
UNIVERSITY . FACULTY .

----- ----

Graduation Report
Topic:

Designing a secure network using PIX firewall for the College of Mechanical Engineering and Metallurgy

TABLE OF CONTENTS
TABLE OF CONTENTS ........ 2
PREFACE ........ 4
ACKNOWLEDGEMENTS ........ 5
DECLARATION ........ 6
CHAPTER 1 ........ 7
UNDERSTANDING NETWORK SECURITY AND SECURITY POLICY ........ 7
1. The need for network security ........ 7
2. Identifying latent risks in network security ........ 8
3. Threats and attacks on computer networks ........ 9
3.1. Unstructured Threats ........ 9
3.2. Structured Threats ........ 9
3.3. External Threats ........ 10
3.4. Internal Threats ........ 10
4. Methods of attacking computer networks ........ 10
4.1. Reconnaissance ........ 10
4.2. Access ........ 11
4.3. Denial of Service (DoS) ........ 11
4.4. Worms, viruses and Trojan horses ........ 12
5. Security policy ........ 13
5.1. The Security Wheel ........ 13
5.2. Protecting and managing endpoints ........ 18
5.3. Protecting and managing the network ........ 20
CHAPTER 2 ........ 24
THE CISCO PIX FIREWALL ........ 24
I. Firewalls and firewall techniques ........ 24
1. Firewall ........ 24
2. Firewall techniques ........ 24
2.1. Packet filtering ........ 25
2.2. Proxy server ........ 26
2.3. Stateful packet filtering ........ 28
II. Overview of the PIX Firewall ........ 28
III. PIX Firewall models and operating principles ........ 29
1. PIX Firewall models ........ 29
2. Operating principles of the PIX Firewall ........ 33
IV. Common maintenance commands of the PIX Firewall ........ 35
1. Access modes ........ 35
2. Common maintenance commands of the PIX Firewall ........ 36
2.1. The enable command ........ 36
2.2. The enable password command ........ 37
2.3. The write command ........ 37
2.4. The telnet command ........ 38
2.5. The hostname and ping commands ........ 39
2.6. The show command ........ 40
2.7. The name command ........ 41
CHAPTER 3 ........ 42
CONFIGURATION, ADDRESS TRANSLATION AND ACCESS CONTROL IN THE PIX FIREWALL ........ 42
I. Basic PIX Firewall configuration commands ........ 42
1. The nameif command ........ 42
2. The interface command ........ 43
3. The ip address command ........ 44
4. The nat command ........ 44
5. The global command ........ 45
6. The route command ........ 46
II. Address translation in the PIX Firewall ........ 47
1. Overview of NAT ........ 47
1.1. NAT description ........ 47
1.2. NAT control ........ 48
2. NAT types ........ 49
2.1. Dynamic NAT ........ 49
2.2. PAT ........ 50
2.3. Static NAT ........ 50
2.4. Static PAT ........ 50
3. Configuring NAT control ........ 50
4. Using Dynamic NAT and PAT ........ 50
5. Using the static NAT command ........ 56
6. Using Static PAT ........ 57
III. ACCESS LISTS ........ 57
1. Overview of access lists ........ 57
1.1. Order of ACEs ........ 58
1.2. Access control implicit deny ........ 58
1.3. IP addresses used in access lists when NAT is in use ........ 58
2. Configuring access lists ........ 60
2.1. The access-list command ........ 60
2.2. The access-group command ........ 61
CHAPTER 4 ........ 62
DESIGNING A SECURE NETWORK FOR THE COLLEGE OF MECHANICAL ENGINEERING AND METALLURGY USING PIX FIREWALL ........ 62
I. Survey of the current network and upgrade requirements ........ 62
1. Current state of the system ........ 62
2. Assessment of the system's performance and security level ........ 64
3. Requirements for upgrading the college's current network ........ 65
II. Designing the network using the PIX firewall device ........ 66
1. Design diagram of the new system ........ 66
2. Address allocation ........ 68
3. Simulated configuration of the system ........ 70
3.1. Software used for the simulated configuration ........ 70
3.2. Setting up the network configuration ........ 72
4. Testing the configuration ........ 79
CONCLUSION ........ 82
REFERENCES ........ 83

PREFACE

Information technology is applied today in every area of life. Computers and the Internet are indispensable components of most companies, having become effective tools that support daily work and transactions. This development, however, brings with it the problem of computer security, which is becoming ever more pressing. Computer crime is one of the fastest-growing categories of crime on the planet. Building a foundation of computer security, and designing and administering networks that ensure the risks related to computer use can be controlled, has therefore become an indispensable requirement in many fields. To keep up with this trend, during my graduation internship I chose the topic "Designing a secure network using PIX firewall for the College of Mechanical Engineering and Metallurgy". The project addresses the risks and the need for network security, the characteristics and basic configuration of the PIX firewall, and finally applies the PIX firewall to design a network model for the College of Mechanical Engineering and Metallurgy.

ACKNOWLEDGEMENTS

After five years of study and training at the Faculty of Information and Communication Technology, Thái Nguyên University, I have now completed my graduation project and finished the course. I sincerely thank the faculty leadership and all the teachers who devotedly taught us and equipped us with valuable knowledge to carry with us in the future. In particular, I sincerely thank Ms. Bùi Thị Mai Hoa of the Department of Computer Engineering, who directly supervised and helped me complete this project. I also thank the teachers and friends whose comments helped me complete this project. Thái Nguyên, June 2009. Student
Trn Gio

DECLARATION

This graduation project was completed within the prescribed time and met the requirements set out thanks to my own efforts in research and study, under the direct guidance of MSc. Bùi Thị Mai Hoa. I consulted a number of documents listed in the References section and did not copy content from any other project. For any improper copying, violation of training regulations or fraud, I take full responsibility before the council.

CHAPTER 1
UNDERSTANDING NETWORK SECURITY AND SECURITY POLICY

1. The need for network security

Network security is necessary because the Internet is a network of interconnected networks with no boundaries. For this reason an organization's network can be used by, and just as easily attacked from, any computer in the world. When a company uses the Internet in its business, new risks arise from people who no longer need physical access to the company's computing resources. In a recent study by the Computer Security Institute (CSI), 70% of organizations reported losing information through security holes in their networks, and 60% of the causes lay inside the companies themselves. With the growth of computers, LANs and the Internet, today's network systems keep expanding. As e-commerce and many other Internet applications develop, finding secure ways of handling information is extremely important, together with the ability to find and identify the dangers that harm information systems. Moreover, the growth of mobile and wireless networks marks great strides in information technology, retiring old models while demanding more flexible and more effective security solutions. Computer use has become widespread, the number of computers keeps growing, LANs grow with them and the global Internet is in wide use, bringing with it new security risks that are harder to control. To address these risks, the proposed solution is the firewall; this technology makes it more feasible for businesses to secure their information when accessing the Internet. Today the requirements placed on a security system include:

- Users can only exercise the rights they have been granted.
- Users can only read the information and data they are permitted to read.
- Users cannot destroy data, information or applications that the system uses.

2. Identifying latent risks in network security

Risk analysis identifies the threats to the network, its resources and its data. Its purpose is to identify the components of the network, assess the importance of each component and then apply an appropriate level of security.

+ Asset Identification: before securing the network, its components must be identified. Every agency or organization should inventory the assets present in its network. Assets include network devices and endpoints such as hosts and servers.

+ Vulnerability Assessment: the components of a computer network are always at risk of attack from bad actors. The causes can be weaknesses in technology, in configuration, or in an inadequate security policy. These attacks can nevertheless be limited or controlled by various means, such as software, reconfiguring network devices, or deploying countermeasures (firewalls, anti-virus software and so on).

+ Threat Identification: a threat is an event that gives an advantage to attacks on the computer network and is the cause of adverse effects on it. Identifying the potential threats in the network is therefore very important; the related attacks need attention so that they can be limited and their level of danger reduced.

3. Threats and attacks on computer networks

There are four main threats to network security.

Figure 1. Threats to network security

3.1. Unstructured Threats

Unstructured threats are typically inexperienced individuals using simple tools that are readily available on the Internet. Some of them are motivated by a desire to cause damage, but most are motivated by intellectual challenge and their aims are mundane. Most are not skilled or experienced attackers, but they do have motivation, and motivation is what matters.

3.2. Structured Threats

Structured threats consist of attackers who are more highly motivated and technically competent. They usually understand network design and the points at which a network can be attacked, and they can both understand and write code that penetrates these networks.

3.3. External Threats

External threats are individuals or organizations working outside the company. They have no authorized access to the company's network or computer systems. They work their way into the network mainly from the Internet or through dial-up access servers.

3.4. Internal Threats

Internal threats occur when someone has authorized access to the network, either through an account on a server or through direct physical access. Such people typically hold a grievance against current or former colleagues, against the company's management, or against company policy.

4. Methods of attacking computer networks

There are four methods of attacking computer networks.

Figure 2. Types of attack on computer networks

4.1. Reconnaissance

Reconnaissance is the unauthorized enumeration and discovery of systems, services or the points most open to attack. It is also known as information gathering. In most cases it occurs before other unauthorized access actions or a DoS attack. The intruder first scans the target network to determine which IP addresses are active. Having done this, the hacker determines which services or ports are active on those IP addresses. From that information the hacker works out the type and version of the application, as well as the type and version of the operating system running on the target host.

4.2. Access

Access attacks take the form of unauthorized data manipulation, system access, or privilege escalation. Unauthorized data retrieval is usually the reading, writing, copying or removal of files that the intruder should not be able to use. System access is the intruder's ability to gain entry to a machine they are not permitted to access (for example, an intruder who has no account or password). Entering a system without authorization usually involves running hacks, scripts, or tools that exploit vulnerabilities in the system or its applications. Another form of access attack is privilege escalation. It is carried out by legitimate users with low-level access, or by intruders who have obtained low-level access. The goal is to gather information or execute procedures that the current access level does not permit. In some cases the intruder only wants to gain access without stealing any information, especially when the motive is intellectual challenge, curiosity or ignorance.

4.3. Denial of Service (DoS)

This is an attack that paralyzes a system and deprives it of the ability to provide service (Denial of Service, DoS), preventing it from performing the functions it was designed for. This type of attack is very hard to prevent, because the very means used to mount it are the means used to work and access information on the network. One example of a possible situation is a person on the network who uses a program to push request packets at a station. On receiving the packets the station must process them and continue receiving the packets that follow until its buffer is full, so that the service requests of other machines to that station go unserved. What is frightening is that DoS attacks need only limited resources to stall the services of large and complex sites. For this reason the attack is also called an asymmetric attack: an attacker with nothing more than an ordinary PC and a slow modem can stall powerful computers or networks with complex configurations.

4.4. Worms, viruses and Trojan horses

A worm is a type of computer virus that searches through all the data in memory or on disk and alters any data it encounters. The alteration may convert characters into numbers or swap bytes stored in memory. Damaged data usually cannot be recovered. A virus, or virus program, is a computer program designed to spread itself by attaching to other programs and carrying out useless, meaningless and sometimes destructive operations. When a virus triggers it causes many serious consequences, from false messages to effects that distort the operation of system software or wipe all the information from the hard disk. A Trojan horse is a program that appears to perform a useful function while containing hidden code or commands that damage the system running it. The malicious software above is installed on computers to destroy or damage systems or to block services and access to the network. The nature and danger of these threats change over time. The simple viruses of the 1980s have become more complex destructive viruses and tools for attacking systems in recent years. The ability of worms to spread by themselves brings new dangers. Where they once needed days or weeks to spread, today they can spread across the whole world in minutes. One example is the Slammer worm, which started in January 2003 and spread worldwide in under 10 minutes. It is believed that the next generations of viruses may attack within seconds. These worms and viruses can also do many other things besides destroying network resources: they can be used to destroy information in transit on the network or to wipe disks. In the future there will therefore be a very large threat that directly affects the infrastructure of network systems.

5. Security policy

Threats to the network cannot be eliminated or prevented completely. Assessing and managing their impact, however, helps reduce the number of attacks and the damage that accompanies them. The acceptable level of risk depends on each enterprise's capabilities. A security policy is an important component in deciding how this risk is managed. A security policy is understood as a formal statement of the rules that people who are granted access to an organization's technology, assets and information must follow.

5.1. The Security Wheel

Network security must be a continuous process built on security policy. A continuous security policy is the most effective, because it promotes re-applying and re-testing security updates on a continuous basis. This continuous security process is represented by the Security Wheel. To begin the process, a security policy must first be created that allows applications to be secured. A security policy must carry out the following tasks:

- Identify the organization's security objectives.
- Document the resources to be protected.
- Identify the network infrastructure with current diagrams and a summary.

To create or enforce an effective security policy, you must determine what you want to protect and how to protect it. You need to understand the weaknesses of the network and how they can be exploited. You also need to understand the normal functions of the system, so that you know what you need, just as you know how ordinary devices are used. Finally, consider the physical security of the network and how to protect it. Physical access to a computer, router or firewall can give a person total control over the device. Once the security policy has been developed, it must fit the security wheel above; the next four steps of the Security Wheel are:

Step 1: Secure the system. This step includes deploying security devices such as firewalls, authentication systems and encryption, with the aim of preventing unauthorized access to the network. This is where Cisco's firewall security devices are most effective.

Step 2: Monitor the network for violations and attacks against the company's security policy. Violations can come from inside the network's security perimeter, from disgruntled employees, or from outside, from attackers. Monitoring the network with a real-time intrusion detection system such as the Cisco Secure Intrusion Detection System can ensure that the security devices in step 1 are configured correctly.

Step 3: Test the effectiveness of the security system. Use the Cisco Secure Scanner to identify the security posture of the network.

Step 4: Improve the company's security. Collect and analyze the information from the monitoring and testing phases in order to improve further.

The four steps (secure, monitor, test, improve) must be repeated continuously and must be closely combined with updated versions of the company's security policy.

5.1.1. Securing the system

Secure the network by applying security policies and implementing the following measures:

- Authentication: grants access only to legitimate users.
- Encryption: hides content streams to prevent unwanted disclosure to malicious or unauthorized individuals.
- Firewalls: filter network traffic, allowing only legitimate traffic and services through.
- Patching: applies fixes or other handling to stop the exploitation of discovered vulnerabilities. This includes disabling unnecessary services on every system and allowing only a few services to run, which makes access harder for an attacker.

In addition, physical security measures must be implemented to prevent unauthorized physical access to the network.

5.1.2. Monitoring security

This means monitoring the network for unauthorized intrusion and for attacks against the company's security policy. These attacks can occur inside the network's security perimeter, from malicious employees, or from outside the network. Monitoring should also be carried out with real-time intrusion detection devices such as the Cisco Secure Intrusion Detection System (CSIDS). These devices help you detect unauthorized elements and also act as a check-and-balance system that ensures the devices in step 1 of the Security Wheel are configured and working correctly.

5.1.3. Testing

Testing is necessary. You may have the most sophisticated network security system, but if it does not work your network can still be attacked. This is why you must test and trial the devices from steps 1 and 2 to ensure that they perform their functions correctly. The Cisco Secure Scanner is designed to evaluate the security of the network.

5.1.4. Improving

The improvement phase of the Security Wheel consists of analyzing the data collected during the monitoring and testing phases. Techniques are developed and improved to serve our security policy and to secure the phase in step 1. To keep the network secure, the Security Wheel cycle must be repeated, because new vulnerabilities and risks of compromise appear every day.

5.2. Protecting and managing endpoints

5.2.1. Basic security technologies and components on hosts and servers

Computers and servers need to be protected when they join the network. Anti-virus software, firewalls and intrusion detection are useful tools for keeping hosts and servers safe.

Device hardening. When a new operating system is installed on a computer, its security settings are the default values. In most cases these security levels are insufficient. The following simple steps should be applied to operating systems:

- Change the default user name and password immediately.
- Restrict access to system resources, allowing only legitimately authorized individuals.
- Any service or application that is not needed should be disabled and, where possible, uninstalled.

Personal firewall. Personal computers connected to the Internet through dial-up, DSL or cable modem can be just as much at risk as large networks. A personal firewall resides on the user's computer and tries to block attacks. Some software products that act as personal firewalls are McAfee, Norton, Symantec and Zone Labs.

Anti-virus software. Install anti-virus software to protect the system from known viruses. This software can detect most viruses and many applications of Trojan horse programs, and stop them spreading across the network.

Operating system patches

An effective way to mitigate the impact of worms and their variants is to patch all compromised systems. This is very difficult for systems that the user does not control, and harder still when those systems connect to the network remotely through a virtual private network (VPN) or a remote access server (RAS). Operating many systems requires creating a standard software image that is deployed on new or upgraded systems. These images may not contain the latest fixes, and continually re-imaging consumes administration time.

Intrusion detection and prevention. Intrusion detection is the ability to detect attacks on a network, send records to the management point and provide the following prevention mechanisms. Intrusion prevention is the ability to stop attacks on a network and provide the following prevention mechanisms:

- Detection: identify dangerous attacks on the network and on host resources.
- Prevention: stop the attacks that are detected.
- Response: harden the system against future attacks.

5.2.2. Managing personal computers (PCs)

Machine inventory and maintenance. The people responsible should maintain detailed inventories of all computers on the network: workstations, servers, laptops and so on. The inventory can record the serial number of the machine, the hardware model, the installed software, and the names of the individuals to be contacted regarding the machine. When hardware components, software or storage devices are replaced, the inventory must be updated with the changes. Another necessary task is training the people in the organization so that they can keep their machines safe.

Updating anti-virus software

When new viruses or new applications using Trojan horse programs are discovered, the enterprise must update its anti-virus software to the latest version of the definitions and of the application. For virus scanning to succeed, the following should be completed:

- Scan the commonly used files on the machine.
- Update the virus list and signatures.
- Regularly monitor the alerts raised by the scanners.

5.3. Protecting and managing the network

5.3.1. Basic components and technologies of network security

Appliance-based firewalls. Appliance-based firewalls are designed on a platform with no hard drive. This allows faster booting, high-throughput traffic inspection and reduced failure. Cisco's solution includes an integrated IOS Firewall and a dedicated PIX appliance. The IOS Firewall feature can be installed and configured on Cisco routers. PIX is a hardware and software security solution that provides packet filtering and proxy server technology. Some appliance-based firewall vendors are Juniper, Nokia, Symantec, WatchGuard and Nortel Networks. For home networks, Linksys, D-Link, Netgear and SonicWALL products are suitable.

Server-based firewalls. Server-based firewall solutions run on a network operating system such as UNIX, NT or WIN2K, or Novell. They combine a firewall, access control and virtual private network features in a single package. Examples are Microsoft ISA Server, Linux, Novell BorderManager and Checkpoint Firewall-1. The security level of a server-based firewall can be lower than that of an appliance-based firewall.

Virtual private networks (VPN)

A virtual private network is any computer network built on top of a public network and partitioned for the use of individual private parties. Frame Relay, X.25 and ATM are considered layer-2 VPNs in the OSI model. The other form of VPN is the IP VPN, considered a layer-3 VPN. Basically, enterprises use three different kinds of VPN:

- Remote-access VPNs
- Site-to-site extranet and intranet VPNs
- Campus VPNs

Figure 2.6. Remote-access VPNs

Figure 2.7. Site-to-site extranet and intranet VPNs

Trust and identity. Identity is the correct and accurate identification of users, computers, applications, services and resources. These standard technologies encompass authentication protocols such as Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+), Kerberos and one-time password (OTP) tools. Newer technologies such as digital certificates and smart cards play an increasingly important role in identity solutions.

5.3.2. Network security management

The purpose of network security management is to control access to network resources. It prevents sabotage of the computer network and stops unauthorized users from accessing sensitive information. For example, a security management system can monitor logins to network resources and reject inappropriate access attempts. A network security management system works by partitioning network resources into authorized and unauthorized areas. The system performs functions such as:

- Define the sensitive network resources.
- Determine the mapping between those resources and the user settings.
- Monitor the access points to the resources and block invalid access.

The typical structure of a security management system is a management station that monitors and manages devices such as routers, firewalls, VPN devices and IDS sensors. The Security Management Solution (VMS) software is one example. VMS includes a set of web-based applications for configuring, monitoring and troubleshooting VPNs, firewalls and so on. In addition, Cisco provides free GUI management tools for configuring and monitoring individual firewalls, IDS sensors or routers.

Auditing. Security auditing is essential to determine and track whether the security policies for a network infrastructure are being implemented correctly. Logging and tracking events helps detect any abnormal behavior.

To test the effectiveness of the security infrastructure, security auditing must be performed regularly and at many different locations. You should audit the installation of new systems, the methods for detecting dangerous actions, and the appearance of special problems such as DoS attacks. Understanding how the system operates, knowing which behaviors are normal and which are not, and using the devices proficiently help organizations detect network security problems. Abnormal events are warning signs that help stop bad actors before they destroy the system. Security auditing tools can help businesses and organizations detect, record and track these abnormal events.

CHAPTER 2
THE CISCO PIX FIREWALL

I. Firewalls and firewall techniques

1. Firewall

By the everyday definition, a firewall is a partition made of fire-resistant material, designed to stop fire spreading from one part of a building to another. It can also be used to isolate one part from another. Applied to computer networks, a firewall is a system or group of systems that enforces an access control policy between two or more networks.

2. Firewall techniques

Firewalls operate on one of the following three techniques:

- Packet filtering: limits the information passed into a network based on the packet header.
- Proxy server: requires connections to be relayed between a client inside the firewall and the Internet.
- Stateful packet filtering: combines the best of packet filtering and the proxy server.

2.1. Packet filtering

A firewall can use packet filtering to limit the information entering a network, or moving from one network segment to another. Packet filtering uses access control lists (ACLs), which let the firewall accept or deny access based on the type of packet and other variables.

This method is effective when a protected network receives packets from an unprotected one. Any packet sent to the protected network that does not match the criteria defined by the ACLs is dropped. Packet filtering does have some problems:

- Arbitrary packets that happen to match the ACL criteria pass through the filter.
- Packets can pass through the filter in fragments.
- Complex ACLs are difficult to implement and maintain correctly.
- Some services cannot be filtered.

2.2. Proxy server

Mt Proxy server l mt thit b tng la m n quyt nh mt gi tin ti lp cao hn ca m hnh OSI. Thit b ny c gi tr n d liu bng cch yu cu ngi s dng giao tip vi mt h thng bo mt c ngha l mt proxy. Ngi s dng dnh quyn truy cp n mt mng bng cch i qua mt tin trnh, tin trnh s thit lp mt trng thi phin, chng thc ngi dng v chnh sch cp quyn. iu ny c ngha l ngi s dng kt ni n cc dch v bn ngoi thng qua chng trnh ng dng (proxies) ang chy trn cng dng kt ni n vng khng c bo v pha ngoi Tuy nhin cng c nhng vn vi Proxy server bi b n:


- creates a single point of failure: if the gateway into the network goes down, the whole network goes down with it;
- makes it hard to add new services to the firewall;
- performs slowly.


2.3. Stateful packet filtering

Stateful packet filtering is the method used by Cisco's PIX firewall. It maintains full session state: each time a TCP or UDP connection is established, inbound or outbound, the information is recorded in the stateful session flow table. That table holds the source and destination addresses, port numbers, TCP sequence numbers and additional flags for every TCP/UDP connection associated with a session. These entries form connection objects, and all inbound and outbound packets are compared against the session flows in the table. Data is allowed through the firewall only if an appropriate connection exists to validate its passage. The method is effective because:
- it works on both packets and connections;
- it operates at a higher level than packet filtering or a proxy;
- it records data in a table for every connection, and that table is the reference point for deciding whether a packet belongs to an existing connection or comes from an unauthorised source.

II. Overview of the PIX Firewall

The PIX Firewall is a key element of Cisco's end-to-end security solution. It is a dedicated hardware and software security solution that provides a higher level of security without degrading the performance of the network. It is a hybrid system, since it uses both packet filtering and proxy-server techniques. The PIX Firewall provides the following features and functions:
- Adaptive Security Algorithm (ASA): performs stateful connection control through the PIX Firewall.
- Cut-through proxy: a user-based authentication method for inbound and outbound connections that gives better performance than a proxy server.
- Stateful failover: lets you configure two PIX Firewall units in a redundant topology.
- Stateful packet filtering: a security method that analyses data packets and records their information in a table; for a session to be established, the connection information must match the information in the table.
- The PIX Firewall can operate with and scale to IPsec, which includes a security core and authentication protocols such as Internet Key Exchange (IKE) and Public Key Infrastructure (PKI). Remote clients can securely reach the corporate network through their ISPs.

III. PIX Firewall models and operating principles

1. PIX Firewall models


PIX 501

Figure 3.1. PIX 501
- Size 1.0 x 6.25 x 5.5 inches, 0.75 pounds; designed for small offices needing high security in widely distributed environments.
- Throughput 60 Mbps for clear-text data.
- 1 x 10/100BASE-T Ethernet port and a 4-port switch.
- VPN throughput 3 Mbps 3DES, 4.5 Mbps 128-bit AES.
- 10 simultaneous VPN peers.

PIX 506E

Figure 3.2. PIX 506E
A security solution for remote offices, company branches and small to medium enterprise networks. Some characteristics of the PIX 506E:
- Size 8 x 12 x 17 inches.
- 8 MB Flash memory.


- 2 x 10/100BASE-T ports, 2 VLANs.
- IPsec support.
- Throughput 100 Mbps for clear-text data.
- VPN throughput 17 Mbps 3DES, 30 Mbps 128-bit AES.
- No more than 25 simultaneous VPN peers.
- With version 6.3 there are two VPN encryption options: DES with 56-bit encryption, or 3DES with 168-bit 3DES encryption and 256-bit AES encryption.

PIX 515

Figure 3.3. PIX 515
- For small and medium enterprises.
- Throughput 118 Mbps for clear-text data.
- VPN throughput 140 Mbps 3DES (VAC), 140 Mbps 256-bit AES (VAC).
- Ports: 6 x 10/100 Ethernet, 25 VLANs, 5 security contexts.
- 16 MB Flash memory.

PIX 525


Figure 3.4. PIX 525
- For medium and large networks.
- Throughput 330 Mbps for clear-text data.
- Ports: 10 x 10/100 Fast Ethernet, 100 VLANs, 50 security contexts.
- VPN throughput 155 Mbps 3DES (VAC), 170 Mbps 256-bit AES (VAC).

PIX 535

Figure 3.5. PIX 535
- Designed for large networks and service-provider networks.
- Throughput 1.7 Gbps for clear-text data.
- Ports: 14 x Fast Ethernet and Gigabit Ethernet, 200 VLANs.


- 100 security contexts.
- VPN throughput 440 Mbps 3DES (VAC), 440 Mbps 256-bit AES (VAC).
- 16 MB Flash memory.

2. Operating principles of the PIX Firewall

The general principle of a firewall (whether a software firewall such as a proxy or a hardware appliance such as the PIX) is to intercept the data passing through it and compare it with the configured rules. If no rule is violated the data is forwarded; otherwise the packet is dropped. The PIX firewall works on the ASA (Adaptive Security Algorithm) mechanism, which uses security levels: of any two interfaces, one has the higher security level and the other the lower. The core of the security appliance is the Adaptive Security Algorithm (ASA), which maintains the secure perimeter between the networks controlled by the appliance. ASA follows these rules:
- No packet passes through the PIX without a connection and state.
- Outbound connections are allowed except those denied by access control lists (ACLs). An outbound connection is one whose source or client is on an interface with a higher security level than the destination or server. The interface with the highest security level is inside, with value 100; the lowest is outside, with value 0. Any other interface can have a security level from 1 to 99.
- Inbound connections are denied except those explicitly permitted. An inbound connection is one whose source or client is on an interface or network with a lower security level than the destination or server.
- All ICMP packets are denied except those explicitly permitted.
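The ASA rules above, together with the translation and access-list requirements described in the rest of this section, can be modelled in a few lines. The following Python is an added example written for this page, not code from the thesis or from Cisco; the interface names, levels,  translations and access-list entries are constructed sample data.

```python
"""Added example (not from the thesis or Cisco): a Python model of the ASA
forwarding rules.  Interface names, levels, translations and access-list
entries are constructed sample data; a real PIX keeps this state in its
xlate and connection tables."""
from dataclasses import dataclass, field


@dataclass
class PixModel:
    # interface name -> security level (inside=100 and outside=0 are fixed)
    levels: dict = field(default_factory=dict)
    # (real_if, mapped_if) pairs covered by a nat/global pair (dynamic)
    dynamic_xlate: set = field(default_factory=set)
    # (real_if, mapped_if) pairs covered by a static command
    static_xlate: set = field(default_factory=set)
    # interface -> set of (src_ip, dst_ip) flows its inbound access-list permits
    acl_permit: dict = field(default_factory=dict)
    # interface -> set of (src_ip, dst_ip) flows its inbound access-list denies
    acl_deny: dict = field(default_factory=dict)

    def decide(self, src_if, dst_if, src_ip, dst_ip):
        """Return (forwarded, reason) for a new connection entering src_if."""
        src_lvl, dst_lvl = self.levels[src_if], self.levels[dst_if]
        flow = (src_ip, dst_ip)
        if src_lvl == dst_lvl:
            return False, "same security level: no traffic between the interfaces"
        if src_lvl > dst_lvl:
            # Outbound (higher -> lower): a translation must exist, then the
            # connection is allowed unless the interface access-list denies it.
            if (src_if, dst_if) not in self.dynamic_xlate | self.static_xlate:
                return False, "no static or dynamic translation for this pair"
            if flow in self.acl_deny.get(src_if, set()):
                return False, f"denied by the access-list on {src_if}"
            return True, "outbound: translation present, not denied"
        # Inbound (lower -> higher): both a static translation and an
        # access-list permit are required; everything else is implicitly denied.
        if (dst_if, src_if) not in self.static_xlate:
            return False, "inbound: no static translation to the higher interface"
        if flow not in self.acl_permit.get(src_if, set()):
            return False, "inbound: not permitted by access-list (implicit deny)"
        return True, "inbound: static translation and access-list permit"


def sample_pix():
    """Constructed configuration: nat (inside) 1 + global (outside) 1,
    static (inside,dmz) 10.1.1.5 10.1.2.27, and an access-list on dmz that
    permits one DMZ host to reach the mapped address 10.1.1.5 (the ACL names
    the address as seen on the dmz side).  dmz2 shares dmz's level."""
    pix = PixModel(levels={"inside": 100, "dmz": 50, "dmz2": 50, "outside": 0})
    pix.dynamic_xlate.add(("inside", "outside"))
    pix.static_xlate.add(("inside", "dmz"))
    pix.acl_permit["dmz"] = {("10.1.1.23", "10.1.1.5")}
    pix.acl_deny["inside"] = {("10.1.2.99", "209.165.200.225")}
    return pix


if __name__ == "__main__":
    pix = sample_pix()
    for args in [("inside", "outside", "10.1.2.10", "209.165.200.225"),
                 ("inside", "outside", "10.1.2.99", "209.165.200.225"),
                 ("dmz", "inside", "10.1.1.23", "10.1.1.5"),
                 ("dmz", "inside", "10.1.1.40", "10.1.1.5"),
                 ("outside", "inside", "198.51.100.7", "10.1.2.27"),
                 ("dmz", "dmz2", "10.1.1.23", "10.1.3.9")]:
        print(args, "->", pix.decide(*args))
```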


- Any attempt to break the rules above is dropped.

Each PIX interface has a security level that defines whether the interface is trusted (protected) or untrusted (unprotected) relative to the other interfaces. An interface is considered trusted relative to another if it has the higher security level. The basic rule is: data may enter the PIX through an interface with a higher security level, pass through the PIX and leave through an interface with a lower security level. Conversely, data entering an interface with a lower security level cannot pass through the PIX and leave through an interface with a higher security level unless the PIX is configured with a conduit or access-list that allows it. Security levels are numbered from 0 to 100.
- Level 0: the lowest level, the default for the outside interface of the PIX, usually the interface connected to the Internet. Because 0 is the least secure level, untrusted networks usually sit behind this interface. Devices on the outside can access the PIX only when it is configured to allow it.
- Level 100: the highest level for an interface. It is used for the inside interface of the PIX; this is the default and cannot be changed. The organisation's network usually sits behind this interface, and nobody can access it unless permitted to do so; that permission must be configured on the PIX. Devices on this network can access the outside network.
- Levels 1 to 99: reserved for the surrounding networks connected to the PIX, assigned according to the type of access each device needs, typically a network acting as a demilitarised zone (DMZ).

When there are several connections between the PIX and the surrounding devices:
- Data from an interface with a higher security level to one with a lower security level: a translation (static or dynamic) must exist to allow traffic from the higher-level interface to the lower-level one. Once that translation exists, traffic initiated from the inside interface towards the outside interface is permitted unless blocked by an access-list, authentication or authorisation.
- Data from an interface with a lower security level to one with a higher security level: two things must be configured for this traffic, a static translation and a conduit or access-list.
- Data between two interfaces with the same security level: no traffic passes between two interfaces with the same security level.

IV. Common maintenance commands of the PIX Firewall

1. Access modes

The PIX Firewall command set is based on the Cisco IOS operating system and provides four access modes:
- Unprivileged mode: available when you first access the PIX Firewall. The prompt is >, and this mode lets you view a limited set of settings.
- Privileged mode: shows the # prompt and lets you change the current settings. Any unprivileged-mode command also works in privileged mode.
- Configuration mode: shows the (config)# prompt and lets you change the system configuration. All privileged, unprivileged and configuration commands work in this mode.
- Monitor mode: a special mode that lets you update the image over the network. In this mode you can enter commands that specify the location of the TFTP server and of the binary image to download.

In every access mode a command can be shortened to the few characters that make it unique. For example, you can enter write t to view the configuration instead of the full command write terminal, en instead of enable to enter privileged mode, and co t instead of configure terminal to enter configuration mode. Help is always available on the PIX Firewall command line: entering help or ? lists all commands, and entering help or ? after a command (for example router) lists the syntax of that command. The number of commands listed with the question mark or the help keyword differs between access modes, so unprivileged mode lists the fewest commands and configuration mode the most. You can also type any command on its own and press Enter to see its syntax.

2. Common maintenance commands of the PIX Firewall

The common maintenance commands of the PIX Firewall are:
- enable, enable password and passwd: used to access the PIX Firewall software and change passwords.
- write erase, write memory and write terminal: used to display the system configuration and save new configuration data.
- show interface, show ip address, show memory, show version and show xlate: used to check the system configuration and other relevant information.
- exit and reload: used to leave an access mode, reload a configuration and restart the system.
- hostname, ping and telnet: used to determine whether another IP address exists, change the hostname, specify which local hosts may reach the PIX Firewall console, and gain console access.

2.1. The enable command

The enable command enters privileged mode. After you enter enable, the PIX Firewall prompts for the privileged-mode password. By default no password is required, so you just press Enter. Once in privileged mode, note that the prompt changes to the # symbol. Typing configure terminal enters configuration mode and the prompt changes to (config)#. To leave and return to the previous mode, use disable, exit or quit.

2.2. The enable password command

The enable password command sets the password for privileged mode. You are prompted for this password after entering the enable command (when the PIX Firewall boots and you enter privileged mode, the password prompt appears). There is no default password, so you can press Enter at the prompt or create a password of your choice. The password is case-sensitive and supports up to 16 alphanumeric characters; any character can be used except the question mark, the space and the colon. If you change the password, write it down and store it somewhere safe, because once changed it cannot be viewed again: it is stored encrypted. The show enable password command prints only the encrypted form, which cannot be reversed to plain text. The passwd command sets the password for Telnet access to the PIX Firewall; its default value is cisco.

2.3. The write command

The write command lets you save the system configuration to memory, display it, and erase the current configuration. The write commands are:
- write net: saves the system configuration as a file on a TFTP server or on the network.
- write erase: erases the configuration in Flash memory.
- write floppy: saves the current configuration to a floppy disk (the PIX Firewall 520 and earlier models have a 3.5-inch floppy drive).
- write memory: writes the running (current) configuration to Flash memory.

37

- write standby: writes the configuration held in RAM on the active failover PIX Firewall to RAM on the standby PIX Firewall. When the active PIX Firewall boots it writes its configuration to the standby unit; use this command to copy the active unit's configuration to the standby unit.
- write terminal: displays the current configuration on the terminal.

2.4. The telnet command

telnet ip_address [netmask] [if_name]
Specifies which hosts can reach the PIX console through Telnet. In version 5.0 and earlier only internal hosts could Telnet to the PIX firewall; in later versions users can Telnet to the PIX firewall on any interface. However, Cisco recommends that all Telnet traffic to the outside interface be protected by IPsec, so to start a Telnet session to the PIX the user must configure the PIX to establish an IPsec tunnel with another PIX, a router or a VPN client.

clear telnet [ip_address [netmask] [if_name]]
Removes the Telnet access previously granted to an IP address.

telnet timeout minutes
Sets the maximum time a Telnet session may remain idle before the PIX Firewall closes it.

kill telnet_id
Ends a Telnet session. When you end a session, the PIX Firewall stops any active command and then drops the connection without warning the user.

who local_ip
Shows the IP addresses currently accessing the PIX Firewall through Telnet.


The parameters of these commands are:
- ip_address: the IP address of a host or network that may Telnet to the PIX Firewall. If no interface name (if_name) is given, the default is the inside interface. The PIX Firewall checks the address against the addresses entered with the ip address command to make sure the address you give belongs to the inside network (software versions below 5.0).
- netmask: the network mask for the IP address. To limit access to a single IP address use 255 in every octet (for example 255.255.255.255). If you omit the netmask, the default is 255.255.255.255 for the local_ip address class. Do not use the subnet mask of the inside network: this mask is only a bit mask for the IP address in ip_address.
- if_name: if IPsec is operating, the PIX Firewall lets you give the name of an unsecured interface, usually the outside one. At a minimum the crypto map command must be configured before an interface name can be given with the telnet command.
- minutes: the number of minutes a Telnet session may stay idle before the PIX Firewall closes it. The default is 5 minutes; the range is 1 to 60.
- telnet_id: the identifier of the Telnet session.
- local_ip: an optional inside IP address that limits the listing to one IP address or one network address.

2.5. The hostname and ping commands

The hostname command changes the label on the prompt. A hostname can have up to 16 upper- or lower-case alphabetic characters; the default hostname is pixfirewall. The ping command is used to find out whether the PIX Firewall has connectivity, or whether a host (as seen by the PIX Firewall) exists on the network. If the host exists, the ping receives a reply; otherwise the message NO response received appears (in that case use show interface to make sure the PIX Firewall is connected to the network and passing traffic). By default ping tries the destination host 3 times. Once the PIX Firewall is configured and running, you cannot ping its inside interface (the inside network) from the outside network or from the outside interface of the PIX Firewall. If you can ping inside networks from the inside interface and outside networks from the outside interface, the PIX Firewall is performing its normal function correctly.

2.6. The show command

The show command displays command information; it is usually combined with other commands to show that command's system information. You can enter show together with ? to see the names of the show commands and their descriptions. Examples of the various show commands:
- show interface: displays network interface information. It is the first command to use when trying to establish a connection.
- show history: displays the previous command lines.
- show memory: displays a summary of the maximum physical memory and the memory currently free on the PIX Firewall.
- show version: displays the PIX Firewall software version, the uptime since the last reboot, the processor type, the Flash memory type, the interface boards and the serial number (BIOS ID).
- show xlate: displays translation slot information.
- show cpu usage: displays CPU utilisation. This command is used in configuration or privileged mode.
- show ip address: displays the IP addresses assigned to the network interfaces. The current IP address is the same as the system IP address on the active failover unit; when the active unit fails, the current IP address becomes the standard (system) IP address.


2.7. The name command

The name command configures a list of name-to-IP-address mappings on the PIX Firewall, so that names can be used in the configuration instead of IP addresses. The syntax is:

name ip_address name

- ip_address: the IP address of the host being named.
- name: the name assigned to the IP address. Names may use the characters a-z, A-Z, 0-9, the hyphen and the underscore; a name cannot begin with a digit, and the command fails if a name is longer than 16 characters.

Once a name is defined it can be used in any PIX Firewall command that refers to an IP address. The names command enables the use of the name command. The clear names and no names commands are equivalent. The show name command lists the name statements in the configuration.


CHAPTER 3. CONFIGURATION, ADDRESS TRANSLATION AND ACCESS CONTROL IN THE PIX FIREWALL

I. Basic PIX Firewall configuration commands

There are six basic configuration commands for the PIX Firewall:
- nameif: assigns a name to each perimeter network interface and specifies its security level.
- interface: configures the type and capability of each perimeter interface.
- ip address: assigns an IP address to each interface.
- nat: hides the addresses on the inside network from the outside network.
- global: hides the IP addresses on the inside network from the outside network using a pool (a range of public addresses) of IP addresses.
- route: defines a static or default route for an interface.

1. The nameif command

The nameif command assigns a name to each perimeter interface on the PIX Firewall and specifies its security level (except the inside and outside interfaces, which have defaults). The syntax is:

nameif hardware_id if_name security_level

- hardware_id: specifies a perimeter interface and its slot position on the PIX Firewall. Three interface types can be entered here: Ethernet, FDDI or Token Ring. Each interface is described by an alphanumeric identifier made up of the interface type and a number you choose for it; for example, Ethernet interfaces are described as e1, e2, e3 and so on, FDDI interfaces as fddi1, fddi2, fddi3 and so on, and Token Ring interfaces as token-ring1, token-ring2, token-ring3 and so on.
- if_name: describes the perimeter interface. You assign this name and must use it in all later configuration that refers to the interface.
- security_level: the security level of the perimeter interface; enter a level from 1 to 99.

2. The interface command

The interface command identifies the hardware, sets its speed and enables the interface. When an Ethernet card is added and installed in the PIX Firewall, the PIX Firewall recognises and adds the card automatically. The syntax is:

interface hardware_id hardware_speed [shutdown]

- hardware_id: specifies an interface and its slot position on the PIX Firewall; this is the same value used in the nameif command.
- hardware_speed: sets the connection speed. The Ethernet values are:
  - 10baset: 10 Mbps half-duplex Ethernet.
  - 10full: 10 Mbps full-duplex Ethernet.
  - 100basetx: 100 Mbps half-duplex Ethernet.
  - 100full: 100 Mbps full-duplex Ethernet.
  - 1000sxfull: 1000 Mbps full-duplex Gigabit Ethernet.
  - 1000basesx: 1000 Mbps half-duplex Gigabit Ethernet.
  - 1000auto: Gigabit Ethernet at 100 Mbps, auto-negotiating half or full duplex. It is recommended not to use this option, to preserve compatibility with switches and other devices in the network.
  - aui: 10 Mbps half-duplex Ethernet on an AUI cable interface.
  - auto: automatic Ethernet speed. The auto keyword can only be used with Intel 10/100 network cards.
  - bnc: 10 Mbps half-duplex Ethernet on a BNC cable interface.
  - 4mbps: sets the data rate to 4 Mbps.
  - 16mbps (default): sets the data rate to 16 Mbps.
- shutdown: administratively disables the interface.

3. The ip address command

Every interface on the PIX Firewall must be configured with an IP address. The syntax is:

ip address if_name ip_address [netmask]

- if_name: describes the interface. You assign this name and must use it in all later configuration.
- ip_address: the IP address of the interface.
- netmask: if no network mask is given, the default mask is used.

After configuring the IP address and mask, use the show ip command to display the addresses assigned to the network interfaces.

4. The nat command

Network Address Translation (NAT) keeps the inside IP addresses, those behind the PIX Firewall, unknown to outside networks. NAT does this by translating the inside, non-unique IP addresses into unique IP addresses before the packets are sent to the outside network. The syntax is:

nat [(if_name)] nat_id local_ip [netmask]

- if_name: the name of the inside network interface whose addresses will be translated to public addresses.
- nat_id: identifies the global pool and matches it with the corresponding nat command.
- local_ip: the IP address assigned to the interface on the inside network.
- netmask: the network mask for the local IP address. You can use 0.0.0.0 to allow all outbound connections to be translated with IP addresses from the global pool.

When first configuring the PIX Firewall, you can let all inside hosts make outbound connections with the command nat 1 0.0.0.0 0.0.0.0. That command enables NAT and allows every inside host to connect outward. The nat command can also specify a single host or a range of hosts to give finer control over access. When an outbound IP packet sent from a device on the inside network reaches the PIX Firewall, its source address is extracted and compared with the existing translation table. If the device's address is not in the table, it is translated and a new entry is created for that device, assigning it a public IP address from the public address range. After the translation the table is updated and the packet, with its translated IP address, is sent out. After the user-configured timeout period (or the default value of 2 minutes) passes with no packets translated for that particular IP address, the public address is released for use by another inside device.

5. The global command

The syntax of the global command is:

global [(if_name)] nat_id global_ip [-global_ip] [netmask global_mask] | interface

- if_name: the name of the outside network interface where the global addresses are used.
- nat_id: identifies the global pool and matches it with the corresponding nat command.
- global_ip: a single IP address or the start of a range of public IP addresses.
- -global_ip: the end of a range of public IP addresses.
- netmask global_mask: the network mask for global_ip. If subnetting is used, use the subnet mask (for example 255.255.255.128). If you specify a range that crosses subnet boundaries with the netmask option, the command does not use the network or broadcast addresses in the public range. For example, with the range 192.150.50.20-192.150.50.140, the network address 192.150.50.128 and the broadcast address 192.150.50.127 are excluded from the public range.
- interface: specifies PAT using the IP address of the interface.

If the nat command is used, its companion global command must be configured to define the range of IP addresses to translate to. To remove a global entry, use the no global command, for example no global (outside) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0. The PIX Firewall assigns addresses from the range starting at the lowest address and proceeding to the highest address specified in the global command; it uses the public addresses to assign a virtual address to the inside NAT address. After adding, changing or removing a global statement, use the clear xlate command to make the IP addresses available in the translation table.

6. The route command

The route command defines a static or default route for an interface. The syntax is:

route if_name ip_address netmask gateway_ip [metric]

- if_name: the name of the inside or outside network interface.
- ip_address: the inside or outside network IP address. Use 0.0.0.0 to specify the default route; 0.0.0.0 can be abbreviated to 0.
- netmask: the network mask applied to ip_address. Use 0.0.0.0 to specify the default route; 0.0.0.0 can be abbreviated to 0.
- gateway_ip: the IP address of the gateway router (the next hop for this route).
- metric: the number of hops to gateway_ip. If you are not sure, enter 1; your WAN administrator can supply this information, or you can use traceroute to obtain the hop count. The default is 1 if no metric is given.

II. Address translation in the PIX Firewall

1. Overview of NAT

1.1. Description of NAT

Address translation replaces the real address in a packet with a mapped address that is routable on the destination network. NAT has two steps: a process that translates the real address into the mapped address, and a process that translates it back. The PIX Firewall translates an address when a NAT rule matches the packet; if no NAT rule matches, processing of the packet continues. The exception is when NAT control is enabled: NAT control requires that packets from an interface with a higher security level (inside) to one with a lower security level (outside) match a NAT rule, otherwise the packets are dropped. NAT has the following benefits:
- Private addresses can be used on the inside network; these addresses are not routable on the Internet.
- NAT hides the real address of an inside host from other networks, so attackers cannot learn the real address of an inside host.
- It can resolve overlapping IP address ranges.

1.2. NAT control

NAT control requires that packets from an interface with a higher security level (inside) to one with a lower security level (outside) match a NAT rule. Any inside host that accesses a host on the outside network must have address translation configured.

Interfaces with the same security level do not require NAT to communicate with each other. However, if you configure dynamic NAT or PAT on interfaces with the same security level, all traffic from that interface to an interface with the same security level or to the outside interface must match a NAT rule.


Similarly, if outside dynamic NAT or PAT is enabled, all outside traffic must match a NAT rule when accessing the inside network.

2. Types of NAT

2.1. Dynamic NAT

Dynamic NAT translates a group of real addresses into a range of mapped addresses that are routable on the destination network. There may be fewer mapped addresses than real addresses. When a host needs translation to reach the destination network, the PIX assigns it an address from the mapped range. A translation is added only when the real host initiates a connection, and it is maintained for the life of that connection; the host does not keep the mapped IP address once the translation times out. A user on the destination network cannot initiate a connection to a host that uses dynamic NAT, even if an access list allows the connection (a connection can only be initiated while the translation exists).


Vi Dynamic Nat m di a ch c nh x c s a ch t hn s a ch thc ca mng inside th xy ra tnh trng thiu a ch nu s lu lng vt qua mc mong mun. 2.2. PAT PAT dch mt nhm cc a ch thc thnh mt a ch c nh x. c bit, PIX dch a ch thc v port ngun (real socket) thnh a ch c nh x v mt port duy nht (mapped port) ln hn 1024. Mi mt kt ni yu cu mt translation ring bit bi v port ngun l khc nhau cho mi kt ni. 2.3. Static NAT Static NAT to mt translation c nh ca mt (hoc nhiu) a ch thc n mt (hoc nhiu) a ch c nh x. i vi Dynamic NAT hoc PAT th mi host s s dng a ch hoc cng khc nhau cho mi translation. Bi v a ch c nh x l nh nhau cho cc kt ni lin tc v tn ti mt translation c nh do vi static Nat, ngi s dng mng ch c th khi to mt kt ni n host c dch (nu accsess list) cho php. 2.4. Static PAT Static PAT cng tng t nh Static NAT, ngoi tr chng ta cn phi ch ra giao thc (TCP hoc UDP) v cng cho a ch thc v a ch c nh x.

3. Configuring NAT control

NAT control requires packets passing from an inside interface to the outside interface to match a NAT rule. To enable NAT control use the following command:

hostname(config)# nat-control

To disable NAT control use the no form of the command.

4. Using dynamic NAT and PAT

4.1. How dynamic NAT and PAT work

+ For dynamic NAT and PAT, first configure a nat command to identify the real addresses on the interfaces to be translated, then configure a separate global command to specify the mapped addresses. Each nat command is linked to a global command by a number called the NAT ID, given in both the nat and the global command.

+ A nat command can be entered for each interface using the same NAT ID; they all use the same global command with that NAT ID.


hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10

+ A global command can also be entered for each interface using the same NAT ID.

hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
hostname(config)# global (dmz) 1 10.1.1.23

+ Using different NAT IDs, different real addresses can be given different mapped addresses.


hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (inside) 2 192.168.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
hostname(config)# global (outside) 2 209.165.201.11

+ Several global commands can be entered for one interface with the same NAT ID. The PIX Firewall uses the dynamic NAT global commands first, in the order they were configured, and only then the dynamic PAT global command. Using both a dynamic NAT global and a dynamic PAT global is useful when dynamic NAT is needed for a particular application and the dynamic PAT global provides a fallback once the dynamic NAT global runs out of addresses.


hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.4
hostname(config)# global (outside) 1 209.165.201.5
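As an added example for the nat/global mechanism of sections I.4 and I.5 and the NAT-to-PAT fallback just shown (written for this page, not the thesis's or Cisco's code), the following Python models the global pool, the netmask rule that skips network and broadcast addresses, NAT ID matching and the fallback to the PAT address; the pools, interfaces and hosts are constructed sample values.

```python
"""Added example (not from the thesis or Cisco): a Python model of how a
nat/global pair hands out mapped addresses.  All interface names, pools
and hosts are constructed sample values."""
import ipaddress


def expand_global_range(first, last, netmask=None):
    """Addresses that `global first-last [netmask m]` can hand out, lowest to
    highest.  With a netmask, the network and broadcast address of every
    subnet the range touches are skipped, as the thesis describes."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    addrs = []
    for n in range(lo, hi + 1):
        addr = ipaddress.IPv4Address(n)
        if netmask is not None:
            subnet = ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)
            if addr in (subnet.network_address, subnet.broadcast_address):
                continue
        addrs.append(str(addr))
    return addrs


class NatModel:
    """Constructed model of nat/global handling (not real PIX code)."""

    def __init__(self):
        self.nat_rules = []   # (if_name, nat_id, IPv4Network), configured order
        self.pools = {}       # nat_id -> [pool, ...], configured order
        self.xlate = {}       # real ip -> mapped ip, or (real ip, port) -> (ip, port)
        self.next_pat_port = 1025

    def nat(self, if_name, nat_id, local_ip, mask):
        net = ipaddress.IPv4Network(f"{local_ip}/{mask}", strict=False)
        self.nat_rules.append((if_name, nat_id, net))

    def global_(self, if_name, nat_id, first, last=None, netmask=None):
        # A single address is a dynamic PAT global; a range is a NAT pool.
        kind = "pat" if last is None else "nat"
        pool = {"if": if_name, "kind": kind, "spec": (first, last, netmask)}
        pool["free"] = [] if kind == "pat" else expand_global_range(first, last, netmask)
        self.pools.setdefault(nat_id, []).append(pool)

    def translate(self, real_if, real_ip, src_port):
        """Mapped (ip, port) for a new outbound connection; None when no nat
        rule matches or every pool for the NAT ID is exhausted."""
        for if_name, nat_id, net in self.nat_rules:
            if if_name == real_if and ipaddress.IPv4Address(real_ip) in net:
                break
        else:
            return None
        if real_ip in self.xlate:                  # existing dynamic NAT slot
            return (self.xlate[real_ip], src_port)
        if (real_ip, src_port) in self.xlate:      # existing PAT slot
            return self.xlate[(real_ip, src_port)]
        pools = self.pools.get(nat_id, [])
        # Dynamic NAT pools are used first, in configured order ...
        for pool in pools:
            if pool["kind"] == "nat" and pool["free"]:
                mapped = pool["free"].pop(0)       # lowest address first
                self.xlate[real_ip] = mapped
                return (mapped, src_port)
        # ... and only when they are empty does the PAT global take over.
        for pool in pools:
            if pool["kind"] == "pat":
                mapped = (pool["spec"][0], self.next_pat_port)
                self.next_pat_port += 1
                self.xlate[(real_ip, src_port)] = mapped
                return mapped
        return None

    def clear_xlate(self):
        """Like `clear xlate`: drop every slot and refill the pools."""
        self.xlate.clear()
        self.next_pat_port = 1025
        for pools in self.pools.values():
            for pool in pools:
                if pool["kind"] == "nat":
                    pool["free"] = expand_global_range(*pool["spec"])


def sample_session():
    """Replays the fallback example above: a two-address NAT pool and a PAT
    address under NAT ID 1, four inside hosts opening connections, then the
    first host returning."""
    pix = NatModel()
    pix.nat("inside", 1, "10.1.2.0", "255.255.255.0")
    pix.global_("outside", 1, "209.165.201.3", "209.165.201.4")
    pix.global_("outside", 1, "209.165.201.5")
    results = [pix.translate("inside", f"10.1.2.{h}", 40000 + h)
               for h in (10, 11, 12, 13, 10)]
    return pix, results


if __name__ == "__main__":
    pix, results = sample_session()
    for r in results:
        print(r)
    print(len(expand_global_range("192.150.50.20", "192.150.50.140",
                                  "255.255.255.128")), "usable addresses")
```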

+ For outside NAT, use the outside keyword in the nat command.

hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 outside
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.4
hostname(config)# global (inside) 1 10.1.2.30-10.1.2.40


4.2. Configuring dynamic NAT and PAT

Configuring dynamic NAT and PAT is similar: NAT uses a range of mapped addresses, while dynamic PAT uses only a single address.
+ Only translated hosts can create a NAT session. With dynamic NAT the mapped addresses are assigned dynamically from the range defined by the global command.
+ Only translated hosts can create a NAT session. With dynamic PAT the mapped address defined by the global command is the same for every translation, while the ports are assigned dynamically.


hostname(config)# nat (real_interface) nat_id real_ip [mask [dns] [outside] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]]
hostname(config)# global (mapped_interface) nat_id {mapped_ip[-mapped_ip] | interface}

5. Using static NAT

With static NAT the translation is always active, because the mapped addresses are assigned statically by the static command.
+ Do not use the same real or mapped address in more than one static command between the same two interfaces. Do not use a mapped address in a static command if that address is already defined in a global command for the same mapped interface.
+ If you remove a static command, existing connections that use the translation are not affected by the clear xlate command; use the clear local-host command instead.

To configure static NAT use one of the two following commands. For policy static NAT, enter:

hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface} access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Create the access list with the access-list command; this access list may contain only permit ACEs. The source subnet mask used in the access list is also used for the mapped address. The real and source ports can also be specified in the access list using the eq operator.

For regular static NAT, enter:

hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface} real_ip [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]


6. Using static PAT

Static PAT translates the real address to a mapped IP address and the real port to a mapped port. Normally PAT translates the real port to a different mapped port, but you can also choose to translate a real port to the same port number.

To configure static PAT use one of the two following commands. For policy static PAT, enter:

hostname(config)# static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Create the access list with the access-list command; this access list may contain only permit ACEs. The source subnet mask used in the access list is also used for the mapped address. The real and source ports can also be specified in the access list using the eq operator.

For regular static PAT, enter:

hostname(config)# static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port real_ip real_port [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

III. ACCESS LISTS

1. Overview of access lists

+ An access list is made up of one or more Access Control Entries (ACEs). An ACE is an entry in an access list that forms a permit or deny rule applied to a protocol, a source and destination IP address or network, and optionally source and destination ports.
+ Access list types: Standard, Extended, EtherType, Webtype.

1.1. Order of ACEs

An access list is made up of one or more Access Control Entries (ACEs). Depending on the access list type you can specify source and destination addresses, protocols, ports (TCP or UDP), ICMP type (for ICMP) or EtherType. The order of the ACEs is very important: when the PIX firewall decides whether to forward or drop a packet, it tests the packet against each ACE in the order in which they appear in the list. For example, if you create an ACE permitting all traffic at the start of the access list, no later statement is ever checked. An ACE can be disabled with the inactive keyword in the access-list command.

1.2. Implicit deny

An access list has an implicit deny at its end, so unless you permit traffic it cannot pass. For example, to let all traffic from a network pass through the PIX except one particular address, deny that address first and then permit all the other addresses.

1.3. IP addresses used in access lists with NAT

When NAT is in use, the IP addresses you specify in an access list depend on the interface the access list is attached to: you must use the addresses valid on the network connected to that interface. This rule applies to both inbound and outbound access lists: the direction does not decide which address is used, only the interface does.

+ NAT used for the source address
hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225
hostname(config)# access-group INSIDE in interface inside

+ NAT used for the destination address
hostname(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5
hostname(config)# access-group OUTSIDE in interface outside

+ NAT used for both the source and destination IP addresses
hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 10.1.1.56
hostname(config)# access-group INSIDE in interface inside

2. Configuring access lists
2.1. The access-list command

The access-list command specifies whether an IP address is permitted or denied access to a protocol or port. By default all access in an access list is denied, so the traffic that should pass must be permitted explicitly. The show access-list command lists the entries in the access list configuration. The clear access-list command removes the access lists from the PIX Firewall configuration; if an acl_ID is given, only the matching ACL is removed.
+ acl_ID: the name of an ACL, which may be a name or a number
+ deny: deny access
+ permit: permit access
+ protocol: the name or number of a TCP/IP protocol; it can be one of the keywords icmp, ip, tcp or udp, or a number in the range 1 to 254
+ source_addr: the source address
+ source_mask: the source subnet mask
+ operator: a comparison operator such as eq, neq, lt, gt
+ port: the port number
+ destination_addr: the destination address
+ destination_mask: the destination subnet mask
2.2. The access-group command

Command                                              Description
access-group acl_ID in interface interface_name      Bind an ACL to an interface
no access-group acl_ID in interface interface_name   Remove the binding of an ACL to an interface
show access-group acl_ID in interface interface_name Show the ACL currently bound to an interface
clear access-group                                   Remove the access-group commands
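The ordering and implicit-deny rules of sections 1.1 and 1.2, together with the access-list syntax above, as an added Python example (it is not code from the thesis or from Cisco): it parses extended ACEs in the form used in this chapter, evaluates a flow against them in order so that the first matching ACE decides and nothing matching falls through to the implicit deny, and reports ACEs that can never match because an earlier ACE already covers them. The ACL lines are constructed; the parser supports only the permit/deny, protocol, source, destination, eq and inactive fields shown above.

```python
"""Ordered ACE evaluation with implicit deny, following the PIX access-list
semantics described above (first matching ACE wins; no match -> deny).
Added example, not code from the thesis; the ACL lines below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port given with "eq"; None = any port
    inactive: bool = False       # the "inactive" keyword disables the ACE


def _net(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX access lists take a normal subnet mask (255.255.255.0), not a wildcard mask
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended {permit|deny} PROTO SRC DST [eq PORT] [inactive]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    action, proto = t[3], t[4]
    src, i = _net(t, 5)
    dst, i = _net(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport, i = int(t[i + 1]), i + 2
    return ACE(action, proto, src, dst, dport, inactive="inactive" in t[i:])


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def matches(ace, proto, src, dst, dport):
    if ace.inactive:
        return False
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ace.src or ipaddress.ip_address(dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == dport


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index of the matching ACE); ("deny", None) is the implicit deny."""
    for idx, ace in enumerate(acl):
        if matches(ace, proto, src, dst, dport):
            return ace.action, idx
    return "deny", None


def shadowed(acl):
    """Indices of ACEs that can never match because an earlier active ACE already covers them."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if earlier.inactive:
                continue
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and earlier.dport in (None, later.dport)):
                out.append(j)
                break
    return out


# Constructed ACL illustrating section 1.2: deny one address, then permit the rest of
# the network. The third ACE is fully covered by the second and is therefore dead.
SAMPLE_ACL = parse_acl("""
access-list INSIDE extended deny ip host 10.1.1.56 any
access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 any
access-list INSIDE extended permit tcp 10.1.1.0 255.255.255.0 host 209.165.200.225 eq 80
""")

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, "tcp", "10.1.1.56", "209.165.200.225", 80))  # ('deny', 0)
    print(evaluate(SAMPLE_ACL, "tcp", "10.1.1.7", "209.165.200.225", 80))   # ('permit', 1)
    print(evaluate(SAMPLE_ACL, "udp", "10.2.2.2", "209.165.200.225", 53))   # ('deny', None)
    print(shadowed(SAMPLE_ACL))                                              # [2]
```

Running shadowed() over an ACL that starts with permit ip any any marks every later ACE as dead, which is exactly the mistake section 1.1 warns about; a review of an access list before it is applied with access-group should treat any shadowed ACE as a configuration error, because the policy the author intended is not the policy the firewall enforces.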

CHAPTER 4
DESIGNING A SECURE NETWORK FOR THE COLLEGE OF MECHANICAL ENGINEERING AND METALLURGY USING A PIX FIREWALL
I. Survey of the current network and the upgrade requirements
1. Current state of the system
A survey of the current network of the College of Mechanical Engineering and Metallurgy shows that it is still a very simple system, which can be modelled as follows:

* Network links
+ Internet link: the current system has only a single 2 Mbps ADSL Internet connection from VNPT.
+ Internal network: the LAN connecting the buildings and departments uses 4-pair UTP cable.

* Services provided: at present the college's network is used only for exchanging information between machines on the LAN and for Internet access; no other service is provided.
* Main devices
Catalyst 2950 switch
Planet FNSW 1601 switch
ADSL modem
Workstations in the offices
2. Assessment of the system's performance and security
* System performance
At present the system only uses hubs to distribute network traffic. These devices do not separate collision domains, so when one machine transmits, every other machine in the same collision domain receives that traffic. As a result a large part of the traffic on the network is useless traffic, which significantly reduces network performance. If the network is expanded further in the future, the system may become paralysed. In addition the system uses a single ADSL modem for Internet access, so the connection is not really stable and may drop.
* System security
Risk of data loss
For the current network the risk of data loss is very high. This risk can come from two directions: from the Internet and from inside the college's own network.
Risk of information loss from the Internet: the college network is connected to the Internet, but no security device or program protects the system against intrusion from outside. Attackers can use trojan-type malware to gain access to the system and steal or destroy information.
Risk of information loss from inside the system: with the current switches, anyone on the network can easily use sniffing programs (such as Cain & Abel) to steal information transmitted on the network (user names and passwords).
Being attacked
Systems connected to the Internet are frequently attacked by hackers. Attacks can also originate inside the network: if a computer on the network is infected with a virus capable of attacking the network, or runs network attack programs, the whole network may be paralysed and unable to reach the Internet. An attack may also be carried out by a member of the organisation itself.
3. Requirements for upgrading the college's current network
The analysis shows that the current network of the College of Mechanical Engineering and Metallurgy has low performance and many network security risks. In addition, the college wants to build servers providing mail and web services to all of its staff. The college management has decided to upgrade the entire network to resolve the performance and security problems and to ensure that the planned services can be provided.


II. Network design using the PIX firewall
1. Design diagram of the new system
Build web and mail servers, add one more ADSL line for Internet access and one leased line dedicated to the servers, and replace the hubs with Catalyst 2960 switches to improve system performance. In particular, a PIX firewall is used to raise the security level of the network. The college network is designed as follows:

The network in the model above has the following characteristics:
* Servers are built to deploy the web server and mail server services required at the outset.
* One more 2 Mbps ADSL line is used for user Internet access. The system now has two ADSL lines running through a Draytek V2930 load balancer. This greatly improves users' Internet access speed and, in particular, increases the stability of the Internet connection so that it no longer drops.


* A dedicated 384 Kbps leased line is used for the servers to guarantee them a stable link.
* Cisco switches are used to divide the LAN into virtual LANs (VLANs): the hubs connecting the departments are replaced by VLAN-capable switches and each department is placed in its own VLAN. The purpose is to limit broadcasts across the whole network, which congest the links, and so raise network performance; it also eases management, allows different policies to be applied to each department and speeds up troubleshooting when problems occur.
* A hardware firewall (Cisco PIX Firewall) is used to protect the server system and the college's internal network. The firewall divides the network into three zones with different security levels:
Outside: the Internet zone, with the lowest security level
DMZ: the zone containing the servers; the servers can reach the Outside zone
Inside: the internal network, the zone with the highest protection level; machines in the inside zone can reach both outside and the DMZ
Estimated cost of upgrading the whole system:
After the upgrade the network keeps the existing workstations, one 2960 switch, the UTP cabling and one ADSL modem. The new system requires the following new equipment, with estimated prices and configuration costs (prices are for reference only, at the time of the survey):
+ 2 CISCO1841 Modular Router w/2xFE, 2 WAN slots, 32 FL/128 DR: 950 x 2 = 1900 USD
+ Vigor 2910 load balancer: 95 USD
+ ADSL modem: 20 USD
+ PIX 515: 980 USD
+ SGHDSL DATACRAFT 560 NTU leased-line modem: 180 USD
+ 4 Switch 2960: 600 x 4 = 2400 USD
+ 3 IBM SERVER x3200 - M2: 850 USD x 3 = 2550 USD
+ Website design and server configuration: 800 USD
+ Configuration of the Cisco devices (PIX, switches, routers): 750 USD
The total estimated cost of upgrading the whole system is therefore about 9,675 USD. In addition the college must pay the monthly ADSL and leased-line subscriptions.
2. Address allocation
After assigning each office its own VLAN, the VLAN layout is as follows:
[Figure: VLAN and addressing diagram. Labels recoverable from the figure: 192.168.128.0 /24 with hosts .1, .2, .3, .4, .5; 118.71.120.10; 118.71.120.11 Fa0/0]

VLAN assignment
VLAN_ID   VLAN name   Description
1         VLAN 1      Not used
2         VLAN 2      Finance and Accounting VLAN
3         VLAN 3      Trade Union VLAN
4         VLAN 4      Student Management VLAN
5         VLAN 5      International Relations VLAN
6         VLAN 6      Faculty Office VLAN
7         VLAN 7      Training VLAN
99        VLAN 99     Management VLAN


IP address assignment
* PIX firewall
Interface    Name      Security level   IP address       Subnet mask
Ethernet 0   Inside    100              192.168.128.1    255.255.255.248
Ethernet 1   DMZ       50               192.168.128.2    255.255.255.252
Ethernet 2   Outside   0                118.71.120.10    255.255.255.0

* Cisco 1841 router
Interface   IP address                    Subnet mask      Description
Fa0/0       118.71.120.11                 255.255.255.0    Connected to the PIX Firewall
Fa0/1       address assigned by the ISP                    Connected to the leased line

* Servers
No.   Service      Inside local IP
1     Email, DNS   192.168.128.3
2     Web          192.168.128.4
3     ISA Server   192.168.128.5 and 192.168.128.6

* Inside hosts
VLAN ID   VLAN name   IP address range                Subnet mask
2         VLAN2       192.168.2.1 - 192.168.2.254     /24
3         VLAN3       192.168.3.1 - 192.168.3.254     /24
4         VLAN4       192.168.4.1 - 192.168.4.254     /24
5         VLAN5       192.168.5.1 - 192.168.5.254     /24
6         VLAN6       192.168.6.1 - 192.168.6.254     /24
7         VLAN7       192.168.7.1 - 192.168.7.254     /24
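A check of the address plan above for overlapping subnets, as an added Python example (not part of the thesis). The PLAN entries are transcribed from the PIX interface table, the router table and the inside VLAN ranges, with the /29 and /30 masks exactly as the PIX table gives them; the segment label is an assumption marking which entries are meant to share one subnet (the PIX outside interface and router Fa0/0 sit on the same link). The SERVERS list is taken from the server table and is expected to belong to the DMZ.

```python
"""Overlap check for the address plan above. Added example, not part of the thesis;
PLAN and SERVERS are transcribed from the design tables, the 'segment' labels are an
assumption about which entries share one link."""
import ipaddress
from itertools import combinations

# (name, segment, interface address, subnet mask) as given in the design tables
PLAN = [
    ("PIX e0 inside",  "inside",  "192.168.128.1", "255.255.255.248"),
    ("PIX e1 dmz",     "dmz",     "192.168.128.2", "255.255.255.252"),
    ("PIX e2 outside", "outside", "118.71.120.10", "255.255.255.0"),
    ("Router Fa0/0",   "outside", "118.71.120.11", "255.255.255.0"),
]
PLAN += [(f"VLAN{v}", f"vlan{v}", f"192.168.{v}.1", "255.255.255.0") for v in (2, 3, 4, 5, 6, 7, 99)]

# Server addresses from the server table; they are supposed to live in the DMZ
SERVERS = [("Email/DNS", "192.168.128.3"), ("Web", "192.168.128.4"),
           ("ISA", "192.168.128.5"), ("ISA", "192.168.128.6")]


def network_of(addr, mask):
    """Interface address + mask -> the subnet it belongs to."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def overlapping_subnets(plan):
    """Sorted pairs of names on different segments whose subnets overlap."""
    nets = [(name, seg, network_of(a, m)) for name, seg, a, m in plan]
    hits = []
    for (n1, s1, net1), (n2, s2, net2) in combinations(nets, 2):
        if s1 != s2 and net1.overlaps(net2):
            hits.append((n1, n2))
    return sorted(hits)


def misplaced_hosts(plan, expected_segment, hosts):
    """Hosts that are not inside the subnet of the segment they should be on, or that
    are claimed by more than one segment; returns (name, ip, claiming segments)."""
    nets = [(s, network_of(a, m)) for _, s, a, m in plan]
    problems = []
    for name, ip in hosts:
        addr = ipaddress.ip_address(ip)
        claims = sorted({s for s, net in nets if addr in net})
        if expected_segment not in claims or len(claims) > 1:
            problems.append((name, ip, claims))
    return problems


if __name__ == "__main__":
    for a, b in overlapping_subnets(PLAN):
        print(f"overlap: {a} <-> {b}")
    for name, ip, claims in misplaced_hosts(PLAN, "dmz", SERVERS):
        print(f"host {name} {ip} is claimed by segments {claims}")
```

With the masks from the table, the inside subnet 192.168.128.0/29 contains the whole DMZ subnet 192.168.128.0/30 as well as the server addresses .3 to .6, so the check reports the inside/DMZ pair and all four servers. Two firewall interfaces cannot share address space, so a plan like this has to be corrected before it is loaded onto the PIX; the simulated PIX configuration later in this chapter does in fact use a different subnet (192.168.1.0/24) on the inside interface.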


* Workstation IP configuration
IP address: 192.168.x.y
Subnet mask: /24
Gateway: 192.168.x.1
DNS: 192.168.128.3
where x is the corresponding VLAN number and y is the host number within the VLAN (y runs from 1 to 254)
3. Simulation configuration of the system

3.1. Software used for the simulation
3.1.1. GNS3
GNS3 is a graphical network simulator. It allows complex networks to be simulated using the Cisco network operating system: GNS3 lets us run a Cisco IOS in a virtual environment on a personal computer. GNS3 runs the real IOS images of devices such as the PIX and routers; this project uses the images pix722_2.bin and C2691-IS.BIN. Because real IOS images are run, the software is very CPU-intensive, so the BES 1.2.2 utility is also used to limit CPU usage.


3.1.2. VMware Workstation
GNS3 does not provide a PC device; instead it provides a component called a cloud for connecting to third-party PCs such as vpcs or VMware. This project uses VMware to simulate the personal computers on the internal network, a user on the outside Internet, and the server in the DMZ.
* Functions of the components in the model
+ Web server: a VMware machine running Windows Server 2003. The web server service is configured on this VM to publish the website http://www.cdluyenkim.com. Users on the college's internal network (inside zone) and users on the outside Internet can both reach this website. The server also runs DNS to map the website name to the web server's IP address.
+ Inside host: a VMware machine running Windows XP, with its gateway set to the address of the PIX firewall's e0 interface and DNS pointing to the web server's IP address.
+ Outside host: a VMware machine running Windows Server 2003, used to test connectivity to the web server.
+ PIX Firewall: runs the real IOS image pix722_2.bin.
3.1.3. Packet Tracer 5.0
The hosts in the inside zone are divided into VLANs in Packet Tracer, which is also used to configure routing between those VLANs.


3.2. Configuring the network
* VLAN configuration


Final configurations
* Router
Current configuration : 1085 bytes
!
version 12.4
no service password-encryption
!
hostname Router
!
!
!
!
!
ip ssh version 1
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/0.4
 encapsulation dot1Q 4
 ip address 192.168.4.1 255.255.255.0
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
!
interface FastEthernet0/0.6
 encapsulation dot1Q 6
 ip address 192.168.6.1 255.255.255.0
!
interface FastEthernet0/0.7
 encapsulation dot1Q 7
 ip address 192.168.7.1 255.255.255.0
!
interface FastEthernet0/0.99
 encapsulation dot1Q 99
 ip address 192.168.99.1 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
!
!
!
!
line con 0
line vty 0 4
 login
!
!
End

* Switch S1
Current configuration : 1346 bytes
!
version 12.2
no service password-encryption
!
hostname S1
!
!
!
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 7
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk native vlan 99
 switchport mode trunk
interface range FastEthernet0/4 - 24
 shutdown
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 ip address 192.168.99.11 255.255.255.0
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
!
End

* Switch S2
Current configuration : 1346 bytes
!
version 12.2
no service password-encryption
!
hostname S2
!
!
!
interface FastEthernet0/1
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 6
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk native vlan 99
 switchport mode trunk
!
interface range FastEthernet0/4 - 24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 ip address 192.168.99.12 255.255.255.0
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
!
End

* Switch S3
Building configuration...
Current configuration : 1379 bytes
!
version 12.2
no service password-encryption
!
hostname S3
!
!
!
interface FastEthernet0/1
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 4
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk native vlan 99
 switchport trunk allowed vlan 4
 switchport mode trunk
!
interface range FastEthernet0/4 - 24
 shutdown
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 ip address 192.168.99.13 255.255.255.0
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
!
End

* Switch S4
Current configuration : 1538 bytes
!
version 12.2
no service password-encryption
!
hostname S4
!
no ip domain-lookup
!
!
interface FastEthernet0/1
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 6
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk native vlan 99
 switchport mode trunk
!
interface FastEthernet0/4
 switchport trunk native vlan 99
 switchport mode trunk
!
interface FastEthernet0/5
 switchport trunk native vlan 99
 switchport mode trunk
!
interface FastEthernet0/6
 switchport trunk native vlan 99
 switchport mode trunk
!
interface range FastEthernet0/7 - 24
 shutdown
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 ip address 192.168.99.14 255.255.255.0
!
ip default-gateway 192.168.99.1
!
line con 0

!
line vty 0 4
 login
line vty 5 15
 login
!
!
End

* PIX firewall configuration
PIX Version 7.2(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet1
 nameif dmz
 security-level 50
 ip address 192.168.128.2 255.255.255.0
!
interface Ethernet2
 nameif outside
 security-level 0
 ip address 118.71.120.1 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list aclout extended permit tcp any host 118.71.120.12 eq 80
access-list aclout extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (dmz) 1 118.71.120.14 netmask 255.255.255.0
global (outside) 1 118.71.120.13 netmask 255.255.255.0
global (outside) 2 118.71.120.15 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 2 192.168.128.0 255.255.255.0
static (dmz,outside) 118.71.120.12 192.168.128.2 netmask 0 0
access-group aclout in interface dmz
access-group aclout in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
prompt hostname context
Cryptochecksum:225c6b16b78cabaa953f1b210a6844a5
: end
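A consistency check for the switch and router VLAN configurations above, as an added Python example (not part of the thesis): it parses IOS interface stanzas and reports, per switch, access VLANs that have no router subinterface, trunks whose allowed-VLAN list drops a VLAN the switch needs (including the management VLAN 99 carrying the Vlan99 SVIs), and trunks whose native VLAN is the management VLAN. The embedded S1_CFG, S3_CFG and ROUTER_CFG are abbreviated transcriptions of the S1, S3 and router configurations above; the default VLAN 1 assumed for ports without an explicit access or native VLAN is the IOS default.

```python
"""VLAN consistency checks for the switch/router configurations above. Added
example, not part of the thesis; the configs are abbreviated transcriptions."""
import re

S1_CFG = """
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 7
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk native vlan 99
 switchport mode trunk
!
interface Vlan99
 ip address 192.168.99.11 255.255.255.0
"""

S3_CFG = """
interface FastEthernet0/1
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 4
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk native vlan 99
 switchport trunk allowed vlan 4
 switchport mode trunk
!
interface Vlan99
 ip address 192.168.99.13 255.255.255.0
"""

# Router subinterfaces: dot1Q 1 (native) plus VLANs 2-7 and 99, as configured above
ROUTER_CFG = "\n".join(
    ["interface FastEthernet0/0.1", " encapsulation dot1Q 1 native"]
    + [l for v in (2, 3, 4, 5, 6, 7, 99)
       for l in (f"interface FastEthernet0/0.{v}", f" encapsulation dot1Q {v}")])


def interfaces(cfg):
    """Split an IOS config into {interface name: [sub-commands]}; '!' ends a stanza."""
    stanzas, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            stanzas[cur] = []
        elif line == "!" or not line:
            cur = None
        elif cur is not None:
            stanzas[cur].append(line)
    return stanzas


def vlan_set(spec):
    """'2,4,10-12' -> {2, 4, 10, 11, 12}; 'all' -> None (no restriction)."""
    if spec == "all":
        return None
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def switch_ports(cfg):
    """Return (access ports {name: vlan}, trunk ports {name: (native, allowed or None)})."""
    access, trunks = {}, {}
    for name, lines in interfaces(cfg).items():
        mode, vlan, native, allowed = None, 1, 1, None   # IOS default: VLAN 1
        for l in lines:
            if l == "switchport mode access":
                mode = "access"
            elif l == "switchport mode trunk":
                mode = "trunk"
            elif l.startswith("switchport access vlan "):
                vlan = int(l.split()[-1])
            elif l.startswith("switchport trunk native vlan "):
                native = int(l.split()[-1])
            elif l.startswith("switchport trunk allowed vlan "):
                allowed = vlan_set(l.split()[-1])
        if mode == "access":
            access[name] = vlan
        elif mode == "trunk":
            trunks[name] = (native, allowed)
    return access, trunks


def routed_vlans(cfg):
    """VLAN ids terminated on the router via 'encapsulation dot1Q N'."""
    return {int(m) for lines in interfaces(cfg).values()
            for l in lines for m in re.findall(r"^encapsulation dot1Q (\d+)", l)}


def audit(switch, cfg, router_cfg, mgmt_vlan=99):
    """Return a list of finding strings for one switch."""
    findings = []
    access, trunks = switch_ports(cfg)
    needed = set(access.values()) | {mgmt_vlan}
    for v in sorted(set(access.values()) - routed_vlans(router_cfg)):
        findings.append(f"{switch}: VLAN {v} is used on access ports but has no router subinterface")
    for port, (native, allowed) in trunks.items():
        if allowed is not None:
            for v in sorted(needed - allowed):
                findings.append(f"{switch}: trunk {port} does not carry VLAN {v}")
        if native == mgmt_vlan:
            findings.append(f"{switch}: trunk {port} uses the management VLAN {mgmt_vlan} as native VLAN")
    return findings


if __name__ == "__main__":
    for name, cfg in (("S1", S1_CFG), ("S3", S3_CFG)):
        for finding in audit(name, cfg, ROUTER_CFG):
            print(finding)
```

Run against the S3 configuration as transcribed, the check reports that its trunk allows only VLAN 4, so the VLAN 3 hosts on Fa0/1 and the Vlan99 management SVI cannot reach the router through that trunk. The native-VLAN finding reflects the usual recommendation for 802.1Q trunks, which is to use a dedicated VLAN that carries no user or management traffic as the native VLAN rather than the management VLAN itself.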

4. Verifying the configuration
The inside hosts are divided into VLANs and can communicate with each other.

A user on the outside Internet or a user on the college's internal network can both reach the website hosted on the server in the DMZ.

A user in the inside zone or in the dmz zone can reach the outside Internet.

A user in the inside zone can reach the DMZ.

A user on the outside Internet cannot reach the inside zone or the DMZ.

Thus, after the PIX is deployed, users on the internal network can reach the DMZ and the Internet, while the Internet cannot reach the internal network or the college's server area.


CONCLUSION
Most transactions in Vietnam and around the world, now and in the future, take place over networks, so information security is extremely important. Studying network security and the methods of securing a network is a practical topic that is still quite new to students. The project "Designing a secure network using a PIX firewall for the College of Mechanical Engineering and Metallurgy" aims to study the basic problems and to understand the importance of network security. The project focuses on the characteristics of the PIX Firewall, a hardware security solution from Cisco, and applies it to the network model of the College of Mechanical Engineering and Metallurgy. The security strength that the Cisco PIX Firewall brings to a network is very great. However, because of the limited time available, approaching a firewall technology that is still quite new inevitably has its limitations. I welcome the comments of my teachers and friends so that I can improve my knowledge. I sincerely thank my supervisor, Ms. Bui Thi Mai Hoa, for her dedicated guidance in completing this project.
Thai Nguyen, June 2009


