FIS,2008 Network Security 1

Part II: Infrastructure Security

Contents
1. Network security topologies
2. Firewall
3. IDS/IPS
4. VPN
5. VLAN
6. NAT
7. Media security
8. Network security policies
9. Low-layer security baselines
Case study: setting up a VPN and firewall system for an enterprise
Network security topologies
(Diagram; labels: ISP, modem, remote access server, router, server, access point, PDA, laptop.)
Network security topologies
(Diagram; labels: ISP, modem, firewall, web server, access point, PDA, laptop, VLAN2, VLAN3, VLAN4, IDS/IPS, mail server, file server, and the zones DMZ, Inside and Outside.)
Firewall
Function: the main function of a firewall is to control and monitor access, in four forms:
- Service control
- Direction control
- User control
- Behaviour control

Firewall
The network is divided into zones:
- Intranet (inside): trusted
- Extranet (outside): untrusted
- DMZ: De-Militarized Zone
Firewall
Classification
- Software: Check Point, MS ISA, ...
- Appliance: Cisco PIX, Juniper, Firebox, WatchGuard, ...
- Technology: a firewall uses one of the following technologies:
  - Packet filtering
  - Proxy server
  - Stateful filtering

Firewall
Packet filtering:
Operating principle: works closely with the TCP/IP protocol stack.
Packet filtering
Principle
- Inspect each packet to decide whether it satisfies the rules of the filter.
- The packet filter permits (rule satisfied) or denies (rule not satisfied) every packet it receives.

What information do the filtering rules rely on?
Fields in the IP, TCP or UDP header:
- Source IP address
- Destination IP address
- Protocol used (TCP, UDP, ICMP)
- TCP/UDP source port
- TCP/UDP destination port
- Incoming interface
- Outgoing interface

Filtering rules
A policy holds a list of rules. If the information in a packet matches a rule, that rule is applied to decide whether the packet is forwarded or dropped (deny).
If the packet matches no rule at all, the default rule applies. There are usually two choices for the default policy: default = forward, or default = drop.
Rules are evaluated from top to bottom in decreasing order of priority, so the first rule that matches decides.
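The rule semantics above (header-field matching, top-down evaluation, first match wins, default policy when nothing matches) as a small stateless packet filter. This is an added example, not code from the FIS slides; the addresses, interface names and the sample policy are constructed for the slides' inside/DMZ/outside layout.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str              # source IP address
    dst: str              # destination IP address
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for ICMP
    in_if: str            # interface the packet arrived on

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # CIDR prefix; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches every port
    in_if: str = "any"

    def matches(self, p: Packet) -> bool:
        # Every field of the rule must match; "any"/None fields are wildcards.
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport)
                and self.in_if in ("any", p.in_if))

def filter_packet(rules: List[Rule], p: Packet,
                  default: str = "deny") -> Tuple[str, Optional[int]]:
    """Walk the rules top-down and return (verdict, index of the deciding rule).
    Index None means no rule matched and the default policy decided."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return default, None

# Constructed policy for the slides' inside/DMZ/outside design (addresses are
# made up): 10.0.0.10 is the DMZ web server, 10.0.0.12 the DMZ mail server,
# 192.168.1.0/24 the inside user network. Order matters: the anti-spoofing
# deny comes first so a packet from outside with a private source address
# never reaches the permit rules below it.
POLICY = [
    Rule("deny", src="10.0.0.0/8", in_if="outside"),
    Rule("permit", dst="10.0.0.10/32", proto="tcp", dport=80, in_if="outside"),
    Rule("permit", dst="10.0.0.12/32", proto="tcp", dport=25, in_if="outside"),
    Rule("permit", src="192.168.1.0/24", in_if="inside"),
]
```

Swapping the first two rules would let a spoofed packet from 10.x reach the web-server permit, which is why rule order is part of the policy.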
Advantages
- Fast processing.
- Packet filters are usually transparent to users and applications.
- Good at blocking denial-of-service attacks.
- Easy to deploy, install and maintain.

Disadvantages
- Cannot control data from layer 4 upwards.
- Limited logging, because the firewall inspects only a limited number of fields in each packet.
- Most firewalls of this type do not support user authentication.
- Cannot stop attacks that exploit weaknesses in the TCP/IP protocols themselves.
- Requires an administrator with deep knowledge of Internet services.
Circuit-level gateway
- Operates at the transport layer.
- Monitors the TCP handshake between incoming and outgoing packets to determine whether a session is legitimate.

Operating principle
- Does not allow an end-to-end connection.
- Establishes two TCP connections:
  - between the gateway and the inside host;
  - between the gateway and the outside host.
- Once both connections are established, the circuit-level gateway copies and relays TCP segments from the inside connection to the outside connection and vice versa, without inspecting the data content.
- The gateway considers a session legitimate if the SYN and ACK flags and the sequence numbers exchanged during the handshake between the connections are valid.

How it works
- The inside host requests a service; the gateway accepts the request.
- On behalf of the inside host, the gateway opens a connection to the outside host and closely monitors the TCP handshake. The handshake consists of exchanging packets carrying flags (SYN or ACK).
- Once the gateway has verified that the inside and outside hosts are parties to one session, it copies and relays data between the two connections.
- The gateway maintains a connection table; data is allowed through only if it belongs to one of the sessions in the table.
- When a session ends, the circuit-level gateway removes that session's entry from the table.
- Connection table: session ID, state (handshake, established), ...
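A toy model of the connection table described above: it follows the SYN, SYN-ACK, ACK exchange with matching sequence numbers, relays later segments only for sessions in the table, and removes the entry when the session closes. This is an added example, not code from the FIS slides; the segment model and the addresses used in the trace are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

@dataclass(frozen=True)
class Seg:                 # one TCP segment as seen by the gateway (constructed model)
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int = 0
    ack: int = 0

class CircuitGateway:
    def __init__(self) -> None:
        self.table: Dict[Tuple, dict] = {}   # session id -> state record

    @staticmethod
    def session_id(s: Seg) -> Tuple:
        return tuple(sorted([(s.src, s.sport), (s.dst, s.dport)]))  # same id both ways

    def handle(self, s: Seg) -> str:
        """Return "forward" or "drop" for one segment passing the gateway."""
        sid = self.session_id(s)
        st = self.table.get(sid)
        if st is None:
            if s.flags == {"SYN"}:             # a new circuit is being opened
                self.table[sid] = {"state": "handshake", "isn_c": s.seq, "isn_s": None}
                return "forward"
            return "drop"                      # not in the table and not a SYN
        if s.flags & {"FIN", "RST"}:           # session ends: remove its entry
            del self.table[sid]
            return "forward"
        if st["state"] == "handshake":
            if s.flags == {"SYN", "ACK"} and st["isn_s"] is None and s.ack == st["isn_c"] + 1:
                st["isn_s"] = s.seq            # server acknowledged the client's ISN
                return "forward"
            if s.flags == {"ACK"} and st["isn_s"] is not None and s.ack == st["isn_s"] + 1:
                st["state"] = "established"    # three-way handshake complete
                return "forward"
            return "drop"                      # out-of-order or wrongly numbered handshake segment
        return "forward"                       # established: relay without inspecting the payload

def run_trace(segments) -> Tuple[list, int]:
    """Feed segments through a fresh gateway; return the verdicts and the table size afterwards."""
    gw = CircuitGateway()
    return [gw.handle(s) for s in segments], len(gw.table)
```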
Advantages
- Higher level of security than packet filtering.
- Can be deployed for a large number of upper-layer protocols without needing to understand the information carried in those protocols.

Disadvantages
- Once a connection is established, it may allow malicious code to be sent inside the packets.
Application gateway
- Operates at the application layer.
- Designed to strengthen control over which services and protocols are allowed to access the network.

Operating principle
- Based on proxy services.
- A proxy service is a special program installed on the gateway for each application.
- Connecting to a service through the application gateway takes five steps.

Operating principle
- Step 1: The client sends its request for the remote server to the application gateway.
- Step 2: The application gateway authenticates the user. If authentication succeeds, continue to step 3; otherwise the process ends.
- Step 3: The application gateway forwards the client's request to the remote server.
- Step 4: The remote server's reply is delivered to the application gateway.
- Step 5: The application gateway forwards the remote server's reply to the client.

Advantages
- Full control over each service on the network (deciding which servers can be reached by each service).
- Full control over which services are allowed (if there is no proxy for a service, that service is blocked).
- Strong authentication checks, and logging of access to the system.
- Filtering rules for an application gateway are easier to configure and verify than packet-filtering rules.
Disadvantages
- Slow, with low throughput, because processing happens across many layers.
- Limited set of supported services.
- Limited scalability.
- Complex installation and maintenance.
- Limited transparency to end users.
Stateful Multilayer Inspection Firewall
- Like a packet-filtering firewall, it operates at the network layer and filters incoming/outgoing packets on the parameters source address, destination address, source port and destination port.
- Like a circuit-level gateway, it identifies exactly which packets belong to a session.
- SIF imitates an application gateway: it passes the packet up to the application layer and checks whether the data content conforms to the rules of the system's security policy.

Firewall
Can a few good firewalls guarantee a secure system?
IDS/IPS
(Diagram; labels: ISP, modem, firewall, web server, access point, PDA, laptop, VLAN2, VLAN3, VLAN4, IDS/IPS, mail server, file server, DMZ, Inside, Outside, with an X marked on the diagram.)
IDS/IPS
- IDS/IPS: attack detection / attack prevention.
- IDS: Intrusion Detection System.
- IPS: Intrusion Prevention System.
- Usually integrated with the firewall.
- Signature based, so the signatures must be updated regularly.

IDS/IPS
Operating modes
- Active detection
- Passive detection

Active detection:
- The IDS reacts to the attack and instructs the firewall to block the suspicious ports.
- Problem: false alarms from the IDS; communication must be configured between the IDS and the network device that does the blocking.

IDS/IPS
Passive detection:
- Attack signatures are recorded, but not blocked immediately.
- Can be configured to alert the administrator, who blocks manually.
- Used to analyse alerts.
- Problem: slow response time.
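The two operating modes above, run as a toy signature-based IDS over a handful of log lines. This is an added example, not code from the FIS slides; the signature, the threshold and the log lines are all constructed. Lowering the threshold shows the false-alarm problem named on the slide: in active mode a loose signature turns an inside user's single typo into a firewall block.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed signature: repeated SSH login failures from one source address.
FAILED_LOGIN = re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+) port \d+")
THRESHOLD = 3   # failures from one source before the signature fires

SAMPLE_LOG = [  # constructed log lines, not real data
    "Mar  1 10:00:01 gw sshd[4711]: Failed password for root from 203.0.113.9 port 51000 ssh2",
    "Mar  1 10:00:02 gw sshd[4712]: Failed password for root from 203.0.113.9 port 51001 ssh2",
    "Mar  1 10:00:03 gw sshd[4713]: Failed password for admin from 203.0.113.9 port 51002 ssh2",
    "Mar  1 10:00:09 gw sshd[4720]: Failed password for alice from 192.168.1.7 port 40211 ssh2",
    "Mar  1 10:00:10 gw sshd[4721]: Accepted password for alice from 192.168.1.7 port 40211 ssh2",
]

def run_ids(lines: List[str], mode: str, threshold: int = THRESHOLD) -> Dict[str, list]:
    """Run the signature over the lines in "active" or "passive" mode.
    Returns the alerts raised and, in active mode, the block instructions sent to the firewall."""
    failures: Counter = Counter()
    alerts: List[str] = []
    blocks: List[str] = []
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if not m:
            continue
        ip = m.group("ip")
        failures[ip] += 1
        if failures[ip] == threshold:          # fire once, when the threshold is reached
            alerts.append(f"ssh brute force from {ip}")
            if mode == "active":               # active detection: tell the firewall to block
                blocks.append(f"deny src {ip}")
    return {"alerts": alerts, "blocks": blocks}
```

In passive mode the same alerts are produced but nothing is blocked; the administrator reviews them and decides, which is the slower but safer path the slide describes.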
IDS/IPS
Classification
- Network based: IDS/IPS for the whole network.
- Host based: IDS/IPS for an individual host.

Network-based IDS
- Usually delivered as an appliance.
- Can monitor the entire system.
IDS/IPS
Host-based IDS
- Installed on important machines to detect attacks.
- Problems:
  - No overall view of the attacks.
  - Only monitors the machine the IDS is installed on.
VPN
(Diagram; labels: ISP, modem, firewall, web server, access point, PDA, laptop, VLAN2, VLAN3, VLAN4, IDS/IPS, mail server, file server, DMZ, Inside, Outside.)
VPN
- VPN, Virtual Private Network.
- Allows a secure (private) channel to be set up over a shared (virtual) environment.
- Benefits:
  - Security
  - Cost savings

Example: Check Point VPN-1 Power

VPN
Supporting devices/software
- Usually integrated with the firewall.
- If high performance is needed, deploy it separately.
VPN types
- Site-to-site VPN: connects network to network.
- Remote-access VPN: connects host to network.
Site-to-site VPN
(Diagram; labels: Internet, VPN gateway, VPN gateway, Headquarters, Branch.)

Remote-access VPN
(Diagram; labels: Internet, VPN gateway/server, Headquarters, Branch, remote user, VPN client.)
VPN
Protocols used in VPNs
- L2F: Layer 2 Forwarding (Cisco)
- PPTP: Point-to-Point Tunneling Protocol (Microsoft)
- L2TP: Layer 2 Tunneling Protocol (Microsoft + Cisco)
- IPSec: IP Security
- SSL/TLS: Secure Sockets Layer / Transport Layer Security
- MPLS: Multi-Protocol Label Switching
VLAN, Virtual LAN
(Diagram; labels: ISP, modem, firewall, web server, access point, PDA, laptop, VLAN2, VLAN3, VLAN4, IDS/IPS, mail server, file server, DMZ, Inside, Outside.)
VLAN, Virtual LAN
Example: deploying a VLAN network (diagram)

VLAN, Virtual LAN
- A technique for splitting a broadcast domain into several virtual broadcast domains.
- Each virtual broadcast domain uses one network or one subnetwork.
- Makes system design more flexible and saves cost.
- Allows users with the same function in the same organisation to work in the same broadcast domain regardless of their physical location.

VLAN, Virtual LAN
- Users in the same VLAN use the same network/subnetwork and can communicate with each other easily.
- Users in different VLANs who want to communicate with each other must go through a Layer 3 device (router).
- VLAN information (the VLAN database) can be propagated from one switch to another in the same system through a trunk link and "int VLAN1".

Trunk link
- Has a bandwidth of 100 Mbps or more; it is a link that traffic from all VLANs can pass through.
- When a user's VLAN traffic is sent onto the trunk, it is encapsulated with the VLAN ID so that the receiving side can tell which VLAN the traffic belongs to.

VLAN ID encapsulation
- 802.1Q (commonly called dot1q): the standard VLAN ID encapsulation, common to all switches.
- Native VLAN: the VLAN whose data is sent onto the trunk without a VLAN ID tag. By default the native VLAN is VLAN 1.
- ISL (Inter-Switch Link): a VLAN ID encapsulation used only on Cisco Catalyst switches.
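The 802.1Q encapsulation and native-VLAN behaviour described above, as the sending and receiving sides of a trunk would apply it. This is an added example, not code from the FIS slides; the MAC addresses and payloads are constructed, and the receiving side's native VLAN is a parameter so that a native-VLAN mismatch can be observed.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
NATIVE_VLAN = 1       # the default native VLAN named on the slide

# Constructed sample addresses for the demonstration.
DST_MAC = bytes.fromhex("ffffffffffff")
SRC_MAC = bytes.fromhex("001122334455")

def tag_for_trunk(dst_mac: bytes, src_mac: bytes, vlan_id: int, ethertype: int,
                  payload: bytes, native: int = NATIVE_VLAN, pcp: int = 0) -> bytes:
    """Build the frame as the sending switch puts it on the trunk: a 4-byte
    802.1Q tag goes after the MAC addresses unless the frame is in the native VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    if vlan_id == native:
        return dst_mac + src_mac + struct.pack("!H", ethertype) + payload   # untagged
    tci = (pcp << 13) | vlan_id   # TCI = PCP (3 bits) | DEI (1 bit, 0 here) | VID (12 bits)
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def untag_from_trunk(frame: bytes, native: int = NATIVE_VLAN):
    """Return (vlan_id, ethertype, payload) for a frame received on the trunk.
    An untagged frame is assigned to the receiving port's native VLAN."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner_type, frame[18:]
    return native, ethertype, frame[14:]
```

Decoding an untagged frame with a different `native` value shows why the native VLAN must match on both ends of a trunk: the frame simply lands in whatever VLAN the receiver treats as native.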
NAT, Network Address Translation
(Diagram; labels: ISP, modem, firewall, web server, access point, PDA, laptop, VLAN2, VLAN3, VLAN4, IDS/IPS, mail server, file server, DMZ, Inside, Outside. A NAT table maps the outside IP address 10.0.0.10 to 10.0.0.12: a packet with destination address (DA) 10.0.0.10 leaves the NAT with DA 10.0.0.12.)
NAT, Network Address Translation
Private addresses
RFC 1918 reserves the following three IP address ranges:
- 1 class A address: 10.0.0.0/8
- 16 class B addresses: 172.16.0.0-172.31.255.255 (172.16.0.0/12)
- 246 class C addresses: 192.168.0.0-192.168.255.255 (192.168.0.0/16)
These addresses are used for private, internal networks. Packets carrying such addresses are not routed on the Internet.

NAT?
- Inside local address: the address assigned to hosts inside the internal network.
- Inside global address: a legitimate IP address provided by the ISP; it represents one or more internal addresses to the outside world.
- Outside local address: the private address of a host outside the internal network.
- Outside global address: the legitimate public address of a host outside the internal network.
How does NAT work?
Static NAT translates one private IP address into one specific public IP address (one-to-one).
In static NAT, the computer with IP address 192.168.32.10 will always translate to 213.18.123.110.

How does NAT work?
Dynamic NAT translates a private IP address into a public IP address taken from a given address range.
In dynamic NAT, the computer with IP address 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150.

NAT overload, or PAT
A form of dynamic NAT that translates many private IP addresses into one public IP address (many-to-one) by using different ports.
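The three NAT behaviours above (static one-to-one, dynamic from a pool, overload/PAT many-to-one by port) and the RFC 1918 check from the earlier slide, combined into one outbound translation table. This is an added example, not code from the FIS slides; it uses the slides' example addresses, and the overload address 213.18.123.200 and the starting PAT port 1024 are constructed.

```python
import ipaddress
from itertools import count
from typing import Dict, List, Optional, Tuple

# The three RFC 1918 ranges listed on the slide.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip: str) -> bool:
    """True if ip lies in one of the three private ranges."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def address_range(first: str, last: str) -> List[str]:
    """Expand an inclusive range such as 213.18.123.100 to 213.18.123.150."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(a + i) for i in range(int(b) - int(a) + 1)]

class Nat:
    """Outbound translation table combining static NAT, dynamic NAT and PAT."""
    def __init__(self, static: Optional[Dict[str, str]] = None,
                 pool: Optional[List[str]] = None, overload_ip: Optional[str] = None) -> None:
        self.static = dict(static or {})     # inside local -> inside global, one-to-one
        self.pool = list(pool or [])         # free dynamic addresses; first available is handed out
        self.leases: Dict[str, str] = {}     # inside local -> dynamically leased inside global
        self.overload_ip = overload_ip       # the single inside global address used for PAT
        self.pat: Dict[Tuple[str, int], Tuple[str, int]] = {}   # (local ip, port) -> (global ip, port)
        self._ports = count(1024)            # next translated source port for PAT

    def translate(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Inside local (ip, port) -> inside global (ip, port) for an outbound packet,
        or None when the source needs no translation or no address is available."""
        if not is_rfc1918(src_ip):
            return None
        if src_ip in self.static:                    # static NAT: fixed one-to-one mapping
            return self.static[src_ip], src_port
        if src_ip in self.leases:                    # dynamic NAT: existing lease is reused
            return self.leases[src_ip], src_port
        if self.pool:                                # dynamic NAT: take the first free address
            self.leases[src_ip] = self.pool.pop(0)
            return self.leases[src_ip], src_port
        if self.overload_ip:                         # PAT: many-to-one, distinguished by port
            key = (src_ip, src_port)
            if key not in self.pat:
                self.pat[key] = (self.overload_ip, next(self._ports))
            return self.pat[key]
        return None                                  # pool exhausted and no overload address
```

A pool of only two addresses in the test shows the failure mode of plain dynamic NAT: the third inside host gets no translation unless an overload address is configured.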
Media security
Transmission media:
- Coaxial
- UTP/STP
- Fiber
- Wireless
Storage media:
- FDD
- HDD
- Tape
- CD/DVD
- Flash disk
Media security: coaxial cable
- The oldest cabling technology.
- Several layers of sheathing around a copper core.
- Vulnerable to physical attack.

Media security: UTP/STP
Unshielded Twisted Pair
- The most common LAN cable.
- Can reach Gigabit speeds.
- Susceptible to interference.
Shielded Twisted Pair
- Resists interference.
- Used in industrial environments.
- Less common.
Media security: fiber
- Glass core with an outer plastic sheath.
- Can only be tapped at splice points.

Media security: Wi-Fi
- Consists of access points and wireless cards.
- Higher risk than a wired system.

Media security: Wi-Fi
Countermeasures
- Disable SSID (Service Set Identifier) broadcast
- MAC filtering
- WEP (Wired Equivalent Privacy)
- WPA (Wi-Fi Protected Access), WPA2
- PKI (Public Key Infrastructure)
Media security: FDD
- Rarely used.
- 44MB
- Used for booting and repair.

Media security: HDD
- The primary storage device.
- SCSI, IDE and SATA standards.
- Prices are falling.
- Data should be encrypted.
- RAID should be used.

Media security: tape
- Used for archival storage.
- Slower than a hard disk.
- Cheap.
- Durable.

Media security: CD/DVD
- Lasts under 3 years.
- Cheap.

Media security: flash disk
- Compact.
- Getting cheaper every day.
- Should not be used to store important data.
Network security policies
(Diagram; labels: ISP, modem, firewall, web server, access point, PDA, laptop, VLAN2, VLAN3, VLAN4, IDS/IPS, mail server, file server, DMZ, Inside, Outside. Example policy shown: Permit: Google; Deny: YIM.)
Low-layer security baselines
- Design security in from the start.
- System documentation:
  - Create and maintain the documentation.
  - Update it whenever something changes.
- Close unnecessary ports and services.

Case study
Setting up a firewall and VPN system for an enterprise.