firewall chapter 3

8/12/2019 Firewall Chapter 3

1/58

Phm Minh Thun Khoa An ton thng tin


2/58

Chng 3

Kin trc tng la

Phm Minh Thun Khoa ATTT 1


3/58

Kin trc tng la

Screening Router1

Dual Homed Host2

Screened Host3

Screened Subnet4


Multiple Screened Subnet5


4/58

Chmt i tng hot ng ng vai tr tng la

u im: Dtrin khai

Qun l tp trung ddng

Nhc im: Khng c sbo vtheo chiu su (Defense in - depth)

Kin trc tng la n l



5/58

KI

N TRC T

NG L

A

N L

ScreeningRouter

Dual-HomedHost


6/58

Sdng cng nghtng la lc gi tin tch hp votrong bnh tuyn (Router)

Thc hin vic nh tuyn hay chn gi tin da vo

chnh sch an ninh

Screening Router



7/58

Screening Router (Cont)


Mng nib

Internet

Bn ngoi Bn trong

Packet FilterRouter


8/58




9/58

u im: Tc xl nhanh

Ddng trin khai

Nhc im: Mc an ninh thp a ra cc chnh sch cu hnh phc tp => Dmc li




10/58

Sdng trong cc trng hp: Hthng mng c bo vbi mt lp bo vbn

trong

Slng giao thc sdng khng nhiu v khng cnkim sot ni dng cc giao thc ny

Cn tc cao, khnng dphng




11/58

KIN TRC TNG LAN L

Dual-HomedHost

ScreeningRouter


12/58

c xy dng da trn mt thit bc t nht 2 giaodin mng

sdng mt dual-homed host nhmt tng lacn loi btnh nng chuyn tip gi tin

Hai my A v B c thtrao !i thng tin thng quad"liu chia s#trn my dual - homed.

Cc hthng bn trong v bn ngoi dual homedkhng thgiao tip trc tip vi nhau.

Dual Homed Host (Cont)



13/58




14/58

Dual homed c thtch mt mng bn trong khimng khng tin cy

Dual homed khng chuyn bt k$mt lu%ng d"liuTCP/IP no => chn hon ton lu%ng d"liu IP gi"amng bn trong v mng khng tin cy bn ngoi




15/58




16/58




17/58

Dual homed khng c khnng routing v conng duy nht gi"a cc phn on mng l thngqua chc nng tng ng dng.

D"liu ng dng i qua tng la cn c phn mmc bit chuyn cc yu cu ng dng gi"a haimng c ni vi nhau (Application forwarder)




18/58




19/58

Sdng trong cc trng hp: D"liu gi ra Internet t v khng quan trng

Khng cung cp dch vcng cng

Hthng mng c bo vkhng cha cc thng tin, hthng nhy cm v quan trng




20/58

Sdng nhiu thnh phn hot ng ng vai trtng la

Nng cao khnng an ninh cho hthng

Bo vhthng c chiu su (defense in depth)

Kin trc tng la kt hp



21/58

KIN TRC TNG LA KT HP

ScreenedHost

ScreenedSubnet


22/58

Phi hp Screening Router (Packet Filter Router)v Bation Host

Trin khai theo hai m hnh: Single-homed bastion

Dual-homed bastion

Screened Host



23/58

Bation Host, thut ng"chung chmt hthng cxc nh bi ngi qun trtng la nhl mtim an ninh cc k$quan trng v rt v"ng chctrong hthng mng

Thng thng trn bation host ci t c!ng ng dnghoc c!ng chuyn mch hoc chai

Dual homed host l mt v din hnh vbationhost

Bation Host



24/58

Bation Host (Cont)



25/58

Bation Host (Cont)



26/58

M hnh Single Homed Bation Host:

G%m mt blc gi tin v mt bastion host

Thc hin bo vmng tng mng v tng ng

dngCu hnh blc

i vi lu%ng thng tin t&Internet, chcc gi tin IP via chch l bastion host mi c php i vo trong

i vi lu%ng thng tin t&bn trong, chcc gi tin IP xutpht t&bastion host mi c php i ra ngoi

Screened Host (Cont)



27/58

Single Homed Bation Host



28/58




29/58




30/58

Bng d'n ng c(a router phi cu hnh sao cho gitin bn ngoi u c chuyn n bastion host.

