
ANALYSIS OF THE DEFENSE-IN-DEPTH MODEL

THE DEFENSE-IN-DEPTH MODEL

[Figure: the seven concentric layers of the model, innermost first, with the controls the deck places at each]
Data: AAA, Encryption, Digital Signature
Application: Application Control, Antivirus, ...
Host: OS, Update Management, Endpoint Security, ...
Internal: VLAN, IPS, IDS, ...
Perimeter: UTM, Firewall, VPN, Routers
Physical: Lock, Camera
Security Policy: the outermost ring that governs all the others

Contents
1. Layer 1 : Data
2. Layer 2 : Application
3. Layer 3 : Host
4. Layer 4 : Internal
5. Layer 5 : Perimeter
6. Layer 6 : Physical
7. Layer 7 : Security Policy

Course: Building an Information Security Policy (Xây dựng chính sách ATTT)

Layer 1 : DATA
Contents:
- What is Data?
- What is AAA?
- Encrypting information
- Digital signatures
- Public key certificate system

Layer 1 : DATA

What is Data?
Data is the information we need to protect.
Data should be classified into 3 levels:
- Top secret
- Public
- Restricted (use by permission)

Protection here is divided into 3 main aspects:
- ensuring the confidentiality of the data
- ensuring the integrity of the data
- ensuring the availability of the data

Layer 1 : DATA

What is AAA?
AAA is a group of processes used to secure information. One of the goals of AAA is CIA:
- C : Confidentiality
- I : Integrity
- A : Availability

The deck expands AAA as:
- A : Access Control
- A : Authentication
- A : Accounting
(The usual expansion is Authentication, Authorization and Accounting. What the deck calls Access Control is the authorization step: deciding what an already authenticated entity may do.)

Layer 1 : DATA

What is AAA?
Access Control is the means of granting access to resources: policies, NTFS permissions, smart cards, VPN, ...
Three techniques are used in Access Control:
Mandatory Access Control (MAC)
- Built into the operating system
- Uses fixed (hard-coded) labels set on objects; neither the owner nor the user can loosen them
Discretionary Access Control (DAC)
- Sets access permissions on individual objects
- The owner of the resource can set (and change) those permissions
Role-Based Access Control (RBAC)
- Sets access permissions based on groups (roles); a user holds the permissions of the roles they are a member of
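The three models are easiest to compare on one concrete request. The block below is an added example, not code from the deck: it decides "may bob read or write payroll.xlsx?" under MAC (fixed labels following the deck's three data tiers), DAC (an owner-edited ACL) and RBAC (group membership). Every subject, resource, label, role and permission name in it is invented for the demo.

```python
"""MAC, DAC and RBAC side by side (added example, not from the deck).
Subjects, resources, labels, roles and permissions below are invented."""
from typing import Dict, Set

# --- MAC: labels are fixed by the system; the owner cannot relax them. ---
# Levels follow the deck's three tiers: public < restricted < top_secret.
LEVELS = {"public": 0, "restricted": 1, "top_secret": 2}


def mac_allowed(subject_clearance: str, object_label: str, action: str) -> bool:
    """Bell-LaPadula confidentiality rules: no read-up, no write-down."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    raise ValueError(f"unknown action {action!r}")


# --- DAC: each object carries an ACL that its owner edits at will. ---
class DacObject:
    def __init__(self, owner: str) -> None:
        self.owner = owner
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write", "change_acl"}}

    def grant(self, by: str, to: str, perms: Set[str]) -> None:
        """Only a holder of change_acl (initially just the owner) may alter the ACL."""
        if "change_acl" not in self.acl.get(by, set()):
            raise PermissionError(f"{by} may not change the ACL")
        self.acl.setdefault(to, set()).update(perms)

    def allowed(self, subject: str, action: str) -> bool:
        return action in self.acl.get(subject, set())


# --- RBAC: permissions hang off roles (groups); subjects only get memberships. ---
ROLE_PERMS: Dict[str, Set[str]] = {
    "payroll_clerk": {"payroll.xlsx:read"},
    "payroll_admin": {"payroll.xlsx:read", "payroll.xlsx:write"},
    "helpdesk": {"tickets.db:read", "tickets.db:write"},
}
SUBJECT_ROLES: Dict[str, Set[str]] = {
    "alice": {"payroll_admin"},
    "bob": {"payroll_clerk", "helpdesk"},
    "carol": {"helpdesk"},
}


def rbac_allowed(subject: str, resource: str, action: str) -> bool:
    needed = f"{resource}:{action}"
    return any(needed in ROLE_PERMS.get(r, set()) for r in SUBJECT_ROLES.get(subject, set()))


def demo() -> dict:
    """Decide bob's requests under all three models and return the verdicts."""
    payroll = DacObject(owner="alice")
    payroll.grant(by="alice", to="bob", perms={"read"})  # owner chooses to share
    try:
        payroll.grant(by="bob", to="carol", perms={"read"})  # bob lacks change_acl
        bob_regrant = True
    except PermissionError:
        bob_regrant = False
    return {
        "mac_bob_reads_ts": mac_allowed("restricted", "top_secret", "read"),
        "mac_bob_writes_ts": mac_allowed("restricted", "top_secret", "write"),
        "dac_bob_read": payroll.allowed("bob", "read"),
        "dac_bob_write": payroll.allowed("bob", "write"),
        "dac_bob_can_regrant": bob_regrant,
        "rbac_bob_read": rbac_allowed("bob", "payroll.xlsx", "read"),
        "rbac_bob_write": rbac_allowed("bob", "payroll.xlsx", "write"),
        "rbac_carol_read": rbac_allowed("carol", "payroll.xlsx", "read"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The contrast to notice: under DAC the owner alone decides who else may read, and the recipient cannot pass the right on; under MAC the system's label decides and the owner has no say; under RBAC changing a user's access means changing group membership, never editing individual objects.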

Layer 1 : DATA

What is AAA?
Authentication is the process of confirming whether an entity is who it claims to be. Once confirmed, the entity is granted the corresponding rights to operate in the network environment (that granting step is the authorization part of AAA). Authentication methods:
- Username/Password
- Smart card
- Biometrics
- One-Time Password
- Kerberos, RADIUS (protocols that carry and centralise the authentication exchange)

Layer 1 : DATA

What is AAA?
Accounting is the process of tracking and recording the actions of an entity. On Windows, the audit policy is what performs this tracking.

Practice:
- Study the user-auditing policies of Windows Server
- Study the tools for monitoring and managing user and system activity
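An audit trail is only useful if something reads it. As an added example (not part of the deck), the block below runs a small detection over constructed audit records shaped like Windows security-log logon events: event ID 4625 is a failed logon and 4624 a successful one (those two IDs are real); the pipe-separated layout, timestamps, users and addresses are invented. It flags a burst of failures from one source against one account, and a success that follows such a burst, which is the password-based attack listed later under Layer 4.

```python
"""Detection over a constructed audit trail (added example, not from the deck).
Event IDs 4624/4625 are the real Windows logon-success/failure IDs; everything
else in SAMPLE_LOG is invented."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# constructed sample: timestamp|event_id|user|source_ip
SAMPLE_LOG = """\
2024-05-01T09:00:01|4624|alice|10.0.0.12
2024-05-01T09:01:10|4625|admin|10.0.0.77
2024-05-01T09:01:11|4625|admin|10.0.0.77
2024-05-01T09:01:12|4625|admin|10.0.0.77
2024-05-01T09:01:13|4625|admin|10.0.0.77
2024-05-01T09:01:14|4625|admin|10.0.0.77
2024-05-01T09:01:15|4625|admin|10.0.0.77
2024-05-01T09:01:16|4624|admin|10.0.0.77
2024-05-01T09:30:00|4625|bob|10.0.0.12
2024-05-01T10:30:00|4625|bob|10.0.0.12
"""

Event = Tuple[datetime, int, str, str]


def parse(log: str) -> List[Event]:
    events = []
    for line in log.splitlines():
        ts, eid, user, ip = line.split("|")
        events.append((datetime.fromisoformat(ts), int(eid), user, ip))
    return events


def find_password_attacks(events: List[Event], threshold: int = 5,
                          window: timedelta = timedelta(minutes=2)) -> List[dict]:
    """Alert when one (user, source) has `threshold` failed logons inside `window`;
    a success right after such a burst is the stronger signal (a guess worked)."""
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    alerts = []
    for ts, eid, user, ip in events:
        key = (user, ip)
        recent = [t for t in failures[key] if ts - t <= window]  # slide the window
        if eid == 4625:
            recent.append(ts)
            if len(recent) == threshold:  # fire once, when the threshold is crossed
                alerts.append({"user": user, "source": ip, "kind": "burst", "at": ts})
        elif eid == 4624 and len(recent) >= threshold:
            alerts.append({"user": user, "source": ip, "kind": "success_after_burst", "at": ts})
            recent = []
        failures[key] = recent
    return alerts


if __name__ == "__main__":
    for alert in find_password_attacks(parse(SAMPLE_LOG)):
        print(alert)
```

Bob's two failures an hour apart never trip the rule, the six rapid failures against admin do, and the logon that follows them is reported separately so that it can be escalated rather than buried among ordinary successes.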

Layer 1 : DATA

Encrypting information
1. What is encryption?
2. Symmetric encryption
3. Asymmetric encryption
4. Digital signatures
5. Public key certificate system
6. Summary

Layer 1 : DATA

Encrypting information
Encryption is one form of cryptography. Encryption is a way of scrambling or transforming information from a readable form into an unreadable form. Examples:
- Scrambling the data (transposition): every two adjacent characters swap places; a character left over at the end keeps its position
  ABCDEF -> BADCFE
- Transforming the information (substitution): increase the value of each character by 1
  ABCDEF -> BCDEFG
Neither toy example uses a key, so anyone who knows the method can undo it; the slides that follow add the key that real encryption depends on.

Layer 1 : DATA

Encrypting information
Symmetric encryption is a mechanism in which encryption and decryption use one shared key.
Key: the value used both to encrypt and to decrypt. Both parties must already hold it, so it has to be exchanged over a channel the attacker cannot read, and it must never be reused in a way that lets two ciphertexts be compared.
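The two toy transforms from the previous slide and a genuinely keyed cipher, as an added example that is not code from the deck. The keyed part is a stream cipher built from HMAC-SHA256 in counter mode, a standard PRF construction chosen because it needs only the standard library; it is teaching code, not a substitute for a vetted cipher such as AES-GCM (assumption: illustration only). The message text is the deck's demo order; the keys and nonce are constructed.

```python
"""Keyless toy transforms versus a keyed stream cipher (added example, not from
the deck). The HMAC-SHA256 counter-mode cipher is for illustration only."""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16


def pair_swap(text: str) -> str:
    """Deck example: swap each adjacent pair; an odd trailing character stays put."""
    out = list(text)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return "".join(out)


def shift(text: str, k: int = 1) -> str:
    """Deck example: move each letter k places along the alphabet, wrapping."""
    res = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            res.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            res.append(ch)
    return "".join(res)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: block_i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext. Reusing a (key, nonce) pair leaks the XOR of
    the two plaintexts, which is exactly what the demo below exhibits."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Same key, same keystream: XOR again to recover the plaintext."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def demo() -> dict:
    key, wrong_key = b"\x11" * 32, b"\x22" * 32          # constructed keys
    order = b"Withdraw $5,000,000 account NHB-212551245"  # the deck's demo order
    blob = encrypt(key, order)
    # nonce reuse: two messages of equal length under one (key, nonce)
    nonce = b"\x00" * NONCE_LEN
    m1, m2 = b"attack at dawn!!", b"attack at dusk!!"
    c1, c2 = encrypt(key, m1, nonce)[NONCE_LEN:], encrypt(key, m2, nonce)[NONCE_LEN:]
    return {
        "swap": pair_swap("ABCDEF"),
        "shift": shift("ABCDEF"),
        "roundtrip_ok": decrypt(key, blob) == order,
        "wrong_key_garbage": decrypt(wrong_key, blob) != order,
        "nonce_reuse_leaks_xor": bytes(a ^ b for a, b in zip(c1, c2))
        == bytes(a ^ b for a, b in zip(m1, m2)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the last check is the caveat practitioners trip over most often: a stream cipher is only as secret as its nonce discipline, since the keystream cancels out when two ciphertexts under the same key and nonce are XORed together.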

Layer 1 : DATA

Encrypting information
Asymmetric encryption is a mechanism in which encryption and decryption use 2 different keys:
- Public Key: the key used to encrypt; it can be handed to anyone
- Private Key: the key used to decrypt; it never leaves its owner

Asymmetric encryption is also used to create digital signatures: there the roles are reversed, the private key signs and the public key verifies.

Layer 1 : DATA

Digital signatures
A digital signature is a string of digits that allows the origin/source/entity that created a message to be identified. Digital signatures are used for:
- Authentication
- Ensuring data integrity
- Non-repudiation
Algorithms for creating digital signatures: RSA, DSA

Demo 1
Office B needs to carry out a cash-withdrawal transaction with Bank A. Normally the customer must come to the branch in person: $5,000,000 ... OK!
Instead, the request is sent by email:
  Sender: Office B
  Recipient: Bank A
  Date sent: 1 / 8 / 2003
  Content: Withdraw $5,000,000, account number: NHB-212551245 ....
Bank A receives exactly the same text and has no way to tell who really wrote it.
(Slides: GV. Nguyễn Duy)

Layer 1 : DATA

Digital signatures
Process for creating a digital signature
[Figure: Data -> Hash -> Message hash -> Sign (with the private key) -> Signature; the signature is sent along with the data]

Layer 1 : DATA

Digital signatures
Process for verifying a digital signature
[Figure: Data -> Hash -> digest; Signature -> Verify (with the public key) -> digest; the two digests must match]

Demo 2
Office B encrypts & signs the email:
  Sender: Office B
  Recipient: Bank A
  Date sent: 1 / 8 / 2003
  Content: Withdraw $5,000,000, account number: NHB-212551245 ....
Bank A decrypts & checks the signature: OK! the request is accepted & the $5,000,000 is sent.



Demo 3
Data attacked in transit: MITM (Man in the Middle)
  Office B sent:    Withdraw $5,000,000, account number: NHB-212551245 ....
  Bank A receives:  Transfer $5,000,000 to account NHB-8888888 ....
A plain email gives Bank A no way to notice the change. A signature computed over the original content fails to verify on the altered one, which is how the bank would detect the tampering.

Layer 1 : DATA

Public key certificate system
A digital certificate is an attestation of who owns a public key.
Certificate contents:
- Information about the owner of the public key
- The public key itself
- The signature of a trusted third party (the Certificate Authority, CA)

Layer 1 : DATA

Public key certificate system
Process for creating a certificate
[Figure: Fran's X.509 certificate]
- Input fields: Subject Name, Public Key, (other fields)
- The fields are run through a hash algorithm to produce a hash digest
- The digest is encrypted (signed) with the CA's private key to produce the Signature
- The certificate is the fields plus that Signature

Layer 1 : DATA

Public key certificate system
Process for verifying a certificate
[Figure: Fran's X.509 certificate checked against the CA's X.509 certificate]
- Take the CA's public key from the CA's own certificate
- Decrypt the Signature on Fran's certificate with the CA's public key to recover the hash digest the CA signed
- Run Fran's certificate info (Subject Name, Public Key, other fields) through the same hash algorithm to get a second hash digest
- Compare the two digests (=?); if they match, the certificate is authentic and the public key belongs to the named subject

Demo 4
[Figure residue, reconstructed as the flow it depicts]
1. Office B asks the Certificate Authority (CA) to issue a certificate under the X.509 standard, submitting its information and public key; the CA creates the X.509 certificate.
2. Office B signs & encrypts the document with its private key and sends it together with its certificate.
3. Bank A decrypts & verifies the signature using the public key carried in the certificate, and checks the certificate itself: is it authentic, still valid, and issued by a CA the bank trusts?
4. Ok! correct & accepted.

Demo 5
[Figure residue, reconstructed as the flow it depicts]
1. The customer requests a certificate from the CA.
2. The customer transacts with the Bank.
3. The Bank asks the CA to authenticate the presented certificate.
4. CA answers "certificate authentic. OK!" and the Bank accepts the transaction; if the CA answers "certificate does not exist", the transaction is not accepted.

Layer 2 : Application
Contents:
- The role of applications in data security
- Identifying the applications in the system
- Classifying applications
- How applications access data
- Checking applications
- Security applications

Layer 2 : Application
The role of applications in data security
- An application may run directly on the machine that holds the data, or elsewhere
- Either way it accesses the data directly
- The risk of data theft through an application is therefore very high

Layer 2 : Application

Identifying the applications in the system
List all applications running in the system:

No. | Application             | Vendor                  | Description
1   | Windows Server 2003 SP2 | Microsoft               |
2   | Unikey                  | Phạm Kim Long           |
3   | MISA                    | MISA JSC (Cty CP MISA)  |

Layer 2 : Application

Classifying applications
- Networking or Local
  - Networking: Client/Server, Peer-to-Peer, Hybrid
  - Local
- System or Non-System
  - System: the operating system
  - Non-System: personal firewall, Office, ...
- License:
  - Paid
  - Free
  - Open source

Layer 2 : Application

Classifying applications

No. | Application             | License     | Network       | System
1   | Windows Server 2003 SP2 | Paid        | Client/Server | System
2   | Unikey                  | Free        | Local         | No
3   | Endian Firewall         | Open source | Local         | No (Integrated)

Layer 2 : Application

How applications access data
- Understand exactly how each application manipulates the data
- Assign permissions for that access
- Restrict permissions, above all Delete and Full control ..

Layer 2 : Application

Checking applications
- Usually based on the reputation of the vendor
- Buffer overflow
- SQL injection
- Known-vulnerable software .

Layer 2 : Application

Security applications
- Endpoint Security
- Antivirus
- Personal Firewall
- Host Intrusion Detection System (HIDS)
- Application security
- Update applications regularly
- Application Control
..

Layer 3 : Host
Host = computer. Securing the host:
- Availability of the host
- Reliability of the host
- Operating system security
- Security of the applications running on the host
- Access management
- Management of peripheral devices plugged into the host
- Periodic physical inspection .

Layer 4 : Internal
Threats:
- Eavesdropping
- Data modification
- Identity spoofing
- Password-based attacks
- Sniffer attacks
- Application-layer attacks
- Worms .

Layer 4 : Internal
Solutions that limit these attacks:
- Port security
- IP Security (IPsec)
- VLAN
- IDS/IPS
- Firewall .

Layer 5 : Perimeter
Protected mainly by firewalls and routers
- Router: configure Access Control Lists
- Firewall: configure the policies (rules) that govern traffic between zones

Unified Threat Management:
- Check Point
- Astaro Security Gateway
- Cyberoam
- Fortinet

Layer 6 : Physical
- Mechanisms for managing hardware devices
- Authentication when accessing specialised hardware devices
- Hardware warranty policy
- Support policy for when hardware fails
- Ensuring specialised hardware devices carry documentation certifying they meet the required standards

Layer 7 : Policy
To be covered later.

Summary
- Understand the architecture of the model
- Understand the threats and attacks at each layer
- Understand the security mechanisms at each layer

Questions?