NETWORK SECURITY

( GRADUATED )

1-TRNH BY KIN TRC IPSEC. CC TNH NNG M IPSEC B SUNG CHO GIAO THC IP?

P N: IPSec l thnh phn m rng ca giao thc IP. B sung mt s tnh nng cho giao thc IP

KIN TRC IPSec

IPSec l mt giao thc phc tp, da trn nn ca nhiu k thut c s khc nhau nh mt m,

xc thc, trao i kha, Xt v mt kin trc, IPSec c xy dng da trn cc thnh phn bo mt c

bn sau y:

-Kin trc IPSec (RFC 2401): Quy nh cu trc, cc khi nim v yu cu ca IPSec.

-Giao thc ESP (RFC 2406): M t giao thc ESP, l mt giao thc mt m v xc thc thng tin

trong IPSec.

-Giao thc AH (RFC 2402): nh ngha mt giao thc khc vi chc nng gn ging ESP. Nhng

vy, khi trin khai IPSec, ngi s dng c th chn dng ESP hoc AH. Mi giao thc c u v nhc

im ring.

-Thut tan mt m: nh ngha cc thut tan m ha v gii m s dng trong IPSec. IPSec da

ch yu vo cc gii thut m ha i xng.

Kin trc IPSec

Giao thc ESP Giao thc AH

Thut tan mt m Thut tan xc thc

DOI

Qun l kha

Kin trc IPSec

-Thut tan xc thc: nh ngha cc thut tan xc thc thng tin s dng trong AH v ESP.

-Qun l kha (RFC 2408): M t cc c ch qun l v trao i kha trong IPSec.

-Min thc thi (Domain of Interpretation_DOI): nh ngha mi trng thc thi, xc nh mt tp

cc ch cn thit trin khai IPSec trong mt tnh hung c th.

Xt v mt ng dng, IPSec thc cht l mt giao thc hat ng song song vi IP nhm cung cp hai chc nng c bn m IP nguyn thy cha c, l m ha v xc thc gi d liu. Mt cch khi qut, c th xem IPSec l mt t hp gm 2 thnh phn:

-Giao thc ng gi, bao gm AH v ESP.

-Giao thc trao i kha IKE (Internet Key Exchange).

CC TNH NNG M IPSec B SUNG CHO GIAO THC IP

IPSec cung cp cc c ch m ha v xc thc thng tin cho chui thng tin truyn i trn mng

bng giao thc IP v n c thit k nh l phn m rng ca giao thc IP. N b sung cho giao thc

IP cc tnh nng thng qua cc ng dng in hnh v cc dch v c chnh n cung cp:

Cc ng dng in hnh ca IPSec:

- Kt ni gia cc chi nhnh ca mt t chc thng qua mng Internet: bng cch xy dng

mng ring o VPN trn nn mng WAN cng cng hoc Internet.

- Truy xut t xa thng qua mng Internet: thc cht y l mt dng khc ca VPN

(Remote Access VPN). Ngi dng c th truy xut mng v ti nguyn ni b ca mnh t mt

im bt k trn Internet m vn an ton.

- Nng cao tnh an ton ca cc giao dch thng mi trn Internet: p dng cho cc h thng

thanh ton trc tuyn, .Cc kt ni thit lp n h thng ny c h tr IPSec nn tnh bo

mt vn c m bo d truyn qua mng Internet cng cng.

Cc dch v c cung cp bi IPSec:

- Qun l truy xut.

- Ton vn d liu ch khng kt ni.

- Xc thc ngun gc d liu

- Chng pht li.

- M ha d liu.

- Bo mt dng lu lng.

2-M T C CH HOT NG CA GIAO THC NG GI AH TRONG IPSEC ? DCH V

CHNG PHT LI TRONG AH DA TRN C CH NO ? C CH XC THC THNG TIN

TRONG AH ? PHN BIT HAI CH HOT NG CA AH L TRANSPORT V TUNNEL ?