Bng d'n ng phi c bo v

Nu thng tin trong bng d'n ng bsa !i th gitin khng chuyn n bastion host m gi trc tipvo mng bn trong




31/58

Mng bn trong: 199.245.180.0 Bastion host: 199.245.180.10

Destination = 192.245.180.0

Forward to = 192.245.180.10




32/58




33/58

Kin trc ny an ton h)n kin trc )n l#bi: Kt hp clc gi tin v lc ng dng => mm d#o trong

vic a ra cc chnh sch an ninh

K#tn cng phi i qua hai mng lp an ninh trc khi gy

t!n hi ti hthng bn trongTuy nhin, kin trc ny c nhc im l cho php

k#tn cng tip xc vi mng bn trong khi kim

sot c packet filter router




34/58

Khc phc nhc im c(a kin trc single homedbation host

Ngn cn tip xc vi mng bn trong b*ng kin trcvt l

Cu hnh router t)ng tnhsingle homed bastionhost

Dual Homed Bation Host



35/58

Dual Homed Bation Host



36/58

Cc trng hp nn sdng kin trc screened host: Slng kt ni n t&mng Internet vo bn trong

khng nhiu

Mng bn trong c bo v tt

Screened Host (Cont)



37/58

KIN TRC TNG LA KT HP

ScreenedSubnet

ScreenedHost


38/58

Phn tch nhc im an ninh c(a screened host!

y l m hnh kin trc tng la an ton nht trongcc m hnh kin trc trnh by trn.

To thnh mng con bit lp, mng bn ngoi haymng bn trong u c thtruy cp vo song lu%ngd"liu i qua DMZ s+bchn

Screened Subnet



39/58

Screened Subnet (Cont)


Internal

Screen

ed

subnet

(DMZ

)

Isolated Network

Network traffic cannot

flow accross

External


40/58




41/58

To thnh 3 lp an ninh

Bn ngoi chnhn thy DMZ, khng nhn thy mngbn trong (che du)

Bn trong chnhn thy DMZ, khng kt ni trc tipra bn ngoi




42/58

Mng vnh ai (perimeter network) Mng vnh ai l mt lp an ninh, c thm vo gi"a

mng bn ngoi v mng bn trong cn bo v

Trong mt mng, mt my bt k$c ththy lu%ng d"liu

trao !i trong mng K#tn cng chim c bastion host, lu%ng d"liu trao!i gi"a my bn trong v'n an ton




43/58

Router pha trong (Interior router)

Bo vmng bn trong khi mng Internet v mng vnh ai

Thc hin chc nng lc gi: cho php chn dch vt&bntrong ra Internet

Router bn ngoi (Exterior router) Bo vcmng bn trong l'n mng vnh ai

Trn thc t, router bn ngoi cho php hu ht cc kt ni rabn ngoi t&mng vnh ai v hu nhthc hin rt t vic lcgi tin.

Chng vic thay !i a chngu%n trong gi tin i ra bn ngoi




44/58




45/58

SplitScreened Subnet

MultipleScreened Subnet

IndependentScreened Subnet


46/58

V'n sdng hai router (router bn trong v routerbn ngoi)

Cc mng (multiple network) c t gi"a hai routerny

Cung cp nhiu lp bo v

Split Screened Subnet



47/58

Split Screened Subnet (Cont)



48/58

Split Screened Subnet (Cont)



49/58

Sdng nhiu mng vnh ai tch ring cc dchvbn trong ra khi cc dch vbn ngoi

m bo tnh cht dphng v tng hiu nng mng

Independent Screened Subnet



50/58

Independent Screened Subnet(Cont)



51/58

Sdng nhiu Bastion host

Kt hp Router trong vi Router ngoi

Kt hp Bastion host vi Router ngoi

Sdng nhiu Router ngoi

Cc phng php kt hp



52/58

Kt hp Bastion v Router trong

Sdng nhiu Router trong

Sdng %ng thi cScreened Subnet v Screenedhost

Khng nn sdng



53/58

Sdng nhiu Bastion host


Kt h R t t i R t


54/58

Kt hp Router trong vi Routerngoi


Kt h B ti h t i R t


55/58

Kt hp Bastion host vi Routerngoi



56/58

Kt hp Bastion v Router trong



57/58

Sdng nhiu Router trong



58/58

firewall chapter 3

Documents