Nguyen Ba Hieu - Network Security Using Firewall Technology
Electronics 7 class - K48

PREFACE
With the ever stronger explosion of the Internet, countries, organizations, companies and everyone are drawing closer to one another. Geographical distance is fading and the notion of a "flat" world is becoming clear. It is hard to list all the benefits the Internet brings to people, and impossible to imagine how people would cope with a day without it. It is not only a fast and reliable tool for exchanging information but also an inexhaustible, up-to-date, diverse and most complete store of information. It can be said that the Internet is a priceless resource in today's digital era. That is why exploiting and making good use of network resources is a top concern of enterprises. LAN and WAN technologies have developed to satisfy that need.
However, besides its enormous benefits, the Internet also hides unpredictable risks: the theft or destruction of an organization's information assets, leading to serious consequences. Therefore the task and responsibility placed on the shoulders of information technology workers, in the world in general and in Vietnam in particular, is not only to research, build and rapidly develop the country's computer networks so that everyone can exploit the extremely rich potential of the Internet, but also to research and properly implement measures to prevent, defend against, detect and recover from unauthorised attacks and sabotage on the network, so as to guarantee the fullest development of business organizations.
With that purpose, during my internship I studied the basic concepts of security on my own, together with the knowledge of computer networks learned at the Cisco Networking Academy, and I wished to build a security system using firewall technology with many practical applications.
This graduation thesis introduces general knowledge of computer network security and the technologies commonly used for security on the TCP/IP protocol suite, the main protocol on the Internet, and then goes in depth into firewall technology, the most widespread security technology today.
In the final part of the thesis I present a method for building a firewall-based security model for an enterprise network.
I sincerely thank Mr. Dinh Huu Thanh, lecturer of the Faculty of Electronics and Telecommunications, Hanoi University of Technology; CCNP Tran Thanh Long, CCNA lecturer and Director of the Cisco Networking Academy at the College of Technology, Vietnam National University Hanoi; Nguyen Anh Thao, Director and lecturer of the ITLAB academy; and Mr. Christian Tusborg, IT manager of Skills Group, for their dedicated guidance in helping me carry out this thesis.
Given the limited time, the very broad subject, the large volume of information and documents to read, and my limited knowledge, this thesis will certainly not avoid shortcomings; I look forward to frank comments and suggestions from the committee and from my friends.
Sincerely, thank you.
THESIS ABSTRACT
Security is a broad and complex field; in information technology it is the combination of many different technologies aimed at bringing safety to the information system of an organization.
Today any information system must follow standards of an international character; this is a mandatory requirement when the scope of communication is global and not confined to the organization itself or to a region. Therefore, to ensure information security during communication, the security methods must also be compatible with those international standards.
Part I of this thesis gives a comprehensive view of the communication model on the Internet and the most general picture of security technologies as a whole. Among the most basic and effective security technologies today, I analyse and evaluate in depth the method of securing a network with "firewall" technology.
Part II of the thesis focuses on solving this problem. On the basis of the theory studied, being able to propose a plan for successfully applying the chosen technology is essential. Wishing the thesis to be a highly practical product, I present the methods for deploying firewall technology in an organization's information system, together with visual illustrations.
With the above contents I hope to give the reader a panoramic view of the security picture in general and of firewall technology in particular. With the rapid pace of technological development, attack methods become ever more sophisticated, and so security technologies must also be continuously improved to ensure a safe and sustainable information infrastructure.
THESIS SUMMARY
Information security is a wide-reaching and complex term because it is made up of many high technologies in order to make our information system more secure. Today, most information systems must meet the international standards because information transportation takes place not only in an organization itself or in a region but also all over the world. Therefore, to secure information exchanged, the security technologies used must meet international standards.
The first part of my thesis will provide an overview of the information transportation process in the Internet and a general picture of information security technologies. I will do thorough research on firewall technology, one of the most popular and effective security methods, in the second part of my thesis.
It is essential that research results be successfully applicable in real life with the selected technologies. Bearing this in mind, I will clarify applications of firewall technology in information systems in enterprises, in addition to visual illustrations. All of these are presented in the third part.
Hopefully, readers will have a general understanding of security technologies in general and firewall technology in particular. As technological progress takes place nearly every minute, hacking activities have become increasingly damaging and seemingly uncontrollable. Hence, security technologies must be steadily improved for the sake of a well-sustained information system.
TABLE OF CONTENTS
PREFACE
THESIS ABSTRACT
THESIS SUMMARY
LIST OF FIGURES
LIST OF ABBREVIATIONS
INTRODUCTION
PART I: GENERAL CONCEPTS OF SECURITY
  Chapter 1: THE OSI MODEL AND THE TCP/IP PROTOCOL SUITE
    1.1. Overview
    1.2. The OSI model
    1.3. TCP/IP architecture
    1.4. Some basic protocols in the TCP/IP protocol suite
      1.4.1. IP (Internet Protocol)
      1.4.2. UDP (User Datagram Protocol)
      1.4.3. TCP (Transmission Control Protocol)
    1.5. Encapsulation and decapsulation of data when passing through the layers
  Chapter 2: SECURITY CONCEPTS
    2.1. Security concepts
    2.2. Objectives of information security
    2.3. Security is a process
    2.4. Recognising threats to data security
  Chapter 3: SECURITY TECHNOLOGIES
    3.1. Layered security technologies
      3.1.1. Security at the physical level
      3.1.2. Security using firewalls
      3.1.3. Security using packet filtering
      3.1.4. Security using encryption methods
      3.1.5. Security using authentication, authorization and accounting
    3.2. General policies for people
PART II: FIREWALL TECHNOLOGY AND APPLICATIONS
  Chapter 1: BASIC FIREWALL CONCEPTS
    1.1. History and development of firewall technology
    1.2. Firewall definition
    1.3. Firewall classification
      1.3.1. Software firewalls
      1.3.2. Hardware firewalls
    1.4. Firewall functions
      1.4.1. Access control
        1.4.1.1. Where packet filtering takes place
        1.4.1.2. Packet filtering operation
        1.4.1.3. Filtering rules
        1.4.1.4. Operation of the application proxy firewall
      1.4.2. User authentication management
      1.4.3. Activity logging and alarms
        1.4.3.1. Activity logging
        1.4.3.2. Alarms
  Chapter 2: BASIC FIREWALL ARCHITECTURES
    2.1. Packet filtering firewall
    2.2. Proxy server firewall
      2.2.1. Network level gateway
      2.2.2. Application level gateway
    2.3. Stateful packet filtering
    2.4. Bastion host firewall
      2.4.1. First form: bastion host with two network cards
      2.4.2. Second form: bastion host with one network card
  Chapter 3: OPERATING PRINCIPLES OF THE FIREWALL TYPES
    3.1. Operation of "soft" (software) firewalls
    3.2. Operation of "hard" (hardware) firewalls
      3.2.1. Packet filtering mechanism
      3.2.2. Some characteristics of ACLs
      3.2.3. ACL classification
        3.2.3.1. Standard IP Access Control Lists
        3.2.3.2. Extended IP Access Control Lists
        3.2.3.3. Comparison of standard and extended ACLs
      3.2.4. ACL applications
    3.3. NAT
      3.3.1. NAT configuration on multiple interfaces
      3.3.2. Dynamic address translation
      3.3.3. Static address translation
      3.3.4. Port Address Translation
    3.4. Controlling and monitoring connections through the firewall
      3.4.1. TCP transport
      3.4.2. UDP transport
    3.5. Other techniques used in firewalls
      3.5.1. Security auditing
      3.5.2. Fail-safe techniques
      3.5.3. Load balancing
    3.6. Combining technical measures
  Chapter 4: FIREWALL DEPLOYMENT METHODS
    4.1. The zoning function of the firewall in network security design
      4.1.1. Inside Network
      4.1.2. Outside Network
      4.1.3. Demilitarized Zone (DMZ)
    4.2. Common simple firewall architectures
      4.2.1. Basic architecture
      4.2.2. Dual-Homed System
      4.2.3. Screening Host architecture
      4.2.4. Screened Subnet architecture
    4.3. Complex firewall models
    4.4. Firewall evaluation
CONCLUSION
REFERENCES
LIST OF FIGURES
Figure 1.1. The OSI reference model
Figure 1.2. TCP/IP architecture
Figure 1.3. IP datagram format
Figure 1.4. IP address classes
Figure 1.5. UDP datagram format
Figure 1.7. TCP datagram format
Figure 1.8. Connection establishment and release
Figure 1.9. The sliding window mechanism
Figure 1.11. The CIA objective
Figure 1.12. The security process
Figure 1.13. Man-in-the-middle attack
Figure 1.14. The layered security model
Figure 1.15. Security using firewalls
Figure 1.16. Types of IPS
Figure 1.17. Security using packet filtering
Figure 1.18. Remote connection using VPN
Figure 2.1. The firewall as a screen separating the internal network from the Internet
Figure 2.2. Points at which packets can be controlled in the protocol layers
Figure 2.3. Information used in IP packet filtering rules
Figure 2.4. Operation of an application proxy
Figure 2.5. Packet filtering firewall
Figure 2.6. Proxy service firewall
Figure 2.7. Network communication through a proxy server
Figure 2.8. Bastion host
Figure 2.9. Operation diagram of ISA Server
Figure 2.10. Operation of a standard ACL
Figure 2.11. Packet movement between zones of different security levels
Figure 2.12. The zoning function of the firewall
Figure 2.13. The address translation process
Figure 2.14. NAT configuration on multiple interfaces
Figure 2.15. Address translation from the inside network to the outside network
Figure 2.16. Establishing a TCP connection from inside to outside
Figure 2.17. The basic three-zone architecture in network security design
4.2.1. Basic architecture
In the basic firewall architecture, the firewall controls traffic from the internal network (Inside Network) out to the external networks (Outside Network) and vice versa.
In this architecture the firewall uses its default configuration of three interfaces: one connected to the inside network with the highest security level, one connected to the DMZ with a lower security level, and a third with the lowest security level connected to the outside network. As noted above, by default all traffic from a higher-security interface to a lower-security interface of the firewall is permitted, while traffic from a lower-security interface to a higher-security interface is denied. Occasionally there are exceptions, by deliberate choice of the administrator.
In this architecture the routers separating the inside network from the firewall, and the outside network from the firewall, not only route traffic and act as the gateway out of the network but also act as stateless or stateful packet filters. The servers in the DMZ not only provide applications for users on the Internet but also act as proxy servers.
Figure 2.18. Basic firewall architecture
This is the most basic configuration of an ordinary network communicating with the Internet; here the firewall has its default configuration of three interfaces. When the size and number of networks in the internal zone grow and they have different security requirements, more interfaces are used, with a security level configured on each. Moreover, the firewall can be combined with other security technologies to achieve the highest level of safety. Below we consider an extended security architecture using a firewall combined with another security technology.
4.2.2. Dual-Homed System
The system is a computer with at least two network cards, as shown in Figure 2.19. In this case routing between the sides corresponding to the network cards is disabled, so control of network traffic can be done entirely by hand. Suppose the system is running a web server. If routing is disabled, packets cannot be exchanged between the different networks. For example, if several departments in an organization need to share the same web server but you do not want to create a routing table between the departments, you can use this system configuration. However, hackers can attack this weak point if application patches and bug fixes have not been installed.
Figure 2.19. Dual-Homed system with two network cards
4.2.3. Screening Host architecture
In this case the router only allows Internet users to connect to a system defined in advance on the bastion host. The gateway port controls all incoming and outgoing packets.
Figure 2.20. Screening Host architecture
The filtering router does a great deal of work in this structure: it not only handles packets in order to direct them to the systems inside the network, but also allows or denies the internal network opening connections to the Internet. You can set up this configuration based on the security requirements of your system. Chapman and Zwicky noted that this structure can be broken because it lets packets from the Internet into the internal network, unlike the Dual-Homed system, which blocks all packets from the outside network to the internal one.
4.2.4. Screened Subnet architecture
This case is similar to the Screening Host, except that an additional layer of security is added between the perimeter zone and the internal zone.
Figure 2.21. Screened Subnet architecture
The reason for this structure is to protect the internal network in case the bastion host cannot withstand an attack by hackers.
LIST OF ABBREVIATIONS
Abbreviation - Full form - Meaning
FW - Firewall - firewall
VPN - Virtual Private Network - virtual private network
NAT - Network Address Translation - network address translation
OSI - Open Systems Interconnection - open systems interconnection model
CSU/DSU - Channel Service Unit / Digital Service Unit - channel service unit and digital service unit
LAN - Local Area Network - local area network
MAN - Metropolitan Area Network - metropolitan network
GAN - Global Area Network - global network
CAN - Campus Area Network - campus network
WAN - Wide Area Network - wide area network
SAN - Storage Area Network - storage network
IEEE - Institute of Electrical and Electronics Engineers - IEEE standards body
IBM - International Business Machines - IBM corporation
PC - Personal Computer - personal computer
RF - Radio Frequency - radio frequency
NIC - Network Interface Card - network interface card
AP - Access Point - access point
ISO - International Organization for Standardization - ISO standards body
CSDL - Co so du lieu - database
FTP - File Transfer Protocol - file transfer protocol
SMTP - Simple Mail Transfer Protocol - e-mail transfer protocol
DNS - Domain Name System - domain name system
HTTP - Hypertext Transfer Protocol - protocol for transferring content on the web
TCP - Transmission Control Protocol - transmission control protocol
UDP - User Datagram Protocol - UDP protocol
IP - Internet Protocol - network protocol
IPX - Internetwork Packet Exchange - network protocol
DoS - Denial of Service - denial of service
ACL - Access Control List - access control list
RFC - Request For Comments - RFC standards body
IETF - Internet Engineering Task Force - IETF standards body
INTRODUCTION
With the aim of gathering basic knowledge about Internet security on the TCP/IP protocol suite and studying in depth the design of firewall security technology, I have divided this thesis into 3 parts with the following contents:
PART I: GENERAL CONCEPTS OF SECURITY.
This part presents the concepts of the OSI communication model and the TCP/IP protocol suite, the concept of security, and introduces the security technologies built on that protocol suite. The contents are presented in the following chapters:
Chapter 1: The OSI model and the TCP/IP protocol suite
Presents the layered model of information transmission on the Internet and examines in depth the three basic protocols IP, UDP and TCP.
Chapter 2: Security concepts
Presents what security is, the central objectives of security, and the common attack methods.
Chapter 3: Security technologies
Examines the commonly used security technologies and the combined measures for securing a system.
PART II: SECURITY USING FIREWALL TECHNOLOGY
This part presents security using firewall technology, with detailed contents related to this technology, in the following chapters:
Chapter 4: Firewalls
Introduces firewall technology, the types of firewall, and the characteristics and applications of each type.
Chapter 5: Applying firewalls in enterprises
Some applications of firewalls in information security for enterprises.
CONCLUSION
PART I: GENERAL CONCEPTS OF SECURITY
Chapter 1
THE OSI MODEL AND THE TCP/IP PROTOCOL SUITE
Transmitting information over a network is a complex process that requires many supporting technologies and passes through many different stages. The more modern the technology, the faster and more reliably information can be transmitted. However, to operate and manage networks over a wide area, the technologies used in the transmission process must be compatible and consistent. Out of these needs the OSI model and the TCP/IP protocol suite were born as the standard for building today's network systems.
In this chapter I introduce the OSI model and the TCP/IP protocol suite to give an overview of the transmission process on communication networks in general and the Internet in particular. This is also the foundation for analysing, building and deploying security plans that serve the goal of network security.
1.1. OVERVIEW
The Transmission Control Protocol / Internet Protocol suite (TCP/IP) is one of the most widely used network protocols today. Created and developed since the 1970s by ARPA (Advanced Research Projects Agency), TCP/IP allows heterogeneous systems to communicate with each other. Today TCP/IP is widely applied in local area networks as well as wide area networks and across the whole Internet.
Before examining the TCP/IP protocols, let us look briefly at the Reference Model for Open Systems Interconnection (OSI).
1.2. THE OSI MODEL
As noted above, the existence of many different and mutually incompatible network architectures hinders the exchange of information between these networks. To enable convergence of network products, the International Organization for Standardization built a standard model for networks called the Reference Model for Open Systems Interconnection, or more briefly the OSI Reference Model.
The OSI model consists of 7 layers performing the following functions:
Physical Layer: the lowest layer; it transfers bit streams under the direction of the data link layer.
Data Link Layer: provides the means to transfer information across the physical interface. It has two basic functions: logical link control and media access control.
Network Layer: performs routing to find the optimal path across the network, and also switching.
Transport Layer: carries data between sender and receiver, with flow control and error detection and correction to ensure reliability.
Session Layer: establishes, maintains and synchronises communication sessions.
Presentation Layer: converts data syntax to meet the data transfer requirements of applications across the OSI transmission environment.
Application Layer: acts as the interface between the OSI environment and the user; it collects the user's requests, processes them and hands them to the layer below, and at the same time receives the results processed by the layer below and hands them to the user.
Figure 1.1. The OSI reference model
1.3. TCP/IP ARCHITECTURE
Protocols are usually developed in layers, each layer having its own function in processing information. The TCP/IP protocol suite is a combination of many protocols at different layers, but the layered model in TCP/IP systems is usually regarded as a simplified version of the OSI model, with 4 layers as follows:
Figure 1.2. TCP/IP architecture
1. Network Interface Layer, also called the data link layer or network access layer: the lowest layer of the TCP/IP model, comprising the network interface device and the software that provides the information needed for it to operate and to access the physical medium through that device.
2. Internet Layer: performs route selection and forwarding of data across the network. In the TCP/IP suite the network layer has several protocols supporting the delivery of packets, such as IP (Internet Protocol), ICMP (Internet Control Message Protocol) and IGMP (Internet Group Management Protocol).
3. Transport Layer: comprises the services that deliver data streams between two end hosts, serving the application layer above. In the TCP/IP suite the transport layer has 2 protocols, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
- TCP provides a connection-oriented and reliable data transport service: it divides data into segments, establishes logical connections, acknowledges data and sets timers for error checking.
- UDP provides a data transport service in which each unit of data, called a datagram, is sent connectionless and unreliably.
Any reliability requirement for data delivery must be added by the application layer.
4. Application Layer: the top layer of the TCP/IP model, comprising the processes and applications provided to users for accessing the network. Many applications are provided to users at this layer, the most common being:
Telnet, used for remote network access.
FTP (File Transfer Protocol), the file transfer service.
SMTP (Simple Mail Transfer Protocol), the electronic mail service.
WWW (World Wide Web).
The OSI model came first; it is a reference model for study and research without much practical application. The TCP/IP model is the successor of the OSI model and is highly applicable as the standard for building today's network systems. However, the two models do not exclude each other but exist side by side, their purposes complementing each other in standardising the building and development of communication networks worldwide.
1.4. SOME BASIC PROTOCOLS IN THE TCP/IP PROTOCOL SUITE
Nguyn Ba Hiu Bo mt mng bng cng ngh Iirewall
1.4.1. The IP protocol (Internet Protocol)
The purpose of the internetworking protocol IP is to interconnect subnetworks into an internetwork for data transmission. IP provides a connectionless, unreliable datagram delivery service: there is no connection set-up phase before data is sent, there is no guarantee that an IP datagram will reach its destination, and no information about datagrams already sent is retained.
The format of the IP data unit is shown in figure 1.4.
Figure 1.4. IP datagram format
Meaning of the fields in the IP header:
Version (4 bits): the version of IP currently in use.
Header length (4 bits): the length of the datagram header, including the Option part, in units of 32-bit words; the minimum is 5 words (20 bytes) when there are no Options.
TOS, Type of Service (8 bits): the class of service requested. The service classes are:
o Minimum delay
o Maximum throughput
o Maximum reliability
o Minimum cost
Total length (16 bits): the length of the whole IP datagram in bytes. From this field and the header length field we can compute where the data begins in the IP datagram.
Identification (16 bits): an identifier which, together with other parameters such as the Source address and Destination address, uniquely identifies each datagram sent to a host. Usually the Identification value is incremented by 1 each time a datagram is sent.
Flags (3 bits): flags used when fragmenting datagrams.
  bit:   0    1    2
         0    DF   MF
o bit 0: reserved, not used, value 0
o bit 1: DF, 0 = May fragment, 1 = Don't fragment
o bit 2: MF, 0 = Last fragment, 1 = More fragments
Fragment offset (13 bits): the position of the fragment within the datagram, in units of 64 bits (8 bytes).
TTL (8 bits): sets the lifetime of the datagram so that it does not wander the network indefinitely. TTL is usually 32 or 64 depending on the operating system and is decremented by 1 at each router the data passes through. When this field reaches 0 the datagram is discarded and an error is reported to the sending station.
Protocol (8 bits): the next upper-layer protocol that will receive the data at the destination, usually TCP or UDP.
Header checksum (16 bits): error control for the IP header.
Source address (32 bits): the IP address of the source station.
Destination address (32 bits): the IP address of the destination station.
Options (variable length): declares the options requested by the user, usually:
o Security.
o Record route: the route the datagram has taken is recorded along the path.
o Time stamp.
o Loose source routing: a list of IP addresses the datagram must pass through, without requiring it to go through predetermined routers.
o Strict source routing: the route, including the routers, that the IP datagram must go through.
IP address
A coded number that identifies a station on the Internet is called an IP address. Each IP address is 32 bits long, divided into four fields of one byte each, and is usually written in dotted-decimal notation. IP addresses are divided into classes, denoted A, B, C, D and E, with the structure shown in figure 1.5.
Figure 1.5. IP address classes
Class   Address range
A       0.0.0.0 to 127.255.255.255
B       128.0.0.0 to 191.255.255.255
C       192.0.0.0 to 223.255.255.255
D       224.0.0.0 to 239.255.255.255
E       240.0.0.0 to 247.255.255.255
Figure 1.6. Internet address classes
To distinguish the address classes, the first bits of the first byte identify the class.
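An added worked example (not from the thesis) that puts the header description above into code: it builds a constructed IPv4 header with a valid checksum, decodes every field described above (header length in 32-bit words, DF/MF flags, fragment offset in 8-byte units, TTL), verifies the checksum, classifies the address by its leading bits, and models the per-router TTL decrement and discard. Addresses and the identification value are constructed sample values.

```python
import struct
from ipaddress import IPv4Address


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6,
                      ttl: int = 64, ident: int = 0x1C46, df: bool = True) -> bytes:
    """Constructed 20-byte IPv4 header (no Options) with a valid checksum."""
    ver_ihl = (4 << 4) | 5                    # version 4, IHL = 5 words = 20 bytes
    flags_frag = (0b010 << 13) if df else 0   # flag bit 1 = DF, fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    csum = ones_complement_checksum(hdr)      # computed with the checksum field = 0
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fields described in the text and verify the header checksum."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4                # header length is in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(raw):
        raise ValueError("bad version or header length")
    flags = flags_frag >> 13
    return {
        "header_len": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "df": bool(flags & 0b010),
        "mf": bool(flags & 0b001),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # units of 8 bytes
        "ttl": ttl,
        "protocol": proto,
        # a valid header, checksum field included, sums to 0xFFFF, so its complement is 0
        "checksum_ok": ones_complement_checksum(raw[:ihl]) == 0,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "options": raw[20:ihl],
    }


def ip_class(addr: str) -> str:
    """Classful address class from the leading bits of the first byte."""
    first = IPv4Address(addr).packed[0]
    if first & 0x80 == 0:
        return "A"      # 0xxxxxxx
    if first & 0xC0 == 0x80:
        return "B"      # 10xxxxxx
    if first & 0xE0 == 0xC0:
        return "C"      # 110xxxxx
    if first & 0xF0 == 0xE0:
        return "D"      # 1110xxxx
    return "E"          # 1111xxxx


def forward_hop(raw: bytes) -> bytes:
    """Model one router hop: TTL - 1 and checksum recomputed; a TTL that would
    reach 0 means the datagram is discarded and an ICMP error goes to the source."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[8] <= 1:
        raise ValueError("TTL expired: datagram discarded, ICMP error sent to source")
    hdr = bytearray(raw[:ihl])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ones_complement_checksum(bytes(hdr)))
    return bytes(hdr) + raw[ihl:]


# Constructed sample: a TCP datagram 192.0.2.1 -> 198.51.100.7 carrying a 20-byte payload.
SAMPLE = build_ipv4_header("192.0.2.1", "198.51.100.7", payload_len=20) + b"\x00" * 20

if __name__ == "__main__":
    fields = parse_ipv4_header(SAMPLE)
    print(fields, "class", ip_class(fields["src"]))
    print("after one hop, TTL =", parse_ipv4_header(forward_hop(SAMPLE))["ttl"])
```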
IP routing
Besides providing addresses for packet delivery, routing is an important function of the IP protocol.
The IP layer receives datagrams passed up from the lower layer and is responsible for routing them. At the IP layer each routing device holds a routing table containing the best path to each network. These routing devices are routers or layer-3 switches. When a packet arrives at a router or switch, the IP address is read to determine the destination network; the path to that network is looked up in the routing table and, if found, the packet is sent to the next router on the chosen path. If no path is found, the packet is pushed out to the default gateway. When a packet has wandered the network so long that it exceeds the TTL value without reaching its destination, the packet is discarded and an error message is sent back to the sender via ICMP. Routing can be performed by many different routing protocols such as RIP, IGMP, EIGRP, OSPF and IS-IS; depending on the size of the network and the required reliability, a suitable routing protocol can be chosen.
1.4.2. The UDP protocol (User Datagram Protocol)
UDP is a connectionless protocol that provides an unreliable transport service and is used in place of TCP in the transport layer. Unlike TCP, UDP has no connection set-up and release, no ACK acknowledgement mechanism, and does not reorder arriving datagrams; data may be lost or duplicated without any error report to the sender. The format of a UDP datagram is described below:
Figure 1.6. UDP datagram format (8-byte header: 16-bit source port, 16-bit destination port, 16-bit UDP length, 16-bit UDP checksum, followed by the data if any)
Source port (16 bits): the port number at the sending end.
Destination port (16 bits): the port number the datagram is delivered to.
UDP length (16 bits): the total length of the UDP datagram, header included.
UDP checksum (16 bits): used for error control; if an error is detected the datagram is discarded without any report to the sending station.
UDP assigns and manages port numbers to uniquely identify the applications running on a host. Because it has few complex functions, UDP tends to operate faster than TCP. It is commonly used by applications that do not require high reliability in transport.
1.4.3. The TCP protocol (Transmission Control Protocol)
TCP and UDP are the two transport-layer protocols, and both use IP in the network layer. But unlike UDP, TCP provides a reliable, connection-oriented service: two applications using TCP must establish a connection with each other before exchanging data. The reliability of the service provided by TCP shows in the following:
- Data from the application layer is divided by TCP into segments of the most suitable size for transmission.
- When TCP sends a segment it maintains a timer while waiting for an acknowledgement from the receiver. If no acknowledgement arrives within that time, the segment is retransmitted.
- When TCP on the receiving station receives data from the sender, it sends an acknowledgement to the sender; this acknowledgement is not sent immediately but is usually delayed for a short time.
- TCP maintains a checksum in the header of the data to detect any change during transmission. If a segment is corrupted, TCP at the receiver discards it and does not acknowledge it, so that the sender retransmits the corrupted segment.
- Like IP datagrams, TCP segments may arrive out of order. TCP at the receiver therefore reorders the data before passing it to the upper layer, ensuring its correctness. When IP datagrams are duplicated, TCP at the receiver discards the duplicate data.
- TCP also provides flow control: each end of a TCP connection has a limited buffer, so TCP at the receiver only allows the sender to transmit an amount of data smaller than the remaining buffer space. This prevents a fast host from consuming the whole buffer of a slower host.
The TCP format is shown in figure 1.7:
Figure 1.7. TCP datagram format (16-bit source port number, 16-bit destination port number, 32-bit sequence number, 32-bit acknowledgement number, 4-bit header length, 6 reserved bits, the control bits URG, ACK, PSH, RST, SYN and FIN, 16-bit window size, 16-bit TCP checksum, 16-bit urgent pointer, Options if any, Data if any)
Source Port (16 bits): the port number of the source station.
Destination Port (16 bits): the port number of the destination station.
Sequence Number (32 bits): the number of the first byte of the segment, unless the SYN bit is set. If the SYN bit is set, the sequence number is the initial sequence number ISN and the first data byte is ISN + 1. Through this field TCP manages every byte transmitted on a TCP connection.
Acknowledgment Number (32 bits): the number of the next segment the source is waiting to receive; it implicitly acknowledges all segments the destination has sent to the source.
Header Length (4 bits): the number of 32-bit words in the TCP header; it indicates where the data begins, since the Option field has a variable length. The header length ranges from 20 to 60 bytes.
Reserved (6 bits): reserved for future use.
Control bits: the bits used for control
o URG: the urgent pointer field is valid.
o ACK: the acknowledgement field (ACK number) is valid.
o PSH: push function.
o RST: reset the connection.
o SYN: synchronize the sequence numbers.
o FIN: no more data from the source.
Window size (16 bits): the credit granted for flow control, the sliding window mechanism. It is the number of data bytes, starting from the byte indicated in the ACK number field, that the source is ready to accept.
Checksum (16 bits): the error-detection code for the whole segment, header and data.
Urgent Pointer (16 bits): points to the sequence number of the last byte in the urgent data stream, letting the receiver know the length of the urgent data. This field is valid only when the URG bit is set.
Option (variable length): declares TCP options, most commonly the maximum segment size MSS.
TCP data (variable length): contains the application-layer data; its default size is 536 bytes, which can be adjusted by a declaration in the Option field.
Figure 1.8. Connection establishment and release
When a station wants to send data to another station, a connection is established between the two stations to exchange data. The process of establishing a connection uses 3 segments and is called the three-way handshake. It proceeds as follows:
1. The requesting station, usually called the Client, sends a SYN segment that identifies the port number of the Server it wants to connect to and announces the Client's initial sequence number ISN.
2. The Server replies by sending a SYN segment with its own ISN to the client; at the same time the server acknowledges the Client's ISN by setting the ACK sequence value to the Client's ISN + 1.
3. The Client in turn acknowledges the SYN segment sent by the server by returning the server's ISN + 1. From this point on, data transfer begins.
4. When the Client has sent all its data, it sends the Server a segment with the FIN bit set (a FIN segment).
5. TCP at the server informs the application layer that all data has been transmitted and the connection is being released. TCP at the Server sends an acknowledgement of the FIN segment from the Client with the received sequence number + 1.
6. The Server then sends the Client a FIN segment signalling that the connection is closed at the Server.
7. The Client sends an acknowledgement to the Server with the received sequence number + 1, signalling the end of the connection.
On a TCP connection data is transmitted in two independent directions, so each direction of the connection is established and released independently. Four segments are generated to release the connection, as shown in the figure above.
Connection reset
If a segment arrives at its destination but is not valid for the referenced connection (the IP address and port number of the destination station), TCP sets the RST bit in the TCP header and sends a segment requesting that the connection be reset. A reset request is usually generated when a connection is requested to a port that does not exist or is not in use. For UDP, a port unreachable error is generated to inform the user; for TCP, a reset request is used instead. In addition, the sender can abort the connection after data has been queued by sending an RST segment. Aborting a connection gives the application layer two properties:
- Any data in the queue is discarded and the RST reset signal is sent immediately.
- The station receiving the RST can accept the abort instead of the normal release of the connection, and informs the application layer that the connection has been aborted.
Sliding window mechanism
As we have seen, the sender transmits data and then has to stop and wait for the receiver to acknowledge that the block of data has been received before the next block is sent. But TCP uses a flow-control method with a sliding window, which allows the sender to transmit several data packets before stopping to wait for an acknowledgement. This increases the transmission rate, especially for large amounts of data. With the sliding window the receiver does not have to acknowledge every packet received; instead it sends one acknowledgement to the sender confirming that all packets from the first up to packet (sequence number - 1) have been received. The sliding window works as follows:
Figure 1.9. The sliding window mechanism
In the figure, the offered window is the window announced by the receiver; it is 6 bytes in size, from byte 4 to byte 9, which means the receiver has acknowledged bytes 1 to 3 and tells the sender that the window size is 6. The sender computes the usable window, the amount of data it may send. During transmission the window slides to the right as the receiver sends acknowledgements.
TCP also provides an urgent mode that lets the sender tell the receiver that some priority data is being transmitted within the normal data stream. The receiver recognizes it by the URG bit set in the TCP header. The urgent pointer points to the sequence number of the last byte of the urgent data. The application layer is notified to process data in urgent mode until it receives a segment whose sequence number is greater than the sequence number indicated by the urgent pointer. Telnet and Rlogin use urgent mode between server and client to avoid the connection stalling when TCP flow control announces a window of 0: the window is then opened so that the receiver can still read data. If the sender enters urgent mode several times while the receiver has not yet processed the data of the first urgent mode, the urgent pointer overwrites the previous values. This means the receiver keeps only one urgent pointer, and the urgent data sent by the source overwrites the previous content.
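An added example (not the thesis's own code) that models the three-way handshake, the four-segment release and the sliding window described above: segments are packed and parsed in the 20-byte header layout of figure 1.7, each SYN or FIN is answered with an ACK carrying the peer's number + 1, and usable_window reproduces the figure 1.9 numbers (bytes 1 to 3 acknowledged, offered window 6). The ISNs, ports and check_exchange validation routine are assumptions of the example.

```python
import struct
from dataclasses import dataclass

# Control bits, stored in the low 6 bits of the header-length/flags word.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int = 65535
    payload: bytes = b""

    def pack(self) -> bytes:
        """20-byte header without Options (header length = 5 words). Checksum
        and urgent pointer stay 0: this model never puts segments on a wire."""
        offset_flags = (5 << 12) | self.flags
        return struct.pack("!HHIIHHHH", self.src_port, self.dst_port, self.seq,
                           self.ack, offset_flags, self.window, 0, 0) + self.payload


def parse_segment(raw: bytes) -> Segment:
    sp, dp, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    hlen = (off_flags >> 12) * 4          # header length is given in 32-bit words
    return Segment(sp, dp, seq, ack, off_flags & 0x3F, win, raw[hlen:])


def three_way_handshake(client_isn: int, server_isn: int,
                        client_port: int = 40000, server_port: int = 80) -> list:
    """Segments 1-3 of the text: SYN, SYN+ACK acknowledging ISN + 1, and the ACK."""
    syn = Segment(client_port, server_port, client_isn, 0, SYN)
    syn_ack = Segment(server_port, client_port, server_isn, syn.seq + 1, SYN | ACK)
    ack = Segment(client_port, server_port, client_isn + 1, syn_ack.seq + 1, ACK)
    return [syn, syn_ack, ack]


def four_segment_close(client_seq: int, server_seq: int,
                       client_port: int = 40000, server_port: int = 80) -> list:
    """Segments 4-7: each direction is released on its own with a FIN and its ACK."""
    fin_c = Segment(client_port, server_port, client_seq, server_seq, FIN | ACK)
    ack_s = Segment(server_port, client_port, server_seq, fin_c.seq + 1, ACK)
    fin_s = Segment(server_port, client_port, server_seq, fin_c.seq + 1, FIN | ACK)
    ack_c = Segment(client_port, server_port, client_seq + 1, fin_s.seq + 1, ACK)
    return [fin_c, ack_s, fin_s, ack_c]


def check_exchange(segments: list) -> bool:
    """Validate a SYN or FIN exchange: the segment answering a SYN or FIN must
    carry ACK with ack == that segment's seq + 1 (SYN and FIN each consume one
    sequence number) and must mirror its ports."""
    for prev, cur in zip(segments, segments[1:]):
        if prev.flags & (SYN | FIN):
            if not cur.flags & ACK or cur.ack != prev.seq + 1:
                return False
            if (cur.src_port, cur.dst_port) != (prev.dst_port, prev.src_port):
                return False
    return True


def usable_window(last_acked: int, offered_window: int, next_to_send: int) -> int:
    """Bytes the sender may still transmit. last_acked is the highest byte number
    acknowledged; the offered window covers last_acked + 1 .. last_acked + offered_window."""
    right_edge = last_acked + offered_window
    return max(0, right_edge - next_to_send + 1)


if __name__ == "__main__":
    for seg in three_way_handshake(1000, 5000) + four_segment_close(1001, 5001):
        print(parse_segment(seg.pack()))
    # figure 1.9: bytes 1-3 acknowledged, window 6, bytes 4-6 already sent -> 3 usable
    print(usable_window(3, 6, 7))
```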
1.5. ENCAPSULATION AND DECAPSULATION OF DATA WHEN TRANSMITTING THROUGH THE LAYERS
Figure 1.10. Data encapsulation and decapsulation (user data; application header + application data; TCP header + application data = TCP segment; IP header + TCP segment = IP datagram; Ethernet header + IP datagram + Ethernet trailer = Ethernet frame, 46 to 1500 bytes)
When data is transmitted, the process runs from the upper layer downward; at each layer a piece of control information called the header is added to the data. When data is received the process runs in reverse: the data is passed from the lower layer upward, at each layer the corresponding header is stripped off, and when the data reaches the top layer no header remains. When an application uses TCP to transmit over the network, the data unit at each layer is as shown in figure 1.10.
In the application layer the data is a flow called a stream.
In the transport layer the data unit that TCP passes down to IP is called a TCP segment.
In the network layer the data that IP sends to the network interface is called an IP packet.
In the link layer the data transmitted is called a frame.
Chapter 2
SECURITY CONCEPTS
For organizations and businesses, information and data are an increasingly important resource, sometimes of vital importance to the whole organization, most typically in finance, banking, insurance and security bodies such as the army and national defence. Once secret information leaks, the danger is not only to that organization but to a whole sector or, more broadly, to national security. That is why security has long received attention. In the present period, with the extraordinary development of science and technology, methods of stealing information are ever more sophisticated and professional, making security harder and demanding more investment; we must correctly recognize the vital role of security for our organization and invest appropriately in information system security. So what is security?
2.1. THE CONCEPT OF SECURITY
Information security is a broad concept. It covers all organized activities aimed at preventing, detecting and responding to attacks on the information systems of organizations and businesses whose purpose is to steal or destroy information and cause serious damage to those organizations. The destructive acts may be modification, distortion or deletion, or simply making the information unavailable when it is needed.
Security is an extremely important factor for a network system, especially in a business environment where information is the most valuable asset. With the increase in threats of attack from both inside and outside the network, the need to build a security system with advanced technologies grows continually. A security system must ensure the protection of business data and other information.

2.2. OBJECTIVES OF INFORMATION SECURITY
A secure information system must guarantee the following three requirements:
Confidentiality: ensures that only authorized individuals are allowed to access the system. This is an important requirement of information security because, for organizations and businesses, information is the most valuable asset; unauthorized individuals gaining illegal access to the system causes information to leak, which amounts to the company's assets being violated and can lead to bankruptcy.
To ensure confidentiality, access rights must be granted very carefully: only individuals with a legitimate need are allowed access, the number of people with access is kept to a minimum, and those allowed access are verified precisely with advanced, reliable authentication tools.
Integrity: ensures that information is always in a correct and accurate state, so that users always work with trustworthy, authentic information. Only authorized individuals are allowed to modify information. Attackers intend not only to steal information but also to make it worthless by creating false information that harms the company.
To ensure integrity there is no other way than to prevent all unauthorized access to the system, plus building backup systems in case the system is brought down.
Figure 1.11. The CIA objectives (data confidentiality, data integrity, data availability)
Availability: ensures that information is always ready to serve, so that whenever a legitimate user needs it they can access the system. This can be called the most important requirement, since information is useful only when users can use it when they need it; if the first two requirements are met but the last one is not, the information also loses its value.
Information loses availability when the system is the victim of a denial-of-service attack (DoS), a simple attack technique that exploits weaknesses of the transmission protocols in the TCP/IP protocol stack to overload the system's serving capacity, with the result that the system hangs.
To deal with this type of attack, tools are needed to block, detect and filter packets.
The objective of information security is to guarantee the three requirements above, which in security practice is called the CIA objective. Achieving the CIA objective is not simply a matter of implementing a few countermeasures or deploying a few devices or pieces of software; security is a continuous cycle over time.
2.3. SECURITY IS A PROCESS
Security must be organized and carried out as a cycle in order to be rigorous and effective. Moreover, the cycle is cumulative and evolving, because attack techniques grow ever more sophisticated and modern: a security system considered optimal today may still develop problems in the future, because attackers keep looking for ways to exploit holes in that security system with more sophisticated means. To prevent and respond, those who build security strategies must also continually draw up new strategies and use more advanced technology.
Figure 1.12. The security process
As the figure shows, the security cycle defines four very clear processes for developing a security system in general. All of the processes are built and developed on one common principle, the Corporate Security Policy. Policies differ from one organization or business to another, but in general they are a complete set of security rules issued to all personnel in the organization in order to achieve an optimal CIA objective.
Secure: after studying the entire security policy of the business, the next task is to carry out concrete security actions with appropriate measures. I will present the measures and security technologies in detail in the next chapter.
Monitoring: while the security measures are in force, close monitoring is needed to assess the quality of operation and to find replacements or improvements if the stated security requirements are not met.
Test: this is the phase of testing the system, including the whole information and data system, and of testing the techniques and procedures in use, to assess reliability as well as the extent of possible damage, so as to have a suitable replacement strategy. Testing should take place regularly and periodically.
Improve: these are the plans to upgrade and renovate with new security technologies to meet changing needs and to replace security plans with new ones; this must be done quickly and promptly for the whole information system of the business. The steps above must not only be carried out strictly in sequence but also in parallel, because an attack may go on for a considerable time before we can recognize it. Most importantly, all processes must start from the common policy, and in turn the implementation processes serve to build and perfect the organization's security policy.
2.4. RECOGNIZING THREATS TO DATA SECURITY
Threats may arise from objective causes or from human, subjective ones. The objective causes are called disasters: sudden, unforeseen incidents, which may be natural disasters such as earthquakes, volcanoes and tsunamis, or may be caused by people, such as fire, power loss or system collapse. Disasters arrive at random and cannot be prevented, so forecasting must be carried out and disaster recovery strategies must be in place. The subjective causes are attacks. Attacks are acts intended to break the CIA objective. Attacks happen more often and are also harder to deal with because their form changes constantly; to deal with them one must understand the techniques used to attack. In this section I present the common attack techniques in detail.
Attack classification
Attacks are divided into three main types:
- Social Engineering Attacks: the attacker exploits the carelessness or credulity of people in the company to obtain a user's access credentials and can then enter the system with that information.
- Software Attacks: this type targets applications, operating systems (OS) and protocols. The aim is to destroy or disable the applications, operating systems or protocols running on the computers, in order to gain access to the system and extract information. This type of attack can be used alone or in combination with other types.
- Hardware Attacks: target hard disks, mainboards, CPUs, network cables and so on; the aim is to destroy hardware and disable software, and it is the basis for denial-of-service (DoS) attacks.
Common attack techniques
The most dangerous and most common attack techniques are attacks targeting software (Software Attacks), specifically:
1. Port scanning attacks (Port Scanning Attacks)
- The attacker monitors computers and devices connected to the Internet to find out which TCP or UDP ports are exchanging information and which services are running.
- We can monitor, on our own system, which outside machines are port-scanning us.
- This attack is the first step in identifying the weaknesses of a system.
- Some tools used: SuperScan, Nmap, Strobe.
2. Eavesdropping attacks (Eavesdropping Attacks), also called sniffing
- The attacker tries to tap into private exchanges of information using specialized devices, to steal information about the content of the exchange or to steal usernames and passwords.
- It can be carried out on ordinary communication lines or on wireless links.
- Tools used: sniff, Ethereal, Ettercap.
3. IP spoofing attacks (IP Spoofing Attacks):
The attacker creates IP packets with forged IP addresses and uses them to gain access to remote systems. The technique relies on:
- Applications and services that authenticate based on the source IP address
- Devices running Sun RPC, X Windows
- Services secured using the TCP protocol
- Network File System (NFS), the UNIX Rlogin command
4. Hijacking attacks (Hijacking Attacks):
The attacker seizes control of TCP sessions after the authentication procedure at the start of each session, in order to gain access to data or network resources in the name of a legitimate user.
5. Replay attacks (Replay Attacks)
- The attacker captures packets on the network, stores them and retransmits them to gain access to a host or a network.
- This attack succeeds if the attacker captures packets carrying usernames and passwords or other authentication information.
- A replay attack differs from eavesdropping in that eavesdropping only listens to the content and does not store packets for retransmission.
6. Man-in-the-middle attacks (Man-in-the-Middle Attacks)
- The attacker inserts himself between two parties exchanging information in order to gain access to that exchange.
- The attacker impersonates both the sender and the receiver in the exchange between Client and Server.
Figure 1.14. Man-in-the-middle attack (1: the attacker intercepts packets from the Client; 2: sends forged replies to the Client; 3: sends forged packets to the Server; 4: the Server replies to the attacker, who, posing as the client, replies to the server)
The intermediate machine poses as the server when talking to the client and as the client when talking to the server. This lets the intermediate machine record the entire exchange between client and server.
7. Denial-of-service attacks (Denial of Services):
divided into two types, DoS and DDoS
DoS attacks: the attacker deliberately brings down the systems providing network services by:
- Congesting the system's links by pushing in far more data than they can carry
- Sending data that exploits vulnerabilities in an application
- Consuming a system's resources to the point that it must shut down
DDoS attacks: the attacker gains control of, or manipulates, many computers spread across different networks to carry out a DoS attack.
8. Malicious code attacks (Malicious Code Attacks):
The attacker introduces pieces of malicious code into the user's system to damage or disable the operating system or the applications. Some kinds of malicious code:
- Virus: a piece of code able to spread from one machine to another by attaching itself to files; when files carrying the malicious code are transferred between machines the virus spreads. Its functions are to spread and to destroy.
- Worm: also a piece of code that spreads from machine to machine, but it copies itself and spreads on its own without needing a file as a host the way a virus does. A worm can destroy and delete files on the hard disk.
- Trojan: a kind of malicious code that can appear harmless by disguising itself as an ordinary file to escape the suspicion of anti-virus software. When active it can also destroy files on the hard disk.
- Logic Bomb: a piece of malicious code that lies dormant on the computer until it is triggered by a particular event, and can then destroy or delete data on the computer.
9. Attacks against the default security configuration (Attacks Against Default Security Configuration), usually as follows:
- The attacker accesses the computer to disrupt its operation by exploiting holes in the operating system's security.
- They rely on weaknesses in the default configuration of the operating system.
10. Software exploitation attacks (Software Exploitation Attacks):
The attacker gains access to the system or to sensitive data by exploiting weaknesses or features of an application.
11. Password attacks (Password Attacks):
The attacker tries to guess the password or to crack the encrypted password file.
12. Backdoor attacks (Backdoor Attacks):
The attacker enters the system by using a small helper program or by creating a fake user that does not exist.
13. Takeover attacks (Takeover Attack):
The attacker gains access to a remote system and takes control of it using the attack methods above.
Identifying attacks on the layers of the TCP/IP model
a. Identifying attacks at the network interface layer
At the network interface layer the packets transmitted on the wire are called frames; a frame has 3 fields: the header, the payload and the error check FCS. Since the network interface layer is used to exchange information within the local network, attacks at this layer also take place inside the local network. Here are some methods used to compromise the CIA objective.
MAC address spoofing
The header contains the MAC addresses of both the source and the destination machine, which is the condition for a packet to be delivered successfully from source to destination. An attacker can easily forge the MAC address of another machine, and any security mechanism based on MAC addresses can be defeated by this attack.
Denial of service
A denial-of-service attack overloads a system far beyond what its services can handle. An attack using the ARP protocol can flood a computer with broadcast messages and deprive it of the availability part of the CIA triad.
ARP cache poisoning
The ARP cache stores the MAC addresses of computers in the local network; if the information in it is falsified or forged, the computer cannot send packets to the correct destination.
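An added example (not from the thesis) of the monitoring a defender can run against the MAC spoofing and ARP cache poisoning described above: a list of observed ARP replies is checked for an IP whose MAC changes (against a trusted table when one is given, otherwise against the first mapping seen) and for a single MAC answering for several IPs. The observations and addresses are constructed sample values.

```python
from collections import defaultdict

# Constructed ARP replies seen on one LAN: (time_s, sender_ip, sender_mac).
# 192.0.2.1 is the gateway. The reply at t=30 claims the gateway's IP from a
# different MAC, and that MAC also claims 192.0.2.20: the shape of a poisoning
# that puts the attacker's machine between a host and the gateway.
OBSERVATIONS = [
    (0.0, "192.0.2.1", "00:11:22:33:44:01"),
    (1.0, "192.0.2.20", "00:11:22:33:44:20"),
    (2.0, "192.0.2.21", "00:11:22:33:44:21"),
    (30.0, "192.0.2.1", "de:ad:be:ef:00:99"),
    (30.5, "192.0.2.20", "de:ad:be:ef:00:99"),
    (31.0, "192.0.2.21", "00:11:22:33:44:21"),
]


def detect_arp_poisoning(observations, trusted=None):
    """Return alerts as tuples:
    ('ip-moved', t, ip, known_mac, new_mac)  when an IP's MAC differs from the
        trusted (or first-seen) mapping, i.e. the cache would be rewritten;
    ('mac-claims-many', t, mac, ips)         when one MAC answers for >1 IP."""
    table = dict(trusted or {})          # ip -> mac we believe
    ips_by_mac = defaultdict(set)
    alerts = []
    for t, ip, mac in observations:
        known = table.get(ip)
        if known is None:
            table[ip] = mac              # first sighting: learn it, as a cache would
        elif known != mac:
            alerts.append(("ip-moved", t, ip, known, mac))
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append(("mac-claims-many", t, mac, tuple(sorted(ips_by_mac[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(OBSERVATIONS):
        print(alert)
```

With a static table of trusted gateway entries passed as trusted, the check no longer depends on the first reply seen being genuine.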
b. Identifying attacks at the Internet layer
At the Internet layer the IP packet is created; it has 2 fields, the header and the payload. Here are some methods that can be used to harm the CIA objective:
IP address spoofing
Knowing the header field and the length of the IP address, the IP address can easily be discovered and forged, and any security mechanism based on the source IP address can be compromised.
Man-in-the-middle attacks
This attack occurs when the attacker places himself between the source and destination machines in such a way that neither can tell. Meanwhile the attacker can read and modify the content of the packets exchanged between the two sides.
Denial of service (DoS)
At this layer a denial-of-service attack can use the IP-layer protocols to overload the computer's processing capacity, thereby breaking the CIA objective.
Incorrect reassembly of fragmented datagrams
For fragmented frames, the Offset field is used to reassemble the packets. If the Offset field is altered, the packets are reassembled incorrectly. This can allow a packet that would otherwise not pass the Firewall to get through and reach the internal network, harming the CIA objective.
Corrupting packets
Because an IP packet must pass through several machines before reaching its destination, the information in the header is read and may be modified, for instance at each router. If the packet is intercepted, the header contents can be edited so that the IP frame becomes invalid. This can mean that the packet never reaches its destination, or that the protocols or the payload are altered.
c. Nhn dng tn cng o lp vn chuyn
lop vn chuyn thi phn mao du UP hoc TCP co th duoc gn vao trong bn tin.
trn lop ung dung dang yu cu dich vu co th dua vao do ma xac dinh duoc la s su
dung loi giao thuc nao. Lop vn chuyn cung co th duoc loi dung d lam tn hi dn
muc tiu CIA theo mt s cach nhu sau:
Su dung cac cng UP va TCP
Bng cach bit duoc truong va d dai cua don mao du, cac cng duoc su dung d
trao di thng tin giua 2 may tinh co th duoc xac dinh va thng tin do co th duoc su
dung d pha hoi.
Lop Din Tu 7 - K48
42
Nguyn Ba Hiu Bo mt mng bng cng ngh Iirewall
Tn cng tu chi dich vu
Voi tn cng tu chi dich vu o muc nay, cac giao thuc IP don gin va cac tin ich co
th duoc su dung d lam qua ti kh nng phuc vu cua may tinh, vi th lam tn hi dn
muc tiu CIA. Vi du nhu bng cac hiu bit v phuong phap bt tay 3 buoc TCP, ke
tn cng co th gui di cac goi tin theo cac thu tu sai va pha hoi tinh sn sang phuc vu
cua mt may chu. Vi du chung gui di rt nhiu cac goi tin SN va bo do phin kt ni
lam cho server phi tn b dm va thoi gian cho cac thng tin thit lp kt ni k tip
theo thu tuc bt tay 3 buoc. Nu hacker thanh cng trong vic mo ra toan b cac phin
kt ni co th thi cac cac kt ni tht su khac khng th mo ra duoc khi khng co yu
cu va r rang la server khng th phuc vu duoc.
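The half-open connections described above are what a defender looks for. As an added example (not from the thesis), the Python below tracks SYN/ACK/RST events per connection and reports sources whose handshakes were left incomplete beyond a timeout; the `TcpEvent` type and the sample capture are constructed here.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class TcpEvent:
    """One observed TCP segment, reduced to what handshake tracking needs."""
    ts: float       # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "S" client SYN, "A" client ACK completing the handshake, "R" reset


def stale_half_open(events: Iterable[TcpEvent], now: float, timeout: float) -> Dict[str, int]:
    """Count, per source address, handshakes opened with a SYN but never
    completed with an ACK (or torn down with RST) within `timeout` seconds."""
    pending: Dict[Tuple[str, int, str, int], float] = {}
    for e in sorted(events, key=lambda e: e.ts):
        key = (e.src, e.sport, e.dst, e.dport)
        if e.flags == "S":
            pending.setdefault(key, e.ts)        # first SYN opens the half-open entry
        elif e.flags in ("A", "R"):
            pending.pop(key, None)               # handshake completed or torn down
    counts: Dict[str, int] = defaultdict(int)
    for (src, _, _, _), opened in pending.items():
        if now - opened >= timeout:
            counts[src] += 1
    return dict(counts)


def syn_flood_sources(events: Iterable[TcpEvent], now: float,
                      timeout: float = 30.0, threshold: int = 50) -> Dict[str, int]:
    """Sources with at least `threshold` stale half-open connections."""
    return {src: n for src, n in stale_half_open(events, now, timeout).items()
            if n >= threshold}


def build_sample() -> List[TcpEvent]:
    """Constructed capture: one client completing its handshakes,
    one source leaving 120 SYNs dangling against the same web server."""
    events = []
    for i in range(3):                          # legitimate client: SYN then ACK
        events.append(TcpEvent(i, "203.0.113.5", 40000 + i, "192.0.2.10", 80, "S"))
        events.append(TcpEvent(i + 0.1, "203.0.113.5", 40000 + i, "192.0.2.10", 80, "A"))
    for i in range(120):                        # SYNs never followed by an ACK
        events.append(TcpEvent(5 + i * 0.01, "198.51.100.7", 50000 + i, "192.0.2.10", 80, "S"))
    return events


if __name__ == "__main__":
    print(syn_flood_sources(build_sample(), now=60.0))   # {'198.51.100.7': 120}
```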
Session hijacking
This kind of attack occurs after the source and destination hosts have established a connection to exchange information. A third computer disables one host's ability to communicate and then impersonates it. Because the connection has already been established, the third host can compromise the CIA objectives.

d. Identifying attacks at the application layer
Attacks at the application layer are the hardest to deal with, because they exploit weaknesses in the applications and users' lack of security awareness. Some of the methods used to attack at the application layer are:

Exploiting e-mail applications
Attachments can be sent with e-mail messages and delivered into the user's mailbox. Opening the message and viewing the attachments usually requires running applications. The attachments may do harm immediately or may have no effect yet. Similarly, hackers often embed malicious code in messages formatted in HTML (Hypertext Markup Language). These methods exploit weaknesses in e-mail applications as well as users' lack of understanding of e-mail safety.

Exploiting web browsers
When a workstation uses a web browser to connect to a web server and download a web page, the content of that page may be active, meaning the content may be merely static information but may also be executable code. If that code is malicious, it compromises the CIA objectives.

Exploiting file transfer applications
The file transfer protocol is used to transfer files between computers. When a client has to supply a login name and password for authentication, that information is transmitted over the Internet as readable text. At some point along the path the information can be recorded. If that customer reuses the same login name and password to log in to your company's server, a hacker may learn it and use it to access the company's information.

Thus it can be seen that with the same attack technique, an attacker can carry out many different attacks by exploiting weaknesses in the protocols used at each layer. For this reason each layer needs its own suitable countermeasures to protect the CIA objectives. I will present this in detail in the next chapter.
Chapter 3
SECURITY TECHNOLOGIES
Normally, for an enterprise network the security perimeter must be built in several layers in order to guarantee the CIA objectives. In this chapter I analyse the security technologies used at each layer of the TCP/IP model to limit and counter the risks that can occur, as analysed in Chapter 2.

3.1. LAYERED SECURITY TECHNOLOGIES
Users only care about the applications they can use, but to reach those applications, information must travel across the network through many complex layers. Since at every point on the network the information can be a hacker's target, the security practitioner must build an overall picture of the path the information takes and of the appropriate security measures at each layer.
Across the layers of the TCP/IP model, a combination of security methods is usually applied:

Layer 1: here there are packet-filtering policies right on the routers connecting to the service provider; we use the ACLs, firewall and IPS integrated in the IOS software as the first step to block unnecessary services immediately.

Layer 2: use NIPS (network IPS) to observe the data entering and leaving the Internet; when there are signs of an attack or intrusion, it immediately notifies the management centre or, in an emergency, can block those connections right away.

Layer 3: here a firewall with failover capability is used, separating the network into three zones: DMZ, Outside and Inside. Public servers belong to the DMZ and are very strictly protected.

Layer 4: this is the last layer of protection, using NIPS and HIPS installed on the servers. This system detects attacks that have slipped through the outer rings. Here, HIPS watches for signs of attack directly on the operating system and allows notifying the network administrator or freezing the connections in an emergency.

Specifically, these security technologies are organised in layers, in turn, as follows:

[Figure: Layered security model]
3.1.1. Security at the physical level
Securing the network at the physical level is a prerequisite for achieving the CIA objectives for an enterprise's information system.
The physical level refers to the network devices. Protecting those devices means having rules that limit the right to access network resources, which is equivalent to protecting the network devices at the physical level from being tampered with by unauthorised staff. This also protects the network from hackers, attackers and intruders who access a device directly and change its configuration.
Depending on their security clearance, staff have different rights to enter the rooms containing network equipment. All network devices must be secured, from the core routers, cabling, modems, servers and hosts to the storage devices, etc. To maximise protection, these devices must be concentrated in one location with protective systems such as door locks, burglar alarms, fire alarms, air conditioning, backup power supplies, etc.

3.1.2. Security using firewalls
A firewall lets us filter, block or permit packets based on their source address, destination address or the services in use. Firewalls divide the network into several zones, and access from one zone to another is tightly controlled. Placing firewalls in suitable positions does the most to block unauthorised access by hackers.

[Figure: Security using a firewall]

Today there are many approaches to building a firewall system; they fall into two groups: hardware solutions and software solutions.
The hardware solution uses a dedicated hardware firewall device, also called a "hardware firewall". Two of the world's leading vendors in this area are Cisco with PIX and Juniper with Netscreen.
The software solution uses software with firewall functionality, also called a "software firewall". The world's leading software firewall vendor today is Nokia with Checkpoint.
Whether to use a "hardware" or a "software" firewall depends very much on where the firewall sits and on the network equipment already in use in the system. I will present in detail which type to use at which position in Part II of this thesis.

Intrusion Prevention System (IPS) for monitoring, alerting and blocking intrusions
We know that firewalls can only block by service and by destination and source address. But when some services must be left open, such as web, mail and applications, that gives hackers an opportunity to attack, and when the hacker attacks right through those services the firewall becomes completely useless. One of the methods used to scan for and block such actions is an IPS (Intrusion Prevention System).
IPS was developed from IDS (Intrusion Detection System), a system that detects attacks and intrusions on the network. It "captures" packets travelling on the network to analyse them and issue alerts, playing the role of a "surveillance camera" in the network.
Like IDS, IPS is a real-time network security monitoring system aimed at quickly detecting and identifying dangerous attacks from outside and immediately alerting the administrator by e-mail, message, or by logging. Moreover, the system can automatically respond to attacks, for instance by blocking dangerous packets or updating the policies of the firewall, router or switch.
Monitoring systems are classified by monitoring method into: Network-based IPS (NIPS), Host-based IPS (HIPS) and Application-based IPS (AIPS):
Host-based IPS is used to monitor a particular computer or host, especially servers.
Network-based IPS is used to monitor all data flows on the network and compare them with known dangerous signatures. A network IPS for an enterprise network can be placed on a network segment connected directly to the firewall so that all data flows are analysed and acted upon appropriately.
Application-based IPS is used to monitor applications.

[Figure: IPS types]
3.1.3. Security using packet filtering
An intelligent network security system for enterprises does not consist only of security and monitoring appliances; the network devices themselves are also capable of security. Packet filtering can be applied perfectly to components such as routers, firewalls and servers, which can be configured to accept or reject invalid packets based on address or service. This method can block or minimise unauthorised access to network resources, such as information theft or denial-of-service (DoS) attacks.
The method works by examining packets and taking the appropriate action:
- Deny specified types of packets and accept all the rest.
- Accept specified types of packets and deny all the rest.
Cisco network devices also support this packet-filtering method through access control lists (ACLs). ACLs make traffic on the network easier to manage than ever, based on addresses, protocols, and source and destination ports.

[Figure: Security using packet filtering]
3.1.4. Security using encryption methods
This is the process of encrypting data when it leaves a computer according to a defined rule, so that the remote computer can decrypt it. Most computer encryption systems belong to one of two types: encryption using a private key (symmetric-key encryption) and encryption using a public key (public-key encryption).
In a symmetric-key encryption system, each computer has a secret code used to encrypt packets before transmission. This private key must be installed on every computer that exchanges information using private-key encryption, and the computer must know the agreed decryption procedure. The secret code is used to decrypt the packet. For example: you create an encrypted letter in which every character is replaced by the character two positions after it in the alphabet. Thus A is replaced by C, and B by D. You have told your friend that the private key is "shift by 2". Your friend receiving the letter decrypts it with that private key, while others cannot read the letter.
The sending computer encrypts the data with the secret (symmetric) key, then encrypts the symmetric key itself with the recipient's public key. The receiving computer uses its private key, corresponding to the public key, to decrypt the symmetric key, then uses that symmetric key to decrypt the data.
A public-key encryption system uses a combination of a private key and a public key to encrypt and decrypt. The private key is used only on that computer, while the public key is sent to the other computers with which it wants to exchange secured information. To decrypt the encrypted data, the other computer must use the public key it received together with its own private key. A popular public-key encryption program is Pretty Good Privacy (PGP), which lets you encrypt almost anything.
Below are two typical applications of security using encryption:

IPSec (Internet Protocol Security Protocol)
IPSec provides extended security features including better encryption and authentication algorithms. IPSec has two encryption modes: tunnel and transport. Tunnel-mode encryption encrypts both the header and the payload of each packet, while transport-mode encryption encrypts only the payload. Only IPSec-compatible systems have this advanced capability. However, all devices must use a shared key and the firewalls of each network must have equivalent security policy configurations. IPSec can encrypt data transmitted between many kinds of devices, for example:
o router to router
o firewall to router
o PC to router
o PC to server

Security using Virtual Private Network (VPN) connections
One of the ways to encrypt data for remote users is to use VPN technology to strengthen the security of data transmitted over public networks. Basically, each VPN is a separate network that uses a shared network (usually the Internet) to connect sites (separate private networks) or many remote users together. Instead of using a real, dedicated connection such as a leased line, each VPN uses virtual connections routed over the Internet from the company's private network to the remote sites or employees.

[Figure: Remote connection using VPN]

Depending on the type of VPN, remote-access or site-to-site, certain components are needed to form the VPN, including:
Client software for each remote user
Dedicated hardware devices, for example a VPN Concentrator or a Secure PIX Firewall
VPN servers used for dial-up service
A Network Access Server (NAS) for remote VPN users to access
A VPN network and policy management centre

A well-designed VPN meets the following requirements:
Security
Reliability
Scalability (extension and upgrade)
Convenient network management
Good policy management
3.1.5. Security using authentication, authorization and accounting
Security using authentication
The authentication method applied to the network allows identifying users who want to access network applications and services, and performs the task of permitting or restricting access.
With this method, a user has a login ID and password to present to the security servers when they need to access system resources; the login ID and password are then checked by a server running an authentication service such as RADIUS, TACACS or TACACS+.

Authorization
Combined with authentication, authorization can define and manage to what extent a user may access system resources such as directories, files, etc.
Organisations should grant system access to their members on the basis of the minimum necessary, only when there is a genuine need, so that access rights are as low as possible, in order to maximise security and data safety. In addition, to simplify management, authorization should also be based on what users have in common, in order to create groups of users with the same data access rights.

Accounting
An accounting system that can collect activity data, statistics and reports on user access is especially necessary.
This method lets the administrator easily identify possible violations, quickly remedy incidents and trace responsibility, because all information about users' access to network resources is stored in various file formats such as .txt, .xls, etc.
The information collected about users includes the login ID, the number of accesses, the access rights already held and the new access rights.
3.2. GENERAL POLICIES FOR PEOPLE
In every situation people remain the decisive factor in the success of the overall strategy, and security work is no exception to that rule. "People" here means all staff of the organisation; everyone must be aware of their responsibility for the security of the company's information system and must seriously follow the common policies the company sets out. Below are some typical general policies in an enterprise environment:
Identify the resources and components that need protection.
Analyse the threats that could lead to loss of information security.
Analyse in detail the level and requirements of security for each component.
Draw up an overall plan for implementing network security.
Define the security policies.
Plan the application of the security policies throughout the bank.
Apply the policies to users, management and technical staff.
Train users, management and technical staff.
Deploy the technical side and carry out the security processes according to plan.
Test, and fix any errors if problems remain.
Carry out the processes of logging information, reading the information and the alerts, so as to keep updating and adjusting the security policies accordingly, and repeat the steps to bring the new policies into operation. Because attack methods and threats to the system constantly change over time, this is a continuous and regular task.

The above are some of the most basic and effective security methods currently in widespread use in network communication. Each has its own strengths and weaknesses. A firewall, for instance, can block unauthorised access at good speed and with high performance, but it cannot stop traffic that does not pass through it, cannot inspect encrypted data, and cannot block new kinds of attacks. IDS and IPS, on the other hand, can identify new kinds of attacks from signs of abnormal system behaviour and can recognise attacks originating from inside, but they suffer from performance problems and a fairly high false-alarm rate. Viewed as a whole, each method plays a different role at a different position with a different task. An organisation's information system normally needs to use a harmonious, sensible combination of them, depending on the organisation's security needs and financial means.
Part II.
FIREWALL TECHNOLOGY AND APPLICATIONS
As noted above, using firewall technology is one of the most widely used security methods today. So what is a firewall, what techniques is it built on, and how is it applied in practice? These questions are studied closely in this part. For ease of expression, from this part on I will use the term "firewall" instead of the Vietnamese "bức tường lửa".

Chapter I
BASIC FIREWALL CONCEPTS
1.1. HISTORY AND DEVELOPMENT OF FIREWALL TECHNOLOGY
Firewall technology began to appear in the late 1980s, when the Internet was still a fairly new technology in terms of global connectivity and use. The first idea took shape after a series of serious breaches of internetwork security in the late 1980s. In 1988, an employee at the NASA Ames research centre in California sent a memo by e-mail to colleagues: "We are currently under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames." The virus, known as the Morris worm, had spread by e-mail and was at the time a general nuisance even for the most harmless and casual users.
The Morris worm was the first large-scale attack on Internet security. The network community was entirely unprepared for such an attack and was taken completely by surprise. Afterwards, the Internet community decided that the top priority was to prevent any further such attack from occurring, and began working on new ideas, systems and software to make the Internet safe again.
In 1988 the first paper on firewall technology was published, when Jeff Mogul of Digital Equipment Corp developed the first filtering systems, known as packet filtering firewalls. This fairly basic system was the first generation of what would later become a highly developed network security feature. From 1989 to 1990, two researchers at AT&T Bell Laboratories, Dave Presetto and Howard Trickey, developed the second generation of firewalls, known as circuit level firewalls. Papers by Gene Spafford of Purdue University, Bill Cheswick of AT&T Laboratories and Marcus Ranum described the third generation, called application layer firewalls or proxy-based firewalls. Marcus Ranum's research led to the creation of the first commercial product, which Digital Equipment Corporation (DEC) released under the name SEAL. DEC's first large sale was on 13 June 1991, to a chemical company on the East Coast of the USA.
At AT&T, Bill Cheswick and Steve Bellovin continued their research on packet filtering and developed a working model for their own company, based on the architecture of their first-generation firewall. In 1992, Bob Braden and Annette DeSchon at the University of Southern California developed the fourth-generation packet filtering firewall system. The product, called "Visas", was the first system with a colour interface and icons, which could easily be installed as software on operating systems such as Microsoft Windows and Apple's Mac OS and accessed from them. In 1994 an Israeli company named Check Point Software Technologies built this into ready-to-use software, FireWall-1. A second generation of proxy firewalls was based on Kernel Proxy technology. This design has been continuously improved, but its basic features and code are now widely used in both home and commercial computer systems. Cisco, one of the largest network equipment manufacturers in the world, released this product in 1997.
The new FireWall-1 generation strengthens the packet-inspection engine by sharing this function with an intrusion prevention system.
1.2. DEFINITION OF A FIREWALL
Firewall in Vietnamese means "bức tường lửa" (wall of fire). It is used to block and protect information and to prevent illegal access by hackers. A firewall is a hardware- and software-based solution used to inspect data going from outside into a computer or from a computer out to the Internet, or more broadly between the internal network and the Internet, and between the subnets within a company's internal network.

Figure 2.1: The firewall acts as a screen separating the internal network from the Internet

One can say the firewall is a guard whose job is to check the "passport" of every packet coming in or going out. It lets only valid packets through and discards all invalid packets. That is why a firewall is essential for keeping a network safe.

1.3. FIREWALL CLASSIFICATION
1.3.1. Software firewalls:
These are applications that run on operating systems such as Microsoft Windows or Mac OS; Windows XP has one built in. Software firewalls are usually less expensive than hardware ones and are sometimes even free; compared with hardware firewalls, software firewalls are more flexible and can run well on many different operating systems. Some popular software firewalls are ZoneAlarm, ISA and Checkpoint.
1.3.2. Hardware firewalls:
These are dedicated hardware devices with more functions and a higher level of protection than software firewalls, and they are easier to deploy because they do not consume system resources as software firewalls do. Among the vendors specialising in hardware firewalls are Linksys and NetGear. The hardware firewall products widely used today are the ASA and PIX lines from Cisco Systems and Netscreen from Juniper.

1.4. FIREWALL FUNCTIONS
A firewall performs three functions: access control, authentication management and activity logging.
1.4.1. Access Control
As introduced above, there are two types of firewall with two different ways of controlling access: the packet filter and the application proxy server.
1.4.1.1. Where the filtering process takes place
To understand how a firewall works, first consider the path the packets take to reach that firewall. There are three common paths a packet can take, depending on the type of firewall installed. A packet can pass through a firewall at the application layer level, at the operating-system kernel level, or at the network interface card level. Most firewalls control and pass packets through these three levels.

[Figure: Possible packet-inspection points in each protocol layer]

To obtain higher processing speed on routers, the packet filter is implemented in the device's extension on the network interface card, with a special processor that optimises packet processing. Note that at this high speed the processor on the network interface card only supports simple processing rules such as binary comparisons; other services are not supported here.
On routers and other packet-forwarding stations, packet filtering usually takes place at the operating-system kernel level rather than on the network interface card. Filtering is usually executed on dedicated processors, allowing the firewall to filter and inspect more precisely and subtly than on network interface cards with built-in filtering. Moreover, packet processing at the kernel level is faster than at the application layer because scheduling and memory overflow are avoided. However, kernel processing usually requires all the information needed for packet filtering to be held in memory rather than on disk. A packet must be processed and passed without waiting on the disk, which limits the kinds of packets and the number of packets that can be processed at this level.
Processing at the application layer can provide the best security policy. The application level has access to all system resources, including the disk, network card, memory, program libraries and even other processes. The application layer is the top layer in the layered structure of the network protocol, so it is not limited by the layers below it.
1.4.1.2. Packet Filtering
Packet filtering can take place at any of the three packet-processing levels presented above, but it is usually supported at the network interface card level or the kernel level. A packet filter uses the IP address information contained in the packet to decide whether the packet is allowed through or is blocked. Packets that are allowed are forwarded to the destination host or the next router. Packets that are blocked are discarded.
1.4.1.3. Filtering Rules
The filter examines the information in the IP header at the start of the packet. This information includes:

  Field                                 Purpose
  Source IP address                     IP address of the source host that sent the packet
  Destination IP address                IP address of the destination host the packet is going to
  Upper Level Protocol                  TCP or UDP
  TCP or UDP source port number         Port number on the source host sending the packet
  TCP or UDP destination port number    Port number on the destination host that will receive the packet

[Figure: Fields used in IP packet filtering rules]

Once it has this information about a packet, the filter compares it with a set of rules to make a decision. A filtering rule is a combination of a value or a range of values for each of the fields above, and a decision is made when all of the packet's fields match those of a rule. A packet filter checks the validity of packets very simply and very quickly, using only binary comparisons. The permit or deny decision is made as soon as the filter finds a rule that completely matches the information it has about the packet; therefore the ordering of the rules is also very important and helps make filtering faster.
One thing worth noting here is that the list of rules is finite and we cannot foresee every situation in order to write all the rules, so there must be a default rule: if, after examining every rule in the list, the filter still cannot reach a decision, this default rule helps it decide. There are two main ideas for this default rule, deny all or accept all, meaning that all packets whose information does not satisfy the rule set are either all denied or all allowed through.
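The rule matching just described, and the two default policies of section 3.1.3 ("deny listed, accept the rest" and "accept listed, deny the rest"), as an added Python example that is not part of the thesis: each rule holds a value or range per header field, the first fully matching rule decides, and the default applies when nothing matches. The addresses, the "inside"/"outside" interface names and the policy are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One filtering rule: each field is a value/range or None (any); all set fields must match."""
    action: str                        # "permit" or "deny"
    iface: Optional[str] = None
    src: Optional[str] = None          # CIDR prefix
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[PortRange] = None  # inclusive range
    dport: Optional[PortRange] = None

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport is not None and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport is not None and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        return True


class PacketFilter:
    """Ordered rule list; the default rule applies when no rule matches."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default

    def decide(self, p: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, index of the first matching rule), or (default, None)."""
        for i, r in enumerate(self.rules):
            if r.matches(p):
                return r.action, i
        return self.default, None


# Constructed policy: inside network 10.0.0.0/8, DMZ web server 192.0.2.10.
# Rule order matters: the anti-spoofing rule comes first so that a packet
# arriving from outside with an inside source address is dropped before
# any permit rule can match it.
RULES = [
    Rule("deny", iface="outside", src="10.0.0.0/8"),                                   # anti-spoofing
    Rule("permit", iface="outside", dst="192.0.2.10/32", proto="tcp", dport=(80, 80)),
    Rule("permit", iface="outside", dst="192.0.2.10/32", proto="tcp", dport=(443, 443)),
    Rule("permit", iface="inside", src="10.0.0.0/8"),                                 # inside hosts may go out
]
DENY_BY_DEFAULT = PacketFilter(RULES, default="deny")       # accept listed, deny the rest
PERMIT_BY_DEFAULT = PacketFilter(RULES, default="permit")   # deny listed, accept the rest
```

The same packet that reaches port 22 on the web server falls through to the default rule in both filters, which is exactly where the two default policies give opposite answers.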
1.4.1.4. Operation of an application proxy firewall

[Figure: Operation of an application proxy]

The user first establishes a connection to the application proxy on the firewall (1). This application proxy gathers the information relating to each connection and to the user's request (2). The firewall uses this information to decide whether the request may be carried out. If the user's request is appropriate, the proxy on the firewall creates another connection from the firewall to the intended destination (3). The proxy then acts as a shuttle, carrying data between the two connections (4).
Two points should be noted here:
First, the initial connection must be established to the proxy on the firewall rather than directly to the host the user wants to reach.
Second, the proxy on the firewall must obtain the IP address of the destination host.
Before a user or an application wanting to reach the application proxy can do so, it must establish a connection to the firewall, and that connection must use a standard method of providing the name or IP address of the desired destination host. This is not an easy task, because the application-layer protocol is fixed and usually does not support passing the added information. To overcome this there are several solutions that users and applications are obliged to follow.

Direct connection.
This is the first solution: it lets the user establish a connection directly to the firewall via the proxy's address and port number, after which the proxy asks the user for the address of the host they want to reach. This is a crude method that was used by early firewalls, so it is not favoured.

Using a client helper program.
The next solution used in deploying a proxy is to have a helper program installed on the user's machine. The user runs a special application to create the connection to the firewall. The user only has to supply the address or name of the destination host to the helper application. The helper application takes the firewall address from a local configuration file and then establishes the connection to the proxy on the firewall. This solution is effective and transparent for the user, but its limitation is that each client helper program only works with one particular network service.

Using a transparent proxy.
Another method used today for connecting to the application proxy on the firewall is to use a transparent (hidden) proxy. With this solution the user needs neither a client helper program nor a direct connection to the firewall.
Here the basic routing method is used: every connection to external networks must be directed through the firewall. Packets entering the firewall are automatically steered to the desired application proxy. The proxy obtains the destination host address exactly by taking the destination address of the session. In this case the firewall impersonates the destination host and intercepts the session. When a connection is established to the proxy on the firewall, the client application thinks it is connecting to the real destination host. If authorised, the application proxy on the firewall uses a proxy function to create the second connection to the real destination host.
1.4.2. User Authentication.
This is the function that prevents unauthorized access to the internal network. Network operating systems control registered user names and passwords only loosely, and sometimes the authorized user carelessly discloses their own password. The consequences can be very serious, and the problem grows with large networks that have many users. There are two standard protocols most commonly used today in conjunction with a LAN:
RADIUS (Remote Authentication Dial-In User Service)
TACACS (Terminal Access Controller Access Control System Extended)
Typically the authentication function is carried out in cooperation with a hardware device, or with software built into decryption software, following a predefined algorithm and key standard. When an access attempt to the network is made and the user name and password are verified, the authentication manager sends to the computer of the user requesting access a string of characters called the Challenge; the user enters the Challenge string into the Token and receives a new string called the PIN (Personal Identification Number). With the PIN the user can access the network. What is special is that the Challenge and PIN change every minute, and the Tokens can be set and have their Cryptor Key (encryption key) changed by the user, so security is almost absolute.
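The Challenge / PIN exchange above can be modelled as a shared-key challenge-response protocol. The following is an added example, not code from the thesis and not an implementation of RADIUS or TACACS: the server and the user's token share a secret key, the response is an HMAC over the challenge and the current minute, so both the challenge and the expected response change every minute, and each challenge is accepted only once. The user name, the key, the 6-digit response length and the integer "minute" clock are assumptions made for the example.

```python
"""Challenge-response token authentication modelled on section 1.4.2.
Added example (not from the thesis, not RADIUS/TACACS): the server and
the token share a secret key, the response is an HMAC over the challenge
and the current minute, so both change every minute.  User name, key,
response length and the integer minute clock are constructed."""
import hashlib
import hmac
import secrets
from typing import Optional

RESPONSE_DIGITS = 6


class Token:
    """The user's token: given the challenge shown on screen it computes the
    one-time response (the 'PIN' of the thesis) from its secret key."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: str, minute: int) -> str:
        message = f"{challenge}:{minute}".encode()
        mac = hmac.new(self._key, message, hashlib.sha256).digest()
        # Truncate to a fixed number of decimal digits, like a hardware display.
        value = int.from_bytes(mac[:8], "big") % 10**RESPONSE_DIGITS
        return str(value).zfill(RESPONSE_DIGITS)


class AuthServer:
    """The authentication manager: issues a fresh random challenge per login
    attempt and accepts the token's response for the same minute only."""

    def __init__(self):
        self._keys = {}       # user -> shared secret key
        self._pending = {}    # user -> (challenge, minute it was issued)

    def enroll(self, user: str, key: Optional[bytes] = None) -> bytes:
        key = key or secrets.token_bytes(32)
        self._keys[user] = key
        return key

    def issue_challenge(self, user: str, minute: int) -> str:
        challenge = secrets.token_hex(8)
        self._pending[user] = (challenge, minute)
        return challenge

    def verify(self, user: str, response: str, minute: int) -> bool:
        if user not in self._keys or user not in self._pending:
            return False
        challenge, issued = self._pending.pop(user)   # each challenge is single-use
        if minute != issued:
            return False                              # challenge has expired
        expected = Token(self._keys[user]).respond(challenge, issued)
        return hmac.compare_digest(expected, response)


def demo_login(minute: int = 100):
    """Enroll a constructed user, run one successful login, then show that a
    replay of the same response and a response given a minute late both fail."""
    server = AuthServer()
    token = Token(server.enroll("alice"))
    challenge = server.issue_challenge("alice", minute)
    ok = server.verify("alice", token.respond(challenge, minute), minute)
    replay = server.verify("alice", token.respond(challenge, minute), minute)
    late_challenge = server.issue_challenge("alice", minute)
    late = server.verify("alice", token.respond(late_challenge, minute), minute + 1)
    return ok, replay, late
```

The single-use challenge and the minute bound are what give the scheme its replay resistance: a captured response is useless a minute later or for a second login in the same minute.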
1.4.3. Activity Logging and Alarms.
1.4.3.1. Activity logging
To provide the administrator with information about activity on the network, most firewalls record information in log files kept on disk. A complete firewall must record full information about both successful and unsuccessful connections. This information is very useful for promptly detecting holes in the firewall. A standard log file must contain the following information:
Start and end time of a session
Source host address
Destination host address
Protocol used (TCP or UDP)
Port opened on the destination host
Result of the connection (successful or refused)
User name, if authentication is used
In addition it may contain further information such as the number of packets transferred and the number of times the connection was repeated.
1.4.3.2. Alarms
Alarm activity is also very important to the administrator. When a connection is made to the network, the firewall signals it so that the administrator is aware. Alarm activity also reports the error status of packets.
When a packet is blocked and cannot pass the firewall, the firewall's alarm function also sends an alert to the source host stating the reason the packet was dropped.
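As an added example of how the log fields listed above are used, the following Python code parses connection records and produces the summary an administrator would look at first: denied attempts per source and an alarm for any source refused on several different destination/port pairs. This is not code from the thesis; the CSV layout and the log lines are constructed for the example and are not the format of any particular firewall product.

```python
"""Parsing and summarizing firewall connection logs with the fields of
section 1.4.3.1.  Added example: the CSV layout and the sample lines are
constructed and do not follow any real firewall's log format."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

FIELDS = ["start", "end", "src", "dst", "proto", "dport", "result", "user", "packets"]

# Constructed sample log: one connection per line, fields in FIELDS order.
SAMPLE_LOG = """\
2024-03-01T08:00:01,2024-03-01T08:05:10,10.0.0.11,203.0.113.5,TCP,80,accept,alice,342
2024-03-01T08:00:05,2024-03-01T08:00:05,198.51.100.7,10.0.0.20,TCP,22,deny,,1
2024-03-01T08:00:06,2024-03-01T08:00:06,198.51.100.7,10.0.0.20,TCP,23,deny,,1
2024-03-01T08:00:07,2024-03-01T08:00:07,198.51.100.7,10.0.0.20,TCP,445,deny,,1
2024-03-01T08:00:08,2024-03-01T08:00:08,198.51.100.7,10.0.0.21,TCP,3389,deny,,1
2024-03-01T08:01:00,2024-03-01T08:01:30,10.0.0.12,203.0.113.9,UDP,53,accept,bob,4
2024-03-01T08:02:00,2024-03-01T08:02:00,10.0.0.13,203.0.113.9,TCP,25,deny,carol,1
"""


def parse_log(text):
    """Turn the CSV text into a list of dicts with typed fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["start"] = datetime.fromisoformat(row["start"])
        row["end"] = datetime.fromisoformat(row["end"])
        row["dport"] = int(row["dport"])
        row["packets"] = int(row["packets"])
        row["user"] = row["user"] or None     # empty when no authentication was used
        records.append(row)
    return records


def session_seconds(record):
    """Duration of one session, from its start and end timestamps."""
    return int((record["end"] - record["start"]).total_seconds())


def denied_by_source(records):
    """Number of denied connection attempts per source address."""
    return dict(Counter(r["src"] for r in records if r["result"] == "deny"))


def alarms(records, threshold=3):
    """Sources denied on at least `threshold` distinct (destination, port) pairs:
    repeated refusals against many ports are worth the administrator's attention."""
    targets = defaultdict(set)
    for r in records:
        if r["result"] == "deny":
            targets[r["src"]].add((r["dst"], r["dport"]))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= threshold}
```

Recording refused connections, not only accepted ones, is what makes the alarm function possible: with the sample above, only the source refused on four different ports is reported.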
Chapter 2
BASIC FIREWALL ARCHITECTURES
When we speak of data flowing between networks through a firewall, it means that the firewall works in close cooperation with the TCP/IP protocol suite. This protocol works by splitting the data received from network applications, or more precisely from the services running over protocols such as Telnet, SMTP, DNS, SNMP, NFS and so on, into data packets, and then assigning those packets addresses so that they can be routed, identified and reassembled at the destination; firewalls are therefore closely concerned with packets and their addresses. Today firewalls are built on the basis of packet filters, application gateways, stateful inspection, and some other firewall types such as the bastion host firewall. In this chapter I present the three basic firewall architectures following that classification.
2.1. PACKET FILTERING FIREWALL
This type of firewall examines the control parameters in the header field of IP packets to decide whether they may pass through. The parameters of a packet that can be filtered are:
Source IP address
Destination IP address
TCP source port
TCP destination port
In this way the firewall can block connections to particular hosts or networks, or block access to the internal system from disallowed source addresses. Moreover, control over ports lets the firewall permit only certain kinds of connections to a given server, or allow only certain services (Telnet, SMTP, FTP, ...) to run on the internal network.
Figure 2.5: Packet filtering firewall
2.2. PROXY SERVER FIREWALL
A proxy service firewall is a security screening device used to analyze incoming packets. When packets from outside reach the proxy server, they are examined and evaluated to determine whether the security policy allows them into the network. The proxy server not only evaluates IP addresses but also inspects the data in the packets to find and correct errors.
Figure 2.6: Proxy service firewall
There are two basic types of proxy server: the network level gateway and the application level gateway, described below.
2.2.1. Network Level Gateway
This type of proxy server provides controlled connections between the internal and external systems. There is a virtual circuit between the internal user and the proxy server. Internet requests pass through this circuit to the proxy server, and the proxy server forwards them to the Internet after changing the IP address. External users see only the proxy server's IP address. Responses are received by the proxy server and sent to the user through the virtual circuit. Although traffic is allowed to pass, external systems never see the internal system. This type of connection is usually used to connect 'trusted' internal users with the Internet.
2.2.2. Application Level Gateway
An application level proxy server provides all the basic functions of a proxy server and additionally analyzes the packets. When packets from outside arrive at this gateway, they are examined and evaluated to determine whether the security policy allows them into the internal network. The proxy server not only evaluates the IP address but also looks at the data in the packet to stop intruders hiding information in it.
With proxy servers, security policies are much stronger and more flexible, because all the information in the packets is available to the administrator for writing the rules that determine how packets are handled. Everything that happens on the proxy server can easily be monitored. You can also remove machine names to hide the internal system, and can evaluate the content of packets for reasonableness and safety. 'Reasonableness' is an interesting option: you can set up filters to discard any e-mail containing disallowed content.
Figure 2.7: Communication on the network through a proxy server
A typical proxy server can provide proxy services for applications and protocols such as Telnet, FTP (File Transfer Protocol), HTTP (Hypertext Transfer Protocol) and SMTP (Simple Mail Transfer Protocol). This proxy server does not allow any packet to pass directly between the two networks; rather, this type of firewall is designed to strengthen control through the Proxy Service. When an outside host wants to connect to hosts inside the firewall through some service, it must go through the proxy server. If the service and the outside host are not forbidden to pass the proxy, the proxy server finds the destination host inside the firewall and creates the connection to the outside host; inside hosts wanting to connect outward work the same way. This approach defeats some basic attacks, such as overflowing the firewall's buffers.
However, this type of firewall also has some limitations. It is installed separately for each type of service on the network, for example Telnet, Mail, FTP. If we want to support some service for our network through the firewall, we must add a proxy for that type of service. So whenever a new service appears on the outside network, the firewall administrator must build a proxy policy suited to it. There are two principles for the default proxy policy: either refuse everything that is not proxied, or accept all services that have no proxy service on the firewall. But both approaches bring new security risks and inconveniences for the network inside the firewall.
2.3. STATEFUL PACKET FILTERING
One problem with the proxy server is that it must evaluate a large amount of information in a large number of packets. In addition, a proxy must be installed for each application. This affects performance and increases cost. With the stateful inspection technique, the bit patterns of a packet are compared with known 'trusted' packets.
For example, if you access an outside service, the proxy server remembers everything about the original request, such as the port number and the source and destination addresses. This 'remembering' is called keeping state. When the outside system responds to your request, the firewall server compares the received packets with the stored state to determine whether they are allowed in.
At the moment a TCP or UDP connection is established inbound or outbound, its information is placed into a table called the 'stateful session flow table'.
This table, also called the state table, contains information about the source address, destination address, port, TCP sequence number information and additional flags for each TCP or UDP connection, each of which is associated with a particular session. This information creates the connection objects, and inbound or outbound packets are then compared against the sessions in the 'stateful session table'. Data is only allowed through the firewall if a corresponding connection already exists that confirms the traffic.
2.4. BASTION HOST FIREWALL
This is a host configured to stop every attack from the outside. It is the point of direct contact with the untrusted outside network and is therefore the most exposed to attack. There are two forms of bastion host.
Figure 2.8: Bastion host
2.4.1. The first form is a bastion host with two network cards
One card connects to the internal network and the other connects to the outside network (the Internet). This is a very early form of firewall; it requires inside users to connect to the firewall before working with the outside network. With this solution the firewall isolates the inside network from the outside network by means of bastion hosts, but it also makes connections between inside users and the outside network somewhat unnatural.
2.4.2. The second form is a bastion host with one network card
It is connected directly to a separate system on the network (a proxy server or application level gateway). This gateway provides inbound and outbound control. The router has several functions in this configuration: not only does it direct packets to the internal system, it also allows or forbids internal systems to open connections to the Internet. The screened subnet architecture adds a further layer of safety to separate the internal network from the Internet, so that the internal network is protected from attack if the bastion host is compromised.
Chapter 3
OPERATING PRINCIPLES OF THE FIREWALL TYPES
3.1. OPERATION OF A 'SOFTWARE' FIREWALL
As stated in chapter 1 of this part, a 'software' firewall is an application that controls traffic between networks, or between a system and the Internet. One of the simplest and most widely used software firewalls today is ISA Server 2004. Other software firewall products all share the same general operating characteristics as ISA, so in this section I describe this software in detail as a representative software firewall.
Features of ISA Server 2006
The features of ISA Server are:
- Multi Networking: the ability to set up access policies based on network address, and to configure the firewall to filter information per subnet.
Unique per network policies: the multi networking feature in ISA protects the local network by limiting outbound access of clients to the Internet, allowing outside clients to reach only the servers on the perimeter network, and not allowing outside clients to reach the internal network.
o Stateful inspection of all traffic: allows all network traffic to be monitored.
o NAT and Route network relationships: provides NAT and routing of data for subnets.
o Network templates: provides sample models of some network architectures, together with the rules needed for each template.
- New features for setting up virtual private networks (VPN) and remote access: logging, session management for each VPN server, access policies for each VPN client, and compatibility with VPNs on other systems.
- Security and firewall techniques for the system, such as Authentication and Server Publishing.
- Intelligent caching to speed up network access and reduce the load on the link, and a Web Proxy for sharing Web access.
- Management features such as traffic monitoring, Web-based reporting, and export and import of the configuration via XML.
Application Layer Filtering (ALF): one of the strong points of ISA Server; unlike a traditional packet filtering firewall, ISA can go further and filter packets at the application layer.
Figure 2.9: Operating diagram of ISA Server
3.2. OPERATION OF A 'HARDWARE' FIREWALL
3.2.1. Packet filtering mechanism
The packet filtering mechanism of hardware firewalls such as the Cisco ASA and PIX lines is based on the Access Control List (ACL). So how does an ACL work?
An ACL defines the rules used to block packets travelling on the network. An ACL is a collection of consecutive statements used for comparison against the control information in the header field of IP packets; on that basis the firewall performs one of two actions: block the packet or allow it through. IP access control lists make the router discard packets based on criteria set by the network administrator. The purpose is to stop traffic that is not permitted on the network: this may be to stop an attacker attacking the company's internal network, or simply to stop users reaching system resources they should not and are not permitted to access. The ACL always plays an important role in a company's security control strategy.
3.2.2. Some characteristics of ACLs:
- Packets can be filtered as they enter an interface, before being routed.
- Packets can be filtered as they leave an interface, after being routed.
- Deny is the term meaning that the packet is blocked (filtered), while Permit means the packet is not filtered and is allowed through.
- The filtering logic, i.e. the order of the filtering rules, is configured in access control lists (ACLs).
- At the end of every ACL, traffic that has not matched any condition in the ACL is denied, i.e. it is not allowed through that interface.
3.2.3. ACL classification
There are two basic types of ACL: Standard ACL and Extended ACL. A Standard ACL has a simple structure and is easy to implement, while an Extended ACL has a complex structure and is harder to implement.
3.2.3.1. Standard IP Access Control Lists
These block packets based only on the source IP address in the IP packet header.
A standard ACL operates as follows; assume the ACL is placed on Router 1, with the inbound interface for the traffic being S1 and the outbound interface being E.
Figure 2.10: Operation of a Standard ACL
1. When an IP packet enters interface S1, the packet's source IP address is compared with the rules set out in the ACL statements, to see whether a packet with that source address is allowed through or blocked.
2. If a packet matches the condition of a statement defined in the ACL, the packet is allowed through or blocked accordingly.
3. If no match occurs in step 2, steps 1 and 2 are repeated with the next statement until a matching condition is found.
4. If all statements have been checked and no condition is matched, the packet is denied.
3.2.3.2. Extended IP Access Control Lists
An Extended ACL is both similar to and different from a Standard ACL. As with a Standard ACL, you can apply an Extended ACL to an interface in the inbound or outbound direction. The firewall's IOS likewise compares the packet against the statements one after another in order. If the first statement matches, it stops comparing against the remaining statements in the list and immediately determines the action to take on the packet. All of this behaves the same as a Standard ACL.
The main difference between the two types is that an Extended ACL can use more of the header control information for comparison than a Standard ACL. A Standard ACL can check only the source IP address, whereas an Extended ACL can additionally use the destination IP address, port numbers, application type, MAC address and protocol type. This lets an Extended ACL check and filter more traffic with greater precision and security. However, it is also harder to implement because it is much more complex than a Standard ACL.
3.2.3.3. Comparison of standard ACL and extended ACL
ACL type: Standard ACL and Extended ACL
Parameters that can be compared:
- Source IP address
- Part of the source IP address, using a wildcard mask to indicate the source network
ACL type: Extended ACL only
Parameters that can be compared:
- Destination IP address
- Part of the destination IP address, using a wildcard mask to indicate the destination network
- Protocol type (TCP, UDP, ICMP, IGRP, IGMP and other protocols)
- Source port
- Destination port
- All TCP flows except the first
- IP TOS
- IP precedence
Some examples of Extended ACL statements and the logic they implement
ACL statement: access-list 101 deny ip any host 1.1.1.1
Matching condition: deny all IP packets from any source address going to the host with address 1.1.1.1
ACL statement: access-list 101 deny tcp any gt 1023 host 1.1.1.1 eq 23
Matching condition: deny any TCP packet from any IP address with a port number greater than 1023 going to host 1.1.1.1 on port 23
ACL statement: access-list 101 deny tcp any host 1.1.1.1 eq 23
Matching condition: deny any TCP packet going to the host with address 1.1.1.1 on port 23
ACL statement: access-list 101 deny tcp any host 1.1.1.1 eq telnet
Matching condition: deny any TCP telnet packet going to the host with address 1.1.1.1
ACL statement: access-list 101 deny udp 10.0.0.0 0.255.255.255 lt 1023 any
Matching condition: deny any UDP packet originating from network 10.0.0.0/24 with a source port less than 1023 going to any destination
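The first-match logic of sections 3.2.2 and 3.2.3 (statements compared in order, first match decides, implicit deny at the end) can be seen at work by evaluating packets against the statements in the table above. The following is an added example, not code from the thesis or from Cisco IOS: it parses the page's own deny statements plus a constructed final "permit ip any any", models only the fields the thesis lists (protocol, source and destination address with a wildcard mask, source and destination port with eq/gt/lt), and the sample packets are constructed.

```python
"""First-match ACL evaluation with the implicit deny, for Cisco-style
extended access-list statements.  Added example: not code from the thesis
or from IOS.  Only the fields the thesis lists are modelled; the service
name table and the sample packets are constructed."""
import ipaddress

# Service names accepted where the page writes "eq telnet" (constructed subset).
PORT_NAMES = {"telnet": 23, "ftp": 21, "smtp": 25, "www": 80, "domain": 53}

# The page's deny statements, followed by a constructed explicit permit.
SAMPLE_ACL = [
    "access-list 101 deny ip any host 1.1.1.1",
    "access-list 101 deny tcp any gt 1023 host 1.1.1.1 eq 23",
    "access-list 101 deny tcp any host 1.1.1.1 eq 23",
    "access-list 101 deny tcp any host 1.1.1.1 eq telnet",
    "access-list 101 deny udp 10.0.0.0 0.255.255.255 lt 1023 any",
    "access-list 101 permit ip any any",
]


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_address(tokens, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> ((address, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def _parse_port(tokens, i):
    """Optional 'eq|gt|lt PORT' -> ((op, port) or None, next index)."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt"):
        name = tokens[i + 1]
        return (tokens[i], PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line):
    """Parse one access-list statement into an access control entry (ACE)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line}")
    ace = {"list": t[1], "action": t[2], "proto": t[3]}
    ace["src"], i = _parse_address(t, 4)
    ace["sport"], i = _parse_port(t, i)
    ace["dst"], i = _parse_address(t, i)
    ace["dport"], i = _parse_port(t, i)
    return ace


def _address_matches(spec, address):
    # Wildcard mask: a 1 bit means "don't care", so only the 0 bits are compared.
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return address & care == net & care


def _port_matches(spec, port):
    if spec is None:
        return True
    op, value = spec
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def evaluate(acl, packet):
    """Walk the ACEs in order; the first match decides.  Returns (action, index),
    or ('deny', None) when nothing matched: the implicit deny at the end."""
    for index, ace in enumerate(acl):
        if ace["proto"] != "ip" and ace["proto"] != packet["proto"]:
            continue
        if not _address_matches(ace["src"], _ip(packet["src"])):
            continue
        if not _address_matches(ace["dst"], _ip(packet["dst"])):
            continue
        if not _port_matches(ace["sport"], packet.get("sport", 0)):
            continue
        if not _port_matches(ace["dport"], packet.get("dport", 0)):
            continue
        return ace["action"], index
    return "deny", None


ACL = [parse_ace(line) for line in SAMPLE_ACL]


def packet(proto, src, sport, dst, dport):
    """Constructed packet header with the fields the ACL can compare."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}
```

Because the first entry already denies all IP traffic to 1.1.1.1, the three more specific TCP entries after it can never match; evaluating a telnet packet to that host returns index 0, which is the ordering point made in section 3.2.3.2.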
3.2.4. Applying ACLs
The IOS software in routers and firewalls applies the filtering logic of an ACL as packets enter or leave an interface of the device. In other words, IOS binds an ACL to an interface, dedicated to the inbound or the outbound traffic on that interface. After choosing the router or firewall on which to place the ACL, the interface must be chosen, as well as the direction (inbound or outbound) to which the filtering logic applies.
Figure 2.11: Movement of packets between interfaces with different security levels
In the default configuration of firewall devices, the inbound (inside) interface has security level 100, the highest level, while the outbound (outside) interface has the lowest security level, 0. Nothing is as secure as the internal network, and nothing is less secure than the outside network. After address translation is configured, by default all outbound communications from a more secure interface to a less secure one are permitted, while all traffic from a less secure interface to a more secure one is forbidden.
An ACL applies to one interface in one direction; that is, for each interface in each direction (inbound or outbound) one ACL can be applied.
An ACL on an interface permits or denies packets that initiate a connection inbound or outbound on that interface.
An ACL only needs to describe the application's initiating packet; it need not consider the application's return packets, thanks to the three-way handshake mechanism.
If no ACL is applied to a firewall interface, that interface applies the default policy:
Outbound packets are permitted
Inbound packets are forbidden
An ACL uses the 'access-list' command to permit or block traffic on the network. The rules for designing and implementing ACLs are as follows.
When traffic goes from a zone of higher security to a zone of lower security:
The ACL is used to block outbound traffic
The source address used for comparison in the ACL must be the real address of a host on the network
When traffic goes from a zone of lower security to a zone of higher security:
The ACL blocks inbound traffic
The destination address used for comparison in the ACL statement must be the address translated into the global IP address, i.e. the address usable on the Internet.
One thing to note is that the ACL is always checked before the address translation process takes place on firewall devices.
Figure 2.12: Zoning function of the firewall
Operation of HTTP traffic into the DMZ
In the figure, the network administrator needs to allow users on the Internet to access the company's public Web servers. The Web server is placed in the DMZ, separated from the remaining zones of the local network by the firewall. By default, all access from the Internet to servers in this zone is denied. To grant access to Internet users, the administrator must perform the following steps:
Configure static address translation for the Web servers; in this way the real addresses of the Web servers are not visible to users on the Internet.
Configure an inbound ACL granting access to particular hosts or protocols of the internal network.
Apply the ACL to the appropriate interfaces.
Network Address Translation (NAT)
Born in 1994, NAT has become a popular technique for saving addresses at branch offices, and is also a way to hide one's network topology from the Internet. Francis and Egevang published a number of recommendations on the use of NAT (Request For Comments about NAT).
Today NAT is the main tool for easing the shortage of IP addresses on the Internet. Internal networks normally use the groups of IP addresses defined in RFC 1918. Since these addresses are designated for internal use only, that is, private addresses, NAT was devised to meet the need to connect to the Internet. NAT is sometimes used to number a company's internal addresses, for example in case the Internet provider changes.
NAT prevents outside networks from learning the IP addresses of the internal network behind the firewall. It does this by translating IP addresses that are not unique on the Internet (local IP addresses) into unique (global) addresses accepted on the Internet before the packets are forwarded to the outside network.
Figure 2.13: The address translation process
When an IP packet is sent from a device on the inside network to the outside, it must pass through the firewall configured for NAT. If the device's address is not already in the table, it is translated: a new record is created for the device and it is assigned an IP address from a range of mapped IP addresses called the pool. The mapped addresses in this pool are global addresses. After translation the address translation table is updated and the packets with translated addresses are forwarded. If during the allowed waiting period (by default 3 hours, a user-configurable timeout period) no packet is translated for that IP address, the record is deleted from the table and the mapped address becomes free again for another device on the inside going out.
In the figure, host 10.0.0.11 initiates a connection to the outside. The firewall translates the source address to 192.168.0.2. Packets from host 10.0.0.11 are seen from the outside with source address 192.168.0.2. Reply packets to that host from the outside server at 192.168.1.11 are addressed to the mapped address 192.168.0.2.
3.3. Configuring NAT
3.3.1. Configuring NAT on multiple interfaces
Figure 2.14: Configuring NAT on multiple interfaces
When configuring multiple interfaces, one thing to remember is that the security level indicates whether an interface is inside (trusted) or outside (untrusted) relative to the other interfaces. An interface is considered inside relative to other interfaces if its security level is higher than theirs, and outside relative to other interfaces if its security level is lower than theirs.
The first rule about security levels is that an interface with a higher security level can reach an interface with a lower security level. Connections between them are all allowed unless denied by the administrator. The nat and global commands together let our network use any addressing plan and hide its real addresses from the outside network.
Figure 2.15: Address translation from the inside network to the outside network
The firewall supports two kinds of address translation:
3.3.2. Dynamic address translation:
Translates the addresses of hosts on higher-security interfaces into a range of addresses on lower-security interfaces. This lets users share the registered addresses while hiding their real inside IP addresses, so that users on the Internet cannot see them.
3.3.3. Static address translation:
Provides a fixed one-to-one mapping between an IP address on a higher-security interface and an IP address on a lower-security interface. This lets a host on the inside network reach a host of lower security, for example a server out on the Internet, without revealing its real IP address. Examples of static translation are static NAT and identity NAT.
3.3.4. Port Address Translation
Normally a company's network receives only a small number of IP addresses from its Internet service provider (ISP), while the number of computers in the network is very large. To handle this situation we configure PAT, an enhanced form of NAT.
With PAT, many different connections originating from many different inside hosts can be combined by mapping them to the same IP address. The combining identifier is the source port number. In the figure, the IP addresses of two inside hosts are translated to the translated address 192.168.0.2 with source ports 1024 and 1025.
Firewall devices use the PAT feature to extend the address range available to a company because:
One global IP address can be used for nearly 64,000 inside hosts going out.
PAT maps TCP and UDP port numbers onto the same IP address to distinguish the hosts on the internal network.
PAT hides the source IP address of internal hosts by using the IP address assigned by the firewall.
PAT can be used together with NAT.
A PAT address can be a virtual address, different from the global address.
Do not use PAT when running multimedia applications through the firewall, since these applications need particular ports and this can conflict with the port numbers assigned by PAT.
In the following PAT example, company XYZ has only three registered addresses: one for the router on the perimeter, one for the firewall and one for mapping.
Example:
ip address inside 10.0.0.1 255.255.255.0
ip address outside 192.168.0.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.0.1
IP addresses are assigned to the inside and outside interfaces. The registered IP address 192.168.0.3 is placed in the address range used for mapping, and that address is shared by the internal network 10.0.0.0 to reach the outside through the commands:
nat (inside) 1 10.0.0.0 255.255.0.0
global (outside) 1 192.168.0.3 netmask 255.255.255.255
Each port assigned to a host in the network is unique, and the port number must be greater than 1023.
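The three translation forms of sections 3.3.2 to 3.3.4 (dynamic NAT from a global pool with the 3-hour idle timeout, static one-to-one NAT, and PAT with a unique port above 1023 per inside connection) are shown together in the following added example. It is a Python simulation, not code from the thesis or from any Cisco device; the pool address 192.168.0.3, the PAT address 192.168.0.2 and the timeout are taken from the page's values, while the inside hosts, the static mapping and the integer clock of seconds are constructed.

```python
"""Dynamic NAT, static NAT and PAT, modelled on sections 3.3.2 to 3.3.4.
Added example, not code from the thesis or from any firewall product.
Pool, PAT address and timeout follow the page; hosts and clock are
constructed."""

IDLE_TIMEOUT = 3 * 3600   # page: default 3 hours, user-configurable


class Translator:
    def __init__(self, pool, pat_address, static=None, idle_timeout=IDLE_TIMEOUT):
        self.pool = list(pool)                 # free global addresses for dynamic NAT
        self.pat_address = pat_address         # one global address shared by many hosts
        self.static = dict(static or {})       # inside ip -> global ip, fixed one-to-one
        self.static_rev = {g: i for i, g in self.static.items()}
        self.nat = {}        # inside ip -> [global ip, last seen]
        self.nat_rev = {}    # global ip -> inside ip
        self.pat = {}        # (inside ip, inside port) -> [global port, last seen]
        self.pat_rev = {}    # global port -> (inside ip, inside port)
        self.next_port = 1024                  # page: PAT ports must be above 1023
        self.idle_timeout = idle_timeout

    def expire(self, now):
        """Drop records idle longer than the timeout; a freed pool address is reusable."""
        for inside, (gip, seen) in list(self.nat.items()):
            if now - seen > self.idle_timeout:
                del self.nat[inside]
                del self.nat_rev[gip]
                self.pool.append(gip)
        for key, (gport, seen) in list(self.pat.items()):
            if now - seen > self.idle_timeout:
                del self.pat[key]
                del self.pat_rev[gport]

    def outbound(self, src, sport, now):
        """Translate an inside (address, port) going out; returns (global ip, port)."""
        self.expire(now)
        if src in self.static:                 # static NAT: fixed mapping, port unchanged
            return self.static[src], sport
        if src in self.nat:                    # existing dynamic NAT record
            self.nat[src][1] = now
            return self.nat[src][0], sport
        if self.pool:                          # dynamic NAT: take an address from the pool
            gip = self.pool.pop(0)
            self.nat[src] = [gip, now]
            self.nat_rev[gip] = src
            return gip, sport
        key = (src, sport)                     # pool exhausted: fall back to PAT
        if key not in self.pat:
            gport = self.next_port
            self.next_port += 1
            self.pat[key] = [gport, now]
            self.pat_rev[gport] = key
        self.pat[key][1] = now
        return self.pat_address, self.pat[key][0]

    def inbound(self, dst, dport, now):
        """Map a packet arriving at a global (address, port) back to the inside host;
        None means there is no translation and the packet is dropped."""
        self.expire(now)
        if dst in self.static_rev:
            return self.static_rev[dst], dport
        if dst in self.nat_rev:
            inside = self.nat_rev[dst]
            self.nat[inside][1] = now
            return inside, dport
        if dst == self.pat_address and dport in self.pat_rev:
            key = self.pat_rev[dport]
            self.pat[key][1] = now
            return key
        return None
```

The order of the checks in outbound mirrors the page: static entries take precedence, the pool is used while it lasts, and PAT multiplexes the remaining hosts onto one address by source port; inbound packets that match no record are dropped, which is how the inside addressing stays hidden.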
3.4. Controlling and monitoring connections through the firewall
In firewall products, one of the important features is transport and connection handling. With IP there are two protocols used to transport sessions on the network, defined at the transport layer: UDP and TCP.
3.4.1. TCP transport
TCP is a reliable, stable, connection-oriented transport protocol. It is easy to track, monitor and protect.
When a session is initiated from a host in the more trusted inside zone, the firewall creates an entry in the session state filter. The firewall can extract sessions from the traffic on the network and actively verify their existence in real time. This state filter maintains the state of connections on the network and checks the subsequent protocol exchanges. When a TCP session is initiated through the firewall, the firewall records the state of the traffic and looks for acknowledgement from the device that is the destination of the traffic. The firewall then allows the two devices to exchange information. When a TCP session is established through the firewall, the following process takes place:
Step 1: the first IP packet from the inside host causes a translation slot to be created. The TCP information is attached and then used to create a connection slot in the firewall device.
Step 2: the connection slot is marked as embryonic (not yet established).
Step 3: the firewall randomizes the connection's initial sequence number, stores the delta value and forwards the packet to the output.
The firewall now expects a synchronize-acknowledge (SYN-ACK) packet from the destination. The firewall then matches the received packet with the connection slot, computes the sequencing information and forwards the packet back to the inside host.
Figure 2.16: Creating a TCP connection from the inside to the outside
Initiating a TCP connection from inside to outside:
Step 1: the inside host completes connection initiation through the three-way handshake, receiving the acknowledgement that the connection has been established successfully.
Step 2: the connection slot on the firewall is marked as connected, or active-established. The initial buffer is then reset for this connection.
3.4.2. UDP transport
UDP is a connectionless protocol; it is efficient for services that do not need high reliability, and it is also a transport protocol that is very hard to monitor and secure.
The firewall must use other methods to ensure its safety. Applications using UDP are very hard to secure absolutely, since UDP has no handshake or sequence numbers. It is very hard to determine the current state of a UDP exchange, and just as hard to maintain the state of a session, since it has no clear beginning, exchange state and end. Nevertheless, firewall devices create UDP connection slots when a UDP packet is sent from a higher-security interface to a lower-security interface.
All returning UDP packets that match the connection slot are forwarded to the inside network.
When a UDP connection slot has been idle for longer than the configured idle time, the connection is removed from the connection state table. Some characteristics of UDP:
UDP is unreliable but an efficient transport protocol
Forging UDP packets is very easy because there is no three-way handshake or sequence numbering. Without state checking it is also very hard to determine the current state of a session.
UDP has no delivery guarantee mechanism
There is no connection setup and teardown mechanism
UDP has no congestion prevention and control mechanism
Services using UDP can be divided into two groups:
- Request-response or ping-pong services, such as the Domain Name System (DNS)
- Data streaming services such as video, VoIP and network file transfer
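The slot life cycle described in sections 2.3 and 3.4 (an outbound SYN creates an embryonic slot, the SYN-ACK and final ACK move it to established, only packets matching an existing slot are let back in, and UDP slots are created by the first outbound packet and expire when idle) is shown in the following added example. It is a Python simulation, not code from the thesis or from any firewall product; the timeouts, addresses and packet sequence are constructed, and the TCP teardown is simplified to "both FINs seen, then one final ACK".

```python
"""Stateful connection tracking for TCP and UDP, following the slot life
cycle of sections 2.3 and 3.4.  Added example, not code from the thesis or
any firewall product; timeouts, addresses and packets are constructed."""

TCP_EMBRYONIC_TIMEOUT = 30      # seconds a half-open slot may wait for its SYN-ACK
TCP_IDLE_TIMEOUT = 3600         # idle limit for an established TCP slot
UDP_IDLE_TIMEOUT = 120          # idle limit for a UDP slot


def packet(direction, proto, src, sport, dst, dport, flags=""):
    """Constructed packet header. direction is 'out' (inside to outside) or 'in'."""
    return {"direction": direction, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": set(flags)}


class StatefulFirewall:
    def __init__(self):
        # slot key: (proto, inside ip, inside port, outside ip, outside port)
        self.slots = {}

    @staticmethod
    def _key(pkt):
        # A reply is keyed inside-host-first so it lands on the slot the request made.
        if pkt["direction"] == "out":
            return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def _expire(self, now):
        for key, slot in list(self.slots.items()):
            if key[0] == "udp":
                limit = UDP_IDLE_TIMEOUT
            elif slot["state"] == "established":
                limit = TCP_IDLE_TIMEOUT
            else:
                limit = TCP_EMBRYONIC_TIMEOUT   # half-open slots are not kept for long
            if now - slot["seen"] > limit:
                del self.slots[key]

    def process(self, pkt, now):
        """Return 'permit' or 'deny' for one packet and update the slot table."""
        self._expire(now)
        key = self._key(pkt)
        slot = self.slots.get(key)
        outbound = pkt["direction"] == "out"
        flags = pkt["flags"]

        if pkt["proto"] == "udp":
            if slot is None:
                if not outbound:
                    return "deny"               # no inside host asked for this
                self.slots[key] = {"state": "udp", "seen": now}
            else:
                slot["seen"] = now
            return "permit"

        if slot is None:
            # Only an inside host may open a TCP connection through the firewall.
            if outbound and flags == {"S"}:
                self.slots[key] = {"state": "embryonic", "seen": now, "fins": 0}
                return "permit"
            return "deny"

        slot["seen"] = now
        if "R" in flags:                        # a reset ends the connection at once
            del self.slots[key]
            return "permit"

        state = slot["state"]
        if state == "embryonic":
            if not outbound and flags == {"S", "A"}:
                slot["state"] = "syn_received"
                return "permit"
            return "permit" if outbound and flags == {"S"} else "deny"   # SYN retransmit
        if state == "syn_received":
            if outbound and flags == {"A"}:
                slot["state"] = "established"   # handshake complete
                return "permit"
            return "permit" if not outbound and flags == {"S", "A"} else "deny"
        if state == "time_wait":
            del self.slots[key]                 # the final ACK after both FINs
            return "permit"
        # established or closing: data flows both ways; count the FINs
        if "F" in flags:
            slot["fins"] += 1
            slot["state"] = "time_wait" if slot["fins"] == 2 else "closing"
        return "permit"
```

Two things the simulation makes visible: an inbound SYN with no slot is denied even though the same 4-tuple would be permitted once the inside host opened it, and a slot that never receives its SYN-ACK disappears after the short embryonic timeout rather than occupying the table.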
3.5. Mt s k thut khc dc s dng trong firewall
3.5.1. Ky thut thm k an toan
An toan tuyt di la khng th co, vi th nht thit phai tin hanh ghi giu va
phn tich nhung su vi c phat sinh trn mang luoi, di voi mt s khai thac tin tuc nhay
cam duoc bao h cua mang luoi phai duy tri vic lun lun ghi giu, va thng qua cac
loai bin bao, ca nh bao kha c nhau tin hanh bao cao cho nhn vin quan ly h thng. Vi
du nhu trn dai khng ch cua buc tuong lua biu thi nhung tin tuc thuc t co lin quan
dn an toan, phai tin hanh truy tim dng thai di voi thu bao mt khu phi phap, khai
tha c phi phap.
3.5.2. Ky thut loi an toan
Ngoai vi c dung dai ly ra, nguoi ta bt du suy nghi dn:
- Vn d an toan trn tng thu cua h thng khai thac. Vi du xem xet vic ct bo
b phn co th gy nn vn d an toan trong li kernel h thng, hinh thanh mt loi
co dng c p an toan cao hon, tu do lam cho h thng cang an toan, vi du nhu buc tuong
lua PIX cua Cisco...
- H diu hanh an toan nho gia c an toan va cai tao di voi h diu hanh ma co,
nhin tu ca c san phm hin co thi vn d gia c va cai tao di voi loi h diu hanh an
toan chu y u duoc tin hanh o nhung mt sau dy:
Bo vi c diu dng su dung h thng nguy him.
Han ch quy n han chp hanh mnh lnh.
Thu tiu chuc nng chuy n phat IP.
Kim tra mi mt cua ni phn nhom.
ung s thu tu serial number ni tip ngu nhin.
Lop Din Tu 7 - K48
8
Nguyn Ba Hiu Bo mt mng bng cng ngh Iirewall
Giu lai module loc phn nhom.
Thu tiu chuc nng dn duong dng thai.
ung nhiu loi an toan.
3.5.3. Load balancing technique
Server load balancing means that several servers provide the same application service to subscribers outside the network. When a request from the outside network reaches the firewall, the firewall can apply a predefined balancing algorithm to decide which server will complete that request. To the subscriber, all of this is transparent.
3.6. Combining technical measures
The right solution for building a firewall rarely relies on a single technique. It is usually a combination of techniques to solve different problems. Which problems we need to solve depends on the services we want to offer to users and the level of risk we can accept. Which techniques we use to solve those problems depends on the budget, the time available, and the expertise at hand.
Chapter 4
FIREWALL DEPLOYMENT METHODS
4.1. THE ZONING FUNCTION OF THE FIREWALL IN NETWORK SECURITY DESIGN
In network security design there are 3 basic kinds of network to consider: the inside or internal network (inside network), the outside network (outside network), and a third, optional kind, the demilitarized zone or buffer zone, DMZ (demilitarized zone). The firewall is the device that separates or links these zones. A firewall can be a router running a set of firewall features, a server running firewall services, or a dedicated appliance such as CISCO's PIX firewall line; the latter are devices that run only firewall services and carry no further functions such as switching or routing. The following figure illustrates the 3 basic zones in network security design and the positions where firewalls are placed.
Figure: Basic zone architecture in network security design
A firewall separates the areas into 3 security zones. A typical firewall device has 3 or more LAN interfaces: one for the inside network, one for the outside network, and one for the DMZ. Earlier firewalls used by small organizations, or for remote-worker sites, may have only 2 interfaces to separate the inside network from the outside network.
4.1.1. Inside Network
The inside network here refers to the private network within an organization or enterprise. It can be one or more networks comprising all the workstations and servers that are used only internally and not shared with the outside. These devices are considered trusted and need to be protected from the outside world.
Usually the inside network area is under delegated administration and operates under the organization's common security policy. A firewall is usually used to separate the inside network area from the outside, but it may also separate one internal area from other areas of the internal network when that area requires a higher level of security. For example, a school may place a firewall between the students' network and the faculty networks.
4.1.2. Outside Network
The outside network is the network in the public area, belonging to no organization's or enterprise's internal network and lying outside the internal network area. That area is also called the untrusted area; it comprises all devices and networks that are not directly under the organization's administration and security policies. Usually the outside network comprises the border routers, the Internet service provider, the Internet and all the networks attached to it. Threats of attack can come from anywhere in this area.
4.1.3. Demilitarized Zone (DMZ)
The demilitarized zone is made up of one or more isolated LANs; it may contain many shared server resources such as Web servers, DNS servers and e-mail servers. These servers can be seen from the outside world. These shared servers may be called bastion hosts or bastion servers, or even sacrificial hosts.
These bastion hosts must be protected and must be kept at the highest level of security, because they are very exposed to attack from the outside world. Bastion hosts usually run only one specific application that is shared and used in common; all other services are stopped or turned off.
The firewall must be configured to allow access from the outside world into the DMZ relatively easily but in a controlled way, while still protecting the inside network area. Users in the internal network area have restricted access to the servers in the DMZ, and sessions originating from the inside network may also be limited. In general the firewall prevents access from the outside into the inside network, and in most cases inbound accesses from the outside are blocked. One exception is an e-mail server located in the internal network instead of the DMZ.
4.2. BASIC FIREWALL ARCHITECTURE
4.2.1. Basic architecture
In the basic firewall architecture, the firewall controls the traffic going from the inside network (Inside Network) out to the outside networks (Outside Network) and vice versa.
In this architecture the firewall uses its default configuration of 3 ports: one port connected to the inside network with the highest security level, one port connected to the DMZ buffer zone with a lower security level, and a third port with the lowest security level connected to the outside network. As said above, by default all traffic going from a higher-security port to a lower-security port on the firewall is permitted, while traffic going from a lower-security port to a higher-security port is denied. Sometimes there are exceptions (Exception) deliberately made by the administrator.
In the architecture above, the routers separating the inside network from the firewall and the outside network from the firewall not only perform routing and serve as the gateway out of the network but also act as stateless or stateful packet filters (Packet filtering). The servers in the DMZ buffer zone are not only servers providing applications that communicate with people on the Internet but also act as proxy servers.
Figure: Basic firewall architecture
This is the most basic configuration of an ordinary network communicating with the Internet; here the firewall has the default configuration of 3 ports. When the scale and the number of networks in the internal area grow and have different security needs, we use more ports, with a security-level configuration on each port. Not only that, the firewall is also used together with other security technologies to achieve the highest level of protection. Next we consider an extended security architecture that uses a firewall combined with another security technology.
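The default rule of the basic architecture (higher security level to lower is permitted, lower to higher is denied unless the administrator adds an exception, and replies to a permitted session are let back in) can be written down as a small policy evaluator. The following is an added example written for this page, not code from the thesis or from any firewall vendor. It is not limited to three ports: the interface-to-level table can hold as many interfaces as the firewall has, which is how the four-port second firewall in the later Ministry of Finance example would be modelled. The interface names, levels, addresses and the single exception are assumptions.

```python
"""Interface security levels with explicit exceptions and session return traffic.

Added example, not from the thesis or any vendor's code. Traffic from a
higher-security interface to a lower one is permitted by default, traffic
from lower to higher is denied unless an explicit exception exists, and
the reply half of a permitted flow is allowed back. All names, levels and
addresses below are assumptions constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


class LevelFirewall:
    def __init__(self, levels):
        self.levels = levels      # interface name -> security level (0 lowest, 100 highest)
        self.exceptions = set()   # (ingress interface, dst_ip, dst_port, proto) opened by admin
        self.sessions = set()     # 5-tuples of forward flows already permitted

    def allow(self, in_if, dst_ip, dst_port, proto):
        """Administrator exception: let a lower-level interface reach one service."""
        self.exceptions.add((in_if, dst_ip, dst_port, proto))

    def filter(self, pkt, in_if, out_if):
        """Decide for a packet entering on in_if and routed towards out_if."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.sessions:
            return "permit (return traffic)"
        if self.levels[in_if] > self.levels[out_if]:
            self.sessions.add(flow)
            return "permit (higher to lower)"
        if (in_if, pkt.dst_ip, pkt.dst_port, pkt.proto) in self.exceptions:
            self.sessions.add(flow)
            return "permit (exception)"
        return "deny"   # lower to higher, or same level, with no exception


def demo():
    """Three-port layout from the text: inside 100, DMZ 50, outside 0 (assumed values)."""
    fw = LevelFirewall({"inside": 100, "dmz": 50, "outside": 0})
    fw.allow("outside", "203.0.113.80", 80, "tcp")   # public web server in the DMZ
    web_req = Packet("198.51.100.7", 51000, "203.0.113.80", 80, "tcp")
    ssh_req = Packet("198.51.100.7", 51001, "203.0.113.80", 22, "tcp")
    to_inside = Packet("198.51.100.7", 51002, "10.0.0.5", 445, "tcp")
    browse = Packet("10.0.0.5", 40000, "198.51.100.7", 80, "tcp")
    browse_reply = Packet("198.51.100.7", 80, "10.0.0.5", 40000, "tcp")
    dmz_to_inside = Packet("203.0.113.80", 33000, "10.0.0.5", 3306, "tcp")
    return [
        fw.filter(web_req, "outside", "dmz"),        # opened by the exception
        fw.filter(ssh_req, "outside", "dmz"),        # no exception for port 22
        fw.filter(to_inside, "outside", "inside"),   # lower to higher, denied
        fw.filter(browse, "inside", "outside"),      # higher to lower, default permit
        fw.filter(browse_reply, "outside", "inside"),# reply to the permitted session
        fw.filter(dmz_to_inside, "dmz", "inside"),   # DMZ host cannot reach inside
    ]
```

The last case is the one worth noticing: even though the DMZ web server is reachable from outside, a compromised bastion host still cannot open connections into the inside network, because the DMZ sits at a lower level and no exception points inward.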
4.2.2. Dual-Homed System
The system is a computer with at least 2 network cards, as shown in Figure 2.1. In this case routing between the sides corresponding to the sides of the network cards is disconnected, so control of the network traffic can be done entirely by hand. Suppose the system is running a WEB server. If routing is disabled, packets cannot be exchanged between the different networks. For example, if several departments in an organization need to share the same web server but you do not want to create a routing table between the departments, you can use this system configuration. However, hackers can attack through this weak spot if the applications and patches have not been installed.
Figure: Dual-Homed system with 2 network cards
4.2.3. Screened Host architecture
In this case the Router allows Internet users to connect only to a predefined system, the bastion host. The gateway controls all packets going in and out.
Figure: Screening Host architecture
The screening router does a lot of work in this structure: not only does it handle packets to direct them to the systems inside the network, it also allows or disallows the internal network to open connections to the Internet. You can install this configuration based on the security requirements of your system. Chapman and Zwicky have noted that this structure can be broken because it allows packets from the Internet into the internal network, unlike the Dual-Homed system, which blocks all packets from the outside network into the internal one.
4.2.4. Screened Subnet architecture
This case is similar to the Screened Host, except that an additional layer of security is added between the perimeter zone and the internal zone.
Figure: Screened Subnet architecture
The reason for this structure is to protect the internal network in case the bastion host cannot withstand an attack by hackers.
4.3. COMPLEX FIREWALL MODEL
Firewall layout diagram of the Ministry of Finance
Figure: Network infrastructure diagram of the Ministry of Finance
In the diagram above the Ministry of Finance has used 2 protective barriers, namely 2 firewalls placed one after the other, FW1 and FW2. The first firewall, FW1, has 3 ports and controls access from the inside network to the Internet; this firewall still uses the default 3-port configuration. The second firewall, FW2, sits behind FW1 and separates the zones with different security levels within the internal network, using a 4-port configuration: 3 ports attach to 3 different internal networks, namely GE3 towards the data center area, where the servers for the finance sector with the highest security level are concentrated, GE4 towards the network for internal users with a lower security level, and FE2 towards the network area for the servers that play a management role. The remaining port on this firewall leads out to the outside networks. For the zones with different security levels, the ports on the firewall are also configured with the corresponding security level. Like the Ministry of Finance, Techcombank is an organization operating in the financial sector with very high security needs. Here, besides using hardware firewall products such as Cisco's ASA or software firewalls such as Nokia's Checkpoint, they also use them in combination with IPS. All security devices are deployed in pairs to create a reliable redundant structure.
So why is IPS used in combination with the firewall here? The firewall is the first defensive wall against intrusion attacks from outside and is usually the first system that attackers have to get past. Unfortunately, in some cases the firewall can be very complex, leading to the possibility of misconfiguration, which can leave the system unprotected.
Therefore the firewall needs to be accompanied by some additional measures in order to carry out its security policies well. The IPS systems here are deployed as Gateways to detect and prevent network attacks effectively, minimizing network downtime and the costs that affect the network's operating efficiency. These systems are deployed at positions outside the firewall's scope of control and can detect attacks accurately by analyzing network traffic with several methods, in order to reach an accurate conclusion about the true purpose of a connection to the network.
Figure: Network infrastructure diagram of Techcombank bank
4.4. EVALUATING FIREWALLS
4.4.1. What can a firewall do?
a. A firewall is a focus for security decisions
Think of the firewall as a choke point. All traffic in and out must pass through this single narrow choke point. The firewall lets you concentrate security measures at this point: the point where the internal network connects to the Internet. This is more efficient and economical than distributing security decisions and technologies around the network.
b. A firewall can enforce network security policies
Many of the services that users want from the Internet are inherently insecure. The firewall acts like a traffic policeman for these services. It enforces the security policies, letting through only the "permitted" services and only within the rules that have been set for them.
A firewall can enforce some more complex security policies. For example, only some systems within the firewall are allowed to send and receive files from the Internet; using other measures, the firewall can control which users have the right to access those systems.
Depending on the technologies chosen to build the firewall, a firewall may be more or less capable of enforcing such policies.
c. A firewall can log Internet activity efficiently
Because all traffic passes through the firewall, it has the ability to collect information about the use of the system and network as well as its abuse. Also, being a single point of access, the firewall can record what happens between the protected network and the outside network.
d. A firewall can control the parts of an internal network
Sometimes a firewall is used to separate different parts of the same internal network, thereby keeping problems that affect one part from affecting the others. In some cases one part of the network may be more trusted than another, or one part may be more sensitive than another. For all these reasons, the presence of a firewall will limit the damage that one network security problem can do to the whole network.
4.4.2. What can a firewall not do?
A firewall can provide protection against threats from the outside network, but a firewall is not a comprehensive security measure; some threats lie outside the firewall's control. Therefore we need to find measures against those threats by combining physical security, host security and user education into one common security policy.
Some limitations of the firewall:
a. A firewall cannot protect against threats that are already inside
A firewall can control the confidential information that a user sends out of the internal network over a network connection. However, the user can still copy the data to disk, tape or paper and carry it away, which the firewall cannot prevent.
If the attacker is already inside the firewall, there is almost nothing the firewall can do. Internal users can steal data, destroy hardware and software, or alter programs without ever touching the firewall.
Internal threats require internal security measures such as host security and user education.
b. A firewall cannot protect against connections that do not pass through it
A firewall can effectively control the traffic that passes through it; however, the firewall can do nothing about traffic that does not pass through it. For example, what happens if a site allows dial-up access over a telephone line to a system behind the firewall? The firewall has no way at all to prevent intrusion through such a modem.
Sometimes the technical staff who administer the system open backdoors (Backdoor) into the network, such as a temporary or permanent dial-up modem connection. The firewall can do nothing in this case. That is a personnel management problem, not a technical problem.
c. A firewall can hardly protect against new kinds of threats
A firewall is designed to protect against known threats. A well-designed firewall can protect against new threats. For example, by denying everything except a few trusted services, the firewall prevents people from setting up new, insecure services.
However, no firewall can automatically protect against newly emerging threats. Attackers will find new attack methods, possibly using previously trusted services or using attack methods never seen before. Therefore one cannot set up a firewall once and hope that it will protect us forever.
d. A firewall can hardly protect us against viruses
A firewall cannot keep the network out of the reach of viruses. Although many kinds of firewall scan all incoming traffic to decide whether it may enter the internal network, this scanning is mainly of destination addresses, source addresses and port numbers, not the content of the data. Even with sophisticated packet filtering and proxy software, protecting against viruses at the firewall is not very practical. There are simply many kinds of virus, and there are too many ways for a virus to hide itself in data. Detecting a virus in a random packet passing through the firewall is very hard. It requires:
Recognizing the packet as part of the data.
Determining what the virus program looks like.
Determining whether anything has changed when a virus is present.
Even the first of these is already a challenge. Most of the machines the firewall protects each have a different file format. Furthermore, most programs are packaged for transport and compressed. Packets sent over e-mail or Usenet news are also encoded as ASCII characters in many different ways.
For all these reasons, a user can carry a virus through the firewall without paying any attention to the firewall.
The most practical way to deal with the virus problem is to use host-based anti-virus software, together with educating users about the dangers of viruses and how to guard against them.
CONCLUSION
No document can foresee every hole in a system, and no vendor can supply all the necessary tools. The best approach is still to combine solutions and products to create a versatile security mechanism. Among the security solutions available today, the firewall is one of the top priorities.
Reviewing and selecting a suitable firewall product and putting it into operation in accordance with the company's policy is one of the first tasks in securing a system. A firewall can be a hardware or software solution, or a combination of both. The firewall's task is to block direct attacks on the system's important information and to control the information entering and leaving the system. Choosing a firewall appropriate for a system is not easy. Every firewall depends on a particular environment, network configuration and application. When considering and selecting a firewall, one should focus on understanding the firewall's set of functions, its address and packet filtering features, and so on.
No single technology can be a perfect solution for an organization's entire security strategy; however good firewall products are, they reveal their weaknesses, and those weaknesses can be overcome with other technologies such as IPS, IPSec, etc.
When considering and selecting security technologies, one must always keep an overview of the whole picture. The layered security model is a scientific basis on which organizations can select security technologies that suit their needs and financial capacity.
However perfectly the technologies are equipped, neglecting the human factor is still a big mistake. In every plan, people are always placed at the center if it is to succeed. The same holds for a security plan: people are the decisive factor for the level of security when they are highly security-aware, and an incalculable danger when the attacker comes from within the organization itself. The issuing of policies for people must follow existing international standards such as ISO 17799.
Around the world, technology advances day by day, and attack methods become ever newer and more sophisticated. The security technologies an organization deploys must also be improved and updated by the day and hour to counter all such damage in time. People's awareness must also be raised continuously.
Security is now a very hot issue, as information is the most valuable asset of organizations and enterprises. I therefore very much hope that this project gives the reader a general understanding of the concepts related to information security and a detailed view of firewall technology, one of the most widely used technologies today.
With limited time and little practical experience, within the scope of this project I could only introduce part of the issues raised. I hope that after this project I will be able to take a further step in studying security technologies in general and firewalls in particular, in order to put what I have learned to use in work as well as in life.