffic. Most Ethernet and Token ring network interfaces can operate in promiscuous mode, in which they can capture all the packets on the network they are connected to. Some other network interfaces, such as FDDI, cannot capture every packet, but depending on the network architecture they can capture some packets not addressed to them. This capability is very useful for network analysis, testing and debugging, for example with the tcpdump program. But consider how dangerous it is if an attacker uses it to snoop on and tamper with the data flows on the network. We must provide for the worst case, the Bastion host being compromised, and in that case we do not want the attacker to use the Bastion host to interfere with traffic. One solution is not to put the Bastion host on the internal network but on the perimeter network. All traffic within the internal network then stays on the internal network and cannot be observed from the perimeter network. Bastion hosts on the perimeter network only see packets from themselves to the Internet and from the Internet to themselves. Using a perimeter network together with packet-filtering routers between it and the internal network adds further advantages: it limits the exposure of the internal network to the outside network. Alternatively the Bastion host can be placed somewhere on the network that is less easily snooped on, for example on an intelligent 10base hub, an Ethernet Switch or an ATM network. With this option, make sure that no host trusts the Bastion host absolutely. In short, the best approach is to isolate the Bastion host from the internal network; the practical way is to put it on the perimeter network. The internal network then remains protected even if the Bastion host is compromised.
Note: do not allow user accounts on the Bastion host. If at all possible, allow no user accounts on the Bastion host, for the following reasons:
+ These accounts themselves may be compromised
+ The services supporting these accounts may be compromised
+ They reduce the stability and trustworthiness of the Bastion host
+ They make attackers harder to detect
+ The Bastion host may be compromised simply through someone's carelessness
Figure 2-5: Dual-homed host architecture
This architecture is relatively simple: a Dual-homed host sits in the middle, connected to the outside network and the inside network. The Dual-homed host provides a high degree of control. Although its architecture is simple, a great deal of work is needed to exploit its advantages fully.
Figure 2-6: Screened host architecture
Because the screened host architecture lets packets travel from the Internet into the internal network, it carries more risk than the Dual-homed host architecture. Even so, in practice the Dual-homed host can fail and let packets into the internal network. Furthermore, protecting a router is easier than protecting a host, so this architecture is safer and more convenient.
Figure 2-7: Screened subnet architecture
This architecture remedies the weakness of the Screened host architecture, where the bastion host sits on the internal network and, once the bastion host is compromised, the whole protected network is compromised (if the hosts trust the bastion host absolutely).
By isolating the bastion host on the perimeter network, the risks in case the bastion host is broken into can be reduced. In the simplest Screened subnet architecture, two screening routers connect to the perimeter network: one router (the interior router) sits between the perimeter network and the internal network, the other (the exterior router) between the perimeter network and the Internet. To break into the internal network the attacker must get past both routers, and even after taking the bastion host must still get past the interior router. Depending on specific requirements, one or several perimeter networks may be used.
Basic components of the screened subnet architecture
a. Perimeter network
The perimeter network is an extra protective layer added between the internal network and the outside network. If an attacker breaks through our Firewall, the perimeter network gives us one more layer of protection. If the attacker takes the bastion host on this network, he can only find the information on the bastion host itself. All traffic on the perimeter network originates from or goes to the bastion host, or originates from or goes to the Internet. Since no traffic from the internal network crosses the perimeter network, the internal network stays safe even if the bastion is compromised.
b. Bastion host
In the screened subnet architecture the bastion host is added to the perimeter network. It is the main point of contact receiving connections from outside. Outbound services (from internal clients to Internet servers) are handled in one of two ways:
+ Install Packet Filtering on both the exterior router and the interior router and let internal clients reach outside servers directly.
+ Install a Proxy server on the bastion host and let internal clients reach outside servers indirectly. Packet Filtering can be set up to allow connections to the Proxy on the bastion host while blocking direct connections between internal clients and outside servers.
In both cases Packet Filtering lets the bastion host connect to servers and hosts on the outside Internet.
c. Interior router
Also called the choke router, it protects the internal network from the Internet and from the perimeter network. In practice it allows most connections from the perimeter network outward and performs the packet-filtering function of the Firewall.
The services the interior router allows between the bastion host and the internal hosts are not the same as those the exterior router allows between the perimeter network and the Internet. The reason for limiting the services between the bastion host and the internal network is to reduce the number of hosts that can be attacked when the bastion host is compromised.
d. Exterior router
Also called the access router, it protects both the internal network and the perimeter network. In practice it allows most connections from the perimeter network outward and does very little packet filtering. Only the truly special filtering rules on the exterior router protect the hosts on the perimeter network; the remaining rules are usually a repetition of those on the interior router. A Proxy can be installed on the exterior router to support connections from the bastion host outward.
Chapter 3: THE LINUX OPERATING SYSTEM
Overview of the Linux operating system
Networking in Linux
IPtables
The topics covered in this chapter are an overview of the Linux operating system and networking in the Linux environment, followed by IPTables, a tool for building a Firewall system on Linux.
o Managing resident daemons
o Virtual memory management: to run many processes at once with limited memory, Linux must organise an area on disk as a memory area (virtual memory). The kernel must swap data between memory and virtual memory.
o Process management: as we know, Linux is a multiprogramming operating system, so managing concurrent processes is very complex. It must handle process creation and termination as well as the conflicts that can arise.
o Managing device drivers.
o Network management: covering many different hardware devices and procedures.
o Managing system start-up and shutdown.
1.2.2. Device drivers
Linux represents physical devices as special files. A special file has an entry in a directory and a file name, so Linux lets the user define device names. Devices are divided into two kinds: character and block.
- Character devices read and write streams of characters (for example terminals)
- Block devices read and write data in fixed-size blocks (for example disks)
A device can be renamed like a file. The directory containing the device files is /dev.
1.2.3. Commands and utilities
Linux commands and utilities are very diverse. A Linux command has the form:
$ command-name [options] [arguments]
1.2.4. Shell
The shell is the user's command processor; it lets the user build very complex commands from simple ones. We can regard the shell as a high-level programming language. The main functions of the Linux shell are:
o I/O control and redirection
o Environment variables
o Command execution
o Built-in command library
o File-name expansion
o Programming language and environment
Three kinds of shell are in use today, each with its own syntax:
Bourne-Shell: the most basic shell, fast and efficient but with few commands.
C-Shell: like the Bourne-Shell but adding control structures,
history and aliases.
Korn-Shell: combines the Bourne-Shell and the C-Shell.
1.2.5. Windows and Graphical User Interface
The graphical and windowing interface is a very powerful capability of Linux; it lets the operating system interact with the user in a friendlier way. Linux currently installs X-WINDOW (X11) as its graphical management environment. On Sun it is used under the name OpenWin.
1.3 Shell script programming
1.3.1. What is the Shell?
The role of the Shell is to convert the commands typed by the user into operating-system commands. For example:
$ sort -n phonelist > phonelist.inorder
sorts the lines of the file phonelist in numerical order and puts the result in the file phonelist.inorder. When we type a command line, the Shell converts it as illustrated below:
Figure 3-1: Functional model of the Shell
1.3.2. Kinds of Shell
Because Linux is completely free and open source, there are also many different Shells. The main Shells running under Linux today are: Bourne Again shell (BASH), Bourne shell (SH), C shell (CSH), Korn shell (KSH), TSH (an improved C shell) and ZSH (Z shell). To find out which shell you are using, run the following command:
$ echo $SHELL
1.3.3. Writing and running shell programs
At its simplest, a shell program is a file containing shell or Linux commands. For example, to mount a Windows FAT32 partition we write a shell program like this:
$ mkdir /mnt/windows
$ mount -t vfat /dev/hda3 /mnt/windows
Save these in a text file, for example seewwinflinux.txt. To run seewwinflinux.txt there are several ways:
$ chmod +x seewwinflinux
and then simply invoke seewwinflinux.txt from the command line. Or pass it as an argument, for example with tcsh:
$ tcsh seewwinflinux
Or use the dot (.) command:
. seewwinflinux

1.3.4. Basic command structures of the shell:
Conditional statements: + the if statement + the case statement
Loop statements: + for + while + until + repeat
The shift statement: shift moves the command-line parameters (the arguments typed when the command is invoked are kept in the variables named 1, 2, ...) by one position, or by a specified number of positions. Syntax: shift by one position: shift; shift by a given number of positions: shift number.
Operators used in the test command or in conditional expressions: + string operators + file and directory operators + logical operators + integer operators
Using subprograms or functions in shell scripts: the shell lets us define our own functions, which are treated like functions in C and other programming languages. Functions make a program clearer, better structured and easier to understand, and avoid writing duplicated code. The syntax of a shell function is:
function-name ( ) {
    command1
    command2
    ...
    commandN
    return
}
Once the function is defined, it is called as: fname [arg1 arg2 arg3 ...]. Arguments passed to a function behave like the positional command-line parameters of an ordinary shell program. Note that the function is lost when the computer is restarted, because functions only exist for the current session. To keep them, save the functions in a file in the following directory (note: you must be logged in as root):
Figure 3-2: Interfaces, drivers and devices (diagram: the interfaces eth0, eth1, eth2, eth3 sit on top of drivers such as the SMC driver and the 3Com driver, which in turn sit on the networking hardware)

Some interfaces in Linux:
+ lo: the loopback interface, used for testing. The kernel always contains a driver for this interface.
+ ethn: the interface for the (n+1)-th Ethernet card. This is the generic name for all Ethernet cards.
+ dln: the interface for the D-Link DE-600 adapter, another kind of Ethernet device, which is driven through the parallel port instead of the computer's ISA or PCI slots.
+ sln: the SLIP interface, bound to a serial port. Linux supports 4 SLIP interfaces.
+ pppn: the PPP interface. Like a SLIP interface, a PPP interface is bound to a serial port once that port is switched to PPP mode.
+ plpn: the PLIP interface, which carries IP packets over the parallel port. The Linux kernel supports 3 PLIP interfaces.
Netfilter is the packet filtering / packet mangling / NAT framework of the Linux 2.4 kernel. It is a generalized framework of hooks in the network stack: any kernel module can register at one or more of these hooks and will then receive every packet that passes through them. Netfilter hooks currently exist for IPv4, IPv6 and DECnet. There are five hooks in the Linux kernel, as shown in the figure below.

Figure 3-3: Netfilter hook diagram

Essentially, each hook can decide to drop a packet or pass it on. Assuming the packet survives the first hook, it proceeds to routing. Routing means looking up the FIB (forwarding information) table to find a routing entry matching the packet's destination IP address. The next step is route matching, which determines the route on which the packet will be sent. Because a lookup in the FIB structure is expensive, a routing cache holds the routes currently in use. The cache is searched with a hash function that combines the source and destination addresses, so two packets sharing these fields are routed the same way in the next step; multipath routing is impossible without changes to the cache. After this step the packet is ready to be forwarded. During the routing phase the skb->dst field is set. Next, the input method matching the destination is called. In this phase the TTL field of the IP header is decremented and the MTU (maximum transmission unit) of the outgoing network interface is checked: if the MTU is smaller than the packet, the packet is fragmented; otherwise it can be transmitted directly on that interface. ICMP messages are also generated in this phase. If the information needed to pass the packet to the next hop is not known, an ARP packet is sent to determine the hardware address of the next network interface. Once that information is available, the MAC field is rewritten and the packet is ready to be sent on to the next hop. The Packet Capture library (libpcap) provides a high-level interface to the packet sniffing and capture system. Every packet on the network, including broadcast packets, can be accessed through this mechanism.
Libipq is a library developed to support queuing iptables packets in user space. Linux Netfilter provides a mechanism to pass packets out of the stack to be queued in user space, then to receive them back into the kernel and decide what to do with them (accept or drop). These packets can be modified in user space before they are handed back to the kernel.
III. IPTables
3.1. Introduction to iptables
To use the firewall built into Linux, we must make sure the operating system was installed with the iptables package. iptables is the most common Linux firewall, and most Linux distributions install it by default. iptables is a command that tells the kernel how to handle network traffic; for example, you can use iptables to drop IP packets, forward them, or perform address translation (NAT). The necessary concepts and Linux components are:

Tables: also called the filter table, the place where the set of rules is stored and where we define most of the rules applied to inbound and outbound traffic. If we do not name a specific table, the default table is used. The NAT table holds the rules for NAT. The MANGLE table is responsible for advanced routing.

Chains: the heart of the Linux firewall. Linux uses chains as sets of rules that it applies when filtering traffic. There are three main chains, each of them part of the filter table.
Input chain: applies to all traffic destined for the firewall itself. For example, if we want an administrator to control the firewall remotely, we configure a rule in the input chain that allows traffic on the port the administrator's tool uses.
Output chain: applies to all traffic leaving the firewall. For example, if the firewall needs to contact a DNS server for name lookups, we must configure the output chain to allow that traffic.
Forward chain: applies to all traffic that the Linux firewall handles on behalf of other machines. For example, if our firewall passes traffic from client machines out to the Internet, we must configure the forward chain to allow it.

SNAT, DNAT and masquerading: these are different kinds of NAT. SNAT changes a packet's source address before sending it on, usually to hide the client's IP address when it connects to the outside. DNAT changes a packet's destination address, which is typically how a proxy server is made transparent to the client. Masquerading also hides the internal clients from the outside world; it is used when our external IP address changes with every connection, e.g. a dial-up Internet connection.
54
n tt nghip
Packets originating on the local host: Table 2

Step  Table   Chain        Comment
1     -       -            Local process/application (e.g. a server/client program)
2     -       -            Routing decision: which source address and which network interface to use
3     Mangle  OUTPUT       Mangle the packets
4     Nat     OUTPUT       NAT for packets going out to the external network
5     Filter  OUTPUT       Filter all outbound traffic
6     Mangle  POSTROUTING  Used when we want to modify packets before they leave the host
7     Nat     POSTROUTING  Perform source address translation (SNAT)
8     -       -            Out through the network interface (eth0)
9     -       -            On the wire (e.g. the Internet)

Forwarded packets: Table 3

Step  Table   Chain        Comment
1     -       -            On the wire (e.g. the Internet)
2     -       -            Enters the network interface (e.g. eth0)
3     Mangle  PREROUTING   Used to modify packets, e.g. change the TOS
4     Nat     PREROUTING   Mainly used for DNAT
5     -       -            Routing decision: is the packet destined for localhost, or is it to be forwarded
6     Mangle  FORWARD      Used for special needs: mangling packets after the initial routing decision but before the final routing decision that puts the packet on the external wire
7     Filter  FORWARD      Only forwarded packets enter this chain; the filtering rules for packets are applied here
8     Mangle  POSTROUTING  Used for special requirements after all routing decisions, while the packet is still on the machine
9     Nat     POSTROUTING  Used for SNAT
10    -       -            Out through the network interface (e.g. eth1)
11    -       -            On the wire (e.g. the LAN)
Remaining entries of the iptables command table: -X <chain>, -F [<chain>], -h

iptables targets: the actions Linux performs on a packet. The following table describes the common targets.

Table 5

Target             Description
DROP               When a rule sends a packet to the DROP target, the packet is discarded without any notification.
REJECT             The packet is also discarded, but Linux sends an ICMP packet back to the source.
ACCEPT             Lets the packet pass through the firewall, whether it is leaving or entering the network.
LOG                Means the packet is logged; usually used in user-defined chains.
SNAT               Used only with the PREROUTING chain in the NAT table. It changes the source address to an address we define. Used for packets entering the network behind the firewall.
DNAT               Used only with the PREROUTING chain in the NAT table. It changes the destination address to an address we define. Usually used for packets entering the network.
MASQUERADE         Performs NAT for packets when the firewall has a dynamic IP address, as when we connect to the Internet by dial-up. This target is used only with the POSTROUTING chain in the NAT table.
user chain         Substitute the name of the user-defined chain for "user chain".
iptables options and conditions: options are the last component of an iptables command that we need to specify when building firewall rules. Options determine how the command is processed. Usually the options are conditions that are checked before a command is executed; Linux evaluates these conditional expressions to decide whether the command is executed or skipped. The following table lists the common conditional expressions.

Table 6

Option                           Description
-p protocol                      Specifies which protocol the rule applies to. The protocol parameter can be tcp, udp or icmp; we can also use a protocol name if it is listed in /etc/protocols, or the protocol number. For all protocols use the number 0 or the word all. To name several protocols, separate them with commas.
-s source_address[/mask]         Specifies the packet's source address. For example 192.168.1.1 matches packets with the address 192.168.1.1, while 192.168.1.0/24 matches the range 192.168.1.0 to 192.168.1.255.
-d destination_address[/mask]    Specifies the packet's destination address, in the same way as the source IP address.
-i interface                     Specifies the network interface on which incoming packets are received. For example, to refer to all packets arriving on the interface eth0: -i eth0.
--destination-port port          Like --source-port.
--source-port port               Specifies the source port of a TCP or UDP packet. Because only these protocols use ports, it is used only together with -p udp or -p tcp. For example -p udp --source-port 53 refers to all UDP packets with source port 53; -p tcp --source-port 0:1023 refers to all packets with a source port from 0 to 1023. If the service is listed in /etc/services we can use the service name instead of the port number.
-o interface                     Like the -i option, but refers to packets going out through the network interface.
--syn                            For example -p tcp --syn checks whether a packet is part of a new TCP connection.
--icmp-type type                 For example -p icmp --icmp-type source-quench, or -p icmp --icmp-type 0; covers all ICMP packet types.
!                                Not a condition on its own; applied to any other condition it negates it. For example -p 47 versus -p !47.
-j target                        Also not a selection expression. It states that the packet is sent to a given target, e.g. -j DROP means the packet is dropped.
Contents of this chapter:
Overview of the system
Model and functional specification of the BKWall system
Analysis and design of the BKWall system
Integration, installation, testing and evaluation of the BKWall system
+ Supports a programming interface through the libipq library, which can be combined with Snort's inline mode.

Web-based control interface: the BKWall system is built on a Linux server. Direct access to this server for configuration or control usually goes over telnet or ssh and through a command-line interface, which is very inconvenient. BKWall's control system is therefore built as a web interface with the following characteristics: it uses the Apache web server, bundled with most Linux distributions; it uses the https protocol; it authenticates over SSL with a digital certificate.

Perl CGI: the Perl language and CGI technology were used to build the control and monitoring part of BKWall for the following reasons. Perl is a powerful text-processing language, well suited to manipulating configuration files and Snort rule files. Perl interacts closely with the Linux system, which is necessary for controlling a system that integrates as many components as BKWall. Building web applications in Perl requires CGI. Although CGI is no longer a recommended technology and carries many security holes, in BKWall's case the CGI application is reachable only from inside the LAN and over an SSL channel, so it can be trusted.
Module construction and unit-testing phase: build the new modules and adjust the existing ones; test these modules.
Integration and system-testing phase: integrate the newly built modules with the open-source modules; integration-test the whole system.
Deployment and maintenance phase: BKWALL is deployed experimentally and maintained on the internal network of the system software and security solutions department of the Misoft company.
1.5 Expected results
From the objectives set out and the technical solutions chosen, the BKWall system is expected to achieve the following concrete results: successful integration of the chosen components; good operation when tested on small and medium-sized networks; all the basic and necessary functions of a firewall gateway; ease of configuration and reliability.
Figure 4-2: Functional specification of the BKWall system

Use case details:
UC1: Start/stop BKWall: the system administrator starts, stops or restarts BKWall.
UC2: Configure BKWall: the system administrator sets and changes the configuration parameters for running BKWall.
UC3: Manage the network configuration: manage the system's network connections, such as setting the addresses of the network interfaces.
UC4: Manage rules: the administrator can view, add, edit and delete the rules governing the operation of the Packet Filtering and Web proxy modules.
UC5: Monitor network traffic: display the state of traffic through the network using charts.
This function lets the administrator turn the BKWall system off and on.

This function lets the administrator change and monitor the configuration parameters set for the BKWall system.
This function sets the rules for the packet filtering module, covering: IP packet filtering, port blocking, service ports (port forwarding), and the extended functions. Setting a rule may mean adding, editing or deleting it.

This function sets the rules for the Web Proxy module, covering: host_name, http_port, cache size, and so on.
This function displays information about the operation of the BKWall system as well as all the network traffic passing through it.
Figure 4-11: Block diagram of the main program module

System initialization takes place when the BKWall system boots. At that point the system performs the necessary initializations: activating the dial-up network connection if it is configured to connect automatically on every reboot, starting the web server, the web proxy (squid) and httpd, and, most importantly, initializing the Packet Filtering component. This initialization is carried out by script files located in /etc/rc.d. They include the scripts that initialize the network configuration and the network connections, create the chains and load the firewall rules: rc.sysinit, rc.network, rc.netaddress.up, rc.netaddress.down, rc.firewall.up, rc.firewall.down, rc.adsl, rc.isdn, rc.updatered, rc.machineregister. The order in which these scripts run at boot is shown in the diagram below:
Diagram: order of execution of the startup scripts: rc.sysinit, rc.network, rc.netaddress.up, rc.netaddress.down, rc.adsl, rc.firewall.up, rc.isdn, rc.machineregister, rc.firewall.down, rc.updatered
The most important of these are the files that initialize the iptables-based firewall: rc.firewall.up and rc.firewall.down. Some of the basic settings the BKWall system applies at initialization can be examined here.
+ First the system flushes all rules, deletes all chains, and sets the policy for packets in the INPUT, FORWARD and OUTPUT chains:

# Flush the rules and delete the chains
/sbin/iptables -F
/sbin/iptables -X
# Set the policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
+ Next it creates the new chains used to implement the functions of the whole system: IP blocking, port filtering, service ports (port forwarding), remote administration, the extended functions of the Packet Filtering component such as blocking Ping packets, denial-of-service attacks and IGMP (Internet Group Management Protocol) packets, the chains for the Web Proxy, and services such as the dial-up connection, port forwarding and DMZ holes. Packets entering the system through the INPUT, FORWARD and OUTPUT chains are then directed to the corresponding chains.
# The interface and network variables used below ($RED_DEV, $GREEN_DEV,
# $ORANGE_DEV, $RED_TYPE, $*_NETADDRESS, $*_NETMASK) come from the settings
# files described in section 3.3.3, which the full script reads before this point.

# IP blocker
/sbin/iptables -N ipblock
/sbin/iptables -A INPUT -i ppp0 -j ipblock
/sbin/iptables -A INPUT -i ippp0 -j ipblock
if [ "$RED_DEV" != "" ]; then
    /sbin/iptables -A INPUT -i $RED_DEV -j ipblock
fi
/sbin/iptables -A FORWARD -i ppp0 -j ipblock
/sbin/iptables -A FORWARD -i ippp0 -j ipblock
if [ "$RED_DEV" != "" ]; then
    /sbin/iptables -A FORWARD -i $RED_DEV -j ipblock
fi
/sbin/iptables -A FORWARD -i $GREEN_DEV -j ipblock

# Portfilter
/sbin/iptables -N portfilter
/sbin/iptables -A INPUT -i ppp0 -j portfilter
/sbin/iptables -A INPUT -i ippp0 -j portfilter
if [ "$RED_DEV" != "" ]; then
    /sbin/iptables -A INPUT -i $RED_DEV -j portfilter
fi
/sbin/iptables -A FORWARD -i ppp0 -j portfilter
/sbin/iptables -A FORWARD -i ippp0 -j portfilter
if [ "$RED_DEV" != "" ]; then
    /sbin/iptables -A FORWARD -i $RED_DEV -j portfilter
fi
/sbin/iptables -A FORWARD -i $GREEN_DEV -j portfilter

# External access. Rule set with setxtaccess setuid
# (the "block" chain must exist before rules are appended to it)
/sbin/iptables -N block
/sbin/iptables -N xtaccess
/sbin/iptables -A block -j xtaccess

# Port forwarding
/sbin/iptables -N portfwf
/sbin/iptables -A FORWARD -j portfwf
/sbin/iptables -N dmzholes
/sbin/iptables -t nat -N portfw
/sbin/iptables -t nat -A PREROUTING -j portfw

# All ICMP on ppp too.
/sbin/iptables -A block -p icmp -i ppp0 -j ACCEPT
/sbin/iptables -A block -p icmp -i ippp0 -j ACCEPT
if [ "$RED_DEV" != "" ]; then
    /sbin/iptables -A block -p icmp -i $RED_DEV -d $RED_NETADDRESS/$RED_NETMASK -j ACCEPT
fi
/sbin/iptables -A INPUT -j block

# last rule in INPUT chain is for logging.
# (These two rules are terminal for INPUT: in the full script they must be
# appended after the accept rules that follow in this excerpt, otherwise
# those later INPUT rules are never reached.)
/sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT

# Allow GREEN to talk to ORANGE.
if [ "$ORANGE_DEV" != "" ]; then
    /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $GREEN_DEV -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A FORWARD -i $GREEN_DEV -o $ORANGE_DEV -m state \
        --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # dmz pinhole chain. setdmzholes setuid prog adds rules here to allow
    # ORANGE to talk to GREEN.
    /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $GREEN_DEV -j dmzholes
fi

# For IGMP and multicast
/sbin/iptables -N advnet
/sbin/iptables -A INPUT -i ppp0 -j advnet
/sbin/iptables -A INPUT -i ippp0 -j advnet
if [ "$RED_DEV" != "" ]; then
    /sbin/iptables -A INPUT -i $RED_DEV -j advnet
fi

# Spoof protection for RED (rp_filter does not work with FreeS/WAN)
/sbin/iptables -N spoof
/sbin/iptables -A spoof -s $GREEN_NETADDRESS/$GREEN_NETMASK -j DROP
if [ "$ORANGE_DEV" != "" ]; then
    /sbin/iptables -A spoof -s $ORANGE_NETADDRESS/$ORANGE_NETMASK -j DROP
fi
/sbin/iptables -A INPUT -i ppp0 -j spoof
/sbin/iptables -A INPUT -i ippp0 -j spoof
if [ "$RED_DEV" != "" ]; then
    /sbin/iptables -A INPUT -i $RED_DEV -j spoof
fi

# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT

# DHCP
if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then
    /sbin/iptables -A block -p tcp --source-port 67 --destination-port 68 \
        -i $RED_DEV -j ACCEPT
    /sbin/iptables -A block -p tcp --source-port 68 --destination-port 67 \
        -i $RED_DEV -j ACCEPT
    /sbin/iptables -A block -p udp --source-port 67 --destination-port 68 \
        -i $RED_DEV -j ACCEPT
    /sbin/iptables -A block -p udp --source-port 68 --destination-port 67 \
        -i $RED_DEV -j ACCEPT
fi

# NAT table
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X

# squid
/sbin/iptables -t nat -N squid
/sbin/iptables -t nat -N jmpsquid
/sbin/iptables -t nat -A jmpsquid -d 10.0.0.0/8 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 172.16.0.0/12 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 192.168.0.0/16 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 169.254.0.0/16 -j RETURN
/sbin/iptables -t nat -A jmpsquid -j squid
/sbin/iptables -t nat -A PREROUTING -i $GREEN_DEV -j jmpsquid

# Masquerade
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE
if [ "$RED_DEV" != "" ]; then
    /sbin/iptables -t nat -A POSTROUTING -o $RED_DEV -j MASQUERADE
fi
After the new chains for each system function have been set up, the rule management part appends rules to the corresponding chain. For example, adding a rule for the port filtering function (a rule consists of source address, source port, destination address, destination port, action, enabled flag and logging flag) appends it to the portfilter chain. The rule takes effect as soon as it is enabled, and it is still applied after the system restarts.
# Excerpt of the startup sequence that loads the firewall and the per-feature rule sets
echo "Setting up firewall"
. /etc/rc.d/rc.firewall.up
echo "Starting dhcpd (if enabled)"
/usr/local/bin/restartdhcp
echo "Setting DMZ pinholes"
/usr/local/bin/setdmzholes
echo "Setting up advanced networking features"
/usr/local/bin/setadvnet
echo "Setting up IP block"
/usr/local/bin/setipblock
echo "Setting up portfilter"
/usr/local/bin/setportfilter
if [ "$RED_DEV" != "" ]; then
    echo "Updating RED..."
    /etc/rc.d/rc.updatered
    if [ "$RED_TYPE" != "PPPOE" ]; then
        echo "Starting VPN (if enabled)"
        /etc/rc.d/rc.vpn.up
        echo "Refreshing update list (background)"
        /usr/local/bin/updatelists.pl &
        echo "Registering this BKWall (background)"
        /etc/rc.d/rc.machineregister &
    fi
fi
echo "Setting external access rules"
/usr/local/bin/setxtaccess
echo "Setting up IP accounting"
/etc/rc.d/helper/writeipac.pl
/usr/local/sbin/fetchipac -S -c yes
/usr/local/sbin/fetchipac
For system shutdown, the system first runs the scripts that delete all the chains and rules currently applied to the firewall; the rules themselves remain stored in the rule files.

3.3.2 Request forwarding module
This module collects the requests the administrator makes through the web interface and forwards them to the modules responsible for handling them. In practice, the module is a set of HTML pages generated by Perl scripts; they form the interface through which the administrator issues requests to the system.
Figure 4-12: Block diagram of the request forwarding module

3.3.3 Configuration management module
This module implements the functions that support system configuration, such as changing the passwords of admin, setup and root, and setting the addresses of the network interfaces. To carry out configuration management, the module displays the configuration information to the administrator, who then changes the configuration parameters. The parameters are stored in configuration files. They include the configuration of the network interfaces, the system's name, and the passwords of the system's users (the BKWall system has three kinds of user: root, with full control over the system; setup, who may install or remove application packages or services; and Admin, who controls the system through the web interface). The configuration files in the system are as follows. The system can have up to three Ethernet interfaces: the interface for the hosts on the LAN, called GREEN; the interface to the demilitarized zone (DMZ), called ORANGE; and the interface to the outside network, called RED (note that the RED interface can also be a serial-port connection). The files are usually named settings and are placed in the directory for the corresponding application or service: adsl, advent, auth, backup, ddns, dhcp, dmzholes, Ethernet, isdn, langs, main, modem, ppp, proxy, red, remote, time.
Figure 4-13: Block diagram of the configuration management module

3.3.4 Rule management module for Packet Filtering and Web Proxy
This module implements the functions that let the administrator set the rules for the two basic components of the BKWall system, Packet Filtering and Web Proxy. The main operations are: add a new rule, edit a rule, delete a rule, enable a rule, and turn logging on or off for it. First we consider the rules for the Web Proxy component. The Web Proxy in BKWall is developed on the open-source product Squid, a caching proxy, that is, an intelligent proxy: it collects the users' requests and stores these requests together with the servers' replies in its cache. When another client makes a request that already exists in the cache, the Web Proxy reads the information from the cache and returns it to the client's browser without connecting to the web server on the outside network. The rules applied to the Web Proxy are really its configuration parameters, which include:
+ Cache size
+ Address and service port of the Web Proxy
+ Name and password of a remote proxy: set when the ISP gives us the details of its proxy
+ Maximum object size
+ Minimum object size
+ Maximum download size
+ Minimum download size
+ Transparency of the Web Proxy towards the client
Figure 4-14: Block diagram of the rule management module

The next part presents how the rule files are organized in the system and the structure of the rules applied in the Packet Filtering component.

Port filtering
o Organization of the port filtering rule file in the system: used to filter packets by IP address and port. The rule file is stored in /var/DFF/portfilter/config. Each rule the administrator enters is stored on one line. The rule file is stored as plain text.
o Structure of a rule. Each rule consists of the following fields:
+ Source IP address
+ Source port
+ Destination address
+ Destination port
+ Protocol
+ Action: DROP, ACCEPT, REJECT
+ Logging enabled
+ Enabled or not
Example of a rule:

tcp,230.10.1.1,80,192.168.1.1,80,on,DROP,on

This blocks all packets whose source address, source port, destination address and destination port are 203.10.1.1, 80, 192.168.1.1 and 80 respectively, over the TCP protocol. The rule is enabled and logged.

IP blocking
o Organization of the IP blocking rule file in the system: allows blocking packets whose source IP address is specified by the administrator. The rule file is stored in /var/DFF/ipblock/config. Each rule the administrator enters is stored on one line. The rule file is also stored as plain text.
o Structure of a rule. Each rule consists of the following fields:
+ IP address to block
+ Action: DROP, REJECT
+ Logging enabled
+ Enabled or not
Example of a rule:

230.10.1.1,on,DROP,on

Meaning: block all packets with source address 230.10.1.1. The rule is enabled and logged.

Service ports (port forwarding)
o Organization of the service port rule file in the system: allows machines on the outside network to access a service provided by a machine on the inside network. The rule file is stored in /var/DFF/portfw/config. Each rule the administrator enters is stored on one line. The rule file is also stored as plain text.
o Structure of a rule. Each rule consists of the following fields:
+ IP address used to access the service
+ Port used to access the service
+ Address of the machine providing the service
+ Port on which the service is provided
+ Enabled or not
+ Protocol used
Example of a rule:

tcp,203.10.1.1,2203,192.168.1.1,2203,on

Meaning: the machine providing the service has IP address 192.168.1.1 and port 2203; the machine accessing the service has IP address 203.10.1.1 and port 2203; the protocol is TCP; the rule is enabled.

Remote administration
o Organization of the remote administration rule file in the system: the administrator uses this function to open a port that lets machines on the outside network control BKWall over the https or SSH protocol. The rule file is stored in /var/DFF/xtaccess. Each rule the administrator enters is stored on one line. The rule file is also stored as plain text.
o Structure of a rule. Each rule consists of the following fields:
+ IP address of the outside machine
+ Access port
+ Enabled or not
+ Protocol used
Example of a rule:

tcp,0.0.0.0/0,113,on
Service ports for the DMZ
o Organization of the DMZ service port rule file in the system: allows a server in the DMZ to reach the local LAN on a given port number served by a machine in the LAN. The rule file is stored in /var/DFF/dmzholes. Each rule the administrator enters is stored on one line. The rule file is also stored as plain text.
o Structure of a rule. Each rule consists of the following fields:
+ IP address of the server in the DMZ
+ Address of the machine providing the service in the LAN
+ Access port
+ Enabled or not
+ Protocol used
Example of a rule:

tcp,10.10.1.1,192.168.1.1,1000,on

DHCP
Covers enabling the service that assigns dynamic IP addresses to the machines on the private LAN. It also allows assigning static addresses to machines on the internal network by their physical MAC address, and only the machines listed in this section are able to connect to the Internet. The file holding these addresses is /var/DFF/dhcp/staticconfid. For example:

nvc,AA:BB:CC:DD:DE:FF,192.168.1.2

Extended functions
Allows enabling the extended functions: blocking ICMP Ping packets and IGMP packets, blocking DoS attacks, and blocking multicast streams. The settings are stored in /var/DFF/advent/settings.

All these rules are loaded into the system through the corresponding programs, which are stored in /usr/local/bin, for example setipblock.o, setportfilter.o, restartdhcp.o, dmzholes.o.
+ These programs are written in C, so they execute very fast.
+ They read the rule files line by line and load the rules into the system.
+ Because the rule database and the rule files are stored as text files, processing is relatively fast; in particular we take advantage of Perl's excellent text-processing ability. Moreover, the requirements placed on a firewall system mean we cannot install and use a database management system such as MySQL.

3.3.5 System information monitoring module
This module provides information about the system such as:
+ Status of the system's services: running or stopped
+ Status of the connections
+ Packet traffic through the network interfaces: Green (the internal network interface), Orange (the interface to the demilitarized zone, DMZ), Red (the interface to the outside network, e.g. the Internet)
The module uses the chart generator rrdtool to produce charts of the network traffic passing through the RED, ORANGE and GREEN interfaces.
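As an added example (not BKWall's own setportfilter, setipblock or setportfw code, which are C programs on the real system), the POSIX shell functions below turn one line of each rule file described above into the iptables commands for the chains that rc.firewall.up creates, validating every field first and printing the commands rather than running them. Which of the two "on" flags is the log flag, and that the first address of a portfw line is the externally reachable address, are assumptions, stated again in the comments.

```shell
#!/bin/sh
# Added example, not BKWall's own set* programs. Each *_rule function takes one
# line of a BKWall rule file, validates it and prints the iptables command(s)
# that would be appended to the custom chain rc.firewall.up created for that
# feature. Nothing is executed: review the output, then pipe it to sh if it is
# what you expect.
# Assumptions (the thesis does not spell these out):
#  - portfilter field 6 and ipblock field 2 are the "log" flag; the last field
#    of every line is the "enabled" flag;
#  - the first address of a portfw line is the externally reachable address
#    that clients connect to, the second is the LAN server.

IPT=/sbin/iptables

# is_ipv4 ADDR[/PREFIX]: dotted quad, octets 0..255, optional prefix 0..32.
is_ipv4() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/" in the argument
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_port PORT or LOW:HIGH (iptables range syntax), each 0..65535.
is_port() {
    case $1 in
        *:*) lo=${1%%:*}; hi=${1#*:} ;;
        *)   lo=$1; hi=$1 ;;
    esac
    for p in "$lo" "$hi"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# log_rule CHAIN MATCH FLAG: print a LOG rule ahead of the terminating rule
# when FLAG is "on" (LOG is non-terminating, so it must come first).
log_rule() {
    [ "$3" = "on" ] && echo "$IPT -A $1 $2 -j LOG --log-prefix BKWall-$1:"
    return 0
}

# /var/DFF/portfilter/config line: proto,src,sport,dst,dport,log,action,enabled
portfilter_rule() {
    old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
    [ $# -eq 8 ] || { echo "portfilter: expected 8 fields" >&2; return 1; }
    proto=$1 src=$2 sport=$3 dst=$4 dport=$5 log=$6 action=$7 enabled=$8
    [ "$enabled" = "on" ] || return 0            # disabled rule: emit nothing
    case $proto in tcp|udp) ;; *) echo "portfilter: bad protocol '$proto'" >&2; return 1 ;; esac
    case $action in DROP|ACCEPT|REJECT) ;; *) echo "portfilter: bad action '$action'" >&2; return 1 ;; esac
    is_ipv4 "$src" && is_ipv4 "$dst" && is_port "$sport" && is_port "$dport" ||
        { echo "portfilter: bad address or port in '$*'" >&2; return 1; }
    match="-p $proto -s $src --sport $sport -d $dst --dport $dport"
    log_rule portfilter "$match" "$log"
    echo "$IPT -A portfilter $match -j $action"
}

# /var/DFF/ipblock/config line: ip,log,action,enabled
ipblock_rule() {
    old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || { echo "ipblock: expected 4 fields" >&2; return 1; }
    ip=$1 log=$2 action=$3 enabled=$4
    [ "$enabled" = "on" ] || return 0
    case $action in DROP|REJECT) ;; *) echo "ipblock: bad action '$action'" >&2; return 1 ;; esac
    is_ipv4 "$ip" ||
        { echo "ipblock: bad address '$ip'" >&2; return 1; }
    log_rule ipblock "-s $ip" "$log"
    echo "$IPT -A ipblock -s $ip -j $action"
}

# /var/DFF/portfw/config line: proto,ext_ip,ext_port,lan_ip,lan_port,enabled
portfw_rule() {
    old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
    [ $# -eq 6 ] || { echo "portfw: expected 6 fields" >&2; return 1; }
    proto=$1 ext=$2 extport=$3 lan=$4 lanport=$5 enabled=$6
    [ "$enabled" = "on" ] || return 0
    case $proto in tcp|udp) ;; *) echo "portfw: bad protocol '$proto'" >&2; return 1 ;; esac
    is_ipv4 "$ext" && is_ipv4 "$lan" && is_port "$extport" && is_port "$lanport" ||
        { echo "portfw: bad address or port in '$*'" >&2; return 1; }
    # nat/PREROUTING side (chain portfw): rewrite the destination to the LAN server.
    echo "$IPT -t nat -A portfw -p $proto -d $ext --dport $extport -j DNAT --to-destination $lan:$lanport"
    # filter/FORWARD side (chain portfwf): let the rewritten packet through.
    echo "$IPT -A portfwf -p $proto -d $lan --dport $lanport -j ACCEPT"
}
```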
exist in many versions and from many different vendors. In principle, BKWall can work with every version of these components that is compatible with the versions selected below:
Operating system: Linux, RedHat 7.2 release from Red Hat; Linux kernel version 2.4.
Smoothwall: Smoothwall version 2.0 (http://smoothwall.org)
libpcap library: libpcap (http://tcpdump.org) version 0.8.0.
iptables: iptables version 1.2.8 (http://iptables.org), the build bundled with the libipq library.
Perl: Perl 5 version 5.8.0 (http://perl.org), plus the chart generator rrdtool.
4.2 System installation
The BKWall system was deployed and tested at the system software and security solutions department of the Misoft company. The department's network structure and equipment are as follows: one ADSL link at 2 Mbps; one Linux server (CPU Pentium II 400 MHz, 128 MB RAM, 3 NICs at 100 Mbps) used as the gateway, on which BKWall is installed; one Windows Server 2003 server (CPU Pentium IV 1.8 GHz, 1 GB RAM, 100 Mbps NIC) used as the mail, http, ftp and vpn server; 8 PCs (CPU Pentium III 1 GHz, 256 MB RAM, 100 Mbps NIC, or equivalent) running Windows XP SP2. The configuration required to install the BKWall system:
+ CPU: at least 300 MHz (equivalent to a Pentium II)
+ RAM: more than 64 MB
+ Hard disk: more than 1 GB
+ Network cards: depending on the BKWall configuration, the number of cards may be 1 (if there is only the interface to the internal network, called Green); connecting to an outside network (e.g. the Internet) requires one more card (the interface called Red); a demilitarized zone (DMZ) for servers such as Web/HTTP, FTP and Mail servers requires another card (the interface called Orange).
+ Other peripherals: the monitor, mouse and CD drive are only needed during installation; afterwards they can be removed without being used.
The network layout with the Green-Orange-Red model is as follows:

Figure 4-15: Deployment model of BKWall in the network

The BKWall system was installed experimentally on the Linux gateway, so it can observe all the traffic on the network and apply the rules set for the Packet Filtering and Web Proxy modules. Deployment is quite flexible: the system can run with BKWall having a single network card, when the Internet link is a serial-port or dial-up connection; with two cards when there is no demilitarized zone (DMZ); and, in the most general case, with three cards for the GREEN, ORANGE and RED interfaces respectively.
The BKWall Management System is a web-based control system, so testing was carried out on both the server side and the client side.
o Server side: the BKWall Management System was installed experimentally on the server: + Linux kernel 2.4, Apache 1.3.39
o Client side: the BKWall Management System was accessed from client machines running different operating systems and different browsers. The results were as follows:

Operating system   Browser          Result
Windows            IE 6.0           Good
Windows            Firefox 1.0.3    Menu displayed in the wrong position
Linux              Mozilla          Vietnamese text not displayed
Linux              Konqueror        Vietnamese text not displayed

The results on both the server and the client side are very encouraging; the only problems are some Vietnamese font display errors in the Mozilla browser on Linux. Below are some client-side screenshots in the IE (Internet Explorer) browser on Microsoft Windows, covering the following pages: the home page, the Packet Filter rule page, the Web Proxy configuration, the services, and the system information.
4.4 Evaluation of results
Within the scope of an undergraduate thesis, the BKWall firewall system has met some of the requirements set for a firewall product, but unavoidable limitations remain. Below I present the results achieved and the limitations to be addressed in the coming time.

Results achieved
+ Successfully integrated the components Linux kernel, Smoothwall, Apache server and iptables into a unified firewall system.
+ Built a centralized remote control system for the whole system through a web interface.
+ The system operated relatively stably during the experimental deployment.

Limitations to be addressed in the coming time
Besides the results achieved, the BKWall system still has many limitations that must be addressed, such as:
+ The system does not yet operate efficiently, especially the Web Proxy module
+ The blocking policy still has to be set by the administrator; no capability has yet been built to organize the rules the administrator enters so as to optimize them.
+ The control system does not yet exploit all of iptables' customization capabilities.
+ The system cannot yet integrate other tools, such as VPN (Virtual Private Network) and IDS (Intrusion Detection System), into the BKWall system.
These limitations will be addressed in the coming time if conditions allow me to continue developing this topic.
CONCLUSION
To complete this thesis, I would like to express my deep gratitude to my supervisor Mr. Vn Uy, for the great help of Dr. V Quc Khnh, Mr. Vng Vn Tuyn and Mr. Ng Quang Huy, together with my colleagues at the system development and security department of Misoft company, and all my friends throughout this time. The thesis addresses the general issues of information security and network security and studies in depth the theory of Firewalls as well as the tools for building a complete Firewall. Specifically, the thesis achieved the following results:
+ Studied the issues of information security and network security.
+ Studied in depth the theory of Firewalls and related tools with the aim of building a firewall product.
+ Analyzed the architecture of, and mastered, the open-source software Smoothwall.
+ Integrated open-source components and successfully built the BKWall system.
+ Carried out trial deployment and obtained some results.
Besides that, due to limitations of time and ability, this thesis inevitably has shortcomings and limitations; specifically, those limitations are:
+ The system does not yet operate efficiently, especially the Web Proxy module.
+ The blocking policy must still be set up by the administrator. No capability has yet been built to organize the rules entered by the administrator in order to optimize them.
+ The control system does not yet exploit the full customization capability of Iptables.
+ The system is not yet able to integrate other tools such as VPN (Virtual Private Network) and IDS (Intrusion Detection System) into the BKWall system.
+ The open-source products have not been fully exploited, and not much has really been developed on top of them.
In the future, wishing to continue developing this topic into a useful Firewall product that can be widely applied to serve information security in Vietnam, I propose the following development directions:
+ Optimize the configuration of the open-source components used, to increase efficiency and reliability.
+ Continue developing the control system, making full use of the system's customization capabilities with a friendlier interface and interaction.
+ Research a more effective function for managing the rules entered by the administrator, capable of optimizing those rules.
+ Research the possibility of hardening the system into dedicated appliances like those of network security equipment vendors such as Cisco or Checkpoint.
Finally, once again I would like to thank my supervisor, MSc. Vn Uy, the teachers of the Faculty of Information Technology, Hanoi University of Technology, the high-quality engineer training program in Vietnam (P.F.I.E.V), the staff and colleagues at Misoft company, and all my relatives who helped me greatly throughout the process of doing this thesis so that I could complete it.
Hanoi, 09 June 2005
Thesis author
Ng Vn Chn