
COMMENTS OF THE SUPERVISING LECTURER


Ho Chi Minh City, day ... month ... year
Supervising lecturer


COMMENTS OF THE REVIEWING LECTURER


Ho Chi Minh City, day ... month ... year
Reviewing lecturer


ACKNOWLEDGEMENTS
Throughout our studies at the High-Quality Training Faculty of Ho Chi Minh City University of Technology and Education, the lecturers of the Faculty of Information Technology and of the High-Quality Training Faculty taught us with great enthusiasm and passed on much valuable knowledge, which laid the groundwork for our research on this topic.
We also thank the colleagues and friends who offered suggestions, shared their experience and helped us during the research and deployment.
In particular, we thank Ms. Nguyễn Thị Thanh Vân for her dedicated guidance and instruction. We thank her for closely following and directing us throughout the research, which enabled us to complete this project on schedule.
After four months of research and implementation, the project "A study of firewalls and their deployment on open source" has been completed. We sincerely and deeply thank all the lecturers and friends who helped us and contributed ideas to this project!

TABLE OF CONTENTS

LIST OF FIGURES
Figure 1.1: Layers in network security
Figure 1.2: Firewall
Figure 1.3: Firewall classification
Figure 1.4: Techniques used in firewalls
Figure 1.5: Packet Filters
Figure 1.6: Circuit-Level Gateways
Figure 1.7: Application-Level Gateways
Figure 1.8: Stateful Multilayer Inspection Firewalls
Figure 1.9: Dual Homed Host architecture
Figure 1.10: Screened Host architecture
Figure 1.11: Screened Subnet architecture
Figure 2.1: Development history of ClearOS
Figure 2.2: ClearOS main interface
Figure 2.3: Network menu
Figure 2.4: Gateway menu
Figure 2.5: System menu
Figure 2.5: Report menu
Figure 3.1: Real-world model
Figure 3.2: Demo model
Figure 3.3: Starting Web Proxy and Content Filter
Figure 3.3: Enabling Transparent Mode and Content Filter
Figure 3.4: Adding a blocked domain
Figure 3.5: Adding a blocked keyword
Figure 3.6: Editing the weighted file
Figure 3.7: Restarting the dansguardian-av service
Figure 3.8: Testing the domain http://zing.vn
Figure 3.8: Testing the domain http://vnexpress.net
Figure 3.9: Configuring publication of the web server to the Internet
Figure 3.10: Checking access
Figure 3.10: Configuring a block on a public IP
Figure 3.11: Checking the block
Figure 3.12: Configuring a block on all SSH
Figure 3.13: Configuring SSH access for one public IP
Figure 3.14: Configuring SSH access for one private IP
Figure 3.15: Configuring port-scan blocking
Figure 3.16: Testing with a FIN scan
Figure 3.17: Testing with a NULL scan
Figure 3.18: Testing with an XMAS scan
Figure 3.19: Anti-SYN-flood rule

INTRODUCTION
Current situation and feasibility of the topic.
The Internet arrived in Vietnam in 1997, and in its early years it remained a premium service out of reach of most users. After more than ten years of development it has gone from a premium service to an everyday one, common in every household, office and school, and it has changed the lives of Vietnamese people and society. According to statistics from the Vietnam Internet Network Information Center (VNNIC) for September 2011, the number of Internet users in Vietnam reached 30,248,846, or 34.79% of the population, and 237,342 Vietnamese-language domain names had been registered. Using the Internet in daily life has become commonplace: communicating by email, looking up information for work or study, and using it for entertainment, socialising and making friends.
On 7 November 2006 Vietnam joined the World Trade Organization (WTO), and since then the Internet has been seen as a key tool that supports and actively drives the development of the economy. Most businesses and organisations have networks and websites to promote their brands and products (237,342 Vietnamese-language domains and millions of other commercial domains). E-commerce has grown along with the Internet. For businesses and organisations, using e-mail, online payment, electronic data interchange, data digitisation and data storage to support their operations is no longer unfamiliar. Government and government bodies also use the Internet to inform, consult and communicate with citizens.
In short, the Internet and computer networks have become an indispensable part of life for individual users, for businesses and economic organisations, and for government bodies.
Along with the development and the benefits that the Internet and computers bring, they also create threats and risks for the modern economy and society. Illegal access, viruses, information leaks, system vulnerabilities and similar problems have become a concern for managers in every country, from agencies, ministries and sectors down to individual businesses, organisations and users.
Dr. Vũ Quốc Khánh, Director of the Vietnam Computer Emergency Response Team (VNCERT), assessed the situation as follows: "In 2011 new trends in cybercrime and network security incidents appeared; attacks on the network are increasingly sophisticated, organised, large-scale and coordinated both domestically and abroad. Attacks are oriented towards financial gain and the sabotage of services. A good deal of the malware seen worldwide has quickly spread to Vietnam."
Vietnamese hackers are developing faster than ever in scale, professionalism, technical skill and financial resources. Alarmingly, their attacks are no longer aimed merely at personal gain or showing off, but have shifted to targeting economic organisations and businesses and, even more seriously, national industrial infrastructure.
Recently a series of websites of state agencies and businesses have been attacked by hackers: the website of the Government Inspectorate's Institute of Inspection Science was hacked in April 2007, the domain of the company P.A Vietnam was hijacked in July 2008, and Techcombank's website was attacked in July 2008. In 2010 the most notorious attack was the one on the electronic systems of the newspaper Vietnamnet, which went on for many months and in many waves using different attack methods. In the same year more than 1,000 major Vietnamese websites were attacked. The attacks took many forms, from defacement and theft of sensitive information held on the websites to attacks that paralysed them. Most recently, the domains diadiem.com and vozforums.vn were hijacked in October 2011.
Given these figures and warnings, protecting network security has become an ever more pressing issue: for individual users, protecting their personal information from thieves; for government bodies, departments and businesses, protecting their networks for the sake of their data, customer information, websites, finances and reputation. For this reason we chose the topic "A study of firewalls and their deployment on open source", with the aim of researching a security solution for computer networks.

Purpose and tasks of the research.


Before beginning, we understood that no single solution is comprehensive for network security; even a system hardened to the optimum will eventually be defeated by attackers. Because absolute security is impossible, protecting information on a computer network requires building several different "layers" of protection, and the firewall is the outermost layer of that system. The aims of this project are:
To study the threats to a computer network.
To study the basic concepts of firewalls.
To research firewall technologies and how they work.
To introduce some firewall products currently on the market and how they work.
To demonstrate the deployment of an open-source firewall product.

Research subject.
Theoretical knowledge of the kinds of firewall and how they are classified in general; the components that make up a firewall and how they work.
Firewalls on the open-source Linux platform: how they work and their advantages and disadvantages compared with other products.
Firewall architectures and some models for network systems.
The ClearOS product deployed on the Linux platform.
Scope of the research.
Focus on how the different kinds of firewall operate.
Successful deployment of ClearOS for a fixed network model, creating rules for different scenarios, and analysing and explaining their meaning.

MAIN CONTENT

Chapter 1: Overview of Firewalls

Why do we need security solutions for networks?
Computer networks are much like the real world we live in, and deploying security solutions for a network is much like the way we protect ourselves, our property and our information from attackers. As in the real world, the Internet gives us many useful things, but it also brings latent dangers such as viruses, worms, spyware, password-stealing software, spam and attacks.
In the real world we face people who do not obey the law and use every means to steal or violate the personal information or property of others. Likewise, on networks there are people who want to steal personal information and data or sabotage your systems. Beyond personal motives, some of them treat this as a way of making a living. They can break into your network or your computer to steal sensitive information, attack websites, block connections, and destroy or corrupt data. Their motives range from personal ones such as revenge or showing off their knowledge to more dangerous ones such as money, sabotaging a competitor or politics.
We cannot predict when attacks will happen, so the best measure is prevention. Just as in the real world we build fences, buy locks and hire guards, on a network we can deploy security measures such as authentication, authorisation, firewalls and monitoring systems.
In short, sensitive information and data are always a tempting prize for attackers seeking profit. So when you build any network you must consider how to protect that important information and data.
Threats.
Targeted and untargeted attacks.
The difference between these two kinds of attack lies in the attacker's purpose. A targeted attacker will look for every possible way to achieve their goal no matter how you try to stop them, which makes such an attack far more dangerous than a plain untargeted one.
Untargeted attacks usually have no clear objective; the attackers scan for systems that are easy to attack and have many vulnerabilities. If a system is well protected, the attacker gives up and moves on to a new target. Such attackers usually have little knowledge or mainly want to show off, which makes them much easier to stop.
Targeted attacks, by contrast, are far more dangerous, because the attacker has a concrete motive: money, revenge, or being hired by your competitor to cause damage. These attackers will try every way to attack you and will not give up however well you are protected. That is what makes them so dangerous: you must stay constantly on guard, because you may block the attack today only for the attacker to use more sophisticated and dangerous methods tomorrow. The best way to stop this kind of attack is to turn to the law.
Viruses, worms and trojans.
A computer virus (usually just called a virus) is a program or piece of code designed to replicate itself and copy itself into other infected objects such as files, folders and disks. At first viruses were written to show off programming skill, so they did things like deleting data, hanging the computer or playing annoying pranks. Today they are used to steal sensitive information, open back doors for hackers to break in, or take control of the computer. An important characteristic of a virus is that it cannot spread automatically; it initially needs a human action to allow it to run.
A worm, like a virus, can replicate and spread by itself. What sets it apart is that it can spread across the network, which a virus cannot. The main task of a worm is to damage information networks, degrading their operation or destroying the whole network. Another difference between worms and viruses is that a worm can operate without any human action. These characteristics make worms far more dangerous than traditional viruses, because they can spread to hundreds or thousands of computers.
A trojan is a program similar to a virus, except that it cannot replicate itself. A trojan hides inside some trusted program, and when you run that program the hidden trojan starts as well. The main purpose of a trojan is to steal personal information such as passwords and account numbers and send it back to its distributor, or to "silently" open a connection for a hacker.
Viruses, worms and trojans can be defended against with a firewall or with antivirus software that has a built-in firewall.
Malicious content and malicious software.
Malicious content is textual content written for dishonest purposes. Usually it asks the user to perform some action that lets a hacker reach your system. These actions are quite simple, such as asking you to click a link to visit a website or to read an email. They seem harmless, but in fact you have done something very dangerous: unwittingly allowing the malicious content to affect your system. The common pattern of malicious content is to try to "trick" you into allowing, whether unwittingly or deliberately, the content to run. Malicious content typically accesses or destroys data, or installs viruses, worms, trojans or back doors.
Malware (from "malicious" and "software") is a general term for software with harmful functions; it covers viruses, worms, trojans, spyware, adware, keyloggers, rootkits and so on.
The way to defend against malicious content and malicious software is to use a firewall to monitor the exchange of information on the network and warn users of dangers, combined with software that removes viruses, worms and trojans.
Denial of Service attacks
DoS can be described as an action that prevents the legitimate users of a service from accessing and using it. It includes flooding the network and cutting the connection to the service, with the ultimate goal of making the server unable to answer requests from clients. DoS can stop a single computer, a local network, or even a very large network system. In essence, the attacker consumes network resources such as bandwidth and memory so that the service can no longer handle requests from clients.
DDoS is a variant of DoS; the difference between them is the number of computers taking part in the attack. The hacker breaks into many computers, installs remote-control programs on them, and then activates those programs at the same moment to attack a single target. This method can mobilise hundreds or even thousands of computers in the attack (prepared in advance by the hacker), which is why it is so dangerous and can exhaust bandwidth in the blink of an eye.
DDoS is very hard to counter; the effective measures are to increase the bandwidth of the link and to use a firewall to filter out some of the dangerous traffic.
Zombies
A zombie is an infected computer under the control of some attacker. A zombie PC can keep operating normally without anyone noticing that it is being controlled. Hackers may use zombies for DoS attacks. The defence against zombies is to use a firewall to block the infected computers. However, this can affect users who genuinely need to access the network. The best approach is to find a way to remove the zombie and return the computer to its original state.
Compromise of personal information
Imagine that one day your personal information floods the Internet: your name, phone number, email, address, and financial information such as account numbers and passwords. How would you feel? Of course you would not want this; hackers can exploit such information to defraud you and steal your assets. In general, the compromise of personal information causes you trouble.
For businesses and organisations the compromise of information is even more dangerous, for example proprietary or confidential company information that you need to keep secret. You have an idea and develop it into a project; you are about to announce it when you suddenly find your competitor announcing it before you. This creates unfairness in business and research.
The solution proposed is for the firewall to classify and isolate the important systems. For this zone the firewall applies stricter access-control policies.
Social Engineering.
Social engineering is the technique of exploiting influence and trust to deceive someone in order to steal information or persuade them to do something. The following scenario makes this clearer.
Attacker: Hello, I'm Bob, I'd like to speak with Ms. Alice.
Alice: Hello, this is Alice.
Attacker: Hello Ms. Alice, I'm calling from the data centre; sorry for calling you so early.
Alice: The data centre? I'm having breakfast, but that's all right.
Attacker: I'm calling because there is a problem with your personal details on the account creation form.
Alice: Mine? Yes...
Attacker: I'm informing you that the mail server crashed last night and we are trying to restore the mail system. Since you are a remote user, we are handling your case first.
Alice: So is my mail lost?
Attacker: No, we can recover it. But because we are data centre staff and are not allowed to interfere with the office mail system, we need your password; otherwise there is nothing we can do.
Alice: My password? Hmm...
Attacker: Yes, we understand; the registration form clearly states that we must not ask about this, but it was written by the legal department, so everyone has to follow the rules. (This is the moment to build up the victim's trust.)
Attacker: Your username is AliceDxb, isn't it? The systems department gave us your username and phone number, but they did not give us your password. Without the password no one can access your mail, even us in the data centre. But we have to restore your mail, and to do that we need to access it. We assure you we will not use your password for any other purpose.
Alice: Hmm, this password isn't very private anyway; my password is 123456.
Attacker: Thank you for your cooperation. We will restore your mail in a few minutes.
Alice: Are you sure the mail isn't lost?
Attacker: Of course not. You have probably never run into this before; if you have any questions, contact us. You can find our contact number on the Internet.
Alice: Thank you.
Attacker: Goodbye.
Because this attack relies on influence and trust, it cannot be prevented by a firewall. The best approach is to train your users and staff to be wary of these dangers.
New attack vectors.
When a security vulnerability is discovered and published, it is exploited immediately. If vendors cannot release a patch or offer a suitable workaround, the system can easily be attacked and exploited. If you are an administrator, the effective way to cope with these new attacks is to make sure your systems are always fully and promptly updated with patches.
Applications with poor security design.
An application may be badly programmed, so that an attacker can easily exploit its flaws. A programmer's lack of knowledge or violation of design principles can also make an application easy to exploit. This unintentionally turns ordinary software with no malicious purpose into a target for attackers, who can then use the application to exploit your system.
Security solutions for computer networks.
Because no security solution is absolute, several levels of protection are usually used at the same time to form a "barrier" against intrusion. Protecting information on a network mostly means protecting the information stored on computers, especially on network servers. The following figure shows the protective layers in common use today to protect information at network stations.
Firewall
Data Encryption
Login/Password
Access Right
Information

Figure 1.1: Layers in network security


The innermost layer of protection is access rights, which control the network's resources (information) and the permissions (what a user may do with a resource). Control is exercised at the level of partitions, directories and individual files.
The next layer restricts access by account, that is, a username and its corresponding password (Login/Password). This is a common protection method because it is fairly simple and cheap, yet quite effective. The administrator is responsible for managing and controlling the activity of the various users according to time and place.
The third layer uses encryption. Data is encrypted with some algorithm so that even if a hacker obtains the data, they will not necessarily be able to read it.
The fourth layer is physical protection, meaning that we prevent physical access to the system: for example, not letting unauthorised people into the computer room, requiring remote access, locking the computer room, and installing alarms that sound when physical access is detected.
The fifth layer is the firewall: installing firewall systems to block unauthorised intrusion and to filter packets that we do not want sent out or received.
Within the scope of this project we study only the fifth layer of protection, the firewall.
Firewalls and open source.
Every business, organisation and individual needs to protect their information, and they can choose among many different firewall solutions to serve that purpose. There are many kinds of firewall: hardware firewalls, software firewalls, commercial products and open-source products. Which firewall product to deploy depends on many factors, such as budget, the security requirements of the business or individual, cost-effectiveness, the skill of the administrator and the amount of information to protect. In the following sections we examine each of the kinds of firewall mentioned above in more detail.
The advantages of firewalls based on open source are:
First, being FOSS, they have the advantages of open code and a large user community, so you can easily get help, and they are continuously developed.
They are based on *nix operating systems, whose advantages over other operating systems in efficiency and security have been proven over time.
The cost of an open-source firewall is almost zero: you can download it directly from the project's home page and use it, and you can also pay the vendor for better support.
They support advanced technologies such as stateful packet filtering and proxying, and can also combine other features such as VPN and DHCP. We discuss this in more depth in later sections of the report.
What is a firewall?
The idea of a wall to keep out intruders is thousands of years old. For example, more than 2,000 years ago the Chinese built the Great Wall to protect themselves from neighbouring tribes to the north. A second example is the European kings who built castles with high walls and moats to protect themselves and their subjects from both invading armies and bands of robbers.
The term "firewall" was first used by Lightoler in 1764 to describe a wall separating parts of a building from places prone to fire (such as kitchens). It is a physical barrier that stops or slows the spread of fire through a building in order to limit the loss of life and property.
We are not studying firewalls in construction, however; what concerns us here is the firewall in a more modern setting, computer networks. The forerunner of the firewall in network security was a router used in the late 1980s to separate networks from one another.
So what is a firewall?
A firewall can be a hardware device, a software program running on a host, or a combination of both. It is designed to permit or deny network communication based on a set of rules, and it is commonly used to protect a network from unauthorised access while allowing legitimate network traffic through. In every case it must have at least two network interfaces, one for the network it protects and one for the outside public network such as the Internet. It then acts as a gate controlling the data flows into and out of the internal network.

Figure 1.2: Firewall.

Note: you may read many definitions of firewalls in books and on websites. The point to note is that there is no fixed terminology for describing a firewall ("The thing to note here is that there is no fixed terminology for the description of firewalls." RFC 2196).
What can a firewall do?
Before looking at how a firewall works, we need to understand clearly what a firewall can and cannot do. All firewalls share some common functional characteristics that help us determine what a firewall is able to do.
Fundamentally a firewall must be able to perform the following tasks:
Manage and control network traffic
Authenticate access
Act as an intermediary
Protect resources
Record and report on events
Of course, a firewall is only an outer layer of protection, so it cannot do everything. Some things a firewall cannot do:
A firewall is not as intelligent as a human; it cannot read information and judge whether it is good or bad. It can only block traffic whose parameters have been clearly specified.
A firewall cannot stop an attack that does not "pass through" it. In general it cannot prevent information leaks when data is copied physically.
It also cannot take on the job of scanning data for viruses, because of processing speed, the constant appearance of new viruses, and the ways data can be encoded to hide viruses from the firewall.
Nevertheless, it remains an effective solution that is widely used today.
Managing and controlling network traffic.
The first and most basic function that every firewall must perform is managing and controlling network traffic. This means it must know which packets pass through it and which connections go through it, and at the same time it controls the incoming and outgoing packets and the connections to your system. The firewall does this by inspecting packets and monitoring the connections being made; based on the results of the packet inspection and the monitored connections, it decides whether to allow or deny access.
Packet inspection is the process of intercepting and processing the data in a packet to determine whether the packet should be allowed or denied according to the defined access policies. The decision to filter a packet can be based on any or all of the following factors:
Source IP address
Source port
Destination IP address
Destination port
IP protocol
The packet header (sequence number, checksum, flags, payload information and other fields)
Packet inspection must be performed in every direction (both outbound and inbound) and on every interface, and the access-control rules must be applied to every packet passing through the firewall.

Connections and connection state
Suppose two computers using TCP/IP want to communicate; they must establish a connection with each other. This connection serves two purposes:
First, it lets the two machines identify each other, which ensures that your system does not hand data to a computer that is not part of the connection.
Second, it determines how the two computers communicate, that is, whether they use a connection-oriented protocol (TCP) or a connectionless one (UDP and ICMP).
The structure of a connection can help us determine the state of the communication between the two computers.
For example:
If Bob asks John a question, John's appropriate response is to answer Bob's question. So we can say that at the moment Bob asks John, the state of the conversation is "waiting for an answer from John".
What is the purpose of determining connection state? Knowing the state of a connection and the next response a computer will make lets us build a smarter packet-filtering mechanism. For example, the firewall can monitor the state of a connection and decide whether to allow or deny a given packet. When a computer initiates a connection to another computer, it first sends a connection request (SYN) to that computer. The firewall knows that after this request the destination computer must send back some reply (for example SYN/ACK). The firewall does this by keeping a state table that tracks every connection passing through it from the moment it is initiated until it ends. If the destination computer does not return a reply that matches the connection request from machine A, or a reply arrives that has no entry in the state table, the packet is discarded.
Statefull Packet Inspection.
Packet Inspection mc d c u im v tc v kh nng kim sot cc gi tin
theo yu cu cho trc kh tt nhng n li c mt khuyt im kh nghim trng.

For example, an attacker deliberately alters the parameters and options in a packet in order to pass through the firewall as if it were legitimate.
Example:
Packet filters usually drop all ICMP Echo Request packets generated by the ping tool, to avoid DDoS or information probing. However, an attacker can use Nmap's ACK Scan technique: instead of sending an ICMP packet, the attacker crafts a packet with the ACK flag set and sends it to, say, port 80. A static packet filter inspecting the packet sees that ACK is set, assumes that this is the reply to an earlier SYN packet, and lets it through.
Stateful Packet Inspection is a smarter filtering mechanism: it can identify and track the *state* of a connection by storing all the information about that connection, from initiation to termination, in a "table". Later it uses this "table" to check related packets; for example, if the host never sent a SYN packet, there cannot suddenly be an ACK reply to it.
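The difference between the static rule and the state table described above, as an added example written for this page (it is not code from the thesis or from any firewall product). The inspector keeps a per-connection handshake stage and admits an inbound packet only if it fits that stage; the addresses and the packet sequence are constructed, and the last packet is the lone ACK the text describes, which the static rule passes and the stateful check drops.

```python
"""Added example for this page (not code from the thesis or from any firewall
product): a minimal stateful inspector beside the naive stateless rule the text
describes. Addresses and the packet sequence are constructed for the demo."""

SYN_SENT, SYN_RECEIVED, ESTABLISHED = "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED"


def stateless_allow(p):
    """The weak static rule: anything outbound passes, and an inbound packet
    passes if ACK is set, on the assumption that it answers an earlier SYN."""
    return p["direction"] == "out" or "ACK" in p["flags"]


class StatefulInspector:
    """Admits a packet only if it fits the recorded stage of a connection that
    was seen starting from the inside (simplified three-way handshake view)."""

    def __init__(self):
        # (client_ip, client_port, server_ip, server_port) -> handshake stage
        self.state_table = {}

    def inspect(self, p):
        """Return ('ACCEPT' | 'DROP', reason). p has keys direction ('out' =
        inside to outside, 'in' = outside to inside), src, sport, dst, dport,
        flags (a set of TCP flag names)."""
        flags = p["flags"]
        if p["direction"] == "out":
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            stage = self.state_table.get(key)
            if flags == {"SYN"}:
                self.state_table[key] = SYN_SENT        # new connection request
                return "ACCEPT", "outbound SYN recorded in state table"
            if flags == {"ACK"} and stage == SYN_RECEIVED:
                self.state_table[key] = ESTABLISHED     # third handshake step
                return "ACCEPT", "handshake completed"
            if "ACK" in flags and stage == ESTABLISHED:
                return "ACCEPT", "data on established connection"
            return "DROP", "outbound packet without matching state"

        # Inbound: look the connection up from the inside client's point of view.
        key = (p["dst"], p["dport"], p["src"], p["sport"])
        stage = self.state_table.get(key)
        if stage is None:
            return "DROP", "no matching entry in state table"
        if flags == {"SYN", "ACK"} and stage == SYN_SENT:
            self.state_table[key] = SYN_RECEIVED
            return "ACCEPT", "SYN/ACK matches a pending SYN"
        if "ACK" in flags and stage == ESTABLISHED:
            return "ACCEPT", "data on established connection"
        return "DROP", f"flags {sorted(flags)} do not fit stage {stage}"


def pkt(direction, src, sport, dst, dport, *flags):
    return {"direction": direction, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": set(flags)}


# Constructed traffic: a legitimate handshake from an inside client, then a
# lone inbound ACK from a host that never exchanged a SYN with anyone inside.
SAMPLE_TRAFFIC = [
    pkt("out", "192.0.2.10", 40000, "198.51.100.5", 80, "SYN"),
    pkt("in", "198.51.100.5", 80, "192.0.2.10", 40000, "SYN", "ACK"),
    pkt("out", "192.0.2.10", 40000, "198.51.100.5", 80, "ACK"),
    pkt("in", "198.51.100.5", 80, "192.0.2.10", 40000, "ACK", "PSH"),
    pkt("in", "203.0.113.7", 55555, "192.0.2.10", 80, "ACK"),   # lone ACK probe
]


def compare(traffic=SAMPLE_TRAFFIC):
    """Return [(stateless_verdict, stateful_verdict), ...] per packet."""
    fw = StatefulInspector()
    results = []
    for p in traffic:
        stateless = "ACCEPT" if stateless_allow(p) else "DROP"
        stateful, _reason = fw.inspect(p)
        results.append((stateless, stateful))
    return results


if __name__ == "__main__":
    for p, (a, b) in zip(SAMPLE_TRAFFIC, compare()):
        print(f"{p['direction']:>3} {str(sorted(p['flags'])):<16} "
              f"stateless={a:<6} stateful={b}")
```

The state table only records connections that begin from the inside, which is the policy the chapter assumes for a border firewall; a real implementation would also age entries out and handle RST/FIN teardown.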
Firewall Authentication Access
Using packet filtering helps you restrict access to resources from unwanted sources. This reduces some of the danger to your resources. However, imagine that an attacker spoofs some trusted IP address; then they can openly access your resources. At this point you need an additional mechanism to make your resources safer. The firewall provides you with an access authentication mechanism to eliminate such risks.
The simplest authentication mechanism is to require the user to supply a username and password when they want to access your resources. This username and password must have been created by the administrator on the server to be accessed beforehand. When a user attempts to access a server, the server prompts the user to enter a username and password before connecting. If they are correct, the server allows the connection; otherwise the connection is refused.

The advantage of this authentication mechanism is that, besides authentication, you can apply security policies to each individual username (for example, granting a user read-only rights in the Data folder while allowing them to create, delete and edit documents in the Chung folder).
A second authentication mechanism uses Certificates and public keys (Public Keys). Its advantage over username/password authentication is that it requires no user intervention. Users no longer have to go through the trouble of entering a username and password. The system generates a private key / public key pair. This mechanism is quite effective when deployed at large scale.
Besides these two mechanisms, another authentication mechanism is the Pre-shared key (PSK). The key is generated in advance and shared with users over a secure channel. Its advantage is that it is less complex than certificate authentication, and it also allows authentication without user intervention. A disadvantage of PSKs is that they are rarely changed and are shared, so they can undermine the authentication process.
By authenticating access, the firewall adds another check of whether a connection is legitimate. Even if a packet gets past the packet filtering mechanism, it is still dropped if it cannot be authenticated.
Acting as an intermediary device
Internet connectivity is a practical and indispensable need for every business. However, allowing the internal computers of your network to connect directly to the Internet brings many dangers. Users can be tricked into downloading malicious software or content that endangers your network.
The solution proposed is that, instead of letting internal computers connect directly to the outside, we build the firewall into a device whose job is to go out to the Internet on behalf of the internal computers. The firewall then acts as a Proxy Server. Its workflow is as follows:

When a client goes out to the Internet, for example to visit the website http://www.abc.com, instead of sending a request to the web server it sends the request to the Proxy Server. The Proxy Server receives the request and, if it is valid, processes it. The Proxy then goes out to the Internet on the client's behalf to fetch the content of http://www.abc.com. The retrieved content is inspected by the Proxy Server and only then returned to the client.
Internal computers see no difference when a Proxy Server is present; it is almost transparent.
The benefits of a Proxy Server are:
- Cache: improves the performance of network services.
- Requests are sent out to the Internet using the Proxy Server's IP address, which prevents illegitimate attacks on the clients from the Internet.
- Response data sent from the Internet to the Proxy is processed by the Proxy (checked for viruses, checked for harmful content, etc.) before being forwarded to the client.
Protecting network resources
The most important task of a firewall is to protect network resources against threats from outside. Network resources may be the personal computers in the internal system, or the company's servers such as the mail server and web server, and most importantly the company's confidential data. You can apply packet filtering, access control, blocking of direct connections, or all of these methods to protect your resources. However, you should remember that a firewall is not a complete solution, so do not rely on it too much.
Recording and reporting events
The fact is that no matter how good you are, no matter how many security measures you deploy, you cannot be sure your system is secure. You cannot prevent every attack or every malicious thing from entering your network. Therefore you need to be prepared to counter the holes that the firewall cannot block.

Therefore the firewall must have a function that records all communications with


policy violations and reports them to the administrator. The administrator relies on this to analyze the situation and decide on a specific solution. You can record events in many different ways, but most firewalls use one of two methods: syslog or some proprietary format. This data is used regularly to analyze incidents in the network and their causes.
Besides recording events, the firewall also supports alerting when the security policy is violated, for example:
- Notification on the console: this is the simplest way to alert when something unusual happens in the network. Its drawback is that you have to watch the console screen constantly to catch these notifications in time.
- SNMP alerts help you monitor the whole state of the network, from devices such as routers, switches and servers down to details such as CPU, memory and bandwidth.
- Alerting by e-mail
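What "recording events and alerting on policy violations" looks like once the log lines are in syslog, as an added example written for this page (not the thesis's or any firewall's code). The lines are constructed in the style of the netfilter LOG target (KEY=VALUE fields after a log prefix), the prefix name FW-DROP is an assumption, and the alert rule is a simple count of denied events per source inside a sliding time window.

```python
"""Added example (written for this page; not from the thesis or from ClearOS):
parse syslog lines in the style produced by the netfilter LOG target and raise
an alert for any source that trips the policy repeatedly within a time window.
The log lines below are constructed samples, not captured output."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log; the FW-DROP prefix is an assumed rule label.
LOG_LINES = """\
Jan 10 10:00:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=44444 DPT=22 SYN
Jan 10 10:00:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=44445 DPT=23 SYN
Jan 10 10:00:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=44446 DPT=3389 SYN
Jan 10 10:00:04 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.1 PROTO=UDP SPT=5353 DPT=53
Jan 10 10:05:00 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=44447 DPT=445 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>[\w-]+): (?P<fields>.*)$"
)


def parse_line(line, year=2024):
    """Return a dict with timestamp, log prefix, bare flags and KEY=VALUE
    fields, or None if the line is not a firewall log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    tokens = m["fields"].split()
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    flags = [tok for tok in tokens if "=" not in tok]   # e.g. SYN, DF
    return {"ts": ts, "prefix": m["prefix"], "flags": flags, **fields}


def alert_sources(text, threshold=3, window_seconds=60):
    """Sources with at least `threshold` denied events inside any span of
    `window_seconds`; returns {src: largest count seen in one window}."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["prefix"] == "FW-DROP":
            events[rec["SRC"]].append(rec["ts"])
    alerts = {}
    for src, stamps in events.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # slide the window start forward until it fits in window_seconds
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


if __name__ == "__main__":
    for src, n in alert_sources(LOG_LINES).items():
        print(f"ALERT: {src} denied {n} times within 60 s")
```

The same parser feeds either an on-screen notice, an SNMP trap or an e-mail, which are the three alert channels the list above names; only the threshold logic decides when one is worth sending.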
Classification
A firewall can be a dedicated hardware device, a software product installed on a server that acts as a firewall, or an application installed on a personal computer. Firewalls can be classified in many ways, but we can classify them into one of the following two kinds.
- Desktop or Personal Firewall: this is the kind of firewall intended for individuals and personal computers; the firewalls bundled with antivirus software can be counted in this group.
- Network Firewall:
The main difference between these two kinds of firewall is simply the number of computers they protect.

Figure 1.3: Firewall classification.


Personal Firewalls. This is the kind of firewall designed to protect a single computer against unauthorized access. Nowadays it has been developed considerably and integrates many richer functions such as antivirus, anti-malware and intrusion detection. Some popular commercial personal firewalls are BlackICE and Cisco Security Agent. In the SOHO (Small Office/Home Office) market there are products such as Comodo Internet Security, Emsisoft Online Armor Premium, KIS, ZoneAlarm Pro Firewall and Trend Micro Titanium Internet Security [1]
[1] http://personal-firewall-software-review.toptenreviews.com/
Because it is intended for individual users, a personal firewall must integrate a centralized control solution, combine many functions, and be easy to use and easy to configure. The functions commonly found in a personal firewall are:
- Protecting the user against unauthorized intrusions.
- Warning the user about threats.
- Monitoring and regulating all applications that use the Internet.

Network firewall. Designed to protect an entire computer network. This is the key difference between a network firewall and a personal firewall: the number of computers a network firewall must protect is far larger than the number a personal firewall protects. For this reason a network firewall must be designed and built with more specialized functions to serve its job better.
A network firewall gives a business flexibility and maximum security for its network. Today network firewalls have advanced considerably by integrating newer features such as intrusion detection and deeper packet inspection. In addition, a network firewall does not only control network traffic by looking at Layer 3 or Layer 4 information; it can also control data at the application layer.
Firewall products (Firewall Products)
On today's market we can find three basic kinds of network firewall: Server-based, Appliance-based and Integrated.
A Server-based firewall is a software firewall installed on a Network Operating System that provides the functions of a firewall. It can be deployed on the following platforms:
- Apple Mac OS X
- UNIX (Solaris, HP-UX, IBM-AIX)
- GNU/Linux
- Microsoft Windows NT.
Firewalls of this kind include Microsoft ISA Server, Check Point NG, Gauntlet, iptables on Linux or FreeBSD, and the pf packet filter on OpenBSD. The advantage of this kind of firewall is that it is quite versatile; for example it can also be deployed as a DNS system or a spam mail filter. This kind of firewall takes on multi-purpose roles more easily than dedicated hardware firewall appliances. It is also easy to deploy and relatively easy to administer.

However, its disadvantage is that, being installed on an operating system, it depends on that operating system. If the operating system has many security holes, an attacker can exploit those holes to attack the firewall itself. When administering a firewall of this kind, the administrator must consider operating system patches carefully: is a given patch compatible with the firewall we are running on it? Another disadvantage is that, because the operating system was written to perform many other functions rather than specifically for the firewall installed on it, there is no guarantee that the firewall will reach maximum performance. Finally, there may be incompatibilities between the firewall and the operating system, because many software firewalls are written by a different vendor than the one supplying the operating system.
In general it is well suited to small and medium-sized businesses because of its price, ease of administration and ability to meet their needs.
An Appliance-based firewall is a hardware-based firewall specially designed as a dedicated firewall device. Besides the firewall function it also has some secondary functions. Products include Cisco PIX, Juniper's NetScreen Firewall, Symantec Enterprise Firewall, and products from Nokia, SonicWall and others. This kind of firewall has a consistent design from the hardware and operating system to the management software running on it, so it achieves fairly high performance. In addition, these are usually commercial products, so you can easily get support from the manufacturer.
Its disadvantage is that its functions are limited to those built in; if you want to add more you have to buy and attach additional hardware devices. This can make administration more difficult.
Finally, the Integrated firewall is a "multi-function" device: besides acting as a firewall it can take on many other functions such as VPN, intrusion detection and prevention, anti-spam and so on. In general it is an All-in-one device.
Today the distinction between Appliance-based firewalls and Integrated firewalls is no longer as clear as it once was, because of user demand and competition. Most of both kinds now integrate many different functions. This not only

reduces the number of devices but also reduces the cost of deploying and managing them. Integrated firewalls include Cisco ASA and Tipping Point X505.
Firewall Technologies
In this section we focus on the technologies used in the different kinds of firewall and how they work. Figure 2.... gives an overview of the kinds of firewall; however, one kind of firewall may use several different technologies to improve its effectiveness. These technologies include:
- (Simple) Packet Filters.
- Circuit-Level Firewalls.
- Application-Level Firewalls.
- Stateful Multilayer Inspection Firewall.

Figure 1.4: Techniques used in firewalls.


Note that this is not a way of classifying firewalls; these technologies can all be applied to the same kind of firewall. Whether a firewall is Server-based, Appliance-based or Integrated, it can apply the technologies above.
Packet Filters

Operating principle
When we speak of data traffic between networks passing through a Firewall, it means the Firewall works closely with the TCP/IP protocol. This protocol works by splitting the data received from applications on the network, or more precisely from the services running on top of the protocols (Telnet, SMTP, DNS, SNMP, NFS, ...), into data packets, then attaching to these packets identifiable addresses so that they can be reassembled at the destination; therefore all kinds of Firewall are closely involved with packets and their addresses.
The packet filter allows or denies each packet it receives. It examines the whole packet to decide whether it satisfies one of the packet-filtering rules. These filtering rules are based on the information in the packet header (Packet Header) that is used to forward packets across the network, namely:
- Source IP address (IP Source address)
- Destination IP address (IP Destination address)
- Transport protocols (TCP, UDP, ICMP, IP tunnel)
- TCP/UDP source port
- TCP/UDP destination port
- ICMP message type
- Incoming interface of the packet
- Outgoing interface of the packet
If a filtering rule is satisfied, the packet is passed through the Firewall; otherwise the packet is dropped. In this way the Firewall can block connections to specific servers or networks, or block access to the internal network from disallowed addresses. Moreover, controlling ports allows the Firewall to permit only certain kinds of connection to certain servers, or to allow only certain services (Telnet, SMTP, FTP, ...) to run on the local network.
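The rule evaluation just described, as an added example written for this page (not code from the thesis or from any router). Each rule may constrain any of the eight header fields listed above, an unset field means "any", and rules are tried in order with a default policy when nothing matches; the policy, addresses and interface names are constructed for the example.

```python
"""Added example (illustrative code for this page, not from the thesis or any
firewall product): a static packet filter that evaluates an ordered rule list
against the header fields a packet filter sees. Rules, addresses and interface
names are constructed for the example."""
import ipaddress


class Rule:
    """One filtering rule; every field is optional and None means 'any'."""

    def __init__(self, action, src=None, dst=None, proto=None, sport=None,
                 dport=None, icmp_type=None, in_if=None, out_if=None):
        self.action = action                       # "ACCEPT" or "DROP"
        self.src = ipaddress.ip_network(src) if src else None
        self.dst = ipaddress.ip_network(dst) if dst else None
        self.proto, self.sport, self.dport = proto, sport, dport
        self.icmp_type, self.in_if, self.out_if = icmp_type, in_if, out_if

    def matches(self, pkt):
        """True if every field the rule sets agrees with the packet header."""
        checks = [
            (self.src, lambda: ipaddress.ip_address(pkt["src"]) in self.src),
            (self.dst, lambda: ipaddress.ip_address(pkt["dst"]) in self.dst),
            (self.proto, lambda: pkt["proto"] == self.proto),
            (self.sport, lambda: pkt.get("sport") == self.sport),
            (self.dport, lambda: pkt.get("dport") == self.dport),
            (self.icmp_type, lambda: pkt.get("icmp_type") == self.icmp_type),
            (self.in_if, lambda: pkt["in_if"] == self.in_if),
            (self.out_if, lambda: pkt["out_if"] == self.out_if),
        ]
        return all(test() for field, test in checks if field is not None)


def filter_packet(rules, pkt, default="DROP"):
    """First-match evaluation; the default policy applies if no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed policy: inside is 10.0.0.0/24 behind eth1, outside is eth0,
# the mail server is 10.0.0.25. Order matters: the first match wins.
RULES = [
    Rule("DROP", src="10.0.0.0/24", in_if="eth0"),             # anti-spoofing
    Rule("ACCEPT", src="10.0.0.0/24", proto="tcp", dport=80, in_if="eth1"),
    Rule("ACCEPT", src="10.0.0.0/24", proto="tcp", dport=443, in_if="eth1"),
    Rule("ACCEPT", dst="10.0.0.25", proto="tcp", dport=25, in_if="eth0"),
    Rule("ACCEPT", proto="icmp", icmp_type=0, in_if="eth0"),   # echo reply only
]

SAMPLE_PACKETS = [
    {"src": "10.0.0.7", "dst": "198.51.100.9", "proto": "tcp", "sport": 51000,
     "dport": 80, "in_if": "eth1", "out_if": "eth0"},            # web from inside
    {"src": "198.51.100.9", "dst": "10.0.0.25", "proto": "tcp", "sport": 4321,
     "dport": 25, "in_if": "eth0", "out_if": "eth1"},            # mail delivery
    {"src": "198.51.100.9", "dst": "10.0.0.7", "proto": "tcp", "sport": 4321,
     "dport": 23, "in_if": "eth0", "out_if": "eth1"},            # telnet from outside
    {"src": "10.0.0.9", "dst": "10.0.0.25", "proto": "tcp", "sport": 4321,
     "dport": 25, "in_if": "eth0", "out_if": "eth1"},            # spoofed inside address
    {"src": "198.51.100.9", "dst": "10.0.0.7", "proto": "icmp", "icmp_type": 0,
     "in_if": "eth0", "out_if": "eth1"},                         # echo reply
    {"src": "198.51.100.9", "dst": "10.0.0.7", "proto": "icmp", "icmp_type": 8,
     "in_if": "eth0", "out_if": "eth1"},                         # echo request
]


def apply_policy(packets=SAMPLE_PACKETS):
    """Verdict per packet, in order."""
    return [filter_packet(RULES, p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, apply_policy()):
        print(f"{verdict:<6} {p['src']} -> {p['dst']} {p['proto']} {p.get('dport', '')}")
```

The anti-spoofing rule sits first because the incoming-interface field is the only header element that can catch an outside packet carrying an inside source address; that is also why the text stresses checking every interface in both directions.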

Figure 1.5: Packet Filters


Advantages and limitations of Firewall systems using packet filters
Advantages:
Most Firewall systems use packet filters. One advantage of the packet-filter approach is its low cost, since the packet-filtering mechanism is included in every Router's software.
In addition, the packet filter is transparent to users and applications, so it requires no special training.
Limitations:
Defining packet-filtering modes is a fairly complex task; it requires the network administrator to have detailed knowledge of Internet services, the forms of Packet Headers, and the specific values they can take in each environment. As filtering requirements grow, the filtering rules become longer and more complex, and very hard to manage and control.
Because it works on Packet Headers, the packet filter obviously cannot control the content of packets. Packets passing through can still carry the malicious actions of attackers, stealing information or causing damage.
Circuit-Level Gateways
Circuit-Level Gateways operate at the session layer of the OSI model or the TCP layer of the TCP/IP model. They monitor the handshaking between packets to decide whether a requested session is legitimate. When information is exchanged with a remote computer, the Circuit-Level Gateway modifies the information

so that it appears to originate from the Circuit-Level Gateway. It works like a wire, copying bytes between the inside connection and the outside connection. This is really useful for hiding information about the internal network it protects; however, since the Circuit-Level gateway's task is simply to relay packets, it has the limitation that it does not filter the packets inside that connection.
Circuit-Level gateways are commonly used for outbound connections, where the administrators really trust the users inside the internal network.

Figure 1.6: Circuit-Level Gateways


Application-Level Gateways
Also called Proxies, they act as an intermediary between two systems like Circuit-Level Gateways, but they filter packets and operate at the Application layer of the OSI model. They work by creating and running a process through which all traffic must pass before being forwarded to its destination. To support different services, a proxy firewall must implement a dedicated protocol handler for each service: an SMTP Proxy for e-mail, an FTP Proxy for file transfer, an HTTP Proxy for the Web service.
Whenever a computer wants to access a service on the Internet, the connection-request packet must be processed by the proxy service specific to that protocol before being forwarded to its destination. Packets returning from the server on the Internet are processed in the same way before being forwarded to the internal system. In some proxy firewalls, a generic proxy service can be used for many different

services. However, not every service can use that generic proxy. When a service cannot use the generic proxy and has no dedicated proxy of its own, the Application-Level Gateway cannot perform any packet filtering at all.
Because of its ability to monitor, a proxy firewall can inspect deep into the packets of a connection and apply additional services to determine whether a packet is forwarded. However, they have some limitations: their configuration is relatively complex and their speed is a major obstacle. Because this kind of firewall inspects deep into the applications, it causes delays in network connections.

Figure 1.7: Application-Level Gateways


Stateful Multilayer Inspection Firewalls
The Stateful Multilayer Inspection Firewall model combines aspects of NAT Firewalls, Packet Filters, Circuit-Level Gateways and Application-Level Gateways. This firewall first filters traffic based on packet characteristics, like a Packet Filter Firewall, but also checks whether sessions are legitimate.
Stateful Multilayer Inspection Firewalls are more complex than the components that make them up, but they are considered the foundation of network security today, and most firewalls on the market today are Stateful Multilayer Inspection Firewalls.

Figure 1.8: Stateful Multilayer Inspection Firewalls

Basic firewall architectures


Dual Homed Host:
The Dual-homed host architecture consists of a computer with at least two network interfaces, that is, a machine fitted with two network cards communicating with two different networks, so that this computer plays the role of a software router.
- Public interface: the card connected directly to the untrusted network (Internet)
- Private interface: connected to the internal network.
A Dual-homed host can only provide services by proxying them or by allowing users to log in directly to the Dual-homed host. All communication between a host in the internal network and an outside host is forbidden; the Dual-homed host is the only point of communication.
In this architecture the bastion host is the place most frequently attacked, so it must be configured to minimize the flaws an attacker could exploit. Some suggestions for configuring a bastion host well:
- Disable or remove any service that is unnecessary or unused.
- Disable or remove any user account that is unnecessary.
- Disable or remove any network protocol that is unnecessary.

- Keep the operating system patches continuously up to date.
- Close all ports that are unnecessary or unused.
- Use an encrypted login mechanism.

Figure 1.9: Dual Homed Host architecture


Screened Host:
This architecture provides services from a host inside the internal network, using a router separated from the outside network. In this architecture, the main security is the Packet Filtering method.
This architecture provides a higher level of security because it implements security at both the network layer and the application layer. An attacker must break through both security layers to intrude into the internal network.
In this system the bastion host is configured in the internal network. The filtering rules are defined so that all outside Internet systems can only access the bastion host; communication with the other systems in the internal network is forbidden.
Because the internal systems and the bastion host are on the same network, the security policy decides which parts of the internal network may connect directly to the Internet and which must use the proxy services on the bastion host. Any outside system attempting to access the internal systems or services must connect to this host. Therefore the Bastion host must be maintained at a high level of security. Packet Filtering also allows the Bastion host to open outbound connections.

Because the bastion host is the only internal system that can connect to the Internet, attacks are limited to the bastion host only. However, if the bastion host is compromised, the attacker can easily damage the internal network.

Figure 1.10: Screened host architecture


Screened Subnet:
This architecture is considered the most secure; it includes two packet filters and a bastion host. This firewall system has a very high level of security. In the Screened subnet architecture we separate the publicly provided services into a separate network zone (DMZ) in order to strengthen protection of the internal network, implementing a defense-in-depth strategy. When a service in the DMZ is attacked, the machines in the internal zone are not affected. This system needs at least three network interfaces.
For traffic coming from outside, the Screened subnet serves to resist attacks on the internal network.
The simple Screened subnet consists of two screened routers:
- Outer router: located between the DMZ and the External zone, it protects the DMZ (Mail server, Web server). Some special packet-filter rules are configured at the level necessary to protect the DMZ.

- Inner router: located between the DMZ and the LAN, it protects the internal network before traffic goes out to the Internet and the DMZ. It does not implement all of the packet-filter rules of the whole firewall.
Advantages:
- An attacker who wants to take control of resources in the internal network must break through three layers of protection: the inner router, the bastion host and the outer router.
- The internal network appears invisible to the outside.
- Machines in the internal network cannot access the Internet directly; they must go through the proxy servers.

Figure 1.11: Screened Subnet architecture


Linux-based Firewall
There are many different kinds of Linux-based firewall. Initially, Linux-based firewalls were based on the ipfw code (distributed by the Berkeley Software Distribution, BSD). Later a utility called ipfwadm was written; it became useful, was included in the Linux kernel from version 1.0, and gave administrators many flexible functions.
With kernel version 2.2, another filtering system was developed and shipped in the Linux kernel: ipchains. The ipchains filter extended the features available in ipfwadm. Then, when version 2.4 was released, the Linux filter was completely rewritten, and the filtering system was named netfilter.
Netfilter is a very important part of the Linux kernel for security and for managing network traffic. Netfilter operates on the kernel side, and to let administrators easily

interact with netfilter and specify what they want from it, we can use a very well-known program called iptables. iptables is in fact a utility sitting in front of netfilter (a front-end); it tells netfilter what the administrator wants to do. The main features of netfilter are packet filtering and NAT (Network Address Translation):
- Stateless packet filtering (IPv4 and IPv6)
- Stateful packet filtering (IPv4 and IPv6)
- Translation of all network addresses and ports, e.g. NAT/NAPT (IPv4 only)
- Flexibility and extensibility of the infrastructure.
- Multiple layers of API libraries allowing third-party extensions.
In simple terms, netfilter works as follows:
- The administrator tells the kernel what to do with a packet by using iptables.
- The system then analyzes the headers of all packets passing through it.
- If, when looking at the header, the kernel finds a matching rule, the packet is handled according to that rule.
There are 3 kinds of table in netfilter:
- Mangle table: responsible for altering the quality of service bits in the TCP header.
- Filter table: responsible for setting up packet filtering. It contains 3 chains that let you set up your filtering rules:
  o Forward chain: filters packets passing through the firewall on their way to another server.
  o Input chain: filters packets coming into the firewall.

  o Output chain: filters packets going out of the firewall.
- NAT table: implements the NAT function and includes the following two chains:
  o Pre-routing NAT: NAT from outside to inside (NAT Inbound), performed before the routing process.
  o Post-routing NAT: NAT from inside to outside (NAT Outbound), performed after routing, to change the source address of the packet.

Chapter 2: Introduction to ClearOS


Introduction to ClearOS
In practice there are many Linux-based firewall products; to name a few: Monowall, SmoothWall Express, Endian, IPCop, pfSense. Basically, almost all of them run on top of the Linux kernel's netfilter. Some distributions add further features and solutions to provide a more complete solution, such as Proxy, IDS and VPN.
ClearOS is developed by ClearFoundation, a reputable organization with a large user community, and is a popular distribution according to http://distrowatch.com (ranked 37th). ClearOS (also known by another name, ClarkConnect) is a Linux distribution based on CentOS and Red Hat Enterprise, designed as a Network Gateway and Network Server with a management interface entirely on the Web.
ClearOS is developed by ClearFoundation, and like other free and open-source software (FOSS), ClearOS is released under the GNU General Public License v2; you can easily download it for free and install it for use. It is a good solution to replace Microsoft's Windows Small Business Server.
ClearOS comes in three editions depending on your needs: ClearOS Enterprise, ClearOS Home and ClearOS Core.

Figure 2.1: The development of ClearOS.


Highlights of ClearOS
- Stateful firewall (iptables)
- Web proxy, content filtering and antivirus (Squid, DansGuardian)

- Intrusion Detection and Prevention System (SNORT)
- Virtual Private Networking (PPTP, IPSec, OpenVPN)
- E-mail services (Webmail, Postfix, SMTP, POP3/s, IMAP/s)
- Groupware (Kolab)
- Database and Web Server (LAMP)
- File and Print services (Samba, CUPS)
- Flexshares (CIFS, HTTP/S, FTP/S, and SMTP)
- MultiWAN.
- Reports, statistics (MRTG, ...)
Hardware requirements:
Like many other Linux distributions, ClearOS Enterprise lets you install in graphical mode as well as console mode. You can perfectly well install in console mode and administer it easily through the web interface. With the console interface your server only needs a low configuration: 512 MB of RAM and a 2 GB hard disk.
If you install in Standalone mode you need at least one network card; if you install in Gateway mode you need at least two network cards.
Introduction to the web configuration interface

Figure 2.2: ClearOS main interface

Directory menu: this menu contains the most basic system configuration and system information, such as:
- Account: allows adding, deleting and editing information about users and groups on the system.
- Setup: configuration of the Domain, LDAP, information about your organization, and password rules.
Network menu: this is the main configuration menu of the system.

Figure 2.3: Network menu


- Settings: lets you adjust IP address parameters such as the IP addresses of the Internal, External and DMZ zones, and configure DNS, DHCP, MultiWAN, ...
- Firewall: configure the rules directly related to the firewall.
  o 1-to-1 NAT: maps a Private IP address to a Public IP address.
  o DMZ: configure rules related to the DMZ zone.
  o Incoming: configure connections coming into the system.
  o Outgoing: configure connections going out of the system.

Gateway menu: configuration of Antimalware, Bandwidth limiting, Protocol filtering, Proxy, ...

Figure 2.4: Gateway menu.


System menu: configuration for the server on which ClearOS is installed and the server's resources, such as hard disks, running processes, services in use, ...

Figure 2.5: System menu

Report menu: includes reports on network traffic, proxy reports, system logs, ... This menu lets you monitor the system's parameters.

Figure 2.5: Report menu

Chapter 3: Demo of some practical scenarios


Models
Real-world model

Figure 3.1: Real-world model.


The model consists of:
- ClearOS is a server with 3 interfaces connected to three network zones: Local, Internet and DMZ.
- Modem: the Internet connection device.
- Switch: the device that shares the connection among several Servers in the DMZ.
- Core Switch: a Layer 3 switch used to separate the departments.
- The workstations of each department, such as the Sales department, the Management Board and the HR department.
Lab setup

Figure 3.2: Demo model.


It consists of the following devices:
- ClearOS is a server installed in VirtualBox with 3 interfaces: eth0 (connected to the simulated Internet network), eth1 (connected to the DMZ), eth2 (connected to the internal network).
- Client: internal machine running Windows XP, installed as a VirtualBox virtual machine.
- Web Server: running CentOS with the httpd service, installed as a VirtualBox virtual machine.
- User: a physical Ubuntu machine.
- Attacker: running BackTrack 5, installed as a VirtualBox virtual machine.
List of demo scenarios:
- Blocking bad websites and harmful content with the Web Proxy and Content Filter.
- Publishing a Web Server to the Internet.
- Setting up some rules to protect the Web Server.
- Allowing only one address on the Internet and only one address in the LAN (the Administrator) to SSH into the Firewall.
- Blocking an attacker's port scan with nmap.
- Defending against DoS and DDoS.
(description of the test results)
Blocking bad websites and harmful content with the Web Proxy and Content Filter.

Description: Your company needs to let employees connect to the Internet for their work. However, employees frequently use the Internet to visit bad websites, do personal things such as playing games, chatting and reading news, and download harmful files such as viruses and worms that affect the system.
Requirement: Block users from pages such as http://zing.vn and http://vnexpress.net during working hours, and forbid searches for the keyword "tim ban chat".
Method: Block on the internal user side.
Menu used: Gateway > Proxy and Filtering > Content Filter and Web Proxy.
Model: Real-world model.
Steps:
Step 1: Start the Web Proxy service and the Content Filter service in the System/Service menu.

Figure 3.3: Starting the Web Proxy and Content Filter.


Step 2:
Configure the Web Proxy in Transparent Mode (in this mode all requests from the internal network must pass through the Proxy Server; nothing needs to be configured on the internal side, and the Proxy is transparent to users).

Figure 3.3: Enabling Transparent Mode and the Content Filter.


Enable the Content Filter mode.
Step 3: Create rules in the Content Filter module to forbid access to http://zing.vn and http://vnexpress.net, in Content Filter / Configure Filter Group #1: Default, and edit the Site List line.

Figure 3.4: Adding blocked domains.


Step 4: Filter by content so that users cannot visit pages containing "tim ban chat" (by default ClearOS defines some common phrases such as chat, webchat, game, sport, news, malware, ...). We add the phrase "tim ban chat" to the list of phrases to filter.

Figure 3.5: Adding a blocked keyword.


To add the phrase "tim ban chat", we SSH into ClearOS as root and edit the file:
vi /etc/dansguardian-av/lists/phraselists/chat/weighted

Figure 3.6: Editing the weighted file.


Here <100> is the weight of the phrase.
Then restart the corresponding service: /etc/init.d/dansguardian-av restart
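How a weighted phrase list of this shape turns into an allow/block decision, as an added example written for this page (it is not DansGuardian's own code and is a simplified model of it). Each list line is `<phrase><weight>`, a comma-joined entry `<a>,<b><weight>` only counts when every part appears, and a page is blocked when the summed weight of matching entries reaches a threshold; the list excerpt, the page texts and the threshold value 50 are constructed for the example.

```python
"""Added example (written for this page, not DansGuardian's own code): a
simplified model of weighted phrase filtering. A list line has the form
<phrase><weight>; a combined entry <a>,<b><weight> scores only when every part
occurs. The list excerpt and the page texts are constructed."""
import re

# One entry: one or more <phrase> parts, optionally comma-joined, then <weight>.
ENTRY_RE = re.compile(r"^((?:<[^<>]+>,?)+)<(-?\d+)>\s*$")

WEIGHTED_LIST = """\
# constructed excerpt in the style of phraselists/chat/weighted
<webchat><50>
<chat room><40>
<tim 'ban' chat><100>
<chat>,<online>,<free><30>
<support chat><-60>
""".replace("'", "")   # keeps the sample phrase exactly "tim ban chat"


def parse_weighted(text):
    """Return [(tuple_of_phrases, weight), ...], ignoring comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"bad weighted-list line: {line!r}")
        phrases = tuple(p.lower() for p in re.findall(r"<([^<>]+)>", m.group(1)))
        entries.append((phrases, int(m.group(2))))
    return entries


def score_page(page_text, entries):
    """Sum the weights of entries whose phrases all occur in the page text.
    Matching is case-insensitive; each entry counts at most once."""
    body = page_text.lower()
    score, hits = 0, []
    for phrases, weight in entries:
        if all(p in body for p in phrases):
            score += weight
            hits.append((phrases, weight))
    return score, hits


def decide(page_text, entries, naughtiness_limit=50):
    """'BLOCK' when the page score reaches the limit, else 'ALLOW'."""
    score, _hits = score_page(page_text, entries)
    return "BLOCK" if score >= naughtiness_limit else "ALLOW"


if __name__ == "__main__":
    entries = parse_weighted(WEIGHTED_LIST)
    for page in ("Tim ban chat mien phi tren webchat",
                 "Contact our support chat for help",
                 "Free online chat"):
        score, hits = score_page(page, entries)
        print(f"{decide(page, entries):<5} score={score:<4} {page!r} hits={hits}")
```

Negative weights, as in the `<support chat><-60>` line, are how a real list keeps legitimate pages that merely mention a filtered word from being blocked; the `<100>` weight the text adds is large enough to block on its own at this threshold.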

Figure 3.7: Restarting the dansguardian-av service.


Testing:
The internal machine cannot access the two domains zing.vn and vnexpress.net

Figure 3.8: Testing the domain http://zing.vn

Figure 3.8: Testing the domain http://vnexpress.net


The internal machine cannot search for the keyword "tim ban chat"

Publishing a Web Server to the Internet.


Description: Your company places a Web Server inside the system. You want your customers and partners to be able to access this website.
Requirement: The website in the DMZ can be accessed from the Internet.
Method: NAT Inbound
Menu used: Network > Firewall > 1-to-1 NAT
Model: Demo model
Steps:
- Nickname: any name you like.

- Interface: the outer network card of the Firewall, facing the Internet.
- Private IP: the IP address of the Web Server located in the DMZ
- Public IP: the outer IP address of the Firewall (eth0)
- Protocol: TCP
- Port: 80:80 (http)

Figure 3.9: Configuration for publishing the Web Server to the Internet.


Testing: access the website from the physical machine with address 111.11.1.1

Figure 3.10: Testing access

As we can see here, the machine with IP address 111.11.1.1 can access the web server through the Firewall's outer IP address, 111.11.1.10.
Setting up some rules to protect the Web Server.
Description: You discover that some Public IP addresses on the Internet frequently access your website and forum to spam posts and write destructive content.
Requirement: Block these IP addresses from accessing your company's website and forum, while other users access it normally. Here we block the User with IP address 111.11.1.1.
Method: Block on the Internet side.
Menu used: Network > Firewall > Incoming
Model: Demo model
Steps:

Figure 3.10: Configuration to block a public IP.


Note: You can also block an IP range by replacing the IP address 111.11.1.1 with a range, for example 111.11.1.0/24.
Testing: access from the blocked machine 111.11.1.1

Figure 3.11: Testing the block.


As we can see here, after setting up the rule that blocks address 111.11.1.1 from accessing the web server, this machine can no longer reach the web server.
Allowing only one address on the Internet and only one address in the LAN (the Administrator) to SSH into the Firewall.
Description: You are the administrator of the company's network. But you cannot always be at the company to access the system. You need SSH access to the Firewall from the Internet. Or you are at the company but want only your own computer to be able to SSH into the Firewall for administration; employees in other departments are forbidden.
Requirement: To ensure security, you create rules allowing only one computer with a specific IP address to access the Firewall over SSH from the Internet. In this example only IP 111.11.1.101 is allowed SSH access from the Internet, together with the Administrator's machine 172.16.1.100 on the LAN; everything else is blocked.
Method: Allow SSH from the Internet and SSH from the LAN.
Menu used: Network > Firewall > Custom
Model: Demo model

Steps:
Step 1: Block all SSH into the system

Figure 3.12: Configuration blocking all SSH.


Step 2: Allow IP 111.11.1.101 to SSH into the Firewall.

Hnh 3.13: Cu hnh cho php 1 ip public SSH.


B3: Cho php my Administrator truy cp Firewall.

Hnh 3.14: Cu hnh cho php 1 ip private SSH.
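The block-one-IP rule above and the three SSH rules of Steps 1 to 3 both rely on a property of netfilter that the screenshots cannot show: a chain is walked top to bottom and the first matching rule decides. The following Python model is an added example, not code from the report or from ClearOS; it replays both scenarios against a small first-match evaluator. The iptables lines in the comments are the standard syntax the Custom rules correspond to; the interface names eth0 (Internet) and eth1 (LAN), the INPUT/FORWARD chain choice, and the staff and spoofed-source probes are assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst_port: int   # TCP destination port
    iface: str      # arriving interface: "eth0" = Internet, "eth1" = LAN (assumed names)


@dataclass(frozen=True)
class Rule:
    action: str                      # "ACCEPT" or "DROP"
    dst_port: Optional[int] = None   # --dport, any port when None
    src: Optional[str] = None        # -s, an address or a CIDR such as "111.11.1.0/24"
    iface: Optional[str] = None      # -i

    def matches(self, pkt: Packet) -> bool:
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first matching rule decides, as in a netfilter chain.
    The chain policy applies when nothing matched."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return policy


# Scenario "protect the web server": the spammer 111.11.1.1 is dropped on port 80, everyone
# else still reaches the published site. Port 80 is DNATed to the DMZ, hence FORWARD.
#   iptables -A FORWARD -i eth0 -s 111.11.1.1 -p tcp --dport 80 -j DROP
WEB_BLOCK = [Rule("DROP", dst_port=80, src="111.11.1.1", iface="eth0")]

# Scenario "SSH to the firewall": the rules of Steps 1-3 in the order the report lists them.
#   iptables -A INPUT -p tcp --dport 22 -j DROP
#   iptables -A INPUT -i eth0 -s 111.11.1.101 -p tcp --dport 22 -j ACCEPT
#   iptables -A INPUT -i eth1 -s 172.16.1.100 -p tcp --dport 22 -j ACCEPT
SSH_AS_LISTED = [
    Rule("DROP", dst_port=22),
    Rule("ACCEPT", dst_port=22, src="111.11.1.101", iface="eth0"),
    Rule("ACCEPT", dst_port=22, src="172.16.1.100", iface="eth1"),
]
# The same three rules with both ACCEPTs ahead of the DROP (what -I, or appending the DROP last, gives).
SSH_ALLOWS_FIRST = [SSH_AS_LISTED[1], SSH_AS_LISTED[2], SSH_AS_LISTED[0]]

SSH_PROBES = {
    "admin_inet": Packet("111.11.1.101", 22, "eth0"),
    "admin_lan": Packet("172.16.1.100", 22, "eth1"),
    "stranger_inet": Packet("111.11.1.1", 22, "eth0"),
    "staff_lan": Packet("172.16.1.50", 22, "eth1"),
    "spoofed_lan_ip_from_inet": Packet("172.16.1.100", 22, "eth0"),  # LAN address forged from outside
}


def ssh_decisions(chain: List[Rule]) -> dict:
    """Verdict for every probe; with a port-22 DROP in the chain nothing falls through to the policy."""
    return {name: evaluate(chain, pkt) for name, pkt in SSH_PROBES.items()}


def web_decisions() -> dict:
    return {
        "spammer": evaluate(WEB_BLOCK, Packet("111.11.1.1", 80, "eth0")),
        "other_user": evaluate(WEB_BLOCK, Packet("111.11.1.2", 80, "eth0")),
    }


if __name__ == "__main__":
    print(web_decisions())
    print("as listed   :", ssh_decisions(SSH_AS_LISTED))     # every probe DROPped, the admin included
    print("allows first:", ssh_decisions(SSH_ALLOWS_FIRST))  # only the two pinned hosts pass
```

The "as listed" run is the failure mode to watch for after applying Steps 1 to 3: the administrator is locked out together with everybody else until the allow rules move above the block. The spoofed probe passes only because the LAN rule matches the interface as well as the address.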


Blocking an attacker's port scan with nmap.

Description: Attackers commonly use tools such as nmap to scan the ports of public servers such as Web and Mail, looking for unnecessary services and unneeded open ports on the system to exploit. Port-scan techniques include FIN Scan (-sF), Xmas Scan (-sX), Null Scan (-sN) and ACK Scan (-sA). The first three are recognisable by their TCP flags alone, since no legitimate connection attempt carries only FIN, FIN+PSH+URG, or no flags at all; an ACK scan sends a bare ACK, which every established connection also carries, so it has to be caught as a new connection that did not start with a SYN rather than by its flags.
Requirement: Based on the characteristics of these scan techniques, block them.
Method: Block on the Internet side.
Menu: Network → Firewall → Custom
Model: Demo model
Steps:

Figure 3.15: Configuring the port-scan block.


Check: We test each scan type in turn with the nmap program.

Figure 3.16: Testing with a FIN scan.


Figure 3.17: Testing with a NULL scan.

Figure 3.18: Testing with an XMAS scan.


Conclusion: As we can see, when an attacker uses a port-scan tool such as nmap against our system, the firewall detects, reports and blocks the FIN, NULL and XMAS scans. Because the probes are dropped rather than answered, nmap reports the ports as open|filtered instead of open or closed. A plain SYN scan (-sS) is not affected by these rules, since its probe is the same SYN a legitimate client sends.
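Blocking these scans works because each sends a TCP flag combination that no real connection attempt uses, and the tcpdump check used elsewhere in this chapter is where those combinations become visible. The Python below is an added example, not the report's configuration (whose exact rules are in Figure 3.15 and are not reproduced here): it converts the flag field tcpdump prints into bits, names the NULL/FIN/XMAS signatures, and applies the two kinds of rule in the order a firewall would. It also covers the ACK scan (-sA) named in the description, which needs a connection-state check rather than a flag check, and shows that a SYN scan (-sS) passes these rules like any client. The sample lines are constructed, not captured in the report's lab.

```python
# TCP flag bits as they sit in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
CWR, ECE = 0x80, 0x40
SIX_FLAGS = FIN | SYN | RST | PSH | ACK | URG   # the mask an "--tcp-flags ALL ..." match compares against

# Exact flag sets the report's three "stealth" scans send; a real TCP stack never emits any of
# them to open a connection.
SCAN_SIGNATURES = {
    "NULL scan (-sN)": 0,
    "FIN scan (-sF)": FIN,
    "XMAS scan (-sX)": FIN | PSH | URG,
}

# Letters tcpdump prints inside "Flags [...]": F=FIN S=SYN R=RST P=PSH .=ACK U=URG W=CWR E=ECE
TCPDUMP_LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, ".": ACK, "U": URG, "W": CWR, "E": ECE}


def flags_from_tcpdump(field: str) -> int:
    """'Flags [FPU]' -> FIN|PSH|URG, 'Flags [.]' -> ACK, 'Flags [none]' -> 0."""
    inner = field.strip()
    if "[" in inner:
        inner = inner[inner.index("[") + 1 : inner.index("]")]
    if inner == "none":
        return 0
    return sum(TCPDUMP_LETTERS[c] for c in inner)


def classify_scan(flags: int):
    """Name of the scan whose exact six-flag signature matches, else None."""
    for name, sig in SCAN_SIGNATURES.items():
        if flags & SIX_FLAGS == sig:
            return name
    return None


def firewall_decision(flags: int, tracked_connection: bool) -> str:
    """Verdict for one inbound TCP segment.

    Rule 1 (flag match): the bogus NULL/FIN/XMAS combinations are dropped outright, the
            equivalent of three '-p tcp --tcp-flags ALL <set> -j DROP' rules.
    Rule 2 (state match): a segment that is not a pure SYN and belongs to no tracked connection
            is dropped, the equivalent of '-p tcp ! --syn -m state --state NEW -j DROP'.
            This is how an ACK scan (-sA) is caught: a bare ACK is also what every established
            connection carries, so it cannot be dropped on flags alone.
    """
    if classify_scan(flags) is not None:
        return "DROP"
    pure_syn = (flags & (SYN | ACK | RST | FIN)) == SYN
    if not tracked_connection and not pure_syn:
        return "DROP"
    return "ACCEPT"


# Constructed samples: (flag field as tcpdump prints it, whether conntrack already knows the flow).
SAMPLES = [
    ("Flags [F]", False),      # nmap -sF probe
    ("Flags [none]", False),   # nmap -sN probe
    ("Flags [FPU]", False),    # nmap -sX probe
    ("Flags [.]", False),      # nmap -sA probe: bare ACK with no connection behind it
    ("Flags [.]", True),       # bare ACK inside an established HTTP connection
    ("Flags [S]", False),      # nmap -sS probe or any legitimate client: indistinguishable here
]


def run_samples():
    """(tcpdump flag field, scan name or None, verdict) for every sample."""
    out = []
    for field, tracked in SAMPLES:
        flags = flags_from_tcpdump(field)
        out.append((field, classify_scan(flags), firewall_decision(flags, tracked)))
    return out


if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

The last two samples carry the practical caveats: the established-connection ACK must keep flowing, which is why the ACK rule is tied to connection state, and the SYN probe is accepted because nothing distinguishes it from a browser opening a connection; against -sS the only defence is not having the port open.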
Defending against DoS and DDoS.
Description: An attacker floods the web server with a very large number of packets, making your system hang and leaving it unable to serve ordinary users. Attack forms include SYN Flood, ICMP Flood and similar.
Requirement: Limit the number of requests per second and filter out IPs that are likely to be flooding your server (sending many requests at the same moment).


Method: Filter on the Internet side.
Menu: Network → Firewall → Custom
Model: Demo model
Steps:

Set up the following rules:

Figure 3.19: Anti SYN Flood rules.


Check:
Use the Back_Track machine to demonstrate the attack with the command: # hping3 --flood -S -p 80 111.11.1.10
Where:
hping3: a tool that sends packets built according to various options.
--flood: send packets as fast as possible, without waiting for replies.
-S: set the SYN flag on each packet.
-p 80: send to port 80 of the firewall; the firewall NATs the traffic inbound to the web server in the DMZ.
111.11.1.10: the IP address of the firewall's external interface eth0.
On the web server, use tcpdump (command line) or wireshark (GUI) to capture and analyse the packets:
# tcpdump -ni eth0 port 80 captures the packets arriving on interface eth0 for port 80 (-n skips name resolution).
From another machine that can reach the web server, run
# time wget -O /dev/null 111.11.1.10
to measure the web server's response time; the page itself is discarded to /dev/null.
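Figure 3.19 is not reproduced on the page, so the rules below are an assumption about what "limit the number of requests per second and filter the flooding IP" looks like in iptables: a hashlimit bucket per source address with a burst, followed by a drop. The Python model is an added example, not the report's or ClearOS's code; it replays one second of the hping3 --flood -S -p 80 traffic from a single attacker beside an ordinary client and counts the verdicts each would receive. Addresses (RFC 5737 test ranges) and packet counts are constructed. One check worth making on the real box: because port 80 is DNATed to the DMZ web server, the rate-limit rule belongs in the FORWARD chain; a rule in INPUT never sees that traffic.

```python
from collections import defaultdict
from typing import Dict


class PerSourceSynLimiter:
    """Token bucket per source address: at most `burst` SYNs at once, refilled at `rate` SYN/s.

    This models the assumed rule pair
      iptables -A FORWARD -i eth0 -p tcp --dport 80 --syn -m hashlimit --hashlimit-name syn80 \
          --hashlimit-mode srcip --hashlimit-upto 10/sec --hashlimit-burst 20 -j ACCEPT
      iptables -A FORWARD -i eth0 -p tcp --dport 80 --syn -j DROP
    """

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens: Dict[str, float] = defaultdict(lambda: float(burst))  # new source starts full
        self.last_seen: Dict[str, float] = {}

    def check(self, src: str, now: float) -> str:
        tokens = self.tokens[src]
        if src in self.last_seen:  # refill for the time elapsed since this source was last seen
            tokens = min(float(self.burst), tokens + (now - self.last_seen[src]) * self.rate)
        self.last_seen[src] = now
        if tokens >= 1.0:
            self.tokens[src] = tokens - 1.0
            return "ACCEPT"
        self.tokens[src] = tokens
        return "DROP"


# Constructed traffic for one second (not the report's lab addresses).
ATTACKER = "203.0.113.7"   # plays the Back_Track host running hping3 --flood -S -p 80
CLIENT = "198.51.100.5"    # an ordinary browser opening three connections in the same second


def simulate(rate: float = 10.0, burst: int = 20, flood_pps: int = 5000) -> Dict[str, int]:
    """Replay flood_pps evenly spaced attacker SYNs plus three client SYNs through the limiter."""
    limiter = PerSourceSynLimiter(rate, burst)
    events = [(i / flood_pps, ATTACKER) for i in range(flood_pps)]
    events += [(0.1, CLIENT), (0.5, CLIENT), (0.9, CLIENT)]
    events.sort()
    counts = {"attacker_accepted": 0, "attacker_dropped": 0, "client_accepted": 0, "client_dropped": 0}
    key = {"ACCEPT": "accepted", "DROP": "dropped"}
    for now, src in events:
        who = "attacker" if src == ATTACKER else "client"
        counts[f"{who}_{key[limiter.check(src, now)]}"] += 1
    return counts


if __name__ == "__main__":
    print(simulate())
```

With a 10/s rate and a burst of 20, the attacker gets roughly the 20 burst SYNs plus about ten more over the second and everything else is dropped, while the client's three SYNs ride on their own untouched bucket, which is exactly what the time wget check should show. A per-source bucket does not help against hping3's --rand-source or a distributed flood, where every packet arrives from a fresh address; a global -m limit then throttles legitimate users too, and the web server's own SYN cookies (net.ipv4.tcp_syncookies) become the relevant defence.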


CONCLUSION
This report covers the theory of firewalls and an experimental demo of the practical situations a system administrator will need to configure. These situations are very concrete: forbidding certain hosts from accessing the Web, forbidding certain hosts from accessing the firewall, blocking port scans, and defending against DoS.
In general, configuring through the web interface lets the administrator create rules easily and manage them visually. An experienced administrator, however, should not be confined to setting up rules in the web interface.
The demo scenarios above are only the most common, most frequently encountered situations, the ones that most need to be configured. Depending on the specific situation and on the data and services to protect, the administrator can create other rules to meet their requirements.
However, because the time for this project was limited, and because the demo was run on virtual machines, the researcher could not test more complex attack scenarios. For DoS, the forms presented above are only the simple methods an attacker carries out at the IP layer of the TCP/IP model; an attacker may well use more sophisticated and complex methods. The researcher has not been able to test this.
Some other useful features of ClearOS that the researcher, for lack of time, has not been able to add include Antivirus and Antiphishing through the bundled ClamAV module, as well as Bandwidth management and QoS.
The issues above can be developed in more depth and breadth later when conditions allow. The model could also be deployed in practice together with other ClearOS features such as VPN, LDAP authentication and Snort intrusion detection.
