
Some firewall models

Circuit-level gateway


Packet-Filtering Router (a forwarding device with packet filtering)

The most common Internet firewall consists of nothing more than a packet-filtering router placed between the internal network and the Internet. A packet-filtering router has two functions: it forwards traffic between the two networks, and it applies packet-filtering rules to permit or deny that traffic. Typically the filtering rules are defined so that hosts on the internal network may access the Internet directly, while hosts on the Internet get only a limited set of accesses to machines on the internal network. The guiding principle of this architecture is that anything not explicitly permitted is denied.

Figure: the packet-filtering router model

Advantages: Low cost and simple configuration. Transparent to users.

Drawbacks: It carries all the limitations of a packet-filtering router: it is vulnerable to attacks against imperfectly configured filters, and to attacks tunnelled through the services that are permitted. Because packets are exchanged directly between the two networks through the router, the exposure to attack is determined by the number of hosts and services permitted. As a result, every host that is allowed direct Internet access needs a strong authentication mechanism and must be checked regularly by the network administrator for signs of attack. If the packet-filtering router stops working because of a fault, every system on the internal network may be exposed to attack.

Screened Host Firewall

This system consists of a packet-filtering router and a bastion host. It provides better security than the previous model because it enforces security both at the network layer (packet filtering) and at the application layer (application-level proxies). An attacker therefore has to defeat both layers to reach the internal network.

Single-Homed Bastion Host model

In this system the bastion host is placed on the internal network. The filtering rules on the packet-filtering router are defined so that external systems can reach only the bastion host; traffic to every other internal system is blocked. Because the internal systems and the bastion host share the same network, the organisation's security policy decides whether internal systems may access the Internet directly or must use the proxy services on the bastion host. Internal users are forced through the proxies by configuring the router's filter to accept outbound traffic from the internal network only when it originates at the bastion host.

Advantages: A server publishing public information over Web and FTP can be placed on the same network as the packet-filtering router and the bastion host. Where the highest level of security is required, the bastion host can run proxy services that require every user, internal and external, to go through the bastion host before connecting to that server. Where high security is not required, internal machines may connect to the server directly.

If still stronger security is needed, a dual-homed bastion host can be used. Such a bastion host has two network interfaces, and direct forwarding between the two interfaces that would bypass the proxy services is disabled. Because the bastion host is the only internal system reachable from the Internet, attacks are confined to the bastion host. However, a user who manages to log on to the bastion host can then easily reach the whole internal network, so user logons to the bastion host must be prohibited.

Figure: the dual-homed bastion host model

Demilitarized Zone (DMZ), or Screened-Subnet Firewall

This system consists of two packet-filtering routers and a bastion host. It offers the highest level of security because it provides both network-level and application-level protection while defining a "demilitarized" network. The DMZ acts as a small, isolated network placed between the Internet and the internal network. Essentially, a DMZ is configured so that systems on the Internet and on the internal network can reach only a limited set of systems on the DMZ, and direct transit through the DMZ is impossible. For inbound traffic, the exterior router defends against the standard attacks (such as IP address spoofing) and controls access to the DMZ: it allows outside systems to reach only the bastion host. The interior router provides a second line of defence by allowing traffic from the DMZ into the internal network only when it originates at the bastion host. For outbound traffic, the interior router controls the internal network's access to the DMZ: it allows internal systems to reach only the bastion host and, possibly, the information server. The filtering rules on the exterior router enforce the use of the proxy services by permitting only outbound traffic that originates at the bastion host.

Screened-Subnet Firewall

Advantages: An attacker must break through three layers of protection: the exterior router, the bastion host and the interior router. Because the exterior router advertises only the DMZ network to the Internet, the internal network is invisible. Only a few selected systems on the DMZ are known to the Internet, through routing tables and DNS (Domain Name System) information exchange. Because the interior router advertises only the DMZ network to the internal network, internal systems cannot reach the Internet directly. This guarantees that internal users are forced to access the Internet through the proxy services.
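The rule sets described above for the single packet-filtering router, the single-homed screened host and the screened subnet can be written down and exercised with a small first-match, default-deny filter. The block below is an added example, not code from the original page or from any router vendor: the rule syntax is a toy, the router names and interface names ("inside", "outside", "dmz") are assumptions, and every address (10.0.0.0/8 for the internal network, the RFC 5737 documentation ranges for the DMZ and the Internet host) is constructed for illustration. It shows the behaviour the text claims: an outside host reaches only the bastion, a spoofed internal source is dropped at the exterior router, and an internal workstation cannot leave except through the bastion's proxies.

```python
# Added example (not from the original page): a toy first-match, default-deny packet filter
# that models the rule sets the text describes. All addresses are constructed for illustration.
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

INTERNAL = "10.0.0.0/8"         # assumed internal network
MAIL_HOST = "10.0.0.25"         # assumed internal mail server
SCREENED_BASTION = "10.0.0.10"  # single-homed bastion, sits on the internal network
DMZ = "192.0.2.0/24"            # assumed screened subnet (DMZ)
BASTION = "192.0.2.10"          # bastion host on the DMZ
INFO_SERVER = "192.0.2.20"      # public information server on the DMZ
OUTSIDE_HOST = "203.0.113.9"    # some host on the Internet
WORKSTATION = "10.0.1.5"        # an ordinary internal host

Packet = NamedTuple("Packet", [("src", str), ("dst", str), ("dport", int)])

class Rule(NamedTuple):
    action: str                  # "allow" or "deny"
    src: str                     # network, single host, or "any"
    dst: str
    dport: Optional[int] = None  # None matches any destination port
    iface: Optional[str] = None  # ingress interface the rule applies to; None = all
    note: str = ""

def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)

def evaluate(rules, pkt: Packet, ingress: str) -> str:
    """First matching rule wins; anything not explicitly allowed is denied."""
    for r in rules:
        if ((r.iface is None or r.iface == ingress) and _addr_matches(r.src, pkt.src)
                and _addr_matches(r.dst, pkt.dst) and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return "deny"

def traverse(path, pkt: Packet):
    """Push a packet through each (router name, rules, ingress iface) hop in order."""
    for name, rules, ingress in path:
        if evaluate(rules, pkt, ingress) == "deny":
            return ("denied", name)
    return ("delivered", None)

# 1. Single packet-filtering router: inside goes anywhere, outside reaches one listed service.
PACKET_FILTER_ROUTER = [
    Rule("allow", INTERNAL, "any", iface="inside", note="internal hosts reach the Internet directly"),
    Rule("allow", "any", MAIL_HOST, 25, iface="outside", note="only SMTP to the mail host is let in"),
]

# 2. Screened host: outside reaches only the bastion; outbound must originate at its proxies.
SCREENED_HOST_ROUTER = [
    Rule("allow", "any", SCREENED_BASTION, iface="outside", note="external systems reach only the bastion"),
    Rule("allow", SCREENED_BASTION, "any", iface="inside", note="forces internal users through the proxies"),
]

# 3. Screened subnet: exterior router drops spoofed sources and admits only bastion-bound traffic.
EXTERIOR_ROUTER = [
    Rule("deny", INTERNAL, "any", iface="outside", note="anti-spoofing: internal source from the Internet"),
    Rule("deny", DMZ, "any", iface="outside", note="anti-spoofing: DMZ source from the Internet"),
    Rule("allow", "any", BASTION, 25, iface="outside", note="Internet -> bastion (mail relay)"),
    Rule("allow", BASTION, "any", iface="dmz", note="outbound only when it originates at the bastion"),
]
INTERIOR_ROUTER = [
    Rule("allow", BASTION, INTERNAL, 25, iface="dmz", note="DMZ -> internal only from the bastion"),
    Rule("allow", INTERNAL, BASTION, iface="inside", note="internal -> bastion proxies"),
    Rule("allow", INTERNAL, INFO_SERVER, 80, iface="inside", note="internal -> information server"),
]

def single_router_results():
    return {
        "internal_to_internet": evaluate(PACKET_FILTER_ROUTER, Packet(WORKSTATION, OUTSIDE_HOST, 443), "inside"),
        "internet_to_mail": evaluate(PACKET_FILTER_ROUTER, Packet(OUTSIDE_HOST, MAIL_HOST, 25), "outside"),
        "internet_to_workstation": evaluate(PACKET_FILTER_ROUTER, Packet(OUTSIDE_HOST, WORKSTATION, 22), "outside"),
    }

def screened_host_results():
    return {
        "internet_to_bastion": evaluate(SCREENED_HOST_ROUTER, Packet(OUTSIDE_HOST, SCREENED_BASTION, 25), "outside"),
        "workstation_direct_out": evaluate(SCREENED_HOST_ROUTER, Packet(WORKSTATION, OUTSIDE_HOST, 80), "inside"),
        "bastion_proxy_out": evaluate(SCREENED_HOST_ROUTER, Packet(SCREENED_BASTION, OUTSIDE_HOST, 80), "inside"),
    }

def screened_subnet_results():
    ext_in, ext_out = ("exterior", EXTERIOR_ROUTER, "outside"), ("exterior", EXTERIOR_ROUTER, "dmz")
    int_in, int_out = ("interior", INTERIOR_ROUTER, "dmz"), ("interior", INTERIOR_ROUTER, "inside")
    return {
        "internet_to_bastion_smtp": traverse([ext_in], Packet(OUTSIDE_HOST, BASTION, 25)),
        "internet_to_workstation": traverse([ext_in, int_in], Packet(OUTSIDE_HOST, WORKSTATION, 25)),
        "spoofed_internal_source": traverse([ext_in], Packet(WORKSTATION, BASTION, 25)),
        "workstation_direct_out": traverse([int_out, ext_out], Packet(WORKSTATION, OUTSIDE_HOST, 80)),
        "workstation_to_bastion_proxy": traverse([int_out], Packet(WORKSTATION, BASTION, 8080)),
        "bastion_to_internet": traverse([ext_out], Packet(BASTION, OUTSIDE_HOST, 80)),
        "bastion_to_internal_mail": traverse([int_in], Packet(BASTION, MAIL_HOST, 25)),
        "info_server_to_workstation": traverse([int_in], Packet(INFO_SERVER, WORKSTATION, 25)),
    }

if __name__ == "__main__":
    for fn in (single_router_results, screened_host_results, screened_subnet_results):
        print(fn.__name__, fn())
```

Two details worth noting when reading the verdicts. The anti-spoofing rules only work because the filter knows the ingress interface: a packet claiming an internal source that arrives on the Internet side is dropped before any allow rule is consulted, which is the "standard attack" the text says the exterior router defends against. And the default deny at the end of `evaluate` is what makes an imperfect rule set fail closed; the text's warning about misconfigured filters refers to allow rules that are broader than intended, which this model does not protect against.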

http://vdconline.vn/ids/dich-vu-quan-tri-may-chu/c410-s463-d482
