
VIETNAM-KOREA FRIENDSHIP INFORMATION TECHNOLOGY COLLEGE
FACULTY OF COMPUTER SCIENCE

GRADUATION THESIS
MAJOR: COMPUTER NETWORKING

TOPIC

RESEARCH AND DEPLOYMENT OF AN OPEN-SOURCE FIREWALL SYSTEM
FOR SMALL AND MEDIUM ENTERPRISES

Student: Nguyen Duc Trung
Class: CCMM03C
Academic years: 2009-2012
Supervisor: MSc. Dang Quang Hien

Da Nang, June 2012

ACKNOWLEDGEMENTS
After more than three months of study and work, the thesis "Research and deployment of an open-source firewall system for small and medium enterprises" has been completed. Besides my own best efforts, I received a great deal of encouragement and support from my family, my teachers and my friends.
I sincerely thank the teachers of the Vietnam-Korea Friendship Information Technology College for passing on so much valuable experience and knowledge throughout my time at the college. In particular, I express my deep gratitude to Mr. Dang Quang Hien, lecturer in the Faculty of Computer Science, and to the teachers of the faculty who wholeheartedly helped me throughout the preparation of this graduation thesis.
Although I did my best to complete this thesis, I consulted many different sources and my knowledge is still limited, so shortcomings are unavoidable. I hope for the understanding, contributions and guidance of the teachers and my friends so that the thesis can become ever more complete.
Once again, my most sincere thanks!

Da Nang, June 2012

Student
Nguyen Duc Trung, Class CCMM03C

TABLE OF CONTENTS
ACKNOWLEDGEMENTS
TABLE OF CONTENTS
LIST OF ABBREVIATIONS
LIST OF FIGURES
INTRODUCTION
CHAPTER 1. OVERVIEW OF NETWORK SECURITY SOLUTIONS
1.1. OVERVIEW OF NETWORK SECURITY
1.1.1. What is network security
1.1.2. Technical characteristics of network security
1.1.3. Assessing threats, system weaknesses and attack types
1.1.3.1. Assessing threats
1.1.3.2. Network vulnerabilities and weaknesses
1.1.3.3. Attack types
1.1.3.4. Measures for detecting a compromised system
1.1.4. Some network security tools
1.1.4.1. Securing the access gateway with a firewall
1.1.4.2. Encrypting information
1.1.5. Some solutions for small and medium enterprises
1.2. NETWORK SECURITY SOLUTION WITH A FIREWALL
1.2.1. Concept
1.2.2. Functions
1.2.3. Basic firewall architectures
1.2.3.1. Dual-homed Host architecture
1.2.3.2. Screened Host architecture
1.2.3.3. Screened Subnet Host architecture
1.2.4. Firewall components and operating mechanism
1.2.4.1. Components
1.2.4.2. Operating mechanism
1.2.5. Firewall techniques
1.2.6. Limitations of firewalls
1.3. VIRTUAL PRIVATE NETWORKS (VPN)
1.3.1. Introduction to VPN
1.3.1.1. VPN concept
1.3.1.2. Advantages of VPN
1.3.2. VPN architecture
1.3.3. VPN types
1.3.4. Basic requirements for a VPN solution
CHAPTER 2. OVERVIEW OF THE PFSENSE FIREWALL
2.1. INTRODUCTION TO THE PFSENSE FIREWALL
2.2. SOME MAIN FUNCTIONS OF THE PFSENSE FIREWALL
2.2.1. Aliases
2.2.2. Rules
2.2.3. Firewall Schedules
2.2.4. NAT
2.2.5. Traffic shaper (bandwidth management)
2.2.6. Virtual IPs
2.3. SOME SERVICES OF THE PFSENSE FIREWALL
2.3.1. Captive Portal
2.3.2. DHCP Server
2.3.3. DHCP Relay
2.3.4. Load Balancer
2.3.5. VPN PPTP
2.3.6. Other functions
CHAPTER 3. INSTALLING AND DEPLOYING THE PFSENSE FIREWALL
3.1. INSTALLING THE PFSENSE FIREWALL
3.1.1. Deployment model
3.1.1.1. Real-world model
3.1.1.2. Simulated model
3.1.2. System installation
3.1.2.1. Installing Routing and Remote Access on Windows Server 2003
3.1.2.2. Installing pfSense
3.2. CONFIGURING THE PFSENSE FIREWALL
3.2.1. Configuring network interfaces for the pfSense firewall
3.2.2. Configuring Load Balancing
3.2.2.1. Configuring Load Balancing
3.2.2.2. Firewall Rule
3.2.3. Configuring Captive Portal
3.2.4. Configuring the VPN Server
3.2.4.1. Configuring the VPN Server
3.2.4.2. Configuring Inbound NAT for VPN clients connecting to pfSense
3.3. TESTING AND OPTIMIZING THE SYSTEM
CONCLUSION
REFERENCES
SUPERVISOR'S COMMENTS

LIST OF ABBREVIATIONS
CARP: Common Address Redundancy Protocol
DMZ: Demilitarized Zone
DoS: Denial of Service
FTP: File Transfer Protocol
HTTP: Hypertext Transfer Protocol
IP: Internet Protocol
LAN: Local Area Network
NAT: Network Address Translation
OSI: Open Systems Interconnection
PPTP: Point-to-Point Tunneling Protocol
SMTP: Simple Mail Transfer Protocol
VPN: Virtual Private Network
WAN: Wide Area Network

LIST OF FIGURES
Figure 1.1. Network diagram for a small enterprise
Figure 1.2. Network diagram for a medium enterprise
Figure 1.3. Simple firewall model
Figure 1.4. Dual-homed Host architecture
Figure 1.5. Screened Host architecture
Figure 1.6. Screened Subnet architecture
Figure 1.7. Packet filtering
Figure 1.8. Circuit-level gateway
Figure 1.9. Model of a typical VPN
Figure 1.10. Structure of a tunnel
Figure 2.1. The pfSense logo
Figure 2.2. pfSense deployment model for a small enterprise
Figure 2.3. Firewall function: Aliases
Figure 2.4. Firewall setup: Aliases
Figure 2.5. Firewall function: Rules
Figure 2.6. Setting up Firewall Schedules
Figure 2.7. Firewall Schedules function
Figure 2.8. NAT function
Figure 2.9. Traffic Shaper function
Figure 2.10. Virtual IPs function
Figure 2.11. Captive Portal service
Figure 2.12. Running the DHCP Server service
Figure 2.13. Dynamic IP assignment feature
Figure 2.14. Static IP address assignment
Figure 2.15. DHCP Relay service
Figure 2.16. Load Balancer service
Figure 2.17. VPN PPTP service
Figure 2.18. Creating a VPN user
Figure 2.19. Creating a VPN rule
Figure 3.1. Real-world deployment model
Figure 3.2. Simulated deployment model
Figure 3.3. Configuring Routing and Remote Access
Figure 3.4. Result after configuration
Figure 3.5. Choosing the installation mode
Figure 3.6. Setting up VLANs
Figure 3.7. WAN interface
Figure 3.8. LAN interface
Figure 3.9. OPT1 interface
Figure 3.10. Declaring the DNS server
Figure 3.11. Configuring Load Balancing
Figure 3.12. Setting up rules for Load Balancing
Figure 3.13. Captive Portal
Figure 3.14. Creating a user for the captive portal
Figure 3.15. Configuring VPN PPTP
Figure 3.16. Creating a VPN user
Figure 3.17. Creating a rule for the VPN
Figure 3.18. Configuring Inbound NAT for the VPN

INTRODUCTION
1. Reason for choosing the topic
Today computers and the Internet are widespread; organizations and individuals alike need computers and computer networks to compute, store and publish information, or to carry out online transactions. But alongside the opportunities that open up come risks: a computer network that is not properly managed and used can be attacked, with serious consequences.
Recognizing the importance of securing an enterprise network, I chose to research the topic "Research and deployment of an open-source firewall system for small and medium enterprises", with the aim of gaining a deep understanding of how such a system works, discovering its weaknesses, and finding ways to remedy those weaknesses so that the enterprise network always runs smoothly and safely with fewer incidents.
2. Research objectives
Study open-source firewall systems with pfSense.
Deploy an open-source firewall system with pfSense for small and medium enterprises.
3. Research subject and scope
Study the model of an open-source firewall system with pfSense.
Study the deployment of an open-source firewall system with pfSense for small and medium enterprises.
4. Research method
Work under the guidance of the supervising lecturer.
Study documents related to pfSense and to firewall systems deployed with pfSense.
Carry out experiments on a model network to verify the theory studied.
5. Scientific and practical significance of the topic
- Scientific significance:
Provide a set of study and reference materials for later cohorts.
Provide a training document for deploying an open-source firewall system with pfSense.

- Practical significance:
Completing the topic can help students improve their research skills and learn how to build a firewall system with pfSense.

CHAPTER 1. OVERVIEW OF NETWORK SECURITY SOLUTIONS

1.1. OVERVIEW OF NETWORK SECURITY

1.1.1. What is network security

The purpose of networking is to let many users, in different geographical locations, share resources and exchange information. Because the users are many and physically dispersed, protecting the information resources on the network from loss and violation is necessary and urgent. Network security can be understood as protecting and guaranteeing the safety of every network component, including data, devices and network infrastructure, and ensuring that every network resource is used in accordance with an established operating policy and only by the appropriately authorized people.
Network security includes:
Determining the policy, the possible ways the network can be intruded upon, and the incidents and risks to the devices and data on the network, so that suitable solutions can be put in place to keep the network secure.
Assessing the risk of hackers attacking the network, of viruses spreading, and so on. Network security must be seen as one of the most important issues in electronic transactions and in the exploitation and use of network resources.
One challenge for network security is determining exactly the level of security needed to control the system and its network components. The risks and vulnerabilities through which the network can be compromised are assessed through a structured approach: identifying the risks of theft or destruction of computers and equipment, of viruses and spyware worms, of deletion or destruction of databases, of password theft, and risks to the operation of the system such as network congestion and electromagnetic interference. Only once every risk affecting network security has been assessed can the best measures to secure the network be chosen.
Using security tools effectively (for example a firewall) together with strict and specific measures and policies.
By nature, violations can be classified as passive or active. Passive and active are understood in terms of whether the content and flow of the information being exchanged is interfered with. A passive violation aims only to capture information. An active violation alters, deletes or adds foreign information so as to distort the original information, with the aim of sabotage. Passive violations are usually hard to detect but can be prevented effectively. Conversely, active violations are easy to detect but hard to prevent.
1.1.2. Technical characteristics of network security
- Authentication: Verifying the identity of an entity communicating on the network. An entity may be a user, a computer program, or a hardware device. Authentication checks are considered the most important activity of any security method. A network system usually has to authenticate an entity before that entity connects to the system. The authentication mechanisms of security methods rely on three main models:
  - The subject being verified must supply information agreed in advance, for example a password or a personal identification number (PIN).
  - Verification based on something possessed: the subject must present information it owns, for example a private key or a credit card number.
  - Verification based on uniquely identifying information: the subject must have information that identifies it uniquely, for example a voice, a fingerprint or a signature.

- Availability: Availability is the property that information on the network can be reached and used by legitimate entities on demand, whenever needed and in any circumstances. Availability is generally expressed as the ratio of the time the system is in normal use to the total operating time under evaluation. Availability also has to satisfy the following requirements: identifying and distinguishing entities; access control (covering both discretionary and mandatory access control); traffic control (preventing congestion); route control (allowing stable, reliable alternate routes and links to be chosen); and an audit trail (every event occurring in the system is recorded so that causes can be analysed and corresponding measures taken in time).

- Confidentiality: Confidentiality is the property that messages are not disclosed to unauthorized entities or processes and cannot be exploited by malicious parties. Information is available only to authorized entities. Confidentiality techniques usually include preventing wiretapping, preventing emanations, protecting the information itself (under the control of a cryptographic key), and physical security (using physical protection so that messages are not disclosed).

- Integrity: The property that information on the network cannot be processed without authorization; that is, information on the network, whether stored or in transit, is guaranteed not to be deleted, modified, forged, reordered, replayed or inserted into, whether accidentally or deliberately, and is protected from other sabotage. The main factors affecting the integrity of information on the network are equipment failure, coding errors, human interference, computer viruses, and so on.
Some methods for ensuring the integrity of information on the network:
  - Secure protocols that can check whether information has been copied or modified; if this is detected, the information is invalidated.
  - Error detection and correction methods. The simplest and most common coding-based correction method is the parity check.
  - Cryptographic checks that prevent tampering and obstruction of transmission.
  - Digital signatures, which guarantee the authenticity of information.
  - Requiring an authority or an intermediary to certify that the information is genuine.

- Accountability: The property and capability of controlling the dissemination and the original content of messages on the network.

- Non-repudiation: During the exchange of messages on the network, the genuine identity of the participating entities is confirmed, so that none of the participants can deny or repudiate the operations and commitments they carried out.
1.1.3. Assessing threats, system weaknesses and attack types
1.1.3.1. Assessing threats
Basically there are four threats to network security:
- Unstructured threats
- Structured threats
- External threats
- Internal threats

a) Unstructured threats
Threats of this kind are created by unskilled hackers who genuinely lack experience. These people are curious and want to download data from the Internet. They are motivated by seeing what they are able to produce.
b) Structured threats
Hackers who create this kind of threat are far more sophisticated than the unstructured kind. They have technical skill and understand the structure of network systems. They are proficient at exploiting weaknesses in a network. They build a structured system and methods for intruding deeply into the network.
Both the structured and the unstructured kind carry out their attacks on the network through the Internet.
c) External threats
Originating from the Internet, these people find holes in the network system from the outside. When companies begin to advertise their presence on the Internet, that is also the moment hackers begin scanning for weaknesses, stealing data and destroying network systems.
d) Internal threats
This threat is truly dangerous because it originates from right inside the organization, typically from employees or from the administrators themselves. They can carry out an attack quickly and easily because they understand the structure of the network and know its weaknesses well.
1.1.3.2. Network vulnerabilities and weaknesses
a) Network vulnerabilities
System security vulnerabilities are weaknesses that can cause a service to stop, grant privileges to users, or allow illegitimate access to the system. Vulnerabilities exist in services such as Sendmail, Web, and so on, in the network operating system, or in applications.
Security vulnerabilities on a system are divided as follows:
Class C vulnerabilities: allow denial-of-service (DoS) attacks. The danger level is low; they only affect the quality of service, and may cause the system to stall or be interrupted, but they do not destroy data or seize access rights.
DoS is a form of attack that uses the Internet-layer protocols of the TCP/IP suite to make a system stall, so that legitimate users are denied access to or use of the system. A large number of packets are sent to the server continuously over a period of time, overloading the system; the result is that the server responds slowly or cannot respond to requests sent by clients.
A typical example of a DoS attack was on a number of large websites, stalling their operation, such as vietnamnet and bkav.
Class B vulnerabilities: allow users to gain additional privileges on the system without a legitimacy check. The danger level is medium; these vulnerabilities are usually found in applications on the system and can lead to the leakage of information that should be kept confidential.
Vulnerabilities of this class usually appear in services on the system. A local user is understood as someone who has the right to access the system with certain limited privileges.
Some class B vulnerabilities frequently found in applications are the vulnerability in the Sendmail program on Unix and Linux, or buffer errors in programs written in C.
Programs written in C commonly use a buffer, a region of memory used to store data before it is processed. Programmers often use a buffer in memory before allocating a memory space for each block of data. For example, a programmer writes a program that takes a user-name field and specifies that this field is 20 characters long, so he declares:
char first_name[20];
With this declaration, the user may enter at most 20 characters. When data is entered it is first stored in the buffer; if the user enters 35 characters, a buffer overflow occurs and the 15 excess characters end up in an uncontrolled location in memory. Attackers can exploit this vulnerability by entering special characters that cause certain commands to be executed on the system. Typically this vulnerability is exploited by users of the system to obtain root privileges illegitimately.
Strict control of the system configuration and of the programs in use will limit class B vulnerabilities.
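As an added illustration of the 20-character field declared above (this code is not part of the thesis), the following C program places the defective unbounded copy next to a bounded version that always leaves room for the terminating NUL and reports when input had to be cut. The field size, the function names and the two input strings are constructed for this example; nothing calls the unsafe variant.

```c
/* Added example, not from the thesis: the 20-byte name field from the text,
 * filled by a bounded copy that NUL-terminates and reports truncation.
 * NAME_LEN, the function names and the inputs are constructed here. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_LEN 20   /* the field size used in the text: char first_name[20]; */

/* The defective pattern the text describes: strcpy copies every byte of the
 * input, so 35 bytes written into a 20-byte field spill past its end.
 * Kept only for comparison; nothing in this file calls it. */
void unsafe_read_first_name(char first_name[NAME_LEN], const char *input)
{
    strcpy(first_name, input);   /* no length check at all */
}

/* Hardened form: copy at most NAME_LEN-1 bytes so the terminating NUL always
 * fits inside the field, and tell the caller whether input was truncated. */
bool read_first_name(char first_name[NAME_LEN], const char *input)
{
    size_t n = strlen(input);
    bool truncated = n >= NAME_LEN;
    size_t to_copy = truncated ? NAME_LEN - 1 : n;
    memcpy(first_name, input, to_copy);
    first_name[to_copy] = '\0';
    return truncated;
}

/* Length of the string actually stored after a bounded read: never more
 * than NAME_LEN-1, whatever the input length. */
size_t stored_length(const char *input)
{
    char first_name[NAME_LEN];
    read_first_name(first_name, input);
    return strlen(first_name);
}

/* True when the bounded read had to discard part of the input. */
bool would_truncate(const char *input)
{
    char first_name[NAME_LEN];
    return read_first_name(first_name, input);
}

int main(void)
{
    char first_name[NAME_LEN];
    const char *short_input = "Trung";                                 /* constructed */
    const char *long_input  = "ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789";   /* 35 bytes, constructed */

    bool t1 = read_first_name(first_name, short_input);
    printf("%-36s -> \"%s\" (truncated: %s)\n", short_input, first_name, t1 ? "yes" : "no");
    bool t2 = read_first_name(first_name, long_input);
    printf("%-36s -> \"%s\" (truncated: %s)\n", long_input, first_name, t2 ? "yes" : "no");
    return 0;
}
```

The bounded version turns the silent memory corruption described in the text into an explicit return value: a caller can reject the over-long name, log it, or accept the truncated value, but the 15 excess bytes never reach memory the program does not control.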
Class A vulnerabilities: allow outside users to access the system illegally. Vulnerabilities of this class are very dangerous and can destroy the entire system.
Class A vulnerabilities have a very high danger level; they threaten the integrity and confidentiality of the system. They usually appear on systems that are poorly administered or whose network configuration is not under control.
These vulnerabilities are extremely dangerous because they exist in the software in use; an administrator who does not understand the services and software in depth can easily overlook these weaknesses.
On older systems the announcements of security newsgroups on the network must be checked regularly in order to detect vulnerabilities of this class. A whole series of commonly used older program versions have class A vulnerabilities, such as FTP, Sendmail, and so on.
b) Impact of security vulnerabilities on the Internet
The section above presented a number of cases of security vulnerabilities; attackers can exploit these vulnerabilities to create further vulnerabilities, forming a chain of vulnerabilities.
For example, an attacker wants to intrude into a system on which he has no legitimate account. In this case the attacker first looks for weaknesses in the system, either in its security policies or by using information-gathering tools on the system, in order to obtain access; once this first objective is reached, the attacker can go on to explore the services on the system, grasp their weaknesses, and carry out more sophisticated sabotage.
However, not every vulnerability is dangerous to the system. There are many announcements relating to security vulnerabilities on the network; most of them concern class C vulnerabilities and are not particularly dangerous to the system. For example, when sendmail vulnerabilities are announced on the network, they do not immediately affect the whole system. Once the vulnerability announcements have been confirmed, the newsgroups publish a number of methods for remedying the system.

1.1.3.3. Attack types

Direct attacks
Direct attacks are usually used in the first phase, to gain access inside. Some classic attack methods are guessing user names and passwords. This is a simple method, easy to carry out, and requires no special condition to begin. The attacker can rely on information he knows, such as the user's name, date of birth, address, house number and so on, to guess the password, with the help of a program that automates the guessing. In some cases the success rate of this method can reach 30%.
The method of using bugs in application programs and in the operating system itself has been used since the earliest attacks and continues to be used to seize access. In some cases this method gives the attacker the privileges of the system administrator.
Eavesdropping
Eavesdropping on information on the network can yield useful information such as user names and passwords, and secret information passing over the network. Eavesdropping is usually carried out right after the attacker has seized access to the system, using programs that make it possible. Such information can also easily be obtained from the Internet.
Address spoofing
IP address spoofing can be carried out by using source routing. In this attack the attacker sends IP packets to the internal network with a spoofed IP address (usually the address of a network or host that the internal network considers trusted), and at the same time specifies the path the IP packets must take.
Disabling system functions
This is an attack aimed at paralysing the system so that it cannot perform the function it was designed for. This kind of attack cannot be prevented, because the means used to mount it are the very means used to work and to access information on the network. For example, using the ping command at the highest possible rate forces a system to spend all of its computing capacity and network capacity answering these commands, leaving no resources for other useful work.
Administrator errors
This is not an attack by intruders; however, administrator errors frequently create holes that allow attackers to gain access to the internal network.
Attacks on the human factor
An attacker can contact a system administrator, pretending to be a user, and ask for a password change, a change to his access rights on the system, or even a change to part of the system configuration, in order to carry out other attack methods. No device can effectively prevent this kind of attack; the only way is to educate the internal users about the strict security requirements so that they are alert to suspicious occurrences.
In general the human factor is a weak point in any protection system, and only education combined with cooperation from the users can raise the security of the protection system.
1.1.3.4. Measures for detecting a compromised system

No system can guarantee absolute security; every service has potential security holes. The system administrator must not only research and identify security vulnerabilities but also carry out measures to check whether the system shows signs of attack. Some specific measures:
- Check for signs that the system has been attacked: the system frequently hangs with unclear error messages, and the cause is hard to determine for lack of related information. First determine whether the cause is hardware; if it is not, consider the possibility that the computer has been attacked.
- Check for strange new user accounts, especially accounts whose ID is zero.
- Check for the appearance of strange files. The administrator should make a habit of naming files according to a fixed pattern so that strange files are easy to spot.
- Check modification times on the system.
- Check system performance: use utilities that monitor resources and the processes running on the system.
- Check the operation of the services the system provides.
- Check system access using ordinary accounts, to guard against those accounts being accessed illegitimately and having their rights changed without the legitimate user being able to control it.
- Check the files related to network and service configuration; remove unnecessary services.
- Check the versions of sendmail, ftp and so on, and join security newsgroups to get information about vulnerabilities in the services in use.
Taken together, these measures form a security policy for the system.
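The "accounts whose ID is zero" check in the list above can be automated. The following C program is an added example (not from the thesis) that walks passwd-format text, reads the third colon-separated field as the UID, and collects every login name whose UID is 0, so that anything besides root stands out. A real check would read /etc/passwd; the sample text, the account names and the function names are constructed for this illustration, and a line that is not in passwd format is skipped rather than reported.

```c
/* Added example, not from the thesis: find every login with UID 0 in
 * passwd-format text. SAMPLE_PASSWD and the function names are constructed. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define MAX_NAME 32
#define MAX_HITS 16

/* Constructed sample: root is expected; "sysupd" is a second UID-0 account
 * that an administrator would want to notice. */
const char *SAMPLE_PASSWD =
    "root:x:0:0:root:/root:/bin/sh\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "trung:x:1000:1000:Nguyen Duc Trung:/home/trung:/bin/sh\n"
    "sysupd:x:0:0::/tmp:/bin/sh\n";

static char g_hits[MAX_HITS][MAX_NAME];   /* login names found by the last scan */

/* Scan passwd-format text line by line. Fields are name:passwd:uid:gid:...,
 * so the UID starts after the second colon. Names of UID-0 entries are
 * stored in g_hits; the number found is returned. */
int find_uid0_accounts(const char *text)
{
    int found = 0;
    const char *line = text;
    while (*line != '\0' && found < MAX_HITS) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *c1 = memchr(line, ':', len);                      /* end of login name   */
        const char *c2 = c1 ? memchr(c1 + 1, ':', len - (size_t)(c1 + 1 - line)) : NULL; /* end of passwd field */
        if (c2) {
            char *stop;
            long uid = strtol(c2 + 1, &stop, 10);
            /* accept only a well-formed numeric UID field that is followed by ':' */
            if (stop != c2 + 1 && *stop == ':' && uid == 0) {
                size_t nlen = (size_t)(c1 - line);
                if (nlen > MAX_NAME - 1) nlen = MAX_NAME - 1;
                memcpy(g_hits[found], line, nlen);
                g_hits[found][nlen] = '\0';
                found++;
            }
        }
        if (!end) break;
        line = end + 1;
    }
    return found;
}

/* The n-th login name recorded by the last scan, or NULL if out of range. */
const char *uid0_account(int n)
{
    return (n >= 0 && n < MAX_HITS) ? g_hits[n] : NULL;
}

int main(void)
{
    int n = find_uid0_accounts(SAMPLE_PASSWD);
    printf("%d account(s) with UID 0:\n", n);
    for (int i = 0; i < n; i++)
        printf("  %s%s\n", uid0_account(i), strcmp(uid0_account(i), "root") == 0 ? "" : "   <-- unexpected");
    return 0;
}
```

Anything other than root in the output deserves a look; comparing the list against the previous day's result turns this one-off check into the kind of routine measure the list recommends.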
1.1.4. Some network security tools
1.1.4.1. Securing the access gateway with a firewall

A firewall lets the network administrator control access, enforcing a policy that accepts or refuses services and traffic entering or leaving the network. A firewall can be used to authenticate users, making sure they really are who they claim to be before granting them access to network resources.
A firewall is also used to divide the network into segments and to set up different security layers on the different segments, so that the more important resources are better protected; the firewall also restricts traffic and steers it so that it reaches only the places it is permitted to reach.
1.1.4.2. Encrypting information

Cryptography is the process of converting original information into an encrypted form.
There are two approaches to protecting information with cryptography: link-level and end-to-end.
In the first approach, information is encrypted to protect the link between two nodes, without regard to the source and destination of the information. The advantage of this approach is that the flow of information between source and destination can be kept secret and every violation aimed at traffic analysis can be prevented. The disadvantage is that, because the information is encrypted only on the link, the nodes themselves must be well protected.
In the second approach, by contrast, information is protected along the whole path from source to destination. Information is encrypted as soon as it is created and decrypted only when it reaches its destination. The advantage of this approach is that a user can use it without affecting other users. The disadvantage is that only the user data is encrypted, while the control information must remain in clear so that it can be processed at the intermediate nodes.
1.1.5. Some solutions for small and medium enterprises
For small enterprises, setting up an operational network that is secure, affordable, and easy to deploy and maintain is essential. Here we propose using a single multi-function PC as the perimeter firewall, running an IDS to warn of attacks, running NAT to hide the logical structure of the network, and running a VPN to secure remote connections.

Figure 1.1. Network diagram for a small enterprise

For medium enterprises the diagram above suits their branch offices. At the network centre, a multi-layered security design such as the following can be implemented:

Figure 1.2. Network diagram for a medium enterprise


1.2.

GII PHP AN TON AN NINH MNG VI FIREWALL


xviii

1.2.1. Khi nim


Thut ng Firewall c ngun gc t mt k thut thit k trong xy dng ngn
chn, hn ch ha hon. Trong cng ngh thng tin, Firewall l mt k thut c tch
hp vo h thng mng chng s truy cp tri php, nhm bo v cc ngun thng
tin ni b v hn ch s xm nhp khng mong mun vo h thng. Cng c th hiu
Firewall l mt c ch bo v mng tin tng khi cc mng khng tin tng.
Thng thng Firewall c t gia mng bn trong (Intranet) ca mt cng ty,
t chc, ngnh hay mt quc gia, v Internet. Vai tr chnh l bo mt thng tin, ngn
chn s truy nhp khng mong mun t bn ngoi v cm truy nhp t bn trong ti
mt s a ch nht nh trn Internet.

Figure 1.3. A simple firewall model

In short, a firewall is a system that blocks unauthorized access from outside into the network as well as illegitimate connections from inside going out. The firewall rejects invalid addresses according to rules or criteria defined in advance. A firewall can be a hardware system, a software system, or a combination of both.

- Hardware firewalls: these may be dedicated firewall appliances from vendors such as Cisco or Juniper, or firewalls integrated into routers. Characteristics of hardware firewalls:
  - Less flexible than software firewalls (harder to add functions and rules than with a software firewall).
  - Operate at lower layers than software firewalls (the Network and Transport layers of the OSI model).
  - Cannot inspect the content of packets.
- Software firewalls: programs or operating systems with firewall functionality, installed on a server. Characteristics of software firewalls:
  - Highly flexible: rules and functions can be added and removed.
  - Operate at a higher layer than hardware firewalls (the Application layer of the OSI model).
  - Can inspect the content of packets (by matching keywords).

1.2.2. Functions

The main function of a firewall is to control the flow of information between the intranet (the internal network) and the Internet, by establishing a mechanism that governs the information flow between the two. Specifically:

- Allow or deny services accessing the outside (from the intranet to the Internet).
- Allow or deny services from outside accessing the inside (from the Internet into the intranet).
- Monitor the network traffic between the Internet and the intranet.
- Control which addresses may access the network and block addresses from accessing it.
- Control users and their access. Control the content of the information that travels across the network.

A firewall examines all traffic between the two networks to see whether it meets the defined criteria. If it does, it is routed between the networks; otherwise it is discarded. A firewall filter filters both outgoing and incoming traffic. It can also manage access from outside to resources inside the network. It can be used to log every attempt to enter the private network and to raise a prompt alert when an attacker or an unauthorized person breaks in. A firewall can filter packets by their source address, destination address and port number; this is called address filtering. It can also filter particular kinds of network traffic; this is called protocol filtering, because the decision to forward or reject the traffic depends on the protocol in use, for example HTTP, FTP or Telnet. A firewall can also filter traffic on the attributes and state of the packets.
1.2.3. Basic firewall architectures

1.2.3.1. Dual-homed host architecture

Figure 1.4. Dual-homed host architecture

The dual-homed host was the first form of protection for internal networks. A dual-homed host is a computer with two network interfaces: one connected to the local network and one connected to the external network (the Internet). Its operating system is modified so that packet forwarding between these two interfaces is disabled. To work with a machine on the Internet, a user on the local network must first log in to the dual-homed host and start a session from there.

Advantages of the dual-homed host:
- Easy to install; no special hardware or software is required.
- It only requires packet forwarding to be disabled, so on Unix systems it is usually enough to configure and rebuild the operating system kernel.

Disadvantages of the dual-homed host:
- It cannot meet increasingly complex security requirements or keep up with new software systems brought to market.
- It cannot withstand attacks aimed at itself, and once the dual-homed host is compromised it becomes an ideal bridgehead for attacking the internal network.

Assessment of the dual-homed host architecture:

To provide services to internal users there are several options:
- Combine it with proxy servers to provide proxy services.
- Create accounts for users on the dual-homed host; when a user wants a service from the Internet or from the external network, they must log in to this machine.

If accounts are created for users on the dual-homed host, users dislike such a cumbersome way of using services, because every time they want a service they must log in to a machine (the dual-homed host) other than their own; this is very inconvenient for users.

If proxy servers are used, it is hard to offer many services, because proxy server and proxy client software is not available for every kind of service. And when many services are offered, the system's responsiveness may drop, because all the proxy servers sit on the same machine.

A further fundamental weakness of both models is that once the dual-homed host, or the proxy servers in general, is broken into, the attacker who got through it can see all the traffic inside the internal network, which is extremely dangerous. On Ethernet or Token Ring networks, data travelling through the system can be captured by any machine attached to the network, so this architecture is only suitable for some small networks.
1.2.3.2. Screened host architecture

This architecture combines two techniques: packet filtering and proxy services.

Packet filtering: filters the services the system wants to provide through the proxy server, forcing users who want a service to connect to the proxy server rather than bypassing it to connect directly to the internal or external network; at the same time it can allow the bastion host to open connections to internal or external hosts.

Proxy service: the bastion host holds the proxy servers that serve the services the system offers to users through the proxy.

Figure 1.5. Screened host architecture

Assessment of the main advantages and disadvantages of the screened host architecture:

The screened host architecture improves on the dual-homed host in the following specific respects:

Dual-homed host: hard to protect well, because this one machine provides many services at once, violating the basic rule that each element or component should carry as few functions as possible (the fewer functions per element the better); its response time is also unlikely to be high, because it performs many functions at the same time.

Screened host: the IP packet filtering function and the proxy servers are separated onto two different machines. The packet filter keeps only the filtering function, so it can be controlled and is less likely to fail (it follows the few-functions rule). The proxy servers sit on another machine, so their serving capacity (response time) is also higher.

As with the dual-homed host architecture, once the packet filtering system or the bastion host holding the proxy servers is broken into (the attacker gets past these barriers), the internal network's traffic is visible to the attacker.

The third architecture below is derived from the main weaknesses of these two, and remedies them in part.

1.2.3.3. Screened subnet architecture

Figure 1.6. Screened subnet architecture

In this architecture the system consists of two packet-filtering routers and one bastion host. It has the highest level of security because it provides both levels of protection, network and application, while defining a perimeter network. The intermediate network (DMZ) acts as a small, isolated network placed between the Internet and the internal network. Basically, a DMZ is configured so that systems on the Internet and on the internal network can reach only a limited number of systems on the DMZ, and direct transmission across the DMZ is not possible.

For incoming traffic, the exterior router defends against standard attacks (such as IP address spoofing) and controls access to the DMZ. It allows external systems to reach only the bastion host. The interior router provides a second line of defence by allowing the DMZ to reach the internal network only for communication that originates from the bastion host.

For outgoing traffic, the interior router controls the internal network's access to the DMZ. It allows internal systems to reach only the bastion host. The filtering rules on the exterior router require the use of the proxy service by allowing only outbound traffic that originates from the bastion host.

Advantages:
- An attacker must break through three layers of protection: the exterior router, the bastion host and the interior router.
- Because the exterior router advertises only the DMZ network to the Internet, the internal network is invisible. Only selected systems on the DMZ are known to the Internet, through the routing tables and the DNS (Domain Name Server) exchanges.
- Because the interior router advertises only the DMZ network to the internal network, systems on the internal network cannot reach the Internet directly. This guarantees that internal users must go through the proxy service to reach the Internet.

Assessment of the screened subnet architecture:

For systems that must provide fast, secure services to many simultaneous users, and that need to monitor the traffic of each user and protect the data exchanged between users, this basic architecture is suitable.

To raise the security of the internal network, the screened subnet architecture above adds a DMZ (perimeter network) that partly hides the internal network's traffic and separates the internal network from the Internet. It uses two screening routers: the exterior router and the interior router. Applying the redundancy principle, further intermediate networks (DMZs or perimeter networks) can be added; the more there are, the stronger the protection.

There are also other variant architectures, such as using several bastion hosts, merging the interior and exterior routers, or merging the bastion host with the exterior router.
1.2.4. Firewall components and how they work

1.2.4.1. Components

A standard firewall consists of one or more of the following components:
- Packet filtering router
- Application-level gateway (proxy server)
- Circuit-level gateway

1.2.4.2. How they work

Packet filter

A firewall works closely with the TCP/IP protocol suite, because this suite splits the data received from network applications, or more precisely from the services running on the protocols (Telnet, SMTP, DNS, NFS and so on), into data packets, gives each packet addresses that identify it, and reassembles the packets at the destination. Firewalls are therefore very much concerned with packets and their address numbers.

Figure 1.7. Packet filtering


A packet filter allows or rejects each packet it receives. It examines the whole packet to decide whether it satisfies one of the packet filtering rules. The packet filtering rules are based on the information in the header of each packet, which is what lets the packet be transmitted on the network. This includes:
- Source IP address
- Destination IP address
- Transport protocol (TCP, UDP, ICMP, IP tunnel and so on)
- Source TCP/UDP port
- Destination TCP/UDP port
- ICMP message type
- Incoming interface
- Outgoing interface

If a packet satisfies the rules configured in advance on the firewall, it is passed through; if not, it is dropped. Controlling ports lets the firewall admit only certain kinds of connection into the local network.

Advantages:
- Most firewall systems use a packet filter. One advantage of the packet filtering method is that it preserves the throughput of the network traffic.
- The packet filter is transparent to users and applications, so it requires no special training.

Limitations:

Defining packet filtering policies is fairly complex: it requires the network administrator to have a detailed understanding of Internet services, packet header formats and the specific values each field can take. As the filtering requirements grow, the rules become long and complex and are very hard to manage and control.
Application gateway

This is a type of firewall designed to strengthen control over the services and protocols allowed to access the network. It works through what is called a proxy service. A proxy service is special code installed on the gateway for each application. If the network administrator does not install proxy code for an application, the corresponding service is not provided and no information for it can cross the firewall. In addition, the proxy code can be configured to support only the features of an application that the administrator considers acceptable, while refusing the others.

An application gateway is often regarded as a bastion host, because it is specially designed to resist attack from outside. The security measures of a bastion host are:
- The bastion host always runs secure versions of its system software (operating system). These secure versions are designed specifically to resist attacks on the system software and to ensure firewall integration.
- Only the services the network administrator considers necessary are installed on the bastion host, simply because a service that is not installed cannot be attacked. Typically only a limited set of applications for Telnet, DNS, FTP, SMTP and user authentication is installed on the bastion host.
- The bastion host may require several different levels of authentication, for example user passwords or smart cards.
- Each proxy is configured to allow access to only a limited set of hosts. This means the command set and features configured for each proxy apply to only certain hosts across the system.
- Each proxy keeps a log recording all details of the traffic through it, every connection and its duration. This log is very useful for tracing or stopping intruders.
- Each proxy is independent of the other proxies on the bastion host. This makes it easy to install a new proxy or to remove one that has a problem.

Advantages:
- It lets the network administrator fully control each service on the network, because the proxy application restricts the command set and decides which hosts the service may access.
- It lets the network administrator fully control which services are allowed, because the absence of a proxy for a service means that service is blocked.
- The application gateway supports strong authentication and keeps a log of access to the system.
- The filtering rules for an application gateway are easier to configure and verify than those of a packet filter.

Limitations:

Users must modify the software installed on their client machines to reach the proxy services. For example, Telnet access through an application gateway requires two steps to connect to the target host instead of one. However, some client software already makes the application gateway transparent, by letting the user name the destination host rather than the application gateway on the Telnet command line.
Circuit-level gateway

A circuit-level gateway is a special function that an application gateway can perform. It simply relays TCP connections without doing any processing or packet filtering.

Figure 1.8 illustrates a telnet connection through a circuit-level gateway. The gateway simply relays the telnet connection through the firewall without inspecting, filtering or controlling the telnet protocol. It works like a wire, copying bytes between the inside connection and the outside connection. However, because the connection appears to originate from the firewall system, it hides information about the internal network.

Figure 1.8. Circuit-level gateway

Circuit-level gateways are usually used for outbound connections, where the network administrators genuinely trust the internal users. The greatest advantage is that a bastion host can be configured as a hybrid: an application gateway for inbound connections and a circuit-level gateway for outbound connections. This makes the firewall system easy to use for people on the internal network who want direct access to Internet services, while still providing firewall protection of the internal network against attacks from outside.
1.2.5. Firewall techniques

Frame filtering: operates in the two lowest layers of the OSI model and can filter and inspect frames at the bit level and by their content. At this layer, untrusted frames are rejected as soon as they enter the network.

Packet filtering: the most common type of firewall is the one based on the network layer of the OSI model. A packet filter allows or rejects each packet it receives. It examines the whole packet to decide whether it satisfies one of the packet filtering rules. The packet filtering rules are based on the information in the packet header.

If a packet filtering rule is satisfied, the packet is passed through the firewall; if not, it is discarded. In this way the firewall can prevent connections into the system, or block access to the internal system from addresses that are not permitted.

Some network-layer firewalls achieve fast processing because they check only the source IP address, without running commands on the router and without determining whether the address is wrong or banned. They use the source IP address as the indicator, so a packet carrying a forged source address will gain access to the system. Several technical measures can be applied to packet filtering to overcome this weakness: besides the IP address field, other information is checked against the rules created on the firewall, such as the time of access, the protocol in use and the port.

Packet filtering firewalls come in two kinds:
- Packet filtering firewall: operates at the network layer of the OSI model. This kind of firewall cannot manage transactions on the network.
- Circuit-level gateway: operates at the session layer of the OSI model. This kind of firewall secures the transaction between the system and the end user (for example checking ID and password) and allows the state of the accessing user to be tracked.
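The screened subnet design of section 1.2.3.3 and the header-based packet filtering of sections 1.2.4.2 and 1.2.5 can be tried out together in a small simulation. The following Python is an added example written for this page; it is not code from the thesis or from pfSense. It models the two packet-filtering routers and the bastion host with constructed addresses (10.0.0.0/24 for the internal network, 192.0.2.0/24 for the DMZ, 192.0.2.10 for the bastion; interface names "wan", "dmz" and "lan" are likewise assumed), evaluates rules first-match with an implicit default deny, and includes the anti-spoofing check the text mentions: a packet arriving from the Internet whose source address claims to be internal is dropped before any pass rule is considered.

```python
"""Screened-subnet packet filtering simulation (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed topology; none of these addresses come from the thesis.
INTERNAL_NET = ip_network("10.0.0.0/24")   # internal (LAN) network
DMZ_NET = ip_network("192.0.2.0/24")       # perimeter network (DMZ)
BASTION = "192.0.2.10"                     # bastion host in the DMZ


@dataclass(frozen=True)
class Packet:
    iface: str              # ingress interface on the router doing the check
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                              # "pass" or "block"
    iface: str = "any"
    proto: str = "any"
    src: str = "any"                         # CIDR, single address or "any"
    dst: str = "any"
    dports: FrozenSet[int] = frozenset()     # empty = any destination port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface)
                and self.proto in ("any", p.proto)
                and _addr_in(self.src, p.src)
                and _addr_in(self.dst, p.dst)
                and (not self.dports or p.dport in self.dports))


def _addr_in(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule decides; a packet matching nothing is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return "block", "implicit default deny"


# Exterior router: "wan" faces the Internet, "dmz" faces the perimeter network.
EXTERIOR = [
    Rule("block", iface="wan", src=str(INTERNAL_NET),
         comment="anti-spoof: internal source address arriving from the Internet"),
    Rule("block", iface="wan", src=str(DMZ_NET),
         comment="anti-spoof: DMZ source address arriving from the Internet"),
    Rule("pass", iface="wan", proto="tcp", dst=BASTION, dports=frozenset({25, 80, 443}),
         comment="Internet may reach only the bastion's published services"),
    Rule("pass", iface="dmz", src=BASTION,
         comment="only the bastion may originate outbound traffic"),
]

# Interior router: "dmz" faces the perimeter network, "lan" faces the internal network.
INTERIOR = [
    Rule("pass", iface="dmz", src=BASTION, dst=str(INTERNAL_NET),
         comment="DMZ to internal only when started by the bastion"),
    Rule("pass", iface="lan", src=str(INTERNAL_NET), dst=BASTION,
         comment="internal hosts reach the outside only through the bastion proxy"),
]


def zone(addr: str) -> str:
    a = ip_address(addr)
    return "lan" if a in INTERNAL_NET else "dmz" if a in DMZ_NET else "internet"


# Routers crossed (with the ingress interface on each) by (source zone, destination zone).
PATHS = {
    ("internet", "dmz"): [(EXTERIOR, "wan")],
    ("internet", "lan"): [(EXTERIOR, "wan"), (INTERIOR, "dmz")],
    ("lan", "internet"): [(INTERIOR, "lan"), (EXTERIOR, "dmz")],
    ("lan", "dmz"): [(INTERIOR, "lan")],
    ("dmz", "lan"): [(INTERIOR, "dmz")],
    ("dmz", "internet"): [(EXTERIOR, "dmz")],
}


def decide(src: str, dst: str, proto: str = "tcp", dport: Optional[int] = None,
           arrives_from: Optional[str] = None) -> Tuple[str, str]:
    """Verdict for a flow: it must pass every router on its path.

    arrives_from models spoofing: the zone the packet physically comes from,
    when that differs from what its source address claims. Traffic that stays
    inside one zone never crosses a router and is not the firewall's concern.
    """
    src_zone = arrives_from or zone(src)
    for rules, iface in PATHS.get((src_zone, zone(dst)), []):
        action, why = evaluate(rules, Packet(iface, proto, src, dst, dport))
        if action != "pass":
            return "block", why
    return "pass", "allowed by every router on the path"


if __name__ == "__main__":
    print(decide("198.51.100.7", BASTION, "tcp", 443))
    print(decide("198.51.100.7", "10.0.0.5", "tcp", 443))
    print(decide("10.0.0.9", BASTION, "tcp", 443, arrives_from="internet"))
```

Note that a host on the internal network cannot reach the Internet directly (the interior router only passes traffic to the bastion), and a DMZ host other than the bastion cannot originate outbound traffic either: each of the three layers the text describes is visible as a separate rule set here.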

1.2.6. Limitations of firewalls

A firewall is not as intelligent as a human; it cannot read and understand each kind of information and analyze whether its content is good or bad. A firewall can only block intrusion by unwanted sources of information, and only when the address parameters are clearly specified.

A firewall cannot stop an attack that does not pass through it. Concretely, a firewall cannot defend against an attack over a dial-up line, or against information leaking because data is illegally copied onto a disk.

A firewall also cannot defend against data-driven attacks, where a program is carried by e-mail, crosses the firewall into the protected network and starts running there. Computer viruses are one example. A firewall cannot scan the data passing through it for viruses, because of the speed at which it must work, the constant appearance of new viruses, and the many ways data can be encoded to escape the firewall's control. A firewall can stop bad actors from outside, but what about bad actors on the inside? Nevertheless, the firewall remains an effective and widely deployed solution.

To achieve the best possible security for a system, a firewall should be used together with other network security measures, such as antivirus software, packaging software and data encryption. In particular, a security policy that is implemented appropriately and in depth is vital for getting the full benefit of any security software. It should also be remembered that technology is only one part of a security solution; another extremely important factor in its success is the cooperation of staff and colleagues.

1.3. VIRTUAL PRIVATE NETWORKS (VPN)

1.3.1. Introduction to VPN

1.3.1.1. VPN concept

A VPN is simply understood as the extension of a private network across public networks. Essentially, each VPN is a separate private network that uses a shared network (usually the Internet) to connect its sites (separate private networks) or many remote users. Instead of a dedicated physical connection such as a leased line, each VPN uses virtual connections routed over the Internet from the company's private network to its sites or remote employees. To send and receive data across the public network while preserving safety and confidentiality, a VPN provides mechanisms for encrypting the data in transit, creating a secure tunnel between sender and receiver that behaves like a point-to-point connection on a private network. To build that secure tunnel, the data must be encrypted and hidden; only the packet header, which carries the routing information, is exposed so that the packet can reach its destination over the public network quickly. Because the data is carefully encrypted, packets captured on the public network cannot be read, since the interceptor has no key to decrypt them. A link carrying encrypted and encapsulated data is called a VPN connection, and VPN connections are commonly called VPN tunnels.

Figure 1.9. Model of a typical VPN

1.3.1.2. Advantages of VPN

Cost: VPN technology saves substantially on leased-line rental or long-distance calls, replacing them with the cost of a local call. Using a connection to an ISP also allows the VPN and Internet access to be used at the same time. VPN technology makes the most efficient use of bandwidth and greatly reduces the cost of managing and maintaining the system.

Security: a VPN uses tunnelling and layer 2 and layer 3 protocols of the OSI model, user authentication, access control and data confidentiality through encryption. As a result it is highly secure and minimizes the risk of attack and data loss.

Ease of access: besides the resources on the VPN, VPN users can use the other services of the Internet without worrying about the complexity of the lower layers.
1.3.2. VPN architecture

The two basic Internet components that create a virtual private network are:
- Tunnelling, which allows a private network to be virtualized.
- A variety of security services, which keep the data private.

Figure 1.10. Structure of a tunnel

A tunnel is a connection between two endpoints, established when needed. The connection is released when no data is being transmitted, leaving bandwidth for other connections. It is a logical, virtual connection that does not depend on the physical structure of the network. It hides devices such as routers and switches and is transparent to the user.
1.3.3. Types of VPN

VPNs address the following three basic requirements:
- Remote access, connecting an organization's employees to its network resources.
- Connecting communications between remote branch offices.
- Controlled access to network resources, when needed, for customers, suppliers and important business partners of the company.

Based on these needs, VPNs today have developed into three main types:
- Remote Access VPNs: allow access at any time by remote and mobile users and by the communication devices of branch-office employees, connecting them to the organization's network resources.
- Intranet VPNs: the traditional way of connecting the intranets of a company's or organization's offices and branches is to use backbone routers.
- Extranet VPNs: unlike intranet and remote-access VPNs, an extranet is not completely isolated from the outside world; it allows business partners, such as customers, suppliers and partners who play an important role in the organization, to access the network resources they need.

1.3.4. Basic requirements for a VPN solution

- Compatibility: every company and enterprise has built its local and wide area networks on different procedures that do not follow a single standard of the service provider. Many networks do not use TCP/IP and therefore cannot connect directly to the Internet. To use an IP VPN, all private networks must move to an addressing scheme that follows the standard used on the Internet, add the capability to create virtual connections, and install an Internet gateway that converts their various procedures to standard IP.
- Security: security for the customer is the most important factor in a VPN solution. Users need assurance about their data as it crosses the network. A VPN achieves a level of safety comparable to that of a private network that they build and manage themselves. Providing this assurance must meet two goals:
  - Provide appropriate security features, including a password for every user on the network and encryption of data in transit.
  - Be simple to maintain, manage and use. It must be convenient and simple for both users and the network administrator to install and administer the system.
- Availability: a VPN solution must guarantee the quality and performance of the service as well as the transmission capacity.

CHAPTER 2. OVERVIEW OF THE PFSENSE FIREWALL

2.1. INTRODUCTION TO THE PFSENSE FIREWALL

To protect the internal network we can use a hardware firewall appliance such as Cisco's PIX Firewall, or a software firewall from Microsoft such as ISA. These, however, are relatively expensive. For users who do not want to spend money but still want a firewall to protect the internal network when it communicates with the outside network (the Internet), pfSense is an economical and reasonably effective solution.

pfSense is a free application that provides routing and firewall functions and lets you extend your network without compromising on security. Since it started in 2004, when m0n0wall, a security project focused on embedded systems, was still in its infancy, pfSense has been downloaded more than one million times and is used to protect networks of all sizes, from home networks to large corporate networks. The application has a very active development community, and many features are added with each release to further improve its security, stability and flexibility.

Figure 2.1. The pfSense logo

pfSense includes many features you would expect on commercial firewall or router appliances, such as a web-based graphical user interface (GUI) that makes management easy. While this free software has many impressive features for a free firewall/router, it also has some limitations.

pfSense supports filtering by source and destination address, source or destination port, and IP address. It also supports policy routing and can operate in bridge or transparent mode, which lets you simply place pfSense between network devices without any additional configuration. pfSense provides NAT and port forwarding, although it still has some limitations with the Point-to-Point Tunneling Protocol (PPTP), Generic Routing Encapsulation (GRE) and Session Initiation Protocol (SIP) when NAT is used.

pfSense is based on FreeBSD and on FreeBSD's Common Address Redundancy Protocol (CARP), which provides redundancy by letting administrators group two or more firewalls into an automatic failover group. Because it supports multiple wide area network (WAN) connections, it can perform load balancing. One limitation, however, is that it can only balance traffic distributed between two WAN connections and cannot direct particular traffic through one connection.

Figure 2.2. pfSense deployment model for a small enterprise


2.2. MAIN FUNCTIONS OF THE PFSENSE FIREWALL

2.2.1. Aliases

Figure 2.3. Firewall function: Aliases

With this feature we can group different ports, hosts or networks under one common name, so that rules can be written more easily and quickly. To reach Aliases in pfSense, go to Firewall => Aliases.

Figure 2.4. Setting up Firewall: Aliases

The components of Aliases:
- Host: groups IP addresses.
- Network: groups networks.
- Port: groups ports, but protocols cannot be grouped. Protocols are selected in the rules themselves.

2.2.2. Rules

This is where the firewall's rules are kept. To reach Rules in pfSense, go to Firewall => Rules.

Figure 2.5. Firewall function: Rules

By default pfSense allows all traffic in and out of the system. You must create rules to manage the network behind the firewall.

Some of the options for Destination and Source:
- Any: everything.
- Single host or alias: one IP address or one alias.
- LAN subnet: the LAN network.
- Network: a network address.
- LAN address: all internal network addresses.
- WAN address: all external network addresses.
- PPTP clients: clients connecting to the VPN with the PPTP protocol.
- PPPoE clients: clients connecting to the VPN with the PPPoE protocol.

2.2.3. Firewall Schedules

Firewall rules can be scheduled so that they are active only at certain times of day, on specific dates, or on certain days of the week. This is a very useful mechanism and matches the needs of enterprises that want to manage employees' Internet use during office hours.

To create a new schedule, go to Firewall => Schedules and click the + button.

Example: here we create a schedule named GioLamViec for June, Monday to Saturday, from 07:00 to 17:00.

Figure 2.6. Setting up a Firewall Schedule

After filling it in, click Add Time => Save.

Figure 2.7. Firewall Schedules function
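What a schedule actually does to a rule is easy to see in code. The following Python is an added example for this page, not code from the thesis or from pfSense. It models the GioLamViec schedule described above (June, Monday to Saturday, 07:00 to 17:00) and a small constructed LAN rule set in which web access is tied to the schedule while mail is always allowed. A scheduled rule outside its window is skipped as if it were absent, so the packet falls through to whatever follows (here, the default block). That the window ends at exactly 17:00:00, with 17:00 itself excluded, is an assumption of this model.

```python
"""Schedule-gated firewall rules (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Schedule:
    name: str
    months: FrozenSet[int]      # 1 = January ... 12 = December
    weekdays: FrozenSet[int]    # 0 = Monday ... 6 = Sunday
    start: time                 # inclusive
    end: time                   # exclusive (assumption: "until 17:00" closes at 17:00:00)

    def is_active(self, at: datetime) -> bool:
        return (at.month in self.months
                and at.weekday() in self.weekdays
                and self.start <= at.time() < self.end)


# The schedule the text describes: June, Monday to Saturday, 07:00 to 17:00.
GIO_LAM_VIEC = Schedule("GioLamViec", months=frozenset({6}),
                        weekdays=frozenset(range(0, 6)),
                        start=time(7, 0), end=time(17, 0))


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    dport: int
    schedule: Optional[Schedule] = None  # None = rule is always active
    comment: str = ""

    def applies(self, dport: int, at: datetime) -> bool:
        # A scheduled rule outside its window is skipped as if absent.
        if self.schedule is not None and not self.schedule.is_active(at):
            return False
        return self.dport == dport


# Constructed LAN rule set: web only in office hours, outbound mail at any time.
LAN_RULES: List[Rule] = [
    Rule("pass", 80, GIO_LAM_VIEC, "web during office hours"),
    Rule("pass", 443, GIO_LAM_VIEC, "web during office hours"),
    Rule("pass", 25, None, "outbound mail at any time"),
]


def decide(dport: int, at: datetime, rules: List[Rule] = LAN_RULES) -> str:
    """First applicable rule wins; nothing applicable means block."""
    for r in rules:
        if r.applies(dport, at):
            return r.action
    return "block"


def decide_at(dport: int, when: str, rules: List[Rule] = LAN_RULES) -> str:
    """Same decision from an ISO 8601 timestamp, e.g. one taken from a log line."""
    return decide(dport, datetime.fromisoformat(when), rules)


if __name__ == "__main__":
    for stamp in ("2012-06-04T09:00", "2012-06-04T17:00", "2012-06-10T12:00"):
        print(stamp, decide_at(80, stamp))
```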


2.2.4. NAT

Under Firewall you can also configure NAT settings if you need port forwarding for services, or 1:1 NAT for specific hosts. The default setting for outbound connections is "Automatic outbound NAT", but you can switch to "Manual outbound NAT" if necessary.

In this example we NAT port 1723 (PPTP) for the VPN configuration, with the NAT target IP 192.168.2.100.

Figure 2.8. NAT function


2.2.5. Traffic Shaper (bandwidth management)

The Traffic Shaper feature helps you monitor and manage network bandwidth more easily and effectively. To configure it, choose Firewall => Traffic Shaper => Next.

Figure 2.9. Traffic Shaper function

2.2.6. Virtual IPs

Figure 2.10. Virtual IPs function

Virtual IPs allow pfSense to forward traffic correctly for things like NAT port forwarding, outbound NAT and 1:1 NAT. They also enable features such as failover, and can let services on the router bind to different IP addresses.
- CARP
  - Can be used by the firewall itself to run services on, or can be forwarded.
  - Generates layer 2 traffic for the VIP.
  - Can be used for clustering (master firewall and standby firewall failover).
  - The VIP must be in the same IP subnet as the interface's real IP.
  - Answers ICMP ping if allowed by the firewall rules.
- Proxy ARP
  - Cannot be used by the firewall itself, but can be forwarded.
  - Generates layer 2 traffic for the VIP.
  - The VIP can be in a different subnet from the interface's real IP.
  - Does not answer ICMP ping.
- Other
  - Can be used if your provider routes the VIP to you anyway, without needing a layer 2 announcement.
  - Cannot be used by the firewall itself, but can be forwarded.
  - The VIP can be in a different subnet from the interface IP.
  - Does not answer ICMP ping.

2.3. SOME SERVICES OF THE PFSENSE FIREWALL

2.3.1. Captive Portal

The captive portal lets the administrator redirect clients to another web page, where the client may have to authenticate before connecting to the Internet. The captive portal feature is under Services => Captive Portal.

Figure 2.11. Captive Portal service

- Captive portal: fine-tunes the functions of the captive portal.
- Enable captive portal: tick this to use the captive portal.
- Maximum concurrent connections: limits the connections per IP/user/MAC.
- Idle timeout: if an IP has not accessed the network for a set period, the IP/user/MAC is disconnected.
- Hard timeout: limits the total connection time of each IP/user/MAC.
- Logout popup window: shows a popup notification to the IP/user/MAC.
- Redirect URL: the URL the user is sent to after logging in.
- Pass-through MAC: MAC addresses configured here are let through without authentication.
- Allowed IP address: IP addresses configured here are not authenticated.
- Users: creates local users for the "local user" authentication type.
- File Manager: uploads the captive portal's page to pfSense.

There are three ways of authenticating clients:
- No authentication: pfSense redirects the user to a fixed page without authenticating.
- Local user manager: pfSense creates the users used for authentication.
- RADIUS authentication: authentication against a RADIUS server (you must specify the RADIUS server's IP address, port, and so on).
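The settings listed above combine into one access decision per client packet. The following Python is an added example for this page, not code from the thesis or from pfSense. It models the local user manager (passwords stored as salted PBKDF2 hashes, compared in constant time), the pass-through MAC and allowed IP exemptions, and the two timeouts: the idle timeout is measured from the last packet seen, while the hard timeout is measured from login and ends the session even if the client is still active. Clients, MAC addresses, IP addresses and times (plain seconds) are all constructed.

```python
"""Captive-portal access decisions (added example, constructed data)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

UserRecord = Tuple[bytes, bytes, int]   # (salt, PBKDF2 digest, iterations)


def make_local_user(password: str, iterations: int = 20000) -> UserRecord:
    """Local user manager entry: store a salted hash, never the clear-text password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


def verify_local_user(record: UserRecord, password: str) -> bool:
    salt, digest, iterations = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest, candidate)   # constant-time comparison


@dataclass
class Session:
    user: str
    started: float       # seconds; when the client authenticated
    last_seen: float     # seconds; last traffic seen from the client


@dataclass
class CaptivePortal:
    users: Dict[str, UserRecord]
    idle_timeout: int = 600        # seconds of silence before the session is dropped; 0 disables
    hard_timeout: int = 3600       # maximum session length in seconds; 0 disables
    passthrough_macs: Set[str] = field(default_factory=set)
    allowed_ips: Set[str] = field(default_factory=set)
    sessions: Dict[str, Session] = field(default_factory=dict)   # keyed by client MAC

    def login(self, mac: str, user: str, password: str, now: float) -> bool:
        """Local-user authentication; a successful login opens a session for the MAC."""
        record = self.users.get(user)
        if record is None or not verify_local_user(record, password):
            return False
        self.sessions[mac] = Session(user, started=now, last_seen=now)
        return True

    def expire(self, mac: str, now: float) -> Optional[str]:
        """Drop the session if a timeout has elapsed; return the reason, if any."""
        s = self.sessions.get(mac)
        if s is None:
            return None
        if self.hard_timeout and now - s.started >= self.hard_timeout:
            del self.sessions[mac]
            return "hard timeout"
        if self.idle_timeout and now - s.last_seen >= self.idle_timeout:
            del self.sessions[mac]
            return "idle timeout"
        return None

    def check(self, mac: str, ip: str, now: float) -> str:
        """Decision for a packet from this client: "pass", or "redirect" to the portal page."""
        if mac in self.passthrough_macs or ip in self.allowed_ips:
            return "pass"                       # exempt from authentication
        self.expire(mac, now)
        s = self.sessions.get(mac)
        if s is None:
            return "redirect"
        s.last_seen = now                       # traffic keeps the idle timer alive
        return "pass"


if __name__ == "__main__":
    portal = CaptivePortal(users={"alice": make_local_user("correct horse")})
    mac = "00:11:22:33:44:03"                   # constructed client
    print(portal.check(mac, "10.0.0.21", 0))    # redirect: not logged in
    print(portal.login(mac, "alice", "correct horse", 0))
    print(portal.check(mac, "10.0.0.21", 100))  # pass
```

The pass-through MAC exemption is checked before anything else, which is exactly why it should be reserved for devices that cannot present a login page (printers, for instance) and not used as a convenience: a MAC address is trivially readable on the local segment, so the exemption is an identity claim the portal never verifies.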

2.3.2. DHCP Server

This service lets pfSense assign IP addresses and configuration information to clients on the LAN. The feature is under Services => DHCP server.

Figure 2.12. Running the DHCP Server service

Enable dynamic IP assignment for client machines.

Figure 2.13. Dynamic IP assignment

A permanent IP address can also be assigned to any computer on the network.

Figure 2.14. Static IP assignment

2.3.3. DHCP Relay

Figure 2.15. DHCP Relay service

This service lets pfSense forward the IP requests of clients on a given subnet to a specified DHCP server. Only one of the two services, DHCP server and DHCP relay, may run at a time.
2.3.4. Load Balancer

With this function you can distribute network traffic, which is also known as network load balancing.

Figure 2.16. Load Balancer service

pfSense has two kinds of load balancing:
- Gateway load balancing: used when there are several WAN connections. When a client on the LAN wants to connect to the Internet, pfSense chooses a WAN interface and sends the packet out through it, balancing the load across the links.
- Server load balancing: balances the load across your own servers. It is commonly used for web servers and mail servers, and a server that stops working is removed from the pool.
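The two behaviours named in this section, spreading new connections across the available links and removing a member that has stopped answering, can be shown in a few dozen lines. The following Python is an added example for this page, not pfSense's own implementation. It uses the two gateways of the deployment in chapter 3 (WAN at 192.168.1.1 and OPT1 at 192.168.2.1) as constructed pool members, marks a gateway down after a configurable number of consecutive failed monitor probes and brings it back on the first successful one, and keeps an existing flow on its gateway for as long as that gateway is up so that established connections are not broken by every new round-robin choice. The same pool logic applies to the server load balancing variant.

```python
"""Gateway load balancing with dead-gateway removal (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int]   # (source IP, destination IP, destination port)


@dataclass
class Gateway:
    name: str
    address: str
    failures: int = 0       # consecutive failed monitor probes
    alive: bool = True


@dataclass
class GatewayPool:
    gateways: List[Gateway]
    fail_threshold: int = 3            # lost probes before a gateway is marked down
    _next: int = 0                     # round-robin cursor
    _flows: Dict[FlowKey, str] = field(default_factory=dict)   # flow -> gateway name

    def record_probe(self, name: str, ok: bool) -> None:
        """Feed one monitor result (for example a ping sent through that gateway)."""
        for g in self.gateways:
            if g.name != name:
                continue
            if ok:
                g.failures, g.alive = 0, True
            else:
                g.failures += 1
                if g.failures >= self.fail_threshold:
                    g.alive = False

    def live(self) -> List[str]:
        return [g.name for g in self.gateways if g.alive]

    def pick(self, flow: FlowKey) -> Optional[str]:
        """Gateway for a flow: sticky while its gateway is up, round-robin for new flows."""
        live = [g for g in self.gateways if g.alive]
        if not live:
            return None                        # every link is down
        current = self._flows.get(flow)
        if current in {g.name for g in live}:
            return current                     # keep the connection on its gateway
        chosen = live[self._next % len(live)]  # spread new (or re-pinned) flows
        self._next += 1
        self._flows[flow] = chosen.name
        return chosen.name


def demo_pool() -> GatewayPool:
    """Pool matching the chapter 3 deployment: WAN and OPT1 (constructed members)."""
    return GatewayPool([Gateway("WAN", "192.168.1.1"), Gateway("OPT1", "192.168.2.1")])


if __name__ == "__main__":
    pool = demo_pool()
    print(pool.pick(("10.0.0.5", "203.0.113.1", 80)))   # WAN
    print(pool.pick(("10.0.0.6", "203.0.113.1", 443)))  # OPT1
    for _ in range(3):
        pool.record_probe("WAN", False)
    print(pool.live())                                  # ['OPT1']
```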

2.3.5. VPN PPTP

To use this function go to VPN => PPTP.
- Tick Enable PPTP server to turn on the VPN feature.
- Server address: the address the clients will connect to.
- Remote address range: the range of IP addresses assigned to VPN clients when they connect.
- RADIUS: authenticate through RADIUS.

Figure 2.17. VPN PPTP service

- Click Save and switch to the Users tab to create accounts.

Figure 2.18. Creating a VPN user

- Rules must also be created to let VPN clients access the network.

Figure 2.19. Creating a VPN rule

2.3.6. Other functions

- System log: monitors the activity of the pfSense system and of the services it provides. Every system and service event is recorded.
- System Status: lists information about the state of the system.
- Service Status: shows the state of every service on the system. Each service has two states: running and stopped.
- Interface Status: shows information about all network interfaces.
- RRD Graph: shows information as graphs. The information RRD Graph displays is: System, Traffic, Packet, Quality, Queues.

CHAPTER 3. INSTALLING AND DEPLOYING THE PFSENSE FIREWALL

3.1. INSTALLING THE PFSENSE FIREWALL

3.1.1. Deployment model

One important characteristic is that installing and running pfSense does not require the high specifications that today's new software demands. A computer with a Pentium III CPU, 128 MB of RAM and a 1 GB hard disk is enough to build a pfSense firewall protecting the internal network.

Specifically, in this model the pfSense server has two WAN connections and one link into the LAN. The purpose of the two WAN connections is to provide load balancing and a backup Internet connection for the network. An enterprise that has no need, or no means, to rent two WAN connections can of course use a single one.

While carrying out this project, only one Internet connection and no server were available. The system is therefore deployed on VMware, using a Windows Server 2003 virtual machine to split the single connection into two (through its Routing and Remote Access feature) so that load balancing can be deployed; the pfSense server also runs on VMware.
3.1.1.1. Real-world model

Figure 3.1. Real-world deployment model

3.1.1.2. Simulated model

Figure 3.2. Simulated deployment model

The model above is built with VMware Workstation, specifically:

Windows Server 2003 virtual machine
- It has 3 network interfaces:
  - The first interface (the default interface) is bridged to the outside for Internet access. Its IP is 192.168.0.2/24, gateway 192.168.0.1/24.
  - The second interface, Adapter 2, is connected to VMnet 2, with IP 192.168.1.1/24.
  - The third interface, Adapter 3, is connected to VMnet 3, with IP 192.168.2.1/24.

pfSense virtual machine
- It has 3 network interfaces: 2 connected to the 2 interfaces of Windows Server 2003 to provide 2 routes to the Internet, and 1 connected to the LAN.
  - The first interface (the default interface) connects to VMnet 2 with IP 192.168.1.2/24 (gateway 192.168.1.1).
  - The second interface, Adapter 2, connects to VMnet 3 with IP 192.168.2.2/24 (gateway 192.168.2.1).
  - The third interface, Adapter 3, connects to VMnet 4 (the LAN interface) with IP 10.0.0.1/24.

3.1.2. Installing the system

3.1.2.1. Installing Routing and Remote Access on Windows Server 2003

The purpose of this step is to simulate 2 Internet (WAN) connections. If 2 Internet connections are already available, this step is unnecessary: connect the two lines directly to the 2 interfaces of the pfSense machine.

After adding the 2 interfaces and configuring their IP addresses, start configuring Routing and Remote Access. Go to Administrative Tools => Routing and Remote Access and choose Configure and Enable to turn on Routing and Remote Access.

Figure 3.3. Configuring Routing and Remote Access

Figure 3.4. Result after configuration

3.1.2.2. Installing pfSense

Install pfSense in the usual way. Pay attention to the mode selection step: remember to press 99 to enter the installer mode.

Figure 3.5. Choosing the installation mode

Choose n (no) when asked to set up VLANs.

Figure 3.6. VLAN setup

The next step is to assign the physical interfaces to the LAN, WAN and OPT1 interfaces (OPT1 is an additional optional interface; here it serves as the second WAN interface). In this case em0 is the WAN interface (the VMnet 2 card), em1 is the OPT1 interface (VMnet 3) and em2 is the LAN interface (VMnet 4).

After declaring the LAN interface, assign an IP to the LAN card by choosing the corresponding number on the console screen. Once the LAN IP is assigned, we can open the pfSense webConfigurator by typing http://$LAN_interface_address into a web browser (here http://10.0.0.1) and logging in with the default account (admin/pfsense).
3.2. CONFIGURING THE PFSENSE FIREWALL

3.2.1. Configuring the network interfaces of the pfSense firewall

A Windows XP VM with its interface attached to VMnet 4 is used as the client in the LAN. Every configuration step and every connectivity test that follows is carried out from this machine.
Now use the webConfigurator to set a static IP address and gateway for the WAN and OPT1 interfaces (menu Interfaces => <interface name>) and to hand out addresses by DHCP to the LAN hosts through the LAN interface (Services => DHCP server, LAN tab).

Check the state of the interfaces under Status => Interfaces. Each interface should show a status of "up".

Figure 3.7. WAN interface

Figure 3.8. LAN interface

Figure 3.9. OPT1 interface

Declare the DNS servers pfSense should use under System => General Setup.

Figure 3.10. Declaring the DNS servers


3.2.2. Configuring Load Balancing

3.2.2.1. Configuring Load Balancing

To configure load balancing, choose Services => Load Balancer.
Under Behavior choose Load Balancing, then add WAN and OPT1 to the load-balancing pool. Choose Save to store the configuration.

Figure 3.11. Configuring Load Balancing

3.2.2.2. Firewall Rule

Go to Firewall => Rules and create the rule on the LAN tab. The rule's gateway must be set to the pool created above; a LAN rule left on the default gateway sends all traffic out through WAN alone and the second uplink is never used.

Figure 3.12. Setting up the rule for Load Balancing
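What the pool does once the LAN rule points at it: pfSense monitors each member, spreads new outbound sessions round-robin over the members that still answer, and keeps an established session on the gateway it started on. The Python model below is an added example and not pfSense code; it reproduces that behaviour on constructed traffic so the failover cases can be seen. The threshold of three missed probes, the monitor addresses and the sample flows are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Member:
    name: str        # pfSense interface in the pool, e.g. "WAN" or "OPT1"
    gateway: str     # next hop behind that interface
    monitor_ip: str  # address the monitor pings to decide whether the link is usable


# A LAN session is identified by (source host, destination, destination port).
Flow = Tuple[str, str, int]


class GatewayPool:
    """Round-robin gateway pool with link monitoring and per-session stickiness."""

    def __init__(self, members: Iterable[Member], failures_to_mark_down: int = 3):
        self.members = list(members)
        self.threshold = failures_to_mark_down   # assumed value, not a pfSense default
        self.failed_probes = {m.name: 0 for m in self.members}
        self._rr = 0                             # round-robin cursor for new sessions
        self.states: Dict[Flow, str] = {}        # established session -> member carrying it

    def alive(self) -> List[Member]:
        return [m for m in self.members if self.failed_probes[m.name] < self.threshold]

    def record_probe(self, name: str, answered: bool) -> None:
        """Feed one monitor result; consecutive misses remove the member, one reply restores it."""
        self.failed_probes[name] = 0 if answered else self.failed_probes[name] + 1

    def route(self, flow: Flow) -> Optional[str]:
        """Member carrying this flow: the one it is pinned to if still alive, otherwise the next in turn."""
        alive = self.alive()
        alive_names = {m.name for m in alive}
        pinned = self.states.get(flow)
        if pinned in alive_names:
            return pinned
        if not alive:
            self.states.pop(flow, None)
            return None  # every uplink is down: nothing to route through
        chosen = alive[self._rr % len(alive)]
        self._rr += 1
        self.states[flow] = chosen.name
        return chosen.name


def demo() -> List[Optional[str]]:
    """Walk the pool through both uplinks of the lab on constructed traffic."""
    pool = GatewayPool([
        Member("WAN", "192.168.1.1", "192.168.1.1"),
        Member("OPT1", "192.168.2.1", "192.168.2.1"),
    ])
    web = ("10.0.0.10", "203.0.113.10", 80)
    mail = ("10.0.0.11", "203.0.113.25", 443)
    dns = ("10.0.0.12", "203.0.113.53", 53)
    picks: List[Optional[str]] = []
    picks += [pool.route(f) for f in (web, mail, dns)]   # new sessions alternate WAN, OPT1, WAN
    picks.append(pool.route(web))                         # later packet of the same session stays on WAN
    for _ in range(3):
        pool.record_probe("OPT1", False)                  # OPT1 monitor stops answering
    picks.append(pool.route(("10.0.0.13", "203.0.113.53", 53)))  # new session: only WAN is left
    picks.append(pool.route(mail))                        # was pinned to OPT1, moves to WAN
    for _ in range(3):
        pool.record_probe("WAN", False)                   # WAN fails as well
    picks.append(pool.route(dns))                         # nothing alive: no route
    pool.record_probe("OPT1", True)                       # OPT1 recovers
    picks.append(pool.route(dns))                         # traffic resumes over OPT1
    return picks


if __name__ == "__main__":
    print(demo())
```

The sequence shows the two things to verify from the XP client after the configuration: with both uplinks up, consecutive new connections leave through alternating WANs, and when one monitor address stops answering, everything moves to the remaining uplink rather than failing.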


3.2.3. Configuring the Captive Portal

The captive portal feature is under Services => Captive Portal.

Figure 3.13. Captive Portal

Create a page index.htm with the following content (the $PORTAL_...$ tokens are placeholders that pfSense fills in when it serves the page):
<!-- Login form for the pfSense captive portal. pfSense replaces $PORTAL_ACTION$ with the
     portal's own submit URL and $PORTAL_REDIRURL$ with the page the client originally requested. -->
<form method="post" action="$PORTAL_ACTION$">
  <!-- auth_user and auth_pass are the field names the portal expects -->
  <input name="auth_user" type="text">
  <input name="auth_pass" type="password">
  <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
  <input name="accept" type="submit" value="Continue">
</form>
Then choose Browse under Portal page contents and upload this file. Click Save.
Finally, create the users in the Users tab of the captive portal. Because this form posts the username and password to the portal, enable the HTTPS login option in the captive portal settings so the credentials do not cross the LAN in clear text.

Figure 3.14. Creating users for the captive portal


3.2.4. Configuring the VPN Server

3.2.4.1. Configuring the VPN Server

To configure the VPN server on the pfSense machine, choose VPN => PPTP.

Figure 3.15. Configuring the PPTP VPN

Create the users that are allowed to connect as VPN clients to the VPN server.

Figure 3.16. Creating VPN users

Create a rule opening port 1723. PPTP also needs GRE (IP protocol 47) to be passed on the WAN interface; with only TCP/1723 open the client can authenticate but the tunnel carries no data.
PPTP authenticates with MS-CHAPv2, which has known cryptographic weaknesses, and later pfSense releases removed the PPTP server altogether; outside a lab, OpenVPN or IPsec is the appropriate choice.

Figure 3.17. Creating the rule for the VPN
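A quick way to see why the rule above is incomplete on its own: evaluate the WAN rule set the way pfSense does, top to bottom with the first match winning and an implicit deny at the end, for the two kinds of traffic a PPTP client sends. The evaluator and the three rule sets below are an added example, not pfSense code; the rule sets are constructed to mirror the thesis (port 1723 only), the completed version, and a block rule placed above the pass rules.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    interface: str                  # tab the rule lives on: "WAN", "LAN", "OPT1"
    action: str                     # "pass" or "block"
    proto: str                      # "tcp", "udp", "gre" or "any"
    dst_port: Optional[int] = None  # destination port; None matches any port or a protocol without ports


def decision(rules: List[Rule], interface: str, proto: str, dst_port: Optional[int]) -> str:
    """First matching rule wins, as in pfSense; no match falls through to the implicit default deny."""
    for rule in rules:
        if rule.interface != interface:
            continue
        if rule.proto not in ("any", proto):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.action
    return "block"


def pptp_gaps(rules: List[Rule], wan: str = "WAN") -> List[str]:
    """What is still missing on the WAN tab for PPTP clients to connect and pass traffic."""
    gaps: List[str] = []
    if decision(rules, wan, "tcp", 1723) != "pass":
        gaps.append("TCP/1723 (PPTP control channel) is not passed on " + wan)
    if decision(rules, wan, "gre", None) != "pass":
        gaps.append("GRE (IP protocol 47, the PPTP tunnel) is not passed on " + wan)
    return gaps


# Constructed rule sets for the check.
PORT_ONLY = [Rule("WAN", "pass", "tcp", 1723)]                 # the rule as the thesis describes it
COMPLETE = PORT_ONLY + [Rule("WAN", "pass", "gre")]            # control channel plus tunnel
SHADOWED = [Rule("WAN", "block", "any")] + COMPLETE            # a block-all above them: order matters


if __name__ == "__main__":
    for label, rules in (("port only", PORT_ONLY), ("complete", COMPLETE), ("shadowed", SHADOWED)):
        print(label, pptp_gaps(rules) or ["ok"])
```

The same two checks apply to the Windows Server 2003 machine in this lab, since the pfSense WAN addresses sit behind it: it has to forward TCP/1723 to pfSense and pass GRE through, or a client outside the lab never reaches the VPN server.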


3.2.4.2. Configuring inbound NAT so VPN clients can reach pfSense

Choose the menu Firewall => NAT.

Figure 3.18. Configuring inbound NAT for the VPN


3.3. TESTING AND OPTIMISING THE SYSTEM

After the required services have been configured on the system, the next step, which is just as important, is to test the configured services to make sure the system is secure and runs stably. A wrong or non-optimal configuration leaves the whole system insecure and unstable.
Testing and optimisation must be carried out in detail for every function deployed on the system. They also have to be repeated periodically so that the system stays in its best state.

CONCLUSION
There are many solutions for protecting the internal network, such as Cisco routers or Microsoft's firewall, ISA.
However, the components listed above are relatively expensive. For users who do not want to spend money but still want a firewall protecting the internal network (the local network) when it communicates with the outside network (the Internet), pfSense is an economical and reasonably effective solution.
Another important point is that installing, configuring and using pfSense does not require hardware as powerful as current software does. A Pentium III machine with 128 MB of RAM and a 1 GB hard disk is enough to build a pfSense firewall protecting the internal network.
pfSense is an application with routing and strong firewall functions, and it allows a network to be extended without compromising on security. The software is compact, easy to configure through its web interface and, notably, able to install additional packages to extend its features.
The pfSense firewall can meet the needs of a small business network because it is easy to manage and provides many of the features found in commercial products. Nevertheless, some features used in large enterprises remain limited. With limited time and practical conditions, I only got as far as researching and deploying the necessary functions; I have not deployed it on a real-world model and therefore could not fully evaluate the advantages and disadvantages of this application.

Research and deployment of an open-source firewall system for small and medium enterprises


Nguyễn Đức Trung, Class CCMM03C

SUPERVISOR'S COMMENTS