Network Security Using Firewall Technology (Bảo mật mạng bằng công nghệ firewall)
Nguyễn Bá Hiếu, Electronics Class 7 - K48 (Lớp Điện Tử 7 - K48)
FOREWORD

With the ever stronger explosion of the Internet, countries, organizations, companies and people everywhere are drawing closer together. Geographic distance is fading and the notion of a 'flat' world is becoming clear. It is hard to list all the benefits the Internet brings to people, and hard to imagine how people would cope with a single day without it. It is not only a fast and reliable tool for exchanging information but also an endless, up-to-date, diverse and complete store of information. The Internet can be called an invaluable resource in today's digital age, which is why exploiting and making good use of network resources is a top concern of businesses. LAN and WAN technologies have developed to satisfy that need.

Alongside these great benefits, however, the Internet also harbours unpredictable risks: the theft and destruction of an organization's information assets, with serious consequences. The task and responsibility placed on IT professionals, worldwide and in Vietnam in particular, is therefore not only to research, build and rapidly develop domestic computer networks so that everyone can tap the enormously rich potential of the Internet, but also to research and properly implement measures to block, prevent, detect and recover from unauthorized attacks and sabotage on the network, so as to give business organizations the best possible conditions for development.

With that aim, during my internship I studied the basic concepts of security, together with the computer networking knowledge I had acquired at the Cisco Networking Academy, and I wanted to build a security system using firewall technology with many practical applications.

This graduation thesis introduces the general knowledge of computer network security, the technologies commonly used to secure the TCP/IP protocol suite, the main protocol suite on the Internet, and then goes into firewall technology in detail, the most widely used security technology today.

In the final part of the thesis I present a method for building a firewall-based security model for an enterprise network.

I sincerely thank Mr Đinh Hữu Thanh, lecturer of the Faculty of Electronics and Telecommunications, Hanoi University of Technology; CCNP Trần Thanh Long, CCNA lecturer and Director of the Cisco Networking Academy at the College of Technology, Vietnam National University Hanoi; Nguyễn Anh Thao, Director and lecturer of the ITLAB academy; and Mr Christian Tusborg, IT manager at Skills Group, for their dedicated guidance and help in carrying out this thesis.

Given the limited time, the breadth of the subject, the large amount of information and material to read and my limited knowledge, this thesis will certainly not be free of shortcomings; I look forward to receiving frank comments and guidance from the committee and from my friends.

Sincerely, thank you.
THESIS SUMMARY

Information security is a wide-reaching and complex term because it is made up of many high technologies in order to make our information systems more secure. Today, most information systems must meet international standards, because information transport takes place not only within an organization itself or within a region but all over the world. Therefore, to secure the information exchanged, the security technologies used must meet international standards.

The first part of my thesis provides an overview of the information transport process on the Internet and a general picture of information security technologies. In the second part I do a thorough study of firewall technology, one of the most popular and effective security methods.

It is essential that research results be successfully applicable in real life with the selected technologies. Bearing this in mind, I clarify the application of firewall technology to enterprise information systems, with visual illustrations. All of this is presented in the third part.

Hopefully, readers will gain a general understanding of security technologies in general and firewall technology in particular. As technological progress takes place nearly every minute, hacking activities have become increasingly damaging and seemingly uncontrollable. Hence, security technologies must be steadily improved for the sake of a well-sustained information system.
TABLE OF CONTENTS

FOREWORD
THESIS SUMMARY
LIST OF FIGURES
LIST OF ABBREVIATIONS
INTRODUCTION
PART I: GENERAL CONCEPTS OF SECURITY
Chapter 1. THE OSI MODEL AND THE TCP/IP PROTOCOL SUITE
  1.1. General introduction
  1.2. The OSI model
  1.3. The TCP/IP architecture
  1.4. Some basic protocols of the TCP/IP suite
    1.4.1. The Internet Protocol (IP)
    1.4.2. The User Datagram Protocol (UDP)
    1.4.3. The Transmission Control Protocol (TCP)
  1.5. Encapsulation and decapsulation of data when passing through the layers
Chapter 2. SECURITY CONCEPTS
  2.1. The concept of security
  2.2. Objectives of information security
  2.3. Security is a process
  2.4. Recognizing threats to data security
Chapter 3. SECURITY TECHNOLOGIES
  3.1. Security technologies by layer
    3.1.1. Security at the physical level
    3.1.2. Security using firewalls
    3.1.3. Security using packet filtering
    3.1.4. Security using encryption methods
    3.1.5. Security using authentication, access authorization and accounting
  3.2. General policies for personnel
Part II.
Class D: 224.0.0.0 to 239.255.255.255
Class E: 240.0.0.0 to 247.255.255.255
Figure 1.5. Internet address classes
To distinguish the address classes, the leading bits of the first octet identify the class (0 for class A, 10 for class B, 110 for class C, 1110 for class D, 1111 for class E).

Routing (IP routing)

Besides providing addresses for delivering packets, routing is an important function of the IP protocol.

The IP layer receives datagrams passed up from the layer below and is responsible for routing them. At the IP layer each routing device holds a routing table containing the best path to each known network. These routing devices are routers or Layer 3 switches. When a packet arrives at a router or Layer 3 switch, the destination IP address is read and the destination network determined; the path to that network is looked up in the routing table and, if one is found, the packet is forwarded to the next router on the chosen path. If no specific route matches, the packet is sent to the default gateway (the default route); if there is no default route either, the packet is dropped and ICMP reports the destination as unreachable. Every router also decrements the packet's TTL field; when a packet has wandered the network so long that its TTL reaches zero before reaching its destination, it is discarded and an ICMP Time Exceeded error is returned to the sender. Routing can be performed by several routing protocols such as RIP, IGRP, EIGRP, OSPF and IS-IS; depending on the size of the network and the reliability required, the appropriate routing protocol can be chosen.
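The lookup described above, as an added Python example that is not part of the thesis. The routing table, next hops and interface names are constructed test values; the rules implemented are longest-prefix match, fallback to the 0.0.0.0/0 default route, and the TTL and ICMP behaviour described in the text.

```python
import ipaddress

# Constructed routing table: (prefix, next hop, outgoing interface).
# A None next hop means the network is directly connected; 0.0.0.0/0 is the default route.
ROUTES = [
    ("10.1.0.0/16", "10.1.0.1", "eth0"),
    ("10.1.2.0/24", "10.1.2.254", "eth1"),
    ("192.168.0.0/24", None, "eth2"),
    ("0.0.0.0/0", "203.0.113.1", "eth3"),
]


def lookup(dst: str, routes=ROUTES):
    """Longest-prefix match: of all routes containing dst, the most specific one wins.
    Returns (network, next hop, interface) or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    return best


def forward(dst: str, ttl: int, routes=ROUTES) -> dict:
    """Simulate one router hop for a packet to dst carrying the given TTL."""
    if ttl <= 1:
        # Decrementing would reach zero: discard and report ICMP Time Exceeded
        return {"action": "drop", "icmp": "time exceeded (type 11)"}
    route = lookup(dst, routes)
    if route is None:
        # No specific route and no default route: ICMP Destination Unreachable
        return {"action": "drop", "icmp": "destination unreachable (type 3)"}
    net, nexthop, iface = route
    return {"action": "forward",
            "via": nexthop or dst,          # directly connected: deliver to the host itself
            "iface": iface,
            "ttl": ttl - 1,                 # every router decrements the TTL
            "match": str(net)}


if __name__ == "__main__":
    for host in ("10.1.2.7", "10.1.3.7", "192.168.0.9", "8.8.8.8"):
        print(host, forward(host, 64))
```

Removing the last entry from ROUTES shows the no-default-route case: the same lookup that would otherwise match 0.0.0.0/0 returns None and the packet is dropped with a Destination Unreachable.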
1.4.2. The User Datagram Protocol (UDP)

UDP is a connectionless protocol that provides an unreliable transport service and is used in place of TCP at the transport layer. Unlike TCP, UDP has no connection establishment and release, no acknowledgement (ACK) mechanism, and does not order the arriving data units (datagrams); data may therefore be lost or duplicated without any error report to the sender. The UDP datagram format is described as follows:

Figure 1.6. UDP datagram format

  Source port (16 bits)      | Destination port (16 bits)
  UDP length (16 bits)       | UDP checksum (16 bits)
  Data (if any)
  (header: 8 bytes)

Source port (16 bits): port number of the sender of the datagram.
Destination port (16 bits): port number the datagram is delivered to.
UDP length (16 bits): total length of the UDP datagram, including the header.
UDP checksum (16 bits): used for error control; if an error is detected the datagram is discarded without any notification to the sending station.

UDP assigns and manages port numbers to uniquely identify the applications running on a network host. Because it has few complex functions, UDP tends to run faster than TCP. It is commonly used by applications that do not require high reliability in transport.
1.4.3. The Transmission Control Protocol (TCP)

TCP and UDP are both transport-layer protocols and both use the IP protocol at the network layer. Unlike UDP, however, TCP provides a reliable, connection-oriented service: two applications using TCP must establish a connection with each other before exchanging data. The reliability of the service TCP provides is shown by the following:

Data arriving from the application layer is divided by TCP into segments of the most suitable size for transmission.
When TCP sends a segment it maintains a timer while waiting for an acknowledgement from the receiver. If no acknowledgement arrives within that time, the segment is retransmitted.

When TCP on the receiving station receives data from the sender, it sends the sender an acknowledgement; this acknowledgement is usually not sent immediately but delayed for a short time.

TCP keeps a checksum in the header, covering header and data, to detect any alteration during transmission. If a segment is found to be corrupt, the receiving TCP discards it and sends no acknowledgement, so that the sender retransmits the corrupt segment.

Like IP datagrams, TCP segments may arrive out of order. The receiving TCP therefore reorders the data before passing it up to the layer above, ensuring the data is correct. When IP datagrams are duplicated, the receiving TCP discards the duplicate data.

TCP also provides flow control. Each end of a TCP connection has a buffer of limited size, so the receiving TCP only allows the sender to transmit an amount of data no larger than the remaining buffer space. This prevents a fast host from overrunning the entire buffer of a slower host.
The TCP header format is shown in Figure 1.7:

  Source port (16 bits)                 | Destination port (16 bits)
  Sequence number (32 bits)
  Acknowledgement number (32 bits)
  Header length (4 bits) | Reserved (6 bits) | URG ACK PSH RST SYN FIN | Window size (16 bits)
  TCP checksum (16 bits)                | Urgent pointer (16 bits)
  Options (if any)
  Data (if any)

Figure 1.7. TCP segment format
Source Port (16 bits): port number of the source station.
Destination Port (16 bits): port number of the destination station.
Sequence Number (32 bits): the sequence number of the first data byte in the segment, unless the SYN bit is set. If SYN is set, the sequence number is the initial sequence number (ISN) and the first data byte is numbered ISN + 1. This field is how TCP keeps track of every byte transmitted on a connection.
Acknowledgment Number (32 bits): the sequence number of the next byte that the sender of the segment expects to receive; it implicitly acknowledges all earlier bytes the peer has sent.
Header Length (4 bits): the number of 32-bit words in the TCP header; it marks where the data begins, since the Options field has variable length. The header length ranges from 20 to 60 bytes.
Reserved (6 bits): reserved for future use.
Control bits: bits used for control
  URG: the urgent pointer field is valid.
  ACK: the acknowledgement number field is valid.
  PSH: push function.
  RST: reset the connection.
  SYN: synchronize sequence numbers.
  FIN: no more data from the sender.
Window size (16 bits): credit used for flow control with the sliding window mechanism; it is the number of data bytes, starting from the byte indicated in the acknowledgement number field, that the sender of the segment is willing to accept.
Checksum (16 bits): error-control code for the whole segment, header and data.
Urgent Pointer (16 bits): points to the sequence number of the last byte of urgent data, letting the receiver know the length of the urgent data. The field is valid only when the URG bit is set.
Options (variable length): declares TCP options, most commonly the Maximum Segment Size (MSS).
TCP data (variable length): contains the application-layer data. The default maximum segment size is 536 bytes; this value can be changed by declaring it in the Options field.
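The UDP and TCP header layouts above, exercised in an added Python example written for this edition and not part of the thesis. It packs and unpacks both headers with `struct`, computes the RFC 768/793 checksum over the IPv4 pseudo-header (the text names the checksum but not how it is formed), and rejects truncated headers, inconsistent length or data-offset fields and checksum mismatches instead of trusting those fields. Addresses, ports and payloads are constructed test values.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                        # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def transport_checksum(src_ip: bytes, dst_ip: bytes, proto: int, message: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the whole TCP/UDP message.
    Over a message whose checksum field is already filled in, the result is 0."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, proto, len(message))
    return (~ones_complement_sum(pseudo + message)) & 0xFFFF


def build_udp(src_ip, dst_ip, sport, dport, payload=b""):
    length = 8 + len(payload)                  # UDP length covers header and data
    csum = transport_checksum(src_ip, dst_ip, IPPROTO_UDP,
                              struct.pack("!HHHH", sport, dport, length, 0) + payload)
    csum = csum or 0xFFFF                      # RFC 768: a computed 0 is transmitted as 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def parse_udp(src_ip, dst_ip, datagram):
    """Rejects truncated or inconsistent headers and bad checksums instead of trusting them."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("UDP length field inconsistent with datagram")
    if csum and transport_checksum(src_ip, dst_ip, IPPROTO_UDP, datagram[:length]) != 0:
        raise ValueError("UDP checksum mismatch")
    return {"sport": sport, "dport": dport, "length": length, "payload": datagram[8:length]}


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload=b"", options=b""):
    options += b"\x00" * (-len(options) % 4)   # options are padded to a 32-bit boundary
    data_offset = 5 + len(options) // 4        # header length in 32-bit words (5..15)
    flag_bits = sum(TCP_FLAGS[f] for f in flags)

    def header(csum):
        return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4,
                           flag_bits, window, csum, 0) + options

    csum = transport_checksum(src_ip, dst_ip, IPPROTO_TCP, header(0) + payload)
    return header(csum) + payload


def parse_tcp(src_ip, dst_ip, segment):
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flag_bits,
     window, csum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (off_res >> 4) * 4                  # data offset: where the data begins
    if hlen < 20 or hlen > len(segment):
        raise ValueError("TCP data offset inconsistent with segment")
    if transport_checksum(src_ip, dst_ip, IPPROTO_TCP, segment) != 0:
        raise ValueError("TCP checksum mismatch")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "header_len": hlen,
            "flags": sorted(n for n, b in TCP_FLAGS.items() if flag_bits & b),
            "window": window, "urgent_pointer": urg,
            "options": segment[20:hlen], "payload": segment[hlen:]}


def accepts(parser, *args) -> bool:
    """True if the parser accepts the message, False if it rejects it."""
    try:
        parser(*args)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    src, dst = bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5])      # constructed addresses
    print(parse_udp(src, dst, build_udp(src, dst, 53000, 53, b"query")))
    syn = build_tcp(src, dst, 40000, 80, 1000, 0, ["SYN"], 65535, options=b"\x02\x04\x05\xb4")
    print(parse_tcp(src, dst, syn))
```

The checksum covers the pseudo-header, so a segment whose source address was rewritten in transit fails verification even when its own bytes are intact; and because TCP has no length field, the caller must pass exactly the bytes the IP total length delimits.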
Figure 1.8. Connection establishment and release
When a station wants to send data to another station, a connection is first established between the two for the exchange. Establishing a connection takes three segments and is called the three-way handshake; it proceeds as follows:

1. The requesting station, usually called the client, sends a SYN segment specifying the port number of the server it wants to connect to and announcing the client's initial sequence number (ISN).
2. The server replies by sending a SYN segment carrying its own ISN to the client, and at the same time acknowledges the client's ISN by setting the acknowledgement number to the client's ISN + 1.
3. The client in turn acknowledges the server's SYN segment by sending back an acknowledgement number equal to the server's ISN + 1. From this point the data transfer begins.
Figure 1.8 (segment flow): segment 1 SYN (client), segment 2 SYN+ACK (server), segment 3 ACK (client), segment 4 FIN (client), segment 5 ACK (server), segment 6 FIN (server), segment 7 ACK (client).
4. When the client has finished sending data it sends the server a segment with the FIN bit set (a FIN segment).
5. TCP on the server informs the application layer that all data has been received and the connection is being released. The server TCP acknowledges the client's FIN segment with an acknowledgement number equal to the received sequence number + 1.
6. The server then sends the client a FIN segment, signalling that the connection is closed on the server side.
7. The client acknowledges the server with an acknowledgement number equal to the received sequence number + 1, signalling the end of the connection.

On a TCP connection data is transferred in the two directions independently, so each direction of the connection is established and released independently. Four segments are needed to release the connection, as shown in the figure above.

Resetting a connection

If a segment arrives at its destination but does not refer to a valid connection (identified by the IP addresses and port numbers at the destination), TCP sets the RST bit in the TCP header and sends a segment requesting a reset. A reset is usually generated when a connection is requested to a port that does not exist or is not in use. For UDP, an ICMP port unreachable message is generated to notify the sender; for TCP, the reset is used instead. A sender may also abort a connection after data has been queued by sending an RST segment. Aborting a connection gives the application layer two properties:

Any data still in the queue is discarded and the RST reset signal is sent immediately.

The station receiving the RST may abort the connection instead of releasing it normally, and informs the application layer that the connection has been aborted.
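The seven-segment exchange above (three-way handshake, four-segment release) and the RST answer for a port with no listener, as an added Python simulation that is not part of the thesis. Both endpoints are modelled as small state machines using the RFC 793 state names; the ISNs are random test values and the port numbers are constructed.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: frozenset


@dataclass
class Endpoint:
    """One TCP endpoint reduced to the state, SND.NXT and RCV.NXT needed for the exchange."""
    port: int
    state: str = "CLOSED"          # "LISTEN" for a server with a listening socket
    snd_nxt: int = 0               # next sequence number this side will send
    rcv_nxt: int = 0               # next sequence number expected from the peer (sent as ACK)

    def connect(self, peer_port: int) -> Segment:
        isn = random.randrange(1, 1 << 31)     # constructed ISN; real stacks derive it from a clock/hash
        self.snd_nxt = isn + 1                 # the SYN itself consumes one sequence number
        self.state = "SYN_SENT"
        return Segment(self.port, peer_port, isn, 0, frozenset({"SYN"}))   # segment 1

    def close(self, peer_port: int) -> Segment:
        fin = Segment(self.port, peer_port, self.snd_nxt, self.rcv_nxt, frozenset({"FIN", "ACK"}))
        self.snd_nxt += 1                      # the FIN consumes one sequence number too
        self.state = "FIN_WAIT_1" if self.state == "ESTABLISHED" else "LAST_ACK"
        return fin                             # segment 4 (client) or segment 6 (server)

    def receive(self, seg: Segment):
        """Process one segment; return the reply segment, or None when nothing is sent."""
        f = seg.flags
        reply = lambda flags: Segment(self.port, seg.src_port, self.snd_nxt, self.rcv_nxt, frozenset(flags))
        if "RST" in f:                         # peer refused or aborted: tear down immediately
            self.state = "CLOSED"
            return None
        if self.state == "CLOSED":             # nothing listens on this port: answer with RST
            return Segment(self.port, seg.src_port, 0, seg.seq + 1, frozenset({"RST", "ACK"}))
        if self.state == "LISTEN" and f == {"SYN"}:                  # segment 1 received
            isn = random.randrange(1, 1 << 31)
            self.rcv_nxt, self.snd_nxt, self.state = seg.seq + 1, isn + 1, "SYN_RCVD"
            return Segment(self.port, seg.src_port, isn, self.rcv_nxt, frozenset({"SYN", "ACK"}))  # segment 2
        if self.state == "SYN_SENT" and f == {"SYN", "ACK"}:         # segment 2 received
            if seg.ack != self.snd_nxt:
                raise ValueError("server acknowledged the wrong ISN")
            self.rcv_nxt, self.state = seg.seq + 1, "ESTABLISHED"
            return reply({"ACK"})                                      # segment 3
        if self.state == "SYN_RCVD" and f == {"ACK"} and seg.ack == self.snd_nxt:
            self.state = "ESTABLISHED"
            return None
        if self.state in ("ESTABLISHED", "FIN_WAIT_2") and "FIN" in f:   # segments 4 and 6 received
            self.rcv_nxt = seg.seq + 1
            self.state = "CLOSE_WAIT" if self.state == "ESTABLISHED" else "TIME_WAIT"
            return reply({"ACK"})                                      # segments 5 and 7
        if self.state in ("FIN_WAIT_1", "LAST_ACK") and f == {"ACK"} and seg.ack == self.snd_nxt:
            self.state = "FIN_WAIT_2" if self.state == "FIN_WAIT_1" else "CLOSED"
            return None
        raise ValueError(f"unexpected {sorted(f)} in state {self.state}")


def exchange(first: Segment, receiver: Endpoint, sender: Endpoint) -> list:
    """Deliver `first` to `receiver`, then bounce replies back and forth until one side is silent."""
    trace, seg = [first], first
    while seg is not None:
        seg = receiver.receive(seg)
        if seg is not None:
            trace.append(seg)
        receiver, sender = sender, receiver
    return trace


def session(server_listening: bool = True, client_port: int = 40000, server_port: int = 80):
    """Run handshake, data-free connection and release; returns (segments, client state, server state)."""
    client = Endpoint(client_port)
    server = Endpoint(server_port, state="LISTEN" if server_listening else "CLOSED")
    trace = exchange(client.connect(server_port), server, client)       # segments 1-3
    if client.state == "ESTABLISHED":
        trace += exchange(client.close(server_port), server, client)    # segments 4-5
        trace += exchange(server.close(client_port), client, server)    # segments 6-7
    return trace, client.state, server.state


if __name__ == "__main__":
    for seg in session()[0]:
        print(sorted(seg.flags), "seq", seg.seq, "ack", seg.ack)
```

Run with `server_listening=False` the same code produces only two segments, the SYN and the RST+ACK, which is exactly what a port scanner reads as "closed".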
The sliding window mechanism

As we have seen, the sender transmits data and then has to stop and wait for the receiver to acknowledge that block of data before the next block is sent. TCP, however, uses sliding-window flow control, which lets the sender transmit several packets before stopping to wait for an acknowledgement. This raises the transfer rate, especially for large volumes of data. With the sliding window the receiver does not have to acknowledge every packet received; instead it sends one cumulative acknowledgement telling the sender that all packets from the first up to sequence number - 1 have been received. The sliding window works as follows:

Figure 1.9. The sliding window mechanism

In the figure, the offered window is the window advertised by the receiver; it is 6 bytes, from byte 4 through byte 9, which means the receiver has acknowledged all bytes from 1 through 3 and has told the sender that its window size is 6. The sender computes the usable window, that is, the amount of data it may still send. As the transfer proceeds, the window slides to the right as the receiver sends acknowledgements.
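The sliding window as described above and in Figure 1.9, in an added Python simulation that is not part of the thesis. It reproduces the figure's numbers (9 data bytes, an offered window of 6, bytes numbered from 1) and adds a constructed loss to show what the cumulative acknowledgement does when a segment in the middle of the window disappears: the receiver holds the later bytes, keeps acknowledging the same number, and the sender goes back to the left edge of the window.

```python
class Receiver:
    """Receiving TCP: buffers bytes inside the offered window, acknowledges cumulatively."""

    def __init__(self, window: int):
        self.window = window          # offered window: free receive-buffer space in bytes
        self.rcv_nxt = 1              # next byte expected (the text numbers bytes from 1)
        self.pending = {}             # segments that arrived out of order, keyed by first byte
        self.delivered = b""          # in-order bytes handed to the application

    def receive(self, seq: int, payload: bytes):
        if self.rcv_nxt <= seq < self.rcv_nxt + self.window:   # inside the offered window
            self.pending[seq] = payload                           # (a duplicate below it is ignored)
        while self.rcv_nxt in self.pending:                       # deliver everything contiguous
            chunk = self.pending.pop(self.rcv_nxt)
            self.delivered += chunk
            self.rcv_nxt += len(chunk)
        return self.rcv_nxt, self.window                          # cumulative ACK and window


def usable_window(snd_una: int, snd_nxt: int, window: int) -> int:
    """Bytes the sender may still send: offered window minus bytes sent but unacknowledged."""
    return window - (snd_nxt - snd_una)


def transfer(data: bytes, window: int, mss: int, lost=frozenset()):
    """Send `data` through a constructed lossy path. `lost` holds (seq, attempt) pairs that the
    path drops, e.g. {(4, 1)} drops the first copy of the segment starting at byte 4.
    Returns (bytes delivered in order, list of events)."""
    rx = Receiver(window)
    snd_una = snd_nxt = 1             # oldest unacknowledged byte / next byte to send
    attempts, events = {}, []
    while snd_una <= len(data):
        burst = []                    # fill the usable window before stopping for an ACK
        while snd_nxt <= len(data) and usable_window(snd_una, snd_nxt, window) > 0:
            n = min(mss, usable_window(snd_una, snd_nxt, window), len(data) - snd_nxt + 1)
            attempts[snd_nxt] = attempts.get(snd_nxt, 0) + 1
            burst.append((snd_nxt, data[snd_nxt - 1:snd_nxt - 1 + n]))
            snd_nxt += n
        ack, adv = rx.rcv_nxt, rx.window
        for seq, payload in burst:
            if (seq, attempts[seq]) in lost:
                events.append(f"seg {seq} lost")
                continue
            ack, adv = rx.receive(seq, payload)
        events.append(f"ack {ack} win {adv}")
        if ack == snd_una:            # no progress: the retransmission timer fires
            snd_nxt = snd_una         # go back to the left edge of the window
        else:
            snd_una = ack             # the window slides to the right
    return rx.delivered, events


if __name__ == "__main__":
    print(usable_window(4, 7, 6))                          # figure: bytes 4-6 in flight, 7-9 usable
    print(transfer(b"ABCDEFGHI", 6, 3))                    # 9 bytes, window 6, 3 bytes per segment
    print(transfer(b"ABCDEFGHI", 6, 3, lost={(4, 1)}))     # first copy of "DEF" is dropped
```

With the loss the trace shows three acknowledgements carrying 4 before the one carrying 10: the bytes G-I arrived and were buffered, but the receiver can only acknowledge the contiguous prefix, which is the whole point of a cumulative ACK.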
TCP also provides an urgent mode, which lets the sender tell the receiver that some priority data is being carried within the normal data stream. The receiver recognizes this by the URG bit set in the TCP header, and the urgent pointer points to the sequence number of the last byte of urgent data. The application layer is told to process data in urgent mode until a segment arrives whose sequence number is greater than the one indicated by the urgent pointer. Telnet and Rlogin use urgent mode between server and client to avoid the connection stalling under TCP flow control: when a window of zero has been advertised, urgent mode still lets the receiving side read the data. If the sender enters urgent mode several times before the receiver has processed the first urgent data, the urgent pointer overwrites the earlier values. This means the receiver keeps only one urgent pointer, and urgent data sent by the source overwrites the previous content.
1.5. ENCAPSULATION AND DECAPSULATION OF DATA WHEN PASSING THROUGH THE LAYERS

Figure 1.10. The encapsulation and decapsulation process

When data is transmitted, the process runs from the upper layer down to the lower layers; at each layer a piece of control information called a header is added to the data. When data is received the process runs in reverse: the data is passed from the lower layer upward, at each layer the corresponding header is stripped off, and when it reaches the topmost layer no header remains. When an application uses TCP to transmit over the network, the data at each layer is as shown in Figure 1.10:

Figure 1.10 (layering): user data -> application header + application data -> TCP header + application data (TCP segment) -> IP header + TCP segment (IP datagram) -> Ethernet header + IP datagram + Ethernet trailer (Ethernet frame, payload 46 to 1500 bytes); the layers shown are the application, TCP, IP and the Ethernet driver.

In the application layer the data is a flow called a stream.
In the transport layer the data unit that TCP passes down to IP is called a TCP segment.
In the network layer the data that IP passes to the network interface is called an IP packet (datagram).
In the link layer the data transmitted is called a frame.
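The layering of Figure 1.10 in an added Python example that is not part of the thesis: application data is wrapped into a TCP segment, an IP datagram and an Ethernet frame on the way down, and the headers are stripped again on the way up using each layer's own length fields, which are checked against what actually arrived before they are trusted. The MAC and IP addresses are constructed, the TCP and IP checksums are left zero to keep the focus on layering, and the frame check sequence is modelled with CRC-32 as an assumption about the link layer.

```python
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
ETH_HEADER_LEN, ETH_FCS_LEN = 14, 4
ETH_MIN_PAYLOAD, ETH_MAX_PAYLOAD = 46, 1500        # the 46..1500 byte range in Figure 1.10


def encapsulate(app_data: bytes, src_mac: bytes, dst_mac: bytes,
                src_ip: bytes, dst_ip: bytes, sport: int, dport: int) -> dict:
    """Wrap application data going down the stack; returns the data unit at each layer."""
    # Transport layer: 20-byte TCP header (data offset 5, PSH+ACK) + data -> TCP segment.
    # Checksums are left zero here; the point is the layering, not integrity checks.
    tcp_header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    segment = tcp_header + app_data
    # Network layer: 20-byte IPv4 header (version 4, IHL 5, TTL 64, protocol TCP) -> IP datagram
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                            64, IPPROTO_TCP, 0, src_ip, dst_ip)
    datagram = ip_header + segment
    if len(datagram) > ETH_MAX_PAYLOAD:
        raise ValueError("datagram larger than the Ethernet MTU; IP would have to fragment")
    # Link layer: Ethernet header + payload padded to 46 bytes + FCS trailer -> frame.
    # The FCS is modelled with CRC-32 (constructed; real NICs compute and strip it in hardware).
    payload = datagram + b"\x00" * max(0, ETH_MIN_PAYLOAD - len(datagram))
    header = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    fcs = struct.pack("<I", zlib.crc32(header + payload))
    return {"stream": app_data, "segment": segment, "datagram": datagram,
            "frame": header + payload + fcs}


def decapsulate(frame: bytes) -> dict:
    """Strip one header per layer on the way up, checking each length field against the frame."""
    if len(frame) < ETH_HEADER_LEN + ETH_MIN_PAYLOAD + ETH_FCS_LEN:
        raise ValueError("runt frame")
    header, body, fcs = frame[:ETH_HEADER_LEN], frame[ETH_HEADER_LEN:-ETH_FCS_LEN], frame[-ETH_FCS_LEN:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(header + body):
        raise ValueError("FCS mismatch: frame corrupted on the wire")
    ethertype = struct.unpack("!H", header[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    # Network layer: IHL gives the header length; total length separates data from Ethernet padding
    ihl = (body[0] & 0x0F) * 4
    total_length = struct.unpack("!H", body[2:4])[0]
    if ihl < 20 or total_length < ihl or total_length > len(body):
        raise ValueError("IPv4 length fields inconsistent with frame")
    datagram = body[:total_length]              # drops the padding added at the link layer
    if datagram[9] != IPPROTO_TCP:
        raise ValueError("not a TCP segment")
    # Transport layer: the data offset marks where the application stream begins
    segment = datagram[ihl:]
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("TCP data offset inconsistent with segment")
    sport, dport = struct.unpack("!HH", segment[:4])
    return {"src_mac": header[6:12], "dst_mac": header[:6], "src_ip": datagram[12:16],
            "dst_ip": datagram[16:20], "sport": sport, "dport": dport, "stream": segment[data_offset:]}


if __name__ == "__main__":
    units = encapsulate(b"GET / HTTP/1.0\r\n\r\n", bytes.fromhex("021122334455"),
                        bytes.fromhex("02aabbccddee"), bytes([192, 168, 1, 10]),
                        bytes([10, 0, 0, 5]), 40000, 80)
    for name in ("stream", "segment", "datagram", "frame"):
        print(name, len(units[name]), "bytes")
    print(decapsulate(units["frame"]))
```

A two-byte request gives a 42-byte datagram, so the frame is padded up to the 64-byte minimum; the IP total length is what lets the receiver drop that padding again, which is why a parser must never take the link-layer payload length as the length of the datagram.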
Chapter 2

SECURITY CONCEPTS
For organizations and businesses, information and data are an increasingly important resource, at times of life-or-death importance for the whole organization; the clearest examples are organizations in finance, banking and insurance, and security organizations such as the army and defence. Once confidential information leaks, the danger is not confined to the organization itself but threatens a whole industry or, more broadly, national security. That is why security has long received great attention. In the present period, as science and technology develop at an astonishing pace and the methods of stealing information become ever more sophisticated and professional, security becomes harder and demands greater investment. We must correctly recognize the vital role security plays for our organization and invest appropriately in the security of the information system. So what is security?
2.1. THE CONCEPT OF SECURITY

Information security is a broad concept. It covers all organized activities that prevent, detect and respond to attacks on the information systems of organizations and businesses whose aim is to steal or destroy information and so cause them serious damage. Destructive acts may be the modification, falsification or deletion of information, or simply rendering it unable to serve when needed.

Security is an extremely important factor for a network, especially in the enterprise environment where information is a top-value asset. With the growth of threats from both inside and outside the network, the demand for security systems built with advanced technologies grows continually. A security system must guarantee the protection of business data and other information.

2.2. OBJECTIVES OF INFORMATION SECURITY

A secure information system must satisfy the following three requirements:
Confidentiality: ensures that only authorized individuals may access the system. This is an important security requirement because, for organizations and businesses, information is a top-value asset; unauthorized individuals gaining access to the system means information leaks, which is equivalent to the company's assets being violated and may lead to bankruptcy.

To ensure confidentiality, the granting of access must be done with great care: only individuals with a legitimate need are allowed access, the number of people allowed access is kept to a minimum, and those granted access are identified precisely using advanced, trustworthy authentication tools.

Integrity: ensures that information is always correct and accurate, so that users always work with reliable, authentic information. Only authorized individuals may modify information. Attackers not only intend to steal information but also want to make it worthless by creating false information that damages the company.

To ensure integrity, unauthorized access to the system must be prevented and unauthorized changes detected (for example with checksums or digital signatures); in addition, backup systems are built in case the system is brought down.
Figure 1.11. The CIA objectives (Data Confidentiality, Data Integrity, Data Availability)

Availability: ensures that information is always ready to serve, so that whenever a legitimate user needs it they can access the system. This can be called the most important requirement, since information is only useful if it can be used when needed; if the two requirements above are met but this last one is not, the information likewise loses its value.
Information loses availability when the system falls victim to a denial of service (DoS) attack, a simple attack technique that exploits weaknesses in the transmission protocols of the TCP/IP suite to overload the system's capacity to serve, with the result that the system hangs. To counter this kind of attack one needs tools to block, detect and filter packets.

The objective of information security is to guarantee these three requirements, known in security engineering as the CIA objective. Achieving the CIA objective is not simply a matter of taking a few preventive measures or deploying a few devices or pieces of software; security is a continuous cycle over time.
2.3. SECURITY IS A PROCESS

Security has to be organized and carried out as a cycle in order to be rigorous and effective. Moreover, the cycle builds on itself and evolves: attack techniques grow ever more sophisticated and modern, so a security system considered optimal today can still develop problems in the future, because attackers constantly look for ways to exploit holes in it with more refined methods. To prevent and respond, those who design security strategies must continually draw up new strategies and adopt more advanced technology.
Figure 1.12. The security process

As the figure shows, the security cycle defines four clear stages for developing a security system in general. All stages are built on one common principle: the enterprise's Corporate Security Policy. The policies issued differ from one organization to another, but in general they are a complete set of security rules issued to all personnel in the organization in order to reach the optimal CIA objective.

Secure: after studying the organization's entire security policy, the next task is to carry out concrete security actions using appropriate measures. I present the measures and security technologies in detail in the next chapter.

Monitor: while the security measures are in operation, close monitoring is needed to evaluate how well they work and to find replacements or improvements where they do not meet the stated security requirements.

Test: this is the stage of testing the system, including the entire information and data system, examining the techniques and procedures in use to assess reliability and the extent of possible loss, and from that to form a suitable replacement strategy. Testing must be carried out regularly and periodically.

Improve: plans to upgrade and renovate with new security technologies to meet changing needs and to replace security plans with new ones; this must be done quickly and promptly across the enterprise's whole information system. The steps above are not only performed strictly in sequence but also in parallel, because an attack may go on for a considerable time before we can detect it. Most importantly, all stages must start from the common policy, and the experience of carrying them out in turn feeds back into perfecting the organization's security policy.
2.4. RECOGNIZING THREATS TO DATA SECURITY

Threats may have objective causes or subjective, human causes. Objective causes are called disasters: sudden, unforeseen incidents, which may be natural disasters such as earthquakes, volcanic eruptions or tsunamis, or man-made such as fire, power failure or system collapse. Disasters arrive at random and cannot be prevented, so forecasting must be carried out and disaster-recovery strategies must be in place. Subjective causes are attacks. An attack is an act aimed at defeating the CIA objective. Attacks occur more often and are harder to deal with because their forms change constantly; to counter them one must understand the techniques used to attack, so at this point I present the common attack techniques in detail.
Classification of attacks

Attacks are divided into three main categories:

Social engineering attacks: the attacker exploits the carelessness or credulity of people in the company to obtain a user's access credentials and can then enter the system with them.

Software attacks: this category targets applications, operating systems (OS) and protocols. The aim is to destroy or disable the applications, operating systems or protocols running on computers, to gain access to the system and extract information. This kind of attack may be used alone or in combination with other kinds.
Hardware attacks: target hard disks, motherboards, CPUs, network cabling and so on; the aim is to destroy the hardware and disable the software, and they are a basis for denial of service (DoS) attacks.

Common attack techniques

The most dangerous and most common attack techniques are those aimed at software (software attacks), specifically:

1. Port scanning attacks
- The attacker probes the computers and devices connected to the Internet to find which TCP or UDP ports are exchanging information and which services are running.
- We can monitor our own system for outside hosts that are port-scanning it.
- This attack is the first step in identifying a system's weak points.
- Some tools used: SuperScan, Nmap, Strobe
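Monitoring one's own system for outside hosts that are scanning it, as the list suggests, in an added Python example that is not part of the thesis. The log lines are constructed in a generic firewall format (not any real product's); the detector groups events by source and destination host and raises one alert when a source touches at least `threshold` distinct ports on a host within a time window. Both allowed and denied connections count, since an open port answers a scan as well. The threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in a generic format (not real traffic, not a real product's format)
SAMPLE_LOG = """\
2008-05-12 10:00:01 DENY TCP 203.0.113.7:40001 -> 192.0.2.10:21
2008-05-12 10:00:01 DENY TCP 203.0.113.7:40002 -> 192.0.2.10:22
2008-05-12 10:00:01 DENY TCP 203.0.113.7:40003 -> 192.0.2.10:23
2008-05-12 10:00:02 DENY TCP 203.0.113.7:40004 -> 192.0.2.10:25
2008-05-12 10:00:02 DENY TCP 203.0.113.7:40005 -> 192.0.2.10:53
2008-05-12 10:00:02 ALLOW TCP 203.0.113.7:40006 -> 192.0.2.10:80
2008-05-12 10:00:02 DENY TCP 203.0.113.7:40007 -> 192.0.2.10:110
2008-05-12 10:00:03 DENY TCP 203.0.113.7:40008 -> 192.0.2.10:135
2008-05-12 10:00:03 DENY TCP 203.0.113.7:40009 -> 192.0.2.10:139
2008-05-12 10:00:03 ALLOW TCP 203.0.113.7:40010 -> 192.0.2.10:443
2008-05-12 10:00:03 DENY TCP 203.0.113.7:40011 -> 192.0.2.10:445
2008-05-12 10:00:04 DENY TCP 203.0.113.7:40012 -> 192.0.2.10:3389
2008-05-12 10:00:05 ALLOW TCP 198.51.100.4:51000 -> 192.0.2.10:80
2008-05-12 10:05:00 DENY UDP 198.51.100.9:5353 -> 192.0.2.10:53
"""

LINE = re.compile(r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>\w+) (?P<proto>TCP|UDP) "
                  r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_log(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed at."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            e["dport"] = int(e["dport"])
            yield e


def detect_scans(text: str, threshold: int = 10, window: timedelta = timedelta(seconds=60)):
    """Flag a source that touches >= threshold distinct ports on one host within `window`."""
    by_pair = defaultdict(list)
    for e in parse_log(text):
        by_pair[(e["src"], e["dst"])].append((e["ts"], e["dport"]))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        for i, (start, _) in enumerate(events):          # slide the window over each start time
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= threshold:
                alerts.append({"src": src, "dst": dst, "start": start, "ports": sorted(ports)})
                break                                     # one alert per source/destination pair
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert["src"], "scanned", alert["dst"], "ports", alert["ports"])
```

Counting distinct destination ports rather than raw hits is what separates a scan from a busy but legitimate client: 198.51.100.4 hits port 80 repeatedly without ever tripping the rule.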
2. Eavesdropping attacks, also called sniffing
- The attacker tries to get at private exchanges of information, using specialized tools to steal the content of the exchange or to steal usernames and passwords.
- It can be carried out on ordinary communication lines or on wireless links.
- Tools used: sniff, Ethereal, Ettercap

3. IP spoofing attacks:
The attacker creates IP packets with a forged source IP address and uses them to gain access to remote systems. The technique relies on:
Applications and services that authenticate based on the source IP address
Devices running Sun RPC, X Windows
Services that have been secured using the TCP protocol
Network File System (NFS), the UNIX rlogin command

4. Hijacking attacks:
The attacker seizes control of a TCP session after the authentication performed at the start of each session, in order to gain access to data or network resources in the name of a legitimate user.

5. Replay attacks
- The attacker captures packets on the network, stores them and retransmits them later to gain access to a host or a network.
- This attack succeeds if the attacker captures packets carrying usernames and passwords or other authentication information.
- A replay attack differs from eavesdropping in that eavesdropping only listens to the content and does not store the packets for retransmission.

6. Man-in-the-middle attacks
- The attacker inserts himself between two parties exchanging information so as to gain access to the exchange.
- The attacker impersonates both sender and receiver in the exchange between client and server.
Hnh !"!#"T9n c$ng 3: trung gian
May tinh trung gian mo danh la may chu khi giao tip voi may trm va mo danh la
may trm khi giao tip voi may chu .Diu nay cho phep cho may trung gian ghi li ht
duoc ni dung trao di giua may trm va may chu.
7. Denial of service attacks (Denial of Service):
These are divided into two types, DoS and DDoS.
DoS attacks: the attacker deliberately brings down the systems that provide network services by:
- Congesting the system's links by pushing in far more data than they can carry
- Sending data that exploits vulnerabilities in an application
- Consuming a system's resources to the point that it must shut down
DDoS attacks: the attacker gains control of, or manipulates, many computers distributed across different networks to carry out a DoS attack.
8. Malicious code attacks (Malicious Code Attacks):
The attacker introduces malicious code into the user's system to damage or disable the operating system or applications. Some types of malicious code:
- Virus: a piece of code that can spread from one machine to another by attaching itself to files; when files carrying this code are transferred between machines, the virus spreads. Its characteristics are propagation and destruction.
[Diagram residue from the man-in-the-middle figure: the Attacker sits between Client and Server; (1) intercepts packets from the client, (2) sends forged reply messages to the client, (3) sends forged packets to the server, (4) the server replies to the attacker, who impersonates the client when answering the server.]
- Worm: also a piece of code that spreads from one machine to another, but it copies and propagates itself without needing a host file as a virus does. A worm can damage and delete files on the hard disk.
- Trojan: a type of malicious code that appears harmless, disguising itself as a normal file to escape the suspicion of anti-virus software. When it runs it can also destroy files on the hard disk.
- Logic bomb: a piece of malicious code that lies dormant on a computer until it is triggered by a specific event, after which it can destroy or delete data on the machine.
9. Attacks against the default security configuration (Attacks Against Default Security Configuration), typically as follows:
- The attacker gains access to a computer and disrupts its operation by exploiting vulnerabilities in the operating system's security.
- The attack relies on weaknesses in the operating system's default configuration.
10. Software exploitation attacks (Software Exploitation Attacks):
The attacker gains access to the system or to sensitive data by exploiting weaknesses or features of an application.
11. Password attacks (Password Attacks):
The attacker tries to guess the password or to crack an encrypted password file.
12. Backdoor attacks (Backdoor Attacks):
The attacker gains access to the system using a small helper program or by creating a fake user account that does not officially exist.
13. Takeover attack (Takeover Attack):
The attacker gains access to a remote system and takes control of it using the attack methods described above.
Identifying the attacks that occur at the layers of the TCP/IP model
a. Identifying attacks at the network interface layer
At the network interface layer, the packets transmitted over the wires are called frames. A frame consists of three fields: the header, the payload, and the error check field (FCS). Because the network interface layer is used to exchange information within the local network, attacks at this layer also take place within the local network. Below are some methods used to compromise the CIA objectives.
MAC address spoofing
The header contains the MAC addresses of the source and destination machines, which is the condition for a packet to be delivered successfully from source to destination. An attacker can easily forge the MAC address of another machine, and every security mechanism based on MAC addresses can be defeated by this type of attack.
Denial of service
A denial of service attack overloads a system far beyond what its services can handle. An attack using the ARP protocol can flood a computer with broadcast messages and deprive it of availability, one of the objectives of the CIA triad.
ARP cache poisoning
The ARP cache stores the MAC addresses of the computers in the local network; if the information in it is corrupted or forged, the computer can no longer deliver packets to the correct destination.
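The ARP cache poisoning and MAC spoofing attacks above share one observable symptom: the same IP address is advertised from more than one MAC address. The following is an added example, not code from the thesis; it runs a small detector over constructed ARP reply records (the addresses are sample values) and flags every reply that contradicts the MAC already known for that IP, optionally pinned for critical hosts such as the gateway.

```python
"""ARP cache poisoning detection over a stream of ARP replies.

Added example (not part of the thesis). The reply records are
constructed; the addresses are sample values, not real hosts.
"""
from collections import defaultdict

# Constructed ARP reply records: (time, sender_ip, sender_mac).
# 192.168.1.1 is the gateway and legitimately uses aa:aa:aa:aa:aa:01;
# the replies at t=30 and t=40 advertise a different MAC for it, which is
# what a poisoning attempt looks like on the wire.
SAMPLE_ARP_REPLIES = [
    (10, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    (11, "192.168.1.10", "aa:aa:aa:aa:aa:10"),
    (20, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    (30, "192.168.1.1", "DE:AD:BE:EF:00:99"),
    (31, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    (40, "192.168.1.1", "de:ad:be:ef:00:99"),
]


def detect_arp_poisoning(replies, trusted=None):
    """Return one alert per reply whose sender MAC contradicts what is
    already known for that IP.

    `trusted` maps IP -> expected MAC for hosts pinned statically (for
    example the gateway). Without it, the first reply seen for an IP is
    taken as the baseline, the same assumption an ordinary ARP cache
    makes, and every later change is flagged.
    """
    expected = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = expected.get(ip)
        if known is None:
            expected[ip] = mac        # baseline for this IP
        elif mac != known:
            alerts.append({"time": ts, "ip": ip, "expected": known, "got": mac})
    return alerts


def macs_claiming(replies):
    """Map each IP to the set of MACs that have claimed it; more than one
    MAC per IP is the symptom an administrator would investigate."""
    claims = defaultdict(set)
    for _, ip, mac in replies:
        claims[ip].add(mac.lower())
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
    print(macs_claiming(SAMPLE_ARP_REPLIES))
```

Pinning the gateway with `trusted` matters because a baseline learned from the first reply is only as good as that reply; a static ARP entry for the gateway on each host is the corresponding mitigation.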
b. Identifying attacks at the Internet layer
At the Internet layer the IP packet is created; it consists of two fields, the header and the payload. Below are some methods that can be used to compromise the CIA objectives:
IP address spoofing
Knowing the header field and the length of the IP address, the IP address can easily be discovered and forged, and every security mechanism based on the source IP address can be compromised.
Man-in-the-middle attacks
This attack occurs when the attacker places himself between the source and destination machines in such a way that neither is aware of it. The attacker can then modify and read the content of the packets exchanged by the two sides.
Denial of service (DoS)
At this layer, a denial of service attack can use the IP-layer protocols to overload a machine's processing capacity, thereby compromising the CIA objectives.
Incorrect reassembly of fragmented datagrams
For fragmented datagrams, the Offset field is used to reassemble the pieces. If the Offset field is altered, the pieces are reassembled incorrectly. This can let a packet that would otherwise not pass the firewall get through and reach the internal network, compromising the CIA objectives.
Corrupting packets
Because an IP packet must pass through a number of machines before reaching its destination, the information in its header is read, and may be modified, at every router it reaches. If the packet is intercepted, the header content can be altered so that the IP datagram becomes invalid. This can mean that the packet never reaches its destination, or that the protocol or the payload is changed.
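The fragment-offset manipulation described above works only if the receiver (or the firewall in front of it) reassembles overlapping fragments by quietly letting one copy win. The following is an added example, not code from the thesis: a strict reassembler that accepts a fragment set only when each piece starts exactly where the previous one ended, and rejects overlaps, gaps and a missing final fragment. Fragments are modelled as (offset in bytes, more-fragments flag, payload) tuples and the sample sets are constructed.

```python
"""Strict reassembly of IP fragments that rejects overlaps and gaps.

Added example (not part of the thesis). Fragments are modelled as
(offset_bytes, more_fragments, payload) tuples; in a real IP header the
fragment offset is stored in 8-byte units, so offset_bytes would be that
field times 8. All fragment sets below are constructed.
"""


class ReassemblyError(ValueError):
    """Raised when the fragment set cannot be reassembled unambiguously."""


def reassemble(fragments):
    """Return the reassembled payload.

    Fragments are processed in offset order. Every fragment must start
    exactly where the previous one ended: an earlier start is an overlap
    (the Offset-field manipulation described in the text), a later start
    is a gap, and the set must end with a fragment whose MF flag is clear.
    Rejecting instead of choosing which overlapping bytes win is the
    conservative choice for a firewall that inspects reassembled datagrams.
    """
    ordered = sorted(fragments, key=lambda f: f[0])   # stable: equal offsets keep order
    out = bytearray()
    expected_offset = 0
    final_seen = False
    for offset, more_fragments, payload in ordered:
        if final_seen:
            raise ReassemblyError("data after the final fragment")
        if offset < expected_offset:
            raise ReassemblyError(f"overlap at byte {offset}")
        if offset > expected_offset:
            raise ReassemblyError(f"gap before byte {offset}")
        out += payload
        expected_offset += len(payload)
        if not more_fragments:
            final_seen = True
    if not final_seen:
        raise ReassemblyError("final fragment missing")
    return bytes(out)


def accept_datagram(fragments):
    """True if the fragments reassemble cleanly, False if a filter should drop them."""
    try:
        reassemble(fragments)
    except ReassemblyError:
        return False
    return True


# Constructed fragment sets (8-byte payloads, as non-final fragments must be).
CLEAN = [(0, True, b"GET /ind"), (8, True, b"ex.html "), (16, False, b"HTTP/1.0")]
# The last fragment's offset has been lowered so it would overwrite the second:
OVERLAPPING = [(0, True, b"GET /ind"), (8, True, b"ex.html "), (8, False, b"min.html")]
MISSING_PIECE = [(0, True, b"GET /ind"), (16, False, b"HTTP/1.0")]

if __name__ == "__main__":
    print(reassemble(CLEAN))
    print(accept_datagram(OVERLAPPING), accept_datagram(MISSING_PIECE))
```

A filter that drops the OVERLAPPING set never has to decide whether the inspected request was for `index.html` or `min.html`, which is exactly the ambiguity the attack depends on.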
c. Identifying attacks at the transport layer
At the transport layer, a UDP or TCP header can be attached to the message. The application-layer service being requested determines which of the two protocols will be used. The transport layer can also be exploited to compromise the CIA objectives in the following ways:
Using UDP and TCP ports
By knowing the fields and the length of the header, the ports used to exchange information between two computers can be identified, and that information can be used for attacks.
Denial of service
With a denial of service attack at this level, simple IP protocols and utilities can be used to overload a machine's capacity to serve, thereby compromising the CIA objectives. For example, by understanding the TCP three-way handshake, an attacker can send packets in the wrong order and break the availability of a server. For instance, they send a large number of SYN packets and then abandon the connection sessions, forcing the server to spend buffer space and time waiting for the next connection-setup messages of the three-way handshake. If the hacker succeeds in opening all of the possible sessions, other genuine connections cannot be opened when requested, and the server clearly cannot serve.
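The SYN flood described above is visible on the server side as handshakes that were opened by a SYN and never completed by the client's ACK. The following is an added example, not code from the thesis: it accounts for half-open handshakes in a constructed stream of flow events, reports the per-source count and, because a flood normally uses spoofed source addresses, also checks the total against the size of the server's backlog. The event format and the addresses are assumptions made for the example.

```python
"""Half-open TCP connection accounting to spot a SYN flood.

Added example (not part of the thesis). The records are constructed flow
events of the form (time, client_ip, client_port, event), where event is
"SYN" for the client's opening segment and "ACK" for the client's final
handshake segment; the server's SYN-ACK is omitted because it carries no
information for this count.
"""
from collections import defaultdict


def half_open_connections(events):
    """Return {(client_ip, client_port): syn_time} for handshakes that a
    SYN opened and no ACK completed. A server keeps a backlog entry for
    each of these, which is the resource the attack exhausts."""
    pending = {}
    for ts, ip, port, event in events:
        key = (ip, port)
        if event == "SYN":
            pending[key] = ts
        elif event == "ACK":
            pending.pop(key, None)
    return pending


def half_open_per_source(events):
    """Number of half-open handshakes attributed to each client IP."""
    counts = defaultdict(int)
    for ip, _ in half_open_connections(events):
        counts[ip] += 1
    return dict(counts)


def flagged_sources(events, per_source_limit=5):
    """Client IPs holding more than `per_source_limit` half-open handshakes."""
    return sorted(ip for ip, n in half_open_per_source(events).items()
                  if n > per_source_limit)


def backlog_exhausted(events, backlog=128):
    """True if the total number of half-open handshakes would fill a
    server backlog of the given size, whatever the sources. This is the
    check that still works when the attacker spoofs many source IPs."""
    return len(half_open_connections(events)) >= backlog


# Constructed events: two normal clients complete their handshakes,
# 203.0.113.7 opens 20 handshakes and never completes any of them.
SAMPLE_EVENTS = [
    (1.0, "10.0.0.5", 40000, "SYN"), (1.1, "10.0.0.5", 40000, "ACK"),
    (2.0, "10.0.0.6", 51000, "SYN"), (2.1, "10.0.0.6", 51000, "ACK"),
] + [(3.0 + i * 0.01, "203.0.113.7", 1000 + i, "SYN") for i in range(20)]

if __name__ == "__main__":
    print(half_open_per_source(SAMPLE_EVENTS))
    print(flagged_sources(SAMPLE_EVENTS))
    print(backlog_exhausted(SAMPLE_EVENTS, backlog=16))
```

The per-source count identifies a single noisy client; the backlog check is the one to alert on for the distributed or spoofed case, and it is also the quantity that SYN cookies or a shorter SYN-RECEIVED timeout on the server are meant to keep bounded.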
Session hijacking (taking over a session)
This attack occurs after the source and destination machines have established a connection and are exchanging information. A third machine disables one machine's ability to communicate and then impersonates it. Because the connection is already established, the third machine can compromise the CIA objectives.
d. Identifying attacks at the application layer
Attacks at the application layer are the hardest to counter because they exploit weaknesses in the applications and users' lack of security awareness. Some methods used to attack at the application layer are:
Exploiting e-mail applications
Attachments can be sent along with e-mail messages and are delivered into the user's mailbox. Opening the message and viewing the attachment usually requires running an application. Such attachments may do harm immediately or may have no visible effect yet. Similarly, hackers often embed malicious code in messages formatted in HTML (HyperText Markup Language). These methods exploit weaknesses in e-mail applications as well as users' lack of awareness of e-mail safety.
Exploiting web browsers
When a client computer uses a web browser to connect to a web server and download a web page, the page's content can be active, meaning that it may be merely static information but may also be executable code. If that code is malicious, it compromises the CIA objectives.
Exploiting file transfer applications
The file transfer protocol is used to transfer files between computers. When a client has to supply a user name and password for authentication, that information is transmitted over the Internet as readable plain text. At some point along the path it can be recorded. If that customer reuses the same user name and password to log in to your company's server, a hacker can learn them and use them to access the company's information.
Thus one can see that, with a single attack technique, an attacker who exploits the weaknesses of the protocols used at each layer can carry out many different kinds of attack. Therefore each layer needs its own appropriate countermeasures to protect the CIA objectives. I present this in detail in the next chapter.
Chapter 3
SECURITY TECHNOLOGIES
For an enterprise network, the security perimeter usually has to be built in several layers before the CIA objectives can be met. In this chapter I analyse the security technologies used at each layer of the TCP/IP model to limit and counter the risks analysed in chapter 2.
3.1. LAYERED SECURITY TECHNOLOGIES
Users only care about the applications they can use, but to reach those applications, information has to travel over the network through many complex layers. At every point on the network the information can be a target for hackers, so the security practitioner needs an overall picture of the path the information takes and of the appropriate security measures at each layer.
Across the layers of the TCP/IP model, a combination of security methods is usually applied.
Layer 1: packet filtering policies are applied directly on the routers that connect to the service provider; we use the ACLs, firewall and IPS integrated in the IOS software as a first step to block unnecessary services immediately.
Layer 2: a NIPS (network IPS) observes the data entering and leaving the Internet; when there are signs of an attack or intrusion it immediately notifies the management centre or, in an emergency, can block those connections at once.
Layer 3: a firewall with failover separates the network into three zones, DMZ, Outside and Inside. Public servers belong to the DMZ and are very strictly protected.
Layer 4: this is the last layer of protection, using NIPS together with HIPS installed on the servers. This system detects attacks that have slipped past the outer rings. Here HIPS watches for signs of attack directly on the operating system and can notify the network administrator or, in an emergency, freeze the connections.
Specifically, these security technologies are organised into layers as follows:
Figure: Layered security model
3.1.1. Physical security
Securing the network at the physical level is a prerequisite for achieving the CIA objectives for an enterprise's information system.
The physical level refers to the network devices. Protecting them means having regulations that restrict access to network resources, which at the physical level means protecting the network devices from tampering by unauthorised staff. This also protects the network from hackers, attackers and intruders who access the equipment directly and change its configuration.
Depending on their security clearance, staff have different levels of access to the rooms housing the network equipment. All network devices must be protected: core routers, cabling, modems, servers, hosts, storage devices, and so on. To maximise protection, these devices must be concentrated in one location with protective systems such as door locks, a burglar alarm, a fire alarm, air conditioning, a backup power supply, and so on.
3.1.2. Security using a firewall
A firewall lets us filter, block or permit packets based on source address, destination address or the service in use. Firewalls divide the network into several zones, and access from one zone to another is strictly controlled. Placing firewalls at suitable points helps to minimise unauthorised access by hackers.
Figure: Security using a firewall
Today there are many approaches to building a firewall system, divided into two groups: hardware solutions and software solutions.
The hardware solution uses a dedicated hardware firewall appliance, also called a "hardware firewall". Two of the world's leading vendors here are Cisco with the PIX and Juniper with the Netscreen.
The software solution uses software with firewall functionality, also called a "software firewall". The world's leading software firewall vendor today is Checkpoint of Nokia.
Whether to use a "hardware" or a "software" firewall depends heavily on where the firewall is placed and on the network devices already in use in the system. I present in detail which type to use at which location in Part II of this project.
Intrusion monitoring, alerting and prevention system (IPS)
We know that firewalls can only block by service and by destination and source address. But when certain services must be open, such as web, mail and other applications, this gives hackers an opening, and when a hacker attacks through those very services the firewall is completely ineffective. One of the methods used to scan for and block such actions is an IPS (Intrusion Prevention System).
IPS developed from IDS (Intrusion Detection System), a system that detects attack and intrusion behaviour on the network. It "captures" the packets flowing on the network to analyse them and raise alerts, acting as a "surveillance camera" in the network.
Like an IDS, an IPS is a real-time network security monitoring system intended to rapidly detect and identify dangerous attacks from outside and immediately alert the administrator by e-mail, text message or log entry. Furthermore, the system can respond to attacks automatically, for example by blocking dangerous packets and updating the policies of the firewall, router or switch.
Monitoring systems are classified by monitoring method into Network-based IPS (NIPS), Host-based IPS (HIPS) and Application-based IPS (AIPS):
Host-based IPS monitors a single computer or host, especially servers.
Network-based IPS monitors all traffic flows on the network and compares them against previously announced signatures of dangerous traffic. A network IPS for an enterprise network can be placed on a network segment connected directly to the firewall so that all traffic flows are analysed and acted on appropriately.
Application-based IPS monitors applications.
Figure: Types of IPS
3.1.3. Security using packet filtering
An intelligent network security system for an enterprise does not consist only of security and monitoring devices; the network devices themselves are also capable of enforcing security. Packet filtering fits these components perfectly: routers, firewalls and servers can be configured to accept or discard illegitimate packets based on addresses or services. This method can prevent, or greatly limit, unauthorised access to network resources such as information theft or DoS attacks.
The method works on each packet and takes the appropriate action according to one of two policies:
- Deny the specified packet types and accept all remaining packets.
- Accept the specified packet types and deny all remaining packets.
Cisco network devices also support this packet filtering method through access control lists (ACLs). ACLs make network traffic easier to manage than ever, based on addresses, protocols, and source and destination ports.
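The two policies above differ only in what happens to a packet that matches no rule. The following is an added example, not code from the thesis and not Cisco's ACL syntax or implementation: an ordered, first-match packet filter on protocol, source and destination network and destination port, with the default action passed explicitly, so the same evaluator expresses both an allow list (permit listed services, deny the rest) and a block list (deny listed traffic, permit the rest). The rule sets and addresses are constructed sample values.

```python
"""Ordered packet-filter rules with a configurable default action.

Added example (not part of the thesis, and not Cisco's ACL syntax or
implementation). It shows the two strategies from the text: a block list
that denies named traffic and permits the rest, and an allow list that
permits named traffic and denies the rest. Addresses are sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "any"
    src: str                      # CIDR such as "10.0.0.0/8", or "any"
    dst: str
    dport: Optional[int] = None   # destination port; None matches any


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _in_net(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def matches(rule, pkt):
    return (rule.proto in ("any", pkt.proto)
            and _in_net(rule.src, pkt.src)
            and _in_net(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules, pkt, default):
    """The first matching rule decides; `default` applies when none matches.
    The default is what separates the two strategies, so it is an explicit
    parameter rather than a hidden implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Strategy 1: permit only the public services, deny everything else.
# The first rule is an anti-spoofing entry for the outside interface: a
# packet arriving from the Internet must never carry an internal source.
ALLOW_LIST = [
    Rule("deny",   "any", "192.168.0.0/16", "any"),
    Rule("permit", "tcp", "any", "203.0.113.10/32", 80),
    Rule("permit", "tcp", "any", "203.0.113.10/32", 443),
    Rule("permit", "tcp", "any", "203.0.113.20/32", 25),
]

# Strategy 2: deny one hostile network and the telnet service, permit the rest.
BLOCK_LIST = [
    Rule("deny", "any", "198.51.100.0/24", "any"),
    Rule("deny", "tcp", "any", "any", 23),
]


def filter_allow_list(pkt):
    return evaluate(ALLOW_LIST, pkt, default="deny")


def filter_block_list(pkt):
    return evaluate(BLOCK_LIST, pkt, default="permit")


if __name__ == "__main__":
    web = Packet("tcp", "192.0.2.9", "203.0.113.10", 443)
    ssh = Packet("tcp", "192.0.2.9", "203.0.113.10", 22)
    telnet = Packet("tcp", "192.0.2.9", "203.0.113.10", 23)
    print(filter_allow_list(web), filter_allow_list(ssh))
    print(filter_block_list(ssh), filter_block_list(telnet))
```

Rule order matters: the anti-spoofing deny sits first in ALLOW_LIST so that a forged internal source address can never be rescued by a later permit, which is why the same packet to port 80 is accepted from an outside address but dropped when it claims a 192.168.x.x source.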
Figure: Security using packet filtering
3.1.4. Security using encryption methods
This is the process of encrypting data as it leaves a computer, according to a defined rule, so that the remote computer can decrypt it. Most computer encryption systems belong to one of two types: private-key encryption (symmetric-key encryption) and public-key encryption.
In a symmetric-key encryption system, each computer has a secret key that it uses to encrypt packets before sending them. This private key must be installed on every computer that exchanges information using private-key encryption, and each computer must know the previously agreed decryption procedure. The secret key is then used to decrypt the packets. For example: you create an encrypted letter in which every character of the text is replaced by the character that follows it