Các Phương Pháp Lập Trình Vượt Firewall

TRNG I HC KHOA HC T NHIN KHOA CNG NGH THNG TIN B MN MNG MY TNH & VIN THNG
PHAN TRUNG HIU - TRN L QUN
CC PHNG PHP LP TRNH VT FIREWALL
KHA LUN C NHN TIN HC
NIN KHA 2001 - 2005
Lun vn tt nghip Mng my tnh
GVHD: ThS Hong Cng
TRNG I HC KHOA HC T NHIN KHOA CNG NGH THNG TIN B MN MNG MY TNH & VIN THNG
PHAN TRUNG HIU TRN L QUN
0112463 0112319
KHA LUN C NHN TIN HC
GIO VIN HNG DN Th.S HONG CNG
NIN KHA 2001 2005
Phan Trung Hiu Mssv: 0112463
- Trang 2 -
Trn L Qun Mssv:0112319
GVHD: ThS Hong Cng
LI NHN XT CA GIO VIN HNG DN

- Trang 3 -
GVHD: ThS Hong Cng
LI NHN XT CA GIO VIN PHN BIN

- Trang 4 -
GVHD: ThS Hong Cng
LI CM N
Sau hn 6 thng n lc thc hin, lun vn nghin cu Cc phng php lp trnh vt firewall phn no hon thnh. Ngoi s n lc ca bn thn, chng em nhn c s khch l rt nhiu t pha nh trng, thy c, gia nh v bn b trong khoa. Chnh iu ny mang li cho chng em s ng vin rt ln chng em c th hon thnh tt lun vn ca mnh. Trc ht, chng con xin cm n nhng bc lm cha, lm m lun ng h, chm sc chng con v to mi iu kin tt nht chng con c th hon thnh nhim v ca mnh. Chng em xin cm n nh trng ni chung v Khoa CNTT ni ring em li cho chng em ngun kin thc v cng qu gi chng em c kin thc hon thnh lun vn cng nh lm hnh trang bc vo i. Em xin cm n cc thy c thuc b mn MMT, c bit l thy Hong Cng gio vin hng dn ca chng em tn tnh hng dn v gip chng em mi khi chng em c kh khn trong qu trnh hc tp cng nh trong qu trnh lm lun vn tt nghip. Xin cm n tt c cc bn b thn yu ng vin, gip chng em trong sut qu trnh hc tp cng nh lm ti. Mt ln na, xin cm n tt c mi ngi TPHCM 7/2005 Nhm sinh vin thc hin Phan Trung Hiu Trn L Qun
- Trang 5 -
GVHD: ThS Hong Cng
LI NI U
Ni dung lun vn c trnh by trong 8 chng thuc v 5 phn khc nhau : Phn th nht: C S L THUYT Chng 1: Gii thiu v firewall Chng 2: Khi nim proxy Chng 3: Cc phng php lp trnh vt firewall Phn th hai: CC PHNG PHP LP TRNH VT FIREWALL Chng 4: Vt firewall bng HTTP proxy Servers Chng 5: Vt firewall bng Web-based proxy Phn th ba: MODULE CHNG VT FIREWALL Chng 6: Plug-in chng vt firewall cho trnh duyt Internet Explorer Chng 7: Service chng vt Firewall Phn th t: TNG KT Chng 8: Kt lun. Phn th nm: PH LC
- Trang 6 -
GVHD: ThS Hong Cng
MC LC
Chng 1: GII THIU V FIREWALL ..............................................................11 1.1 t vn : ..........................................................................................11 1.2 Nhu cu bo v thng tin: .....................................................................11 1.2.1 Nguyn nhn: ................................................................................11 1.2.2 Bo v d liu: ...............................................................................13 1.2.3 Bo v cc ti nguyn s dng trn mng: .......................................13 1.2.4 Bo v danh ting c quan: ............................................................13 1.3 Cc kiu tn cng: ................................................................................14 1.3.1 Tn cng trc tip: .........................................................................14 1.3.2 Nghe trm: ....................................................................................15 1.3.3 Gi mo a ch: .............................................................................15 1.3.4 V hiu cc chc nng ca h thng (DoS, DDoS): ...........................15 1.3.5 Li ca ngi qun tr h thng: ......................................................16 1.3.6 Tn cng vo yu t con ngi: ......................................................17 1.4 Firewall l g ? ......................................................................................17 1.5 Cc chc nng chnh: ............................................................................19 1.5.1 Chc nng: ....................................................................................19 1.5.2 Thnh phn: ..................................................................................20 1.6 Nguyn l:............................................................................................21 1.7 Cc dng firewall: .................................................................................23 1.8 Cc nim chung v Firewall:................................................................25 1.8.1 Firewall da trn Application gateway: .............................................25 1.8.2 Cng vng(Circuit level gateway): ...................................................27 1.8.3 Hn ch ca Firewall: .....................................................................28 1.8.4 Firewall c d ph hay khng: .........................................................28 1.9 Mt s m hnh Firewall: .......................................................................30 1.9.1 Packet-Filtering Router: ..................................................................30 1.9.2 M hnh Single-Homed Bastion Host: ...............................................32 1.9.3 M hnh Dual-Homed Bastion Host: .................................................34 1.9.4 Proxy server: .................................................................................36 1.9.5 Phn mm Firewall Proxy server: ..................................................37 1.10 Li kt: ................................................................................................46 Chng 2: KHI NIM PROXY..........................................................................47 2.1 Proxy l g: ...........................................................................................47 2.2 Ti sao proxy li ra i: .........................................................................48 2.3 Tng kt chung v proxy: ......................................................................48 Chng 3: CC PHNG PHP LP TRNH VT FIREWALL .............................50 3.1 Vt firewall l g:.................................................................................50 3.2 Phng php th nht: HTTP Proxy .......................................................50
- Trang 7 -
GVHD: ThS Hong Cng
3.3 Phng php th hai: Web-Based Proxy.................................................51 3.4 Phng php th ba: Http Tunneling......................................................51 Chng 4: VT FIREWALL BNG HTTP PROXY ...............................................53 4.1 Khi cc HTTP Proxy Server tr nn hu ch: ............................................53 4.2 Chc nng chnh:..................................................................................56 4.2.1 Truy cp Internet: ..........................................................................56 4.2.2 Caching documents: .......................................................................57 4.2.3 iu khin truy cp Internet mt cch c chn lc: ...........................59 4.2.4 Cung cp dch v Internet cho cc c quan s dng IP o: ................60 4.3 Mt phin giao dch (transaction) thng qua proxy : ................................60 4.4 Kt ni thng qua proxy server: .............................................................61 4.5 HTTP proxy: .........................................................................................61 4.6 FTP proxy:............................................................................................62 4.7 Tin li v bt tin khi cache cc trang Web:...........................................63 4.8 Nhng bt cp do proxy: .......................................................................63 4.9 K thut lp trnh mt HTTP Proxy c bn: ..............................................64 Chng 5: Vt firewall bng Web-Based Proxy................................................65 5.1 Th no l 1 web-based anonymous proxy ? ...........................................65 5.2 Cch thc hot ng ca 1 WBP : ..........................................................66 5.3 Gii thiu v trang Web Based Proxy: .....................................................67 5.3.1 Giao din: ......................................................................................67 5.3.2 Chc nng: ....................................................................................67 5.3.3 Thut ton: ....................................................................................69 Chng 6: Plug-in chng vt firewall cho trnh duyt Internet Explorer .............73 6.1 Gii thiu s lc : ................................................................................73 6.2 Cc tnh nng chnh: .............................................................................74 6.2.1 Lc cc trang web da trn vic duyt danh sch cc trang web c sn trong c s d liu: .....................................................................................74 6.2.2 Lc cc trang web da trn c ch kim tra a ch (URL): ................74 6.2.3 Lc da trn ni dung ca cc Input Form trong trang web: ..............75 6.2.4 Cp nht cc trang web based proxy:...............................................76 6.2.5 V hiu ha/kch hot plugin: ..........................................................76 6.3 Mt s vn cn lu khi vit plugin cho trnh duyt IE :......................76 6.3.1 Khi nim Browser Helper Objects (BHO): ........................................76 6.3.2 Mt s hm x l quan trng: ..........................................................78 6.4 Chi tit lu tr d liu : .........................................................................79 6.4.1 Bng Forbidden ..............................................................................79 6.4.2 Bng Trusted .................................................................................79 6.5 Thut ton chnh ca ng dng : ...........................................................79 6.5.1 M hnh hot ng ca Plugin : .......................................................79 6.5.2 Din gii m hnh : .........................................................................81
- Trang 8 -
GVHD: ThS Hong Cng
6.6 Nhng u im v hn ch: ..................................................................82 Chng 7: SERVICE CHNG VT FIREWALL ..................................................83 7.1 Gii thiu s lc : ................................................................................83 7.2 Cc tnh nng chnh ca module:............................................................83 7.3 Module bt gi tin :...............................................................................84 7.3.1 c im ca gi tin HTTP request n HTTP Proxy Server: ..............84 7.3.2 Tm tt cc bc cn lu khi xy dng module;.............................84 7.3.3 Chi tit cc i tng, hm x l chnh ca module : .........................85 7.4 Module chn a ch IP: .........................................................................85 7.4.1 Gii thiu v Filter-Hook Driver : ......................................................85 7.4.2 Tm tt cc bc xy dng Filter-Hook Driver bt gi tin: .............86 7.5 Chi tit lu tr d liu : .........................................................................86 7.5.1 Bng ForbiddenProxy ......................................................................86 7.5.2 Bng TrustedProxy: ........................................................................86 7.6 S hot ng ca Module chn a ch IP : .........................................87 7.7 Din gii m hnh :................................................................................87 7.8 Nhn xt nh gi :............................................................................88 7.8.1 u im: .......................................................................................88 7.8.2 Khuyt im: .................................................................................89 Chng 8: KT LUN ......................................................................................90 8.1 Nhng kt qu t c:.......................................................................90 8.2 Hng pht trin : ................................................................................91
DANH SCH HNH

Hnh Hnh Hnh Hnh Hnh Hnh Hnh Hnh Hnh Hnh Hnh Hnh Hnh Hnh Hnh 1 M hnh tn cng DDoS ...........................................................................16 2 M hnh firewall.......................................................................................18 3 Lc gi tin ti firewall...............................................................................18 4 Mt s chc nng ca Firewall. .................................................................20 5 Lc gi tin ..............................................................................................21 6 Firewall c cu hnh ti router...............................................................23 7 Firewall mm ..........................................................................................26 8 Tn cng h thng t bn ngoi ...............................................................29 9 Packet filtering ........................................................................................31 10 M hnh single-Homed Bastion Host ........................................................33 11 M hnh Dual-Homed Bastion Host ..........................................................35 12 M hnh 1 Proxy n gin ......................................................................37 13 Mt s protocol sau proxy ......................................................................39 14 M hnh proxy .......................................................................................48 15 M hnh hot ng chung ca cc proxy ..................................................55
- Trang 9 -
GVHD: ThS Hong Cng
Hnh Hnh Hnh Hnh Hnh Hnh Hnh Hnh Hnh Hnh Hnh Hnh Hnh Hnh Hnh Hnh
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Mt s protocol c h tr ...................................................................56 Caching ................................................................................................58 Caching b li (failure) ............................................................................59 Mt transaction qua proxy ......................................................................60 Truy xut thng tin thng qua HTTP proxy ..............................................62 Truy xut thng tin thng qua FTP proxy ................................................62 Giao din chnh ca Web Base Proxy .......................................................67 Mini form trn mi u trang ..................................................................68 S hot ng ca 1 trang Web-Based Proxy ........................................69 Giao din chnh ca plug-in ....................................................................73 Trang thng bo mi khi ngi dng duyt nhng trang web vi phm.......74 Cch trnh by thng thng ca mt trang web base proxy .....................75 Qu trnh trnh duyt khi ng v np cc BHO ......................................77 M hnh hot ng ca Plugin .................................................................80 nh dng ca gi tin gi n proxy server ..............................................84 S hot ng ca module chn a ch IP............................................87
DANH SCH BNG
- Trang 10 -
GVHD: ThS Hong Cng
PHN TH NHT
C S L THUYT
Chng 1:
1.1 t vn :
Song song vi vic xy dng nn tng v cng ngh thng tin, cng nh pht trin cc ng dng my tnh trong sn xut, kinh doanh, khoa hc, gio dc, x hi,... th vic bo v nhng thnh qu l mt iu khng th thiu. S dng cc bc tng la (Firewall) bo v mng ni b (Intranet), trnh s tn cng t bn ngoi l mt gii php hu hiu, m bo c cc yu t: An ton cho s hot ng ca ton b h thng mng Bo mt cao trn nhiu phng din Kh nng kim sot cao m bo tc nhanh Mm do v d s dng Trong sut vi ngi s dng m bo kin trc m
GII THIU V FIREWALL
1.2 Nhu cu bo v thng tin: 1.2.1 Nguyn nhn:

