
TABLE OF CONTENTS

TABLE OF CONTENTS ..... 1
ACKNOWLEDGEMENTS ..... 4
INTRODUCTION ..... 5
Chapter 1: COMPUTER NETWORK SECURITY AND SAFETY ..... 7
1.1. Overview of computer network security ..... 7
1.1.1. Where do security threats come from? ..... 7
1.1.2. Basic solutions for ensuring security ..... 8
1.2. System and network security ..... 10
1.2.1. General issues of system and network security ..... 10
1.2.2. Some concepts and the history of system security ..... 11
1.2.3. Types of security vulnerabilities and the main network attack methods ..... 12
1.3. Security for LANs ..... 16
1.3.1. Virtual Private Network (VPN) ..... 16
1.3.2. Firewall ..... 17
Chapter 2: OVERVIEW OF FIREWALLS ..... 18
2.1. Introduction to firewalls ..... 18
2.1.1. The firewall concept ..... 18
2.1.2. Basic functions of a firewall ..... 18
2.1.3. Firewall classification ..... 19
2.1.4. Some other firewall systems ..... 22
2.2. Strategies for building a firewall ..... 27
2.2.1. Least Privilege ..... 27
2.2.2. Defense in Depth ..... 27
2.2.3. Choke Point ..... 27
2.2.4. Weakest Link ..... 27
2.2.5. Fail-Safe Stance ..... 28
2.2.6. Universal participation ..... 28
2.2.7. Diversity of defense ..... 28
2.2.8. Simplicity ..... 29
2.3. How to build a firewall ..... 29
2.3.1. Building the basic rules (Rule Base) ..... 29
2.3.2. Building the Security Policy ..... 29
2.3.3. Building a secure architecture ..... 30
2.3.4. Order of the rules in the table (Sequence of Rules Base) ..... 31
2.3.5. The basic rules (Rules Base) ..... 31
2.4. Packet filtering and how it works ..... 32
2.4.1. Packet filtering ..... 33
2.4.2. Application Gateway ..... 33
2.4.3. Smart Session Filtering ..... 34
2.4.4. Hybrid Firewall ..... 35
2.5. Conclusion ..... 35
Chapter 3: IPTABLES IN THE LINUX OPERATING SYSTEM ..... 36
3.1. The iptables firewall on Red Hat ..... 36
3.1.1. Introduction to iptables ..... 37
3.1.2. Packet traversal through Netfilter ..... 40
3.1.3. Structure of iptables ..... 40
3.1.4. Installing iptables ..... 41
3.2. Common command-line parameters ..... 41
3.2.1. Getting help ..... 41
3.2.2. Options for specifying parameters ..... 41
3.2.3. Options for working with chains ..... 42
3.2.4. Options for working with rules ..... 42
3.2.5. Distinguishing ACCEPT, DROP and REJECT for packets ..... 42
3.2.6. Distinguishing NEW, ESTABLISHED and RELATED ..... 43
3.2.7. The --limit and --limit-burst options ..... 43
3.3. Introduction to the NAT table (Network Address Translation) ..... 44
3.3.1. Basic concept of NAT ..... 44
3.3.2. Dynamic IP address translation (Dynamic NAT) ..... 45
3.3.3. IP masquerading ..... 46
3.3.4. Some examples of using NAT ..... 46
Chapter 4: SETTING UP A FIREWALL TO PROTECT AN INTERNAL NETWORK WITH IPTABLES ON LINUX ..... 49
4.1. How a firewall with a DMZ works ..... 49
4.2. Configuration file structure and configuration ..... 50
4.2.1. Configuring the options ..... 50
4.2.2. Loading the required modules into the kernel ..... 51
4.2.3. Setting the required configuration in the proc file system ..... 51
4.2.4. Setting up the rules ..... 51
4.3. Configuring internal machines to access the external network ..... 56
4.4. Testing the firewall ..... 56
4.5. Building software for remote administration of the iptables firewall ..... 59
4.5.1. Problem description ..... 59
4.5.2. Some program screens ..... 59
4.5.3. Software evaluation ..... 62
CONCLUSION ..... 64
REFERENCES ..... 65

A Study of LAN Security

ACKNOWLEDGEMENTS
First of all, I would like to express my sincere thanks to Prof. Dr. Tran Huu Nghi, rector of the university, who played a major part in founding Hai Phong Private University. I would also like to express my deep gratitude to the lecturers of the Department of Informatics at Hai Phong Private University, who taught me devotedly and gave me valuable knowledge throughout the past four years. In particular, I sincerely thank Dr. Pham Hong Thai and BSc. Luong Viet Nguyen of the University of Technology, who spent much valuable time and effort guiding me and created every favourable condition for me to complete this project well. Finally, I would also like to thank my family and friends, who were always by my side to encourage, help and support me. Because my knowledge and experience are still limited, this thesis still has many shortcomings, and I look forward to the criticism, assessment and comments of the lecturers and my friends.

I sincerely thank you!

Hai Phong, ... August 2007. Student

Nguyen Thi Thuy

Student ID: 10419 - Nguyen Thi Thuy, CT701

Page 4


INTRODUCTION
With the need to exchange information, agencies and organizations are compelled to join the global Internet. Information safety and security is one of the foremost concerns when the internal networks of agencies, enterprises and organizations are connected to the Internet. Today, information security measures for personal computers as well as for internal networks have been researched and deployed. Nevertheless, networks are still attacked regularly, organizations still have information stolen, and the consequences are extremely serious. These attacks target every computer present on the Internet: the computers of large companies such as AT&T and IBM, universities, government agencies, military organizations, banks, and so on; some attacks were of enormous scale (up to 100,000 computers attacked). Furthermore, these figures are only the tip of the iceberg. A very large share of attacks goes unreported for many reasons, among them fear of losing reputation, or simply that the administrators never knew about the attacks aimed at their systems. Not only is the number of attacks growing rapidly, the attack methods are also continuously refined, partly because system administrators are becoming increasingly vigilant. Connecting an organization's internal network to the Internet without security measures is therefore regarded as suicide. The need for growth requires agencies and organizations to join the global network, the Internet, while still ensuring information security during that connection. For this reason I decided to choose the topic: researching solutions to protect internal networks, in order to control the flow of information in and out and to protect internal networks from attacks from the Internet. This thesis presents in general terms the concepts of networks and firewalls, how to protect a network with a firewall, how to build a firewall, and how to use iptables in the Linux operating system to set up a firewall that protects internal networks.

The main content of the thesis consists of four chapters:
- Chapter 1: Security in computer networks. An overview of security in computer networks, the threats, and the problem of securing network systems.
- Chapter 2: Overview of firewalls. The firewall concept, firewall functions, firewall classification and firewall architectures. The policies for building a firewall are set out, and from those policies we derive how to build firewalls that protect a network.
- Chapter 3: iptables in the Linux operating system. A study of iptables and the common command-line parameters.
- Chapter 4: Setting up a firewall to protect an internal network with iptables on Linux. Using the study of iptables in Chapter 3 to set up a firewall protecting internal networks with iptables on Linux.


Chapter 1: COMPUTER NETWORK SECURITY AND SAFETY


1.1. Overview of computer network security
1.1.1. Where do security threats come from?
In society, good and evil always exist side by side as two inseparable faces, each negating the other. For every person who strives towards what is true and good, there are no fewer who, for one purpose or another, let evil arise and overwhelm the good. This tug of war between good and evil is a perennial problem for society: evil must be eliminated, yet evil keeps arising over time. Computer networks are no different: some people spend enormous effort researching measures to protect the security of their organization, while others look for every way to break through that protection, for many different reasons. The aim of the honest person is clear: to create the means of protecting the organization's security. The aims of the malicious, on the other hand, come at many different angles and levels. Some want to break the security shell to prove their ability and satisfy a selfish habit. People of this kind typically harm others by destroying resources on the network, violating their privacy or defaming them. More dangerously, some want to seize the assets of others for nothing, such as by stealing companies' confidential information or breaking into a bank to transfer money illicitly. In practice, most organizations and companies connected to the global network have a large amount of information online. Within that large amount of information there is confidential information: trade secrets, product development plans, marketing strategy, financial analyses, as well as personnel records and private secrets. This information is extremely important, and its disclosure to competitors leads to very serious consequences.

However, the malicious cannot achieve their aims whenever they wish. They need time, and they need the gaps and weaknesses of the very systems that protect network security. To exploit them they also need intelligence together with a long chain of experience. Building security measures, in turn, demands no less intelligence and practical experience from the builder. Both the positive and the negative sides are therefore the work of human hands and minds; no machine can replace them. Thus the problem of computer network security is entirely a human matter.

At first, acts of sabotage were merely the games of intelligent people, not aimed at profit or harm. But as computer networks became widespread, connecting many organizations, companies and individuals holding much confidential information, those acts of sabotage kept growing. The damage they caused became serious enough for sabotage to become a kind of crime. According to statistics from CERT (Computer Emergency Response Team), the number of Internet attacks reported to that organization was fewer than 200 in 1989, about 400 in 1991, 1,400 in 1993 and 2,241 in 1994. These attacks targeted every computer present on the Internet, from the computers of large companies such as AT&T and IBM to universities, government agencies and banks. In reality these figures are only the tip of the iceberg; a large share of attacks goes unreported for various reasons, such as fear of losing reputation, or simply because the victims never knew they had been attacked.

In fact, security threats do not come only from outside an organization; inside the organization the problem is just as serious. Threats from inside the organization occur more often than threats from outside, and the main cause is employees who have access to the system. Because they have access, they can find the system's weak points, or they can unintentionally destroy it or create an opportunity for others to intrude. More dangerously still, once such a person is disgruntled or disloyal, the consequences cannot be foreseen.

In summary, computer network security is entirely a human problem, one that keeps growing, and the threat can come from outside or from inside the organization. It has become a major concern for any party participating in the global computer network. To ensure safe and secure information exchange over computer networks, organizations are therefore obliged to deploy protective measures that ensure security, first and foremost for themselves.

1.1.2. Basic solutions for ensuring security


As we have seen above, computer network security can be threatened from many different angles and for many different reasons. A threat can originate outside the internal network or from right inside the organization. Ensuring the security of a computer network therefore calls for many different concrete solutions. At the most general level, however, there are three basic solutions:
- Hardware solutions.
- Software solutions.
- Human (policy) solutions.

These are the three most general solutions that any security administrator must consider when securing a computer network. Each has its own advantages and disadvantages, which the security administrator must know how to analyse, combine and select so as to provide the best possible security for the organization.

A hardware solution uses physical devices such as dedicated computer systems, or arrangements in the network model (a dedicated transmission channel, a private network, and so on). A hardware solution normally comes with a corresponding controlling software system. It is not a common solution, because it is inflexible in keeping up with the progress of newly emerging services, and its cost is very high.

Unlike hardware solutions, software solutions are extremely diverse. A software solution may or may not depend on hardware. Specific software solutions include authentication methods, encryption methods, virtual private networks and firewall systems. Authentication and encryption methods let information travel over the network as safely as possible: by the way they work, the real information on the link is encrypted into a form that eavesdroppers cannot read, and if the information is modified in transit the receiving end has a mechanism to detect that modification. The firewall approach secures the network from a different angle. By establishing rules at a special point (usually called a choke point) between the internal network (the network to be protected) and the external network (the network considered insecure, that is, the Internet), a firewall system can fully control the connections that exchange information between the two networks. In this way a firewall system provides fairly good security for the network to be protected. Since a software solution consists almost entirely of computer programs, its cost is lower than that of a hardware solution.

Besides these two, the human policy solution is a fundamental and indispensable one. As shown above, computer network security is entirely a human problem, so a legal framework and concrete working rules are needed. The legal framework may consist of provisions in the laws of the state, sub-law documents, and so on. The concrete rules are set by each organization to suit its own characteristics, for example rules on personnel, on the use of computers and on the use of software. Ensuring the security of a computer network is thus most effective once the human policy solution is implemented thoroughly.

In summary, computer network security is a large problem that requires an overall solution, covering not only computer software and hardware but also human policy. It must be carried out constantly and continuously, and it can never be solved completely because new problems keep arising over time. Nevertheless, with a sound overall solution, and especially by handling the human policy problem well, we can build ourselves a more certain safety.

1.2. System and network security


1.2.1. General issues of system and network security
The common characteristics of a network system are that it has many users and is geographically distributed, so protecting its resources (against loss or improper use) is far more complex than in the environment of a single computer or a single user. The network administrator's work must ensure that the information on the network is reliable and used for the right purpose by the right parties, and at the same time that the network runs stably and is not attacked by saboteurs. In practice, however, no network can guarantee absolute safety; however securely a system is protected, at some point it can be defeated by those with bad intentions. The subject of my thesis is the study of security methods for LANs. In the theoretical part of the thesis I present the following concepts:


1.2.2. Some concepts and the history of system security

a. Network attackers (intruders)
An intruder is an individual or organization that uses knowledge of networks and attack tools (hardware or software) to probe for weak points and security holes in a system, and then intrudes into it and seizes resources illegally. Some kinds of network attackers are:
- Hacker: someone who intrudes into a network illegally by using password-cracking tools or by exploiting weaknesses in the system's access components.
- Masquerader: someone who forges information on the network, such as a spoofed IP address, domain name or user identity.
- Eavesdropper: someone who listens in on information on the network, using sniffer tools and then analysis and debugging tools to extract valuable information.
Network attackers may have many different aims, such as stealing economically valuable information or deliberately sabotaging a network system, or they may simply act thoughtlessly.

b. Security vulnerabilities
Security vulnerabilities are weak points in a system, or hidden in a service, through which an attacker can intrude into the system illegally to carry out sabotage or seize resources unlawfully. Vulnerabilities have many causes: a flaw in the system itself or in the supplied software, or a weak administrator who does not understand the services provided in depth. Vulnerabilities affect a system to different degrees: some affect only the quality of the service provided, others affect the entire system or destroy it.

c. Security policy
A security policy is the set of rules that apply to those who take part in administering the network and who use network resources and services. Each situation requires a different security policy. The security policy lets users know their responsibility for protecting the resources on the network, and also helps the network administrator establish effective safeguards when equipping, configuring and controlling the operation of the system and network.

1.2.3. Types of security vulnerabilities and the main network attack methods


a. Types of vulnerabilities
Many organizations have classified the particular kinds of vulnerabilities. According to the US Department of Defense, vulnerabilities fall into three classes:

Class C vulnerabilities allow DoS (Denial of Service) attacks. Their danger level is low: they affect only the quality of service, stalling or interrupting the system, without corrupting data or granting illegal access. DoS is a form of attack that uses the protocols of the Internet layer of the TCP/IP suite to stall the system, so that legitimate users are denied access to or use of it. Services with vulnerabilities that allow DoS attacks can be upgraded or repaired with newer versions from the service providers. At present there is no really effective countermeasure to this kind of attack, because the design of the Internet layer (IP) in particular and of the TCP/IP suite in general already carries the latent risk of this class of vulnerability.

Class B vulnerabilities allow users to gain additional privileges on the system without a validity check, leading to the loss of information that must be kept confidential. They are usually found in the applications on the system and have a medium danger level, higher than class C. They allow a local user to gain higher privileges or illegal access, and typically appear in the services on the system. A local user here means someone who already has access to the system with certain limited privileges.

Another form of class B vulnerability occurs in programs written in C. C programs commonly use a buffer, a region of memory used to hold data before it is processed. Programmers usually set up the buffer in memory before allocating a memory region to each block of data. For example, when writing a program that reads a user's name, the programmer may limit the field to 20 characters with the declaration `char first_name[20];`. This declaration allows the user to enter at most 20 characters. When data is entered, it is first stored in the buffer; when the user enters more than 20 characters the buffer overflows, and the excess characters lie outside the buffer, where we can no longer control them. Attackers, however, can take advantage of such holes by entering special characters that cause certain commands to be executed on the system. These holes are typically exploited by users on the system to obtain root privileges illegitimately. To limit class B vulnerabilities, the system configuration and the programs must be controlled strictly.

Class A vulnerabilities allow outsiders to gain illegal access to the system and may destroy the whole system. This class is extremely dangerous, threatening the integrity and confidentiality of the system. Such vulnerabilities usually appear in systems that are poorly administered or whose network configuration is not under control. For example, web servers running on the Novell operating system had a script named convert.bas; running it allowed the entire contents of files on the system to be read. Vulnerabilities of this class are extremely dangerous because they already exist in the software in use, and an administrator who does not understand the services and software in depth may overlook them. The security notices of newsgroups on the network must therefore be checked regularly to discover vulnerabilities of this class. A range of commonly used older program versions have had class A vulnerabilities, such as FTP, Gopher, Telnet, Sendmail, ARP and finger.

b. Common network attack methods

Scanner
A scanner is a program that automatically scans for and detects security weaknesses on a local workstation or on a remote one. A saboteur using a scanner program can discover security holes on a server even from afar. The mechanism is to scan for and detect the TCP/UDP ports in use on the target system and the services it runs. The scanner records the responses of the remote system corresponding to each service it detects, and from those it can find the system's weak points. The requirements for a scanner to work are as follows: equipment and system requirements: an environment that supports TCP/IP, and the system must be connected to the Internet. Scanner programs have an important role in a security system, because they can discover the weak points of a network system.

Password cracker
A password cracker is a program that can decode an encrypted password or disable a system's password protection. Different cracking programs work on different principles. Some generate a limited word list, apply an encryption algorithm to it, compare the result with the encrypted password to be cracked, and produce a further list following the program's own logic. When a match with the encrypted password is found, the saboteur has the password in plain text, and the plain-text password is usually written to a file. The countermeasure against this kind of attack is to build a sound password protection policy.

Sniffer
Sniffers are tools (hardware or software) that capture the information flowing across a network and extract valuable information exchanged on it. A sniffer can capture the information exchanged between many workstations. It captures packets from the IP layer downward. Since the IP-layer protocol is publicly defined and the structure of its header fields is clear, decoding these packets is not difficult.
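The `char first_name[20]` buffer in the class B discussion above is the classic C overflow. The following is an added example, not code from the thesis: it puts the unsafe copy beside a bounds-checked copy and a bounds-checked line reader, so an overlong name is refused instead of spilling past the buffer. The function names, the 20-byte size taken from the thesis, and the sample names are constructed for this example. Note that a 20-byte buffer holds 19 characters plus the terminating NUL, so 19 is the real limit the checks enforce.

```c
/* Added example (not from the thesis): the class B overflow in the
 * thesis' `char first_name[20]` buffer, with an unsafe copy beside
 * bounds-checked alternatives.  Names and sample inputs are constructed. */
#include <stdio.h>
#include <string.h>

#define FIRST_NAME_LEN 20   /* the thesis' buffer size: 19 characters + NUL */

/* VULNERABLE: strcpy stops only at the source's NUL, so a name longer than
 * the buffer is written past its end (undefined behaviour, the hole the
 * thesis describes).  Kept only for contrast; nothing below calls it. */
void copy_first_name_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* HARDENED copy: returns 0 and fills dst, or -1 (dst left empty) when src
 * would not fit.  memchr looks for the NUL only inside the first
 * FIRST_NAME_LEN bytes, so an overlong or unterminated src is never scanned
 * beyond the size of the buffer that must receive it. */
int copy_first_name_checked(char dst[FIRST_NAME_LEN], const char *src)
{
    const char *end = memchr(src, '\0', FIRST_NAME_LEN);
    if (end == NULL) {          /* no terminator within 20 bytes: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);   /* +1 copies the NUL too */
    return 0;
}

/* HARDENED input: read one line into the 20-byte buffer with fgets, which
 * never writes more than FIRST_NAME_LEN-1 characters plus the NUL.
 * Returns 0 on success (newline stripped), -1 on EOF or when the line was
 * too long; an overlong line is drained so the next read starts cleanly. */
int read_first_name(FILE *in, char dst[FIRST_NAME_LEN])
{
    if (fgets(dst, FIRST_NAME_LEN, in) == NULL) {
        dst[0] = '\0';
        return -1;
    }
    char *nl = strchr(dst, '\n');
    if (nl != NULL) {           /* whole line fit: drop the newline */
        *nl = '\0';
        return 0;
    }
    /* Buffer filled with no newline: either the line was exactly 19
     * characters (next char is '\n' or EOF, accept it) or it was longer
     * (discard the remainder and reject, rather than silently truncate). */
    int c = fgetc(in);
    if (c == '\n' || c == EOF)
        return 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    dst[0] = '\0';
    return -1;
}

int main(void)
{
    char first_name[FIRST_NAME_LEN];
    const char *inputs[] = {            /* constructed sample names */
        "Alice",
        "1234567890123456789",          /* 19 characters: fits */
        "this name is longer than twenty characters",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = copy_first_name_checked(first_name, inputs[i]);
        printf("%-45s -> %s\n", inputs[i], rc == 0 ? first_name : "rejected");
    }
    return 0;
}
```

The two defensive choices that matter here: the copy looks for the terminator only within the buffer's own size, so it never scans an unterminated or overlong input, and the reader distinguishes a line that exactly fills the buffer from one that overflowed it by peeking at the next character, then drains the rest of an overlong line so the next read starts at a clean line boundary.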



The purpose of sniffer programs is to put the Ethernet network card, where the packets exchanged on the network arrive, into promiscuous mode, and from there to "capture" information. Sniffer devices can capture all of the information exchanged on the network because of the broadcast principle of packets in Ethernet networks. Setting up a sniffer system is not simple, however, because it requires breaking into the network system and installing the sniffer software, and sniffer programs also require the user to understand network architecture and protocols in depth. Detecting that a system is being sniffed is also not simple, because a sniffer works at a very low layer and does not affect the applications or the services the system provides. Nevertheless, building measures to limit sniffing is not too hard if we follow security principles such as:
- Do not let strangers access the devices on the system.
- Manage the system configuration strictly.
- Establish highly secure connections through encryption mechanisms.

Trojans
A Trojan is a program that runs illegitimately on a system in the guise of a legitimate program. It is able to run because the code of a legitimate program has been altered into illegitimate code. Virus programs, for example, are a typical kind of Trojan: they usually hide their code inside legitimately used programs, and when those programs are activated the hidden code executes and performs functions the user does not know about, such as stealing passwords or copying files without the user being aware. A Trojan program does one of the following:
- Performs some functions, or helps its programmer discover important or personal information on a system or on just some components of that system.
- Hides some functions, or helps its programmer discover important or personal information on a system or on just some components of the system.
There are also Trojan programs that do both. Some Trojans can even destroy a system by wrecking the information on the hard disk, but Trojans of this kind are now easily detected and rarely effective. There are, however, more serious cases in which attackers create security holes through Trojans, obtain root privileges on the system, and use them to destroy part or all of the system, or to alter log files and install further Trojan programs that the administrator cannot detect; the impact is very serious, and the administrator is left with no choice but to reinstall the entire system.

1.3. Security for LANs


When we speak of LAN security, the main concerns are securing the information exchanged inside the internal network, securing the information exchanged from inside the network to the outside and from the outside into the network, controlling illegal access from outside, and controlling unauthorized access from inside the network to the outside. With the strong growth of the Internet and the connection of internal networks to it, ensuring network safety and security has become both harder and more necessary. There are now many methods of securing a LAN, among which some common and reliable ones are:

1.3.1. Virtual Private Network (VPN)


A Virtual Private Network (VPN) extends the private network of a company or organization over public or shared network connections such as the Internet. A VPN gives the customer all the features of a leased line at a lower price, because it uses the public network infrastructure. A VPN uses a tunnelling protocol to create a private transmission path, together with security measures such as encryption and authentication to protect the data in transit.

1.3.2. Firewall


The term Firewall originates from a design technique in construction for preventing and containing fires. In network technology, a firewall is a technique integrated into the network system to block unauthorized access, in order to protect internal information resources and to limit the entry into the system of other, unwanted information. A firewall can also be understood as a mechanism protecting a trusted network from untrusted networks. The firewall stands between the network of an organization, a company or a nation (the Intranet) and the Internet, and its role is to secure the Intranet's information from the outside Internet world. In the course of my study I found that the firewall is the most effective and widely used method today, because it has many advantages and provides good security features for protecting network security. Within the scope of this report I present the method of securing a LAN with a firewall.


Chapter 2: OVERVIEW OF FIREWALLS


For protecting internal networks, the firewall is one of the most effective and widely used solutions today. It keeps internal networks safe from unauthorized access from outside by controlling the information passing in and out between internal networks and the outside. In this chapter I give an overview of firewalls: the concept, the functions of a firewall, the classification of firewalls, the advantages and disadvantages of each kind, the strategies for building a firewall, and an introduction to the packet filtering mechanism.

2.1. Introduction to firewalls


2.1.1. The firewall concept
A firewall is a device intended to block illegitimate access from the outside network into the inside network. A firewall system usually comprises both hardware and software. Firewalls are typically operated by blocking, or by creating rules for, different addresses.

2.1.2. Basic functions of a firewall


The main function of a firewall is to control the flow of information between the network to be protected (the Trusted Network) and the Internet, according to the access policies that have been established. Specifically, it:
- Allows or denies services accessed from inside to outside and from outside to inside.
- Controls the addresses accessed and the services used.
- Controls users' ability to access between the two networks.
- Controls the content of the information carried between the two networks.
- Prevents attacks from outside networks.
Building firewalls is a fairly effective measure: it protects and controls most services, and for that reason it is the most widely applied of the network protection measures.


2.1.3. Firewall classification


There are many kinds of firewall, each with its own advantages and disadvantages, but firewalls are usually divided into two main kinds: hardware firewalls and software firewalls.

a. Hardware firewalls
A hardware firewall is a hardware device with an integrated router, on which the packet filtering rules are set up directly. It is like a computer that performs the single function of filtering packets, by running software that has been hardened into it; the administrator can only set up rule sets and cannot change the hardened, built-in router. Depending on the vendor's model, the administrator can update different packet filtering rules. In operation, the firewall checks the header information of each packet, such as the source IP address, the destination IP address and the port, against the rules set up in the router. If every piece of information in the packet header is valid, the packet is let through; if not, it is discarded. Because no time is wasted processing packets with invalid addresses, the processing speed of a hardware firewall is very high, and this is the greatest advantage of hardware firewalls. One point worth noting is that no hardware firewall in the world today can filter the content of a packet; it can filter only the contents of the packet header. Below is the model of using a hardware firewall to ensure network security (the firewall hardware device in this model has only the single function of filtering packets and cannot perform any other task).

Figure 1: Model using a hardware firewall. In this model, information from the Internet cannot enter the protected network zone directly, nor vice versa; it must pass through the hardware firewall. The inspection takes place there: if the information in the packet header, including the source IP address, the destination IP address, the port and so on, is accepted, the packet is forwarded into the internal network or out to the Internet. Today there are several well-known hardware firewall manufacturers in the world, such as CISCO, D-LINK, PLANET...
b. Software firewall
This type of firewall is an application program whose operating principle is based on a proxy application: software that forwards the packets received by a server to specific destinations on request. The packet-filtering rules are set by the user. This type of firewall is usually used when a network has a server through which all information passes before being forwarded to the client machines in the network, or on a personal computer that is connected to a network. The software firewall is very convenient because the software can easily be changed and updated to new versions. The way this type of firewall works is also very simple. The firewall software runs resident on the server or the personal computer; that computer can take on many tasks besides being a firewall. Every packet that arrives or leaves is checked by the firewall software against the packet header, which includes the destination address, the source address, the protocol, the service port and so on. Newer software firewalls can also inspect the content of a packet. The information the firewall checks is defined in advance by the user in the rule set. If the firewall software lets the packet through, it is then delivered to the client machines in the network or to the applications running directly on that machine.

Below is the model commonly used with a software firewall (the computer used as the firewall can take on many different tasks besides being a firewall, for example DNS server, mail server, web server...):

Figure 2: Model using a software firewall. In this model the computer running the firewall application plays an intermediary role. It receives packets from the Internet and from the protected network, then checks the packet headers for information such as the destination address, the source address, the protocol and the service port; if the firewall software accepts the packet, it continues on to its destination. If the packet is not accepted for forwarding, the firewall software decides to discard it. There are several ways of discarding: discarding without telling the sender the reason (DROP), discarding but replying to the sender with the reason (REJECT), and so on. This handling of discarded packets is what limits the speed of this type of firewall. Some widely used software firewalls that are highly rated for packet filtering are ZoneAlarm Pro, SmoothWall, McAfee Personal Firewall Plus, Sygate Personal Firewall...
c. Advantages and disadvantages of firewalls
Each type of firewall has its own advantages and disadvantages and is used in different situations. Hardware firewalls are usually used to secure large networks, because without a hardware firewall a software firewall system would be needed, that is, a server; this server receives every packet, inspects it and then forwards it to the machines in the network. Since a software firewall works more slowly than a hardware firewall, it greatly affects the speed of the whole network. Software firewall systems, on the other hand, are usually used to secure personal computers or a small network. Using a software firewall helps reduce costs, since a hardware firewall device costs many times more than a software firewall. Moreover, when a software firewall is used to secure a personal computer or a small-scale network,

the effect on the speed of packet transfer in the network is negligible. Another weakness of software firewalls is that each one runs only on a particular operating system. For example, ZoneAlarm Pro is a software firewall that runs only on Windows, while SmoothWall can only run on Linux. A hardware firewall, by contrast, runs completely independently and does not depend on an operating system as a software firewall does. Software firewalls can now filter packet content, whereas a hardware firewall can only filter the information in the packet header and cannot control the packet's actual content. That is why a hardware firewall cannot help block viruses on the system, but a software firewall can.

2.1.4 Some other firewall systems


a. Packet-Filtering Router
The most common Internet firewall system consists of nothing more than a packet-filtering router placed between the internal network and the Internet. A packet-filtering router has two functions: forwarding traffic between the two networks, and using packet-filtering rules to allow or deny that traffic. Basically, the filtering rules are defined so that hosts on the internal network have direct access to the Internet, while hosts on the Internet have only limited access to the computers on the internal network. The idea behind this firewall architecture is that anything not explicitly allowed is denied.

Figure 3: Packet-Filtering Router (figure: a packet-filtering router sits between the outside, the Internet, and the inside, the internal network).
Advantages

Low cost (because the configuration is simple). Transparent to users.
Limitations
It has all the limitations of a packet-filtering router, such as being vulnerable to attacks on filters whose configuration is imperfect, or to attacks hidden under permitted services. Because packets are exchanged directly between the two networks through the router, the risk of attack is determined by the number of permitted hosts and services. As a result, every host permitted direct access to the Internet needs to be provided with a complex authentication system, and the network administrator must check it regularly for signs of attack. If a packet-filtering router stops working because of some incident, every system on the internal network can be attacked.
b. Screened Host Firewall
This system consists of a packet-filtering router and a bastion host. The Screened Host Firewall provides higher security than a Packet-Filtering Router, because it implements security at both the network layer (packet filtering) and the application layer. An attacker therefore has to break through both layers of security to attack the internal network.

Figure 4: Screened Host Firewall (figure: the packet-filtering router sits between the Internet outside and the internal network inside; the bastion host and the information server are on the internal network).
In this system, the bastion host is configured on the internal network. The filtering rules on the packet-filtering router are defined so that all external systems can only reach the bastion host; traffic to all internal systems is blocked. Because the internal systems and the bastion host are on the same network, the organization's security policy decides whether the internal systems may access the Internet directly or must use the proxy services on the bastion host. Internal users are forced to do so by configuring the router's filter to accept only internal traffic that originates from the bastion host.
Advantages
A server providing public information through the Web and FTP services can be placed between the packet-filtering router and the bastion host. Where the highest security is required, the bastion host can run proxy services that require all internal and external users to go through the bastion host before connecting to the server. Where high security is not required, internal machines can connect to the server directly. If even higher security is needed, a dual-homed (two-way) bastion host firewall system can be used. Such a bastion host has two network interfaces, but direct communication between the two interfaces, bypassing the proxy service, is forbidden.

Figure 5: Dual-homed (two-way) bastion host firewall system (figure: the bastion host sits between the internal network inside and the packet-filtering router toward the Internet outside; the information server is on the internal network).
Limitations
Because the bastion host is the only internal system reachable from the Internet, attacks are limited to the bastion host alone. However, if a user manages to log on to the bastion host, they can easily access the whole internal network. Users must therefore be prevented from logging on to the bastion host.
c. Demilitarized Zone (DMZ) or Screened-subnet Firewall
This system consists of two packet-filtering routers and a bastion host. It is the most secure firewall system, because it provides both network-level and application-level security while defining a demilitarized network. The DMZ network acts as a small, isolated network placed between the Internet and the internal network. Basically, a DMZ is configured so that systems on the Internet and on the internal network can only reach a limited number of systems on the DMZ network, and direct transmission across the DMZ is impossible. For incoming information, the outer router guards against standard attacks (such as IP address spoofing) and controls access to the DMZ. It allows external systems to reach only the bastion host and possibly the information server. The inner router provides a second layer of protection by restricting access from the DMZ to the internal network to traffic that originates from the bastion host. For outgoing information, the inner router controls access from the internal network to the DMZ: it allows internal systems to reach only the bastion host and possibly the information server. The filtering rules on the outer router enforce the use of the proxy services by allowing only outbound information that originates from the bastion host.

Figure 6: Screened-subnet Firewall (figure: the outside packet-filtering router faces the Internet; the DMZ holds the bastion host and the information server; the inside router faces the internal network).
Advantages
An attacker has to break through three layers of protection: the outer router, the bastion host and the inner router. Because the outer router only advertises the DMZ network to the Internet, the internal network is invisible. Only selected systems on the DMZ are known to the Internet, through the routing table and DNS information exchange (Domain Name Server).

Because the inner router only advertises the DMZ network to the internal network, systems on the internal network cannot access the Internet directly. This ensures that internal users are forced to access the Internet through the proxy services.

2.2. Strategies for building a firewall


When studying firewalls in detail, we need to understand a few basic strategies that are used to build a firewall.

2.2.1. Least Privilege


One of the most basic principles of security (not only network security) is to grant the least privilege. Essentially, this principle means that any object (user, administrator, program, system...) should have only the privileges it needs to perform its tasks, and no more. Least privilege is an important principle for preventing outsiders from exploiting an intrusion and for limiting the damage an intrusion causes.

2.2.2. Defense in Depth


Another security principle is defense in depth. For any system, one should not install and rely on a single security mechanism, however strong it may be; instead, several security mechanisms should be installed so that they support one another. This is why a firewall is built with multiple layers of protection.

2.2.3. Choke Point


A choke point forces intruders to pass through a narrow gate that we can monitor and control, just as entering a cinema requires passing through the ticket gate. In network security, the firewall sits between our system and the Internet: it is a choke point. Anyone intending to break into the system from the Internet must pass through this gate, and we can monitor and manage it.

2.2.4. Weakest Link


When trying to break into a system, a cunning intruder usually looks for its weakest point and attacks there. For each system, therefore, we need to know its weakest point in order to have a plan to protect the system. We usually pay more attention to intruders on the network than to those who physically take over the system, so physical security is considered the weakest point of every system.

2.2.5. Fail-Safe Stance


Another fundamental security principle is failing safe: if a system fails, it must fail in a way that blocks unauthorized access, rather than letting an intruder in to destroy the system. Naturally, failing safe also cancels the legitimate users' access until the system is restored. Based on this principle, two basic rules are applied to security regulations and measures. First, the default deny stance: focus on what is allowed and block everything else; anything unclear may be forbidden. Second, the default permit stance: focus on what is forbidden and allow everything else; anything not forbidden is allowed. Most users and managers who apply the default permit stance assume that everything is allowed by default and that some troublesome, unclear services and actions will be blocked. For example: NFS is not allowed through the firewall. WWW access is restricted to experts trained in the security issues of the WWW. Users may not install unauthorized servers. So which rule is better? From the security point of view, the default deny stance should be used. From the managers' point of view, it is the default permit stance.

2.2.6. Universal Participation


To achieve high security, all systems on the network must take part in the security solution. If one system has a weak security mechanism, an unauthorized user can get into that system and then access the other systems from the inside.

2.2.7. Diversity of Defense


Because many different systems are used, we need many protective measures to ensure the defense-in-depth strategy. If all our systems are the same and someone knows how to break into one of them, they can break into all the rest. Using several different systems can limit the chances of security errors arising. In return, we face problems of cost and complexity. Buying and installing several different systems is harder and more time-consuming than systems of the same kind. In addition, more support and more training time for the staff who operate and administer the systems are needed from the vendors.

2.2.8. Simplicity
Simple things are easier to understand. If we do not clearly understand something, we cannot know whether it is secure.

2.3. How to build a firewall


Building a firewall requires that every step be planned in advance and closely coordinated with the others. To solve the biggest problem, building a firewall that works effectively, we must build step by step and solidly, minimizing the regrettable mistakes that can occur during construction.

2.3.1. Building the basic rules (Rule Base)


To build a firewall successfully, it must follow a certain set of basic rules (the rule base). When an IP packet passes through the firewall, these basic rules are what it is analyzed and filtered against. We must therefore write rules that are simple, concise and easy to understand, to speed up packet processing in the firewall and avoid congestion; this also makes changing and maintaining the system much easier. Usually no more than 30 basic rules should be used, and never more than 50, because too many rules make packet filtering slower and are prone to errors, since rules can overlap one another.

2.3.2. Building the Security Policy


A firewall must have security policies; in essence the firewall is only a tool for enforcing them. Managing and building the security policy strictly is what gives the firewall its strength. So before we build the basic rules, we must understand what the security policy of the firewall to be built is. At the same time, the security policies should be written to be relatively simple and easy to understand, not overly complex, because complexity leads to overlap, causes confusion, and makes checking and maintenance harder. We can set out some very simple security policies, for example: Machines on the internal network may access the Internet without restriction. Access to the internal network's Web and Mail servers is allowed from the Internet. All information entering the internal network must be authenticated and encrypted. From very simple policies like these we can develop much more effective and complex operating policies, for example restricting the internal network to limited Internet use with only a few basic services such as Mail and HTTP, while completely forbidding the FTP file transfer service, and so on.

2.3.3. Building a secure architecture


The steps to follow when building a secure architecture: First, we allow all the machines on the internal network to access the Internet. Then we install the parts that do not need protection (for example the Web server and the Mail server) into a zone technically called the demilitarized zone (DMZ). The DMZ is a separate network where we place the systems we do not fully trust (once the Internet can reach into our DMZ, those systems cannot be trusted). Systems in the DMZ are therefore never connected directly to the internal network as long as they are untrusted. There are two kinds of DMZ: the protected DMZ and the unprotected DMZ. A protected DMZ is a separate segment split off from the firewall. An unprotected DMZ is the network segment between the router and the firewall. We should use the protected DMZ, since that is where we usually place the Web server and the Mail server. The only way into the internal network must pass under the control of the network administrator (remote access can also be allowed). The other thing to mention is DNS (Domain Name Server). We will have to split DNS into several parts. Splitting DNS means dividing the DNS operations between two different DNS servers. We do this because one DNS server will handle resolving the company's domain name information for the outside network, while an internal DNS server resolves the names of the internal network. The external DNS server sits in the protected DMZ together with the Web and Mail servers. The internal DNS server sits on the internal network; this keeps information about the domain names of the internal network from being disclosed. Because the internal DNS server holds information about the internal network's addressing, it must also be placed under protection to avoid leaking the map of the network.

2.3.4. Order of the rules in the table (Sequence of Rules Base)


Before we build the basic rules, what we need to pay attention to is the order of the rules (also called rule precedence), because among them there is one special rule that plays the key role in our firewall's security policy. Many rules have similar precedence but must still be placed in a before/after order, and this changes the basic way the firewall works. Most firewalls check packets sequentially and continuously. When the firewall receives a packet, it checks whether the packet matches a rule in the rule base by examining the first rule, then the second, and so on until some rule matches; it then stops checking and acts according to that rule. If the packet has been compared against every rule in the table and none matches, the packet is rejected (filtered out). The key is to find the first matching rule in the rule base quickly so that the packet can pass through quickly. Once this is understood, we should place the special rules first and the general rules after them. This prevents a general rule from letting a packet through where a special case should block it, which would make the rules overlap. Always take care, therefore, to put the special rules first and the general rules after them. Following this principle avoids misconfiguration, helps the firewall work effectively, and also makes upgrading, maintaining and modifying it easy.

2.3.5. Basic rules (Rules Base)


Default properties (the default rule): All of these cases must be excluded, and we must be certain that no packet whatsoever can get through, whatever kind of packet it is.
Internal Outbound (from the internal network out): The first step is to allow traffic from inside to outside without any restriction; all basic services such as Web, Mail, FTP and so on are allowed.
Lockdown: Restrict everything, allowing no intrusion into our firewall. This is a standard rule the rule base must contain. No intrusion into the firewall is allowed, yet we still need firewall administrators (Firewall Admins).
Admin Access: No one can connect to the firewall, including the Admin. So we also have to create a rule that lets the Admin access the firewall.
Drop All: Usually we discard every packet that matches no rule. But we should record these packets in a log, and we add this rule at the end of the list of rules. This is a standard rule we should have.
No Logging: Usually many packets are sent to every address on the network (advertising, for example). When they reach the firewall they are discarded and then logged, but this quickly fills the log. We therefore have to create a rule so that when such packets are dropped they are not logged. This is also a basic rule we sometimes have to use.
DNS Access: Model and components of the firewall.
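The first-match evaluation of 2.3.4 and the standard rules of 2.3.5, as an added example that is not part of the thesis: a small rule base in the required order (No Logging, Admin Access, Lockdown, Internal Outbound, Drop All) beside the same rules with the general Internal Outbound rule moved ahead of Lockdown, which shows the overlap the text warns about. The network 192.168.1.0/24, the firewall address 192.168.1.1, the admin host 192.168.1.10 and all sample packets are constructed values.

```python
"""First-match rule base modelled on sections 2.3.4 and 2.3.5.

Added example, not code from the thesis. The addresses and ports are
constructed sample values; the rule names follow the section.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL = ip_network("192.168.1.0/24")        # constructed: protected LAN
FIREWALL = ip_network("192.168.1.1/32")        # constructed: firewall's own address
ADMIN_HOST = ip_network("192.168.1.10/32")     # constructed: admin workstation
BROADCAST = ip_network("255.255.255.255/32")   # limited broadcast (the "advertising" noise)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "ACCEPT" or "DROP"
    src: Optional[IPv4Network] = None  # None means "any"
    dst: Optional[IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    log: bool = False                  # whether a hit is written to the log

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or ip_address(p.src) in self.src)
                and (self.dst is None or ip_address(p.dst) in self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Special rules first, the general "Drop All" last, as section 2.3.4 requires.
RULE_BASE: List[Rule] = [
    Rule("No Logging", "DROP", dst=BROADCAST),                 # drop broadcast noise silently
    Rule("Admin Access", "ACCEPT", src=ADMIN_HOST, dst=FIREWALL,
         proto="tcp", dport=22),                               # only the admin reaches the firewall
    Rule("Lockdown", "DROP", dst=FIREWALL, log=True),          # nobody else reaches the firewall itself
    Rule("Internal Outbound", "ACCEPT", src=INTERNAL),         # inside -> outside without restriction
    Rule("Drop All", "DROP", log=True),                        # default deny, logged
]

# The same rules with "Internal Outbound" moved ahead of "Lockdown": the
# misordering section 2.3.4 warns about.
MISORDERED: List[Rule] = [RULE_BASE[3]] + RULE_BASE[:3] + RULE_BASE[4:]


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str, bool]:
    """Walk the rule base top to bottom; the first match decides.

    Returns (rule name, action, logged). A packet matching nothing is
    dropped and logged: the implicit default-deny stance.
    """
    for rule in rules:
        if rule.matches(p):
            return rule.name, rule.action, rule.log
    return "implicit default", "DROP", True


def demo() -> dict:
    """Sample traffic (constructed) run through both rule bases."""
    lan_to_fw = Packet("192.168.1.20", "192.168.1.1", "tcp", 22)  # ordinary LAN host -> firewall SSH
    return {
        "admin_ssh":   evaluate(RULE_BASE, Packet("192.168.1.10", "192.168.1.1", "tcp", 22)),
        "lan_ssh_fw":  evaluate(RULE_BASE, lan_to_fw),
        "lan_web_out": evaluate(RULE_BASE, Packet("192.168.1.20", "203.0.113.5", "tcp", 80)),
        "inbound_smb": evaluate(RULE_BASE, Packet("203.0.113.5", "192.168.1.20", "tcp", 445)),
        "broadcast":   evaluate(RULE_BASE, Packet("192.168.1.20", "255.255.255.255", "udp", 67)),
        # with the general rule first, the LAN host reaches the firewall: the overlap the text warns of
        "misordered_lan_ssh_fw": evaluate(MISORDERED, lan_to_fw),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```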

2.4. Packet filtering and how it works
When we speak of transferring data between networks through a firewall, it means that the firewall works closely with the TCP/IP protocol suite, and this protocol works by splitting up the data it receives from the applications on the network. That is, the data received from the services running on the common network protocols (for example telnet, SMTP, DNS, SNMP, ...) is divided into data packets. These packets are given addresses and information so that they can be received and reassembled into the original data. All kinds of firewalls are therefore closely concerned with packets and their addresses; below we look at what packet filtering is and how it works.

2.4.1. Packet filtering


The packet filter has the job of checking the address identification of packets to decide whether they may pass through the firewall. The information that can be filtered in a packet includes: the originating address, also called the source address (source IP address); the receiving address, also called the destination address (destination IP address); the port number of the origin (source port); the port number of the receiver (destination port). In this way the firewall can block connections from the external network to internal servers, or into the internal network, from addresses that are not allowed. Furthermore, controlling the ports lets the firewall permit only certain kinds of connection to predefined servers that provide certain services (Telnet, SMTP, mail) allowed on the internal network.

2.4.2. Application Gateway


An Application Gateway is designed to strengthen control over the kinds of services and protocols allowed to access the network. It works on the basis of what is called a proxy service. A proxy service works like this: an application that is referred to (or represented by) a proxy service running on the server systems is referred to the firewall's Application Gateway. The filtering of packet filtering, combined with the proxying of the Application Gateway, gives the firewall a safer way of exchanging information with the outside network. For example, a network system with packet filtering will block Telnet connections into the system except on a single port, the Telnet Application Gateway, which is allowed. A Telnet user who wants to connect into the system must take the following steps: Telnet to the Telnet Application Gateway and give the name of the internal server to be accessed. The gateway checks the source IP address of the user and allows or denies the request according to the system's security mode. The user must pass the authentication check. The proxy service then relays the traffic between the user and the server. This mechanism matters a great deal in system security design. It can provide many capabilities, for example: Hiding information: users can only see the permitted gateways directly. Strengthening access control with authentication services. Significantly reducing the cost of developing authentication management systems, because the system is designed to refer only to the Application Gateway. Reducing the control rules of the packet filter, which significantly increases the firewall's speed.

2.4.3. Smart Session Filtering


The combined operation of the packet filter and the application gateway described above provides a high level of security, but it also has some limitations. The main problem today is how to provide a proxy service for the great many different applications being developed so rapidly. This means that the risk, and the pressure, of the firewall being fooled grows very large if the proxies cannot keep up. When packets are monitored at the higher levels, if the network layer already requires a lot of effort for simple packet filtering, then monitoring the traffic transactions at the session level requires less work. This approach also removes the need for a specific service for each kind of application. The smart session filter works by combining the ability to record information about sessions with using that information to create rules for the filter. Note that a session at the network level is created by packets flowing in two directions: one rule controls the packets flowing from the originating host to the server it wants to reach; one rule controls the packets returning from the server. A smart filter recognizes that the returning packet follows the reverse direction, so the second rule is unnecessary. As a result, the handling of unwanted packets originating outside the firewall differs clearly from the handling of the packets of permitted (outbound) connections, and illegitimate packets can be identified easily.

2.4.4. Hybrid Firewall


In practice, the firewalls in use combine several techniques to achieve maximum security. For example, the packet filter's checks can be re-examined by the smart session filter at the application level, and the filter's monitoring is tightened by the proxy services of the Application Gateway.

2.5. Conclusion
Firewall systems are set up to ensure network security by controlling the headers of packets. But to use a firewall to secure a network effectively, the system administrator needs a deep understanding of destination IP addresses, source IP addresses, service ports and network protocols (TCP, UDP, SMTP), and especially needs tools that help configure the firewall system effectively. In the next chapter I will present the Iptables firewall tool built into the open-source Linux operating system, used to protect the internal network.

Chapter 3:
STUDY OF IPTABLES ON THE LINUX OPERATING SYSTEM
Today there are many firewall programs for operating systems such as Windows NT, Linux and Solaris. On the open-source Linux operating system, the new version of the IPtables firewall is truly a powerful tool for ensuring network security. A network administrator can use it together with many useful options. But because the software has so many parameters, using it requires deep knowledge of computer networks. Someone with little knowledge of networking who does not know the program's parameters cannot use the IPtables tool. In the scope of this project I will study the Iptables firewall tool on Linux for controlling the users on the internal network, who are allowed to send any access request on any protocol from the inside out, while any access request on any protocol from the outside in is blocked. Also, as we know, a machine running Linux has a number of services listening (LISTEN). These services serve only you, and you do not want anyone on the Internet reaching them. So we have to build firm rules: when packets enter (INPUT) the firewall, the firewall checks whether any INPUT rule allows them in; if not, the firewall blocks them according to the default policy. This increases security and gives the network administrator flexibility. In this chapter I give an overview of the IPtables firewall tool and study some basic rule sets in IPtables:

3.1. The IPtables firewall on Red Hat


Linux kernel version 2.4.x was released with many new features that make Linux more reliable and support more devices. One of its new features is support for Netfilter iptables right in the kernel, which handles packets more efficiently than the earlier tools, ipfwadm in kernel 2.0 and ipchains in kernel 2.2, while still supporting the old command sets. Setting up a packet-filtering firewall with ipfwadm or ipchains has many limitations: it lacks the integration needed to extend its features, and packet filtering for common protocols and Network Address Translation (NAT) are carried out completely separately, with no way to combine them. Netfilter and iptables in kernel 2.4 solve these limitations well and add many features that ipfwadm and ipchains lack.

3.1.1. Introduction to IPtables


Linux has a great many firewalls. Among them, some firewalls that are configured and operated from the console are very small and convenient: Iptables and Ipchains.
a. Netfilter/IPtables
Introduction: Iptables was written by the Netfilter Organization to enhance security on Linux systems.

Figure 7: The IPtables firewall in Linux. Iptables is a very powerful packet-filtering firewall application, available inside the Linux kernel 2.4.x and 2.6.x. Netfilter/Iptables consists of two parts: Netfilter inside the Linux kernel and Iptables outside the kernel. Iptables is responsible for communication between the user and Netfilter, pushing the user's rules into Netfilter for processing. Netfilter filters data packets at the IP level. Netfilter works directly in the kernel; it is fast and does not slow the system down. It was designed to replace ipchains in Linux 2.2.x and ipfwadm in Linux 2.0.x; it has more features than ipchains and is built more sensibly, with the following points.
What can Netfilter/Iptables do?
Build firewalls based on stateless and stateful packet filtering.
Use the NAT and masquerading tables to share network access when network addresses are not available.
Use the NAT table to install a transparent proxy.
Help the iproute2 system tasks create complex routing policies and QoS.
Mangle the TOS/DSCP/ECN bits of the IP header.
Track connections and check many packet states. It does this for UDP and ICMP, and best of all for TCP connections; for example, stateful ICMP filtering allows an echo reply only when a request has been sent, instead of not blocking requests but accepting replies on the assumption that they always answer a ping. An unsolicited echo reply may be the sign of an attack or a backdoor.
Simple handling of the packets dealt with in the chains (lists of rules) INPUT, OUTPUT and FORWARD. On hosts with several network interfaces, packets moving between interfaces travel only on the FORWARD chain rather than on all three chains.
A clear distinction between packet filtering and NAT (Network Address Translation).
The ability to rate-limit connections and logging. You can limit connections and logging to avoid denial-of-service attacks.
The ability to filter on TCP flags and on physical addresses.
As a stateful firewall, it can track a connection throughout, so it is safer than a stateless firewall.
Iptables consists of 4 tables, each with a default policy and built-in chains of rules.
b. Ipchains
One of the programs Linux uses to configure the kernel's NAT table is Ipchains. The Ipchains program includes two main scripts used to simplify the administration of Ipchains. Ipchains is used to set up, maintain and inspect the rules of the IP firewall in the Linux kernel. These rules can be divided into different rule chains: the IP input chain (rules applied to packets arriving at the firewall); the IP output chain (rules applied to packets generated locally on the firewall and leaving it); the IP forwarding chain (applied to packets forwarded to another machine or network through the firewall); and the user-defined chains. Ipchains uses the concept of a rule chain to process packets. A rule chain is a list of rules for processing packets of the same kind: incoming packets, forwarded packets or outgoing packets. These rules specify which action is applied to the packet. The rules stored in the NAT table are pairs of IP addresses rather than individual IP addresses. A firewall rule specifies the packet criteria and a target. If the packet does not match, the next rule is considered; if it matches, the target specifies either a user-defined chain or one of the following values: ACCEPT, DENY, REJECT, MASQ, REDIRECT or RETURN.
ACCEPT: let the packet through.
DENY: discard the packet without sending the client any notification.
REJECT: like DENY, but the client is told that the packet was discarded.
MASQ: valid only for the forward chain and user-defined chains, and used when the kernel is compiled with CONFIG_IP_MASQUERADE. The packet is masqueraded as if it originated from the local machine; moreover, the reply packets are recognized and automatically demasqueraded, bypassing the forwarding chain.
REDIRECT: valid only for the input chain and user-defined chains, and only when the Linux kernel is compiled with CONFIG_IP_TRANSPARENT_PROXY defined. Packets are then redirected to a local socket, even though they were sent to a remote host.
Some commonly used syntax:
ipchains -[ADC] chain rule-specification [options]
ipchains -[RI] chain rulenum rule-specification [options]
ipchains -D chain rulenum [options]
ipchains -[LFZNX] [chain] [options]
ipchains -P chain target [options]
ipchains -M [-L | -S] [options]

3.1.2. How a packet passes through Netfilter


A data packet travels along the cable and enters the network card (say eth0). First the packet passes through the PREROUTING chain (before routing). Here the packet may have its parameters altered (mangle) or its destination IP address changed (DNAT). A packet destined for this machine passes through the INPUT chain, where it can be accepted or dropped. It is then handed up to the applications (client/server) for processing, and next passes out through the OUTPUT chain, where it can be altered and filtered, accepted out or dropped. A packet forwarded through the machine, after leaving the PREROUTING chain, passes through the FORWARD chain, where it is likewise filtered, ACCEPT or DENY. After the FORWARD chain or the OUTPUT chain, the packet reaches the POSTROUTING chain (after routing), where its source IP address can be changed (SNAT) or MASQUERADE applied. After leaving the network card the packet is put on the cable to reach another machine on the network.
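The packet path just described (PREROUTING with DNAT, the routing decision between INPUT and FORWARD, POSTROUTING with MASQUERADE) together with the session tracking of 2.4.3, as an added example that is neither the thesis's code nor the kernel's implementation: a simulator that records each accepted new session and lets its reply through without a rule of its own, while an unsolicited packet from outside with the same addresses is dropped. The LAN 192.168.1.0/24, the firewall addresses 192.168.1.1 and 203.0.113.1, the DMZ web server 10.0.0.80 and the six sample packets are constructed, and the recorded NAT mapping is applied in one step before routing, a simplification of what the nat table does chain by chain.

```python
"""Simulation of the Netfilter packet path of section 3.1.2 with the session
tracking of section 2.4.3.

Added example: not the thesis's code and not the kernel's implementation.
Addresses, ports and rules are constructed; the recorded NAT mapping is
applied in one step before the routing decision (a simplification).
"""
from typing import Dict, List, Tuple

Tuple4 = Tuple[str, int, str, int]   # (src, sport, dst, dport)

LAN_PREFIX = "192.168.1."    # constructed protected LAN
FW_LAN = "192.168.1.1"       # constructed firewall address on the LAN
FW_PUBLIC = "203.0.113.1"    # constructed firewall address on the Internet
DMZ_WEB = "10.0.0.80"        # constructed web server in the DMZ


def reverse(t: Tuple4) -> Tuple4:
    src, sport, dst, dport = t
    return (dst, dport, src, sport)


def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class Netfilter:
    def __init__(self) -> None:
        # session table: original (pre-NAT) tuple -> translated (post-NAT) tuple
        self.sessions: Dict[Tuple4, Tuple4] = {}

    def _lookup(self, pkt: Tuple4) -> Tuple[str, Tuple4]:
        """Return the packet's state and the packet after the recorded NAT mapping."""
        if pkt in self.sessions:                      # original direction, seen before
            return "ESTABLISHED", self.sessions[pkt]
        for orig, nat in self.sessions.items():
            if pkt == reverse(nat):                   # reply to a known session
                return "ESTABLISHED", reverse(orig)   # undo the NAT for the reply
        return "NEW", pkt

    def nat_prerouting(self, pkt: Tuple4) -> Tuple4:
        src, sport, dst, dport = pkt
        if dst == FW_PUBLIC and dport == 80:          # DNAT: published web port -> DMZ server
            return (src, sport, DMZ_WEB, 80)
        return pkt

    def routing(self, pkt: Tuple4) -> str:
        return "INPUT" if pkt[2] in (FW_LAN, FW_PUBLIC) else "FORWARD"

    def filter_input(self, pkt: Tuple4, state: str) -> str:
        src, _, _, dport = pkt
        if state == "ESTABLISHED":
            return "ACCEPT"
        if is_lan(src) and dport == 22:               # admin access to the firewall itself
            return "ACCEPT"
        return "DROP"                                 # chain policy DROP

    def filter_forward(self, pkt: Tuple4, state: str) -> str:
        src, _, dst, dport = pkt
        if state == "ESTABLISHED":                    # replies need no rule of their own
            return "ACCEPT"
        if is_lan(src) and not is_lan(dst):           # internal outbound
            return "ACCEPT"
        if dst == DMZ_WEB and dport == 80:            # inbound web, already DNATed
            return "ACCEPT"
        return "DROP"

    def nat_postrouting(self, pkt: Tuple4) -> Tuple4:
        src, sport, dst, dport = pkt
        if is_lan(src) and not is_lan(dst) and dst != DMZ_WEB:   # MASQUERADE toward the Internet
            return (FW_PUBLIC, sport, dst, dport)
        return pkt

    def process(self, pkt: Tuple4) -> Tuple[str, str, str, Tuple4]:
        """Run one packet through the chains; returns (chain, state, verdict, packet as sent on)."""
        state, work = self._lookup(pkt)
        if state == "NEW":
            work = self.nat_prerouting(work)
        chain = self.routing(work)
        check = self.filter_input if chain == "INPUT" else self.filter_forward
        verdict = check(work, state)
        if verdict == "ACCEPT" and state == "NEW":
            if chain == "FORWARD":
                work = self.nat_postrouting(work)
            self.sessions[pkt] = work                 # remember the mapping for the replies
        return chain, state, verdict, work


def demo() -> List[Tuple[str, str, str, Tuple4]]:
    """Six constructed packets, in order, through one firewall instance."""
    nf = Netfilter()
    return [
        nf.process(("192.168.1.20", 40000, "198.51.100.7", 443)),   # LAN client -> Internet
        nf.process(("198.51.100.7", 443, FW_PUBLIC, 40000)),        # its reply, un-masqueraded
        nf.process(("198.51.100.7", 443, FW_PUBLIC, 40001)),        # unsolicited: no session, dropped
        nf.process(("198.51.100.9", 51000, FW_PUBLIC, 80)),         # Internet -> published web port
        nf.process((DMZ_WEB, 80, "198.51.100.9", 51000)),           # DMZ reply, source restored
        nf.process(("198.51.100.9", 51001, "192.168.1.20", 445)),   # direct to a LAN host: dropped
    ]


if __name__ == "__main__":
    for step in demo():
        print(step)
```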

3.1.3. Structure of Iptables


Iptables is divided into 4 tables: the filter table, used to filter packets; the nat table, used to handle packets that need source NAT or destination NAT; the mangle table, used to change the parameters in an IP packet; the conntrack table, used to track connections. Each table consists of several chains, and each chain consists of several rules that act on packets. A rule can ACCEPT (accept the packet), DROP (drop the packet), REJECT (reject the packet) or refer (reference) to another chain.

3.1.4. Installing iptables


Iptables is installed by default on most Linux systems. The package is iptables-version.rpm or iptables-version.tgz and can be installed with:

$ rpm -ivh iptables-version.rpm      on Red Hat
$ apt-get install iptables           on Debian

On Red Hat the rule set saved in /etc/sysconfig/iptables is managed by the init script:

Start iptables: service iptables start
Stop iptables: service iptables stop
Restart iptables: service iptables restart
Show iptables status: service iptables status

Note that "stopping" iptables flushes the rules and resets the policies to ACCEPT, leaving the host unfiltered until they are loaded again.

3.2. Common command-line parameters

3.2.1 Getting help
For help on iptables, type $ man iptables or $ iptables --help. To see the options of a specific match, name it first: for the limit match, type $ iptables -m limit --help.

3.2.2 Options that specify parameters

Table name: -t <table>, e.g. -t filter, -t nat. If no table is given, filter is used.
Protocol: -p <protocol>, e.g. -p tcp, -p udp; -p ! udp matches every protocol except udp (newer versions write the negation as ! -p udp).
Input interface: -i <interface>, e.g. -i eth0, -i lo.
Output interface: -o <interface>, e.g. -o eth0, -o ppp0.
Source address: -s <source_ip>, e.g. -s 192.168.0.0/24 (the 192.168.0.0 network with a 24-bit mask) or a single host, -s 192.168.0.1. Note that -s does not accept a range such as 192.168.0.1-192.168.0.3; a range needs the iprange match: -m iprange --src-range 192.168.0.1-192.168.0.3.



Destination address: -d <destination_ip>, same syntax as -s.
Source port: --sport <port>, e.g. --sport 21 (port 21), --sport 22:88 (ports 22 to 88), --sport :80 (ports up to 80), --sport 22: (ports 22 and above). --sport and --dport are options of the tcp and udp matches, so the rule must also carry -p tcp or -p udp.
Destination port: --dport <port>, same syntax as --sport.

3.2.3. Options that operate on chains

Create a new chain: iptables -N <chain>
Delete a user-defined chain: iptables -X <chain> (the chain must be empty and not referenced by any rule; with no argument every empty user-defined chain is deleted)
Set the policy of a built-in chain (INPUT, OUTPUT and FORWARD): iptables -P <chain> <target>, e.g. iptables -P INPUT ACCEPT accepts every packet that reaches the end of INPUT without matching a rule
List the rules of a chain: iptables -L [chain]
Delete all rules in a chain (flush): iptables -F [chain]
Reset the packet and byte counters to zero: iptables -Z [chain]

3.2.4. Options that operate on rules

Append a rule to the end of a chain: -A <chain> <rule>
Delete a rule: -D <chain> <rule> or -D <chain> <rulenum>
Replace a rule: -R <chain> <rulenum> <rule>
Insert a rule: -I <chain> [rulenum] <rule> (at position 1 when no number is given)

3.2.5 ACCEPT, DROP and REJECT

ACCEPT: accept the packet.
DROP: discard the packet silently; the client receives nothing and keeps retrying until it times out.
REJECT: discard the packet and tell the client with another packet (an ICMP error, or a TCP RST when --reject-with tcp-reset is given). Some examples:



# iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
  accept packets arriving on eth0 for TCP port 80 (--dport needs -p tcp or -p udp on the same rule)
# iptables -A INPUT -i eth0 -p tcp --dport 23 -j DROP
  drop TCP packets to port 23 arriving on eth0
# iptables -A INPUT -i eth1 -p tcp -m iprange ! --src-range 10.0.0.1-10.0.0.5 --dport 22 -j REJECT --reject-with tcp-reset
  answer with a TCP packet whose RST flag is set for connections to port 22 on eth1 that do not come from 10.0.0.1..5 (-s takes an address or network, not a range, so the iprange match extension is used; tcp-reset is only valid with -p tcp)
# iptables -A INPUT -p udp --dport 139 -j REJECT --reject-with icmp-port-unreachable
  answer with an ICMP port-unreachable for UDP packets to port 139

3.2.6 NEW, ESTABLISHED and RELATED

These are values of the state match (-m state --state ...), which consults the connection-tracking table:
NEW: the packet starts a new connection, or belongs to a connection that has so far been seen in one direction only.
ESTABLISHED: the packet belongs to a connection that has already carried traffic in both directions.
RELATED: the packet starts a new connection that is associated with an existing one, such as an FTP data connection or an ICMP error about an existing connection.
Some examples:
# iptables -P INPUT DROP
  set the policy of the INPUT chain to DROP
# iptables -A INPUT -p tcp --syn -m state --state NEW -j ACCEPT
  accept only those new TCP connections that open with a packet whose SYN flag is set (and ACK, RST and FIN clear)
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  keep connections that are already established, and allow new connections related to them
# iptables -A INPUT -p tcp -j DROP
  every other TCP packet is dropped

3.2.7 The --limit and --limit-burst options

Both belong to the limit match (-m limit), which behaves like a token bucket:
--limit-burst <number>: the bucket size, in packets (default 5). Up to this many matching packets can pass back to back.
--limit <rate>: the rate at which the bucket is refilled, written as a number of packets per unit: /second (/s), /minute (/m), /hour (/h) or /day (/d); the default is 3/hour.
Each packet that matches the rule consumes one token; once the bucket is empty, packets stop matching until tokens are refilled at the --limit rate and fall through to the next rule. The match is most often paired with the LOG target so that a flood cannot fill the logs, as in the firewall script of Chapter 4 (--limit 3/minute --limit-burst 3).

3.3. Introduction to the NAT table (Network Address Translation)

One problem today is the scarcity of IP addresses: an organisation may have many computers but be allocated only one IP address. How can every computer in the organisation reach the Internet with that single address? The mechanism that makes this possible is NAT (Network Address Translation).

3.3.1. Basic concepts of NAT

NAT is used when a site with its own private address space needs to connect to the Internet, which requires public addresses. Public addresses are globally unique on the Internet and are normally allocated by Internet Service Providers (ISPs); they are also called valid IP addresses. Private addresses are used inside the local network (LAN): they need not come from a provider and can be assigned by the local administrator, but they are never used on the Internet. NAT lets you reach the Internet while using private addresses internally, because it translates between the two kinds of address, whatever the size of the internal network, even when the ISP provides a single public address. NAT rewrites the source address of packets leaving the internal network so that they carry the public address on the Internet; from the Internet the private address of a machine cannot be seen, only the public address of the site. NAT tells the internal machines apart by the (translated) port numbers of their connections. NAT therefore has these advantages: it hides the internal addressing from the outside, and it saves public (Internet) addresses.



It can also serve as a load balancer, spreading incoming connections over several servers inside the internal network. If the public address changes, no internal machine needs to be reconfigured, which is convenient for the administrator. It reduces cost. Alongside these advantages there are disadvantages: processing is slower, because every packet must be parsed, its addresses rewritten and its checksums recalculated; and congestion is likely when too much traffic passes through at one time. Note also that hiding addresses is not a substitute for filtering: NAT alone does not stop an attacker from reaching a service that is forwarded in (DNAT) or that the NAT host itself exposes. Some of NAT's address-translation methods are described next.

3.3.2. Dynamic address translation (Dynamic NAT)

Dynamic NAT is one of the NAT address-translation techniques. Internal IP addresses are translated to NAT addresses as follows:

Figure 8: Dynamic address translation.

The NAT router maps the internal range 192.168.0.x onto the public range 203.162.2.x. When a packet with source 192.168.0.200 reaches the router, the router rewrites the source to 203.162.2.200 before sending it out. This is SNAT (Source NAT). The router records the mapping in a table, the dynamic NAT table. Conversely, when a packet arrives from outside with destination 203.162.2.200, the router consults the dynamic NAT table and rewrites the destination to 192.168.0.200. This is DNAT (Destination NAT). The internal host 192.168.0.200 and its external peer communicate transparently through the NAT router: the peer only ever sees 203.162.2.200, and the router forwards the packets in both directions. This scheme consumes one public address per internal host that is active at the same time (here a whole /24), which is what the masquerading technique of the next section avoids.

3.3.3. Address masquerading (masquerade)

Figure 9: Address masquerading.

The NAT router maps the whole internal range 192.168.0.x onto a single address, 203.162.2.4, by giving each connection a different port number. For example, when a packet with source 192.168.0.168:1204 and destination 211.200.51.15:80 reaches the router, the router rewrites the source to 203.162.2.4:26314 and records the mapping in a table, the dynamic masquerade table. When a reply arrives from outside with source 211.200.51.15:80 and destination 203.162.2.4:26314, the router looks up the masquerade table and rewrites the destination to 192.168.0.168:1204. Hosts in the LAN and hosts outside communicate transparently through the router. In the Linux implementation this table is the connection-tracking table: an entry exists only while the kernel considers the connection alive, so an inbound packet that matches no entry cannot be delivered to any internal host.

3.3.4. Examples of using NAT

Iptables offers the -j REDIRECT target, which makes it easy to divert a port. For example, if SQUID is listening on port 3128/tcp, to redirect port 80 to port 3128:



# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

Note: REDIRECT is a target of the nat table and is valid only in its PREROUTING and OUTPUT chains (and in user-defined chains called from them); it rewrites the destination to the address of the interface the packet arrived on. As written, the rule diverts every HTTP request that reaches the host on any interface, so add -i <lan_interface> unless that is intended.

SNAT and MASQUERADE

To give the LAN 192.168.0.0/24 transparent access to the Internet, configure the iptables firewall as follows:
# echo 1 > /proc/sys/net/ipv4/ip_forward
  allow the iptables host to forward packets
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 210.40.2.71
  rewrite the source address of packets leaving eth0 to 210.40.2.71. When a reply arrives from the Internet for 210.40.2.71, connection tracking maps the destination back to the LAN host that opened the connection; no second rule is needed. Adding -s 192.168.0.0/24 to the rule keeps it from translating anything else that happens to be forwarded.
MASQUERADE can be used instead of SNAT:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
(MASQUERADE is the usual choice when the Internet link is a dial-up interface such as ppp0 with a dynamic address: it uses whatever address the interface currently has and forgets its tracked connections when the interface goes down. SNAT is preferable when the address is static.)

DNAT


Suppose the Proxy, Mail and DNS servers sit in the DMZ. To make them reachable transparently from the Internet:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.3
# iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 192.168.1.4
These rules only rewrite the destination. The rewritten packets still traverse the FORWARD chain of the filter table, where they are matched on their new destination, so when FORWARD has a DROP policy a matching ACCEPT rule (for example -A FORWARD -i eth0 -p tcp -d 192.168.1.2 --dport 80 -j ACCEPT) is required as well, as the script in Chapter 4 does.
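The DNAT rules of Section 3.3.4 are easy to get half right: the nat rule rewrites the packet and the filter table then drops it. The function below is an added example, not code from the thesis. It emits, for one published service, both the PREROUTING DNAT rule and the FORWARD rule that admits the rewritten packet, and it validates its arguments first. IPTABLES defaults to a dry run that prints the commands so the output can be reviewed (and tested) before `IPTABLES=/usr/sbin/iptables` applies them as root; the interface name and the DMZ addresses are assumptions taken from the examples above.

```shell
#!/bin/sh
# Added example, not part of the thesis: publish an internal service with DNAT
# and the FORWARD rule it depends on. With `iptables -P FORWARD DROP` (as in
# Chapter 4) the nat rule alone is not enough.
# IPTABLES defaults to a dry run; set IPTABLES=/usr/sbin/iptables to apply.
# Left unquoted below on purpose so "echo iptables" splits into two words.
IPTABLES="${IPTABLES:-echo iptables}"

# port_forward EXT_IF PROTO PORT INTERNAL_IP [INTERNAL_PORT]
port_forward() {
    ext_if=$1; proto=$2; port=$3; int_ip=$4; int_port=${5:-$3}
    case "$proto" in
        tcp|udp) ;;
        *) echo "port_forward: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port_forward: bad port '$port'" >&2; return 1 ;;
    esac
    # 1. nat/PREROUTING: rewrite the destination before the routing decision.
    $IPTABLES -t nat -A PREROUTING -i "$ext_if" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$int_ip:$int_port"
    # 2. filter/FORWARD: the rewritten packet is matched on its NEW destination.
    #    Only connection-opening packets are accepted here; replies are covered
    #    by the ESTABLISHED,RELATED rule that publish_dmz installs first.
    $IPTABLES -A FORWARD -i "$ext_if" -p "$proto" -d "$int_ip" --dport "$int_port" \
        -m state --state NEW -j ACCEPT
}

# publish_dmz: the three services of Section 3.3.4 (assumed addresses) plus
# the stateful rule that lets replies and related traffic through FORWARD.
publish_dmz() {
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    port_forward eth0 tcp 80 192.168.1.2
    port_forward eth0 tcp 25 192.168.1.3
    port_forward eth0 udp 53 192.168.1.4
}
```

In dry-run mode publish_dmz prints seven iptables commands, two per service; the same script run with IPTABLES pointing at the real binary installs them in that order, so the stateful rule is evaluated before any per-service rule.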


Chapter 4: SETTING UP A FIREWALL TO PROTECT THE INTERNAL NETWORK WITH IPTABLES ON LINUX

In this application, iptables on a Linux server serves as the firewall. It lets the outside network reach the DMZ and lets the internal network reach the outside network through the firewall; the outside network is not allowed into the internal network.

4.1. How the firewall with a DMZ works

Figure 10: Firewall with a DMZ.

The firewall lets hosts in the internal network reach resources on the outside network using SNAT. Hosts on the outside network are allowed to reach only the Web server and the DNS server in the DMZ, using DNAT. The requirements for the firewall (a Linux 2.4.x kernel, the modules the firewall needs, and the addressing of the internal network and the DMZ) are the same as for the IP NAT application. The user-defined chains are the three chains bad_tcp_packets, allowed and icmp_packets, as in the IP NAT application.


4.2. Structure of the configuration file and configuration

The firewall's configuration file:

4.2.1. Configuration options:

#!/bin/sh
# rc.firewall_dmz - DMZ firewall for Linux 2.4.x and iptables
############################################
# 1. Configuration options.
# 1.1 Internet interface configuration.
# $HTTP_IP and $DNS_IP are the public addresses of the published servers;
# they must be configured on, or routed to, this host so that their packets
# reach the PREROUTING chain to be translated.
INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
INET_IFACE="eth0"
# 1.2 Local network interface configuration.
LAN_IP="192.168.0.1"
LAN_IFACE="eth1"
# 1.3 DMZ interface configuration.
DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"
# 1.4 Localhost configuration.
LO_IFACE="lo"
LO_IP="127.0.0.1"
# 1.5 Location of the iptables binary.
IPTABLES="/usr/sbin/iptables"

4.2.2. Loading the required kernel modules.

# 2. Load the required modules into the kernel.
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

4.2.3. Settings in the proc file system.

# 3. Required proc settings: enable IP forwarding between interfaces.
echo "1" > /proc/sys/net/ipv4/ip_forward

4.2.4. Setting up the rules.

# 4. Set up the rules.
# 4.1 Filter table
# 4.1.1 Default policies of the built-in chains: everything not explicitly
#       accepted below is dropped.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# 4.1.2 Create the user-defined chains
# bad_tcp_packets chain.
$IPTABLES -N bad_tcp_packets
# allowed and icmp_packets chains.
$IPTABLES -N allowed
$IPTABLES -N icmp_packets

#
# 4.1.3 Fill the user-defined chains
# bad_tcp_packets chain.
# A SYN/ACK that conntrack regards as NEW answers a SYN this host never sent
# (someone spoofed our address); reply with RST so the peer tears down the
# half-open connection. Any other packet that claims to start a connection
# without SYN is logged and dropped.
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
    -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# allowed chain: accept a connection opening (SYN) and the rest of an
# established connection; drop anything else.
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# icmp_packets chain: echo request (8) and time exceeded (11) only.
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# 4.1.4 INPUT chain
# Unwanted, malformed packets
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
# Packets from the Internet to the firewall itself: only ICMP is admitted
# here, so no service on the firewall is reachable from the Internet.
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
# Packets from the LAN, the DMZ or localhost
#
# From the DMZ interface to the firewall's DMZ IP

$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT
#
# From the LAN interface to the firewall's LAN IP
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
#
# From the loopback interface
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
# DHCP requests from the LAN.
$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
# Packets from the Internet to the firewall that belong to, or are related to,
# a connection the firewall itself established.
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
#
# Log packets that matched none of the rules above (rate limited so a flood
# cannot fill the log); the DROP policy then discards them.
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# 4.1.5 FORWARD chain
# Unwanted, malformed packets
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# DMZ section
# General rules
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT

$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
# HTTP server: the packets arrive here already rewritten by the DNAT rule in
# 4.2.4, so they are matched on the DMZ address.
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
    --dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
    -j icmp_packets
#
# DNS server
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
    --dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
    --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
    -j icmp_packets
#
# LAN section: the LAN may open connections anywhere; nothing from the
# Internet interface is accepted towards the LAN except replies.
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log packets that matched none of the rules above

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# 4.1.6 OUTPUT chain
# Unwanted, malformed packets
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
#
# Rules allowing packets out. Note that there is no rule for $DMZ_IP, so
# traffic the firewall itself originates from its DMZ address is logged and
# dropped by the policy.
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
# Log packets that matched none of the rules above
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
# 4.2 nat table
# 4.2.4 PREROUTING chain: publish the DMZ servers on their public addresses.
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
    -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \
    -j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \
    -j DNAT --to-destination $DMZ_DNS_IP
# 4.2.5 POSTROUTING chain
# Let the internal hosts reach the Internet.
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

4.3. Configuring internal hosts to reach the outside network

Besides giving the internal hosts behind the firewall suitable IP addresses (static or dynamic), set the LAN address of the Linux firewall server as their default gateway and set the DNS server address. On Microsoft Windows 2000, after installing the network card, configure the settings as in the IP NAT application.

4.4. Testing the firewall

Step 1: check connectivity between internal hosts
------------------------------------
client# ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10): 56 data bytes
64 bytes from 192.168.0.10: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 192.168.0.10: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 192.168.0.10: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 192.168.0.10: icmp_seq=3 ttl=255 time=0.5 ms
--- 192.168.0.10 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.8 ms

Step 2: check connectivity from an internal host to the firewall server.
client# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=255 time=0.5 ms
^C
--- 192.168.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.8 ms

Step 3: check the firewall server's own LAN interface
firewall-server# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=255 time=0.5 ms
^C
--- 192.168.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.8 ms

Step 4: check the firewall server's own DMZ interface.
firewall-server# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=255 time=0.5 ms
^C
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.8 ms

Step 5: check connectivity from the firewall server to an internal host.
firewall-server# ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10): 56 data bytes
64 bytes from 192.168.0.10: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 192.168.0.10: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 192.168.0.10: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 192.168.0.10: icmp_seq=3 ttl=255 time=0.5 ms
^C
--- 192.168.0.10 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.8 ms

Step 6: check the firewall server's external interface.
------------------------------------
firewall-server# ping 194.236.50.152
PING 194.236.50.152 (194.236.50.152): 56 data bytes
64 bytes from 194.236.50.152: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 194.236.50.152: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 194.236.50.152: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 194.236.50.152: icmp_seq=3 ttl=255 time=0.5 ms
^C
--- 194.236.50.152 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.8 ms

Step 7: check connectivity from an internal host to the firewall server's external interface.
client# ping 194.236.50.152
PING 194.236.50.152 (194.236.50.152): 56 data bytes
64 bytes from 194.236.50.152: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 194.236.50.152: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 194.236.50.152: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 194.236.50.152: icmp_seq=3 ttl=255 time=0.5 ms
^C
--- 194.236.50.152 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.8 ms

These steps confirm that the interfaces are up and routed; they do not show that the rules block what they should. A successful ping from the LAN proves reachability, and a blocked connection from the Internet can only be demonstrated by attempting one from outside (for example a TCP connection to a LAN address or to a port on the firewall) and confirming that it fails and is logged with the "IPT ... packet died" prefix.
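One check that does exercise the policy rather than reachability: audit the loaded rule set for the two guarantees this chapter sets out to give (all three filter policies are DROP, and no FORWARD rule accepts traffic from the Internet interface into the LAN). The script below is an added example, not code from the thesis. It reads an `iptables-save` dump, which `audit_live` obtains from the running kernel, and the two embedded dumps are constructed samples so the checks can be run without root; the interface names default to the eth0/eth1 of Section 4.2.1 and are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thesis: audit an iptables-save dump for the
# properties the Chapter 4 ruleset must hold. Interface names are assumptions
# matching Section 4.2.1; override INET_IFACE / LAN_IFACE as needed.
INET_IFACE="${INET_IFACE:-eth0}"
LAN_IFACE="${LAN_IFACE:-eth1}"

# Constructed dump of a correct ruleset (only the lines the checks look at).
GOOD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -d 192.168.1.2 --dport 80 -j allowed
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Constructed dump with two mistakes: an ACCEPT policy on FORWARD, and a rule
# that lets the outside straight into the LAN.
BAD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT'

# audit_ruleset: dump on stdin; prints one finding per line and returns 1 if
# there are any, 0 if the dump passes both checks.
audit_ruleset() {
    awk -v inet="$INET_IFACE" -v lan="$LAN_IFACE" '
    /^\*/ { table = substr($1, 2); next }
    table == "filter" && /^:(INPUT|FORWARD|OUTPUT) / && $2 != "DROP" {
        printf "policy: %s is %s, expected DROP\n", substr($1, 2), $2
        bad = 1
    }
    table == "filter" && $1 == "-A" && $2 == "FORWARD" {
        in_if = ""; out_if = ""; target = ""; has_dst = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            if ($i == "-o") out_if = $(i + 1)
            if ($i == "-d") has_dst = 1
            if ($i == "-j") target = $(i + 1)
        }
        # Flag an ACCEPT from the Internet interface whose output side is the
        # LAN, or is left open (no -o and no -d) and therefore includes it.
        if (in_if == inet && target == "ACCEPT" &&
            (out_if == lan || (out_if == "" && !has_dst))) {
            printf "forward: Internet->LAN accepted by: %s\n", $0
            bad = 1
        }
    }
    END { if (bad) exit 1; exit 0 }'
}

# audit_live: audit the rules loaded in the kernel (needs root).
audit_live() {
    iptables-save | audit_ruleset
}
```

The audit is deliberately narrow: it inspects only the FORWARD chain and the policies, so a rule that reaches the LAN through a user-defined chain (a -j to a chain that accepts) is not detected. For the Chapter 4 script that is sufficient, because its only jumps from the Internet interface go to the allowed and icmp_packets chains with a DMZ destination.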

4.5. Building software for remote administration of the iptables firewall

4.5.1. Problem description
The iptables firewall on Linux (the Red Hat distribution here) is a very powerful tool, and an administrator can use it to secure a network very effectively. Using it well, however, demands a deep knowledge of networking and a firm memory of a large number of complex parameters, which makes it hard on the administrator. For this reason I built software to help administer the firewall remotely. It is written in PHP and runs on the Apache web server, so from any computer on the network the software can be reached and the firewall configured. To spare the user from remembering so many parameters, the program ships with ready-made rule sets, each rule annotated with a clear description of its purpose.

4.5.2. Some program screens

As noted above, using the iptables firewall requires deep knowledge of networking (protocols, IP addresses, service ports) and, on top of that, of the many parameters of iptables itself. To make configuring a firewall like iptables easy, the iptables management software was built in PHP. Its main features:

the firewall can be configured remotely; earlier configurations are stored and can be updated; and the user can easily add, delete, edit and reorder commands.
Remote configuration: because the program is a set of web pages, at any time the user needs only a browser and a connection to the computer whose firewall is to be configured.
Home page

Figure 11: Main screen of the program.

Some options


Figure 12: Program screen with some options.

Figure 13: Screen after the options are set and the program is run.



After the options are chosen, the result is returned as a text file containing the iptables rule set.

Figure 14: Result returned by the program: the iptables rule set.

4.5.3. Evaluation of the software
Strengths
- Designed as a website, so iptables can be configured from any computer on the network.
- Users without deep knowledge of the iptables parameters can still configure the firewall, thanks to the ready-made rules.
- Reusing and editing rules and iptables commands is easy.
- The program is open source, so users can adapt it to their needs.
Weaknesses
- Only one language is supported so far.
- Installation is fairly involved, since supporting software such as an HTTP server and crontab must be installed.
- Every user has the same rights. Since the program is reachable from any computer on the network and its output changes the firewall, this means anyone who can reach the web server can change the rule set; access to the web interface itself must be restricted before the software is deployed.



Future development
- A website will be set up to introduce the software and publish new versions.
- The next version will be able to update its rule sets; the rule files will be provided on the website.
- Each user will be granted rights to different rules in the rule set.
Software requirements
- Linux (Red Hat 9.0)
- Web server (Apache 2.0 or later)
- iptables firewall 1.2.9
- PHP 4.03 or later


CONCLUSION

Firewalls are a primary concern of network administrators in particular and of computing professionals in general. A private network that can withstand every attack cannot be built, but networks with a high level of safety for specific requirements can, and to build them the administrator must master the fundamentals of firewalls. This thesis has described firewalls in some detail, together with the issues involved in protecting the information of internal networks, and has set up a model firewall that protects an internal network with IPTABLES on LINUX. A firewall built on iptables and Linux benefits from the stability of Linux and from the many functions of iptables, which meet the needs of organisations that must build a firewall when their internal network is connected to the Internet. Such a firewall is highly practical because: the hardware it needs is modest; all the software used is open source; documentation for that software is freely and plentifully available on the Internet, and many forums discuss the subject; the design is flexible and follows the organisation's own security policy; and the operating system is stable and well secured.


