
MINISTRY OF EDUCATION AND TRAINING
HUNG YEN UNIVERSITY OF TECHNOLOGY AND EDUCATION

PROJECT 5
MAJOR: INFORMATION TECHNOLOGY
SPECIALTY: NETWORKS AND COMMUNICATIONS
TOPIC: UNDERSTANDING FIREWALLS ON CISCO TECHNOLOGY AND DEMONSTRATING SOME PRACTICAL APPLICATIONS

Student group: Phm Th Vin, V Tin Dng

Supervisor: Vi Hoi Nam

Hung Yen, November 2011

SUPERVISOR'S COMMENTS

(left blank)


REVIEWER'S COMMENTS

(left blank)



ACKNOWLEDGEMENTS

After nearly three months of effort in researching and implementing, the project "Understanding firewalls on Cisco technology and demonstrating some practical applications" has been completed. Besides our own best efforts, we also received much encouragement from family, teachers and friends. This is a rather interesting and highly practical topic. Our group researched and tried to design the most complete network system for the project that our abilities allowed. Although we tried our best, this topic certainly cannot avoid shortcomings. We very much hope for the understanding and guidance of the teachers and our friends. We express our sincerest gratitude to Mr. Vi Hoi Nam, who wholeheartedly instructed and guided us throughout the time our group worked on this topic. We also sincerely thank the teachers of the Faculty of Information Technology, Hung Yen University of Technology and Education, who taught, guided, helped and created the conditions for us to complete this topic. Thanks to all the friends who have helped and encouraged us during our studies and the completion of this project. Although we have done our best to complete this project, mistakes are inevitable. We very much hope for the understanding, contributions and guidance of the teachers and our friends!

Hung Yen, 25 November 2011

Students: Phm Th Vin, V Tin Dng


PREFACE

Today information security plays an essential rather than a secondary role in every activity involving the application of information technology. We mean the huge role that the application of IT has been playing and continues to play: it is no longer merely a set of tools (hardware, software) but is really regarded as the solution to many problems. Starting in the early 1990s, with a small number of IT specialists and limited understanding, applying IT in production, transactions and management was still modest and stopped at the level of a tool; at times we even saw that these expensive tools caused some obstruction and brought no practical benefit to the organisations using them. The Internet lets us reach anywhere in the world through a number of services. Sitting at your computer you can learn about information worldwide, but for exactly that reason your computer system can be broken into at any time without your knowing in advance. Protecting the system is therefore a problem we have to pay attention to. The concept of a firewall was introduced to solve this problem. There are many kinds and types of firewall, but Cisco offers a very effective firewall security technology. To clarify these matters, the project "Understanding firewalls on Cisco technology and demonstrating some practical applications" will give us a deeper look at the concept, the functions and the specific security mechanisms of the Cisco firewall. Once again our group sincerely thanks Mr. Vi Hoi Nam and the teachers of the IT faculty for guiding us to complete our project!

I. Objectives


This project will help us understand the concepts and functions of a firewall, and understand more deeply what Cisco's firewall security policies are and how they are configured.

II. Research method

Read carefully and grasp the requirements set for the project. The most essential method in this project is the skill of reading, translating and understanding English documentation; going deep in searching for documents and presenting them in the most reasonable way; listening attentively to and absorbing the supervisor's comments.

III. Structure

The content of this project is divided into the following chapters:

Chapter 1: Overview of firewalls. Chapter 2: Security issues. Chapter 3: In-depth study of the Cisco firewall. Chapter 4: Overview of VPNs. Chapter 5: Demonstration of some real-world application models.



TABLE OF CONTENTS

ACKNOWLEDGEMENTS
PREFACE
TABLE OF CONTENTS
LIST OF FIGURES AND TABLES
LIST OF ABBREVIATIONS
CHAPTER 1. OVERVIEW OF FIREWALLS
1.1. The firewall concept
1.1.1. Why use a firewall for a computer network connected to the Internet?
1.1.2. The origin of the firewall
1.1.3. Purpose of the firewall
1.1.4. Firewall options
1.1.4.1. Hardware firewalls
1.1.4.2. Software firewalls
1.2. Functions of a firewall
1.2.1. What does a firewall protect?
1.2.2. What does a firewall protect against?
1.2.2.1. Hacking
1.2.2.2. Code modification
1.2.2.3. Denial of service
1.2.2.4. Direct attacks
1.2.2.5. Eavesdropping
1.2.2.6. Disabling system functions (denial of service)
1.2.2.7. System administrator error
1.2.2.8. The human factor
1.3. Firewall models and architectures
1.3.1. Dual-homed host architecture (intermediate host)
1.3.2. Screened host architecture
1.3.3. Screened subnet architecture
1.4. Firewall classification
1.4.1. Packet filtering firewalls
1.4.2. Application-proxy firewalls
1.5. Some issues when choosing a firewall
1.5.1. The need for a firewall
1.5.2. What does a firewall control and protect?
1.6. Limitations of firewalls
2.1. Principles of network protection
2.1.1. Planning the network protection system
2.1.2. Security model
2.1.3. Raising the security level
2.2. Network security architecture
2.2.1. Levels of information security on the network
2.2.2. Impact of network vulnerabilities
CHAPTER 3. CISCO FIREWALLS
3.3. NAT overview
3.3.1. Private addresses
3.3.2. The need for NAT
3.3.3. Benefits of NAT
3.3.4. NAT terminology and definitions
3.3.5. Some typical NAT examples
3.4.2. Configuring static NAT
3.4.2. Configuring static PAT
3.5. Access control
3.6. Web content
3.7. Creating security policies on the ASA
3.8. Advanced ASA features
CHAPTER 4. VPNs
4.1. What is IPsec?
4.2. How IPsec works
4.3. Connection types
4.4. Configuration guide
4.4.4. Configuring AnyConnect WebVPN
CONCLUSION
REFERENCES



LIST OF FIGURES AND TABLES

Figure 1.1   The firewall placed between the private network and the public network
Figure 1.2   A network with a firewall and servers
Figure 1.3   Using multiple firewalls to increase security
Figure 1.4   Architecture of a system using a firewall
Figure 1.5   General structure of a firewall system
Figure 1.6   Dual-homed host architecture
Figure 1.7   Screened host architecture
Figure 1.8   Screened subnet architecture
Figure 1.9   Packet filtering firewall
Figure 1.10  Circuit level gateway
Figure 1.11  Application-proxy firewall
Figure 2.1   Levels of information security on the network
Figure 2.2   Configuration denying a host with a standard access-list
Figure 2.3   Configuration denying telnet from a subnet
Figure 3.15  Example NAT policy
Figure 3.16  Example NAT policy definition
Figure 3.17  Example static NAT configuration
Figure 3.18  Example static PAT
Figure 3.19  Example NAT with two interfaces
Figure 3.20  Example NAT with a three-interface model
Figure 3.21  Changing the proxy
Figure 3.22  Example WCCP configuration
Figure 3.23  Active/Standby stateful failover model
Figure 3.24  ASA authentication model
Figure 3.25  Cut-through proxy authentication for Telnet, FTP and HTTP(S) connections
Figure 3.26 (a)  Static routing
Figure 3.27 (b)  Static routing
Figure 3.28  Model using RIP in a network with many routers
Figure 4.1   Site-to-site model
Figure 4.2   Remote access VPN model
Figure 4.3   Step 8: configuring the client software
Figure 4.4   Installing the VPN client
Figure 4.5   Saving the VPN client installation configuration
Figure 4.6   Initiating the remote access VPN connection
Figure 4.7   Authentication login
Figure 4.8   Active/Standby model
Figure 4.9   Operation of AnyConnect VPN
Figure 4.10  AnyConnect configuration
Figure 4.11  Accessing the ASA
Figure 4.12 (a)  Establishing the SSL VPN connection
Figure 4.12 (b)  Establishing the SSL VPN connection
Table 3.1    Parameters of the match command
Table 3.2    The default class map and the match command for default inspection traffic
Table 4.1    Transforms
Table 4.2    Information on the encrypted data


LIST OF ABBREVIATIONS

NIC    Network Interface Controller
IP     Internet Protocol
LAN    Local Area Network
DMZ    Demilitarized Zone
FTP    File Transfer Protocol
OSI    Open Systems Interconnection
TCP    Transmission Control Protocol
ADSL   Asymmetric Digital Subscriber Line
DNS    Domain Name System
ISA    Internet Security and Acceleration
VPN    Virtual Private Network
NAT    Network Address Translation
WAN    Wide Area Network
OS     Operating System
POP    Post Office Protocol
ACL    Access Control List
ASA    Adaptive Security Appliance
ICMP   Internet Control Message Protocol
UDP    User Datagram Protocol
PAT    Port Address Translation
AAA    Authentication, Authorization, Accounting
VPNs   Virtual Private Networks
IPsec  IP Security


CHAPTER 1. OVERVIEW OF FIREWALLS

1.1. THE FIREWALL CONCEPT

1.1.1. Why use a firewall for a computer network connected to the Internet?

The birth of the Internet brought enormous benefits to people; it is one of the leading factors in the rapid development of the whole world, and it can be said that the Internet brings people closer together. Precisely because of such wide connectivity, the risks to the security of computer networks are very great: attacks on computer networks, attacks to steal data, attacks aimed at sabotage that paralyse a large computer system, attacks that alter databases, and so on. In the face of these risks, securing computer networks has become more urgent and important than ever. Attacks are becoming more numerous, more sophisticated and more dangerous. Many security solutions for computer networks have been proposed, such as software and programs that protect resources, or network accounts that require a password, but these solutions protect only part of the network; once an attacker penetrates deeper into the network there are many ways to damage it. Hence the requirement for tools that block illegal intrusion into the network from the outside, which is what led to the firewall. A firewall can filter dangerous Internet traffic such as hackers, worms and some kinds of virus before they can cause trouble on the system. A firewall can also stop the computer from unknowingly taking part in attacks on other computers. Using a firewall is extremely important for computers that are always connected to the Internet, as with a broadband or DSL/ADSL connection.


On the Internet, hackers use malicious code such as viruses, worms and Trojans to try to find the unlocked doors of an unprotected computer. A firewall can help protect the computer against these activities and other security attacks. What can a hacker do? It depends on the nature of the attack. While some are merely a nuisance with simple pranks, others are created with dangerous intent. The more serious kinds try to delete information from the computer, destroy it, or even steal personal information such as passwords or credit card numbers. Some hackers simply like to break into vulnerable computers. Viruses, worms and Trojans are frightening; fortunately the risk of infection can be reduced by using a firewall.

1.1.2. The origin of the firewall

The term firewall originates from a building design technique for containing and limiting fires. In network technology, a firewall is a technique integrated into the network system to prevent unauthorised access, protecting internal information resources and limiting unwanted intrusion into the system. A firewall can also be understood as a mechanism for protecting a trusted network from untrusted networks. Usually the firewall is placed between the internal network (intranet) of a company, organisation, sector or country and the Internet. Its main role is to secure information, blocking unwanted access from outside (the Internet) and forbidding access from inside (the intranet) to certain addresses on the Internet. An Internet firewall is a set of devices (hardware and software) between the network of an organisation, company or country (intranet) and the Internet: INTRANET - FIREWALL - INTERNET. In some cases a firewall can be set up within the same internal network to isolate security domains, for example a LAN using a firewall to separate the computer lab from the network of the floor below.


An Internet firewall can help stop outsiders on the Internet from breaking into a computer. A firewall works by inspecting information coming from and going to the Internet. It identifies and ignores information that comes from a dangerous or suspicious place. If you set up your firewall appropriately, hackers searching for vulnerable computers cannot discover your computer. A firewall is a hardware- or software-based solution for inspecting data. The advice is to use a firewall for any computer or network connected to the Internet. With a broadband Internet connection the firewall is all the more important, because this is an "always on" connection, so hackers have more time to try to break into the computer. A broadband connection is also more convenient for a hacker who uses the computer as a means of going on to attack other computers.

1.1.3. Purpose of the firewall

With a firewall, users can be reassured that they are exercising supervision over the data communicated between their computer and other computers or systems. A firewall can be seen as a guard whose task is to check the "passport" of every data packet entering or leaving the user's computer, letting only valid packets through and discarding all invalid ones. Firewall solutions are truly necessary, stemming from the very way data moves on the Internet. Suppose you send a letter to a relative: for the letter to travel over the Internet, it must first be divided into small packets. These packets find the optimal routes to the recipient's address and are then reassembled (in the order numbered beforehand) and restored to their original form. Dividing data into packets simplifies data transfer on the Internet but can lead to some problems. If someone with bad intentions sends you a number of packets that are booby-trapped so that your computer does not know how to process them, or so that the packets are reassembled in the wrong order, that person may take remote control of your computer and cause serious problems.


The intruder who gains unauthorised control can then use your Internet connection to launch other attacks without revealing his identity. The firewall ensures that all incoming data is valid, preventing outside users from taking control of your computer. The firewall's control of outgoing data is also very important, because it prevents intruders from planting malicious viruses on your computer to launch their later attacks against other computers on the Internet.

Figure 1.1. The firewall is placed between the private network and the public network

A firewall has at least two network interfaces, public and private. The public interface connects to the Internet, the side that everyone can access; the private interface is the side holding the data to be protected. A firewall may have several private interfaces depending on the number of network segments to be separated. Each interface has its own set of protection rules defining which traffic can pass between the public and private networks.

A firewall can also do more, and has many advantages and difficulties. Network administrators commonly use the firewall as a VPN termination device, an authentication server or a DNS server. However, as with any other network device, the more services run on the same host, the greater the risk; a firewall should therefore not run many services. The firewall is the second layer of protection in the network; the first is the router, which at the routing level allows or denies certain IP addresses and detects abnormal packets. The firewall looks at which ports are allowed or denied. A firewall is sometimes also useful for small network segments or individual IP addresses. Because a router is often already overloaded, using it to filter a single IP address or a small address range can create unnecessary load. Firewalls are useful for protecting networks from unwanted traffic. If a network has no public servers, the firewall is a very good tool for rejecting incoming traffic that does not originate from a machine behind the firewall. A firewall can also be configured to reject all traffic except port 53, reserved for the DNS server.



Figure 1.2. A network with a firewall and servers

The strength of a firewall lies in its ability to filter traffic according to a set of protection rules entered by the administrators. This can also be the firewall's greatest weakness: a bad or incomplete rule set can open the door to an attacker, and the network may not be secure. Many network administrators do not think of the firewall as a complex network device. People pay much attention to holding back unwanted traffic towards the private network and little attention to holding back unwanted traffic towards the public network. Both kinds of rule set deserve attention: if an attacker manages to break into a server, he should not be able to use that server to attack remote network devices.
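The per-interface rule sets of Figure 1.1, the implicit deny, the "everything except port 53 to the DNS server" policy and the point that both directions need rules can all be exercised in code. The following is an added example written for this page, not code from the thesis or from any Cisco product: a small stateless rule evaluator in Python whose zones, addresses, DNS server and policy are all constructed for the illustration.

```python
"""Rule-set evaluator for the firewall model described in this chapter.

Added example, not code from the thesis. It models:
  * one public interface and several private segments (zones), each pair of
    zones with its own ordered rule list;
  * first-match evaluation with an implicit deny when nothing matches;
  * rules in BOTH directions, so a compromised internal host cannot be used
    to attack remote machines;
  * the "deny everything except port 53 to the DNS server" policy.
All addresses and the zone layout are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PUBLIC = "public"   # any address not inside a defined private zone


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "any"
    src: str                      # source network in CIDR notation
    dst: str                      # destination network in CIDR notation
    dport: Optional[int] = None   # None means any port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    def __init__(self, zones: dict):
        # zones: zone name -> CIDR of the private segment behind that interface
        self.zones = {name: ip_network(cidr) for name, cidr in zones.items()}
        # one ordered rule list per (ingress zone, egress zone) pair
        self.rules = {}

    def zone_of(self, ip: str) -> str:
        for name, net in self.zones.items():
            if ip_address(ip) in net:
                return name
        return PUBLIC

    def add_rule(self, src_zone: str, dst_zone: str, rule: Rule) -> None:
        self.rules.setdefault((src_zone, dst_zone), []).append(rule)

    def check(self, p: Packet) -> str:
        """Return 'permit' or 'deny' for a packet; the first matching rule wins."""
        pair = (self.zone_of(p.src), self.zone_of(p.dst))
        for rule in self.rules.get(pair, []):
            if rule.matches(p):
                return rule.action
        return "deny"   # implicit deny: unmatched traffic never passes


def build_example_firewall() -> Firewall:
    """Constructed policy: LAN and DMZ behind private interfaces, DNS server in the DMZ."""
    fw = Firewall({"lan": "10.0.0.0/24", "dmz": "192.0.2.0/24"})
    dns = "192.0.2.53/32"
    # Inbound: the public side may reach only the DNS server, and only on port 53.
    fw.add_rule(PUBLIC, "dmz", Rule("permit", "udp", "0.0.0.0/0", dns, 53))
    fw.add_rule(PUBLIC, "dmz", Rule("permit", "tcp", "0.0.0.0/0", dns, 53))
    # No rules at all from the public side to the LAN, so everything is denied there.
    # Outbound: LAN hosts may browse and resolve names, nothing else, so a
    # compromised workstation cannot run an IRC bot or a mail spammer outward.
    for port in (80, 443):
        fw.add_rule("lan", PUBLIC, Rule("permit", "tcp", "10.0.0.0/24", "0.0.0.0/0", port))
    fw.add_rule("lan", "dmz", Rule("permit", "udp", "10.0.0.0/24", dns, 53))
    return fw


if __name__ == "__main__":
    fw = build_example_firewall()
    samples = [
        Packet("198.51.100.7", "192.0.2.53", "udp", 53),   # DNS query from the Internet
        Packet("198.51.100.7", "192.0.2.53", "tcp", 22),   # SSH probe at the DNS server
        Packet("198.51.100.7", "10.0.0.5", "tcp", 445),    # SMB probe into the LAN
        Packet("10.0.0.5", "198.51.100.7", "tcp", 443),    # LAN user browsing
        Packet("10.0.0.5", "198.51.100.7", "tcp", 6667),   # LAN host talking to IRC
    ]
    for pkt in samples:
        print(f"{pkt.src:>14} -> {pkt.dst:<14} {pkt.proto}/{pkt.dport:<5} {fw.check(pkt)}")
```

Run as a script, the last column shows the decision for each sample packet: only DNS to the DMZ server is reachable from outside, nothing reaches the LAN, and an internal host may browse but may not open an outbound IRC session. The evaluator is deliberately stateless and looks only at the first packet of a flow; a stateful firewall such as the Cisco ASA additionally tracks connections so that reply traffic for a permitted outbound session is admitted without a separate inbound rule.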


To protect and assist the traffic inside network segments, administrators often run two firewalls: the first protects the whole network and the second protects other segments. Multiple layers of firewall also let network security administrators control information flows better, especially where internal and external parts of the company must handle sensitive information. Exchanges that may be allowed on one part of the network can be restricted in more sensitive areas.

Figure 1.3. Using multiple firewalls to increase security

1.1.4. Firewall options

A number of companies make firewall products, and there are two choices: hardware firewalls and software firewalls.

1.1.4.1. Hardware firewalls

Overall, hardware firewalls provide a higher level of protection than software firewalls and are easier to maintain. Hardware firewalls also have the advantage of not consuming system resources on the computer as software firewalls do. A hardware firewall is a very good choice for small businesses, especially companies sharing an Internet connection. The firewall and a router can be combined on the same hardware and used to protect the whole network. A hardware firewall can be a cheaper option than software firewalls, which usually have to be installed on every individual computer in the network.

Companies supplying hardware firewalls include Linksys (http://www.linksys.com) and NetGear (http://www.netgear.com). The hardware firewall features these companies provide are usually built into routers for small business and home networks.

1.1.4.2. Software firewalls

If you do not want to spend money on a hardware firewall, you can use a software firewall. In price, software firewalls are usually no more expensive than hardware firewalls, and some are even free (Comodo Firewall Pro 3.0, PC Tools Firewall Plus 3.0, ZoneAlarm Firewall 7.1, ...) and can be downloaded from the Internet. Compared with hardware firewalls, software firewalls are more flexible, especially when the settings must be adjusted to suit a company's particular needs. They can work well on many different systems, unlike a hardware firewall built into a router, which works well only in small networks. A software firewall is also a suitable choice for a laptop, which remains protected wherever it is taken. Software firewalls work well with Windows 98, Windows ME and Windows 2000 and are a good choice for standalone computers. Various software companies make these firewalls. They are not necessary for Windows XP, since XP already has a built-in firewall.

* Advantages: no additional hardware required; no extra cabling required; a good choice for standalone computers.

* Disadvantages: extra cost (most software firewalls cost money); installation and configuration may be needed before starting; a separate copy is needed for each computer.


1.2. FUNCTIONS OF A FIREWALL

The firewall decides which internal services may be accessed from outside, which outside users may access the internal services, and which outside services may be accessed by the inside users.

1.2.1. What does a firewall protect?

Data protection: monitoring the flow of network data between the Internet and the intranet. The information must be protected because of the following requirements:

Confidentiality: one function of a firewall is to hide information about the trusted internal network from the untrusted network and from other external networks. The firewall also provides a central point of enforcement for management, which is very useful when an organisation's human and financial resources are limited.

Integrity.

Timeliness.

System resources.

The reputation of the company that owns the information to be protected.

1.2.2. What does a firewall protect against?

The firewall protects against attacks from outside.

1.2.2.1. Hacking

Hackers are people who understand and use computers very proficiently and are very good programmers. When they analyse and discover a vulnerability in some system, they find a suitable way to gain access and attack it. They can use different skills to attack a computer system, for example accessing a system without permission to create false information or to steal information. Many companies worry about confidential data being stolen by hackers, and among the methods found to protect data, a firewall can do this.

1.2.2.2. Code modification

This happens when an attacker modifies, deletes or replaces the authenticity of code by using viruses, worms and other malicious programs. Downloading files from the Internet can lead to downloading malicious code; given limited knowledge of computer security, downloaded files can execute with the user's privileges for the purposes of some websites.


1.2.2.3. Denial of service

Denial of service is a form of attack that interrupts operation. The threat to the continuity of the network results from many attack methods, such as flooding with information or unauthorised modification of routes. By flooding, an intruder creates a quantity of bogus information to increase network traffic and degrade the services delivered to genuine users. Alternatively an attacker may secretly sabotage the computer system and plant malicious software that attacks the system at a predetermined time.

1.2.2.4. Direct attacks

The first method is direct password guessing. Using password-guessing programs together with information about the user such as date of birth, age and address, combined with a dictionary built by the user, the attacker can guess the password. In some cases the success rate can reach 30%. An example is the password-guessing program for Unix named Crack. The second method is to exploit bugs in application programs and in the operating system itself; this has been used since the earliest attacks and is still used to gain access (obtaining system administrator privileges).

1.2.2.5. Eavesdropping

Names, passwords and other information passing over the network can be learned through programs that put the network interface (NIC) into a mode that receives all information travelling over the network.

1.2.2.6. Disabling system functions (denial of service)

This kind of attack aims to paralyse the whole system so that it cannot perform the functions it was designed for. This kind of attack cannot be prevented completely, because the means used to mount it are the very means used to work and to access information on the network.
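The dictionary-plus-personal-details guessing described under 1.2.2.4 is easy to reproduce. The following is an added example written for this page, not code from the thesis and not the Unix Crack program: it assumes the target stores unsalted SHA-256 password hashes (Crack itself targeted crypt(3) hashes taken from /etc/passwd), and the victim profile, word list and sample passwords are all constructed.

```python
"""Profile-driven password guessing of the kind described in 1.2.2.4.

Added example, not code from the thesis. The original Unix "Crack" worked on
crypt(3) hashes; this version assumes the target stores unsalted SHA-256 hashes
(an assumption chosen for a self-contained demo) and builds its candidate list
from a small word list plus facts about the user (name, city, birth year),
mangled the way guessing tools do. Profile, word list and hashes are constructed.
"""
import hashlib
import itertools
from typing import Dict, Iterable, Iterator, Optional


def sha256_hex(password: str) -> str:
    """Hash exactly as the (assumed) target system stores it: unsalted SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(word: str, years: Iterable[str]) -> Iterator[str]:
    """Common user habits: capitalise, upper-case, reverse, prepend/append digits, year, symbol."""
    forms = {word, word.capitalize(), word.upper(), word[::-1]}
    for f in forms:
        yield f
        for suffix in ("1", "123", "!", *years):
            yield f + suffix
            yield suffix + f


def candidates(profile: Dict[str, str], wordlist: Iterable[str]) -> Iterator[str]:
    """Yield unique guesses built from the word list and the victim's own details."""
    facts = [str(v).lower() for v in profile.values()]
    years = [y for y in facts if y.isdigit() and len(y) == 4]
    years += [y[-2:] for y in years]            # 1990 -> 90
    seen = set()
    bases = list(wordlist) + facts
    pairs = ("".join(p) for p in itertools.permutations(facts, 2))   # e.g. city+name
    for guess in itertools.chain(bases, pairs):
        for g in mangle(guess, years):
            if g not in seen:
                seen.add(g)
                yield g


def crack(target_hash: str, profile: Dict[str, str], wordlist: Iterable[str]) -> Optional[str]:
    """Return the password whose hash matches, or None once the candidate space is exhausted."""
    for guess in candidates(profile, wordlist):
        if sha256_hex(guess) == target_hash:
            return guess
    return None


# Constructed victim profile and word list (the kind of data 1.2.2.4 refers to).
PROFILE = {"first_name": "nam", "city": "hungyen", "birth_year": "1990"}
WORDLIST = ["password", "admin", "welcome", "cisco"]

if __name__ == "__main__":
    for pw in ("Nam1990", "cisco123", "hungyennam", "x9!Qr7#vLp2"):
        found = crack(sha256_hex(pw), PROFILE, WORDLIST)
        print(f"{pw:<14} -> {'cracked: ' + found if found else 'not in candidate space'}")
```

The "x9!Qr7#vLp2" sample survives because it has no relation to the word list or the profile. What defeats this attack is not the firewall, which only limits which hosts can reach the login service, but passwords unrelated to guessable facts, login rate limiting and lockout, and storing passwords with a salted, slow hash so that offline guessing against a leaked hash file becomes expensive.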


1.2.2.7. Mistakes by the system administrator
Today hackers are becoming more and more skilled, while networks are still slow to fix their vulnerabilities. This requires the network administrator to have good knowledge of network security in order to keep the system's information safe. An individual user cannot know every trick needed to build their own firewall, but should still understand how important information security is for each individual and, from there, learn some ways to prevent the simpler attacks by hackers. The key is awareness: with an awareness of prevention, the level of safety will be higher.

1.2.2.8. The human factor
Because of carelessness and a lack of understanding of how important securing the system is, people easily leak important information to hackers.
* A firewall is also used to protect against IP address spoofing.

1.3. FIREWALL MODELS AND ARCHITECTURE
The architecture of a system using a firewall is as follows:

[Figure: the Internet, an Internet router, a firewall, an internal router, servers and computers]

Figure 1.4. Architecture of a system using a firewall



All firewall systems share the following general structure:

Where:
- Screening Router: the first line of control for the LAN.
- DMZ: the zone exposed to attack from the Internet.
- Gateway Host: the gateway between the LAN and the DMZ; it controls all communication and enforces the security mechanisms.
- IF1 (Interface 1): the network card facing the DMZ.
- IF2 (Interface 2): the network card facing the LAN.
- FTP Gateway: controls FTP access between the LAN and the FTP zone. FTP from the LAN out to the Internet is unrestricted; FTP access into the LAN requires authentication through the Authentication server.
- Telnet gateway: controls telnet access in the same way as FTP; users may telnet outwards freely, while telnet from outside must be authenticated through the Authentication server.
- Authentication server: where access rights are authenticated, using strong authentication techniques such as one-time passwords/tokens.

Figure 1.5. General structure of a firewall system

All firewalls share one property: they can discriminate, or refuse access, based on source addresses. Thanks to the firewall model, the service hosts in the LAN are protected, and all information exchanged with the Internet is controlled through the gateway.

1.3.1. Dual-homed host architecture (intermediate host)
The dual-homed host firewall architecture is built around a dual-homed host computer. A computer is called a dual-homed host if it has at least two network interfaces, that is, two network cards connected to two different networks, so that the computer acts as a software router. The dual-homed host architecture is very simple. The dual-homed host sits in the middle: one side is connected to the Internet and the other to the internal network (LAN). The dual-homed host can provide services only by proxying them or by allowing users to log in directly to the dual-homed host. All communication between a host on the internal network and an outside host is forbidden; the dual-homed host is the only point of contact.

[Figure: Internet and remote user, firewall (dual-homed host), internal network with users]

Figure 1.6. Dual-homed host architecture

1.3.2. Screened host architecture
The screened host architecture is the reverse of the dual-homed host architecture: it provides services from a host inside the internal network and uses a separate router towards the external network. In this architecture the main security mechanism is packet filtering. The bastion host is placed inside the internal network and packet filtering is installed on the router. In this way, the bastion host is the only system in the internal network that hosts on the Internet can connect to, and even then only the kinds of connection configured on the bastion host are permitted. Any outside system that tries to access the internal systems or services must connect to this host.

Therefore the bastion host must be kept at a high level of security. Packet filtering also lets the bastion host open connections to the outside. The packet-filtering configuration on the screening router is as follows:
- Allow all inside hosts to open connections to outside hosts for a fixed set of services.
- Disallow all other connections from inside hosts (forcing those hosts to use the proxy services through the bastion host).
You can combine several entry points for different services: some services are allowed in directly through packet filtering, while others are allowed in only indirectly through the proxy.

Because this architecture allows packets to travel from the outside into the inside network, it appears more dangerous than the dual-homed host architecture, which is designed so that no packet can reach the inside network. In practice, however, the dual-homed host architecture also has failures that let a packet pass from outside to inside (and because these failures are entirely unforeseen, there is almost no protection against such attacks). Furthermore, in the dual-homed host architecture it is easier to protect the router (a machine that provides very few services) than to protect the hosts inside the network. Overall, the screened host architecture offers higher reliability and security than the dual-homed host architecture. Compared with other architectures, such as the screened subnet, the screened host architecture has some disadvantages. The main one is that if an attacker manages to break into the bastion host, there is nothing separating the bastion host from the remaining hosts in the internal network. The router is also a weak point: if the router is compromised, the whole network is exposed to attack. For this reason the screened subnet has become the most popular architecture.



[Figure: Internet and remote user, firewall with screening router, internal network with bastion host and users]

Figure 1.7. Screened host architecture

1.3.3. Screened subnet architecture
To strengthen the protection of the internal network, implement a defence-in-depth strategy, increase the safety of the bastion host, and separate the bastion host from the other hosts so that a compromise of the bastion host does not spread, the firewall architecture called the screened subnet was introduced. The screened subnet architecture derives from the screened host architecture by adding a safety layer, the perimeter network, which isolates the internal network from the outside network and separates the bastion host from the ordinary hosts. A simple screened subnet consists of two screening routers:
- Exterior router (also called the access router): sits between the perimeter network and the outside network and protects the perimeter network (bastion host and interior router). It permits outbound traffic from the perimeter network. Some special packet-filtering rules are installed at the level needed to protect the bastion host and the interior router, although the bastion host is also a host installed with a high level of security. Apart from those rules, the other rules are the same on both routers.
- Interior router (also called the choke router): sits between the perimeter network and the internal network and protects the internal network from both the outside and the perimeter network. It does not implement all of the packet-filtering rules of the whole firewall. The services the interior router allows between the bastion host and the internal network, and between the outside and the internal network, need not be the same. Limiting the services between the bastion host and the internal network reduces the number of machines (and the number of services on them) that can be attacked when the bastion host is compromised and cooperates with the outside. For example, the services allowed between the bastion host and the internal network should be limited: when mail arrives from outside over SMTP, perhaps only SMTP connections between the bastion host and the internal mail server should be permitted.
[Figure: Internet, exterior router, perimeter network with bastion host, interior router, internal network with users]

Figure 1.8. Screened subnet architecture

1.4. FIREWALL CLASSIFICATION
There are many kinds of firewall today. To make research and development easier, firewalls are divided into two main types:
- Packet filtering firewall: a firewall system between the inside and the outside of a network that has been placed under control.
- Application-proxy firewall: a system that allows direct connections between client machines and hosts.

1.4.1. Packet filtering firewall
This is a common type of firewall that operates at the network layer of the OSI model. A network-layer firewall usually operates on the principle of a router, and is also called a router: it creates rules for network access rights at the network layer. This model works on the principle of filtering packets. In this mode of operation every packet is checked for the source address from which it originated. Once the source IP address has been determined, it is checked against the rules set on the router. With this mode of operation, network-layer firewalls process traffic quickly because they only check the source IP address, without knowing whether that address is wrong or forbidden. This is precisely the limitation of this type of firewall: it does not guarantee reliability. Its weakness is that it uses only the source IP address as an indicator; a packet carrying a spoofed source address can pass through some levels of access control into the network. Packet filtering firewalls are divided into two kinds:
- Packet filtering firewall: operates at the network layer of the OSI model. The filtering rules are based on fields in the IP header and the transport header, the source IP address and the destination IP address.

[Figure: security perimeter, private network, packet filtering router, Internet]

Figure 1.9. Packet filtering firewall

- Circuit level gateway: operates at the session layer of the OSI model. This model does not allow end-to-end connections.



[Figure: circuit level gateway relaying the outside host's connection ("out") to the inside host's connection ("in")]

Figure 1.10. Circuit level gateway

1.4.2. Application-proxy firewall
When a user opens a connection to a network that uses this type of firewall, the connection is intercepted, and the firewall then checks the relevant fields of the connection-request packet. If the check succeeds, meaning the fields satisfy the rules set on the firewall, the firewall creates a bridge connection for the packet to pass through.
* Advantages:
- No IP packet forwarding function.
- Finer-grained control over connections through the firewall.
- Provides tools for logging the connection process.

* Disadvantages:
- Processing speed is rather slow.
- Forwarding IP packets, when the server has received a request from the outside network and then passes it into the inside network, is exactly the hole through which a hacker can intrude.
- Because this type of firewall works through application software, a proxy application must be created on the firewall for every service on the network (e.g. FTP proxy, HTTP proxy).
* Application-proxy firewalls are divided into two kinds:


- Application level gateway: operates at the application layer of the TCP/IP model.

[Figure: application level gateway with TELNET, FTP, SMTP and HTTP proxies between the outside host's connection and the inside host's connection]

Figure 1.11. Application-proxy firewall

- Stateful multilayer inspection firewall: this type combines the features of the firewall types above; it filters packets at the network layer and inspects packet contents at the application layer. It allows direct connections between client and host, so it reduces errors, and it offers strong security features while remaining transparent to end users.

1.5. SOME ISSUES WHEN CHOOSING A FIREWALL
1.5.1. The need for a firewall
The decision to deploy a firewall should not be taken without study and analysis. The decision must rest on requirements that have been identified and justified, because a firewall deployment whose requirements have not been identified ends up shaped by the decisions of other organisations. A firewall built on a small scale may seem of little value, but a security hole, or a mechanism that causes more network problems than it solves, is worse than deploying the firewall.

1.5.2. What does the firewall control and protect?
To build a firewall, one must first identify which functions it will perform: which networks it will control access to and from, and which services and users it will protect.
What does the firewall control?
- Access into the network.
- Access out of the network.
- Access within internal networks, domains or architectures.
- Access by particular groups, users or addresses.
- Access to particular resources or services.

What does the firewall need to protect?
- Particular networks or controllers.
- Particular services.
- Private or public information.
- Users.

After identifying what the firewall needs to protect and control, decide what may happen to that protection and control over time: what happens when a user accesses pages they are not authorised to access, and what happens if a service is not protected and information is not well secured. Weighing the risk against the control or protection is the next step in assessing whether a firewall solution is needed.

1.6. LIMITATIONS OF FIREWALLS
A firewall is not as intelligent as a human; it cannot read each kind of information and judge whether its content is good or bad. A firewall can only block intrusions from unwanted sources, and for that the address parameters must be clearly specified. A firewall cannot stop an attack that does not pass through it. Specifically, a firewall cannot defend against an attack over a dial-up line, or against information leaking because data is illegally copied onto a floppy disk. Nor can a firewall defend against data-driven attacks, in which programs are sent by e-mail, pass through the firewall into the protected network and start operating there; computer viruses are an example. A firewall cannot scan the data passing through it for viruses, because of its processing speed, the continuous appearance of new viruses, and the many ways of encoding data that escape the firewall's control. A firewall can keep out bad actors from the outside, but what about bad actors on the inside?

Nevertheless, a firewall remains an effective and widely adopted solution. To get the best possible security for a system, a firewall should be combined with other network security measures such as anti-virus software, packaging software and data encryption. In particular, a security policy that is implemented appropriately and in depth is vital for getting the most out of any security software. Remember also that technology is only part of a security solution; another extremely important factor in its success is the cooperation of staff and colleagues.

CHAPTER 2. UNDERSTANDING SECURITY ISSUES

Security is a major issue for every network in today's business environment. Hackers and intruders have created many ways to successfully bring down a company's network or web services. Many methods have been developed to secure the network infrastructure and communication over the Internet, including the use of firewalls, encryption and virtual private networks. Network security comprises three elements: confidentiality, integrity and availability.
- Confidentiality: protecting sensitive information from access by people without the right to it.
- Integrity: protecting system information from modification by hackers.
- Availability: always ensuring that resources are available to users.
To protect your system, you must first recognise whom and what you need to protect it from. To defend against attacks, you must understand the kinds of threat to your network's security. There are four security threats:
- Internal threats
- External threats
- Unstructured threats
- Structured threats

a) Internal threats
The term internal threat describes an attack carried out by a person or organisation that has some access to your network. Internal attacks are carried out from a trusted area of the network. This threat can be harder to defend against because employees can access the network and the company's confidential data. Most companies only have firewalls at the network perimeter and rely entirely on ACLs (Access Control Lists) and server access rights for internal security. Server access rights usually protect resources on the server but provide no protection for the network. Internal threats are usually carried out by disgruntled employees who want to turn against the company. Many security methods concern the perimeter of the network, protecting the inside network from outside connections such as the Internet. When the network perimeter is secured, the trusted parts inside tend to be less strictly controlled. Once an intruder has passed through the hard outer shell of the network, the rest is usually very simple. Therefore the following levels of security are needed:
- Physical security: place network equipment in a secure room that is always locked.
- Operating system security: use the latest IOS version that meets the business's needs; keep a backup copy of the configuration file.
- Router and switch security: secure administrative access such as console and telnet; shut down unused ports on routers and switches; turn off unnecessary services.
b) External threats
External threats come from organisations, governments or individuals trying to gain access from outside the company's network, and include everyone who has no right to access the inside network. Usually, external attackers try to come in through dial-up servers or Internet connections. External threats are what companies usually spend most of their time and money preventing. The solution is as follows:
- Deploy a firewall to protect the inside network.
- Allow only the services needed to meet the organisation's requirements.
- Have measures to prevent and detect intrusions into the inside network.



c) Structured threats
Structured threats are the hardest to prevent and defend against, because they originate from organisations or individuals who use some kind of methodology to carry out attacks. Hackers with deep knowledge, experience and equipment create this threat. These hackers know how packets are constructed and can develop code that exploits vulnerabilities in protocol structure. They also know the measures used to prevent unauthorised access, how IDS systems work and how they detect intrusions, and they know methods for evading these defences. In some cases a structured attack is carried out with help from someone inside; this is called an internal structured threat. Structured or unstructured threats can be external as well as internal.

2.1. Principles for protecting the network
2.1.1. Planning network protection
In a network environment there must be assurance that confidential data is kept private, so that only authorised people are allowed to access it. Keeping information confidential is important, and protecting the network's operation is no less important. The computer network must be kept safe from dangers, whether accidental or deliberate. However, a network administrator must know that everything has its limits and should not be overdone. The network need not be protected so tightly that users constantly struggle to access it to do their jobs; they should not be frustrated when trying to access their own files. The four main dangers to network security are:
- Illegal network access.
- Electronic interference.
- Theft.
- Accidental or deliberate disasters.

- Security level: depends on the kind of environment in which the network operates.
- Security policy: the network requires a set of principles, rules and policies to eliminate risk, and guidance for getting through changes and unforeseen situations as the network grows.
- Training: well-trained network users are less likely to accidentally destroy a resource.
- Equipment safety: depends on the size of the company, the confidentiality of the data and the available resources. In a peer-to-peer network environment there may be no organised hardware protection policy; users are responsible for keeping their own computers and data safe.

2.1.2. Security models
Two different security models have been developed to help protect data and hardware resources:
- Password-protected shared resources: assign a password to each shared resource.
- Access on permission: assign certain rights to each user; access to shared resources is checked against the user-access database on the server.

2.1.3. Raising the security level
- Auditing: tracking activity on the network through user accounts and recording selected kinds of event in the server's security log. This helps detect illegitimate or unintended activity. It also provides usage information in situations where a department is charged for using certain resources and a decision is needed on how to charge for them.
- Diskless computers: have no hard disk or floppy drive. They can do everything an ordinary computer does except store data on a local hard disk or floppy. They need no boot disk; they can communicate with the server and log in thanks to a special boot ROM chip installed on the network card. When a diskless computer is switched on, the boot ROM chip signals to the server that it wants to boot. The server responds by loading boot software into the diskless computer's RAM and automatically displaying the login screen. The computer is then connected to the network.

- Data encryption: converting information into an encrypted form by some method so that the information cannot be understood unless the recipient knows how to decrypt it. One user or host can use encrypted information without affecting other users or hosts.
- Anti-virus: stops viruses from running, repairs damage to some extent, and contains viruses after they break out.

Preventing illegal access is one of the most effective ways to avoid viruses. Because the main measure is prevention, the network administrator must ensure that all the necessary elements are in place:
- Passwords to reduce the chance of illegal access.
- Appropriate privileges assigned to each user.
- Profiles for organising the network environment for users, who can configure and maintain their login environment, including network connections and the programs that start when the user logs in.
- A policy deciding what software may be downloaded.

2.2. Network security architecture
2.2.1. Levels of information security on the network

Figure 2.1. Levels of information security on the network


Security is not a product, nor is it a software package; it is a way of thinking. Security can be started and stopped like a service. The assets to be secured are the things that members of the organisation want to protect. Responsibility for security lies with the network administrator. Network security plays a supremely important role. The security mechanism must cover the configuration of the server, the application perimeter of the organisation's network and even the clients that access the network remotely. Several areas must be considered:
- Physical security.
- System security.
- Network security.
- Application security.
- Remote access and its acceptance.

Security holes in a system are weaknesses that can cause service interruption, grant privileges to users, or allow illegal access to the system. Holes can lie in the services provided, such as sendmail, web and ftp. They also exist in the operating system itself, such as Windows NT, Windows 95, XP or UNIX, or in the applications that users work with all the time, such as word processors and databases.

2.2.2. Impact of network vulnerabilities
The section above analysed some cases of security holes; attackers can exploit these holes to create further holes, forming a chain of vulnerabilities. For example, suppose a saboteur wants to break into a system without a valid account on it. First they look for weak points in the system, either in its security policy or by using information-probing tools, to obtain access. Once that first goal is achieved, they can go on to study the services on the system, find their weaknesses and carry out more sophisticated sabotage.


However, is every security hole dangerous to the system? Many reports of security holes are posted on the Internet, and most of them are class C holes, which are not particularly dangerous to the system. For example, when sendmail holes were announced, they did not immediately affect the whole system. Once reports of a hole have been confirmed, the news groups publish some methods for fixing the system.

CHAPTER 3. CISCO FIREWALLS
3.1 THE ASA FIREWALL
- Cisco ASA stands for Cisco Adaptive Security Appliance. The ASA is Cisco's main edge security solution. Currently the ASA is the market leader in performance, offers models suited to enterprises and integrates network security solutions. The ASA product line saves cost and is easy to deploy. It includes the following features:
+ Real-time security on Cisco's proprietary operating system
+ Stateful firewall technology using Cisco's SA algorithm
+ SNR to secure TCP connections
+ Cut-through proxy to authenticate telnet, http and ftp
+ A default security policy that increases protection to the maximum, which you can also customise to build your own policy
+ VPN: IPSec, SSL and L2TP
+ Integrated intrusion detection and prevention (IDS/IPS)
+ Dynamic NAT, static NAT and port NAT
+ Policy virtualisation using contexts

3.1.1 The ASA product line
There are six different models. The product line is classified from small organisations through medium-sized enterprises to ISP service providers. The higher the model, the higher the throughput, port count and cost. The products are: ASA 5505, 5510, 5520, 5540, 5550, 5580-20, 5580-40.

Figure 3.1 The ASA 5550

For example, the specifications of the ASA 5550:

3.1.2 The ASA security algorithm
A main function of the ASA is stateful firewalling. A stateful firewall adds and maintains information about users' connections. This information is stored in the state table, usually called the conn table. The ASA firewall uses the conn table to enforce its security policy on user connections. Below is some of the information a stateful firewall keeps in the conn table:
+ Source IP address
+ Destination IP address
+ Protocol, such as TCP or UDP
+ Protocol information such as TCP/UDP ports, the TCP SYN and the TCP flags

3.1.2.1 How a stateful firewall works
Consider the following model:

Figure 3.2 (a). Stateful firewall mechanism

- PC-A on the internal network accesses a web server on the Internet.
- The HTTP request reaches the firewall; the firewall extracts PC-A's connection information (source address, destination address, IP protocol and any other protocol information) and places it in the conn table.
- The firewall then forwards the HTTP request to the web server.


Figure 3.2 (b). Stateful firewall mechanism

- The web server returns the web page to user PC-A.
- The firewall checks this reply packet and compares it with the entries in the conn table:
+ If it matches an entry in the conn table, the packet is permitted.
+ If it does not match any entry in the conn table, the packet is dropped.

A stateful firewall maintains this connection table. If the firewall sees the client close the connection, it removes the entry from the conn table. If an entry is idle for a period of time, the entry times out and the stateful firewall removes it from the conn table.

3.1.2.2 Comparing stateful and packet filtering firewalls
A stateful firewall is aware of the state of the connections passing through it; a packet filtering firewall, on the other hand, does not see the state of the connection.
A clear example for understanding packet filtering firewalls is the extended ACLs used on routers. With this kind of ACL, the router sees only the following information in each individual packet:
+ Source IP address
+ Destination IP address
+ IP protocol
+ Protocol information such as TCP/UDP ports
At first glance, the information a packet filtering firewall uses looks the same as that of a stateful firewall. However, a router using an ACL cannot tell whether a connection is being requested, already exists, or is being torn down; it sees only each individual packet passing through the interface. In other words, a packet filtering firewall checks only layer 3 and layer 4 of each packet.

3.1.2.3 Sequence Number Randomization (SNR)
The ASA firewall has a feature called Sequence Number Randomization (SNR). This feature is implemented by the security algorithm. SNR protects you against information loss and TCP session hijacking by hackers. As we know, a problem with TCP is that most TCP/IP implementations start the three-way handshake in a predictable way when choosing the SYN and ACK values. With various tools, a hacker can predict the next data that will be sent on the network, and once the correct sequence number has been guessed, the hacker can use this information to hijack the session and spoof the connection. The ASA firewall solves this problem by generating a random sequence number and placing it in the header of the TCP segment. The ASA replaces the old sequence number with the new one and records this in the conn table. For all return traffic from the destination host passing through the firewall back to the source, the ASA looks up this information and changes the ACK value back, so that the source host on the local network can accept the packet returned from the destination. Below is an example of SNR.


Figure 3.3 How SNR works

A TCP segment passes through the ASA firewall with sequence number 578. The ASA's SNR changes this value to a random sequence number, records it in the conn table (in this case 992), and forwards the segment to its destination. The destination is unaware of this change and replies to the source with ACK = 993. The firewall receives this reply and changes the value 993 back to 579, so that the source host does not reject the packet. Remember that the reply's ACK is one higher than the sequence number it acknowledges.
Note: SNR is transparent to both the source and the destination host. Cisco recommends that you do not disable this feature; if SNR is disabled, your network is exposed to TCP session hijacking attacks.
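To make the conn table and SNR behaviour of 3.1.2.1 to 3.1.2.3 concrete, here is a small Python model added to this text; it is not Cisco code and not part of the original thesis. It assumes constructed addresses and ports, fixes the "random" ISN to 992 so that the figure's numbers (578 out, 993 back to 579) can be reproduced, and simplifies connection teardown and omits idle timeouts.

```python
"""Toy model of the ASA conn table with Sequence Number Randomization (SNR)."""
import random
from dataclasses import dataclass, replace

MOD = 2 ** 32  # TCP sequence and acknowledgement numbers wrap at 32 bits


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN", "ACK"}, {"RST"}
    seq: int = 0
    ack: int = 0


@dataclass
class ConnEntry:
    state: str  # SYN_SENT -> ESTABLISHED -> CLOSING -> (removed)
    delta: int  # randomized ISN minus the inside host's real ISN, mod 2**32


class StatefulFirewall:
    """An inside->outside SYN creates an entry; return traffic must match one."""

    def __init__(self, isn_picker=None):
        # conn table keyed by (inside ip, inside port, outside ip, outside port)
        self.conn_table = {}
        # A real ASA draws the new ISN at random; the picker is injectable so
        # that the walk-through below reproduces the figure's numbers.
        self.isn_picker = isn_picker or (lambda: random.randrange(MOD))

    def outbound(self, seg):
        """Segment arriving on the inside (high-security) interface."""
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        entry = self.conn_table.get(key)
        if entry is None:
            if seg.flags != frozenset({"SYN"}):
                return "DROP", None  # no state, and not a connection request
            entry = ConnEntry("SYN_SENT", (self.isn_picker() - seg.seq) % MOD)
            self.conn_table[key] = entry
        elif entry.state == "SYN_SENT" and seg.flags == frozenset({"ACK"}):
            entry.state = "ESTABLISHED"  # third step of the handshake
        self._track_teardown(key, entry, seg)
        # SNR: shift the inside host's sequence number before forwarding
        return "FORWARD", replace(seg, seq=(seg.seq + entry.delta) % MOD)

    def inbound(self, seg):
        """Segment arriving on the outside (low-security) interface."""
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        entry = self.conn_table.get(key)
        if entry is None:
            return "DROP", None  # default deny: nothing in the conn table
        self._track_teardown(key, entry, seg)
        # Undo SNR: the outside host acknowledges the randomized number
        return "FORWARD", replace(seg, ack=(seg.ack - entry.delta) % MOD)

    def _track_teardown(self, key, entry, seg):
        """Drop the entry on RST, or once both sides have sent FIN (simplified:
        the final ACK of the close is not tracked; idle timeouts are omitted)."""
        if "RST" in seg.flags:
            self.conn_table.pop(key, None)
        elif "FIN" in seg.flags:
            if entry.state == "CLOSING":
                self.conn_table.pop(key, None)
            else:
                entry.state = "CLOSING"


def walk_through():
    """Replay the figure: SYN seq 578 leaves as 992, the ACK 993 comes back as 579."""
    fw = StatefulFirewall(isn_picker=lambda: 992)
    inside, outside = ("10.0.0.5", 40000), ("203.0.113.10", 80)  # constructed
    key = (*inside, *outside)
    out = {}
    out["syn"] = fw.outbound(Segment(*inside, *outside, frozenset({"SYN"}), seq=578))
    out["synack"] = fw.inbound(
        Segment(*outside, *inside, frozenset({"SYN", "ACK"}), seq=7000, ack=993))
    out["ack"] = fw.outbound(Segment(*inside, *outside, frozenset({"ACK"}), seq=579, ack=7001))
    out["state"] = fw.conn_table[key].state
    # Unsolicited SYN from a third host: no conn-table entry, dropped by default
    out["rogue"] = fw.inbound(Segment("198.51.100.9", 4444, *inside, frozenset({"SYN"}), seq=1))
    # Orderly close: a FIN from each side removes the entry
    fw.outbound(Segment(*inside, *outside, frozenset({"FIN", "ACK"}), seq=600, ack=7001))
    fw.inbound(Segment(*outside, *inside, frozenset({"FIN", "ACK"}), seq=7001, ack=601))
    out["closed"] = key not in fw.conn_table
    return out


if __name__ == "__main__":
    for name, value in walk_through().items():
        print(name, value)
```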

3.1.2.4 Cut-through Proxy

The SA security algorithm implements many of the security features of Cisco's operating system. Another security-enhancing algorithm is the Cut-through Proxy (CTP). CTP lets the ASA firewall inspect connections entering and leaving the network and authenticate them before they are allowed into the internal network. CTP is typically used when a user connects to a server that cannot perform authentication itself. The user connection is not authenticated by the ASA itself; instead a dedicated authentication server such as the Cisco Secure Access Control Server (CSACS) can be used. Cisco provides two authentication protocols, TACACS+ and RADIUS. CTP can authenticate the following kinds of connection:
+ FTP
+ HTTP and HTTPS
+ Telnet
When CTP is configured on the ASA firewall, it first authenticates the connection before allowing it through the firewall. The figure below describes step by step how CTP works.

Figure 3.4 CTP steps

- User Pong initiates a connection to the FTP server with IP address 200.200.200.2.
- The ASA firewall inspects this connection and checks whether there is an entry for it in the conn table. If an entry exists, the ASA permits the connection; but in this case the user must be authenticated first.
- If the ASA finds no entry matching the connection in the conn table, it prompts user Pong for a username and password and forwards this information to the authentication server.
- The authentication server checks its configured user table and compares. Depending on whether access is permitted or refused, the server sends an Allow or a Deny packet to the ASA.
+ If the ASA receives Allow, it adds the user's connection information to the conn table and permits the connection.
+ If the ASA receives Deny, it drops the connection or asks for the username/password again.
Once the user has been authenticated, all of the user's traffic is processed by the ASA at layers 3 and 4 of the OSI model. The difference from a traditional application proxy is that there all traffic is processed at layer 7 of the OSI model. With CTP, authentication is processed at layer 7 but the data traffic is processed at layers 3 and 4 in most cases.

3.1.2.5 Policy implementation
The security algorithm is responsible for implementing and enforcing the security policy. It also uses an inheritance model that lets you create several different security levels. To achieve this, each interface on the ASA must be assigned a value from 0 to 100, where 0 is the least secure and 100 is the most secure level. The security algorithm uses these security levels to enforce the default security policy. For example, the interface connected to the Internet has the lowest security level, and the interface connected to the LAN has the highest. The following four rules apply to all traffic passing through the ASA:
+ By default, traffic from an interface with a higher security level to an interface with a lower security level is permitted.
+ By default, traffic from an interface with a lower security level to an interface with a higher security level is denied.
+ By default, traffic from one interface to another interface with the same security level is denied.
+ By default, traffic entering and leaving on the same interface is denied.
The following example shows which traffic is permitted and which is not. In this example, a user on the local network initiating a connection to a web server on the Internet is permitted through the ASA, so the security algorithm adds the connection to the conn table. When the web server returns the web page from the Internet, it is permitted. Once the user closes the connection, the connection information is removed from the conn table. If a user on the Internet tries to access a web server on the local network, the security algorithm on the ASA automatically denies the connection. These rules are the defaults. We can create exceptions to them on the ASA, which usually fall into two categories:
+ Access permitted based on an account
+ Access based on filtering conditions

Figure 3.5 Policy implementation by the security algorithm

Another example: when a user on the Internet tries to access an FTP server on the local network, the connection is denied by default. You can use two methods to open the connection through the firewall:
+ Implement CTP to permit the connection
+ Use an ACL to open the connection temporarily
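The four default security-level rules and the ACL exception just described, as a small Python model added to this text (not Cisco code and not part of the original thesis). The interface names and levels, the 10.0.0.5, 203.0.113.10 and 198.51.100.9 addresses are constructed; 200.200.200.2 is the FTP server from the CTP example above; the conn-table handling of return traffic is deliberately left out.

```python
"""Toy model of ASA interface security levels with an inbound ACL exception."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dport: int
    proto: str = "tcp"


class SecurityLevelPolicy:
    """Decide new connections the way the four default rules do, unless an ACL
    applied to the ingress interface takes over (it ends in an implicit deny)."""

    def __init__(self, levels):
        for name, level in levels.items():
            if not 0 <= level <= 100:
                raise ValueError(f"{name}: security level must be 0..100, got {level}")
        self.levels = dict(levels)          # interface name -> security level
        self.acls = {}                      # ingress interface -> permitted (proto, dst_ip, dport)

    def permit(self, ingress, proto, dst_ip, dport):
        """Add one permit entry to the inbound ACL of `ingress`."""
        self.acls.setdefault(ingress, []).append((proto, dst_ip, dport))

    def decide(self, ingress, egress, flow):
        """Return (verdict, reason) for a new connection entering on `ingress`
        and leaving on `egress`."""
        if ingress not in self.levels or egress not in self.levels:
            raise KeyError("unknown interface")
        if ingress == egress:
            return "DENY", "rule 4: traffic in and out of the same interface"
        acl = self.acls.get(ingress)
        if acl is not None:
            # An applied ACL replaces the level-based default for that interface.
            if (flow.proto, flow.dst_ip, flow.dport) in acl:
                return "PERMIT", f"ACL on {ingress} permits {flow.proto}/{flow.dport} to {flow.dst_ip}"
            return "DENY", f"ACL on {ingress}: implicit deny"
        src, dst = self.levels[ingress], self.levels[egress]
        if src > dst:
            return "PERMIT", f"rule 1: {ingress}({src}) -> {egress}({dst}), higher to lower"
        if src < dst:
            return "DENY", f"rule 2: {ingress}({src}) -> {egress}({dst}), lower to higher"
        return "DENY", f"rule 3: {ingress} and {egress} share level {src}"


def demo():
    """Constructed three-interface ASA (plus a second DMZ at the same level)."""
    policy = SecurityLevelPolicy({"inside": 100, "dmz": 50, "dmz2": 50, "outside": 0})
    web_out = Flow("10.0.0.5", "203.0.113.10", 80)       # LAN user to Internet web server
    ftp_in = Flow("198.51.100.9", "200.200.200.2", 21)    # Internet user to the LAN FTP server
    results = {
        "inside_to_outside": policy.decide("inside", "outside", web_out)[0],
        "outside_to_inside": policy.decide("outside", "inside", ftp_in)[0],
        "dmz_to_dmz2": policy.decide("dmz", "dmz2", ftp_in)[0],
        "hairpin": policy.decide("outside", "outside", web_out)[0],
    }
    # Exception: open FTP to the server through the firewall with an ACL
    policy.permit("outside", "tcp", "200.200.200.2", 21)
    results["ftp_with_acl"] = policy.decide("outside", "inside", ftp_in)[0]
    results["other_with_acl"] = policy.decide("outside", "inside", web_out)[0]
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20} {verdict}")
```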

3.2. Controlling traffic with the ASA
3.2.1 Overview of TCP/IP
Before going into the configuration commands that permit traffic through the ASA, you must have a firm grasp of how the common protocols TCP, UDP and ICMP behave. This matters because the ASA treats these traffic flows differently when it filters packets as a stateful firewall.
TCP is a connection-oriented protocol: before data is carried across the network, several connection parameters must be negotiated to set up the connection. To carry out this negotiation, TCP goes through a three-way handshake:
+ In the first step, the source sends a TCP segment with the SYN flag set, indicating that it wants to open a connection.
+ When the server receives the segment carrying SYN, it acknowledges it with a SYN together with an ACK. This response is usually called SYN/ACK. The ACK value tells the source that the destination received the SYN it sent.
+ The source then sends an ACK back to the destination. This indicates that connection setup is complete.
Outbound connection requests
Once a connection is established, data flows in both directions through the ASA firewall. Suppose a user on the local network initiates a TCP connection to a server on the Internet. Because we have configured a rule for setting up TCP connections, it is easy for the ASA firewall to understand what is happening during connection setup; in other words, it is easy for the ASA firewall to inspect this traffic. As mentioned earlier, a stateful firewall keeps the complete state of the connection. In this example, the ASA firewall receives the packet carrying SYN and recognizes it as a connection request from inside the local network. Because it is a stateful firewall, the ASA adds this connection to its conn table, so the SYN/ACK packet returned from outside is allowed into the local network and the user on the local network can complete the connection with the final ACK. The ASA then permits traffic back and forth between the two hosts.
When a TCP connection is torn down, the teardown request passes through the firewall, which recognizes the state of the connection accordingly. Recognition is based on FIN and FIN/ACK, or on RST. The firewall then removes the connection entry from the conn table. That is why, once an entry has been removed from the conn table, the outside device can no longer connect into our LAN: all such traffic is dropped by default.
Inbound connection requests
Because the ASA firewall operates as a stateful firewall, all connections from the outside into the internal network are denied by default. To permit them, you must create a rule permitting the TCP connections you want.
TCP has one weakness, however: the parameters of the three-way handshake can be predicted, which often helps a hacker break into our internal network. For example, an attacker may send a large number of TCP SYNs at once to a computer inside the internal network, faking TCP connection setup. The attacker's goal is not to complete the three-way handshake but to keep sending SYNs in order to exhaust the resources of the computer on the local network.
3.2.2 Overview of UDP
UDP (User Datagram Protocol) is a connectionless protocol. Unlike TCP, it has no notion of connection state, which means there is no three-way handshake as in TCP. Instead, a device simply sends a UDP packet when it wants to communicate with another device. So there is no session setup at layer 4 of the OSI model and no transport-layer acknowledgement to signal the end of a transmission. UDP itself also has no flow control between two devices. Because of these limitations, UDP is usually used to send very small amounts of data between two devices.
A typical example for understanding UDP is DNS. DNS is used when a device needs to resolve a hostname into an IP address. The device sends a DNS query (a UDP packet) to the DNS server, and the DNS server answers with a single reply packet. In this case UDP is more efficient than TCP because only two packets travel back and forth.
Outbound connection requests
Let's look at another example that illustrates one of the issues the ASA firewall faces with UDP traffic. Suppose a user on the LAN connects to a TFTP server on the Internet. When the user initiates the TFTP connection, the firewall performs its stateful processing and adds this temporary connection to the conn table.
This allows any UDP segment from the external TFTP server back into the LAN.
Tm hiu Firewall trn cng ngh Cisco v demo mt s ng dng thc tin `Vn y l mt khi User hon thnh vic truyn file TFTP, firewall khng bit rng kt ni hon thnh. Bn s khng mun gi mi kt ni tm thi ny trong bng conn table sau khi vic vn chuyn file thnh cng. gii quyt vn ny thit b Firewall c mt gii php l: Firewall kim sot thi gian ch ca kt ni UDP. Mt khi Firewakk thy khng c lu lng no c truyn trong mt khong thi gian ch, n s xa kt ni ra khi bng conn table. i vi UDP, thi gian ch mc nh l 2 pht, tuy nhin bn c th ty chnh iu ny. Vic s dng thi gian ch khng phi l mt gii php hon ton thng minh, bi v khong thi gian ch hp l c th xy ra trong khi hay thit b UDO ang thc hin qu trnh truyn file khc v s tip tc kt ni ca chng ngay sau . Trong v d ny, firewall c th xa kt ni tm thi ny khi bng conn table, khi thit b bn ngoi tip tc truyn file th firewall s cm traffic v thi gian kt ni ht hn, v kt ni khng cn tn ti trong bng conn table na Ch rng mt vi ng dng UDP nh DNS c th thy c s n gin trong kt ni ca n hn TFTP. Trong v d v DNS, User khi to truy vn DNS th ch c 1 v ch 1 gi tin tr v t DNS Server. Trong hon cnh ny, firewall c th nhn bit xa kt ni khi bng conn table khi gi tin DNS reply vo mng LAN Yu cu kt ni n Nh ni t trc, bi v firewall asa hot ng theo c ch Stateful Firewall, n s khng cho php cc traffic vo trong mng cc b Lan ca chng ta nu ngun ca traffic l bn ngoi Internet. Bn phi cu hnh cho php traffic UDP ny Bi v UDP l giao thc khng hng kt ni nn gii quyt vn vi nhng yu cu kt ni n ny s to ra nhiu vn bo mt Khi ngt mt kt ni UDP, firewall s khng nhn bit c iu ny v n vn gi thng tin ca kt ni ny trong bng conn table. Nh vy mt k tn cng s li dng iu ny lm gi a ch IP ngun, Firewall s khng nhn bit c s xm nhp ny Bi v UDP khng s dng bt c qu trnh thit lp kt ni no nn khi khi to mt lung d liu, s kh khn trong vic phn bit s khc nhau gi vic bt u khi to hay ang khi to hay kt thc kt ni. V s hacker c th thc hin vic duy tr phin tn cng.
3.2.3 Overview of ICMP

ICMP (Internet Control Message Protocol) is a connectionless protocol, meaning it has no defined connection state.
ICMP is used for many purposes, including connectivity testing, reporting connection conditions, and configuration information. ICMP has several characteristics much like UDP: it is connectionless and has no flow control. So the firewall has the same problems with it as with UDP.
By default the firewall does not add ICMP packets to the conn table. So you must either use an ACL to permit the ICMP echo flow or enable ICMP inspection on the firewall. Once ICMP inspection is enabled, when an ICMP packet is sent out, the firewall records the sequence number in the ICMP header and at the same time adds the connection information to the conn table. The firewall then checks that the returning ICMP echo reply carries the sequence number of an existing connection, and the ICMP echo reply is permitted back into the LAN.
Other protocols
All other protocols and the connections associated with them are not inspected by the firewall. In other words, the firewall never adds these connections to the conn table.
Application and protocol issues: there are three main issues a stateful firewall must face:
- Applications with multiple connections

- Applications and protocols that embed addressing and connection information in the application payload
- Applications and protocols with security issues
Applications with multiple connections
One problem for a firewall is handling applications that use more than one connection, such as FTP, voice, database connections, and so on. Some of these protocols and applications require extra security handling through the firewall. Let's look at the following example, which illustrates the problem and offers a solution.
Figure 3.6 Application with multiple connections

In this network, the client initiates an FTP connection. For this type of connection, the client opens a TCP control connection to port 21 on the FTP server. Whenever the user issues an FTP command such as get or put over this connection, the client also sends the port that the FTP server should use. The FTP server then opens a second connection, usually called the data connection, with source port 20 and a destination port equal to the port the client sent earlier. So in this example the client opens a control connection to the server, and the server opens a data connection to the client.

With the ASA firewall, the user is connected to the interface with the higher security level, called Inside, while the server on the Internet is connected to the interface with the lower security level, called Outside. The second connection (port 20 for the data transfer) is denied by default, because it comes from the lower security level toward the higher one.
The solution is to configure the ASA firewall to inspect the application payload of the FTP control connection, so that it can determine whether the mode is active or standard, which commands are being issued, and which port the client wants to use for the data transfer. The ASA firewall can then add this connection to the conn table even before the second connection is initiated.
Addressing information embedded in the application
Some applications embed addressing information in the connection payload, expecting the destination device to use this information for secondary connections. However, this addressing information may already be present in the firewall's NAT table.
Figure 3.7 Addressing information embedded in the application

In this example we use FTP in active mode to illustrate the problem. For the data connection that must be opened, the client wants to use local port 51001. However, an entry for this port already exists in the firewall's NAT table. If the firewall does not handle this, the traffic may be translated incorrectly and sent to a different device on the network rather than the host that initiated and requested the connection. A good firewall should replace the addressing information in the payload with something else and create another entry in its NAT table for this connection. Cisco ASA products handle many such protocols and applications. The ASA firewall translates the port for the data connection to 60000 and adds this connection to the NAT table. It also updates the payload of the FTP control connection with port 60000. So when the server receives the request on the control connection, it uses port 60000 to send data back to the client, and the firewall translates it back to 51001.
3.3 Overview of NAT
One of the many things you have to deal with in your network is assigning IP addresses to all network devices. Because public IPv4 addresses are running out, in many cases you have to use private addresses for the devices on your LAN.
3.3.1 Private addresses
To address IP address exhaustion and meet the growing need of companies to connect to the Internet, the IETF developed RFC 1918.
Figure 3.8 Private addresses
As you can see from the address table, you should have enough private addresses to meet a company's needs. Each device in the network is assigned a unique IP address. However, RFC 1918 states that packets containing a private address as either the source or the destination address will not be forwarded on the public network.
Imagine two companies, company A and company B, that both use the private range 10.0.0.0/8 for the devices on their LANs. Obviously this creates many problems, because the two companies have overlapping addresses. In this case the overlapping subnets prevent the network devices from communicating with each other. For example, both companies use 10.1.1.0/24, as shown below.

For connections within each company there is no problem, but if these two subnets need to connect to each other, that is impossible. The border router between the two networks cannot link them together.
3.3.2 The need for NAT
To solve the overlapping address problem, as well as the problem of using private IP addresses while accessing public networks, the IETF developed RFC 1631. RFC 1631 defines how NAT is performed. It lets you translate a private address in the IP packet header to a different IP address. Below are some common situations in which you may need to deploy NAT:
- You need to merge two networks together.
- Your ISP assigns you a limited number of public IP addresses and you need to provide Internet access to many devices

- You were given a public IP address space and, when you move to another ISP, the new ISP does not provide the public IP addresses you are currently using
- You have a network service on a device and you need to publish it on the Internet so that anyone can access it
3.3.3 Benefits of NAT
One of the main benefits of NAT is the freedom to use a large number of private IP addresses, more than 17 million. This includes one class A network, 16 class B networks and 256 class C networks. When you use private IP addresses, even if you change ISPs you do not need to re-address the devices on your LAN; you only need to change the NAT configuration on the firewall to match the new public IP addresses.
Because all traffic must pass through the firewall to reach the devices with private IP addresses, you can control the following:
- Which Internet sources may access our Inside network
- Which users on the Inside network are allowed to access the Internet
3.3.4 NAT terms and definitions
Many kinds of devices can perform NAT: a firewall, a router, a proxy gateway, or even a file server. Cisco routers running IOS 11.2 and firewalls are capable of NAT. To better understand the commands used on the firewall to configure NAT, you need to understand some terms commonly used with NAT:

Inside: the addresses being translated, usually the private IP addresses of devices inside the LAN, or public addresses bought from the ISP
Outside: addresses allocated on the Internet
Inside Local: the private addresses assigned to hosts inside the LAN
Inside Global: the public addresses assigned to inside hosts, usually from the address pool provided by the ISP
Outside Global: the addresses assigned to outside devices
3.3.5 Some typical NAT examples
There are many types of NAT a firewall can perform. In this section you will see two examples: NAT and PAT.

Figure 3.8 NAT example
NAT example
As mentioned earlier, NAT translates one address to one address. You usually use static NAT when you have a server that everyone on the Internet should be able to reach. For the users on the local network, however, you create a pool of IP addresses, and the NAT device assigns public IP addresses from that pool to the devices on the local network. In this example a user on the local network is accessing a resource on the Internet (the user at 192.168.1.5 is trying to reach 201.201.201.2).
Figure 3.9 NAT example (a)
In figure 3.9 you can see the actual data transfer from 192.168.1.5. The firewall receives the packet from 192.168.1.5, decides whether it needs to perform NAT, and forwards the packet to its destination. The firewall sees the incoming packet and compares it with its NAT rules. Because the packet matches a rule in the NAT policy, the firewall translates the source address of the packet from 192.168.1.5 to 200.200.200.1, which is a public IP address. Next you can see the destination, 201.201.201.2, receiving the packet: it sees the source address as 200.200.200.1. This is transparent both to the user on the local network and to the server.
Figure 3.9 NAT example (b)
When the server sends the reply packet back to the user, it uses the public IP address it saw after NAT, 200.200.200.1. The firewall receives the packet and checks its NAT policy. Having decided that it needs to translate the address back to the original, it finds 200.200.200.1, changes this public IP address back to the original private IP address 192.168.1.5, and forwards the packet to the user on the local network.
PAT example
With PAT, the firewall changes both the IP address and the TCP/UDP port of the packet. In this example the ISP assigns you a single public IP address and you need to use this address for all user connections to the Internet.
Figure 3.10 PAT example (a)

In the figure above, the user at 192.168.1.5 telnets to 201.201.201.2. The firewall receives the packet, compares the packet information with its NAT policy, and decides whether it needs to perform NAT. Since the packet matches the policy, the firewall performs NAT and changes the private address 192.168.1.5 to 200.200.200.1. In this case the source port, 1024, is not yet in use in the NAT table, so it is kept unchanged. Note that the firewall adds this NAT entry to its NAT table so that it can handle the traffic returning to the local network. The server receives the translated packet; once again, the NAT process is transparent to both the source host and the server.
When the server sends a packet back, it uses destination IP address 200.200.200.1 and destination port 1024. When the firewall receives this packet, it decides whether to perform NAT and then looks for a matching entry in its NAT table. On a match, it changes the destination address from 200.200.200.1 to 192.168.1.5 and restores the original source port.
Another example: suppose a local host at 192.168.1.6 also telnets to 201.201.201.2 with source port 1024.
Figure 3.10 PAT example

The firewall receives the packet, and it matches the configured NAT policy. The firewall creates an entry in the NAT table for the user's connection. In this case the public IP address 200.200.200.1 is used. However, because source port 1024 already exists in the NAT table, the firewall assigns a different port, 1025, to this user's connection. The different source ports let the destination device tell the connections of 192.168.1.5 and 192.168.1.6 apart, and also let the firewall translate the packets returning from 201.201.201.2.
3.4 Configuring NAT

This section focuses mainly on the address translation policies applied to traffic passing through your devices. We present how to configure dynamic NAT and PAT, how to configure static NAT and PAT, how to limit the number of TCP connections, how to prevent TCP SYN attacks, and how to verify the translation configuration. A translated address must satisfy the following requirements:
Configuration requirements: In version 6 and earlier, you always had to configure a NAT rule for packets. In other words, if a packet was not permitted by a NAT rule, it was denied. This rule applied to both inbound and outbound traffic. In version 7, NAT is optional and not required. To enable this NAT requirement, use the following command:
Asa(config)#nat-control
First, we require address translation with the nat-control command; this rule works the same way as in version 6.0. If the inbound and outbound policies cannot be matched to a valid translated address, the packet is dropped. There is one exception to this rule: if the two interfaces involved in the exchange have the same security level, no translation is needed for packets to pass between them.
3.4.1 Configuring dynamic NAT
Configuring a dynamic translation (either NAT or PAT) involves two steps:
Identifying the local addresses to be translated
Creating the global address(es) that the local addresses can be translated to
Either step can be configured first without any problem. The following sections walk through the steps for setting up dynamic NAT and PAT and describe several different examples of dynamic translation.
Identifying local addresses for translation

To identify a local address that can be translated, use the nat command as follows:
ciscoasa(config)# nat (logical_if_name) NAT_ID local_IP_addr subnet_mask [tcp] max_TCP_conns [embryonic_conn_limit] [udp max_UDP_conns] [dns] [norandomseq]

The nat command specifies which local addresses will be translated; what they are translated to is specified in the global command. The logical name of the interface where the devices to be translated reside appears in parentheses, for example (inside). NAT_ID ties a nat command and a global command together into one policy. Apart from some exceptions, the number you use for the NAT_ID (the policy number) does not matter. There is one special case: if you enter 0, you are telling the device that the addresses that follow in the nat command should not be translated. Cisco calls this feature identity NAT; it was introduced in version 6.2. You may want identity NAT if you have a mix of public and private addresses in use inside your network: for the computers with public addresses, you can disable NAT with the nat 0 command, specifying the address or addresses of those devices. If you specify a network number as the local address, you also enter the matching subnet mask; to translate every address (all the addresses behind the inside interface), use:
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
The NAT_ID corresponds to that of the global command. Note that 0.0.0.0 0.0.0.0 can be shortened to 0 0. You can limit the total number of TCP connections with max_TCP_conns, and the number of half-open (embryonic) TCP connections with embryonic_conn_limit. Starting with version 7.0 you can also limit the maximum number of UDP connections. If you do not configure connection limits for the devices covered by a policy, the conn table simply accepts their connections. To display your nat commands, use: show run nat.
Creating a pool of global addresses
A translation policy is always configured between a pair of interfaces, such as inside and outside, or dmz and outside. The nat command defines the local, or source, interface of a translation; to define the destination, or exit, interface that holds the global addresses, use the global command:
ciscoasa(config)# global (logical_if_name) NAT_ID {first_global_IP_addr[-last_global_IP_addr] [netmask subnet_mask] | interface}
logical_if_name is the logical name of the interface; traffic is translated and sent out on this interface. NAT_ID is the parameter that ties the command to a nat command. After it come the global address or range of addresses that may be used. A PAT translation can be removed from the table when no matching connection remains in the conn table or its connection timeout expires, whereas a NAT translation is governed by the timeout command (the default expiry is 3 hours).
Using ACLs
One problem with the nat command is that by default translation can only be controlled by the local address of outgoing packets; you cannot control translation based on both the source and destination addresses involved. So far we have only been identifying local addresses for translation. To address this, Cisco lets you associate a translation policy with an access control list (ACL): if traffic matches a permit statement in the ACL, the corresponding policy is used. Here is the syntax of the nat command with an ACL:
ciscoasa(config)# nat [(logical_if_name)] NAT_ID access-list ACL_ID [tcp] max_TCP_conns [embryonic_conn_limit] [udp max_UDP_conns] [dns] [norandomseq]
Below are two examples using ACLs.
Address translation example
Assuming you now understand the syntax of the global and nat commands, let's get a better grasp of address translation policies on the device through a simple example. In figure 3.11, the device performs NAT for any internal device with an address in 192.168.3.0/24 or 192.168.4.0/24. The NAT policy configuration for this example is:
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa(config)# global (outside) 1 200.200.200.10-200.200.200.254 netmask 255.255.255.0
In this example, address translation is required by the nat-control command. Every device behind the inside interface has its source address translated to an address in 200.200.200.0 when the packet exits the outside interface. The address is chosen automatically by the device.
Figure 3.11 Simple NAT configuration example
Simple PAT configuration example

Figure 3.12 Simple PAT configuration example
We use the network diagram above to illustrate this example. The configuration is:
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
This is a PAT example in which the device uses the address of its outside interface for PAT. This address may be static, or it may be obtained automatically through DHCP or PPPoE. In this example the device connects directly to the ISP and obtains its outside interface address automatically.
NAT and PAT configuration example
To illustrate the use of both NAT and PAT policies on one device, we use the following commands:
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 192.168.3.0 255.255.255.0
ciscoasa(config)# global (outside) 1 200.200.200.1-200.200.200.125 netmask 255.255.255.128
ciscoasa(config)# nat (inside) 2 192.168.4.0 255.255.255.0
ciscoasa(config)# global (outside) 2 200.200.200.126 netmask 255.255.255.255
In this example the device combines NAT and PAT for the inside devices:
1. 192.168.3.0/24 is translated to 200.200.200.1-125 (using NAT)
2. 192.168.4.0/24 is translated to 200.200.200.126 (using PAT)

Figure 3.13 NAT and PAT configuration example
PAT example with two global addresses
This illustrates the use of two global addresses on one device, using the network diagram of figure 3.11. The configuration is:
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa(config)# global (outside) 1 200.200.200.1 netmask 255.255.255.255
ciscoasa(config)# global (outside) 1 200.200.200.2 netmask 255.255.255.255
This configuration performs PAT on all inside-to-outside connections using the two addresses given in the global commands.
PAT and identity NAT
This example uses PAT and identity NAT on one device, with the network diagram of figure 3.13. PAT is performed for 192.168.3.0/24, but addresses in 200.200.200.128/25 are not translated, since those devices already have public IP addresses. The configuration is:
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 0 200.200.200.128 255.255.255.128
ciscoasa(config)# nat (inside) 1 192.168.3.0 255.255.255.0 50 25
ciscoasa(config)# global (outside) 1 200.200.200.1 netmask 255.255.255.255

Figure 3.14 PAT with no NAT configuration example
In the example above, PAT is applied when addresses from 192.168.3.0/24 on the inside exit the outside interface, while 200.200.200.128/25 is not translated. The next example uses NAT with three interfaces; with more devices the configuration works the same way. To see the added complexity, consider the following example:
Figure 3.15 NAT configuration example with 3 interfaces
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa(config)# nat (dmz) 1 192.168.5.0 255.255.255.0
ciscoasa(config)# global (outside) 1 200.200.200.10-200.200.200.254 netmask 255.255.255.0
ciscoasa(config)# global (dmz) 1 192.168.5.10-192.168.5.254 netmask 255.255.255.0
In this example three interfaces take part in address translation: inside, outside and dmz. The translation policies are:
Inside to dmz: this policy uses the nat command on inside and the global command on dmz (both with NAT_ID 1). Any traffic going from the inside interface to the dmz interface is translated using the range 192.168.5.10 to 192.168.5.254.
Dmz to outside: this policy uses the nat command on dmz and the global command on the outside interface (both with NAT_ID 1). Any traffic leaving through the outside interface is translated to an address in the range 200.200.200.10 to 200.200.200.254.
NAT configuration example using ACLs
Figure 3.15 NAT policy example

ciscoasa(config)# access-list Site_A permit tcp 10.0.1.0 255.255.255.0 host 172.16.10.1
ciscoasa(config)# nat (inside) 100 access-list Site_A
ciscoasa(config)# global (outside) 100 172.16.1.100 netmask 255.255.255.255
ciscoasa(config)# access-list Site_B permit tcp 10.0.1.0 255.255.255.0 host 172.17.10.2
ciscoasa(config)# nat (inside) 101 access-list Site_B
ciscoasa(config)# global (outside) 101 172.17.1.88 netmask 255.255.255.255
In the example above, any packet from 10.0.1.0/24 sent to 172.16.10.1 is translated using PAT to the IP address 172.16.1.100. Any packet from 10.0.1.0/24 sent to 172.17.10.2 is also translated with PAT, but to a different global address, 172.17.1.88. In this example ACLs are used to control when translation takes place: both the source and the destination of the connection are part of the match.
Identity NAT policy
In this example we configure the device for a SOHO site; traffic going to the Internet is translated using PAT.
The device configuration is:
SOHO(config)# access-list VPN-EXEMPT-NAT permit ip 10.100.10.0 255.255.255.0 10.10.0.0 255.255.0.0
SOHO(config)# nat-control
SOHO(config)# nat (inside) 0 access-list VPN-EXEMPT-NAT
SOHO(config)# nat (inside) 1 10.100.0.0 255.255.0.0
SOHO(config)# global (outside) 1 interface
When traffic goes through the site-to-site VPN tunnel to the corporate office, it should not be translated: the access-list and nat (inside) 0 commands implement this policy. When traffic goes from the SOHO to the Internet, it is translated using PAT: the nat (inside) 1 and global (outside) 1 commands implement this policy.

Figure 3.16 Identity NAT policy example

3.4.2 Configuring static NAT


Syntax for configuring static NAT
Static NAT is commonly used for inbound connections: you have a server on a higher-level interface that you want a lower-level interface to reach, for example the web, email and DNS servers in the dmz. This section covers how to create a static NAT.
Here is the syntax for creating a static NAT:
ciscoasa(config)# static (local_if_name,global_if_name) global_IP_addr local_IP_addr [netmask subnet_mask] [tcp [max_conns [embryonic_conn_limit]] [udp max_conns] [dns] [norandomseq]
Of all the commands on Cisco devices, the static command is one whose configuration is nearly the same every time; its required parameters are the local interface, the global address and the local IP address.
Static NAT example
To illustrate a static NAT policy configuration, we use the network diagram in figure 3.17, which shows both static and dynamic NAT:
ciscoasa(config)# nat-control
ciscoasa(config)# static (dmz,outside) 200.200.200.1 192.168.5.2 netmask 255.255.255.255
ciscoasa(config)# static (dmz,outside) 200.200.200.2 192.168.5.3 netmask 255.255.255.255
ciscoasa(config)# static (inside,outside) 200.200.200.3 192.168.4.1 netmask 255.255.255.255
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa(config)# global (outside) 1 200.200.200.10-200.200.200.254 netmask 255.255.255.0
ciscoasa(config)# global (dmz) 1 192.168.5.10-192.168.5.254 netmask 255.255.255.0
Figure 3.17 Static NAT configuration example
In this example the device has three interfaces: inside, outside and dmz. The first static command creates a static NAT policy for the DMZ email server: outside users send traffic to 200.200.200.1, which is translated to 192.168.5.2 and forwarded to the dmz. The second command creates a static NAT policy for the DMZ web server: outside users send traffic to 200.200.200.2, which is translated to 192.168.5.3 and forwarded to the dmz. The third command creates a static NAT policy for the internal FTP server: outside users send traffic to 200.200.200.3, which is translated to 192.168.4.1 and forwarded to the inside interface. The two remaining translation policies add outbound access: when traffic is sent from inside to outside, the addresses are translated with dynamic NAT to the range 200.200.200.10 to 200.200.200.254, and when inside users access the DMZ segment, the addresses are translated to the range 192.168.5.10 to 192.168.5.254.
3.4.2 Configuring static PAT
Syntax for configuring static PAT
The static command is also used to redirect traffic sent to a destination address and destination port to another internal host (and possibly a different destination port). Here is the syntax:
ciscoasa(config)# static (local_if_name,global_if_name) {tcp | udp} {global_IP_addr | interface} global_dest_port_# local_IP_addr local_port_# [netmask subnet_mask] [tcp [max_TCP_conns [embryonic_conn_limit]] [udp max_UDP_conns] [dns] [norandomseq]
For port redirection, specify the IP protocol: UDP or TCP. The global IP address is the public IP address that outside users send traffic to; instead of this address you can specify the interface parameter, meaning the address the device has on that interface. The global port number is the application port that outside devices connect to, for example port 21 for FTP. local_IP_address is the real address configured on the internal device, and local_port_# is the port the application is listening on on the internal device. The other parameters were described earlier in the section on identifying local addresses for translation.
Static PAT example
To illustrate a static PAT, or port address redirection (PAR), policy, we use the network diagram in figure 3.18. The following command configures PAR:

Figure 3.18 Static PAT example
ciscoasa(config)# static (inside,outside) tcp interface 80 192.168.1.20 80 netmask 255.255.255.255
In this example, web traffic sent to port 80 at the IP address of the device's outside interface is forwarded to 192.168.1.20 on port 80 through the inside interface.
3.5 Access Control
In the previous section we discussed some of the commands with which the device performs address translation, such as global, nat, and static PAT. This section expands on the topic of controlling traffic through the device:
- Using access control lists (ACLs) to filter traffic through the device
- Using object groups to simplify ACL management
- Filtering ICMP packets destined to the device
- Troubleshooting connectivity with the packet tracing and packet capture features
3.5.2 Comparing router ACLs and ASA firewall ACLs
Cisco is trying to move to a unified command-line interface across its network products, as you can clearly see with the ACL commands on its devices. This section presents the similarities and a few differences between ACLs on the firewall and ACLs on IOS routers.
- A group of ACL statements is labeled with an identifier for the group
- Both standard and extended ACLs are available on the ASA firewall
- The syntax of the rules is the same
- Each rule is processed in order from top to bottom, starting with the first rule
- There is an implicit deny at the end of every ACL that blocks all remaining traffic
- When a rule is added, it is appended to the end of the list by default
- When editing an ACL, you can delete rules and insert rules into the list
- You can add remarks to ACLs
- Each ACL can be enabled or disabled based on date and time (timed ACLs)
3.5.3 Creating and applying ACLs
Earlier we went through a few simple examples of TCP traffic flowing through the device, in the section "TCP connection example". We build on that topic here to give a better understanding of what the device does with packets entering and leaving its interfaces. Here are the steps a packet goes through when it enters an interface:
1. The device compares the packet's information with the existing connections in the state table to determine whether the packet is part of a new or an existing connection. If it belongs to an existing connection, the packet is allowed through and the rest of the ACL checks listed here are skipped.
2. Assuming address translation is enabled, this step is performed. For inbound connections, the destination address is compared with the translation policies to ensure that it can be translated. For outbound connections, the destination address is compared with the translation policies to ensure that it can be translated. If no translation policy matches, the packet is dropped. Note that the translation does not actually take place at this step.
3. If this is an inbound packet, it must match a permit statement in the ACL applied inbound on the interface; otherwise the packet is dropped. If this is an outbound packet and no ACL exists, the traffic is allowed to go from a higher to a lower security level by default; otherwise, if an ACL exists on the interface, the packet must match a permit statement in the ACL or it is denied.
4. The device then does a route lookup to determine the egress interface it needs to use. This is needed to identify the ACLs to process and to perform address translation, if enabled.
5. Assuming address translation is configured, the destination addressing information is untranslated with a static command or translated with the nat and global commands.
6. At this point the connection is added to the conn table and tracked.
3.5.4 Applying an ACL
Standard ACL
Like IOS routers, the ASA firewall supports standard ACLs that filter packets based on IP address. However, the firewall cannot use standard ACLs to filter traffic entering or leaving an interface.
Syntax

Extended ACL
Can filter traffic entering or leaving an interface. Filters on source and destination address, protocol and application.

Timed ACL
A timed ACL can be enabled or disabled depending on the time range you configure.
For example, you need to permit access to a server from 8:00 am to 6:00 pm.
Creating time ranges

Verifying the ACL configuration
To list the statements in an ACL, you have two options. First, show run access-list and show run access-group display the configuration in the running-config. Second:
ciscoasa(config)# show access-list [ACL_ID]
If you do not want to view a single ACL, you can view all ACLs:
ciscoasa(config)# show access-list
3.5.5 Some examples
ASA with two interfaces: Example 1
Permit all outbound traffic
Restrict inbound traffic to the internal server

Hnh 3.19 v d v NAT vi 2 interface V d c 2 interface

There are two groups of devices in the LAN, group A (192.168.1.128-192.168.1.191) and group B (192.168.1.192-192.168.1.254). The rules are as follows.

For group A:
- Block access to the 131.108.0.0/16 network
- Block access to the web servers in 210.210.210.0/24
- Allow Internet access

For group B:
- Allow access to all devices in the 140.140.0.0/16 network
- Allow access to the web servers 210.210.210.5/32 and 211.211.211.3/32
- Deny access to all other Internet networks
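An added configuration (not the page's own) implementing the rules above for the topology of Figure 3.19. Group A corresponds to 192.168.1.128/26 and group B to 192.168.1.192/26; the ACL name OUTBOUND and the interface name inside are assumptions, and the "web server" rules for group B are written as TCP port 80 rules.

```cisco
! Added example, not the page's own configuration. Assumed: ACL name
! OUTBOUND, interface name inside. Group A = 192.168.1.128/26,
! group B = 192.168.1.192/26 (mask 255.255.255.192).

! Group A: the two denies must precede the permit, because the ASA stops
! at the first matching entry
access-list OUTBOUND extended deny ip 192.168.1.128 255.255.255.192 131.108.0.0 255.255.0.0
access-list OUTBOUND extended deny ip 192.168.1.128 255.255.255.192 210.210.210.0 255.255.255.0
access-list OUTBOUND extended permit ip 192.168.1.128 255.255.255.192 any

! Group B: only the listed destinations are allowed; the closing deny is
! explicit so that blocked attempts are logged (the implicit deny at the
! end of every ACL drops silently)
access-list OUTBOUND extended permit ip 192.168.1.192 255.255.255.192 140.140.0.0 255.255.0.0
access-list OUTBOUND extended permit tcp 192.168.1.192 255.255.255.192 host 210.210.210.5 eq www
access-list OUTBOUND extended permit tcp 192.168.1.192 255.255.255.192 host 211.211.211.3 eq www
access-list OUTBOUND extended deny ip 192.168.1.192 255.255.255.192 any log

! Binding the list inbound on inside replaces the default "higher to lower
! security level is allowed" behaviour for that interface, so hosts that
! belong to neither group (192.168.1.1-127) now hit the implicit deny too
access-group OUTBOUND in interface inside

show access-list OUTBOUND
```

Note the side effect called out in the last comment: once any ACL is applied to an interface, everything not explicitly permitted is dropped, so hosts outside both groups lose Internet access unless a permit for them is added.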

ASA with three interfaces

Topology:

Figure 3.20: NAT example with a three-interface model

Configuration:

Configure a few packet-filtering policies.

For DMZ users:
- Not allowed to access anything on the 192.168.1.0/24 network
- The hosts 192.168.5.5 and 192.168.5.6 are allowed to access 192.168.2.0/24
- Devices in the DMZ may access the Internet

For internal users:
- Users may access the e-mail and web servers in 192.168.5.0/24, but no other devices on that network
- Users may not access 192.168.1.0/24
- Devices on 192.168.2.0/24 and 192.168.3.0/24 are allowed to access the Internet
- Devices on 192.168.4.0/24 may access 131.108.0.0/16, 140.140.0.0/16 and 210.210.210.0/24 on the Internet

For external users:
- Users are allowed to access the e-mail server in the DMZ
- Users are allowed to access the web server in the DMZ
- All other access is denied
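An added configuration (not the page's own) for the three-interface topology of Figure 3.20, with one ACL per interface. Assumptions: the interfaces are named inside, dmz and outside; 192.168.5.5 is the e-mail server and 192.168.5.6 the web server (the page does not say which host is which); the public addresses 200.1.1.5 and 200.1.1.6 and the ACL names are made up; NAT uses the pre-8.3 static syntax the page uses elsewhere.

```cisco
! Added example, not the page's own configuration. Assumed: interface
! names inside/dmz/outside, mail server 192.168.5.5, web server
! 192.168.5.6, public addresses 200.1.1.5/.6, ACL names.

! ----- dmz interface: what DMZ hosts may initiate -----
access-list DMZ-IN extended deny ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ-IN extended permit ip host 192.168.5.5 192.168.2.0 255.255.255.0
access-list DMZ-IN extended permit ip host 192.168.5.6 192.168.2.0 255.255.255.0
! Assumption, not a page rule: keep the other internal ranges unreachable
! from the DMZ before opening the Internet to it
access-list DMZ-IN extended deny ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list DMZ-IN extended permit ip 192.168.5.0 255.255.255.0 any
access-group DMZ-IN in interface dmz

! ----- inside interface: what internal users may initiate -----
object-group network NET4-DESTS
 network-object 131.108.0.0 255.255.0.0
 network-object 140.140.0.0 255.255.0.0
 network-object 210.210.210.0 255.255.255.0
! the two DMZ servers first, then deny the rest of the DMZ
access-list INSIDE-IN extended permit tcp any host 192.168.5.5 eq smtp
access-list INSIDE-IN extended permit tcp any host 192.168.5.5 eq pop3
access-list INSIDE-IN extended permit tcp any host 192.168.5.6 eq www
access-list INSIDE-IN extended deny ip any 192.168.5.0 255.255.255.0
! only traffic that actually crosses the ASA is subject to this deny
access-list INSIDE-IN extended deny ip any 192.168.1.0 255.255.255.0
access-list INSIDE-IN extended permit ip 192.168.2.0 255.255.255.0 any
access-list INSIDE-IN extended permit ip 192.168.3.0 255.255.255.0 any
access-list INSIDE-IN extended permit ip 192.168.4.0 255.255.255.0 object-group NET4-DESTS
access-group INSIDE-IN in interface inside

! ----- outside interface: only the two published DMZ services -----
! Pre-8.3 NAT: an ACL on the outside interface matches the translated
! (public) address, so the static translations are defined first
static (dmz,outside) 200.1.1.5 192.168.5.5 netmask 255.255.255.255
static (dmz,outside) 200.1.1.6 192.168.5.6 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 200.1.1.5 eq smtp
access-list OUTSIDE-IN extended permit tcp any host 200.1.1.6 eq www
access-group OUTSIDE-IN in interface outside
! Anything not listed above is dropped by the implicit deny of each list
```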

3.6 Web content

In the previous section we looked at the filtering capabilities of the appliances, ACLs among them. A limitation of ACLs is that they can only filter on addresses at the network and transport layers of the OSI reference model; they cannot read the content of the information being downloaded. Consider an attacker who builds a malicious Java applet or ActiveX control that users download and run. An ACL can only permit or deny TCP port 80, which carries that Java applet along with everything else; it cannot single out the applet. ACLs have the same problem with web content filtering. Imagine a policy that forbids users from visiting objectionable web sites: because the sites change all the time, you would constantly be adding entries to your ACLs, and the process quickly becomes unmanageable. A further concern is that downloading web content consumes a great deal of bandwidth, especially when many users download the same content from the same site.

There are three solutions to these problems. The first is the appliance's ability to filter Java applets and ActiveX scripts embedded in HTTP connections. The second is content filtering, which lets the appliance work with third-party content-filtering software to filter HTTP and FTP. The third is support for the Web Cache Communication Protocol (WCCP), which lets the appliance redirect web requests to an external web cache server that downloads the content. The topics in this section are:
- Filtering Java and ActiveX
- Web content
- Web caching

3.6.1 Filtering Java and ActiveX

The appliance can filter both Java applets and ActiveX scripts without any additional software or hardware. Basically, it looks for HTML containing <object> tags and replaces them with comments. These tags include <APPLET>, <OBJECT> and <OBJECT CLASSID>. This feature lets you prevent malicious applets and scripts from being downloaded to users' computers while still allowing the rest of the page to load. One advantage of using the appliance for this is that it gives you a central point for your filtering policy. However, the filter can only be applied based on the IP address of a web server, so you cannot filter by browser or by the actual intent of the content; you can, however, use the appliance together with other tools, such as secure browser settings and a content-filtering tool, to provide the best protection for your network.

The next two subsections discuss how to filter Java applets and ActiveX scripts on your appliance.

Configuring Java and ActiveX filtering

Basically you have only one way to filter Java applets directly on the appliance. The syntax of the command is:

    ciscoasa(config)# filter java port_name_or_#[-port_name_or_#] internal_IP_address subnet_mask external_IP_address subnet_mask

One thing you will notice is that you do not activate the filter on an interface as you do with an ACL: the filter java command is applied automatically to traffic entering any interface of the appliance. The first parameter you enter is the name or number of the port carrying the web traffic; obviously, one port you will probably use is 80. You can enter a range of ports or, if they are not contiguous, enter them in separate filter java commands. The other two pieces of information are two IP addresses with their subnet masks. Note that this is not ACL syntax: it specifies a source and a destination address. The first address in the filter java command is the addressing information on the side of the interface with the higher security level; the second is the addressing information on the side of the interface with the lower security level. For example, to filter all Java applets on HTTP connections you would use either of the following:

    ciscoasa(config)# filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    -or-
    ciscoasa(config)# filter java http 0 0 0 0

If you want to filter Java applets coming from the external network 192.1.1.0/24 for all internal users, the configuration is:

    ciscoasa(config)# filter java 80 0 0 192.1.1.0 255.255.255.0

Configuring ActiveX filtering

Here is the syntax of the filter activex command:

    ciscoasa(config)# filter activex port_name_or_#[-port_name_or_#] internal_IP_address subnet_mask external_IP_address subnet_mask

The syntax of the filter activex command is basically the same as that of filter java, and it is processed the same way. To filter all ActiveX scripts, use either of the following:

    ciscoasa(config)# filter activex 80 0 0 0 0
    -or-
    ciscoasa(config)# filter activex http 0 0 0 0
As you can see, filtering ActiveX scripts is no different from filtering Java applets; both are easy to set up.

3.6.2 Web content

One concern of many companies connected to the Internet is the kind of information their employees are downloading to their desktops. Several studies have been done, and on average 30-40% of a company's Internet traffic serves no business purpose. In some cases the material an employee downloads can be offensive to other employees; it can range from pornographic to political or religious content. A lot of downloaded content, such as stock quotes and streaming audio and video, is harmless but can consume expensive bandwidth. The appliances have a limited ability to restrict and cut off connections when filtering web content. A far more scalable solution is to have the appliance work with a third-party product that provides comprehensive web filtering. The following subsections cover how the appliance interacts with web filtering products, which third-party filtering products it supports, and how to configure the appliance for web filtering.

The web filtering process

To perform web content filtering, sometimes called web filtering, two components are involved:
- Policies must be defined that determine what users are or are not allowed to do.
- The policies must be enforced.

Two methods of implementing this are commonly deployed in networks:
- Application proxy
- Modified proxy

The next two subsections discuss these approaches.

Application proxy

With an application proxy, both components (policy definition and enforcement) are implemented on a single server. Users' web browsers are either configured to point at the proxy, or their traffic is redirected to it. With an application proxy, the following steps occur when a user wants to download web content:
1. The user opens a web page.
2. All connections are redirected to the application proxy server, which may require the user to authenticate before external access is allowed.
3. The application proxy examines the connection(s) and compares them with its list of configured policies.
4. If the connection is not allowed, the user is usually shown a web page describing the policy violation.
5. If the connection is allowed, the proxy opens the connections needed to download the content. The content is then relayed back over the user's original connection and displayed in the user's web browser.

Modified proxy

A modified proxy splits the two policy components: an external server holds the list of policies, and a network device enforces them on the web traffic passing through it. The appliances support the modified-proxy approach: to filter web content, the appliance must be paired with an external web content policy server. The figure below shows the interaction between the user, the appliance, the policy server and the external web server. In this example the user sends an HTTP request to an external web server (step 1). In step 2 the appliance does two things:
- It forwards the HTTP request (the URL information) to the web content policy server.
- It forwards the HTTP request to the actual web server.

Figure 3.21: Modified proxy

In step 3 the web content policy server compares the requested URL with its internal policies and returns an action to the appliance. The appliance then enforces that action on the returning traffic (step 4). If the policy server says the traffic is to be denied, the appliance drops the returning web traffic; if the policy server allows it, the appliance forwards the returning traffic to the internal user (step 5). As you can see from this explanation, the appliance does not actually filter the connection itself. The process basically gives the policy server time to return an action to the appliance before the external web server replies to the user, so there is very little delay in the user's traffic flow. Unlike an application proxy, the appliance does not proxy the connection: it lets it go out and enforces the policy on the returning traffic, which is far more CPU- and memory-friendly than a true application proxy. However, if the policy server is handling thousands of requests, users may experience delays in their traffic flow. Cisco supports a limited form of load balancing to spread policy lookups across multiple web content policy servers.
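As an added example (not from the page), this is how the modified-proxy arrangement described above is configured on the appliance with an external Websense policy server. The server address 192.168.1.50, the exempt host 192.168.1.10 and the interface name inside are assumptions.

```cisco
! Added example, not the page's own configuration. Assumed: policy server
! 192.168.1.50 off the inside interface, exempt host 192.168.1.10.

! Define the policy server; "vendor websense" selects that vendor's
! protocol, version 4 of which runs over TCP
url-server (inside) vendor websense host 192.168.1.50 timeout 30 protocol TCP version 4 connections 5

! Send every HTTP request (port 80, any source, any destination) to the
! policy server for a verdict. "allow" lets web traffic through when the
! server is unreachable; without it the ASA fails closed and blocks HTTP
filter url http 0 0 0 0 allow

! Hosts that bypass the lookup entirely (here an assumed monitoring station)
filter url except 192.168.1.10 255.255.255.255 0 0

! Verification: server status and lookup counters
show url-server
show url-server statistics
```

Whether to use the allow keyword is a policy decision: failing open keeps users working during a policy-server outage, failing closed keeps the filtering guarantee.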
3.6.3 Web caching

Web caching is used to reduce latency and the amount of traffic when downloading web content. Assuming a web cache server is deployed, when a user accesses a web page the content is downloaded and stored on the cache server. Later requests for the same content are served from the local cache server instead of downloading the content from the origin server again. The Web Cache Communication Protocol (WCCP) lets the security appliance interact with external web cache and/or filtering servers.

The WCCP process

To understand the benefits WCCP provides, let us walk through the process the appliance goes through when using WCCP:
1. The user opens a web page, and the connection (or connections) makes its way to the appliance.
2. The appliance intercepts the web request, encapsulates it in a Generic Routing Encapsulation (GRE) packet (so that intermediate devices cannot alter it) and forwards it to the web cache server.
3. If the content is stored on the cache server and matches the request, the server replies with the content directly to the user.
4. If the content is not stored on the cache server, the request is sent back to the appliance, and the appliance allows the connection between the user and the origin web server.

For step 3, during the redirection the appliance does not add the connection to its connection table, so it performs no TCP state tracking, does not randomize the TCP sequence numbers in the TCP header and does not perform the cut-through proxy.

Some benefits of WCCP:
- Users do not have to change their web browser settings.
- The web cache server can optionally perform content filtering.
- Bandwidth is optimized when the content a user requests was previously stored on the web cache server.
- The web cache server can log and report users' web requests for you.

Cisco created the protocol, and it has two versions, 1 and 2. Some of the improvements in WCCPv2 are support for protocols other than HTTP, multicasting of requests to the web cache servers, multiple cache servers, load distribution across multiple cache servers, MD5 authentication of the information exchanged between the redirector and the web cache servers, and more. Of the two versions, the appliances support only WCCPv2; some of its features, such as WCCP multicasting, are however not supported by the appliances.

Configuring WCCP

WCCP support is new in version 7.2 of the appliance operating system. Enabling WCCP redirection of users' web requests is a two-step process:
- Define a WCCP server group
- Enable WCCP on an interface

The next two subsections discuss the configuration of these two steps.

Defining a WCCP server group

To define a WCCP server group (the web cache servers), use the following command:

    ciscoasa(config)# wccp {web-cache | service_number} [redirect-list ACL_ID] [group-list ACL_ID] [password password]

The web-cache parameter makes the appliance intercept TCP port 80 connections and redirect the traffic to the web cache servers. You can redirect other protocols, such as FTP, by specifying a service number in the range 0-254; for example, service 60 represents FTP. The redirect-list parameter controls what traffic is redirected to the service group (defined in an ACL), and the group-list parameter specifies the IP addresses of the web cache servers (defined in a standard ACL). The password parameter defines the MD5 key used to generate and validate the MD5 authentication signatures used by the web cache servers.

Enabling WCCP redirection on an interface

The second step is to enable WCCP redirection on the interface connected to the users and the web cache servers:

    ciscoasa(config)# wccp interface logical_if_name {web-cache | service_number} redirect in

This command must be entered once for each service number.

Verifying WCCP

To verify the operation of WCCP, use the following command:

    ciscoasa# show wccp {web-cache | service_number} [detail] [view]

The detail parameter displays information about all the routers/web cache servers; the view parameter displays the other members of a particular server group, whether or not they have been detected.

    ciscoasa# show wccp
    Global WCCP information:
        Router information:
            Router Identifier:                   -not yet determined-
            Protocol Version:                    2.0
        Service Identifier: web-cache
            Number of Cache Engines:             0
            Number of routers:                   0
            Total Packets Redirected:            0
            Redirect access-list:                web-traffic-list
            Total Connections Denied Redirect:   0
            Total Packets Unassigned:            0
            Group access-list:                   server-list
            Total Messages Denied to Group:      0
            Total Authentication failures:       0
            Total Bypassed Packets Received:     0
A WCCP configuration example

To see an illustration of configuring and using WCCP, examine the network in the figure below. Note that the users and the web cache server are located off the same interface of the appliance. Here is the appliance configuration for WCCP:

    ciscoasa(config)# wccp web-cache password myMD5password
    ciscoasa(config)# wccp interface inside web-cache redirect in

As you can see, the configuration is very simple.

Figure 3.22: WCCP configuration example

3.7 Creating security policies on the ASA

Policies and protocols: the Modular Policy Framework

This section introduces the Cisco Modular Policy Framework (MPF) on the Cisco security appliances. MPF was actually ported from Cisco IOS switches and routers and added in version 7.0. Obviously many similarities exist in the operation and use of MPF on both platforms; there are differences, however, since on the appliances MPF is primarily used to implement security functions. The topics covered in this chapter are:
- An introduction to MPF on the appliances
- How class maps are used to classify traffic
- How policy maps are used to associate policies with class maps
- How service policies are used to activate policy maps

This chapter gives an overview of MPF and of how MPF is implemented in general. Later chapters focus on how MPF is implemented for the various protocols and applications and on some of the advanced security capabilities MPF provides, and give you an overview of policies and protocols.

Overview of MPF

MPF is a feature ported from IOS that makes it easier to implement consistent and flexible policies on the security appliances. One or more policies can be applied to traffic flowing through the appliance. Below we discuss the policies the appliances support and the components used to implement MPF.

MPF policies

MPF lets you assign one or more policies to a class of traffic. The policies you can apply to traffic include:
- Connection inspection: you control what traffic is added to the state table (allowing the returning traffic back to the source), and you can inspect the payload of applications to check for translation, connection and security issues.
- Connection limits: you can limit the number of complete and half-open (embryonic) connections per group, per user or per host, control the idle timeouts for connections in the state table, and set other connection-control parameters.
- Traffic prioritization: you can implement low-latency queuing (LLQ) to give delay-sensitive, high-priority traffic such as voice precedence over normal data traffic.
- Traffic policing: you can rate-limit traffic in the inbound and outbound directions on an interface to ensure that the excessive bandwidth demands of one type of traffic or application do not affect other traffic flowing through the appliance.
- Intrusion prevention system (IPS): if you have an AIP-SSM card installed in an ASA, you can define policies that copy packets or redirect packets to the AIP-SSM card to look for and stop attacks.
- Anti-X: if you have a CSC-SSM card installed in an ASA, you can define policies that redirect traffic through the card to look for viruses, malware, spyware, phishing and other kinds of problems with web, FTP and e-mail applications.

Why MPF is needed

You saw many reasons in the last section why you might want to use MPF. However, one item, application inspection, deserves a closer look to show some of the advantages MPF provides. The next three parts discuss the problems certain applications and/or protocols can have and what MPF can do with application inspection to address them. The rest of Part III goes into detail on the many applications and protocols the appliances can inspect; the following parts concentrate on a few simple examples.

Security weaknesses in applications

Many applications have become notorious for their security weaknesses. E-mail and web applications are well known for this, as are Microsoft Exchange and IIS, the Apache web server and Sendmail. Sendmail and Exchange use the SMTP protocol to implement an e-mail solution over TCP/IP. One of the many e-mail-related security weaknesses has to do with the commands SMTP supports for interaction between devices. You will want either to configure your SMTP-based e-mail package to disable unnecessary commands, or to use a more centralized solution, such as the security appliance, to filter out unnecessary and unwanted commands. Two notorious e-mail commands are debug and wiz. Likewise, even legitimate commands can cause problems for e-mail: for example, you would not want someone to use legitimate e-mail commands to harvest your e-mail directory and then use the learned addresses for a spam attack.

MPF components

Now that you understand some of the policies MPF can implement and why MPF is needed, let us discuss the components that make up MPF. An MPF implementation has three components:
- Class maps: classify and/or identify the traffic you want to associate one or more policies with.
- Policy maps: associate one or more policies with a class of traffic in your class maps.
- Service policies: activate the policies in your policy maps, either on a specific interface or on all interfaces of the appliance.

To help understand the MPF components and how they interact, consider an example with four policies. First, all Internet traffic entering the outside interface of the appliance is processed by the IPS card; assuming the IPS card does not drop it, the traffic comes back from the card, the appliance performs application-layer inspection on it, and the valid connections are added to the internal table. Second, remote-access (RA) IPsec users have rate limiting (policing) applied to their traffic on the outside interface. Third, voice traffic is prioritized and sent out the inside interface ahead of the other traffic types. Fourth, normal data traffic is inspected on all interfaces and added to the internal table as necessary.

Class maps
Class maps identify the traffic you want to assign one or more policies to. The types of class maps are:
- Layer 3/4: classifies traffic based on information the appliance sees in the layer 3 and/or layer 4 headers of a packet, such as web traffic (TCP port 80) sent to a DMZ web server with the IP address 192.168.1.1.
- Layer 7 inspection: classifies traffic based on information in the application payload of a packet, such as someone executing a put command on an FTP control connection, or a URL exceeding a certain length on a web connection; these classifications require the appliance to examine the payload in depth.
- Regular expressions: classifies traffic based on regular-expression strings found in the layer 7 application payload of packets. For example, you might want to find a URL that starts with "http://" and contains "cisco.com/".
- Management: where the other class map types identify user traffic flowing through the appliance, management class maps classify management traffic to or from the appliance.

When using class maps you are required to use a layer 3/4 class map to identify the device and service, such as a specific FTP server. Optionally, you can further qualify the traffic with other class maps, such as a class map that examines the payload for a specific regular-expression string in a file name or for an FTP command being executed.

Layer 3/4 class maps

Here is the syntax for creating a layer 3/4 class map:

    ciscoasa(config)# class-map class_map_name
    ciscoasa(config-cmap)# description class_map_description
    ciscoasa(config-cmap)# match any
    ciscoasa(config-cmap)# match access-list ACL_ID
    ciscoasa(config-cmap)# match port {tcp | udp} {eq port_# | range port_# port_#}
    ciscoasa(config-cmap)# match default-inspection-traffic
    ciscoasa(config-cmap)# match dscp value1 [value2] [...] [value8]
    ciscoasa(config-cmap)# match precedence value1 [value2] [...] [value8]
    ciscoasa(config-cmap)# match rtp start_port_# end_port_#
    ciscoasa(config-cmap)# match tunnel-group tunnel_group_name
    ciscoasa(config-cmap)# match flow ip destination-address
    ciscoasa# show run class-map [class_map_name]

The class-map command creates the class map and requires a name for the class. The match commands describe the traffic to be included in the class map; the following table explains the parameters of these commands.

Table 3.1: Parameters of the match command

The default class map

When you boot an appliance with no configuration, you will see certain default settings configured on it. One of these defaults concerns MPF: a default class map is already configured:

    ciscoasa# show run class-map
    class-map inspection_default
     match default-inspection-traffic
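An added example (not from the page) showing the three MPF components working together on one class of traffic: a layer 3/4 class map, a policy map that applies inspection and connection limits to that class, and the service policy that activates it on an interface. The server address 192.168.1.1 is the one used earlier in this section; the ACL and map names and the limit values are assumptions.

```cisco
! Added example, not the page's own configuration. Assumed: ACL name
! WEB-TRAFFIC, class map WEB-SERVER, policy map WEB-POLICY, the limits.

! 1. Layer 3/4 class map: HTTP to the DMZ web server 192.168.1.1
access-list WEB-TRAFFIC extended permit tcp any host 192.168.1.1 eq www
class-map WEB-SERVER
 description HTTP to the DMZ web server
 match access-list WEB-TRAFFIC

! 2. Policy map: bind policies to that class. HTTP inspection checks the
!    application payload; the embryonic (half-open) limit caps the number
!    of unfinished TCP handshakes the server can be flooded with
policy-map WEB-POLICY
 class WEB-SERVER
  inspect http
  set connection conn-max 2000 embryonic-conn-max 500

! 3. Service policy: activate the policy map on the outside interface.
!    The default global_policy (with the inspection_default class shown
!    above) keeps applying to all interfaces; only one interface policy
!    may exist per interface
service-policy WEB-POLICY interface outside

! Verification
show run class-map
show run policy-map WEB-POLICY
show service-policy interface outside
```

The interface-level policy is evaluated before the global one for traffic matching both, which is why a server-specific limit belongs on the interface policy rather than in global_policy.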

Table 3.2: match commands for default inspection traffic

3.8 Advanced ASA functions

Configuring firewall failover

LAN failover link

As shown in the example network above, there is a physical LAN connection between the two firewalls. This is a mandatory requirement for the failover function. One Ethernet interface must be reserved for the LAN failover link. This link can be an Ethernet crossover cable connected directly between the two firewalls.
Configuring Active/Standby stateful failover

Figure 3.23: Active/Standby stateful failover model

Step 1: Prepare the Active firewall
Choose one of the firewalls to act as the Active unit. Connect a network cable to each interface you will use on the Active firewall and connect it to a switch. The Standby firewall must stay disconnected for now. Set the interfaces of the Active firewall to a fixed speed, for example with the speed 100 and duplex full commands in interface configuration mode. Likewise, enable PortFast on the switch ports connected to the firewall interfaces. Reserve two IP addresses for each firewall interface and decide which one is assigned to the Active unit and which to the Standby unit; the two IP addresses for each interface must be in the same subnet. For example, in the network model above, assume that on the inside interface we use 192.168.1.1/24 for the Active firewall and 192.168.1.2 for the Standby firewall. Likewise, the outside interface will be 100.100.100.1 for Active and 100.100.100.2 for Standby. Also choose a subnet for the LAN failover link (interface G0/2 in the example above); assume 192.169.99.0/24.

Step 2: Configure the LAN failover link on the Active firewall
In the topology above we use the Gigabit Ethernet port G0/2 as the LAN failover link. The syntax is as follows:

Example configuration:

Step 3: Configure the IP addresses of the Active firewall's interfaces

Step 4: Configure interface monitoring on the Active firewall
One of the events that triggers failover is a failure on a firewall interface. We need to specify which interfaces are to be monitored so that the unit switches to standby when such an interface fails. In the example we monitor both inside and outside.

Step 5: Configure the LAN failover link on the Standby firewall
Once the Active firewall is configured, we need to configure the Standby firewall. The only configuration required on the Standby firewall is the LAN failover link. Power on the Standby firewall and connect its interfaces to the corresponding switches, but do not connect the LAN failover link between the two firewalls yet. Connect only by console cable and configure as follows:

Note that the only difference between the two firewalls is the word secondary. Although we are configuring the Standby firewall, the IP address configuration must be the same as on the Active firewall.
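Steps 2 to 5 above as one complete configuration for both units, added here as an example (not the page's own configuration) using the addresses given in step 1. Assumptions: the outside interface is GigabitEthernet0/0 and the inside interface GigabitEthernet0/1, the failover link interface is named FOLINK with 192.169.99.1 and 192.169.99.2 as its active and standby addresses, and the shared key is a placeholder.

```cisco
! Added example, not the original document's configuration. Page
! addresses: inside 192.168.1.1/.2, outside 100.100.100.1/.2, failover
! subnet 192.169.99.0/24. Assumed: outside = GigabitEthernet0/0,
! inside = GigabitEthernet0/1, link name FOLINK (192.169.99.1/.2),
! placeholder key.

! ===== Active (primary) unit =====
! Step 2: LAN failover link on G0/2
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 192.169.99.1 255.255.255.0 standby 192.169.99.2
! Authenticates and encrypts the failover messages on the link
failover key ASSUMED-FAILOVER-KEY
! Stateful failover: replicate the connection table over the same link
failover link FOLINK
interface GigabitEthernet0/2
 no shutdown

! Step 3: data interfaces at fixed speed/duplex, each with an active and
! a standby address (the standby unit takes the standby address)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 speed 100
 duplex full
 ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 speed 100
 duplex full
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown

! Step 4: interfaces whose failure triggers a switchover
monitor-interface inside
monitor-interface outside

! Turn failover on and save
failover
write memory

! ===== Standby (secondary) unit, entered over the console =====
! Step 5: identical link settings; only the unit role differs
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 192.169.99.1 255.255.255.0 standby 192.169.99.2
failover key ASSUMED-FAILOVER-KEY
interface GigabitEthernet0/2
 no shutdown
failover
write memory
! After step 6 (cable the link, reload the secondary) the active unit
! pushes its configuration across; confirm on either unit with:
! show failover
```

Without failover key the replication traffic, including the configuration with its passwords, crosses the failover link in clear text, which is why the key belongs in the configuration even on a directly cabled link.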

Step 6: Reboot the Standby firewall
Use the write memory command to save the Standby firewall's configuration. Connect the LAN failover link between the two firewalls and reboot the Standby firewall. After the Standby firewall boots, the configuration of the Active firewall is replicated to it. The following messages appear on the Active firewall:

We now need to run write memory on the Active firewall to save the whole configuration on both the Active and the Standby firewall. From now on, any further configuration is made only on the Active firewall and is replicated automatically to the Standby firewall; write memory on the Active firewall saves the configuration of both units. Finally, use show failover to check that the failover mechanism really works as expected.

3.9 Authentication, Authorization and Accounting (AAA)

AAA is the access-control mechanism used by network devices to control access to the network. Authentication is the most common mechanism, used to determine who a user is. Authorization is used to grant the user permission for what they can do in the network. Accounting is used to record what users do in the system, tracking what they are performing. In this section we concentrate mostly on authentication using an AAA server such as the Cisco Access Control Server.

The Cisco ASA has three kinds of authentication:
- Authentication of users accessing the ASA firewall itself
- Authentication of users accessing HTTP, HTTPS, Telnet and FTP through the ASA; this method is called cut-through proxy
- Authentication of remote-access users connecting through an IPsec or SSL VPN tunnel (tunnel access authentication)

The ASA firewall uses an external AAA server. As mentioned above, the AAA server is the Cisco Secure ACS (Access Control Server). This server provides two authentication protocols, RADIUS and TACACS+. An AAA server provides a centralized solution by offering the authentication service to all devices in the network (firewalls, routers, switches and so on). The biggest benefit of an AAA server is that you can keep a central username/password database, so you do not need to configure local usernames and passwords on every network device; this minimizes administrative cost and strengthens the security and authentication policy across the whole system.

Figure 3.24: ASA authentication model

In the model above, the administrator's workstation can reach the firewall over the console cable or by using SSH, Telnet or HTTP. Before granting access, the ASA asks the admin user to authenticate. The administrator supplies a username/password and the ASA sends this information to the AAA server for authentication. If the authentication is valid, the AAA server replies with Access-Accept and the ASA lets the admin user in.

Note: before the ASA firewall can authenticate Telnet, SSH or HTTP, you first need to configure the ASA to permit those management protocols with the telnet, ssh and http commands. Example configuration:

SSH access can be used on all interfaces of the ASA firewall (inside, outside, dmz). Telnet access is only permitted on the inside interface.

Configuring authentication with an external AAA server

First define the AAA server group:

Then specify the authentication server. You need to define the IP address of the AAA server and the pre-shared key; the same key must also be configured on the AAA server:

Configure the ASA firewall to require authentication from the AAA server:

Example:
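An added example (not the page's own configuration) of the three steps just described: permitting the management protocols, defining the AAA server group and host, and requiring authentication for each access method. The ACS address 192.168.1.50, the management subnet 192.168.1.0/24, the remote administration network 203.0.113.0/24, the group name ACS-GROUP and the keys are assumptions.

```cisco
! Added example, not the page's own configuration. Assumed: ACS at
! 192.168.1.50 off the inside interface, admin subnet 192.168.1.0/24,
! remote admin network 203.0.113.0/24, group name ACS-GROUP, keys.

! Management protocols must be permitted before authentication applies;
! SSH may be allowed on any interface, Telnet only on inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 203.0.113.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
http server enable
http 192.168.1.0 255.255.255.0 inside

! AAA server group (TACACS+ here; "protocol radius" is the alternative)
! and the server itself with the pre-shared key
aaa-server ACS-GROUP protocol tacacs+
aaa-server ACS-GROUP (inside) host 192.168.1.50
 key ASSUMED-SHARED-KEY
 timeout 5

! Local account used only when every server in the group is unreachable
username admin password ASSUMED-LOCAL-PASS privilege 15

! Require authentication per access method. LOCAL at the end is the
! fallback: it is consulted when the ACS servers do not answer, not when
! they reject the credentials
aaa authentication ssh console ACS-GROUP LOCAL
aaa authentication telnet console ACS-GROUP LOCAL
aaa authentication http console ACS-GROUP LOCAL
aaa authentication serial console ACS-GROUP LOCAL
aaa authentication enable console ACS-GROUP LOCAL

! Verification: server state and a live test against the group
show aaa-server ACS-GROUP
test aaa-server authentication ACS-GROUP host 192.168.1.50 username admin password ASSUMED-LOCAL-PASS
```

Run the test aaa-server command from the console before closing your SSH session: if the group is mistyped or the key does not match, every remote login will fail and only the console (or the LOCAL fallback) gets you back in.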

Note: Cisco recommends also using local authentication on the ASA. This means that if the AAA server fails for any reason, the ASA firewall falls back to the local username/password as a secondary authentication method.

Cut-through proxy authentication for Telnet, FTP and HTTP(S) connections

The ASA's cut-through proxy feature lets the ASA identify users when they access Telnet, FTP or HTTP services. The ASA firewall first intercepts the Telnet, FTP or HTTP session and authenticates the user with the AAA server. If authentication succeeds, the user's session is forwarded to the destination server.

Figure 3.25: Cut-through proxy authentication for Telnet, FTP and HTTP(S) connections

In the model above, the web server (10.0.0.1) in the DMZ is statically NATed to 50.1.1.1 on the outside. Likewise, the FTP server (10.0.0.2) is NATed to 50.1.1.2 on the outside. When an external Internet user tries to access the web server or the FTP server, the ASA presents an authentication prompt to the user. After the user enters their credentials, the ASA queries the AAA server for authentication. If authentication succeeds, the user's session is forwarded by the ASA to the destination server.

When using cut-through proxy, make sure the inbound ACL permits the connection in the first place. If the inbound ACL denies the connections from outside, the cut-through proxy never takes place.

Configuring cut-through proxy authentication with an external AAA server

First specify the AAA server group:

Then specify the authentication server. You need to define the IP address of the AAA server and the pre-shared key; the same key must also be configured on the AAA server:

Enable cut-through proxy authentication by specifying which traffic must authenticate:

Example:
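An added example (not the page's own configuration) for the scenario of Figure 3.25: cut-through proxy for HTTP and FTP from the Internet to the DMZ servers. The addresses 10.0.0.1/50.1.1.1 and 10.0.0.2/50.1.1.2 are the page's; the ACS address 192.168.1.50, the group name ACS-GROUP, the ACL names and the key are assumptions, and NAT uses the pre-8.3 static syntax the page uses.

```cisco
! Added example, not the page's own configuration. Page addresses:
! web 10.0.0.1 -> 50.1.1.1, FTP 10.0.0.2 -> 50.1.1.2. Assumed: ACS at
! 192.168.1.50 (inside), group ACS-GROUP, ACL names, key.

aaa-server ACS-GROUP protocol tacacs+
aaa-server ACS-GROUP (inside) host 192.168.1.50
 key ASSUMED-SHARED-KEY

! Static NAT for the two published servers (pre-8.3 syntax)
static (dmz,outside) 50.1.1.1 10.0.0.1 netmask 255.255.255.255
static (dmz,outside) 50.1.1.2 10.0.0.2 netmask 255.255.255.255

! The inbound ACL must permit the connections first, otherwise the
! cut-through proxy never sees them; pre-8.3, the outside ACL matches
! the translated (public) addresses
access-list OUTSIDE-IN extended permit tcp any host 50.1.1.1 eq www
access-list OUTSIDE-IN extended permit tcp any host 50.1.1.2 eq ftp
access-group OUTSIDE-IN in interface outside

! Which of the permitted traffic must authenticate: the same HTTP and
! FTP sessions, matched by a separate ACL
access-list AUTH-TRAFFIC extended permit tcp any host 50.1.1.1 eq www
access-list AUTH-TRAFFIC extended permit tcp any host 50.1.1.2 eq ftp
aaa authentication match AUTH-TRAFFIC outside ACS-GROUP

! An authenticated user's sessions are remembered for 15 minutes of
! inactivity before the prompt is shown again
timeout uauth 0:15:00 inactivity

! Verification: currently authenticated users
show uauth
```

The two ACLs deliberately differ in role: OUTSIDE-IN decides what may enter at all, AUTH-TRAFFIC only decides which of that traffic is intercepted for authentication, so a permit that appears in the second list but not the first is never reached.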

3.10 Routing protocols on the ASA

First you need to know that the ASA firewall does not have the full functionality of a router. It does, however, have a routing table, which it uses to decide the best path to the destination network. If a packet then satisfies the firewall rules, it is routed by the firewall to its destination. The Cisco ASA firewall provides both static and dynamic routing; the three dynamic routing protocols are RIP, EIGRP and OSPF. Cisco recommends using static routing on the ASA firewall rather than dynamic routing, because dynamic routing gives an attacker the opportunity to learn the layout of our local network infrastructure: if dynamic routing is not configured carefully, the local subnets may be advertised out to the untrusted network. There are cases, however, where dynamic routing is necessary, such as in a large network where the ASA firewall sits between the local network and the data center. In such cases we benefit from dynamic routing because we do not have to configure dozens of static routes, and we do not have to worry about exposing the subnets to the untrusted network (because the ASA sits deep inside the campus network).

Note: for a small network, static routing is all you need. Use a default static route to push all traffic out to the Internet, and use static routes when more than one network is not directly connected. Any network directly connected to the ASA needs no static route at all, because the ASA firewall already knows it. If the ASA is connected to an edge router (between the trusted and untrusted networks), configure it to send all traffic out the outside interface (the untrusted network) and then configure static routes towards the internal networks. If the ASA sits deep inside a campus network with many internal networks, dynamic routing should be configured instead of static routing.

There are three kinds of static routes:
- Directly connected
- Regular static routes
- Default routes

Directly connected routes
Directly connected routes are created automatically in the ASA's routing table when you configure an IP address on an ASA interface. For example, if you configure the IP address 192.168.1.10/24 on the inside interface of the ASA, the route 192.168.1.0 255.255.255.0 is automatically created in the routing table.

Regular static routes and default routes

Figure 3.26: Static routing

Configuring a static route on the ASA amounts to telling the firewall how to send a packet to its destination along a given path. Use the route command to create a static route or a default route. The format of the command is as follows:

- [interface-name]: the interface out of which the packet is sent
- [destination-network] [netmask]: the destination network and subnet mask we want the packet to reach
- [gateway]: the next network device to which the ASA sends the packet

Example:

For a default route, which is usually used to push traffic out to the Internet, set the network/netmask to 0.0.0.0 0.0.0.0. All traffic the ASA does not know how to route is then sent to 100.1.1.1. Use show route to check the routing table.

Static route tracking

When you configure a static route on the ASA, the route stays in the routing table permanently. The only way a static route is removed from the routing table is when a physical interface goes down. In all other cases, such as the remote default gateway going down, the ASA keeps sending packets to that gateway without knowing it is down. Starting with ASA version 7.2, the static route tracking feature was introduced. The ASA monitors the availability of a static route by sending ICMP echo packets along the static route and waiting for the replies. If the primary route fails, the second route is used instead. This feature is useful when you want to build ISP link redundancy.

Page 103

Tm hiu Firewall trn cng ngh Cisco v demo mt s ng dng thc tin

Hnh 3.26 nh tuyn tnh Trong h thng mng trn Eth0/0 (outside) c kt ni n Primary ISP v Eth0/1 (backup) c kt ni n Secondary ISP. Hai nh tuyn mc nh (default route) s c cu hnh (mi ci cho mt ISP) v ng thi s dng tnh nng Tracking. Tuyn ng cho Primary ISP s c kim tra bng vic s dng gi ICMP Echo Request. Nu gi tin echo reply khng c nhn trong mt khong thi gian nh sn th tuyn ng tnh th 2 s c s dng l Secondary ISP. Tuy nhin ch rng m hnh mng trn ch ph hp cho giao tip outbound (T mng cc b LAN ra Internet)

Cu hnh Static Route Tracking S dng cu lnh sla monitor ch nh giao thc gim st (v d nh ICMP), a ch cn kim sot (v d nh Gateway Router ca nh cung cp dch v) v thi gian ti a cho vic kim sot tracking

S dng cu lnh sla monitor schedule lit k qua trnh gim st (thng qu trnh gim st ny c thit lp l mi mi (forever) nhng qung thi gian v thi im bt u c th ty chnh c)

nh ngha tuyn ng tnh chnh (primary static route) kim sot bng cch s dng cu lnh route theo sau vi ty chn track

nh ngha backup static route v thit lp metric cao hn primary static route

V d cu hnh:
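The following configuration is an added example written for this section; it is not the thesis's own configuration or Cisco reference material. It builds the topology just described: a plain static route, then the tracked primary default route via 100.1.1.1 on the outside interface and a backup default route on the backup interface. The interface names outside, backup and inside and the gateway 100.1.1.1 follow the text; the secondary ISP gateway 200.1.1.1, the inside next hop 192.168.1.254, the SLA and track numbers and the probe timers are assumed values.

```cisco
! Added example, not the thesis's own configuration.
! Assumed: 200.1.1.1 (secondary ISP gateway), 192.168.1.254 (inside next hop),
! SLA id 100, track id 1, probe timers.

! Directly connected routes appear on their own once the interfaces have addresses.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.1.1.2 255.255.255.0
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 200.1.1.2 255.255.255.0
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0

! Ordinary static route: route <interface> <network> <mask> <gateway> [metric]
route inside 10.1.0.0 255.255.0.0 192.168.1.254 1

! SLA monitor: ICMP echo to the primary ISP gateway out of the outside interface,
! three probes per operation every 10 seconds, a probe fails after 1000 ms without reply.
sla monitor 100
 type echo protocol ipIcmpEcho 100.1.1.1 interface outside
 num-packets 3
 frequency 10
 timeout 1000
! Run the monitor indefinitely, starting now
sla monitor schedule 100 life forever start-time now

! Track object 1 mirrors the reachability result of SLA operation 100
track 1 rtr 100 reachability

! Primary default route (metric 1): installed only while track 1 is up
route outside 0.0.0.0 0.0.0.0 100.1.1.1 1 track 1
! Backup default route with a worse metric; used only while the primary is withdrawn
route backup 0.0.0.0 0.0.0.0 200.1.1.1 254

! Verification
show route
show sla monitor operational-state 100
show track 1
```

While the probes to 100.1.1.1 are answered, show route lists only the primary default route; when they stop being answered the track object goes down, the primary route is withdrawn and the metric-254 route via the backup interface appears in its place. Because the probe targets the ISP gateway itself, a failure further upstream is not detected; monitoring an address beyond the gateway is the usual way to cover that case.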

Dynamic routing with RIP

RIP is one of the oldest dynamic routing protocols. Although it is not used in many modern networks, it is still found in some cases. ASA version 7.x could only run RIP to advertise a default route; it could not receive RIP advertisements from neighbouring routers and re-advertise those routes to other routers. From ASA version 8.x the ASA fully supports RIP, both v1 and v2. Using RIPv1 is not recommended, however, because it does not support authentication of routing updates.

Configuring RIP

RIP configuration on the ASA is similar to that on a Cisco router. RIP is configured with the router rip command.

The no auto-summarize command only applies to RIPv2. It disables automatic summarisation of IP networks. For example, if you have the route 10.1.3.0/24 and want to advertise it through RIP, by default the ASA summarises it to 10.0.0.0/8. Use no auto-summarize to advertise the route as 10.1.3.0/24. RIP authentication is configured on the interface as follows:

The diagram below is an example of RIP in a network with several routers.

Figure 3.28: RIP in a network with several routers

Assume the ASA sits between the Campus network and the Data Center network. All neighbouring routers on the Inside network run RIP.
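The following is an added example (not the thesis's or Cisco's own configuration) of RIPv2 on the ASA for the Campus/Data Center layout above: MD5 authentication on the inside interface, summarisation disabled so that the 10.1.3.0/24 route from the text is advertised as-is, and the ASA's default route injected towards the RIP neighbours. Note that the ASA keyword is auto-summary, so the command is entered as no auto-summary. The interface names, addresses, key string and the passive outside interface are assumed.

```cisco
! Added example, not the thesis's own configuration.
! Assumed: interface names and addresses, key string RipKey123, key ID 1.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.3.1 255.255.255.0
 ! RIPv2 MD5 authentication; mode, key and key ID must match the neighbouring routers
 rip authentication mode md5
 rip authentication key RipKey123 key_id 1

router rip
 version 2
 ! Advertise 10.1.3.0/24 as-is instead of collapsing it to 10.0.0.0/8
 no auto-summary
 ! Classful network statement: enables RIP on interfaces inside 10.0.0.0/8
 network 10.0.0.0
 ! Inject our default route to the RIP neighbours on the inside
 default-information originate
 ! Never send RIP updates towards the untrusted side
 passive-interface outside

! Verification
show rip database
show route rip
```

Only RIPv2 carries the authentication data, so version 2 is set explicitly; a neighbour left at the default version mismatch will simply not form a route exchange, which show rip database makes visible.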

OSPF routing

OSPF is a dynamic routing protocol that uses link state rather than distance vector to choose the best path. It scales better than RIP, which is why OSPF is widely used in enterprise networks. OSPF can be very complex. In this section we discuss the parts that are mostly used in practice, covering the features and scenarios most common in real networks. (Note that the ASA does not currently support IPv6 when running OSPF.)

Configuring OSPF

OSPF is configured around areas. To configure OSPF we create an OSPF routing process (up to two processes can be configured on an ASA), specify the IP networks that participate in the routing process, and assign an Area ID to each network. As with RIPv2, we also configure MD5 authentication for OSPF routing updates.

To configure OSPF MD5 authentication you must enable authentication on each Area (within the routing process) and also configure MD5 authentication under the interface configuration.

We will look at the OSPF examples most often used in practice. The first describes a Cisco ASA in an enterprise network acting as an Area Border Router (ABR); the second shows the ASA advertising a default route into the internal network through OSPF.

Example 1: ASA acting as an OSPF ABR

Figure 3.29: ASA acting as an OSPF ABR

In the example above, the ASA sits between the Data Center and the Campus. All routers in the Data Center run OSPF area 0, whereas all routers in the Campus network run OSPF area 1. The ASA acts as the border router. We assume there is no NAT on the ASA (no nat-control). The firewall policy can be tightened further with ACLs on both the Inside and the Outside interface.

Example 2: Advertising a default route into the network

In the example above, the ASA has a default route out towards the Campus network and advertises this default route into the internal network (Data Center). This means that all routers in the internal network (running OSPF area 0) learn the default route and send Internet-bound traffic via the nearest router towards the ASA.
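The following is an added example (not the thesis's or Cisco's own configuration) that combines the two scenarios above: the ASA as ABR between area 0 (Data Center, inside) and area 1 (Campus, outside) with MD5 authentication required in both areas, and the static default route towards the Campus side redistributed into OSPF. The area layout and no nat-control follow the text; the addresses, interface names, process ID and key string are assumed.

```cisco
! Added example, not the thesis's own configuration.
! Assumed: addresses, interface names, OSPF process 1, key OspfKey123.

no nat-control

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
 ! Interface-level MD5 key (ID 1) and authentication mode for the Campus side
 ospf message-digest-key 1 md5 OspfKey123
 ospf authentication message-digest

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
 ! Same key for the Data Center side
 ospf message-digest-key 1 md5 OspfKey123
 ospf authentication message-digest

! Static default route towards the Campus core; redistributed into OSPF below
route outside 0.0.0.0 0.0.0.0 172.16.1.254 1

router ospf 1
 ! Data Center subnet in area 0, Campus subnet in area 1: the ASA becomes an ABR
 network 10.10.1.0 255.255.255.0 area 0
 network 172.16.1.0 255.255.255.0 area 1
 ! Require message-digest authentication on every interface in each area
 area 0 authentication message-digest
 area 1 authentication message-digest
 ! Second scenario: advertise our default route to the OSPF neighbours
 default-information originate
 log-adj-changes

! Verification
show ospf neighbor
show route ospf
```

Both the area-level and the interface-level statements are needed: the area command makes authentication mandatory, the interface commands supply the key that satisfies it. A neighbour with a different key stays out of FULL state, which show ospf neighbor shows immediately.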

Dynamic routing with EIGRP

EIGRP is an enhanced version of IGRP. It is a Cisco proprietary protocol and only runs on Cisco devices. The ASA supports EIGRP from version 8.0 onwards. Although EIGRP is easy to use and flexible, network administrators and designers are often hesitant to use it because of the dependence on one vendor's equipment.

Configuring EIGRP

EIGRP configuration on the ASA is very similar to that on a Cisco router. You simply start the EIGRP process by specifying the autonomous system (AS) number and then configure the network ranges that the ASA will advertise to its neighbouring EIGRP routers.

MD5 authentication of routing updates is also supported under the interface configuration.

Note: all routers must belong to the same autonomous system and share the same MD5 key. [key ID] ranges from 0 to 255.

Configuration example:
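An added example (not the thesis's or Cisco's own configuration) of EIGRP on the ASA with MD5-authenticated updates on the inside interface. AS number 100, the 10.1.1.0/24 network, the interface name and the key string are assumed; the key-id value lies in the 0-255 range noted above.

```cisco
! Added example, not the thesis's own configuration.
! Assumed: AS 100, network 10.1.1.0/24, interface name, key EigrpKey123, key-id 1.

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 ! MD5 authentication of EIGRP updates for AS 100; key and key-id must match the neighbours
 authentication mode eigrp 100 md5
 authentication key eigrp 100 EigrpKey123 key-id 1

! Start the EIGRP process for autonomous system 100
router eigrp 100
 ! Form adjacencies on, and advertise, the inside subnet
 network 10.1.1.0 255.255.255.0

! Verification
show eigrp neighbors
show route eigrp
```

The AS number appears in both interface commands because an interface may carry several EIGRP processes; the authentication settings are bound to the process whose updates they protect.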

CHAPTER 4. VPNs

This chapter covers Virtual Private Networks (VPNs) using the IPsec protocol. IPsec is built into the ASA and is used to connect geographically distant LANs securely over an Internet connection (Site-to-Site VPN) or to let remote users connect to the central network (Remote Access VPN). The chapter concentrates on these two VPN types. Before going into the details of IPsec VPN configuration, we briefly describe how the IPsec protocol works so as to understand VPNs correctly.

4.1 What is IPsec?

IP Security (IPsec) is an open IETF standard that encrypts data in transit. It is a suitable protocol for providing confidentiality, integrity and authentication of data. A VPN is a secure connection, like a private tunnel, across an insecure medium such as the Internet; IPsec is therefore an ideal protocol for building VPNs over the Internet. IPsec works at the network layer, encapsulating and authenticating packets between the ASA and the other devices taking part in the VPN, such as Cisco routers, Cisco firewalls or the VPN Client.

The following IPsec standards and protocols are used:

- ESP (Encapsulating Security Payload): the first of the two main protocols that make up the IPsec standard. It provides integrity, authentication and confidentiality of data. ESP is used to encrypt the payload of IP packets.
- AH (Authentication Header): the second of the two main IPsec protocols. It provides integrity, authentication and anti-replay protection. It does not provide encryption, but acts as a digital signature that guarantees the packet has not been tampered with.
- Internet Key Exchange (IKE): the mechanism the ASA uses to exchange encryption keys securely, authenticate the IPsec peers and negotiate the IPsec parameters.
- DES, 3DES, AES: the encryption mechanisms offered by the ASA firewall. DES is the weakest algorithm (56-bit key) and AES the strongest (128-, 192- or 256-bit keys). 3DES is the middle option, using 168-bit keys.
- DH (Diffie-Hellman group): the public-key protocol IKE uses to establish the session key.
- MD5, SHA-1: the two hash algorithms used to authenticate packets. SHA is stronger than MD5.
- SA (Security Association): an SA is a connection between two IPsec peers. Each peer keeps an SA database in memory holding the SA parameters. An SA is uniquely identified by the peer's IP address, the security protocol and the Security Parameter Index (SPI).

4.2 How IPsec works

There are five main steps:

- Interesting Traffic: the IPsec device recognises the traffic that needs protection.
- Phase 1 (ISAKMP): the IPsec devices negotiate the IKE security policy and set up a secure channel for communication between the IPsec peers.
- Phase 2 (IPsec): the IPsec devices negotiate the IPsec security policy used to protect the data.
- Data Transfer: data is transferred securely between the IPsec peers based on the IPsec parameters and keys negotiated in the previous phases.
- IPsec Tunnel Termination: the IPsec SAs are torn down when they time out.

4.3 Connection types

4.3.1 Site-to-Site IPsec VPN

Figure 4.1: Site-to-site topology

A Site-to-Site IPsec VPN is sometimes called LAN-to-LAN. As the name says, this VPN type connects two physically distant LANs over the Internet. The LANs normally use private addressing, as shown in the figure above; without the VPN connection the two LANs could not communicate. By configuring a Site-to-Site IPsec VPN between the two ASA firewalls we establish a secure tunnel across the Internet and push the LAN traffic into it. As a result, hosts in 192.168.1.0/24 can reach hosts in 192.168.2.0/24 directly and vice versa. The IPsec tunnel is established between the two public IP addresses of the ASA firewalls, 100.100.100.1 and 200.200.200.1.

4.3.2 Remote Access VPN

Figure 4.2: Remote Access VPN topology

The second type of IPsec VPN we discuss is the Remote Access VPN. A remote user accessing the LAN must use the Cisco VPN Client. This VPN type lets the remote user establish a secure IPsec VPN connection over the Internet to the company LAN. The Cisco VPN Client software must be installed on the user's computer; it establishes the connection to the company LAN. Once the VPN is established between the remote user and the ASA firewall, the user is assigned a private IP address from a predefined pool and is then allowed into the LAN.

In the topology above, the ASA firewall protects the Corporate LAN and the remote user with the VPN Client establishes a secure connection to the ASA. Addresses from 192.168.20.0/24 are assigned to VPN clients for communication with the internal corporate network 192.168.1.0/24. Once the Remote Access VPN is up, by default the remote user can reach nothing on the Internet except the Corporate LAN; this is handled by configuring split tunneling on the ASA.

4.4 Configuration guide

4.4.1 Site-to-Site IPsec VPN

(Figure 4.1)

Step 1: Configure the interesting traffic

First we define the traffic we care about, which is the traffic that will be encrypted. With an ACL we identify which traffic the ASA should handle. In the figure above we want all traffic between 192.168.1.0/24 and 192.168.2.0/24 to be encrypted.

An important point to consider is the case where NAT is used on the firewall for ordinary Internet access. Because IPsec does not work through NAT, the IPsec traffic must be exempted from NAT; NAT 0 is used for this.

Step 2: Configure Phase 1 (ISAKMP)

Phase 1 establishes the secure communication channel used for data transfer. In Phase 1 the VPN peers exchange secret keys, authenticate each other and negotiate the IKE security policy. In this phase we configure the isakmp policy, which must match the policy configured on the other peer. The isakmp policy tells the peers which security parameters to use in the VPN (encryption algorithm, hash algorithm, authentication method, DH group, lifetime), as follows:

Several ISAKMP policies can be configured to meet different requirements from different peers. The priority number uniquely identifies each policy. The following parameters can be used to create a strong ISAKMP policy:

- Encryption: AES
- Hash: SHA
- Authentication: pre-share
- Group: 2 or 5
- Lifetime: 3600 (the SA expires and is renegotiated after one hour)

Next we define the pre-shared key and the VPN type (Site-to-Site, Remote Access or WebVPN). This is configured with the tunnel-group command.

Configuration:

Step 3: Configure Phase 2 (IPsec)

Once the secure tunnel is established in Phase 1, the next step is to negotiate the IPsec security parameters that will protect the data inside the tunnel. This is done in IPsec Phase 2, which performs the following:

- negotiates the IPsec security parameters and IPsec transform sets
- establishes the IPsec SAs
- periodically renegotiates the IPsec SAs to maintain security

The goal of IKE Phase 2 is to set up the IPsec session securely between the peers. Before that happens, each side negotiates the level of security (encryption and authentication algorithms for the session). The protocols are grouped into sets called transform sets. The IPsec transform set is exchanged between the peers and must match on both sides for the session to be established. The command format for configuring a transform set is:

The following transforms (protocols/algorithms) can be used as transform1 and transform2:

Transform          Description
esp-des            ESP transform using 56-bit DES
esp-3des           ESP transform using 168-bit 3DES
esp-aes            ESP transform using AES-128
esp-aes-192        ESP transform using AES-192
esp-aes-256        ESP transform using AES-256
esp-md5-hmac       ESP transform using HMAC-MD5 for authentication
esp-sha-hmac       ESP transform using HMAC-SHA for authentication
esp-none           ESP with no authentication
esp-null           ESP with no encryption

Table 4.1: Transforms

Some useful notes when choosing transform protocols: for confidentiality (encryption) use an ESP encryption transform, such as the first five ESP entries in the table; for authentication use MD5-HMAC or SHA-HMAC. SHA is stronger than MD5 but slower.

After configuring the transform set on both IPsec peers, we configure the crypto map, which holds all the IPsec Phase 2 parameters. The crypto map is then applied to the firewall interface (normally Outside) on which IPsec will be established.

The seq-num parameter of the crypto map distinguishes multiple entries under the same map name, which is needed when the firewall has more than one IPsec peer (for example an ASA in a hub-and-spoke design).

Complete Phase 2 configuration on both firewalls:

Step 4: Verify that data is encrypted

Is the tunnel established?

The show crypto isakmp sa command checks whether the SA has been established and shows whether the tunnel is up, down or still being negotiated.

Is the data being encrypted?

The show crypto ipsec sa command confirms whether data is being encrypted and decrypted successfully.

Table 4.2: Encrypted data information
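The complete configuration of both firewalls for steps 1 to 4, as an added example that is not the thesis's own configuration. It uses the addresses from Figure 4.1 (192.168.1.0/24 behind 100.100.100.1, 192.168.2.0/24 behind 200.200.200.1) and the ISAKMP values recommended in step 2. The pre-shared key, the ACL, transform-set and crypto-map names and the interface names inside/outside are assumed, and the NAT exemption uses the nat 0 form described in step 1.

```cisco
! Added example, not the thesis's own configuration.
! Assumed: pre-shared key, names VPN-TRAFFIC / NONAT / TS-AES-SHA / VPNMAP,
! interfaces named inside and outside on both units.

!===== ASA-1 (outside 100.100.100.1, LAN 192.168.1.0/24) =====
! Step 1: interesting traffic, and the same traffic exempted from NAT
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Step 2: Phase 1 policy (identical on both peers) and the peer's pre-shared key
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
 pre-shared-key S2S-PreSharedKey-Example

! Step 3: Phase 2 transform set and crypto map, applied to the outside interface
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
crypto map VPNMAP 10 match address VPN-TRAFFIC
cryp map VPNMAP 10 set peer 200.200.200.1
crypto map VPNMAP 10 set transform-set TS-AES-SHA
crypto map VPNMAP interface outside

!===== ASA-2 (outside 200.200.200.1, LAN 192.168.2.0/24) =====
! Mirror image: source and destination networks and the peer address are swapped
access-list VPN-TRAFFIC extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
 pre-shared-key S2S-PreSharedKey-Example
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
crypto map VPNMAP 10 match address VPN-TRAFFIC
crypto map VPNMAP 10 set peer 100.100.100.1
crypto map VPNMAP 10 set transform-set TS-AES-SHA
crypto map VPNMAP interface outside

! Step 4: verification on either unit after sending traffic between the LANs
! (the tunnel is only negotiated when interesting traffic arrives)
show crypto isakmp sa
show crypto ipsec sa
```

The two ACLs are deliberately kept separate even though they match the same traffic here: the crypto ACL defines what is encrypted, the NONAT ACL defines what bypasses translation, and in real deployments they often diverge. In show crypto ipsec sa the #pkts encaps and #pkts decaps counters should both increase; encaps rising with decaps at zero points at the remote side (wrong key, mismatched policy or the peer's crypto ACL not mirroring ours).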

4.4.2 Configuring Remote Access VPN

(Figure 4.2)

Many configuration commands are the same as for the Site-to-Site VPN, in particular IKE Phase 1 and Phase 2. In addition an IP pool must be configured on the firewall to assign addresses dynamically to remote users.

Step 1: Configure the IP pool

The command format is as follows:

In this example we assign remote users addresses from 192.168.20.0/24.

Step 2: Traffic to encrypt and NAT exemption

As for the Site-to-Site VPN, we define an ACL from the internal network to the remote users (192.168.20.0/24) to exempt that traffic from NAT.

Step 3: Configure the Group Policy

A group policy lets you separate remote users into groups with different attributes. For example, system administrators can be placed in a group with 24-hour access, while ordinary remote users are placed in another group with access only from 9 a.m. to 5 p.m. The group policy also supplies DNS or WINS server addresses, connection filters and idle timeouts.
The syntax is as follows:

Configuration example:

Assume all remote users share a single group policy named company-cpn-policy, configured as above. This policy assigns the DNS and WINS server addresses used to resolve names in the internal domain, and sets an idle timeout of 30 minutes.

Step 4: Configure usernames for Remote Access authentication

When a remote user connects with the VPN Client, a login prompt asks for a username and password to authenticate with the firewall, so we must create the usernames and passwords used for this authentication.

Syntax:

Configuration example:

Step 5: Configure Phase 1 (ISAKMP policy)

Same as for the Site-to-Site VPN.

Step 6: Configure Phase 2 (IPsec parameters)

This step is also the same as for the Site-to-Site VPN.

Step 7: Configure the Tunnel Group for Remote Access

The tunnel group is the heart of the Remote Access VPN. It ties together the group policy configured earlier, the IP pool and the pre-shared key.

Syntax:

The group name is very important, because exactly the same name must be entered when configuring the VPN Client software.

Configuration example:
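The complete Remote Access configuration for steps 1 to 7, as an added example that is not the thesis's own configuration. The pool 192.168.20.0/24, the internal network 192.168.1.0/24, the tunnel-group name vpnclient, the pre-shared key groupkey123 and the 30-minute idle timeout come from the text. The group policy is named company-vpn-policy here (the text writes company-cpn-policy), and the DNS/WINS address, domain name, user account, ACL and map names are assumed.

```cisco
! Added example, not the thesis's own configuration.
! Assumed: DNS/WINS 192.168.1.10, domain company.local, user remoteuser1,
! names VPNPOOL / NONAT / TS-AES-SHA / DYNMAP / VPNMAP, interfaces inside/outside.

! Step 1: address pool handed out to VPN clients
ip local pool VPNPOOL 192.168.20.1-192.168.20.254 mask 255.255.255.0

! Step 2: exempt internal <-> client traffic from NAT; it travels encrypted instead
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Step 3: group policy with name servers and a 30-minute idle timeout
group-policy company-vpn-policy internal
group-policy company-vpn-policy attributes
 dns-server value 192.168.1.10
 wins-server value 192.168.1.10
 default-domain value company.local
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec

! Step 4: local account the user types at the VPN Client login prompt
username remoteuser1 password ExamplePass1

! Step 5: Phase 1 policy, same values as the site-to-site case
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600

! Step 6: Phase 2. Clients connect from unknown public addresses, so a dynamic
! crypto map (no fixed peer) is attached to the static map with a high sequence number
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set TS-AES-SHA
crypto map VPNMAP 20 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside

! Step 7: tunnel group binding pool, group policy and group pre-shared key.
! Its name is the "Group Authentication" name entered in the VPN Client.
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
 address-pool VPNPOOL
 default-group-policy company-vpn-policy
tunnel-group vpnclient ipsec-attributes
 pre-shared-key groupkey123

! Verification: lists connected clients with their assigned pool address
show vpn-sessiondb remote
```

The dynamic entry sits at sequence 20 so that any static site-to-site entries (sequence 10) are evaluated first; the ASA only falls through to the dynamic map when no static peer matches. Two secrets are involved: the group pre-shared key authenticates the client software to the tunnel group, and the username/password authenticates the person (XAUTH), so losing one does not hand out the other.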

Step 8: Configure the VPN Client software

Figure 4.3: Step 8, configuring the client software

After installing the VPN Client, start the application and choose New to create a new connection entry.

Figure 4.4: Creating a VPN Client connection entry

Give the connection a name (vpn) and a description. In the Host box enter the public IP address of the ASA's outside interface. Under Group Authentication, enter the name and password, which must match the tunnel-group name and pre-shared key from step 7. In this configuration example the Group Authentication name is vpnclient and the password (pre-shared key) is groupkey123. Then click Save to store the connection entry.

Figure 4.5: Saving the VPN Client connection entry

After saving the connection entry, return to the Connection Entries tab and choose Connect to start the Remote Access VPN connection.

Figure 4.6: Starting the Remote Access VPN connection

After starting the VPN connection, the remote user is asked for a username and password on the login screen to authenticate with the firewall.

Figure 4.7: Authentication login

After successful authentication with the firewall, a secure Remote Access tunnel is established. If you open a command prompt and run ipconfig /all on the remote user's computer, you will see an address from 192.168.20.0/25 assigned to the virtual VPN interface. The remote user now has full access to the Corporate LAN.

4.4.3 Configuring firewall failover

The Cisco ASA firewall is a critical component of any network, and several important business services usually depend on the firewall being available. Firewall redundancy must therefore be built in. This chapter describes firewall failover in Active/Standby mode, the most common configuration in most networks. The ASA also offers Active/Active failover.

Active/Standby model

In the Active/Standby model, one of the two firewalls is designated Active and handles all traffic and security functions. The other firewall remains in standby mode and automatically takes over handling all traffic if the Active firewall fails.

Stateful failover replicates connection state information from the Active firewall to the Standby firewall. When failover occurs, the same connection information is already present on the standby firewall, which automatically becomes active without dropping any user's connections. The state information synchronised between active and standby includes the global address pools, connection state, the NAT table, the state of TCP/UDP connections and many other details.

Figure 4.8: Active/Standby model

The network diagram above shows a pair of firewalls running failover in Active/Standby mode. Both Inside interfaces connect to the same internal switch and both Outside interfaces connect to the same external switch. A cable between the two firewalls serves as the LAN Failover Link. During normal operation all traffic passes through the Active firewall, which processes all inbound and outbound communication. If the Active firewall fails (for example an interface goes down or the unit itself fails), the Standby firewall takes over by assuming the IP addresses of the Active firewall, so all traffic keeps flowing without interruption. All connection state information is synchronised over a LAN connection called the LAN Failover Link, which also lets the Standby firewall monitor the health of the Active firewall.

Requirements

Both firewalls must meet the following hardware and software requirements to run failover:

- the same operating system platform
- the same hardware configuration
- the same operating mode (routed or transparent, single or multiple context)
- the same amount of Flash and RAM
- the same licensed features (encryption type, number of contexts, number of VPN peers)
- a software license that allows failover
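An added example of an Active/Standby pair (not the thesis's own configuration) following the layout of Figure 4.8: inside and outside interfaces carry an active address plus a standby address, and a dedicated link between the units carries both the failover hello traffic and the state replication. All addresses, the link name FOLINK, the use of Ethernet0/2 as the link and the shared key are assumed.

```cisco
! Added example, not the thesis's own configuration.
! Assumed: all addresses, link name FOLINK on Ethernet0/2, key FailoverKey-Example.

!===== Primary unit =====
interface Ethernet0/0
 nameif outside
 security-level 0
 ! Address held by whichever unit is active, and the one used by the standby unit
 ip address 100.1.1.2 255.255.255.0 standby 100.1.1.3
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
interface Ethernet0/2
 description LAN Failover Link, also used as the stateful link
 no shutdown

failover lan unit primary
! Failover control (hello/role) link
failover lan interface FOLINK Ethernet0/2
! Stateful link: connection/NAT state is replicated over it
failover link FOLINK Ethernet0/2
failover interface ip FOLINK 10.10.10.1 255.255.255.0 standby 10.10.10.2
! Authenticate and encrypt failover and state traffic between the units
failover key FailoverKey-Example
failover

!===== Secondary unit (bootstrap only; the rest is replicated from the primary) =====
interface Ethernet0/2
 no shutdown
failover lan unit secondary
failover lan interface FOLINK Ethernet0/2
failover link FOLINK Ethernet0/2
failover interface ip FOLINK 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key FailoverKey-Example
failover

! Verification on either unit
show failover
show failover state
```

The failover key matters in practice: without it the replication stream, which carries the NAT table and the active connection list, crosses the link in clear, and a unit that can speak the failover protocol on that segment could join the pair. Keeping the link on a dedicated cable or VLAN, as Figure 4.8 does, limits who can reach it at all.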

4.4.4 Configuring AnyConnect WebVPN

This section describes a newer VPN feature supported by the ASA, AnyConnect WebVPN, which uses SSL and a Java-based client to build a tunnel for remote user access. Before going into the details of AnyConnect WebVPN, let us review the VPN technologies supported by the ASA firewall.

4.4.4.1 Overview of ASA VPN technologies

Cisco offers several ways to build VPNs on the ASA, but they are generally classified as IPsec-based VPNs or SSL-based VPNs. The first class uses the IPsec protocol for secure communication, the second uses SSL. SSL-based VPNs are also called WebVPN. The two general VPN classes supported by the ASA break down into the following technologies:

IPsec-based VPNs:
- LAN-to-LAN IPsec VPN: used to connect remote LANs over an insecure medium (such as the Internet). It runs ASA-to-ASA or ASA-to-Cisco router.
- Remote Access with the IPsec VPN Client: VPN Client software installed on the user's computer provides access to the central network. It uses IPsec and gives the user full network connectivity.

SSL-based VPNs (WebVPN):
- Clientless Mode WebVPN: the first SSL WebVPN mode, supported from ASA version 7.0 onwards. It lets users establish a secure VPN connection through a web browser. The benefit is that no software or hardware is needed; however, only a limited set of applications can be reached.
- AnyConnect WebVPN: a Java-based client installed on the user's computer provides an SSL tunnel to the central network. It offers full connectivity (like IPsec Remote Access); every application on the central network is reachable remotely.

Comparison of the WebVPN technologies

This section concentrates on AnyConnect WebVPN only. We do not spend time on Clientless WebVPN because we believe the benefits of AnyConnect over Clientless are greater. To support this, let us look at the differences between the two WebVPN modes so that it is clear why we focus on AnyConnect.

Clientless WebVPN requires no VPN client on the user's computer; only an ordinary web browser is used. The user browses to http://[outside address of the ASA], authenticates with the firewall and gains access to a Web Portal. Through this portal the user can reach a limited set of internal applications: specifically internal web applications (HTTP, HTTPS), email servers (POP3, SMTP, IMAP), Windows file shares and a number of TCP-based services such as Telnet. So there is no full access to the internal network with Clientless VPN.

AnyConnect WebVPN, on the other hand, gives the remote user full network connectivity. The ASA firewall acts as the AnyConnect VPN server, assigns an IP address to the remote user and lets the user onto the network. All IP protocols and application functions then work through the VPN tunnel without problems; for example, after authenticating with AnyConnect VPN a remote user can use Remote Desktop to reach a Windows Terminal Server inside the internal network. Although the Java-based client must be installed on the user's computer, it can be delivered dynamically to the user by the ASA: the user connects to the ASA with a web browser and downloads the Java client. The client is small, about 3 MB, and is stored in the ASA's Flash memory.

4.4.4.2 Overview of AnyConnect WebVPN

AnyConnect WebVPN protects data at the network layer and above (tunnel mode). It provides the same remote access functionality as Cisco IPsec VPN. There are two versions of the tunnel-mode WebVPN client:

In ASA versions 7.0 to 7.2 the WebVPN client is called SVC (SSL VPN Client). From version 8.0 onwards it is called the AnyConnect WebVPN client. Although we focus on the AnyConnect client, the ASA configuration is the same for both client versions (SVC and AnyConnect).

Overview of AnyConnect VPN operation

The diagram below shows the network topology with the ASA and a remote user connecting with AnyConnect VPN.

Figure 4.9: AnyConnect VPN operation

In the diagram above, the ASA firewall is configured as the AnyConnect WebVPN server. The user connects remotely over the Internet; the user's computer has IP address 10.1.1.1 and sits behind a router running NAT/PAT, so its private address is translated to a public address by the NAT router. When the remote user connects and authenticates to the ASA with the AnyConnect client, the ASA assigns an IP address from a predefined range (in the example above, 192.168.5.1-192.168.5.20). Here the ASA assigns 192.168.5.1 to the remote user, which means the user is virtually connected to the internal LAN behind the ASA firewall.

The operation described above assumes AnyConnect is installed on the user's computer. Let us look at the options for installing the AnyConnect client. There are two ways to install AnyConnect on the client:

- through the Clientless WebVPN portal
- manual installation by the user

With the Clientless Web Portal, the user first connects and authenticates to the ASA with a secure web browser, and the Java AnyConnect client is downloaded and installed on the computer automatically (the user can also click the AnyConnect tab on the WebVPN portal to download the client software). For this to work, the administrator must have stored the Java package (.pkg extension) in the ASA's Flash memory.

With manual installation, the network administrator downloads the appropriate Java client package (the Microsoft MSI installer or one of the other OS versions) from the Cisco website and supplies the file to the user for manual installation. With this method the user does not need to log in to Clientless mode to start the SSL VPN tunnel.
Step-by-step AnyConnect configuration

We focus on the automatic AnyConnect installation option, that is, the AnyConnect client package is stored in the ASA's flash memory and downloaded by the user. The diagram below is used to describe the configuration step by step.

Figure 4.10: AnyConnect configuration

Step 1: Store the PKG file in the ASA flash memory. First download one of the .pkg files from the Cisco website; the Windows client file, for example, is named like anyconnect-win-x.x.xxxx-k9.pkg. Copy the PKG file to flash:

Assume we downloaded the AnyConnect client to the computer with IP 192.168.1.1. We use a TFTP server on that computer to copy the file to the ASA.

Step 2: Identify the PKG file in flash by telling the ASA where the file is stored, and enable the AnyConnect WebVPN service on the ASA's Outside interface.

Note: the number 1 at the end of the file name is the order of the file in flash memory. It is used when more than one file is stored in flash (for example AnyConnect clients for Windows and Mac).

Step 3: Exempt SSL WebVPN traffic from the ACL on the Outside interface. By default WebVPN traffic is not exempt from ACL checking: once the traffic is decapsulated it is checked by the inbound ACL applied to the Outside interface. You must either permit the decapsulated traffic in the ACL or use sysopt connection permit-vpn.

Step 4: This step is optional but very useful. All SSL VPN connections between the remote user and the ASA run over HTTPS (port 443), which means the user must type https://[public IP address of the ASA] in the browser. Because most users forget the https, you can configure a port redirect so that when a user connects on port 80 the ASA automatically redirects to port 443.

Step 5: Create the address range from which the ASA assigns addresses to external users. From the diagram above, after an external user authenticates, the ASA assigns an IP address from the predefined range 192.168.5.1-192.168.5.20.

Step 6: Create a NAT exemption so that VPN traffic is not translated. We do this because the tunnelled traffic must not pass through NAT.

Step 7: Create a group policy for the AnyConnect WebVPN users. The group policy lets you separate users into groups with different attributes, such as DNS server, split tunnel, and how the AnyConnect WebVPN client is downloaded (automatically or after authentication).

Clarification of some parameters:

- svc keep-installer {installed | none}: installed means the client stays permanently installed on the user's computer even after disconnecting. By default the client is removed after the user disconnects from AnyConnect.
- svc ask {none | enable [default {webvpn | svc} timeout value]}: tells the ASA how the AnyConnect client is to be downloaded to the user's computer.
- svc ask none default webvpn: the ASA immediately shows the WebVPN portal. This is the default.
- svc ask none default svc: the AnyConnect client is downloaded automatically.
- svc ask enable default svc timeout 20: the user is prompted to install the AnyConnect client; if the user does nothing for 20 seconds, the client is downloaded and installed automatically.

Step 8: Create the tunnel group. The tunnel group must reference the group policy configured above; it ties the group policy to the IP address range configured for the remote users. The format is as follows:

Example:

Step 9: Create the local accounts on the ASA that will be used for AnyConnect authentication.

Complete configuration:
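The complete configuration for steps 1 to 9, as an added example that is not the thesis's own configuration. The pool 192.168.5.1-192.168.5.20, the TFTP host 192.168.1.1, the user ssluser1 and the svc keywords come from the text; the package file name keeps the text's x.x.xxxx placeholder and must be replaced with the real version. The group-policy, tunnel-group, pool and ACL names, the DNS address and the internal subnet 192.168.1.0/24 are assumed.

```cisco
! Added example, not the thesis's own configuration.
! Assumed: names SSLPOOL / NONAT / SSLGROUP / SSLUSERS / SSL-Users, DNS 192.168.1.10,
! internal subnet 192.168.1.0/24. Replace x.x.xxxx with the real package version.

! Step 1: copy the AnyConnect package from the TFTP server on 192.168.1.1 to flash
copy tftp://192.168.1.1/anyconnect-win-x.x.xxxx-k9.pkg disk0:/anyconnect-win-x.x.xxxx-k9.pkg

! Step 2: register the image (order number 1) and enable WebVPN on the outside interface
webvpn
 enable outside
 svc image disk0:/anyconnect-win-x.x.xxxx-k9.pkg 1
 svc enable
 ! Let the login page offer a drop-down of tunnel groups (step 8 alias)
 tunnel-group-list enable

! Step 3: decapsulated VPN traffic bypasses the inbound ACL on the outside interface
sysopt connection permit-vpn

! Step 4 (optional): redirect plain HTTP on port 80 to HTTPS on 443
http redirect outside 80

! Step 5: addresses handed to AnyConnect users
ip local pool SSLPOOL 192.168.5.1-192.168.5.20 mask 255.255.255.0

! Step 6: NAT exemption for internal <-> VPN client traffic
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Step 7: group policy for AnyConnect users
group-policy SSLGROUP internal
group-policy SSLGROUP attributes
 vpn-tunnel-protocol svc webvpn
 dns-server value 192.168.1.10
 webvpn
  ! keep the client installed on the user's computer after disconnect
  svc keep-installer installed
  ! download the AnyConnect client immediately instead of showing the portal
  svc ask none default svc

! Step 8: tunnel group binding the pool to the group policy; the alias is what
! the user picks on the login page
tunnel-group SSLUSERS type remote-access
tunnel-group SSLUSERS general-attributes
 address-pool SSLPOOL
 default-group-policy SSLGROUP
tunnel-group SSLUSERS webvpn-attributes
 group-alias SSL-Users enable

! Step 9: local account used at the AnyConnect login prompt
username ssluser1 password ExamplePass1

! Verification: connected AnyConnect (svc) sessions and their pool addresses
show vpn-sessiondb svc
```

sysopt connection permit-vpn is the convenient choice and the one the text names, but it exempts every VPN user from the outside ACL in one stroke; where different user groups need different access, leaving it off and writing explicit permits for the pool (or applying a vpn-filter in the group policy) keeps that control. The http redirect only helps users who typed the address without a scheme; the login itself still happens over HTTPS.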

4.4.5 Establishing an AnyConnect WebVPN connection

Browse to the ASA's public address: https://[outside interface]

Figure 4.11 (a): Connecting to the ASA

Enter the username and password (ssluser1) and select the user group.

Figure 4.11 (b): Connecting to the ASA

Establish the SSL VPN connection.

Figure 4.12 (a): Establishing the SSL VPN connection

ActiveX must be installed on your computer before the AnyConnect client can be downloaded. The window below appears once the connection is established.

Figure 4.12 (b): Establishing the SSL VPN connection

The connection has been established successfully.

CHAPTER 5. APPLICATION DEMO

CONCLUSION

I. ASSESSMENT

I.1. Results achieved

After the study and research process, I achieved the following results:
- Understood clearly what a firewall is in computing and what its nature is, the role of the firewall in securing a computer network, and the main components that make up a firewall.
- Learned about network safety and security.
- Learned the firewall requirements of enterprises in general and of small enterprises in particular.
- Learned the security policies of Cisco firewalls.
- Built a simulated model for applying security policies.

I.2. Issues not accomplished
- Did not fully study firewall programming techniques.
- Did not gain practical access to a real firewall solution from which to derive an exact deployment procedure.
- The deployment and study had few practical conditions; many issues were covered through documents only.

II. DIRECTIONS FOR FURTHER DEVELOPMENT

Based on what was and was not accomplished while carrying out the project, the project team proposes the following directions to gradually complete the project:
- Study firewall programming techniques in more depth and propose better plans and solutions.
- Build a highly practical firewall program that can actually be deployed.

III. CLOSING WORDS

During the study and work on this project the team received many comments on both the content and the presentation. I sincerely thank our supervisor, Vi Hoai Nam, and the lecturers of the IT faculty for their dedicated guidance and instruction. Although the project shows some understanding of the subject, there remain points accomplished and not accomplished as stated above. We look forward to comments and additions from the lecturers and readers so as to gain more experience and do better in future projects.
