3.3.2. Dynamic IP address translation (Dynamic NAT) ..... 45
3.3.3. IP address masquerading (masquerade) ..... 46
3.3.4. Some examples of using NAT ..... 46
4.1. How a firewall with a DMZ works ..... 49
4.2. Structure of the configuration file and configuration ..... 50
4.2.1. Configuring the options ..... 50
4.2.2. Loading the required modules into the kernel ..... 51
4.2.3. Required settings for the proc file system ..... 51
4.2.4. Setting up the rules ..... 51
4.3. Configuring internal machines to access the outside network ..... 56
4.4. Testing the firewall ..... 56
4.5. Building software for remote administration of the IPTables firewall ..... 59
4.5.1. Problem description ..... 59
4.5.2. Some program interfaces ..... 59
4.5.3. Evaluation of the software ..... 62
ACKNOWLEDGEMENTS
First of all, I would like to express my sincere thanks to Prof. Dr. Trần Hữu Nghị, rector of the university, who played a major part in founding Hải Phòng Private University (ĐHDL Hải Phòng). I also extend my deep gratitude to the lecturers of the Informatics Department of ĐHDL Hải Phòng, who taught me devotedly and gave me valuable knowledge throughout the past four years of study. In particular, I sincerely thank Dr. Phạm Hồng Thái and BSc. Lương Việt Nguyên of the University of Technology, who spent much valuable time and effort guiding me and created every favourable condition for me to complete this thesis. Finally, I thank my family, friends and relatives, who have always stood by me with encouragement, help and support. Because of my limited knowledge and experience, this thesis still has many shortcomings; I look forward to the criticism, assessment and comments of the lecturers and my friends.
Nguyễn Thị Thủy
INTRODUCTION
The need to exchange information forces agencies and organisations to join the global Internet. Information safety and security is one of the most important issues when the internal network of an agency, enterprise or organisation is connected to the Internet. Today, information security measures for personal computers as well as for internal networks have been researched and deployed. Nevertheless, networks are still attacked regularly and organisations have their information stolen, with extremely serious consequences. These attacks target every computer present on the Internet: the computers of large companies such as AT&T and IBM, universities and state agencies, military organisations and banks; some attacks have been enormous in scale (up to 100,000 computers attacked). Moreover, these figures are only the tip of the iceberg. A very large share of attacks is never reported, for many reasons, among them the fear of losing reputation, or simply that the administrators of a project are unaware of the attacks aimed at their systems. Not only is the number of attacks growing rapidly, the attack methods are also being refined continuously. This is partly because system administrators are becoming more and more vigilant. Connecting the internal network of one's agency or organisation to the Internet without security measures is therefore considered suicidal. The need for development requires agencies and organisations to join the global network, the Internet, while still ensuring information security during the connection. For that reason I decided to choose the topic: Researching a solution for protecting internal networks, in order to control the flow of information in and out and to protect internal networks from attacks from the Internet. This thesis will present, in an overview, the concepts of networks and firewalls, how to protect a network with a firewall, and how to build a firewall.
A Trojan is a program that runs illegitimately on a system while posing as a legitimate program. Such a Trojan is able to run because a legitimate program has had its code altered into illegitimate code. For example, virus programs are a typical kind of Trojan. Virus programs usually hide their code fragments inside legitimately used programs. When those programs are activated, the hidden code executes and performs functions the user does not know about, such as stealing passwords or copying files, without users like us being aware of it. A Trojan program performs one of the following tasks: it carries out some function, or it helps the programmer who wrote it discover important or personal information on a system, or only on some components of that system.
Student ID (MSSV): 10419 - Nguyễn Thị Thủy - CT 701 - Page 15
Figure 1: Model using a hardware firewall.
In this model, information from the Internet cannot go directly into the protected network area, and vice versa; it must pass through the hardware firewall. The inspection process takes place as follows: if the information in the packet header, including the source IP address, the destination IP address, the port and so on, is accepted, the packet is forwarded into the internal network or out to the external Internet. Today there are a number of well-known manufacturers of hardware firewalls worldwide, such as CISCO, D-LINK and PLANET.
b. Software firewall
This kind of firewall is an application program whose operating principle is based on a proxy application, a piece of software that forwards the packets received by a server to particular destinations on request, with the packet-filtering rules set up by the user. This kind of firewall is typically used when a computer network has a server through which all information passes before being forwarded to the client machines in the network, or on a personal computer that joins a network. The convenience of a software firewall is that the software can easily be changed and updated to new versions. The way this kind of firewall works is also very simple. The firewall software runs resident on a server or a personal computer; that machine can take on many tasks besides being a firewall. Every packet that arrives or departs has its header checked by the firewall software, including the destination address, source address, protocol, service port and so on. Newer software firewalls can also inspect the content of a packet. The information the firewall checks is specified in advance by the user in the rule set. If the firewall software lets a packet through, it is then delivered to the client machines in the network or to the applications running directly on that machine.
Figure 2: Model using a software firewall.
In this model the computer running the firewall application acts as an intermediary. It receives packets from the Internet and from the Protected Network and then checks the packet headers for information such as the destination address, source address, protocol, service port and so on; if the firewall software accepts the packet, it continues on to its destination. Otherwise, if the packet is not accepted for forwarding, the firewall software decides to discard it. There are several ways of discarding: discarding without telling the sender the reason (DROP), discarding but replying to the sender with the reason (REJECT), and so on. This handling of discarded packets is what limits the speed of this kind of firewall. Some widely used software firewalls that are highly rated for their packet-filtering ability are ZoneAlarm Pro, SmoothWall, McAfee Personal Firewall Plus and Sygate Personal Firewall.
c. Advantages and disadvantages of firewalls
Each type of firewall has its advantages and disadvantages and is used in different situations. Hardware firewalls are usually used to secure large networks, because without a hardware firewall a software firewall system is needed, that is, a server machine. That server receives every packet, inspects it and forwards it to the machines in the network. Since a software firewall operates more slowly than a hardware firewall, this greatly affects the speed of the whole network. Software firewall systems, on the other hand, are usually used to secure personal computers or a small network. Using a software firewall system helps reduce cost, because hardware firewall devices cost many times more than a software firewall system. Furthermore, when we use a software firewall system to secure a personal computer or a network with
[Diagram labels: Outside, The Internet, router, Inside, Internal network]
... attacks on filters whose configuration is imperfect, or covert attacks under permitted services. Because packets are exchanged directly between the two networks through the router, the risk of attack is determined by the number of permitted hosts and services. As a consequence, every host allowed to access the Internet directly must be provided with a complex authentication system and must be checked regularly by the network administrator for any sign of attack. If a packet-filtering router stops working because of some failure, every system on the internal network can be attacked.
b. Screened Host Firewall
This system consists of a packet-filtering router and a bastion host. A Screened Host Firewall provides higher security than a Packet-Filtering Router, because it implements security at both the network layer (packet filtering) and the application level. An attacker must therefore break through both security layers to attack the internal network.
Figure 4: Screened Host Firewall (diagram label: Information server).
In this system, the bastion host is configured inside the internal network. The filtering rules on the packet-filtering router are defined so that all external systems can access only the bastion host. Communication to all internal systems is blocked. Because the internal systems and the bastion host are on the same network, the organisation's security policy decides whether the internal systems are allowed to access the Internet directly or must use the proxy services on the bastion host. Internal users are forced to do so by configuring the router's filter so that it only accepts internal traffic originating from the bastion host.
Advantages
A server providing public information via the Web and FTP services can be placed on the packet-filtering router and the bastion host. Where the highest level of safety is required, the bastion host can run proxy services that require all users, inside and outside, to go through the bastion host before connecting to the server. Where high security is not required, internal machines can connect to the server directly. If even higher security is needed, a dual-homed bastion host firewall system can be used. Such a bastion host has two interfaces.
Figure 5: Dual-homed bastion host firewall system (diagram label: Information server).
Limitations
Because the bastion host is the only internal system reachable from the Internet, attacks are limited to the bastion host alone. However, if a user manages to log on to the bastion host, they can easily access the whole internal network. Users must therefore be prohibited from logging on to the bastion host.
c. Demilitarized Zone (DMZ) or Screened-subnet Firewall
This system consists of two packet-filtering routers and a bastion host. This firewall system has the highest level of safety, because it provides security at both the network and application levels while defining a demilitarized network. The DMZ network acts as a small, isolated network placed between the Internet and the internal network. Basically, a DMZ is configured so that systems on the Internet and on the internal network can reach only a limited number of systems on the DMZ network, and direct transmission across the DMZ network is impossible. For incoming information, the outer router defends against standard attacks (such as IP address spoofing) and controls access to the DMZ. It allows systems
Figure 6: Screened-subnet Firewall (diagram labels: Inside, DMZ, Outside, The Internet, Outside packet filtering router, Bastion host, router).
Advantages
An attacker needs to break through three layers of protection: the outer router, the bastion host and the inner router. Because the outer router advertises only the DMZ network to the Internet, the internal network is invisible. Only a few selected systems on the DMZ are known to the Internet, through the routing table and DNS (Domain Name Server) information exchange.
2.2.8. Simplicity
Anything simple becomes easy to understand. If we do not understand something clearly, we cannot know whether it is secure or not.
2.4. Packet filtering and how it works
When we talk about transferring data between networks through a firewall, it means that the firewall works in close combination with the TCP/IP protocol suite, which works by splitting the data received from network applications into smaller units. That is, the data received from services running on the common network protocols (for example telnet, SMTP, DNS, SNMP, ...) is divided into data packets. These packets are given addresses and information so that they can be received and reassembled into the original data. For that reason all kinds of firewalls are closely concerned with packets and their addresses; below we will look at what packet filtering is and how it works.
2.5. Conclusion
Firewall systems are set up to ensure network security by controlling the headers of packets. But to use a firewall to secure a network effectively, the system administrator needs a deep understanding of destination IP addresses, source IP addresses, service ports and network protocols (TCP, UDP, SMTP), and in particular needs tools that help configure the firewall system effectively. In the next chapter I present the Iptables firewall tool integrated into the open-source Linux operating system for protecting the internal network.
Chapter 3:
AN OVERVIEW OF IPTABLES IN THE LINUX OPERATING SYSTEM
Today there are many firewall programs implemented on operating systems such as Windows NT, Linux and Solaris. On the open-source Linux operating system, the new version of the IPtables firewall software is truly a powerful tool for ensuring network security. The network administrator can use it with many useful options. But because the software has a great many parameters, using it requires the user to have in-depth knowledge of computer networks. So those with little knowledge of computer networks and no clear understanding of the program's parameters cannot use the IPtables tool. Within the scope of this thesis I study the Iptables firewall tool on Linux for controlling users on the internal network, who may send any access request on any protocol from inside the machine to the outside, while any access request on any protocol from the outside in is blocked. In addition, as we know, a machine running Linux has a number of services listening (LISTEN). These services serve you alone, and you do not want anyone from the Internet to access them. So we must build rules stating that when a packet enters (INPUT) the firewall, the firewall checks whether there is a suitable INPUT rule allowing it in; if not, the firewall blocks it according to the default policy. This increases security and gives the computer network administrator flexibility. In this chapter I give an overview of the IPtables firewall tool and look at some basic rule sets in IPtables:
Figure 7: The IPTables firewall in Linux.
Iptables is a very powerful packet-filtering firewall application, available inside the Linux kernel 2.4.x and 2.6.x. Netfilter/Iptables consists of two parts: Netfilter inside the Linux kernel and Iptables outside the kernel. IpTables is responsible for the interface between the user and Netfilter, pushing the user's rules into Netfilter for processing. Netfilter filters packets at the IP level. Netfilter works directly in the kernel, is fast and does not slow the system down. It was designed to replace Ipchains of Linux 2.2.x and ipfwadm of Linux 2.0.x, has more features than Ipchains, and is built more sensibly in the following respects:
What can Netfilter/Iptables do?
- Build a firewall based on stateless and stateful packet filtering.
- Use the NAT table and masquerading to share network access when network addresses are lacking.
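The "deny by default" INPUT policy described in the chapter introduction (a packet entering the firewall host must match an explicit INPUT rule or fall to the default policy) written out as a script, as an added example; this is not the thesis's own rule set and not code from the Netfilter project. The interface name eth1, the LAN range 192.168.0.0/24 and the choice of SSH as the only service opened to the LAN are assumptions. It also shows the DROP/REJECT distinction from section 2: LAN hosts get an ICMP reply, the Internet side gets silence.

```shell
#!/bin/sh
# Added example: a deny-by-default INPUT chain for the firewall host itself.
# IPT names the iptables binary; set IPT="echo iptables" to print the rules
# instead of loading them (that is how the dry run below works).
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"                 # assumed: interface facing the LAN
LAN_NET="${LAN_NET:-192.168.0.0/24}"     # assumed LAN range (same as the NAT examples)

# Emit the INPUT rules in order. Rules are matched top to bottom; a packet that
# matches none of them is handled by the policy set on the first line.
input_policy() {
    $IPT -P INPUT DROP                                               # default: discard silently
    $IPT -A INPUT -i lo -j ACCEPT                                    # loopback is always local
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT     # replies to our own connections
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT   # SSH from the LAN only
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT         # allow ping for troubleshooting
    $IPT -A INPUT -j LOG --log-prefix "INPUT-DROP: "                 # record everything that falls through
    $IPT -A INPUT -i "$LAN_IF" -j REJECT --reject-with icmp-port-unreachable   # LAN gets an answer (REJECT)
    # Anything else (the Internet side) gets no answer: the DROP policy applies.
}

# Count the rules a dry run would append; a sanity check before applying for real.
input_rule_count() {
    (IPT="echo iptables"; input_policy) | grep -c '^iptables -A INPUT'
}
```

Run it as root to load the rules, or as `IPT="echo iptables" sh script.sh` to review the exact commands first; the LOG rule is what makes the default policy observable in the system log instead of invisible.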
Figure 8: Dynamic IP address translation.
The NAT router takes charge of translating the internal IP range 169.168.0.x into the new IP range 203.162.2.x. When a packet with source IP 192.168.0.200 arrives at the router, the router
Figure 9: IP address masquerading.
The NAT router translates the internal IP range 192.168.0.x into a single IP, 203.162.2.4, by using different port numbers. For example, when an IP packet with source 192.168.0.168:1204 and destination 211.200.51.15:80 arrives at the router, the router changes the source to 203.162.2.4:26314 and records this in a table called the dynamic masquerade table. When a packet from outside with source 221.200.51.15:80 and destination 203.162.2.4:26314 arrives at the router, the router uses the current dynamic masquerade table to change the destination from 203.162.2.4:26314 to 192.168.0.164:1204. Communication between machines in the LAN and other machines outside is completely transparent through the router.
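A small model of the dynamic masquerade table of Figure 9, added here as an example; it is not from the thesis and is not how the kernel stores the table (the real one is the connection-tracking table in Netfilter). It keeps the mappings in a temporary file, uses the router address 203.162.2.4 and the first public port 26314 from the figure, and assumes the inside host is 192.168.0.168 for both directions. It also shows the case the figure does not: a packet from the Internet for a port with no mapping has no LAN host to go to and is dropped.

```shell
#!/bin/sh
# Added example: a toy model of the dynamic masquerade table of Figure 9.
# The real table lives in the kernel (conntrack); here it is a temp file with
# one line per mapping:  inside_ip:inside_port <tab> public_port
PUBLIC_IP="203.162.2.4"                 # the router's single public address (from the text)
MASQ_FIRST_PORT=26314                   # first port the router hands out (assumed; matches the figure)
MASQ_TABLE="${MASQ_TABLE:-$(mktemp)}"   # the "dynamic masquerade table"

# Outbound packet from the LAN. Arguments: inside_ip inside_port.
# Reuses an existing mapping or allocates the next public port, then prints the
# rewritten source "PUBLIC_IP:public_port".
masq_out() {
    masq_key="$1:$2"
    masq_port=$(awk -v k="$masq_key" '$1 == k { print $2; exit }' "$MASQ_TABLE")
    if [ -z "$masq_port" ]; then
        # next port = first port + number of mappings already recorded
        masq_port=$((MASQ_FIRST_PORT + $(wc -l < "$MASQ_TABLE")))
        printf '%s\t%s\n' "$masq_key" "$masq_port" >> "$MASQ_TABLE"
    fi
    printf '%s:%s\n' "$PUBLIC_IP" "$masq_port"
}

# Inbound packet from the Internet. Argument: the public_port it was sent to.
# Prints the restored inside destination "inside_ip:inside_port", or DROP when
# no mapping exists: an unsolicited packet has no LAN host to go to, which is
# why a masquerading router blocks inbound connections by default.
masq_in() {
    masq_hit=$(awk -v p="$1" '$2 == p { print $1; exit }' "$MASQ_TABLE")
    if [ -z "$masq_hit" ]; then
        echo "DROP"
    else
        echo "$masq_hit"
    fi
}
```

Call `masq_out 192.168.0.168 1204` for the outbound packet of the figure and `masq_in 26314` for the reply; the port is derived from the number of recorded mappings so the allocation is the same whether the function runs in the current shell or in a command substitution.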
To create a transparent connection between the LAN 192.168.0.1 and the Internet, configure the Iptables firewall as follows:
# echo 1 > /proc/sys/net/ipv4/ip_forward
Allows packets to be forwarded through the host on which Iptables is installed.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 210.40.2.71
Changes the source IP of packets leaving through network card eth0 to 210.40.2.71. When a packet arrives from the Internet, Iptables automatically changes the destination IP 210.40.2.71 to the corresponding destination IP of the machine in the LAN 192.168.0/24. Alternatively, MASQUERADE can be used instead of SNAT:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
(MASQUERADE is usually used when the Internet connection is ppp0 and uses a dynamic IP address.)
DNAT
Suppose the Proxy, Mail and DNS servers are placed in the DMZ network. To create a transparent connection from the Internet to these servers:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.3
# iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 192.168.1.4
Figure 10: Firewall with a DMZ.
The firewall lets machines inside the internal network access resources on the outside network using SNAT. It lets machines on the outside network access only the Web Server and DNS Server resources in the DMZ, using DNAT. The requirements for the Firewall 2.4.x, the modules the firewall needs, and the assignment of addresses to the internal network and the DMZ are carried out as for the IP NAT application. User-defined chains: the three chains bad_tcp_packets, allowed and icmp_packets, as in the IP NAT application.
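The SNAT and DNAT commands of the NAT examples (section 3.3.4) put together as one script for the DMZ layout of Figure 10, as an added example that is not the thesis's own configuration. It reuses the public address 210.40.2.71, eth0, the LAN 192.168.0.0/24 and the DMZ hosts 192.168.1.2 (Web) and 192.168.1.4 (DNS) from the text; the interface names eth1 (LAN) and eth2 (DMZ) are assumptions. It goes one step beyond the text by adding the FORWARD rules: the nat table only rewrites addresses, and without a FORWARD policy the DNAT rules would publish the servers but nothing would stop a DMZ host from reaching the LAN.

```shell
#!/bin/sh
# Added example: SNAT for the LAN plus DNAT for the published DMZ servers of Figure 10.
# IPT and SYSCTL name the real tools; set IPT="echo iptables" SYSCTL="echo sysctl -w"
# for a dry run that prints the commands instead of applying them.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl -w}"
WAN_IF="eth0"; WAN_IP="210.40.2.71"                 # from the text
LAN_IF="${LAN_IF:-eth1}"; LAN_NET="192.168.0.0/24"  # LAN interface assumed, range from the text
DMZ_IF="${DMZ_IF:-eth2}"                            # assumed DMZ interface
WEB_SRV="192.168.1.2"; DNS_SRV="192.168.1.4"        # DMZ hosts from the text

dmz_rules() {
    # same effect as: echo 1 > /proc/sys/net/ipv4/ip_forward
    $SYSCTL net.ipv4.ip_forward=1

    # SNAT: LAN hosts leave through eth0 with the firewall's public address
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    # DNAT: publish only the Web and DNS servers of the DMZ
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SRV"
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport 53 -j DNAT --to-destination "$DNS_SRV"

    # The nat table only rewrites addresses; the FORWARD chain decides what may pass.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT                   # LAN -> Internet
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$WEB_SRV" -p tcp --dport 80 -j ACCEPT  # Internet -> Web
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DNS_SRV" -p udp --dport 53 -j ACCEPT  # Internet -> DNS
    # A compromised DMZ host must not reach the LAN: log the attempt, then the DROP policy applies.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j LOG --log-prefix "DMZ-TO-LAN: "
}

# Dry run helper: print the commands without touching the system.
dmz_rules_dry_run() {
    (IPT="echo iptables"; SYSCTL="echo sysctl -w"; dmz_rules)
}
```

Note that the DNAT rule for port 80 only reaches the Web server because the matching FORWARD rule accepts traffic to 192.168.1.2:80 on the DMZ interface; the Mail server of the earlier example is deliberately left out, matching Figure 10 where only Web and DNS are published.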
PING 194.236.50.152(194.236.50.152): 56 data bytes
64 bytes from 194.236.50.152: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 194.236.50.152: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 194.236.50.152: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 194.236.50.152: icmp_seq=3 ttl=255 time=0.5 ms
^C
--- 194.236.50.152 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.8 ms
Some options
Figure 13: The interface after the options have been set and the program has run.
4.5.3. Evaluation of the software
Advantages of the software
- Designed as a website, so the iptables configuration can be carried out from any computer in the network.
- Lets users without in-depth knowledge of the iptables parameters still configure the firewall, thanks to ready-made rules.
- Reusing and editing the rules and iptables commands is very easy.
- The program is designed as open source, so users can modify it to their own requirements.
Disadvantages of the software
- Currently supports only one language.
- Installation is still difficult, because several supporting programs such as an HTTP server and crond have to be installed.
- All users have the same permissions.
CONCLUSION
The topic of firewalls is always a top concern of network administrators in particular and of computing professionals in general. Building a private network that can avoid every attack is impossible, but we can build networks with a high level of safety according to specific requirements. To build such networks, the network administrator must have a firm grasp of the basics of firewalls. This thesis has presented firewalls in some detail, along with the issues involved in protecting information in internal networks. It has also set up a firewall model protecting an internal network with IPTABLES on the LINUX operating system. A firewall system using Iptables on Linux takes advantage of the high stability of the Linux operating system, and Iptables, with its many functions, meets the needs of organisations that need to build a firewall system when their internal network is connected to the Internet. This firewall system is highly practical because:
- The hardware used for the system does not need a powerful configuration.
- All the software used for the system is open source.
- Documentation for this software is fully available on the Internet, free of charge.
- There are many forums on this topic on the Internet.
- The system is designed flexibly, according to the security policy of the organisation.
- It uses an operating system with high stability and good security.