Ngy nay, Internet, mt kho tng thng tin khng l, phc v hu hiu trong sn xut kinh doanh, tr thnh i tng cho nhiu ngi tn cng vi cc mc ch khc nhau. i khi, cng ch n gin l th ti hoc a bn vi ngi khc.
- Trang 11 -
GVHD: ThS Hong Cng
Cng vi s pht trin khng ngng ca Internet v cc dch v trn Internet, s lng cc v tn cng trn Internet cng tng theo cp s nhn. Trong khi cc phng tin thng tin i chng ngy cng nhc nhiu n Internet vi nhng kh nng truy nhp thng tin dng nh n v tn ca n, th cc ti liu chuyn mn bt u cp nhiu n vn bo m v an ton d liu cho cc my tnh c kt ni vo mng Internet. Theo s liu ca CERT (Computer Emegency Response Team), s lng cc v tn cng trn Internet c thng bo cho t chc ny l t hn 200 vo nm 1989, khong 400 vo nm 1991, 1400 vo nm 1993, v 2241 vo nm 1994. Nhng v tn cng ny nhm vo tt c cc my tnh c mt trn Internet, cc my tnh ca tt c cc cng ty ln nh AT&T, IBM, cc trng i hc, cc c quan nh nc, cc t chc qun s, nh bng... Mt s v tn cng c quy m khng l (c ti 100.000 my tnh b tn cng). Hn na, nhng con s ny ch l phn ni ca tng bng. Mt phn rt ln cc v tn cng khng c thng bo, v nhiu l do, trong c th k n ni lo b mt uy tn, hoc n gin nhng ngi qun tr h thng khng h hay bit nhng cuc tn cng nhm vo h thng ca h. Khng ch s lng cc cuc tn cng tng ln nhanh chng, m cc phng php tn cng cng lin tc c hon thin. iu mt phn do cc nhn vin qun tr h thng c kt ni vi Internet ngy cng cao cnh gic. Cng theo CERT, nhng cuc tn cng thi k 1988-1989 ch yu on tn ngi s dngmt khu (UserID-password) hoc s dng mt s li ca cc chng trnh v h iu hnh (security hole) lm v hiu h thng bo v, tuy nhin cc cuc tn cng vo thi gian gn y bao gm c cc thao tc nh gi mo a ch IP, theo di thng tin truyn qua mng, chim cc phin lm vic t xa (telnet hoc rlogin). Nhu cu bo v thng tin trn Internet c th chia thnh ba loi gm: Bo v d liu; Bo v cc ti nguyn s dng trn mng v Bo v danh ting ca c quan.
- Trang 12 -
GVHD: ThS Hong Cng
1.2.2 Bo v d liu:
Nhng thng tin lu tr trn h thng my tnh cn c bo v do cc yu cu sau: Bo mt: Nhng thng tin c gi tr v kinh t, qun s, chnh sch vv... cn c gi kn. Tnh ton vn: Thng tin khng b mt mt hoc sa i, nh tro. Tnh kp thi: Yu cu truy nhp thng tin vo ng thi im cn thit. Trong cc yu cu ny, thng thng yu cu v bo mt c coi l yu cu s 1 i vi thng tin lu tr trn mng. Tuy nhin, ngay c khi nhng thng tin ny khng c gi b mt, th nhng yu cu v tnh ton vn cng rt quan trng. Khng mt c nhn, mt t chc no lng ph ti nguyn vt cht v thi gian lu tr nhng thng tin m khng bit v tnh ng n ca nhng thng tin .
1.2.3 Bo v cc ti nguyn s dng trn mng:

Trn thc t, trong cc cuc tn cng trn Internet, k tn cng, sau khi lm ch c h thng bn trong, c th s dng cc my ny phc v cho mc ch ca mnh nhm chy cc chng trnh d mt khu ngi s dng, s dng cc lin kt mng sn c tip tc tn cng cc h thng khc vv...
1.2.4 Bo v danh ting c quan:

Mt phn ln cc cuc tn cng khng c thng bo rng ri, v mt trong nhng nguyn nhn l ni lo b mt uy tn ca c quan, c bit l cc cng ty ln v cc c quan quan trng trong b my nh nc. Trong trng hp ngi qun tr h thng ch c bit n sau khi chnh h thng ca mnh c dng lm bn p tn cng cc h thng khc, th tn tht v uy tn l rt ln v c th li hu qu lu di.
- Trang 13 -
GVHD: ThS Hong Cng
1.3 Cc kiu tn cng: 1.3.1 Tn cng trc tip:

Nhng cuc tn cng trc tip thng thng c s dng trong giai on u chim c quyn truy nhp bn trong. Mt phng php tn cng c in l d tm tn ngi s dng v mt khu. y l phng php n gin, d thc hin v khng i hi mt iu kin c bit no bt u. K tn cng c th s dng nhng thng tin nh tn ngi dng, ngy sinh, a ch, s nh vv.. on mt khu. Trong trng hp c c danh sch ngi s dng v nhng thng tin v mi trng lm vic, c mt trng trnh t ng ho v vic d tm mt khu ny. Mt chng trnh c th d dng ly c t Internet gii cc mt khu m ho ca cc h thng unix c tn l crack, c kh nng th cc t hp cc t trong mt t in ln, theo nhng quy tc do ngi dng t nh ngha. Trong mt s trng hp, kh nng thnh cng ca phng php ny c th ln ti 30%. Phng php s dng cc li ca chng trnh ng dng v bn thn h iu hnh c s dng t nhng v tn cng u tin v vn c tip tc chim quyn truy nhp. Trong mt s trng hp phng php ny cho php k tn cng c c quyn ca ngi qun tr h thng (root hay administrator). Hai v d thng xuyn c a ra minh ho cho phng php ny l v d vi chng trnh sendmail v chng trnh rlogin ca h iu hnh UNIX. Sendmail l mt chng trnh phc tp, vi m ngun bao gm hng ngn dng lnh ca ngn ng C. Sendmail c chy vi quyn u tin ca ngi qun tr h thng, do chng trnh phi c quyn ghi vo hp th ca nhng ngi s dng my. V Sendmail trc tip nhn cc yu cu v th tn trn mng bn ngoi. y chnh l nhng yu t lm cho sendmail tr thnh mt ngun cung cp nhng l hng v bo mt truy nhp h thng.
- Trang 14 -
GVHD: ThS Hong Cng
Rlogin cho php ngi s dng t mt my trn mng truy nhp t xa vo mt my khc s dng ti nguyn ca my ny. Trong qu trnh nhn tn v mt khu ca ngi s dng, rlogin khng kim tra di ca dng nhp, do k tn cng c th a vo mt xu c tnh ton trc ghi ln m chng trnh ca rlogin, qua chim c quyn truy nhp.
1.3.2 Nghe trm:

Vic nghe trm thng tin trn mng c th a li nhng thng tin c ch nh tn, mt khu ca ngi s dng, cc thng tin mt chuyn qua mng. Vic nghe trm thng c tin hnh ngay sau khi k tn cng chim c quyn truy nhp h thng, thng qua cc chng trnh cho php bt cc gi tin vo ch nhn ton b cc thng tin lu truyn trn mng. Nhng thng tin ny cng c th d dng ly c trn Internet.
1.3.3 Gi mo a ch:
Vic gi mo a ch IP c th c thc hin thng qua vic s dng kh nng dn ng trc tip (source-routing). Vi cch tn cng ny, k tn cng gi cc gi tin IP ti mng bn trong vi mt a ch IP gi mo (thng thng l a ch ca mt mng hoc mt my c coi l an ton i vi mng bn trong), ng thi ch r ng dn m cc gi tin IP phi gi i.
1.3.4 V hiu cc chc nng ca h thng (DoS, DDoS):

y l ku tn cng nhm t lit h thng, khng cho n thc hin chc nng m n thit k. Kiu tn cng ny khng th ngn chn c, do nhng phng tin c t chc tn cng cng chnh l cc phng tin lm vic v truy nhp thng tin trn mng. V d s dng lnh ping vi tc cao nht c th, buc mt h thng tiu hao ton b tc tnh ton v kh nng ca mng tr li cc lnh ny, khng cn cc ti nguyn thc hin nhng cng vic c ch khc.
- Trang 15 -
GVHD: ThS Hong Cng
Hnh 1 M hnh tn cng DDoS
Client l mt attacker sp xp mt cuc tn cng Handler l mt host c tha hip chy nhng chng trnh c bit dng tn cng Mi handler c kh nng iu khin nhiu agent Mi agent c trch nhim gi stream data ti victim
1.3.5 Li ca ngi qun tr h thng:

y khng phi l mt kiu tn cng ca nhng k t nhp, tuy nhin li ca ngi qun tr h thng thng to ra nhng l hng cho php k tn cng s dng truy nhp vo mng ni b.
- Trang 16 -
GVHD: ThS Hong Cng
1.3.6 Tn cng vo yu t con ngi:

K tn cng c th lin lc vi mt ngi qun tr h thng, gi lm mt ngi s dng yu cu thay i mt khu, thay i quyn truy nhp ca mnh i vi h thng, hoc thm ch thay i mt s cu hnh ca h thng thc hin cc phng php tn cng khc. Vi kiu tn cng ny khng mt thit b no c th ngn chn mt cch hu hiu, v ch c mt cch gio dc ngi s dng mng ni b v nhng yu cu bo mt cao cnh gic vi nhng hin tng ng nghi. Ni chung yu t con ngi l mt im yu trong bt k mt h thng bo v no, v ch c s gio dc cng vi tinh thn hp tc t pha ngi s dng c th nng cao c an ton ca h thng bo v.
1.4 Firewall l g ?
Thut ng Firewall c ngun gc t mt k thut thit k trong xy dng ngn chn, hn ch ho hon. Trong cng ngh mng thng tin, Firewall l mt k thut c tch hp vo h thng mng chng s truy cp tri php, nhm bo v cc ngun thng tin ni b v hn ch s xm nhp khng mong mun vo h thng. Cng c th hiu Firewall l mt c ch (mechanism) bo v mng tin tng (Trusted network) khi cc mng khng tin tng (Untrusted network). Thng thng Firewall c t gia mng bn trong (Intranet) ca mt cng ty, t chc, ngnh hay mt quc gia, v Internet. Vai tr chnh l bo mt thng tin, ngn chn s truy nhp khng mong mun t bn ngoi (Internet) v cm truy nhp t bn trong (Intranet) ti mt s a ch nht nh trn Internet.
- Trang 17 -
GVHD: ThS Hong Cng
Hnh 2 M hnh firewall
Mt cch vn tt, firewall l h thng ngn chn vic truy nhp tri php t bn ngoi vo mng cng nh nhng kt ni khng hp l t bn trong ra. Firewall thc hin vic lc b nhng a ch khng hp l da theo cc quy tc hay ch tiu nh trc.
Hnh 3 Lc gi tin ti firewall
Firewall c th l h thng phn cng, phn mm hoc kt hp c hai. Nu l phn cng, n c th ch bao gm duy nht b lc gi tin hoc l thit b nh tuyn (router c tch hp sn chc nng lc gi tin). B nh tuyn c cc tnh nng bo mt cao cp, trong c kh nng kim sot a ch IP. Quy trnh kim sot cho php bn nh ra nhng a ch IP c th kt ni vi mng ca bn v ngc li. Tnh cht
- Trang 18 -
GVHD: ThS Hong Cng
chung ca cc Firewall l phn bit a ch IP da trn cc gi tin hay t chi vic truy nhp bt hp php cn c trn a ch ngun.
1.5 Cc chc nng chnh: 1.5.1 Chc nng:

Chc nng chnh ca Firewall l kim sot lung thng tin t gia Intranet v Internet. Thit lp c ch iu khin dng thng tin gia mng bn trong (Intranet) v mng Internet. C th l: Cho php hoc cm nhng dch v truy nhp ra ngoi (t Intranet ra Internet). Cho php hoc cm nhng dch v php truy nhp vo trong (t Internet vo Intranet). Theo di lung d liu mng gia Internet v Intranet. Kim sot a ch truy nhp, cm a ch truy nhp. Kim sot ngi s dng v vic truy nhp ca ngi s dng. Kim sot ni dung thng tin lu chuyn trn mng.
- Trang 19 -
GVHD: ThS Hong Cng
Hnh 4 M t s chc nng ca Firewall.
1.5.2 Thnh phn:

Firewall chun bao gm mt hay nhiu cc thnh phn sau y: B lc packet (packet-filtering router) Cng ng dng (application-level gateway hay proxy server) Cng mch (circuite level gateway)
B lc paket (Paket filtering router).
- Trang 20 -
GVHD: ThS Hong Cng
1.6 Nguyn l:
Khi ni n vic lu thng d liu gia cc mng vi nhau thng qua Firewall th iu c ngha rng Firewall hot ng cht ch vi giao thc TCI/IP. V giao thc ny lm vic theo thut ton chia nh cc d liu nhn c t cc ng dng trn mng, hay ni chnh xc hn l cc dch v chy trn cc giao thc (Telnet, SMTP, DNS, SMNP, NFS...) thnh cc gi d liu (data pakets) ri gn cho cc paket ny nhng a ch c th nhn dng, ti lp li ch cn gi n, do cc loi Firewall cng lin quan rt nhiu n cc packet v nhng con s a ch ca chng.
Hnh 5 Lc gi tin
B lc packet cho php hay t chi mi packet m n nhn c. N kim tra ton b on d liu quyt nh xem on d liu c tho mn mt trong s cc lut l ca lc packet hay khng. Cc lut l lc packet ny l da trn cc thng tin u mi packet (packet header), dng cho php truyn cc packet trn mng. l:
- Trang 21 -
GVHD: ThS Hong Cng
a ch IP ni xut pht ( IP Source address) a ch IP ni nhn (IP Destination address) Nhng th tc truyn tin (TCP, UDP, ICMP, IP tunnel) Cng TCP/UDP ni xut pht (TCP/UDP source port) Cng TCP/UDP ni nhn (TCP/UDP destination port) Dng thng bo ICMP ( ICMP message type) Giao din packet n ( incomming interface of packet) Giao din packet i ( outcomming interface of packet) Nu lut l lc packet c tho mn th packet c chuyn qua Firewall. Nu khng packet s b b i. Nh vy m Firewall c th ngn cn c cc kt ni vo cc my ch hoc mng no c xc nh, hoc kho vic truy cp vo h thng mng ni b t nhng a ch khng cho php. Hn na, vic kim sot cc cng lm cho Firewall c kh nng ch cho php mt s loi kt ni nht nh vo cc loi my ch no , hoc ch c nhng dch v no (Telnet, SMTP, FTP...) c php mi chy c trn h thng mng cc b. u im: a s cc h thng Firewall u s dng b lc packet. Mt trong nhng u im ca phng php dng b lc packet l chi ph thp v c ch lc packet c bao gm trong mi phn mm router. Ngoi ra, b lc packet l trong sut i vi ngi s dng v cc ng dng, v vy n khng yu cu s hun luyn c bit no c. Hn ch: Vic nh ngha cc ch lc package l mt vic kh phc tp; i hi ngi qun tr mng cn c hiu bit chi tit v cc dch v Internet, cc dng packet header, v cc gi tr c th c th nhn trn mi trng. Khi
- Trang 22 -
GVHD: ThS Hong Cng
Do lm vic da trn header ca cc packet, r rng l b lc packet khng kim sot c ni dung thng tin ca packet. Cc packet chuyn qua vn c th mang theo nhng hnh ng vi n cp thng tin hay ph hoi ca k xu.
1.7 Cc dng firewall:

