Security toàn tập, version 1.1, 2012 (cd4pro.info)

TOCBATDAT SECURITY TOÀN TẬP. Security toàn tập, Version 1.2, 2012. Copyright by Tocbatdat. CD4pro.info (www.CD4pro.info)

Upload: tung-nguyen

Post on 09-Aug-2015


Security Documentation, Version 1, 2012

7, 2012

CHANGE LOG
Version: 1
Date updated: 7/2012
Updated by: Hoàng Tuấn Đạt
Note: First Release


Table of contents

I. PURPOSE AND SCOPE OF THE DOCUMENT
  1. Purpose of the document
  2. Scope of the document

II. NETWORK SECURITY OVERVIEW
  1. Basic concepts of information security
  2. Basic network systems
    a. The OSI network model
    b. The TCP/IP network model
    c. Comparing the TCP/IP and OSI models
    d. Structure of IP, TCP, UDP and ICMP packets
    e. Some commonly used ports
    f. Using a sniffer to analyze IP, ICMP, UDP and TCP packets
    g. Analyzing individual packets and whole connection sessions
  3. Access control concepts (Access Controls)
    a. Access Control Systems
    b. Principles for setting up access control
    c. Types of access controls
  4. Authentication concepts
    a. Factors used to identify and authenticate users
    b. Authentication methods
  5. Authorization
    a. Authorization basics
    b. Authorization methods
  6. Accounting concepts
  7. The CIA security triad
    a. Confidentiality
    b. Integrity
    c. Availability
  8. Basic cryptography
    a. Basic concepts of cryptography
    b. Hash functions
    c. Symmetric encryption
    d. Asymmetric encryption
    e. Overview of PKI
    f. Lab: encrypting and decrypting with cryptography tools
  9. Basic concepts of network attacks
    a. Basic steps of an attack
    b. Some security concepts
    c. Basic attack methods
    d. Targets of the different types of attack

III. INFRASTRUCTURE SECURITY
  1. Solutions and roadmap for building network infrastructure security
  3. Designing a secure network model
  4. Routers and switches
    a. Functions of a router
    b. Functions of a switch
    c. Security on switches
    d. Security on routers
    e. Configuring security on a router
  5. Firewalls and proxies
    a. The firewall concept
    b. Functions of a firewall
    c. How a firewall works
    d. Types of firewall
    e. Firewall design within the network model
  6. Configuring the IPtable firewall on Linux
  7. Installing and configuring SQUID as a proxy server
    a. Linux SQUID Proxy Server
    b. Installation
    c. Configuring Squid
    d. Starting Squid
  8. Deploying a VPN on OpenVPN
    a. Overview of OpenVPN
    b. Deploying OpenVPN with SSL on Ubuntu Linux
  9. Using a VPN to protect a Wifi system
    a. Wifi security methods
    b. Configuring the Access Point and VPN Server 2003
    c. Creating VPN connections from devices that connect over Wifi
  10. Intrusion detection and prevention systems (IDS/IPS)
    a. Principles of packet analysis
    a. Installing and configuring Snort as an IDS/IPS
  11. Installing and configuring Sourcefire IPS
    a. Features of the Sourcefire IPS system
    b. Typical deployment model for an IDS/IPS system
    c. How the Sourcefire IDS/IPS system works
    d. Setting the administrative parameters for Sourcefire devices
    e. Upgrading Sourcefire devices
    f. Configuring system settings
    g. Setting up centralized management for Sourcefire devices
    h. Configuring Interface Sets and the Detection Engine
    i. Managing and setting policies for the IPS
    j. Analyzing IPS events
  12. Endpoint Security
    a. The Kaspersky Open Space Security (KOSS) solution
    b. Features of the Kaspersky Endpoint Security package
    c. Lab: installing KSC and Endpoint Security on workstations
  13. Data Loss Prevent
  14. Network Access Control
  15. Operating system security
    a. Securing the Windows operating system
    b. Lab: using IPsec Policy to protect some applications on Windows
    c. Protecting the Linux operating system
  16. Network security policy
    a. Requirements for building a network security policy
    b. Overall process for building a general policy
    c. The ISMS
    d. ISO 27000 Series

IV. APPLICATION SECURITY
  1. Securing the DNS application
    a. Using a DNS Forwarder
    b. Using a caching DNS server
    c. Using a DNS Advertiser
    d. Using a DNS Resolver
    e. Protecting the DNS cache
    f. Securing connections with DDNS
    g. Disabling Zone Transfer
    h. Using a firewall to control DNS access
    i. Setting access control on the DNS Registry entries
    j. Setting access control on the DNS system files
  2. Securing Web applications
    a. Introduction
    b. Vulnerabilities in Web services
    c. Exploiting operating-system-level vulnerabilities and securing the Web server
    d. Exploiting vulnerabilities in a Web Service
    e. Exploiting the DoS vulnerability in Apache 2.0.x-2.0.64 and 2.2.x-2.2.19
    f. Exploiting vulnerabilities in a Web Application
  3. Mail server security
    a. Overview of SMTP, POP and IMAP
    b. Risks of attack when using e-mail
  4. Remote access security
  5. The buffer overflow vulnerability and how to defend against it
    a. Theory
    b. Technical description
    c. Basic example
    d. Stack buffer overflow
    e. Example source code
    f. Exploitation
    g. Preventing buffer overflows
    h. Lab

V. DATA SECURITY
  1. Database security
    a. Violations of database security
    b. Levels of database security
    c. Privileges when using a database system
    d. Views as a protection mechanism
    e. Granting access rights
    f. Audit trails
  2. Statistical monitoring of databases
  3. Database security methods

VI. NETWORK ASSESSMENT AND ANALYSIS TOOLS

  1. Scanning for open ports
    a. Principles of TCP/IP communication
    b. Principles of port scanning a system
    c. Port scanning with Nmap
  2. Scanning for security vulnerabilities in the OS
    a. Using Nmap to scan for OS security vulnerabilities
    b. Using Nessus to scan for OS security vulnerabilities
    c. Using GFI to scan for OS security vulnerabilities
  3. Scanning for security vulnerabilities on the Web
    a. Using Acunetix to scan for Web security vulnerabilities
    b. Lab: using IBM App Scan to scan for Web security vulnerabilities
  4. Packet analysis and eavesdropping on the network
    a. The nature of a sniffer
    b. A professional data analysis model for enterprises
    c. Hub environments
    d. Sniffing techniques in switched environments
    e. Sniffing model using tools that support ARP attacks
  5. The Metasploit exploitation tool
    a. Overview of Metasploit
    b. Using the Metasploit Framework
    c. Conclusion
  6. Using Wireshark and Colasoft to analyze packets
    d. Using Wireshark to analyze packets and network traffic
    e. Using Colasoft to analyze network traffic

VII. CONCLUSION


Table of terms used in this document (columns: No., Term, Full form, Notes)

1. ATTT: An toàn thông tin (information security)
2. Security: Bảo mật (security)


I. PURPOSE AND SCOPE OF THE DOCUMENT

1. Purpose of the document

This is training material on information security for the network operations and administration staff of ABC. It gives trainees the full set of concepts, system models, configurations for deploying solutions, risk management and much other knowledge about information security.

2. Scope of the document

This document was written specifically for the information security course for the staff of ABC.


II. NETWORK SECURITY OVERVIEW

1. Basic concepts of information security
2. Basic network systems
3. Access control concepts (Access Controls)
4. Authentication concepts
5. Authorization
6. Accounting concepts
7. The CIA security triad
8. Basic cryptography
9. Basic concepts of network attacks


1. Basic concepts of information security

Several large organizations around the world have defined security, or information security, as follows:

- Security, or information security, is the degree to which information is protected against the threats of information being disclosed, information no longer being intact, and information not being available.
- Security, or information security, is the degree of protection against information security risks such as danger, damage, loss and other crimes. Security is the form and degree of information protection, including the structure and the processes used to improve security.
- The Institute for Security and Open Methodologies defines security as a form of protection in which resources are kept separate from threats.

2. Basic network systems

a. The OSI network model

When an application or service runs to meet users' needs to exchange information, the network operates so that the exchange takes place according to its own set of rules. Looking at a network cable or at wireless devices, a person cannot see the rules by which that information is transmitted. To make those rules and principles easy to understand, in support of research, application development and network troubleshooting, the international standards body uses the OSI model as an ISO standard.

The OSI model (Open Systems Interconnection Reference Model, abbreviated to OSI Model or OSI Reference Model) is a design based on the principle of layering. It gives an abstract account of how communication between computers is connected and of how network protocols between them are designed. The model was developed as part of the Open Systems Interconnection plan initiated by ISO and ITU-T. It is also called the OSI seven-layer model. (Source: Wikipedia.)


Purpose of the OSI model:

The OSI model divides the functions of a protocol into a series of layers. Each layer has the property that it uses only the functions of the layer below it, and allows only the layer above it to use its own functions. A system that implements protocols made up of such a series of layers is called a "protocol stack". A protocol stack can be implemented in hardware, in software, or in a combination of the two. Usually only the lower layers are implemented in hardware, while the other layers are implemented in software.

The OSI model is only loosely followed by the networking and information technology industry. Its main feature is that it specifies the interfaces between layers, that is, it specifies how the layers communicate with one another. This means that even if the layers are written and designed by different manufacturers or companies, once they are assembled they will work together smoothly (assuming the specifications have been understood correctly). In the TCP/IP community these specifications are usually known as RFCs (Requests for Comments). In the OSI community they are ISO standards.

The implementation of a protocol is usually arranged in layers, in the same way as the protocol's specification, but there are exceptions, known as the "fast path". In a fast-path design, the most common transactions the system allows are implemented as a single component in which the functions of several layers are merged into one.

Dividing the functions of a protocol sensibly makes it easier to reason about the function and behaviour of protocol stacks, which in turn makes it possible to design protocol stacks that are detailed yet highly reliable. Each layer performs and provides services to the layer directly above it, and requires services from the layer directly below it. As noted above, an implementation that comprises several layers of the OSI model is usually called a "protocol stack" (for example the TCP/IP protocol stack).

The OSI reference model is a hierarchical structure of 7 layers that defines the requirements for communication between two computers. The model was defined by the International Organization for Standardization in standard number 7498-1 (ISO standard 7498-1). The purpose of the model is to allow interoperability between the varied platforms supplied by different manufacturers. The model allows all the components of a network to work together, regardless of who built each component. In the late 1980s, ISO recommended implementing the OSI model as a networking standard.

At that time TCP/IP had already been in widespread use for many years. TCP/IP is the foundation of ARPANET and of the other networks that evolved into the Internet. (See RFC 871 for the main differences between TCP/IP and ARPANET.)

Today only part of the OSI model is in use. Many people believe that most of the OSI specifications are too complex and that implementing all of their functions would take too long, even though the OSI model has many enthusiastic supporters.

Details of the layers of the OSI model:

Layer 1: Physical layer

The physical layer defines all the electrical and physical specifications for devices. These include the layout of pins, the voltages, and the cable specifications. Physical-layer devices include hubs, repeaters, network adapters and Host Bus Adapters (HBAs, used in Storage Area Networks). The basic functions and services performed by the physical layer include:

- Establishing or terminating an electrical connection to a transmission medium.
- Taking part in the process by which communication resources are shared efficiently among many users, for example resolving contention and controlling flow.
- Modulation, or conversion between the representation of digital data in user equipment and the corresponding signals transmitted over a communication channel.

The parallel SCSI bus operates at this layer. The various Ethernet standards for the physical layer also belong to this layer; Ethernet merges the physical layer and the data link layer into one. The same is true of local area networks such as Token ring, FDDI and IEEE 802.11.

Layer 2: Data link layer

The data link layer provides the functional and procedural means to transfer data between network entities, and to detect and possibly correct errors that occur in the physical layer. Addressing is physical, meaning that the address (the MAC address) is hard-coded into network cards when they are manufactured. This addressing scheme is flat, with no hierarchy. Note: the most typical example is Ethernet. Other examples of data link protocols are HDLC and ADCCP for point-to-point or packet-switched networks, and Aloha for local area networks. In local area networks that follow the IEEE 802 standards, and in some networks that follow other standards such as FDDI, the data link layer can be divided into 2 sublayers: the MAC (Media Access Control) sublayer and the LLC (Logical Link Control) sublayer, according to the IEEE 802.2 standard.

The data link layer is where bridges and switches operate. Connectivity is provided only between network nodes that are attached to one another within the local network. However, there is a fairly reasonable argument that these devices really belong to layer 2.5 rather than entirely to layer 2.


Layer 3: Network layer

The network layer provides the functions and procedures for transferring variable-length data sequences from a source to a destination across one or more networks, while maintaining the quality of service that the transport layer requires. The network layer performs routing. Routers operate at this layer, sending data across the extended network and making internetworking possible (there are also layer 3 switches, also called IP switches). This is a logical addressing scheme in which the values are chosen by the network engineer. The scheme is hierarchical. The typical example of a layer 3 protocol is IP.

Layer 4: Transport layer

The transport layer provides a dedicated service for transferring data between end users, so that the upper layers do not have to concern themselves with providing reliable and efficient data transfer. The transport layer controls the reliability of a given connection. Some protocols are state and connection oriented, which means the transport layer can keep track of packets and retransmit those that fail. A typical example of a layer 4 protocol is TCP. This layer is where messages are converted into TCP or UDP packets. At layer 4, addresses take the form of port numbers, and the port number identifies which application is communicating.


Layer 5: Session layer

The session layer controls the dialogues (sessions) between computers. It establishes, manages and terminates the connections between the local application and the remote application. It also supports duplex, half-duplex or simplex (single) operation, and sets up procedures for checkpointing (which makes recovery of communication faster when an error occurs, because the points already completed have been marked), adjournment, termination and restart. The OSI model makes this layer responsible for the "graceful close" of sessions (a property of the transport control protocol TCP) and for session checking and recovery, a part that is usually not used in the TCP/IP protocol suite.


Layer 6: Presentation Layer
The presentation layer acts as the data layer on the network. On the sending computer it translates the data sent from the Application layer into a common format. On the receiving computer it converts the common format back into the format of the Application layer. The presentation layer performs the following functions:
- Translating character codes from ASCII to EBCDIC.
- Converting data, for example from integers to floating-point numbers.
- Compressing data to reduce the amount of data sent over the network.
- Encrypting and decrypting data to ensure security on the network.

Layer 7: Application Layer
The application layer is the layer closest to the user. It gives users the means to access information and data on the network through an application program. This layer is the main interface through which users interact with the application and, through it, with the network. Some examples of applications at this layer are Telnet, the file transfer protocol FTP, the e-mail transfer protocol SMTP, HTTP, X.400 Mail remote

An easy-to-follow picture of the OSI model alongside real-world forms of information exchange:


b. The TCP/IP network model


TCP/IP (in English: Internet protocol suite, IP suite or TCP/IP protocol suite) is a set of communication protocols implementing the protocol stack on which the Internet and most commercial computer networks run. The suite is named after its two main protocols, TCP (Transmission Control Protocol) and IP (Internet Protocol), which were also the first two protocols to be defined. Like many other protocol suites, TCP/IP can be viewed as a set of layers. Each layer solves a set of problems related to the transmission of data and offers the protocols of the layer above a well-defined service built on the services of the lower layers. Logically, the upper layers are closer to the user and work with more abstract data; they rely on the lower-layer protocols to transform data into forms that can finally be transmitted physically.


The OSI model describes a fixed set of 7 layers that some vendors have adopted, and it can be loosely compared with the TCP/IP protocol suite. This comparison can cause confusion, or it can give a deeper understanding of the TCP/IP suite.

Application layer:
Includes the applications: DNS, TFTP, TLS/SSL, FTP, HTTP, IMAP, IRC, NNTP, POP3, SIP, SMTP, SNMP, SSH, TELNET, ECHO, BitTorrent, RTP, PNRP, rlogin, ENRP, ...
Routing protocols such as BGP and RIP, which for various reasons run over TCP and UDP respectively (BGP uses TCP, RIP uses UDP), can also be considered part of the application layer or of the network layer.

Transport layer:
Includes the protocols: TCP, UDP, DCCP, SCTP, IL, RUDP, ...
Routing protocols such as OSPF (Open Shortest Path First), which run over IP, can also be considered part of the transport layer or of the network layer. ICMP (Internet Control Message Protocol) and IGMP (Internet Group Management Protocol) run over IP and can be considered part of the network layer.

Network layer:
Protocol: IP (IPv4, IPv6)
ARP (Address Resolution Protocol) and RARP (Reverse Address Resolution Protocol) operate below IP but above the link layer, so they can be said to sit in between the two layers.

Link layer:
Includes the protocols: Ethernet, Wi-Fi, Token ring, PPP, SLIP, FDDI, ATM, Frame Relay, SMDS, ...

c. Comparing the TCP/IP and OSI models
The TCP/IP model is simpler than the OSI model but still represents the process of communication over a network. The TCP/IP model is divided into 4 layers.

OSI Model            TCP/IP Model
7. Application       4. Application
6. Presentation
5. Session
4. Transport         3. Transport
3. Network           2. Internet
2. Data Link         1. Network Access
1. Physical

d. Structure of IP, TCP, UDP and ICMP packets
For security research you need a clear understanding of packet structure at each layer in order to read and analyze packets.


Encapsulation of information at each layer of the TCP/IP model


Structure of an IPv4 packet
This is the structure of an IPv4 packet, made up of a Header and Data. The Header is 160 or 192 bits and the rest is Data. The address field is 32 bits.

Structure of an IPv6 packet:
An IPv6 packet is also made up of a Header and Data. The Header is 40 octets (320 bits), in which an IPv6 address is 128 bits.


Structure of a TCP packet:
A TCP packet is made up of a Header and Data. The Header is 192 bits.

Three steps to open a TCP connection:
+ Step I: The Client sends the Server a SYN packet
+ Step II: The Server replies to the Client with a SYN/ACK packet
+ Step III: When the Client receives the SYN/ACK packet it sends an ACK packet back to the Server, and the exchange of information between the two machines begins.

Four steps to close a TCP connection:
+ Step I: The Client sends the Server a FIN ACK packet
+ Step II: The Server sends the Client an ACK packet
+ Step III: The Server then sends the Client a FIN ACK packet
+ Step IV: The Client sends the Server an ACK packet, and the connection between Server and Client is torn down.

Structure of a UDP packet:
A UDP packet is made up of a Header and Data, and the Header is 64 bits.


Structure of an ICMP packet
- Type (8 bits) [8 bits used to identify the ICMP type]
- Code (8 bits) [each Type has its own specific codes describing that form]
- Checksum (16 bits) [the checksum is 16 bits]
- Message (variable length) [depends on type and code]
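To see the fields described in this section in actual bytes, the following added example (not part of the original document) parses an IPv4 header and then the TCP, UDP or ICMP header behind it, reading the header lengths from the IHL and data-offset fields and verifying the Internet checksum. The function names and the sample packets are constructed for illustration; the addresses come from documentation ranges.

```python
import socket
import struct

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def inet_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_tcp(seg: bytes) -> dict:
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win = struct.unpack("!HHIIHH", seg[:16])
    return {"proto": "TCP", "sport": sport, "dport": dport, "seq": seq,
            "ack": ack, "header_len": (off_flags >> 12) * 4,
            "flags": [name for bit, name in TCP_FLAGS if off_flags & bit]}


def parse_udp(dgram: bytes) -> dict:
    if len(dgram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", dgram[:8])
    return {"proto": "UDP", "sport": sport, "dport": dport, "length": length}


def parse_icmp(msg: bytes) -> dict:
    if len(msg) < 4:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _csum = struct.unpack("!BBH", msg[:4])
    # A message with a valid checksum sums to zero when the field is included.
    return {"proto": "ICMP", "type": icmp_type, "code": code,
            "checksum_ok": inet_checksum(msg) == 0, "message": msg[4:]}


L4_PARSERS = {1: parse_icmp, 6: parse_tcp, 17: parse_udp}


def dissect(packet: bytes) -> dict:
    """Parse the IPv4 header, then hand the payload to the layer-4 parser."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20 or len(packet) < header_len:
        raise ValueError("not a well-formed IPv4 packet")
    result = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
              "ttl": ttl, "header_len": header_len,
              "header_checksum_ok": inet_checksum(packet[:header_len]) == 0}
    parser = L4_PARSERS.get(proto)
    result["l4"] = parser(packet[header_len:total_len]) if parser else None
    return result


# ---- constructed sample packets (not captured traffic) ----
def _ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def _tcp(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    # TCP checksum left at 0: this example does not verify it.
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, 65535, 0, 0)


def sample_handshake() -> list:
    """The three packets that open a TCP connection: SYN, SYN/ACK, ACK."""
    client, server = "192.0.2.10", "198.51.100.5"
    return [_ipv4(6, client, server, _tcp(49152, 443, 1000, 0, 0x02)),
            _ipv4(6, server, client, _tcp(443, 49152, 5000, 1001, 0x12)),
            _ipv4(6, client, server, _tcp(49152, 443, 1001, 5001, 0x10))]


def sample_ping() -> bytes:
    """ICMP echo request: Type 8, Code 0, then identifier, sequence, data."""
    body = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ping"
    msg = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return _ipv4(1, "192.0.2.10", "198.51.100.5", msg)


if __name__ == "__main__":
    for pkt in sample_handshake() + [sample_ping()]:
        print(dissect(pkt))
```

Flipping a single byte of the ICMP message makes `checksum_ok` false, which is the same check a sniffer performs when it marks a packet as damaged.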

e. Some commonly used ports
So that several services can communicate over one connection at the same time, each service uses a specific port. When studying security you should also know the ports that are used most often:

Protocol          Port
FTP               20/21
SSH               22
Telnet            23
SMTP              25
DNS               53
TFTP              69
HTTP              80
POP3              110
SNMP              161/162
HTTPS             443
SMB               445
NetBIOS           135,137,139
VPN               1723,500
Remote Desktop    3389


f. Using a sniffer to analyze IP, ICMP, UDP and TCP packets
Practice: install Wireshark and Colasoft for the analysis

g. Analyzing individual packets and a whole connection session
Practice: install Wireshark and Colasoft for the analysis


3. The concept of access control (Access Controls)
Before being granted any authority, everyone accesses the system with the rights of the Anonymous user. Once a user has been authenticated (Authentication), the system grants them the authority to use resources (Authorization), and the user's whole access process is monitored and recorded (Accounting).

a. Access Control Systems
Resources may be accessed only by authenticated individuals. Managing a user's access to resources goes through these steps:
- Identification: the process of identifying the user; the user supplies information to the system so that it can identify them.
- Authentication: the step that authenticates the user; the user supplies information confirming their identity and the system verifies it using one of several methods.
- Authorization: the authority to access resources, granted to the user by the system after Authentication.
- Accounting: the system monitors and keeps statistics on the user's access to resource areas.

Every access control system must have three basic elements:
- Subjects: all the entities to which access rights can be assigned. These can be thought of as the Users/Groups in the system.
- Objects: the resources that are used.
- Access Permissions: used to assign rights on Objects to Subjects. (For example, a User is a Subject, a folder is an Object, and a Permission is the right assigned to the User to access the Folder.)

The table of Access Permissions for one object is called an Access Control List (ACL); the ACLs of the whole system are recorded in the table of Access Control Entries (ACEs).


b. Principles for setting up Access Control
Whoever works on security policy must define principles for administering system resources that ensure the best protection for the resources while still letting users do their work. These principles are:
- Principle of Least Privilege: users (Subjects) are assigned the minimum permissions on resources (Objects) that still allow them to do their work.
- Principle of Separation of Duties and Responsibilities: important systems must be divided into separate components so that control rights can be assigned sensibly.
- Principle of Need to Know: users access only the resource areas they need, and know about those resources only as far as their work requires.


c. Types of Access Controls
Resources come in many forms and users fall into many groups, so we need to choose the appropriate type of access control for the data.


- Mandatory Access Control (MAC)
+ A control method that relies on a rule base to assign access rights to entities.
+ Rights are assigned according to the division of resources into different classes (classification of resources).
+ This access control method is usually applied in government organizations and companies.
+ Example: in a beer manufacturer, the resource areas are divided into Public (website), Private (accounting data) and Confidential (brewing recipe). Each resource area has its own set of entities that are allowed access, and this kind of access control is Mandatory Access Control.


- Discretionary Access Control (DAC)
+ Users (Subjects) are controlled through ACLs.
+ Access to data can be divided into different levels (for example NTFS Permissions, where rights are assigned to a User/Group at levels such as Full control, Modify, Read).
+ An Access Control List can be used when assigning Permissions on resources, or on a router or firewall. Using ACLs is the Discretionary Access Control method.

The Access Control List table of NTFS Permissions


- Role-Based Access Control
+ The administrator assigns rights to users according to their role. A user's rights can be the tasks the user is allowed to carry out on the system.
+ For example, the administrator can assign a User rights such as Shutdown, change network settings, remote desktop, backup and other rights according to the user's role.
+ In Microsoft Windows this access control method can be understood as assigning User Rights.
+ Example of setting a User Right on a Microsoft system.
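The three models above answer different questions, which the following added example (not part of the original document) makes concrete by reusing the brewery classification levels and the NTFS permission levels from the text. The class names, role names and sample users are hypothetical; the point shown is that a discretionary ACL entry granted by an owner cannot override a mandatory label.

```python
from dataclasses import dataclass, field

# MAC: classification levels from the brewery example, lowest to highest.
LEVELS = {"Public": 0, "Private": 1, "Confidential": 2}

# DAC: NTFS-style permission levels mapped to the actions each one allows.
NTFS_LEVELS = {
    "Read": {"read"},
    "Modify": {"read", "write", "delete"},
    "Full control": {"read", "write", "delete", "change_acl"},
}

# RBAC: hypothetical roles mapped to system-wide user rights.
ROLE_RIGHTS = {
    "backup-operator": {"backup"},
    "network-admin": {"change network settings", "remote desktop"},
    "server-admin": {"shutdown", "backup", "remote desktop"},
}


@dataclass
class Subject:
    name: str
    clearance: str = "Public"
    groups: tuple = ()
    roles: tuple = ()


@dataclass
class Resource:
    name: str
    label: str                                  # set by policy, not by the owner
    owner: str
    acl: dict = field(default_factory=dict)     # principal -> NTFS level


def mac_allows(subject, resource):
    """Mandatory rule: the clearance must dominate the resource label."""
    return LEVELS[subject.clearance] >= LEVELS[resource.label]


def dac_allows(subject, resource, action):
    """Discretionary rule: any ACL entry for the user or one of their groups."""
    for principal in (subject.name, *subject.groups):
        level = resource.acl.get(principal)
        if level is not None and action in NTFS_LEVELS[level]:
            return True
    return False


def grant(actor, resource, principal, level):
    """Only the owner or a holder of Full control may edit the ACL."""
    if actor.name != resource.owner and not dac_allows(actor, resource, "change_acl"):
        raise PermissionError(f"{actor.name} may not change the ACL of {resource.name}")
    if level not in NTFS_LEVELS:
        raise ValueError(f"unknown permission level: {level}")
    resource.acl[principal] = level


def can_access(subject, resource, action):
    """MAC is evaluated first; an ACL entry can never override the label."""
    return mac_allows(subject, resource) and dac_allows(subject, resource, action)


def has_right(subject, right):
    """RBAC: rights come from roles, never from per-user entries."""
    return any(right in ROLE_RIGHTS.get(role, ()) for role in subject.roles)


def demo():
    brewer = Subject("brewer", clearance="Confidential", groups=("Production",))
    intern = Subject("intern", clearance="Public", roles=("backup-operator",))
    recipe = Resource("recipe.docx", label="Confidential", owner="brewer")
    site = Resource("index.html", label="Public", owner="brewer")
    grant(brewer, recipe, "Production", "Modify")
    grant(brewer, recipe, "intern", "Read")     # discretionary grant by the owner
    grant(brewer, site, "intern", "Read")
    return {
        "brewer_write_recipe": can_access(brewer, recipe, "write"),
        "intern_acl_says_read": dac_allows(intern, recipe, "read"),
        "intern_read_recipe": can_access(intern, recipe, "read"),
        "intern_read_site": can_access(intern, site, "read"),
        "intern_backup": has_right(intern, "backup"),
        "intern_shutdown": has_right(intern, "shutdown"),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {allowed}")
```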


In addition, Access Control can be divided into two forms:

Centralized Access Control (CAC)
Authentication and authorization are carried out centrally for the whole system. Three centralized access control methods are commonly used:
+ Remote Authentication Dial-In User Service (RADIUS)
+ Terminal Access Control Access System (TACACS)
+ Active Directory

Decentralized Access Control Systems (DACS)
A control method that combines several different centralized (CAC) systems within one organization, integrated into different systems regardless of hardware and software.

Based on the kind of action taken on the system, Access Control can also be divided into these categories:
+ Administrative Controls

4. The concept of Authentication

a. Factors used to identify and authenticate users
User authentication methods are based on these basic factors:
- Something you KNOW: based on something you know (e.g. user/pass)
- Something you HAVE: based on something you have (e.g. to withdraw cash from an ATM you must have the card)
- Something you ARE: based on something you are (e.g. fingerprint, voice)

b. Authentication methods
In practice there are quite a few user authentication methods in IT, and each form of authentication may suit one or more different services. Below I present some authentication methods that are commonly used in IT.

- PAP - Password Authentication Protocol
PAP is used by remote users who need to authenticate over PPP connections. PAP provides the ability to identify and authenticate users when they connect from a remote system. This protocol requires the user to enter a password before being authenticated. The Username and Password are sent over the network after the PPP connection is established. The authentication server holds the authentication data, and what the user enters is sent to this server. The entire Username/Password is sent over the network completely unencrypted (cleartext).

- CHAP - Challenge Handshake Authentication Protocol
CHAP is an authentication method created to overcome the weaknesses and vulnerabilities of PAP. CHAP uses a challenge/response method to authenticate the user. When a user wants to establish a PPP connection, both sides must agree to use CHAP authentication. The challenge is encrypted using the password and an encryption key. The operation of CHAP is described in the model below:
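The difference between the two protocols is easiest to see in what an eavesdropper on the link would capture. The following added example (not part of the original document) builds the PAP request data as defined in RFC 1334 and a CHAP exchange with MD5 as defined in RFC 1994, where the response is the MD5 hash of the identifier, the shared secret and the challenge. The class name, user name and secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def pap_authenticate_request(username: str, password: str) -> bytes:
    """Data of a PAP Authenticate-Request: length-prefixed cleartext fields."""
    user, pwd = username.encode(), password.encode()
    return bytes([len(user)]) + user + bytes([len(pwd)]) + pwd


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): hash of identifier, shared secret, challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues one-time challenges and checks the responses."""

    def __init__(self, secrets: dict):
        self._secrets = secrets          # username -> shared secret (bytes)
        self._pending = {}               # identifier -> outstanding challenge
        self._next_id = 0

    def new_challenge(self):
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256    # one-octet field
        challenge = os.urandom(16)                    # unpredictable each time
        self._pending[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        challenge = self._pending.pop(identifier, None)   # single use
        secret = self._secrets.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def demo():
    secret = b"constructed-shared-secret"      # sample value, constructed
    server = ChapAuthenticator({"alice": secret})

    # What a sniffer sees with PAP: the password itself.
    pap_wire = pap_authenticate_request("alice", secret.decode())

    # What a sniffer sees with CHAP: identifier, challenge and a hash.
    ident, challenge = server.new_challenge()
    response = chap_response(ident, secret, challenge)
    chap_wire = bytes([ident]) + challenge + response
    first_login = server.verify(ident, "alice", response)

    # Replaying the captured response against a fresh challenge fails.
    ident2, _challenge2 = server.new_challenge()
    replayed = server.verify(ident2, "alice", response)

    return {"secret_in_pap": secret in pap_wire,
            "secret_in_chap": secret in chap_wire,
            "first_login": first_login,
            "replay_accepted": replayed}


if __name__ == "__main__":
    print(demo())
```

A captured challenge and response still let someone test password guesses offline, so the shared secret has to be long and random for CHAP to hold up.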


- Kerberos
An authentication method in which the User/Password is not sent over the network. (For example, Microsoft's Active Directory uses Kerberos authentication.) Kerberos authentication can be described like going to the cinema:
+ First the user must have an authorized User/Password (to see a film you must have money)
+ The user requests a service (the viewer wants to see a film showing at a particular time)
+ The user presents their credentials to the authenticator (hands over money to buy a ticket)
+ The KDC server issues the user the authority to access the service (the box office hands the ticket to the buyer)
+ The user takes the issued authority to the service server (the viewer takes the ticket to the screening room for the ticket inspector to check).

The steps of Kerberos can be described as follows:


- Multi factor
Authentication based on several factors. For example, to use a bank's ATM service you need the bank card plus the PIN (that is authentication based on 2 factors). In addition, some services combine several authentication methods to raise the level of security.

- Certificate
An authentication method widely used on the Internet that gives users secure authentication. When encrypted content is sent, only the Private Key can decrypt it, and the Private Key is normally not sent over the network. For example, the normal authentication process when a user accesses Gmail:

Step 1: The user accesses gmail.com
Step 2: Gmail sends information to VeriSign to obtain a Certificate
Step 3: VeriSign returns to Gmail a Certificate containing: Public Key and Private Key
Step 4: Gmail sends the user the Public Key to encrypt the authentication information
Step 5: The user encrypts with the Public Key and sends the result to Gmail
Step 6: Gmail uses the Private Key to decrypt

This authentication method is not secure when the machine is infected with malware such as a keylogger; the user can still lose their User/Password.

- RSA
RSA is an expensive and secure method for authentication and for transmitting information over the Internet. RSA overcomes some of the weaknesses of Certificate authentication. It is the method commonly used for banking transactions.

- Biometric


An authentication method that uses biometrics to identify the user, such as fingerprint, veins, retina, voice or face.

5. Authorization

a. Basics of Authorization
Authorization is the granting of rights to a user in a system after the user has authenticated (Authentication). Authorization expresses the rights the user may exercise on the system. Authorization works directly with Access Control.
Example: on Windows, after the user logs on (Authentication) the system grants rights as follows:
- For files and folders, through NTFS Permissions: the rights to read, write, delete and modify. These are the authority the user is granted over files and folders.
- For the system, through User Rights: the right to change the system, such as remote desktop or editing network adapter settings.


b. Authorization methods

RADIUS
Remote Authentication Dial-in User Service (RADIUS) provides authentication and access control over the UDP protocol, giving centralized authentication for the whole network. RADIUS can be used for users connecting through VPN or RAS, or to provide authentication for any service that uses RADIUS.

RADIUS model authenticating a Wi-Fi system

Kerberos
The same as in the Authentication section.

TACACS
Terminal Access Controller Access Control System (TACACS) controls access by authenticating and authorizing in UNIX networks. It works like RADIUS: when a system needs to authenticate, it passes the Username and Password to the TACACS server, which authenticates and grants access. TACACS uses UDP and TCP on port 49.

TACACS+
Extended Terminal Access Controller Access Control System Plus (TACACS+) is a variant of TACACS. Like RADIUS, the TACACS+ protocol provides authentication and authorization, with Accounting, for centralized authorization of authentication requests.

LDAP
Lightweight Directory Access Protocol (LDAP) provides access to directory services and is integrated into Microsoft Active Directory. LDAP was created as a reduced version of the X.500 Directory Access Protocol and uses port 389. LDAP is very widely used in directory services such as Directory Service Markup Language (DSML), Service Location Protocol (SLP) and Microsoft Active Directory.

XTACACS
A version of TACACS developed and provided by Cisco, called Extended Terminal Access Controller Access Control System (XTACACS). The service extends the TACACS protocol with support for Accounting and Auditing, two features otherwise found only in TACACS+ and RADIUS.

IEEE 802.1x
IEEE 802.1x is a standard for wireless; the port it uses depends on the service providing authentication and authorization, such as RADIUS or TACACS+. This protocol can be used to secure WPA/WPA2. In addition, IPsec is a fairly common protocol used together with IEEE 802.1x to secure the network.

6. The concept of Accounting
Monitoring means managing how the system is accessed and what happens during that access.
- Monitoring helps the administrator determine who caused a fault and what the fault is, so the administrator knows exactly what is needed to recover from it as quickly as possible. Monitoring also lets the administrator detect intruders who have entered the system illegally and stop attacks. What you access and what you do there must also be managed, because in practice 60% of attacks come from inside the system and 40% from the Internet. Preventing attacks from inside the network is very hard because insiders understand the system and its security mechanisms.

- The administrator monitors access and authentication attributes and from them detects attacks and threats to the system.
- Visualizing connections is also very important: from the connections you can identify where an attacker is coming from and what they intend to do.

Access and authentication monitoring relies on the following main elements to detect vulnerabilities and attacks:
Repeated failed access, connections using a protocol that is not present in the system, repeated logon attempts with a wrong password, detection of network scans, and so on.

The monitoring process:
- Monitor the system: monitor all logon processes, access control processes and the processes of programs running on the system.
- Monitor network access: monitor protocols, connections, mail and other access features.
- Monitor the backup function.
- Monitor the availability, readiness and stability of information.
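The indicators listed in this section (repeated failed logons, connections over a protocol the network does not use, and network scans) can be expressed as simple rules over an access log. The following added example (not part of the original document) applies them with a sliding time window; the log format, thresholds, protocol allowlist and log lines are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ALLOWED_PROTOCOLS = {"tcp", "udp", "icmp"}   # assumption: what this network uses
FAILED_LOGIN_LIMIT = 5                        # failures per source per window
SCAN_PORT_LIMIT = 10                          # distinct ports per source per window
WINDOW = timedelta(seconds=60)


def parse_line(line: str) -> dict:
    """'<ISO time> key=value ...' -> dict; raises ValueError on bad input."""
    ts, *pairs = line.split()
    record = dict(pair.split("=", 1) for pair in pairs)
    record["ts"] = datetime.fromisoformat(ts)
    return record


def _prune(events: deque, now: datetime) -> None:
    """Drop entries that have fallen out of the sliding window."""
    while events and now - events[0][0] > WINDOW:
        events.popleft()


def detect(lines):
    """Return (rule, source, time) alerts; expects lines in time order."""
    failures = defaultdict(deque)    # src -> (time, user) of failed logons
    probes = defaultdict(deque)      # src -> (time, port) of connections
    alerts, raised = [], set()

    def alert(rule, src, ts):
        if (rule, src) not in raised:          # one alert per rule and source
            raised.add((rule, src))
            alerts.append((rule, src, ts.isoformat()))

    for line in lines:
        try:
            rec = parse_line(line)
        except ValueError:
            continue                            # skip malformed lines
        src, ts, proto = rec.get("src"), rec["ts"], rec.get("proto")
        if src is None:
            continue
        if proto and proto not in ALLOWED_PROTOCOLS:
            alert("unexpected_protocol", src, ts)
        if rec.get("event") == "login_failed":
            failures[src].append((ts, rec.get("user")))
            _prune(failures[src], ts)
            if len(failures[src]) >= FAILED_LOGIN_LIMIT:
                alert("repeated_failed_login", src, ts)
        elif rec.get("event") == "conn":
            probes[src].append((ts, rec.get("dport")))
            _prune(probes[src], ts)
            if len({port for _, port in probes[src]}) >= SCAN_PORT_LIMIT:
                alert("port_scan", src, ts)
    return alerts


def sample_log():
    """Constructed log lines; the addresses are documentation ranges."""
    t0 = datetime(2012, 7, 1, 10, 0, 0)

    def line(sec, **kv):
        fields = " ".join(f"{k}={v}" for k, v in kv.items())
        return f"{(t0 + timedelta(seconds=sec)).isoformat()} {fields}"

    log = [line(5 * i, src="203.0.113.7", proto="tcp", dport=22,
                event="login_failed", user="root") for i in range(6)]
    log += [line(100 + i, src="198.51.100.9", proto="tcp", dport=20 + i,
                 event="conn") for i in range(12)]
    # Six failures, but five minutes apart: never five inside one window.
    log += [line(300 * i, src="192.0.2.23", proto="tcp", dport=3389,
                 event="login_failed", user="an") for i in range(6)]
    log.append(line(200, src="192.0.2.44", proto="gre", dport=0, event="conn"))
    log.append("corrupted entry without fields")
    return sorted(log)


if __name__ == "__main__":
    for rule, src, when in detect(sample_log()):
        print(when, rule, src)
```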

7. The CIA security triangle
When analyzing the security of a system we need a methodology. Some data areas require confidentiality, some require integrity, and all of the data must be available when requested, which is the availability of the system.
- Confidentiality of information
- Integrity of information
- Availability of the system
These are the three corners of the CIA security triangle of an object to be protected:


a. Confidentiality
Confidentiality of information is the level of protection needed to ensure that important data is not leaked or disclosed.
An attacker can use many methods to obtain the information they want. These methods can be monitoring the network, taking files that contain passwords, or social engineering. Information can be disclosed because encryption that is strong enough was not used when transmitting or storing it. Confidentiality of information is represented by the READ right.

b. Integrity
Integrity of information is the level of protection needed to ensure that information can be trusted: it has not been changed, or has been modified only by authorized people. An attacker can use many methods to change the information they want. These methods can be breaking in past the authentication process, or attacking by exploiting security vulnerabilities in the system. This is an important level of information security; every year many organizations and businesses are attacked through security vulnerabilities and have their data altered.
Integrity of information is represented by the MODIFY right.

c. Availability
"Let me access your data." "Turn my computer on first."
The ability of information to respond when needed is very important; it expresses the readiness of services to serve. The responsiveness of a system is affected by many components: hardware, software or the backup system. The responsiveness of a system must be planned according to the number of people accessing it and the importance of the data.


8. Basic cryptography

a. Basic concepts of cryptography
A cipher system provides a way to protect information by encrypting it into a form that can be read only by someone authorized for that system, or by a specific user. Using and creating such systems is called cryptography.
Cryptography has been used since very early in human history; many encryption methods were in use before IT existed. Examples: Bible ciphers, the Caesar cipher, and in World War II the German army used a mechanical cipher machine to protect messages on the battlefield.
Information technology has the following basic encryption methods:
- Hash functions (HASH)
- Symmetric encryption (Symmetric)
- Asymmetric encryption (Asymmetric)

To understand and study cryptography you need to know some terms:
- Cleartext or Plaintext: data that has not been encrypted
- Ciphertext: data after it has been encrypted
- Encrypt: the encryption process
- Algorithm: the encryption algorithm used during encryption
- Key: the key used by the encryption algorithm during encryption
- Decrypt: the decryption process

b. Hash functions
A hash is a method or algorithm used to check the integrity of data, that is, to check whether the data has changed. The two best-known hash algorithms are SHA and MD5.
Data that is sent over a network or stored can be altered. A recipient who wants to check whether the data is still intact only needs to compare the hash string of the original data with that of the data received. If the two hash strings are identical, the data is intact and has not been modified; otherwise it has.
Practice: use MD5 to hash a file
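The comparison described above, as an added example that is not part of the original document: it hashes files in chunks, checks one file against a previously recorded MD5 digest, and compares a baseline of a whole directory with its current state. The function names and file contents are constructed, and everything happens in a temporary directory.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_file(path, expected_hex, algorithm="sha256"):
    """Compare against a digest obtained from a trusted channel."""
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def build_manifest(root, algorithm="sha256"):
    """Map each file under root (relative path) to its digest."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            manifest[os.path.relpath(full, root)] = file_digest(full, algorithm)
    return manifest


def compare_manifests(baseline, current):
    """Report what changed between two manifests of the same tree."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed files in a temporary directory; nothing else is touched."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("report.txt", b"quarterly figures\n"),
                           ("config.ini", b"mode=production\n"),
                           ("notes.txt", b"draft\n")]:
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        report = os.path.join(root, "report.txt")
        md5_before = file_digest(report, "md5")
        baseline = build_manifest(root)

        # Simulate corruption or tampering: one byte changes, one file
        # goes missing and one new file appears.
        with open(report, "wb") as handle:
            handle.write(b"quarterly figureS\n")
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "extra.bin"), "wb") as handle:
            handle.write(b"\x00\x01")

        changes = compare_manifests(baseline, build_manifest(root))
        still_valid = verify_file(report, md5_before, "md5")
        return changes, still_valid


if __name__ == "__main__":
    print(demo())
```

MD5 is enough to notice accidental corruption, but practical collisions exist for it, so a SHA-2 digest is the safer choice when the concern is deliberate tampering.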

c. Symmetric encryption
Symmetric Key Cryptography is an encryption system that uses one key for both encryption and decryption. Its advantage is that it is easier to use and integrate than asymmetric encryption, and encryption and decryption are also faster than with asymmetric encryption. However, because encryption and decryption use the same key, the key is usually configured in advance at both ends, sender and receiver (e.g. IPsec), or the shared information is encrypted and only someone holding the key can open it. Symmetric encryption is usually used to encrypt data, while asymmetric encryption is usually used for authentication and key transport. There are many symmetric algorithms, but the most widely used today is AES (Advanced Encryption Standard).


d. Asymmetric encryption
Asymmetric Key Cryptography is an encryption system that uses a pair of keys, a Public Key and a Private Key, for encryption and decryption. Usually such a system uses the Public Key to encrypt and the Private Key to decrypt:

Figure: the asymmetric encryption and decryption process

Because generating and distributing keys is complex, integrating and using this method is not as easy as with symmetric encryption. Encryption and decryption also consume more resources, so this method is usually used for user authentication. However, computer systems today are very powerful (e.g. Google), so this method can also be used to transmit data. Using this method requires a system that creates, distributes and manages keys (public, private) and handles key distribution incidents. That system is called Public Key Infrastructure (PKI). The RSA algorithm is an asymmetric encryption algorithm and the most widely used one. Description of the algorithm =>
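The public-key and private-key roles described above can be followed with numbers small enough to check by hand. This added example (not part of the original document) is textbook RSA with toy primes and no padding, for illustration only; real deployments use keys of 2048 bits or more with OAEP or PSS padding from a vetted library. The function names are constructed.

```python
from math import gcd


def make_keypair(p: int, q: int, e: int):
    """Textbook RSA key generation from two primes (toy sizes only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)              # modular inverse, Python 3.8+
    return (n, e), (n, d)            # (public key, private key)


def encrypt(message: int, public_key) -> int:
    """Anyone holding the public key can encrypt."""
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message, e, n)


def decrypt(ciphertext: int, private_key) -> int:
    """Only the holder of the private key can decrypt."""
    n, d = private_key
    return pow(ciphertext, d, n)


def sign(digest: int, private_key) -> int:
    """Authentication use: only the private-key holder can produce this."""
    n, d = private_key
    return pow(digest % n, d, n)


def verify(digest: int, signature: int, public_key) -> bool:
    """Anyone holding the public key can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == digest % n


def demo():
    public, private = make_keypair(61, 53, 17)     # n = 3233, d = 2753
    ciphertext = encrypt(65, public)
    recovered = decrypt(ciphertext, private)
    signature = sign(1234, private)
    return {"public": public, "private": private,
            "ciphertext": ciphertext, "recovered": recovered,
            "signature_ok": verify(1234, signature, public),
            "forged_ok": verify(1235, signature, public)}


if __name__ == "__main__":
    print(demo())
```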


e. Overview of PKI
For asymmetric encryption to work, a system is needed that generates keys, distributes keys, manages keys and sets key policy. That system is called Public Key Infrastructure, abbreviated PKI. PKI is widely used to provide security for applications and networks, access control, website resources, e-mail protection and much more. PKI protects information by providing the following features:
- Identity authentication: provides identification and authentication
- Integrity verification: checks the integrity of data
- Privacy assurance: ensures privacy
- Access authorization: grants authority to access resources
- Transaction authorization: enforces the granting of authority to access resources
- Nonrepudiation support: supports non-repudiation

Next we need to look at the PKI standards; each PKI standard applies to the following applications and systems:


The PKIX Working Group of the IETF develops Internet standards for PKI based on the X.509 certificate standard, focusing on:
- X.509 Version 3 Public Key Certificates and X.509 Version 2 Certificate Revocation Lists (CRLs)
- PKI Management Protocols
- Operational Protocols
- Certificate Policies and Certificate Practice Statements (CPSs)
- Time-stamping, data-certification, and validation services

Whereas PKIX was developed on the basis of the Internet standard X.509, Public Key Cryptography Standards (PKCS) is a data encryption approach developed and published by RSA Lab, now part of the RSA company. There are 15 specific PKCS documents, for example:
- PKCS #1 RSA Cryptography Standard gives recommendations for and the implementation of a Public Key cryptosystem based on the RSA algorithm
- PKCS #2 has been incorporated into PKCS #1
- PKCS #15:

Below is the information in a Certificate that follows the X.509 standard


A PKI consists of the following components:

- Certificate Authority (CA)
The CA is the key component in the concept of a PKI. Examples of CA providers are VeriSign and Entrust. It is the system that issues Certificates.

- Registration Authority (RA)
The RA provides authentication to the CA and is treated as a client requesting a digital certificate.

- Digital Certificates
A digital certificate is data that includes public key cryptography; most Certificates are based on the structure of the X.509 standard, including

- Certificate Policies
The policy for digital certificates, identifying how certificates are to be used. It covers specifics such as:
+ Use for protecting information with the CA
+ Method of authenticating to the CA
+ Key management
+ Management of Private Key use
+ Validity period of the certificate
+ Renewal
+ Whether exporting the private key is allowed
+ Minimum length of the Public Key and Private Key

- Certificate Practice Statement
The CPS is a document created and published by the CA that provides information depending on how the CA system uses digital certificates. The CPS gives information on how the CA is used


In the example above VeriSign is the CA, Thawte SGC CA is the CSP, and the information is used for Google's accounts service.

- Revocation (revoking a key)
Digital certificates that are in use can also be revoked. Revocation of a certificate is carried out before it expires. The revocation process ensures that a certificate cannot exist beyond the time limit set when the CA created it.

- Trust models
The simplest PKI structure has one CA. A single CA can create and manage digital certificates, but because of its simplicity this model applies only to small organizations, and if the CA fails, every system that uses the service fails. To reduce this risk, PKI allows a structured system to be built with a Root CA as the top tier and tiers of subordinate CAs below it; the subordinate CAs are managed so that if one fails it can simply be rebuilt. That is the Trust Models system.


f. Practice: encrypting and decrypting with Cryptography tools

9. Basic concepts of network attacks

a. Basic steps of an attack
An attack is usually divided into the basic steps below:


- Step 1: Reconnaissance
The first step of any attack. The attacker tries to gather as much information about the target as possible, mainly in two ways (Active/Passive).
Passive: the attacker looks for information about the target through information channels.
Active: the attacker observes the target and goes to its actual location to investigate.
The goal of this step is to identify the target.

- Step 2: Scan
The second step is carried out once the target has been identified. Scanning aims to find the target's weak points, and from that to list everything through which the system could be penetrated.

- Step 3: Gaining Access
Having found the system's weaknesses, the attacker chooses one or more vulnerabilities, attacks through them and takes control.

- Step 4: Maintaining Access
After a successful attack, to make later access to the system easier, the attacker typically uses a virus, Trojan, backdoor or pieces of shell code.

- Step 5: Clearing Tracks
The attacker erases the traces of their access, for example by deleting logs.

b. Some security concepts
- Threat: an action or situation that can affect security. A threat is a risk to the security of the system.
- Vulnerability: a security hole in the system.
- Target of Evaluation: an information technology system that is the target of the attack.
- Attack: attacks on a network can be divided into two forms:
+ Active Attack
+ Passive Attack
Attacks on a system can also be divided in many other ways. Obtaining information, changing information or destroying information are the most basic aims of attacks.
- Exploit: the act of exploiting a security vulnerability.


c. Basic attack methods
- Brute Force: an attack in which the attacker tries simple passwords one after another in order to guess the user's password. This method works only against simple passwords.
- Dictionary: an attack similar to brute force, but instead of trying passwords one after another the attacker uses a dictionary of passwords to try.
- Spoofing: an attack in which a person or a system impersonates another. For example, someone forges the sender address of an e-mail and sends it without having to authenticate.
- DoS: an attack in which a person or a system makes another system inaccessible or significantly slower by using up its resources.
- Man-in-the-middle: the attacker somehow places themselves in the middle of the communication between two computers.
- Replay: for example, an authentication process completes successfully and the attacker captures it. When the attacker needs to log on to the system, they play back that traffic to authenticate. That is the Replay attack method.
- Session Hijacking: after the user has authenticated successfully, the attacker takes over the communication session. This form of attack is Session Hijacking.

d. Targets of attacks
Attacks are classified by their target:
o Operating System: the target is the operating system. Today's operating systems are very complex, with many services, ports and access modes. Patching security vulnerabilities is increasingly complex and sometimes the updates are not applied. The attacker exploits the security vulnerabilities in those operating systems.
o Application: the target is an application. Applications are developed by independent software vendors who sometimes care only about meeting the functional needs of the application and forget to secure it. Many applications have security vulnerabilities that hackers can exploit.
o Shrink Wrap: the code of programs and applications is sometimes exposed, and this is also a very serious security hole.
o Misconfiguration: wrong settings on a system sometimes open gaps that an attacker can exploit.


III. INFRASTRUCTURE SECURITY

This part covers the following main topics:
- Solutions and a roadmap for building network infrastructure security
- Designing a secure network model
- Security components in the network infrastructure
- Operating system security
- Building an information security policy


1. Solutions and a roadmap for building network infrastructure security

To build a secure network, there must be a sensible roadmap that weighs the requirements against the cost that can be afforded, and solutions are chosen on that basis. The most suitable solution balances these factors:
- Required features
- Cost of the solution
- Features
- System performance

Example 1: We cannot build a million-dollar solution to protect an unimportant personal computer.
Example 2: When we need to protect a web system, Endpoint security features are not what is needed.
Example 3: We cannot give up 50% of the system's performance to protection software.

No business or organization can deploy every security solution at once, so a clear roadmap is needed. A roadmap must give full coverage and compatibility between the solutions, avoiding overlap and conflict. An organization can follow this roadmap to build an IT infrastructure that meets its security needs. Below is the roadmap of steps and solutions for building a network with a high level of security.


3. Designing a secure network model

For information security solutions to work without overlapping or conflicting, a suitable design model is needed. Below is a model in which I find the zone design, the devices used, remote access and HA are all covered. I have read quite a few books on security but have not seen one with a modular model like this; most are simple models that lack practicality.


Overview: the model is divided into modules:
+ Internet module: router, proxy and bandwidth optimization, firewall
+ DMZ module: IPS protection and the servers published to the Internet
+ Core module: the core routing and switching zone of the whole system, where the Access Control Lists for the zones are set
+ Server Farm module: holds the important servers such as data servers and core banking, monitored by an IDS device
+ Management module: a secure network zone where the management ports of devices and servers are connected
+ User zone: provides network access for users at the office
+ Branch: connects to the branch networks across the country

Analysis of the security devices:
+ Core router and switch: set the Access Control Lists and provide HA for all connections
+ Proxy: optimizes inbound and outbound bandwidth
+ Firewall: opens and closes ports, publishes servers and handles VPN connections
+ IPS: a device that monitors, detects and blocks network attacks
+ Endpoint Security: an endpoint solution for workstations and servers
+ Data Loss Prevention solution: prevents data leakage
+ Network Access Control: manages network access

4. Router and Switch

a. Router functions
- Routing: routes packets on the network
- NAT: translates IP addresses from private to public and back
- Access Control List: lets the administrator create Access Control Lists that block ports and IP addresses as required

b. Switch functions
- Switches packets at Layer 2

c. Security on the switch
- VLANs: allow several networks to be created on one switch, which limits the spread of viruses and other attacks.
- Port Security: binds a fixed set of MAC addresses to a given port on the switch, which blocks attacks such as MAC spoofing and ARP spoofing.

d. Security on the router
- The router is a very important device in the network model: it routes, performs NAT and creates ACLs to protect the network at the gateway layer.

Lab: Install Packet Tracer 4.0 to test some commands on the router.

Understanding Access Control Lists


On a Cisco router, create an access list (applies to IP addresses only) with the command:

    Router(config)# access-list access-list-number {permit|deny} source [source-mask]

Apply the access list just created:

    Router(config-if)# ip access-group access-list-number {in|out}

Create and apply an extended Access Control List (can match on port and IP):

    Router(config)# access-list access-list-number {permit|deny} protocol source source-mask destination destination-mask [operator operand]
    Router(config-if)# ip access-group access-list-number {in|out}
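How a router walks such a list, as an added example that is not part of the original document: the code below parses access-list lines in the syntax shown above and applies Cisco's first-match rule, the wildcard (inverse) mask and the implicit deny that ends every list. Only `access-list 23` comes from this page; the other entries, the function names and the restriction to list numbers 1-199 with a destination `eq` port are assumptions made for the illustration.

```python
"""First-match evaluation of Cisco-style access lists (added illustration)."""
import ipaddress

ANY = (0, 0xFFFFFFFF)   # address 0 with an all-ones wildcard matches everything

# access-list 23 is the one used on this page; list 110 is constructed.
SAMPLE = """
access-list 23 permit 192.168.51.45
access-list 110 deny tcp any host 192.168.0.35 eq 23
access-list 110 permit tcp 192.168.51.0 0.0.0.255 any eq 80
access-list 110 permit ip 10.0.10.0 0.0.0.255 any
"""

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def _take_addr(tokens, mask_optional=False):
    """Consume 'any', 'host A' or 'A WILDCARD' and return (address, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return _to_int(tokens.pop(0)), 0
    if mask_optional and not tokens:       # standard ACL naming a single host
        return _to_int(first), 0
    return _to_int(first), _to_int(tokens.pop(0))

def parse_acl(text):
    """Parse 'access-list' lines into {number: [rule, ...]}, keeping config order."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        rule = {"action": action, "proto": "ip", "dst": ANY, "port": None}
        if number < 100:                   # standard ACL: source address only
            rule["src"] = _take_addr(rest, mask_optional=True)
        else:                              # extended ACL: protocol, source, destination
            rule["proto"] = rest.pop(0)
            rule["src"] = _take_addr(rest)
            rule["dst"] = _take_addr(rest)
            if rest[:1] == ["eq"]:
                rule["port"] = int(rest[1])
        acls.setdefault(number, []).append(rule)
    return acls

def _addr_match(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # wildcard 1-bits are "don't care"
    return (_to_int(addr) & care) == (base & care)

def evaluate(rules, src, dst="0.0.0.0", proto="ip", dport=None):
    """Return the action of the first matching rule, or the implicit deny."""
    for rule in rules:
        if rule["proto"] not in ("ip", proto):
            continue
        if not (_addr_match(src, rule["src"]) and _addr_match(dst, rule["dst"])):
            continue
        if rule["port"] is not None and rule["port"] != dport:
            continue
        return rule["action"]
    return "deny"                          # every ACL ends with an implicit deny

if __name__ == "__main__":
    acls = parse_acl(SAMPLE)
    print(evaluate(acls[23], "192.168.51.46"))
    print(evaluate(acls[110], "10.0.10.9", "192.168.0.35", "tcp", 23))
```

The second call shows why rule order matters: the host is covered by the last permit entry, but the Telnet deny earlier in the list matches first.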

Reviewing the router's log shows what the system has blocked and who has accessed the router.

e. Configuring router security

Set an IP address on an interface:

    Router> enable
    Router# configure terminal
    Router(config)# interface Ethernet 0
    Router(config-if)# ip address 192.168.0.35 255.255.255.0

Set a password for console login:

    Router#config terminal
    Router(config)#line console 0
    Router(config-line)#login
    Router(config-line)#password l3tm3!n
    Router(config-line)#^Z
    Router#

Set a password for remote login:

    Router#config terminal
    Router(config)#line vty 0
    Router(config-line)#login
    Router(config-line)#password l3tm3!n
    Router(config-line)#^Z
    Router#

Create users on the router:

    Router#configure terminal
    Router(config)#username Auser password u$3r1
    Router(config)#username Buser password u$3r2
    Router(config)#username Cuser password u$3r3
    Router(config)#username Duser password u$3r4
    Router(config)#^Z

Set up SSH login on the router:

    Router#configure terminal
    Router(config)#ip domain-name scp.mil
    Router(config)#access-list 23 permit 192.168.51.45
    Router(config)#line vty 0 4
    Router(config-line)#access-class 23 in
    Router(config-line)#exit
    Router(config)#username SSHUser password No+3ln3+
    Router(config)#line vty 0 4
    Router(config-line)#login local
    Router(config-line)#exit
    Router(config)#^Z
    Router#configure terminal
    Router(config)#crypto key generate rsa
    The name for the keys will be: Router.scp.mil
    Choose the size of the key modulus in the range of 360 to 2048
    for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
    How many bits in the modulus [512]: 1024
    Generating RSA keys ... [OK]
    Router(config)#^Z
    Router#configure terminal
    Router(config)#ip ssh timeout 45
    Router(config)#^Z
    Router#configure terminal
    Router(config)#ip ssh authentication-retries 2
    Router(config)#^Z
    Router#configure terminal
    Router(config)#line vty 0 4
    Router(config-line)#transport input ssh telnet
    Router(config-line)#^Z
    Router# show ip ssh

Set up a static route on the router:

    MarketingRouter#config terminal
    MarketingRouter(config)#ip route 10.0.10.0 255.255.255.0 20.0.20.1
    MarketingRouter(config)#^Z
    MarketingRouter#
    FinanceRouter#config terminal
    FinanceRouter(config)#ip route 30.0.30.0 255.255.255.0 20.0.20.2
    FinanceRouter(config)#^Z
    FinanceRouter#

Set up RIP (dynamic routing) on the router:

    LEFT#configure terminal
    LEFT(config)#router rip
    LEFT(config-router)#network 172.16.0.0
    LEFT(config-router)#network 192.168.10.0
    LEFT(config-router)#^Z
    LEFT#


Securing the router against ICMP traffic:

    Router#config terminal
    Router(config)#interface Serial 0
    Router(config-if)#no ip unreachables
    Router(config-if)#^Z
    Router#config terminal
    Router(config)#interface Ethernet 0
    Router(config-if)#no ip directed-broadcast
    Router(config-if)#no ip unreachables
    Router(config-if)#interface Serial 0
    Router(config-if)#no ip directed-broadcast
    Router(config-if)#no ip unreachables
    Router(config-if)#interface Serial 1
    Router(config-if)#no ip directed-broadcast
    Router(config-if)#no ip unreachables
    Router(config-if)#^Z

Protect against source routing:

    Router#config terminal
    Router(config)#no ip source-route
    Router(config)#^Z
    Router#

Small services:

    Router#config terminal
    Router(config)#no service tcp-small-servers
    Router(config)#no service udp-small-servers
    Router(config)#^Z
    Router#


Block Finger:

    Router#config terminal
    Router(config)#no service finger
    Router(config)#^Z
    Router#
    Router#config terminal
    Router(config)#no ip finger
    Router(config)#^Z
    Router#

Turn off unneeded services:

    Router#config terminal
    Router(config)#no ip bootp server
    Router(config)#no ip name-server
    Router(config)#no ntp server
    Router(config)#no snmp-server
    Router(config)#no ip http server
    Router(config)#^Z
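The hardening commands in this section can be checked mechanically. The following added example (not from the original document) scans a saved configuration for a subset of them and also reports vty lines that still accept Telnet. The sample configuration and all function names are constructed for the illustration, and the check assumes the `no ...` lines appear literally in the configuration text, so a finding on a release where a service is already off by default means "verify", not "vulnerable".

```python
"""Check a Cisco IOS configuration for the hardening commands listed above."""

# Each entry lists alternative spellings; one of them must be present.
GLOBAL_CHECKS = [
    ("no ip source-route",),
    ("no service tcp-small-servers",),
    ("no service udp-small-servers",),
    ("no service finger", "no ip finger"),
    ("no ip bootp server",),
    ("no ip http server",),
]
INTERFACE_CHECKS = ["no ip unreachables", "no ip directed-broadcast"]

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip finger
!
interface Ethernet0
 ip address 192.168.0.35 255.255.255.0
 no ip unreachables
 no ip directed-broadcast
!
interface Serial0
 no ip unreachables
!
no ip http server
access-list 23 permit 192.168.51.45
!
line vty 0 4
 access-class 23 in
 login local
 transport input ssh telnet
"""

def split_sections(config):
    """Split a config into global commands and indented interface/line blocks."""
    global_lines, sections, current = [], {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip().startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
            continue
        current = None
        global_lines.append(line.strip())
        if line.startswith(("interface ", "line ")):
            current = line.strip()
            sections[current] = []
    return global_lines, sections

def audit(config):
    """Return findings, global ones first; an empty list means all checks passed."""
    global_lines, sections = split_sections(config)
    findings = [f"global: missing '{alts[0]}'" for alts in GLOBAL_CHECKS
                if not any(cmd in global_lines for cmd in alts)]
    for header, body in sections.items():
        if header.startswith("interface "):
            findings += [f"{header}: missing '{cmd}'"
                         for cmd in INTERFACE_CHECKS if cmd not in body]
        elif header.startswith("line vty"):
            if not any(cmd.startswith("access-class ") for cmd in body):
                findings.append(f"{header}: no access-class restricting sources")
            for cmd in body:
                if cmd.startswith("transport input") and \
                        {"telnet", "all"} & set(cmd.split()[2:]):
                    findings.append(f"{header}: Telnet is accepted ({cmd})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```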

Create the Access Control Lists (described above).

5. Firewall and Proxy

a. The firewall concept

The term firewall comes from a design technique in construction used to stop and limit fires. In information technology, a firewall is a technique integrated into a network to prevent unauthorized access, in order to protect internal information sources and limit unwanted intrusion into the system. A firewall is described as a surrounding line of defence with checkpoints that control all inbound and outbound traffic. Access can be monitored and blocked at these checkpoints.


Private networks connected to the Internet are often threatened by attackers. Firewalls are commonly used to protect the data inside. A firewall lets legitimate users through and blocks illegitimate ones. A firewall can be a hardware device, a software program running on a secured host, or a combination of both. In every case it must have at least two network interfaces, one for the network it protects and one for the outside network. A firewall can be a gateway or the junction between two networks, usually a private network and a public network such as the Internet. The first firewalls were simple routers.

b. Firewall functions

The main function of a firewall is to control the flow of information between the Intranet and the Internet. It establishes a mechanism that controls the flow of information between the internal network (Intranet) and the Internet:
- Allow or deny services going out.
- Allow or deny services coming in from outside.
- Monitor the network data flows between the Internet and the Intranet.
- Control access addresses and block access addresses.
- Control users and their access.
- Control the content of information moving on the network.

A firewall examines all traffic between the two networks to see whether it meets the criteria. If it does, it is routed between the networks; otherwise it is dropped. A firewall filter filters both outbound and inbound traffic. It can also manage access from outside to internal network resources. It can be used to log all attempts to enter the private network and to raise an alarm quickly when a hostile or unauthorized party breaks in. A firewall can filter packets based on their source address, destination address and port number. This is also called address filtering. A firewall can also filter particular types of network traffic. This is called protocol filtering, because the decision to forward or reject the traffic depends on the protocol used, for example HTTP, FTP or Telnet. A firewall can also filter traffic by packet attributes and state.

Some firewalls have interesting, advanced functions, such as tricking intruders into believing that they have broken through the security system. Basically, the firewall detects the attack and takes it over, leading the attacker along in a "hall of mirrors" approach. If the attacker believes they have got into part of the system and can reach further, the attacker's activities can be logged and monitored. If the intruder can be held for a while, the administrator can follow their trail. For example, the finger command can be used to trace the attacker, or a decoy file can be created that takes them a long time to transfer, after which the file transfer is traced to the attacker's location over the Internet connection.

c. How a firewall works

Firewall rules work in a similar way to a router's Access Control List; firewall rules can filter packets more deeply than an ACL. A firewall works closely with TCP/IP, because this protocol works by splitting the data received from network applications, or more precisely from the services running on the protocols (Telnet, SMTP, DNS, SNMP, NFS …), into data packets and then assigning these packets addresses so that they can be identified and reassembled at the destination. Firewalls are therefore very much concerned with packets and their addresses.


The packet filter allows or rejects each packet it receives. It examines the whole data segment to decide whether it satisfies one of the packet filtering rules. These rules are based on the information at the head of each packet (the header), which is used to carry the packet across the network, including:
- Source IP address
- Destination IP address
- Transport protocol (TCP, UDP, ICMP, IP tunnel …)
- Source TCP/UDP port
- Destination TCP/UDP port
- ICMP message type
- Incoming packet interface
- Outgoing packet interface

A firewall can also extract data from Layers 6 and 7 of the packet: file type, URL, content, services, application, user, ...

d. Types of firewall

By placement:
- Network Firewall: protects a whole network
- Host Firewall: protects the computer it is installed on (usually built into the OS or into security software such as anti-virus or endpoint security).
- Web Firewall: may be a network firewall or a host firewall whose function is to protect web services against attacks.

By hardware or software platform:
- Software Firewall: usually installed on an OS, or a Linux operating system with an integrated software firewall
- Hardware Firewall: optimized by building the operating system on the vendor's hardware platform, so processing performance is better.

By packet-processing capability:
- Packet Filter: works at Layers 3 and 4 of the OSI model. It filters packets at these two layers; this kind of firewall can be regarded as an Access Control List on a router.
- Application Filter: works at Layer 7. It allows rules that act on Layer 7 of the OSI model, such as URL and content.
- Stateful Filter: works from Layer 3 to Layer 7. It allows complex rules built from IP, port, URL, file type, time, user, content, header, ...
- UTM: integrates firewall and UTM. Because of its many features, processing performance is not high.

A newer concept, a new generation of firewall, is defined by Gartner (an organization that evaluates IT solutions). A Next Generation Firewall must have the following features:
- Supports inline operation in the network (can operate transparently from Layer 2)
- Has the basic firewall features: packet filter, NAT, stateful, VPN
- Supports network discovery (active hosts, services, applications, OS, vulnerabilities)
- Deep IPS integration (allows configuration, rule editing, Event Impact Flag)
- Application awareness: detects system services and supports deep policies such as blocking Skype or Yahoo Messenger
- Extra-firewall intelligence: for example, blocking one particular user from logging in to Facebook while the other users can still access it
- Supports continuous signature updates so that the system is always protected


Gartner's concept describes the features of today's firewalls. Many books I have read do not include this concept at all, while in practice many such systems are deployed.

e. Designing the firewall into the network model

Designing a firewall that fits the network is very important. Below I present some firewall deployment models:

Figure: Router acting as a packet filter


Figure: Firewall applied to the DMZ zone

Figure: Integrated network model at an organization (example)

Figure: Integrated network model with firewall, another example

This model includes: a firewall, a dedicated BlueCoat proxy, a Sourcefire IPS, load balancing across several Internet links, a UTM firewall and many other security devices and solutions.


6. Configuring the iptables firewall on Linux

Unix/Linux systems have many firewalls. Among them is one that is configured and run from the console and is very small and handy: iptables. This article does not set out to describe the use of iptables in detail, but I hope that through it you can understand iptables to some extent and configure it at a basic level.

First you need to understand how the iptables firewall handles packets leaving, entering or passing through the PC.
- Any packet that wants to enter your PC must pass through the Input chain.
- Any packet from your PC that wants to go out to the network must pass through the Output chain.
- Any packet that your PC wants to send on to another destination must pass through the Forward chain.

All of the above is supervised by iptables, and of course iptables must be installed and set up :-) Configuring the Input chain, the Output chain and the Forward chain is called setting the rules of the firewall. iptables is included in the kernel of several popular Linux versions today: Redhat, Mandrake, SuSe, ... If it is not, you can find iptables at:

http://www.linuxapps.com/
http://www.freshmeat.net/

Some simple configurations

Some commonly used ports and services on a Unix/Linux system:

    Port   Protocol  Service
    21     TCP       FTP
    22     TCP       SSH
    23     TCP       TELNET
    25     TCP       SMTP
    53     TCP       NAME (DNS)
    79     TCP       FINGER
    80     TCP       HTTP
    110    TCP       POP3
    111    TCP       SUNRPC
    443    TCP       HTTPS
    901    TCP       SAMBA-SWAT
    1024   TCP       KDM
    3306   TCP       MYSQL
    6000   TCP       X11

Now let us look at the basic functions and configuration of iptables.

Example: when your PC sends a packet to http://www.yahoo.com/ requesting an HTML page, the packet first has to pass through the Output chain. The rules then come into play and check the request to send the packet. If the request is valid, the packet is let through. Then, when Yahoo replies with a packet to your machine, it also has to pass through the Input chain. Naturally it has to match the rules before it is let into your machine. Just as troublesome and complicated as customs at Noi Bai airport, isn't it?

We start by working with specific IP addresses. Suppose you want to block all packets coming from 192.78.4.0. -s is the option that specifies a source IP address or DNS name. That gives the command:

    iptables -A INPUT -s 192.78.4.0

If you want to handle packets in more detail, the -j option lets you do that with ACCEPT, DENY or DROP (used together with the -s option). I probably do not need to explain the meaning of the three words ACCEPT, DENY and DROP. If you want to DROP the packets from the address 192.78.4.0:

    iptables -A INPUT -s 192.78.4.0 -j DROP

DENY or ACCEPT work the same way ;-p

The single command above ignores everything coming from 192.78.4.0.


We can also ignore one particular PC on a network. If you do not want the PCs in the network to contact and talk to that PC, or to communicate outside, you only need to change the Input/Output parameter and the -s and -d options. Suppose we want to ignore Telnet requests from this PC. In this case there are at least three protocols that can be specified: TCP, UDP and ICMP. The -p option is used to specify the protocol to handle. Telnet is a protocol that runs on port 23/TCP, so we get the command:

    iptables -A INPUT -s 192.78.4.0 -p tcp --destination-port telnet -j DROP

The commands above operate on one IP address (single IP). If you want to operate on several IP addresses at once (multi IP), there is a small change, as follows:
- 192.78.4.0/84 ==> all IPs from 192.78.4.0 to 192.78.4.84
- 192.78.4.* ==> all IPs in class D network, from 192.78.4.0 to 192.78.4.255

A slightly more complex configuration (just a little)

You have a LAN and an Internet connection. We will agree to call the LAN eth0 and the Internet connection ppp0. You want to allow the Telnet service to run on the PCs in the LAN but do not want it to work out on the Internet (for security reasons). Don't worry, iptables will take care of this for you. You can use the -i and -o options. Blocking on the Output chain seems more reasonable than blocking on the Input chain. You can additionally use the -i option:

    iptables -A INPUT -p tcp --destination-port telnet -i ppp0 -j DROP

The command above blocks all Telnet requests and Telnet attack risks coming from outside into your LAN.

If you know that packets use certain protocols, and the protocol is TCP, you can also easily know the port it uses. When two PCs connect over TCP, the connection first has to be initiated. That is the job of a SYN packet. A SYN packet tells the other PC that the sender is ready to connect. Only the PC that is asking for the connection sends a SYN packet. If you block incoming SYN packets, other PCs are stopped from reaching the services that are open. That means the PCs in your LAN are cut off from the PCs on the Internet:

    iptables -A INPUT -i ppp0 -p tcp --syn -j DROP

If you still want to keep a service running but do not want PCs on the Internet to communicate with it, and only want PCs in the LAN to communicate with it, you can block all SYN packets on that service's port:

    # Drops new inbound TCP connections on ppp0 to every port except 80
    iptables -A INPUT -i ppp0 -p tcp --syn ! --destination-port 80 -j DROP

By default the Input chain and the Output chain are always configured in Accept mode, while Forward is always set to Deny mode. If you want to use the server and firewall as a router, you must configure Forward in Accept mode.
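iptables reads a source as address[/mask], where the mask is a prefix length from 0 to 32 or a dotted netmask, so a range such as 192.78.4.0 to 192.78.4.84 is written as several CIDR blocks or with the iprange match. The following added example (not part of the original article; the function names are illustrative) checks the multi-address notations used earlier in this section with Python's ipaddress module and builds the corresponding rules as strings.

```python
"""Source-address specifications for iptables rules (added illustration)."""
import ipaddress

def covered_range(spec):
    """First and last address selected by an 'address[/mask]' source spec.

    The mask is a prefix length (0-32) or a dotted netmask; anything else
    raises ValueError, as do wildcard forms such as '192.78.4.*'.
    """
    network = ipaddress.ip_network(spec, strict=False)
    return str(network[0]), str(network[-1])

def cidr_blocks(first, last):
    """Smallest list of CIDR blocks that covers exactly first..last."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(block) for block in blocks]

def drop_rules(first, last, chain="INPUT"):
    """One 'iptables -s' rule per CIDR block needed to cover the range."""
    return [f"iptables -A {chain} -s {block} -j DROP"
            for block in cidr_blocks(first, last)]

def iprange_rule(first, last, chain="INPUT"):
    """Single rule for the same range using the iprange match extension."""
    return f"iptables -A {chain} -m iprange --src-range {first}-{last} -j DROP"

def describe(spec):
    """Human-readable result of checking one source specification."""
    try:
        first, last = covered_range(spec)
    except ValueError as err:
        return f"{spec}: not a valid address/mask ({err})"
    return f"{spec}: matches {first} to {last}"

if __name__ == "__main__":
    for spec in ("192.78.4.0", "192.78.4.0/24", "192.78.4.0/84", "192.78.4.*"):
        print(describe(spec))
    print("\n".join(drop_rules("192.78.4.0", "192.78.4.84")))
    print(iprange_rule("192.78.4.0", "192.78.4.84"))
```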


There are many excellent scripts on the Internet for configuring iptables rules. You can download them and apply them straight away on your own system. There are also some tools for configuring iptables under X.

Conclusion

Security is always a complex issue on which much ink has been spilled. I hope that through this article you will understand and grasp how to use iptables. Everything is only relative. So if you want to keep your system secure, you must always review and check the firewall, the bugs, ... and always stay at the highest level of combat readiness...

7. Installing and configuring SQUID as a proxy server

a. Linux SQUID proxy server

Squid is a proxy server. Squid's capabilities are saving bandwidth, improving security and speeding up web access for users, and it has become one of the popular proxies that many people know. Today there are many proxy server programs on the market, but they have two drawbacks: first, you have to pay to use them; second, most of them do not support ICP (ICP is used to update changes in the content of the URLs already in the cache, which is where the web pages you have visited are stored). Squid is the best choice for a proxy-cache server; Squid meets our two requirements: it is free to use and it can use the I