Ever since Cheswick and Bellovin wrote their influential book on how to build firewalls and on tracking a determined hacker named Berferd, the idea of putting a web server on the Internet without deploying a firewall has been regarded as suicide. It is just as suicidal to hand firewall duties entirely to the network engineers. That group may well understand the technical intricacies of a firewall, but they do not live and breathe security or study the mindset and techniques of determined hackers. As a result, firewalls can be punctured through misconfiguration, letting attackers pour into the network and wreak havoc.
... limits them to outbound traffic leaving the company rather than inbound traffic to the company's web server. Meanwhile, one finds packet-filtering gateways, or the more complex stateful packet-filtering gateways, in many large organizations that have high performance requirements.
Many people believe the perfect firewall has not yet appeared, but the future looks bright. Several vendors, such as Network Associates Inc. (NAI), AXENT, Internet Dynamics, and Microsoft, are developing technology that offers the security of proxy technology with the performance of packet-filtering technology (a hybrid of the two). But they are not there yet.
Ever since the first firewall was installed, firewalls have protected countless networks from prying eyes and vandals, but note that they are far from a security panacea. Security weaknesses are discovered every year in almost every kind of firewall on the market. Worse, most firewalls are misconfigured, unmaintained, and unmonitored, which turns them into electronic doorstops (holding the doors wide open).
So make no mistake: a carefully designed, configured, and maintained firewall is almost impossible to break into. In fact, most skilled attackers know this and will simply circumvent the firewall by exploiting trust relationships and the weakest-link security holes, or avoid it entirely by attacking through a dial-up account.
The bottom line: most attackers devote their efforts to getting around a strong firewall; the goal here is to build a strong firewall.
As a firewall administrator, you know how important it is to understand your enemy. Knowing the first steps an attacker takes to bypass firewalls will help you greatly in detecting and responding to an attack. This chapter walks you through the techniques commonly used today to discover and enumerate firewalls, and describes several ways attackers try to bypass them. For each technique, we look at how to detect and prevent the attack.
1. Direct Scanning: The Noisy Technique
The easiest way to find firewalls is to scan for specific default ports. Some firewalls on the market uniquely identify themselves with simple port scans; you just need to know what to look for.
For example, Check Point's Firewall-1 listens on TCP ports 256, 257, and 258, and Microsoft's Proxy Server usually listens on TCP ports 1080 and 1745. With this knowledge, finding these kinds of firewalls is trivial with a port scanner such as nmap:
nmap -n -vv -P0 -p256,1080,1745 192.168.50.1-60.254
The -P0 switch disables ICMP pinging before the scan. This matters because most firewalls do not respond to ICMP echo requests.
Both timid and brazen attackers perform broad scans of your network this way, looking for these firewalls and for any gap in your perimeter's armor. The more dangerous attackers, however, comb your perimeter as quietly as possible. There are many techniques an attacker can use to stay under your radar, including randomizing pings, target ports, target addresses, and source ports; using decoy hosts; and performing distributed source scans.
If you think your intrusion detection system (IDS), such as Internet Security Systems' RealSecure or Abirnet's SessionWall-3, will catch these more dangerous attackers, think again. Most IDSs are configured by default to listen only for the dumbest and noisiest port scans. Unless you use a responsive IDS and fine-tune its detection signatures, most of these attacks will go completely unnoticed. You can generate such a randomized scan using the Perl scripts provided on the book's web site at www.osborne.com/hacking.
Countermeasures
You should block these kinds of scans at your border routers or use a free or commercial intrusion detection tool. Even so, single port scans are not picked up by default in most IDSs, so you must tune the sensitivity before you can rely on the detection.
Detection
To accurately detect port scans that use randomization and decoy hosts, you need to fine-tune each port-scan detection signature. Consult your IDS vendor's documentation for details.
If you want RealSecure 3.0 to detect the scan above, you will have to raise its sensitivity to single port scans by modifying the parameters of the port-scan signature. Change the following to make it sensitive to this scan:
1. Select and customize the Network Engine Policy.
2. Find "Port Scan" and select Options.
3. Change Ports to 5 ports.
4. Change Delta to 60 seconds.
If you are running Firewall-1 on UNIX, you can use Lance Spitzner's utility for detecting Firewall-1 port scans at www.enteract.com/~lspitz/intrusion.html. His alert.sh script configures Check Point to detect and monitor port scans and to run a User Defined Alert when activity occurs.
Prevention
To prevent firewall port scans from the Internet, you need to block these ports on the routers in front of the firewalls. If those devices are managed by your ISP, you will need to contact them to do the blocking. If you manage them yourself, you can use the following Cisco ACLs to explicitly block the scans described above:
access-list 101 deny tcp any any eq 256 log ! Block Firewall-1 scans
access-list 101 deny tcp any any eq 257 log ! Block Firewall-1 scans
access-list 101 deny tcp any any eq 258 log ! Block Firewall-1 scans
access-list 101 deny tcp any any eq 1080 log ! Block Socks scans
access-list 101 deny tcp any any eq 1745 log ! Block Winsock scans
Note: If you block the Check Point ports (256-258) at your border routers, you will no longer be able to manage the firewall from the Internet.
In addition, every router must have a cleanup rule (if it does not deny packets by default), which has the same effect as explicitly specifying the deny actions:
access-list 101 deny ip any any log ! Deny and log any packet that got through our ACLs above
2. Route Tracing
A quieter and subtler way to find firewalls on a network is to use traceroute. You can use UNIX traceroute or NT's tracert.exe to find each hop along the path to the target and draw conclusions from it. Linux traceroute has the -I option, which traces the route by sending ICMP packets instead of the default UDP technique.
[sm@atsunami sm]$ traceroute -I www.yourcompany.com
traceroute to www.yourcompany.com (172.17.100.2), 30 hops max, 140 byte packets
 1 attack-gw (192.168.50.21) 5.801 ms 5.105 ms 5.445 ms
 2 gw1.smallisp.net (192.168.51.1)
 3 gw2.smallisp.net (192.168.52.2)
.....
13 hssi.bigisp.net (10.55.201.2)
14 serial1.bigisp.net (10.55.202.1)
15 www.yourcompany.com (172.29.11.2)
There is a good chance that the hop just before the target (10.55.202.1) is the firewall, but we do not know for sure yet. We need to dig a little deeper.
The example above works well if the routers between you and the target servers respond to packets with expired TTLs. But some routers and firewalls are configured not to return ICMP TTL-expired packets (for both ICMP and UDP packets). In that case the deduction is less scientific. All you can do is run traceroute, see which hop responds last, and infer that it is either a firewall or at least the first router in the path that starts blocking tracerouting. For example, here ICMP is being blocked at its destination, and there is no response from any router beyond client-gw.smallisp.net:
 1 stoneface (192.168.10.33) 12.640 ms 8.367 ms
 2 gw1.localisp.net (172.31.10.1) 214.582 ms 197.992 ms
 3 gw2.localisp.net (172.31.10.2) 206.627 ms 38.931 ms
 4 dsl.localisp.net (172.31.12.254) 47.167 ms 52.640 ms
........
14 ATM6.LAX2.BIGISP.NET (10.50.2.1) 250.030 ms 391.716 ms
15 ATM7.SDG.BIGISP.NET (10.50.2.5) 234.668 ms 384.525 ms
16 client-gw.smallisp.net (10.50.3.250) 244.065 ms !X * *
17 * * *
18 * * *
... may be under the ISP's control.
Detection
To detect standard traceroutes at the border, you need to monitor for UDP and ICMP packets with a TTL value of 1. To do this with RealSecure 3.0, make sure the TRACE_ROUTE decode name is checked under Security Events in the Network Engine Policy.
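To make the two detection rules concrete (the single-scan Ports/Delta threshold tuned in section 1 and the TTL-1 traceroute check described here), the following is an added Python example, not code from the page or from any IDS vendor; the packet summaries, addresses and the BorderDetector class are constructed for illustration. It also shows why the default threshold never fires on a slow scan while a per-port rule still records each probe.

```python
from collections import defaultdict, deque

# Default ports the text names for Check Point Firewall-1 and Microsoft Proxy Server
FIREWALL_PORTS = {256, 257, 258, 1080, 1745}


class BorderDetector:
    """Stateful detector over packet summaries seen at the border router.

    ports/delta mirror the RealSecure 'Ports' and 'Delta' knobs: an alert fires when one
    source touches at least `ports` distinct (host, port) targets within `delta` seconds.
    """

    def __init__(self, ports=5, delta=60.0):
        self.ports, self.delta = ports, delta
        self.history = defaultdict(deque)  # src -> deque of (time, (dst, dport))
        self.alerts = []

    def observe(self, t, proto, src, dst, dport, ttl):
        # Traceroute probes are UDP (default) or ICMP (-I) datagrams arriving with TTL 1.
        if proto in ("udp", "icmp") and ttl <= 1:
            self.alerts.append(("TRACE_ROUTE", src, t))
        if proto != "tcp":
            return
        # A single hit on a firewall management/proxy port is worth logging on its own,
        # because a slow scanner never accumulates enough targets inside the window.
        if dport in FIREWALL_PORTS:
            self.alerts.append(("FW_PORT_PROBE", src, t, dport))
        hist = self.history[src]
        hist.append((t, (dst, dport)))
        while hist and t - hist[0][0] > self.delta:
            hist.popleft()  # forget probes older than the window
        if len({tgt for _, tgt in hist}) >= self.ports:
            self.alerts.append(("PORT_SCAN", src, t))
            hist.clear()  # one alert per burst


def run(events, ports=5, delta=60.0):
    """Feed constructed (t, proto, src, dst, dport, ttl) tuples; return the alert list."""
    det = BorderDetector(ports, delta)
    for ev in events:
        det.observe(*ev)
    return det.alerts


# Constructed traffic. Burst: nmap -p256,1080,1745 over a range, all within one second.
NOISY = [(0.1 * i, "tcp", "192.168.50.99", f"172.16.1.{10 + i // 3}", p, 52)
         for i, p in enumerate([256, 1080, 1745] * 3)]
# Slow scan: port 257 on a new host every 90 s, so no 60 s window ever holds 5 targets.
SLOW = [(90.0 * i, "tcp", "192.168.50.98", f"172.16.1.{10 + i}", 257, 52) for i in range(6)]
# Default traceroute from outside: three UDP probes to high ports arriving with TTL 1.
TRACE = [(5.0 + 0.2 * k, "udp", "192.168.50.21", "172.16.1.1", 33434 + k, 1) for k in range(3)]


def alert_types(events, **kw):
    """Distinct alert kinds raised for an event list (kw passes ports/delta through)."""
    return sorted({a[0] for a in run(events, **kw)})
```

Widening Delta to 600 seconds is what makes the slow scan trip PORT_SCAN, which is exactly the tuning trade-off the text describes.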
Prevention
To prevent traceroutes from running at the border, you can configure your routers not to respond with TTL EXPIRED messages when they receive a packet with a TTL of 0 or 1. The following ACL works on Cisco routers:
access-list 101 deny icmp any any 11 0 ! ttl-exceeded
Or, ideally, block all unnecessary UDP traffic at your border routers.
3. Banner Grabbing
Scanning for firewall ports is useful for locating firewalls, but most firewalls do not listen on default ports the way Check Point and Microsoft do, so their presence has to be deduced. Many popular firewalls announce themselves simply when you connect to them. For example, many proxy firewalls announce their function as a firewall, and some advertise their type and version. When we connect with netcat on port 21 (FTP) to a machine believed to be a firewall, we see some interesting information:
C:\TEMP>nc -v -n 192.168.51.129 21
[UNKNOWN] [192.168.51.129] 21 (?) open
220 Secure Gateway FTP server ready.
The banner "Secure Gateway FTP server ready" is a telltale sign of an old Eagle Raptor box. Connecting to port 23 (telnet) further confirms the firewall's name as "Eagle."
C:\TEMP>nc -v -n 192.168.51.129 23
[UNKNOWN] [192.168.51.129] 23 (?) open
Eagle Secure Gateway. Hostname:
And finally, if you are still not convinced the host is a firewall, you can netcat to port 25 (SMTP), and it will tell you what it is:
C:\TEMP>nc -v -n 192.168.51.129 25
[UNKNOWN] [192.168.51.129] 25 (?) open
421 fw3.acme.com Sorry, the firewall does not provide mail service to you.
As the examples above show, banner information can give attackers valuable information when identifying firewalls. Using it, they can go after well-known weaknesses or common misconfigurations.
Prevention
To prevent attackers from gaining too much information about your firewalls from advertised banners, you can change the banner configuration files. The specific recommendations depend on the firewall vendor.
On Eagle Raptor firewalls, you can change the ftp and telnet banners by editing the message-of-the-day files: ftp.motd and telnet.motd.
No RST/ACK packet is received.
An ICMP type 3 (Destination Unreachable) message with code 13 (Communication Administratively Prohibited, [RFC1812]) is received.
Nmap lumps all three of these conditions together and reports them as a "filtered" port. For example, when scanning www.mycompany.com, we received two ICMP packets telling us the firewall blocks ports 23 and 111 from our particular system.
[root@bldg_043 /opt]# nmap -p20,21,23,53,80,111 -P0 -vv www.mycompany.com
Starting nmap V. 2.08 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Initiating TCP connect() scan against (172.32.12.4)
Adding TCP port 53 (state Open)
Adding TCP port 111 (state Firewalled)
Adding TCP port 80 (state Open)
Adding TCP port 23 (state Firewalled)
Interesting ports on (172.17.12.4):
Port    State     Protocol  Service
23      filtered  tcp       telnet
53      open      tcp       domain
80      open      tcp       http
111     filtered  tcp       sunrpc
The "Firewalled" state in the output above is the result of receiving an ICMP type 3, code 13 (Admin Prohibited Filter), as seen in the tcpdump output:
23:14:01.229743 10.55.2.1 > 172.29.11.207: icmp: host 172.32.12.4
unreachable - admin prohibited filter
23:14:01.979743 10.55.2.1 > 172.29.11.207: icmp: host 172.32.12.4
unreachable - admin prohibited filter
How does nmap match these packets to the original probes, especially when they are just a few among the sea of packets flooding the network? Well, the ICMP packet sent back to the scanner contains all the data needed to work out what is going on. The blocked port is the one-byte field in the ICMP portion at byte 0x41 (1 byte), and the filtering firewall that sent the message is in the IP portion of the packet at byte 0x1b (4 bytes).
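To show how a scanner correlates the ICMP reply with its probe from the quoted header, here is an added Python example that is not part of the original text; it works at the IP layer (no Ethernet header, so the byte offsets differ from the 0x41/0x1b figures above), and the packets, addresses and function names are constructed. The reply's quoted header carries the probe's addresses and ports, so the scanner matches on that 4-tuple rather than on byte offsets.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
ICMP_ADMIN_PROHIBITED = 13  # "Communication Administratively Prohibited" (RFC 1812)

def ipv4(src, dst, proto, payload, ttl=64):
    """Build a minimal IPv4 packet (IHL 5, no options, checksum left 0) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(pkt, off=0):
    """Return (header_len, ttl, proto, src, dst) for the IPv4 header at offset off."""
    vihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", pkt, off)
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    return (vihl & 0x0F) * 4, ttl, proto, socket.inet_ntoa(src), socket.inet_ntoa(dst)

def make_syn_probe(src, dst, sport, dport):
    """Constructed SYN probe, the kind of packet nmap -sS or hping -S sends."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 1024, 0, 0)
    return ipv4(src, dst, 6, tcp)

def make_admin_prohibited(filter_ip, probe):
    """Constructed reply: the filter quotes the probe's IP header + 8 transport bytes (RFC 792)."""
    _, _, _, probe_src, _ = parse_ipv4(probe)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIBITED, 0, 0) + probe[:28]
    return ipv4(filter_ip, probe_src, 1, icmp, ttl=254)

def classify_icmp_reply(pkt):
    """If pkt is ICMP type 3 code 13 quoting a TCP probe, return who filtered what; else None."""
    ihl, _, proto, outer_src, _ = parse_ipv4(pkt)
    if proto != 1:
        return None
    icmp_type, icmp_code = struct.unpack_from("!BB", pkt, ihl)
    if (icmp_type, icmp_code) != (ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIBITED):
        return None
    inner = ihl + 8  # the quoted original datagram starts after the 8-byte ICMP header
    in_ihl, _, in_proto, in_src, in_dst = parse_ipv4(pkt, inner)
    if in_proto != 6:
        return None
    sport, dport = struct.unpack_from("!HH", pkt, inner + in_ihl)  # quoted TCP ports
    return {"filter_device": outer_src, "probe_src": in_src,
            "probe_dst": in_dst, "sport": sport, "dport": dport}

def correlate(probes, replies):
    """nmap-style bookkeeping: a probe becomes 'filtered' only when a reply quotes its 4-tuple."""
    state = {}
    for p in probes:
        ihl, _, _, src, dst = parse_ipv4(p)
        sport, dport = struct.unpack_from("!HH", p, ihl)
        state[(src, dst, sport, dport)] = "no response"
    for r in replies:
        info = classify_icmp_reply(r)
        if info is None:
            continue  # not an admin-prohibited reply: ignore it
        key = (info["probe_src"], info["probe_dst"], info["sport"], info["dport"])
        if key in state:
            state[key] = "filtered by " + info["filter_device"]
    return state

def demo():
    # The page's scenario: 10.55.2.1 rejects the probes to ports 23 and 111, port 53 gets nothing
    scanner, target = "172.29.11.207", "172.32.12.4"
    probes = [make_syn_probe(scanner, target, 39667, p) for p in (23, 53, 111)]
    replies = [make_admin_prohibited("10.55.2.1", probes[0]),
               make_admin_prohibited("10.55.2.1", probes[2])]
    return correlate(probes, replies)
```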
Finally, an nmap "unfiltered" port appears only when you scan a number of ports and receive an RST/ACK packet back. In the unfiltered state, our scan is either passing through the firewall and the target host is telling us it is not listening on that port, or the firewall is answering on the target's behalf, spoofing its IP address with the RST/ACK flags set. For example, scanning a local system gives us two unfiltered ports when it receives two RST/ACK packets from the same host. This can also happen with some firewalls such as Check Point (with a REJECT rule) when it answers for the target, sending back an RST/ACK packet and spoofing the target's source IP address.
[root@bldg_043 sniffers]# nmap -sS -p1-300 172.18.20.55
Starting nmap V. 2.08 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on (172.18.20.55):
(Not showing ports in state: filtered)
Port    State       Protocol  Service
7       unfiltered  tcp       echo
53      unfiltered  tcp       domain
256     open        tcp       rap
257     open        tcp       set
258     open        tcp       yak-chat
Nmap run completed - 1 IP address (1 host up) scanned in 15 seconds
And here is the matching tcpdump capture showing the RST/ACK packets received.
21:26:22.742482 172.18.20.55.258 > 172.29.11.207.39667: S
1415920470:1415920470(0) ack 3963453111 win 9112 <mss 536> (DF)
(ttl 254, id 50438)
21:26:23.282482 172.18.20.55.53 > 172.29.11.207.39667:
R 0:0(0) ack 3963453111 win 0 (DF) (ttl 44, id 50439)
21:26:24.362482 172.18.20.55.257 > 172.29.11.207.39667: S
1416174328:1416174328(0) ack 3963453111 win 9112 <mss 536>
(DF) (ttl 254, id 50440)
21:26:26.282482 172.18.20.55.7 > 172.29.11.207.39667:
R 0:0(0) ack 3963453111 win 0 (DF) (ttl 44, id 50441)
Countermeasures
Prevention
To prevent attackers from enumerating your router and firewall ACLs through the "admin prohibited filter" technique, you can disable the router's ability to respond with ICMP type 13 packets. On Cisco, you do this by stopping the device from responding with IP unreachable messages:
no ip unreachables
5. Port Identification
Some firewalls have a unique fingerprint that shows up as a series of numbers distinguishing them from other firewalls. For example, Check Point displays a series of numbers when you connect to its SNMP management port, TCP 257. Although the mere presence of ports 256-259 on a system is usually a good indicator of Check Point's Firewall-1, the following test confirms it:
[root@bldg_043]# nc -v -n 192.168.51.1 257
(UNKNOWN) [192.168.51.1] 257 (?) open
30000003
[root@bldg_043]# nc -v -n 172.29.11.191 257
(UNKNOWN) [172.29.11.191] 257 (?) open
31000000
Prevention
To prevent connections to TCP port 257, block them at your upstream routers. A simple Cisco ACL like the one below can explicitly deny an attacker's attempt:
access-list 101 deny tcp any any eq 257 log ! Block Firewall-1 scans
1. hping
hping (www.Genocide2600.com/-tattooman/scanners/hping066.tgz), by Salvatore Sanfilippo, works by sending TCP packets to a target port and reporting the packets it receives back. hping returns a variety of responses depending on numerous conditions. Each packet, individually and taken together, can give a fairly clear picture of the firewall's access controls. For example, with hping we can discover open, blocked, dropped, and rejected packets.
In the following example, hping reports that port 80 is open and ready to accept a connection. We know this because it received a packet with the SA flags set (a SYN/ACK packet).
[root@bldg_043 /opt]# hping www.yourcompany.com -c2 -S -p80 -n
HPING www.yourcompany.com (eth0 172.30.1.20): S set, 40 data bytes
60 bytes from 172.30.1.20: flags=SA seq=0 ttl=242 id=65121 win=64240 time=144.4 ms
Now we know there is an open port through to the target, but we do not yet know where the firewall is. In the next example, hping reports receiving an ICMP unreachable type 13 from 192.168.70.2. An ICMP type 13 is an ICMP admin prohibited filter packet, usually sent from a packet-filtering router.
[root@bldg_043 /opt]# hping www.yourcompany.com -c2 -S -p23 -n
HPING www.yourcompany.com (eth0 172.30.1.20): S set, 40 data bytes
ICMP Unreachable type 13 from 192.168.70.2
Now it is confirmed: 192.168.70.2 is most likely the firewall, and we know it is explicitly blocking port 23 to our target. In other words, if the system is a Cisco router, it probably has a line like the following in its config file:
access-list 101 deny tcp any any eq 23 ! telnet
In the next example, we receive an RST/ACK packet back, which signals one of two things: (1) the packet got through the firewall and the host is not listening on that port, or (2) the firewall rejected the packet (as with Check Point's reject rule).
[root@bldg_043 /opt]# hping 192.168.50.3 -c2 -S -p22 -n
HPING 192.168.50.3 (eth0 192.168.50.3): S set, 40 data bytes
60 bytes from 192.168.50.3: flags=RA seq=0 ttl=59 id=0 win=0 time=0.3 ms
Because of the ICMP type 13 packet received above, we can deduce that the firewall (192.168.70.2) is letting the packet through, but the host is not listening on that port.
If the firewall you are scanning through is Check Point, hping reports the target's source IP address, but the packet is really being sent from the external NIC of the Check Point firewall. The tricky thing about Check Point is that it answers for its internal systems, sending a reply and spoofing the target's address. When attackers hit one of these conditions over the Internet, however, they never know the difference, because the MAC address never reaches their machine.
Finally, when a firewall is blocking packets to a port, you usually get nothing back at all.
[root@bldg_043 /opt]# hping 192.168.50.3 -c2 -S -p22 -n
HPING 192.168.50.3 (eth0 192.168.50.3): S set, 40 data bytes
This hping result can mean one of two things: (1) the packet could not reach the target and was lost on the wire, or (2) more likely, a device (probably our firewall, 192.168.70.2) dropped the packet on the floor as part of its ACL rules.
2. Firewalk
Firewalk (http://www.packetfactory.net/firewalk/) is a handy little tool that, like a port scanner, is used to discover open ports behind a firewall. Written by Mike Schiffman, also known as Route, and Dave Goldsmith, this utility scans a host downstream from a firewall and reports back the rules allowed through to that host without actually having to touch the host.
Firewalk works by constructing packets with an IP TTL calculated to expire one hop past the firewall. In theory, if the firewall allows the packet, it is passed through and expires as expected, eliciting an "ICMP TTL expired in transit" message. If, on the other hand, the packet is blocked by the firewall's ACL, it is dropped, and either no response is sent or an ICMP type 13 admin prohibited filter packet is sent.
[root@exposed /root]# firewalk -pTCP -S135-140 10.22.3.1 192.168.1.1
Ramping up hopcounts to binding host...
probe: 1 TTL: 1 port 33434: expired from [exposed.acme.com]
probe: 2 TTL: 2 port 33434: expired from [rtr.isp.net]
probe: 3 TTL: 3 port 33434: Bound scan at 3 hops [rtr.isp.net]
port 135: open
port 136: open
port 137: open
port 138: open
port 139: *
port 140: open
The only problem we have had with Firewalk is that it can be less than predictable, because some firewalls detect that the packet has expired before checking their ACLs and send back an ICMP TTL EXPIRED packet anyway. As a result, Firewalk assumes all ports are open.
Countermeasures
Prevention
You can block ICMP TTL EXPIRED packets at the external interface level, but this may hurt performance, because legitimate clients connecting through will never learn what happened to their connection.
IV. Packet Filtering
Packet-filtering firewalls such as Check Point's Firewall-1, Cisco PIX, and Cisco IOS (yes, Cisco IOS can be configured as a firewall) depend on ACLs (access control lists) or rules to decide whether traffic is authorized to pass into or out of the internal network. For the most part, these ACLs are well laid out and hard to get around. But quite often you stumble onto a firewall with liberal ACLs that let some packets through in an open state.
Liberal ACLs
Liberal access control lists (ACLs) are found on firewalls more often than you would think. Consider the case where an organization must allow its ISP to perform zone transfers. A liberal ACL such as "Allow all activity from source port 53" might be used instead of "allow activity from the ISP's DNS server with source port 53 and destination port 53." The risk of such misconfigurations can be truly devastating, allowing a hacker to scan the entire network from the outside. Most of these attacks begin with the attacker scanning a host behind the firewall while spoofing the source as port 53 (DNS).
Countermeasures
Prevention
Make sure your firewall rules limit who can connect where. For example, if your ISP requires zone-transfer capability, then you must be explicit in your rules. Require a source IP address and hard-code the destination IP address (your internal DNS server) in the rule you write.
If you are using a Check Point firewall, you can use the following rule to restrict source port 53 (DNS) to the ISP's DNS only. For example, if the ISP's DNS is 192.168.66.2 and your internal DNS is 172.30.140.1, you can use this rule:
Source        Destination    Service     Action   Track
192.168.66.2  172.30.140.1   domain-tcp  Accept   Short
Countermeasures
Prevention
To prevent this kind of attack, disable ICMP access through the firewall or provide granular access control over ICMP traffic. For example, the following Cisco ACL disables all ICMP traffic outside the 172.29.10.0 subnet (the DMZ) other than for administrative purposes:
access-list 101 permit icmp any 172.29.10.0 0.255.255.255 8 ! echo
access-list 101 permit icmp any 172.29.10.0 0.255.255.255 0 ! echo-reply
access-list 101 deny ip any any log ! deny and log all else
Caution: if your ISP monitors the uptime of your systems behind the firewall with ICMP pings (not recommended at all!), these ACLs will break that critical function. Check with your ISP to find out whether they use ICMP pings to verify your systems.
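As an added example (not the page's own code, and not Cisco's or Check Point's software), the following Python first-match evaluator parses the Cisco-style ACL lines used throughout this chapter and replays the liberal versus explicit DNS rule from the Liberal ACLs section; the list number 110, the probe addresses and the function names are constructed, and the strict rule is written in Cisco syntax as the equivalent of the Check Point rule table shown above.

```python
import ipaddress


def _endpoint(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' [eq PORT]; return (network, port, next_index)."""
    if tok[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tok[i] == "host":
        net, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    else:
        # Cisco wildcard mask: set bits are "don't care". Only contiguous masks are handled.
        wild = int(ipaddress.ip_address(tok[i + 1]))
        bits = wild.bit_length()
        if wild != (1 << bits) - 1:
            raise ValueError("non-contiguous wildcard: " + tok[i + 1])
        net, i = ipaddress.ip_network(f"{tok[i]}/{32 - bits}", strict=False), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = int(tok[i + 1]), i + 2
    return net, port, i


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [ICMPTYPE] [log] ! note'."""
    rules = []
    for line in text.splitlines():
        tok = line.split("!", 1)[0].replace("access - list", "access-list").split()
        if not tok or tok[0] != "access-list":
            continue
        src, sport, i = _endpoint(tok, 4)
        dst, dport, i = _endpoint(tok, i)
        icmp_type = int(tok[i]) if tok[3] == "icmp" and i < len(tok) and tok[i].isdigit() else None
        rules.append({"list": tok[1], "action": tok[2], "proto": tok[3], "src": src, "sport": sport,
                      "dst": dst, "dport": dport, "icmp_type": icmp_type, "log": "log" in tok[i:]})
    return rules


def evaluate(rules, pkt):
    """First matching rule wins; a Cisco ACL ends with an implicit, unlogged deny."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"]) or src not in r["src"] or dst not in r["dst"]:
            continue
        if r["sport"] is not None and r["sport"] != pkt.get("sport"):
            continue
        if r["dport"] is not None and r["dport"] != pkt.get("dport"):
            continue
        if r["icmp_type"] is not None and r["icmp_type"] != pkt.get("icmp_type"):
            continue
        return r["action"], r["log"]
    return "deny", False


# The border ACL from section 1: firewall-port probes denied and logged, then the cleanup rule.
BORDER = parse_acl("""
access-list 101 deny tcp any any eq 256 log ! Block Firewall-1 scans
access-list 101 deny tcp any any eq 1080 log ! Block Socks scans
access-list 101 deny ip any any log ! Deny and log any packet that got through our ACLs above
""")
# The liberal rule the text warns about versus its explicit equivalent (both constructed here).
LIBERAL = parse_acl("access-list 110 permit tcp any eq 53 any")
STRICT = parse_acl("access-list 110 permit tcp host 192.168.66.2 eq 53 host 172.30.140.1 eq 53")


def check_dns_spoof():
    """A constructed probe spoofing source port 53 at an internal telnet port: (liberal, strict)."""
    probe = {"proto": "tcp", "src": "203.0.113.7", "sport": 53, "dst": "172.30.140.7", "dport": 23}
    return evaluate(LIBERAL, probe)[0], evaluate(STRICT, probe)[0]
```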
Summary
In practice, a well-configured firewall can be extremely hard to get past. But with information-gathering tools such as traceroute, hping, and nmap, attackers can discover (or at least deduce) the access paths through routers and firewalls as well as the kind of firewall you are using. Many current weaknesses stem from firewall misconfiguration or a lack of administrative oversight, but either way the result can be a devastating attack if exploited. Some weaknesses can exist in both proxy and packet-filtering firewalls, including unauthenticated web, telnet, and localhost logins. For the most part, specific countermeasures can be applied to prevent these weaknesses from being exploited, and in a few cases only detection techniques are available.
Many believe that the inevitable future of firewalls is a hybrid of application proxy and stateful packet-filtering technology that will offer some techniques for limiting the potential for misconfiguration. Reactive features will also be part of next-generation firewalls. NAI implements one such form with its Active Security architecture, whereby, as soon as an intrusion is detected, pre-designed changes are automatically triggered and applied to the affected firewall. For example, if an IDS can detect ICMP tunneling, the product can direct the firewall to shut off ICMP ECHO requests into the firewall. Such a scenario is always an opportunity for a denial-of-service attack; that is why experienced security staff are always needed.