
Foundation Project: Computer Networks

I. PROJECT OBJECTIVES
Network security is a necessity because the Internet is a network of interconnected networks with no boundaries. As a result, a network can be used, and attacked, from any computer in the world. A firewall is a hardware or software device operating in a computer network that stops Internet users from reaching unwanted information, or blocks prohibited connections coming from outside the network, according to the policy of an individual or organization. The objective of this project is to understand what the PIX Firewall is and to recognize its characteristics, models, components and benefits, and on that basis to simulate installation, inbound and outbound access configuration, and multi-interface configuration on the PIX Firewall.

Student: Nguyễn Ngọc Hoàng

Supervisor: Nguyễn Văn Sinh


II. PROJECT STRUCTURE

CHAPTER I
INTRODUCTION TO THE PIX FIREWALL
1.1 Firewalls and common firewall types
a. Firewalls
In its ordinary meaning, a firewall is a partition made of fire-resistant material, designed to stop fire from spreading from one section to another; it can also be used to isolate one section from another. When the term is applied to computer networks, a firewall is a system or group of systems that enforces an access control policy between two or more networks.

Figure 1.1: Firewall
b. Common firewall types
There are three common firewall types today, based on three corresponding protection techniques.
- Packet filtering: limits the transfer of information between networks based on source and destination addresses. A firewall can use packet filtering to limit the information entering a network, or moving from one network segment to another. Packet filtering uses access control lists (ACLs), which let the firewall permit or deny access based on the packet type and other variables. The method is very effective when a protected network receives packets from another network: any packet that does not satisfy the criteria defined in the ACLs is dropped.
* Problems with packet filtering
+ Arbitrary packets can be sent through the filter as long as they satisfy the ACL criteria.
+ Packets can pass the filter in fragments.
+ ACLs are complex, and hard to implement and maintain correctly.


+ Some services cannot be expressed in the filter.
- Proxy server: requires a relayed connection between a client inside the firewall and the outside network. A proxy server is a firewall device that inspects packets at higher layers of the OSI model. It hides data by requiring users to communicate with a secure system, the proxy itself. A user gains access to a network by going through a process that establishes session state, authenticates the user and applies the authorization policy. In other words, users connect to outside services through application programs (proxies) running on the gateway that connects to the unprotected outside area.
* Problems with proxy servers
+ A single point of failure: if the gateway into the network goes down, the whole network goes down with it.
+ Adding a new service to the firewall is difficult.
+ Performance is slow.
- Stateful packet filtering: limits information entering a network based not only on source and destination addresses but also on the packet contents. Stateful packet filtering is the method used in the PIX Firewall. The technique maintains full session state: whenever a TCP or UDP connection is established, inbound or outbound, its information is collected in the stateful session flow table. That table holds the source and destination addresses, port numbers, TCP sequence number information and the additional flag parameters of each TCP/UDP connection associated with those sessions. This information forms connection objects, so inbound and outbound packets are compared against the session flows in the stateful session flow table. Data is only allowed through the firewall if a valid connection exists for it.
* Benefits of this method
+ It works on packets and connections.
+ It operates at a higher level than packet filtering or proxies.
+ It records data in a table for each connection. The table serves as a reference point for deciding whether a packet belongs to an existing connection or comes from an unauthorized source.
1.2 Overview of the PIX Firewall
1.2.1 What is the PIX Firewall?
The PIX (Private Internet Exchange) Firewall is the main component of Cisco's end-to-end security solution. It is a dedicated hardware and software security solution that delivers a higher level of security without affecting network performance. It is a hybrid system, because it uses both packet filtering and proxy server techniques.
Unlike CPU-intensive full-time proxy servers, which perform extensive processing on every data packet of every application, the PIX Firewall uses a purpose-built operating system that is secure, real-time and embedded.


1.2.2 Characteristics and functions
Unlike ordinary CPU-based proxy servers, which perform extensive processing on every data packet, the PIX Firewall is a real-time security system on an embedded platform, which strengthens network security.
- Adaptive Security Algorithm (ASA): performs stateful connection control through the PIX Firewall.
- Cut-through proxy: a user authenticated on inbound and outbound connections gets higher performance than with a proxy server.
- Stateful failover: the PIX Firewall allows two PIX units to be configured in the same topology without difficulty.
- Stateful packet filtering: a packet analysis method in which information about the packets is kept in a table. When a session is to be established, the session's connection information must match the information in the table.
- The PIX Firewall is compatible and extensible with IPSec. IPSec comprises a security system and authentication protocols such as Internet Key Exchange (IKE) and Public Key Infrastructure (PKI). The PIX Firewall is built on the same foundation as Virtual Private Networks (VPN), in which remote clients can reach the company network through their ISPs.
1.2.3 PIX Firewall models
The PIX Firewall comes in a fair number of models suited to different network environments. The current models in the 500 series are the 501, 506, 506E, 515, 515E, 520, 525 and 535, shown in the following figure:

Figure 1.1: Diagram of the current PIX Firewall models


a) PIX Firewall 501

Figure 1.2: PIX Firewall 501
The Cisco PIX Firewall 501 measures only 1.0 x 6.25 x 5.5 inches and weighs 0.75 pounds (~340.2 grams). This model is typically used for small offices and remote operations. With strong security in an always-on broadband environment, the Cisco PIX 501 delivers the features and power a small office network needs, with remote management of devices under a single policy, as an all-in-one solution. It is the entry-level PIX Firewall model and has a fixed configuration: a 4-port switch for inside connections and one 10 Mbps interface for connecting to outside devices such as a cable modem or DSL router. It also provides up to 3 Mbps for 3DES IPsec connections (exceeding the needs of users in a SOHO network).
* PIX Firewall 501 specifications
- Supports up to 3,500 simultaneous connections
- Supports 5 simultaneous VPN peers
- Cleartext throughput up to 10 Mbps
- 133 MHz AMD SC250 processor
- 16 MB SDRAM, 8 MB flash
- 1 console port
- 1 half-duplex RJ45 10BaseT port for the outside connection
- 1 integrated auto-sensing, auto-MDIX 4-port RJ45 10/100 switch for inside connections
PIX Firewall 506

Figure 1.3: PIX Firewall 506E


The Cisco PIX Firewall 506 measures 8 x 12 x 1.7 inches and is designed for companies that let employees work remotely over the Internet. It offers comprehensive protection and adds virtual private network (VPN) capabilities.
* PIX Firewall 506 specifications
- Supports up to 10,000 simultaneous connections
- Supports 25 simultaneous VPN peers
- Cleartext throughput up to 20 Mbps
- 200 MHz Intel Pentium MMX processor
- 32 MB RAM, 8 MB flash
- 3DES throughput of 10 Mbps
- 2 interfaces (10BaseT)
- 2 RJ45 10BaseT ports, one for the inside connection and one for the outside connection
- Uses TFTP to download and upgrade the image
The 506E is an improved version of the 506 with some notable changes: a 300 MHz Intel Celeron processor, 3DES throughput raised to 16 Mbps, and cleartext throughput of 100 Mbps.
b) PIX Firewall 515

Figure 1.4: PIX Firewall 515E
The Cisco PIX Firewall 515 is designed for small and medium businesses, with comprehensive protection, VPN features and full support for the IPSec standard. It supports setting up and tearing down VPN connections between two PIX Firewalls, or between a PIX Firewall and any other VPN-capable router. It is also a model that supports remote management while requiring only two connections to it.


* PIX Firewall 515 specifications
- Supports up to 128,000 simultaneous connections
- Cleartext throughput up to 147 Mbps
- 200 MHz Intel Pentium MMX processor
- 64 MB RAM, 8 MB flash
- 3DES throughput of 10 Mbps
- 6 interfaces (10BaseT)
- Failover support
The upgraded version of the 515 is the 515E, with substantial improvements: cleartext throughput of 190 Mbps, 130,000 simultaneous connections, 3DES throughput up to 35 Mbps, a 433 MHz Intel Celeron processor, flash increased to 16 MB and RAM increased to 128 MB.
c) PIX Firewall 520

Figure 1.5: PIX Firewall 520
The Cisco PIX Firewall 520 is designed for large, complex enterprises with heavy link traffic. It provides full security mechanisms and IPSec VPN support, and uses a floppy disk to download and upgrade the image.
* PIX Firewall 520 specifications
- Supports up to 256,000 simultaneous connections
- Cleartext throughput up to 240 Mbps
- 350 MHz processor
- 128 MB RAM, 16 MB flash
- 3DES throughput of 20 Mbps
- 6 interfaces (10BaseT)
- Failover support


d) PIX Firewall 525

Figure 1.6: PIX Firewall 525
The Cisco PIX Firewall 525 is designed for enterprises and service providers and suits an ideal security environment. It offers a range of network interface cards, including single-port or 4-port 10/100 Fast Ethernet and Gigabit Ethernet cards with the UR license. In addition, the PIX Firewall 525 supports a VPN accelerator that significantly improves VPN connection speed.
* PIX Firewall 525 specifications
- Supports up to 280,000 simultaneous connections
- Cleartext throughput up to 330 Mbps
- 600 MHz Intel Pentium III processor
- 128 or 256 MB RAM, 16 MB flash
- 3DES throughput of 145 Mbps
- Failover support

e) PIX Firewall 535

Figure 1.7: PIX Firewall 535
The Cisco PIX Firewall 535 is designed for enterprises and service providers. It has a throughput of 1.7 Gbps, can manage 500,000 simultaneous connections, and supports both VPN application types, site-to-site and remote access, with 56-bit DES or 168-bit 3DES. Its integrated functions can be combined with a VPN Accelerator card delivering 10 Mbps of throughput and 2,000 IPSec tunnels. The PIX Firewall 535 provides Fast Ethernet, Gigabit Ethernet and VPN Accelerator interfaces. Flash is 16 MB, and it runs software version 5.3 or later.


* PIX Firewall 535 specifications
- Supports up to 500,000 simultaneous connections
- Cleartext throughput up to 1.7 Gbps
- 1 GHz Intel Pentium III processor
- 512 MB or 1 GB RAM, 16 MB flash
- 3DES throughput of 425 Mbps
- Failover support


CHAPTER II
BASIC PIX FIREWALL CONFIGURATION
2.1 PIX Firewall access modes
The PIX Firewall has a command set modelled on the Cisco IOS operating system and offers the user four access modes:
2.1.1 Unprivileged mode
This is the default mode on first access to the PIX Firewall. At the > prompt the user can view the settings in a limited way.
2.1.2 Privileged mode
This mode is identified by the # prompt and lets the user change the current configuration. Any unprivileged-mode command can also be executed in privileged mode.
2.1.3 Configuration mode
This mode shows the (config)# prompt and lets the user change the system configuration; all privileged and unprivileged commands can be executed in this mode.
2.1.4 Monitor mode
This is a special mode that lets the user update the image file over the network. In this mode the user can enter commands giving the location of the TFTP server and the binary image in order to download the image.
To save typing, the user can abbreviate commands (the permitted abbreviations are predetermined by the vendor). For example, the user can type write t to view the configuration commands instead of the full write terminal, and likewise en instead of enable. During configuration the user can use the help command or the ? character to see command hints. The hints depend on the mode the user is working in: configuration mode lists all commands, while unprivileged mode gives the fewest hints. The user can also copy and paste configuration commands from another text editor, as long as the commands are correctly formed.
2.2 Common PIX Firewall maintenance commands
Some common maintenance commands of the PIX Firewall:
The enable, enable password and passwd commands are used to access the PIX Firewall software or to change passwords.
- enable: gives access to privileged mode.
- enable password: sets the password for privileged access. The password is at most 16 characters and at least zero characters (empty), is case-sensitive and may contain digits. It may contain any character except three: the question mark, the space and the colon. Once set, the password is stored encrypted and cannot be viewed again if forgotten.
- passwd: sets the password for Telnet access to the PIX Firewall; the default is cisco.

The write command is used to view the system configuration and to store new configuration commands.
- write net: saves the system configuration commands to a separate file stored on a TFTP server or on the network.
- write erase: erases the configuration in flash memory.
- write floppy: saves the current configuration to a 3.5-inch floppy disk (the 520 and earlier models have a floppy drive).
- write memory: writes the current configuration to flash memory.
- write standby: writes the configuration held in RAM on the active failover unit to RAM on the standby PIX Firewall. While the PIX Firewall is running, configuration commands are automatically written to the standby PIX Firewall.
- write terminal: displays the current configuration.
The show command is used to check the system configuration and other relevant information.
- show history: displays the previous command lines.
- show memory: displays the maximum and currently used memory of the PIX Firewall.
- show version: displays the software version of the PIX Firewall, the time since the last start, the processor type and the flash memory type.
- show xlate: displays information about translation slots.
- show cpu usage: displays CPU usage; used in configuration or privileged mode.
The exit and reload commands:
- exit: leaves the current access mode.
- reload: reloads the saved configuration and restarts the system.
The hostname, ping and telnet commands are used to determine whether an IP address exists, to change the hostname and define local hosts for the PIX Firewall, and to gain console access.
- hostname: changes the label before the command prompt; supports up to 16 upper-case, lower-case and numeric characters. The default is pixfirewall.
- ping: used to check whether the PIX Firewall has connectivity, or whether a host (as seen by the PIX Firewall) exists on the network. If the host exists the ping is answered; otherwise the reply is NO response received. By default ping sends three probes to the destination host.
- telnet: lets the user specify the hosts that can reach the PIX Firewall via Telnet. The user can specify a host on any inside network but not a host on the outside network. Up to 16 hosts or networks may be allowed simultaneous Telnet access to the PIX Firewall.


- show telnet: displays the current list of IP addresses authorized to access the PIX Firewall via Telnet.
- clear telnet and no telnet: remove an IP address that can access the PIX Firewall via Telnet.
- telnet timeout: sets the maximum time a Telnet connection to the PIX Firewall may stay idle before the PIX Firewall disconnects it.
- kill: terminates a Telnet session. When this command is used, the PIX Firewall blocks all commands issued afterwards and then disconnects the session without notifying the user.
- who: shows which IP addresses are currently accessing the PIX Firewall via Telnet.
* Syntax:
telnet ip_address [netmask] [if_name]
clear telnet [ip_address [netmask] [if_name]]
no telnet [ip_address [netmask] [if_name]]
telnet timeout [minutes]
kill [telnet_id]
who [local_ip]
* Meaning of the options:
- ip_address: the IP address of a host or network that may telnet to the PIX Firewall.
- netmask: to limit access to a single IP address, use 255 in every octet (for example 255.255.255.255). The default is 255.255.255.255.
- if_name: if IPsec is running, the PIX Firewall lets the user specify an unsecured interface; at least a crypto map command must be configured to identify an interface for Telnet.
- minutes: the idle time after which the PIX Firewall disconnects the session. The default is 6 minutes; the permitted range is 1 to 60 minutes.
- telnet_id: the identifier of the Telnet session.
- local_ip: an optional internal IP address that limits the list to one IP address or network.
The http commands let the user enable the HTTP server feature of the PIX Firewall and define which clients may access it. The HTTP server must be enabled to be managed by the PIX Device Manager (PDM).
- http server enable: enables the HTTP server of the PIX Firewall.
- http <ip_add>: specifies a client allowed to access the HTTP server.


* Syntax:
http ip_address [netmask] [if_name]
http server enable
- ip_address: specifies a host or network permitted to initiate a connection to the PIX Firewall.
- netmask: specifies the netmask for ip_address. The default is 255.255.255.255.
- if_name: the name of the PIX Firewall interface on which the host or network initiates the HTTP connection. The default is inside.
The show interface command displays network interface information.
* Information returned by show interface:
- Ethernet
- Line protocol up
- Line protocol down
- Network interface type
- Interrupt vector
- MAC address
- MTU (maximum transmission unit)
- Packet input
- Packet output
- Line duplex status
- Line speed
* Interface problem indicators reported by show interface:
- No buffer
- Runts
- Giants
- CRC (cyclic redundancy check)
- Network interface type
- Frame errors
- Ignored and aborted errors
- Underruns
- Overruns
- Unicast rpf drops
- Output errors
- Collisions
- Interface resets
- Babbles
- Late collisions
- Deferred
- Lost carrier
- No carrier
- Input queue
- Output queue


The show ip address command displays the IP address currently assigned to each interface. The assigned address is the same as the system address on the active failover unit (the active PIX). When the active unit fails, the current IP address is taken over by the standby unit.
The name command lets the user configure a list of IP address to name mappings on the PIX Firewall.
* Syntax:
name ip_address name
- ip_address: the IP address of the host being named.
- name: the name assigned to the IP address.
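As an added example, not taken from the original project, the maintenance commands above are applied here to lock down management access on a PIX: the privileged-mode and Telnet passwords are set, Telnet is limited to a single inside management host with a shorter idle timeout, the PDM HTTP server is enabled for that host only, and the result is saved. The hostname labpix, the management host 10.0.0.5 and the password placeholders are assumptions; the commands are entered in configuration mode (after enable and configure terminal).

```text
: constructed example: the hostname labpix and management host 10.0.0.5 are assumptions
hostname labpix
: privileged-mode password (at most 16 characters; no ?, space or colon) and Telnet password;
: ENABLESECRET and TELNETSECRET are placeholders, and the default Telnet password cisco is replaced
enable password ENABLESECRET
passwd TELNETSECRET
: Telnet: only the management host, and only via the inside interface (outside hosts cannot be listed)
telnet 10.0.0.5 255.255.255.255 inside
: idle Telnet sessions are dropped after 5 minutes (default 6, range 1 to 60)
telnet timeout 5
: PDM over HTTP: enable the server and permit the same single host on the inside interface
http server enable
http 10.0.0.5 255.255.255.255 inside
: checks: list the permitted Telnet hosts and the current sessions, then commit to flash
show telnet
who
write memory
```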

2.3 Basic PIX Firewall configuration commands
There are six basic configuration commands for the PIX Firewall:
- nameif: registers a name for each PIX Firewall interface and sets the interface's security level. (The outside and inside interfaces are the exception, as they have default names.) In the default configuration, e0 is named outside with security level 0 and e1 is named inside with security level 100.
* Syntax:
nameif hardware_id if_name security_level
- hardware_id: identifies the interface and its physical location on the PIX Firewall. Three interface types can be used: Ethernet, FDDI and Token Ring. Each interface is described by a name made of letters and a number; for example Ethernet interfaces are e1, e2, e3, ..., FDDI interfaces are fddi1, fddi2, ..., and Token Ring interfaces are token-ring1, token-ring2, ...
- if_name: the name of the connected interface, chosen by the user and used throughout the rest of the configuration.
- security_level: the security level set by the user, in the range 1 to 99.
- interface: identifies the hardware, sets the speed and enables the interface. When an Ethernet interface is added, the PIX Firewall detects it automatically.
* Syntax:
interface hardware_id hardware_speed [shutdown]
- hardware_id: identifies the interface and its physical location on the PIX Firewall.
- hardware_speed: sets the link speed; for Ethernet:
+ 10baset: 10 Mbps half-duplex Ethernet
+ 10full: 10 Mbps full-duplex Ethernet
+ 100basetx: 100 Mbps half-duplex Ethernet
+ 100full: 100 Mbps full-duplex Ethernet
+ 1000sxfull: 1000 Mbps full-duplex Gigabit Ethernet
+ 1000basesx: 1000 Mbps Gigabit Ethernet that auto-negotiates full or half duplex. Do not use this setting when compatibility between the switch and other network devices must be maintained.
+ 1000auto
+ aui: 10 Mbps half-duplex Ethernet over AUI cable
+ auto: auto-negotiated Ethernet speed. Only valid with Intel 10/100 network cards.
+ bnc: 10 Mbps half-duplex Ethernet over BNC cable
+ 4mbps: 4 Mbps transmission speed
+ 16mbps: 16 Mbps transmission speed (the default)
- shutdown: the administrator disables this port.
* If the interface is FDDI or Token Ring it must be defined beforehand, and from PIX Firewall version 6.0 these interface types are no longer supported.
- ip address: assigns an IP address to each interface.
* Syntax:
ip address if_name ip_address [netmask]
- if_name: the name of the interface, chosen by the user and used throughout the rest of the configuration.
- ip_address: the IP address of the interface.
- netmask: the corresponding subnet mask.

- global: when data is sent from a trusted network to an untrusted network, the source IP address is normally translated. The PIX Firewall does this with two commands: the first, nat, defines which source addresses of the trusted network are translated; the second, global, defines the range of addresses the source address is translated to.
* Syntax:
global [(if_name)] nat_id global_ip [-global_ip] [netmask global_mask] | interface
- if_name: the name of the interface.
- nat_id: the identifier of the global pool and of the matching nat command.
- global_ip: a single IP address or the start of a range of public IP addresses.
- -global_ip: the end of a range of public IP addresses.
- netmask global_mask: the netmask for global_ip.
- interface: specifies PAT using the IP address of the interface.


- nat: Network Address Translation (NAT) lets the user hide inside addresses before traffic leaves the network.
* Syntax:
nat [(if_name)] nat_id local_ip [netmask]
- if_name: the name of the inside interface, chosen by the user.
- nat_id: identifies the global pool and the matching nat commands.
- local_ip: the IP address assigned to the inside interface.
- netmask: the corresponding subnet mask.
When first configuring the PIX Firewall, so that inside hosts can reach the outside network using the addresses in the global command, the user needs to configure the command nat 1 0.0.0.0 0.0.0.0. The value 0 may be used in place of 0.0.0.0.
- route: defines a static route for an interface.
* Syntax:
route if_name ip_address netmask gateway_ip [metric]
- if_name: the name of the interface.
- ip_address: the IP address of the interface.
- netmask: the corresponding subnet mask. 0.0.0.0 is the default and may be replaced by 0.
- gateway_ip: specifies the gateway router.
- metric: specifies the number of hops to the gateway. If unsure, enter 1 or use traceroute to get the exact hop count.

2.4 ASA (Adaptive Security Algorithm) security levels
ASA (Adaptive Security Algorithm) is a comprehensive approach to security. Every packet is checked against the ASA and against the connection state information held in the PIX Firewall's memory. The PIX Firewall's memory plays a crucial role in securing the system because it carries out these functions:
- Controls all connections through the PIX Firewall.
- Allows connections from inside to outside without explicit configuration for each inside application.
- Checks returning packets to ensure they are valid.
- Randomizes the sequence numbers of TCP connections to reduce the chance of attack.
ASA maintains a security perimeter between the networks controlled by the PIX Firewall. Connections are directed based on source and destination addresses. Security levels are designed around inside (trusted) and outside (untrusted) interfaces connecting to other interfaces: an interface is the inside one when it has the higher security level of the pair, and the outside one when it has the lower security level of the pair.
* Basic security level rule: data can pass through the PIX Firewall entering on an interface with a high security level and leaving on an interface with a low security level. Conversely, data cannot pass through the PIX Firewall from a low security level interface to a high security level interface; that is only possible if the PIX Firewall has a conduit or access-list configured for it.
* PIX Firewall security levels
- Security level 100: the highest security level, for the inside interface. It is the PIX Firewall's default configuration and cannot be changed, as it is also the most trusted level. The organization's network usually sits behind this interface; nobody can access this network unless explicitly permitted, and that permission must be configured on the PIX. Devices inside this network can reach the outside network.
- Security level 0: the lowest security level, used for the outside interface. It is the PIX default and cannot be changed. Because 0 is the least trusted level, untrusted networks usually sit behind this interface. Outside devices may reach the PIX only when it is configured to allow it. This interface is usually used for the Internet connection.
- Security levels 1 to 99: these levels can be assigned to interfaces on networks connected to the PIX, typically a network acting as a demilitarized zone (DMZ). A DMZ is a device or network commonly used to allow users from untrusted networks in; it is an area isolated from the inside, trusted environment.

* Traffic between interface security levels
- High security level to low security level: a static or dynamic translation is required; traffic is then passed freely except where blocked by an access-list, authentication or authorization.
- Low security level to high security level: a static translation plus a conduit or access-list is required. If a conduit is configured, the user can still restrict the traffic by adding authentication or authorization.
- Equal security levels: no traffic passes between interfaces with equal security levels.


Figure 2.1: Basic example of ASA security levels with three interfaces
In the model above we have these interface pairs:
- Outside (e0), security level 0, to DMZ (e2), security level 50: the DMZ has the higher security level, so it is the inside of the pair. To pass traffic between these two interfaces, a conduit and a static translation must be configured.
- Inside (e1), security level 100, to DMZ (e2), security level 50: e1 has security level 100, so by default it is inside and e2 is outside. To pass traffic, global and nat are configured; in addition a static translation can be configured for the DMZ interface to ensure the service host always sees the same source address.
2.5 Translation in the PIX Firewall
2.5.1 The TCP and UDP transport protocols
To understand how the PIX Firewall works, the user must understand the two main transport protocols in use today, TCP and UDP.
- TCP: a connection-oriented, reliable, robust, high-performance protocol. It delivers data without errors (thanks to error correction and retransmission), delivers segments in order, retransmits segments lost in transit, discards duplicate segments, and has a congestion control mechanism. TCP connections have three phases (the three-way handshake process): connection establishment, data transfer, and connection termination.


TCP session establishment: inside to outside

Figure 2.2: TCP session establishment: inside to outside
When a TCP session is established through the PIX Firewall, the following steps take place:
1. The first IP packet from an inside host creates a translation slot. The TCP information embedded in it is used to create a connection slot on the PIX Firewall.
2. The connection slot is marked as not yet established (embryonic).


3. A random initial sequence number is chosen, the delta is stored, and the packet is forwarded out the outside interface.
4. The PIX Firewall waits for the SYN/ACK from the destination server, matches it against the connection slot, computes the sequence number adjustment, and forwards the packet back to the inside host.
5. The inside host completes the connection with an ACK.
6. The connection slot is now marked as connected (established) and data transfer begins. The embryonic counter for this connection is reset.
* Note: the term outbound means connections from a more trusted side of the PIX Firewall to a less trusted side. The term inbound means connections from a less trusted side to a more trusted side.
- UDP:

Figure 2.3: UDP
When a UDP connection slot stays idle longer than the configured time, it is removed from the connection list. Some characteristics of UDP:
- UDP is an unreliable transport protocol, but very efficient.
- Forging a UDP packet is easy, since there is no three-way handshake as in TCP.
- UDP transport can lose data without notification or retransmission.
- There is no congestion control mechanism.
- There is no connection setup or teardown.
- Services using UDP fall into two basic kinds:
+ Request-response (ping-pong), such as DNS
+ Streaming services, such as video, VoIP and NFS
2.5.2 Static and dynamic translation
The PIX Firewall can be used to translate all inside addresses when data travels from inside to outside or to a network with a lower security level. If a user on the outside network attempts a connection to the inside, it will fail: a session cannot be created from the Internet to a private destination address unless the PIX is configured to allow it.
- Static Address Translation

Figure 2.4: Static address translation
Use static address translation when an inside server must always appear with a fixed address on the outside network through the PIX Firewall. It maps an inside server address to an outside (global) address.
- Use the static command for outside connections to ensure that packets leaving an inside host are always mapped to a specific global IP address (for example, an inside DNS or SMTP host).
- Use the static command for outside connections that need to map to the same global IP address.
The following points help decide when to use static address translation:
- Do not create statics with overlapping static IP addresses; every IP address should be unique.
- Statics take priority over nat and global command pairs.
- If a global IP address is used for port address translation (PAT), do not use the same global IP address for a static translation.


- Dynamic Address Translation

Figure 2.5: Dynamic address translation
Dynamic address translation is used for local hosts and their outbound connections, hiding the host's address when it leaves the network. First the user identifies the hosts eligible for translation with the nat command, then defines the address pool with the global command. The pool is selected by the outbound interface and the nat_id given in the nat command. The nat command works with the global command to enable NAT: it associates a network with a pool of global IP addresses and lets the user specify which hosts may use the PIX Firewall for address translation. In Figure 2.5 the global pool defined by the global command is 192.168.0.20 to 192.168.0.254, giving 235 distinct IP addresses.
2.5.3 Access through the PIX Firewall
There are only two ways to allow access through the PIX Firewall:
- Valid user request: all sessions from inside to outside. When an outside server answers the request, the PIX Firewall checks the translation table for a translation slot matching that request; if one exists, the session is allowed to continue. When the session ends, the translation slot is removed. After a session is set up for a UDP request, a configured timer is started; the session ends when the time allowed for UDP sessions expires, and the translation slot is then closed.
- Predefined statics and conduits: used for communication from outside to inside. A static translation is predefined using one address or a range of addresses from the global pool. A conduit is then entered to define the addresses, address groups, TCP/UDP ports or port ranges, and thus who and which applications may pass through the PIX Firewall.


The static and conduit commands
Most connections go from an interface with a higher security level to one with a lower security level. To connect from a lower security level interface to a higher one, the static and conduit commands are used.
- static: creates a fixed mapping between a local host and a global IP address.
* Syntax:
static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq]
- internal_if_name: the name of the inside interface, chosen by the user.
- external_if_name: the name of the outside interface, chosen by the user.
- global_ip: the global IP address used for the direction from outside to inside.
- local_ip: the IP address on the inside network.
- netmask: keyword required before the netmask.
- network_mask: the netmask for both global_ip and local_ip.
- max_conns: the maximum number of simultaneous connections through the static.
- em_limit: the limit on embryonic connections. The default is 0.
- norandomseq: do not randomize TCP/IP sequence numbers. Use this option only when another firewall is also in the path.

- conduit: allows connections from an interface with a lower security level to an interface with a higher security level.
* Syntax:
conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
- permit: allows access if the conditions match.
- deny: denies access if the conditions match.
- protocol: the transport protocol of the connection, such as eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, udp, or an integer from 0 to 255 denoting an IP protocol. Use ip to mean all transport protocols.
- icmp: permits or denies ICMP access from one or more global IP addresses. Specify the ICMP type in icmp_type, or omit it to cover all ICMP types.
- global_ip: a global IP address previously defined by a global or static command. Any IP address can be matched if global_ip and global_mask are 0.0.0.0 0.0.0.0. The any keyword applies the permit or deny to global addresses on all interfaces.
- global_mask: the netmask for global_ip.
- operator: a comparison operator that selects a port or range of ports. Possible values: eq, lt, any, gt, neq, range.
- port: the port of the permitted service, such as 25 for SMTP or 80 for HTTP; 0 means all ports.
- foreign_ip: the outside IP address (host or network) that may access global_ip. Specifying 0.0.0.0 or 0 allows any host.
- foreign_mask: the netmask for foreign_ip.
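To tie sections 2.3 to 2.5 together, here is an added example configuration (constructed for this page, not the original project's) for the three-interface model of Figure 2.1: e0 outside at level 0, e1 inside at level 100 and e2 DMZ at level 50. The addresses are assumptions: 192.168.0.0/24 outside, 10.0.0.0/24 inside, 172.16.0.0/24 DMZ, and a DMZ web server 172.16.0.10 published as 192.168.0.10. It shows the nat/global pair that carries high-to-low traffic and the static plus conduit that opens exactly one low-to-high path.

```text
: --- interfaces and security levels (e0 and e1 keep the default names and levels)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
ip address outside 192.168.0.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
: --- default route to the outside gateway, one hop away (constructed address)
route outside 0.0.0.0 0.0.0.0 192.168.0.254 1
: --- high to low (inside -> outside): every inside host under nat_id 1 is translated
:     into the global pool 192.168.0.20-192.168.0.254, the 235-address pool of Figure 2.5
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
: --- inside -> dmz is also high to low. Statics take priority over the nat/global pair,
:     so this identity static lets inside hosts reach the DMZ with their real source address
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
: --- low to high (outside -> dmz): a fixed global address for the web server ...
static (dmz,outside) 192.168.0.10 172.16.0.10 netmask 255.255.255.255
: ... and a conduit that admits only TCP port 80 to it from any foreign host.
:     Nothing else is opened: the static alone admits no inbound session without a conduit,
:     and no conduit at all exists toward the inside (security 100) interface.
conduit permit tcp 192.168.0.10 255.255.255.255 eq 80 0.0.0.0 0.0.0.0
: --- save, then inspect the translation slots once traffic starts to flow
write memory
show xlate
```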

2.6 The failover mechanism
Failover lets a second PIX Firewall stand in for the first. When the active PIX Firewall fails, the redundant unit is promoted to active straight away and takes over from the failed unit.
2.6.1 Understanding failover
a- Failover
Failover on the PIX not only replaces a failed unit with a working one almost instantly, it also keeps the system protected during the outage, because the standby unit carries the same configuration and continues to enforce the same policy instead of traffic being routed around the firewall.
b- Types of failover
Failover can be divided into two types:
- Standard failover: uses the serial failover cable to connect the two PIX Firewalls. It comes in two variants, failover and stateful failover (stateful failover from PIX OS 5.1 onward).
Failover: when the primary firewall fails, the secondary becomes active; every connection that was active through the firewall is dropped, and applications must open new connections to resume communicating through the PIX.
Stateful failover: when the active PIX fails and the secondary becomes active, the connections that were active on the failed unit are preserved on the newly active PIX, so client applications keep working. With stateful failover, in addition to the configuration, the following information is sent to the standby PIX Firewall:
- the translation (xlate) table, both static and dynamic translations
- the TCP connection table (including the timeout of each connection)
- the system clock and uptime information
Most UDP connections are not replicated to the standby, except those of the H.323 protocol. The following are not replicated either:
- ISAKMP and IPsec state, which means the ISAKMP and IPsec SAs are lost on failover and the VPN peers must renegotiate them
- DHCP
- the user authentication (uauth) table, so authenticated users must authenticate again after a failover
- the routing table, so all dynamic routes (learned through RIP) must be relearned
- the ARP table
- LAN-based failover: PIX OS version 6.2 and later support LAN-based failover. Instead of the serial failover cable, an Ethernet link is used to monitor the failover state and exchange failover messages. Its main advantage is that it removes the distance limit of standard failover (the serial failover cable is at most 6 feet long). The Ethernet link must be a dedicated LAN interface; if stateful failover is used, that same interface can also carry the state information. A dedicated hub or switch, or a dedicated VLAN on a switch, may be used to connect the two PIX Firewalls for LAN-based failover, but a crossover Ethernet cable cannot. Its drawback is that a loss of power on one unit is not signalled to the other (the serial cable carries that indication), so the peer only notices it through missed hello messages.
c- Configuration requirements
To run failover the following requirements must be met. Failover works with two, and exactly two, PIX Firewalls, which must:
- be the same model (for example a PIX 515 cannot be paired with a PIX 515E)
- have the same amount of Flash and RAM
- have the same number and types of interfaces
- have the same type of activation key
- the primary firewall must run an unrestricted (UR) license
- the secondary firewall must run either an unrestricted or a failover (FO) license
Failover is supported only on the higher-end models: PIX 515, 515E, 520, 525 and 535.
* Note: the failover feature of the PIX Firewall provides redundancy only. One PIX Firewall is active while the other is in standby mode; the two cannot both be active for the same traffic at the same time, and the PIX does not load-balance (the active/active variant of 2.6.2 shares load only by splitting security contexts between the units). When failover is configured, one firewall has the primary role and the other the secondary role. In normal operation the primary firewall is active and handles all network traffic; the secondary is in standby and becomes active when the primary fails, at which point the primary goes to standby.
The standby firewall can itself fail, in which case no further failover is possible. Although the two firewalls exchange the active and standby states, the primary and secondary roles never change: after a failover the primary is the standby unit and the secondary is the active unit.
2.6.2 Failover implementations
- Active/Standby failover


An active/standby failover implementation has two units, primary and secondary. By default the primary takes the active role and the secondary the standby role. Only the active unit processes traffic between its interfaces. With a few exceptions (the failover-specific commands themselves), every configuration change made on the active unit is replicated to the standby unit. The standby unit acts as a hot standby, or backup, for the active unit: it forwards no traffic through its interfaces, and its main job is to monitor the active unit and promote itself to active if the active unit stops working.

Figure 2.6: Active/Standby failover
- Addressing and failover
Each unit taking part in failover needs its own IP and MAC address on every subnet it connects to (the standby addresses given with the standby keyword of the ip address command). When a failover occurs, the unit that was standby becomes active and changes its IP and MAC addresses to those of the primary, then sends frames carrying the new IP/MAC pairing (gratuitous ARP) out of its interfaces so that neighbouring devices update their address tables. When the failed unit returns to service it takes the standby role and the standby addresses; the unit that became active stays active. There is no preemption in active/standby failover; in active/active failover preemption is optional.


Figure 2.7: Addressing and failover

- Active/Active failover
In this configuration both PIX Firewalls forward traffic. The units run in multiple-context mode and the contexts are divided into two failover groups: on each unit one group is active and forwards traffic, while the other group is the standby for the group that is active on the other unit. This lets the pair share load, each unit carrying the traffic of its active contexts, when the contexts run in routed mode. When a failover occurs, all the contexts on the surviving PIX Firewall become active at once and it forwards all the traffic. Active/active failover requires PIX OS 7.0 or later and multiple-context mode; it is still redundancy with load sharing by context, not load balancing of a single traffic flow.

Figure 2.8: Active/Active failover
- Failover cable
The failover cable connects the primary and secondary firewalls. The end labelled "primary" plugs into the primary firewall and the end labelled "secondary" into the secondary firewall. Connect the cable only while the secondary firewall is powered off.


The failover cable exchanges state data between the two firewalls at 115 kbps; on PIX OS releases before 5.2 it ran at 9600 bps. Do not connect the cable the wrong way round: replication would then run from the secondary to the primary and wipe the primary's entire configuration.
* Conditions that trigger a failover
- the active PIX Firewall runs out of memory for 15 consecutive seconds or longer
- an interface is seen down for two consecutive polls (except when the administrator shut the interface down)
- hello packets stop being exchanged between primary and secondary on all interfaces
Hello packets are exchanged between primary and secondary every 15 seconds by default; the administrator can shorten or lengthen the interval (the failover poll). If no hello is seen on an interface for two poll intervals, that interface is placed in the testing state, and if it does not pass the tests it is declared failed. If the standby firewall sees no hello from the active firewall for two poll intervals, it treats the active firewall as failed and takes over the active role; likewise, if the active firewall sees no hello from the standby for two poll intervals, it treats the standby as failed. If the standby firewall sees the active firewall rebooting or powered off, it becomes active immediately. If the failover link is unplugged, failover cannot occur.
* Interface monitoring (the testing state)
The tests run in sequence; if the interface receives valid traffic during any of them, testing stops and the interface is considered healthy.
- Link up/down test: the interface is brought down and up again to check that the interface hardware works.
- Network activity test: for 5 seconds the unit looks for valid frames arriving on the interface.
- ARP test: the unit sends ARP requests for the two most recently used entries in its ARP table and for 5 seconds looks for any valid inbound frame on the interface (not only ARP replies).
- Broadcast ping test: the unit sends a broadcast ping and then for 5 seconds waits for valid frames arriving on the interface.
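The behaviour described in this section (hello polls, the two-poll rule, interface testing, memory exhaustion, the unplugged failover link, and the rule that primary/secondary roles never change while active/standby state does) is modelled in the following added example, which is not code from the thesis or from Cisco. It uses the default values the text quotes; the class and method names, the event log format and the single test callback that stands in for the four interface tests are assumptions of the example.

```python
"""Added example (not the thesis's or Cisco's code): a model of PIX active/standby
failover as described above, with the defaults the text quotes (15 s hello poll,
two missed polls before an interface is tested, 15 s of memory exhaustion).
Names, the event log and the single test callback are assumptions of the example."""

POLL_INTERVAL = 15         # seconds between hello packets (failover poll)
MISSED_POLLS_LIMIT = 2     # missed polls before an interface is tested
MEMORY_EXHAUST_LIMIT = 15  # seconds of memory exhaustion that trigger failover


class Unit:
    """One PIX of the pair. `role` never changes; `state` swaps on failover."""
    def __init__(self, role, interfaces, active):
        self.role = role                                   # "primary" or "secondary"
        self.state = "active" if active else "standby"
        self.iface_state = {i: "normal" for i in interfaces}
        self.last_hello = {i: 0 for i in interfaces}       # last hello time per interface
        self.powered = True
        self.memory_exhausted_since = None                 # time memory ran out, or None

    def healthy(self):
        return self.powered and "failed" not in self.iface_state.values()

    def hello_seen(self, iface, now):
        self.last_hello[iface] = now                       # a hello clears testing/failed
        self.iface_state[iface] = "normal"

    def poll(self, now, test_passes):
        """Two-poll rule, then the interface tests; returns the failed interfaces."""
        failed = []
        for iface, last in self.last_hello.items():
            if self.iface_state[iface] == "failed":
                failed.append(iface)
            elif now - last >= MISSED_POLLS_LIMIT * POLL_INTERVAL:
                self.iface_state[iface] = "testing"        # link, activity, ARP, ping tests
                if test_passes(iface):
                    self.hello_seen(iface, now)
                else:
                    self.iface_state[iface] = "failed"
                    failed.append(iface)
        return failed


class FailoverPair:
    def __init__(self, interfaces):
        self.primary = Unit("primary", interfaces, active=True)
        self.secondary = Unit("secondary", interfaces, active=False)
        self.failover_link_up = True
        self.log =  []                                     # (time, event) tuples

    def active(self):
        return self.primary if self.primary.state == "active" else self.secondary

    def standby(self):
        return self.secondary if self.primary.state == "active" else self.primary

    def _switch(self, reason, now):
        act, stb = self.active(), self.standby()
        act.state, stb.state = "standby", "active"        # roles stay as they are
        self.log.append((now, "%s became active: %s" % (stb.role, reason)))

    def tick(self, now, test_passes=lambda iface: False):
        """Evaluate the failover conditions at time `now` (seconds)."""
        if not self.failover_link_up:                      # unplugged link: no failover
            return
        act, stb = self.active(), self.standby()
        if not act.powered:                                # active unit off or rebooting
            if stb.powered:
                self._switch("active unit powered off", now)
            return
        since = act.memory_exhausted_since
        if since is not None and now - since >= MEMORY_EXHAUST_LIMIT:
            if stb.healthy():
                self._switch("active unit out of memory", now)
            return
        failed = act.poll(now, test_passes)                # interface monitoring
        stb.poll(now, test_passes)
        if failed and stb.healthy():
            self._switch("interface failed: %s" % ",".join(sorted(failed)), now)


def demo():
    """Constructed timeline: primary loses its outside link, is replaced, then
    comes back and stays standby (no preemption). Returns states and the log."""
    pair = FailoverPair(["outside", "inside"])
    pri, sec = pair.primary, pair.secondary
    after_failure = None
    for t in range(0, 136, 15):
        for u in (pri, sec):
            for iface in u.last_hello:
                if not (60 <= t <= 90 and u is pri and iface == "outside"):
                    u.hello_seen(iface, t)                 # pri's outside link silent 60..90 s
        pair.tick(t)
        if t == 90:
            after_failure = (pri.state, sec.state)
    return after_failure, (pri.state, sec.state), pair.log


if __name__ == "__main__":
    print(demo())
```

In the timeline the switch happens at 75 s (two missed 15 s polls after the last hello at 45 s, then a failed test), and after the link is repaired the primary stays standby, which is the no-preemption rule the text states.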

2.7 The AAA mechanism

2.7.1 Overview of AAA

Authentication establishes the identity of a user and checks the credentials presented for it. Traditional authentication uses an account consisting of a username and a fixed password: logging in to a device or a network with that account tells the system who the user is. Once the user is authenticated, the authentication server authorizes the user on the basis of the account information it holds; authorization defines what the account may do. Once the user is in and using a service, a host or a network, accounting records the details of the account's session. Accounting records can also be used for billing, for legal or audit purposes, and for capacity planning.


2.7.2 AAA on the PIX Firewall

The PIX Firewall uses AAA (Authentication, Authorization and Accounting) to verify a user's account, to decide what the account may do, and to record what the account did during a session. The PIX can control access by port and IP address alone, but that cannot authenticate a user or track the traffic of a particular account once logged in. Authentication can be used without authorization, but authorization is impossible without prior authentication.
* How AAA works with the PIX Firewall:
A client requests access to some service. The PIX Firewall, acting as the gateway between the client and the target, asks the client for a user ID and password. The PIX receives the credentials and forwards them to the AAA server, which provides the three functions Authentication, Authorization and Accounting. The server looks the user up in its database; if the user is found and the credentials match, the user is allowed to use the requested service, otherwise the request is refused. Offloading this to an AAA server reduces the CPU load on the PIX, keeps configuration and management simple, and scales better. With an AAA server only authenticated accounts can reach a given network: for example only accounts with a username and password in the AAA server's database may reach the Internet, or an account's rights for a given service can be restricted after successful authentication. By configuring the PIX Firewall and the AAA server together, the administrator can grant or limit access per account as required.
* Authentication with the PIX Firewall takes one of three forms:
Telnet: the PIX Firewall presents a login prompt and the user has four attempts. If the username or password is still wrong after the fourth attempt, the connection is dropped. If authentication and authorization succeed, the user then gets the login prompt of the target service's own server and logs in there a second time.
FTP: the FTP program presents the login prompt; if the password is wrong, the connection is dropped immediately.
If the username or password in the authentication database differ from those of the remote host being reached over FTP, enter them in the following form:
aaa_username@remote_username
aaa_password@remote_password
The PIX Firewall sends aaa_username and aaa_password to the AAA server; if authentication and authorization succeed, remote_username and remote_password are passed on to the destination FTP server.


HTTP: the browser presents the login prompt. If the password is wrong the user is prompted again. If the username or password in the authentication database differ from those of the remote host, enter them in the form:
aaa_username@remote_username
aaa_password@remote_password

The PIX Firewall sends aaa_username and aaa_password to the AAA server; if authentication and authorization succeed, remote_username and remote_password are passed on to the destination HTTP server. The PIX Firewall supports usernames of up to 127 characters and passwords of up to 63 characters, and neither may contain the @ character, since it is the separator in the forms above. Note that with plain Telnet, FTP and HTTP the credentials cross the network in clear text between the client and the PIX; only the PIX-to-AAA-server leg is protected by TACACS+ or RADIUS.
* Cut-through proxy
The PIX Firewall can be configured to authenticate and authorize an account that uses a service through it. In particular, the PIX can authenticate and authorize FTP, HTTP and Telnet sessions in both the inbound and the outbound direction. This feature is called the cut-through proxy. It controls the supported services through the firewall by user account rather than by IP address. Unlike a proxy server, which must examine every packet of a session at the application layer at a direct cost in latency and processing time, the cut-through proxy only sends the initial authentication query to a TACACS+ or RADIUS server. Once the user has been authenticated successfully against the configured policy, the PIX Firewall switches the session and traffic flow directly between the two hosts while continuing to maintain state information for it.
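The PIX-to-TACACS+ exchange described in 2.7.2, and what the Wireshark capture of it in Chapter III (Figure 3.16) actually contains, can be seen by building and decoding the first packet of a login. The following is an added example, not code from the thesis or from Cisco: it implements the TACACS+ header, the MD5 pseudo-pad that obfuscates the packet body under the shared secret (the same computation Wireshark performs when the key is entered in its TACACS+ preferences), and the authentication START body. The session id, port and remote address are constructed values; the username and shared key follow the lab.

```python
"""Added example: build and decode a TACACS+ authentication START packet.

Not code from the thesis or from Cisco. It implements the packet header,
the body obfuscation (MD5 pseudo-pad XOR, RFC 8907 section 4.5) and the
authentication START body, so that a captured PIX-to-ACS packet can be
read once the shared secret is known. Session id, port and remote address
below are constructed for the example.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in clear
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START body: action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01  # START body: authen_type
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01   # START body: service


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(sid|key|ver|seq); MD5_n = MD5(sid|key|ver|seq|MD5_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, session_id, key, seq_no=1, priv_lvl=1):
    """Encode the first packet the PIX (client) sends for an ASCII login."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(user_b), len(port_b), len(rem_b), 0) + user_b + port_b + rem_b
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    wire_body = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no) if key else body
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no,
                         flags, session_id, len(body))
    return header + wire_body


def parse_packet(packet, key):
    """Split header and body, de-obfuscating the body with `key` when flagged."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "body": body}


def parse_authen_start(body):
    """Decode a START body; None if the lengths do not add up or the text is not
    ASCII, which is what de-obfuscating with the wrong key produces."""
    if len(body) < 8:
        return None
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    if len(body) != 8 + ul + pl + rl + dl:
        return None
    parts, off = [], 8
    for n in (ul, pl, rl, dl):
        parts.append(body[off:off + n])
        off += n
    user, port, rem, data = parts
    try:
        return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
                "service": service, "user": user.decode("ascii"),
                "port": port.decode("ascii"), "rem_addr": rem.decode("ascii"), "data": data}
    except UnicodeDecodeError:
        return None


def recover_username(packet, key):
    """What an observer holding the shared key learns from a captured START packet."""
    fields = parse_authen_start(parse_packet(packet, key)["body"])
    return fields["user"] if fields else None


if __name__ == "__main__":
    # Constructed sample: the PIX authenticating telnet user nguyenhoang to ACS.
    pkt = build_authen_start("nguyenhoang", "telnet", "10.0.64.2", 0x1A2B3C4D, b"pixfirewall")
    print("with key  :", recover_username(pkt, b"pixfirewall"))
    print("wrong key :", recover_username(pkt, b"wrongkey"))
```

The point for the capture in Chapter III: the body is obfuscated, not encrypted or integrity-protected, and the whole session falls to anyone who holds or guesses the shared secret, so a short dictionary word like pixfirewall is a weak key and the PIX-to-ACS segment should be a trusted network.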


CHAPTER III
LAB: SIMULATING AAA AUTHENTICATION AND FAILOVER ON THE PIX FIREWALL
A- OBJECTIVE
Use a simulation to walk through the steps by which a user is authenticated with the TACACS+ protocol when accessing the PIX Firewall, and to show how the PIX Firewall behaves when a failover occurs.
B- LAB TOPOLOGY

Figure 3.1: Lab topology
* Address table

Device         Interface   IP address
Primary PIX    E0          192.168.64.1
               E1          10.0.64.1
               E2          172.16.64.1
Secondary PIX  E0          192.168.64.3
               E1          10.0.64.3
               E2          172.16.64.3
Router 7200    Fa1/0       192.168.64.2
AAA server                 10.0.64.2

C- LAB TOOLS
- VMware virtualization software
- Cisco ACS 4.2 as the AAA server, installed on Windows Server 2003


- Windows Server 2003 Enterprise Edition installed in a virtual machine
- Wireshark
- GNS3 0.7.4
- PIX 7.2.2 image and Cisco 7200 router IOS image
- Client machine (Windows 7) running GNS3 and Wireshark

D- STEP-BY-STEP PROCEDURE
1. Installing GNS3 and emulating the PIX Firewall
Download the GNS3 and Wireshark installers and install both on the client machine with the default options.
Emulating a PIX Firewall: in GNS3 open Edit > Preferences > Qemu > PIX. Give the PIX a name under Identifier name and click the button to select the PIX image (this project uses PIX 7.2.2).

Figure 3.2: Configuring the PIX Firewall in GNS3


Enter the key and serial number under PIX specific settings. Create a PIX in GNS3, start it, and in privileged EXEC mode enter an activation key that enables the failover feature:

  pixfirewall# activation-key <activation key of the PIX with failover enabled>

Figure 3.4: Adding the activation key to the PIX Firewall
2. Configuring the PIX Firewalls
2.1 Configuring the primary PIX
Configure the interfaces for failover, so that the secondary takes over if the primary fails. Interface Ethernet 2 is the LAN-based failover link between the two PIX Firewalls. Each data interface gets its own address plus the standby address that the peer uses while it is in standby.

  pri(config)# interface e0
  pri(config-if)# nameif outside
  pri(config-if)# ip address 192.168.64.1 255.255.255.0 standby 192.168.64.3
  pri(config-if)# no shutdown
  pri(config-if)# interface e1
  pri(config-if)# nameif inside
  pri(config-if)# ip address 10.0.64.1 255.255.255.0 standby 10.0.64.3
  pri(config-if)# no shutdown
  pri(config-if)# exit
  pri(config)# interface e2
  pri(config-if)# no shutdown
  pri(config-if)# exit
  pri(config)# failover lan enable

Set this unit's failover role to primary and define the failover link:


  pri(config)# failover lan unit primary
  pri(config)# failover lan interface hoang e2
  pri(config)# failover interface ip hoang 172.16.64.1 255.255.255.0 standby 172.16.64.3

Configure the inside address range to be translated on the way out (PAT behind one outside address):

  pri(config)# nat (inside) 1 0.0.0.0 0.0.0.0
  pri(config)# global (outside) 1 192.168.64.30
  Global 192.168.64.30 will be Port Address Translated

Configure the default route from inside to outside. The next hop is the router's Fa1/0 address 192.168.64.2, not the PIX's own outside address:

  pri(config)# route outside 0.0.0.0 0.0.0.0 192.168.64.2

Allow hosts on the inside to ping outside networks. The access-list lets ICMP back in through the outside interface; it also admits any ICMP from outside to the mapped addresses, so on PIX 7.x the tighter choice is to leave ICMP out of the outside ACL and enable inspect icmp in the global policy, which makes the PIX admit only the replies to echo requests it has seen.

  pri(config)# access-list SERVER permit icmp any any
  pri(config)# access-group SERVER in interface outside
  pri(config)# global (outside) 1 192.168.64.10-192.168.64.250 netmask 255.255.255.0
  pri(config)# nat (inside) 1 10.0.64.0 255.255.255.0
  pri(config)# static (inside,outside) 192.168.64.5 10.0.64.1 netmask 255.255.255.255

The global pool and the single PAT address share pool id 1: the pool is used first and PAT takes over when it is exhausted. Note that the inside address of a static must be a host behind the PIX; 10.0.64.1 is the PIX's own inside interface address, so in practice this entry should name the inside host that is to be reachable from outside (for example the AAA server at 10.0.64.2).

Allow a host on the inside network to telnet to the PIX:

  pri(config)# telnet 10.0.64.2 255.255.255.255 inside

Define the AAA server on the PIX:

  pri(config)# aaa-server ccsp protocol tacacs+
  pri(config)# aaa-server ccsp (inside) host 10.0.64.2 pixfirewall

These two commands create a server group tag called ccsp bound to the TACACS+ protocol and add the AAA server at 10.0.64.2, reached through the inside interface, with the shared key pixfirewall. The key must match the one configured for this AAA client in ACS.
2.2 Configuring the secondary PIX
Only the failover link and role need to be configured on the secondary; once failover is enabled, the interface, NAT, route and AAA configuration above is replicated from the primary.

  sec(config)# interface e2
  sec(config-if)# no shutdown
  sec(config-if)# exit
  sec(config)# failover lan enable
  sec(config)# failover lan unit secondary
  sec(config)# failover lan interface hoang e2
  sec(config)# failover interface ip hoang 172.16.64.1 255.255.255.0 standby 172.16.64.3

3. Configuring the router
Interface configuration:


  router(config)# hostname webserver
  webserver(config)# enable password cisco
  webserver(config)# interface fa1/0
  webserver(config-if)# ip address 192.168.64.2 255.255.255.0
  webserver(config-if)# no shutdown
  webserver(config-if)# exit
  webserver(config)# ip route 0.0.0.0 0.0.0.0 192.168.64.1

Emulate a web server by enabling the router's own HTTP server:

  webserver(config)# ip http server

(On a production router use enable secret rather than enable password, which is stored in a reversible form, and do not leave ip http server enabled without authentication; here it is only a lab stand-in for a web server.)
4. Installing and configuring ACS
Install ACS 4.2 with the default steps (install Java first).
User Setup: enter nguyenhoang as the user name and click Add/Edit.

Figure 3.5: Adding a new user in ACS
In the Edit window fill in the Real Name and Description for the new account. Under Password Authentication choose ACS Internal Database. Enter aaapass as the password in both the CiscoSecure PAP and the Separate (CHAP/MS-CHAP/ARAP) fields. Further down, set Group to which the user is assigned to Default Group.


Figure 3.6: User settings
Group Setup: select 0: Default Group in the Group list and click Edit Settings.


Figure 3.7: Selecting the group
On the next page, in the Jump To list choose TACACS+ so that TACACS+ is used to authenticate the user. Tick Shell (exec), then click Submit+Restart.

Figure 3.8: Choosing TACACS+ as the authentication protocol
Network Configuration: click Add Entry under the AAA Clients table. In the next window set AAA Client Hostname to pix, AAA Client IP Address to 10.0.64.1 and Key (the shared secret) to pixfirewall.


Figure 3.9: AAA client configuration
Set Authenticate Using to TACACS+ (Cisco IOS), then click Submit+Apply. Click the name in the AAA Servers table to open its settings: set AAA Server IP Address to 10.0.64.2, Key to pixfirewall and AAA Server Type to TACACS+. Click Submit+Apply to finish.


Figure 3.10: AAA server and AAA client tables
At this point a telnet session to the PIX can log in as nguyenhoang with password aaapass, but entering privileged mode with enable fails, because the advanced TACACS+ authorization (enable password and privilege level) has not been configured in ACS yet.

Figure 3.11: Telnet to the primary PIX; entering privileged mode fails after three password attempts


Interface Configuration: in the window that appears choose TACACS+ (Cisco IOS).

In the TACACS+ (Cisco IOS) page open Advanced Configuration Options, tick Advanced TACACS+ Features and click Submit to enable them.

Figure 3.12: Enabling the advanced TACACS+ features

Next, in User Setup, under Advanced TACACS+ Settings set Max Privilege for any AAA Client to Level 15. Then, under TACACS+ Enable Password, enter the password that will authenticate enable on the console; in this project it is hoang. Click Submit when done.


Figure 3.13: Setting the maximum privilege level (15)

Telnet again as nguyenhoang with password aaapass, then enter enable with password hoang: this time it succeeds.

Figure 3.14: After the advanced TACACS+ settings, entering privileged mode over telnet succeeds
Configuring user authentication for access to the PIX
Three management access paths to the PIX can be authenticated against the AAA server group: telnet sessions, HTTP (PDM/ASDM) sessions and the enable command. These commands authenticate sessions to the PIX itself; authenticating user traffic through the PIX (the cut-through proxy of section 2.7.2) is configured separately with aaa authentication match or include. The configuration steps are:

  pri(config)# aaa authentication telnet console ccsp
  pri(config)# aaa authentication http console ccsp
  pri(config)# aaa authentication enable console ccsp

Before entering these, keep a serial console session open and confirm that the AAA server answers (on PIX 7.2: test aaa-server authentication ccsp host 10.0.64.2 username nguyenhoang password aaapass); if the server is unreachable, these lines lock telnet and enable out. On PIX 7.x, appending LOCAL (for example aaa authentication telnet console ccsp LOCAL) falls back to the local user database when the server does not respond.

A couple of options make the test easier to follow:

  pri(config)# auth-prompt prompt Please Authenticate
  pri(config)# auth-prompt accept Authentication successful

Enable logging on the PIX to watch the authentication process:


  pix(config)# logging console debugging

(Console logging at the debugging level is fine in a lab but slows a production PIX; there, use logging buffered debugging and read the buffer with show logging.)

E- RESULTS
From the AAA server, telnet to the PIX at 10.0.64.1 and log in as nguyenhoang with password aaapass, while Wireshark captures the TACACS+ packets exchanged between the PIX and the ACS server.

Figure 3.15: Telnet to the PIX succeeds

Figure 3.16: Capturing TACACS+ packets with Wireshark
The capture shows the TACACS+ session on TCP port 49. The packet bodies are obfuscated with an MD5 key stream derived from the shared secret, not encrypted with a modern cipher: Wireshark decodes them as soon as the secret (here pixfirewall) is entered in its TACACS+ protocol preferences, so the secret must be strong and the PIX-to-ACS segment must be a trusted network.
Enable failover on the primary PIX and check its status:

  pri(config)# failover
  pri(config)# show failover


Figure 3.17: Failover status on the primary PIX
Enable failover on the secondary PIX as well:

  sec(config)# failover
  sec(config)# show failover

Figure 3.18: Failover status on the secondary PIX


Now force a failover so that the secondary PIX takes over the active role from the primary (for example by stopping the primary in GNS3, or with no failover active on it). A telnet session to the webserver still succeeds through the newly active unit.

Figure 3.19: Telnet to the webserver succeeds


III APPENDICES

A- LIST OF FIGURES
Figure 1.1: Firewall
Figure 1.1: Overview of the current PIX Firewall models
Figure 1.2: PIX Firewall 501
Figure 1.3: PIX Firewall 506E
Figure 1.4: PIX Firewall 515E
Figure 1.5: PIX Firewall 520
Figure 1.6: PIX Firewall 525
Figure 1.7: PIX Firewall 535
Figure 2.1: Basic example of ASA security levels with 3 interfaces
Figure 2.2: TCP session initiation, inside to outside
Figure 2.3: UDP
Figure 2.4: Static address translation
Figure 2.5: Dynamic address translation
Figure 2.6: Active/Standby failover
Figure 2.7: Addressing and failover
Figure 2.8: Active/Active failover
Figure 3.1: Lab topology
Figure 3.2: Configuring the PIX Firewall in GNS3
Figure 3.4: Adding the activation key to the PIX Firewall
Figure 3.5: Adding a new user in ACS
Figure 3.6: User settings
Figure 3.7: Selecting the group
Figure 3.8: Choosing TACACS+ as the authentication protocol
Figure 3.9: AAA client configuration
Figure 3.10: AAA server and AAA client tables
Figure 3.11: Telnet to the primary PIX; entering privileged mode fails after three password attempts
Figure 3.12: Enabling the advanced TACACS+ features
Figure 3.13: Setting the maximum privilege level (15)
Figure 3.14: After the advanced TACACS+ settings, entering privileged mode over telnet succeeds
Figure 3.15: Telnet to the PIX succeeds
Figure 3.16: Capturing TACACS+ packets with Wireshark
Figure 3.17: Failover status on the primary PIX
Figure 3.18: Failover status on the secondary PIX
Figure 3.19: Telnet to the webserver succeeds


B- ABBREVIATIONS
PIX     Private Internet eXchange
AAA     Authentication, Authorization, Accounting
TELNET  TELecommunication NETwork / TErminal NETwork / TELetype NETwork
TACACS  Terminal Access Controller Access-Control System
NAT     Network Address Translation
ASA     Adaptive Security Algorithm
TFTP    Trivial File Transfer Protocol
ACLs    Access Control Lists
IKE     Internet Key Exchange
PKI     Public Key Infrastructure
VPN     Virtual Private Network
IPSec   Internet Protocol Security


C- REFERENCES

The following references were used in this project:
- Cisco Secure PIX Firewall Advanced, student guide version 2.1 (chapters 1-19), official Cisco courseware: www.cisco.com
- Cisco Secure PIX Firewall Advanced, student guide version 2.1 (chapters 1-8), Vietnamese translation by Trần Giáo
- Articles on the PIX Firewall by Nguyễn Thị Băng Tâm (www.vnpro.org)
- www.cisco.com
- www.vnpro.org
