
Graduation Thesis

A Study of the Cisco ASA 5520 Firewall

TABLE OF CONTENTS

Table of contents .......... 1
List of tables .......... 4
List of abbreviations .......... 5
CHAPTER 1: OVERVIEW OF FIREWALLS .......... 8
  1.1. The concept of a firewall .......... 8
  1.2. Purpose of a firewall .......... 8
  1.3. Types of firewall .......... 11
    1.3.1. Hardware firewalls .......... 12
    1.3.2. Software firewalls .......... 12
  1.4. Firewall techniques and technologies .......... 12
    1.4.1. Packet Filtering .......... 13
    1.4.2. Proxy .......... 14
      1.4.2.1. Circuit-level gateways .......... 14
      1.4.2.2. Application-level gateways .......... 16
    1.4.3. Stateful Inspection Firewall (SIF) .......... 19
  1.5. Firewall architectures .......... 20
    1.5.1. Screening Router .......... 20
    1.5.2. Dual-homed host architecture .......... 21
    1.5.3. Screened host architecture .......... 22
    1.5.4. Screened subnet architecture .......... 24
    1.5.5. Using several bastion hosts .......... 25
CHAPTER 2: CISCO FIREWALL TECHNIQUES AND TECHNOLOGY .......... 28
  2.1. History .......... 28
  2.2. Overview of Cisco firewalls .......... 29
  2.3. Operating principles of the Cisco firewall .......... 30
    2.3.1. Routing traffic through the firewall .......... 32
    2.3.2. Access through the firewall .......... 32
    2.3.3. Outbound access through the firewall .......... 33
    2.3.4. Inbound access through the firewall .......... 34
  2.4. Technologies integrated in the Cisco firewall .......... 35
    2.4.1. Stateful Inspection .......... 35
    2.4.2. Cut-Through Proxy .......... 37
    2.4.3. Application-Aware Inspection .......... 38
    2.4.4. Virtual Private Network .......... 38
    2.4.5. Security Context (Virtual Firewall) .......... 40
    2.4.6. Redundancy: Failover Capabilities .......... 41
    2.4.7. Transparent Mode .......... 43
    2.4.8. Device management through the web interface .......... 45
  2.5. Cisco firewall product lines .......... 46
    2.5.1. The previous generation: Cisco PIX Firewall .......... 46
    2.5.2. The new generation: Cisco ASA Firewall .......... 48
CHAPTER 3: WORKING WITH THE CISCO ASA 5520 FIREWALL .......... 50
  3.1. Introduction to the Cisco ASA 5520 firewall product line .......... 50
  3.2. Basic configuration commands .......... 54
    3.2.1. The nameif command .......... 54
    3.2.2. The interface command .......... 55
    3.2.3. The ip address command .......... 56
    3.2.4. The nat command .......... 56
    3.2.5. The global command .......... 57
    3.2.6. The route command .......... 58
  3.3. Configuring some services on the Cisco ASA 5520 firewall .......... 59
    3.3.1. Publishing a website through the Cisco firewall .......... 59
    3.3.2. Configuring PAT to let the INSIDE zone reach the INTERNET .......... 64
    3.3.3. Configuring Active/Standby failover .......... 67
  3.4. Remarks and product evaluation .......... 70
    3.4.1. Checkpoint firewalls .......... 71
    3.4.2. Netscreen firewalls .......... 72
  3.5. Proposed design of a redundant, highly available network with the Cisco ASA 5520 firewall .......... 74
CONCLUSION .......... 82
REFERENCES .......... 84

LIST OF FIGURES

Figure 1.1: A firewall placed between a private network and the public network .......... 10
Figure 1.2: Using several firewalls to increase security .......... 11
Figure 1.3: Packet-filtering firewall technology .......... 13
Figure 1.4: Circuit-level gateway firewall technology .......... 15
Figure 1.5: Application-level gateway model .......... 16
Figure 1.7: Operation of a stateful inspection firewall .......... 20
Figure 1.8: Screening router model .......... 20
Figure 1.9: Dual-homed host architecture .......... 22
Figure 1.10: Screened host architecture .......... 24
Figure 1.11: Screened subnet architecture .......... 25
Figure 1.12: Architecture using two bastion hosts .......... 26
Figure 2.1: Stateful Inspection technology .......... 35
Figure 2.2: Cut-Through Proxy technology .......... 37
Figure 2.3: Application-Aware Inspection technology .......... 38
Figure 2.3: VPN (virtual private network) technology .......... 39
Figure 2.4: Virtual firewall technology .......... 40
Figure 2.5: Failover technology .......... 42
Figure 2.6: Operation in Transparent mode .......... 43
Figure 2.7: The web interface solution .......... 45
Figure 2.8: The PIX product lines .......... 46
Figure 2.9: The ASA product lines .......... 48
Figure 3.1: The Cisco ASA 5520 firewall .......... 50
Figure 3.2: Front panel of the Cisco ASA 5510, 5520 and 5540 firewalls .......... 52
Figure 3.3: Rear panel of the Cisco ASA 5510, 5520 and 5540 firewalls .......... 53
Figure 3.4: Ports on the Cisco ASA 5520 firewall .......... 53
Figure 3.5: NAT and PAT demo topology .......... 59
Figure 3.6: Web access from a computer in the INSIDE zone .......... 62
Figure 3.7: Remote Desktop from the INSIDE zone .......... 62
Figure 3.8: Web access from a computer on the INTERNET .......... 63
Figure 3.9: Remote Desktop from a computer on the INTERNET .......... 63
Figure 3.10: Successful ping result .......... 65
Figure 3.11: PAT address mapping table .......... 66
Figure 3.12: Active/Standby failover topology .......... 67
Figure 3.13: The Check Point VPN-1 firewall in a network .......... 72
Figure 3.14: The Netscreen firewall in a network .......... 73
Figure 3.15: A network with the ASA 5520 .......... 75
Figure 3.16: Active/Active failover deployment model .......... 77

LIST OF TABLES

Table 1: Technical specifications of the Cisco ASA 5520 firewall .......... 51
Table 1: Address allocation table .......... 78

Đinh Hoàng Thái, class AT3C


LIST OF ABBREVIATIONS

No.  Term                                    Abbreviation
1    Network Interface Controller            NIC
2    Internet Protocol                       IP
3    Local Area Network                      LAN
4    Demilitarized Zone                      DMZ
5    File Transfer Protocol                  FTP
6    Simple Mail Transfer Protocol           SMTP
7    Open Systems Interconnection            OSI
8    Hypertext Transfer Protocol             HTTP
9    Transmission Control Protocol           TCP
10   Asymmetric Digital Subscriber Line      ADSL
11   Personal Computer                       PC
12   Domain Name System                      DNS
13   Random Access Memory                    RAM
14   Internet Security and Acceleration      ISA
15   Virtual Private Network                 VPN
16   Network Address Translation             NAT
17   Wide Area Network                       WAN
18   Operating System                        OS
19   Post Office Protocol                    POP
20   Internet Message Access Protocol        IMAP


FOREWORD

In practice today, information security plays an essential role, no longer a secondary one, in every activity that involves the application of information technology. Starting in the early 1990s, with only a handful of IT specialists and still-limited understanding, the use of IT in production, trading and management remained quite modest, stopped at the level of a tool, and these expensive tools were sometimes even seen as obstacles that brought no tangible benefit to the organizations using them. The Internet lets us reach anywhere in the world through a number of services. Sitting in front of your own computer you can learn what is happening all over the globe, but for exactly that reason your computer system can be broken into at any moment without any warning. Protecting the system is therefore a problem that deserves our attention, and the concept of the firewall was introduced to solve it. To make these issues clear, the thesis "A study of firewalls and the use of the Cisco ASA 5520 firewall to protect the website of the Academy of Cryptography Techniques" gives a deeper look at the concept and the functions of a firewall. The thesis is divided into three chapters:

Chapter 1: Overview of firewalls. This chapter presents the most basic concepts of firewalls as well as the architectures and technologies used to design them.

Chapter 2: Cisco firewall techniques and technology. This chapter covers the features and technologies applied in Cisco firewall devices.

Chapter 3: Working with the Cisco ASA 5520 firewall. This part puts a number of features of the ASA 5520 product line to use and applies them in practice.


Finally, I would like to sincerely thank M.Sc. Nguyễn Xuân Hà and the lecturers of the Faculty of Information Technology for their help and dedicated guidance in completing this thesis.

Hanoi, 7 June 2011
Student: Đinh Hoàng Thái


CHAPTER 1: OVERVIEW OF FIREWALLS

Chapter one mainly covers the basic concepts as well as the technologies and architectures of firewall systems. It gives the basic understanding of firewalls that serves as a foundation for studying a particular firewall product in depth.

1.1. The concept of a firewall

In the most general sense, a firewall is a mechanism that protects a computer network against unauthorized access from other computers or networks. A firewall consists of mechanisms that: block unauthorized access; permit access after checking the authenticity of the entity requesting it. In practice firewalls take very different forms: dedicated software or hardware, a single computer or a network of computers. According to William Cheswick and Steven Bellovin, pioneers of firewall systems, a firewall can be defined as a collection of components placed between two networks. In general a firewall has the following properties:
- Traffic flows in both directions.
- Only traffic that satisfies the local protection policy is allowed through.
- The firewall itself is immune to penetration.

1.2. Purpose of a firewall

With a firewall, users can be confident that they are exercising supervision over the data exchanged between their computer and other computers or systems. A firewall can be seen as a guard whose job is to check the "passport" of every data packet entering or leaving the user's computer, letting only valid packets through and discarding all invalid ones. Firewall solutions are genuinely necessary because of the very way data travels over the Internet. Suppose you send a letter to a relative: to cross the Internet, the letter must first be split into small packets. These packets find the best routes to the recipient's address, where they are reassembled (in the order numbered beforehand) and restored to their original form. Splitting data into packets simplifies transfer over the Internet but can also cause problems. If someone with bad intentions sends you packets booby-trapped so that your computer does not know how to handle them, or so that they are reassembled in the wrong order, that person may gain remote control of your computer and cause serious damage. Whoever gains such unauthorized control can then use your Internet connection to launch further attacks without revealing their own identity. A firewall ensures that all incoming data is legitimate, preventing outsiders from taking control of your computer. Controlling outgoing data is just as important, because it prevents intruders from "planting" harmful viruses on your computer and using it as a back door for attacks on other computers on the Internet.


Figure 1.1: A firewall placed between a private network and the public network

A firewall has at least two network interfaces, public and private. The public interface connects to the Internet, the side everyone can reach; the private interface is the side holding the data to be protected. A firewall may have several private interfaces, depending on how many network segments must be kept apart. Each interface has its own set of protection rules defining what kind of traffic may pass between the public and private networks. A firewall can also do much more, with its own advantages and drawbacks. Network administrators commonly use the firewall as a VPN endpoint, an authentication server or a DNS server. However, as with any other network device, the more services run on the same host the greater the risk, so a firewall should not run many services. The firewall is the second protective layer in the network; the first is the router, which at the routing level permits or denies IP addresses and detects abnormal packets, while the firewall decides which ports are permitted or denied. The strength of a firewall lies in its ability to filter traffic against a set of protection rules written by the administrators. This can also be its greatest weakness: a bad or incomplete rule set can open a path for an attacker, leaving the network unprotected.


Many network administrators do not think of the firewall as a complex network device. Much attention goes to keeping unwanted traffic out of the private network and little to keeping unwanted traffic from leaving towards the public network; both kinds of protection rules deserve attention. If an attacker manages to break into a server, they should not be able to use that server to attack remote network devices. To protect traffic within network segments, administrators often run two firewalls: the first protects the whole network and the second protects the individual segments. Multiple firewall layers also give security administrators better control over information flows, especially where departments inside and outside the company must handle sensitive information: exchanges that are allowed in one part of the network can be restricted in more sensitive areas.

Figure 1.2: Using several firewalls to increase security

1.3. Types of firewall

A number of companies manufacture firewall products, and there are two kinds to choose from: hardware firewalls and software firewalls.


1.3.1. Hardware firewalls

Overall, hardware firewalls provide a higher level of protection than software firewalls and are easier to maintain. Another advantage is that they do not consume system resources on the computer the way software firewalls do. A hardware firewall is a very good choice for small businesses, especially companies that share an Internet connection. The firewall and a router can be combined in one hardware system and used to protect the entire network. A hardware firewall can be the cheaper option compared with software firewalls, which usually have to be installed on every personal computer in the network.

1.3.2. Software firewalls

If you do not want to spend money on a hardware firewall, you can use a software firewall. In terms of price, software firewalls are usually cheaper than hardware ones, and some are even free (Comodo Firewall Pro 3.0, PC Tools Firewall Plus 3.0, ZoneAlarm Firewall 7.1, ...) and can be downloaded from the Internet. Compared with hardware firewalls, software firewalls are more flexible, especially when the settings need to be adjusted to a company's particular needs. They work well on many different systems, unlike hardware firewalls integrated with a router, which only work well in small networks. A software firewall is also a suitable choice for a laptop, since the machine stays protected wherever it is taken. Software firewalls work well with Windows 98, Windows ME and Windows 2000 and are a good choice for stand-alone computers. Various software companies make these firewalls. They are not needed on Windows XP, because XP already comes with a built-in firewall.

1.4. Firewall techniques and technologies


There are many kinds of firewall today; for the convenience of study and development they are divided into two main types. Packet Filtering Firewall: a firewall system between the components inside the network and the controlled outside network. Application-proxy Firewall: a system that allows direct connections between clients and hosts.

1.4.1. Packet Filtering

Packet filtering is the most common and oldest technology. A packet-filter firewall examines incoming traffic at the transport layer of the OSI (Open Systems Interconnection) model. It analyses IP packets and compares them against rules set in advance in an access control list (ACL). It checks the following fields of each packet:
- Source IP address
- Source port
- Destination IP address
- Destination port
- Protocol

Figure 1.3: Packet-filtering firewall technology
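The ACL evaluation just described, worked through as an added example (this is not code from the thesis): a small Python packet filter that checks exactly the five header fields listed above against an ordered rule list, first match wins, with the implicit deny that closes every ACL. The addresses, rules and packets are constructed for the demonstration and use documentation ranges only.

```python
"""Stateless packet filter: evaluate an ordered ACL against a packet's 5-tuple."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str                      # "tcp", "udp" or "icmp"


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "any"
    src: str                        # source network in CIDR form; "0.0.0.0/0" = any
    dst: str                        # destination network in CIDR form
    dst_port: Optional[int] = None  # None = any port (ports are meaningless for icmp)

    def matches(self, p: Packet) -> bool:
        """A rule matches only if every one of its fields matches the packet."""
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.dst_port is None or self.dst_port == p.dst_port


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule decides; a packet matching no rule is denied (implicit deny)."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed ACL for the outside interface of a firewall in front of a web server
# (192.0.2.10) and an administration host (192.0.2.20). Only the header fields are
# consulted, so a packet whose source field carries an address from the admin
# network is permitted whether or not it really came from there; this is the
# spoofing limitation of packet filters noted in the text.
INBOUND_ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
    Rule("permit", "tcp", "198.51.100.0/24", "192.0.2.20/32", 22),  # admin network only
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),                 # explicit catch-all
]

# Constructed sample traffic arriving on the outside interface.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", 51000, "192.0.2.10", 80, "tcp"),    # web request: permit
    Packet("203.0.113.7", 51001, "192.0.2.10", 22, "tcp"),    # SSH to web server: deny
    Packet("198.51.100.5", 51002, "192.0.2.20", 22, "tcp"),   # SSH from admin net: permit
    Packet("203.0.113.7", 51003, "192.0.2.20", 22, "tcp"),    # SSH from elsewhere: deny
    Packet("203.0.113.7", 0, "192.0.2.10", 0, "icmp"),        # ping: no rule, deny
    Packet("203.0.113.7", 51004, "192.0.2.10", 80, "udp"),    # wrong protocol: deny
]


def filter_packets(acl: List[Rule], packets: List[Packet]) -> List[str]:
    return [evaluate(acl, p) for p in packets]


def demo() -> List[str]:
    return filter_packets(INBOUND_ACL, SAMPLE_PACKETS)


if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_PACKETS, demo()):
        print(f"{decision:6} {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
```

The order of the rules matters: moving the catch-all deny to the top would block everything, which is the "complex rule setup" pitfall the text lists under disadvantages.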


Note: besides the fields above, some packet filters also examine packet header information to decide whether the packet belongs to a new connection or to an existing one. These elements are compared with the ACL to decide whether the packet is permitted.

Advantages:
- Fast processing
- Easy to deploy, install and maintain
- Application-independent

Disadvantages:
- No control over data from layer 4 upward: many newer applications (such as multimedia applications) open several connections on arbitrary ports and do not determine which port they will use until the connection is established. Because the ACL is configured by hand, it is very hard to support such applications.
- No user authentication: a user can spoof an IP address permitted by the ACL to deceive the packet filter.
- Low security level and complex rule setup.

1.4.2. Proxy

A proxy firewall, also called a proxy server, acts as the representative of the hosts on the network segments it protects. Those hosts do not connect directly to the outside; they send their requests to the proxy server, where they are authenticated and authorized. The proxy server then sends the requests on to the outside hosts and relays the outside hosts' replies back inside. A proxy operates at the upper layers of the OSI model. Large networks often use several proxy servers to avoid bandwidth problems. The number of applications hosts can reach through a proxy is limited: by design, proxy firewalls support only specific protocols and applications. Proxies are further divided into circuit-level gateways and application-level gateways.

1.4.2.1. Circuit-level gateways


A circuit-level gateway operates at the transport layer. It monitors the TCP handshake between incoming and outgoing packets to decide whether a session is legitimate, by setting up two TCP connections, one between the gateway and the inside host and one between the gateway and the outside host, so that no end-to-end connection is ever made. Once both connections are established, the circuit-level gateway copies and forwards TCP segments from the inside connection to the outside connection (and back) without examining the data. The gateway considers a session legitimate if the SYN and ACK flags and the sequence numbers exchanged during the handshake are valid.

[Figure 1.4: a circuit-level gateway relaying between an outside connection (OUT/IN) and an inside connection (OUT/IN)]

Figure 1.4: Circuit-level gateway firewall technology

Advantages:
- Higher security than packet filtering
- Can be deployed for a large number of upper-layer protocols without needing to understand the protocol data

Disadvantages:

- Once a connection is established, it can let malicious code be carried in the packets.

1.4.2.2. Application-level gateways

As the name suggests, application-level gateways operate at the application layer. They are designed to strengthen control over which services and protocols are allowed into the network.

[Figure 1.5: an application-level gateway relaying Telnet, FTP, SMTP and HTTP between an outside host and an inside host]

Figure 1.5: Application-level gateway model

An application gateway works through proxy services, special programs installed on the gateway for each application. A connection through an application gateway proceeds in the following five steps:
Step 1: The client sends its request for the remote server to the application gateway.
Step 2: The gateway authenticates the user. If authentication succeeds, proceed to step 3; otherwise the process ends.
Step 3: The gateway forwards the client's request to the remote server.
Step 4: The remote server's reply is returned to the gateway.
Step 5: The gateway forwards the remote server's reply to the client.

Figure 1.6: Operation of an application gateway

Example: a client wants to use the TELNET service to connect into the network through an application gateway (Telnet proxy). The process is as follows. The client telnets to the Telnet proxy. The proxy checks the password; if it is valid, the client is admitted to the proxy's interface. The proxy offers a small subset of Telnet commands and decides which internal hosts may be reached. The client names the internal host it wants to connect to, and the proxy opens its own connection to that host and relays the client's commands to it on the client's behalf. The client believes the Telnet proxy is the real internal host, while the internal host believes the proxy is the real client. A proxy service consists of two components: the proxy server program and the proxy client program. It performs screening or blocking of access:
- URL blocking
- Blocking by information category
- Filtering and blocking embedded content: Java, ActiveX controls and other objects embedded in the response to a web request
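The five-step flow and the screening functions above, put together as an added example (this is not code from the thesis): a Python model of an HTTP application gateway that authenticates the user, authorizes the destination host, blocks URLs and content categories, fetches the page itself and strips embedded active content from the reply before returning it. The user store, allowed-host table, block lists and the stand-in upstream server are all constructed for the demonstration.

```python
"""Application-level gateway: authenticate, authorize, relay, filter the reply."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    password: str
    host: str   # server the client wants to reach through the gateway
    path: str   # resource on that server


# Constructed user store: salted SHA-256 digests, no clear-text passwords kept.
SALT = b"demo-salt"


def _digest(password: str) -> str:
    return hashlib.sha256(SALT + password.encode()).hexdigest()


USERS = {"alice": _digest("correct horse"), "bob": _digest("s3cret")}
# Authorization: which servers each user may reach (constructed).
ALLOWED_HOSTS = {"alice": {"intranet.example", "www.example"}, "bob": {"www.example", "games.example"}}
BLOCKED_URLS = ("/admin", "/cgi-bin/")                 # URL blocking
BLOCKED_CATEGORIES = {"games.example": "games"}        # blocking by content category
# Paired HTML tags that carry embedded active content (Java applets, ActiveX objects).
EMBEDDED = re.compile(r"<(applet|object|embed)\b.*?</\1\s*>", re.I | re.S)


def authenticate(req: Request) -> bool:
    """Constant-time comparison of the stored digest with the digest of the offered password."""
    return hmac.compare_digest(USERS.get(req.user, ""), _digest(req.password))


def upstream_fetch(host: str, path: str) -> str:
    """Constructed stand-in for the remote server the gateway talks to (steps 3 and 4)."""
    pages = {
        ("www.example", "/index.html"):
            "<html><body>Hello <applet code='X.class'></applet> world</body></html>",
        ("intranet.example", "/status"):
            "<html><body>all systems nominal</body></html>",
    }
    return pages.get((host, path), "<html><body>404 not found</body></html>")


def gateway(req: Request, fetch: Callable[[str, str], str] = upstream_fetch) -> Tuple[str, str]:
    """Step 1 is the client handing `req` to the gateway; the rest happens here."""
    if not authenticate(req):                               # step 2
        return ("denied", "authentication failed")
    if req.host in BLOCKED_CATEGORIES:
        return ("denied", f"category blocked: {BLOCKED_CATEGORIES[req.host]}")
    if req.host not in ALLOWED_HOSTS.get(req.user, set()):
        return ("denied", f"{req.user} may not reach {req.host}")
    if req.path.startswith(BLOCKED_URLS):
        return ("denied", "url blocked")
    body = fetch(req.host, req.path)                         # steps 3 and 4: gateway, not client, talks to server
    cleaned = EMBEDDED.sub("", body)                         # screen the reply before step 5
    return ("ok", cleaned)


if __name__ == "__main__":
    print(gateway(Request("alice", "correct horse", "www.example", "/index.html")))
    print(gateway(Request("bob", "s3cret", "games.example", "/")))
```

The client never receives the server's raw bytes: everything the inside host sees has passed through the gateway's screening, which is why the text credits application gateways with full per-service control at the cost of speed.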

Advantages:
- Full control over each service on the network (deciding which servers each service may reach)
- Full control over which services are allowed (a service with no proxy is simply blocked)
- Very good authentication checking and logging of system access
- Filtering rules for an application gateway are easier to configure and verify than packet-filtering rules

Disadvantages:
- Slow, with low performance, because processing happens at several layers
- Limited set of supported services
- Limited scalability
- Complex installation and maintenance
- Limited transparency for end users

1.4.3. Stateful Inspection Firewall (SIF)

A stateful inspection firewall combines performance with security, bringing together the features of the three firewall types above. Like a packet filter, it operates at the network layer and filters incoming and outgoing packets on source address, destination address, source port and destination port. Like a circuit-level gateway, it identifies exactly which packets belong to a session: the SIF checks whether the ACK and SYN flags and the sequence numbers are valid. Imitating an application-level gateway, the SIF passes the packet up to the application layer and checks whether the data content complies with the rules of the system's security policy; like an application gateway, it can be configured to discard packets containing specific commands (for example FTP PUT or FTP GET). Unlike an application-level gateway (which needs two connections and is therefore slow), the SIF lets the client connect directly to the server.
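The handshake tracking of the circuit-level gateway and the command inspection of the application gateway, combined as the SIF does, in an added example (this is not code from the thesis): a Python state table that admits only connections opened from the inside, validates the SYN, SYN-ACK and ACK sequence and acknowledgement numbers before marking a flow established, drops return traffic for which no state exists, and on established FTP control connections drops segments carrying forbidden commands. STOR and RETR are the wire-level FTP commands behind a client's put and get; the addresses, ports and segments are constructed for the demonstration.

```python
"""Stateful inspection: TCP state table plus application-command inspection."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str          # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "PA" = PSH-ACK, "F"/"R" close
    seq: int
    ack: int = 0
    payload: bytes = b""


INSIDE_NET = "10.0.0."   # constructed: hosts on the protected side
FTP_CONTROL_PORT = 21


class StatefulFirewall:
    def __init__(self, blocked_ftp_cmds=("STOR", "RETR")):
        # key: (inside ip, inside port, outside ip, outside port) -> connection state
        self.table: Dict[Tuple[str, int, str, int], dict] = {}
        self.blocked = set(blocked_ftp_cmds)

    @staticmethod
    def _key(s: Segment) -> Tuple[str, int, str, int]:
        if s.src_ip.startswith(INSIDE_NET):
            return (s.src_ip, s.src_port, s.dst_ip, s.dst_port)
        return (s.dst_ip, s.dst_port, s.src_ip, s.src_port)

    def process(self, s: Segment) -> str:
        key = self._key(s)
        outbound = s.src_ip.startswith(INSIDE_NET)
        entry = self.table.get(key)

        if entry is None:
            # Only an inside host may open a connection, and only with a bare SYN.
            if outbound and s.flags == "S":
                self.table[key] = {"state": "SYN_SENT", "c_seq": s.seq, "s_seq": None}
                return "permit"
            return "drop: no state"

        state = entry["state"]
        if state == "SYN_SENT":
            # The server's SYN-ACK must acknowledge exactly the client's ISN + 1.
            if not outbound and s.flags == "SA" and s.ack == entry["c_seq"] + 1:
                entry.update(state="SYN_RECEIVED", s_seq=s.seq)
                return "permit"
            return "drop: bad SYN-ACK"
        if state == "SYN_RECEIVED":
            # The client's final ACK must carry ISN + 1 and acknowledge the server's ISN + 1.
            if (outbound and s.flags == "A"
                    and s.seq == entry["c_seq"] + 1 and s.ack == entry["s_seq"] + 1):
                entry["state"] = "ESTABLISHED"
                return "permit"
            return "drop: bad handshake ACK"

        # ESTABLISHED: return traffic is allowed because state exists for it.
        if "F" in s.flags or "R" in s.flags:
            del self.table[key]          # connection closing; forget the state
            return "permit"
        if outbound and key[3] == FTP_CONTROL_PORT and s.payload:
            cmd = s.payload.split(b" ", 1)[0].strip().decode("ascii", "ignore").upper()
            if cmd in self.blocked:
                return f"drop: FTP {cmd} not allowed"
        return "permit"


def ftp_session_demo() -> List[str]:
    """Constructed traffic: a legitimate FTP session, a forbidden upload, and stray segments."""
    fw = StatefulFirewall()
    client, server, outsider = "10.0.0.5", "203.0.113.8", "198.51.100.9"
    flow = [
        Segment(client, 40000, server, 21, "S", seq=1000),
        Segment(server, 21, client, 40000, "SA", seq=5000, ack=1001),
        Segment(client, 40000, server, 21, "A", seq=1001, ack=5001),
        Segment(client, 40000, server, 21, "PA", seq=1001, ack=5001, payload=b"USER anonymous\r\n"),
        Segment(client, 40000, server, 21, "PA", seq=1017, ack=5020, payload=b"STOR secrets.txt\r\n"),
        Segment(server, 21, client, 40000, "PA", seq=5020, ack=1017, payload=b"230 Login ok\r\n"),
        Segment(server, 21, client, 40001, "SA", seq=7000, ack=1),       # reply with no matching state
        Segment(outsider, 4444, client, 22, "S", seq=1),                  # unsolicited inbound SYN
        Segment(client, 40002, server, 80, "S", seq=100),
        Segment(server, 80, client, 40002, "SA", seq=9, ack=999),          # wrong acknowledgement number
    ]
    return [fw.process(s) for s in flow]


if __name__ == "__main__":
    for decision in ftp_session_demo():
        print(decision)
```

Because the client and server exchange segments directly and the firewall only consults its table, the check costs a dictionary lookup per segment rather than the two relayed connections of a proxy, which is the performance point the text makes.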


Figure 1.7: Operation of a stateful inspection firewall

This is the safest and most versatile technology, because connections are not only checked against the ACL but also recorded in a state table. Once a connection is established, all information of the session passing through is compared with the state table; if it does not match, the connection is dropped. This is the newest technology, and its advantage is very high safety and security. A typical device using it is the ASA/PIX Firewall from Cisco. Within this thesis I focus on the Cisco Secure ASA/PIX Firewall, one of the world's leading network security devices today, which is examined in more detail in the following parts.

1.5. Firewall architectures

1.5.1. Screening Router

Figure 1.8: Screening router model


This architecture uses packet-filtering firewall technology built into the router, which routes or blocks packets according to the security policy.
Advantages:
o Fast processing
o Easy to deploy
Disadvantages:
o Low security level
o The configuration policies are complex, so mistakes are easy to make

1.5.2. Dual-homed host architecture

A dual-homed host firewall is built on a dual-homed host computer. A computer is called dual-homed if it has at least two network interfaces, that is, two network cards attached to two different networks, so that it acts as a software router. The architecture is very simple: the dual-homed host sits in the middle, one side connected to the Internet and the other to the internal network (LAN). It can provide services only by proxying them or by letting users log in directly to the dual-homed host. All direct communication between a host on the internal network and an outside host is forbidden; the dual-homed host is the only point of contact.


Figure 1.9: Dual-homed host architecture

1.5.3. Screened host architecture

The screened host is the reverse of the dual-homed host: it provides services from a host inside the internal network and uses a separate router towards the outside network. In this architecture the main security mechanism is packet filtering. The bastion host sits inside the internal network, and packet filtering is installed on the router. In this way the bastion host is the only system on the internal network that hosts on the Internet can connect to, and even then only the kinds of connection configured on the bastion host are allowed. Any outside system trying to reach internal systems or services must connect to this host, so the bastion host must be kept at a high security level. Packet filtering also lets the bastion host open connections to the outside. The packet-filtering configuration on the screening router is as follows:
- Allow all inside hosts to open connections to outside hosts through a fixed set of services.
- Disallow all connections from inside hosts (forcing these hosts to use proxy services through the bastion host).
- Several entry points can be combined for different services.

Some services are allowed in directly through packet filtering; others are allowed in only indirectly, through the proxy. Because this architecture lets packets travel from the outside into the internal network, it seems more dangerous than the dual-homed host, which is designed so that no packet can reach the internal network. In practice, however, the dual-homed host sometimes has faults that do let a packet pass from outside to inside (and because such faults are unforeseen, it is almost unprotected against such attacks). Moreover, in the dual-homed architecture the router (which provides very few services) is easier to protect than the hosts inside the network. Taken as a whole, the screened host architecture offers higher reliability and safety than the dual-homed host. Compared with other architectures such as the screened subnet, however, the screened host has some disadvantages. The main one is that if an attacker manages to break into the bastion host, nothing separates the bastion host from the remaining hosts on the internal network. The router is another weak point: if it is compromised, the whole network is exposed. For this reason the screened subnet has become the most common architecture.


Figure 1.10: Screened host architecture

1.5.4. Screened subnet architecture

To strengthen the protection of the internal network, implement a defence-in-depth strategy, make the bastion host safer, separate it from the other hosts and limit the spread of damage should it be compromised, the firewall architecture called the screened subnet was introduced. It derives from the screened host by adding a security element, the perimeter network, which isolates the internal network from the outside and separates the bastion host from the ordinary hosts. A simple screened subnet consists of two screening routers:
- The exterior router (also called the access router) sits between the perimeter network and the outside network and protects the perimeter network (bastion host and interior router). It permits outbound traffic from the perimeter network. A few special packet-filtering rules are installed, only as many as needed to protect the bastion host and the interior router, since the bastion host is itself configured at a high security level. Apart from those rules, the remaining rules should be the same on both routers.
- The interior router (also called the choke router) sits between the perimeter network and the internal network and protects the internal network from both the outside and the perimeter network. It does not carry the full packet-filtering rule set of the whole firewall. The services the interior router allows between the bastion host and the internal network need not be the same as those it allows between the outside and the internal network. Limiting the services between the bastion host and the internal network reduces the number of machines (and of services on them) that can be attacked if the bastion host is compromised and turned against the inside. For instance, the services allowed between the bastion host and the internal network should be limited, such as SMTP for incoming e-mail, perhaps restricting SMTP connections to those between the bastion host and the internal e-mail server.

Figure 1.11: Screened subnet architecture

1.5.5. Using several bastion hosts

Several bastion hosts are used for reasons of performance and redundancy, and to keep different servers apart.


One bastion host provides services for internal users, such as an SNMP server or proxy servers. Another bastion host provides services for the Internet or for external users, such as an anonymous FTP server that internal (local) users do not access.

Figure 1.12: Architecture using two bastion hosts

In this way the response time for internal (local) users is, to some extent, not affected (slowed) by the activity of external users. Several bastion hosts can also serve a single service to improve performance, although balancing the load between the servers is difficult unless the level of use can be predicted in advance. Redundancy ensures high availability of the system: when one bastion host fails, another takes its place. Only certain services support this, such as DNS and SMTP; several bastion hosts can act as DNS or SMTP servers, and when one fails or is overloaded, DNS and SNMP requests are directed to another bastion host as a fallback system. Several bastion hosts are also used when services must be provided to several different networks and the data provided to each network differs, and for different servers, so that if one server is broken into or fails the others keep working.

By now we have grasped the basic concepts, techniques and technologies for designing firewall systems. There are many firewall vendors on the market today, but in principle and mode of operation they all rest on the common principles above. The next chapter examines the firewall techniques and technologies of Cisco and considers the strengths and weaknesses of its products.


CHAPTER 2: CISCO FIREWALL TECHNIQUES AND TECHNOLOGY


Cisco is a leading supplier of network equipment such as routers and switches. The company also focuses on developing dedicated hardware for security and system safety. In this chapter we examine the technologies and the outstanding features of Cisco's firewall product line, the ASA (Adaptive Security Appliances).

2.1. History

Among the hardware devices that protect an internal network infrastructure, the PIX Firewall brand of Cisco Systems formerly held one of the leading positions in this field. However, following the development of technology and the current trend of integrating multiple functions on one hardware platform (called an appliance), Cisco Systems quickly released the multi-function security product line Cisco ASA (Adaptive Security Appliance). Besides inheriting the strengths of the technology used in the Cisco PIX Firewall, Cisco IPS 4200 and Cisco VPN 3000 Concentrator, this line integrates the three main functional groups of a protective infrastructure: Firewall, IPS and VPN. Through this integration, Cisco ASA delivers an effective solution for securing network connections, so that organizations and enterprises can proactively respond on a broad front to the forms of network attack and the threats they commonly face. The notable characteristics of the ASA are:

- Full Firewall, IPS, anti-X and IPSec/SSL VPN capabilities.
- An extensible Adaptive Identification and Mitigation Services architecture.
- Reduced operating and development costs.


2.2. Overview of Cisco firewalls

Cisco ASA firewalls have always played an important role in Cisco's security strategy. Cisco's various firewall models provide security solutions for small and medium-sized enterprises. Cisco's earlier firewall products include:

- Cisco PIX Firewalls
- Cisco FWSM (Firewall Services Module)
- Cisco IOS Firewall

The ASA/PIX firewall is a key element of Cisco's overall end-to-end security solution. The ASA/PIX Firewall is a dedicated hardware and software security solution that provides a higher level of security without affecting the performance of the network. It is a hybrid system, because it uses both packet-filtering and proxy-server techniques. The ASA/PIX Firewall provides the following features and functions:

- Adaptive Security Algorithm (ASA): performs stateful control of connections through the ASA/PIX Firewall.
- Cut-through proxy: the user must pass authentication for inbound and outbound connections; this gives improved performance compared with a proxy server.
- Stateful failover: the ASA/PIX Firewall lets you configure two ASA/PIX Firewall devices in one network topology to provide redundancy.
- Stateful packet filtering: a security method that analyses data packets and records their information in a table. For a session to be established, the connection information must match the information in the table.
- The ASA/PIX Firewall can operate and scale with IPsec. IPsec comprises a security core and authentication protocols such as Internet Key Exchange (IKE) and Public Key Infrastructure (PKI). Remote clients can securely access the company network through their ISPs.

2.3. Operating principles of the Cisco firewall

The general principle of a firewall (whether a software firewall such as a proxy or a hardware appliance such as the ASA/PIX) is to capture the data passing through it and compare it with the established rules. If no rule is violated, the data is allowed through; otherwise the packet is dropped. The ASA/PIX firewall operates on the Adaptive Security Algorithm (ASA), which uses security levels. Between any two interfaces, one has the higher security level and the other the lower. The core of the security appliance is the Adaptive Security Algorithm (ASA). The ASA algorithm maintains a secure perimeter between the networks controlled by the security appliance. ASA follows these rules:

- No packet passes through the ASA/PIX without a connection and state.
- Outbound connections are permitted, except those denied by access control lists (ACLs). An outbound connection is one whose source, or client, is on an interface with a higher security level than the destination, or server. The interface with the highest security level is inside, with the value 100; the interface with the lowest security level is outside, with the value 0. Any other interface may have a security level from 1 to 99.
- Inbound connections are denied, except those explicitly permitted. An inbound connection is one whose source, or client, is on an interface or network with a lower security level than the destination, or server.
- All ICMP packets are denied, except those explicitly permitted.
- Any attempt to violate the rules above is dropped.


Every ASA/PIX interface has a security level, which determines whether an interface is trusted (protected) or untrusted (less protected), and how it relates to the other interfaces. An interface is considered trusted relative to another interface if it has the higher security level. The basic rule of security levels is: data may enter the ASA/PIX through an interface with a higher security level, pass through the ASA/PIX and leave through an interface with a lower security level. Conversely, data entering through an interface with a lower security level cannot pass through the ASA/PIX and leave through an interface with a higher security level unless the ASA/PIX has a conduit or access-list configured that allows it. Security levels are numbered from 0 to 100.

- Level 0: the lowest level, the default for the outside interface of the ASA/PIX, usually the interface connected to the Internet. Because 0 is the least secure level, untrusted networks normally sit behind this interface. Outside devices may access the ASA/PIX only when it is configured to allow this.
- Level 100: the highest level for an interface. It is used for the inside interface of the ASA/PIX; this is the default configuration and cannot be changed. The organization's network therefore normally sits behind this interface, and no one can access this network unless permitted to do so. That permission must be configured on the ASA/PIX; devices in this network can access the outside network.
- Levels 1 to 99: for the surrounding networks connected to the ASA/PIX, assigned according to the type of access of each device, typically a connection to a network acting as a Demilitarized Zone (DMZ).

When there are several connections between the ASA/PIX and the surrounding devices:

- Data from an interface with a higher security level to one with a lower security level: a translation (static or dynamic) is required to allow traffic from the higher-level interface to the lower-level one. Once this translation exists, traffic initiated from the inside interface to the outside interface is permitted unless it is blocked by an access-list, authentication or authorization.
- Data from an interface with a lower security level to one with a higher security level: two things must be configured for this traffic, a static translation and a conduit or access-list.
- Data between two interfaces with the same security level: no traffic passes between two interfaces with equal security levels.

2.3.1. Routing traffic through the firewall

By default the ASA/PIX Firewall acts as a layer-3 device in the network, meaning it must route the traffic that passes through it. When a packet arrives at the ASA/PIX Firewall, it must determine which interface to forward the packet out of (if permitted). Like a router, the ASA/PIX Firewall routes traffic based on the destination IP address: it extracts the destination IP address from the packet's IP header and looks it up in its routing table to make the decision. If it knows which interface the destination corresponds to, it forwards the packet out of that interface; if no matching entry is found in the routing table, it drops the packet. Therefore, for the firewall to route traffic through it, the administrator must configure routes for the networks and zones the firewall needs to know about. Routing on the firewall can be configured with static routes or with dynamic routing (RIP, IGRP, EIGRP, OSPF, ...).

2.3.2. Access through the firewall

The ASA/PIX Firewall can be configured with many interfaces, each with its own security level. Whether an interface is considered inside (trusted) or outside (untrusted) depends on its relationship with another interface: relative to one interface it may be inside, while relative to another it is outside. An interface is considered inside with respect to another if it has the higher security level; conversely, if its security level is lower it is considered outside. The default security policy of the ASA/PIX Firewall allows traffic from an interface with a higher security level (inside) to an interface with a lower security level (outside). A connection from inside to outside is called an outbound connection. Such connections are always permitted by default unless the administrator defines a security policy that blocks them. A connection from an interface with a lower security level to one with a higher security level (from outside to inside) is called an inbound connection. It is not permitted by default unless the administrator sets up a pair consisting of a static translation and an access list.

2.3.3. Outbound access through the firewall

Outbound connections are always permitted by the default security policy. However, address translation must still be set up on the ASA/PIX Firewall for such connections. For safety, to prevent the outside network from learning the structure of the inside network, address translation is used with the ASA/PIX Firewall; it hides the internal network structure while keeping connections working properly. There are two kinds of address translation:

- Dynamic Address Translation: translates many local addresses to one or more global addresses. Dynamic translation is divided into two types:
  - Network Address Translation (NAT): translates many local addresses to a pool of global addresses.
  - Port Address Translation (PAT): translates many local addresses to one or a few global addresses. After translation the global addresses may be identical but differ in port number; in other words, this is not simply the translation of an address but of an IP address/port pair.
- Static Address Translation: a one-to-one mapping between a local address and a global address.

With NAT and PAT, each time a translation is made the ASA/PIX Firewall records it in the translation table (xlate table). When the translation timeout expires without any traffic for that translation, the ASA/PIX Firewall removes it from the table. Besides hiding the internal network structure, this mechanism prevents the outside network from probing and attacking back through the translated address, because translations are only temporary. To let inside hosts access the outside, dynamic address translation is set up with two commands: nat for the inside interface and global for the outside interface.

2.3.4. Inbound access through the firewall

The default security policy of the ASA/PIX Firewall does not allow access from the outside network to the inside. To permit such connections, two components must be set up:

- An Access Control List (ACL)
- A Static Address Translation

Note, however, that a static translation alone does not permit a connection initiated from the outside network; it must be combined with an access list. Access control lists are an important component used in Cisco devices. On the ASA/PIX Firewall, an ACL is used to restrict outbound traffic and to permit traffic in the opposite direction. An ACL is an ordered list of permit and deny statements that tell the firewall which traffic to accept (permit) or discard (deny). Access lists are checked sequentially from top to bottom, so the order of the statements in an access list matters. During the check, if a packet matches a statement it is processed (permitted or denied) immediately and the remaining statements are not checked. Note that every access list ends with an implicit deny (whether or not it is written) whose purpose is to deny all remaining packets. After an ACL permitting inbound access has been set up, a static translation is needed. The static translation lets an outside host reach an inside host through a global address. When a packet from outside arrives at the ASA/PIX Firewall and passes the security policy, the firewall checks whether a matching static translation exists. If so, it translates the global address to the local address and forwards the packet to its destination.
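The decision rules of sections 2.3 to 2.3.4 (security levels, sequential access-list matching with an implicit deny, and the translation requirements for outbound and inbound traffic) as a small executable model. This is an added example written for this page, not Cisco code; the interface names, addresses and policy in sample_firewall() are constructed values.

```python
"""Model of the ASA/PIX forwarding decision from sections 2.3 to 2.3.4:
security levels, first-match access lists with an implicit deny, and the
translation requirements for outbound and inbound traffic.
Added example for this page, not Cisco code; the interfaces, addresses and
policy in sample_firewall() are constructed values."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access control entry of an access-list."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                     # CIDR; "0.0.0.0/0" means any source
    dst: str                     # CIDR; matched against the global (untranslated) address
    dport: Optional[int] = None  # None matches any destination port


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto not in ("ip", proto):
        return False
    if ip_address(src) not in ip_network(ace.src):
        return False
    if ip_address(dst) not in ip_network(ace.dst):
        return False
    return ace.dport is None or ace.dport == dport


def acl_decision(acl: list, proto: str, src: str, dst: str, dport: Optional[int]) -> str:
    """Sequential top-to-bottom check: the first matching entry decides, and the
    implicit deny at the end catches everything else."""
    for ace in acl:
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"


@dataclass
class Firewall:
    levels: dict                                  # if_name -> security level 0..100
    acls: dict = field(default_factory=dict)      # ingress if_name -> [Ace, ...]
    nat_ifaces: set = field(default_factory=set)  # interfaces covered by a nat/global pair
    statics: dict = field(default_factory=dict)   # global address -> local address

    def decide(self, in_if: str, out_if: str, proto: str, src: str, dst: str,
               dport: Optional[int] = None) -> tuple:
        """Return ("permit", destination forwarded to) or ("deny", reason)."""
        lin, lout = self.levels[in_if], self.levels[out_if]
        acl = self.acls.get(in_if)
        permitted = acl is not None and acl_decision(acl, proto, src, dst, dport) == "permit"
        if lin == lout:
            return ("deny", "no traffic between interfaces of equal security level")
        if proto == "icmp" and not permitted:
            return ("deny", "ICMP is denied unless explicitly permitted")
        if lin > lout:                            # outbound: higher -> lower level
            if in_if not in self.nat_ifaces and src not in self.statics.values():
                return ("deny", "no translation for outbound source " + src)
            if acl is not None and not permitted:
                return ("deny", "blocked by access-list on " + in_if)
            return ("permit", dst)
        # inbound: lower -> higher level needs a static translation AND an ACL permit
        if dst not in self.statics:
            return ("deny", "no static translation for " + dst)
        if not permitted:
            return ("deny", "inbound connection not permitted by access-list")
        return ("permit", self.statics[dst])      # global address rewritten to local


def sample_firewall() -> Firewall:
    """Constructed policy: inside uses nat/global, one web server is published
    to the outside by a static translation plus an access-list."""
    return Firewall(
        levels={"inside": 100, "dmz": 50, "partner": 50, "outside": 0},
        nat_ifaces={"inside"},
        statics={"203.0.113.10": "192.168.10.10"},
        acls={"outside": [
            Ace("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 80),
            Ace("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),  # written copy of the implicit deny
        ]},
    )


if __name__ == "__main__":
    fw = sample_firewall()
    print(fw.decide("inside", "outside", "tcp", "192.168.10.25", "198.51.100.7", 443))
    print(fw.decide("outside", "inside", "tcp", "198.51.100.7", "203.0.113.10", 80))
    print(fw.decide("outside", "inside", "tcp", "198.51.100.7", "203.0.113.10", 22))
    print(fw.decide("dmz", "partner", "tcp", "172.16.1.5", "172.16.2.5", 25))
```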

2.4. Technologies integrated in Cisco firewalls

Cisco firewall technology is based on Stateful Inspection, which combines packet filtering, proxy server and stateful packet filtering technologies.

2.4.1. Stateful Inspection

Figure 2.1: Stateful Inspection technology

Stateful Inspection combines the features of the three technologies above. It is considered the standard technology for enterprise network security solutions. Stateful Inspection meets all security requirements, whereas traditional firewall technologies such as packet filtering or application-layer gateways often do not fully meet them. Many firewall vendors use Stateful Inspection, including CheckPoint, Cisco, Netscreen and 3COM Secure Gateway. With Stateful Inspection, packets are intercepted at the network layer (as in packet filtering), but data originating from all layers is examined and analysed for security purposes (application-layer gateways examine layers 4 to 7). Stateful Inspection offers a more secure solution by closely combining connection information, application-derived state and content information, which is stored and updated automatically. It relies on earlier information to evaluate subsequent connections. It can also create virtual session information for tracking connectionless protocols (for example applications based on RPC and UDP), something other firewall technologies cannot do. Unlike packet filtering, which inspects only the packet header, Stateful Inspection monitors and tracks connections across all interfaces of the firewall and ensures that the connections are legitimate. A Stateful Inspection firewall inspects not only the packet header but also the packet content up to the application layer. It can track connection state and record that state in a state table. Thus a Stateful Inspection firewall makes its decisions not only from the rule set (policy) but also from the context established by the earlier packets of the connection that passed through the firewall.


Moreover, the firewall's ports are always closed and are opened only when a connection is requested. This prevents port scanning against the firewall and helps keep the firewall and the system safe.

2.4.2. Cut-Through Proxy

Figure 2.2: Cut-Through Proxy technology

The Cut-Through Proxy feature makes the Cisco firewall more efficient than a proxy firewall: it authenticates the user at the application layer and checks authorization against the security policy, and only then opens the connection as authorized by the policy. Subsequent traffic of that connection is no longer handled at the application layer but is still subject to stateful inspection. This makes the PIX Firewall faster and less prone to overload than a proxy firewall. The Cut-Through Proxy process works as follows:

1. A user creates a request, which is sent toward the ISP.
2. The Cisco firewall temporarily intercepts the request.
3. At the application layer the user is required to enter a username and password. The password may be authenticated locally or at an authentication server such as RADIUS or TACACS+.
4. After successful authentication the request is forwarded to the ISP.
5. The ISP answers the user's request through the firewall.

2.4.3. Application-Aware Inspection

Figure 2.3: Application-Aware Inspection technology

With this feature, services such as FTP and HTTP are automatically assigned source and destination ports through the firewall. The firewall inspects packets from layer 3, the network layer, upwards, and is responsible for opening and closing ports for the applications that connect through it.

2.4.4. Virtual Private Network


Figure 2.3: Virtual Private Network (VPN) technology

The Cisco ASA 5500 Series supports VPN, allowing remote connections between branches or from remote users:

- Site to Site: provides remote connectivity between branches.
- IPsec VPN: based on IPsec; the remote user uses the Cisco VPN Client software to connect to the system.
- SSL VPN: allows a remote user to connect to the system through a web browser.

VPN user accounts are authenticated either on the firewall itself or at a dedicated server (RADIUS, AAA, TACACS+).


2.4.5. Security Context (Virtual Firewall)

Figure 2.4: Virtual firewall technology

The appearance of ever more technically knowledgeable hackers and ever more dangerous attacks makes it very hard for administrators to control and manage user activity on the network. Previously, when an organization required separate security policies for each department, this meant adding many separate firewalls, one device per department. This increased complexity, made the company network harder to manage and raised equipment costs. To solve this, Cisco introduced the Virtual Firewall solution in operating system version 7.0. With the Virtual Firewall feature, also called Security Contexts, the administrator can create many security contexts in one firewall device. Each context has its own configuration file for its security policy, its assigned interfaces and its management options. This feature reduces the number of devices, the investment cost and the administrator's workload. By default the ASA/PIX Firewall runs in single-context mode. To use Virtual Firewall it must be switched to multiple-context mode, in which each context is an independent firewall with its own security policy and interfaces. Although security contexts give the security appliance design flexibility, in multiple-context mode the firewall does not support the following features:

- Dynamic routing protocols such as RIP and OSPF (only static routing is supported)
- Virtual Private Network (VPN)
- Multicast

2.4.6. Failover Capabilities

Redundancy is an outstanding feature of Cisco devices in general and of the ASA in particular. It allows the system to keep operating even during serious incidents, without collapsing as a single device would. Many causes can bring down a running system: power loss, faulty or cut cables, hardware failures, network connectivity errors and so on. Any of these can cause an outage or even paralyse the system. A well-run system must be not only secure and convenient but also available. Redundancy and failover are therefore necessary for any system. A redundant deployment needs at least two ASA/PIX Firewall devices, one active device and one hot standby.


Figure 2.5: Failover technology

Normally network operations are handled by the primary device. The secondary device does not take part in controlling network operations; it only serves as standby. If an incident stops the primary device from working, the standby device changes from the Standby state to the Active state and network operations are handled by the standby device. With this design, network operation resumes quickly after a failure, but its drawback is that the connections existing just before the failure are dropped and user applications must start over. To solve this, Cisco introduced Stateful Failover. In a simple redundant design only a LAN-based failover link (over an Ethernet port) or a serial-based failover link (over a serial port) between the two devices is needed. For Stateful Failover, an additional stateful link between the two devices is required. This link forwards connection information and other activity of the primary device to the standby device, so that when the primary device fails the standby device can take over its work without dropping the connections that existed before the failure. Figure 2.1 shows a system designed with Stateful Failover.

Note: to deploy a redundant system the following requirements must be met:

- The devices must belong to the same series.
- The devices must both have the failover feature.
- The devices must run the same operating system version.
- The devices must have the same number and type of interfaces.
- The devices must have the same amount of flash memory and RAM.

2.4.7. Transparent Mode

Figure 2.6: Operation in transparent mode

By default the Cisco firewall operates as a layer-3 device: it routes and translates the traffic passing through it. However, this default configuration may require changes to network components when the firewall is deployed into an existing network (such as the IP addressing plan or the NAT configuration). This problem can be overcome by configuring the Cisco firewall to operate in transparent mode.

In transparent mode the Cisco firewall operates as a layer-2 device: it switches packets instead of routing them, forwarding packets from one interface to another. These interfaces normally belong to the same VLAN (Virtual Local Area Network) or subnet. In this mode the Cisco firewall manages the traffic passing through it by MAC address instead of IP address. By default the Cisco firewall learns MAC addresses automatically. However, an attacker could exploit this by spoofing a MAC address to connect to the network, or by using a random MAC address to gain access. To keep the network safe, the administrator can disable automatic MAC address learning and use only MAC addresses configured statically by the administrator. Note that switching to transparent mode removes or restricts the following Cisco firewall features:

- Interface limit: a transparent firewall can operate with only two interfaces per single context. In multiple-context mode each context may use two interfaces; these interfaces are used by one context only and cannot be shared between contexts.
- NAT: NAT configuration is not supported in this mode; NAT is supported only in layer-3 operation.
- Dynamic routing protocols: in this mode the ASA/PIX Firewall acts as a layer-2 device, switching packets rather than routing them, so transparent mode does not support dynamic routing protocols.
- DHCP: a transparent firewall cannot act as a DHCP relay, although it can be configured as a DHCP server.
- Multicast: by default this mode does not support multicast traffic. To allow multicast traffic through, an extended access list must be used.


2.4.8. Device management through a web interface

Figure 2.7: Web interface solution

Installing the Adaptive Security Device Manager (ASDM) software provides a graphical interface for the administrator, simplifying the configuration of some features compared with the rather complex command-line interface. Its limitation is that configuration, monitoring and management cover only one device at a time, which is somewhat unprofessional, and it is not flexible for configuration and error checking.


2.5. Cisco firewall product lines

2.5.1. The previous generation: Cisco PIX Firewall

Figure 2.8: PIX product lines

The PIX (Private Internet Exchange) firewall is the main component of Cisco's end-to-end security solution. The PIX firewall is a hardware and software security solution that provides a high level of network security without affecting network operation. PIX is a hybrid device, combining the characteristics of packet filtering and proxy server technology. However, with today's strong development of firew all design technology, the PIX product lines are obsolete: their performance and features are limited and no longer meet user needs. The drawbacks of the PIX product line:

- Very limited ability to block attacks and to monitor and handle application-layer weaknesses.
- Few integrated features; no support for SSL VPN, the solution for secure access from outside into the local network.
- No support for intrusion detection and prevention (IPS/IDS).
- Anti-virus, anti-spyware and anti-spam features are not integrated.
- Difficult to control Internet access and to set up URL filtering.
- Slow processing, unable to meet the demands of large systems.

The PIX product lines have now been discontinued and support for them is gradually diminishing. To address the weaknesses of the old PIX generation, Cisco released the new ASA (Adaptive Security Appliance) product line.


2.5.2. The new generation: Cisco ASA Firewall

Figure 2.9: ASA product lines

The Cisco ASA 5500 Series was introduced to overcome the limitations of the earlier PIX Firewall product line. The Cisco ASA 5500 Series integrates advanced features that meet the most demanding requirements of users and enterprises. This line has high performance and processing bandwidth, suited to enterprise networks and to the large systems of ISPs. The ASA 5500 Series comprises the ASA 5505, ASA 5510, ASA 5520 and ASA 5540, with high-speed Fast Ethernet (10/100 Mbps) and Gigabit Ethernet (1 Gbps) interfaces for faster processing and good bandwidth for the system.

The Cisco ASA 5500 Series integrates Secure Socket Layer (SSL) VPNs, allowing remote users secure access to the system. It also supports Site-to-Site VPN, creating virtual connections between distant branches. The WebVPN feature lets users easily establish a VPN connection to the system through a web browser, and AnyConnect VPN allows a VPN connection from any VPN client. Combined with the Advanced Inspection and Prevention Security Services Module (AIP-SSM) it provides intrusion detection and prevention (IPS/IDS). This chapter has shed some light on Cisco's firewall techniques and technology: how they work, the features they integrate, and their application in the Cisco ASA 5500 Series product line.


CHAPTER 3: WORKING WITH THE CISCO ASA 5520 FIREWALL


The knowledge gathered in the preceding sections is a good foundation for going deeper into understanding and working with a particular firewall product. In this chapter we focus on how to deploy a number of features of the Cisco ASA 5520 firewall.

3.1. Introduction to the Cisco ASA 5520 firewall

Figure 3.1: The Cisco ASA 5520 firewall

The Cisco ASA 5520 (Adaptive Security Appliance) provides system protection with Active/Active failover for high availability and high-speed Gigabit Ethernet connectivity for medium-sized enterprise networks, all in a single device. With four Gigabit Ethernet interfaces and support for up to 100 VLANs, enterprises can easily deploy the Cisco ASA 5520 across multiple zones of their network. The Cisco ASA 5520 suits small and medium-sized enterprises with medium-level network security needs that require stable protection at a moderate cost. Enterprises can use its SSL and IPsec VPN features to support a large number of mobile remote users and business partners. VPN capacity can be increased by using the Cisco ASA 5520's integrated VPN clustering and load balancing. The Cisco ASA 5520 supports up to 10 devices in a cluster, providing a maximum of 7,500 AnyConnect or clientless VPN sessions, or 7,500 IPsec sessions. Using the optional security context capability, the Cisco ASA 5520 can be deployed as up to 20 virtual firewalls in one device, giving control over the whole system. This virtualization strengthens network security and reduces overall management and support costs.

Firewall throughput                    Up to 450 Mbps
Maximum firewall and IPS throughput    Up to 225 Mbps with AIP SSM-10
                                       Up to 375 Mbps with AIP SSM-20
                                       Up to 450 Mbps with AIP SSM-40
VPN throughput                         Up to 225 Mbps
Concurrent sessions                    280,000
IPsec VPN peers                        750
Premium AnyConnect VPN peers*          2, 10, 25, 50, 100, 250, 500 or 750
Security contexts*                     Up to 20
Interface ports                        4 Gigabit Ethernet and 1 Fast Ethernet
Virtual interfaces (VLANs)             150
Scalability                            VPN clustering and load balancing
High availability                      Active/Active**, Active/Standby

Table 1: Technical specifications of the Cisco ASA 5520 firewall

The design characteristics of the Cisco ASA 5520, 5510 and 5540 firewalls are the same; they differ only in the parameters of each feature and in the capacities they support.


Figure 3.2: Front panel of the Cisco ASA 5510, 5520 and 5540 firewalls


+ Power LED: shows the power status
+ Status LED: shows the operating status of the device
+ Active LED: shows the status of the configured operations
+ Flash LED: shows the activity of the flash memory
+ VPN LED: shows the VPN connection status

Figure 3.3: Rear panel of the Cisco ASA 5510, 5520 and 5540 firewalls

+ Security services module: expansion slot

Figure 3.4: Ports on the Cisco ASA 5520 firewall

+ Power supply: power connector
+ Console port: connector for the console cable
+ AUX port: access port using an AUX cable
+ Compact Flash: slot for the flash memory card
+ 10/100 out-of-band management port: port for device management connections
+ 4 x 10/100/1000 Gigabit ports: connections to the system at speeds up to 1 Gbps
+ USB 2.0 port: USB interface

3.2. Basic configuration commands

There are six basic configuration commands for the ASA/PIX Firewall:

- nameif: assigns a name to each perimeter network interface and specifies its security level
- interface: configures the type and capability of each perimeter interface
- ip address: assigns an IP address to each interface
- nat: hides the addresses of the inside network from the outside network
- global: hides the IP addresses of the inside network from the outside network using a pool (a range of public addresses) of IP addresses
- route: defines a static route or a default route for an interface

3.2.1. The nameif command

The nameif command assigns a name to each perimeter interface on the ASA/PIX Firewall and specifies its security level (except for the inside and outside interfaces, which have defaults). The syntax of the nameif command is:

nameif hardware_id if_name security_level

hardware_id: specifies a perimeter interface and its slot position on the PIX Firewall. Three interface types can be entered here: Ethernet, FDDI or Token Ring. Each interface is described by an identifier made of letters and a number, based on the interface type and the number you choose for it. For example, an Ethernet interface is described as e1, e2, e3, ...; an FDDI interface as fddi1, fddi2, fddi3, ...; a Token Ring interface as token-ring1, token-ring2, token-ring3, ...
if_name: describes the perimeter interface. You assign this name, and you use it in all future configuration to refer to the perimeter interface.
security_level: indicates the security level of the perimeter interface; enter a security level from 1 to 99.

3.2.2. The interface command

The interface command identifies the hardware, sets the hardware speed and enables the interface. When an Ethernet card is added and installed in the ASA/PIX Firewall, the ASA/PIX Firewall automatically recognizes and adds the card. The syntax of the interface command is:

interface hardware_id hardware_speed [shutdown]

hardware_id: specifies an interface and its slot position on the PIX Firewall; this is the same variable used in the nameif command.
hardware_speed: determines the connection speed. The Ethernet values can be:
  10baset: 10 Mbps half-duplex Ethernet
  10full: 10 Mbps full-duplex Ethernet
  100basetx: 100 Mbps half-duplex Ethernet
  100full: 100 Mbps full-duplex Ethernet
  1000sxfull: 1000 Mbps full-duplex Gigabit Ethernet
  1000basesx: 1000 Mbps half-duplex Gigabit Ethernet
  1000auto: Gigabit Ethernet at 100 Mbps, automatically negotiating half or full duplex. This option is not recommended, to preserve compatibility with the switches and other devices in the network.
  aui: 10 Mbps half-duplex Ethernet with an AUI cable interface
  auto: sets the Ethernet speed automatically. The auto keyword can only be used with Intel 10/100 network cards.
  bnc: 10 Mbps half-duplex Ethernet with a BNC cable interface
  4mbps: sets the data rate to 4 Mbps
  16mbps (default): sets the data rate to 16 Mbps
shutdown: disables the interface.

3.2.3. Lnh ip address Mi mt giao din trn PIX Firewall cn c cu hnh vi mt a ch IP, c php cho lnh ip address nh di y: ip address if_name ip_address [netmask] Ip_name Ip_address Netmask M t giao din. Tn ny do bn gn v bn cn s dng trong tt c cc cu hnh trong tng lai a ch Ip ca giao din Nu khng a ra mt mt n mng, s s dng mt n mng mc nh

Sau khi cu hnh a ch IP v mt n mng, s dng lnh show ip hin th a ch c gn cho giao din mng. 3.2.4. Lnh nat Dch a ch mng (NAT) cho php bn gi a ch IP bn trong nhng a ch pha sau ca ASA/PIX Firewall khng c bit i vi nhng mng pha ngoi. NAT thc hin iu ny bng cch dch a ch IP bn trong, a ch m khng phi l duy nht sang a ch IP duy nht trc khia gi tin c y ra mng bn ngoi inh Hong Thi AT3C - 56 Lp

n tt nghip

Tm hiu Firewall Cisco ASA5520

nat [(if_name)] nat_id local_ip [netmask] If_name Nat_id Local_ip Netmask M t tn giao din mng bn trong, ni m bn s s dng a ch public nh danh global pool v kt hp n vi lnh nat tng ng a ch IP c gn cho giao din trn mng inside Mt n mng cho a ch IP cc b. Bn c th s dng 0.0.0.0 cho php tt c cc kt ni ra bn ngoi dch vi a ch IP t global pool

Khi chng ta khi to cu hnh ASA/PIX Firewall, ta c th cho php tt c host inside truy cp ra kt ni bn ngoi vi lnh nat 1.0.0.0 0.0.0.0. Lnh nat 1.0.0.0 0.0.0.0 kch hot NAT v cho php tt c cc host inside truy cp ra kt ni bn ngoi. Lnh nat c th ch nh mt host n hoc mt di cc host to nhiu hn s la chn truy cp. Khi mt gi tin IP truyn ra m c gi t mt thit b trn mng inside n ASA/PIX Firewall, a ch ngun c trch ra so snh vi bng dch ang tn ti. Nu a ch ca thit b khng tn ti trong bng th sau n s c dch v mc mi c to cho thit b , n c gn a ch IP public t di a ch IP public. Sau khi vic dch ny xy ra th bng c cp nht v dch IP ca gi tin y ra ngoi.. Sau khi ngi s dng cu hnh timeout period (hoc gi tr mc nh l 2 pht), sau khong thi gian m khng c vic dch gi tin cho a ch IP c th th a ch public s c gii phng s dng cho mt thit b inside khc 3.2.5. Lnh global C php ca lnh global nh di y: global [(if_name)] nat_id global_ip [-global_ip] [netmask global_mask] a| interface If_name Nat_id Global_ip inh Hong Thi AT3C M t tn giao din mng bn ngoi m bn s s dng a ch global nh danh global pool v kt hp n vi lnh nat tng ng vi n Mt a ch IP n hoc mt dy cc a ch IP public - 57 Lp

-global_ip           Defines a range of public IP addresses (global_ip-global_ip).
netmask global_mask  Network mask for global_ip. If subnetting is used, give the subnet mask (for example 255.255.255.128). If you specify an address range that spans subnets together with the netmask option, the command will not use the network or broadcast address of those subnets within the public address range. For example, with the range 192.150.50.20-192.150.50.140, the network address 192.150.50.128 and the broadcast address 192.150.50.127 are excluded from the public address range.
interface            Specifies PAT using the IP address of the interface.

If the nat command is used, its companion global command must be configured to define the range of IP addresses to translate to. The ASA/PIX Firewall assigns addresses from the range starting at the lowest address and moving to the highest address in the range specified by the global command. The ASA/PIX Firewall uses the public addresses to map a virtual address to each inside NAT address. After adding, changing or removing a global statement, use the clear xlate command so that the IP addresses become available in the translation table.

3.2.6. The route command

The route command defines a static route or a default route for an interface. Its syntax is:

route if_name ip_address netmask gateway_ip [metric]

if_name     Name of the internal or external network interface (zone).
ip_address  The internal or external network IP address. Use 0.0.0.0 to specify the default route; 0.0.0.0 can be abbreviated to 0.
netmask     Network mask applied to ip_address. Use 0.0.0.0 to specify the default route; the mask 0.0.0.0 can be abbreviated to 0.
gateway_ip  IP address of the gateway router (the next hop for this route).
metric      Number of hops to gateway_ip. If you are not sure, enter 1. Your WAN administrator can provide this information, or you can use the traceroute command to obtain the hop count. Defaults to 1 if no metric is given.
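The translation-table behaviour described in 3.2.4 and 3.2.5 (look up the source address, allocate the lowest free global address, release an entry after the idle timeout, and skip network and broadcast addresses when a netmask is given) can be modelled in a few lines. The Python below is an added example written for this page, not Cisco code or output from the appliance. The pool range, the inside hosts, the use of the interface address as a PAT fallback and the 120-second timeout (the 2 minutes cited above) are constructed for the demonstration.

```python
"""Model of the ASA/PIX dynamic NAT behaviour described for the nat/global pair.

Added example, not Cisco code. Pool sizes, addresses and the 120 s idle
timeout are constructed to mirror the text (the thesis cites a default of
2 minutes); a real ASA has its own xlate timeout settings.
"""
import bisect
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Xlate:
    """One translation-table entry (what `show xlate` would list)."""
    local_ip: str
    global_ip: str
    global_port: Optional[int]   # None for one-to-one NAT, a port for PAT
    last_used: float


def build_global_pool(ip_range: str, netmask: Optional[str]) -> List[ipaddress.IPv4Address]:
    """Expand `global_ip-global_ip` into usable addresses. With a netmask, the
    network and broadcast addresses of any subnet the range overlaps are
    skipped, as the text describes for 192.150.50.20-192.150.50.140/25."""
    lo, hi = (ipaddress.IPv4Address(a) for a in ip_range.split("-"))
    addrs = [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]
    if netmask is None:
        return addrs
    reserved = set()
    for a in addrs:
        subnet = ipaddress.ip_network(f"{a}/{netmask}", strict=False)
        reserved.add(subnet.network_address)
        reserved.add(subnet.broadcast_address)
    return [a for a in addrs if a not in reserved]


class DynamicNat:
    """A `nat (inside) nat_id local_net mask` rule with its `global (outside)`
    pool and, optionally, a PAT address (`global (outside) nat_id interface`)
    that is used once the pool is exhausted."""

    def __init__(self, local_net: str, pool_range: Optional[str] = None,
                 pool_mask: Optional[str] = None, pat_ip: Optional[str] = None,
                 timeout: float = 120.0):
        self.local_net = ipaddress.ip_network(local_net, strict=False)
        self.free = build_global_pool(pool_range, pool_mask) if pool_range else []
        self.pat_ip = pat_ip
        self.timeout = timeout
        self.nat_table: Dict[str, Xlate] = {}               # local ip -> entry
        self.pat_table: Dict[Tuple[str, int], Xlate] = {}   # (local ip, port) -> entry
        self.next_pat_port = 1024

    def _expire(self, now: float) -> None:
        """Release entries idle longer than the timeout; a freed pool address
        goes back in address order so the lowest one is handed out first."""
        for key, x in list(self.nat_table.items()):
            if now - x.last_used > self.timeout:
                del self.nat_table[key]
                bisect.insort(self.free, ipaddress.IPv4Address(x.global_ip))
        for key, x in list(self.pat_table.items()):
            if now - x.last_used > self.timeout:
                del self.pat_table[key]

    def clear_xlate(self) -> None:
        """Equivalent of `clear xlate`: drop every entry and return the pool."""
        for x in self.nat_table.values():
            bisect.insort(self.free, ipaddress.IPv4Address(x.global_ip))
        self.nat_table.clear()
        self.pat_table.clear()

    def translate(self, local_ip: str, src_port: int, now: float) -> Optional[Tuple[str, int]]:
        """Outbound packet: return (global ip, global port), or None when the
        source matches no nat rule or no global address is available."""
        self._expire(now)
        if ipaddress.IPv4Address(local_ip) not in self.local_net:
            return None
        entry = self.nat_table.get(local_ip)
        if entry is None and self.free:
            entry = Xlate(local_ip, str(self.free.pop(0)), None, now)
            self.nat_table[local_ip] = entry
        if entry is not None:
            entry.last_used = now
            return entry.global_ip, src_port        # one-to-one NAT keeps the source port
        if self.pat_ip is None:
            return None                             # pool exhausted and no PAT fallback
        key = (local_ip, src_port)
        entry = self.pat_table.get(key)
        if entry is None:
            entry = Xlate(local_ip, self.pat_ip, self.next_pat_port, now)
            self.pat_table[key] = entry
            self.next_pat_port += 1
        entry.last_used = now
        return entry.global_ip, entry.global_port


if __name__ == "__main__":
    # Constructed scenario: a /24 inside network, a three-address pool, PAT fallback.
    nat = DynamicNat("10.10.10.0/24", "203.200.2.20-203.200.2.22", "255.255.255.0", "203.200.2.1")
    for t, host in enumerate(["10.10.10.2", "10.10.10.3", "10.10.10.4", "10.10.10.5"]):
        print(host, "->", nat.translate(host, 40000 + t, float(t)))
```

With a three-address pool the first three inside hosts receive 203.200.2.20 to 203.200.2.22 in order, the fourth falls back to the interface address with a unique port, and an address released by an expired entry is handed to the next new host before any higher address. A real ASA keeps separate timeout settings (xlate, conn, udp, icmp); the model keeps a single idle timer per entry to stay short.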

3.3. Configuring some services on the Cisco ASA 5520 Firewall

3.3.1. Publishing a website through the Cisco firewall

Figure 3.5: NAT and PAT demo topology

Description:
- Allow users on the Internet to reach the company website, and allow the administrator to use Remote Desktop to the web server for management.
- Allow users in the INSIDE zone to reach the web server and use the services on it.

Preparation:


A server running Windows Server 2003 hosting a website. The devices are addressed as shown in the figure.

Configuration on the ASA:

Define the outside interface
ASA(config)# interface e0/0
ASA(config-if)# ip address 203.200.2.1 255.255.255.0
ASA(config-if)# nameif outside
ASA(config-if)# no shut

Define the inside interface
ASA(config)# interface e0/1
ASA(config-if)# ip address 10.10.10.1 255.255.255.0
ASA(config-if)# nameif inside
ASA(config-if)# no shut

Define the dmz interface
ASA(config)# interface e0/2
ASA(config-if)# ip address 172.16.1.2 255.255.255.0
ASA(config-if)# nameif dmz
ASA(config-if)# no shut

Configure static NAT
ASA(config)# static (dmz,outside) tcp 203.200.2.10 80 172.16.1.1 80
ASA(config)# static (dmz,outside) tcp 203.200.2.10 3389 172.16.1.1 3389

Create an ACL permitting access to the services in the DMZ
ASA(config)# access-list AL_WEB permit tcp any host 203.200.2.10 eq 80
ASA(config)# access-list AL_WEB permit tcp any host 203.200.2.10 eq 3389
ASA(config)# access-group AL_WEB in interface outside

Allow the INSIDE zone to reach the web server without NAT


ASA(config)# access-list IN_DMZ permit ip 10.10.10.0 255.255.255.0 host 172.16.1.1
ASA(config)# nat (inside) 0 access-list IN_DMZ


Testing from a machine in the INSIDE zone:


Figure 3.6: Web access from a computer in the INSIDE zone

Figure 3.7: Remote Desktop from the INSIDE zone


Testing from a machine on the INTERNET:

Figure 3.8: Web access from a computer on the Internet

Figure 3.9: Remote Desktop from a computer on the Internet


3.3.2. Configuring PAT to let the INSIDE zone reach the INTERNET

Description: allow users in the INSIDE zone to use services on the INTERNET, with their addresses mapped to the address of the ASA's outside interface.

Configuration on the ASA:

Define the default route
ASA(config)# route outside 0 0 203.200.2.2

Identify the network to be NATed or PATed
ASA(config)# nat (inside) 1 10.10.10.0 255.255.255.0

Apply NAT or PAT on the outside interface
ASA(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool

Although most of the needed Internet services such as http, pop3, smtp and ftp are now reachable, for icmp the ASA does not let the echo-reply packet return. To handle this, create a policy that permits the returning echo-reply:
ASA(config)# access-list PING permit icmp any any echo-reply
ASA(config)# access-group PING in interface outside

Testing from a machine in the INSIDE zone:


Figure 3.10: Successful ping

The result: from the computer in the INSIDE zone, the ping to the OUTSIDE zone succeeds.

Checking the PAT table:

Figure 3.11: PAT address mapping table

After the successful ping, the INSIDE host 10.10.10.2 is mapped to an address in the OUTSIDE zone.
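Both scenarios above bind an ACL inbound on the outside interface: AL_WEB in 3.3.1 and PING in 3.3.2. An ASA accepts only one ACL per interface and direction, so issuing `access-group PING in interface outside` on a unit that already carries AL_WEB replaces the web policy instead of adding to it; the safe form is to add the echo-reply line to AL_WEB. The Python below is an added example, not Cisco code: it parses the exact access-list and access-group lines from the two sections, evaluates constructed packets with first-match-wins and the implicit deny, and shows the replacement effect. The outside source addresses (198.51.100.x) are constructed test values.

```python
"""Evaluate an ASA interface ACL the way the appliance does: first matching
ACE wins, implicit deny at the end, one ACL bound per interface and direction.

Added example, not Cisco code. Only the address/port forms used in the thesis
(any, host A, A MASK, eq PORT, an ICMP type keyword) are parsed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                       # permit / deny
    proto: str                        # ip / tcp / udp / icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]              # from "eq PORT", else None
    icmp_type: Optional[str]          # e.g. "echo-reply", else None


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse `any` | `host A` | `A MASK` at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Tuple[str, Ace]:
    """access-list NAME permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]"""
    t = line.split()
    name, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = icmp_type = None
    if i < len(t):
        if t[i] == "eq":
            dport = int(t[i + 1])
        elif proto == "icmp":
            icmp_type = t[i]
    return name, Ace(action, proto, src, dst, dport, icmp_type)


class AsaAclPolicy:
    def __init__(self) -> None:
        self.acls: Dict[str, List[Ace]] = {}
        self.bindings: Dict[Tuple[str, str], str] = {}   # (interface, direction) -> ACL name

    def load(self, config: str) -> None:
        """Accept pasted CLI lines, with or without the `ASA(config)# ` prompt."""
        for raw in config.splitlines():
            line = raw.split("# ", 1)[1] if "# " in raw else raw
            t = line.strip().split()
            if not t:
                continue
            if t[0] == "access-list":
                name, ace = parse_ace(line.strip())
                self.acls.setdefault(name, []).append(ace)
            elif t[0] == "access-group":            # access-group NAME in|out interface IF
                self.bindings[(t[4], t[2])] = t[1]   # a later binding replaces the earlier one

    def evaluate(self, interface: str, proto: str, src: str, dst: str,
                 dport: Optional[int] = None, icmp_type: Optional[str] = None,
                 direction: str = "in") -> str:
        """Return "permit" or "deny" for a packet arriving on `interface`. With no
        ACL bound, traffic entering from the lower-security outside interface is
        denied (assumption: the packet heads to a higher-security interface)."""
        name = self.bindings.get((interface, direction))
        if name is None:
            return "deny"
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for ace in self.acls.get(name, []):
            if ace.proto not in ("ip", proto):
                continue
            if s not in ace.src or d not in ace.dst:
                continue
            if ace.dport is not None and ace.dport != dport:
                continue
            if ace.icmp_type is not None and ace.icmp_type != icmp_type:
                continue
            return ace.action
        return "deny"    # implicit deny at the end of every ACL


# Lines copied from the two scenarios in the thesis.
WEB_CONFIG = """
ASA(config)# access-list AL_WEB permit tcp any host 203.200.2.10 eq 80
ASA(config)# access-list AL_WEB permit tcp any host 203.200.2.10 eq 3389
ASA(config)# access-group AL_WEB in interface outside
"""
PING_CONFIG = """
ASA(config)# access-list PING permit icmp any any echo-reply
ASA(config)# access-group PING in interface outside
"""


def web_policy_results(extra_config: str = "") -> Dict[str, str]:
    """Evaluate constructed inbound packets against AL_WEB plus any extra lines."""
    p = AsaAclPolicy()
    p.load(WEB_CONFIG + extra_config)
    return {
        "http": p.evaluate("outside", "tcp", "198.51.100.7", "203.200.2.10", dport=80),
        "rdp": p.evaluate("outside", "tcp", "198.51.100.7", "203.200.2.10", dport=3389),
        "ssh": p.evaluate("outside", "tcp", "198.51.100.7", "203.200.2.10", dport=22),
        "other_host": p.evaluate("outside", "tcp", "198.51.100.7", "203.200.2.11", dport=80),
        "echo_reply": p.evaluate("outside", "icmp", "198.51.100.9", "203.200.2.1", icmp_type="echo-reply"),
    }
```

For AL_WEB alone, web_policy_results() returns permit for http and rdp and deny for ssh, the other host and echo_reply; loading PING_CONFIG afterwards flips echo_reply to permit and http to deny, which is the replacement effect to watch for. Two further points: the ACL matches the mapped address 203.200.2.10 as written because the thesis runs software 8.0(2), whereas from ASA 8.3 onward interface ACLs match the real (DMZ) address; and permitting 3389 from `any` opens Remote Desktop to the whole Internet, which a production policy would normally restrict to the administrator's source addresses.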


3.3.3. Configuring Active/Standby failover

Figure 3.12: Active/Standby failover topology

Description: the Failover feature gives the system redundancy. When the primary device (Primary) has a problem, the secondary device (Secondary) switches from Standby mode to Active mode and takes over the Primary's role. When the Primary is operating again, it returns to its original role.

Configuration:

On the ASA acting as PRIMARY

Define the OUTSIDE interface and its standby address
ASA(config)# int Ethernet 0/0
ASA(config-if)# no shutdown
ASA(config-if)# ip add 203.200.2.1 255.255.255.0 standby 203.200.2.2
ASA(config-if)# nameif outside

Define the INSIDE interface and its standby address
ASA(config)# int Ethernet 0/1
ASA(config-if)# no shutdown


ASA(config-if)# ip add 10.10.10.1 255.255.255.0 standby 10.10.10.2
ASA(config-if)# nameif inside

Enable the interface that acts as the failover link
ASA(config)# int Ethernet 0/3
ASA(config-if)# no shutdown

Enable failover on the Primary
ASA(config)# failover
ASA(config)# failover lan unit primary
ASA(config)# failover lan interface lolink Ethernet0/3
ASA(config)# failover polltime unit msec 500
ASA(config)# failover link lolink Ethernet0/3
ASA(config)# failover interface ip lolink 192.168.0.1 255.255.255.252 standby 192.168.0.2
ASA(config)# failover

On the ASA acting as SECONDARY

Enable the interface that acts as the failover link
ASA(config)# int Ethernet 0/3
ASA(config-if)# no shutdown

Enable failover on the Secondary
ASA(config)# failover
ASA(config)# failover lan unit secondary
ASA(config)# failover lan interface lolink Ethernet0/3
ASA(config)# failover link lolink Ethernet0/3
ASA(config)# failover interface ip lolink 192.168.0.1 255.255.255.252 standby 192.168.0.2
ASA(config)# failover

Checking failover on the Primary
PRIMARY# show failover


Failover On
Failover unit Primary
Failover LAN Interface: lolink Ethernet0/3 (up)
Unit Poll frequency 500 milliseconds, holdtime 2 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
This host: Primary - Active
        Active time: 690 (sec)
        slot 0: empty
          Interface outside (203.200.2.1): Normal
          Interface inside (10.10.10.1): Normal
        slot 1: empty
Other host: Secondary - Standby Ready
        Active time: 0 (sec)
        slot 0: empty
          Interface outside (203.200.2.2): Normal
          Interface inside (10.10.10.2): Normal
        slot 1: empty

Stateful Failover Logical Update Statistics
        Link : lolink Ethernet0/3 (up)
PRIMARY#

Checking failover on the Secondary
SECONDARY# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: lolink Ethernet0/3 (up)
Unit Poll frequency 500 milliseconds, holdtime 2 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum


Version: Ours 8.0(2), Mate 8.0(2)
This host: Secondary - Standby Ready
        Active time: 0 (sec)
        slot 0: empty
          Interface outside (203.200.2.2): Normal
          Interface inside (10.10.10.2): Normal
        slot 1: empty
Other host: Primary - Active
        Active time: 768 (sec)
        slot 0: empty
          Interface outside (203.200.2.1): Normal
          Interface inside (10.10.10.1): Normal
        slot 1: empty

Stateful Failover Logical Update Statistics
        Link : lolink Ethernet0/3 (up)
SECONDARY#

3.4. Product assessment and evaluation

Cisco's products have always been highly rated for performance and stability. Cisco is known for routing and switching technology that is close to the best in the world today, and Cisco holds most of the network market in Vietnam. With the Cisco ASA 5500 Series, Cisco also asserts itself in the security field. The product line is diverse and suits every user need from medium to large. The Cisco ASA 5520 Firewall meets these requirements well, providing advanced features for small and medium-sized enterprises. The Cisco ASA 5500 Series, and the Cisco ASA 5520 Firewall in particular, demonstrate the technological optimization of Cisco's products:

- Customizable: many options to match the needs and purpose of the system.


- Flexibility: high customizability and many options, with integrated solutions as well as expansion components, make the product easy to use and easy to fit to requirements.
- Advanced technology: advanced technologies are all integrated and fully supported by Cisco, giving the system high stability and security and high processing performance that keeps pace with development trends.
- Simplicity: management through a web interface simplifies things somewhat for administrators who are not yet fluent with the command line. With a synchronized system, Cisco also offers unified monitoring of the whole network.
- Advanced connectivity: supports advanced VPN technologies such as SSL VPN and WebVPN while keeping information secure through authentication servers: RADIUS, TACACS+.

In short, the product line gives the system optimal and secure protection. However, it also has some limitations:

- Deploying the system relies on the command-line interface, which is somewhat complex, while the graphical interface does not cover everything.
- Expanding, changing or upgrading the system is costly.

There are now many firewall products that integrate advanced technologies with stability and security for the system. Vendors such as Check Point and Juniper can be mentioned, with lower build and operating costs.

3.4.1. The Check Point firewall

Check Point pioneered Stateful Inspection firewall technology. The company has many firewall products using this technology, such as Firewall-1 and VPN-1, which are highly applicable in practice. Notable features include NAT, access control, logging,


user authentication, session authentication and connection services. Stateful Inspection technology records two kinds of state information: communication-derived and application-derived. Collecting state and context information lets VPN-1 control connectionless protocols such as UDP or RPC.

Figure 3.13: The Check Point VPN-1 firewall in a network

Besides performing the security functions of a Stateful Inspection firewall well, VPN-1 processes traffic at high speed thanks to its Inspection Engine architecture, which is installed in the operating system kernel. VPN-1 is flexible when deciding on a packet: the decision can be based on information from the top 5 layers of the OSI model.

3.4.2. The NetScreen firewall

Every NetScreen device has an Application Specific Integrated Circuit (ASIC) board. These ASICs are chips specially designed to accelerate firewalling, encryption, authentication and PKI processing. By performing the computationally intensive work in silicon, NetScreen far outperforms software


firewalls. In practice, NetScreen devices are all designed with ASIC chips for higher efficiency. In integrating hardware and software, NetScreen provides a high-speed multibus architecture that pairs each ASIC with a RISC microprocessor, SDRAM and the Ethernet interfaces. Unlike firewalls deployed on PC hardware, NetScreen platforms are integrated systems designed for high performance in high-availability environments. From the dual 10BaseT NetScreen-5 to the Gigabit NetScreen-1000, NetScreen devices scale greatly in performance at the best cost.

Figure 3.14: The NetScreen firewall in a network

NetScreen firewalls are deep-inspection firewalls that protect the application layer, whereas the Cisco firewall can only be configured as a stateless or stateful firewall supporting network-layer and transport-layer security. A NetScreen firewall is a stateful, deep packet inspection device: it bases all of its checks and decisions on parallel paths covering source address, destination address, source port, destination port, and inspection of the data for protocol conformance.


The NetScreen device maintains a session table keyed by source address, destination address, source port, destination port and the session actions.

3.5. Proposed design for a network with redundancy and high availability using the Cisco ASA 5520 Firewall

Overall system topology:


Figure 3.15: Network with ASA 5520

System overview: the system consists of the following components:
- The Internet zone uses two uplinks to ensure high availability, able to serve around the clock (24/24) the requests of inside users as well as remote users accessing the academy's system. In the proposed topology I mainly design around Cisco's superior technologies. Two Internet links, together with the Failover feature deployed on two ASA 5520 devices, give the system high security and flexible redundancy. The firewall system supports security, encryption, antivirus, web filtering and IPS/IDS.


- The DMZ zone holds the servers providing mail, web, ftp and similar services that can be published to outside users as well as inside users.
- The Internal zone, with two layer 3 switches acting as both the Core layer and the Distribution layer to save cost as well as configuration and operation effort. The Core layer is responsible for carrying large volumes of data while ensuring reliability and high availability. On these two Core switches we can configure switch clustering or High Availability.

Solutions applied in building the system:

Failover: here we use Failover in the Active/Active model to increase processing performance and make maximum use of the devices. In Active/Active mode both ASA/PIX devices operate at the same time, following a scenario defined in advance by the administrator.

EtherChannel is a Cisco technology that bundles Ethernet links to increase bandwidth. Each bundle can contain two to eight FastEthernet or Gigabit Ethernet links forming one logical link called a FastEtherChannel or Gigabit EtherChannel. This link provides bandwidth of up to 1600Mbps (16Gbps). EtherChannel is applied on the links between the servers and the switches to increase bandwidth. The servers use network cards that support EtherChannel together with the software supplied with the server, such as HP Auto Port Aggregation.

inh Hong Thi AT3C

- 76 -

Lp

Deployment:

Configuring Active/Active failover on the system

Figure 3.16: Active/Active failover deployment topology


No.  Device     Port   Function         IP Address     Subnet mask
1    PRIMARY    E0     Outside(admin)   192.168.0.1    /29
                E1     Outside(ctx1)    192.168.0.10   /29
                E2     Folink           172.16.1.1     /30
                E3     Inside(ctx1)     10.10.20.2     /24
                E4     Inside(admin)    10.10.10.1     /24
2    SECONDARY  E0     Outside(ctx1)    192.168.0.9    /29
                E1     Outside(admin)   192.168.0.2    /29
                E2     Folink           172.16.1.2     /30
                E3     Inside(admin)    10.10.10.2     /24
                E4     Inside(ctx1)     10.10.20.1     /24
3    R1         Fa0/0                   192.168.0.3    /29
4    R2         Fa0/0                   192.168.0.11   /29

Table 1: Address allocation

Configuration:

On the ASA acting as Primary, in the system context:

Enable the interface that acts as the failover link
PRIMARY(config)# int Ethernet 0/2
PRIMARY(config-if)# no shutdown

Enable failover on the Primary
PRIMARY(config)# failover
PRIMARY(config)# failover lan unit primary
PRIMARY(config)# failover lan interface folink Ethernet0/2
PRIMARY(config)# failover polltime unit msec 500
PRIMARY(config)# failover link folink Ethernet0/2
PRIMARY(config)# failover interface ip folink 172.16.1.1 255.255.255.252 standby 172.16.1.2
PRIMARY(config)# failover

Create the failover groups and set up the contexts
PRIMARY(config)# failover group 1
PRIMARY(config-fover-group)# primary
PRIMARY(config-fover-group)# preempt 60
PRIMARY(config)# failover group 2
PRIMARY(config-fover-group)# secondary
PRIMARY(config-fover-group)# preempt 60
PRIMARY(config)# admin-context admin
PRIMARY(config)# context admin


PRIMARY(config-ctx)# description admin
PRIMARY(config-ctx)# allocate-interface ethernet0/0
PRIMARY(config-ctx)# allocate-interface ethernet0/4
PRIMARY(config-ctx)# config-url flash:/admin.cfg
PRIMARY(config-ctx)# join-failover-group 1
PRIMARY(config)# context ctx1
PRIMARY(config-ctx)# description context 1
PRIMARY(config-ctx)# allocate-interface ethernet0/1
PRIMARY(config-ctx)# allocate-interface ethernet0/3
PRIMARY(config-ctx)# config-url flash:/ctx1.cfg
PRIMARY(config-ctx)# join-failover-group 2

Set up the admin context

Enter the admin context
PRIMARY(config)# changeto context admin
PRIMARY/admin(config)#
PRIMARY/admin(config)# interface e0/0
PRIMARY/admin(config-if)# nameif outside
PRIMARY/admin(config-if)# ip add 192.168.0.1 255.255.255.248 standby 192.168.0.2
PRIMARY/admin(config-if)# no shutdown
PRIMARY/admin(config)# interface e0/4
PRIMARY/admin(config-if)# nameif inside
PRIMARY/admin(config-if)# ip add 10.10.10.1 255.255.255.0 standby 10.10.10.2
PRIMARY/admin(config-if)# no shutdown
PRIMARY/admin(config)# monitor-interface outside
PRIMARY/admin(config)# monitor-interface inside
PRIMARY/admin(config)# route outside 0 0 192.168.0.3

Set up the ctx1 context


Enter the ctx1 context
PRIMARY(config)# changeto context ctx1
PRIMARY/ctx1(config)#
PRIMARY/ctx1(config)# interface e0/1
PRIMARY/ctx1(config-if)# nameif outside
PRIMARY/ctx1(config-if)# ip add 192.168.0.9 255.255.255.248 standby 192.168.0.10
PRIMARY/ctx1(config-if)# no shutdown
PRIMARY/ctx1(config)# interface e0/3
PRIMARY/ctx1(config-if)# nameif inside
PRIMARY/ctx1(config-if)# ip add 10.10.20.1 255.255.255.0 standby 10.10.20.2
PRIMARY/ctx1(config-if)# no shutdown
PRIMARY/ctx1(config)# monitor-interface outside
PRIMARY/ctx1(config)# monitor-interface inside
PRIMARY/ctx1(config)# route outside 0 0 192.168.0.11

On the ASA acting as Secondary
SECONDARY(config)# failover
SECONDARY(config)# failover lan unit secondary
SECONDARY(config)# failover lan interface folink Ethernet0/2
SECONDARY(config)# failover polltime unit msec 500
SECONDARY(config)# failover link folink Ethernet0/2
SECONDARY(config)# failover interface ip folink 172.16.1.1 255.255.255.252 standby 172.16.1.2
SECONDARY(config)# failover

The experimental deployment of these features helps us understand more deeply how firewalls in general, and the ASA 5520 in particular, operate. We gain broader skills in configuring network services, learn how to build a web server, and understand how the NAT and PAT address translation services work. We also learn how to configure an advanced feature of the ASA 5520 line, Failover redundancy. In addition, the ASA 5520 is applied


to build the central network for the academy, meeting high availability and security requirements.
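The show failover output in 3.3.3 is what an operator polls to confirm that the pair is healthy, and a monitor has to check more than the first line. The Python below is an added example, not Cisco code: it parses the Active/Standby output format printed in 3.3.3 into a small structure and returns findings when the pair is not Active / Standby Ready, the failover LAN link is down, the software versions differ, or any monitored interface is not Normal. PRIMARY_OUTPUT is the Primary's output from 3.3.3; DEGRADED_OUTPUT is a constructed variant of it. The Active/Active deployment in 3.5 reports per-group state in a different layout that this parser does not cover.

```python
"""Parse `show failover` (Active/Standby format) and flag an unhealthy pair.
Added example, not Cisco code: PRIMARY_OUTPUT is the Primary's output from
section 3.3.3; DEGRADED_OUTPUT is a constructed variant of it."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class UnitState:
    role: str = ""                                            # Primary / Secondary
    state: str = ""                                           # Active, Standby Ready, Failed ...
    interfaces: Dict[str, str] = field(default_factory=dict)  # name -> Normal / Waiting / ...

@dataclass
class FailoverStatus:
    enabled: bool = False
    lan_link_up: bool = False
    versions: Tuple[str, str] = ("", "")
    this_host: UnitState = field(default_factory=UnitState)
    other_host: UnitState = field(default_factory=UnitState)

HOST_RE = re.compile(r"^(This|Other) host:\s+(\w+)\s+-\s+(.+?)$")
IFACE_RE = re.compile(r"^Interface (\S+) \([\d.]+\): (.+?)$")
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)")
LAN_RE = re.compile(r"^Failover LAN Interface: .*\((\w+)\)$")

def parse_show_failover(text: str) -> FailoverStatus:
    st, current = FailoverStatus(), None          # current = host block being read
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            st.enabled = True
        elif m := LAN_RE.match(line):
            st.lan_link_up = m.group(1) == "up"
        elif m := VERSION_RE.match(line):
            st.versions = (m.group(1), m.group(2))
        elif m := HOST_RE.match(line):
            current = st.this_host if m.group(1) == "This" else st.other_host
            current.role, current.state = m.group(2), m.group(3)
        elif (m := IFACE_RE.match(line)) and current is not None:
            current.interfaces[m.group(1)] = m.group(2)
    return st

def health_findings(st: FailoverStatus) -> List[str]:
    """Problems a monitor should alert on; an empty list means the pair is healthy."""
    findings = []
    if not st.enabled:
        findings.append("failover is off")
    if not st.lan_link_up:
        findings.append("failover LAN link is down")
    if st.versions[0] != st.versions[1]:
        findings.append(f"software mismatch: ours {st.versions[0]}, mate {st.versions[1]}")
    if {st.this_host.state, st.other_host.state} != {"Active", "Standby Ready"}:
        findings.append(f"pair not Active/Standby Ready: {st.this_host.state} / {st.other_host.state}")
    for label, unit in (("this host", st.this_host), ("other host", st.other_host)):
        for name, status in unit.interfaces.items():
            if status != "Normal":
                findings.append(f"{label} interface {name} is {status}")
    return findings

# `show failover` on the PRIMARY unit as printed in section 3.3.3.
PRIMARY_OUTPUT = """\
Failover On
Failover unit Primary
Failover LAN Interface: lolink Ethernet0/3 (up)
Unit Poll frequency 500 milliseconds, holdtime 2 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
This host: Primary - Active
        Active time: 690 (sec)
        slot 0: empty
          Interface outside (203.200.2.1): Normal
          Interface inside (10.10.10.1): Normal
        slot 1: empty
Other host: Secondary - Standby Ready
        Active time: 0 (sec)
        slot 0: empty
          Interface outside (203.200.2.2): Normal
          Interface inside (10.10.10.2): Normal
        slot 1: empty

Stateful Failover Logical Update Statistics
        Link : lolink Ethernet0/3 (up)
"""

# Constructed variant: the mate has failed and one of its interfaces is no longer Normal.
DEGRADED_OUTPUT = PRIMARY_OUTPUT.replace(
    "Secondary - Standby Ready", "Secondary - Failed").replace(
    "Interface inside (10.10.10.2): Normal", "Interface inside (10.10.10.2): Waiting")

if __name__ == "__main__":
    print(health_findings(parse_show_failover(PRIMARY_OUTPUT)))   # healthy pair: []
    print(health_findings(parse_show_failover(DEGRADED_OUTPUT)))
```

health_findings() returns an empty list for the output captured in 3.3.3 and two findings for the constructed variant (the mate is Failed and its inside interface is Waiting). In a real monitor the same parser would run over the command output collected by SSH or over the SNMP failover objects, and any non-empty result should page the on-call engineer, since a pair in Failed state has lost the redundancy the design depends on.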


CONCLUSION

The Internet is booming today and it seems that all human activity takes place on it, so information security is extremely important. Studying firewalls, working with a product and the methods for securing a network system is a practical topic for a student. The thesis focuses on studying the most basic firewall issues: the concept of a firewall; firewall techniques and technology; the architecture of firewall systems; and in particular Cisco's firewall technology, a Cisco hardware security solution, applied to building a secure network model. After studying and researching the topic, I obtained the following results:
- Understood the overview, the concepts and the technology as well as the architecture for building a firewall system.

- Applied and deployed the features of the Cisco Firewall.

- Proposed a network model using the ASA 5520 firewall with high security, availability and redundancy.

Future work:

The security strength that the Cisco firewall brings to a network is great. However, because of the limited time, approaching an advanced firewall technology inevitably leaves some shortcomings; I hope the teachers will advise me so that this thesis can be improved. With the knowledge gained and the successful initial experimental results, I would like to develop the thesis toward a more practical application,


namely building a network with high security and high availability for the academy.

Finally, I owe today's success to the great efforts of the teachers and all the staff of the academy. Over the past 5 years, I have been honoured to be a student of an academy rich in tradition and in training achievements. With the knowledge the teachers have imparted, I believe that after graduating I will have the qualifications and the ability to work. Once again, I would like to thank all the teachers at the academy for their dedicated guidance over the past 5 years. I wish the teachers, all staff at the academy and my family good health and success in life.
