8/12/2019 Firewall Chapter 5
1/29
Phạm Minh Thuấn, Faculty of Information Security (Khoa An toàn thông tin)
Chapter 5
Firewall setup and deployment
Firewall setup and deployment
Outline:
- Evaluate criteria and consider suitable firewall technologies and products
- Identify risks and build the policy
- Determine the appropriate placement
Building the policy
- Identify the services in operation
- Identify the risks that can affect the network
Risk analysis
The output of this analysis is a list of applications and how each of them is to be secured. It requires knowledge of the risk attached to each application and of the cost/benefit of the method chosen to secure it.
Risk analysis is based on:
- threat
- vulnerability
- countermeasure
Together these give the overall picture of the security threats the network has to face.
Risk analysis (cont.)
Rank assigned by departments / IT security, and the corresponding issue or concern:
Rank  Issue/concern
10    Remote access to system resources
10    Internet access to system resources
10    Data exchange: securing all communication pathways to and from system resources
7     Minimal or weak network data accountability mechanisms that link all network activity to a user identity
6     Minimal or weak access control (user identification and authentication) to system resources (preventing unauthorized users from accessing material they are not permitted to see)
4     Web surfing and downloads to/from resources
Application risk analysis
- Identify the network applications considered necessary
- Identify the threats related to those applications
- Do a cost/benefit analysis of the methods for securing each application
- Produce an application data-flow matrix that states the protection method for each flow
Building the policy
- Identify the services in operation
- Identify the risks that can affect the network
- Establish the firewall's security rules
- Establish the address translation rules:
  - static address translation
  - dynamic address translation
Firewall setup and deployment
Outline:
- Evaluate criteria and consider suitable firewall technologies and products
- Identify risks and build the policy
- Segment the network and determine the appropriate placement
Network segmentation
- Qualitatively define a few levels of security and importance: high, medium, low
- Identify groups of machines that share the same security level, the same exposure to attack, or the same likelihood of attack:
  - business application servers, databases
  - administration machines
  - servers providing public services
  - workstations
  - test and lab areas
Network segmentation (cont.)
Typically the network can be divided into the following zones:
- Database & Application Management Zone
- DMZ (DNS, Email, Web, FTP)
- LAN, PC Zone (possibly several zones)
- Lab, test Zone
- Remote Access, Wireless Zone
- WAN Zone
- Internet Zone
Identify the especially important hosts that need controls on the access into and out of the host itself.
Determining the placement
- A security device that is not placed in the right position will not deliver its full effect
- The firewall must sit at the point where two networks communicate with each other
- Consider which data flows need to be monitored so that the placement is sensible
- Choose a suitable firewall architecture for the placement
Choosing a suitable firewall architecture
Screening router
- Uses packet-filtering firewall technology built into the router
- Used when:
  - the network is protected by an inner layer of defence
  - few protocols are used and their content does not need to be controlled
  - high speed and redundancy are required
Choosing a suitable firewall architecture
Dual-homed host
- Built on a device with at least two network interfaces. The dual-homed host completely blocks the IP data flow between the internal network and the untrusted external network.
- Used when:
  - little and unimportant data is sent to the Internet
  - no public services are provided
  - the protected network holds no sensitive or critical information or systems
Choosing a suitable firewall architecture
Screened host: combines a screening router and a bastion host. Deployed in two models:
- Single-homed bastion
  - one packet filter and one bastion host
  - protects the network at both the network layer and the application layer
- Dual-homed bastion
  - overcomes the weakness of the single-homed bastion host architecture
  - prevents contact with the internal network by means of the physical architecture
Used when:
- the number of connections from the Internet to the inside is small
- the internal network is well protected
Choosing a suitable firewall architecture
Screened subnet (DMZ)
- Creates three security tiers
- The outside sees only the DMZ, not the internal network
- The inside sees only the DMZ and has no direct connection to the outside
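The three-tier rule of the screened subnet, and the application data-flow matrix from the application risk analysis, can be checked mechanically before a rule set is written. The following is an added example and not material from the lecture: the zone addresses, the port sets and all function names are constructed for this example, and the matrix is written so that the only path between LAN and Internet runs through DMZ services.

```python
from ipaddress import ip_address, ip_network

# Constructed zones and addresses for this example (not from the lecture).
ZONES = {
    "internet": [ip_network("0.0.0.0/0")],      # catch-all, least specific
    "dmz": [ip_network("192.0.2.0/24")],        # public servers: DNS, mail, web
    "lan": [ip_network("10.0.0.0/8")],          # internal PCs and servers
}

def zone_of(addr):
    """Return the most specific zone containing addr (longest prefix wins)."""
    a = ip_address(addr)
    best_name, best_len = None, -1
    for name, nets in ZONES.items():
        for net in nets:
            if a in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name

# Application data-flow matrix: (src zone, dst zone) -> published TCP ports.
# It encodes the screened-subnet rule: the outside reaches only the DMZ,
# the inside reaches only the DMZ, and no LAN<->Internet flow exists.
FLOW_MATRIX = {
    ("internet", "dmz"): {25, 53, 80, 443},    # published mail, DNS, web
    ("lan", "dmz"): {25, 53, 80, 443, 3128},   # internal use of DMZ + web proxy
    ("dmz", "internet"): {25, 53, 80, 443},    # DMZ relays mail/DNS/proxy out
}

def enforces_three_tier(matrix):
    """True when the matrix contains no direct LAN<->Internet flow."""
    return ("lan", "internet") not in matrix and ("internet", "lan") not in matrix

def decide(src, dst, dport, matrix=FLOW_MATRIX):
    """Default-deny decision for one flow: ('accept'|'drop', reason)."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "accept", f"{s} to {s}: does not traverse the firewall"
    ports = matrix.get((s, d))
    if ports is None:
        return "drop", f"no {s} to {d} flow in the matrix"
    if dport not in ports:
        return "drop", f"{s} to {d} port {dport} not published"
    return "accept", f"{s} to {d} port {dport} in matrix"

if __name__ == "__main__":
    for src, dst, port in [("203.0.113.5", "192.0.2.10", 443),
                           ("203.0.113.5", "10.1.2.3", 445),
                           ("10.1.2.3", "203.0.113.5", 80),
                           ("10.1.2.3", "192.0.2.10", 3128)]:
        print(src, "->", dst, port, decide(src, dst, port))
```

Running `enforces_three_tier` over a proposed matrix is the check that a policy change has not quietly opened a direct LAN-to-Internet path.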
Determining the placement (cont.)
Firewall placed in front:
[Figure: Internet, Firewall, Internal LAN, Public Server]
Determining the placement (cont.)
Firewall placed behind:
[Figure: Internet, Firewall, Internal LAN, Public Server]
Determining the placement (cont.)
Firewall placed in between:
[Figure: Internet, Firewall, Internal LAN, Public Server, Firewall (two firewalls)]
Considering firewall technologies
Packet filtering
- Provides a simple level of security at low cost. This type of firewall has high performance and is transparent to users.
- Weaknesses:
  - does not stop attacks based on upper-layer protocols
  - requires the administrator to understand network-layer protocols; it is hard to configure, and misconfiguration leads to security holes
  - does not hide the internal network topology
  - limited ability to keep statistics and log information
Considering firewall technologies (cont.)
Application-level firewall
- Operates at the application layer and can inspect the data flow in detail, so it is more secure but slower than a packet-filtering firewall, and it is not transparent to users.
- Advantages:
  - understands application-layer protocols and, in theory, can filter attack data
  - easier to configure than a packet-filtering firewall
  - hides the internal network topology
  - can keep statistics and log information
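The difference between the two technologies is easiest to see on one concrete request. This added example (not from the lecture; rule sets, sample payloads and function names are constructed here) runs the same TCP/80 payload past a layer 3/4 packet filter, which sees only protocol and port, and past an HTTP-aware filter, which parses the request line and header block before forwarding.

```python
import re

# Constructed example: the same HTTP request seen by a packet filter and
# by an application-level (HTTP-aware) filter. Names are this example's own.

PACKET_FILTER_RULES = {("tcp", 80), ("tcp", 443)}  # allowed (proto, dst port)

def packet_filter(proto, dport):
    """Layer 3/4 decision: only protocol and destination port are visible."""
    return "accept" if (proto, dport) in PACKET_FILTER_RULES else "drop"

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}     # method allow-list
MAX_HEADER_BYTES = 8192                           # policy limit on headers

def app_level_filter(payload):
    """Layer 7 decision: parse the request before forwarding it."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return "drop", "not a well-formed HTTP/1.x request line"
    method, target = m.groups()
    if method not in ALLOWED_METHODS:
        return "drop", f"method {method.decode()} not allowed"
    if not target.startswith(b"/"):
        return "drop", "request target must be an absolute path"
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep or len(head) > MAX_HEADER_BYTES:
        return "drop", "header block missing or larger than the policy limit"
    return "accept", f"{method.decode()} {target.decode()}"

# Constructed sample payloads, all arriving on tcp/80.
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BAD_METHOD = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
NOT_HTTP = b"\x16\x03\x01\x00\x2f" + b"\x00" * 16   # non-HTTP bytes on port 80

def compare(payload, proto="tcp", dport=80):
    """Return (packet-filter verdict, application-filter verdict)."""
    return packet_filter(proto, dport), app_level_filter(payload)[0]
```

For `BAD_METHOD` and `NOT_HTTP` the packet filter answers "accept" because the 5-tuple is permitted; only the application-level filter, which has to parse every request and is therefore slower, can reject them.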
Criteria for selecting a firewall product
Security criteria
- Assurance: meets security standards certified by reputable bodies such as the NCSA (National Computer Security Association) or the CSE (Communications Security Establishment)
- Access control: can restrict user access
- Authentication: which kinds of access are offered? Is authentication supported? Which authentication technology is used?
- Accounting: can monitor network data flows, including unauthorized access, produce logs and generate statistical reports
- Supports high availability and load balancing
Criteria for selecting a firewall product (cont.)
Deployment criteria
- Flexibility: the procedures in the security policy are continually adjusted to match reality, so the firewall must be flexible enough to adapt to those changes
- High performance: the firewall must process traffic fast enough for the services on the network. If its processing capacity is lower than the network's data throughput, congestion results (the firewall becomes a bottleneck)
- Scalability: the firewall supports many different platforms, network types and configurations
Criteria for selecting a firewall product (cont.)
Other criteria
- Ease of use: administration through a command-line, web or GUI interface
- Transparency: no impact on end users
- Customer support
Choosing a firewall product
Prefer products from vendors that specialize in firewalls:
- CheckPoint
- Cisco
- Juniper Netscreen
These vendors:
- offer good technical support
- can centrally manage a large number of firewalls