P N:

C CH HOT NG CA GIAO THC NG GI AH:

AH cho php xc thc ngi dng, xc thc ng dng v thc hin cc c ch lc gi tng ng m

bo tnh ton vn ca d liu di chuyn trn mng. Ngoi ra, AH cn c kh nng hn ch cc tn cng

gi danh v tn cng pht li. C ch xc th ca AH da trn m xc thc MAC, do thc thi u

cui ca SA phi dng chung mt kha b mt d khng dng mt thut ton mt m no.

DCH V CHNG PHT LI TRONG AH DA TRN C CH NO ?

Tn cng dng pht li tc l bt gi, lu tr ri pht li.

Bn gi: nh s th t cc gi c gi i trn mt SA. Gi tr khi to bng 0, tng dn sau mi gi

gi, khng c gi lp li, khi s th t t gi tr cc i bng 232 -1 th s khng quay li gi tr 0 m

thay vo , mt SA cng vi kha mi c thit lp truyn d liu, iu ny m bo khng c 2

gi trng s th t trn cng 1 SA.

Bn nhn: qu trnh x l phc tp hn nhm pht hin cc gi lp nhau, dng c ch dch ca s

pht hin lp, mt v sai th t gi.

C CH XC THC THNG TIN TRONG AH ?

Dng 2 cch:

1. HMAC-MD5-96: dng phng php HMAC, hm bm l MD5, ct ly 96 bit u tin

2. HMAC-SHA-1-96 dng phng php HMAC, hm bm l SHA-1, ct ly 96 bit u tin.

Phn bit hai ch hot ng ca AH l Transport v Tunnel ?

AH Transport Tunnel

Ging nhau - u cung cp c ch bo v d liu cho cc gi tin

- u l nhng ch nm trong giao thc ng gi AH.

Khc nhau - dng cho trng hp xc thc

t u cui n u cui.

- Gi IP ch ny c chn

thm giao thc ng gi AH

theo th t IP, AH, TCP, DATA.

- dng cho trng hp xc thc

t u cui n trung gian.

- Gi IP ch ny ngoi vic

c chn thm AH th cn chn

thm mt a ch IP mi

bao bc gi d liu hin

hnh.

- Phm vi thng tin xc thc

nhiu hn Transport.

- thng dng trong cc SA ni

gia 2 Gateway

3-M T C CH HOT NG CA GIAO THC NG GI ESP ? PHN BIT HAI CH

HOT NG CA ESP L TRANSPORT V TUNNEL ?

P N:

M T C CH HOT NG CA GIAO THC NG GI ESP ?

ESP (Encapsulating Security Payload) cung cp tnh bo mt cho d liu truyn trn mng IP bng cc k

thut mt m. Tuy nhin n cn c ty chn khc l cung cp dch v m bo tnh ton vn ca d liu

thng qua c ch xc thc. Ngi dng c th chn hoc khng chn chc nng xc thc cn m ha l

chc nng mc nh ca ESP.

PHN BIT HAI CH HOT NG CA ESP L TRANSPORT V TUNNEL ?

ESP Transport Tunnel

Ging nhau - u cung cp c ch bo v d liu cho cc gi tin

- u l nhng ch nm trong giao thc ng gi ESP.

- u thm vo gi IP gc cc trng ESP header, ESP trailer, ESP

auth.

Khc nhau - chc nng m ha v xc thc

thng tin c thc hin trn

phn d liu (payload data) ca

gi IP.

- gi ESP header t sau a ch

IP

- Ton b gi IP c m ha

v xc thc

- Gi ESP header t trc ia

ch IP c (a ch IP ca gi IP

gc)

- Phm vi thng tin xc thc

nhiu hn Transport.

- Gi IP ch ny cn chn

thm mt a ch IP mi

bao bc gi d liu hin

hnh.

- ESP header nm sau a ch IP

mi (a ch IP c tao khi

dng ch Tunnel).

