
Graduation Thesis

Studying Firewall Theory and Building a Firewall on Linux

ACKNOWLEDGEMENTS
To complete this thesis, I would like to express my deep gratitude to the teachers of Hanoi University of Science and Technology in general, and of the Faculty of Information Technology and the high-quality engineer training programme in Vietnam (P.F.I.E.V.) in particular, who have devotedly taught me and passed on valuable knowledge over the past five years.
I sincerely thank my supervisor, MSc., Senior Lecturer Văn Uy of the Software Engineering Department, Faculty of Information Technology, Hanoi University of Science and Technology, who enthusiastically guided and advised me and provided much knowledge and valuable material throughout the work on this thesis. Only thanks to his help was I able to complete it.
I sincerely thank the staff and colleagues at the System Software and Security Solutions Department of Misoft, the software development and technology support company of the Ministry of Defence, who provided the facilities and working environment and shared their valuable experience with me during my internship and thesis work there.
Finally, I thank my family and friends, who were always by my side and gave me great encouragement while I carried out this thesis.

Ng Vn Chn HTTT&TT KSCLC K45


TABLE OF CONTENTS
ACKNOWLEDGEMENTS ... 1
Chapter 1 : OVERVIEW OF NETWORK SECURITY ... 7
I. Current situation ... 8
II. Network models ... 9
III. Assets to be protected ... 17
IV. Network attacks and defence strategies ... 18
Chapter 2 : INTERNET FIREWALL ... 29
I. Concepts ... 30
II. Basic functions of a firewall ... 32
III. Firewall architectures ... 38
IV. Firewall maintenance ... 44
Chapter 3 : THE LINUX OPERATING SYSTEM ... 46
I. Overview of the Linux operating system ... 47
II. Networking in Linux ... 51
III. IPTables ... 54
Chapter 4 : BUILDING THE BKWALL SYSTEM ... 60
I. Overview of the BKWall system ... 61
II. Model and functional specification of the BKWall system ... 63
III. Analysis and design of the BKWall system ... 65
IV. Integration, installation, testing and evaluation of the BKWall system ... 80

LIST OF FIGURES
Figure 1-1 : OSI and TCP/IP architectures ... 10
Figure 1-2 : Path of data through the elements of a network ... 10
Figure 1-3 : Structure of an IP packet (IP datagram) ... 12
Figure 1-5 : Format of a UDP datagram ... 15
Figure 1-6 : DoS and DDoS attacks ... 21
Figure 1-7 : DRDoS attack ... 21
Figure 1-8 : Model of a mail application on the Internet ... 22
Figure 1-9 : Internet connection from a LAN ... 22
Figure 1-10 : Establishing a TCP connection between client and server ... 23
Figure 1-11 : SYN flood attack (1) ... 24
Figure 1-12 : SYN flood attack (2) ... 25
Figure 1-13 : ICMP packet flood attack ... 25
Figure 1-14 : Defence in depth ... 26
Figure 2-1 : Position of the firewall in the network ... 30
Figure 2-2 : Screening router using a packet filter ... 32
Figure 2-3 : Proxy server ... 35
Figure 2-4 : Network address translation ... 37
Figure 2-5 : Dual-homed host architecture ... 41
Figure 2-6 : Screened host architecture ... 42
Figure 2-7 : Screened subnet architecture ... 42
Figure 3-1 : Functional model of the shell ... 49
Figure 3-2 : Interfaces, drivers and devices ... 51
Figure 3-3 : Netfilter hook diagram ... 53
Figure 3-4 : Packet processing in the Linux kernel ... 57
Figure 4-1 : Overall model of the BKWall system ... 64
Figure 4-2 : Functional specification of the BKWall system ... 64
Figure 4-3 : BKWall deployment model ... 65
Figure 4-4 : Function hierarchy diagram ... 65
Figure 4-5 : Context-level data flow diagram ... 66
Figure 4-6 : Control function diagram ... 66
Figure 4-7 : Configuration management function diagram ... 67
Figure 4-8 : Packet filter rule management function diagram ... 67
Figure 4-9 : Web proxy rule management function diagram ... 67
Figure 4-10 : Activity monitoring function diagram ... 68
Figure 4-11 : Block diagram of the main program module ... 69
Figure 4-12 : Block diagram of the request forwarding module ... 75
Figure 4-13 : Block diagram of the configuration management module ... 76
Figure 4-14 : Block diagram of the rule management module ... 77
Figure 4-15 : BKWall deployment model within a network ... 82
Figure 4-16 : Home page ... 85
Figure 4-17 : Packet filtering configuration ... 85
Figure 4-18 : Services: remote access, password change ... 86
Figure 4-19 : Web proxy configuration page ... 86
Figure 4-20 : System status information page ... 87

TABLE OF ABBREVIATIONS

ARP (Address Resolution Protocol) : protocol for mapping an IP address to a physical address
BKWall (Bach Khoa Firewall System)
CGI (Common Gateway Interface)
DDoS (Distributed Denial of Service) : distributed denial-of-service attack
DMA (Direct Memory Access)
DMZ (DeMilitarized Zone)
DNS (Domain Name Service)
DoS (Denial of Service) : denial-of-service attack
DRDoS (Distributed Reflection Denial of Service) : reflected, distributed DoS
FDDI (Fiber Distributed Data Interface)
FIB (Forwarding Information Table) : routing forwarding information table
FTP (File Transfer Protocol)
HTTP (Hyper Text Transfer Protocol)
ICMP (Internet Control Message Protocol)
IGMP (Internet Group Management Protocol) : Internet protocol by which hosts join and leave multicast groups
IP (Internet Protocol)
IPS (Intrusion Prevention System)
ISP (Internet Services Provider)
ISDN (Integrated Services Digital Network)
LAN (Local Area Network)
MAC (Media Access Control) : device address
MTU (Maximum Transmission Unit)
NIC (Network Interface Card)
PSTN (Public Switched Telephone Network)
RARP (Reverse Address Resolution Protocol) : protocol for mapping a physical address to an IP address
RIP (Routing Information Protocol) : a routing protocol
SSL (Secure Socket Layer)
SSH (Secure Shell) : remote access service
SMTP (Simple Mail Transfer Protocol)
TCP (Transmission Control Protocol)
TELNET : remote login service
UDP (User Datagram Protocol) : unreliable transport protocol
URI (Uniform Resource Identifier) : resource identifier
URL (Uniform Resource Locator) : uniform resource address

PREFACE

In recent years the organization and use of the Internet has grown enormously. The Internet lets computers exchange information quickly and conveniently. Anyone can easily use Internet services and utilities, such as exchanging information or consulting the digital knowledge libraries of humanity. At this point the benefits of the Internet are obvious and undeniable. Unfortunately, they come together with risks: information insecurity on the Internet is a leading problem holding back its development. Ensuring safety and security is not only a need of service providers but a legitimate need of every user. Sensitive defence and commercial information is priceless and must not fall into the hands of competitors.
Worldwide there has been much research into security and the protection of information on networks, and the results have become commercial products such as Vista Firewall, ZoneAlarm Firewall, VPN-1/Firewall-1, SmoothWall, Astaro and others. Each, however, has its own strengths and weaknesses and develops in its own direction. These products are built on different operating systems, mainly Microsoft Windows and the open-source Linux operating system.
Linux is a free UNIX-like operating system for personal computers that is widely used today. It has achieved notable success, continues to grow, is highly regarded and attracts much interest from computer scientists.
In Vietnam, although the Internet has only become popular in the last few years, network security problems are no exception. Although there have not yet been large economic losses, many security risks lurk. Attacks on service providers' systems and deletions of data are increasing. Vietnam currently has no commercial firewall product made by Vietnamese developers, and in particular none built on the open-source Linux operating system.
Therefore, to exploit and use the Internet, safety and security must come first. There are many different measures for protecting a system against external attacks. One of the most widely applied is the firewall. Practice shows that this is a simple measure whose results are very promising.
On that basis I chose the topic: Studying firewall theory and building a firewall on Linux.
The objectives of the topic are:
1. A general study of network security, network attack techniques and defence strategies.
2. A study of firewall theory.
3. Building a firewall on the Linux operating system.
The thesis is organized in four chapters as follows:
Chapter 1 : Overview of network security
Presents the general concepts of network security and the urgency of the topic; the network models and the protocols used for communication over networks; the forms of attack and some attack techniques in common use today, and from these the strategies for protecting systems against these risks.
Chapter 2 : Internet Firewall
Presents the general concept of a firewall, the basic functions of a firewall, and the models or architectures for deploying a firewall in a system.
Chapter 3 : The Linux operating system
This chapter gives an overview of the Linux operating system and of network configuration in a Linux environment. In particular we look at a utility package integrated into most Linux distributions, IPtables, which performs packet filtering at the kernel level of the system. From this, a few simple firewall models based on IPtables are derived.
Chapter 4 : Building the BKWall system (Bach Khoa Firewall System)
Builds the BKWall system on the basis of the open-source product SmoothWall.
In addition, the thesis has appendices presenting the table of abbreviations used in the text and the list of references.


Chapter 1 : OVERVIEW OF NETWORK SECURITY

I. Current situation
II. Network models
III. Assets to be protected
IV. Network attacks and defence strategies

In this chapter we present the general concepts of network security and the current situation, the network models and the protocols used for communication over networks, the forms of attack and some attack techniques in common use today, and, from these, strategies for protecting systems against these risks.

I. Current situation

The Internet, the global network that connects computers and provides services such as the WWW, e-mail and information search, is the foundation of electronic services that are developing ever more rapidly. The Internet has become, and is becoming, an indispensable part of daily life. And with it come the dangers that the Internet brings.
According to statistics of CERT/CC (Computer Emergency Response Team/Coordination Center), the number of attacks and probes is rising year by year.

Attack type            1999    2000    2001      2002        2003
Root compromise        113     157     101       125         137
User compromise        21      115     127       111         587
Denial of service      34      36      760       36          25
Probes                 222     71      452       488,000     706,441
Total                  412     6,555   489,890   1,433,916   454

For the remaining rows only some cells survived extraction, so the values are given in the order they appear without year columns: malicious code: 4,764; 265; 191,306. Website defacement: 236; 46; 90. Resource abuse: 12; 24; 39; 26. Other attacks: 52; 108; 1268; 535,304.

Attackers are becoming ever more sophisticated in their activities. Information about security holes and attack types is published openly on the network. Leaving aside non-professional attackers and highly skilled people, anyone with a little knowledge of programming and networking can become a hacker once they have this information. For this reason the number of attacks on networks keeps rising and many new attack methods appear, beyond control.
According to an Ernst & Young survey, four out of five large organizations (more than 2500 employees) deploy fundamental, important applications on their local area networks. When these LANs are connected to the Internet, essential information is exposed to intrusion, theft, destruction or obstruction of traffic. Most of these organizations do apply security measures, but not thoroughly, and there are many holes that attackers can exploit.
In recent years computer network security has become a hotter topic than ever, as a series of attacks and security holes have been discovered or exploited. According to Arthur Wong, chief executive of SecurityFocus, on average more than 30 new security holes are discovered each week. According to a SecurityFocus survey of the company's 10,000 customers running intrusion detection software, each customer suffered on average 129 probes and intrusions. Web server software such as Microsoft IIS is the most common target of attacks.
Given this situation, protecting the information of a computer or a computer system against attack from outside when it is connected to the Internet is an extremely urgent matter. To meet this requirement, software with various features, collectively called firewalls, has appeared around the world.
Using a firewall to protect an internal network against attack from outside is an effective solution that ensures:
- safety for the operation of the whole network system
- high security in many respects
- a high degree of control
- flexibility and ease of use
- transparency to users
- an open architecture
"Know the enemy and know yourself, and you will win a hundred battles": to protect a system against hacker attacks we must know what assets need protection and the different attack techniques, and devise a suitable strategy for protecting the network.

II. Network models

2.1 The OSI and TCP/IP models
Network architecture is described by two models, OSI and TCP/IP, shown in the figure below.
FTP: File Transfer Protocol
SMTP: Simple Mail Transfer Protocol
DNS: Domain Name Protocol
SNMP: Simple Network Management Protocol
ICMP: Internet Control Message Protocol
ARP: Address Resolution Protocol
FDDI: Fiber Distributed Data Interface
RIP: Routing Information Protocol
TCP/IP is in fact a family of protocols that work together to provide the means of internetwork communication. Data is transmitted across the network according to the following diagram:


Figure 1-1 : OSI and TCP/IP architectures

Figure 1-2 : Path of data through the elements of a network

2.2 Layers of the TCP/IP model

From the introduction to the OSI and TCP/IP models above, the correspondence between their layers can be given as follows:

2.2.1 Network Access Layer

The network access layer comprises the protocols that provide access to a network connection. At this layer the system interfaces with many different kinds of network. It provides the drivers that interact with hardware such as Token Ring, Ethernet, FDDI and others.
2.2.2 Internet Layer
The Internet layer provides the routing of packets. It therefore contains the procedures needed between hosts and gateways to move packets between different networks. A gateway connects two networks. This layer includes IP (Internet Protocol) and ICMP (Internet Control Message Protocol).
2.2.3 Transport Layer
The transport layer delivers data between two processes on different host computers. A protocol entering here provides a logical connection between higher-level entities. Its services may include error control and flow control. This layer includes the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
2.2.4 Application Layer
This layer comprises the protocols that serve resource sharing and remote access. It contains the high-level protocols used to provide interfaces to users or applications. Important ones are the File Transfer Protocol (FTP) for file transfer, the HyperText Transfer Protocol (HTTP) for the World Wide Web, and the Simple Network Management Protocol (SNMP) for network management. Others are the Domain Naming Service (DNS), the Simple Mail Transport Protocol (SMTP), the Post Office Protocol (POP), the Internet Mail Access Protocol (IMAP) and the Internet Control Message Protocol (ICMP).

2.3 Protocols and services in a TCP/IP network

2.3.1 Network layer protocols
a. Internet Protocol (IP)
The main purpose of IP is to connect subnetworks into an internetwork for transmitting data. Its role corresponds to that of the network layer in the OSI model. IP is a connectionless protocol, meaning that no connection is established before data is transmitted. The data unit used by IP is called the IP datagram; its format consists of a header part and a data part.

Figure 1-3 : Structure of an IP packet (IP datagram)

To identify hosts on the network the protocol uses IP addresses, 32 bits long, divided into four fields of one byte each and usually written as decimal numbers. IP addresses are divided into five classes, denoted A, B, C, D and E. An example of an IP address: 192.168.1.1
Each IP address has two parts: the network address (network id) and the host address (host id). To separate the network id from the host id a subnet mask is used, so a complete IP address is usually written as: 192.168.1.1/24
b. Address Resolution Protocol (ARP)
An IP address and a hardware (physical) address (48 bits long) are independent of each other. ARP converts an IP address to a physical address when needed. The mapping from IP address to physical address can be static or dynamic. ARP and RARP use dynamic mapping, with ARP request and ARP reply packets.
c. Reverse Address Resolution Protocol (RARP)
Similar to ARP, except that it maps in the reverse direction, from a physical (MAC) address to an IP address. A simple diagram of the protocol's operation is as follows:

d. IP version 6 or IP next generation (IPv6 or IPng)

IPv6 is basically the same as IPv4. Some of the differences between them are:
- IP addresses are 128 bits long instead of the 32 bits of IPv4. An example IPv6 address as printed in the thesis: flea:1075:fffb:110e:0000:0000:7c2d:a65f (note that "l" is not a hexadecimal digit).
- IPv6 can automatically configure local addresses and local router addresses, solving configuration and setup problems.
- IPv6 has a simpler header with some parts removed. This makes routing more efficient, and new header types can easily be added.
- Support for authentication and data security is part of the IPv6 architecture.
e. Internet Control Message Protocol (ICMP)
Because IP is an unreliable protocol, ICMP is needed. It carries control messages (reports on error conditions in the network, and so on) between the gateways or hosts of an internetwork. An error condition might be a datagram that cannot reach its destination, or a router that has no buffer space to store and forward a datagram. An ICMP message is created and handed to IP, which encapsulates it with an IP header and transmits it to the destination host or router.
2.3.2 Transport layer protocols
There are two protocols at the transport layer: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Both sit between the application layer and the network layer. TCP and UDP are responsible for process-to-process communication at the transport layer.
a. Transmission Control Protocol (TCP)
TCP is a connection-oriented protocol, meaning that a logical connection must be established before data can be transmitted. The data unit used by TCP is called the segment; its format is described below:

Figure 1-4 : Format of a TCP segment

The parameters of this format have the following meanings:

- Source port (16 bits) : port number of the source host
- Destination port (16 bits) : port number of the destination host
- Sequence Number (32 bits) : sequence number of the first byte of the segment, unless the SYN bit is set. If the SYN bit is set it is the initial sequence number (ISN).
- Acknowledgment Number (32 bits) : sequence number of the next segment the source is waiting to receive; it signifies a successful acknowledgement.
- Data offset (4 bits) : number of 32-bit words in the TCP header. It indicates where the data field begins.
- Reserved (6 bits) : reserved for future use
- Code bits, or control bits (6 bits), in order from left to right:
URG : the Urgent Pointer field is valid
ACK : the acknowledgement field (ACK number) is valid
PSH : push function
RST : reset the connection
SYN : synchronize sequence numbers
FIN : no more data from the source
- Window (16 bits) : credit allocation for flow control (the window mechanism). This is the number of data bytes, starting from the byte indicated in the ACK number field, that the source is ready to receive.
- Checksum (16 bits) : error control code (the thesis describes it as using a CRC method)
- Urgent Pointer (16 bits) : points to the sequence number of the byte following the urgent data, letting the receiver know the length of the urgent data; only valid when the URG bit is set.
- Options (variable length) : TCP options
- Padding (variable length) : padding added to the header to ensure its size is a multiple of 32 bits.
- TCP data : the data part of the TCP segment.
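As an added example (not part of the thesis), the following Python code decodes the fields listed above from a raw segment and builds a SYN segment whose checksum it can verify. Note that the TCP checksum is a 16-bit one's complement sum over an IPv4 pseudo-header plus the segment (RFC 793), not a CRC; the addresses, ports and ISN used are constructed sample values.

```python
import socket
import struct

# Code bits of the 6-bit control field, in the order the thesis lists them;
# URG is the most significant of the six bits, FIN the least.
FLAG_BITS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))


def ip_bytes(addr: str) -> bytes:
    """Dotted-decimal IPv4 address to its 4 network-order bytes."""
    return socket.inet_aton(addr)


def parse_tcp_segment(segment: bytes) -> dict:
    """Decode the 20-byte fixed TCP header, then split off options and payload."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte TCP header")
    (sport, dport, seq, ack, off_flags, window,
     checksum, urgptr) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12          # header length in 32-bit words
    header_len = data_offset * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    code_bits = off_flags & 0x3F           # low six bits of the same 16-bit word
    flags = [name for name, bit in FLAG_BITS if code_bits & bit]
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "data_offset": data_offset, "flags": flags,
        "window": window, "checksum": checksum,
        "urgent_pointer": urgptr,
        "options": segment[20:header_len],   # between fixed header and data
        "payload": segment[header_len:],
    }


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry, as RFC 793 specifies."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over pseudo-header (src, dst, zero, protocol 6, TCP length) + segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]   # checksum field as zero
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """True when the checksum carried in the segment matches the recomputed one."""
    carried = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, segment) == carried


def build_syn(src_ip: bytes, dst_ip: bytes, sport: int, dport: int,
              isn: int, window: int = 65535) -> bytes:
    """Build a SYN segment carrying an MSS option (kind 2, length 4, MSS 1460)."""
    options = b"\x02\x04\x05\xb4"
    header_words = (20 + len(options)) // 4       # 24 bytes -> data offset 6
    off_flags = (header_words << 12) | 0x02       # only the SYN code bit set
    seg = struct.pack("!HHIIHHHH", sport, dport, isn, 0,
                      off_flags, window, 0, 0) + options
    csum = tcp_checksum(src_ip, dst_ip, seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


if __name__ == "__main__":
    src, dst = ip_bytes("192.168.1.1"), ip_bytes("10.0.0.1")   # constructed
    syn = build_syn(src, dst, 40000, 80, 1000)
    print(parse_tcp_segment(syn), checksum_ok(src, dst, syn))
```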
b. User Datagram Protocol (UDP)
UDP is a connectionless, unreliable protocol, unlike TCP, and it is used in place of TCP in some applications. Unlike TCP it has no connection establishment or release. It also provides no acknowledgement mechanism and does not order data units on arrival, which can lead to data being lost or duplicated without any error notification to the sender.
UDP provides the mechanism for assigning and managing the port numbers that uniquely identify the applications running on a network host. Because it has fewer functions, UDP tends to run faster than TCP. It is commonly used for applications that do not require high reliability. The format of a UDP datagram is as follows:

Figure 1-5 : Format of a UDP datagram

c. Routing protocols
As we know, the Internet consists of networks connected by routers. When a packet travels from the source host to the destination host it must pass through the routers attached to the destination. The length of this route is determined differently depending on the protocol used. For packets to reach their destination, the hosts or routers must run routing protocols. Depending on the algorithm used there are different kinds of routing protocol, including static routing protocols (for example RIP, the Routing Information Protocol) and dynamic routing (for example OSPF, Open Shortest Path First).
2.3.3 Application layer services
a. Domain Name System (DNS)
This service lets elements of the network be identified by name instead of by the numbers of an IP address. The system is hierarchical; each level is called a domain, and domains are separated by dots. The highest domain is the country level: each country is assigned its own two-letter domain name, for example vn (Vietnam) or fr (France), which is then further subdivided. The mapping between IP addresses and domain names is performed by two entities, the Name Resolver and the Name Server. The Name Resolver is installed on the workstation, the Name Server on a server. The Name Resolver sends an address mapping request to the Name Server. If the host name is found, the corresponding IP address is returned to the workstation, which then connects to the host using that IP address.
b. Remote login - TELNET

Lets a user at their own workstation log in to a remote host over the network and work there as if sitting at it. TELNET runs over TCP and exchanges information on port 23. To start TELNET, the user simply types the following at the command line of their workstation:
telnet <domain name or IP address>
c. File Transfer Protocol (FTP)

Lets files be transferred from one host to another regardless of where the machines are or which operating system they run, as long as they are connected through the Internet and have FTP installed.
To start FTP we use the command:
ftp <domain name or IP address>
We then log in with a user name and password, after which we can perform tasks such as downloading or uploading a file.
d. Electronic mail (E-mail)
Currently the most popular service on the Internet. It is a store-and-forward service, meaning that two hosts exchanging electronic mail need not be directly connected: the mail is relayed through e-mail servers. The protocols used for the electronic mail service include:
- Simple Mail Transfer Protocol (SMTP)
- Post Office Protocol Version 3 (POP3)
- Internet Message Access Protocol (IMAP)
- Multipurpose Internet Mail Extension (MIME)
e. Search services:
These include services such as:
- File search (Archie)
- Menu-based information lookup (Gopher)
- Index-based information search (WAIS)
- Hypertext-based information search (WWW)

2.4 Vulnerabilities on the network

Using the Internet rapidly increases connectivity, but at the same time it harbours unexpected dangers. There are very many holes that an attacker can exploit to harm a system. Below are a few vulnerabilities common in the network community today.
- Weak passwords:
People habitually choose passwords based on the names of relatives or on things familiar to them. With such easily guessed passwords an attacker can seize administrative rights on the network, destroy the system, install backdoors and so on. Today someone sitting far away can also log in to the system, so we must use passwords that are harder to guess and harder to find.
- Unencrypted data:
Data transmitted across the network is very easy to intercept, eavesdrop on or alter. With unencrypted data the attacker needs no time at all to understand it. Sensitive information must be carefully encrypted before it is sent over the network.
- Shared files:
Opening files for sharing information is one of the security problems most often encountered. It allows anyone to access the files if we have no good security and permission mechanism.
- The well-known TCP/IP protocol suite, in wide use on networks today, also harbours unforeseen dangers. An attacker can use the very rules of this suite to carry out DoS attacks. Below are some notable vulnerabilities related to the TCP/IP suite:
o CGI scripts: CGI programs are notorious for poor security, and hackers commonly use these security holes to extract data or destroy programs.

o Web server attacks: besides the security holes that come from executing CGI programs, web servers can have other holes. For example, some web servers (IIS 1.0 ...) had a hole whereby a file name with the sequence ../ inserted into the path let one move anywhere in the file system and retrieve any file. Another common bug is a buffer overflow in the request field or in other HTTP fields.
o Web browser attacks: because web browsers such as those of Microsoft and Netscape have many security holes, attacks have appeared via URLs, HTTP, HTML, JavaScript, frames, Java and ActiveX.
o SMTP (Sendmail) attacks
o IP address spoofing (IP Spoofing)
o Buffer overflows: there are two kinds of attack that exploit buffer overflow bugs: DNS overflow (when an overly long DNS name is sent to the server) and Statd overflow (when an overly long file name is supplied).
o DNS attacks: DNS servers are often a main target of attack, because the consequence is severe: the whole network is blocked.
- In April 2004 the US Department of Homeland Security and the UK National Infrastructure Security Co-ordination Centre warned of a serious TTO security flaw in this very TCP/IP suite.
In the next section we examine attack techniques based on these security holes.

III. Assets to be protected
To be able to protect a system against hacker attacks we must know what assets need protection and the different attack techniques, and from these devise a suitable defence strategy.
The sections below present these issues in detail.
There are three kinds of asset to protect:
Data: the information stored in computers
Resources: the computer itself, printers, CPU and so on
Reputation

3.1 Data
The objectives and security policy of an information system with respect to data include:

Confidentiality
Integrity
Availability
Usually people concentrate on protecting the confidentiality of data; for highly sensitive information such as defence information or business strategy, this is the vital factor. When data is copied by people without authority, we say that the data has lost its confidentiality.
When data is unexpectedly modified by a person without authority, we say that the data has lost its integrity.
Availability is the most important property for organizations whose operation depends on large amounts of information. When a legitimate user wants to view their data but the data cannot be served immediately for some reason, we say that the data has lost its availability.

3.2 Resources
Consider the following example:
We have a printer (a kind of resource); apart from us, only authorized people may use it. However, unauthorized people also want to use this printer for free. We then say that the printer has been violated.
The notion of violation is very broad: memory, CPU and so on are all resources. When they are exploited illegitimately by unauthorized people, we say that the resources have been violated.

3.3 Reputation

Protecting one's reputation is obviously important for both individuals and organizations. Not only on the Internet but in everyday life we all need to protect our reputation. What would happen if one day our name were used for shady purposes? Restoring the reputation we had before would certainly take a long time, and might be impossible.

IV. Network attacks and defence strategies

4.1 Forms of attack
There are many different forms of attack on a system, and also many ways of classifying them. In this section we divide attacks into three basic kinds:
Intrusion
Denial of Service (DoS)
Information theft
4.1.1 Intrusion
An intrusion attack is an attempt by a person or group of people to break into or abuse a system. Hacker and cracker are two terms used for intruders.

Most attacks on systems in general are intrusions. With this kind of attack the attacker can actually use our computer. Every attacker wants to use our computer as if they were a legitimate user.
Attackers have a whole range of ways to gain access. They may pretend to be someone with higher authority and ask us for our login name and password, or simply use a guessing attack, and beyond that they have many more sophisticated methods of gaining access without knowing any user name or password at all.
Intruders can be divided into two kinds:
+ Outsiders: intruders from outside the system (erasing the web server, relaying spam through e-mail servers). They may get past the firewall to attack machines on the internal network. Outside intruders can come from the Internet, over telephone lines, by physical break-in, or from partner networks linked to the organisation's network (manufacturers, customers, ...).
+ Insiders: intruders who have legitimate access to the inside of the system (authorised users, or people impersonating users with a higher level of authorisation). According to statistics this kind of intrusion accounts for up to 80%.
There are two main ways of carrying out an intrusion:
Reconnaissance: the attacker may use scanning tools to probe or search for security holes in a network. These scans may be pings, TCP/UDP port scans, DNS zone transfers, or scans of web servers looking for CGI vulnerabilities. Some common kinds of scan are:
Ping Sweep
This method simply pings IP addresses to check whether the hosts at those addresses are alive. More sophisticated scans use other protocols, such as an SNMP sweep, which works in the same way.
TCP Scan (TCP port scan)
This kind of scan probes open TCP ports to find running services that could be exploited, abused or sabotaged. The scanner may use ordinary TCP connections, stealth scans (using half-open connections) or FIN scans (not opening a port, just checking whether anyone is listening). The list of ports can be scanned sequentially, randomly, or as configured.
UDP Scan (UDP port scan)
This kind of scan is somewhat harder because UDP is a connectionless protocol. The technique is to send a meaningless UDP packet to some port. Most servers reply with an ICMP "destination port unreachable" packet, indicating that no service is listening on that port. However, many machines rate-limit ICMP messages, so this cannot be done very quickly.
OS identification
By sending malformed TCP or ICMP packets, the attacker can obtain information about the operating system.
Account Scan
Attempts to log in to the system with accounts such as:
o accounts with no password
o accounts whose password is the same as the username, or is "password"
o default accounts used when the product was shipped
o accounts installed together with software products
o problems with anonymous FTP accounts
Exploits: exploiting hidden features or bugs to gain access to the system.
A firewall can help us prevent some of the intrusion methods above. In the most general case the firewall blocks every path into the system, regardless of login name or password. In general, however, firewalls are configured to reduce the number of accounts that can be accessed from outside. Most people configure the firewall for one-time passwords to avoid guessing attacks.
4.1.2 Denial of service
This is an attack on the availability of the system: it exhausts the system's resources or occupies its bandwidth, so that the system loses the ability to respond to incoming requests. In that situation, if the system needs those resources, it will very likely fail.
A special characteristic of this kind of attack is that the victim cannot defend against it, and the tools used in the attack are the same tools the system uses for its daily operation.
Four kinds of DoS can be distinguished:
- Bandwidth consumption
- Resource starvation
- Programming flaws
- Routing and DNS attacks
Technically there are three main kinds of denial-of-service attack: DoS, DDoS and DRDoS.
- DoS (Traditional DoS): simply, the attacking machine has more bandwidth than the victim.
- DDoS (Distributed DoS): many machines attack one victim at the same time.

Figure 1-6: DoS and DDoS attacks

- DRDoS (Distributed Reflection DoS): uses reflection servers. The attacker sends connection requests to servers with very high bandwidth on the network (the reflection servers); these connection-request packets carry a forged source IP address, namely the victim's. The reflection servers send SYN/ACK packets back to the victim, producing bandwidth multiplication.
With this kind of attack the attacker still gains no further information about the system. It simply paralyses the system so that it can no longer operate.

Figure 1-7: DRDoS attack

4.1.3 Information theft

Some attacks let the attacker obtain data without having to access or use our computer directly. Usually the attacker exploits the Internet services that distribute information. These services may give out information we do not want released, or deliver information to the wrong recipient. Many Internet services were designed for use on internal networks and have no additional protection layers, so the information is not safe when it travels over the Internet.
Most attackers try to eavesdrop in search of information such as login names and passwords. Unfortunately these are the pieces of information most easily stolen on the network, as the figure below illustrates.

Figure 1-8: Model of a mail application on the Internet


This is the path of the packets when a user logs in to an ISP's system and then sends some messages. The unencrypted packets are transmitted from the client to the dial-up ISP, then through the ISP firewall to the routers before being transmitted over the Internet. In each unencrypted transmission the messages can be intercepted at several points and copied as they are sent. A user working for the ISP can have the packets kept. A computer expert can also read all the messages easily. Any expert maintaining the routers can find many ways to keep copies of the messages. And at the places providing the services, they too can examine the users' messages.
If Internet access is from a LAN instead of dial-up, even more people can view the messages. Anyone in the company's system on the same LAN can set a NIC to capture the network's packets.

Figure 1-9: Internet connection from a LAN


Protocols usually use fixed ports to exchange information with each other, and this is a weak point of the system that lets hackers easily steal important information.
Example:
When a user logs on to Yahoo! Mail, enters the username and password and presses Submit, if the information is correct it is packaged and sent. The first HTTP packet, containing the username and password, is sent through port 1149; a hacker who can access this port can obtain the user's logon information, in which the password is transmitted in plain text. When logging on to the site, about 100-200 packets are exchanged between the user and the server, and roughly the first 10 of them contain the password.
There are many ways to counter this attack. A well-configured firewall will protect against those trying to obtain the information we send out.

4.2 Some attack techniques

Below are some common attack techniques that hackers use against a system. These techniques mainly belong to the intrusion and denial-of-service categories.
4.2.1 IP spoofing
Most protocols used on the network run over TCP, so we look at how this protocol establishes a connection. TCP is a connection-oriented protocol; for a client and a server to establish a connection and exchange information, they must go through the following three steps (the three-way handshake):
- Step 1: The client sends a SYN packet to the server to request a connection. At this point a potential connection is established between client and server.
- Step 2: After receiving the SYN, the server replies to the client with a SYN/ACK packet acknowledging the connection setup.
- Step 3: After receiving the SYN/ACK, the client sends the server an ACK packet. At the end of this step the connection between client and server is complete.

Figure 1-10: Establishing a TCP connection between client and server


If a client has not asked to establish a connection with the server but receives a SYN/ACK packet, it replies to the server with an RST (reset) packet, from which the server knows to cancel the connection.
Note that right at step 1, when the client sends the SYN, the server reserves an area of working memory for this client. That memory is released only when the client asks to cancel the connection, or after a certain period (called the timeout) with no signal from the client. The timeout differs from server to server and lies between 75 seconds and 23 minutes.
Based on the TCP connection setup mechanism, attackers devised the following IP spoofing technique:
Suppose two hosts X and Y trust each other. The attacker is located at Z and creates packets pretending to be Y, sent to X, hoping to receive the replies. However, when X receives this connection request it treats it as sent by Y and therefore replies to Y, and Z receives nothing. When Y receives the reply from X (with the ACK bit set) it replies with an RST packet, so the connection is cancelled. The attacker does not want X to cancel this connection, so he looks for a way to stop Y from receiving the reply, for example by launching a denial-of-service attack that floods Y's bandwidth so that it can receive nothing more.
However, this approach is largely theoretical; in practice it is very hard to carry out this way.
4.2.2 SYN flooding
We are still concerned with the three-way handshake used to set up a connection between two TCP entities. The attacker again uses a spoofed address to send a SYN packet to the victim. As soon as the victim receives this packet it allocates a portion of memory for the connection.

Figure 1-11: SYN flood attack (1)

Just as above, when it receives the SYN connection request it replies with a SYN/ACK to the host whose address the attacker spoofed. If this packet reaches the spoofed host, that host sends an RST, the connection is cancelled, and the memory the victim host allocated for the connection is freed. In this case the attacker again gains nothing.
To get around this, the attacker does the following: the address used for spoofing is one that the victim host cannot deliver packets to. Then the SYN/ACK packets that the victim sends back in step 2 of the three-way handshake cannot reach their destination, so no RST packet is sent back to the victim either. The victim therefore has to wait on this connection until the timeout expires. This means the attacker has succeeded in tying up part of the victim machine's working resources.
Moreover, the attacker does not send just one SYN packet to the victim but keeps sending another SYN packet to the victim machine at regular intervals. The result is that all the resources of the victim machine are used up waiting for connections that do not exist.

Figure 1-12: SYN flood attack (2)

The advantage of this attack method is that with only a small amount of bandwidth the attacker can paralyse the victim. In addition, the SYN packets the attacker sends to the victim use forged addresses, so it is very hard to find the culprit.
4.2.3 ICMP flooding
Ping is a program that tells the user whether two hosts on the network can reach each other. Ping is based on the ICMP protocol. It lets the user send packets to a remote system and displays the time from sending the packet until the reply from the receiver arrives (RTT: Round Trip Time). The packet sent is an ICMP echo request; the reply is an ICMP echo reply.
The attacker uses ICMP to attack the victim as follows:
Step 1: The attacker, impersonating the victim, sends a Ping with the victim's IP address as the source and the broadcast address of some network as the destination. After this step every host on the 10.0.0.x network receives an ICMP packet from the victim's host.
Step 2: Because of this confusion, every host on the 10.0.0.x network sends an ICMP echo reply back to the victim. This mass of packets causes congestion and occupies the victim host's bandwidth. The victim can no longer communicate with other hosts on the network. Nowadays there are many convenient tools for carrying out this kind of attack.

Figure 1-13: ICMP flood attack
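To make the two flood patterns concrete from the defender's side, here is an added example (not code from the thesis) that models the victim's half-open connection table of 4.2.2 and checks a constructed packet capture for both the SYN flood and the broadcast-ping flood of 4.2.3; the record layout, the documentation-range addresses and the thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    """One captured packet; the record layout is an assumption."""
    t: float                 # arrival time in seconds
    src: str
    dst: str
    proto: str               # "tcp" or "icmp"
    flags: str = ""          # TCP flags: "S" SYN, "SA" SYN/ACK, "A" ACK, "R" RST
    icmp_type: str = ""      # "echo-request" or "echo-reply"


def half_open_table(packets: Iterable[Packet], server: str, timeout: float = 75.0) -> Dict[str, float]:
    """Model the memory a server reserves per SYN (section 4.2.2).

    An entry is created by a SYN addressed to `server`, freed by the peer's
    ACK (handshake step 3) or its RST (a spoofed but reachable host), and
    otherwise expires after `timeout` seconds; 75 s is the shortest server
    timeout the text quotes. Returns the entries still held when the last
    packet was seen.
    """
    table: Dict[str, float] = {}
    last_t = 0.0
    for p in packets:
        last_t = max(last_t, p.t)
        if p.proto != "tcp" or p.dst != server:
            continue                           # SYN/ACKs leaving the server are ignored
        if p.flags == "S":
            table[p.src] = p.t                 # memory reserved for this peer
        elif p.flags in ("A", "R"):
            table.pop(p.src, None)             # completed or reset: memory freed
    return {src: t0 for src, t0 in table.items() if last_t - t0 < timeout}


def detect_syn_flood(packets: List[Packet], server: str, max_half_open: int = 10) -> Tuple[int, bool]:
    """Flag a SYN flood by how many half-open entries one server holds, not by
    source address: the text notes the sources are forged, so a per-source
    count would see one SYN each and never trip."""
    held = half_open_table(packets, server)
    return len(held), len(held) >= max_half_open


def detect_icmp_flood(packets: Iterable[Packet], max_replies: int = 10) -> dict:
    """Flag both halves of the ICMP flood in 4.2.3: an echo request aimed at a
    broadcast address, and a burst of echo replies converging on one host."""
    broadcast = []
    replies: Dict[str, int] = defaultdict(int)
    for p in packets:
        if p.proto != "icmp":
            continue
        if p.icmp_type == "echo-request" and p.dst.endswith(".255"):
            broadcast.append((p.src, p.dst))   # /24 broadcast address, an assumption
        elif p.icmp_type == "echo-reply":
            replies[p.dst] += 1
    victims = sorted(dst for dst, n in replies.items() if n >= max_replies)
    return {"broadcast_requests": broadcast, "flooded_hosts": victims}


SERVER = "198.51.100.5"      # constructed addresses from documentation ranges


def sample_log() -> List[Packet]:
    """Constructed capture mixing normal traffic with the two flood patterns."""
    pkts = [
        # A legitimate client completing the three-way handshake of 4.2.1.
        Packet(0.0, "192.0.2.10", SERVER, "tcp", "S"),
        Packet(0.1, SERVER, "192.0.2.10", "tcp", "SA"),
        Packet(0.2, "192.0.2.10", SERVER, "tcp", "A"),
        # A forged source that is reachable: it answers the SYN/ACK with RST.
        Packet(1.0, "192.0.2.77", SERVER, "tcp", "S"),
        Packet(1.1, SERVER, "192.0.2.77", "tcp", "SA"),
        Packet(1.2, "192.0.2.77", SERVER, "tcp", "R"),
    ]
    # Twenty SYNs from forged, unreachable sources: the SYN/ACKs go nowhere,
    # so nothing frees the entries before the timeout.
    for i in range(20):
        pkts.append(Packet(2.0 + i * 0.5, f"203.0.113.{i + 1}", SERVER, "tcp", "S"))
        pkts.append(Packet(2.1 + i * 0.5, SERVER, f"203.0.113.{i + 1}", "tcp", "SA"))
    # ICMP flood: a ping forged as the victim towards the 10.0.0.x broadcast
    # address, after which every host on that network answers the victim.
    pkts.append(Packet(15.0, SERVER, "10.0.0.255", "icmp", icmp_type="echo-request"))
    for i in range(1, 13):
        pkts.append(Packet(15.1, f"10.0.0.{i}", SERVER, "icmp", icmp_type="echo-reply"))
    return sorted(pkts, key=lambda p: p.t)
```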


4.3 Network protection strategies

4.3.1 Least Privilege
Perhaps the most basic security strategy (not only for network security but for every other security mechanism) is least privilege. Essentially the principle means: any entity (a user, a system administrator, ...) has only the specific privileges needed to carry out its work and nothing more. Least privilege is an important principle for reducing the exposure through which an attacker can strike at the system and for limiting the damage caused by break-ins.
Almost certainly not every user needs to access every Internet service, modify (or even just read) every file on our system, or know the root password. Likewise, not every administrator needs to know the root passwords of all systems. Applying the principle of least privilege, we should look for ways to reduce the privileges needed by each person and for each specific task.
4.3.2 Defence in Depth
Another principle of every security mechanism is defence in depth. Do not depend on a single security mechanism, however strong it may be. Instead, use several security mechanisms that back each other up.

Figure 1-14: Defence in depth


4.3.3 Choke Point
By building a choke point we force all traffic to pass through it, and attackers are no exception. Thanks to this property we can inspect and control the traffic entering and leaving the network. There are many examples of choke points in everyday life.
In network security the choke points are the firewalls placed between the network to be protected and the Internet. Anyone wanting to get into the protected network must pass through these firewalls.

4.3.4 Weakest Link

In a protection system, even if many parts are highly secure, it takes only one insecure part for the whole system to become insecure. Clever attackers will find those weak points and concentrate their attacks there. We must pay careful attention to these weak points, because attackers always know how to find ways to exploit them.
4.3.5 Fail Safe Stance
Another basic element of security strategy is the ability to let the system fail safe, meaning that if the system fails, it fails in a way that resists the adversary's attack. Such a failure may also block access by legitimate users, but in some cases this strategy must still be applied.
Most applications today have a fail-safe mechanism. For example, if a packet-filtering router goes down, it lets no packet through. If a proxy goes down, it provides no service at all. But if a packet-filtering system is configured so that all packets are directed to a machine running the packet-filtering application while another machine provides the application, then when the packet-filtering machine goes down all packets go straight to the application providing the service. This kind of design is not fail-safe and must be avoided.
The important point of this strategy is our principle, our attitude towards security. Do we tend to restrict, to prohibit, or to permit? There are two basic principles on which we can base the security policy:
+ Default deny: concern ourselves only with what we allow and prohibit everything else.
+ Default permit: concern ourselves only with what we prohibit and let everything else through.
4.3.6 Universal Participation
To be highly effective, most security systems require universal participation by the local systems. If someone can easily break one security mechanism, they can succeed by attacking someone's unrestricted system and then go on to attack the internal system from inside. There are many ways a system's safety can fail, and we need reports of any unusual events that might affect the safety of the local system.
4.3.7 Diversity of Defence
The idea behind diversity of defence is to use security systems from several different vendors in order to reduce the risk from common flaws affecting every system. But this brings the difficulties of running a system built from products of different vendors: installation and configuration are harder, costs are higher, and more time is needed before the system can be operated.
We should be cautious with this idea of diversity, because using many different systems in this way does not necessarily give diversity of defence; it may instead happen that one system restricts the operation of another without supporting it as we hoped.


4.3.8 Simplicity
Simplicity is one of the security strategies for two reasons:
First: what is simple is easy to understand; if we do not understand some part, we cannot be sure whether it is secure.
Second: complexity creates many corners that we cannot manage, and many things may be hidden in them without our knowledge. Clearly, protecting an apartment is much easier than protecting a large castle!

Chapter 2: INTERNET FIREWALL

- Firewall concepts
- Basic functions of a firewall
- Firewall architecture
- Firewall maintenance

In this chapter we study the Internet firewall: what a firewall is, the basic functions of a firewall, the architecture of a firewall when deploying a secure network system and, finally, the work of maintaining a firewall.

I. Concepts
1.1 Concept
A firewall is software, a hardware device, or a combination of the two, designed to keep risks and dangers from the outside away from the internal network. It is usually placed between the internal network to be protected and the Internet, and it blocks some of the network traffic.

Figure 2-1: Position of the firewall in the network

With this arrangement, all traffic entering the internal network from the Internet, and conversely all traffic leaving the internal network for the Internet, must pass through the firewall. The firewall can therefore inspect the traffic and decide whether to allow it or not. Allowing or denying is based on the security policy set by the firewall administrator.

1.2 Advantages and disadvantages of a firewall

1.2.1 Advantages
A firewall can do a great deal for the security of a network. In fact the advantages of using a firewall are not limited to security.
a. The firewall is a focal point for solving security problems
Looking at the position of the firewall in the figure, we see that it is a form of choke point. The firewall gives us great power to protect the internal network, because the work to be done is concentrated at this choke point. Concentrating the work at a single point is also economically efficient.
b. The firewall can enforce a security policy
There are many services that people want to use even though they are not secure.
The firewall plays the role of controlling these services. It enforces a security policy that permits the services satisfying the rule set active on the firewall. Depending on the technology chosen to build the firewall, it can enforce security policies with varying degrees of effectiveness.
c. The firewall can log activity efficiently
Since all traffic passes through the firewall, it is the ideal place to collect information about the system and about network usage. The firewall can record what happens between the protected network and the outside network.
1.2.2 Disadvantages
A firewall can protect a network effectively, but it is not everything. A firewall has its drawbacks as well.
a. The firewall cannot protect against attacks from inside
If the attacker is on the inside of the firewall, it cannot help us at all. The attacker can steal data, damage hardware and software, and modify programs without the firewall being aware of it.
b. The firewall cannot protect against attacks that do not pass through it
The firewall can control traffic effectively, provided the traffic passes through it. However, the firewall can do nothing about traffic that does not pass through it. For example, what if dial-up access is allowed into the system behind the firewall? Then it cannot defend against attacks coming through the modem connection. This may be the result of a backdoor installed by the administrator or by advanced users.
c. The firewall cannot protect against completely new attacks
A firewall is designed only to resist known kinds of attack. A well-designed firewall may also be able to resist attacks of a completely new kind. The administrator must keep up with new attack methods and, combining them with existing experience, add to the firewall. We cannot install a firewall once and use it forever.
d. The firewall cannot stop viruses
A firewall cannot help a computer resist viruses. Although many firewalls scan incoming traffic to check whether it conforms to the rule set, the firewall checks only the source address, destination address and port numbers of the packet, not its content. That is not to mention the many kinds of virus and the many ways a virus can hide in data.
Next we look at the basic functions of a firewall. It can be said that a real firewall must have at least one of the following functions:
- Packet filtering: the firewall inspects the header of each packet and decides whether to let the packet through or discard it according to the configured rule set.
- Application proxy: with this capability the firewall inspects the packet header more thoroughly, thanks to its ability to understand the specific protocol the application uses.
- Network Address Translation (NAT): outside machines see only one or two network addresses of the firewall, while machines on the internal network can take addresses from any range, so the source and destination addresses of packets entering and leaving must be translated.
- Monitoring and logging: this capability lets the administrator know what is happening at the firewall, so as to devise better protection measures.
In addition, a firewall may have some extended functions such as:
- Data caching: because different users issue identical requests for websites, caching the data makes responses faster and more efficient.
- Content filtering: firewall rules can block requests for web pages containing certain keywords, URLs or other data such as video streams or images.
- Intrusion detection: the ability to detect intrusions and attacks.
- Other functions: virus detection and scanning.
In the section below we examine in detail the three basic functions of a firewall: packet filtering, application proxy and network address translation.

II. Basic functions of a firewall

2.1 Packet Filtering
2.1.1 Concept
Packet filtering is a basic function of a firewall. It is a network security technique operating at the network layer that controls the data entering or leaving a computer network. Packet filtering selectively routes packets according to the security policy set by the administrator. Packet filtering is usually very fast because it inspects only the packet headers and not the data inside. Because packet filtering is fast, flexible and transparent to users, most routers today come equipped with packet-filtering capability. A router using a packet filter is called a screening router.
Below is a model of a screening router in a network.

Figure 2-2: Screening router using a packet filter


As introduced in the previous chapter, every packet has its header. The information in the header includes the following fields:
- Source IP address
- Destination IP address
- Protocol
- Source TCP (UDP) port
- Destination TCP (UDP) port
- ICMP message type
The packet filter uses this information to make the final decision on whether to let the packet through. In addition, the packet filter can determine other information that is not in the packet header, such as:
- The network interface the packet arrived on (for example eth0 on Linux)
- The network interface the packet will leave by (for example eth1)
In practice the servers for Internet services usually concentrate on a particular port, so we can simply configure the router's packet-filtering rules by the corresponding port number to block connections. For example, an HTTP server uses port 80 by default; an FTP server, port 23.
So besides the function of an ordinary router, namely routing packets, a screening router can also filter the packets passing through it. A screening router reads packets more carefully in order to decide whether to let the packet reach its destination. Whether packets are allowed through depends on the filtering rules the screening router is configured with.
From this we get the ways of carrying out packet filtering: filtering by address, filtering by service type or port, and filtering by both address and port.
Filtering by address
This is the simplest way; filtering like this lets us steer packets by source or destination address without needing to know which protocol the packets belong to.
We see right away the risk of address-based filtering: an attacker uses a spoofed IP address to get past the filtering module and access the machines on the protected internal network. Two attacks based on IP address spoofing are source address spoofing and man in the middle. The solution to this problem is to authenticate the users behind the packets.
Filtering by service
Most applications on a TCP/IP network work on a socket consisting of an IP address and a port number. Filtering packets by service is therefore the same as filtering packets by port number. For example, web applications using HTTP usually work on port 80, and the Telnet service on port 23. Filtering can be based on the source port, the destination port, or both.
The risk with port-based filtering is that many client/server applications use random port numbers in the range 1023 to 65535. Writing rules this way is then very difficult, and may let dangerous packets through while blocking packets that are needed.
2.1.2 Packet filtering actions

After inspecting a packet, the packet filter can do one of the following:
- Allow the packet through: if the packet satisfies the conditions in the filter's configuration, it is forwarded to its destination
- Discard the packet: if the packet does not satisfy the conditions in the packet filter's configuration, it is discarded
- Log the activity
We do not need to log every packet allowed through, only some of the activity of some packets of this kind. For example, logging the packets that start a TCP connection lets us follow the TCP connections entering and leaving the protected network. Logging discarded packets is especially important, as we need to track which packets are trying to get through while they are forbidden.
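The following added example, not the thesis's own code, implements the decision logic described in 2.1.1 and 2.1.2: rules over the header fields and interfaces, first match wins, under the default-deny stance of 4.3.5, with an anti-spoofing rule for the risk noted under address-based filtering and a rule against the broadcast pings of 4.2.3; the rule syntax, the interface roles (eth0 towards the Internet, eth1 towards the LAN) and the sample packets are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields the filter reads (2.1.1) plus what the filter itself
    knows: the interfaces. Assumption: eth0 faces the Internet, eth1 the LAN."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None  # 8 = echo request
    in_if: str = ""
    out_if: str = ""


@dataclass
class Rule:
    """One filtering rule; a None field matches any value."""
    action: str                      # "allow" or "drop"
    src: str = "0.0.0.0/0"           # CIDR networks
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    in_if: Optional[str] = None
    log: bool = False                # also log the packets this rule allows
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and self.icmp_type in (None, p.icmp_type)
                and self.in_if in (None, p.in_if))


class PacketFilter:
    """The first matching rule decides; `default` applies when none matches.
    default="drop" is the default-deny policy of 4.3.5."""

    def __init__(self, rules: List[Rule], default: str = "drop"):
        self.rules = rules
        self.default = default
        self.log: List[str] = []

    def _record(self, verdict: str, p: Packet, why: str) -> None:
        self.log.append(f"{verdict} {p.proto} {p.src}->{p.dst}:{p.dport} in={p.in_if} ({why})")

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                # 2.1.2: every discarded packet is worth logging; allowed
                # packets only where the rule asks for it.
                if r.action == "drop" or r.log:
                    self._record(r.action, p, r.comment)
                return r.action
        if self.default == "drop":
            self._record("drop", p, "default policy")
        return self.default


LAN = "10.0.0.0/8"    # the private range used in the NAT section of the text

RULES = [
    # A LAN source address arriving on the Internet interface is spoofed:
    # the risk the text raises for address-based filtering.
    Rule("drop", src=LAN, in_if="eth0", comment="anti-spoofing"),
    # Pings to the directed-broadcast address are what the ICMP flood of
    # 4.2.3 relies on.
    Rule("drop", proto="icmp", icmp_type=8, dst="10.0.0.255/32", comment="no broadcast ping"),
    # The one service published outward: the web server on port 80. Its
    # accepted packets are logged so incoming connections can be followed
    # (a real filter would log only the SYN that starts each connection).
    Rule("allow", proto="tcp", dport=80, dst="10.0.0.80/32", in_if="eth0", log=True, comment="web server"),
    # LAN hosts may open connections outward.
    Rule("allow", src=LAN, in_if="eth1", comment="LAN outbound"),
]

SAMPLE: Dict[str, Packet] = {   # constructed packets
    "web": Packet("203.0.113.9", "10.0.0.80", "tcp", 40000, 80, in_if="eth0"),
    "spoofed": Packet("10.0.0.5", "10.0.0.80", "tcp", 40001, 80, in_if="eth0"),
    "telnet": Packet("203.0.113.9", "10.0.0.80", "tcp", 40002, 23, in_if="eth0"),
    "bcast_ping": Packet("203.0.113.9", "10.0.0.255", "icmp", icmp_type=8, in_if="eth0"),
    "lan_out": Packet("10.0.0.5", "198.51.100.7", "tcp", 50000, 80, in_if="eth1"),
}


def run(default: str = "drop") -> Tuple[Dict[str, str], List[str]]:
    """Apply RULES to SAMPLE under the given default policy; returns the
    verdict per packet and the log the filter produced."""
    pf = PacketFilter(RULES, default=default)
    verdicts = {name: pf.decide(p) for name, p in SAMPLE.items()}
    return verdicts, pf.log
```

Running `run()` and `run(default="allow")` side by side shows the difference the two policies of 4.3.5 make: only under default deny is the unlisted Telnet packet dropped and logged.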
2.1.3 Advantages and disadvantages of packet filtering
a. Advantages
- Transparent
- Can filter any service that uses a protocol the firewall supports
- A single screening router can protect the network: this is a major advantage of packet filtering, since it is a single component and the hosts on the protected network need not be changed when the scale of the network changes
- Unlike a proxy, it does not require users to learn how to use it
b. Disadvantages
- Requires a thorough understanding of the protected network and of the protocols used on it
- No user authentication; packet filtering relies only on the network addresses of the hardware systems
- Does not hide the internal architecture of the protected network
- Does not protect against weaknesses in the services that are not filtered
- With DHCP the filtering results are not accurate
- Some protocols are not suited to packet filtering.

2.2 Proxy
2.2.1 Concept
Hosts that have a direct connection to the outside network and provide certain services to other hosts on the protected network are called proxies. Proxies effectively act as gateways for those services, so they are also called application-level gateways.
Transparency to the user is a benefit of the proxy. The proxy collects the service requests of the client hosts and checks them; if a request is acceptable it passes it to the appropriate server, then receives the reply and returns it to the client.

Figure 2-3: Proxy server

The proxy runs on a dual-homed host or a bastion host. All hosts on the internal network that want to access the Internet must go through the proxy, so we can apply some security policies to the network, such as keeping log files and setting access rights.
2.2.2 Advantages and disadvantages of a proxy
a. Advantages
- Easy to define security rules
- Authenticates users
- Can hide the internal architecture of the protected network
- Transparent to users
- Easy to keep log files
b. Disadvantages
- Demands more of the system administrator than packet filtering
- Cannot be used for new services
- Each service needs its own proxy
- Proxying is not possible for some services
2.2.3 Proxy operation
Usually, for each service, proxying requires corresponding proxy software on the server side, while on the client side it requires one of the following:
- Custom client software: with this approach, when the user makes a request, this software connects to the proxy instead of directly to the server, and tells the proxy the address of the server to connect to.
- Custom user procedures: the user uses standard client software to connect to the proxy server and asks it to connect to the real server.
2.2.4 Proxy classification
There are many criteria for classifying proxies; proxies can be divided into the following kinds:
- Application-level and circuit-level proxies
An application-level proxy is a proxy that knows the specific applications it serves. It understands and interprets the commands of the application-layer protocol, for example the Sendmail application. A circuit-level proxy is a proxy that can create a connection path between client and server without interpreting the commands of the application-layer protocol. A common kind of circuit-level proxy is the hybrid proxy gateway, which acts as a proxy towards the outside network but as a packet filter towards the inside network.
In general, application-level proxies use custom user procedures while circuit-level proxies use custom client software. An application-level proxy can receive information from outside through the application-layer protocols, whereas a circuit-level proxy cannot interpret the application-layer protocols and must be given extra specific information in order to let data through. Its advantage is that it provides service for many different protocols. Most circuit-level proxies are generic proxies, meaning they suit most protocols. Their disadvantage is that they offer few controls on the proxy and are easily fooled by attaching common services to ports other than the ones they normally use.
- Generic proxy and dedicated proxy
Although the terms application-level proxy and circuit-level proxy are common, we still usually distinguish between dedicated proxy servers and generic proxy servers. A dedicated proxy server serves only one protocol, whereas a generic proxy server serves several protocols. We can see right away that an application-level proxy is a kind of dedicated proxy server and a circuit-level proxy is a kind of generic proxy server.
- Intelligent proxy
A proxy server that can do more than simply forward requests from clients is called an intelligent proxy server. For example, the CERN HTTP proxy and the Squid proxy can cache data, so that when there are many requests for the same data they need not go outside again but can return the cached result to the user immediately, saving time and the cost of the link. These proxies provide better logging and access control than other measures do.
2.2.5 Using proxies with Internet services
Because a proxy intervenes in much of the communication between client and server, it must adapt to the needs of each service. Some services operate simply but become much more complex once a proxy is added. The ideal service for proxying creates TCP connections in one direction only and has a secure command set. Thus proxying TCP is altogether simpler than proxying UDP, while for lower-layer protocols such as ICMP proxying is almost impossible.

2.3 Network Address Translation

Figure 2-4: Network address translation

NAT was originally introduced to save IP addresses, because the 32-bit IP addresses allocated to organisations were quickly running out. But NAT brought some unexpected benefits beyond its original design purpose.
With NAT, every computer on the internal network has an IP address from a private range, for example 10.0.0.0/8, and these addresses are not used on the Internet. When a machine on the internal network wants to connect to the Internet, the NAT computer replaces the private IP address (for example 10.65.1.7) with a fixed IP address supplied by the ISP (for example 23.1.8.3), so the packet is sent with the IP address 23.1.8.3; when the reply is received it changes the destination IP address back, giving us 10.65.1.7. The model of Network Address Translation is shown in the figure above.
NAT saves IP address resources because the addresses of hosts in the internal networks of different organisations can be identical.
When more than one computer on the internal network needs to connect to the Internet at the same time, the NAT machine must have several public IP addresses, one for each computer on the internal network. With today's NAT services the NAT machine needs only one public IP address, because besides translating the IP address it also changes the port number, and each machine on the local network is given a different port number. Since there are about 65355 different port numbers, one NAT machine can manage a local network of thousands of computers. The technique of changing port numbers is called Network Address Port Translation (NAPT).
From this we also see the security aspect of NAT: it can hide the IP addresses of the computers on the protected network. This is an advantage that firewalls make use of, as the outside world can see only the network interface with the public IP address.
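As an added example (not from the thesis), the translation table that NAPT keeps, using the addresses from the text (10.65.1.7 private, 23.1.8.3 public); the second LAN host, the outside server and the port pool bounds are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


@dataclass(frozen=True)
class Flow:
    src: Endpoint
    dst: Endpoint


class Napt:
    """Network Address Port Translation (section 2.3): one public address is
    shared by the whole private network because the source port is rewritten
    along with the source address. The port pool bounds are an assumption."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound: Dict[Endpoint, int] = {}   # private (ip, port) -> public port
        self.inbound: Dict[int, Endpoint] = {}    # public port -> private (ip, port)

    def translate_outbound(self, flow: Flow) -> Flow:
        """Rewrite the source of a LAN packet before it leaves for the Internet.
        A private (ip, port) pair keeps its public port for the whole session."""
        if flow.src not in self.outbound:
            if self.next_port > self.last_port:
                raise RuntimeError("NAPT port pool exhausted")
            self.outbound[flow.src] = self.next_port
            self.inbound[self.next_port] = flow.src
            self.next_port += 1
        return Flow((self.public_ip, self.outbound[flow.src]), flow.dst)

    def translate_inbound(self, flow: Flow) -> Optional[Flow]:
        """Map a packet arriving at the public address back to the LAN host.
        A packet for a port with no table entry is returned as None (dropped):
        nobody outside can reach an internal host that did not open a session,
        which is the hiding effect the text attributes to NAT."""
        if flow.dst[0] != self.public_ip:
            return None
        private = self.inbound.get(flow.dst[1])
        return None if private is None else Flow(flow.src, private)


def demo():
    """Constructed session: two LAN hosts using the same local port reach the
    same outside server through a single public address."""
    nat = Napt("23.1.8.3")                     # public address from the text
    server = ("198.51.100.7", 80)              # constructed outside server
    out1 = nat.translate_outbound(Flow(("10.65.1.7", 3333), server))
    out2 = nat.translate_outbound(Flow(("10.65.1.8", 3333), server))
    reply2 = nat.translate_inbound(Flow(server, out2.src))          # answer to host 2
    stray = nat.translate_inbound(Flow(server, ("23.1.8.3", 2000))) # unsolicited
    return out1, out2, reply2, stray
```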

2.4 Monitoring and Logging

The purpose of monitoring and logging is to let the administrator know whether the modules of the firewall system are working as expected. Is the packet filter filtering packets reliably? Has NAT hidden the IP addresses of the hosts on the internal network? Does the application proxy separate the protected internal network from the outside network?
It also tells us the current connections in the system, information about discarded packets, and which computers are trying to break into our system. Here are four reasons for a firewall to perform monitoring and logging:
- Useful reporting information: we want to gather information to learn the performance of the firewall system, status information, and even changes to users' accounts for the services.
- Intrusion detection: if a hacker has penetrated our network, the hacker has time to stay there and take actions that damage the system. Regular monitoring of the log files can help find clues and produce evidence that helps detect the intrusion into our network.
- Discovering new attack methods: once we have detected an intrusion, we still have to make sure the hacker has stopped and cannot repeat it in the same way as before. This requires us to analyse all the log files carefully, in the hope of discovering the traces the hacker left on entering our network and when our network was first penetrated. From the information analysed we may also discover Trojan horse applications that have been installed in our system.
- Legal evidence: a further benefit of the log files is that they create evidence of a legal nature. The log files are evidence of the hacker's first intrusion into the system and of the hacker's subsequent actions on the system.

III. Firewall architecture

When deploying a firewall on a real network there are many ways to build a system out of the functions, or rather the basic components, of a firewall. Below we look at the basic firewall architectures:
- Bastion host
- Dual-homed host
- Screened host
- Screened subnet
There are also some combined architectures and variants of the basic ones above.

3.1 Bastion host


The bastion host of an internal network is the point that is exposed to the outside network. Every connection from outside in, and vice versa, has to pass through the bastion host. The bastion host is therefore always the number one target of attack, and it is regarded as a critical position for the network.
A firewall system need not have only one bastion host; there may be several bastion hosts in different places. Their number and placement depend on the actual requirements and purpose. A bastion host can also be used on its own as a firewall architecture.
3.1.1 Main principles of a bastion host
There are two main principles when designing and building a bastion host:
- Keep it simple
- Be prepared for the bastion host to be compromised
a. Keep it simple
The simpler the bastion host, the easier it is to secure. Any service on the bastion host may contain a software bug or a configuration error, and such errors can be the cause of security problems. So the fewer tasks the bastion host performs, the better. Only a small number of services should run on it, each with the least privilege it needs.
b. Be prepared for the bastion host to be compromised
Whatever protection is in place, the bastion host will at some point be attacked, and such an attack may succeed. Plan for the worst case that can happen to the bastion host, and prepare in advance for that event.
If the bastion host falls, there must be measures that stop the attacker from going on to harm the internal network. One such measure is to configure the hosts on the internal network so that they do not trust the bastion host unconditionally. Look carefully at the services the bastion host provides to internal hosts, and check the reliability and the privileges of each. There are several ways to do this, for example installing a packet filter between the bastion host and the internal hosts, or requiring a password on each host.
3.1.2 Kinds of bastion host
There are many ways to configure a bastion host in a network. Besides the two main configurations, the screened host and the service hosts on a screened network, there are several other kinds of bastion host. These are configured much like the two above, but with some special requirements. Some bastion models:
- Nonrouting dual-homed host
- Victim machine
- Internal bastion host
a. Nonrouting dual-homed host
A nonrouting dual-homed host has several network connections but does not forward traffic between them. Each such host can itself be a firewall or part of a firewall.
b. Victim machine
For a new service whose security we cannot yet guarantee, choosing a victim machine is entirely reasonable. There is no special information on the victim machine and it has no access rights to other hosts. We provide only the bare minimum needed to use the services we want on the victim machine. If possible, offer only the unsafe, unverified services on it, so as to contain unexpected effects.
3.1.3 Placement of the bastion host on the network
The bastion host should be placed where there is no confidential traffic. Most Ethernet and Token Ring network interfaces can operate in promiscuous mode, in which they capture every packet on the network segment they are attached to. Some other interfaces, such as FDDI, cannot capture every packet, but depending on the network layout they can still capture some packets not addressed to them.
This capability is very useful for network analysis, testing and debugging, for example with the tcpdump program. But consider how dangerous it is if an attacker uses it to eavesdrop on and tamper with traffic on the network. We must prepare for the worst case, in which the bastion host is compromised; in that case we do not want the attacker to be able to use the bastion host to interfere with other traffic.
One solution is not to place the bastion host on the internal network but on a perimeter network. Traffic on the internal network then stays on the internal network and cannot be observed from the perimeter network. Bastion hosts on the perimeter network see only packets from themselves to the Internet and from the Internet to themselves.
Using a perimeter network together with packet-filtering routers between it and the internal network brings further advantages: it reduces how much of the internal network is exposed to the outside.
Alternatively, the bastion host can be placed on a network that is less easy to sniff. For example, it can sit on an intelligent 10Base hub, on an Ethernet switch, or on an ATM network. With this option, make sure that no host trusts the bastion host unconditionally.
In short, the best approach is to isolate the bastion host from the internal network. The practical way is to place it on the perimeter network. In this way the internal network remains protected even if the bastion host is compromised.
Note: do not allow user accounts on the bastion host. If at all possible, do not allow any user accounts on the bastion host, for the following reasons:
+ the accounts themselves can be compromised
+ the services that support those accounts can be compromised
+ they reduce the stability and trustworthiness of the bastion host
+ they make an attacker harder to detect
+ the bastion host can be compromised through someone's carelessness

3.2 Dual-homed host


This architecture is built around a dual-homed host, a computer with at least two network interfaces. Such a machine could act as a router between the networks it connects, forwarding packets from one to the other, but in this architecture that routing function must be disabled. Systems on the inside and on the outside can each connect to the dual-homed host, but they cannot connect directly to one another; traffic crosses only through proxy services on the host (or through users logging in to it).

Figure 2-5: Dual-homed host architecture

The architecture is fairly simple: a dual-homed host sits in the middle, connected to both the outside network and the inside network.
A dual-homed host provides a high degree of control. Although the architecture is simple, making full use of its advantages takes a great deal of work.

3.3 Screened host


A screened host provides services from a host that is attached only to the internal network. It is built from a bastion host and a screening router.
The bastion host sits on the internal network, and packet filtering on the screening router is configured so that the bastion host is the only host on the internal network that hosts on the Internet can connect to, and even then only for certain kinds of connection. Any outside host that wants to reach the internal systems must go through the bastion host. For this reason the bastion host must be protected very carefully.
Packet filtering allows the bastion host to connect to permitted points on the outside network. The packet filter is configured to:
+ allow other internal hosts (not the bastion host) to connect to outside hosts for certain services;
+ block all other connections to hosts on the internal network (those hosts use the proxy server on the bastion host instead).

Figure 2-6: Screened host architecture

Because the screened host architecture lets packets travel from the Internet into the internal network, it appears riskier than the dual-homed host architecture. In practice, however, a dual-homed host can also fail and let packets into the internal network. Moreover, a router is easier to protect than a host, so this architecture tends to be both safer and more convenient.

3.4 Screened subnet


The screened subnet is built by adding a perimeter network to the screened host architecture, to isolate the internal network from the outside Internet.

Figure 2-7: Screened subnet architecture

This architecture removes the weakness of the screened host architecture, where the bastion host sits on the internal network and, once compromised, exposes the whole protected network (if the other hosts trust the bastion host unconditionally).
By isolating the bastion host on the perimeter network, the risk in case the bastion host is broken into is reduced.
In the simplest screened subnet architecture, two screening routers are attached to the perimeter network. One router (the interior router) sits between the perimeter network and the internal network; the other (the exterior router) sits between the perimeter network and the Internet. To break into the internal network an attacker must get past both routers. Even after taking over the bastion host, the attacker still has to get past the interior router. Depending on the requirements, one or more perimeter networks can be used.
The basic components of the screened subnet architecture:
a. Perimeter network
The perimeter network is an extra layer of protection between the internal network and the outside. If an attacker gets through the firewall, the perimeter network gives us one more layer of defence.
If the attacker takes over the bastion host on this network, they can only gather the information available on the bastion host itself. All traffic on the perimeter network either originates from or is destined for the bastion host, or originates from or is destined for the Internet. Since no internal traffic passes across the perimeter network, the internal network stays secure even when the bastion host is compromised.
b. Bastion host
In the screened subnet architecture the bastion host is placed on the perimeter network. It is the main point of contact for connections from outside. Outbound services (from internal clients to servers on the Internet) are handled in one of two ways:
+ install packet filtering on both the exterior and interior routers and let internal clients reach outside servers directly;
+ install a proxy server on the bastion host and let internal clients reach outside servers indirectly. Packet filtering can then permit connections to the proxy on the bastion host while blocking direct connections between internal clients and outside servers.
In both cases packet filtering allows the bastion host to connect to servers and hosts on the Internet.
c. Interior router
Also called the choke router, it protects the internal network from both the Internet and the perimeter network. It does most of the packet filtering for the firewall. The services the interior router permits between the bastion host and internal hosts are not the same as those the exterior router permits between the perimeter network and the Internet. The reason for restricting the services between the bastion host and the internal network is to reduce the number of hosts that can be attacked if the bastion host is compromised.
d. Exterior router
Also called the access router, it protects both the internal network and the perimeter network. In practice it allows most connections from the perimeter network outward and does very little packet filtering. Only the filtering rules that are truly specific to the exterior router protect the hosts on the perimeter network; the most important of these blocks packets arriving from the Internet with forged internal or perimeter source addresses, which is a check the interior router cannot make on its own. The remaining rules are usually a copy of the rules on the interior router. A proxy can be installed on the exterior router to support connections from the bastion host outward.
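The interior and exterior router policies described above, written out as an added example (this is not code from the thesis): a POSIX shell script that emits the iptables FORWARD rules for the two screening routers of a screened subnet. The addresses, interface names, the services offered by the bastion host (SMTP and HTTP) and the single inbound exception (the bastion may reach an internal mail server on port 25) are assumptions for illustration. IPT defaults to "echo iptables" so the rules can be reviewed without root; set IPT=/sbin/iptables to load them for real.

```shell
#!/bin/sh
# Added example: screened-subnet ruleset generator (not from the thesis).
# Assumed addressing (hypothetical):
#   internal net  10.0.0.0/24  behind the interior router's eth1
#   perimeter net 192.0.2.0/28, bastion host 192.0.2.2
#   exterior router: eth0 = Internet,   eth1 = perimeter
#   interior router: eth0 = perimeter,  eth1 = internal
IPT="${IPT:-echo iptables}"

INTERNAL_NET=10.0.0.0/24
PERIMETER_NET=192.0.2.0/28
BASTION=192.0.2.2

# Exterior (access) router: little filtering, but it is the only place that
# can reject packets from the Internet that claim an inside source address.
exterior_router_rules() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # Anti-spoofing: inside addresses never arrive legitimately on eth0.
    $IPT -A FORWARD -i eth0 -s "$INTERNAL_NET" -j DROP
    $IPT -A FORWARD -i eth0 -s "$PERIMETER_NET" -j DROP
    # Replies to connections opened from the perimeter or internal side.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inbound from the Internet: only the services the bastion host offers.
    for port in 25 80; do
        $IPT -A FORWARD -i eth0 -o eth1 -p tcp -d "$BASTION" --dport "$port" \
             -m state --state NEW -j ACCEPT
    done
    # Outbound from the perimeter (bastion proxies, internal clients) is allowed.
    $IPT -A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -j LOG --log-prefix "EXT-DROP: "
}

# Interior (choke) router: the internal network trusts the bastion host only
# for the few services it must reach, so a compromised bastion cannot open
# arbitrary connections inward.
interior_router_rules() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # Anti-spoofing: nothing from the perimeter may claim an internal source.
    $IPT -A FORWARD -i eth0 -s "$INTERNAL_NET" -j DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Internal clients may open connections outward (directly or via the proxy).
    $IPT -A FORWARD -i eth1 -o eth0 -s "$INTERNAL_NET" -m state --state NEW -j ACCEPT
    # The bastion may open inbound connections only to the internal mail relay.
    $IPT -A FORWARD -i eth0 -o eth1 -p tcp -s "$BASTION" -d 10.0.0.25 --dport 25 \
         -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -j LOG --log-prefix "INT-DROP: "
}

# Review check: how many rules let the bastion host open NEW connections
# inward? On a hardened choke router this number should stay very small.
bastion_inbound_rule_count() {
    interior_router_rules | grep -c -- "-s $BASTION .*--state NEW -j ACCEPT"
}

exterior_router_rules
interior_router_rules
```

Run the script as is to print both rulesets and review them; the `bastion_inbound_rule_count` function is the kind of check worth keeping in a maintenance script, because every additional rule that lets the bastion initiate connections inward widens what an attacker on a compromised bastion can reach.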

3.5 Other architectural variants


The architectures above are the common firewall architectures, but there are many others. They combine the basic components of a firewall to meet needs for flexibility and security. Such combinations can be:
- using multiple bastion hosts
- merging the interior and exterior routers
- using multiple exterior routers
- using multiple perimeter networks
Some combinations, however, should be avoided:
- merging the bastion host and the interior router
- using multiple interior routers on one perimeter network

IV. Firewall maintenance


Once a firewall has been designed and installed to meet the requirements and tasks set for it, the next important job is maintaining it. This involves three important tasks:
- managing the firewall
- checking the firewall system
- keeping the firewall up to date
Much of the maintenance work can be automated.

4.1 Managing the firewall


Managing the firewall keeps it secure and in order. Three jobs have to be done:
- backing up the firewall
- managing accounts
- managing disk space
4.1.1 Backing up the firewall
This means backing up the configuration of the system, so that the configuration can be restored when necessary.
4.1.2 Managing accounts
Account management covers adding new accounts, modifying accounts and removing accounts. It is an indispensable part of security work. On a firewall system, good account management contributes substantially to the security of the system.
4.1.3 Managing disk space
Data always tends to fill the available disk space, even when no user is active on the system. The administrator must regularly inspect the system to answer these questions:
+ Are the programs running on the system backdoor programs installed by an attacker?
+ Is the data stored on disk safe, or does it hide security risks?

4.2 Checking the system


Another important maintenance task is checking the system. To do this the administrator has to answer the following questions, mainly by going through the log files carefully and extracting the information useful for administration:
- Has the firewall been compromised?
- What kind of attack is being used against our firewall?
- Is the firewall operating as intended?
- Is the firewall providing the services users require?
When reviewing the log files the administrator should pay attention to the following.
Information of interest:
+ dropped packets and refused connections
+ for connections passing through the bastion host, the connection time, the protocol used and user information
+ system error messages
Signs to watch for:
There are many signs to watch for. Even a successful connection calls for action, such as updating the log files and asking whether it shows signs of an attack. Signs that suggest an attack include:
+ repeated access attempts with a valid account but a wrong password
+ unusual packets or commands that we cannot explain
+ packets sent as multicast or broadcast
+ successful accesses from unexpected sites
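The log review described in 2.4 and here, as an added example that is not part of the thesis: a POSIX shell script that triages kernel messages written by iptables LOG rules. The log lines are constructed for the example (they are not captured from a real system) and assume the log prefixes EXT-DROP: for packets dropped by the exterior router and INT-DROP: for packets dropped by the interior router, with the bastion host at 192.0.2.2; the thresholds and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thesis): triage of iptables LOG output.
# LOG_SAMPLE is constructed to look like "kernel:" lines produced by
# "-j LOG --log-prefix" rules; it is not real captured data.
LOG_SAMPLE='Mar  3 10:01:12 fw kernel: EXT-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.2 PROTO=TCP SPT=41230 DPT=22 SYN
Mar  3 10:01:13 fw kernel: EXT-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.2 PROTO=TCP SPT=41231 DPT=23 SYN
Mar  3 10:01:13 fw kernel: EXT-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.2 PROTO=TCP SPT=41232 DPT=3389 SYN
Mar  3 10:01:14 fw kernel: EXT-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.2 PROTO=TCP SPT=41233 DPT=445 SYN
Mar  3 10:02:40 fw kernel: EXT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.2 PROTO=UDP SPT=5353 DPT=5353
Mar  3 10:03:05 fw kernel: INT-DROP: IN=eth0 OUT=eth1 SRC=192.0.2.2 DST=10.0.0.7 PROTO=TCP SPT=5555 DPT=22 SYN
Mar  3 10:04:00 fw kernel: EXT-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.2 PROTO=TCP SPT=41234 DPT=8080 SYN'

# Dropped packets per source address, busiest first: "a.b.c.d N" per line.
drops_per_source() {
    printf '%s\n' "$LOG_SAMPLE" |
        sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Sources that probed more than THRESHOLD distinct destination ports: one
# host touching many ports is the classic port-scan signature.
port_scanners() {
    threshold="${1:-3}"
    printf '%s\n' "$LOG_SAMPLE" |
        sed -n 's/.* SRC=\([0-9.]*\) .* DPT=\([0-9]*\).*/\1 \2/p' |
        sort -u | awk -v t="$threshold" '
            { ports[$1]++ }
            END { for (s in ports) if (ports[s] > t) print s }'
}

# Interior-router drops whose source is the bastion host mean the bastion
# tried to open a connection inward that policy forbids: a strong sign the
# bastion itself has been compromised, and the first thing to look at.
bastion_anomalies() {
    printf '%s\n' "$LOG_SAMPLE" | grep -c 'INT-DROP: .* SRC=192\.0\.2\.2 '
}

drops_per_source
port_scanners 3
echo "bastion-originated drops: $(bastion_anomalies)"
```

In production the constant would be replaced by reading the log host's copy of the kernel log (for example `/var/log/kern.log`), which is the point made in 2.4: the analysis is only trustworthy if the logs were shipped off the firewall before an intruder could touch them.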

4.3 Keeping the firewall up to date


The last important point in the maintenance strategy is to keep the firewall up to date. Every day and hour brings many attacks, and among them are attacks using new forms and methods. A further reason is to keep the system running at its best.
When updating the firewall system, keep the following in mind:
+ do not rush into updates hastily
+ do not fix problems you have not encountered
+ be careful with the patches the vendor issues
Leave out patches that are unnecessary, but be careful with the ones you do apply, because patches can depend on one another. This caution does not extend to security fixes for a service exposed on the bastion host: those should be tested and applied promptly, since the vulnerability they close is exactly what an attacker will try first.


Chapter 3: THE LINUX OPERATING SYSTEM

Overview of the Linux operating system
Networking in Linux
IPtables


This chapter gives an overview of the Linux operating system and of networking in the Linux environment. It then looks at iptables, the tool used to build a firewall system on Linux.

I. Overview of the Linux operating system


1.1 Linux in brief
Linux is a time-sharing operating system with support for interactive processing, derived from the Unix operating system. It is used on everything from PCs to mainframes. Because it is open source, many Linux products exist on the market (notably the GNU project and the graphical distributions Red Hat (Fedora) and SuSE).
The system is written in a high-level language, so it is easy to read, understand and modify, and can be ported to new hardware.
It supports multiple users and multiple processes: each user can run several programs, and each program can consist of several processes.
It hides the structure of the machine from the user, so programs can be written to run on different hardware.
[Diagram: the Linux system layers. Users interact with the user interface; utility programs (shell, editor, ...) and the standard library (open, close, read, write, ...) sit above the system call interface; below it is the Linux kernel (kernel mode), and at the bottom the hardware (CPU, memory, disks, ...).]

1.2 The Linux environment


The main components of the Linux operating system:
o windowing system and graphical user interface
o shell
o commands and utilities
o device drivers
o kernel
1.2.1 Kernel
The kernel is the core of the operating system. Its main tasks are:
o resource management, including memory management
o management of files and directories, local or remote
o management of resident daemons
o virtual memory management: to run many processes at once with limited memory, Linux sets aside an area of disk as virtual memory, and the kernel swaps data between memory and this area
o process management: Linux is a multitasking system, so managing concurrent processes is complex; the kernel handles the creation and termination of processes and the conflicts that can arise between them
o management of device drivers
o network management, covering many kinds of hardware and protocols
o system start-up and shutdown
1.2.2 Device drivers
Linux represents physical devices as special files. A special file has an entry in a directory and a file name, so Linux lets the user name devices.
Devices are of two kinds: character and block.
- Character devices are read and written as streams of characters (for example terminals).
- Block devices are read and written in fixed-size blocks (for example disks).
A device can be renamed like a file. The directory holding the device files is /dev.
1.2.3 Commands and utilities
Linux has a very wide range of commands and utilities. A Linux command has the form:
$ command_name [options] [arguments]
1.2.4 Shell
The shell is the user's command processor; it lets the user build very complex commands from simple ones. The shell can be regarded as a high-level programming language. Its main functions are:
o I/O control and redirection
o environment variables
o command execution
o a library of built-in commands
o file name expansion
o a programming language and environment
Three families of shell are in common use, each with its own syntax:
- Bourne shell: the most basic shell, fast and efficient but with few commands
- C shell: like the Bourne shell but adds control structures, command history and aliases
- Korn shell: combines the Bourne shell and the C shell
1.2.5 Windows and graphical user interface
The graphical, windowed interface is a great strength of Linux; it makes the system friendlier to the user. Linux uses X Window (X11) as its graphical environment; on Sun systems it is known as OpenWin.
1.3 Shell script programming
1.3.1 What is a shell
The role of the shell is to turn the commands the user types into operating system commands.
Example:
$ sort -n phonelist > phonelist.inorder
sorts the lines of the file phonelist in numerical order and writes the result to the file phonelist.inorder.
When a command line is entered, the shell transforms it as illustrated below:

Figure 3-1: Functional model of the shell

1.3.2 Kinds of shell
Because Linux is completely free and open source, there are many different shells. The main shells running on Linux today are the Bourne Again shell (bash), the Bourne shell (sh), the C shell (csh), the Korn shell (ksh), tcsh (an improved C shell) and zsh (the Z shell).
To find out which shell you are using, run:
$ echo $SHELL

1.3.3 Writing and running shell programs
In its simplest form a shell program is a file containing shell or Linux commands.
For example, to mount a Windows FAT32 partition we can write the following shell program (mounting requires root privileges):
$ mkdir /mnt/windows
$ mount -t vfat /dev/hda3 /mnt/windows
Save these lines in a text file, for example seewinflinux. There are several ways to run seewinflinux:
$ chmod +x seewinflinux
and then call seewinflinux from the command line;
or pass it as an argument to a shell, for example with tcsh:
$ tcsh seewinflinux
or use the dot command:
$ . seewinflinux
1.3.4 Basic shell control structures
Conditional statements
+ the if statement
+ the case statement
Loops
+ the for statement
+ the while statement
+ the until statement
+ the repeat statement (csh and zsh)
The shift statement:
shift discards the first positional parameter and moves the remaining ones down (the arguments typed when the command is invoked are stored in the variables named 1, 2, ..., so after shift the old $2 becomes $1), either by one position or by a specified number of positions. Its syntax is:
Shift one position: shift
Shift a given number of positions: shift number
Operators used in the test command and in conditional expressions:
+ string operators
+ file and directory operators
+ logical operators
+ integer operators
Using subroutines or functions in shell scripts
The shell lets us define our own functions, which are treated like functions in C and other programming languages. Functions make a program clearer and better structured, and avoid repeating the same code.
The syntax of a shell function is:
function_name ()
{
command1
command2
.....
commandN
return
}

Once defined, a function is called as:
function_name [arg1 arg2 arg3 ...]
Parameters passed to a function appear as positional parameters, just as on the command line of an ordinary shell program.
Note that the function is lost when the computer is restarted, because functions exist only for the duration of the session. To keep them, save them in a file in the following directory (note: you must be logged in as root):
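The constructs listed above (functions, while, case, shift and the test operators) put together in one script, as an added example that is not part of the thesis: a small argument parser that turns a request such as "allow -p tcp -s 10.0.0.5 --dport 22" into a validated iptables rule specification, rejecting malformed addresses and ports before anything reaches the firewall. The function names, the rule-spec format and the choice of the INPUT chain are this example's own.

```shell
#!/bin/sh
# Added example (not from the thesis): an option parser built from shell
# functions, while, case, shift and test operators. It validates its input
# and prints an iptables rule specification; nothing is loaded into the kernel.

# is_ipv4 ADDR[/PREFIX]: return 0 if ADDR is a dotted quad with an optional
# prefix length 0-32, otherwise 1.
is_ipv4() {
    case "$1" in
        ""|*[!0-9./]*|.*|*.|*..*|*/) return 1 ;;
    esac
    addr="${1%%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32          # no "/": a single host
    case "$prefix" in ""|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.
    set -- $addr                               # split the octets into $1..$4
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_port N: return 0 if N is a TCP/UDP port number 1-65535.
is_port() {
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_rule allow|deny [-p proto] [-s src] [-d dst] [--dport port]
# Prints "-A INPUT ... -j ACCEPT|DROP", or a diagnostic on stderr with status 1.
build_rule() {
    action="$1"; shift
    case "$action" in
        allow) target=ACCEPT ;;
        deny)  target=DROP ;;
        *) echo "unknown action: $action" >&2; return 1 ;;
    esac
    proto=""; src=""; dst=""; dport=""
    while [ $# -gt 0 ]; do                     # every option takes one value
        opt="$1"
        [ $# -ge 2 ] || { echo "missing value for $opt" >&2; return 1; }
        val="$2"
        case "$opt" in
            -p) proto="$val" ;;
            -s) is_ipv4 "$val" || { echo "bad source: $val" >&2; return 1; }
                src="$val" ;;
            -d) is_ipv4 "$val" || { echo "bad destination: $val" >&2; return 1; }
                dst="$val" ;;
            --dport) is_port "$val" || { echo "bad port: $val" >&2; return 1; }
                dport="$val" ;;
            *) echo "unknown option: $opt" >&2; return 1 ;;
        esac
        shift 2                                # consume option and value
    done
    # --dport only makes sense for protocols that carry port numbers.
    if [ -n "$dport" ]; then
        case "$proto" in
            tcp|udp) ;;
            *) echo "--dport requires -p tcp or -p udp" >&2; return 1 ;;
        esac
    fi
    rule="-A INPUT"
    [ -n "$proto" ] && rule="$rule -p $proto"
    [ -n "$src" ]   && rule="$rule -s $src"
    [ -n "$dst" ]   && rule="$rule -d $dst"
    [ -n "$dport" ] && rule="$rule --dport $dport"
    echo "$rule -j $target"
}

build_rule allow -p tcp -s 10.0.0.5 --dport 22
build_rule deny -s 203.0.113.0/24
```

The output of build_rule is meant to be passed to iptables (for example `iptables $(build_rule allow -p tcp -s 10.0.0.5 --dport 22)`); validating arguments in the wrapper matters because a rule with a mistyped address silently fails to match and leaves the firewall more open than intended.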


II. Networking in Linux


2.1 Introduction
This part gives an overview of networking in Linux: devices, drivers, network interfaces, and the network connection paths in Linux.

2.2 Devices, drivers and network interfaces


First, the notion of a hardware device, for example an Ethernet card: a collection of electronic components and controller chips plugged into the computer through an expansion slot.
To access a hardware device, the kernel must have a set of special functions installed, called a driver. For the Ethernet family of devices, for example, there are the Becker drivers. Communication between the driver and the device goes through an I/O memory region, which is usually mapped onto the device's I/O registers; commands and data are exchanged through those registers.
The kernel accesses device drivers through interfaces. An interface provides the same I/O functions for every kind of hardware device, for example receiving or sending a packet. Interfaces are identified by names defined inside the kernel. Ethernet interfaces are named eth0, eth1, ... Only SLIP interfaces are named dynamically: each time a SLIP connection is established, a corresponding interface is assigned to the serial port.

Figure 3-2: Interfaces, drivers and devices (the kernel networking code talks to interfaces eth0 to eth3, which map onto drivers such as the SMC and 3Com drivers, which in turn drive the networking hardware)

Some interfaces in Linux:
+ lo: the loopback interface, used for testing; the kernel always contains a driver for it.
+ ethn: the interface for Ethernet card number n + 1; this is the generic name for all Ethernet cards.
+ dln: the interface for the D-Link DE-600 adapter, another kind of Ethernet device, driven through the parallel port instead of an ISA or PCI slot.
+ sln: a SLIP interface, bound to a serial port; Linux supports 4 SLIP interfaces.
+ pppn: a PPP interface; like a SLIP interface, a PPP interface is bound to a serial port when that port is switched to PPP mode.
+ plipn: a PLIP interface, which carries IP packets over the parallel port; the Linux kernel supports 3 PLIP interfaces.

2.3 Configuring TCP/IP networking


This part configures Linux machines for TCP/IP networking: assigning IP addresses and configuring connections over serial lines. For convenience, so that the work is done only once, the configuration commands are placed in a script under the /etc/rc directory.
The configuration files involved are the proc file system, the hosts and networks files, and the configuration files for the SLIP, PPP and PLIP protocols.
To configure networking on a Linux machine we have to:
+ Configure the IP interfaces: the loopback interface, the Ethernet interface, routing through a gateway, gateway configuration, the PLIP interface and the dummy interface. This is done with the ifconfig and route commands.
+ The ifconfig command: this command is used constantly when configuring the network. Its syntax is:
ifconfig interface [address [parameters]]
where interface is the interface and address is the IP address, written in dotted-decimal notation or as a name listed in the hosts or networks file. Without arguments it prints the status of all network interfaces.
+ The route command: this command is used when the network must reach networks beyond the LAN, such as another LAN or the Internet. Its syntax is:
route add [-net | -host] target [netmask mask] [gw gateway] [dev interface]
route add default gw gateway
+ Checking the network with netstat: depending on the options given, it shows different information about the current network configuration. For example, -rn prints the routing table the system uses, with IP addresses in dotted-decimal form. The -i option shows information about the interfaces in use, and with -a all interfaces known to the kernel are shown. The -t, -u, -w and -x options show the active TCP, UDP, raw and UNIX sockets; adding -a also shows all sockets waiting for connections, that is, all the servers running on the system.
On current distributions these net-tools commands have been superseded by the iproute2 commands ip addr, ip route and ss, but the concepts are the same.

2.4 Packet transmission


This part looks at how an IP packet that must pass through a Linux box is processed.
A layer 3 packet is handled by the function ip_rcv. There we find the first Netfilter hook.
Netfilter is the packet filtering, packet mangling and NAT framework of the Linux 2.4 kernel. It is a generalised framework of hooks in the network stack. Any kernel module can register at one or more of these hooks and will receive every packet that passes through them. Netfilter hooks currently exist for IPv4, IPv6 and DECnet. There are five hooks in the Linux kernel, as shown in the figure below.

Figure 3-3: Netfilter hooks

Essentially, a hook can decide to drop the packet or let it continue. Assuming the packet survives the first hook, it is then routed.
Routing is a lookup in the FIB (Forwarding Information Base) to find the routing entry that corresponds to the packet's destination IP address. The next step is to match the routes; this determines the route on which the packet will be sent. Because a lookup in the FIB is expensive, a routing cache holds the routes in use. The cache is looked up with a hash that combines the source and destination addresses, so two packets with the same pair are routed the same way in the next step; multipath routing is not possible without changes to the cache.
After this step the packet is ready to be forwarded. During the routing phase the field skb->dst has been set. Next the input method corresponding to the destination is called. In this phase the TTL field of the IP header is decremented and the MTU (maximum transmission unit) of the outgoing interface is checked: if the MTU is smaller than the packet, the packet is fragmented; otherwise it can be sent directly on that interface. ICMP messages are also generated in this phase.
If the information needed to send the packet to the next hop is not known, an ARP packet is sent to find the hardware address of the next network interface. Once that information is available, the MAC field is rewritten and the packet is ready to go out on the next hop.
The Packet Capture library (libpcap) provides a high-level interface for sniffing and capturing packets. Every packet on the network, including broadcast packets, can be accessed through this mechanism.
Libipq is a library developed to support iptables' queueing of packets to user space.
Linux Netfilter provides a mechanism for passing packets out of the stack into a queue in user space, and then receiving them back into the kernel together with a verdict on what to do with the packet (accept or drop). The packets can be modified in user space before being handed back to the kernel. (In later kernels the ip_queue mechanism that libipq uses has been replaced by nfnetlink_queue and libnetfilter_queue.)

III. IPTables
3.1 Introduction to iptables
To use the firewall built into Linux, we must make sure the operating system has the iptables package installed. iptables is the most widely used Linux firewall, and most Linux distributions install it by default.
iptables is a command that tells the kernel how to handle network traffic. For example, iptables can be used to drop IP packets, to forward them, or to perform network address translation (NAT).
The necessary concepts and components:
Tables: the filter table is where the rules are stored; it is where we define most of the rules applied to incoming and outgoing traffic. If no table is specified, the filter table is used by default. The nat table holds the rules for NAT. The mangle table is used to alter packet headers, for example the TOS or TTL fields or the packet marks used by advanced routing.
Chains: the heart of the Linux firewall. Linux uses a chain as a set of rules applied when filtering traffic. There are three main chains, each part of the filter table:
- INPUT chain: applies to all traffic destined for the firewall itself. For example, if the administrator is to control the firewall remotely, we configure a rule in the INPUT chain that allows the traffic used by the administrator's tool.
- OUTPUT chain: applies to all traffic leaving the firewall itself. For example, if the firewall needs to contact a DNS server for name lookups, the OUTPUT chain must allow that traffic.
- FORWARD chain: applies to all traffic that the Linux firewall handles on behalf of other computers. For example, if our firewall forwards traffic from client machines out to the Internet, the FORWARD chain must allow that traffic.
SNAT, DNAT and masquerading: these are different kinds of NAT. SNAT changes a packet's source address before sending it on, usually to hide a client's IP address when it connects to the outside. DNAT changes a packet's destination address, which is commonly used to make a proxy server transparent to clients. Masquerading also hides the clients on the internal network from the outside world; it is used when our external IP address changes with each connection, for example a dial-up Internet connection.


3.2 The path of a packet through the kernel


Consider the path of a packet in the following cases:
Destination: local host
Table 1
Step  Table   Chain        Comment
1     -       -            On the wire (for example the Internet)
2     -       -            Comes in on the network interface (for example eth0, eth1)
3     mangle  PREROUTING   Used to alter packets, for example changing the type of service (TOS)
4     nat     PREROUTING   Used for DNAT; filtering should not be done in this chain
5     -       -            Routing decision
6     mangle  INPUT        Used to alter packets before they are passed to the process that handles them
7     filter  INPUT        All incoming traffic is filtered here
8     -       -            The process or application handles the packet

Source: local host
Table 2
Step  Table   Chain        Comment
1     -       -            Local process or application (for example a server or client program)
2     -       -            Routing decision: which source address and which interface to use
3     mangle  OUTPUT       Alter packets
4     nat     OUTPUT       NAT for packets leaving for the outside network
5     filter  OUTPUT       All outgoing traffic is filtered here
6     mangle  POSTROUTING  Used when we want to alter packets before they leave the host
7     nat     POSTROUTING  Source address translation (SNAT)
8     -       -            Goes out on the network interface (eth0)
9     -       -            On the wire (for example the Internet)

Forwarded packets
Table 3
Step  Table   Chain        Comment
1     -       -            On the wire (for example the Internet)
2     -       -            Comes in on the network interface (for example eth0)
3     mangle  PREROUTING   Used to alter packets, for example changing the TOS
4     nat     PREROUTING   Mainly used for DNAT
5     -       -            Routing decision: is the packet for the local host, or is it forwarded?
6     mangle  FORWARD      Used for special needs: altering packets after the first routing decision but before the final routing decision that sends the packet out
7     filter  FORWARD      Only forwarded packets enter this chain; this is where the filtering rules for them are applied
8     mangle  POSTROUTING  Used for special needs after all routing decisions, while the packet is still in the machine
9     nat     POSTROUTING  Used for SNAT
10    -       -            Goes out on the network interface (for example eth1)
11    -       -            On the wire (for example the LAN)

This can be illustrated by the following diagram:


Figure 3-4: The path of a packet through the Linux kernel

3.3 Using iptables commands


Linux includes a number of different iptables commands. They all begin with iptables followed by command-line options. The best way to start with iptables is to look at the basic syntax for configuring a simple firewall.
To tell Linux to add or remove a rule, the syntax is:
iptables [-t table] command [chain] [match ...] -j target
Optional parameters are in square brackets: table is the table affected, chain is the chain affected, the match options select the traffic, and target is the action taken on the packet. For example, the following command adds a rule to the INPUT chain of the filter table that drops all ICMP packets:
iptables -t filter -A INPUT -p icmp -j DROP
The following table describes the common iptables commands:
Table 4
Command                   Name          Description
-A <chain>                Append        Add a rule to the end of a chain
-I <chain>                Insert        Insert a rule at the head of a chain
-D <chain> <rule number>  Delete rule   Delete a rule
-L [<chain>]              List          List all the rules in a chain; if no chain is given, list the rules in all chains
-N <chain>                New           Create a user-defined chain. We can create a new chain with its own rules that process packets before they return to normal processing
-X <chain>                Delete chain  Delete a user-defined chain
-F [<chain>]              Flush         Delete all the rules in a chain; if no chain is given, delete all the rules in all chains
-h                        Help          Print all the iptables commands, as help

iptables targets are the actions Linux takes on the packet. The following table describes the common targets.
Table 5
Target       Description
DROP         When a rule sends a packet to the DROP target, it is discarded without any notification
REJECT       The packet is also discarded, but Linux sends an ICMP packet back to the source
ACCEPT       Lets the packet pass the firewall, whether entering or leaving the network
LOG          The packet is logged; often used in user-defined chains. LOG is non-terminating: the packet continues to the next rule, so a LOG rule is normally followed by a DROP or REJECT rule for the same traffic
SNAT         Used only in the POSTROUTING chain of the nat table. Rewrites the source address to an address we define; used for packets leaving the network behind the firewall
DNAT         Used only in the PREROUTING (and OUTPUT) chains of the nat table. Rewrites the destination address to an address we define; usually used for packets entering the network
MASQUERADE   Performs NAT for the packet when the firewall has a dynamic IP address, as with a dial-up Internet connection. Used only in the POSTROUTING chain of the nat table
user chain   Substitute the name of a user-defined chain

iptables options and conditions
Options are the last part of an iptables command that we have to specify when building firewall rules. They determine how the command is processed. Usually the options are conditions that are checked before the command is applied: Linux evaluates these conditional expressions to decide whether the command applies or is skipped. The table below lists the common conditional expressions.
Table 6
Option                          Description
-p protocol                     The protocol the rule applies to. The protocol can be tcp, udp or icmp; a protocol name listed in /etc/protocols or a protocol number can also be used. Use 0 or all for all protocols.
-s source_address[/mask]        The packet's source address. For example -s 192.168.1.1 selects packets whose source address is 192.168.1.1, while -s 192.168.1.0/24 selects the range 192.168.1.0 to 192.168.1.255.
-d destination_address[/mask]   The packet's destination address, in the same form as the source address.
-i interface                    The network interface the packet arrived on. For example, to select all packets arriving on eth0: -i eth0.
--source-port port              The source port of a TCP or UDP packet, since only these protocols use ports. It is used only with -p udp or -p tcp. For example -p udp --source-port 53 selects all UDP packets with source port 53; -p tcp --source-port 0:1023 selects all TCP packets with a source port from 0 to 1023. If a service is listed in /etc/services its name can be used instead of the port number.
--destination-port port         Like --source-port, for the destination port.
-o interface                    Like -i, but selects packets leaving through the given interface.
--syn                           For example -p tcp --syn tests whether a packet is the first packet of a new TCP connection.
--icmp-type type                For example -p icmp --icmp-type source-quench, or -p icmp --icmp-type 0; selects particular ICMP message types.
!                               Not a condition in itself; placed with another condition it negates it. For example -p 47 matches protocol 47 and -p ! 47 (written ! -p 47 in newer versions) matches every protocol except 47.
-j target                       Not a condition either; it names the target the packet is sent to. For example -j DROP means the packet is discarded.

3.4. Using Masquerading and NAT

Linux provides two variants of NAT. Masquerading is designed for dynamic IP addresses. With a static IP address we use a combination of SNAT and DNAT.
Enabling Masquerading:
It is applied to all traffic leaving our network, meaning the firewall rewrites the source address of the packets. To enable Masquerading we run the following iptables command:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Using SNAT
The same as Masquerading, except that the network interface carrying outbound traffic (the external interface) must have a static IP address. To enable SNAT we run the following iptables command:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source xxx.xxx.xxx.xxx
Using DNAT
iptables -t nat -A PREROUTING -i eth0 -p tcp \
    --sport 1024:65535 -d xxx.xxx.xxx.xxx --dport 80 \
    -j DNAT --to-destination 192.168.1.80
iptables -A FORWARD -i eth0 -o eth1 -p tcp \
    --sport 1024:65535 -d 192.168.1.80 --dport 80 -m state --state NEW -j ACCEPT
Chapter 4: BUILDING THE BKWALL SYSTEM

Overview of the system
Model and functional specification of the BKWall system
Analysis and design of the BKWall system
Integration, installation, testing and evaluation of the BKWall system
I. Overview of the BKWall system

1.1 Objectives of the BKWall system
The aim of this project is to develop a firewall system for small and medium-sized enterprise networks. On that basis, BKWall (Bach Khoa Firewall System) is built on the open-source SmoothWall software and the Linux operating system. Since the time available for the project was limited, the concrete objectives set for building BKWall are:
- Set up a firewall for small and medium-sized computer networks.
- Integrate the packet filtering, proxy server and service components from open-source software into a complete, unified system.
- Build a centralized control and monitoring module for the whole system.
- Deploy the system on dedicated machines (application servers).
1.2 Chosen technical solution

After studying packet filtering and web proxy techniques and surveying commercial and open-source solutions, the technical solution chosen for building BKWall comprises the following points.
Build on the Linux operating system
As a firewall gateway, the BKWall system must be placed at suitable positions in the network. For small and medium networks, the most suitable place to install a system like BKWall is on a gateway. Although gateways for small and medium networks in Vietnam today usually run Windows NT-family operating systems, the future trend is towards open-source products, and Linux is a very good choice. BKWall chooses Linux for the following reasons:
+ Open source and completely free.
+ Full and strong networking support.
+ Easy to customize for installation on dedicated machines.
+ In particular, the packet-filtering capability of the kernel, with iptables as the tool for building the rules of the packet-filtering module.
Use Squid for the Web Proxy component
+ Squid is a caching proxy that runs on the Linux operating system.
+ It works efficiently, is fully open source, and can be extended with additional components such as filtering by URI, banners, and so on.
Use iptables as the tool for the packet-filtering component of BKWall
Iptables is the default firewall software of most Linux distributions. Iptables is relatively simple, but its strength is proven by the many commercial products developed on top of it, such as Astaro and SmoothWall. When building the BKWall solution, iptables was the first choice for the packet-filtering component because:
+ It is open source and available with most popular Linux distributions.
+ It works efficiently and can control all traffic passing through the gateway.
+ It offers a programming interface through the libipq library, which can be combined with Snort's inline mode.
Web-based control interface
The BKWall system is built on a Linux server. Accessing this server directly to configure or control it usually has to go through telnet or ssh channels and a command-line interface, which is very inconvenient. Therefore the BKWall control system is built as a web interface with the following characteristics:
- Uses the Apache web server, which is bundled with most Linux distributions.
- Uses the https protocol.
- SSL authentication with a digital certificate.
- Perl CGI: the Perl language and CGI technology are used to build the control and monitoring part of BKWall for the following reasons:
  - Perl is a strong text-processing language, well suited to manipulating configuration files and Snort rule files.
  - Perl interacts well with the Linux system. This is necessary for controlling a system integrated from many components such as BKWall.
  - Building a web application in Perl requires CGI. Although CGI is no longer a recommended technology and contains many security holes, in the case of BKWall the CGI application is only accessed from within the LAN and over an SSL channel, so it can be trusted.
1.3 Development process

This project was carried out as technology research, realizing the research results as far as conditions allowed. The BKWALL system is the product that embodies the results gained during the project. In addition, developing BKWALL according to a standard software development model is essential. The model chosen for the development of BKWALL is the waterfall model. This model suits the limited time available as well as the characteristics of the BKWALL system.
On that basis, the BKWALL system was built in the following phases:
- Survey phase: study the state of information security in Vietnam and the need for a firewall system for small and medium networks. The survey was carried out at the system software and security solutions department of Misoft during the graduation internship.
- Analysis phase: study the requirements gathered in the survey phase. From there, study and analyze suitable open-source software components and determine the work to be done in building the BKWALL system.
- Design phase: build the overall model and design the modules in detail. This work includes modelling and rearranging the open-source components as well as designing the components to be newly built.
- Module construction and unit testing phase: build the new modules and adjust the existing ones. Test these modules.
- Integration and system testing phase: integrate the newly built modules and the open-source modules. Integration-test the whole system.
- Deployment and maintenance phase: BKWALL was deployed experimentally and maintained on the internal network of the system software and security solutions department of Misoft.
1.4 Development tools

BKWall integrates a number of open-source components. These components are all written in the C language, the language used to build the Linux operating system. The tools used to modify, compile, configure and install these components are gcc and make.

1.5 Expected results
From the stated objectives and the chosen technical solution, the BKWall system is expected to achieve the following concrete results:
- Successful integration of the chosen components.
- Good operation when tested on small and medium networks.
- Provision of all the basic and necessary functions of a firewall gateway.
- Ease of configuration and reliability.
II. Model and functional specification of the BKWall system

2.1 Model
BKWall consists of the following components:
- Packet Filtering: the component that performs packet filtering.
- Web Proxy: the component that acts as a caching proxy.
- BKWall Management Console: the control and monitoring system.
- Config files: the configuration files of BKWall.
- Log files: the log files of BKWall.
- Rule files: the rule files of the Packet Filtering component.
The overall model of the BKWall system with its components is as follows:

Figure 4-1: Overall model of the BKWall system
2.2 Functional specification

Functional specification of the BKWall system. Below is the use-case diagram describing the functions of the system:

Figure 4-2: Functional specification of the BKWall system

Details of the use cases:
UC1: Start and stop BKWall
The system administrator starts, stops or restarts BKWall.
UC2: Configure BKWall
The system administrator sets and changes the configuration parameters for running BKWall.
UC3: Manage the network configuration
Manage the network connections of the system, such as setting the addresses of the network interfaces.
UC4: Manage rules
The administrator can view, add, edit and delete the rules governing the operation of the Packet Filtering and Web Proxy modules.
UC5: Monitor network traffic
Display the state of traffic through the network as charts.
2.3 BKWall deployment model

Figure 4-3: BKWall deployment model

III. Analysis and design of the BKWall system

3.1 Function hierarchy diagram
Function hierarchy diagram of the BKWall Management Console

Figure 4-4: Function hierarchy diagram
3.2 Data flow diagrams

3.2.1 Context-level diagram

Figure 4-5: Context-level data flow diagram

3.2.2 Top-level diagram

Control function

This function lets the administrator control starting and stopping the BKWall system.

Figure 4-6: Control function diagram

Configuration management function

This function allows changing and monitoring the configuration parameters set for the BKWall system.
Figure 4-7: Configuration management function diagram

Rule management function for Packet Filtering

This function allows setting the rules for the packet-filtering module, covering: IP filtering, port blocking, port forwarding and the extended functions. The possible operations are adding, editing and deleting rules.

Figure 4-8: Packet-filter rule management function diagram

Rule management function for Web Proxy

This function allows setting the rules for the Web Proxy module, covering: host_name, http_port, cache size, and so on.

Figure 4-9: Web Proxy rule management function diagram
Monitoring function

This function displays information about the operation of the BKWall system as well as all the network traffic passing through it.

Figure 4-10: Monitoring function diagram

3.3 Module design

After the analysis, which produced the function hierarchy diagram and the data flow diagrams, the next step is to design the modules that realize them. The BKWall Management Console is divided into 5 modules:
- Main program module
- Request forwarding module
- Configuration management module
- Rule management module for Packet Filtering and Web Proxy
- System information monitoring module
The detailed design of the modules is as follows:
3.3.1 Main program module
The main program module is responsible for initializing and terminating the operation of the system as well as its working sessions. It is also responsible for building the web interface of the whole system, which serves the administrator's management of the system. Its block diagram is as follows:
Figure 4-11: Block diagram of the main program module

System initialization is performed when the BKWall system boots. The system then performs the necessary initialization, such as: activating the dial-up network connection if it is configured to connect automatically on every reboot, starting the web server, the web proxy (squid) and httpd, and, most importantly, initializing the packet-filtering component.
This initialization is carried out by the scripts located in the directory /etc/rc.d. These include the scripts that initialize the network configuration and the network connections, create the chains and update the rules for the firewall: rc.sysinit, rc.network, rc.netaddress.up, rc.netaddress.down, rc.firewall.up, rc.firewall.down, rc.adsl, rc.isdn, rc.updatered, rc.machineregister. The order in which these scripts run when the system boots can be described by the following model:

[Diagram: boot-time script sequence, with boxes for Boot, rc.sysinit, rc.network, rc.netaddress.up, rc.adsl, rc.machineregister, rc.firewall.up, rc.firewall.down, rc.netaddress.down, rc.isdn and rc.updatered]

Of these, the most important files are the ones that set up a firewall based on the iptables tool: rc.firewall.up and rc.firewall.down.
Here we can look at some of the basic settings applied to the BKWall system at initialization.
+ First the system flushes all rules and all chains, then sets the policies for packets in the INPUT, FORWARD and OUTPUT chains:
# Flush rules and chains
/sbin/iptables -F
/sbin/iptables -X
# Set policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

+ Create the new chains that carry out the functions of the whole system: IP blocking, port filtering, port forwarding and remote administration; the extended functions of the Packet Filtering component, such as blocking ping packets, denial-of-service attacks and IGMP (Internet Group Management Protocol) packets; the chains for the Web Proxy; and services such as dial-up connections, port forwarding and DMZ holes. Packets entering the system through the INPUT, FORWARD and OUTPUT chains are then directed to the corresponding chains.
# IP blocker
/sbin/iptables -N ipblock
/sbin/iptables -A INPUT -i ppp0 -j ipblock
/sbin/iptables -A INPUT -i ippp0 -j ipblock
if [ "$RED_DEV" != "" ]; then
  /sbin/iptables -A INPUT -i $RED_DEV -j ipblock
fi
/sbin/iptables -A FORWARD -i ppp0 -j ipblock
/sbin/iptables -A FORWARD -i ippp0 -j ipblock
if [ "$RED_DEV" != "" ]; then
  /sbin/iptables -A FORWARD -i $RED_DEV -j ipblock
fi
/sbin/iptables -A FORWARD -i $GREEN_DEV -j ipblock
# Portfilter
/sbin/iptables -N portfilter
/sbin/iptables -A INPUT -i ppp0 -j portfilter
/sbin/iptables -A INPUT -i ippp0 -j portfilter
if [ "$RED_DEV" != "" ]; then
  /sbin/iptables -A INPUT -i $RED_DEV -j portfilter
fi
/sbin/iptables -A FORWARD -i ppp0 -j portfilter
/sbin/iptables -A FORWARD -i ippp0 -j portfilter
if [ "$RED_DEV" != "" ]; then
  /sbin/iptables -A FORWARD -i $RED_DEV -j portfilter
fi
/sbin/iptables -A FORWARD -i $GREEN_DEV -j portfilter
# External access. Rule set with setxtaccess setuid
# (the block chain used below is created earlier in the script, outside this excerpt)
/sbin/iptables -N xtaccess
/sbin/iptables -A block -j xtaccess
# Port forwarding
/sbin/iptables -N portfwf
/sbin/iptables -A FORWARD -j portfwf
/sbin/iptables -N dmzholes
/sbin/iptables -t nat -N portfw
/sbin/iptables -t nat -A PREROUTING -j portfw
# All ICMP on ppp too.
/sbin/iptables -A block -p icmp -i ppp0 -j ACCEPT
/sbin/iptables -A block -p icmp -i ippp0 -j ACCEPT
if [ "$RED_DEV" != "" ]; then
  /sbin/iptables -A block -p icmp -i $RED_DEV -d $RED_NETADDRESS/$RED_NETMASK -j ACCEPT
fi
/sbin/iptables -A INPUT -j block
# last rule in INPUT chain is for logging.
/sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT
# Allow GREEN to talk to ORANGE.
if [ "$ORANGE_DEV" != "" ]; then
  /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $GREEN_DEV -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
  /sbin/iptables -A FORWARD -i $GREEN_DEV -o $ORANGE_DEV -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # dmz pinhole chain. setdmzholes setuid prog adds rules here to allow
  # ORANGE to talk to GREEN.
  /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $GREEN_DEV -j dmzholes
fi
# For IGMP and multicast
/sbin/iptables -N advnet
/sbin/iptables -A INPUT -i ppp0 -j advnet
/sbin/iptables -A INPUT -i ippp0 -j advnet
if [ "$RED_DEV" != "" ]; then
  /sbin/iptables -A INPUT -i $RED_DEV -j advnet
fi
# Spoof protection for RED (rp_filter does not work with FreeS/WAN)
/sbin/iptables -N spoof
/sbin/iptables -A spoof -s $GREEN_NETADDRESS/$GREEN_NETMASK -j DROP
if [ "$ORANGE_DEV" != "" ]; then
  /sbin/iptables -A spoof -s $ORANGE_NETADDRESS/$ORANGE_NETMASK -j DROP
fi
/sbin/iptables -A INPUT -i ppp0 -j spoof
/sbin/iptables -A INPUT -i ippp0 -j spoof
if [ "$RED_DEV" != "" ]; then
  /sbin/iptables -A INPUT -i $RED_DEV -j spoof
fi
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT
# DHCP
if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then
  /sbin/iptables -A block -p tcp --source-port 67 --destination-port 68 \
    -i $RED_DEV -j ACCEPT
  /sbin/iptables -A block -p tcp --source-port 68 --destination-port 67 \
    -i $RED_DEV -j ACCEPT
  /sbin/iptables -A block -p udp --source-port 67 --destination-port 68 \
    -i $RED_DEV -j ACCEPT
  /sbin/iptables -A block -p udp --source-port 68 --destination-port 67 \
    -i $RED_DEV -j ACCEPT
fi
# NAT table
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
# squid
/sbin/iptables -t nat -N squid
/sbin/iptables -t nat -N jmpsquid
/sbin/iptables -t nat -A jmpsquid -d 10.0.0.0/8 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 172.16.0.0/12 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 192.168.0.0/16 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 169.254.0.0/16 -j RETURN
/sbin/iptables -t nat -A jmpsquid -j squid
/sbin/iptables -t nat -A PREROUTING -i $GREEN_DEV -j jmpsquid
# Masquerade
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE
if [ "$RED_DEV" != "" ]; then
  /sbin/iptables -t nat -A POSTROUTING -o $RED_DEV -j MASQUERADE
fi

After the new chains corresponding to each function of the system have been set up, the rule management part adds the rules to each corresponding chain. For example, a rule added for the port-filtering function (a rule comprises source address, source port, destination address, destination port, action, enabled flag and logging flag) is appended to the portfilter chain. The rule is applied immediately when it is activated, and it is still applied after the system is restarted.
echo "Setting up firewall"
. /etc/rc.d/rc.firewall.up
echo "Starting dhcpd (if enabled)"
/usr/local/bin/restartdhcp
echo "Setting DMZ pinholes"
/usr/local/bin/setdmzholes
echo "Setting up advanced networking features"
/usr/local/bin/setadvnet
echo "Setting up IP block"
/usr/local/bin/setipblock
echo "Setting up portfilter"
/usr/local/bin/setportfilter
if [ "$RED_DEV" != "" ]; then
  echo "Updating RED..."
  /etc/rc.d/rc.updatered
  if [ "$RED_TYPE" != "PPPOE" ]; then
    echo "Starting VPN (if enabled)"
    /etc/rc.d/rc.vpn.up
    echo "Refreshing update list (background)"
    /usr/local/bin/updatelists.pl &
    echo "Registering this BKWall (background)"
    /etc/rc.d/rc.machineregister &
  fi
fi
echo "Setting external access rules"
/usr/local/bin/setxtaccess
echo "Setting up IP accounting"
/etc/rc.d/helper/writeipac.pl
/usr/local/sbin/fetchipac -S -c yes
/usr/local/sbin/fetchipac

When the system shuts down, it first runs the scripts that delete all the chains and rules currently applied to the firewall system; these rules, however, remain stored in the rule files.
3.3.2 Request forwarding module
This module collects the requests that the administrator makes through the web interface and forwards them to the modules responsible for handling them.
In practice this module is the set of HTML pages generated by the Perl scripts. They form the interface through which the administrator makes requests to the system.

Figure 4-12: Block diagram of the request forwarding module

3.3.3 Configuration management module
This module implements the functions that support configuring the system, such as changing the passwords of admin, setup and root, and setting the addresses of the network interfaces.
To perform configuration management, this module displays the configuration information to the administrator. On that basis the administrator changes the configuration parameters. The configuration parameters are stored in configuration files. They include the configuration of the network interfaces, the name of the system, and the passwords of the users of the system (the BKWall system has three kinds of user: root, who has full control over the system; setup, who can install or remove application packages and services in the system; and Admin, who controls the system through the web interface).
The configuration files in the system: the number of Ethernet interfaces in the system can be up to 3, comprising the interface to the hosts in the LAN, called GREEN; the interface to the demilitarized zone (DMZ), called ORANGE; and the interface to the external network, called RED (note that the RED interface can also be a connection over a serial port). The files are usually named settings and are placed in directories corresponding to each application or service: adsl, advent, auth, backup, ddns, dhcp, dmzholes, Ethernet, isdn, langs, main, modem, ppp, proxy, red, remote, time.

Figure 4-13: Block diagram of the configuration management module

3.3.4 Rule management module for Packet Filtering and Web Proxy
This module implements the functions that let the administrator set the rules for the two basic components of BKWall: Packet Filtering and Web Proxy. The main operations are: adding a new rule, editing a rule, deleting a rule, enabling a rule, and enabling or disabling logging for it.
First we consider the rules for the Web Proxy component. The Web Proxy in BKWall is developed from the open-source product Squid, a caching proxy, i.e. an intelligent proxy: it collects the users' requests and stores these requests together with the servers' responses in its cache. Thus, when another request from another client matches an entry in the cache, the Web Proxy reads the information from the cache and returns it to the client's browser without having to connect to the web server on the external network.
The rules applied to the Web Proxy are in fact its configuration parameters; they comprise:
+ Cache size
+ Address and service port of the Web Proxy
+ Name and password of the remote proxy: set when the ISP gives us the details of its proxy.
+ Maximum object size
+ Minimum object size
+ Maximum download size
+ Minimum download size
+ Transparency of the Web Proxy towards clients.


76

n tt nghip

Tm hiu l thuyt v xy dng Firewall trn nn Linux

Figure 4-14: Block diagram of the rule management module

The next part presents how the rule files are organized in the system and the structure of the rules applied in the Packet Filtering component.
Port filtering
o Organization of the port-filter rule file in the system
Used to filter packets by IP address and port. The rule file is stored in /var/DFF/portfilter/config.
Each rule entered by the administrator is stored on one line.
The rule file is stored as a plain text file.
o Structure of a rule
Each rule consists of the following fields:
+ Source IP address
+ Source port
+ Destination address
+ Destination port
+ Protocol
+ Action: DROP, ACCEPT, REJECT
+ Logging enabled
+ Rule enabled or not
Example of a rule
tcp,230.10.1.1,80,192.168.1.1,80,on,DROP,on

Meaning: block all packets whose source address, source port, destination address and destination port are respectively 203.10.1.1, 80, 192.168.1.1, 80, over the TCP protocol. This rule is enabled and logged.
IP blocking
o Organization of the IP-block rule file in the system
Allows blocking packets whose source IP address is specified by the administrator. The rule file is stored in /var/DFF/ipblock/config.
Each rule entered by the administrator is stored on one line.
The rule file is also stored as plain text.
o Structure of a rule
Each rule consists of the following fields:
+ IP address to block
+ Action: DROP, REJECT
+ Logging enabled
+ Rule enabled or not
Example of a rule
230.10.1.1,on,DROP,on

Meaning: block all packets whose source address is 230.10.1.1. This rule is enabled and logged.
Port forwarding
o Organization of the port-forwarding rule file in the system
Allows machines on the external network to access a service provided by a machine on the internal network. The rule file is stored in /var/DFF/portfw/config.
Each rule entered by the administrator is stored on one line.
The rule file is also stored as plain text.
o Structure of a rule
Each rule consists of the following fields:
+ IP address accessing the service
+ Port used to access the service
+ Address providing the service
+ Port providing the service
+ Rule enabled or not
+ Protocol used
Example of a rule
tcp,203.10.1.1,2203,192.168.1.1,2203,on

Meaning: the machine providing the service has IP address 192.168.1.1 and port 2203. The machine accessing the service has IP address 203.10.1.1 and port 2203. The protocol used is TCP, and the rule is enabled.
Remote administration
o Organization of the remote-administration rule file in the system
The system administrator uses this function to open a port that allows machines on the external network to control BKWall over the https or SSH protocol. The rule file is stored in /var/DFF/xtaccess.
Each rule entered by the administrator is stored on one line.
The rule file is also stored as plain text.
o Structure of a rule
Each rule consists of the following fields:
+ IP address of the external machine
+ Port accessed
+ Rule enabled or not
+ Protocol used
Example of a rule
tcp,0.0.0.0/0,113,on

Port forwarding for the DMZ

o Organization of the DMZ-hole rule file in the system
Allows a server in the DMZ to access the local LAN on a given port provided by a machine in the LAN. The rule file is stored in /var/DFF/dmzholes.
Each rule entered by the administrator is stored on one line.
The rule file is also stored as plain text.
o Structure of a rule
Each rule consists of the following fields:
+ IP address of the server in the DMZ
+ Address of the machine providing the service in the LAN
+ Port accessed
+ Rule enabled or not
+ Protocol used
Example of a rule
tcp,10.10.1.1,192.168.1.1,1000,on

DHCP
Includes enabling the service that assigns dynamic IP addresses to the machines in the private LAN. It also allows assigning static addresses to machines in the internal network based on their physical MAC address, and only the machines listed in this part are able to connect to the Internet. The file storing these addresses is /var/DFF/dhcp/staticconfid. For example:
nvc,AA:BB:CC:DD:DE:FF,192.168.1.2

Extended functions

Allows enabling the extended functions, such as: blocking ping packets (ICMP), blocking IGMP packets, blocking DoS attacks, and blocking multicast traffic. Stored in /var/DFF/advent/settings.
All these rules are applied to the system by the corresponding programs. These programs are stored in /usr/local/bin, for example: setipblock.o, setportfilter.o, restartdhcp.o, dmzholes.o.
+ These programs are written in C, so they run very fast.
+ They read the rule files line by line and apply the rules to the system.
+ Because the rule database and the rule files are stored as text files, processing is relatively fast. In particular, we take advantage of Perl's excellent text-processing capabilities. Moreover, the requirements of a firewall system mean that we cannot install and use a database management system such as MySQL.
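As an added example (not BKWall's own setportfilter program, which the thesis says is written in C), the following POSIX shell script reads the port-filter rule file format described above, validates every field against a fixed grammar, and converts each enabled rule into iptables commands for the portfilter chain, placing a LOG rule ahead of the action when logging is on. The field order (protocol, source IP, source port, destination IP, destination port, log flag, action, enabled flag) is assumed from the thesis's example line, only tcp and udp are accepted because the format carries ports, and the sample lines use constructed TEST-NET addresses. IPT defaults to echo so the generated commands are printed rather than applied. Strict validation before the data reaches iptables is the point: the rule files are plain text written by a CGI application and consumed by setuid helpers, so a malformed or tampered line must be rejected rather than passed through as command arguments.

```shell
#!/bin/sh
# Added example, not BKWall's code: validate and load the portfilter rule
# file format. Assumed field order:
#   protocol,src_ip,src_port,dst_ip,dst_port,log,action,enabled
IPT=${IPT:-"echo /sbin/iptables"}

# valid_ipv4 ADDR: four dotted decimal octets, each 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_port PORT: integer 1-65535.
valid_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# portfilter_rule LINE: print the iptables commands for one rule line, or
# report the first malformed field on stderr and return 1. Every field is
# checked against a closed set or a strict pattern before it is used.
portfilter_rule() {
    line=$1
    [ "$(echo "$line" | awk -F, '{print NF}')" -eq 8 ] || { echo "bad field count: $line" >&2; return 1; }
    proto=${line%%,*};  rest=${line#*,}
    src=${rest%%,*};    rest=${rest#*,}
    sport=${rest%%,*};  rest=${rest#*,}
    dst=${rest%%,*};    rest=${rest#*,}
    dport=${rest%%,*};  rest=${rest#*,}
    log=${rest%%,*};    rest=${rest#*,}
    action=${rest%%,*}; enabled=${rest#*,}

    case $proto in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    valid_ipv4 "$src" && valid_ipv4 "$dst" || { echo "bad address in: $line" >&2; return 1; }
    valid_port "$sport" && valid_port "$dport" || { echo "bad port in: $line" >&2; return 1; }
    case $action in DROP|ACCEPT|REJECT) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
    case $log in on|off) ;; *) echo "bad log flag: $log" >&2; return 1 ;; esac
    case $enabled in on|off) ;; *) echo "bad enabled flag: $enabled" >&2; return 1 ;; esac

    # Disabled rules stay in the file but are not loaded.
    [ "$enabled" = on ] || return 0
    match="-A portfilter -p $proto -s $src --sport $sport -d $dst --dport $dport"
    # LOG is non-terminating, so it must precede the terminating action.
    [ "$log" = on ] && $IPT $match -j LOG --log-prefix "portfilter: "
    $IPT $match -j "$action"
}

# load_portfilter: read rule lines from stdin (blank lines and # comments are
# skipped) and stop with status 1 at the first line that fails validation.
load_portfilter() {
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        case $l in ''|'#'*) continue ;; esac
        portfilter_rule "$l" || { echo "line $n rejected" >&2; return 1; }
    done
    return 0
}

# Constructed sample config (TEST-NET source addresses, RFC 1918 destinations).
SAMPLE_CONFIG='# portfilter config
tcp,203.0.113.5,1024,192.168.1.10,80,on,DROP,on
udp,203.0.113.6,53,192.168.1.10,53,off,ACCEPT,off'

printf '%s\n' "$SAMPLE_CONFIG" | load_portfilter
```

With the sample above the script prints a LOG rule and a DROP rule for the first line and nothing for the second, which is disabled; a line with an unknown action or an out-of-range port makes load_portfilter stop and return 1 instead of emitting anything.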
3.3.5 System information monitoring module
This module provides information about the system, such as:
+ The state of the system's services: Running or Stopped
+ The state of connections
+ Packet traffic through the network interfaces: Green (the internal network interface), Orange (the interface to the demilitarized zone, DMZ), Red (the interface connecting to the external network, for example the Internet).
This module uses the charting tool rrdtool to generate the charts representing the network traffic passing through the interfaces RED, ORANGE and GREEN.

3.4 Security of the system

Since it is a firewall system meant to ensure network security, ensuring the security of the BKWall system itself is necessary. From the issues raised while designing the modules, the security measures proposed for BKWall are:
- Use an SSL channel and the https protocol for access to the BKWall Management Console. Access requires authentication with a digital certificate issued by the Apache server.
- Avoid the security holes of CGI technology by granting only limited privileges to the user that runs the Apache server on the Linux system.
- Keep the software packages and libraries installed in Linux to a minimum when packaging BKWall into its own Linux distribution.

IV. Integration, installation, testing and evaluation of the BKWall system

4.1 System integration
BKWall is a system built from a number of open-source components combined with some newly built components, so integrating the components into a unified system is very important. Open-source software and Linux library packages are usually released in many versions by many different vendors. In principle, BKWall can work with all versions of the components that are compatible with the chosen versions listed below:

Operating system
Linux operating system, Red Hat version 7.2, released by Red Hat.
Linux kernel version 2.4.

Smoothwall
Smoothwall version 2.0 (http://smoothwall.org)

libpcap library
libpcap library (http://tcpdump.org) version 0.8.0.

iptables
iptables version 1.2.8 (http://iptables.org), the release bundled with the libipq library.

Apache web server
Apache web server version 1.3.39, with mod_perl and mod_ssl installed to support https and Perl CGI.

Perl
Perl 5 version 5.8.0 (http://perl.org), and the charting tool rrdtool.

4.2 System installation
The BKWall system was installed and tested at the system software and security solutions department of Misoft. The network layout and equipment of the department are as follows:
- One ADSL connection at 2 Mbps.
- One Linux server with the configuration: CPU Pentium II 400 MHz, 128 MB RAM, 3 NICs at 100 Mbps, used as the gateway machine. The BKWall system is installed on it.
- One Windows Server 2003 server with the configuration: CPU Pentium IV 1.8 GHz, 1 GB RAM, NIC 100 Mbps, used as the mail, http, ftp and vpn server.
- 8 PCs with the configuration: CPU Pentium III 1 GHz, 256 MB RAM, NIC 100 Mbps or equivalent, running Windows XP SP2.
Required configuration for installing the BKWall system:
+ CPU: minimum speed 300 MHz (equivalent to a Pentium II CPU)
+ Main memory (RAM): > 64 MB
+ Storage (HDD): > 1 GB
+ Network cards: depending on the configuration chosen for BKWall, the number of network cards can be 1 (if there is only an interface to the internal network; this interface is called Green); if there is a connection to an external network (for example the Internet), one more card is needed (this interface is called Red). If a demilitarized zone (DMZ) for servers such as Web (HTTP), FTP and mail servers is wanted, one more card is needed (this interface is called Orange).
+ Other peripherals. Of these, the monitor, mouse and CD drive are needed only during installation; afterwards they can be removed without being used.
The network layout with the Green-Orange-Red model is as follows:

Figure 4-15: Deployment model of BKWall in the network

The BKWall system was installed experimentally on the Linux gateway machine, so it can monitor all the traffic in the network and apply the rules set up for the Packet Filtering and Web Proxy modules.
Deployment of the system is quite flexible: the system can be deployed in a model where BKWall has one network card, when the connection to the Internet goes through a serial-port or dial-up link; with a two-card model when there is no demilitarized zone (DMZ); and, in the most general case, with three network cards used for the GREEN, ORANGE and RED interfaces respectively.

4.3 System testing

The BKWall system was tested on a gateway machine running Linux kernel 2.4. The following table describes the results of testing the integration of the components of the BKWall system as described in the integration section.
BKWall               | Result
Kernel 2.4           | Good
Iptables 1.2.8       | Good
Perl 5.8.0           | Good
Apache Server 1.3.39 | Good
Testing the resilience of the firewall
+ The system was tested by applying rules for all functions of the Packet Filtering component of BKWall.
+ Remote administration of the system was performed from two computers in the LAN using Microsoft's IE browser.
+ Remote access to the system was performed with PuTTY and WinSCP from three workstations in the LAN.
Result: the system still met the requirements set and operated well.
Effect of the BKWall system on network speed
Packet Filtering in BKWall inspects every packet it sees, so its effect on the Internet access speed of the machines in the network is very noticeable. Load testing of the BKWall system was carried out with the following test case:
- Start BKWall on the gateway machine.
- Start the FlashGet program on the client machines one after another and download one file from the site vietnamnet.vn simultaneously. Measure the average download speed at the clients. Test with 2, 4, 6, 8 and 10 clients in turn.
The test results are recorded in the following table:
Number of clients | Average download speed (Kb/s)
2                 |
4                 |
6                 |
8                 |
10                |

The BKWall Management System is a control system with a web interface. Therefore testing was carried out on both the server side and the client side.
o Pha server
BKWall Management System c ci t th nghim trn my ch.
+ Linux kernel 2.4, Apache 1.3.39
o Pha client
Truy cp vo BKWall Management System t cc my con chy cc h iu
hnh khc nhau v dng cc trnh duyt khc nhau. Kt qu nh sau :
Kt qu trn c hai pha Server v Client l rt kh quan. Ch c iu mt s
li v hin th phng Ting Vit trn trnh duyt Mozilla trong mi trung h iu
hnh Linux.
Sau y l mt s hnh nh pha Client trn trnh duyt IE ( Internet Explosrer )
trong mi trung Windows ca Microsoft:
H iu hnh
Windows

Trnh duyt
IE 6.0

Kt qu
Tt

Windows
Linux
Linux

Firefox 1.0.3
Mozilla
Konqueror

H thng menu hin th sai v tr


Khng hin th c ting Vit
Khng hin th c ting Vit

Bao gm cc giao din : Home Page, trang thit lp lut cho Packet Filter,
cu hnh Web Proxy, cc dch v, thng tin v h thng.

Figure 4-16: Home page

Figure 4-17: Packet Filtering configuration

Figure 4-18: Services: remote access, password change

Figure 4-19: Web Proxy configuration page

Figure 4-20: System status information page

4.4 Evaluation of results
Within the scope of an undergraduate graduation project, the BKWall firewall system has met a number of the requirements set for a firewall product, but alongside them there are unavoidable limitations. Below I present some of the results achieved and the limitations that remain to be addressed in the coming period.
Results achieved
+ Successfully integrated the Linux kernel, Smoothwall, Apache Server and Iptables components to build a unified firewall system.
+ Built a remote control system through a centralized Web interface for the whole system.
+ The system operated relatively stably during the trial deployment.
Limitations to be addressed in the coming period
Alongside the results achieved, the BKWall system still has many limitations that need to be addressed, such as:
+ The system does not yet operate efficiently, especially the Web Proxy module.
+ The blocking policy must still be set up by the administrator. No capability has yet been built to organize the rules entered by the administrator in order to optimize them.
+ The control system does not yet exploit the full customization capability of Iptables.
+ The system cannot yet integrate other tools such as VPN (Virtual Private Network) and IDS (Intrusion Detection System) into the BKWall system.
In the coming period these limitations will be addressed if conditions allow me to continue developing this topic.

CONCLUSION
To complete this project I wish to express my deep gratitude to my supervisor Vn Uy, for the great help of Dr. V Quc Khnh, Vng Vn Tuyn and Ng Quang Huy and the colleagues at the systems and security development department of Misoft, and to all the friends who stood by me throughout this time. The project addresses the general problems of information security and network security, and studies in depth the theory of firewalls as well as the tools for building a complete firewall. Specifically, this project achieved the following results:
+ Studied the problems of information security and network security.
+ Studied in depth the theory of firewalls and the related tools with the aim of building a firewall product.
+ Analysed the architecture of the open-source Smoothwall software and mastered it.
+ Integrated open-source components and successfully built the BKWall system.
+ Carried out a trial deployment and obtained some results.
Alongside this, owing to limits of time and ability, this project inevitably has shortcomings and limitations; specifically, the limitations are:
+ The system does not yet operate efficiently, especially the Web Proxy module.
+ The blocking policy must still be set up by the administrator. No capability has yet been built to organize the rules entered by the administrator in order to optimize them.
+ The control system does not yet exploit the full customization capability of Iptables.
+ The system cannot yet integrate other tools such as VPN (Virtual Private Network) and IDS (Intrusion Detection System) into the BKWall system.
+ The open-source products have not been exploited thoroughly, and little has really been developed on top of them.
In the future, wishing to continue developing this topic into a useful firewall product that can be applied widely and serve information security in Vietnam, I propose the following directions for development:
+ Optimize the configuration of the open-source components used, to increase efficiency and reliability.
+ Continue developing the control system so that it makes full use of the system's customization capabilities, with a friendlier interface and interaction.
+ Study a more effective function for managing the rules entered by the administrator, capable of optimizing those rules.
+ Study the possibility of implementing the system in hardware, like the dedicated appliances of network security equipment makers such as Cisco or Checkpoint.
Finally, once again I wish to thank my supervisor, Vn Uy, M.Sc., the lecturers of the Faculty of Information Technology, Hanoi University of Technology, and the high-quality engineer training programme in Vietnam (P.F.I.E.V), the colleagues at Misoft, and all my relatives who helped me greatly throughout the project so that I could complete it.
Hanoi, 9 June 2005
Author of the project
Ng Vn Chn
