LuanVanCNTT-CacPPLapTrinhVuotFirewall


8/14/2019 LuanVanCNTT-CacPPLapTrinhVuotFirewall 1/94

UNIVERSITY OF NATURAL SCIENCES
FACULTY OF INFORMATION TECHNOLOGY
DEPARTMENT OF COMPUTER NETWORKS & TELECOMMUNICATIONS

PHAN TRUNG HIEU - TRAN LE QUAN

PROGRAMMING METHODS FOR BYPASSING FIREWALLS

BACHELOR'S THESIS IN INFORMATICS

ACADEMIC YEARS 2001 - 2005

Graduation thesis, Computer Networks - Supervisor: MSc. Hong Cng

UNIVERSITY OF NATURAL SCIENCES
FACULTY OF INFORMATION TECHNOLOGY
DEPARTMENT OF COMPUTER NETWORKS & TELECOMMUNICATIONS

PHAN TRUNG HIEU 0112463
TRAN LE QUAN 0112319

PROGRAMMING METHODS FOR BYPASSING FIREWALLS

BACHELOR'S THESIS IN INFORMATICS

SUPERVISOR: MSc. Hong Cng

ACADEMIC YEARS 2001 - 2005

Phan Trung Hieu (student ID 0112463) - Page 2 - Tran Le Quan (student ID 0112319)

COMMENTS OF THE SUPERVISOR

COMMENTS OF THE REVIEWER

ACKNOWLEDGEMENTS

After more than six months of effort, the research thesis "Programming methods for bypassing firewalls" has been largely completed. Beyond our own efforts, we received a great deal of encouragement from the university, our teachers, our families and our friends in the faculty. This gave us the motivation we needed to complete our thesis well.

First of all, we thank our parents, who have always supported and cared for us and created the best possible conditions for us to complete our task.

We thank the university in general and the Faculty of Information Technology in particular for giving us the invaluable knowledge needed to complete this thesis and to carry with us into life.

We thank the lecturers of the Computer Networks department, especially our supervisor Mr. Hong Cng, who guided and helped us attentively whenever we ran into difficulties during our studies and during the writing of this graduation thesis.

We thank all our dear friends who encouraged and helped us throughout our studies and this project.

Once again, thank you all.

Ho Chi Minh City, July 2005

The student team: Phan Trung Hieu, Tran Le Quan

PREFACE

The thesis is presented in eight chapters grouped into five parts:

Part one: THEORETICAL BASIS
- Chapter 1: Introduction to firewalls
- Chapter 2: The proxy concept
- Chapter 3: Programming methods for bypassing firewalls

Part two: PROGRAMMING METHODS FOR BYPASSING FIREWALLS
- Chapter 4: Bypassing firewalls with HTTP proxy servers
- Chapter 5: Bypassing firewalls with web-based proxies

Part three: ANTI-BYPASS MODULES
- Chapter 6: Anti-bypass plug-in for the Internet Explorer browser
- Chapter 7: Anti-bypass service

Part four: CONCLUSION
- Chapter 8: Conclusion

Part five: APPENDIX

TABLE OF CONTENTS

Chapter 1: INTRODUCTION TO FIREWALLS ... 11
  1.1 Problem statement ... 11
  1.2 The need to protect information ... 11
    1.2.1 Causes ... 11
    1.2.2 Protecting data ... 13
    1.2.3 Protecting resources used on the network ... 13
    1.2.4 Protecting the organisation's reputation ... 13
  1.3 Types of attack ... 14
    1.3.1 Direct attacks ... 14
    1.3.2 Eavesdropping ... 15
    1.3.3 Address spoofing ... 15
    1.3.4 Disabling system functions (DoS, DDoS) ... 15
    1.3.5 System administrator errors ... 16
    1.3.6 Attacks on the human factor ... 17
  1.4 What is a firewall? ... 17
  1.5 Main functions ... 19
    1.5.1 Functions ... 19
    1.5.2 Components ... 20
  1.6 Principle ... 21
  1.7 Types of firewall ... 23
  1.8 General concepts of firewalls ... 25
    1.8.1 Application-gateway-based firewalls ... 25
    1.8.2 Circuit-level gateways ... 27
    1.8.3 Limitations of firewalls ... 28
    1.8.4 Is a firewall easy to break? ... 28
  1.9 Some firewall models ... 30
    1.9.1 Packet-filtering router ... 30
    1.9.2 Single-homed bastion host model ... 32
    1.9.3 Dual-homed bastion host model ... 34
    1.9.4 Proxy server ... 36
    1.9.5 Firewall proxy server software ... 37
  1.10 Closing remarks ... 46
Chapter 2: THE PROXY CONCEPT ... 47
  2.1 What is a proxy? ... 47
  2.2 Why proxies came about ... 48
  2.3 Summary of proxies ... 48
Chapter 3: PROGRAMMING METHODS FOR BYPASSING FIREWALLS ... 50
  3.1 What is bypassing a firewall? ... 50
  3.2 Method one: HTTP proxy ... 50
  3.3 Method two: web-based proxy ... 51
  3.4 Method three: HTTP tunneling ... 51
Chapter 4: BYPASSING FIREWALLS WITH HTTP PROXIES ... 53
  4.1 When HTTP proxy servers become useful ... 53
  4.2 Main functions ... 56
    4.2.1 Internet access ... 56
    4.2.2 Caching documents ... 57
    4.2.3 Selective control of Internet access ... 59
    4.2.4 Providing Internet services to organisations using private (virtual) IP addresses ... 60
  4.3 A transaction through a proxy ... 60
  4.4 Connecting through a proxy server ... 61
  4.5 HTTP proxy ... 61
  4.6 FTP proxy ... 62
  4.7 Advantages and disadvantages of caching web pages ... 63
  4.8 Drawbacks caused by proxies ... 63
  4.9 Basic techniques for programming an HTTP proxy ... 64
Chapter 5: BYPASSING FIREWALLS WITH WEB-BASED PROXIES ... 65
  5.1 What is a web-based anonymous proxy? ... 65
  5.2 How a WBP works ... 66
  5.3 Introduction to the web-based proxy page ... 67
    5.3.1 Interface ... 67
    5.3.2 Functions ... 67
    5.3.3 Algorithm ... 69
Chapter 6: ANTI-BYPASS PLUG-IN FOR THE INTERNET EXPLORER BROWSER ... 73
  6.1 Brief introduction ... 73
  6.2 Main features ... 74
    6.2.1 Filtering web pages by scanning the list of pages held in the database ... 74
    6.2.2 Filtering web pages by checking the address (URL) ... 74
    6.2.3 Filtering by the content of input forms in the page ... 75
    6.2.4 Updating the list of web-based proxy pages ... 76
    6.2.5 Disabling/enabling the plugin ... 76
  6.3 Points to note when writing a plugin for the IE browser ... 76
    6.3.1 The Browser Helper Objects (BHO) concept ... 76
    6.3.2 Some important handler functions ... 78
  6.4 Data storage details ... 79
    6.4.1 The Forbidden table ... 79
    6.4.2 The Trusted table ... 79
  6.5 Main algorithm of the application ... 79
    6.5.1 Operating model of the plugin ... 79
    6.5.2 Explanation of the model ... 81
  6.6 Advantages and limitations ... 82
Chapter 7: ANTI-BYPASS SERVICE ... 83
  7.1 Brief introduction ... 83
  7.2 Main features of the module ... 83
  7.3 Packet-capture module ... 84
    7.3.1 Characteristics of HTTP request packets sent to an HTTP proxy server ... 84
    7.3.2 Summary of points to note when building the module ... 84
    7.3.3 Details of the main objects and handler functions of the module ... 85
  7.4 IP-address-blocking module ... 85
    7.4.1 Introduction to filter-hook drivers ... 85
    7.4.2 Summary of the steps to build a filter-hook driver for packet capture ... 86
  7.5 Data storage details ... 86
    7.5.1 The ForbiddenProxy table ... 86
    7.5.2 The TrustedProxy table ... 86
  7.6 Operating diagram of the IP-address-blocking module ... 87
  7.7 Explanation of the model ... 87
  7.8 Remarks and evaluation ... 88
    7.8.1 Advantages ... 88
    7.8.2 Disadvantages ... 89
Chapter 8: CONCLUSION ... 90
  8.1 Results achieved ... 90
  8.2 Directions for further development ... 91

LIST OF FIGURES

Figure 1 DDoS attack model ... 16
Figure 2 Firewall model ... 18
Figure 3 Packet filtering at the firewall ... 18
Figure 4 Some functions of a firewall ... 20
Figure 5 Packet filtering ... 21
Figure 6 Firewall configured on the router ... 23
Figure 7 Software firewall ... 26
Figure 8 Attacking the system from outside ... 29
Figure 9 Packet filtering ... 31
Figure 10 Single-homed bastion host model ... 33
Figure 11 Dual-homed bastion host model ... 35
Figure 12 A simple proxy model ... 37
Figure 13 Some protocols behind a proxy ... 39
Figure 14 Proxy model ... 48
Figure 15 General operating model of proxies ... 55
Figure 16 Some supported protocols ... 56
Figure 17 Caching ... 58
Figure 18 Caching failure ... 59
Figure 19 A transaction through a proxy ... 60
Figure 20 Retrieving information through an HTTP proxy ... 62
Figure 21 Retrieving information through an FTP proxy ... 62
Figure 22 Main interface of the web-based proxy ... 67
Figure 23 Mini form at the top of every page ... 68
Figure 24 Operating diagram of a web-based proxy page ... 69
Figure 25 Main interface of the plug-in ... 73
Figure 26 Notification page shown whenever the user browses a violating page ... 74
Figure 27 Typical layout of a web-based proxy page ... 75
Figure 28 How the browser starts up and loads BHOs ... 77
Figure 29 Operating model of the plugin ... 80
Figure 30 Format of the packet sent to the proxy server ... 84
Figure 31 Operating diagram of the IP-address-blocking module ... 87

LIST OF TABLES

PART ONE

THEORETICAL BASIS

Chapter 1: INTRODUCTION TO FIREWALLS

1.1 Problem statement:

Alongside building an information technology foundation and developing computer applications in production, business, science, education, society and so on, protecting those achievements is indispensable. Using firewalls to protect the internal network (intranet) against attacks from outside is an effective solution that ensures the following:

- Safety for the operation of the whole network system
- High security in many respects
- High controllability
- Guaranteed fast speed
- Flexibility and ease of use
- Transparency to the user
- Guaranteed open architecture

1.2 The need to protect information:

1.2.1 Causes:

Today the Internet, an enormous store of information that serves production and business effectively, has become a target for many attackers with various motives. Sometimes it is simply to test one's skill or to play a prank on others.

With the continuous growth of the Internet and the services on it, the number of attacks on the Internet has also grown exponentially. While the mass media increasingly talk about the Internet and its seemingly boundless access to information, the specialist literature has begun to pay much attention to the problem of securing data on computers connected to the Internet.

According to figures from CERT (Computer Emergency Response Team), the number of Internet attacks reported to that organisation was fewer than 200 in 1989, about 400 in 1991, 1,400 in 1993, and 2,241 in 1994. These attacks targeted every kind of computer present on the Internet: the computers of large companies such as AT&T and IBM, universities, government agencies, military organisations, banks and so on. Some attacks were enormous in scale (up to 100,000 computers attacked). Moreover, these figures are only the tip of the iceberg. A very large share of attacks go unreported, for many reasons, among them fear of losing reputation, or simply that the system administrators never knew about the attacks aimed at their systems.

Not only has the number of attacks grown rapidly, but attack methods are continually being refined. This is partly because administrators of Internet-connected systems have become increasingly vigilant. Also according to CERT, attacks in the 1988-1989 period mainly involved guessing user names and passwords (UserID-password) or using bugs in programs and operating systems (security holes) to disable protection systems; more recent attacks, however, also include operations such as IP address spoofing, monitoring information transmitted over the network, and hijacking remote sessions (telnet or rlogin).

The need to protect information on the Internet can be divided into three categories: protecting data; protecting the resources used on the network; and protecting the organisation's reputation.

1.2.2 Protecting data:

Information stored on computer systems needs to be protected because of the following requirements:

- Confidentiality: information of economic, military, policy and similar value must be kept secret.
- Integrity: information must not be lost, modified or substituted.
- Timeliness: information must be accessible at the moment it is needed.

Of these, confidentiality is usually regarded as the number one requirement for information stored on a network. However, even when the information is not secret, the integrity requirement is still very important. No individual or organisation wastes material resources and time storing information whose correctness is unknown.

1.2.3 Protecting resources used on the network:

In practice, in Internet attacks, an attacker who has taken control of an internal system can use those machines for their own purposes, such as running password-guessing programs against users, or using the available network links to go on attacking other systems.

1.2.4 Protecting the organisation's reputation:

A large share of attacks are not widely reported, and one reason is fear of damage to the organisation's reputation, especially for large companies and important state agencies. When the system administrator only learns of an attack after their own system has been used as a stepping stone to attack other systems, the damage to reputation is severe and can have lasting consequences.

1.3 Types of attack:

1.3.1 Direct attacks:

Direct attacks are usually used in the initial phase to gain internal access. A classic attack method is guessing user names and passwords. This is a simple method, easy to carry out, and it requires no special conditions to begin.

An attacker can use information such as the user's name, date of birth, address, house number and so on to guess the password. Given a list of users and information about their working environment, there are programs that automate this password search.

A program that can easily be obtained from the Internet to crack the encrypted passwords of Unix systems, called crack, is able to try combinations of words from a large dictionary according to user-defined rules. In some cases the success rate of this method can reach 30%.

Exploiting bugs in application programs and in the operating system itself has been used since the earliest attacks and continues to be used to gain access. In some cases this method gives the attacker the privileges of the system administrator (root or administrator).

Two examples frequently given to illustrate this method are the sendmail program and the rlogin program of the UNIX operating system.

Sendmail is a complex program whose source code consists of thousands of lines of C. Sendmail runs with the privileges of the system administrator, because the program must be able to write to the mailboxes of the machine's users, and it directly accepts mail requests from the external network. These are precisely the factors that make sendmail a source of security holes for gaining access to the system.

Rlogin lets a user on one machine log in remotely to another machine to use its resources. When receiving the user's name and password, rlogin does not check the length of the input line, so an attacker can supply a precomputed string that overwrites rlogin's program code and thereby gain access.

1.3.2 Eavesdropping:

Eavesdropping on network traffic can yield useful information such as user names and passwords and confidential data sent over the network. Eavesdropping is usually carried out right after the attacker has gained access to the system, using programs that put the network interface into a mode that captures all traffic passing on the network. Such programs can also easily be obtained on the Internet.

1.3.3 Address spoofing:

IP address spoofing can be carried out using the source-routing capability. In this attack, the attacker sends IP packets to the internal network with a forged IP address (usually the address of a network or host regarded as trusted by the internal network), while also specifying the path the IP packets must take.

1.3.4 Disabling system functions (DoS, DDoS):

This kind of attack aims to paralyse a system so that it cannot perform the function it was designed for. It cannot be prevented entirely, because the means used to mount the attack are the same means used to work and access information on the network. For example, issuing ping at the highest possible rate forces a system to spend all of its computing capacity and network bandwidth answering these requests, leaving no resources for other useful work.
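As an added illustration of how a defender would notice the ping-flood case described above (example code written for this page, not part of the thesis), the following Python detector reads constructed log lines of ICMP traffic and flags any source whose echo-request rate in a sliding one-second window exceeds a threshold. The log format, the addresses and the threshold of 100 requests per second are assumptions made for the example.

```python
"""Rate-based detector for ICMP echo-request floods over constructed log lines."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not taken from the thesis): one ordinary host sends two
# pings 1.5 s apart, while a second host sends 120 echo requests inside 0.6 s.
SAMPLE_LOG = "\n".join(
    ["2005-07-01T10:00:00.000 ICMP echo-request 192.0.2.10 -> 10.0.0.5"]
    + [f"2005-07-01T10:00:00.{ms:03d} ICMP echo-request 203.0.113.9 -> 10.0.0.5"
       for ms in range(0, 600, 5)]
    + ["2005-07-01T10:00:01.500 ICMP echo-request 192.0.2.10 -> 10.0.0.5",
       "2005-07-01T10:00:02.000 ICMP echo-reply 10.0.0.5 -> 192.0.2.10"]
)


def parse_line(line):
    """Split one constructed log line into (timestamp, protocol, kind, src, dst)."""
    ts, proto, kind, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts), proto, kind, src, dst


def detect_icmp_floods(log_text, threshold=100, window_s=1.0):
    """Return {source: peak echo-requests seen in any window_s-second window}
    for every source whose peak exceeds threshold.

    Lines are assumed to be in time order per source; a deque holds the
    timestamps inside the current window, so memory stays bounded by the
    highest rate rather than by the log size."""
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for line in log_text.splitlines():
        ts, proto, kind, src, _dst = parse_line(line)
        if proto != "ICMP" or kind != "echo-request":
            continue  # replies and other protocols do not count towards a flood
        q = windows[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # slide the window forward
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > threshold}


if __name__ == "__main__":
    for src, rate in detect_icmp_floods(SAMPLE_LOG).items():
        print(f"ALERT: {src} sent {rate} echo requests within 1 s")
```

On the sample log the ordinary host peaks at one request per window and is ignored, while 203.0.113.9 peaks at 120 and is reported; the threshold is the tuning knob a defender adjusts against the baseline of their own network.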

Figure 1 DDoS attack model

- Client: the attacker who arranges the attack
- Handler: a compromised host running special programs used for the attack
- Each handler can control many agents
- Each agent is responsible for sending a data stream to the victim

1.3.5 System administrator errors:

This is not an attack technique of intruders as such; however, errors by the system administrator often create holes that an attacker can use to gain access to the internal network.

1.3.6 Attacks on the human factor:

An attacker may contact a system administrator, posing as a user, to ask for a password change, a change to their access rights on the system, or even a change to some system configuration in order to carry out other attack methods. No device can effectively block this kind of attack; the only way is to educate users of the internal network about security requirements so that they stay alert to suspicious events. In general the human factor is a weak point in any protection system, and only education together with a cooperative attitude from users can raise the security of the protection system.

1.4 What is a firewall?

The term "firewall" comes from a construction technique for containing and limiting fires. In network technology, a firewall is a technique integrated into the network system to prevent unauthorised access, protecting internal information resources and limiting unwanted intrusion into the system. A firewall can also be understood as a mechanism for protecting a trusted network from untrusted networks.

A firewall is usually placed between the internal network (intranet) of a company, organisation, sector or country, and the Internet. Its main role is to secure information, blocking unwanted access from outside (the Internet) and forbidding access from inside (the intranet) to certain addresses on the Internet.

Figure 2 Firewall model

In short, a firewall is a system that blocks unauthorised access from outside into the network as well as invalid connections from inside going out. The firewall filters out invalid addresses according to predefined rules or criteria.

Figure 3 Packet filtering at the firewall

A firewall may be hardware, software, or a combination of both. If hardware, it may consist of nothing more than a packet filter, or of a router with built-in packet-filtering functions. Routers have advanced security features, including the ability to control IP addresses. The control process lets you define which IP addresses may connect to your network and vice versa. What firewalls have in common is that they distinguish IP addresses on the basis of packets, or refuse illegitimate access on the basis of the source address.

1.5 Main functions:

1.5.1 Functions:

The main function of a firewall is to control the flow of information between the intranet and the Internet. It establishes a mechanism for controlling the flow of information between the internal network (intranet) and the Internet. Specifically:

- Allow or forbid services accessing outward (from the intranet to the Internet).
- Allow or forbid services accessing inward (from the Internet to the intranet).
- Monitor the flow of network data between the Internet and the intranet.
- Control access addresses and forbid access addresses.
- Control users and their access.
- Control the content of information circulating on the network.

Figure 4 Some functions of a firewall

1.5.2 Components:

A standard firewall consists of one or more of the following components:

- Packet filter (packet-filtering router)
- Application gateway (application-level gateway or proxy server)
- Circuit-level gateway

Packet filter (packet-filtering router).

1.6 Principle:

When we speak of data passing between networks through a firewall, this means that the firewall works closely with the TCP/IP protocol. This protocol works by splitting the data received from network applications, or more precisely from the services running over the protocols (Telnet, SMTP, DNS, SNMP, NFS...), into data packets and assigning those packets addresses so that they can be identified and reassembled at the destination; consequently, all kinds of firewalls are very much concerned with packets and their address numbers.

Figure 5 Packet filtering

The packet filter accepts or rejects each packet it receives. It examines the whole datagram to decide whether it satisfies one of the packet-filtering rules. These rules are based on the information at the head of each packet (the packet header), which is used to route the packet over the network. That information is:

- Source IP address
- Destination IP address
- Transport protocol (TCP, UDP, ICMP, IP tunnel)
- TCP/UDP source port
- TCP/UDP destination port
- ICMP message type
- Incoming interface of the packet
- Outgoing interface of the packet

If a packet-filtering rule is satisfied, the packet is passed through the firewall; otherwise it is dropped. This lets the firewall block connections to specified hosts or networks, or lock out access to the internal network from disallowed addresses. Furthermore, port control lets the firewall permit only certain kinds of connection to certain kinds of host, or allow only certain permitted services (Telnet, SMTP, FTP...) to run on the local network.

Advantages:

Most firewall systems use a packet filter. One advantage of packet filtering is its low cost, since the packet-filtering mechanism is already included in every router's software.

In addition, packet filtering is transparent to users and applications, so it requires no special training.

Limitations:

Defining the packet-filtering rules is fairly complex; it requires the network administrator to have detailed knowledge of Internet services, packet header formats, and the specific values each field can take. When
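To make the rule evaluation concrete, here is an added example (written for this page, not code from the thesis) of a first-match packet filter in Python that decides on exactly the header fields listed above and drops anything no rule matches, which is the default-deny behaviour the section describes. The rule set, the interface names "ext" and "int", the 10.0.0.0/8 intranet range and the mail server address 10.0.0.25 are constructed for illustration. The first rule is an anti-spoofing check that uses the incoming interface to reject packets claiming an internal source while arriving from outside, which goes slightly beyond the text by showing how the interface fields make such a check possible.

```python
"""First-match packet filter over the header fields a filtering router sees."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields the filter inspects (constructed, not a real capture)."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: Optional[int] = None     # TCP/UDP source port
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[int] = None  # ICMP message type
    in_if: str = ""                 # incoming interface
    out_if: str = ""                # outgoing interface


@dataclass(frozen=True)
class Rule:
    """A filtering rule; None means 'any' for that field, CIDR for addresses."""
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        # Every remaining field is either a wildcard (None) or must match exactly.
        for want, have in ((self.proto, p.proto), (self.sport, p.sport),
                           (self.dport, p.dport), (self.icmp_type, p.icmp_type),
                           (self.in_if, p.in_if), (self.out_if, p.out_if)):
            if want is not None and want != have:
                return False
        return True


# Assumed topology for the example: "ext" faces the Internet, "int" the intranet.
INTRANET = "10.0.0.0/8"
MAIL_SERVER = "10.0.0.25/32"

RULES = [
    Rule("deny", src=INTRANET, in_if="ext",
         comment="anti-spoofing: internal source address arriving from outside"),
    Rule("allow", dst=MAIL_SERVER, proto="tcp", dport=25, in_if="ext",
         comment="inbound SMTP to the mail server only"),
    Rule("allow", src=INTRANET, proto="tcp", dport=80, in_if="int", out_if="ext",
         comment="outbound HTTP from the intranet"),
    Rule("allow", src=INTRANET, proto="udp", dport=53,
         comment="outbound DNS queries"),
    Rule("allow", dst=INTRANET, proto="icmp", icmp_type=0,
         comment="echo replies coming back to internal hosts"),
]


def filter_packet(p: Packet, rules=RULES):
    """Return (action, rule_index, comment) for the first matching rule,
    or a default deny with index -1 when no rule matches."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i, rule.comment
    return "deny", -1, "default deny: no rule matched"


if __name__ == "__main__":
    probe = Packet("10.0.0.5", "10.0.0.25", "tcp", 40000, 25, in_if="ext", out_if="int")
    print(filter_packet(probe))  # spoofed internal source is caught by rule 0
```

Note that the filter sees only headers: a packet to port 25 that matches rule 1 is let through whatever its payload contains, which is the content-inspection limitation the section goes on to describe.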

Because it works on packet headers, the packet filter clearly cannot control the content of packets. Packets that pass through may still carry the actions of a malicious party intent on stealing information or causing damage.

1.7 Types of firewall:

Each type of firewall has its own advantages and limitations. The most common type is the network-level firewall. This type is usually based on a router, so the rules defining legitimate access are set up on the router itself. This firewall model uses the packet-filtering technique, which is the process of controlling packets passing through the router.

Figure 6 Firewall configured on the router

  • 8/14/2019 LuanVanCNTT-CacPPLapTrinhVuotFirewall

    24/94

    Lun vn tt nghip Mng my tnh GVHD: ThS Hong Cng

In operation, a router-based firewall checks the source address of each packet, that is, where the packet originates. Once identified, each source IP address is checked against the rules set in advance by the network administrator.

A router-based firewall works very fast because it only glances at the source addresses, places no real demand on the router, and wastes no time processing wrong or invalid addresses. However, there is a price to pay: apart from the access controls themselves, packets carrying a spoofed source address can still reach your hosts to some degree.

Some packet-filtering techniques can be combined with the firewall to overcome this weakness. The IP address is not the only part of a packet that the router can match on. The administrator should apply several rules together, using the other identifying information carried with the packet, such as time, protocol and port, to strengthen the filtering conditions. The weaknesses of packet filtering on a router-based firewall do not end there, however.

Some Remote Procedure Call (RPC) services are very hard to filter effectively, because the associated servers bind to ports that are assigned at random when the system starts. The port-mapper service (portmapper) maps RPC calls onto fixed program numbers, but since the packet-filtering router has no way to relate those numbers to ports, it cannot tell which service is using which port and therefore cannot block these services completely, unless it blocks all UDP packets (RPC services mostly use UDP, the User Datagram Protocol). Blocking all UDP also blocks services that are needed, such as DNS (Domain Name Service). This leads to a dilemma.


1.8 General concepts of firewalls:

One of the main ideas behind a firewall is to hide your network from the view of outside users who are not permitted to connect, or at least to stop them probing the network. This process enforces the filtering criteria defined by the administrator.

In theory, a firewall is the safest protection when your network is connected to the Internet. Problems nevertheless remain in this security environment. If the firewall is configured too strictly, the network's normal work suffers, especially in environments where users depend entirely on distributed applications. Because the firewall enforces a strict security policy, it can become a bottleneck. In short, the tighter the security, the more the functionality is restricted.

Another problem is that a firewall puts all the eggs in one basket. Because it is the barrier against illegitimate connections, a single hole in it can be enough to wreck your network. The firewall maintains the security environment, acting as both access controller and security enforcer. It is often described as the gateway of the network, the place where access rights are verified. But what happens when it is disabled? If a technique for defeating the firewall is discovered, the gatekeeper is effectively eliminated and the survival of the network hangs by a thread. Before building a firewall, therefore, you should think carefully and, of course, understand your own network thoroughly.

One more point: a firewall can also block unauthorised connections from the inside out. At first glance this is clearly beneficial, but in some cases it brings limitations of its own.

1.8.1 Application-gateway firewalls:

A common type is the firewall based on an application proxy. It works somewhat differently from the packet-filtering router. An application gateway is software-based. When an unidentified remote user connects to a network running an application gateway, the gateway intercepts the remote connection. Instead of passing it straight through, the gateway checks the components of the connection against predefined rules. If the rules are satisfied, the gateway creates a bridge between the source host and the destination host.

Figure 7: Software firewall

The bridge acts as an intermediary between two protocols. For example, in a typical gateway model IP packets are not forwarded into the local network at all; instead a translation step takes place in which the gateway acts as the interpreter.

The advantage of an application-gateway firewall is that no IP forwarding is required. More importantly, the controls are applied directly to the connection. Finally, each tool provides convenient features for network access. Because every packet is accepted, examined, translated and re-sent, this type of firewall is limited in speed. IP forwarding occurs when a server receives a request from outside to forward IP traffic into the internal network. Enabling IP forwarding on the gateway is a mistake that must be avoided: once it is on, an attacker can reach the workstations on your network directly.

Another limitation of this model is that a separate proxy application has to be written for each network service: one application for Telnet, another for HTTP, and so on.

Because no IP forwarding takes place, IP packets whose destination is not recognised cannot reach the computers on your network, so an application-gateway system offers higher security.

1.8.2 Circuit-level gateway:

A circuit-level gateway is a special function that an application gateway can perform. The circuit gateway simply relays TCP connections without doing any processing or packet filtering.

Example: a circuit gateway relays a telnet connection through the firewall without inspecting, filtering or controlling any of the Telnet protocol. It works like a wire, copying bytes between the inside connection and the outside connection. Because the connections appear to originate from the firewall system, however, it hides information about the internal network.

Circuit gateways are usually used for outbound connections, where the network administrator genuinely trusts the inside users. Their biggest advantage is that a bastion host can be configured as a hybrid that provides an application gateway for inbound connections and a circuit gateway for outbound connections. This makes the firewall easy to use for people on the internal network who want direct access to Internet services, while still providing the firewall's protection of the internal network against attacks from outside.
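The following is an added example, not code from this thesis or from any firewall product, showing what a circuit-level gateway (and likewise the "plug gateway" described later) actually does: it accepts an inside connection, applies the only control it has, a check on the client's address, and then copies bytes in both directions without interpreting them. The outside host is stood in for by a loopback echo server, and the allow-list of client addresses is an assumption of the example.

```python
"""Circuit-level gateway: a TCP relay that copies bytes both ways, blindly.

Added example (not the thesis's code). The echo server stands in for the
outside host; everything runs on loopback so it works offline.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src sends EOF, then half-close dst.

    The gateway never looks at the data, so a telnet session, HTTP or any
    other protocol is relayed unchanged: this is the "wire" of the text.
    """
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate the FIN to the other side
        except OSError:
            pass


def relay(inside, outside):
    """Run one circuit: one pump per direction, then close both sockets."""
    pumps = [threading.Thread(target=_pump, args=(inside, outside)),
             threading.Thread(target=_pump, args=(outside, inside))]
    for p in pumps:
        p.start()
    for p in pumps:
        p.join()
    inside.close()
    outside.close()


def _gateway(listener, target, allowed_clients):
    """Accept one inside client; build the circuit only if its address is
    on the allow-list (the single control a circuit gateway applies)."""
    conn, addr = listener.accept()
    listener.close()
    if addr[0] not in allowed_clients:
        conn.close()  # refused: the outside host is never contacted
        return
    outside = socket.create_connection(target)  # appears to come from the gateway
    relay(conn, outside)


def _echo_server(listener):
    """Constructed stand-in for the outside host: echoes whatever it receives."""
    conn, _ = listener.accept()
    listener.close()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)
        try:
            conn.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def run_demo(payload, allow_client=True):
    """Send `payload` through the gateway to the echo server and return what
    comes back. With allow_client=False the gateway refuses the circuit."""
    echo_l = socket.socket()
    echo_l.bind(("127.0.0.1", 0))
    echo_l.listen(1)
    gw_l = socket.socket()
    gw_l.bind(("127.0.0.1", 0))
    gw_l.listen(1)
    allowed = {"127.0.0.1"} if allow_client else set()  # assumed allow-list
    threads = [
        threading.Thread(target=_echo_server, args=(echo_l,), daemon=True),
        threading.Thread(target=_gateway,
                         args=(gw_l, echo_l.getsockname(), allowed), daemon=True),
    ]
    for t in threads:
        t.start()
    received = b""
    client = socket.create_connection(gw_l.getsockname())
    try:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            received += chunk
    except OSError:
        pass  # a refused circuit shows up as a reset or an empty read
    finally:
        client.close()
    for t in threads:
        t.join(timeout=5)
    return received


if __name__ == "__main__":
    print(run_demo(b"GET / HTTP/1.0\r\n\r\n"))
    print(run_demo(b"hello", allow_client=False))
```

Note what is absent: the relay has no idea whether the bytes are a Telnet login or an attack against the telnet daemon behind it. That is exactly why the text reserves circuit gateways for outbound connections from trusted inside users, and why inbound services get an application gateway that understands the protocol.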


1.8.3 Limitations of firewalls:

A firewall is not as intelligent as a person: it cannot read each piece of information and judge whether its content is good or bad. It can only block traffic from unwanted sources, and only when the address parameters are specified explicitly.

A firewall cannot stop an attack that does not "pass through" it. Specifically, it cannot defend against an attack over a dial-up line, or against information leaking because data was copied illegally onto a floppy disk.

Nor can a firewall stop data-driven attacks, in which a program is carried through the firewall by e-mail into the protected network and starts running there.

Computer viruses are one example. The firewall cannot scan the data passing through it for viruses, because of the speed at which it must work, the constant appearance of new viruses, and the many ways data can be encoded to escape the firewall's inspection.

Nevertheless, the firewall remains an effective solution that is widely deployed.

1.8.4 Is a firewall easy to break?

The answer is no. In theory a hole in a firewall cannot be demonstrated, but in practice holes exist. Hackers have studied many ways of breaking firewalls. Breaking a firewall has two stages: first, determine what kind of firewall the network uses and which services operate behind it; second, find a hole in that firewall, which is usually the harder stage. According to the hackers themselves, holes in firewalls exist because of configuration mistakes by the system administrator, and such mistakes are not rare. The administrator must make sure there are no surprises whatever network operating system (OS) is used, which is a hard problem in itself. On UNIX networks this is partly because UNIX is so complex, with hundreds of applications, protocols and commands of its own. Mistakes in building a firewall can also come from an administrator who has not mastered TCP/IP.

One of the hacker's tasks is to separate the real components from the decoys. Many firewalls use sacrificial hosts: systems set up as Web servers (and expected to be broken) or as decoys, to catch the hacker's intrusion attempts. A decoy may even use elaborate disguises to hide its true nature, for example returning answers that look like those of a real file system or real applications. So the hacker's first job is to establish which targets are genuine.

Figure 8: Attacking the system from outside


To gather information about the system, the hacker may use a machine capable of serving mail and other services. The hacker tries to obtain a message that originated inside the system; the path it travelled can then be examined and may reveal clues about the system's structure.

Furthermore, no firewall can prevent sabotage from within. If a hacker is already inside the organisation, the network will not take long to fall. This happened to a large oil company: a young hacker joined its workforce and collected important information not only about the network but also about the firewall machines themselves.

1.9 Some firewall models:

1.9.1 Packet-Filtering Router:

The most common Internet firewall consists of nothing more than a packet-filtering router placed between the internal network and the Internet. A packet-filtering router has two functions: forwarding traffic between the two networks, and applying filtering rules to permit or deny that traffic.


Figure 9: Packet filtering


Basically, the filtering rules are defined so that hosts on the internal network have direct access to the Internet, while hosts on the Internet have only limited access to the computers on the internal network. The philosophy of this firewall architecture is that anything not explicitly permitted is denied.

Advantages:

Low cost, simple configuration, transparent to users.

Limitations:

A packet-filtering router has many limitations. It is vulnerable to attacks on filters whose configuration is not perfect, and to attacks tunnelled underneath the services that are permitted.

Because packets are exchanged directly between the two networks through the router, the exposure to attack is determined by the number of hosts and services that are permitted. Consequently every host that is allowed direct Internet access needs a sophisticated authentication system, and the network administrator must check it regularly for signs of attack.

If the packet-filtering router fails or is compromised, it was the only line of defence, and every system on the internal network is exposed.
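To make the "anything not explicitly permitted is denied" rule concrete, here is an added example (not code from the thesis or from any router vendor) of a stateless packet filter in the style described above: ordered rules, first match wins, default deny. The interface names, the address ranges (192.0.2.0/24 for the screened hosts, 10.0.0.0/8 inside) and the sample packets are all constructed for the example. It also shows two of the weaknesses discussed earlier: the anti-spoofing rule that a router-based filter needs in order to reject internal source addresses arriving on the outside interface, and the UDP dilemma, since the rule that lets DNS replies in also lets an attacker who sends from source port 53 reach a randomly numbered RPC port.

```python
"""Stateless packet filter: ordered rules, first match wins, default deny.

Added example, not the thesis's code. Interfaces 'ext'/'int', the address
ranges and the sample packets below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet arrived on: "ext" or "int"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False       # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    iface: Optional[str] = None  # None means "any" for every field below
    proto: Optional[str] = None
    src: Optional[str] = None    # CIDR
    dst: Optional[str] = None    # CIDR
    sport: Optional[int] = None
    dport: Optional[int] = None
    new_only: bool = False       # match only connection-opening SYN segments

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.new_only and not pkt.syn:
            return False
        return True


def evaluate(rules, pkt: Packet) -> str:
    """The first matching rule decides; a packet no rule permits is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed policy for a router between the Internet ('ext') and a site
# whose inside hosts are 10.0.0.0/8 and whose public servers are 192.0.2.0/24.
RULES = [
    # Anti-spoofing: an inside address can never legitimately arrive from outside.
    Rule("deny", iface="ext", src="10.0.0.0/8"),
    # Inbound: only SMTP to the mail relay and HTTP to the web server.
    Rule("permit", iface="ext", proto="tcp", dst="192.0.2.25/32", dport=25, new_only=True),
    Rule("permit", iface="ext", proto="tcp", dst="192.0.2.80/32", dport=80, new_only=True),
    # Inbound DNS replies for inside resolvers: the UDP hole the text describes,
    # because a stateless filter can only key on the source port.
    Rule("permit", iface="ext", proto="udp", sport=53, dst="10.0.0.0/8"),
    # Outbound: inside hosts may open anything.
    Rule("permit", iface="int", src="10.0.0.0/8"),
]


def decide(pkt: Packet) -> str:
    return evaluate(RULES, pkt)


if __name__ == "__main__":
    samples = [
        Packet("int", "tcp", "10.0.0.7", "198.51.100.9", sport=40001, dport=80, syn=True),
        Packet("ext", "tcp", "203.0.113.4", "192.0.2.25", sport=51000, dport=25, syn=True),
        Packet("ext", "tcp", "203.0.113.4", "10.0.0.7", sport=51001, dport=23, syn=True),
        Packet("ext", "tcp", "10.0.0.1", "192.0.2.25", sport=51002, dport=25, syn=True),
        Packet("ext", "udp", "203.0.113.4", "10.0.0.7", sport=53, dport=32771),
    ]
    for s in samples:
        print(f"{s.iface:3} {s.proto} {s.src}:{s.sport} -> {s.dst}:{s.dport}  {decide(s)}")
```

The last sample is the point of the section: the packet is an attacker's datagram aimed at an RPC service that happened to bind to port 32771, yet the filter permits it because it is indistinguishable, by header alone, from a DNS reply. Closing that hole needs either connection state (see the IP Filter section later) or a proxy on a bastion host.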

1.9.2 Single-Homed Bastion Host model:

This system consists of a packet-filtering router and a bastion host. It provides higher security than the previous model because it enforces security both at the network layer (packet filtering) and at the application layer. An attacker therefore has to break through both layers to attack the internal network.

Figure 10: Single-Homed Bastion Host model

In this system the bastion host is placed on the internal network. The filtering rules on the packet-filtering router are defined so that outside systems can reach only the bastion host; traffic to every other internal system is blocked. Because the internal systems and the bastion host are on the same network, the organisation's security policy decides whether internal systems may reach the Internet directly or must use the proxy services on the bastion host. Inside users can be forced to use the proxies by configuring the router's filter to accept only outbound traffic that originates from the bastion host.

Advantages:

Servers that publish public information over Web and FTP can be placed between the packet-filtering router and the bastion host. Where the highest security is required, the bastion host can run proxy services that require all

Because the bastion host is the only internal system reachable from the Internet, attacks are confined to the bastion host. If a user can log on to the bastion host, however, they can easily reach the whole internal network. Users must therefore be prevented from logging on to the bastion host.

1.9.3 Dual-Homed Bastion Host model: Demilitarized Zone (DMZ) or Screened-subnet Firewall

This system consists of two packet-filtering routers and a bastion host. It is the most secure of the three because it provides both network-level and application-level security while defining a "demilitarized" network. The DMZ is a small isolated network placed between the Internet and the internal network. Basically, a DMZ is configured so that systems on the Internet and on the internal network can reach only a limited set of systems on the DMZ, and no traffic can cross the DMZ directly.

Figure 11: Dual-Homed Bastion Host model

For inbound traffic, the outer router defends against standard attacks (such as IP address spoofing) and controls access to the DMZ. It allows outside systems to reach only the bastion host. The inner router provides a second layer of protection by controlling access from the DMZ to the internal network, permitting only traffic that originates from the bastion host.

For outbound traffic, the inner router controls access from the internal network to the DMZ. It allows internal systems to reach only the bastion host and possibly the information server. The filtering rules on the outer router enforce the use of the proxy services by permitting only outbound traffic that originates from the bastion host.

Advantages:

An attacker has to break through three layers of protection: the outer router, the bastion host and the inner router.

Only a few selected systems on the DMZ are known to the Internet through the routing tables and DNS (Domain Name Server) information exchange.

Because the inner router advertises only the DMZ network to the internal network, internal systems cannot reach the Internet directly. This ensures that inside users are forced to reach the Internet through the proxy services.

1.9.4 Proxy server:

We will build the firewall following the application-level gateway architecture, with a set of proxy programs placed on the gateway that separates an internal network (Intranet) from the Internet.

The proxy programs are developed from the Internet Firewall Toolkit of Trusted Information Systems (TIS), which comprises a set of programs together with guidance on system configuration for building a firewall. The programs are designed to run on UNIX systems using TCP/IP with the Berkeley socket interface.

Figure 12: A simple proxy model

The proxy programs are designed for several firewall configurations, following the basic forms: dual-homed gateway, screened host gateway and screened subnet gateway.

The bastion host component of the firewall acts as the relay for traffic, logs communications, and provides the services that require high security.

Proxy servers are examined in more detail in a later section.

1.9.5 Firewall Proxy server software:

The proxy toolkit consists of application-level programs used to replace, or to add to, the system's own software. For each service there is a corresponding program whose task is to filter the messages of that service. On

- SMTP Gateway - proxy server for the SMTP service (Simple Mail Transfer Protocol)
- FTP Gateway - proxy server for the FTP service
- Telnet Gateway - proxy server for the Telnet service
- HTTP Gateway - proxy server for the HTTP service (World Wide Web)
- Rlogin Gateway - proxy server for the rlogin service
- Plug Gateway - proxy server that relays TCP connections directly (TCP Plug-Board Connection server)
- SOCKS - proxy server for services that follow the SOCKS standard
- NETACL - network access control for the other services
- IP filter - control at the IP level

1.9.5.1 SMTP Gateway - Proxy server for the SMTP service (Simple Mail Transfer Protocol):

Figure 13: Some protocols behind a proxy

The SMTP Gateway is built from two programs, smap and smapd, which guard against access through the SMTP protocol. The principle is to stand in front of the system's original mail server so that outside systems can never connect to the mail server directly. On a trusted network the mail server usually runs with certain privileges.

When a remote system connects to the SMTP port, smap takes over the service, moves into (chroots to) a dedicated spool directory and switches to an ordinary, unprivileged user-id. The sole purpose of smap is to conduct the SMTP dialogue with the other system, collect the mail, write it to disk, log it and exit. smapd regularly scans the spool directory and, when it finds mail, hands the data to sendmail for delivery to the individual mailboxes or for forwarding to other mail servers.

A remote user on the network can therefore never connect directly to the mail server, and everything that travels along this path can be fully controlled. The program cannot, however, solve the problem of forged mail or of attacks that arrive by other routes.

1.9.5.2 FTP Gateway - Proxy Server for the FTP service:

The proxy server for the FTP service provides access control for FTP based on IP address and hostname, and a secondary level of access control that allows any FTP command to be blocked or logged as an option. The destination addresses of the service can likewise be permitted or denied. Every connection and the amount of data transferred are logged.

The FTP Gateway is itself no threat to the security of the firewall system, because it runs in an empty directory and performs no file I/O other than reading its configuration file.

An FTP Server only provides the FTP service; it does not concern itself with who is or is not entitled to download a file. Authorisation must therefore be established on the FTP Gateway and checked before any download or upload takes place. The FTP Gateway should be configured


1.9.5.3 Telnet Gateway - Proxy Server for the Telnet service:

The Telnet Gateway is a proxy server that manages network access based on IP address and/or hostname, and provides a secondary level of access control that allows any destination to be blocked as an option. Every connection and the data transferred are logged. Each time a user connects to the Telnet Gateway, the user must choose the method of connection.

The Telnet Gateway does not endanger system security, because it operates only within a defined permitted scope: the system transfers control into a dedicated directory and denies access to all other directories and files.

The Telnet Gateway is used to control access into the internal network. Unauthorised access cannot take place, and authorised access is logged together with the time of access and the operations performed.

HTTP Gateway - Proxy server for the Web:

The HTTP Gateway is a proxy server that manages access to the system through the HTTP (Web) port. Based on the destination address and the source address, it denies or permits an access request to pass through.

In addition, based on the command codes of the HTTP protocol, this software will


Rlogin Gateway - Proxy server for rlogin:

Terminal access through the BSD rlogin protocol is controlled by the rlogin gateway. The program provides checks and control of network access similar to the telnet gateway. An rlogin client can name the remote system as soon as it connects to the proxy; the program limits the interaction required between the user and the machine.

Plug Gateway - TCP Plug-Board Connection server:

Firewalls also carry common services such as Usenet news. The network administrator can choose either to run such a service directly on the firewall or to install a proxy server for it. Because running the News service directly on the firewall easily leads to faults in the system, the safer approach is to use a proxy. The plug gateway is designed to control the Usenet News service and a number of others such as Lotus Notes, Oracle, etc.

Based on IP address or hostname, the plug gateway controls all access to the system through the registered service ports, and on that basis permits or denies access requests. All connection requests, including the data, can be logged for monitoring and control.

1.9.5.4 SQL Gateway - Proxy Server for SQL*Net:

SQL*Net uses its own protocol, unlike News or Lotus Notes, so the Plug Gateway cannot be used for this service. SQL


1.9.5.5 SOCKS Gateway and NETACL:

SOCKS Gateway - Proxy server for services that follow the SOCKS standard:

SOCKS is a connection protocol between hosts that both support it. Two hosts using this protocol need not care whether they can reach each other directly over IP. A SOCKS server listens for connection requests from one host towards the other, determines the access rights, and sets up the communication channel between the two. The SOCKS Gateway guards against access to the network through this port.

NETACL - network access control tool:

Ordinary network services provide no way of controlling access to them, and so they are weak points for attack. Even on a firewall system, where most ordinary services have been removed to keep the system safe, some services such as telnet and rlogin are still needed to maintain the system.

Netacl is a network access control tool that decides based on the network address of the client and the service requested. It wraps the basic services to add access control to them. Thus a client (identified by IP address or hostname) may reach the telnet server when it connects to the telnet service port on the firewall.

In typical firewall configurations, NETACL is used to deny every machine except a few chosen hosts the right to log in to the firewall over telnet or rlogin, and so to lock out attackers.

The security of Netacl rests on IP address and/or hostname. For systems that need high security, IP addresses should be used, to avoid DNS spoofing. Netacl cannot defend against IP address spoofing through source routing or other means. If such attacks are expected, a router capable of screening source-routed packets is needed.

Note that netacl provides no access control for UDP, because current technology cannot guarantee the authenticity of UDP. Securing UDP services here means denying all UDP services.

1.9.5.6 Authentication:

The firewall toolkit includes an authentication server program designed to support authorisation. Authsrv holds a database of the users on the network, with one record per user containing the authentication method for that user, the group name, the user's full name and the time of the last access. Plain-text passwords are used for users on the internal network to keep administration simple. Plain-text passwords should not be used for users coming from outside networks.

The users in the authentication database are divided into groups, each administered by a group administrator who has full rights within the group, including adding and removing users. This is convenient when several organisations share one firewall.

Authsrv's group management is very flexible: the administrator can collect users into a "group wiz" group, and the person with administrative rights over a group can delete, add, create


1.9.5.7 IP Filter - filter at the IP level:

IP Filter is a filter for TCP/IP packets and is regarded as an indispensable component when setting up a firewall that is transparent to users. The software is installed in the kernel of the system (for example the UNIX kernel), runs in the background while the system operates, and receives and analyses every IP packet.

The IP filter can:

- pass or block any packet
- distinguish between the different interfaces
- filter by IP network or host
- filter any IP protocol selectively
- filter IP fragments selectively
- filter packets with IP options selectively
- send back an ICMP error or a TCP reset for a blocked packet
- keep state information for TCP, UDP and ICMP flows
- keep state information for any sequence of IP fragments
- act as a Network Address Translator (NAT)
- use redirection to set up connections that are transparent to the user
- provide packet headers to user programs for authentication
- in addition, keep temporary storage of pre-authenticated rules for packets passing through

For the basic Internet protocols in particular, TCP, UDP and ICMP, the IP filter allows filtering by:

- inverted host/net matching
- the port number of TCP/UDP packets
- the type or code of ICMP packets
- established TCP packets
- any combination of TCP flags
- filtering or dropping of short (incomplete) IP packets
- type of service
- logging of packets, including the TCP/UDP/ICMP and IP headers and part or all of the packet data

1.10 Conclusion:

At present the firewall is the most common means of protecting a network; 95% of the hacker community admits that a firewall appears impossible to get past. Yet in practice firewalls have been broken. If your network is connected to the Internet and holds important data that must be protected, then in addition to a firewall you should strengthen the other protective measures, such as physical security, regular data backups, and screening of staff


Chapter 2: THE PROXY CONCEPT

2.1 What is a proxy:

According to www.learnthat.com: a proxy is a device that permits connection to the internet. It sits between the workstations in a network and the internet and secures the connection by allowing only certain ports and protocols, for example tcp, http and telnet on ports 80 and 23. When a client requests a page, the request is passed to the proxy server, which forwards it to that site. When the reply comes back, the proxy returns the result to the corresponding client. A proxy server can also be used to log internet usage and to block forbidden pages.

According to www.nyu.edu: a proxy server is a server that sits between a client application, such as a web browser, and a remote server. The proxy server examines each request to see whether it can be served from its cache; if not, it forwards the request to the remote server.

According to www.webopedia.com: a proxy server is a server that sits between a client application, such as a web browser, and a real server. It intercepts all requests to the real server to see whether it can fulfil them itself; if not, it forwards them to the real server.

According to www.stayinvisible.com: a proxy server is a kind of buffer between your computer and the internet resources you are accessing; the data you request arrives at the proxy first and is then passed on to your machine.


Figure 14: Proxy model

2.2 Why proxies came about:

Faster connections: proxies have what is called a cache, which lets the proxy keep copies of the most frequently visited pages. This makes your access faster, because the request is answered locally instead of fetching the information from the internet each time.

Security: since every access has to pass through the proxy, security can be enforced thoroughly.

Filtering: blocking access that is not permitted, such as pornographic sites or politically prohibited sites.

2.3 Summary on proxies:

From the definitions above and the benefits a proxy brings, it is clear that a proxy is very useful.

However, some servers on the network exploit the proxy idea and turn themselves into relay stations, intermediaries for connections that are not permitted. This gives "proxy" an additional definition, a new meaning.


Many addresses on the network are blocked to users for one reason or another, such as pornographic sites, politically prohibited sites, or unwholesome content. To get around this, as mentioned above, some servers turn themselves into proxies that make these blocked connections possible.

Such proxies come in two kinds, or in other words there are two ways of using them to gain access: HTTP proxies and web-based proxies, which are examined in the sections that follow. These are also the two firewall-bypass programming methods that this thesis addresses.


Chapter 3: FIREWALL-BYPASS PROGRAMMING METHODS

3.1 What is bypassing a firewall:

Put simply, bypassing a firewall means getting past the obstruction of the security software (the firewall) in order to reach the desired destination.

Bypassing can be from the inside out or from the outside in. Here we address only bypassing from the inside out, which can be summarised in three forms: HTTP proxy, web-based proxy and HTTP tunneling.

3.2 First method: HTTP Proxy

In this method a server uses some port to relay requests; such servers are usually called web proxy servers or HTTP proxy servers.

When a client's requests are refused by the administrator (or more precisely by the management software in the LAN), the user can use a proxy server to relay the requests, provided the proxy server's address is one the client is allowed to connect to.

These proxy servers are usually not fixed; they tend to have a very short lifetime.

To use such a proxy you only need to configure the proxy setting, which almost every web browser supports.

This method is examined in depth in Part 2.
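The following is an added example (not the thesis's code, and not any real proxy product) of the relaying described in this method and in Chapter 4: an HTTP proxy receives the absolute-form request a browser sends when a proxy is configured, decides whether the destination is allowed, rewrites the request into the origin-form the destination server expects, forwards it, and copies the response back. Both the proxy and a stand-in origin server run on loopback; the deny-list `BLOCKED_HOSTS` with the host `blocked.example` and the `Via` value are assumptions of the example. This is also what the HTTP proxy that a user turns to for bypassing a firewall is doing on their behalf: from the firewall's point of view, the only connection is the one to the proxy.

```python
"""Minimal forwarding HTTP proxy with a destination deny-list.

Added example (not the thesis's code). The origin server is a loopback
stand-in; BLOCKED_HOSTS and the Via header value are assumptions.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

BLOCKED_HOSTS = {"blocked.example"}  # assumed administrator deny-list


def parse_request(raw: bytes):
    """Split the request head into method, target, version and a header dict."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def rewrite_for_origin(method, target, version, headers):
    """Turn the absolute-form request a browser sends to a proxy
    (GET http://host/path) into the origin-form request (GET /path) the
    destination expects, fix Host, drop proxy-only headers, and add Via so
    the hop stays visible. Returns (host, port, request_bytes)."""
    url = urlsplit(target)
    host, port = url.hostname, url.port or 80
    path = (url.path or "/") + (("?" + url.query) if url.query else "")
    headers = dict(headers)
    headers["host"] = f"{host}:{port}" if url.port else host
    headers.pop("proxy-connection", None)
    headers["connection"] = "close"  # one request per connection keeps this simple
    headers["via"] = "1.0 added-example-proxy"
    lines = [f"{method} {path} {version}"] + [f"{k}: {v}" for k, v in headers.items()]
    return host, port, ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def handle_client(conn):
    """Serve one proxied request: policy check, forward, copy the reply back."""
    raw = b""
    while b"\r\n\r\n" not in raw:
        chunk = conn.recv(4096)
        if not chunk:
            conn.close()
            return
        raw += chunk
    method, target, version, headers, body = parse_request(raw)
    url = urlsplit(target)
    if url.scheme != "http" or url.hostname in BLOCKED_HOSTS:
        conn.sendall(b"HTTP/1.0 403 Forbidden\r\nConnection: close\r\n\r\n"
                     b"blocked by proxy policy\n")
        conn.close()
        return
    host, port, request = rewrite_for_origin(method, target, version, headers)
    with socket.create_connection((host, port)) as origin:
        origin.sendall(request + body)
        while True:
            data = origin.recv(4096)
            if not data:
                break
            conn.sendall(data)  # the proxy relays the reply byte for byte
    conn.close()


class _Origin(BaseHTTPRequestHandler):
    """Constructed stand-in for a server on the Internet."""
    def do_GET(self):
        body = f"hello from origin {self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def demo(path="/index.html", host_override=None):
    """Fetch `path` from the loopback origin through the proxy and return
    (status, body). host_override lets the test hit the deny-list."""
    origin = HTTPServer(("127.0.0.1", 0), _Origin)
    origin.timeout = 2
    threading.Thread(target=origin.handle_request, daemon=True).start()
    proxy_l = socket.socket()
    proxy_l.bind(("127.0.0.1", 0))
    proxy_l.listen(1)

    def accept_one():
        conn, _ = proxy_l.accept()
        proxy_l.close()
        handle_client(conn)

    threading.Thread(target=accept_one, daemon=True).start()
    o_host, o_port = origin.server_address
    host = host_override or o_host
    request = (f"GET http://{host}:{o_port}{path} HTTP/1.0\r\n"
               f"Host: {host}:{o_port}\r\nProxy-Connection: keep-alive\r\n\r\n")
    resp = b""
    with socket.create_connection(proxy_l.getsockname()) as c:
        c.sendall(request.encode())
        while True:
            d = c.recv(4096)
            if not d:
                break
            resp += d
    origin.server_close()
    head, _, body = resp.partition(b"\r\n\r\n")
    return int(head.split(b" ", 2)[1]), body


if __name__ == "__main__":
    print(demo("/index.html"))
    print(demo("/", host_override="blocked.example"))
```

The deny-list check is the proxy's whole security model. A "bypass" proxy of the kind this chapter discusses is simply one whose operator leaves `BLOCKED_HOSTS` empty and whose own address is not yet on the firewall's list; the thesis's observation that such proxies are short-lived follows from the fact that once the address is known, a single rule on the router removes it.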


3.3 Second method: Web-Based Proxy

This method lets the user reach blocked pages in the form of a visit to an intermediate web page.

First, the user visits this intermediate page.

Then the user supplies the information about the page they want to reach (usually as a URL).

The web-based proxy then connects to the requested page, retrieves its content, reformats it, and returns it to the user in a legitimate-looking way.

Of course, the web-based proxy must be a page that the administrator has not yet blocked.

    Phng php ny sc tm hiu su phn 23.4 Phng php thba: Http Tunneling

    Cng nh cc phng php trn, htttp tunneling cho php ngi dngtruy cp vo nhng trang b cm

    Bao gm mt chng trnh client pha ngi dng v mt chng trnhpha server

    u tin, chng trnh pha client s to ra mt ng hm kt ni myca bn n chng trnh servert trn mng, ng hm ny i ngang

    qua firewall ca bn m khng h hn g, v a ch server khng b filter.

    Khi ng hm thit lp xong mi yu cu truy cp n trang web s

    thn qua server, ri a vo ng hm v n my bn m firewall

    khng h hay bit. Do 1 sng dng http-tunneling c vit theo m

    hnh client-server, cch hot ng da trn kch bn lm vic dng sn,

    ta c th chng qua mt cc firewall bng cch m ha cc gi tin trao


Because of the limits of the topic and the time available, this method is not studied further in this thesis.


PART TWO

FIREWALL BYPASSING

Chapter 4: BYPASSING FIREWALLS WITH AN HTTP PROXY

4.1 When HTTP proxy servers become useful: The main task of an HTTP proxy server is to let inside clients reach the Internet without being blocked by the firewall. All clients behind the firewall can then reach the Internet with little effort and without being obstructed by the security services.

The proxy server listens for requests from clients and forwards them to servers on the Internet. It reads the responses from the outside servers and returns them to the inside clients. Usually clients on the same subnet use the same proxy server, so the proxy server can cache documents to serve clients with the same needs (for example, clients visiting the same page).

A user going through a proxy feels as if responses are received directly from outside, but in fact they reach the Internet indirectly through the proxy.

Clients that do not use DNS can still browse the web, because they need only one piece of information: the IP address of the proxy server. Likewise, organisations and businesses that use private addresses (10.x.x.x, 192.168.x.x, 172.16.x.x to 172.32.x.x) can still reach the Internet normally through the proxy server.

Proxy servers can allow or deny requests based on the protocol of the connection. For example, a proxy server may allow HTTP connections while refusing FTP connections.

When you use a proxy server as the gateway from the LAN to the Internet, you can choose among the following options:

- Allow or block a client's Internet access based on its IP address
- Caching documents: store web pages to serve identical requests
- Filter connections
- Provide Internet service to companies that use private networks (private IP addresses)
- Convert data to HTML so that it can be viewed in a browser


Figure 15: General operating model of proxies


4.2 Main functions:
4.2.1 Internet access:

Machines on the LAN may be unable to reach resources on the Internet directly because they sit behind a firewall. In that case a proxy server lets them do so easily.

Figure 16: Some supported protocols

In the figure above, the proxy server runs on a firewall host and establishes the connections to the outside world. We can also use a separate computer as the proxy server; that machine must have full Internet access.


The proxy receives requests from the browser, retrieves the requested information, converts it to HTML and returns it to the browser inside the firewall. The proxy server can manage every connection to the Internet if it is the only machine with a direct outside connection.

4.2.2 Caching documents: Usually, the clients of one subnet all go to the same web proxy server. Some proxy servers let you cache (temporarily store) the fetched documents on the proxy to serve other machines with the same need.

Suppose machine A has just visited http://mail.yahoo.com and machine B then requests the same page; in that case the proxy server reuses the document it already holds instead of fetching it from the server again. This improves speed markedly.


Figure 17: Caching

Caching on the proxy server is more efficient than caching on individual machines; it saves storage space because each document is stored only once.

For caching on the proxy server to be effective, we should cache the pages that are referenced (visited) most often.

Through caching we can still reach a page even when its server is down.

Some proxies allow caching in several places, in case one cache goes down or fails.


Figure 18: Cache failure

4.2.3 Selective control of Internet access: With a proxy server you can filter the clients' transactions. Some proxy servers let you:

o decide which requests are accepted and which are not
o block pages you do not want users to reach


o restrict the services you choose, for example allow users the HTTP service but not the FTP service

4.2.4 Providing Internet service to organisations that use private IP addresses: Organisations that use one or more private address spaces can still use the Internet; this is entirely possible by going through a proxy server, which then uses its real address on their behalf.

4.3 A transaction through a proxy:

Figure 19: A transaction through a proxy

Each client has its own IP address as well as a direct connection to servers on the Internet. When the browser creates an HTTP request, the HTTP server receives only the path and key part of the requested URL; the other parts, such as the protocol and the hostname of the machine running the HTTP server, are already obvious to the server.

For example, when you type http://abc.com/class/th01.htm, the browser converts it into: GET /class/th01.htm. The browser connects to the abc.com server, issues the command and waits for the response. In this example the browser creates a request to the HTTP server and specifies which resource to download; there is no protocol and no hostname in the URL.


4.4 Connecting through a proxy server: The proxy server plays both roles, client and server: it acts as a server when it accepts HTTP requests from browsers, and as a client when it connects to the remote server to retrieve resources.

The proxy reuses all the information the browser sent it when it sends the request to the remote server, so no information is lost or left out.

A complete proxy server can support nearly all protocols: HTTP, FTP, Gopher, WAIS. A proxy may also support only one protocol, such as HTTP, but that is inconvenient when you need an FTP connection while browsing the web.

4.5 HTTP proxy: When the proxy server plays the client role, it behaves like a browser fetching resources.

An example of the exchange:
o You type: http://abc.com/class/th01.htm
o The browser turns this URL into: GET http://abc.com/class/th01.htm
o This request is handed to the proxy server. The proxy server extracts the abc.com part of the URL to connect to the remote server, then rewrites the request as: GET /class/th01.htm, sends the command to the server and waits for the response, as shown in the figure below.


Figure 20: Retrieving information through an HTTP proxy

4.6 FTP proxy:

Figure 21: Retrieving information through an FTP proxy

The figure above shows how an FTP request passes through the proxy. From the URL the proxy server knows that this is an FTP request, so it makes an FTP connection to the remote server. The proxy server opens the connection, requests the file from the remote FTP server, fetches it and returns it to the client.


4.7 Advantages and disadvantages of caching web pages: Caching means storing documents on the local machine, so that users do not have to connect to the server to fetch files. When a local browser requests a file, the proxy checks whether it has that file cached. If so, it sends the file to the browser. If you use this feature you must decide:

o which pages to cache (those with a high access frequency)
o how long before these pages must be refreshed.

Advantages of caching:
o Caching saves users a great deal of time when they frequently visit a page. The proxy server answers such requests quickly because it only has to retrieve locally stored files
o It saves network bandwidth
o It saves disk space, because all local machines share one copy instead of each caching its own
o It can still satisfy Internet needs to some degree even when there is no Internet connection

4.8 Problems caused by proxies: Although proxies, as described above, bring many benefits, everything has two sides and proxies are no exception. Exploiting the proxy idea, a host of machines on the network have turned themselves into proxy servers so that clients can reach pages with bad content that the service provider has blocked with a firewall.

The problem posed is therefore how to let clients reaching the Internet browse normally while still being unable to reach the blocked pages, in other words how to forbid users from using proxies outside the system.

4.9 Basic technique for programming an HTTP proxy: Programming an HTTP proxy involves the following steps:

- Listen for connections to the proxy server
- When a connection arrives, create a thread to manage it
- Receive the HTTP request packet and modify it so that it is valid. Parse the URL to obtain the web site name and the port.

Example: www.yahoo.com:8080 has the name www.yahoo.com and port 8080 (if no port value is given, the default is port=8080).

- Use this name to resolve the IP address.
- Connect to the remote server
- Forward the request to the server
- Wait for the response from the remote server
- Forward this response packet back to the user.
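The request-line difference that sections 4.3 and 4.5 describe (GET /path to an origin server versus GET http://host/path to a proxy) is what a filter on the wire can key on, as the Part 3 service does. The following is an added example, not the thesis's own code: it classifies request lines, splits host and port as in the www.yahoo.com:8080 example, and records the packet's destination IP (the proxy itself, which the URL does not name). The sample packets, addresses and sanctioned-proxy allow-list are constructed.

```python
"""Request-line check for spotting HTTP-proxy use on the wire.
Added example, not the thesis's own code. A browser talking to an HTTP
proxy sends an absolute-form target (GET http://host/path); a browser
talking to the origin server sends origin-form (GET /path); CONNECT is
the proxy tunnel form. The proxy is the packet's destination IP, so that
is what a filter records. Sample packets are constructed."""
from urllib.parse import urlsplit


def parse_host_port(authority, default_port=80):
    """Split 'www.yahoo.com:8080' into ('www.yahoo.com', 8080).
    The thesis defaults a missing port to 8080; the standard HTTP port is
    80, so the default is a parameter here and 80 is used below."""
    host, sep, port = authority.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return authority, default_port


def classify_request_line(line):
    """Describe one HTTP request line: kind is 'proxy' (absolute-form
    target), 'connect', 'origin' (ordinary request) or 'invalid'."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return {"kind": "invalid", "line": line}
    method, target, _version = parts
    if method == "CONNECT":
        host, port = parse_host_port(target, default_port=443)
        return {"kind": "connect", "method": method, "host": host, "port": port}
    if target.startswith("/") or target == "*":
        return {"kind": "origin", "method": method, "path": target}
    url = urlsplit(target)
    if url.scheme not in ("http", "https") or not url.netloc:
        return {"kind": "invalid", "line": line}
    host, port = parse_host_port(url.netloc, 443 if url.scheme == "https" else 80)
    path = (url.path or "/") + ("?" + url.query if url.query else "")
    return {"kind": "proxy", "method": method, "host": host, "port": port, "path": path}


def proxy_addresses(packets, allowed=frozenset()):
    """packets: (destination_ip, request_line) pairs as a sniffer would hand
    them over. Returns the sorted destination IPs that received a proxy-
    style or CONNECT request, minus the organisation's own sanctioned
    proxies in `allowed`; these are the addresses a filter would block."""
    found = set()
    for dst_ip, line in packets:
        info = classify_request_line(line)
        if info["kind"] in ("proxy", "connect") and dst_ip not in allowed:
            found.add(dst_ip)
    return sorted(found)


# Constructed sample: 10.0.0.5 is a web server on the LAN, 203.0.113.x are
# outside hosts (documentation range) the client talks to.
SAMPLE_PACKETS = [
    ("10.0.0.5", "GET /class/th01.htm HTTP/1.1"),
    ("203.0.113.7", "GET http://abc.com/class/th01.htm HTTP/1.1"),
    ("203.0.113.9", "GET http://www.yahoo.com:8080/index.html?x=1 HTTP/1.0"),
    ("203.0.113.9", "CONNECT mail.example.test:443 HTTP/1.1"),
    ("10.0.0.5", "POST /login HTTP/1.1"),
    ("10.0.0.5", "garbage"),
]

if __name__ == "__main__":
    for dst_ip, line in SAMPLE_PACKETS:
        print(dst_ip, classify_request_line(line))
    print("proxy addresses:", proxy_addresses(SAMPLE_PACKETS))
```

A sanctioned corporate proxy produces exactly the same absolute-form lines, so the allow-list is not optional in practice.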


Chapter 5: Bypassing firewalls with a Web-Based Proxy
5.1 What is a web-based anonymous proxy?

A web-based anonymous proxy is another form of web proxy server, but one built as a web page (here called a Web-based Proxy, WBP).

Its differences from an ordinary web proxy are as follows:

- It is easy and user-friendly, because the proxy is built into the web page: the user only gives the WBP the address (URL) of the page they want to reach and starts browsing. The user does not need to adjust any other settings in their browser, such as the WBP's IP address or port number; they only need to know the WBP's name or IP and the link to it
- When a client makes a request, the WBP fetches the resources from the target web server, rebuilds them into a complete web page, and pushes the whole rebuilt page to the client's browser. Usually the client's browser receives the requested page with the WBP's own header attached.
- It can select the web page components on request, for example deciding whether cookies, images, JavaScript, pop-up windows and so on are allowed in the page.
- Because it is essentially anonymous browsing through an intermediary web page, the client's request packets are almost identical to ordinary HTTP request packets, so packet-filtering software has difficulty telling which packets are the problematic ones.

- Addresses of some other WBPs on the Internet, for reference: http://www.anonymization.net http://www.anonymizer.com http://www.stayinvisible.com http://www.proxify.com http://www.silentsuft.com

5.2 How a WBP works: Each time it receives a request from the client, the WBP:

- parses the URL and fetches the corresponding resources (links, images, flash, ...) from the page the client requested
- after receiving them, updates the URLs of the requested HTML page so that they fit. The WBP then filters the components (web page components) according to the client's wishes and pushes the whole rebuilt HTML page to the client
- the client's browser, which is waiting for the WBP's response, renders the page for the user when the response arrives.


5.3 Introduction to the Web-Based Proxy page:
5.3.1 Interface:

Figure 22: Main interface of the Web-Based Proxy

The page has a simple interface. At the top is a text box where the user enters the address of the page they want to reach.

Below it are the options the user can choose. Finally there are two buttons: one to start the page and one to reset the options to their defaults.

5.3.2 Functions: It lets the user enter an address in URL form. The user only has to type the address and press Enter; the page then loads the content the user wants.

It lets the user choose options, including:
o Include a mini URL form: adds a part of the Web-based Proxy to the top of the page


Figure 23: Mini form at the top of each page

o Remove all scripts: removes all scripts
o Accept HTTP cookies: allows cookies, to improve speed
o Show images: loads the page content including its images (images are kept, not removed)
o For future: reserved for future use
o New window: allows browsing in a new window.


5.3.3 Algorithm:
5.3.3.1 Operating model:

Figure 24: Flow diagram of a Web-Based Proxy page (the diagram's boxes, in order: Start page; Check cookies, No: Load default page, Yes: Load page from cookies; Enter information; Check URL validity, Invalid / Valid: Adjust URL; Check options; Browse the requested page, on failure: report error, on success: modify according to options; Send result to client)


5.3.3.2 Explanation of the model:
- Start page: loading the forms, items and interface of the web page
- Check cookies: check whether this page's cookies are currently present on the machine
- Load default page: if no cookies are found, the browser loads the default page, that is, the URL field is empty and the default options are checked
- Load page from cookies: if cookies are found, the page is loaded from them, including the URLs used and the state of the options.
- Enter information: the client enters information such as the URL of the page to reach, and checks or unchecks the options as desired.
- Check URL validity: check the form of the input, for example whether http or www is missing; if so, they are added automatically to make the URL valid.
- Check options: check which options are checked and which are not, so as to act according to the client's request.
- Browse the requested page: send the request to the corresponding web server: resolve the domain name, then send the HTTP request to the server
- Failure, report error: if the page does not exist, the address is wrong because the user mistyped it, or any other reason prevents the HTTP request from being answered, an error is reported
- Success, modify according to options: on success the page is modified according to the options: whether the extra part is added at the top of the page, whether images are kept or removed, whether scripts are kept or removed (these items are applied when the HTTP request is sent).
- Send result to client: send the final result to the client, a web page that has been adjusted and modified to fit.

5.3.3.3 Explanation of some important functions:
- Function submit_form(): sends the request to the server
- File url_form.inc: the header part of the page sent to the client.
- File style: holds the interface settings: colours, sizes
- Function set_response(): restructures the web page
- Function set_url(): checks and adjusts the URL so that it is valid
- Function open_socket(): opens a socket
- Function encode_url(): encodes the URL
- Function decode_url(): decodes the URL
- Function set_flags(): sets the options
- Function set_cookies(): writes the cookies
- Function get_cookies(): reads information from the cookies
- Function delete_cookies(): deletes the cookies
- Function include_form(): adds the web-based proxy's form to the top of the page (depending on whether the option is checked)
- Function remove_scripts(): removes scripts (depending on whether the option is checked)
- Function send_response_headers(): sends the header part to the client
- Function return_response(): sends the remaining parts to the client.
- Function remove_images(): removes images from the page (depending on whether the option is checked)


PART THREE

ANTI-BYPASS MODULES

Contents: The aim of the thesis is to study firewall-bypassing programming methods in order to understand the ways users can get past a firewall, and from there to build modules that prevent such bypassing. After a period of study we built two application modules on Windows to stop users bypassing the firewall with the two methods presented above:

- An application module integrated into the Internet Explorer browser, which detects and stops users bypassing the firewall through a web-based proxy. The module is based on an analysis of how Web-Based Proxy pages operate and derives three policies that make up the module's filter. Whenever the user browses any web page, the module's filter checks it against the predefined policies; if any policy is violated, the page is blocked and its information (the address) is saved in the module's database.

- An application module in the form of a system service, which detects and stops users bypassing the firewall through an HTTP proxy server. The module has two main parts: packet filtering and packet blocking. It works by filtering and inspecting the content of HTTP packets. According to the HTTP RFC, HTTP request packets sent through an HTTP proxy server have content different from ordinary HTTP request packets. Based on this feature, the module builds a policy for filtering and inspecting the packets sent on the network. When a packet violates the policy, its destination address (in this case the IP address of the HTTP proxy server) is added to the filter and saved in the database.


Chapter 6: Anti-bypass plug-in for the Internet Explorer browser

In this chapter we present the first module: the anti-bypass plug-in for the Internet Explorer browser.

6.1 Brief introduction: The plug-in is an application written to integrate into the Internet Explorer web browser, with the task of monitoring the user while browsing. If it detects that the user intends to bypass the firewall through some Web-Based Proxy page, the plug-in blocks it and saves information about that page (its address) in the database as a basis for later filtering. The application is written in Visual C++ 6.0 as an ATL component and runs well on IE 5 and later and on Windows 2000 and later.

Since the list of proxy servers and web-based proxies must be stored as the basis for the filter, the module keeps this information in a Microsoft Access database.

Figure 25: Main interface of the plug-in


Figure 26: Notification page shown whenever the user browses a violating page

6.2 Main features:
6.2.1 Filtering pages by checking the list of pages already in the database:

If the user tries to browse a page whose address is stored in the database, the plug-in shows a page informing the user that it is forbidden.

6.2.2 Filtering pages by checking the address (URL): When the user browses to a new page, if that page could help the user get past the firewall (called a violation), the plug-in shows the notification page to the user and saves the page's address in the database. Since the great majority of Web-based Proxy pages, when operating, present their address in the form http://domain_name_of_WebProxy/real_address_of_the_page_to_browse, we can use this pattern to determine the addresses

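The two filter policies on this page, the database check of 6.2.1 and the nested-URL check of 6.2.2, re-implemented in Python as an added example (it is not the thesis's own ATL plug-in code). The check also accepts a percent-encoded inner URL, the kind a WBP's encode_url() would produce, and it learns a newly caught host into the database the way the plug-in does. The host names, browsing sequence and starting database are constructed.

```python
"""Two filter policies of the IE plug-in, re-implemented as an added
example (not the thesis's own ATL code): a database of known web-based-
proxy hosts (6.2.1) and detection of a URL that embeds another URL, the
http://wbp-host/real-site form of 6.2.2. Hosts and URLs are constructed."""
import re
from urllib.parse import urlsplit, unquote

# An absolute URL (http://, https://, or a single slash, since browsers
# collapse "//" inside a path) or a bare www. host, inside path or query.
NESTED_URL = re.compile(r"(?:https?:/+|www\.)[\w.-]+", re.IGNORECASE)


def normalise_host(url):
    """Lower-case host of url, or '' when it has none."""
    return (urlsplit(url).hostname or "").lower()


def embedded_url_host(url):
    """Host of a URL hidden in the path or query of url (plain or
    percent-encoded, as a WBP's encode_url() would produce), else ''."""
    parts = urlsplit(url)
    tail = parts.path + ("?" + parts.query if parts.query else "")
    for text in (tail, unquote(tail)):
        match = NESTED_URL.search(text)
        if match:
            inner = match.group(0)
            if not inner.lower().startswith("http"):
                inner = "http://" + inner
            return normalise_host(inner)
    return ""


def check_url(url, blocklist):
    """Apply both policies to one URL. Returns (verdict, reason, host):
    verdict is 'allow' or 'block'; host is the WBP host the plug-in
    would save to its database when it blocks."""
    host = normalise_host(url)
    if not host:
        return ("allow", "no host", "")
    if host in blocklist:
        return ("block", "host in database", host)
    inner = embedded_url_host(url)
    # A site passing its own absolute URL around (a login redirect, say)
    # is not a proxy, so only a foreign embedded host counts.
    if inner and inner != host:
        return ("block", "embedded url to " + inner, host)
    return ("allow", "clean", "")


def filter_urls(urls, blocklist):
    """Run check_url over a browsing sequence and learn as the plug-in
    does: a host caught by the URL policy goes into blocklist so later
    visits are caught by the database policy. Returns the verdicts."""
    results = []
    for url in urls:
        verdict, reason, host = check_url(url, blocklist)
        if verdict == "block":
            blocklist.add(host)
        results.append((url, verdict, reason))
    return results


SAMPLE_URLS = [  # constructed browsing sequence
    "http://abc.com/class/th01.htm",
    "http://wbp.example.test/http://abc.com/class/th01.htm",
    "http://wbp.example.test/index.php?q=http%3A%2F%2Fmail.yahoo.com%2F",
    "http://other-wbp.example.test/browse.php?u=www.yahoo.com",
    "http://shop.example.test/login?next=https://shop.example.test/cart",
]

if __name__ == "__main__":
    database = set()
    for url, verdict, reason in filter_urls(SAMPLE_URLS, database):
        print(verdict, reason, url)
    print("learned:", sorted(database))
```

Ordinary sites that carry a return URL for another host in a query parameter also trip the embedded-URL policy, so in deployment that verdict is best treated as a candidate for the database rather than an automatic permanent block.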