
Chapter I: Overview of firewalls.

I. 1.1. Introduction. The origin of the firewall.

The term FireWall comes from a building-construction technique for containing and limiting fires. In networking technology, a firewall is a technique integrated into the network system to resist unauthorized access, protecting internal information resources and limiting the entry of unwanted information into the system. A firewall can also be understood as a mechanism that protects a trusted network from untrusted networks. A firewall is usually placed between the internal network (Intranet) of a company, organization, sector or nation and the Internet. The main role of a firewall is information security: blocking unwanted access from the outside (Internet) and forbidding access from the inside (Intranet) to certain addresses on the Internet. An Internet firewall is a set of devices (hardware and software) placed between the network of an organization, company or nation (the Intranet) and the Internet: (INTRANET - FIREWALL - INTERNET). In some cases a firewall may be set up within a single internal network to isolate security domains; for example, a local network may use a firewall to separate the computer room from the network on the lower floors. An Internet firewall can help stop outsiders on the Internet from breaking into a computer. A firewall works by inspecting information going to and coming from the Internet. It recognizes and discards information that comes from dangerous places or looks suspicious. If the firewall is installed properly, attackers scanning for vulnerable computers cannot find the computer. A firewall is a hardware- or software-based solution for inspecting data.

1.2. The purpose of the firewall.

With a firewall, users can be assured that they are exercising supervision over the data communicated between their computer and other computers or systems. The firewall can be seen as a guard whose duty is to check the pass of every data packet entering or leaving the user's computer, letting only legitimate packets through and discarding all illegitimate ones. Firewall solutions are genuinely necessary because of the way data moves across the Internet. Suppose you send a letter to a relative: for the letter to travel across the Internet, it must first be split into small packets. These packets each find the best route to the recipient's address, where they are reassembled (in the order numbered beforehand) and restored to their original form. Splitting data into packets simplifies transferring it across the Internet, but it can lead to some problems. If someone with bad intentions sends a number of packets but rigs them so that the recipient's computer does not know how to handle them, or so that they are reassembled in the wrong order, that person may gain remote control over the recipient's computer and cause serious problems. Whoever has illicitly taken control can then use the recipient's Internet connection to launch further attacks without revealing their own identity. The firewall ensures that all incoming data is legitimate, preventing outside users from taking control of your computer. The firewall's control over outgoing data is also very important, because it prevents intruders from planting malicious viruses on the computer in order to launch backdoor attacks on other computers on the Internet.

Figure 1.1. The firewall sits between the private network and the public network.

A firewall has at least two network interfaces: public and private. The public interface connects to the Internet, the side that everyone can reach; the private interface is the side that holds the protected data. A firewall may have several private interfaces, depending on the number of network segments that need to be separated. Each interface has its own protection rule set, which determines what kinds of traffic may pass from the public network to the private networks. A firewall can also do more than this, with corresponding advantages and difficulties. Network administrators commonly use the firewall as a VPN endpoint, an authentication server or a DNS server. However, as with any other network device, the more services run on one host, the greater the risk. A firewall should therefore not run many services. The firewall is the second layer of protection in the network; the first is the router. At the routing layer, certain IP addresses are allowed or refused and abnormal packets are detected. The firewall decides which ports are allowed or refused. A firewall is also useful for small network segments or individual IP addresses. Because routers are often overloaded, using the router to filter out a single IP address or a small address range can create unnecessary load. The firewall is useful for protecting networks from unwanted traffic. If a network has no public servers, the firewall is a very good tool for refusing all incoming traffic that was not initiated by a machine behind the firewall; a firewall can also be configured to refuse all traffic except port 53, reserved for the DNS server.

Figure 1.2. A network consisting of a firewall and servers.

The power of a firewall lies in its ability to filter traffic based on a set of protection rules, also called the security policy, entered by the administrators. This can also be the firewall's greatest weakness: a bad or incomplete rule set can open the door to an attacker, and the network may no longer be safe. Many network administrators do not think of the firewall as a complex network device. People are concerned with keeping unwanted traffic out of the private network, and less concerned with keeping unwanted traffic from reaching the public network. Both kinds of protection rule set deserve attention. If an attacker tries to break into a server, they should not be able to use that server to attack remote network devices. To protect and assist the traffic within network segments, administrators often run two firewalls: the first protects the whole network, and the other protects the other segments. Multiple layers of firewalls also give network security administrators better control over information flows, especially where departments inside and outside the company must handle sensitive information. Information exchange can be allowed in some parts of the network and restricted in the more sensitive areas.

Figure 1.3. Using multiple firewalls to increase security.

1.3. Firewall options.

There are several firewall manufacturers and two kinds to choose from: hardware firewalls and software firewalls.

1.3.1. Hardware firewalls.

Overall, hardware firewalls provide a higher level of protection than software firewalls and are easier to maintain. Hardware firewalls have another advantage: they do not consume system resources on the computer the way software firewalls do. A hardware firewall is a very good choice for small businesses, especially companies that share an Internet connection. A firewall and a router can be combined on the same hardware and used to protect the whole network. A hardware firewall is a cheaper option than software firewalls, which usually have to be installed on every individual computer in the network. Vendors of hardware firewalls include Linksys (http://www.linksys.com) and NetGear (http://www.netgear.com). The hardware firewall features these companies provide are usually built into routers intended for small-business and home networks.

1.3.2. Software firewalls.

If you do not want to spend money on a hardware firewall, you can use a software firewall. In price, software firewalls are usually no more expensive than hardware firewalls, and some are even free (Comodo Firewall Pro 3.0, PC Tools Firewall Plus 3.0, ZoneAlarm Firewall 7.1, ...) and can be downloaded from the Internet. Compared with hardware firewalls, software firewalls are more flexible, especially when settings need to be re-tuned to the particular needs of each company. They can work well on many different systems, unlike router-integrated hardware firewalls, which work well only in small-scale networks. Software firewalls are also a suitable choice for laptops, because the computer stays protected wherever it goes.

Software firewalls work well with Windows 98, Windows ME and Windows 2000. They are a good choice for stand-alone computers. Other software companies make these firewalls. They are not necessary for Windows XP, Windows 7 or Windows 8, because these versions of Windows have a built-in firewall.

Advantages:
- No additional hardware required.
- No extra computer cabling required.
- A good choice for a stand-alone computer.

Disadvantages:
- Additional cost: most software firewalls cost money.
- Installation and configuration are needed before starting.
- A separate copy is needed for each computer.

1.4. Firewall models and architecture.

The architecture of a system that uses a firewall is as follows:

Figure 1.4. Architecture of a system using a firewall.

All firewall systems share the common structure shown below:

Figure 1.5. General structure of a firewall system.

In which:
- Screening Router: the first control checkpoint for the LAN.
- DMZ: the zone at risk of attack from the Internet.
- Gateway Host: the gateway between the LAN and the DMZ; it controls all communication and enforces the security mechanisms.
- IF1 (Interface 1): the network card facing the DMZ.
- IF2 (Interface 2): the network card facing the LAN.
- FTP Gateway: controls FTP access between the LAN and the DMZ. FTP from the LAN out to the Internet is unrestricted; FTP access into the LAN requires authentication through the Authentication server.
- Telnet Gateway: controls telnet access in the same way as FTP: users may telnet outward freely, while telnet from the outside must be authenticated through the Authentication server.
- Authentication server: where access rights are verified, using strong authentication techniques such as one-time passwords/tokens.

All firewalls share one property: the ability to discriminate, that is, to refuse access, based on source addresses. Thanks to the firewall model, the service servers on the LAN are kept safe, and all information exchanged with the Internet is controlled through the Gateway.

1.4.1. Dual-homed host architecture (intermediary host).

A dual-homed host firewall is built on a dual-homed host computer. A computer is called dual-homed if it has at least two network interfaces, that is, two network cards connected to two different networks; the computer then acts as a software router. The dual-homed host architecture is very simple: the dual-homed host sits in the middle, with one side connected to the Internet and the other connected to the internal network (LAN). The dual-homed host can provide services only by proxying them or by letting users log in directly to the dual-homed host. Any direct communication between a host on the internal network and an external host is forbidden; the dual-homed host is the only point of communication.

Figure 1.6. Dual-homed host architecture.

1.4.2. Screened host architecture.

The screened host architecture is the reverse of the dual-homed host architecture: it provides services from a host inside the internal network, using a separate router connected to the outside network. In this architecture the main security method is packet filtering. The bastion host is placed inside the internal network, and packet filtering is installed on the router. In this way the bastion host is the only system on the internal network to which hosts on the Internet can connect, and even then only the kinds of connection configured on the bastion host are permitted. Any outside system trying to reach the internal systems or services must connect to this host. The bastion host must therefore be kept at a high level of security. Packet filtering also allows the bastion host to open connections to the outside.

The packet filtering configuration on the screening router is as follows:
- Allow all internal hosts to open connections to external hosts for a fixed set of services.
- Disallow all other connections from internal hosts (those hosts must instead use the proxy services through the bastion host).

You can combine several entry points for different services: some services are allowed in directly through packet filtering, while others are allowed in only indirectly through the proxy.

Because this architecture allows packets to pass from the outside into the internal network, it seems more dangerous than the dual-homed host architecture, which is designed so that no packet can reach the internal network. In practice, however, the dual-homed host architecture sometimes has flaws that let a packet actually pass from outside to inside (because these flaws are entirely unknown in advance, there is almost no protection against such attacks). Moreover, in the dual-homed host architecture it is easier to protect the router (the machine providing the fewest services) than to protect the hosts inside the network. Overall, the screened host architecture provides higher reliability and greater safety than the dual-homed host architecture. Compared with other architectures such as the screened subnet, the screened host architecture has some disadvantages. The main one is that if an attacker manages to break into the bastion host, there is no way to isolate the bastion host from the remaining hosts on the internal network. The router also has weaknesses: if the router is compromised, the whole network is open to attack. For this reason the screened subnet has become the most popular architecture.

Figure 1.7. Screened host architecture.

1.4.3. Screened subnet architecture.

To strengthen the protection of the internal network, implement a defense-in-depth strategy, increase the safety of the bastion host, and isolate the bastion host from the other hosts so as to limit the spread of damage if the bastion host is compromised, a firewall architecture called the screened subnet was introduced. The screened subnet architecture is derived from the screened host architecture by adding a security layer: a perimeter network that isolates the internal network from the outside network and separates the bastion host from the other ordinary hosts. The simple screened subnet architecture consists of two screening routers:

- Exterior router (also called the access router): sits between the perimeter network and the outside network, and its main function is to protect the perimeter network (bastion host, interior router). It allows whatever is outbound from the perimeter network. Some special packet filtering rules are installed to the degree needed to protect the bastion host and the interior router, and the bastion host still needs to be installed with a high level of security. Apart from these rules, the remaining rules are the same on the two routers.

- Interior router (also called the choke router): sits between the perimeter network and the internal network, protecting the internal network from the outside network and from the perimeter network. It does not perform all the packet filtering rules of the whole firewall. The services that the interior router allows between the bastion host and the internal network, and between the outside and the internal network, need not be the same. Limiting the services between the bastion host and the internal network reduces the number of machines (and the number of services on them) that can be attacked if the bastion host is compromised and colludes with the outside. For example, the services permitted between the bastion host and the internal network should be limited, such as SMTP between the bastion host and the internal e-mail server.

Figure 1.8. Screened subnet.


II. Role and application of firewalls.

A firewall decides which internal services may be accessed from the outside, which outsiders may access internal services, and which external services may be accessed by insiders.

2.1. What a firewall protects.

Protecting data: monitoring the flow of network data between the Internet and the Intranet. Information must be protected for the following reasons:
- Confidentiality: one of the firewall's functions is to hide information about the trusted internal network from the untrusted network and other outside networks. The firewall also provides a central point of control that ensures management, which is very beneficial when an organization's human and financial resources are limited.
- Integrity: the firewall can also protect data or information from being altered or lost while stored or transmitted.
- Timeliness: when an error occurs during processing, the firewall always has the feature of timely recovery from that error.

2.2. What a firewall protects against.

A firewall protects against attacks from the outside.

2.2.1. Against hacking.

Hackers are people who understand and use computers very skilfully and are very good programmers. Having analyzed and discovered a vulnerability in a system, they will find a suitable way to access and attack the system. They can use various skills to attack a computer system, for example accessing the system without permission and creating fake information or stealing information. Many companies are worried about confidential data being stolen by hackers. Among the methods found to protect data, the firewall can do this.

2.2.2. Against code modification.

This happens when an attacker modifies, deletes or replaces the authenticity of pieces of code using viruses, worms and other hidden malicious programs. Downloading files from the Internet can lead to downloading hidden malicious code; lacking knowledge of computer security, users may run downloaded files that carry out the intentions of the people behind certain websites.

2.2.3. Denial of service.

Denial of service is a type of attack that interrupts operation. The threat to the continuity of the network system results from many attack methods, such as flooding, where an intruder generates a number of unauthenticated messages to increase the traffic on the network and degrade service to real users. Alternatively, an attacker may secretly sabotage the computer system by adding hidden malicious software that attacks the system at a predetermined time.

2.2.4. Direct attacks.

The first method is direct password guessing. Using password-guessing programs together with some information about the user such as date of birth, age, address, etc., combined with a word list built by the user, an attacker can guess the password. In some cases the success rate can reach 30%. An example is the password-guessing program for the Unix operating system named Crack. The second method is to exploit bugs in application programs and in the operating system itself; this has been used since the first attacks and remains a way to seize access rights (to obtain the system administrator's privileges).

2.2.5. Eavesdropping.

Names, passwords and information transmitted over the network can be learned through programs that put the Network Interface Card (NIC) into a mode that receives all information passing over the network.

2.2.6. Disabling system functions (denial of service).

This type of attack aims to paralyze the whole system so that it cannot perform the functions it was designed for. This kind of attack cannot be prevented, because the means used to mount the attack are the same means used for working and accessing information on the network.

2.2.7. System administrator errors.

Today hackers' skills keep improving, while systems remain slow to fix their vulnerabilities. This requires network administrators to have good knowledge of network security in order to keep the system's information safe. Individual users cannot know every trick needed to build their own firewall, but they should understand the importance of information security for each individual, and from there learn some ways to prevent simple hacker attacks. The issue is awareness: with awareness of prevention, the level of safety is higher.

2.2.8. The human factor.

Through carelessness and a failure to understand the importance of system security, important information is easily leaked to hackers.


III. Types of firewall.

3.1. Network layer or packet filters.

Network-layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established rule set. The firewall administrator can define the rules, or default rules can apply. The term "packet filter" originated in the context of BSD (Berkeley Software Distribution) operating systems. Network-layer firewalls are generally divided into two subcategories, stateful and stateless. Stateful firewalls maintain context about active sessions and use that "state information" to speed up packet processing. Any existing network connection can be described by several properties, including source and destination IP addresses, UDP or TCP ports, and the current stage of the connection's lifetime (including session initiation, handshaking, data transfer, or completion of the connection). If a packet does not match an existing connection, it is evaluated according to the rules for new connections. If a packet matches an existing connection based on comparison with the firewall's state table, it is allowed to pass without further processing. Stateless firewalls require less memory and can be faster for simple filters that need less time to filter than to look up a session. They may also be necessary for filtering stateless network protocols that have no concept of a session. However, they cannot make more complex decisions based on what stage of communication the hosts have reached. Modern firewalls can filter traffic based on many packet attributes such as source IP address, source port, destination IP address or port, and destination service such as WWW or FTP. They can filter based on protocols, TTL values, the netblock of the originator or source, and other attributes. Packet filters commonly used on various versions of Unix are IPFilter (various), ipfw (FreeBSD/Mac OS X), NPF (NetBSD), PF (OpenBSD and some other BSDs), and iptables/ipchains (Linux).
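As an added example (not code from the original document), the following Python simulation models the interior (choke) router of the screened subnet from section 1.4.3, with only SMTP allowed from the bastion host to the internal mail server, and shows the stateful versus stateless distinction of section 3.1. The address plan, the host addresses and the packets are constructed assumptions, not values from the page.

```python
"""Stateless vs. stateful packet filtering on a screened-subnet interior router.
Constructed example: addresses, hosts and packets are assumed, not from the page."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Set, Tuple

ANY = ip_network("0.0.0.0/0")
PERIMETER = ip_network("203.0.113.0/24")   # perimeter network holding the bastion host
INTERNAL = ip_network("10.0.0.0/24")       # internal LAN behind the interior router
BASTION = "203.0.113.10"                   # bastion host on the perimeter network
MAIL_SERVER = "10.0.0.25"                  # internal e-mail server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the opening SYN of a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port
    non_syn_only: bool = False   # crude "return traffic" test a stateless filter relies on

    def matches(self, p: Packet) -> bool:
        if self.non_syn_only and p.syn:
            return False
        return (ip_address(p.src) in self.src and ip_address(p.dst) in self.dst
                and (self.dport is None or p.dport == self.dport))


# Policy for NEW connections on the interior router: SMTP from the bastion host to
# the mail server, anything outbound from the LAN, and nothing else (first match wins).
NEW_CONNECTION_RULES: List[Rule] = [
    Rule("allow", ip_network(BASTION + "/32"), ip_network(MAIL_SERVER + "/32"), 25),
    Rule("allow", INTERNAL, ANY),
    Rule("deny", ANY, ANY),
]

# A stateless filter has no state table, so to let replies reach the LAN it must add
# a blanket rule such as "any non-SYN packet to the LAN is allowed".
STATELESS_RULES: List[Rule] = NEW_CONNECTION_RULES[:2] + [
    Rule("allow", ANY, INTERNAL, None, non_syn_only=True),
    Rule("deny", ANY, ANY),
]


def stateless_decide(p: Packet, rules: List[Rule]) -> str:
    """Evaluate a packet against the rules in order; deny if nothing matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFilter:
    """Keeps a table of established connections; rules are consulted only for SYNs."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.table: Set[Tuple[str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            return "allow"        # part of a tracked connection: no rule lookup needed
        if not p.syn:
            return "deny"         # mid-stream segment with no tracked connection
        action = stateless_decide(p, self.rules)
        if action == "allow":
            self.table.add(fwd)   # remember the connection so replies can return
        return action


def demo() -> dict:
    """Return {scenario: (stateless decision, stateful decision)} for sample packets."""
    sf = StatefulFilter(NEW_CONNECTION_RULES)
    packets = [
        ("bastion opens SMTP to mail server", Packet(BASTION, 40001, MAIL_SERVER, 25, syn=True)),
        ("mail server replies", Packet(MAIL_SERVER, 25, BASTION, 40001)),
        ("bastion tries SSH to a workstation", Packet(BASTION, 40002, "10.0.0.5", 22, syn=True)),
        ("forged non-SYN packet from the Internet", Packet("198.51.100.7", 80, "10.0.0.5", 40003)),
    ]
    return {label: (stateless_decide(p, STATELESS_RULES), sf.decide(p)) for label, p in packets}


if __name__ == "__main__":
    for label, (stateless, stateful) in demo().items():
        print(f"{label}: stateless={stateless} stateful={stateful}")
```

The last scenario is the one the section describes: the stateless rule set has to wave through any non-SYN packet addressed to the LAN, while the stateful filter denies it because no tracked connection exists.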

3.2. Application layer.

Application-layer firewalls work at the application level of the TCP/IP stack (for example, all browser traffic, or all telnet or FTP traffic) and can intercept all packets travelling to or from an application. They block other packets (usually dropping them without notifying the sender). By inspecting all packets for improper content, the firewall can restrict or completely prevent the spread of network worms and trojans. Additional inspection criteria can add extra latency to forwarding packets to their destination. An application firewall works by determining whether a process should accept a given connection. It performs its function by hooking into socket calls to filter the connections between the application layer and the lower layers of the OSI model. Application firewalls that hook into socket calls are also called socket filters. An application firewall works much like a packet filter, but the application filter applies filtering rules (allow/block) on a per-process basis instead of filtering connections on a per-port basis. Generally, prompts are used to define rules for processes that have not yet received a connection. It is rare to find application firewalls that are not combined or used together with a packet filter. Also, application firewalls further filter connections by checking the process ID of the data packet against the rules for the local process involved in the data transfer. The extent of filtering that occurs is determined by the rules provided. Given the variety of software that exists, application firewalls only have more complex rule sets for standard services, such as sharing services. These per-process rule sets have limited effectiveness in filtering every possible association that may occur with other processes. Also, per-process rule sets cannot protect against modification of the process through exploitation, such as memory corruption exploits. Because of these limitations, application firewalls are beginning to be replaced by a new generation of application firewalls based on mandatory access control (MAC), also called sandboxing, to protect vulnerable services.

3.3. Proxy.

A proxy server (running either on dedicated hardware or as software on a general-purpose computer) can act as a firewall by responding to incoming packets (connection requests, for example) in the manner of an application, while blocking other packets. A proxy server is a gateway from one network to another for a specific network application, in the sense that it functions as a proxy on behalf of the network user. Proxies make tampering with an internal system from the outside network more difficult, and misuse of an internal system does not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, an intruder who can take control of an accessible system can use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While the use of internal address space enhances security, attackers may still use methods such as IP spoofing in an attempt to pass packets to a target network.

3.4. Network address translation.

Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have addresses in the "private address range" defined in RFC 1918. Firewalls often have this functionality to hide the true addresses of the protected hosts. Originally, NAT was developed to address the limited number of routable IPv4 addresses that could be used or assigned to companies or individuals, as well as to reduce the number of, and thus the cost of, public addresses for every computer in an organization. Hiding the addresses of protected devices has become an increasingly important defense against network reconnaissance.

IV. Firewall classification.

Firewalls can be classified into two types:
- Personal firewall.
- Network firewall.
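As an added example for section 3.4 (not code from the original document), the following Python simulation shows how a port-based NAT gateway rewrites outbound packets from RFC 1918 addresses to a single public address and only maps back replies to connections an internal host opened, so that no internal address is reachable from outside. The public address, the LAN addresses and the sample packets are constructed assumptions.

```python
"""Simulation of NAT hiding internal hosts behind one public address (section 3.4).
Constructed example: addresses and packets are assumed, not taken from the page."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Private address ranges defined in RFC 1918.
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16"))


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 ranges."""
    return any(ip_address(addr) in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


Flow = Tuple[str, int, str, int]   # (private src, sport, remote dst, dport)


class NatGateway:
    """Port-based NAT (masquerading) between a private LAN and the Internet."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: Dict[Flow, int] = {}   # internal flow -> public port
        self.in_map: Dict[int, Flow] = {}    # public port -> internal flow

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Rewrite a LAN packet so that it appears to come from the public IP."""
        if not is_private(p.src) or is_private(p.dst):
            return None   # only LAN -> Internet traffic is translated here
        flow: Flow = (p.src, p.sport, p.dst, p.dport)
        if flow not in self.out_map:
            port = self.next_port       # allocate the next free public port
            self.next_port += 1
            self.out_map[flow] = port
            self.in_map[port] = flow
        return Packet(self.public_ip, self.out_map[flow], p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Map a reply back to the LAN host, or drop it if no LAN host asked for it."""
        if p.dst != self.public_ip:
            return None
        flow = self.in_map.get(p.dport)
        if flow is None:
            return None   # unsolicited packet: no internal address is exposed
        src, sport, dst, dport = flow
        if (p.src, p.sport) != (dst, dport):
            return None   # reply from a different remote endpoint than the one contacted
        return Packet(p.src, p.sport, src, sport)


if __name__ == "__main__":
    nat = NatGateway("203.0.113.1")
    out = nat.outbound(Packet("192.168.1.10", 5000, "198.51.100.20", 80))
    print("outbound rewritten to:", out)
    print("reply mapped back to:", nat.inbound(Packet("198.51.100.20", 80, "203.0.113.1", out.sport)))
    print("unsolicited inbound:", nat.inbound(Packet("198.51.100.20", 80, "203.0.113.1", 2000)))
```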

4.1. Personal firewall.

Personal firewalls are designed to protect a single machine against unauthorized access. Over the course of their development, personal firewalls have gained additional functions such as monitoring antivirus software and intrusion-detection software to protect the device. Some popular personal firewalls are Cisco Security Agent, Microsoft Internet Connection Firewall and Symantec Personal Firewall. Personal firewalls are very useful for home and individual users, because they simply need to protect their own individual computers; for businesses, however, this is inconvenient: when the number of hosts is large, the cost of setting up, configuring and operating personal firewalls is something that must be considered.

4.2. Network firewall.

Network firewalls are designed to protect the hosts in a network against attack. Examples of appliance-based network firewalls are Cisco PIX, Cisco ASA, Juniper NetScreen firewalls, Nokia firewalls and Symantec Enterprise Firewall. Examples of software-based firewalls include Check Point Firewall, Microsoft ISA Server and Linux-based IPTables. As technology has developed, firewalls have gradually integrated many new features such as intrusion detection and VPN connectivity, and many new firewall products have appeared.

4.2.1. Firewall products.

* Software firewalls.

- Software firewalls are firewalls installed on top of an operating system. Software firewalls include products such as the SunScreen firewall, IPF, Microsoft ISA Server, Check Point NG and Linux IPTables. A software firewall usually takes on more roles than a hardware firewall; it can act as a DNS server or a DHCP server.
- One drawback of a software firewall is that it is installed on an operating system, so vulnerabilities in that operating system are possible. When a vulnerability is discovered and patched, it is quite possible that after the operating system patch the firewall no longer works as before, so the firewall must also be patched with updates from the firewall vendor.
- A notable advantage of software firewalls is that changing and upgrading the hardware is relatively easy and fast.
- Because the operating system that the software firewall runs on is not optimized for a firewall, software firewalls have lower performance than hardware firewalls.

* Appliance firewalls.

- Appliance (hardware) firewalls are firewalls built into dedicated hardware designed specifically for the firewall. Notable hardware firewall products are Cisco PIX, NetScreen firewalls, SonicWall appliances, WatchGuard Fireboxes and Nokia firewalls.
- In many cases hardware firewalls provide better performance than software firewalls, because the hardware firewall's operating system is designed and optimized for the firewall.
- The typical benefits of a hardware firewall are better overall performance than a software firewall, enhanced security, and lower total cost than a software firewall.
- Hardware firewalls are not as flexible as software firewalls (functions and rules cannot be added as they can on a software firewall).
- A limitation of hardware firewalls is that adding extra functions is harder than with software firewalls: for example, for spam control a software firewall only needs the function installed as an application, whereas a hardware firewall needs hardware that supports the function.

* Integrated firewalls.

- Integrated firewalls, in addition to the basic firewall functions, also take on other functions such as VPN, intrusion detection and prevention, spam filtering and antivirus. The benefit of an integrated firewall is that it simplifies the network design by reducing the number of network devices, reduces management cost and the burden on administrators, and is cheaper than using several devices for several different purposes.
- However, integrating many functions on one device makes troubleshooting harder and increases the complexity of the system.

4.2.2. Firewall technologies.

Based on the technology used in the firewall, firewalls are divided into the following types:
+ Personal firewalls.
+ Packet filters.
+ Network Address Translation (NAT) firewalls.
+ Circuit-level firewalls.
+ Proxy firewalls.
+ Stateful firewalls.
+ Transparent firewalls.
+ Virtual firewalls.

* Personal firewalls: designed to protect a single host; usually built into laptops and desktops.
* Packet filters: devices designed to filter packets based on simple packet characteristics. Packet filters are typical of the stateless kind, because they keep no connection state table and do not check connection state.

Packet filtering firewall.

* Network Address Translation (NAT) firewalls: translate public IP addresses into private IP addresses and vice versa, providing a mechanism to hide the IP addresses of internal hosts.

* Circuit-level firewalls: operate at the session layer of the OSI model; they monitor the handshake packets passing through the firewall, and packets are rewritten so that they appear to originate from the circuit-level firewall, which helps hide information about the protected network.

Circuit-level firewalls.

* Proxy firewalls: operate at the application layer of the OSI model, acting as an intermediary between two endpoints. When a user accesses a service on the Internet, the proxy makes the request on behalf of the client, receives the reply from the server on the Internet and returns it to the internal user.

Proxy firewalls.

* Stateful firewalls: combined with other firewalls such as NAT firewalls, circuit-level firewalls and proxy firewalls into one firewall system; they not only check packet characteristics but also record and check the state of the packets passing through the firewall. An example of a stateful firewall is Cisco's PIX firewall.

Stateful firewalls.

* Transparent firewalls: operate at layer 2 of the OSI model and support filtering of IP packets (IP, TCP, UDP and ICMP). A transparent firewall is essentially a layer 2 bridge combined with IP-based filtering using Context Based Access Control. Because it operates at layer 2, there is no need to configure IP addresses or change the IP addresses of the devices it protects.
* Virtual firewalls: consist of several logical firewalls running on one physical device. One of their current applications is managing virtual machines in VMware or Hyper-V.

4.2.3. Open-source and closed-source firewalls.

There are many kinds of firewall on the market today: one kind is open source, such as Linux IPTables, OpenBSD pf and Solaris IPF firewalls; the other is closed source, such as Cisco PIX and ASA firewalls, Juniper ScreenOS and Check Point firewalls. The most notable difference between the two is the commercial potential of the firewalls. Most commercial firewalls integrate extra features such as VPN, intrusion detection and deep packet inspection, whereas open-source firewalls focus only on packet filtering and do not integrate other functions, leaving those to other software.


Chapter II. Application-layer firewalls.

I. Network-based application firewalls.

A network-based application-layer firewall is a computer networking firewall operating at the application layer of a protocol stack, also known as a proxy-based or reverse-proxy firewall. Application firewalls specific to a particular kind of network traffic may be named for the service, such as a web application firewall. They may be implemented in software running on a host or in a stand-alone piece of network hardware. Often it is a host using various forms of proxy server to proxy traffic before passing it on to the client or the server. Because it acts on the application layer, it can inspect the contents of the traffic and block specified content, such as certain websites, viruses, or attempts to exploit known logical flaws in client software. Modern application firewalls may also offload encryption from servers, block application input/output from detected intrusions or malformed communication, manage or consolidate authentication, or block content that violates policy.

1.1. History.

Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories, and Marcus Ranum described a third-generation firewall known as an application-layer firewall. Marcus Ranum's work on the technology spearheaded the creation of the first commercial product. The product was released by DEC and named the DEC SEAL product. DEC's first major sale was on June 13, 199, to a chemical company on the east coast of the USA. Under a broader DARPA contract at TIS, Marcus Ranum, Wei Xu and Peter Churchyard developed the Firewall Toolkit (FWTK) and made it freely available under license on October 1, 1993. The purposes for releasing the freely available, not-for-commercial-use FWTK were: to demonstrate, via the software, documentation and methods used, how a company with (at the time) 11 years' experience in formal security methods, and individuals with firewall experience, developed firewall software; to create a common base of very good firewall software for others to build on (so that people did not have to keep "rolling their own" from scratch); and to "raise the bar" of the firewall software in use. However, FWTK was a basic application proxy requiring user interaction. In 1994, Wei Xu extended the FWTK with the kernel enhancement of IP filtering and socket transparency. This was the first transparent firewall beyond a traditional application proxy, released as the commercial product known as the Gauntlet firewall. The Gauntlet firewall was rated one of the number 1 firewalls from 1995 until it was acquired by Network Associates in 1998. The key benefit of application-layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS, or web browsing), and it can detect whether an unwanted protocol is being sneaked through on a non-standard port or whether a protocol is being abused in any harmful way.

II. Host-based application firewalls.

A host-based application firewall can monitor any application input, output, and/or system service calls made from, to, or by an application. This is done by examining information passed through system calls instead of, or in addition to, a network stack. A host-based application firewall can only provide protection to the applications running on the same host. Application-layer firewalls function by determining whether a process should accept any given connection. They accomplish this by hooking into socket calls to filter the connections between the application layer and the lower layers of the OSI model. Application firewalls that hook into socket calls are also referred to as socket filters. Application-layer firewalls work much like a packet filter, but application filters apply filtering rules (allow/block) on a per-process basis instead of filtering connections on a per-port basis. Prompts are used to define rules for processes that have not yet received a connection. It is rare to find application firewalls not combined or used in conjunction with a packet filter. Also, application firewalls further filter connections by examining the process ID of data packets against a rule set for the local process involved in the data transmission. The extent of the filtering that occurs is defined by the rule set provided. Given the variety of software that exists, application firewalls only have more complex rule sets for the standard services, such as sharing services. These per-process rule sets have limited efficacy in filtering every possible association that may occur with other processes. Also, these per-process rule sets cannot defend against modification of the process via exploitation, such as memory corruption exploits. Because of these limitations, application firewalls are beginning to be supplanted by a new generation of application firewalls that rely on mandatory access control (MAC), also referred to as sandboxing, to protect vulnerable services. Examples of next-generation host-based application firewalls that control system service calls by an application are AppArmor and the TrustedBSD MAC framework (sandboxing) in Mac OS X. Host-based application firewalls may also provide network-based application firewalling.


Chapter III. Building a firewall for the Apache web server with ModSecurity.

I. 1.1. How the Apache server works. Overview of Apache.

Apache is a powerful and flexible piece of software used as a web server.
- Fully supports the HTTP protocols up to HTTP/1.1.
- Can be configured and extended with third-party modules.
- Provides full source code with an unrestricted license.
- Runs on many operating systems: Windows NT/9X, Netware 5.x, OS/2 and most Unix operating systems.

When it was first released, Apache was the only open-source server program capable of competing with the similar server program from Netscape Communications Corporation, known today under the commercial name Sun Java System Web Server. Since then, Apache has kept evolving and has become highly competitive with other server programs in performance and richness of features.

1.2. Basic features of Apache.

* The Apache web server can be supplemented by a program that integrates a search function into a website. Various software units are available with the HTDig search system, which allows indexing of entire websites. The program uses a robot to create a search index that can be browsed using a suitable CGI script.
* Creates a search-engine index (for one or more websites and/or parts of a website).
* Uses filters to restrict the indexing functions. Filter criteria can be specific file types and URLs.
* External add-on programs can be used to index file formats (PDF, DOC, ...).
* Options for required presence of terms and various search algorithms can be used (words, parts of words, synonyms, ...).
* The search page and the corresponding listing can be customized using simple template files.
* Accented vowels in search strings are supported.
* The robot supports the Robot Exclusion standard and basic WWW authentication for indexing protected content.
29

1.3. How Apache operates.
After installation completes, Apache registers a Windows service named Apache.... This is the httpd.exe application in bin\httpd.exe, started as soon as the computer boots Windows. When you program for the web, you program an application with two main parts, client and server. The application runs on the web server (the computer where Apache is installed) and the user uses a piece of software to work with the application. For the web, the client software is the web browser: Firefox, Chrome, Internet Explorer... Client and Server need a way of talking that both sides understand; for web applications that language is the HTTP protocol. This protocol runs on top of another protocol called TCP and uses port 80. Put simply, HTTP is the application-layer protocol (the highest layer), and TCP is a lower-layer protocol in the model of communication over a network between two computers (the 7-layer OSI model). Since the client may be on another computer, the client needs some way to connect to the server, and naturally the simplest is the Internet. The Internet simply connects the computers of the world to each other; it makes the web work, and not just the web but many other services too. Two computers in a LAN can also simulate a web environment. Because computers that exchange data need names, there is the so-called IP (or IP address). Web programmers are familiar with the IP 127.0.0.1; this is the loopback IP, the IP assigned to the computer itself, and it is never understood by other computers because every other computer already has its own 127.0.0.1. Once Apache is installed, start Firefox and type the address 127.0.0.1 and you will see Apache working. The reasons are:
* Apache installed on the computer is a web server; whichever client sends a request to this machine (127.0.0.1), Apache answers.
* Apache only accepts requests on port 80; if the client chooses port 81 or 8080 there is no response at all.
* Firefox sends the request on port 80 by default when the web server's address is typed into the Address (URL) bar.
* The default result Apache returns is usually the text "It works".

II. Introduction to the ModSecurity firewall.
2.1. Overview of ModSecurity.
ModSecurity is an open-source web application firewall developed by Ivan Ristic for the Apache Web Server. Ivan Ristic is also the author of the book ModSecurity Handbook. Ivan Ristic has a great deal of experience in protecting the Apache Web Server. Ivan Ristic has spent much time researching Web Application Security, Web Intrusion Security and Security Patterns. Before moving into the security field, Ivan Ristic spent many years working as a developer, system architect and technical director in software development. Ivan Ristic is the founder of the company Thinking Stone, which provides services related to web application security. ModSecurity currently uses the GPL license and is completely free.

Figure 3.1. Overview model of ModSecurity.
2.2. Capabilities of ModSecurity.
Request filtering: All requests sent to the web server are analysed and filtered before they are passed to other modules for processing.
Understanding HTTP protocol: ModSecurity is an application firewall, so it is able to understand the HTTP protocol. ModSecurity can filter based on the information in the HTTP headers, or examine each parameter or cookie of the request, etc.
POST payload analysis: Besides filtering on HTTP headers, ModSecurity can filter on the content (payload) of POST requests.
Audit logging: Every request can be logged (including POST) so that the administrator can review it when needed.
HTTPS filtering: ModSecurity can analyse HTTPS.
Compressed content filtering: ModSecurity analyses the requested data after decompressing it.

Figure 3.2. Request processing by Apache and ModSecurity.
ModSecurity lets us place rules at one of five points in Apache's processing cycle, as follows:
- Request Headers phase: Rules placed here run right after Apache reads the request headers; at this point the request body has not been read yet.
- Request Body phase: This is when the general functional information passed in is analysed and examined; application-oriented rules are usually placed here. At this point the server has received the request parameters and the request body has been read. ModSecurity supports three request body encodings:
+ application/x-www-form-urlencoded: used to submit form data.
+ multipart/form-data: used to transfer files.
+ text/xml: used to analyse XML data.
- Response Headers phase: This is the moment right after the response headers are returned to the client. We place rules here if we want to monitor the process after the response is sent.

- Response Body phase: This is when we want to inspect the HTML data being sent back.
- Logging phase: This is when logging takes place; rules placed here specify how logging is done, and it inspects Apache's error message logs. It is also the last point at which we can block unwanted connections and inspect the response headers that we could not inspect in phase 3 and phase 4.
2.3. ModSecurity architecture.
2.4. ModSecurity rules.
2.3.1. How to build a rule set?
HTTP request:
GET /documentation/index.html HTTP/1.1
Host: www.modsecurity.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.modsecurity.org/index.php
Cookie: _utmz=129890064.1139909500.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); _utma=129890064.347942152.1139909500.1140275483.1140425527.13; _utmb=129890064; _utmc=129890064
Looking at the request above, we can see the following HTTP headers:
GET - this is the request method
Host
User-Agent
Accept
Accept-Language
Accept-Encoding
Keep-Alive

Connection
Referer
ModSecurity uses this information in its rules to filter requests. And not only in the headers: ModSecurity can also examine POST payloads. For example, to forbid requests whose Referer is www.abc.com we have the following rule:
SecRule REQUEST_HEADERS:Referer "www\.abc\.com"
To disallow a User-Agent containing the word HotBar:
SecRule REQUEST_HEADERS:User-Agent "HotBar"
2.3.2. Structure of a Rule.
SecRule VARIABLES OPERATOR [ACTIONS]
2.3.2.1. Variables.
SecRule ARGS "dirty"
One or more variables can be used:
SecRule ARGS|REQUEST_HEADERS:User-Agent "dirty"
REMOTE_ADDR: the client's IP address
REMOTE_HOST: the client's hostname (if available)
REMOTE_USER: authenticated username (if available)
REMOTE_IDENT: remote username (obtained from inetd, rarely used)
REQUEST_METHOD: request method (GET, HEAD, POST)
SCRIPT_FILENAME: full path of the script being executed
PATH_INFO: the part of the URI after the script name, e.g. for /archive.php/5 PATH_INFO is /5
QUERY_STRING: the part of the URI after the ? character, e.g. for /index.php?i=1 QUERY_STRING is i=1
AUTH_TYPE: Basic or Digest authentication
DOCUMENT_ROOT: path to the document root
SERVER_ADMIN: the server administrator's email
SERVER_NAME: the server's hostname
SERVER_ADDR: the server's IP address
SERVER_PORT: server port
SERVER_PROTOCOL: protocol (e.g. HTTP/1.1)
SERVER_SOFTWARE: Apache version
TIME_YEAR: current year

TIME_MON: current month
TIME_DAY: day
TIME_HOUR: hour
TIME_MIN: minute
TIME_SEC: second
TIME_WDAY: day of the week (e.g. 4 = Thursday)
TIME: the current time written as YmdHMS, e.g. 20130418173839 is 18/04/2013 17h 38m 39s
API_VERSION
THE_REQUEST: the first line of the request, e.g. GET / HTTP/1.1
REQUEST_URI: request URI
REQUEST_FILENAME: the name of the requested file
IS_SUBREQ
2.3.2.2. Collections.
A variable can hold one or more pieces of data. When a variable has more than one value we call it a Collection. Example: with the variable ARGS we have two parameters, p and q:
SecRule ARGS:p "dirty"
SecRule ARGS:q "dirty"
2.3.2.3. Operators.
Use @ to indicate an operator:
SecRule ARGS "@rx dirty"
Use !@ to indicate a negated operator:
SecRule &ARGS "!@rx ^0$"
Here we are using the rx (regular expression) operator. The expressions it accepts:
[Jj]oy: any string containing Joy or joy
[0-9]: any digit from 0 to 9
[a-zA-Z]: any letter from a to z, both lowercase and uppercase
^: start of a string
$: end of a string
^abc$: a string consisting only of abc
.: any character
p.t: e.g. pat, pet, pzt.
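As an added illustration of the SecRule grammar of sections 2.3.1 to 2.3.2.3 (example code, not from the original document or the ModSecurity project), the Python below evaluates rules of the form SecRule VARIABLES OPERATOR [ACTIONS] against one constructed request: it resolves ARGS, ARGS:name, REQUEST_HEADERS:name and the &ARGS count, applies t:lowercase, and supports the @rx, negated !@rx and @gt operators. The sec_rule function, the sample request and the returned (variable, value) pair are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample request (assumption): two query arguments and two headers.
SAMPLE_REQUEST = {
    "query": "p=hello&q=DIRTY%20word",
    "headers": {"User-Agent": "Mozilla/5.0 HotBar/1.0",
                "Referer": "http://www.abc.com/index.php"},
}

# t:lowercase is the only transformation the rules in this section use.
TRANSFORMS = {"lowercase": str.lower}


def collect(request, variables):
    """Resolve the VARIABLES part of a SecRule into (name, value) pairs.
    Supports ARGS, ARGS:name, REQUEST_HEADERS, REQUEST_HEADERS:name,
    the '|' separator and the '&' count prefix (&ARGS)."""
    pairs = []
    for var in variables.split("|"):
        count = var.startswith("&")
        coll, _, key = var.lstrip("&").partition(":")
        if coll == "ARGS":
            # ARGS values are already URL-decoded, as in ModSecurity
            found = parse_qsl(request["query"], keep_blank_values=True)
        elif coll == "REQUEST_HEADERS":
            found = list(request["headers"].items())
        else:
            raise ValueError("unsupported variable: " + coll)
        if key:
            found = [(k, v) for k, v in found if k.lower() == key.lower()]
        pairs.extend([(var, str(len(found)))] if count else found)
    return pairs


def sec_rule(request, variables, operator, actions=""):
    """Evaluate `SecRule VARIABLES OPERATOR ACTIONS`.
    Returns the first (variable, transformed value) the rule matched, or None."""
    negate = operator.startswith("!")
    op = operator.lstrip("!")
    if not op.startswith("@"):
        op = "@rx " + op              # no explicit operator means @rx
    op_name, _, arg = op[1:].partition(" ")
    transforms = [TRANSFORMS[a.strip()[2:]]
                  for a in actions.split(",") if a.strip().startswith("t:")]
    for name, value in collect(request, variables):
        for t in transforms:
            value = t(value)
        if op_name == "rx":
            hit = re.search(arg, value) is not None
        elif op_name == "gt":
            hit = float(value) > float(arg)
        else:
            raise ValueError("unsupported operator: @" + op_name)
        if hit != negate:                 # '!' inverts the operator result
            return name, value
    return None


if __name__ == "__main__":
    # Walk through the rules of this section on the sample request.
    for rule in [("ARGS", "dirty", "t:lowercase"),
                 ("ARGS:p", "dirty", "t:lowercase"),
                 ("&ARGS", "!@rx ^0$", ""),
                 ("ARGS|REQUEST_HEADERS:User-Agent", "@rx hotbar", "t:lowercase"),
                 ("REQUEST_HEADERS:Referer", r"www\.abc\.com", "")]:
        print(rule, "->", sec_rule(SAMPLE_REQUEST, *rule))
```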

2.3.2.4. Actions.
When a request violates a rule, ModSecurity executes an action. When the action is not specified in the rule, the rule uses the default action. There are 4 kinds of action:
* Primary Action. The primary action decides whether the request is allowed to continue. Each rule has only one primary action. There are 4 primary actions:
- Deny: The request is interrupted; ModSecurity returns HTTP status code 500, or the status code you set with the status directive.
- Pass: Lets the request continue to be processed by the following rules.
- Allow: Grants access immediately and skips the other phases (except the logging phase). To allow only the current phase, specify allow:phase, in which case the request is still checked by the rules of the later phases. To allow access only for the request phases, use allow:request, which passes phases 1 and 2 and still checks from phase 3 onwards.
- Redirect: redirects the request to some URL.

* Secondary Action. Secondary actions supplement the primary action; a rule can have several secondary actions.
- Status:n when a request violates a rule, ModSecurity can return HTTP status code n instead of the default status code 500.
- Exec: executes a command if a request violates the rule.
- Log: logs the requests that violate the rule.
- Nolog: does not log.
- Pause:n ModSecurity waits n ms before returning the result.
* Flow Action.
- Chain: links 2 or more rules together.
- Skipnext:n ModSecurity skips the n rules that follow it.

* Default Action. When a rule does not specify an action, the rule uses the default action set with SecDefaultAction:
SecDefaultAction "phase:2,deny,log,status:403"

III. Building an application-layer firewall for Apache based on ModSecurity.
3.1. Deployment model.
3.1.1. Reference models.
Below are some ModSecurity deployment models, referenced from www.modsecurity.org, for detecting and preventing attacks on web applications.
a) Deploying ModSecurity as a Reverse Proxy.

Figure 3.3. Reverse Proxy model.
In this model ModSecurity is installed separately on its own machine, not together with the Web Content server. The machine running ModSecurity sits between the Web Server and the Client and controls all data flows exchanged between the two sides. The advantage of this model is that it suits large Web Server systems with many Web Content servers. It handles the control of a large number of requests from clients, discarding dangerous requests before allowing them through to the Web Content. Apache's processing on the Web Content server is not affected.
b) Installing ModSecurity on the local server.

Figure 3.4. Installing ModSecurity on the local server.
This model applies to small and medium systems; ModSecurity is installed directly on the Web Server. With this model ModSecurity protects only the local machine itself. Its processing of the data flow also affects the speed of Apache, so the rules in use should be chosen carefully so as to affect Apache as little as possible.

3.1.2. Planned deployment model.

Figure 3.5. Planned deployment model.
ModSecurity is built on a public Web Server with a static IP. ModSecurity is installed on the local server.
3.2. The ModSecurity rule set to be built.
3.2.1. SQL Injection:
The main keywords commonly used in SQL Injection attacks and the corresponding regular expressions:
UNION SELECT: union\s+select
UNION ALL SELECT: union\s+all\s+select
INTO OUTFILE: into\s+outfile
DROP TABLE: drop\s+table
ALTER TABLE: alter\s+table
LOAD_FILE: load_file
SELECT *: select\s+\*
\s is defined in PCRE as a regular expression that matches any whitespace, including its encoded substitute (%20). To counter SQL Injection attacks, we rely on the characteristics above to produce the following rules:
SecRule ARGS "union\s+select" "t:lowercase,deny,msg:'SQL Injection'"
SecRule ARGS "union\s+all\s+select" "t:lowercase,deny,msg:'SQL Injection'"

SecRule ARGS "into\s+outfile" "t:lowercase,deny,msg:'SQL Injection'"
SecRule ARGS "drop\s+table" "t:lowercase,deny,msg:'SQL Injection'"
SecRule ARGS "alter\s+table" "t:lowercase,deny,msg:'SQL Injection'"
SecRule ARGS "load_file" "t:lowercase,deny,msg:'SQL Injection'"
SecRule ARGS "select\s+from" "t:lowercase,deny,msg:'SQL Injection'"
3.2.2. XSS attack.
3.2.2.1. Definition.
Cross-Site Scripting, abbreviated XSS (rather than CSS, to avoid confusion with CSS, the Cascading Style Sheets of HTML), is an attack technique that injects into dynamic websites (ASP, PHP, CGI, JSP) HTML tags or dangerous script code that can harm other users. The dangerous code injected is mostly written in client-side scripting languages such as JavaScript, JScript and DHTML, and it can also be HTML tags. The XSS technique quickly became one of the most common flaws of web applications, and its threat to users keeps growing.
3.2.2.2. How XSS works.
Basically XSS, like SQL Injection or Source Injection, consists of requests sent from client machines to the server in order to inject information beyond the server's control. It may be a request sent from a data form, or it may be carried in the request URI, for example:
http://www.example.com/search.cgi?query=<script>alert('XSS was found !');</script>
If this address is visited, the browser will most likely show a message "XSS was found !". The code inside the <script> tag is not limited at all, because it can be replaced entirely by a source file on another server via the src attribute of the <script> tag. For this reason we cannot yet estimate the full danger of XSS flaws. But while other attack techniques can change the source data of the web server (source code, structure, database), XSS only harms the website on the client side, and the direct victims are the visitors browsing that site. Of course, hackers sometimes also use

this technique to take control of websites, but it still only attacks the surface of the website. Indeed, XSS is client-side script; this code runs only in the browser on the client side, so XSS does not affect the website system on the server. The targets of an XSS attack are none other than the website's other users: when they unknowingly visit pages containing the dangerous code the hacker left behind, they may be redirected to other websites, have their homepage reset or, worse, lose their password or cookie; the visitor's computer may even be infected with viruses, backdoors, worms...

3.2.2.3. Preventing XSS attacks.
To prevent XSS attacks, we have to make sure that all data the user sends is filtered. Specifically, we can replace or remove the characters and strings commonly used in XSS attacks, such as angle brackets (< and >) and script. Below is a list of characters that should be encoded when supplied by the client, before storing them in the database.

Figure 3.3. Characters that should be encoded to prevent XSS attacks.

If we want to prevent the attack with ModSecurity, below are common XSS scripts and the regular expressions that block user requests containing these strings.

Figure 3.4. XSS scripts and regular expressions.
The rules that implement this are:

SecRule ARGS "alert\s*\(" "t:lowercase,deny,msg:'XSS'"
SecRule ARGS "&\{.+\}" "t:lowercase,deny,msg:'XSS'"
SecRule ARGS "<.+>" "t:lowercase,deny,msg:'XSS'"
SecRule ARGS "javascript" "t:lowercase,deny,msg:'XSS'"
SecRule ARGS "vbscript" "t:lowercase,deny,msg:'XSS'"
3.2.3. BRUTE FORCE attacks.
In a Brute Force attack, the hacker guesses login details such as username, password and email, and keeps trying to log in until the login details are correct. Most users use the same login details on every website they regularly log in to, so their accounts get compromised across a whole series of websites when the login details are leaked by one website. The best way to stop this kind of attack is to limit the number of incorrect logins. For example, if a user logs in incorrectly more than 3 times, lock that user's login for 5 minutes. Below are the ModSecurity rules that let us do this:
# lock the login after 3 failed login attempts
<LocationMatch "^/login">
# initialise the ip collection
SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog"
# detect a failed login
SecRule RESPONSE_BODY "Username does not exist" "phase:4,pass,setvar:ip.failed_login=+1,expirevar:ip.failed_login=300"
# lock the login when the number of failed logins reaches 3
SecRule IP:FAILED_LOGIN "@gt 3" "deny"
</LocationMatch>
The rules above rely on what the website returns when a visitor's login fails: "Username does not exist". They initialise the IP collection and increase the variable ip.failed_login by one after every failed login. The expirevar action

resets the variable ip.failed_login to 0 after 5 minutes. So when ip.failed_login is greater than or equal to 3, the last rule locks the user's login for 5 minutes. Alternatively, we can delay (or pause) the user's request when the number of wrong logins exceeds the limit. Then there is no need to deny access as in the rules given above. The rules that do this are:
# delay the request by 3 seconds after 3 failed login attempts
<LocationMatch "^/login">
SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog"
SecRule RESPONSE_BODY "Username does not exist" "phase:4,pass,setvar:ip.failed_login=+1,expirevar:ip.failed_login=10"
SecRule IP:FAILED_LOGIN "@gt 3" "phase:4,allow,pause:3000"
</LocationMatch>
The delay is measured in milliseconds; the rules above delay the response by 3 seconds when the number of failed attempts is greater than or equal to 3.
3.2.4. HTTP FINGERPRINTING attacks.
Only amateur hackers attack a server without knowing whether the server is running or not. More sophisticated hackers gather as much information as possible about the network architecture and the software running on the server. For web servers specifically, this method of information gathering is called HTTP Fingerprinting. HTTP Fingerprinting works by examining the particular characteristics of a web server through its responses when probed, and taking the server's fingerprint from the information gathered. This fingerprint is then compared with a database of fingerprints of known web servers to determine the web server and the version it is running. Using ModSecurity against HTTP Fingerprinting, we give the hacker plenty of information to study, but not accurate information. ModSecurity lets us customise and mislead HTTP Fingerprinting tools. For example:
- Block requests that do not contain a Host header.
- Set the signature to Microsoft-IIS/6.0.
- Add an X-Powered-By: ASP.NET 2.0 header.
- Remove the ETag header.

The rules that implement this are:
# change the server signature
SecServerSignature "Microsoft-IIS/6.0"
# add the X-Powered-By header
Header set X-Powered-By "ASP.NET 2.0"
# remove the ETag header
Header unset ETag
3.2.5. Directory Traversal attacks.
Normally, all web servers must be configured to reject attempts to access documents that are not under the web server's document root. For example, if your web root is /home/www, then trying to retrieve /home/joan/.bashrc should not be possible, since this file is not under the /home/www web server root. The obvious attempt to access the /home/joan directory is, of course, easy for the web server to block; however, there is a subtler way to reach this directory while still letting the path start with /home/www, and that is to use the symbolic directory link .. which, in any given directory, links to the parent directory. Although most web servers are hardened against this kind of attack, web applications that accept input from users may still fail to check it properly, potentially letting users access files they could not otherwise view, through simple directory traversal attacks. This alone is a reason to implement protection against this kind of attack with ModSecurity rules. Moreover, in keeping with the principle of defence in depth, having several protections against this vulnerability can be beneficial in case the web server itself contains a flaw that allows this kind of attack in some circumstances. There is more than one way to represent the parent-directory link symbolically. URL encoding gives us %2e%2e, and adding a trailing slash we end up with %2e%2e%2f.

Below is the list of what needs to be blocked:
../
..%2f
.%2e/
%2e%2e%2f
%2e%2e/
%2e./

We can use the ModSecurity transformation t:urlDecode. This function does all the URL decoding for us and lets us ignore the percent-encoded variants, so only one rule is needed to block these attacks. We set up the rule as follows:
SecRule REQUEST_URI "\.\./" "t:urlDecode,deny"
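To show how the signatures of sections 3.2.1, 3.2.2.3 and 3.2.5 behave with and without the urlDecode transformation, here is an added Python example (not from the original document or from ModSecurity) that applies the transformations in order and then the page's regular expressions to constructed raw URI strings. The \s in the SQL Injection patterns only matches %20 after URL decoding, which ModSecurity performs itself for ARGS but which REQUEST_URI needs t:urlDecode for, and a value percent-encoded twice is only caught after two decoding passes. The transform and inspect functions and the sample URIs are assumptions of this example.

```python
import re
from urllib.parse import unquote

# The regular expressions from the SQL Injection, XSS and Directory Traversal
# rules of sections 3.2.1, 3.2.2.3 and 3.2.5, paired with their msg.
SIGNATURES = [
    (r"union\s+select", "SQL Injection"),
    (r"union\s+all\s+select", "SQL Injection"),
    (r"into\s+outfile", "SQL Injection"),
    (r"drop\s+table", "SQL Injection"),
    (r"alter\s+table", "SQL Injection"),
    (r"load_file", "SQL Injection"),
    (r"select\s+from", "SQL Injection"),
    (r"alert\s*\(", "XSS"),
    (r"&\{.+\}", "XSS"),
    (r"<.+>", "XSS"),
    (r"javascript", "XSS"),
    (r"vbscript", "XSS"),
    (r"\.\./", "Directory Traversal"),
]


def transform(value, transforms):
    """Apply ModSecurity-style transformations in the order given,
    e.g. ("urlDecode", "lowercase") for t:urlDecode,t:lowercase."""
    for t in transforms:
        if t == "urlDecode":
            value = unquote(value)      # one pass of percent-decoding
        elif t == "lowercase":
            value = value.lower()
        else:
            raise ValueError("unknown transformation: " + t)
    return value


def inspect(raw, transforms=("urlDecode", "lowercase")):
    """Return the msg of the first signature matching the transformed value,
    or None when no rule fires (the request would be passed on)."""
    value = transform(raw, transforms)
    for pattern, msg in SIGNATURES:
        if re.search(pattern, value):
            return msg
    return None


if __name__ == "__main__":
    # Constructed raw request URIs (assumption); the last two differ only in
    # encoding depth and show why the transformation chain matters.
    for uri in ["/products?category=tables",
                "/index.php?id=1%20UNION%20SELECT%201",
                "/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
                "/static/%2e%2e%2fconfig.txt",
                "/static/%252e%252e%252fconfig.txt"]:
        print(uri, "-> lowercase only:", inspect(uri, ("lowercase",)),
              "| urlDecode,lowercase:", inspect(uri))
```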

3.2.6. DoS attacks.
A denial-of-service attack (DoS attack, short for Denial of Service) or distributed denial-of-service attack (DDoS attack, short for Distributed Denial of Service) is an attempt to make a computer's resources unavailable to its intended users. Although the means, motives and targets of denial-of-service attacks vary, in general they consist of the concerted, deliberate efforts of one or more people to prevent an Internet site or service (web service) from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of denial-of-service attacks typically target sites or servers such as banks, credit card payment gateways and even DNS root servers. One common attack method involves saturating the target machine with external communication requests, to the point where it cannot respond to legitimate traffic, or responds so slowly as to be unusable. In general terms, DoS attacks are carried out by forcing the target machine to restart, by consuming its resources until it can no longer provide its service, or by obstructing the communication between the users and the victim.

3.2.6.1. DoS attack methods.
A denial-of-service attack is a type of attack aimed at preventing legitimate users from using a service. The attacks can be aimed at any network device, including routers, web servers, e-mail servers and the DNS system. A denial-of-service attack can be carried out in a number of ways. There are 5 basic kinds of attack:
1. Consuming computing resources such as bandwidth, disk space or processing time.
2. Disrupting configuration information, such as routing information.
3. Disrupting state information, such as the unsolicited resetting of TCP sessions.
4. Disrupting the physical components of the computer network.
5. Obstructing the communication between the users and the victim so that the two sides can no longer communicate properly.
A denial-of-service attack may also include the execution of malware intended to:
* Overload the processing capacity, so that the system cannot perform any other work.
* Trigger errors in the computer's microcode.
* Trigger errors in the sequencing of instructions, causing the computer to enter an unstable state or lock up.
* Exploit errors in the operating system to cause resource starvation or thrashing, e.g. using up all available capacity so that no actual work can be completed.
* Crash the system.
* iFrame denial-of-service attack: an HTML page can call a certain web page with a very large number of requests, over and over, until the bandwidth of that web page is exhausted.

Below is the rule set against DoS attacks:
SecDataDir /tmp/modsec_data
SecAction "initcol:ip=%{REMOTE_ADDR},nolog"
SecRule REQUEST_URI "/data\.php" "nolog,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
SecRule IP:DDOS "@gt 5" "deny,log,status:404,msg:'DDoS'"
SecRule IP:DDOS "@gt 7" "log,msg:'DDoS from %{REMOTE_ADDR}',exec:/path/to/a/script/blocker.sh"
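As an added example (not from the original document or from ModSecurity) covering both the brute-force rules of section 3.2.3 and the DoS rules above, the Python below simulates one persistent ip collection with the setvar (+1), expirevar and deprecatevar semantics driven by a fake clock, so the 3-failure lockout, the 5-per-60-seconds decay and the 600-second expiry can be traced. The IpCollection and FakeClock classes and the two decision functions are assumptions of this example.

```python
class FakeClock:
    """Controllable clock (assumption of this example) so expiry and decay can be traced."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class IpCollection:
    """One persistent per-client collection, as created by initcol:ip=%{REMOTE_ADDR}."""
    def __init__(self, clock):
        self.clock = clock
        self.values = {}     # variable -> current integer value
        self.expiry = {}     # variable -> absolute time at which it is dropped (expirevar)
        self.decay = {}      # variable -> (amount, interval, last tick) (deprecatevar)

    def _refresh(self, name):
        now = self.clock()
        if name in self.expiry and now >= self.expiry[name]:
            for table in (self.values, self.expiry, self.decay):
                table.pop(name, None)
            return
        if name in self.decay and name in self.values:
            amount, interval, last = self.decay[name]
            ticks = int((now - last) // interval)
            if ticks:
                self.values[name] = max(0, self.values[name] - amount * ticks)
                self.decay[name] = (amount, interval, last + ticks * interval)

    def get(self, name):
        self._refresh(name)
        return self.values.get(name, 0)

    def setvar_add(self, name, by=1):               # setvar:ip.NAME=+by
        self._refresh(name)
        self.values[name] = self.values.get(name, 0) + by

    def expirevar(self, name, seconds):             # expirevar:ip.NAME=seconds
        self.expiry[name] = self.clock() + seconds

    def deprecatevar(self, name, amount, interval):  # deprecatevar:ip.NAME=amount/interval
        self.decay.setdefault(name, (amount, interval, self.clock()))


def login_decision(ip, response_failed, limit=3, window=300):
    """Section 3.2.3: count failed logins seen in the response body; deny above the limit."""
    if response_failed:
        ip.setvar_add("failed_login")
        ip.expirevar("failed_login", window)
    return "deny" if ip.get("failed_login") > limit else "pass"


def dos_decision(ip, uri):
    """DoS rules above: count /data.php hits, decay 5 per 60 s, expire after 600 s."""
    actions = []
    if "/data.php" in uri:
        ip.setvar_add("ddos")
        ip.deprecatevar("ddos", 5, 60)
        ip.expirevar("ddos", 600)
    if ip.get("ddos") > 5:
        actions.append("deny")          # deny,status:404
    if ip.get("ddos") > 7:
        actions.append("exec")          # exec:/path/to/a/script/blocker.sh
    return actions
```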