Mi dng Firewall khc nhau c nhng thun li v hn ch ring. Dng ph bin nht l Firewall mc mng (Network-level firewall). Loi Firewall ny thng da trn b nh tuyn, v vy cc quy tc quy nh tnh hp php cho vic truy nhp c thit lp ngay trn b nh tuyn. M hnh Firewall ny s dng k thut lc gi tin (packetfiltering technique), l tin trnh kim sot cc gi tin qua b nh tuyn.
Hnh 6 Firewall c cu hnh ti router
- Trang 23 -
GVHD: ThS Hong Cng
Khi hot ng, Firewall s da trn b nh tuyn m kim tra a ch ngun (source address) hay a ch xut pht ca gi tin. Sau khi nhn din xong, mi a ch ngun IP s c kim tra theo cc quy tc do ngi qun tr mng nh trc. Firewall da trn b nh tuyn lm vic rt nhanh do n ch kim tra lt trn cc a ch ngun m khng h c yu cu thc s no i vi b nh tuyn, khng tn thi gian x l nhng a ch sai hay khng hp l. Tuy nhin, bn phi tr gi: ngoi tr nhng iu khin chng truy nhp, cc gi tin mang a ch gi mo vn c th thm nhp mt mc no trn my ch ca bn. Mt s k thut lc gi tin c th c s dng kt hp vi Firewall khc phc nhc im ni trn. a ch IP khng phi l thnh phn duy nht ca gi tin c th mc by b nh tuyn. Ngi qun tr nn p dng ng thi cc quy tc, s dng thng tin nh danh km theo gi tin nh thi gian, giao thc, cng... tng cng iu kin lc. Tuy nhin, s yu km trong k thut lc gi tin ca Firewall da trn b nh tuyn khng ch c vy. Mt s dch v gi th tc t xa (Remote Procedure Call - RPC) rt kh lc mt cch hiu qu do cc server lin kt ph thuc vo cc cng c gn ngu nhin khi khi ng h thng. Dch v gi l nh x cng (portmapper) s nh x cc li gi ti dch v RPC thnh s dch v gn sn, tuy nhin, do khng c s tng ng gia s dch v vi b nh tuyn lc gi tin, nn b nh tuyn khng nhn bit c dch v no dng cng no, v th n khng th ngn chn hon ton cc dch v ny, tr khi b nh tuyn ngn ton b cc gi tin UDP (cc dch v RPC ch yu s dng giao thc UDP hay User Datagram Protocol). Vic ngn chn tt c cc gi tin UDP cng s ngn lun c cc dch v cn thit, v d nh DNS (Domain Name Service dch v t tn vng). V th, dn n tnh trng tin thoi lng nan.
- Trang 24 -
GVHD: ThS Hong Cng
1.8 Cc nim chung v Firewall:

Mt trong nhng tng chnh ca Firewall l che chn cho mng ca bn khi tm nhn ca nhng ngi dng bn ngoi khng c php kt ni, hay ch t cng khng cho php h r ti mng. Qu trnh ny thc thi cc ch tiu lc b do ngi qun tr n nh. Trn l thuyt, Firewall l phng php bo mt an ton nht khi mng ca bn c kt ni Internet. Tuy nhin, vn tn ti cc vn xung quanh mi trng bo mt ny. Nu Firewall c cu hnh qu cht ch, tin trnh lm vic ca mng s b nh hng, c bit trong mi trng ngi dng ph thuc hon ton vo ng dng phn tn. Do Firewall thc thi tng chnh sch bo mt cht ch nn n c th b sa ly. Tm li, c ch bo mt cng cht ch bao nhiu, th tnh nng cng b hn ch by nhiu. Mt vn khc ca Firewall tng t nh vic xp trng vo r. Do l ro chn chng kt ni bt hp php nn mt khe h cng c th d dng ph hu mng ca bn. Firewall duy tr mi trng bo mt, trong n ng vai tr iu khin truy nhp v thc thi s bo mt. Firewall thng c m t nh ca ng ca mng, ni xc nhn quyn truy nhp. Tuy nhin iu g s xy ra khi n b v hiu ho? Nu mt k thut ph Firewall c pht hin, cng c ngha ngi v s b tiu dit v c hi sng st ca mng l rt mng manh. V vy trc khi xy dng Firewall, bn nn xem xt k v tt nhin phi hiu tng tn v mng ca mnh. Mt iu na, Firewall cng c kh nng cm cc kt ni khng c cho php t bn trong ra. iu ny, nu suy ngh n gin th chng ta thy rt c li, tuy nhin trong mt vi trng hp th n vn c mt hn ch ca n.
1.8.1 Firewall da trn Application gateway:

Mt dng ph bin l Firewall da trn ng dng application-proxy. Loi ny hot ng hi khc vi Firewall da trn b nh tuyn lc gi tin. Application gateway da trn c s phn mm. Khi mt ngi dng khng xc nh kt ni t
- Trang 25 -
GVHD: ThS Hong Cng
xa vo mng chy application gateway, gateway s ngn chn kt ni t xa ny. Thay v ni thng, gateway s kim tra cc thnh phn ca kt ni theo nhng quy tc nh trc. Nu tho mn cc quy tc, gateway s to cu ni (bridge) gia trm ngun v trm ch.
Hnh 7 Firewall mm
Cu ni ng vai tr trung gian gia hai giao thc. V d, trong mt m hnh gateway c trng, gi tin theo giao thc IP khng c chuyn tip ti mng cc b, lc s hnh thnh qu trnh dch m gateway ng vai tr b phin dch. u im ca Firewall application gateway l khng phi chuyn tip IP. Quan trng hn, cc iu khin thc hin ngay trn kt ni. Sau cng, mi cng c u cung cp nhng tnh nng thun tin cho vic truy nhp mng. Do s lu chuyn ca cc gi tin u c chp nhn, xem xt, dch v chuyn li nn
- Trang 26 -
GVHD: ThS Hong Cng
Firewall loi ny b hn ch v tc . Qu trnh chuyn tip IP din ra khi mt server nhn c tn hiu t bn ngoi yu cu chuyn tip thng tin theo nh dng IP vo mng ni b. Vic cho php chuyn tip IP l li khng trnh khi, khi , hacker c th thm nhp vo trm lm vic trn mng ca bn. Hn ch khc ca m hnh Firewall ny l mi ng dng bo mt (proxy application) phi c to ra cho tng dch v mng. Nh vy mt ng dng dng cho Telnet, ng dng khc dng cho HTTP, v.v.. Do khng thng qua qu trnh chuyn dch IP nn gi tin IP t a ch khng xc nh s khng th ti my tnh trong mng ca bn, do h thng application gateway c bo mt cao hn.
1.8.2 Cng vng(Circuit level gateway):

Cng vng l mt chc nng c bit c th thc hin c bi mt cng ng dng(application gateway). Cng vng n gin ch chuyn tip (relay) cc kt ni TCP m khng thc hin bt k mt hnh ng x l hay lc packet no. VD: Cng vng n gin chuyn tip kt ni telnet qua firewall m khng thc hin mt s kim tra, lc hay iu khin cc th tc Telnet no.Cng vng lm vic nh mt si dy, sao chp cc byte gia kt ni bn trong (inside connection) v cc kt ni bn ngoi (outside connection). Tuy nhin, v s kt ni ny xut hin t h thng firewall, nn n che du thng tin v mng ni b. Cng vng thng c s dng cho nhng kt ni ra ngoi, ni m cc qun tr mng tht s tin tng nhng ngi dng bn trong. u im ln nht l mt bastion host c th c cu hnh nh l mt hn hp cung cp Cng ng dng cho nhng kt ni n, v cng vng cho cc kt ni i. iu ny lm cho h thng Firewall d dng s dng cho nhng ngi trong mng ni b mun trc tip truy nhp ti cc dch v Internet, trong khi vn cung cp chc nng Firewall bo v mng ni b t nhng s tn cng bn ngoi.
- Trang 27 -
GVHD: ThS Hong Cng
1.8.3 Hn ch ca Firewall:
Firewall khng thng minh nh con ngi c th c hiu tng loi thng tin v phn tch ni dung tt hay xu ca n. Firewall ch c th ngn chn s xm nhp ca nhng ngun thng tin khng mong mun nhng phi xc nh r cc thng s a ch. Firewall khng th ngn chn mt cuc tn cng nu cuc tn cng ny khng "i qua" n. Mt cch c th, firewall khng th chng li mt cuc tn cng t mt ng dial-up, hoc s d r thng tin do d liu b sao chp bt hp php ln a mm. Firewall cng khng th chng li cc cuc tn cng bng d liu (datadriven attack). Khi c mt s chng trnh c chuyn theo th in t, vt qua firewall vo trong mng c bo v v bt u hot ng y. Mt v d l cc virus my tnh. Firewall khng th lm nhim v r qut virus trn cc d liu c chuyn qua n, do tc lm vic, s xut hin lin tc ca cc virus mi v do c rt nhiu cch m ha d liu, thot khi kh nng kim sot ca firewall. Tuy nhin, Firewall vn l gii php hu hiu c p dng rng ri.
1.8.4 Firewall c d ph hay khng:

Cu tr li l khng. L thuyt khng chng minh c c khe h trn Firewall, tuy nhin thc tin th li c. Cc hacker nghin cu nhiu cch ph Firewall. Qu trnh ph Firewall gm hai giai on: u tin phi tm ra dng Firewall m mng s dng cng cc loi dch v hot ng pha sau n; tip theo l pht hin khe h trn Firewall , giai on ny thng kh khn hn. Theo nghin cu ca cc hacker, khe h trn Firewall tn ti l do li nh cu hnh ca ngi qun tr h thng, sai st ny cng khng him khi xy ra. Ngi qun tr phi chc
- Trang 28 -
GVHD: ThS Hong Cng
chn s khng c bt trc cho d s dng h iu hnh (HH) mng no, y l c mt vn nan gii. Trong cc mng UNIX, iu ny mt phn l do HH UNIX qu phc tp, c ti hng trm ng dng, giao thc v lnh ring. Sai st trong xy dng Firewall c th do ngi qun tr mng khng nm vng v TCP/IP. Mt trong nhng vic phi lm ca cc hacker l tch cc thnh phn thc ra khi cc thnh phn gi mo. Nhiu Firewall s dng trm hy sinh (sacrificial hosts) - l h thng c thit k nh cc server Web (c th sn sng b i) hay by (decoys), dng bt cc hnh vi thm nhp ca hacker. By c th cn dng ti nhng thit b ngy trang phc tp nhm che du tnh cht tht ca n, v d: a ra cu tr li tng t h thng tp tin hay cc ng dng thc. V vy, cng vic u tin ca hacker l phi xc nh y l cc i tng tn ti tht.
Hnh 8 Tn cng h thng t bn ngoi
- Trang 29 -
GVHD: ThS Hong Cng
c c thng tin v h thng, hacker cn dng ti thit b c kh nng phc v mail v cc dch v khc. Hacker s tm cch nhn c mt thng ip n t bn trong h thng, khi , ng i c kim tra v c th tm ra nhng manh mi v cu trc h thng. Ngoi ra, khng Firewall no c th ngn cn vic ph hoi t bn trong. Nu hacker tn ti ngay trong ni b t chc, chng bao lu mng ca bn s b hack. Thc t xy ra vi mt cng ty du la ln: mt tay hacker tr trn vo i ng nhn vin v thu thp nhng thng tin quan trng khng ch v mng m cn v cc trm Firewall.
1.9 Mt s m hnh Firewall: 1.9.1 Packet-Filtering Router:

H thng Internet firewall ph bin nht ch bao gm mt packet-filtering router t gia mng ni b v Internet. Mt packet-filtering router c hai chc nng: chuyn tip truyn thng gia hai mng v s dng cc quy lut v lc gi cho php hay t chi truyn thng.
- Trang 30 -
GVHD: ThS Hong Cng
Hnh 9 Packet filtering
- Trang 31 -
GVHD: ThS Hong Cng
Cn bn, cc quy lut lc c nh ngha sao cho cc host trn mng ni b c quyn truy nhp trc tip ti Internet, trong khi cc host trn Internet ch c mt s gii hn cc truy nhp vo cc my tnh trn mng ni b. T tng ca m cu trc firewall ny l tt c nhng g khng c ch ra r rng l cho php th c ngha l b t chi. u im: Gi thnh thp, cu hnh n gin Trong sut(transparent) i vi user. Hn ch: C rt nhiu hn ch i vi mt packet-filtering router, nh l d b tn cng vo cc b lc m cu hnh c t khng hon ho, hoc l b tn cng ngm di nhng dch v c php. Bi v cc packet c trao i trc tip gia hai mng thng qua router, nguy c b tn cng quyt nh bi s lng cc host v dch v c php. iu dn n mi mt host c php truy nhp trc tip vo Internet cn phi c cung cp mt h thng xc thc phc tp, v thng xuyn kim tra bi ngi qun tr mng xem c du hiu ca s tn cng no khng.
Nu mt packet-filtering router do mt s c no ngng hot ng, tt c h thng trn mng ni b c th b tn cng.
1.9.2 M hnh Single-Homed Bastion Host:

H thng ny bao gm mt packet-filtering router v mt bastion host. H thng ny cung cp bo mt cao hn h thng trn, v n thc hin c bo mt tng network (packet-filtering) v tng ng dng (application level). ng thi, k tn cng phi ph v c hai tng bo mt tn cng vo mng ni b.
- Trang 32 -
GVHD: ThS Hong Cng
Hnh 10 M hnh single-Homed Bastion Host
Trong h thng ny, bastion host c cu hnh trong mng ni b. Qui lut filtering trn packet-filtering router c nh ngha sao cho tt c cc h thng bn ngoi ch c th truy nhp bastion host; Vic truyn thng ti tt c cc h thng bn trong u b kho. Bi v cc h thng ni b v bastion host trn cng mt mng, chnh sch bo mt ca mt t chc s quyt nh xem cc h thng ni b c php truy nhp trc tip vo bastion Internet hay l chng phi s dng dch v proxy trn bastion host. Vic bt buc nhng user ni b c thc hin bng cch t cu hnh b lc ca router sao cho ch chp nhn nhng truyn thng ni b xut pht t bastion host. u im: My ch cung cp cc thng tin cng cng qua dch v Web v FTP c th t trn packet-filtering router v bastion. Trong trng hp yu cu an ton cao nht, bastion host c th chy cc dch v proxy yu cu tt c cc
- Trang 33 -
GVHD: ThS Hong Cng
Bi v bastion host l h thng bn trong duy nht c th truy nhp c t Internet, s tn cng cng ch gii hn n bastion host m thi. Tuy nhin, nu nh user log on c vo bastion host th h c th d dng truy nhp ton b mng ni b. V vy cn phi cm khng cho user logon vo bastion host.
1.9.3 M hnh Dual-Homed Bastion Host:

Demilitarized Zone (DMZ) hay Screened-subnet Firewall H thng bao gm hai packet-filtering router v mt bastion host. H c an ton cao nht v n cung cp c mc bo mt network v application, trong khi nh ngha mt mng "phi qun s". Mng DMZ ng vai tr nh mt mng nh, c lp t gia Internet v mng ni b. C bn, mt DMZ c cu hnh sao cho cc h thng trn Internet v mng ni b ch c th truy nhp c mt s gii hn cc h thng trn mng DMZ, v s truyn trc tip qua mng DMZ l khng th c.
- Trang 34 -
GVHD: ThS Hong Cng
Hnh 11 M hnh Dual-Homed Bastion Host
Vi nhng thng tin n, router ngoi chng li nhng s tn cng chun (nh gi mo a ch IP), v iu khin truy nhp ti DMZ. H thng ch cho php bn ngoi truy nhp vo bastion host. Router trong cung cp s bo v th hai bng cch iu khin DMZ truy nhp mng ni b ch vi nhng truyn thng bt u t bastion host. Vi nhng thng tin i, router trong iu khin mng ni b truy nhp ti DMZ. N ch cho php cc h thng bn trong truy nhp bastion host v c th c information server. Quy lut filtering trn router ngoi yu cu s dung dich v proxy bng cch ch cho php thng tin ra bt ngun t bastion host. u im: K tn cng cn ph v ba tng bo v: router ngoi, bastion host v router
- Trang 35 -
GVHD: ThS Hong Cng
Ch c mt s h thng c chn ra trn DMZ l c bit n bi Internet qua routing table v DNS information exchange ( Domain Name Server ). Bi v router trong ch qung co DMZ network ti mng ni b, cc h thng trong mng ni b khng th truy nhp trc tip vo Internet. iu nay m bo rng nhng user bn trong bt buc phi truy nhp Internet qua dch v proxy.
1.9.4 Proxy server:

Chng ta s xy dng Firewall theo kin trc application-level gateway, theo mt b chng trnh proxy c t gateway ngn cch mt mng bn trong (Intranet) vi Internet. B chng trnh proxy c pht trin da trn b cng c xy dng Internet Firewall TIS (Trusted Information System), bao gm mt b cc chng trnh v s t li cu hnh h thng nhm mc ch xy dng mt Firewall. B chng trnh c thit k chy trn h UNIX s dng TCP/IP vi giao din socket Berkeley.
- Trang 36 -
GVHD: ThS Hong Cng
Hnh 12 M hnh 1 Proxy n gin
B chng trnh proxy c thit k cho mt s cu hnh firewall, theo cc dng c bn: dual-home gateway, screened host gateway, v screened subnet gateway. Thnh phn Bastion host trong Firewall, ng vai tr nh mt ngi chuyn tip thng tin, ghi nht k truyn thng, v cung cp cc dch v, i hi an ton cao. Proxy server chng ta s tm hiu k hn phn sau .
1.9.5 Phn mm Firewall Proxy server:

B chng trnh proxy gm nhng chng trnh mc ng dng (applicationlevel programs), dng thay th hoc l thm vo phn mm h thng. i vi mi dch v, cn c mt phn mm tng ng lm nhim v lc cc bn tin. Trn
- Trang 37 -
GVHD: ThS Hong Cng
SMTP Gateway - Proxy server cho dch v SMTP (Simple Mail Tranfer Protocol) FTP Gateway - Proxy server cho dch v Ftp Telnet Gateway - Proxy server cho dch v Telnet HTTP Gateway - Proxy server cho dch v HTTP (World Wide Web) Rlogin Gateway - Proxy server cho dch vu rlogin Plug Gateway - Proxy server cho dch v kt ni server tc thi dng giao thc TCP (TCP Plug-Board Connection server) SOCKS - Proxy server cho cc dch v theo chun SOCKS NETACL - iu khin truy nhp mng dng cho cc dch v khc IP filter Proxy iu khin mc IP SMTP Gateway - Proxy server cho cng SMTP
- Trang 38 -
GVHD: ThS Hong Cng
1.9.5.1 SMTP Gateway - Proxy server cho dch v SMTP (Simple Mail Tranfer Protocol)
Hnh 13 Mt s protocol sau proxy
Chng trnh SMTP Gateway c xy dng trn c s s dng hai phn mm smap v smapd, dng chng li s truy nhp thng qua giao thc SMTP. Nguyn l thc hin l chn trc chng trnh mail server nguyn thu ca h thng, khng cho php cc h thng bn ngoi kt ni trc tip vi mail server. V trong mng tin cy mail server thng c mt s quyn
- Trang 39 -
GVHD: ThS Hong Cng
Khi mt h thng xa ni ti cng SMTP. Chng trnh smap s dnh quyn phc v v chuyn ti th mc dnh ring v t user-id mc bnh thng (khng c quyn u tin). Mc ch duy nht ca smap l i thoi SMTP vi cc h thng khc, thu lm mail, ghi vo a, ghi nht k, v kt thc. Smapd thng xuyn qut th mc ny, khi pht hin c th s chuyn d liu cho sendmail phn pht vo cc hm th c nhn hoc chuyn tip ti cc mail server khc. Nh vy, mt user l trn mng khng th kt ni trc tip vi Mail Server. Tt c cc thng tin i theo ng ny hon ton c th kim sot c. Tuy nhin, chng trnh cng khng th gii quyt vn gi mo th hoc cc loi tn cng bng ng khc. 1.9.5.2 FTP Gateway Proxy Server cho dch v FTP: Proxy server cho dch v FTP cung cp kh nng kim sot truy nhp dch v FTP da trn a ch IP v hostname, v cung cp iu khin truy nhp th cp cho php tu chn kho hoc ghi nht k bt k lnh FTP no. Cc a ch ch ca dch v ny cng c th tu chn c php hay b cm. Tt c cc s kt ni v dung lng d liu chuyn qua u b ghi nht k li. FTP Gateway t bn thn n khng e da an ton ca h thng Firewall, bi v n chy ti mt th mc rng v khng thc hin mt th tc vo ra file no c ngoi vic c file cu hnh ca n. FTP Server ch cung cp dch v FTP, m khng quan tm n ai c quyn hay khng c quyn kt xut (download) file. Do vy, vic xc nh quyn phi c thit lp trn FTP Gateway v phi thc hin trc khi thc hin vic kt xut (download) hay nhp (upload) file. Ftp Gateway nn c cu
- Trang 40 -
GVHD: ThS Hong Cng
1.9.5.3 Telnet Gateway Proxy Server cho dch v Telnet: Telnet Gateway l mt proxy server qun l truy nhp mng da trn a ch IP v/hoc hostname, v cung cp s iu khin truy nhp th cp cho php tu chn kho bt k ch no. Tt c cc s kt ni d liu chuyn qua u c ghi nht k li. Mi mt ln user ni ti Telnet Gateway, ngi s dng phi la chn phng thc kt ni. Telnet Gateway khng phng hi ti an ton h thng, v n ch hot ng trong mt phm vi cho php nht nh. C th, h thng s chuyn iu khin ti mt th mc dnh ring. ng thi cm truy nhp ti cc th mc v file khc. Telnet Gateway c s dng kim sot cc truy nhp vo h thng mng ni b. Cc truy nhp khng c php s khng th thc hin c cn cc truy nhp hp php s b ghi li nht k v thi gian truy nhp v cc thao tc thc hin. HTTP Gateway - Proxy server cho web: HTTP Gateway l mt Proxy Server qun l truy nhp h thng qua cng HTTP (Web). Chng trnh ny, da trn a ch ch v a ch ngun ngn cm hoc cho php yu cu truy nhp i qua. ng thi cn c v m lnh ca giao thc HTTP, phn mm ny s cho
- Trang 41 -
GVHD: ThS Hong Cng
Rlogin Gateway - Proxy server cho rlogin: Cc terminal truy nhp qua th tc BSD rlogin c kim sot bi rlogin gateway. Chng trnh cho php kim tra v iu khin truy nhp mng tng t nh telnet gateway. Rlogin client c th ch ra mt h thng xa ngay khi bt u ni vo proxy. Chng trnh s hn ch yu cu tng tc gia user vi my. Plug Gateway - TCP Plug-Board Connection server: Firewall cung cp cc dch v thng thng nh Usernet news. Ngi qun tr mng c th chn hoc l chy dch v ny ngay trong firewall, hoc ci t mt proxy server cho dch v ny. Do dch v News chy trc tip trn firewall th d gy li h thng, nn cch an ton hn l s dng proxy. Plug gateway c thit k kim sot dch v Usernet News v mt s dch v khc nh Lotus Notes, Oracle, etc. Plug gateway da trn a ch IP hoc hostname, s cho php kim sot tt c cc truy nhp h thng thng qua cc cng dch v c ng k. Trn c s s cho php hoc cm cc yu cu truy nhp. Tt c yu cu kt ni bao gm c d liu c th c ghi li nht k theo di v kim sot. 1.9.5.4 SQL Gateway Proxy Server cho SQL-Net: SQL Net s dng giao thc ring khng ging nh ca News hay Lotus Notes, Do vy, khng th s dng Plug Gateway cho dch v ny c. SQL
- Trang 42 -
GVHD: ThS Hong Cng
1.9.5.5 SOCKS Gateway v NETACL: SOCKS Gateway - Proxy server cho cc dch v theo chun SOCKS: SOCKS l giao thc kt ni mng gia cc my ch cng h tr giao thc ny. Hai my ch khi s dng giao thc ny s khng cn quan tm ti vic gia chng c th ni ghp thng qua IP hay khng. SOCKS s ch hng li cc yu cu ghp ni t my ch u kia. My ch SOCKS s xc nh quyn truy nhp v thit lp knh truyn thng tin gia hai my. SOCKS Gateway dng chng li cc truy nhp vo mng thng qua cng ny. NETACL - Cng c iu khin truy nhp mng: Cc dch v thng thng trn mng khng cung cp kh nng kim sot truy cp ti chng do vy chng l cc im yu tn cng. K c trn h thng firewall cc dch v thng thng c lc b kh nhiu m bo an ton h thng nhng mt s dich v vn cn thit duy tr h thng nh telnet, rlogin... Netacl l mt cng c iu khin truy nhp mng, da trn a ch network ca my client, v dch v c yu cu. N bao trm nn cc dch v c bn cung cp thm kh nng kim sot cho dch v . V vy mt client (xc nh bi a ch IP hoc hostname) c th truy nhp ti telnet server khi n ni vi cng dch v telnet trn firewall.
- Trang 43 -
GVHD: ThS Hong Cng
Thng thng trong cc cu hnh firewall, NETACL c s dng cm tt c cc my tr mt vi host c quyn login ti firewall qua hoc l telnet hoc l rlogin, v kho cc truy nhp t nhng k tn cng. an ton ca Netacl da trn a ch IP v/hoc hostname. Vi cc h thng cn an ton cao, nn dng a ch IP trnh s gi mo DNS. Netacl khng chng li c s gi a ch IP qua chuyn ngun (source routing) hoc nhng phng tin khc. Nu c cc loi tn cng nh vy, cn phi s dng mt router c kh nng soi nhng packet c chuyn ngun (screening source routed packages). Ch l netacl khng cung cp iu khin truy nhp UDP, bi v cng ngh hin nay khng m bo s xc thc ca UDP. An ton cho cc dch v UDP y ng ngha vi s khng cho php tt c cc dch v UDP. 1.9.5.6 Authentication: B Firewall cha chng trnh server xc thc c thit k h tr c ch phn quyn. Authsrv cha mt c s d liu v ngi dng trong mng, mi bn ghi tng ng vi mt ngi dng, cha c ch xc thc cho mi anh ta, trong bao gm tn nhm, tn y ca ngi dng, ln truy cp mi nht. Mt khu khng m ho (Plain text password) c s dng cho ngi dng trong mng vic qun tr c n gin. Mt khu khng m ho khng nn dng vi nhng ngi s dng t mng bn ngoi. Ngi dng trong c s d liu ca c th c chia thnh cc nhm khc nhau c qun tr bi qun tr nhm l ngi c ton quyn trong nhm c vic thm, bt ngi dng. iu ny thun li khi nhiu t chc cng dng chung mt Firewall. Authsrv qun l nhm rt mm do, qun tr c th nhm ngi dng thnh nhm dng "group wiz", ngi c quyn qun tr nhm c th xo, thm, to
- Trang 44 -
GVHD: ThS Hong Cng
1.9.5.7 IP Filter B lc mc IP: IP Filter l b lc cc gi tin TCP/IP, c xem nh thnh phn khng th thiu khi thit lp Firewall trong sut i vi ngi s dng. Phn mm ny s c ci t trong li ca h thng (nh UNIX kernel), c chy ngm khi h thng hot ng, n nhn v phn tch tt c cc gi IP (IP Package). B lc IP filter c th thc hin cc vic sau: Cho i qua hoc cm bt k mt gi tin no. Nhn bit c cc dch v khc nhau Lc theo a ch IP hoc hosts Cho php lc chn la giao thc IP bt k Cho php lc chn la theo cc mnh IP Cho php lc chn la theo cc tu chn IP Gi tr li cc khi ICMP/TCP li v t li s hiu packet Lu gi cc thng tin trng thi i vi cc dng TCP, UDP and ICMP Lu gi cc thng tin trng thi i vi cc mnh IP packet bt k C chc nng nh Network Address Translator (NAT)
- Trang 45 -
GVHD: ThS Hong Cng
Lm c s thit lp cc kt ni trong sut i vi ngi s dng Cung cp cc header cho cc chng trnh ca ngi s dng xc nhn. Ngoi ra h tr khng gian tm cho cc quy tc xc nhn i vi cc gi tin i qua. c bit i vi cc giao thc c bn ca Internet, TCP, UDP v ICMP, th IP filter cho php lc theo: Inverted host/net matching S hiu cng ca cc gi tin TCP/UDP Kiu hoc m ca cc gi tin ICMP Thit lp cc gi tin TCP T hp tu cc c trng thi TCP Lc/loi b nhng gi IP cha kt thc Lc theo kiu dch v Cho php ghi nht k cc bn tin bao gm:
Header ca cc gi tin TCP/UDP/ICMP and IP Mt phn hoc tt c d liu ca gi tin
1.10 Li kt:
Hin ti, Firewall l phng php bo v mng ph bin nht, 95% cng ng hacker phi tha nhn l dng nh khng th vt qua Firewall. Song trn thc t, Firewall tng b ph. Nu mng ca bn c kt ni Internet v cha d liu quan trng cn c bo v, bn cnh Firewall, bn nn tng cng cc bin php bo v khc nh l bo mt mc physical, thng xuyn back up d liu, chn lc nhn vin
- Trang 46 -
GVHD: ThS Hong Cng
Chng 2:
2.1 Proxy l g:
KHI NIM PROXY
Theo www.learnthat.com: proxy l mt thit b cho php kt ni vo internet, n ng gia cc workstation trong mt mng v internet, cho php bo mt kt ni, ch cho php mt s cng v protocol no , vd: tcp, http, telnet trn cc cng 80, 23. Khi mt client yu cu mt trang no , yu cu ny s c chuyn n proxy server, proxy server s chuyn tip yu cu ny n site . Khi yu cu c p tr, proxy s tr kt qu ny li cho client tng ng. Proxy server c th c dng ghi nhn vic s dng internet v ngn chn nhng trang b cm Theo www.nyu.edu: proxy server l mt server ng gia mt ng dng ca client, nh web browser, v mt server xa (remote server). Proxy server xem xt cc request xem n c th x l bng cache ca n khng, nu khng th, n s chuyn yu cu ny n remote server. Theo www.webopedia.com: proxy server l mt server ng gia mt ng dng client, nh web browser, v mt server thc. N chn tt c cc yu cu n cc server thc xem xem n c kh nng ng c khng, nu khng th, n s chuyn cc yu cu ny n cc server thc. Theo www.stayinvisible.com: proxy server l mt loi buffer gia my tnh ca bn v cc ti nguyn trn mng internet m bn ang truy cp, d liu bn yu cu s n proxy trc, sau mi c chuyn n my ca bn.
- Trang 47 -
GVHD: ThS Hong Cng
Hnh 14 M hnh proxy
2.2 Ti sao proxy li ra i:

