
Implementing Firewall Technologies: Description: Below is the network system that is to be built. The firewall system uses a two-layer firewall model.

Traffic from the Internet first reaches the router system; behind the routers sits the two-layer firewall system. The first layer is an ISA Server 2006 firewall and the second layer is a Cisco ASA 5510 hardware firewall. Overview model:

[Overview diagram: Viettel and FPT Internet links and Remote Access VPN users -> Firewall ISA 2006 (DMZ1) -> Firewall ASA 55xx (DMZ2)]

The ISA Server 2006 firewall has 3 network cards: one card for the Outbound connection; one card for the Inbound connection (this Inbound side connects to the Cisco ASA 5510 firewall); and one card for the DMZ 1 zone (this DMZ contains the Web server, FTP server and Mail server), which customers and staff are allowed to access.

The Cisco ASA firewall likewise uses 3 interfaces: one interface for the Outbound connection, which connects to the Inbound side of the ISA 2006 firewall; one interface for the Inbound connection (the Inbound side comprises the DC system and the users). The DC system is tightly controlled by the policies of both the ISA and ASA firewalls, and no access from the external Internet into this system is allowed. One interface connects to the DMZ 2 zone. This zone is reserved for departments or staff with the authority and permissions to operate on and process the data held there (to be covered in the policies on access control management, information security organisation, asset management and staff use of assets). The DMZ 2 system is tightly controlled by the policies of the ISA and PIX firewalls; no access from the external Internet is allowed, and DMZ 2 is responsible for continually updating and backing up the data needed by the DMZ 2 system that serves customers. Top-secret information is kept in DMZ 2 under the strict control of both firewalls. The ASA firewall is configured to secure the VPN tunnels of users and customers coming in from outside, authenticated by the CA server in DMZ 2.

Some configuration steps on the Cisco ASA 5510:

1. Log in (default password: blank) and configure the interfaces:

ciscoasa> enable
Password: (press Enter; the default password is blank)
ciscoasa# configure terminal
ciscoasa(config)# hostname ASA5510
ASA5510(config)# interface Ethernet0/0
ASA5510(config-if)# no shutdown
ASA5510(config-if)# nameif outside
(Interface name; this interface connects to the outside network.)
ASA5510(config-if)# security-level 0
(Because the outside network is untrusted, its security level is set to 0.)
ASA5510(config-if)# ip address 200.200.200.1 255.255.255.0

The Inside and DMZ interfaces are configured the same way:


ASA5510(config)# interface Ethernet0/1
ASA5510(config-if)# nameif inside
ASA5510(config-if)# security-level 100
ASA5510(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5510(config-if)# no shutdown

ASA5510(config)# interface Ethernet0/2
ASA5510(config-if)# nameif DMZ
ASA5510(config-if)# security-level 50
ASA5510(config-if)# ip address 30.30.30.1 255.255.255.0
ASA5510(config-if)# no shutdown

Note: by default an interface with a higher security level can reach interfaces with a lower level, but not the reverse. This is a very useful security property of the Cisco ASA. Interfaces with equal security levels cannot reach each other either; that case is handled with the following command:

same-security-traffic permit inter-interface

2. Configure Telnet:

Telnet:
The ASA only accepts Telnet packets whose source IP is in the 192.168.1.0/24 network, and the default username is admin.

Telnet authenticates against the LOCAL database; LOCAL is the default keyword on the ASA family. Configuration steps:

Step 1: Create the username and password
ciscoasa(config)# username admin password tnpass privilege 15

Step 2: Enable Telnet authentication on the ASA

ciscoasa(config)# telnet 192.168.1.0 255.255.255.0 inside
ciscoasa(config)# aaa authentication telnet console LOCAL

The telnet command restricts Telnet to sources in 192.168.1.0/24 arriving on the inside interface, as stated above. The ASA does not accept Telnet on its lowest-security interface (outside), and Telnet carries the credentials in cleartext; SSH (section 3) should be preferred for management.

3. Configure SSH:

The ASA only accepts SSH packets whose source IP is in the 192.168.1.0/24 network, and the default username is admin. Configuring SSH on the ASA is similar to configuring it on a router; the one difference is that SSH authentication is turned on with an aaa command. Configuration steps:

Step 1: Create the username and password
ciscoasa(config)# username admin password tnpass privilege 15

Step 2: Enable AAA (authenticate SSH logins against the LOCAL database)

ciscoasa(config)# aaa authentication ssh console LOCAL

Step 3: Create the domain name for the SSH process

ciscoasa(config)# domain-name tn

Step 4: Create the key (1024-bit modulus)
ciscoasa(config)# crypto key generate rsa modulus 1024

Step 5: Choose the SSH version
ciscoasa(config)# ssh version 2

Step 6: Enable SSH access (the ASA has no VTY lines; SSH is permitted per source network and interface)

ciscoasa(config)# ssh 192.168.1.0 255.255.255.0 inside

(On IOS routers the equivalent steps use aaa new-model, ip domain-name, ip ssh version 2 and line vty; those forms are not accepted on the ASA.)

4. Allow the ASA to be configured via ASDM:

The ASA only accepts ASDM configuration from sources in the 192.168.1.0/24 network, with the default username admin. ASDM must be installed directly on the flash. Configuration steps:

Step 1: Create the username and password
ciscoasa(config)# username admin password tnpass privilege 15

Step 2: Define the IP range allowed to configure the device and authenticate against the ASA's database (the interface argument must be an existing nameif; 192.168.1.0/24 sits behind inside)

ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside
ciscoasa(config)# aaa authentication http console LOCAL

Step 3: Enable the HTTP server

ciscoasa(config)# http server enable

Step 4: Define where the ASDM image is stored
ciscoasa(config)# asdm image disk0:/asdm-621.bin

5. Manage licenses:

View the ASA's license:
ciscoasa# show version

Change the license (key-id stands for the activation key issued by Cisco):
ciscoasa(config)# activation-key key-id

7. NAT for the internal network going out:

ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ciscoasa(config)# global (outside) 1 interface

(This is the pre-8.3 nat/global syntax: inside hosts in 192.168.1.0/24 are translated with PAT to the outside interface address.)

8. NAT for Inside into the DMZ 2 zone:

ciscoasa(config)# static (inside,DMZ) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
ciscoasa(config)# static (inside,DMZ) 192.168.4.0 192.168.4.0 netmask 255.255.255.128

(These are identity translations: the 192.168.3.0/24 and 192.168.4.0/25 addresses appear unchanged on the DMZ side.)

9. Configure access to the services on the servers:

ciscoasa(config)# access-list ACCESS_DMZ extended permit tcp any host 192.168.3.1 eq www
ciscoasa(config)# access-list ACCESS_DMZ extended permit tcp any host 192.168.3.1 eq 3389
ciscoasa(config)# access-list ACCESS_DMZ extended permit tcp any host 192.168.3.2 eq ftp

An access list has no effect until it is bound to an interface with access-group. Note that the second entry opens RDP (3389) on 192.168.3.1 to any source; in practice the source should be limited to the management network.
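The two forwarding rules this page relies on, the default security-level rule from the note after the interface configuration and the ACCESS_DMZ extended access list above, as an added Python model (not code from the page or from Cisco). It assumes the ACL is bound inbound on the outside interface and that unbound interfaces fall back to the level rule; port names and levels are the page's, the packet tuples in the test are constructed.

```python
import re

# Security levels and port names from the page; ACE_RE matches its extended ACE form.
LEVELS = {"outside": 0, "inside": 100, "DMZ": 50}
PORT_NAMES = {"www": 80, "ftp": 21, "ssh": 22, "telnet": 23}
ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) "
                    r"(any|host \S+) (any|host \S+)(?: eq (\S+))?$")

def parse_acl(config_lines, name):
    """Return the ACEs of ACL `name`, in order, as (action, proto, src, dst, port)."""
    aces = []
    for line in config_lines:
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == name:
            port = m.group(6)
            if port is not None:
                port = int(port) if port.isdigit() else PORT_NAMES[port]
            aces.append((m.group(2), m.group(3), m.group(4), m.group(5), port))
    return aces

def _addr_match(spec, ip):
    return spec == "any" or spec == f"host {ip}"

def acl_permits(aces, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation with the ASA's implicit deny at the end of the list."""
    for action, p, src, dst, port in aces:
        if (p in (proto, "ip") and _addr_match(src, src_ip)
                and _addr_match(dst, dst_ip) and port in (None, dst_port)):
            return action == "permit"
    return False

def level_rule_permits(in_if, out_if, same_security_inter=False):
    """Default rule when no ACL is bound to the ingress interface (the page's note on levels)."""
    if LEVELS[in_if] == LEVELS[out_if]:
        return same_security_inter        # needs: same-security-traffic permit inter-interface
    return LEVELS[in_if] > LEVELS[out_if]  # higher level may reach lower, never the reverse

def forward(in_if, out_if, proto, src_ip, dst_ip, dst_port, acls, same_security_inter=False):
    """acls maps an ingress interface to its inbound ACEs; unbound interfaces use the level rule."""
    if in_if in acls:
        return acl_permits(acls[in_if], proto, src_ip, dst_ip, dst_port)
    return level_rule_permits(in_if, out_if, same_security_inter)

# Constructed sample: the page's three ACCESS_DMZ entries, assumed bound inbound on outside.
PAGE_ACL = [
    "access-list ACCESS_DMZ extended permit tcp any host 192.168.3.1 eq www",
    "access-list ACCESS_DMZ extended permit tcp any host 192.168.3.1 eq 3389",
    "access-list ACCESS_DMZ extended permit tcp any host 192.168.3.2 eq ftp",
]
ACLS = {"outside": parse_acl(PAGE_ACL, "ACCESS_DMZ")}
```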

10. Configure the default route:

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 200.200.200.1 1

(The trailing 1 is the administrative distance. The next hop must be the upstream router's address on 200.200.200.0/24; as written it equals the ASA's own outside address from step 1, so the router's address has to be used instead.)

11. Configure the ASA to talk to the CA server and obtain a certificate. Only some of the steps on the ASA are introduced:

Create the RSA key:
ciscoasa(config)# crypto key generate rsa modulus 1024

Define the CA information:
ciscoasa# configure terminal
ciscoasa(config)# crypto ca trustpoint CISCO
ciscoasa(ca-trustpoint)# enrollment url http://209.165.202.130/certsrv/mscep/mscep.dll
ciscoasa(ca-trustpoint)# enrollment retry count 3
ciscoasa(ca-trustpoint)# enrollment retry period 5
ciscoasa(ca-trustpoint)# fqdn Ciscoasa.securemeinc.com
ciscoasa(ca-trustpoint)# exit
ciscoasa(config)# exit
ciscoasa#

Authenticate with the CA (download and verify the CA certificate):
ciscoasa(config)# crypto ca authenticate CISCO

Enroll with the CA:
ciscoasa(config)# crypto ca enroll CISCO

The fingerprint shown when authenticating the CA should be confirmed with the CA administrator out of band before accepting it; otherwise the enrolment trusts whatever answers at the enrollment URL.

Some configuration related to traffic security:

1. Limit the number of connections to mitigate DDoS:

ciscoasa(config)# class-map tcp_syn
ciscoasa(config-cmap)# match port tcp eq 80
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map tcpmap
ciscoasa(config-pmap)# class tcp_syn
ciscoasa(config-pmap-c)# set connection conn-max 100
ciscoasa(config-pmap-c)# set connection embryonic-conn-max 200
ciscoasa(config-pmap-c)# set connection per-client-embryonic-max 10
ciscoasa(config-pmap-c)# set connection per-client-max 5
ciscoasa(config-pmap-c)# set connection random-sequence-number enable
ciscoasa(config-pmap-c)# set connection timeout embryonic 0:0:45
ciscoasa(config-pmap-c)# set connection timeout half-closed 0:25:0
ciscoasa(config-pmap-c)# set connection timeout tcp 2:0:0
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# service-policy tcpmap global

Two points to keep in mind: the ASA allows only one global service policy, and global_policy exists by default, so the class must either be added to that policy or the default one removed first; and when an embryonic limit is reached the ASA intercepts further SYNs and completes the handshake on the server's behalf (TCP intercept) rather than dropping them. A limit value of 0 means no limit.
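How the four connection limits in the policy above interact, as an added Python model (not page or Cisco code) that replays a constructed stream of half-open connections against them. It simplifies one thing on purpose: the model refuses a SYN once a limit is hit, whereas the real ASA answers embryonic-limit overflow with TCP intercept.

```python
from collections import Counter

# Limits from the page's policy-map tcpmap, class tcp_syn (TCP port 80).
# On the ASA a limit of 0 means "no limit"; the model honours that convention.
LIMITS = {
    "conn-max": 100,
    "embryonic-conn-max": 200,
    "per-client-embryonic-max": 10,
    "per-client-max": 5,
}

def _exceeded(current, limit):
    """True when a non-zero limit is already used up by `current` connections."""
    return limit != 0 and current >= limit

def admit_syn(client_ip, conns, limits=LIMITS):
    """Decide whether a new SYN from client_ip may open another connection.

    `conns` is the class's connection table as (client_ip, state) tuples with
    state "embryonic" (half-open) or "established". Returns (admitted, limit name).
    Simplification: a real ASA proxies the handshake (TCP intercept) when the
    embryonic limits overflow instead of refusing outright.
    """
    embryonic = [ip for ip, state in conns if state == "embryonic"]
    checks = [
        ("conn-max", len(conns)),
        ("embryonic-conn-max", len(embryonic)),
        ("per-client-max", Counter(ip for ip, _ in conns)[client_ip]),
        ("per-client-embryonic-max", Counter(embryonic)[client_ip]),
    ]
    for name, current in checks:
        if _exceeded(current, limits[name]):
            return False, name
    return True, "ok"

def replay_syn_flood(source_ip, count, conns=None, limits=LIMITS):
    """Send `count` SYNs from one source that never complete the handshake.

    Returns (admitted, limit): how many half-open connections the policy let
    the client build up and which limit finally stopped it ("ok" if none did).
    """
    conns = list(conns or [])
    admitted, stopped_by = 0, "ok"
    for _ in range(count):
        ok, reason = admit_syn(source_ip, conns, limits)
        if not ok:
            stopped_by = reason
            break
        conns.append((source_ip, "embryonic"))
        admitted += 1
    return admitted, stopped_by
```

With the page's values, per-client-max 5 is the limit a single source hits first, so per-client-embryonic-max 10 never comes into play for one client.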

2. Protect against IP spoofing:

ciscoasa(config)# ip verify reverse-path interface outside

This drops packets arriving on outside whose source address, according to the routing table, would be reached through a different interface (for example a source in the inside range 192.168.1.0/24).
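The reverse-path check above, as an added Python model (not page or Cisco code). The routing table is constructed from the page's three interface networks plus its default route; the check is modelled as enabled on outside only, matching the command.

```python
import ipaddress

# Constructed routing table modelled on the page: the connected networks of
# the three interfaces plus the default route through "outside".
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "inside"),
    (ipaddress.ip_network("30.30.30.0/24"), "DMZ"),
    (ipaddress.ip_network("200.200.200.0/24"), "outside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]

def egress_interface(ip, routes=ROUTES):
    """Longest-prefix match: the interface the ASA would use to reach `ip`."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_check(ingress_if, src_ip, rpf_interfaces=("outside",), routes=ROUTES):
    """True if the packet is accepted, False if reverse-path verification drops it.

    The check runs only on interfaces where "ip verify reverse-path" is
    configured; a packet passes when the route back to its source address
    leaves through the interface the packet arrived on.
    """
    if ingress_if not in rpf_interfaces:
        return True
    return egress_interface(src_ip, routes) == ingress_if
```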

3. Detect potential threats (Basic Threat Detection feature in ASA 8.x):
ciscoasa# show threat-detection rate

(Basic threat detection is on by default through threat-detection basic-threat; the command above displays the drop-rate statistics it collects.)

Some configuration steps on the ISA Server 2006 firewall: