Building an iptables firewall system

Upload: daovanhiep

Post on 04-Apr-2018


7/31/2019 Xay Dung He Thong Tuong Lua IP Table (Building an iptables firewall system), page 1/65

TABLE OF CONTENTS

TABLE OF CONTENTS ... 1
ACKNOWLEDGEMENTS ... 4
INTRODUCTION ... 5
Chapter 1: COMPUTER NETWORK SECURITY ISSUES ... 7
1.1. Overview of computer network security ... 7
1.1.1. Where do security threats come from? ... 7
1.1.2. Basic security solutions ... 8
1.2. System and network security ... 10
1.2.1. General issues in system and network security ... 10
1.2.2. Some concepts and history of system security ... 11
1.2.3. Types of security vulnerabilities and main network attack methods ... 12
1.3. Security for LANs ... 16
1.3.1. Virtual Private Network (VPN) ... 16
1.3.2. Firewall ... 17
Chapter 2: OVERVIEW OF FIREWALLS ... 18
2.1. Introduction to firewalls ... 18
2.1.1. The firewall concept ... 18
2.1.2. Basic functions of a firewall ... 18
2.1.3. Firewall classification ... 19
2.1.4. Some other firewall systems ... 22
2.2. Strategies for building a firewall ... 27
2.2.1. Least Privilege ... 27
2.2.2. Defense in Depth ... 27
2.2.3. Choke Point ... 27
2.2.4. Weakest Link ... 27
2.2.5. Fail-Safe Stance ... 28
2.2.6. Universal Participation ... 28
2.2.7. Diversity of Defense ... 28
2.2.8. Simplicity ... 29
2.3. How to build a firewall ... 29
2.3.1. Building the basic rules (Rule Base) ... 29
2.3.2. Building the Security Policy ... 29
2.3.3. Building a secure architecture ... 30
2.3.4. Order of the rules in the table (Sequence of the Rule Base) ... 31
2.3.5. Basic rules (Rule Base) ... 31
2.4. Packet filtering and how it works ... 32
2.4.1. Packet filtering ... 33
2.4.2. Application Gateway ... 33
2.4.3. Smart Session Filtering ... 34
2.4.4. Hybrid Firewall ... 35
2.5. Conclusion ... 35
Chapter 3: IPTABLES IN THE LINUX OPERATING SYSTEM ... 36
3.1. The iptables firewall on Red Hat ... 36
3.1.1. Introduction to iptables ... 37
3.1.2. Packet traversal through Netfilter ... 40
3.1.3. Structure of iptables ... 40
3.1.4. Installing iptables ... 41
3.2. Common command-line parameters ... 41
3.2.1. Getting help ... 41
3.2.2. Options for specifying parameters ... 41
3.2.3. Options for working with chains ... 42
3.2.4. Options for working with rules ... 42
3.2.5. Distinguishing ACCEPT, DROP and REJECT ... 42
3.2.6. Distinguishing NEW, ESTABLISHED and RELATED ... 43
3.2.7. The --limit and --limit-burst options ... 43
3.3. Introduction to the NAT table (Network Address Translation) ... 44
3.3.1. Basic NAT concepts ... 44
3.3.2. Dynamic NAT ... 45
3.3.3. IP masquerading ... 46
3.3.4. Some examples of NAT ... 46
Chapter 4: SETTING UP A FIREWALL TO PROTECT AN INTERNAL NETWORK WITH IPTABLES ON LINUX ... 49
4.1. How a firewall with a DMZ works ... 49
4.2. Configuration file structure and configuration ... 50
4.2.1. Configuring the options ... 50
4.2.2. Loading the required kernel modules ... 51
4.2.3. Required settings in the proc file system ... 51
4.2.4. Installing the rules ... 51
4.3. Configuring internal hosts to reach the external network ... 56
4.4. Testing the firewall ... 56
4.5. Building remote-administration software for the iptables firewall ... 59
4.5.1. Problem description ... 59
4.5.2. Some program screens ... 59
4.5.3. Evaluation of the software ... 62
CONCLUSION ... 64
REFERENCES ... 65

Understanding LAN security issues

ACKNOWLEDGEMENTS

First of all I would like to sincerely thank Prof. Dr. Tran Huu Nghi, rector of the university, who played a major part in founding Hai Phong Private University (DHDL Hai Phong). I also extend my deep thanks to the teachers of the Informatics Department of DHDL Hai Phong, who taught me devotedly and gave me valuable knowledge throughout the past four years.

In particular I sincerely thank Dr. Pham Hong Thai and BSc. Luong Viet Nguyen of the University of Technology, who gave much of their valuable time and effort to guide me and created every favourable condition for me to complete this thesis. Finally I thank my family, friends and relatives, who were always at my side to encourage and help me.

Because my knowledge and experience are still limited, this thesis has many shortcomings; I look forward to the criticism, assessment and suggestions of the teachers and of my friends.

Sincere thanks!

Hai Phong, August 2007.

Student

Nguyen Thi Thuy

Student ID: 10419 - Nguyen Thi Thuy, CT 701, page 4

INTRODUCTION

The need to exchange information forces agencies and organisations to join the global Internet. Information safety and security is one of the foremost concerns when the internal networks of agencies, enterprises and organisations are connected to the Internet. Today, information security measures for personal computers as well as for internal networks have been researched and deployed. Nevertheless, networks are still attacked regularly and organisations still have information stolen, with extremely serious consequences.

These attacks target every computer present on the Internet: the computers of large companies such as AT&T and IBM, universities and government agencies, military organisations, banks. Some attacks have been enormous in scale (up to 100,000 computers attacked). Moreover, these figures are only the tip of the iceberg. A very large share of attacks are never reported, for many reasons, among them fear of losing reputation, or simply that the administrators have no idea attacks were aimed at their systems.

Not only is the number of attacks rising rapidly; attack methods are also constantly being refined, partly because system administrators are increasingly vigilant. Connecting an organisation's internal network to the Internet without security measures is therefore regarded as suicide.

Development needs require agencies and organisations to join the global network, the Internet, while still ensuring information security during the connection. For that reason I chose the topic: researching a solution for protecting an internal network, in order to control the flow of information in and out and to protect internal networks from attack from the Internet. This thesis presents in outline the concepts of networks and firewalls, how to protect a network with a firewall, and how to build a firewall. It then uses iptables in the Linux operating system to set up a firewall protecting internal networks.

The main content consists of four chapters:

Chapter 1: Security in computer networks. An overview of computer network security, the threats, and the problems of securing a network system.

Chapter 2: Overview of firewalls. The firewall concept, firewall functions, firewall classification and firewall architectures. It sets out the policies for building a firewall, from which we derive how to build firewalls that protect a network.

Chapter 3: iptables in the Linux operating system. A study of iptables and the common command-line parameters.

Chapter 4: Setting up a firewall to protect an internal network with iptables on Linux. Building on the study of iptables in Chapter 3, a firewall protecting internal networks is set up with iptables on Linux.

Chapter 1:

COMPUTER NETWORK SECURITY ISSUES

1.1. Overview of computer network security

1.1.1. Where do security threats come from?

In society, good and evil always exist side by side like two inseparable faces, each negating the other. For all the people who strive for what is good, there are no fewer who, for one purpose or another, give rise to evil and overwhelm the good. This tug of war between good and evil is a constant, pressing problem of society: evil must be eliminated, yet evil keeps arising over time. Computer networks are the same. Some people spend enormous effort researching measures to protect their organisation's security, while others look for every way, at many different levels, to break through that protective layer.

The purpose of the well-meaning person is clear: to create the ability to protect the organisation's security. The purposes of the malicious, by contrast, come from many angles and at many levels. Some want to break through the security layer to prove their ability and satisfy a selfish hobby. Such people usually harm others by destroying resources on the network, violating their privacy or defaming them. More dangerously, some want to seize other people's assets, by stealing companies' confidential information, breaking into banks to steal money, and so on. In practice, almost every organisation and company on the global network holds a large amount of information that is reachable online. Within it are secrets: trade secrets, product development plans, marketing strategies, financial analyses, personnel records, private data... This information is extremely important, and leaking it to competitors has very serious consequences.

However, attackers cannot achieve their goal whenever they like. They need time, and they need gaps and weaknesses in the very systems meant to protect network security. To exploit them they also need intelligence together with a long chain of experience. Consequently, building security measures requires that the builder be no less intelligent and experienced in practice. Both the positive and the negative side are thus carried out by the human brain and hand; no machine can replace them. Computer network security is therefore entirely a human matter.

At first, destructive pranks were merely games of intelligent people, not aimed at profit or malice. However, once computer networks became widespread, connecting many organisations, companies and individuals holding much confidential information, those pranks increased without pause. They caused serious consequences and became a form of crime. According to statistics from CERT (Computer Emergency Response Team), the number of attacks on the Internet reported to that organisation was fewer than 200 in 1989, about 400 in 1991, 1,400 in 1993 and 2,241 in 1994. These attacks targeted every kind of computer on the Internet, from the computers of large companies such as AT&T and IBM to universities, government agencies, banks... These figures are in fact only the tip of the iceberg. A large share of attacks go unreported for various reasons, such as fear of losing reputation, or simply because the victims do not know they were attacked.

In reality, threats come not only from outside the organisation; the threat from inside is just as serious. Threats from inside occur more often than threats from outside, and the main cause is employees who hold access rights to the system. Because they have access, they can find the system's weak points, or they may unintentionally damage it or create an opportunity for others to intrude. More dangerous still, once such an employee is disgruntled or turns traitor, the consequences cannot be foreseen.

In short, computer network security is entirely a human problem and one that keeps growing; the threat can come from outside or from inside the organisation. It has become a major concern for any party taking part in the global network. Therefore, to exchange information safely and secure their networks, organisations are forced to deploy protective measures, first of all for themselves.

1.1.2. Basic security solutions

As seen above, computer network security can be threatened from many angles and for many different reasons. The threat may originate outside the internal network or from inside the organisation itself. Securing a computer network therefore needs many different concrete solutions. In the most general terms, however, there are three basic kinds of solution:

Hardware solutions.

Software solutions.

Human (policy) solutions.

These are the three most general solutions that any security administrator must take into account when securing a computer network. Each has its own advantages and disadvantages, which the administrator must analyse, combine and choose between to provide the best possible security for the organisation.

A hardware solution uses physical devices such as dedicated machines, or arrangements in the network model (dedicated links, private networks)... A hardware solution usually comes with a corresponding controlling software system. It is not a widespread solution, because it is inflexible in keeping up with newly appearing services, and because its cost is very high.

Unlike hardware solutions, software solutions are extremely diverse. A software solution may or may not depend on hardware. Concrete software solutions include authentication methods, encryption methods, virtual private networks, firewall systems... Authentication and encryption methods protect information transmitted over the network: the real information on the link is encrypted into a form that eavesdroppers cannot read, and if the information is modified in transit, the receiver has a mechanism to detect the modification. A firewall system provides security from a different angle. By setting rules at a special point (usually called the choke point) between the internal network (the network to be protected) and the external network (regarded as insecure, namely the Internet), the firewall can fully control the connections that exchange information between the two networks. In this way the firewall provides fairly good security for the protected network. Since software solutions consist almost entirely of computer programs, their cost is lower than that of hardware solutions.

Besides these two, the human-policy solution is fundamental and indispensable. As shown above, computer network security is entirely a human problem, so a legal framework and concrete working rules are necessary. The legal framework may include provisions of national law and sub-law documents... The concrete rules are set by each organisation to suit its own characteristics: rules on personnel, on the use of machines, on the use of software... Security for a computer network is most effective when the human-policy solution is carried out thoroughly.

In short, computer network security is a large problem that requires an overall solution: not only software and hardware but also policy and people. And it must be carried out continuously, because it can never be completely solved and new problems keep arising over time. Nevertheless, with a sensible overall solution, and especially with policy and people handled well, we can make ourselves considerably safer.

1.2. System and network security

1.2.1. General issues in system and network security

A common characteristic of a network system is that it has many users and is geographically distributed, so protecting resources (against loss or improper use) is much more complex than in a single-computer or single-user environment.

The network administrator must ensure that information on the network is reliable and used for the right purposes by the right parties, while keeping the network running stably and free from attack by saboteurs.

In practice, however, no network can be guaranteed absolutely secure; however well protected a system is, at some point it will be disabled by malicious parties.

The subject of this thesis is the methods of securing a LAN. In the theoretical part I present the following concepts:

1.2.2. Some concepts and history of system security

a. Intruders

An intruder is an individual or organisation that uses knowledge of networks and attack tools (hardware or software) to probe for weaknesses and security holes in a system and to carry out unauthorised intrusion and seizure of resources.

Some kinds of intruder:

Hacker: someone who breaks into a network without authorisation using password-cracking tools or by exploiting weaknesses in the system's access components.

Masquerader: someone who forges information on the network, such as IP addresses, domain names or user identities.

Eavesdropper: someone who listens in on information on the network using sniffer tools and then uses analysis and debugging tools to extract valuable information.

Intruders may pursue many different aims: stealing economically valuable information, deliberately sabotaging a network system, or simply acting without conscious purpose.

b. Security vulnerabilities

Security vulnerabilities are weaknesses in a system, or hidden in a service, through which an attacker can intrude into the system without authorisation, sabotage it or seize resources illegally.

Vulnerabilities have many causes: flaws in the system itself, in the software supplied, or an administrator who is weak and does not understand the services being provided in depth.

The impact of vulnerabilities on a system varies. Some only affect the quality of the services provided; others affect the entire system or destroy it.

c. Security policy

A security policy is the set of rules that apply to everyone who takes part in administering the network and who uses network resources and services.

Each situation calls for a different security policy. The policy lets users know their responsibility for protecting resources on the network, and helps the network administrator establish effective measures while equipping, configuring and monitoring the operation of the system and network.

1.2.3. Types of security vulnerabilities and main network attack methods

a. Types of vulnerability

Many organisations have classified the known vulnerability types. According to the US Department of Defense, vulnerabilities fall into three classes:

Class C vulnerabilities: allow DoS (Denial of Service) attacks. Low severity: they only affect service quality, causing the system to stall or be interrupted, without corrupting data or granting unauthorised access.

DoS is an attack that uses the Internet-layer protocols of the TCP/IP suite to stall a system, so that legitimate users are denied access to or use of it.

Services with vulnerabilities that allow DoS attacks can be upgraded or patched with newer versions from the vendors. At present there is no fully effective measure against this kind of attack, because the design of the Internet layer (IP) in particular, and of the TCP/IP suite in general, already contains the potential for such vulnerabilities.

Class B vulnerabilities: allow a user to gain additional privileges on the system without a legitimacy check, leading to loss of information that should be confidential. These vulnerabilities are usually found in the applications on the system. Medium severity.

Class B is more dangerous than class C. It allows a local user to obtain higher privileges or unauthorised access. These vulnerabilities usually appear in the services on the system. A local user is understood to be a user who already has access to the system with certain limited privileges.

Another form of class B vulnerability occurs in programs written in C. C programs usually use a buffer, a region of memory that stores data before it is processed. The programmer assigns a fixed amount of memory to each block of data before using the buffer. For example, when writing a program that reads a user-name field, the programmer may fix the field at 20 characters with the declaration:

char first_name[20];

This declaration allows the user to enter up to 20 characters (strictly, 19 characters plus the terminating null byte). When data is entered it is first stored in the buffer. When the user enters more than 20 characters, the buffer overflows: the extra characters land outside the buffer, where the program has no control over them. Attackers can exploit such a vulnerability by entering specially crafted characters that execute commands on the system. These vulnerabilities are usually exploited by users who already have an account on the system to gain root privileges illegitimately. To limit class B vulnerabilities, the system configuration and the programs must be tightly controlled.
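The overflow described above, as an added C example that is not part of the thesis: the unchecked copy next to a bounded version. Only the `char first_name[20];` declaration comes from the text; the function names, the NAME_LEN macro and the constructed 30-character input are assumptions.

```c
/* Added example, not from the thesis: the class B buffer overflow
 * described above. Only `char first_name[20];` comes from the text; the
 * function names and the constructed input are assumptions. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 20   /* 19 printable characters plus the terminating NUL */

/* Vulnerable: strcpy() stops only at the input's NUL, so 20 or more
 * characters are written past first_name[19] into whatever the compiler
 * placed next on the stack (other locals, saved registers, the return
 * address). Those are the "characters outside the buffer" the text
 * describes. Kept for comparison only; never call it on untrusted input. */
void read_name_unsafe(char first_name[NAME_LEN], const char *input)
{
    strcpy(first_name, input);   /* no length check at all */
}

/* Bounded copy: at most NAME_LEN-1 bytes, always NUL-terminated.
 * Returns 1 if the input fitted, 0 if it had to be truncated, so the
 * caller can reject over-long input instead of silently losing data. */
int read_name_safe(char first_name[NAME_LEN], const char *input)
{
    size_t len = strlen(input);
    int fits = len < NAME_LEN;
    size_t n = fits ? len : NAME_LEN - 1;

    memcpy(first_name, input, n);
    first_name[n] = '\0';
    return fits;
}

/* Does this input fit the field without truncation? */
int name_fits(const char *input)
{
    char first_name[NAME_LEN];
    return read_name_safe(first_name, input);
}

/* Length of the name that actually ends up stored for a given input. */
size_t stored_name_len(const char *input)
{
    char first_name[NAME_LEN];
    read_name_safe(first_name, input);
    return strlen(first_name);
}

/* Reading from a stream: fgets() itself honours the buffer size, the
 * newline is stripped, and over-long lines are reported through the
 * return value of read_name_safe(). */
int read_name_from_stream(char first_name[NAME_LEN], FILE *in)
{
    char line[256];

    if (fgets(line, sizeof line, in) == NULL)
        return 0;
    line[strcspn(line, "\n")] = '\0';
    return read_name_safe(first_name, line);
}

int main(void)
{
    char name[NAME_LEN];
    /* constructed input: 30 'A's, longer than the field */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    if (!read_name_safe(name, too_long))
        printf("input truncated to %zu characters: %s\n", strlen(name), name);
    return 0;
}
```

Modern toolchains (stack protector, FORTIFY_SOURCE) may abort the unsafe variant rather than let it run off the end of the buffer, which is why the demonstration only calls the bounded version; the point stands either way, since an abort is still a crash an attacker can trigger.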

Class A vulnerabilities: allow an outsider to gain unauthorised access to the system, and may destroy the entire system. These vulnerabilities are extremely dangerous and threaten the integrity and confidentiality of the system. They usually appear on poorly administered systems or where the network configuration is not controlled. For example, web servers running on the Novell operating system ship a script named convert.bas; running this script allows the entire contents of files on the system to be read.

Such vulnerabilities are extremely dangerous because they are already present in the software in use, and an administrator who does not understand the service and the software deeply may overlook the weakness. Administrators must therefore regularly check the announcements of security newsgroups on the network to detect vulnerabilities of this class. A series of old versions of commonly used programs have class A vulnerabilities, including FTP, Gopher, Telnet, Sendmail, ARP, finger...

b. Common network attack methods

Scanner

A scanner is a program that automatically probes for and detects security weaknesses on a local or a remote host. Using a scanner, a saboteur can discover security holes on a server even from far away.

It works by probing for the TCP/UDP ports in use on the target system and the services using them. The scanner records the responses from the remote system for each service it discovers, and from these it can find the system's weak points.

A scanner needs the following to operate:

Equipment and system requirements: an environment that supports TCP/IP.

The system must be connected to the Internet.

Scanner programs play an important role in a security system, because they can detect the weak points of a network.

Password Cracker

A password cracker is a program that can recover a password from its encrypted (hashed) form, or disable a system's password protection.

Different cracking programs work on different principles. Some generate a bounded list of words, apply the hashing algorithm to each and compare the result with the hashed password to be broken, then generate a further list according to the program's own logic. When a match with the hashed password is found, the saboteur has the password in plain text. The plaintext password is usually written to a file.

The countermeasure against this kind of attack is a sound password policy.
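The hash-and-compare loop the paragraph describes, as an added C example that is not from the thesis. It assumes an unsalted and a salted scheme, a six-word dictionary and the account passwords shown, all constructed for the example, and uses 64-bit FNV-1a as a stand-in for the system's real password hash.

```c
/* Added example, not from the thesis: the dictionary loop described
 * above, hashing each candidate word and comparing it with the stored
 * hash, plus the effect of a per-user salt. The hash is FNV-1a (64-bit),
 * a non-cryptographic stand-in used so the example runs without a crypto
 * library; real systems use crypt(3), bcrypt or Argon2. The word list,
 * salts and passwords are constructed for the example. */
#include <stdint.h>
#include <stdio.h>

/* FNV-1a: feed the bytes of s into the running hash h. */
static uint64_t fnv1a64(const char *s, uint64_t h)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        h ^= *p;
        h *= 1099511628211ULL;
    }
    return h;
}

/* Stored value for an account: hash(salt || password). An empty salt
 * gives the unsalted scheme the cracker in the text assumes. */
uint64_t hash_password(const char *salt, const char *password)
{
    uint64_t h = 1469598103934665603ULL;   /* FNV offset basis */
    h = fnv1a64(salt, h);
    return fnv1a64(password, h);
}

/* The cracker's dictionary (constructed). */
const char *const WORDLIST[] = {
    "123456", "password", "qwerty", "letmein", "admin", "welcome"
};
enum { WORDLIST_LEN = sizeof WORDLIST / sizeof WORDLIST[0] };

/* Hash every word with the account's salt and compare with the stored
 * hash. Returns the index of the matching word, or -1 if the password is
 * not in the dictionary (or the salt is wrong). */
int crack(uint64_t stored_hash, const char *salt)
{
    for (int i = 0; i < WORDLIST_LEN; i++)
        if (hash_password(salt, WORDLIST[i]) == stored_hash)
            return i;
    return -1;
}

int main(void)
{
    /* Two accounts sharing a weak password: unsalted they store the same
     * hash, so one dictionary pass (or a precomputed table) breaks both;
     * salted, the attacker must redo the whole list for each account. */
    uint64_t alice = hash_password("", "letmein");
    uint64_t bob   = hash_password("", "letmein");
    uint64_t carol = hash_password("x7Qp", "letmein");
    uint64_t dave  = hash_password("kM2z", "letmein");
    int hit = crack(alice, "");

    printf("unsalted hashes equal: %d, salted hashes equal: %d\n",
           alice == bob, carol == dave);
    printf("alice -> %s\n", hit >= 0 ? WORDLIST[hit] : "not found");
    printf("carol without salt -> %d, with salt -> %d\n",
           crack(carol, ""), crack(carol, "x7Qp"));
    return 0;
}
```

The second half of the point is the countermeasure: with a per-account salt the attacker cannot reuse one hashed dictionary (or a precomputed table) across accounts, a deliberately slow hash such as bcrypt or Argon2 makes each guess expensive, and a password policy that rejects dictionary words removes the hits altogether.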

Sniffer

A sniffer is a tool (hardware or software) that captures information travelling on the network in order to extract valuable information exchanged there.

A sniffer can capture the information exchanged between many workstations. It captures packets from the IP layer downward. Because the IP-layer protocols are publicly defined and the structure of the header fields is clear, decoding these packets is not difficult.

The purpose of sniffer programs is to put the Ethernet network cards, through which the packets exchanged in the network pass, into promiscuous mode, so that they "catch" information.

Sniffers can capture all information exchanged on the network because of the way packets are broadcast in an Ethernet network. (This holds on shared media such as a hub; on a switched network frames are normally delivered only to the destination port, so an attacker also needs a technique such as ARP spoofing or a mirror port on the switch.)

However, setting up a sniffer is not simple: the attacker must first get into the network and install the sniffer software. Sniffer programs also require their user to understand network architecture and protocols in depth.

Detecting that a system is being sniffed is not simple either, because the sniffer works at a very low layer and does not affect the applications or services the system provides.

Nevertheless, measures to limit sniffing are not too hard to build if we follow security principles such as:

Do not let strangers access the devices on the system.

Manage the system configuration tightly.

Establish highly secure connections through encryption mechanisms.
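What a sniffer does with the bytes once it has them, as an added C example not taken from the thesis: a parser for the IPv4 header and the TCP port and flag fields, run over a constructed 40-byte SYN packet. The sample packet, the field names and the summary format are assumptions; the header layout follows RFC 791 and RFC 793.

```c
/* Added example, not from the thesis: decoding a captured IPv4/TCP packet
 * from its public header layout, the step a sniffer performs after the
 * card is in promiscuous mode. The packet bytes are constructed for the
 * example (a TCP SYN from 192.168.1.10:49320 to 10.0.0.5:80). Putting an
 * interface into promiscuous mode needs root and a real interface and is
 * not done here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ip_summary {
    unsigned version, ihl;     /* ihl = header length in bytes */
    unsigned ttl, protocol;
    uint16_t total_len;
    uint32_t src, dst;         /* host byte order */
    uint16_t sport, dport;     /* TCP/UDP ports, 0 otherwise */
    unsigned tcp_flags;        /* TCP flag byte, 0 otherwise */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* RFC 791 header checksum. Run over a header that includes its own
 * checksum field, it returns 0 when the header is intact. */
uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += be16(hdr + i);
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Parse the IPv4 header and, for TCP/UDP, the ports (and TCP flags).
 * Returns 1 on success, 0 for malformed input; every length is checked
 * before the bytes behind it are read. */
int parse_ipv4(const uint8_t *pkt, size_t len, struct ip_summary *out)
{
    memset(out, 0, sizeof *out);
    if (len < 20)
        return 0;
    out->version = pkt[0] >> 4;
    out->ihl = (pkt[0] & 0x0f) * 4u;
    if (out->version != 4 || out->ihl < 20 || out->ihl > len)
        return 0;
    out->total_len = be16(pkt + 2);
    if (out->total_len < out->ihl || out->total_len > len)
        return 0;
    if (ip_checksum(pkt, out->ihl) != 0)
        return 0;
    out->ttl = pkt[8];
    out->protocol = pkt[9];
    out->src = be32(pkt + 12);
    out->dst = be32(pkt + 16);
    if (out->protocol == 6 || out->protocol == 17) {   /* TCP or UDP */
        const uint8_t *l4 = pkt + out->ihl;
        size_t l4len = out->total_len - out->ihl;
        if (l4len < 8)
            return 0;
        out->sport = be16(l4);
        out->dport = be16(l4 + 2);
        if (out->protocol == 6 && l4len >= 20)
            out->tcp_flags = l4[13];
    }
    return 1;
}

/* One sniffer-style summary line for a packet. */
const char *describe(const uint8_t *pkt, size_t len)
{
    static char line[128];
    struct ip_summary s;

    if (!parse_ipv4(pkt, len, &s))
        return "invalid IPv4 packet";
    snprintf(line, sizeof line,
             "%u.%u.%u.%u:%u -> %u.%u.%u.%u:%u proto=%u ttl=%u tcpflags=0x%02x",
             (unsigned)(s.src >> 24), (unsigned)((s.src >> 16) & 0xff),
             (unsigned)((s.src >> 8) & 0xff), (unsigned)(s.src & 0xff), (unsigned)s.sport,
             (unsigned)(s.dst >> 24), (unsigned)((s.dst >> 16) & 0xff),
             (unsigned)((s.dst >> 8) & 0xff), (unsigned)(s.dst & 0xff), (unsigned)s.dport,
             s.protocol, s.ttl, s.tcp_flags);
    return line;
}

/* Constructed capture: 20-byte IPv4 header (checksum 0x6f18 computed for
 * these fields) followed by a 20-byte TCP header with only SYN set. */
const uint8_t SAMPLE_SYN[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x6f, 0x18,
    0xc0, 0xa8, 0x01, 0x0a, 0x0a, 0x00, 0x00, 0x05,
    0xc0, 0xa8, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    puts(describe(SAMPLE_SYN, sizeof SAMPLE_SYN));
    return 0;
}
```

On a real system the same parser would be fed frames from a raw socket (on Linux, `socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL))`) with the interface in promiscuous mode, after skipping the 14-byte Ethernet header; both steps need root, which is the "must first get into the network" requirement the text mentions. Cleartext protocols decoded this way give up passwords directly, which is why the third principle above, encrypting the connection, is the one that actually defeats a sniffer rather than merely hindering it.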

Trojans

A Trojan is a program that runs illegitimately on a system while posing as a legitimate program. A Trojan can run because the code of a legitimate program has been altered into illegitimate code.

Viruses are cited as a typical example (strictly, a virus also replicates itself, whereas a Trojan only masquerades). Such programs hide their code inside legitimately used programs. When those programs are activated, the hidden code executes and performs functions the user is unaware of, such as stealing passwords or copying files without the user's knowledge.

A Trojan program will do one of the following:

Perform some functions, or help its author discover important or personal information on a system or on only some of its components.

Hide some functions, or help its author discover important or personal information on a system or on only some of its components.

There are also Trojan programs that do both. Some Trojans can even destroy the system by destroying the information on the hard disk; today, however, Trojans of that kind are easily detected and hard to make effective.

In more serious cases, attackers create security holes through Trojans, obtain root privileges on the system and use them to destroy part or all of it, or use root to alter log files and install further Trojan programs that the administrator cannot detect. The impact is then very serious, and the administrator has no choice but to reinstall the whole system.

1.3. Security issues for the LAN

When discussing LAN security we are usually concerned with a few main issues: protecting data exchanged inside the internal network, protecting data exchanged from the network to the outside and from the outside into the network, controlling unauthorized access from outside, and controlling disallowed access from inside the network to the outside. With the rapid growth of the Internet and the connection of internal networks to it, ensuring network safety and security has become both harder and more necessary.

There are many methods for securing a LAN today; some of the common and reliable ones are:

1.3.1. Virtual Private Network (VPN)

A Virtual Private Network (VPN) extends the private network of a company or organization over public or shared network connections such as the Internet. A VPN offers customers all the features of a leased line but at a lower cost, because it runs on public network infrastructure.


A VPN uses a tunneling protocol to carry private traffic, together with security measures such as encryption and authentication to protect data in transit.

1.3.2. Firewall

The term Firewall comes from a construction design technique for containing and limiting fires. In network technology, a firewall is a technique integrated into the network to block unauthorized access, protecting internal information resources and limiting the entry of other unwanted traffic into the system. A firewall can also be understood as a mechanism that protects a trusted network from untrusted networks.

The firewall sits between the network of an organization, company or country (the intranet) and the Internet. Its role is to protect intranet information from the outside Internet world.

From my study I find that the firewall is the most effective and widespread method today, because it has many advantages and provides good security features for protecting networks. Within the scope of this report I present the method of securing a LAN with a firewall.


Chapter 2: OVERVIEW OF FIREWALLS

For protecting an internal network, the firewall is one of the most effective and common solutions today. It keeps internal networks free of unauthorized access from outside by controlling the traffic flowing in and out between networks. In this chapter I give an overview of firewalls: the concept, the functions of a firewall, firewall classification, the advantages and disadvantages of each type, strategies for building a firewall, and an introduction to the packet-filtering mechanism.

2.1. Introduction to firewalls

2.1.1. Firewall concept

A firewall is a device intended to block illegitimate access from the outside network into the inside network. A firewall system usually comprises both hardware and software. Firewalls are typically used to block traffic or to define rules for different addresses.

2.1.2. Basic functions of a firewall

The main function of a firewall is to control the flow of information between the network to be protected (the trusted network) and the Internet, according to the access policies that have been established:

- Allow or deny services accessed from inside to outside and from outside to inside.
- Control the addresses that may be accessed and the services that may be used.
- Control users' ability to access across the two networks.
- Control the content of the information transferred between the two networks.
- Prevent attacks from outside networks.

Building firewalls is a fairly effective measure: it protects and controls most services, which is why it is the most widely applied of the network protection measures.


2.1.3. Firewall classification

There are many kinds of firewall, each with its own advantages and disadvantages. Usually, though, firewalls are divided into two main kinds:

- Hardware firewalls
- Software firewalls

a. Hardware firewalls

A hardware firewall is a hardware device with an integrated router, on which the packet-filtering rules are set up directly. It is like a computer that performs the single function of filtering packets by running software hardened into it; only the required rule sets can be configured, while the hardened, built-in router itself cannot be changed. Depending on the hardware firewall model of each vendor, the administrator can update the packet-filtering rules to varying degrees.

In operation, the firewall checks the header information of each packet, such as the source IP address, destination IP address, port and so on, against the rules set up in the router. If all the header information is valid the packet is let through; if not, it is discarded. Because no time is spent processing packets with invalid addresses, a hardware firewall is very fast, and this is the greatest advantage of hardware firewall systems.

Note that all hardware firewalls in the world today can filter only the header of a packet, not its content.

Below is a model of using a hardware firewall to secure a network:

Model of hardware firewall use: (the hardware firewall device in this model has the single function of packet filtering and cannot perform any other task)


Figure 1: Model of hardware firewall use.

In this model traffic from the Internet cannot enter the protected network zone directly, nor vice versa; it must pass through the hardware firewall. The inspection takes place there: if the header information of the packet, including source IP address, destination IP address, port and so on, is accepted, the packet is forwarded into the internal network or out to the Internet.

Well-known hardware firewall vendors today include CISCO, D-LINK and PLANET.

b. Software firewalls

This kind of firewall is an application program whose operating principle is based on the proxy application, software that forwards the packets received by a host to given destinations on request, with packet-filtering rules set up by the user. It is typically used when a network has a server through which all traffic passes before reaching the client machines, or on a personal computer connected to a network. Software firewalls are convenient because the software can easily be changed to take up new versions.

The way this kind of firewall works is also very simple. The firewall software runs resident on the server or personal computer, which may take on many tasks besides being a firewall. Every packet sent to or from the machine is checked by the firewall software, which inspects the header: destination address, source address, protocol, service port and so on. Modern software firewalls can also inspect the content of packets. The information the firewall checks is defined in advance by the user in the rule set. If the firewall software lets a packet through, it is then delivered to the client machines in the network or to the applications running directly on that machine.


Below is the model commonly used with a software firewall: (the computer acting as firewall may take on many different tasks besides being a firewall, for example DNS server, mail server, web server and so on)

Figure 2: Model of software firewall use.

In this model the computer running the firewall application acts as an intermediary. It receives packets from the Internet and from the protected network, then checks the packet headers (destination address, source address, protocol, service port and so on). If the firewall software accepts the packet it is forwarded to its destination; otherwise the firewall software decides to discard it. There are several ways to discard: silently, without telling the sender why (DROP), or with a reply telling the sender why (REJECT), and so on. This processing of discarded packets is what limits the speed of this kind of firewall.

Some widely used software firewalls that are rated highly for their packet filtering are ZoneAlarm Pro, SmoothWall, McAfee Personal Firewall Plus and Sygate Personal Firewall.

c. Advantages and disadvantages of firewalls

Each kind of firewall has its advantages and disadvantages and is used in different situations. Hardware firewalls are usually used to secure large networks: without a hardware firewall a software firewall system would be needed, that is, a server machine that receives every packet, inspects it and forwards it to the machines in the network. Since a software firewall is slower than a hardware one, this would considerably affect the speed of the whole network.

Software firewall systems, on the other hand, are usually used to secure personal computers or a small network. Using a software firewall reduces cost, because a hardware firewall device is many times more expensive than a software firewall system. Moreover, when a software firewall is used to secure a personal computer or a small network, its effect on the speed of packet forwarding in the network is negligible.

Another weakness of software firewalls is that each runs only on a particular operating system. ZoneAlarm Pro, for example, is a software firewall that runs only on Windows, while SmoothWall runs only on Linux. A hardware firewall, by contrast, runs completely independently and does not depend on an operating system the way a software firewall does.

Software firewalls can now filter the content of packets, whereas hardware firewalls can filter only the header information and cannot control the payload. For this reason hardware firewalls cannot help block system viruses, while software firewalls can.

2.1.4. Some other firewall systems

a. Packet-Filtering Router

The most common Internet firewall system consists of just a packet-filtering router placed between the internal network and the Internet. A packet-filtering router has two functions: forwarding traffic between the two networks, and using packet-filtering rules to allow or deny traffic. Basically, the filtering rules are defined so that hosts on the internal network have direct access to the Internet, while hosts on the Internet have only limited access to computers on the internal network. The idea of this firewall architecture is that anything not explicitly allowed is denied.

Figure 3: Packet-Filtering Router

(Figure 3 labels: The Internet, Outside, Packet filtering router, Inside, Internal network.)

Advantages

- Low cost (simple configuration).
- Transparent to users.

Limitations: it has all the limitations of a packet-filtering router, such as being vulnerable to attacks on imperfectly configured filters, or to attacks hidden inside permitted services.

Because packets are exchanged directly between the two networks through the router, the risk of attack is determined by the number of hosts and services permitted. Consequently every host allowed direct Internet access needs a sophisticated authentication system and must be checked regularly by the network administrator for signs of attack.

If the packet-filtering router stops working because of some failure, every system on the internal network can be attacked.

b. Screened Host Firewall

This system consists of a packet-filtering router and a bastion host. The screened host firewall provides higher security than the packet-filtering router because it enforces security at both the network level (packet filtering) and the application level. An attacker therefore has to breach both layers of security to attack the internal network.


Figure 4: Screened Host Firewall

In this system the bastion host is configured on the internal network. The filtering rules on the packet-filtering router are defined so that all outside systems can reach only the bastion host; traffic to every other inside system is blocked. Because the internal systems and the bastion host are on the same network, the organization's security policy decides whether internal systems may access the Internet directly or must use the proxy services on the bastion host. Internal users are forced to do so by configuring the router's filter to accept only internal traffic originating from the bastion host.

Advantages

Servers providing public information via web and FTP services can be placed on the packet-filtering router and the bastion host. Where the highest security is required, the bastion host can run proxy services that require all users, inside and outside, to go through the bastion host before connecting to the server. Where high security is not required, internal machines may connect to the server directly.

If even higher security is needed, a dual-homed bastion host firewall system can be used. Such a bastion host has two network interfaces, but direct communication between the two interfaces, other than through the proxy services, is forbidden.

(Figure 4 labels: The Internet, Outside, Packet filtering router, Inside, Information server, Bastion host, Internal network.)

Figure 5: Dual-homed bastion host firewall system.

Limitations

Because the bastion host is the only inside system reachable from the Internet, attacks are limited to the bastion host. However, if a user can log on to the bastion host, they can easily reach the entire internal network. Users must therefore be prevented from logging on to the bastion host.

c. Demilitarized Zone (DMZ) or Screened-subnet Firewall

This system consists of two packet-filtering routers and a bastion host. It is the most secure firewall system, because it provides both network-level and application-level security while defining a demilitarized network. The DMZ acts as a small, isolated network placed between the Internet and the internal network. Basically, a DMZ is configured so that systems on the Internet and on the internal network can reach only a limited number of systems on the DMZ, and direct transmission across the DMZ is impossible.

For incoming traffic, the outer router defends against standard attacks (such as IP address spoofing) and controls access to the DMZ. It lets outside systems reach only the bastion host and possibly the information server. The inner router provides the second layer of protection by allowing the DMZ to access the internal network only for traffic originating from the bastion host.

(Figure 5 labels: The Internet, Outside, Packet filtering router, Information server, Bastion host, Inside, Internal network.)

For outgoing traffic, the inner router controls the internal network's access to the DMZ: it allows inside systems to reach only the bastion host and possibly the information server. The filtering rules on the outer router enforce use of the proxy services by allowing outbound traffic only if it originates from the bastion host.

Figure 6: Screened-subnet Firewall

Advantages

An attacker must breach three layers of protection: the outer router, the bastion host and the inner router.

Because the outer router advertises only the DMZ network to the Internet, the internal network is invisible. Only selected systems on the DMZ are known to the Internet through routing tables and DNS (Domain Name Server) information exchange.

(Figure 6 labels: The Internet, Outside, Outside router, Packet filtering router, Information server, Bastion host, DMZ, Inside router, Inside.)

Because the inner router advertises only the DMZ network to the internal network, systems on the internal network cannot access the Internet directly. This guarantees that inside users must access the Internet through the proxy services.

2.2. Strategies for building a firewall

When studying firewalls in detail we need to understand some basic strategies used in building them.

2.2.1. Least Privilege

The most basic principle of security (not only network security) is to grant the least privilege. Essentially, any entity (user, administrator, program, system, and so on) should have only the privileges it needs to carry out its tasks, and no more. Least privilege is an important principle for preventing outsiders from exploiting an intrusion and for limiting the damage an intrusion can cause.

2.2.2. Defense in Depth

Another security principle is defense in depth. For any system, one should not install and rely on a single security mechanism, however strong it may be, but should deploy several security mechanisms that support one another. This is why a firewall is built with multiple layers of protection.

2.2.3. Choke Point

A choke point forces intruders through a narrow gateway that we can monitor and control, just as anyone entering a theatre must pass through the ticket gate.

In a network security scheme the firewall sits between our system and the Internet, and it is precisely such a choke point. Anyone intending to break into the system from the Internet must pass through this gateway, where we can monitor and manage them.

2.2.4. Weakest Link

A clever intruder looks for the weakest points of a system and attacks there. So for each system we need to know its weakest point in order to plan its protection. We usually pay more attention to intruders on the network than to people who can physically approach the system, so physical security is considered the weakest point in every system.


2.2.5. Fail-Safe Stance

Another fundamental security principle is to fail safe: if the system fails, it should fail in a way that blocks illegitimate access rather than letting an intruder in to damage it. Naturally, failing safe also cuts off legitimate users' access until the system is restored.

From this principle two basic stances are derived for framing security rules:

- Default deny stance: focus on what is permitted and block everything else. Anything not explicitly covered may be blocked.
- Default permit stance: focus on what is forbidden and permit everything else; whatever is not forbidden is allowed.

Most users and managers who follow the default permit stance take everything to be allowed by default, with a few troublesome or unclear services and actions forbidden. For example:

- NFS is not allowed through the firewall.
- WWW access is restricted to staff trained in the security issues of the WWW.
- Users may not install unauthorized servers.

So which stance is better to apply? From a security point of view the default deny stance should be used; from a management point of view it is the default permit stance.

2.2.6. Universal participation

To achieve a high level of security, every system on the network must take part in the security solution. If one system has weak security, an illegitimate user can break into it and then reach the other systems from the inside.

2.2.7. Diversity of defense

Because many different systems are in use, we need many protective measures to maintain a defense-in-depth strategy. If all our systems are alike and someone knows how to break into one of them, they can break into all the rest. Using several different systems limits the opportunities for errors to arise and is safer. In return we face problems of cost and complexity: buying and installing many different systems is harder and more time-consuming than systems of one type, and more vendor support and training time for the operators and administrators is needed.

2.2.8. Simplicity

Simple things are easy to understand. If we do not understand something clearly, we cannot know whether it is secure.

2.3. How to build a firewall

Building a firewall requires every step to be planned in advance and closely coordinated. The biggest problem is to successfully build a firewall that operates effectively, so we must proceed step by step on firm ground, minimizing the regrettable mistakes that can occur during construction.

2.3.1. Building the rule base

A successful firewall must operate according to a set of basic rules (the rule base). When an IP packet passes through the firewall, these rules are what the firewall uses to analyze and filter it. The rules should therefore be as simple, concise and understandable as possible, to speed up packet processing in the firewall and avoid congestion, and also to make changes and maintenance much easier. Usually no more than 30 basic rules should be used, and never more than 50, because too many rules slow down filtering and easily lead to errors, since rules can overlap one another.

2.3.2. Building the security policy

A firewall must have security policies, because in essence a firewall is only a tool for enforcing them. Managing and building a rigorous security policy is what gives the firewall its strength. So before we build the basic rules we must understand what the security policy of the firewall to be built is.

The security policies should also be relatively simple and easy to understand, not so complex that they overlap, cause confusion and become hard to check and maintain. Some very simple security policies might be:

- Machines on the internal network have unrestricted access to the Internet.
- Access from the Internet to the internal network's web and mail servers is allowed.
- All traffic entering the internal network must be authenticated and encrypted.

From very simple policies like these we can develop far more elaborate and effective operating policies, for example restricting the internal network to limited Internet use with a few basic services such as mail and HTTP only, while completely forbidding the FTP file transfer service, and so on.

2.3.3. Building a secure architecture

The steps to take when building a secure architecture:

First, allow all machines on the internal network to access the Internet.

Next, install the components that do not need protecting (for example the web server and mail server) in an area technically called the demilitarized zone (DMZ). The DMZ is a separate network where we place the systems we do not fully trust (since the Internet can reach into our DMZ, these systems cannot be trusted). Systems in the DMZ therefore never connect directly to the inside network until they have been trusted. There are two kinds of DMZ: the protected DMZ and the unprotected DMZ. A protected DMZ is a separate segment on the outside of the firewall; an unprotected DMZ is the network segment between the router and the firewall. We should use the protected kind, and that is where we usually place the web server and mail server.

The only way into the internal network must be under the network administrator's control (remote access may also be allowed).

Another thing to mention is DNS (Domain Name Server). We have to split the DNS into several parts, meaning that the DNS operations are divided between two different DNS servers. We do this so that one DNS server handles resolving the company's domain information for the outside network, and an internal DNS server handles the inside network. The external DNS server sits in the protected DMZ together with the web and mail servers; the internal DNS server sits on the inside network, which stops domain information about the internal network from being disclosed. Because the DNS server holds information about the layout of the internal network, we must keep it under protection to avoid leaking the network map.

2.3.4. Order of the rules in the rule base

Before building the basic rules we must pay attention to the order of the rules (also called their rank), because among them there is a special rule that plays a key role in our firewall security policy. Many rules have similar rank but still have to be placed in a before/after order, and this order changes the firewall's fundamental behaviour. Most firewalls check packets sequentially and continuously. When the firewall receives a packet it checks whether it matches any rule in the rule base, starting with the first rule, then the second, and so on until some rule matches; it then stops checking and acts according to that rule. If the packet has been compared with every rule in the table and none matches, the packet is rejected (filtered out). The key point is to find the first matching rule early so that the packet can pass quickly. Understanding this, we should place the special rules first and the ordinary rules after them. This prevents the situation where an ordinary rule lets a packet through while a special rule would have blocked it, an overlap that causes conflicts. So always take care to put the special rules first, followed by the ordinary rules. Following this principle avoids misconfiguration, helps the firewall work effectively, and makes upgrading, maintenance and changes easier.

2.3.5. The basic rules (Rule Base)

Default properties: rule out all these cases and make certain that no packet whatsoever can pass.

Internal Outbound (from the inside network to the outside): as a first step we allow traffic from inside to outside without restriction, so all basic services such as web, mail, FTP and so on are allowed.


Lockdown: restrict everything so that no intrusion into our firewall is allowed. This is a standard rule that the rule base must have. No intrusion into the firewall is allowed, but we still need firewall administrators (Firewall Admins).

Admin Access: no one can connect to the firewall, including the admin, so we must also create a rule that lets the admin access the firewall.

Drop All: normally we discard every packet that matches no rule, but we should log such packets, and we add this rule at the end of the rule list. This is a standard rule that we should have.

No Logging: normally there are many packets sent to all addresses (for example broadcast announcements) on the network. When they reach the firewall they are discarded and then logged, but this quickly fills the log. So we must create a rule that discards such packets without logging them. This is also a basic rule that we sometimes have to use.

DNS Access: model and components of the firewall.
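As an added illustration that is not part of the thesis, the following Python model evaluates a packet against the rule base of section 2.3.5 in first-match order with the implicit default deny of section 2.2.5, and shows the shadowing problem of section 2.3.4 when Lockdown is placed above Admin Access. The addresses, ports and sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing for the example (assumed, not from the thesis).
INTERNAL_NET = "192.168.1.0/24"
FIREWALL = "192.168.1.1/32"
ADMIN_HOST = "192.168.1.10/32"
BROADCAST = "192.168.1.255/32"


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at (section 2.4.1)."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One entry of the rule base. A field left as None matches anything."""
    name: str
    action: str                 # "ACCEPT" or "DROP"
    log: bool = True            # record the packet when this rule fires?
    src: Optional[str] = None   # source network (CIDR)
    dst: Optional[str] = None   # destination network (CIDR)
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


Verdict = Tuple[str, str, bool]   # (action, rule name, logged?)


def evaluate(rules: List[Rule], p: Packet) -> Verdict:
    """First-match evaluation, top to bottom (section 2.3.4).

    A packet that matches no rule is dropped and logged: the implicit
    default-deny stance of section 2.2.5.
    """
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name, rule.log
    return "DROP", "implicit default deny", True


# The rule base of section 2.3.5: specific rules first, general rules last.
RULE_BASE = [
    Rule("Admin Access", "ACCEPT", src=ADMIN_HOST, dst=FIREWALL, proto="tcp", dport=22),
    Rule("Lockdown", "DROP", dst=FIREWALL),
    Rule("No Logging", "DROP", log=False, dst=BROADCAST),
    Rule("Internal Outbound", "ACCEPT", src=INTERNAL_NET),
    Rule("Drop All", "DROP"),
]

# Same rules with Lockdown placed above Admin Access: the general rule now
# shadows the specific one, which is the mistake section 2.3.4 warns about.
MISORDERED = [RULE_BASE[1], RULE_BASE[0]] + RULE_BASE[2:]

# Constructed sample traffic.
ADMIN_SSH = Packet("192.168.1.10", "192.168.1.1", "tcp", 22)
USER_SSH_TO_FW = Packet("192.168.1.20", "192.168.1.1", "tcp", 22)
USER_WEB = Packet("192.168.1.20", "203.0.113.5", "tcp", 80)
NOISE = Packet("192.168.1.77", "192.168.1.255", "udp", 137)
INBOUND_SMB = Packet("198.51.100.7", "192.168.1.20", "tcp", 445)
SAMPLES = [ADMIN_SSH, USER_SSH_TO_FW, USER_WEB, NOISE, INBOUND_SMB]


def shadowed_rules(rules: List[Rule], samples: List[Packet]) -> List[str]:
    """Names of rules that never fire for the sample traffic: a cheap way to
    spot a specific rule buried under a more general one."""
    fired = {evaluate(rules, p)[1] for p in samples}
    return [r.name for r in rules if r.name not in fired]


if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", evaluate(RULE_BASE, p))
    print("misordered admin packet:", evaluate(MISORDERED, ADMIN_SSH))
    print("rules never hit in misordered base:", shadowed_rules(MISORDERED, SAMPLES))
```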

2.4. Packet filtering and how it works

When we speak of transferring data between networks through a firewall, it means the firewall works closely with the TCP/IP protocol, because this protocol works by splitting up the data received from applications on the network. That is:

- Data received from services running on the common network protocols (for example telnet, SMTP, DNS, SNMP, ...) is divided into data packets.
- These packets carry addresses and information so that they can be received and reassembled into the original data.

This is why firewalls are so closely concerned with packets and their addresses. Below we look at what packet filtering is and how it works.


2.4.1. Packet filtering

A packet filter checks the addressing of a packet to decide whether it may pass through the firewall. The information that can be filtered in a packet includes:

- The address of origin, or source IP address.
- The receiving address, or destination IP address.
- The port number at the origin (source port).
- The port number at the destination (destination port).

The firewall can thus block connections from the outside network to internal servers or into the internal network from disallowed addresses.

Moreover, controlling ports lets the firewall allow only certain kinds of connection to a designated server, serving some particular services (Telnet, SMTP, mail) permitted on the internal network.

2.4.2. Application Gateway

The Application Gateway is designed to strengthen control over the kinds of service and protocol allowed to access the network. It works through what is called a proxy service.

A proxy service works as follows: an application that is referred to (or represented by) a proxy service running on the server systems is referred to the firewall's Application Gateway. The packet-filtering mechanism combined with the Application Gateway's proxying gives the firewall a safer way of exchanging traffic with the outside network. For example, a network with packet filtering blocks Telnet connections into the system except through a single port, the Telnet Application Gateway. A Telnet user who wants to connect to the system must go through these steps:

- Telnet to the Telnet Application Gateway and give the name of the internal server to be accessed.
- The gateway checks the user's source IP address and allows or denies according to the system's security mode.


- The user must pass the authentication check.
- The proxy service relays traffic between the user and the server.

This mechanism is important in designing system security. It offers several capabilities, for example:

- Hiding information: users can directly see only the permitted gateways.
- Strengthening access control with authentication services.
- Significantly reducing the cost of developing authentication management systems, since they are designed to refer only to the Application Gateway.
- Minimizing the control rules of the packet filter, which significantly increases the firewall's speed.

2.4.3. Smart Session Filtering

Combining the packet filter with the application gateway as described above provides a high level of security, but it also has some limitations. The main problem today is how to provide proxy services for the very many different applications that are appearing rapidly. This means the risk and pressure of the firewall being deceived grow considerably if the proxies cannot keep up. When monitoring packets at the upper levels, if the network layer requires a lot of effort for simple packet filtering, monitoring traffic at the session level requires less work. This approach also removes the need for services specific to each kind of application.

The smart session filter works by combining the ability to record information about sessions with the use of that information to build rules for the filter. Note that a session at the network level is made up of two traffic flows in opposite directions:

- One controls packets flowing from the originating host to the server it wants to reach.
- One controls packets returning from the server.

A smart filter recognizes that the returning packets travel in the reverse direction, so the second rule is unnecessary. Consequently the way unwanted packets originating outside the firewall are received differs clearly from the way packets belonging to permitted (outbound) connections are received, and illegitimate packets are easily identified.
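The two-direction session described above, as an added Python example that is not part of the thesis: a filter records sessions opened from the inside and admits an outside packet only if it reverses a recorded 5-tuple, so the second (reply) rule is never written explicitly. Network addresses and the sample traffic are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


# A session is identified by its 5-tuple; the reply direction is the same
# tuple with the two endpoints swapped.
SessionKey = Tuple[str, int, str, int, str]


def key_of(p: Packet) -> SessionKey:
    return (p.src, p.sport, p.dst, p.dport, p.proto)


def reverse_key(p: Packet) -> SessionKey:
    return (p.dst, p.dport, p.src, p.sport, p.proto)


class SessionFilter:
    """Stateful filter for sessions opened from the inside network.

    Rule one (inside -> outside) is explicit and records the session.
    Rule two (the reply) is never written: a packet from outside is
    accepted only if it reverses a recorded session.
    """

    def __init__(self, inside_net: str) -> None:
        self.inside = ip_network(inside_net)
        self.sessions: Set[SessionKey] = set()

    def _outbound(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.inside
                and ip_address(p.dst) not in self.inside)

    def handle(self, p: Packet) -> str:
        if self._outbound(p):
            self.sessions.add(key_of(p))     # remember the session we opened
            return "ACCEPT"
        if reverse_key(p) in self.sessions:  # reply to something we sent
            return "ACCEPT"
        return "DROP"                        # unsolicited, forged or stale

    def close(self, p: Packet) -> None:
        """Forget a session once it has ended (e.g. after a TCP FIN)."""
        self.sessions.discard(key_of(p))
        self.sessions.discard(reverse_key(p))


# Constructed sample traffic (assumed addressing, not from the thesis).
QUERY = Packet("192.168.1.20", 53000, "203.0.113.53", 53, "udp")
REPLY = Packet("203.0.113.53", 53, "192.168.1.20", 53000, "udp")
FORGED = Packet("198.51.100.7", 53, "192.168.1.20", 53000, "udp")   # wrong peer
UNSOLICITED = Packet("198.51.100.7", 40000, "192.168.1.20", 445, "tcp")


def demo() -> List[str]:
    """Verdicts for: a reply before any query, the query, the real reply,
    a forged reply, an unsolicited connection, and a reply after close."""
    fw = SessionFilter("192.168.1.0/24")
    verdicts = [fw.handle(p) for p in (REPLY, QUERY, REPLY, FORGED, UNSOLICITED)]
    fw.close(QUERY)
    verdicts.append(fw.handle(REPLY))
    return verdicts


if __name__ == "__main__":
    print(demo())
```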

2.4.4. Hybrid Firewall

In practice, firewalls are built by combining several techniques to obtain maximum security. For example, what slips through the packet filter's controls can be caught by the smart session filter at the application level, and the filter's monitoring is tightened by the Application Gateway's proxy services.

2.5. Conclusion

Firewall systems are set up to ensure network security by controlling the headers of packets. To use a firewall to secure a network effectively, however, the system administrator needs a deep understanding of destination IP addresses, source IP addresses, service ports and network protocols (TCP, UDP, SMTP), and in particular needs tools that help configure the firewall system effectively. In the next chapter I present the Iptables firewall tool integrated in the open-source Linux operating system for protecting an internal network.


Chapter 3: IPTABLES IN THE LINUX OPERATING SYSTEM

Many firewall programs exist today for operating systems such as Windows NT, Linux and Solaris. On the open-source Linux operating system, the new version of the IPtables firewall software is a truly powerful tool for ensuring network security, and the network administrator can use it with many useful options. However, the software has a great many parameters, and using it requires in-depth knowledge of computer networks; people with little networking knowledge who do not know the program's parameters cannot use IPtables. Within this project I study the Iptables tool of the Linux firewall for controlling whether users on the internal network may send any access request over any protocol from inside the machine to the outside, as well as for blocking any access request over any protocol from the outside in. Moreover, as we know, a machine running Linux has a number of services listening (LISTEN). These services serve only you, and you do not want anyone on the Internet to reach them. We therefore build rules that specify: when packets enter (INPUT) the firewall, the firewall checks whether any INPUT rule allows them in; if not, it blocks them according to the default policy.

This increases security and gives the network administrator more flexibility.

In this chapter I give an overview of the IPtables firewall tool and examine some basic IPtables rule sets:

3.1. The IPtables firewall on Red Hat

Linux kernel version 2.4.x was released with many new features that make Linux more reliable and support more devices. One of these new features is support for Netfilter iptables directly in the kernel, which makes working with packets more effective than the earlier tools ipfwadm in kernel 2.0 and ipchains in kernel 2.2, although the old command sets are still supported. Setting up a packet-filtering firewall with ipfwadm or ipchains had several limitations: the integration needed to extend their features was missing, and when packet filtering for the common protocols was used together with Network Address Translation (NAT), the two were carried out entirely separately and could not be combined. Netfilter and iptables on kernel 2.4 resolve these limitations well and add many features that ipfwadm and ipchains lack.

3.1.1. Introduction to IPtables

Linux has many firewalls. Among those that are configured and operated from the console, two that are small and convenient are Iptables and Ipchains.

a. Netfilter/IPtables

Introduction

Iptables was written by the Netfilter organization to strengthen the security features of Linux systems.

Figure 7: The IPTables firewall in Linux.

Iptables is a very powerful packet-filtering firewall, available in Linux kernels 2.4.x and 2.6.x. Netfilter/Iptables consists of two parts: Netfilter inside the Linux kernel and Iptables outside the kernel. Iptables is responsible for the communication between the user and Netfilter: it pushes the user's rules into Netfilter for processing. Netfilter filters packets at the IP level. It works directly inside the kernel, is fast, and does not slow the system down. It was designed to replace ipchains of Linux 2.2.x and ipfwadm of Linux 2.0.x; it has more features than ipchains and is built more sensibly, with the following points:

What can Netfilter/Iptables do?

- Build a firewall based on stateless and stateful packet filtering.
- Use the NAT table and masquerading to share network access when there are not enough network addresses.
- Use the NAT table to set up a transparent proxy.
- Help the iproute2 toolset build complex routing policies and QoS.
- Change (mangle) the TOS/DSCP/ECN bits of the IP header.
- Track connections and check many states of a packet. It does this for UDP and ICMP, and best of all for TCP connections; for example, the stateful ICMP filter only lets an echo reply in when a request was sent out, instead of blocking requests while still accepting replies on the assumption that they always answer a ping. An unsolicited echo reply can be a sign of an attack or of a backdoor.
- Simple handling of packets by way of the chains (lists of rules) INPUT, OUTPUT and FORWARD. On hosts with several network interfaces, packets moving between interfaces traverse only the FORWARD chain rather than all three chains.
- A clear separation between packet filtering and NAT (Network Address Translation).
- Rate limiting of connections and logging. You can limit connections and log them to help avoid denial-of-service attacks.
- Filtering on TCP flags and on physical (MAC) addresses.
- Because it is a stateful firewall it can track a connection throughout its lifetime, which makes it safer than a stateless firewall.

Iptables consists of 4 tables, each with a default policy and a set of built-in chains.

b. Ipchains

One of the programs Linux uses to configure the kernel's NAT table is Ipchains. The Ipchains program comes with two main scripts that simplify the administration of Ipchains.

Ipchains is used to install, maintain and inspect the IP firewall rules in the Linux kernel. These rules can be divided into different rule chains:

- IP Input chain (the rules applied to packets arriving at the firewall).
- IP Output chain (the rules applied to packets generated locally on the firewall and leaving it).
- IP forwarding chain (applied to packets forwarded to another host or network through the firewall). And the user-defined chains.

Ipchains uses the concept of a rule chain to process packets. A chain is a list of rules for processing packets of one kind: incoming, forwarded or outgoing packets. These rules state which action is applied to the packet. The rules stored in the NAT table are pairs of IP addresses rather than single IP addresses.

A firewall rule specifies the packet criteria and a target. If the packet does not match, the next rule is examined; if it matches, the rule determines the target, which can be a user-defined chain or one of the following values: ACCEPT, DENY, REJECT, MASQ, REDIRECT or RETURN.

- ACCEPT: lets the packet through.
- DENY: discards the packet without sending any notice to the client.
- REJECT: like DENY, but replies to the client that the packet was discarded.
- MASQ: valid only in the forward chain and in user-defined chains, and used when the kernel was compiled with CONFIG_IP_MASQUERADE. With this target the packet is masqueraded as if it originated from the local machine; moreover, the reverse packets are recognised and demasqueraded automatically, bypassing the forwarding chain.
- REDIRECT: valid only in the input chain and in user-defined chains, and used only when the Linux kernel was compiled with CONFIG_IP_TRANSPARENT_PROXY defined. With this target packets are diverted to a local socket even though they were addressed to a remote host.

Some commonly used syntax:

ipchains -[ADC] chain rule-specification [options]
ipchains -[RI] chain rulenum rule-specification [options]
ipchains -D chain rulenum [options]
ipchains -[LFZNX] [chain] [options]
ipchains -P chain target [options]
ipchains -M [ -L | -S ] [options]

3.1.2. How a packet passes through Netfilter

The packet travels along the cable and then enters a network card (for example eth0). First it passes through the PREROUTING chain (before routing). Here its parameters can be altered (mangle) or its destination IP address changed (DNAT). A packet addressed to the machine itself then goes through the INPUT chain, where it can be accepted or discarded. Next it is handed up to the applications (client/server) for processing, and what they send is passed out through the OUTPUT chain; at OUTPUT the packet's parameters can be altered and it is filtered, being either accepted out or discarded. A packet forwarded through the machine goes, after leaving PREROUTING, through the FORWARD chain, where it is likewise filtered with ACCEPT or DENY. After FORWARD or OUTPUT the packet reaches the POSTROUTING chain (after routing), where its source IP address can be changed (SNAT) or MASQUERADE applied. After leaving the network card the packet goes onto the cable to another computer on the network.

3.1.3. Structure of Iptables

Iptables is divided into 4 tables:

- The filter table is used to filter packets.
- The nat table is used to handle packets whose source or destination address is translated (source NAT or destination NAT).
- The mangle table is used to alter fields in the IP packet.
- The conntrack table is used to track connections.

Each table consists of chains. A chain consists of rules that act on packets. A rule can ACCEPT (accept the packet), DROP (discard the packet), REJECT (reject the packet) or refer (reference) to another chain.


3.1.4. Installing iptables

Iptables is installed by default on Linux systems; the iptables package is iptables-version.rpm or iptables-version.tgz, and it can be installed with:

$ rpm -ivh iptables-version.rpm (on Red Hat)
$ apt-get install iptables (on Debian)

Start iptables: service iptables start
Stop iptables: service iptables stop
Restart iptables: service iptables restart
Check the status of iptables: service iptables status

3.2. Common command-line parameters

3.2.1 Getting help

For help on Iptables, type $ man iptables or $ iptables --help. For example, if you need to know the options of the limit match, type $ iptables -m limit --help.

3.2.2 Options that specify parameters

- Specify the table: -t, for example -t filter, -t nat; if no table is given, the default is filter.
- Specify the protocol: -p, for example -p tcp, -p udp, or -p ! udp for every protocol other than udp.
- Specify the incoming interface: -i, for example -i eth0, -i lo.
- Specify the outgoing interface: -o, for example -o eth0, -o ppp0.
- Specify the source IP address: -s, for example -s 192.168.0.0/24 (the network 192.168.0 with a 24-bit netmask), -s 192.168.0.1-192.168.0.3 (the addresses 192.168.0.1, 192.168.0.2 and 192.168.0.3).
- Specify the destination IP address: -d, used like -s.
- Specify the source port: --sport, for example --sport 21 (port 21), --sport 22:88 (ports 22 to 88), --sport :80 (ports up to 80), --sport 22: (ports from 22 upwards).
- Specify the destination port: --dport, used like --sport.

3.2.3. Options for working with chains

- Create a new chain: iptables -N
- Delete a user-defined chain: iptables -X
- Set the policy of the built-in chains (INPUT, OUTPUT and FORWARD): iptables -P, for example iptables -P INPUT ACCEPT accepts the packets entering the INPUT chain.
- List the rules in a chain: iptables -L
- Delete the rules in a chain (flush the chain): iptables -F
- Reset the packet counters to 0: iptables -Z

3.2.4. Options for working with rules

- Add a rule: -A (append)
- Delete a rule: -D (delete)
- Replace a rule: -R (replace)
- Insert a rule: -I (insert)

3.2.5 The difference between ACCEPT, DROP and REJECT

- ACCEPT: accept the packet.
- DROP: discard the packet (no reply is sent to the client).
- REJECT: reject the packet (a reply is sent to the client in another packet).

Some examples:

# iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
Accept the packets arriving on port 80 on the interface eth0 (--dport is only valid together with a protocol, so -p tcp is required).

# iptables -A INPUT -i eth0 -p tcp --dport 23 -j DROP
Discard the packets arriving on TCP port 23 on the interface eth0.

# iptables -A INPUT -i eth1 -p tcp -m iprange ! --src-range 10.0.0.1-10.0.0.5 --dport 22 -j REJECT --reject-with tcp-reset
Send a TCP packet with RST=1 in reply to connections to port 22 on the interface eth1 that do not come from the address range 10.0.0.1 to 10.0.0.5 (the iprange match is what accepts an address range; a plain -s takes a single address or a network).

# iptables -A INPUT -p udp --dport 139 -j REJECT --reject-with icmp-port-unreachable
Send an ICMP `port-unreachable' packet in reply to connections to UDP port 139.

3.2.6 The difference between NEW, ESTABLISHED and RELATED

- NEW: a packet opening a new connection.
- ESTABLISHED: a packet belonging to a connection that is already established.
- RELATED: a packet opening a new connection that is related to an existing connection.

Some examples:

# iptables -P INPUT DROP
Set the policy of the INPUT chain to DROP.

# iptables -A INPUT -p tcp --syn -m state --state NEW -j ACCEPT
Only accept TCP packets opening a connection that have SYN=1.

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Do not cut off connections that are already established, and also allow new connections opened within an established connection.

# iptables -A INPUT -p tcp -j DROP
All remaining TCP packets are dropped.
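The chain walk of sections 3.1.2 and 3.1.3 (built-in chain, jump to a user-defined chain, chain policy when nothing matches) and the NEW/ESTABLISHED/RELATED classification used by the rules above can be followed in a small Python model. This is an added example written for this page; it is not code from the thesis and not Netfilter's own logic. It keeps a toy connection-tracking table, walks the INPUT chain of 3.2.6 together with the bad_tcp_packets chain of chapter 4, and applies the chain policy when no rule matched. The firewall host 192.168.0.1 is the LAN_IP of chapter 4; the remote addresses 203.0.113.9 and 198.51.100.7 and the packets are constructed, and RELATED is modelled only for an ICMP error that quotes a tracked flow.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Packet:
    proto: str                                # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False                         # TCP SYN flag
    ack: bool = False                         # TCP ACK flag
    related_to: Optional[tuple] = None        # flow quoted inside an ICMP error

class ConnTracker:
    """Toy conntrack: remembers accepted flows and recognises the reply
    direction by swapping addresses and ports."""
    def __init__(self):
        self.flows = set()

    @staticmethod
    def key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def state(self, p):
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if self.key(p) in self.flows or reverse in self.flows:
            return "ESTABLISHED"
        if p.related_to in self.flows:        # ICMP error about a known flow
            return "RELATED"
        return "NEW"

@dataclass
class Rule:
    match: Callable[[Packet, str], bool]      # (packet, conntrack state) -> bool
    target: str                               # ACCEPT/DROP/REJECT/RETURN or a chain name

class FilterTable:
    def __init__(self, policy="DROP"):
        self.chains = {c: [] for c in ("INPUT", "OUTPUT", "FORWARD")}
        self.policy = {c: policy for c in self.chains}    # iptables -P
        self.ct = ConnTracker()

    def new_chain(self, name):                            # iptables -N
        self.chains[name] = []

    def append(self, chain, rule):                        # iptables -A
        self.chains[chain].append(rule)

    def _walk(self, chain, p, state):
        for rule in self.chains[chain]:
            if not rule.match(p, state):
                continue
            if rule.target in ("ACCEPT", "DROP", "REJECT"):
                return rule.target
            if rule.target == "RETURN":
                return None
            verdict = self._walk(rule.target, p, state)   # jump to a user chain
            if verdict is not None:
                return verdict
        return None   # end of a user chain: control goes back to the caller

    def filter(self, chain, p):
        state = self.ct.state(p)
        verdict = self._walk(chain, p, state) or self.policy[chain]
        if verdict == "ACCEPT":
            self.ct.flows.add(self.ct.key(p))
        return verdict

def build_input_filter():
    """The INPUT rules of section 3.2.6 plus the bad_tcp_packets chain of chapter 4."""
    fw = FilterTable(policy="DROP")                       # iptables -P INPUT DROP
    fw.new_chain("bad_tcp_packets")
    # -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
    fw.append("bad_tcp_packets", Rule(
        lambda p, s: p.proto == "tcp" and not p.syn and s == "NEW", "DROP"))
    fw.append("INPUT", Rule(lambda p, s: p.proto == "tcp", "bad_tcp_packets"))
    # -A INPUT -p tcp --syn -m state --state NEW -j ACCEPT   (--syn: SYN set, ACK clear)
    fw.append("INPUT", Rule(
        lambda p, s: p.proto == "tcp" and p.syn and not p.ack and s == "NEW", "ACCEPT"))
    # -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw.append("INPUT", Rule(lambda p, s: s in ("ESTABLISHED", "RELATED"), "ACCEPT"))
    # -A INPUT -p tcp -j DROP
    fw.append("INPUT", Rule(lambda p, s: p.proto == "tcp", "DROP"))
    return fw

def demo():
    """Constructed traffic towards the firewall host 192.168.0.1."""
    fw = build_input_filter()
    flow = ("tcp", "203.0.113.9", 40000, "192.168.0.1", 22)
    packets = [
        Packet("tcp", "203.0.113.9", 40000, "192.168.0.1", 22, syn=True),  # opens a connection
        Packet("tcp", "203.0.113.9", 40000, "192.168.0.1", 22, ack=True),  # follow-up: ESTABLISHED
        Packet("tcp", "198.51.100.7", 5555, "192.168.0.1", 80, ack=True),  # ACK without a connection
        Packet("icmp", "203.0.113.9", 0, "192.168.0.1", 0, related_to=flow),  # ICMP error: RELATED
        Packet("udp", "198.51.100.7", 1234, "192.168.0.1", 53),            # nothing matches: policy
    ]
    return [fw.filter("INPUT", p) for p in packets]
```

Running demo() gives ACCEPT, ACCEPT, DROP, ACCEPT, DROP: the SYN opens a flow, the ACK of that flow is ESTABLISHED, the stray ACK is NEW without SYN and is caught by bad_tcp_packets, the ICMP error quoting the first flow is RELATED, and the cold UDP packet falls through to the DROP policy, which is exactly the point of setting the INPUT policy to DROP before the rules.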

3.2.7 The options --limit and --limit-burst

- --limit-burst: the maximum initial number of matches, counted in packets.
- --limit: the rate at which that maximum is refilled, counted in packets per s (second), m (minute), h (hour) or d (day).
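The limit match behaves like a token bucket: --limit-burst is the size of the bucket, so that many packets in a row are matched straight away, and --limit is the rate at which the bucket refills, so after a burst further packets match only as credit returns. The Python below is an added example, not code from the thesis or from Netfilter; it models that behaviour (the real match works with integer credits, but produces the same verdicts), and the packet arrival times it feeds in are constructed.

```python
class LimitMatch:
    """Token-bucket model of `-m limit --limit RATE --limit-burst N` (added example)."""
    # Full unit names as iptables accepts them, plus the s/m/h/d abbreviations used in the text
    UNITS = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0,
             "s": 1.0, "m": 60.0, "h": 3600.0, "d": 86400.0}

    def __init__(self, limit="3/minute", burst=5):
        count, unit = limit.split("/")
        self.interval = self.UNITS[unit] / float(count)   # seconds needed to earn one token
        self.burst = float(burst)                         # bucket size (--limit-burst)
        self.tokens = float(burst)                        # the bucket starts full
        self.last = 0.0                                   # time of the last refill

    def matches(self, now):
        """True if a packet arriving at time `now` (seconds) is matched; it then consumes a token."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) / self.interval)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def simulate(arrivals, limit="3/minute", burst=5):
    """Apply the match to a list of arrival times and return one verdict per packet."""
    m = LimitMatch(limit, burst)
    return [m.matches(t) for t in arrivals]

def demo():
    # Constructed arrivals: eight packets within 0.7 s, then one packet every 25 s
    arrivals = [0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 25.0, 50.0, 75.0]
    return simulate(arrivals, "3/minute", 5)
```

With --limit 3/minute --limit-burst 5 the first five packets of the burst match and the next three do not; at one packet every 25 seconds the bucket has earned a token again each time, so those all match. This is why a rule such as -m limit --limit 3/minute --limit-burst 5 -j LOG is placed in front of a LOG target: during a flood it writes at most five log lines at once and three per minute afterwards, instead of one line per packet.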

3.3. Introduction to the NAT table (Network Address Translation)

One problem today is the scarcity of IP addresses: an organisation with many computers may be allocated only a single IP address. How, then, can every computer in the organisation reach the Internet with that single address? There is a mechanism for this, namely NAT (Network Address Translation).

3.3.1. Basic concepts of NAT

NAT is used when you have your own private network addresses and connect to the Internet (while connecting to the Internet requires you to have a public address).

The public addresses used on the Internet are unique and are normally provided by Internet Service Providers (ISPs); they are also called valid IP addresses. Private addresses are used inside the local network (LAN). They do not have to come from the service provider; the local network administrator can assign them. But private addresses are never used on the Internet.

NAT lets you reach the Internet while you are using private addresses. It does so by letting you translate between the two kinds of address, whatever the size of your internal network, even though the ISP provides you with only one public address.

NAT rewrites the source address, so that on leaving the internal network the packet uses the public address on the Internet. Seen from the Internet, the private address of the machine cannot be known; only the public address of the internal network is visible. NAT tells the addresses of the machines on the internal network apart by means of the service port number.

With these characteristics NAT has the following advantages:

- It hides the internal network addresses from the outside network.
- When connecting to the Internet it saves public (Internet) addresses.
- It serves load balancing and can spread traffic across several servers inside the internal network.
- The key distribution process is kept confidential.
- If the Internet address changes, the individual machines do not have to be reconfigured, which is very convenient for the administrator.
- It reduces investment costs.

Along with these advantages it also has unavoidable disadvantages:

- Processing is slow, because each packet has to be re-analysed and its addresses rewritten and recomputed.
- Congestion occurs easily if too much traffic passes through at the same time.

We now look at some of NAT's address translation methods.

3.3.2. Dynamic IP address translation (Dynamic NAT)

Dynamic NAT is one of the NAT (Network Address Translation) techniques. The internal IP addresses are translated to NAT addresses as follows:

Figure 8: Dynamic IP address translation.

The NAT router translates the internal range 192.168.0.x to the new range 203.162.2.x. When a packet with source IP 192.168.0.200 reaches the router, the router changes the source IP to 203.162.2.200 and only then sends it out. This process is called SNAT (Source NAT). The router keeps the mapping in a table called the dynamic NAT table. Conversely, when a packet arrives from outside with destination IP 203.162.2.200, the router consults the current dynamic NAT table and changes the destination 203.162.2.200 to the new destination 192.168.0.200. This process is called DNAT (Destination NAT). The communication between 192.168.0.200 and 203.162.2.200 is completely transparent through the NAT router: the NAT router forwards the packets from 192.168.0.200 to 203.162.2.200 and back.

3.3.3. IP address masquerading (masquerade)

Figure 9: IP address masquerading.

The NAT router translates the internal range 192.168.0.x to a single IP address, 203.162.2.4, by using different port numbers. For example, when an IP packet with source 192.168.0.168:1204 and destination 211.200.51.15:80 reaches the router, the router changes the source to 203.162.2.4:26314 and records this in a table called the dynamic masquerade table. When a packet arrives from outside with source 211.200.51.15:80 and destination 203.162.2.4:26314, the router consults the current dynamic masquerade table and changes the destination from 203.162.2.4:26314 to 192.168.0.168:1204. Communication between the machines on the LAN and machines outside is completely transparent through the router.
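The two translation tables of 3.3.2 and 3.3.3 can be modelled side by side. The Python below is an added example, not code from the thesis; it uses the addresses and ports from the text (192.168.0.x, 203.162.2.x, 203.162.2.4:26314, 211.200.51.15:80) and assumes one port-allocation policy, handing out public ports one after another from 26314, so that the numbers line up with the figures. It shows that a reply is translated back only when a table entry exists for it, that a second packet of the same flow reuses its entry, and that an unsolicited packet from another address (198.51.100.7, constructed) finds no entry and is dropped.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class DynamicNAT:
    """1:1 dynamic NAT (section 3.3.2): each inside host gets its own public
    address; here the host part is kept, as the text shows (.200 -> .200)."""
    def __init__(self, inside_prefix="192.168.0.", public_prefix="203.162.2."):
        self.inside, self.public = inside_prefix, public_prefix
        self.table: Dict[str, str] = {}                 # public ip -> inside ip

    def outbound(self, p: Packet) -> Packet:            # SNAT on the way out
        public = self.public + p.src[len(self.inside):]
        self.table[public] = p.src
        return replace(p, src=public)

    def inbound(self, p: Packet) -> Optional[Packet]:   # DNAT on the way back
        inside = self.table.get(p.dst)
        return replace(p, dst=inside) if inside else None   # no entry: dropped

class Masquerade:
    """Many-to-one NAT (section 3.3.3): all inside hosts share one public
    address and flows are told apart by the public port the router chose."""
    def __init__(self, public_ip="203.162.2.4", first_port=26314):
        self.public_ip = public_ip
        self.next_port = first_port                      # assumption: sequential allocation
        # (public port, remote ip, remote port) -> (inside ip, inside port)
        self.table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        self.ports: Dict[Tuple[str, int, str, int], int] = {}   # inside flow -> public port

    def outbound(self, p: Packet) -> Packet:
        flow = (p.src, p.sport, p.dst, p.dport)
        port = self.ports.get(flow)
        if port is None:                                 # first packet of the flow: allocate
            port, self.next_port = self.next_port, self.next_port + 1
            self.ports[flow] = port
            self.table[(port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        entry = self.table.get((p.dport, p.src, p.sport))
        if p.dst != self.public_ip or entry is None:
            return None                                  # unsolicited: no entry, dropped
        return replace(p, dst=entry[0], dport=entry[1])

def demo_dynamic_nat():
    nat = DynamicNAT()
    out = nat.outbound(Packet("192.168.0.200", 3000, "211.200.51.15", 80))
    back = nat.inbound(Packet("211.200.51.15", 80, out.src, out.sport))
    return out.src, back.dst

def demo_masquerade():
    mq = Masquerade()
    out = mq.outbound(Packet("192.168.0.168", 1204, "211.200.51.15", 80))
    again = mq.outbound(Packet("192.168.0.168", 1204, "211.200.51.15", 80))   # same flow
    other = mq.outbound(Packet("192.168.0.200", 1204, "211.200.51.15", 80))   # second host
    back = mq.inbound(Packet("211.200.51.15", 80, "203.162.2.4", out.sport))
    stray = mq.inbound(Packet("198.51.100.7", 80, "203.162.2.4", out.sport))  # no entry
    return (out.src, out.sport), again.sport, other.sport, (back.dst, back.dport), stray
```

demo_dynamic_nat() returns ('203.162.2.200', '192.168.0.200'); demo_masquerade() shows the first flow leaving as 203.162.2.4:26314, the second host from the same LAN getting port 26315, the reply from 211.200.51.15:80 going back to 192.168.0.168:1204, and the packet from the unrelated address returning None. The lookup on the full (public port, remote address, remote port) triple is what keeps a masquerading router from passing an unsolicited inbound packet into the LAN.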

3.3.4. Some examples of using NAT

Iptables supports the -j REDIRECT target, which lets you redirect a port easily. For example, SQUID is listening on port 3128/tcp. To redirect port 80 to port 3128:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

Note: the -j REDIRECT target is used in the PREROUTING chain.

SNAT & MASQUERADE

To create a `transparent' connection between the LAN 192.168.0.1 and the Internet, configure the Iptables firewall as follows:

# echo 1 > /proc/sys/net/ipv4/ip_forward
Allow packets to be forwarded through the Iptables host.

# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 210.40.2.71
Change the source IP of the packets leaving the interface eth0 to 210.40.2.71. When a packet comes back in from the Internet, Iptables automatically changes the destination IP 210.40.2.71 to the destination IP of the corresponding machine in the LAN 192.168.0/24.

Or use MASQUERADE instead of SNAT:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
(MASQUERADE is usually used when the Internet connection is ppp0 and uses a dynamic IP address.)


DNAT

Suppose the Proxy, Mail and DNS servers are placed in the DMZ network. To create transparent connections from the Internet to these servers:

# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.3
# iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 192.168.1.4


Chapter 4:

SETTING UP A FIREWALL TO PROTECT THE INTERNAL NETWORK WITH IPTABLES IN THE LINUX OPERATING SYSTEM

In this application, iptables on a Linux server is used as a firewall that lets the external network reach the DMZ and lets the internal network reach the external network through the firewall. The external network is not allowed to reach the internal network.

4.1. How a firewall with a DMZ works

Figure 10: Firewall with a DMZ.

- The firewall lets machines on the internal network reach resources on the external network by means of SNAT.
- It lets machines on the external network reach only the Web Server and the DNS Server in the DMZ, by means of DNAT.
- The requirements for the firewall (kernel 2.4.x), the modules the firewall needs, and the assignment of addresses to the internal network and the DMZ are done as in the IP NAT application.
- User-defined chains: 3 chains, bad_tcp_packets, allowed and icmp_packets, as in the IP NAT application.


4.2. Structure of the configuration file and the configuration

The configuration file for the firewall:

4.2.1. Configuring the options:

#!/bin/sh
# rc.firewall_dmz - DMZ firewall for Linux 2.4.x and iptables
###############################################################
# 1. Configuration options.
# 1.1 Configuration of the Internet interface.
# INET_IP is referenced by the INPUT rules further down, so it must be set.
INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
INET_IFACE="eth0"
# 1.2 Configuration of the local network interface.
LAN_IP="192.168.0.1"
LAN_IFACE="eth1"
# 1.3 Configuration of the DMZ interface.
DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"
# 1.4 Configuration of localhost.
LO_IFACE="lo"
LO_IP="127.0.0.1"
# 1.5 Location of the iptables program.
IPTABLES="/usr/sbin/iptables"


4.2.2. Loading the necessary modules into the kernel.

# 2. Load the necessary modules into the kernel.
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

4.2.3. Setting the necessary configuration in the proc file system.

# 3. Set the necessary configuration in the proc file system.
echo "1" > /proc/sys/net/ipv4/ip_forward

4.2.4. Setting up the rules.

# 4. Set up the rules.
# 4.1 Filter table
# 4.1.1 Set the default policy of the built-in chains.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# 4.1.2 Create the user-defined chains
# Create the bad_tcp_packets chain.
$IPTABLES -N bad_tcp_packets
# Create the allowed and icmp_packets chains.
$IPTABLES -N allowed
$IPTABLES -N icmp_packets


# 4.1.3 Fill in the user-defined chains
# bad_tcp_packets chain.
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
    -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# allowed chain.
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
# icmp_packets chain
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# 4.1.4 INPUT chain
# Bad TCP packets we do not want
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
# Packets from the Internet to the firewall.
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
# Packets from the LAN, the DMZ or LOCALHOST
# From the DMZ interface to the firewall's DMZ IP


$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT
# From the LAN interface to the firewall's LAN IP
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
# From the localhost interface to the firewall's own IPs
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
# The rules