4-CC DCH V CA SSL? CC THNH PHN CA GIAO THC SSL? M T C CH BO V

D LIU (M HA V XC THC D LIU) CA SSL RECORD PROTOCOL?

P N:

CC DCH V CA SSL ?

- M ha d liu

- Xc thc d liu

- Xc thc u cui

CC THNH PHN CA GIAO THC SSL ?

- Giao thc truyn d liu SSL (SSL Record Protocol): xc nh cc nh dng dng truyn d liu,

cung cp 2 dch v c bn cho cc kt ni SSL: bo mt v ton vn d liu.

- Giao thc thay i thng s m (Change cipher spec protocol): l giao thc n gin nht trong cu

truc SSL. Dng thay i cc thng s m ha tr kt ni SSL, c gi i trong cu trc gi ca SSL

Record.

- Giao thc cnh bo (Alert Protocol): dng trao i cc bn tin cnh bo gia 2 u ca kt ni SSL.

C 2 mc cnh bo: WARNING (thng bo cho u kia c s kin bt thng din ra) v FATAL( yu

cu kt thc kt ni hin hnh).

- Giao thc bt tay (Handshake Protocol):

+ l giao thc quan trng nht ca SSL

+ c 2 pha dng xc thc ln nhau v thng nht cc thut ton xc thc MAC v m ha

+ cng c dng trai i kha b mt

+ phi thc hin trc khi d liu c truyn.

M T C CH BO V D LIU (M HA V XC THC D LIU) CA SSL RECORD

PROTOCOL ?

Cc thao tc m SSL thc hin trn d liu bao gm: phn on d liu, nn d liu, xc thc d liu,

m ha, thm cc tiu cn thit v cui cng l gi ton b thng tin trn trong 1 segment TCP.

pha nhn th qu trnh thc hin ngc li.

5-M T C CH BT TAY TRONG GIAO THC SSL HANDSHAKE PROTOCOL? CC LOI KHA

S DNG TRONG MT KT NI SSL?

P N:

- L giao thc quan trng nht ca SSL

- c 2 pha dng xc thc ln nhau v thng nht cc thut ton xc thc MAC v m ha

- cng c dng trai i kha b mt

- phi thc hin trc khi d liu c truyn.

D liu gc

Phn on

Nn

Gn thng tin

xc thc (MAC)

Mt m ho

Gn tiu giao

thc SSL record

Hnh 3.14: Hot ng ca giao thc truyn d liu SSL

C CH BT TAY GM 4 GIAI ON:

GIAI ON 1: Thit lp cc thng s bo mt nh phin bn ca giao thc, nhn dng phin giao dch,

thut ton mt m, phng php nn, s ngu nhin ban u. Cc thnh phn cn bn ca bn tin

Client_Hello v Server_Hello:

+ VERSION: phin bn SLL

+ RANDOM: s ngu nhin dng xc thc

+ SESSION ID:

+ CIPHER SUITE: tp cc thut ton mt m h thng h tr

+ COMPRESSION METHOD: thut ton nn h thng h tr

GIAI ON 2: Server c th gi chng thc kha cng khai, trao i kha v yu cu client cung cp

chng thc kha.

GIAI ON 3: Client gi chng thc kha khi c yu cu t pha server , trao i kha vs Server.

Client cng c th gi xc minh chng thc kha cng khai cho Server.

GIAI ON 4: Thay i cc thng s ca thut ton mt m v kt thc giao thc bt tay.

CC LOI KHA S DNG TRONG MT KT NI SSL ?

(ci ny khng chc ng, ch kim tra li th)

- S nhn dng ngu nhin: chui byte chn ngu nhin bi Server v Client, c chc nng phn bit cc

kt ni vs nhau.

- Kha xc thc ca my ch: Kha b mt dng tnh gi tr xc thc MAC trn d liu c gi i t

Server.

