
Topic: An overview of firewalls and the functions of the Cisco ASA
Student: Nguyen Quoc Lap
Student ID: 032

Main sections studied:
A - Introduction to the Cisco ASA Firewall
B - Controlling Network Access
   I - Network Address Translation (NAT)
   II - Packet Filtering
   III - Content and URL Filtering
C - Application Inspection

A - Introduction to the Cisco ASA Firewall

A firewall is generally understood as a system or device placed between a trusted network and an untrusted one (page 28).

Cisco ASA 5505, front view

Cisco ASA 5505, rear view

Cisco Adaptive Security Appliances (ASA) can act as a network firewall and can help protect one or more networks from intruders and attackers. You can control and monitor the connections between those networks by using the powerful features the Cisco ASA provides (page 168).

B - Controlling Network Access

I - Network Address Translation (NAT)

NAT came about because the public IPv4 address space was running out: it was created to work around the addressing problems that appeared as the Internet grew. The advantages of using NAT in an IP network are:
- NAT reduces the need for public IP addresses; the internal network can use private addresses.
- NAT improves security by hiding the internal addressing scheme and network layout.

Cisco ASA firewalls support two main types of address translation:
- Dynamic NAT translation: translates the source addresses of hosts on higher-security interfaces into a pool of IP addresses on a lower-security interface, for outbound connections. The nat command defines which inside hosts are translated, and the global command defines the address pool on the outgoing interface.
- Static NAT translation: a one-to-one mapping between an IP address on a higher-security interface and an IP address on a lower-security interface. Combined with a suitable Access Control List (ACL), static NAT lets hosts on the lower-security interface (for example, the Internet) reach hosts on the higher-security interface (for example, a web server) without exposing the real addresses of those higher-security hosts.
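As an added example that is not part of the report or of Cisco's software, the following Python model shows how the two translation types behave: outbound connections from the inside network take an address from the global pool (dynamic NAT), the web server keeps a fixed mapping (static NAT), and a new inbound connection only reaches a real host through a static mapping. The class, method names and addresses are constructed for illustration.

```python
# Added example (not from the report or Cisco): a small model of the two ASA
# translation types described above. All addresses are constructed sample values.
from ipaddress import ip_address, ip_network


class NatTable:
    def __init__(self, inside_net, pool, statics):
        self.inside_net = ip_network(inside_net)  # hosts selected by `nat (inside) 1 ...`
        self.free_pool = list(pool)               # addresses from `global (outside) 1 ...`
        self.statics = dict(statics)              # static one-to-one: real -> mapped
        self.xlate = {}                           # active dynamic translations: real -> mapped

    def outbound(self, real_ip):
        """Translate a connection leaving the higher-security (inside) interface.
        A static mapping always wins; otherwise a pool address is allocated."""
        if real_ip in self.statics:
            return self.statics[real_ip]
        if real_ip in self.xlate:
            return self.xlate[real_ip]
        if ip_address(real_ip) not in self.inside_net:
            return None  # host not covered by the nat rule: no translation
        if not self.free_pool:
            return None  # pool exhausted: the connection cannot be translated
        mapped = self.free_pool.pop(0)
        self.xlate[real_ip] = mapped
        return mapped

    def unsolicited_inbound(self, mapped_ip):
        """A new connection arriving on the lower-security (outside) interface
        reaches a real host only through a static mapping; dynamic pool
        addresses reveal nothing. Whether it is then permitted is the ACL's job."""
        for real, mapped in self.statics.items():
            if mapped == mapped_ip:
                return real
        return None


if __name__ == "__main__":
    # Constructed scenario: a /24 inside network, a two-address outside pool and
    # a static mapping that publishes the web server 192.168.1.10.
    nat = NatTable("192.168.1.0/24", ["203.0.113.10", "203.0.113.11"],
                   {"192.168.1.10": "203.0.113.5"})
    for host in ("192.168.1.10", "192.168.1.20", "192.168.1.21", "192.168.1.22"):
        print(host, "->", nat.outbound(host))
    print("inbound to 203.0.113.5 ->", nat.unsolicited_inbound("203.0.113.5"))
```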

II - Packet Filtering
The Cisco ASA can protect the inside network, demilitarized zones (DMZs) and the outside network by inspecting all traffic that passes through it. You can define policies and rules that determine which traffic should be allowed in or out of an interface. The security appliance uses an access control list to drop unwanted or unknown traffic when it tries to enter the firewall.

An access control list (ACL) is a collection of security rules or policies that permit or deny packets after looking at the packet headers and other attributes. Each permit or deny statement in an ACL is called an access control entry (ACE). These ACEs can classify packets by inspecting the Layer 2 through Layer 4 headers for a number of parameters:
- Layer 2 protocol information such as EtherTypes
- Layer 3 protocol information such as ICMP, TCP or UDP
- Layer 3 header information such as source and destination IP addresses
- Layer 4 header information such as TCP or UDP source and destination ports

Once an ACL has been properly configured, you can apply it to an interface to filter traffic. The security appliance can filter packets in both the inbound and the outbound direction on an interface. When an inbound ACL is applied to an interface, the security appliance analyzes packets against the ACEs after receiving them. If a packet is permitted by the ACL, the firewall continues to process it and eventually passes it out of the egress interface. If a packet is denied by the ACL, the security appliance discards it and generates a syslog message indicating that the event occurred.

Important characteristics of an ACL:
- When a new ACE is added to an existing ACL, it is appended to the end of the ACL.
- When a packet enters the security appliance, the ACEs are evaluated in sequential order. Hence, the order of an ACE is critical. For example, if you have an ACE that allows all IP traffic to pass through, and then you create another ACE to block all IP traffic, packets will never be evaluated against the second ACE because all packets will match the first one.
- There is an implicit deny at the end of every ACL. If a packet does not match any ACE in the configuration, it is dropped and a syslog message is generated.
- By default, you do not need to define an ACE to permit traffic from a higher-security interface to a lower-security interface. However, if you want to restrict traffic flowing from a higher-security interface to a lower-security interface, you can define an ACL. If you configure an ACL on a higher-security interface towards a lower-security interface, it disables the implicit permit from that interface.
- An ACL must explicitly permit traffic through the security appliance from a lower-security interface to a higher-security interface of the firewall. The ACL must be applied to the lower-security interface.
- ACLs (extended or IPv6) must be applied to an interface to filter traffic.
- You can bind one extended ACL and one EtherType ACL to each direction of an interface at any one time.
- You can apply the same ACL to multiple interfaces. However, this is not considered a good security practice.
- You can use ACLs to control traffic through the security appliance as well as traffic to the security appliance. ACLs that control traffic to the appliance are applied differently from ACLs that filter traffic through it.
- When TCP or UDP traffic flows through the security appliance, the return traffic is automatically allowed to pass because these connections are considered established and bidirectional.
- Other protocols such as ICMP are considered unidirectional connections, so you need to allow ACL entries in both directions. There is an exception for ICMP traffic when you enable the ICMP inspection engine.

Types of ACLs: Standard ACLs, Extended ACLs, IPv6 ACLs, EtherType ACLs, Webtype ACLs.

Standard ACLs
Standard ACLs are used to identify packets based on their destination IP addresses. However, they cannot be applied to an interface to filter traffic.

Extended ACLs
Extended ACLs can classify packets based on the following attributes: source and destination IP addresses, Layer 3 protocols, TCP or UDP source and destination ports, and the ICMP type for ICMP packets. An extended ACL can be used at an interface to filter packets, to classify packets for QoS, and to identify packets for NAT and VPN encryption.

IPv6 ACLs
An IPv6 ACL works like an extended ACL. However, it only identifies IPv6 traffic passing through the security appliance.

EtherType ACLs
EtherType ACLs can be used to filter IP- and non-IP-based traffic by checking the Ethernet type code field in the Layer 2 header. IP-based traffic uses a type code value of 0x800. Like all ACLs, an EtherType ACL has an implicit deny at the end. However, this implicit deny does not affect IP traffic passing through the security appliance. You can apply both EtherType and extended ACLs to each direction of an interface. If you configure an explicit deny at the end of an EtherType ACL, it blocks traffic even if an extended ACL is defined to pass those packets.

Webtype ACLs
A Webtype ACL lets the security appliance administrator restrict traffic coming in through SSL VPN tunnels. When a Webtype ACL is defined but a packet matches none of its entries, the default action is to drop the packet, as with the implicit deny. On the other hand, if no ACL is defined, the security appliance allows the traffic to pass through it.

Comparison of the characteristics of the ACL types
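The ACE evaluation rules from the packet filtering section (sequential order, first match wins, implicit deny with a syslog, and the shadowing pitfall of a permit-all entry placed first) as an added Python model that is not part of the report or of the ASA software. It parses only a small subset of the extended ACE syntax, and the ACL names, addresses and sample packets are constructed.

```python
# Added example (not from the report or Cisco): first-match evaluation of an
# extended ACL, with the implicit deny, as described in the packet filtering
# section. Only a subset of the ACE syntax is parsed; packets are constructed.
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22}


def _network(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D/len'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        return ip_network(tokens.pop(0) + "/32")
    return ip_network(tok)


def parse_ace(line):
    """'<permit|deny> <ip|tcp|udp|icmp> <src> <dst> [eq <port>]' -> tuple."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, dst = _network(rest), _network(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, port


def evaluate(acl, pkt):
    """Return (verdict, matched_index). ACEs are checked in order and the first
    match decides; no match means the implicit deny (index None), which the
    ASA would report with a syslog message."""
    for i, (action, proto, src, dst, port) in enumerate(acl):
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if ip_address(pkt["src"]) not in src or ip_address(pkt["dst"]) not in dst:
            continue
        if port is not None and pkt.get("dport") != port:
            continue
        return action, i
    return "deny", None


# Inbound ACL for the outside interface: only HTTP to the published web server.
OUTSIDE_IN = [parse_ace(l) for l in (
    "permit tcp any host 203.0.113.5 eq www",
    "deny icmp any any",
)]
# The ordering pitfall from the report: a permit-all ACE first shadows every later ACE.
SHADOWED = [parse_ace(l) for l in ("permit ip any any", "deny ip any any")]
```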

Traffic filtering configuration

C - Application Inspection

Network diagram for the traffic filtering configuration

Content and URL Filtering
Content Filtering
URL Filtering
Network Address Translation (NAT)

Inside Network Address Translation

Outside Network Address Translation

Port Address Translation
Configuration: