Firewall Overview (Tổng quan Firewall)


  • 8/2/2019 Tong Quan Firewall

    1/51

Hanoi University of Science and Technology (Trường Đại học Bách Khoa Hà Nội), Graduation Thesis (Đồ án tốt nghiệp)

Part II: Security in computer networks

Chapter 1: Overview of network security

1.1. Threats to systems and computer networks

1.1.1. Description of the threats

Imagine an information system (a LAN, an intranet, ...) in operation which one day is completely paralysed (this is not impossible) by some deliberate saboteur; or, less dramatically, you discover that your valuable data has been deliberately altered or even lost. Or one day you find that your business has failed badly because the information in your system was broken into and read by someone else...

Processing, analysing and aggregating information on the one hand, and securing it on the other, are two inseparable sides of the same problem. From the moment the computer appeared, and with it the ever larger and more diverse information processing systems, people have thought about how to keep their information systems safe.

How many ways can a computer network be compromised? The honest answer is that a compromise can appear at any time and at any point in the system. We must control network security at several different levels:

Network level: stop unauthorised intruders from entering the network.

Server level: control access rights, security mechanisms, user identification, assignment of access privileges, and which operations are permitted.

Database level: control who has which rights on each database.

Field level: within each database, control each data field so that different fields holding different information grant different subjects different access rights.

Cryptographic level: encrypt the entire data file by some method so that only the holder of the key can use it.

Nguyễn Mạnh Chiến, T2, C1A K45, Page 1


- Address spoofing tools (IP spoofing): an attacker can use these tools to make the system believe the attacker's machine is a host on the internal network, or to erase traces and avoid detection.

Figure 34: Overview diagram of an information system

- Denial of service (DoS): this kind of attack aims to disrupt the operation of the network, for example by triggering faults in application programs to hang the machine, or by flooding the network with bogus messages that saturate the links or exhaust the processing capacity of the server.

1.1.2. Levels of network protection

Because no solution can be absolutely secure, several levels of protection are used at the same time, forming multiple layers of barriers against intrusion. Protecting information on a network mostly means protecting the information stored on the computers, in particular on the network's servers. Efforts therefore concentrate on building barriers, from the outside in, around the systems connected to the network.


1.2. Analysis of the network security levels

Figure 35: The network security levels

1.2.1. Access rights

This is the innermost layer of protection. It controls the network's resources (information) and the privileges (which operations may be performed) on those resources. Naturally, the finer the granularity at which the data structure can be controlled, the better. Control is currently done mostly at the file level, and the rights are usually set by the network administrator. The rights on a file are the operations a user may perform on it: read only, permission to modify, and so on. The more finely the data structure can be controlled, the higher the level of security.

1.2.2. Login/Password

This layer is also a form of access control, but at the system level (access to the network) rather than at the information level. It is the most widespread method of protection because it is simple, cheap and quite effective. Every user (the network administrator included) who wants to enter the network and use its resources must have a registered name and a password. The network administrator is responsible for managing and controlling all activity on the network and for determining the access rights of other users according to time and place; that is, a user may be allowed to access the network only at a certain time and from a certain location.


[Figure 35, layers from outermost to innermost: Firewall, Physical Protection, Data Encryption, Login/Password, Access Rights, Information]


Passwords come in several forms: a password for each group of users, a password for each individual user, a password that changes on every access to the system, and so on. When an administrator creates passwords on the system and for each user, the following rules must be followed to keep both the user and the whole system safe:

The password must not be a proper name, a way of writing the name, or a permutation of the name.

The password must not resemble a word or a phrase; it must be an arbitrary collection of characters and no fewer than 6 characters long.

The password must not consist solely of letters or solely of digits; it must combine both letters and digits.

This layer is very effective and prevents unauthorised access as long as every user keeps their login name and password secret. In practice, however, passwords fail to stay secret for many reasons, which greatly reduces its effectiveness.
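The three password rules above can be enforced mechanically when an account is created. The check below is an added example written for this edit, not code from the thesis; the name handling and the small COMMON_WORDS set are constructed stand-ins (a real deployment would load a full word list), and the 6-character minimum is the one stated above.

```python
import itertools
import re

# Constructed stand-in for a dictionary; exists only so the check runs offline.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "firewall", "hanoi"}


def _name_variants(full_name):
    """Lower-case strings derived from a user's name: each part, every
    ordering of the parts joined together, and the initials.
    'Nguyen Van An' -> 'nguyen', 'van', 'an', 'nguyenvanan', 'annguyenvan', ..., 'nva'."""
    parts = [p.lower() for p in full_name.split() if p]
    variants = set(parts)
    for perm in itertools.permutations(parts):
        variants.add("".join(perm))
    variants.add("".join(p[0] for p in parts))
    return variants


def check_password(password, full_name, login_name, min_length=6):
    """Apply the three rules; return the list of violations (empty = acceptable)."""
    problems = []
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)   # digits/punctuation stripped
    names = _name_variants(full_name) | {login_name.lower()}

    # Rule 1: not a name, a written form of the name, or a permutation of it.
    if letters_only and letters_only in names:
        problems.append("derived from the user's name")
    else:
        for n in names:
            if len(n) >= 3 and n in lowered:
                problems.append("contains part of the user's name")
                break

    # Rule 2: not a single word; at least min_length characters.
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if letters_only in COMMON_WORDS:
        problems.append("is a dictionary word")

    # Rule 3: must mix letters and digits.
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        problems.append("must combine letters and digits")
    return problems
```

Rule 1 is checked on the letters alone, so appending a digit to a permutation of the name ("AnNguyenVan1") still fails; rule 3 is checked on the full string.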

1.2.3. Data encryption

To keep information confidential while it travels over the network, encryption is used. The data is transformed from a readable form into an unreadable one by some algorithm (encryption) and transformed back (decryption) at the receiving station. This is a very important layer of protection and is widely used in network environments.

1.2.4. Physical protection

This is a very important layer that prevents unauthorised physical access to the system. Traditional measures are used: strictly forbidding unauthorised persons from entering the room where the network equipment is installed, locking the computers, or installing alarms that trigger on access to the system.

1.2.5. Firewall

To protect a single computer or an entire internal network (intranet) from remote access, a special system called a firewall is commonly used. The firewall's job is to block unauthorised access (according to a predefined access list), and it can even filter out packets that, for whatever reason, we do not want to send or receive. This form of protection is widely used in the Internet environment.


Chapter 2: Measures for protecting system security

Before designing a security policy for a system, the designer must understand a number of basic principles used when building a secure system:

2.1. Least Privilege

The most basic principle of security in general is to grant the least privilege. Any object on the network should have only the specific privileges it needs to carry out its tasks, and no more. This principle limits the exposure an outsider can exploit to break in, and limits the damage if a break-in does occur.

So not every user necessarily needs access to every Internet service, or the right to read and modify every file on the system; a system administrator does not necessarily need to know the root password or the passwords of all users.

Many security problems on the Internet can be seen as failures to apply the least privilege principle. Privileged programs should therefore be kept as simple as possible; if a program is complex, we should find a way to split it up and isolate each part that requires privileges.

2.2. Defense in Depth

A system should not rely on a single security mechanism, however strong it may be; instead, several mechanisms should be installed so that they back each other up.

2.3. Choke Point

A choke point forces intruders to pass through a narrow channel that we can monitor and control. In network security, the firewall sits between our network and the Internet, and it is precisely such a choke point: anyone who wants to reach the system has to go through it, so we can monitor and manage that access.

But a choke point becomes useless if there is another way into the system that bypasses it (in a network environment there may be other, unprotected dial-up lines through which the system can be reached).


2.4. Weakest Link

Another basic principle of security is that a chain is only as strong as its weakest link. An intruder who wants to get into our system will usually look for the weakest point and attack there. For each system we therefore need to know its weakest point in order to plan its protection. In the host security model, the choke point and the weakest link are related and influence each other: a system with no choke point has many ways in and out, and therefore many weak points. Such a system requires a more complex and more expensive protection plan.

2.5. Fail-Safe Stance

If a system happens to fail, it should fail in a way that prevents attackers from exploiting the failed system. Naturally, failing safe also cuts off legitimate users' access until the system is restored.

This principle is applied in many other fields. For example, automatic doors are designed so that they can be opened by hand when the power supply is cut, so that nobody is trapped inside.

Based on this principle, two rules are proposed for application to a secure system:

Default deny stance: focus on what is permitted and block everything else. By default everything is blocked, and what is permitted is then decided.

Default permit stance: focus on what is forbidden and allow everything else. Whatever is not forbidden is permitted.

From the security point of view the first rule should be used; from the managers' point of view it is the second.

2.6. Universal participation

To achieve a high level of security, all systems on the global network must take part in the security solution. If one system has weak security, an unauthorised user can get into that system and then use it as a stepping stone into other systems.


2.7. Combining several protective measures

On an internetwork many different kinds of systems are in use, so a variety of protective measures is needed to support the defense-in-depth strategy. If all our systems are identical and someone learns how to break into one of them, they can break into all the others.

Using several different protective measures reduces the chance of a common error and gives higher security, but at the cost of greater expense and complexity.

2.8. Simplicity

If we do not understand something, we cannot know whether it is secure. We must therefore keep the system simple so that security measures can be applied more effectively.


Chapter 3: Designing a security policy for a computer network

3.1. Network security policy

An information security plan must account for threats from outside as well as from within the organisation, and must combine technical measures with management measures. The steps to carry out are:

Determine the information security requirements and policy: the first step is to determine the access requirements and the set of services to be provided to users inside and outside the organisation; the corresponding policies follow from these.

Design the perimeter security: the design is based on the previously determined security policies. The output of this step is the network architecture together with the hardware and software components to be used; particular attention must be paid to the remote access system and the user authentication mechanism.

Security measures for servers and workstations: perimeter measures, however complete, may not be enough to stop an attack, especially one from the inside. Servers and workstations must be checked for security weaknesses. The firewall and externally reachable servers must be tested against denial of service attacks.

Periodic review: there must be a plan to review the whole information security system periodically, and it must also be re-checked whenever the configuration changes.

3.1.1. Network security plan

Having a correct and effective network security policy to protect the information and resources of a company or organisation, or of a ministry, sector or nation as a whole, is extremely important. If the resources and information a company keeps on its network are worth protecting, then a network security policy is worth implementing. Most organisations have sensitive information and competitive secrets on their computer networks, and these need to be protected from damage in the same way as the company's other valuable assets.

We need a network security policy if the company's resources and information need protecting. Most companies and organisations hold private information and competitive secrets on their networks, and this information must be protected like any other company asset.


To have an effective network security policy we must answer the questions: which kinds of services and resources are users allowed to access, and which are forbidden?

If users on our network currently have unrestricted access, it will be rather difficult to impose a policy that restricts it. A network policy must not reduce the organisation's ability to function: if the policy limits users' ability to do their work, the result is that users will look for ways around it, and the policy loses its effect.

3.1.2. Internal (site) security policy

An organisation may have many departments at many sites, each with its own network. In a large organisation each network must have at least one network administrator. If the sites are not joined into one internal network, their security policies will differ in some respects.

Typically the network resources at each site include:

Workstations

Interconnection devices: gateways, routers, bridges, repeaters

Servers

Network software and application software

Network cabling

Information in files and databases

The local security policy must consider how to protect these resources. It must also balance security requirements against connectivity requirements, because a policy that protects one network well may be a handicap for another.

3.2. Design method

Creating a network policy means drawing up procedures and plans to protect our resources from loss and damage. A practical approach is to answer the following questions:

Which resources do we want to protect?

From whom do we need to protect those resources?


What threats are there?

How important is each resource?

How can we protect the resources in the most economical and sensible way?

How often should the policy be reviewed to keep it in line with changes in purpose and in the state of the network?

The cost of securing a network is usually still lower than the cost of restoring it after a disaster. If the network administrator lacks sufficient knowledge about this protection, they must consult other people who specialise in the resources the administrator does not know. A group of people from several areas should also take part in designing the security policy, so that the policy is comprehensive, cooperative and accepted by everyone.

3.3. Designing the network security policy

3.3.1. Risk analysis

Before establishing the policy we need to know clearly which resources must be protected, that is, which resources are more important, in order to arrive at an economically sensible solution. We must also identify the sources of threats to the system. Many studies show that the damage caused by outside intruders is still much smaller than the destruction caused by insiders. Risk analysis covers these questions:

What do we need to protect?

What do we need to protect those resources from?

How do we protect them?

Risks must also be ranked by importance and by the severity of the damage. Two factors are used:

1. Ri is the risk of losing resource i

2. Wi is the importance of resource i

Ri takes values from 0.0 to 1.0, where:

Ri = 0.0 means there is no risk of losing the resource

Ri = 1.0 means the risk of losing the resource is highest

Wi takes values from 0.0 to 1.0, where:


Wi = 0.0 means the resource has no importance

Wi = 1.0 means the resource has the highest importance

The weighted risk of a resource is then the product of the two factors:

WRi = Ri * Wi

Other factors to consider are availability, integrity and confidentiality. The availability of a resource is how important it is that the resource is always ready for use. Integrity matters most for database resources. Confidentiality applies to resources such as data files to which we restrict read access.
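A worked example of the WRi = Ri * Wi ranking, added here and not part of the thesis. The inventory is constructed (loosely following the resource categories in 3.3.2), the factor ranges follow the definitions above, and a factor outside 0.0 to 1.0 is rejected instead of silently producing a score.

```python
from dataclasses import dataclass


@dataclass
class Resource:
    name: str
    R: float   # Ri: risk of loss, 0.0 (none) to 1.0 (highest)
    W: float   # Wi: importance,  0.0 (none) to 1.0 (highest)


def weighted_risk(res):
    """WRi = Ri * Wi, after checking both factors lie in [0.0, 1.0]."""
    for label, value in (("R", res.R), ("W", res.W)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{res.name}: {label}={value} outside [0.0, 1.0]")
    return res.R * res.W


def rank_resources(resources):
    """(name, WRi) pairs from most to least urgent. Ties are broken by
    importance Wi, then by name, so the order is deterministic."""
    scored = [(r.name, weighted_risk(r), r.W) for r in resources]
    scored.sort(key=lambda t: (-t[1], -t[2], t[0]))
    return [(name, round(wr, 3)) for name, wr, _ in scored]


# Constructed inventory for the example; the factors are illustrative.
INVENTORY = [
    Resource("customer database server", R=0.4, W=1.0),
    Resource("public web server", R=0.9, W=0.6),
    Resource("backup tapes", R=0.3, W=0.8),
    Resource("printer", R=0.8, W=0.1),
]


def top_priority(resources=INVENTORY):
    """Name of the resource that should be protected first."""
    return rank_resources(resources)[0][0]
```

Note that the web server ranks above the database even though the database is more important: a very exposed asset of moderate value can outrank a well-protected critical one, which is exactly what the product is meant to capture.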

3.3.2. Identifying the resources to protect

When carrying out the analysis we also need to determine which resources are at risk of being compromised. It is important to list every network resource that could be affected by a security problem.

- Hardware: processors, boards, keyboards, terminals, workstations, personal computers, printers, disks, communication lines, servers, routers.

- Software: source programs, object programs, utilities, diagnostic programs, operating systems, communication programs.

- Data: data in use, data stored online, data archived offline, backups, audit logs, databases transmitted over communication media.

- People: users, and the people needed to operate the system.

- Documentation: on programs, hardware, systems, and local administrative procedures.

- Supplies: printer paper, forms, ink ribbons, magnetic media.

3.3.3. Identifying threats to network security

Having determined which resources need protecting, we also need to determine which threats are aimed at those resources. The following threats are possible:

Unauthorised access:

Only legitimate users have the right to access network resources; that is authorised access. Many kinds of access count as unauthorised, for example using someone else's account without


permission. The seriousness of unauthorised access depends on its nature and on the damage it causes.

Disclosure of information:

Disclosure of information, whether accidental or deliberate, is another threat. We should assign values that reflect the importance of information. For a software vendor, for example, this includes source code, design details, diagrams and competitive product information. If important information is disclosed, the organisation can suffer damage to its reputation, its competitiveness, the interests of its customers, and so on.

Denial of service:

A network usually consists of valuable resources such as computers and databases, and provides services to the whole organisation. Most users depend on these services to do their work effectively.

It is hard to foresee all the ways a service can be denied. A provisional list includes:

- The network is unusable because of a packet that triggers a fault

- The network is unusable because of traffic overload

- The network is fragmented because a critical router has been disabled

- A virus slows the system down by consuming network resources

- A network protection device is disabled

3.3.4. Defining the responsibilities of network users

Who is allowed to use network resources

We must list all the users who need access to network resources. It is not necessary to list every individual user; if users are grouped, the list is simpler. We must also list a special group called external users: those who access the network from a single remote station or from another network.

Proper use of resources

Having determined which users may access network resources, we must go on to determine how those resources will be used. This means setting guidelines for each class of user, such as software developers, students, and external users.


Some points that should be in the general guidelines:

- Is it permitted to use another person's account?

- Is it permitted to run password-cracking programs?

- Is it permitted to interrupt a service?

- Is it permitted to modify a file one does not own but has write access to?

- Is it permitted to let others use one's own account?

Who is authorised to grant access

The network security policy must state clearly who is authorised to grant services to users, and which kinds of access a user may in turn grant to others. Knowing who grants access lets us know what kind of access was granted and whether a user has been given more privileges than they should have. Two points must be considered:

- Is access to services granted from a central point?

- What procedure is used to create new accounts and to terminate access?

In a large, decentralised organisation there will naturally be several central points that grant access; each must be responsible for everything it grants access to.

Users' rights and responsibilities

The following points apply to users:

- They must comply with all guidelines on the use of the network.

- They are subject to penalties for anything regarded as abuse of resources or disruption of the system's operation.

- Are users permitted to share accounts?

- Are users permitted to disclose their password so that someone else can do their work?

- They must follow the password policy, including the change interval and the requirements on passwords.

- Are users responsible for backing up their own data, or is that the administrator's responsibility?

- What are the consequences if a user discloses proprietary information, and how is the user penalised?


- Observe the provisions on the privacy of electronic mail.

System administrators' rights and responsibilities

System administrators frequently need to gather information about files in users' private directories in order to investigate system problems.

Users, for their part, expect the privacy of their information to be respected. The network policy must therefore state whether the administrator may inspect a user's directories when a security violation occurs. When security is at risk the administrator must have the flexibility to resolve the problem. Other related points:

May the system administrator monitor or read users' files for any reason?

Does the network administrator have the right to inspect network traffic and the traffic of individual nodes?

What legal responsibility do users, system administrators and organisations bear for unauthorised access to the private data of other people or organisations?

Handling sensitive information

From a security standpoint, extremely important data must be restricted so that only a few machines and a few people can reach it. Before granting access to a user, consider whether, if they are capable, they could obtain further access through it. Users must also be told which services are appropriate for storing their sensitive information.

3.3.5. Action plan for policy violations

Every policy violation means the system faces a security risk. When a violation is detected we must classify its cause, for example user carelessness, a mistake or accident, or non-compliance with the policy.

Response to a violation

When a violation occurs, every user with responsibilities is involved. We must define the actions that correspond to each kind of violation, and everyone must know these rules, whether they belong to the organisation or are outsiders using its machines. We must anticipate unintentional violations so they can be handled flexibly, keep records, and review them periodically to


detect trends in violations and adjust the policies when necessary.

Response when a local user commits a violation

A local user may commit the following violations:

- Violating the local policy.

- Violating the policy of another organisation.

In the first case we ourselves, in the role of system administrator, handle it. The second case, which is more complicated and can arise once we are connected to the Internet, must be handled together with the organisations whose security policy was violated.

Response strategy

We can use one of two strategies:

- Protect and proceed.

- Pursue and prosecute.

The first strategy should be applied when our network is easily compromised. The aim is to protect the network immediately, deal with the incident, and restore normal operation so that users can keep working; to do so we must intervene in the violator's actions and cut off their access. When immediate recovery is not possible, we must isolate the affected network segments and shut the system down so that the unauthorised access cannot continue.

3.3.6. Identifying security weaknesses

Besides stating what must be protected, we must state clearly which weaknesses lead to a loss of security and how to guard against them. Before carrying out security procedures we must know how important the resources are and how serious the risks are.

3.3.6.1. Access point weaknesses

An access point is a point through which illegitimate users could enter the system; the more access points there are, the greater the risk. The more regularly and accurately the access points into the system are tracked and managed, the lower the risk to the system.


3.3.6.2. System configuration weaknesses

When an attacker gets into the network, they usually try to compromise the machines on it, and misconfigured machines are easier to compromise. Misconfiguration stems from the complexity of the operating system, the complexity of the accompanying software, and the knowledge of the person responsible for the configuration. Easily guessed passwords and login names are another opening that gives attackers a chance to access the system.

3.3.6.3. Software flaws

The more complex the software, the more complex its flaws; hardly any software is free of them. If attackers know the flaws in a piece of software, especially system software, compromising it is fairly easy. With a well-known operating system, for instance, the security flaws are equally well known, and using a software weakness to gain initial access is not hard.

The administrator is responsible for keeping up with updates and patches and for reporting flaws to the software vendor.

3.3.6.4. Internal user weaknesses

Internal users usually have more access to the system than outsiders, and more access to software than to hardware, so they can damage the system more easily. Most TCP/IP services such as Telnet and ftp share the weakness of sending passwords over the network unencrypted, so someone inside the network is very likely to be able to capture passwords easily with the help of special programs.

3.3.6.5. Physical security weaknesses

If a computer is not physically secure, its software security mechanisms can easily be bypassed. An unattended workstation can have its hard disk wiped, or, if it is left logged in with high privileges, those privileges can be abused to do things that are not permitted.

Resources on the backbone, communication lines, important servers and so on must all be kept in physically secure areas. Physical security means the machine is locked in a closed room or placed where outsiders cannot physically reach the data on it.


3.3.6.6. Confidentiality weaknesses

Confidentiality here means keeping something secret. Information is easily exposed in the following situations:

When it is stored on a computer.

When it is in transit to another system.

When it is stored on backup tapes.

Information stored on a computer is protected by file permissions, access control lists (ACLs) and the like. Information in transit can be protected by encryption or by a firewall gateway. Encryption can be used in all three situations. For information on backup tapes, physical security is essential: the tapes should be kept in a secure cabinet.


Part III: Firewalls

Chapter 1: The concept of a firewall

A firewall, in the most general sense, is a mechanism for protecting a computer network against unauthorised access from other computers or networks. A firewall consists of mechanisms that:

Block unauthorised access.

Permit access after verifying the authenticity of the entity requesting it.

In practice a firewall takes very different forms: software or dedicated hardware, a single computer or a network of computers. According to William Cheswick and Steven Bellovin, a firewall can be defined as a collection of components placed between two networks.

In general a firewall has the following properties:

- Traffic flows in both directions.

- Only traffic that satisfies the local security policy is allowed through.

- The firewall itself is not subject to penetration.

1.1. What a firewall can do

In general, a firewall can protect a computer system against intruders through its ability to block remote login sessions.

It blocks traffic from the outside (the Internet) into the protected network while letting legitimate users access the outside network freely.

The firewall is also a key point in the access control policy. It is the single gateway between the protected network and the outside, so it can log every exchange: source, destination, time, and so on. The firewall can serve as a tool for monitoring malicious attacks from outside and for predicting the likelihood of an attack before it happens.
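Because every exchange crosses the choke point, the firewall's log is the natural place to look for the early signs of an attack that the paragraph above refers to. The report below is an added example for this edit, not code from the thesis: the log lines are constructed in a netfilter-style key=value layout with documentation-range addresses, and the scan heuristic (one source whose dropped packets touched several distinct ports) and its threshold are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not a real capture); addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
Mar 10 08:01:02 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 10 08:01:02 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Mar 10 08:01:03 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
Mar 10 08:01:03 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
Mar 10 08:01:04 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
Mar 10 08:02:10 fw kernel: FW-ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80
Mar 10 08:02:11 fw kernel: FW-DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=8080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: FW-(?P<action>ACCEPT|DROP) "
    r"IN=(?P<iface>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)


def parse_log(text):
    """Parse each line into a dict. Lines that do not match the expected
    layout are counted and skipped rather than aborting the whole report."""
    records, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dpt"] = int(rec["dpt"])
            records.append(rec)
        elif line.strip():
            skipped += 1
    return records, skipped


def summarise(records, scan_threshold=5):
    """Per source address: accepted/dropped counts and the number of distinct
    destination ports among the drops. Reaching scan_threshold distinct
    dropped ports marks the source as a possible port scan."""
    per_src = defaultdict(lambda: {"accept": 0, "drop": 0, "ports": set()})
    for r in records:
        entry = per_src[r["src"]]
        entry[r["action"].lower()] += 1
        if r["action"] == "DROP":
            entry["ports"].add(r["dpt"])
    return {
        src: {
            "accept": e["accept"],
            "drop": e["drop"],
            "distinct_dropped_ports": len(e["ports"]),
            "possible_scan": len(e["ports"]) >= scan_threshold,
        }
        for src, e in per_src.items()
    }


def flagged_sources(text=SAMPLE_LOG):
    """Sorted list of sources the report flags as possible scans."""
    records, _ = parse_log(text)
    return sorted(src for src, e in summarise(records).items() if e["possible_scan"])
```

The skipped-line count matters in practice: a sudden rise in unparseable lines usually means the log format changed, and a silent parser would then report "no scans" for the wrong reason.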


1.2. What a firewall cannot do

A firewall is not as intelligent as a person; it cannot read each kind of information and judge whether its content is good or bad. It can only block the entry of unwanted sources of information, and only when the address parameters are clearly specified.

A firewall cannot stop an attack that does not pass through it. Concretely, it cannot defend against an attack coming over a dial-up line, or against the leakage of information by data being illegally copied onto a floppy disk.

Nor can a firewall defend against data-driven attacks, where a program is sent by electronic mail, passes through the firewall into the protected network, and starts running there.

A firewall cannot scan the data passing through it for viruses, because of the processing speed required, the constant appearance of new viruses, and the many ways data can be encoded to escape the firewall's control (computer viruses being one example).

Nevertheless, the firewall remains an effective and widely used solution.

Chapter 2: Basic firewall architectures


The following are some basic firewall architectures; other architectures can be derived from them depending on how the network is connected.

2.1. Dual-homed host architecture

Figure 36: Diagram of the dual-homed host architecture

The dual-homed host was the first form to appear in the effort to protect internal networks. A dual-homed host is a computer with two network interfaces: one connected to the local network and one to the external network (Internet).

The operating system of the dual-homed host is modified so that packet forwarding between the two interfaces is disabled. To work with a machine on the Internet, a user on the local network must first log in to the dual-homed host and start the session from there.

Advantages of the dual-homed host: easy to install, requiring no special hardware or software.

It only requires that packet forwarding be disabled, so on Unix systems it is usually enough to reconfigure and rebuild the operating system kernel.
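On a current Linux system the same property is controlled at run time through the net.ipv4.ip_forward and net.ipv6.conf.all.forwarding sysctls rather than by rebuilding the kernel. The audit below is an added example for this edit, not code from the thesis: it parses `sysctl -a` style output and reports any forwarding switch that is enabled or absent (absence means the host's state is unknown and must be checked by hand). The sample outputs are constructed, and the choice of the two Linux keys is this example's assumption.

```python
# Switches that must read 0 on a dual-homed host so that the two interfaces
# stay isolated. These are Linux sysctl names (assumed for this example; the
# thesis speaks of Unix kernels generically).
FORWARDING_KEYS = ("net.ipv4.ip_forward", "net.ipv6.conf.all.forwarding")


def parse_sysctl(text):
    """Parse 'key = value' lines, as printed by `sysctl -a`, into a dict.
    Lines without '=' (blank lines, permission-denied notices) are ignored."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_forwarding(text):
    """Return the list of problems found; an empty list means the host does
    not forward packets between its interfaces (as far as these switches go)."""
    settings = parse_sysctl(text)
    problems = []
    for key in FORWARDING_KEYS:
        value = settings.get(key)
        if value is None:
            problems.append(f"{key}: not present in sysctl output, state unknown")
        elif value != "0":
            problems.append(f"{key}: forwarding is enabled (value {value})")
    return problems


# Constructed sample outputs, not taken from a real machine.
SAMPLE_BAD = """\
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.rp_filter = 1
"""
SAMPLE_GOOD = """\
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
"""
```

Checking the IPv6 switch separately is the point of the example: a host whose IPv4 forwarding is off but whose IPv6 forwarding was never looked at is still a router for one address family.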

Disadvantages of the dual-homed host:


It cannot meet increasingly complex security requirements, nor keep up with new software systems coming onto the market.

It cannot defend against attacks aimed at itself, and once the dual-homed host is compromised it becomes an ideal bridgehead for attacking the internal network.

Assessment of the dual-homed host architecture:

To provide services to users of the internal network there are the following options:

Combine it with proxy servers to provide proxy services.

Give users accounts on the dual-homed host, so that a user who wants a service from the Internet or the external network must log in to this machine.

If users are given accounts on the dual-homed host, they will dislike such an inconvenient way of using services, because every time they want a service they must log in to a machine (the dual-homed host) other than their own. This is not at all transparent to the user.

If proxy servers are used, it is hard to provide many services, because proxy server and proxy client software is not available for every kind of service. And when many services are provided, the system's responsiveness may drop, because all the proxy servers sit on the same machine.

A further basic weakness of both models is that once the dual-homed host, or the proxy servers, are broken into, the attacker who got in through it can see all the traffic inside the internal network, which is extremely dangerous. In Ethernet or Token Ring networks the data flowing through the system can be captured by any machine attached to the network, so this architecture is only suitable for some small networks.

2.2. Screened host architecture

This architecture combines two techniques: packet filtering and proxy services.

Packet filtering: filters the services that the system wants to provide through the proxy server, so that a user who wants a service must connect to the proxy server and cannot bypass it to connect directly to the


internal/external network; at the same time it can allow the bastion host to open certain connections to internal/external hosts.

Proxy service: the bastion host hosts the proxy servers that serve the services the system provides to users through the proxy.

Figure 37: Diagram of the screened host architecture

Main advantages and disadvantages of the screened host architecture

The screened host architecture improves on the dual-homed host architecture in the following specific respects:

Dual-homed host: hard to protect well because the machine provides many services at once, violating the basic rule that each element or component should have as few functions as possible; its response speed is also unlikely to be high, since it takes on many functions at the same time.

Screened host: separates IP packet filtering and the proxy servers onto two different machines. The packet filter only filters packets, so it is easy to control and unlikely to fail (following the few-functions rule). The proxy servers sit on another machine, so their serving capacity (response speed) is also higher.

As with the dual-homed host architecture, if the packet filtering system or the bastion host holding the proxy servers is broken into (the attacker gets through these barriers), the traffic of the internal network is visible to the attacker.


    T khuyt im chnh ca 2 kin trc trn ta c kin trc th 3 sau ykhc phc c phn no khuyt im trn .

    2.3. Kin trc Screened Subnet Host

    Hnh 38: S kin trc Screened Subnet Host

In this architecture the system consists of two Packet-Filtering Routers and one Bastion Host (figure 38). It is the most secure of the architectures because it provides both levels of protection, Network and Application, while defining a perimeter network. The intermediate network (DMZ) acts as a small, isolated network placed between the Internet and the internal network. Basically, a DMZ is configured so that systems on the Internet and on the internal network can reach only a limited set of systems on the DMZ, and direct transmission across the DMZ is not possible.

For incoming traffic, the Exterior Router defends against the standard attacks (such as IP address spoofing) and controls access to the DMZ. It allows outside systems to reach only the Bastion Host. The Interior Router provides a second layer of protection by allowing the DMZ to reach the internal network only for communication that originates from the Bastion Host.

For outgoing traffic, the Interior Router controls access from the internal network to the DMZ. It allows inside systems to reach only the Bastion. The rule


Use a separate Bastion Host to provide the services that the Internet or external users will use, such as an Anonymous FTP Server that internal (local) users do not access.

Figure 39: Diagram of an architecture using two Bastion Hosts

In this way the response speed for local users is, to some extent, not affected (slowed down) by the activity of external users.

Several Bastion Hosts can also be used to provide a single service in order to increase performance (response speed), but balancing the load between those servers is difficult unless the level of usage can be predicted in advance.

Redundancy can be used to ensure the high availability of the system: when one Bastion Host fails, another takes its place. Only some types of service support this, however, for example DNS Server and SMTP Server: several Bastion Hosts can act as DNS Servers or SMTP Servers. When one Bastion Host fails or is overloaded, DNS and SMTP requests are served through another Bastion Host as a fallback system.

Use several Bastion Hosts when services must be provided to several different networks and the kind of data provided to each network is also different.


Use several Bastion Hosts for different servers so that when one server is broken into or fails, the others keep working normally. For example: put the HTTP Server and the FTP Server on two separate machines.

2.5. Architecture merging the Interior Router and the Exterior Router

Using this architecture requires a faster machine to act as the Router.

Figure 40: Diagram of the architecture with merged Interior and Exterior Router

This architecture is close to Screened Host in that, when the exterior/interior Router is broken into, the traffic of the internal network is exposed to the outside; it is better than Screened Host, however, because it also adds an outer network. That outer network holds the servers that may connect to the Internet, and if those servers are broken into, the traffic of the internal network is still not exposed. The architecture is also close to Screened Subnet, but because the exterior Router and the interior Router are merged it has one layer of protection fewer. In general, the architecture with merged interior and exterior Router sits between those two architectures.


2.6. Architecture merging the Bastion Host and the Exterior Router

This architecture is used for a network that has only a single SLIP or PPP link to the Internet.

Figure 41: Diagram of the architecture with merged Bastion Host and Exterior Router

This architecture with merged Bastion Host and Exterior Router is close to Screened Subnet. Its response speed is usually low but still acceptable, because the link speed itself is low; the Exterior Router does little filtering, and packet filtering is done mainly by the Interior Router.


Chapter 3: Firewall components and how they work

A standard Firewall consists of one or more of the following components:

Packet Filter

Application-level Gateway (Proxy Server)

Circuit-level Gateway

3.1. Packet Filter

3.1.1. Operating principle

When data travels between networks through a Firewall, the Firewall is working closely with the TCP/IP protocol. That protocol splits the data it receives from network applications, or more precisely from the services running on top of it (Telnet, SMTP, DNS, SNMP, NFS, ...), into data packets, and gives each packet addresses so that it can be identified and reassembled at the destination. Firewalls of every kind are therefore very much concerned with packets and their address numbers.

The packet filter permits or refuses each packet it receives. It examines the whole data unit to decide whether it satisfies one of the packet filtering rules. These rules are based on the information at the head of each packet (the Packet Header), which is used to forward the packet across the network. That information is:

IP source address

IP destination address

Transport protocol (TCP, UDP, ICMP, IP tunnel)

TCP/UDP source port

TCP/UDP destination port

ICMP message type

Incoming interface of the packet

Outgoing interface of the packet

If a packet filtering rule is satisfied, the packet is passed through the Firewall; otherwise the packet is dropped. This lets the Firewall block connections to particular hosts or networks, or block access to the internal network from addresses that are not allowed. Furthermore, control over ports lets the Firewall permit only certain kinds of connection to certain hosts, or allow only certain services (Telnet, SMTP, FTP, ...) to run on the local network.

3.1.2. Advantages and limitations of a Firewall system using a packet filter

Advantages:

Most Firewall systems use a packet filter. One advantage of packet filtering is its low cost, since the filtering mechanism is already included in every Router's software.

In addition, the packet filter is transparent to users and applications, so it requires no special training.

Limitations: defining the filtering policy is fairly complicated; it requires the network administrator to have detailed knowledge of the Internet services, the packet header formats, and the specific values each field can take. As the filtering requirements grow, the filtering rules become long and complex, and very hard to manage and control.

Because it works on packet headers, the packet filter obviously cannot control the content of a packet. Packets that pass through may still carry actions intended to steal information or cause damage.

3.2. Application-Level Gateway

3.2.1. Operating principle

This is a kind of Firewall designed to strengthen control over the services and protocols that are allowed to reach the network. It works through what is called a Proxy Service. Proxy Services are special pieces of code installed on the gateway for each application. If the network administrator does not install proxy code for an application, the corresponding service is not provided and therefore cannot pass information through the Firewall. The proxy code can also be configured to support only those features of an application that the administrator considers acceptable, while refusing the others.


An application gateway is usually regarded as a fortress (Bastion Host), because it is specially designed to withstand attacks from outside. The security measures of a Bastion Host are:

The Bastion Host always runs secure versions of the system software (the Operating System). These secure versions are designed specifically to resist attacks against the Operating System and to ensure Firewall integration.

Only the services the network administrator considers necessary are installed on the Bastion Host, simply because a service that is not installed cannot be attacked. Typically only a limited set of applications for Telnet, DNS, FTP, SMTP and user authentication is installed on the Bastion Host.

The Bastion Host can require several different levels of authentication, for example a user password or a smart card.

Each Proxy is configured to allow access only to a certain set of hosts. This means the command set and features configured for each Proxy apply only to some of the hosts in the whole system.

Each Proxy keeps a log recording every detail of the traffic through it: each connection and its duration. This log is very useful for tracing or stopping an intruder.

Each Proxy is independent of the other proxies on the Bastion Host. This makes it easy to install a new Proxy or to remove one that is having problems.

Example: Telnet Proxy

Suppose an outside user (the Outside Client) wants to use Telnet to connect into the network through a Bastion Host that has a Telnet Proxy. The process is as follows:

1. The Outside Client telnets to the Bastion Host. The Bastion Host checks the password; if it is valid, the Outside Client is admitted to the Telnet Proxy's interface. The Telnet Proxy allows a small set of Telnet commands and decides which internal hosts the Outside Client may reach.

2. The Outside Client names the destination host, and the Telnet Proxy opens its own connection to that inside host and passes the commands to it on behalf of the Outside Client. The Outside Client believes the Telnet Proxy is the real inside host, while the inside host believes the Telnet Proxy is the real Client.


3.2.2. Advantages and limitations

Advantages:

The network administrator gains full control over each service on the network, because the proxy application restricts the command set and decides which hosts the services may reach.

The network administrator gains full control over which services are allowed, because the absence of a Proxy for a service means that service is blocked.

The application gateway supports very good authentication, and it keeps a log of access to the system.

Filtering rules for an application gateway are easier to configure and check than those of a packet filter.

Limitations: users must change their procedures, or the software installed on the Client machine must be modified, to reach the Proxy services. For example, Telnet through an application gateway takes two steps to connect to the destination host instead of one. However, some Client software makes the application gateway transparent by letting the user name the destination host rather than the gateway on the Telnet command line.

3.3. Circuit-Level Gateway

Figure 42: A connection through a Circuit-Level Gateway

A circuit-level gateway is a special function that an application gateway can perform. It simply relays TCP connections without doing any processing or packet filtering at all.

Figure 42 shows a Telnet connection made through a circuit-level gateway. The gateway simply relays the Telnet connection through the Firewall without checking, filtering or controlling the Telnet protocol in any way. It works like a wire, copying bytes between the inside connection and the outside connection. Because the connection appears to come from the Firewall system, however, it hides information about the internal network.

Circuit-level gateways are usually used for outgoing connections, where the network administrators genuinely trust the inside users. Their biggest advantage is that one Bastion Host can be configured as a hybrid that provides an application gateway for incoming connections and a circuit-level gateway for outgoing ones. This makes the firewall easy to use for people on the internal network who want direct access to Internet services, while still providing the firewall function that protects the internal network from outside attacks.


Chapter 4: Packet Filtering systems

4.1. Introduction to Packet Filtering

A Firewall can be implemented at different layers of the protocol stack. The two common forms are the application layer, implemented by a forwarding application Firewall, and the network layer, implemented by a Filtering Router. In general a Firewall can be implemented at any layer of the protocol stack and for any protocol suite. But because Firewalls are usually used to protect networks connected to the Internet, whose communication protocol is TCP/IP, this part presents the IP-layer form of Firewall.

Figure 43: Operation diagram of Packet Filtering

A Packet Filtering System is a system that protects a network by filtering the packets that enter and leave it.

To carry information from one network to another, the information must be split into packets, and these packets are sent separately. Splitting information into packets is what lets many machines share one communication channel. In IP networks these units are called packets, and all data carried on an IP network is in packet form. The basic device for connecting networks together is the Router. A Router may be dedicated hardware built for the purpose, or software running on a UNIX machine or a PC (MS-DOS, Windows, ...). A packet crossing an internetwork (a network of networks) usually goes from the sending host to one Router, which passes it to the next Router, and so on until the packet reaches its final host.

The basic function of a Router is to receive each packet and send it on. It must decide how to forward the packet toward its final host. A packet normally carries no information to help the Router find the route, apart from the IP address of the machine it is going to. The information in the packet tells the Router where it is going, not how to get there. Routers exchange information with each other using routing protocols such as the Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) to build a routing table in memory, which is used to find the route toward a packet's destination. To send a packet, the Router compares the packet's destination address with the entries in the routing table to determine the path to the destination. If there is no route to a given destination, the Router usually uses a default route, typically sending the packet to a more knowledgeable Router or out to the Internet.

To decide how to send a packet to its final destination, an ordinary Router relies only on the destination address. A Packet Filtering Router must do one more thing: decide whether this packet is allowed to be sent at all. To make that decision it relies on a pre-configured protection policy, and that policy is normally a set of rules called filtering rules.

4.2. Functions of a Packet Filtering Router

Packet Filtering (filtering and monitoring the packets entering and leaving the network) lets us permit or deny the exchange of data between the protected network and the Internet, based mainly on the following information:

The address the data comes from

The address the data is going to

The application-level protocol used to carry the data

Most Packet Filtering Routers do not filter on the content of the data. A Packet Filtering Router typically offers capabilities such as these:


Do not allow anyone to use Telnet (an application-level protocol) to log in from outside into the protected network.

Allow anyone to send e-mail with SMTP (an application-level protocol) to users in the protected network, or the reverse.

The machine with address X may send us news using some protocol, but other machines do not get that privilege.

Because a packet filter filters IP packets mainly by sending and receiving machine address, it cannot allow one user A to use Telnet while another user may not. Nor can a packet filter forbid the transfer of one file while allowing the transfer of others.

The main advantage of Packet Filtering is its global effect. It gives relative protection to the whole network from a single place. Blocking the Telnet service is an example. If we block incoming Telnet by switching off all our Telnet Servers, we have not necessarily blocked Telnet from outside completely, because someone in the organization may install a new machine (or reinstall an old one) with a Telnet Server running. But if Telnet is blocked by the Packet Filtering Router, that newly installed machine is protected too, whether or not its Telnet Server is switched on. In short, a Packet Filtering Router can protect the whole network thoroughly, to a certain level.

Some protection can be provided only by Filtering Routers. A Packet Filtering Router lets us defend against address spoofing attacks on the network. In this kind of attack, the intruder uses the address of the local machine they want to attack as the source address of the data they send. Only the Router can tell that packets of this kind arrive from the outside network (the Internet) yet carry a source address belonging to the network it protects, so only the Router can detect this kind of address spoofing.

4.3. Advantages and disadvantages of Packet Filtering systems

A system using a Packet Filtering Router has the following advantages:

One Filtering Router can protect the whole network: the most important advantage of Packet Filtering is that a Packet Filtering Router at one strategic position can protect the entire network. If only one Router connects the protected network to the Internet, then one Filtering Router is enough to protect the whole network regardless of its size, even though the protection is only to a certain level (the protection is global).

A Packet Filtering System can forbid or permit certain kinds of service, or certain IP addresses of certain systems.

Packet Filtering need not affect users: it requires no change to the Client software or the Client machine's configuration, and users need no training to use a packet filtering system, although user cooperation is still better. This is transparency toward the user. When a Filtering Router receives a packet, examines it and finds that it satisfies the protection rules, it forwards the packet just as an ordinary Router would, so there is no visible difference between a Filtering Router and an ordinary Router.

Filtering is based only on IP address and port number, not on user or application. Some packet filtering systems allow filtering by hostname, but filtering rules should not be specified by hostname, because the system could then be attacked in another way, for example by disabling the DNS Server or by a fake DNS Server answering hostname-to-IP-address queries.

Many Routers now offer Packet Filtering: the capability is supported by many hardware and software vendors in their products, both commercial products and free ones on the Internet.

Although Packet Filtering has the advantages above, it also has the following disadvantages:

A Packet Filtering System can be attacked with network denial of service attacks. Once attackers know the system has a packet filter, they will try to paralyse it with techniques such as message flooding and service overloading. Message flooding paralyses the target system by drowning it in data: the attacker sends a huge number of messages to the target, so that it has no time left to process other requests and may even hang. The typical form is sending a flood of mail messages to the target, so that the mail Server runs out of space to store mail or other information: a disk-full condition.


Current Packet Filtering tools are not perfect: although Packet Filtering is offered by many hardware and software vendors, these products are still incomplete.

Packet Filtering usually has the following limitations:

Defining the packet filtering rules is usually hard to do and hard to configure, because translating a protection policy into a set of filtering rules is generally very difficult.

Once configured, the rules are also hard to test.

The capabilities of many Packet Filtering products are incomplete, and support for implementing some higher-level forms of packet filtering is often hard, sometimes impossible, to achieve.

Like any other product, Packet Filtering products can have bugs, and these bugs can produce unwanted results. They can make the filter behave wrongly, that is, let certain packets through instead of blocking them.

Some protocols are not suited to Packet Filtering. Even with a perfect Packet Filtering product, there are protocols for which packet filtering cannot protect the network, so the services using those protocols must be forbidden. Typical protocols of this kind are the Berkeley r-commands (rcp, rlogin, rdist, rsh, ...) and RPC-based protocols such as NFS and NIS/YP.

Some protection policies cannot be implemented with Packet Filtering: the rules a packet filter lets us specify may not match what we actually need. It cannot protect at the application level, cannot change how a service behaves, and cannot monitor each function of a specific service so as to forbid or allow one function of that service (this depends on the implementation of the Packet Filtering System, but most can do no more than the above). Packet Filtering also cannot let us forbid or allow one user to use a service while another user is not allowed.


4.4. Operating principle of a Packet Filtering system

As introduced above, a packet filter filters IP packets at the packet routing level, with the result being a decision to pass or drop each packet. Processing at this low level gives high speed but less security than an application-level gateway.

A Filtering Router keeps the function of a Router and adds a filter function. The task of a Packet Filtering Router is to route and receive selected packets between internal hosts and external hosts. Packet Filtering can be done at several levels, or at a combination of them. Below is a diagram of a typical data flow (figure 44).

Figure 44: Typical data flow diagram of a Packet Filtering system

Current Packet Filtering products can filter packets only on the packet header and on which interface card the packet arrived from (each packet has two parts: header and data). In short, filtering is based only on control information. With current technology, a packet filter cannot filter packets on their content (it does not make content-based decisions).

Because a packet filter filters packets on the control information in the headers at each layer of the protocol stack, an IP packet filter uses the header information of the IP header and the TCP header.

4.4.1. Filtering packets by address

The simplest form of filtering a Filtering Router can perform is filtering by address. Filtering this way lets us control data by the sending and receiving machine addresses, regardless of the protocol in use. It can be used to allow certain outside machines to exchange data with certain machines in the protected network, and it can also defend against spoofed information in packets (packets arriving from the Internet whose source address is that of a machine inside the protected network).

Risks of filtering by source address:

Each packet header carries the source address of the sending machine, but this information should not be trusted completely, since the sender's address can be forged. Unless we use cryptographic authentication between the two machines exchanging data, we really cannot be sure that the machine we are talking to is the machine it claims to be rather than another machine impersonating it (like sending a letter with someone else's return address). The filtering rule above only rules out an outside machine impersonating an inside one; it cannot detect an outside machine forging the address of another outside machine.

An attacker therefore has two forms of attack based on address forgery: source address spoofing and man in the middle.

The most basic impersonation attack is source address spoofing: the attacker sends us data using a source address that is not their own. Usually they guess an address that our system trusts and then use it as the source address, hoping that we will let their packets into our network, and not expecting any reply packets from the machines in our network. If the attacker does not care about receiving the packets our system sends back, then


    Trng i hc Bch Khoa H Ni n tt nghip

gap between the outgoing UDP packet and the incoming UDP packet within some limit (chosen as appropriate), that is, time-limited.

Although this method can tell whether the internal host or the external host issued the request and which one is replying, it still leaves a hole: an attacker can exploit the fact that the matching reply is let in by forging a reply that matches that host/port pair, and with luck may succeed.

The information used to specify the rules in a packet filter is:

IP source/destination address: the IP address of the machine sending and receiving the packet.

Protocol (TCP | UDP | ICMP): the protocol used on top of IP.

TCP or UDP source/destination port: the application-level service.

ICMP message type: the type of ICMP message.

IP options.

Start-of-connection information (the ACK bit) for TCP packets.

All of the above is in the IP header and the TCP or UDP header. One more important piece of information is which interface the packet came from (from the Internet or from the internal network). Some secondary information can also be used, such as access time, the volume of packets per service, and the time of access.
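Two of the rule fields listed above, the TCP ACK bit and the arrival interface, together with the time-limited UDP request/reply tracking described at the start of this section, as an added example that is not code from the thesis. Inbound TCP on the external interface is accepted only when ACK is set, so replies to connections opened from inside pass while new connections from outside do not; for UDP, which has no ACK bit, an outgoing datagram records its (src, sport, dst, dport) and an incoming datagram is accepted only if it matches a recorded request within the time limit. The clock is injectable so the expiry can be exercised deterministically; addresses, ports and the 30-second limit are constructed.

```python
"""Direction-aware filtering: TCP ACK-bit check and a time-limited UDP reply table.

Added example, not from the thesis. The interface name "ext", the addresses,
ports and the time limit are constructed assumptions.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class TcpSeg:
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool          # ACK flag from the TCP header
    in_if: str         # interface the segment arrived on


def tcp_decision(seg: TcpSeg) -> str:
    """A segment without ACK is the start of a connection. Arriving on the
    external interface, that means an outside host is trying to open a
    connection inward, which this policy refuses; everything else passes."""
    if seg.in_if == "ext" and not seg.ack:
        return "deny"
    return "permit"


Key = Tuple[str, int, str, int]   # (src, sport, dst, dport) of the expected reply


class UdpReplyTable:
    """Remembers outgoing UDP requests so that only matching replies are let in.

    Residual risk, as the text notes: while an entry is open, a forged datagram
    that matches the same addresses and ports is indistinguishable from the
    real reply. Keeping the window short and consuming the entry on first use
    narrows that window but cannot close it.
    """

    def __init__(self, ttl_seconds: float, now: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.now = now
        self.pending: Dict[Key, float] = {}

    def outgoing(self, src: str, sport: int, dst: str, dport: int) -> str:
        # Store the key in the orientation the reply will have.
        self.pending[(dst, dport, src, sport)] = self.now()
        return "permit"

    def incoming(self, src: str, sport: int, dst: str, dport: int) -> str:
        key: Key = (src, sport, dst, dport)
        sent_at = self.pending.pop(key, None)      # one reply per request
        if sent_at is None:
            return "deny"                          # unsolicited
        if self.now() - sent_at > self.ttl:
            return "deny"                          # reply arrived too late
        return "permit"

    def expire(self) -> int:
        """Drop stale entries; returns how many were removed."""
        cutoff = self.now() - self.ttl
        stale = [k for k, t in self.pending.items() if t < cutoff]
        for k in stale:
            del self.pending[k]
        return len(stale)


if __name__ == "__main__":
    table = UdpReplyTable(ttl_seconds=30)
    print(table.outgoing("10.0.0.5", 40000, "203.0.113.53", 53))   # DNS query out
    print(table.incoming("203.0.113.53", 53, "10.0.0.5", 40000))   # its answer
    print(table.incoming("203.0.113.53", 53, "10.0.0.5", 40000))   # a second copy
    print(tcp_decision(TcpSeg("203.0.113.5", "10.0.0.5", 4444, 23, ack=False, in_if="ext")))
```

The UDP table is the stateless-filter precursor of what later stateful firewalls do in the kernel; the point of the example is the asymmetry it creates (inside may initiate, outside may only answer) and the window in which a matching forgery still passes.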


Chapter 5: Proxy systems

A proxy gives users Internet access through a single host. Proxy Servers serve a particular protocol, or a set of protocols, and run on a dual-homed host or a Bastion Host. The users' Client programs go through the Proxy Server as an intermediary instead of the real server the user wants to talk to.

The Proxy Server evaluates the requests from the Client and decides whether or not to serve them. If a request is accepted, the Proxy Server connects to the real server on the Client's behalf, forwards the Client's requests to the server, and forwards the server's responses back to the Client. The Proxy Server is thus an intermediary bridge between the real server and the Client.

5.1. Purpose and function of a Proxy

To satisfy users who need to reach applications offered on the Internet while still keeping the local system secure, most of the proposed methods provide a single host through which all users access the Internet. This is not the most satisfactory solution, however, because it makes users uncomfortable. To reach the Internet they cannot do their work directly: they have to log in to the dual-homed host, do all the work there, and then somehow move the results back to their own workstation.

This becomes very awkward on systems with several different operating systems (for example when the user's system is a Macintosh but the dual-homed host is a Unix system).

When a dual-homed host is designed on a model without a Proxy, it frustrates users further and, more notably, reduces the benefits the Internet offers; worse, such hosts usually do not provide adequate security, since a machine shared by many users is naturally less secure, especially when those users are trying to deal with things on the outside.

A Proxy System makes users more comfortable and keeps the dual-homed host secure by handling the users' requests indirectly through the dual-homed host. The Proxy system lets all of this interaction happen behind the scenes, in one form or another. Users feel that they are working directly with the Internet server they actually want to reach.

Figure 45: A connection using an Application-Level Gateway

The Proxy Application is the program on the application-level gateway Firewall that relays users' requests through the Firewall. The process runs in the following order:

Establish a connection to the Proxy application on the Firewall.

The Proxy Application collects information about the connection and the user's request.

It uses that information to decide whether the request is acceptable; if so, the Proxy opens another connection from the Firewall to the destination host.

It then acts as the intermediary, passing data back and forth between the Client and the Server.

The Proxy System removes the risk to the host by keeping users from logging in to it and forcing them to go through controlling software instead.
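The Telnet proxy walk-through of section 3.2.1 and the four-step procedure just listed describe the same control flow, so here is one added example (not code from the thesis) that models it as a session state machine on a bastion host: the outside client first authenticates, the proxy allows only a small command set, it will relay only to inside hosts on its allow list, and it writes every decision to its log. The user names, passwords, host names, command set and reply codes are constructed; the connection to the inside host is a stub that only records where the proxy would connect.

```python
"""Application-level (Telnet-style) proxy modelled as a session state machine.

Added example, not code from the thesis. Credentials, host names, the command
set and the reply codes are constructed; the inside connection is a stub.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

ALLOWED_HOSTS = {"mail.internal.example", "files.internal.example"}   # constructed
ALLOWED_COMMANDS = {"connect", "help", "quit"}                          # the proxy's small command set

_SALT = b"example-salt"   # constructed; a real deployment uses a random per-user salt


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: user -> (salt, password hash)
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT, _pw_hash("correct horse battery", _SALT)),
}


class TelnetProxy:
    def __init__(self) -> None:
        self.user: Optional[str] = None      # set after a successful login
        self.target: Optional[str] = None    # inside host the proxy is relaying to
        self.log: List[str] = []             # audit trail, one line per decision

    def authenticate(self, user: str, password: str) -> bool:
        entry = USERS.get(user)
        # Hash even for unknown users so timing does not reveal whether the
        # account exists; compare_digest keeps the comparison constant-time.
        salt, expected = entry if entry else (_SALT, b"\x00" * 32)
        ok = entry is not None and hmac.compare_digest(expected, _pw_hash(password, salt))
        self.log.append(f"auth user={user} result={'ok' if ok else 'fail'}")
        if ok:
            self.user = user
        return ok

    def handle(self, line: str) -> str:
        """Process one command line from the client; return the proxy's reply."""
        if self.user is None:
            return "530 login required"
        parts = line.strip().split()
        if not parts:
            return "500 empty command"
        cmd, args = parts[0].lower(), parts[1:]
        if cmd not in ALLOWED_COMMANDS:
            self.log.append(f"user={self.user} rejected command={cmd}")
            return "502 command not permitted by proxy"
        if cmd == "help":
            return "214 commands: " + " ".join(sorted(ALLOWED_COMMANDS))
        if cmd == "quit":
            self.log.append(f"user={self.user} quit")
            return "221 goodbye"
        host = args[0] if args else ""
        if host not in ALLOWED_HOSTS:
            self.log.append(f"user={self.user} rejected host={host}")
            return "553 host not permitted"
        self.target = host       # stub: a real proxy opens its own TCP connection here
        self.log.append(f"user={self.user} connect host={host}")
        return f"200 relaying to {host}"


if __name__ == "__main__":
    proxy = TelnetProxy()
    proxy.authenticate("alice", "correct horse battery")
    for line in ("help", "connect db.internal.example", "connect mail.internal.example", "quit"):
        print(f"> {line}\n{proxy.handle(line)}")
    print("\n".join(proxy.log))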

5.1.1. Why a Proxy is needed

A Proxy lets users reach Internet services as if directly. With a dual-homed host, users must log in to the host before using any Internet service, which is usually inconvenient, and some people become frustrated at the feeling of having to go through the Firewall; the Proxy solves this problem. There are still underlying protocols beneath it, of course, but in general it is quite convenient for the user. Because the Proxy lets users reach Internet services from their own systems, it does not let packets travel directly between the user's system and the Internet. The path is indirect, through the dual-homed host or through the combination of a Bastion Host and a screening Router.

Because the Proxy understands the underlying protocol, logging can be done in a particularly effective way. For example, instead of logging everything that crosses the link, an FTP Proxy Server logs only the commands issued and the server responses received. The result is much simpler and more useful.

5.1.2. Disadvantages of a Proxy

Although proxy software is widely available for old and simple services such as FTP and Telnet, proxies for newer and less widely used software are rarely found. There is usually a lag between the appearance of a new service and a Proxy for it, and how long that lag is depends on how the Proxy for the service has to be designed; this makes bringing a new service into the system fairly difficult. A new service for which no Proxy exists yet should be placed outside the Firewall, because placing it inside the system creates a weak point.

Sometimes a different Proxy Server is needed for each protocol, because the Proxy Server must understand the protocol to decide what is allowed and what is not. Acting as the Client toward the real server and as the real server toward the Proxy Client, and combining, installing and configuring all these different servers, can be very difficult.

Proxy services usually require changes to the Client program, to the user's procedure, or both. Except for a few services designed for proxying, a Proxy Server needs changes to the Client or the procedure, and each change has its own inconveniences: the tools already in place cannot always be used in their current form.

Proxying relies on being able to insert a Proxy Server between the Client and the real server, which requires relatively cooperative behaviour from both sides.

Proxy services do not protect the system against poorly designed protocols. As a security solution, proxying relies on being able to identify which operations in a protocol are safe. Not all services are built with this in mind; the X Window protocol, for example, offers quite a few unsafe operations.

5.2. Connecting through a Proxy (Proxying)

The details of how proxying works differ from one service to another. When proxying is set up, some services are handled easily or automatically, while for others the conversion is very hard. In most services, however, besides the corresponding Proxy Server software, the Client side also needs one of the following:

Custom Client software: software of this kind must know how to connect to the Proxy Server instead of the real server when the user makes a request, and how to tell the Proxy Server which real server to connect to. Custom Client software is usually available only for a few platforms.

For example, the igateway package from Sun is a Proxy package for FTP and Telnet, but it can be used only on Sun systems because it is provided as recompiled Sun binaries.

Figure 46: Connection between the user (Client) and the Server through a Proxy

Even when software is available for the right platform, it may not be what the user wants. For example, there are dozens of FTP Client programs for the Macintosh; a few of them have really impressive user interfaces, and others have other useful features. Anarchie combines an archie Client and an FTP Client in a single program, so the user can find a file with archie and fetch it with FTP, all through a consistent user interface; that is unfortunate for us if we want to support the Proxy Server.

Getting users to accept modified Clients for proxying is not easy. On most systems the unmodified Client is used for internal connections and the modified one only for external connections, so users only have to use the extra programs to make an outside connection.

Custom user procedure: the user uses standard Client software to talk to the Proxy Server, which then connects to the real server, instead of talking to the real server directly. The Proxy Server is designed to work with standard Client software, but it requires users to follow a custom procedure. The user first connects to the Proxy Server and then gives it the name of the host they want to reach. Because few protocols are designed to carry this information, users not only have to remember the name of the Proxy Server but also the names of the other hosts they want to talk to.

    Nh th no thc hin nhng cng vic ny, cn phi nm c nhng

    th tc c trng theo sau mi nghi thc.

5.3. Types of proxy

5.3.1. Direct connection

The first method used in proxying is to have the user connect directly to the firewall proxy, using the firewall's address and the proxy's port number; the proxy then asks the user for the address of the destination host. This is a brute-force method that a firewall can apply easily, and there are several reasons why it is the least suitable one.

First, it requires the user to know the address of the firewall. Next, it requires the user to enter two addresses for every connection: the firewall's address and the destination address. Finally, it prevents applications or scripts on the user's machine from making connections on the user's behalf, because they do not know how to handle the special requirements of communicating with the proxy.

5.3.2. Modified client

The next method of using a proxy setup is to add applications to the user's machine. The user runs special applications that know how to create a connection through the firewall. To the user, such an application behaves just like an unmodified one: the user gives the address of the destination host. The added application learns the firewall's address from a local config file, sets up a connection to the proxy application on the firewall, and passes it the address supplied by the user. This method is very effective and is transparent to the user; however, needing an additional client application for every network service is a drawback.

5.3.3. Invisible proxy

A recently developed method allows access to the proxy in some firewall systems known as invisible proxies. In this model there is no need for additional applications on the user's side, and the user does not have to connect directly to the firewall or even know that the firewall exists. Using basic routing control, all connections to the outside network are directed through the firewall. As packets enter the firewall, they are automatically redirected to the waiting proxy application. In this way the firewall does very well at pretending to be the destination host. When the connection reaches the firewall proxy, the client application believes it is connected to the real server; if the connection is permitted, the proxy application then performs the standard proxy function of creating a second connection to the real server.

Application-level proxy versus circuit-level proxy: an application-level proxy operates at the application layer. It is provided for each individual service and interprets the commands of that protocol. A circuit-level proxy creates a circuit between client and server without needing to interpret the protocol. In general, application-level proxies use modified procedures and circuit-level proxies use modified clients. To create a proxied connection, the proxy must know where it is supposed to connect to. A simple hybrid gateway can intercept the connection, but a proxy host can only receive connections that are addressed to it, and must be told where to connect. An application-level proxy can obtain this information within each particular protocol. A circuit-level proxy cannot interpret each protocol and needs this information supplied to it in some other way. The advantage of a circuit-level proxy is that it serves most protocols; almost every circuit-level proxy server is also a generic proxy server for all kinds of protocols. However, not every protocol is easily handled by a circuit-level proxy. The disadvantage of a circuit-level proxy server is that it controls what passes through the proxy much like a packet filter: it controls connections basically on the basis of source and destination address, and cannot verify that the commands passing through it are safe or are the events the protocol expects. A circuit-level proxy is easily fooled by servers set up on ports assigned to other servers.

Generic versus dedicated proxies: although the terms application-level and circuit-level are the ones commonly used, a distinction is sometimes also made between dedicated and generic proxy servers. A dedicated proxy server serves a single protocol; a generic proxy server serves many protocols. In practice, dedicated proxy servers are application-level, and generic proxy servers are circuit-level.

Intelligent proxy server: a proxy server that can do more than simply forward requests is an intelligent proxy server. For example, the CERN HTTP proxy server caches data, so many data requests never leave the system without being handled by the proxy server. Proxy servers (especially application-level servers) can easily provide logging and better access control, whereas circuit-level proxies are usually limited in these capabilities.

Using proxying with Internet services: because the proxy inserts itself into the connection between client and server, it must be adapted to each individual service. Some services are very easy to run in the normal way but become very hard once a proxy is added.

TCP versus other protocols: TCP is a connection-oriented protocol, so the difficulty is confined to the initial stage of setting up the connection; after that the same connection is simply used for communication. UDP is the opposite and is therefore harder. ICMP is a low-level protocol, so a proxy can be used for it.

Unidirectional versus multidirectional connections: it is easy for a proxy server to intercept connections initiated by a client towards a server, but it is very hard to intercept connections in the reverse direction; the server may have to interpret or modify additions to the protocol in order to create the connection correctly.

Example: normal-mode FTP requires the proxy server to intercept the port that the client sends to the server, open a connection from the proxy to the client on that port, and send a different port to the real server. The proxy server cannot simply reuse that same port on its own side, because the port may already be in use. This problem always arises with protocols that require connections in the reverse direction.
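As an added example (not code from the thesis), the following Python sketch contrasts the two decisions discussed above: a circuit-level check that sees only addresses and ports, and an application-level FTP proxy that interprets each control-channel command, refuses verbs outside an assumed read-only safe set (so a non-FTP server placed on port 21 is caught), and rewrites PORT so the reverse data connection uses the proxy's own address and a fresh port. The proxy address, port range and verb set are assumptions.

```python
import re

# Added example, not the thesis's code: control-channel handling for an
# application-level FTP proxy, beside a circuit-level check for comparison.
PROXY_IP = "192.0.2.10"          # assumed: the firewall's outside address
# Assumed read-only policy: verbs an application-level proxy lets through.
SAFE_VERBS = {"USER", "PASS", "CWD", "PWD", "TYPE", "LIST", "RETR", "PORT", "QUIT"}
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)


def circuit_level_allows(src_ip, dst_port, allowed_ports=(21,)):
    """Circuit-level decision: internal source and permitted port, nothing else."""
    return src_ip.startswith("10.") and dst_port in allowed_ports


def parse_port(cmd):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if malformed."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


def format_port(ip, port):
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpControlProxy:
    def __init__(self, proxy_ip=PROXY_IP, first_port=40000):
        self.proxy_ip, self.next_port = proxy_ip, first_port
        self.client_listeners = []   # (ip, port) the proxy must itself connect back to

    def handle(self, cmd):
        """Return (command to forward or None, reason) for one client command."""
        verb = cmd.split(None, 1)[0].upper() if cmd.strip() else ""
        if verb not in SAFE_VERBS:          # a circuit-level proxy would pass this
            return None, f"denied: {verb or '<empty>'} is not a permitted FTP verb"
        if verb == "PORT":
            target = parse_port(cmd)
            if target is None:
                return None, "denied: malformed PORT"
            self.client_listeners.append(target)   # remember the client's listener
            own = self.next_port                   # a fresh port on the proxy side,
            self.next_port += 1                    # since the client's may be in use here
            return format_port(self.proxy_ip, own), f"rewritten: proxy listens on {own}"
        return cmd.strip(), "forwarded"
```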

Protocol security: for some services, proxying may be quite simple, but that does not remove the security problem. If a protocol is inherently insecure, the proxy cannot do anything to make it more secure. Usually, if it is hard to distinguish safe operations from unsafe ones, the service should be placed on a victim host.

User-specified data: some services, particularly store-and-forward services such as SMTP and NNTP, inherently support proxying themselves. These services are designed so that messages are received by a server and stored until they can be passed on to the corresponding servers. If you look at the Received headers of incoming Internet e-mail, a message travels from sender to recipient through these steps: the sending machine, the outgoing mail gateway at the sender's site, the incoming mail gateway at the recipient's site, and finally the receiving machine.
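As an added example (not from the thesis), the following Python code reconstructs the store-and-forward path just described from a message's Received headers, and checks that each hop was received from the host the previous hop says it handed the message to. The message and all host names are constructed.

```python
import re

# Added example, not the thesis's code: reconstruct the store-and-forward path of
# a message from its Received: headers. All hosts and addresses are constructed.
RAW_HEADERS = """\
Received: from mailin.example.net (mailin.example.net [192.0.2.20])
        by inbox.example.net with SMTP; Tue, 02 Aug 2005 10:00:05 +0700
Received: from mailout.example.org (mailout.example.org [198.51.100.5])
        by mailin.example.net with ESMTP; Tue, 02 Aug 2005 10:00:03 +0700
Received: from pc-sender.example.org (pc-sender.example.org [10.1.2.3])
        by mailout.example.org with ESMTP; Tue, 02 Aug 2005 10:00:01 +0700
From: sender@example.org
Subject: proxy test
"""
RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+).*?\bby\s+(\S+)", re.I)


def unfold(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """(from, by) pairs in chronological order: each gateway prepends its own
    header, so the top of the message is the newest hop."""
    hops = [m.groups() for m in map(RECEIVED_RE.match, unfold(raw)) if m]
    hops.reverse()
    return hops


def mail_path(raw):
    """Host list from sender to recipient: the four steps described above."""
    hops = received_hops(raw)
    return ([hops[0][0]] + [by for _, by in hops]) if hops else []


def chain_consistent(raw):
    """True when every hop was received from the host that claims to have sent
    it on. A break means a header was forged or a relay skipped; headers older
    than the break are not trustworthy."""
    hops = received_hops(raw)
    return all(hops[i][1] == hops[i + 1][0] for i in range(len(hops) - 1))
```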