- Kha xc thc ca my con: Kha b mt dng tnh gi tr xc thc MAC trn d liu c gi i t

my con.

- Kha mt m ca my ch: Kha b mt dng mt m ha d liu gi i t server.

- Kha mt m ca my con: Kha b mt dng mt m ha d liu gi i t my con.

- Vector khi to: dng trong ch m ha CBC. Gi tr ny c khi to bi giao thc SSL Record.

- S th t gi: S th t cc bn tin c gi i v nhn v trn kt ni.

6. M T CC GIAI ON CA GIAO THC BO MT MNG KHNG DY 802.11i? CHO BIT

NHNG NNG CP CA 802.11i SO VI GII PHP BO MT TRONG 802.11?

* CC GIAI ON CA GIAO THC BO MT MNG 802.11i :

Trong m hnh tng qut, c ch ny p dng cho mng WLAN vi cc thnh phn bao gm STA (thit b

u cui di ng), AP (Access point), AS (Authentication Server).

- Discovery: AP gi cc bn tin Beacon v Probe Response qung b thng tin v mng v cc chnh sch bo mt ca mng WLAN. STA da trn cc thng tin ny kt ni n AP.

Mc ch ca giai on ny l AP v STA nhn din nhau, thng lng cc thng s mt m v thit lp lin kt vi nhau chun b cho cc bc tip theo. Cc chi tit c xc lp trong giai on ny bao gm:

+ Giao thc mt m v xc thc d liu gia AP v STA.

+ Phng php xc thc u cui.

+ C ch qun l kha.

- Authentication: STA tin hnh xc thc vi AS thng qua AP. Trong qu trnh ny, AP khng tham gia vo qu trnh xc thc m ch c vai tr chuyn tip cc bn tin gia STA v AS.

y l giai on xc thc 2 chiu gia STA v AS. C ch xc thc c thc hin theo m t ca 802.11X, s dng giao thc xc thc EAP (Extensible Authentication Protocol).

- Key Management: AP v STA thc hin qu trnh trao i kha.

Hai c ch trao i kha c th dng trong giai on ny: preshared key v Master Session Key (MSK). Preshared dng kha tnh c ci t i xng trn AP v STA, ngc li MSK th c to ra trong giai on xc thc dng giao thc EAP. Cc kha sau c sinh ra t hai kha chnh ny. Qu trnh thit lp kha c thc thng qua th tc bt tay 4 bc.

- Protected Data Transfer: Qu trnh truyn d liu gia cc STA thng qua AP. AP s ng vai tr trung gian trong vic m ha v gii m d liu.

D liu c trao i gia AP v STA c bo v bng mt trong 2 c ch: TKIP v CCMP:

+ TKIP (Temporal Key Integrity Protocol): D liu c xc thc bng MIC (da trn thut ton bm Michael) v m ha bng RC4.

+ CCMP (Counter Mode CBC MAC protocol): D liu c xc thc bng CMAC (CBC-based MAC) v m ha bng AES ch CTR (counter mode).

- Connection Termination: AP v STA thc hin th tc xa kt ni.

* NHNG CI TIN CA 802.11I SO VI C CH BO MT C:

- Mng LAN 802.11 c thit k c ch bo mt n gin, c gi l WEP (Wired Equivalent Privacy).

WEP s dng c ch bo mt yu nn c th b b kha d dng vi cc cng c c sn hin nay. Nhng

im yu c bn trong WEP:

+ S dng thut ton mt m yu (RC4) vi chiu di kha ngn (40 bit).

+ S dng CRC-32 cho c ch xc thc d liu khng an ton.

+ S dng kha tnh chung cho m ha v xc thc.

+ Khng c c ch trao i kha.

- Khc phc nhng nhc im , 802.11i cung cp cc ci tin sau:

+ S dng thut ton m ha mng (AES)

+ B sung c ch trao i kha

+ Thay th CRC-32 bi thut ton xc thc da trn hm bm Michael.

