Table of contents

3.1 Overview
3.2 Components of the proxy program suite
3.2.1 Smap: the SMTP service
3.2.2 Netacl: network access control tool
3.2.3 Ftp-Gw: proxy server for FTP
3.2.4 Telnet-Gw: proxy server for Telnet
3.2.5 Rlogin-Gw: proxy server for rlogin
3.2.6 Sql-Gw: proxy server for Oracle SQL*Net
3.2.7 Plug-Gw: TCP plug-board connection server
3.3 Installation
3.4 Configuration
3.4.1 Initial network configuration
3.4.2 Configuring the bastion host
3.4.3 Setting up the rule set
3.4.4 Authentication and the authentication service
3.4.5 Using the CSE Proxy control screen
3.4.6 Issues to consider for users
… are not reported, for many reasons, among them the fear of losing reputation, or simply because the system administrators are not aware of the attacks aimed at their systems. Not only is the number of attacks rising quickly, the attack methods are also being refined continuously. This is partly because administrators of systems connected to the Internet have become increasingly vigilant. Also according to CERT, attacks in the 1988-1989 period mainly consisted of guessing user name and password pairs (UserID/password) or exploiting bugs in programs and operating systems (security holes) to disable the protection, whereas recent attacks also include operations such as IP address spoofing, monitoring of information sent over the network, and hijacking of remote sessions (telnet or rlogin).
1.2 What do you want to protect?
The basic task of a firewall is protection. If you want to build a firewall, the first thing to consider is what you need to protect.
1.2.1 Your data
Information stored on computer systems needs protecting because of the following requirements:
- Confidentiality: information of economic, military or political value, etc., must be kept secret.
- Integrity: information must not be lost, altered or substituted.
- Timeliness: information must be accessible at the moment it is needed.
Of these, confidentiality is usually regarded as the number one requirement for information stored on a network. However, even when the information is not kept secret, the integrity requirements are still very important. No individual or organisation wants to waste material resources and time storing information whose correctness it cannot vouch for.
1.2.2 Your resources
In practice, in attacks on the Internet, an attacker who has taken control of an internal system can use those machines for his own purposes, such as running password-guessing programs against users or using the available network links to go on attacking other systems.
… which the attacker obtains (root or administrator). Two examples frequently cited to illustrate this method are the sendmail program and the rlogin program of the UNIX operating system. Sendmail is a complex program whose source code runs to thousands of lines of C. Sendmail runs with the system administrator's privileges, because the program must be able to write into the mailboxes of the machine's users, and it accepts mail requests directly from the outside network. These are the factors that make sendmail a source of security holes through which a system can be accessed. Rlogin lets a user on one machine on the network log in remotely to another machine to use its resources. While reading the user's name and password, rlogin does not check the length of the input line, so an attacker can supply a precomputed string that overwrites rlogin's program code and thereby gains access.
1.3.1.2 Eavesdropping
Eavesdropping on network traffic can yield useful information such as user names and passwords and confidential information sent across the network. Eavesdropping is usually carried out right after the attacker has gained access to a system, using programs that put the network interface card (NIC) into a mode that receives all traffic passing on the network. Such programs are also easily obtained on the Internet.
1.3.1.3 Address spoofing
IP address spoofing can be carried out using the source-routing capability. In this attack the attacker sends IP packets to the internal network with a forged source address (usually the address of a network or host regarded as trusted by the internal network) while explicitly specifying the route the IP packets must take.
1.3.1.4 Disabling system functions (denial of service)
This kind of attack aims to paralyse a system so that it cannot perform the function it was designed for. It cannot be prevented altogether, because the means used to mount the attack are the very means used to work and access information on the network. For example, issuing ping at the highest possible rate forces a system to spend all its computing power and network capacity answering, leaving no resources for useful work.
1.3.1.5 Errors by the system administrator
This is not an attack method of intruders as such, but system administrators' mistakes often create holes that an attacker can use to get into the internal network.
1.3.1.6 Attacks on the human factor
An attacker may contact a system administrator, posing as a user, and ask to have a password changed, to have his access rights to the system changed, or even to have some system settings altered so that other attack methods can be carried out. No device can effectively prevent this kind of attack; the only way is to educate the users of the internal network about the security requirements so that they stay alert to suspicious events. In general the human factor is a weak point in any protection system, and only education together with a cooperative attitude on the part of users can raise the security of the protection system.
Usually, vandals are fairly rare on the Internet. Nobody likes them, and many people even enjoy tracking down and stopping them. Though few, vandals often do serious damage to your system, such as wiping all data or ruining the equipment on your computers.
1.3.2.3 Score keepers
Many passers-by are attracted to breaking in and vandalising. They want to prove themselves through the number and kinds of systems they have broken into. Getting into famous places, tightly guarded places or elaborately designed places is worth many points to them. They will, however, attack every place they can, for quantity as well as for quality. These people are not interested in the information you have or the other properties of your resources. Still, to achieve their goal of breaking in, they will damage your system, whether accidentally or on purpose.
1.3.2.4 Spies
Today a great deal of important information, military and economic among others, is stored on computers. Computer espionage is a complex problem and hard to detect. In fact most organisations cannot defend against this kind of attack effectively, and you can be sure that the Internet link is not the easiest route for a spy to gather information.
Only the exchanges permitted by the security policy of the internal network are allowed to pass through the firewall.
(Figure: Intranet - firewall - Internet)
1.4.3 Structure
A firewall consists of:
- one or more host systems connected to routers or acting as routers;
- security management software running on those hosts, usually authentication, authorization and accounting systems.
The operation of these systems is discussed in more detail later.
When we speak of data flowing between networks through a firewall, this means that the firewall works closely with the TCP/IP internetworking protocol. This protocol splits the data received from applications on the network, or more precisely from the services running on top of it (Telnet, SMTP, DNS, SNMP, NFS, ...), into data packets, tags these packets with identifiable addresses and reassembles them at the destination, so every kind of firewall is deeply concerned with packets and their address numbers. A packet filter accepts or rejects each packet it receives. It examines the packet to decide whether it satisfies one of the packet-filtering rules. These rules are based on the information in each packet header that is used to forward the packet across the network, namely:
- source IP address
- destination IP address
- transport protocol (TCP, UDP, ICMP, IP tunnel)
- TCP/UDP source port
- TCP/UDP destination port
- ICMP message type
- incoming interface of the packet
- outgoing interface of the packet
If a packet-filtering rule is satisfied, the packet is passed through the firewall; otherwise it is dropped. In this way the firewall can block connections to specified hosts or networks, or block access to the internal network from disallowed addresses. Moreover, by controlling ports the firewall can allow only certain kinds of connections to certain hosts, or allow only certain services (Telnet, SMTP, FTP, ...) to operate on the local network.
1.4.4.1.2 Advantages
Most firewall systems use packet filtering. One advantage of the packet-filtering approach is its low cost, since the packet-filtering mechanism is already included in every router's software.
In addition, packet filtering is transparent to users and applications, so it requires no special training.
1.4.4.1.3 Limitations
Defining packet-filtering policies is fairly complex; it requires the network administrator to have detailed knowledge of Internet services, packet header formats and the specific values each field may take. As the filtering requirements grow, the filtering rules become long and complicated, hard to manage and control. Because it works on packet headers, a packet filter obviously cannot inspect the content of the packets. Packets that pass through may still carry an attacker's attempts to steal information or cause damage.
1.4.4.2 Application-level gateway
1.4.4.2.1 Principle
This type of firewall is designed to strengthen control over the services and protocols allowed to access the network. Its operation relies on what are called proxy services. A proxy service is a special program installed on the gateway for each application. If the network administrator does not install a proxy for some application, the corresponding service is not provided and so cannot pass information through the firewall. Moreover, the proxy code can be configured to support only those features of the application that the administrator considers acceptable while rejecting the others. An application gateway is often regarded as a bastion host, because it is specially designed to resist attack from outside. The security measures of a bastion host are:
- The bastion host always runs secure versions of its system software (operating system). These secure versions are designed specifically to resist attacks on the operating system and to ensure firewall integrity.
- Only the services the network administrator considers necessary are installed on the bastion host, simply because a service that is not installed cannot be attacked. Typically only a limited set of applications for Telnet, DNS, FTP, SMTP and user authentication is installed on the bastion host.
- The bastion host may require different levels of authentication, for example a user password or a smart card.
- Each proxy is configured to allow access to only certain hosts. This means that the command set and features established for each proxy apply only to a subset of the hosts on the whole system.
- Each proxy keeps a log recording every detail of the traffic passing through it, every connection and its duration. This log is very useful for tracing or stopping an intruder.
- Each proxy is independent of the other proxies on the bastion host. This makes it easy to install a new proxy or remove one that has problems.
Example: Telnet proxy. Suppose a user (call it the outside client) wants to use the TELNET service to connect into the network through a bastion host that has a Telnet proxy. The process goes as follows:
1. The outside client telnets to the bastion host. The bastion host checks the password and, if it is valid, the outside client is admitted to the Telnet proxy's interface. The Telnet proxy allows a small set of Telnet commands and decides which internal hosts the outside client may access.
2. The outside client names the destination host, and the Telnet proxy opens its own connection to the internal host and forwards the commands to it on behalf of the outside client. The outside client believes the Telnet proxy is the real internal host, while the internal host believes the Telnet proxy is the real client.
1.4.4.2.2 Advantages
- The network administrator has full control over each service on the network, because the proxy application restricts the command set and decides which hosts the services may reach.
- The network administrator has full control over which services are allowed, because the absence of a proxy for a service means that service is blocked.
- An application gateway allows very good authentication checks and keeps a log of system access.
- Filtering rules for an application gateway are easier to configure and verify than those of a packet filter.
1.4.4.2.3 Limitations
Users must modify their behaviour, or modify the software installed on the client machine, to access the proxy services. For example, Telnet access through an application gateway requires two steps to connect to the destination host instead of one. However, some client software already makes the application gateway transparent by letting the user name the destination host, rather than the application gateway, on the Telnet command line.
1.4.4.3 Circuit-level gateway
A circuit-level gateway is a special function that can be performed by an application gateway. It simply relays TCP connections without doing any processing or packet filtering. Figure 2.2 illustrates a telnet connection through a circuit-level gateway. The gateway simply relays the telnet connection through the firewall without checking, filtering or controlling the Telnet protocol in any way. It works like a wire, copying bytes between the inside connection and the outside connection. However, because the connection appears to originate from the firewall system, it hides information about the internal network. Circuit-level gateways are often used for outgoing connections, where the network administrators really trust the internal users. The greatest advantage is that a bastion host can be configured as a hybrid providing an application gateway for incoming connections and a circuit-level gateway for outgoing ones. This makes the firewall system easy to use for people on the internal network who want direct access to Internet services, while still providing firewall protection of the internal network against attacks from outside.
… data-driven attacks, in which a program is carried through the firewall, for example by e-mail, into the protected network and starts running there. Computer viruses are one example. A firewall cannot scan the data passing through it for viruses, because of its operating speed, the constant appearance of new viruses and the many ways data can be encoded so as to escape the firewall's control.
1.4.6 Firewall examples
1.4.6.1 Packet-filtering router
The most common Internet firewall system consists of just a packet-filtering router placed between the internal network and the Internet (Figure 2.3). A packet-filtering router has two functions: forwarding traffic between the two networks, and applying packet-filtering rules to permit or deny that traffic. Basically the filtering rules are defined so that hosts on the internal network have direct access to the Internet, while hosts on the Internet have only limited access to the computers on the internal network. The guiding idea of this firewall architecture is that anything not explicitly permitted is denied.
(Figure 2.3: Packet-filtering router, with the Internet outside and the internal network inside)
Advantages: low cost (since the configuration is simple); transparent to users.
Limitations:
- It has all the limitations of a packet-filtering router, such as vulnerability to attacks on imperfectly configured filters or to attacks tunnelled under permitted services.
- Because packets are exchanged directly between the two networks through the router, the exposure to attack is determined by the number of permitted hosts and services. As a result, every host allowed direct Internet access needs a sophisticated authentication system and must be checked regularly by the network administrator for signs of attack.
1.4.6.2 Screened host firewall
This system consists of a packet-filtering router and a bastion host (Figure 2.4). It provides higher security than the previous system, because it enforces security at both the network layer (packet filtering) and the application layer. An attacker has to break both layers to attack the internal network.
(Figure 2.4: Screened host firewall - bastion host, internal hosts, information server, the Internet)
In this system the bastion host is configured on the internal network. The filtering rules on the packet-filtering router are defined so that all external systems can reach only the bastion host; traffic to all internal systems is blocked. Because the internal systems and the bastion host are on the same network, the organisation's security policy decides whether internal systems may access the Internet directly or must use the proxy services on the bastion host. Internal users are forced to use the proxies by configuring the router's filter to accept only internal traffic that originates from the bastion host.
Advantages: a server providing public information over Web and FTP can be placed between the packet-filtering router and the bastion host. Where the highest security is required, the bastion host can run proxy services that make all users, inside and outside, go through the bastion host before reaching that server. Where high security is not required, internal machines can connect to the server directly. If still higher security is needed, a dual-homed bastion host firewall can be used (Figure 2.5). Such a bastion host has two network interfaces, and direct communication between the two interfaces, other than through the proxy services, is forbidden.
(Figure 2.5: Screened host firewall (dual-homed bastion host) - bastion host, internal hosts, information server, the Internet)
Because the bastion host is the only internal system reachable from the Internet, attacks are limited to the bastion host. However, if a user gets onto the bastion host, he can easily reach the whole internal network. Users must therefore be barred from logging in to the bastion host.
1.4.6.3 Demilitarized zone (DMZ) or screened-subnet firewall
This system consists of two packet-filtering routers and a bastion host (Figure 2.6). It is the most secure firewall system, because it provides security at both the network and the application level while defining a demilitarized network. The DMZ acts as a small, isolated network placed between the Internet and the internal network. Basically a DMZ is configured so that systems on the Internet and on the internal network can reach only a limited set of systems on the DMZ, and direct transmission across the DMZ is impossible. For incoming traffic, the outer router guards against standard attacks (such as IP address spoofing) and controls access to the DMZ. It allows external systems to reach only the bastion host, and possibly the information server. The inner router provides a second line of defence by allowing the DMZ to reach the internal network only with traffic that originates from the bastion host. For outgoing traffic, the inner router controls the internal network's access to the DMZ: it allows internal systems to reach only the bastion host, and possibly the information server. The filtering rules on the outer router enforce use of the proxy services by allowing outgoing traffic only if it originates from the bastion host.
Advantages: an attacker has to break through three layers of protection: the outer router, the bastion host and the inner router.
Because the outer router advertises only the DMZ network to the Internet, the internal network is invisible. Only selected systems on the DMZ are known to the Internet through routing tables and DNS information exchange (Domain Name Server).
Because the inner router advertises only the DMZ network to the internal network, systems on the internal network cannot reach the Internet directly. This guarantees that internal users have to access the Internet through the proxy services.
(Figure 2.6: Screened-subnet firewall - internal network, information server)
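The header-field matching described in the packet-filter section and the screened-subnet rules just described, as an added example that is not part of the original document or of any router's configuration language: a small first-match packet filter in Python whose two rule sets model the outer and inner router of the DMZ design. All addresses, interface names and rules are constructed.

```python
"""First-match packet filter working on the header fields the text lists:
source/destination IP, protocol, source/destination port, ICMP message type
and incoming/outgoing interface.  Whatever matches no rule is dropped.
Added example; the addresses, interface names and rule sets below are
constructed to sketch the outer and inner router of a screened subnet."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    in_if: str                       # interface the packet arrived on
    out_if: str                      # interface it would be forwarded to
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"           # CIDR; /0 matches any address
    dst: str = "0.0.0.0/0"
    proto: str = "*"                 # "*" matches any protocol
    in_if: str = "*"
    out_if: str = "*"
    sport: Optional[range] = None    # None matches any port
    dport: Optional[range] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """A rule matches when every non-wildcard field agrees with the packet."""
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("*", p.proto)
                and self.in_if in ("*", p.in_if)
                and self.out_if in ("*", p.out_if)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport)
                and (self.icmp_type is None or p.icmp_type == self.icmp_type))


def filter_packet(rules, p: Packet) -> str:
    """The first matching rule decides; a packet matching no rule is denied,
    so anything not explicitly permitted is refused."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed addresses (RFC 5737 TEST-NET ranges stand in for public space).
INTERNAL = "10.0.0.0/8"          # protected internal network
DMZ = "192.0.2.0/24"             # the screened subnet
BASTION = "192.0.2.10/32"        # bastion host running the proxies
INFO_SERVER = "192.0.2.20/32"    # public information server in the DMZ
SERVICES = range(1, 1024)        # well-known ports (SMTP, FTP, Telnet, ...)
HTTP = range(80, 81)

# Outer router: interface "outside" faces the Internet, "dmz" faces the DMZ.
# Simplification: replies to connections the bastion itself opens (high ports)
# are left out; a real filter admits them with established/ACK rules.
OUTER_ROUTER = [
    # A packet from the Internet claiming an inside or DMZ address is spoofed.
    Rule("deny", src=INTERNAL, in_if="outside"),
    Rule("deny", src=DMZ, in_if="outside"),
    # External systems may reach only the bastion host and the information server.
    Rule("permit", dst=BASTION, proto="tcp", dport=SERVICES, in_if="outside", out_if="dmz"),
    Rule("permit", dst=INFO_SERVER, proto="tcp", dport=HTTP, in_if="outside", out_if="dmz"),
    # Outgoing traffic must originate at the bastion host, i.e. pass through its
    # proxies; the information server may only answer from its HTTP port.
    Rule("permit", src=BASTION, in_if="dmz", out_if="outside"),
    Rule("permit", src=INFO_SERVER, proto="tcp", sport=HTTP, in_if="dmz", out_if="outside"),
]

# Inner router: interface "dmz" faces the DMZ, "inside" faces the internal network.
INNER_ROUTER = [
    Rule("deny", src=INTERNAL, in_if="dmz"),          # spoofed inside address from the DMZ
    # Only connections started by the bastion host may enter the internal network.
    Rule("permit", src=BASTION, dst=INTERNAL, in_if="dmz", out_if="inside"),
    # Internal systems may reach only the bastion host and the information server.
    Rule("permit", src=INTERNAL, dst=BASTION, in_if="inside", out_if="dmz"),
    Rule("permit", src=INTERNAL, dst=INFO_SERVER, in_if="inside", out_if="dmz"),
]
```

An internal host that tries to reach the Internet directly is denied at the inner router already, so it never reaches the outer one; only the bastion's proxies get through.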
2. Internet services
As explained above, in general you have to decide what you are protecting when you set up a link to an outside network or the Internet: data, resources, reputation. When building a firewall you have to look at more specific questions: which of the services that you use or offer to the outside network (or the Internet) must be protected. The Internet provides a set of services that let users connected to it access and use the information on the Internet. This set of services has been, and is still being, extended as the Internet keeps growing. The services include the World Wide Web (WWW or Web for short), e-mail, FTP (file transfer protocol, a file transfer service), telnet (an application for logging in to remote computers), Archie (a system for locating information about files and directories), finger (a system for identifying users on the Internet), rlogin (remote login) and a number of others.
2.5 Archie
Archie is a kind of library that regularly and automatically searches computers on the Internet and builds a database listing the files that can be downloaded from the Internet. The data in these files is therefore always up to date, which makes Archie very convenient for users who want to find and download files. The user just sends a file name or keywords to Archie, and Archie returns the addresses of the files that have that name or contain those words.
2.6 Finger
Finger is an application program for finding the addresses of other users on the Internet. At the very least, finger can tell you who is using a given computer system and what their login names are. Finger is often used to find the e-mail addresses of friends on the Internet. It can also give you other information, such as how long someone has been logged in. Finger can thus be a powerful helper, but it is also a hazard to the security of the network.
These two components can operate separately. They can also be combined into a complete firewall system. In this document we discuss only the application-gateway program suite installed at VPCP.
Different configurations of the system give different levels of network security. Whoever installs the firewall must clearly understand the security requirements of the network to be protected, know which risks are acceptable and which are not, and collect and analyse them from the users' requirements. The proxy suite is designed for several firewall configurations, the most basic being the dual-homed gateway (Figure 2.4), the screened host gateway (Figure 2.5) and the screened subnet gateway (Figure 2.6). As we know, in these firewall architectures the most fundamental element is the bastion host, which acts as a forwarder of information, logs the traffic and provides the services. Keeping the bastion host secure is extremely important, because that is where most of the effort of installing a firewall system is concentrated.
… performed by the sendmail program. Sendmail needs no change or reconfiguration at all. When a remote system connects to the SMTP port, the operating system starts smap. Smap immediately chroots to its dedicated directory and sets its user-id to an ordinary (unprivileged) level. Because smap needs no support from any system file, the dedicated directory contains only files created by smap itself, so there is no need to fear that smap will alter system files while chrooted. Smap's sole purpose is to hold the SMTP dialogue with other systems, collect the mail messages, write them to disk, log them and exit. Smapd is responsible for regularly scanning smap's spool directory and handing the queued messages to sendmail for final delivery. Note that if sendmail is configured normally and smap runs with the uucp user-id (?), mail can be delivered normally without smapd running with elevated privilege. When smapd has delivered a message, it deletes the file holding that message from the spool. In this sense sendmail is isolated, so an unknown user on the network cannot connect to sendmail except through smap. However, smap and smapd cannot solve the problem of mail forgery or other attacks carried out through mail. Smap is very small compared to sendmail (700 lines versus 20,000), so analysing its source for bugs is much simpler.
Netacl is a network access control tool based on the network address of the client machine and the requested service. So a client (identified by IP address or hostname) can start telnetd (another version of telnet) when it connects to the telnet service port on the firewall. In typical firewall configurations netacl is used to forbid all machines except a few hosts from logging in to the firewall via telnet or rlogin, and to block access by attackers. Netacl's security rests on the IP address and/or hostname. For systems that need high security, IP addresses should be used to avoid DNS spoofing. Netacl cannot counter IP address forgery via source routing or other means; against such attacks a router that can screen source-routed packets is needed. Note that netacl does not provide UDP access control, because current technology cannot guarantee authentication of UDP. Security for UDP services here amounts to disallowing all UDP services. Netacl is only 240 lines of (commented) C code and is therefore very easy to check and adjust. Nevertheless care is still needed when configuring it.
Ftp-Gw does not itself threaten the security of the firewall system, because it runs chrooted to an empty directory and performs no file I/O apart from reading its configuration file. Ftp-gw is about 1,300 lines long. The FTP gateway only provides the FTP service; it does not concern itself with who is or is not allowed to export files. Permissions must therefore be established on the gateway and enforced before any export or import of files takes place. The FTP gateway should be installed according to the network's security policy. The source program suite allows the network administrator to offer both the FTP service and the FTP proxy on the same system.
3.3 Installation
The installation kit consists of two 1.44 MB floppy disks, R1 and R2. Each kit has a different serial number and works only on the machine whose hostname was fixed in advance. Installation proceeds normally using the custom command. During installation a user named proxy is registered with the system to perform the proxy management functions; the installer must set a password for this user. A directory /usr/proxy is created automatically with the subdirectories:
- bin: the executable programs
- etc: the firewall configuration files and some example system configuration files for running with the firewall, such as inetd.conf, services and syslog.conf
- log: the log files
- report: the report files produced later
Configuration and administration of the CSE Firewall are done through the menu functions available when logging in to the firewall machine as the user proxy. After installation the following system files should be renamed and saved before configuring: /etc/inetd.conf, /etc/services, /etc/syslog.conf.
… /etc/syslog.conf, /etc/sockd.conf. Modify the operating system configuration, removing services that can cause trouble such as NFS, then rebuild the kernel. This is repeated until the system provides the minimal set of services the administrator trusts. This configuration can be done while checking which services really run, using the ps and netstat commands. Most servers are configured together with some other form of protection; these configurations are described later. A general tool for probing TCP/IP services is /usr/proxy/bin/portscan, which can be used to see which services are being offered. If there are no special requirements, the configuration files mentioned above, pre-built and placed in /usr/proxy/etc during installation, can be used as they are; otherwise they can be consulted and modified as needed. All components of the firewall suite require a common configuration file (by default /usr/proxy/etc/netperms). Most components of the firewall suite are invoked by the system's inetd service, declared in /etc/inetd.conf along the lines of:

    ftp    stream    tcp    nowait    root    /usr/proxy/bin/netacl    ftpd
The netacl program is a TCP wrapper that provides access control for TCP services and shares a configuration file with the firewall. The first step in configuring netacl is to give the internal network limited access to the firewall, if that is needed for administration. Depending on whether the TELNET gateway tn-gw is installed, the administrator may access the firewall on a port other than the standard telnet port (23). This is because telnet usually does not allow a program to connect to a port other than its standard one. The proxy service runs on port 23 and the real telnet runs on another port, for example the service named telnet-a above (see the inetd.conf file above). The correctness of netacl can be verified by configuring it to permit or deny some hosts and then trying to access the services from them. Once netacl is configured, the TELNET and FTP gateways must be configured accordingly. Configuring the TELNET gateway is simply a matter of treating it as a service and writing in netacl.conf a description of which systems may use it. Help can be provided to users when needed. Configuring the FTP proxy is done the same way. However, FTP can use a different port, unlike TELNET; many FTP clients support the use of non-standard ports.
The rlogin service is an option that can be used and must be installed on the bastion host's application gateway (port 512); the rlogin protocol requires a special port, a process that requires UNIX system privileges. An administrator who wants to use the secure mechanism must set up a directory for the proxy so that it is simply confined to that directory. Smap and smapd are mail filtering processes that can be installed to use the proxy's own directory for processing or some other directory on the system. Smap and smapd do not replace sendmail, so sendmail must still be configured for the firewall; this is not described in this document.
3.4.3.1 Setting up the rule set for the HTTP and FTP services
Configuration for the HTTP and FTP services is done the same way. We give details only of the configuration and rules for the FTP service.

    # Example ftp gateway rules:
    # --------------------------------
    ftp-gw: denial-msg    /usr/proxy/etc/ftp-deny.txt
    ftp-gw: welcome-msg   /usr/proxy/etc/ftp-welcome.txt
    ftp-gw: help-msg      /usr/proxy/etc/ftp-help.txt
    ftp-gw: permit-hosts  10.10.170.* -log {retr stor}
    ftp-gw: timeout 3600

In the example above, the 10.10.170 network is allowed to use the proxy, while every other host, not being in the list, is denied all access. If another network tries to reach the proxy, it receives the denial message in /usr/proxy/etc/ftp-deny.txt and the connection is then closed. If the protected network grows, it is enough to add permit lines:

    ftp-gw: permit-hosts 16.67.32.* -log {retr stor}

or

    ftp-gw: permit-hosts 16.67.32.* -log {retr stor}
    ftp-gw: permit-hosts 10.10.170.* -log {retr stor}

Each component of the firewall has its own set of options, described in that component's manual page. In the example above, the option -log {retr stor} makes the FTP proxy log the retr and stor commands.
3.4.3.2 Anonymous FTP
Anonymous FTP servers have long been used on UNIX. Security holes regularly arise from newly added features, from bugs and from misconfiguration. One approach to securing anonymous FTP is to use netacl to make sure the FTP server is confined to its directory before it is invoked. With such a configuration it is hard for anonymous FTP to harm the system outside the FTP area. Below is an example of using netacl to decide, for each connection, whether or not to restrict FTP to its area. Assume the protected network is 192.5.12.
netacl-ftpd: hosts 192.5.12.* -exec /etc/ftpd
netacl-ftpd: hosts unknown -exec /bin/cat /usr/proxy/etc/noftp.txt
netacl-ftpd: hosts * -chroot /ftpdir -exec /etc/ftpd
In this example, users connecting to the FTP service from the protected network get normal FTP. Users connecting from systems whose domain is not known receive a message that they are not allowed to use FTP. Every other system connecting to FTP works within the chrooted FTP file area. This has several security advantages. First, when authenticating, ftpd checks the user's password inside the FTP area, which lets the administrator create FTP-only accounts. This is needed for people who have no account on the bastion host: it provides checking and authentication, and it lets the administrator use the strengths of ftpd even though it contains some security holes.
3.4.3.3 Telnet and rlogin
In general, access to the bastion host should be denied; only the administrator may log in. Usually, when the proxies are running, the telnet and rlogin programs cannot run on their standard ports. There are three ways to solve this:
- run the telnet and rlogin proxies on the standard ports, with telnet and rlogin on other ports, and protect access to them with netacl;
- allow login only from the console;
- use netacl to switch depending on where the connection comes from, with the proxy making the real connection.
The last solution is very convenient, but it lets everyone who may use the proxy log in to the bastion host. If the bastion host uses strong authentication to manage user access, the risk from attacks on the bastion host is reduced. To configure the system, first route all connections to the system through netacl and use it to invoke either the server program or the proxy server, depending on where the connection comes from. An administrator who wants to get into the bastion host must first connect to netacl and then issue the command to connect to the bastion host. This is simple, because some versions of telnet and rlogin do not work unless they connect to the right port.
-exec /etc/telnetd
-exec /etc/telnetd
-exec /usr/proxy/bin/tn-gw
-exec /etc/rlogin
-exec /etc/rlogin
netacl-rlogin: permit-hosts -exec /usr/proxy/bin/rlogin-gw
3.4.3.4 Sql-net proxy
Suppose there are two databases: STU on host 190.2.2.3 and VPCP on host 190.2.0.4. To configure the sql-net proxy, proceed as follows:
3.4.3.4.1 Configuration on the firewall
# Oracle proxy for STU Database
ora_stu1: timeout 3600
ora_stu1: port 1521 * -plug-to 190.2.2.3 -port 1521
ora_stu2: timeout 3600
ora_stu2: port 1526 * -plug-to 190.2.2.3 -port 1526
# Oracle proxy for VBPQ Database
ora_vpcp1: timeout 3600
ora_vpcp1: port 1421 * -plug-to 190.2.0.4 -port 1521
ora_vpcp2: timeout 3600
ora_vpcp2: port 1426 * -plug-to 190.2.0.4 -port 1526
Set up the /etc/services file as follows:
# Oracle Proxy for STU Database
ora_stu1   1521/tcp   # oracle proxy
ora_stu2   1526/tcp   # oracle proxy
# Oracle Proxy for VBPQ Database
ora_vpcp1  1421/tcp   # oracle proxy
ora_vpcp2  1426/tcp   # oracle proxy
Set up the /etc/inetd.conf file as follows:
# Oracle Proxy for STU Database
ora_stu1   stream tcp nowait root /usr/proxy/bin/plug-gw ora_stu1
ora_stu2   stream tcp nowait root /usr/proxy/bin/plug-gw ora_stu2
# Oracle Proxy for VBPQ Database
ora_vpcp1  stream tcp nowait root /usr/proxy/bin/plug-gw ora_vpcp1
ora_vpcp2  stream tcp nowait root /usr/proxy/bin/plug-gw ora_vpcp2
Set up the /etc/syslog.conf file as follows:
/usr/proxy/log/plug-gw
Set up the oracle_home\network\admin\tnsnames.ora file as follows:
  (ADDRESS_LIST =
    (ADDRESS =
      (COMMUNITY = tcp.world)
      (PROTOCOL = TCP)
      (Host = firewall)
      (Port = 1521)
    )
    (ADDRESS =
      (COMMUNITY = tcp.world)
      (PROTOCOL = TCP)
      (Host = firewall)
      (Port = 1526)
    )
  )
  (CONNECT_DATA =
    (SID = STU)
  )
)
vpcp.world =
(DESCRIPTION =
  (ADDRESS_LIST =
    (ADDRESS =
      (COMMUNITY = tcp.world)
      (PROTOCOL = TCP)
      (Host = firewall)
      (Port = 1421)
    )
    (ADDRESS =
      (COMMUNITY = tcp.world)
      (PROTOCOL = TCP)
      (Host = firewall)
You can easily extend this to more databases on other hosts.
3.4.3.5 Other services
In the same way, here are example configurations for the other services declared in the netperms file:
# finger gateway rules:
# ---------------------
netacl-fingerd: permit-hosts 190.2.* ws1 -exec /etc/fingerd
netacl-fingerd: deny-hosts * -exec /bin/cat /usr/proxy/etc/finger.txt
# http gateway rules:
# ---------------------
netacl-httpd: permit-hosts * -exec /usr/proxy/bin/http-gw
http-gw:  timeout      3600
#http-gw: denial-msg   /usr/proxy/etc/http-deny.txt
#http-gw: welcome-msg  /usr/proxy/etc/http-welcome.txt
#http-gw: help-msg     /usr/proxy/etc/http-help.txt
http-gw:  permit-hosts 190.2.* 10.* 192.2.0.* -log { all }
http-gw:  deny-hosts   220.10.170.32 ws1
http-gw:  default-httpd hpnt
#
# smap (E-mail) rules:
# ---------------------
smap, smapd: userid     root
smap, smapd: directory  /usr/spool/mail
smapd:       executable /usr/proxy/bin/smapd
smapd:       sendmail   /usr/lib/sendmail
smap:        timeout    3600
#
In addition, the CSE Firewall has a socks service for controlling special application software such as Lotus Notes. The following must be added to the system configuration files. File /etc/services:
socks 1080/tcp
File /etc/inetd.conf:
socks stream tcp nowait root /etc/sockd sockd
The configuration and rules for this service are in the file /etc/sockd.conf. Only two keywords matter, permit and deny, which allow or refuse hosts passing through; this service is not combined with the authentication service. IP addresses and netmasks in this file are written as in the UNIX route command.
permit 190.2.0.0    255.255.0.0
permit 10.10.170.50 255.255.255.255
permit 10.10.170.40 255.255.255.255
permit 10.10.170.31 255.255.255.255
deny   0.0.0.0      0.0.0.0 : mail -s 'SOCKD: rejected -- from %u@%A to host %Z (service %S)' root
In /etc/inetd.conf:
authsrv
The service port used for authsrv is then used when configuring the client applications that use the authentication service. The authentication service need not be applied to every service or every client.
# Example ftp gateway rules:
ftp-gw: authserver   localhost 7777
ftp-gw: denial-msg   /usr/proxy/etc/ftp-deny.txt
ftp-gw: welcome-msg  /usr/proxy/etc/ftp-welcome.txt
ftp-gw: help-msg     /usr/proxy/etc/ftp-help.txt
ftp-gw: permit-hosts 192.33.112.100
ftp-gw: permit-hosts 192.33.112.* -log {retr stor} -auth {stor}
ftp-gw: permit-hosts * -authall
ftp-gw: timeout      36000
In the example above, authentication is used with the FTP proxy. The first line defines the network address and service port of the authentication program. The first permit-hosts line shows one of the flexibilities of the authentication system: a selected host is exempt from authentication, and users from that host may freely use every service of the proxy. The second permit-hosts line requires authentication from every system in network 192.33.112 that wants to transfer data outwards; with -auth {stor}, that FTP operation is locked until the user has completed authentication with the server. The command is then unlocked and the user can proceed. The last line defines that everyone may talk to the server, but must be authenticated first. The authsrv server must be configured to know which machines may connect to it. This blocks all illegitimate attempts to reach the server from hosts that do not run the authentication software. In the Firewall, authsrv runs on the bastion host together with the proxies there. If no other system needs access, every client and the server use the local host as the communication address. The authsrv configuration defines how it operates its database and which clients it supports.
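As an added example (not code from the CSE Firewall or the FWTK), the following Python models the netperms semantics used in the FTP gateway, anonymous-FTP netacl and authentication examples above: the first matching line of a service wins, host patterns are IP wildcards, '*' or 'unknown', and -auth {cmds} / -authall lock FTP commands until the user has authenticated. The rule text is constructed from the examples on this page.

```python
# Added example, not code from the CSE Firewall or the FWTK: a model of the
# netperms rule semantics described on this page. The first matching line of a
# service wins; host patterns are IP wildcards (192.5.12.*), '*' for any host
# or 'unknown' for a client whose name does not resolve.
import re

def parse_netperms(text):
    rules = []                                 # (service, kind, patterns, opts)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        service, body = line.split(":", 1)
        head, *optchunks = re.split(r"\s+-(?=[a-z])", body.strip())
        kind, *patterns = head.split() or [""]
        if kind not in ("permit-hosts", "deny-hosts", "hosts"):
            continue                           # denial-msg, timeout, ... not modelled
        opts = {}
        for chunk in optchunks:
            name, _, val = chunk.partition(" ")
            if val.startswith("{"):            # brace list such as {retr stor}
                opts[name] = val.strip("{} ").split()
            else:
                opts[name] = val or True       # -exec path, -chroot dir or a bare flag
        rules.append((service.strip(), kind, patterns, opts))
    return rules

def host_matches(pattern, ip, hostname):
    if pattern == "unknown":                   # client name did not resolve
        return hostname is None
    if "*" in pattern:                         # '*' alone or a prefix such as 10.*
        return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), ip) is not None
    return pattern in (ip, hostname)

def lookup(rules, service, ip, hostname=None):
    # The first rule of `service` whose host list matches wins; no rule means deny.
    for rule in rules:
        if rule[0] == service and any(host_matches(p, ip, hostname) for p in rule[2]):
            return rule
    return None

def ftp_command_allowed(rule, command, authenticated=False):
    # -authall locks every command, -auth {cmds} the listed ones, until authsrv login.
    if rule is None or rule[1] == "deny-hosts":
        return False
    if authenticated:
        return True
    if rule[3].get("authall"):
        return False
    return command.lower() not in rule[3].get("auth", [])

# Constructed rule set, assembled from the examples in this section.
SAMPLE = """ftp-gw:      permit-hosts 192.33.112.100
ftp-gw:      permit-hosts 192.33.112.* -log {retr stor} -auth {stor}
ftp-gw:      permit-hosts * -authall
netacl-ftpd: hosts 192.5.12.* -exec /etc/ftpd
netacl-ftpd: hosts unknown -exec /bin/cat /usr/proxy/etc/noftp.txt
netacl-ftpd: hosts * -chroot /ftpdir -exec /etc/ftpd
"""
RULES = parse_netperms(SAMPLE)
```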
# Example authsrv rules:
In the example above, the path to the database is defined and two hosts are recognised. Note that the database is on the protected system, or is strictly protected by the file access mechanisms. Protecting the database is very important, so it should be kept on the bastion host. The second entry is an example of a client that uses DES encryption when communicating with authsrv. Because the key is stored in the configuration file, the configuration file must be protected. In general, encryption is not necessary. What encryption buys is that the administrator can manage the authentication database from a workstation. The only data streams that need protecting are when the administrator resets a password over the local network, or manages the authentication database over a wide area network. Maintaining the authentication database relies on two tools, authload and authdump, which load and dump the authentication database. The administrator should run authdump from crontab to create an ASCII copy of the database, in case the database is corrupted or deleted. Authsrv manages groups very flexibly: the administrator can gather users into groups with a group wizard (group wiz), who has the right to administer the group and can delete, add, create and edit records in the group, enable or disable users, and change the passwords of users in his own group. A group administrator cannot change users of other groups, create new groups or change the relations between groups; his rights are limited to his own group. This is useful for organisations with many working groups sharing the Firewall. Create a user with the adduser command:
adduser mjr Marcus J. Ranum
When a new user record is created it is not yet active and the user cannot log in. Before the user can log in, the administrator can change the user's password and group:
group mjr users
password mjr whumpus
proto mjr SecurID
enable mjr
When a user record is created by a group administrator, it inherits the group as well as the authentication protocol. A user record can be viewed with the display or list command. An example session with authmgr:
% authmgr
Connected to server
authmgr-> login
Username: wizard
Challenge 200850: 182312
Logged in
authmgr-> disp wizard
Report for user wizard (Auth DBA)
  Last authenticated: Fri Oct 8 17:11:07 1993
  Authentication protocol: Snk
  Flags: WIZARD
authmgr-> list
Report for users in database
user    group  longname     flags  proto   last
----    -----  --------     -----  -----   ----
wizard  users  Auth DBA     y W    Snk     Fri Oct 8 17:02:56 1993
avolio  users  Fred Avolio  y      passwd  Fri Oct 8 17:02:10 1993
mjr                                none    1993
authmgr-> adduser dalva Dave Dalva
ok - user added initially disabled
authmgr-> enable dalva
enabled
authmgr-> group dalva users
set group
authmgr-> proto dalva Skey
changed
authmgr-> disp dalva
Report for user dalva, group users (Dave Dalva)
  Authentication protocol: Skey
  Flags: none
authmgr-> password dalva
Password: #######
Repeat Password: #######
ID dalva s/key is 999 sol32
authmgr-> quit
In the example above, the administrator connects to authsrv over the network through the authmgr interface; after authenticating, the user record is displayed together with the time of the last authentication. After login, the user database is listed, a user is created, a password is set, and the user is enabled and put into a group.
authsrv# adduser admin Auth DBA
ok - user added initially disabled
authsrv# enable admin
enabled
authsrv# superwiz admin
set wizard
authsrv# proto admin Snk
changed
authsrv# pass admin 160 270 203 065 022 034 232 162
Secret key changed
authsrv# list
Report for users in database
user   group  longname  flags  proto  last
----   -----  --------  -----  -----  ----
admin         Auth DBA  y W    Snk    never
authsrv# quit
In this example, a new database is created together with a record for the administrator. The administrator is given privileges and assigned an authentication protocol.
PROXY SERVICE MENU
 1  Configuration
 2  View TELNET log
 3  View FTP log
 4  View HTTP log
 5  View E-MAIL log
 6  View AUTHENTICATE log
 7  View FINGER log
 8  View RLOGIN log
 9  View SOCKD log
 a  Report
 b  Authentication
 c  Change system time
 d  Change password
 e  Shutdown
 q  Exit
Select option> _
The leading digit or letter is the key to press to run that function. When a function finishes, a message is shown and the program waits until Enter is pressed before returning to the main control screen.
3.4.5.1 1 Configuration
This function edits the proxy configuration file directly. The file holds the rules for the services such as netacl, ftp-gw, tn-gw... The syntax of these rules was described above. After changing the rules, choose Save and the new rules take effect immediately. Note: the text editor used for the configuration file has function keys like those of the Turbo Pascal 3.0 editor (the available functions are shown on the Status Bar on the last line of the screen). In the cases where this editor does not work, the UNIX vi editor is used instead.
3.4.5.2 2 View TELNET log
Views the tn-gw log. The log records every access through the proxy for the tn-gw service. The other services, such as ftp-gw and http-gw, are logged as well and can be followed with the corresponding functions (see the sections below).
3.4.5.3 3 View FTP log
Views the ftp-gw log.
3.4.5.4 4 View HTTP log
Views the http-gw log.
3.4.5.5 5 View E-MAIL log
Views the log of the e-mail service.
3.4.5.6 6 View AUTHENTICATE log
Views the log of the authentication service.
3.4.5.7 7 View FINGER log
Views the finger log.
3.4.5.8 8 View RLOGIN log
Views the rlogin-gw log.
3.4.5.9 9 View SOCKD log
Views the sockd log.
3.4.5.10 a Report
Produces a statistical report for all services over a chosen period. First a calendar is shown for choosing the period to report on. Once the report has been computed, the user chooses one of the output options: view (on screen), save (to floppy disk) or print (on the printer attached directly to the server). To print on another printer, save the report to floppy and print the files from a workstation.
Fri May  8 10:39:13 1998

        Apr                    May                    Jun
 S  M Tu  W Th  F  S    S  M Tu  W Th  F  S    S  M Tu  W Th  F  S
          1  2  3  4                   1  2       1  2  3  4  5  6
 5  6  7  8  9 10 11    3  4  5  6  7  8  9    7  8  9 10 11 12 13
12 13 14 15 16 17 18   10 11 12 13 14 15 16   14 15 16 17 18 19 20
19 20 21 22 23 24 25   17 18 19 20 21 22 23   21 22 23 24 25 26 27
26 27 28 29 30         24 25 26 27 28 29 30   28 29 30
                       31
From date (dd/mm[/yy]) (08/05/98): 01/05/98
To date (dd/mm[/yy]) (08/05/98): 05/05/09
Calculating...
View, save to MS-DOS floppy disk or print report (v/s/p/q)? v
3.4.5.11 b Authentication
This function calls authsrv to manage users and their authentication. authsrv was described in detail above.
authsrv# list
Report for users in database
user   group  longname  status  proto  last
----   -----  --------  ------  -----  ----
dalva  cse              n       passw  never
ruth   cse              y       passw  never
authsrv#
3.4.5.12 c Change system time
Changes the system time. This function is for setting the system clock accurately, because the clock directly affects the accuracy of the logs and lets the administrator track accesses to the proxy correctly. Enter the time as shown below. The date need not be entered, but pay attention to the input format. Below is an example of changing the time to 11:28.
Current System Time is Fri May 08 10:32:00 HN 1998
Enter new time ([yymmdd]hhmm): 1128
3.4.5.13 d Change password
Changes the proxy user's password.
3.4.5.14 e Shutdown
Shuts down the whole system. Use this function to turn the machine off safely.
3.4.5.15 q Exit
Logs out of the proxy control screen.
In Netscape Navigator (version 4.0), choose Edit -> Preferences -> Advanced -> Proxies and enter the proxy address and service port (80) under Manual proxy configuration.
3.4.6.2 For telnet users
If authentication is not enabled, the procedure is as follows:
$ telnet vectra
Trying 192.1.1.155...
Connected to vectra.
Escape character is '^]'.
Vectra.sce.gov.vn telnet proxy (version V1.0) ready:
tn-gw -> help
Valid commands are: (unique abbreviations may be used)
  connect hostname [serv/port]
  telnet hostname [serv/port]
  x-gw [hostname/display]
  help/?
  quit/exit
  password
tn-gw -> c 192.1.1.1
Trying 192.1.1.1 port 23...
SCO OpenServer(TM)
3.4.6.3 For FTP users
If authentication is enabled, the procedure is as follows:
$ ftp vectra
Connected to vectra.
220-Proxy first requires authentication
220 Vectra.sce.gov.vn FTP proxy (version V1.0) ready:
Name (vectra:root): ngoc
331 Enter authentication password for ngoc
Password: #######
230 User authenticated to proxy
ftp> user ngoc@192.1.1.1
331-(----GATEWAY CONNECTED TO 192.1.1.1----)
331-(220 sco5.cse.gov.vn FTP server (Version 2.1 WU(1)) ready.)
331 Password required for ngoc.
Password:
230 User ngoc logged in.
ftp> ...
Name (vectra:root): ngoc@192.1.1.1
331-(----GATEWAY CONNECTED TO 192.1.1.1----)
331-(220 sco5.cse.gov.vn FTP server (Version 2.1 WU(1)) ready.)
331 Password required for ngoc.
Password:
230 User ngoc logged in.
ftp> ...
ftp> bye
221 Goodbye
$
If you use the WS_FTP program for Windows from Ipswitch, Inc., you must tick Use Firewall in the Advanced section when configuring a session. In the Firewall Information section, enter the IP address of the proxy in Hostname, the user name and password (UserID and Password) for authentication on the proxy, and the service port (21). Also select USER after logon under Firewall type.