Firewall Chapter 5

8/12/2019 Firewall Chapter 5

1/29

Phm Minh Thun Khoa An ton thng tin


2/29

Chng 5

Thit lp v trin khai tng la

Phm Minh Thun Khoa ATTT 1


3/29


Title

nh gi tiu ch, cn nhccng nghv sn phm

tng la ph hp

Xc nh nguy cvxy dng chnh sch

Xc nh vtr thit tph hp


4/29

Xc nh cc dnh vang vn hnh

Xc nh cc nguy cc thnh hng ti hthngmng

Xy dng chnh sch



5/29

Kt quca phn tch ny sbao gm danh sch cc ngdng v lm thno nhng ng dng an ton.

Yu cu c kin thc vnguy cgn vi mi ng dngv chi ph li ch gn vi phng thc sdng m

bo an ton cho ng dng.Phn tch nguy cda trn:

Mi e da (threat) Lhng (vulnerability) Bin php i ph (countermeasure)

Bc tranh tng thvcc mi e da an ninh m hthng mng phi i mt

Phn tch nguy c



6/29

Rank assigned by Depts/IT Security Issue/concern

10 Remote Access to System Resources

10 Internet access to System Resources

10Data Exchange - securing all communications

pathways to and from system Resources

7

Minimal or weak network data accountability

mechanisms that link all network activity to a

user identity

6

Minimal or weak Access Control (User

identification and Authentication) to SystemResources (preventing non authorized users

from accessing materials that they are not

permitted to see)

4 Web Surfing and downloads to/from Resources

Phn tch nguy c(Cont )



7/29

Xc nh cc ng dng mng cho l cn thitXc nh cc nguy ce da lin quan ti nhng ngdng

Phn tch chi ph li ch cc phng php m boan ton cho ng dng

To ra bng ma trn lung dliu ng dng chra

phng thc bo v

Phn tch nguy cti ng dng



8/29

Xc nh xc dnh vang vn hnhXc nh cc nguy cc thnh hng ti hthngmng

Thit lp cc quy tc bo mt cho tng laXc lp cc quy tc dch a ch

Dch a cht!nh

Dch a ch"ng

Xy dng chnh sch



9/29


Title


tng la ph hp


Phn vng mng v xcnh vtr thit t ph

hp


10/29

Xc nh theo nh tnh ra m"t vi mc "an ninh, mc

"quan trng: Mc "cao Mc "trung bnh Mc "thp

Xc nh cc nhm my tnh c cng tnh cht mc "anninh hoc khn#ng btn cng, khn#ng xut hin tncng: My chng dng nghip v, CSDL

My qun tr My chcung cp dch vcng c"ng My trm Vng thnghim, lab

Phn vng mng



11/29

Thng thng chng ta c thchia cc vng mng sau: Database & Application

Management Zone

DMZ (DNS, Email, Web, FTP)

LAN, PC Zone (c thl nhiu vng) Lab, test Zone

Remote Access, Wireless Zone

WAN Zone

Internet ZoneXc nh cc host c bit quan trng cn c bin php

kim sot cc truy cp vo ra trn host

Phn vng mng (Cont )



12/29

Thit bbo mt khng t ng vtr skhng phthuy c ht tc dng

Tng la phi c t vtr giao tip gia haimng vi nhau

Kt hp xem xt lung dliu no cn phi gim stbtr cho hp l

La chn kin trc tng la ph hp thit t.

Xc nh vtr thit t



13/29

Screening Router

Sdng cng nghtng la lc gi tin tch hp vo trongb"nh tuyn

Sdng trong cc trng hp: Hthng mng c bo vbi m"t lp bo vbn trong

Slng giao thc sdng khng nhiu v khng cn kimsot n"i dng cc giao thc ny

Cn tc "cao, khn#ng dphng

La chn kin trc tng laph hp



14/29

Dual-Homed Host

$c xy dng da trn m"t thit bc t nht 2 giao dinmng. Dual homed chn hon ton lung dliu IP giamng bn trong v bn ngoi khng tin cy bn ngoi.

Sdng trong cc trng hp: Dliu gi ra Internet t v khng quan trng

Khng cung cp dch vcng c"ng

Hthng mng c bo vkhng cha cc thng tin, hthng nhy cm v quan trng




15/29

Screened Host Phi hp Screening Router v Bation Host Trin khai theo hai m hnh:

Single-homed bastion

Gm m"t b"lc gi tin v m"t bastion host Thc hin bo vmng tng mng v tng ng dng

Dual-homed bastion

Khc phc nhc im ca kin trc single homed bation host Ng#n cn tip xc vi mng bn trong b%ng kin trc vt l

Sdng trong cc trng hp: Slng kt ni n t&mng Internet vo bn trong khng nhiu Mng bn trong c bo v tt




16/29

Screened Subnet (DMZ)

To thnh 3 lp an ninh.

Bn ngoi chnhn thy DMZ, khng nhn thy mng bntrong.

Bn trong chnhn thy DMZ, khng kt ni trc tip rabn ngoi.

L

a ch

n ki

n trc t

ng l

aph hp



17/29


18/29

t trc:

Xc nh vtr thit t (Cont )


Internet

Firewall

Internal

LAN

Public

Server


19/29

t sau:



Internet

Firewall

Internal

LAN

PublicServer


20/29

t gia:



Internet

Firewall

Internal

LAN

Public

Server

Firewall


21/29


Title


tng la ph hp


Xc nh vtr thit tph hp


22/29

Lc gi tin Cung cp gii php an ninh mc n gin vi gi thnh

khng cao. Kiu tng la ny c hiu n#ng cao v trongsut vi ngi dng

im yu:

Khng chng kiu tn cng da trn giao thc tng trn $i h'i ngi qun trphi c kin thc vcc giao thc

mc mng, cu hnh kh => lhng an ninh

Khng che du topology mng bn trong Hn chvkhn#ng thng k, ghi li thng tin

Cn nhc cc cng nghtngla



23/29

Tng la mc ng dng Hot "ng tng ng dng, c thkim tra chi tit lung

dliu => an ton hn nhng chm hn so vi tng lalc gi tin v khng trong sut vi ngi dng

u im: Hiu c giao thc tng ng dng, vl thuyt c khn#ng

lc cc dliu tn cng. D(dng cu hnh hn so vi tng la lc gi tin Che du topology mng bn trong C khn#ng thng k, ghi li thng tin

Cn nhc cc cng nghtngla (Cont )



24/29


25/29

Tiu ch an ninh

$m bo an ton $p ng cc tiu chu*n an ninh c cc cquan, tchc uy tn

chng nhn nhNCSA (National Computer Security Association)hay CSE (Communications Securtiy Establishment)

Kim sot c quyn C khn#ng hn chtruy cp ngi sdng

Xc thc Cung cp kiu truy cp no? Htrxc thc khng ? Sdng cng

nghxc thc g ?

Khn#ng thng k C khn#ng gim st lung dliu mng, bao gm ctruy cp triphp, to ra cc logs v a ra cc bo co thng k

Htrkhn#ng s+n sng cao, phn ti

Tiu ch la chn sn phmtng la



26/29

Tiu ch trin khai Linh hot

Thtc trong chnh sch an ninh lun c siu chnh ph hp vithc t, do vy tng la phi linh hot thch ng vi nhng thayi .

Hiu n#ng cao Tng la c tc "xl cao p ng cc dch vtrong mng Nu khn#ng xl ca tng la thp hn thng lng dliu

trn mng d)n ti tnh trng nghn mch (tng la trthnh nttht cchai)

Khn#ng mr"ng Tng la p ng nhiu nn mi trng khc nhau, nhiu kiu

mng khc nhau v nhiu cu hnh khc nhau

Tiu ch la chn sn phmtng la (Cont )



27/29

Tiu ch khc

D(dng sdngQun trqua giao din dng lnh, web hay GUI

Trong sutKhng nh hng ti ngi dng cui

Htrkhch hng

Tiu ch la chn sn phmtng la (Cont )



28/29

Nn dng cc sn ph*m ca cc hng chuyn vFirewall:

CheckPoint

Cisco

Juniper Netscreen

C khn#ng htrk,thut tt

C khn#ng qun trtp trung slng ln firewall

La chn sn phm tng la



29/29

Firewall Chapter 5

Documents