+ Phn bit c ch m ha v xc thc.

7. TRNH BY C CH HOT NG CA GII PHP BO MT EMAIL PGP (PRETTY GOOD

PRIVACY)? M T C CH M HA V XC THC P DNG TRONG PGP?

* C CH HOT NG CA PGP:

Files c M HA bng mt PUBLIC KEY. Public key ny ca bn c th c cng b rng ri. Nu bn

mun bn b, khch hng, i tc... ca bn m ha th gi n cho bn th bn cn phi cung cp

cho h public key ca bn. Files c GII M bng mt PRIVATE KEY. Ch c ai nm gi private key ny

mi c th gii m nhng bc th c m ha bng Public key ca bn.

- Xc thc ni dung th:

+ Bn tin gc ca ngi gi c bm bng hm bm SHA-1, m bm sau c m ha bng

RSA vi kha ring ca ngi gi to thnh ch k s c gi km vi bn tin gc.

+ Pha nhn tch bn tin gc v a vo hm bm SHA-1, ng thi gii m ch k s bng kha

cng khai ca ngi gi kim tra.

- Bo mt ni dung th:

+ Pha gi to mt s ngu nhin 128 bit v dng lm kha m ha bn tin gc ca ngi gi

bng cc thut ton mt m i xng (CAST_128 hoc DES/3DES) theo ch Cipher Feedback

64 bit (CFB).

+ Kha sinh ra c m ha bng RSA vi kha cng khai ca ngi nhn v gi km theo th.

+ Ngi nhn dng kha ring ca mnh gii m phc hi kha i xng v dng kha ny

gii m bn tin gc.

- Nn th:

+ Vic nn th nhm mc ch lm gim kch thc th vic truyn c thc hin nhanh hn,

ng thi lm tng hiu qu ca thut ton mt m.

- Chuyn m:

+ Sau khi x l th (xc thc, nn, m ha) th ni dung th s tr thnh mt khi d liu nh

phn, c th khng tng thch vi cc h thng th vn ch h tr nh dng vi m ASCII. Do

vy, PGP phi thc hin thao tc chuyn m nhm m bo ni dung th sau khi x l vn c th

c chuyn tip bnh thng trn cc mail server.

+ C ch chuyn m trong PGP c thc hin theo bng m base64 encoding (radix-64).

- Qun l kha:

+ Mi user duy tr mt tp cc kha cng khai ca nhng user khc, tp kha ny c qun l

bi mt keyring.

+ Trong PGP, ngi dng t to ra chng ch s, cc chng ch s ny c phn phi bi chnh

ngi dng.

+ Quan h tin cy gia cc user c thit lp thng qua m hnh Web of Trust.

* M T C CH M HA V XC THC P DNG TRONG PGP:

- PGP thc hin thao tc xc thc th trc v m ha sau.

+ Bm ni dung th bng hm bm SHA_1 v m ha m bm bng kha b mt ca ngi gi.

Gn kt qu vo u th lm ch k.

+ To kha i xng K v m ha ton b ni dung th (k c phn ch k va to ra)

+ M ha kha K bng kha cng khai ca ngi nhn v gn tip vo u th.

+ pha nhn, ngi nhn th gii m phn u th bng kha ring ca mnh ly kha K.

+ Gii m ni dung th (cng vi ch k s) bng kha K. Hon tt chc nng bo mt.

+ Gii m ch k s bng kha cng khai ca ngi gi. Hon tt chc nng xc thc.

M ha v xc thc th pha gi

M ha v xc thc th pha nhn.

8. TRNH BY C CH HOT NG S/MIME TRONG BO MT DCH V EMAIL? SO SNH C

CH M HA V XC THC CA S/MIME VI PGP?

* C CH HOT NG CA S/MINE:

- S/MIME a vo hai phng php an ninh cho email. Th nht l m ha email, th hai l chng thc.

C hai cch u da trn m ha bt i xng v PKI.