Tng tc kt ni: cc proxy c mt c ch gi l cache, c ch cache cho php proxy lu tr li nhng trang c truy cp nhiu nht, iu ny lm cho vic truy cp ca bn s nhanh hn, v bn c p ng yu cu mt cch ni b m khng phi ly thng tin trc tip t internet. Bo mt: mi truy cp u phi thng qua proxy nn vic bo mt c thc hin trit .
Filtering: ngn cn cc truy cp khng c cho php nh cc trang i try, cc trang phn ng
2.3 Tng kt chung v proxy:

Theo cc nh ngha cng nh nhng gi tr m proxy mng li nh cp trn, ta c th thy proxy qu tht rt c li
Tuy nhin, li dng v tng proxy, mt s server trn mng t bin mnh thnh nhng trm chung chuyn, nhng trung gian cho cc kt ni khng c cho php. Chnh iu ny a ra thm mt nh ngha mi, mt ngha mi ginh cho proxy.
- Trang 48 -
GVHD: ThS Hong Cng
Rt nhiu a ch trn mng do mt l do no m b cm truy cp i vi ngi dng nh l cc trang web i try, cc trang phn ng, ni dung khng lnh mnh. Tuy nhin, chng li iu ny, nh ni trn, mt s server bin mnh thnh proxy gip cho nhng kt ni cm ny c th thc hin c.
Proxy ny c 2 loi, hay ni cch khc l c 2 cch thng qua cc proxy ny truy cp, l HTTP proxy v web-based proxy m chng ta s c tm hiu phn sau. V y cng chnh l 2 phng php lp trnh vt firewall m chng em mun ni n trong lun vn ny.
- Trang 49 -
GVHD: ThS Hong Cng
Chng 3:
3.1 Vt firewall l g:
Ni mt cch nm na, vt firewall l vt qua s truy cn ca cc chng trnh bo mt (Firewall) c th truy cp n c ch mong mun Vt firewall c th l vt t bn trong ra hay t bn ngoi vo y, chng ta ch cp n vt firewall t bn trong ra, do chng ta c th tm gn li c 3 hnh thc vt firewall: HTTP proxy, webbased proxy, http tunneling.
3.2 Phng php th nht: HTTP Proxy

L phng php m server s dng mt cng no trung chuyn cc yu cu, cc server ny thng c gi l web proxy server hay http proxy server Khi cc yu cu ca client b t chi bi ngi qun tr (hay ni chnh xc hn l cc chng trnh qun l trong mng LAN), th ngi s dng c th s dng cc proxy server chuyn tip cc yu cu m trong , proxy server l mt a ch c cho php kt ni n. Cc proxy server ny thng khng c nh, n thng c thi gian sng rt ngn. S dng proxy ny, bn ch cn cu hnh mc proxy m trong hu ht cc Web browser u c h tr Phng php ny s c tm hiu su phn 2
- Trang 50 -
GVHD: ThS Hong Cng
3.3 Phng php th hai: Web-Based Proxy

Phng php ny cho php ngi s dng truy cp vo cc trang b cm di hnh thc 1 truy cp vo 1 trang web trung gian. u tin ngi dng truy cp vo trang web ny Sau , ngi s dng cung cp thng tin v trang web m mnh mun n (ch yu di hnh thc url) Sau Web-base proxy ny s kt ni n trang m ngi dng yu cu, ly thng tin, inh dng li thng tin, ri gi li cho ngi dng mt cch hp php Tt nhin, web-based proxy ny phi l mt trang web m cha b ngi qun tr cm Phng php ny s c tm hiu su phn 2
3.4 Phng php th ba: Http Tunneling

Cng nh cc phng php trn, htttp tunneling cho php ngi dng truy cp vo nhng trang b cm Bao gm mt chng trnh client pha ngi dng v mt chng trnh pha server u tin, chng trnh pha client s to ra mt ng hm kt ni my ca bn n chng trnh server t trn mng, ng hm ny i ngang qua firewall ca bn m khng h hn g, v a ch server khng b filter. Khi ng hm thit lp xong mi yu cu truy cp n trang web s thn qua server, ri a vo ng hm v n my bn m firewall khng h hay bit. Do 1 s ng dng http-tunneling c vit theo m hnh client-server, c ch hot ng da trn kch bn lm vic dng sn, ta c th ch ng qua mt cc firewall bng cch m ha cc gi tin trao
- Trang 51 -
GVHD: ThS Hong Cng
Do gii hn ca ti v gii hn v mt thi gian m phng php ny s khng c tm hiu k trong lun vn.
- Trang 52 -
GVHD: ThS Hong Cng
PHN TH HAI
VT FIREWALL
Chng 4:
VT FIREWALL BNG HTTP PROXY
4.1 Khi cc HTTP Proxy Server tr nn hu ch:

Nhim v chnh ca HTTP proxy server l cho php nhng client bn trong truy cp ra internet m khng b ngn tr bi Firewall (firewall). Lc ny tt c cc client pha sau Firewall u c th truy cp ra ngoi Internet ch vi mt cht cng sc v khng b ngn tr bi cc dch v bo mt Proxy server lng nghe cc yu cu t cc client v chuyn tip (forward) nhng yu cu ny n cc server bn ngoi Internet. Proxy server c phn hi (response) t cc server bn ngoi ri gi tr chng cho cc client bn trong. Thng thng, nhng client m cng subnet th dng cng mt proxy server. Do , proxy server c th cache cc document phc v cho cc client c cng nhu cu (cng truy cp n mt trang chng hn). Ngi dng khi s dng proxy cm thy h ang nhn cc phn hi mt cch trc tip t bn ngoi. Nhng thc s th h ang ra ngoi Internet mt cch gin tip thng qua proxy. Cc client m khng s dng DNS vn c th duyt web v h ch cn mt thng tin duy nht, l a ch IP ca proxy server. Tng t, cc c quan, doanh nghip s dng cc a ch o (10.x.x.x, 192.168.x.x,
- Trang 53 -
GVHD: ThS Hong Cng
172.16.x.x
172.32.x.x) vn c th ra ngoi Internet mt cch bnh
thng thng qua proxy server. Cc proxy server c th cho php hay t chi cc yu cu da trn giao thc ca cc kt ni. V d nh: mt proxy server c th cho php cc kt ni HTTP trong khi t chi cc kt ni FTP Khi bn dng proxy server nh mt cng ra ngoi Internet t mng LAN, bn c th chn la cc ty chn nh sau: Cho php hay ngn chn client truy cp Internet da trn nn tng a ch IP Caching document: lu gi li cc trang web phc v cho cc nhu cu ging nhau Sng lc kt ni Cung cp dch v Internet cho cc cng ty dng mng ring (nn tng IP o) Chuyn i d liu sang dng HTML c th xem bng trnh duyt
- Trang 54 -
GVHD: ThS Hong Cng
Hnh 15 M hnh hot ng chung ca cc proxy
- Trang 55 -
GVHD: ThS Hong Cng
4.2 Chc nng chnh: 4.2.1

Truy cp Internet:
Cc my trong mng LAN c th khng th truy cp n cc ti nguyn trn Internet mt cch trc tip v chng ang hot ng pha sau mt bc Firewall. Trong trng hp ny, proxy server c th gip chng thc hin iu ny mt cch d dng.
Hnh 16 Mt s protocol c h tr
hnh trn, proxy server ang chy trn mt firewall host v thip lp cc kt ni ra th gii bn ngoi. Chng ta cng c th s dng mt my tnh khc lm proxy server, my ny phi c y cc quyn truy cp Internet.
- Trang 56 -
GVHD: ThS Hong Cng
Proxy nhn cc yu cu t trnh duyt, proxy truy vn n cc thng tin c yu cu, chuyn i sang dng HTML ri gi tr li cho browser pha bn trong firewall. Proxy server c th qun l tt c cc kt ni ra ngoi Internet nu n l my tnh duy nht c kt ni trc tip ra ngoi Internet.
4.2.2
Caching documents:
Thng thng, cc client ca cng mt subnet truy cp n mt Web proxy server. Mt vi proxy server cho php bn cache (lu tr tm thi) cc ti liu ny trn my phc v cho cc my khc c cng nhu cu. Gi s: my A va truy cp vo trang http://mail.yahoo.com , sau my B li yu cu n trang ny, trong trng hp ny, proxy server s dng li documents ny c sn trong my m khng phi ln tn server ly v. iu ny khin cho tc ci thin r rt
- Trang 57 -
GVHD: ThS Hong Cng
Hnh 17 Caching
Caching trn proxy server hiu qu hn trn my n, n s tit kim c khng gian lu tr bi v bn ch phi lu li mt ln. Caching trn proxy server cho hiu qu hn, chng ta nn caching li nhng trang m thng xuyn c tham chiu n (c truy cp n)
Thng qua caching, chng ta cn c th truy cp n trang ngay c trong trng hp server b down Mt s loi proxy cho php cache nhiu ni phng khi cache b down hay b li
- Trang 58 -
GVHD: ThS Hong Cng
Hnh 18 Caching b li (failure)
4.2.3
iu khin truy cp Internet mt cch c chn lc: Khi s dng proxy server bn c th lc cc transaction ca cc client. Mt vi proxy server cho php bn: o Yu cu no c chp nhn, yu cu no khng o Ngn chn cc trang m bn khng mun cho user truy cp n
- Trang 59 -
GVHD: ThS Hong Cng
o Gii hn cc dch v m bn mun, v d: bn c th cho php user s dng dch v HTTP nhng li khng mun cho h s dng dch v FTP
4.2.4
Cung cp dch v Internet cho cc c quan s dng IP o: Cc t chc m s dng mt hay nhiu khng gian a ch o c th s dng Internet, iu ny hon ton c th. Bng cch thng qua proxy server v proxy server s gi a ch tht.
4.3 Mt phin giao dch (transaction) thng qua proxy :
Hnh 19 Mt transaction qua proxy
Cc client u c cc a ch IP ca n cng nh mt kt ni trc tip n cc server trn Internet. Khi trnh duyt to ra mt yu cu HTTP th HTTP server ch ly ng dn v phn t kha ca URL c yu cu, nhng phn khc nh phn giao thc, hostname ca my ang chy HTTP server u r rng i vi server.
V d: khi bn g: http://abc.com/class/th01.htm th trnh duyt s chuyn sang l: GET /class/th01.htm. Trnh duyt kt ni n abc.com server, a ra lnh v i phn hi. Trong v d ny, trnh duyt to ra mt yu cu n HTTP server v ch r ti nguyn resource no cn c ti v, khng c giao thc cng nh khng c bt k hostname no trong URL
- Trang 60 -
GVHD: ThS Hong Cng
4.4 Kt ni thng qua proxy server:

Proxy server hot ng vi c 2 vai tr l client v server, n ng vai tr server trong trng hp n tip nhn cc yu cu HTTP t cc trnh duyt v hot ng nh mt client khi n kt ni n server xa truy vn cc ti nguyn Proxy s dng li tt c cc thng tin m trnh duyt gi cho n gi yu cu n server xa nn s khng s b mt mt hay thiu ht thng tin Mt proxy server hon chnh c th h tr ht tt c cc giao thc nh: HTTP, FTP, Gopher, WAIS. Mt proxy cng c th ch h tr mt giao thc nh HTTP nhng iu tht bt tin khi bn c nhu cu kt ni n FTP trong qu trnh bn duyt Web
4.5 HTTP proxy:

