
Generated by Foxit PDF Creator Foxit Software http://www.foxitsoftware.com For evaluation only.

Table of contents

1. Information security on networks ... 3
1.1 Why an Internet firewall is needed ... 3
1.2 What do you want to protect? ... 5
1.2.1 Your data ... 5
1.2.2 Your resources ... 5
1.2.3 Your reputation ... 6
1.3 What do you want to protect against? ... 7
1.3.1 Types of attack ... 7
1.3.2 Classifying attackers ... 10
1.4 So what is an Internet firewall? ... 12
1.4.1 Definition ... 12
1.4.2 Function ... 12
1.4.3 Structure ... 13
1.4.4 Firewall components and how they work ... 14
1.4.5 Limitations of firewalls ... 20
1.4.6 Firewall examples ... 21
2. Internet services ... 28
2.1 World Wide Web - WWW ... 29
2.2 Electronic Mail (Email) ... 30
2.3 Ftp (file transfer protocol) ... 31
2.4 Telnet and rlogin ... 32
2.5 Archie ... 33
2.6 Finger ... 34
3. The firewall system built by CSE ... 35
3.1 Overview ... 36
3.2 Components of the proxy package ... 37
3.2.1 Smap: SMTP service ... 37
3.2.2 Netacl: network access control tool ... 38
3.2.3 Ftp-Gw: proxy server for Ftp ... 39
3.2.4 Telnet-Gw: proxy server for Telnet ... 40
3.2.5 Rlogin-Gw: proxy server for rlogin ... 41
3.2.6 Sql-Gw: proxy server for Oracle Sql-net ... 41
3.2.7 Plug-Gw: TCP Plug-Board Connection server ... 41
3.3 Installation ... 42
3.4 Configuration ... 43
3.4.1 Initial network configuration ... 43
3.4.2 Configuring the bastion host ... 44
3.4.3 Setting up the rule set ... 46
3.4.4 Authentication and the authentication service ... 55
3.4.5 Using the CSE Proxy control screen ... 61
3.4.6 Issues to consider for users ... 65


1. Information security on networks

1.1 Why an Internet firewall is needed
Today the notion of the global network, the Internet, is no longer new. It has become so commonplace that technical journals no longer need to explain it, while other magazines are flooded with articles, long and short, about the Internet. As the popular press concentrates on the Internet, the technical journals have turned to a different aspect: information security. This is a logical progression: once the initial excitement about the information superhighway wears off, you inevitably notice that the Internet not only lets you reach many places in the world, it also lets many uninvited people drop in on your computer. Indeed, the Internet offers excellent techniques for everyone to access, exploit and share information. But it is also the main risk leading to your information being damaged or destroyed entirely. According to figures from CERT (Computer Emergency Response Team), the number of attacks on the Internet reported to that organisation was fewer than 200 in 1989, about 400 in 1991, 1400 in 1993, and 2241 in 1994. These attacks targeted every kind of computer present on the Internet: the computers of large companies such as AT&T and IBM, universities, government agencies, military organisations, banks... Some attacks were enormous in scale (up to 100,000 computers attacked). Moreover, these figures are only the tip of the iceberg. A very large share of attacks are never reported, for many reasons, among them the fear of losing reputation, or simply because the system administrators never knew about the attacks aimed at their systems. Not only has the number of attacks grown rapidly, the methods of attack are also continually being refined. That is partly because the administrators of systems connected to the Internet have become increasingly vigilant. Also according to CERT, the attacks of the 1988-1989 period mainly guessed user names and passwords (UserID/password) or exploited bugs in programs and operating systems (security holes) to defeat the protection system, whereas more recent attacks also include techniques such as IP address spoofing, monitoring information passing over the network, and hijacking remote sessions (telnet or rlogin).


1.2 What do you want to protect?
The basic task of a firewall is protection. If you want to build a firewall, the first thing you need to consider is what you need to protect.

1.2.1 Your data
Information stored on a computer system needs protection because of the following requirements:
- Confidentiality: information of economic, military, policy or similar value must be kept secret.
- Integrity: information is not lost, altered or substituted.
- Timeliness: information can be accessed at the moment it is needed.
Of these, confidentiality is usually regarded as requirement number one for information stored on a network. However, even when the information does not have to be kept secret, the integrity requirement is still very important. No individual or organisation wants to waste material resources and time storing information whose correctness is unknown.

1.2.2 Your resources
In practice, in attacks on the Internet, once the attacker has taken control of an internal system he can use those machines for his own purposes, such as running user-password guessing programs or using the available network links to go on attacking other systems.


1.2.3 Your reputation

As noted above, a large share of attacks are not made public, and one of the reasons is the fear of damaging the organisation's reputation, especially for large companies and important state agencies. When the system administrator only finds out after his own system has been used as a stepping stone to attack other systems, the loss of reputation is very great and may leave lasting consequences.


1.3 What do you want to protect against?

Then there is what you need to worry about. What kinds of attack will you face on the Internet, and who will carry them out?

1.3.1 Types of attack

There are very many kinds of attack on a system, and many ways of classifying them. Here we divide them into three main kinds, as follows:

1.3.1.1 Direct attacks
Direct attacks are usually used in the first phase, to gain access to the inside. A classic attack method is guessing user names and passwords. It is simple, easy to carry out and needs no special preconditions. The attacker can use information such as the user's name, date of birth, address, house number and so on to guess the password. When he has the list of users and information about their working environment, there are programs that automate the password search. One program that can easily be obtained from the Internet to break the encrypted passwords of unix systems is called crack; it can try combinations of words from a large dictionary, according to rules the user defines. In some cases the success rate of this method can reach 30%. Exploiting bugs in application programs and in the operating system itself has been used since the earliest attacks and is still used to gain access. In some cases this method gives the attacker the rights of the system administrator (root or administrator). Two examples frequently given to illustrate this are the sendmail program and the rlogin program of the UNIX operating system. Sendmail is a complex program whose source code runs to thousands of lines of C. Sendmail runs with the system administrator's privileges, because the program must be able to write into the mailboxes of the machine's users. And sendmail directly receives mail requests from the outside network. These are the factors that make sendmail a source of security holes giving access to the system. Rlogin lets a user on one machine on the network log in remotely to another machine to use its resources. While receiving the user's name and password, rlogin does not check the length of the input, so the attacker can enter a precomputed string that overwrites rlogin's program code and thereby gains access.

1.3.1.2 Eavesdropping
Listening in on network traffic can yield useful information such as users' names and passwords and secret information passing over the network. Eavesdropping is usually carried out right after the attacker has gained access to the system, through programs that put the network interface card (NIC) into a mode in which it receives all the information travelling on the network. Such programs are also easily obtained on the Internet.


1.3.1.3 Address spoofing
IP address spoofing can be carried out using the source-routing capability. With this attack the attacker sends IP packets to the internal network with a forged IP address (usually the address of a network or host that the internal network regards as trusted), while explicitly specifying the route the IP packets must take.

1.3.1.4 Disabling system functions (denial of service)
This is an attack that aims to paralyse the system so that it cannot perform the function it was designed for. This kind of attack cannot be prevented, because the means used to mount it are the very means used for working and accessing information on the network. For example, using the ping command at the highest possible rate forces a system to spend all of its computing power and network capacity answering these commands, leaving no resources for other useful work.

1.3.1.5 Errors by the system administrator
This is not a kind of attack by intruders, but errors by the system administrator often create holes that allow an attacker to gain access to the internal network.

1.3.1.6 Attacks on the human factor
The attacker can contact a system administrator, pretending to be a user, and ask for a password change, a change to his access rights on the system, or even a change to some part of the system configuration in order to carry out other attack methods. No device can effectively prevent this kind of attack; the only way is to educate the internal users about the security requirements so that they are alert to suspicious events. In general the human factor is a weak point in any protection system, and only education combined with a cooperative attitude from users can raise the security of the protection system.

1.3.2 Classifying attackers

There are very many attackers on the global Internet and we cannot classify them exactly; any classification of this kind should be seen as an introduction rather than a rigid mould.

1.3.2.1 Passers-by (joyriders)
Passers-by are people bored with their everyday work who are looking for new amusements. They break into your computer because they think you may have interesting data, because they enjoy using other people's computers, or simply because they cannot find anything better to do. They may be curious without intending to harm you. However, they often damage the system when breaking in or when erasing their tracks.

1.3.2.2 Vandals
Vandals intend to damage your system. They may dislike you, or they may not know you at all but take pleasure in destruction. Vandals are fairly rare on the Internet. Nobody likes them. Many people even enjoy hunting down and stopping vandals. Though rare, vandals often cause serious damage to your system, such as deleting all your data or wrecking the equipment in your computers...

1.3.2.3 Scorekeepers
Many passers-by get drawn into intrusion and vandalism. They want to assert themselves through the number and the kinds of systems they have broken into. Breaking into famous places, tightly guarded places and elaborately designed places scores the most points for them. But they will also attack anywhere they can, for quantity as much as for quality. These people are not interested in the information you hold or in other properties of your resources. However, in order to achieve the goal of breaking in, they will damage your system whether by accident or on purpose.

1.3.2.4 Spies
A great deal of important information is now stored on computers, such as military and economic information... Computer espionage is a complex problem and hard to detect. In practice most organisations cannot defend effectively against this kind of attack, and you can be sure that the Internet link is not the easiest route for a spy to collect information.


1.4 So what is an Internet firewall?

1.4.1 Definition
The term firewall originates from a construction technique used to stop or contain fires. In network technology, a firewall is a technique integrated into a network system to prevent unauthorised access, in order to protect internal information sources and to limit the intrusion of other unwanted information into the system. A firewall can also be understood as a mechanism that protects a trusted network from untrusted networks. An Internet firewall is a device (hardware plus software) placed between the network of an organisation, a company or a country (the Intranet) and the Internet. It protects the information of the Intranet from the outside Internet world.

1.4.2 Function

An Internet firewall (hereafter simply "firewall") is a component placed between the Intranet and the Internet to control all traffic and access between them, including: the firewall decides which services inside may be accessed from outside, which people from outside may access the services inside, and which outside services may be accessed by people inside. For a firewall to work effectively, all exchange of information from inside to outside and vice versa must pass through the firewall. Only the exchanges permitted by the security policy of the internal network are allowed to pass through the firewall.

The functional diagram of the firewall is shown in figure 2.1.

[Figure 2.1 (diagram not reproduced): Intranet - firewall - Internet]

Figure 2.1 Functional diagram of a firewall

1.4.3 Structure
A firewall consists of:
- One or more host systems connected to routers, or having router functions.
- Security management software running on the host systems. Usually these are the management systems for authentication, authorization and accounting. We will discuss the operation of these systems in more detail in a later section.


1.4.4 Firewall components and how they work

A standard firewall consists of one or more of the following components:
- Packet-filtering router
- Application-level gateway (proxy server)
- Circuit-level gateway

1.4.4.1 Packet-filtering router

1.4.4.1.1 Principle

When we speak of data traffic between networks through a firewall, this means that the firewall works closely with the TCP/IP internetworking protocol. This protocol works by splitting the data received from the applications on the network, or more precisely from the services running on top of the protocols (Telnet, SMTP, DNS, SNMP, NFS...), into data packets, and then gives these packets addresses that can be recognised and reassembled at the destination they are sent to; for that reason every kind of firewall is closely concerned with packets and with their address numbers. A packet filter permits or refuses every packet it receives. It examines the whole datagram to decide whether it satisfies one of the packet-filtering rules. These filtering rules are based on the information at the head of each packet (the packet header), which is used to forward packets across the network, namely:
- Source IP address
- Destination IP address
- Transport protocol (TCP, UDP, ICMP, IP tunnel)
- TCP/UDP source port
- TCP/UDP destination port
- ICMP message type
- Incoming interface of the packet
- Outgoing interface of the packet

If a packet-filtering rule is satisfied, the packet is passed through the firewall. If not, the packet is dropped. In this way the firewall can block connections to specified hosts or networks, or block access to the internal network from addresses that are not allowed. Moreover, port control gives the firewall the ability to allow only certain kinds of connection to certain kinds of host, or to allow only certain services (Telnet, SMTP, FTP...) to run on the local network.
1.4.4.1.2 Advantages

Most firewall systems use a packet filter. One advantage of packet filtering is its low cost, since the packet-filtering mechanism is included in every router's software.

In addition, the packet filter is transparent to users and applications, so it needs no special training.


1.4.4.1.3 Limitations

Defining packet-filtering rules is quite complex; it requires the network administrator to have a detailed understanding of Internet services, of the packet header formats, and of the particular values they may take in the environment. When the filtering requirements grow, the filtering rules become long and complicated, and very hard to manage and control. Because it works on packet headers, the packet filter obviously cannot control the information content of the packets. Packets passing through can still carry the malicious actions of a bad actor intent on stealing information or causing damage.

1.4.4.2 Application-level gateway

1.4.4.2.1 Principle

This is a kind of firewall designed to strengthen control over the services and protocols that are allowed to access the network. Its operation is based on what is called a proxy service. Proxy services are special programs installed on the gateway for each application. If the network administrator does not install a proxy program for some application, the corresponding service is not provided and therefore cannot pass information through the firewall. In addition, the proxy code can be configured to support only those features of an application that the network administrator considers acceptable, while refusing the others. An application gateway is usually regarded as a fortress (bastion host), because it is specially designed to resist attacks from outside. The security measures of a bastion host are:


- The bastion host always runs secure versions of the system software (operating system). These secure versions are designed specifically to resist attacks on the operating system and to ensure the integration of the firewall.

- Only the services the network administrator considers necessary are installed on the bastion host, simply because if a service is not installed, it cannot be attacked. Usually only a limited set of applications for the Telnet, DNS, FTP and SMTP services and for user authentication are installed on the bastion host.

- The bastion host can require several different levels of authentication, for example user passwords or smart cards.

- Each proxy is configured to allow access to only a certain set of hosts. This means that the command set and features established for each proxy apply only to some of the hosts in the whole system.

- Each proxy maintains a log recording full details of the traffic through it, every connection and the duration of each connection. This log is very useful in tracing or stopping intruders.

- Each proxy is independent of the other proxies on the bastion host. This makes it easy to install a new proxy or to remove a proxy that has a problem.

Example: Telnet proxy
Suppose a user (call him the outside client) wants to use the TELNET service to connect to the network through a bastion host that has a Telnet proxy. The process is as follows:

1. The outside client telnets to the bastion host. The bastion host checks the password; if it is valid, the outside client is allowed into the Telnet proxy's interface. The Telnet proxy allows a small set of Telnet commands and decides which internal hosts the outside client may access.
2. The outside client specifies the destination host, and the Telnet proxy creates its own connection to the internal host and forwards the commands to that host on behalf of the outside client. The outside client believes the Telnet proxy is the real internal host, while the internal host believes the Telnet proxy is the real client.
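The two-step flow above, together with the bastion-host measures (restricted command set, per-proxy list of permitted hosts, a log of every connection), is modelled in the added Python example below. It is not code from this document or from the CSE or TIS software; the user table, host names, response codes and command set are constructed for illustration, and no real Telnet connection is opened.

```python
"""Model of the application-level (Telnet) proxy described in 1.4.4.2.
Added example, not part of the original document or of the CSE/TIS software.
Everything here is constructed: host names, credentials and the command set
are hypothetical, and no network connection is made."""
import hmac
from dataclasses import dataclass, field
from typing import List

# Constructed policy: inside hosts an authenticated outside client may reach,
# and the small set of proxy commands that are understood at all.
ALLOWED_HOSTS = {"mail.internal.example", "db.internal.example"}
ALLOWED_COMMANDS = {"connect", "quit", "help"}
# Constructed credential store (hypothetical). A real gateway would use the
# authentication service the document describes, not a clear-text table.
USERS = {"alice": "correct horse"}


@dataclass
class ProxySession:
    """One outside client's session: step 1 is authentication on the bastion
    host, step 2 is the proxy opening its own connection to a chosen inside host."""
    client_addr: str
    user: str = ""
    authenticated: bool = False
    log: List[str] = field(default_factory=list)

    def _record(self, event: str) -> None:
        # Every proxy keeps a log of each connection attempt (1.4.4.2).
        self.log.append(f"{self.client_addr} {self.user or '-'} {event}")

    def authenticate(self, user: str, password: str) -> bool:
        # Step 1: the bastion host checks the password before the client
        # ever sees the proxy's command interface.
        expected = USERS.get(user)
        ok = expected is not None and hmac.compare_digest(expected, password)
        self.user = user
        self.authenticated = ok
        self._record("auth ok" if ok else "auth failed")
        return ok

    def handle(self, line: str) -> str:
        # Step 2: only the restricted command set, and only permitted hosts.
        if not self.authenticated:
            self._record("command before auth rejected")
            return "530 not authenticated"
        parts = line.strip().split()
        if not parts or parts[0] not in ALLOWED_COMMANDS:
            self._record(f"unknown command {line.strip()!r} rejected")
            return "500 unknown command"
        cmd = parts[0]
        if cmd == "help":
            return "214 commands: " + " ".join(sorted(ALLOWED_COMMANDS))
        if cmd == "quit":
            self._record("session closed")
            return "221 bye"
        if len(parts) != 2:
            return "501 usage: connect <host>"
        host = parts[1]
        if host not in ALLOWED_HOSTS:
            self._record(f"connect {host} denied by policy")
            return f"550 {host}: not permitted"
        # Here the real proxy would open its own TCP connection to `host` and
        # relay the Telnet session on the client's behalf (not done in this model).
        self._record(f"connect {host} permitted")
        return f"220 connected to {host} via proxy"


def demo() -> ProxySession:
    """Walk one outside client through the two-step flow of 1.4.4.2."""
    s = ProxySession(client_addr="203.0.113.7")  # constructed address
    s.handle("connect mail.internal.example")    # rejected: not yet authenticated
    s.authenticate("alice", "wrong")
    s.authenticate("alice", "correct horse")
    s.handle("connect file.internal.example")    # not in ALLOWED_HOSTS
    s.handle("connect mail.internal.example")    # permitted
    s.handle("quit")
    return s


if __name__ == "__main__":
    for entry in demo().log:
        print(entry)
```

Running the file prints the proxy's log for the constructed session: the pre-authentication attempt, the failed and successful logins, the denied and permitted connects, and the close, which is the trail an administrator would use to trace an intruder.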
1.4.4.2.2 Advantages

- It lets the network administrator fully control each service on the network, because the proxy application restricts the command set and decides which hosts can be accessed by the services.

- It lets the network administrator fully control which services are permitted, because the absence of a proxy for a service means that service is blocked.

- The application gateway allows very good authentication checks, and it keeps a log of access to the system.

- The filtering rules for an application gateway are easier to configure and check than those of a packet filter.

1.4.4.2.3 Limitations

It requires users to modify their working habits, or to modify the software installed on the client machine, in order to access the proxy services. For example, Telnet access through an application gateway requires two steps to connect to the destination host instead of one. However, there is also client software that makes the application gateway transparent, by letting the user specify the destination host rather than the gateway on the Telnet command line.

1.4.4.3 Circuit-level gateway
A circuit-level gateway is a special function that can be performed by an application gateway. A circuit-level gateway simply relays TCP connections without performing any processing or packet filtering. Figure 2.2 illustrates a telnet connection through a circuit-level gateway. The circuit-level gateway simply relays the telnet connection through the firewall without checking, filtering or controlling the Telnet protocol at all. The circuit-level gateway works like a piece of wire, copying bytes between the inside connection and the outside connection. However, because the connection appears to originate from the firewall system, it hides information about the internal network. Circuit-level gateways are often used for outgoing connections, where the network administrators really trust the inside users. The greatest advantage is that a bastion host can be configured as a hybrid, providing an application gateway for incoming connections and a circuit-level gateway for outgoing connections. This makes the firewall system easy to use for internal users who want direct access to Internet services, while still providing the firewall function of protecting the internal network from outside attacks.


[Figure 2.2 (diagram not reproduced): outside host - Circuit-level Gateway - inside host, with the "out" connections on the outside and the "in" connections on the inside]

Figure 2.2 Circuit-level gateway
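The "piece of wire" behaviour described in 1.4.4.3, as an added Python example that is not code from this document or from the CSE/TIS toolkit: the gateway accepts an outside connection, opens its own connection to the inside host, and copies bytes in both directions without looking at them, so the outside client only ever sees the gateway's address. The inside service, the addresses and the ports are constructed so the demonstration runs on the loopback interface.

```python
"""Circuit-level gateway (1.4.4.3) as a plain byte relay.
Added example; not code from the original document or the CSE/TIS toolkit.
The inside service, all addresses and ports are constructed for a loopback demo."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    # Copy bytes from src to dst until src closes: no inspection, no filtering.
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # propagate end-of-stream to the other side
        except OSError:
            pass


def relay(outside: socket.socket, inside: socket.socket) -> None:
    # One pump per direction; the outside host talks only to the gateway,
    # so the inside host's address is hidden from it.
    t = threading.Thread(target=_pump, args=(inside, outside), daemon=True)
    t.start()
    _pump(outside, inside)
    t.join()
    outside.close()
    inside.close()


def circuit_gateway(inside_addr, handled: threading.Event):
    """Listen on loopback; for the accepted outside connection open the
    gateway's own connection to inside_addr and relay. Returns (listen_addr, thread)."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)

    def serve():
        outside, _ = lsock.accept()
        inside = socket.create_connection(inside_addr)
        relay(outside, inside)
        lsock.close()
        handled.set()

    th = threading.Thread(target=serve, daemon=True)
    th.start()
    return lsock.getsockname(), th


def inside_service():
    """Constructed inside host: reads one line and answers with its upper-case form."""
    ssock = socket.socket()
    ssock.bind(("127.0.0.1", 0))
    ssock.listen(1)

    def serve():
        conn, _ = ssock.accept()
        with conn:
            data = b""
            while b"\n" not in data:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            conn.sendall(data.upper())
        ssock.close()

    th = threading.Thread(target=serve, daemon=True)
    th.start()
    return ssock.getsockname(), th


def run_demo(payload: bytes = b"hello through the circuit gateway\n") -> bytes:
    """Send payload from an 'outside' client via the gateway and return the reply."""
    inside_addr, inside_th = inside_service()
    done = threading.Event()
    gw_addr, gw_th = circuit_gateway(inside_addr, done)
    with socket.create_connection(gw_addr) as client:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)   # the outside side has finished sending
        reply = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            reply += chunk
    done.wait(5)
    inside_th.join(5)
    gw_th.join(5)
    return reply


if __name__ == "__main__":
    print(run_demo())
```

Note what the relay does not do: it never parses the Telnet protocol or the bytes it carries, which is exactly why the document recommends this kind of gateway only for outgoing connections from users the administrator trusts.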

1.4.5 Limitations of firewalls

A firewall is not as intelligent as a human; it cannot read each kind of information and analyse whether its content is good or bad. The firewall can only block the intrusion of unwanted information sources, and it needs clearly defined address parameters to do so. A firewall cannot stop an attack if that attack does not "pass through" it. Concretely, a firewall cannot defend against an attack over a dial-up line, or against information leaking out because data was illegally copied to a floppy disk. Nor can a firewall defend against data-driven attacks, where a program is sent by electronic mail, passes through the firewall into the protected network and starts acting there. One example is computer viruses. The firewall cannot take on the task of scanning for viruses in the data passing through it, because of its speed of operation, the continual appearance of new viruses, and the many ways of encoding data to escape the firewall's control.


1.4.6 Firewall examples
1.4.6.1 Packet-filtering router
The most common Internet firewall system consists of just a packet-filtering router placed between the internal network and the Internet (figure 2.3). A packet-filtering router has two functions: forwarding traffic between the two networks, and using packet-filtering rules to permit or refuse traffic. Basically, the filtering rules are defined so that hosts on the internal network may access the Internet directly, while hosts on the Internet have only limited access to the computers on the internal network. The idea behind this firewall structure is that anything not explicitly stated as permitted is denied.

[Figure 2.3 (diagram not reproduced): Outside / The Internet - Packet filtering router - Inside / Internal network]

Figure 2.3 Packet-filtering router

Advantages:
- low cost (and simple configuration)
- transparent to users

Limitations:

- It has all the limitations of a packet-filtering router, such as vulnerability to attacks on filters whose configuration is imperfect, or to attacks hidden beneath permitted services.

- Because packets are exchanged directly between the two networks through the router, the risk of attack is determined by the number of hosts and services permitted. As a result, every host allowed direct access to the Internet needs an elaborate authentication system, and the network administrator must check it regularly for signs of attack.

- If the packet-filtering router stops working because of some fault, every system on the internal network can be attacked.

1.4.6.2 Screened host firewall
This system consists of a packet-filtering router and a bastion host (figure 2.4). It provides higher security than the system above, because it implements security at both the network layer (packet filtering) and the application layer. At the same time, an attacker must break through both layers of security to attack the internal network.


[Figure 2.4 (diagram not reproduced): Outside / The Internet - Packet filtering router - Inside: Bastion host, Information server, internal hosts]

Figure 2.4 Screened host firewall (Single-Homed Bastion Host)

In this system the bastion host is configured on the internal network. The filtering rules on the packet-filtering router are defined so that all outside systems can reach only the bastion host; traffic to all other inside systems is blocked. Because the internal systems and the bastion host are on the same network, the organisation's security policy decides whether the internal systems may access the Internet directly or must use the proxy services on the bastion host. Forcing the internal users to do so is achieved by configuring the router's filter so that it accepts only internal traffic that originates from the bastion host.

Advantages: the server providing public information through the Web and FTP services can be placed on the same network as the packet-filtering router and the bastion host. Where the highest level of security is required, the bastion host can run proxy services that require all users, inside and outside, to go through the bastion host before connecting to the server. Where high security is not required, internal hosts can connect directly to the server.

If still higher security is needed, a dual-homed bastion host firewall system can be used (figure 2.5). Such a bastion host has two network interfaces, but direct communication between the two interfaces, other than through the proxy services, is prohibited.

[Figure 2.5 (diagram not reproduced): Outside / The Internet - Packet filtering router - Bastion host (two interfaces) - Inside: Information server, internal hosts]

Figure 2.5 Screened host firewall (Dual-Homed Bastion Host)

Because the bastion host is the only internal system reachable from the Internet, attacks are also limited to the bastion host. However, if a user manages to get into the bastion host, he can easily reach the whole internal network. Therefore users must be forbidden to log in to the bastion host.

1.4.6.3 Demilitarized Zone (DMZ) or Screened-subnet firewall
This system consists of two packet-filtering routers and a bastion host (figure 2.6). This firewall system has the highest security, because it provides both levels of security, network and application, while defining a demilitarized network. The DMZ network acts as a small, isolated network placed between the Internet and the internal network. Basically, a DMZ is configured so that systems on the Internet and on the internal network can reach only a limited set of systems on the DMZ network, and direct transmission across the DMZ network is impossible.

For incoming information, the outside router defends against standard attacks (such as IP address spoofing) and controls access to the DMZ. It allows outside systems to reach only the bastion host, and possibly the information server. The inside router provides a second line of defence by controlling DMZ access to the internal network, allowing only traffic that originates from the bastion host.

For outgoing information, the inside router controls internal network access to the DMZ. It allows inside systems to reach only the bastion host, and possibly the information server. The filtering rules on the outside router require the use of the proxy services by allowing outgoing information only if it originates from the bastion host.

Advantages:
- An attacker needs to break through three layers of protection: the outside router, the bastion host and the inside router.


- Because the outside router advertises only the DMZ network to the Internet, the internal network is invisible. Only a few selected systems on the DMZ are known to the Internet through the routing table and DNS (Domain Name Server) information exchange.

- Because the inside router advertises only the DMZ network to the internal network, systems on the internal network cannot reach the Internet directly. This ensures that inside users are forced to access the Internet through the proxy services.

[Figure 2.6 (diagram not reproduced): Outside / The Internet - Outside router (packet filtering) - DMZ: Bastion host, Information server - Inside router (packet filtering) - Inside]

Figure 2.6 Screened-Subnet Firewall
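The following added Python example (not code from this document or from the CSE/TIS software) serves two passages: the packet-filter principle of 1.4.4.1, where a rule is matched against the header fields the text lists and anything not explicitly permitted is denied, and the screened-subnet design of 1.4.6.3, where the same kind of rules are written for the outside and inside routers of figure 2.6. The address ranges, interface names and the rule sets themselves are constructed assumptions.

```python
"""Packet filtering (1.4.4.1) applied to the screened-subnet design (1.4.6.3).
Added example; not code from the document or from the CSE/TIS software.
Addresses, interface names and rule sets are constructed assumptions."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter examines (the list in 1.4.4.1)."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: Optional[int]
    dport: Optional[int]
    in_if: str                      # incoming interface
    out_if: str                     # outgoing interface
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    icmp_type: Optional[int] = None
    note: str = ""

    def matches(self, p: Packet) -> bool:
        # A None field in the rule is a wildcard for that header field.
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.in_if is None or self.in_if == p.in_if)
                and (self.out_if is None or self.out_if == p.out_if)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything not explicitly permitted is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Constructed topology using documentation address ranges.
DMZ = "192.0.2.0/24"
INSIDE = "10.10.0.0/16"
BASTION = "192.0.2.10/32"
INFOSERVER = "192.0.2.20/32"

# Outside router: drop packets from the Internet that claim a DMZ or inside
# source (1.3.1.3), let the outside reach only the bastion host and the
# information server, and let outgoing traffic leave only from the bastion.
OUTER_ROUTER = [
    Rule("deny", src=INSIDE, in_if="ext", note="anti-spoofing"),
    Rule("deny", src=DMZ, in_if="ext", note="anti-spoofing"),
    Rule("permit", dst=BASTION, proto="tcp", dport=25, in_if="ext"),
    Rule("permit", dst=BASTION, proto="tcp", dport=23, in_if="ext"),
    Rule("permit", dst=INFOSERVER, proto="tcp", dport=80, in_if="ext"),
    Rule("permit", src=BASTION, in_if="dmz", out_if="ext"),
]

# Inside router: inside hosts reach only the bastion and the information
# server, and only the bastion may open connections into the inside network.
INNER_ROUTER = [
    Rule("permit", src=INSIDE, dst=BASTION, in_if="int", out_if="dmz"),
    Rule("permit", src=INSIDE, dst=INFOSERVER, in_if="int", out_if="dmz"),
    Rule("permit", src=BASTION, dst=INSIDE, in_if="dmz", out_if="int"),
]

Hop = Tuple[List[Rule], str, str]   # (rule set, incoming interface, outgoing interface)


def traverse(p: Packet, hops: List[Hop]) -> str:
    """A packet crosses the screened subnet only if every router on its path permits it."""
    for rules, in_if, out_if in hops:
        if filter_packet(rules, replace(p, in_if=in_if, out_if=out_if)) != "permit":
            return "deny"
    return "permit"


def demo() -> dict:
    """Constructed sample flows through the DMZ of figure 2.6."""
    ext_to_bastion = Packet("198.51.100.5", "192.0.2.10", "tcp", 40000, 25, "ext", "dmz")
    ext_to_inside = Packet("198.51.100.5", "10.10.1.20", "tcp", 40001, 23, "ext", "dmz")
    spoofed = Packet("10.10.1.1", "192.0.2.10", "tcp", 40002, 25, "ext", "dmz")
    inside_direct = Packet("10.10.1.20", "198.51.100.9", "tcp", 50000, 80, "int", "dmz")
    inside_to_bastion = Packet("10.10.1.20", "192.0.2.10", "tcp", 50001, 23, "int", "dmz")
    bastion_out = Packet("192.0.2.10", "198.51.100.9", "tcp", 50002, 80, "dmz", "ext")
    return {
        "ext->bastion smtp": traverse(ext_to_bastion, [(OUTER_ROUTER, "ext", "dmz")]),
        "ext->inside telnet": traverse(ext_to_inside, [(OUTER_ROUTER, "ext", "dmz"), (INNER_ROUTER, "dmz", "int")]),
        "spoofed inside source": traverse(spoofed, [(OUTER_ROUTER, "ext", "dmz")]),
        "inside->Internet direct": traverse(inside_direct, [(INNER_ROUTER, "int", "dmz"), (OUTER_ROUTER, "dmz", "ext")]),
        "inside->bastion": traverse(inside_to_bastion, [(INNER_ROUTER, "int", "dmz")]),
        "bastion->Internet": traverse(bastion_out, [(OUTER_ROUTER, "dmz", "ext")]),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:26s} {verdict}")
```

The default-deny at the end of filter_packet is what the document calls "anything not explicitly stated as permitted is denied"; the first two rules of the outside router implement its anti-spoofing role, and the inside router's rules are what force inside users through the bastion host's proxies.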


2. Internet services
As presented above, in general you must determine what you are protecting when you set up a link to an outside network or the Internet: data, resources, reputation. When building a firewall you must look at more concrete questions: which of the services that you use or offer to the outside network (or the Internet) must you protect. The Internet provides a set of services that let users connected to the Internet access and use the information on it. This set of services has been and is being extended with the constant growth of the Internet. The services include the World Wide Web (WWW or Web for short), Email (electronic mail), Ftp (file transfer protocol), telnet (an application for accessing a remote computer), Archie (a system for locating files and directories), finger (a system for identifying users on the Internet), rlogin (remote login) and a number of other services.


2.1 World Wide Web - WWW

WWW is the most recently introduced Internet service, but the fastest growing today. The Web offers an extremely friendly user interface, easy to use, and very convenient and simple for finding information. The Web links information using hyper-link technology, which lets Web pages link directly to one another through their addresses. Through the Web, users can:
- Publish their own news and read news from all over the world
- Advertise themselves, their company or organisation, and view advertisements from around the world, look for jobs, recruit staff, find new technology and products, find friends, and so on
- Exchange information with friends, social organisations, research centres, schools, and so on
- Carry out money transfers or buy and sell goods
- Access the databases of organisations and companies (if permitted)
- And many other activities.


2.2 Electronic Mail (Email)

Email is the most widely used Internet service today. Most messages are simple text, but users can attach files containing images such as diagrams and photographs. The email system on the Internet is the largest electronic mail system in the world, and is often used together with other mail systems. Mail transfer on the Web is more restricted than on the mail systems of the Internet, because the Web is a public medium of exchange, whereas mail is something private. Therefore not every Web browser provides an email function. (The two largest browsers today, Netscape and Internet Explorer, both provide email.)


2.3 Ftp (file transfer protocol)

Ftp is a service that lets files be copied from one computer system to another. Ftp comprises both a protocol and an application program, and is one of the earliest services on the Internet. Ftp can be used at the system level (typing commands on the command line), in a Web browser, or in various other utilities. Ftp is extremely useful to Internet users, because when browsing the Internet you will find countless libraries of useful software in many fields that you can copy and use.


2.4 Telnet and rlogin

Telnet is an application that lets you log in to a remote computer and run applications on it. Telnet is very useful when you want to run an application that is not available or does not run on your own computer, for example a Unix application when your machine is a PC. Or your computer may not be powerful enough to run some application, or may lack the required data files. Telnet lets you work on a computer thousands of kilometres away while feeling as if you were sitting in front of it. The function of rlogin (remote login) is similar to Telnet.


2.5 Archie
Archie is a kind of library that regularly and automatically searches computers on the Internet, building a data store that lists the files that can be downloaded from the Internet. Hence the data in these files is always up to date. Archie is therefore very convenient for users searching for and downloading files. The user need only send a file name, or keywords, to Archie; Archie returns the addresses of the files with that name or containing those words.


2.6 Finger
Finger is an application program that lets you find the addresses of other users on the Internet. At a minimum, finger can tell you who is using a given computer system and what that person's login name is. Finger is often used to find friends' email addresses on the Internet. Finger can also provide much other information, such as how long a person has been logged in to the network. Finger can therefore be considered a helpful assistant, but also a threat to the security of the network.


3. The Firewall system built by CSE


CSE's Firewall 1.0 program suite was released in June 1998. The suite consists of two components:
- the IP Filtering packet filter
- the proxy servers application gateway suite

These two components can operate independently. They can also be combined to form a complete firewall system. In this document we discuss only the application gateway suite, which has been installed at VPCP.


3.1 Overview


CSE's proxy suite (version 1.0) was developed on the basis of the TIS (Trusted Information System) Internet Firewall toolkit, version 1.3. TIS consists of a set of programs and system reconfiguration aimed at building a Firewall. The suite is designed to run on UNIX systems using TCP/IP with the Berkeley socket interface. Installing the proxy suite requires experience in UNIX system administration and TCP/IP networking. At a minimum, the firewall administrator must be familiar with:
- administering and maintaining a running UNIX system
- building packages for the system

Different configuration choices for the system determine different levels of network security. The firewall installer must clearly understand the security requirements of the network to be protected, know precisely which risks are acceptable and which are not, and collect and analyze them from the users' requirements. The proxy suite is designed for several firewall configurations, of which the most basic forms are the dual-homed gateway (figure 2.4), the screened host gateway (figure 2.5), and the screened subnet gateway (figure 2.6). As we know, in these firewall architectures the most fundamental element is the bastion host, which acts as a forwarder of information, logs communications, and provides the services. Maintaining security on the bastion host is extremely important, because it is where most of the effort of installing a firewall system is concentrated.


3.2 Components of the proxy suite:


The proxy suite consists of application-level programs that either replace or are added to the existing system software. The main components of the proxy suite are:
- Smap: the SMTP (Simple Mail Transfer Protocol) service
- Netacl: the Telnet and finger services, and the network access control list
- Ftp-Gw: proxy server for Ftp
- Telnet-Gw: proxy server for Telnet
- Rlogin-Gw: proxy server for rlogin
- Plug-Gw: TCP Plug-Board Connection server (an on-demand connection server using the TCP protocol)

3.2.1 Smap: the SMTP service


SMTP is built using the pair of software tools smap and smapd. One can say that SMTP poses a threat to the system, because mail programs run at the system level in order to deliver mail to users' mailboxes. Smap and smapd address this by isolating the mail program, forcing it to run in a restricted directory via chroot (changing the root directory), as an unprivileged user. The purpose of smap is to isolate the mail program, which has caused many faults on systems. Most mail processing is normally done by the sendmail program. Sendmail requires no changes or reconfiguration at all. When a remote system connects to the SMTP port, the operating system starts smap. Smap immediately chroots to the restricted directory and sets its user-id to a normal (unprivileged) one. Because smap does not require support from any system file, the restricted directory contains only files created by smap. Thus you need not fear that smap will modify system files once it has chrooted. Smap's sole purpose is to conduct the SMTP dialogue with other systems, collect mail messages, write them to disk, log, and exit. Smapd is responsible for regularly scanning smap's spool directory and passing the queued messages to sendmail for final delivery. Note that if sendmail is configured normally, and smap runs with the uucp user-id (?), mail can be delivered normally without smapd running with high privileges. When smapd delivers a message, it deletes the file holding the message from the spool. In this sense sendmail is isolated, so a malicious user on the network cannot connect to sendmail without going through smap. However, smap and smapd cannot solve the problem of forged mail or other kinds of attacks via mail. Smap is very small compared to sendmail (700 lines versus 20,000 lines), so analyzing the source to find faults is much simpler.

3.2.2 Netacl: network access control tool


We know that inetd provides no network access control at all: it allows any system on the network to connect to the services listed in the inetd.conf file.


Netacl is a network access control tool, based on the network address of the client machine and the service requested. So a client (identified by IP address or hostname) can start telnetd (a different version of telnet) when it connects to the telnet service port on the firewall. Commonly in firewall configurations, netacl is used to prevent all machines except a few hosts from logging in to the firewall via either telnet or rlogin, and to block access from attackers. Netacl's security is based on IP address and/or hostname. For systems requiring high security, IP addresses should be used to avoid DNS spoofing. Netacl cannot defend against IP address spoofing via source routing or other means. If such attacks are possible, a router capable of screening source-routed packets must be used. Note that netacl does not provide UDP access control, because current technology cannot guarantee authentication of UDP. Security for UDP services here means disallowing all UDP services. Netacl consists of only 240 lines of (commented) C code, so it is very easy to check and adjust. However, care is still needed when configuring it.

3.2.3 Ftp-Gw: proxy server for Ftp


Ftp-Gw is a proxy server that provides network access control based on IP address and/or hostname, and secondary access control that allows optional blocking or logging of any ftp command. The destination of the service can also optionally be permitted or blocked. All connections and all bytes of data passing through are logged.


Ftp-Gw in itself does not threaten the security of the firewall system, because it runs chrooted to an empty directory and performs no file I/O other than reading its configuration file. Ftp-gw is about 1,300 lines. The ftp gateway provides only the ftp service, without concern for who is or is not entitled to export files. Therefore, rights must be established on the gateway and enforced before any file export or import takes place. The ftp gateway should be installed according to the network's security policy. The source code allows the network administrator to provide both the ftp service and the ftp proxy on the same system.

3.2.4 Telnet-Gw: proxy server for Telnet


Telnet-Gw is a proxy server that provides network access control based on IP address and/or hostname, and secondary access control that allows optional blocking of any destination. All connections and all bytes of data passing through are logged. Each time a user connects to telnet-gw, a simple menu of options for connecting to a remote host appears. Telnet-gw does not harm system security, because it runs chrooted to a restricted directory. The source file contains only 1,000 lines of code. Menu handling takes place entirely in memory, with no subshell or other program involved. Nor is there any file I/O other than reading the configuration file. Thus telnet-gw cannot provide access to the firewall system itself.


3.2.5 Rlogin-Gw: proxy server for rlogin


Terminal access via the BSD rlogin protocol can be provided through the rlogin proxy. rlogin allows checking and network access control similar to the telnet gateway. The rlogin client can specify the remote system as soon as it connects to the proxy, which limits the user's required interaction with the machine (when no authentication is required).

3.2.6 Sql-Gw: proxy server for Oracle Sql-net


Normally, information from the Oracle database is retrieved through the WWW service. However, to support users of the plus33 program connecting to the Oracle server, CSE's firewall suite includes the Sql-net proxy program. Access control is performed via the hostname or IP address of the source and destination machines.

3.2.7 Plug-Gw: TCP Plug-Board Connection server


The firewall provides common services such as Usenet news. The network administrator can choose either to run this service on the firewall itself or to install a proxy server. Because running news directly on the firewall easily exposes the system to faults in that software, the safer approach is to use the proxy. Plug-gw is designed for Usenet News. Plug-gw can be configured to permit or deny connections based on IP address or hostname. All connections and all bytes of data passing through are logged.


3.3 Installation
The installation set consists of two 1.44 MB floppy disks, R1 and R2. Each installation set has a different serial number and works only on the machine whose hostname was fixed in advance. Installation proceeds in the normal way using the custom command. During installation, a user named proxy is registered with the system to carry out the proxy management functions. The installer must set a password for this user. A directory /usr/proxy is created automatically, with the subdirectories:
- bin, holding the executable programs
- etc, holding the Firewall configuration files and some sample configuration files for the system when running with the Firewall, such as inetd.conf, services, syslog.conf
- log, holding the log files
- report, holding the report files produced later.

Configuration and administration of the CSE Firewall are all done through the menu functions available after logging in to the Firewall machine as the user proxy. After installation, the following system files should be renamed and saved before configuring: /etc/inetd.conf, /etc/services, /etc/syslog.conf.


3.4 Configuration:


3.4.1 Initial network configuration
With a host-based Firewall, we can be confident that the network is set up according to a chosen security policy intended to prevent all unwanted traffic between the protected network and the outside network. This can be done with a screening router or a dual-homed gateway. Usually, network devices rely on the security mechanism installed on the router through which every connection must pass. One concern is that during installation, the public servers (the Firewall bastion host) can be attacked before their security mechanisms are completely configured and running. Therefore the inetd.conf file should be configured to deny all network services from outside, and a console terminal should be used for installation. At that point we can specify which accesses between the protected network and the outside will be blocked. Depending on the purpose, we can block accesses according to their direction. The program must also be tested thoroughly before use. If necessary, the program /usr/proxy/bin/netscan can be used to try connecting to every computer in the subnet as a check. It will attempt to pass through the Firewall in every direction to make sure that illegitimate accesses are impossible. Blocking inbound and outbound access is the linchpin of the Firewall's security mechanism, and it should not be used before it has been installed and tested carefully.


3.4.2 Configuring the Bastion Host


A basic reason for building a Firewall is to block unnecessary services and services that are not well understood. Blocking unnecessary services requires the installer to understand the system configuration. The steps are as follows: edit the files /etc/inetd.conf, /etc/services, /etc/syslog.conf and /etc/sockd.conf. Modify the operating system configuration, removing services that can cause faults such as NFS, then rebuild the kernel. This is repeated until the system provides the minimal set of services that the administrator trusts. This configuration can be done alongside checking which services are actually running, using the ps and netstat commands. Most servers are configured together with other security measures; these configurations are described later. A general tool for probing TCP/IP services is /usr/proxy/bin/portscan, which can be used to see which services are being offered. If there are no special requirements, the configuration files mentioned above, pre-built and placed in /usr/proxy/etc during installation, can be used; otherwise they can be consulted and modified as required. All components of the Firewall suite require a common configuration file (by default /usr/proxy/etc/netperms). Most components of the Firewall suite are invoked by the system's inetd service, declared in /etc/inetd.conf similarly to the following:

ftp       stream  tcp  nowait  root    /usr/proxy/bin/netacl    ftpd
ftp-gw    stream  tcp  nowait  root    /usr/proxy/bin/ftp-gw    ftp-gw
telnet-a  stream  tcp  nowait  root    /usr/proxy/bin/netacl    telnetd
telnet    stream  tcp  nowait  root    /usr/proxy/bin/tn-gw     tn-gw
login     stream  tcp  nowait  root    /usr/proxy/bin/rlogingw  rlogin-gw
finger    stream  tcp  nowait  nobody  /usr/proxy/bin/netacl    fingerd
http      stream  tcp  nowait  root    /usr/proxy/bin/netacl    httpd
smtp      stream  tcp  nowait  root    /usr/proxy/bin/smap      smap

The netacl program is a TCP wrapper that provides access control for TCP services and uses the same configuration file as the rest of the Firewall. The first step in configuring netacl is to allow the internal network limited access to the Firewall, if that is needed for administration. Depending on whether the TELNET gateway tn-gw is installed, the administrator may have to reach the Firewall through a port other than telnet's standard port (23), because telnet normally does not allow a program to accept connections on a port other than its standard one. The proxy service will run on port 23 and the real telnet will run on another port, for example the service named telnet-a above (see the inetd.conf file above). The correctness of netacl can be checked by configuring it to permit or deny some hosts and then attempting to access the services from them. Once netacl is configured, the TELNET and FTP gateways must be configured accordingly. Configuring the TELNET gateway is simply a matter of treating it as a service and writing in netacl.conf a description of which systems may use it. Help can be provided to users when needed. Configuring the FTP proxy is similar. However, FTP can use a different port, unlike TELNET. Many FTP clients support the use of a non-standard port.
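A check on the bastion host's inetd.conf, added here as an illustration (not CSE's or TIS's code): it parses entries like the ones above and reports services started by a program outside /usr/proxy/bin, UDP services (which netacl cannot control), and services with no /etc/services entry. The sample inetd.conf and services contents are constructed; the rshd and tftpd lines, the telnet-a port and the missing ftp-gw port are assumptions made for the demonstration.

```python
"""Audit the bastion host's inetd.conf for services that bypass the proxy suite.

Added illustration, not CSE or TIS code. The checks are assumptions chosen for
this example: every TCP service should be started through /usr/proxy/bin/netacl
or a gateway under /usr/proxy/bin; UDP services are reported because netacl
cannot control UDP; a service with no /etc/services entry is reported because
inetd cannot find a port for it.
"""
from dataclasses import dataclass

PROXY_BIN = "/usr/proxy/bin/"

# Constructed sample: the inetd.conf entries shown above plus an unwrapped rshd
# line and a UDP tftpd line added to show what the audit reports.
SAMPLE_INETD_CONF = """\
ftp       stream tcp nowait root   /usr/proxy/bin/netacl    ftpd
ftp-gw    stream tcp nowait root   /usr/proxy/bin/ftp-gw    ftp-gw
telnet-a  stream tcp nowait root   /usr/proxy/bin/netacl    telnetd
telnet    stream tcp nowait root   /usr/proxy/bin/tn-gw     tn-gw
login     stream tcp nowait root   /usr/proxy/bin/rlogingw  rlogin-gw
finger    stream tcp nowait nobody /usr/proxy/bin/netacl    fingerd
http      stream tcp nowait root   /usr/proxy/bin/netacl    httpd
smtp      stream tcp nowait root   /usr/proxy/bin/smap      smap
shell     stream tcp nowait root   /usr/sbin/rshd           rshd
tftp      dgram  udp wait   root   /usr/sbin/tftpd          tftpd
"""

# Constructed sample /etc/services; the telnet-a port is an assumption and the
# ftp-gw entry is deliberately left out.
SAMPLE_SERVICES = """\
ftp        21/tcp
telnet     23/tcp
smtp       25/tcp
tftp       69/udp
finger     79/tcp
http       80/tcp
login     513/tcp
shell     514/tcp
telnet-a 2323/tcp
"""


@dataclass
class InetdEntry:
    service: str
    socktype: str
    proto: str
    wait: str
    user: str
    program: str
    args: list


def parse_inetd_conf(text):
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 6:
            raise ValueError("malformed inetd.conf line: %r" % raw)
        entries.append(InetdEntry(f[0], f[1], f[2], f[3], f[4], f[5], f[6:]))
    return entries


def parse_services(text):
    """Map service name to (port, protocol) from /etc/services lines."""
    ports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, spec = line.split()[:2]
        port, proto = spec.split("/")
        ports[name] = (int(port), proto)
    return ports


def is_wrapped(entry):
    """True when the service is started by netacl or a gateway from the proxy suite."""
    return entry.program.startswith(PROXY_BIN)


def audit_inetd(entries, ports):
    """Return (service, reason) findings; an empty list means every entry passes."""
    findings = []
    for e in entries:
        if e.proto.startswith("udp"):
            findings.append((e.service, "UDP service; netacl cannot control UDP"))
        elif not is_wrapped(e):
            findings.append((e.service, "started directly by %s, not via netacl or a gateway" % e.program))
        if e.service not in ports:
            findings.append((e.service, "no /etc/services entry, inetd cannot find its port"))
    return findings


if __name__ == "__main__":
    for service, reason in audit_inetd(parse_inetd_conf(SAMPLE_INETD_CONF),
                                       parse_services(SAMPLE_SERVICES)):
        print("%-10s %s" % (service, reason))
```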


The rlogin service is an option that can be used; it must be installed on the bastion host's application port (port 512), because the rlogin protocol requires a special port, a process that needs UNIX system privilege. An administrator who wants to use this security mechanism must set up a directory for the proxy so as to confine it within that directory. Smap and smapd are mail filtering processes that can be installed to use the proxy's own directory for processing, or some directory in the system. Smap and smapd do not replace sendmail, so sendmail must still be configured for the Firewall. This is not described in this document.

3.4.3 Establishing the rule set


When configuring the proxy servers and the network access control program, what matters is to set up precisely a rule set that correctly expresses the desired security model. A good way to begin configuring the Firewall is to let everyone on the inside network use the services freely while denying everyone outside. Configuring the firewall is not too complicated, since it is designed to support every situation. The file /usr/proxy/etc/netperms is the configuration/permissions database for the Firewall components: netacl, smap, smapd, ftp-gw, tn-gw, http-gw, and plug-gw. When one of these applications starts, it reads its configuration and permissions from netperms and stores them in an in-memory database. The configuration/permissions file is organized as rules, each on one line. The first part of each rule is the application name, followed by a colon (:). Several applications can share one rule, with their names separated by commas. Comment lines can be inserted in the configuration file by starting the line with the character #.


3.4.3.1 Establishing the rule sets for the HTTP and FTP services
Configuring the HTTP and FTP services is similar. We give details only for configuring the rules for the FTP service.
# Example ftp gateway rules:
# --------------------------------
ftp-gw:  denial-msg    /usr/proxy/etc/ftp-deny.txt
ftp-gw:  welcome-msg   /usr/proxy/etc/ftp-welcome.txt
ftp-gw:  help-msg      /usr/proxy/etc/ftp-help.txt
ftp-gw:  permit-hosts  10.10.170.* -log {retr stor}
ftp-gw:  timeout       3600

In the example above, the 10.10.170 network is allowed to use the proxy, while every other host not in the list is denied all access. If another network tries to use the proxy, it receives the denial message from /usr/proxy/etc/ftp-deny.txt and the connection is then closed. If the protected network grows, one simply adds more permit lines:
ftp-gw: permit-hosts 16.67.32.* -log {retr stor}

or
ftp-gw: permit-hosts 16.67.32.* -log {retr stor}
ftp-gw: permit-hosts 10.10.170.* -log {retr stor}

Each Firewall component has its own set of options, described in that component's manual page. In the example above, the option -log {retr stor} makes the FTP proxy log the retr and stor commands.


3.4.3.2 Anonymous FTP
Anonymous FTP servers have been used on the UNIX operating system for a long time. Security holes frequently arise from newly added features, from bugs, and from misconfiguration. One approach to securing anonymous FTP is to use netacl to make sure the FTP server is confined to its directory before it is invoked. With such a configuration, it is hard for anonymous FTP to damage the system outside the FTP area. Below is an example of using netacl to decide, for each connection, whether or not to confine the FTP area. Assume the protected network is 192.5.12.
netacl-ftpd:  hosts 192.5.12.*  -exec /etc/ftpd
netacl-ftpd:  hosts unknown     -exec /bin/cat /usr/proxy/etc/noftp.txt
netacl-ftpd:  hosts *           -chroot /ftpdir -exec /etc/ftpd

In this example, users connecting to the FTP service from the protected network get normal FTP. Users connecting from systems of another domain receive a message that they are not permitted to use FTP. Every other system connecting to FTP is confined to the FTP file area. This has several security advantages. First, when checking authentication, ftpd checks the user's password within the FTP area, which lets the administrator create accounts for FTP. This is needed for people who have no account on the bastion host. It provides checking and authentication, and it lets the administrator use the strengths of ftpd even though it contains some security holes.


3.4.3.3 Telnet and rlogin
In general, access to the bastion host should be denied; only the administrator may log in. Usually when running the proxy, the telnet and rlogin programs cannot run on their standard ports. There are three ways to solve this problem:
- Run the telnet and rlogin proxies on the standard ports, with telnet and rlogin on other ports, and protect access to them with netacl.
- Allow login only from the console terminal.
- Use netacl to switch depending on the origin of the connection, with the proxy performing the actual connection.
The last solution is very convenient but allows everyone entitled to use the proxy to log in to the bastion host. If the bastion host uses strong authentication to manage user access, the risk of attacks on the bastion host is reduced. To configure the system, first, all devices connect to the system through netacl, which is used to invoke either the server programs or the proxy servers depending on where the connection originates. An administrator who wants to enter the bastion host first connects to netacl and then issues the command to connect to the bastion host. This is simple, and some versions of telnet and rlogin do not work unless connected on the right port.

netacl-telnetd:  permit-hosts  127.0.0.1  -exec /etc/telnetd
netacl-telnetd:  permit-hosts  myaddress  -exec /etc/telnetd
netacl-telnetd:  permit-hosts  *          -exec /usr/proxy/bin/tn-gw
netacl-rlogin:   permit-hosts  127.0.0.1  -exec /etc/rlogin
netacl-rlogin:   permit-hosts  myaddress  -exec /etc/rlogin
netacl-rlogin:   permit-hosts             -exec /usr/proxy/bin/rlogin-gw
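An evaluator for netperms host rules, written for the rule format of 3.4.3, the ftp-gw rules of 3.4.3.1 and the netacl dispatch rules of 3.4.3.2 and 3.4.3.3; it is an added illustration, not CSE's or TIS's code. Assumed, because the page does not state it: the first matching rule of an application wins, no match means deny, and '*' is a shell-style wildcard over the client address or host name.

```python
"""Evaluate netperms host rules (added illustration, not CSE or TIS code).

Assumed, not stated on the page: rules apply top to bottom and the first
permit-hosts/deny-hosts/hosts rule of an application whose pattern matches
the client decides; no match means deny; '*' is a shell-style wildcard over
the client address or resolved host name; 'unknown' means an unresolved name.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed sample built from the rules shown in 3.4.3.1 to 3.4.3.3.
SAMPLE_NETPERMS = """\
# Example ftp gateway rules:
ftp-gw: permit-hosts 10.10.170.* -log {retr stor}
ftp-gw: timeout      3600
netacl-ftpd: hosts 192.5.12.* -exec /etc/ftpd
netacl-ftpd: hosts unknown    -exec /bin/cat /usr/proxy/etc/noftp.txt
netacl-ftpd: hosts *          -chroot /ftpdir -exec /etc/ftpd
netacl-telnetd: permit-hosts 127.0.0.1 -exec /etc/telnetd
netacl-telnetd: permit-hosts *         -exec /usr/proxy/bin/tn-gw
http-gw: permit-hosts 190.2.* 10.* 192.2.0.* -log { all }
"""


@dataclass
class Rule:
    apps: list     # names before ':' (comma separated, so one rule may serve several apps)
    keyword: str   # permit-hosts, timeout, denial-msg, ...
    args: list     # remaining tokens; a '{a b}' group becomes the nested list ['a', 'b']


@dataclass
class Decision:
    permit: bool
    options: dict  # e.g. {"exec": ["/etc/ftpd"], "chroot": "/ftpdir", "log": ["retr", "stor"]}


def tokenize(body):
    """Split a rule body on whitespace, folding '{...}' into one list token."""
    tokens, group = [], None
    for tok in body.split():
        if group is None and tok.startswith("{"):
            group, tok = [], tok[1:]
        if group is None:
            tokens.append(tok)
        elif tok.endswith("}"):
            if tok[:-1]:
                group.append(tok[:-1])
            tokens.append(group)
            group = None
        elif tok:
            group.append(tok)
    if group is not None:
        raise ValueError("unterminated '{' in: %r" % body)
    return tokens


def parse_netperms(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        head, sep, body = line.partition(":")
        tokens = tokenize(body) if sep else []
        if not tokens:
            raise ValueError("malformed rule: %r" % raw)
        rules.append(Rule([a.strip() for a in head.split(",")], tokens[0], tokens[1:]))
    return rules


def split_options(args):
    """Separate host patterns from '-option' arguments; -exec consumes the rest of the line."""
    is_option = lambda t: isinstance(t, str) and t.startswith("-")
    patterns, options, i = [], {}, 0
    while i < len(args) and not is_option(args[i]):
        patterns.append(args[i])
        i += 1
    while i < len(args):
        name = args[i][1:]
        if name == "exec":                      # program plus its arguments
            options[name] = args[i + 1:]
            break
        if i + 1 < len(args) and not is_option(args[i + 1]):
            options[name] = args[i + 1]         # -log {..}, -auth {..}, -chroot dir
            i += 2
        else:
            options[name] = True                # bare flag such as -authall
            i += 1
    return patterns, options


def host_matches(pattern, addr, hostname):
    if pattern == "unknown":
        return hostname is None
    return fnmatchcase(addr, pattern) or (hostname is not None and fnmatchcase(hostname, pattern))


def decide(rules, app, addr, hostname=None):
    """First host rule of `app` matching the client wins; no match means deny."""
    for rule in rules:
        if app not in rule.apps or rule.keyword not in ("permit-hosts", "permit-host", "deny-hosts", "hosts"):
            continue
        patterns, options = split_options(rule.args)
        if any(host_matches(p, addr, hostname) for p in patterns):
            return Decision(rule.keyword != "deny-hosts", options)
    return Decision(False, {})
```

Calling decide(parse_netperms(SAMPLE_NETPERMS), "netacl-ftpd", "1.2.3.4", "ftp.example") yields the chrooted ftpd, while the same address with no resolved name gets the noftp.txt message, which is the ordering the anonymous FTP rules above rely on.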

3.4.3.4 Sql-net proxy
Suppose there are two databases: STU on machine 190.2.2.3 and VPCP on machine 190.2.0.4. To configure the sql-net proxy, proceed as follows:
3.4.3.4.1 Configuration on the firewall

Set the configuration in the netperms file as follows:

#Oracle proxy for STU Database
ora_stu1:   timeout 3600
ora_stu1:   port 1521 * -plug-to 190.2.2.3 -port 1521
ora_stu2:   timeout 3600
ora_stu2:   port 1526 * -plug-to 190.2.2.3 -port 1526

#Oracle proxy for VBPQ Database
ora_vpcp1:  timeout 3600
ora_vpcp1:  port 1421 * -plug-to 190.2.0.4 -port 1521
ora_vpcp2:  timeout 3600
ora_vpcp2:  port 1426 * -plug-to 190.2.0.4 -port 1526

Set /etc/services as follows:

#Oracle Proxy for STU Database
ora_stu1   1521/tcp   oracle proxy
ora_stu2   1526/tcp   oracle proxy

#Oracle Proxy for VBPQ Database
ora_vpcp1  1421/tcp   oracle proxy
ora_vpcp2  1426/tcp   oracle proxy

Set /etc/inetd.conf as follows:

#Oracle Proxy for VBPQ Database
ora_stu1   stream  tcp  nowait  root  /usr/proxy/bin/plug-gw  ora_stu1
ora_stu2   stream  tcp  nowait  root  /usr/proxy/bin/plug-gw  ora_stu2

#Oracle Proxy for VBPQ Database
ora_vpcp1  stream  tcp  nowait  root  /usr/proxy/bin/plug-gw  ora_vpcp1
ora_vpcp2  stream  tcp  nowait  root  /usr/proxy/bin/plug-gw  ora_vpcp2

Set /etc/syslog.conf as follows:

#Logfile for Sql-gw
sql-gw    /usr/proxy/log/plug-gw

3.4.3.4.2 Configuration on the workstation

Set the file oracle_home\network\admin\tnsnames.ora as follows:

#Logfile for Sql-gw
stu.world =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS =
        (COMMUNITY = tcp.world)
        (PROTOCOL = TCP)
        (Host = firewall)
        (Port = 1521)
      )
      (ADDRESS =
        (COMMUNITY = tcp.world)
        (PROTOCOL = TCP)
        (Host = firewall)
        (Port = 1526)
      )
    )
    (CONNECT_DATA =
      (SID = STU)
    )
  )

vpcp.world =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS =
        (COMMUNITY = tcp.world)
        (PROTOCOL = TCP)
        (Host = firewall)
        (Port = 1421)
      )
      (ADDRESS =
        (COMMUNITY = tcp.world)
        (PROTOCOL = TCP)
        (Host = firewall)
        (Port = 1426)
      )
    )
    (CONNECT_DATA =
      (SID = ORA1)
    )
  )

You can easily extend this to many other databases located on different machines.
3.4.3.5 Other services
Similarly, the following are configuration examples for the other services declared in the netperms file:
# finger gateway rules:
# ---------------------
netacl-fingerd:  permit-hosts  190.2.* ws1  -exec /etc/fingerd
netacl-fingerd:  deny-hosts    *            -exec /bin/cat /usr/proxy/etc/finger.txt

# http gateway rules:
# ---------------------
netacl-httpd:  permit-hosts   *  -exec /usr/proxy/bin/http-gw
http-gw:       timeout        3600
#http-gw:      denial-msg     /usr/proxy/etc/http-deny.txt
#http-gw:      welcome-msg    /usr/proxy/etc/http-welcome.txt
#http-gw:      help-msg       /usr/proxy/etc/http-help.txt
http-gw:       permit-hosts   190.2.* 10.* 192.2.0.* -log { all }
http-gw:       deny-hosts     220.10.170.32 ws1
http-gw:       default-httpd  hpnt
#
# smap (E-mail) rules:
# ---------------------
smap, smapd:   userid      root
smap, smapd:   directory   /usr/spool/mail
smapd:         executable  /usr/proxy/bin/smapd
smapd:         sendmail    /usr/lib/sendmail
smap:          timeout     3600
#

In addition, the CSE Firewall has a socks service for controlling special application software such as Lotus Notes. The following must be added to the system configuration files. File /etc/services:
socks 1080/tcp

File /etc/inetd.conf:
socks stream tcp nowait root /etc/sockd sockd

The configuration and rules for this service are in the file /etc/sockd.conf; only two keywords matter, permit and deny, which allow or disallow hosts to pass through. This service is not combined with the authentication service. The IP address and netmask in this file are written the same way as for the UNIX route command.
permit 190.2.0.0 255.255.0.0
permit 10.10.170.50 255.255.255.255
permit 10.10.170.40 255.255.255.255
permit 10.10.170.31 255.255.255.255
deny 0.0.0.0 0.0.0.0 : mail -s 'SOCKD: rejected -- from %u@%A to host %Z (service %S)' root
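An evaluator for the sockd.conf rules above, added as an illustration (not CSE's or TIS's code). Assumed, because the page does not state it: the first matching rule in file order wins, the text after ':' on a rule is the command run when that rule rejects a connection, and %u, %A, %Z and %S stand for the user, client address, destination host and service named in the sample message; the block also reports rules that an earlier, broader rule makes unreachable, which is the misordering check a deny 0.0.0.0 0.0.0.0 line invites.

```python
"""Evaluate sockd.conf permit/deny rules (added illustration, not CSE or TIS code).

Assumed, not stated on the page: rules are tried top to bottom and the first
match decides; a client matching nothing is denied; the text after ':' on a
rule is a command run when that rule rejects a connection, and its %u, %A, %Z
and %S markers stand for user, client address, destination host and service.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed sample: the /etc/sockd.conf shown above.
SAMPLE_SOCKD_CONF = """\
permit 190.2.0.0 255.255.0.0
permit 10.10.170.50 255.255.255.255
permit 10.10.170.40 255.255.255.255
permit 10.10.170.31 255.255.255.255
deny 0.0.0.0 0.0.0.0 : mail -s 'SOCKD: rejected -- from %u@%A to host %Z (service %S)' root
"""


@dataclass
class SockdRule:
    action: str   # "permit" or "deny"
    addr: int     # address field as a 32-bit integer
    mask: int     # netmask field as a 32-bit integer
    command: str  # command after ':', "" when there is none


def parse_sockd_conf(text):
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        spec, _, command = line.partition(":")   # first ':' separates rule from command
        fields = spec.split()
        if len(fields) != 3 or fields[0] not in ("permit", "deny"):
            raise ValueError("malformed sockd.conf rule: %r" % raw)
        rules.append(SockdRule(fields[0], int(IPv4Address(fields[1])),
                               int(IPv4Address(fields[2])), command.strip()))
    return rules


def rule_matches(rule, client):
    """Route-style test: client and rule address agree on every bit set in the mask."""
    return (int(IPv4Address(client)) & rule.mask) == (rule.addr & rule.mask)


def sockd_decision(rules, client):
    """Return (action, command) of the first matching rule; no match means deny."""
    for rule in rules:
        if rule_matches(rule, client):
            return rule.action, rule.command
    return "deny", ""


def expand_command(template, user, client, dest, service):
    """Substitute the %u/%A/%Z/%S markers of a rejection command."""
    return (template.replace("%u", user).replace("%A", client)
                    .replace("%Z", dest).replace("%S", service))


def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule covers their range.

    An earlier rule covers a later one when every bit of the earlier mask is also
    set in the later mask and both addresses agree under the earlier mask. A
    'deny 0.0.0.0 0.0.0.0' line placed first therefore shadows everything after it.
    """
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.mask & later.mask) == earlier.mask and \
                    (earlier.addr & earlier.mask) == (later.addr & earlier.mask):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    rules = parse_sockd_conf(SAMPLE_SOCKD_CONF)
    for client in ("190.2.5.6", "10.10.170.50", "10.10.170.51"):   # constructed clients
        action, command = sockd_decision(rules, client)
        print(client, action, expand_command(command, "user", client, "notes.example", "notes"))
    print("shadowed rule indexes:", shadowed_rules(rules))
```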


3.4.4 Authentication and the authentication service


The Firewall suite includes an authentication server program designed to support the authorization mechanism. Authsrv holds a database of the users in the network; each record corresponds to one user and contains the authentication mechanism for that user, including the group name, the user's full name, and the most recent access. Plain text passwords are used for users inside the network so that administration stays simple. Plain text passwords should not be used for users coming from the outside network. Authsrv runs on a secure host, normally the bastion host. To simplify administration of authsrv, the administrator can use the authmgr shell to manage the database; it provides a data encryption mechanism. The users in an authsrv database can be divided into different groups, each managed by a group administrator who has full authority within the group, including adding and removing users. This is convenient when several organizations share one Firewall. To configure authsrv, first pick a free TCP port and add a line to inetd.conf that invokes authsrv whenever a connection is requested. Authsrv is not a continuously running daemon; it is invoked whenever requested and holds a copy of the database to avoid risk. Adding authsrv to inetd.conf requires adding an entry in /etc/services. Because authsrv accepts no parameters, the lines to add to inetd.conf and services are as follows. In /etc/services:
authsrv 7777/tcp

In /etc/inetd.conf:


authsrv  stream  tcp  nowait  root  /usr/proxy/bin/authsrv  authsrv

The service port used for authsrv is then used when configuring the client applications that use the authentication service. The authentication service need not be applied to all services or to all clients.

#Example ftp gateway rules:
ftp-gw:  authserver    local host 7777
ftp-gw:  denial-msg    /usr/proxy/etc/ftp-deny.txt
ftp-gw:  welcome-msg   /usr/proxy/etc/ftp-welcome.txt
ftp-gw:  help-msg      /usr/proxy/etc/ftp-help.txt
ftp-gw:  permit-host   192.33.112.100
ftp-gw:  permit-host   192.33.112.* -log {retr stor} -auth {stor}
ftp-gw:  permist-host  * -authall
ftp-gw:  timeout       36000

In the example above, authentication is used with the FTP proxy. The first line defines the network address and service port of the authentication program. The permit-host line shows one of the flexibilities of the authentication system: a chosen host is exempt from the authentication mechanism, and users from this host can freely access every service of the proxy. The second permit-host requires authentication of every system in the 192.33.112 network that wants to transfer outward; with -auth {stor} the FTP store operation is blocked until the user completes authentication with the server. Then the command is unlocked and the user can enter the system. The last example defines that anyone can connect to the server but must first be authenticated. The authsrv server must be configured to know which machines are permitted to connect. This blocks all illegitimate access attempts to the server from machines not running the authentication software. In the Firewall, authsrv runs on the bastion host together with the proxies there. If no other system needs access, every client and server treats the local host as the communication address. The authsrv configuration defines where it keeps its database and which clients it supports.
#Example authsrv rules:
authsrv:  database     /usr/proxy/bin/authsrv.db
authsrv:  permit-host  localhost
authsrv:  permit-host  192.5.214..32

In the example above, the path to the database is defined and two hosts are recognized. Note that the database must be on the protected system or strictly protected by the file access mechanism. Protecting the database is very important, so the database should be on the bastion host. The second entry is an example of a client using DES encryption when communicating with authsrv. The encryption key held in the configuration file means that the configuration file must be protected. In general, encryption is not necessary. What encryption achieves is to let the administrator manage the authentication database from a workstation. The only data stream that needs protecting is when the network administrator resets a password over the local network, or manages the authentication database over a wide-area network. Maintaining the authentication database relies on two tools, authload and authdump, to load and dump the authentication database. The administrator should run authdump from crontab to create an ASCII copy of the database in case the database is corrupted or deleted. Authsrv manages groups very flexibly: the administrator can group users into groups with group wiz; a person with group administrator rights can delete, add, create and edit records in the group, enable or disable users, and change the passwords of users in their own group. A group administrator cannot change users of other groups, create new groups, or change the relationships between groups. A group administrator has authority only within their own group. This is useful for organizations with many working groups sharing the Firewall. Create a user with the adduser command:
adduser mrj Marcus J. Ranum

When a new user record is created it is not yet active and the user cannot yet log in. Before the user logs in, the network administrator can change the user's password and group:
group users mjr
password whumpus mjr
proto SecurID mjr
enable mjr

When a user record is created by a group administrator, it inherits the group as well as the authentication protocol. User records can be viewed with the display or list command. Example of a session with authmgr:
%-> authmgs
Connected to server
authmgr-> login
Username: wizard
Challenge 200850 : 182312
Logged in
authmgs-> disp wizard
Report for user wizard (Auth DBA)
Last authenticated: Fri Oct 8 17:11:07 1993
Authentication protocol: Snk
Flags: WIZARD
authmgr-> list
Report for user in database
user    group  longname         flags  proto   last
-----   -----  --------         -----  -----   ----
wizard  users  Auth DBA         y W    Snk     Fri Oct  8 17:02:56 1993
avolio  users  Fred Avolio      y      passwd  Fri Sep 24 10:52:14 1993
rnj     users  Robert N. Jesse  y      passwd  Wed Sep 29 18:35:45 1993
mjr     users  Marcus J. Ranum  y      none    Fri Oct  8 17:02:10 1993
authmgr-> adduser dalva Dave dalva
ok - user added initially disable
authmgr-> enable dalva
enabled
authmgr-> group dalva users
set group
authmgr-> proto dalva Skey
changed
authmgr-> disp dalva
Report for user dalva, group users (Dave Dalva)
Authentication protocol: Skey
Flags: none
authmgr-> password dalva
Password: #######
Repeat Password: #######
ID dalva s/key is 999 sol32
authmgr-> quit

In the example above, the administrator connects to authsrv over the network using the authmgr interface; after authentication, the user record is displayed with the authentication time. After login, the user database is listed, a user is created, a password is set, and the user is enabled and placed in a group.

When creating the Authsrv database:


# authsrv
-administrator mode-
authsrv# list
Report for user in database
user   group  longname  flags  proto  last
-----  -----  --------  -----  -----  ----
authsrv# adduser admin Auth DBA
ok - user added initially disable
authsrv# enable admin
enabled
authsrv# superwiz admin
set wizard
authsrv# proto admin Snk
changed
authsrv# pass 160 270 203 065 022 034 232 162 admin
Secret key changed
authsrv# list
Report for user in database
user   group  longname  flags  proto  last
-----  -----  --------  -----  -----  ----
admin         Auth DBA  y W    Snk    never
authsrv# quit


In the example, a new database is created together with a record for the administrator. The administrator is granted rights and assigned the authentication protocol.

3.4.5 Using the CSE Proxy control screen:


After installation is complete, logging in as the user proxy brings up the control screen with a menu of functions from which the administrator can choose.

PROXY SERVICE MENU
 1 Configuration
 2 View TELNET log
 3 View FTP log
 4 View HTTP log
 5 View E-MAIL log
 6 View AUTHENTICATE log
 7 View FINGER log
 8 View RLOGIN log
 9 View SOCKD log
 a Report
 b Authentication
 c Change system time
 d Change password
 e Shutdown
 q Exit
Select option> _

Con s hay ch ci u tin th hin phm bm thc hin chc nng. Sau khi mi chc nng thc hin xong xut hin

61

Generated by Foxit PDF Creator Foxit Software http://www.foxitsoftware.com For evaluation only.

thng bo

Press ENTER to continue

ri ch cho ti khi

phm Enter c bm tr li mn hnh iu khin chnh. 3.4.5.1 1 Configuration Chc nng ny cho php son tho trc tip ti file cu hnh ca proxy. Trong file ny cha cc quy tc ca cc dch v nh netacl, ftp-gw, tn-gw... C php ca cc quy tc ny c m t phn trn. Sau khi s i cc quy tc chn chc nng Save th cc quy tc mi s lp tc c p dng. Ch : B son tho vn bn son tho file cu hnh c cc phm chc nng tng t nh chc nng son tho ca Turbo Pascal 3.0. (Cc chc nng cn thit u c th thy trn Status Bar dng cui cng ca mn hnh). i vi mt s trng hp b son tho ny khng hot ng th chng trnh son tho vi ca UNIX s c dng thay th. 3.4.5.2 2 View TELNET log Chc nng xem ni dung nht k ca tn-gw. Nht k ghi li ton b cc truy nhp qua proxy i vi dch v tn-gw. i vi cc dch v khc nh ftp-gw, http-gw u dc ghi li nht k v c th theo di bi cc chc nng tng t (Xem cc mc di y). 3.4.5.3 3 View FTP log Chc nng xem ni dung nht k ca ftp-gw. 3.4.5.4 4 View HTTP log Chc nng xem ni dung nht k ca http-gw.


3.4.5.5 5 View E-MAIL log
This function shows the contents of the email service log.

3.4.5.6 6 View AUTHENTICATE log
This function shows the contents of the authentication service log.

3.4.5.7 7 View FINGER log
This function shows the contents of the finger log.

3.4.5.8 8 View RLOGIN log
This function shows the contents of the rlogin-gw log.

3.4.5.9 9 View SOCKD log
This function shows the contents of the sockd log.

3.4.5.10 a Report
This function produces a statistical report for all services over a chosen period of time. First the screen shows a calendar for selecting the period to report on. Once the report has been calculated, the user must choose one of the report's output options: view (display on screen), save (to floppy disk) or print (on a printer attached directly to the server). To print on another printer, write the report to a floppy disk and print the files from a workstation.
Fri May 8 10:39:13 1998

        Apr                          May                          Jun
 S  M Tu  W Th  F  S      S  M Tu  W Th  F  S      S  M Tu  W Th  F  S
          1  2  3  4                     1  2         1  2  3  4  5  6
 5  6  7  8  9 10 11      3  4  5  6  7  8  9      7  8  9 10 11 12 13
12 13 14 15 16 17 18     10 11 12 13 14 15 16     14 15 16 17 18 19 20
19 20 21 22 23 24 25     17 18 19 20 21 22 23     21 22 23 24 25 26 27
26 27 28 29 30           24 25 26 27 28 29 30     28 29 30
                         31

From date (dd/mm[/yy]) (08/05/98):01/05/98
To date (dd/mm[/yy]): (08/05/98):05/05/09
Calculating...
View, save to MS-DOS floppy disk or print report (v/s/p/q)? v
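The Report function above, as an added Python example that is not part of the CSE proxy: it answers the two dd/mm[/yy] prompts (an empty answer keeps the default shown in parentheses, two-digit years are expanded) and totals log records per gateway over the chosen range, and it rejects a range whose end precedes its start, the kind of slip a two-digit-year typo such as the sample's "05/05/09" produces. The log lines, TODAY, the century base and the regular expression are constructed assumptions, since the manual does not show the real log format.

```python
import re
from collections import Counter
from datetime import date, datetime

TODAY = date(1998, 5, 8)  # date shown at the top of the Report calendar screen

# Constructed sample lines in a syslog-like shape (assumption: the manual does not show the real format).
SAMPLE_LOG = """\
May  1 09:12:01 vectra tn-gw[211]: permit host=ws1/192.1.1.20 connect to 192.1.1.1
May  3 14:02:55 vectra ftp-gw[230]: permit host=ws2/192.1.1.21 connect to 192.1.1.1
May  3 14:05:10 vectra ftp-gw[230]: exit host=ws2/192.1.1.21 bytes=1024
May  5 08:30:00 vectra http-gw[240]: permit host=ws1/192.1.1.20 get /index.html
May  7 11:00:00 vectra tn-gw[260]: deny host=unknown/192.1.1.99
May  8 10:39:13 vectra authsrv[270]: BADAUTH ngoc
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<svc>[\w-]+)\[\d+\]: ")

def parse_range_date(text, default, century=1900):
    """Parse the menu's dd/mm[/yy] answer; an empty answer keeps the default
    shown in parentheses. Two-digit years are expanded against `century`."""
    text = text.strip()
    if not text:
        return default
    parts = text.split("/")
    if len(parts) not in (2, 3):
        raise ValueError("expected dd/mm[/yy], got %r" % text)
    day, month = int(parts[0]), int(parts[1])
    year = default.year if len(parts) == 2 else century + int(parts[2])
    return date(year, month, day)  # rejects impossible dates such as 31/02

def count_by_service(lines, start, end, year):
    """Count gateway records whose timestamp falls within [start, end]."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a proxy record; ignored
        stamp = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        if start <= stamp.date() <= end:
            counts[m.group("svc")] += 1
    return dict(counts)

def run_report(lines, from_text, to_text, today=TODAY):
    """Answer the two Report prompts, validate the range, then total per service."""
    start, end = parse_range_date(from_text, today), parse_range_date(to_text, today)
    if end < start:  # e.g. the two-digit year typo 05/05/09 -> 1909
        raise ValueError("To date %s is before From date %s" % (end, start))
    return count_by_service(lines, start, end, today.year)
```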

3.4.5.11 b Authentication
This function calls authsrv to manage users and their authentication settings. authsrv was described in detail above.

authsrv# list
Report for users in database
user     group    longname   status   proto   last
----     -----    --------   ------   -----   ----
dalva    cse                 n        passw   never
ruth     cse                 y        passw   never
authsrv#

3.4.5.12 c Change system time
This function changes the system time. It is used to set the system clock accurately, because the system clock has a direct effect on the accuracy of the logs and lets the administrator correctly track accesses to the proxy.


The time-entry line looks as shown below. The day, month and year may be omitted, but pay attention to the format of the value entered. Below is an example of changing the time to 11:28.

Current System Time is Fri May 08 10:32:00 HN 1998
Enter new time ([yymmdd]hhmm): 1128

3.4.5.13 d Change password
This function changes the password of the proxy user.

3.4.5.14 e Shutdown
This function shuts down the whole system. It is used to turn off the machine safely for the user.

3.4.5.15 q Exit
This function logs out of the proxy control screen.

3.4.6 Issues users need to be aware of


When using CSE Proxy, users need to pay attention to the following issues:

3.4.6.1 With Web browsers
Proxy mode must be set so that the browser can reach Web pages through the proxy. In Microsoft Internet Explorer (version 4.0) choose View -> Internet Options -> Connection -> Proxy Server, set the Access the Internet using a proxy option, and enter the proxy's IP address and port.


In Netscape Navigator (version 4.0) choose Edit -> Preferences -> Advanced -> Proxies and enter the proxy address and service port (80) under Manual proxy configuration.

3.4.6.2 For telnet users
If the authentication function is not enabled, the procedure is as follows:

$ telnet vectra
Trying 192.1.1.155...
Connected to vectra.
Escape character is '^]'.
Vectra.sce.gov.vn telnet proxy (version V1.0) ready:
tn-gw -> help
Valid commands are: (unique abbreviations may be used)
    connect hostname [serv/ port]
    telnet hostname [serv/ port]
    x-gw [hostname/ display]
    help/ ?
    quit/ exit
    password
tn-gw -> c 192.1.1.1
Trying 192.1.1.1 port 23...
SCO OpenServer(TM) Release 5 (sco5.cse.gov.vn) (ttys0)
Login: ngoc
password: #######
...
$


If the authentication function is enabled, then after the proxy replies:

Vectra.sce.gov.vn telnet proxy (version V1.0) ready:

it prompts for a username and password to perform authentication:

Username: ngoc
password: #######
Login accepted
tn-gw ->

3.4.6.3 For users of the FTP service
If the authentication function is enabled, the procedure is as follows:
$ ftp vectra
Connected to vectra.
220-Proxy first requires authentication
220 Vectra.sce.gov.vn FTP proxy (version V1.0) ready:
Name (vectra: root): ngoc
331 Enter authentication password for ngoc
Password: #######
230 User authenticated to proxy
ftp> user ngoc@192.1.1.1
331-(----GATEWAY CONNECTED TO 192.1.1.1----)
331-(220 sco5.cse.gov.vn FTP server (Version 2.1 WU(1)) ready.)
331 Password required for ngoc.
Password:
230 User ngoc logged in.
ftp> ...
ftp> bye
221 Goodbye.
$

If the authentication function is not used, it is simpler:


$ ftp vectra
Connected to vectra.
220 Vectra.sce.gov.vn FTP proxy (version V1.0) ready:
Name (vectra: root): ngoc@192.1.1.1
331-(----GATEWAY CONNECTED TO 192.1.1.1----)
331-(220 sco5.cse.gov.vn FTP server (Version 2.1 WU(1)) ready.)
331 Password required for ngoc.
Password:
230 User ngoc logged in.
ftp> ...
ftp> bye
221 Goodbye
$

If the WS_FTP program for Windows from Ipswitch, Inc. is used, the Use Firewall option must be set in the Advanced section when configuring a connection session. In the Firewall Information section, enter the proxy's IP address in the Hostname field, the username and password (UserID and Password) for authentication on the proxy, and the service port (21). The Firewall type must also be set to USER after logon.
