Page 1. Copyright by Tocbatdat
TOCBATDAT SECURITY
Security (complete collection), Version 1.2, 2012
Document on Security, Version 1, July 2012. Copyright by Tocbatdat
CHANGE TRACKING TABLE
Version | Date updated | Updated by | Notes
1 | 7/2012 | Hong Tun t | First release
TABLE OF CONTENTS
I. PURPOSE AND SCOPE OF THE DOCUMENT ... 9
  1. Purpose of the document ... 9
  2. Scope of the document ... 9
II. SECURITY OVERVIEW ... 10
  1. Basic concepts of information security ... 11
  2. Basic networking ... 11
    a. The OSI network model ... 11
    b. The TCP/IP network model ... 17
    c. Comparing the TCP/IP and OSI models ... 19
    d. Structure of IP, TCP, UDP and ICMP packets ... 19
    e. Commonly used ports ... 22
    f. Using a sniffer to analyze IP, ICMP, UDP and TCP packets ... 22
    g. Analyzing individual packets and whole connection sessions ... 22
  3. Access control concepts ... 23
    a. Access control systems ... 23
    b. Principles for setting up access control ... 24
    c. Types of access controls ... 24
  4. Authentication concepts ... 27
    a. Factors for identifying and authenticating users ... 27
    b. Authentication methods ... 27
  5. Authorization ... 31
    a. Authorization basics ... 31
    b. Authorization methods ... 31
  6. Accounting concepts ... 33
  7. The CIA security triad ... 34
    a. Confidentiality ... 34
    b. Integrity ... 35
    c. Availability ... 35
  8. Basic cryptography ... 36
    a. Basic concepts of cryptography ... 36
    b. Hash functions ... 36
    c. Symmetric encryption ... 37
    d. Asymmetric encryption ... 37
    e. Overview of PKI systems ... 39
    f. Hands-on encryption and decryption with cryptography tools ... 42
  9. Basic concepts of network attacks ... 42
    a. Basic steps of an attack ... 42
    b. Some security concepts ... 44
    c. Basic attack methods ... 44
    d. Purpose of the various attack types ... 45
III. INFRASTRUCTURE SECURITY ... 47
  1. Solutions and roadmap for building network infrastructure security ... 48
  3. Designing a secure network model ... 50
  4. Routers and switches ... 51
    a. Router functions ... 51
    b. Switch functions ... 52
    c. Switch security ... 52
    d. Router security ... 52
    e. Setting up security on a router ... 53
  5. Firewalls and proxies ... 58
    a. The firewall concept ... 58
    b. Firewall functions ... 58
    c. How a firewall works ... 59
    d. Types of firewalls ... 60
    e. Placing firewalls in the network design ... 61
  6. Configuring the iptables firewall on Linux ... 64
  7. Installing and configuring Squid as a proxy server ... 68
    a. Linux Squid proxy server ... 68
    b. Installation ... 68
    c. Configuring Squid ... 70
    d. Starting Squid ... 72
  8. Deploying a VPN on the OpenVPN platform ... 74
    a. OpenVPN overview ... 74
    b. Deploying OpenVPN with SSL on Ubuntu Linux ... 75
  9. Using a VPN to protect a Wi-Fi network ... 82
    a. Wi-Fi security methods ... 82
    b. Configuring the access point device and VPN Server 2003 ... 83
    c. Creating VPN connections from devices accessing over Wi-Fi ... 95
  10. Intrusion detection and prevention systems (IDS/IPS) ... 100
    a. Packet analysis principles ... 100
    b. Installing and configuring Snort as an IDS/IPS ... 104
  11. Installing and configuring Sourcefire IPS ... 111
    a. Features of the Sourcefire IPS system ... 111
    b. Typical deployment model for an IDS/IPS system ... 113
    c. How the Sourcefire IDS/IPS system works ... 114
    d. Setting management parameters on Sourcefire devices ... 117
    e. Upgrading Sourcefire devices ... 118
    f. Configuring system settings ... 118
    g. Setting up centralized management for Sourcefire devices ... 122
    h. Configuring Interface Sets and the Detection Engine ... 124
    i. Managing and setting policies for the IPS ... 127
    j. Analyzing IPS events ... 143
  12. Endpoint security ... 147
    a. The Kaspersky Open Space Security (KOSS) solution ... 147
    b. Features of the Kaspersky Endpoint Security package ... 148
    c. Lab: installing KSC and Endpoint Security on workstations ... 149
  13. Data loss prevention ... 149
  14. Network access control ... 151
  15. Operating system security ... 154
    a. Securing the Windows operating system ... 154
    b. Lab: using IPsec policy to protect certain applications on Windows ... 156
    c. Securing the Linux operating system ... 156
  16. Network security policy ... 159
    a. Requirements for building a network security policy ... 159
    b. Overall process for building the policy ... 159
    c. ISMS ... 160
    d. The ISO 27000 series ... 161
IV. APPLICATION SECURITY ... 164
  1. Securing the DNS application ... 164
    a. Using DNS forwarders ... 164
    b. Using caching-only DNS servers ... 165
    c. Using DNS advertisers ... 165
    d. Using DNS resolvers ... 166
    e. Protecting the DNS cache ... 166
    f. Securing connections with DDNS ... 166
    g. Disabling zone transfers ... 167
    h. Using a firewall to control DNS access ... 167
    i. Setting access controls on the DNS registry entries ... 167
    j. Setting access controls on the DNS file system entries ... 168
  2. Securing web applications ... 168
    a. Introduction ... 168
    b. Vulnerabilities in web services ... 168
    c. Exploiting operating-system-level vulnerabilities and securing web servers ... 169
    d. Exploiting web service vulnerabilities ... 171
    e. Exploiting a DoS vulnerability in Apache 2.0.x-2.0.64 and 2.2.x-2.2.19 ... 173
    f. Exploiting web application vulnerabilities ... 173
  3. Mail server security ... 175
    a. Overview of SMTP, POP and IMAP ... 175
    b. Attack risks when using email ... 185
  4. Secure remote access ... 187
  5. Buffer overflow vulnerabilities and how to prevent them ... 187
    a. Theory ... 187
    b. Technical description ... 188
    c. Basic example ... 188
    d. Stack-based buffer overflow ... 188
    e. Example source code ... 189
    f. Exploitation ... 190
    g. Preventing buffer overflows ... 191
    h. Hands-on ... 194
V. DATA SECURITY ... 194
  1. Database security ... 194
    a. Database security violations ... 195
    b. Levels of database security ... 195
    c. Privileges when using a database system ... 196
    d. Views as a protection mechanism ... 197
    e. Granting access privileges ... 198
    f. Audit trails ... 201
  2. Monitoring statistical databases ... 201
  3. Database security methods ... 208
VI. NETWORK ASSESSMENT AND ANALYSIS TOOLS ... 212
  1. Open port scanning skills ... 212
    a. Principles of TCP/IP communication ... 212
    b. Principles of port scanning a system ... 214
    c. Port scanning with Nmap ... 216
  2. Scanning for OS vulnerabilities ... 219
    a. Using Nmap to scan for OS vulnerabilities ... 219
    b. Using Nessus to scan for OS vulnerabilities ... 220
    c. Using GFI to scan for OS vulnerabilities ... 228
  3. Scanning for web vulnerabilities ... 231
    a. Using Acunetix to scan for web vulnerabilities ... 232
    b. Lab: using IBM AppScan to scan for web vulnerabilities ... 234
  4. Packet analysis and network sniffing techniques ... 234
    a. The nature of sniffing ... 234
    b. A professional data analysis model for the enterprise ... 235
    c. Hub environments ... 236
    d. Sniffing in a switched environment ... 236
    e. Sniffing model using ARP attack tools ... 239
  5. The Metasploit exploitation tool ... 240
    a. Overview of Metasploit ... 240
    b. Using the Metasploit Framework ... 242
    c. Conclusion ... 248
  6. Using Wireshark and Colasoft for packet analysis ... 248
    a. Using Wireshark to analyze packets and network traffic ... 248
    b. Using Colasoft to analyze network traffic ... 252
VII. CONCLUSION ... 259
Table of terms used in the document
No. | Term | Full Vietnamese form | Notes
1 | ATTT | An toàn thông tin (information security) |
2 | Security | Bảo mật (security) |
I. PURPOSE AND SCOPE OF THE DOCUMENT
1. Purpose of the document
This is a training document on information security for the network operations and administration staff of ABC. It gives trainees the concepts, system models, configuration and deployment of solutions, risk management, and other knowledge about information security.
2. Scope of the document
This document was written specifically for the information security course for ABC staff.
II. SECURITY OVERVIEW
1. Basic concepts of information security
2. Basic networking
3. Access control concepts
4. Authentication concepts
5. Authorization
6. Accounting concepts
7. The CIA security triad
8. Basic cryptography
9. Basic concepts of network attacks
1. Basic concepts of information security
Several major organizations around the world define Security, or information security, as follows:
- Security, or information security, is the degree to which information is protected against the threats of disclosure, loss of integrity, and unavailability.
- Security, or information security, is the degree of protection against dangers, damage, loss and other crimes that threaten information. Security is the form and degree of protection of information, including the structures and processes that raise that protection.
- The Institute for Security and Open Methodologies (ISECOM) defines security as a form of protection in which a separation is created between the assets and the threats to them.
2. Basic networking
a. The OSI network model
When an application or service runs to serve users' information exchange needs, the network operates so that the exchange follows its own rules. Looking at a network cable or a wireless device, a person cannot see the principles by which information is transmitted. To make these principles easy to understand, and to support research, application development and network troubleshooting, the international standards body adopted the OSI model as an ISO standard. The OSI model (Open Systems Interconnection Reference Model, abbreviated OSI Model or OSI Reference Model) is a layered design that abstractly describes the technology for communication between computers and the design of the network protocols between them. It was developed as part of the Open Systems Interconnection initiative launched by ISO and ITU-T. It is also called the seven-layer OSI model. (Source: Wikipedia)
Purpose of the OSI model: the OSI model divides the functions of a protocol into a series of layers. Each layer has the property that it uses only the functions of the layer below it, and in turn exposes its own functions only to the layer above it. A system that implements the protocols as such a series of layers is called a protocol stack. A protocol stack may be implemented in hardware, in software, or in a combination of both. Usually only the lower layers are implemented in hardware; the other layers are implemented in software.
The OSI model is only loosely respected by the networking and IT industry. Its main feature is that it specifies the interfaces between layers, that is, it specifies the method by which the layers communicate with each other. This means that even when the layers are written and designed by different vendors or companies, they work together when assembled (assuming the specifications are interpreted correctly). In the TCP/IP community these specifications are known as RFCs (Requests for Comments); in the OSI community they are ISO standards.
Usually the implementation of a protocol is arranged in layers, following the protocol specification, but there are exceptions, known as "fast paths". In a fast-path design, the most common transactions the system allows are implemented as a single component in which the functions of several layers are merged into one. Dividing the protocol's functions sensibly makes it easier to reason about the function and operation of protocol stacks, which in turn helps in designing stacks that are detailed yet highly reliable. Each layer performs and provides services to the layer directly above it, and requires services from the layer directly below it. As noted above, an implementation comprising several OSI layers is usually called a protocol stack (for example, the TCP/IP stack).
The OSI reference model is a seven-layer hierarchy that defines the requirements for communication between two computers. It was defined by the International Organization for Standardization (ISO) in standard 7498-1
(ISO standard 7498-1). The purpose of the model is to allow interoperability between diverse platforms supplied by different vendors. The model lets all components of the network work in harmony regardless of who built them. In the late 1980s ISO promoted implementation of the OSI model as a networking standard. By then TCP/IP had already been in widespread use for many years. TCP/IP was the foundation of ARPANET and of the other networks that evolved into the Internet. (See RFC 871 for the main differences between TCP/IP and ARPANET.) Today only part of the OSI model is used. Many believe that most of the OSI specifications are too complex and that fully implementing all of their functions would take far too long, however enthusiastic the model's supporters may be.
Details of the OSI layers:
Layer 1: Physical layer. The physical layer defines all electrical and physical specifications for devices, including pin layouts, voltages, and cable specifications. Physical-layer devices include hubs, repeaters, network adapters and host bus adapters (HBAs, used in storage area networks). The basic functions and services performed by the physical layer include: establishing or terminating an electrical connection
with a transmission medium; taking part in the process by which communication resources are shared effectively among several users, for example resolving contention and performing flow control; and modulation, that is, converting between the digital data representation of user devices and the corresponding signals transmitted over the communication channel. The parallel SCSI bus operates at this layer. The various Ethernet physical-layer standards also belong here; Ethernet merges the physical layer and the data link layer. The same is true of local area networks such as Token Ring, FDDI and IEEE 802.11.
Layer 2: Data Link layer. The data link layer provides the functional and procedural means to transfer data between network entities, and to detect and possibly correct errors occurring in the physical layer. Addressing is physical: the address (the MAC address) is hard-coded into network cards when they are manufactured. This addressing scheme is flat, with no hierarchy. Note: the most typical example is Ethernet. Other examples of data link protocols are HDLC and ADCCP for point-to-point or packet-switched networks, and Aloha for local area networks. In IEEE 802 local area networks, and in some other networks such as FDDI, the data link layer may be divided into two sublayers: the MAC (Media Access Control) sublayer and the LLC (Logical Link Control) sublayer, per IEEE 802.2. The data link layer is where bridges and switches operate. Connectivity is provided only between nodes connected within the local network. There is, however, a reasonable argument that these devices really belong to layer 2.5 rather than purely to layer 2.
Layer 3: Network layer. The network layer provides the functions and procedures for transferring variable-length data sequences from a source to a destination through one or more networks, while maintaining the quality of service required by the transport layer. The network layer performs routing. Routers operate at this layer, sending data across the wider network and making internetworking possible (there are also layer-3 switches, also called IP switches). It uses a logical addressing scheme whose values are chosen by the network engineer; the scheme is hierarchical. The typical example of a layer-3 protocol is IP.
Layer 4: Transport layer. The transport layer provides a dedicated service for transferring data between end users, so that the upper layers need not concern themselves with providing reliable and efficient data transfer. The transport layer controls the reliability of a given connection. Some protocols are state- and connection-oriented, meaning the transport layer can track packets and retransmit those that fail. A typical layer-4 protocol is TCP. This is the layer where messages are converted into TCP or UDP packets. At layer 4 the addresses are ports, and it is through ports that the communicating applications are distinguished.
Layer 5: Session layer. The session layer controls the dialogues (sessions) between computers. It establishes, manages and terminates the connections between the local and the remote application. It also supports full-duplex, half-duplex or simplex operation and establishes checkpointing procedures, which allow faster recovery of communication when an error occurs because a checkpoint was marked, as well as adjournment, termination and restart. The OSI model assigns this layer responsibility for the graceful close of sessions (a property of the TCP transport protocol) and for session checking and recovery, which is generally not used in the TCP/IP protocol suite.
Layer 6: Presentation layer. The presentation layer acts as the data layer of the network. On the sending computer it translates the data sent from the application layer into a common format; on the receiving computer it converts from the common format back into the application layer's format. The presentation layer performs the following functions:
- Translating character codes, for example from ASCII to EBCDIC.
- Converting data, for example from integers to floating point.
- Compressing data to reduce the amount transmitted over the network.
- Encrypting and decrypting data to ensure confidentiality on the network.
Layer 7: Application layer. The application layer is the layer closest to the user. It provides the means for users to access information and data on the network through application programs. This layer is the main interface through which the user interacts with the application, and through it with the network. Examples of applications at this layer include Telnet, the File Transfer Protocol (FTP), the Simple Mail Transfer Protocol (SMTP), HTTP, and X.400 mail.
An easy-to-understand illustration of the OSI model using real-world forms of information exchange: [figure]
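As an added example that is not part of the original document, the following Python script makes the layering described above concrete: it encapsulates an application payload top-down (port numbers at layer 4, logical IP addresses at layer 3, flat MAC addresses at layer 2) and then parses the resulting frame bottom-up, verifying the IPv4 and TCP checksums the way a receiving stack does. The MAC addresses, IP addresses, ports and HTTP payload are constructed sample values, not taken from the page.

```python
"""Added example: top-down encapsulation and bottom-up decapsulation of a
TCP/IP packet, with each header labelled by the OSI layer it belongs to.
All addresses, ports and payload below are constructed sample values."""
import struct

# Constructed sample values (documentation address ranges, not real hosts)
SRC_MAC, DST_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SRC_IP, DST_IP = "192.0.2.10", "198.51.100.20"
ETHERTYPE_IPV4, PROTO_TCP = 0x0800, 6
TCP_PSH_ACK = 0x18


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (used by IPv4 and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_tcp(src_ip, dst_ip, sport, dport, seq, flags, payload: bytes) -> bytes:
    """Layer 4 (Transport): port numbers identify the application at each end."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    # TCP's checksum also covers a pseudo-header carrying the layer-3 addresses
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, PROTO_TCP, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_ipv4(src_ip, dst_ip, proto, segment: bytes, ttl=64) -> bytes:
    """Layer 3 (Network / Internet): hierarchical logical addresses chosen by the engineer."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                      ttl, proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    csum = checksum(hdr)                    # the IPv4 checksum covers the header only
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + segment


def build_ethernet(src_mac, dst_mac, ethertype, packet: bytes) -> bytes:
    """Layer 2 (Data Link): flat, burned-in MAC addresses."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + packet


def parse_frame(frame: bytes) -> dict:
    """Peel the frame bottom-up, verifying each layer's checksum as a receiving stack does."""
    out = {"l2_data_link": {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
                            "ethertype": struct.unpack("!H", frame[12:14])[0]}}
    pkt = frame[14:]
    ihl = (pkt[0] & 0x0F) * 4
    ver, _, tot_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    out["l3_network"] = {"version": ver >> 4, "ttl": ttl, "proto": proto,
                         "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
                         "checksum_ok": checksum(pkt[:ihl]) == 0}   # a valid header sums to 0
    seg = pkt[ihl:tot_len]
    sport, dport, seq, _, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", seg[:20])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(seg))
    out["l4_transport"] = {"sport": sport, "dport": dport, "seq": seq, "flags": flags,
                           "checksum_ok": checksum(pseudo + seg) == 0}
    out["l7_application"] = {"payload": seg[(off >> 4) * 4:]}
    return out


def demo() -> dict:
    """Encapsulate an HTTP request top-down, then decapsulate it bottom-up."""
    payload = b"GET / HTTP/1.0\r\n\r\n"                      # layer 7 data
    seg = build_tcp(SRC_IP, DST_IP, 40000, 80, 1000, TCP_PSH_ACK, payload)
    pkt = build_ipv4(SRC_IP, DST_IP, PROTO_TCP, seg)
    frame = build_ethernet(SRC_MAC, DST_MAC, ETHERTYPE_IPV4, pkt)
    return parse_frame(frame)


if __name__ == "__main__":
    for layer, fields in demo().items():
        print(layer, fields)
```

Decrementing the TTL byte of the frame (what every router does at layer 3) breaks the IPv4 header checksum but leaves the TCP checksum valid, because the TCP pseudo-header covers only the addresses, protocol and length; that separation of responsibilities between layers is exactly what the model above describes. The Ethernet FCS (a layer-2 CRC appended by the network card) is not modelled here.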
b. The TCP/IP network model
TCP/IP (the Internet protocol suite, IP suite, or TCP/IP protocol suite) is a set of communication protocols that implements the protocol stack on which the Internet and most commercial computer networks run. The suite is named after its two main protocols, TCP (Transmission Control Protocol) and IP (Internet Protocol), which were also the first two protocols defined. Like many other protocol suites, TCP/IP can be viewed as a set of layers, each of which solves a set of problems related to data transmission and provides the protocols of the layer above with a well-defined service built on the services of the lower layers. Logically, the upper layers are closer to the user and work with more abstract data, relying on the lower-layer protocols to transform the data into forms that can ultimately be transmitted physically.
The OSI model describes a fixed set of 7 layers that some manufacturers adopt, and it can be compared loosely with the TCP/IP suite. The comparison can cause confusion, but it can also bring a deeper understanding of the TCP/IP suite.
Application layer: applications such as DNS, TFTP, TLS/SSL, FTP, HTTP, IMAP, IRC, NNTP, POP3, SIP, SMTP, SNMP, SSH, TELNET, ECHO, BitTorrent, RTP, PNRP, rlogin and ENRP. Routing protocols such as BGP and RIP, which for various reasons run over TCP and UDP respectively (BGP uses TCP, RIP uses UDP), can be considered part of either the application layer or the network layer.
Transport layer: protocols such as TCP, UDP, DCCP, SCTP, IL and RUDP. Routing protocols such as OSPF (Open Shortest Path First), which run directly over IP, can also be considered part of either the transport layer or the network layer. ICMP (Internet Control Message Protocol) and IGMP (Internet Group Management Protocol) run over IP and can be considered part of the network layer.
Network layer: IP (IPv4, IPv6). ARP (Address Resolution Protocol) and RARP (Reverse Address Resolution Protocol) operate below IP but above the link layer, so they can be said to sit between the two layers.
Link layer: protocols such as Ethernet, Wi-Fi, Token Ring, PPP, SLIP, FDDI, ATM, Frame Relay and SMDS.
c. Comparing the TCP/IP and OSI models
The TCP/IP model is simpler than the OSI model but still expresses the process of communication over the network. The TCP/IP model is divided into 4 layers:
OSI Model            TCP/IP Model
7. Application       4. Application
6. Presentation      4. Application
5. Session           4. Application
4. Transport         3. Transport
3. Network           2. Internet
2. Data Link         1. Network Access
1. Physical          1. Network Access
d. Structure of IP, TCP, UDP and ICMP packets
To do security research you must clearly understand the packet structure of each layer, so that you can read and analyze packets.
(Figure: encapsulation of information through the layers of the TCP/IP model.)
Structure of the IPv4 packet
This is the structure of an IPv4 packet: it consists of a Header and Data. The header comprises 160 or 192 bits; the rest is Data. The address fields are 32 bits each.
Structure of the IPv6 packet
An IPv6 packet also consists of two parts, Header and Data. The packet header is 40 octets (320 bits), of which the IPv6 address is 128 bits.
Structure of the TCP packet
A TCP packet consists of two parts, Header and Data; the header is 192 bits.
Three steps to open a TCP connection:
+ Step I: the Client sends the Server a SYN packet.
+ Step II: the Server replies to the Client with a SYN/ACK packet.
+ Step III: when the Client receives the SYN/ACK it sends the Server an ACK packet, and the exchange of information between the two hosts begins.
Four steps to close a TCP connection:
+ Step I: the Client sends the Server a FIN ACK packet.
+ Step II: the Server sends the Client an ACK packet.
+ Step III: the Server in turn sends the Client a FIN ACK packet.
+ Step IV: the Client sends the Server an ACK packet, and the disconnection between Server and Client is complete.
Structure of the UDP packet
A UDP packet consists of two parts, Header and Data; the header is 64 bits.
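The three-step open and four-step close above can be followed mechanically by a state tracker. The following is an added example, not part of the original document: it replays constructed observations of TCP flags (direction given relative to the client) through a transition table and reports the connections that began a handshake but never reached the established state, which is the half-open count a defender watches when a flood of unanswered SYNs is suspected. The connection identifiers, state names and flag sequences are all constructed for the example.

```python
"""Follow TCP connection state from observed flags (added example, constructed data)."""
from collections import defaultdict

# Each observation is (connection_id, direction, flags); direction is relative to
# the client: "c>s" client to server, "s>c" server to client. The segments below
# are constructed for the example, not captured traffic.
SAMPLE_SEGMENTS = [
    ("conn-1", "c>s", {"SYN"}),            # step I of the open
    ("conn-1", "s>c", {"SYN", "ACK"}),     # step II
    ("conn-1", "c>s", {"ACK"}),            # step III: established
    ("conn-1", "c>s", {"PSH", "ACK"}),     # data exchange, leaves the state alone
    ("conn-1", "c>s", {"FIN", "ACK"}),     # step I of the close
    ("conn-1", "s>c", {"ACK"}),            # step II
    ("conn-1", "s>c", {"FIN", "ACK"}),     # step III
    ("conn-1", "c>s", {"ACK"}),            # step IV: closed
    ("conn-2", "c>s", {"SYN"}),
    ("conn-2", "s>c", {"SYN", "ACK"}),     # client never completes: half-open
    ("conn-3", "c>s", {"SYN"}),            # server never answered: half-open
]

# (current state, direction, flags) -> next state; any other segment is ignored.
# The state names are this example's labels for the steps in the text.
TRANSITIONS = {
    ("CLOSED", "c>s", frozenset({"SYN"})): "SYN_SENT",
    ("SYN_SENT", "s>c", frozenset({"SYN", "ACK"})): "SYNACK_SEEN",
    ("SYNACK_SEEN", "c>s", frozenset({"ACK"})): "ESTABLISHED",
    ("ESTABLISHED", "c>s", frozenset({"FIN", "ACK"})): "FIN_SENT",
    ("FIN_SENT", "s>c", frozenset({"ACK"})): "FIN_ACKED",
    ("FIN_ACKED", "s>c", frozenset({"FIN", "ACK"})): "PEER_FIN_SEEN",
    ("PEER_FIN_SEEN", "c>s", frozenset({"ACK"})): "CLOSED",
}

def track(segments):
    """Return {connection_id: state} after replaying the observations in order."""
    state = defaultdict(lambda: "CLOSED")
    for conn, direction, flags in segments:
        key = (state[conn], direction, frozenset(flags))
        if key in TRANSITIONS:
            state[conn] = TRANSITIONS[key]
    return dict(state)

def half_open(states):
    """Connections that began the three-step open but never reached ESTABLISHED."""
    return sorted(c for c, s in states.items() if s in ("SYN_SENT", "SYNACK_SEEN"))

if __name__ == "__main__":
    final = track(SAMPLE_SEGMENTS)
    print(final)
    print("half-open:", half_open(final))
```

A real tracker would also key on addresses and ports and age out entries; the point here is that the open and close sequences in the text are a small state machine, and a connection stuck in one of the two pre-established states is the signal worth counting.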
Structure of the ICMP packet
Type (8 bits) [8 bits used to identify the ICMP type]
Code (8 bits) [each Type can have its own specific codes describing the variant]
Checksum (16 bits) [the checksum is 16 bits]
Message (not fixed) [depends on the type and code]
e. Commonly used ports
Many services can communicate at the same time over one connection, each service using a particular port. When studying security we should also know the commonly used ports:
Protocol          Port
FTP               20/21
SSH               22
Telnet            23
SMTP              25
DNS               53
TFTP              69
HTTP              80
POP3              110
SNMP              161/162
HTTPS             443
SMB               445
NetBIOS           135, 137, 139
VPN               1723, 500
Remote Desktop    3389
f. Using a sniffer tool to analyze IP, ICMP, UDP and TCP packets
Practice: install Wireshark and Colasoft for analysis.
g. Analyzing individual packets and whole connection sessions
Practice: install Wireshark and Colasoft for analysis.
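What Wireshark or Colasoft display for the headers above can be reproduced by hand from the byte layouts. The code below is an added example and is not from the original document: it decodes the IPv4 header, verifies the IPv4 header checksum, then decodes the TCP, UDP or ICMP header that follows, using three packets constructed inline (addresses, ports and payload bytes are sample values) so that it runs without a capture file. It does not verify the TCP and UDP checksums, which need the IP pseudo-header.

```python
"""Parse IPv4, TCP, UDP and ICMP headers from raw bytes (added example)."""
import struct

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 .. bit 5

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def dotted(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)

def parse_tcp(seg: bytes) -> dict:
    sport, dport, seq, ack, off, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": (off >> 4) * 4,    # data offset counts 32-bit words
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
            "window": window}

def parse_udp(seg: bytes) -> dict:
    sport, dport, length, _csum = struct.unpack("!HHHH", seg[:8])
    return {"sport": sport, "dport": dport, "length": length, "header_len": 8}

def parse_icmp(seg: bytes) -> dict:
    typ, code, _csum = struct.unpack("!BBH", seg[:4])
    # the ICMP checksum covers the whole message, so a valid one sums to zero
    return {"type": typ, "code": code, "checksum_ok": inet_checksum(seg) == 0, "message": seg[4:]}

def parse_ipv4(pkt: bytes) -> dict:
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes (20 without options)
    info = {"version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len, "ttl": ttl,
            "protocol": proto, "src": dotted(src), "dst": dotted(dst),
            "checksum_ok": inet_checksum(pkt[:ihl]) == 0}
    payload = pkt[ihl:total_len]
    if proto == 6:
        info["tcp"] = parse_tcp(payload)
    elif proto == 17:
        info["udp"] = parse_udp(payload)
    elif proto == 1:
        info["icmp"] = parse_icmp(payload)
    return info

# --- constructed sample packets (sample addresses from the documentation range) ---
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]   # fill in the checksum
    return hdr + payload

SYN_PACKET = build_ipv4("192.0.2.10", "192.0.2.80", 6,
                        struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0))
DNS_PACKET = build_ipv4("192.0.2.10", "192.0.2.53", 17,
                        struct.pack("!HHHH", 53000, 53, 12, 0) + b"\xab\xcd\x01\x00")
_echo = struct.pack("!BBH", 8, 0, 0) + b"\x00\x01\x00\x01"
ECHO_PACKET = build_ipv4("192.0.2.10", "192.0.2.1", 1,
                         _echo[:2] + struct.pack("!H", inet_checksum(_echo)) + _echo[4:])

if __name__ == "__main__":
    for p in (SYN_PACKET, DNS_PACKET, ECHO_PACKET):
        print(parse_ipv4(p))
```

The same struct layouts are what the figures of the IPv4, TCP, UDP and ICMP headers show: the field widths in the format strings are the bit widths listed in the text, and flipping any header byte makes the checksum test fail.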
3. The concept of Access Control
Before being granted any authority, everyone accesses the system with the rights of the Anonymous user. After the user has been authenticated (Authentication), the system grants them the authority to use resources (Authorization), and the whole of the user's access is monitored and recorded (Accounting).
a. Access Control Systems
Resources can only be accessed by authenticated individuals. Managing a user's access to resources goes through these steps:
- Identification: the process of identifying the user; the user supplies identifying information to the system.
- Authentication: the step that verifies the user; the user supplies information confirming their identity and the system authenticates it by one of many different methods.
- Authorization: the authority to access resources that the system grants the user after authentication.
- Accounting: the system monitors and records the user's access to the various resource areas.
Every access control system must have three basic elements:
- Subjects: all the entities that can be granted access rights. Think of them as the Users/Groups in the system.
- Objects: the resources being used.
- Access Permissions: used to grant Subjects access rights to Objects. (For example, a User is a Subject, a folder is an Object, and the Permission is the right assigned to the User to access the Folder.)
The table of Access Permissions for one object is called an Access Control List (ACL); the ACLs of the whole system are recorded in the table of Access Control Entries (ACEs).
b. Principles for setting up Access Control
Whoever writes the security policy must lay down principles for administering system resources that ensure the best possible security for the resources while still letting users do their work. The principles are:
- Principle of Least Privilege: users (Subjects) are assigned the smallest set of permissions (minimum permissions) on resources (Objects) that still lets them do their work.
- Principle of Separation of Duties and Responsibilities: important systems must be divided into separate components so that control can be delegated sensibly.
- Principle of Need to Know: users access only those resource areas that they need, and understand, for their work.
c. Types of Access Control
Resources come in many forms and users are many kinds of entity, so we need to use suitable forms of access control for the data.
- Mandatory Access Control (MAC)
+ A control method that relies on a rule base to assign access rights to entities.
+ Rights are assigned to entities by dividing the resources into different classes (classification of resources).
+ This access control method is usually applied in government organizations and companies.
+ Example: in a brewery the resource areas are divided into Public (the website), Private (accounting data) and Confidential (the beer recipe). Each resource area has its own set of entities allowed to access it, and this control of access is Mandatory Access Control.
- Discretionary Access Control (DAC)
+ Users (Subjects) have their access controlled through ACLs.
+ Access to data can be divided into different levels (for example NTFS Permissions, where Users/Groups are assigned levels such as Full control, Modify and Read).
+ Access Control Lists can be used when assigning Permissions to resources, or on routers and firewalls. Using ACLs is the Discretionary Access Control method.
(Figure: the Access Control List table of NTFS Permissions.)
- Role-Based Access Control
+ The administrator assigns rights to the user based on the user's role. A user's rights may be the tasks the user is allowed to carry out on the system.
+ For example, the administrator can assign a User rights such as Shutdown, change network settings, remote desktop, backup and others, depending on the user's role.
+ In Microsoft Windows this access control method can be understood as assigning User Rights.
+ (Figure: example of configuring User Rights on a Microsoft system.)
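The ACL/ACE evaluation described in section a and the three models above (MAC, DAC, RBAC) can be put side by side in a few dozen lines. The following is an added example, not from the original document; the user names, group memberships, clearances, labels and roles are constructed. The DAC part follows the NTFS rule that an explicit deny entry wins over any allow entry for the same trustee or group. The MAC part uses the brewery's three classes, Public, Private and Confidential, ordered as levels with the Bell-LaPadula "no read up, no write down" rules; that ordering and those rules are this example's assumption, since the text only says each class has its own permitted entities. The RBAC part maps roles to the Windows-style User Rights named in the text.

```python
"""DAC via ACLs, MAC via classification labels, RBAC via roles (added example)."""
from dataclasses import dataclass
from typing import FrozenSet

# Constructed directory: user -> groups (hypothetical names)
GROUPS = {"alice": {"accounting"}, "bob": {"marketing"}, "carol": {"accounting", "admins"}}

# ---------- DAC: each object carries an ACL made of ACEs ----------
@dataclass(frozen=True)
class ACE:
    trustee: str               # user or group the entry applies to
    kind: str                  # "allow" or "deny"
    rights: FrozenSet[str]     # e.g. {"read", "modify", "full_control"}

ACLS = {
    "finance/ledger.xlsx": (
        ACE("accounting", "allow", frozenset({"read", "modify"})),
        ACE("admins", "allow", frozenset({"full_control", "read", "modify"})),
        ACE("bob", "deny", frozenset({"read"})),
    ),
    "public/website": (ACE("everyone", "allow", frozenset({"read"})),),
}

def dac_check(obj: str, user: str, right: str) -> bool:
    """NTFS-style evaluation: a matching deny entry wins over any matching allow entry."""
    trustees = {user, "everyone"} | GROUPS.get(user, set())
    matching = [ace for ace in ACLS.get(obj, ()) if ace.trustee in trustees and right in ace.rights]
    if any(ace.kind == "deny" for ace in matching):
        return False
    return any(ace.kind == "allow" for ace in matching)

# ---------- MAC: labels on objects, clearances on subjects ----------
LEVELS = {"public": 0, "private": 1, "confidential": 2}   # the brewery's three classes, ordered
CLEARANCE = {"alice": "private", "bob": "public", "carol": "confidential"}
LABELS = {"website": "public", "accounting-data": "private", "beer-recipe": "confidential"}

def mac_check(user: str, obj: str, right: str) -> bool:
    """Bell-LaPadula rules (this example's assumption): read only at or below your clearance,
    write only at or above it, so confidential data cannot flow down to a lower class."""
    s, o = LEVELS[CLEARANCE[user]], LEVELS[LABELS[obj]]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    return False

# ---------- RBAC: rights hang off roles, users are given roles ----------
ROLE_RIGHTS = {"operator": {"shutdown", "backup"},
               "netadmin": {"change_network_settings", "remote_desktop"}}
USER_ROLES = {"alice": {"operator"}, "carol": {"operator", "netadmin"}}

def rbac_check(user: str, right: str) -> bool:
    return any(right in ROLE_RIGHTS[role] for role in USER_ROLES.get(user, set()))

if __name__ == "__main__":
    print("DAC  bob read ledger:", dac_check("finance/ledger.xlsx", "bob", "read"))
    print("MAC  bob read recipe:", mac_check("bob", "beer-recipe", "read"))
    print("RBAC carol remote desktop:", rbac_check("carol", "remote_desktop"))
```

The three checks answer the same question, "may this subject do this to this object", from different data: the object's own ACL for DAC, a pair of labels for MAC, and the subject's role set for RBAC. A real system usually layers them, for example a MAC label check followed by an ACL check.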
In addition, Access Control can be divided into two forms:
- Centralized Access Control (CAC)
Authentication and the granting of authority are performed centrally for the whole system. Three commonly used centralized access control methods are:
+ Remote Authentication Dial-In User Service (RADIUS)
+ Terminal Access Controller Access Control System (TACACS)
+ Active Directory
- Decentralized Access Control Systems (DACS)
A control method made up of several different CACs within one organization, integrated into different systems regardless of hardware and software.
Based on the actions taken with the system, Access Control can also be divided into types:
+ Administrative Controls
4. The concept of Authentication
a. Factors for identifying and authenticating users
Methods of authenticating users are based on these basic factors:
- Something you KNOW: based on something you know (e.g. user/password)
- Something you HAVE: based on something you have (e.g. to withdraw cash from an ATM you must have the card)
- Something you ARE: based on something you are (e.g. fingerprint, voice)
b. Authentication methods
In practice there are quite a few methods of authenticating users in IT, and each form of authentication may suit one or more different services. Below I present some authentication methods commonly used in IT.
- PAP - Password Authentication Protocol
PAP is used by remote users who need to authenticate over PPP connections. PAP provides the ability to identify and authenticate users when they connect from a remote system. This authentication protocol requires the user to enter a password before being authenticated. The Username and Password are transmitted over the network after the connection has been established over PPP. The authentication server holds the authentication data; the information the user enters is sent to this server. The whole Username/Password travels over the network completely unencrypted (cleartext).
- CHAP - Challenge Handshake Authentication Protocol
CHAP is an authentication method created to overcome the weaknesses and vulnerabilities of PAP. CHAP uses a challenge/response method to authenticate the user. When a user wants to establish a PPP connection, both sides must agree to use CHAP authentication. The challenge is encrypted using the password and an encryption key. CHAP's operation is described in the model below:
- Kerberos
An authentication method in which the User/Password is not transmitted over the network (e.g. Microsoft Active Directory uses Kerberos authentication). Kerberos authentication can be described like going to the cinema:
+ First the user must have a User/Password with authority (to see a film you must have money).
+ The user requests a service (the viewer wants to see a film showing at a certain time).
+ The user hands their credential to the authenticator (hands over money to buy a ticket).
+ The KDC server issues the user a credential for accessing the service (the box office hands the buyer a ticket).
+ The user takes the issued credential to the service server (the viewer takes the ticket to the screening room, where the usher checks it).
Kerberos can be described in the following steps:
- Multi factor
Multi-factor authentication. For example, to use a bank's ATM service you need the bank card + a PIN (this is authentication based on 2 factors). Some services also combine several authentication methods to raise the level of security.
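The practical difference between PAP and CHAP described above is what crosses the link. The following is an added example, not from the original document: the PAP side puts the password itself on the wire, while the CHAP side implements the RFC 1994 response, an MD5 hash over the identifier, the shared secret and a fresh random challenge, so the secret never leaves either end and a response captured for one challenge is useless against the next. The user name and secret are constructed.

```python
"""PAP versus CHAP: what travels over the link (added example, constructed credentials)."""
import hashlib
import hmac
import secrets

USER_DB = {"remote-user": b"correct horse battery staple"}   # constructed secret, hypothetical user

# ---- PAP: the credential crosses the link as-is ----
def pap_request(username: str, password: bytes) -> bytes:
    """What the peer sends: user name and password, readable by anyone sniffing the link."""
    return username.encode() + b"\x00" + password

def pap_verify(request: bytes) -> bool:
    username, _, password = request.partition(b"\x00")
    stored = USER_DB.get(username.decode())
    return stored is not None and hmac.compare_digest(stored, password)

# ---- CHAP (RFC 1994): response = MD5(identifier || secret || challenge) ----
def chap_challenge():
    """Authenticator side: a one-octet identifier and a random challenge value."""
    return secrets.randbelow(256), secrets.token_bytes(16)

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: hash the identifier, the secret and the challenge; the secret itself stays local."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(username: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute from the stored secret and compare in constant time."""
    stored = USER_DB.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)

def chap_exchange(username: str, secret_at_peer: bytes) -> bool:
    """Run one full challenge/response round between the two sides."""
    ident, challenge = chap_challenge()                          # authenticator -> peer
    response = chap_response(ident, secret_at_peer, challenge)   # peer -> authenticator
    return chap_verify(username, ident, challenge, response)

def replay_succeeds(username: str) -> bool:
    """A response captured for one challenge, replayed against a fresh challenge."""
    old_ident, old_challenge = 7, b"A" * 16
    captured = chap_response(old_ident, USER_DB[username], old_challenge)
    new_ident, new_challenge = chap_challenge()
    return chap_verify(username, new_ident, new_challenge, captured)

if __name__ == "__main__":
    print("PAP on the wire:", pap_request("remote-user", USER_DB["remote-user"]))
    print("CHAP ok:", chap_exchange("remote-user", USER_DB["remote-user"]))
    print("replayed CHAP response accepted:", replay_succeeds("remote-user"))
```

Note that CHAP still requires the authenticator to hold the secret in a recoverable form, because it must recompute the hash; that is the trade-off that later methods such as Kerberos address differently.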
- Certificate
A widely used authentication method on the Internet that gives users a secure means of authentication. When encrypted content is sent, only the Private Key can decrypt it, and the Private Key is normally not transmitted over the network. Example of the normal authentication process when a user accesses Gmail:
Step 1: the user accesses gmail.com.
Step 2: Gmail sends its information to Verisign to obtain a Certificate.
Step 3: Verisign returns to Gmail a Certificate including a Public Key and a Private Key.
Step 4: Gmail sends the user the Public Key with which to encrypt the authentication information.
Step 5: the user encrypts with the Public Key and sends the result to Gmail.
Step 6: Gmail decrypts with the Private Key.
This authentication method is not safe when the machine is infected with malware such as a keylogger; the user can still lose their User/Password.
- RSA
RSA is a reliable and secure authentication method for authenticating and transmitting information on the Internet. RSA overcomes some of the weaknesses of Certificate authentication. It is the method commonly used in banking transactions.
- Biometric
An authentication method that uses biometrics to identify the user by features such as fingerprint, veins, iris, voice or face.
5. Authorization
a. Basics of Authorization
Authorization (in Vietnamese: sự cấp quyền, the granting of rights) is the granting of rights to a user in a system after the user has authenticated (Authentication). Authorization expresses the rights that the user may exercise on the system. Authorization works directly with Access Control.
Example: in the Windows authorization system, after the user logs in (Authentication) the system grants rights over:
- Files and folders, through NTFS Permissions: read, write, delete and modify rights. These are the permissions the user is granted over files and folders.
- The system itself, through User Rights: granting the user rights to change the system, such as remote desktop or changing network card parameters.
b. Authorization methods
RADIUS
Remote Authentication Dial-in User Service (RADIUS) provides authentication and access control using the UDP protocol, for centralized authentication across the whole network. RADIUS can be used for VPN or RAS users, or to provide authentication for any service that uses RADIUS.
(Figure: RADIUS authentication model for a Wi-Fi system.)
Kerberos
Similar to the Authentication section.
TACACS
Terminal Access Controller Access Control System (TACACS) controls access by authenticating and granting authority in UNIX networks. It operates much like RADIUS: when a system needs to authenticate someone it passes the Username and Password to the TACACS server, which authenticates them and grants access rights. TACACS uses the UDP and TCP services on port 49.
TACACS+
Extended Terminal Access Controller Access Control System Plus (TACACS+) is a variant of TACACS. Like RADIUS, the TACACS+ protocol provides authentication and authorization with an Accounting feature, for centralized authorization with authentication requirements.
LDAP
Lightweight Directory Access Protocol (LDAP) provides access to directory services and is integrated into Microsoft Active Directory. LDAP was created as a lightweight subset of the X.500 Directory Access Protocol and uses port 389. LDAP is used very widely in directory services such as Directory Service Markup Language (DSML), Service Location Protocol (SLP) and Microsoft Active Directory.
XTACACS
A version of the TACACS system developed and supplied by Cisco, called Extended Terminal Access Controller Access Control System (XTACACS). The service extends the TACACS protocol with support for Accounting and Auditing, two features otherwise found only in TACACS+ and RADIUS.
IEEE 802.1x
IEEE 802.1x is a standard for wireless that uses a port depending on the service providing authentication and authorization, such as RADIUS or TACACS+. This protocol can be used to secure WPA/WPA2. IPsec is also a fairly common protocol that is combined with IEEE 802.1x to provide security for the network.
6. The concept of Accounting
Monitoring is managing how access to the system takes place and how that access proceeds.
- Monitoring lets the administrator determine who caused a fault and what the fault was, so the administrator knows exactly what is needed to restore the system as quickly as possible.
- Monitoring is also how the administrator detects intruders who have entered the system illegitimately, and blocks attacks.
- Who accesses the system and what they do must be managed because, in practice, 60% of attacks come from inside the system and 40% from the Internet. Preventing attacks from inside the network is very hard because insiders understand the system and its security mechanisms.
- The administrator monitors the attributes of access and authentication in order to detect attacks and threats to the system.
- Displaying connections is also very important; through the connections you can identify where the attacker comes from and what they did.
Monitoring of access and authentication relies on the following main signals to detect vulnerabilities and attacks: repeated failed access, connections using a protocol that does not exist in the system, repeated logins with a wrong password, detected network scans, etc.
Monitoring procedure:
System monitoring: monitor every Logon process, every access-control process and the processes of the programs running in the system.
Monitor network access: the protocols, the connections, mail and other access features.
Monitor the backup feature.
Monitor the availability, readiness and stability of information.
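The signals listed above (repeated failed logins, a protocol that should not be on the network, a network scan) are what the monitoring procedure looks for in logs. The code below is an added example, not from the original document: it scans a handful of constructed syslog-style lines (host names, addresses, ports and thresholds are invented for the example) and returns the alerts a monitor would raise, so the rules can be tuned before they are pointed at real logs.

```python
"""Detect the monitoring signals named in the text from sample log lines (added example)."""
import re
from collections import Counter, defaultdict

# Constructed log lines in a syslog-like shape; not taken from a real system.
SAMPLE_LOG = """\
Jul 07 10:00:01 srv1 sshd[811]: Failed password for admin from 203.0.113.7 port 50211 ssh2
Jul 07 10:00:03 srv1 sshd[811]: Failed password for admin from 203.0.113.7 port 50212 ssh2
Jul 07 10:00:05 srv1 sshd[811]: Failed password for root from 203.0.113.7 port 50213 ssh2
Jul 07 10:00:07 srv1 sshd[811]: Failed password for admin from 203.0.113.7 port 50214 ssh2
Jul 07 10:00:09 srv1 sshd[811]: Failed password for admin from 203.0.113.7 port 50215 ssh2
Jul 07 10:00:20 srv1 sshd[812]: Accepted password for alice from 192.0.2.15 port 40001 ssh2
Jul 07 10:01:00 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=21
Jul 07 10:01:00 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=22
Jul 07 10:01:01 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=23
Jul 07 10:01:01 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=25
Jul 07 10:01:02 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=80
Jul 07 10:01:02 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=110
Jul 07 10:01:03 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.15 DST=192.0.2.10 PROTO=TCP DPT=443
Jul 07 10:02:00 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.15 DST=192.0.2.10 PROTO=GRE
"""

FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+) port \d+")
FW_RE = re.compile(r"(DROP|ACCEPT) IN=\S+ SRC=(\S+) DST=(\S+) PROTO=(\S+)(?: DPT=(\d+))?")

FAILED_LOGIN_THRESHOLD = 3                   # failures from one source before alerting (example value)
SCAN_PORT_THRESHOLD = 5                      # distinct dropped destination ports from one source
ALLOWED_PROTOCOLS = {"TCP", "UDP", "ICMP"}   # protocols expected on this network (example policy)

def analyze(log_text):
    """Return a list of (alert_type, source, detail) tuples for the three signals."""
    failed = Counter()                # source address -> failed login count
    ports_by_src = defaultdict(set)   # source address -> dropped destination ports
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = FW_RE.search(line)
        if m:
            action, src, _dst, proto, dport = m.groups()
            if proto not in ALLOWED_PROTOCOLS:
                alerts.append(("unexpected-protocol", src, proto))
            if action == "DROP" and dport:
                ports_by_src[src].add(int(dport))
    for src, n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("repeated-failed-login", src, n))
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(("port-scan", src, len(ports)))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The thresholds are the part that needs tuning per environment; the structure (one counter per signal, one pass over the lines) is what scales to a real log volume.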
7. The CIA security triangle
When analyzing a security system we need a methodology. Some data areas require confidentiality of the information, some data areas require integrity, and all data must be served when requested, which is the availability of the system.
- Confidentiality of information
- Integrity of information
- Availability of the system
These are the three corners of the CIA security triangle for an object that must be protected:
a. Confidentiality
Confidentiality of information is the level of security needed to ensure that important data is not leaked or disclosed. An attacker can use many methods to obtain the information they want, such as monitoring the network, stealing files containing passwords, or Social engineering. Information can also be disclosed because strong encryption was not used when transmitting or storing it. Confidentiality is represented by the READ permission.
b. Integrity
Integrity of information is the level of security needed to ensure that information can be trusted not to have been altered, or to have been modified only by authorized persons. An attacker can use many methods to alter the information they target, such as breaking in by bypassing authentication or exploiting a security vulnerability of the system. This is an important level of information security: every year many organizations and businesses are attacked through security vulnerabilities and have their data altered. Integrity is represented by the MODIFY permission.
c. Availability
(Figure: cartoon with the captions "Let me access my data" and "Turn my computer on first".)
Availability of information is very important; it expresses the readiness of services to serve. A system's availability is affected by many components: hardware, software or the backup system. The availability required of a system must be calculated from the number of users and the importance of the data.
8. Basic cryptography
a. Basic concepts of cryptography
A cipher system provides a method of protecting information by encrypting it into a form that can only be read by persons authorized on the system or by a specific user. The use and creation of such systems is called cryptography. Cryptography has been used since very early in human history; before information technology there were many encryption methods in use, for example Bible ciphers and the Caesar cipher, and in the Second World War the German army had mechanical cipher machines to protect letters on the battlefield. Information technology has the following basic cryptographic methods:
- HASH functions
- Symmetric encryption
- Asymmetric encryption
To understand and study cryptography you must understand some concepts:
- Cleartext or Plaintext: data that has not been encrypted
- Ciphertext: data after it has been encrypted
- Encrypt: the process of encryption
- Algorithm: the encryption algorithm used in the encryption process
- Key: the key used by the encryption algorithm in the encryption process
- Decrypt: the process of decryption
b. Hash functions
A hash is a method, or algorithm, used to check the integrity of data, that is, to check whether the data has changed. The two best-known hash algorithms are SHA and MD5.
Data that is transmitted over a network or stored can quite possibly be altered; a receiver who wants to check whether the data is still intact need only compare the hash of the original data with the hash of the data received. Using a hash function for the check, if the two hashes are the same the data is intact and unmodified, and otherwise it is not.
Practice: use MD5 to hash a file.
c. Symmetric encryption
Symmetric Key Cryptography is an encryption system that uses a single key to encrypt and decrypt. This method has the advantage of being easier to use and integrate than asymmetric encryption, and encryption and decryption are faster than with asymmetric encryption. However, because encryption and decryption use the same key, the key is usually set up in advance at both the sender's and the receiver's end (e.g. IPsec), or the shared information is encrypted so that only the holder of the key can open it. Symmetric encryption is usually used to encrypt data, while asymmetric encryption is usually used for authentication and key transport. There are many symmetric algorithms, but the most used today is AES (Advanced Encryption Standard).
d. Asymmetric encryption
Asymmetric Key Cryptography is an encryption system that uses a key pair, a Public key and a Private key, for encryption and decryption. Usually the Public key is used to encrypt and the Private key to decrypt:
(Figure: the encryption and decryption process of asymmetric cryptography.)
Because generating and distributing keys is complex, integrating and using this encryption method is not as easy as with symmetric encryption. Encryption and decryption also consume more resources, so this method is usually used for authenticating users. Nowadays, however, computer systems are very powerful (e.g. Google), so this method can also be used to transmit data. To put this encryption method into practice a system is required to create, distribute, manage and troubleshoot the provision of keys (public and private). That system is called a Public Key Infrastructure (PKI). The RSA algorithm is the most widely used asymmetric encryption algorithm.
Description of the algorithm =>
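The figure describing the RSA algorithm is not part of the text, so the following added example (not from the original document) walks through textbook RSA with two small primes: key-pair generation, public-key encryption with private-key decryption as the asymmetric section describes, and a signature over a SHA-256 hash, which serves the hash section's integrity check and the non-repudiation feature listed under PKI. The primes are far too small for real use and no padding is applied; PKCS #1, mentioned below, specifies the padding that real implementations need.

```python
"""Textbook RSA: keypair, encrypt/decrypt, sign/verify over a SHA-256 hash (added example)."""
import hashlib
import hmac
from math import gcd

# Two small primes (example values only; real keys use primes of 1024 bits and more)
P, Q = 104729, 104723

def modinv(a, m):
    """Modular inverse of a mod m by the extended Euclidean algorithm."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("no inverse: a and m are not coprime")
    return s0 % m

def make_keypair(p=P, q=Q, e=65537):
    """Return (public, private) = ((n, e), (n, d)) with d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, modinv(e, phi))

def encrypt(public, m):
    """c = m^e mod n; anyone holding the public key can do this."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(private, c):
    """m = c^d mod n; only the holder of the private key can do this."""
    n, d = private
    return pow(c, d, n)

def encrypt_bytes(public, data):
    """Encrypt a short byte string (at most 4 bytes for this toy modulus)."""
    return encrypt(public, int.from_bytes(data, "big"))

def decrypt_bytes(private, c, length):
    return decrypt(private, c).to_bytes(length, "big")

def sha256_mod_n(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    """Signature = hash^d mod n: the private key operation over the hash of the data."""
    n, d = private
    return pow(sha256_mod_n(data, n), d, n)

def verify(public, data, signature):
    """Recover the hash with the public key and compare it with a fresh hash of the data."""
    n, e = public
    return pow(signature, e, n) == sha256_mod_n(data, n)

def integrity_ok(original, received):
    """Hash-only integrity check from the hash section: same digest, unmodified data."""
    return hmac.compare_digest(hashlib.sha256(original).digest(), hashlib.sha256(received).digest())

PUB, PRIV = make_keypair()

if __name__ == "__main__":
    c = encrypt_bytes(PUB, b"PIN1")
    print("ciphertext:", c, "->", decrypt_bytes(PRIV, c, 4))
    msg = b"transfer 100 to account 42"
    s = sign(PRIV, msg)
    print("signature valid:", verify(PUB, msg, s), "tampered:", verify(PUB, msg + b"0", s))
```

The signature ties the three ideas together: the hash proves the data is unchanged, the private-key operation proves who produced it, and because only the signer holds d the signer cannot later deny it, which is the non-repudiation that PKI is listed as supporting.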
e. Overview of PKI
For an asymmetric encryption algorithm to operate, a system is needed that generates keys, distributes keys, manages keys and sets policy for keys; that system is called a Public Key Infrastructure, abbreviated PKI. PKI is widely used to provide security for applications and networks, access control, website resources, email protection and much else. PKI protects information by providing the following features:
- Identity authentication: provides identification and authentication
- Integrity verification: checks the integrity of data
- Privacy assurance: ensures privacy
- Access authorization: grants authority to access resources
- Transaction authorization: enforces the granted authority to access resources
- Nonrepudiation support: supports non-repudiation
Next we need to look at the PKI standards; each standard for PKI systems is applied to the following families of applications and systems:
The PKIX Working Group of the IETF develops the Internet standard for PKI based on the X.509 standard for certificates, focusing on:
- X.509 Version 3 Public Key Certificates and X.509 Version 2 Certificate Revocation Lists (CRLs)
- PKI Management Protocols
- Operational Protocols
- Certificate Policies and Certificate Practice Statements (CPSs)
- Time-stamping, data-certification and validation services
Where PKIX was developed from the Internet standard X.509, the Public Key Cryptography Standards (PKCS) are a data-encryption method developed and published by RSA Labs, now part of the RSA company. There are 15 specific PKCS documents, for example:
- PKCS #1, the RSA Cryptography Standard, gives recommendations for implementing public-key cryptosystems based on the RSA algorithm
- PKCS #2 has been merged into PKCS #1
- PKCS #15:
- Below is the information of a Certificate following the X.509 standard:
A PKI system consists of the following components:
- Certificate Authority (CA)
The CA is the important component in the PKI concept. CA providers include VeriSign and Entrust. It is the system that issues Certificates.
- Registration Authority (RA)
The RA provides authentication to the CA and is regarded as a client requesting digital certificates.
- Digital Certificates
A digital certificate is data containing public key cryptography material; most Certificates are based on the structure of the X.509 standard. It includes the fields shown in the figure.
- Certificate Policies
The policy for digital certificates, identifying how they are used. Specific items include: use to protect information with the CA; the method of authenticating with the CA; key management; management of Private Key use; the validity period of the certificate; renewal; whether export of the private key is allowed; the minimum length of the Public Key and Private Key.
- Certificate Practice Statement
The CPS is a document created and published by the CA that provides information specific to how the CA system uses digital certificates. The CPS provides information that the CA uses
In the example above, VeriSign is the CA, Thawte SGC CA is the CSP, and the information is used for Google's accounts service.
- Revocation (revoking keys)
Once digital certificates are in use, they can also be revoked. The revocation of a digital certificate is carried out before it expires. Revocation ensures that a certificate cannot remain in existence beyond the period the CA set when creating it.
- Trust models
The simplest PKI structure has a single CA. One CA in the structure can create and manage digital certificates, but because of its simplicity this model only applies to small organizations: if the CA fails, every system using the service fails with it. To reduce the risk to the PKI system, a structure can be built in which a Root CA is the topmost tier and tiers of subordinate CAs sit below it; the subordinate CAs are managed so that when one fails it can be rebuilt simply. These are the Trust Models.
f. Practice encrypting and decrypting with cryptography tools
9. Basic concepts of network attacks
a. Basic steps of an attack
An attack is usually divided into the basic steps below:
- Step 1: Reconnaissance
The first step of any attack. The attacker tries to gather as much information about the target as possible, mainly through two methods (Active/Passive). Passive: the attacker finds information about the target through information channels. Active: the attacker observes the target and goes to its location or site to find out more. The goal of this step is to pin down the target.
- Step 2: Scan
The second step, carried out once the target has been identified. Scanning aims to identify the target's weak points, so as to draw up a list of every element that could be used to penetrate the system.
- Step 3: Gaining Access
Having found the system's weaknesses, the attacker selects one or more vulnerabilities to attack and take control.
- Step 4: Maintaining Access
After a successful attack, to make later access to the system easier the attacker usually uses a virus, trojan, backdoor or shellcode.
- Step 5: Clearing Tracks
The attacker erases the traces of their access, for example by deleting logs.
b. Some security concepts
- Threat: an action or situation that can affect security. A threat is a risk to the security of the system.
- Vulnerability: a security hole in the system.
- Target of Evaluation: an information technology system that is the target of an attack.
- Attack: attacks on a network can be divided into two forms:
+ Active Attack
+ Passive Attack
Attacks on a system can also be divided into many other types. Obtaining information, altering information or destroying information are the most basic goals of attacks.
- Exploit: the act of exploiting a security vulnerability.
c. Basic attack methods
- Brute Force: an attack method in which the attacker tries simple passwords one after another in order to guess the user's password. This method only works against simple passwords.
- Dictionary: an attack method similar to Brute Force, except that instead of trying passwords one by one, the attacker uses a dictionary of candidate passwords to try.
- Spoofing: an attack in which an individual or a system performs an act of impersonation, for example someone forging the sender address of an email without needing to authenticate.
- DoS: an attack in which a person or a system makes another system inaccessible, or significantly slower, by using up its resources.
- Man-in-the-middle: the attacker by some means places themselves in the middle of the communication stream between two computers.
- Replay: for example, an authentication process completes successfully and the attacker captures it; when they need to log in to the system, the attacker replays the captured traffic to authenticate. That is the Replay attack method.
- Session Hijacking: after the user has completed authentication successfully, the attacker seizes the communication session. This form of attack is Session Hijacking.
d. Targets of the attack types
Attack types are divided according to their target:
o Operating System: the target is the operating system. Today's operating systems are very complex, with many services, ports and access modes. Patching security vulnerabilities grows ever more complex, and sometimes updates are not applied. The attacker exploits the security vulnerabilities of those operating systems.
o Application: the target is applications. Applications are developed by independent software vendors who sometimes care only about meeting the application's business needs and forget to secure it. Many applications have security vulnerabilities that let hackers exploit them.
o Shrink Wrap: programs and applications sometimes leak their source code, and this too is a very large security vulnerability.
o Misconfiguration: wrong settings on a system sometimes open gaps that attackers exploit.
III. INFRASTRUCTURE SECURITY
This part covers the following main topics:
- Solutions and a roadmap for building network infrastructure security
- Designing a secure network model
- Security components in the network infrastructure
- Operating system security
- Building an information security policy
1. Solutions and a roadmap for building network infrastructure security
To build a network system that is secure there must be a sensible roadmap that balances the requirements against the cost that can be paid, and the solutions are chosen on that basis. The most suitable solution must balance these factors:
- Required features
- Price of the solution
- Features
- Performance of the system
Example 1: we cannot build a solution costing millions of dollars to protect an unimportant personal machine.
Example 2: we need to protect a web system; there is no need for Endpoint security features there.
Example 3: we cannot give up 50% of the system's performance to protection programs.
No business or organization can deploy all security solutions at once, so a clear roadmap is required. A roadmap must provide complete coverage and compatibility between the solutions, so that they neither overlap nor conflict. A unit can follow this roadmap to build an IT infrastructure that meets its security needs. Below is the roadmap of steps, and the solutions, for building a highly secure network:
(Figure: roadmap for building a secure network.)
3. Designing a secure network model
For information security solutions to work without overlapping or conflicting, a suitable design model is needed. Below is a model I designed myself, with the zones, the devices used, remote access and HA all present. I have read quite a few Security books but have not yet seen one with a modular model like this; most present simple models that lack practicality.
- Overview analysis: the model is divided into modules:
+ Internet module: Router, Proxy with bandwidth optimization, Firewall
+ DMZ module: IPS protecting the servers published to the Internet
+ Core module: the core Routing and Switching zone of the whole system, where the Access Control Lists for the zones are set
+ Server Farm module: holds the important servers such as database servers and core banking, monitored by an IDS device
+ Management module: a secure network zone into which the management ports of the devices and servers are connected
+ User zone: provides the network for users at the office
+ Branch: connects to the branch networks across the country
- Analysis of the security devices:
+ Core Router and Switch: set Access Control Lists and ensure HA for all connections
+ Proxy at the edge: optimizes input/output bandwidth
+ Firewall: opens and closes ports, publishes servers and terminates VPN connections
+ IPS: device that monitors, detects and blocks network attacks
+ Endpoint Security: endpoint solution for workstations and servers
+ Data Loss Prevention solution: prevents data leakage
+ Network Access Control: manages access to the network
4. Router and Switch
a. Functions of a Router
- Routing: routes packets across the network
- NAT: translates IP addresses from private to public and vice versa
- Access Control List: lets the administrator create Access Control Lists to block ports and IP addresses as required.
b. Functions of a Switch
- Switches packets at Layer 2.
c. Security on a Switch
- VLANs: allow many networks to be created on one Switch, preventing the spread of a virus or of other forms of attack.
- Port Security: binds a fixed set of MAC addresses to a particular port on the Switch, which blocks attacks such as MAC Spoofing and ARP Spoofing.
d. Security on a Router
- The Router is a very important device in the network model: it provides routing and NAT and creates the ACLs that protect the network at the Gateway layer.
Lab: install Packet Tracer 4.0 to test some commands on the Router.
Understanding Access Control Lists
On a Cisco Router, create an Access List (applies to IP addresses only) with the command:
Router(config)# access-list access-list-number {permit|deny} source [source-mask]
Apply the Access List just created:
Router(config-if)# ip access-group access-list-number {in|out}
Create and apply an Extended Access Control List (which can apply to ports as well as IP addresses):
Router(config)# access-list access-list-number {permit|deny} protocol source source-mask destination destination-mask [operator|operand]
Router(config-if)# ip access-group access-list-number {in|out}
By reviewing the Log on the Router we can see what the system blocked and who accessed the Router.
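The standard and extended access-list commands above are interpreted by the router as an ordered list: the first matching entry decides, and a packet that matches no entry is dropped by the implicit deny at the end. Cisco numbers standard lists 1 to 99 and extended lists 100 to 199. The code below is an added example, not from the original document or from Cisco: it parses a constructed configuration (the list numbers, addresses and wildcard masks are sample values) and evaluates packets against it with the same first-match and wildcard-mask semantics, which is a convenient way to check what an ACL will do before applying it with ip access-group.

```python
"""Evaluate Cisco-style access-list entries: first match wins, implicit deny (added example)."""
import ipaddress

# Constructed ACL lines in IOS syntax; numbers and addresses are sample values.
ACL_CONFIG = """\
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny 192.168.0.0 0.0.255.255
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 22
access-list 100 deny ip any any
"""

def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(addr, base, wildcard):
    """A wildcard bit set to 1 means 'don't care'; compare only the 0 bits."""
    care = ~_to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(base) & care)

def _parse_addr(tokens, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]; return (base, wildcard, next)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2

def parse_acls(text):
    """Return {list_number: [entry, ...]} preserving the order the lines were given."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        if number <= 99:                     # standard ACL: only the source is examined
            if t[3] in ("any", "host") or len(t) > 4:
                src_base, src_wc, _ = _parse_addr(t, 3)
            else:
                src_base, src_wc = t[3], "0.0.0.0"   # a bare address means a single host
            entry = {"action": action, "proto": "ip", "src": (src_base, src_wc),
                     "dst": ("0.0.0.0", "255.255.255.255"), "dport": None}
        else:                                # extended ACL: protocol, source, destination, optional port
            proto = t[3]
            src_base, src_wc, i = _parse_addr(t, 4)
            dst_base, dst_wc, i = _parse_addr(t, i)
            dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            entry = {"action": action, "proto": proto, "src": (src_base, src_wc),
                     "dst": (dst_base, dst_wc), "dport": dport}
        acls.setdefault(number, []).append(entry)
    return acls

def evaluate(acls, number, src, dst, proto="ip", dport=None):
    """Walk the list in order and return 'permit' or 'deny' for the described packet."""
    for e in acls.get(number, []):
        if e["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, *e["src"]) or not wildcard_match(dst, *e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"                            # the implicit deny at the end of every ACL

ACLS = parse_acls(ACL_CONFIG)

if __name__ == "__main__":
    print(evaluate(ACLS, 10, "192.168.1.77", "10.0.0.5"))
    print(evaluate(ACLS, 100, "192.168.1.77", "10.0.0.6", "tcp", 22))
```

Two things this makes visible that the CLI does not: the order of the entries matters (swapping the two lines of list 10 would deny the whole 192.168.1.0 subnet), and anything not explicitly permitted falls through to the implicit deny, which is why a list ending in "deny ip any any" behaves the same with or without that line.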
thng block hay nhng ai truy cp vo Router. e. Thit lp bo mt cho
e. Setting up security on the router

Assign an IP address to an interface:

    Router> enable
    Router# configure terminal
    Router(config)# interface Ethernet 0
    Router(config-if)# ip address 192.168.0.35 255.255.255.0

Set a password for console login:

    Router# configure terminal
    Router(config)# line console 0
    Router(config-line)# login
    Router(config-line)# password l3tm3!n
    Router(config-line)# ^Z
    Router#

Set a password for remote login. The original lab used "line vty 0", which covers only the first virtual terminal line; a router has vty lines 0 through 4 by default, so configure the whole range:

    Router# configure terminal
    Router(config)# line vty 0 4
    Router(config-line)# login
    Router(config-line)# password l3tm3!n
    Router(config-line)# ^Z
    Router#

Create users on the router:

    Router# configure terminal
    Router(config)# username Auser password u$3r1
    Router(config)# username Buser password u$3r2
    Router(config)# username Cuser password u$3r3
    Router(config)# username Duser password u$3r4
    Router(config)# ^Z

Caveat: "username ... password" stores the password in cleartext, or only reversibly obfuscated (type 7) when service password-encryption is on. Prefer "username <name> secret <password>", which stores a hash.

Set up SSH login on the router. The host name and domain name must be set before the key is generated, because the key pair is named after them (Router.scp.mil below); access-list 23 restricts the vty lines to the management host 192.168.51.45, and "login local" makes the vty lines authenticate against the local user database:

    Router# configure terminal
    Router(config)# ip domain-name scp.mil
    Router(config)# access-list 23 permit 192.168.51.45
    Router(config)# username SSHUser password No+3ln3+
    Router(config)# line vty 0 4
    Router(config-line)# access-class 23 in
    Router(config-line)# login local
    Router(config-line)# transport input ssh
    Router(config-line)# exit
    Router(config)# crypto key generate rsa
    The name for the keys will be: Router.scp.mil
    Choose the size of the key modulus in the range of 360 to 2048 for your
      General Purpose Keys. Choosing a key modulus greater than 512 may take
      a few minutes.
    How many bits in the modulus [512]: 1024
    Generating RSA keys ... [OK]
    Router(config)# ip ssh timeout 45
    Router(config)# ip ssh authentication-retries 2
    Router(config)# ^Z
    Router# show ip ssh

Two caveats. The original lab set "transport input ssh telnet", which leaves cleartext Telnet logins open beside SSH and defeats the point of the exercise; allow ssh only. A 1024-bit modulus was the lab's choice in 2012; generate at least 2048 bits today and pin the protocol with "ip ssh version 2".

Configuring a static route on a router (syntax: ip route <destination network> <subnet mask> <next-hop address>):

    MarketingRouter# configure terminal
    MarketingRouter(config)# ip route 10.0.10.0 255.255.255.0 20.0.20.1
    MarketingRouter(config)# ^Z
    MarketingRouter#

    FinanceRouter# configure terminal
    FinanceRouter(config)# ip route 30.0.30.0 255.255.255.0 20.0.20.2
    FinanceRouter(config)# ^Z
    FinanceRouter#

Configuring RIP (dynamic routing) on a router:

    LEFT# configure terminal
    LEFT(config)# router rip
    LEFT(config-router)# network 172.16.0.0
    LEFT(config-router)# network 192.168.10.0
    LEFT(config-router)# ^Z
    LEFT#

Caveat: as configured here, RIP accepts routing updates from any neighbour on those networks without authentication, so a host on the segment can inject routes. RIP version 2 supports authenticated updates; use it, or static routes, on any segment you do not fully control.

Protecting the router against ICMP abuse. "no ip directed-broadcast" stops the router from forwarding packets addressed to a subnet's broadcast address (the amplification step of smurf-style attacks); "no ip unreachables" stops the interface from sending ICMP unreachable messages, which attackers use to map which hosts and ports are filtered. Apply both on every interface:

    Router# configure terminal
    Router(config)# interface Ethernet 0
    Router(config-if)# no ip directed-broadcast
    Router(config-if)# no ip unreachables
    Router(config-if)# interface Serial 0
    Router(config-if)# no ip directed-broadcast
    Router(config-if)# no ip unreachables
    Router(config-if)# interface Serial 1
    Router(config-if)# no ip directed-broadcast
    Router(config-if)# no ip unreachables
    Router(config-if)# ^Z

Caveat: suppressing unreachables also suppresses the "fragmentation needed" message, which breaks Path MTU discovery for traffic that must be fragmented at this router; check that before applying it on a link with a small MTU.

Disable IP source routing. Source-routed packets carry their own path in an IP option, which lets an attacker steer traffic around routing-based controls; the router should drop them:

    Router# configure terminal
    Router(config)# no ip source-route
    Router(config)# ^Z
    Router#

Disable the TCP and UDP small servers (echo, chargen, discard, daytime), which are useful for nothing but probing and amplification:

    Router# configure terminal
    Router(config)# no service tcp-small-servers
    Router(config)# no service udp-small-servers
    Router(config)# ^Z
    Router#

Disable finger, which lists logged-in users to anyone who asks. Older IOS releases use the first form, newer ones the second:

    Router# configure terminal
    Router(config)# no service finger
    Router(config)# ^Z
    Router#

    Router# configure terminal
    Router(config)# no ip finger
    Router(config)# ^Z
    Router#

Turn off any other services the router does not need (the HTTPS management server, "ip http secure-server", is separate from the HTTP one and should be disabled too if unused):

    Router# configure terminal
    Router(config)# no ip bootp server
    Router(config)# no ip name-server
    Router(config)# no ntp server
    Router(config)# no snmp-server
    Router(config)# no ip http server
    Router(config)# ^Z

Finally, create the access control lists described above.
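A practitioner applying this checklist wants a way to verify it on a saved configuration rather than by eye. The following is an added example (not code from the original document) that audits an IOS running-config text against the hardening items listed above: the global commands that must be present, the commands that must be absent, the per-interface ICMP settings, and the vty transport. The layout assumptions are that global commands sit at column 0 and that sub-commands of "interface ..." and "line ..." blocks are indented by one space, as IOS prints them; the two configurations inside it are constructed for the example, and the "weak" one reproduces the settings this page's lab started with.

```python
# Added example (not code from the original document): audit an IOS running-config
# text against the hardening items listed on this page. Layout assumptions: global
# commands at column 0, sub-commands of "interface ..." and "line ..." blocks
# indented by one space, blocks separated by "!". Both configs are constructed.
import re

# Each tuple lists acceptable spellings of one setting; one of them must be present.
GLOBAL_REQUIRED = [
    ("no ip source-route",),
    ("no service tcp-small-servers",),
    ("no service udp-small-servers",),
    ("no service finger", "no ip finger"),
    ("no ip bootp server",),
    ("no ip http server",),
]
# Commands that should not appear at all.
GLOBAL_FORBIDDEN = [
    re.compile(r"^ip http server$"),
    re.compile(r"^snmp-server community "),
    re.compile(r"^username \S+ password "),   # cleartext / type 7; 'secret' stores a hash
]
INTERFACE_REQUIRED = ["no ip directed-broadcast", "no ip unreachables"]


def parse_blocks(config_text):
    """Split a config into (global commands, {block header: [sub-commands]})."""
    globals_, blocks, current = [], {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                       # '!' separates blocks in IOS output
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        else:
            current = None
            globals_.append(line)
    return globals_, blocks


def audit(config_text):
    """Return findings as strings; an empty list means every check passed."""
    globals_, blocks = parse_blocks(config_text)
    findings = []
    for alternatives in GLOBAL_REQUIRED:
        if not any(cmd in globals_ for cmd in alternatives):
            findings.append(f"missing global command: {alternatives[0]}")
    for cmd in globals_:
        if any(p.search(cmd) for p in GLOBAL_FORBIDDEN):
            findings.append(f"insecure global command: {cmd}")
    for header, subs in blocks.items():
        if header.startswith("interface "):
            for cmd in INTERFACE_REQUIRED:
                if cmd not in subs:
                    findings.append(f"{header}: missing {cmd}")
        elif header.startswith("line vty"):
            transport = [s for s in subs if s.startswith("transport input")]
            # Only "transport input ssh" passes; "ssh telnet" leaves cleartext logins open.
            if not transport or transport[0].split()[2:] != ["ssh"]:
                findings.append(f"{header}: transport input must be 'ssh' only")
            if "login local" not in subs:
                findings.append(f"{header}: 'login local' not set")
    return findings


WEAK_CONFIG = """\
hostname Router
ip domain-name scp.mil
username Auser password u$3r1
no ip source-route
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip bootp server
no ip http server
snmp-server community public RO
!
interface Ethernet0
 ip address 192.168.0.35 255.255.255.0
 no ip directed-broadcast
 no ip unreachables
!
interface Serial0
 no ip directed-broadcast
!
line vty 0 4
 access-class 23 in
 login local
 transport input ssh telnet
!
"""

HARDENED_CONFIG = """\
hostname Router
ip domain-name scp.mil
username Auser secret u$3r1
no ip source-route
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no ip http server
!
interface Ethernet0
 ip address 192.168.0.35 255.255.255.0
 no ip directed-broadcast
 no ip unreachables
!
line vty 0 4
 access-class 23 in
 login local
 transport input ssh
!
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print(finding)
    print("hardened config findings:", audit(HARDENED_CONFIG))   # []
```

The required-line checks assume the settings are written explicitly, as they are on this page; on IOS releases where a hardened default is simply not printed in the running config, move that item from the required list to a forbidden pattern for its insecure form instead.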
5. Firewalls and Proxies

a. The firewall concept

The term "firewall" comes from a construction technique for containing and limiting the spread of fire. In information technology, a firewall is a mechanism integrated into a network to prevent unauthorized access, protecting internal information resources and limiting unwanted intrusion into the system. A firewall is described as a line of defense surrounding the network, with checkpoints that control all incoming and outgoing traffic; access can be monitored and blocked at these checkpoints. Private networks connected to the Internet are constantly threatened by attackers, and a firewall is the usual means of protecting the data inside. A firewall has a way of letting legitimate users through while stopping illegitimate ones.

A firewall can be a hardware appliance, software running on a secured host, or a combination of both. In every case it must have at least two network interfaces: one facing the network it protects and one facing the outside. The firewall can be the gateway or connection point between two networks, usually a private network and a public one such as the Internet. The first firewalls were simple routers.

b. Functions of a firewall

The main function of a firewall is to control the flow of information between the intranet and the Internet:
- Establish a control mechanism for the data flow between the internal network (intranet) and the Internet.
- Permit or deny services going out.
- Permit or deny services coming in from outside.
- Monitor the network traffic between the Internet and the intranet.
- Control access by address; block addresses.
- Control users and their access.
- Control the content of information moving over the network.

A firewall examines all traffic between two networks to see whether it meets the policy. If it does, the traffic is routed between the networks; otherwise it is dropped. A firewall filters both outbound and inbound traffic. It can also manage outside access to internal network resources, and it can be used to record every attempt to enter the private network and raise an alert quickly when an attacker or unauthorized party intrudes.

A firewall can filter packets based on their source address, destination address and port numbers; this is called address filtering. It can also filter particular kinds of network traffic; this is called protocol filtering, because the decision to forward or reject depends on the protocol in use, for example HTTP, FTP or Telnet. A firewall can also filter traffic by packet attributes and connection state (stateful filtering).

Some firewalls have interesting and advanced features, such as deceiving intruders into believing they have broken into the secure system. Essentially, the firewall detects the attack and takes it over, leading the attacker through a "hall of mirrors". If the attacker believes they are inside part of the system and can go further, their actions can be recorded and tracked. If the intruder can be kept busy for a while, the administrator can trace them: for example, by using the finger command to trace the attacker, or by creating bait files that take a long time to transfer, then tracing the transfer and the attacker's location across the Internet connection. (What is described here is a honeypot; it is a deception control separate from the filtering a firewall itself performs.)

c. How a firewall works

Firewall rules work much like a router's access control lists, but firewall rules can inspect packets more deeply than an ACL. A firewall works closely with TCP/IP, because this protocol suite works by splitting the data received from network applications, or more precisely from the services running over those protocols (Telnet, SMTP, DNS, SNMP, NFS, ...), into data packets, then attaching to each packet addresses that identify it so it can be reassembled at the destination; every kind of firewall is therefore concerned with packets and the address numbers they carry.
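The difference between an ACL and the stateful filtering mentioned above is easiest to see on a packet trace. The following is an added example (not code from the original document): a minimal stateful packet filter whose rules match on direction, protocol and destination port, plus a session table that lets reply packets of a connection opened from inside pass even though no rule permits inbound traffic. The packet trace and the rule set are constructed for the example; the "direction" field on each packet is an assumption standing in for what a real firewall derives from the ingress interface.

```python
# Added example (not code from the original document): a minimal stateful packet
# filter run over a constructed packet trace. Rules match on direction, protocol
# and destination port; the session table is what lets replies to a connection
# opened from inside pass without any inbound rule. Assumption: each packet carries
# a "direction" field ("out" = inside -> Internet, "in" = Internet -> inside).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags as letters: "S" SYN, "SA" SYN/ACK, "A" ACK, "R" RST


# (direction, proto, destination port or None for any, action); first match wins.
RULES = [
    ("out", "tcp", 80, "permit"),
    ("out", "tcp", 443, "permit"),
    ("out", "udp", 53, "permit"),
]


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def _rule_action(self, pkt):
        for direction, proto, dport, action in self.rules:
            if direction == pkt.direction and proto == pkt.proto and dport in (None, pkt.dport):
                return action
        return "deny"            # implicit deny for anything no rule permits

    @staticmethod
    def _key(pkt):
        """Normalise both directions to (inside endpoint, outside endpoint)."""
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt):
        key = self._key(pkt)
        if key in self.sessions:
            if pkt.proto == "tcp" and "R" in pkt.flags:
                self.sessions.discard(key)   # reset tears the session down (FIN handling omitted)
            return "permit (established)"
        if pkt.proto == "tcp" and pkt.flags != "S":
            # A mid-stream segment with no session is spoofed, stale or a scan. A stateless
            # ACL using the "established" keyword would let it through; this filter does not.
            return "deny (no session)"
        action = self._rule_action(pkt)
        if action == "permit":
            self.sessions.add(key)           # remember the flow so its replies are accepted
        return action


TRACE = [  # constructed for the example
    Packet("out", "tcp", "192.168.0.20", 50000, "203.0.113.10", 80, "S"),    # client opens HTTP
    Packet("in",  "tcp", "203.0.113.10", 80, "192.168.0.20", 50000, "SA"),   # server reply
    Packet("in",  "tcp", "198.51.100.7", 40000, "192.168.0.20", 3389, "S"),  # unsolicited RDP
    Packet("in",  "tcp", "198.51.100.7", 40001, "192.168.0.20", 50001, "A"), # ACK scan, no session
    Packet("out", "udp", "192.168.0.20", 51000, "203.0.113.53", 53),         # DNS query
    Packet("in",  "udp", "203.0.113.53", 53, "192.168.0.20", 51000),         # DNS answer
    Packet("in",  "tcp", "203.0.113.10", 80, "192.168.0.20", 50000, "R"),    # server resets HTTP
    Packet("in",  "tcp", "203.0.113.10", 80, "192.168.0.20", 50000, "A"),    # late segment after reset
]


def run(trace, rules=RULES):
    """Return the filter's decision for each packet, in order."""
    fw = StatefulFilter(rules)
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    for pkt, decision in zip(TRACE, run(TRACE)):
        print(f"{pkt.direction:3} {pkt.proto} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport} {pkt.flags:2} {decision}")
```

The fourth packet is the one to study: an inbound ACK with no session is exactly what a stateless ACL with the "established" keyword accepts, because it only checks the flag bits, which is why the page says firewall rules filter deeper than an ACL.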