Understanding Firewalls in Cisco Technology and Demonstrating Some Practical Applications

MINISTRY OF EDUCATION AND TRAINING
HUNG YEN UNIVERSITY OF TECHNOLOGY AND EDUCATION
_______________________________

PROJECT 5
MAJOR: INFORMATION TECHNOLOGY
SPECIALIZATION: NETWORKS AND COMMUNICATIONS

TOPIC: UNDERSTANDING FIREWALLS IN CISCO TECHNOLOGY AND DEMONSTRATING SOME PRACTICAL APPLICATIONS

Student group: Phm Th Vin, V Tin Dng
Supervisor: Vi Hoi Nam
Hưng Yên, November 2011
COMMENTS OF THE SUPERVISOR

Supervisor
COMMENTS OF THE REVIEWER

Reviewer
ACKNOWLEDGEMENTS

After nearly three months of effort in study and implementation, the project "Understanding Firewalls in Cisco Technology and Demonstrating Some Practical Applications" has been completed. Besides our own best efforts, we received much encouragement and support from our families, teachers and friends. This is an interesting and highly practical topic. Our group researched and did its utmost to design the most complete network system for the project that our abilities allowed. Although we tried our best, this topic certainly does not escape shortcomings, and we very much hope for the understanding and patient guidance of our teachers and friends. We express our most sincere gratitude to Mr. Vi Hoi Nam, who devotedly advised and guided us throughout the time our group worked on this topic. We also sincerely thank the teachers of the Faculty of Information Technology, Hưng Yên University of Technology and Education, for their dedicated teaching, guidance, help and support in enabling us to carry out this topic well. Thanks to all our friends who have helped and encouraged us during our studies and in completing the project. Although we have done our best to complete this project, mistakes are certainly unavoidable; we very much hope for the understanding, contributions and patient guidance of our teachers and friends!

Hưng Yên, 25 November 2011
Students: Phm Th Vin, V Tin Dng
FOREWORD

In today's reality, information security plays an essential role, no longer a secondary one, in every activity involving the application of information technology. I mean the enormous role of IT applications, which have been and are developing vigorously: no longer merely tools (hardware, software), they are now truly regarded as the solution to many problems. Starting from the early 1990s, with only a handful of IT specialists, understanding was still limited, and the application of IT in production, transactions and management was still quite modest and stopped at the level of a tool; at times I even observed that these expensive tools caused some obstruction and did not bring practical benefits to the organisations using them. The Internet lets us reach everywhere in the world through a number of services. Sitting in front of your computer you can learn about information across the globe, but for exactly that reason your computer system can be broken into at any moment without your knowing in advance. Protecting the system is therefore an issue we ought to pay attention to. The concept of the firewall was introduced to solve this problem. There are many kinds and types of firewall, but Cisco has produced a very effective security technology built on the firewall. To make these issues clear, the project "Understanding Firewalls in Cisco Technology and Demonstrating Some Practical Applications" will give us a deeper view of the concept, as well as the functions and the specific security mechanisms, of Cisco firewalls. Once again our group sincerely thanks Mr. Vi Hoi Nam and the teachers of the Faculty of IT for guiding us in completing our project!

I. Objectives

This project will help us understand the concepts and functions of firewalls. It helps us understand in more depth what Cisco's firewall security policies look like in concrete terms, and how they are configured.

II. Research method

Read carefully and grasp the requirements set out for the project. The most essential method in this project is the skill of reading, translating and understanding English-language documentation. Go deep in searching for material and present it in the most reasonable way. Listen attentively to and absorb the feedback of the supervising teacher.

III. Structure

* The content of this project is divided into 3 chapters as follows:
Chapter 1: An overview of firewalls.
Chapter 2: Security issues.
Chapter 3: A closer look at Cisco firewalls.
Chapter 4: An overview of VPNs.
Chapter 5: Demonstration of some application models in practice.
TABLE OF CONTENTS

ACKNOWLEDGEMENTS ..... 4
FOREWORD ..... 5
TABLE OF CONTENTS ..... 7
LIST OF FIGURES AND TABLES ..... 10
LIST OF ABBREVIATIONS ..... 12
1.1. THE CONCEPT OF A FIREWALL ..... 13
1.1.1. Why use a firewall for a computer network connected to the Internet? ..... 13
1.1.2. The origin of the firewall ..... 14
1.1.3. Purpose of a firewall ..... 15
1.1.4. Firewall options ..... 19
1.1.4.1. Hardware firewalls ..... 19
1.1.4.2. Software firewalls ..... 20
1.2. FUNCTIONS OF A FIREWALL ..... 21
1.2.1. What does a firewall protect? ..... 21
1.2.2. What does a firewall protect against? ..... 21
1.2.2.1. Against hacking ..... 21
1.2.2.2. Against code modification ..... 21
1.2.2.3. Denial of service ..... 22
1.2.2.4. Direct attacks ..... 22
1.2.2.5. Eavesdropping ..... 22
1.2.2.6. Disabling system functions (Deny service) ..... 22
1.2.2.7. System administrator errors ..... 23
1.2.2.8. The human factor ..... 23
1.3. FIREWALL MODELS AND ARCHITECTURES ..... 23
1.3.1. Dual-homed host architecture (intermediary host) ..... 24
1.3.2. Screened host architecture ..... 25
1.3.3. Screened subnet architecture ..... 27
1.4. FIREWALL CLASSIFICATION ..... 28
1.4.1. Packet filtering firewall ..... 28
1.4.2. Application-proxy firewall ..... 30
1.5. SOME ISSUES WHEN CHOOSING A FIREWALL ..... 31
1.5.1. The need for a firewall ..... 31
1.5.2. What does a firewall control and protect? ..... 31
1.6. LIMITATIONS OF FIREWALLS ..... 32
2.1. Principles of protecting a network system ..... 35
2.1.1. Planning the network protection system ..... 35
2.1.2. Security model ..... 36
2.1.3. Raising the level of security ..... 36
2.2. Security architecture of the network system ..... 37
2.2.1. Levels of information security on the network ..... 37
2.2.2. Impact of network vulnerabilities ..... 38
CHAPTER 3. CISCO FIREWALLS ..... 39
3.3 Overview of NAT ..... 53
3.3.1 Private addresses ..... 53
3.3.2 The need for NAT ..... 54
3.3.3 Benefits of NAT ..... 55
3.3.4 NAT terminology and definitions ..... 55
3.3.5 Some typical NAT examples ..... 56
3.4.2 Configuring static NAT ..... 69
3.4.2 Configuring static PAT ..... 71
3.5 Access Control ..... 72
3.6 Web content ..... 80
3.7 Creating security policies on the ASA ..... 88
3.8 Advanced features of the ASA ..... 93
CHAPTER 4. VPNs ..... 110
4.1 What is IPSec? ..... 110
4.2 How IPSec works ..... 111
4.3 Connection types ..... 111
4.4 Configuration guide ..... 113
4.4.4 Configuring AnyConnect WebVPN ..... 125
CONCLUSION ..... 135
REFERENCES ..... 137
LIST OF FIGURES AND TABLES

No.              Description                                                                  Page
Figure 1.1       Firewall placed between the private network and the public network             8
Figure 1.2       Network comprising a firewall and servers                                      9
Figure 1.3       Using multiple firewalls to increase security                                 10
Figure 1.4       Architecture of a system using a firewall                                     14
Figure 1.5       General structure of a firewall system                                        15
Figure 1.6       Dual-homed host architecture                                                  16
Figure 1.7       Screened host architecture                                                    18
Figure 1.8       Screened subnet architecture                                                  19
Figure 1.9       Packet filtering firewall                                                     20
Figure 1.10      Circuit level gateway                                                         21
Figure 1.11      Application-proxy firewall                                                    22
Figure 2.1       Levels of information security on the network                                27
Figure 2.2       Configuration denying a host with a standard access-list                     30
Figure 2.3       Configuration denying telnet from a subnet                                   31
Figure 3.15      Example of a NAT policy                                                       67
Figure 3.16      Example of a policy determining NAT                                          68
Figure 3.17      Example static NAT configuration                                             70
Figure 3.18      Static PAT example                                                           71
Figure 3.19      NAT example with 2 interfaces                                                75
Figure 3.20      NAT example with a 3-interface model                                         77
Figure 3.21      Changing the proxy                                                           84
Figure 3.22      Example WCCP configuration                                                   87
Figure 3.23      Active/Standby Stateful Failover model                                       94
Figure 3.24      ASA authentication model                                                     97
Figure 3.25      Authentication with Cut-through Proxy for Telnet, FTP, HTTP(S) connections   99
Figure 3.26 (a)  Static routing                                                              101
Figure 3.27 (b)  Static routing                                                              103
Figure 3.28      Model using RIP in a network with several routers                           105
Figure 4.1       Site-to-site model                                                          110
Figure 4.2       Access VPN model                                                            111
Figure 4.3       Step 8: configuring the client software                                     120
Figure 4.4       Installing the VPN client                                                   135
Figure 4.5       Saving the VPN client installation configuration                            121
Figure 4.6       Initiating the Remote Access VPN connection                                 121
Figure 4.7       Authentication login                                                        122
Figure 4.8       Active/Standby model                                                        123
Figure 4.9       Operation of AnyConnect VPN                                                 125
Figure 4.10      Configuring AnyConnect                                                      126
Figure 4.11      Accessing the ASA                                                           132
Figure 4.12 (a)  Establishing the SSL VPN connection                                         133
Figure 4.12 (b)  Establishing the SSL VPN connection                                         133
Table 3.1        Match command parameters                                                     92
Table 3.2        Default class map: match commands for default traffic inspection             93
Table 4.1        Transforms                                                                  115
Table 4.2        Encrypted data information                                                  117
LIST OF ABBREVIATIONS

No.  Phrase                                     Abbreviation
1    Network Interface Controller               NIC
2    Internet Protocol                          IP
3    Local Area Network                         LAN
4    Demilitarized Zone                         DMZ
5    File Transfer Protocol                     FTP
7    Open Systems Interconnection               OSI
9    Transmission Control Protocol              TCP
10   Asymmetric Digital Subscriber Line         ADSL
11   Domain Name System                         DNS
12   Internet Security and Acceleration         ISA
13   Virtual Private Network                    VPN
14   Network Address Translation                NAT
15   Wide Area Network                          WAN
16   Operating System                           OS
17   Post Office Protocol                       POP
18   Access Control List                        ACL
19   Adaptive Security Appliance                ASA
20   Internet Control Message Protocol          ICMP
21   User Datagram Protocol                     UDP
22   Port Address Translation                   PAT
23   Authentication Authorization Accounting    AAA
24   Virtual Private Networks                   VPNs
25   IP security                                IPsec
CHAPTER 1. OVERVIEW OF FIREWALLS

1.1. THE CONCEPT OF A FIREWALL

1.1.1. Why use a firewall for a computer network connected to the Internet?

The advent of the Internet has brought great benefits to people. It is one of the leading factors behind the rapid development of the whole world, and it can be said that the Internet brings people closer together. It is precisely because of this broad connectivity that the security risks to computer networks are so great: the risk of networks being attacked, attacks that steal data, attacks intended to sabotage and paralyse an entire large computer system, attacks that alter databases, and so on. In the face of these risks, securing computer networks has become more pressing and more important than ever. The threats grow more numerous, more sophisticated and more dangerous every day. Many security solutions for computer networks have been proposed, such as using software and programs to protect resources, or creating network access accounts that require passwords, but these solutions protect only part of the network: once intruders penetrate deeper inside the network, there are many ways for them to damage it. This creates the need for tools that block unauthorised intrusion right at the edge of the network, and that need is what led to the birth of the firewall. A firewall can filter dangerous Internet traffic such as hackers, worms and certain viruses before they can cause trouble on the system. A firewall can also keep a computer from unknowingly taking part in attacks on other computers. Using a firewall is extremely important for computers that are permanently connected to the Internet, as is the case with a broadband or DSL/ADSL connection.
On the Internet, hackers use malicious code such as viruses, worms and Trojans to look for the unlocked doors of an unprotected computer. A firewall can help protect a computer from these activities and from other security attacks. So what can a hacker do? It depends on the nature of the attack. While some are merely a nuisance, simple pranks, others are created with dangerous intent. The more serious kinds try to delete information from the computer, destroy it, or even steal personal information such as passwords or credit card numbers. Some hackers simply like breaking into vulnerable computers. Viruses, worms and Trojans are frightening. Fortunately, the risk of infection can be reduced by using a firewall.

1.1.2. The origin of the firewall

The term firewall comes from a design technique in construction for containing and limiting fire. In networking, a firewall is a technique integrated into the network system to prevent unauthorised access, in order to protect internal information resources and limit unwanted intrusion into the system. A firewall can also be understood as a mechanism that protects a trusted network from untrusted networks. A firewall is normally placed between the internal network (intranet) of a company, organisation, sector or nation and the Internet. Its main role is to secure information, blocking unwanted access from the outside (the Internet) and forbidding access from the inside (the intranet) to certain addresses on the Internet. An Internet firewall is a set of devices (hardware and software) between the network of an organisation, company or nation (the intranet) and the Internet: (INTRANET - FIREWALL - INTERNET). In some cases a firewall may be set up inside a single internal network to isolate security domains, for example a local network that uses a firewall to separate the computer room from the network on the floor below.
An Internet firewall can help keep outsiders on the Internet from breaking into a computer. A firewall works by examining the information that enters from and leaves for the Internet. It recognises and discards information coming from a dangerous or suspicious-looking source. If you set up your firewall properly, hackers scanning for vulnerable computers cannot discover your computer. A firewall is a hardware- or software-based solution used to inspect data. The advice is to use a firewall for any computer or network connected to the Internet. For a broadband Internet connection a firewall is all the more important, because this kind of connection is always on, so hackers have more time to look for a way into the computer. A broadband connection is also more convenient for hackers when it is used as a means of going on to attack other computers.

1.1.3. Purpose of a firewall

With a firewall, users can rest assured that they are exercising supervision over the data communicated between their computer and other computers or systems. The firewall can be seen as a guard whose job is to check the "passport" of every data packet entering or leaving the user's computer, letting only legitimate packets through and discarding all illegitimate ones. Firewall solutions are genuinely necessary because of the very way data moves across the Internet. Suppose you send a letter to a relative: for that letter to travel across the Internet, it must first be split into small packets. These packets find the best paths to the recipient's address and are then reassembled (in the order they were numbered beforehand) and restored to their original form. Splitting data into packets simplifies its transfer over the Internet, but it can lead to certain problems. If someone with bad intentions sends a number of packets but sets a trap in them, so that your computer does not know how to process them or reassembles them in the wrong order, they may gain remote control of your computer and cause serious problems. Whoever gains that unauthorised control can then use your Internet connection to launch other attacks without revealing their own identity. The firewall ensures that all incoming data is legitimate, preventing outside users from seizing control of your computer. The firewall's control over outgoing data is just as important, because it prevents intruders from "planting" harmful viruses on your computer in order to launch backdoor attacks on other computers on the Internet.

Figure 1.1. A firewall placed between the private network and the public network

A firewall has at least two network interfaces: public and private. The public interface connects to the Internet, the side anyone can reach; the private interface is the side holding the protected data. A firewall may have several private interfaces, depending on how many network segments need to be kept apart. Each interface has its own set of protection rules that defines what kind of traffic may pass between the public and private networks.
A firewall can also do far more, with its own advantages and difficulties. Network administrators commonly use the firewall as a VPN endpoint, an authentication server or a DNS server. However, as with any other network device, the more services run on one host, the greater the risk, so a firewall should not run many services. The firewall is the second layer of protection in the network system; the first is the router, which at the routing level permits or refuses particular IP addresses and detects abnormal packets. The firewall decides which ports are permitted or refused. The firewall is sometimes also useful for small network segments or individual IP addresses, because routers are often overloaded, and using the router to filter out a single IP address or a small address range can create unnecessary load. Firewalls are useful for protecting networks from unwanted traffic. If a network has no public servers, the firewall is a very good tool for refusing incoming traffic that was not initiated by a machine behind the firewall. A firewall can also be configured to refuse all traffic except port 53, reserved for the DNS server.
Figure 1.2. A network comprising a firewall and servers

The strength of a firewall lies in its ability to filter traffic according to a set of protection rules, the rules entered by the administrators. This can also be the firewall's greatest weakness: a bad or incomplete rule set can open the way for an attacker, and the network may not be secure. Many network administrators do not think of the firewall as a complex network device. Much attention is paid to holding back unwanted traffic towards the private network, and little to holding back unwanted traffic towards the public network. Both kinds of protection rule set deserve attention: then, if an attacker does manage to break into a server, they cannot use that server to attack remote network devices.
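The paragraphs above describe the firewall as a rule set bound to each interface, with inbound traffic refused unless a rule such as "UDP port 53 to the DNS server" allows it, and they warn that a bad or incomplete rule set is the firewall's greatest weakness. The Python model below is an added illustration, not code from the thesis or from any Cisco product. It evaluates packets against a first-match rule list with an implicit deny at the end (the order-dependent semantics that access lists on Cisco devices also follow), and it audits a rule list for rules that can never fire because an earlier, broader rule shadows them. The private network 10.0.0.0/24, the DNS server 10.0.0.53, the outside hosts in 198.51.100.0/24 and 203.0.113.0/24, and both rule sets are constructed for the example.

```python
# Added example: first-match packet filter with implicit deny, plus a rule-set audit.
# Not from the thesis or any Cisco product; addresses and rule sets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str        # "in": arrives on the public interface; "out": leaves from the private side
    proto: str            # "tcp", "udp" or "icmp"
    src: str              # source address
    dst: str              # destination address
    dport: Optional[int]  # destination port; None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    direction: str        # interface side the rule is bound to
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # CIDR prefix or "any"
    dst: str              # CIDR prefix or "any"
    dport: Optional[int]  # exact destination port; None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return _in_prefix(pkt.src, self.src) and _in_prefix(pkt.dst, self.dst)


def _in_prefix(addr: str, prefix: str) -> bool:
    return prefix == "any" or ip_address(addr) in ip_network(prefix, strict=False)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that fired); no match is the implicit deny."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


def _prefix_covers(outer: str, inner: str) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def _covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    if outer.direction != inner.direction:
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if outer.dport is not None and outer.dport != inner.dport:
        return False
    return _prefix_covers(outer.src, inner.src) and _prefix_covers(outer.dst, inner.dst)


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(rules)) if any(_covers(rules[i], rules[j]) for i in range(j))]


PRIVATE_NET = "10.0.0.0/24"   # constructed: the protected side
DNS_SERVER = "10.0.0.53/32"   # constructed: the one host reachable from outside

# Rule set as the text describes it: refuse everything inbound except UDP/53 to the
# DNS server; let hosts on the private side initiate traffic outwards.
RULES_GOOD = [
    Rule("permit", "in", "udp", "any", DNS_SERVER, 53),
    Rule("permit", "out", "any", PRIVATE_NET, "any", None),
]

# An incomplete rule set: a broad inbound permit sits ahead of the Telnet deny,
# so the deny is unreachable and Telnet from outside is let through.
RULES_BAD = [
    Rule("permit", "in", "tcp", "any", PRIVATE_NET, None),
    Rule("deny", "in", "tcp", "any", PRIVATE_NET, 23),
    Rule("permit", "in", "udp", "any", DNS_SERVER, 53),
    Rule("permit", "out", "any", PRIVATE_NET, "any", None),
]

# Constructed sample traffic; outside hosts use documentation address ranges.
SAMPLE_PACKETS = {
    "dns_query_to_server": Packet("in", "udp", "198.51.100.7", "10.0.0.53", 53),
    "dns_to_wrong_host": Packet("in", "udp", "198.51.100.7", "10.0.0.10", 53),
    "telnet_from_outside": Packet("in", "tcp", "198.51.100.7", "10.0.0.10", 23),
    "https_from_inside": Packet("out", "tcp", "10.0.0.10", "203.0.113.20", 443),
    "ping_from_outside": Packet("in", "icmp", "198.51.100.7", "10.0.0.10", None),
}


def decisions(rules: List[Rule]) -> dict:
    """Decision for every sample packet under the given rule set."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("good", RULES_GOOD), ("bad", RULES_BAD)):
        print(label, decisions(rules), "shadowed rule indices:", shadowed_rules(rules))
```

Under the good rule set the Telnet and ping probes fall through to the implicit deny and only the DNS query to 10.0.0.53 is permitted inbound; under the bad set Telnet from outside is permitted by rule 0 and the audit reports rule 1 as shadowed. The same audit idea applies to a real access list: a narrower deny placed after a broader permit is dead configuration, and that is the usual shape of the "incomplete rule set" the text warns about.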
To protect and control the traffic within network segments, administrators often run two firewalls: the first protects the whole network, and the other protects the individual segments. Multiple layers of firewall also give network security administrators better control over information flows, especially where facilities inside and outside the company must handle sensitive information. Exchanges of information that may be allowed in one part of the network can be restricted in more sensitive areas.

Figure 1.3. Using multiple firewalls to increase security

1.1.4. Firewall options

Several companies manufacture firewall products, and there are two kinds to choose from: hardware firewalls and software firewalls.

1.1.4.1. Hardware firewalls

Overall, hardware firewalls provide a higher level of protection than software firewalls and are easier to maintain. Hardware firewalls have the further advantage of not consuming system resources on the computer, as software firewalls do. A hardware firewall is a very good choice for small businesses, especially companies that share an Internet connection. The firewall and a router can be combined on the same hardware and used to protect the whole network. A hardware firewall can be a less costly option than software firewalls, which usually have to be installed on every personal computer in the network.
Among the companies supplying hardware firewalls are Linksys (http://www.linksys.com) and NetGear (http://www.netgear.com). The hardware firewall features these companies provide are usually built into the routers used in small-business and home networks.

1.1.4.2. Software firewalls

If you do not want to spend money on a hardware firewall, you can use a software firewall. In terms of price, software firewalls are usually cheaper than hardware firewalls, and some are even free (Comodo Firewall Pro 3.0, PC Tools Firewall Plus 3.0, ZoneAlarm Firewall 7.1, ...) and can be downloaded from the Internet. Compared with hardware firewalls, software firewalls allow more flexibility, especially when the settings need to be adjusted to suit each company's particular needs. They can work well on many different systems, unlike hardware firewalls built into routers, which only work well in small-scale networks. A software firewall is also a suitable choice for laptops, since the computer remains protected wherever it is taken. Software firewalls work well with Windows 98, Windows ME and Windows 2000. They are a good choice for stand-alone computers. Various software companies make these firewalls. They are not needed on Windows XP, because XP already has a built-in firewall.

* Advantages: No additional hardware required. No additional computer cabling required. A good choice for stand-alone computers.

* Disadvantages: Extra cost: most software firewalls cost money. Installation and self-configuration may be needed to get started. A separate copy is needed for each computer.
1.2. FUNCTIONS OF THE FIREWALL
The firewall decides which services inside the network may be accessed from outside, which people from outside may access the internal services, and also which outside services may be accessed by the people inside.

1.2.1. What does a firewall protect?
Protecting data: the firewall monitors the flow of network data between the Internet and the intranet. Information has to be protected because of the following requirements:
Confidentiality: one function of a firewall is that it can hide information about the trusted, internal network from the untrusted network and other outside networks. The firewall also provides a central point of enforcement for management, which is very useful when an organization's human and financial resources are limited.
Integrity.
Timeliness.
System resources.
The reputation of the company that owns the information being protected.

1.2.2. What does a firewall protect against?
The firewall protects against attacks from outside.

1.2.2.1. Against hacking
Hackers are people who understand and use computers very proficiently and who are very good programmers. Having analyzed and discovered some vulnerability in a system, they find suitable ways to access and attack that system. Various skills can be used to attack a computer system: for example, accessing a system without permission, creating false information, or stealing information. Many companies worry about confidential data being stolen by hackers, and among the methods for protecting data, a firewall is one that can do this.

1.2.2.2. Against code modification
This happens when an attacker modifies, deletes, or replaces the authentic code of a program using viruses, worms, and deliberately malicious programs. Downloading files from the Internet can mean downloading malicious code; with little knowledge of computer security, users may run downloaded files that then act with the privileges and for the purposes of the people behind certain websites.

1.2.2.3. Denial of attached services
Denial of service is a kind of attack that interrupts operation. The threat to the continuity of the network results from many attack methods, such as flooding with information or unauthorized modification of routes. By information flooding we mean that an intruder generates inauthentic information to increase the traffic on the network and degrade the service delivered to real users. Alternatively, an attacker may covertly subvert a computer system and plant malicious software that attacks the system at a predetermined time.

1.2.2.4. Direct attacks
The first way is direct password guessing. Using password-guessing programs together with some information about the user, such as date of birth, age and address, combined with a word list built from the user's data, the attacker can guess the password. In some cases the success rate can reach 30%. An example is the password-guessing program for the Unix operating system called Crack. The second way is to exploit bugs in application programs and in the operating system itself; this has been used since the earliest attacks and is still used to seize access (obtaining the system administrator's privileges).

1.2.2.5. Eavesdropping
Usernames, passwords and other information transmitted over the network can be learned by using programs that put the network interface card (NIC) into a mode in which it receives all the traffic passing over the network.

1.2.2.6. Disabling system functions (denial of service)
This type of attack aims to paralyze the entire system so that it cannot perform the functions it was designed for. It cannot be prevented outright, because the means used to organize the attack are the very same means used for working and accessing information on the network.
1.2.2.7. System administrator errors
Today hackers are becoming ever more skilled, while network systems remain slow in dealing with their vulnerabilities. This requires the network administrator to have good knowledge of network security in order to keep the system's information safe. An individual user cannot know every trick needed to build a firewall for themselves, but should still understand how important information security is for each person, and through that learn some ways of avoiding the simpler attacks by hackers. The issue is awareness: with an awareness of prevention, the chance of staying safe is higher.

1.2.2.8. The human factor
Because of carelessness and not understanding the importance of securing the system, people easily expose important information to hackers.
* A firewall is also used to counter IP address spoofing.

1.3. FIREWALL MODELS AND ARCHITECTURE
The architecture of a system using a firewall is as follows:
Figure 1.4. Architecture of a system using a firewall (diagram: the Internet, an Internet router, the firewall, a router, servers and computers)
Firewall systems all share the following specific structure. In it:
Screening Router: the first checkpoint for the LAN.
DMZ: the zone at risk of attack from the Internet.
Gateway Host: the gateway between the LAN and the DMZ; it controls all communication and enforces the security mechanisms.
IF1 (Interface 1): the card facing the DMZ.
IF2 (Interface 2): the card facing the LAN.
FTP Gateway: controls FTP access between the LAN and the FTP zone; FTP from the LAN out to the Internet is unrestricted, while FTP access into the LAN requires authentication through the Authentication server.
Telnet gateway: controls telnet access in the same way as FTP; users may telnet out freely, while telnet from outside must be authenticated through the Authentication server.
Authentication server: where access rights are verified, using strong authentication techniques such as one-time passwords/tokens.

Figure 1.5. General structure of a firewall system

All firewalls share one property: they can discriminate, or deny access, based on source addresses. Thanks to the firewall model, the service servers in the LAN are protected, and all information exchanged with the Internet is controlled through the gateway.

1.3.1. Dual-Homed host architecture (intermediate host)
A firewall with the dual-homed host architecture is built on a dual-homed host computer. A computer is called a dual-homed host if it has at least two network interfaces, meaning that it has two network cards connecting to two different networks, so this computer acts as a software router. The dual-homed host architecture is very simple: the dual-homed host sits in the middle, one side connected to the Internet and the other to the internal network (LAN). The dual-homed host can only provide services by proxying them or by allowing users to log in directly to the dual-homed host. All communication between a host on the internal network and an outside host is forbidden; the dual-homed host is the only point of contact.
Figure 1.6. Dual-Homed host architecture (diagram: Internet and remote user, the firewall / dual-homed host, and the internal network with its users)
1.3.2. Screened Host architecture
The screened host is structured the opposite way from the dual-homed host: this architecture provides services from a host inside the internal network, using a separate router towards the outside network. In this architecture the main security mechanism is packet filtering. The bastion host sits inside the internal network, and packet filtering is installed on the router. This way, the bastion host is the only system on the internal network that hosts on the Internet can connect to. Even so, only the appropriate kinds of connection (those set up on the bastion host) are allowed. Any outside system trying to reach internal systems or services must connect to this host. Therefore the bastion host must be kept at a high level of security. Packet filtering also allows the bastion host to open connections to the outside. The packet filtering configuration on the screening router is as follows:
Allow all internal hosts to open connections to outside hosts for a fixed set of services.
Disallow all connections from the internal hosts (forcing those hosts to use the proxy service through the bastion host).
You can combine several entry paths for different services: some services are allowed in directly through packet filtering, while others are only allowed in indirectly through the proxy.
Because this architecture allows packets to travel from outside into the internal network, it seems more dangerous than the dual-homed host architecture, which is designed so that no packet can reach the internal network. In practice, however, the dual-homed host architecture sometimes has flaws that allow a packet to actually pass from outside to inside (since these flaws are not known in advance, it is almost never protected against such attacks). Moreover, in the dual-homed host architecture it is easier to protect the router (a machine that provides very few services) than to protect the hosts inside the network. Overall, the screened host architecture provides higher reliability and is safer than the dual-homed host architecture. Compared with some other architectures, such as the screened subnet, the screened host has some disadvantages. The main one is that if an attacker manages to break into the bastion host, there is no way to separate the bastion host from the remaining hosts on the internal network. The router also has a weakness: if the router is compromised, the whole network is open to attack. For this reason the screened subnet has become the most popular architecture.
Figure 1.7. Screened host architecture (diagram: Internet and remote user, the firewall / screening router, the bastion host and the internal network with its users)

1.3.3. Screened Subnet architecture
To strengthen protection of the internal network, implement a defense-in-depth strategy, increase the safety of the bastion host, separate the bastion host from the other hosts, and limit the spread of damage if the bastion host is compromised, the firewall architecture called the screened subnet was introduced. The screened subnet architecture derives from the screened host architecture by adding a safety element: a perimeter network that isolates the internal network from the outside network and separates the bastion host from the other ordinary hosts. A simple screened subnet consists of two screening routers:
Exterior router (also called the access router): sits between the perimeter network and the outside network and protects the perimeter network (bastion host, interior router). It allows whatever is outbound from the perimeter network. A few special packet-filtering rules are installed, to the extent needed to protect the bastion host and the interior router, since the bastion host is also a host installed at a high level of security. Apart from those rules, the other rules should be the same on both routers.
Interior router (also called the choke router): sits between the perimeter network and the internal network, protecting the internal network from both the outside and the perimeter network. It does not implement all of the packet-filtering rules of the whole firewall. The services the interior router allows between the bastion host and the internal network, and between the outside and the internal network, need not be the same. Limiting the services between the bastion host and the internal network reduces the number of machines (and of services on those machines) that can be attacked once the bastion host is compromised and cooperating with the outside. For instance, the services allowed between the bastion host and the internal network should be limited: for SMTP, when email arrives from outside, perhaps only SMTP connections between the bastion host and the internal email server should be permitted.
(Figure 1.8 diagram: Internet, bastion host, exterior router, perimeter network, interior router, and the internal network with its users)
Figure 1.8. Screened Subnet architecture

1.4. FIREWALL CLASSIFICATION
There are many kinds of firewall today; to simplify research and development, firewalls are divided into two main types:
Packet Filtering Firewall: a firewall system between the components inside the network and the controlled outside network.
Application-proxy Firewall: a system that allows direct connections between client machines and hosts.

1.4.1. Packet Filtering Firewall
This is the common kind of firewall that operates at the network layer of the OSI model. A network-layer firewall usually works on the same principle as a router, and is also called a router: it creates rules on network access rights at the network layer. This model works by filtering packets. In this mode of operation every packet has its source address checked, the address it originated from. Once the source IP address has been determined, it is then checked against the rules set on the router. Working this way, firewalls operating at the network layer process quickly, because they check only the source IP address without needing to know whether that address is false or forbidden. That is precisely the limitation of this kind of firewall: it does not guarantee reliability. The weakness of this kind of firewall is that it uses only the source IP address as its indicator. When a packet carries a spoofed source address, it can pass some access levels and get into the network. Packet filtering firewalls are divided into two types:
Packet filtering firewall: operates at the network layer of the OSI model. The packet-filtering rules are based on the fields in the IP header and the transport header, the source IP address and the destination IP address.

Figure 1.9. Packet filtering firewall (diagram: Internet, packet filtering router, security perimeter, private network)

Circuit level gateway: operates at the session layer of the OSI model. This model does not allow end-to-end connections.
Figure 1.10. Circuit level gateway (diagram: outside host and outside connection, the circuit level gateway relaying in/out, inside connection and inside host)
1.4.2. Application-proxy firewall
When a user opens a connection to a network using this kind of firewall, the connection is intercepted and the firewall checks the relevant fields of the packet requesting the connection. If the check succeeds, meaning that the fields satisfy the rules set on the firewall, the firewall opens a bridging connection for the packet to pass through.
* Advantages: there is no forwarding of IP packets. Connections through the firewall are controlled in more detail. Tools are provided to log the connection process.
* Disadvantages: processing is rather slow. The forwarding of IP packets, when the server receives a request from the outside network and passes it into the inside network, is precisely the hole through which hackers get in. Since this kind of firewall works on application software, a proxy application must be created on the firewall for every service on the network (e.g. FTP proxy, HTTP proxy).
* Application-proxy firewalls are divided into two types:
Application level gateway: operates at the application layer of the TCP/IP model.

Figure 1.11. Application-proxy firewall (diagram: outside host and outside connection, the application level gateway with TELNET, FTP, SMTP and HTTP proxies, inside connection and inside host)

Stateful multilayer inspection firewall: this kind of firewall combines the features of the firewalls above; it filters packets at the network layer and inspects packet contents at the application layer. This kind of firewall allows direct connections between client and host, so it reduces errors; it provides strong security features and is transparent to end users.

1.5. SOME ISSUES WHEN CHOOSING A FIREWALL
1.5.1. The need for a firewall
The decision to implement a firewall does not come about without research and analysis. That decision rests on requirements that must be identified and justified, because a firewall implementation whose requirements are not identified affects the decisions of other parts of the organization. Firewalls built on a small scale may mean little, since security holes and mechanisms that cause network problems can outweigh the firewall implementation itself.

1.5.2. What does a firewall control and protect?
To build a firewall, one must identify which functions the firewall will need to perform: which networks it will control access from, and which services and users it will protect.
What does the firewall control?
- Access into the network.
- Access out of the network.
- Access within the internal networks, domains or architectures.
- Access by specific groups, users or addresses.
- Access to specific resources or services.
What does the firewall need to protect?
- Particular networks or controllers.
- Particular services.
- Private or public information.
- Users.
After recognizing what the firewall must protect and control, decide what may happen next under this protection and control. What happens when a user accesses pages they have no right to access? This happens if the service is not protected and the information is not well secured. The question is whether the risk to what is controlled or protected, estimated in the next step, calls for a firewall solution.

1.6. LIMITATIONS OF FIREWALLS
A firewall is not intelligent enough, like a human, to read and understand each kind of information and analyze whether its content is good or bad. A firewall can only block the entry of unwanted information sources, and only when the address parameters are clearly specified. A firewall cannot stop an attack that does not "pass through" it. Concretely, a firewall cannot counter an attack from a dial-up line, or the leakage of information through data illegally copied onto a floppy disk. Nor can a firewall counter data-driven attacks, in which programs are carried by email, pass through the firewall into the protected network and start running there. One example is computer viruses. A firewall cannot scan the data passing through it for viruses, because of the speed at which it works, the continual appearance of new viruses, and the many ways of encoding data so that it escapes the firewall's control. A firewall can block bad actors from outside, but what about the bad actors inside? Nevertheless, the firewall remains an effective and widely used solution. For optimal security, a firewall should be combined with other network security measures such as antivirus software, packaging software and data encryption. In particular, a security policy implemented appropriately and in depth is vital for getting the best out of any security software. And remember that technology is only part of a security solution. Another crucial factor in the success of the solution is the cooperation of staff and colleagues.
CHAPTER 2. UNDERSTANDING SECURITY ISSUES
Security is a major issue for all networks in today's enterprise environment. Hackers and intruders have devised many ways to succeed in bringing down a company's network or web service. Many methods have been developed to secure the network infrastructure and communication over the Internet, including firewalls, encryption and virtual private networks. Network system security consists of three elements: confidentiality, integrity and availability.
- Confidentiality: protecting sensitive information from access by people without authorization.
- Integrity: protecting system information from being modified by hackers.
- Availability: always ensuring that resources are available to users.
To protect your system, you first have to recognize whom and what you need to protect it from. To defend against attacks, you must understand the kinds of threats to your network's security. There are four security threats: internal threats, external threats, unstructured threats and structured threats.
a) Internal threats
The term internal threat describes an attack carried out by a person or organization that has some access rights to your network. Internal attacks are launched from a trusted area of the network. This threat can be harder to defend against because employees can access the network and the company's confidential data. Most companies only have firewalls at the network border, and rely entirely on ACLs (Access Control Lists) and server access permissions to govern internal security. Server access permissions usually protect resources on the server but provide no protection for the network. Internal threats are usually carried out by disgruntled employees who want to turn against the company. Many security methods concern the network perimeter, protecting the inside network from external connections such as the Internet. Once the perimeter is secured, the trusted inside parts tend to be treated less strictly, and once an intruder gets past the hard outer shell of the network, the rest is usually very easy. Therefore the following levels of security are needed:
- Physical security: place network equipment in a secure room that is always locked.
- Operating system security: use the latest IOS version that meets the business's needs. Keep copies of the configuration files.
- Router and switch security: secure administrative access such as console and telnet. Disable unused ports on routers and switches and turn off unnecessary services.
b) External threats
External threats come from organizations, governments or individuals trying to gain access from outside the company's network, and include everyone without access rights to the internal network. Typically, outside attackers try dial-up servers or Internet connections. External threats are what companies usually spend most of their time and money preventing. The solution is as follows:
- Deploy a firewall to protect the internal network.
- Allow only the services needed to meet the organization's needs.
- Have measures to prevent and detect intrusion into the internal network.
c) Structured threats
Structured threats are the hardest to prevent and defend against, because they come from organizations or individuals that use some kind of methodology to carry out attacks. Hackers with deep knowledge, long experience and equipment create this threat. These hackers know how packets are constructed and can develop code to exploit flaws in protocol structures. They also know the measures used to prevent unauthorized access, as well as IDS systems and how they detect intrusions, and they know methods for evading these defenses. In some cases a structured attack is carried out with help from a few insiders; this is called an internal structured threat. Structured or unstructured threats can be external as well as internal.

2.1. Principles of protecting a network system
2.1.1. Planning the network protection system
In a network environment, there must be assurance that confidential data is kept private, so that only authorized people may access it. Securing information is important, and protecting the operation of the network is no less important. The computer network must be kept safe from accidental or deliberate hazards. However, a network administrator must know that everything has its measure and should not be overdone. The network need not be guarded so tightly that users constantly struggle to access it to do their jobs; they should not be left frustrated when trying to reach their own files. The four main threats to the network's security are: unauthorized network access; electronic interference; theft; and accidental or deliberate disasters.
Security level: depends on the kind of environment the network operates in.
Security policy: the network system requires a set of principles, rules and policies aimed at eliminating all risk, and at guiding the way through changes and unforeseen situations as the network develops.
Training: well-trained network users are less likely to accidentally destroy a resource.
Equipment safety: depends on the company's size, the sensitivity of the data and the available resources. In a peer-to-peer environment there may be no organized hardware protection policy; users are responsible for the safety of their own computers and data.

2.1.2. Security models
Two different security models have developed to protect data and hardware resources:
Password-protected shares: assign a password to each shared resource.
Access by permission: assign certain rights on a per-user basis, checking access to shared resources against the user-access database on the server.

2.1.3. Raising the level of security
Auditing: tracking activity on the network by user account, recording many kinds of selected events in the server's security log. This helps to recognize illegitimate or unintended activity. It also provides usage information where some department charges for the use of certain resources and must decide how to bill for them.
Diskless computers: these have no hard disk or floppy drive. They can do everything an ordinary computer does, except store data on a local hard disk or floppy. No boot disk is needed; the machine can communicate with the server and log in thanks to a special boot ROM chip installed on the network card. When a diskless computer is switched on, the boot ROM signals the server that it wants to boot; the server responds by loading boot software into the diskless computer's RAM and automatically displays the login screen, at which point the computer is connected to the network.
Data encryption: encoding information into cipher form by some method so that the information cannot be understood if the recipient does not know how to decrypt it. A user or host can use encrypted information without fear of affecting another user or host.
Antivirus: prevent viruses from running; repair damage to some degree; stop a virus after it breaks out. Preventing unauthorized access is one of the most effective measures against viruses. Since the main measure is prevention, the network administrator must ensure that all the necessary elements are in place: passwords to reduce unauthorized access; appropriate privileges assigned to every user; profiles to organize the network environment so that users can configure and maintain their login environment, including the network connections and program items present when a user logs in; and a policy deciding what software may be downloaded.

2.2. Security architecture of the network system
2.2.1. Levels of information security on the network
Figure 2.1. Levels of information security on the network
Safety or security is not a product, nor is it a piece of software. It is a way of thinking. Safety can be started and used as a service. Security is the way to safety. A security document is material that the members of the organization want to protect. Responsibility for security lies with the network administrator. Network safety is of paramount importance. The security mechanism must cover the server's network configuration, the application perimeter of the organization's network, and even the clients that access the network remotely. There are several aspects to consider: physical safety; system safety; network safety; application safety; and remote access and its acceptance.
Security holes in a system are weak points that can cause a service to stop, grant extra privileges to users, or allow unauthorized access into the system. Holes may lie in the services provided, such as sendmail, web, ftp ... Holes also exist in the operating system itself, as in Windows NT, Windows 95, XP, UNIX, or in applications that users use every day, such as word processing and database systems ...

2.2.2. Impact of network vulnerabilities
The section above analyzed several cases with security holes; attackers can exploit these holes to create further holes, forming a chain of vulnerabilities. For example, a vandal wants to break into a system without a valid account on it. In this case the vandal first looks for weak points in the system, either from its security policies or by using tools to probe information on the system, in order to gain access. Once that first goal is achieved, the vandal can go on to explore the services on the system, learn its weak points and carry out more sophisticated destructive actions.
However, is every security hole dangerous to the system? There are very many reports of security holes on the Internet, most of which are class C holes that are not especially dangerous to the system. For example, when holes in sendmail are announced, they do not immediately affect the whole system. Once reports of a hole are confirmed, the newsgroups publish a number of methods for fixing the system.

CHAPTER 3. CISCO FIREWALLS
3.1 THE ASA FIREWALL
Cisco ASA stands for Cisco Adaptive Security Appliance. The ASA is Cisco's main endpoint security solution. Currently the ASA is the market-leading security product in performance, offering models suited to enterprises and an integrated network security solution. The ASA product line saves cost and is easy to deploy. It has the following attributes:
+ Real-time security on Cisco's proprietary operating system
+ Stateful firewall technology using Cisco's SA algorithm
+ SNR to secure TCP connections
+ Cut-through proxy to authenticate telnet, http and ftp
+ A default security policy that enforces maximum protection, with the ability to customize these policies and build your own
+ VPN: IPSec, SSL and L2TP
+ Integrated intrusion detection and prevention (IDS/IPS)
+ Dynamic NAT, static NAT, port NAT
+ Virtualization of policies using contexts

3.1.1 The ASA product line
There are 6 different models in all. The product line is graded from small organizations to medium-sized enterprises and up to Internet service providers (ISPs). The higher the model, the higher the throughput, the number of ports and the cost. The products are: ASA 5505, 5510, 5520, 5540, 5550, 5580-20, 5580-40.
Figure 3.1 The ASA 5550
For example, the specifications of the ASA 5550.
3.1.2 The ASA security algorithm
One main function of the ASA is the stateful firewall. A stateful firewall adds and maintains information about users' connections. This information is stored in the state table, commonly called the conn table. The ASA firewall uses the conn table to enforce the security policy for user connections. Some of the information a stateful firewall keeps in the conn table:
+ Source IP address
+ Destination IP address
+ Protocol, such as TCP or UDP
+ IP protocol information such as TCP/UDP ports, the TCP SYN and the TCP flags

3.1.2.1 How the stateful firewall mechanism works
We have the following model:
Figure 3.2. Stateful firewall mechanism, a (Figure 1-1)
- PC-A on the internal network accesses a web server outside on the Internet. The HTTP request packet arrives at the firewall; the firewall extracts PC-A's connection information (source address, destination address, IP protocol and any other protocol information) and puts it in the conn table. The firewall then forwards the HTTP request packet to the web server.
Figure 3.2. Stateful firewall mechanism, b (Figure 1-2)
- The web server sends the web page back to user PC-A. The firewall examines this reply packet and compares it with the entries in the conn table:
+ If the comparison matches an entry in the conn table, the packet is permitted
+ If it does not match an entry in the conn table, the packet is dropped
- A stateful firewall maintains this connection table. If the firewall sees the client disconnect, the stateful firewall deletes the entry from the conn table. If an entry is inactive for a period of time, the entry times out and the stateful firewall removes it from the conn table.

3.1.2.2 Comparing stateful and packet filtering firewalls
- A stateful firewall is aware of the state of the connections passing through it. A packet filtering firewall, on the other hand, does not see the state of a connection. A clear example for understanding a packet filtering firewall is the extended ACL used by a router. With this kind of ACL the router only sees the following information in each individual packet:
+ Source IP address
+ Destination IP address
+ IP protocol
+ IP protocol information such as the TCP/UDP port
At first glance the information a packet filtering firewall uses looks the same as a stateful firewall's. However, a router using an ACL cannot tell whether the connection state is a request, an existing connection or a disconnection; it only sees each individual packet passing through the interface. In other words, a packet filtering firewall only checks packets at layers 3 and 4.
3.1.2.3 Sequence Number Randomization (SNR)
The ASA firewall has a feature called Sequence Number Randomization (SNR). This feature is implemented by the security algorithm. SNR is used to protect you against information loss and TCP session hijacking by hackers. As we know, one problem with TCP is that most TCP/IP implementations start the three-way handshake in a predictable way when choosing the SYN and ACK numbers. With many methods, a hacker can use tools to predict the next set of data to be sent on the network, and once the correct SYN (sequence) number is predicted, the hacker can use this information to hijack the session and forge the connection. The ASA firewall solves this problem by generating a random SYN number and placing it in the header of the TCP segment. The ASA records the replacement of the old SYN number by the new one in the conn table. For all return traffic from the server through the firewall back to the source, the ASA looks up this information and changes the ACK number back. That way the source machine on the local network can accept the packets returned from the destination. Here is an example of SNR.
Figure 3.3 How SNR works
- A TCP packet passes through the ASA firewall with SYN number 578. The ASA's SNR changes this SYN value to a random SYN value, records it in the conn table (in this case 992), and forwards the packet to the destination. The destination cannot tell that anything changed and replies to the source with ACK = 993. The firewall receives this reply and changes the value 993 to 579, so the source machine will not reject the packet. Remember that the ACK number in the reply is one greater than the sequence number, and that is the value used as the ACK number. Note: SNR is a transparent process for both the source and the destination machine. Cisco recommends that you do not disable this feature. If SNR is disabled, your network will face TCP session hijacking attacks.
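The SNR rewriting described above, modelled in Python as an added example (this is not Cisco's code or the thesis's own; the firewall class, the fixed "random" source used to reproduce the numbers 578/992/993/579, and the addresses are constructed for illustration). The firewall stores only the offset between the client's sequence number and the randomized one, applies it modulo 2^32, and drops a reply whose connection is no longer in the conn table.

```python
"""Sequence Number Randomization (SNR) as described above, modelled in Python.
Outbound: on the SYN, the firewall replaces the client's sequence number with a
random one and stores the offset in its conn table. Inbound: the server's ACK is
shifted back by the same offset, so the client sees the numbering it started with."""
import random

MODULO = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


class FixedIsn:
    """Stand-in for the random source so the walkthrough reproduces the numbers
    from the text (constructed for this example, not a real randomizer)."""
    def __init__(self, value):
        self.value = value

    def randrange(self, n):
        return self.value % n


class SnrFirewall:
    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()
        # conn table: (client, server) -> offset added to the client's sequence numbers
        self.conn_table = {}

    def outbound(self, client, server, seq, syn=False):
        """Client -> server segment. A SYN creates the entry with a random ISN;
        later segments are shifted by the same offset. Returns the rewritten
        sequence number, or None for a segment of an untracked connection."""
        key = (client, server)
        if syn:
            new_isn = self.rng.randrange(MODULO)
            self.conn_table[key] = (new_isn - seq) % MODULO
        if key not in self.conn_table:
            return None
        return (seq + self.conn_table[key]) % MODULO

    def inbound(self, client, server, ack):
        """Server -> client segment: shift the ACK back to the client's numbering.
        A reply with no conn entry is dropped (None), as a stateful firewall does."""
        key = (client, server)
        if key not in self.conn_table:
            return None
        return (ack - self.conn_table[key]) % MODULO

    def close(self, client, server):
        """The client disconnected: the entry (and its offset) is removed."""
        self.conn_table.pop((client, server), None)


def walkthrough():
    """The text's example: the client's SYN with sequence 578 leaves as 992, the
    server acknowledges 993, and the client receives ACK 579. After the
    connection closes, a late reply no longer matches and is dropped."""
    fw = SnrFirewall(rng=FixedIsn(992))
    client, server = "10.0.0.5", "203.0.113.10"  # constructed addresses
    rewritten_seq = fw.outbound(client, server, 578, syn=True)  # 992
    server_ack = rewritten_seq + 1                                # 993
    client_sees = fw.inbound(client, server, server_ack)          # 579
    fw.close(client, server)
    late_reply = fw.inbound(client, server, server_ack)           # None
    return rewritten_seq, server_ack, client_sees, late_reply


def wraparound():
    """Offsets are applied modulo 2^32: a client ISN of 2^32 - 2 randomized to 5
    still yields the correct ACK (2^32 - 1) on the way back."""
    fw = SnrFirewall(rng=FixedIsn(5))
    out_seq = fw.outbound("client", "server", MODULO - 2, syn=True)  # 5
    return out_seq, fw.inbound("client", "server", out_seq + 1)


if __name__ == "__main__":
    print(walkthrough())  # (992, 993, 579, None)
    print(wraparound())   # (5, 4294967295)
```

Run without the fixed source, `SnrFirewall()` draws the initial sequence number from `random.SystemRandom`, which is the property the text relies on: the number the outside host sees no longer follows the predictable pattern of the client's TCP stack.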
3.1.2.4 Cut-through Proxy
The SA security algorithm implements many of the security features of the Cisco operating system. Another security-enhancing algorithm alongside it is Cut-through Proxy (CTP). CTP lets the ASA firewall inspect connections entering and leaving the network and authenticate them before they are allowed into the internal network. CTP is usually used when a user connects to a server that cannot perform authentication itself. The user's connection is not authenticated by the ASA itself; instead a dedicated server can be used for this authentication, such as Cisco Secure Access Control Server (CSACS). Cisco provides both authentication protocols, TACACS+ and RADIUS. CTP can authenticate the following kinds of connection:
+ FTP
+ HTTP and HTTPS
+ Telnet
When the ASA firewall is configured with CTP, it first authenticates a connection before allowing it through the firewall. The figure below describes step by step how CTP works.
Figure 3.4 The steps of CTP
- User Pong initiates a connection to the FTP server with IP address 200.200.200.2.
- The ASA firewall inspects this connection and at the same time checks whether there is an entry for it in the conn table. If an entry exists in the ASA, the ASA allows the connection. But in this case the user must be authenticated first.
- If the ASA finds no entry matching the connection in the conn table, it asks user Pong to authenticate with a username and password and forwards this information to the authentication server.
- The authentication server checks the user table it has been configured with and compares. Whether access is allowed or denied, the server sends an Allow or Deny packet to the ASA.
+ If the ASA receives an Allow packet, it adds the user's connection information to the conn table and permits the connection
+ If the ASA receives a Deny packet, it tears down the connection or asks for the username/password again
Once the user is authenticated, all of that user's traffic is handled by the ASA at layers 3 and 4 of the OSI model. The difference from a traditional proxy application is that there all traffic is handled at layer 7 of the OSI model. With CTP, authentication is handled at layer 7 but the data traffic is handled at layers 3 and 4 in most cases.

3.1.2.4 Policy Implementation
The security algorithm is responsible for implementing and enforcing the security policy. The algorithm also uses an inheritance model, which lets you create many different security levels. To accomplish this, each interface on the ASA must be assigned a value from 0 to 100, where 0 is the least secure and 100 the most secure level. The security algorithm uses these security levels to enforce the default security policy. As an example, the interface connecting to the Internet has the lowest security level, while the interface connecting to the LAN has the highest. Here are the 4 rules for all traffic passing through the ASA:
+ By default, traffic from an interface with a higher security level to an interface with a lower security level is permitted
+ By default, traffic from an interface with a lower security level to an interface with a higher security level is denied
+ By default, traffic from one interface to another with the same security level is denied
+ By default, traffic entering and leaving the same interface is denied
The following example shows which traffic is permitted and which is not. In this example a user on the local network initiates a connection to a web server on the Internet, which is allowed through the ASA, so the security algorithm adds this connection to the conn table. When the web server sends the web page back from the Internet, it is permitted. Once the user disconnects, the connection information is deleted from the conn table. If a user on the Internet tries to access a web server on the local network, the security algorithm on the ASA automatically denies the connection. These rules are the defaults; we can create exceptions to them on the ASA. These usually fall into two categories:
+ Allowing access based on an account
+ Access based on filtering conditions
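The four default rules and the two exception types above, modelled in Python as an added example (not Cisco's code or the thesis's own; the interface names, security levels, addresses, ports and user names are constructed). A permitted connection is tracked so that the return traffic matches, and removing it on disconnect makes a later reply fail the default rule again, which is the web-server scenario the text walks through; the FTP scenario shows the account-based (cut-through proxy) and filter-based (ACL) exceptions.

```python
"""Default security-level policy of the ASA security algorithm with the two
kinds of exception named in the text. Added example; all names are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    in_if: str       # interface the packet arrives on
    out_if: str      # interface it would leave on
    src_ip: str
    dst_ip: str
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int
    user: Optional[str] = None   # set once cut-through proxy has authenticated the user


class SecurityAlgorithm:
    def __init__(self, security_levels):
        self.levels = dict(security_levels)   # interface -> 0 (least) .. 100 (most secure)
        self.conn_table = set()               # keys of connections already permitted
        self.acl_permits = set()              # (in_if, dst_ip, proto, dst_port) opened by an ACL
        self.authenticated = set()            # users allowed through by cut-through proxy

    @staticmethod
    def conn_key(flow):
        # Identical for both directions, so the server's reply matches the entry
        # created by the client's request.
        ends = frozenset({(flow.src_ip, flow.src_port), (flow.dst_ip, flow.dst_port)})
        return (ends, flow.proto)

    def default_rule(self, in_if, out_if):
        """The four default rules for traffic through the ASA."""
        if in_if == out_if:
            return "deny"                                   # in and out on one interface
        if self.levels[in_if] > self.levels[out_if]:
            return "permit"                                 # higher -> lower level
        return "deny"                                       # lower -> higher, or equal levels

    def evaluate(self, flow):
        key = self.conn_key(flow)
        if key in self.conn_table:
            return "permit"                                 # reply to a tracked connection
        verdict = self.default_rule(flow.in_if, flow.out_if)
        if verdict == "deny":
            if flow.user is not None and flow.user in self.authenticated:
                verdict = "permit"                          # account-based exception (CTP)
            elif (flow.in_if, flow.dst_ip, flow.proto, flow.dst_port) in self.acl_permits:
                verdict = "permit"                          # filter-based exception (ACL)
        if verdict == "permit":
            self.conn_table.add(key)                        # track it for the return traffic
        return verdict

    def close(self, flow):
        """The user disconnected: drop the conn table entry."""
        self.conn_table.discard(self.conn_key(flow))


def demo():
    """Walks through the text's web-server and FTP-server scenarios; returns a
    dict of verdicts keyed by scenario name."""
    asa = SecurityAlgorithm({"outside": 0, "dmz": 50, "inside": 100})
    r = {}
    # An inside user opens a web connection to the Internet: high -> low, permitted.
    out = Flow("inside", "outside", "10.0.0.5", "203.0.113.10", "tcp", 51000, 80)
    r["client_to_web"] = asa.evaluate(out)
    # The web page comes back: low -> high, but it matches the conn table entry.
    back = Flow("outside", "inside", "203.0.113.10", "10.0.0.5", "tcp", 80, 51000)
    r["web_reply"] = asa.evaluate(back)
    # The user disconnects; the entry is gone and a further reply is denied.
    asa.close(out)
    r["reply_after_close"] = asa.evaluate(back)
    # An Internet host tries the internal FTP server: low -> high, denied by default.
    ftp = Flow("outside", "inside", "198.51.100.7", "10.0.0.21", "tcp", 40000, 21)
    r["internet_to_ftp_default"] = asa.evaluate(ftp)
    # Filter-based exception: an ACL opens tcp/21 to that server.
    asa.acl_permits.add(("outside", "10.0.0.21", "tcp", 21))
    r["internet_to_ftp_acl"] = asa.evaluate(ftp)
    # Account-based exception: only a user authenticated through CTP gets in.
    asa2 = SecurityAlgorithm({"outside": 0, "inside": 100})
    asa2.authenticated.add("pong")
    r["ftp_ctp_authenticated"] = asa2.evaluate(
        Flow("outside", "inside", "198.51.100.7", "10.0.0.21", "tcp", 40001, 21, user="pong"))
    r["ftp_ctp_unknown_user"] = asa2.evaluate(
        Flow("outside", "inside", "198.51.100.7", "10.0.0.21", "tcp", 40002, 21, user="mallory"))
    # Equal security levels, and traffic entering and leaving the same interface.
    asa3 = SecurityAlgorithm({"inside": 100, "partner": 100})
    r["equal_levels"] = asa3.evaluate(Flow("inside", "partner", "10.0.0.5", "10.9.0.5", "tcp", 51001, 443))
    r["same_interface"] = asa3.evaluate(Flow("inside", "inside", "10.0.0.5", "10.0.0.9", "tcp", 51002, 445))
    return r
```

Note that an exception, once taken, is also tracked in the conn table, so the server's replies to the ACL-opened FTP connection are permitted on the same basis as any other return traffic.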
Figure 3.5 The Policy Implementation algorithm
Another example: when a user from the Internet tries to access an FTP server on the local network, it is denied by default. You can use two methods to open the connection through the firewall:
+ Set up CTP to allow the connection
+ Use an ACL to open the connection temporarily
3.2. Controlling traffic with the ASA
3.2.1 Overview of the TCP/IP protocols
Before going into the configuration commands that allow traffic through the ASA, it is necessary to understand the mechanics of the common protocols TCP, UDP and ICMP. This matters because the ASA treats these traffic flows differently when filtering packets with the stateful firewall mechanism. TCP is a connection-oriented protocol, meaning that before data is transported across the network, some connection parameters must be negotiated to establish the connection. To carry out this negotiation, TCP goes through the three-way handshake:
+ In the first part of the three-way handshake, the source sends a TCP SYN, indicating that it wants to open a connection
+ When the destination receives the packet containing the SYN number, it acknowledges it with its own SYN number together with an ACK number. This response is commonly called the SYN/ACK. The ACK value tells the source that the destination received the SYN number the source sent
+ The source then sends an ACK back to the destination. This indicates that connection establishment is complete
Outbound connection requests
When a connection is being established, data flows in both directions through the ASA firewall. Suppose a user inside the local network initiates a TCP connection to a server on the Internet. Because we have configured a rule for TCP connection establishment, it is very easy for the ASA firewall to understand what is happening during connection setup; in other words, it is easy for the ASA to inspect this traffic. As said earlier, a stateful firewall keeps the full state of the connection. In this example, the ASA receives the packet containing the SYN number and recognizes it as a connection request from inside the local network. Because it is a stateful firewall, the ASA adds this connection to the conn table, so the SYN/ACK packet sent back from outside is allowed into the local network and the user on the local network can complete the connection with the final ACK. The ASA then allows traffic back and forth between the two machines. When a TCP connection is torn down, the disconnection request packet passes through the firewall and the firewall recognizes the connection state accordingly; the recognition is based on FIN and FIN/ACK, or RST. After that, the firewall removes the connection object from the conn table. Naturally, once an object is removed from the conn table, the outside device can no longer connect into our LAN: all such traffic is dropped by default.
Yu cu kt ni vo bn trong mng ni b Bi v firewall ASA hot ng nh mt
stateful firewall nn mc nh tt c cc kt ni t bn ngoi i vo mng ni b mc
nh b cm. cho php cc kt ni ny, bn s phi khi to cho php mt Rule TCP m
bn mun Tuy nhin c mt vn vi TCP, l kh nng c th d on c trc cc tham s
trong qu trnh bt tay ba bc, iu ny thng gip cho Hacker xm nhp vo mng
ni b ca chng ta. V d cho iu ny, mt k tn cng c gng gi ng lot s lng
ln TCP SYN n mt my tnh bn trong mng ni b, lm gi vic thit lp kt ni
TCP. Tuy nhin mc ch ca k tn cng l khng cn phi hon thnh qu trnh bt
tay ba bc m ch c gng lin tc gi SYN lm cn kit ngun ti nguyn ca my
tnh trong mng cc b. 3.2.2 Tng quan v UDP UDP- User Datagram
Protocol l mt giao thc khng hng kt ni. Khng ging nh TCP, n khng c
nh ngha v tnh trng kt ni. iu ny c ngha l khng c qu trnh bt tay ba
bc nh TCP. Thay v mt thit b ch vic gi gi tin UDP khi n mun giao lin
lc vi mt thit b khc. V vy khng c qu trnh nh ngha lp 4 trong m hnh
OSI v khng c xc minh tng Vn Chuyn ch ra kt thc qu trnh gi tin. UDP
chnh n cng khng c chc nng iu khin lung d liu gia hai thit b. Bi v s
hn ch ny nn UDP thng c s dng trong vic gi khi lng thng tin rt l nh
gia 2 thit b Mt v d in hnh cho vic hiu UDP l giao thc DNS. DNS c s
dng khi mt thit b cn phn gii mt hostname thnh mt a ch IP. Thit b gi
mt gi tin truy vn DNS( Gi tin UDP) n DNS Server, DNS server tr li
li vi ch mt gi tin Reply. Trong trng hp ny UDP l cch thc s dng hu
hiu hn TCP bi v ch cn c 2 gi tin i v v. Yu cu kt ni ra bn ngoi Chng
ta s nhn vo mt v d khc minh ha mt trong nhng vn m Firewall ASA lm g
vi cc traffic UDP. Trong v d ny gi s rng mt User trong mng LAN thc
hin vic kt ni ti mt TFTP server bn ngoi Internet. Khi User ny khi
to kt ni TFTP, firewall s thc hin qu trnh stateful firewall v thm
kt ni tm thi ny vo bng conn table. iu ny cho php bt c UDP segment t
ngoi TFTP tr vo mng Lan
Page 49
Tm hiu Firewall trn cng ngh Cisco v demo mt s ng dng thc tin `Vn
y l mt khi User hon thnh vic truyn file TFTP, firewall khng bit rng
kt ni hon thnh. Bn s khng mun gi mi kt ni tm thi ny trong bng conn
table sau khi vic vn chuyn file thnh cng. gii quyt vn ny thit b
Firewall c mt gii php l: Firewall kim sot thi gian ch ca kt ni UDP.
Mt khi Firewakk thy khng c lu lng no c truyn trong mt khong thi
gian ch, n s xa kt ni ra khi bng conn table. i vi UDP, thi gian ch
mc nh l 2 pht, tuy nhin bn c th ty chnh iu ny. Vic s dng thi gian
ch khng phi l mt gii php hon ton thng minh, bi v khong thi gian ch
hp l c th xy ra trong khi hay thit b UDO ang thc hin qu trnh truyn
file khc v s tip tc kt ni ca chng ngay sau . Trong v d ny, firewall
c th xa kt ni tm thi ny khi bng conn table, khi thit b bn ngoi tip
tc truyn file th firewall s cm traffic v thi gian kt ni ht hn, v kt
ni khng cn tn ti trong bng conn table na Ch rng mt vi ng dng UDP nh
DNS c th thy c s n gin trong kt ni ca n hn TFTP. Trong v d v DNS,
User khi to truy vn DNS th ch c 1 v ch 1 gi tin tr v t DNS Server.
Trong hon cnh ny, firewall c th nhn bit xa kt ni khi bng conn table
khi gi tin DNS reply vo mng LAN Yu cu kt ni n Nh ni t trc, bi v
firewall asa hot ng theo c ch Stateful Firewall, n s khng cho php
cc traffic vo trong mng cc b Lan ca chng ta nu ngun ca traffic l bn
ngoi Internet. Bn phi cu hnh cho php traffic UDP ny Bi v UDP l giao
thc khng hng kt ni nn gii quyt vn vi nhng yu cu kt ni n ny s to ra
nhiu vn bo mt Khi ngt mt kt ni UDP, firewall s khng nhn bit c iu ny
v n vn gi thng tin ca kt ni ny trong bng conn table. Nh vy mt k tn
cng s li dng iu ny lm gi a ch IP ngun, Firewall s khng nhn bit c s
xm nhp ny Bi v UDP khng s dng bt c qu trnh thit lp kt ni no nn khi
khi to mt lung d liu, s kh khn trong vic phn bit s khc nhau gi vic
bt u khi to hay ang khi to hay kt thc kt ni. V s hacker c th thc
hin vic duy tr phin tn cng.3.2.3 Tng quan v ICMP
ICMP Internet Control Management Protocol l mt giao thc khng hng
kt ni, ngha l khng c nh ngha trng thi kt ni
Page 50
Tm hiu Firewall trn cng ngh Cisco v demo mt s ng dng thc tin
ICMP c s dng trong rt nhiu mc ch bao gm vic kim tra kt ni, kt ni iu
kin v cc thng tin cu hnh. ICMP c mt vi c tnh rt ging UDP, v n l
khng hng kt ni v khng c iu khin lung. V l firewall c vn ging nh UDP
Mc nh firewall khng thm cc gi tin ICMP vo trong bng conn table. V
vy hoc bn phi s dng ACL cho php lung gi tin ICMP echo hoc bt tnh
nng gim st ICMP trn firewall. Mt khi bn bt tnh nng gim st ICMP th
khi mt gi tin ICMP c gi ra ngoi, n cha s SYN trong ICMP header v ng
thi thng tin kt ni ny c a vo bng conn table. Firewall s thy gi tin
ICMP echo quay tr li v cha s SYN nu n l 1 phn ca mt kt ni ang tn
ti. Gi tin ICMP echo c cho php quay tr li vo mng ni b LAN Nhng giao
thc khc Tt c cc giao thc khc v nhng kt ni lin quan ti chng l khng c
kim tra bi firewall. Hay ni cch khc, firewall khng bao gi thm cc kt
ni ny vo trong bng conn table. Nhng vn v ng dng v giao thc: C 3 vn
chnh m stateful firewall phi i mt l:- ng dng c nhiu kt ni
- ng dng v giao thc c nhng a ch v thng tin kt ni trong phn
payload ca tng ng dng ng dng v giao thc c cc vn bo mt Applications
vi nhiu kt ni Mt vn vi firewall l gii quyt cc ng dng c nhiu hn 1 kt
ni, ging nh FTP, thoi, kt ni CSDL v . Mt vi dng ca giao thc v ng
dng l cn thit gia tng mc bo mt qua firewall Chng ta hy nhn vo v d
sau minh ha vn ny v cung cp gii php
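Before the FTP example, here is an added simulation of the conn-table behaviour that sections 3.2.1 to 3.2.3 describe: TCP entries are created by a SYN and removed by FIN or RST, UDP entries age out after the 2-minute idle timeout, a DNS reply closes its entry immediately, and ICMP echo is tracked only when inspection is enabled. This is illustrative Python, not the thesis's or Cisco's code; the addresses, ports and timestamps are constructed, and the rule that one echo reply closes an ICMP entry is an assumption of this model rather than a statement of the text.

```python
# Added example: a toy stateful conn table that behaves the way sections
# 3.2.1-3.2.3 describe for TCP, UDP and ICMP. Not from the thesis or Cisco;
# addresses, ports and timestamps are constructed samples.
from dataclasses import dataclass

UDP_IDLE_TIMEOUT = 120.0   # seconds: the 2-minute default mentioned in the text
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: int              # for icmp: the echo identifier
    dst: str
    dport: int              # for icmp: the echo sequence number
    flags: str = ""         # tcp: SYN, SYN/ACK, ACK, FIN, RST; icmp: echo-request, echo-reply
    direction: str = "out"  # "out": inside -> outside, "in": outside -> inside
    time: float = 0.0       # seconds; drives the UDP idle timer


class ConnTable:
    """Entries are keyed on the outbound tuple (proto, src, sport, dst, dport)."""

    def __init__(self, icmp_inspection: bool = False):
        self.entries = {}                   # key -> time of the last packet seen
        self.icmp_inspection = icmp_inspection

    @staticmethod
    def _key(p: Packet, reverse: bool = False) -> tuple:
        if not reverse:
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        if p.proto == "icmp":               # echo id/seq are not swapped in the reply
            return (p.proto, p.dst, p.sport, p.src, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        self._expire_udp(p.time)
        return self._inbound(p) if p.direction == "in" else self._outbound(p)

    def _outbound(self, p: Packet) -> str:
        key = self._key(p)
        if p.proto == "tcp":
            if p.flags == "SYN":            # connection request: start tracking it
                self.entries[key] = p.time
                return "permit (new entry)"
            if key not in self.entries:     # no state and not a SYN: not a valid start
                return "deny"
            if p.flags in ("FIN", "RST"):   # teardown removes the entry
                del self.entries[key]
                return "permit (entry removed)"
            self.entries[key] = p.time
            return "permit"
        if p.proto == "udp":                # no handshake: the first datagram creates state
            self.entries[key] = p.time
            return "permit (new entry)"
        if p.proto == "icmp" and p.flags == "echo-request":
            if self.icmp_inspection:        # tracked only when ICMP inspection is enabled
                self.entries[key] = p.time
                return "permit (new entry)"
            return "permit (not tracked)"   # leaves high -> low, but no state for the reply
        return "deny"

    def _inbound(self, p: Packet) -> str:
        key = self._key(p, reverse=True)
        if key not in self.entries:
            return "deny"                   # low -> high with no matching state is dropped
        if p.proto == "tcp" and p.flags in ("FIN", "RST"):
            del self.entries[key]
            return "permit (entry removed)"
        if p.proto == "udp" and key[4] == DNS_PORT:
            del self.entries[key]           # DNS: one query, one reply, state can go now
            return "permit (entry removed)"
        if p.proto == "icmp":               # assumption: one echo reply closes the entry
            del self.entries[key]
            return "permit (entry removed)"
        self.entries[key] = p.time
        return "permit"

    def _expire_udp(self, now: float) -> None:
        stale = [k for k, t in self.entries.items()
                 if k[0] == "udp" and now - t > UDP_IDLE_TIMEOUT]
        for k in stale:                     # idle UDP entries age out of the table
            del self.entries[k]


def tftp_timeout_demo() -> list:
    """The text's TFTP case: a reply inside the idle window passes, a late one is dropped."""
    table = ConnTable()
    user, tftp = "192.168.1.5", "198.51.100.9"   # constructed sample addresses
    return [
        table.process(Packet("udp", user, 3000, tftp, 69, time=0.0)),
        table.process(Packet("udp", tftp, 69, user, 3000, direction="in", time=10.0)),
        table.process(Packet("udp", tftp, 69, user, 3000, direction="in", time=200.0)),
    ]
```

Running tftp_timeout_demo shows the weakness the text points out: the third datagram arrives 190 seconds after the last one, the entry has already aged out, and the resumed transfer is denied even though both endpoints consider it the same session.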
Figure 3.6 An application with multiple connections
In this network, the client initiates an FTP connection. For this kind of connection, the client opens a TCP control connection to port 21 on the FTP server. Whenever the user issues an FTP command such as get or put over this connection, the client also sends the port it wants the FTP server to use. The FTP server then opens a second connection, usually called the data connection, with source port 20 and, as destination port, the port the client sent earlier. So in this example the client opens a control connection to the server, and the server opens a data connection to the client.
From the ASA's point of view, the user is connected to the interface with the higher security level, called Inside, and the server on the Internet is connected to the interface with the lower security level, called Outside. The second connection (port 20, for data transfer) is therefore denied by default, because it comes from the lower security level to the higher one. The solution is to configure the ASA to inspect the application-layer payload of the FTP control connection to determine whether the mode is active or standard, which commands are in use, and which port the client wants to use for the data transfer. This lets the ASA add the data connection to the conn table even before the second connection is initiated.

Address information embedded in the application
Some applications embed address information in the payload of the connection, expecting the destination device to use this information for additional connections. That address information, however, may already be in the firewall's NAT table.

Figure 3.7 Address information embedded in the application
In this example we use FTP in active mode to illustrate the problem. For the data connection that needs to be opened, the client wants to use local port 51001. However, an entry with this port already exists in the firewall's NAT table. If the firewall did not handle this, traffic could be translated incorrectly and delivered to a device on the network other than the one that initiated and requested the connection. A good firewall should replace the address information in the payload with something else and create another entry in its NAT table for this connection. The Cisco ASA supports this for many protocols and applications: the ASA translates the port for the data connection to 60000 and adds this connection to the NAT table. At the same time the firewall updates the payload of the FTP control connection with port 60000, so when the server processes the request on the control connection it uses port 60000 to send data back to the client, and the firewall translates it back to 51001.
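The payload rewrite just described, as an added Python illustration of what application inspection does with the active-mode FTP PORT command: the announced client port is parsed, a free global port (60000 in the text's example) is substituted, and the data connection is pre-registered so the server's connection to the global address can be mapped back to the client. The inspector also refuses a PORT address that is not the client's own, which is the defensive check that prevents the "delivered to a different device" case the text warns about. This is not the thesis's or Cisco's code; the FtpInspector class, the sample command and the address 200.200.200.1 are constructed for the example.

```python
# Added example: parsing and rewriting the active-mode FTP PORT command the way
# the text describes application inspection doing it (51001 -> 60000). Not from
# the thesis or Cisco; addresses, ports and the sample command are constructed.
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port_command(line: str) -> tuple:
    """Return (ip, port) announced by a PORT command such as 'PORT 192,168,1,5,199,57'."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a well-formed PORT command")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("PORT field out of range")
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]       # the port is sent as two 8-bit values
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ip, port


def build_port_command(ip: str, port: int) -> str:
    """Inverse of parse_port_command."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)


class FtpInspector:
    """Rewrites the PORT payload on the control connection and pre-creates the
    data-connection translation, so the server's connection to the global
    address and port can be mapped back to the client."""

    def __init__(self, global_ip: str, ports_in_use: set, first_spare_port: int = 60000):
        self.global_ip = global_ip
        self.ports_in_use = set(ports_in_use)   # global ports already in the NAT table
        self.next_spare = first_spare_port
        self.data_xlate = {}                    # (global_ip, global_port) -> (client_ip, client_port)

    def rewrite(self, line: str, client_ip: str) -> str:
        ip, port = parse_port_command(line)
        if ip != client_ip:
            # A PORT address other than the client's own would make the server
            # connect to a third party; do not create a translation for it.
            raise ValueError("PORT address %s does not belong to client %s" % (ip, client_ip))
        if port in self.ports_in_use:            # taken in the NAT table: pick another port
            while self.next_spare in self.ports_in_use:
                self.next_spare += 1
            gport = self.next_spare
            self.next_spare += 1
        else:
            gport = port                         # free: keep the client's port
        self.ports_in_use.add(gport)
        self.data_xlate[(self.global_ip, gport)] = (ip, port)
        return build_port_command(self.global_ip, gport)

    def data_connection_target(self, dst_ip: str, dst_port: int):
        """Where the server's data connection to the global address really goes."""
        return self.data_xlate.get((dst_ip, dst_port))


def figure_3_7_walkthrough() -> tuple:
    """Client 192.168.1.5 asks for 51001, which already exists in the NAT table."""
    insp = FtpInspector("200.200.200.1", ports_in_use={51001})
    rewritten = insp.rewrite("PORT 192,168,1,5,199,57\r\n", client_ip="192.168.1.5")
    return rewritten, insp.data_connection_target("200.200.200.1", 60000)
```

In the walkthrough the client's command encodes port 51001 as the byte pair 199,57; the rewritten command carries 234,96 (port 60000), and the server's data connection to 200.200.200.1:60000 is mapped back to 192.168.1.5:51001.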
3.3 Overview of NAT
One of the many things you have to do for your network is assign IP addresses to all network devices. Because of the exhaustion of public IPv4 addresses, in many cases you must use private addresses for the devices on the LAN.

3.3.1 Private addresses
To address the exhaustion of IP addresses and meet the growing need of companies to connect to the Internet, the IETF developed RFC 1918.
Figure 3.8 Private addresses
As you can see from the address table, you should have enough private addresses to meet a company's needs; each device on the network is assigned a unique IP address. RFC 1918 specifies, however, that packets containing a private address as either source or destination must not be forwarded on the public network. Imagine two companies, company A and company B, both using the private range 10.0.0.0/8 for the devices on their LANs. Clearly this creates many problems, because the two companies have overlapping addresses. In this case the overlapping subnets prevent you from connecting the network devices to each other. For example, both companies use 10.1.1.0/24, as in the figure below.
Connections within each company are fine, but if these two subnets need to connect to each other, that is impossible: the border router between the two networks cannot link the two networks together.

3.3.2 The need for NAT
To solve the overlapping address problem, and to allow private IP addresses to be used while still accessing the public network, the IETF developed RFC 1631. RFC 1631 defines how NAT is performed: it lets you translate a private address in the header of an IP packet to a different IP address. Below are some common cases in which you may need to deploy NAT:
- You need to merge two networks.
- Your ISP assigns you a limited number of public IP addresses and you need to give many devices access to the Internet.
- You were allocated a public IP address space and, when you switch to another service provider, the new provider does not let you keep the public addresses currently in use.
- You have a network service on a device and you need to publish it on the Internet so that anyone can access it.

3.3.3 Benefits of NAT
One of the main benefits of NAT is the freedom to use the very large number of private IP addresses, more than 17 million. These include one class A network, 16 class B networks and 256 class C networks. When you use private IP addresses, even if you change service providers you do not need to re-address the devices on the local network; you only change the NAT configuration on the firewall to match the new public IP addresses. Because all traffic to devices with private IP addresses must pass through the firewall, you can control the following:
- Which resources the Internet can access on our Inside network
- Which users on the Inside network are allowed to access the Internet

3.3.4 NAT terminology and definitions
The device performing NAT can take many forms: it can be a firewall, a router, a proxy gateway or even a file server. Cisco routers running IOS 11.2 and the firewalls are capable of NAT. To better understand the commands used on the firewall to configure NAT, you need to understand some terms commonly used with NAT:
- Inside: the addresses that are translated, usually private IP addresses of devices inside the LAN or public addresses bought from the ISP
- Outside: the addresses allocated on the Internet
- Inside Local: the private addresses assigned to hosts inside the LAN
- Inside Global: the public addresses assigned to inside hosts; usually this is the address pool allocated by the ISP
- Outside Global: the addresses assigned to outside devices
3.3.5 Typical NAT examples
The firewall can perform several kinds of NAT. In this section you will see two examples: NAT and PAT.
Figure 3.8 NAT example

NAT example
As mentioned earlier, NAT translates one address to one address. You typically use static NAT when you have a server and you want everyone on the Internet to be able to reach it. For the users on the local network, on the other hand, you create a pool of IP addresses and the NAT device dynamically assigns public IP addresses to the devices on the local network. In this example a user on the local network is accessing a resource on the Internet (the user at 192.168.1.5 is trying to reach 201.201.201.2).
Figure 3.9 NAT example (a)
In figure 3.9 you can see the actual data transfer from 192.168.1.5. The firewall receives the packet from 192.168.1.5, decides whether it needs to perform NAT, and forwards the packet to its destination. The firewall sees the incoming packet and compares it with the NAT rules. Because the packet matches a rule in the NAT policy, the firewall translates the source address in the packet from 192.168.1.5 to 200.200.200.1, which is a public IP address. Next you can see the destination 201.201.201.2 receiving the packet: it sees 200.200.200.1 as the source address. This is transparent to both the user on the local network and the server.
Figure 3.9 NAT example (b)
When the server sends the reply packet back to the user, it uses the public IP address it saw after NAT, 200.200.200.1. The firewall then receives the packet and checks its NAT policy. Having decided that the original address must be restored, it sees the address 200.200.200.1, changes this public IP address back to the original private IP address 192.168.1.5, and forwards the packet to the user on the local network.

PAT example
With PAT, the firewall changes both the IP address and the TCP/UDP port of the packet. In this example the ISP assigns you a single public IP address, and you must use this address for all user connections to the Internet.
Figure 3.10 PAT example (a)
In the figure above, the user at 192.168.1.5 telnets to 201.201.201.2. The firewall receives the packet, compares the packet information with the NAT policy and decides whether it needs to perform NAT. Because the packet matches the policy, the firewall performs NAT and changes the private address 192.168.1.5 to 200.200.200.1. In this case the source port, 1024, is not in use in the NAT table, so it is kept and the port number is not changed. Note that the firewall adds this NAT entry to its NAT table so that it can handle the traffic returning to the local network. The server receives the translated packet; once again the NAT process is transparent to both the source host and the server. When the server sends the packet back, it uses destination IP address 200.200.200.1 and destination port 1024. When the firewall receives the incoming packet, it decides whether to perform NAT and then looks for a matching entry in the NAT table. On finding a match, it changes the destination address from 200.200.200.1 to 192.168.1.5 and restores the original port. As another example, suppose a local host at 192.168.1.6 also telnets to 201.201.201.2 with source port 1024.
Figure 3.10 PAT example
The firewall receives the packet, and the packet matches the configured NAT policy. The firewall creates a NAT entry in the NAT table for the user's connection; in this case the public IP address 200.200.200.1 is used. However, because source port 1024 already exists in the NAT table, the firewall assigns a different port, 1025, to this user's connection. The different source ports let the destination device distinguish the connections of 192.168.1.5 and 192.168.1.6, and also let the firewall translate the packets returning from 201.201.201.2.
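The NAT and PAT walkthroughs of figures 3.9 and 3.10, reproduced by a small Python translation table added here as an illustration (not the thesis's or Cisco's code). Dynamic NAT hands each inside host its own address from a pool and keeps the port; PAT shares one address and moves to the next free port when two hosts use the same source port, which is the 1024/1025 case in the text. The Translator class, its two modes and the pool exhaustion error are simplifications assumed for the example.

```python
# Added example: a toy NAT/PAT translation table reproducing the walkthroughs
# of figures 3.9 and 3.10. Not from the thesis or Cisco; the "nat"/"pat" modes
# and the pool handling are simplifications of the real ASA behaviour.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Translator:
    """mode="nat": each inside host gets its own global address from a pool and
    keeps its port; mode="pat": one global address, ports reassigned on clash."""

    def __init__(self, inside_net: str, global_addrs: list, mode: str):
        if mode not in ("nat", "pat"):
            raise ValueError("mode must be 'nat' or 'pat'")
        self.inside_net = ipaddress.ip_network(inside_net)
        self.mode = mode
        self.free_pool = list(global_addrs)   # NAT: addresses not yet handed out
        self.pat_addr = global_addrs[0]       # PAT: the single shared address
        self.host_map = {}                    # NAT: local_ip -> global_ip
        self.xlate = {}                       # (local_ip, local_port) -> (global_ip, global_port)
        self.rxlate = {}                      # reverse map used for return traffic

    def outbound(self, p: Packet) -> Packet:
        """Translate the source of an inside -> outside packet, creating an entry if needed."""
        if ipaddress.ip_address(p.src) not in self.inside_net:
            return p                          # does not match the NAT policy: untouched
        key = (p.src, p.sport)
        if key not in self.xlate:
            if self.mode == "nat":
                if p.src not in self.host_map:
                    if not self.free_pool:
                        raise RuntimeError("global address pool exhausted")
                    self.host_map[p.src] = self.free_pool.pop(0)
                mapped = (self.host_map[p.src], p.sport)      # NAT never changes the port
            else:
                mapped = (self.pat_addr, self._free_port(p.sport))
            self.xlate[key] = mapped
            self.rxlate[mapped] = key
        gip, gport = self.xlate[key]
        return Packet(gip, gport, p.dst, p.dport)

    def _free_port(self, wanted: int) -> int:
        """PAT keeps the original source port when unused, else picks the next free one."""
        used = {gport for (gip, gport) in self.rxlate if gip == self.pat_addr}
        port = wanted
        while port in used:
            port += 1
            if port > 65535:
                raise RuntimeError("no free PAT ports")
        return port

    def inbound(self, p: Packet):
        """Translate the destination of an outside -> inside packet; None if no entry matches."""
        mapped = (p.dst, p.dport)
        if mapped not in self.rxlate:
            return None                       # no translation entry: the firewall drops it
        lip, lport = self.rxlate[mapped]
        return Packet(p.src, p.sport, lip, lport)


def pat_walkthrough() -> list:
    """Figure 3.10: two inside hosts telnet to 201.201.201.2 from the same source port."""
    fw = Translator("192.168.1.0/24", ["200.200.200.1"], mode="pat")
    out1 = fw.outbound(Packet("192.168.1.5", 1024, "201.201.201.2", 23))
    out2 = fw.outbound(Packet("192.168.1.6", 1024, "201.201.201.2", 23))
    back = fw.inbound(Packet("201.201.201.2", 23, out2.src, out2.sport))
    return [(out1.src, out1.sport), (out2.src, out2.sport), (back.dst, back.dport)]
```

pat_walkthrough returns the translated source of each host and the restored destination of the server's reply: the first host keeps port 1024, the second is moved to 1025, and the reply to 200.200.200.1:1025 is mapped back to 192.168.1.6:1024. A return packet with no entry in the table yields None, which is the drop the text describes.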
3.4 Configuring NAT
This section focuses mainly on the address translation policies that translate traffic passing through your devices. We will show how to configure dynamic NAT and PAT, how to configure static NAT and PAT, how to limit the number of TCP connections, how to prevent TCP SYN flood attacks, and how to verify the translation configuration. A translated address must meet the following requirements.

Configuration requirements
In version 6 and earlier, you always had to configure a NAT rule for packets; in other words, if a packet was not permitted by a NAT rule, it was dropped. This rule applied to both inbound and outbound traffic. In version 7, NAT is optional and not required. To enable the NAT requirement, use the following command:
Asa(config)#nat-control
Once translation is required with the nat-control command, the rule is the same as in version 6.0: if no translation policy links the inbound and outbound interfaces and provides a valid translated address, the packet is dropped. There is one exception to this rule: if the two interfaces involved in the communication have the same security level, no translation is needed to pass packets between them.

3.4.1 Configuring dynamic NAT
Configuring a dynamic translation (whether NAT or PAT) involves two steps:
Identify the local addresses that will be translated
Create the global addresses the local addresses can be translated to
We can configure both without difficulty. The following part walks through setting up dynamic NAT and PAT step by step and describes several different examples of dynamic translation.

Identifying the local addresses to translate
To identify the local addresses that may be translated, use the nat command as follows:
ciscoasa(config)# nat (logical_if_name) NAT_ID local_IP_addr subnet_mask [tcp] max_TCP_conns [embryonic_conn_limit] [udp max_UDP_conns] [dns] [norandomseq]
The nat command specifies which local addresses are translated; what they are translated to is specified in the global command. The logical name of the interface where the devices being translated are located appears in parentheses, for example (inside). NAT_ID: the NAT_ID ties the nat and global commands together into one policy. With a few exceptions, the number you use for the NAT_ID (the policy number) does not matter. There is one special case: if you enter 0, you are telling the device that the addresses that follow in the nat command should not be translated. Cisco refers to this feature as identity NAT, introduced in version 6.2. You might use identity NAT if you have a mix of public and private addresses in use inside your network: for the hosts with public addresses, you can disable NAT by using the nat 0 command and specifying the address or addresses of those devices. If you specify a network number for the local address, together with the corresponding subnet mask, you can have every address behind the interface translated by entering a network number and subnet mask of 0. To do that, use the following command:
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
The NAT_ID here corresponds to the one in the global command. Note that the string 0.0.0.0 0.0.0.0 can be shortened to just 0 0. You can limit the total number of TCP connections with max_TCP_conns, and you can also limit the number of half-open TCP connections with embryonic_conn_limit. Starting with version 7.0 you can also limit the maximum number of UDP connections. If you do not configure connection limits for the devices covered by the linked policies, the conn table still supports the permitted devices. To display your nat commands, type: show run nat.

Creating a range of global addresses
A translation policy is always configured between a pair of interfaces, for example inside and outside, or dmz and outside. The nat command defines the local, or source, interface of a translation. To define the destination, or exit, interface that holds the global addresses, use the global command as follows:
ciscoasa(config)# global (logical_if_name) NAT_ID {first_global_IP_addr[-last_global_IP_addr] [netmask subnet_mask] | interface}
The logical_if_name parameter is the logical name of the interface; traffic is translated and sent out on this interface. The NAT_ID is the basic parameter of the command, followed by the global address or addresses that can be used. PAT translations can be removed from the table when there is no corresponding connection in the conn table and the connection idle timer expires, whereas NAT translations are not; they use their own timer (the default expiry time is 3 hours).

Using ACLs
One problem with the nat command is that by default the translation can only be controlled by the local address of the outgoing packets; you cannot control the translation based on both the source and destination addresses. Here we are talking about the part of the policy that identifies the local addresses to translate. To solve this, Cisco lets you tie a translation policy to an access control list (ACL). If traffic matches a permit statement in the ACL, the corresponding policy is used. This is the syntax of the nat command with an ACL:
ciscoasa(config)# nat [(logical_if_name)] NAT_ID access-list ACL_ID [tcp] max_TCP_conns [embryonic_conn_limit] [udp max_UDP_conns] [dns] [norandomseq]
Below are two examples that use ACLs.

Address translation examples
Assuming you have understood the syntax of the global and nat commands, let us understand the address translation policies on the devices better through the following simple example. In figure 3.11, the device performs NAT for any internal host with an address in 192.168.3.0/24 or 192.168.4.0/24. The NAT policy configuration for this example is:
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa(config)# global (outside) 1 200.200.200.10-200.200.200.254 netmask 255.255.255.0
In this example, translation is required by the nat-control command. Every device behind the inside interface has its source address translated to an address in 200.200.200.0 when it exits through the outside interface; the device picks the address automatically.
Figure 3.11 Simple NAT configuration example

Simple PAT configuration example
Figure 3.12 Simple PAT configuration example
We use the network diagram above to illustrate this example. The configuration commands are:
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
This is a PAT example in which the device uses the address of its outside interface for PAT. This address can be static, or it can be acquired dynamically through DHCP or PPPoE. In this example the device connects directly to the ISP and receives its outside interface address automatically.

NAT and PAT configuration example
To illustrate using both a NAT and a PAT policy on one device, we use the following commands:
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 192.168.3.0 255.255.255.0
ciscoasa(config)# global (outside) 1 200.200.200.1-200.200.200.125 netmask 255.255.255.128
ciscoasa(config)# nat (inside) 2 192.168.4.0 255.255.255.0
ciscoasa(config)# global (outside) 2 200.200.200.126 netmask 255.255.255.255
In this example the device combines NAT and PAT for the inside network:
1. 192.168.3.0/24 is translated to 200.200.200.1-125 (using NAT)
2. 192.168.4.0/24 is translated to 200.200.200.126 (using PAT)
Figure 3.13 NAT and PAT configuration example

PAT example with two global addresses
This example shows the use of two global addresses on one device. Using the network diagram of figure 3.11, the configuration is:
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa(config)# global (outside) 1 200.200.200.1 netmask 255.255.255.255
ciscoasa(config)# global (outside) 1 200.200.200.2 netmask 255.255.255.255
This configuration performs PAT on all inside-to-outside connections using the two addresses in the global commands.

PAT and identity NAT
This example uses PAT and identity NAT on one device, with the network diagram of figure 3.13. PAT is applied to 192.168.3.0/24, but no translation is performed for the addresses in 200.200.200.128/25, since those devices already have public IP addresses. The configuration commands are:
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 0 200.200.200.128 255.255.255.128
ciscoasa(config)# nat (inside) 1 192.168.3.0 255.255.255.0 50 25
ciscoasa(config)# global (outside) 1 200.200.200.1 netmask 255.255.255.255
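The nat and global commands of this section, read by a small Python parser added here as an illustration (not the thesis's or Cisco's code). It pairs nat and global commands by NAT_ID, treats nat 0 as identity NAT, distinguishes a NAT address range from a single PAT address, keeps the tcp and embryonic limits, and reports a drop when nat-control is on and no policy matches. The first sample configuration reuses the PAT and identity NAT commands quoted just above; the second, with a dmz interface, is constructed for the example. The placeholder text for global ... interface, the NatPolicy class and the most-specific-rule selection are assumptions of this model.

```python
# Added example: a parser for the nat / global commands used in this section
# and a resolver that reports which translation a source address receives.
# Not from the thesis or Cisco; the sample configurations are constructed (the
# first reuses the identity-NAT commands quoted above).
import ipaddress


class NatPolicy:
    def __init__(self):
        self.nat_control = False
        self.nat_rules = []      # dicts: if, nat_id, network, max_tcp, embryonic
        self.globals = {}        # (egress_if, nat_id) -> list of (kind, [addresses])

    def load(self, config: str) -> None:
        for raw in config.splitlines():
            line = raw.split("(config)#", 1)[-1].strip()   # drop a CLI prompt if present
            if not line:
                continue
            parts = line.split()
            if parts[0] == "nat-control":
                self.nat_control = True
            elif parts[0] == "nat":
                self._parse_nat(parts)
            elif parts[0] == "global":
                self._parse_global(parts)
            else:
                raise ValueError("unsupported command: " + line)

    def _parse_nat(self, parts: list) -> None:
        # nat (if) NAT_ID local_addr mask [tcp] max_TCP_conns [embryonic_conn_limit] [udp n] ...
        addr = "0.0.0.0" if parts[3] == "0" else parts[3]
        mask = "0.0.0.0" if parts[4] == "0" else parts[4]
        rule = {"if": parts[1].strip("()"), "nat_id": int(parts[2]),
                "network": ipaddress.ip_network(addr + "/" + mask, strict=False)}
        limits, skip = [], False
        for tok in parts[5:]:
            if skip:
                skip = False            # the value after "udp": not modelled here
            elif tok == "udp":
                skip = True
            elif tok.isdigit():         # "tcp", "dns", "norandomseq" carry no value
                limits.append(int(tok))
        rule["max_tcp"] = limits[0] if limits else 0
        rule["embryonic"] = limits[1] if len(limits) > 1 else 0
        self.nat_rules.append(rule)

    def _parse_global(self, parts: list) -> None:
        # global (if) NAT_ID {first[-last] [netmask mask] | interface}
        key, spec = (parts[1].strip("()"), int(parts[2])), parts[3]
        if spec == "interface":
            entry = ("pat", ["<address of the %s interface>" % key[0]])   # placeholder
        elif "-" in spec:
            first, last = (int(ipaddress.ip_address(a)) for a in spec.split("-"))
            entry = ("nat", [str(ipaddress.ip_address(i)) for i in range(first, last + 1)])
        else:
            entry = ("pat", [spec])     # a single global address means PAT
        self.globals.setdefault(key, []).append(entry)

    def lookup(self, ingress_if: str, src_ip: str, egress_if: str) -> dict:
        """What happens to src_ip arriving on ingress_if and leaving through egress_if."""
        ip = ipaddress.ip_address(src_ip)
        no_match = {"action": "drop" if self.nat_control else "untranslated"}
        candidates = [r for r in self.nat_rules if r["if"] == ingress_if and ip in r["network"]]
        if not candidates:
            return no_match
        rule = max(candidates, key=lambda r: r["network"].prefixlen)   # most specific wins
        if rule["nat_id"] == 0:
            return {"action": "identity"}          # nat 0: the address is not translated
        pools = self.globals.get((egress_if, rule["nat_id"]))
        if not pools:
            return no_match                        # no global for this interface pair
        kind = "nat" if all(k == "nat" for k, _ in pools) else "pat"
        return {"action": kind, "pool": [a for _, pool in pools for a in pool],
                "max_tcp": rule["max_tcp"], "embryonic": rule["embryonic"]}


PAT_IDENTITY_CONFIG = """
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 0 200.200.200.128 255.255.255.128
ciscoasa(config)# nat (inside) 1 192.168.3.0 255.255.255.0 50 25
ciscoasa(config)# global (outside) 1 200.200.200.1 netmask 255.255.255.255
"""

THREE_IF_CONFIG = """
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa(config)# nat (dmz) 1 192.168.5.0 255.255.255.0
ciscoasa(config)# global (outside) 1 200.200.200.10-200.200.200.254 netmask 255.255.255.0
ciscoasa(config)# global (dmz) 1 192.168.5.10-192.168.5.254 netmask 255.255.255.0
"""


def load_policy(config: str) -> NatPolicy:
    policy = NatPolicy()
    policy.load(config)
    return policy
```

With the first configuration, a source in 200.200.200.128/25 resolves to identity NAT, a source in 192.168.3.0/24 resolves to PAT on 200.200.200.1 with the 50-connection and 25-embryonic limits, and any other inside source is dropped because nat-control is on. With the second, inside hosts going to the dmz draw from the dmz pool and dmz hosts going outside draw from the outside pool, while dmz hosts going to inside have no global and are dropped.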
Figure 3.14 PAT and no-NAT configuration example
In the example above, PAT is applied to addresses from the inside network 192.168.3.0/24 as they leave through the outside interface, while 200.200.200.128/25 is excluded from translation.

NAT with three interfaces
The case with more interfaces is configured in the same way; to see how the configuration grows, look at the following example:
Figure 3.15 NAT configuration example with three interfaces
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa(config)# nat (dmz) 1 192.168.5.0 255.255.255.0
ciscoasa(config)# global (outside) 1 200.200.200.10-200.200.200.254 netmask 255.255.255.0
ciscoasa(config)# global (dmz) 1 192.168.5.10-192.168.5.254 netmask 255.255.255.0
In