Khi proxy server ng vai tr client, n hot ng nh mt trnh duyt nhn cc resource. Mt v d v qu trnh trao i thng tin: o Khi bn g: http://abc.com/class/th01.htm o Trnh duyt chuyn URL ny thnh: GET http://abc.com/class/th01.htm o Yu cu ny c a n cho proxy server. Proxy server s da vo URL tch ly phn abc.com kt ni n remote server, sau chuyn URL thnh: GET /class/th01.com , chuyn lnh n server ri i phn hi nh hnh bn di.
- Trang 61 -
GVHD: ThS Hong Cng
Hnh 20 Truy xut thng tin thng qua HTTP proxy
4.6 FTP proxy:
Hnh 21 Truy xut thng tin thng qua FTP proxy
Hnh trn cho thy qu trnh mt yu cu FTP thng qua proxy. Proxy server thng qua URL bit c y l mt yu cu FTP, do n s thc hin mt kt ni FTP n server xa. Proxy server to mt kt ni v truy vn file n FTP xa, ly file v ri gi tr li cho client.
- Trang 62 -
GVHD: ThS Hong Cng
4.7 Tin li v bt tin khi cache cc trang Web:

Caching c ngha l lu tr ti liu trn my cc b, v vy m cc user khng phi kt ni n server ly cc file v. Khi mt trnh duyt cc b yu cu mt file no , proxy xem xt xem c c cache file li khng. Nu c, n s gi file v cho trnh duyt. Nu bn s dng tnh nng ny, bn cn phi quyt nh v: o Cc trang no cn c cache li (tn s c truy cp nhiu) o Thi gian bao lu phi cp nht li cc trang ny. Nhng thun li ca tnh nng caching: o Caching tit kim c mt lng ln thi gian cho cc user khi thng xuyn truy cp n mt trang no . Proxy server s p ng cc yu cu ny mt cch nhanh chng v ch phi truy vn n cc file c lu tr cc b o Tit kim c khng gian lu thng mng o Tit kim c khng gian a dng lu tr v tt c cc my cc b u dng chung mt file thay v cc my phi cache li trn my mnh o Vn c th cung cp nhu cu Internet mt mc no ngay c khi khng c kt ni Internet
4.8 Nhng bt cp do proxy:

Tuy proxy nh ni trn em li rt nhiu iu hu ch. Tuy nhin cc g cng c 2 mt v proxy cng khng ngoi l. Li dng tng v proxy, hng lot cc my tnh trn mng t bin mnh thnh nhng proxy server cho cc client c th truy cp vo nhng trang c ni dung xu m nh cung cp dch v ngn chn bng firewall. Vn c t ra l lm th no cho cc client truy cp Internet vn c th truy cp Internet bnh thng nhng khng th truy cp nhng trang b
- Trang 63 -
GVHD: ThS Hong Cng
chn, hay ni cch khc l cm cn ngi dng s dng proxy bn ngoi h thng.
4.9 K thut lp trnh mt HTTP Proxy c bn:

Lp trnh mt HTTP proxy cn qua cc bc sau: Lng nghe cc kt ni n proxy server Khi c kt ni n th to ra mt thread qun l kt ni ny Tip nhn v sa i li gi tin HTTP Request cho hp l. Phn tch URL, ly c phn tn trang Web v Port. VD:www.yahoo.com:8080 c tn l www.yahoo.com v port l 8080 (nu khng c gi tr port th mc nh port=8080). S dng phn tn ny phn gii a ch ly s IP. Kt ni n remote server Chuyn yu cu n server Ch i thng tin phn hi t remote server Chuyn phn gi tin ny v li cho user.
- Trang 64 -
GVHD: ThS Hong Cng
Chng 5:
Vt firewall bng Web-Based Proxy
5.1 Th no l 1 web-based anonymous proxy ?

Web-based Anonymous Proxy l 1 dng khc ca Web Proxy Server, nhng c xy dng di dng 1 trang web (tm gi l Web-based Proxy WBP) . Sau y l cc c im khc bit ca n so vi Web Proxy : D dng, thn thin vi ngi dng do c Proxy tch hp sn bn trong trang Web, ngi dng ch cn cung cp a ch trang web cn n (URL) cho WBP v bt u duyt web. Ngoi ra ngi dng khng cn phi tinh chnh cc thng s khc a ch IP ca WBP, s hiu cng,.. cho trnh duyt ca mnh, ch cn bit tn hoc IP ca WBP v link n WBP ny Khi c cc client yu cu, WBP s ly cc thng tin (Resource) t web server ch, sau xy dng li thnh 1 trang web hon chnh ri y ton b ni dung trang web hon chnh ny v cho trnh duyt ca Client. Thng th trnh duyt pha Client s nhn c trang web mnh yu cu c nh km theo phn tiu ca WBP. C kh nng chn lc cc web page components khi c yu cu. VD: quyt nh xem c cho php s dng cookies,hnh nh,javascript,ca s pop-up,... trong trang web hay khng. Do bn cht l lt web n danh thng qua 1 trang web trung gian nn cc gi tin request ca Client gn nh ging hon ton vi cc gi tin HTTP request thng thng .V vy cc phn mm lc gi tin s kh lng pht hin ra u l gi tin c vn . a ch 1 s cc WBP tham kho khc trn internet : http://www.anonymization.net http://www.anonymizer.com
- Trang 65 -
GVHD: ThS Hong Cng
http://www.stayinvisible.com http://www.proxify.com http://www.silentsuft.com
5.2 Cch thc hot ng ca 1 WBP :

Mi khi nhn c yu cu request t pha Client,WBP s : Phn tch URL tin hnh tip nhn cc resource tng ng (links,hnh nh,flash,) t trang web c client yu cu Sau khi nhn xong,WBP s cp nht li cc URLs ca trang HTML c yu cu sao cho ph hp. WBP s tin hnh sng lc cc thnh phn (web page components) da theo yu cu Client v y ton b trang HTML c xy dng li ny v pha Client Pha trnh duyt Client ang lng nghe phn hi t pha WBP nn khi nhn c phn hi, trnh duyt s th hin trang web cho ngi dng.
- Trang 66 -
GVHD: ThS Hong Cng
5.3 Gii thiu v trang Web Based Proxy: 5.3.1

Giao din:
Hnh 22 Giao din chnh ca Web Base Proxy
Trang web c giao din n gin. Pha trn c mt thanh textbox, cho php user nhp a ch trang web mun n Pha di l cc option cho php user la chn Cui cng l 2 nt, cho php ngi dng kch hot cho trang web chy v nt reset li default.
5.3.2
Chc nng: Cho php ngi dng nhp vo mt a ch dng url. Ngi dng ch cn nhp a ch, bm Enter, trang web s ti ni dung m ngi dng mun. Cho php s dng cc option, trong o Include a mini URL form: thm mt phn ca Web base Proxy vo u trang
- Trang 67 -
GVHD: ThS Hong Cng
Hnh 23 Mini form trn mi u trang
o Remove all scripts: Loi b tt c cc script o Accept HTTP cookies: cho php s dng cookies ci thin tc o Show images: Ti ni dung trang web v trong c c hnh (ly lun hnh, khng loi b) o For future: dnh cho tng li o New window: cho php browse trong mt ca s mi.
- Trang 68 -
GVHD: ThS Hong Cng
5.3.3
Thut ton:
5.3.3.1 Gii thiu m hnh hot ng:

Khi ng trang web
Khng Kim tra cookies Load trang web default
Load trang da theo cookies
Nhp thng tin
Khng hp l Kim tra hp l url Hp l Chnh sa url
Nu tht bi: thng bo li
Duyt trang web theo yu cu
Kim tra cc option
Nu thnh cng
Chnh sa theo option
Gi kt qu cho client
Hnh 24 S hot ng ca 1 trang Web-Based Proxy
- Trang 69 -
GVHD: ThS Hong Cng
5.3.3.2 Din gii m hnh: Khi ng trang web: Bao gm vic load cc form, cc mc, giao din trang web Kim tra cookies:Kim tra xem trn my hin c s dng cookies ca trang hay khng Load trang web default:Nu kim tra cookies khng c, trnh duyt s load trang mc nh, tc l url s trng, cc option mc nh s c check Load trang da theo cookies:Nu kim tra cookies c, th s load theo cookies, bao gm cc url c s dng, cc trng thi ca cc option. Nhp thng tin:Client nhp cc thng tin nh url ca trang web cn n, check hay b check cc option ty theo ngi dng. Kim tra hp l url:Kim tra v hnh thc nhp nh c thiu http hay khng, c thiu www hay khng, nu thiu s t ng add thm vo cho hp l. Kim tra cc option:Kim tra cc option xem option no c check, option no khng c check thc hin ng theo yu cu ca client. Duyt trang web theo yu cu:Gi yu cu n webserver tng ng: phn gii tn min, gi yu cu http n server Tht bi, thng bo li:Nu khng c trang web, a ch sai do ngi dng nh sai hay bt c nguyn nhn no lm cho vic gi http request khng c p ng th u thng bo li Thnh cng, chnh sa theo option:Nu thnh cng th s chnh sa li trang: da theo cc option, xem c phi add thm phn ph
- Trang 70 -
GVHD: ThS Hong Cng
vo u trang hay khng, ly hay loi b hnh nh, ly hay loi b cc script(cc mc ny c thc hin khi gi http request). Gi kt qu cho client:Gi kt qu cui cng n cho client l mt trang web c tinh chnh li, c chnh sa li cho ph hp. 5.3.3.3 Din gii mt s hm quan trng : Hm submit_form():Gi yu cu n server File url_form.inc:Phn header ca trang gi cho client. File style:Cha cc thng tin v giao din: mu sc, kch thc Hm set_response(): cu trc ha li trang web Hm set_url(): Kim tra v tinh chnh url li cho hp l Hm open_socket():M sock Hm encode_url(): M ha url Hm decode_url(): Gi m url Hm set_flags(): Set cc option Hm set_cookies(): Ghi vo cookies Hm get_cookies(): Ly cc thng tin t cookies Hm delete_cookies(): Xa cookies Hm include_form(): thm form ca web-base proxy vo phn u ca trang (ty thuc vo option c c check) Hm remove_scripts(): loi b cc script (ty thuc vo option c c check) Hm send_response_headers(): gi phn header cho client Hm return_response():Gi cc phn cn li cho client.
Hm remove_images():Loi b cc hnh nh ra khi trang (ty thuc vo option c c check)
- Trang 71 -
GVHD: ThS Hong Cng
PHN TH BA
MODULE CHNG VT FIREWALL

Ni dung :
Do mc ch ca lun vn l nghin cu cc phng php lp trnh vt firewall nhm tm hiu cc cch thc m ngi dng c th s dng vt qua firewal. T m rng ra xy dng cc module chng vt firewall. Sau thi gian tm hiu, chng em xy dng c 2 module ng dng trn Windows nhm ngn chn ngi dng vt firewall bng 2 phng php trnh by bn trn : Module ng dng tch hp vo trnh duyt Internet Explorer, nhm pht hin v ngn chn ngi dng vt firewall thng qua Web based Proxy. Module hot ng da trn vic phn tch cch thc hot ng ca cc trang Web-Based Proxy v a ra 3 chnh sch hnh thnh b lc cho Module. Khi ngi dng duyt bt k 1 trang web no, b lc ca module s tin hnh kim tra da trn cc chnh sch c quy nh sn, nu vi phm bt k chnh sch no, trang web s b chn li v lu thng tin (a ch) vo c s d liu ca module. Module ng dng di dng 1 service trong h thng, nhm pht hin v ngn chn ngi dng vt firewall thng qua 1 HTTP Proxy server. Module bao gm 2 phn chnh: Lc gi tin v chn gi tin. Module hot ng da trn vic lc v kim tra ni dung cc gi tin HTTP. Theo ti liu RFC v HTTP, cc gi tin HTTP request thng qua 1 HTTP Proxy Server s c ni dung khc vi cc gi tin HTTP Request thng thng. Da trn c im ny, module s xy dng chnh sch lc v kim tra cc gi tin gi i trn Mng. Khi 1 gi tin no vi phm, a ch ch ca gi tin (trng hp ny chnh l a ch IP ca HTTP Proxy Server) s c a vo b lc v lu vo c s d liu.
- Trang 72 -
GVHD: ThS Hong Cng
Chng 6:
Plug-in chng vt firewall cho trnh duyt Internet Explorer
Chng ny chng em xin php c trnh by v module th nht: Plug-in chng vt firewall cho trnh duyt Internet Explorer
6.1 Gii thiu s lc :

Plugin l 1 ng dng c vit tch hp trong trnh duyt web Internet Explorer, c nhim v kim sot ngi dng khi duyt web. Nu pht hin ngi dng c nh mun vt qua firewall thng qua 1 trang Web Based Proxy no , plugin s tin hnh ngn chn v lu thng tin v trang web ny (a ch trang web) vo c s d liu lm c s lc v sau. ng dng c vit trn mi trng Visual C 6.0 di dng ATL, chy tt trn cc phin bn trnh duyt IE5 tr ln v cc phin bn t Windows 2000 tr ln. Do nhu cu lu tr thng tin v danh sch cc Proxy Server, Web-based proxy lm c s cho b lc nn cc thng tin ny c module lu tr vo c s d liu Microsoft Access. Giao din chnh ca plugin
Hnh 25 Giao din chnh ca plug-in
- Trang 73 -
GVHD: ThS Hong Cng
Hnh 26 Trang thng bo mi khi ngi dng duyt nhng trang web vi phm
6.2 Cc tnh nng chnh: 6.2.1

