TABLE OF CONTENTS
Part I: OVERVIEW OF FIREWALLS ..... 3
I. Introduction to firewalls ..... 3
1. What is a firewall? ..... 3
2. Types of firewalls ..... 3
3. Firewall structure ..... 4
4. Functions of a firewall ..... 7
Topic S1
Group 10
2. Types of firewalls:
Hardware firewalls: firewalls that are integrated into routers.
Characteristics of hardware firewalls:
- Less flexible than software firewalls (functions and rules cannot be added the way they can on a software firewall).
- Operate at a lower layer than software firewalls (the Network and Transport layers).
- Cannot inspect the contents of packets.
Example of a hardware firewall: NAT (Network Address Translation).
The packet filter allows or denies each packet it receives. It examines the whole packet to decide whether it satisfies one of the packet filtering rules. These packet filtering rules are based on the information at the head of each packet (the packet header), which is used to deliver the packet across the network.
Limitations
- The network administrator needs detailed knowledge of Internet services, the packet header formats, and the specific values each field can take. As the filtering requirements grow, the filtering rules become longer and more complex, and very hard to manage and control.
- The content of the packets is not checked: packets that are let through can still carry malicious actions intended to steal information or cause damage.
Application gateway (application-level gateway or proxy server)
Principle:
- This is a type of firewall designed to strengthen control over which services and protocols are allowed to access the network. Its operation is based on a mechanism called a proxy service. A proxy service is a special piece of code installed on the gateway for each application. If the network administrator does not install proxy code for a given application, the corresponding service is not provided, and therefore no information for it can pass through the firewall. In addition, the proxy code can be configured to support only those features of an application that the network administrator considers acceptable, while rejecting the others.
- An application gateway is often regarded as a fortress (bastion host), because it is specially designed to resist attacks from outside. The security measures of a bastion host are:
DNS, FTP, SMTP and user authentication are installed on the bastion host. The bastion host can require several different levels of authentication, for example a user password or a smart card. Each proxy is configured to allow access to only a certain set of hosts. This means that the command set and features established for each proxy apply only to some of the hosts on the whole system. Each proxy maintains a log that records every detail of the traffic passing through it, each connection and its duration. This log is very useful for tracing or stopping an attacker. Each proxy is independent of the other proxies on the bastion host. This makes it easy to install a new proxy or to remove a proxy that has a problem.
Advantages:
It lets the network administrator fully control each service on the network, because the proxy application restricts the command set and decides which hosts can be reached by each service. It lets the network administrator fully control which services are allowed, because the absence of a proxy for a service means that service is blocked. An application gateway allows very good authentication checks, and it keeps a log recording information about access to the system. Filtering rules for an application gateway are easier to configure and check than those of a packet filter.
Limitations:
It requires users to change how they work, or to change the software installed on client machines, in order to access the proxied services. For example, Telnet access through an application gateway requires two steps to connect to the destination host instead of one. However, there is some client software that makes the application gateway transparent, by letting the user specify the destination host rather than the application gateway in the Telnet command.
A firewall works closely with the TCP/IP protocol, because this protocol works by splitting the data received from network applications into packets. A firewall is therefore very much concerned with packets and their address numbers.
III. Advantages of firewalls
IV. Disadvantages
- A firewall can only block intrusions from unwanted information sources if their address parameters are clearly specified.
- A firewall cannot stop an attack that does not pass through it.
Examples:
+ Information leakage caused by data being illegally copied onto floppy disks, USB drives or CDs.
+ A firewall also cannot defend against data-driven attacks.
+ A typical example is computer viruses.
V. Some firewall products
II. Installing Iptables
Iptables inspects every packet as it passes through the iptables host; the check runs sequentially, from the first entry to the last.
1. Mangle table:
Responsible for changing the quality-of-service bits in the TCP header, such as TOS, TTL and MARK. This table is typically used in SOHO (Small Office and Home Office) networks.
+ PREROUTING
+ POSTROUTING
+ OUTPUT
+ INPUT
+ FORWARD
2. Filter queue:
Responsible for packet filtering. Three built-in chains are described for implementing the firewall policy rules:
+ Forward chain: filters packets passing through the firewall.
+ Input chain: filters packets coming into the firewall.
+ Output chain: filters packets leaving the firewall.
3. NAT queue:
Implements NAT (Network Address Translation) and provides the following two built-in chains:
+ Pre-routing chain: NAT from outside into the internal network. NAT is performed before the routing decision. This is convenient for changing the destination address
Network model
Setup:
The Client machine has one network card in Host-only mode with IP 10.0.0.4
The Web-Mail machine has one network card in Host-only mode with IP 10.0.0.2
The Firewall machine has 2 network cards: one in Host-only mode with IP address 10.0.0.1, and one facing the Internet with IP 192.168.0.1
The machine on the Internet has 1 network card with IP 192.168.0.2
Requirements:
The Client, Web-Mail and Firewall machines can ping each other
The machine on the Internet can ping the Firewall machine and vice versa
II. Basic Iptables setup
1. Check whether the Iptables service is installed
2. Start Iptables
Use the command:
# iptables -L
5. Save Iptables
Use the command:
# chkconfig iptables on
III. Filter configuration
1. Ping
Line 13 is the rule that allows ping; to block ping, add a # in front of this rule, or change ACCEPT to DROP.
Or use DROP
2. SSH: Port 22
Description: the Iptables of the Firewall machine allows or blocks machines on the LAN from connecting by SSH to the Firewall machine.
In the setup we allow the SSH service through.
3. Telnet: Port 23
Description: the Iptables of the Firewall machine allows or blocks machines on the LAN from connecting by telnet to the Firewall machine.
In the setup we allow the telnet service through.
4. HTTP: Port 80
Description: machines on the LAN can connect to the Internet and open web pages through their browsers, in other words through port 80 (HTTP) and port 443 (HTTPS); in iptables we allow or block the machines on the LAN from using the web.
In the setup we allow the HTTP or HTTPS service through.
IV. NAT configuration
1. NAT In
Description: for machines on the Internet to access the Web-Mail server on the LAN, we must use the NAT In technique.
On the Firewall machine, go into setup and allow the services through the network cards.
Under Trusted Devices, tick the network cards.
2. NAT Out
Description: allows machines on the LAN to connect out to the Internet.
On the Firewall machine, go into setup and allow the services through the network cards.
Under Trusted Devices, tick the network cards.
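The filter steps of section III (ping, SSH, Telnet, HTTP/HTTPS) and the NAT In / NAT Out steps of section IV, written out as one iptables script for the lab topology above. This is an added, constructed example and not the report's own configuration: it assumes eth0 is the LAN card (10.0.0.1), eth1 is the Internet card (192.168.0.1), and that the Web-Mail server is published on TCP port 80 only.

```shell
#!/bin/sh
# Constructed example for the lab topology on this page (not the report's own script).
# Assumptions: eth0 = LAN card (10.0.0.1), eth1 = Internet card (192.168.0.1),
# Web-Mail is published on TCP 80 only. "sh fw.sh print" shows the rules,
# "sh fw.sh apply" (as root) loads them; then "service iptables save" and
# "chkconfig iptables on" keep them across reboots, as in section II.5.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"; WAN_IF="${WAN_IF:-eth1}"
LAN_NET="10.0.0.0/24"; WAN_IP="192.168.0.1"; WEBMAIL="10.0.0.2"

# build_rules [ACCEPT|DROP]: the argument is the ping verdict (the "line 13" rule of III.1).
build_rules() {
  PING="${1:-ACCEPT}"
  $IPT -F; $IPT -t nat -F
  # Default policies: nothing reaches or crosses the firewall unless a rule below accepts it.
  $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  # Replies to already-allowed connections; entries are checked top to bottom, first match wins.
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # III.1 Ping: switch the verdict to DROP instead of commenting the rule out.
  $IPT -A INPUT -p icmp --icmp-type echo-request -j "$PING"
  # III.2 SSH (22) and III.3 Telnet (23): from LAN hosts to the firewall only, never from eth1.
  for port in 22 23; do
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$port" -j ACCEPT
  done
  # III.4 HTTP/HTTPS: LAN hosts browsing through the firewall.
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT
  # IV.1 NAT In: rewrite the destination in PREROUTING (before routing), then allow the forward.
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEBMAIL"
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEBMAIL" -p tcp --dport 80 -j ACCEPT
  # IV.2 NAT Out: LAN traffic leaves with the firewall's Internet address (POSTROUTING).
  $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
}

# dry_run [ACCEPT|DROP]: print the iptables commands instead of executing them.
dry_run() ( IPT="echo iptables"; build_rules "$@"; )

case "${1:-}" in
  print) dry_run "${2:-ACCEPT}" ;;
  apply) sysctl -w net.ipv4.ip_forward=1; build_rules "${2:-ACCEPT}" ;;
esac
```

`sh fw.sh print DROP` shows the blocked-ping variant of section III.1 without touching the kernel; the script only calls iptables when invoked with `apply`.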