
Firewall

OBJECTIVES
Explain the basic concepts of firewalls. Describe how packet filtering and session filtering work.

04/2011 TTMTRANG - BM MMT&VT - KHOA CNTT - ĐH KHTN TP.HCM

CONTENTS
Problem statement; Introduction to firewalls; Packet filtering; Session filtering

PROBLEM STATEMENT

[Figure: Inside Network on one side, Outside Network on the other, with the question "Control??" between them]

FIREWALL

A firewall sits between two networks.

Protects the system
Provides secure connectivity between networks (inside <> outside)
Prevents unauthorized users/programs from accessing the private network/computer
Access policy: implements the security policies

Controls data flows
From the inside network outward
From the outside into the inside network

[Figure: a firewall (software/hardware) placed between Outside Network and Inside Network; flows shown: HTTP "Allow All Destinations", Streaming Media, SMTP, DNS, Intrusion]

FIREWALL

Can:
Limit the traffic entering and leaving the network
Block invalid packets

Cannot control:
Traffic that does not pass through the firewall
Traffic moving within the inside network
Incorrect configuration

PROTECTION METHODS

Packet filtering
Each packet is inspected before it is let through the firewall: stateless

Session filtering
Decisions are based on the context of the packet: stateful

NAT
Translates local addresses into global addresses for the outside
Uses private ("fake") IPs inside; the outside sees only one IP
The outside cannot initiate access to the inside network on its own

VPN
Grants access only to trusted users/networks
Packets are encrypted on the transmission channel

Proxy service
The proxy server connects to the outside on behalf of the inside hosts
Hides the inside users
Application level: each application uses its own proxy
Circuit level: application-independent, operates only at the IP level

Virus scanning
Detects virus signatures and decides whether to block the packet

FIREWALL DESIGN
Firewalls: how many, and where to place them?

The firewall cannot control:
Traffic that does not pass through the firewall
Incorrect configuration

[Figure: Inside Network]

FIREWALL DESIGN

[Figure: Inside Network]

SCREENING ROUTER

SINGLE-HOMED BASTION HOST
If the packet filter is compromised, traffic can flow to the internal network

DUAL-HOMED BASTION HOST
No physical connection between the internal and external networks

SCREENED SUBNET
Only the screened subnet is visible to the external network; the internal network is invisible

INTERNAL FIREWALLS


PACKET FILTERING

Compares each packet against the rule database and lets valid packets through

Access Control List (ACL)
Which packets are blocked (block/deny) or permitted (permit/allow)?
Applied to each packet individually
No information is retained (stateless)
Uses the following information:
Source IP, destination IP
Source port, destination port
Protocol
TCP flags
ICMP type

PACKET FILTERING - PROCESSING FLOW

PACKET FILTERING - EXAMPLE
[Figure: Inside Network with subnets 172.29.1.0/24, 172.29.2.0/24 and host 172.29.3.3/24]

Do not allow inside hosts to access the site www.hcmus.edu.vn

PACKET FILTERING - EXAMPLE
[Figure: Inside Network (172.29.1.0/24, 172.29.2.0/24, 172.29.3.3/24) sending an HTTP request, Src: inside IP:*, Dst: 203.162.44.68:80, toward www.hcmus.edu.vn at 203.162.44.68]

Do not allow inside hosts to access the site www.hcmus.edu.vn

Action   Type      Src IP   Port   Dst IP          Port
block    Outbound  *        *      203.162.44.68   80
Allow    Outbound  *        *      *               *      (* default rule)

PACKET FILTERING - EXAMPLE
[Figure: Inside Network with subnets 172.29.1.0/24, 172.29.2.0/24 and host 172.29.3.3/24]
Do not allow inside hosts to access the site www.hcmus.edu.vn
Only allow the outside to access the web server located at host 172.29.3.3

PACKET FILTERING - EXAMPLE

Allow inbound email packets in, but only to host 172.29.3.3, and do not allow hosts from SPIGOT to send in
Inside hosts are allowed to send email out
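The two packet-filtering examples above (blocking www.hcmus.edu.vn for inside hosts, and the inbound-mail rules around host 172.29.3.3 and SPIGOT) worked as a stateless rule engine. This is an added example, not code from the original slides: the address 203.162.44.68 and the host 172.29.3.3 come from the slides, while the Packet and Rule classes, the SPIGOT placeholder network and the 198.51.100.0/24 sample addresses are assumptions constructed here.

```python
"""Stateless packet filter (ACL) simulator.

Each packet is judged on its own header fields, top-down against an ordered
rule list; the first rule whose fields all match decides. Nothing about
earlier packets is remembered, which is what "stateless" means on the slide.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" (outside -> inside) or "outbound" (inside -> outside)
    proto: str       # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "block"
    direction: str = "*"
    proto: str = "*"
    src: str = "*"         # "*", a single address, or a CIDR network
    src_port: str = "*"    # "*" or a port number written as a string
    dst: str = "*"
    dst_port: str = "*"

    def matches(self, pkt):
        return (match_field(self.direction, pkt.direction)
                and match_field(self.proto, pkt.proto)
                and match_addr(self.src, pkt.src_ip)
                and match_field(self.src_port, pkt.src_port)
                and match_addr(self.dst, pkt.dst_ip)
                and match_field(self.dst_port, pkt.dst_port))


def match_field(pattern, value):
    """'*' matches anything; otherwise compare as strings."""
    return pattern == "*" or str(pattern) == str(value)


def match_addr(pattern, addr):
    """'*' matches anything; otherwise addr must fall inside the host/network."""
    return pattern == "*" or ip_address(addr) in ip_network(pattern, strict=False)


def filter_packet(rules, pkt):
    """First matching rule wins. The rule list must end with a catch-all default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    raise ValueError("rule list has no default rule")


# Slide example: inside hosts must not reach www.hcmus.edu.vn (203.162.44.68
# per the slide); everything else outbound is allowed by the default rule.
# The final catch-all for inbound traffic is added here so filter_packet
# never runs off the end of the list.
WEB_BLOCK_RULES = [
    Rule("block", direction="outbound", dst="203.162.44.68", dst_port="80"),
    Rule("allow", direction="outbound"),   # the slide's default rule
    Rule("block"),
]

# Slide example: inbound email only to 172.29.3.3, never from SPIGOT; inside
# hosts may send mail out. SPIGOT has no address on the slide, so 10.99.0.0/16
# is a constructed placeholder for it.
SPIGOT = "10.99.0.0/16"
MAIL_RULES = [
    Rule("block", direction="inbound", src=SPIGOT),
    Rule("allow", direction="inbound", proto="tcp", dst="172.29.3.3", dst_port="25"),
    Rule("allow", direction="outbound", proto="tcp", dst_port="25"),
    Rule("block"),   # default: deny whatever is not explicitly permitted
]


def decide_all(rules, packets):
    """Return the action for every packet, in order; handy for tabulating a rule set."""
    return [filter_packet(rules, p) for p in packets]


if __name__ == "__main__":
    # Constructed sample packets; 198.51.100.0/24 is a documentation range.
    samples = [
        Packet("outbound", "tcp", "172.29.1.10", 40000, "203.162.44.68", 80),
        Packet("outbound", "tcp", "172.29.1.10", 40001, "198.51.100.7", 443),
        Packet("inbound", "tcp", "10.99.1.5", 5000, "172.29.3.3", 25),
        Packet("inbound", "tcp", "198.51.100.7", 5000, "172.29.3.3", 25),
        Packet("inbound", "tcp", "198.51.100.7", 5000, "172.29.1.10", 25),
    ]
    for pkt, action in zip(samples[:2], decide_all(WEB_BLOCK_RULES, samples[:2])):
        print("web-policy ", action, pkt)
    for pkt, action in zip(samples[2:], decide_all(MAIL_RULES, samples[2:])):
        print("mail-policy", action, pkt)
```

Rule order matters: the SPIGOT block sits above the allow for 172.29.3.3:25 so that SPIGOT is refused even when it targets the permitted mail host. Note what MAIL_RULES cannot express: the replies to mail that inside hosts send out arrive as inbound packets with source port 25, and a stateless filter can only admit them with a standing rule such as "allow inbound tcp from source port 25", which also admits any outside packet that merely sets that source port. That gap is what session filtering closes.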

PACKET FILTERING - WEAKNESSES

Cannot block application-specific attacks
Buffer overflow
No user authentication mechanism
Does not defend against attacks that exploit weaknesses of TCP
Spoofing
SYN flood
DoS

SESSION FILTERING
Applied to every packet
Based on context
New connection: check the policy
Existing connection: check the state table
Stateful
UDP and ICMP packets are hard to filter
Basic principle: deny whatever is not explicitly allowed
The filter can be bypassed by IP tunneling

SESSION FILTERING - EXAMPLE
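A session filter as described above (new connection: check the policy; existing connection: check the state table), as an added example that is not part of the original slides. The policy, the state-table layout, the idle timeout used to approximate UDP sessions (which is why the slide calls UDP hard to filter) and the 198.51.100.0/24 sample addresses are all assumptions constructed here.

```python
"""Session (stateful) filter simulator.

A new connection is checked against the policy; a packet that belongs to a
connection already in the state table is admitted on that basis alone, so
reply traffic needs no standing "allow inbound" rule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "outbound" (inside -> outside) or "inbound"
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN without ACK marks a connection attempt
    ack: bool = False
    fin: bool = False   # FIN or RST: the sender is closing the session
    rst: bool = False


class SessionFilter:
    def __init__(self, allowed_outbound_ports, udp_timeout=30):
        # Constructed policy: inside hosts may open sessions only to these ports.
        self.allowed_outbound_ports = set(allowed_outbound_ports)
        self.udp_timeout = udp_timeout
        # state table: (proto, inside_ip, inside_port, outside_ip, outside_port) -> last seen
        self.state = {}

    @staticmethod
    def session_key(pkt):
        """Normalise so both directions of one session map to the same entry."""
        if pkt.direction == "outbound":
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def handle(self, pkt, now):
        """Return "allow" or "block" for pkt seen at time `now` (seconds)."""
        key = self.session_key(pkt)
        if key in self.state:
            # Existing session: the state table decides, not the policy.
            if pkt.proto == "udp" and now - self.state[key] > self.udp_timeout:
                del self.state[key]   # UDP has no close handshake; expire idle entries
            else:
                if pkt.fin or pkt.rst:
                    # Simplified teardown: a real firewall tracks both sides' FINs.
                    del self.state[key]
                else:
                    self.state[key] = now
                return "allow"
        # New session: only inside-initiated, and only if the policy allows it.
        if pkt.direction != "outbound":
            return "block"
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "block"   # mid-stream TCP packet with no known session
        if pkt.dst_port not in self.allowed_outbound_ports:
            return "block"
        self.state[key] = now
        return "allow"

    def active_sessions(self):
        return len(self.state)


if __name__ == "__main__":
    fw = SessionFilter({80, 443})
    # Constructed exchange: an inside host opens HTTP to an outside server,
    # the reply comes back, then an unrelated outside host probes port 22.
    flow = [
        Packet("outbound", "tcp", "172.29.1.10", 40000, "198.51.100.7", 80, syn=True),
        Packet("inbound", "tcp", "198.51.100.7", 80, "172.29.1.10", 40000, syn=True, ack=True),
        Packet("inbound", "tcp", "198.51.100.9", 5555, "172.29.1.10", 22, syn=True),
    ]
    for t, pkt in enumerate(flow):
        print(fw.handle(pkt, t), pkt)
```

The inbound SYN/ACK from 198.51.100.7 is admitted only because the outbound SYN created a state entry a moment earlier; the same packet arriving without that entry, or an inbound SYN to port 22, is dropped with no inbound rule ever being written. For UDP there is no handshake to anchor the entry, so the filter has to guess a session from the first outbound datagram and expire it on idle time, which is the practical reason the slide lists UDP and ICMP as hard to filter.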
