Programming Methods for Bypassing Firewalls


UNIVERSITY OF NATURAL SCIENCES
FACULTY OF INFORMATION TECHNOLOGY
DEPARTMENT OF COMPUTER NETWORKS & TELECOMMUNICATIONS

PHAN TRUNG HIẾU (student ID 0112463)
TRẦN LÊ QUÂN (student ID 0112319)

PROGRAMMING METHODS FOR BYPASSING FIREWALLS

BACHELOR'S THESIS IN INFORMATICS
Graduation thesis, Computer Networks

ADVISOR
Hoàng Cường, M.Sc.

CLASS OF 2001 - 2005

ADVISOR'S COMMENTS

REVIEWER'S COMMENTS
ACKNOWLEDGEMENTS
After more than six months of effort, our research thesis "Programming Methods for Bypassing Firewalls" is, to some extent, complete. Beyond our own efforts, we received a great deal of encouragement from the university, our teachers, our families and our friends in the faculty. This encouragement was a great motivation that enabled us to complete our thesis.
First of all, we thank our parents, who have always supported and cared for us and provided the best possible conditions for us to complete our task.
We thank the university in general and the Faculty of Information Technology in particular for giving us invaluable knowledge, both to complete this thesis and to carry with us into life.
We thank the teachers of the Computer Networks department, especially Mr. Hoàng Cường, our advisor, who devotedly guided and helped us whenever we ran into difficulties during our studies and while writing this graduation thesis.
We thank all our dear friends who encouraged and helped us throughout our studies and this project.
Once again, thank you all.
Ho Chi Minh City, 7/2005
The student authors
Phan Trung Hiếu, Trần Lê Quân
PREFACE
The thesis is presented in 8 chapters belonging to 5 parts:
Part One: THEORETICAL BASIS
Chapter 1: Introduction to firewalls
Chapter 2: The concept of a proxy
Chapter 3: Programming methods for bypassing firewalls
Part Two: PROGRAMMING METHODS FOR BYPASSING FIREWALLS
Chapter 4: Bypassing firewalls with HTTP proxy servers
Chapter 5: Bypassing firewalls with a web-based proxy
Part Three: ANTI-FIREWALL-BYPASS MODULES
Chapter 6: Anti-firewall-bypass plug-in for the Internet Explorer browser
Chapter 7: Anti-firewall-bypass service
Part Four: SUMMARY
Chapter 8: Conclusion
Part Five: APPENDIX
TABLE OF CONTENTS
Chapter 1: INTRODUCTION TO FIREWALLS
1.1 Problem statement
1.2 The need to protect information
1.2.1 Causes
1.2.2 Protecting data
1.2.3 Protecting resources used on the network
1.2.4 Protecting the organization's reputation
1.3 Types of attack
1.3.1 Direct attacks
1.3.2 Eavesdropping
1.3.3 Address spoofing
1.3.4 Disabling system functions (DoS, DDoS)
1.3.5 System administrator errors
1.3.6 Attacks on the human factor
1.4 What is a firewall?
1.5 Main functions
1.5.1 Functions
1.5.2 Components
1.6 Principle
1.7 Types of firewall
1.8 General notions about firewalls
1.8.1 Firewalls based on an application gateway
1.8.2 Circuit-level gateway
1.8.3 Limitations of firewalls
1.8.4 Are firewalls easy to break?
1.9 Some firewall models
1.9.1 Packet-Filtering Router
1.9.2 Single-Homed Bastion Host model
1.9.3 Dual-Homed Bastion Host model
1.9.4 Proxy server
1.9.5 Firewall software: proxy server
1.10 Closing remarks
Chapter 2: THE CONCEPT OF A PROXY
2.1 What is a proxy
2.2 Why proxies came about
2.3 General summary of proxies
Chapter 3: PROGRAMMING METHODS FOR BYPASSING FIREWALLS
3.1 What is firewall bypassing
3.2 First method: HTTP Proxy
3.3 Second method: Web-Based Proxy
3.4 Third method: HTTP Tunneling
Chapter 4: BYPASSING FIREWALLS WITH AN HTTP PROXY
4.1 When HTTP proxy servers become useful
4.2 Main functions
4.2.1 Internet access
4.2.2 Caching documents
4.2.3 Selective control of Internet access
4.2.4 Providing Internet service to organizations that use virtual IP addresses
4.3 A transaction through a proxy
4.4 Connecting through a proxy server
4.5 HTTP proxy
4.6 FTP proxy
4.7 Advantages and disadvantages of caching web pages
4.8 Shortcomings caused by proxies
4.9 Programming technique for a basic HTTP proxy
Chapter 5: Bypassing firewalls with a Web-Based Proxy
5.1 What is a web-based anonymous proxy?
5.2 How a WBP works
5.3 Introduction to the Web-Based Proxy site
5.3.1 Interface
5.3.2 Functions
5.3.3 Algorithm
Chapter 6: Anti-firewall-bypass plug-in for the Internet Explorer browser
6.1 Brief introduction
6.2 Main features
6.2.1 Filtering web pages by checking a list of sites stored in the database
6.2.2 Filtering web pages by checking the address (URL)
6.2.3 Filtering based on the content of the input forms in a web page
6.2.4 Updating web-based proxy pages
6.2.5 Disabling/enabling the plug-in
6.3 Points to note when writing a plug-in for the IE browser
6.3.1 The concept of Browser Helper Objects (BHO)
6.3.2 Some important handler functions
6.4 Data storage details
6.4.1 The Forbidden table
6.4.2 The Trusted table
6.5 Main algorithm of the application
6.5.1 Operating model of the plug-in
6.5.2 Explanation of the model
6.6 Advantages and limitations
Chapter 7: ANTI-FIREWALL-BYPASS SERVICE
7.1 Brief introduction
7.2 Main features of the module
7.3 Packet capture module
7.3.1 Characteristics of an HTTP request packet sent to an HTTP proxy server
7.3.2 Summary of the steps to note when building the module
7.3.3 Details of the module's main objects and handler functions
7.4 IP address blocking module
7.4.1 Introduction to the Filter-Hook Driver
7.4.2 Summary of the steps for building a Filter-Hook Driver to capture packets
7.5 Data storage details
7.5.1 The ForbiddenProxy table
7.5.2 The TrustedProxy table
7.6 Operating diagram of the IP address blocking module
7.7 Explanation of the model
7.8 Remarks and evaluation
7.8.1 Advantages
7.8.2 Disadvantages
Chapter 8: CONCLUSION
8.1 Results achieved
8.2 Future development
LIST OF FIGURES
Figure 1: DDoS attack model
Figure 2: Firewall model
Figure 3: Packet filtering at the firewall
Figure 4: Some functions of a firewall
Figure 5: Packet filtering
Figure 6: Firewall configured on a router
Figure 7: Software firewall
Figure 8: Attacking the system from outside
Figure 9: Packet filtering
Figure 10: Single-Homed Bastion Host model
Figure 11: Dual-Homed Bastion Host model
Figure 12: Model of a simple proxy
Figure 13: Some protocols behind a proxy
Figure 14: Proxy model
Figure 15: General operating model of proxies
Figure 16: Some supported protocols
Figure 17: Caching
Figure 18: Caching failure
Figure 19: A transaction through a proxy
Figure 20: Retrieving information through an HTTP proxy
Figure 21: Retrieving information through an FTP proxy
Figure 22: Main interface of the Web Base Proxy
Figure 23: Mini form at the top of each page
Figure 24: Operating diagram of a Web-Based Proxy page
Figure 25: Main interface of the plug-in
Figure 26: Notification page shown whenever the user browses a violating web page
Figure 27: Typical layout of a web-based proxy page
Figure 28: The browser start-up process and the loading of BHOs
Figure 29: Operating model of the plug-in
Figure 30: Format of a packet sent to a proxy server
Figure 31: Operating diagram of the IP address blocking module
PART ONE
THEORETICAL BASIS
Chapter 1: INTRODUCTION TO FIREWALLS
1.1 Problem statement:
Alongside building an information technology foundation and developing computer applications in production, business, science, education, society and so on, protecting those achievements is indispensable. Using firewalls to protect the internal network (intranet) from outside attack is an effective solution that ensures:
- Safe operation of the entire network
- High security in many respects
- A high degree of control
- High speed
- Flexibility and ease of use
- Transparency to the user
- An open architecture
1.2 The need to protect information:
1.2.1 Causes:
Today the Internet, a huge store of information that serves production and business effectively, has become a target for many attackers with different purposes. Sometimes the purpose is simply to test one's skills or to play a prank on someone else.
With the continuous growth of the Internet and of the services on it, the number of attacks on the Internet has grown exponentially. While the mass media talk more and more about the Internet and its seemingly endless access to information, the technical literature has begun to pay much attention to securing the data of computers connected to the Internet.
According to figures from CERT (Computer Emergency Response Team), the number of Internet attacks reported to the organization was fewer than 200 in 1989, about 400 in 1991, 1400 in 1993, and 2241 in 1994. These attacks targeted every kind of computer present on the Internet: the computers of all the large companies such as AT&T and IBM, universities, government agencies, military organizations, banks and so on. Some attacks were of enormous scale (up to 100,000 computers attacked). Moreover, these figures are only the tip of the iceberg. A very large share of attacks go unreported for many reasons, among them the fear of losing reputation, or simply because the system administrators are unaware of the attacks aimed at their systems.
Not only has the number of attacks risen rapidly, the attack methods have also been continually refined. This is partly because the administrators of Internet-connected systems have become increasingly vigilant. Also according to CERT, attacks in the 1988-1989 period mainly guessed user names and passwords (UserID-password) or used bugs in programs and operating systems (security holes) to disable the protection system, whereas more recent attacks include operations such as IP address spoofing, monitoring information sent over the network, and hijacking remote sessions (telnet or rlogin).
The need to protect information on the Internet can be divided into three kinds: protecting data, protecting the resources used on the network, and protecting the organization's reputation.
1.2.2 Protecting data:
Information stored on computer systems needs to be protected because of the following requirements:
- Confidentiality: information of economic, military or policy value, and so on, must be kept secret.
- Integrity: information must not be lost, modified or swapped.
- Timeliness: information must be accessible at the moment it is needed.
Among these requirements, confidentiality is usually regarded as the number one requirement for information stored on a network. However, even when the information is not kept secret, the integrity requirement is still very important. No individual or organization wastes material resources and time storing information without knowing whether that information is correct.
1.2.3 Protecting resources used on the network:
In practice, in attacks on the Internet, an attacker who has taken control of an internal system can use those machines for his own purposes, to run programs that probe user passwords, to use the existing network links to go on attacking other systems, and so on.
1.2.4 Protecting the organization's reputation:
A large share of attacks are not widely reported, and one of the reasons is the organization's fear of losing its reputation, especially for large companies and important agencies in the state apparatus. When the system administrator only finds out after their own system has been used as a springboard to attack other systems, the loss of reputation is very large and can have long-lasting consequences.
1.3 Types of attack:
1.3.1 Direct attacks:
Direct attacks are usually used in the initial phase to gain access to the inside. A classic attack method is probing for user names and passwords. This method is simple, easy to carry out and requires no special conditions to begin.
The attacker can use information such as the user's name, date of birth, address, house number and so on to guess the password. When a list of users and information about the working environment is available, there are programs that automate this password probing.
A program that can easily be obtained from the Internet to break the encrypted passwords of UNIX systems is called crack; it can try combinations of the words in a large dictionary according to rules defined by the user. In some cases the success rate of this method can reach 30%.
The method of using bugs in application programs and in the operating system itself has been used since the earliest attacks and continues to be used to gain access. In some cases this method lets the attacker obtain the privileges of the system administrator (root or administrator).
Two examples often given to illustrate this method are the sendmail program and the rlogin program of the UNIX operating system.
Sendmail is a complex program whose source code comprises thousands of lines of C. Sendmail runs with the privileges of the system administrator, because the program must be able to write to the mailboxes of the machine's users. Sendmail also directly receives mail requests from the external network. These are the factors that make sendmail a source of security holes for gaining access to the system.
Rlogin lets a user on one machine on the network log in remotely to another machine and use its resources. While receiving the user's name and password, rlogin does not check the length of the input line, so the attacker can supply a precomputed string that overwrites rlogin's program code and thereby gain access.
1.3.2 Eavesdropping:
Eavesdropping on the network can yield useful information such as user names and passwords and confidential information passing over the network. Eavesdropping is usually carried out right after the attacker has gained access to the system, using programs that capture packets in a mode that receives all the information travelling on the network. This information can also be obtained easily on the Internet.
1.3.3 Address spoofing:
IP address spoofing can be carried out by using the source-routing capability. In this attack, the attacker sends IP packets to the internal network with a spoofed IP address (usually the address of a network or a machine that the internal network regards as safe), and at the same time specifies the route the IP packets must take.
1.3.4 Disabling system functions (DoS, DDoS):
This type of attack aims to paralyse a system so that it cannot perform the function it was designed for. This type of attack cannot be prevented, because the means used to mount it are the very means used to work and to access information on the network. For example, using the ping command at the highest possible rate forces a system to spend all of its computing speed and network capacity answering these commands, leaving no resources for other useful work.

Figure 1: DDoS attack model
- The client is an attacker who arranges an attack
- A handler is a compromised host that runs special programs used for the attack
- Each handler can control many agents
- Each agent is responsible for sending stream data to the victim
1.3.5 System administrator errors:
This is not a type of attack by intruders; however, errors by the system administrator often create holes that an attacker can use to gain access to the internal network.
1.3.6 Attacks on the human factor:
An attacker can contact a system administrator, posing as a user, to ask for a password change, a change to his access rights on the system, or even a change to some system configuration in order to carry out other attack methods. No device can effectively stop this type of attack; the only way is to educate the users of the internal network about security requirements so that they are vigilant about suspicious events. In general, the human factor is a weak point in any protection system, and only education together with a cooperative attitude on the part of the users can raise the safety of the protection system.
1.4 What is a firewall?
The term firewall originates from a design technique in construction used to stop and limit fires. In network technology, a firewall is a technique integrated into the network to counter unauthorized access, in order to protect internal information sources and limit unwanted intrusion into the system. A firewall can also be understood as a mechanism for protecting a trusted network from untrusted networks.
A firewall is usually placed between the internal network (intranet) of a company, organization, sector or country and the Internet. Its main role is to keep information secure, to block unwanted access from outside (the Internet) and to forbid access from inside (the intranet) to certain addresses on the Internet.

Figure 2: Firewall model
In short, a firewall is a system that blocks unauthorized access from outside into the network as well as invalid connections from inside out. The firewall filters out invalid addresses according to predefined rules or criteria.

Figure 3: Packet filtering at the firewall
A firewall can be a hardware system, a software system or a combination of the two. If it is hardware, it may consist only of a packet filter or be a routing device (a router with a built-in packet filtering function). The router has advanced security features, including the ability to control IP addresses. The control procedure lets you define which IP addresses can connect to your network and vice versa. The common property of firewalls is that they distinguish IP addresses based on the packets, or deny unauthorized access based on the source address.
1.5 Main functions:
1.5.1 Functions:
The main function of a firewall is to control the flow of information between the intranet and the Internet. It establishes a mechanism for controlling the information flow between the internal network (intranet) and the Internet. Specifically:
- Allow or forbid services that access the outside (from the intranet to the Internet).
- Allow or forbid services that access the inside (from the Internet into the intranet).
- Monitor the network data flow between the Internet and the intranet.
- Control access addresses and forbid access addresses.
- Control users and their access.
- Control the content of the information travelling on the network.

Figure 4: Some functions of a firewall
1.5.2 Components:
A standard firewall consists of one or more of the following components:
- Packet filter (packet-filtering router)
- Application gateway (application-level gateway or proxy server)
- Circuit gateway (circuit-level gateway)
Packet filter (packet-filtering router).
1.6 Principle:
When we talk about data passing between networks through a firewall, it means that the firewall works closely with the TCP/IP protocol. This protocol works by splitting the data received from network applications, or more precisely from the services running on top of the protocols (Telnet, SMTP, DNS, SNMP, NFS...), into data packets and then assigning these packets addresses so that they can be identified and reassembled at the destination. Firewalls are therefore closely concerned with packets and their address numbers.

Figure 5: Packet filtering
The packet filter permits or denies each packet it receives. It examines the whole piece of data to decide whether it satisfies one of the packet filtering rules. These packet filtering rules are based on the information at the start of each packet (the packet header), which is used to allow the packet to be transmitted over the network. These fields are:
- Source IP address
- Destination IP address
- Transport protocol (TCP, UDP, ICMP, IP tunnel)
- TCP/UDP source port
- TCP/UDP destination port
- ICMP message type
- Incoming interface of the packet
- Outgoing interface of the packet
If a packet filtering rule is satisfied, the packet is passed through the firewall. If not, the packet is discarded. In this way the firewall can block connections to particular servers or networks, or lock out access to the internal network from addresses that are not permitted. In addition, control over ports lets the firewall permit only certain types of connection to certain kinds of server, or let only the permitted services (Telnet, SMTP, FTP...) run on the local network.
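The rule check described above, as an added example (not code from the thesis): a first-match packet filter over the listed header fields, with a rule set that trusts the source address alone beside one that also checks the incoming interface. The class names, the interface labels `ext` and `int`, and all addresses and sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter can see (the list in section 1.6)."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    in_if: str = "ext"              # incoming interface (hypothetical label)
    out_if: str = "int"             # outgoing interface (hypothetical label)


@dataclass(frozen=True)
class Rule:
    """One filter rule; a field left at its default matches anything."""
    action: str                     # "pass" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Optional[range] = None
    dport: Optional[range] = None
    icmp_type: Optional[int] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        exact = ((self.proto, p.proto), (self.icmp_type, p.icmp_type),
                 (self.in_if, p.in_if), (self.out_if, p.out_if))
        if any(want is not None and want != got for want, got in exact):
            return False
        ports = ((self.sport, p.sport), (self.dport, p.dport))
        return not any(want is not None and (got is None or got not in want)
                       for want, got in ports)


def filter_packet(rules: Sequence[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule decides; a packet matching no rule is dropped."""
    for index, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, index
    return "drop", None


INTERNAL = "10.0.0.0/8"     # constructed internal network
MAIL = "10.0.0.25/32"       # constructed internal mail server

# Weak rule set: the second rule trusts the source address alone.
NAIVE_RULES = [
    Rule("pass", proto="tcp", dst=MAIL, dport=range(25, 26)),
    Rule("pass", src=INTERNAL),
]

# Corrected rule set: an internal source address is only believed when the
# packet really arrives on the internal interface.
HARDENED_RULES = [
    Rule("drop", src=INTERNAL, in_if="ext"),
    Rule("pass", proto="tcp", dst=MAIL, dport=range(25, 26), in_if="ext"),
    Rule("pass", src=INTERNAL, in_if="int"),
]

# Constructed sample packets.
SMTP_IN = Packet("203.0.113.7", "10.0.0.25", "tcp", 40000, 25)
TELNET_IN = Packet("203.0.113.7", "10.0.0.5", "tcp", 40001, 23)
SPOOFED_IN = Packet("10.0.0.99", "10.0.0.5", "tcp", 40002, 23, in_if="ext")
WEB_OUT = Packet("10.0.0.5", "198.51.100.10", "tcp", 40003, 80,
                 in_if="int", out_if="ext")

if __name__ == "__main__":
    for name, rules in (("naive", NAIVE_RULES), ("hardened", HARDENED_RULES)):
        for pkt in (SMTP_IN, TELNET_IN, SPOOFED_IN, WEB_OUT):
            print(name, pkt.src, "->", pkt.dst, pkt.dport,
                  filter_packet(rules, pkt))
```

The only packet the two rule sets treat differently is the one that claims an internal source address while arriving on the external interface.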
Advantages:
- Most firewall systems use a packet filter. One advantage of the packet filter approach is its low cost, because the packet filtering mechanism is already included in every router's software.
- In addition, the packet filter is transparent to users and applications, so it requires no special training at all.

Limitations:
- Defining the packet filtering modes is a rather complex task; it requires the network administrator to have detailed knowledge of Internet services, of the packet header formats, and of the specific values each field can take. When
- Because it works on the headers of packets, the packet filter clearly cannot control the information content of a packet. Packets that pass through can still carry actions intended by a malicious party to steal information or cause damage.
1.7 Types of firewall:
Each type of firewall has its own advantages and limitations. The most common type is the network-level firewall. This type of firewall is usually based on a router, so the rules that define which access is legitimate are set up directly on the router. This firewall model uses the packet-filtering technique, which is the process of checking packets as they pass through the router.

Figure 6: Firewall configured on a router
In operation, the firewall relies on the router to check the source address of the packet. Once it has been identified, each source IP address is checked against the rules defined in advance by the network administrator.
A router-based firewall works very fast because it only skims the source addresses without placing any real demand on the router, and it spends no time processing wrong or invalid addresses. However, you pay a price: apart from the access controls, packets carrying spoofed addresses can still penetrate your server to some degree.
Some packet filtering techniques can be used in combination with the firewall to overcome this weakness. The IP address is not the only part of a packet that can fool the router. The administrator should apply several rules at the same time, using the identifying information that accompanies a packet such as time, protocol, port and so on, to strengthen the filtering conditions. However, this is not the only weakness of the packet filtering technique of router-based firewalls.
Some Remote Procedure Call (RPC) services are very hard to filter effectively because the associated servers depend on ports that are assigned randomly when the system starts. A service called the portmapper maps calls to RPC services onto pre-assigned service numbers; however, because there is no correspondence between the service numbers and the packet-filtering router, the router cannot tell which service uses which port. It therefore cannot block these services completely unless it blocks all UDP packets (RPC services mainly use UDP, the User Datagram Protocol). Blocking all UDP packets would also block necessary services such as DNS (Domain Name Service). This leads to a dilemma.
1.8 General notions about firewalls:
One of the main ideas of a firewall is to shield your network from the view of outside users who are not permitted to connect, or at least not to let them touch the network. This process enforces the filtering criteria set by the administrator.
In theory, a firewall is the safest security method when your network is connected to the Internet. However, there are still problems surrounding this security environment. If the firewall is configured too strictly, the working of the network is affected, especially in an environment where users depend entirely on distributed applications. Because the firewall enforces each strict security policy, it can get bogged down. In short, the stricter the security mechanism, the more functionality is restricted.
Another problem with a firewall is like putting all your eggs in one basket. Because it is the barrier against unauthorized connections, a single gap can easily destroy your network. The firewall maintains the security environment, in which it plays the role of controlling access and enforcing security. A firewall is often described as the gateway of the network, the place where access rights are verified. But what happens when it is disabled? If a technique for breaking the firewall is discovered, it means the bodyguard has been eliminated and the network's chance of survival is very slim. So before building a firewall, you should consider it carefully and, of course, understand your own network thoroughly.
One more point: a firewall can also forbid unauthorized connections from the inside out. Viewed simply, this seems very beneficial, but in some cases it still has its limitations.
1.8.1 Application-gateway-based firewalls:

A common form is the application-based (application-proxy) firewall. This type works somewhat differently from a firewall based on a packet-filtering router. An application gateway is software-based. When an unidentified user connects remotely to a network running an application gateway, the gateway intercepts the remote connection. Instead of passing it straight through, the gateway checks the components of the connection against predefined rules. If the rules are satisfied, the gateway creates a bridge between the source host and the destination host.

Figure 7 Software firewall
The bridge acts as an intermediary between two protocols. For example, in a typical gateway model, IP packets are not forwarded to the local network; instead a translation process takes place in which the gateway acts as the interpreter.

The advantage of an application gateway firewall is that it does not have to forward IP. More importantly, controls are applied directly on the connection. Finally, each tool provides convenient features for network access. Because every packet flow is accepted, examined, translated and sent on again, this type of firewall is limited in speed. IP forwarding takes place when a server receives a signal from outside asking it to forward information in IP format into the internal network. Allowing IP forwarding is an unavoidable flaw: when it is allowed, a hacker can break into workstations on your network.

Another limitation of this firewall model is that a separate security application (proxy application) must be created for each network service. So there is one application for Telnet, another for HTTP, and so on.

Because no IP forwarding takes place, IP packets from unidentified addresses cannot reach computers in your network, so an application gateway system offers higher security.
1.8.2 Circuit-level gateway:

A circuit-level gateway is a special function that can be performed by an application gateway. A circuit-level gateway simply relays TCP connections without performing any packet processing or filtering.

Example: a circuit-level gateway simply relays a telnet connection through the firewall without checking, filtering or controlling any of the Telnet procedures. The circuit-level gateway works like a wire, copying bytes between the inside connection and the outside connections. However, because the connection appears to originate from the firewall system, it hides information about the internal network.

Circuit-level gateways are usually used for outbound connections, where the network administrators really trust the internal users. The biggest advantage is that a bastion host can be configured as a hybrid that provides an application gateway for inbound connections and a circuit-level gateway for outbound connections. This makes the firewall system easy to use for people on the internal network who want direct access to Internet services, while still providing firewall protection for the internal network against attacks from outside.
1.8.3 Limitations of firewalls:

A firewall is not intelligent enough, as a human is, to read and understand each kind of information and judge whether its content is good or bad. A firewall can only block the intrusion of unwanted information sources, and their address parameters must be clearly specified.

A firewall cannot stop an attack that does not "pass through" it. Specifically, a firewall cannot defend against an attack over a dial-up line, or against information leaking because data is illegally copied onto a floppy disk.

A firewall also cannot defend against data-driven attacks, in which programs are delivered by e-mail, pass through the firewall into the protected network and start running there.

Computer viruses are one example. A firewall cannot scan the data passing through it for viruses, because of the speed at which it has to work, the constant appearance of new viruses, and the many ways of encoding data that escape the firewall's control.

Nevertheless, the firewall remains an effective and widely used solution.
1.8.4 Are firewalls easy to break?

The answer is no. Theory does not prove that firewalls have gaps, but practice shows that they do. Hackers have studied many ways of breaking firewalls. Breaking a firewall involves two stages: first, finding out which type of firewall the network uses and which services run behind it; then, discovering a gap in that firewall, which is usually the harder stage. According to the hackers' research, gaps in firewalls exist because of configuration errors by the system administrator, and such mistakes are not rare. The administrator must make sure nothing goes wrong whichever network operating system (OS) is used, which is a difficult problem in itself. On UNIX networks this is partly because the UNIX OS is so complex, with hundreds of applications, protocols and commands of its own. Mistakes in building a firewall may also come from the network administrator not having a firm grasp of TCP/IP.

One of the things hackers must do is separate the real components from the fake ones. Many firewalls use sacrificial hosts, which are systems designed as Web servers (that can readily be given up) or as decoys, used to catch hackers' intrusion attempts. A decoy may need sophisticated camouflage to hide its true nature, for example by giving responses that resemble a real file system or real applications. So the hacker's first task is to determine whether these are real objects.

Figure 8 Attacking the system from outside

To obtain information about the system, a hacker needs a device capable of serving mail and other services. The hacker tries to receive a message coming from inside the system; the path it took can then be examined, which may reveal clues about the structure of the system.

Furthermore, no firewall can prevent sabotage from the inside. If a hacker exists inside the organization itself, your network will be hacked before long. This actually happened to a large oil company: a hacker infiltrated the staff and collected important information not only about the network but also about the firewall hosts.
1.9 Some firewall models:

1.9.1 Packet-Filtering Router:

The most common Internet firewall system consists of just a packet-filtering router placed between the internal network and the Internet. A packet-filtering router has two functions: forwarding traffic between the two networks, and using packet-filtering rules to permit or refuse traffic.

Figure 9 Packet filtering
Basically, the filtering rules are defined so that hosts on the internal network have direct access to the Internet, while hosts on the Internet have only a limited number of ways to access computers on the internal network. The idea behind this firewall architecture is that anything not explicitly stated as permitted is denied.

Advantages:
- Low cost, simple configuration.
- Transparent to the user.

Limitations:
- A packet-filtering router has many limitations: it is vulnerable to attacks on filters whose configuration is imperfect, and to attacks hidden inside permitted services.
- Because packets are exchanged directly between the two networks through the router, the risk of attack is determined by the number of permitted hosts and services. As a result, every host that is allowed direct access to the Internet needs to be given a sophisticated authentication system and must be checked regularly by the network administrator for signs of attack.
- If the packet-filtering router stops working because of some failure, every system on the internal network can be attacked.
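
The default-deny evaluation described in this section, together with the UDP trade-off from the packet-filtering discussion earlier on the page, as an added example that is not part of the thesis: a stateless first-match filter in Python. The network addresses, port numbers and rule sets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = range(0, 65536)
INTERNAL = "192.168.1.0/24"   # constructed internal network
ANYWHERE = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source network (CIDR)
    dst: str      # destination network (CIDR)
    proto: str    # "tcp", "udp" or "any"
    dports: range

    def matches(self, pkt):
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", pkt.proto)
            and pkt.dport in self.dports
        )


def decide(rules, pkt):
    """First matching rule wins. A packet that matches no rule is denied:
    whatever is not explicitly permitted is refused."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


# Internal hosts may reach the Internet; from outside only one web server is reachable.
STRICT = [
    Rule("allow", INTERNAL, ANYWHERE, "any", ANY_PORT),
    Rule("allow", ANYWHERE, "192.168.1.10/32", "tcp", range(80, 81)),
]
# Same rules plus inbound UDP to unprivileged ports, so that DNS replies get back in.
UDP_OPEN = STRICT + [
    Rule("allow", ANYWHERE, INTERNAL, "udp", range(1024, 65536)),
]

# Constructed sample packets. The filter sees only addresses, protocol and
# destination port, so a DNS reply and a call to an RPC service on a
# dynamically assigned port look alike to it.
SAMPLES = {
    "web_out":   Packet("192.168.1.20", "203.0.113.5", "tcp", 80),
    "web_in":    Packet("203.0.113.5", "192.168.1.10", "tcp", 80),
    "telnet_in": Packet("203.0.113.5", "192.168.1.20", "tcp", 23),
    "dns_reply": Packet("203.0.113.53", "192.168.1.20", "udp", 32800),
    "rpc_in":    Packet("203.0.113.5", "192.168.1.20", "udp", 32771),
}


def audit(rules):
    """Return the decision for every sample packet under the given rule set."""
    return {name: decide(rules, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("STRICT", STRICT), ("UDP_OPEN", UDP_OPEN)):
        print(label, audit(rules))
```

Under STRICT the RPC packet is dropped, but so is the DNS reply; under UDP_OPEN both get through, which is the dilemma the text describes for a filter that cannot map services to ports.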

1.9.2 Single-Homed Bastion Host model:

This system consists of a packet-filtering router and a bastion host. It provides higher security than the previous system, because it applies security at both the network layer (packet filtering) and the application layer (application level). At the same time, an attacker has to break both security layers in order to attack the internal network.

Figure 10 Single-Homed Bastion Host model
In this system, the bastion host is configured inside the internal network. The filtering rules on the packet-filtering router are defined so that all outside systems can access only the bastion host; traffic to all other internal systems is blocked. Because the internal systems and the bastion host are on the same network, the organization's security policy decides whether internal systems may access the Internet directly or must use the proxy services on the bastion host. Internal users are forced to use the proxy by configuring the router's filter to accept only outbound internal traffic that originates from the bastion host.

Advantages:

A server that provides public information through Web and FTP services can be placed on the packet-filtering router and the bastion. Where the highest level of security is required, the bastion host can run proxy services that require all

Because the bastion host is the only internal system that can be reached from the Internet, attacks are limited to the bastion host. However, if a user manages to log on to the bastion host, they can easily access the entire internal network. Users must therefore be forbidden from logging on to the bastion host.
1.9.3 Dual-Homed Bastion Host model:

Demilitarized Zone (DMZ) or Screened-subnet Firewall

The system consists of two packet-filtering routers and a bastion host. It offers the highest security because it provides both network-level and application-level security while defining a "demilitarized" network. The DMZ network acts as a small, isolated network placed between the Internet and the internal network. Basically, a DMZ is configured so that systems on the Internet and on the internal network can access only a limited number of systems on the DMZ network, and direct transmission across the DMZ network is impossible.

Figure 11 Dual-Homed Bastion Host model
For inbound traffic, the outer router defends against standard attacks (such as IP address spoofing) and controls access to the DMZ. The system allows the outside to access only the bastion host. The inner router provides a second layer of protection by controlling DMZ access to the internal network, accepting only traffic that originates from the bastion host.

For outbound traffic, the inner router controls internal network access to the DMZ. It allows internal systems to access only the bastion host and possibly the information server. The filtering rules on the outer router enforce use of the proxy service by allowing only outbound traffic that originates from the bastion host.

Advantages:

An attacker has to break through three layers of protection: the outer router, the bastion host and the router

Only a number of selected systems on the DMZ are known to the Internet through the routing table and DNS information exchange (Domain Name Server).

Because the inner router advertises only the DMZ network to the internal network, systems on the internal network cannot access the Internet directly. This ensures that internal users must access the Internet through the proxy service.
1.9.4 Proxy server:

We will build the firewall on the application-level gateway architecture, in which a suite of proxy programs is placed on the gateway that separates an internal network (Intranet) from the Internet.

The proxy suite is developed from the TIS (Trusted Information System) Internet Firewall toolkit, which comprises a set of programs and system reconfiguration for the purpose of building a firewall. The suite is designed to run on UNIX systems using TCP/IP with the Berkeley socket interface.

Figure 12 A simple proxy model
The proxy suite is designed for several firewall configurations, following the basic forms: dual-home gateway, screened host gateway and screened subnet gateway.

The bastion host component of the firewall, which relays information, logs traffic and provides services, requires a high level of security.

We will look at proxy servers in more detail in a later part.
1.9.5 Firewall proxy server software:

The proxy suite consists of application-level programs that replace or supplement system software. Each service needs a corresponding piece of software that filters its messages. On

- SMTP Gateway - Proxy server for the SMTP service (Simple Mail Transfer Protocol)
- FTP Gateway - Proxy server for the FTP service
- Telnet Gateway - Proxy server for the Telnet service
- HTTP Gateway - Proxy server for the HTTP service (World Wide Web)
- Rlogin Gateway - Proxy server for the rlogin service
- Plug Gateway - Proxy server for instant server connection services over TCP (TCP Plug-Board Connection server)
- SOCKS - Proxy server for services that follow the SOCKS standard
- NETACL - Network access control for other services
- IP filter - Proxy for IP-level control
- SMTP Gateway - Proxy server for the SMTP port

1.9.5.1 SMTP Gateway - Proxy server for the SMTP service (Simple Mail Transfer Protocol)

Figure 13 Some protocols behind the proxy
The SMTP Gateway is built on two programs, smap and smapd, and is used to defend against access through the SMTP protocol. It works by standing in front of the system's original mail server program, so that outside systems cannot connect directly to the mail server. Because, inside a trusted network, the mail server usually has certain privileges

When a remote system connects to the SMTP port, the smap program takes over serving it, switches to a dedicated directory and sets its user-id to an ordinary (unprivileged) level. The sole purpose of smap is to carry out the SMTP dialogue with other systems, collect the mail, write it to disk, log it and exit. Smapd regularly scans this directory; when it finds mail, it passes the data to sendmail for delivery to personal mailboxes or for forwarding to other mail servers.

In this way, an unknown user on the network cannot connect directly to the mail server. All information travelling along this path can be fully controlled. However, the program cannot solve the problem of forged mail or attacks that come by other routes.
1.9.5.2 FTP Gateway - Proxy server for the FTP service:

The proxy server for the FTP service controls access to FTP based on IP address and hostname, and provides secondary access control that can optionally block or log any FTP command. The destination addresses of this service can also be selectively permitted or forbidden. All connections and the amount of data transferred are logged.

The FTP Gateway itself does not threaten the security of the firewall system, because it runs in an empty directory and performs no file I/O at all other than reading its configuration file.

The FTP server only provides the FTP service and does not care who does or does not have the right to download files. Permissions must therefore be set up on the FTP Gateway and must be checked before any file download or upload is performed. The FTP Gateway should be configured
1.9.5.3 Telnet Gateway - Proxy server for the Telnet service:

The Telnet Gateway is a proxy server that manages network access based on IP address and/or hostname, and provides secondary access control that can optionally block any destination. All data connections passing through it are logged. Each time a user connects to the Telnet Gateway, the user must choose a connection method.

The Telnet Gateway does not harm system security, because it operates only within a defined permitted scope. Specifically, the system transfers control to a dedicated directory and forbids access to other directories and files.

The Telnet Gateway is used to control access into the internal network. Unauthorized access cannot take place, while legitimate access is logged with the access time and the operations performed.
HTTP Gateway - Proxy server for the web:

The HTTP Gateway is a proxy server that manages system access through the HTTP (Web) port. The program forbids or permits access requests based on destination address and source address.

It also takes the HTTP protocol's command codes into account; this software will allow

Rlogin Gateway - Proxy server for rlogin:

Terminals that access the system through the BSD rlogin procedure are controlled by the rlogin gateway. The program checks and controls network access in the same way as the telnet gateway. The rlogin client can specify a remote system as soon as it connects to the proxy. The program limits the interaction required between the user and the machine.
Plug Gateway - TCP Plug-Board Connection server:

The firewall provides common services such as Usenet news. The network administrator can choose either to run this service on the firewall itself or to install a proxy server for it.

Because running the News service directly on the firewall can easily cause system faults, the safer approach is to use a proxy. The plug gateway is designed to control the Usenet News service and some other services such as Lotus Notes, Oracle, etc.

Based on IP address or hostname, the plug gateway controls all system access through the registered service ports, and permits or forbids access requests on that basis. All connection requests, including the data, can be logged for monitoring and control.

1.9.5.4 SQL Gateway - Proxy server for SQL-Net:

SQL Net uses its own protocol, unlike that of News or Lotus Notes, so the Plug Gateway cannot be used for this service. SQL
1.9.5.5 SOCKS Gateway and NETACL:

SOCKS Gateway - Proxy server for services that follow the SOCKS standard:

SOCKS is a network connection protocol between servers that both support it. Two servers using this protocol do not need to care whether they can be connected to each other over IP.

SOCKS redirects connection requests from the server at the other end. The SOCKS server determines access rights and sets up the communication channel between the two machines. The SOCKS Gateway is used to defend against access into the network through this port.

NETACL - Network access control tool:

Ordinary network services provide no means of controlling access to themselves, so they are weak points open to attack. Even on the firewall system, where many ordinary services have been removed to keep the system secure, some services such as telnet and rlogin are still needed to maintain the system.

Netacl is a tool for controlling network access, based on the network address of the client machine and the requested service. It wraps the basic services to give them additional access control. A client (identified by IP address or hostname) can thus access the telnet server when it connects to the telnet service port on the firewall.

In firewall configurations, NETACL is normally used to forbid all machines except a few hosts that are allowed to log in to the firewall through either telnet or rlogin, and to block access from attackers.

The security of Netacl rests on the IP address and/or hostname. For systems that need high security, IP addresses should be used to avoid DNS spoofing. Netacl does not defend against IP address forgery through source routing or other means. If such attacks are a concern, a router capable of screening source-routed packets must be used.

Note that netacl does not provide UDP access control, because current technology cannot guarantee the authenticity of UDP. Security for UDP services here means not permitting any UDP services at all.
1.9.5.6 Authentication:

The firewall suite contains an authentication server program designed to support the authorization mechanism. Authsrv holds a database of the users in the network. Each record corresponds to one user and contains that user's authentication mechanism, including the group name, the user's full name and the most recent access. Plain text passwords are used for users inside the network to keep administration simple. Plain text passwords should not be used for users connecting from outside networks.

Users in the database can be divided into different groups, each managed by a group administrator who has full rights within the group, including adding and removing users. This is convenient when several organizations share one firewall.

Authsrv manages groups very flexibly: the administrator can group users with "group wiz", and a person with group administration rights can delete, add, create
1.9.5.7 IP Filter - IP-level filter:

IP Filter is a TCP/IP packet filter, regarded as an indispensable component when setting up a firewall that is transparent to the user. The software is installed in the core of the system (such as the UNIX kernel) and runs in the background while the system is operating, receiving and analysing all IP packets.

IP Filter can do the following:
- Pass or block any packet.
- Distinguish between different services.
- Filter by IP address or hosts.
- Filter selectively by any IP protocol.
- Filter selectively by IP fragments.
- Filter selectively by IP options.
- Send back ICMP/TCP error blocks and reset the packet number.
- Keep state information for TCP, UDP and ICMP flows.
- Keep state information for fragments of any IP packet.
- Act as a Network Address Translator (NAT).
- Serve as the basis for setting up connections that are transparent to the user.
- Provide headers to user programs for verification.
- In addition, support temporary space for verification rules for packets passing through.

In particular, for the basic Internet protocols TCP, UDP and ICMP, IP Filter can filter by:
- Inverted host/net matching
- Port numbers of TCP/UDP packets
- Type or code of ICMP packets
- Established TCP packets
- Any combination of TCP status flags
- Filtering/discarding incomplete IP packets
- Type of service

It can log messages including:
- Headers of TCP/UDP/ICMP and IP packets
- Part or all of the packet data
1.10 Conclusion:

At present the firewall is the most common method of protecting a network, and 95% of the hacker community have to admit that getting past a firewall seems impossible. In practice, however, firewalls have been broken. If your network is connected to the Internet and holds important data that needs protecting, then alongside the firewall you should strengthen other protective measures such as physical security, regular data backups and careful selection of staff.
Chapter 2: THE PROXY CONCEPT

2.1 What is a proxy:

According to www.learnthat.com: a proxy is a device that allows connection to the Internet. It stands between the workstations in a network and the Internet, secures the connection, and allows only certain ports and protocols, e.g. tcp, http, telnet on ports 80, 23. When a client requests a page, the request is sent to the proxy server, which forwards it to that site. When the request is answered, the proxy returns the result to the corresponding client. A proxy server can be used to record Internet usage and to block forbidden pages.

According to www.nyu.edu: a proxy server is a server that stands between a client application, such as a web browser, and a remote server. The proxy server examines requests to see whether it can handle them from its cache; if it cannot, it forwards the request to the remote server.

According to www.webopedia.com: a proxy server is a server that stands between a client application, such as a web browser, and a real server. It intercepts all requests to the real servers to see whether it can fulfil them itself; if it cannot, it forwards the requests to the real servers.

According to www.stayinvisible.com: a proxy server is a kind of buffer between your computer and the Internet resources you are accessing. The data you request reaches the proxy first and is only then passed on to your machine.

Figure 14 Proxy model
2.2 Why proxies came about:

Faster connections: proxies have a mechanism called a cache, which lets the proxy store the most frequently accessed pages. This makes your access faster, because your request is answered locally instead of fetching the information directly from the Internet.

Security: all access has to go through the proxy, so security can be enforced thoroughly.

Filtering: blocking access that is not permitted, such as pornographic sites, reactionary sites and so on.
2.3 General summary on proxies:

From the definitions and the benefits of proxies mentioned above, we can see that proxies are indeed very useful.

However, taking advantage of the proxy idea, some servers on the network have turned themselves into relay stations, intermediaries for connections that are not permitted. This has given the proxy a new definition and a new meaning.

Many addresses on the network are, for one reason or another, forbidden to users, such as pornographic websites, reactionary sites and unhealthy content. To counter this, as mentioned above, some servers have turned themselves into proxies so that these forbidden connections can be made.

There are two kinds of such proxy, or in other words two ways of accessing content through them: the HTTP proxy and the web-based proxy, which we will study in a later part. These are also the two programming methods for bypassing firewalls that we want to discuss in this thesis.
Chapter 3: PROGRAMMING METHODS FOR BYPASSING FIREWALLS

3.1 What is firewall bypassing:

Put simply, bypassing a firewall means getting past the obstruction of security programs (firewalls) in order to reach the desired destination.

Bypassing a firewall can be from the inside out or from the outside in.

Here we deal only with bypassing a firewall from the inside out, so we can summarize three forms of firewall bypassing: HTTP proxy, web-based proxy and HTTP tunneling.
3.2 First method: HTTP Proxy

In this method a server uses some port to relay requests. Such servers are usually called web proxy servers or HTTP proxy servers.

When a client's requests are refused by the administrator (or, more precisely, by the management programs in the LAN), the user can use proxy servers to forward the requests, where the proxy server is an address that the client is allowed to connect to.

These proxy servers are usually not permanent; they tend to have a very short lifetime.

To use such a proxy, you only need to configure the proxy setting that most web browsers support.

This method is studied in depth in Part 2.
3.3 Second method: Web-Based Proxy

This method lets the user access forbidden pages in the form of an access to an intermediary web page.

- First, the user accesses this web page.
- Then the user supplies information about the web page they want to reach (mainly in the form of a URL).
- The web-based proxy then connects to the page the user requested, fetches the information, reformats it and sends it back to the user in a legitimate way.

Of course, the web-based proxy must be a website that has not yet been forbidden by the administrator.

This method is studied in depth in Part 2.
3.4 Third method: HTTP Tunneling

Like the methods above, HTTP tunneling lets the user access forbidden pages.

It consists of a client program on the user's side and a program on the server side.

First, the client program creates a tunnel connecting your machine to the server program located on the network. This tunnel passes through your firewall untouched, because the server's address is not filtered.

Once the tunnel has been set up, every request to a web page goes through the server, is put into the tunnel and reaches your machine without the firewall knowing anything about it. Because some HTTP-tunneling applications are written on the client-server model, with a mechanism based on a prepared working script, we can actively get past firewalls by encoding the packets exchanged

Because of the limited scope of the topic and limited time, this method is not studied in detail in this thesis.
PART TWO
BYPASSING FIREWALLS
Chapter 4: BYPASSING FIREWALLS WITH AN HTTP PROXY
4.1 When HTTP proxy servers become useful:

The main task of an HTTP proxy server is to let internal clients access the Internet without being obstructed by the firewall. All clients behind the firewall can then reach the Internet with only a little effort and without being obstructed by security services.

The proxy server listens for requests from clients and forwards them to servers out on the Internet. It reads the responses from the outside servers and sends them back to the internal clients.

Normally, clients on the same subnet use the same proxy server. The proxy server can therefore cache documents to serve clients with the same needs (for example, clients accessing the same page).

Users of a proxy feel that they are receiving responses directly from outside, but in fact they are going out to the Internet indirectly through the proxy.

Clients that do not use DNS can still browse the web, because the only information they need is the IP address of the proxy server. Likewise, organizations and companies that use private addresses (10.x.x.x, 192.168.x.x, 172.16.x.x - 172.32.x.x) can still reach the Internet normally through a proxy server.

Proxy servers can permit or refuse requests based on the protocol of the connection. For example, a proxy server can permit HTTP connections while refusing FTP connections.

When you use a proxy server as a gateway from the LAN to the Internet, you can choose from the following options:
- Permit or block client access to the Internet based on IP address
- Caching documents: keep copies of web pages to serve identical requests
- Screening connections
- Providing Internet service to companies that use private networks (private IP addressing)
- Converting data to HTML so that it can be viewed in a browser

Figure 15 General operating model of proxies
4.2 Main functions:

4.2.1 Internet access:

Machines in a LAN may be unable to access resources on the Internet directly because they operate behind a firewall. In that case a proxy server can help them do so easily.

Figure 16 Some supported protocols

In the figure above, the proxy server is running on a firewall host and sets up the connections to the outside world. We can also use a different computer as the proxy server; that machine must have full rights to access the Internet.

The proxy receives requests from the browser, retrieves the requested information, converts it to HTML and sends it back to the browser inside the firewall. The proxy server can manage all outbound Internet connections if it is the only computer with a direct connection to the Internet.
4.2.2 Caching documents:

Normally, the clients of one subnet access the same web proxy server. Some proxy servers let you cache (store temporarily) these documents on the machine to serve other machines with the same needs.

Suppose machine A has just accessed the page http://mail.yahoo.com and machine B then requests the same page. In this case the proxy server reuses the document it already holds instead of going all the way to the server to fetch it. This improves speed noticeably.

Figure 17 Caching

- Caching on the proxy server is more effective than caching on a single machine. It saves storage space because the document only has to be stored once.
- To make caching on the proxy server more effective, we should cache the pages that are referenced (accessed) frequently.
- Through caching, we can still access a page even when the server is down.
- Some kinds of proxy allow caching in several places in case a cache goes down or fails.

Figure 18 Caching failure
4.2.3 Selective control of Internet access:

When you use a proxy server you can filter the clients' transactions. Some proxy servers let you:
o Decide which requests are accepted and which are not
o Block pages that you do not want users to access
o Restrict services as you wish; for example, you can let users use the HTTP service but not the FTP service

4.2.4 Providing Internet service to organizations that use private IP addresses:

Organizations that use one or more private address spaces can still use the Internet. They do so by going through a proxy server, and the proxy server holds the real address.
4.3 A transaction through a proxy:

Figure 19 A transaction through a proxy

Each client has its own IP address as well as a direct connection to servers on the Internet. When the browser creates an HTTP request, the HTTP server takes only the path and keyword part of the requested URL; the other parts, such as the protocol and the hostname of the machine running the HTTP server, are already clear to the server.

Example: when you type http://abc.com/class/th01.htm, the browser turns it into: GET /class/th01.htm. The browser connects to the abc.com server, issues the command and waits for the response. In this example, the browser creates a request to the HTTP server and states which resource is to be downloaded; the request contains neither the protocol nor any hostname from the URL.
4.4 Connecting through a proxy server:

A proxy server acts as both client and server. It plays the server role when it receives HTTP requests from browsers, and acts as a client when it connects to the remote server to retrieve resources.

The proxy reuses all the information the browser sent it when it sends the request to the remote server, so there is no risk of information being lost or missing.

A complete proxy server can support all protocols such as HTTP, FTP, Gopher and WAIS. A proxy may also support only one protocol such as HTTP, but that is inconvenient when you need to connect to FTP while browsing the web.
4.5 HTTP proxy:

When the proxy server plays the client role, it acts like a browser to retrieve resources.

An example of the exchange:
o You type: http://abc.com/class/th01.htm
o The browser turns this URL into: GET http://abc.com/class/th01.htm
o This request is sent to the proxy server. The proxy server extracts the abc.com part from the URL in order to connect to the remote server, then turns the URL into: GET /class/th01.htm, sends the command to the server and waits for the response, as shown in the figure below.

Figure 20 Retrieving information through an HTTP proxy
4.6 FTP proxy:

Figure 21: Retrieving information through an FTP proxy
The figure above shows how an FTP request passes through a proxy. From the URL the proxy server knows that this is an FTP request, so it opens an FTP connection to the remote server. The proxy server creates the connection, requests the file from the remote FTP server, retrieves it, and sends it back to the client.
4.7 Advantages and disadvantages of caching Web pages:
Caching means storing documents on the local machine, so that users do not have to connect to the server to fetch the files. When a local browser requests a file, the proxy checks whether that file has been cached. If it has, the proxy sends the file back to the browser. If you use this feature, you need to decide:
o Which pages should be cached (those accessed most frequently)
o How often these pages must be refreshed.
Advantages of caching:
o Caching saves users a great deal of time when they frequently visit the same page. The proxy server answers these requests quickly because it only has to read locally stored files.
o It saves network bandwidth.
o It saves disk space, because all local machines share a single copy of the file instead of each machine caching its own.
o It can still meet Internet needs to some extent even when there is no Internet connection.
4.8 Problems caused by proxies:
As described above, proxies bring many benefits. However, everything has two sides, and proxies are no exception. Taking advantage of the proxy idea, large numbers of computers on the network turn themselves into proxy servers so that clients can reach pages with harmful content that the service provider blocks with a firewall.
The problem is how to let clients keep accessing the Internet normally while preventing them from reaching blocked pages, or in other words, how to stop users from using proxies outside the system.
4.9 Programming technique for a basic HTTP proxy:
Programming an HTTP proxy involves the following steps:
- Listen for connections to the proxy server.
- When a connection arrives, create a thread to manage it.
- Receive the HTTP Request packet and modify it so that it is valid.
- Parse the URL to obtain the web site name and the port. Example: www.yahoo.com:8080 has the name www.yahoo.com and the port 8080 (if no port value is given, the default is port=8080).
- Use the name to resolve the address and obtain the IP.
- Connect to the remote server.
- Forward the request to the server.
- Wait for the response from the remote server.
- Pass the response back to the user.
Chapter 5: Bypassing the firewall with a Web-Based Proxy
5.1 What is a web-based anonymous proxy?
A Web-based Anonymous Proxy is another form of Web Proxy Server, but it is built as a web page (referred to here as a Web-based Proxy, WBP). It differs from a Web Proxy in the following ways:
- It is easy to use and user friendly because the proxy is built into the web page: the user only needs to give the WBP the address (URL) of the page to visit and can start browsing. The user also does not have to configure the browser with other parameters such as the WBP's IP address or port number; knowing the WBP's name or IP and the link to it is enough.
- When a client makes a request, the WBP fetches the resources from the target web server, rebuilds them into a complete web page, and pushes the entire content of that page back to the client's browser. The client's browser usually receives the requested page with the WBP's header attached.
- It can filter web page components on request. Example: deciding whether to allow cookies, images, JavaScript, pop-up windows, and so on in the page.
- Because it is by nature anonymous browsing through an intermediate web page, the client's request packets are almost identical to ordinary HTTP request packets. Packet-filtering software therefore has difficulty telling which packets are the problematic ones.
- Addresses of some other WBPs on the Internet, for reference:
http://www.anonymization.net
http://www.anonymizer.com
http://www.stayinvisible.com
http://www.proxify.com
http://www.silentsuft.com
5.2 How a WBP works:
Each time it receives a request from the client, the WBP:
- Parses the URL and fetches the corresponding resources (links, images, flash, ...) from the web page the client requested.
- After fetching them, updates the URLs in the requested HTML page so that they remain consistent. The WBP filters the web page components according to the client's options and pushes the whole rebuilt HTML page back to the client.
- The client's browser is waiting for the WBP's response, so when the response arrives the browser displays the page to the user.
5.3 Introducing the Web Based Proxy page:
5.3.1 Interface:

Figure 22: Main interface of the Web Based Proxy
The page has a simple interface. At the top is a text box where the user enters the address of the page to visit.
Below it are the options the user can choose from.
At the bottom are 2 buttons: one starts browsing and the other resets the options to their defaults.
5.3.2 Functions:
- Lets the user enter an address in URL form. The user only has to type the address and press Enter, and the page loads the content the user wants.
- Lets the user set the options, where:
o Include a mini URL form: adds a part of the Web Based Proxy to the top of the page

Figure 23: The mini form at the top of every page
o Remove all scripts: removes all scripts
o Accept HTTP cookies: allows cookies to be used to improve speed
o Show images: loads the page content including its images (the images are fetched, not removed)
o For future: reserved for future use
o New window: browses in a new window.
5.3.3 Algorithm:
5.3.3.1 Operation model:
[Figure 24: Operation diagram of a Web-Based Proxy page. Flowchart nodes: start the web page; check cookies (no: load the default page; yes: load the page from cookies); enter information; validate the URL (invalid: correct the URL; valid: continue); check the options; browse the requested page (on failure: report an error; on success: adjust according to the options); send the result to the client.]
5.3.3.2 Explanation of the model:
- Start the web page: loads the forms, the items and the interface of the page.
- Check cookies: checks whether the machine currently holds cookies for the page.
- Load the default page: if no cookies are found, the browser loads the default page, that is, the URL is empty and the default options are checked.
- Load the page from cookies: if cookies are found, the page is loaded from them, including the URLs already used and the state of the options.
- Enter information: the client enters information such as the URL of the page to visit and checks or unchecks the options as desired.
- Validate the URL: checks the form of the input, such as whether http or www is missing; if so, it is added automatically to make the URL valid.
- Check the options: checks which options are checked and which are not, so that the client's request is carried out correctly.
- Browse the requested page: sends the request to the corresponding web server: resolves the domain name and sends the HTTP request to the server.
- Failure, report an error: if the page does not exist, the address is wrong because the user mistyped it, or the HTTP request goes unanswered for any other reason, an error is reported.
- Success, adjust according to the options: on success the page is modified according to the options: whether to add the extra part to the top of the page, whether to keep or remove images, and whether to keep or remove scripts (these items are applied when the HTTP request is sent).
- Send the result to the client: sends the final result to the client, a page that has been adjusted and edited as required.
5.3.3.3 Explanation of some important functions:
- submit_form(): sends the request to the server.
- File url_form.inc: the header part of the page sent to the client.
- File style: contains the interface information: colors, sizes.
- set_response(): restructures the web page.
- set_url(): checks the URL and adjusts it so that it is valid.
- open_socket(): opens the socket.
- encode_url(): encodes the URL.
- decode_url(): decodes the URL.
- set_flags(): sets the options.
- set_cookies(): writes to the cookies.
- get_cookies(): reads information from the cookies.
- delete_cookies(): deletes the cookies.
- include_form(): adds the web-based proxy form to the top of the page (depending on whether the option is checked).
- remove_scripts(): removes the scripts (depending on whether the option is checked).
- send_response_headers(): sends the header part to the client.
- return_response(): sends the remaining parts to the client.
- remove_images(): removes the images from the page (depending on whether the option is checked).
PART THREE
ANTI-BYPASS MODULES
Contents:
The purpose of this thesis is to study programming methods for bypassing a firewall in order to understand the ways a user can get past a firewall, and from there to build modules that prevent firewall bypass. After this study, we built 2 application modules on Windows that stop users from bypassing the firewall with the 2 methods presented above:
- An application module integrated into the Internet Explorer browser, which detects and blocks users who bypass the firewall through a Web-Based Proxy. The module is based on an analysis of how Web-Based Proxy pages work and defines 3 policies that make up its filter. Whenever the user browses any web page, the module's filter checks it against the predefined policies; if any policy is violated, the page is blocked and its information (address) is stored in the module's database.
- An application module in the form of a system service, which detects and blocks users who bypass the firewall through an HTTP Proxy server. The module has 2 main parts: packet filtering and packet blocking. It works by filtering and inspecting the content of HTTP packets. According to the RFC on HTTP, HTTP request packets sent through an HTTP Proxy Server differ in content from ordinary HTTP Request packets. Based on this characteristic, the module builds a policy for filtering and checking the packets sent over the network. When a packet violates the policy, its destination address (in this case the IP address of the HTTP Proxy Server) is added to the filter and stored in the database.
Chapter 6: Anti-bypass plug-in for the Internet Explorer browser
In this chapter we present the first module: the anti-bypass plug-in for the Internet Explorer browser.
6.1 Brief introduction:
The plugin is an application integrated into the Internet Explorer web browser, responsible for controlling the user while browsing. If it detects that the user intends to bypass the firewall through some Web-Based Proxy page, the plugin blocks the attempt and stores information about that page (its address) in the database as a basis for later filtering. The application is written in Visual C++ 6.0 using ATL and runs well on browser versions IE5 and later and on Windows 2000 and later.
Because the list of Proxy Servers and Web-based proxies has to be stored as the basis for the filter, the module keeps this information in a Microsoft Access database.

Figure 25: Main interface of the plug-in

Figure 26: Notification page shown whenever the user browses a violating web page
6.2 Main features:
6.2.1 Filtering web pages against the list of pages already in the database:
If the user tries to browse a web page whose address is stored in the database, the plugin displays the notification page telling the user that access is forbidden.
6.2.2 Filtering web pages by checking the address (URL):
When the user browses to a new web page, and that page can help the user get around the firewall (referred to as a violation), the plugin displays the notification page and stores the page's address in the database. The great majority of Web-based Proxy pages, when in use, show their address in the form http://domain_name of the WebProxy/real address of the page to browse, so based on this mechanism we can identify the addresses.
Example: suppose the web page www.abc.com is a violating page.
When the user goes through this page to reach the page they want, www.yahoo.com, the resulting URL appears as follows:
http://www.webproxy.com/www.yahoo.com
or http://www.webproxy.com?url=www.yahoo.com
.....
The address above can easily be split into 2 separate addresses. When addresses are as obvious as this, the filter will certainly detect them and store the new address in the database for subsequent browsing.
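The list check of 6.2.1 and the address check of 6.2.2, as an added example (not the plugin's own code): the host is compared against a trusted list and a forbidden list, then the path and query are searched for a second web address. All function names are hypothetical and the lists and URLs are constructed samples; list entries are assumed to be lower-case host names.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum verdict { ALLOW = 0, BLOCK_LISTED = 1, BLOCK_EMBEDDED = 2 };

/* Case-insensitive test: does string s start with lit? */
static int prefix_ci(const char *s, const char *lit)
{
    for (; *lit; s++, lit++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*lit)) return 0;
    return 1;
}

/* Copies the lower-cased host of url into host[] and returns what follows the host. */
static const char *split_host(const char *url, char *host, size_t cap)
{
    size_t n = 0;
    if (prefix_ci(url, "http://")) url += 7;
    else if (prefix_ci(url, "https://")) url += 8;
    while (*url && !strchr("/?#:", *url)) {
        if (n + 1 < cap) host[n++] = (char)tolower((unsigned char)*url);
        url++;
    }
    host[n] = '\0';
    return url;
}

/* Address check: returns the start of a second web address in the path or query, or NULL. */
const char *find_embedded_address(const char *rest)
{
    static const char *marks[] = { "http://", "https://", "http%3a", "https%3a", "www." };
    const char *p;
    size_t i;
    for (p = rest; *p; p++) {
        /* only at the start of a path segment or of a parameter value */
        if (p != rest && !strchr("/?=&", p[-1])) continue;
        for (i = 0; i < sizeof marks / sizeof marks[0]; i++)
            if (prefix_ci(p, marks[i])) return p;
    }
    return NULL;
}

static int in_list(const char *host, const char *const *list, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (strcmp(host, list[i]) == 0) return 1;
    return 0;
}

/* Classifies one URL; host[] receives the host that the caller would store on a block. */
enum verdict classify_url(const char *url,
                          const char *const *trusted, size_t nt,
                          const char *const *forbidden, size_t nf,
                          char *host, size_t cap)
{
    const char *rest = split_host(url, host, cap);
    if (in_list(host, trusted, nt)) return ALLOW;             /* trusted pages skip the filters */
    if (in_list(host, forbidden, nf)) return BLOCK_LISTED;    /* already in the database */
    if (find_embedded_address(rest)) return BLOCK_EMBEDDED;   /* address inside the address */
    return ALLOW;
}

int main(void)
{
    static const char *const trusted[] = { "www.google.com" };   /* constructed lists */
    static const char *const forbidden[] = { "wbp.example" };
    static const char *const urls[] = {                          /* constructed URLs */
        "http://www.webproxy.com/www.yahoo.com",
        "http://www.webproxy.com?url=www.yahoo.com",
        "http://wbp.example/",
        "http://www.google.com/search?q=www.yahoo.com",
        "http://abc.com/class/th01.htm"
    };
    static const char *const names[] = { "allow", "block (listed)", "block (embedded address)" };
    char host[256];
    size_t i;
    for (i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        enum verdict v = classify_url(urls[i], trusted, 1, forbidden, 1, host, sizeof host);
        printf("%-48s %s [host %s]\n", urls[i], names[v], host);
    }
    return 0;
}
```

Without the trusted entry, the search-engine URL in the sample is classified as an embedded address, which is why the trusted list is consulted first.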
6.2.3 Filtering by the content of the Input Forms in the web page:
What if the pages encode the address, or do not show the address in the browser at all?
This is where the third function of the filter becomes useful. It supplements case 2 described above. When users go to Web-Proxy pages in order to reach other web pages, they almost always have to type the address of the page they want into a text box and then submit it to the web server for processing.
Example: a web-based proxy page usually looks like this:

Figure 27: Typical layout of a web-based proxy page
As can be seen, the user types the full name of the web page and clicks the Go button. The page submits the content of the text field just entered (http://www.google.com) to the server, and the server performs the browsing.
Based on this behaviour, the filter goes through the Input tags of the web page and checks whether any Input tag is in violation. A violation means that the user almost certainly intends to submit a URL to the server and to reach that page.
6.2.4 Updating the web-based proxy pages:
Lets an authorized user update (add to and delete from) the list of web-based proxy pages in the database.
6.2.5 Disabling/enabling the plugin:
Lets an authorized user disable or enable the plugin.
6.3 Points to note when writing a plugin for the IE browser:
6.3.1 The concept of Browser Helper Objects (BHO):
Browser Helper Objects (BHO) are a concept introduced by Microsoft. A BHO is a kind of application developed on COM (Component Object Model). Its lifetime is tied to the lifetime of the Internet Explorer browser: when started it shares the same memory space as the Internet Explorer web browser, and it is destroyed only when the browser is closed. While running, the object can interact with all components and other objects of the browser (for example: windows, toolbars, text fields, ...) and can receive the messages and events raised by the browser, such as going back to the previous page (GoBack), going to the next page (GoForward), or a completed download (DocumentComplete). When a BHO is created, it must first be registered in the system Registry through its CLSID value. This value serves as the unique identifier of that BHO.
The figure below illustrates how the browser starts and loads the BHOs into memory for processing:

Figure 28: The browser starting and loading the BHOs
The process works as follows:
- The browser starts.
- The browser looks up the CLSID values of the BHOs in the Registry and loads the application modules of these BHOs into memory.
- Each BHO that is created has its own Interface. When the browser finds these BHO Interfaces, it passes a pointer to its own Interface (the IUnknown Interface) to the BHOs. It is this handing over of IUnknown that allows the BHOs to act on the browser's objects and events.
6.3.2 Some important functions:
- HRESULT SetSite(IUnknown* pUnkSite)
This is the initialization function of the BHO object. Its main task is to receive the IUnknown object pointer and several other important objects (IWebBrowser2, IConnectionPointContainer) from the browser and keep them for later use.
- HRESULT Connect(void)
Tells the browser that the BHO wants to catch events and handle them before they are returned to the browser.
- HRESULT Invoke()
Catches the events raised by the browser and dispatches them to the corresponding event handler.
- HRESULT Disconnect(void)
When the object is destroyed or ends on its own initiative, this must be called to tell the browser to stop delivering events.
- Event handlers: the BHO handles each kind of event accordingly. The events handled in this module are:
DISPID_BEFORENAVIGATE2: the browser is about to navigate to a web page other than the current one.
DISPID_ONQUIT: the browser is closing.
- A further note on registering the BHO in the registry for the browser:
When a COM plugin application for Internet Explorer is created, Visual C++ 6.0 generates the lines that initialize the application's registry parameters in a file with the .rgs extension. However, the lines that register the application in the Registry must be added by hand. The content to add is as follows:
HKLM { SOFTWARE { Microsoft { Windows { CurrentVersion { Explorer {
    'Browser Helper Objects'
    {
        ForceRemove {ID generated by VC} = s 'Name to display for the BHO object'
    }
} } } } } }
6.4 Data storage details:
6.4.1 Forbidden table
Field name   Type   Note
URL          Text   Address of a forbidden web-based proxy page
6.4.2 Trusted table
Field name   Type   Note
URL          Text   Address of a trusted web page

6.5 Main algorithm of the application:
6.5.1 Operation model of the plugin:
[Figure 29: Operation model of the plugin. Flowchart nodes: the IE browser starts the plugin and raises events; the event handler asks "Is this a BeforeNavigate event?" (true/false); "Is this web page trusted?"; filter 1, filter 2 and filter 3, each with the outcomes "violation" and "no violation"; save to the database; notification page; navigate / do not navigate. The steps are numbered 1 to 8.]
6.5.2 Explanation of the model:
- BeforeNavigate: the event raised by the browser when the user is about to navigate to a new web page (different from the current one). Examples: clicking a link or a button on a page and moving to a new page, or typing an address into the address bar to browse to it.
- Filter 1: takes the address of an untrusted web page and checks it. The filter queries the database to see whether the page is already in the list of forbidden pages. If it is, the filter stores the address in the database and redirects the user to the notification page. If it is not, the address is passed to the next filter.
- Filter 2: takes the address of an untrusted web page and checks it. If the address contains another web page address, it is considered a violation (as described above). The filter stores the violating address in the database.
- Filter 3: takes the IWebBrowser2 object pointer, which represents the current web page to be checked. Through this pointer the entire content of the page can be obtained (the HTML tags, the scripts, ...). As described above, filter 3 works by checking the content of the INPUT FIELDs of the page, so it concentrates only on the INPUT tags of the HTML page. The filter considers a page to be a Web-Based Proxy if and only if it contains no more than 4 INPUT tags of type text and at least one of these Input tags has the address of some web page as its content. A page that meets this condition is considered a violation and is stored in the database.
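The filter 3 rule above, as an added example (not the plugin's own code): it counts the text INPUT tags of a page and checks whether one of them holds a web address. The plugin reads the live page through IWebBrowser2; here a static HTML string and the value attribute stand in for the page and the field content, and all function names and sample pages are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive test: does string s start with lit? */
static int prefix_ci(const char *s, const char *lit)
{
    for (; *lit; s++, lit++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*lit)) return 0;
    return 1;
}

/* Copies attribute `name` of the tag in [tag, end) into out; returns 1 if it is present.
   Handles double-quoted, single-quoted and unquoted values. */
static int get_attr(const char *tag, const char *end, const char *name, char *out, size_t cap)
{
    size_t nlen = strlen(name), n = 0;
    const char *p, *v;
    char q;
    out[0] = '\0';
    for (p = tag; p + nlen < end; p++) {
        if (!isspace((unsigned char)*p) || !prefix_ci(p + 1, name)) continue;
        v = p + 1 + nlen;
        while (v < end && isspace((unsigned char)*v)) v++;
        if (v >= end || *v != '=') continue;          /* longer name or no value */
        for (v++; v < end && isspace((unsigned char)*v); v++) ;
        q = (v < end && (*v == '"' || *v == '\'')) ? *v++ : '\0';
        for (; v < end && (q ? *v != q : !isspace((unsigned char)*v)); v++)
            if (n + 1 < cap) out[n++] = *v;
        out[n] = '\0';
        return 1;
    }
    return 0;
}

/* Does the field content look like the address of a web page? */
static int is_web_address(const char *s)
{
    while (isspace((unsigned char)*s)) s++;
    return prefix_ci(s, "http://") || prefix_ci(s, "https://") || prefix_ci(s, "www.");
}

/* Filter 3: returns 1 when the page has at most 4 text INPUT tags and at least one of
   them contains a web address. The number of text inputs is returned in *text_inputs. */
int filter3_is_proxy_form(const char *html, int *text_inputs)
{
    int count = 0, hit = 0;
    const char *p = html, *end;
    char type[32], value[512];
    while ((p = strchr(p, '<')) != NULL) {
        if (!prefix_ci(p, "<input") ||
            !(isspace((unsigned char)p[6]) || p[6] == '>' || p[6] == '/')) { p++; continue; }
        end = strchr(p, '>');
        if (end == NULL) break;                       /* unterminated tag */
        /* an INPUT without a type attribute is a text field by default */
        if (!get_attr(p, end, "type", type, sizeof type) ||
            (prefix_ci(type, "text") && type[4] == '\0')) {
            count++;
            if (get_attr(p, end, "value", value, sizeof value) && is_web_address(value))
                hit = 1;
        }
        p = end;
    }
    if (text_inputs) *text_inputs = count;
    return count <= 4 && hit;
}

int main(void)
{
    static const char *const pages[] = {   /* constructed sample pages */
        "<form action=\"/browse\"><input type=\"text\" name=\"url\" "
        "value=\"http://www.google.com\"><input type=\"submit\" value=\"Go\"></form>",
        "<form><input name=q value=firewall><input type=submit value=Search></form>",
        "<form><input name=q value=www.yahoo.com><input type=submit value=Search></form>"
    };
    size_t i;
    int n;
    for (i = 0; i < sizeof pages / sizeof pages[0]; i++) {
        int v = filter3_is_proxy_form(pages[i], &n);
        printf("page %u: %d text input(s), %s\n", (unsigned)i, n, v ? "violation" : "no violation");
    }
    return 0;
}
```

The third sample is a search form whose query happens to be a web address; the rule as stated classifies it as a violation.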
6.6 Advantages and limitations:
The plugin applies several heuristic algorithms to detect Web-proxy pages that are new or not yet in the database, which makes the filter smarter because it can learn by itself the addresses of new pages that try to get around the firewall. In trial runs against new web-proxy pages the filter worked quite effectively and accurately.
Most of these algorithms were built by observing how Web-based Proxy pages operate and finding the characteristics they share and that set them apart from other web pages, and using those as the filter's mechanism. Because the algorithms do not guarantee 100% accuracy, there are some cases of omissions or even unintended errors. Most errors occur when the user uses a search engine (such as google, yahoo, ...) to search for some address on the Internet. In these cases the plugin concludes that the search pages are Web-Based Proxies and blocks them. This error can be mitigated by adding a list of trusted web pages and forcing the filter to check these trusted pages before filtering. However, this approach cannot eliminate the problem completely.
The plugin's operation depends heavily on the existence of the database file that stores the Web-Based Proxy pages. When that file does not exist or is corrupted, the plugin's filtering certainly cannot work correctly.
During trial runs and debugging we tried to fix most of these errors. We will keep working to make the filter more and more complete.
Chapter 7: ANTI-BYPASS SERVICE
In this chapter we present the second module: the anti-bypass service for the Windows operating system.
7.1 Brief introduction:
The anti-bypass service is an application written on the traditional Windows Service model. A service is an application that runs in the background of the system and fully complies with the security requirements defined by Windows (only the owner of the service, in this module's case the system administrator, has the right to stop, start or delete the service). The service is responsible for capturing and filtering the packets sent to the outside network (the Internet) in order to detect and block packets sent to HTTP Proxy Servers, and it stores the addresses of these HTTP Proxy Servers as the basis for the filter. The service consists of 2 small modules: the packet capture module and the IP address blocking module.
7.2 Main features of the module:
As introduced above, this module is divided into 2 separate small modules that support each other while the service runs: the packet capture module and the IP address blocking module.
- Packet capture module: written on the Winsock 2.0 library of Windows; its task is to capture the packets going in and out of the system's network card.
- IP address blocking module: written on the Filter-Hook Driver model introduced by Microsoft in the Windows 2000 DDK documentation. An application written on this model can filter the packets going in and out of the system's network card (according to the Windows 2000 DDK documentation). According to the RFC on the HTTP Protocol, packets sent to an HTTP Proxy Server have their own distinguishing characteristics compared with other packets. The service uses this characteristic as the basis for its filter.
7.3 Packet capture module:
This module is responsible for capturing and inspecting the content of packets going in and out of the network card.
7.3.1 Characteristics of an HTTP request packet sent to an HTTP Proxy Server:
According to the RFC on the HTTP Protocol, an HTTP request packet sent to a proxy server has the following format:

Figure 30: Format of a packet sent to a proxy server
In the illustration above, the content of an HTTP Request packet (the HTTP command here is GET) has an additional field, Proxy-Connection: Keep-Alive. This is the key characteristic that distinguishes an HTTP Request packet sent to a Proxy Server from other ordinary packets.
7.3.2 Summary of the steps to note when building the module:
- Initialize the necessary information (address, port, ...) for a SOCK_RAW socket.
- Switch the socket's operating mode to SIO_RCVALL (capture all packets going in and out of the system).
- Start receiving and processing packets. Note: because the module's original goal is to capture and process HTTP (TCP) packets, the headers of the received packets (which are IP packets) must be stripped before processing begins.
- Consult further documentation on the TCP/IP packet structure and the HTTP Protocol while processing the TCP packets.
7.3.3 Details of the module's main objects and functions:
- socket(AF_INET, SOCK_RAW, IPPROTO_IP)
Creates the socket. Note that the socket must be created as SOCK_RAW in order to capture packets at the IP layer.
- WSAIoctl(SOCKET s, DWORD dwIoControlCode, ...)
Sets the operating mode of the socket. Only the first 2 parameters need attention: the SOCKET to configure and the operating mode. Here dwIoControlCode must be SIO_RCVALL for the module to capture the packets going in and out of the network card.
- Other related functions: recv, WSAStartup, ...
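Added example (not the thesis's own code): the check from sections 4.5 and 7.3.1 applied to one captured IPv4 packet, stripping the IP and TCP headers as section 7.3.2 requires and reporting the destination address when the request line carries an absolute URL or a Proxy-Connection header is present. Function names are hypothetical and the sample packets are constructed with documentation-range addresses; the code works on the byte buffer that recv() on the raw socket would return, so it makes no Winsock calls.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive test: does the n-byte buffer p start with the literal lit? */
static int starts_with_ci(const unsigned char *p, size_t n, const char *lit)
{
    size_t i, m = strlen(lit);
    if (n < m) return 0;
    for (i = 0; i < m; i++)
        if (tolower(p[i]) != tolower((unsigned char)lit[i])) return 0;
    return 1;
}

/* Returns 1 if the TCP payload is an HTTP request in the form sent to a proxy. */
int http_is_proxy_request(const unsigned char *p, size_t n)
{
    static const char *methods[] = { "GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS " };
    size_t i, m = 0;
    for (i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        size_t k = strlen(methods[i]);
        if (n >= k && memcmp(p, methods[i], k) == 0) { m = k; break; }
    }
    if (m == 0) return 0;                        /* not the start of an HTTP request */
    if (starts_with_ci(p + m, n - m, "http://")) /* sign 1: absolute URL (section 4.5) */
        return 1;
    for (i = m; i + 1 < n; i++) {                /* sign 2: Proxy-Connection header (7.3.1) */
        if (p[i] != '\r' || p[i + 1] != '\n') continue;
        if (i + 2 < n && p[i + 2] == '\r') break;            /* blank line: headers end */
        if (starts_with_ci(p + i + 2, n - i - 2, "Proxy-Connection:")) return 1;
    }
    return 0;
}

/* Parses one raw IPv4 packet; on a proxy-style request copies the destination IP to dst. */
int proxy_request_dst(const unsigned char *pkt, size_t len, unsigned char dst[4])
{
    size_t ihl, total, doff;
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;            /* IPv4 only */
    ihl = (size_t)(pkt[0] & 0x0F) * 4;                       /* IP header length in bytes */
    total = ((size_t)pkt[2] << 8) | pkt[3];                  /* IP total length */
    if (ihl < 20 || total > len || total < ihl + 20) return 0;
    if (pkt[9] != 6) return 0;                               /* protocol 6 = TCP */
    if ((((pkt[6] & 0x1F) << 8) | pkt[7]) != 0) return 0;    /* later fragment: no TCP header */
    doff = (size_t)(pkt[ihl + 12] >> 4) * 4;                 /* TCP header length in bytes */
    if (doff < 20 || ihl + doff > total) return 0;
    if (!http_is_proxy_request(pkt + ihl + doff, total - ihl - doff)) return 0;
    memcpy(dst, pkt + 16, 4);                                /* destination = the proxy */
    return 1;
}

/* Constructed sample: wraps an HTTP payload in minimal IPv4 and TCP headers (checksums 0). */
size_t build_sample(unsigned char *buf, size_t cap, const unsigned char dst[4], const char *http)
{
    size_t plen = strlen(http), total = 40 + plen;
    if (total > cap || total > 0xFFFF) return 0;
    memset(buf, 0, 40);
    buf[0] = 0x45;                                           /* version 4, IHL 5 words */
    buf[2] = (unsigned char)(total >> 8);
    buf[3] = (unsigned char)(total & 0xFF);
    buf[8] = 64;                                             /* TTL */
    buf[9] = 6;                                              /* protocol TCP */
    buf[12] = 192; buf[13] = 0; buf[14] = 2; buf[15] = 10;   /* source 192.0.2.10 */
    memcpy(buf + 16, dst, 4);
    buf[20] = 0xC0; buf[22] = 0x1F; buf[23] = 0x90;          /* ports 49152 -> 8080 */
    buf[32] = 0x50;                                          /* TCP data offset 5 words */
    buf[33] = 0x18;                                          /* flags PSH+ACK */
    memcpy(buf + 40, http, plen);
    return total;
}

int main(void)
{
    static const char *samples[] = {                         /* constructed requests */
        "GET http://abc.com/class/th01.htm HTTP/1.0\r\nHost: abc.com\r\n\r\n",
        "GET /class/th01.htm HTTP/1.0\r\nProxy-Connection: Keep-Alive\r\n\r\n",
        "GET /class/th01.htm HTTP/1.1\r\nHost: abc.com\r\n\r\n"
    };
    const unsigned char dst[4] = { 198, 51, 100, 7 };        /* documentation range */
    unsigned char pkt[512], ip[4];
    size_t i, n;
    for (i = 0; i < 3; i++) {
        n = build_sample(pkt, sizeof pkt, dst, samples[i]);
        if (proxy_request_dst(pkt, n, ip))
            printf("sample %u: proxy request to %u.%u.%u.%u\n",
                   (unsigned)i, ip[0], ip[1], ip[2], ip[3]);
        else
            printf("sample %u: direct request or not HTTP\n", (unsigned)i);
    }
    return 0;
}
```

Proxy-Connection is a non-standard header that browsers add when they are configured to use a proxy, so the absolute URL in the request line is the more dependable of the two signs.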
7.4 IP address blocking module:
This module is responsible for filtering and blocking packets going in and out of the network card based on their IP address. It is built on the Filter-Hook Driver model of the Windows 2000 DDK.
7.4.1 Introduction to the Filter-Hook Driver:
The Filter-Hook Driver is a concept introduced by Microsoft in the Windows 2000 DDK documentation. It is a driver that extends the features of the IP Filter Driver (which is built into Windows 2000 and later).
A Filter-Hook Driver is not really a driver for the network environment; it is regarded as a driver for the system kernel (Kernel Mode Driver). Inside this driver we only need to define a CALLBACK function (a kind of event-catching function) and register it with the system's IP address filter driver (IP Filter Driver). Once registration succeeds, the address filter calls the CALLBACK function whenever a packet is sent from or received by the system, so that it can be processed.
7.4.2 Summary of the steps for building a Filter-Hook Driver that captures packets:
- Initialize the Filter-Hook Driver. Supply the name and the basic parameters for the driver as follows:
LoadDriver("IpFilterDriver","System32\\Drivers\\IpFltDrv.sys", null, true)
- Obtain the address pointer of the IP Filter Driver initialized in step 1 in order to create and register the CALLBACK function.
- Create and register the CALLBACK function by sending the pointer to the predefined CALLBACK function to the IP Filter Driver.
- Start filtering packets. Call the StartFilter function.
- To finish and stop filtering packets, the registration must be removed from the IP Filter Driver. To do so, simply register with the driver again with a CALLBACK function pointer of Null.
7.5 Data storage details:
7.5.1 ForbiddenProxy table
Field name   Type   Note
ProxyIP      Text   IP address of a forbidden proxy (recorded by the service while it runs)
7.5.2 TrustedProxy table:
Field name   Type   Note
ProxyIP      Text   IP address of a trusted proxy server (usually the address of the proxy server on the LAN)

7.6 Operation diagram of the IP address blocking module:

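[Figure 31: Operation diagram of the IP address blocking module. Flowchart nodes: the service starts the IP blocking module and the packet capture module; the network card sends/receives IP packets; "Request to a Proxy Server?"; add the IP to the filter; start filtering. The steps are numbered 1 to 8.]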
7.7 Explanation of the model:
On startup, the service activates its 2 sub-modules, the packet capture module and the IP address blocking module. When the IP address blocking module starts, it reads the database, adds the IP addresses of the already forbidden Proxy Servers to the IP Filter Driver, and begins filtering addresses. When the network card receives or sends packets, the packet capture module receives them and analyses them. It checks whether each packet is an HTTP Request sent to a Proxy Server. If it is, the IP address of the Proxy Server is passed on to the IP address filtering module for processing. The new address is added to the address filter and stored in the database.

7.8 Assessment:
7.8.1 Advantages:
Because the module's original requirement was to find a way to block firewall bypass through an HTTP Proxy Server, we tried to develop the module as a Mini Firewall application. Throughout our research we agreed to use the Windows application Service model as the basis for building and deploying the module. The advantage of this model is that it inherits the safety and security requirements defined by the operating system itself. When Windows starts, the system services and the user's services are loaded in turn and run in the background, and only the administrator or the owner of the service has the right to stop, start or delete the service. The module leaves control of the service entirely to the operating system, so the application module concentrates only on its two main features: capturing packets and filtering IP addresses.
In trial runs, the module worked well with the various network cards and modems on Windows. Because the application's sub-modules are written entirely on Winsock (the library used to develop TCP/IP network applications on Windows), compatibility is very high.
Because it supports packet capture, the module can detect and learn the addresses of new Proxy Servers (not yet in the database). It then stores these addresses as the basis for the filter.
7.8.2 Disadvantages:
In trial runs, the module blocked almost all HTTP Proxy Server addresses. However, for new Proxy Servers (not yet in the database), the filter must first learn the new address before it can block it. As a result, in the first working session the filter does not yet block these new addresses. In later sessions the filter works reliably.
During testing, when the filter learned too many new addresses and stored them in the database, it consumed a considerable amount of system resources (CPU, RAM), so the service ran more slowly (and could occasionally hang). Regrettably, we have not yet been able to solve this problem.
The service's operation depends heavily on the existence of the database file that stores the Proxy Servers. When that file does not exist or is corrupted, the service's filtering certainly cannot work correctly.
PART FOUR
SUMMARY
Chapter 8: CONCLUSION
After more than six months of work on this thesis, we have studied with reasonable success the programming methods for bypassing a firewall and the accompanying programs: HTTP proxy, Web-Based Proxy, the anti-bypass plug-in and the anti-bypass service. From what we have learned, we feel there is still much to do to improve the programs, and that we still need more guidance from our teachers and friends.
The final result is the fruit of months of effort on our part, the help of our families, the university and our friends, and above all the dedicated guidance of our advisor, Mr. Hoàng Cường, which allowed us to complete the thesis well against the goals we had set.
Finally, we once again thank everyone who helped us complete this thesis. Our sincere thanks.
8.1 Results achieved:
The original requirement was "Study the programming methods for bypassing a firewall, and use them as the basis for building anti-bypass modules and Web security". To date the thesis has achieved the following:
- Required part:
Studied and successfully implemented 2 methods: HTTP Proxy Server and Web-based Proxy.
- Extension part:
Studied and successfully implemented 2 anti-bypass modules: the anti-bypass plugin for the Internet Explorer browser and the anti-bypass service on the Windows operating system.
In addition, in the course of researching and completing the topic, we gained the following:
- A deeper understanding of network application programming with the Winsock library on Windows.
- An understanding of how to build and deploy an application service on Windows.
- An understanding of how to build and deploy a plugin application for the Internet Explorer browser.
- The ability to read and understand how applications are built and developed on COM (Component Object Model).
Today the Internet is growing rapidly and is a vast, inexhaustible resource, so the need to use it to search for information and to conduct transactions and commerce is inevitable. The requirement for information safety and security (depending on the purposes of the individual or the business) raises a further, rather troublesome problem for network administrators: "controlling and managing users' use of the Internet". By researching and proposing feasible solutions for the extension requirement of the topic, "building anti-bypass modules", we believe we can contribute in part to solving this difficult problem.
8.2 Future work:
In the course of researching the topic, we agreed on and proposed 3 main methods for bypassing a firewall: HTTP Proxy Server, Web-Based Proxy and HTTP Tunneling. All 3 methods are developed on the traditional Client-Server network application model. Of the 3, the third, HTTP Tunneling, is the most advanced and the hardest to detect. Researching and implementing this method also takes considerable time and effort. Although we tried hard to implement it, the idea is not yet highly feasible or applicable in practice. Below we propose some directions for future development, to extend the scientific and practical value of the topic:
- Improve the lookup speed of the filter in the second module, the anti-bypass service.
- Continue researching the HTTP tunneling method.
- Implement a demonstration application for the HTTP tunneling method.
- Further refine the plug-in and the service to achieve optimal effectiveness.
- Successfully implement a module that prevents firewall bypass by the HTTP Tunneling method.
- Turn the project into a complete product that can be applied in practice.