
Fortinet Security Solution

Prepared for:
Prepared by: Techhorizon

Document control

Changes
Date | Performed by     | Version | Content
     | Nguyn Trung Cng | 0.1     | Document created

Reviewed
Date | Name and position

Received
Date | Name and position

Table of Contents

Table of Contents .......................................................... 3
1. General overview ......................................................... 4
  1.1. Introduction to the security vendor Fortinet ......................... 4
  1.2. Approach to building a security policy .............................. 6
  1.3. Principles for building a security policy ........................... 6
2. Proposed security solution ............................................... 7
  2.1. Introduction to FortiGate firewall features ......................... 7
    2.1.1. Hardware highlights ............................................. 7
    2.1.2. UTM features ................................................... 11
    2.1.3. Service highlights ............................................. 14
  2.2. Proposed solution .................................................. 15
    2.2.1. Perimeter protection layer: UTM subsystem ...................... 15
    2.2.2. Data center protection layer ................................... 17
    2.2.3. FortiGate security appliance models ............................ 20
3. Overall solution model .................................................. 21

1. General overview

1.1. Introduction to the security vendor Fortinet

Overview of Fortinet


- Fortinet was founded in 2000 by Ken Xie. Previously, Ken Xie was the founder, co-chairman and CEO of the well-known security vendor NetScreen.
- Headquartered in Sunnyvale, CA.
- Currently more than 1,500 engineering and research & development staff.
- More than 30 offices across the Americas, Asia and Europe.
- Focused primarily on security solutions.
- A pioneer in ASIC-based antivirus systems, providing real-time network protection.
- Ranked first by IDC and Gartner for the UTM product category.
- Strong financial capacity and fast growth.
- The only company to have achieved 8 ICSA Labs certifications and 2 NSS Labs certifications.
Fortinet's security products include:
- FortiGate Firewall: firewall + VPN security appliance, which can integrate the Antivirus, IPS, AntiSpam, Web filtering, Application Control and Data Leak Prevention features.
- FortiMail: a dedicated appliance that protects the email system against viruses/worms/spyware and spam.
- FortiAnalyzer: centralized log collection and log analysis appliance; it also scans the system to find vulnerabilities.
- FortiManager: centralized management appliance for FortiGate and FortiClient devices, allowing the administrator to manage, configure, update and apply a common security policy to all FortiGate and FortiClient devices across the whole system.
- FortiClient: personal firewall + VPN software for mobile users. Additional licenses can be purchased to add the Antivirus, AntiSpam and Web filtering features.
- FortiGuard subscription service: the license to use and update the Antivirus, IPS, AntiSpam and Web filtering features. The license can be purchased for one year or for multiple years.
- FortiCare service: technical support service that extends the product warranty and provides the latest OS/firmware updates for the product. This service can be purchased for one year or for multiple years.

Awards and certifications Fortinet has received

Some of Fortinet's global customers

Major Fortinet customers in Vietnam


Fortinet introduced its security products to Vietnam in 2002. Over nearly 5 years in the Vietnamese market, Fortinet has earned the trust of many large organizations and enterprises in Vietnam. The following are notable Fortinet customers in Vietnam that have deployed the VPN solution for their head office and their branches nationwide.

In addition, many government agencies are using and deploying Fortinet's VPN solution, such as the People's Committees of Lang Son, Ha Tinh, Hai Phong, Binh Dinh, Phu Yen and Quang Ngai, the Vietnam News Agency, ...

1.2. Approach to building a security policy

Our view on network security is that network security is an iterative process, consisting of the following cyclic steps:

- Identify the assets to be protected (servers, resources, applications, network devices, workstations, users, etc.).
- Identify the threats that could affect the network and the systems.
- Establish a network security policy appropriate to each audience, such as leadership, IT management, network administrators and users.
- Implement the network security policies through technical and administrative measures. Technical measures include: network redesign and re-planning, firewalls, VPN, IDP, application-layer UTM security (Antivirus, Antispam, Web Content Filtering, Intrusion Prevention System, Application Control, Data Leak Prevention) and network security administration.
- Monitor network security and respond to abnormal behavior.
- Review the security policy and the network security devices to respond to changes.
- Continue to monitor and manage network security, adjusting the security policy and the configuration of the network security devices to suit the new security context.

1.3. Principles for building a security policy

Network security must be based on the following principles:

- Defense in depth: the system must be protected in depth, divided into multiple tiers and separated into multiple layers. Each tier and layer enforces its own security or blocking policies. This also serves as a safeguard: if one tier or layer is breached, the unauthorized access is confined to that tier or layer and cannot spread to the others.
- Combine multiple security technologies and solutions to strengthen the defense system, for example using the firewall as the direct blocking tool and IDP as the tool that sniffs out, blocks and prevents attacks from outside the system. At the same time, these technologies must support the advanced UTM (Unified Threat Management) features, such as Antivirus, AntiSpam, Email Content Filtering, Web Content Filtering, IPS, Data Leak Prevention and Application Control (for applications such as chat/IM, P2P, remote access and proxy tools), in order to block attacks on and protect the many internal application layers, because today these application layers are easily targeted by external attacks that exploit their vulnerabilities in many different ways.

2. Proposed security solution

2.1. Introduction to FortiGate firewall features

2.1.1. Hardware highlights

FortiASIC: The FortiGate system is a dedicated firewall appliance whose software is designed directly on the hardware, allowing real-time network protection. Using Application-Specific Integrated Circuit (ASIC) technology, FortiASIC consists of three processing components: Network Processor, Content Processor and Security Processor. The FortiGate hardware platform is a firewall and VPN system that can detect and remove viruses/worms, spyware, trojans, grayware, adware, DoS, attack vectors and other malicious code without slowing down the network, even for real-time applications such as web browsing. These security tools are part of the FortiGate appliance's kernel operating system, FortiOS.

The functions of the processing components are as follows:

- FortiASIC Network Processor (NP): works at the interface level, supporting traffic forwarding, IPsec offload and the unicast UDP/TCP protocols. Maximum throughput and the number of interfaces depend on the model.
- FortiASIC Content Processor (CP): works at the system level, providing SSL VPN key generation, accelerating SSL packet processing, and handling decryption for the DES/3DES/MD5/SHA security algorithms. Capacity depends on the chip model.
- Security Processor (SP-Hybrid): modules such as ASM-CE4 and ADM-XE2 work at both the interface and the system level to increase overall performance, accelerating some security functions and packet processing on the interfaces. The SP also handles application control, IPS, flow-based antivirus protection, ...
Complete Content Protection: FortiGate is not merely a stateful inspection security appliance; it also provides application-level security and full scanning of packet contents (application-level security and content protection). Through deep packet scanning and application-layer security, FortiGate helps users block threats and attack risks against the system that traditional blocking mechanisms cannot handle, removing malicious code hidden deep inside or disguised within packets.

Virtual Domains and Security zones: The FortiGate product lines provide VLAN and Virtual Domain (VDOM) functions, which allow:

- Large enterprises to partition the configuration of security policies for each department's network.
- Service providers to divide their firewall into smaller firewalls, one for each customer.

FortiGate appliances include 2 to 10 VDOMs out of the box and can be upgraded to 250 VDOMs by purchasing a license.

High Availability (HA): Supports both Active-Active and Active-Passive modes, even on the product lines intended for SOHO. Fortinet allows two or more FortiGate appliances to be configured to operate within one system as a single FortiGate device (HA cluster). In an HA cluster, when one FortiGate appliance fails, the remaining FortiGate appliances take over its work. This function keeps the customer's system continuously secured and operational.

High concurrent sessions: FortiGate appliances support a very high number of concurrent sessions; depending on the product line, the number of sessions ranges from 25,000 up to 132,000,000, with up to 250,000 new sessions per second, meeting the demanding needs of enterprises in the web services and e-commerce sectors or running ERP applications over the enterprise WAN.

VoIP aware gateway: FortiGate supports the voice standards H.323 and SIP, securing voice applications even in environments where NAT is deployed.

Policy-based traffic shaping: Lets the administrator assign bandwidth priority levels to each security policy and application.

Multi-Threat Security Appliance: The FortiGate appliance combines firewall and VPN gateway technologies, and the following functions can be integrated directly on the FortiGate:

- Antivirus and anti-spam for email at the gateway
- Intrusion detection and prevention
- Web content filtering and bandwidth control
- Data loss prevention and control of applications accessing the Internet
- WAN optimization to save bandwidth and reduce network operating costs

VPN (IPSec, PPTP, SSL-VPN): Fortinet's VPN solution meets both performance and price requirements, with an ASIC-based design. Tightly integrated with application protection, firewall, antivirus and IPS, Fortinet delivers the most secure VPN solution on the market today.

WebUI (web-based configuration and management interface): Most users rate Fortinet highly in this respect. Fortinet gives users a convenient, intuitive and easy-to-understand management and configuration interface through the web. Through the WebUI, the administrator can configure and manage the advanced security features, and reach the logging and reporting functions, quickly with just a few mouse clicks. The administrator does not need to use the command line to configure the device.

2.1.2. UTM features

Antivirus: Protects against up to 60,000 types of viruses, with automatic updates (push update) through a system of about 50 server clusters located around the world.
- Always protected against new viruses, because Fortinet has a team of senior engineers researching and producing updates 24x7.
- Low total cost of ownership (TCO), because Fortinet licenses per device (license per box) rather than per user (license per user).
- Fortinet's Antivirus feature is certified by ICSA Labs, NSS and Virus Bulletin 100.
Intrusion Prevention System (IPS): Fortinet's IPS function provides a comprehensive solution for blocking and preventing attacks against the enterprise's critical applications and data, whether the attacks originate outside or inside the network.

Key features:
- Recognizes more than 7,000 attack types, with automatic updates (push update) through a system of about 50 server clusters located around the world.
- Allows customers to define their own attack signatures.
- Can inspect the contents of VPN-encrypted packets (IPSec and SSL).
- Supports more than 50 protocols and applications.
- Provides attack prevention and blocking capabilities through Fortinet's global research and development engineering team.
- Low total cost of ownership (TCO), because Fortinet licenses per device (license per box) rather than per user (license per user).
- Fortinet's IPS feature is certified by ICSA Labs and NSS.

AntiSpam: Fortinet provides protection against spam and phishing at the gateway level. With an enormous volume of spam and malicious mail sent every day, anti-spam is an essential part of every network security strategy. Spam wastes users' time and harms network resources. Fortinet's AntiSpam function protects the system from spam and phishing at the gateway level, so customers no longer need to worry about installing or updating anti-spam software on each desktop.

Key features:
- Detects spam through IP address lists, email address lookup, MIME header checks and inspection of the email content to confirm whether the email is spam.
- The highest spam detection rate (over 97.4%) thanks to Bayesian and heuristic filtering, RBL and ORDB support, DNS lookup, keyword or phrase filtering, ...
- The lowest error rate thanks to the black/white list update feature, ...
- Fortinet's database servers process about 500 million spam queries per week.
- Provides the most advanced spam prevention and blocking capabilities through Fortinet's global research and development engineering team.
- Low total cost of ownership (TCO), because Fortinet licenses per device (license per box) rather than per user (license per user).

Web content filtering: Today, browsing and accessing the Internet to look up and search for information has become a very important part of an enterprise's daily operations and can contribute to its success. However, visiting bad or black-listed websites reduces the enterprise's productivity, wastes employees' time and the enterprise's money and network resources, and may violate legal regulations on politics, ethics, ... The Web content filtering function helps define and control users' web access so that it complies with the law and with the enterprise's Internet usage policy.

Key features:
- Filtering by web address, by keyword and by a list of banned websites, and filtering of Java applets, cookies, ActiveX, ...
- Fortinet's database server system has catalogued more than 47 million websites, divided into more than 72 categories.
- Blocks and locks out dangerous websites such as P2P, phishing and spyware sites.
- URL caching: speeds up web content filtering.
- Online URL checker: a tool that lets users check how harmful a website is.
- Fortinet's engineering team manages and updates the database daily.
- Low total cost of ownership (TCO), because Fortinet licenses per device (license per box) rather than per user (license per user).
- Fortinet's AntiSpam feature is certified by CIPA (Children's Internet Protection Act) and NSS.

Data leak prevention: Allows the patterns of sensitive data to be defined. Monitors network traffic and blocks sensitive information from leaving the network (for example via email, HTTP, ...).

Application control: Blocks threats and sophisticated malware carried by applications such as Facebook, Skype and IM. It also monitors and controls the applications on the network in order to protect sensitive information.
- Blocks many applications that do not use their standard ports.
- Detects more than 2,000 applications in network traffic, improving control over network communications.
WAN Optimization:
- Increases network performance by reducing the amount of data transmitted over the WAN.
- Reduces bandwidth requirements and server resource usage.
- Supports services such as CIFS, FTP and HTTP, as well as TCP traffic, ...
- Supports byte caching, web caching and web proxy.
- Supports site-to-site and client-to-site VPN connections.

Push Update: Fortinet currently uses an automatic update mechanism based on push technology (Push Update) for the Antivirus, IPS and AntiSpam functions. With this mechanism, Fortinet ensures that the security systems it provides are updated with new attack types, viruses/spyware, trojans and spam within minutes, 24 hours a day, worldwide.

Figure: The FortiGuard Distribution Server Network. Fast Response to Emerging Threats. FortiGuard keeps your assets continuously protected against threats.

In particular, the Antivirus, IPS, AntiSpam and Web filtering features:
- Are not disabled and can still be used if the license expires. However, the customer will not receive updates.
- Can be used on trial (with updates) for 1 month from the date the product is registered.

2.1.3. Service highlights

FortiGuard subscription Service: This is the subscription service for using and updating the Antivirus, IPS, AntiSpam or Web filtering software features. The FortiGuard service is updated and managed 24x7 by Fortinet's professional technical team worldwide, ensuring that the customer's FortiGate security system is always updated with the latest signatures.

Advantages of the FortiGuard service:
- Customers can purchase a license for each feature individually or combine several features together.
- Customers can choose the term they need: 1 year, 2 years, ..., 5 years.
- The FortiGuard service is relatively inexpensive because Fortinet charges the license per product (per box license fee), unlike many other vendors that license per user (per user license fee).
Push Update: for the antivirus and IPS features.

FortiCare Service: This is the technical support service and the service that provides the latest OS/firmware releases for the FortiGate hardware appliance. In addition, the customer receives active support from Fortinet and from Fortinet's global partner network in the following forms:
- Support via web/email 24x7.
- Support by telephone 8x5 from Fortinet or from Fortinet's partners.
- Access to Fortinet's websites to search for and download technical documents, configuration examples and troubleshooting guides.

Fortinet offers several service packages for customers to choose from.

Figure: Fortinet technical support centers. Global Escalation TAC (Canada); Americas TAC (California); APAC TAC (Japan); EMEA TAC (France); APAC (China); APAC TAC (Malaysia). Legend: Regional Technical Support Center (TSC), Local Technical Support Center (TSC), Global Escalation Technical Support Center (TSC).

License subscription: Fortinet currently applies a very customer-friendly way of counting the subscription period for the FortiGuard and FortiCare services:

- Fortinet gives the user a period of 365 days (counted from the date the license is issued) to register the FortiGuard and FortiCare licenses with Fortinet. If the user has not registered within 365 days, the license is no longer valid.
- The license period starts when the customer successfully completes the registration. Fortinet does not backdate the license validity period when the customer's old license expired before the new registration was made.
- If the customer's old license is still valid, Fortinet adds the new validity period on top of the remaining time for the customer.
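As an added illustration that is not part of the proposal, the following Python model encodes the three registration rules just listed (the 365-day registration window, the term starting at registration with no backdating, and stacking onto a still-valid subscription); the function names, the leap-day fallback and the sample dates are constructed assumptions, not Fortinet's own rules or tooling.

```python
from datetime import date, timedelta
from typing import Optional

# Rule from the proposal: a license must be registered within 365 days of issue.
REGISTRATION_WINDOW_DAYS = 365


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years; 29 Feb falls back to 28 Feb (assumption)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def registration_deadline(issue_date: date) -> date:
    """Last day on which a license issued on issue_date can still be registered."""
    return issue_date + timedelta(days=REGISTRATION_WINDOW_DAYS)


def new_expiry(issue_date: date, registration_date: date, term_years: int,
               current_expiry: Optional[date] = None) -> Optional[date]:
    """Expiry date of a FortiGuard/FortiCare term registered on registration_date.

    Returns None when the 365-day registration window has lapsed (the license
    is no longer valid). Otherwise the term runs from the registration date,
    except that a still-valid existing subscription is stacked: the new term is
    appended to its current expiry. A subscription that already expired before
    registration earns no credit for the gap (no backdating).
    """
    if registration_date > registration_deadline(issue_date):
        return None
    start = registration_date
    if current_expiry is not None and current_expiry >= registration_date:
        start = current_expiry          # still valid: stack on top of it
    return add_years(start, term_years)


def days_left_to_register(issue_date: date, today: date) -> int:
    """Days remaining in the registration window (negative once it has lapsed)."""
    return (registration_deadline(issue_date) - today).days


if __name__ == "__main__":
    issued = date(2024, 1, 10)   # constructed sample issue date
    print(new_expiry(issued, date(2024, 3, 1), 1))                     # 2025-03-01
    print(new_expiry(issued, date(2024, 3, 1), 1, date(2024, 6, 30)))  # 2025-06-30 (stacked)
    print(new_expiry(issued, date(2024, 3, 1), 1, date(2024, 2, 15)))  # 2025-03-01 (no backdating)
    print(new_expiry(issued, date(2025, 2, 1), 1))                     # None (window lapsed)
```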

2.2. Proposed solution

2.2.1. Perimeter protection layer: UTM subsystem

The perimeter firewall devices must have built-in network security features that meet the following solution requirements:

- Protect the Customer's internal network from external networks and the Internet.

- With the current number of users at about ... and growing every year, or with the number of branches growing over a 3 to 5 year period, the firewall's processing capacity must exceed ... Gbps, because a very large number of external sessions access the DMZ server farm. At the same time, internal sessions also pass through this device.
- Filter web content when users access the external Internet, in order to restrict and control users according to the enterprise's Internet usage rules.
- Build antivirus protection for the entire network when servers and workstations access the external Internet. Therefore, the antivirus scanning throughput on the firewall must be at least ... Mbps.
- Block and prevent spam email through IP addresses and email address lookup when attacks from the external Internet reach the DMZ Server Farm.
- Because a large number of sessions pass through the firewall in this perimeter zone (including external, internal and DMZ traffic in both directions), the number of concurrent sessions on this device must be at least ... and the number of new sessions established must be at least ...

- Connections from district-level branch offices or from partners into the system must use IPSEC VPN connections that encrypt data with the DES (3DES) and AES (128-bit, 192-bit and 256-bit) encryption standards. Therefore, the VPN throughput on the firewall must be at least 6 Gbps, and it must support SSL connections for more than ... users.
- Users on the external Internet must still be able to access the data center system through a web portal (supporting all web browsers on all operating systems) or through dedicated software installed on a PC/laptop/tablet/smartphone using data encryption (IPSEC). The device in this zone must support SSL VPN for more than 800 users, or users on the external Internet connecting to the data center over IPSEC VPN with support for more than ... users.
- Control and identify mobile devices (Device Manager) on today's common mobile platforms such as Android, iOS and Windows Phone, for devices such as tablets and smartphones, allowing policies to be enforced for each device type and providing the highest level of security for the system.
- Prevent sensitive data from leaking from inside the network to the external Internet (DLP).
- Control and block certain applications (such as instant messaging, P2P, download applications, remote access programs, ...) when local users access the external Internet.

- Detect and block attacks coming from outside (Intrusion Prevention System), with IPS processing capacity in this zone of at least ... Gbps (because attacks from the Internet against the DMZ Server Farm and the external network zone are very numerous). The IPS system has the following characteristics:
  - The IPS system identifies potential threats before they actually attack the inside, such as:
    - Blocking malicious code, including worms, direct attacks, denial-of-service attacks and application-level attacks.
    - Building and extending network security that can inspect and block threats across the whole network, from the applications down to the Address Resolution Protocol (ARP). The firewall's extension techniques must provide the optimal security policy solution for the network security system.
  - The IPS system provides other security mechanisms, per attacking group or per individual attacker. For zero-day attacks, for example, the IPS system can learn on the network, examine the administrator's responses and then update the protection method for that network.
  - The IPS techniques and services are developed by a global team of security experts. These experts continuously research and produce the best solutions to be integrated into the IPS devices.
  - The Client Reputation feature provides statistics on and monitoring of each user's behavior, giving a basis for isolating suspected harmful threats.
  - The IPS system can warn users and analyze for them the best way to respond to threats and attacks.
  - Provides in-depth knowledge of attacks and evaluates threats per event in real time. It can record events to files so that the administrator can easily track and handle them later.
  - Aggregates the widest range of responses and complex actions according to the required policies. Each policy can be configured per individual network as required, such as dropping packets and bad sessions, rate limiting or slowing down attacks, and protecting the applications on the network.
  - Can protect against events that could cause severe harm to the network system. Can set priorities for the threats to be handled.
  - Records information for each alert and how the issue was handled before, during and after it was resolved.
- The firewall device must support HA (Active/Active, Active/Passive), system scalability and expansion slots.

2.2.2. Data center protection layer

The firewall device in this zone must have built-in network security features that meet the following solution requirements:

- Protect the Customer's core network zone from the external zones.
- Strengthen intrusion prevention and block viruses, worms and attacks against the data center's application layers. At the same time, because the number of local users and the number of branches accessing the core zone are very large, the IPS processing capacity into the core zone must be at least 2 Gbps and must be scalable over a 3 to 5 year period. The IPS system has the following characteristics:

  - The IPS system identifies potential threats before they actually attack the inside, such as:
    - Blocking malicious code, including worms, direct attacks, denial-of-service attacks and application-level attacks.
    - Building and extending network security that can inspect and block threats across the whole network, from the applications down to the Address Resolution Protocol (ARP). The firewall's extension techniques must provide the optimal security policy solution for the network security system.
  - The IPS system provides other security mechanisms, per attacking group or per individual attacker. For zero-day attacks, for example, the IPS system can learn on the network, examine the administrator's responses and then update the protection method for that network.
  - The IPS techniques and services are developed by a global team of security experts. These experts continuously research and produce the best solutions to be integrated into the IPS devices.
  - The Client Reputation feature provides statistics on and monitoring of each user's behavior, giving a basis for isolating suspected harmful threats.
  - The IPS system can warn users and analyze for them the best way to respond to threats and attacks.
  - Provides in-depth knowledge of attacks and evaluates threats per event in real time. It can record events to files so that the administrator can easily track and handle them later.
  - Aggregates the widest range of responses and complex actions according to the required policies. Each policy can be configured per individual network as required, such as dropping packets and bad sessions, rate limiting or slowing down attacks, and protecting the applications on the network.
  - Can protect against events that could cause severe harm to the network system. Can set priorities for the threats to be handled.
  - Records information for each alert and how the issue was handled before, during and after it was resolved.

  - Signature-based detection (based on known attack information): attack signatures are loaded into the IPS database and updated periodically from the vendor. When the IPS sees a traffic flow passing through the router that matches one of the signatures it holds, it responds by terminating the attacker's connection, blocking the attacker's IP, sending an alert to the administrator, and logging the entire attack for later investigation.
  - Anomaly-based detection: detecting attacks from abnormal network activity.
  - The Client Reputation feature provides statistics on and monitoring of each user's behavior, giving a basis for isolating suspected harmful threats.

- The number of local users, company branches and partners connecting to the data center is very large, so the required firewall processing capacity is very high and must reach at least about ... Gbps, with scalability over a 3 to 5 year period.
- The number of data and application sessions from local users, company branches and the company's partner zones to the data center zone passing through the firewall is very large. Therefore, the number of concurrent sessions through the firewall must be at least ... and the number of new sessions established must be at least ...
- Build antivirus protection for the entire network when servers and workstations access the external Internet. Therefore, the antivirus scanning throughput on the firewall must be at least 900 Mbps.
- The device must support HA (Active/Active, Active/Passive), system scalability and expansion slots.
- The firewall device must integrate with Active Directory and with LDAP, RADIUS and RSA authentication.
- Prevent sensitive data from leaking from inside the network to the external Internet.

2.2.3. FortiGate security appliance models

3. Overall solution model

The proposed overall solution for a security system built with FortiGate appliances is described as follows:
