Firewall Chapter 5

Jun 03, 2018

Network security (an ninh mạng)
Transcript
  • 8/12/2019 Firewall Chapter 5

    Slide 1/29

    Phạm Minh Thuận, Faculty of Information Security (Khoa An toàn thông tin)

  • Slide 2/29

    Chapter 5

    Setting up and deploying firewalls

  • Slide 3/29

    Setting up and deploying firewalls (outline)

    - Evaluate the selection criteria and weigh suitable firewall technologies and products
    - Identify the risks and build the policy
    - Determine the appropriate placement

  • Slide 4/29

    Building the policy

    - Identify the services currently in operation
    - Identify the risks that could affect the network

  • Slide 5/29

    Risk analysis

    - Produces an overall picture of the security threats the network has to face.
    - The analysis is based on three elements: the threat, the vulnerability and the countermeasure.
    - It requires knowledge of the risk attached to each application, and of the cost and benefit of each method used to secure that application.
    - The result of the analysis is a list of the applications together with how to make each of them secure.

  • Slide 6/29

    Risk analysis (cont.)

    Rank assigned by Depts/IT   Security issue/concern
    10                          Remote access to system resources
    10                          Internet access to system resources
    10                          Data exchange: securing all communication pathways to and from system resources
    7                           Minimal or weak network data accountability mechanisms that link all network activity to a user identity
    6                           Minimal or weak access control (user identification and authentication) to system resources (preventing unauthorized users from accessing material they are not permitted to see)
    4                           Web surfing and downloads to/from resources

  • Slide 7/29

    Application risk analysis

    - Identify the network applications considered necessary
    - Identify the threats associated with those applications
    - Perform a cost/benefit analysis of the methods for securing each application
    - Produce an application data-flow matrix that shows the protection method for each flow

  • Slide 8/29

    Building the policy

    - Identify the services in operation and the risks that could affect the network
    - Establish the firewall's security rules
    - Establish the address-translation rules:
      - static address translation
      - dynamic address translation
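As an added illustration (not part of the original slides) of how the rows of the application data-flow matrix become the firewall's filter rules and its static and dynamic address-translation rules; the zone names, addresses and applications are assumed for the example.

```python
# Added example, not from the slides: derive firewall filter rules and
# address-translation rules from an application data-flow matrix.
# Zone names, addresses and applications are constructed for illustration.
from collections import namedtuple

# app = application judged necessary; dst_host = real (private) address or "any";
# protection = method chosen after the cost/benefit analysis: allow, proxy, deny
Flow = namedtuple("Flow", "app src_zone dst_zone dst_host port protection")

# Constructed application data-flow matrix, one row per required flow.
MATRIX = [
    Flow("web",    "Internet", "DMZ",      "10.0.1.10", 443,  "allow"),
    Flow("smtp",   "Internet", "DMZ",      "10.0.1.25", 25,   "allow"),
    Flow("web",    "LAN",      "Internet", "any",       443,  "proxy"),
    Flow("db",     "DMZ",      "Internal", "10.0.2.5",  5432, "allow"),
    Flow("telnet", "Internet", "Internal", "any",       23,   "deny"),
]

def build_rules(matrix):
    """Ordered filter rules (first match wins), closed by a default deny."""
    rules = []
    for f in matrix:
        action = "deny" if f.protection == "deny" else "permit"
        rules.append((action, f.src_zone, f.dst_zone, f.dst_host, f.port))
    rules.append(("deny", "any", "any", "any", 0))  # everything else is dropped
    return rules

def match(rules, src_zone, dst_zone, dst_host, port):
    """Return the action of the first rule that matches the given flow."""
    for action, s, d, h, p in rules:
        if (s in (src_zone, "any") and d in (dst_zone, "any")
                and h in (dst_host, "any") and p in (port, 0)):
            return action
    return "deny"

def build_nat(matrix, public_pool, pat_address):
    """Static NAT for servers published to the Internet; dynamic PAT for
    internal zones that initiate connections to the Internet."""
    static, dynamic = {}, {}
    pool = iter(public_pool)
    for f in matrix:
        if f.protection == "deny":
            continue
        if f.src_zone == "Internet" and f.dst_host not in static:
            static[f.dst_host] = next(pool)    # one public IP per server
        elif f.dst_zone == "Internet":
            dynamic[f.src_zone] = pat_address  # many hosts share one IP
    return static, dynamic
```

The flow marked "proxy" still yields a permit rule here; the proxy itself is the subject of the application-level firewall discussed later in the chapter.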

  • Slide 9/29

    Setting up and deploying firewalls (outline, repeated)

    - Evaluate the selection criteria and weigh suitable firewall technologies and products
    - Identify the risks and build the policy
    - Network zoning and determining the appropriate placement

  • Slide 10/29

    Network zoning

    - Qualitatively define a few levels of security and of importance: high, medium and low.
    - Identify the groups of computers that share the same security level, the same exposure to attack or the same likelihood of an attack occurring:
      - business application servers and databases
      - administration machines
      - servers providing public services
      - workstations
      - test and lab areas

  • Slide 11/29

    Network zoning (cont.)

    Typically the network can be divided into the following zones:
    - Database & Application Zone
    - Management Zone
    - DMZ (DNS, Email, Web, FTP)
    - LAN / PC Zone (possibly several zones)
    - Lab / test Zone
    - Remote Access / Wireless Zone
    - WAN Zone
    - Internet Zone

    Identify the especially critical hosts that need measures controlling inbound and outbound access on the host itself.

  • Slide 12/29

    Determining the placement

    - A security device that is not placed in the right position will not deliver its full effect.
    - The firewall must sit at the point where two networks connect to each other.
    - Also consider which data flows need to be monitored, so that the device is positioned sensibly.
    - Choose a firewall architecture suited to the placement.

  • Slide 13/29

    Choosing a suitable firewall architecture: Screening Router

    - Uses packet-filtering firewall technology integrated into the router.
    - Used when:
      - the network is already protected by an inner layer of defence
      - few protocols are in use and their contents do not need to be controlled
      - high throughput and redundancy are required

  • Slide 14/29

    Choosing a suitable firewall architecture: Dual-Homed Host

    - Built on a device with at least two network interfaces. The dual-homed host completely blocks the flow of IP traffic between the internal network and the untrusted external network.
    - Used when:
      - little data is sent to the Internet, and it is not important
      - no public services are provided
      - the protected network contains no sensitive or critical information or systems

  • Slide 15/29

    Choosing a suitable firewall architecture: Screened Host

    - Combines a screening router with a bastion host. Deployed in two models:
      - Single-homed bastion: consists of a packet filter and a bastion host; protects the network at both the network layer and the application layer.
      - Dual-homed bastion: overcomes the weakness of the single-homed bastion host architecture; prevents contact with the internal network by means of the physical architecture.
    - Used when:
      - the number of connections coming in from the Internet is small
      - the internal network is well protected

  • Slide 16/29

    Choosing a suitable firewall architecture: Screened Subnet (DMZ)

    - Forms three layers of security.
    - The outside sees only the DMZ; it does not see the internal network.
    - The inside sees only the DMZ; it has no direct connection to the outside.
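Added example, not from the slides, modelling the three-layer screened subnet as an outer and an inner packet filter (zone names, ports and rules are assumed). It shows which filter stops a direct Internet-to-internal or internal-to-Internet flow, and audits a rule set for any permit rule that would bypass the DMZ.

```python
# Added example, not from the slides: a small model of the screened-subnet (DMZ)
# architecture with an outer packet filter between the Internet and the DMZ and an
# inner one between the DMZ and the internal network. All names are constructed.

# Which filters a flow crosses on its way from the source zone to the destination.
PATH = {
    ("Internet", "DMZ"): ["outer"], ("DMZ", "Internet"): ["outer"],
    ("DMZ", "Internal"): ["inner"], ("Internal", "DMZ"): ["inner"],
    ("Internet", "Internal"): ["outer", "inner"],
    ("Internal", "Internet"): ["inner", "outer"],
}

# Rule tuples: (action, src_zone, dst_zone, dst_port); "any" and 0 are wildcards.
FILTERS = {
    "outer": [
        ("permit", "Internet", "DMZ", 80),    # published web server
        ("permit", "Internet", "DMZ", 443),
        ("permit", "Internet", "DMZ", 25),    # published mail relay
        ("permit", "DMZ", "Internet", 0),     # proxies and relays going out
        ("deny", "any", "any", 0),
    ],
    "inner": [
        ("permit", "Internal", "DMZ", 0),     # the inside only sees the DMZ
        ("permit", "DMZ", "Internal", 5432),  # application server to database
        ("deny", "any", "any", 0),
    ],
}

def first_match(rules, src, dst, port):
    """First-match evaluation of one filter's rule list."""
    for action, s, d, p in rules:
        if s in (src, "any") and d in (dst, "any") and p in (port, 0):
            return action
    return "deny"

def check(src, dst, port):
    """Walk every filter on the path; return the decision and the filter that made it."""
    fw = None
    for fw in PATH[(src, dst)]:
        if first_match(FILTERS[fw], src, dst, port) == "deny":
            return ("deny", fw)
    return ("permit", fw)

def audit(filters):
    """Flag permit rules that would connect the Internet and the internal network
    directly, which the three-layer design rules out."""
    return [(name, s, d) for name, rules in filters.items()
            for action, s, d, _ in rules
            if action == "permit" and {s, d} == {"Internet", "Internal"}]
```

An outbound web request from the LAN is modelled as two flows, Internal to DMZ (a proxy) and then DMZ to Internet, which is exactly what "the inside only sees the DMZ" implies.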


  • Slide 18/29

    Determining the placement (cont.): placed in front

    (Figure: network diagram with Internet, Firewall, Internal LAN and Public Server)

  • Slide 19/29

    Determining the placement (cont.): placed behind

    (Figure: network diagram with Internet, Firewall, Internal LAN and Public Server)

  • Slide 20/29

    Determining the placement (cont.): placed in between

    (Figure: network diagram with Internet, Firewall, Internal LAN, Public Server and a second Firewall)

  • Slide 21/29

    Setting up and deploying firewalls (outline, repeated)

    - Evaluate the selection criteria and weigh suitable firewall technologies and products
    - Identify the risks and build the policy
    - Determine the appropriate placement

  • Slide 22/29

    Weighing firewall technologies: packet filtering

    - Provides a simple level of security at a low price. This type of firewall has high performance and is transparent to users.
    - Weaknesses:
      - does not defend against attacks that rely on upper-layer protocols
      - requires the administrator to know the network-layer protocols; configuration is difficult, which leads to security holes
      - does not hide the topology of the internal network
      - limited ability to keep statistics and log information

  • Slide 23/29

    Weighing firewall technologies (cont.): application-level firewall

    - Operates at the application layer and can inspect the data flow in detail, so it is more secure but slower than a packet-filtering firewall, and it is not transparent to users.
    - Advantages:
      - understands application-layer protocols, so in theory it can filter out attack data
      - easier to configure than a packet-filtering firewall
      - hides the topology of the internal network
      - able to keep statistics and log information
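Added example, not from the slides, contrasting the two technologies on the same three constructed packets addressed to a DMZ web server (addresses, host names and rules are assumptions): the packet filter permits all three because it checks only the port, while the application-level firewall parses the request and also produces a log-worthy reason for each decision.

```python
# Added example, not from the slides: the same packets seen by a packet filter,
# which decides on addresses and ports only, and by an application-level firewall,
# which parses the HTTP request. Addresses, rules and host names are constructed.
import re

# Packet-filter rules: (action, src, dst, dst_port); "any" and 0 are wildcards.
PF_RULES = [("permit", "any", "10.0.1.10", 80), ("deny", "any", "any", 0)]

def packet_filter(pkt, rules=PF_RULES):
    """Decide on the header fields only; the payload is never examined."""
    for action, src, dst, port in rules:
        if (src in (pkt["src"], "any") and dst in (pkt["dst"], "any")
                and port in (pkt["dport"], 0)):
            return action
    return "deny"

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
PUBLISHED_HOSTS = {"www.example.com"}          # sites the DMZ web server serves
REQUEST_LINE = re.compile(rb"^([A-Z]+) (/\S*) HTTP/1\.[01]\r\n")

def app_firewall(pkt):
    """Apply the port policy, then parse and police the HTTP request itself.
    Returns (decision, reason); the reason is what would go into the log."""
    if packet_filter(pkt) == "deny":
        return ("deny", "port policy")
    m = REQUEST_LINE.match(pkt["payload"])
    if not m:
        return ("deny", "payload on port 80 is not an HTTP request")
    method, path = m.group(1).decode(), m.group(2).decode()
    if method not in ALLOWED_METHODS:
        return ("deny", f"method {method} not allowed")
    host = re.search(rb"\r\nHost: ([^\r\n]+)", pkt["payload"])
    if not host or host.group(1).decode() not in PUBLISHED_HOSTS:
        return ("deny", "missing or unknown Host header")
    return ("permit", f"{method} {path} for {host.group(1).decode()}")

def packet(payload):
    """Constructed inbound packet from the Internet to the DMZ web server."""
    return {"src": "198.51.100.7", "dst": "10.0.1.10", "dport": 80, "payload": payload}

SAMPLES = [
    packet(b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    packet(b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    packet(b"SSH-2.0-OpenSSH_8.9\r\n"),       # another protocol tunnelled on port 80
]
```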


  • Slide 25/29

    Firewall product selection criteria: security criteria

    - Assured security: meets the security standards certified by reputable bodies such as NCSA (National Computer Security Association) or CSE (Communications Security Establishment).
    - Privilege control: able to restrict user access.
    - Authentication: what kind of access does it provide? Does it support authentication? Which authentication technology does it use?
    - Accounting: able to monitor the network data flow, including unauthorized access, to generate logs and to produce statistical reports.
    - Support for high availability and load balancing.

  • Slide 26/29

    Firewall product selection criteria (cont.): deployment criteria

    - Flexibility: the procedures in the security policy are continually adjusted to fit reality, so the firewall must be flexible enough to adapt to those changes.
    - High performance: the firewall needs a high processing rate to serve the services on the network. If the firewall's processing capacity is lower than the data throughput on the network, congestion results (the firewall becomes a bottleneck).
    - Scalability: the firewall must work on many different platforms, many kinds of network and many different configurations.

  • Slide 27/29

    Firewall product selection criteria (cont.): other criteria

    - Ease of use: administration through a command-line interface, a web interface or a GUI.
    - Transparency: no impact on end users.
    - Customer support.

  • Slide 28/29

    Choosing a firewall product

    - Prefer products from vendors that specialise in firewalls: CheckPoint, Cisco, Juniper Netscreen.
    - Good technical support.
    - Able to manage a large number of firewalls centrally.
