Course: NETWORK SECURITY. Topic: UNDERSTANDING FIREWALLS

TABLE OF CONTENTS
PREFACE ... 3
CHAPTER I: OVERVIEW OF FIREWALLS ... 4
1. Concept ... 4
2. Functions ... 4
3. Classification ... 4
3.1 Hardware firewalls ... 4
3.2 Software firewalls ... 5
4. How a firewall works ... 5
5. Applications of firewalls ... 6
5.1 What does a firewall protect? ... 6
5.2 What does a firewall protect against? ... 6
CHAPTER II: BASIC FIREWALL ARCHITECTURES ... 8
1. Dual-homed Host ... 8
2. Screened Host architecture ... 8
3. Screened Subnet architecture ... 9
4. Using multiple Bastion Hosts ... 10
5. Merging the interior and exterior routers ... 10
6. Merging the Bastion Host and the exterior router ... 11
CHAPTER III: FIREWALL COMPONENTS AND MECHANISMS ... 12
1. Packet Filtering ... 12
1.1 How it works ... 12
1.2 Advantages and limitations of packet-filtering firewalls ... 12
2. Application-Level Gateway ... 13
2.1 How it works ... 13
2.2 Advantages and limitations ... 13
3. Circuit-level gateway ... 14
CHAPTER IV: FIREWALL SOLUTIONS FOR ENTERPRISES ... 15
1. Introduction ... 15
2. Firewall solutions for small businesses ... 15
2.1 ISA Server Enterprise 2000, ISA Server Enterprise 2004 ... 15
2.2 SonicWALL PRO 2040 ... 15
3. SETTING UP A FIREWALL FOR AN ENTERPRISE ... 16

Supervisor: Dr. Truong Minh Nhat Quang. Page 1

4. INSTALLING AND CONFIGURING THE FIREWALL ... 17
4.1 About ISA Server 2004 Firewall ... 17
4.2 Installing ISA Server ... 18
CHAPTER V: CONCLUSION ... 19
1. Conclusion ... 19
REFERENCES ... 20
1. References ... 20


PREFACE
Information security is a vital need for individuals as well as for society and for nations around the world. On computer networks, information security has been pursued through physical and administrative methods. Since their appearance, computer networks have brought enormous benefits to every area of life. Alongside that, users have to face the danger of their information on the network being attacked. Information security on computer networks covers the methods used to protect information that is stored on and transmitted over the network. It is a field receiving special attention, and at the same time an extremely difficult and complex job. Experience has shown an alarming situation in which information is attacked while it is processed, transmitted, and stored: unlawful actions on information that aim to damage, corrupt, or steal stored files, copy confidential information, or impersonate authorized users on computer networks.
A firewall is not only a kind of software (such as the firewall in Windows); it can also be dedicated hardware in enterprise networks. These hardware firewalls let companies analyze outgoing data to ensure that malware cannot penetrate the network, and control the activity on the computers their employees are using. They can also filter data so that a computer is allowed only to browse the web, with access to other kinds of data disabled.
With the dedicated guidance of Mr. Truong Minh Nhat Quang, our group has completed this report. Although we did our best to research and analyze the topic, shortcomings are surely unavoidable. Our group very much hopes for the understanding and feedback of our teachers and classmates.

Our group sincerely thanks you!


CHAPTER I: OVERVIEW OF FIREWALLS


1. Concept
The term firewall comes from a building design technique for stopping or limiting the spread of fire. In information technology, a firewall is a technique integrated into a network system to prevent unauthorized access, protecting internal information resources and limiting unwanted intrusion into the system. A firewall is described as a surrounding defense with checkpoints that control all inbound and outbound traffic; traffic can be monitored and blocked at these checkpoints.

Private networks connected to the Internet are often threatened by attackers. To protect the data inside, a firewall is commonly used. A firewall has some way of letting legitimate users through while blocking illegitimate ones. It can be a hardware device, a software program running on a secured host, or a combination of both. In every case it must have at least two network interfaces: one for the network it protects and one for the outside network. A firewall can be the gateway or the connection point between two networks, usually a private network and a public network such as the Internet. The first firewalls were simple routers.
2. Functions
The main function of a firewall is to control the flow of information between the intranet and the Internet, that is, to establish a mechanism for controlling the flow of information between the internal network (intranet) and the Internet. Specifically:
o Allow or deny services accessing outward (from the intranet to the Internet).
o Allow or deny services accessing inward (from the Internet into the intranet).
o Monitor the network traffic between the Internet and the intranet.
o Control which addresses may access the network, and block addresses.
o Control users and their access.
o Control the content of information traveling across the network.
3. Classification
3.1 Hardware firewalls
A hardware firewall is a reasonable choice if you are using older versions of Windows. Many wireless access points for home networks are packaged as all-in-one units that combine a hardware firewall with a broadband router. Adding a firewall to your network can be as simple as adding an answering machine to your phone line: you just place the firewall on the Ethernet connection between your cable/DSL modem and your computer (this is true of most firewalls).


Characteristics of hardware firewalls:
o Less flexible than software firewalls (functions and rules cannot be added the way they can with a software firewall).
o Can be managed centrally.
o Simple and easy to install, configure, and manage.
o Operate at lower layers than software firewalls (the Network and Transport layers).
o Cannot inspect the content of packets.
Example of a hardware firewall: NAT (Network Address Translation).
3.2 Software firewalls
There are many vendors of software firewalls that you can use if you are running older versions of Windows, and the same vendors also offer other firewalls that can be used on Windows XP. Below is a list of some vendors:
o Internet Security Systems (ISS): BlackICE PC Protection.
o Network Associates: McAfee Personal Firewall.
o Symantec: Norton Personal Firewall.
o Tiny Software: Tiny Personal Firewall.
o Zone Labs: ZoneAlarm.
Characteristics of software firewalls: high flexibility, since rules and functions can be added or removed. Software firewalls operate at a higher layer than hardware firewalls (the application layer) and can inspect the content of packets (for example, by keyword).
Examples of software firewalls: ZoneAlarm, Norton Firewall.
4. How a firewall works
A firewall works closely with the TCP/IP protocol suite. That protocol splits the data received from network applications, or more precisely from the services running over it (Telnet, SMTP, DNS, SNMP, NFS, ...), into data packets, assigns those packets identifiable addresses, and reassembles them at the destination; every kind of firewall is therefore heavily concerned with packets and their address numbers. A packet filter accepts or rejects each packet it receives. It examines the whole packet to decide whether it satisfies one of the packet-filtering rules. These rules are based on the information in the header of each packet, which is used to permit the packet to travel across the network. They include:
o Source IP address
o Destination IP address
o Transport protocol (TCP, UDP, ICMP, IP tunnel, ...)


o Source TCP/UDP port
o Destination TCP/UDP port
o ICMP message type
o Inbound interface
o Outbound interface
If a packet satisfies the firewall's pre-established rules it is passed through; otherwise it is discarded. Controlling ports lets the firewall admit only certain kinds of connections into the local network. Note also that because the check is based on packet headers, the filter cannot control the information content of the packets: packets that pass through can still carry a malicious party's attempts to steal information or cause damage. In the following sections we will look into techniques for getting past a firewall.
5. Applications of firewalls

If your computer is not protected, then when you connect to the Internet all traffic in and out of the network is allowed, so hackers, trojans, and viruses can get in and steal the personal information on your computer. They can install code that attacks the data files on the machine, and they can use your computer to attack another home or business computer connected to the Internet. A firewall can help you get rid of a malicious packet before it reaches your system.
5.1 What does a firewall protect?
The basic task of a firewall is to protect the following:
o Data: information that must be protected because of requirements for confidentiality, integrity, and timeliness.
o System resources.
o The reputation of the company that owns the information being protected.
5.2 What does a firewall protect against?
A firewall is a system that protects against attacks from outside.
Direct attacks:
o The first method is direct password guessing. Using password-guessing programs fed with some information about the user, such as date of birth, age, address, and so on, combined with a wordlist the user builds, an attacker can guess your password. In some cases the success rate can reach 30%. One example is a password-guessing program for Unix named *****.
o The second method exploits bugs in application programs and in the operating system itself; these have been used since the earliest attacks and are still used to seize access rights (obtaining the system administrator's privileges).

Eavesdropping: usernames, passwords, and other information crossing the network can be learned through programs that put the network interface card (NIC) into a mode where it receives all traffic on the network.

IP address spoofing: hackers often use this to pose as a legitimate machine in order to take control of the web browser on the attacked computer.

Denial of service: this kind of attack aims to paralyze the whole system so that it cannot perform the functions it was designed for. It cannot be entirely prevented, because the means used to mount the attack are the same means used to work and access information on the network.

System administrator error: the human factor, with its complacency and lack of understanding of how important securing the system is, easily leaks important information to hackers. Today hackers are more and more skilled, while networks remain slow to fix their own vulnerabilities. This requires the network administrator to have good knowledge of network security in order to keep the system's information safe. Individual users cannot know all the tricks needed to build their own firewall, but they should understand the importance of protecting their own information and learn some ways to avoid simple hacker attacks. The issue is awareness: with an awareness of prevention, the chance of staying safe is higher.


CHAPTER II: BASIC FIREWALL ARCHITECTURES


1. Dual-homed Host
The dual-homed host architecture is built around a dual-homed host computer. A computer is called a dual-homed host if it has at least two network interfaces, that is, two network cards attached to two different networks, so that the machine acts as a software router. The architecture is very simple: the dual-homed host sits in the middle, with one side connected to the Internet and the other connected to the internal network (the network to be protected).
Its characteristics are:
o The routing function of the dual-homed host must be disabled, so that IP traffic from outside is completely blocked from being forwarded in.
o Systems inside and outside the dual-homed host can communicate only with the dual-homed host, not directly with each other.
o The dual-homed host provides services through a proxy server, or users log in directly to the dual-homed host.

2. Screened Host architecture

In this architecture the main security function is provided by packet filtering at the screening router.
Packet filtering on the screening router is set up so that the bastion host is the only machine on the internal network to which hosts on the Internet can open connections. Packet filtering also lets the bastion host open (legitimate) connections outward to the external network.
Typically the packet filtering does the following:
o Allows internal hosts to open connections to hosts on the Internet for certain permitted services.
o Blocks all other connections from internal hosts.
Once a hacker compromises the bastion host, there is no barrier left protecting the internal hosts.


3. Screened Subnet architecture

A perimeter network is added to isolate the internal network from the Internet. Even if a hacker compromises the bastion host, there is still another barrier to cross: the interior router. Traffic on the internal network stays protected even when the bastion is taken over. Services that are less trusted and more likely to be attacked should be placed on the perimeter network. The bastion host is the point of contact for inbound connections such as SMTP, FTP, and DNS. Access from internal clients to servers on the Internet is controlled as follows:
o Set up packet filtering on both the exterior and interior routers so that internal clients can reach external servers directly.
o Set up a proxy server on the bastion host so that internal clients can reach external servers indirectly.


4. Using multiple Bastion Hosts

With this model, the response time for internal users (local users) is to some extent unaffected by the activity of users outside the network (external users).

5. Merging the interior and exterior routers

The router must support applying rules to both inbound and outbound packets on each interface. Because the interior and exterior routers are merged, this architecture removes one layer of protection for the internal network; it can be said to lie between the screened host and screened subnet architectures.


6. Merging the Bastion Host and the exterior router

This architecture is used only for networks with a single SLIP or PPP link to the Internet.
Merging the bastion host with the exterior router is close to the screened subnet architecture. It gives relatively low response time, which is still acceptable because the link speed is low; the exterior router does little filtering, and packet filtering is done mainly at the interior router.


CHAPTER III: FIREWALL COMPONENTS AND MECHANISMS
1. Packet Filtering
1.1 How it works
When data flows between networks through a firewall, the firewall necessarily works closely with the TCP/IP protocol suite. That protocol splits the data received from network applications, or more precisely from the services running over it (Telnet, SMTP, DNS, SNMP, NFS, ...), into data packets, assigns those packets identifiable addresses, and reassembles them at the destination; every kind of firewall is therefore heavily concerned with packets and their address numbers.
A packet filter accepts or rejects each packet it receives. It examines the whole packet to decide whether it satisfies one of the packet-filtering rules. These rules are based on the information in each packet's header, which is used to permit the packet to travel across the network, namely:
o Source IP address
o Destination IP address
o Transport protocol (TCP, UDP, ICMP, IP tunnel, ...)
o Source TCP/UDP port
o Destination TCP/UDP port
o ICMP message type
o Inbound interface
o Outbound interface
If a packet-filtering rule is satisfied, the packet is passed through the firewall; otherwise it is dropped. In this way the firewall can block connections to particular hosts or networks, or block access to the internal network from disallowed addresses. Moreover, controlling ports lets the firewall admit only certain kinds of connections to certain hosts, or allow only certain services (Telnet, SMTP, FTP, ...) to run on the local network.
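The following is an added example, not code from the report: a stateless packet filter that matches exactly the header fields listed above (addresses, protocol, ports, ICMP type, inbound and outbound interface), with first-match semantics and a default drop. The rule set models the exterior router of the screened subnet architecture from Chapter II (Internet may reach only the bastion host, and only for SMTP and DNS); all addresses, interface names and packets are constructed for the example.

```python
"""Stateless packet filter over the header fields a screening router sees.

Rules are evaluated top to bottom; the first match decides, and a packet
that matches nothing is dropped (deny by default). The payload field exists
only to show that the filter never looks at it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = None  # wildcard for a rule field


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    iface_in: str               # interface the packet arrived on
    iface_out: str              # interface it would be forwarded to
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    payload: bytes = b""        # never consulted by the filter


@dataclass
class Rule:
    action: str                 # "accept" or "drop"
    src: Optional[str] = ANY    # CIDR prefix, e.g. "10.0.0.0/8"
    dst: Optional[str] = ANY
    proto: Optional[str] = ANY
    sport: Optional[int] = ANY
    dport: Optional[int] = ANY
    icmp_type: Optional[int] = ANY
    iface_in: Optional[str] = ANY
    iface_out: Optional[str] = ANY

    def matches(self, p: Packet) -> bool:
        def cidr_ok(pattern, addr):
            return pattern is ANY or ip_address(addr) in ip_network(pattern)

        def eq_ok(pattern, value):
            return pattern is ANY or pattern == value

        return (cidr_ok(self.src, p.src) and cidr_ok(self.dst, p.dst)
                and eq_ok(self.proto, p.proto)
                and eq_ok(self.sport, p.sport) and eq_ok(self.dport, p.dport)
                and eq_ok(self.icmp_type, p.icmp_type)
                and eq_ok(self.iface_in, p.iface_in)
                and eq_ok(self.iface_out, p.iface_out))


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Return the action of the first matching rule, or 'drop' if none match."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "drop"


# Constructed screened-subnet layout (hypothetical addresses): the exterior
# router has interface "ext" towards the Internet and "dmz" towards the
# perimeter network that holds the bastion host.
INTERNAL_NET = "10.0.0.0/8"
PERIMETER_NET = "192.0.2.0/24"
BASTION = "192.0.2.10/32"

EXTERIOR_ROUTER_RULES = [
    # Anti-spoofing: inside addresses never legitimately arrive from the Internet.
    Rule("drop", src=INTERNAL_NET, iface_in="ext"),
    Rule("drop", src=PERIMETER_NET, iface_in="ext"),
    # Nothing from the Internet may reach the internal network directly.
    Rule("drop", dst=INTERNAL_NET, iface_in="ext"),
    # Inbound mail and DNS are accepted only towards the bastion host.
    Rule("accept", dst=BASTION, proto="tcp", dport=25, iface_in="ext", iface_out="dmz"),
    Rule("accept", dst=BASTION, proto="udp", dport=53, iface_in="ext", iface_out="dmz"),
    # The filter is stateless, so the bastion's replies need their own rules.
    Rule("accept", src=BASTION, proto="tcp", sport=25, iface_in="dmz", iface_out="ext"),
    Rule("accept", src=BASTION, proto="udp", sport=53, iface_in="dmz", iface_out="ext"),
    # Everything else falls through to the default drop.
]


def sample_decisions() -> dict:
    """Decisions for a few constructed packets crossing the exterior router."""
    rules = EXTERIOR_ROUTER_RULES
    return {
        "mail_to_bastion": filter_packet(rules, Packet(
            "203.0.113.5", "192.0.2.10", "tcp", "ext", "dmz", 40000, 25)),
        "mail_to_internal": filter_packet(rules, Packet(
            "203.0.113.5", "10.1.2.3", "tcp", "ext", "int", 40000, 25)),
        "spoofed_internal_src": filter_packet(rules, Packet(
            "10.0.0.9", "192.0.2.10", "tcp", "ext", "dmz", 40000, 25)),
        "telnet_to_bastion": filter_packet(rules, Packet(
            "203.0.113.5", "192.0.2.10", "tcp", "ext", "dmz", 40000, 23)),
        # Same header as the accepted mail packet: the payload is not inspected,
        # which is exactly the limitation the report describes.
        "mail_with_hostile_payload": filter_packet(rules, Packet(
            "203.0.113.5", "192.0.2.10", "tcp", "ext", "dmz", 40000, 25,
            payload=b"constructed hostile content")),
    }
```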
1.2 Advantages and limitations of packet-filtering firewalls
Advantages:
o Low cost, since packet filtering is already included in every router's software.
o Packet filtering is transparent to users and applications, so it requires no special training.
Limitations:
o Defining the filtering rules is fairly complex; it requires the network administrator to understand Internet services, packet header formats, and the specific values each field can take in detail. As the filtering requirements grow, the rule sets become long and complex, and very hard to manage and control.


o Because it works on packet headers, a packet filter clearly cannot control the information content of the packets; packets that pass through can still carry a malicious party's attempts to steal information or cause damage.
2. Application-Level Gateway
2.1 How it works
This is a kind of firewall designed to strengthen control over which services and protocols are allowed to access the network. It works through what is called a proxy service: special code installed on the gateway for each application. If the network administrator does not install proxy code for an application, the corresponding service is not provided and therefore cannot pass information through the firewall. In addition, the proxy code can be configured to support only those features of the application that the administrator considers acceptable, while rejecting
An application gateway is usually treated as a fortress (bastion host), because it is specifically designed to withstand attack from outside. The security measures of a bastion host are:
o The bastion host always runs secure versions of its system software (operating system). These secure versions are designed specifically to resist attacks on the operating system and to ensure firewall integrity.
o Only the services the network administrator considers necessary are installed on the bastion host, simply because a service that is not installed cannot be attacked. Typically only a limited set of applications for Telnet, DNS, FTP, SMTP, and user authentication are installed on the bastion host.
o The bastion host may require several different levels of authentication, for example user passwords or smart cards.
o Each proxy is configured to allow access to only certain hosts. This means the command set and feature settings of each proxy apply only to a subset of hosts across the whole system.
o Each proxy keeps a log recording full details of the traffic through it: every connection and its duration. This log is very useful for tracing or stopping an attacker.
o Each proxy is independent of the other proxies on the bastion host, which makes it easy to install a new proxy or remove one that is having problems.
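As an added example (not code from the report or from any real gateway product), the model below implements the bastion-host measures just listed: a service crosses the gateway only if a proxy is installed for it, each proxy restricts the destination hosts and the command subset it relays, each proxy keeps its own connection log with durations, and a proxy can be removed independently of the others. Service names, hosts, client addresses and command sets are constructed for the example.

```python
"""Model of an application-level gateway (bastion host) with per-service proxies."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class LogEntry:
    client: str
    dest: str
    command: str
    decision: str
    seconds: float        # connection duration recorded by the proxy


@dataclass
class Proxy:
    service: str
    allowed_hosts: Set[str]      # only these destinations may be reached
    allowed_commands: Set[str]   # the subset of the protocol the admin accepts
    log: List[LogEntry] = field(default_factory=list)

    def handle(self, client: str, dest: str, command: str, seconds: float) -> str:
        verb = command.split()[0].upper() if command.split() else ""
        if dest not in self.allowed_hosts:
            decision = "denied:host"
        elif verb not in self.allowed_commands:
            decision = "denied:command"
        else:
            decision = "relayed"
        # Every attempt, allowed or not, goes into this proxy's own log.
        self.log.append(LogEntry(client, dest, command, decision, seconds))
        return decision


class ApplicationGateway:
    def __init__(self) -> None:
        self.proxies: Dict[str, Proxy] = {}

    def install(self, proxy: Proxy) -> None:
        self.proxies[proxy.service] = proxy

    def remove(self, service: str) -> None:
        # Proxies are independent, so one can be removed without touching the rest.
        self.proxies.pop(service, None)

    def request(self, service: str, client: str, dest: str,
                command: str, seconds: float = 0.0) -> str:
        proxy = self.proxies.get(service)
        if proxy is None:
            # No proxy code installed: the service simply cannot cross the firewall.
            return "denied:no-proxy"
        return proxy.handle(client, dest, command, seconds)


def build_gateway() -> ApplicationGateway:
    """Constructed configuration: SMTP and a download-only FTP proxy, nothing else."""
    gw = ApplicationGateway()
    gw.install(Proxy("smtp", {"mail.example.internal"},
                     {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "QUIT"}))
    gw.install(Proxy("ftp", {"ftp.example.internal"},
                     {"USER", "PASS", "LIST", "RETR", "QUIT"}))  # no STOR or DELE
    return gw


def sample_session() -> dict:
    """Run a few constructed requests through the gateway and collect decisions."""
    gw = build_gateway()
    client = "198.51.100.7"
    results = {
        "mail_ok": gw.request("smtp", client, "mail.example.internal",
                              "MAIL FROM:<user@example.com>", 0.4),
        "mail_wrong_host": gw.request("smtp", client, "db.example.internal",
                                      "MAIL FROM:<user@example.com>", 0.1),
        "ftp_upload": gw.request("ftp", client, "ftp.example.internal",
                                 "STOR notes.txt", 0.2),
        "telnet": gw.request("telnet", client, "host.example.internal", "login"),
    }
    gw.remove("ftp")
    results["ftp_after_removal"] = gw.request(
        "ftp", client, "ftp.example.internal", "LIST")
    results["smtp_log_len"] = len(gw.proxies["smtp"].log)
    return results
```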
2.2 Advantages and limitations
Advantages:
o The network administrator has complete control over each service on the network, because the proxy application restricts the command set and decides which hosts each service can reach.
o The administrator has complete control over which services are permitted, because the absence of a proxy for a service means that service is blocked.


o Application gateways allow very good authentication checks, and they keep logs of access to the system.
o Filtering rules for an application gateway are easier to configure and verify than those of a packet filter.
Limitations: users must change how they work, or change the software installed on the client machine, in order to use the proxy services. For example, Telnet through an application gateway requires two steps to connect to the target host instead of one. However, some client software makes the application gateway transparent by letting the user name the destination host rather than the gateway in the Telnet command.
3. Circuit-level gateway
A circuit-level gateway is a special function that can be performed by an application gateway. It simply relays TCP connections without doing any processing or packet filtering.


CHAPTER IV: FIREWALL SOLUTIONS FOR ENTERPRISES


1. Introduction
Today Internet use is almost universal among businesses. For anyone responsible for managing the computer network of an organization or business in today's commercial environment, data security is probably the top concern in every situation.
One of the most effective and most common tools is a firewall, used to control access from outside into the internal network and the transactions in and out of it. However, investing in a firewall is fairly expensive, especially for small and medium-sized organizations. In that case, a single device that handles every security function is probably the most sensible solution. This 'all-in-one' security appliance must meet the organization's data security requirements as effectively as possible without several layers of expensive, complex equipment plus a dedicated staff member.
This is truly necessary given the state of today's Internet, which is full of threats such as worms, destructive and information-stealing programs, and security holes in operating systems and applications.
2. Firewall solutions for small businesses
2.1 ISA Server Enterprise 2000, ISA Server Enterprise 2004
This is software whose main functions are:
o Protecting the network against attacks from the Internet.
o Letting clients on the internal network access services on the Internet in a controlled way.

[Figure: deployment model of ISA Server between the internal network and the Internet]

2.2 SonicWALL PRO 2040
This mid-range business firewall can meet every requirement, as is obvious as soon as it is taken out of the box: it can sit on a desk or a shelf, or be mounted in a 1U rack. The SonicWALL Pro 2040 combines SonicWALL's new-generation SonicOS Enhanced operating system with a hardware architecture that handles load well, provided it is configured correctly, which is of course not simple.
To use it fully, the user must install SonicWALL's enhanced OS in order to unlock advanced features such as connections to multiple backup ISPs, load balancing with other Pro 2040 units, policy-based NAT, and backup WAN links.


Although the Pro 2040 can be operated without SonicOS Enhanced, that OS must be installed to activate the device's fourth interface. That port can act as a WAN, LAN, or DMZ port, or connect to another Pro 2040 for redundancy. SonicWALL is no less capable than its competitors: it also integrates antivirus and content filtering.
The Pro 2040 is entirely satisfying; for instance, it has a processor dedicated solely to encryption, so there is no difference in performance between AES-256 and 3DES modes. In testing, a series of simulated attacks and virus samples were all blocked by this firewall.
3. SETTING UP A FIREWALL FOR AN ENTERPRISE
Choose hardware or software firewall solutions to build a firewall for the enterprise. Setting up the firewall depends on the following factors.
First, identify the resources to be protected:
o Workstations.
o Servers.
o Network devices: routers, gateways, repeaters.
o Terminal servers.
o Software programs.
o Network cabling.
o Information stored in data files.
Study the following questions:
o Whom the resources must be protected from.
o The probability of each threat.
o The importance of each resource.
o The measures that can be taken to protect the resources in the shortest time and at the lowest cost.
o Periodic review of the network security policy.
Identify the threats:
o Unauthorized access: in general, using any resource without prior permission is considered unauthorized access.
o Information disclosure: leaking information is also a threat. The value or sensitivity of the information stored on the machines must be clearly determined. At the system level, a leaked system password can facilitate unauthorized access in the future.
o Denial of service: networks connect valuable resources such as computers and databases that provide the services an organization depends on. If those services are unavailable, the organization's business is affected. It is very hard to predict the form a denial of service will take; some examples are:
   - A host stops because of a packet sent by an attacker.


   - The network stops because it is flooded with traffic.
   - Network protection devices are damaged.
o Access points: the points through which unauthorized users enter the system. The more access points there are, the greater the risk to the network.
o Misconfigured systems: intruders usually try to compromise the servers on the network. Hosts acting as Telnet servers are very common targets. If a host is not configured correctly, the system is very easy to compromise.
o Viruses: as software grows more complex, so do the viruses in any system; there is probably no software that cannot be infected. Widely known viruses are also a common method of unauthorized access. If the system's installation is open and widely known, an intruder can use weaknesses in programs that run in privileged mode to gain privileged access to the system.
o Threats from outside: insiders typically have more direct access to the network's software than to its hardware. If an insider decides to cause harm, that person poses a significant threat to network security, and the easier their access to the system, the easier it is to damage. Such a person can easily run a protocol decoder and capture traffic with protocol analysis software. Most TCP/IP applications (Telnet, FTP) have only very weak authentication, in which passwords are sent in clear text.
Physical security: if the computer itself is not physically secure, software security mechanisms can easily be bypassed. DOS and Windows workstations have no software protection mechanism at all. On an unattended Unix system, the physical disks can be swapped, or if the system is left in privileged mode the workstation is effectively wide open. In other words, an intruder can halt the machine, bring it back up in privileged mode, and then load Trojan horse programs or take other actions that leave the system open to future attacks.
4. INSTALLING AND CONFIGURING THE FIREWALL
The following sets up a firewall for an enterprise using the ISA Server 2004 Firewall software.
4.1 About ISA Server 2004 Firewall
Among the firewall products on the market today, Microsoft's ISA Server 2004 is popular because of its strong protection combined with flexible management. ISA Server 2004 Firewall comes in two editions, Standard and Enterprise, for different environments.
ISA Server 2004 Standard meets the protection and bandwidth-sharing needs of medium-sized companies. With this edition one can build a firewall that controls the data flows into and out of the company's internal network and controls user access by protocol, time, and content in order to block connections to websites with inappropriate content. It can also deploy site-to-site or remote-access VPNs to support remote access or data exchange between branch offices. For companies with important servers such as mail and web servers that must be tightly protected in a separate environment, ISA 2004 allows DMZ (demilitarized zone) segments to be deployed, preventing direct interaction between users inside and outside the system. Besides these security features, ISA 2004 also has a caching system that speeds up Internet access, since web content can be kept in RAM or on disk, saving considerable bandwidth. That is why this firewall product is named Internet Security & Acceleration.
ISA Server 2004 Enterprise is used in large networks, serving many access requirements from users inside and outside the system. In addition to the features of ISA Server 2004 Standard, the Enterprise edition allows an array of ISA Servers to be set up sharing a single policy, which simplifies management and provides load balancing.
4.2 Installing ISA Server
Installation requirements: ISA 2004 must be installed on the following hardware and software.
Minimum hardware:
- CPU: 500 MHz.
- RAM: 256 MB.
- Hard disk: NTFS partition with at least 150 MB free.
- Two network cards.
Software:
- Windows 2000 Server SP4.
- Windows Server 2003.
After the required information has been prepared, install ISA Server 2004 Standard on the machine that will act as the firewall.
Step 1: Run the setup file and click Install ISA Server 2004.
Step 2: In the Microsoft ISA Server 2004 - Installation Wizard dialog, click Next.
Step 3: Select I accept the terms in the license agreement and click Next.
Step 4: Fill in the required information and the serial number, then click Next.
Step 5: Choose the Custom installation type and click Next.
Step 6: By default only the Firewall Services and ISA Server Management components are selected; also select Firewall Client Installation Share, then click Next.
Step 7: Click Add.
Step 8: Enter the IP address range (From, To) that contains the computers on the internal network. Note that this range must include the IP address of the Inside network interface. Click Add, then OK.
Step 9: In the Internal Network dialog, click Next.
Step 10: Select Allow computers running earlier versions of Firewall Client software to connect, then click Next.
Step 11: In the Services dialog, click Next.
Step 12: In the Ready to Install the Program dialog, click Install. Installation begins; when it finishes, click Finish.


CHAPTER V: CONCLUSION
1. Conclusion
Firewalls today play an important role in protecting an organization's network from the almost endless list of attacks coming from the Internet. The choice of firewall also often determines how easily remote sites can connect to central systems to reach the resources they need or carry out important tasks. A firewall is the "wall" between a network (such as the Internet) and the computer (or internal network) it protects. Its main security purpose for an individual user is to block
However, a firewall can do much more than that. Sitting between two networks (the Internet and the internal network), it can analyze all traffic entering and leaving the network and decide what to do with that data. A firewall also has many rules on which it bases the granting of access to the network.
A firewall is not only a kind of software (such as the firewall in Windows); it can also be dedicated hardware in enterprise networks. These hardware firewalls let companies analyze outgoing data to ensure that malware cannot penetrate the network, and control the activity on the computers their employees are using. They can also filter data so that a computer is allowed only to browse the web, with access to other kinds of data disabled.
