7/31/2019 Do an Tot Nghiep Thuy 927
Graduation Thesis
Understanding LAN security
INTRODUCTION

The need to exchange information forces agencies and organisations to join the global Internet. Information security is one of the foremost concerns when the internal network of an agency, enterprise or organisation is connected to the Internet. Today, security measures for personal computers and for internal networks have been researched and deployed. Nevertheless, networks are still attacked regularly and organisations still have information stolen, with extremely serious consequences.

These attacks target every computer present on the Internet: the computers of large companies such as AT&T and IBM, universities, government agencies, military organisations, banks, and so on. Some attacks have been enormous in scale (up to 100,000 computers attacked). Moreover, these figures are only the tip of the iceberg. A very large share of attacks are never reported, for many reasons, among them fear of losing reputation, or simply that the administrators never knew their systems had been attacked.

Not only is the number of attacks rising rapidly, the attack methods are also being refined continuously, partly because system administrators are becoming ever more vigilant. Connecting an organisation's internal network to the Internet without security measures is therefore regarded as suicidal.

Growth requires agencies and organisations to join the global Internet, yet they must still guarantee information security while connected. For that reason I chose the topic: researching solutions for protecting an internal network, in order to control the flow of information in and out and to protect internal networks from attacks from the Internet. This thesis gives an overview of networking and firewall concepts, how a firewall protects a network and how a firewall is built. It then uses iptables on the Linux operating system to set up a firewall that protects internal networks.

The thesis is organised into four chapters:

Chapter 1: Security in computer networks.
An overview of security in computer networks, the threats, and system and network security issues.

Chapter 2: Overview of firewalls.
The concept of a firewall, its functions, the classification of firewalls and firewall architectures. The policies used to build a firewall, and from those policies how firewalls that protect a network are built.

Chapter 3: iptables on the Linux operating system.
An introduction to iptables and the commonly used command-line parameters.

Chapter 4: Setting up a firewall to protect an internal network with iptables on Linux.
Based on the study of iptables in Chapter 3, setting up a firewall that protects internal networks with iptables on Linux.
Chapter 1:
SECURITY OF COMPUTER NETWORKS

1.1. Overview of computer network security

1.1.1. Where do security threats come from?

In society, good and evil always exist side by side as two inseparable faces that constantly negate each other. For all the people who strive for what is true and good, there are no fewer who, for one purpose or another, let evil arise and overwhelm the good. This tug-of-war between good and evil is a perpetual problem for society: evil must be eliminated, yet it keeps arising over time. Computer networks are the same. Some people spend enormous effort devising measures to protect the security of their organisation, while others look for every way to break through that protection, with many different intentions.

The aim of honest people is clear: to create the means of protecting their organisation's security. The intentions of bad actors, by contrast, come in many forms and degrees. Some want to break through the security shell to prove their ability and satisfy a selfish urge; this kind typically harms others by destroying resources on the network, violating their privacy or defaming them. More dangerous are those who want to seize other people's assets for free, by stealing companies' confidential information, breaking into banks to transfer money illicitly, and so on. In practice, almost every organisation and company on the global network keeps a large amount of information connected online. Within it are secrets: trade secrets, product development plans, marketing strategies, financial analyses, as well as personnel records and private information. This information is extremely important, and its disclosure to competitors leads to very serious consequences. However, bad actors cannot achieve their aims whenever they wish. They need time, and they need loopholes and weaknesses in the very systems that protect network security; to exploit them they also need intelligence and a long chain of experience. Building the security measures, in turn, requires no less intelligence and practical experience from the builder. Both the positive and the negative side are thus carried out by human hands and minds, and no machine can replace them. The problem of computer network security is therefore entirely a human one.

At first, acts of sabotage were merely games played by clever people, with no greedy or malicious aim. But as computer networks became widespread, connecting many organisations, companies and individuals holding much secret information, these acts of sabotage grew without pause. They caused serious harm and became a kind of crime. According to statistics from CERT (Computer Emergency Response Team), the number of Internet attacks reported to that organisation was fewer than 200 in 1989, about 400 in 1991, 1400 in 1993 and 2241 in 1994. These attacks targeted every computer present on the Internet, from the computers of large companies such as AT&T and IBM to universities, government agencies, banks and so on. In reality these figures are only the tip of the iceberg. A large share of attacks go unreported for various reasons, such as fear of losing reputation or simply not knowing that an attack took place.

In fact, security threats do not come only from outside the organisation; the problem inside the organisation is just as serious. Threats from inside the organisation exceed those from outside, and the main cause is employees with access rights to the system. Because they have access, they can find the system's weak points, or may unintentionally destroy something or create an opportunity for others to break in. More dangerous still, once such a person is disgruntled or turns traitor, the consequences are unpredictable.

In short, computer network security is entirely a human problem, it is growing constantly, and the threat may come from outside or from inside the organisation. It has become a major worry for any party that joins the global network. To keep the exchange of information safe and the network secure, organisations are compelled to deploy protective measures, first of all for themselves.
1.1.2. Basic security solutions

As shown above, the security of a computer network can be threatened from many angles and for many different reasons: threats may originate outside the internal network or from inside the organisation itself. Securing a computer network therefore needs many different concrete solutions. In the most general terms, however, there are three basic kinds:

- Hardware solutions.
- Software solutions.
- People (policy) solutions.

These are the three most general solutions that any security administrator must consider when securing a computer network. Each has its own strengths and weaknesses, which the security administrator must analyse, combine and choose between to obtain the best possible security for the organisation.

A hardware solution uses physical devices such as dedicated machines, or arrangements in the network design (a dedicated transmission channel, a private network, and so on). A hardware solution normally comes with a corresponding controlling software system. It is not a widespread solution, because it is inflexible in keeping up with the progress of newly emerging services and because its cost is very high.

Unlike hardware solutions, software solutions are extremely varied, and may or may not depend on hardware. Examples are authentication methods, encryption methods, virtual private networks and firewall systems. Authentication and encryption protect information travelling over the network in the strongest way: by the way they work, the real information is encrypted on the wire into a form eavesdroppers cannot read, and if the information is altered in transit the receiver has a way to detect the alteration. A firewall system provides security from a different angle. By setting rules at a special point (usually called the choke point) between the internal network (the network to be protected) and the external network (the network regarded as insecure, that is, the Internet), the firewall can fully control the connections that exchange information between the two networks, and in this way it provides quite good security for the protected network. Since a software solution consists almost entirely of computer programs, its cost is lower than that of a hardware solution.

Besides these two, the people-and-policy solution is fundamental and indispensable. As seen above, computer network security is entirely a human problem, so a legal framework and concrete working rules are necessary. The legal framework may consist of provisions in national law, sub-law documents and the like, while the concrete rules are set by each organisation to fit its own characteristics: rules on personnel, on the use of machines, on the use of software, and so on. Security for the network is most effective once the people-and-policy solution is applied thoroughly.

In summary, computer network security is a large problem that demands an overall solution: not only software and hardware but also policy and people. The work must be carried out continuously and can never be finished, because new problems keep arising over time. Nevertheless, with a sensible overall solution, and above all by solving the policy and people problem well, one can obtain much more reliable security.
1.2. System and network security issues

1.2.1. General issues of system and network security

A network is characteristically shared by many users and geographically distributed, so protecting its resources (against loss or improper use) is far more complex than in the environment of a single computer or a single user.

The network administrator must ensure that the information on the network is trustworthy and used for its intended purpose and by the intended people, while keeping the network running stably and free of attacks by saboteurs.

In practice, however, no network can be guaranteed absolutely safe: however solidly a system is protected, at some point it can be defeated by someone with bad intent.

The subject of my thesis is the methods of securing a LAN. In the theoretical part of the thesis I present the following concepts:
1.2.2. Some concepts from the history of system security

a. Network attackers (intruders)

Intruders are individuals or organisations who use networking knowledge and destructive tools (hardware or software) to probe for weak points and security holes in a system, then carry out intrusions and seize resources illegally. Some kinds of network attacker:

- Hacker: someone who breaks into a network illegally using password-cracking tools or by exploiting weaknesses in the system's access components.
- Masquerader: someone who forges information on the network, such as spoofing IP addresses, domain names or user identities.
- Eavesdropper: someone who listens in on network traffic with sniffer tools and then uses analysis and debugging tools to extract valuable information.

Network attackers may have many different aims: stealing economically valuable information, deliberately sabotaging the network, or acting thoughtlessly.

b. Security holes

Security holes are weak points in a system, or hidden in a service, that an attacker can use to break into the system illegally and carry out destructive actions or seize resources unlawfully. They have many causes: faults in the system itself, in the software supplied, or a weak administrator who does not understand the services being provided in depth. Their impact on the system varies: some holes affect only the quality of the service provided, others affect the whole system or destroy it.

c. Security policy

A security policy is the set of rules applied to those who take part in administering the network and who use network resources and services. Each situation needs its own security policy. The policy lets users know their responsibility for protecting the resources on the network, and it helps the administrator establish effective measures while equipping, configuring and monitoring the operation of the system and the network.

1.2.3. Types of security hole and the main methods of network attack

a. Types of security hole

Many organisations have classified the known kinds of security hole. The US Department of Defense divides them into three classes:

Class C holes allow attacks of the DoS (Denial of Service) type. Their danger is low: they affect only the quality of service, halting or interrupting the system, without damaging data or granting unauthorised access. DoS is a form of attack that uses the Internet-layer protocols of the TCP/IP suite to stall the system, so that legitimate users are denied access to it. Services with holes that allow DoS attacks can be upgraded or repaired with newer versions from the service vendors. At present there is no fully effective remedy for this kind of attack, because the design of the Internet layer (IP) in particular, and of the TCP/IP suite in general, itself carries the latent risk of such holes.

Class B holes allow a user to gain additional rights on the system without a validity check, leading to the loss of information that should be kept confidential. These holes are usually found in applications on the system and are of medium danger. A class B hole is more dangerous than a class C one: it allows an internal user to gain higher privileges or unauthorised access. Holes of this class usually appear in services on the system. A local user is understood to be one who already has access to the system with certain limited rights.
Another form of class B hole occurs in programs written in C. C programs commonly use a buffer, an area of memory that holds data before it is processed, and the programmer usually uses the buffer after assigning a fixed amount of memory to each block of data. For example, a program that reads a user's name may limit the field to 20 characters with the declaration:

char first_name[20];

This declaration allows the user to enter at most 20 characters. The data entered is first stored in the buffer. If the user enters more than 20 characters the buffer overflows, and the surplus characters land outside the buffer where we can no longer control them. An attacker can exploit such a hole by entering special characters that make the system execute particular commands. These holes are usually exploited by users already on the system to obtain root privileges illegitimately. To limit class B holes, the system configuration and the programs must be controlled strictly.
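As an added illustration (not code from the thesis), the C program below takes the 20-character name field from the paragraph above and fills it first with an unbounded copy, then with a bounded copy that also reports whether the input fitted, so the caller can reject an oversized name instead of silently truncating it. One caveat the thesis glosses over: `char first_name[20]` holds 19 characters plus the terminating NUL, so a 20-character name already writes one byte past the end. The function names, `NAME_LEN` and the sample names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_LEN 20  /* the same 20-byte field as the thesis example */

/* Vulnerable pattern: the field is filled without a bound.  strcpy copies until
   the source's NUL, so any input of 20 or more characters writes past the end of
   first_name (undefined behaviour; on a real stack it overwrites neighbouring
   data).  Kept only for contrast with the hardened version below. */
void read_name_unsafe(char first_name[NAME_LEN], const char *input) {
    strcpy(first_name, input);
}

/* Hardened version: copy at most NAME_LEN-1 characters, always NUL-terminate,
   and return false when the input did not fit so the caller can reject it. */
bool read_name_safe(char first_name[NAME_LEN], const char *input) {
    size_t n = strlen(input);
    bool fits = n < NAME_LEN;           /* room for the characters and the NUL */
    size_t copy = fits ? n : NAME_LEN - 1;
    memcpy(first_name, input, copy);
    first_name[copy] = '\0';
    return fits;
}

/* Interactive input: fgets never writes more than NAME_LEN bytes.  If the line
   had no room for its newline the input was too long; drain the rest of the line
   so it cannot be mistaken for the next field, and report the overflow. */
bool read_name_from(FILE *in, char first_name[NAME_LEN]) {
    if (!fgets(first_name, NAME_LEN, in)) return false;
    char *nl = strchr(first_name, '\n');
    if (nl) { *nl = '\0'; return true; }
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n') {}
    return false;
}

int main(void) {
    char first_name[NAME_LEN];
    /* Constructed inputs: one that fits and one of 40 characters, twice the field. */
    const char *ok = "Nguyen Van A";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("fits=%d -> \"%s\"\n", read_name_safe(first_name, ok), first_name);
    printf("fits=%d -> \"%s\" (kept %zu chars)\n",
           read_name_safe(first_name, too_long), first_name, strlen(first_name));
    return 0;
}
```

The same bound-and-report pattern applies to any fixed-size field: decide the policy (reject, or truncate and warn) at the call site rather than letting the copy routine decide it silently.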
Class A holes allow someone outside the system to gain unauthorised access to it, possibly destroying the whole system. They are extremely dangerous, threatening the integrity and confidentiality of the system, and usually appear on systems that are poorly administered or whose network configuration is not under control. For example, web servers running on the Novell operating system had a script, convert.bas, which when run allowed the entire contents of any file on the system to be read.

Holes of this class are extremely dangerous because they already exist in the software in use; an administrator who does not understand the service and software in depth may overlook the weakness. Security newsgroups on the network must therefore be checked regularly to discover holes of this kind. A range of older versions of commonly used programs have class A holes, for example FTP, Gopher, Telnet, Sendmail, ARP, finger and others.
b. Common forms of network attack

Scanner

A scanner is a program that automatically probes for and detects security weaknesses on a local workstation or a remote one. Using a scanner, a saboteur can find security holes on a server even from a distance. It works by probing for the TCP/UDP ports in use on the target system and the services behind them; the scanner records the remote system's responses for each service it discovers, and from these it can find the system's weak points. A scanner needs the following to operate: an environment that supports TCP/IP, and a system connected to the Internet. Scanners play an important role in a security system, because they can reveal the weak points of a network.
Password cracker

A password cracker is a program that can recover a password from its encrypted form, or disable a system's password protection. Different cracking programs work on different principles. Some generate a limited word list, apply an encryption algorithm to each word and compare the result with the encrypted password to be cracked, generating a further list according to the program's logic. When a match with the encrypted password is found, the saboteur has the password in plain text, which is usually written to a file. The countermeasure for this kind of attack is a sound password-protection policy.
Sniffer

A sniffer is a tool (hardware or software) that captures the information travelling on the network and extracts the valuable information being exchanged. It can capture the traffic exchanged between many workstations, capturing packets from the IP layer downwards; since the IP-layer protocol is publicly defined and the header fields are clearly structured, decoding these packets is not difficult.

Sniffer programs work by putting the Ethernet network card, where the network's packets are exchanged, into promiscuous mode, and thus "catching" the information. Sniffer devices can capture all the traffic on the network because packets on an Ethernet network are broadcast.

Setting up a sniffer is not simple, however: it requires breaking into the network and installing the sniffer software, and sniffer programs also require their user to understand network architecture and protocols in depth.

Detecting that a system is being sniffed is not simple either, because a sniffer works at a very low layer and does not affect the applications or services the system provides. Nevertheless, measures to limit sniffing are not too hard to build if the security principles are followed:

- Do not let strangers access the devices on the system.
- Manage the system configuration strictly.
- Establish highly secure connections by means of encryption.
Trojans

A Trojan is a program that runs illegitimately on a system in the guise of a legitimate program. It can run because a legitimate program's code has been altered into illegitimate code. Viruses, for example, are a typical kind of Trojan: a virus hides its code inside legitimately used programs, and when those programs are activated the hidden code executes and performs functions the user does not know about, such as stealing passwords or copying files without the user's knowledge.

A Trojan program does one of the following:

- Performs some functions, or helps its author discover important or personal information on a system or on some of its components.
- Hides some functions, or helps its author discover important or personal information on a system or on some of its components.

Some Trojans can do both. Some can even destroy a system by wrecking the information on the hard disk, but today such Trojans are easily detected and rarely effective.

There are more serious cases, however, in which attackers create security holes through Trojans, obtain root privileges on the system, and use them to destroy part or all of the system, or to alter log files and install further Trojans that the administrator cannot detect. The impact is very serious, and the administrator's only remedy is to reinstall the whole system.
1.3. Securing a LAN

When discussing LAN security, the main concerns are the security of the data exchanged inside the internal network, of the data exchanged from inside the network to the outside and from the outside in, and the control of unauthorised access from outside as well as of disallowed access from inside the network to the outside. With the strong growth of the Internet and the connection of internal networks to it, keeping the network safe and secure becomes both harder and more necessary.

There are many methods of securing a LAN today; some popular and reliable ones are:

1.3.1. Virtual Private Network (VPN)

A Virtual Private Network (VPN) extends a company's or organisation's private network over public or shared network connections such as the Internet. A VPN gives the customer all the features of a leased line at a lower price, because it uses the public network infrastructure. A VPN uses a tunnelling protocol to carry private traffic, and security measures such as encryption and authentication to protect the data in transit.
1.3.2. Firewall

The term firewall comes from a construction technique used to contain and limit fires. In networking, a firewall is a technique integrated into a network to block unauthorised access, protecting internal information resources and limiting the entry of unwanted traffic into the system. A firewall can also be understood as a mechanism that protects a trusted network from untrusted networks.

A firewall sits between the network of an organisation, a company or a country (the intranet) and the Internet, and it protects the intranet's information from the outside Internet world.

From my study I find that the firewall is the most effective and most widespread method today, because it has many advantages and provides good security features for network protection. Within the scope of this report I present the method of securing a LAN with a firewall.
Chapter 2: OVERVIEW OF FIREWALLS

For protecting an internal network, the firewall is one of the most effective and widespread solutions today. It protects internal networks from unauthorised access from outside by controlling the traffic that passes in and out between internal networks. This chapter gives an overview of firewalls: the concept, the functions of a firewall, the classification of firewalls, the advantages and disadvantages of each kind, the strategies for building a firewall, and an introduction to packet filtering.

2.1. Introduction to firewalls

2.1.1. The firewall concept

A firewall is a device that blocks illegitimate access from the external network into the internal one. A firewall system usually consists of both hardware and software, and it is normally operated by blocking traffic or by defining rules for particular addresses.

2.1.2. Basic functions of a firewall

The main function of a firewall is to control the flow of information between the protected (trusted) network and the Internet according to the access policy that has been established:

- Allow or deny services accessed from inside to outside and from outside to inside.
- Control which addresses may be accessed and which services may be used.
- Control users' access between the two networks.
- Control the content of the information carried between the two networks.
- Prevent attacks from external networks.

Building a firewall is quite an effective measure: it protects and controls most services, and is therefore the most widely applied of the network protection measures.
2.1.3. Classification of firewalls

There are many kinds of firewall, each with its own advantages and disadvantages, but firewalls are usually divided into two main kinds:

- Hardware firewalls.
- Software firewalls.

a. Hardware firewalls

A hardware firewall is a hardware device with an integrated router, on which the packet-filtering rules are set. It is like a computer that performs a single function, filtering packets, by running software burned into it: only the rule sets can be changed, not the hard-wired router integrated inside. Depending on the vendor and model, the administrator can update the packet-filtering rules in different ways.

In operation, the firewall checks each packet's header information (source IP address, destination IP address, port, and so on) against the rules set in the router. If all the header information is valid the packet is passed; if not, it is discarded. Because no time is spent processing packets with invalid addresses, a hardware firewall is very fast, and this is its greatest advantage.

One notable point is that, as of now, no hardware firewall in the world can filter the content of a packet; they can only filter the information in the packet header.

The model below shows a hardware firewall used to secure a network. (The hardware firewall device in this model has a single function, filtering packets, and cannot perform any other task.)

Figure 1: Model using a hardware firewall.

In this model, traffic from the Internet cannot enter the protected network directly, nor vice versa; it must pass through the hardware firewall. Inspection takes place, and if the header information of the packet (source IP address, destination IP address, port, and so on) is accepted, the packet is forwarded into the internal network or out to the Internet.

Well-known makers of hardware firewalls include CISCO, D-LINK and PLANET, among others.
b. Software firewalls

This kind of firewall is an application program whose operation is based on a proxy application: software that forwards the packets the server receives to particular destinations as requested, with packet-filtering rules set by the user. It is typically used where a network has a server through which all traffic passes before reaching the client machines, or on a personal computer that joins a network. Its convenience lies in the ease with which the software can be changed and updated to new versions.

The way this kind of firewall works is also simple. The firewall software runs resident on the server or personal computer, which may carry out many tasks besides being the firewall. Whenever packets arrive or depart, the firewall software inspects the packet header, which includes the destination address, source address, protocol and service port. Newer software firewalls can also inspect the content of the packet. The information the firewall checks is specified in advance by the user in the rule set. If the firewall software passes a packet, it is then delivered to the client machines on the network or to the applications running directly on that machine.

The model below shows a common use of a software firewall. (The computer acting as the firewall can carry out many other tasks besides being a firewall, for example DNS server, mail server, web server, and so on.)

Figure 2: Model using a software firewall.

In this model the computer running the firewall application acts as an intermediary. It receives packets from the Internet and from the protected network, then inspects their headers (destination address, source address, protocol, service port, and so on). If the firewall software accepts the packet, it continues on to its destination; otherwise the firewall software decides to discard it. There are several ways to discard: dropping the packet without telling the sender why (DROP), or discarding it but replying to the sender with the reason (REJECT), among others. This discarding work is what limits the speed of this kind of firewall.

Some widely used software firewalls that are rated highly for packet filtering are ZoneAlarm Pro, SmoothWall, McAfee Personal Firewall Plus and Sygate Personal Firewall, among others.
c. Advantages and disadvantages of firewalls

Each kind of firewall has its own advantages and disadvantages and is used in different situations. Hardware firewalls are usually used to secure large networks, because without a hardware firewall a software firewall system is needed, that is, a server machine that receives every packet, inspects it and forwards it to the machines on the network. Since a software firewall is slower than a hardware one, this greatly affects the speed of the whole network.

Software firewalls, on the other hand, are usually used to secure personal computers or a small network. Using a software firewall reduces cost, since a hardware firewall device costs many times more than a software firewall system. Moreover, when a software firewall secures a personal computer or a small network, its effect on the speed of packet transfer in the network is negligible.

Another weakness of software firewalls is that each one runs only on a particular operating system. For example, ZoneAlarm Pro is a software firewall that runs only on Windows, while SmoothWall runs only on Linux. A hardware firewall, by contrast, runs completely independently, without depending on an operating system as a software firewall does.

Software firewalls can now filter packet content, whereas hardware firewalls can only filter the information in the packet header and cannot control the main content of the packet. For this reason a hardware firewall cannot help block system viruses, while a software firewall can.
2.1.4. Some other firewall systems

a. Packet-Filtering Router

The most common Internet firewall system consists of just a packet-filtering router placed between the internal network and the Internet. A packet-filtering router has two functions: forwarding traffic between the two networks, and applying packet-filtering rules to allow or deny that traffic. Basically, the filtering rules are defined so that hosts on the internal network may access the Internet directly, while hosts on the Internet have only limited access to the machines on the internal network. The guiding idea of this firewall architecture is that anything not explicitly allowed is denied.

Figure 3: Packet-Filtering Router (diagram: The Internet, outside, packet-filtering router, internal network).

Advantages

- Low cost (because the configuration is simple).
- Transparent to users.

Limitations

- It has all the limitations of a packet-filtering router: it is vulnerable to attacks on filters whose configuration is imperfect, and to covert attacks carried inside the permitted services.
- Because packets are exchanged directly between the two networks through the router, the risk of attack is determined by the number of hosts and services permitted. Consequently every host permitted to access the Internet directly must be provided with a sophisticated authentication system and must be checked regularly by the network administrator for signs of attack.
- If the packet-filtering router stops working because of some failure, every system on the internal network may be attacked.
b. Screened Host Firewall

This system consists of a packet-filtering router and a bastion host. A screened host firewall provides higher security than a packet-filtering router because it applies security at both the network level (packet filtering) and the application level, and an attacker must break through both layers to attack the internal network.

Figure 4: Screened Host Firewall (diagram: The Internet, outside, packet-filtering router, inside, information server, bastion host, internal network).

In this system the bastion host is placed on the internal network. The filtering rules on the packet-filtering router are defined so that all outside systems can reach only the bastion host; traffic to every other internal system is blocked. Because the internal systems and the bastion host are on the same network, the organisation's security policy decides whether the internal systems may access the Internet directly or must use the proxy services on the bastion host. Internal users are forced to use the proxy by configuring the router's filter to accept only outbound internal traffic that originates from the bastion host.

Advantages

- A server providing public information through the Web and FTP services can be placed between the packet-filtering router and the bastion host. Where the highest security is required, the bastion host can run proxy services that require all users, inside and outside, to pass through the bastion host before connecting to the server; where high security is not required, the internal machines may connect to the server directly.
- If still higher security is needed, a dual-homed bastion host firewall can be used. Such a bastion host has two network interfaces, and direct communication between the two interfaces other than through the proxy services is forbidden.

Figure 5: Dual-homed bastion host firewall (diagram: The Internet, outside, packet-filtering router, information server, bastion host, inside, internal network).

Limitations

- Because the bastion host is the only internal system reachable from the Internet, attacks are limited to the bastion host. However, if a user can log on to the bastion host, they can easily reach the entire internal network. Users must therefore be forbidden to log on to the bastion host.
c. Demilitarized Zone (DMZ - khu vc phi qun s) hay Screened-subnet
Firewall
H thng ny bao gm hai packet-filtering router v mt bastion host. H
thng firewall ny c an ton cao nht v n cung cp c mc bo mt network
v application trong khi nh ngha mt mng phi qun s. Mng DMZ ng vai
tr nh mt mng nh, c lp t gia Internet v mng ni b. Cbn, mt DMZ
c cu hnh sao cho cc h thng trn Internet v mng ni b ch c th truy
nhp c mt s gii hn cc h thng trn mng DMZ, v s truyn trc tip
qua mng DMZ l khng thc.
Vi nhng thng tin n, router ngoi chng li nhng s tn cng chun
(nh gi mo a ch IP), v iu khin truy nhp ti DMZ. N cho php h thng
The internet
Bnngoi
Packet filtering
router
Information server
Bastion host
Bn trong
Mng ni b
7/31/2019 Do an Tot Nghiep Thuy 927
23/62
Tm hiu vn bo mt mng LAN
Trang - 22 -
bn ngoi truy nhp ch bastion host, v c th c information server. Router trong
cung cp s bo v th hai bng cch iu khin DMZ truy nhp mng ni b ch
vi nhng truyn thng bt u t bastion host.
Vi nhng thng tin i, router trong iu khin mng ni b truy nhp tiDMZ. N ch cho php cc h thng bn trong truy nhp bastion host v c th c
information server. Quy lut filtering trn router ngoi yu cu s dung dich v
proxy bng cch ch cho php thng tin ra bt ngun t bastion host.
Hnh 6: Screened-subnet Firewall
u im
K tn cng cn ph vba tng bo v: router ngoi, bastion host v routertrong.
Bi v router ngoi ch qung co DMZ network ti Internet, h thngmng ni b l khng th nhn thy (invisible). Ch c mt s h thng c
chn ra trn DMZ l c bit n bi Internet qua routing table v DNS
information exchange ( Domain Name Server ).
Because the inner router advertises only the DMZ network to the internal network, systems on the internal network cannot reach the Internet directly. This guarantees that internal users must go through the proxy services to reach the Internet.
2.2. Strategies for building a firewall
When studying firewalls in detail, we need to understand a number of basic strategies used to build them.
2.2.1. Least Privilege
The most basic principle of security (not only of network security) is to grant the least privilege. Essentially, this principle means that any entity (user, administrator, program, system, ...) should have only the specific privileges it needs to perform its tasks, and no more. Least privilege is an important principle for preventing outsiders from exploiting the system to break in, and for limiting the damage an intrusion can cause.
2.2.2. Defense in Depth
Another principle of security is defence in depth. For any system, one should not install and rely on a single security mechanism, however strong it may be, but should deploy several mechanisms that back each other up. A firewall is therefore built with several layers of protection.
2.2.3. Choke Point
A choke point forces intruders to pass through a narrow gateway that we can monitor and control, just as anyone who wants to enter a theatre must pass through the ticket gate.
In a network security scheme the firewall sits between our system and the Internet, so it is a choke point. Anyone intending to break into the system from the Internet must pass through this gateway, where we can watch and manage them.
2.2.4. Weakest Link
When trying to break into a system, a clever intruder usually looks for the weakest points and attacks there. For every system we therefore need to know its weakest point in order to plan its protection. We usually pay more attention to intruders coming over the network than to people with physical access to the system, so physical security is considered the weakest link in every system.
2.2.5. Fail-Safe Stance
Another fundamental principle of security is failing safe: if the system fails, it must fail in a way that blocks unauthorised access rather than letting an intruder slip in and damage it. Naturally, failing safe also cuts off legitimate users' access until the system is restored.
Based on this principle, two basic stances are applied to security rules:
First, the default deny stance: focus on what is permitted and block everything else. Anything that is unclear may be blocked.
Second, the default permit stance: focus on what is forbidden and allow everything else; whatever is not forbidden is permitted.
Most users and managers who adopt the default permit stance take the view that everything is allowed by default and that only a few problematic or unclear services and actions are forbidden. For example:
NFS is not allowed through the firewall.
WWW access is restricted to specialists trained in the security issues of the WWW.
Users may not install unauthorised servers.
So which stance is better? From a security point of view the default deny stance should be used; from the managers' point of view it is the default permit stance.
2.2.6. Universal participation
To achieve a high level of security, every system on the network must take part in the security solution. If a single system with a weak security mechanism exists, an unauthorised user can break into that system and then reach the other systems from the inside.
2.2.7. Diversity of defence
Because many different systems are in use, we must have several protective measures to maintain the defence-in-depth strategy. If all our systems were identical and someone learnt how to break into one of them, they could break into all the rest. Using a variety of systems limits the faults that can arise and is safer. In exchange, we face problems of cost and complexity: buying and installing many different systems is harder and takes more time than using systems of a single type, and it also requires more support and more time from the vendors to train the staff who operate and administer the systems.
2.2.8. Simplicity
Everything that is simple is easy to understand. If we do not understand something clearly, we cannot know whether it is secure.
2.3. How to build a firewall
Building a firewall requires that every step be planned in advance and closely coordinated with the others. To solve the biggest problem, building a firewall that actually works effectively, we must build it step by step on solid ground and minimise the regrettable mistakes that can occur during construction.
2.3.1. Building the rule base
For a firewall to be successful it must work according to a defined set of basic rules (the rule base). When an IP packet passes through the firewall, the firewall relies on these rules to analyse and filter it. We must therefore write rules that are simple, short and easy to understand, to speed up packet processing in the firewall and avoid congestion, and also to make changing and maintaining the system much easier. As a rule of thumb, use no more than 30 basic rules and never more than 50, because too many rules slow down filtering and easily lead to errors, since rules can overlap one another.
2.3.2. Building the security policy
A firewall must have a security policy; in fact the firewall is merely a tool that enforces that policy. Managing and building the security policy rigorously is what gives the firewall its strength. So before we build the rule base we must understand what the security policy of the firewall to be built is.
At the same time, the security policies must be built to be relatively simple and easy to understand, not so complex that they overlap, cause confusion and become hard to check and maintain. Some very simple security policies might be:
Hosts on the internal network may access the Internet without restriction.
Access from the Internet to the internal network's Web and Mail servers is allowed.
All traffic entering the internal network must be authenticated and encrypted.
From policies as simple as these we can develop much more effective and elaborate operating policies, for example limiting the internal network to a few basic services such as Mail and HTTP, and completely forbidding the FTP file transfer service, and so on.
2.3.3. Building the security architecture
The steps to take when building a security architecture:
First, allow all hosts on the internal network to access the Internet.
Next, install the components that need no protection (for example the Web Server and Mail Server) in a zone technically known as the demilitarized zone (DMZ). The DMZ is a separate network where we place the systems we do not fully trust (because anyone on the Internet can reach the DMZ, these systems cannot be trusted). Systems in the DMZ are therefore never connected directly to the internal network until they have been trusted. There are two kinds of DMZ: a protected DMZ and an unprotected DMZ. A protected DMZ is a separate segment branching off the firewall. An unprotected DMZ is the network segment between the router and the firewall. We should use the protected kind, as that is where we normally place the Web Server and Mail Server.
The only path into the internal network must pass through the control of the network administrator (remote access can also be allowed).
The other element to mention is DNS (Domain Name Server). We have to split the DNS into several parts, which means splitting the DNS functions across two different DNS servers. We do this so that one DNS server resolves the company's domain information for the outside network, while an internal DNS server handles the internal network. The external DNS server sits in the protected DMZ together with the Web and Mail servers. The internal DNS server sits on the internal network, which keeps domain information about the internal network from being revealed. Because a DNS server contains information about the layout of the internal network, it must be placed under protection to avoid leaking the network map.
2.3.4. Order of rules in the table (Sequence of Rules Base)
Before we build the rule base, what we must pay attention to is the order (or rank) of the rules, because there is one special rule that plays a key role in our firewall security policy. Many rules have a similar rank, but they still have to be placed in a definite order, and that order changes the basic way the firewall works. Most firewalls examine packets sequentially and continuously. When the firewall receives a packet, it checks whether the packet matches a rule in the rule base by testing the first rule, then the second, and so on until some rule matches; at that point it stops checking and acts on that rule. If the packet has been compared against every rule in the table and none matches, the packet is rejected (filtered out). The key point is to find the first matching rule for a packet early, so that the packet passes through quickly. Once this is understood, we should place the special rules first and the general rules after them. This prevents a general rule from allowing a packet through while a special rule would have blocked it in a particular case, which would make the rules overlap. So always take care to place the special rules before the general ones. Following this principle avoids misconfiguration, helps the firewall work efficiently, and makes upgrades, maintenance and changes easier.
2.3.5. The basic rules (Rules Base)
Default properties: exclude all these cases and make sure that no packet whatsoever can get through, whatever kind of packet it is.
Internal Outbound (from the internal network to the outside): as a first step, allow traffic from inside to outside without any restriction, so that all basic services such as Web, Mail, FTP and so on are allowed.
Lockdown: restrict everything so that no intrusion into our firewall is possible. This is a standard rule that the rule base must contain. No intrusion into the firewall is allowed, but we still need firewall administrators (Firewall Admins).
Admin Access: nobody can connect to the firewall, including the admin, so we must also create a rule that allows the admin to reach the firewall.
Drop All: normally we drop every packet that matches no rule. But we should record these packets in a log, and we add this rule at the end of the rule list. This is a standard rule we should have.
No Logging: normally there are many packets sent to every address on the network (for example advertising traffic). When they reach the firewall they are dropped and then written to the log, but this quickly fills the log. We must therefore create a rule that drops such packets without writing them to the log. This is another basic rule that we sometimes need.
DNS Access: model and components of the firewall.
2.4. Packet filtering and how it works
When we speak of transferring data between networks through a firewall, it means that the firewall works in close cooperation with the TCP/IP protocol, and this protocol works by splitting up the data received from applications on the network. That is:
Data received from services running over the common network protocols (for example telnet, SMTP, DNS, SNMP, ...) is divided into data packets.
These packets are given addresses and information so that they can be received and reassembled into the original data. This is why firewalls are so closely concerned with packets and their addresses; below we look at what packet filtering is and how it works.
2.4.1. The packet filter (packet filtering)
The packet filter's job is to check the addressing information of a packet in order to decide whether it may pass through the firewall. The information a packet can be filtered on includes:
The address of origin, also called the source address (source IP Address).
The address of the recipient, also called the destination address (destination IP Address).
The port number of the origin (source port).
The port number of the recipient (destination port).
In this way the firewall can block connections from the outside network to internal servers or into the internal network from addresses that are not permitted.
Furthermore, controlling the ports lets the firewall permit only certain kinds of connection to fixed servers that provide specific services (Telnet, SMTP, mail) allowed on the internal network.
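The first-match evaluation, default-deny stance and rule ordering of sections 2.3.4 and 2.3.5, applied to the packet fields listed in section 2.4.1 and to the screened-subnet access policy of section 2.1, as an added example. This is not code from the thesis; it is a small Python simulation of a rule base, and every address in it is constructed: firewall 192.168.0.1, LAN 192.168.0.0/24, DMZ web server 192.168.1.2, admin workstation 192.168.0.10, outside hosts 203.0.113.5 and 198.51.100.9.

```python
"""Rule base with first-match evaluation and a default-deny stance.

Constructed example (not from the thesis).  All addresses are assumptions:
firewall 192.168.0.1, LAN 192.168.0.0/24, DMZ web server 192.168.1.2,
admin workstation 192.168.0.10.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address (the fields of 2.4.1)
    dst: str            # destination IP address
    proto: str          # "tcp" or "udp"
    dport: int          # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "ACCEPT" or "DROP"
    src: str = "0.0.0.0/0"        # source network, any by default
    dst: str = "0.0.0.0/0"        # destination network, any by default
    proto: Optional[str] = None   # None matches every protocol
    dport: Optional[int] = None   # None matches every destination port
    log: bool = True              # False gives the "No Logging" rule of 2.3.5

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


def evaluate(rules: List[Rule], p: Packet, log: List[str]) -> str:
    """Walk the rules top to bottom; the first match decides.  No match: DROP, logged (Drop All)."""
    desc = f"{p.src}->{p.dst}:{p.dport}/{p.proto}"
    for r in rules:
        if r.matches(p):
            if r.log:
                log.append(f"{r.name}: {r.action} {desc}")
            return r.action
    log.append(f"default: DROP {desc}")
    return "DROP"


FW = "192.168.0.1"

# Special rules first, general rules after them (2.3.4).
RULE_BASE = [
    Rule("admin_access", "ACCEPT", src="192.168.0.10/32", dst=FW + "/32", proto="tcp", dport=22),
    Rule("lockdown", "DROP", dst=FW + "/32"),                       # nobody else reaches the firewall
    Rule("no_logging", "DROP", proto="udp", dport=137, log=False),  # NetBIOS noise, dropped silently
    Rule("dmz_web", "ACCEPT", dst="192.168.1.2/32", proto="tcp", dport=80),  # outside reaches the DMZ only
    Rule("internal_outbound", "ACCEPT", src="192.168.0.0/24"),      # LAN may go anywhere
]

SAMPLE_PACKETS: Dict[str, Packet] = {   # constructed traffic
    "admin_ssh":  Packet("192.168.0.10", FW, "tcp", 22),
    "other_ssh":  Packet("192.168.0.77", FW, "tcp", 22),
    "web_to_dmz": Packet("203.0.113.5", "192.168.1.2", "tcp", 80),
    "web_to_lan": Packet("203.0.113.5", "192.168.0.5", "tcp", 80),
    "lan_out":    Packet("192.168.0.5", "198.51.100.9", "tcp", 443),
    "netbios":    Packet("203.0.113.5", "192.168.0.5", "udp", 137),
}


def run(rules: List[Rule]) -> Tuple[Dict[str, str], List[str]]:
    """Return the verdict for every sample packet and the log lines produced."""
    log: List[str] = []
    verdicts = {name: evaluate(rules, p, log) for name, p in SAMPLE_PACKETS.items()}
    return verdicts, log


def swapped_rules() -> List[Rule]:
    """Same rules with the general lockdown placed before the admin exception."""
    return [RULE_BASE[1], RULE_BASE[0]] + RULE_BASE[2:]


if __name__ == "__main__":
    verdicts, log = run(RULE_BASE)
    for name, verdict in verdicts.items():
        print(f"{name:12} {verdict}")
    print("\n".join(log))
    print("admin_ssh with lockdown first:", run(swapped_rules())[0]["admin_ssh"])
```

Running the block prints a verdict per constructed packet and then the log: the outside host reaches the DMZ web server but not the LAN, the NetBIOS packet is dropped without a log line, and swapping the lockdown rule ahead of the admin exception turns the admin's SSH into a DROP, which is exactly the overlap between a general rule and a special rule that section 2.3.4 warns about.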
2.4.2. Application Gateway
The Application Gateway is designed to strengthen control over the kinds of service and protocol allowed to reach the network. Its mechanism is based on what is called a proxy service.
A proxy service works as follows: an application that is referred to (or represented by) a proxy service running on the server systems is referred to the firewall's Application Gateway. Packet filtering combined with the representation provided by the Application Gateway gives the firewall a higher level of security when exchanging information with the outside network.
For example, a network with packet filtering blocks Telnet connections into the system except through one single port, the Telnet Application Gateway, which is allowed. A Telnet user who wants to connect to the system must perform the following steps:
Telnet to the Telnet Application Gateway and give the name of the internal server to be reached.
The gateway checks the source IP address of the user and allows or denies the request according to the system's security policy.
The user must pass the authentication check.
The proxy service relays traffic between the user and the server.
This mode of operation is important in designing system security. It can provide many capabilities, for example:
Hiding information: users can see directly only the gateways they are allowed to see.
Stronger access control through authentication services.
A significant reduction in the cost of developing authentication management systems, because these systems are designed to refer only to the Application Gateway.
Fewer control rules in the packet filter, which significantly increases the speed of the firewall.
2.4.3. Smart Session Filtering
The combination of packet filtering and application gateways described above provides a high level of security, but it also has some limitations. The main problem today is how to provide proxy services for the huge number of different applications being developed. This means that the danger of the firewall being deceived grows rapidly if the proxies cannot keep up.
When packets are monitored at the upper layers, filtering simple packets at the network layer takes a lot of effort, whereas monitoring the traffic exchanges at the session level takes less work. This approach also removes the need for a specific service for each kind of application.
A smart session filter works by combining the ability to record information about sessions with the use of that information to create rules for the filter. Recall that a network-level session is made up of packets flowing in two directions:
One controls the packets flowing from the originating host to the server it wants to reach.
One controls the packets returning from the server.
A smart filter recognises that the returning packets travel in the reverse direction, so the second rule is unnecessary. The way unsolicited packets originating from outside the firewall are handled therefore differs clearly from the way packets belonging to permitted (outbound) connections are handled, which makes illegitimate packets easy to identify.
2.4.4. Hybrid Firewall
In practice the firewalls in use combine several techniques to achieve maximum security. For example, the checks of the packet filter are repeated in the smart session filter at the application level, and the filter's monitoring is tightened further by the proxy services of the Application Gateway.
2.5. Conclusion
Firewall systems are set up to secure the network by inspecting the headers of packets. But to use a firewall to secure a network effectively, the system administrator needs a thorough understanding of destination IP addresses, source IP addresses, service ports and network protocols (TCP, UDP, SMTP, ...), and in particular needs tools that help configure the firewall effectively. In the next chapter I present the Iptables firewall tool, integrated into the open-source Linux operating system, for protecting the internal network.
Chapter 3:
IPTABLES IN THE LINUX OPERATING SYSTEM
Today there are many firewall packages for operating systems such as Windows NT, Linux and Solaris. On the open-source Linux operating system, the new version of the IPtables firewall is a genuinely powerful tool for securing the network. A network administrator can use it with many useful options. But because the software has so many parameters, using it requires deep knowledge of computer networks; someone with little networking knowledge who does not understand the program's parameters cannot use IPtables.
Within the scope of this thesis I study the Iptables firewall tool on Linux for controlling users on the internal network, who are allowed to send access requests over any protocol from inside to the outside, while blocking access requests over any protocol from outside. In addition, as we know, a Linux machine will have some services listening (LISTEN). These services are for your own use only, and you do not want anyone on the Internet to reach them. So we must build rules that specify: when packets enter (INPUT) the firewall, the firewall checks whether some INPUT rule permits them; if not, the firewall blocks them according to the default policy.
This increases security and gives the network administrator flexibility.
In this chapter I give an overview of the IPtables firewall tool and examine some basic rule sets in IPtables:
3.1. The IPtables firewall on Red Hat
The Linux kernel version 2.4.x was released with many new features that make Linux more reliable and support more devices. One of its new features is support for Netfilter/iptables directly in the kernel, which handles packets more efficiently than earlier tools such as ipfwadm in kernel 2.0 and ipchains in kernel 2.2, while still supporting the old command sets. Building a packet-filtering firewall with ipfwadm or ipchains has many limitations: it lacks the integration needed to extend functionality, and packet filtering for ordinary protocols and Network Address Translation (NAT) are performed entirely separately, with no way to combine them. Netfilter and iptables on kernel 2.4 solve these limitations well and add many other features that Ipfwadm and Ipchains lack.
3.1.1. Introduction to IPtables
There are many firewalls for Linux. Among them, Iptables and Ipchains are small, convenient firewalls that are configured and run from the console.
a. Netfilter/IPtables
Introduction: Iptables was written by the Netfilter organization to strengthen security on Linux systems.
Figure 7: The IPTables firewall in Linux.
Iptables is a very powerful packet-filtering firewall application built into the Linux 2.4.x and 2.6.x kernels. Netfilter/Iptables has two parts: Netfilter inside the Linux kernel and Iptables outside the kernel. IpTables is responsible for the interface between the user and Netfilter, pushing the user's rules into Netfilter for processing. Netfilter filters packets at the IP level. Netfilter works directly in the kernel, so it is fast and does not slow the system down. It was designed to replace Ipchains of Linux 2.2.x and ipfwadm of Linux 2.0.x, has more features than Ipchains, and is more sensibly built, with the following points:
What can Netfilter/Iptables do?
Build a firewall based on stateless and stateful packet filtering.
Use the NAT table and masquerading to share network access when there are not enough network addresses.
Use the NAT table to set up a transparent proxy.
Help the iproute2 tools create complex routing policies and QoS.
Modify (mangle) the TOS/DSCP/ECN bits of the IP header.
Track connections and check many packet states. It does this for UDP and ICMP as well as, best of all, TCP connections; for example, full stateful filtering of ICMP allows an echo reply only when a request was sent out, rather than blocking requests while accepting replies on the assumption that they always answer a ping. An unsolicited reply can be a sign of an attack or a backdoor.
Simple handling of packets in the chains (lists of rules) INPUT, OUTPUT and FORWARD. On hosts with several network interfaces, packets moving between interfaces traverse only the FORWARD chain rather than all three chains.
A clear distinction between packet filtering and NAT (Network Address Translation).
The ability to rate-limit connections and logging. You can limit connections and logging to avoid denial-of-service attacks.
The ability to filter on TCP flags and on physical addresses.
It is a stateful firewall, so it can follow a connection throughout its life, which makes it safer than a firewall with fewer states.
Iptables has 4 tables, each with a default policy and the rules in its built-in chains.
b. Ipchains
One of the programs Linux uses to configure the kernel's NAT table is Ipchains. The Ipchains program contains two main scripts that simplify the administration of Ipchains.
Ipchains is used to install, maintain and inspect the IP firewall rules in the Linux kernel. These rules are divided into different rule chains:
The IP input chain (rules applied to packets arriving at the firewall).
The IP output chain (rules applied to packets generated locally on the firewall and leaving it).
The IP forwarding chain (applied to packets forwarded through the firewall to another host or network). And the user-defined chains.
Ipchains uses the concept of a rule chain to process packets. A chain is a list of rules for processing packets of the same kind: incoming, forwarded or outgoing packets. The rules specify which action is applied to the packet. The rules stored in the NAT table are pairs of IP addresses rather than individual IP addresses.
A firewall rule specifies packet criteria and a target. If the packet does not match, the next rule is examined; if it matches, the rule specifies the target, which can be a user-defined chain or one of the following values: ACCEPT, DENY, REJECT, MASQ, REDIRECT or RETURN.
ACCEPT: let the packet through.
DENY: discard the packet without notifying the client.
REJECT: like DENY, but the client is told that the packet was discarded.
MASQ: valid only in the forward chain and in user-defined chains, and used when the kernel is compiled with CONFIG_IP_MASQUERADE. The packet is masqueraded as if it originated from the local machine; moreover, reply packets are recognised and automatically demasqueraded, bypassing the forwarding chain.
REDIRECT: valid only in the input chain and in user-defined chains, and used only when the Linux kernel is compiled with CONFIG_IP_TRANSPARENT_PROXY defined. Packets are then delivered to a local socket even though they were sent to a remote host.
Some commonly used syntax:
ipchains -[ADC] chain rule-specification [options]
ipchains -[RI] chain rulenum rule-specification [options]
ipchains -D chain rulenum [options]
ipchains -[LFZNX] [chain] [options]
ipchains -P chain target [options]
ipchains -M [ -L | -S ] [options]
3.1.2. How a packet travels through Netfilter
A packet travels along the cable and enters a network card (say eth0). First it passes through the PREROUTING chain (before routing). Here the packet may have its parameters modified (mangle) or its destination IP address changed (DNAT). A packet destined for this machine then passes through the INPUT chain, where it can be accepted or dropped. It is then handed to the applications (client/server) for processing, and afterwards goes out through the OUTPUT chain. In the OUTPUT chain the packet may have its parameters changed and is filtered: accepted out or dropped. A packet forwarded through the machine goes from the PREROUTING chain to the FORWARD chain, where it is likewise filtered with ACCEPT or DENY. After the FORWARD chain or the OUTPUT chain the packet reaches the POSTROUTING chain (after routing). In the POSTROUTING chain the packet's source IP address can be changed (SNAT) or MASQUERADEd. After leaving the network card the packet goes onto the cable towards another computer on the network.
3.1.3. Structure of Iptables
Iptables is divided into 4 tables:
The filter table, used to filter packets.
The nat table, used to handle packets that undergo source or destination NAT.
The mangle table, used to change parameters in the IP packet.
The conntrack table, used to track connections.
Each table consists of several chains. A chain consists of several rules that act on packets. A rule can be ACCEPT (accept the packet), DROP (discard the packet), REJECT (reject the packet) or a reference to another chain.
3.1.4. Installing iptables
Iptables is installed by default on Linux systems; the iptables package is iptables-version.rpm or iptables-version.tgz, and it can be installed with:
$ rpm -ivh iptables-version.rpm   (Red Hat)
$ apt-get install iptables   (Debian)
Start iptables: service iptables start
Stop iptables: service iptables stop
Restart iptables: service iptables restart
Check the status of iptables: service iptables status
3.2. Common command-line parameters
3.2.1 Getting help
For help on Iptables, type $ man iptables or $ iptables --help. For instance, to learn about the options of the limit match, type $ iptables -m limit --help.
3.2.2 Options for specifying parameters
Specify the table name: -t <table>, for example -t filter, -t nat, ...; if no table is specified, the default is filter.
Specify the protocol: -p <protocol>, for example -p tcp, -p udp, or -p ! udp for every protocol other than udp.
Specify the incoming network interface: -i <interface>, for example -i eth0, -i lo.
Specify the outgoing network interface: -o <interface>, for example -o eth0, -o pp0.
Specify the source IP address: -s <address>, for example -s 192.168.0.0/24 (the network 192.168.0 with a 24-bit netmask), -s 192.168.0.1-192.168.0.3 (the addresses 192.168.0.1, 192.168.0.2, 192.168.0.3).
Specify the destination IP address: -d <address>, used like -s.
Specify the source port: --sport <port>, for example --sport 21 (port 21), --sport 22:88 (ports 22 to 88), --sport :80 (ports up to 80), --sport 22: (ports from 22 upwards).
Specify the destination port: --dport <port>, used like --sport.
3.2.3. Options for working with chains
Create a new chain: iptables -N <chain>
Delete the rules created in a chain: iptables -X
Set the policy of the built-in chains (INPUT, OUTPUT & FORWARD): iptables -P <chain> <policy>, for example iptables -P INPUT ACCEPT accepts packets entering the INPUT chain.
List the rules in a chain: iptables -L
Delete the rules in a chain (flush chain): iptables -F
Reset the packet counters to 0: iptables -Z
3.2.4. Options for working with rules
Add a rule: -A (append)
Delete a rule: -D (delete)
Replace a rule: -R (replace)
Insert a rule: -I (insert)
3.2.5 The difference between ACCEPT, DROP and REJECT
ACCEPT: accept the packet
DROP: discard the packet (no reply to the client)
REJECT: reject the packet (reply to the client with another packet)
Some examples:
# iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
Accept packets arriving on port 80 on interface eth0 (--dport is only valid together with a protocol given by -p, hence -p tcp).
# iptables -A INPUT -i eth0 -p tcp --dport 23 -j DROP
Discard packets arriving on port 23 over TCP on interface eth0.
# iptables -A INPUT -i eth1 -p tcp -m iprange ! --src-range 10.0.0.1-10.0.0.5 --dport 22 -j REJECT --reject-with tcp-reset
Send a TCP packet with the RST flag set for connections to port 22 on interface eth1 that do not come from the address range 10.0.0.1 to 10.0.0.5 (-s takes a single address or network, so a range is written with the iprange match; --reject-with tcp-reset is only valid with -p tcp).
# iptables -A INPUT -p udp --dport 139 -j REJECT --reject-with icmp-port-unreachable
Send an ICMP port-unreachable packet for connections to port 139 over UDP.
3.2.6 The difference between NEW, ESTABLISHED and RELATED
NEW: opens a new connection
ESTABLISHED: a connection that has been established
RELATED: opens a new connection within the current connection
Some examples:
# iptables -P INPUT DROP
Set the policy of the INPUT chain to DROP.
# iptables -A INPUT -p tcp --syn -m state --state NEW -j ACCEPT
Accept only TCP packets that open a connection with the SYN flag set.
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Do not close connections that are already established, and also allow new connections opened within established connections.
# iptables -A INPUT -p tcp -j DROP
All remaining TCP packets are dropped.
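The session tracking of section 2.4.3 and the NEW, ESTABLISHED and RELATED states used by the INPUT rules above, as an added example that is not part of the thesis and is not Netfilter's own code. It is a Python model of a connection tracker sitting behind the policy just shown (INPUT defaults to DROP, NEW is accepted only for a TCP SYN, ESTABLISHED and RELATED are accepted). The host address 10.0.0.2 and the peer addresses 198.51.100.7, 198.51.100.8, 203.0.113.53 and 192.0.2.1 are constructed, and an ICMP error is modelled by the 5-tuple of the packet it quotes:

```python
"""Connection-state classification (NEW / ESTABLISHED / RELATED).

Constructed example, not code from the thesis or from Netfilter.  The host
10.0.0.2 and all peer addresses are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Tuple5 = Tuple[str, int, str, int, str]   # (src, sport, dst, dport, proto)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                                # "tcp", "udp" or "icmp"
    syn: bool = False                         # TCP SYN without ACK (what --syn matches)
    icmp_error_for: Optional[Tuple5] = None   # ICMP error: the original 5-tuple it quotes

    def tuple5(self) -> Tuple5:
        return (self.src, self.sport, self.dst, self.dport, self.proto)

    def reverse5(self) -> Tuple5:
        return (self.dst, self.dport, self.src, self.sport, self.proto)


class ConnTracker:
    """Remembers every connection the host has accepted or initiated."""

    def __init__(self) -> None:
        self.table: Set[Tuple5] = set()

    def state(self, p: Packet) -> str:
        if p.proto == "icmp" and p.icmp_error_for is not None:
            t = p.icmp_error_for
            rev = (t[2], t[3], t[0], t[1], t[4])
            return "RELATED" if t in self.table or rev in self.table else "NEW"
        if p.tuple5() in self.table or p.reverse5() in self.table:
            return "ESTABLISHED"            # either direction of a known connection
        return "NEW"

    def remember(self, p: Packet) -> None:
        self.table.add(p.tuple5())


class Host:
    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.ct = ConnTracker()

    def send(self, p: Packet) -> None:
        """OUTPUT: the host's own traffic is tracked so replies become ESTABLISHED."""
        self.ct.remember(p)

    def receive(self, p: Packet) -> Tuple[str, str]:
        """INPUT chain of 3.2.6. Returns (state, verdict)."""
        st = self.ct.state(p)
        if st in ("ESTABLISHED", "RELATED"):
            return st, "ACCEPT"              # -m state --state ESTABLISHED,RELATED -j ACCEPT
        if st == "NEW" and p.proto == "tcp" and p.syn:
            self.ct.remember(p)              # -p tcp --syn -m state --state NEW -j ACCEPT
            return st, "ACCEPT"
        return st, "DROP"                    # -P INPUT DROP


def scenario() -> Dict[str, Tuple[str, str]]:
    host = Host("10.0.0.2")
    out: Dict[str, Tuple[str, str]] = {}
    # 1. Inbound TCP handshake: the SYN is NEW, the following ACK is ESTABLISHED.
    out["syn"] = host.receive(Packet("198.51.100.7", 51000, host.ip, 22, "tcp", syn=True))
    out["ack"] = host.receive(Packet("198.51.100.7", 51000, host.ip, 22, "tcp"))
    # 2. A bare ACK with no prior SYN is NEW but not a SYN, so it is dropped.
    out["stray_ack"] = host.receive(Packet("198.51.100.8", 4444, host.ip, 22, "tcp"))
    # 3. Outbound DNS query: the reply is ESTABLISHED although UDP has no handshake.
    query = Packet(host.ip, 33000, "203.0.113.53", 53, "udp")
    host.send(query)
    out["dns_reply"] = host.receive(Packet("203.0.113.53", 53, host.ip, 33000, "udp"))
    out["unsolicited_udp"] = host.receive(Packet("203.0.113.53", 53, host.ip, 33001, "udp"))
    # 4. ICMP errors are RELATED only when they quote a tracked connection.
    out["related_icmp"] = host.receive(Packet("203.0.113.53", 0, host.ip, 0, "icmp",
                                              icmp_error_for=query.tuple5()))
    bogus: Tuple5 = ("10.0.0.2", 1, "192.0.2.1", 1, "udp")
    out["unrelated_icmp"] = host.receive(Packet("192.0.2.1", 0, host.ip, 0, "icmp",
                                                icmp_error_for=bogus))
    return out


if __name__ == "__main__":
    for name, (state, verdict) in scenario().items():
        print(f"{name:16} {state:12} {verdict}")
```

The design point is the one the text makes: the tracker never needs a separate rule for the reply direction, because a reply is recognised by the reverse 5-tuple of a connection it has already seen, so an unsolicited packet from outside (the stray ACK, the UDP datagram to a port nobody asked from, the ICMP error quoting a connection that does not exist) stays NEW and falls to the default DROP.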
3.2.7 The --limit and --limit-burst options
--limit-burst: the peak level, measured in packets.
--limit: the rate once the peak is reached, measured in packets per s (second), m (minute), d (hour) or h (day).
3.3. Introduction to the NAT table (Network Address Translation)
One problem today is the scarcity of IP addresses: an organisation may have very many computers but be allocated only a single IP address. So how can all the computers in an organisation reach the Internet with this one IP address? There is a way to do it: NAT (Network Address Translation).
3.3.1. Basic concepts of NAT
NAT is used when you connect to the Internet using your own private network addresses (connecting to the Internet requires a public address).
Public addresses used on the Internet are unique and are normally supplied by Internet Service Providers (ISPs); they are also called valid IP addresses. Private addresses are used on the internal network (LAN). They do not have to be obtained from a provider and can be assigned by the administrator of the internal network, but a private address is never used on the Internet.
NAT lets you reach the Internet while still using private addresses. This is possible because NAT lets you translate between the two kinds of address, however large your internal network is, while the ISP gives you only a single public address.
NAT rewrites the source address, so that traffic leaving the internal network uses the public address on the Internet. From the Internet the private address of a machine cannot be seen; only the public address of the internal network is visible. NAT tells the machines of the internal network apart by their service port numbers.
Given these characteristics, NAT has the following advantages:
It hides the internal network's addresses from the outside network.
When connecting to the Internet it saves public (Internet) addresses.
It serves load balancing and can spread traffic over several servers inside the internal network.
The key distribution process is kept confidential.
If the Internet address changes, the individual machines do not need to be reconfigured, which is very convenient for the administrator.
It reduces investment cost.
Along with these advantages it also has unavoidable drawbacks: processing is slower because each packet has to be re-parsed, the address rewritten and the packet's address recomputed, and congestion is likely if too much traffic passes through at the same time.
Below we look at some of the address translation methods of NAT.
3.3.2. Dynamic NAT
Dynamic NAT is one of the NAT (Network Address Translation) IP address translation techniques. Internal IP addresses are translated to NAT IP addresses as follows:
Figure 8: Dynamic IP address translation.
[The rest of section 3.3.2, section 3.3.3 and Figure 9 are garbled in this extraction and cannot be reconstructed. What survives: the text describes source NAT (SNAT, Source-NAT), in which the NAT router replaces the private source address of an outgoing packet (the example host 192.168.0.200) with its public address (203.162.2.200) and reverses the translation on the reply; destination NAT (DNAT, Destination-NAT); the transparent forwarding of packets through the NAT router; and masquerading, in which the hosts of a LAN share a single public IP address and are told apart by their different port numbers.]
3.3.4. Some examples of using NAT
Iptables supports the -j REDIRECT target, which makes port redirection easy. For example, SQUID is listening on port 3128/tcp. To redirect port 80 to port 3128:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
Note: the -j REDIRECT target is used in the PREROUTING chain.
SNAT & MASQUERADE
To create a transparent connection between the LAN 192.168.0.1 and the Internet, configure the Iptables firewall as follows:
# echo 1 > /proc/sys/net/ipv4/ip_forward
Allow packets to be forwarded through the Iptables host.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 210.40.2.71
Rewrite the source IP of packets leaving interface eth0 to 210.40.2.71. When a packet arrives from the Internet, Iptables automatically changes the destination IP 210.40.2.71 back to the corresponding destination IP of the computer in the LAN 192.168.0/24.
MASQUERADE can be used instead of SNAT as follows:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
(MASQUERADE is usually used when the Internet connection is pp0 and uses a dynamic IP address.)
DNAT
Suppose the Proxy, Mail and DNS servers are placed in the DMZ. To create transparent connections from the Internet to these servers:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.3
# iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 192.168.1.4
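Source NAT (SNAT/MASQUERADE) and destination NAT as the NAT table sees them, as an added example that is not code from the thesis or from Netfilter. It is a Python model of a NAT router that keeps the translation state behind the rules above: outgoing LAN packets get the public source address and a public port of their own, replies are mapped back by that port, and published ports are forwarded to the DMZ hosts. The addresses follow the examples in this section (public 210.40.2.71 on eth0, LAN 192.168.0.0/24, DMZ hosts 192.168.1.2, 192.168.1.3 and 192.168.1.4); the LAN hosts 192.168.0.200 and 192.168.0.164 and the outside hosts 198.51.100.9 and 203.0.113.5 are constructed:

```python
"""Source NAT (masquerade) and destination NAT in a small NAT router.

Constructed example, not code from the thesis or from Netfilter.  Assumed
addresses: public 210.40.2.71, LAN 192.168.0.0/24, DMZ web 192.168.1.2,
mail 192.168.1.3, DNS 192.168.1.4; the LAN and outside hosts are made up.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


class NatRouter:
    def __init__(self, public_ip: str, lan: str, dnat: Dict[Tuple[str, int], str]) -> None:
        self.public_ip = public_ip
        self.lan = ip_network(lan)
        self.dnat = dnat   # (proto, public port) -> DMZ host, the PREROUTING DNAT rules
        # (proto, public port) -> (private ip, private port): state created by SNAT
        self.snat: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.next_port = 1024

    def outbound(self, p: Packet) -> Packet:
        """POSTROUTING on eth0: LAN packets leave with the public source address (SNAT)."""
        if ip_address(p.src) not in self.lan:
            return p
        for (proto, pub_port), (ip, port) in self.snat.items():
            if (proto, ip, port) == (p.proto, p.src, p.sport):
                return replace(p, src=self.public_ip, sport=pub_port)   # existing mapping
        pub_port = self.next_port          # a fresh public port tells this host apart
        self.next_port += 1
        self.snat[(p.proto, pub_port)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=pub_port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """PREROUTING on eth0: reverse SNAT for replies, DNAT for published services.
        Returns None when no mapping exists (the packet has nowhere to go)."""
        if p.dst != self.public_ip:
            return None
        key = (p.proto, p.dport)
        if key in self.snat:
            ip, port = self.snat[key]
            return replace(p, dst=ip, dport=port)
        if key in self.dnat:
            return replace(p, dst=self.dnat[key])
        return None


def scenario() -> dict:
    r = NatRouter("210.40.2.71", "192.168.0.0/24",
                  {("tcp", 80): "192.168.1.2", ("tcp", 25): "192.168.1.3", ("udp", 53): "192.168.1.4"})
    out: dict = {}
    # Two LAN hosts using the same source port still get distinct public ports.
    a = r.outbound(Packet("192.168.0.200", 1204, "198.51.100.9", 53, "udp"))
    b = r.outbound(Packet("192.168.0.164", 1204, "198.51.100.9", 53, "udp"))
    a_again = r.outbound(Packet("192.168.0.200", 1204, "198.51.100.9", 53, "udp"))
    out["a"] = (a.src, a.sport)
    out["b"] = (b.src, b.sport)
    out["a_again"] = (a_again.src, a_again.sport)     # same mapping reused
    # The reply addressed to the public port is mapped back to the right LAN host.
    reply = r.inbound(Packet("198.51.100.9", 53, "210.40.2.71", a.sport, "udp"))
    out["reply"] = (reply.dst, reply.dport)
    # Published services are forwarded into the DMZ; anything else is unreachable.
    out["web"] = r.inbound(Packet("203.0.113.5", 40000, "210.40.2.71", 80, "tcp")).dst
    out["mail"] = r.inbound(Packet("203.0.113.5", 40001, "210.40.2.71", 25, "tcp")).dst
    out["dns"] = r.inbound(Packet("203.0.113.5", 40002, "210.40.2.71", 53, "udp")).dst
    out["ssh"] = r.inbound(Packet("203.0.113.5", 40003, "210.40.2.71", 22, "tcp"))
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:8} {value}")
```

The model shows why section 3.3 says NAT hides the LAN and tells its hosts apart by port number: the outside host only ever sees 210.40.2.71, and the public port chosen for each outbound connection is the only thing that routes the reply back to 192.168.0.200 rather than 192.168.0.164. It also shows the other half of the defender's view: an inbound packet to a port that is neither an active masquerade mapping nor a DNAT entry has no translation and is discarded.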
Chapter 4:
SETTING UP A FIREWALL TO PROTECT THE INTERNAL NETWORK
WITH IPTABLES ON THE LINUX OPERATING SYSTEM
In this application, iptables on a Linux server is used as a Firewall that allows the external network to access the DMZ zone and allows the internal network to reach the external network through the Firewall. The external network is not allowed to access the internal network.
4.1. How a Firewall with a DMZ zone works
Figure 10: Firewall with a DMZ zone
- The Firewall allows machines inside the internal network to access resources on the external network using the SNAT technique.
- Only the WebServer and DNS Server resources in the DMZ zone may be accessed by machines on the external network, using the DNAT technique.
- The requirements for the Firewall on kernel 2.4.x, the modules the Firewall needs, and the address assignment for the internal network and the DMZ are the same as in the IP NAT application.
- User-defined chains: the 3 chains bad_tcp_packets, allowed and icmp_packets, the same as in the IP NAT application.
4.2. Configuration file structure and configuration
Configuration file for the Firewall:
4.2.1. Configuring the options:
#!/bin/sh
# rc.firewall_dmz - DMZ Firewall for Linux 2.4.x and iptables
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# 1. Configuration options.
# 1.1 Internet interface configuration.
#
INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
INET_IFACE="eth0"
# 1.2 Local network interface configuration.
LAN_IP="192.168.0.1"
LAN_IFACE="eth1"
# 1.3 DMZ zone interface configuration.
#
DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"
# 1.4 Localhost configuration.
LO_IFACE="lo"
LO_IP="127.0.0.1"
# 1.5 Location of the iptables program.
IPTABLES="/usr/sbin/iptables"
4.2.2. Loading the required modules into the Kernel.
# 2. Load the required modules into the Kernel.
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
4.2.3. Setting the required configuration for the proc file system.
# 3. Set the required configuration for the proc file system.
echo "1" > /proc/sys/net/ipv4/ip_forward
4.2.4. Setting up the rules.
# 4. Set up the rules.
# 4.1 Filter table
# 4.1.1 Default policy of the built-in chains.
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# 4.1.2 Create the user-defined chains
# Create chain bad_tcp_packets.
$IPTABLES -N bad_tcp_packets
# Create chains allowed, icmp_packets.
$IPTABLES -N allowed
$IPTABLES -N icmp_packets
#
# 4.1.3 Create the contents of the user-defined chains
# chain bad_tcp_packets.
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# chain allowed.
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# chain icmp_packets
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# 4.1.4 INPUT chain
# Malformed packets we don't want
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
# Packets from the Internet to the Firewall.
#
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
# Packets from the LAN, DMZ or LOCALHOST
#
# From the DMZ interface to the firewall's DMZ IP
$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT
#
# From the LAN interface to the firewall's LAN IP
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
#
# From the Localhost interface to the Localhost IP
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
# Rules for DHCP requests from the LAN.
$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
# All packets that belong to an established connection, or are related to one,
# coming in from the Internet to the Firewall.
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
#
# Log packets that did not match the rules above.
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# 4.1.5 FORWARD chain
# Malformed packets we don't want
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# DMZ section
# General rules
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# HTTP server
#
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
-j icmp_packets
#
# DNS server
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
-j icmp_packets
#
# LAN section
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log packets that did not match the rules above
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# 4.1.6 OUTPUT chain
# Malformed packets we don't want
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
#
# Rules allowing packets out.
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
# Log packets that did not match the rules above
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
# 4.2 nat table
# 4.2.4 PREROUTING chain
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
-j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
# 4.2.5 POSTROUTING chain
# Rule allowing machines on the internal network to access the Internet
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
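As an added check, not part of the thesis, the script below audits a ruleset in iptables-save format against the policy this chapter states: every built-in chain defaults to DROP, and nothing is forwarded from the Internet interface into the LAN except replies to existing connections. The check_ruleset function, the two constructed rulesets and the eth0/eth1 interface names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thesis: a static check of a ruleset in
# iptables-save format against the policy stated in Chapter 4 (default
# policies DROP; the Internet interface may forward into the DMZ, never into
# the LAN). Interface names are assumed to match the thesis script.
INET_IFACE="eth0"
LAN_IFACE="eth1"

# check_ruleset RULES: prints one finding per line, returns 1 if any finding.
check_ruleset() {
    rules="$1"; rc=0
    # 1. Every built-in filter chain must default to DROP.
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" | grep -q "^:$chain DROP " \
            || { echo "policy: $chain is not DROP"; rc=1; }
    done
    # 2. No FORWARD rule may ACCEPT Internet -> LAN traffic unless it is
    #    limited to replies (ESTABLISHED,RELATED); such a rule opens the LAN.
    printf '%s\n' "$rules" \
        | grep -- "^-A FORWARD .*-i $INET_IFACE .*-o $LAN_IFACE " \
        | grep -- '-j ACCEPT' | grep -v -- '--state ESTABLISHED,RELATED' \
        | grep -q . && { echo "forward: Internet -> LAN accepts new connections"; rc=1; }
    return $rc
}

# Constructed sample rulesets (not captured from a real host).
GOOD_RULES=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -d 192.168.1.2 --dport 80 -j allowed
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
)
BAD_RULES=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
EOF
)
```

On a live host the input would be the output of iptables-save; the findings for the constructed BAD_RULES are the ACCEPT policy on FORWARD and the eth0 to eth1 rule.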
4.3. Configuring internal machines to access the external network
Besides assigning suitable IP addresses to the internal machines behind the Firewall (static or dynamic IP assignment), set the appropriate Gateway IP address, which is that of the Linux Firewall Server, and the DNS Server address.
Configure Microsoft Windows 2000 after installing a suitable network card in the computer.
Perform the configuration as in IP NAT.
4.4. Testing the Firewall
Step 1: check local connectivity of the internal machines
------------------------------------
client# ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10): 56 data bytes
64 bytes from 192.168.0.10: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 192.168.0.10: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 192.168.0.10: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 192.168.0.10: icmp_seq=3 ttl=255 time=0.5 ms
--- 192.168.0.10 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.8 ms
Step 2: Check connectivity from an internal machine to the Firewall server.
client# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=255 time=0.5 ms
^C
--- 192.168.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.8 ms
Step 3: Check local connectivity of the Firewall Server on the LAN
firewall-server# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=255 time=0.5 ms
^C
--- 192.168.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.8 ms
Step 4: Check local connectivity of the Firewall Server on the DMZ.
firewall-server# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=255 time=0.5 ms
^C
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.8 ms
Step 5: Check connectivity from the Firewall Server to a local machine.
firewall-server# ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10): 56 data bytes
64 bytes from 192.168.0.10: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 192.168.0.10: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 192.168.0.10: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 192.168.0.10: icmp_seq=3 ttl=255 time=0.5 ms
^C
--- 192.168.0.10 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.8 ms
Step 6: Check connectivity of the Firewall Server's external interface.
-------------------------------------
firewall-server# ping 194.236.50.152
PING 194.236.50.152(194.236.50.152): 56 data bytes
64 bytes from 194.236.50.152: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 194.236.50.152: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 194.236.50.152: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 194.236.50.152: icmp_seq=3 ttl=255 time=0.5 ms
^C
--- 194.236.50.152 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.8 ms
Step 7: Check connectivity from an internal machine to the external interface of the Firewall Server.
client# ping 194.236.50.152
PING 194.236.50.152(194.236.50.152): 56 data bytes
64 bytes from 194.236.50.152: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 194.236.50.152: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 194.236.50.152: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 194.236.50.152: icmp_seq=3 ttl=255 time=0.5 ms
^C
--- 194.236.50.152 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.8 ms
4.5. Building software for remote administration of the IPTables Firewall
4.5.1. Problem description
The IP-Tables Firewall tool, running on the Redhat version of the Linux operating system, is a very powerful tool. An administrator can use it to secure a computer network very effectively. But to use it as effectively as possible, the administrator must have deep knowledge of computer networking and must reliably remember a large number of complex parameters. This is precisely what makes it difficult for administrators.
For the reason stated above, I built software to assist with remote firewall administration. The software is written in PHP and runs on the Apache Webserver, so the software can be reached, and the firewall system configured, from any computer on the network. In addition, to relieve users of having to remember too many complex parameters, the program comes with ready-made rule sets, and each rule has a comment and a clear description of its purpose.
4.5.2. Some program interfaces
As stated above, to use the iptables firewall tool the user needs very deep knowledge of networking, such as protocols, IP addresses and service ports, and moreover of the many parameters of the iptables firewall. To make configuring a firewall such as iptables easier, the IP-Tables management software was built on the PHP language. The software has several notable features: it lets users configure the firewall remotely, stores old configurations so they can be updated later, and lets users easily add/delete/edit/move commands.
Remote firewall configuration capability:
Because the program is built on web pages, at any time the user only needs a browser and a connection to the computer whose firewall is to be configured.
Home page
Figure 11: Main interface of the program
Some options
Figure 12: Program interface with some options
Figure 13: Interface after the options have been set and the program executed.
After the options have been selected, the result is returned as a text file containing the IPtables rule set.
Figure 14: The IPtables rule set returned by the program
4.5.3. Evaluation of the software
Advantages of the software
- Designed as a website, so iptables can be configured from any computer on the network.
- Users without deep knowledge of iptables parameters can still configure the firewall, thanks to the ready-made rules.
- Reusing and editing iptables rules and commands is very easy.
- The program is open source, so users can modify it to their own requirements.
Disadvantages of the software
- Currently only one language is supported.
- Installation is rather difficult, because several supporting packages must be installed, such as an HTTP Server, crontab, ...
- All users have the same privileges.
Future development
- A website will be designed to introduce and publish new versions of the software.
- The next version will provide the ability to update with new rules, and these rule files will be provided on the website.
- Each user will be granted the right to use different rules in the rule set.
Software configuration requirements
- Linux operating system (Redhat 9.0)
- WebServer (Apache Server 2.0...)
- Iptables firewall 1.2.9
- PHP 4.03 (or newer)
CONCLUSION
The subject of Firewalls is always a top concern for network administrators in particular and for computing professionals in general. Building a private network that can avoid every attack is impossible, but we can build networks with a high level of security according to specific requirements. To build such networks, the network administrator must have a firm grasp of the basic knowledge of Firewalls. This project has presented Firewalls in considerable detail, together with the issues related to protecting information in internal networks. The project has also set up a Firewall model protecting an internal network with IPTABLES on the LINUX operating system. With a Firewall system using Iptables
t