
NETWORK SECURITY

( GRADUATED )
1 - DESCRIBE THE IPSEC ARCHITECTURE. WHAT FEATURES DOES IPSEC ADD TO THE IP PROTOCOL?

ANSWER: IPSec is an extension of the IP protocol. It adds a number of features to IP.
IPSec ARCHITECTURE

[Figure: IPSec architecture. Components: IPSec architecture, ESP protocol, AH protocol, encryption algorithms, authentication algorithms, DOI, key management.]

IPSec architecture


IPSec is a complex protocol built on several underlying techniques such as encryption, authentication and key exchange. Architecturally, IPSec is built from the following basic security components:

- IPSec architecture (RFC 2401): specifies the structure, concepts and requirements of IPSec.
- ESP protocol (RFC 2406): describes ESP, a protocol that provides encryption and authentication of data in IPSec.

- AH protocol (RFC 2402): defines a second protocol whose function is close to that of ESP. When deploying IPSec, the user can therefore choose either ESP or AH; each protocol has its own advantages and drawbacks.

- Encryption algorithms: define the encryption and decryption algorithms used in IPSec. IPSec relies mainly on symmetric ciphers.

- Authentication algorithms: define the data authentication algorithms used in AH and ESP.
- Key management (RFC 2408): describes the key management and key exchange mechanisms in IPSec.
- Domain of Interpretation (DOI): defines the operating environment, i.e. the set of parameters needed to deploy IPSec in a specific situation.
From the application point of view, IPSec is essentially a protocol that runs alongside IP to provide two basic functions that the original IP lacks: encryption and authentication of packets. Broadly, IPSec can be viewed as a combination of two components:
- An encapsulation protocol, consisting of AH and ESP.
- A key exchange protocol, IKE (Internet Key Exchange).

FEATURES THAT IPSec ADDS TO THE IP PROTOCOL

IPSec provides encryption and authentication mechanisms for data transmitted over the network by the IP protocol, and it is designed as an extension of IP. It adds features to IP through its typical applications and the services it provides:
Typical applications of IPSec:
- Connecting the branches of an organisation over the Internet: by building a virtual private network (VPN) on top of a public WAN or the Internet.
- Remote access over the Internet: this is another form of VPN (Remote Access VPN). Users can securely reach their internal network and resources from any point on the Internet.
- Improving the security of commercial transactions on the Internet: applied to online payment systems and the like. Connections to such systems are supported by IPSec, so confidentiality is maintained even over the public Internet.
Services provided by IPSec:
- Access control.
- Connectionless data integrity.
- Data origin authentication.
- Anti-replay.
- Data encryption (confidentiality).
- Traffic flow confidentiality.

2 - DESCRIBE HOW THE AH ENCAPSULATION PROTOCOL IN IPSEC WORKS. WHICH MECHANISM IS THE ANTI-REPLAY SERVICE IN AH BASED ON? WHAT IS THE DATA AUTHENTICATION MECHANISM IN AH? DISTINGUISH THE TWO AH MODES, TRANSPORT AND TUNNEL.

ANSWER:
HOW THE AH ENCAPSULATION PROTOCOL WORKS:
AH provides user authentication, application authentication and the corresponding packet filtering mechanisms to guarantee the integrity of data travelling on the network. In addition, AH can limit spoofing and replay attacks. AH authentication is based on a message authentication code (MAC), so the two endpoints of the SA must share a secret key even though no encryption algorithm is used.

WHICH MECHANISM IS THE ANTI-REPLAY SERVICE IN AH BASED ON?

A replay attack means capturing packets, storing them and sending them again later.
Sender: numbers each packet sent on an SA with a sequence number. The counter starts at 0 and is incremented after every packet sent, so no value is repeated; when the sequence number reaches its maximum of 2^32 - 1 it does not wrap around to 0. Instead, a new SA with a new key is established to carry further data, which guarantees that no two packets on the same SA share a sequence number.

Receiver: the processing is more complex in order to detect duplicate packets; a sliding-window mechanism is used to detect duplicated, lost and out-of-order packets.
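The receiver-side sliding window described above, as an added example that is not part of the original answer sheet: one window per SA, a bitmap recording which sequence numbers below the highest one have already been accepted, and a constructed packet stream containing a reordering and two replays. The window size of 64 is an assumption.

```python
# Added example: receiver-side anti-replay window for one SA (sliding window, per the
# description above). WINDOW is an assumption; sequence numbers are 32-bit.
WINDOW = 64
MAX_SEQ = 2**32 - 1

class AntiReplayWindow:
    """Sliding window over the sequence numbers received on a single SA."""
    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  <=>  sequence number (top - i) already received

    def check_and_update(self, seq):
        """Return True if seq is new and inside the window (accept), False otherwise
        (replayed or too old, drop)."""
        if seq == 0 or seq > MAX_SEQ:
            return False    # 0 is never sent; the SA is re-keyed before wrap-around
        if seq > self.top:
            # Ahead of the window: slide it forward and mark seq as received.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                  # all earlier packets fall out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False    # left of the window: too old, cannot be checked, drop
        mask = 1 << offset
        if self.bitmap & mask:
            return False    # already received: replay
        self.bitmap |= mask # out of order but new: mark and accept
        return True

def replay_check_demo():
    """Constructed stream: in-order packets, one reordering (5 before 4), a replay of 3,
    a jump beyond the window, a packet that is now too old (2) and a late but new 69."""
    w = AntiReplayWindow()
    stream = [1, 2, 3, 5, 4, 3, 70, 2, 69]
    return [(s, w.check_and_update(s)) for s in stream]
```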
DATA AUTHENTICATION MECHANISM IN AH?
Two methods are used:
1. HMAC-MD5-96: HMAC with MD5 as the hash function, truncated to the first 96 bits.
2. HMAC-SHA-1-96: HMAC with SHA-1 as the hash function, truncated to the first 96 bits.
Distinguish the two AH modes, Transport and Tunnel:

AH: Transport mode vs Tunnel mode

Similarities:
- Both provide a data protection mechanism for packets.
- Both are modes of the AH encapsulation protocol.

Differences:
Transport mode:
- Used for end-to-end authentication.
- The AH header is inserted into the IP packet in the order IP, AH, TCP, DATA.
Tunnel mode:
- Used for authentication from an end host to an intermediate node.
- Besides inserting AH, a new IP header (address) is added that wraps the existing packet.
- The scope of authenticated information is larger than in Transport mode.
- Commonly used in SAs between two gateways.

3 - DESCRIBE HOW THE ESP ENCAPSULATION PROTOCOL WORKS. DISTINGUISH THE TWO ESP MODES, TRANSPORT AND TUNNEL.

ANSWER:
HOW THE ESP ENCAPSULATION PROTOCOL WORKS:
ESP (Encapsulating Security Payload) provides confidentiality for data transmitted over IP networks using cryptographic techniques. It also has an option to provide a data integrity service through an authentication mechanism. The user may enable or omit the authentication function, whereas encryption is the default function of ESP.

DISTINGUISH THE TWO ESP MODES, TRANSPORT AND TUNNEL:

ESP: Transport mode vs Tunnel mode

Similarities:
- Both provide a data protection mechanism for packets.
- Both are modes of the ESP encapsulation protocol.
- Both add the ESP header, ESP trailer and ESP auth fields to the original IP packet.

Differences:
Transport mode:
- Encryption and authentication are applied to the payload data of the IP packet.
- The ESP header is placed after the IP header.
Tunnel mode:
- The entire IP packet is encrypted and authenticated.
- The ESP header is placed before the old IP header (the header of the original IP packet).
- The scope of authenticated information is larger than in Transport mode.
- A new IP header is added that wraps the existing packet.
- The ESP header sits after the new IP header (the header created when Tunnel mode is used).

4 - WHAT SERVICES DOES SSL PROVIDE? WHAT ARE THE COMPONENTS OF THE SSL PROTOCOL? DESCRIBE THE DATA PROTECTION MECHANISM (ENCRYPTION AND DATA AUTHENTICATION) OF THE SSL RECORD PROTOCOL.

ANSWER:
SSL SERVICES:
- Data encryption
- Data authentication
- Endpoint authentication

COMPONENTS OF THE SSL PROTOCOL:

- SSL Record Protocol: defines the formats used to transmit data and provides two basic services for SSL connections: confidentiality and data integrity.
- Change Cipher Spec Protocol: the simplest protocol in the SSL structure. It is used to change the cipher parameters of an SSL connection and is sent inside the SSL Record packet structure.
- Alert Protocol: used to exchange alert messages between the two ends of an SSL connection. There are two alert levels: WARNING (informs the peer that an abnormal event has occurred) and FATAL (requests termination of the current connection).
- Handshake Protocol:
+ The most important protocol of SSL.
+ Used by the two sides to authenticate each other and agree on the MAC and encryption algorithms.
+ Also used to exchange the secret key.
+ Must be carried out before any data is transmitted.

DESCRIBE THE DATA PROTECTION MECHANISM (ENCRYPTION AND DATA AUTHENTICATION) OF THE SSL RECORD PROTOCOL:

[Figure 3.14: Operation of the SSL Record Protocol. Original data -> fragmentation -> compression -> append authentication data (MAC) -> encryption -> prepend SSL record header.]

The operations SSL performs on the data are: fragmenting the data, compressing it, authenticating it, encrypting it, adding the necessary headers and finally sending the whole result in one TCP segment. On the receiving side the process is performed in reverse.
5 - DESCRIBE THE HANDSHAKE MECHANISM OF THE SSL HANDSHAKE PROTOCOL. WHAT KINDS OF KEYS ARE USED IN AN SSL CONNECTION?

ANSWER:
- The Handshake Protocol is the most important protocol of SSL:
+ Used by the two sides to authenticate each other and agree on the MAC and encryption algorithms.
+ Also used to exchange the secret key.
+ Must be carried out before any data is transmitted.

THE HANDSHAKE CONSISTS OF 4 PHASES:

PHASE 1: Establish the security parameters such as protocol version, session identifier, cipher algorithm, compression method and initial random numbers. The basic components of the Client_Hello and Server_Hello messages are:
+ VERSION: the SSL version
+ RANDOM: a random number used for authentication
+ SESSION ID:
+ CIPHER SUITE: the set of cipher algorithms the system supports
+ COMPRESSION METHOD: the compression algorithms the system supports

PHASE 2: The server may send its public key certificate, perform key exchange and request a certificate from the client.

PHASE 3: The client sends its certificate when the server requests one and performs key exchange with the server. The client may also send a certificate verify message to the server.

PHASE 4: Change the cipher parameters and finish the handshake.

KINDS OF KEYS USED IN AN SSL CONNECTION:
(not sure this is correct, just double-check it)
- Random identifier: a byte string chosen at random by the server and the client, used to distinguish connections from one another.
- Server MAC key: secret key used to compute the MAC over data sent by the server.
- Client MAC key: secret key used to compute the MAC over data sent by the client.
- Server encryption key: secret key used to encrypt data sent by the server.
- Client encryption key: secret key used to encrypt data sent by the client.
- Initialization vector: used in CBC encryption mode. This value is initialised by the SSL Record Protocol.
- Sequence number: the sequence number of messages sent and received on the connection.
6. DESCRIBE THE PHASES OF THE 802.11i WIRELESS NETWORK SECURITY PROTOCOL. WHAT ARE THE IMPROVEMENTS OF 802.11i OVER THE SECURITY SOLUTION IN 802.11?
* PHASES OF THE 802.11i SECURITY PROTOCOL:
In the general model, this mechanism applies to a WLAN whose components are the STA (mobile station), the AP (Access Point) and the AS (Authentication Server).

- Discovery: the AP sends Beacon and Probe Response frames advertising information about the network and the WLAN's security policies. The STA uses this information to connect to the AP.
The purpose of this phase is for the AP and STA to identify each other, negotiate the cipher parameters and associate with each other in preparation for the next steps. The details settled in this phase include:
+ The cipher and data authentication protocol between AP and STA.
+ The endpoint authentication method.
+ The key management mechanism.
- Authentication: the STA authenticates with the AS through the AP. The AP does not take part in the authentication itself; it only relays messages between the STA and the AS.
This is a mutual authentication phase between STA and AS. The authentication mechanism follows 802.1X, using EAP (Extensible Authentication Protocol).
- Key Management: the AP and STA carry out key exchange.
Two key exchange mechanisms can be used in this phase: pre-shared key and Master Session Key (MSK). The pre-shared key is a static key installed symmetrically on the AP and the STA, whereas the MSK is generated during the authentication phase using EAP. The remaining keys are derived from these two master keys. Key establishment is carried out through the 4-way handshake.
- Protected Data Transfer: data transfer between STAs via the AP. The AP acts as the intermediary that encrypts and decrypts the data.
Data exchanged between AP and STA is protected by one of two mechanisms, TKIP or CCMP:
+ TKIP (Temporal Key Integrity Protocol): data is authenticated with a MIC (based on the Michael hash algorithm) and encrypted with RC4.
+ CCMP (Counter Mode CBC-MAC Protocol): data is authenticated with CMAC (CBC-based MAC) and encrypted with AES in CTR (counter) mode.
- Connection Termination: the AP and STA carry out the procedure to tear down the connection.

* IMPROVEMENTS OF 802.11i OVER THE OLD SECURITY MECHANISM:

- 802.11 LANs were designed with a simple security mechanism called WEP (Wired Equivalent Privacy). WEP uses weak security mechanisms and can be broken easily with tools available today. The basic weaknesses of WEP are:
+ A weak cipher (RC4) with a short key length (40 bits).
+ CRC-32 used for data authentication, which is insecure.
+ A single static key shared for both encryption and authentication.
+ No key exchange mechanism.

- To overcome these weaknesses, 802.11i provides the following improvements:

+ A strong encryption algorithm (AES).
+ An added key exchange mechanism.
+ CRC-32 replaced by an authentication algorithm based on the Michael hash function.
+ Separate mechanisms for encryption and authentication.
7. DESCRIBE HOW THE PGP (PRETTY GOOD PRIVACY) EMAIL SECURITY SOLUTION WORKS. DESCRIBE THE ENCRYPTION AND AUTHENTICATION MECHANISMS USED IN PGP.
* HOW PGP WORKS:
Files are ENCRYPTED with a PUBLIC KEY. Your public key can be published widely. If you want your friends, customers, partners and so on to encrypt the mail they send you, you must give them your public key. Files are DECRYPTED with a PRIVATE KEY. Only the holder of this private key can decrypt messages that were encrypted with your public key.
- Message authentication:
+ The sender's original message is hashed with SHA-1; the hash is then encrypted with RSA using the sender's private key to form a digital signature that is sent along with the original message.
+ The receiver separates the original message and feeds it to SHA-1, and at the same time decrypts the digital signature with the sender's public key in order to compare the two.

- Message confidentiality:

+ The sender generates a 128-bit random number and uses it as the key to encrypt the sender's original message with a symmetric cipher (CAST-128 or DES/3DES) in 64-bit Cipher Feedback (CFB) mode.
+ The generated key is encrypted with RSA using the recipient's public key and sent along with the message.
+ The recipient uses their private key to recover the symmetric key and then uses it to decrypt the original message.

- Message compression:
+ Compressing the message reduces its size so that transmission is faster, and at the same time improves the effectiveness of the cipher.
- Transfer encoding:
+ After the message has been processed (signed, compressed, encrypted), its content becomes a block of binary data, which may be incompatible with mail systems that only support the ASCII text format. PGP therefore performs a transfer-encoding step so that the processed message can still be forwarded normally by mail servers.
+ Transfer encoding in PGP uses base64 encoding (radix-64).
- Key management:
+ Each user maintains a set of other users' public keys; this set is managed by a keyring.
+ In PGP, users create their own certificates, and these certificates are distributed by the users themselves.
+ Trust relationships between users are established through the Web of Trust model.
* ENCRYPTION AND AUTHENTICATION MECHANISMS USED IN PGP:
- PGP authenticates the message first and encrypts it afterwards.
+ Hash the message content with SHA-1 and encrypt the hash with the sender's secret key. Attach the result to the front of the message as the signature.
+ Generate a symmetric key K and encrypt the whole message (including the signature just created).
+ Encrypt the key K with the recipient's public key and attach it to the front of the message as well.

+ On the receiving side, the recipient decrypts the front part of the message with their private key to obtain the key K.
+ Decrypt the message content (together with the digital signature) with K. This completes the confidentiality function.
+ Decrypt the digital signature with the sender's public key. This completes the authentication function.

[Figure: encryption and authentication of the message at the sender]

[Figure: encryption and authentication of the message at the receiver]

8. DESCRIBE HOW S/MIME WORKS IN SECURING THE EMAIL SERVICE. COMPARE THE ENCRYPTION AND AUTHENTICATION MECHANISMS OF S/MIME WITH PGP.
* HOW S/MIME WORKS:
- S/MIME introduces two security methods for email: the first is email encryption, the second is signing (authentication). Both rely on asymmetric encryption and PKI.
+ Email authentication uses the authentication key pair. Signing = encrypting the message with the sender's private key. Verifying = using the sender's public key to decrypt the message.
+ Email encryption uses the encryption key pair. Encrypting = encrypting the message with the recipient's public key. Decrypting is done with the recipient's private key.
- Encrypting the message content:
+ Generate a symmetric key suitable for the cipher used to encrypt the message content.
+ Encrypt this symmetric key with RSA using each recipient's public key.
+ Create a RecipientInfo block describing the recipient, containing the recipient's certificate, the asymmetric algorithm used for encryption and the encrypted symmetric key. When one message is sent to several recipients, each recipient gets a corresponding block.
+ Encrypt the original message with the symmetric key just generated.
- Authenticating the message content:
+ Choose a suitable hash function (MD5 or SHA-1).
+ Compute the hash of the original message with the chosen hash function.
+ Encrypt the hash with the sender's private key.
+ Create a SignerInfo block containing the sender's certificate, the name of the hash function, the name of the encryption algorithm and the encrypted hash block.
- The whole set of information, including the original message and the SignerInfo block, is converted to base64.

9. WHAT ARE THE FUNCTIONS AND THE OPERATING MECHANISM OF AN INTRUSION DETECTION SYSTEM (IDS)? HOW ARE IDS SYSTEMS CLASSIFIED? WHAT ARE THE MAIN COMPONENTS OF A TYPICAL IDS?
* FUNCTIONS OF AN IDS:
- Passively monitor the activity of the system.
- Detect signs of intrusion and raise alerts.
- Does not perform intrusion prevention (that is the role of an Intrusion Prevention System, IPS).
* HOW AN IDS WORKS:
- A host generates a network packet; this packet is no different from any other packet sent by another host on the network.
- The sensors in the network read the packet before it leaves the local network (the sensors must be placed so that they can read all packets).
- The detection program inside the sensor checks whether any packet shows signs of a violation. When it does, an alert is generated and sent to the management console.
- When the management console receives the alert, it notifies a predesignated person or group (by email, popup window, web page, etc.).
- A response is initiated according to the rules defined for this intrusion sign.
- Alerts are stored for future reference (on local storage or in a database).
- A summary and a detailed report of the incident are generated.
- The alert is compared with other data to determine whether this really is an attack.

* IDS CLASSIFICATION:

- Classification by monitoring scope
+ Network-based IDS (NIDS): an IDS that monitors the whole network. The main information source of a NIDS is the packets travelling on the network. A NIDS is usually installed at the entry point of the network, either in front of or behind the firewall.
+ Host-based IDS (HIDS): an IDS that monitors the activity of an individual computer. Besides the traffic to and from the host, the main information sources of a HIDS are therefore the system logs and the system audit records.
- Classification by detection technique
+ Signature-based IDS: detects intrusions from the signatures of intrusive behaviour, through analysis of network traffic and system logs. This technique requires maintaining a signature database, which must be updated regularly whenever a new form or technique of intrusion appears.
+ Anomaly-based IDS: detects intrusions by (statistically) comparing current behaviour with the normal activity of the system, to find anomalies that may be signs of intrusion.
* MAIN COMPONENTS OF A TYPICAL IDS:
- Information collection component.
- Packet analysis (detection) component.
- Response component, used when a packet is detected as an attack.
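The two detection techniques just described, run over a constructed connection log, as an added example that is not part of the original answer sheet. The signature (one source touching many ports on one host), the baseline counts of normal activity and the log lines are all constructed assumptions; a real signature database and baseline would be far larger.

```python
# Added example: signature-based vs anomaly-based detection over constructed
# connection-log lines of the form "src_ip dst_ip dst_port". Thresholds are assumptions.
from collections import defaultdict
import statistics

SCAN_PORT_THRESHOLD = 10   # assumed signature: >= 10 distinct ports on one host from one source

def parse(lines):
    """Split 'src dst port' lines into (src, dst, port) tuples."""
    return [(s, d, int(p)) for s, d, p in (ln.split() for ln in lines)]

def signature_detect(lines):
    """Signature-based: return (src, dst) pairs whose behaviour matches the scan signature.
    A new kind of probe that does not match any stored signature is not reported."""
    ports = defaultdict(set)
    for src, dst, port in parse(lines):
        ports[(src, dst)].add(port)
    return sorted(k for k, v in ports.items() if len(v) >= SCAN_PORT_THRESHOLD)

def anomaly_detect(lines, normal_counts, k=3.0):
    """Anomaly-based: flag sources whose connection count exceeds mean + k * stdev of
    the per-source counts observed during normal operation (the statistical baseline)."""
    mean = statistics.mean(normal_counts)
    stdev = statistics.pstdev(normal_counts)
    counts = defaultdict(int)
    for src, _, _ in parse(lines):
        counts[src] += 1
    return sorted(src for src, n in counts.items() if n > mean + k * stdev)

# Constructed traffic: two ordinary clients, one source probing 12 ports on a host,
# and one source opening 40 connections to a single service.
SAMPLE_LOG = (
    ["10.0.0.5 10.0.1.20 443"] * 3
    + ["10.0.0.6 10.0.1.20 80", "10.0.0.6 10.0.1.21 22"]
    + ["10.0.0.9 10.0.1.20 %d" % p for p in range(20, 32)]
    + ["10.0.0.12 10.0.1.20 80"] * 40
)
# Constructed baseline: per-source connection counts seen over a normal period.
NORMAL_COUNTS = [2, 3, 4, 3, 5, 2, 4, 3]

def run_ids():
    """Both detectors over the sample log: the scanner matches the signature, while the
    anomaly detector flags both the scanner and the high-volume source."""
    return {"signature": signature_detect(SAMPLE_LOG),
            "anomaly": anomaly_detect(SAMPLE_LOG, NORMAL_COUNTS)}
```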

10. WHAT ARE THE FUNCTIONS AND THE OPERATING MECHANISM OF A FIREWALL? HOW ARE FIREWALLS CLASSIFIED? COMPARE THE OPERATION OF AN APPLICATION PROXY WITH A SOCKS PROXY.
* FUNCTIONS OF A FIREWALL:
- Packet filtering (packet firewall): the firewall inspects the header of each packet and decides whether to allow or discard it according to the configured ruleset.
- Network address translation (NAT): outside hosts see only one or two network addresses belonging to the firewall, while hosts on the internal network can take addresses from an arbitrary range, so incoming and outgoing packets have their source and destination addresses translated.
- Monitoring and logging: this capability lets the administrator know what is happening at the firewall so that better protection measures can be devised.
- Data caching: caching data makes responses faster and more efficient.

- Content filtering: firewall rules can block requests for web pages that contain certain keywords, URLs or other data such as video streams or images.
- Intrusion detection: the ability to detect intrusions and attacks.
* HOW A FIREWALL WORKS:
- A firewall works closely with the TCP/IP protocol suite: these protocols split the data received from network applications, or more precisely from the services running on top of them (Telnet, SMTP, DNS, SNMP, NFS, ...), into packets and give each packet addresses that can be identified and reassembled at the destination. For this reason every kind of firewall is closely concerned with packets and their addresses.
- The packet filter allows or denies every packet it receives. It inspects the whole data unit to decide whether it satisfies one of the packet filtering rules. These filtering rules are based on the information in the header of each packet and are used to permit packets to pass through the network:
+ Source IP address
+ Destination IP address
+ Protocol (TCP, UDP, ICMP, IP tunnel)
+ TCP/UDP source port
+ TCP/UDP destination port
+ ICMP message type
+ Incoming interface of the packet
+ Outgoing interface of the packet
- If the packet satisfies the rules configured in advance on the firewall, it is passed through; otherwise it is discarded.
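A stateless packet filter over exactly the header fields listed above, as an added example that is not part of the original answer sheet: each packet is judged on its own header against an ordered ruleset, first match wins, and anything unmatched falls to the default policy. The ruleset, addresses (documentation ranges) and interface names are constructed.

```python
# Added example: stateless, first-match packet filter over the header fields listed
# above. Rules, addresses and interfaces are constructed for illustration.
import ipaddress

FIELDS = ("src", "dst", "proto", "sport", "dport", "icmp_type", "in_if", "out_if")

def make_rule(action, **match):
    """A rule is an action plus the header fields it matches; unspecified fields are wildcards."""
    return {"action": action, "match": {f: match.get(f, "*") for f in FIELDS}}

def field_matches(name, pattern, value):
    """Match one header field: '*' matches anything; src/dst patterns are CIDR prefixes;
    sport/dport patterns may be an int or an inclusive (low, high) range; other fields
    must compare equal (a field absent from the packet never matches a concrete pattern)."""
    if pattern == "*":
        return True
    if name in ("src", "dst"):
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern)
    if name in ("sport", "dport") and isinstance(pattern, tuple):
        return value is not None and pattern[0] <= value <= pattern[1]
    return pattern == value

def filter_packet(rules, pkt, default="drop"):
    """Return the action of the first rule whose every field matches this packet's header,
    or the default policy if no rule matches. No connection state is consulted."""
    for rule in rules:
        if all(field_matches(f, rule["match"][f], pkt.get(f)) for f in FIELDS):
            return rule["action"]
    return default

# Constructed ruleset: block one outside prefix, allow inbound web (ports 80-443) and DNS
# to two internal hosts, allow inbound ICMP echo replies (type 0), drop the rest by default.
RULES = [
    make_rule("drop", src="192.0.2.0/24"),
    make_rule("allow", dst="10.0.1.20/32", proto="tcp", dport=(80, 443), in_if="eth0"),
    make_rule("allow", dst="10.0.1.53/32", proto="udp", dport=53, in_if="eth0"),
    make_rule("allow", proto="icmp", icmp_type=0, in_if="eth0"),
]

def classify_samples():
    """Run constructed packets through the ruleset and return the action for each."""
    samples = [
        dict(src="198.51.100.7", dst="10.0.1.20", proto="tcp", sport=40000, dport=443, in_if="eth0", out_if="eth1"),
        dict(src="192.0.2.9", dst="10.0.1.20", proto="tcp", sport=40000, dport=80, in_if="eth0", out_if="eth1"),
        dict(src="198.51.100.7", dst="10.0.1.20", proto="tcp", sport=40000, dport=22, in_if="eth0", out_if="eth1"),
        dict(src="198.51.100.7", dst="10.0.1.53", proto="udp", sport=5353, dport=53, in_if="eth0", out_if="eth1"),
        dict(src="198.51.100.7", dst="10.0.1.20", proto="icmp", icmp_type=8, in_if="eth0", out_if="eth1"),
    ]
    return [filter_packet(RULES, p) for p in samples]
```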
* FIREWALL CLASSIFICATION:
There are 2 kinds of firewall:
- Packet filter firewall
+ Stateless: inspects each packet independently.
+ Stateful: checks connection state.
- Application firewall
+ Application proxy
+ SOCKS proxy

* COMPARISON OF APPLICATION PROXY AND SOCKS PROXY:
