Tim hieu ve tuong lua FIREWALL (Understanding firewalls)

May 31, 2018

vananhphan
  • 8/14/2019 Tim hieu ve tuong lua FIREWALL

    1/74

    1


Table of contents

1. Information security on networks
1.1 Why an Internet firewall is needed
1.2 What do you want to protect?
1.2.1 Your data
1.2.2 Your resources
1.2.3 Your reputation
1.3 What do you want to protect against?
1.3.1 Types of attacks
1.3.2 Classifying attackers
1.4 So what is an Internet firewall?
1.4.1 Definition
1.4.2 Functions
1.4.3 Structure
1.4.4 Firewall components and how they work
1.4.5 Limitations of firewalls
1.4.6 Firewall examples
2. Internet services
2.1 World Wide Web - WWW
2.2 Electronic Mail (Email)
2.3 FTP (file transfer protocol, the file transfer service)
2.4 Telnet and rlogin
2.5 Archie
2.6 Finger
3. The firewall system built by CSE
3.1 Overview
3.2 Components of the proxy program suite
3.2.1 Smap: SMTP service
3.2.2 Netacl: network access control tool
3.2.3 Ftp-Gw: proxy server for FTP
3.2.4 Telnet-Gw: proxy server for Telnet
3.2.5 Rlogin-Gw: proxy server for rlogin
3.2.6 Sql-Gw: proxy server for Oracle Sql-net
3.2.7 Plug-Gw: TCP plug-board connection server
3.3 Installation
3.4 Configuration
3.4.1 Initial network configuration
3.4.2 Configuring the bastion host
3.4.3 Setting up the rule set
3.4.4 Authentication and authentication services
3.4.5 Using the CSE Proxy control screen
3.4.6 Issues to consider for users

1. Information security on networks

1.1 Why an Internet firewall is needed

Today the concept of a global network, the Internet, is no longer new. It has become so common that technical journals no longer need to explain it, while other magazines are flooded with articles, long and short, about the Internet. Where the popular magazines dwell on the Internet's attractions, the technical journals concentrate on another aspect: information security. This is a logical progression: after the initial excitement about an information superhighway, you inevitably realise that the Internet not only lets you reach many places in the world, it also lets many uninvited people visit your computer.

Indeed, the Internet offers excellent techniques for everyone to access, exploit and share information. But those same techniques are the main risk that leads to your information being damaged or destroyed entirely.

According to figures from CERT (Computer Emergency Response Team), the number of attacks on the Internet reported to that organization was fewer than 200 in 1989, about 400 in 1991, 1400 in 1993 and 2241 in 1994. These attacks targeted every kind of computer on the Internet: the computers of large companies such as AT&T and IBM, universities, government agencies, military organizations, banks... Some attacks were enormous in scale (up to 100,000 computers attacked). Moreover, these figures are only the tip of the iceberg. A very large share of attacks are never reported, for many reasons, among them fear of losing reputation, or simply because the system administrators never knew about the attacks on their systems.

Not only is the number of attacks growing rapidly, the attack methods are also continually being refined. This is partly because the administrators of systems connected to the Internet are increasingly vigilant. Also according to CERT, attacks in the period 1988-1989 mainly consisted of guessing user-ID/password pairs or exploiting bugs in programs and in the operating system (security holes) to disable the protection system, whereas more recent attacks include techniques such as IP address spoofing, monitoring information as it passes over the network, and hijacking remote sessions (telnet or rlogin).

1.2 What do you want to protect?

The basic task of a firewall is protection. If you want to build a firewall, the first thing you need to consider is exactly what you need to protect.

1.2.1 Your data

The information stored on a computer system needs protection because of the following requirements:

Confidentiality: information of economic, military or political value, etc., must be kept secret.

Integrity: information must not be lost, altered or swapped.

Availability: information must be accessible at exactly the moment it is needed.

Of these, confidentiality is usually regarded as requirement number one for information stored on a network. However, even when the information need not be kept secret, the integrity requirement is still very important. No individual or organization would waste material resources and time storing information without being sure that it is correct.

1.2.2 Your resources

In practice, in attacks over the Internet, once attackers have taken control of an internal system they can use those machines for their own purposes, such as running password-guessing programs or using the available network links to go on attacking other systems, etc.

1.2.3 Your reputation

As noted above, a large share of attacks are not widely reported, and one of the reasons is fear of damaging the organization's reputation, especially for large companies and important government agencies. When the system administrator only learns of an attack after their own system has been used as a springboard to attack other systems, the loss of reputation is very large and can have long-lasting consequences.

1.3 What do you want to protect against?

Then there is what you have to worry about: which kinds of attacks will you face on the Internet, and who will carry them out?

1.3.1 Types of attacks

There are many kinds of attacks on a system, and many ways of classifying them. Here we divide them into the following main kinds:

1.3.1.1 Direct attacks

Direct attacks are usually used in the first phase, to gain access to the inside of the system. A classic method is guessing username-password pairs. It is simple, easy to carry out and needs no special precondition to begin. The attacker can use information such as the user's name, date of birth, address, house number, etc., to guess the password. Given a list of users and information about their working environment, there are programs that automate this password search. One program, easily obtained from the Internet, that cracks the encrypted passwords of Unix systems is called crack; it tries combinations of words from a large dictionary according to rules the user defines. In some cases the success rate of this method can reach 30%.
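A small version of the rule-based guessing the text attributes to crack, together with the check an administrator would run to catch such passwords before an attacker does. This is an added example written for this page, not the crack program or code from the document; the user record, word list and salt are constructed, and the salted SHA-256 digest stands in for the Unix crypt(3) hash, which uses a different algorithm.

```python
"""Rule-based password guessing in the style of crack, plus the matching audit check."""
import hashlib
import itertools


def hash_password(salt: str, password: str) -> str:
    """Salted SHA-256 digest: an assumed stand-in for crypt(3), which uses a different scheme."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user record: the kind of environment information the text says attackers collect.
USER = {"login": "nguyen", "name": "Nguyen Van An", "birth_year": "1979", "phone": "555-0142"}
WORDLIST = ["password", "secret", "welcome", "firewall", "dragon"]   # constructed, tiny
SALT = "q7"
# The constructed victim chose a password built from their given name and year of birth.
STORED_HASH = hash_password(SALT, "An1979")


def candidates(user: dict, wordlist: list):
    """Yield guesses: dictionary words and personal data, each run through a few rewrite rules."""
    base = list(wordlist)
    base += [user["login"], user["name"].split()[-1], user["name"].replace(" ", "")]
    base += [user["birth_year"], user["phone"].replace("-", "")]
    year = user["birth_year"]
    seen = set()
    for word in base:
        for variant in (word, word.lower(), word.capitalize(), word[::-1]):   # rules: case, reversal
            for suffix in ("", "1", "123", year, year[-2:]):                   # rules: common suffixes
                guess = variant + suffix
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def crack(stored_hash: str, salt: str, user: dict, wordlist: list, limit: int = 100_000):
    """Return (password, attempts) for the first candidate whose hash matches, else (None, attempts)."""
    attempts = 0
    for guess in itertools.islice(candidates(user, wordlist), limit):
        attempts += 1
        if hash_password(salt, guess) == stored_hash:
            return guess, attempts
    return None, attempts


def is_guessable(password: str, user: dict, wordlist: list) -> bool:
    """The defensive use of the same generator: reject a new password the attacker would try."""
    return any(guess == password for guess in candidates(user, wordlist))


if __name__ == "__main__":
    print(crack(STORED_HASH, SALT, USER, WORDLIST))
```

`crack()` finds a password assembled from the user's own name and birth year within the first couple of hundred guesses, which is the point behind the text's 30% figure: the candidates are not random strings but the words people actually choose. `is_guessable()` applies the same generator to a proposed password, so the guessing rules double as a password policy check.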

The method of exploiting bugs in application programs and in the operating system itself has been used since the very first attacks and is still used to gain access. In some cases this method gives the attacker the privileges of the system administrator (root or administrator).

Two examples frequently cited to illustrate this method are the sendmail program and the rlogin program of the UNIX operating system.

Sendmail is a complex program whose source code runs to thousands of lines of C. Sendmail runs with the system administrator's privileges, because it must be able to write to the mailboxes of the machine's users. And sendmail directly accepts mail requests from the outside network. These are the factors that make sendmail a source of security holes for gaining access to the system.

Rlogin lets a user on one machine on the network log in remotely to another machine in order to use that machine's resources. While reading the user's name and password, rlogin does not check the length of the input line, so an attacker can supply a precomputed string that overwrites rlogin's program code and thereby gain access.

1.3.1.2 Eavesdropping

Eavesdropping on network traffic can yield information such as users' username-password pairs and secret information passing over the network. Eavesdropping is usually carried out right after the attacker has gained access to the system, using programs that put the network interface card (NIC) into a mode in which it receives all information travelling on the network. Such programs can also easily be obtained from the Internet.

1.3.1.3 Address spoofing

IP address spoofing can be carried out using the source-routing capability. In this attack the attacker sends IP packets to the internal network with a spoofed source IP address (usually the address of a network or a host that the internal network regards as trusted), and at the same time specifies the route the IP packets must follow, so that the replies come back to the attacker.

1.3.1.4 Denial of service

This kind of attack aims to paralyse the system so that it cannot perform the function it was designed for. It usually cannot be prevented, because the means used to mount the attack are the very means used to work and access information on the network. An example is sending ping requests at the highest possible rate, forcing a system to spend all its computing power and network capacity answering them and leaving no resources for other work.

1.3.1.5 System administrator errors

This is not a kind of attack by intruders; however, the system administrator's errors often create holes that let attackers gain access to the internal network.

1.3.1.6 Attacks on the human factor

An attacker may contact a system administrator, posing as a user, and ask for their password or their access rights on the system to be changed, or even for part of the system's configuration to be changed so that other attack methods can be carried out. No device can effectively block this kind of attack; the only way is to educate the users of the internal network about strict security requirements and to be wary of suspicious events. In general the human factor is a weak point in any protection system, and only education together with the cooperation of the users can raise the security of the protection system.

1.3.2 Classifying attackers

There are many attackers on the global Internet and we cannot classify them precisely; any classification of this kind should be regarded as an introduction rather than a rigid view.

1.3.2.1 Passers-by

Passers-by are people bored with their daily work who are looking for new amusements. They break into your computer because they think you may have interesting data, or because they enjoy using other people's computers, or simply because they have nothing better to do. They may be curious, but they do not intend to harm you. However, they often damage the system while breaking in or while covering their tracks.

1.3.2.2 Vandals

Vandals deliberately destroy your system; they may dislike you, or they may not know you at all but find pleasure in destruction.

Usually, vandals are fairly rare on the Internet. Nobody likes them. Many people even enjoy hunting down and stopping vandals. Nevertheless, vandals often cause serious damage to your system, such as deleting all your data or damaging the hardware of your computer...

1.3.2.3 Score-keepers

Many passers-by are drawn into breaking in and vandalising. They want to assert themselves through the number and kinds of systems they have broken into. Breaking into famous, tightly guarded or elaborately designed places scores many points for them. But they will also attack everything they can, for quantity as well as quality. These people are not interested in the information you have or the other characteristics of your resources. However, to reach their goal of breaking in, they will, intentionally or not, damage your system.

1.3.2.4 Spies

Today a great deal of important information is stored on computers, such as military and economic information... Computer espionage is a complex problem that is hard to detect. In practice most organizations cannot defend effectively against this kind of attack, and you can be sure that the Internet link is not the easiest path for a spy to gather information.

1.4 So what is an Internet firewall?

1.4.1 Definition

The term firewall comes from a technique in building construction for stopping and limiting fire. In information networking, a firewall is a technique integrated into the network system to block unauthorized access, in order to protect internal information sources and to limit the entry into the system of other, unwanted information. A firewall can also be understood as a mechanism for protecting a trusted network from untrusted networks.

An Internet firewall is a device (hardware plus software) placed between the network of an organization, a company or a country (the intranet) and the Internet. Its role is to protect the intranet's information from the outside Internet.

1.4.2 Functions

The Internet firewall (from now on simply called the firewall) is a component placed between the intranet and the Internet to control all traffic and access between them, including the following:

The firewall decides which inside services may be accessed from the outside, which people from the outside may access the inside services, and which outside services may be accessed by people on the inside.

For the firewall to work effectively, all exchange of information from inside to outside and vice versa must pass through the firewall.

Only exchanges permitted by the security policy of the internal network are allowed to flow through the firewall.

The functional diagram of a firewall is shown in Figure 2.1.

[Figure 2.1: Intranet - firewall - Internet]

Figure 2.1 Functional diagram of a firewall

1.4.3 Structure

A firewall consists of:

One or more host systems connected to routers, or having router functions themselves.

Security management software running on the host system. Usually these are authentication, authorization and accounting systems.

We will cover the operation of these systems in more detail later.

1.4.4 Firewall components and how they work

A standard firewall consists of one or more of the following components:

Packet filter (packet-filtering router)

Application gateway (application-level gateway or proxy server)

Circuit-level gateway

1.4.4.1 Packet filter (packet-filtering router)

1.4.4.1.1 Principle

When we speak of data traffic between networks passing through a firewall, it means the firewall works closely with the TCP/IP internetworking protocol. This protocol works by splitting the data received from network applications, or more precisely from the services running over the protocols (Telnet, SMTP, DNS, SNMP, NFS...), into data packets, giving each packet addresses that identify it, and reassembling the packets at their destination. For this reason every kind of firewall is closely concerned with packets and with their address numbers.

The packet filter permits or denies each packet it receives. It examines the packet header to decide whether the packet satisfies one of the packet-filtering rules. These rules are based on the information in the packet header that is used to forward packets across the network, namely:

Source IP address

Destination IP address

Transport protocol (TCP, UDP, ICMP, IP tunnel)

TCP/UDP source port

TCP/UDP destination port

ICMP message type

Incoming interface of the packet

Outgoing interface of the packet

If a rule is satisfied, the packet is passed through the firewall; otherwise it is dropped. Thus the firewall can block connections to specified hosts or networks, or lock out access to the internal network from addresses that are not permitted. Moreover, control over ports lets the firewall permit only certain types of connection to certain kinds of host, or allow only certain services (Telnet, SMTP, FTP...) to run on the local network.

1.4.4.1.2 Advantages

Most firewall systems use packet filtering. One advantage of packet filtering is low cost, since the filtering mechanism is included in the software of every router. In addition, packet filtering is transparent to users and applications, so it requires no special training.

1.4.4.1.3 Limitations

Defining packet-filtering policies is a fairly complex task; it requires the network administrator to have detailed knowledge of Internet services, of packet header formats and of the specific values each field can take. As the filtering requirements grow, the rules become longer and more complex, and hard to manage and control.

Because it works on packet headers, the packet filter clearly cannot control the content of the packets. Packets passing through it can still carry an attacker's intent to steal information or to cause damage.

1.4.4.2 Application gateway (application-level gateway)

1.4.4.2.1 Principle

This is a kind of firewall designed to strengthen control over the services and protocols permitted to access the network. It works by means of what is called a proxy service.

Proxy services are special programs installed on the gateway, one for each application. If the network administrator does not install a proxy program for an application, the corresponding service is not provided and therefore no information for it can pass through the firewall. Moreover, the proxy code can be configured to support only those features of the application that the administrator considers acceptable, while denying the others. An application gateway is usually regarded as a bastion host, because it is specially designed to resist attack from the outside. The security measures of a bastion host are:

The bastion host always runs secure versions of the system software (operating system). These secure versions are designed specifically to resist attacks on the operating system and to ensure integration with the firewall.

Only the services the network administrator considers necessary are installed on the bastion host, for the simple reason that a service that is not installed cannot be attacked. Usually only a limited set of applications, for the Telnet, DNS, FTP and SMTP services and for user authentication, is installed on the bastion host.

The bastion host may require different levels of authentication, for example user passwords or smart cards.

Each proxy is configured to allow access to only a certain set of hosts. That is, the command set and the features set up for each proxy apply only to a certain set of hosts on the whole system.

Each proxy maintains a log that records every detail of the traffic passing through it, every connection and the duration of each connection. This log is very useful in tracing or stopping intruders.

Each proxy is independent of the other proxies on the bastion host. This makes it easy to install a new proxy, or to remove a proxy that has a problem.

Example: Telnet proxy

Suppose a user (call them the outside client) wants to use TELNET to connect into the network through a bastion host that has a Telnet proxy. The process goes as follows:

1. The outside client telnets to the bastion host. The bastion host checks the password; if it is valid, the outside client is admitted to the Telnet proxy's interface. The Telnet proxy allows only a small set of Telnet commands, and decides which internal hosts the outside client is allowed to reach.

2. The outside client names the destination host, and the Telnet proxy opens its own connection to the internal host and relays commands to it on behalf of the outside client. The outside client believes the Telnet proxy is the real internal host, while the internal host believes the Telnet proxy is the real client.

1.4.4.2.2 Advantages

It lets the network administrator completely control each service on the network, because the proxy application restricts the command set and decides which hosts can be reached by the service.

It lets the network administrator completely control which services are permitted, because the absence of a proxy for a service means that service is blocked.

The application gateway allows very good authentication checking, and it keeps a log recording information about access to the system.

The filtering rules for an application gateway are easier to configure and check than those of a packet filter.

1.4.4.2.3 Limitations

It requires users to modify their procedures, or to modify the software installed on the client machine, in order to reach the proxy services. For example, Telnet access through an application gateway requires two connection steps to reach the destination host instead of one. However, there is some client software that makes the application gateway transparent by letting the user name the destination host, rather than the application gateway, on the Telnet command line.

1.4.4.3 Circuit-level gateway

The circuit-level gateway is a special function that can be performed by an application gateway. It simply relays TCP connections without performing any additional processing or packet filtering.

Figure 2.2 illustrates a Telnet connection through a circuit-level gateway. The gateway simply relays the Telnet connection through the firewall without inspecting, filtering or controlling the Telnet protocol in any way. It works like a wire, copying bytes between the inside connection and the outside connection. However, because the connection appears to originate from the firewall system, it hides information about the internal network.

Circuit-level gateways are usually used for outgoing connections, where the network administrators genuinely trust the internal users. The greatest advantage is that a bastion host can be configured as a hybrid, providing an application gateway for incoming connections and a circuit-level gateway for outgoing connections. This makes the firewall system easy to use for people on the internal network who want direct access to Internet services, while still providing the firewall function of protecting the internal network from outside attacks.

[Figure 2.2: outside host - Circuit-level Gateway - inside host; the gateway copies bytes between the outside ("out") and inside ("in") connections]

Figure 2.2 Circuit-level gateway
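The two-step exchange of the Telnet proxy example (authenticate at the bastion host, then let the proxy open its own connection to a permitted internal host) and the byte-copying relay of the circuit-level gateway can be shown together in one small program. The following is an added example written for this page; it is not code from the original document or from any of the proxy suites it mentions. The password, the internal host name "inside-app", the single-command set and the use of loopback sockets are assumptions made for the demonstration, and the internal host is a constructed stand-in that merely echoes what it receives in upper case.

```python
"""Application-level gateway in the style of the Telnet proxy above, with a circuit-level relay."""
import contextlib
import socket
import threading

PROXY_PASSWORD = b"example-secret"   # constructed; password, command set and allowlist are assumptions
ALLOWED_COMMANDS = {b"connect"}
INSIDE_HOSTS = {}   # name -> (ip, port); filled in by demo() with the stand-in internal host
LOG = []            # the proxy's log: every decision is recorded, as the text requires

def read_line(sock):
    """Read one line byte by byte (bounded to 1024) so nothing beyond the newline is consumed."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < 1024 and (chunk := sock.recv(1)):
        buf += chunk
    return buf.strip()

def relay(src, dst):
    """Circuit-level part: copy bytes from src to dst until src closes, then pass the EOF on."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def handle_client(conn):
    """Step 1: authenticate and restrict the command set. Step 2: connect inside and relay."""
    with conn:
        conn.sendall(b"password: ")
        if read_line(conn) != PROXY_PASSWORD:
            LOG.append("auth-failed")
            conn.sendall(b"denied\n")
            return
        conn.sendall(b"proxy> ")
        parts = read_line(conn).split()
        if not parts or parts[0] not in ALLOWED_COMMANDS:
            LOG.append("bad-command")
            conn.sendall(b"unknown command\n")
            return
        target = parts[1].decode(errors="replace") if len(parts) > 1 else ""
        if target not in INSIDE_HOSTS:   # only allowlisted internal hosts are reachable
            LOG.append(f"refused:{target}")
            conn.sendall(b"host not permitted\n")
            return
        inside = socket.create_connection(INSIDE_HOSTS[target])
        LOG.append(f"connected:{target}")
        conn.sendall(b"connected\n")
        with inside:                     # from here on the proxy is just a wire
            back = threading.Thread(target=relay, args=(inside, conn), daemon=True)
            back.start()
            relay(conn, inside)
            back.join()

def serve(handler):
    """Listen on a loopback port; each accepted connection goes to handler in its own thread."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def echo_handler(conn):
    """Constructed stand-in for the internal host: it only ever sees the proxy as its client."""
    with conn:
        while data := conn.recv(4096):
            conn.sendall(data.upper())

def demo():
    """Outside client runs one permitted and three refused sessions; returns what it saw."""
    INSIDE_HOSTS["inside-app"] = serve(echo_handler)
    proxy = serve(handle_client)

    def session(password, command, payload=b""):
        with socket.create_connection(proxy) as c:
            c.settimeout(5)
            c.recv(64)                   # "password: " prompt
            c.sendall(password + b"\n")
            reply = c.recv(64)
            if reply != b"proxy> ":
                return reply
            c.sendall(command + b"\n")
            reply = c.recv(64)
            if reply != b"connected\n":
                return reply
            c.sendall(payload)
            return c.recv(64)
    return {
        "good": session(PROXY_PASSWORD, b"connect inside-app", b"hello\n"),
        "bad_password": session(b"wrong", b"connect inside-app"),
        "bad_command": session(PROXY_PASSWORD, b"rm -rf /"),
        "bad_host": session(PROXY_PASSWORD, b"connect payroll-db"),
    }

if __name__ == "__main__":
    print(demo())
```

Running the file starts the stand-in internal host and the proxy on 127.0.0.1, walks an outside client through one permitted session and three refused ones (wrong password, a command outside the allowed set, a host outside the allowlist) and prints what the client saw. Two points from the text are visible in the code: the inside host only ever sees a connection from the proxy, and once `connect` has succeeded the proxy does no further inspection of the bytes it copies, which is exactly the circuit-level behaviour and the reason the text recommends it only where the users are trusted.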

1.4.5 Limitations of firewalls

A firewall is not as intelligent as a person; it cannot understand each kind of information and analyse whether its content is good or bad. A firewall can only block the entry of unwanted information sources when the address parameters are clearly specified.

A firewall cannot stop an attack that does not "pass through" it. Concretely, a firewall cannot defend against an attack arriving over a dial-up line, or against the leaking of information by illegally copying data onto floppy disks.

A firewall also cannot defend against data-driven attacks, in which a program is sent by electronic mail, passes through the firewall into the protected network and starts running there.

One example is computer viruses. The firewall cannot scan the data passing through it for viruses, because of its working speed, the continual appearance of new viruses, and the many ways of encoding data so as to escape the firewall's control.

1.4.6 Firewall examples

1.4.6.1 Packet-filtering router

The most common Internet firewall system consists of just a packet-filtering router placed between the internal network and the Internet (Figure 2.3). A packet-filtering router has two functions: forwarding traffic between the two networks, and using packet-filtering rules to permit or deny that traffic. Basically, the filtering rules are defined so that hosts on the internal network have direct access to the Internet, while hosts on the Internet have only limited access to the computers on the internal network. The guiding idea of this firewall structure is that whatever is not explicitly permitted is denied.

[Figure 2.3: The Internet (outside) - Packet-filtering router - internal network (inside)]

Figure 2.3 Packet-filtering router

Advantages:

low cost (and simple configuration)

transparent to users

Limitations:

It has all the limitations of a packet-filtering router, namely it is vulnerable to attacks on filters whose configuration is imperfect, or to attacks tunnelled under the permitted services.

Because packets are exchanged directly between the two networks through the router, the exposure to attack is determined by the number of hosts and services permitted. As a result, every host permitted direct access to the Internet needs a sophisticated authentication system and must be checked regularly by the network administrator for signs of attack.

If the packet-filtering router fails for any reason, every system on the internal network can be attacked.

1.4.6.2 Screened host firewall

This system consists of a packet-filtering router and a bastion host (Figure 2.4). It provides higher security than the previous system, because it implements security at both the network layer (packet filtering) and the application layer. Correspondingly, an attacker must break through both layers of security to attack the internal network.

[Figure 2.4: The Internet (outside) - Packet-filtering router - inside: information server, bastion host, internal hosts]

Figure 2.4 Screened host firewall (single-homed bastion host)

In this system the bastion host sits on the internal network. The filtering rules on the packet-filtering router are defined so that all outside systems can reach only the bastion host; traffic to every other internal system is blocked. Because the internal systems and the bastion host are on the same network, the organization's security policy decides whether the internal systems may reach the Internet directly or must use the proxy services on the bastion host. Internal users can be forced through the proxies by configuring the router's filter to accept outbound internal traffic only when it originates from the bastion host.

Advantages:

A server providing public information via the Web and FTP services can be placed on the network behind the packet-filtering router alongside the bastion host. Where the highest security is required, the bastion host can run proxy services that require all users, inside and outside, to go through the bastion host before reaching the server. Where such high security is not required, internal hosts can connect to the server directly.

If still higher security is needed, a dual-homed bastion host firewall system can be used (Figure 2.5). Such a bastion host has two network interfaces, but direct forwarding between the two interfaces, bypassing the proxy services, is disabled.

[Figure 2.5: The Internet (outside) - Packet-filtering router - information server - dual-homed bastion host - internal hosts (inside)]

Figure 2.5 Screened host firewall (dual-homed bastion host)

Because the bastion host is the only internal system reachable from the Internet, attacks are limited to the bastion host. However, if a user can log in to the bastion host, they can easily reach the whole internal network. Therefore ordinary user logins on the bastion host must be forbidden.

1.4.6.3 Demilitarized zone (DMZ) or screened-subnet firewall

This system consists of two packet-filtering routers and a bastion host (Figure 2.6). It is the most secure of these firewall systems, because it provides both levels of security, network and application, while defining a demilitarized network. The DMZ acts as a small isolated network placed between the Internet and the internal network. Basically, the DMZ is configured so that systems on the Internet and on the internal network can reach only a limited number of systems on the DMZ, and direct transmission across the DMZ is impossible.

For incoming traffic, the outer router protects against standard attacks (such as IP address spoofing) and controls access to the DMZ. It allows outside systems to reach only the bastion host, and possibly the information server. The inner router provides a second line of defence by allowing traffic from the DMZ into the internal network only when it originates from the bastion host.

For outgoing traffic, the inner router controls the internal network's access to the DMZ. It allows internal systems to reach only the bastion host, and possibly the information server. The filtering rules on the outer router enforce the use of the proxy services by permitting outgoing traffic only when it originates from the bastion host.

Advantages:

An attacker must break through three layers of protection: the outer router, the bastion host and the inner router.

Because the outer router advertises only the DMZ network to the Internet, the internal network is invisible. Only a few selected systems on the DMZ are known to the Internet, through routing tables and DNS information exchange (Domain Name Server).

Because the inner router advertises only the DMZ network to the internal network, systems on the internal network cannot reach the Internet directly. This ensures that internal users are forced to reach the Internet through the proxy services.

[Figure 2.6: The Internet (outside) - Outside router - DMZ: information server, bastion host - Inside router - internal network (inside)]

Figure 2.6 Screened-subnet firewall
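The header fields listed in section 1.4.4.1 and the two-router policy of the screened-subnet firewall just described can be put into one small first-match rule engine. The following is an added example written for this page, not configuration from the original document or from any router vendor; the addresses (10.0.0.0/8 for the internal network, 192.0.2.0/24 for the DMZ, 192.0.2.10 for the bastion host, 192.0.2.20 for the information server), the interface names and the permitted ports are assumptions chosen for the demonstration. It serves both passages: the engine is the packet filter of 1.4.4.1, and the two rule lists are the outer and inner routers of 1.4.6.3, including the anti-spoofing check the text assigns to the outer router.

```python
"""First-match packet filter with the outer and inner router policies of a screened subnet."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter sees; the payload is deliberately not part of it."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    in_if: str                      # interface the packet arrived on
    out_if: str                     # interface it would be forwarded out of
    dport: Optional[int] = None
    sport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One filter rule; a field left at its default matches anything."""
    action: str                     # "permit" or "deny"
    src: str = ANY
    dst: str = ANY
    proto: str = "any"
    in_if: str = "any"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.in_if in ("any", p.in_if)
                and self.dport in (None, p.dport)
                and self.icmp_type in (None, p.icmp_type))


def filter_packet(rules: list, p: Packet) -> str:
    """First matching rule wins; a packet no rule permits is dropped (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Assumed addressing for the screened subnet (documentation ranges, not a real deployment).
INTERNAL = "10.0.0.0/8"
DMZ = "192.0.2.0/24"
BASTION = "192.0.2.10/32"
INFO_SERVER = "192.0.2.20/32"

# Outer router: "ext" faces the Internet, "dmz" faces the screened subnet.
OUTER_RULES = [
    Rule("deny", src=DMZ, in_if="ext"),        # anti-spoofing: our own addresses never arrive from outside
    Rule("deny", src=INTERNAL, in_if="ext"),
    Rule("permit", dst=BASTION, proto="tcp", in_if="ext", dport=25),       # mail to the SMTP proxy
    Rule("permit", dst=BASTION, proto="tcp", in_if="ext", dport=23),       # the Telnet proxy
    Rule("permit", dst=INFO_SERVER, proto="tcp", in_if="ext", dport=80),   # public web server
    Rule("permit", src=BASTION, in_if="dmz"),  # outgoing traffic only if it originates at the bastion
]

# Inner router: "dmz" faces the screened subnet, "int" faces the internal network.
INNER_RULES = [
    Rule("deny", src=INTERNAL, in_if="dmz"),   # anti-spoofing in the other direction
    Rule("permit", src=BASTION, dst=INTERNAL, in_if="dmz"),      # only bastion-initiated traffic enters
    Rule("permit", src=INTERNAL, dst=BASTION, in_if="int"),      # inside users reach the proxies
    Rule("permit", src=INTERNAL, dst=INFO_SERVER, in_if="int"),
]


def demo() -> dict:
    """Constructed packets run through the two routers; returns the verdict for each case."""
    outside, inside, bastion, info = "203.0.113.5", "10.1.1.5", "192.0.2.10", "192.0.2.20"
    cases = {
        "internet_to_bastion_smtp": (OUTER_RULES, Packet(outside, bastion, "tcp", "ext", "dmz", dport=25)),
        "internet_to_internal_direct": (OUTER_RULES, Packet(outside, inside, "tcp", "ext", "dmz", dport=25)),
        "spoofed_internal_source": (OUTER_RULES, Packet(inside, bastion, "tcp", "ext", "dmz", dport=25)),
        "ping_flood_from_outside": (OUTER_RULES, Packet(outside, bastion, "icmp", "ext", "dmz", icmp_type=8)),
        "bastion_to_internet": (OUTER_RULES, Packet(bastion, outside, "tcp", "dmz", "ext", dport=80)),
        "bastion_to_internal": (INNER_RULES, Packet(bastion, inside, "tcp", "dmz", "int", dport=25)),
        "info_server_to_internal": (INNER_RULES, Packet(info, inside, "tcp", "dmz", "int", dport=22)),
        "internal_to_internet_direct": (INNER_RULES, Packet(inside, outside, "tcp", "int", "dmz", dport=80)),
        "internal_to_bastion_proxy": (INNER_RULES, Packet(inside, bastion, "tcp", "int", "dmz", dport=23)),
    }
    return {name: filter_packet(rules, pkt) for name, (rules, pkt) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30} {verdict}")
```

`demo()` runs constructed packets through the outer and inner rule lists. Note what the engine does not see: the payload, so a malicious command inside a permitted SMTP session passes (the limitation in 1.4.4.1.3), and connection state, so a production ruleset of this kind also needs rules for reply packets (historically by matching the TCP ACK bit), which are left out here to keep the policy readable. The anti-spoofing rules sit first on purpose: with first-match semantics, a packet claiming an internal source address on the external interface must be refused before any permit rule for the bastion host can match it.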

  • 8/14/2019 Tim hieu ve tuong lua FIREWALL

    30/74

    30

2. Internet services

As presented above, in general you have to determine what you are protecting when you establish a link to an outside network or to the Internet: your data, your resources and your reputation. When building a Firewall you have to look at more specific questions: which of the services you use, or offer to the outside network (or the Internet), have to be protected.

The Internet provides a set of services that let users connected to the Internet access and use the information on it. This set of services has been, and is still being, extended as the Internet keeps growing.

These services include the World Wide Web (WWW or Web for short), Email (electronic mail), Ftp (file transfer protocol, the file transfer service), telnet (an application that gives access to a remote computer), Archie (a system for locating information about files and directories), finger (a system for identifying users on the Internet), rlogin (remote login) and a number of other services.


2.1 World Wide Web - WWW

The WWW is the most recent Internet service to appear, but it is currently the fastest growing. The Web offers an extremely user-friendly interface that is easy to use and makes finding information very convenient and simple. The Web links information using hyper-link technology, which lets Web pages link to each other directly through their addresses. Through the Web, users can:

- Publish their own news and read news from all over the world

- Advertise themselves, their company or organization, and read advertisements from around the world: job offers, recruitment, new technologies and products, personal ads, and so on

- Exchange information with friends, social organizations, research centres, schools, and so on

- Carry out money transfers or buy and sell goods

- Access the databases of organizations and companies (if permitted)

- And many other activities.


2.2 Electronic Mail (Email)

Email is the most widely used Internet service today. Most messages are plain text, but users can attach files containing images (such as digital photos) or sound. The email system on the Internet is the largest electronic mail system in the world, and it is often used together with other mail transfer systems.

Email capabilities on the Web are more limited than those of the mail transfer systems on the Internet, because the Web is a public medium for exchange whereas mail is something private. For this reason not every Web browser provides an email function. (The two largest browsers today, Netscape and Internet Explorer, both do.)


2.3 Ftp (file transfer protocol, the file transfer service)

Ftp is a service that lets you copy files from one computer system to another. Ftp consists of a protocol and an application program, and it is one of the earliest services to appear on the Internet.

Ftp can be used at the system level (by typing commands on the command line), from a Web browser or from a number of other utilities. Ftp is extremely useful to Internet users, because while browsing the Internet you will find countless libraries of useful software in many fields that you can copy and use.


2.4 Telnet and rlogin

Telnet is an application that lets you log in to a remote computer and run applications on it. Telnet is very useful when you want to run an application that is not available, or does not run, on your own computer, for example when you want to run a Unix application while your machine is a PC, or when your computer is not powerful enough to run some application or does not have the required data files.

Telnet lets you work on a computer thousands of kilometres away while feeling as if you were sitting in front of it.

The function of rlogin (remote login) is similar to that of Telnet.


2.6 Finger

Finger is an application program for finding the addresses of other users on the Internet. At a minimum, finger can tell you who is using a given computer system and what their login names are.

Finger is commonly used to find the email addresses of friends on the Internet. Finger can also give you a lot of other information, such as how long someone has been logged in to the network. Finger can therefore be seen as a very helpful assistant, but also as a threat to the security of the network.


3. The Firewall system built by CSE

Version 1.0 of the CSE Firewall suite was released in June 1998. The suite consists of two components:

- the IP Filtering packet filter

- the application gateway suite (proxy servers)

The two components can operate independently. They can also be combined to form a complete firewall system.

In this document we only discuss the application gateway suite installed at VPCP.


3.1 Overview

The CSE proxy suite (version 1.0) was developed on the basis of the TIS (Trusted Information System) Internet Firewall toolkit, version 1.3. TIS consists of a set of programs and of system reconfiguration aimed at building a Firewall. The suite is designed to run on UNIX systems using TCP/IP with the Berkeley socket interface.

Installing the proxy suite requires experience in UNIX system administration and in TCP/IP networking. At a minimum, the firewall administrator has to be familiar with:

- administering a UNIX system and keeping it running

- building packages for the system

Different configuration choices lead to different levels of network security. Whoever installs the firewall has to understand the security requirements of the network to be protected, know which risks are acceptable and which are not, and gather and analyse them from the users' requirements.

The proxy suite is designed for a number of firewall configurations, of which the most basic are the dual-homed gateway (figure 2.4), the screened host gateway (figure 2.5) and the screened subnet gateway (figure 2.6). As we know, in all of these firewall architectures the most fundamental element is the bastion host, which acts as a forwarder of traffic, logs communications and provides the services. Maintaining the security of the bastion host is extremely important, because that is where most of the effort of installing a firewall system is concentrated.


3.2 Components of the proxy suite

The proxy suite consists of application-level programs that either replace, or are added on to, the existing system software. Its main components are:

- Smap: the SMTP (Simple Mail Transfer Protocol) service

- Netacl: the Telnet and finger services, and the list of network access controls

- Ftp-Gw: proxy server for Ftp

- Telnet-Gw: proxy server for Telnet

- Rlogin-Gw: proxy server for rlogin

- Plug-Gw: the TCP Plug-Board Connection server (a pass-through connection server for the TCP protocol)

3.2.1 Smap: the SMTP service

SMTP is provided using the pair of software tools smap and smapd. The SMTP service can be said to guard against a threat to the system, because mail programs run at the system level in order to deliver mail to users' mailboxes. Smap and smapd do this by isolating the mail program, forcing it to run in a dedicated (restricted) directory via chroot (changing the root directory), as a user without privileges. The purpose of smap is to isolate the mail program, which has caused a great many bugs on systems. Most of the mail processing work is normally carried out by the sendmail program. Sendmail requires no change or reconfiguration at all. When a remote system connects to the SMTP port, the operating system starts smap. Smap immediately chroots to the dedicated directory and sets its user-id to a normal (unprivileged) one. Because smap needs no support from any system file, the dedicated directory contains only files that smap itself creates. Consequently you need not fear that smap will modify system files after it chroots. Smap's sole purpose is to carry on the SMTP dialogue with other systems, collect mail messages, write them to disk, log them, and exit.

Smapd is responsible for regularly scanning smap's spool directory and handing the queued messages to sendmail for final delivery. Note that if sendmail is configured normally and smap runs with the uucp user-id (?), mail can be delivered normally without smapd having to run with high privileges. When smapd has delivered a message, it deletes the file containing that message from the spool.

In this sense sendmail is isolated, and therefore a stranger on the network cannot connect to sendmail without going through smap. However, smap and smapd cannot solve the problem of forged mail or other kinds of mail-based attacks. Smap is very small compared with sendmail (700 lines versus 20,000 lines), so analysing the source to find bugs is far simpler.

3.2.2 Netacl: the network access control tool

We know that inetd provides no network access control at all: it allows any system on the network to connect to the services listed in the inetd.conf file.

Netacl is a network access control tool based on the network address of the client machine and on the service requested. Thus a client (identified by IP address or hostname) can start telnetd (a different version of telnet) when it connects to the telnet service port on the firewall. In typical firewall configurations, netacl is used to deny all machines except a few hosts that are allowed to log in to the firewall via telnet or rlogin, and to block access by attackers.

The security of netacl rests on IP addresses and/or hostnames. For systems that need high security, IP addresses should be used, to avoid DNS spoofing. Netacl cannot defend against IP address forgery via source routing or other means. If such attacks are possible, a router capable of screening source-routed packets has to be used.

Note that netacl provides no access control for UDP, because current technology cannot guarantee the authenticity of UDP. Securing UDP services here means disallowing all UDP services.

Netacl is only about 240 lines of (commented) C code, so it is very easy to review and adjust. It nevertheless has to be configured with care.

3.2.3 Ftp-Gw: proxy server for Ftp

Ftp-Gw is a proxy server that provides network access control based on IP address and/or hostname, and provides secondary access control that optionally blocks or logs any ftp command. The destination of the service can also optionally be permitted or blocked. All connections and all bytes of data transferred are logged.

Ftp-Gw by itself poses no threat to the security of the firewall system, because it runs chrooted to an empty directory and performs no file input/output at all apart from reading its configuration file. Ftp-gw is about 1,300 lines long. The Ftp gateway only provides the ftp service; it does not care who is or is not allowed to export files. Therefore permissions have to be set up on the gateway, and must be checked before any export or import of files. The Ftp gateway should be installed according to the network's security policy. The source suite lets the network administrator provide both the ftp service and the ftp proxy on the same system.

3.2.4 Telnet-Gw: proxy server for Telnet

Telnet-Gw is a proxy server that provides network access control based on IP address and/or hostname, and provides secondary access control that optionally blocks any destination. All connections and all bytes of data transferred are logged. Each time a user connects to telnet-gw, a simple menu of options for connecting to a remote host is presented.

Telnet-gw does not endanger the security of the system, because it runs chrooted to a dedicated (restricted) directory. The source is only about 1,000 lines. Menu processing takes place entirely in memory, with no subshell or other program involved. There is no file input/output other than reading the configuration file. Thus telnet-gw cannot give access to the firewall system itself.

3.2.5 Rlogin-Gw: proxy server for rlogin

Terminal access through the BSD rlogin protocol can be provided through the rlogin proxy. It allows checking and network access control similar to the telnet gateway. An rlogin client can name the remote system as soon as it connects to the proxy, which limits how much the user has to interact with the machine (in the case where no authentication is required).

3.2.6 Sql-Gw: proxy server for Oracle Sql-net

Usually, information in an Oracle database is accessed through the WWW service. However, to support users who connect to the Oracle server with the plus33 program, the CSE firewall suite includes the Sql-net proxy. Access control can be performed by the hostname or IP address of the source and destination machines.

3.2.7 Plug-Gw: TCP Plug-Board Connection server

The Firewall provides common services such as Usenet news. The network administrator can choose either to run this service on the firewall itself or to install a proxy server. Since running news directly on the firewall is prone to causing system faults in that software, the safer approach is to use the proxy. Plug-gw was designed for Usenet News.


Plug-gw can be configured to permit or refuse a connection based on IP address or hostname. All connections and all bytes of data transferred are logged.


3.3 Installation

The installation set consists of two 1.44 Mb floppy disks, R1 and R2. Each installation set has a different Serial number and works only on the machine whose hostname was fixed in advance. Installation is carried out in the normal way with the custom command.

During installation a user named proxy is registered with the system to carry out the proxy management functions. The installer must set a password for this user.

A directory /usr/proxy is created automatically, with the subdirectories:

- bin: the executable programs

- etc: the Firewall configuration files and some example system configuration files for running with the Firewall, such as inetd.conf, services and syslog.conf

- log: the log files

- report: the report files generated later

Configuring and administering the CSE Firewall is done entirely through the menu functions offered when you log in to the Firewall machine as the user proxy. After installation, the following system files should be renamed and saved before configuring:

/etc/inetd.conf

/etc/services

/etc/syslog.conf


3.4 Configuration

3.4.1 Initial network configuration

With a host-based Firewall we can make sure that the network is set up according to a chosen security policy that prevents any unwanted flow of traffic between the protected network and the outside network. This can be done with a screening router or a dual-homed gateway. Usually the network devices all rely on the security mechanism installed on the router through which every connection has to pass.

One thing to watch is that, during installation, the publicly reachable machine (the Firewall bastion host) can be attacked before its security mechanism has been completely configured and is able to run. Therefore inetd.conf should be configured to disable all network services from outside, and the installation should be done from the console.

At that point we can decide which accesses between the protected network and the outside network are to be blocked. Depending on the purpose, we can block accesses according to their direction. The software also needs to be tested carefully before use. If necessary, the /usr/proxy/bin/netscan program can be used to attempt connections to every computer in the subnet as a check. It will try to get through the Firewall in every direction to make sure that illegitimate accesses are impossible. Blocking inbound and outbound access is the linchpin of the Firewall's security; the firewall should not be used until it has been installed and thoroughly tested.


3.4.2 Configuring the Bastion Host

A basic reason for building a Firewall is to block unnecessary services and services that are not well understood. Blocking unnecessary services requires the installer to understand the system's configuration. The steps are as follows:

- Edit the files /etc/inetd.conf, /etc/services, /etc/syslog.conf and /etc/sockd.conf.

- Edit the operating system configuration, remove services that may cause problems such as NFS, then rebuild the kernel.

This can be repeated until the system offers the minimal set of services that the administrator trusts. This configuration can be done while checking, with the ps and netstat commands, which services are actually running. Most servers are configured together with some other form of security; those configurations are covered in a later section. A general tool for probing TCP/IP services is /usr/proxy/bin/portscan, which can be used to see which services are being offered. If there are no special requirements, the ready-made configuration files mentioned above, placed in /usr/proxy/etc at installation, can be used; otherwise they can be consulted and modified as needed.

All components of the Firewall suite require a common configuration file (by default /usr/proxy/etc/netperms). Most components of the Firewall suite are started by the system's inetd service and are declared in /etc/inetd.conf similarly to the following:


    ftp stream tcp nowait root /usr/proxy/bin/netacl ftpd

    ftp-gw stream tcp nowait root /usr/proxy/bin/ftp-gw ftp-gw

    telnet-a stream tcp nowait root /usr/proxy/bin/netacl telnetd

    telnet stream tcp nowait root /usr/proxy/bin/tn-gw tn-gw

    login stream tcp nowait root /usr/proxy/bin/rlogin-gw rlogin-gw

    finger stream tcp nowait nobody /usr/proxy/bin/netacl fingerd

    http stream tcp nowait root /usr/proxy/bin/netacl httpd

    smtp stream tcp nowait root /usr/proxy/bin/smap smap

The netacl program is a TCP wrapper that provides access control for TCP services, and it shares a configuration file with the Firewall.

The first step in configuring netacl is to give the internal network limited access to the Firewall, where this is needed for administration. Depending on whether the TELNET gateway tn-gw is installed, the administrator may reach the Firewall on a port other than the standard telnet port (23). This is because telnet usually does not let the program reach a port other than its standard one. The proxy service will run on port 23 and the real telnet will run on another port, for example the service named telnet-a above (see the inetd.conf above). The correctness of netacl can be verified by configuring it to permit or deny some hosts and then trying to reach the services from them.

Once netacl is configured, the TELNET and FTP gateways have to be configured accordingly. Configuring the TELNET gateway simply means treating it as a service and writing, in netacl.conf, some description of which systems may use it. Help can be offered to users when needed. Configuring the FTP proxy is the same. However, unlike TELNET, FTP can use a different port; many FTP clients support the use of non-standard ports.

The rlogin service is an option that can be used; it has to be installed on the application port of the bastion host (port 512). The rlogin protocol requires a special port, a process that needs the UNIX system's permission. An administrator who wants to use the security mechanism must set up a directory for the proxy so as to confine it to that directory.

Smap and smapd are mail filtering processes that can be installed to use the proxy's own directory for processing, or some other directory on the system. Smap and smapd do not replace sendmail, so sendmail still has to be configured for the Firewall. That is not covered in this document.

3.4.3 Setting up the rule set

When configuring the proxy servers and the network access control program, the essential thing is to set up precisely the rule set that expresses the desired security model. A good way to start configuring the Firewall is to let everyone on the internal network use the services freely while denying everyone outside. Configuring the firewall is not too complicated, because it was designed to support every situation.

The file /usr/proxy/etc/netperms is the configuration and permissions database (configuration/permissions) for the Firewall components: netacl, smap, smapd, ftp-gw, tn-gw, http-gw and plug-gw. When one of these applications starts, it reads its configuration and permissions from netperms and stores them in an in-memory database.

The configuration/permissions file is made up of rules, one rule per line. The first part of each rule is the name of the application, followed by a colon (:). Several applications can share one rule, with their names separated by commas. Comment lines can be inserted into the configuration file by starting the line with the character #.

3.4.3.1 Setting up the rule set for the HTTP and FTP services

Configuring the HTTP and FTP services is similar. We only give details of the configuration and rules for the FTP service.

#Example ftp gateway rules:

#---------------------------------

    ftp-gw: denial-msg /usr/proxy/etc/ftp-deny.txt

ftp-gw: welcome-msg /usr/proxy/etc/ftp-welcome.txt

    ftp-gw: help-msg /usr/proxy/etc/ftp-help.txt

    ftp-gw: permit-hosts 10.10.170.* -log {retr stor}

    ftp-gw: timeout 3600

In the example above, the 10.10.170 network is allowed to use the proxy, while every other host, not being in the list, is denied all access. If another network wants to reach the proxy, it receives the refusal message in /usr/proxy/etc/ftp-deny.txt and the connection is then dropped. If the protected network grows, only more permit lines need to be added:

    ftp-gw: permit-hosts 16.67.32.* -log {retr stor}

    or


    ftp-gw: permit-hosts 16.67.32.* -log {retr stor}

    ftp-gw: permit-hosts 10.10.170.* -log {retr stor}

Each component of the Firewall has its own set of options, described in that component's manual page. In the example above, the option -log {retr stor} makes the FTP proxy log the retr and stor commands.

3.4.3.2 Anonymous FTP

Anonymous FTP servers have been used on UNIX for a long time. Security holes in them regularly appear because of newly added features, the appearance of bugs, and misconfiguration. One approach to securing anonymous FTP is to use netacl to make sure the FTP server is confined to its directory before it is invoked. With such a configuration, it is hard for anonymous FTP to do damage to the system outside the FTP area.

Below is an example of using netacl to decide, for each connection, whether or not to confine the area FTP may use. Assume the protected network is 192.5.12:

    netacl-ftpd: hosts 192.5.12.* -exec /etc/ftpd

    netacl-ftpd: hosts unknown -exec /bin/cat /usr/proxy/etc/noftp.txt

    netacl-ftpd: hosts * -chroot /ftpdir -exec /etc/ftpd

In this example, users who connect to the FTP service from the protected network get normal FTP. Users connecting from systems in a different domain receive a message that they are not allowed to use FTP. Every other system connecting to FTP uses it within the FTP file area. This has a number of advantages for security. First, when checking authentication, ftpd checks the user's password within the FTP area, which lets the administrator create accounts for FTP. This is needed for people who do not have an account on the bastion host: it provides checking and authentication, and it still lets the administrator exploit the strengths of ftpd even though it contains a number of security holes.

3.4.3.3 Telnet and rlogin

In general, access to the bastion host should be denied; only the administrator should be allowed to log in. Usually, when the proxies are running, the telnet and rlogin programs cannot run on their standard ports. There are 3 ways to solve this:

- Run the telnet and rlogin proxies on the standard ports, with telnet and rlogin on other ports, and protect access to them with netacl

- Allow login only from the console

- Use netacl to switch, depending on where the connection comes from, between the proxy and the real connection

The last solution is very convenient, but it lets anyone entitled to use the proxy log in to the bastion host. If the bastion host uses strong authentication to manage user access, the risk from attacks on the bastion host is reduced. To configure the system, first of all every device has to connect to the system through netacl, which hands the connection to either the server program or the proxy server depending on where the connection originates.

An administrator who wants to get into the bastion host first has to connect to netacl and then issue the command to connect to the bastion host. This is simple, because some versions of telnet and rlogin do not work unless they connect to the right port.

    netacl-telnetd: permit-hosts 127.0.0.1 -exec /etc/telnetd

    netacl-telnetd: permit-hosts myaddress -exec /etc/telnetd

    netacl-telnetd: permit-hosts * -exec /usr/proxy/bin/tn-gw

    netacl-rlogin: permit-hosts 127.0.0.1 -exec /etc/rlogin

    netacl-rlogin: permit-hosts myaddress -exec /etc/rlogin

    netacl-rlogin: permit-hosts * -exec /usr/proxy/bin/rlogin-gw
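The rule layout described in 3.4.3 (one rule per line, application name and colon, comma-separated shared rules, # comments), the ftp-gw permit-hosts rules of 3.4.3.1, and the netacl dispatch rules of 3.4.3.2 and 3.4.3.3 all share the same shape. The following Python evaluator is an added example, not code from the CSE or TIS software; it assumes (my assumption, not stated on the page) that rules are checked top to bottom, that the first host pattern matching the client wins, that '*' matches any run of characters in an address, and that a client matching no rule is denied. The sample rules are constructed, modelled on the ones shown above.

```python
"""Evaluator for netperms-style rules (added example, not CSE/TIS code).

Assumptions not stated in the document: rules are scanned top to bottom and
the first permit-hosts / deny-hosts / hosts pattern that matches the client
wins; '*' matches any run of characters in an address; a client matching no
rule at all is denied.
"""
from fnmatch import fnmatchcase

# Constructed sample, modelled on the rules shown in sections 3.4.3.1 to 3.4.3.3.
SAMPLE_NETPERMS = """\
# Example ftp gateway rules:
# ---------------------------
ftp-gw: denial-msg /usr/proxy/etc/ftp-deny.txt
ftp-gw: permit-hosts 10.10.170.* -log {retr stor}
ftp-gw: timeout 3600
# finger: the inside network gets the real daemon, everyone else a refusal text
netacl-fingerd: permit-hosts 190.2.* -exec /etc/fingerd
netacl-fingerd: deny-hosts * -exec /bin/cat /usr/proxy/etc/finger.txt
# telnet: only the firewall itself reaches the real telnetd, others get the proxy
netacl-telnetd: permit-hosts 127.0.0.1 -exec /etc/telnetd
netacl-telnetd: permit-hosts * -exec /usr/proxy/bin/tn-gw
smap, smapd: userid root
"""


def parse_netperms(text):
    """Return a list of (application, keyword, args) tuples in file order.

    A line is 'app1, app2: keyword arg ...'; lines starting with '#' and blank
    lines are ignored; a rule shared by several applications is expanded once
    per application so that lookups stay simple.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: no ':' after the application name")
        apps, body = line.split(":", 1)
        words = body.split()
        if not words:
            raise ValueError(f"line {lineno}: rule has no keyword")
        for app in apps.split(","):
            rules.append((app.strip(), words[0], words[1:]))
    return rules


def split_hosts_and_options(args):
    """Split 'pat pat -opt {a b} -opt2 x' into (patterns, {opt: [values]})."""
    hosts, options, current = [], {}, None
    for tok in args:
        if tok.startswith("-"):
            current = tok[1:]
            options[current] = []
        elif current is None:
            hosts.append(tok)
        else:
            value = tok.strip("{}")   # '{retr' / 'stor}' become 'retr' / 'stor'
            if value:
                options[current].append(value)
    return hosts, options


def decide(rules, app, client_addr):
    """The first host rule of `app` whose pattern matches client_addr decides.

    Returns (allowed, options). A deny-hosts match returns allowed=False but
    still carries its options, so a caller can run e.g. '-exec /bin/cat ...'
    to show the refusal text. No match at all means (False, {}).
    """
    for rule_app, keyword, args in rules:
        if rule_app != app or keyword not in ("permit-hosts", "deny-hosts", "hosts"):
            continue
        patterns, options = split_hosts_and_options(args)
        if any(fnmatchcase(client_addr, p) for p in patterns):
            return keyword != "deny-hosts", options
    return False, {}


def setting(rules, app, keyword):
    """Values of a non-host keyword such as 'timeout' or 'userid', or None."""
    for rule_app, kw, args in rules:
        if rule_app == app and kw == keyword:
            return args
    return None


if __name__ == "__main__":
    rules = parse_netperms(SAMPLE_NETPERMS)
    for app, addr in [("ftp-gw", "10.10.170.7"), ("ftp-gw", "16.67.32.1"),
                      ("netacl-fingerd", "220.10.170.32"),
                      ("netacl-telnetd", "127.0.0.1"),
                      ("netacl-telnetd", "192.5.12.9")]:
        print(app, addr, decide(rules, app, addr))
```

Because the first match wins, the order of the netacl-telnetd lines is what keeps the real telnetd reachable only from the firewall itself; swapping them would hand every client, including 127.0.0.1, to the proxy.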

3.4.3.4 Sql-net proxy

Suppose there are two databases: STU on machine 190.2.2.3 and VPCP on machine 190.2.0.4.

To configure the sql-net proxy, the following steps have to be carried out:

3.4.3.4.1 Configuration on the firewall

Configure the netperms file as follows:

    #Oracle proxy for STU Database

    ora_stu1: timeout 3600

    ora_stu1: port 1521 * -plug-to 190.2.2.3 -port 1521

    ora_stu2: timeout 3600

    ora_stu2: port 1526 * -plug-to 190.2.2.3 -port 1526

    #Oracle proxy for VBPQ Database


    #Oracle Proxy for VBPQ Database

    ora_vpcp1 stream tcp nowait root /usr/proxy/bin/plug-gw ora_vpcp1

    ora_vpcp2 stream tcp nowait root /usr/proxy/bin/plug-gw ora_vpcp2

Set the file /etc/syslog.conf as follows:

    #Logfile for Sql-gw

    sql-gw /usr/proxy/log/plug-gw

3.4.3.4.2 Configuration on the workstation

Set the file oracle_home\network\admin\tnsnames.ora as follows:

    #Logfile for Sql-gw

    stu.world =

    (DESCRIPTION =

    (ADDRESS_LIST =

    (ADDRESS =

    (COMMUNITY = tcp.world)

    (PROTOCOL = TCP)

    (Host = firewall)

    (Port = 1521)

    )

    (ADDRESS =

    (COMMUNITY = tcp.world)


    (PROTOCOL = TCP)

    (Host = firewall)

    (Port = 1526)

    )

    )

    (CONNECT_DATA = (SID = STU)

    )

    )

    vpcp.world =

    (DESCRIPTION =

    (ADDRESS_LIST =

    (ADDRESS =

    (COMMUNITY = tcp.world)

    (PROTOCOL = TCP)

    (Host = firewall)

    (Port = 1421)

    )

    (ADDRESS =

    (COMMUNITY = tcp.world)

    (PROTOCOL = TCP)

    (Host = firewall)

    (Port = 1426)

    )

    )

    (CONNECT_DATA = (SID = ORA1)


    )

    )

You can easily extend this to more databases located on different machines.

3.4.3.5 Other services

Similarly, here are example configurations for the other services declared in the netperms file:

    # finger gateway rules:

    # ---------------------

    netacl-fingerd: permit-hosts 190.2.* ws1 -exec /etc/fingerd

    netacl-fingerd: deny-hosts * -exec /bin/cat /usr/proxy/etc/finger.txt

    # http gateway rules:

    # ---------------------

    netacl-httpd: permit-hosts * -exec /usr/proxy/bin/http-gw

    http-gw: timeout 3600

    #http-gw: denial-msg /usr/proxy/etc/http-deny.txt

    #http-gw: welcome-msg /usr/proxy/etc/http-welcome.txt

    #http-gw: help-msg /usr/proxy/etc/http-help.txt

    http-gw: permit-hosts 190.2.* 10.* 192.2.0.* -log { all }

    http-gw: deny-hosts 220.10.170.32 ws1

    http-gw: default-httpd hpnt

    #

    # smap (E-mail) rules:


    # ----------------------

    smap, smapd: userid root

    smap, smapd: directory /usr/spool/mail

    smapd: executable /usr/proxy/bin/smapd

    smapd: sendmail /usr/lib/sendmail

    smap: timeout 3600

    #

In addition, the CSE Firewall has a socks service for controlling special application software such as Lotus Notes. The following has to be added to the system configuration files:

File /etc/services:

    socks 1080/tcp

    File /etc/inetd.conf:

    socks stream tcp nowait root /etc/sockd sockd

The configuration and rules for this service are in the file /etc/sockd.conf. Only two keywords matter, permit and deny, which allow or refuse hosts passing through; this service is not combined with the authentication service. The IP address and netmask in this file are written exactly as in the UNIX route command.

    permit 190.2.0.0 255.255.0.0

    permit 10.10.170.50 255.255.255.255

    permit 10.10.170.40 255.255.255.255

    permit 10.10.170.31 255.255.255.255

    deny 0.0.0.0 0.0.0.0 : mail -s 'SOCKD: rejected -- from %u@%A to host %Z(service %S)' root
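The permit and deny lines above carry an address and a netmask and are matched the way a routing table entry is. The following Python evaluator is an added example, not CSE code; it assumes (my assumption, not stated on the page) that lines are tried in order, that the first match wins, that the text after ':' on a deny line is the shell command to run on rejection (only recorded here, never executed), and that a client matching no line is refused. The sample file is constructed in the shape of the excerpt above.

```python
"""First-match evaluator for sockd.conf permit/deny lines (added example, not CSE code).

Assumptions not stated in the document: lines are tried in order and the
first match wins; a client matches when (client & mask) == (address & mask),
the same test a routing table applies; the text after ':' on a line is the
shell command run on rejection (only recorded here, never executed).
"""
import ipaddress

# Constructed sample, in the shape of the sockd.conf excerpt above.
SAMPLE_SOCKD_CONF = """\
permit 190.2.0.0 255.255.0.0
permit 10.10.170.50 255.255.255.255
permit 10.10.170.40 255.255.255.255
deny 0.0.0.0 0.0.0.0 : mail -s 'SOCKD: rejected -- from %u@%A to host %Z(service %S)' root
"""


def _ip_int(text):
    """Dotted-quad string -> 32-bit integer (raises ValueError on junk)."""
    return int(ipaddress.IPv4Address(text))


def parse_sockd_conf(text):
    """Return a list of (verb, address, mask, action); address/mask are ints."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        body, _, action = line.partition(":")   # split at the first ':' only
        fields = body.split()
        if len(fields) != 3 or fields[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: expected 'permit|deny ADDRESS MASK'")
        verb, addr, mask = fields
        rules.append((verb, _ip_int(addr), _ip_int(mask), action.strip() or None))
    return rules


def is_contiguous_mask(mask):
    """True for masks such as 255.255.0.0; False for a hole like 255.0.255.0.

    A mask with a hole still 'works' but matches addresses the author almost
    certainly did not intend, so it is worth flagging when reviewing the file.
    """
    inverted = (~mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def sockd_decision(rules, client):
    """(permitted, action) from the first line whose masked network holds client."""
    ip = _ip_int(client)
    for verb, addr, mask, action in rules:
        if (ip & mask) == (addr & mask):
            return verb == "permit", action
    return False, None   # nothing matched: treated as refused (assumption)


if __name__ == "__main__":
    rules = parse_sockd_conf(SAMPLE_SOCKD_CONF)
    for verb, addr, mask, _ in rules:
        if not is_contiguous_mask(mask):
            print("warning: non-contiguous mask on", verb, ipaddress.IPv4Address(addr))
    for client in ("190.2.44.1", "10.10.170.50", "10.10.170.51"):
        print(client, sockd_decision(rules, client))
```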


3.4.4 Authentication and the authentication service

The Firewall suite contains an authentication server program designed to support delegation of authority. Authsrv holds a database of the network's users; each record corresponds to one user and holds the authentication mechanism for that user, together with the group name, the user's full name and the most recent access. Plain text passwords are used for users on the internal network to keep administration simple. Plain text passwords should not be used for users coming from the outside network. Authsrv runs on a secure host, usually the bastion host.

To simplify the administration of authsrv, the administrator can use the authmgr shell to manage the database; it provides data encryption.

Users in an authsrv database can be divided into groups, each administered by a group administrator who has full authority within the group, including adding and removing users. This is convenient when several organizations share one Firewall.

To configure authsrv, first pick a free TCP port and add a line to inetd.conf that starts authsrv whenever a connection is requested. Authsrv is not a continuously running daemon: it is a program started for each request, and it keeps a copy of the database to avoid risk. Adding authsrv to inetd.conf requires adding an entry to /etc/services. Since authsrv accepts no parameters, the lines added to inetd.conf and services are as follows:

In /etc/services:


    authsrv 7777/tcp

    Trong /etc/inetd.conf:

authsrv stream tcp nowait root /usr/proxy/bin/authsrv authsrv

The service port chosen for authsrv is then used to configure the client applications that use the authentication service. The authentication service does not have to apply to every service or every client.

    #Example ftp gateway rules:

ftp-gw: authserver localhost 7777

    ftp-gw: denial-msg /usr/proxy/etc/ftp-deny.txt

    ftp-gw: welcome-msg /usr/proxy/etc/ftp-welcome.txt

    ftp-gw: help-msg /usr/proxy/etc/ftp-help.txt

ftp-gw: permit-hosts 192.33.112.100

ftp-gw: permit-hosts 192.33.112.* -log {retr stor} -auth {stor}

ftp-gw: permit-hosts * -authall

ftp-gw: timeout 36000

In the example above, authentication is used with the FTP proxy. The first line defines the network address and service port of the authentication program. The permit-hosts lines show some of the flexibility of the authentication system: one chosen host is not subject to authentication, and users from that host may freely reach every proxy service. The second permit-hosts line requires authentication of every system on the 192.33.112 network that wants to transfer data outward: with -auth {stor}, the FTP store operations are blocked until the user has completed authentication with the server, after which the block is lifted and the user can proceed. The last example states that everyone may connect to the server, but first they have to be authenticated.

The authsrv server has to be configured to know which machines are allowed to connect to it. This blocks every attempt at unauthorized access to the server from machines that are not running the authentication software. In the Firewall, authsrv runs on the bastion host together with the proxies. If no other system needs access, each client and the server use localhost as the communication address. The authsrv configuration defines where its database is and which clients it supports.

#Example authsrv rules:

    authsrv: database /usr/proxy/bin/authsrv.db

    authsrv: permit-host localhost

    authsrv: permit-host 192.5.214..32

In the example above, the path to the database is defined and two hosts are recognized. Note that the database is on the protected system, or is strictly protected by the file access controls. Protecting the database is very important, which is why it should reside on the bastion host. The second entry is an example of a client that uses DES encryption when communicating with authsrv. Because the key is held in the configuration file, the configuration file must be protected. In general, encryption is not needed; what encryption buys is letting the administrator manage the authentication database from a workstation. The only data stream that has to be protected is when the network administrator resets a password over

  • 8/14/2019 Tim hieu ve tuong lua FIREWALL

    62/74

  • 8/14/2019 Tim hieu ve tuong lua FIREWALL

    63/74

    63

    When a user record is created by a group administrator, it inherits the group identifier as well as the group's authentication protocol. A user record can be viewed with the display or list command.

    Example of a session with authmgr:

    % authmgr
    Connected to server
    authmgr-> login
    Username: wizard
    Challenge 200850 : 182312
    Logged in
    authmgr-> disp wizard
    Report for user wizard (Auth DBA)
    Last authenticated: Fri Oct 8 17:11:07 1993
    Authentication protocol: Snk
    Flags: WIZARD
    authmgr-> list
    Report for users in database
    user     group   longname          flags   proto    last
    ----     -----   --------          -----   -----    ----
    wizard   users   Auth DBA          y W     Snk      Fri Oct 8 17:02:56 1993
    avolio   users   Fred Avolio       y       passwd   Fri Sep 24 10:52:14 1993
    rnj      users   Robert N. Jesse   y       passwd   Wed Sep 29 18:35:45 1993
    mjr      users   Marcus J. Ranum   y       none     Fri Oct 8 17:02:10 1993
    authmgr-> adduser dalva "Dave Dalva"
    ok - user added initially disabled
    authmgr-> enable dalva
    enabled
    authmgr-> group dalva users
    set group
    authmgr-> proto dalva Skey
    changed
    authmgr-> disp dalva
    Report for user dalva, group users (Dave Dalva)
    Authentication protocol: Skey
    Flags: none
    authmgr-> password dalva
    Password: #######
    Repeat Password: #######
    ID dalva s/key is 999 sol32
    authmgr-> quit

    In the example above, the administrator connects to authsrv over the network through the authmgr interface; after authenticating, the displayed user record shows the time of the last authentication. Once logged in, the administrator lists the user database, creates a user, sets the user's password, enables the account and places it in a group.
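    The S/Key protocol assigned to dalva above ("ID dalva s/key is 999 sol32") is a one-way hash chain, and the point worth seeing is why a captured response cannot be replayed. The following is an added example written for this page, not FWTK's own authsrv code: a minimal server-side record in Python using the MD5 variant of RFC 2289 (the original S/Key used MD4, so the hash choice is an assumption made so that the code runs on the standard library), with the seed taken from the listing and a constructed pass phrase. Responses are handled as 8-byte values rather than the six-word encoding.

```python
import hashlib


def _fold_md5(data: bytes) -> bytes:
    """RFC 2289 MD5 step: hash, then XOR the two halves of the digest down to 8 bytes."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(seed: str, passphrase: str, n: int) -> bytes:
    """One-time password for sequence number n: one initial step over
    seed + pass phrase, then n further folded hashes (the hash chain)."""
    x = _fold_md5((seed.lower() + passphrase).encode())
    for _ in range(n):
        x = _fold_md5(x)
    return x


class SkeyRecord:
    """Server-side state for one user: seed, sequence count and the last
    accepted OTP. The pass phrase itself is never stored on the server."""

    def __init__(self, seed: str, enrol_otp: bytes, count: int):
        self.seed = seed
        self.count = count
        # otp(seed, passphrase, count), computed on the user's side at enrolment
        self.last = enrol_otp

    def challenge(self) -> str:
        """The next login must answer for count-1, e.g. '998 sol32'."""
        return f"{self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept only if one more hash step turns the response into the stored value."""
        if _fold_md5(response) != self.last:
            return False
        self.last = response       # move the chain one link down
        self.count -= 1
        return True


def demo(seed: str = "sol32", passphrase: str = "constructed pass phrase") -> dict:
    """Enrol at count 999 as in the listing, log in twice and try a replay."""
    rec = SkeyRecord(seed, otp(seed, passphrase, 999), 999)
    first = otp(seed, passphrase, 998)
    return {
        "challenge": rec.challenge(),
        "first_login": rec.verify(first),
        "replay_of_first": rec.verify(first),
        "second_login": rec.verify(otp(seed, passphrase, 997)),
        "next_challenge": rec.challenge(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    The replay fails because after the first login the server keeps otp(998) and now expects a value that hashes to it, i.e. otp(997); nothing in the captured otp(998) helps produce that, since the chain only runs forward. The seed is public (it is sent in the challenge); only the pass phrase, which never leaves the user's side, is secret.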

    Initializing the authsrv database:

    # authsrv          (administrator mode)
    authsrv# list
    Report for users in database
    user    group   longname   flags   proto   last
    ----    -----   --------   -----   -----   ----
    authsrv# adduser admin "Auth DBA"
    ok - user added initially disabled
    authsrv# enable admin
    enabled
    authsrv# superwiz admin
    set wizard
    authsrv# proto admin Snk
    changed
    authsrv# pass 160 270 203 065 022 034 232 162 admin
    Secret key changed
    authsrv# list
    Report for users in database
    user    group   longname   flags   proto   last
    ----    -----   --------   -----   -----   ----
    admin           Auth DBA   y W     Snk     never
    authsrv# quit

    In this example a new database is created together with a record for the administrator. The administrator is given wizard (full) privileges and assigned an authentication protocol.

    3.4.5 Using the CSE Proxy control screen:

    After installation is complete, logging in as the proxy user brings up the control screen, which shows a menu of the functions the administrator can choose from.

    PROXY SERVICE MENU
    1 Configuration
    2 View TELNET log
    3 View FTP log
    4 View HTTP log
    5 View E-MAIL log
    6 View AUTHENTICATE log
    7 View FINGER log
    8 View RLOGIN log
    9 View SOCKD log
    a Report
    b Authentication
    c Change system time
    d Change password
    e Shutdown
    q Exit
    Select option> _

    The digit or letter at the start of each entry is the key to press to run that function. After each function has completed,

    3.4.5.5 5 View E-MAIL log

    Function to view the contents of the email service log.

    3.4.5.6 6 View AUTHENTICATE log

    Function to view the contents of the authentication service log.

    3.4.5.7 7 View FINGER log

    Function to view the contents of the finger log.

    3.4.5.8 8 View RLOGIN log

    Function to view the contents of the rlogin-gw log.

    3.4.5.9 9 View SOCKD log

    Function to view the contents of the sockd log.

    3.4.5.10 a Report

    Function to produce a statistical report covering all services over a given period of time.

    First the screen shows a calendar on which the reporting period is chosen. Once the report has been calculated, the user must choose one of the report outputs: view (on screen), save (to floppy disk) or print (on the printer attached directly to the server). To print on other printers, save the report to floppy disk and print the files from a workstation.

    Fri May  8 10:39:13 1998

            Apr                   May                   Jun
     S  M Tu  W Th  F  S   S  M Tu  W Th  F  S   S  M Tu  W Th  F  S
              1  2  3  4                  1  2      1  2  3  4  5  6
     5  6  7  8  9 10 11   3  4  5  6  7  8  9   7  8  9 10 11 12 13
    12 13 14 15 16 17 18  10 11 12 13 14 15 16  14 15 16 17 18 19 20
    19 20 21 22 23 24 25  17 18 19 20 21 22 23  21 22 23 24 25 26 27
    26 27 28 29 30        24 25 26 27 28 29 30  28 29 30
                          31

    From date (dd/mm[/yy]) (08/05/98): 01/05/98
    To date (dd/mm[/yy]) (08/05/98): 05/05/98
    Calculating...
    View, save to MS-DOS floppy disk or print report (v/s/p/q)? v

    3.4.5.11 b Authentication

    This function calls authsrv to administer users and their authentication settings. authsrv has been described in detail above.

    authsrv# list
    Report for users in database
    user    group   longname   status   proto   last
    ----    -----   --------   ------   -----   ----
    dalva   cse                n        passw   never
    ruth    cse                y        passw   never
    authsrv#

    3.4.5.12 c Change system time

    Function to change the system time. It is used to set the system clock precisely, because the system clock directly determines how accurate the log timestamps are, and accurate timestamps are what let the administrator trace accesses to the proxy correctly.

    The time entry line is shown below. The date does not have to be entered, but note the format of the number entered. The example below changes the time to 11:28.

    Current System Time is Fri May 08 10:32:00 HN 1998
    Enter new time ([yymmdd]hhmm): 1128

    3.4.5.13 d Change password

    Function to change the password of the proxy user.

    3.4.5.14 e Shutdown

    Function to shut down the whole system. It is used to switch the machine off safely.

    3.4.5.15 q Exit

    Function to log out of the proxy control screen.

    3.4.6 Points users need to be aware of

    When using CSE Proxy, users need to pay attention to the following points:

    3.4.6.1 Web browsers

    Proxy mode must be set so that the browser can reach web pages through the proxy.

    In Microsoft Internet Explorer (version 4.0) choose View -> Internet Options -> Connection -> Proxy Server, tick "Access the Internet using a proxy server", and enter the proxy's IP address and port.

    In Netscape Navigator (version 4.0) choose Edit -> Preferences -> Advanced -> Proxies and enter the proxy address and service port (80) under Manual proxy configuration.

    3.4.6.2 For telnet users

    If the authentication function is not enabled, the procedure is as follows:

    $ telnet vectra
    Trying 192.1.1.155...
    Connected to vectra.
    Escape character is '^]'.
    Vectra.sce.gov.vn telnet proxy (version V1.0) ready:
    tn-gw -> help
    Valid commands are: (unique abbreviations may be used)
    connect hostname [serv/port]
    telnet hostname [serv/port]
    x-gw [hostname/display]
    help/?
    quit/exit
    password
    tn-gw -> c 192.1.1.1
    Trying 192.1.1.1 port 23...
    SCO OpenServer(TM) Release 5 (sco5.cse.gov.vn) (ttys0)
    Login: ngoc
    Password: #######
    ...
    $

    If the authentication function is enabled, then after the proxy answers

    Vectra.sce.gov.vn telnet proxy (version V1.0) ready:

    it prompts for a user name and password to perform authentication:

    Username: ngoc
    Password: #######
    Login accepted
    tn-gw ->

    3.4.6.3 For FTP users

    If the authentication function is enabled, the procedure is as follows:

    $ ftp vectra
    Connected to vectra.
    220-Proxy first requires authentication
    220 Vectra.sce.gov.vn FTP proxy (version V1.0) ready:
    Name (vectra:root): ngoc
    331 Enter authentication password for ngoc
    Password: #######
    230 User authenticated to proxy
    ftp> user ngoc@192.1.1.1
    331-(----GATEWAY CONNECTED TO 192.1.1.1----)
    331-(220 sco5.cse.gov.vn FTP server (Version 2.1 WU(1)) ready.)
    331 Password required for ngoc.
    Password:
    230 User ngoc logged in.
    ftp>
    ...
    ftp> bye
    221 Goodbye.
    $

    If the authentication function is not used, it is simpler:

    $ ftp vectra
    Connected to vectra.
    220 Vectra.sce.gov.vn FTP proxy (version V1.0) ready:
    Name (vectra:root): ngoc@192.1.1.1
    331-(----GATEWAY CONNECTED TO 192.1.1.1----)
    331-(220 sco5.cse.gov.vn FTP server (Version 2.1 WU(1)) ready.)
    331 Password required for ngoc.
    Password:
    230 User ngoc logged in.
    ftp>
    ...
    ftp> bye
    221 Goodbye.
    $

    If you use the WS_FTP program for Windows from Ipswitch, Inc., you must enable Use Firewall in the Advanced section when configuring a session. In the Firewall Information section, enter the proxy's IP address as the Hostname, the user name and password (UserID and Password) used for authentication on the proxy, and the service port (21). At the same time, choose the type USER after logon in the Firewall type section.