
FIS,2008 Network Security 1

Security Overview

Contents
1. Network overview
2. Security overview

The need for network security
- What do you need to protect?
  - Data
  - Resources
  - Reputation
- Network security requires a comprehensive solution
- Nothing is absolutely secure

Attack threats
- Targeted
- Untargeted
- From outside
- From inside

Attack threats: targeted
- Has a specific target
- Is well supported: time, money, tools
- Has deep knowledge of a particular field

Attack threats: untargeted
- Attacks just for fun
- Has no deep or broad knowledge
- Is sometimes only a victim that others exploit to carry out an attack (DDoS)

Attack threats: from outside
- The attacker is someone who is not authorized to access the network
- Comes from outside the network

Attack threats: from inside
- Comes from inside the network
- The attackers are users who are authorized to access the network
- 70% of attack threats come from inside

Network overview

Network overview
- Network infrastructure
- Network services

Network infrastructure
- Network models
- Router
- Switch
- ....

OSI and TCP/IP network models
- International Organization for Standardization (ISO)
- Ensures compatibility between systems and devices from different manufacturers
- Is a reference model

OSI and TCP/IP network models
- TCP/IP (US DoD): US Department of Defense
- Became the widely used implementation model

TCP/IP Layers & Protocols
[Figure: table of Layers and Protocols]
- Network Access = Host-to-network = Data link + Physical
- Network = Internet

Internet Data
[Figure: data passing between layer stacks (application, transport, network, link, physical) on the hosts and (network, link, physical) on an intermediate node]

Network Data Flow Review

Network infrastructure
- Network models
- Router
- Switch
- ....

Router components
- CPU: controls all operations of the router.
- ROM: contains the automatic self-test programs.
- RAM: holds the routing tables, buffers, the running configuration file, and other parameters needed for the router to operate.
- NVRAM (Non-volatile RAM): stores the startup configuration file (Startup-Config); its contents are not lost when power is removed.
- Flash: erasable, rewritable storage that keeps its data when power is cut. The router's operating system is stored here. At boot, the router reads ROM to load IOS before loading the Startup-Config file from NVRAM.
- Operating system (IOS): runs the router's operations.

Router

Router: the role of the router
- Role of the router in a local area network (LAN):
  - Connects internal networks
  - Reduces the size of the broadcast domain and cuts unnecessary network traffic
[Figure: a router connecting LAN segments]

Router: the role of the router
- Role of the router in a wide area network (WAN): connects the LAN to the Internet.
[Figure: LAN, Router, Modem, Internet]

Router: the role of the router

Switch: the need for connectivity
- Exchanging data?

Switch: the initial solution

Switch: difficulties
- Connections
- ...

Switch - Hub

Switch - Hub

Switch - Hub, the problem?

Switch - Switch
- Star topology
- Transmits at maximum speed (full-duplex, dedicated access):
  + A to A
  + B to B
  + C to C

Switch - Switch

Hub + switch + router

Packet processing at the switch, router and host

Summary of some characteristics of hubs, routers and switches

                    hubs    routers   switches
traffic isolation   no      yes       yes
plug & play         yes     no        yes
optimal routing     no      yes       no
cut through         yes     no        yes

Network Overview
- Services

DNS: definition
- DNS (Domain Name System)
  - The system that translates domain names (easy for people to remember) into the IP addresses that computers work with.
- Domain
  - On the Internet, a domain is a set of computers that share a geographic location or a line of business.

DNS components
- DNS Domain Name Space
- Zones
- Name Servers
- The Internet's DNS

DNS: the domain name space
- The DNS root (topmost level) of the Internet domain namespace is managed by the Internet Corporation for Assigned Names and Numbers (ICANN).
- Three kinds of top-level domains exist:
  - Organization domains
  - Geographical domains
  - Reverse domains: special domains, named in-addr.arpa, used for mapping IP addresses to names.

DNS: the Internet domain name space
- In 11/2000, ICANN announced 7 additional top-level domains:
  - .biz
  - .coop
  - .info
  - .museum
  - .name
  - .pro
  - .aero

DNS: the Internet domain name space
- DNS is a hierarchically structured system.
- The root of the domain tree, the Root Domain, sits at the top and is written "."
- Root Domain (root layer): consists of 13 extremely fast supercomputers.
- Top layer: includes the domains .com, .vn,...
- Second level: can be a subdomain (e.g. .com.vn) or a hostname (e.g. microsoft.com.)

DNS: the Internet domain name space

DNS: the Internet domain name space
- General formula of a domain name:
  - Hostname + Domain Name + Root
  - Domain Name = Subdomain. Second Level Domain. Top Level Domain. Root

DNS: the Internet domain name space
- Example: Webserver.training.microsoft.com.
- Where:
  - Webserver is the host name
  - Training is the subdomain
  - Microsoft is the Second Level Domain
  - Com is the Top Level Domain
  - The trailing dot is the Root

DNS: the Internet domain name space

DNS: the internal domain name space
- An organization can have an internal domain name space that is independent of the Internet's domain name space.
- Private names may not be resolvable on the Internet.
- Example: mycompany.local

Zones in DNS
- The domain name system is divided into smaller parts, called zones, for easier management.
- Primary Zone
  - A server holding Primary Zone data is the server with full authority to update the zone data.
- Secondary Zone
  - A copy of the Primary Zone

Name Server
- A server that holds Primary Zone data

DNS: operation

DNS: record types
- A (host name): IP address -> hostname
- PTR (pointer): hostname -> IP address
- SOA (Start Of Authority): the DNS server that has first authority to answer DNS client requests
- NS (Name Server): the server that manages the DNS zone
- CNAME: alternative name (alias)
- MX: identifies the mail server that receives mail for the corresponding domain
- .......

Mail: concepts
- Electronic Mail (e-mail).
- A mechanism for sending and receiving mail over a computer network.
- Uses the protocols (port numbers) SMTP (25), POP3 (110), IMAP (143)

Mail: operation
- Direct message model
  - Messages are sent directly and immediately to machines that are running on an internal network.
[Figure: a message "from: A, to: D" delivered directly among machines B, C and D]

Stored-mail message model
- Messages are sent indirectly, to a server that is running on an internal network.
[Figure: a message "from: A, to: D" passing through the mail server (Mail SERVER) to user machines B, C and D (Mail CLIENT)]

Internet model
[Figure labels: VDC, VIETNAM; TOYOTA, JAPAN; KMA-VNU; from: ha@vnu.edu.vn, to: asimo@toyo.com.jp; from: hoang@hn.vnn.vn, to: asimo@toyo.com.jp; user name: asimo, password: it2kjp; SMTP, SMTP, POP3; automatic mail forwarding over SMTP]

Mail server
- Monitors and manages processes
- Monitors and manages mail accounts
- Common software: MDAEMON, MS-EXCHANGE...

Mail client
- Mail folders
- List of sent/received mail
- Function buttons
- Address book
- Message content display
- Common software: OUTLOOK EXPRESS, INCREDIMAIL,...

E-mail accounts
- The account used to log in to the e-mail service consists of:
  - the registered user name
  - the password
- The user's mail address after registering: registered_name@domain_name
- Example: iti@kma.edu.vn
  - iti is the registered user name,
  - kma.edu.vn is the domain name of the mail server of the Academy of Cryptography
  - the @ symbol is read as "at" in English
- Common domain names: hn.vnn.vn, yahoo.com,...

Web: operating model
- The protocol is HTTP (HTTPS); the default port is 80 (443)
- Works on the client-server model.
- Web client (web browser)
- The web server is where the websites that web clients access are stored.

Web: operating model
- Simple web model
[Figure: simple web model. The client's browser reaches the web server over the Internet; the server holds the information of the web pages (HTML)]

Web: operating model
- Current web model
[Figure: current web model. The client's browser reaches the host machine over the Internet; Web server, Application server, Database Server]

Model of database interaction through a web interface
[Figure: the user reaches the web interfaces over the Internet; the database holds the data of the web pages]

Security overview

Contents
1. The classical security model
2. The X.800 security model
3. Current system security threats

Information security
- Information security = Computer security + Network security

The CIA model
- C = Confidentiality
- I = Integrity
- A = Availability

Confidentiality (C)
- Limits the entities that are permitted to access system resources.
- Covers both confidentiality of the content of information and confidentiality of its existence.
- Encryption and access control are the mechanisms that ensure the confidentiality of a system.

Integrity (I)
- Ensures that information is not lost or changed unintentionally.
- Covers both integrity of content and integrity of origin.
- Authentication mechanisms (peer authentication, message authentication) are used to ensure the integrity of information.

Availability (A)
- Readiness to serve legitimate access.
- The most basic property of an information system.
- Modern security models (for example X.800) do not guarantee availability.
- DoS/DDoS attacks target the availability of a system.

Completeness of CIA
- Does not guarantee non-repudiation.
- Has no correspondence with the OSI open systems model.
- => A new model needs to be built.

The AAA strategy
- A set of mechanisms for building a secure system according to the CIA model.
  - Access Control.
  - Authentication.
  - Auditing.
- Not to be confused with Cisco's AAA term (Authentication, Authorization, Accounting)

Security policy
- A set of conventions that define the secure states of the system.
  - P: the set of all states of the system
  - Q: the set of secure states as defined by the policy.
  - R: the set of states of the system after the security mechanisms are applied.
: the system is absolutely secure.
Nu khng tn ti trng thi sao cho : h
thng khng an ton.


Security mechanisms
- The set of technical or procedural measures deployed to enforce the policy. Examples:
  - Using the permission mechanism on NTFS partitions.
  - Using the system privilege mechanism (user rights).
  - Issuing procedural regulations.
  - ..

Building a secure system
1. Define the security policy.
2. Build the security mechanisms.

The X.800 security model
- Considers security in relation to the OSI open systems model from 3 aspects:
  - Security attack
  - Security mechanism
  - Security service

Security attack
- Passive attacks:
  - Disclosure of information.
  - Traffic analysis
- Active attacks:
  - Modification of information.
  - Denial of service

Security service
- Authentication.
- Access Control.
- Data Confidentiality.
- Data Integrity.
- Non-repudiation.
- Availability????

Security mechanism
- Encipherment.
- Digital Signature.
- Access Control.
- Data Integrity.
- Authentication Exchange.
- Traffic padding.
- .

System security threats
- Deliberate attacks.
- Malicious code.

Attacks on network systems
- Based on oversights in the system.
- Based on software vulnerabilities.
- Based on protocol vulnerabilities.
- Attacks on the security mechanisms.
- Denial-of-service attacks (DoS/DDoS)

Malicious software
- Virus.
- Worm
- Logic bomb.
- Trojan horse.
- Backdoor.
- Spammer.
- Zombie.

Spyware

Case study
- Common forms of network attack

Attack Methods
- Reconnaissance attacks
- Access attacks
- Denial-of-service attacks

Attack Methods: reconnaissance
- Sniffing (eavesdropping)
  - The attacker tries to eavesdrop on the transmission path to collect important information such as username/password.
  - Harder to carry out in a switched network
  - Suited to information that is not encrypted
  - Examples: Ethereal, Dsniff, Packet Inspector

Attack Methods: reconnaissance
- Ping sweep
  - Used to check which computers are present on the network.
  - Uses ICMP echo reply/request
  - Examples: Superscan, Pinger

Attack Methods: reconnaissance
- Port sweep
  - Checks which ports are open on a server and which services are running.
  - Some common ports:
    - HTTP: 80
    - FTP: 20, 21
    - SMTP: 25
    - DNS: 53
  - Examples: Nmap, SuperScan
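
One way a defender can spot the ping sweeps and port sweeps described above in flow logs. This is an added example, not part of the original slides; the flow records, thresholds and function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records (not from the slides):
# (timestamp_seconds, source_ip, destination_ip, protocol, destination_port or None)
SAMPLE_FLOWS = (
    [(i, "10.0.0.5", f"10.0.1.{i + 1}", "icmp", None) for i in range(12)]    # ping sweep
    + [(20 + i, "10.0.0.9", "10.0.1.20", "tcp", p)
       for i, p in enumerate([20, 21, 22, 23, 25, 53, 80, 110, 143, 443])]  # port sweep
    + [(40, "10.0.0.7", "10.0.1.20", "tcp", 80),                             # normal use
       (41, "10.0.0.7", "10.0.1.20", "tcp", 443),
       (42, "10.0.0.7", "10.0.1.30", "icmp", None)]
)

def detect_sweeps(flows, window=60, host_threshold=10, port_threshold=8):
    """Return sorted (source, kind, target) alerts.

    ping sweep: one source sends ICMP to >= host_threshold distinct hosts in `window` s.
    port sweep: one source touches >= port_threshold distinct ports on one host in `window` s.
    """
    icmp = defaultdict(list)   # source -> [(timestamp, destination host)]
    ports = defaultdict(list)  # (source, destination) -> [(timestamp, port)]
    for ts, src, dst, proto, port in flows:
        if proto == "icmp":
            icmp[src].append((ts, dst))
        elif port is not None:
            ports[(src, dst)].append((ts, port))

    def exceeds(events, threshold):
        # Slide a time window over the sorted events and count distinct values in it.
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {value for ts, value in events[i:] if ts - start <= window}
            if len(seen) >= threshold:
                return True
        return False

    alerts = set()
    for src, events in icmp.items():
        if exceeds(events, host_threshold):
            alerts.add((src, "ping sweep", "*"))
    for (src, dst), events in ports.items():
        if exceeds(events, port_threshold):
            alerts.add((src, "port sweep", dst))
    return sorted(alerts)
```

A slow sweep spread over more than `window` seconds stays under both thresholds, so the window and thresholds have to be tuned against the normal traffic of the network being monitored.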

Attack Methods: reconnaissance
- Operating system identification
  - The attacker sends information to check which operating system the server is running.
  - Telnet into the system; different operating systems give different replies.
  - Example: Nmap

Attack Methods
- Reconnaissance attacks
- Access attacks
- Denial-of-service attacks

Attack Methods: access attacks
- Relay (retransmission)
  - The hacker eavesdrops on the network
  - Passwords and authentication information are recorded by the hacker
  - The hacker changes the authentication information and retransmits it to try to impersonate the user
  - Example: a user sends a money transfer command (over the web); the hacker captures the URL and tries to send it again, causing the user to lose all their money.
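
The retransmission attack above, commonly called a replay attack, fails when the server accepts each signed request only once and only while it is fresh. The following is an added example, not from the original slides; the shared key, field names and 30-second validity window are assumptions.

```python
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # assumption: key shared by client and server
MAX_AGE = 30                      # assumption: seconds a signed request stays valid
_seen = {}                        # nonce -> time after which it can be forgotten

def sign_request(params, nonce, ts, key=SECRET):
    """Client side: MAC over the parameters, a one-time nonce and a timestamp."""
    msg = json.dumps({"params": params, "nonce": nonce, "ts": ts}, sort_keys=True)
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def verify_request(params, nonce, ts, mac, now=None, key=SECRET):
    """Server side: return 'ok' or the reason the request is rejected."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(sign_request(params, nonce, ts, key), mac):
        return "bad-mac"      # parameters, nonce or timestamp were altered
    if abs(now - ts) > MAX_AGE:
        return "stale"        # captured request resent after the validity window
    for old in [n for n, expiry in _seen.items() if expiry < now]:
        del _seen[old]        # forget nonces whose requests would be stale anyway
    if nonce in _seen:
        return "replayed"     # identical, validly signed request was seen before
    _seen[nonce] = ts + MAX_AGE
    return "ok"

def demo():
    """Constructed transfer request: original, replay, tampered copy, late replay."""
    transfer = {"to": "acct-2", "amount": "100"}
    mac = sign_request(transfer, "n-001", 1000)
    return [
        verify_request(transfer, "n-001", 1000, mac, now=1005),
        verify_request(transfer, "n-001", 1000, mac, now=1006),
        verify_request(dict(transfer, amount="9999"), "n-001", 1000, mac, now=1006),
        verify_request(transfer, "n-001", 1000, mac, now=1100),
    ]
```

The check only helps if the key is not exposed to the eavesdropper, so it belongs on top of an encrypted channel such as HTTPS rather than in place of one.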


Attack Methods: access attacks
- Man-in-the-middle
  - The hacker sits in the middle of the data flow between two computers
  - Collects data/passwords
  - The information is then passed back to the victim's machine
  - Example: Ettercap

Attack Methods: access attacks
- Backdoor
  - A piece of code inserted into a program that lets an attacker take advantage of gaps to gain access to the system.
  - Example: Sobig and Mydoom exploit a Windows vulnerability and install a backdoor in order to send spam.

Attack Methods: access attacks
- Social Engineering
  - The attacker exploits the human factor to attack.

Attack Methods: access attacks
- Exploiting technology weaknesses
  - Technology develops in a cycle
  - It is first created and put into use, then fixed and updated when bugs and weaknesses are discovered.

Attack Methods: access attacks
- Exploiting technology weaknesses: weaknesses of the TCP/IP protocols
  - Attacks on the IP and ICMP protocols at layer 3
  - Attacks on the TCP and UDP protocols at layer 4
  - Attacks on layer 7 applications: SMTP, FTP...

Attack Methods: access attacks
- Exploiting technology weaknesses: protocol weaknesses, application
  - Example: a bug in Oracle that makes a SQL injection attack possible.

Attack Methods: access attacks
- Exploiting technology weaknesses: operating system weaknesses
  - Example: user privilege escalation, exploiting the plug and play bug

Attack Methods: access attacks
- Exploiting technology weaknesses: buffer overflow

Attack Methods: access attacks
- Password attacks
  - The attacker wants to seize passwords
    - Windows: administrator
    - Unix: root
  - There are two types:
    - brute force
    - dictionary

Attack Methods: access attacks
- Password attacks, examples:
  - pwdump2
  - L0pht Crack
  - YDump

Attack Methods
- Reconnaissance attacks
- Access attacks
- Denial-of-service attacks

Attack Methods: denial-of-service attacks
- Denial of Service (DoS)
  - An attack from a single machine
  - The goal is to block the service

Attack Methods: denial-of-service attacks
- Distributed Denial of Service (DDoS)
  - An attack from many machines
  - Used to attack public targets

Attack Methods: denial-of-service attacks
- Master
  - The hacker's computer, which controls the other computers (Zombies) that attack the victim
- Slave
  - The service running on a Zombie machine that lets the hacker control it
- Victim
  - The victim's machine

Attack Methods: summary
- Reconnaissance attacks
  - Sniffing
  - Ping Sweep
  - Port Sweep
- Access attacks
  - Relay
  - Session Hijacking
  - MITM
  - Backdoor
  - Social Engineering
  - Technology
  - Password
- Denial-of-service attacks
  - DoS
  - DDoS

Finding information
- CERT (Computer Emergency Response Team) organizations
- Training material for the Security Plus certification (CompTIA).
- CEH (Certified Ethical Hacker) material.
- Information security journals.
- Security forums.
