
Firewall overview

Security is the topic discussed most often on the forums.

There are many ways to secure a system, but the classic and most common one is to use a firewall. So why is the firewall so widespread, and what does it actually do? I'm taking the liberty of posting some of what I know about firewalls for you guys to comment on. Anyone with an interest in and a passion for firewalls and security, drop by this box and chat with me for fun.

Firewall

The term comes from a construction design technique for stopping and containing fires. In networking, a firewall is a technique integrated into the network to block unauthorized access to data, protecting internal information resources and limiting unwanted intrusion into the system. A firewall can also be understood as a mechanism that protects the trusted network (the internal network) from untrusted networks (the Internet).

1. Classification, functions and structure

a. Classification: Firewalls are divided into two kinds, hardware firewalls and software firewalls.

* Hardware firewall: a firewall built directly into hardware (such as Cisco routers, Check Point, Planet, Juniper). Characteristics:
- Less flexible than a software firewall; older hardware firewalls were almost all all-in-one designs (for example, you could not add rules or functions beyond those already built in). A new trend in hardware firewalls has since appeared, led by Cisco's PIX ASA 5500 product line: although it is a hardware firewall, it can take additional modules beyond the built-in one. The main structure of this kind of firewall consists of:
- The Adaptive unit, which integrates most of the core features of a firewall such as DHCP, HTTPS, VPNs, DMZ support, PAT, NAT and the interfaces on it. An Adaptive unit can operate on its own without any other module. It supports several ways of being configured: through a web interface or through the console port.
- Separate modules: each module performs one specialised function and connects directly to the Adaptive unit by cable. An end device that wants to use a module's function is connected directly to that module. There are many kinds of module performing different functions: providing interfaces to devices with special interfaces, providing an advanced IPS alerting system, and so on.
- Able to operate at every layer at high speed, but very expensive.

* Software firewall: software installed on a computer that acts as the firewall.
There are two kinds: the Stateful Firewall and the Stateless Firewall. Characteristics:
- Highly flexible: rules or functions can be added or removed, because in the end it is just a piece of software.
- Operates at the application layer (layer 7).
- Can inspect packet contents by means of keywords defined in the program.

b. Functions:

The main function of a firewall is to control the data flow passing through it between the intranet and the Internet. It establishes a mechanism that governs the flow of information between the intranet and the Internet. Specifically:
- Allow or block services accessing outward (from the intranet to the Internet).
- Allow or block services accessing inward (from the Internet to the intranet).
- Monitor network traffic between the Internet and the intranet.
- Control access by address; block access from given addresses.
- Control users and their access.
- Control the content of information moving across the network.

c. Structure: A standard firewall consists of one or more of the following components:
- Packet filter (packet-filtering router).
- Application gateway (application-level gateway or proxy server).
- Circuit gateway (circuit-level gateway).

2. Advantages and disadvantages of firewalls:

a. Advantages:
- A firewall configured by a person can hide the internal network behind it and filter data and its content, blocking outside bad actors who want to steal confidential information or paralyse a rival's system to cause economic damage.
- A firewall can stop attacks on servers that would cause large losses to a business.
- In addition, a firewall can scan for viruses and block spam when the necessary tools are integrated.

b. Disadvantages:
- A firewall is not as intelligent as a person; it cannot read and understand each kind of information and judge whether its content is good or bad. It can only block intrusion from unwanted sources of information, and those must be identified precisely by address parameters.
- A firewall cannot stop an attack that does not pass through it. Concretely, it cannot defend against an attack arriving over a dial-up line, or against information leakage when data is illegally copied onto a floppy disk.
- A firewall also cannot defend against data-driven attacks.
- Some programs arrive by e-mail, pass through the firewall into the trusted network and start running there; computer viruses are one example. A firewall can scan the data passing through it for viruses, but because of the speed it must work at, the constant appearance of new viruses, and the many ways data can be encoded, viruses still slip past the firewall's scanning.

3. Mechanisms, operating principles, and the pros and cons of each principle:

There are two basic principles.

a.
Firewall built on a packet filter (Packet Filter)

When we talk about data moving between networks through a firewall, it means the firewall works closely with the TCP/IP protocol. This protocol works by splitting the data it receives from network applications, or more precisely from the services running on top of it (Telnet, SMTP, DNS, SNMP, NFS, ...), into data packets and assigning those packets addresses so they can be identified and reassembled at the destination. As a result, every kind of firewall is deeply concerned with packets and their address numbers.

A packet filter allows or rejects each packet it receives. It examines the whole packet to decide whether the packet satisfies one of the packet-filtering rules. These rules are based on the information in each packet's header, which is used to forward the packet across the network. That information includes:
- IP source address.
- IP destination address.
- Transport protocol (TCP, UDP, ICMP, IP tunnel).
- TCP/UDP source port.
- TCP/UDP destination port.
- ICMP message type.
- Incoming interface of the packet.
- Outgoing interface of the packet.
If a filtering rule is satisfied, the packet passes; otherwise it is dropped. This is how the firewall can block connections to specified hosts or networks, or block access to the internal network from disallowed addresses. Moreover, controlling ports lets the firewall permit only certain kinds of connection to certain hosts, or allow only certain services (Telnet, SMTP, FTP, ...) to run on the local network.

* Advantages:
- Most firewall systems use a packet filter. One advantage of packet filtering is its low cost, since the filtering mechanism is already built into router software.
- Packet filtering is also transparent to users and applications, so it requires no special training.

* Disadvantages:
- Defining packet filtering policies is fairly complex; it requires the network administrator to understand Internet services, packet header formats and the specific values each field can take in detail. As the filtering requirements grow, the filter rules get longer and more complex and become very hard to manage and control.
- Because it works on packet headers, a packet filter clearly cannot control the content of a packet. Packets that pass through can still carry an attacker's attempts to steal information or cause damage.

b. Firewall built on an application gateway (Application-Level Gateway)

This is a type of firewall designed to strengthen control over which services and protocols are allowed to access the network.
It operates on what is called a proxy service. Proxy services are special pieces of code installed on the gateway for each application. If the network administrator has not installed proxy code for an application, the corresponding service is not provided and therefore cannot pass information through the firewall. In addition, the proxy code can be configured to support only those features of the application that the administrator considers acceptable, while rejecting the others. An application gateway is often treated as a bastion host, because it is specially designed to withstand attack from outside. The security measures of a bastion host are:

- The bastion host always runs secure versions of the system software (the operating system). These secure versions are designed specifically to resist attacks on the operating system and to ensure the firewall's integrity.
- Only the services the network administrator considers necessary are installed on the bastion host, simply because a service that is not installed cannot be attacked. Usually only a limited set of applications for Telnet, DNS, FTP, SMTP and user authentication is installed on the bastion host.
+ The bastion host may require several levels of authentication, for example a user password or a smart card.
- Each proxy is configured to allow access to only a certain set of hosts. This means the command set and settings established for each proxy apply only to some hosts in the whole system.
- Each proxy keeps a log recording every detail of the traffic through it: each connection and how long it lasted. This log is very useful for tracing or stopping an intruder.
- Each proxy is independent of the other proxies on the bastion host, which makes it easy to install a new proxy or remove one that is having problems.

* Advantages:
- Lets the network administrator fully control each service on the network, because the proxy application restricts the command set and decides which hosts the services can reach.
- Lets the network administrator fully control which services are allowed, because the absence of a proxy for a service means that service is blocked.
- The application gateway allows very good authentication checks, and it has logs recording information about access to the system.
- Filtering rules for an application gateway are easier to configure and test than those of a packet filter.

* Disadvantages: Users must change their procedures, or change the software installed on the client, in order to reach services through the proxy. For example, Telnet access through an application gateway takes two steps to connect to the server rather than the usual one. However, some client software already makes the application gateway transparent, by letting the user name the destination host rather than the application gateway in the Telnet command. A circuit-level gateway is mainly what is used to make the proxy transparent. A circuit gateway is a special function that an application gateway can perform.
A circuit gateway simply relays TCP connections without doing any processing or packet filtering. Circuit gateways are typically used for outbound connections, where the network administrators genuinely trust the internal users.
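The header-field matching described in 3a, as an added example that is not code from the original post and not IPCop or iptables: a stateless packet filter whose rules match the listed header fields, first match wins, and a packet matching no rule is dropped. The policy, addresses and interface names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str                         # IP source address
    dst: str                         # IP destination address
    proto: str                       # "tcp", "udp" or "icmp"
    sport: Optional[int] = None      # TCP/UDP source port
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[int] = None  # ICMP message type
    in_if: str = ""                  # incoming interface
    out_if: str = ""                 # outgoing interface
    payload: bytes = b""             # a packet filter never looks at this

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # source network, /0 = any
    dst: str = "0.0.0.0/0"           # destination network
    proto: Optional[str] = None      # None = wildcard for this field
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        fields = ("proto", "sport", "dport", "icmp_type", "in_if", "out_if")
        return all(getattr(self, f) in (None, getattr(p, f)) for f in fields)

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; a packet matching no rule is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed policy: eth0 faces the Internet, eth1 the intranet 192.0.2.0/24.
RULES = [
    Rule("allow", dst="192.0.2.25/32", proto="tcp", dport=25, in_if="eth0", out_if="eth1"),   # SMTP to the mail host only
    Rule("allow", src="192.0.2.0/24", proto="tcp", in_if="eth1", out_if="eth0"),               # any outbound TCP
    Rule("allow", src="192.0.2.0/24", proto="icmp", icmp_type=8, in_if="eth1", out_if="eth0"), # echo request outbound
]
```

Because only header fields are compared, the same SMTP packet is allowed whatever its payload carries, which is exactly the limitation the disadvantages above describe; the interface fields are what stop a packet with an inside source address arriving on the outside interface.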

4. Some common firewalls:

a. Check Point (introducing Check Point Next Generation)

It is a product that combines leading tools and applications for securing a network, using the SVN (Secure Virtual Network) architecture, which lets Check Point offer tools that ensure data security. VPN-1/Firewall-1 is the part of NG that provides network security and VPN (Virtual Private Network). To implement VPN we need Secure Remote and Secure Client: Secure Remote authenticates users and encrypts data, and Secure Client adds a personal firewall to the system. Although VPN-1/Firewall-1 is a basic security edition, it provides many ways to protect the network, the VPN and identities on the SVN technology. Check Point developed Meta IP to provide DNS management and DHCP service, and to manage and share accounts and authentication information for accounts that access resources. To make account management easier, the system adds two tools: Account Management (LDAP organises the accounts and combines the information) and User Authority (allows access to accounts with rights). The GUI (Graphical User Interface) can manage the Security Policy remotely and provides the main interface to NG. The GUI client is the tool for creating the Security Policy and is organised on the Management Server. The Management Module of the Management Server not only organises the Security Policy but also creates and distributes ACLs, like routers and switches. In short, Check Point Next Generation includes the following features:
- Firewall: supports NAT, access control (ACLs), logging, content security and session authentication.
- Encryption and support for VPNs (site-to-site and client-to-site, based on the two methods FWZ and IKE).
- LDAP Account Management can run separately from the application or together with the Security Dashboard to manage LDAP (Lightweight Directory Access Protocol), organising the user account database very easily.
- Provides authentication and encryption mechanisms for establishing and maintaining VPN connections.
- OPSEC (Open Platform for Security), the application platform for Check Point security. Content filtering of HTTP, SMTP and FTP packets, and URL filtering.
- Check Point High Availability creates firewall clusters to reduce system downtime.
- Provides Quality of Service to prioritise network traffic.
- Meta IP provides DNS and DHCP services. There are also tools such as Secure DHCP for user authentication.

- User Authority extends the user authentication information obtained from VPN-1/FireWall-1, reducing the load on third-party applications.
- A DMZ network configured for the services in the system: SMTP, FTP, HTTP or HTTPS.
- An incident-handling mechanism.

b. ISA

ISA Server 2004 is designed to protect the network, both against intrusions from outside and by controlling access from inside an organisation's internal network. The ISA Server 2004 firewall does this through a mechanism that controls what may pass through the firewall and what is blocked. Put simply: a rule set on the firewall allows certain traffic to pass, and that traffic is passed; conversely, if no rule allows the traffic through, the firewall blocks it. The ISA Server firewall has many features that security admins can use to secure Internet access and also to protect resources on the internal network. The network services and features to be installed and configured on ISA Server include:
- Installing and configuring Microsoft Certificate Services: a service that issues digital certificates for secure identification in network transactions.
- Installing and configuring Microsoft Internet Authentication Services (RADIUS): a secure authentication service for remote access over remote connections (dial-up or VPN).
- Installing and configuring Microsoft DHCP Services (which supplies TCP/IP settings to nodes on the network) and WINS Services (which resolves the NetBIOS names of computers on the network).
- Configuring WPAD entries in DNS to support Autodiscovery and Autoconfiguration for Web Proxy and Firewall clients. This is convenient for ISA clients (Web and Firewall clients) in an organisation when they move a computer from one network (with one ISA Server) to another (with a different ISA Server) and still automatically detect and work with the Web Proxy Service and Firewall Service on that ISA Server.
- DNS: install Microsoft DNS server on the perimeter network server (the network holding the servers that serve external clients online, sitting behind the firewall but also separated from the LAN).
- Back up and restore the ISA Server firewall configuration.
- Create access policies on the ISA Server firewall.
- Publish a web server on a perimeter network.
- Use the ISA Server firewall as a spam-filtering SMTP relay (an e-mail relay station that blocks spam). Publish Microsoft Exchange Server services (Microsoft's mail and collaboration system, similar to IBM's Lotus Notes).
- VPN: configure the ISA Server firewall as a VPN server, creating a site-to-site VPN connection between two networks.

c. IPCop
- Firewall: integrates iptables, the powerful firewall of Linux Netfilter.
- Extended interface support: analog modem, ISDN modem, ADSL modem; supports PPTP (Point-to-Point Tunneling Protocol) in the SSH service.
- Supports a dedicated network card for the DMZ segment, configured for the services in the system if any.
- Remote access via SSH server.
- Built-in DHCP server.
- Caching DNS.
- TCP/UDP port forwarding.
- Supports Snort's IDS (Intrusion Detection System): Snort's well-known system for detecting unauthorised intrusion.
- Supports FreeS/WAN IPSec, letting us build VPN servers that give remote users access to internal resources over strictly authenticated, encrypted sessions.
- Supports the Squid web proxy: a popular, widely used program for controlling and accelerating Internet access that saves bandwidth.
- Quick and easy backup and restore of the IPCop configuration, since the management interface is a web interface.
- A self-patching mechanism and automatic updating of security policies.

e. Feature comparison table

| Feature | Check Point | ISA | IPCop |
|---|---|---|---|
| Filtering | Content and URL filtering | Content and URL filtering | Content and URL filtering |
| VPN | Site-to-site, client-to-site | Site-to-site, client-to-site | Site-to-site, client-to-site |
| DNS | - | Autodiscovery, autoconfiguration | + |
| DHCP | Secure DHCP, user authentication | DHCP request, DHCP reply | + |
| IDS | + | + | Uses Snort |
| LDAP | + | + | + |
| OPSEC | + | - | |
| QoS | + | + | |
| DMZ | + | + | + |
| Authentication | + | + | + |
| Encrypt-decrypt | + | + | + |
| WINS Services | + | + | + |
| Proxy | + | + | + |
| Backup & restore | + | + | + |
| Spam filtering | - | + | |
| SMTP | + | + | |
| SSH | + | + | + |
| Port forwarding | + | + | + |

From the firewalls presented above, we draw the following observations:
- Many people consider the ISA Server firewall truly powerful at protecting the system and managing users, except that its licence cost is too high. Time, cost and effectiveness are the three top factors businesses and organisations weigh when adopting IT products and solutions for their systems. So we think about building a firewall that is just as powerful and fully featured, but does not demand a powerful machine and is completely free.
- To do this, we could use hardware devices from well-known security vendors such as Juniper, Cisco and Check Point, or software products such as Microsoft's ISA Server. Each product has its own strengths and weaknesses. However, all of them are commercial products with high licence costs and demanding hardware requirements. Therefore, for companies that want to save money, we can use an open-source replacement: IPCop Firewall, or iptables, or Endian, an optimal solution for saving bandwidth and strengthening security that dispels worries about licensing costs now that Vietnam has joined the WTO. From the comparison table above it is easy to see that IPCop Firewall/Router (a typical integrated tool of the open-source product line) has many strong features that even leading commercial firewall products like ISA Server lack, such as a system for distributing dynamic IP addresses so clients can get onto the Internet easily and quickly, and setting download/upload limits. In addition, IPCop can detect unauthorised intrusion or suspicious programs on the network such as ettercap and dsniff through the SNORT Network IDS, and automatically update its security policies and rules, etc.

I'm really into this IPCop thing. I'm beat now! Off to bed. When I have some free time I'll post more for you guys to put on the table and dissect, heeeeeeeeeeee
