Do an Tot Nghiep Thuy 927


  • 7/31/2019 Do an Tot Nghiep Thuy 927

    1/62

Graduation Thesis

A Study of LAN Network Security

Page - 1 -

FOREWORD

With the need to exchange information, agencies and organisations are compelled to join the global Internet. Information safety and security is one of the foremost concerns when an agency, business or organisation connects its internal network to the Internet. Today, information security measures for personal computers as well as for internal networks have been researched and deployed. Nevertheless, networks are still attacked regularly and organisations still have information stolen, with extremely serious consequences.

These attacks target every computer present on the Internet: the computers of large companies such as AT&T and IBM, universities, government agencies, military organisations and banks, and some attacks are on an enormous scale (up to 100,000 computers attacked). Moreover, these figures are only the tip of the iceberg. A very large share of attacks is never reported, for many reasons, among them the fear of losing reputation, or simply that the administrators never knew that attacks on their systems had taken place.

Not only is the number of attacks rising rapidly, the attack methods are also being continuously refined, partly because system administrators are ever more vigilant. Connecting an organisation's internal network to the Internet without security measures is therefore regarded as suicide.

The need to develop requires agencies and organisations to join the global network, the Internet, while still ensuring information security during the connection. For that reason I chose the topic: researching solutions for protecting an internal network, in order to control the flow of information in and out and to protect internal networks from attacks coming from the Internet. This thesis gives an overview of the concepts of networks and firewalls, how to protect a network with a firewall and how to build one, and then uses Iptables on the Linux operating system to set up a firewall protecting internal networks.

The main content of the thesis consists of four chapters:

Chapter 1: Security in computer networks. An overview of security in computer networks, the threats, and the problem of securing a network system.

Chapter 2: Overview of firewalls. The concept of a firewall, its functions, firewall classification and firewall architectures; the policies for building a firewall, from which we derive how to build firewalls that protect a network.

Chapter 3: IPTables in the Linux operating system. A study of Iptables and the commonly used command-line parameters.

Chapter 4: Setting up a firewall to protect an internal network with Iptables in the Linux operating system. Building on the study of Iptables in chapter 3, we set up a firewall protecting internal networks with Iptables on Linux.

Chapter 1:

COMPUTER NETWORK SECURITY AND SAFETY

1.1. Overview of computer network security and safety

1.1.1. Where do security threats come from?

In society, good and evil always exist side by side like two inseparable faces, each constantly negating the other. For every person striving toward what is true and good, there are no fewer who, for one purpose or another, let evil arise and crowd out the good. This tug of war between good and evil is a perennial problem for society: evil must be eliminated, yet it keeps arising with time. Computer networks are no different. Some people spend enormous effort devising measures to protect the security of their organisation, while others look for every way to break through that protection, with many different intentions.

The purpose of the honest person is clear: to create the means of protecting the organisation's security. The intentions of the malicious, by contrast, come in many forms and degrees. Some want to break through the security shell to prove their own ability and satisfy a selfish urge; such people usually harm others by damaging resources on the network, violating their privacy or defaming their honour. More dangerously, there are those who want to seize the gains of others for nothing, for example by stealing companies' confidential information or breaking into a bank to transfer money illicitly. In practice, almost every organisation and company that joins the global computer network keeps a large amount of information connected online. Among that information are secrets such as trade secrets, product development plans, marketing strategies and financial analyses, as well as personnel information and private data. This information is extremely important, and exposing it to competitors leads to very serious consequences. However, the malicious cannot achieve their aims whenever they wish. They need time, and they need loopholes and weaknesses in the very systems that protect network security; to exploit them they also need intelligence together with a long chain of experience. Building security measures, for its part, demands that the builder be no less capable in intelligence and practical experience. Thus both the positive and the negative side are carried out by human hands and minds, and no machine can replace them. The problem of computer network security and safety is therefore entirely a human one.

At first, acts of sabotage were merely the games of intelligent people, not aimed at profit or malice. But as computer networks became widespread, connecting many organisations, companies and individuals holding a great deal of confidential information, such acts grew without pause. They caused many serious consequences and became a category of crime. According to statistics from CERT (Computer Emergency Response Team), the number of Internet attacks reported to that organisation was fewer than 200 in 1989, about 400 in 1991, 1400 in 1993 and 2241 in 1994. These attacks targeted every computer present on the Internet, from the computers of large companies such as AT&T and IBM to universities, government agencies and banks. In practice these figures are only the tip of the iceberg: a large share of attacks is never reported, for various reasons such as fear of losing reputation, or simply because the victims never knew they had been attacked.

In fact, security threats are not only external to the organisation; inside the organisation the problem is also extremely serious. Threats from inside occur more often than those from outside, and the main cause is employees who hold access rights to the system. Because they have access, they can find the system's weak points, or unintentionally damage it or create opportunities for others to break in. More dangerously still, once such a person is disgruntled or turns traitor, the consequences are unpredictable.

In short, computer network security and safety is entirely a human problem and one that keeps growing; the threat may come from outside or from inside the organisation. It has become a major concern for any party joining the global computer network. Consequently, to ensure safe information exchange and security for computer networks, organisations are forced to deploy protective measures, first and foremost for themselves.

1.1.2. Basic solutions for ensuring security

As seen above, computer network security can be threatened from many angles and for many causes. A threat may originate outside the internal network or from right inside the organisation. Ensuring network security therefore requires many different concrete solutions. In the most general terms, however, there are three basic ones:

- Hardware solutions.
- Software solutions.
- Human (policy) solutions.

These are the three most general solutions that any security administrator must take into account when ensuring computer network security. Each has its own strengths and weaknesses, which the security administrator must analyse, combine and choose between in order to achieve the best possible security for the organisation.

The hardware solution uses physical devices such as dedicated machines, and may also consist of arrangements in the network model (dedicated transmission channels, private networks). A hardware solution usually comes with a corresponding controlling software system. It is not a widespread solution, because it is inflexible in keeping up with advances in newly appearing services and because the cost is very high.

Unlike hardware, software solutions are extremely varied. They may or may not depend on the hardware. Concrete software solutions include authentication methods, encryption methods, virtual private networks and firewall systems. Authentication and encryption keep information transmitted over the network as safe as possible: with this way of working, the real information on the link is encoded into a form that eavesdroppers cannot read, and if the information is modified the receiver has a way to detect that modification. The firewall approach ensures security from a different angle. By setting rules at a special point (usually called the choke point) between the inside network system (the network to be protected) and the outside network system (the network regarded as insecure, that is, the Internet), a firewall system can fully control the connections exchanging information between the two networks. In this way the firewall provides quite good security for the network it protects. Since software solutions consist almost entirely of computer programs, their cost is lower than that of hardware solutions.

Besides these two, the human-policy solution is very basic and indispensable. As seen above, computer network security is entirely a human problem, so establishing a legal framework and concrete working rules is necessary. Here the legal framework may comprise articles in state law and sub-statutory documents; concrete regulations are set by each organisation to suit its own characteristics, such as rules on personnel, on the use of machines, on the use of software and so on. Security for the computer network system will be most effective once the human-policy solution is implemented thoroughly.

In short, computer network security is a large problem that demands an overall solution: not only software and computer hardware, but also policy concerning people. It must be carried out regularly and continuously and can never be fully resolved, because new problems keep arising with time. Nevertheless, with a sensible overall set of solutions, and in particular by handling the human-policy problem well, we can create a more certain security for ourselves.

1.2. Securing systems and networks

1.2.1. General problems of system and network security

The common characteristic of a network system is that it is shared by many users and geographically distributed, so protecting resources (against loss or improper use) is far more complicated than in the environment of a single computer or a single user.

The network administrator's work must ensure that information on the network is trustworthy and used for the right purposes and by the right people, while ensuring that the network runs stably and is not attacked by saboteurs.

In reality, however, no network can guarantee absolute safety; however solidly a system is protected, at some point it will be defeated by someone with bad intentions.

The subject of my thesis is a study of security methods for LAN networks. In the theoretical part I present the following concepts:

1.2.2. Some concepts and history of system security

a. Network attackers (intruders)

Intruders are individuals or organisations who use their knowledge of networks and destructive tools (hardware or software) to probe for weak points and security holes in a system, and then carry out intrusions and illegitimate seizure of resources.

Some kinds of network attacker are:

Hacker: someone who breaks into a network illegally using password-cracking tools or by exploiting weaknesses in the system's access components.

Masquerader: someone who forges information on the network, such as IP addresses, domain names or user identities.

Eavesdropper: someone who listens in on information on the network, using sniffer tools and then analysis and debugging tools to extract valuable information.

Network attackers may have many different aims: stealing economically valuable information, deliberately sabotaging the network system, or acting without any conscious purpose at all.

b. Security holes

Security holes are weak points in a system, or hidden in a service, through which an attacker can break into the system illegally to commit sabotage or to seize resources unlawfully.

Security holes have many causes: flaws in the system itself or in the supplied software, or a weak administrator who does not understand the services provided in depth.

The holes differ in how much they affect the system. Some affect only the quality of the service provided; others affect the whole system or destroy it.

c. Security policy

A security policy is the set of rules applied to the people who take part in administering the network and who use network resources and services. Each situation requires a different security policy. The policy lets users know their responsibility in protecting resources on the network, and also helps the network administrator establish effective measures while equipping, configuring and monitoring the operation of the system and network.

1.2.3. Main types of security holes and methods of network attack

a. Types of security holes

Many organisations have classified the particular kinds of security hole. According to the US Department of Defense they fall into three classes:

Class C holes: allow DoS (Denial of Service) attacks. The danger level is low; they affect only the quality of service, stalling or interrupting the system, without damaging data or yielding illegitimate access.

DoS is a form of attack that uses the Internet-layer protocols of the TCP/IP suite to stall the system, so that legitimate users are refused access to or use of it.

Services with holes that permit DoS attacks can be upgraded or repaired with newer versions from the vendors. At present there is no fully effective countermeasure against this kind of attack, because the design of the Internet layer (IP) in particular, and of the TCP/IP suite in general, inherently carries the latent risk of such holes.

Class B holes: allow a user to gain additional rights on the system without a validity check, leading to loss of information that should be kept confidential. These holes are usually found in applications on the system, and carry a medium level of danger.

Class B holes are more dangerous than class C: they allow an internal user to obtain higher privileges or illegitimate access. They usually appear in services on the system. A local user here means one who already has access to the system with certain limited rights.

Another form of class B hole occurs in programs written in C. C programs commonly use a buffer, a region of memory used to hold data before it is processed. Programmers use a buffer in memory before assigning a region of memory to each block of data. For example, when writing a program that reads a user's name field, the programmer may define the field as 20 characters long with the declaration:

char first_name[20];

This declaration lets the user enter at most 20 characters. Input is first stored in the buffer. When the user enters more than 20 characters the buffer overflows; the surplus characters land outside the buffer, where we cannot control them. Attackers can exploit such holes by entering specially crafted characters in order to execute certain commands on the system. These holes are typically exploited by users already on the system to obtain root privileges illegitimately. To limit class B holes, system configuration and programs must be strictly controlled.
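As an added example (not code from the thesis), the 20-byte first_name field described above is written the unbounded way and then the bounded way; in C a 20-byte array holds 19 characters plus the terminating NUL, and the user_record layout, the is_admin field and the sample inputs are constructed for illustration.

```c
/* Added example, not code from the thesis: the 20-character first_name
   field described above, with an unbounded copy beside a bounded one. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define FIRST_NAME_LEN 20          /* the text's declaration: char first_name[20]; */

/* Hypothetical record layout: is_admin sits right after the buffer so the
   offset an overrun reaches is visible. */
struct user_record {
    char first_name[FIRST_NAME_LEN];
    int  is_admin;
};

/* Vulnerable form. strcpy stops only at the input's NUL, so an input of 20
   or more characters is written past first_name, starting at the offset
   returned by overflow_lands_at(); what happens after that is undefined. */
void set_first_name_unsafe(struct user_record *rec, const char *input)
{
    strcpy(rec->first_name, input);
}

/* Byte offset inside the record that the 21st byte of input would overwrite. */
size_t overflow_lands_at(void)
{
    return offsetof(struct user_record, is_admin);
}

/* Hardened form. An input that cannot fit together with its NUL terminator
   is rejected (field emptied, -1 returned) instead of being silently
   truncated or copied past the end of the array. */
int set_first_name_safe(struct user_record *rec, const char *input)
{
    size_t n = strlen(input);
    if (n >= FIRST_NAME_LEN) {
        rec->first_name[0] = '\0';
        return -1;
    }
    memcpy(rec->first_name, input, n + 1);
    return 0;
}

/* Reading the field from a stream the bounded way. fgets never writes more
   than sizeof line bytes; a line that arrives without its '\n' did not fit,
   so the rest of it is drained and the input rejected. Returns 0 or -1. */
int read_first_name(struct user_record *rec, FILE *in)
{
    char line[FIRST_NAME_LEN + 1];   /* 20 characters plus NUL */
    if (fgets(line, (int)sizeof line, in) == NULL)
        return -1;
    char *nl = strchr(line, '\n');
    if (nl != NULL) {
        *nl = '\0';
        return set_first_name_safe(rec, line);
    }
    int c = fgetc(in);
    if (c == EOF)                    /* final line without newline: it fit */
        return set_first_name_safe(rec, line);
    while (c != EOF && c != '\n')    /* discard the part that overflowed */
        c = fgetc(in);
    rec->first_name[0] = '\0';
    return -1;
}

int main(void)
{
    struct user_record rec = { "", 0 };
    /* constructed sample inputs */
    const char *ok = "Nguyen Van A";
    const char *too_long = "Nguyen Van Thuy Hoang Long";   /* 26 characters */

    printf("an overrun reaches byte offset %zu (is_admin)\n", overflow_lands_at());
    printf("safe copy of %-28s -> %d\n", ok, set_first_name_safe(&rec, ok));
    printf("safe copy of %-28s -> %d\n", too_long, set_first_name_safe(&rec, too_long));
    return 0;
}
```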

Class A holes: allow someone outside the system to access it illegitimately, and may destroy the whole system. This class is extremely dangerous, threatening the integrity and confidentiality of the system. Such holes usually appear in systems that are poorly administered or whose network configuration is not under control. For example, web servers running on the Novell operating system had a script named convert.bas; running that script allowed the entire contents of the files on the system to be read.

Holes of this class are extremely dangerous because they are already present in the software in use; an administrator without a deep understanding of the services and software may overlook the weakness. The announcements of the security newsgroups on the network must therefore be checked regularly to discover holes of this class. A range of older versions of commonly used programs had class A holes, such as FTP, Gopher, Telnet, Sendmail, ARP and finger.

b. Common forms of network attack

Scanner

A scanner is a program that automatically scans for and discovers security weaknesses on a local workstation or a remote one. A saboteur using a scanner can discover security holes on a distant server.

It works by scanning for the TCP/UDP ports in use on the target system and the services running on it. The scanner records the responses of the remote system for each service it discovers, and from these it can find the system's weak points.

The requirements for a scanner to operate are: a device and system environment that supports TCP/IP, and a system connected to the Internet.

Scanner programs play an important role in a security system, because they are able to discover the weak points in a network system.

Password cracker

A program capable of recovering an encrypted password, or of disabling a system's password protection.

Different cracking programs work on different principles. Some generate a limited word list, apply an encryption algorithm to it, compare the results with the encrypted password to be cracked, and produce further lists following the program's logic. When a match with the encrypted password is found, the saboteur has obtained the password in plain text. The plain-text password is usually written to a file.

The remedy for this kind of sabotage is to build a proper password-protection policy.

Sniffer

Sniffers are tools (hardware or software) that capture the information flowing through the network and extract the valuable information exchanged on it. A sniffer can capture the information exchanged between many workstations. It captures packets from the IP layer downward. Because the IP-layer protocols are publicly defined and the header fields are clearly structured, decoding these packets is not difficult.

The aim of sniffer programs is to set promiscuous mode (shared mode) on the Ethernet network cards, where the packets of the network are exchanged, and from there to "catch" the information.

Sniffer devices can capture all the information exchanged on the network because packets on an Ethernet network are broadcast.

Setting up a sniffer system is not simple, however, since it requires breaking into the network system and installing the sniffer software. Sniffer programs also require the user to understand network architecture and protocols in depth.

Detecting that a system is being sniffed is not simple either, because the sniffer works at a very low layer and does not affect the applications or services the system provides.

Nevertheless, measures to limit sniffers are not too hard to put in place if we follow security principles such as:

- Do not let strangers access the devices on the system.
- Manage the system configuration strictly.
- Establish highly secure connections through encryption mechanisms.

Trojans

A Trojan is a program that runs illegitimately on a system while playing the role of a legitimate program. It is able to run because a legitimate program has had its code replaced with illegitimate code.

Virus programs, for example, are a typical kind of Trojan. Viruses usually hide their code fragments inside legitimately used programs. When those programs are launched, the hidden code executes and performs functions the user does not know about, such as stealing passwords or copying files without the user ever noticing.

A Trojan program will do one of the following:

- Perform some functions, or help the programmer who planted it discover important or personal information on a system, or on only some components of that system.
- Hide some functions, or help the programmer discover important or personal information on a system, or on only some components of it.

There are also Trojan programs that can do both. Some Trojans can even destroy the system by wrecking the information on the hard disk, but today Trojans of this kind are easily detected and rarely take effect.

More serious, however, are cases where attackers create security holes through Trojans: the attacker obtains root privileges on the system and uses them to destroy part or all of the system, or to alter log files and install further Trojan programs that the administrator cannot detect. The impact is very severe, and the administrator has no option left but to reinstall the entire system.

1.3. Securing a LAN

When we speak of securing a LAN we are usually concerned with the main problems of protecting the information and data exchanged inside the internal network, and protecting the information and data exchanged from the network to the outside and from the outside into the network; that is, controlling illegitimate access from outside into the network as well as controlling unauthorised access from inside the network to the outside.

With the strong growth of the Internet and the connection of internal networks to it, ensuring network safety and security is becoming both harder and more necessary.

Today there are many methods of securing a LAN, among which some widespread and reliable ones are:

1.3.1. Virtual Private Network (VPN)

A virtual private network (VPN) is an extension of a company's or organisation's private network over public or shared network connections such as the Internet. A VPN gives customers all the features of a leased line at a lower price, because it uses the public network infrastructure. A VPN uses a tunnelling protocol to create its own transmission path, together with security measures that protect the data in transit, such as encryption and authentication.

1.3.2. Firewall

The term firewall originates from a design technique in construction for stopping or limiting fires. In network technology, a firewall is a technique integrated into the network system to prevent illegitimate access, in order to protect internal information resources and to limit the entry of certain other unwanted information into the system. A firewall can also be understood as a mechanism that protects a trusted network from untrusted networks.

The firewall sits between the network of an organisation, a company or a country (the intranet) and the Internet. Its role is to protect the intranet's information from the outside Internet world.

Through my study I found the firewall to be the most effective and widespread method today, because it has many advantages and provides good security features for current network protection needs. Within the scope of this report I present the method of securing a LAN with a firewall.

Chapter 2: OVERVIEW OF FIREWALLS

For protecting an internal network, the firewall is one of the most effective and widespread protective solutions today. It keeps internal networks free of illegitimate access from outside by controlling the information passing in and out between the internal networks and the outside. In this chapter I give an overview of firewalls: the concept, the functions of a firewall, firewall classification, the strengths and weaknesses of each kind, strategies for building a firewall, and an introduction to packet filtering.

2.1. Introduction to firewalls

2.1.1. The firewall concept

A firewall is a device intended to block illegitimate access from the outside network into the inside network. A firewall system usually comprises both hardware and software. Firewalls are commonly used by way of blocking, or of creating rules for, different addresses.

2.1.2. Basic functions of a firewall

The main function of a firewall is to control the flow of information between the network to be protected (the trusted network) and the Internet, through established access policies:

- Permit or forbid services accessed from inside to outside and from outside to inside.
- Control the addresses that access the network and the services used.
- Control users' ability to access across the two networks.
- Control the content of the information carried between the two networks.
- Prevent attacks from outside networks.

Building a firewall is a rather effective measure: it protects and controls most services, which is why it is the most widely applied of the network protection measures.

2.1.3. Firewall classification

There are many kinds of firewall, each with its own strengths and weaknesses, but firewalls are usually divided into two main kinds:

- Hardware firewalls.
- Software firewalls.

a. Hardware firewalls

A hardware firewall is a hardware device with an integrated router, on which the packet-filtering rules are set directly. Such a firewall is like a computer that performs one single function, packet filtering, by running software burned into it; only the rule sets can be configured, while the hardened, integrated router itself cannot be changed. Depending on the hardware firewall and its vendor, the administrator is able to update different packet-filtering rules.

In operation, the firewall uses the rules set in the router to examine the packet header information, such as the source IP address, destination IP address and port. If all the header information is valid the packet is let through; if not, it is dropped. Because no time is spent processing packets with invalid addresses, a hardware firewall's processing speed is very high, and this is the greatest advantage of hardware firewall systems.

One point worth noting is that none of the hardware firewalls in the world today can filter a packet's content; they can only filter the contents of its header.

Below is a model of using a hardware firewall to secure a network. (The hardware firewall device in this model has one single function, packet filtering, and cannot perform any other task.)

Figure 1: Model of a hardware firewall in use.

In this model, information from the Internet cannot enter the protected network area directly, nor the other way round; it must pass through the hardware firewall. The inspection process examines the packet header information, including source IP address, destination IP address and port; if it is accepted, the packet is forwarded into the internal network or out to the external Internet.

Today there are several very well-known manufacturers of hardware firewalls, such as CISCO, D-LINK and PLANET.

b. Software firewalls

This kind of firewall is an application program whose operating principle is based on a proxy application: software that forwards the packets received by the host to particular destinations on request. The packet-filtering rules are set by the user. This kind of firewall is commonly used when a computer network has a server through which all information passes before reaching the client machines on the network, or for a personal computer when it joins a network. A software firewall is convenient in that the software can easily be changed and updated to new versions.

The way this kind of firewall works is also very simple. The firewall software runs resident on the server or personal computer, which may carry many duties besides being a firewall. Whenever packets arrive or depart, the firewall software examines the packet header, including the destination address, source address, protocol and service port. Newer software firewalls can also examine the packet's content. The information the firewall checks is specified in advance by the user in the rule set. If the software firewall lets a packet through, it is then passed on to the client machines in the network or to the applications running directly on that machine.

Below is the model in which a software firewall is commonly used. (The computer acting as the firewall may carry many other duties besides being a firewall, for example DNS server, mail server or web server.)

Figure 2: Model of a software firewall in use.

In this model the computer running the firewall application acts as an intermediary. It receives packets from the Internet and from the protected network, then inspects the packet headers for information such as destination address, source address, protocol and service port; if the firewall software accepts the packet, it continues to its destination. Otherwise the firewall software decides to discard it. There are several ways of discarding: discarding without telling the sender why (DROP), or discarding while replying to the sender with the reason (REJECT). This handling of discarded packets is what limits the speed of this kind of firewall.

Some widely used software firewalls that are well rated for packet filtering are ZoneAlarm Pro, SmoothWall, McAfee Personal Firewall Plus and Sygate Personal Firewall.

c. Strengths and weaknesses of firewalls

Each kind of firewall has its strengths and weaknesses and is used in different circumstances. Hardware firewalls are usually used to secure large networks, because without a hardware firewall a software firewall system is needed, which means a server: that server receives every packet, inspects it and forwards it to the machines on the network. Since a software firewall runs more slowly than a hardware one, it has a large effect on the speed of the whole network.

Software firewall systems, on the other hand, are usually used to secure personal computers or a small network. Using a software firewall reduces cost, because a hardware firewall device costs many times more than a software firewall system. Moreover, when a software firewall is used to secure a personal computer or a small-scale network, its effect on the speed of packet transfer in the network is negligible.

Another weakness of software firewalls is that each runs only on a particular operating system. For example, ZoneAlarm Pro is a software firewall that runs only on Windows, while SmoothWall runs only on Linux. A hardware firewall, by contrast, runs completely independently, without depending on an operating system as a software firewall does.

Software firewalls can now filter packet content, whereas hardware firewalls can only filter the information in the packet header and cannot control the packet's actual content. For that reason a hardware firewall cannot help block system viruses, while a software firewall can.

2.1.4. Some other firewall systems

a. Packet-Filtering Router

The most widespread Internet firewall system consists of just a packet-filtering router placed between the internal network and the Internet. A packet-filtering router has two functions: forwarding traffic between the two networks, and using packet-filtering rules to permit or refuse that traffic. Basically, the filtering rules are defined so that hosts on the internal network may access the Internet directly, while hosts on the Internet have only limited access to the computers on the internal network. The guiding idea of this firewall architecture is that anything not explicitly stated as permitted is refused.

Figure 3: Packet-Filtering Router (labels: The Internet, outside; packet-filtering router; internal network).

Advantages

- Low cost (simple configuration).
- Transparent to users.

Limitations

It has all the limitations of a packet-filtering router, such as vulnerability to attacks on filters whose configuration is imperfect, or to attacks tunnelled beneath the permitted services.

Because packets are exchanged directly between the two networks through the router, the risk of attack is determined by the number of hosts and services permitted. Consequently every host permitted direct access to the Internet must be provided with a sophisticated authentication system, and must be checked regularly by the network administrator for signs of attack.

If the packet-filtering router stops working because of some fault, every system on the internal network may be attacked.

b. Screened Host Firewall

This system consists of a packet-filtering router and a bastion host. The screened host firewall provides higher security than a packet-filtering router, because it implements security at both the network layer (packet filtering) and the application layer. An attacker must break through both layers of security to attack the internal network.

Figure 4: Screened Host Firewall (labels: The Internet, outside; packet-filtering router; inside; information server; bastion host; internal network).

In this system the bastion host is configured inside the internal network. The filtering rules on the packet-filtering router are defined so that all outside systems can access only the bastion host; traffic to every other inside system is blocked. Because the internal systems and the bastion host are on the same network, the organisation's security policy decides whether internal systems may access the Internet directly or must use the proxy services on the bastion host. Internal users are forced to do so by configuring the router's filter to accept only internal traffic originating from the bastion host.

Advantages

A server providing public information via Web and FTP can be placed on the segment between the packet-filtering router and the bastion host. Where the highest level of security is required, the bastion host can run proxy services that require all users, internal and external, to pass through the bastion host before connecting to that server. Where high security is not required, internal machines can connect to the server directly.

If still stronger security is needed, a dual-homed bastion host firewall can be used. Such a bastion host has two network interfaces, but direct forwarding between the two interfaces is disabled, so traffic can cross only through the proxy services.

(Figure labels: The Internet, Outside, Packet-filtering router, Inside, Information server, Bastion host, Internal network)

Figure 5: Dual-homed bastion host firewall system.

Limitations

Because the bastion host is the only internal system reachable from the Internet, attacks are confined to the bastion host. However, if a user manages to log on to the bastion host, they can easily reach the whole internal network. Users must therefore be prevented from logging on to the bastion host.

c. Demilitarized Zone (DMZ) or Screened-subnet Firewall

This system consists of two packet-filtering routers and a bastion host. It is the most secure of the three, because it provides both network-level and application-level security while defining a demilitarized network. The DMZ acts as a small, isolated network placed between the Internet and the internal network. Basically, a DMZ is configured so that systems on the Internet and on the internal network can reach only a limited set of systems on the DMZ, and direct transmission across the DMZ is impossible.

For inbound traffic, the outer router defends against standard attacks (such as IP address spoofing) and controls access to the DMZ. It allows external systems to reach only the bastion host and possibly the information server. The inner router provides a second line of defence by allowing traffic from the DMZ into the internal network only when it originates from the bastion host.

(Figure labels: The Internet, Outside, Packet-filtering router, Information server, Bastion host, Inside, Internal network)

For outbound traffic, the inner router controls access from the internal network to the DMZ. It permits internal systems to reach only the bastion host and possibly the information server. The filtering rules on the outer router enforce the use of the proxy services by allowing outbound traffic only when it originates from the bastion host.

Figure 6: Screened-subnet Firewall

Advantages

An attacker has to break through three layers of defence: the outer router, the bastion host and the inner router.

Because the outer router advertises only the DMZ network to the Internet, the internal network is invisible. Only a few selected systems on the DMZ are known to the Internet, through the routing table and DNS (Domain Name Server) information exchange.

(Figure 6 labels: The Internet, Outside, Packet-filtering router, Inside, Information server, Bastion host, Outside router, Inside router)


Because the inner router advertises only the DMZ network to the internal network, systems on the internal network cannot reach the Internet directly. This guarantees that internal users are forced to access the Internet through the proxy services.

2.2. Strategies for building a firewall

When studying firewalls in detail, we need to understand a number of basic strategies used to build them.

2.2.1. Least Privilege

One of the most fundamental principles of security (not only of network security) is to grant the least privilege. Basically, it means that any entity (a user, an administrator, a program, a system, ...) should have only those privileges it needs to perform its tasks, and no more. Least privilege is an important principle for preventing outsiders from exploiting an intrusion and for limiting the damage an intrusion can cause.

2.2.2. Defense in Depth

Another security principle is defense in depth. No system should rely on a single security mechanism, however strong it may be; several mechanisms should be deployed so that they back each other up. Firewalls are therefore built with multiple layers of protection.

2.2.3. Choke Point

A choke point forces intruders to pass through a narrow gate that we can monitor and control, just as anyone entering a theatre has to pass the ticket check. In network security, the firewall sits between our system and the Internet and is precisely such a choke point. Anyone intending to break into the system from the Internet has to pass through this gate, where we can observe and manage them.

2.2.4. Weakest Link

A clever intruder who wants to break into a system looks for its weakest point and attacks there. For every system we must therefore know where its weakest point lies in order to plan its protection. We usually pay more attention to intruders on the network than to people with physical access to the system, so physical security is considered the weakest point of any system.

2.2.5. Fail-Safe Stance

Another foundational principle of security is failing safe: if the system fails, it must fail in a way that blocks unauthorised access rather than letting an intruder in to wreck it. Naturally, failing safe also cuts off legitimate users' access until the system is restored.

Two basic rules for security regulations and measures follow from this principle:

First, the Default deny stance: concentrate on what is permitted and block everything else. Anything not explicitly specified may be blocked.

Second, the Default permit stance: concentrate on what is forbidden and permit everything else; whatever is not forbidden is allowed.

Most users and managers who follow the default permit stance take everything to be permitted by default, with only a few troublesome or unclear services and actions forbidden. For example:

NFS is not allowed through the firewall.

WWW access is restricted to staff trained in the security issues of the WWW.

Users may not install unauthorised servers.

So which rule is better to apply? From the security point of view, the Default deny stance should be used. From the managers' point of view, it is the Default permit stance.

2.2.6. Universal participation

To achieve a high level of security, every system on the network must take part in the security solution. If there is a single system with weak security, an unauthorised user can break into that system and from there reach the other systems from the inside.

2.2.7. Diversity of defense

Because we use many different systems, we need many different protective measures to maintain defense in depth. If all our systems were identical and someone learned how to break into one of them, they could break into all the others as well. Using different systems limits the ways in which faults can arise and is therefore safer. In return, we face problems of cost and complexity: buying and installing several different systems is harder and more time-consuming than standardising on one type, and it requires more vendor support and more time to train the staff who operate and administer them.

2.2.8. Simplicity

Whatever is simple is easy to understand. If we do not understand something thoroughly, we cannot know whether it is secure.

2.3. How to build a firewall

Every step in building a firewall has to be planned in advance and closely coordinated with the others. To solve the main problem, which is to build a firewall that actually works effectively, we must build it step by step on solid ground and minimise the regrettable mistakes that can occur along the way.

2.3.1. Building the Rule Base

A successful firewall has to operate according to a defined set of basic rules (the rule base). When an IP packet passes through the firewall, it is analysed and filtered against these rules. The rules should therefore be simple, short and easy to understand: this speeds up packet processing in the firewall and avoids congestion, and it makes changing and maintaining the system much easier. Normally no more than 30 rules should be used, and never more than 50, because too many rules slow down filtering and invite errors, since rules can overlap one another.

2.3.2. Building the Security Policy

A firewall must have a security policy, because in essence a firewall is only a tool for enforcing security policy. Rigorous management and design of the security policy is what gives the firewall its strength. So before we build the rule base, we must understand what the security policy of the firewall we are building is.


At the same time the security policy must be reasonably simple and easy to understand; it should not be so complex that the rules overlap, cause confusion and become hard to test and maintain. A very simple security policy might be stated as follows:

Machines on the internal network may access the Internet without restriction.

Access from the Internet to the internal network's Web and Mail servers is permitted.

All traffic entering the internal network must be authenticated and encrypted.

From policies as simple as this example we can develop far more effective and elaborate operating policies, for example restricting the internal network to limited Internet use over a few basic services such as Mail and HTTP only, while completely forbidding the FTP file-transfer service, and so on.

2.3.3. Building the security architecture

The steps in building a security architecture are:

First, we allow every machine on the internal network to reach the Internet.

Next, we install the parts that do not need protecting (for example the Web Server and Mail Server) in an area technically called the demilitarized zone (DMZ). The DMZ is a separate network where we place the systems we do not fully trust (since they can be reached from the Internet, they cannot be trusted). Systems in the DMZ are therefore never connected directly to the internal network until they are trusted. There are two kinds of DMZ: a protected DMZ and an unprotected DMZ. A protected DMZ is a separate segment branching off the firewall; an unprotected DMZ is the network segment between the router and the firewall. We should use a protected DMZ, since that is where we normally place the Web Server and Mail Server.

The only path into the internal network must pass under the network administrator's control (remote administration may also be permitted).

The other thing worth mentioning is DNS (Domain Name Server). We have to split the DNS into several parts, meaning that DNS operations are divided between two different DNS servers. We do this so that one DNS server resolves the company's domain-name information for the outside world, while an internal DNS server handles the internal network. The external DNS server sits in the protected DMZ together with the Web and Mail servers. The internal DNS server sits on the internal network, which keeps domain-name information about the internal network from being disclosed. Because a DNS server holds information about the layout of the internal network, it must be kept under protection to avoid leaking the network map.

2.3.4. Sequence of the Rule Base

Before we build the rules, what we must pay attention to is their order (also called the rank of the rules), because one special rule plays the key role in our firewall security policy. Many rules are of similar rank yet must still be placed in a definite order, and that order changes how the firewall fundamentally behaves. Most firewalls check packets sequentially and continuously. When the firewall receives a packet, it checks whether the packet matches any rule in the rule base, starting with the first rule, then the second, until some rule is satisfied; it then stops checking and acts according to that rule. If the packet has been compared with every rule in the table and none is satisfied, the packet is refused (dropped). The key point is to find the first matching rule early, so that the packet is passed quickly. Once this is understood, the special rules should be placed first and the general rules after them. This prevents the situation where a general rule lets a packet through while a special case should have blocked it, which is the overlap to avoid. Always pay attention to this and put the special rules before the general ones. Following this principle avoids misconfiguration, makes the firewall work effectively, and makes upgrades, maintenance and changes easier.

2.3.5. The Rule Base

Default properties: all unmatched cases must be excluded, and it must be certain that no packet whatsoever can pass, whatever kind of packet it is.


Internal Outbound (from the internal network outwards): as a first step we allow traffic from inside to outside without any restriction, so that all the basic services such as Web, Mail, FTP and so on are permitted.

Lockdown: restrict everything, allowing no access at all into our firewall. This is a standard rule that every rule base needs. Nothing may enter the firewall, yet we still need firewall administrators.

Admin Access: since nobody can connect to the firewall, the administrator included, we must also create a rule that lets the administrator reach the firewall.

Drop All: normally we discard every packet that matches no rule. But we should record these packets in a log, and we add this rule at the end of the rule list. This is a standard rule we should have.

No Logging: there is usually a great deal of traffic sent to all addresses on the network (broadcast traffic, for example). When it reaches the firewall it is dropped and then written to the log, but this quickly fills the log. We must therefore create a rule that drops such packets without logging them. This too is a basic rule we sometimes need.

DNS Access: model and components of the firewall.
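To make the first-match behaviour of section 2.3.4 and the standard rules of section 2.3.5 concrete, here is an added Python model (not from the thesis) of a rule base evaluated top to bottom with a default deny; the LAN, firewall, admin and broadcast addresses in it are constructed for the illustration, and the rule set is shown once in the recommended order and once with a general rule placed before a special one.

```python
# Added example (not from the thesis): a first-match rule base in the style of
# sections 2.3.4 and 2.3.5. Rules are tried top to bottom, the first match wins,
# and a packet that matches nothing falls to the default deny at the end.
# All addresses, networks and ports below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

LAN = "192.168.10.0/24"          # constructed internal network
FIREWALL = "192.168.10.1/32"     # constructed firewall address
ADMIN = "192.168.10.50/32"       # constructed firewall-admin workstation
BROADCAST = "192.168.10.255/32"  # LAN broadcast address (noise dropped unlogged)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str                  # "ACCEPT" or "DROP"
    src: Optional[str] = None    # network in CIDR form; None matches any source
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    log: bool = True             # the "No Logging" rule sets this to False

    def matches(self, pkt: Packet) -> bool:
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


class RuleBase:
    """Sequential first-match evaluation with an implicit default deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.log: List[str] = []

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.log:
                    self.log.append(f"{rule.name}: {rule.action} {pkt}")
                return rule.action          # first match decides; stop here
        self.log.append(f"default deny: DROP {pkt}")
        return "DROP"                       # "Default properties": nothing passes


# The standard rules of section 2.3.5 in the order section 2.3.4 calls for:
# special cases (unlogged broadcast drop, admin access) before general ones.
NO_LOGGING = Rule("No Logging", "DROP", dst=BROADCAST, log=False)
ADMIN_ACCESS = Rule("Admin Access", "ACCEPT", src=ADMIN, dst=FIREWALL, proto="tcp", dport=22)
LOCKDOWN = Rule("Lockdown", "DROP", dst=FIREWALL)
INTERNAL_OUTBOUND = Rule("Internal Outbound", "ACCEPT", src=LAN)
DROP_ALL = Rule("Drop All", "DROP")         # logged catch-all at the end

STANDARD_ORDER = [NO_LOGGING, ADMIN_ACCESS, LOCKDOWN, INTERNAL_OUTBOUND, DROP_ALL]
# Same rules, but the general Lockdown placed before the special Admin Access:
# the admin rule is shadowed and can never match.
SHADOWED_ORDER = [NO_LOGGING, LOCKDOWN, ADMIN_ACCESS, INTERNAL_OUTBOUND, DROP_ALL]

# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("192.168.10.50", "192.168.10.1", "tcp", 22),     # admin SSH to firewall
    Packet("203.0.113.7", "192.168.10.1", "tcp", 22),       # outsider SSH to firewall
    Packet("192.168.10.20", "198.51.100.9", "tcp", 80),     # LAN host browsing out
    Packet("192.168.10.20", "192.168.10.255", "udp", 137),  # LAN broadcast noise
    Packet("203.0.113.7", "192.168.10.20", "tcp", 445),     # outsider probing a LAN host
]


def run_rule_base(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Return the decision for each packet under the given rule order."""
    fw = RuleBase(rules)
    return [fw.decide(p) for p in packets]


def logged_entries(rules: List[Rule], packets: List[Packet]) -> int:
    """Count log lines produced; the broadcast drop must not appear."""
    fw = RuleBase(rules)
    for p in packets:
        fw.decide(p)
    return len(fw.log)


if __name__ == "__main__":
    print("standard", run_rule_base(STANDARD_ORDER, SAMPLE_PACKETS))
    print("shadowed", run_rule_base(SHADOWED_ORDER, SAMPLE_PACKETS))
```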

2.4. Packet filtering and how it works

When we speak of data passing between networks through a firewall, it means that the firewall works closely with the TCP/IP protocol suite, because that suite works by splitting the data it receives from network applications into pieces. That is:

Data received from services running over the common network protocols (for example telnet, SMTP, DNS, SNMP, ...) is divided into data packets.

These packets carry addresses and information so that they can be received and reassembled into the original data. This is why every kind of firewall is so closely concerned with packets and their addresses. Below we look at what packet filtering is and how it works.


2.4.1. The packet filter

A packet filter checks the addressing information of a packet to decide whether it may pass through the firewall. The fields of a packet that can be filtered on include:

The originating address, or source IP address.

The receiving address, or destination IP address.

The port number at the origin (source port).

The port number at the receiver (destination port).

This lets the firewall block connections from the outside network to internal servers, or into the internal network, from addresses that are not permitted.

Furthermore, controlling the ports lets the firewall allow only certain kinds of connection to designated servers, for the services (Telnet, SMTP, mail) that are permitted on the internal network.

2.4.2. Application Gateway

An Application Gateway is designed to strengthen control over which services and protocols are allowed into the network. It works through what is called a proxy service.

A proxy service works as follows: an application that is referred to (represented) by a proxy service running on the server systems is directed to the firewall's Application Gateway. Packet filtering combined with the representation done by the Application Gateway gives the firewall a safer way of exchanging information with the outside network.

For example, a network with packet filtering blocks Telnet connections into the system except through a single gate, the Telnet Application Gateway. A Telnet user who wants to connect into the system must take the following steps:

Open a Telnet session to the Telnet Application Gateway and give the name of the internal server to be reached.

The gateway checks the user's source IP address and permits or refuses the connection according to the system's security policy.


The user must pass the authentication check.

The proxy service then relays traffic between the user and the server.

This mode of operation matters greatly in designing system security. It offers a number of capabilities, for example:

Hiding information: users can see directly only the gateways they are permitted to use.

Stronger access control through authentication services.

A significant reduction in the cost of developing authentication management systems, since they are designed to refer only to the Application Gateway.

Fewer rules in the packet filter, which significantly increases the firewall's throughput.

2.4.3. Smart Session Filtering

The combination of packet filter and application gateway described above provides a high level of security, but it also has some limitations. The main problem today is how to provide a proxy service for the ever-growing number of different applications. If the proxies cannot keep up, the pressure on the firewall grows considerably.

When monitoring packets at the upper layers, if the network layer already demands a lot of effort just to filter simple packets, monitoring traffic at the level of sessions demands less. This approach also does away with service-specific handling for each kind of application.

A smart session filter works by recording information about sessions and using it to create rules for the filter. A network-level session consists of packets flowing in two directions, which a plain filter would need two rules for:

one controlling the packets from the originating host to the destination server;

one controlling the packets returning from the server.

A smart filter recognises that the returning packets travel in the reverse direction of a known session, so the second rule is unnecessary. Unwanted packets arriving from outside the firewall are therefore handled quite differently from the packets belonging to permitted (outbound) connections, and illegitimate packets are easy to identify.

2.4.4. Hybrid Firewall

In practice, the firewalls actually built combine several techniques to achieve maximum security. For example, the checks of the packet filter are complemented by the smart session filter at the application level, and the filter's monitoring is backed up by the proxy services of the Application Gateway.

2.5. Conclusion

Firewall systems are set up to secure the network by inspecting the headers of packets. But to use a firewall to secure a network effectively, the system administrator needs a thorough understanding of destination IP addresses, source IP addresses, service ports and network protocols (TCP, UDP, SMTP, ...), and above all needs tools that help configure the firewall effectively. In the next chapter I present the Iptables firewall tool built into the open-source Linux operating system and how it protects the internal network.


Chapter 3:

IPTABLES IN THE LINUX OPERATING SYSTEM

Today many firewall products exist for operating systems such as Windows NT, Linux and Solaris. On the open-source Linux operating system, however, the new iptables firewall is a truly powerful tool for securing a network, and the network administrator can use it with many helpful options. But because the software has so many parameters, using it demands a deep knowledge of computer networks; people with little networking knowledge who are unfamiliar with the program's parameters will not be able to use iptables.

Within the scope of this thesis I study the Iptables firewall tool on Linux as a means of controlling users on the internal network, allowing them to send access requests over any protocol from inside the machine outwards while blocking access requests over any protocol from the outside in. Moreover, as we know, a machine running Linux has a number of services listening (LISTEN). These services are meant for you alone, and you do not want anyone on the Internet to reach them. We therefore build rules stipulating that when packets enter the firewall (INPUT), the firewall checks whether some INPUT rule permits them in; if not, it blocks them according to the default policy.

This increases security and gives the network administrator more flexibility.

In this chapter I give an overview of the iptables firewall tool and examine some basic rule sets in iptables:

3.1. The iptables firewall on Red Hat

Linux kernel version 2.4.x was released with many new features that make Linux more reliable and support more devices. One of them is Netfilter/iptables support built into the kernel itself, which handles packets more efficiently than earlier tools such as ipfwadm in kernel 2.0 and ipchains in kernel 2.2, while still supporting the old command sets. Building a packet-filtering firewall with ipfwadm or ipchains had many limitations: the integration needed to extend functionality was lacking, and packet filtering for ordinary protocols and Network Address Translation (NAT) were performed entirely separately, with no way to combine them. Netfilter and iptables on kernel 2.4 resolve these limitations and add many features that ipfwadm and ipchains lack.

3.1.1. Introduction to iptables

There are many firewalls for Linux. Among them, two that are configured and run from the console, small and convenient, are iptables and ipchains.

a. Netfilter/iptables

Introduction: iptables was written by the Netfilter organisation to strengthen security on Linux systems.

Figure 7: The iptables firewall in Linux.

Iptables is a very powerful packet-filtering firewall available in Linux kernels 2.4.x and 2.6.x. Netfilter/iptables has two parts: Netfilter inside the Linux kernel and iptables outside it. Iptables is the interface between the user and Netfilter, pushing the user's rules into Netfilter for processing. Netfilter filters packets at the IP level; it works directly in the kernel, fast and without slowing the system down. It was designed to replace ipchains of Linux 2.2.x and ipfwadm of Linux 2.0.x, has more features than ipchains, and is more soundly built, with the following points:

What can Netfilter/iptables do?

Build a firewall based on both stateless and stateful packet filtering.

Use the NAT table and masquerading to share network access when there are not enough network addresses.


Use the NAT table to set up a transparent proxy.

Help the iproute2 tools create complex routing policies and QoS.

Alter (mangle) the TOS/DSCP/ECN bits of the IP header.

Track connections and inspect many packet states. It does this for UDP and ICMP, and best of all for TCP connections; for example, stateful filtering of ICMP can allow an echo reply only when an echo request was sent, instead of blocking requests but accepting all replies on the assumption that they answer a ping. An unrequested reply can be a sign of an attack or of a backdoor.

Simple handling of packets through the chains (lists of rules) INPUT, OUTPUT and FORWARD. On hosts with several network interfaces, packets moving between interfaces traverse only the FORWARD chain rather than all three.

A clear separation between packet filtering and NAT (Network Address Translation).

Rate limiting of connections and logging. You can limit connections and log them to avert denial-of-service attacks.

Filtering on TCP flags and on physical (MAC) addresses.

Being a stateful firewall, it can follow a connection throughout its life and is therefore safer than a firewall with little state.

Iptables comprises four tables, each with a default policy and rules in built-in chains.

b. Ipchains

One of the programs Linux uses to configure the kernel's NAT table is ipchains. The ipchains package contains two main scripts that simplify ipchains administration.

Ipchains is used to set up, maintain and inspect the IP firewall rules in the Linux kernel. These rules are divided into several rule chains:

the IP input chain (rules applied to packets arriving at the firewall);

the IP output chain (rules applied to packets generated locally on the firewall and leaving it);


the IP forwarding chain (rules applied to packets forwarded through the firewall to another host or network); and user-defined chains.

Ipchains uses the notion of a rule chain to process packets. A chain is a list of rules for handling packets of one kind: incoming, forwarded or outgoing. The rules state which action is applied to a packet. The rules stored in the NAT table are pairs of IP addresses, not individual addresses.

A firewall rule specifies the criteria a packet must meet and a target. If the packet does not match, the next rule is examined; if it matches, the rule's target says what happens to it: either a user-defined chain or one of the specific values ACCEPT, DENY, REJECT, MASQ, REDIRECT or RETURN.

ACCEPT: let the packet through.

DENY: discard the packet without sending anything back to inform the client.

REJECT: like DENY, but the client is told that the packet was discarded.

MASQ: valid only in the forward chain and in user-defined chains, and usable only when the kernel is compiled with CONFIG_IP_MASQUERADE. The packet is masqueraded as if it originated from the local machine; moreover, the reverse packets are recognised and demasqueraded automatically, bypassing the forwarding chain.

REDIRECT: valid only in the input chain and in user-defined chains, and usable only when the Linux kernel is compiled with CONFIG_IP_TRANSPARENT_PROXY defined. Packets are redirected to a local socket even though they were addressed to a remote host.

Some commonly used forms of the command:

ipchains -[ADC] chain rule-specification [options]

ipchains -[RI] chain rulenum rule-specification [options]

ipchains -D chain rulenum [options]

ipchains -[LFZNX] [chain] [options]

ipchains -P chain target [options]

ipchains -M [ -L | -S ] [options]

3.1.2. How a packet travels through Netfilter

A packet travels along the cable and enters a network card (say eth0). It first passes through the PREROUTING chain (before routing), where it may have its parameters altered (mangle) or its destination IP address changed (DNAT). A packet addressed to the machine itself then goes through the INPUT chain, where it may be accepted or discarded; it is then handed up to the applications (client/server) for processing, and what they send goes out through the OUTPUT chain, where the packet may again be altered and is filtered, to be accepted out or discarded. A packet forwarded through the machine leaves the PREROUTING chain for the FORWARD chain, where it is likewise filtered as ACCEPT or DENY. After the FORWARD or OUTPUT chain the packet reaches the POSTROUTING chain (after routing), where its source IP address may be changed (SNAT) or MASQUERADEd. The packet then leaves through the network card onto the cable towards another machine on the network.

3.1.3. Structure of iptables

Iptables is divided into four tables:

The filter table is used to filter packets.

The nat table is used to handle packets that undergo source NAT or destination NAT.

The mangle table is used to alter fields in the IP packet.

The conntrack table is used to track connections.

Each table consists of several chains. A chain consists of several rules that act on packets. A rule's target may be ACCEPT (accept the packet), DROP (drop the packet), REJECT (reject the packet) or a reference to another chain.


3.1.4. Installing iptables

Iptables is installed by default on Linux systems; the package is iptables-version.rpm or iptables-version.tgz, and it can be installed with:

$ rpm -ivh iptables-version.rpm   (Red Hat)

$ apt-get install iptables   (Debian)

Start iptables: service iptables start

Stop iptables: service iptables stop

Restart iptables: service iptables restart

Show the iptables status: service iptables status

3.2. Common command-line parameters

3.2.1 Getting help

For help on iptables, type $ man iptables or $ iptables --help. For example, to learn the options of the limit match, type $ iptables -m limit --help.

3.2.2 Options that specify parameters

Specify the table: -t <table>, e.g. -t filter, -t nat, ...; if no table is given, the default is filter.

Specify the protocol: -p <protocol>, e.g. -p tcp, -p udp, or -p ! udp for every protocol other than udp.

Specify the incoming interface: -i <interface>, e.g. -i eth0, -i lo.

Specify the outgoing interface: -o <interface>, e.g. -o eth0, -o ppp0.

Specify the source IP address: -s <address>, e.g. -s 192.168.0.0/24 (the network 192.168.0 with a 24-bit mask), -s 192.168.0.1-192.168.0.3 (the addresses 192.168.0.1, 192.168.0.2, 192.168.0.3).


Specify the destination IP address: -d <address>, as for -s.

Specify the source port: --sport <port>, e.g. --sport 21 (port 21), --sport 22:88 (ports 22 to 88), --sport :80 (ports up to and including 80).

Specify the destination port: --dport <port>, as for --sport.

3.2.3. Options that operate on chains

Create a new chain: iptables -N <chain>

Delete a user-defined chain: iptables -X <chain>

Set the policy of a built-in chain (INPUT, OUTPUT and FORWARD): iptables -P <chain> <policy>, e.g. iptables -P INPUT ACCEPT accepts packets entering the INPUT chain.

List the rules in a chain: iptables -L

Delete the rules in a chain (flush): iptables -F

Reset the packet counters to zero: iptables -Z

3.2.4. Options that operate on rules

Add a rule: -A (append)

Delete a rule: -D (delete)

Replace a rule: -R (replace)

Insert a rule: -I (insert)

3.2.5 ACCEPT, DROP and REJECT compared

ACCEPT: accept the packet

DROP: drop the packet (no reply to the client)

REJECT: reject the packet (reply to the client with another packet)

Some examples:


# iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

accept packets to TCP port 80 on interface eth0

# iptables -A INPUT -i eth0 -p tcp --dport 23 -j DROP

drop packets to TCP port 23 on interface eth0

# iptables -A INPUT -i eth1 -p tcp -m iprange ! --src-range 10.0.0.1-10.0.0.5 --dport 22 -j REJECT --reject-with tcp-reset

send a TCP packet with the RST flag set for connections to port 22 on interface eth1 that do not come from the address range 10.0.0.1..5

# iptables -A INPUT -p udp --dport 139 -j REJECT --reject-with icmp-port-unreachable

send an ICMP port-unreachable for connections to UDP port 139

3.2.6 NEW, ESTABLISHED and RELATED compared

NEW: opens a new connection. ESTABLISHED: the connection is already established. RELATED: opens a new connection related to an existing one.

Some examples:

# iptables -P INPUT DROP

set the policy of the INPUT chain to DROP

# iptables -A INPUT -p tcp --syn -m state --state NEW -j ACCEPT

accept only TCP packets that open a connection with the SYN flag set

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

do not close connections that are already established, and also allow new connections related to an established one

# iptables -A INPUT -p tcp -j DROP

every other TCP packet is dropped
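As an added illustration (not part of the thesis) of the four INPUT rules above and of the session idea in section 2.4.3, the following Python model replays a constructed traffic sequence through a tiny connection tracker standing in for the kernel's conntrack; the host and peer addresses are invented.

```python
# Added example (not from the thesis): a small model of what the four INPUT rules
# of section 3.2.6 do, with a minimal connection tracker standing in for the
# kernel's conntrack. It also shows the point of section 2.4.3: a reply packet is
# recognised from the tracked connection, so no second, reverse rule is needed.
# Hosts, ports and addresses are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Tuple5 = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str                              # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()     # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    quoted: Optional[Tuple5] = None         # the packet an ICMP error message quotes


def tuple_of(p: Packet) -> Tuple5:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_of(t: Tuple5) -> Tuple5:
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)


class ConnTracker:
    """Stores the original-direction tuple of each connection it has seen."""

    def __init__(self) -> None:
        self.table: set = set()

    def track(self, p: Packet) -> None:
        self.table.add(tuple_of(p))

    def known(self, t: Tuple5) -> bool:
        return t in self.table or reverse_of(t) in self.table

    def state(self, p: Packet) -> str:
        if self.known(tuple_of(p)):
            return "ESTABLISHED"            # either direction of a tracked connection
        if p.proto == "icmp" and p.quoted is not None:
            # An ICMP error about a tracked connection is RELATED to it.
            return "RELATED" if self.known(p.quoted) else "INVALID"
        if p.proto == "tcp" and p.flags != {"SYN"}:
            return "INVALID"                # a TCP connection must begin with a bare SYN
        return "NEW"


def input_chain(ct: ConnTracker, p: Packet) -> str:
    """The INPUT chain of section 3.2.6, rule by rule."""
    st = ct.state(p)
    # iptables -A INPUT -p tcp --syn -m state --state NEW -j ACCEPT
    if p.proto == "tcp" and p.flags == {"SYN"} and st == "NEW":
        ct.track(p)
        return "ACCEPT"
    # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    if st in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    # iptables -A INPUT -p tcp -j DROP
    if p.proto == "tcp":
        return "DROP"
    # iptables -P INPUT DROP  (chain policy for everything else)
    return "DROP"


def output_chain(ct: ConnTracker, p: Packet) -> str:
    """OUTPUT is left open in the thesis example; it only feeds the tracker."""
    ct.track(p)
    return "ACCEPT"


HOST, PEER, DNS = "192.168.10.5", "203.0.113.9", "198.51.100.53"   # constructed


def run_scenario() -> List[str]:
    """Replay a constructed traffic sequence and return the INPUT decisions."""
    ct = ConnTracker()
    decisions = []
    output_chain(ct, Packet("tcp", HOST, 40000, PEER, 80, frozenset({"SYN"})))
    # 1. SYN/ACK replying to our own connection: ESTABLISHED, no reverse rule needed
    decisions.append(input_chain(ct, Packet("tcp", PEER, 80, HOST, 40000, frozenset({"SYN", "ACK"}))))
    # 2. fresh SYN to our SSH port: NEW with the SYN flag set -> accepted
    decisions.append(input_chain(ct, Packet("tcp", PEER, 40001, HOST, 22, frozenset({"SYN"}))))
    # 3. bare ACK with no tracked connection: neither NEW-with-SYN nor ESTABLISHED
    decisions.append(input_chain(ct, Packet("tcp", PEER, 40002, HOST, 22, frozenset({"ACK"}))))
    query = Packet("udp", HOST, 50000, DNS, 53)
    output_chain(ct, query)
    # 4. ICMP port-unreachable quoting our DNS query: RELATED -> accepted
    decisions.append(input_chain(ct, Packet("icmp", DNS, 0, HOST, 0, quoted=tuple_of(query))))
    # 5. unsolicited UDP to port 53: no rule matches, the chain policy drops it
    decisions.append(input_chain(ct, Packet("udp", PEER, 5353, HOST, 53)))
    return decisions


if __name__ == "__main__":
    print(run_scenario())
```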

3.2.7. The --limit and --limit-burst options

    The limit match behaves like a token bucket: a rule with -m limit matches only while tokens are left.
    --limit-burst: the size of the bucket, i.e. how many packets may match in a burst before the rate limit takes effect (measured in packets; the default is 5).
    --limit: the rate at which tokens are refilled once the burst has been used up, given as a number of packets per s (second), m (minute), h (hour) or d (day), for example --limit 3/minute (the default is 3/hour).
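To see what --limit and --limit-burst do to an actual packet stream, here is a small token-bucket model of the limit match. It is an added example, not code from the thesis and not the kernel's implementation (the kernel keeps its credit in finer units, but the accept/deny pattern is the same). It takes the rate in packets per minute, the burst, and a list of packet arrival times in seconds, all constructed here, and prints one letter per packet: A when the rule would match and D when the limit is exhausted.

```shell
# Token-bucket model of "iptables -m limit --limit <n>/minute --limit-burst <b>".
# The bucket starts full (b tokens); each matching packet takes one token;
# one token is refilled every 60/n seconds, never exceeding b.
# Usage: limit_match <packets per minute> <burst> <arrival times in seconds, non-decreasing...>
# Prints one character per packet: A (rule matches) or D (limit exhausted).
limit_match() {
    rate=$1; burst=$2; shift 2
    if [ "$rate" -le 0 ] || [ $((60 % rate)) -ne 0 ]; then
        echo "limit_match: rate must divide 60 in this model" >&2
        return 2
    fi
    interval=$((60 / rate))   # seconds needed to earn one token
    tokens=$burst             # bucket starts full: the first $burst packets always match
    last=0                    # time up to which refills have already been credited
    out=""
    for t in "$@"; do
        earned=$(( (t - last) / interval ))
        if [ "$earned" -gt 0 ]; then
            tokens=$((tokens + earned))
            if [ "$tokens" -gt "$burst" ]; then tokens=$burst; fi
            last=$((last + earned * interval))
        fi
        if [ "$tokens" -gt 0 ]; then
            tokens=$((tokens - 1)); out="${out}A"
        else
            out="${out}D"     # a LOG rule using this match stays silent for this packet
        fi
    done
    printf '%s\n' "$out"
}

# The LOG rules in chapter 4 use --limit 3/minute --limit-burst 3. Eight unwanted packets
# arriving at t = 0,0,0,0,10,20,40,100 seconds are logged as follows:
# limit_match 3 3 0 0 0 0 10 20 40 100   -> AAADDAAA
```

The burst is spent on the first three packets; the fourth and fifth arrive before a token has been earned and are not logged; from then on one packet per 20 seconds gets through, and a 60-second gap refills the whole bucket. This is why a flood cannot fill the log, and also why a LOG rule with a limit will miss most packets of a flood.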

3.3. Introduction to the NAT table (Network Address Translation)

    A problem today is the shortage of IP addresses: an organization may have many computers but is allocated only a single public IP address. How can every computer in the organization reach the Internet with just that one address? One way to do it is NAT (Network Address Translation).

3.3.1. Basic concepts of NAT

    NAT is used when you want to connect a network that uses private addresses to the Internet, which requires a public address.

    A public address is unique on the Internet and is normally assigned by an Internet Service Provider (ISP); it is also called a valid (routable) IP address. A private address is used inside a local area network (LAN). It does not have to be obtained from a provider; the administrator of the internal network assigns it. Private addresses are never routed on the Internet.

    NAT lets you reach the Internet while still using private addresses internally, because it translates between the two kinds of address, whatever the size of the internal network, even when the ISP gives you only a single public address.

    NAT rewrites the source address of packets leaving the internal network so that they carry the public address on the Internet. Seen from the Internet, the private address of the originating machine is invisible; only the shared public address of the internal network is seen. NAT tells the internal machines apart by the port number of each connection.

    Given these properties, NAT has the following advantages:

    It hides the internal addressing scheme from the outside network.
    It saves public (Internet) addresses.
    It can be used for load balancing, spreading incoming connections over several servers inside the internal network.
    If the public address changes, the individual machines do not have to be reconfigured, which is convenient for the administrator.
    It reduces investment cost.

    Along with these advantages come some drawbacks:

    Slower processing, because every packet has to be parsed, its addresses rewritten and its checksums recomputed.
    Congestion can occur when too much traffic passes through the NAT device at the same time.

    The following sections look at some of the address translation methods NAT uses.

3.3.2. Dynamic address translation (Dynamic NAT)

    Dynamic NAT is one of the NAT (Network Address Translation) techniques. Internal IP addresses are mapped to NAT addresses as follows:

    Figure 8: Dynamic IP address translation.

    When a packet from the internal host 192.168.0.200 reaches the NAT router, the router replaces the source IP address with 203.162.2.200 and forwards the packet to the Internet. This is called SNAT (Source NAT). When the reply from the Internet arrives with destination 203.162.2.200, the router looks up its NAT table, rewrites the destination address back to 192.168.0.200 and forwards the packet into the LAN. This is called DNAT (Destination NAT). The translation is completely transparent to the hosts on both sides.

3.3.3. Address translation by masquerading

    Masquerading lets a whole LAN share a single public IP address, here 203.162.2.4 on the NAT router. When a host in the LAN 192.168.0.x, say 192.168.0.168, sends a packet from port 1204 to 211.200.51.15:80, the router rewrites the source to 203.162.2.4 and a free port of its own, 26314, and records the pair 192.168.0.168:1204 <-> 203.162.2.4:26314 in its masquerade table. Different internal hosts are told apart by different port numbers. When the reply from 211.200.51.15:80 to 203.162.2.4:26314 arrives, the router consults the table, rewrites the destination to 192.168.0.168:1204 and forwards the packet into the LAN. As with dynamic NAT, the process is transparent to the hosts.

    Figure 9: Address translation by masquerading.
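The masquerade table described in 3.3.1 and 3.3.3 can be modelled in a few lines of shell. This is an added example, not code from the thesis, and a simplification of the kernel's behaviour: Linux keeps the original source port when it is free and only picks a new one on a clash, whereas this model always hands out the router's next free port. The public address 203.162.2.4 and the starting port 26314 are the values from figure 9; the inner hosts and ports fed to it are constructed.

```shell
# Constructed model of a masquerading router's translation table (not kernel code).
NAT_EXT_IP="203.162.2.4"    # the router's single public address (value from figure 9)
NAT_NEXT_PORT=26314         # next outside port the router hands out (value from figure 9)
NAT_TABLE=""                # one line per mapping: "<inner_ip>:<inner_port> <outside_port>"

# Outbound packet: translate the inner source "ip:port" to "NAT_EXT_IP:outside_port".
# Reuses the existing mapping for that inner socket, otherwise allocates a new outside port.
# The result is left in NAT_RESULT rather than printed, so the table update survives:
# a $(...) substitution would run the function in a subshell and lose it.
nat_snat() {
    inner=$1
    ext_port=$(printf '%s\n' "$NAT_TABLE" | awk -v k="$inner" '$1 == k { print $2; exit }')
    if [ -z "$ext_port" ]; then
        ext_port=$NAT_NEXT_PORT
        NAT_NEXT_PORT=$((NAT_NEXT_PORT + 1))
        NAT_TABLE="${NAT_TABLE}${inner} ${ext_port}
"
    fi
    NAT_RESULT="$NAT_EXT_IP:$ext_port"
}

# Inbound packet addressed to "NAT_EXT_IP:outside_port": print the inner "ip:port" it is
# forwarded to, or nothing when no mapping exists. Unsolicited traffic from the Internet has
# nowhere to go and is dropped; this is what hides the LAN behind the router.
nat_reply_target() {
    ext_port=${1##*:}
    printf '%s\n' "$NAT_TABLE" | awk -v p="$ext_port" '$2 == p { print $1; exit }'
}

# Number of mappings currently held (one per inner socket in use).
nat_table_size() {
    printf '%s\n' "$NAT_TABLE" | awk 'NF == 2 { n++ } END { print n + 0 }'
}
```

Two inner hosts using the same local port 1204 get different outside ports (26314 and 26315), which is exactly how the router tells their replies apart; a reply to a port that was never handed out finds no entry and is discarded.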


3.3.4. Some examples of using NAT

    Iptables supports the -j REDIRECT target, which makes redirecting a port easy. For example, if Squid is listening on port 3128/tcp, redirect port 80 to port 3128 with:

    # iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

    Note: -j REDIRECT is only valid in the PREROUTING and OUTPUT chains of the nat table; it rewrites the destination to the address of the interface the packet came in on.

    SNAT and MASQUERADE

    To give the LAN 192.168.0.0/24 a transparent connection to the Internet, configure the Iptables firewall as follows:

    # echo 1 > /proc/sys/net/ipv4/ip_forward
    Allow packets to be forwarded through the Iptables host.

    # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 210.40.2.71
    Rewrite the source IP of packets leaving through interface eth0 to 210.40.2.71. When the reply comes back from the Internet, Iptables automatically rewrites the destination 210.40.2.71 to the corresponding address of the machine in the LAN 192.168.0.0/24.

    Alternatively, MASQUERADE can be used instead of SNAT:

    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    (MASQUERADE is typically used when the Internet link is ppp0 and has a dynamically assigned IP address: it uses whatever address the interface currently has, and its mappings are forgotten when the interface goes down.)

    DNAT

    Suppose the Proxy, Mail and DNS servers are placed in the DMZ. To make them transparently reachable from the Internet:

    # echo 1 > /proc/sys/net/ipv4/ip_forward
    # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2
    # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.3
    # iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 192.168.1.4

    These nat rules only rewrite the destination address. If the FORWARD chain has a DROP policy, matching ACCEPT rules in the filter table are still needed for the translated packets to reach the DMZ hosts, as in the firewall script in chapter 4.

Chapter 4:

SETTING UP A FIREWALL TO PROTECT THE INTERNAL NETWORK WITH IPTABLES ON THE LINUX OPERATING SYSTEM

    In this application, iptables on a Linux server acts as a firewall that lets the outside network reach the DMZ and lets the internal network reach the outside network through the firewall. The outside network is not allowed to reach the internal network.

4.1. How a firewall with a DMZ works

    Figure 10: Firewall with a DMZ.

    The firewall lets machines in the internal network reach resources on the outside network using SNAT.
    Machines on the outside network are only allowed to reach the Web server and DNS server in the DMZ, using DNAT.
    Requirements for the firewall (Linux kernel 2.4.x), the modules the firewall needs, and the address assignment for the internal network and the DMZ are done the same way as in the IP NAT application.
    User-defined chains: three chains, bad_tcp_packets, allowed and icmp_packets, as in the IP NAT application.

4.2. Structure of the configuration file and configuration

    Configuration file for the firewall:

4.2.1. Configuration options

    #!/bin/sh
    # rc.firewall_dmz - DMZ firewall for Linux 2.4.x and iptables
    ###########################################################################
    # 1. Configuration options.
    # 1.1 Internet interface configuration.
    #
    INET_IP="194.236.50.152"
    HTTP_IP="194.236.50.153"
    DNS_IP="194.236.50.154"
    INET_IFACE="eth0"
    # 1.2 Local network interface configuration.
    LAN_IP="192.168.0.1"
    LAN_IFACE="eth1"
    # 1.3 DMZ interface configuration.
    #
    DMZ_HTTP_IP="192.168.1.2"
    DMZ_DNS_IP="192.168.1.3"
    DMZ_IP="192.168.1.1"
    DMZ_IFACE="eth2"
    # 1.4 Localhost configuration.
    LO_IFACE="lo"
    LO_IP="127.0.0.1"
    # 1.5 Location of the iptables program.
    IPTABLES="/usr/sbin/iptables"

4.2.2. Loading the required modules into the kernel

    # 2. Load the required modules into the kernel.
    /sbin/depmod -a
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe iptable_filter
    /sbin/modprobe iptable_mangle
    /sbin/modprobe iptable_nat
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_limit
    /sbin/modprobe ipt_state

4.2.3. Required settings in the proc file system

    # 3. Required settings in the proc file system.
    echo "1" > /proc/sys/net/ipv4/ip_forward

4.2.4. Installing the rules

    # 4. Install the rules.
    # 4.1 Filter table
    # 4.1.1 Default policies of the built-in chains: deny everything not explicitly allowed.
    #
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    # 4.1.2 Create the user-defined chains
    # Create the chain bad_tcp_packets.
    $IPTABLES -N bad_tcp_packets
    # Create the chains allowed and icmp_packets.
    $IPTABLES -N allowed
    $IPTABLES -N icmp_packets
    #
    # 4.1.3 Fill the user-defined chains
    # chain bad_tcp_packets: reset a SYN,ACK that arrives as a NEW connection (a reply to a
    # SYN we never sent), then log and drop any other NEW packet that is not a SYN.
    $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
        -m state --state NEW -j REJECT --reject-with tcp-reset
    $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
        --log-prefix "New not syn:"
    $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
    # chain allowed: accept a new TCP connection (SYN) or packets of an existing one, drop the rest.
    #
    $IPTABLES -A allowed -p TCP --syn -j ACCEPT
    $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A allowed -p TCP -j DROP
    #
    # chain icmp_packets: accept only echo request (type 8) and time exceeded (type 11).
    $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
    $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
    # 4.1.4 INPUT chain
    # Malformed TCP packets we do not want
    $IPTABLES -A INPUT -p tcp -j bad_tcp_packets
    # Packets from the Internet to the firewall itself.
    #
    $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
    # Packets from the LAN, the DMZ or localhost
    #
    # From the DMZ interface to the firewall's DMZ address
    $IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT
    #
    # From the LAN interface to the firewall's LAN address
    $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
    #
    # From the loopback interface, whichever of the firewall's own addresses is used as source
    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
    # DHCP requests from the LAN.
    $IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
    # All packets belonging to, or related to, an established connection that come in
    # from the Internet to the firewall.
    $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
        -j ACCEPT
    #
    # Log packets that matched none of the rules above (rate limited so a flood cannot fill the log).
    $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-level DEBUG --log-prefix "IPT INPUT packet died: "
    #
    # 4.1.5 FORWARD chain
    # Malformed TCP packets we do not want
    $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
    #
    # DMZ section
    # General rules: the DMZ may open connections to the Internet and the LAN may open
    # connections to the DMZ; the opposite directions only carry replies.
    $IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    # HTTP server
    #
    $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
        --dport 80 -j allowed
    $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
        -j icmp_packets
    #
    # DNS server
    $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
        --dport 53 -j allowed
    $IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
        --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
        -j icmp_packets
    #
    # LAN section: the LAN may open connections anywhere; replies to them are accepted.
    # Nothing here accepts NEW connections coming in from the Internet towards the LAN.
    $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log packets that matched none of the rules above
    $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
    #
    # 4.1.6 OUTPUT chain
    # Malformed TCP packets we do not want
    $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
    #
    # Rules allowing packets to leave the firewall from each of its own addresses.
    $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
    # The firewall's DMZ address as well, otherwise the firewall itself cannot talk to the DMZ hosts.
    $IPTABLES -A OUTPUT -p ALL -s $DMZ_IP -j ACCEPT
    # Log packets that matched none of the rules above
    $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
    # 4.2 nat table
    # 4.2.4 PREROUTING chain: publish the DMZ web and DNS servers on their public addresses
    $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
        -j DNAT --to-destination $DMZ_HTTP_IP
    $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \
        -j DNAT --to-destination $DMZ_DNS_IP
    $IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \
        -j DNAT --to-destination $DMZ_DNS_IP
    # 4.2.5 POSTROUTING chain
    # Rule letting machines in the internal network reach the Internet
    #
    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

4.3. Configuring the internal machines to reach the outside network

    Besides giving the internal machines behind the firewall suitable IP addresses (assigned statically or dynamically), set their gateway to the LAN address of the Linux firewall server and set the DNS server address.

    Configuring Microsoft Windows 2000 after a suitable network card has been installed in the machine:

    Carry out the same configuration as in the IP NAT application.

4.4. Testing the firewall

    Step 1: check local connectivity between internal machines
    ------------------------------------
    client# ping 192.168.0.10
    PING 192.168.0.10 (192.168.0.10): 56 data bytes
    64 bytes from 192.168.0.10: icmp_seq=0 ttl=255 time=0.8 ms
    64 bytes from 192.168.0.10: icmp_seq=1 ttl=255 time=0.4 ms
    64 bytes from 192.168.0.10: icmp_seq=2 ttl=255 time=0.4 ms
    64 bytes from 192.168.0.10: icmp_seq=3 ttl=255 time=0.5 ms
    --- 192.168.0.10 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max = 0.4/0.5/0.8 ms

    Step 2: check connectivity from an internal machine to the firewall server.
    client# ping 192.168.0.1
    PING 192.168.0.1 (192.168.0.1): 56 data bytes
    64 bytes from 192.168.0.1: icmp_seq=0 ttl=255 time=0.8 ms
    64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.4 ms
    64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.4 ms
    64 bytes from 192.168.0.1: icmp_seq=3 ttl=255 time=0.5 ms
    ^C
    --- 192.168.0.1 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max = 0.4/0.5/0.8 ms

    Step 3: check the firewall server's own LAN interface.
    firewall-server# ping 192.168.0.1
    PING 192.168.0.1 (192.168.0.1): 56 data bytes
    64 bytes from 192.168.0.1: icmp_seq=0 ttl=255 time=0.8 ms
    64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.4 ms
    64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.4 ms
    64 bytes from 192.168.0.1: icmp_seq=3 ttl=255 time=0.5 ms
    ^C
    --- 192.168.0.1 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max = 0.4/0.5/0.8 ms

    Step 4: check the firewall server's own DMZ interface.
    firewall-server# ping 192.168.1.1
    PING 192.168.1.1 (192.168.1.1): 56 data bytes
    64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=0.8 ms
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.4 ms
    64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=0.4 ms
    64 bytes from 192.168.1.1: icmp_seq=3 ttl=255 time=0.5 ms
    ^C
    --- 192.168.1.1 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max = 0.4/0.5/0.8 ms

    Step 5: check connectivity from the firewall server to an internal machine.
    firewall-server# ping 192.168.0.10
    PING 192.168.0.10 (192.168.0.10): 56 data bytes
    64 bytes from 192.168.0.10: icmp_seq=0 ttl=255 time=0.8 ms
    64 bytes from 192.168.0.10: icmp_seq=1 ttl=255 time=0.4 ms
    64 bytes from 192.168.0.10: icmp_seq=2 ttl=255 time=0.4 ms
    64 bytes from 192.168.0.10: icmp_seq=3 ttl=255 time=0.5 ms
    ^C
    --- 192.168.0.10 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max = 0.4/0.5/0.8 ms

    Step 6: check the firewall server's external interface.
    -------------------------------------
    firewall-server# ping 194.236.50.152
    PING 194.236.50.152 (194.236.50.152): 56 data bytes
    64 bytes from 194.236.50.152: icmp_seq=0 ttl=255 time=0.8 ms
    64 bytes from 194.236.50.152: icmp_seq=1 ttl=255 time=0.4 ms
    64 bytes from 194.236.50.152: icmp_seq=2 ttl=255 time=0.4 ms
    64 bytes from 194.236.50.152: icmp_seq=3 ttl=255 time=0.5 ms
    ^C
    --- 194.236.50.152 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max = 0.4/0.5/0.8 ms

    Step 7: check connectivity from an internal machine to the firewall server's external interface.
    client# ping 194.236.50.152
    PING 194.236.50.152 (194.236.50.152): 56 data bytes
    64 bytes from 194.236.50.152: icmp_seq=0 ttl=255 time=0.8 ms
    64 bytes from 194.236.50.152: icmp_seq=1 ttl=255 time=0.4 ms
    64 bytes from 194.236.50.152: icmp_seq=2 ttl=255 time=0.4 ms
    64 bytes from 194.236.50.152: icmp_seq=3 ttl=255 time=0.5 ms
    ^C
    --- 194.236.50.152 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max = 0.4/0.5/0.8 ms
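The pings above show that the interfaces are up and that the INPUT chain lets ICMP echo through; they say nothing about whether the FORWARD policy is what section 4.1 intended, namely that nothing from the Internet may open a connection into the LAN. The following shell functions, an added example that is not part of the thesis, check two of those intentions against an iptables-save style dump of the filter table. FILTER_DUMP is constructed here to mirror the rc.firewall_dmz script (eth0 = Internet, eth1 = LAN, eth2 = DMZ) and is not a capture from a real host; on the firewall itself you would pass "$(iptables-save -t filter)" instead.

```shell
# Constructed iptables-save style dump modelled on the rc.firewall_dmz script (not a real capture).
FILTER_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:allowed - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
-A INPUT -p tcp -j bad_tcp_packets
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -i eth2 -d 192.168.1.1/32 -j ACCEPT
-A INPUT -i eth1 -d 192.168.0.1/32 -j ACCEPT
-A INPUT -d 194.236.50.152/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -j bad_tcp_packets
-A FORWARD -i eth2 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -d 192.168.1.2/32 -m tcp --dport 80 -j allowed
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp --syn -j ACCEPT
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
COMMIT'

# The same dump with one careless rule added: a hole that lets the Internet open connections into the LAN.
BAD_DUMP=$(printf '%s\n' "$FILTER_DUMP" | awk '/^COMMIT$/ { print "-A FORWARD -i eth0 -o eth1 -j ACCEPT" } { print }')

# Return 0 when INPUT, FORWARD and OUTPUT all have policy DROP (default deny), 1 otherwise.
policies_are_drop() {
    printf '%s\n' "$1" | awk '
        /^:(INPUT|FORWARD|OUTPUT) / { n++; if ($2 != "DROP") bad++ }
        END { exit (n == 3 && bad == 0) ? 0 : 1 }'
}

# Return 0 when no FORWARD rule ACCEPTs unsolicited traffic from interface $2 towards
# interface $3, 1 otherwise. A rule is a hole when it jumps to ACCEPT, is not restricted
# to ESTABLISHED/RELATED state, and its -i/-o (an absent one matches any interface)
# cover the Internet -> LAN direction.
no_unsolicited_forward() {
    printf '%s\n' "$1" | awk -v inet="$2" -v lan="$3" '
        $1 == "-A" && $2 == "FORWARD" {
            in_if = ""; out_if = ""; stateful = 0; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                else if ($i == "-o") out_if = $(i + 1)
                else if ($i == "--state" && $(i + 1) ~ /ESTABLISHED/) stateful = 1
                else if ($i == "-j") target = $(i + 1)
            }
            if (target == "ACCEPT" && !stateful &&
                (in_if == inet || in_if == "") && (out_if == lan || out_if == "")) holes++
        }
        END { exit (holes ? 1 : 0) }'
}
```

Run both checks after every change to the script; a rule such as -A FORWARD -o eth1 -j ACCEPT, with no -i and no state match, is flagged as a hole even though it looks harmless, because any packet from eth0 towards the LAN also matches it.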

4.5. Building software to manage the IPTables firewall remotely

4.5.1. Problem statement

    The IP-Tables firewall tool running on the Red Hat Linux operating system is a very powerful tool. An administrator can use it to secure a computer network very effectively. But to use it to best effect, the administrator must have a deep understanding of computer networking and must remember a large number of complex parameters. This is what makes it hard for administrators.

    For the reasons above, I built a piece of software that helps administer the firewall remotely. It is written in PHP and runs on the Apache web server, so from any computer in the network one can reach the software and configure this firewall system. To solve the problem of users having to remember too many complex parameters, the program comes with ready-made rule sets, and every rule is annotated with a clear description of its purpose.

4.5.2. Some screens of the program

    As noted above, to use the iptables firewall tool the user needs deep knowledge of networking, such as protocols, IP addresses and service ports, and on top of that the many parameters of the iptables firewall. To make configuring an iptables firewall easy, the IP-Tables management software was built on the PHP language. It has several notable features: it lets users configure the firewall remotely, it stores earlier configurations so they can be updated later, and users can easily add, delete, edit and move commands.

    Remote firewall configuration:

    Because the program is built as a set of web pages, at any time the user only needs a browser and a connection to the computer whose firewall is to be configured.

    Home page

    Figure 11: Main screen of the program.

    Some options

    Figure 12: Program screen with some options.

    Figure 13: Screen after the options have been set and the program executed.

    After the options have been chosen, the result is returned as a text file containing the IPtables rule set.

    Figure 14: Result returned by the program: the IPtables rule set.

4.5.3. Evaluation of the software

    Advantages of the software
    - Designed as a website, so the iptables configuration can be done from any computer in the network.
    - Users without deep knowledge of the iptables parameters can still configure the firewall, thanks to the ready-made rules.
    - Reusing and editing rules and iptables commands is very easy.
    - The program is open source, so users can modify it to their needs.

    Disadvantages of the software
    - Only one language is supported at present.
    - Installation is fairly involved, since several supporting packages such as an HTTP server and crontab have to be installed.
    - Every user has the same privileges. Since the program has to run iptables with root rights, anyone who can reach the web interface can change the firewall, so access to the interface must be restricted.

    Future development
    - A website will be set up to introduce the software and publish new versions.
    - The next version will be able to update to new rules, and these rule files will be provided on the website.
    - Each user will be granted rights to use different rules in the rule set.

    Software requirements
    - Linux operating system (Red Hat 9.0)
    - Web server (Apache Server 2.0 or later)
    - Iptables firewall 1.2.9
    - PHP 4.03 (or newer)

CONCLUSION

    The subject of firewalls is always a primary concern of network administrators in particular and of computer professionals in general. Building a private network that can avoid every attack is impossible, but we can build networks with a high level of security that meets specific requirements. To build such networks, the network administrator must have a firm grasp of the fundamentals of firewalls. This thesis has presented firewalls in some detail, together with the issues involved in protecting information on internal networks.

    The thesis has also set up a model firewall that protects an internal network with IPTABLES on the LINUX operating system. With a firewall system using Iptables

    t