Cisco ASA configuration textbook (Vietnamese)

138

Upload: duong-sun

Posted on 22-Jul-2015


DESCRIPTION

Copyright: [email protected], Technician, Gameloft HAN Studio

TRANSCRIPT

Understanding firewalls on Cisco technology and demonstrating some practical applications

MINISTRY OF EDUCATION AND TRAINING
HƯNG YÊN UNIVERSITY OF TECHNOLOGY AND EDUCATION
_______________________________

PROJECT 5
MAJOR: INFORMATION TECHNOLOGY
SPECIALIZATION: NETWORKS AND COMMUNICATIONS
TOPIC: UNDERSTANDING FIREWALLS ON CISCO TECHNOLOGY AND DEMONSTRATING SOME PRACTICAL APPLICATIONS

Student group:

Phạm Thị Viên, Vũ Tiến Dương

Supervisor:

Vi Hoài Nam

Hưng Yên, November 2011

COMMENTS OF THE SUPERVISOR

Page 1

[dotted lines left blank for the supervisor's comments]

Supervisor

Page 2

COMMENTS OF THE REVIEWER

[dotted lines left blank for the reviewer's comments]

Reviewer

Page 3


ACKNOWLEDGEMENTS

After nearly three months of study and work, the project "Understanding firewalls on Cisco technology and demonstrating some practical applications" has been completed. Beyond our own best efforts, we received a great deal of encouragement from our families, teachers and friends. This is an interesting topic of high practical value. Our group researched and, to the best of our ability, tried to design the most complete network system possible for an organization. Although we have done our best, this project will certainly not be free of shortcomings. We hope for the understanding and sincere guidance of our teachers and friends.

We express our most sincere gratitude to Mr. Vi Hoài Nam for his dedicated guidance and instruction throughout the time our group carried out this project. We also sincerely thank the teachers of the Faculty of Information Technology, Hưng Yên University of Technology and Education, for their dedicated teaching, guidance and help, and for creating the conditions for us to complete this project well. Thanks to all the friends who have helped and encouraged us during our studies and in completing this project.

Although we have tried our best to complete this project, mistakes are certainly unavoidable. We very much hope for the understanding, contributions and sincere guidance of our teachers and friends!

Hưng Yên, 25 November 2011
Students: Phạm Thị Viên, Vũ Tiến Dương

Page 4

INTRODUCTION

Today information security plays an essential role, no longer a secondary one, in every activity that involves the application of information technology. I mean the great role that applying IT has played and continues to play, no longer merely as tools (hardware, software) but as a real solution to many problems. Starting in the early 1990s, with only a few IT specialists and limited understanding, applying IT in production, transactions and management was still modest and stopped at the level of a tool; at times I even saw these expensive tools hinder the organizations that used them rather than bring practical benefits. The Internet lets us reach anywhere in the world through a number of services. Sitting in front of your computer you can learn about information from all over the world, but for the same reason your computer system can be broken into at any time without any advance warning. Protecting the system is therefore something we must pay attention to. The concept of the firewall was introduced to solve this problem. There are many kinds and types of firewall, but Cisco has introduced very effective firewall security technology; to clarify these issues, the project "Understanding firewalls on Cisco technology and demonstrating some practical applications" gives us a deeper look at the concepts, functions and specific security methods of the Cisco firewall. Once again our group sincerely thanks Mr. Vi Hoài Nam and the teachers of the Faculty of IT for guiding our group to complete this project!

I. Objectives

Page 5

This project helps us learn the concepts and functions of a firewall, and gives a deeper understanding of what Cisco's firewall security policies are in concrete terms and how they are configured.

II. Research method

Read carefully and grasp the requirements set out for the project. The most essential method in this project is the skill of reading, translating and understanding English-language documentation. Search the literature thoroughly and present it in the most sensible way. Listen attentively to and take in the supervisor's feedback.

III. Structure

* The content of this project is divided into 3 chapters as follows:

Chapter 1: Overview of firewalls.
Chapter 2: Security issues.
Chapter 3: An in-depth study of Cisco firewalls.
Chapter 4: Overview of VPNs.
Chapter 5: Demonstration of some practical application models.

Page 6


TABLE OF CONTENTS

ACKNOWLEDGEMENTS ........ 4
INTRODUCTION ........ 5
TABLE OF CONTENTS ........ 7
LIST OF FIGURES AND TABLES ........ 10
LIST OF ABBREVIATIONS ........ 12
1.1. THE FIREWALL CONCEPT ........ 13
1.1.1. Why use a firewall for a computer network connected to the Internet? ........ 13
1.1.2. The origin of the firewall ........ 14
1.1.3. Purpose of the firewall ........ 15
1.1.4. Firewall options ........ 19
1.1.4.1. Hardware firewalls ........ 19
1.1.4.2. Software firewalls ........ 20
1.2. FUNCTIONS OF THE FIREWALL ........ 21
1.2.1. What does a firewall protect? ........ 21
1.2.2. What does a firewall protect against? ........ 21
1.2.2.1. Against hacking ........ 21
1.2.2.2. Against code modification ........ 21
1.2.2.3. Denial of attached services ........ 22
1.2.2.4. Direct attacks ........ 22
1.2.2.5. Eavesdropping ........ 22
1.2.2.6. Disabling system functions (denial of service) ........ 22
1.2.2.7. System administrator errors ........ 23
1.2.2.8. The human factor ........ 23
1.3. FIREWALL MODELS AND ARCHITECTURES ........ 23
1.3.1. Dual-homed host architecture (intermediate host) ........ 24
1.3.2. Screened host architecture ........ 25
1.3.3. Screened subnet architecture ........ 27

Page 7

1.4. FIREWALL CLASSIFICATION ........ 28
1.4.1. Packet filtering firewall ........ 28
1.4.2. Application-proxy firewall ........ 30
1.5. SOME ISSUES WHEN CHOOSING A FIREWALL ........ 31
1.5.1. The need for a firewall ........ 31
1.5.2. What does a firewall control and protect? ........ 31
1.6. LIMITATIONS OF FIREWALLS ........ 32
2.1. Principles of protecting a network system ........ 35
2.1.1. Planning the network protection system ........ 35
2.1.2. Security model ........ 36
2.1.3. Raising the security level ........ 36
2.2. Security architecture of the network system ........ 37
2.2.1. Levels of information security on a network ........ 37
2.2.2. Impact of network vulnerabilities ........ 38
CHAPTER 3. CISCO FIREWALLS ........ 39
3.3 Overview of NAT ........ 53
3.3.1 Private addresses ........ 53
3.3.2 The need for NAT ........ 54
3.3.3 Benefits of NAT ........ 55
3.3.4 NAT terms and definitions ........ 55
3.3.5 Some typical NAT examples ........ 56
3.4.2 Configuring static NAT ........ 69
3.4.2 Configuring static PAT ........ 71
3.5 Access control ........ 72
3.6 Web content ........ 80
3.7 Creating security policies on the ASA ........ 88
3.8 Advanced ASA functions ........ 93
CHAPTER 4. VPNs ........ 110
4.1 What is IPsec? ........ 110

Page 8

4.2 How IPsec works ........ 111
4.3 Connection types ........ 111
4.4 Configuration guide ........ 113
4.4.4 Configuring AnyConnect WebVPN ........ 125
CONCLUSION ........ 135
REFERENCES ........ 137

Page 9


LIST OF FIGURES AND TABLES

NUMBER          DESCRIPTION                                                              PAGE
Figure 1.1      Firewall placed between the private and public networks                  8
Figure 1.2      Network with a firewall and servers                                      9
Figure 1.3      Using multiple firewalls to increase security                            10
Figure 1.4      Architecture of a system using a firewall                                14
Figure 1.5      General structure of a firewall system                                   15
Figure 1.6      Dual-homed host architecture                                             16
Figure 1.7      Screened host architecture                                               18
Figure 1.8      Screened subnet architecture                                             19
Figure 1.9      Packet filtering firewall                                                20
Figure 1.10     Circuit level gateway                                                    21
Figure 1.11     Application-proxy firewall                                               22
Figure 2.1      Levels of information security on a network                              27
Figure 2.2      Configuring denial of a host with a standard access list                 30
Figure 2.3      Configuring denial of telnet from a subnet                               31
Figure 3.15     NAT policy example                                                       67
Figure 3.16     Example of defining a NAT policy                                         68
Figure 3.17     Static NAT configuration example                                         70
Figure 3.18     Static PAT example                                                       71
Figure 3.19     NAT example with 2 interfaces                                            75
Figure 3.20     NAT example with a 3-interface model                                     77
Figure 3.21     Changing the proxy                                                       84
Figure 3.22     WCCP configuration example                                               87

Page 10

Figure 3.23     Active/Standby stateful failover model                                   94
Figure 3.24     ASA authentication model                                                 97
Figure 3.25     Authentication with cut-through proxy for Telnet, FTP, HTTP(S) connections 99
Figure 3.26 (a) Static routing                                                           101
Figure 3.27 (b) Static routing                                                           103
Figure 3.28     Model using RIP in a multi-router network                                105
Figure 4.1      Site-to-site model                                                       110
Figure 4.2      Access VPN model                                                         111
Figure 4.3      Step 8 of configuring the client software                                120
Figure 4.4      Installing the VPN client                                                135
Figure 4.5      Saving the VPN client installation configuration                         121
Figure 4.6      Initiating a Remote Access VPN connection                                121
Figure 4.7      Authentication login                                                     122
Figure 4.8      Active/Standby model                                                     123
Figure 4.9      Operation of AnyConnect VPN                                              125
Figure 4.10     Configuring AnyConnect                                                   126
Figure 4.11     Accessing the ASA                                                        132
Figure 4.12 (a) Establishing an SSL VPN connection                                       133
Figure 4.12 (b) Establishing an SSL VPN connection                                       133
Table 3.1       Match command parameters                                                 92
Table 3.2       Default class map: match command for default inspection traffic          93
Table 4.1       Transforms                                                               115
Table 4.2       Encrypted data information                                               117

Page 11

LIST OF ABBREVIATIONS

ABBREVIATION   PHRASE
NIC            Network Interface Controller
IP             Internet Protocol
LAN            Local Area Network
DMZ            Demilitarized Zone
FTP            File Transfer Protocol
OSI            Open Systems Interconnection
TCP            Transmission Control Protocol
ADSL           Asymmetric Digital Subscriber Line
DNS            Domain Name System
ISA            Internet Security and Acceleration
VPN            Virtual Private Network
NAT            Network Address Translation
WAN            Wide Area Network
OS             Operating System
POP            Post Office Protocol
ACL            Access Control List
ASA            Adaptive Security Appliance
ICMP           Internet Control Message Protocol
UDP            User Datagram Protocol
PAT            Port Address Translation
AAA            Authentication, Authorization, Accounting
VPNs           Virtual Private Networks
IPsec          IP security

Page 12


CHAPTER 1. OVERVIEW OF FIREWALLS

1.1. THE FIREWALL CONCEPT

1.1.1. Why use a firewall for a computer network connected to the Internet?

The arrival of the Internet brought people enormous benefits; it is one of the leading factors in the rapid development of the whole world, and it can be said that the Internet brings people closer together. Precisely because of such wide connectivity, the security risks to computer networks are very large: the risk of networks being attacked, attacks that steal data, attacks meant to sabotage and paralyze an entire large computer system, attacks that alter databases. Faced with these risks, keeping computer networks secure has become more urgent and important than ever. The threat of attack keeps growing, and attacks are ever more sophisticated and dangerous. Many security solutions for computer networks have been proposed, such as using software and programs to protect resources or creating network accounts that require a password, but those solutions protect only part of the network; once intruders have penetrated deeper inside the network there are many ways to damage it. This created the need for tools that block unlawful intrusion at the network's outer boundary, which is what led to the birth of the firewall. A firewall can filter dangerous Internet traffic such as hackers, worms and some viruses before they can cause trouble on the system. In addition, a firewall can keep a computer from unwittingly taking part in attacks on other computers. Using a firewall is extremely important for computers that are always connected to the Internet, such as those with a broadband or DSL/ADSL connection.

Page 13

On the Internet, attackers use malicious code such as viruses, worms and Trojans to look for the unlocked doors of an unprotected computer. A firewall can help protect the computer from these activities and other security attacks. So what can an attacker do? It depends on the nature of the attack. While some are simply a nuisance with simple pranks, others are created with dangerous intent. The more serious kinds try to delete information from the computer, destroy it, or even steal personal information such as passwords or credit card numbers. Some attackers simply enjoy breaking into vulnerable computers. Viruses, worms and Trojans are frightening. Fortunately, the risk of infection can be reduced by using a firewall.

1.1.2. The origin of the firewall

The term firewall originates from a construction design technique for blocking and limiting the spread of fire. In network technology, a firewall is a technique built into the network to block unauthorized access, protecting internal information resources and limiting unwanted intrusion into the system. A firewall can also be understood as a mechanism for protecting a trusted network from untrusted networks. A firewall is usually placed between the internal network (intranet) of a company, organization, sector or country and the Internet. Its main role is to secure information, blocking unwanted access from outside (the Internet) and forbidding access from inside (the intranet) to certain addresses on the Internet. An Internet firewall is a set of devices (hardware and software) between the network of an organization, company or country (intranet) and the Internet: (INTRANET - FIREWALL - INTERNET). In some cases a firewall can be set up within the same internal network to isolate security domains, for example a local network that uses a firewall to separate the computer room from the network on the floor below.

Page 14

An Internet firewall can help stop outsiders on the Internet from breaking into the computer. A firewall works by inspecting information coming from and going to the Internet. It identifies and drops information that comes from a dangerous or suspicious-looking place. If you set up your firewall properly, attackers searching for vulnerable computers cannot even detect the computer. A firewall is a hardware- or software-based solution for inspecting data. The advice is to use a firewall for any computer or network connected to the Internet. For broadband Internet connections the firewall matters even more, because such a connection is always on, so attackers have more time to look for a way in. A broadband connection is also more convenient for attackers when it is used as a means of continuing attacks against other computers.

1.1.3. Purpose of the firewall

With a firewall, users can rest assured that they are exercising oversight over the data exchanged between their computer and other computers or systems. The firewall can be seen as a guard whose job is to check the "passport" of every data packet entering or leaving the user's computer, letting only valid packets through and discarding all invalid ones. Firewall solutions are genuinely necessary because of the very way data travels across the Internet. Suppose you send a letter to a relative: for the letter to travel across the Internet it must first be split into small packets. These packets find the best routes to the recipient's address and are then reassembled (in the order they were numbered beforehand) into their original form. Splitting data into packets simplifies transfer across the Internet but can lead to some problems. If someone with bad intentions sends a number of packets that are rigged so that your computer does not know how to handle them, or so that they are reassembled in the wrong order, that person may gain remote control over your computer and cause serious problems. Whoever then holds that illicit control can use your Internet connection to launch further attacks without revealing their own identity. The firewall ensures that all incoming data is valid, preventing outside users from seizing control of your computer. The firewall's control over outgoing data is also very important, because it prevents intruders from "planting" harmful viruses on your computer to launch back-door attacks against other computers on the Internet.

Page 15

Figure 1.1. Firewall placed between the private and public networks

A firewall has at least two network interfaces: public and private. The public interface connects to the Internet, the side everyone can reach; the private interface is the side that holds the protected data. A firewall may have several private interfaces, depending on how many network segments need to be separated. Each interface has its own set of protection rules that defines what kind of traffic may pass between the public and private networks.

Page 16

A firewall can also do more, with its own advantages and drawbacks. Network administrators often use the firewall as a VPN endpoint, an authentication server or a DNS server. However, as with any other network device, the more services run on one host, the greater the risk; a firewall therefore should not run many services. The firewall is the second layer of protection in the network; the first is the router, which at the routing level permits or denies particular IP addresses and detects abnormal packets. The firewall decides which ports are permitted or denied. A firewall is sometimes also useful for small network segments or individual IP addresses: because routers are often overloaded, using the router to filter a single IP address or a small address range can create unnecessary load. A firewall is useful for protecting networks from unwanted traffic. If a network has no public servers, the firewall is a very good tool for denying incoming traffic that was not initiated by a machine behind the firewall. A firewall can also be configured to deny all traffic except port 53, reserved for the DNS server.

Page 17


Figure 1.2. Network with a firewall and servers

The strength of a firewall lies in its ability to filter traffic according to a set of protection rules entered by the administrators. This can also be the firewall's greatest weakness: a bad or incomplete rule set can open a path for an attacker, and the network may not be secure. Many network administrators do not think of the firewall as a complex network device. Much attention goes to keeping unwanted traffic out of the private network, and little to keeping unwanted traffic from reaching the public network. Both kinds of protection rule set deserve attention: if an attacker does manage to break into a server, they then cannot use that server to attack remote network devices.
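The rule model described in this part of 1.1.3 (a public and a private interface, each with its own ordered rule set and an implicit deny; unsolicited inbound traffic dropped unless it answers a connection opened from inside; a single exception for the DNS server on port 53; and an outbound rule set so a compromised server cannot attack remote hosts), as an added Python model that is not part of the thesis. The Packet, Rule and Firewall names, the address ranges and the six sample packets are all constructed for illustration.

```python
"""Two-interface stateful packet filter, modelled on the description in 1.1.3.

Constructed example: the Packet/Rule/Firewall names, the address ranges
(10.0.0.0/24 inside, 203.0.113.0/24 and 198.51.100.0/24 outside) and the
DNS server 10.0.0.5 are all made up for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # CIDR prefix or "any"
    dst: str                     # CIDR prefix or "any"
    dport: Optional[int] = None  # None matches every destination port

    @staticmethod
    def _in(addr: str, prefix: str) -> bool:
        return prefix == "any" or ip_address(addr) in ip_network(prefix, strict=False)

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and self._in(p.src, self.src)
                and self._in(p.dst, self.dst)
                and self.dport in (None, p.dport))


class Firewall:
    """One ordered rule list per interface, an implicit deny at the end of each,
    and a connection table so that replies to permitted connections pass back
    through the other interface without needing a rule of their own."""

    def __init__(self, inside_rules, outside_rules):
        self.rules = {"inside": list(inside_rules), "outside": list(outside_rules)}
        self.state = set()   # (src, sport, dst, dport, proto) of permitted flows

    def process(self, iface: str, p: Packet) -> str:
        # A reply is a packet whose 5-tuple is the mirror image of a permitted flow.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.state:
            return "permit (established)"
        for rule in self.rules[iface]:
            if rule.matches(p):
                if rule.action == "permit":
                    self.state.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return rule.action
        return "deny (implicit)"   # nothing matched: the default in both directions


INSIDE_NET = "10.0.0.0/24"   # constructed private segment
DNS_SERVER = "10.0.0.5/32"   # constructed: the one host outsiders may reach


def build_firewall() -> Firewall:
    # Rules for traffic arriving on the private interface (LAN hosts going out).
    # Only name resolution and web browsing are permitted, so a LAN host that
    # has been compromised cannot, for instance, send mail or SMB at others.
    inside = [
        Rule("permit", "udp", INSIDE_NET, "any", 53),
        Rule("permit", "tcp", INSIDE_NET, "any", 80),
        Rule("permit", "tcp", INSIDE_NET, "any", 443),
    ]
    # Rules for traffic arriving on the public interface: deny everything
    # except port 53 to the DNS server, the exception the text describes.
    outside = [
        Rule("permit", "udp", "any", DNS_SERVER, 53),
    ]
    return Firewall(inside, outside)


def run_scenarios() -> dict:
    """Six packets, processed in order, and the decision made for each."""
    fw = build_firewall()
    return {
        "lan_web":       fw.process("inside",  Packet("10.0.0.7", "198.51.100.20", "tcp", 40000, 80)),
        "web_reply":     fw.process("outside", Packet("198.51.100.20", "10.0.0.7", "tcp", 80, 40000)),
        "spoofed_reply": fw.process("outside", Packet("198.51.100.20", "10.0.0.7", "tcp", 80, 40001)),
        "unsolicited":   fw.process("outside", Packet("203.0.113.9", "10.0.0.7", "tcp", 5555, 445)),
        "public_dns":    fw.process("outside", Packet("203.0.113.9", "10.0.0.5", "udp", 5000, 53)),
        "lan_mail_out":  fw.process("inside",  Packet("10.0.0.7", "203.0.113.9", "tcp", 50000, 25)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:14s} {verdict}")
```

The "spoofed_reply" packet shows why the state table must match the whole 5-tuple: a packet that merely looks like a web reply but does not mirror a flow the LAN actually opened is still dropped.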

Page 18

To protect and support traffic within network segments, administrators often run two firewalls: the first protects the whole network and the second protects the other segments. Multiple layers of firewall also give network security administrators better control over information flows, especially where facilities inside and outside the company must handle sensitive information. Exchanges of information that may be allowed on one part of the network can be restricted in more sensitive areas.

Figure 1.3. Using multiple firewalls to increase security

1.1.4. Firewall options

Several companies make firewall products, and there are two types to choose from: hardware firewalls and software firewalls.

1.1.4.1. Hardware firewalls

Overall, hardware firewalls provide a higher level of protection than software firewalls and are easier to maintain. Hardware firewalls have the further advantage of not consuming system resources on the computer as software firewalls do. A hardware firewall is a very good choice for small businesses, especially companies that share an Internet connection. A firewall and a router can be combined in one hardware system that is then used to protect the entire network. A hardware firewall can be a less costly option than software firewalls, which usually have to be installed on every personal computer in the network.

Page 19

Hardware firewall vendors include Linksys (http://www.linksys.com) and NetGear (http://www.netgear.com). The hardware firewall features these companies offer are usually built into routers intended for small-business and home networks.

1.1.4.2. Software firewalls

If you do not want to spend money on a hardware firewall, you can use a software firewall. In terms of price, software firewalls are usually cheaper than hardware firewalls, and some are even free (Comodo Firewall Pro 3.0, PC Tools Firewall Plus 3.0, ZoneAlarm Firewall 7.1) and can be downloaded from the Internet. Compared with hardware firewalls, software firewalls are more flexible, especially when the settings need to be adjusted to suit each company's particular needs. They can work well on many different systems, unlike hardware firewalls built into routers, which only work well in small networks. Software firewalls are also a suitable choice for laptops, since the computer stays protected wherever it is taken. Software firewalls work well with Windows 98, Windows ME and Windows 2000. They are a good choice for stand-alone computers. Other software companies make these firewalls. They are not needed on Windows XP, because XP already has a built-in firewall.

* Advantages: no additional hardware required; no extra cabling required; a good choice for stand-alone computers.

* Disadvantages: additional cost, since most software firewalls are not free; installation and configuration may be needed to get started; a separate copy is needed for each computer.

Page 20

1.2. FUNCTIONS OF THE FIREWALL

The firewall decides which internal services may be accessed from outside, which outside users may access internal services, and which outside services may be accessed by users inside.

1.2.1. What does a firewall protect?

Protecting data: monitoring the flow of network data between the Internet and the intranet. Information needs to be protected for the following reasons:

Confidentiality: one function of a firewall is to hide information about the trusted, internal network from the untrusted network and other external networks. The firewall also provides a central focal point for management, which is very helpful when an organization's human and financial resources are limited.

Integrity.

Timeliness.

System resources.

The reputation of the company that owns the information to be protected.

1.2.2. What does a firewall protect against?

The firewall protects against attacks from outside.

1.2.2.1. Against hacking

Hackers are people who understand and use computers very proficiently and are very good programmers. When they analyse and discover a vulnerability in some system, they find the appropriate way to access and attack it. They may use various skills to attack a computer system, for example gaining access to a system without permission, creating false information or stealing information. Many companies worry about confidential data being stolen by hackers, and among the methods found to protect data, the firewall can do this.

1.2.2.2. Against code modification

This possibility arises when an attacker modifies, deletes or replaces the authenticity of code by using viruses, worms and other malicious programs. Downloading files from the Internet can lead to downloading malicious code; lacking knowledge of computer security, the downloaded files may execute actions according to the intentions of users on certain websites.

Page 21

1.2.2.3. Denial of attached services

Denial of service is a type of attack that interrupts operation. The threat to the continuity of a network system results from several attack methods, such as flooding it with information or unauthorized modification of routes. By flooding we mean that an intruder generates a quantity of bogus information to increase traffic on the network and degrade the service delivered to real users. Alternatively an attacker may quietly sabotage a computer system by adding malicious software that attacks the system at a predetermined time.

1.2.2.4. Direct attacks

The first way is direct password guessing. Using password-guessing programs together with some information about the user, such as date of birth, age and address, combined with a user-built dictionary, an attacker can recover the password; in some cases the success rate can reach 30%. An example is the password-guessing program for the Unix operating system called Crack. The second way is to exploit flaws in application programs and in the operating system itself, which have been used since the earliest attacks and are still used to seize access (obtaining system administrator privileges).

1.2.2.5. Eavesdropping

Names, passwords and other information sent over the network can be learned through programs that put the network interface (NIC) into a mode that receives all the traffic passing over the network.

1.2.2.6. Disabling system functions (denial of service)

This kind of attack aims to paralyze the whole system so that it cannot perform the functions it was designed for. This kind of attack cannot be prevented, because the means used to mount it are the very same means used to work and access information on the network.

Page 22

Tm hiu Firewall trn cng ngh Cisco v demo mt s ng dng thc tin 1.2.2.7. Li ngi qun tr h thng Ngy nay, trnh ca cc hacker ngy cng gii hn, trong khi cc h thng mng vn cn chm chp trong vic x l cc l hng ca mnh. iu ny i hi ngi qun tr mng phi c kin thc tt v bo mt mng c th gi vng an ton cho thng tin ca h thng. i vi ngi dng c nhn, khng th bit ht cc th thut t xy dng cho mnh mt Firewall, nhng cng nn hiu r tm quan trng ca bo mt thng tin cho mi c nhn. Qua , t tm hiu bit mt s cch phng trnh nhng s tn cng n gin ca cc hacker. Vn l thc, khi c thc phng trnh th kh nng an ton s cao hn. 1.2.2.8. Yu t con ngi Vi nhng tnh cch ch quan v khng hiu r tm quan trng ca vic bo mt h thng nn d dng l cc thng tin quan trng cho hacker. * Ngoi ra th cn dng Firewall chng li s gi mo a ch IP . 1.3. M HNH V KIN TRC CA FIREWALL Kin trc ca h thng s dng Firewall nh sau:

Figure 1.4. Architecture of a system using a firewall (diagram not preserved: the Internet, an Internet router, the firewall, an internal router, servers and computers)


All firewall systems share a common structure, shown in Figure 1.5:

Figure 1.5. General structure of a firewall system (diagram not preserved)

Where:
- Screening Router: the first line of control for the LAN.
- DMZ: the zone at risk of attack from the Internet.
- Gateway Host: the gateway between the LAN and the DMZ; it controls all communication and enforces the security mechanisms.
- IF1 (Interface 1): the card facing the DMZ.
- IF2 (Interface 2): the card facing the LAN.
- FTP Gateway: controls FTP access between the LAN and the FTP zone. FTP from the LAN to the Internet is unrestricted; FTP access into the LAN requires authentication through the Authentication server.
- Telnet gateway: controls telnet access in the same way as FTP; users may telnet out freely, while telnet from outside requires authentication through the Authentication server.
- Authentication server: where access rights are authenticated, using strong authentication techniques such as one-time passwords/tokens.

All firewalls share the property that they can discriminate, or refuse access, based on source addresses. Thanks to the firewall model, the servers in the LAN are protected and all traffic exchanged with the Internet is controlled through the gateway.

1.3.1. Dual-homed host architecture (intermediary host)

A dual-homed host firewall is built on a dual-homed host computer. A computer is called dual-homed if it has at least two network interfaces, i.e. two network cards connected to two different networks, so that the computer acts as a software router. The dual-homed host architecture is very simple. The dual-homed host sits in the middle, with one side connected to the Internet and the other to the internal network (LAN). The dual-homed host can only provide services by proxying them or by letting users log in directly to the dual-homed host. All direct communication between a host on the internal network and an external host is forbidden; the dual-homed host is the only point of contact.

Figure 1.6. Dual-homed host architecture (diagram not preserved: Internet and remote user, firewall/dual-homed host, users on the internal network)

1.3.2. Screened host architecture

The screened host has the opposite structure to the dual-homed host: this architecture provides services from a host inside the internal network, using a separate router to the external network. In this architecture the main security mechanism is packet filtering. The bastion host is placed inside the internal network and packet filtering is installed on the router. This way, the bastion host is the only system on the internal network that hosts on the Internet can connect to, and even then only the permitted kinds of connection (configured on the bastion host) are allowed. Any outside system that tries to reach internal systems or services must connect to this host. The bastion host must therefore be kept at a high level of security. Packet filtering also lets the bastion host open connections to the outside. The packet filtering configuration on the screening router is as follows:
- Allow all internal hosts to open connections to external hosts for a fixed set of services.
- Disallow all other connections from internal hosts (forcing them to use proxy services through the bastion host).
Several entry points can be combined for different services: some services are allowed in directly through packet filtering, others only indirectly through the proxy.

Because this architecture lets packets pass from outside into the internal network, it appears more dangerous than the dual-homed host architecture, which is designed so that no packet can reach the internal network. In practice, however, the dual-homed host architecture sometimes has bugs that let a packet pass from outside to inside (and since these bugs are unknown in advance, there is almost no protection against such attacks). Moreover, a router (which provides very few services) is easier to protect than the hosts inside the network. All things considered, the screened host architecture is more reliable and safer than the dual-homed host architecture. Compared with other architectures, such as the screened subnet, the screened host architecture has some drawbacks. The main one is that if an attacker manages to compromise the bastion host, there is no way to isolate it from the remaining hosts on the internal network. The router is also a weak point: if it is compromised, the whole network is exposed. For this reason the screened subnet has become the most popular architecture.


Figure 1.7. Screened host architecture (diagram not preserved: Internet and remote user, firewall/screening router, bastion host and users on the internal network)

1.3.3. Screened subnet architecture

To strengthen the protection of the internal network, implement a defence-in-depth strategy, improve the security of the bastion host, separate the bastion host from the other hosts and limit the spread of damage should the bastion host be compromised, the firewall architecture called the screened subnet was devised. The screened subnet derives from the screened host architecture by adding a security layer: a perimeter network that isolates the internal network from the outside and separates the bastion host from the other ordinary hosts. A simple screened subnet consists of two screening routers:
- Exterior router (also called the access router): sits between the perimeter network and the external network and protects the perimeter network (bastion host and interior router). It allows outbound traffic from the perimeter network. Some special packet filtering rules are installed to the extent needed to protect the bastion host and the interior router, even though the bastion host is itself installed with a high level of security. Apart from those rules, the remaining rules should be the same on both routers.
- Interior router (also called the choke router): sits between the perimeter network and the internal network and protects the internal network from both the outside and the perimeter network. It does not enforce all of the packet filtering rules of the whole firewall. The services the interior router allows between the bastion host and the internal network, and between the outside and the internal network, need not be the same. Limiting the services between the bastion host and the internal network reduces the number of machines (and the number of services on them) that can be attacked if the bastion host is compromised and colludes with the outside. For example, the services allowed between the bastion host and the internal network should be restricted; for SMTP, when e-mail arrives from outside, the SMTP connection should perhaps be limited to the one between the bastion host and the internal e-mail server.

Figure 1.8. Screened subnet architecture (diagram not preserved: Internet, exterior router, perimeter network with bastion host, interior router, users on the internal network)

1.4. FIREWALL CLASSIFICATION

There are many kinds of firewall today; for ease of study and development they are divided into two main types:
- Packet filtering firewall: a firewall system between the components inside the network and the controlled outside.
- Application-proxy firewall: a system that allows direct connections between clients and hosts.

1.4.1. Packet filtering firewall

This is the common type of firewall that operates at the network layer of the OSI model. A network-layer firewall usually works on the router principle, and is also called a router, i.e. it creates rules about network access rights at the network layer. This model works by packet filtering. In this mode of operation every packet is checked for its source address, the address it originated from. Once the source IP address is determined, it is checked against the rules set up on the router. With this mode of operation, network-layer firewalls process packets quickly, because they only check the source IP address without needing to know whether that address is false or banned. This is the limitation of this type of firewall: it does not guarantee reliability. Its weakness is that it uses only the source IP address as an indicator; a packet carrying a spoofed source address can pass through some access levels into the network. Packet filtering firewalls are divided into two kinds:
- Packet filtering firewall: operates at the network layer of the OSI model. The packet filtering rules are based on fields in the IP header and transport header, the source IP address and the destination IP address.

Figure 1.9. Packet filtering firewall (diagram not preserved: packet filtering router on the security perimeter between the private network and the Internet)

- Circuit level gateway: operates at the session layer of the OSI model. This model does not allow end-to-end connections.

Figure 1.10. Circuit level gateway (diagram not preserved: outside host and outside connection, the gateway, inside connection and inside host)

1.4.2. Application-proxy firewall

When a user opens a connection to a network protected by this type of firewall, the connection is stopped and the firewall examines the relevant fields of the connection-request packet. If the check succeeds, meaning the fields satisfy the rules set on the firewall, the firewall creates a bridge connection for the packet to pass through.

* Advantages: It does not forward IP packets. It gives finer control over the connections through the firewall. It provides tools for logging the connection process.

* Disadvantages: Processing is rather slow. The forwarding of IP packets, when the server receives a request from the outside network and passes it into the internal network, is a hole that hackers can exploit. Because this type of firewall is based on application software, a proxy application must be created on the firewall for every network service (e.g. FTP proxy, HTTP proxy).

* Application-proxy firewalls are divided into two kinds:

- Application level gateway: operates at the application layer of the TCP/IP model.

Figure 1.11. Application-proxy firewall (diagram not preserved: outside host and outside connection, application level gateway with TELNET, FTP, SMTP and HTTP proxies, inside connection and inside host)

- Stateful multilayer inspection firewall: this type combines the features of the firewall types above; it filters packets at the network layer and inspects packet contents at the application layer. It allows direct connections between client and host, which minimises errors, and it provides strong security that is transparent to end users.

1.5. SOME ISSUES WHEN CHOOSING A FIREWALL

1.5.1. The need for a firewall

The decision to implement a firewall should not be made without research and analysis. It must rest on requirements that have been identified and justified, because a firewall implementation that is not tied to identified needs affects the decisions of the rest of the organization. A firewall built on a small scale without clear requirements can itself create security holes and mechanisms that cause more network problems than it solves.

1.5.2. What does the firewall control and protect?

To build a firewall, the functions it must perform have to be identified: which networks it will control access from, and which services and users it will protect. What does the firewall control?

- Access into the network.
- Access out of the network.
- Access within internal networks, domains or buildings.
- Access by specific groups, users or addresses.
- Access to specific resources or services.

What must the firewall protect?
- Specific networks or controllers.
- Specific services.
- Private or public information.
- Users.

After identifying what the firewall must protect and control, decide what can happen next with this protection and control. What happens when a user accesses pages they have no right to access? This will happen if services are not protected and information is not well secured. Whether the risk of control or protection warrants the next step in the assessment determines whether a firewall solution is needed.

1.6. LIMITATIONS OF A FIREWALL

A firewall is not intelligent like a human: it cannot read and understand each kind of information and judge whether its content is good or bad. A firewall can only block unwanted sources of information, and the address parameters must be clearly specified. A firewall cannot stop an attack that does not "pass through" it. Specifically, a firewall cannot defend against an attack over a dial-up line, or against information leakage through data illegally copied onto a floppy disk. A firewall also cannot defend against data-driven attacks, where a program is carried in e-mail, passes through the firewall into the protected network and starts running there. Computer viruses are one example. A firewall cannot scan the data passing through it for viruses, because of its working speed, the constant appearance of new viruses and the many ways of encoding data that escape the firewall's control.

A firewall can stop bad actors from outside, but what about bad actors inside? Nevertheless, the firewall remains an effective and widely used solution. For optimal security, a firewall should be combined with other network security measures such as antivirus software, packaging software and data encryption. In particular, a properly implemented security policy with depth is vital for getting the most out of any security software. Remember too that technology is only part of the security solution; another crucial factor in its success is the cooperation of staff and colleagues.

CHAPTER 2. SECURITY ISSUES

Security is a major issue for all networks in today's business environment. Hackers and intruders have many ways to succeed in bringing down a company's network or web services. Many methods have been developed to secure the network infrastructure and communications over the Internet, including firewalls, encryption and virtual private networks. Network security comprises three elements: confidentiality, integrity and availability.
- Confidentiality: protecting sensitive information from access by unauthorized people.
- Integrity: protecting system information from modification by hackers.
- Availability: always ensuring that resources are available to users.
To protect your systems, you first have to recognise who and what you need to protect them from. To defend against attacks, you must understand the kinds of threat to your network's security. There are four security threats:
- Internal threats
- External threats
- Unstructured threats
- Structured threats

a) Internal threats

The term internal threat describes an attack carried out by a person or organization with some access to your network. Internal attacks are carried out from a trusted area of the network. This threat can be harder to defend against, because employees have access to the network and to the company's confidential data. Most companies only have firewalls at the network perimeter and rely entirely on ACLs (Access Control Lists) and server access rights for internal security. Server access rights usually protect the resources on the server but give no protection to the network. Internal threats are often carried out by disgruntled employees who want to turn against the company. Many security methods concern the perimeter of the network, protecting the internal network from external connections such as the Internet. Once the perimeter is secured, the trusted parts inside tend to be less strictly controlled, and once an intruder has passed the hard outer shell of the network, the rest is usually very simple. The following levels of security are therefore needed:
- Physical security: place network equipment in a secure room that is always locked.
- Operating system security: use the newest IOS version that meets the business's needs; keep a backup copy of the configuration file.
- Router and switch security: secure administrative access such as console and telnet; shut down unused ports on routers and switches and disable unnecessary services.

b) External threats

External threats come from organizations, governments or individuals trying to gain access from outside the company's network, and include everyone without access rights to the internal network. Typically, external attackers try to get in through dial-up servers or Internet connections. External threats are what companies usually spend most of their time and money preventing. The solution is as follows:

- Deploy a firewall to protect the internal network.
- Allow only the services needed to meet the organization's needs.
- Have measures to prevent and detect intrusion into the internal network.

c) Structured threats

Structured threats are the hardest to prevent and defend against, because they come from organizations or individuals who use some kind of methodology to carry out attacks. Hackers with high levels of knowledge, experience and equipment create this threat. They know how packets are built and can develop code to exploit vulnerabilities in protocol structures. They also know the measures used to prevent unauthorized access, as well as IDS systems and how they detect intrusions, and they know methods of avoiding these defences. In some cases a structured attack is carried out with help from someone inside; this is called an internal structured threat. Structured and unstructured threats can be external as well as internal.

2.1. Principles of protecting a network

2.1.1. Planning the network protection system

In a network environment there must be assurance that confidential data is kept private, so that only authorized people can access it. Protecting information is important, and protecting the operation of the network is no less important. The computer network must be kept safe from accidental and deliberate hazards. However, a network administrator must know that everything has its limits and should not go too far. The network need not be protected so tightly that users constantly have trouble accessing it to do their jobs. They should not be left frustrated when trying to reach their own files. The four main hazards to network security are:
- Unauthorized network access.
- Electronic interference.
- Theft.
- Accidental or deliberate disaster.

Security level: depends on the kind of environment in which the network operates.

Security policy: a network requires a set of principles, rules and policies to eliminate risks; they guide the way through changes and unforeseen situations as the network develops.
Training: well-trained network users are less likely to destroy a resource by accident.
Equipment safety: depends on the size of the company, the confidentiality of the data and the available resources. In a peer-to-peer environment there may be no organized policy for protecting hardware; users are responsible for the safety of their own computers and data.

2.1.2. Security models

Two different security models have developed to protect data and hardware resources:
- Password-protected shared resources: a password is assigned to each shared resource.
- Access on permission: certain rights are assigned on a per-user basis, and access to shared resources is checked against the user-access database on the server.

2.1.3. Raising the level of security

Auditing: tracking activity on the network through user accounts and recording selected kinds of event in the server's security log. This helps detect illegitimate or unintended activity, and provides usage information where a department charges for the use of certain resources and must decide how to bill for them.
Diskless computers: they have no hard disk or floppy drive. They can do everything an ordinary computer can except store data on a local hard or floppy disk. They need no boot disk; they can communicate with the server and log in thanks to a special boot ROM chip installed on the network card. When a diskless computer is switched on, the boot ROM chip signals to the server that it wants to boot. The server responds by loading boot software into the diskless computer's RAM and automatically displays the login screen; the computer is then connected to the network.
Data encryption: encoding information into ciphered form by some method such that it cannot be understood unless the recipient knows how to decrypt it. A user or host can use the information without worrying about affecting another user or host.
Antivirus: preventing viruses from running; repairing damage to some extent; stopping a virus after it breaks out.

Preventing unauthorized access is one of the most effective ways of avoiding viruses. Since the main measure is prevention, the network administrator must make sure that everything needed is in place:
- Passwords to reduce the chance of unauthorized access.
- Appropriate privileges assigned to every user.
- Profiles to organize the network environment for users, so that the login environment, including network connections and program items, can be configured and maintained when users log in.
- A policy deciding which software may be downloaded.

2.2. Security architecture of a network

2.2.1. Levels of information security on a network

Figure 2.1. Levels of information security on a network (diagram not preserved)

Safety or security is not a product, nor is it a piece of software; it is a way of thinking. Security can be started and used as a service. Security is the way to safety. Security documents are the materials that members of the organization want to protect. Responsibility for security lies with the network administrator. Network security is of paramount importance. The security mechanism must cover the server's network configuration, the application perimeter of the network organization and even clients that access the network remotely. There are several aspects to consider:
- Physical security.
- System security.
- Network security.
- Application security.
- Remote access and acceptance.

Security vulnerabilities in a system are weak points that can cause service interruption, grant extra rights to users, or allow unauthorized access to the system. Vulnerabilities may lie in the services provided, such as sendmail, web and ftp, in the operating system itself, such as Windows NT, Windows 95, XP and UNIX, or in the applications users work with every day, such as word processors and database systems.

2.2.2. Impact of network vulnerabilities

The previous section analysed some cases of security vulnerabilities; attackers can use these to create further holes, forming a chain of vulnerabilities. For example, an intruder wants to break into a system without a valid account on it. In this case the intruder first looks for weak points in the system, either in the security policies or by using information-gathering tools against the system, in order to gain access. Once that single goal is reached, the intruder can go on to examine the services on the system, find their weaknesses and carry out more sophisticated acts of sabotage.

However, is every security vulnerability dangerous to the system? There are many advisories about vulnerabilities on the Internet, most of them class C vulnerabilities that are not especially dangerous to the system. For example, when sendmail vulnerabilities are announced, they do not immediately affect the whole system. Once vulnerability reports are confirmed, newsgroups publish methods for fixing the system.

CHAPTER 3. CISCO FIREWALLS

3.1 THE ASA FIREWALL

Cisco ASA stands for Cisco Adaptive Security Appliance. The ASA is Cisco's main end-to-end security solution. The ASA is currently the market-leading security product in performance, offering models suited to businesses and integrated network security. The ASA product line saves cost and is easy to deploy. It has the following features:
+ Real-time security on Cisco's proprietary operating system
+ Stateful firewall technology using Cisco's SA algorithm
+ SNR to secure TCP connections
+ Cut-through proxy to authenticate telnet, http and ftp
+ A default security policy that provides maximum protection, with the ability to customise these policies and build your own
+ VPN: IPSec, SSL and L2TP
+ Integrated intrusion detection and prevention (IDS/IPS)
+ Dynamic NAT, static NAT and port NAT
+ Policy virtualization using contexts

3.1.1 The ASA product line

There are six different models. The product line is divided across small organizations, medium-sized businesses and ISP service providers. The higher the model, the higher the throughput, port count and cost. The products are: ASA 5505, 5510, 5520, 5540, 5550, 5580-20, 5580-40.

Figure 3.1 The ASA 5550 (image not preserved)

For example, the specifications of the ASA 5550 (table not preserved).

3.1.2 The ASA security algorithm

One main function of the ASA is the stateful firewall. A stateful firewall adds and maintains information about users' connections. This information is stored in a state table, usually called the conn table. The ASA firewall uses the conn table to enforce the security policy on users' connections. Below is some of the information a stateful firewall keeps in the conn table:
+ Source IP address
+ Destination IP address
+ Protocol, such as TCP or UDP
+ Protocol information such as TCP/UDP port, TCP SYN and TCP flags

3.1.2.1 How the stateful firewall works

The model is as follows:

Figure 3.2 Stateful firewall mechanism, part a (Figure 1-1; diagram not preserved)

- PC-A on the internal network accesses a web server outside on the Internet. The HTTP request packet reaches the firewall; the firewall records PC-A's connection information (source address, destination address, IP protocol and any other protocol information) in the conn table.
- The firewall then forwards the HTTP request packet to the web server.

Figure 3.2 Stateful firewall mechanism, part b (Figure 1-2; diagram not preserved)

- The web server sends the web page back to user PC-A.
- The firewall inspects this reply packet and compares it with the entries in the conn table:
+ If it matches an entry in the conn table, the packet is allowed.
+ If it does not match an entry in the conn table, the packet is dropped.

- A stateful firewall maintains this connection table. If the firewall sees the client close the connection, it removes the entry from the conn table. If an entry is inactive for a period of time, it times out and the stateful firewall removes it from the conn table.

3.1.2.2 Comparing stateful and packet filtering firewalls

- A stateful firewall is able to recognise the state of the connections passing through it. A packet filtering firewall, on the other hand, cannot see the state of a connection.
- A clear example for understanding a packet filtering firewall is the extended ACL used on a router. With this kind of ACL the router only sees the following information in each individual packet:
+ Source IP address
+ Destination IP address
+ IP protocol
+ Protocol information such as TCP/UDP port
At first glance the information a packet filtering firewall uses looks the same as that of a stateful firewall. However, a router using an ACL cannot tell whether a connection is being requested, already exists or is being torn down; it only sees each individual packet crossing the interface. In other words, a packet filtering firewall only inspects packets at layers 3 and 4.
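To make the comparison above concrete, here is an added example in Python (it is not code from the report or from Cisco): a router extended ACL, including the `established`-style entry a router needs so that replies reach inside clients, is evaluated packet by packet next to a stateful check against a small conn table. The packet sequence, addresses and ports are constructed for the example.

```python
"""Added example (not from the report, not Cisco code): a router extended ACL
judged packet by packet next to a stateful check against a conn table, over a
constructed packet sequence. Addresses and ports are made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset()      # TCP flags such as {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class AclEntry:
    """One line of an extended ACL; None in src/dst/dport means 'any'."""
    action: str
    proto: str
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False           # like IOS 'established': only segments with ACK or RST set

    def matches(self, p):
        return (self.proto == p.proto
                and self.src in (None, p.src)
                and self.dst in (None, p.dst)
                and self.dport in (None, p.dport)
                and (not self.established or bool(p.flags & {"ACK", "RST"})))


def acl_decision(acl, p):
    """Packet filter: every packet is judged on its own, first match wins, implicit deny."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


class StatefulFilter:
    """Minimal conn table: inside-initiated flows are recorded, inbound packets must match one."""

    def __init__(self):
        self.conn_table = set()

    def decision(self, p, direction):
        if direction == "out":
            if p.flags == {"SYN"} or p.proto == "udp":
                self.conn_table.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "permit"
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        return "permit" if reverse in self.conn_table else "deny"


INSIDE_HOST, WEB, OTHER = "10.1.1.10", "203.0.113.5", "198.51.100.7"   # constructed addresses

# The inbound ACL a router needs so that replies to inside-initiated connections reach the client.
OUTSIDE_IN_ACL = [AclEntry("permit", "tcp", dst=INSIDE_HOST, established=True)]


def compare():
    """Returns {description: (router ACL decision, stateful decision)} for three inbound packets."""
    fw = StatefulFilter()
    # The inside client opens a connection; the stateful filter records it, the inbound ACL never sees it.
    fw.decision(Packet(INSIDE_HOST, 40000, WEB, 80, flags=frozenset({"SYN"})), "out")
    inbound = {
        "reply SYN/ACK to the open connection":
            Packet(WEB, 80, INSIDE_HOST, 40000, flags=frozenset({"SYN", "ACK"})),
        "unsolicited segment with ACK set":
            Packet(OTHER, 80, INSIDE_HOST, 40000, flags=frozenset({"ACK"})),
        "unsolicited SYN to port 22":
            Packet(OTHER, 4444, INSIDE_HOST, 22, flags=frozenset({"SYN"})),
    }
    return {name: (acl_decision(OUTSIDE_IN_ACL, p), fw.decision(p, "in"))
            for name, p in inbound.items()}
```

The second inbound packet is the point of the section: because the router judges it alone, any segment with the ACK bit set matches the `established` entry and is permitted, whereas the stateful filter denies it because no inside-initiated connection to that peer exists in the conn table.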

3.1.2.3 Sequence Number Randomization (SNR)

The ASA firewall has a feature called Sequence Number Randomization (SNR), implemented by the security algorithm. SNR protects you against information loss and TCP session hijacking by hackers. As we know, a problem with TCP is that most TCP/IP stacks start the three-way handshake in a predictable way when using SYN and ACK. With many methods, a hacker can use tools to predict the next set of data to be sent on the network and, having guessed the correct sequence number, use that information to hijack the session and spoof the connection. The ASA firewall solves this problem by generating a random sequence number and placing it in the header of the TCP segment. The ASA replaces the old sequence number with the new one in the conn table. For all return traffic from the destination passing back through the firewall to the source, the ASA looks up this information and changes the ACK number back. The source machine on the local network can therefore accept the packets returned from the destination. The following is an example of SNR:

Figure 3.3 How SNR works (diagram not preserved)

- A TCP packet passes through the ASA firewall with sequence number 578. The ASA's SNR changes this to a random sequence number, stores it in the conn table (992 in this case) and forwards the packet to the destination.
- The destination cannot tell that anything changed and replies to the source with ACK = 993. The firewall receives this reply and changes 993 to 579, so the source does not reject the packet. Remember that the reply carries the sequence number incremented by one and uses that value as the ACK number.
- Note: SNR is transparent to the source and destination machines. Cisco recommends that you do not disable this feature; if SNR is disabled, your network is exposed to TCP session hijacking.
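The walk-through above as an added example written for this page (a model, not the ASA's implementation): the report's values 578, 992, 993 and 579 are reused; the flow key, the addresses and the fixed chooser that returns 992 are constructed so the run is reproducible, while the default chooser draws a random 32-bit ISN. Beyond the figure, the model also shifts later data segments of the same flow by the same offset, which is what keeps the translated connection consistent after the handshake.

```python
"""Added example (a model, not the ASA's implementation) of Sequence Number
Randomization. The report's numbers 578, 992, 993 and 579 are reused; the flow
key, addresses and the fixed chooser returning 992 are constructed."""
import secrets

MOD = 2 ** 32                       # TCP sequence numbers wrap at 32 bits


class SnrTranslator:
    def __init__(self, choose_isn=None):
        # Default: a random 32-bit initial sequence number, as SNR intends.
        self.choose_isn = choose_isn or (lambda: secrets.randbelow(MOD))
        self.conn_table = {}        # flow key -> offset applied to the inside host's sequence numbers

    def outbound(self, flow, seq, syn=False):
        """Inside -> outside segment. On the SYN a new ISN is chosen and the offset
        between it and the host's own ISN is stored; later segments are shifted by it."""
        if syn:
            self.conn_table[flow] = (self.choose_isn() - seq) % MOD
        return (seq + self.conn_table[flow]) % MOD

    def inbound(self, flow, ack):
        """Outside -> inside segment: undo the shift on the ACK number, so the
        inside host, which never saw the randomized value, accepts the reply."""
        return (ack - self.conn_table[flow]) % MOD


def walk_through():
    """The figure's exchange: (ISN on the wire, server ACK, ACK delivered inside, a later segment)."""
    flow = ("10.1.1.10", 40000, "203.0.113.5", 80)           # constructed flow key
    fw = SnrTranslator(choose_isn=lambda: 992)                # fixed for reproducibility
    seen_by_server = fw.outbound(flow, 578, syn=True)         # 578 leaves the firewall as 992
    server_ack = (seen_by_server + 1) % MOD                   # the server acknowledges ISN + 1 = 993
    seen_by_client = fw.inbound(flow, server_ack)             # 993 is translated back to 579
    later_segment = fw.outbound(flow, 600)                    # later data is shifted by the same 414
    return seen_by_server, server_ack, seen_by_client, later_segment


def random_isn_still_consistent():
    """With a truly random ISN the client still receives ISN + 1 = 579 back."""
    flow = ("10.1.1.10", 40001, "203.0.113.5", 80)
    fw = SnrTranslator()
    on_wire = fw.outbound(flow, 578, syn=True)
    return fw.inbound(flow, (on_wire + 1) % MOD)
```

Storing the offset rather than the two raw numbers is what makes the translation of every later segment a single modular addition; the `% MOD` on each step handles the 32-bit wrap that a randomly chosen ISN near the top of the range will hit.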

3.1.2.4 Cut-through Proxy

The SA security algorithm implements many of the security features of the Cisco operating system. Another algorithm that strengthens security is the Cut-through Proxy (CTP). CTP lets the ASA firewall inspect connections entering and leaving the network and authenticate them before they are allowed into the internal network. CTP is typically used when a user connects to a server that cannot perform the authentication itself. The user's connection is not authenticated by the ASA itself; instead a dedicated authentication server such as the Cisco Secure Access Control Server (CSACS) can be used. Cisco supports both authentication protocols, TACACS+ and RADIUS. CTP can authenticate the following kinds of connection:
+ FTP
+ HTTP and HTTPS
+ Telnet
When the ASA firewall is configured for CTP, it first authenticates connections before letting them through the firewall. The figure below describes step by step how CTP works.

Figure 3.4 CTP steps (diagram not preserved)

- User Pong initiates a connection to the FTP server at IP address 200.200.200.2.
- The ASA firewall inspects this connection and checks whether there is an entry for it in the conn table. If an entry exists, the ASA allows the connection; but in this case the user must be authenticated first.
- If the ASA finds no entry matching the connection in the conn table, it asks user Pong for a username and password and forwards this information to the authentication server.
- The authentication server checks the user table it is configured with and compares. Depending on whether access is allowed or refused, the server sends an Allow or Deny packet to the ASA:
+ If the ASA receives Allow, it adds the user's connection information to the conn table and allows the connection.
+ If the ASA receives Deny, it drops the connection or asks for the username/password again.
Once the user is authenticated, all of the user's traffic is handled by the ASA at layers 3 and 4 of the OSI model. The difference from a traditional application proxy is that the proxy handles all traffic at layer 7 of the OSI model, whereas with CTP the authentication is handled at layer 7 but the data traffic is handled at layers 3 and 4 in most cases.

3.1.2.4 Policy Implementation

The security algorithm is responsible for implementing and enforcing the security policy. It also uses an inheritance model that lets you implement several different security levels. To achieve this, each interface on the ASA must be assigned a value from 0 to 100, where 0 is the least secure and 100 the most secure level. The security algorithm uses these security levels to enforce the default security policy. For example, the interface connected to the Internet has the lowest security level and the interface connected to the LAN has the highest. The four rules for all traffic passing through the ASA are:
+ By default, traffic from an interface with a higher security level to one with a lower security level is allowed.
+ By default, traffic from an interface with a lower security level to one with a higher security level is denied.
+ By default, traffic from one interface to another interface with the same security level is denied.

+ By default, traffic entering and leaving the same interface is denied.
The following example shows which traffic is allowed and which is not. In this example a user on the local network initiating a connection to a web server on the Internet is allowed through the ASA, so the security algorithm adds the connection to the conn table. When the web server returns the web page from the Internet, it is allowed. Once the user closes the connection, the connection information is removed from the conn table. If a user on the Internet tries to reach a web server on the local network, the security algorithm on the ASA automatically blocks the connection. These rules are the defaults; exceptions to them can be created on the ASA, usually of two kinds:
+ Allowing access based on an account
+ Access based on a filtering condition

Figure 3.5 The Policy Implementation algorithm (diagram not preserved)

Another example: when a user on the Internet tries to access an FTP server on the local network, it is denied by default. You can use two methods to open the connection through the firewall:
+ Implement CTP to allow the connection
+ Use an ACL to open the connection temporarily
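The default security-level rules, the conn table behaviour and the two exception mechanisms named in the last two sections (an ACL entry and cut-through-proxy authentication), modelled in one added Python example. It is not Cisco's code: the interface names and levels, the addresses, the user list and the simplified semantics in which a CTP entry admits a flow once the authentication server answers Allow are assumptions made for the example.

```python
"""Added example (not Cisco's code): a model of the ASA's default security-level
rules plus the two exception mechanisms named above (an ACL entry and cut-through
proxy authentication) on top of a conn table. Interface names and levels,
addresses, the user list and the simplified CTP semantics are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class AuthServer:
    """Stand-in for the TACACS+/RADIUS server (e.g. CSACS) that answers Allow or Deny."""

    def __init__(self, users):
        self.users = users                           # username -> password (constructed)

    def check(self, username, password):
        return "Allow" if self.users.get(username) == password else "Deny"


class Asa:
    def __init__(self, levels, auth_server):
        self.levels = levels                         # interface name -> security level 0..100
        self.auth = auth_server
        self.conn_table = set()                      # (src, sport, dst, dport, proto) of permitted connections
        self.acl = set()                             # (ingress, dst, proto, dport): filter-based exception
        self.ctp = set()                             # (ingress, dst, proto, dport): account-based exception

    def default_action(self, ingress, egress):
        """The four default rules: higher -> lower is permitted, everything else is denied."""
        if ingress == egress or self.levels[ingress] <= self.levels[egress]:
            return "deny"
        return "permit"

    def process(self, pkt, ingress, egress, credentials=None):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.conn_table or rev in self.conn_table:
            return "permit"                          # belongs to a connection already in the conn table
        if self.default_action(ingress, egress) == "permit":
            self.conn_table.add(fwd)
            return "permit"
        service = (ingress, pkt.dst, pkt.proto, pkt.dport)
        if service in self.acl:                      # ACL opens the service without authentication
            self.conn_table.add(fwd)
            return "permit"
        if service in self.ctp:                      # CTP: ask the auth server before admitting the flow
            if credentials is None:
                return "authenticate"                # the ASA prompts for username/password
            if self.auth.check(*credentials) == "Allow":
                self.conn_table.add(fwd)
                return "permit"
            return "deny"
        return "deny"

    def close(self, pkt):
        """Connection torn down: its entry leaves the conn table."""
        self.conn_table.discard((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))


def walk_through():
    """Runs the scenarios of the text and returns {scenario: decision}."""
    asa = Asa({"outside": 0, "dmz": 50, "inside": 100}, AuthServer({"pong": "s3cret"}))
    asa.acl.add(("outside", "10.1.1.80", "tcp", 80))     # web server opened by a filter-based exception
    asa.ctp.add(("outside", "10.1.1.21", "tcp", 21))     # FTP server opened by an account-based exception
    web_out = Packet("10.1.1.10", "203.0.113.5", "tcp", 40000, 80)
    web_reply = Packet("203.0.113.5", "10.1.1.10", "tcp", 80, 40000)
    ftp_in = Packet("198.51.100.7", "10.1.1.21", "tcp", 5557, 21)
    r = {}
    r["inside to outside"] = asa.process(web_out, "inside", "outside")
    r["reply to that connection"] = asa.process(web_reply, "outside", "inside")
    asa.close(web_out)
    r["reply after the connection closed"] = asa.process(web_reply, "outside", "inside")
    r["dmz to inside"] = asa.process(Packet("10.2.2.5", "10.1.1.10", "tcp", 3333, 445), "dmz", "inside")
    r["same interface"] = asa.process(Packet("10.1.1.10", "10.1.1.11", "tcp", 1, 2), "inside", "inside")
    r["outside to inside, no exception"] = asa.process(
        Packet("198.51.100.7", "10.1.1.10", "tcp", 5555, 22), "outside", "inside")
    r["acl exception"] = asa.process(
        Packet("198.51.100.7", "10.1.1.80", "tcp", 5556, 80), "outside", "inside")
    r["ctp, no credentials yet"] = asa.process(ftp_in, "outside", "inside")
    r["ctp, wrong password"] = asa.process(ftp_in, "outside", "inside", ("pong", "wrong"))
    r["ctp, valid credentials"] = asa.process(ftp_in, "outside", "inside", ("pong", "s3cret"))
    r["ftp server's reply"] = asa.process(
        Packet("10.1.1.21", "198.51.100.7", "tcp", 21, 5557), "inside", "outside")
    return r
```

The order of checks in `process` mirrors the text: an existing conn-table entry wins first, then the level-based default, and only then the exceptions; after `close` the same reply that was permitted a moment earlier is denied again, which is the behaviour the example in the section describes.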


3.2. Controlling traffic with the ASA

3.2.1 Overview of TCP/IP

Before going into the detailed configuration commands that permit traffic through the ASA, you need a solid understanding of how the common protocols TCP, UDP and ICMP work. This matters because the ASA treats these traffic types differently when it filters packets as a stateful firewall.
TCP is a connection-oriented protocol: before data is transported over the network, a few connection parameters must be negotiated to set up the connection. To carry out this negotiation, TCP goes through a three-way handshake:
+ In the first step of the three-way handshake, the source sends a TCP SYN, indicating that it wants to open a connection.
+ When the destination receives the packet carrying the SYN, it acknowledges it with a SYN together with an ACK. This response is usually called the SYN/ACK. The ACK value tells the source that the destination received the SYN the source sent.
+ The source then sends an ACK back to the destination. This indicates that connection setup is complete.
Outbound connection requests
While a connection is being set up, data flows in both directions through the ASA firewall. Assume that a user inside the local network initiates a TCP connection to a server on the Internet. Because a rule has been configured for TCP connection setup, it is very easy for the ASA firewall to understand what is happening during the handshake. In other words, it is easy for the ASA to inspect this traffic. As said earlier, a stateful firewall keeps the full state of each connection.
In this example, the ASA firewall receives the packet carrying the SYN and recognizes it as a connection request from inside the local network. Because it is a stateful firewall, the ASA adds this connection to the conn table, so the SYN/ACK packet sent back from outside is permitted into the local network and the user on the local network can complete the connection with the final ACK. The ASA then permits traffic back and forth between the two hosts.
When a TCP connection is torn down, the teardown packets pass through the firewall and the firewall recognizes the new state of the connection. Recognition is based on FIN and FIN/ACK, or on RST. The firewall then removes the connection object from the conn table. That is why, once an object has been removed from the conn table, the outside device can no longer connect into our LAN: all such traffic is dropped by default.
Inbound connection requests
Because the ASA firewall operates as a stateful firewall, all connections from the outside into the internal network are denied by default. To permit such connections, you must create a rule that permits the TCP traffic you want.
There is a problem with TCP, however: the parameters of the three-way handshake are predictable, which often helps an attacker get into our internal network. As an example, an attacker sends a large number of TCP SYNs at once to a computer in the internal network, faking TCP connection setups. The attacker's goal is not to complete the three-way handshake but to keep sending SYNs in order to exhaust the resources of the computer on the local network.

3.2.2 Overview of UDP

UDP (User Datagram Protocol) is a connectionless protocol. Unlike TCP, it has no defined connection state. This means there is no three-way handshake as in TCP; instead, a device simply sends a UDP packet whenever it wants to communicate with another device. There is therefore no layer-4 session setup in the OSI model and no transport-layer acknowledgement that marks the end of the exchange. UDP itself also has no flow control between the two devices. Because of these limitations, UDP is usually used to send very small amounts of information between two devices.
A typical example for understanding UDP is the DNS protocol. DNS is used when a device needs to resolve a hostname to an IP address. The device sends a DNS query (a UDP packet) to the DNS server, and the DNS server answers with a single reply packet. In this case UDP is more efficient than TCP, because only two packets travel back and forth.
Outbound connection requests
Let's look at another example that illustrates one of the problems the ASA firewall faces with UDP traffic. In this example, assume that a user on the LAN connects to a TFTP server on the Internet. When the user initiates the TFTP connection, the firewall performs its stateful processing and adds this temporary connection to the conn table. This permits any UDP segment from the TFTP server back into the LAN.
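The security-level rules of 3.1.2.4 and the TCP and UDP connection tracking described in 3.2.1 and 3.2.2, as one added example. This is illustration code written for this text, not Cisco's or the project's own code. It assumes two interfaces, inside (level 100) and outside (level 0), constructed addresses (client 192.168.1.5, server 201.201.201.2), and a limit on half-open ("embryonic") TCP connections as the defence against the SYN flood described above; the ASA exposes such a limit as the embryonic_conn_limit parameter of the nat command covered later in 3.4.1.

```python
"""Toy model of the ASA behaviour described above: interface security levels,
the default permit/deny rules of 3.1.2.4, and a stateful conn table that follows
the TCP three-way handshake (with a limit on half-open, "embryonic" connections)
and creates entries for outbound UDP flows. Added illustration, not Cisco code;
all addresses are constructed samples."""
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    in_if: str      # interface the packet arrives on
    out_if: str     # interface it would leave on
    proto: str      # "tcp" or "udp"
    src: tuple      # (ip, port)
    dst: tuple      # (ip, port)
    flags: int = 0  # TCP flags; ignored for UDP


class StatefulFirewall:
    def __init__(self, levels, embryonic_limit=2):
        self.levels = levels                    # e.g. {"inside": 100, "outside": 0}
        self.embryonic_limit = embryonic_limit  # assumed limit, cf. embryonic_conn_limit
        self.conns = {}                         # (proto, src, dst) -> state

    def default_permit(self, in_if, out_if):
        # Rules 1-4 of 3.1.2.4 reduce to: a new flow is allowed only from a
        # strictly higher to a strictly lower security level. Same level and
        # same interface (equal levels) are denied; lower-to-higher is denied.
        return self.levels[in_if] > self.levels[out_if]

    def _lookup(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.dst)
        rev = (pkt.proto, pkt.dst, pkt.src)
        if fwd in self.conns:
            return fwd, "forward"
        if rev in self.conns:
            return rev, "return"
        return None, None

    def embryonic_count(self):
        return sum(1 for state in self.conns.values() if state == "embryonic")

    def process(self, pkt):
        key, direction = self._lookup(pkt)
        if key is None:
            # Unknown flow: only the default policy decides.
            if not self.default_permit(pkt.in_if, pkt.out_if):
                return "DROP: lower to higher security level"
            new_key = (pkt.proto, pkt.src, pkt.dst)
            if pkt.proto == "udp":
                self.conns[new_key] = "established"   # temporary entry, see 3.2.2
                return "PERMIT: udp entry added"
            if pkt.flags & SYN and not pkt.flags & ACK:
                if self.embryonic_count() >= self.embryonic_limit:
                    return "DROP: embryonic connection limit reached"
                self.conns[new_key] = "embryonic"
                return "PERMIT: syn, embryonic entry added"
            return "DROP: tcp packet without syn for unknown flow"
        state = self.conns[key]
        if pkt.proto == "tcp":
            if pkt.flags & RST:
                del self.conns[key]
                return "PERMIT: rst, entry removed"
            if pkt.flags & FIN:
                if state == "closing":              # second FIN: teardown done
                    del self.conns[key]
                    return "PERMIT: connection closed, entry removed"
                self.conns[key] = "closing"
                return "PERMIT: fin seen, closing"
            if state == "embryonic" and direction == "return" and pkt.flags & SYN:
                self.conns[key] = "syn-ack"
                return "PERMIT: syn/ack"
            if state == "syn-ack" and direction == "forward" and pkt.flags & ACK:
                self.conns[key] = "established"
                return "PERMIT: handshake complete"
        return "PERMIT: existing connection"
```

The return traffic of a flow is recognised by looking the reversed 5-tuple up in the conn table, which is what lets the SYN/ACK from the outside server in even though a new flow from outside would be denied. The embryonic counter is global here; on a real ASA the limit is per nat statement.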


The problem here is that once the user has finished the TFTP file transfer, the firewall does not know that the connection is over. You would not want to keep this temporary connection in the conn table after the file transfer has completed. To solve this, the firewall has one remedy: it enforces an idle timeout on the UDP connection. Once the firewall sees that no traffic has been sent for a certain idle period, it removes the connection from the conn table. For UDP, the default idle timeout is 2 minutes, but you can change it.
Using a timeout is not an entirely smart solution, because a legitimate idle period can occur while the UDP device is busy with another file transfer and will resume this connection right afterwards. In that case the firewall may remove the temporary connection from the conn table; when the outside device resumes the transfer, the firewall denies the traffic, because the connection has timed out and no longer exists in the conn table.
Note that some UDP applications, such as DNS, have simpler connections than TFTP. In the DNS example, the user sends a DNS query and there is one and only one reply packet from the DNS server. In this situation the firewall can recognize this and remove the connection from the conn table as soon as the DNS reply enters the LAN.
Inbound connection requests
As said before, because the ASA firewall works as a stateful firewall, it does not allow traffic into our LAN when the source of the traffic is on the Internet. You must explicitly configure permission for such UDP traffic. Because UDP is connectionless, handling these inbound connection requests creates many security problems.
When a UDP connection ends, the firewall does not detect it and keeps the connection's information in the conn table. An attacker can exploit this by spoofing the source IP address, and the firewall will not detect the intrusion.
Because UDP uses no connection setup, once a data flow has begun it is hard to tell the difference between the start of a connection, an ongoing connection and the end of a connection. An attacker can therefore keep an attack session alive.

3.2.3 Overview of ICMP

ICMP (Internet Control Message Protocol) is a connectionless protocol, meaning that it has no defined connection state.


ICMP is used for many purposes, including connectivity testing, reporting connection conditions and carrying configuration information. ICMP has several characteristics very similar to UDP: it is connectionless and has no flow control. That is why the firewall has the same problems with it as with UDP.
By default, the firewall does not add ICMP packets to the conn table. So you must either use an ACL to permit the ICMP echo traffic or enable ICMP inspection on the firewall. Once ICMP inspection is enabled, when an ICMP packet is sent out it carries a sequence number in the ICMP header, and this connection information is placed in the conn table. The firewall checks that the returning ICMP echo packet carries that sequence number, that is, that it belongs to an existing connection. The ICMP echo packet is then permitted back into the internal LAN.
Other protocols
All other protocols and the connections associated with them are not inspected by the firewall. In other words, the firewall never adds these connections to the conn table.
Application and protocol problems
There are three main problems a stateful firewall has to deal with:
- Applications with multiple connections
- Applications and protocols that carry address and connection information in the application payload
- Applications and protocols with security problems
Applications with multiple connections
One problem for a firewall is handling applications that use more than one connection, such as FTP, voice, database connections and so on. Some form of protocol and application inspection is needed to raise the level of security through the firewall. Let's look at the following example, which illustrates the problem and provides a solution.


Figure 3.6 Application with multiple connections

In this network, the client is initiating an FTP connection. With this type of connection, the client opens a TCP control connection to port 21 on the FTP server. Whenever the user sends an FTP command such as get or put over this connection, the client also sends the port on the client that the FTP server should use. The FTP server then opens a second connection, usually called the data connection, with source port 20 and destination port the one the client sent earlier. So in this example the client opens a control connection to the server, and the server opens a data connection to the client.

From the ASA firewall's point of view, the user is connected to the interface with the higher security level, called Inside, and the server on the Internet is connected to the interface with the lower security level, called Outside. The second connection (port 20 for the data transfer) is therefore denied by default, because it comes from the lower security level to the higher one.
The solution is to configure the ASA firewall so that it inspects the application payload of the FTP control connection to determine whether the mode is active or standard, which commands are being executed, and which port the client wants to use for the data transfer. That is how the ASA firewall can add this connection to the conn table even before the second connection is initiated.
Address information embedded in the application
Some applications embed address information in the payload of the connection, expecting the destination device to use that information for secondary connections. This address information, however, may already be in the firewall's NAT table.


Figure 3.7 Address information embedded in the application

In this example we use active-mode FTP to illustrate the problem. For the data connection that must be opened, the client wants to use local port 51001. A connection with this port, however, already exists in the firewall's NAT table. If the firewall does not handle this, the traffic may be NATed incorrectly and sent to another device on the network rather than the host that initiated and requested the connection.
A good firewall should replace the address information in the payload with something else and should create another entry in the NAT table for this connection. The Cisco ASA product supports many such protocols and applications. The ASA firewall translates the port for the data connection to 60000 and adds this connection to the NAT table. The firewall also updates the payload of the FTP control connection with port 60000. So when the server receives the request on the control connection, it uses port 60000 for the data transfer back to the client, and the firewall translates it back to 51001.

3.3 Overview of NAT

One of the many problems you will have to deal with in your network is assigning IP addresses to all network devices. Because public IPv4 addresses are exhausted, in many cases you have to use private addresses for the devices on the LAN.

3.3.1 Private addresses

To solve the problem of IP address exhaustion and meet the growing need of companies to connect to the Internet, the IETF developed RFC 1918.


Figure 3.8 Private addresses
As you can see from the address table, you should have enough private addresses to meet a company's needs. Every device on the network is assigned a unique IP address. RFC 1918 specifies, however, that a packet containing a private address, either as source or as destination, must not be forwarded on public networks.
Imagine two companies, company A and company B, both using the private range 10.0.0.0/8 for the devices inside their LANs. Clearly this creates a lot of problems, because the two companies have overlapping addresses. In this case the overlapping subnets prevent the network devices from communicating with each other. For example, both companies use 10.1.1.0/24, as shown below.

For connections inside a company there is no problem, but if these two subnets need to connect to each other, it is impossible. The border router between the two networks cannot link them together.

3.3.2 The need for NAT

To solve the address overlap problem, as well as the problem of using private IP addresses while reaching public networks, the IETF developed RFC 1631. RFC 1631 defines how NAT is performed. It lets you translate the private address in the IP packet header to another IP address. Below are some common cases in which you may need to deploy NAT:
- You need to merge two networks together.

- Your ISP assigns you a limited number of public IP addresses and you need to give many devices access to the Internet.

- You were given a public IP address space, and when you move to another service provider, the new provider does not offer the public IP addresses you are currently using.
- You have a network service on a device and you need to publish it on the Internet so that anyone can reach it.

3.3.3 Benefits of NAT

One of the main benefits of NAT is the freedom to use the large private address space of more than 17 million addresses. This consists of one class A network, 16 class B networks and 256 class C networks. When you use private IP addresses, even if you change service providers you do not need to re-address the devices on the LAN; you only change the NAT configuration on the firewall to match the new public IP addresses.
Because all traffic must pass through the firewall to reach the devices with private IP addresses, you can control the following:
- Which sources on the Internet may reach our Inside network
- Which users on the Inside network may reach the Internet

3.3.4 NAT terminology and definitions

The device performing NAT can take many forms. It can be a firewall, a router, a proxy gateway or even a file server. Cisco routers running IOS 11.2 and firewalls are capable of NAT. To better understand the commands used on the firewall to configure NAT, you need to understand a few terms commonly used with NAT:

- Inside: the addresses being translated, usually private IP addresses of devices inside the LAN or public addresses bought from the ISP
- Outside: the addresses allocated on the Internet
- Inside Local: the private addresses assigned to hosts inside the LAN
- Inside Global: the public addresses assigned to inside hosts; usually this is the pool of addresses allocated by the ISP
- Outside Global: the addresses assigned to outside devices


3.3.5 Some typical NAT examples

There are different kinds of NAT that the firewall can perform. In this section you will see two examples: NAT and PAT.

Figure 3.8 NAT example
NAT example
As said earlier, NAT performs a one-to-one address translation. You usually use static NAT when you have a server that you want everyone on the Internet to be able to reach. For users on the local network, on the other hand, you create a pool of IP addresses and the NAT device dynamically assigns public IP addresses to the devices inside the local network. In this example a user inside the local network is accessing a resource on the Internet (the user at 192.168.1.5 is trying to reach 201.201.201.2).


Figure 3.9 NAT example (a)
In figure 3.9 you can see the actual data transfer from 192.168.1.5. The firewall receives the packet from 192.168.1.5, decides whether it needs to perform NAT, and forwards the packet to its destination. The firewall sees the packet arrive and compares it with the NAT rules. Because the packet matches a rule in the NAT policy, the firewall translates the source address in the packet from 192.168.1.5 to 200.200.200.1, a public IP address. Next you can see the destination, 201.201.201.2, receive the packet; it sees the source address as 200.200.200.1. This is transparent both to the user on the local network and to the server.


Figure 3.9 NAT example (b)
When the server sends its reply back to the user, it uses the public IP address it saw after NAT, 200.200.200.1. The firewall then receives the packet and checks its NAT policy. Having decided that it needs to translate back to the original address, it finds 200.200.200.1 and changes this public IP address back to the original private IP address 192.168.1.5, then forwards the packet to the user's address on the local network.
PAT example
With PAT, the firewall changes both the IP address and the TCP/UDP port of the packet. In this example the ISP assigns you a single public IP address and you need to use this address for all user connections out to the Internet.


Figure 3.10 PAT example (a)

In the figure above, the user at 192.168.1.5 telnets to 201.201.201.2. The firewall receives the packet, compares the packet's information with the NAT policy, and decides whether it needs to perform NAT. Since the packet matches the policy, the firewall performs NAT and changes the private address 192.168.1.5 to 200.200.200.1. In this case the source port, 1024, is not yet in use in the NAT table, so it is kept as it is and the port number is not changed. Note that the firewall adds this NAT entry to the NAT table so that it can handle the traffic returning to the local network. The server receives the packet after NAT. Once again the NAT process is transparent both to the source host and to the server.
When the server sends its packet back, it uses destination IP address 200.200.200.1 and destination port 1024. When the firewall receives the incoming packet, it decides whether NAT applies and then looks for a matching entry in the NAT table. When it finds the match, it changes the destination address from 200.200.200.1 to 192.168.1.5 and restores the port to its original value.
Another example: suppose a local host at 192.168.1.6 also telnets to 201.201.201.2 with source port 1024.


Figure 3.10 PAT example

The firewall receives the packet, and the packet matches the configured NAT policy. The firewall creates a NAT object in the NAT table for this user's connection. In this case the public IP address 200.200.200.1 is used again. Because source port 1024 already exists in the NAT table, however, the firewall assigns a different port, 1025, to this user's connection. The different source port lets the destination device recognize and distinguish the connection from 192.168.1.5 from the one from 192.168.1.6, and it also lets the firewall translate the packets returning from 201.201.201.2.
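The NAT and PAT examples of 3.3.5 and the FTP payload fixup of 3.2 (client port 51001 rewritten to 60000) share one translation table, so both are shown in a single added example below. This is illustration code written for this text, not Cisco's or the project's own code. The addresses follow the figures (inside hosts 192.168.1.5 and 192.168.1.6, global address 200.200.200.1, server 201.201.201.2); the global pool used for dynamic NAT and the FTP command strings are constructed samples, and the translated data port 60000 is chosen by the caller to mirror figure 3.7.

```python
"""Toy NAT/PAT table for the examples of 3.3.5 and the FTP payload fixup of 3.2.
Added illustration, not Cisco code. Addresses follow the figures: inside hosts
192.168.1.5 and 192.168.1.6, global address 200.200.200.1; the pool for
dynamic NAT is a constructed sample."""
import re


class PoolNat:
    """Dynamic one-to-one NAT: each inside IP borrows a free global IP (3.3.5, NAT example)."""

    def __init__(self, pool):
        self.free = list(pool)   # global addresses not yet handed out
        self.fwd, self.rev = {}, {}

    def outbound(self, inside_ip):
        if inside_ip not in self.fwd:
            if not self.free:
                return None                       # pool exhausted: packet dropped
            gip = self.free.pop(0)
            self.fwd[inside_ip], self.rev[gip] = gip, inside_ip
        return self.fwd[inside_ip]

    def inbound(self, global_ip):
        return self.rev.get(global_ip)            # None: no entry, return traffic dropped


class PatTable:
    """PAT: one global IP, connections told apart by the translated port."""

    def __init__(self, global_ip):
        self.global_ip = global_ip
        self.fwd = {}   # (proto, inside_ip, inside_port) -> global_port
        self.rev = {}   # (proto, global_port) -> (inside_ip, inside_port)

    def free_port(self, proto, wanted):
        # Keep the original source port if it is free (figure 3.10a);
        # otherwise step to the next unused one (1024 -> 1025 in the second PAT example).
        port = wanted
        while (proto, port) in self.rev:
            port += 1
        return port

    def reserve(self, proto, inside_ip, inside_port, global_port):
        self.fwd[(proto, inside_ip, inside_port)] = global_port
        self.rev[(proto, global_port)] = (inside_ip, inside_port)

    def outbound(self, proto, inside_ip, inside_port):
        key = (proto, inside_ip, inside_port)
        if key not in self.fwd:
            self.reserve(proto, inside_ip, inside_port, self.free_port(proto, inside_port))
        return self.global_ip, self.fwd[key]

    def inbound(self, proto, global_port):
        return self.rev.get((proto, global_port))   # None: no entry, packet dropped


# Active-mode FTP PORT command: "PORT h1,h2,h3,h4,p1,p2", port = p1*256 + p2.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def fixup_ftp_port(cmd, client_ip, pat, data_port=None):
    """Rewrite the address embedded in a PORT command (figure 3.7) and pre-create
    the table entry for the server's data connection. data_port lets the caller
    pick the translated port (60000 in the figure); otherwise the next free port
    is used. Returns (payload to forward, translated data port or None)."""
    m = PORT_RE.match(cmd)
    if not m:
        return cmd, None                          # not a PORT command: payload untouched
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if f"{h1}.{h2}.{h3}.{h4}" != client_ip:
        return cmd, None                          # embedded address is not the sender's
    client_port = p1 * 256 + p2
    if data_port is None or ("tcp", data_port) in pat.rev:
        data_port = pat.free_port("tcp", client_port)
    pat.reserve("tcp", client_ip, client_port, data_port)
    gip = pat.global_ip.replace(".", ",")
    return f"PORT {gip},{data_port // 256},{data_port % 256}\r\n", data_port
```

The reverse map is what makes return traffic work: a packet arriving for the global address is untranslated only if its destination port is in the table, which is also why a stale or missing entry means the reply is dropped. For the FTP case the entry for the data connection is created from the control channel's payload before the server ever opens it, so the inbound connection to the higher security level can be matched.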

3.4 Configuring NAT

This section focuses mainly on the address translation policy for traffic passing through your devices. We show how to configure dynamic NAT and PAT, how static NAT and PAT are configured, how to limit the number of TCP connections, prevent TCP SYN attacks, and verify the translation configuration. A translated address must satisfy the following requirements.
Configuration requirements
In version 6 and earlier, you always had to configure a rule in order to NAT packets. In other words, if a packet was not permitted by a NAT rule, it was denied. This rule applied to both inbound and outbound traffic. In version 7, NAT is optional and no longer required. To turn the NAT requirement on, use the following command:
Asa(config)#nat-control


Requiring address translation with the nat-control command makes the rule the same as in version 6.0: if the inbound and outbound policies cannot be matched and no valid translation exists, the packet is dropped. There is one exception to this rule: if the two interfaces involved in the exchange have the same security level, the rule does not require a translation in order to forward packets between them.

3.4.1 Configuring dynamic NAT

Configuring a dynamic translation (NAT or PAT) involves two steps:
- Identify the local addresses that will be translated
- Create the global addresses that the local addresses can be translated to
These two parts can be configured without any problem. The following sections go step by step through setting up dynamic NAT and PAT and describe several different examples of dynamic translation.
Identifying local addresses for translation

To identify a local address that may be translated, use the nat command as follows:
ciscoasa(config)# nat (logical_if_name) NAT_ID local_IP_addr subnet_mask [tcp] max_TCP_conns [embryonic_conn_limit] [udp max_UDP_conns] [dns] [norandomseq]

The nat command specifies the local addresses that will be translated; what they are translated to is specified strictly by the global command. The logical name of the interface where the devices to be translated are located appears in parentheses, for example (inside).
NAT_ID: the relationship between the nat and global commands, which together form a policy. Apart from a few exceptional cases, the number you use for the NAT_ID (the policy number) does not matter. There is one special case when using a NAT_ID: if you enter 0, you are telling the device that the addresses that follow in the nat command should not be translated. Cisco refers to this feature as identity NAT; it was introduced in version 6.2. You may want to use identity NAT if you have a mix of public and private addresses in use inside your network: for computers with public addresses you can disable NAT with the nat 0 command, specifying the address or addresses of those devices.
If you specify a network address as the local address, together with the matching subnet mask, you enter the network number and a subnet mask. You can translate all addresses (all addresses behind the inside interface) with the following command:
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
The NAT_ID must correspond to the one in the global command. Note that you can abbreviate the string 0.0.0.0 0.0.0.0 to just 0 0.
You can limit the total number of TCP connections with max_TCP_conns, and also limit half-open TCP connections with embryonic_conn_limit. Starting with version 7.0 you can also limit the maximum number of UDP connections. If you do not configure connection limits for the devices covered by the policy, the conn table supports whatever the device allows. To display your nat commands, type: show run nat.
Creating a global address range
A translation policy is always configured between a pair of interfaces, for example inside and outside, or dmz and outside. The nat command defines the local or source interface of a translation; to define the destination or exit interface that holds the global addresses, use the global command as follows:
ciscoasa(config)# global (logical_if_name) NAT_ID {first_global_IP_addr[-last_global_IP_addr] [netmask subnet_mask] | interface}
logical_if_name describes the logical name of the interface; traffic is translated and forwarded out this interface. NAT_ID is the basic parameter of the command, tying it to the nat command. Then come the global addresses that may be used.
A PAT translation can be removed from the table once there is no corresponding connection in the conn table; a NAT translation is not, and is instead governed by a timeout command (the default expiration time is 3 hours).
Using ACLs
One problem with the nat command is that by default a translation can only be controlled by the local source address of outgoing packets; you cannot control the translation by both the source and the destination address. Up to now we have only been talking about identifying local addresses for translation. To solve this, Cisco lets you tie a translation policy to an access control list (ACL). If the traffic matches a permit statement in the ACL, the corresponding policy is used. Here is the syntax of the nat command with an ACL:
ciscoasa(config)# nat [(logical_if_name)] NAT_ID access-list ACL_ID [tcp] max_TCP_conns [embryonic_conn_limit] [udp max_UDP_conns] [dns] [norandomseq]
Below are two examples using ACLs.
Address translation example
Now that you understand the syntax of the global and nat commands, let's get a better grasp of the address translation policy on the devices through the following simple example. In figure 3.11, the device NATs any internal device with an address in 192.168.3.0/24 or 192.168.4.0/24. The NAT policy configuration for this example is as follows:
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa(config)# global (outside) 1 200.200.200.10-200.200.200.254 netmask 255.255.255.0
In this example, address translation is required by the nat-control command. All devices behind the inside interface have their source address translated to an address in 200.200.200.0 when they leave through the outside interface. The address is chosen and registered automatically by the device.


Figure 3.11 Simple NAT configuration example
Simple PAT configuration example

Figure 3.12 Simple PAT configuration example
We use the network shown in the figure above to illustrate this example. The configuration commands are as follows:
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
This is a PAT example in which the device uses the address of its outside interface for PAT. That address may be static, or it may be obtained automatically through DHCP or PPPoE. In this example the device connects directly to the ISP and obtains the address of its outside interface automatically.


NAT and PAT configuration example
To illustrate the use of both a NAT and a PAT policy on one device, we use the following commands:
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 192.168.3.0 255.255.255.0
ciscoasa(config)# global (outside) 1 200.200.200.1-200.200.200.125 netmask 255.255.255.128
ciscoasa(config)# nat (inside) 2 192.168.4.0 255.255.255.0
ciscoasa(config)# global (outside) 2 200.200.200.126 netmask 255.255.255.255
In this example the inside devices use NAT and PAT together:
1. 192.168.3.0/24 is translated to 200.200.200.1-125 (using NAT)
2. 192.168.4.0/24 is translated to 200.200.200.126 (using PAT)

Figure 3.13 PAT and NAT configuration example
PAT example with two global addresses
This illustrates the use of two global addresses on one device. Here we take the network of figure 3.11 and configure it as follows:
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa(config)# global (outside) 1 200.200.200.1 netmask 255.255.255.255
ciscoasa(config)# global (outside) 1 200.200.200.2 netmask 255.255.255.255
This configuration performs PAT on all inside-to-outside connections using the two addresses given in the global commands.
PAT and identity NAT
This example uses PAT and identity NAT on one device, with the network of figure 3.13. PAT is performed for 192.168.3.0/24, but no address translation is performed for 200.200.200.128/25, so those devices are reachable with their public IP addresses. The configuration is as follows:
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 0 200.200.200.128 255.255.255.128
ciscoasa(config)# nat (inside) 1 192.168.3.0 255.255.255.0 50 25
ciscoasa(config)# global (outside) 1 200.200.200.1 netmask 255.255.255.255

Figure 3.14 PAT and identity NAT configuration example
In the example above, PAT is applied when addresses from inside 192.168.3.0/24 go out through the outside interface, while the 200.200.200.128/25 range is left untranslated. Next is a NAT example with 3 interfaces; with more devices the configuration proceeds in the same way. To see the added complexity, consider the following example:


Figure 3.15 NAT configuration example with 3 interfaces
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa(config)# nat (dmz) 1 192.168.5.0 255.255.255.0
ciscoasa(config)# global (outside) 1 200.200.200.10-200.200.200.254 netmask 255.255.255.0
ciscoasa(config)# global (dmz) 1 192.168.5.10-192.168.5.254 netmask 255.255.255.0
In
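The nat/global pairing rules of 3.4.1 (nat-control, identity NAT with nat 0, NAT_ID matching between nat and global, pool versus single address) applied to the configurations in the examples above, as an added example. This is illustration code written for this text, not Cisco's or the project's own code. It models only dynamic NAT/PAT for a new outbound flow; static NAT, the ACL form of nat, and pool exhaustion are not modelled. The interface security levels (inside 100, dmz 50, outside 0) and the rule that the most specific nat statement wins are assumptions of the model, and the sample source addresses are constructed.

```python
"""Resolver for the dynamic nat/global policy model of 3.4.1, using the
examples of this section (ASA 7.x syntax with nat-control). Added
illustration, not Cisco code: it models nat-control, identity NAT (nat 0)
and NAT_ID pairing between nat and global for a new outbound flow; static
NAT, policy NAT with ACLs and address exhaustion are not modelled, and the
interface security levels are assumed values."""
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    if_name: str
    nat_id: int
    network: ipaddress.IPv4Network
    max_tcp: int = 0        # 0 = unlimited, as on the ASA
    embryonic: int = 0


@dataclass
class GlobalRule:
    if_name: str
    nat_id: int
    pool: str               # "a.b.c.d", "a.b.c.d-w.x.y.z" or "interface"


class TranslationPolicy:
    def __init__(self, levels, nat_control=False):
        self.levels = levels            # assumed, e.g. {"inside": 100, "dmz": 50, "outside": 0}
        self.nat_control = nat_control  # whether the nat-control command is present
        self.nats, self.globals = [], []

    def nat(self, if_name, nat_id, ip, mask, max_tcp=0, embryonic=0):
        net = ipaddress.IPv4Network((ip, mask))   # "0.0.0.0", "0.0.0.0" -> 0.0.0.0/0
        self.nats.append(NatRule(if_name, nat_id, net, max_tcp, embryonic))

    def global_(self, if_name, nat_id, pool):
        self.globals.append(GlobalRule(if_name, nat_id, pool))

    def _no_translation(self, src_if, dst_if, reason):
        # With nat-control a flow without a translation is dropped, except
        # between interfaces of equal security level (the exception noted in 3.4).
        if self.nat_control and self.levels[src_if] != self.levels[dst_if]:
            return {"action": "drop", "reason": reason}
        return {"action": "forward", "translation": "none"}

    def resolve(self, src_if, dst_if, src_ip):
        """Describe what happens to a new flow from src_ip entering on src_if."""
        addr = ipaddress.IPv4Address(src_ip)
        candidates = [r for r in self.nats if r.if_name == src_if and addr in r.network]
        if not candidates:
            return self._no_translation(src_if, dst_if, "nat-control: no nat statement matches")
        # Assumption of this model: the most specific nat statement wins, so
        # "nat (inside) 0 200.200.200.128 255.255.255.128" beats "nat (inside) 1 0 0".
        rule = max(candidates, key=lambda r: r.network.prefixlen)
        if rule.nat_id == 0:
            return {"action": "forward", "translation": "identity"}
        pools = [g.pool for g in self.globals if g.if_name == dst_if and g.nat_id == rule.nat_id]
        if not pools:
            return self._no_translation(src_if, dst_if, f"no global for NAT_ID {rule.nat_id} on {dst_if}")
        # A range is a dynamic NAT pool; a single address or "interface" means PAT.
        kind = "nat" if "-" in pools[0] else "pat"
        return {"action": "forward", "translation": kind, "pools": pools,
                "max_tcp": rule.max_tcp, "embryonic_limit": rule.embryonic}
```

Running the 3-interface configuration of figure 3.15 through the resolver shows why the same NAT_ID appears on two global commands: a flow from inside is translated into the outside pool or the dmz pool depending on the exit interface, whereas a flow from the dmz toward inside finds no global for NAT_ID 1 on the inside interface and is dropped under nat-control.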