Lc cc trang web da trn vic duyt danh sch cc trang web c sn trong c s d liu: Nu ngi dng c nh mun duyt 1 trang web c a ch c lu trong c s d liu, plugin s hin ra trang thng bo ngi dng b cm.
6.2.2
Lc cc trang web da trn c ch kim tra a ch (URL): Khi ngi dng duyt n 1 trang web mi, nu trang web ny c th
gip ngi dng qua mt c firewall (hay cn gi l vi phm), plugin s hin ra trang thng bo cho ngi dng v lu li a ch trang web ny vo c s d liu. Do i a s cc trang Web-based Proxy khi hot ng th th hin a ch ca mnh di dng http://domain_name ca WebProxy/a ch tht ca trang web mun duyt nn da vo c ch ny, ta c th xc nh cc a ch
- Trang 74 -
GVHD: ThS Hong Cng
V d: gi s trang web www.abc.com l 1 trang vi phm Khi ngi dng thng qua trang ny lt vo nhng trang mnh mun n www.yahoo.com th kt qu URL ca trang ny s th hin nh sau: http://www.webproxy.com/www.yahoo.com hay ..... Ta c th d dng tch a ch trn ra lm 2 a ch ring bit. Nu gp nhng a ch qu r rng nh th ny th b lc chc chn s pht hin ra c v lu a ch mi ny vo c s d liu cho nhng ln duyt tip theo. http://www.webproxy.com?url=www.yahoo.com
6.2.3
Lc da trn ni dung ca cc Input Form trong trang web: Trong trng hp cc trang tin hnh m ha a ch hay thm ch
khng th hin a ch ra trnh duyt th sao ??? Lc ny chc nng th 3 ca b lc li tr nn hu ch. y l 1 chc nng b sung cho trng hp 2 nu trn. Khi ngi dng truy cp vo cc trang Web-Proxy truy cp vo cc trang web khc th gn nh lun lun phi nhp a ch trang web mnh mun n vo 1 textbox, sau tin hnh submit cho webserver x l. VD: 1 trang web-based proxy thng c cch trnh by nh sau
Hnh 27 Cch trnh by thng thng ca mt trang web base proxy
- Trang 75 -
GVHD: ThS Hong Cng
C th thy c khi ngi dng g y tn trang web v click vo nt Go.Trang web s submit ni dung text field va c nhp (http://www.google.com) ln cho server v server tin hnh duyt Da trn hnh ng ny, b lc s tin hnh lc cc Input tag ca trang web v kim tra xem c Input tag no vi phm hay khng. Nu vi phm tc l gn nh ngi dng ang c nh mun submit 1 URL n cho server v mun truy cp n trang ny.
6.2.4
Cp nht cc trang web based proxy: Cho php ngi dng c thm quyn c cp nht (thm xa) danh
sch cc trang web based proxy trong c s d liu.
6.2.5
plugin.
V hiu ha/kch hot plugin: Cho php ngi dng c thm quyn c v hiu ha/kch hot
6.3 Mt s vn cn lu khi vit plugin cho trnh duyt IE : 6.3.1

Khi nim Browser Helper Objects (BHO): Browser Helper Objects (BHO), tm dch l i tng tr gip cho trnh duyt, l 1 khi nim do Microsoft a ra. y l 1 dng ng dng c pht trin da trn mi trng COM (Component Object Model). Dng i ca i tng ny gn lin vi dng i ca trnh duyt Internet Explorer, tc l khi khi ng s s dng chung vng nh cng vi trnh duyt web Internet Explorer v ch c hy khi trnh duyt b ng. Khi chy, i tng s c th tng tc vi tt c mi thnh phn cng nh i tng khc ca trnh duyt (v d: ca s, toolbar, textfield,),c th nhn c cc thng ip, s kin do trnh duyt pht ra nh cc s kin tr v trang trc (GoBack), trang sau
- Trang 76 -
GVHD: ThS Hong Cng
(GoForward), hay s kin Download thnh cng (DocumentComplete), Cc BHO khi c khi to th trc ht phi tri qua qu trnh ng k vo Registry cho h thng thng qua gi tr ca CLSID. Gi tr ny ng vai tr nh 1 gi tr nh danh (Identifier) cho duy nht BHO. Hnh di y minh ha qu trnh trnh duyt khi ng v np cc BHO vo b nh x l:
Hnh 28 Qu trnh trnh duyt khi ng v np cc BHO
Qu trnh hot ng nh sau : Khi ng trnh duyt. Trnh duyt s tm trong Registry cc gi tr CLSID ca cc BHO tng ng v load cc module ng dng ca cc BHO ny vo b nh Mi BHO c khi to s c 1 Interface (tm dch l i tng giao tip) ring bit. Khi tm thy cc Interface ny ca BHO, trnh duyt s chuyn con tr tr n Interface ca chnh mnh (Interface IUnkown) cho cc BHO. Chnh vic chuyn IUnkown cho cc BHO m cc BHO ny mi c th can thip c vo cc i tng cng nh cc s kin ca trnh duyt.
- Trang 77 -
GVHD: ThS Hong Cng
6.3.2
-
Mt s hm x l quan trng: HRESULT SetSite(IUnknown* pUnkSite) l nhn con tr i tng IUnkown v 1 s i tng quan trng khc (IWebBrowser2, IConnectionPointContainer) t trnh duyt v lu li x l.
y chnh l hm khi to i tng BHO. Nhim v chnh ca hm ny
HRESULT Connect(void) l trc khi gi tr li cho trnh duyt.
Bo cho trnh duyt bit rng BHO c nh mun bt cc s kin v x HRESULT Invoke() tng ng. HRESULT Disconnect(void) bo chm dt vic x l cc s kin cho trnh duyt Cc hm x l s kin: Ty theo loi s kin m BHO s c cc x l tng ng, cc s kin c x l trong Module ny ln lt l: DISPID_BEFORENAVIGATE2: S kin chun b duyt n 1 trang web khc trang hin hnh. DISPID_ONQUIT : S kin ng trnh duyt Ni thm v vic ng k BHO vo registry cho trnh duyt Visual C++ 6.0 s t to cc dng lnh khi to cc thng s cho ng dng trong regsitry trong tp tin c ui l rgs. Tuy nhin cc dng lnh ng k ng dng vo Registry th ngi dng phi t thm vo. Ni dung cn thm vo nh sau : Mc d khi to 1 ng dng dng COM Plugin cho Internet Explorer, Khi i tng b hy hay ch ng kt thc, cn gi s kin ny thng
Bt cc s kin do trnh duyt pht ra v chuyn n hm x l s kin
- Trang 78 -
GVHD: ThS Hong Cng
HKLM{SOFTWARE{Microsoft{ Windows {CurrentVersion {Explorer{'Browser Helper Objects'{ForceRemove {S ID c VC to sn} = s 'Tn i tng BHO mun th hin'}}}}}}}
6.4 Chi tit lu tr d liu : 6.4.1

URL Bng Forbidden Kiu Text Bng Trusted Kiu Text Ch thch a ch trang web tin cy Ch thch a ch trang web based proxy b cm
Tn trng
6.4.2
Tn trng URL
6.5 Thut ton chnh ca ng dng : 6.5.1

M hnh hot ng ca Plugin :
- Trang 79 -
GVHD: ThS Hong Cng
Trnh duyt IE Pht 3 s kin
Khi ng 1
Plugin 2 Khi ng
chuyn 8 chuyn 4
Hm x l s kin 5 y l s kin BeforeNavigate

ng
Sai
7 Trang thng bo Trang web ny tin cy ?

Khng
ng
Vi phm 6 Lu vo CSDL Vi phm
B lc 1
Khng vi phm
B lc 2
Khng vi phm
Vi phm
B lc 3
Khng vi phm
Hnh 29 M hnh hot ng ca Plugin
- Trang 80 -
GVHD: ThS Hong Cng
6.5.2
-
Din gii m hnh :
BeforeNavigate: S kin do trnh duyt pht ra khi ngi dng chun b duyt n 1 trang web mi no (khc vi trang hin hnh). V d: Khi click chut vo 1 link, 1 nt trn trang web v chuyn sang 1 trang web mi, khi g a ch vo thanh address bar chun b duyt,
B lc 1: Nhn vo a ch trang web khng ng tin cy v tin hnh kim tra. B lc s truy xut vo c s d liu duyt xem trang web ny c nm sn trong danh sch cc trang b cm hay khng. Nu c th b lc s lu a ch ny vo c s d liu v chuyn hng n trang thng bo cm cho ngi dng. Nu khng th s chuyn n b lc tip theo.
B lc 2: Nhn vo a ch trang web khng ng tin cy v tin hnh kim tra. Nu a ch ny cha thm 1 a ch trang web khc th c xem nh vi phm ( trnh by trn). B lc s lu a ch vi phm ny vo c s d liu.
B lc 3: Nhn vo con tr i tng IWebBrowser2 x l. Con tr ny i din cho trang web hin hnh cn kim tra. Da vo con tr i tng ny, ta c th ly c ton b ni dung trang web (cc th HTML, cc script,.). Nh trnh by trn, b lc 3 hot ng da trn vic kim tra ni dung cc INPUT FIELD ca trang web. Do b lc ch ch trng n vic lc cc th INPUT ca trang HTML. 1 trang web c b lc xem l 1 trang Web Based Proxy khi v ch khi n cha khng qu 4 th INPUT dng text, v t nht 1 trong cc th Input ny c ni dung l a ch 1 trang web no . Nu trang web no tha iu kin nu trn th s c xem l vi phm v lu li vo c s d liu.
- Trang 81 -
GVHD: ThS Hong Cng
6.6 Nhng u im v hn ch:

Plugin p dng 1 s thut gii Heuristic nhm pht hin cc trang Web-proxy mi hoc cha c trong c s d liu, khin b lc thng minh hn do c kh nng t hc cc a ch trang web mi mun qua mt Firewall. Khi chy th cc trang web-proxy mi, b lc hot ng kh hiu qu v chnh xc. a s cc thut gii ny c xy dng da trn vic quan st qu trnh vn hnh ca cc trang Web-based Proxy v tm ra nhng im chung c trng v khc bit so vi cc trang web khc lm c ch hot ng cho b lc. Do thut gii khng m bo tnh chnh xc 100% nn c 1 s trng hp thiu st hay thm ch sai st ngoi mun. a s nhng sai st u ri vo trng hp khi ngi dng s dng search engine (nh google,yahoo,) tin hnh tm kim 1 a ch no trn internet. Trong nhng trng hp ny, plugin s t cho rng cc trang web tm kim ny l cc Web-Based Proxy v tin hnh ngn chn. Li trn c th khc phc c bng cch thm vo danh sch cc trang web tin cy v buc b lc kim tra cc trang web tin cy ny trc khi lc. Tuy nhin cch ny cng khng th khc phc hon ton. Qu trnh hot ng ca Plugin ph thuc kh nhiu vo s tn ti ca tp tin c s d liu lu tr cc trang Web-Based Proxy. Nn khi tp tin trn khng tn ti hay b li, tnh nng lc ca Plugin chc chn khng th hot ng chnh xc c. Trong qu trnh chy th v kim li, chng em c gng sa cha hu ht cc sai st ny.Chng em xin c gng pht trin thm b lc ngy cng hon thin hn.
- Trang 82 -
GVHD: ThS Hong Cng
Chng 7:
SERVICE CHNG VT FIREWALL
Chng ny chng em xin php c trnh by v module th hai: Service chng vt firewall cho h iu hnh Windows.
7.1 Gii thiu s lc :

Service chng vt Firewall l 1 ng dng c vit da trn m hnh Service truyn thng ca Windows. Service l 1 ng dng chy nn trong h thng, hon ton tun th theo cc yu cu v tnh nng bo mt do Windows quy nh (Ch c ngi ch Service trng hp module ny l admin h thng mi c quyn tt/m/xa serive m thi). Service chu trch nhim lc v bt cc gi tin gi ra mng ngoi (Internet) nhm pht hin v ngn chn cc gi tin gi n cc HTTP Proxy Server v lu li a ch cc HTTP Proxy Server ny lm c s hot ng cho b lc. Service bao gm 2 module nh: module bt gi tin v module chn a ch IP.
7.2 Cc tnh nng chnh ca module:

Theo nh gii thiu, module ny c chia ra lm 2 module nh ring bit, h tr nhau trong qu trnh Service hot ng: l module bt gi tin v module chn a ch IP. Module bt gi tin: module c vit da trn th vin Winsock2.0 ca Windows, nhim v bt cc gi tin lu thng ra/vo card mng ca h thng. Module chn a ch IP: module c vit da trn m hnh Filter-Hook Driver c Microsoft gii thiu trong ti liu Windows 2000 DDK. ng dng vit da trn m hnh ny c th lc cc gi tin ra vo card mng ca h thng (theo ti Windows 2000 DDK). Theo ti liu RFC v HTTP Protocol, cc gi tin gi n HTTP Proxy Server u c im c trng ring so vi cc gi tin khc. Service da vo c im ny lm c s hot ng cho b lc ca mnh.
- Trang 83 -
GVHD: ThS Hong Cng
7.3 Module bt gi tin :

Module chu trch nhim bt v kim tra ni dung gi tin ra/vo card mng.
7.3.1
c im ca gi tin HTTP request n HTTP Proxy Server: Theo ti liu RFC v HTTP Protocol, gi tin HTTP request n Proxy
server s c nh dng nh sau :
Hnh 30 nh dng ca gi tin gi n proxy server
Trong hnh minh ha trn, ta thy ni dung 1 gi tin HTTP Request (cu lnh HTTP y chnh l lnh GET) c b sung thm trng ProxyConnection: Keep-Alive. y chnh l c im mu cht phn bit gi tin HTTP Request n 1 Proxy Server so vi cc gi tin thng thng khc.
7.3.2
-
Tm tt cc bc cn lu khi xy dng module; Khi to cc thng tin cn thit (a ch,port,..) cho 1 SOCK_RAW Socket. Chuyn ch hot ng ca Socket sang ch SIO_RCVALL (bt tt c cc gi tin ra/vo h thng). Bt u nhn v x l gi tin. Lu : Do mc tiu ra ban u ca module l bt v x l cc gi tin HTTP (TCP) nn cn phi g b cc Header ca gi tin nhn c (y l cc gi IP) ri mi bt u x l.
Tham kho thm ti liu v cu trc gi tin TCP/IP v HTTP Protocol trong qu trnh x l cc gi TCP.
- Trang 84 -
GVHD: ThS Hong Cng
7.3.3
-
Chi tit cc i tng, hm x l chnh ca module : socket(AF_INET, SOCK_RAW, IPPROTO_IP) Hm to Socket. Lu phi khi to socket dng SOCK_RAW th mi c th bt c gi tin tng IP.
WSAIoctl(SOCKET s,DWORD dwIoControlCode, , , , , , ,) Hm thit lp ch hot ng cho socket. Ch cn lu n 2 tham s u tin: SOCKET cn thit lp v ch hot ng. y dwIoControlCode phi bng SIO_RCVALL th module mi c th bt c cc gi tin ra/vo card mng
Mt s hm lin quan khc: recv, WSAStartup,
7.4 Module chn a ch IP:

Module chu trch nhim lc v chn cc gi tin ra/vo card mng da trn a ch IP. Module c xy dng da trn m hnh Filter-Hook Driver ca Windows 2000 DDK.
7.4.1
Gii thiu v Filter-Hook Driver : Filter-Hook Driver l khi nim c Microsoft a ra trong ti liu v
Windows 2000 DDK. y l Driver m rng cc tnh nng ca IP Filter Driver (C sn trong h diu hnh Windows 2000 tr v sau). Thc cht Filter-Hook Driver khng phi l 1 trnh iu khin dnh cho mi trng mng, n c xem nh 1 trnh iu khin dnh cho nhn ca h thng (Kernel Mode Driver). Bn trong trnh iu khin ny, chng ta ch cn nh ngha 1 hm CALLBACK (1 dng hm bt s kin) v ng k hm CALLBACK ny cho trnh iu khin b lc a ch IP ca h thng (IP Filter
- Trang 85 -
GVHD: ThS Hong Cng
Driver). Khi ng k thnh cng, b lc a ch s gi li hm CALLBACK khi 1 gi tin c gi ra hay nhn vo h thng x l.
7.4.2
-
Tm tt cc bc xy dng Filter-Hook Driver bt gi tin: Khi to Filter-Hook Driver. Cung cp tn v cc thng s c bn cho Driver nh sau:
LoadDriver("IpFilterDriver","System32\\Drivers\\IpFltDrv.sys", null, true)
Ly con tr a ch ca Ip Filter Driver khi to bc 1 khi to v ng k hm CALLBACK. Khi to v ng k hm CALLBACK bng cch gi con tr hm CALLBACK nh ngha sn cho IP Filter Driver. Bt u lc gi tin. Gi hm StartFilter. Khi mun kt thc, khng lc gi tin na th ta phi g b thng tin ng k khi IP Filter Driver. Lc ny, ta ch cn ng k li vi Driver vi con tr hm CALLBACK l Null.
7.5 Chi tit lu tr d liu : 7.5.1

Bng ForbiddenProxy Kiu Text Ch thch a ch IP ca proxy b cm (do service lu li c trong qu trnh hot ng)
Tn trng ProxyIP
7.5.2
Tn
Bng TrustedProxy: Kiu Ch thch
trn g
- Trang 86 -
GVHD: ThS Hong Cng
ProxyIP
Text
a ch IP ca cc Proxy server tin cy (thng l a ch Proxy Server trong mng LAN)
7.6 S hot ng ca Module chn a ch IP :

Khi ng 1 Card mng 4 Module bt gi tin 6 5 Pht/Nhn Module chn IP 3 Bt u lc Request n Proxy Server?
Hnh 31 S hot ng ca module chn a ch IP
Service
Khi ng 2
Gi tin IP
8 Thm IP vo b lc
7.7 Din gii m hnh :

Khi khi ng, service s kch hot 2 module con l module bt gi tin v module chn a ch IP tng ng. Module chn a ch IP khi c khi ng s truy xut vo c s d liu v thm cc a ch IP ca cc Proxy Server b cm sn vo b lc IP Filter Driver v bt u lc a ch. Khi Card mng nhn/pht cc gi tin, module bt gi tin s nhn cc gi tin ny v tin hnh phn tch. Module s kim tra
- Trang 87 -
GVHD: ThS Hong Cng
xem cc gi tin ny c phi l gi tin HTTP Request n Proxy Server hay khng. Nu phi th a ch IP ca Proxy Server s c truyn tip cho Module lc a ch IP x l. a ch mi ny s c thm vo b lc a ch v lu vo c s d liu.
7.8 Nhn xt nh gi : 7.8.1

u im: Do yu cu t ra ban u ca Module l tm cch chn phng php vt Firewall thng qua HTTP Proxy Server, nn chng em c gng pht trin module di dng 1 ng dng Mini Firewall. Trong sut qu trnh nghin cu v tm hiu, chng em thng nht chn m hnh Service ng dng trn Windows lm c s xy dng v trin khai Module. u im ca m hnh ny l n k tha c nhng yu cu v tnh an ton v bo mt do chnh h iu hnh qui nh. Khi khi ng vo mi trng Windows, cc Services h thng cng nh ca ngi dng s ln lt c np v chy nn trn h thng, ch duy nht ngi qun tr hay ch Service mi c quyn tt/m/xa service. Module nhng hn chc nng iu khin Service cho h iu hnh, nn Module ng dng ch tp trung vo hai tnh nng chnh l bt gi tin v lc a ch IP. Trong qu trnh chy th nghim, module c th hot ng tt trn cc loi CARD mng, MODEM trn Windows. Do cc module con ca ng dng c vit hon ton da trn mi trng Winsock ca Windows (b th vin dng pht trin ng dng mng TCP/IP trn mi trng Windows), nn bo m tnh tng thch rt cao. Do h tr tnh nng bt gi tin, Module c th pht hin v hc c cc a ch Proxy Server mi (cha c trong c s d liu). Sau lu li cc a ch ny lm c s cho b lc hot ng
- Trang 88 -
GVHD: ThS Hong Cng
7.8.2
Khuyt im: Trong qu trnh chy th nghim, module chn c gn nh hu ht
cc a ch HTTP Proxy Server. Tuy nhin i vi cc Proxy Server mi (cha c trong c s d liu), b lc phi hc c a ch mi ny th mi ngn chn c. Do trong phin lm vic u tin, b lc vn cha chn c cc a ch mi ny. i vi nhng phin lm vic sau th b lc m bo chy tt. Trong qu trnh th nghim, vic b lc hc c qu nhiu a ch mi v lu vo c s d liu tn kh nhiu ti nguyn h thng (CPU,RAM) nn Service chy chm hn (i lc Serive c th b treo). ng tic l n lc ny chng em vn cha khc phc c vn ny Qu trnh hot ng ca Service ph thuc kh nhiu vo s tn ti ca tp tin c s d liu lu tr cc Proxy Server. Nn khi tp tin trn khng tn ti hay b li, tnh nng lc ca Service chc chn khng th hot ng chnh xc c.
- Trang 89 -
GVHD: ThS Hong Cng
PHN TH 4
TNG KT
Chng 8:
KT LUN
Sau hn su thng lm lun vn, t nhiu chng em cng tm hiu tng i thnh cng cc phng php lp trnh vt firewall cng nh nhng chng trnh km theo: Http proxy, Web based Proxy, Plug-in chng vt firewall, service chng vt firewall. Qua nhng g tm hiu c, chng em cm thy vn cn nhiu iu phi lm c th hon thin hn chng trnh cng nh cn c s hng dn nhiu hn na ca cc thy c, bn b Kt qu cui cng l kt qu ca nhng thng ngy c gng, n lc ca bn thn, s gip ca gia nh, nh trng, bn b v c bit l s hng dn tn tnh ca thy Hong Cng chng em c th hon tt mt cch tt p lun vn so vi nhng g t ra. Cui cng, mt ln na, chng em xin cm n tt c gip chng em c th hon thnh tt kha lun ny. Xin chn thnh cm n.
8.1 Nhng kt qu t c:
Theo yu cu t ra ban u l Nghin cu cc phng php lp trnh vt firewall. T lm c s xy dng cc module chng vt Firewall v bo mt Web, cho n thi im hin ti lun vn t c cc ni dung sau: Phn yu cu: Tm hiu v trin khai thnh cng 2 phng php: HTTP Proxy Server v Web-based Proxy. Phn m rng: Tm hiu v trin khai thnh cng 2 module chng vt Firewall: Plugin chng vt Firewall dnh cho trnh duyt Internet Explorer v Service chng vt Firewall trn h iu hnh Windows. Ngoi ra, trong qu trnh nghin cu v hon thnh ti, chng em tip thu thm c mt s kt qu sau:
- Trang 90 -
GVHD: ThS Hong Cng
Tm hiu su thm v cc phng php lp trnh ng dng mng da trn b th vin Winsock ca Windows. Tm hiu c phng php xy dng v trin khai Service ng dng trn Windows Tm hiu cch xy dng v trin khai ng dng Plugin cho trnh duyt Internet Explorer. c hiu c cch xy dng v pht trin ng dng da trn mi trng COM (Component Object Model). Ngy nay, Internet ngy cng pht trin mnh m, l ngun ti nguyn bao la v tn, nn nhu cu s dng Internet tm kim thng tin cng nh giao dch, thng mi l iu tt yu. Yu cu an ton v bo mt thng tin (ty theo mc ch ca c nhn hay doanh nghip) lm ny sinh thm vn kh au u cho cc nh qun tr mng l: Kim sot v qun l qu trnh s dng Internet ca ngi dng. Vi vic nghin cu v a ra c cc gii php kh thi v yu cu m rng ca ti: Xy dng cc module chng vt Firewall, chng em thit ngh c th ng gp 1 phn vo vic gii quyt vn nan gii trn.
8.2 Hng pht trin :

Trong qu trnh nghin cu v tm hiu v ti, chng em thng nht v xut ra c 3 phng php ch yu vt Firewall: HTTP Proxy Server, Web Based Proxy v HTTP Tunneling. Tt c 3 phng php trn u c pht trin da trn m hnh ng dng mng Client-Server truyn thng. Trong 3 phng php nu trn th phng php th 3: HTTP Tunneling l phng php cao cp v kh pht hin nht. Qu trnh nghin cu v trin khai phng php ny cng tn kh nhiu thi gian v cng sc. Mc d chng em rt c gng trin khai, tng trn vn cha mang tnh kh thi cao v c th p dng c vo thc t. Sau y chng em xin
- Trang 91 -
GVHD: ThS Hong Cng
ra 1 s hng pht trin v sau nhm m rng thm ngha khoa hc cng nh thc tin ca ti: Ci thin vn tc truy xut b lc cho module th 2: Service chng vt Firewall. Nghin cu tip phng php http tunneling Trin khai ng dng minh ha cho phng php http tunneling Hon thin hn na Plug-in v Service t hiu qu ti u Trin khai thnh cng module chng vt Firewall bng phng php HTTP Tunneling Trin khai ti thnh sn phm hon chnh p dng vo thc tin.
- Trang 92 -
GVHD: ThS Hong Cng
PHN TH 5
PH LC
DANH SCH CC TI LIU THAM KHO - Website:
http://www.microsoft.com http://www.quantrimang.com http://www.codeproject.com http://www.sourceforge.net http://www.experts-exchange.com http://www.webopedia.com http://www.nyu.edu http://www.learnthat.com http://www.stayinvisible.com http://www.proxify.com http://www.silentsurf.net http://www.adminvietnam.net http://www.anonimizer.com http://www.tcpipguide.com http://www.vnsecurity.net Danh sch cc ti liu, sch, gio trnh tham kho Ti liu in t MSDN ca Microsoft. Anthony Jones v Jim Ohlund, Network Programming for Microsoft Windows, 1999 (ebooks) O'Reilly, Learning PHP 5,June-2004 Addision Wesley, The C++ Programming Language,June-97
- Trang 93 -
GVHD: ThS Hong Cng
Wrox Press,Beginning PHP 4,2001 Sams Publishing ,Teach Yourself PHP, MySQL and Apache in 24h,12-2002 Addision Wesley,C/C++ Network Programming I & II,10-2001
- Trang 94 -

Các Phương Pháp Lập Trình Vượt Firewall

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Các Phương Pháp Lập Trình Vượt Firewall

Uploaded by

Copyright:

Available Formats

TRNG I HC KHOA HC T NHIN KHOA CNG NGH THNG TIN B MN MNG MY TNH & VIN THNG

PHAN TRUNG HIU - TRN L QUN

CC PHNG PHP LP TRNH VT FIREWALL

KHA LUN C NHN TIN HC

NIN KHA 2001 - 2005

Lun vn tt nghip Mng my tnh

GVHD: ThS Hong Cng

PHAN TRUNG HIU TRN L QUN

CC PHNG PHP LP TRNH VT FIREWALL

KHA LUN C NHN TIN HC

GIO VIN HNG DN Th.S HONG CNG

NIN KHA 2001 2005

Phan Trung Hiu Mssv: 0112463

Trn L Qun Mssv:0112319

Lun vn tt nghip Mng my tnh

GVHD: ThS Hong Cng

LI NHN XT CA GIO VIN HNG DN

Phan Trung Hiu Mssv: 0112463

Trn L Qun Mssv:0112319

Lun vn tt nghip Mng my tnh

GVHD: ThS Hong Cng

LI NHN XT CA GIO VIN PHN BIN

Phan Trung Hiu Mssv: 0112463

Trn L Qun Mssv:0112319

Lun vn tt nghip Mng my tnh

GVHD: ThS Hong Cng

Phan Trung Hiu Mssv: 0112463

Trn L Qun Mssv:0112319

Lun vn tt nghip Mng my tnh

GVHD: ThS Hong Cng

Phan Trung Hiu Mssv: 0112463

Trn L Qun Mssv:0112319

Lun vn tt nghip Mng my tnh

GVHD: ThS Hong Cng

Phan Trung Hiu Mssv: 0112463

Trn L Qun Mssv:0112319

Lun vn tt nghip Mng my tnh

GVHD: ThS Hong Cng

Phan Trung Hiu Mssv: 0112463

Trn L Qun Mssv:0112319

Lun vn tt nghip Mng my tnh

GVHD: ThS Hong Cng

DANH SCH HNH

Phan Trung Hiu Mssv: 0112463

Trn L Qun Mssv:0112319

Lun vn tt nghip Mng my tnh

GVHD: ThS Hong Cng

DANH SCH BNG

Phan Trung Hiu Mssv: 0112463

Trn L Qun Mssv:0112319

Lun vn tt nghip Mng my tnh

GVHD: ThS Hong Cng

GII THIU V FIREWALL

1.2 Nhu cu bo v thng tin: 1.2.1 Nguyn nhn:

Phan Trung Hiu Mssv: 0112463

Trn L Qun Mssv:0112319

Lun vn tt nghip Mng my tnh

GVHD: ThS Hong Cng

Phan Trung Hiu Mssv: 0112463

Trn L Qun Mssv:0112319

Lun vn tt nghip Mng my tnh

GVHD: ThS Hong Cng

1.2.3 Bo v cc ti nguyn s dng trn mng: