Programming Methods for Bypassing Firewalls
UNIVERSITY OF NATURAL SCIENCES, FACULTY OF INFORMATION TECHNOLOGY, DEPARTMENT OF COMPUTER NETWORKS & TELECOMMUNICATIONS
0112463 0112319
ACKNOWLEDGEMENTS
After more than 6 months of effort, the thesis "Programming Methods for Bypassing Firewalls" has been more or less completed. Beyond our own efforts, we received a great deal of encouragement from the university, our teachers, our families and our friends in the faculty. This gave us very strong motivation to complete our thesis well. First of all, we thank our parents, who have always supported us, cared for us and created the best possible conditions for us to complete our task. We thank the university in general and the Faculty of Information Technology in particular for giving us invaluable knowledge, both to complete this thesis and to carry with us into life. We thank the lecturers of the MMT (Computer Networks) department, especially Mr. Hong Cng, our supervisor, who wholeheartedly guided and helped us whenever we ran into difficulties during our studies and during the work on this graduation thesis. We thank all our dear friends who encouraged and helped us throughout our studies and the work on this project. Once again, thank you all.
Ho Chi Minh City, 7/2005
The student authors
Phan Trung Hiu
Trn L Qun
FOREWORD
The thesis is presented in 8 chapters belonging to 5 parts:
Part one: THEORETICAL BACKGROUND
  Chapter 1: Introduction to firewalls
  Chapter 2: The proxy concept
  Chapter 3: Programming methods for bypassing firewalls
Part two: PROGRAMMING METHODS FOR BYPASSING FIREWALLS
  Chapter 4: Bypassing firewalls with HTTP proxy servers
  Chapter 5: Bypassing firewalls with a Web-based proxy
Part three: ANTI-BYPASS MODULES
  Chapter 6: Anti-bypass plug-in for the Internet Explorer browser
  Chapter 7: Anti-bypass service
Part four: SUMMARY
  Chapter 8: Conclusion
Part five: APPENDIX
TABLE OF CONTENTS
Chapter 1: INTRODUCTION TO FIREWALLS
  1.1 Problem statement
  1.2 The need to protect information
    1.2.1 Causes
    1.2.2 Protecting data
    1.2.3 Protecting the resources used on the network
    1.2.4 Protecting the organization's reputation
  1.3 Types of attack
    1.3.1 Direct attacks
    1.3.2 Eavesdropping
    1.3.3 Address spoofing
    1.3.4 Disabling system functions (DoS, DDoS)
    1.3.5 System administrator errors
    1.3.6 Attacks on the human factor
  1.4 What is a firewall?
  1.5 Main functions
    1.5.1 Functions
    1.5.2 Components
  1.6 Principle
  1.7 Types of firewall
  1.8 General concepts about firewalls
    1.8.1 Firewalls based on an application gateway
    1.8.2 Circuit level gateway
    1.8.3 Limitations of firewalls
    1.8.4 Are firewalls easy to break?
  1.9 Some firewall models
    1.9.1 Packet-Filtering Router
    1.9.2 Single-Homed Bastion Host model
    1.9.3 Dual-Homed Bastion Host model
    1.9.4 Proxy server
    1.9.5 Firewall software - Proxy server
  1.10 Closing remarks
Chapter 2: THE PROXY CONCEPT
  2.1 What is a proxy
  2.2 Why proxies came about
  2.3 General summary of proxies
Chapter 3: PROGRAMMING METHODS FOR BYPASSING FIREWALLS
  3.1 What is firewall bypassing
  3.2 First method: HTTP Proxy
  3.3 Second method: Web-Based Proxy
  3.4 Third method: Http Tunneling
Chapter 4: BYPASSING FIREWALLS WITH AN HTTP PROXY
  4.1 When HTTP proxy servers become useful
  4.2 Main functions
    4.2.1 Internet access
    4.2.2 Caching documents
    4.2.3 Selective control of Internet access
    4.2.4 Providing Internet service to organizations that use virtual IP addresses
  4.3 A transaction through a proxy
  4.4 Connecting through a proxy server
  4.5 HTTP proxy
  4.6 FTP proxy
  4.7 Advantages and disadvantages of caching web pages
  4.8 Shortcomings caused by proxies
  4.9 Programming technique for a basic HTTP proxy
Chapter 5: Bypassing firewalls with a Web-Based Proxy
  5.1 What is a web-based anonymous proxy?
  5.2 How a WBP works
  5.3 Introduction to the Web Based Proxy page
    5.3.1 Interface
    5.3.2 Functions
    5.3.3 Algorithm
Chapter 6: Anti-bypass plug-in for the Internet Explorer browser
  6.1 Brief introduction
  6.2 Main features
    6.2.1 Filtering web pages by checking the list of web sites stored in the database
    6.2.2 Filtering web pages by checking the address (URL)
    6.2.3 Filtering based on the content of the input forms in a web page
    6.2.4 Updating the list of web-based proxy sites
    6.2.5 Disabling/enabling the plugin
  6.3 Points to note when writing a plugin for the IE browser
    6.3.1 The Browser Helper Objects (BHO) concept
    6.3.2 Some important handler functions
  6.4 Data storage details
    6.4.1 Forbidden table
    6.4.2 Trusted table
  6.5 Main algorithm of the application
    6.5.1 Operating model of the plugin
    6.5.2 Explanation of the model
  6.6 Advantages and limitations
Chapter 7: ANTI-BYPASS SERVICE
  7.1 Brief introduction
  7.2 Main features of the module
  7.3 Packet capture module
    7.3.1 Characteristics of an HTTP request packet sent to an HTTP proxy server
    7.3.2 Summary of the steps to note when building the module
    7.3.3 Details of the module's main objects and handler functions
  7.4 IP address blocking module
    7.4.1 Introduction to the Filter-Hook Driver
    7.4.2 Summary of the steps for building a Filter-Hook Driver to capture packets
  7.5 Data storage details
    7.5.1 ForbiddenProxy table
    7.5.2 TrustedProxy table
  7.6 Operation diagram of the IP address blocking module
  7.7 Explanation of the model
  7.8 Remarks and evaluation
    7.8.1 Advantages
    7.8.2 Disadvantages
Chapter 8: CONCLUSION
  8.1 Results achieved
  8.2 Directions for further development
Figure 16: Some supported protocols
Figure 17: Caching
Figure 18: Caching failure
Figure 19: A transaction through a proxy
Figure 20: Retrieving information through an HTTP proxy
Figure 21: Retrieving information through an FTP proxy
Figure 22: Main interface of the Web Base Proxy
Figure 23: Mini form at the top of each page
Figure 24: Operation diagram of a Web-Based Proxy page
Figure 25: Main interface of the plug-in
Figure 26: Notification page shown whenever the user browses a violating web site
Figure 27: Typical layout of a web base proxy page
Figure 28: The browser starting up and loading the BHOs
Figure 29: Operating model of the plugin
Figure 30: Format of a packet sent to the proxy server
Figure 31: Operation diagram of the IP address blocking module
PART ONE
THEORETICAL BACKGROUND
Chapter 1:
1.1 Problem statement:
Alongside building an information technology foundation and developing computer applications in production, business, science, education, society and so on, protecting those achievements is indispensable. Using firewalls to protect the internal network (intranet) against attacks from outside is an effective solution that provides:
- Safety for the operation of the entire network
- High security in many respects
- A high degree of control
- High speed
- Flexibility and ease of use
- Transparency to the user
- An open architecture
Along with the continuous growth of the Internet and of Internet services, the number of attacks on the Internet has also grown exponentially. While the mass media talk more and more about the Internet and its seemingly endless possibilities for accessing information, the specialist literature has begun to pay much attention to safeguarding data on computers connected to the Internet. According to figures from CERT (Computer Emergency Response Team), the number of Internet attacks reported to that organization was fewer than 200 in 1989, about 400 in 1991, 1400 in 1993, and 2241 in 1994. These attacks targeted every kind of computer present on the Internet: the machines of large companies such as AT&T and IBM, universities, government agencies, military organizations, banks... Some attacks were on a huge scale (up to 100,000 computers attacked). Moreover, these numbers are only the tip of the iceberg. A very large share of attacks goes unreported for many reasons, among them fear of losing reputation, or simply that the system administrators are unaware of the attacks on their systems.

Not only is the number of attacks rising rapidly; the attack methods are also being refined continuously. This is partly because administrators of Internet-connected systems are increasingly vigilant. Also according to CERT, attacks in the 1988-1989 period mainly guessed user name and password pairs (UserID-password) or used flaws in programs and operating systems (security holes) to disable the protection system, whereas more recent attacks also include operations such as spoofing IP addresses, monitoring information sent over the network, and hijacking remote sessions (telnet or rlogin).

The need to protect information on the Internet can be divided into three categories: protecting data; protecting the resources used on the network; and protecting the organization's reputation.
1.2.2 Protecting data:
Information stored on computer systems needs to be protected because of the following requirements:
- Confidentiality: information of economic, military or policy value, etc., must be kept secret.
- Integrity: information must not be lost, modified or swapped.
- Timeliness: information must be accessible at exactly the moment it is needed.
Among these requirements, confidentiality is usually regarded as the number 1 requirement for information stored on the network. However, even when the information is not kept secret, the integrity requirements are still very important. No individual or organization wastes material resources and time storing information without knowing whether that information is correct.
Rlogin allows a user on one machine on the network to log in remotely to another machine and use that machine's resources. While reading the user's name and password, rlogin does not check the length of the input line, so an attacker can supply a precomputed string that overwrites rlogin's program code and thereby gain access.
1.3.3 Address spoofing:
IP address spoofing can be carried out by using the source-routing capability. In this attack, the attacker sends IP packets to the internal network with a forged IP address (usually the address of a network or a machine that the internal network regards as safe) and at the same time specifies the path that the IP packets must follow.
- The client is an attacker who orchestrates an attack
- A handler is a compromised host that runs the special programs used for the attack
- Each handler can control many agents
- Each agent is responsible for sending a data stream to the victim
1.4 What is a firewall?
The term firewall comes from a design technique in construction used to stop or limit fires. In network technology, a firewall is a technique integrated into the network to prevent unauthorized access, in order to protect internal information sources and limit unwanted intrusion into the system. A firewall can also be understood as a mechanism that protects a trusted network from untrusted networks. A firewall is usually placed between the internal network (intranet) of a company, organization, industry or country and the Internet. Its main role is to keep information secure, to block unwanted access from outside (the Internet), and to forbid access from inside (the intranet) to certain addresses on the Internet.
In short, a firewall is a system that blocks unauthorized access from outside into the network as well as invalid connections from inside out. A firewall filters out invalid addresses according to predefined rules or criteria.
A firewall can be a hardware system, a software system, or a combination of both. If it is hardware, it may consist solely of a packet filter or be a routing device (a router with built-in packet filtering). The router has advanced security features, including the ability to control IP addresses. The control process lets you define which IP addresses may connect to your network and vice versa. The common property of firewalls is that they distinguish IP addresses on the basis of packets, or refuse unauthorized access on the basis of the source address.
1.6 Principle:
Speaking of data flowing between networks through a firewall means that the firewall works closely with the TCP/IP protocol. This protocol works by splitting the data received from network applications, or more precisely from the services running on top of the protocols (Telnet, SMTP, DNS, SNMP, NFS...), into data packets and assigning these packets addresses so that they can be identified and reassembled at their destination. Firewalls are therefore very much concerned with packets and their address numbers.
Figure 5: Packet filtering
The packet filter permits or rejects each packet it receives. It examines the whole datagram to decide whether it satisfies one of the packet filtering rules. These filtering rules are based on the information at the start of each packet (the packet header), which is used to carry the packet across the network. That information is:
- IP source address
- IP destination address
- Transport protocol (TCP, UDP, ICMP, IP tunnel)
- TCP/UDP source port
- TCP/UDP destination port
- ICMP message type
- Incoming interface of the packet
- Outgoing interface of the packet
If a packet filtering rule is satisfied, the packet is passed through the firewall. If not, the packet is dropped. In this way the firewall can block connections to specified servers or networks, or block access to the internal network from addresses that are not allowed. In addition, controlling ports lets the firewall allow only certain kinds of connection to certain kinds of server, or allow only certain permitted services (Telnet, SMTP, FTP...) to run on the local network.
Advantages: Most firewall systems use a packet filter. One advantage of the packet filtering approach is its low cost, because the packet filtering mechanism is already included in every router's software. In addition, the packet filter is transparent to users and applications, so it requires no special training at all.
Limitations: Defining the packet filtering rules is quite complex; it requires the network administrator to have detailed knowledge of Internet services, of the packet header formats, and of the specific values each field can take. When
Because it works on the packet headers, the packet filter clearly cannot control the information content of a packet. Packets that pass through can still carry actions intended to steal information or do damage.
In operation, the firewall relies on the router to check the source address of the packet. Once it has been identified, each source IP address is checked against the rules predefined by the network administrator. A router-based firewall works very fast because it only skims the source addresses without placing any real demands on the router, and it spends no time processing wrong or invalid addresses. However, you pay a price: apart from the access controls, packets carrying forged addresses can still penetrate your server to some degree. Some packet filtering techniques can be used together with the firewall to overcome this weakness. The IP address is not the only part of a packet that can fool the router. The administrator should apply several rules at once, using identifying information that accompanies the packet, such as time, protocol and port, to tighten the filtering conditions.

However, the weaknesses of packet filtering in router-based firewalls do not end there. Some remote procedure call (RPC) services are very hard to filter effectively because the associated servers depend on ports that are assigned randomly at system start-up. A service called the portmapper maps calls to RPC services to pre-assigned service numbers; however, because there is no correspondence between service numbers and the packet filtering router, the router cannot tell which service uses which port. It therefore cannot block these services completely unless it blocks all UDP packets (RPC services mainly use UDP, the User Datagram Protocol). Blocking all UDP packets also blocks necessary services, for example DNS (Domain Name Service). This leads to a dilemma.
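The header-based filtering described above can be sketched as a first-match rule evaluator. This is an added example, not code from the thesis; the addresses, the interface names `ext0`/`int0` and the rule sets are constructed for illustration. It shows a rule that trusts the source address alone accepting a forged packet, the same rule set dropping it once the incoming interface is checked, a DNS datagram passing while a datagram to an unlisted RPC port falls to the default deny, and the filter's blindness to payload.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Header fields listed in the text; payload is carried, never inspected."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: Optional[int]
    dport: Optional[int]
    in_if: str                 # interface the packet arrived on
    out_if: str                # interface it would leave on
    icmp_type: Optional[int] = None
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    """One filter rule; a field left at its default matches anything."""
    action: str                # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.icmp_type in (None, p.icmp_type)
                and self.in_if in (None, p.in_if)
                and self.out_if in (None, p.out_if))


def decide(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything not explicitly permitted is denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed topology: internal network on int0, Internet on ext0.
INTERNAL = "192.168.1.0/24"

# Rules that trust the source address alone.
BASE_RULES = [
    Rule("permit", src=INTERNAL, dst="192.168.1.10/32", proto="tcp", dport=23),
    Rule("permit", src=INTERNAL, proto="udp", dport=53, out_if="ext0"),
    Rule("permit", dst="192.168.1.25/32", proto="tcp", dport=25),
]

# Same rules, preceded by an ingress check: an internal source address
# must never arrive on the external interface.
HARDENED_RULES = [Rule("deny", src=INTERNAL, in_if="ext0")] + BASE_RULES

# Constructed sample packets.
SPOOFED = Packet("192.168.1.77", "192.168.1.10", "tcp", 40000, 23, "ext0", "int0")
LEGIT = Packet("192.168.1.77", "192.168.1.10", "tcp", 40000, 23, "int0", "int0")
DNS = Packet("192.168.1.20", "203.0.113.53", "udp", 5353, 53, "int0", "ext0")
RPC = Packet("203.0.113.9", "192.168.1.10", "udp", 1023, 32771, "ext0", "int0")
MAIL_A = Packet("203.0.113.7", "192.168.1.25", "tcp", 41000, 25, "ext0", "int0",
                payload=b"ordinary message")
MAIL_B = Packet("203.0.113.7", "192.168.1.25", "tcp", 41000, 25, "ext0", "int0",
                payload=b"message with a hostile attachment")


def summary() -> dict:
    """Decisions for every sample packet under both rule sets."""
    samples = {"spoofed": SPOOFED, "legit": LEGIT, "dns": DNS,
               "rpc": RPC, "mail_a": MAIL_A, "mail_b": MAIL_B}
    return {name: (decide(BASE_RULES, p), decide(HARDENED_RULES, p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (base, hardened) in summary().items():
        print(f"{name:8s} base={base:6s} hardened={hardened}")
```

The two mail packets receive the same verdict because only header fields are compared, which is the content-blindness the text attributes to packet filters.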
remotely into a network running an application gateway, the gateway blocks this remote connection. Instead of passing it straight through, the gateway checks the components of the connection against predefined rules. If the rules are satisfied, the gateway creates a bridge between the source station and the destination station.
Figure 7: Software firewall
The bridge acts as an intermediary between the two protocols. For example, in a typical gateway model, IP packets are not forwarded to the local network; instead a translation process takes place in which the gateway acts as the interpreter. The advantage of an application gateway firewall is that it does not have to forward IP. More importantly, the controls are applied directly on the connection. Finally, each tool provides convenient features for network access. Because every packet in transit is accepted, examined, translated and sent on again, this type of firewall is limited in speed. IP forwarding takes place when a server receives a signal from outside requesting that information in IP format be forwarded into the internal network. Allowing IP forwarding is an unavoidable flaw: when it is allowed, a hacker can penetrate workstations on your network. Another limitation of this firewall model is that a security application (proxy application) has to be created for each network service: one application for Telnet, another for HTTP, and so on. Because IP forwarding is not involved, IP packets from unknown addresses cannot reach the computers in your network, so the application gateway system offers higher security.
1.8.3 Limitations of firewalls:
A firewall is not intelligent enough, as a human is, to read and understand each kind of information and judge whether its content is good or bad. A firewall can only block intrusion from unwanted information sources, and only when their address parameters are clearly specified. A firewall cannot stop an attack that does not "pass through" it. Specifically, a firewall cannot defend against an attack over a dial-up line, or against information leaks caused by data being copied illegally onto floppy disks. A firewall also cannot defend against data-driven attacks, in which programs are carried by e-mail through the firewall into the protected network and start running there. Computer viruses are one example. A firewall cannot scan for viruses in the data passing through it, because of its working speed, the constant appearance of new viruses, and the many ways of encoding data that escape the firewall's control. Nevertheless, the firewall remains an effective and widely used solution.
certain that nothing will go wrong whichever network operating system (OS) is used; this is a thorny problem in itself. In UNIX networks this is partly because the UNIX OS is so complex, with hundreds of separate applications, protocols and commands. Mistakes in building a firewall may be due to the network administrator not having a firm grasp of TCP/IP. One of the things hackers have to do is separate the real components from the fake ones. Many firewalls use sacrificial hosts, which are systems designed to look like Web servers (and can readily be discarded), or decoys, used to catch hackers' intrusion attempts. A decoy may need sophisticated camouflage to hide its true nature, for example by giving answers similar to those of a real file system or real applications. The hacker's first job is therefore to determine whether these are objects that really exist.
To obtain information about the system, the hacker needs a device capable of serving mail and other services. The hacker will try to receive a message coming from inside the system; the route it took can then be examined, which may reveal clues about the structure of the system. In addition, no firewall can prevent sabotage from the inside. If a hacker exists inside the organization itself, it will not be long before your network is hacked. This actually happened to a large oil company: a hacker infiltrated the staff and gathered important information not only about the network but also about the firewall stations.
Basically, the filtering rules are defined so that hosts on the internal network have direct access to the Internet, while hosts on the Internet have only limited access to computers on the internal network. The philosophy of this firewall architecture is that everything that is not explicitly permitted is denied.
Advantages:
- Low cost and simple configuration
- Transparent to the user
Limitations: A packet-filtering router has many limitations, such as being vulnerable to attacks on filters whose configuration is imperfect, or to attacks tunnelled under permitted services. Because packets are exchanged directly between the two networks through the router, the risk of attack is determined by the number of permitted hosts and services. As a result, every host that is allowed direct access to the Internet needs to be provided with a sophisticated authentication system and must be checked regularly by the network administrator for signs of attack.
In this system the bastion host is configured inside the internal network. The filtering rules on the packet-filtering router are defined so that all outside systems can reach only the bastion host; communication to all other internal systems is blocked. Because the internal systems and the bastion host are on the same network, the organization's security policy decides whether internal systems may access the Internet directly or must use the proxy services on the bastion host. Internal users are forced to use the proxy by configuring the router's filter to accept only internal traffic that originates from the bastion host.
Advantages: A server providing public information through Web and FTP services can be placed on the packet-filtering router and the bastion. Where the highest level of security is required, the bastion host can run proxy services requiring all
Because the bastion host is the only internal system reachable from the Internet, attacks are limited to the bastion host alone. However, if a user can log on to the bastion host, they can easily access the entire internal network. Users must therefore be forbidden from logging on to the bastion host.
For incoming traffic, the outer router protects against standard attacks (such as IP address spoofing) and controls access to the DMZ. The system allows the outside to access only the bastion host. The inner router provides a second layer of protection by restricting DMZ access to the internal network to traffic that originates from the bastion host. For outgoing traffic, the inner router controls the internal network's access to the DMZ. It allows internal systems to access only the bastion host and possibly the information server. The filtering rules on the outer router enforce use of the proxy services by allowing only outbound traffic that originates from the bastion host.
Advantages: An attacker has to break through three layers of protection: the outer router, the bastion host and the router
Only a selected number of systems on the DMZ are known to the Internet through the routing table and DNS information exchange (Domain Name Server). Because the inner router advertises only the DMZ network to the internal network, systems in the internal network cannot access the Internet directly. This ensures that internal users are forced to access the Internet through the proxy services.
The proxy program suite is designed for several firewall configurations, in these basic forms: dual-home gateway, screened host gateway, and screened subnet gateway. The bastion host component of the firewall acts as a relay for information, logs the traffic, and provides services, and so it requires a high level of security. We will look at proxy servers in more detail in a later part.
- SMTP Gateway - Proxy server for the SMTP service (Simple Mail Transfer Protocol)
- FTP Gateway - Proxy server for the FTP service
- Telnet Gateway - Proxy server for the Telnet service
- HTTP Gateway - Proxy server for the HTTP service (World Wide Web)
- Rlogin Gateway - Proxy server for the rlogin service
- Plug Gateway - Proxy server for the instant server connection service over TCP (TCP Plug-Board Connection server)
- SOCKS - Proxy server for services that follow the SOCKS standard
- NETACL - Network access control for the other services
- IP filter - Proxy that controls at the IP level
- SMTP Gateway - Proxy server for the SMTP port
1.9.5.1 SMTP Gateway - Proxy server for the SMTP service (Simple Mail Transfer Protocol)
The SMTP Gateway program is built on two pieces of software, smap and smapd, and is used to defend against access through the SMTP protocol. Its principle is to sit in front of the system's original mail server program and not allow outside systems to connect directly to the mail server. Because within the trusted network the mail server usually has certain privileges
When a remote system connects to the SMTP port, the smap program takes over the service, switches to a dedicated directory and sets its user-id to an ordinary level (with no privileges). The sole purpose of smap is to conduct the SMTP dialogue with other systems, collect mail, write it to disk, log it, and exit. Smapd scans this directory regularly; when it finds mail, it passes the data to sendmail for delivery to individual mailboxes or for forwarding to other mail servers. In this way an unknown user on the network cannot connect directly to the mail server. All information that travels along this path can be fully controlled. However, the program cannot solve the problem of forged mail or of attacks that arrive by other routes.

1.9.5.2 FTP Gateway - Proxy server for the FTP service:
The proxy server for the FTP service provides access control for FTP based on IP address and hostname, and provides secondary access control that can optionally block or log any FTP command. The destination addresses of this service can also optionally be permitted or forbidden. All connections and the volume of data transferred are logged. The FTP Gateway does not itself threaten the security of the firewall system, because it runs in an empty directory and performs no file input/output other than reading its configuration file. The FTP server only provides the FTP service and does not care who is or is not entitled to download files. The authorization decision must therefore be set up on the FTP Gateway and must be made before any download or upload of a file takes place. The FTP Gateway should be configured
1.9.5.3 Telnet Gateway - Proxy server for the Telnet service:
The Telnet Gateway is a proxy server that manages network access based on IP address and/or hostname, and provides secondary access control that can optionally block any destination. All data connections passing through are logged. Each time a user connects to the Telnet Gateway, the user must choose a connection method. The Telnet Gateway does not harm system security, because it operates only within a specific permitted scope. Specifically, the system transfers control to a dedicated directory and at the same time forbids access to other directories and files. The Telnet Gateway is used to control access into the internal network. Unauthorized accesses cannot be carried out, while legitimate accesses are logged with the time of access and the operations performed.

HTTP Gateway - Proxy server for the web:
The HTTP Gateway is a proxy server that manages access to the system through the HTTP (Web) port. This program forbids or permits access requests on the basis of the destination address and the source address. At the same time, based on the command codes of the HTTP protocol, this software will allow
Rlogin Gateway - Proxy server for rlogin:
Terminals that connect using the BSD rlogin procedure are controlled by the rlogin gateway. The program allows network access to be checked and controlled in the same way as the telnet gateway. The rlogin client can specify a remote system as soon as it connects to the proxy. The program limits the interaction required between the user and the machine.

Plug Gateway - TCP Plug-Board Connection server:
The firewall provides common services such as Usenet news. The network administrator can choose either to run this service on the firewall itself or to install a proxy server for it. Because running the News service directly on the firewall easily causes system faults, the safer approach is to use a proxy. The plug gateway is designed to control the Usenet News service and some other services such as Lotus Notes, Oracle, etc. Based on IP address or hostname, the plug gateway allows all accesses to the system through the registered service ports to be controlled. On that basis it permits or forbids access requests. All connection requests, including the data, can be logged for monitoring and control.

1.9.5.4 SQL Gateway - Proxy server for SQL-Net:
SQL Net uses its own protocol, unlike that of News or Lotus Notes, so the Plug Gateway cannot be used for this service. SQL
- Trang 42 -
1.9.5.5 SOCKS Gateway and NETACL:
SOCKS Gateway - Proxy server for services that follow the SOCKS standard:
SOCKS is a network connection protocol between hosts that both support it. Two hosts using this protocol do not need to care whether they can be joined directly over IP. SOCKS redirects the connection requests coming from the host at the other end. The SOCKS server determines access rights and sets up the communication channel between the two machines. SOCKS Gateway is used to guard against access into the network through this port.
NETACL - Network access control tool:
Ordinary network services provide no way to control access to them, so they are weak points open to attack. Even on the firewall system, where many ordinary services have been removed to keep the system safe, some services such as telnet and rlogin are still needed to maintain the system. Netacl is a tool for controlling network access based on the network address of the client machine and the service requested. It wraps the basic services and adds access control to them. Thus a client (identified by IP address or hostname) can access the telnet server when it connects to the telnet service port on the firewall.
In typical firewall configurations, NETACL is used to deny all machines except a few hosts that are allowed to log in to the firewall through either telnet or rlogin, and to block access from attackers. The security of Netacl rests on the IP address and/or hostname. For systems that need a high level of security, IP addresses should be used to avoid DNS spoofing. Netacl does not protect against IP address spoofing through source routing or other means. If such attacks are a concern, a router capable of screening source-routed packets must be used. Note that netacl does not provide UDP access control, because current technology cannot guarantee the authenticity of UDP. Here, securing UDP services means not allowing any UDP service at all.
1.9.5.6 Authentication:
The firewall toolkit contains an authentication server program designed to support the authorization mechanism. Authsrv holds a database of the users in the network; each record corresponds to one user and holds that user's authentication mechanism, including the group name, the user's full name and the most recent access time. Unencrypted passwords (plain text passwords) are used for users inside the network to keep administration simple. Unencrypted passwords should not be used for users coming from external networks. Users in the database can be divided into different groups, each managed by a group administrator who has full rights within the group, including adding and removing users. This is convenient when several organizations share one firewall. Authsrv manages groups very flexibly: the administrator can group users using "group wiz", and the person with group administration rights can delete, add, create
1.9.5.7 IP Filter - IP-level filter:
IP Filter is a TCP/IP packet filter, regarded as an indispensable component when setting up a firewall that is transparent to users. This software is installed in the core of the system (such as the UNIX kernel) and runs in the background while the system operates, receiving and analysing all IP packets. IP Filter can do the following:
- Pass or block any packet.
- Distinguish between different services.
- Filter by IP address or hosts.
- Selectively filter any IP protocol.
- Selectively filter by IP fragments.
- Selectively filter by IP options.
- Send back ICMP/TCP error blocks and reset the packet number.
- Keep state information for TCP, UDP and ICMP flows.
- Keep state information for fragments of any IP packet.
- Act as a Network Address Translator (NAT).
- Serve as the basis for setting up connections that are transparent to users.
- Provide headers to user programs for authentication.
- In addition, support temporary storage for authentication rules applied to packets passing through.
In particular, for the basic Internet protocols TCP, UDP and ICMP, IP Filter allows filtering by:
- Inverted host/net matching
- Port number of TCP/UDP packets
- Type or code of ICMP packets
- Established TCP packets
- Any combination of TCP status flags
- Filtering/dropping incomplete IP packets
- Filtering by type of service
- Logging of messages including:
1.10 Closing remarks:
At present, the firewall is the most common method of protecting a network; 95% of the hacker community has to admit that getting past a firewall seems impossible. In practice, however, firewalls have been broken. If your network is connected to the Internet and holds important data that needs protecting, then alongside the firewall you should strengthen other protective measures such as physical security, regular data backups and careful selection of staff
Chapter 2:
2.1 What is a proxy:
According to www.learnthat.com: a proxy is a device that allows connection to the Internet. It sits between the workstations in a network and the Internet, secures the connection, and allows only certain ports and protocols, e.g. tcp, http, telnet on ports 80 and 23. When a client requests a page, the request is sent to the proxy server, which forwards it to the site. When the request is answered, the proxy returns the result to the corresponding client. A proxy server can be used to record Internet usage and to block banned pages.
According to www.nyu.edu: a proxy server is a server that sits between a client application, such as a web browser, and a remote server. The proxy server examines each request to see whether it can serve it from its cache; if not, it forwards the request to the remote server.
According to www.webopedia.com: a proxy server is a server that sits between a client application, such as a web browser, and a real server. It intercepts all requests to the real servers to see whether it can fulfil them itself; if not, it forwards the requests to the real servers.
According to www.stayinvisible.com: a proxy server is a kind of buffer between your computer and the Internet resources you are accessing; the data you request arrives at the proxy first and is then passed on to your machine.
Filtering: blocking access that is not permitted, such as pornographic sites and reactionary sites.
However, taking advantage of the proxy idea, some servers on the network have turned themselves into relay stations, intermediaries for connections that are not permitted. This is what has given the proxy an additional definition, a new meaning.
Many addresses on the network are, for one reason or another, blocked for users, such as pornographic websites, reactionary sites and unwholesome content. To get around this, as mentioned above, some servers have turned themselves into proxies so that these banned connections can still be made.
There are 2 kinds of such proxy, or in other words 2 ways of gaining access through them: the HTTP proxy and the web-based proxy, which we will examine in the following part. These are also the 2 firewall-bypass programming methods that we want to discuss in this thesis.
Chapter 3:
3.1 What is bypassing a firewall:
Put simply, bypassing a firewall means getting past the blocking of security programs (the firewall) in order to reach the desired destination. A firewall can be bypassed from the inside out or from the outside in. Here we only deal with bypassing the firewall from the inside out, so we can summarize 3 forms of firewall bypass: HTTP proxy, web-based proxy and http tunneling.
Because of the limited scope of the project and limited time, this method will not be studied in depth in the thesis.
PART TWO
BYPASSING THE FIREWALL
Chapter 4:
usually through the proxy server. Proxy servers can allow or refuse requests based on the protocol of the connection. For example, a proxy server can allow HTTP connections while refusing FTP connections. When you use a proxy server as the gateway from the LAN out to the Internet, you can choose among options such as the following:
- Allow or block client access to the Internet based on IP address
- Caching documents: keeping copies of web pages to serve identical requests
- Screening connections
- Providing Internet service to companies that use private networks (virtual IP based)
- Converting data to HTML so that it can be viewed in a browser
Machines in the LAN may be unable to access resources on the Internet directly because they operate behind a firewall. In this case, a proxy server can help them do so easily.
Figure 16: Some supported protocols
In the figure above, the proxy server runs on a firewall host and establishes the connections to the outside world. We can also use a different computer as the proxy server; that machine must have full Internet access rights.
The proxy receives requests from the browser, retrieves the requested information, converts it to HTML and sends it back to the browser inside the firewall. The proxy server can manage all connections out to the Internet if it is the only computer with a direct connection to the Internet.
4.2.2 Caching documents:
Normally, the clients of one subnet access the same Web proxy server. Some proxy servers let you cache (temporarily store) documents on the machine to serve other machines with the same request. Suppose machine A has just accessed the page http://mail.yahoo.com and machine B then requests the same page; in this case the proxy server reuses the document already held on the machine instead of going all the way to the server to fetch it. This improves speed markedly.
Figure 17: Caching
Caching on the proxy server is more efficient than caching on individual machines; it saves storage space because the document only has to be stored once. To make caching on the proxy server more effective, we should cache the pages that are referenced (accessed) frequently.
Through caching, we can also reach a page even when the server is down. Some kinds of proxy allow caching in several places in case one cache goes down or fails.
4.2.3 Selectively controlling Internet access:
When using a proxy server you can filter the clients' transactions. Some proxy servers let you:
o Decide which requests are accepted and which are not
o Block the pages you do not want users to access
o Limit the services as you wish, for example: you can allow users to use the HTTP service but not the FTP service
4.2.4 Providing Internet service to organizations that use virtual IPs:
Organizations that use one or more virtual address spaces can still use the Internet; this is entirely possible, by going through a proxy server, and the proxy server holds the real address.
Each client has its own IP address as well as a direct connection to the servers on the Internet. When the browser creates an HTTP request, the HTTP server only takes the path and the keyword part of the requested URL; the other parts, such as the protocol and the hostname of the machine running the HTTP server, are already clear to the server.
Example: when you type http://abc.com/class/th01.htm, the browser turns it into: GET /class/th01.htm. The browser connects to the abc.com server, issues the command and waits for the response. In this example, the browser creates a request to the HTTP server and states exactly which resource is to be downloaded; the request contains neither the protocol nor any hostname from the URL.
The figure above shows how an FTP request passes through the proxy. From the URL, the proxy server knows that this is an FTP request, so it makes an FTP connection to the remote server. The proxy server creates a connection and requests the file from the remote FTP server, fetches the file and then sends it back to the client.
block, or in other words prevent users from using proxies outside the system.
Chapter 5:
The web page has a simple interface. At the top is a textbox where the user enters the address of the page to visit. Below it are the options the user can choose. Finally there are 2 buttons: one lets the user start the page running and one resets to the defaults.
5.3.2 Functions:
Lets the user enter an address in URL form. The user only needs to enter the address and press Enter, and the page loads the content the user wants. Lets the user use the options, among them:
o Include a mini URL form: adds a part of the Web-based Proxy to the top of the page
o Remove all scripts: removes all scripts
o Accept HTTP cookies: allows cookies to be used to improve speed
o Show images: downloads the page content including the images (images are fetched as well, not removed)
o For future: reserved for the future
o New window: allows browsing in a new window.
5.3.3 Algorithm:
[Flowchart residue: If successful; Send the result to the client]
5.3.3.2 Explanation of the model:
- Starting the web page: includes loading the forms, the items and the page interface.
- Checking cookies: checks whether cookies of the page are currently in use on the machine.
- Loading the default page: if the cookie check finds none, the browser loads the default page, i.e. the url is empty and the default options are checked.
- Loading the page according to cookies: if the cookie check finds cookies, the page is loaded from them, including the urls used and the states of the options.
- Entering information: the client enters information such as the url of the page to visit, and checks or unchecks the options as desired.
- Validating the url: checks the form of the input, such as whether http is missing or www is missing; if so, it is added automatically to make the url valid.
- Checking the options: checks which options are checked and which are not, in order to carry out the client's request correctly.
- Browsing the page as requested: sends the request to the corresponding web server: resolves the domain name and sends the http request to the server.
- Failure, error report: if the page does not exist, the address is wrong because the user mistyped it, or for any other reason the http request is not answered, an error is reported.
- Success, editing according to the options: if successful, the page is edited according to the options: whether to add the extra part to the top of the page, whether to fetch or remove images, whether to fetch or remove scripts (these items are carried out when the http request is sent).
- Sending the result to the client: sends the final result to the client, a web page that has been adjusted and edited to suit.
5.3.3.3 Explanation of some important functions:
- Function submit_form(): sends the request to the server
- File url_form.inc: the header part of the page sent to the client
- File style: holds the interface information: colours, sizes
- Function set_response(): restructures the web page
- Function set_url(): checks and adjusts the url so that it is valid
- Function open_socket(): opens the socket
- Function encode_url(): encodes the url
- Function decode_url(): decodes the url
- Function set_flags(): sets the options
- Function set_cookies(): writes to cookies
- Function get_cookies(): reads information from cookies
- Function delete_cookies(): deletes cookies
- Function include_form(): adds the web-based proxy form to the top of the page (depending on whether the option is checked)
- Function remove_scripts(): removes the scripts (depending on whether the option is checked)
- Function send_response_headers(): sends the header part to the client
- Function return_response(): sends the remaining parts to the client.
PART THREE
Chapter 6:
In this chapter we present the first module: the anti-firewall-bypass plug-in for the Internet Explorer browser.
Figure 26: The notification page shown whenever the user browses to a violating web page
6.2.2 Filtering web pages by checking the address (URL):
When the user browses to a new web page, if that page can help the user get around the firewall (referred to as a violation), the plug-in shows a notification page to the user and stores the address of the page in the database. Because the great majority of Web-based Proxy pages, when in use, show their address in the form http://domain_name of the WebProxy/real address of the page to be browsed, we can rely on this mechanism to identify the addresses
Example: suppose the web page www.abc.com is a violating page. When the user goes through this page to surf to the page they want, www.yahoo.com, the resulting URL will appear as follows: http://www.webproxy.com/www.yahoo.com or ..... We can easily split this address into 2 separate addresses. When it meets addresses as obvious as this, the filter will certainly detect them and store the new address in the database for subsequent browsing.
http://www.webproxy.com?url=www.yahoo.com
6.2.3 Filtering based on the content of the Input Forms in the web page:
What about pages that encode the address, or do not even show the address in the browser? This is where the filter's third function becomes useful. It supplements case 2 described above. When users go to Web-Proxy pages in order to reach other web pages, they almost always have to enter the address of the page they want into a textbox and then submit it for the web server to process. E.g. a web-based proxy page is typically laid out as follows
As can be seen, the user types the full name of the web page and clicks the Go button. The page submits the content of the text field just entered (http://www.google.com) to the server, and the server does the browsing. Based on this behaviour, the filter examines the Input tags of the web page and checks whether any Input tag is in violation. A violation means that the user almost certainly intends to submit a URL to the server and wants to access that page.
6.2.4 Updating the web-based proxy pages:
Allows authorized users to update (add to, delete from) the list
6.2.5 Disabling/enabling the plugin:
Allows authorized users to disable/enable the plugin.
(GoForward), or the event of a successful download (DocumentComplete), When BHOs are created, they must first be registered in the system Registry through a CLSID value. This value acts as an identifier that is unique to the BHO. The figure below illustrates how the browser starts up and loads the BHOs into memory for processing:
The process works as follows:
- The browser starts.
- The browser looks up the CLSID values of the BHOs in the Registry and loads the application modules of these BHOs into memory.
- Each BHO that is created has its own separate Interface. When the browser finds these Interfaces of the BHO, it passes the BHOs a pointer to its own Interface (the IUnknown Interface).
- It is precisely because IUnknown is passed to the BHOs that they can intervene in the browser's objects and events.
6.3.2 Some important handler functions:
- HRESULT SetSite(IUnknown* pUnkSite) receives the IUnknown object pointer and some other important objects (IWebBrowser2, IConnectionPointContainer) from the browser and stores them for processing.
- Tells the browser that the BHO intends to catch events and handle them accordingly.
- HRESULT Invoke()
- HRESULT Disconnect(void): when the object is destroyed or ends on its own initiative, this must be called to tell the browser that event handling has ended.
- Event handlers: depending on the type of event, the BHO handles it accordingly. The events handled in this module are, in order:
  DISPID_BEFORENAVIGATE2: the event raised when the browser is about to navigate to a page other than the current one.
  DISPID_ONQUIT: the event raised when the browser is closed.
A further note on registering the BHO in the registry for the browser: although Visual C++ 6.0, when a COM plug-in application for Internet Explorer is created, automatically generates the lines that initialise the application's parameters in the registry, in the file with the rgs extension, the lines that register the application in the Registry must be added by the user. The content to add is as follows:
HKLM { SOFTWARE { Microsoft { Windows { CurrentVersion { Explorer { 'Browser Helper Objects' {
    ForceRemove {ID number generated in advance by VC} = s 'Name to display for the BHO object'
} } } } } } }
Field name
6.4.2
Field name URL
[Flowchart residue: Start; Plugin; True / False; Filter 1, Filter 2, Filter 3; Violation / No violation]
6.5.2
- BeforeNavigate: the event the browser raises when the user is about to browse to a new web page (different from the current page). Example: when clicking a link or a button on the page and moving to a new web page, when typing an address into the address bar in order to browse,
Filter 1: takes the address of the untrusted web page and checks it. The filter queries the database to see whether this page is already in the list of banned pages. If it is, the filter stores the address in the database and redirects the user to the ban notification page. If not, the address is passed to the next filter.
Filter 2: takes the address of the untrusted web page and checks it. If the address contains the address of another web page, it is regarded as a violation (as explained above). The filter stores the violating address in the database.
Filter 3: takes the IWebBrowser2 object pointer for processing. This pointer represents the current web page to be checked. Through this object pointer, the whole content of the page can be obtained (HTML tags, scripts, ...). As explained above, filter 3 works by checking the content of the INPUT FIELDs of the page, so the filter concentrates only on the INPUT tags of the HTML page. The filter regards a web page as a Web Based Proxy page if and only if it contains no more than 4 INPUT tags of type text, and at least one of these Input tags has as its content the address of some web page. A page that meets this condition is regarded as a violation and stored in the database.
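Filters 2 and 3 as described above, as an added C++ example that is not the plug-in's own code: it works on a URL string and on an HTML snapshot instead of the IWebBrowser2 object. The function names, the rule that a web address starts with http(s):// or www., the percent-decoding step and the constructed sample pages are assumptions of this sketch.

```cpp
#include <cctype>
#include <cstdio>
#include <regex>
#include <string>

// Heuristic (an assumption of this sketch): a web address starts with http(s):// or www.
static const std::regex kWebAddress(R"re((https?://|www\.)[a-z0-9-]+(\.[a-z0-9-]+)+)re",
                                    std::regex::icase);

// Decode %XX escapes so an encoded target such as http%3A%2F%2F... is still recognised.
std::string percent_decode(const std::string& s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 2 < s.size() && std::isxdigit((unsigned char)s[i + 1]) &&
            std::isxdigit((unsigned char)s[i + 2])) {
            out += char(std::stoi(s.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else {
            out += s[i];
        }
    }
    return out;
}

// Filter 2: the URL carries a second web address after the proxy's own host name.
bool url_embeds_address(const std::string& url) {
    size_t scheme = url.find("://");
    size_t host = (scheme == std::string::npos) ? 0 : scheme + 3;
    size_t rest = url.find_first_of("/?#", host);
    if (rest == std::string::npos) return false;          // nothing after the host
    std::string tail = percent_decode(url.substr(rest));
    return std::regex_search(tail, kWebAddress);
}

// Filter 3: no more than 4 text INPUT tags, and at least one of them holds a web address.
bool page_looks_like_web_proxy(const std::string& html) {
    static const std::regex tag(R"re(<input\b[^>]*>)re", std::regex::icase);
    static const std::regex non_text(R"re(\btype\s*=\s*["']?(?!text\b)\w)re", std::regex::icase);
    static const std::regex value(R"re(\bvalue\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))re",
                                  std::regex::icase);
    int text_inputs = 0;
    bool has_address = false;
    for (std::sregex_iterator it(html.begin(), html.end(), tag), end; it != end; ++it) {
        std::string t = it->str();
        if (std::regex_search(t, non_text)) continue;     // checkbox, hidden, submit, ...
        ++text_inputs;                                    // a missing type attribute means text
        std::smatch m;
        if (std::regex_search(t, m, value)) {
            std::string v = m[1].str() + m[2].str() + m[3].str();
            if (std::regex_search(v, kWebAddress)) has_address = true;
        }
    }
    return text_inputs <= 4 && has_address;
}

// Constructed page snapshots (current field values serialised into value attributes).
const std::string kProxyPage = R"html(<form action="/browse" method="post">
<input type="text" name="u" value="http://www.google.com">
<input type="checkbox" name="rs" checked> Remove all scripts
<input type="submit" value="Go"></form>)html";
const std::string kSearchPage = R"html(<form><input name="q" value="firewall tutorial">
<input type="submit" value="Search"></form>)html";

int main() {
    std::printf("%d %d\n", url_embeds_address("http://www.webproxy.com/www.yahoo.com"),
                url_embeds_address("http://abc.com/class/th01.htm"));      // 1 0
    std::printf("%d %d\n", page_looks_like_web_proxy(kProxyPage),
                page_looks_like_web_proxy(kSearchPage));                   // 1 0
}
```

Legitimate links that carry a URL in a parameter (login redirects, share buttons) also trip Filter 2, so a deployment needs an allow-list next to the block list.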
Chapter 7:
In this chapter we present the second module: the anti-firewall-bypass Service for the Windows operating system.
7.3.1 Characteristics of an HTTP request packet sent to an HTTP Proxy Server:
According to the RFC documents on the HTTP Protocol, an HTTP request packet sent to a Proxy
In the illustration above, we see the content of an HTTP Request packet (the HTTP command here is GET) with the additional field Proxy-Connection: Keep-Alive. This is the key characteristic that distinguishes an HTTP Request packet sent to a Proxy Server from other ordinary packets.
7.3.2 Summary of the steps to note when building the module:
- Initialise the necessary information (address, port, ..) for a SOCK_RAW socket.
- Switch the socket's operating mode to SIO_RCVALL (capture all packets entering and leaving the system).
- Start receiving and processing packets.
Note: because the module's original goal is to capture and process HTTP (TCP) packets, the headers of the received packets (these are IP packets) must be stripped before processing begins.
Refer to the documentation on TCP/IP packet structure and the HTTP Protocol while processing the TCP packets.
7.3.3 Details of the module's main objects and handler functions:
- socket(AF_INET, SOCK_RAW, IPPROTO_IP): the function that creates the socket. Note that the socket must be created as SOCK_RAW in order to capture packets at the IP layer.
- WSAIoctl(SOCKET s,DWORD dwIoControlCode, , , , , , ,): the function that sets the socket's operating mode. Only the first 2 parameters need attention: the SOCKET to configure and the operating mode. Here dwIoControlCode must equal SIO_RCVALL for the module to capture the packets entering and leaving the network card.
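The check that sections 7.3.1 to 7.3.3 describe, as an added C++ example that is not the thesis's own code: it strips the IPv4 and TCP headers from one captured packet and reports the destination IP when the HTTP request carries a Proxy-Connection field. The names inspect_packet, make_packet and ProxyHit, the constructed sample packets, and the extra check for an absolute-form request target (GET http://host/..., which goes beyond what the page describes) are assumptions of this sketch; the byte buffer stands in for what a SOCK_RAW socket in SIO_RCVALL mode would deliver.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical result type for this sketch (not from the thesis).
struct ProxyHit {
    bool is_proxy_request = false;
    std::string proxy_ip;   // destination of the request, i.e. the proxy itself
    std::string reason;     // which signal matched
};

// Strip the IPv4 and TCP headers of one captured packet, then inspect the HTTP request head.
ProxyHit inspect_packet(const std::vector<uint8_t>& pkt) {
    ProxyHit hit;
    if (pkt.size() < 40 || (pkt[0] >> 4) != 4 || pkt[9] != 6) return hit;  // IPv4 carrying TCP only
    size_t ihl = (pkt[0] & 0x0F) * 4u;                       // IP header length in bytes
    size_t total = (size_t(pkt[2]) << 8) | pkt[3];           // IP total length
    if (ihl < 20 || total > pkt.size() || total < ihl + 20) return hit;
    if ((((pkt[6] & 0x1F) << 8) | pkt[7]) != 0) return hit;  // later fragment: no TCP header here
    size_t doff = (pkt[ihl + 12] >> 4) * 4u;                 // TCP header length in bytes
    if (doff < 20 || ihl + doff >= total) return hit;        // malformed, or no payload
    std::string head(pkt.begin() + ihl + doff, pkt.begin() + total);
    head = head.substr(0, head.find("\r\n\r\n"));            // header block only, never the body
    std::transform(head.begin(), head.end(), head.begin(),
                   [](unsigned char c) { return char(std::tolower(c)); });
    size_t eol = head.find("\r\n");
    std::string line = head.substr(0, eol);                  // request line
    size_t sp = line.find(' ');
    if (sp == std::string::npos || line.find(" http/1.", sp) == std::string::npos) return hit;
    if (eol != std::string::npos && head.find("\r\nproxy-connection:", eol) != std::string::npos)
        hit.reason = "Proxy-Connection header";              // the field the page points to
    else if (line.compare(sp + 1, 7, "http://") == 0)
        hit.reason = "absolute-form request target";         // extra signal, beyond the page
    else
        return hit;
    hit.is_proxy_request = true;
    hit.proxy_ip = std::to_string(pkt[16]) + "." + std::to_string(pkt[17]) + "." +
                   std::to_string(pkt[18]) + "." + std::to_string(pkt[19]);
    return hit;
}

// Constructed sample: wrap an HTTP request in minimal IPv4 + TCP headers (checksums left zero).
std::vector<uint8_t> make_packet(const std::string& http, uint8_t a, uint8_t b, uint8_t c,
                                 uint8_t d) {
    std::vector<uint8_t> p(40, 0);
    size_t total = p.size() + http.size();
    p[0] = 0x45;                                             // IPv4, 20-byte header
    p[2] = uint8_t(total >> 8); p[3] = uint8_t(total & 0xFF);
    p[8] = 64; p[9] = 6;                                     // TTL, protocol TCP
    p[12] = 10; p[15] = 5;                                   // source 10.0.0.5
    p[16] = a; p[17] = b; p[18] = c; p[19] = d;              // destination address
    p[22] = 0x1F; p[23] = 0x90;                              // destination port 8080
    p[32] = 0x50; p[33] = 0x18;                              // 20-byte TCP header, PSH|ACK
    p.insert(p.end(), http.begin(), http.end());
    return p;
}

int main() {
    // Constructed requests: one sent to a proxy, one sent directly to the origin server.
    auto via_proxy = make_packet("GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n"
                                 "Proxy-Connection: Keep-Alive\r\n\r\n", 203, 0, 113, 10);
    auto direct = make_packet("GET /class/th01.htm HTTP/1.1\r\nHost: abc.com\r\n\r\n",
                              198, 51, 100, 7);
    for (const auto& pkt : {via_proxy, direct}) {
        ProxyHit h = inspect_packet(pkt);
        std::printf("%s %s\n", h.is_proxy_request ? "PROXY" : "direct", h.proxy_ip.c_str());
    }
}
```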
7.4.1 Introduction to the Filter-Hook Driver:
The Filter-Hook Driver is a concept introduced by Microsoft in the Windows 2000 DDK documentation. It is a driver that extends the features of the IP Filter Driver (available in Windows 2000 and later). In essence the Filter-Hook Driver is not a driver for the network environment; it is regarded as a driver for the system kernel (Kernel Mode Driver). Inside this driver, we only need to define one CALLBACK function (a kind of event-catching function) and register it with the system's IP address filter driver (IP Filter Driver). Once registration succeeds, the address filter calls the CALLBACK function back whenever a packet is sent out of or received into the system, so that it can be processed.
7.4.2 Summary of the steps for building a Filter-Hook Driver to capture packets:
- Initialise the Filter-Hook Driver. Supply the name and the basic parameters for the driver as follows:
LoadDriver("IpFilterDriver","System32\\Drivers\\IpFltDrv.sys", null, true)
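- Obtain the address pointer of the IP Filter Driver initialised in step 1, in order to initialise and register the CALLBACK function.
- Initialise and register the CALLBACK function by sending the pointer to the predefined CALLBACK function to the IP Filter Driver.
- Start filtering packets. Call the StartFilter function.
- To finish and stop filtering packets, the registration must be removed from the IP Filter Driver. At this point we only need to register with the driver again, with the CALLBACK function pointer set to Null.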
Field name ProxyIP
7.5.2
Field name: ProxyIP; Text
[Flowchart residue: Service; Start; IP packet; Add the IP to the filter]
to see whether these packets are HTTP Request packets sent to a Proxy Server. If they are, the IP address of the Proxy Server is passed on to the IP address filtering module for processing. This new address is added to the address filter and stored in the database.
7.8.2
the HTTP Proxy Server addresses. However, for new Proxy Servers (not yet in the database), the filter must first learn the new address before it can block it. As a result, in the first working session the filter does not yet block these new addresses. In later sessions the filter is sure to work well. During testing, when the filter learned too many new addresses and stored them in the database, this consumed a fair amount of system resources (CPU, RAM), so the Service ran more slowly (at times the Service could hang). Unfortunately, we have not yet been able to solve this problem. The operation of the Service depends heavily on the existence of the database file that stores the Proxy Servers. When that file does not exist or is corrupt, the filtering feature of the Service certainly cannot work correctly.
PART 4
SUMMARY
Chapter 8:
CONCLUSION
After more than six months of work on the thesis, we have to some extent studied, with reasonable success, the firewall-bypass programming methods and the accompanying programs: Http proxy, Web based Proxy, the anti-firewall-bypass plug-in and the anti-firewall-bypass service. From what we have learned, we feel there is still much to do to make the programs more complete, and that we need more guidance from our teachers and friends. The final result is the product of months of our own effort, the help of our families, the university and friends, and especially the dedicated guidance of our teacher Hong Cng, which enabled us to complete the thesis well against the goals that were set. Finally, once again, we thank everyone who helped us complete this thesis. Our sincere thanks.
8.1 Results achieved:
Against the original requirement, "Study the programming methods for bypassing a firewall, and use them as the basis for building anti-firewall-bypass and Web security modules", the thesis has so far achieved the following:
- Required part: studied and successfully implemented 2 methods: HTTP Proxy Server and Web-based Proxy.
- Extended part: studied and successfully implemented 2 anti-firewall-bypass modules: the anti-firewall-bypass plug-in for the Internet Explorer browser and the anti-firewall-bypass Service on the Windows operating system.
In addition, in the course of researching and completing the project, we gained the following:
- A deeper understanding of network application programming methods based on the Windows Winsock library.
- An understanding of how to build and deploy a Service application on Windows.
- An understanding of how to build and deploy a plug-in application for the Internet Explorer browser.
- An understanding of how to build and develop applications on COM (Component Object Model).
Today the Internet is growing ever more strongly and is a vast, endless resource, so the need to use it to search for information as well as for transactions and commerce is inevitable. Information safety and security requirements (depending on the purposes of the individual or business) create a further troublesome problem for network administrators: controlling and managing users' use of the Internet. By researching and proposing feasible solutions for the extended requirement of the project, building the anti-firewall-bypass modules, we believe we can contribute in part to solving this difficult problem.
a number of directions for future development, intended to extend the scientific as well as practical significance of the project:
- Improve the filter lookup speed of the second module: the anti-firewall-bypass Service.
- Continue researching the http tunneling method.
- Implement a demonstration application for the http tunneling method.
- Further refine the plug-in and the Service to achieve optimal effectiveness.
- Successfully implement an anti-firewall-bypass module for the HTTP Tunneling method.
- Turn the project into a finished product for practical use.
PART 5
APPENDIX
LIST OF REFERENCES
- Websites:
http://www.microsoft.com
http://www.quantrimang.com
http://www.codeproject.com
http://www.sourceforge.net
http://www.experts-exchange.com
http://www.webopedia.com
http://www.nyu.edu
http://www.learnthat.com
http://www.stayinvisible.com
http://www.proxify.com
http://www.silentsurf.net
http://www.adminvietnam.net
http://www.anonimizer.com
http://www.tcpipguide.com
http://www.vnsecurity.net
- List of documents, books and textbooks consulted:
Microsoft MSDN electronic documentation.
Anthony Jones and Jim Ohlund, Network Programming for Microsoft Windows, 1999 (ebooks)
O'Reilly, Learning PHP 5, June-2004
Addison Wesley, The C++ Programming Language, June-97
Wrox Press, Beginning PHP 4, 2001
Sams Publishing, Teach Yourself PHP, MySQL and Apache in 24h, 12-2002
Addison Wesley, C/C++ Network Programming I & II, 10-2001