+ Chng thc email s dng cp kha authentication (authentication pair). ng tc k = m ha

message bng private key ca ngi gi. Chng thc = dng public key ca ngi gi gii m bn

tin.

+ M ha email s dng cp kha encryption (encryption pair). ng tc m ha = m ha

message bng public key ca ngi nhn. Gii m bng private key ca ngi nhn.

- M ha ni dung th:

+ To kha i xng tng ng vi thut ton m ha dng trong m ha ni dung th.

+ M ha kha i xng ny bng RSA vi kha cng khai ca tng ngi nhn.

+ To khi thng tin ngi nhn (ReceipientInfo block) m t thng tin v ngi nhn gm

certificate ca ngi nhn, thut ton m ha bt i xng c dng m ha cng vi kha

i xng c m ha. Trng hp mt bn tin gc c gi cho nhiu ngi th c mi ngi

nhn s c mt khi thng tin tng ng.

+ M ha bn tin gc vi kha i xng va to ra.

- Xc thc ni dung th:

+ Chn mt hm bm thch hp (MD5 hoc SHA_1)

+ To m bm ca bn tin gc dng hm bm va chn.

+ M ha m bm bng kha ring ca ngi gi.

+ To khi thng tin ngi gi (SignerInfo) cha cc thng tin bao gm certificate ca ngi

gi, tn hm bm, tn thut ton m ha v khi m bm m ha.

- Ton b cc thng tin bao gm bn tin gc v khi thng tin ngi gi c chuyn thnh m base64.

9. CHC NNG V C CH HOT NG CA H THNG PHT HIN XM NHP IDS? PHN

LOI CC H THNG IDS? CC THNH PHN CHNH CA MT H THNG IDS IN HNH?

* CHC NNG CA IDS:

- Th ng gim st cc hot ng ca h thng.

- Pht hin cc du hiu xm nhp v a ra cnh bo (alert).

- Khng thc hin chc nng ngn chn xm nhp(Intrusion Prevention System hay IPS).

* C CH HOT NG CA IDS:

- Mt host to ra mt gi tin mng, gi tin ny khng khc g so vi mt gi tin khc tn ti v c

gi t host khc trong mng.

- Cc cm bin trong mng c cc gi tin trong khong thi gian trc khi n c gi ra khi mng cc

b (cm bin ny cn phi c t sao cho n c th c tt c cc gi tin).

- Chng trnh pht hin nm trong b cm bin kim tra xem c gi tin no c du hiu vi phm hay

khng. Khi c du hiu vi phm th mt cnh bo s c to ra v gi n giao din iu khin.

- Khi giao din iu khin lnh nhn c cnh bo n s gi thng bo cho mt ngi hoc mt nhm

c ch nh t trc (thng qua email,ca s popup,trang web.v.v).

- Phn hi c khi to theo quy nh ng vi du hiu xm nhp ny.

- Cc cnh bo c lu li tham kho trong tng lai (trn a ch cc b hoc trn c s d liu).

- Mt bo co tm tt v chi tit ca s c c to ra.

- Cnh bo c so snh vi cc d liu khc xc nh xem y c phi l cuc tn cng hay khng.

* PHN LOI IDS:

- Phn loi theo phm vi gim st

+ Network-based IDS (NIDS): l nhng IDS gim st trn ton b mng. Ngun thng tin ch yu

ca NIDS l cc gi d liu ang lu thng trn mng. NIDS thng c lp t ti ng vo ca

mng, c th ng trc hoc sau tng la.

+ Host-based IDS (HIDS): l nhng IDS gim st hot ng ca tng my tnh ring bit. Do vy,

ngun thng tin ch yu ca HIDS ngoi lu lng d liu n v i t my ch cn c h thng

d liu nht k h thng (system log) v kim tra h thng (system audit).

