Learning about protocols
ACKNOWLEDGEMENTS

To complete this thesis, I would like to express my deep gratitude to the teachers of Hanoi University of Technology in general, and of the Faculty of Information Technology and the high-quality engineer training programme in Vietnam (P.F.I.E.V.) in particular, who devotedly taught me and passed on valuable knowledge during the past five years of study.

I sincerely thank my supervisor, MSc Senior Lecturer Văn Uy of the Software Engineering department, Faculty of Information Technology, Hanoi University of Technology, who enthusiastically guided and advised me and provided much knowledge and valuable material throughout the work on this thesis. Only with his help was I able to complete it.

I sincerely thank the senior staff and colleagues at the system software and security solutions department of Misoft, the software development and technology support company of the Ministry of Defence, who provided the facilities and working equipment and shared their valuable experience with me during my graduation internship and thesis work there.

Finally, I thank my family and friends, who have always stood by me and given me great encouragement while I carried out this thesis.
Graduation thesis

TABLE OF CONTENTS

Acknowledgements 1
Chapter 1: OVERVIEW OF NETWORK SAFETY AND SECURITY 7
I. The current situation 8
II. Network models 9
III. The targets to be protected 17
IV. Network attacks and defence strategies 18
Chapter 2: INTERNET FIREWALL 29
I. Concepts 30
II. Basic functions of a firewall 32
III. Firewall architectures 38
IV. Firewall maintenance 44
Chapter 3: THE LINUX OPERATING SYSTEM 46
I. Overview of the Linux operating system 47
II. Networking in Linux 51
III. IPTables 54
Chapter 4: BUILDING THE BKWALL SYSTEM 60
I. Overview of the BKWall system 61
II. Model and functional specification of BKWall 63
III. Analysis and design of BKWall 65
IV. Integration, installation, testing and evaluation of BKWall 80

LIST OF FIGURES

Figure 1-1: OSI and TCP/IP architectures 10
Figure 1-2: Path of data through the elements of a network 10
Figure 1-3: Structure of an IP packet (IP datagram) 12
Ng Vn Chn HTTT&TT KSCLC K45
LIST OF ABBREVIATIONS

PREFACE
Chapter 1: OVERVIEW OF NETWORK SAFETY AND SECURITY

I. The current situation
II. Network models
III. The targets to be protected
IV. Network attacks and defence strategies
[Table: statistics of security incidents by category (user compromise, denial of service, malicious code, website defacement, resource abuse, total); the column headings were not recovered.]
Post Office Protocol (POP), Internet Mail Access Protocol (IMAP), Internet Control Message Protocol (ICMP).
III. The targets to be protected

To protect a system against attacks by hackers, we must know which targets need to be protected and the different attack techniques, so that sensible defence strategies can be drawn up. The sections below present these issues in detail.

There are three targets that need to be protected:
+ Data: the information stored on computers
+ Resources: the computers themselves, printers, CPUs, ...
+ Reputation

3.1 Data

The security goals and policy of an information system with respect to data include:
+ Confidentiality
+ Integrity
+ Availability

People usually concentrate on protecting the confidentiality of data; for highly sensitive information such as defence information or business strategy this is a vital factor. When data is copied by people without authorisation, we say the data has lost its confidentiality.

When data is unexpectedly modified by a person without authorisation, we say the data has lost its integrity.

Availability is the most important property for organisations whose operations depend on a lot of information. When a legitimate user wants to view his data but for some reason the data cannot be delivered immediately, we say the data has lost its availability.

3.2 Resources

Consider the following example: we have a printer (a kind of resource), and apart from us only authorised people may use it. However, there are unauthorised people who still want to use this printer for free. In that case we say the printer has been violated.

The notion of violation is very broad; memory and CPU, for example, are also resources. When they are exploited illegitimately by people without authorisation, we say the resources have been violated.
OS identification: By sending malformed TCP or ICMP packets, an attacker can obtain information about the operating system.

Account scan:
o Attempts to log in to the system with the following accounts:
o Accounts without a password
o Accounts whose password is the same as the username or the word "password"
o Default accounts used to ship the product
o Accounts installed together with software products
o Problems with the anonymous FTP account

Exploits: exploiting hidden features or bugs to gain access to the system.

A firewall can help us block some of the intrusion methods above. One way is for the firewall to block all paths into the system outright, regardless of login name or password. In general, though, firewalls are configured to reduce the number of accounts that can be accessed from outside. Most people configure the firewall to use one-time passwords in order to prevent password-guessing attacks.

4.1.2 Denial of service

This is an attack on the availability of the system: it exhausts the system's resources or consumes its bandwidth, so that the system loses the ability to respond to incoming requests. In this situation, if the system needs to use a resource, it is quite likely to fail.

A particular characteristic of this kind of attack is that the victim cannot defend against it, and that the tools used in the attack are the same tools the system uses to operate every day.

Four kinds of DoS can be distinguished:
+ Bandwidth consumption
+ Resource starvation
+ Programming flaw
+ Attacks on routing and DNS

Technically, there are three main kinds of denial-of-service attack: DoS, DDoS and DRDoS.

DoS (traditional DoS)
Protocols usually use fixed ports to exchange information with each other, and that is a weak point of the system which lets hackers easily steal important information.

Example: when a user logs on to Yahoo! Mail, enters the username and password and presses Submit, if the information is correct it is packaged and sent. The first HTTP packet, containing the username and password, is sent through port 1149, so a hacker able to access this port can obtain the user's log-on information, in which the password is transmitted in plain text. When logging on to the site, about 100-200 packets are exchanged between the user and the server, and roughly the first 10 of them contain the password information.

There are many ways to counter this kind of attack. A well-configured firewall will protect against those trying to capture the information we send out.
Chapter 2: INTERNET FIREWALL

I. Firewall concepts
II. Basic functions of a firewall
III. Firewall architectures
IV. Firewall maintenance
I. Concepts

1.1 Concept

A firewall is a piece of software, a hardware device, or a combination of the two, designed with the purpose of protecting the internal network against risks and dangers coming from outside. It is usually placed between the internal network we want to protect and the Internet, and blocks some of the network traffic.
The firewall plays the role of controlling these services. It establishes a security policy that allows the services satisfying the rule set on the firewall to operate. Depending on the technology chosen to build the firewall, it can enforce security policies with varying effectiveness.

c. A firewall can log activity effectively

Because every flow of information passes through the firewall, it is the ideal place to collect information about the system and about network usage. The firewall can record what happens between the protected network and the outside network.

1.2.2 Disadvantages

A firewall can protect a network effectively, but it is not everything. Firewalls have their own disadvantages.

a. A firewall cannot protect against attacks from inside

If the attacker is on the inside of the firewall, it cannot help us. The attacker can steal data, damage hardware and software, and modify programs without the firewall knowing.

b. A firewall cannot protect against attacks that do not pass through it

A firewall can effectively control flows of information, provided they pass through the firewall. However, the firewall can do nothing about data flows that do not pass through it. For example, what if dial-up access into the system behind the firewall is allowed? Then it cannot counter an attack arriving through the modem connection. This may result from a backdoor installed by the administrator or by advanced users.

c. A firewall cannot protect against completely new kinds of attack

A firewall is designed only to counter known kinds of attack. If a firewall is well designed, it may also be able to counter attacks carried out in a completely new way. The administrator has to keep up with new attack methods and combine them with known experience in order to supplement the firewall. We cannot install a firewall once and use it forever.

d. A firewall cannot counter viruses

A firewall cannot help computers defend against viruses. Although many firewalls scan incoming traffic to check its validity against the configured rule set, a firewall can only check the source address, destination address and port numbers of a packet, not its content. That is without even counting the many kinds of virus and the many ways a virus can hide inside data.

Next we look at the basic functions of a firewall. It can be said that a real firewall must have at least one of the following functions:

+ Packet filtering: the firewall examines the header of each packet and decides whether to let it through or discard it according to the configured rule set.
+ Application proxy: with this capability the firewall examines packet headers more thoroughly, thanks to its ability to understand the specific protocol used by the application.
+ Network Address Translation (NAT): outside machines only see one or two network addresses belonging to the firewall, while the machines on the internal network can take addresses from an arbitrary
+ Transparent
+ Can filter any service that uses a protocol the firewall supports
+ A single screening router is enough to protect the network: this is a main advantage of packet filtering, since it is a single component and the hosts of the protected network do not have to change when the size of the network changes.
+ Unlike a proxy, it does not require users to learn how to use it

b. Disadvantages

+ Requires a thorough understanding of the protected network and the protocols used on it
+ No user authentication; packet filtering is based only on the network addresses of the hardware
+ Does not hide the internal architecture of the protected network
+ Does not protect against the weaknesses of services that are not filtered
+ With DHCP the filtering results are not accurate
+ Some protocols are not suited to packet filtering.

2.2 Proxy

2.2.1 Concept

Hosts that have a direct connection to the outside network and provide certain services to the other hosts of the protected network are called proxies. Proxies effectively act as gateways for those services, which is why they are also called application-level gateways.

Transparency for the user is the benefit of a proxy. The proxy collects the service requests of the client hosts and checks them; if a request is acceptable it forwards it to the appropriate server, then receives the reply and returns it to the client.
By isolating the bastion host on the perimeter network, the risk in case the bastion host is broken into can be reduced.

In the simplest screened subnet architecture, two screening routers are connected to the perimeter network. One router (the interior router) sits between the perimeter network and the internal network; the other (the exterior router) sits between the perimeter network and the Internet. To break into the internal network, an attacker has to get past both routers. Even if the bastion host is taken over, the interior router still has to be passed. Depending on the specific requirements, one or several perimeter networks may be used.

Basic components of the screened subnet architecture

a. Perimeter network

The perimeter network is an additional layer of protection placed between the internal network and the outside network. If an attacker breaks into our firewall, the perimeter network gives us one more layer of protection.

If an attacker takes over the bastion host on this network, he can only find the information on the bastion host itself. All traffic on the perimeter network either originates from or is destined for the bastion host, or originates from or is destined for the Internet. Because no traffic from the internal network passes through the perimeter network, the internal network remains safe even when the bastion host is compromised.

b. Bastion host

In the screened subnet architecture, the bastion host is added to the perimeter network. It is the main point of contact that receives connections from outside. Outbound services (from internal clients to servers on the Internet) are handled in one of the following two ways:
+ Install packet filtering on both the exterior and the interior router and allow clients on the internal network to access outside servers directly.
+ Install a proxy server on the bastion host and allow clients on the network to access outside servers indirectly. Packet filtering can be installed to allow connections to the proxy on the bastion host while blocking direct connections between internal clients and outside servers.

In both cases, packet filtering allows the bastion host to connect to servers and hosts on the Internet.

c. Interior router

Also called the choke router, it protects the internal network from the Internet and from the perimeter network. In practice the exterior router allows most connections from the perimeter network outwards and performs the packet-filtering function of the firewall. The services the interior router allows between the bastion host and hosts on the internal network are not the same as those the exterior router allows between the perimeter network and the Internet. The reason for restricting the services between the bastion host and the internal network is to reduce the number of hosts that can be attacked when the bastion host is compromised.

d. Exterior router

Also called the access router, it protects both the internal network and the perimeter network. In practice it allows most connections from the perimeter network outwards and does very little packet filtering. Only genuinely special filtering rules on the exterior router protect the hosts and the perimeter network; the remaining rules are usually a repetition of the rules on the interior router. A proxy can be installed on the exterior router to support connections from the bastion host to the outside.
Chapter 3: THE LINUX OPERATING SYSTEM

I. Overview of the Linux operating system
II. Networking in Linux
III. IPtables
... history, aliases
Korn-Shell: combines the Bourne-Shell and the C-Shell

1.2.5. Windows and Graphical User Interface:

Graphical, windowed interaction is a very powerful capability of the Linux operating system; it lets the operating system interact with the user in a friendlier way. Linux currently installs X-WINDOW (X11), an ideal graphical management environment. On Sun systems it is used under the name OpenWin.

1.3 Shell script programming

1.3.1. What is a shell:

The role of the shell is to turn the commands entered by the user into commands of the operating system.

Example:

```shell
$ sort -n phonelist > phonelist.inorder
```

sorts the lines of the file phonelist in numerical order and puts the result in the file phonelist.inorder.

When we enter a command line, the shell transforms it as illustrated below:
1.3.4. Basic command structures of the shell:

Conditional statements
+ The if statement
+ The case statement

Loop statements
+ The for statement
+ The while statement
+ The until statement
+ The repeat statement

The shift statement: the shift command moves the command-line parameters (the parameters typed when the command is invoked are stored in variables named by the numbers 1, 2, ...) by one position, or by a specified number of positions. The syntax is:
+ Shift by one position: shift
+ Shift by a given number of positions: shift number

Some operators used in the test command or in conditional expressions:
+ String operators
+ File and directory operators
+ Logical operators
+ Integer operators

Using subroutines or functions in shell scripts

The shell lets us define our own functions, which are treated like functions in C and other programming languages. Functions make a program clearer, more readable and better structured, and avoid writing duplicated pieces of code.

The syntax of a shell function is as follows:

```shell
function-name ( )
{
    command1
    command2
    ...
    commandN
    return
}
```
[Figure: network interfaces (eth0 to eth3), their drivers (e.g. SMC driver, 3Com driver) and the networking hardware]
... all Ethernet cards.
+ dln: interface for the D-Link DE-600 adapter, another kind of Ethernet device, which is driven through the parallel port instead of the computer's ISA or PCI slots.
+ sln: SLIP interface, bound to a serial port; Linux supports 4 SLIP interfaces.
+ pppn: PPP interface; like the SLIP interface, a PPP interface is bound to a serial port when that port switches to PPP mode.
+ plipn: PLIP interface. This interface transmits IP packets over the parallel port. The Linux kernel supports 3 PLIP interfaces.
III. IPTables

3.1. Introduction to iptables

To use the firewall built into Linux, we must make sure the operating system has the iptables package installed. IPtables is the most widely used Linux firewall, and most Linux distributions install it by default.

IPtables is a command that tells the system kernel how to handle network traffic. For example, you can use iptables to drop IP packets, forward them, or perform address translation (NAT).

The necessary concepts and the Linux components involved:

Tables: also called the filter table. This is where the set of rules is stored, and where we define most of the rules applied to incoming and outgoing network traffic. If we do not specify a particular table, the default table is used. The NAT table holds the rules for NAT. The MANGLE table is responsible for advanced routing.

Chains: the heart of the Linux firewall. Linux uses chains as sets of rules that it applies when filtering network traffic. There are three main chains, each of which is part of the filter table.

+ Input chain: this chain applies to all network traffic destined for the firewall. For example, if we want the administrator to control our firewall remotely, we configure a rule in the input chain that allows all the traffic used by the administrator's tool.
+ Output chain: applies to all network traffic leaving the firewall. For example, if the firewall needs to contact the DNS server for name lookups, we need to configure the output chain to allow that traffic.
+ Forward chain: applies to all network traffic that the Linux firewall handles on behalf of other computers. For example, if our firewall passes traffic from client computers out to the Internet, we must configure the forward chain to allow that traffic.

SNAT, DNAT and masquerading: these are other kinds of NAT. SNAT changes the source address of a packet before sending it on, usually to hide the client's IP address when connecting to the outside. DNAT changes the destination address of a packet, which is usually done to make a proxy server transparent to the client. Masquerading also hides the internal clients from the outside world and is used when our external IP address changes with every connection, for example a dial-up connection to the Internet.
Destination localhost:

Table 1

| Step | Table | Chain | Comment |
|------|-------|-------|---------|
| 1 | | | On the wire (e.g. the Internet) |
| 2 | | | Comes in on the network interface (e.g. eth0, eth1) |
| 3 | Mangle | PREROUTING | This chain is used to alter packets, e.g. to change the type of service (TOS) |
| 4 | Nat | PREROUTING | Used for DNAT; packet filtering should not be done in this chain |
| 5 | | | Routing decision |
| 6 | Mangle | INPUT | Used to alter packets before they are handed to the processes that handle them |
| 7 | Filter | INPUT | All incoming traffic is filtered here |
| 8 | | | The process or application handles the packet |

Source localhost:

Table 2

| Step | Table | Chain | Comment |
|------|-------|-------|---------|
| 1 | | | Local process or application (e.g. a server or client program) |
| 2 | | | Routing decision: which source address and which network interface to use |
| 3 | Mangle | OUTPUT | Alter packets |
| 4 | Nat | OUTPUT | NAT for packets leaving towards the outside network |
| 5 | Filter | OUTPUT | All outgoing traffic is filtered here |
| 6 | Mangle | POSTROUTING | Used when we want to alter packets before they leave the host |
| 7 | Nat | POSTROUTING | Source address translation (SNAT) |
| 8 | | | Goes out on the network interface (eth0) |
| 9 | | | On the wire (e.g. the Internet) |

Forwarded packets:

Table 3

| Step | Table | Chain | Comment |
|------|-------|-------|---------|
| 1 | | | On the wire (e.g. the Internet) |
| 2 | | | Comes in on the network interface (e.g. eth0) |
| 3 | Mangle | PREROUTING | Alter packets |
| 4 | Nat | PREROUTING | Used for DNAT |
| 5 | | | Routing decision |
| 6 | Mangle | FORWARD | Alter packets that are being forwarded |
| 7 | Filter | FORWARD | All forwarded traffic is filtered here |
| 8 | Mangle | POSTROUTING | Alter packets before they leave the host |
| 9 | Nat | POSTROUTING | Source address translation (SNAT, masquerading) |
| 10 | | | Goes out on the network interface |
| 11 | | | On the wire (e.g. the Internet) |
| Name | Option | Description |
|------|--------|-------------|
| Append | -A <chain> | Add a rule at the end of a chain |
| Insert | -I <chain> | Insert a rule at the head of a chain |
| Delete rule | -D <chain> | Delete a rule |
| List | -L [<chain>] | List the rules of a chain |
| New | -N <chain> | Create a new chain |
| Delete chain | -X <chain> | Delete a chain |
| Flush | -F [<chain>] | Delete all rules of a chain |
| Help | -h | Help |
| Target | Description |
|--------|-------------|
| ACCEPT | Let the packet through |
| LOG | Record the packet in the kernel log; the packet then continues through the chain |
| SNAT | Rewrite the source address of the packet |
| DNAT | Rewrite the destination address of the packet |
| MASQUERADE | Source NAT using the address of the outgoing interface, for connections whose external address changes |
| user chain | Jump to a chain defined by the user |

| Parameter | Description |
|-----------|-------------|
| -p protocol | Specifies the protocol the rule applies to. The protocol can be tcp, udp or icmp. A protocol name listed in /etc/protocols or a protocol number can also be used. Use the number 0 or the word all for all protocols; to name several protocols, separate them with commas. |
| -s source_address[/mask] | Specifies the source address of the packet. For example, 192.168.1.1 matches packets with the address 192.168.1.1, while 192.168.1.0/24 matches the range of IP addresses from 192.168.1.0 to 192.168.1.255. |
| -d destination_address[/mask] | Specifies the destination address of the packet, in the same form as the source IP address. |
| -i interface | Specifies the network interface on which incoming packets are received. For example, to refer to all packets arriving on interface eth0, write: -i eth0. |
| --source-port port | Specifies the source port of the packet |
| --destination-port port | Same as --source-port, for the destination port |
| -o interface | Specifies the network interface on which the packet leaves |
| --syn | Matches TCP packets with only the SYN flag set, i.e. connection requests |
| --icmp-type type | Specifies the ICMP message type |
| ! | Negates the match that follows it |
| -j target | Specifies the target, i.e. what to do with a matching packet |
Chapter 4: BUILDING THE BKWALL SYSTEM

I. Overview of the BKWall system
II. Model and functional specification of the BKWall system
III. Analysis and design of the BKWall system
IV. Integration, installation, testing and evaluation of the BKWall system
1.5 Expected results

From the goals set out and the technical solution chosen, the BKWall system is expected to achieve the following concrete results:
+ Successful integration of the selected components.
+ Good operation when tested on small and medium-sized networks.
+ Provision of all the basic and necessary functions of a firewall gateway.
+ Ease of configuration and reliability.
This function lets the administrator control the shutting down and starting up of the BKWall system.
This function lets the administrator set the rules for the Web Proxy module, including items such as host_name, http_port, cache size, ...
rc.sysinit
rc.network
rc.netaddress.up
rc.adsl
rc.machineregister
rc.firewall.up
rc.firewall.down
rc.netaddress.down
rc.isdn
rc.updatered

The most important of these are the files that initialise a firewall based on the IPtables tool: rc.firewall.up and rc.firewall.down.

Here we can look at some of the basic settings of the BKWall system at start-up.

+ First the system deletes all rules and all chains and sets the policies for packets in the chains INPUT, FORWARD and OUTPUT:

```shell
# Delete the rules and chains
/sbin/iptables -F
/sbin/iptables -X
# Set the policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
```
```shell
portfwf
FORWARD -j portfwf
dmzholes
nat -N portfw
nat -A PREROUTING -j portfw
-i ppp0 -j ACCEPT
-i ippp0 -j ACCEPT
icmp -i $RED_DEV -d
ACCEPT
```
```shell
-t nat -N squid
-t nat -N jmpsquid
-t nat -A jmpsquid -d 10.0.0.0/8 -j
-t nat -A jmpsquid -d 172.16.0.0/12 -j
-t nat -A jmpsquid -d 192.168.0.0/16 -j
-t nat -A jmpsquid -d 169.254.0.0/16 -j
-t nat -A jmpsquid -j squid
-t nat -A PREROUTING -i $GREEN_DEV -j
# Masquerade
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE
if [ "$RED_DEV" != "" ]; then
    /sbin/iptables -t nat -A POSTROUTING -o $RED_DEV -j MASQUERADE
fi
```
```shell
/usr/local/bin/setipblock
echo "Setting up portfilter"
/usr/local/bin/setportfilter
if [ "$RED_DEV" != "" ]; then
    echo "Updating RED..."
    /etc/rc.d/rc.updatered
    if [ "$RED_TYPE" != "PPPOE" ]; then
        echo "Starting VPN (if enabled)"
        /etc/rc.d/rc.vpn.up
        echo "Refreshing update list (background)"
        /usr/local/bin/updatelists.pl &
        echo "Registering this BKWall (background)"
        /etc/rc.d/rc.machineregister &
    fi
fi
echo "Setting external access rules"
/usr/local/bin/setxtaccess
echo "Setting up IP accounting"
/etc/rc.d/helper/writeipac.pl
/usr/local/sbin/fetchipac -S -c yes
/usr/local/sbin/fetchipac
```
+ Protocol
+ Action: DROP, ACCEPT, REJECT
+ Whether logging is enabled
+ Whether the rule is enabled

Example of a rule:

```
tcp,230.10.1.1,80,192.168.1.1,80,on,DROP,on
```
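As an added example (not BKWall's own code), the following POSIX shell script turns one line of the packet-filter rule file into the iptables commands it stands for, using the shell functions and positional parameters described in Chapter 3. The field order proto,src_ip,src_port,dst_ip,dst_port,log,action,enabled and the use of the FORWARD chain are assumptions read off the sample rule above; commands are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not BKWall's own code. Converts one line of the packet-filter
# rule file into the iptables command(s) it represents. Assumed field order
# (taken from the sample rule on the page):
#   proto,src_ip,src_port,dst_ip,dst_port,log,action,enabled
# Commands are printed, not run, so the result can be reviewed first.

rule_to_iptables() {
    rule=$1
    # Split the comma-separated fields into the positional parameters $1..$8.
    old_ifs=$IFS
    IFS=','
    set -- $rule
    IFS=$old_ifs
    if [ "$#" -ne 8 ]; then
        echo "malformed rule (expected 8 fields): $rule" >&2
        return 1
    fi
    proto=$1; src=$2; sport=$3; dst=$4; dport=$5
    log=$6; action=$7; enabled=$8

    # A rule whose enabled flag is not "on" produces no command at all.
    [ "$enabled" = "on" ] || return 0

    # Only the three actions the rule format defines are accepted.
    case "$action" in
        ACCEPT|DROP|REJECT) ;;
        *) echo "unknown action '$action' in rule: $rule" >&2; return 1 ;;
    esac

    match="-p $proto -s $src -d $dst"
    # Port matches only apply to TCP and UDP; ICMP rules carry none.
    case "$proto" in
        tcp|udp) match="$match --sport $sport --dport $dport" ;;
    esac

    # LOG is a non-terminating target, so the log rule has to come before
    # the rule that decides the packet's fate.
    if [ "$log" = "on" ]; then
        echo "/sbin/iptables -A FORWARD $match -j LOG --log-prefix \"BKWall $action: \""
    fi
    echo "/sbin/iptables -A FORWARD $match -j $action"
}

# Process a whole rule file: one rule per line, blank lines and '#' comments skipped.
rules_file_to_iptables() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        rule_to_iptables "$line" || return 1
    done < "$1"
}

# Stand-alone run on a constructed rule file (sample data, not from the page).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' \
        '# constructed sample rules' \
        'tcp,230.10.1.1,80,192.168.1.1,80,on,DROP,on' \
        'icmp,0.0.0.0/0,0,192.168.1.1,0,off,ACCEPT,on' \
        'udp,192.168.1.0/24,0,0.0.0.0/0,53,off,ACCEPT,off' > "$tmp"
    rules_file_to_iptables "$tmp"
    rm -f "$tmp"
fi
```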
DHCP

This includes enabling the service that allocates dynamic IP addresses to the machines of the private LAN. It also allows static addresses to be allocated to machines on the internal network based on their physical MAC address, and only the machines listed in this section are able to connect to the Internet. The file holding these addresses is stored in /var/DFF/dhcp/staticconfid. For example:

```
nvc,AA:BB:CC:DD:DE:FF,192.168.1.2
```
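An added example (not BKWall's own code) of how a line of the static-allocation file above can be consumed: it validates the name,MAC,IP triple, emits the matching ISC dhcpd host declaration, and emits a FORWARD rule that lets only that MAC/IP pair out through the RED interface. The name,mac,ip layout is read off the sample line; using the iptables mac match to enforce "only listed machines reach the Internet", and the interface variables $GREEN_DEV and $RED_DEV from the start-up script, are assumptions.

```shell
#!/bin/sh
# Added example, not BKWall's own code. Reads lines of the form
#   name,MAC,IP
# (layout taken from the sample line on the page), validates them, and emits
# an ISC dhcpd host declaration plus an iptables FORWARD rule that only lets
# that MAC/IP pair out through the RED interface. Using the mac match for the
# "only listed machines may reach the Internet" policy is an assumption.
GREEN_DEV=${GREEN_DEV:-eth0}   # internal interface (assumed default)
RED_DEV=${RED_DEV:-eth1}       # external interface (assumed default)

# Return 0 if $1 looks like aa:bb:cc:dd:ee:ff (six hex pairs separated by colons).
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    old_ifs=$IFS; IFS='.'; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the dhcpd host block for one entry.
dhcp_host_entry() {
    name=$1; mac=$2; ip=$3
    printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' "$name" "$mac" "$ip"
}

# Emit the FORWARD rule that admits this machine's traffic towards RED.
# Matching both the MAC and the fixed IP means a host that simply sets the
# IP by hand, without the registered MAC, is still not let out.
forward_rule() {
    mac=$1; ip=$2
    printf '/sbin/iptables -A FORWARD -i %s -o %s -m mac --mac-source %s -s %s -j ACCEPT\n' \
        "$GREEN_DEV" "$RED_DEV" "$mac" "$ip"
}

# Process one static-config line; returns 1 on a malformed entry.
static_line() {
    old_ifs=$IFS; IFS=','; set -- $1; IFS=$old_ifs
    [ "$#" -eq 3 ] || { echo "bad static entry: $*" >&2; return 1; }
    valid_mac "$2" || { echo "bad MAC in entry for $1: $2" >&2; return 1; }
    valid_ipv4 "$3" || { echo "bad IP in entry for $1: $3" >&2; return 1; }
    dhcp_host_entry "$1" "$2" "$3"
    forward_rule "$2" "$3"
}
```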
+ They read the rule files line by line and update the rules of the system.
+ Because the database of rule files is stored as text files, processing is relatively fast, and in particular we take advantage of Perl's excellent text-processing ability. On the other hand, the requirements of a firewall system mean we cannot install and use a database management system such as MySQL.

3.3.5 System information monitoring module

This module provides information about the system, such as:
+ The status of the system's services: Running or Stopped
+ The status of connections
+ Packet traffic through the network interfaces: Green (the internal network interface), Orange (the interface for the demilitarised zone, DMZ), Red (the interface connected to the outside network, e.g. the Internet).

This module uses the chart generator rrdtool to produce charts of the network traffic passing through the RED, ORANGE and GREEN interfaces.
Operating system
The Linux operating system, RedHat version 7.2 released by Redhat, with Linux kernel version 2.4.

Smoothwall
Smoothwall version 2.0 (http://smoothwall.org)

libpcap library
The libpcap library (http://tcpdump.org) version 0.8.0.

iptables
iptables version 1.2.8 (http://iptables.org), the build shipped with the libipq library.

Perl
Perl 5 version 5.8.0 (http://perl.org), and the chart generator rrdtool.

4.2 Installing the system

The BKWall system was deployed and tested at the system software and security solutions department of Misoft. The network layout and equipment of the department are as follows:
+ One ADSL connection at 2Mbps.
+ One Linux server with CPU Pentium II 400Mhz, 128 MB RAM and 3 NICs at 100Mbps, used as the gateway machine. The BKWall system was installed on it.
+ One Windows Server 2003 server with CPU Pentium IV 1.8GHz, 1GB RAM and a 100Mbps NIC, used as the mail, http, ftp, vpn, ... server.
+ 8 PCs with CPU Pentium III 1GHz, 256 MB RAM and a 100Mbps NIC or equivalent, running Windows XP SP2.

Configuration required to install the BKWall system:
+ CPU: minimum speed 300 Mhz (equivalent to a Pentium II CPU)
... a connection through a serial port or dial-up. With the two-network-card model there is no demilitarised zone (DMZ). The most general case is a system with three network cards, assigned respectively to the GREEN, ORANGE and RED interfaces.

[Chart: average download speed (Kb/s)]
o Server side
The BKWall Management System was installed for testing on the server.
+ Linux kernel 2.4, Apache 1.3.39

o Client side
The BKWall Management System was accessed from client machines running different operating systems and using different browsers. The results were as follows:

| Operating system | Browser | Result |
|------------------|---------|--------|
| Windows | IE 6.0 | Good |
| Windows | Firefox 1.0.3 | |
| Linux | Mozilla | |
| Linux | Konqueror | |

The results on both the server side and the client side were very positive. The only issue was some errors in displaying Vietnamese fonts in the Mozilla browser on Linux.

Below are some screenshots of the client side in the IE (Internet Explorer) browser on Microsoft Windows. They include the following interfaces: the Home Page, the Packet Filter rule configuration page, Web Proxy configuration, services, and system information.
4.4 Evaluation of the results

Within the scope of an undergraduate graduation thesis, the BKWall firewall system has met some of the requirements set for a firewall product, but it also has unavoidable limitations. Below I present some of the results achieved and the limitations that need to be addressed in the coming time.

Results achieved
+ Successful integration of the Linux kernel, Smoothwall, Apache Server and Iptables into a unified firewall system.
+ A centralised remote-control system for the whole system through a Web interface has been built.
+ The system operated relatively stably during the test deployment.

Limitations to be addressed in the coming time
Besides the results achieved, the BKWall system still has many limitations that need to be addressed, such as:
+ The system does not yet operate efficiently, especially the Web Proxy module
+ The blocking policy still has to be set by the administrator. There is not yet any ability to organise the rules entered by the administrator in order to optimise them.
+ The control system does not yet exploit the full customisation capability of Iptables.
+ The system cannot yet integrate other tools such as VPN (Virtual Private Network) and IDS (Intrusion Detection System) into the BKWall system.

In the coming time these limitations will be addressed if circumstances allow me to continue developing this topic.
CONCLUSION

To complete this thesis, I would like to express my deep gratitude to my supervisor Văn Uy, for the great help of Dr. Vũ Quốc Khánh, Vương Văn Tuyến and Ngô Quang Huy together with my colleagues at the systems development and security department of Misoft, and to all my friends who have stood by me throughout this time. The thesis has addressed the general issues of information security and network security, and has studied in depth the theory of firewalls as well as the tools for building a complete firewall. Concretely, this thesis has achieved the following results:
+ Studied the issues of information security and network security.
+ Studied in depth the theory of firewalls and related tools with the aim of building a firewall product.
+ Analysed the architecture of, and mastered, the open-source software Smoothwall.
+ Integrated open-source components and successfully built the BKWall system.
+ Carried out a test deployment and obtained some results.