Designing firewalls


DESIGNING FIREWALLS

Group 2: 08520435 Nguyn Thnh Trung, 08520530 Trng Th Thy Duyn, 08520292 Phm Ph Phc, 08520548 L Kim Hng

- Firewall Components
- Create a Firewall Policy
- Rule Sets and Packet Filters
- Proxy Server
- The Bastion Host
- The Honeypot

I. Firewall Components

Firewalls were created in response to the ever-growing need for information security. A firewall sits between the internal network and the WAN. Its job is to deny or permit connections according to the rules that the administrator creates and registers on the device.

Basic firewall diagram (figure slide).

Today a firewall is also expected to provide the following services:
- NAT: used by the router to translate an internal address into an external address.
- Data caching: this option lets the router store data that network users have been permitted to retrieve.
- Restriction on content: this option is available on newer systems. It lets the administrator restrict access to Internet content by keyword.

Firewall Methodologies

A firewall has two main methods of enforcing security inside a network. Although there are many variants, they all revolve around two main types:
- Packet filtering
- Proxy servers (application gateway)

Packet filtering
Packet filtering was the first type of firewall and is used in many network protection systems. Its most common implementation intercepts packets on a router. Packet filters are limited because they are designed to examine only the packet header.
Advantages:
- Low cost, simple configuration
- Transparent to the user
Limitations:
- The filters themselves can be attacked.
- If a packet-filtering router stops working for any reason, every system on the internal network may be exposed to attack.

Proxy servers (application gateway)
Proxy software is used to build a component that can analyse more than just the packet headers. Proxy servers use software to intercept predetermined kinds of network traffic.
The main advantage of proxy software is that it can permit or deny communication based on the actual payload of the packet, not only the header. Beyond that, the proxy helps to recognise communication methods and their responses, rather than simply opening and closing ports as directed.

What a Firewall Cannot Do
Thus a firewall, whether a packet filter, a proxy server, a combination of both, or another filtering option, can be used to create a safe environment for your data. A firewall protects against attacks from outside.

A firewall ensures that all incoming data is legitimate and prevents outside users from seizing control of your computer. In short, a firewall gives our data confidentiality, integrity and availability.

Difficulty in securing the network by firewall
- Viruses: a firewall can detect viruses, but we still need an anti-virus system.
- Employee misuse: employees may forget mail addresses or run unsafe programs received from friends.
- Secondary connections: users can create their own Internet connection. Such connections are not protected by the firewall.
- Social engineering
- Poor architecture

Implementation Options for Firewalls
No single type of firewall is considered the standard inside a network. Several different kinds have been developed, including:
- A Single Packet Filtering Device
- A Multi-homed Device
- A Screened Host
- A Demilitarized Zone (DMZ)

A Single Packet Filtering Device

The figure below shows a network protected by one device configured as a packet filter, permitting or denying access based on the packet header (figure slide).

A Multi-homed Device
The network is protected by a device fitted with several network cards, on which proxy software is installed; the proxy software steers packets along defined paths (figure slide).

A Screened Host
A network protected by a combination of the proxy server architecture and the packet-filtering architecture (figure slide).

This system provides higher security than the previous one, because it enforces security at both the network layer (packet filtering) and the application layer. The filtering rules on the packet-filtering router are defined so that all external systems can reach only the bastion host. Only internal traffic originating from the bastion host is accepted. Because the bastion host is the only internal system reachable from the Internet, attacks are also limited to the bastion host.

A Demilitarized Zone (DMZ)
A network designated as a zone or domain, created for servers that must be reachable from the Internet as well as by internal users. It is a special area: it requires two filtering devices, and many machines may exist inside its boundary (figure slide).

The system consists of two packet-filtering routers and one bastion host. The DMZ network acts as a small, isolated network placed between the Internet and the internal network. Systems on the Internet and on the internal network can reach only a limited set of systems on the DMZ network, and direct transmission across the DMZ network is impossible. The system permits the outside to reach only the bastion host. The inner router provides a second layer of protection by allowing the DMZ to reach the internal network only with traffic that originates from the bastion host.

II. Create a Firewall Policy

Before configuring anything we need a Firewall Policy, to avoid choosing and installing the firewall incorrectly or ineffectively. For a firewall to be designed and deployed correctly, it must be based on a concrete policy, which is one part of the overall security policy of the organisation using the firewall.

Two stances for building a firewall:
- Deny everything; permit only legitimate traffic.
- Permit everything; block only illegitimate traffic.

Some components of a security policy:
- Acceptable Use Statement
- Network Connection Statement
- Contracted Worker Statement
- Firewall Administrator Statement

Acceptable Use Statement

- Applications that may not be installed (from sources such as the Internet, CD, USB or floppy disk).
- Backing up applications installed on an organisation computer (permitted or not, as the organisation decides).
- Use of accounts on the computers: when no one is using a machine it must be locked and password-protected.
- The computer and the applications installed on it are for the organisation's business only. They may not be used to threaten or harass any individual.
- The e-mail services that may be used.

The Network Connection Statement

- Only administrators may perform network scans.
- Users may access FTP sites to upload and download the files they need, but internal computers may not run an FTP server.
- Users may access the WWW on port 80 and e-mail on port 25, but may not access NNTP on any port.
- Users on subnet 10.0.10.0 may use SSH for remote administration, and vice versa.
- Users may not run any Internet chat software.
- No downloading of files larger than 5 MB.
- Anti-virus software must be installed, working properly and updated regularly: weekly on workstations and daily on servers.
- Only administrators may install new hardware on computers (including NICs and modems).
- Unauthorised connections to the Internet of any kind are not permitted.

The Contracted Worker Statement

These are the policies that must address the issues of contract or temporary workers. Some points to note:
- No temporary or contract user may access resources without authorisation, perform network scans, or copy data from a computer to any other device.
- FTP, telnet and SSH may not be used without written permission.

The Firewall Administrator Statement

- The firewall administrator must be certified by the firewall vendors.
- Must hold the SCNA certification.
- Must know the applications installed on the computers in the network.
- Reports directly to the head of the security department.
- Must be on call 24/24.

The points listed here are useful when drafting the firewall policy. In addition, firewall policies must be revised regularly to keep up with the global security situation.

III. Packet Filters and building the rule set of a Packet Filter

Overview of Packet Filtering
- The first kind of firewall used to protect internal networks.
- Usually built into routers and implemented as access control lists.
- Uses a set of rules to decide whether a packet is allowed through.
- Examines only the header, not the packet contents.
- Its function differs depending on where the packet filter is placed in the network (three figure slides).

Rules in a Packet Filter: issues to consider
- Which services on the Internet may the internal network access?
- Which services of the internal network may the Internet access?
- Which machines have special access that other machines do not?
- On which interface is the rule set placed?
- Direction of the packet.
- IP addresses.
- Port numbers.
- Higher-layer protocols.

Port, socket and ACK bit
The IP address identifies a machine in the session; the port identifies the real endpoint of the communication, that is, the specific application. A socket is an IP address paired with a port. Ports below 1023 are used for well-known applications; ports above 1023 are used by a host when it initiates a connection.

Port, socket and ACK bit (figure slide)

Example rule set
- Allow the internal network to reach web pages on the Internet and in the DMZ.
- The Internet may reach the web service on the web server.
- Other services are not allowed out to the Internet.

Example rule set (figure slide): allows all connections from outside into the internal network with destination port > 1023.

Using the source port information in addition (figure slide).

Using the ACK flag (figure slide).
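The three versions of the reply rule described on the slides above (destination port > 1023 only, plus source port, plus ACK flag), as an added example that is not part of the original slides. It is a small stateless packet-filter simulator: rules are checked in order and the first match decides. The addresses are constructed for the example: 10.0.0.0/8 stands for the internal network (from the slides' 10.0.10.0 subnet), 192.0.2.10 for the DMZ web server and 203.0.113.0/24 for the Internet.

```python
# Added example (not from the slides): a stateless packet-filter simulator
# that evaluates an ordered rule set against packet headers, first match wins.
# Addresses are constructed: internal network 10.0.0.0/8, DMZ web server
# 192.0.2.10, and 203.0.113.0/24 standing in for the Internet.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = "*"
PortRange = Optional[Tuple[int, int]]  # inclusive (low, high); None = any port


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str              # "in" (Internet -> inside) or "out"
    proto: str = ANY            # "tcp", "udp", ... or "*"
    src: str = ANY              # CIDR network or "*"
    dst: str = ANY
    sport: PortRange = None
    dport: PortRange = None
    ack: Optional[bool] = None  # True: ACK must be set; False: must be clear; None: ignore


def _in_net(addr: str, net: str) -> bool:
    return net == ANY or ip_address(addr) in ip_network(net)


def _in_range(port: int, rng: PortRange) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule: Rule, pkt: dict) -> bool:
    """True when every field of the rule accepts the packet header."""
    return (rule.direction == pkt["direction"]
            and rule.proto in (ANY, pkt["proto"])
            and _in_net(pkt["src"], rule.src)
            and _in_net(pkt["dst"], rule.dst)
            and _in_range(pkt["sport"], rule.sport)
            and _in_range(pkt["dport"], rule.dport)
            and (rule.ack is None or rule.ack == pkt["ack"]))


def evaluate(rules, pkt: dict) -> str:
    """First matching rule decides; no match means the default is deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


INTERNAL, WEB_SERVER = "10.0.0.0/8", "192.0.2.10/32"
HIGH_PORTS = (1024, 65535)

# Rules shared by every version: inside -> any web server (Internet or DMZ),
# Internet -> DMZ web server, and the web server's own replies.
BASE = [
    Rule("allow", "out", "tcp", src=INTERNAL, dport=(80, 80)),
    Rule("allow", "in", "tcp", dst=WEB_SERVER, dport=(80, 80)),
    Rule("allow", "out", "tcp", src=WEB_SERVER, sport=(80, 80), ack=True),
]

# Version 1: let replies back in by allowing any inbound packet to a port > 1023.
NAIVE = BASE + [Rule("allow", "in", "tcp", dst=INTERNAL, dport=HIGH_PORTS)]
# Version 2: additionally require the source port to be the web port.
WITH_SPORT = BASE + [Rule("allow", "in", "tcp", dst=INTERNAL,
                          sport=(80, 80), dport=HIGH_PORTS)]
# Version 3: additionally require ACK, so a connection-opening SYN is refused.
WITH_ACK = BASE + [Rule("allow", "in", "tcp", dst=INTERNAL,
                        sport=(80, 80), dport=HIGH_PORTS, ack=True)]

# Constructed packets (header fields only, as a stateless filter sees them).
CLIENT_REQUEST = dict(direction="out", proto="tcp", src="10.0.10.5",
                      dst="203.0.113.7", sport=40000, dport=80, ack=False)
SERVER_REPLY = dict(direction="in", proto="tcp", src="203.0.113.7",
                    dst="10.0.10.5", sport=80, dport=40000, ack=True)
# A new inbound connection to an internal service listening on a high port.
INBOUND_PROBE = dict(direction="in", proto="tcp", src="203.0.113.66",
                     dst="10.0.10.5", sport=4444, dport=8080, ack=False)
# The same, but with source port 80 so that it resembles a web reply.
PROBE_FROM_80 = dict(direction="in", proto="tcp", src="203.0.113.66",
                     dst="10.0.10.5", sport=80, dport=8080, ack=False)


def audit() -> dict:
    """Decision of each rule-set version for each packet, keyed by name."""
    versions = {"naive": NAIVE, "source_port": WITH_SPORT, "ack": WITH_ACK}
    packets = {"request": CLIENT_REQUEST, "reply": SERVER_REPLY,
               "probe": INBOUND_PROBE, "probe_from_80": PROBE_FROM_80}
    return {v: {p: evaluate(rules, pkt) for p, pkt in packets.items()}
            for v, rules in versions.items()}


if __name__ == "__main__":
    for version, decisions in audit().items():
        print(f"{version:12s} {decisions}")
```

Running it shows the progression the slides are making: the first version lets any new inbound connection to a high port through, the source-port version still passes a packet that merely claims source port 80, and only the ACK-flag version confines the rule to packets that belong to a connection the inside opened. A stateless filter can go no further than this; a stateful filter (named in the classification that follows) would instead remember the outbound request.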

Requirements on a rule set
- Consistency: no rule contradicts another.
- Completeness: the rule set covers every case that can occur.
- Concision: the rules are brief and do not overlap.

Classification of Packet Filters
- Stateless Packet Filter (Standard Packet Filter)
- Stateful Packet Filter

Stateless Packet Filter
The most basic form, and widely used. It processes each packet independently of the others, based on the information in the protocol headers. It keeps no information about packets already processed.
Fields a stateless packet filter uses:
- IP address
- TCP/UDP port
- Protocol field
- Fragmentation

IP address
The most basic element. The decision on how to handle a packet is based on the source and/or destination IP address. Usually designed to deny all packets by default, except those that match a rule.
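The consistency, completeness and concision requirements listed above can be checked mechanically for a first-match rule set. The following is an added example, not code from the original slides: rules carry only direction, protocol and destination-port range (a simplification chosen for the example), the checks are rule-against-rule coverage tests, and the sample rule set is constructed to contain one finding of each kind.

```python
# Added example (not from the slides): checks for the consistency,
# completeness and concision of a first-match rule set. A rule carries only
# direction, protocol and destination-port range; the rule set is constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "*"
PortRange = Optional[Tuple[int, int]]  # inclusive (low, high); None = any port


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    direction: str    # "in", "out" or "*"
    proto: str        # "tcp", "udp", "icmp", ... or "*"
    dport: PortRange  # None = any port


def _field_covers(a: str, b: str) -> bool:
    return a == ANY or a == b


def _range_covers(a: PortRange, b: PortRange) -> bool:
    if a is None:
        return True
    return b is not None and a[0] <= b[0] and b[1] <= a[1]


def _range_overlaps(a: PortRange, b: PortRange) -> bool:
    return a is None or b is None or (a[0] <= b[1] and b[0] <= a[1])


def covers(a: Rule, b: Rule) -> bool:
    """Every packet matched by b is also matched by a."""
    return (_field_covers(a.direction, b.direction)
            and _field_covers(a.proto, b.proto)
            and _range_covers(a.dport, b.dport))


def overlaps(a: Rule, b: Rule) -> bool:
    """Some packet is matched by both a and b."""
    return ((ANY in (a.direction, b.direction) or a.direction == b.direction)
            and (ANY in (a.proto, b.proto) or a.proto == b.proto)
            and _range_overlaps(a.dport, b.dport))


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(i, j) pairs where earlier rule i covers later rule j, so j never fires."""
    return [(i, j) for j in range(len(rules)) for i in range(j)
            if covers(rules[i], rules[j])]


def redundant(rules: List[Rule]) -> List[int]:
    """Concision: shadowed rules with the same action as the rule shadowing them."""
    return sorted({j for i, j in shadowed(rules)
                   if rules[i].action == rules[j].action})


def contradictions(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Consistency: shadowed rules whose action differs from the shadowing rule."""
    return [(i, j) for i, j in shadowed(rules)
            if rules[i].action != rules[j].action]


def order_dependent(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Consistency: overlapping rules with different actions where neither
    covers the other, so the result for the overlap depends only on order."""
    return [(i, j) for i in range(len(rules)) for j in range(i + 1, len(rules))
            if rules[i].action != rules[j].action
            and overlaps(rules[i], rules[j])
            and not covers(rules[i], rules[j])
            and not covers(rules[j], rules[i])]


def catch_all_index(rules: List[Rule]) -> Optional[int]:
    """Completeness: index of the first rule that matches every packet, or None."""
    for i, r in enumerate(rules):
        if r.direction == ANY and r.proto == ANY and r.dport is None:
            return i
    return None


# Constructed sample rule set with one problem of each kind.
RULES = [
    Rule("allow", "out", "tcp", (80, 80)),       # 0 inside -> web
    Rule("allow", "in", "tcp", (80, 80)),        # 1 Internet -> web server
    Rule("allow", "in", "tcp", (1024, 65535)),   # 2 the broad "> 1023" rule
    Rule("deny", "in", ANY, (8000, 9000)),       # 3 meant to block 8000-9000
    Rule("allow", "out", "tcp", (80, 80)),       # 4 duplicate of rule 0
    Rule("deny", ANY, ANY, None),                # 5 catch-all default deny
    Rule("allow", "in", "udp", (53, 53)),        # 6 unreachable after rule 5
]


def lint(rules: List[Rule]) -> dict:
    return {"redundant": redundant(rules),
            "contradictions": contradictions(rules),
            "order_dependent": order_dependent(rules),
            "catch_all": catch_all_index(rules)}


if __name__ == "__main__":
    for name, finding in lint(RULES).items():
        print(f"{name:16s} {finding}")
```

On the sample set the checks report rule 4 as redundant (concision), rule 6 as contradicted by the catch-all that precedes it (consistency), rules 2 and 3 as order-dependent because the TCP part of 8000-9000 is decided by whichever comes first (consistency), and rule 5 as the catch-all that makes the set complete. The same structure extends to source addresses and ports by adding a field and its coverage test.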

TCP/UDP port
Uses the source and destination ports to process a packet. Usually used to allow only specific applications through the packet filter, with everything else denied by default.

Protocol field
Examines the header contents to determine the protocol used at the next layer up, and on that basis allows the packet through or not. Protocols commonly checked:
- TCP
- UDP
- ICMP
- IGMP

Fragmentation
Fragmentation occurs when a packet