- Phn loi theo k thut thc hin

+ Signature-based IDS: pht hin xm nhp da trn du hiu ca hnh vi xm nhp, thng qua

phn tch lu lng mng v nht k h thng. K thut ny i hi phi duy tr mt c s d liu

v cc du hiu xm nhp (signature database), v c s d liu ny phi c cp nht thng

xuyn mi khi c mt hnh thc hoc k thut xm nhp mi.

+ Anomaly based IDS: pht hin xm nhp bng cch so snh (mang tnh thng k) cc hnh vi

hin ti vi hot ng bnh thng ca h thng pht hin cc bt thng (anomaly) c th l

du hiu ca xm nhp.

* CC THNH PHN CHNH CA MT H THNG IDS IN HNH:

- Thnh phn thu thp gi tin (information collection).

- Thnh phn phn tch gi tin (Detection).

- Thnh phn phn hi (response) nu gi tin c pht hin l mt cuc tn cng.

10. CHC NNG V C CH HOT NG CA H THNG FIREWALL? PHN LOI FIREWALL?

SO SNH C CH HOT NG CA APPLICATION PROXY V SOCKS PROXY?

* CHC NNG CA FIREWALL:

- Kh nng bt gi(packet firewall): firewall s kim tra phn header ca cc gi tin v a ra quyt nh

l cho php hay loi b gi tin ny theo tp lut c cu hnh.

- Chuyn i a ch mng(NAT): cc my bn ngoi ch thy mt hoc hai a ch mng ca firewall

cn cc my thuc mng trong c th ly cc gi tr trong mt khong bt k th cc gi tin i vo v i ra

cn c chuyn i a ch ngun v a ch ch.

- Theo di v ghi chp(monitoring v logging): vi kh nng ny cung cp cho ngi qun tr bit iu g

ang xy ra ti firewall t a ra nhng phng n bo v tt hn.

- Data caching: caching d liu s gip qu trnh tr li nhanh v hiu qu hn.

- Lc ni dung(content filter): cc lut ca firewall c kh nng ngn chn cc yu cu trang WEB m n

cha cc t kha, url hay cc d liu khc nh video stream, image

- Intrustion detection: l kh nng pht hin cc cuc xm nhp, tn cng.

* C CH HOT NG CA FIREWALL:

- Firewall hot ng cht ch vi giao thc TCP/IP, v giao thc ny lm vic theo thut tan chia nh cc

d liu nhn c t cc ng dng trn mng, hay ni chnh xc hn l cc dch v chy trn cc giao

thc (Telnet, SMTP, DNS, SMNP, NFS ) thnh cc gi d liu ri gn cho cc packet ny nhng a ch

c th nhn dng, ti lp li ch cn gi n, do cc loi Firewall cng lin quan rt nhiu n cc

packet v nhng con s a ch ca chng.

- B lc packet cho php hay t chi mi packet m n nhn c. N kim tra ton b on d liu

quyt nh xem on d liu c tha mn mt trong s cc lut l ca lc packet hay khng. Cc lut

l lc packet ny l da trn cc thng tin u mi packet (header), dng cho php truyn cc packet

trn mng:

+ a ch IP ngun (IP Source Address)

+ a ch IP ch (IP Destination Address)

+ Protocol (TCP, UDP, ICMP, IP tunnel)

+ TCP/UDP source port

+ TCP/UDP destination port

+ Dng thng bo ICMP (ICMP message type)

+ Cng gi tin n (Incomming interface of packet)

+ Cng gi tin i (Outcomming interface of packet)

- Nu packet tha cc lut l c thit lp trc ca Firewall th packet c chuyn qua, nu

khng tha th s b loi b.

* PHN LOI FIREWALL:

C 2 loi firewall:

- Packet filter firewall

+ Stateless: Kim tra tng gi tin mt cch c lp.

+ Stateful: Ch kim tra trng thi.

- Application firewall

+ Application proxy

+ Socks proxy

* SO SNH APPLICATION PROXY V SOCKS PROXY: