
ACADEMY OF CRYPTOGRAPHY TECHNIQUES
FACULTY OF INFORMATION SECURITY

GRADUATION INTERNSHIP REPORT

Topic:
RESEARCH ON DEPLOYING A NETWORK SECURITY SOLUTION WITH THE ASA FIREWALL AND AN IDS SYSTEM

Supervisor: MSc Pham Duy Trung
Students: Tran Manh Hung, Nguyen Nhu Hoang
Class: AT6A

HANOI, 2/2014

TABLE OF CONTENTS

TABLE OF CONTENTS ii
FOREWORD v
LIST OF ABBREVIATIONS vi
LIST OF FIGURES AND TABLES vii
CHAPTER 1. OVERVIEW 9
1.1. General assessment of computer network security 9
1.2. Threats 10
1.2.1. Internal threats 11
1.2.2. External threats 12
1.2.3. Unstructured threats 12
1.2.4. Structured threats 13
1.3. Vulnerabilities 13
1.3.1. Security vulnerabilities 13
1.3.2. Classification of security vulnerabilities 13
1.3.2.1. Class C: low severity 14
1.3.2.2. Class B: dangerous 15
1.3.2.3. Class A: very dangerous 16
1.4. Some common attacks 17
1.5. Solutions for detecting and preventing network attacks 20
1.5.1. Measures for detecting that a system is under attack 20
1.5.2. Intrusion detection and prevention solutions 21
CHAPTER 2. THE CISCO ASA FIREWALL 24
2.1. Introduction 24
2.2. Basic functions of the Cisco ASA firewall 25
2.2.1. Operating modes of the Cisco ASA firewall 25
2.2.2. File management 26
2.2.3. Security levels 26
2.3. Network Address Translation (NAT) 29
2.3.1. Concept 29
2.3.2. Some NAT techniques 29
2.3.3. NAT on the Cisco ASA 31
2.4. Access Control List (ACL) 32
2.5. VPN 35
2.5.1. Introduction to VPN 35
2.5.2. Site-to-site VPN 36
2.5.3. Remote access VPN 36
2.5.4. AnyConnect VPN 37
2.6. Some Cisco ASA models 38
2.6.1. Cisco ASA 5510 38
2.6.2. Cisco ASA 5520 39
2.6.3. Cisco ASA 5540 40
2.6.4. Hardware characteristics of the Cisco ASA 5510, 5520 and 5540 security appliances 40
2.6.5. Cisco ASA Security Services Module 42
CHAPTER 3. INTRUSION DETECTION AND PREVENTION SYSTEMS (IDS/IPS) 44
3.1. History of IDS/IPS development 44
3.2. Role and functions of IDS/IPS 45
3.3. Characteristics and system architecture of IDS/IPS 46
3.3.1. Infrastructure of an IDS/IPS system 46
3.3.2. Architecture of an intrusion detection system 47
3.3.2.1. Structure 47
3.3.2.2. Architecture of the IDS/IPS system 48
3.4. Classification of IDS/IPS 51
3.4.1. Host-based IDS/IPS 52
3.4.2. Network-based IDS/IPS 54
3.4.3. Deploying an IDS/IPS system 55
3.4.4. Detection and prevention capabilities of IDS/IPS 58
3.5. Network traffic monitoring system 59
3.6. Alerting system 60
3.7. SNMP and network monitoring systems 61
CHAPTER 4. DEMO 63
CONCLUSION 67
REFERENCES 68

FOREWORD

As society develops, science and technology advance with it. Smart computers have gradually come to play a very important role in today's life. Every field needs computers; a processing device has become more than useful, it is indispensable. Alongside the birth and growth of computers and computer networks comes the problem of information security: preventing intrusion and the theft of information over the network, of personal information both directly and indirectly. Detecting and stopping attacks by hackers aiming to steal data and destroy important material is essential. Through the project "Research and deployment of a network security solution with the ASA firewall and an IDS", we give an overview of current trends in network administration and security, together with an overview of the ASA firewall and IDS/IPS, through configuration steps and the deployment of a network model.

LIST OF ABBREVIATIONS

Abbreviation: Full form
VPN: Virtual Private Network
TCP/IP: Internet Protocol Suite
IPSec: Internet Protocol Security
NAT: Network Address Translation
LAN: Local Area Network
WAN: Wide Area Network
IDS: Intrusion Detection System
IPS: Intrusion Prevention Systems
DoS: Denial of Service
NIDS: Network Intrusion Detection System
HIDS: Host Intrusion Detection System
ACL: Access Control List
NIC: Network Interface Card
ARP: Address Resolution Protocol
DMZ: Demilitarized Zone
PAT: Port Address Translation

LIST OF FIGURES AND TABLES

Figure 2.1. Description of security levels in a network 28
Figure 2.2. Static NAT of a LAN to the Internet 30
Figure 2.3. Dynamic NAT table of a LAN 31
Figure 2.4. The PAT (NAT overload) mechanism 32
Figure 2.5. ACL diagram controlling network access 33
Figure 2.6. Network diagram of a site-to-site IPSec VPN connection 36
Figure 2.7. Network diagram of a Remote Access VPN connection 37
Figure 2.8. Network diagram of an AnyConnect VPN connection 37
Figure 2.9. The Cisco ASA 5500 product series 38
Figure 2.10. Front of the Cisco ASA 5510, 5520 and 5540 41
Figure 2.11. Rear of the Cisco ASA 5510, 5520 and 5540 41
Figure 2.12. Ports of the Cisco ASA 5510, 5520 and 5540 42
Figure 2.13. Cisco ASA Security Services Module 43
Figure 3.1. Operation of an IDS/IPS system 46
Figure 3.2. Infrastructure of an IDS/IPS system 47
Figure 3.3. Sample intrusion detection system 48
Figure 3.4. Components of the IDS architecture 49
Figure 3.5. Autonomous agents for intrusion detection 51
Figure 3.6. Classification of IDS/IPS 52
Figure 3.7. Position of HIDS/IPS in a network 54
Figure 3.8. Position of NIDS/IPS in a network 55
Figure 3.9. Inline deployment model 56
Figure 3.10. Passive deployment model 57
Figure 3.11. Devices used in the alerting system 61
Figure 4.1. Creating 3 Loopback adapters 63
Figure 4.2. Configuring Loopback adapter 1 63
Figure 4.3. Installing Fiddler Web 64
Figure 4.4. Installing Named Pipe TCP Proxy and pointing it at the ASA's serial port path 64
Figure 4.5. Running Tftpd, selecting the Loopback interface address and pointing Current Directory to C: 65
Figure 4.6. Using SecureCRT to configure the ASA firewall 65
Figure 4.7. Accessing https://1.1.1.1/ to install ASDM 66
Figure 4.8. The ASDM interface after installation 66

CHAPTER 1. OVERVIEW

1.1. General assessment of computer network security

Computer network security is now considered one of the most important issues for every country, Vietnam included. According to incomplete statistics from the General Statistics Office, as of 03/2012 the number of Internet subscriptions was about 4.2 million, up 17.5%, and the total number of Internet users had also grown by 15.3%, to about 32.1 million people, compared with the same point in 2011. These figures show that information technology in Vietnam has grown very rapidly in recent years and is expected to keep growing with the spread of smart devices and other equipment. Some Vietnamese enterprises have no plan, or only a small investment plan, for securing their networks, even though they have begun to build network applications to advertise or to publish their company's information in the digital world. According to the information security report published on Information Security Day 2011 about information security in Vietnamese organisations and enterprises in 2011: 52% of organisations still had no standard operating procedure for responding to computer attacks; the adoption rate of specialised or narrower technologies such as encryption, intrusion detection systems, digital certificates and digital signatures was 20%; and notably, advanced network security solutions such as identity management, data loss prevention systems and biometrics accounted for only 5% of all solutions against high-tech crime. [1] Assessing information security over the past years, leading security experts in Vietnam share the view that there have been major upheavals, that attacks are becoming ever more dangerous, and that they cause heavy losses to domestic enterprises [2].

To address this, leading security companies worldwide and in Vietnam continue to research and develop security solution packages, consisting of hardware appliances and software programs for information security and network protection. Security solution vendors such as Juniper (with firewall hardware such as NetScreen), Cisco (with firewall appliances such as the ASA and PIX), more advanced firewall appliances such as Checkpoint, and the IPS from IBM are network and information security hardware products continually brought to market. Alongside the hardware, there are the software applications released by information security vendors to protect information systems; a few well-known names are Symantec (with anti-virus, anti-spam and anti-malware software), Microsoft, Kaspersky, TrenPC, McAfee and SolarWinds, with software packages that are quite complete (by the vendors' own assessment) for security and information safety. The commercial products brought to market by information security vendors in recent years are rated highly for their level of security and performance; however, a complete investment in information security solutions represents, for small and medium enterprises, a considerable cost relative to their business. Current research in Vietnam and worldwide on building an open-source IDS to detect and prevent unauthorised network intrusion is also developing strongly, but in Vietnam the level of real-world deployment of this research is still low, and it remains a major open problem for information security solutions based on open-source software.

1.2. Threats

As noted above, security is a major problem for enterprises today: an intruding computer criminal has a great many different ways to succeed in completely damaging a network or a Web application service of an enterprise.

Many methods have been deployed to reduce the chance of attack, such as developing the network and communication infrastructure on the Internet, and using firewalls, encryption and virtual private networks. Intrusion detection is a technique somewhat similar to using a firewall. The purpose of an intrusion detection system is to notify the administrator when an intrusion or an attack is detected. There may be many different ways to attack, and the intrusion detection system likewise has many ways to detect them. To understand intrusion detection, one first needs to understand how some of the threats to the security of a network work. Usually 4 threats to system security are described, as follows:

1.2.1. Internal threats

The term internal threat describes an attack carried out by a person or an organisation that has access to the network. Attacks from inside are carried out from an area regarded as a trusted zone of the network. This threat may be harder to guard against because employees or organisations with privileges in the network will access the network and the confidential data of the enterprise. Most enterprises today have firewalls at the network borders, and they rely entirely on ACLs (Access Control Lists) and on server access rights to provide internal security. Server access rights usually protect the resources on the server but provide no protection at all for the network. Internal threats usually come from disgruntled employees or organisations who want to turn against the enterprise. Many security methods concern the perimeter of the network, protecting the internal network from external connections such as Internet access. Once the network perimeter is secured, the trusted parts inside tend to be treated less strictly, and once an intruder gets past the hardened security shell of the network, what remains is usually very simple. Wireless networks introduce a new area of security administration. Unlike wired networks, wireless networks create a coverage area that can be intercepted and used by anyone with the right software and a wireless network adapter.

Not only can all network data be viewed and recorded, but attacks on the network can be launched from inside, where the infrastructure is far more exposed. For this reason, strong encryption methods should always be used in wireless networks.

1.2.2. External threats

External threats come from organisations, governments or individuals trying to gain access from outside the enterprise network, and include everyone who has no right of access to the internal network. Typically, external attackers try through dial-up servers or Internet connections. External threats are what enterprises usually spend most of their time and money preventing.

1.2.3. Unstructured threats

Unstructured threats are the most common threat to an enterprise's systems. Novice hackers, often called script kiddies, use software to gather information, gain access or carry out a DoS attack against an enterprise's system. Script kiddies rely on software and on the experience of the hackers before them. Although script kiddies have little knowledge or experience, they can do great damage to unprepared enterprises. While this is just a game to the kiddies, enterprises often lose millions of dollars as well as the trust of the public. If an enterprise's web server is attacked, the public assumes the hacker has broken the enterprise's security, when in fact the hacker has only hit one weak spot on the server. Web, FTP, SMTP and a few other servers host services with many exploitable vulnerabilities, while the important servers sit behind many layers of security. The public usually does not understand that defacing an enterprise's website is far easier than breaking into its credit card database. The public has to trust that an enterprise is very good at protecting its private information.

1.2.4. Structured threats

Structured threats are the hardest to prevent and defend against, because they originate from organisations or individuals who use some kind of methodology to carry out the attack. Hackers with deep knowledge, experience and equipment create this threat. These hackers know how packets are built and can develop code that exploits flaws in the structure of a protocol. They also know the measures used to prevent unauthorised access, as well as IDS systems and how they detect intrusions, and they know methods for evading these protections. In some cases a structured attack is carried out with help from one or more insiders; this is called an internal structured threat. Structured and unstructured threats can be external as well as internal.

1.3. Vulnerabilities

1.3.1. Security vulnerabilities

Security vulnerabilities in a system are weaknesses that can cause denial of service, grant users additional privileges, or allow unauthorised access to the system. Security vulnerabilities can lie in the services provided, such as Web, Email, FTP, etc. In addition, commonly used application programs also contain security vulnerabilities, such as Word, and database systems such as SQL.

1.3.2. Classification of security vulnerabilities

Classifying and understanding security methods is truly important when building a firewall's packet filtering and classification system with the aim of detecting security vulnerabilities. Security vulnerabilities are currently divided into 03 basic classes. Security vulnerabilities in a system are weaknesses that can cause denial of service, grant users additional privileges, or allow unauthorised access to the system. Vulnerabilities can lie in the services provided, such as sendmail, Web, Ftp, etc. Vulnerabilities also exist in the operating system itself, such as Windows NT, Windows 95 and UNIX, or in the applications users work with every day, such as word processors and database systems [4].

1.3.2.1. Class C: low severity

Security vulnerabilities of this class usually allow DoS attacks. DoS is a form of attack that uses the application-layer protocols of the TCP/IP suite to stall or flood the system, leading it to refuse all requests from legitimate users to access or use the system. A large number of packets is sent to the server continuously over a period of time, overloading the system, so that the server responds slowly or cannot respond at all to client requests. Services containing vulnerabilities that allow DoS attacks can be upgraded or repaired with newer versions from the service vendors. At present there is no comprehensive solution to these vulnerabilities, because the design of the Internet-layer protocol (IP) in particular, and of the TCP/IP suite in general, contains the latent risk of these vulnerabilities. Nevertheless, the severity of vulnerabilities of this class is rated C, low, because they only interrupt the system's services for a time without endangering the data, and the attacker gains no unauthorised access to the system. Another common Class C vulnerability is a weakness in a service that allows an attack to stall an end user's system; this kind of attack mainly targets the Web service. With a simple form of attack, such as sending many access requests at once, the system can be hung. This is also a form of DoS attack, and in this case the Website administrator can only restart the system. [4] Another Class C vulnerability common to mail systems is the absence of an anti-relay mechanism, which allows spam mail to be sent. As we know, the e-mail service works by store and forward; some mail systems do not authenticate users when they send mail, which lets attackers abuse these mail servers to send spam. Spam mail is an action aimed at paralysing the system's mail service by sending a large number of messages to unknown addresses; because the mail server always has to spend effort looking up addresses that do not exist, the service stalls. The number of messages can be generated by mail-bombing programs that are very common on the Internet.

1.3.2.2. Class B: dangerous

Vulnerabilities of this class are more dangerous than Class C: they allow internal users to gain higher privileges or unauthorised access. Such vulnerabilities usually appear in the services on the system. A local user is understood as someone who already has access to the system with certain limited privileges. Another form of Class B vulnerability occurs in programs whose source code is written in the C programming language. Programs written in C usually use a buffer, an area of memory used to hold data before it is processed. Programmers usually use a buffer in memory before assigning a block of memory to each piece of data. For example, a user writes a program to enter the user-name field and specifies that this field is 20 characters long, so they declare: char first_name [20]; With this declaration, the user may enter at most 20 characters. When data is entered, it is first stored in the buffer; if the user enters 35 characters, a buffer overflow occurs and the 15 surplus characters end up at an uncontrolled location in memory. Attackers can abuse this vulnerability to enter special characters in order to execute certain commands on the system. Typically this vulnerability is abused by users on the system to gain root privileges illegitimately. Tight control of the system configuration and of programs will limit Class B vulnerabilities. [4]

1.3.2.3. Class A: very dangerous

Class A vulnerabilities are very dangerous: they threaten the integrity and confidentiality of the system. These vulnerabilities usually appear on systems that are poorly administered or whose network configuration is not under control. A common example is found on many systems that use Apache as the Web Server: this Web Server is usually configured with cgi-bin as the default directory for running scripts, and in it there is a ready-made script for testing Apache's operation called test-cgi. In old versions of Apache (before version 1.1) the test-cgi file contains the line: echo QUERY_STRING = $QUERY_STRING. Because the QUERY_STRING environment variable is not placed in quotes, when the client sends a request whose string contains certain special characters, for example the character *, the web server returns the contents of the entire current directory (the directory holding the cgi scripts). The user can thus see the whole contents of the files in the current directory on the server. Another similar example occurs with Web servers running on the Novell operating system: these web servers have a script called convert.bas, and running this script allows the entire contents of files on the system to be read. Vulnerabilities of this class are extremely dangerous because they are present in the software being used; an administrator without deep understanding of the services and software in use may overlook these weaknesses. For old systems, the announcements of security newsgroups on the network must be checked regularly to discover vulnerabilities of this class. A series of commonly used old program versions have Class A vulnerabilities, such as FTP, Gopher, Telnet, Sendmail, ARP and finger [2]. The security classes above can be grouped into 03 basic levels of security weakness as follows:

- Technical weaknesses: weaknesses in protocols, operating systems and hardware devices such as servers, routers and switches.
- System configuration weaknesses: errors created by the administrator, arising from shortcomings in configuring the system, such as failing to protect the confidentiality of customer account information, account systems with easily guessed passwords, and the use of default configurations on devices.
- Security policy weaknesses: the security policy describes how and where security is implemented; it is the key condition for security to be as effective as possible.

1.4. Some common attacks

Many kinds of network attack are known today. Based on the attacker's action they can be divided into 02 types, active and passive. Active attack: the attacker changes the operation of the system and the network while attacking, affecting the integrity, availability and authenticity of the data. Passive attack: the attacker tries to collect information from the operation of the system and the network, breaking the confidentiality of the data. Based on the origin of the attack, attacks can be classified into 2 forms: attacks from inside and attacks from outside, including direct attacks. Internal attacks comprise behaviour that intrudes into the system with the aim of doing damage; the internal attacker is usually someone inside an internal network who takes more information than their privileges allow. External attacks originate from outside the system, such as from the Internet or from remote access connections. External attacks can be direct attacks, which are usually used in the early stage to gain access.

The most common is still guessing user names and passwords. Network criminals may use information about the account holder, such as date of birth, the names of spouse or children, or the telephone number, to guess the account and password in order to take control of an account; typically, for accounts with simple passwords, the criminal guesses the password from the account holder's information alone. Another approach to gaining access by finding another account and its password is to use a password-guessing program; under some favourable conditions this method can succeed up to 30% of the time. Another kind of external attack that should be mentioned is eavesdropping: listening in on network traffic can yield useful information such as user names, passwords and confidential information sent over the network. Eavesdropping is usually carried out right after the attacker has gained access to the system, using programs that put the network interface card (NIC) into a mode that receives all the traffic passing on the network; such programs are also easy to obtain on the Internet. Some other errors related to people and systems are also direct external attacks, but ones of greater complexity and difficulty; the most dangerous is the human factor, because it is one of the weakest points in any security system [3] (quoted from the website quantrimang.com). When a computer network is attacked, a large amount of resources on the server is consumed; how much depends on how much attack capacity the criminal can mobilise, and at a certain limit the server runs out of resources to provide, so that service requests from legitimate users are refused. Launching the attack also depends on the number of zombie computers the criminal controls: with a large number under control, the time needed to attack and bring a network down completely is short and the intensity of the attack rises faster, and the criminal can attack many different networks at once, depending on the degree of control over the zombie computers.

Attacks take many different forms, but usually proceed through the following steps:
+ Reconnaissance: gathering information about the target of the planned attack, using tools to learn the network in full.
+ After gathering information, the criminal looks for information about security vulnerabilities in the system based on what has been found, analyses the network's weaknesses, and uses scanning toolkits to find flaws in that network.
+ With the network's weaknesses in hand, the criminal intrudes into the network with tools such as buffer overflows or denial-of-service attacks.
+ In some attacks, once the intruder has broken in and exploited the network, they maintain their access for exploitation and intrusion in the near future. The criminal may use tricks such as opening a backdoor or installing a trojan to keep their access. Maintaining control of a network gives the criminal the means to exploit it and serve their information needs. In addition, a network whose access has been seized in this way becomes part of a botnet used in further attacks, which may be denial-of-service attacks against another network.
+ Covering tracks. Once an attacker has intruded successfully, they try to maintain that access. The next step is to erase all traces so that no legal evidence of the intrusion remains: the attacker has to delete log files and delete the alerts from the intrusion detection system.
During the information-gathering and vulnerability-scanning stages, the attacker usually makes the network traffic change markedly from normal, and the resources of the server system are also affected significantly. These signs are very useful to the network administrator for analysing and assessing the state of the network. Most attacks proceed in sequence through the steps above.

Recognising that the network is being attacked or intruded upon as early as the first two steps is extremely important. At the intrusion stage, the step is not easy for the attacker; therefore, when unable to break into the system, the attacker is quite likely to resort to a denial-of-service attack to prevent legitimate users from accessing system resources.

1.5. Solutions for detecting and preventing network attacks

1.5.1. Measures for detecting that a system is under attack

No system can guarantee absolute safety; every service has latent security vulnerabilities of its own. From the system administrator's point of view, besides finding and discovering security vulnerabilities, one must always carry out checks on the system for signs of attack. The measures are:
- Check for signs that the system is under attack: the system often hangs or crashes with unclear error messages, and the cause of the hang is hard to determine for lack of related information. First determine whether the cause is hardware; if it is not hardware, consider the possibility that the machine has been attacked.
- Check for new user accounts on the system: unfamiliar accounts, especially any whose uid is zero.
- Check for the appearance of unfamiliar files. These are usually spotted by how files are named; every system administrator should make a habit of naming files according to a fixed pattern so that strange files are easy to detect. Run file-listing commands across the system to check the setuid and setgid attributes of noteworthy files (especially scripts).
- Check modification times on the system, especially of the login and sh programs and of the startup scripts in /etc/init.d, /etc/rc.d, etc.

- Check the system's performance, using utilities that monitor resources and the running processes, such as ps or top.
- Check the operation of the services the system provides. We know that one aim of attacks is to paralyse the system (the DoS form of attack); use commands such as ps and pstat and the network utilities to find the cause on the system.
- Check access to the system through ordinary accounts, in case those accounts have been accessed without authorisation and their privileges changed without the legitimate user's knowledge.
- Check the files related to network and service configuration, such as /etc/inetd.conf; remove unnecessary services, and run services that do not need root under lesser privileges.
- Check the versions of sendmail, /bin/mail and ftp, and follow security newsgroups for information on vulnerabilities in the services in use.
Taken together, these measures form a security policy for the system.

1.5.2. Intrusion detection and prevention solutions

Intrusion detection is a set of techniques and methods used to find suspicious activity on the network. An intrusion detection system is defined as a set of tools, methods and resources that help the administrator identify, assess and report unauthorised activity on the network. Intrusion detection is regarded as a process that decides when an unauthenticated person is trying to intrude into the network illegally. The intrusion detection system examines all packets passing through the system and decides whether a packet is suspicious. The intrusion detection system is equipped with millions of attack-recognition patterns and is updated regularly.

They are truly important and are the first-choice line of defence for detecting and preventing network intrusion. Research on building intrusion detection and prevention systems (IDS/IPS) is developing strongly and will keep developing strongly in the coming years. The commercial products on the market are very expensive, beyond the investment capacity of many enterprises. At the same time, open-source research is also being funded and deployed. Many domestic research projects on open-source IDS/IPS focus mainly on Snort, but in general they have not been widely adopted and still have many limitations: being open-source programs, most have no friendly interface; the alerting component is not built in, or if present is only available through a console or a Web interface that is not yet flexible and convenient for the network administrator; the software is stand-alone (research concentrates on Snort alone), while the need to integrate other monitoring features to improve usefulness has not received attention or development. Furthermore, the signatures of attacks grow ever more sophisticated and complex, requiring the intrusion detection and prevention system (IDS/IPS) to be updated regularly with new signatures. The network administrator also needs to be able to rely on other analyses, such as anomalies in traffic in and out of the system and in CPU and RAM activity, in order to react in time. In addition, the alerting system needs to be deployed in diverse, flexible and convenient forms to give real, practical support to the network administrator. Studies show that most systems share the characteristics of diversity and change. Researching and deploying a network monitoring, intrusion detection and prevention system that is accurate, fast, visual, flexible and convenient is a pressing practical problem. Developing a visual monitoring system that tracks events on the network, such as traffic in and out of a server or switch, or CPU and memory activity, helps the network administrator analyse and respond in time.
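The host checks of section 1.5.1 (uid-0 accounts, setuid/setgid files, recent modification times) and the unquoted QUERY_STRING bug of section 1.3.2.3 beside its quoted fix, as an added example that is not part of the thesis; it runs against a constructed passwd file and directory tree built by make_sample, and all function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thesis): the section 1.5.1 host checks and the
# section 1.3.2.3 test-cgi quoting bug, exercised on constructed sample data.

# 1.5.1: accounts whose uid is 0 but whose name is not "root".
# $1 is a passwd-format file (name:passwd:uid:gid:gecos:home:shell).
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# 1.5.1: regular files under $1 carrying the setuid or setgid bit.
find_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# 1.5.1: regular files under $1 modified within the last $2 minutes, the
# check the thesis suggests for login, sh and the /etc/init.d scripts.
find_recently_modified() {
    find "$1" -type f -mmin "-$2" | sort
}

# 1.3.2.3: the old test-cgi line. Unquoted, a QUERY_STRING of "*" is
# glob-expanded by the shell into every file name in the current directory.
cgi_echo_unquoted() {
    echo QUERY_STRING = $QUERY_STRING
}

# Hardened form: double quotes stop globbing and word splitting, so the
# client's string is echoed back literally.
cgi_echo_quoted() {
    echo "QUERY_STRING = $QUERY_STRING"
}

# Words emitted by function $2 for QUERY_STRING="*" with cwd set to $1.
count_cgi_words() {
    ( cd "$1" && QUERY_STRING='*' && export QUERY_STRING \
        && "$2" | wc -w | tr -d ' ' )
}

# Constructed sample tree (labelled as such): a passwd file with one extra
# uid-0 account, a setuid copy of "sh", and a cgi-bin with three files.
make_sample() {
    dir=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$dir/passwd"
    printf 'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n' >> "$dir/passwd"
    printf 'backdoor:x:0:0::/tmp:/bin/sh\n' >> "$dir/passwd"   # the red flag
    mkdir -p "$dir/bin" "$dir/cgi-bin"
    printf '#!/bin/sh\n' > "$dir/bin/login"
    printf '#!/bin/sh\n' > "$dir/bin/sh"
    chmod 0755 "$dir/bin/login" "$dir/bin/sh"
    chmod u+s "$dir/bin/sh"                    # a setuid shell: what to look for
    for f in a.cgi b.cgi test-cgi; do : > "$dir/cgi-bin/$f"; done
    echo "$dir"
}

sample=$(make_sample)
echo "uid-0 accounts other than root:"; find_uid0_accounts "$sample/passwd"
echo "setuid/setgid files:";            find_setuid_files "$sample"
echo "files changed in the last 5 min:"; find_recently_modified "$sample/bin" 5
echo "unquoted echo word count: $(count_cgi_words "$sample/cgi-bin" cgi_echo_unquoted)"
echo "quoted echo word count:   $(count_cgi_words "$sample/cgi-bin" cgi_echo_quoted)"
rm -rf "$sample"
```

The unquoted variant expands "*" to the three cgi-bin file names (five words in total), while the quoted variant returns the literal three-word line; the same contrast is what leaked the directory listing in the old test-cgi.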

An intrusion detection system built on attack-signature patterns helps to detect network attacks quickly, and combined with a firewall it can counter intrusion attacks. However, because attack signatures grow ever more sophisticated, the detection system must be updated with new signatures regularly. To spot abnormal conditions on the network quickly, the network administrator needs visual graphs of the traffic into and out of the system in order to react in time. An alarm system also needs to be deployed to notify the administrator in certain situations: a server going down, a network service stopping, or a network attack. The alarm system can issue alerts in several forms, such as through the web, by e-mail or by SMS message to the network administrator.


CHAPTER 2. THE CISCO ASA FIREWALL

2.1. Introduction

The Cisco ASA firewall is the most recent technology among the firewall solutions offered by Cisco and is now replacing the PIX firewalls very successfully. ASA stands for Adaptive Security Appliance; it acts both as a firewall and as an anti-malware application. Cisco ASA works by stateful packet inspection: it tracks the state of connections passing through the security device (recording the state of each packet belonging to a connection, identified by protocol or application). Outbound (one-way, outgoing) connections are allowed with very little configuration; an outbound connection is one from a device on a higher-security interface to a device on a lower-security network. The recorded state is used to monitor and check the returning packets. The sequence numbers in TCP packets are randomised to reduce the risk of attack.

Cisco ASA uses a security-zone architecture based on interfaces: trusted interfaces with a high security level and untrusted interfaces with a low security level. The main rule for security levels is that devices in the trusted zone can reach devices in the untrusted zone (called outbound traffic), whereas the low-security zone cannot reach the high-security zone unless an ACL permits it (called inbound traffic):
- Security level 100: the highest security level, usually assigned to the interface of the internal (inside) network.
- Security level 0: the lowest security level, usually assigned to the interface connecting to the Internet or to the untrusted zone, also called the outside.
- Security levels 1-99: may be assigned to the remaining interfaces when the network needs additional zones.

Therefore, when configuring interfaces, make sure each interface is assigned a security-level value according to the protection-zone policy, using the security-level command.

2.2. Basic functions of the Cisco ASA firewall

2.2.1. Operating modes of the Cisco ASA firewall

The Cisco ASA firewall has four main operating modes:
- Monitor mode: shows the monitor> prompt. This is a special mode that allows software images to be updated over the network or the password to be recovered. In monitor mode you can enter commands specifying the location of a TFTP server and of the software or password-recovery file to download. Enter this mode by pressing "Break" or "ESC" immediately after powering on the device.
- Unprivileged mode: shows the > prompt. This mode gives a restricted view of the security appliance. To configure the device, use the enable command. The initial password is empty, so press Enter again to move to the next access mode (privileged mode).
- Privileged mode: shows the # prompt. It allows the current settings to be changed; any command available in unprivileged mode also works here. From this mode the current configuration can be viewed with show running-config. Configuration cannot be done directly in this mode, however; configuration mode must be entered with the configure terminal command from privileged mode.
- Configuration mode: shows the (config)# prompt. It allows all system configuration settings to be changed. Use exit in each mode to return to the previous one.


2.2.2. File management

There are two kinds of configuration file on Cisco security appliances: the running-configuration and the startup-configuration.
- The first, the running-configuration, is the file currently executing on the device and is held in the firewall's RAM. View it by typing show running-config from privileged mode. Any command entered on the firewall is stored directly in the running-config and takes effect immediately. Because the running configuration lives in RAM, if the device loses power, any configuration changes that were not saved beforehand are lost. To save the running configuration, use copy run start or write memory. Both commands copy the running-config into the startup-config, which is stored in flash memory.
- The second, the startup-configuration, is the saved copy of the running-configuration. It is stored in flash memory, so it is not lost when the device reboots, and it is loaded when the device boots. To view the stored startup-configuration, type show startup-config.

2.2.3. Security levels

A security level is assigned to each interface, with a value from 0 to 100, to indicate how trusted that interface is relative to the other interfaces on the device. The higher the security level, the more trusted the interface, and therefore the networks behind it are treated as trusted. Each firewall interface represents a specific network (or security zone), and the security level expresses how much each network zone is trusted. The main rule is that an interface (or zone) with a higher security level can reach an interface with a lower security level, while an interface with a lower security level cannot reach an interface with a higher security level without the explicit permission of a security rule (an Access Control List, ACL). Some typical security levels:
- Security level 0: the lowest security level, assigned by default to the firewall's outside interface. It is normally used for the interface connected to the Internet. No device on the Internet can reach any network behind the firewall unless a rule in an ACL permits it.
- Security levels 1 to 99: these levels can be applied to perimeter security zones such as a DMZ.
- Security level 100: the highest security level, assigned by default to the firewall's inside interface. It is the most trusted level and should be assigned to the network (interface) that is to receive the most protection from the security appliance; it is normally used for the interface connected to the internal network.


Figure 2.1. Security levels in a network.

Access between security levels follows these rules:
- From a higher security level to a lower one: all traffic originating from the higher security level is permitted unless specifically restricted by an Access Control List (ACL).
- From a lower security level to a higher one: all traffic is blocked unless permitted by an ACL. If NAT control is enabled on the device, there must also be a static NAT between the higher- and lower-security interfaces.
- Between interfaces with the same security level: not allowed by default (unless the same-security-traffic permit command is configured).


2.3. Network Address Translation (NAT)

2.3.1. Concept

The depletion of the public IPv4 address space forced the Internet community to find a substitute for addressing hosts on internal networks. NAT was therefore created to solve the problems that arose with the growth of the Internet. Some of the advantages of using NAT in IP networks are:
- NAT helps to reduce the exhaustion of public IP addresses.
- NAT strengthens security by hiding the network topology and addressing.
- NAT, like a router, forwards packets between different network segments of a large network.
- NAT can also be regarded as a basic firewall.

2.3.2. NAT techniques

Static NAT:
- With static NAT, IP addresses are mapped to one another statically through configuration commands.
- Static NAT lets an internal server be reachable from the Internet, because the server always uses the same real IP address.


Figure 2.2. Static NAT from a LAN to the Internet.

Dynamic NAT:
- With NAT, the number of source IP addresses need not equal the number of target addresses; the number of hosts that can share them is generally limited by the number of target addresses available. Dynamic NAT is used to address this problem: an address is mapped to whichever of several addresses is available.


Figure 2.3. Dynamic NAT table of a LAN.

NAT overloading (PAT):
- Maps many private IP addresses to one public address, each private address being distinguished by its port number.
- Up to 65,356 internal addresses can be translated to one public address.
- Some devices that provide NAT, such as broadband routers, actually provide PAT. In general the term NAT is used to include PAT devices.

2.3.3. NAT on Cisco ASA

The Cisco ASA firewall supports two main kinds of address translation:
- Dynamic NAT translation: translates source addresses on a higher-security interface into a range (or pool) of IP addresses on a less secure interface, for outbound connections. The nat command identifies the internal hosts to be translated, and the global command identifies the address range on the outgoing interface. Dynamic NAT translation is configured as follows:

ciscoasa(config)# nat (internal_interface_name) nat-id internal_network_IP subnet
ciscoasa(config)# global (external_interface_name) nat-id external_IP_pool_range

- Static NAT translation: a one-to-one translation between an IP on a more secure interface and an IP on a less secure interface. Static NAT lets hosts on a less secure interface (such as the Internet) reach a server on a higher-security interface. Static NAT translation is configured as follows:

ciscoasa(config)# static (real_interface_name,mapped_interface_name) mapped_IP real_IP netmask subnet_mask

With PAT, many connections from different internal hosts can be multiplexed onto one public IP address, each using a different source port number.
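As an added illustration of the PAT mechanism (not code from the thesis or from Cisco), the following Python model keeps a translation table for dynamic PAT alongside a static one-to-one mapping, and shows why an inbound packet that matches no state is dropped; all addresses are constructed.

```python
"""Stateful NAT/PAT model for section 2.3: static one-to-one NAT for a published
server, dynamic PAT for internal hosts sharing one public address, and the
"basic firewall" effect of dropping inbound packets that match no state.
Added example for this page, not Cisco ASA code; all addresses are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


Key = Tuple[str, int]        # (real IP, real port)


class NatDevice:
    def __init__(self, public_ip: str, static: Dict[str, str]):
        self.public_ip = public_ip            # single mapped address used for PAT
        self.static = static                  # real IP -> mapped IP (one-to-one)
        self.static_rev = {m: r for r, m in static.items()}
        self.fwd: Dict[Key, int] = {}         # (real IP, real port) -> mapped port
        self.rev: Dict[int, Key] = {}         # mapped port -> (real IP, real port)
        self.next_port = 1024

    def _alloc_port(self) -> int:
        """Hand out the next unused mapped port; a real device recycles ports
        when the translation times out."""
        while self.next_port in self.rev:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, p: Pkt) -> Pkt:
        """Translate a packet leaving the higher-security interface."""
        if p.src in self.static:              # static NAT: address changes, port kept
            return replace(p, src=self.static[p.src])
        key = (p.src, p.sport)
        if key not in self.fwd:               # first packet of a flow creates state
            mapped = self._alloc_port()
            self.fwd[key] = mapped
            self.rev[mapped] = key
        return replace(p, src=self.public_ip, sport=self.fwd[key])

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Translate a packet arriving from the lower-security interface.
        Returns None (drop) when neither a static mapping nor PAT state exists."""
        if p.dst in self.static_rev:          # published server is always reachable
            return replace(p, dst=self.static_rev[p.dst])
        if p.dst == self.public_ip and p.dport in self.rev:
            real_ip, real_port = self.rev[p.dport]
            return replace(p, dst=real_ip, dport=real_port)
        return None


def demo() -> dict:
    """Two internal hosts use the same client port 40000; PAT keeps them apart
    by giving each flow its own mapped source port on the public address."""
    nat = NatDevice("203.0.113.1", {"10.0.0.10": "203.0.113.10"})
    a = nat.outbound(Pkt("10.0.0.5", 40000, "198.51.100.7", 80))
    b = nat.outbound(Pkt("10.0.0.6", 40000, "198.51.100.7", 80))
    reply_b = nat.inbound(Pkt("198.51.100.7", 80, "203.0.113.1", b.sport))
    stray = nat.inbound(Pkt("198.51.100.7", 80, "203.0.113.1", 5000))
    to_server = nat.inbound(Pkt("198.51.100.7", 5555, "203.0.113.10", 443))
    return {"a": a, "b": b, "reply_b": reply_b, "stray": stray, "to_server": to_server}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```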

Figure 2.4. The PAT (NAT overload) mechanism.

2.4. Access Control List (ACL)

One of the essential elements for managing network traffic is the access-control mechanism, also known as the Access Control List.

Figure 2.5. ACL controlling network access.

An Access Control List is a list of permit or deny statements for traffic from a source to a destination. Once an ACL is configured, it is applied to an interface with an access-group command. If no ACL is applied to an interface, outbound traffic (from inside to outside) is permitted by default and inbound traffic (from outside to inside) is denied by default. An ACL can be applied (with the access-group command) in either of the two traffic directions on an interface, "in" and "out": the "in" direction controls traffic entering an interface, and the "out" direction controls traffic leaving an interface. How ACLs are applied:
- For outbound traffic (from a higher security level to a lower one), the source-address parameter in an ACL entry is the real address of the host or network.
- For inbound traffic (from a lower security level to a higher one), the destination-address parameter in the ACL is the translated (mapped) IP address.
- ACLs are always checked before address translation is performed on the security appliance.
- Besides restricting traffic through the firewall, an ACL can also serve as a selection mechanism for applying other actions to the selected traffic, such as encryption, translation, policing and quality of service.

The ACL configuration command:

ciscoasa(config)# access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask [operator source_port] dest_address mask [operator dest_port]

The command that applies an ACL to an interface:

ciscoasa(config)# access-group access_list_name [in|out] interface interface_name

Parameters of the commands:
- access_list_name: a descriptive name for the ACL; the same name is used in the access-group command.
- line line_number: each ACL entry has its own line number.
- extended: used when both the source and the destination address are specified in the ACL.
- deny|permit: specifies whether the matching traffic is permitted or denied.
- protocol: the traffic protocol (IP, TCP, UDP, ...).
- source_address mask: the source IP address and subnet mask. For a single IP address the keyword "host" can be used without a subnet mask; the keyword "any" matches any address.
- [operator source_port]: the source port number.
- dest_address mask: the destination IP address and subnet mask; the keywords host and any may be used here too.
- [operator dest_port]: the destination port number that the source traffic is requesting access to.
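As an added example (not Cisco's code or the thesis's), the Python below models the rules of sections 2.2.3 and 2.4 together: the default security-level behaviour between interfaces, and an extended ACL parsed from the access-list / access-group syntax above; interface names, levels, addresses and ACL lines are constructed.

```python
"""Model of ASA security-level defaults (section 2.2.3) and extended ACL
evaluation (section 2.4).  Added example for this page, not Cisco's code;
interface names, levels, addresses and ACL lines are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "ip", "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str                # "permit" or "deny"
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # None matches any destination port


def _addr(tok: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (a subnet mask, not a wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tok.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{t}/{tok.pop(0)}", strict=False)


def parse_acls(config: str) -> Dict[str, List[AclEntry]]:
    """Parse 'access-list NAME [line N] [extended] {permit|deny} PROTO SRC [eq P] DST [eq P]'
    lines into ordered entry lists keyed by ACL name."""
    acls: Dict[str, List[AclEntry]] = {}
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:1] != ["access-list"]:
            continue
        name, tok = tok[1], tok[2:]
        if tok[0] == "line":
            tok = tok[2:]
        if tok[0] == "extended":
            tok = tok[1:]
        action, proto, tok = tok[0], tok[1], tok[2:]
        src = _addr(tok)
        if tok[:1] == ["eq"]:                 # source-port operator: consumed, not matched here
            tok = tok[2:]
        dst = _addr(tok)
        dport = int(tok[1]) if tok[:1] == ["eq"] else None
        acls.setdefault(name, []).append(AclEntry(action, proto, src, dst, dport))
    return acls


def acl_permits(entries: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry decides; an ACL ends with an implicit deny."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.IPv4Address(pkt.src) not in e.src:
            continue
        if ipaddress.IPv4Address(pkt.dst) not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False


class Asa:
    def __init__(self, levels: Dict[str, int], same_security_traffic: bool = False):
        self.levels = levels                  # interface name -> security-level
        self.same_security_traffic = same_security_traffic
        self.inbound_acl: Dict[str, List[AclEntry]] = {}   # from 'access-group NAME in interface IF'

    def configure(self, config: str) -> None:
        acls = parse_acls(config)
        for raw in config.splitlines():
            tok = raw.split()
            if tok[:1] == ["access-group"] and tok[2] == "in":
                self.inbound_acl[tok[4]] = acls[tok[1]]

    def permits(self, pkt: Packet, ingress: str, egress: str) -> bool:
        """An ACL bound inbound on the ingress interface governs its traffic;
        otherwise the security-level rule applies: high to low allowed, low to
        high denied, equal levels denied unless same-security-traffic permit is set."""
        if ingress in self.inbound_acl:
            return acl_permits(self.inbound_acl[ingress], pkt)
        lv_in, lv_out = self.levels[ingress], self.levels[egress]
        if lv_in == lv_out:
            return self.same_security_traffic
        return lv_in > lv_out


# Constructed configuration: publish one DMZ web server to the outside, nothing else.
CONFIG = """
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
"""


def build_asa() -> Asa:
    asa = Asa({"inside": 100, "dmz": 50, "outside": 0})
    asa.configure(CONFIG)
    return asa
```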


2.5. VPN

2.5.1. Introduction to VPN

A VPN (Virtual Private Network) is essentially a connection from one location to another that forms a LAN-like network whose supporting services, such as e-mail and intranet, can only be reached once the user supplies the correct pre-established credentials. Cisco ASA devices, besides their firewall function, can be used to connect remote LANs securely (site-to-site VPN) or to let remote users and teleworkers communicate securely with the company network (remote-access VPN). Cisco supports several VPN forms on the ASA, broadly divided into two types, IPsec VPNs and SSL VPNs:
- IPsec-based VPNs:
  LAN-to-LAN IPsec VPN: used to connect remote LANs across an insecure transmission medium. It runs between two ASAs or between an ASA and a Cisco router.
  Remote access with the IPsec VPN client: VPN client software installed on the user's computer provides remote access to the central network.
- SSL-based VPNs (WebVPN):
  Clientless-mode WebVPN: the first SSL WebVPN implementation, supported from ASA version 7.0 onwards. It lets users establish a secure remote-access VPN tunnel using nothing but a web browser; no additional software or hardware is needed. Only a limited set of applications can be accessed remotely, however.
  AnyConnect WebVPN: provides full network connectivity (similar to IPsec remote access). All applications at the central site can be accessed remotely.

2.5.2. Site-to-site VPN

Figure 2.6. Network diagram of a site-to-site IPsec VPN connection.

A site-to-site IPsec VPN is also called a LAN-to-LAN VPN. It is the type of VPN that connects two distant LANs over the Internet. By configuring a site-to-site IPsec VPN between two ASA firewalls, a secure tunnel can be established across the Internet.

2.5.3. Remote-access VPN

A remote-access VPN is the type of VPN that lets remote users and teleworkers with Internet access establish a secure IPsec VPN tunnel to the network of their company or organisation. The user must have the Cisco VPN client software installed on their computer, which allows secure communication with the ASA firewall at the central office. Once the VPN is established between the remote user and the ASA firewall, the user is assigned a predefined private IP address and is then placed on the corporate LAN.


Figure 2.7. Network diagram of a remote-access VPN connection.

2.5.4. AnyConnect VPN

AnyConnect VPN provides full network connectivity to remote users. The Cisco ASA firewall acts as a WebVPN server, assigning an IP address to the remote user, who becomes a user of the network. All IP protocols and applications therefore pass through the VPN tunnel without any problem.

Figure 2.8. Network diagram of an AnyConnect VPN connection.

There are two options for the initial installation:
- Using the clientless WebVPN portal.
- Manual installation by the user.

2.6. Cisco ASA models

Cisco ASA firewalls currently come in the ASA 5500 series of products, divided by function and by the size of the target organisation, from small to large, and by price.

Figure 2.9. The Cisco ASA 5500 product line.

2.6.1. Cisco ASA 5510

The ASA 5510 strengthens security and provides network services, including VPN services, for small businesses.
- Supports up to 130,000 concurrent connections.
- Throughput of up to 300 Mbps.
- Supported interfaces: up to 5 10/100 Fast Ethernet ports; up to 25 VLANs; up to 5 security contexts.
- Failover support: active/standby.
- VPN support: site-to-site (250 peers); remote access; WebVPN.
- Supports additional SSM modules (Cisco ASA AIP SSM, Cisco ASA CSC SSM and the 4-port Gigabit Ethernet SSM).

2.6.2. Cisco ASA 5520
- Provides security services, including VPN, for medium-sized businesses.
- Supports up to 280,000 concurrent connections.
- Throughput of up to 450 Mbps.
- Supported interfaces: 4 10/100/1000 Gigabit Ethernet interfaces; 1 10/100 Fast Ethernet interface; up to 100 VLANs; up to 20 contexts.
- Failover support: active/standby; active/active.
- VPN support: site-to-site (750 peers); remote access; WebVPN.
- Supports additional SSM modules (Cisco ASA AIP SSM, Cisco ASA CSC SSM and the 4-port Gigabit Ethernet SSM).


2.6.3. Cisco ASA 5540
- Provides high-performance security services, including VPN, for large businesses and service providers.
- Supports up to 400,000 concurrent connections.
- Throughput of 650 Mbps.
- Supported interfaces: 4 10/100/1000 Gigabit Ethernet interfaces; 1 10/100 Fast Ethernet interface; up to 200 VLANs; up to 50 contexts.
- Failover support: active/standby; active/active.
- VPN support: site-to-site (5,000 peers); remote access; WebVPN.
- Supports additional SSM modules (Cisco ASA AIP SSM, Cisco ASA CSC SSM, 4-port Gigabit Ethernet SSM).

2.6.4. Hardware features of the Cisco ASA 5510, 5520 and 5540 security appliances
- The front panel of the ASA series carries the following indicator LEDs: Power, Status, Active, Flash, VPN.


Figure 2.10. Front panel of the Cisco ASA 5510, 5520 and 5540.

- The rear panel of the ASA series comprises: flash memory; the SSM modules; the fixed interfaces; the power switch.

Figure 2.11. Rear panel of the Cisco ASA 5510, 5520 and 5540.

- The connection ports of the ASA series include: an out-of-band management port; a console port; 2 USB 2.0 ports; 4 10/100/1000 Gigabit Ethernet ports; an AUX port; the power supply (AC or DC).

Figure 2.12. Connection ports of the Cisco ASA 5510, 5520 and 5540.

2.6.5. Cisco ASA Security Services Module
- The module provides extended services for the security appliance.
- It uses flash memory for greater reliability.
- It has a Gigabit Ethernet port for out-of-band management.


Figure 2.13. Cisco ASA Security Services Module.


CHAPTER 3. INTRUSION DETECTION AND PREVENTION SYSTEMS (IDS/IPS)

3.1. History

IDS/IPS grew out of research on intrusion detection systems that began 25 years ago, but it was only in the period from 1983 to 1988 that research on intrusion detection systems (IDS) was officially published, and by 1996 a number of IDS were in use, mainly in laboratories and network research institutes. Not until 1997 did IDS become widely known and put into practice, bringing substantial profits to ISS, the company leading research into network intrusion detection. An IPS (Intrusion Prevention System) is defined as software or a dedicated device capable of detecting intrusions and also of stopping threats to security. IDS and IPS have much in common, so the two are often referred to together as IDP (Intrusion Detection and Prevention). Given the limitations of IDS, developing IPS became necessary, especially after large-scale mass attacks such as Code Red, NIMDA and SQL Slammer appeared; the question was how attacks could be stopped automatically rather than merely reported, so as to reduce the system administrator's workload. IPS emerged in 2003 and became widespread soon afterwards, in 2004. Together with upgrades to the management components, IPS gradually replaced IDS because it reduces the need for human intervention in responding to detected threats and lightens part of the operational burden. In certain cases an IPS can also act as an IDS by switching off its intrusion-prevention function. Today networks tend to adopt IPS solutions instead of IDS, and IPS continues to develop strongly within network security technology.

3.2. Role and functions of IDS/IPS

An intrusion detection system listens to and probes the packets traversing the network to detect abnormal signs in the network. Usually those abnormal signs are the signs of network intrusion attacks. The IDS sends alert signals to the network administrator. An intrusion prevention system (IPS) is software or a dedicated device that can detect intrusions and stop threats to the network. IDS and IPS have much in common, so they are referred to together as an intrusion detection and prevention system (IDS/IPS). IPS is a newer security technique that combines the strengths of firewall technology with intrusion detection: it can detect intrusions and attacks and automatically stop them. IDS/IPS systems are usually placed at the network perimeter to protect all devices in the network. Some basic functions of IDS/IPS:
+ Identifying possible threats.
+ Recording information and logs for threat control.
+ Identifying reconnaissance activity against the system.
+ Identifying weaknesses in the security policy.
+ Preventing violations of the security policy.
+ Retaining information about the observed objects.
+ Alerting on important events concerning the observed objects.
+ Blocking attacks (IPS).
+ Producing reports.


3.3. Characteristics and architecture of IDS/IPS

3.3.1. IDS/IPS infrastructure

The main task of an IDS/IPS is to defend computers by detecting an attack and, where possible, repelling it. Detecting a hostile attack depends on the number and kind of appropriate actions.

Figure 3.1. Operation of an IDS/IPS.

Intrusion prevention requires a well-chosen combination of "bait and trap" for investigating threats. Diverting the intruder's attention from the systems to be protected towards decoy systems is the task of a distinct kind of IDS (a honeypot IDS); both the real and the decoy systems are monitored continuously and the collected data is examined carefully (the main job of every IDS/IPS) to detect possible attacks (intrusions). Once an intrusion has been detected, the IDS/IPS alerts the administrator to the event. The next step is taken either by the administrators or by the IDS/IPS itself, applying countermeasures (terminating the session, backing up the system, routing the connections to the honeypot IDS, using the legal infrastructure, and so on) according to each organisation's security policy. The IDS/IPS is one component of the security policy. Among the various IDS tasks, identifying the intruder is one of the basic ones. It can be useful in forensic investigation of incidents and in installing the appropriate patches, so that future attacks against specific targets can be detected.

Figure 3.2. IDS/IPS infrastructure.

3.3.2. Architecture of an intrusion detection system

3.3.2.1. Structure

Sensor/Agent: monitors and analyses activity. Sensors are typically used in network-based IDS/IPS, while agents are typically used in host-based IDS/IPS.

Management server: a central device that receives information from the sensors/agents and manages them. Some management servers can analyse the event information supplied by the sensors/agents and recognise events that individual sensors/agents cannot recognise on their own.

Database server: stores the information from the sensors/agents or the management server.

Console: a program that provides the interface for IDS/IPS users and administrators. It can be installed on an ordinary computer and used for administration tasks or for monitoring and analysis.

3.3.2.2. Architecture of an IDS/IPS

Figure 3.3. Model intrusion detection system.

In an intrusion detection system the sensor is integrated with a data-collection component, an event generator. The manner of collection is determined by the event-generation policy, which defines the filtering mode for event information. The event generator (operating system, network, application) supplies a suitable set of policies for the events, which may be a log of system events or network packets. This set of policies, together with the policy information, may be stored inside the protected system or outside it. In some cases, for example, the event data stream is passed directly to the analyser without any data being stored; this also applies to some extent to network packets. The architecture of an IDS consists of the following main components:
+ The information-collection component.
+ The packet-analysis (detection) component.
+ The response component.

Figure 3.4. Components of the IDS architecture.

Of these three components, the packet-analysis component is the most important, and within it the sensor plays the decisive role. The sensor is integrated with the data-collection component. The manner of collection is determined by the event-generation policy, which defines the filtering mode for event information. The event generator supplies a suitable set of policies for the events, which may be a log of system events. This set of policies, together with the policy information, may be stored inside the protected system or outside it. The sensor's role is to filter the information and discard irrelevant data obtained from the events related to the protected system, so that suspicious actions can be detected. The analyser uses the detection-policy database for this purpose. That database also holds attack signatures, profiles of normal behaviour and the necessary parameters (for example thresholds). In addition, the database keeps the configuration parameters, including the communication modes with the response module. The sensor also has its own database, holding stored data about potentially complex intrusions (built up from many different actions).

An IDS may be arranged centrally or in a distributed fashion. A distributed IDS consists of several IDS spread over a large network, all communicating with one another, and is called a multi-agent architecture. Many sophisticated systems follow the single-agent principle, where small modules are organised on a host in the protected network. The agent's role is to examine and filter all actions within the protected area and depends on the method adopted. A network of cooperating agents reporting to a central analysis server is one of the important components of an IDS. The IDS can use more sophisticated analysis tools, especially ones equipped to detect distributed attacks. Other roles of agents concern their mobility and roaming between physical locations. Agents may also be dedicated to detecting particular known attack signatures, a decisive factor when it comes to protection against new kinds of attack. Agent-based IDS solutions also use less complex mechanisms for updating the response policy.

The multi-agent architecture was proposed in 1994. It uses agents to examine a particular aspect of system behaviour at a given time; for example, an agent can report unusual information about the Telnet sessions inside the system it examines. An agent can raise an alert when it detects a suspicious event. Agents can be copied and modified within other systems (autonomy). Besides the agents, the system can have transceivers that examine all the actions controlled by the agents on a particular host. The receivers always send the results of their work to a single monitor. The monitors receive information from networks (not only from one host), which means they can correlate distributed information. In addition, filters may be introduced to select and collect data.


Figure 3.5. Autonomous agents for intrusion detection.

3.4. Classification of IDS/IPS

There are two different approaches to analysing events in order to detect attacks: signature-based detection and anomaly detection. IDS products may use either approach or combine the two.
- Signature-based detection: this method recognises events, or sets of events, that match a predefined pattern of events known to be an attack.
- Anomaly detection: this tool establishes a baseline of normal activity and then maintains a current profile of the system. When the two differ, an intrusion is assumed.
The various IDS all rely on detecting unauthorised intrusions and anomalous actions. The detection process can be described by three basic elements:
- Information collection: examining all packets on the network.
- Analysis: analysing all collected packets to determine which actions are attacks.
- Response: the alerting action for the attack identified by the analysis above.

Figure 3.6. Classification of IDS/IPS.

3.4.1. Host-based IDS/IPS

By installing software on every host, a host-based IPS observes all system activity, such as log files and the network traffic it collects. Host-based systems also monitor the OS, system calls, audit logs and error messages on the host. While network probes can detect an attack, only a host-based system can determine whether the attack succeeded. Moreover, a host-based system can record what the attacker did on the compromised host. Not every attack is carried out over the network: by gaining physical access to a computer system, an intruder can attack the system or its data without generating any network traffic at all. A host-based system can detect attacks that do not traverse the public or monitored network, or that are carried out from the console, but a knowledgeable intruder who understands IDS can quickly shut down all detection software once physical access has been obtained. Another advantage of host-based IDS is that it can stop attacks that use fragmentation or TTL tricks: because the host must receive and reassemble the fragments when processing traffic, a host-based IDS can monitor this.

A HIDS is usually installed on a specific computer. Instead of monitoring the activity of a network segment, a HIDS monitors only the activity on one machine. HIDS are typically placed on the organisation's critical hosts and on the servers in the DMZ, which are usually the first targets of an attack. The main task of a HIDS is to monitor changes on the system, including (but not limited to): processes; registry entries; CPU usage; integrity and access checks on the file system; some other parameters. When these parameters exceed a preset threshold, or when suspicious changes occur on the file system, an alarm is raised.


Figure 3.7. Placement of HIDS/IPS in a network.

3.4.2. Network-based IDS/IPS

A network-based IDS uses probes and sensors installed throughout the network. These probes watch the network for traffic matching defined profiles or signatures. The sensors capture and analyse traffic in real time. When a traffic pattern or signature is recognised, the sensor sends an alert to the management station and can be configured to take measures to block further intrusion. A NIPS is a set of sensors placed across the network to watch the packets on the network and compare them with defined patterns to determine whether they constitute an attack. It is placed between the internal network and the external network to monitor all inbound and outbound traffic. It can be a dedicated, pre-built hardware appliance or software installed on a computer. It is mainly used to measure the network traffic in use; however, it can become a bottleneck when network traffic is high.


Figure 3.8. Placement of NIDS/IPS in a network.

One way attackers try to hide their activity from a network-based IDS is by fragmenting their packets. Every protocol has a maximum packet size; if the data sent over the network is larger than this size, the packet is fragmented. Fragmentation is simply the process of splitting data into smaller pieces. The order in which the pieces are reassembled is not a problem as long as no overlap occurs. If fragments overlap, the sensor must know how to reassemble them correctly. Many attackers try to evade detection by sending many overlapping fragments, and a sensor will miss the intrusion activity if it cannot reassemble the packets correctly.

3.4.3. Deploying an IDS/IPS

There are many ways to deploy an IDS/IPS, but the two most commonly used in a network are the following:
- In-line

Figure 3.9. In-line deployment model.

An in-line sensor is placed so that it monitors the network traffic passing through it, as a firewall does. In practice some in-line sensors are used as a hybrid of firewall and NIDS/IPS, while others are pure NIDS. The main motivation for deploying in-line sensors is that they can stop attacks by blocking network traffic. In-line sensors are usually deployed at the same places as firewalls and other security devices: at the boundaries between networks. They can also be deployed in less secure network areas, or in front of security devices and firewalls, in order to reduce the load on those devices. This placement slows down the flow of traffic into and out of the network, however; since the goal is to stop attacks, the IDS/IPS must operate in real time, and the system's speed is a very important factor. The intrusion-detection process must be fast enough to stop attacks immediately.
- Passive

A passive sensor is deployed so that it monitors a copy of the network traffic. It is usually deployed to monitor important points in the network, such as the boundaries between networks and important segments such as a server farm or the DMZ. A passive sensor can obtain the traffic in several ways, such as a spanning port (or mirror port), a network tap or an IDS load balancer.

Figure 3.10. Passive deployment model.

Its information-gathering capabilities include identifying hosts, operating systems, applications and network characteristics. It can write log files. It can recognise reconnaissance activity, policy violations or unexpected application services. The blocking capability of the passive type is limited to terminating the current TCP session. When deploying an IDS/IPS, note that the sensors should run in stealth mode: the sensor's interfaces are given no IP address (except the management interface), so that other hosts cannot initiate connections to it and the sensor stays hidden from attackers.
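As an added example that is not part of the thesis, the Python below returns to the fragment-reassembly point of section 3.4.2: the sensor reassembles a datagram before signature matching and, rather than guessing, reports overlapping fragments whose bytes conflict (production sensors instead model the reassembly policy of the target host). The fragments and the signature are constructed, and offsets are given in bytes rather than the 8-byte units of the IP header.

```python
"""Fragment reassembly ahead of signature matching, for the evasion described in
section 3.4.2.  Added example for this page, not Snort's or the thesis's code;
the fragments and the signature are constructed, and offsets are in bytes
(the real IP header counts them in 8-byte units)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification shared by all fragments of one datagram
    offset: int     # byte offset of this fragment's data in the original datagram
    data: bytes
    more: bool      # More Fragments flag; False on the last fragment


class ReassemblyError(Exception):
    pass


def reassemble(frags: List[Fragment]) -> bytes:
    """Rebuild the datagram from fragments in any order.  Overlapping fragments
    that agree are accepted (retransmissions); overlaps whose bytes differ are
    ambiguous because end hosts resolve them differently, so they are rejected
    instead of silently choosing one copy."""
    if not frags:
        raise ReassemblyError("no fragments")
    if len({f.ident for f in frags}) != 1:
        raise ReassemblyError("fragments belong to different datagrams")
    buf: Dict[int, int] = {}           # byte position -> byte value
    total: Optional[int] = None
    for f in sorted(frags, key=lambda f: f.offset):
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos in buf and buf[pos] != b:
                raise ReassemblyError(f"conflicting overlap at byte {pos}")
            buf[pos] = b
        if not f.more:
            end = f.offset + len(f.data)
            if total is not None and total != end:
                raise ReassemblyError("two fragments claim to be the last one")
            total = end
    if total is None:
        raise ReassemblyError("last fragment not seen")
    for pos in range(total):
        if pos not in buf:
            raise ReassemblyError(f"hole at byte {pos}")
    return bytes(buf[pos] for pos in range(total))


def inspect(frags: List[Fragment], signature: bytes) -> Tuple[str, Optional[bytes]]:
    """Sensor verdict on one fragmented datagram: 'alert' when the reassembled
    payload contains the signature, 'clean' when it does not, 'ambiguous' when
    reassembly fails (which itself deserves an alert in practice)."""
    try:
        payload = reassemble(frags)
    except ReassemblyError:
        return "ambiguous", None
    return ("alert" if signature in payload else "clean"), payload


# Constructed sample: the signature is split across two fragments that arrive
# out of order, so matching each fragment on its own would miss it.
SIGNATURE = b"EVIL-SIG"
SPLIT = [
    Fragment(ident=7, offset=19, data=b"L-SIG rest", more=False),
    Fragment(ident=7, offset=0, data=b"GET /index.html EVI", more=True),
]

if __name__ == "__main__":
    print(inspect(SPLIT, SIGNATURE))
```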


The weakness of NIDS/IPS is that it is highly susceptible to the many kinds of attack associated with large volumes of network traffic, and that an in-line sensor deployment creates a single point of failure.

3.4.4. Detection and prevention capabilities of IDS/IPS

An IDS/IPS works by packet pattern matching. It compares packets with the attack-pattern packets it holds; if a packet matches, it is judged to be an attack packet and the system raises an alert or signals the firewall to stop the packet from entering the internal network. Most IDS/IPS today work this way. A new kind of attack, however, is not recognised, so the rules (attack signatures) must be updated regularly, much like virus updates. An IDS that works in the "intelligent" way instead watches the network for abnormal behaviour and reacts to it. Its advantage is that it can recognise new kinds of attack, but in many cases it raises false alarms, that is, alarms in situations that are not attacks. Thus, once an IDS has detected an attack or intrusion, it can take the following actions:
- Send a signal to the firewall to block the attack; in this case the system is called an intrusion detection and prevention system (IDS/IPS).
- Only issue an alert to the network administrator; this is an intrusion detection system (IDS).
To prevent intrusion attacks, the detection system can be combined with a firewall to keep attack packets out of the internal network. One of the firewalls most widely used in open-source software is Iptables. Several open-source tools convert Snort rules into Iptables rules, such as Snort-inline, SnortSam and Fwsnort. This thesis uses Fwsnort for the experimental installation.
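As an added example (not Fwsnort's or the thesis's code), the following Python shows the rule-translation idea behind the tools named above: a Snort rule header and its content match become an iptables string-match rule that logs or drops the traffic. The rules and the $HOME_NET value are constructed, and only header fields and the content/nocase/sid/msg options are handled.

```python
"""Translate simple Snort rules into iptables commands, the approach tools like
Fwsnort (section 3.4.4) use so the firewall itself blocks traffic matching IDS
signatures.  Added example for this page, not Fwsnort's code; the rules and the
network variables are constructed, and only header fields plus 'content' are
handled (no PCRE, flow or byte tests)."""
import re
import shlex
from typing import Dict, List

HEADER = re.compile(
    r"^(?P<action>alert|drop|log)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# option name, optional ':value' where the value may be a quoted string containing ';'
OPTION = re.compile(r'(\w+)(?::((?:"[^"]*"|[^;])*))?;')


def parse_options(opts: str) -> Dict[str, List[str]]:
    """Turn 'msg:"x"; content:"y"; nocase; sid:1;' into option -> list of values."""
    out: Dict[str, List[str]] = {}
    for key, val in OPTION.findall(opts):
        out.setdefault(key, []).append(val.strip().strip('"'))
    return out


def snort_to_iptables(rule: str, variables: Dict[str, str], chain: str = "FORWARD") -> str:
    """Build one iptables command; 'drop' rules become -j DROP, the others -j LOG."""
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule header")
    if m["dir"] != "->":
        raise ValueError("bidirectional rules need two iptables rules; not handled")
    opts = parse_options(m["opts"])

    def resolve(addr: str):
        addr = variables.get(addr, addr)      # $HOME_NET etc. come from the variable map
        return None if addr == "any" else addr

    args = ["iptables", "-A", chain, "-p", m["proto"]]
    src, dst = resolve(m["src"]), resolve(m["dst"])
    if src:
        args += ["-s", src]
    if dst:
        args += ["-d", dst]
    if m["proto"] in ("tcp", "udp"):
        if m["sport"] != "any":
            args += ["--sport", m["sport"]]
        if m["dport"] != "any":
            args += ["--dport", m["dport"]]
    for content in opts.get("content", []):
        args += ["-m", "string", "--algo", "bm", "--string", content]
        if "nocase" in opts:                  # Snort applies nocase per content; simplified here
            args.append("--icase")
    if m["action"] == "drop":
        args += ["-j", "DROP"]
    else:
        sid = opts.get("sid", ["?"])[0]
        msg = opts.get("msg", [""])[0]
        # the kernel limits the LOG prefix to 29 characters
        args += ["-j", "LOG", "--log-prefix", f"[sid:{sid}] {msg}"[:29]]
    return " ".join(shlex.quote(a) for a in args)


# Constructed rules and variable values.
VARIABLES = {"$HOME_NET": "10.0.0.0/24", "$EXTERNAL_NET": "any"}
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB passwd read"; content:"/etc/passwd"; nocase; sid:1000001; rev:1;)',
    'drop tcp any any -> $HOME_NET 23 (msg:"TELNET not allowed"; sid:1000002; rev:1;)',
]


def translate_all() -> List[str]:
    return [snort_to_iptables(r, VARIABLES) for r in RULES]


if __name__ == "__main__":
    for cmd in translate_all():
        print(cmd)
```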


3.5. Network traffic monitoring system

Besides watching packets to detect and prevent unauthorised intrusions, monitoring the network traffic, the network services and the devices taking part in the network is no less important: this covers network traffic, CPU and RAM activity, and the operating status of the servers providing network services. Monitoring the activity of network devices such as routers and switches is also a current need, aimed at improving the operation of the network and keeping it stable and efficient. Monitoring network traffic, services and devices lets administrators quickly learn of problems and of the operating status of the network they manage, and quickly come up with concrete measures to optimise the system or policies to fix faults and strengthen the security of the network.

The IDS/IPS described above can detect network intrusions and can prevent unauthorised intrusions based on the stored and regularly updated attack signatures. However, almost no intrusion detection and prevention system is completely secure: the security field always has to find solutions after earlier intrusions, and a detection and prevention system is easily defeated by new attack signatures that it has not yet been updated with or does not yet know about; a detection system whose rule sets are not fully up to date is easily bypassed by such new attack signatures. Combined with a network traffic monitoring system, the activity of the network devices and services is tracked in real time, giving a visual picture of the whole system's operation; the charts and graphs showing the state of the network help administrators aggregate and analyse what is happening and propose solutions to incidents that could harm the system.

In addition, the administrator can set alert thresholds, combined with the alarm system, so as to quickly obtain information about attacks or detect anomalies in the system. Such anomalies include a network service stopping, a server going down, or CPU overload (exceeding the alert threshold). Within the scope of this thesis, the author proposes monitoring network traffic, network services and the devices operating in the network using two open-source programs, Nagios and Cacti. These two open-source programs are combined with the IDS/IPS to form a complete monitoring system that helps the administrator monitor and manage the network they administer more effectively.

3.6. Alarm system

One of the important aspects of tracking the operating state of a system, for the network administrator, is being able to detect system incidents quickly. This is also a major requirement of an intrusion detection and prevention system. As mentioned above, the alarm system is an important component of the network monitoring system; it works together with the intrusion detection system and the system that monitors the operating state of devices (hosts) and services to send warning signals to the administrator when an intrusion or another abnormal incident occurs. Information from the intrusion detection system or from the anomaly detection system is passed to the alarm system, which issues the alert to the administrator. The alarm system in this thesis is presented and installed in the experimental model and includes alerts on the web interface, by e-mail, and by SMS message to a mobile phone. In particular, the SMS alerting in this thesis uses a GSM/GPRS gateway solution. It can send alerts directly to a mobile phone without any intermediate step, which means that even when the Internet connection is interrupted the system still works normally. The component that connects to the SMS gateway device is the open-source software Gnokii SMS, combined with a GSM/GPRS modem or a mobile phone for the experiment.
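An added example (not code from the thesis, from Nagios or from Gnokii) of the threshold side of the alerting described above: a Nagios-style check that classifies a measured value against warning and critical thresholds written in Nagios range syntax, returns the exit code Nagios expects from a plugin, and trims the resulting alert to one SMS message for the gateway. The metric (1-minute load from /proc/loadavg), the host and service names and the thresholds are assumptions.

```python
import sys

# Nagios plugin exit codes (what the monitoring host reads back from a check)
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAMES = ["OK", "WARNING", "CRITICAL", "UNKNOWN"]

def parse_range(spec):
    """Nagios threshold syntax: '10' = 0..10, '10:' = 10..inf, '~:10' = -inf..10,
    '5:10' = 5..10, '@5:10' = alert when INSIDE the range instead of outside."""
    inside = spec.startswith("@")
    spec = spec.lstrip("@")
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = float("-inf") if lo_s == "~" else float(lo_s or 0)
        hi = float(hi_s) if hi_s else float("inf")
    else:
        lo, hi = 0.0, float(spec)
    if lo > hi:
        raise ValueError(f"bad threshold range {spec!r}")
    return lo, hi, inside

def is_alert(value, spec):
    lo, hi, inside = parse_range(spec)
    outside = value < lo or value > hi
    return (not outside) if inside else outside

def check(value, warn, crit, label="load1"):
    """Classify one measured value; returns (exit code, plugin output line)."""
    if is_alert(value, crit):
        state = CRITICAL
    elif is_alert(value, warn):
        state = WARNING
    else:
        state = OK
    # text before '|' is shown to the operator; after it is perfdata for graphing
    return state, f"{STATE_NAMES[state]} - {label}={value:g}|{label}={value:g};{warn};{crit}"

def sms_text(host, service, output):
    """Fit an alert into one 160-character GSM text message for the SMS gateway."""
    msg = f"{host}/{service}: {output.split('|', 1)[0].strip()}"
    return msg if len(msg) <= 160 else msg[:157] + "..."

if __name__ == "__main__":   # usage: check_load.py <warn> <crit>, e.g. 4 8 (assumed thresholds)
    load1 = float(open("/proc/loadavg").read().split()[0])
    code, line = check(load1, sys.argv[1], sys.argv[2])
    print(line)
    sys.exit(code)
```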

Figure 3.11. Devices used in the alarm system.

The operation of the alarm system is as follows: the network monitoring system tracks the operating state of the whole system, and as soon as abnormal signs are detected they are immediately sent to the GSM/GPRS modem, which issues an SMS alert to the network administrator.

3.7. SNMP and the network monitoring system

SNMP (Simple Network Management Protocol) is a protocol used in networks to track the state of devices. SNMP collects information from the network devices to be monitored (routers, switches, servers) and sends it to the monitoring program, which analyses it and displays on the management interface the information needed for its purpose. There are three things to consider in SNMP: the Manager, the Agent and the MIB (Management Information Base).
- MIB: the database that serves the Manager and the Agent.
- Manager: resides on the server that monitors the network.
- Agent: a program that resides on the devices to be monitored and managed. The Agent can be a separate program (for example a daemon on Unix) or be integrated into the operating system, for example in the IOS of Cisco devices. The task of the Agents is to report information to the controlling component configured on the monitoring server.

SNMP uses UDP (User Datagram Protocol) as the transport protocol between Manager and Agent. UDP is used rather than TCP because UDP is a transport in which the two endpoints do not need to establish a connection before data is exchanged (connectionless), a property that suits conditions in which the network is faulty or damaged.
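An added example (not code from the thesis) of the Manager side of this exchange: it encodes an SNMPv1 GetRequest for sysDescr.0 in BER by hand, sends it in a single UDP datagram to port 161 of an Agent and decodes the GetResponse. The community string "public" and the target host are assumptions; note from the encoding that a v1 community string, the only credential, travels in clear text.

```python
import socket

def tlv(tag, content):  # BER tag-length-value; long-form length above 127 bytes
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content
def encode_int(v):  # non-negative INTEGER; the extra bit keeps the top bit clear
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for a in arcs[2:]:                      # the rest in base 128, high bit on all but the last byte
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_get_request(community, oid, request_id=1):  # SNMPv1: version 0, community (in clear), PDU
    varbind = tlv(0x30, encode_oid(oid) + b"\x05\x00")                    # OID + NULL placeholder
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)

def children(buf):  # decode the TLVs inside a SEQUENCE into [(tag, content), ...]
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                       # long-form length: 0x8N then N length bytes
            ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out

def parse_get_response(data):  # single-varbind GetResponse -> (request_id, error_status, value)
    (_, msg), = children(data)
    _ver, _comm, (ptag, pdu) = children(msg)
    assert ptag == 0xA2, "not a GetResponse PDU"    # 0xA2 = context tag 2
    (_, rid), (_, err), _idx, (_, vbl) = children(pdu)
    _oid, (vtag, val) = children(children(vbl)[0][1])
    as_int = lambda b: int.from_bytes(b, "big", signed=True)
    return as_int(rid), as_int(err), (val.decode("ascii", "replace") if vtag == 0x04 else as_int(val))

def snmp_get(host, community, oid, timeout=2.0):  # UDP/161 is connectionless: no handshake, loss = timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid), (host, 161))
        return parse_get_response(s.recv(1500))
```

A call such as snmp_get("192.0.2.10", "public", "1.3.6.1.2.1.1.1.0") (assumed address) returns the Agent's sysDescr string, or raises socket.timeout when no datagram comes back.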


CHAPTER 4. DEMO

Protecting the network with an ASA firewall and an IDS on VMware or GNS3 virtual machines.

Create the Loopback adapters:

Figure 4.1. Creating 3 Loopback adapters

Configure Loopback adapter 1:

Figure 4.2. Configuration of Loopback adapter 1

Install Fiddler Web:

Figure 4.3. Installing Fiddler Web

Install Named Pipe TCP Proxy and point it at the ASA's serial port:

Figure 4.4. Installing Named Pipe TCP Proxy and pointing it at the ASA's serial port

Run Tftpd, select the address of the Loopback interface and set Current Directory to C:

Figure 4.5. Running Tftpd, selecting the Loopback interface address and setting Current Directory to C:

Use SecureCRT to configure the ASA firewall:

Figure 4.6. Using SecureCRT to configure the ASA firewall

Go to https://1.1.1.1/ to install ASDM:

Figure 4.7. Accessing https://1.1.1.1/ to install ASDM

The ASDM interface after installation:

Figure 4.8. The ASDM interface after installation


CONCLUSION

1. Results achieved

Through the topic "Research and deployment of a network security solution with an ASA firewall and an IDS", we have been able to see clearly the security features and benefits that the ASA firewall and the IDS bring in protecting the networks of companies and organisations against security risks and unauthorised access aimed at stealing important information and data. From assessing the security levels, the safety mechanisms and the different solutions supported by the Cisco ASA firewall and the IDS, a suitable choice can be made when deploying them: placing the Cisco ASA firewall and the IDS at important positions in the network and configuring the necessary functions to protect the system most effectively. Emulating the Cisco ASA firewall and using ASDM showed the features of the Cisco ASA, how its functions are used, how basic firewall rules are set up, and how security is raised further with ACLs, NAT and VPN. Adding an IDS to the system makes it safer still.

2. Limitations

Besides the results achieved, the topic still has some limitations: it has not yet produced a suitable real-world deployment model for the Cisco ASA firewall and the IDS, and it has not yet set up and deployed the ASA firewall and the IDS in a way that achieves the best possible security.

3. Future work

Overcome the limitations above. In addition, the main direction for further development is to emulate the ASA firewall combined with IDS/IPS on GNS3 and to move towards deployment in small and medium-sized enterprise networks.




