Understanding firewalls
TRANSCRIPT
8/14/2019 Tim hieu ve tuong lua FIREWALL
Contents
1. Information security on the network
1.1 Why an Internet Firewall is needed
1.2 What do you want to protect?
1.2.1 Your data
1.2.2 Your resources
1.2.3 Your reputation
1.3 What do you want to protect against?
1.3.1 Types of attack
1.3.2 Classifying attackers
1.4 So what is an Internet Firewall?
1.4.1 Definition
1.4.2 Functions
1.4.3 Structure
1.4.4 Firewall components and how they work
1.4.5 Limitations of firewalls
1.4.6 Firewall examples
2. Internet services
2.1 World Wide Web - WWW
2.2 Electronic Mail (Email)
2.3 Ftp (file transfer protocol, the file transfer service)
2.4 Telnet and rlogin
2.5 Archie
2.6 Finger
3. The firewall system built by CSE
3.1 Overview
3.2 Components of the proxy program suite
3.2.1 Smap: SMTP service
3.2.2 Netacl: network access control tool
3.2.3 Ftp-Gw: Proxy server for Ftp
3.2.4 Telnet-Gw: Proxy server for Telnet
3.2.5 Rlogin-Gw: Proxy server for rlogin
3.2.6 Sql-Gw: Proxy Server for Oracle Sql-net
3.2.7 Plug-Gw: TCP Plug-Board Connection server
3.3 Installation
3.4 Configuration
3.4.1 Initial network configuration
3.4.2 Configuring the Bastion Host
3.4.3 Setting up the rule set
3.4.4 Authentication and the authentication service
3.4.5 Using the CSE Proxy control screen
3.4.6 Issues to consider with users
1. Information security on the network
1.1 Why an Internet Firewall is needed
Today the concept of the global network, the Internet, is no longer new. It has become so widespread that technical journals no longer need to explain it, while other magazines are flooded with articles, long and short, about the Internet. While the general press concentrates on the Internet itself, the technical journals concentrate on another aspect: information security. This is a logical progression: once the initial excitement about the information superhighway has passed, you inevitably notice that the Internet not only lets you reach many places around the world, it also lets many uninvited people drop in on your computer.
Indeed, the Internet offers excellent techniques that let everyone access, exploit and share information. But it is also the main risk that your information is damaged or destroyed completely.
According to figures from CERT (Computer Emergency Response Team), the number of attacks on the Internet reported to that organisation was fewer than 200 in 1989, about 400 in 1991, 1400 in 1993, and 2241 in 1994. These attacks targeted every kind of computer present on the Internet: the computers of all the large companies such as AT&T and IBM, universities, government agencies, military organisations, banks... Some attacks were of enormous scale (up to 100,000 computers attacked). Moreover, these figures are only the tip of the iceberg. A very large share of attacks are never reported, for many reasons, among them the fear of losing reputation, or simply that the system administrators had no idea that attacks had been aimed at their systems.
Not only is the number of attacks growing rapidly, the attack methods are also continually being refined. That is partly because the administrators of systems connected to the Internet are increasingly vigilant. Also according to CERT, attacks in the 1988-1989 period mainly guessed user name and password pairs (UserID-password) or used bugs in programs and operating systems (security holes) to defeat the protection system, whereas more recent attacks also include operations such as IP address spoofing, monitoring information transmitted over the network, and hijacking remote sessions (telnet or rlogin).
1.2 What do you want to protect?
The basic task of a firewall is protection. If you want to build a firewall, the first thing you need to consider is what you need to protect.
1.2.1 Your data
Information stored on computer systems needs protecting because of the following requirements:
Confidentiality: information of economic, military, policy or other value must be kept secret.
Integrity: information must not be lost, altered or substituted.
Availability: information must be accessible at the moment it is needed.
Of these requirements, confidentiality is usually treated as requirement number one for information stored on a network. However, even when the information is not kept secret, the integrity requirement is still very important. No individual or organisation wastes material resources and time storing information without knowing whether that information is correct.
1.2.2 Your resources
In practice, in attacks on the Internet, once the attacker has taken control of the internal systems he can use those machines for his own purposes, such as running programs that guess users' passwords, or using the existing network links to go on attacking other systems, and so on.
1.2.3 Your reputation
As noted above, a large share of attacks are not widely reported, and one of the reasons is the fear of damage to the organisation's reputation, especially for large companies and important government bodies. When the system administrator only learns of an intrusion after his own system has been used as a springboard to attack other systems, the loss of reputation is very large and can have lasting consequences.
1.3 What do you want to protect against?
Then there is what you need to worry about. Which kinds of attack on the Internet will you have to face, and who will carry them out?
1.3.1 Types of attack
There are very many kinds of attack on a system, and many ways of classifying them. Here we divide them into three main kinds, as follows:
1.3.1.1 Direct attacks
Direct attacks are normally used in the first phase, to gain access to the inside. A classic attack method is guessing the user name and password pair. This is a simple method, easy to carry out, and it requires no special precondition to begin. The attacker can use information such as the user's name, date of birth, address, house number and so on to guess the password. When a list of users and information about the working environment is available, this password guessing is automated by a program. One program that can easily be obtained from the Internet to break the encrypted passwords of Unix systems is called crack; it can try combinations of words from a large dictionary according to rules the user defines. In some cases the success rate of this method can reach 30%.
The method of using bugs in application programs and in the operating system itself has been used since the very first attacks and is still used to gain access. In some cases this method gives the attacker the privileges of the system administrator (root or administrator).
Two examples frequently given to illustrate this method are the sendmail program and the rlogin program of the UNIX operating system.
Sendmail is a complex program whose source code consists of thousands of lines of C. Sendmail runs with the privileges of the system administrator, because the program must be able to write into the mailboxes of the machine's users. And Sendmail accepts mail requests directly from the outside network. These are precisely the factors that make sendmail a source of security holes for gaining access to the system.
Rlogin lets a user on one machine on the network log in remotely to another machine to use that machine's resources. While receiving the user's name and password, rlogin does not check the length of the input line, so an attacker can supply a precomputed string that overwrites rlogin's program code and thereby gain access.
1.3.1.2 Eavesdropping
Eavesdropping on network traffic can yield useful information such as users' names and passwords and confidential information sent over the network. Eavesdropping is usually carried out right after the attacker has gained access to a system, using programs that put the network interface card (NIC) into a mode that receives all traffic passing over the network. Such programs can also easily be obtained on the Internet.
1.3.1.3 Address spoofing
IP address spoofing can be carried out by using source routing. In this attack the attacker sends IP packets to the internal network with a forged source IP address (usually the address of a network or a host that the internal network regards as trusted), while also specifying the route the IP packets must take.
1.3.1.4 Disabling system functions (denial of service)
This kind of attack aims to paralyse a system so that it cannot perform the function it was designed for. It cannot be prevented, because the means used to mount the attack are the very same means used to work and access information on the network. For example, issuing ping at the highest possible rate forces a system to spend all its processing power and network capacity answering those requests, leaving no resources to do other useful work.
1.3.1.5 System administrator errors
This is not a kind of attack by intruders, but the system administrator's mistakes often create holes that an attacker can use to get into the internal network.
1.3.1.6 Attacks on the human factor
An attacker can contact a system administrator, pretending to be a user, and ask for a password change, a change to his access rights on the system, or even a change to some system configuration in order to carry out other attack methods. No device can effectively prevent this kind of attack; the only way is to educate the users of the internal network about security requirements so that they stay alert to suspicious events. In general the human factor is a weak point in any protection system, and only education combined with a cooperative attitude on the users' part can raise the security of the protection system.
1.3.2 Classifying attackers
There are very many attackers on the global Internet and we cannot classify them precisely; any classification of this kind should be seen as an introduction rather than a rigid view.
1.3.2.1 Passers-by
Passers-by are people bored with their daily work who are looking for new amusements. They break into your computer because they think you might have interesting data, or because they enjoy using other people's computers, or simply because they have nothing better to do. They may be curious without intending to harm you. However, they often damage the system while breaking in or while erasing their traces.
1.3.2.2 Vandals
Vandals deliberately damage your system; they may dislike you, or they may not know you at all but take pleasure in destruction.
Vandals are in fact quite rare on the Internet. Nobody likes them. Many people even enjoy hunting them down and stopping them. Few as they are, vandals usually cause serious damage to your system, such as deleting all your data or ruining the devices on your computer...
1.3.2.3 Score-keepers
Many passers-by are drawn into breaking in and vandalism. They want to prove themselves through the number and the kinds of systems they have broken into. Getting into famous places, tightly guarded places, or ingeniously designed places is worth many points to them. They will nonetheless attack every place they can, for quantity as well as for quality. These people are not interested in the information you hold or in the other properties of your resources. However, to achieve the goal of breaking in, they will damage your system, whether by accident or on purpose.
1.3.2.4 Spies
Today a great deal of important information is stored on computers, such as military and economic information... Computer espionage is a complex problem and hard to detect. In practice most organisations cannot defend against this kind of attack effectively, and you can be sure that the Internet link is not the easiest route for a spy to gather information.
1.4 So what is an Internet Firewall?
1.4.1 Definition
The term Firewall comes from a building design technique for stopping or limiting the spread of fire. In information networking, a Firewall is a technique integrated into the network to prevent unauthorised access, in order to protect internal information sources and to limit the intrusion of other, unwanted information into the system. A Firewall can also be understood as a mechanism for protecting a trusted network from untrusted networks.
An Internet Firewall is a device (hardware plus software) between the network of an organisation, a company or a country (the Intranet) and the Internet. Its role is to secure the Intranet's information from the outside Internet world.
1.4.2 Functions
An Internet Firewall (hereafter called simply the firewall) is a component placed between the Intranet and the Internet to control all traffic and access between them, including:
The firewall decides which internal services may be accessed from outside, which outside people may access the internal services, and also which outside services may be accessed by people inside.
For the firewall to work effectively, all exchange of information from inside to outside and back must pass through the firewall.
Only exchanges permitted by the security policy of the internal network may pass through the firewall.
The functional diagram of a firewall system is shown in figure 2.1.
[Figure: Intranet -- firewall -- Internet]
Figure 2.1 Functional diagram of a firewall system
1.4.3 Structure
A firewall comprises:
One or more host systems connected to routers, or themselves acting as routers.
Security management software running on the host systems. Usually these are authentication, authorisation and accounting systems.
We will discuss the operation of these systems in more detail later.
1.4.4 Firewall components and how they work
A standard firewall consists of one or more of the following components:
Packet filter (packet-filtering router)
Application gateway (application-level gateway or proxy server)
Circuit gateway (circuit-level gateway)
1.4.4.1 Packet filter (packet-filtering router)
1.4.4.1.1 Principle:
When we speak of data travelling between networks through a firewall, it means that the firewall works closely with the TCP/IP internetworking protocol. This protocol splits the data received from network applications, or more precisely from the services running over the protocols (Telnet, SMTP, DNS, SNMP, NFS...), into data packets, then gives those packets addresses so that they can be identified and reassembled at the destination; the various kinds of firewall therefore have a great deal to do with packets and their address numbers.
A packet filter accepts or rejects each packet it receives. It examines the packet to decide whether it satisfies one of the packet-filtering rules. These rules are based on the information in each packet's header, which is used to forward the packet over the network, namely:
IP source address
IP destination address
Transport protocol (TCP, UDP, ICMP, IP tunnel)
TCP/UDP source port
TCP/UDP destination port
ICMP message type
Incoming interface of the packet
Outgoing interface of the packet
If a filtering rule is satisfied, the packet is passed through the firewall. If not, the packet is dropped. In this way the firewall can block connections to specified hosts or networks, or block access to the internal network from disallowed addresses. Furthermore, control over ports lets the firewall permit only certain kinds of connection to certain kinds of host, or allow only certain services (Telnet, SMTP, FTP...) to run on the local network.
1.4.4.1.2 Advantages
Most firewall systems use packet filters. One advantage of the packet filter approach is its low cost, since packet filtering is already included in every router's software.
In addition, a packet filter is transparent to users and applications, so it requires no special training.
1.4.4.1.3 Limitations:
Defining packet-filtering policies is fairly complex; it requires the network administrator to have detailed knowledge of the Internet services, the packet header formats, and the specific values each field can take. As the filtering requirements grow, the filtering rules become longer and more complex and very hard to manage and control.
Because it works on packet headers, a packet filter obviously cannot control the content of a packet. Packets passing through can still carry the actions of a malicious party intent on stealing information or causing damage.
1.4.4.2 Application gateway (application-level gateway)
1.4.4.2.1 Principle
This is a kind of firewall designed to strengthen control over the kinds of service and protocol allowed into the network. Its operation is based on what is called a proxy service.
Proxy services are special programs installed on the gateway for each application. If the network administrator does not install a proxy program for some application, the corresponding service is not provided and therefore cannot pass information through the firewall. In addition, the proxy code can be configured to support only the features of the application that the network administrator considers acceptable while refusing the others. An application gateway is often regarded as a fortress (bastion host), because it is specially designed to resist attack from outside. The security measures of a bastion host are:
The bastion host always runs secure versions of the system software (operating system). These secure versions are designed specifically to resist attacks on the operating system and to guarantee the integration of the firewall.
Only the services the network administrator considers necessary are installed on the bastion host, simply because a service that is not installed cannot be attacked. Usually only a limited set of applications for the Telnet, DNS, FTP and SMTP services and user authentication are installed on the bastion host.
The bastion host can require different levels of authentication, for example a user password or a smart card.
Each proxy is configured to allow access to only a certain set of hosts. This means that the command set and features established for each proxy apply only to a certain number of hosts in the whole system.
Each proxy keeps a log recording every detail of the traffic through it: each connection and its duration. This log is very useful for tracing or stopping a vandal.
Each proxy is independent of the other proxies on the bastion host. This makes it easy to install a new proxy or remove one that has a problem.
Example: Telnet proxy
Suppose a person (call him the outside client) wants to use the TELNET service to connect into the network through a bastion host with a Telnet proxy. The process is as follows:
1. The outside client telnets to the bastion host. The bastion host checks the password and, if it is valid, the outside client is admitted to the Telnet proxy's interface. The Telnet proxy allows a small subset of Telnet commands, and decides which internal hosts the outside client is permitted to access.
2. The outside client names the destination host, and the Telnet proxy creates its own connection to the inside host and forwards the commands to that host on behalf of the outside client. The outside client believes the Telnet proxy is the real inside host, while the inside host believes the Telnet proxy is the real client.
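The two-step process above, modelled as an added example that is not part of the original document or of the CSE proxy suite. The user store (a salted SHA-256 hash constructed for the demo), the inside host names, the echoing inside host and the clock are all assumptions; a real Telnet proxy would speak the Telnet protocol over sockets, which this model replaces with lists of lines so that the authentication step, the host restriction, the relay and the connection log can be exercised offline.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed credential store for the demo: user -> (salt, SHA-256 of salt+password).
def pw_hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

USERS: Dict[str, Tuple[str, str]] = {"alice": ("s4lt", pw_hash("correct-horse", "s4lt"))}

# Hypothetical inside hosts this proxy is configured to reach; anything else is refused.
INSIDE_HOSTS = {"mailhost.internal.example", "db.internal.example"}


@dataclass
class LogEntry:
    client: str            # outside client address
    user: str
    target: Optional[str]  # inside host, if a connection was made
    outcome: str           # "auth-failed", "denied" or "closed"
    seconds: int = 0       # duration of the session


class TelnetProxy:
    """Two-step Telnet proxy: authenticate on the bastion, then connect on the client's behalf.
    The proxy interface understands only "connect <host>" and "quit", not the full Telnet dialogue."""

    def __init__(self, users, inside_hosts, open_inside, clock):
        self.users = users
        self.inside_hosts = inside_hosts
        self.open_inside = open_inside  # opens the proxy's OWN connection to an inside host
        self.clock = clock              # returns seconds, used for the connection log
        self.log: List[LogEntry] = []

    def authenticate(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(pw_hash(password, salt), digest)

    def session(self, client: str, user: str, password: str, lines: List[str]) -> List[str]:
        """Run one outside-client session and return the replies the client would see."""
        # Step 1: password check on the bastion host before anything else is allowed.
        if not self.authenticate(user, password):
            self.log.append(LogEntry(client, user, None, "auth-failed"))
            return ["login refused"]
        replies: List[str] = []
        inside: Optional[Callable[[str], str]] = None
        target: Optional[str] = None
        started = self.clock()
        for line in lines:
            cmd, _, arg = line.strip().partition(" ")
            if cmd == "quit":
                break
            if inside is not None:
                # Step 2: relay to the inside host, which sees the proxy as its client.
                replies.append(inside(line.strip()))
            elif cmd == "connect":
                if arg not in self.inside_hosts:
                    replies.append(f"refused: {arg} is not a permitted inside host")
                    self.log.append(LogEntry(client, user, arg, "denied"))
                else:
                    inside = self.open_inside(arg)
                    target = arg
                    replies.append(f"connected to {arg} via proxy")
            else:
                replies.append(f"unknown command: {cmd}")
        self.log.append(LogEntry(client, user, target, "closed", int(self.clock() - started)))
        return replies


# Constructed stand-ins for the demo: an inside host that echoes what it receives,
# and a clock that advances 10 seconds per read so durations are deterministic.
def fake_inside(host: str) -> Callable[[str], str]:
    return lambda line: f"{host} ran: {line}"


class FakeClock:
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        self.t += 10.0
        return self.t


def demo():
    proxy = TelnetProxy(USERS, INSIDE_HOSTS, fake_inside, FakeClock())
    good = proxy.session("198.51.100.7", "alice", "correct-horse",
                         ["connect db.internal.example", "ls /export", "quit"])
    bad_host = proxy.session("198.51.100.7", "alice", "correct-horse",
                             ["connect fileserver.internal.example", "quit"])
    bad_pw = proxy.session("198.51.100.9", "alice", "wrong", ["connect db.internal.example"])
    return good, bad_host, bad_pw, proxy.log
```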
1.4.4.2.2 Advantages:
The network administrator has complete control over each service on the network, because the proxy application restricts the command set and decides which hosts the services may reach.
The network administrator has complete control over which services are allowed, because the absence of a proxy for a service means that service is blocked.
The application gateway allows very good authentication checks, and it keeps a log of system access.
Filtering rules for an application gateway are easier to configure and test than those of a packet filter.
1.4.4.2.3 Limitations:
Users must modify their behaviour, or modify the software installed on the client machine, to access proxy services. For example, Telnet access through an application gateway requires two steps to reach the destination host instead of one. However, some client software already makes the application gateway transparent, by letting the user name the destination host rather than the application gateway on the Telnet command.
1.4.4.3 Circuit gateway (circuit-level gateway)
A circuit gateway is a special function that can be performed by an application gateway. A circuit gateway simply relays TCP connections without performing any processing or packet filtering.
Figure 2.2 illustrates a telnet connection made through a circuit gateway. The circuit gateway simply relays the telnet connection through the firewall without checking, filtering or controlling the Telnet protocol in any way. The circuit gateway acts like a wire, copying bytes between the inside connection and the outside connection. However, because the connection appears to come from the firewall system, it hides information about the internal network.
Circuit gateways are usually used for outgoing connections, where the network administrators genuinely trust the inside users. The biggest advantage is that a bastion host can be configured as a hybrid, providing an application gateway for incoming connections and a circuit gateway for outgoing ones. This makes the firewall system easy to use for people on the internal network who want direct access to Internet services, while still providing the firewall function that protects the internal network from outside attacks.
[Figure: outside host -- "out" and "in" connections relayed by the circuit-level gateway -- inside host]
Figure 2.2 Circuit gateway
1.4.5 Limitations of firewalls
A firewall is not as intelligent as a person: it cannot read and understand each kind of information and judge whether its content is good or bad. A firewall can only block intrusion by unwanted information sources, and it must be given their address parameters explicitly.
A firewall cannot stop an attack that does not "pass through" it. Concretely, a firewall cannot defend against an attack over a dial-up line, or against information leaking through data being copied illegally onto a floppy disk.
A firewall also cannot defend against data-driven attacks, where a program is carried by electronic mail through the firewall into the protected network and starts running there.
One example is computer viruses. A firewall cannot scan the data passing through it for viruses, because of the speed it must work at, the continual appearance of new viruses, and the many ways data can be encoded to escape the firewall's control.
1.4.6 Firewall examples
1.4.6.1 Packet-filtering router
The most common Internet firewall system consists of just a packet-filtering router placed between the internal network and the Internet (figure 2.3). A packet-filtering router has two functions: forwarding traffic between the two networks, and using packet-filtering rules to permit or deny that traffic. Basically, the filtering rules are defined so that hosts on the internal network may access the Internet directly, while hosts on the Internet have only limited access to the computers on the internal network. The philosophy of this firewall architecture is that anything not explicitly permitted is denied.
[Figure: The Internet (outside) -- packet-filtering router -- internal network (inside)]
Figure 2.3 Packet-filtering router
Advantages:
Low cost (because the configuration is simple)
Transparent to users
Limitations:
It has all the limitations of a packet-filtering router, such as being vulnerable to attacks on imperfectly configured filters, or to attacks hidden under permitted services.
Because packets are exchanged directly between the two networks through the router, the exposure to attack is determined by the number of permitted hosts and services. Consequently every host allowed direct access to the Internet needs a sophisticated authentication system and must be checked regularly by the network administrator for signs of attack.
If the packet-filtering router stops working because of some fault, every system on the internal network can be attacked.
1.4.6.2 Screened host firewall
This system consists of a packet-filtering router and a bastion host (figure 2.4). It provides more security than the previous system, because it implements security at both the network layer (packet filtering) and the application layer. An attacker must break through both layers to attack the internal network.
[Figure: The Internet (outside) -- packet-filtering router -- internal network (inside) with the information server, the bastion host and the internal hosts]
Figure 2.4 Screened host firewall (single-homed bastion host)
In this system the bastion host is configured on the internal network. The filtering rules on the packet-filtering router are defined so that all outside systems can reach only the bastion host; traffic to every other inside system is blocked. Because the inside systems and the bastion host are on the same network, the organisation's security policy decides whether the inside systems may access the Internet directly or must use the proxy services on the bastion host. Inside users are forced to use the proxies by configuring the router's filter to accept only internal traffic that originates from the bastion host.
Advantages:
A server providing public information through the Web and FTP services can be placed behind the packet-filtering router alongside the bastion host. Where the highest security is required, the bastion host can run proxy services that require all users, inside and outside, to go through the bastion host before reaching that server. Where high security is not required, the inside machines can connect to the server directly.
If still higher security is needed, a firewall with a dual-homed bastion host can be used (figure 2.5). Such a bastion host has two network interfaces, but direct forwarding between those two interfaces is disabled, so traffic can only pass through the proxy services.
[Figure: The Internet (outside) -- packet-filtering router -- dual-homed bastion host -- internal network (inside) with the information server and the internal hosts]
Figure 2.5 Screened host firewall (dual-homed bastion host)
Because the bastion host is the only inside system reachable from the Internet, attacks are limited to the bastion host alone. However, if a user gains access to the bastion host, he can easily reach the whole internal network. Users must therefore be prevented from logging in to the bastion host.
1.4.6.3 Demilitarized Zone (DMZ) or screened-subnet firewall
This system consists of two packet-filtering routers and a bastion host (figure 2.6). It is the most secure firewall system, because it provides both levels of security, network and application, while defining a demilitarized zone. The DMZ network acts as a small isolated network placed between the Internet and the internal network. Basically, a DMZ is configured so that systems on the Internet and on the internal network can reach only a limited set of systems on the DMZ network, and direct transmission across the DMZ network is impossible.
For incoming traffic, the outer router resists standard attacks (such as IP address spoofing) and controls access to the DMZ. It allows outside systems to reach only the bastion host, and possibly the information server. The inner router provides a second layer of protection by allowing the DMZ to reach the internal network only for traffic that originates from the bastion host.
For outgoing traffic, the inner router controls the internal network's access to the DMZ. It allows inside systems to reach only the bastion host, and possibly the information server. The filtering rules on the outer router enforce the use of the proxy services by permitting only outgoing traffic that originates from the bastion host.
Advantages:
An attacker must break through three layers of protection: the outer router, the bastion host and the inner router.
Because the outer router advertises only the DMZ network to the Internet, the internal network is invisible. Only a few selected systems on the DMZ are known to the Internet through routing tables and DNS information exchange (Domain Name Server).
Because the inner router advertises only the DMZ network to the internal network, systems on the internal network cannot reach the Internet directly. This guarantees that inside users are forced to access the Internet through the proxy services.
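The header-based packet filtering of section 1.4.4.1 and the outer/inner router policies of the screened-subnet design just described, as one added example that is not part of the original document or of the CSE IP Filtering component: a first-match filter over the listed header fields with a default deny, plus constructed rule sets for the two routers. The address ranges, interface names ("ext", "dmz", "int"), host roles and ports are assumptions made for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

PortSpec = Union[None, int, Tuple[int, int]]   # None = any, int = exact, (lo, hi) = range

@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter examines; the payload is never inspected."""
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    in_if: str                     # interface the packet arrived on
    out_if: str                    # interface it would leave by
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: Optional[str] = None      # CIDR, or None for any
    dst: Optional[str] = None
    proto: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    sport: PortSpec = None
    dport: PortSpec = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (_net_ok(self.src, p.src) and _net_ok(self.dst, p.dst)
                and _eq_ok(self.proto, p.proto) and _eq_ok(self.in_if, p.in_if)
                and _eq_ok(self.out_if, p.out_if) and _port_ok(self.sport, p.sport)
                and _port_ok(self.dport, p.dport) and _eq_ok(self.icmp_type, p.icmp_type))

def _net_ok(spec: Optional[str], addr: str) -> bool:
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def _eq_ok(spec, value) -> bool:
    return spec is None or spec == value

def _port_ok(spec: PortSpec, port: Optional[int]) -> bool:
    if spec is None:
        return True
    if isinstance(spec, tuple):
        return port is not None and spec[0] <= port <= spec[1]
    return spec == port

def decide(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything not explicitly permitted is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed screened-subnet layout (documentation address ranges, assumed names).
INTERNAL = "10.0.0.0/8"
DMZ = "192.0.2.0/24"
BASTION = "192.0.2.10/32"
INFO_SERVER = "192.0.2.20/32"

# Outer router (interfaces "ext" and "dmz"): drop spoofed sources, expose only the bastion
# and the information server, and let outbound traffic originate only from the bastion.
# Reply traffic is omitted here; a stateless filter needs further rules for it.
OUTER_RULES = [
    Rule("deny", src=INTERNAL, in_if="ext"),
    Rule("deny", src=DMZ, in_if="ext"),
    Rule("permit", dst=BASTION, proto="tcp", in_if="ext", dport=25),
    Rule("permit", dst=BASTION, proto="tcp", in_if="ext", dport=23),
    Rule("permit", dst=INFO_SERVER, proto="tcp", in_if="ext", dport=80),
    Rule("permit", src=BASTION, in_if="dmz", out_if="ext"),
]

# Inner router (interfaces "dmz" and "int"): inside hosts reach only the bastion and the
# information server; only bastion-originated traffic may enter the internal network.
INNER_RULES = [
    Rule("permit", src=INTERNAL, dst=BASTION, proto="tcp", in_if="int"),
    Rule("permit", src=INTERNAL, dst=INFO_SERVER, proto="tcp", in_if="int", dport=80),
    Rule("permit", src=BASTION, dst=INTERNAL, in_if="dmz"),
]

def demo() -> Dict[str, str]:
    """Decisions for constructed packets, each evaluated on the router it would reach."""
    net = "198.51.100.7"   # an arbitrary Internet host
    return {
        "internet mail to bastion": decide(OUTER_RULES, Packet(net, "192.0.2.10", "tcp", "ext", "dmz", 40000, 25)),
        "internet to internal host": decide(OUTER_RULES, Packet(net, "10.0.0.5", "tcp", "ext", "dmz", 40000, 23)),
        "spoofed internal source": decide(OUTER_RULES, Packet("10.0.0.9", "192.0.2.10", "tcp", "ext", "dmz", 40000, 25)),
        "bastion proxy outbound": decide(OUTER_RULES, Packet("192.0.2.10", net, "tcp", "dmz", "ext", 40001, 80)),
        "internal direct to internet": decide(INNER_RULES, Packet("10.0.0.5", net, "tcp", "int", "dmz", 40002, 80)),
        "internal to bastion telnet": decide(INNER_RULES, Packet("10.0.0.5", "192.0.2.10", "tcp", "int", "dmz", 40003, 23)),
        "info server into internal": decide(INNER_RULES, Packet("192.0.2.20", "10.0.0.5", "tcp", "dmz", "int", 40004, 25)),
        "bastion mail into internal": decide(INNER_RULES, Packet("192.0.2.10", "10.0.0.5", "tcp", "dmz", "int", 40005, 25)),
    }
```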
[Figure: The Internet (outside) -- outside router -- DMZ with the bastion host and the information server -- inside router -- internal network (inside) with the internal hosts]
Figure 2.6 Screened-subnet firewall
2. Internet services
As explained above, in general you must decide what you are protecting when you set up a link to an outside network or the Internet: data, resources, reputation. When building a firewall you must attend to more specific questions: which services that you use or provide to the outside network (or the Internet) must you protect?
The Internet provides a set of services that let users connected to the Internet access and use the information on it. This set of services has been, and is still being, extended as the Internet grows without pause. The services include the World Wide Web (WWW or the Web), Email (electronic mail), Ftp (file transfer protocol, the file transfer service), telnet (an application for accessing a remote computer), Archie (a system for locating information about files and directories), finger (a system for identifying users on the Internet), rlogin (remote login) and a number of others.
2.1 World Wide Web - WWW
The WWW is the most recently created Internet service, but the fastest growing today. The Web offers an extremely user-friendly interface that is easy to use and makes finding information extremely convenient and simple. The Web links information using hyperlink technology, which lets Web pages link to one another directly by their addresses. Through the Web, users can:
Publish their own news and read news from all over the world
Advertise themselves, their company or organisation, and also view advertisements from around the world, from job hunting and staff recruitment to new technology and products, finding friends, and so on
Exchange information with friends, social organisations, research centres, schools, and so on
Use money transfer services or buy and sell goods
Access the databases of organisations and companies (where permitted)
And many other activities.
2.2 Electronic Mail (Email)
Email is the most widely used Internet service today. Most messages are simple text, but users can attach files containing images such as diagrams and photographs. The email system on the Internet is the largest electronic mail system in the world, and it is often used together with other mail transfer systems.
Sending electronic mail over the Web is more restricted than the mail transfer systems of the Internet, because the Web is a public exchange medium whereas mail is something private. For that reason not every Web browser provides an email function. (The two biggest browsers today, Netscape and Internet Explorer, both provide an email function.)
2.3 Ftp (file transfer protocol, or file transfer service)
Ftp is a service that allows copying files from one computer system to another; ftp comprises both a protocol and an application program, and is one of the earliest services on the Internet.
Ftp can be used at the system level (typing commands at the command line), in a Web browser, or in a number of other utilities. Ftp is extremely useful to Internet users, because when browsing the Internet you will find countless software libraries for many fields, and you can copy them for your own use.
2.4 Telnet and rlogin
Telnet is an application that lets you access a remote computer and run applications on it. Telnet is very useful when you want to run an application that you do not have or that cannot run on your own computer, for example when you want to run a Unix application while your machine is a PC, or when your computer is not powerful enough to run a certain application, or lacks the required data files.
Telnet gives you the ability to work on a computer thousands of kilometers away while still feeling as if you were sitting in front of it.
The function of rlogin (remote login) is similar to Telnet.
2.6 Finger
Finger is an application program that lets you find the addresses of other users on the Internet. At a minimum, finger can tell you who is using a given computer system and what their login name is.
Finger is often used to find the email addresses of friends on the Internet. Finger can also give you other information, such as how long someone has been logged in to the network. Finger can therefore be regarded as a useful helper, but it is also a threat to the security of the network.
3. The Firewall system built by CSE
The CSE Firewall 1.0 software suite was released in June 1998. It consists of two components:
The IP Filtering packet filter
The application gateway (proxy servers) suite
These two components can operate independently. They can also be combined to form a complete firewall system.
In this document we only discuss the application gateway suite installed at VPCP.
3.1 Overview
The CSE proxy suite (version 1.0) was developed from the TIS (Trusted Information System) Internet Firewall toolkit version 1.3. TIS consists of a set of programs and system reconfiguration steps aimed at building a Firewall. The suite is designed to run on UNIX systems using TCP/IP with the Berkeley socket interface.
Installing the proxy suite requires experience in UNIX system administration and TCP/IP networking. At a minimum, the firewall network administrator must be familiar with:
administering and maintaining a running UNIX system
building packages for the system
Differences in how the system is configured determine different levels of network security. The firewall installer must clearly understand the security requirements of the network to be protected, know which risks are acceptable and which are not, and gather and analyze them from the requirements of the users.
The proxy suite is designed for a number of firewall configurations, of which the most basic forms are the dual-homed gateway (figure 2.4), the screened host gateway (figure 2.5), and the screened subnet gateway (figure 2.6). As we know, in these firewall architectures the most fundamental element is the bastion host, which acts as a forwarder of information, logs communications, and provides services. Maintaining security on the bastion host is extremely important, because it is where most of the effort of installing a firewall system is concentrated.
3.2 Components of the proxy suite:
The proxy suite consists of application-level programs that either replace or are added to the existing system software. Its main components are:
Smap: the SMTP (Simple Mail Transfer Protocol) service
Netacl: the Telnet and finger services, and network access control lists
Ftp-Gw: Proxy server for Ftp
Telnet-Gw: Proxy server for Telnet
Rlogin-Gw: Proxy server for rlogin
Plug-Gw: TCP Plug-Board Connection server (a server for on-demand connections over the TCP protocol)
3.2.1 Smap: SMTP service
SMTP is built using the pair of software tools smap and smapd. It can be said that SMTP poses a threat to the system, because mail programs run at the system level in order to deliver mail to users' mailboxes.
Smap and smapd deal with this by isolating the mail program, forcing it to run in a restricted directory via chroot (change of root directory) as an unprivileged user. The purpose of smap is to isolate the mail program, since it has caused many errors on systems. Most mail processing work is usually performed by the sendmail program. Sendmail does not require any change or reconfiguration. When a remote system connects to the SMTP port, the operating system starts smap. Smap immediately chroots to the restricted directory and sets its user-id to an ordinary (unprivileged) level. Because smap requires no support from any system file, the restricted directory contains only files created by smap itself. Therefore you need not worry that smap will modify system files when it chroots. The sole purpose of smap is to carry on the SMTP dialog with other systems, collect mail messages, write them to disk, log, and exit.
Smapd is responsible for regularly scanning smap's spool directory and passing the queued messages to sendmail for final delivery. Note that if sendmail is configured at the normal level and smap runs with the uucp user-id (?), mail can be delivered normally without smapd needing to run with high privilege. When smapd delivers a message, it deletes the file containing that message from the spool.
In this sense sendmail is isolated, so a malicious user on the network cannot connect to sendmail without going through smap. However, smap and smapd cannot solve the problem of mail forgery or other kinds of attacks via mail. Smap is very small compared to sendmail (700 lines versus 20,000 lines), so analyzing the source to find bugs is much easier.
3.2.2 Netacl: network access control tool
We know that inetd does not provide any network access control: it allows any system on the network to connect to the services listed in the inetd.conf file.
Netacl is a network access control tool based on the network address of the client machine and the service requested. Thus a client (identified by IP address or hostname) can start telnetd (another version of telnet) when it connects to the telnet service port on the firewall.
Usually in firewall configurations, netacl is used to block all machines except a few hosts that are allowed to log in to the firewall via either telnet or rlogin, and to block access from attackers.
The security of netacl rests on IP addresses and/or hostnames. For systems requiring high security, IP addresses should be used to avoid DNS spoofing. Netacl cannot prevent IP address spoofing via source routing or other means. If such attacks are expected, a router capable of screening source-routed packets must be used.
Note that netacl does not provide UDP access control, because current technology cannot guarantee authentication of UDP. Securing UDP services amounts to disallowing all UDP services.
Netacl consists of only 240 lines of (commented) C code, so it is very easy to inspect and correct. Care is nevertheless needed when configuring it.
3.2.3 Ftp-Gw: Proxy server for Ftp
Ftp-Gw is a proxy server that provides network access control based on IP address and/or hostname, and provides secondary access control that optionally allows any ftp command to be blocked or logged. The destination of this service can also optionally be permitted or blocked. All connections and all bytes of data transferred are logged.
Ftp-Gw itself does not threaten the security of the firewall system, because it runs chrooted in an empty directory and performs no file I/O other than reading its configuration file. Ftp-gw is about 1,300 lines. The Ftp gateway only provides the ftp service, without regard to who is or is not allowed to export files. Therefore, permissions must be established on the gateway and enforced before any export or import of files. The Ftp gateway should be installed according to the network security policy. The source suite allows the network administrator to provide both the ftp service and the ftp proxy on the same system.
3.2.4 Telnet-Gw: Proxy server for Telnet
Telnet-Gw is a proxy server that provides network access control based on IP address and/or hostname, and provides secondary access control that optionally allows any destination to be blocked. All connections and all bytes of data transferred are logged. Each time a user connects to telnet-gw, a simple menu of choices for connecting to a remote host appears.
Telnet-gw does not harm system security, since it runs chrooted in a restricted directory. Its source consists of only 1,000 lines. Menu processing takes place entirely in memory, with no subshell or other program involved. There is also no file I/O other than reading the configuration file. Therefore, telnet-gw cannot provide access to the firewall system itself.
3.2.5 Rlogin-Gw: Proxy server for rlogin
Terminal access via the BSD rlogin protocol can be provided through the rlogin proxy. rlogin allows checking and network access control similar to the telnet gateway. An rlogin client can specify a remote system as soon as it connects to the proxy, which allows the user's interaction with the machine to be limited (in case no authentication is required).
3.2.6 Sql-Gw: Proxy Server for Oracle Sql-net
Usually, information in an Oracle database is accessed through the WWW service. However, to support users who use the plus33 program to connect to an Oracle server, the CSE firewall includes a Sql-net proxy program. Access control can be performed by the hostname or IP address of the source and destination machines.
3.2.7 Plug-Gw: TCP Plug-Board Connection server
The firewall provides common services such as Usenet news. The network administrator can choose either to run this service on the firewall itself or to install a proxy server. Since running news directly on the firewall easily causes system errors in this software, the safer way is to use a proxy. Plug-gw is designed for Usenet News.
Plug-gw can be configured to allow or refuse connections based on IP address or hostname. All connections and all bytes of data transferred are logged.
3.3 Installation
The installation kit consists of 2 floppy disks of 1.44 Mb, R1 and R2. Each installation kit has a different serial number and only works on a machine with a predetermined hostname. Installation is carried out in the normal way using the custom command.
During installation, a user named proxy is registered with the system to perform the proxy management functions. The installer must set a password for this user.
A directory /usr/proxy is automatically set up, containing the subdirectories:
bin contains the executable programs
etc contains the Firewall configuration files and some example system configuration files for running with the Firewall, such as inetd.conf, services, syslog.conf
log contains the log files
report contains the report files produced later.
Configuring and administering the CSE Firewall is done entirely through the menu functions presented after logging in to the Firewall machine as the proxy user. After installation, the following system files should be renamed and saved before configuring:
/etc/inetd.conf
/etc/services
/etc/syslog.conf.
3.4 Configuration:
3.4.1 Initial network configuration
With a host-based Firewall we can make sure that the network is set up according to a chosen security policy intended to block every unwanted flow of information between the protected network and the outside network. This can be done by a screening router or a dual-homed gateway. Usually, network devices all rely on the security mechanism installed on the router through which every connection must pass.
One thing to keep in mind is that during installation, the public machines (the Firewall bastion host) can be attacked before their security mechanism has been fully configured and is running. Therefore, the inetd.conf file should be configured to block all network services from outside, and a console terminal should be used for installation.
At that point, we can specify which accesses between the protected network and the outside network will be blocked. Depending on the purpose, we can block accesses according to their direction. The program also needs to be tested carefully before use. If necessary, the program /usr/proxy/bin/netscan can be used to attempt connections to every computer in the subnet as a check. It will try to get through the Firewall in every direction to make sure that unauthorized accesses cannot occur. Blocking inbound and outbound access is the key element of the Firewall's security mechanism; it should not be relied on until it has been installed and tested thoroughly.
3.4.2 Configuring the Bastion Host
A fundamental reason for building a Firewall is to block unnecessary services and services that are not well understood. Blocking unnecessary services requires the installer to understand the system configuration. The steps are as follows:
Modify the files /etc/inetd.conf, /etc/services, /etc/syslog.conf, /etc/sockd.conf.
Modify the operating system configuration, removing services that may cause errors such as NFS, then rebuild the kernel.
This can be repeated until the system provides the minimum set of services that the administrator trusts. This configuration can be done at the same time as checking exactly which services are running, using the ps and netstat commands. Most servers are configured together with some other form of security; those configurations will be described in a later section. A general tool for probing TCP/IP services is /usr/proxy/bin/portscan, which can be used to see which services are being provided. If there are no special requirements, the configuration files mentioned above, which are created and placed in /usr/proxy/etc during installation, can be used as they are; otherwise they can be consulted and modified as required.
All components of the Firewall suite require a common configuration file (by default /usr/proxy/etc/netperms). Most components of the Firewall suite are invoked by the system service inetd, declared in /etc/inetd.conf similar to the following:
ftp stream tcp nowait root /usr/proxy/bin/netacl ftpd
ftp-gw stream tcp nowait root /usr/proxy/bin/ftp-gw ftp-gw
telnet-a stream tcp nowait root /usr/proxy/bin/netacl telnetd
telnet stream tcp nowait root /usr/proxy/bin/tn-gw tn-gw
login stream tcp nowait root /usr/proxy/bin/rlogin-gw rlogin-gw
finger stream tcp nowait nobody /usr/proxy/bin/netacl fingerd
http stream tcp nowait root /usr/proxy/bin/netacl httpd
smtp stream tcp nowait root /usr/proxy/bin/smap smap
The netacl program is a TCP Wrapper that provides access control for TCP services and also uses a configuration file shared with the Firewall.
The first step in configuring netacl is to allow the internal network limited access to the Firewall, if this is needed for administration. Depending on whether the TELNET gateway tn-gw is installed, the administrator can access the Firewall through a port other than the standard telnet port (23). Because telnet usually does not let a program access a port other than its standard one, the proxy service will run on port 23 and the real telnet will run on another port, for example the service named telnet-a above (see the inetd.conf file above). The correctness of netacl can be checked by configuring it to allow or deny some hosts and then trying to access the services from them.
Once netacl is configured, the TELNET and FTP gateways must be configured accordingly. Configuring the TELNET gateway is simply a matter of treating it as a service and writing in netacl.conf a description of which systems may use it. Help can be provided to users when necessary. Configuring the FTP proxy is the same. However, unlike TELNET, FTP can use a different port. Many FTP clients support the use of non-standard ports.
The rlogin service is an option that can be used and must be installed on the application port of the bastion host (port 512); the rlogin protocol requires a special port, a process that requires permission from the UNIX system. An administrator who wants to use the security mechanism must set up a directory for the proxy in order to confine it within that directory.
Smap and smapd are filter processes that can be installed using the proxy's own directory for processing or some other directory in the system. Smap and smapd do not replace sendmail, so sendmail must still be configured for the Firewall. This is not covered in this document.
3.4.3 Setting up the rule set
When configuring the proxy servers and the network access control program, what matters is to set up precisely the rule set that corresponds to the desired security model. A good way to start configuring the Firewall is to let everyone in the network use the services freely while blocking everyone outside. Configuring the firewall is not too complicated, since it is designed to support every situation. The file /usr/proxy/etc/netperms is the configuration/permissions database for the Firewall components: netacl, smap, smapd, ftp-gw, tn-gw, http-gw, and plug-gw. When one of these applications starts, it reads its configuration and permissions from netperms and stores them in an in-memory database.
The configuration/permissions file is organized as rules, each rule on one line. The first part of each rule is the name of the application, followed by a colon (:). Several applications can share one rule, with their names separated by commas. Comment lines can be inserted into the configuration file by putting the character # at the beginning of the line.
3.4.3.1 Setting up the rule sets for the HTTP and FTP services
Configuring the HTTP and FTP services is similar. We give details only of configuring the rules for the FTP service.
#Example ftp gateway rules:
#---------------------------------
ftp-gw: denial-msg /usr/proxy/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/proxy/etc/ftp-welcome.txt
ftp-gw: help-msg /usr/proxy/etc/ftp-help.txt
ftp-gw: permit-hosts 10.10.170.* -log {retr stor}
ftp-gw: timeout 3600
In the example above, the 10.10.170 network is allowed to use the proxy, while every other host not in the list is denied any access. If another network tries to access the proxy, it receives the denial message from /usr/proxy/etc/ftp-deny.txt and the connection is then dropped. If the protected network grows, only further permit lines need to be added.
ftp-gw: permit-hosts 16.67.32.* -log {retr stor}
or
ftp-gw: permit-hosts 16.67.32.* -log {retr stor}
ftp-gw: permit-hosts 10.10.170.* -log {retr stor}
Each component of the Firewall has a set of options that are discussed in that component's own manual page. In the example above, the option -log {retr stor} makes the FTP proxy log the retr and stor commands.
3.4.3.2 Anonymous FTP
Anonymous FTP servers have been used on the UNIX operating system for a long time. Security holes frequently arise from newly added features, the appearance of bugs, and misconfiguration. One approach to securing anonymous FTP is to use netacl to make sure the FTP server is confined to its directory before it is invoked. With such a configuration, it is difficult for anonymous FTP to damage the system outside the FTP area.
Below is an example of using netacl to decide whether or not to restrict the area available to FTP for each connection. Suppose the protected network is 192.5.12
netacl-ftpd: hosts 192.5.12.* -exec /etc/ftpd
netacl-ftpd: hosts unknown -exec /bin/cat /usr/proxy/etc/noftp.txt
netacl-ftpd: hosts * -chroot /ftpdir -exec /etc/ftpd
In this example, users connecting to the FTP service from the protected network have normal FTP capability. Users connecting from systems in another domain receive a message that they are not allowed to use FTP. All other systems connecting to FTP are confined to the FTP file area. This has several security advantages. First, when authenticating, ftpd checks the user's password inside the FTP area, which allows the administrator to issue FTP accounts. This is needed for people who have no account on the bastion host; it provides checking and authentication and still lets the administrator use the strengths of ftpd even though it may contain some security holes.
3.4.3.3 Telnet and rlogin
In general, access to the bastion host should be blocked; only the administrator should be allowed to log in. Usually when the proxy is running, the telnet and rlogin programs cannot run on their standard ports. There are 3 ways to solve this problem:
Run the telnet and rlogin proxies on the standard ports, with telnet and rlogin on other ports, and protect access to them with netacl
Allow login only from the console.
Use netacl to switch depending on where the connection originates, relying on the proxy to make the real connection.
The last solution is very convenient but allows everyone entitled to use the proxy to log in to the bastion host. If the bastion host uses strong authentication to manage user access, the risk from attacks on the bastion host is minimized. To configure the system, first, all devices connect to the system through netacl and are routed to the server programs or the proxy servers depending on where the connection originates.
An administrator who wants to enter the bastion host must first connect to netacl and then issue a command to connect to the bastion host. This is simple because some versions of telnet and rlogin do not work unless connected to the correct port.
netacl-telnetd: permit-hosts 127.0.0.1 -exec /etc/telnetd
netacl-telnetd: permit-hosts myaddress -exec /etc/telnetd
netacl-telnetd: permit-hosts * -exec /usr/proxy/bin/tn-gw
netacl-rlogin: permit-hosts 127.0.0.1 -exec /etc/rlogin
netacl-rlogin: permit-hosts myaddress -exec /etc/rlogin
netacl-rlogin: permit-hosts * -exec /usr/proxy/bin/rlogin-gw
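The netperms rule format described in 3.4.3 and the ftp-gw and netacl host rules shown in 3.4.3.1 through 3.4.3.3, as an added example that is not part of the CSE or TIS code: it parses rules of the form shown on this page and evaluates permit-hosts / deny-hosts / hosts lines for a client. Assumed, not stated by the page: rules for an application are tried in file order and the first match wins (consistent with the telnetd/tn-gw pair above), a client matching nothing is denied, and the option arities (-log, -auth and -chroot take one argument, -exec takes the rest of the line, -authall takes none).

```python
# Added example, not part of the CSE/TIS code: a parser for the netperms
# rule format described in 3.4.3 and a first-match evaluator for the
# permit-hosts / deny-hosts / hosts lines used by ftp-gw and netacl.
import fnmatch

# Constructed sample in the page's format: "app: keyword args", several
# comma-separated apps may share one rule, "#" starts a comment.
SAMPLE_NETPERMS = """\
# Example ftp gateway rules:
ftp-gw: denial-msg /usr/proxy/etc/ftp-deny.txt
ftp-gw: permit-hosts 10.10.170.* -log {retr stor}
netacl-telnetd: permit-hosts 127.0.0.1 -exec /etc/telnetd
netacl-telnetd: permit-hosts * -exec /usr/proxy/bin/tn-gw
netacl-ftpd: hosts 192.5.12.* -exec /etc/ftpd
netacl-ftpd: hosts unknown -exec /bin/cat /usr/proxy/etc/noftp.txt
netacl-ftpd: hosts * -chroot /ftpdir -exec /etc/ftpd
smap, smapd: userid root
"""

# "hosts" and the page's "permit-host" spelling are treated as permits.
HOST_KEYWORDS = {"permit-hosts": "permit", "permit-host": "permit",
                 "hosts": "permit", "deny-hosts": "deny"}
ONE_ARG_OPTIONS = {"-log", "-auth", "-chroot"}  # -exec takes the rest

def _tokenize(text):
    """Split on whitespace but keep a {...} group as one token."""
    tokens, buf, depth = [], [], 0
    for ch in text:
        depth += (ch == "{") - (ch == "}")
        if ch.isspace() and depth == 0:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    if depth != 0:
        raise ValueError("unbalanced braces in %r" % text)
    return tokens

def parse_netperms(text):
    """Return a list of (app, keyword, args) tuples, one per app."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        apps, sep, rest = line.partition(":")
        tokens = _tokenize(rest)
        if not sep or not tokens:
            raise ValueError("malformed rule: %r" % raw)
        for app in apps.split(","):  # "smap, smapd: ..." shares a rule
            rules.append((app.strip(), tokens[0], tokens[1:]))
    return rules

def _host_args(args):
    """Split 'pattern ... -opt value ...' into patterns and options."""
    patterns, options, i = [], {}, 0
    while i < len(args) and not args[i].startswith("-"):
        patterns.append(args[i])
        i += 1
    while i < len(args):
        opt = args[i]
        if opt == "-exec":  # the command and its arguments end the rule
            options["exec"] = args[i + 1:]
            break
        if opt == "-authall":
            options["authall"] = True
            i += 1
            continue
        if opt not in ONE_ARG_OPTIONS or i + 1 >= len(args):
            raise ValueError("bad option %r in %r" % (opt, args))
        val = args[i + 1]
        options[opt[1:]] = val[1:-1].split() if val[0] == "{" else [val]
        i += 2
    return patterns, options

def host_matches(pattern, ip, name):
    """'*' matches all, 'unknown' matches clients with no reverse name,
    anything else is a wildcard tried against the IP and the hostname."""
    if pattern == "*":
        return True
    if pattern == "unknown":
        return name is None
    return fnmatch.fnmatchcase(ip, pattern) or (
        name is not None and fnmatch.fnmatchcase(name, pattern))

def decide(rules, app, ip, name=None):
    """First matching host rule for `app` wins (assumed, as in the page's
    telnetd/tn-gw pair); a client matching no rule is denied, which is
    what the text says happens to hosts not in the list."""
    for rule_app, keyword, args in rules:
        if rule_app == app and keyword in HOST_KEYWORDS:
            patterns, options = _host_args(args)
            if any(host_matches(p, ip, name) for p in patterns):
                return HOST_KEYWORDS[keyword], options
    return "deny", {}
```

Note that a client with no reverse DNS name from 192.5.12.* still hits the first netacl-ftpd line, because the IP pattern is tried before the unknown line is reached.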
3.4.3.4 Sql-net proxy
Suppose there are two databases, STU on the machine 190.2.2.3 and VPCP on the machine 190.2.0.4.
To configure the sql-net proxy, proceed with the following steps:
3.4.3.4.1 Configuration on the firewall
Configure the netperms file as follows:
#Oracle proxy for STU Database
ora_stu1: timeout 3600
ora_stu1: port 1521 * -plug-to 190.2.2.3 -port 1521
ora_stu2: timeout 3600
ora_stu2: port 1526 * -plug-to 190.2.2.3 -port 1526
#Oracle proxy for VBPQ Database
#Oracle Proxy for VBPQ Database
ora_vpcp1 stream tcp nowait root /usr/proxy/bin/plug-gw ora_vpcp1
ora_vpcp2 stream tcp nowait root /usr/proxy/bin/plug-gw ora_vpcp2
Set the /etc/syslog.conf file as follows:
#Logfile for Sql-gw
sql-gw /usr/proxy/log/plug-gw
3.4.3.4.2 Configuration on the workstation
Set the file oracle_home\network\admin\tnsnames.ora as follows:
#Logfile for Sql-gw
stu.world =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS =
(COMMUNITY = tcp.world)
(PROTOCOL = TCP)
(Host = firewall)
(Port = 1521)
)
(ADDRESS =
(COMMUNITY = tcp.world)
(PROTOCOL = TCP)
(Host = firewall)
(Port = 1526)
)
)
(CONNECT_DATA = (SID = STU)
)
)
vpcp.world =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS =
(COMMUNITY = tcp.world)
(PROTOCOL = TCP)
(Host = firewall)
(Port = 1421)
)
(ADDRESS =
(COMMUNITY = tcp.world)
(PROTOCOL = TCP)
(Host = firewall)
(Port = 1426)
)
)
(CONNECT_DATA = (SID = ORA1)
)
)
You can easily extend this to more databases located on different machines.
3.4.3.5 Other services
Similarly, here are configuration examples for other services declared in the netperms file:
# finger gateway rules:
# ---------------------
netacl-fingerd: permit-hosts 190.2.* ws1 -exec /etc/fingerd
netacl-fingerd: deny-hosts * -exec /bin/cat /usr/proxy/etc/finger.txt
# http gateway rules:
# ---------------------
netacl-httpd: permit-hosts * -exec /usr/proxy/bin/http-gw
http-gw: timeout 3600
#http-gw: denial-msg /usr/proxy/etc/http-deny.txt
#http-gw: welcome-msg /usr/proxy/etc/http-welcome.txt
#http-gw: help-msg /usr/proxy/etc/http-help.txt
http-gw: permit-hosts 190.2.* 10.* 192.2.0.* -log { all }
http-gw: deny-hosts 220.10.170.32 ws1
http-gw: default-httpd hpnt
#
# smap (E-mail) rules:
# ----------------------
smap, smapd: userid root
smap, smapd: directory /usr/spool/mail
smapd: executable /usr/proxy/bin/smapd
smapd: sendmail /usr/lib/sendmail
smap: timeout 3600
#
In addition, the CSE Firewall also provides the socks service to control special application software such as Lotus Notes. The following must be added to the system configuration files:
File /etc/services:
socks 1080/tcp
File /etc/inetd.conf:
socks stream tcp nowait root /etc/sockd sockd
The configuration and rules for this service are in the file /etc/sockd.conf; only two keywords matter, permit and deny, which allow or disallow hosts passing through; this service is not combined with the authentication service. The IP address and netmask set in this file work the same way as in the UNIX route command.
permit 190.2.0.0 255.255.0.0
permit 10.10.170.50 255.255.255.255
permit 10.10.170.40 255.255.255.255
permit 10.10.170.31 255.255.255.255
deny 0.0.0.0 0.0.0.0 : mail -s 'SOCKD: rejected -- from %u@%A to host %Z(service %S)' root
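The sockd.conf matching described above, as an added example that is not part of the CSE or SOCKS code: it parses permit/deny lines of the form shown and combines address and netmask the way the text says the route command does. Assumed, not stated by the page: lines are tried in order with the first match winning, no match means deny, and the ': command' part (the page's own deny line is reused) has %u, %A, %Z and %S substituted with the user, client address, destination host and service.

```python
# Added example, not the CSE or SOCKS code: evaluate permit/deny lines
# of a sockd.conf in the form shown above.  Address and mask combine as
# the text says they do for the UNIX route command: a client matches a
# line when (client & mask) == (address & mask).
import ipaddress

# Constructed sample in the page's format; the deny line with its
# ": command" part is the one the page shows.
SAMPLE_SOCKD_CONF = """\
permit 190.2.0.0 255.255.0.0
permit 10.10.170.50 255.255.255.255
permit 10.10.170.40 255.255.255.255
deny 0.0.0.0 0.0.0.0 : mail -s 'SOCKD: rejected -- from %u@%A to host %Z(service %S)' root
"""

def parse_sockd_conf(text):
    """Return (action, network_int, mask_int, command_or_None) per line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        spec, _, command = line.partition(":")  # first ':' starts the command
        fields = spec.split()
        if len(fields) != 3 or fields[0] not in ("permit", "deny"):
            raise ValueError("unsupported sockd.conf line: %r" % raw)
        action, addr, mask = fields
        mask_int = int(ipaddress.IPv4Address(mask))
        net_int = int(ipaddress.IPv4Address(addr)) & mask_int
        rules.append((action, net_int, mask_int, command.strip() or None))
    return rules

def sockd_decide(rules, client_ip, user="", dest_host="", service=""):
    """First matching line wins; returns (action, expanded_command).
    Assumed: no match means deny, and %u/%A/%Z/%S in the command stand
    for user, client address, destination host and service."""
    client = int(ipaddress.IPv4Address(client_ip))
    for action, net_int, mask_int, command in rules:
        if (client & mask_int) == net_int:
            expanded = None
            if command:
                expanded = (command.replace("%u", user).replace("%A", client_ip)
                            .replace("%Z", dest_host).replace("%S", service))
            return action, expanded
    return "deny", None
```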
3.4.4 Authentication and the authentication service
The Firewall suite includes an authentication server program designed to support the permission mechanism. Authsrv holds a database of the users in the network; each record corresponds to one user and holds that user's authentication mechanism, including the group name, the user's full name, and the most recent access. Plain text passwords are used for users within the network so that administration stays simple. Plain text passwords should not be used with users coming from the outside network. Authsrv is run on a secure host, usually the bastion host.
To simplify administration of authsrv, the administrator can use a shell, authmgr, to administer the database; it is provided with a data encryption mechanism.
The users in an authsrv database can be divided into different groups, each administered by a group administrator who has full authority within the group, including adding and removing users. This is convenient when several organizations share one Firewall.
To configure authsrv, first pick a free TCP port and add a line to inetd.conf that invokes authsrv whenever a connection is requested. Authsrv is not a continuously running daemon process; it is a program invoked each time it is requested, and it keeps a copy of the database to avoid risk. Adding authsrv to inetd.conf requires adding an entry in /etc/services. Since authsrv does not accept parameters, the following lines must be added to inetd.conf and services:
In /etc/services:
authsrv 7777/tcp
In /etc/inetd.conf:
authsrv stream tcp nowait root /usr/proxy/bin/authsrv authsrv
The service port used for authsrv is then used when configuring the client applications that use the authentication service.
The authentication service need not be applied to all services or to all clients.
#Example ftp gateway rules:
ftp-gw: authserver localhost 7777
ftp-gw: denial-msg /usr/proxy/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/proxy/etc/ftp-welcome.txt
ftp-gw: help-msg /usr/proxy/etc/ftp-help.txt
ftp-gw: permit-host 192.33.112.100
ftp-gw: permit-host 192.33.112.* -log {retr stor} -auth {stor}
ftp-gw: permit-host * -authall
ftp-gw: timeout 36000
In the example above, authentication is used with the FTP proxy. The first line defines the network address and service port of the authentication program. The permit-host lines show one of the flexibilities of the authentication system: a selected host is not subject to the authentication mechanism, and users from that host can freely access every service of the proxy. The second permit-host requires authentication of every system in the 192.33.112 network that wants to send outward; with -auth {stor}, those FTP operations are locked until the user has completed authentication with the server. At that point the locked command is released and the user can enter the system. The last example defines that everyone can connect to the server, but must first be authenticated.
The authsrv server must be configured to know which machines are allowed to connect. This blocks all attempts at unauthorized access to the server from systems not running the authentication software. In the Firewall, authsrv runs on the bastion host together with the proxies there. If no other system requires access, each client and the server treat localhost as the communication address. The authsrv configuration defines which database it operates and which clients it supports.
#Example authsrv rules:
authsrv: database /usr/proxy/bin/authsrv.db
authsrv: permit-host localhost
authsrv: permit-host 192.5.214.32
In the example above, the path to the database is defined and 2 hosts are recognized. Note that the database must be on a protected system or be strictly protected by the file access mechanism. Protecting the database is very important, so the database should be kept on the bastion host. The second entry is an example of a client using DES encryption when communicating with authsrv. The encryption key is held in the configuration file, which requires the configuration file to be protected. In general, encryption is not necessary. What encryption makes possible is for the administrator to manage the authentication database from a workstation. The only data stream that needs protection is when the network administrator resets a password over
When a user record is created by the group administrator, it inherits the group's settings as well as the authentication protocol. User records can be viewed with the display or list commands.
Example of a session with Authmgr:
%-> authmgr
Connected to server
authmgr-> login
Username: wizard
Challenge 200850 : 182312
Logged in
authmgr-> disp wizard
Report for user wizard (Auth DBA)
Last authenticated: Fri Oct 8 17:11:07 1993
Authentication protocol: Snk
Flags: WIZARD
authmgr-> list
Report for user in database
user group longname flags proto last
--- ----- -------- ----- ----- ---
wizard users Auth DBA y W Snk Fri Oct 8 17:02:56 1993
avolio users Fred Avolio y passwd Fri Sep 24 10:52:14 1993
rnj users Robert N. Jesse y passwd Wed Sep 29 18:35:45 1993
mjr users Marcus J. Ranum y none Fri Oct 8 17:02:10 1993
authmgr-> adduser dalva Dave dalva
ok - user added initially disable
authmgr-> enable dalva
enabled
authmgr-> group dalva users
set group
authmgr-> proto dalva Skey
changed
authmgr-> disp dalva
Report for user dalva, group users (Dave Dalva)
Authentication protocol: Skey
Flags: none
authmgr-> password dalva
Password: #######
Repeat Password: #######
ID dalva s/key is 999 sol32
authmgr-> quit
In the example above, the administrator connects to authsrv over the network using the authmgr interface; after authentication, the user record is displayed with the time of authentication. After login, the user database is listed, a user is created, a password is set, and the user is enabled and added to a group.
Initializing the Authsrv database:
# authsrv-administrator mode-
authsrv# list
Report for user in database
user group longname flags proto last
--- ----- -------- ----- ----- ---
authsrv# adduser admin Auth DBA
ok - user added initially disable
authsrv# enable admin
enabled
authsrv# superwiz admin
set wizard
authsrv# proto admin Snk
changed
authsrv# pass 160 270 203 065 022 034 232 162 admin
Secret key changed
authsrv# list
Report for user in database
user group longname flags proto last
--- ----- -------- ----- ---- ---
admin Auth DBA y W Snk never
authsrv# quit
In the example, a new database is created together with a record for the administrator. The administrator is granted privileges and assigned an authentication protocol.
3.4.5 Using the CSE Proxy control screen:
After installation, when logging in as the proxy user, the control screen displays a menu of functions from which the administrator can choose.
PROXY SERVICE MENU
1 Configuration
2 View TELNET log
3 View FTP log
4 View HTTP log
5 View E-MAIL log
6 View AUTHENTICATE log
7 View FINGER log
8 View RLOGIN log
9 View SOCKD log
a Report
b Authentication
c Change system time
d Change password
e Shutdown
q Exit
Select option> _
The leading number or letter indicates the key to press to perform the function. After each function has finished, there appears
3.4.5.5 5 View E-MAIL log
Function to view the contents of the email service log.
3.4.5.6 6 View AUTHENTICATE log
Function to view the contents of the authentication service log.
3.4.5.7 7 View FINGER log
Function to view the contents of the finger log.
3.4.5.8 8 View RLOGIN log
Function to view the contents of the rlogin-gw log.
3.4.5.9 9 View SOCKD log
Function to view the contents of the sockd log.
3.4.5.10 a Report
Function to produce statistical reports for all services over a given period of time.
First the screen shows a calendar for choosing the period to report on. Once the report has been computed, the user must choose one of the output forms: view (display on screen), save (to floppy disk) or print (on a printer attached directly to the server). To print on other printers, the files can be written to floppy disk and printed from workstations.
Fri May 8 10:39:13 1998
Apr May Jun
S M Tu W Th F S S M Tu W Th F S S M Tu W Th F S
1 2 3 4 1 2 1 2 3 4 5 6
5 6 7 8 9 10 11 3 4 5 6 7 8 9 7 8 9 10 11 12 13
12 13 14 15 16 17 18 10 11 12 13 14 15 16 14 15 16 17 18 19 20
19 20 21 22 23 24 25 17 18 19 20 21 22 23 21 22 23 24 25 26 27
26 27 28 29 30 24 25 26 27 28 29 30 28 29 30
31
From date (dd/mm[/yy]) (08/05/98): 01/05/98
To date (dd/mm[/yy]): (08/05/98): 05/05/09
Calculating...
View, save to MS-DOS floppy disk or print report (v/s/p/q)? v
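As an added example (not from the document or the CSE Proxy software), the Report step above modelled in Python: parsing the dd/mm[/yy] dates the From/To prompts accept, with the missing-year default and the two-digit-year pitfall, and counting log entries per service inside the chosen range. The log line layout and the year pivot are assumptions, since the page does not show CSE Proxy's on-disk log format.

```python
from datetime import date, datetime

# Constructed sample log lines (the page does not show CSE Proxy's on-disk
# log layout, so this format is an assumption): date time service user dest.
SAMPLE_LOG = """\
1998-05-01 08:12:03 tn-gw ngoc 192.1.1.1
1998-05-01 09:40:11 ftp-gw ruth 192.1.1.1
1998-05-03 14:05:27 http-gw dalva www.example.test
1998-05-05 23:59:59 tn-gw ngoc 192.1.1.1
1998-05-06 00:00:01 ftp-gw ngoc 192.1.1.1
"""

def parse_report_date(text, today):
    """Parse the dd/mm[/yy] form the From/To prompts accept.  A missing year
    defaults to today's year; a two-digit year is pivoted at 70 (assumed:
    70-99 -> 19xx, 00-69 -> 20xx), so a slip like 05/05/09 lands in 2009."""
    parts = text.strip().split("/")
    if len(parts) not in (2, 3):
        raise ValueError("expected dd/mm[/yy], got %r" % text)
    day, month = int(parts[0]), int(parts[1])
    if len(parts) == 3:
        yy = int(parts[2])
        year = 1900 + yy if yy >= 70 else 2000 + yy
    else:
        year = today.year
    return date(year, month, day)   # raises ValueError on an impossible date

def service_report(log_text, from_text, to_text, today):
    """Count entries per service whose date lies in [from, to] inclusive."""
    start = parse_report_date(from_text, today)
    end = parse_report_date(to_text, today)
    if end < start:
        raise ValueError("To date %s is before From date %s" % (end, start))
    counts = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue                     # skip blank or truncated lines
        day = datetime.strptime(fields[0], "%Y-%m-%d").date()
        if start <= day <= end:
            counts[fields[2]] = counts.get(fields[2], 0) + 1
    return counts

if __name__ == "__main__":
    print(service_report(SAMPLE_LOG, "01/05/98", "05/05/98", date(1998, 5, 8)))
```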
3.4.5.11 b Authentication
This function calls authsrv to manage users and their authentication; authsrv was described in detail above.
authsrv# list
Report for users in database
user group longname status proto last
---- ----- -------- ------ ----- ----
dalva cse n passw never
ruth cse y passw never
authsrv#
3.4.5.12 c Change system time
Function to change the system time. It is used to set the system clock precisely, because the system time has an important effect on the accuracy of the logs and lets the administrator track accesses to the proxy correctly.
The time entry line looks like the one below. The date need not be entered, but take care with the format of the number entered. Below is an example of changing the time to 11:28.
Current System Time is Fri May 08 10:32:00 HN 1998
Enter new time ([yymmdd]hhmm): 1128
3.4.5.13 d Change password
Function to change the password of the proxy user.
3.4.5.14 e Shutdown
Function to shut down the whole system. It is used to power the machine off safely with respect to its users.
3.4.5.15 q Exit
This function logs out of the proxy control screen.
3.4.6 Issues users need to be aware of
When using CSE Proxy, users need to pay attention to the following issues:
3.4.6.1 With web browsers
Proxy mode must be set so that the browser can reach web pages through the proxy.
In Microsoft Internet Explorer (version 4.0) choose View -> Internet Options -> Connection -> Proxy Server, enable Access the Internet using a proxy, and enter the proxy's IP address and port.
In Netscape Navigator (version 4.0) choose Edit -> Preferences -> Advanced -> Proxies and enter the proxy address and service port (80) under Manual proxy configuration.
3.4.6.2 For telnet users
If the authentication function is not enabled, the process is as follows:
$ telnet vectra
Trying 192.1.1.155...
Connected to vectra.
Escape character is '^]'.
Vectra.sce.gov.vn telnet proxy (version V1.0) ready:
tn-gw -> help
Valid commands are: (unique abbreviations may be used)
connect hostname [serv/ port]
telnet hostname [serv/ port]
x-gw [hostname/ display]
help/ ?
quit/ exit
password
tn-gw -> c 192.1.1.1
Trying 192.1.1.1 port 23...
SCO Openserver TM Release 5 (sco5.cse.gov.vn) (ttysO)
Login: ngoc
password: #######
...
$
If the authentication function is used, then after the proxy machine replies:
Vectra.sce.gov.vn telnet proxy (version V1.0) ready:
it prompts for a username and password to perform the authentication:
Username: ngoc
password: #######
Login accepted
tn-gw ->
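As an added example (not from the document or the CSE Proxy code), the tn-gw command loop shown in the two sessions above modelled in Python: unique-abbreviation command resolution ("c" for connect) and the authentication gate that has to be passed before a connect is honoured. The user table and the replies marked assumed are not on the page.

```python
TN_GW_COMMANDS = ("connect", "telnet", "x-gw", "help", "?", "quit", "exit", "password")

def resolve_command(word, commands=TN_GW_COMMANDS):
    """Expand a unique abbreviation ('c' -> 'connect') as the gateway's help
    text allows.  An exact match wins; a prefix shared by several commands or
    matching none returns None rather than guessing."""
    word = word.lower()
    if word in commands:
        return word
    matches = [c for c in commands if c.startswith(word)]
    return matches[0] if len(matches) == 1 else None

class TelnetGateway:
    """Command loop of the telnet proxy with its optional authentication gate.
    Replies copy the page where it shows them; others are marked assumed."""
    def __init__(self, require_auth, users):
        self.users = users                     # constructed {username: password}
        self.authenticated = not require_auth  # no gate -> commands accepted at once
        self.pending_user = None

    def handle(self, line):
        line = line.strip()
        if not self.authenticated:
            # Authentication dialogue: first line is the username, next the password.
            if self.pending_user is None:
                self.pending_user = line
                return "password:"
            ok = self.users.get(self.pending_user) == line
            self.pending_user = None
            if ok:
                self.authenticated = True
                return "Login accepted\ntn-gw ->"
            return "Login failed\nUsername:"                    # assumed wording
        parts = line.split()
        cmd = resolve_command(parts[0]) if parts else None
        if cmd in ("connect", "telnet"):
            if len(parts) < 2:
                return "Usage: %s hostname [serv/ port]" % cmd   # assumed wording
            port = parts[2] if len(parts) > 2 else "23"
            return "Trying %s port %s..." % (parts[1], port)
        if cmd in ("help", "?"):
            return "Valid commands are: (unique abbreviations may be used)"
        if cmd in ("quit", "exit"):
            return "Goodbye"                                     # assumed wording
        return "Unknown command; try help"                       # assumed wording
```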
3.4.6.3 For users of the FTP service
If the authentication function is used, the procedure is as follows:
$ftp vectra
Connected to vectra.
220 -Proxy first requres authentication
220 Vectra.sce.gov.vn FTP proxy (version V1.0) ready:
Name (vectra: root): ngoc
331 Enter authentication password for ngoc
Password: #######
230 User authenticated to proxy
ftp>user [email protected]
331 -(----GATEWAY CONNECTED TO 192.1.1.1----)
331-(220 sco5.cse,gov.vn FTP server (Version 2.1 WU(1)) ready.)
331 Password required for ngoc.
Password:
230 User ngoc logged in.
ftp>
...
ftp>bye
221 Goodbye.
$
If the authentication function is not used, it is simpler:
$ftp vectra
Connected to vectra.
220 Vectra.sce.gov.vn FTP proxy (version V1.0) ready:
Name (vectra: root): [email protected]
331 -(----GATEWAY CONNECTED TO 192.1.1.1----)
331-(220 sco5.cse,gov.vn FTP server (Version 2.1 WU(1)) ready.)
331 Password required for ngoc.
Password:
230 User ngoc logged in.
ftp>
...
ftp>bye
221 Goodbye
$
If you use the WS_FTP program for Windows from Ipswitch, Inc., you must enable Use Firewall in the Advanced section when configuring a connection session. In the Firewall Information section, enter the proxy's IP address as the Hostname, the username and password (UserID and Password) used for authentication on the proxy, and the service port (21). You must also select the USER after logon type under Firewall type.
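As an added example (not from the document or the CSE Proxy code), the FTP proxy dialogue of the two sessions above and the "USER after logon" style WS_FTP is told to use, modelled in Python: the proxy may demand its own authentication before anything else, and afterwards USER name@host names the server behind the gateway. Reply texts copy the page where it shows them; the user table, the sample login ngoc@192.1.1.1 and the replies marked assumed are constructed.

```python
class FtpProxy:
    """The FTP proxy dialogue shown above: the proxy may demand its own
    authentication first, and USER name@host then names the server behind it.
    Reply texts copy the page; replies marked assumed do not appear there."""
    def __init__(self, require_auth, proxy_users):
        self.proxy_users = proxy_users          # constructed {username: password}
        self.authenticated = not require_auth
        self.pending = None                     # login name awaiting its PASS
        self.gateway_host = None

    def greeting(self):
        lines = [] if self.authenticated else ["220-Proxy first requires authentication"]
        return lines + ["220 Vectra.sce.gov.vn FTP proxy (version V1.0) ready:"]

    @staticmethod
    def split_user_at_host(arg):
        """'ngoc@192.1.1.1' -> ('ngoc', '192.1.1.1').  Split on the last '@'
        so a login name that itself contains '@' is kept intact."""
        if "@" not in arg:
            return arg, None
        user, _, host = arg.rpartition("@")
        return user, host

    def command(self, verb, arg=""):
        verb = verb.upper()
        if verb == "USER":
            if not self.authenticated:
                self.pending = arg              # a proxy account, not name@host
                return ["331 Enter authentication password for %s" % arg]
            user, host = self.split_user_at_host(arg)
            if host is None:
                return ["500 Use USER name@host to reach a server"]   # assumed
            self.gateway_host, self.pending = host, user
            return ["331-(----GATEWAY CONNECTED TO %s----)" % host,
                    "331 Password required for %s." % user]
        if verb == "PASS":
            if self.pending is None:
                return ["503 Login with USER first"]                  # assumed
            if not self.authenticated:
                if self.proxy_users.get(self.pending) == arg:
                    self.authenticated = True
                    return ["230 User authenticated to proxy"]
                self.pending = None
                return ["530 Proxy authentication failed"]            # assumed
            # Relayed to the destination server; its acceptance is simulated here.
            return ["230 User %s logged in." % self.pending]
        if verb == "QUIT":
            return ["221 Goodbye."]
        return ["500 Unknown command"]                                # assumed
```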