
Increasing Security on IP Networks

Contents

- Increasing Security on IP Networks
- Understanding Cisco's Approach to Network Security
- Controlling Access to Cisco Routers
  - Console Access
    - Nonprivileged Mode Password
    - Privileged Mode Password
    - Session Timeouts
    - Password Encryption
  - Telnet Access
    - Nonprivileged Mode Password
    - Privileged Mode Password
    - Restricting Telnet Access to Particular IP Addresses
    - Restricting Telnet Access to Cisco Devices via TCP Ports
  - Terminal Access Controller Access Control System (TACACS)
    - Nonprivileged Mode
    - Privileged Mode
  - Simple Network Management Protocol (SNMP)
    - Nonprivileged Mode
    - Privileged Mode
- Establishing a Firewall Architecture
- Controlling Traffic Flow
- Configuring a Firewall Router
  - Defining Access Lists
  - Applying Access Lists to Interfaces
- Configuring a Firewall Communication Server
  - Defining Access Lists
  - Applying Access Lists to Interfaces
- Using Banners to Create Notices
- Securing Nonstandard Services
- Summary
- Recommended Reading

Increasing Security on IP Networks

Network security is a very broad topic. It can be examined at the data level (where packet interception and data encryption issues arise), at the protocol level, and at the application level. As more people connect to the Internet and companies keep extending their networks, securing the internal network becomes harder. A company must decide which areas of its internal network need protection, find ways to restrict user access to those areas, and determine which network services must be filtered to close security holes.

Cisco Systems provides many protocol-level (network-layer) features that increase the security of IP networks. These features include controls that restrict access to routers and servers through the console port, Telnet, Simple Network Management Protocol (SNMP), Terminal Access Controller Access Control System (TACACS), user token cards, and access lists. Setting up a firewall architecture is also discussed. This article covers only network-layer security, but ignoring host-level security would be equally dangerous. For host-level measures, consult the documentation of your applications and the reading list at the end of this article.

Understanding Cisco's Approach to Network Security

When people talk about security, they want to be sure that users can only do what they are allowed to do, can only obtain the information they are allowed to obtain, and cannot damage the data, applications, or operating system of a system. "Security" also means protection against attacks from outside. Security is also about limiting the effects of errors and equipment failures. Anything that can protect against a carefully planned attack will also prevent accidental mishaps.

This article describes what you can do to increase the security of your network. Before going into details, it helps to understand the basic concepts that apply to any system:

(*) Know your enemy. Here this means attackers. Find out who wants to get past your security measures and determine what motivates them. Determine what they want to do and what damage they could do to your system. Security measures cannot absolutely prevent unauthorized actions; they only make them harder. The goal is to make the network's security exceed the attacker's ability or motivation.

(*) Count the cost. Most security measures reduce convenience. Security can slow work down and add training and administration costs. It may require significant resources as well as dedicated hardware. When designing security measures, you need to understand their cost and compare it with the likely benefit. To do that you must understand both the cost of the measures themselves and the cost of the security holes they close.

(*) Identify your assumptions. Every security system rests on assumptions. For example, you may assume that attackers know less than you do, or that they use standard software. Examine and evaluate your assumptions carefully. Any unexamined assumption is a potential security hole.

(*) Control your secrets. Most security is based on secrets, such as passwords and encryption keys. The most important thing is to understand what you need to protect. What knowledge would let someone get past your system? You must guard that knowledge carefully. The more secrets you have, the harder it is to protect all of them. A security system should be designed so that only a limited number of secrets need to be kept.

(*) Remember human factors. Many security procedures fail because their designers did not consider how users think. For example, because they are hard to remember, automatically generated passwords are often found written on a note under the keyboard. If security measures interfere with the essential use of the system, those measures will be circumvented. To get the result you want, you must make sure users can still get their work done, and you must make them understand and accept the need for security. Users should cooperate with the security system at least to some degree. A password, for instance, can be obtained simply by calling a user and pretending to be an administrator. If your users understand the security issues and the reasons behind your measures, they will not make an intruder's job easy. At a minimum, users should be told never to give out passwords or other secrets over the telephone or unprotected e-mail, and to be wary of questions asked over the telephone. Some companies run a regular security training program for employees; employees are not given Internet access until they complete it.

(*) Know your weaknesses. Every system has weaknesses. You need to understand the weak points of your system and how they could be exploited. You should also know which areas are at the highest risk and prevent access to them. Understanding the weaknesses is the first step in turning them into secure areas.

(*) Limit the scope of access. You should set appropriate boundaries within the system so that if an intruder gains access to one part of it, they do not automatically gain access to the rest.

(*) Understand your environment. Understanding how your system normally works, knowing what is expected and what is not, and being familiar with how devices are usually used will help you detect security problems. Noticing unusual events helps you catch intruders before they damage the system. Auditing tools can help you detect those unusual events.

(*) Limit your trust. You should know exactly which software you rely on, and your security system should not depend on the assumption that all software is bug-free.

(*) Remember physical security. Anyone with some experience and direct physical access to a computer (or a router) can take full control of it. Installing security software means nothing if direct access to the hardware is not controlled.

(*) Security is pervasive. Almost any change to your system can affect security. This is especially true when a new service is created. Administrators, programmers, and users must consider the security implications of every change they make. Understanding the security aspects of every change takes practice, and means exploring every way a service could be used.

Controlling Access to Cisco Routers

Controlling access to your Cisco routers is very important. You can control access to the routers using the following methods:

- Console access
- Telnet access
- Simple Network Management Protocol (SNMP) access
- Controlling access to the servers that hold the system configuration files

You can protect the first three methods with features of the router software. For each method, you can grant privileged access or nonprivileged access to each user (or group of users). Nonprivileged access lets a user monitor the router but not change it. Privileged access gives the user full rights to change the router's configuration.

For console port and Telnet access, you can set two kinds of password. The first is the login password, which grants nonprivileged access. After reaching the router, the user can switch to privileged mode by entering the appropriate password. In privileged mode the user has full rights to change settings.

SNMP access lets you set different SNMP strings for nonprivileged and privileged access. Nonprivileged access lets a user on a host send SNMP get-request and get-next-request messages to the router. These messages are used to retrieve information from the router. Privileged access lets the user send SNMP set-request messages to change the configuration and operating state of the router.

Console Access

The console is a terminal attached directly to the router through the console port. Security is applied to the console by requiring the user to authenticate with a password. By default, there is no password associated with console access.

Nonprivileged Mode Password

You set the nonprivileged mode password by entering the following commands in the router's configuration file. Passwords are case sensitive. In this example the password is "1forAll":

    line console 0
    login
    password 1forAll

When you log in to the router, you see a login prompt like this:

    User Access Verification
    Password:

You must enter the password "1forAll" to gain nonprivileged access to the router. The router responds as follows:

    router>

The > prompt indicates nonprivileged mode. You can now use many commands to view information about the router and its operation. Never use "cisco", or any variation such as "pancho", as the password of a Cisco router. Those are the first passwords an intruder tries on seeing a Cisco login prompt.

Privileged Mode Password

Set the privileged mode password by entering the following command in the router's configuration file. In this example the password is "san-fran":

    enable-password san-fran

To enter privileged mode, type:

    router> enable
    Password:

Type the password "san-fran" to gain privileged access to the router. The router responds:

    router#

The # prompt indicates privileged mode. In privileged mode you can enter every command for viewing information and configuring the router.

Session Timeouts

Setting the login and enable passwords may not be enough in some cases. The timeout for an unattended console (10 minutes by default) provides an additional measure of safety. You can change this limit with the command exec-timeout mm ss, where mm is the number of minutes and ss the number of seconds. The following commands change the limit to 1 minute 30 seconds:

    line console 0
    exec-timeout 1 30

Password Encryption

All passwords on the router can be viewed with the command that displays the router's configuration in privileged mode. If you have privileged access, you can see every password in cleartext by default. There is a way to hide cleartext passwords: the service password-encryption command stores the passwords in an encrypted form. However, if you forget a password, you must have physical access to the router to regain access.

Telnet Access

You can reach the router in nonprivileged or privileged mode through Telnet. As with the console, Telnet security is obtained by having the user authenticate with a password. In fact, many of the concepts described above under "Console Access" apply to Telnet access as well. You must enter a password to move from nonprivileged to privileged mode, you can encrypt passwords, and you can set session timeouts.

Nonprivileged Mode Password

Each Telnet port on the router is regarded as a virtual terminal. There are at most five virtual terminal (VTY) ports on the router, allowing five concurrent Telnet sessions. On the router they are numbered 0 to 4. You can set the nonprivileged password for these ports with the following configuration commands. In this example, virtual terminal ports 0 through 4 use the password "marin":

    line vty 0 4
    login
    password marin

When a user telnets to the router's IP address, the router responds like this:

    % telnet router
    Trying ...
    Connected to router
    Escape character is '^]'
    User Access Verification
    Password:

If the user enters the correct nonprivileged password, the following prompt appears:

    router>

Privileged Mode Password

The user now has nonprivileged access and can switch to privileged mode with the enable command, exactly as for console access.

Restricting Telnet Access to Particular IP Addresses

If you want only certain IP addresses to be able to reach the router through Telnet, you must use the access-class nn in command, where nn identifies an access list (numbered 1 to 99). The following configuration commands permit Telnet access to the router only from hosts on network 192.85.55.0:

    access-list 12 permit 192.85.55.0 0.0.0.255
    line vty 0 4
    access-class 12 in

Restricting Telnet Access to Cisco Devices via TCP Ports

A Cisco device can be reached by Telnet to certain TCP ports. The kind of Telnet access available varies by Cisco software release:

- Software Release 9.1 (11.4) and earlier, 9.21 (3.1) and earlier
- Software Release 9.1 (11.5), 9.21 (3.2), 10.0 and later

With Software Release 9.1 (11.4) and earlier, and 9.21 (3.1) and earlier, it is possible by default to establish TCP connections to a Cisco device through the TCP ports listed in Table 3-1.

Table 3-1: TCP ports for Telnet access to Cisco devices (earlier releases)

    TCP port      Access method
    7             Echo
    9             Discard
    23            Telnet (to a VTY port, in rotary fashion)
    79            Finger
    1993          SNMP over TCP
    2001-2999     Telnet to the auxiliary (AUX) port, terminal (TTY) ports, and virtual terminal (VTY) ports
    3001-3999     Telnet to rotary ports (only possible when configured with the rotary command)
    4001-4999     Telnet (stream mode); mirror of the 2000 range
    5001-5999     Telnet (stream mode); mirror of the 3000 range (only when rotary is configured)
    6001-6999     Telnet (binary mode); mirror of the 2000 range
    7001-7999     Telnet (binary mode); mirror of the 3000 range (only when rotary is configured)
    8001-8999     Xremote (communication servers only)
    9001-9999     Reverse Xremote (communication servers only)
    10001-19999   Reverse Xremote rotary (communication servers only, when rotary is configured first)

Note: Because Cisco routers have no TTY lines, configuring access (on communication servers) to ports 2002, 2003, 2004 and higher may provide access to the VTYs (on routers) at the corresponding ports. To provide access to TTY ports, you can create access lists that restrict access to the VTYs. When setting up rotary groups, remember that any port in the group can be reached (unless an access list restricts it).

The following example illustrates access lists that deny access to the auxiliary (AUX) port and permit Telnet access only from address 192.32.6.7:

    access-list 51 deny 0.0.0.0 255.255.255.255
    access-list 52 permit 192.32.6.7
    line aux 0
    access-class 51 in
    line vty 0 4
    access-class 52 in

Note: If the ip alias command is enabled on a Cisco device, TCP connections to any port are considered valid. You may want to disable this command. You may also want to create access lists that restrict access to the Cisco device over TCP ports.

With Software Release 9.1 (11.5), 9.21 (3.2), and any release of Software Release 10, the following improvements were made:

- Direct access to virtual terminal lines (VTYs) through ports in the 2000, 4000 and 6000 ranges is disabled by default
- Connections to the echo and discard ports (7 and 9) can be disabled with the no service tcp-small-servers command
- All Cisco devices accept connections to IP aliases only on port 23

With these later releases, Cisco routers accept TCP connections on the default ports listed in Table 3-2.

Table 3-2: TCP ports for Telnet access to Cisco devices (later releases)

    TCP port   Access method
    7          Echo
    9          Discard
    23         Telnet
    79         Finger
    1993       SNMP over TCP
    2001       Auxiliary (AUX) port
    4001       AUX port (stream)
    6001       AUX port (binary)

Access through port 23 can be restricted by creating an access list and assigning it to a virtual terminal line. Access through port 79 can be disabled with the no service finger command. Access through port 1993 can be controlled with an SNMP access list. Access through ports 2001, 4001 and 6001 can be controlled with an access list placed on the auxiliary (AUX) port.

Terminal Access Controller Access Control System (TACACS)

The nonprivileged and privileged mode passwords apply to every user who reaches the router from the console port or through Telnet. In addition, Terminal Access Controller Access Control System (TACACS) provides a way to validate every user individually before they can gain access to a router or communication server. TACACS was derived from the United States Department of Defense and is described in Request For Comments (RFC) 1492. Cisco uses TACACS to allow finer control over who can reach the router in nonprivileged and privileged mode.

With TACACS enabled, the router prompts the user for a username and password. The router then queries a TACACS server to determine whether the password is correct. A TACACS server typically runs on a UNIX workstation. Public-domain TACACS servers can be obtained by anonymous ftp from ftp.cisco.com in the /pub directory; use /pub/README to find the file name. A fully supported TACACS server is bundled with CiscoWorks Version 3.

The tacacs-server host configuration command specifies the UNIX host running a TACACS server that will validate the requests sent by routers. You can enter the tacacs-server host command several times to specify multiple TACACS servers for one router.

Nonprivileged Access

If all servers are unavailable, you may be locked out of the router. For that case, the tacacs-server last-resort [password | succeed] configuration command lets you decide whether to let users log in with no password (succeed keyword) or to require the standard login password (password keyword).

The following commands specify a TACACS server and allow login if the server fails:

    tacacs-server host 129.140.1.1
    tacacs-server last-resort succeed

To force users arriving through Telnet to authenticate, use the following configuration commands:

    line vty 0 4
    login tacacs

Privileged Access

This password-checking method can also be applied to privileged mode with the enable use-tacacs command. If all servers are unavailable, the enable last-resort [succeed | password] configuration command determines whether users may log in without a password. If you use the enable use-tacacs command, you must also use the tacacs-server authenticate enable command.

The tacacs-server extended command makes a Cisco device run in extended TACACS mode. The UNIX system must run the extended TACACS daemon, available by anonymous ftp from ftp.cisco.com as the file xtacacsd.shar. This daemon lets communication servers and other devices talk to the UNIX system and update the information the device sends.

The username <user> password [0 | 7] <password> command lets you store a list of users and passwords on the Cisco device instead of on a TACACS server. The number 0 stores the password in cleartext in the configuration file; 7 stores it in encrypted form. If you have no TACACS server and still want to authenticate each user individually, you can use configuration commands like the following:

    username steve password 7 steve-pass
    username allan password 7 allan-pass

Token Card Access

Using TACACS for routers and communication servers, it is possible to support physical key devices, or token cards. The TACACS server code can be modified to support this without changing the configuration of the router or communication server. This modification is not available directly from Cisco.

A token card system relies on a physical card that you must hold in order to authenticate yourself. By hooking into the TACACS server code, third-party companies can provide these services. One such product is Enigma Logic SafeWord; another is Security Dynamics SmartCard.

Simple Network Management Protocol (SNMP) Access

SNMP is another method used to reach routers. With SNMP you can gather information from routers or configure them: information is gathered with get-request and get-next-request messages, and routers are configured with set-request messages. Every SNMP message carries a community string, a cleartext password sent in every packet between the management station and the router, which contains an SNMP agent. The SNMP string is used to authenticate messages sent between the manager and the agent. The agent answers only when the manager sends a message with the correct community string. The SNMP agent on the router lets you set up different community strings for nonprivileged and privileged access. You set community strings on the router with the snmp-server community <string> [RO | RW] [access-list] configuration command.

Unfortunately, SNMP community strings are sent in cleartext. Anyone able to capture a packet can therefore discover the string and could pose as a legitimate user to modify routers through SNMP. For this reason, using the no snmp-server trap-authentication command may prevent intruders from capturing messages (sent between SNMP managers and agents) in order to learn the community strings.

Security improvements for SNMP version 2 (SNMPv2) are described in RFC 1446. SNMPv2 uses the MD5 algorithm to authenticate communication between server and agent. MD5 verifies the integrity of the data, its origin, and its timeliness. In addition, SNMPv2 can use the Data Encryption Standard (DES) to encrypt information.

Nonprivileged Mode

Use the RO keyword of the snmp-server community command to provide nonprivileged access to routers through SNMP. The following configuration command causes the agent in the router to permit only SNMP get-request and get-next-request messages sent with the community string "public":

    snmp-server community public RO 1

You can specify the list of IP addresses permitted to send messages to the router with the access-list option of the snmp-server community command. In the following example, only hosts 1.1.1.1 and 2.2.2.2 are permitted nonprivileged access to the router through SNMP:

    access-list 1 permit 1.1.1.1
    access-list 1 permit 2.2.2.2
    snmp-server community public RO 1

Privileged Mode

Use the RW keyword of the snmp-server community command to provide privileged access to the router through SNMP. The following command causes the agent in the router to permit only SNMP set-request messages sent with the community string "private":

    snmp-server community private RW 1

You can specify the list of IP addresses permitted to send messages to the router with the access-list option of the snmp-server community command. In the following example, only hosts 5.5.5.5 and 6.6.6.6 are permitted privileged access to the router through SNMP:

    access-list 1 permit 5.5.5.5
    access-list 1 permit 6.6.6.6
    snmp-server community private RW 1

Controlling Access to Servers That Hold Configuration Files

If a router regularly downloads its configuration file from a Trivial File Transfer Protocol (TFTP) or Maintenance Operations Protocol (MOP) server, anyone who can reach that server can also modify the router's configuration file stored there.

Communication servers can be configured to accept Local Area Transport (LAT) connections. Protocol translators and translating routers can accept X.29 connections. These differences in access types should be kept in mind when creating a firewall architecture.
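The router access controls covered so far (console and VTY login passwords, the exec-timeout, service password-encryption, access-class on the VTYs, SNMP community strings with their access lists, trap-authentication) and the service hardening commands used later in the firewall section (no service tcp-small-servers, no service finger, no ip source-route) can be checked mechanically against a saved configuration. The following Python script is an added example, not code from the original article or from Cisco: it parses a configuration text laid out the way a router prints it (top-level commands at column 0, line sub-commands indented by a space, "!" as separator), and reports one finding per deviation from the article's recommendations. The configuration it audits is constructed for the illustration and uses the article's older enable-password syntax.

```python
"""Audit an IOS-style configuration for the router access controls
recommended in this article.  Added example, not from the original; the
sample configuration at the bottom is constructed for illustration."""
import re
from typing import Dict, List, Tuple

# Passwords the article names as an intruder's first guesses.
WEAK_PASSWORDS = {"cisco", "pancho"}

# Global commands the article recommends, with the exposure each one closes.
RECOMMENDED_GLOBAL = [
    ("service password-encryption", "passwords are stored in cleartext in the configuration"),
    ("no service tcp-small-servers", "echo and discard (TCP 7 and 9) answer connections"),
    ("no service finger", "finger (TCP 79) reveals user and host information"),
    ("no ip source-route", "source-routed packets can pass through the router"),
]


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a configuration into global commands and 'line ...' sections.
    Assumes running-config layout: top-level commands at column 0 and
    sub-commands indented; blank lines and '!' separators are skipped."""
    global_cmds: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():            # sub-command of the open section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            sections.setdefault(current, [])
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections


def audit(text: str) -> List[str]:
    """Return one finding per deviation from the article's recommendations."""
    global_cmds, sections = parse_config(text)
    findings: List[str] = []

    def present(cmd: str) -> bool:
        return any(c == cmd for c in global_cmds)

    for cmd, exposure in RECOMMENDED_GLOBAL:
        if not present(cmd):
            findings.append(f"global: {exposure} (add '{cmd}')")
    if present("snmp-server trap-authentication"):
        findings.append("global: authentication traps are enabled; the article "
                        "suggests 'no snmp-server trap-authentication'")
    for c in global_cmds:
        m = re.match(r"enable[- ]password (?:[07] )?(\S+)$", c)
        if m and m.group(1).lower() in WEAK_PASSWORDS:
            findings.append(f"global: enable password '{m.group(1)}' is a well-known guess")
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\d+))?$", c)
        if m:
            community, mode, acl = m.groups()
            if acl is None:   # no access-list: any source address may use the string
                verb = "set-requests" if mode == "RW" else "get-requests"
                findings.append(f"snmp: community '{community}' accepts {verb} from any "
                                "source address (add an access-list number)")

    for name, sub in sections.items():
        if not any(s == "login" or s.startswith("login ") for s in sub):
            findings.append(f"{name}: no 'login'; the line asks for no password")
        for s in sub:
            m = re.match(r"password (?:[07] )?(\S+)$", s)
            if m and m.group(1).lower() in WEAK_PASSWORDS:
                findings.append(f"{name}: password '{m.group(1)}' is a well-known guess")
        if not any(s.startswith("exec-timeout") for s in sub):
            findings.append(f"{name}: idle timeout left at the 10-minute default")
        if name.startswith("line vty") and not any(s.startswith("access-class") for s in sub):
            findings.append(f"{name}: Telnet accepted from any source address "
                            "(add 'access-class N in')")
    return findings


# Constructed sample (not from the article): passwords are set on the console
# and VTYs, but several recommended settings are missing.
SAMPLE_CONFIG = """\
enable-password san-fran
!
snmp-server community public RO 1
snmp-server community private RW
snmp-server trap-authentication
!
access-list 1 permit 1.1.1.1
!
line console 0
 login
 password cisco
 exec-timeout 1 30
line vty 0 4
 login tacacs
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run as a script, it lists nine findings for the sample: the four missing global commands, the enabled authentication traps, the RW community without an access list, the well-known console password, and the VTY lines' default timeout and missing access-class. The RO community "public" is not reported because it is bound to access list 1.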

Establishing Your Firewall Architecture

A firewall architecture is a structure that sits between you and the outside world to protect you from intruders. In most situations, the intruders are represented by the Internet and the thousands of networks connected to it. Typically a firewall is built from several different machines, as shown in Figure 3-1.

Figure 3-1: (not available)

In this architecture, one router is connected to the Internet (the exterior router) and forces all network traffic to go to the application gateway. The router connected to the internal network (the interior router) accepts packets only from the application gateway. The application gateway enforces policies per user and per application. As a result, it controls the delivery of network services both to and from the internal network. For example, only certain users might be allowed to communicate with the Internet, or only certain applications might be allowed to establish connections to the outside. If only one application is allowed to send mail, only mail packets are let through the router.

Controlling Traffic Flow

This section uses the scenario illustrated in Figure 3-2 to describe how access lists are used to restrict traffic to and from a firewall router and a firewall communication server.

Figure 3-2: (not available)

In this article, the firewall router allows incoming connections to one or more servers or hosts. Having a router designed to act as a firewall is desirable, because it clearly identifies the router's purpose as the external gateway and avoids burdening other routers with that task. In situations where the internal network needs to be isolated, the firewall router provides the point of isolation without affecting the rest of the network.

Configuring a Firewall Router

In the firewall router configuration below, subnet 13 of the Class B network is the firewall subnet, while subnet 14 provides the Internet connection through a service provider:

    interface ethernet 0
    ip address B.B.13.1 255.255.255.0
    interface serial 0
    ip address B.B.14.1 255.255.255.0
    router igrp
    network B.B.0.0

This simple configuration offers no security and lets all traffic from the outside world into the network. To provide security on the firewall router, use access lists and access groups as described below.

Defining Access Lists

Access lists define the actual traffic that will be permitted or denied, whereas an access group applies a given access list to an interface. Access lists can be used to deny the connections that are known to be security risks and permit all others, or to permit the acceptable connections and deny all the rest. For a firewall, the second approach is the safer one. In this article, incoming e-mail and news are permitted to a few hosts, but FTP, Telnet and rlogin are permitted only to hosts on the firewall subnet. The extended IP access list range (100 to 199) and TCP or UDP port numbers are used to filter the traffic. When a connection is established for e-mail, Telnet, FTP and so on, it opens a service on a specific port, so you can filter those connections by denying the packets that try to use that service. For a list of services and common ports, see the section "Filtering TCP and UDP Services" later in this article.

An access list is invoked after a routing decision has been made but before the packet is sent out on an interface. The best way to define access lists is to create a file containing the access-list commands, place the file in the default TFTP directory, and load the file into the router. The server holding the file must run a TFTP daemon and have a TCP connection to the firewall router. Before loading, any previous definition of this access list is removed with the command:

    no access-list 101

The access-list command can be used to permit the return packets of previously established connections. With the established keyword, a match occurs if the TCP packet has the acknowledgement (ACK) or reset (RST) bit set:

    access-list 101 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established

If a firewall router shares a network with an outside provider, you may want to permit access from the hosts on that network to your network. In this article, the outside provider has a serial port that uses the firewall router's Class B address (B.B.14.2) as its source address, as follows:

    access-list 101 permit ip B.B.14.2 0.0.0.0 0.0.0.0 255.255.255.255

The following example illustrates how to deny traffic from a user trying to spoof one of your internal addresses from the outside (without using 9.21 "input" access lists):

    access-list 101 deny ip B.B.0.0 0.0.255.255 0.0.0.0 255.255.255.255

The following commands permit Domain Name System (DNS) and Network Time Protocol (NTP) requests and replies:

    access-list 101 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
    access-list 101 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 123

The following command denies the Network File Server (NFS) User Datagram Protocol (UDP) port:

    access-list 101 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 2049

The following commands deny OpenWindows on ports 2001 and 2002 and deny X11 on ports 6001 and 6002:

    access-list 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 6001
    access-list 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 6002
    access-list 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 2001
    access-list 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 2002

The following command permits Telnet to the communication server (B.B.13.2):

    access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.13.2 0.0.0.0 eq 23

The following commands permit FTP to the host on subnet 13:

    access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.13.100 0.0.0.0 eq 21
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.13.100 0.0.0.0 eq 20

In the following examples, network B.B.1.0 is on the internal network. The following commands permit TCP and UDP connections to ports greater than 1023 for a very limited set of hosts.
The communication servers and protocol translators are included in this list:

    access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.13.100 0.0.0.0 gt 1023
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.1.100 0.0.0.0 gt 1023
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.1.101 0.0.0.0 gt 1023
    access-list 101 permit udp 0.0.0.0 255.255.255.255 B.B.13.100 0.0.0.0 gt 1023
    access-list 101 permit udp 0.0.0.0 255.255.255.255 B.B.1.100 0.0.0.0 gt 1023
    access-list 101 permit udp 0.0.0.0 255.255.255.255 B.B.1.101 0.0.0.0 gt 1023

Note: Standard FTP uses ports above 1023 for its data connections; therefore, ports above 1023 must be open. For details, see the section "File Transfer Protocol (FTP) Port" below.

The following commands permit DNS access to the DNS server(s) listed by the Network Information Center (NIC):

    access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.13.100 0.0.0.0 eq 53
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.1.100 0.0.0.0 eq 53

The following commands permit incoming SMTP e-mail to only a few machines:

    access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.13.100 0.0.0.0 eq 25
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.1.100 0.0.0.0 eq 25

The following commands permit the internal Network News Transfer Protocol (NNTP) server to receive NNTP connections from a list of authorized peers:

    access-list 101 permit tcp 16.1.0.18 0.0.0.1 B.B.1.100 0.0.0.0 eq 119
    access-list 101 permit tcp 128.102.18.32 0.0.0.0 B.B.1.100 0.0.0.0 eq 119

The following command permits Internet Control Message Protocol (ICMP) error messages:

    access-list 101 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Every access list has an implicit "deny everything else" statement at its end, so that any traffic not explicitly mentioned is denied.

File Transfer Protocol (FTP) Port

Many sites today block incoming TCP sessions from the outside while allowing outgoing connections. The problem is that blocking incoming connections prevents traditional FTP client programs from working, because those programs use the "PORT" command to tell the server where to send the file. The client opens a "control" connection to the server, but the server then opens a "data" connection back to some port (above 1023) on the client.

Fortunately, there is another way for the client to open the "data" socket, which lets you have both the firewall and FTP. The client sends a PASV command to the server, receives a port number for the data socket, opens the data socket on that port, and begins transferring. To use this method, the FTP client program must support the PASV command. The only problem with this method is that it does not work if the server's side blocks all incoming connections.

Source code for an FTP program that works through firewalls can be obtained by anonymous FTP from ftp.cisco.com, file /pub/passive-ftp.tar.Z. It is a version of BSD 4.3 FTP modified to support PASV.

Note: Be careful when providing anonymous FTP service. Many FTP servers have bugs in this area.

Applying Access Lists to Interfaces

After the access list has been loaded into the router and stored in NVRAM, it must be assigned to the appropriate interface. In this article, traffic arriving from the outside on serial port 0 is filtered before it is placed on subnet 13 (ethernet 0).
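Before the list is bound to an interface, it is worth seeing exactly how the router walks it: statements are tried top to bottom, the first match decides, and a packet that matches nothing falls through to the implicit "deny everything else". The following Python model is an added example, not code from the original article or from Cisco. It parses a representative subset of access list 101 as written above (with the article's B.B placeholder expanded to a constructed 172.16 prefix) and classifies a few constructed packets arriving from the outside. It shows why the deny for UDP 2049 has to come before the "gt 1023" permit to B.B.1.100, how the anti-spoofing deny catches a packet carrying an internal source address, how the 0.0.0.1 wildcard on the NNTP peer admits two addresses, and how "established" admits only return traffic.

```python
"""Model of how a Cisco extended access list is evaluated: statements are
tried top to bottom, the first match decides, and a packet that matches
nothing is dropped by the implicit "deny everything else".  Added example,
not from the article; the packets and the Class B prefix are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

CLASS_B = "172.16"  # constructed stand-in for the article's "B.B" prefix

# Representative subset of the article's access-list 101, in the article's order.
ACL_101_TEXT = """
access-list 101 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established
access-list 101 permit ip B.B.14.2 0.0.0.0 0.0.0.0 255.255.255.255
access-list 101 deny ip B.B.0.0 0.0.255.255 0.0.0.0 255.255.255.255
access-list 101 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
access-list 101 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 2049
access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.13.2 0.0.0.0 eq 23
access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.13.100 0.0.0.0 eq 21
access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.1.100 0.0.0.0 gt 1023
access-list 101 permit udp 0.0.0.0 255.255.255.255 B.B.1.100 0.0.0.0 gt 1023
access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.1.100 0.0.0.0 eq 25
access-list 101 permit tcp 16.1.0.18 0.0.0.1 B.B.1.100 0.0.0.0 eq 119
access-list 101 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""


def to_int(addr: str) -> int:
    """Dotted quad (with the B.B placeholder expanded) to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr.replace("B.B", CLASS_B)))


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    port_op: Optional[str] = None  # "eq" or "gt", applied to the destination port
    port: Optional[int] = None
    established: bool = False


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}


def parse_acl(text: str) -> List[Rule]:
    """access-list N action proto src src-wild dst dst-wild [eq|gt port] [established]"""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        rule = Rule(t[2], t[3], to_int(t[4]), to_int(t[5]), to_int(t[6]), to_int(t[7]))
        rest = t[8:]
        if rest and rest[0] in ("eq", "gt"):
            rule.port_op, rule.port = rest[0], int(rest[1])
            rest = rest[2:]
        rule.established = "established" in rest
        rules.append(rule)
    return rules


def wild_match(addr: int, rule_addr: int, wild: int) -> bool:
    """Wildcard mask semantics: 1 bits are 'don't care', 0 bits must match."""
    return ((addr ^ rule_addr) & ~wild & 0xFFFFFFFF) == 0


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (wild_match(to_int(pkt.src), rule.src, rule.src_wild)
            and wild_match(to_int(pkt.dst), rule.dst, rule.dst_wild)):
        return False
    if rule.port_op == "eq" and pkt.dport != rule.port:
        return False
    if rule.port_op == "gt" and pkt.dport <= rule.port:
        return False
    # 'established' admits only return traffic: a TCP segment with ACK or RST set
    return not rule.established or (pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"}))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching statement); None means the implicit deny."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


# Constructed packets arriving from the outside (not from the article).
PACKETS = {
    "telnet to the communication server": Packet("tcp", "198.51.100.7", "B.B.13.2", 23, frozenset({"SYN"})),
    "telnet to an inside host": Packet("tcp", "198.51.100.7", "B.B.1.100", 23, frozenset({"SYN"})),
    "reply to an outbound session": Packet("tcp", "198.51.100.7", "B.B.1.50", 40000, frozenset({"ACK"})),
    "spoofed inside source to the mail host": Packet("tcp", "B.B.5.5", "B.B.1.100", 25, frozenset({"SYN"})),
    "NFS to the inside host": Packet("udp", "203.0.113.5", "B.B.1.100", 2049),
    "high UDP port on the inside host": Packet("udp", "203.0.113.5", "B.B.1.100", 5000),
    "NNTP from an authorized peer": Packet("tcp", "16.1.0.19", "B.B.1.100", 119, frozenset({"SYN"})),
    "ICMP to the firewall router": Packet("icmp", "203.0.113.5", "B.B.13.1"),
}

if __name__ == "__main__":
    rules = parse_acl(ACL_101_TEXT)
    for name, pkt in PACKETS.items():
        action, idx = evaluate(rules, pkt)
        print(f"{name:40s} -> {action} (statement {idx})")
```

Run as a script, it prints the verdict for each packet together with the index of the statement that produced it; a statement index of None means nothing matched and the implicit deny applied. Reordering the list (for example moving the "gt 1023" permit above the port 2049 deny) changes the NFS verdict, which is the point of writing the denies first.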
The access-group command, which applies an access list to filter incoming connections, must therefore be assigned to Ethernet 0 as follows:

    interface ethernet 0
    ip access-group 101

To control Internet access from the internal network, create an access list and apply it to the packets sent out on serial port 0 of the router. For this to work, packets coming from hosts that use Telnet or FTP must be permitted to reach the firewall subnetwork B.B.13.0.

Filtering TCP and UDP Services

Some commonly used TCP and UDP ports are listed in Table 3-3.

Table 3-3: Some common TCP and UDP services and ports

    Service                                    Port type     Port number
    FTP-Data                                   TCP           20
    FTP-Commands                               TCP           21
    Telnet                                     TCP           23
    SMTP-Email                                 TCP           25
    TACACS                                     UDP           49
    DNS                                        TCP and UDP   53
    TFTP                                       UDP           69
    finger                                     TCP           79
    Sun Remote Procedure Call (RPC)            UDP           111
    Network News Transfer Protocol (NNTP)      TCP           119
    Network Time Protocol (NTP)                TCP and UDP   123
    NeWS                                       TCP           144
    Simple Network Management Protocol (SNMP)  UDP           161
    SNMP (traps)                               UDP           162
    Border Gateway Protocol (BGP)              TCP           179
    rlogin                                     TCP           513
    rexec                                      TCP           514
    talk                                       TCP and UDP   517
    ntalk                                      TCP and UDP   518
    Open Windows                               TCP and UDP   2000
    Network File System (NFS)                  UDP           2049
    X11                                        TCP and UDP   6000

CERT Advisory

The Computer Emergency Response Team (CERT) recommends filtering the services listed in Table 3-4.

Table 3-4: CERT advisory on TCP and UDP services and ports

    Service                                          Port type     Port number
    DNS zone transfers                               TCP           53
    TFTP daemon (tftpd)                              UDP           69
    link                                             TCP           87
    Sun RPC                                          TCP and UDP   111
    NFS                                              UDP           2049
    BSD UNIX r- commands                             TCP           512 to 514
    line printer daemon (lpd)                        TCP           515
    UNIX-to-UNIX copy program daemon (uucpd)         TCP           540
    Open Windows                                     TCP and UDP   2000
    X Windows                                        TCP and UDP   6000+

Most RPC services have no fixed port number. You should find the ports these services use and block them. Cisco recommends blocking all UDP ports except DNS where possible.

Note: Cisco recommends filtering the finger service on port 79, to stop outsiders from learning the users' directory structure and the names of the hosts the users log in from.

Input Access Lists

In Software Release 9.21, Cisco introduced the ability to assign an "input" access list to an interface. This lets an administrator filter packets before they pass through the router. In many cases input and output access lists achieve the same result; however, some prefer input access lists, and they can stop certain kinds of address spoofing against which output access lists give no protection. Figure 3-3 illustrates a host being spoofed. Someone on the outside claims to be on network 131.108.17.0, and the router interface believes the packet came from 131.108.17.0. To prevent this, an input access list is applied to the router interface facing the outside. It blocks any packet from the outside whose source address lies in an internal network the router knows about (17.0 and 18.0).

Figure 3-3: (not available)

If several internal networks are connected to the firewall router and the router uses output filters, traffic between the internal networks is affected by the filters. If input filters are used only on the router interface facing the outside, the internal networks are not significantly affected.

Note: If an address uses source routing, it can send and receive through the firewall router. For this reason you should disable source routing on the router with the no ip source-route command.

Configuring a Firewall Communication Server

In this article, the firewall communication server has one modem, on line 2:

    interface Ethernet 0
    ip address B.B.13.2 255.255.255.0
    !
    access-list 10 deny B.B.14.0 0.0.0.255
    access-list 10 permit B.B.0.0 0.0.255.255
    !
    access-list 11 deny B.B.13.2 0.0.0.0
    access-list 11 permit B.B.0.0 0.0.255.255
    !
    line 2
    login tacacs
    location FireWallCS#2
    !
    access-class 10 in
    access-class 11 out
    !
    modem answer-timeout 60
    modem InOut
    telnet transparent
    terminal-type dialup
    flowcontrol hardware
    stopbits 1
    rxspeed 38400
    txspeed 38400
    !
    tacacs-server host B.B.1.100
    tacacs-server host B.B.1.101
    tacacs-server extended
    !
    line vty 0 15
    login tacacs

Defining Access Lists

In this example, network numbers are used to permit or deny access; therefore the standard IP access list range (1 to 99) is used. For incoming connections to the modem lines, only packets from hosts on the internal Class B network and from hosts on the firewall subnetwork are permitted:

    access-list 10 deny B.B.14.0 0.0.0.255
    access-list 10 permit B.B.0.0 0.0.255.255

Outgoing connections are permitted only to hosts on the internal network and to the communication server:

    access-list 11 deny B.B.13.2 0.0.0.0
    access-list 11 permit B.B.0.0 0.0.255.255

Applying Access Lists to Lines

Apply an access list to a line with the access-class command. In this article, the restrictions in access list 10 are applied to incoming connections on line 2, and the restrictions in access list 11 are applied to outgoing connections on line 2:

    line 2
    access-class 10 in
    access-class 11 out

Using Banners to Create Notices

You can use the banner exec configuration command to create notices that are displayed on every connection. For example, on a communication server you could enter the following message:

    banner exec ^C
    If you have problems with the dial-in lines, please send mail to helpdesk@CorporationX.com. If you get the message "% Your account is expiring", please send mail with name and voicemail box to helpdesk@CorporationX.com, and someone will contact you to renew your account. Unauthorized use of these resources is prohibited.

Securing Nonstandard Services

There are many nonstandard services available from the Internet. In the case of an Internet connection, these services can be quite sophisticated and complex. Examples are the World Wide Web (WWW), Wide Area Information Service (WAIS), Gopher and Mosaic. Most of these systems are concerned with delivering information to users in differently organized ways and allowing structured searches for that information. Most of them have their own protocols. Some, such as Mosaic, use several protocols to obtain information. You must be careful when designing the access lists that apply to each of these services. In many cases the access lists are interrelated, because of the relationships between the services.

Summary

Although this article illustrates how Cisco's network-layer features can be used to increase the security of IP networks, meaningful security requires attention to the whole system at every level.

Recommended Reading

Cheswick, B. and Bellovin, S. Firewalls and Internet Security. Addison-Wesley.
Comer, D.E. and Stevens, D.L. Internetworking with TCP/IP, Volumes I-III. Englewood Cliffs, New Jersey: Prentice Hall; 1991-1993.
Curry, D. UNIX System Security: A Guide for Users and System Administrators.
Garfinkel, S. and Spafford, G. Practical UNIX Security. O'Reilly & Associates.
Quarterman, J. and Carl-Mitchell, S. The Internet Connection. Reading, Massachusetts: Addison-Wesley Publishing Company; 1994.
Ranum, M. J. Thinking about Firewalls. Trusted Information Systems, Inc.
Stoll, C. The Cuckoo's Egg. Doubleday.
Treese, G. W. and Wolman, A. X through the Firewall and Other Application Relays.

Requests For Comments (RFCs)

RFC 1118. "The Hitchhiker's Guide to the Internet." September 1989.
RFC 1175. "A Bibliography of Internetworking Information." August 1990.
RFC 1244. "Site Security Handbook." July 1991.
RFC 1340. "Assigned Numbers." July 1992.
RFC 1446. "Security Protocols for SNMPv2." April 1993.
RFC 1463. "FYI on Introducing the Internet: A Short Bibliography of Introductory Internetworking Readings for the Network Novice." May 1993.
RFC 1492. "An Access Control Protocol, Sometimes Called TACACS." July 1993.

Internet Directories

Documents at gopher.nist.gov.
The "Computer Underground Digest" in the /pub/cud directory at ftp.eff.org.
Documents in the /dist/internet_security directory at research.att.com.
