
Pham Minh Thuan, Faculty of Information Security (Khoa An toàn thông tin)

Chapter 4
Firewall security policy

Contents
1. Threats that can affect a firewall
2. Security strategies for the network system
3. Building a firewall security policy
1. Threats that can affect a firewall
   1. External threats
   2. Internal threats
   3. Other threats
External threats

Unintentional attacks
- People bored with their daily work who amuse themselves by breaking into network systems.
- They do not intend to cause damage, but their intrusions, and the clean-up of their traces when they withdraw, can unintentionally leave the system malfunctioning.

Vandals
- They deliberately set out to damage the system and can cause serious harm to it.

Attackers seeking recognition
- People who want to prove themselves through new kinds of attack, the number of systems they have penetrated, and so on.
- They prefer to break into well-known, closely guarded targets.

Spies
- They gain access to steal documents for various purposes: to sell them, to trade them, and so on.
Internal threats

Malicious insiders
- Malicious insiders exploit weaknesses inside the company to break into the network system and attack from within, where the firewall offers no protection.

Carelessness of internal network users
Other threats

Viruses and malicious code
- Congest network bandwidth and reduce productivity
- Modify or delete data
- Steal data and accounts
- Damage computers and network devices
- Create back doors

Security vulnerabilities
- Gaps in physical protection
- Flaws in software
2. Security strategies for the network system
   1. Least privilege
   2. Defense in depth
   3. Choke point
   4. Weakest link
   5. Universal participation & diversity of defense
Least privilege

- This is the most fundamental security principle (of any kind of security, not only computer and network security).
- Principle: every subject (user, administrator, program, system, ...) should hold only the privileges it needs to carry out its task.
- This limits an attacker's ability to extend an attack and limits the damage an attack can do.
Defense in depth

- Do not rely on a single measure (even a very strong one).
- Use several measures that back each other up: when one is bypassed, another still protects, so the protection system as a whole is hard to bring down.
Choke point

- Design the system so that an attacker is forced through a narrow channel that you can monitor and control.
- A firewall is an example of a choke point: all traffic entering or leaving the network must pass through it.
Weakest link

- A security system is only as strong as its weakest link.
- Identify the weak points in the system and concentrate protection on them.
- Example: when connecting to the Internet, people tend to focus on protecting Telnet and pay little attention to FTP, although both services share the same kind of weakness (both send credentials in cleartext, for one).
Universal participation & diversity of defense

- Consider the whole picture: everyone on the network has to take part.
- Consider the case where the system is protected by a firewall, but someone inside sets up a private link of their own to the outside. A hacker can then get into the network through that link, bypassing the firewall entirely.
- It is not enough to have several layers of protection; the layers should also use different methods.
- Example: in a firewall architecture with two packet-filtering systems, diversity of defense is improved by using systems from different vendors, so that a flaw in one product does not defeat both layers.
3. Building a firewall security policy

The term security policy carries several meanings:
- A written policy describing how an organization manages the security of its resources.
- In another sense, the actual configuration of a device (for example an access control list, ACL).

Firewall security policy:
- The information security policy determines which security controls protect the system (the firewall among them).
- The inbound-filtering, outbound-filtering and management-access policy (the firewall policy, or firewall rule set) determines the actual configuration of the device.
The firewall policy directs how the firewall must handle application traffic such as web, email or telnet.

The assessment and analysis described in the earlier sections yields the following information:
- A list of the network applications
- A list of each application's weaknesses
- A cost/benefit analysis of the methods for securing each application
- A matrix of applications against protection methods

The firewall rules must be built from this information.
Fields of a firewall rule:
- No.: sequence number of the rule (rules are evaluated in this order; the first match wins)
- Name: rule name
- Source Address: source address of the packet
- Destination Address: destination address of the packet
- Source Port: source port of the packet
- Destination Port: destination port of the packet
- Action: action to take (allow or deny)
- Description: a fuller description of the rule
Minimum fields of a firewall rule (example):

No. | Name             | Source Address | Source Port | Destination Address | Destination Port | Action | Description
3   | Accept Webserver | Any            | Any         | 10.10.10.10         | 80               | Allow  | Allow access to the web server

The default policy of a firewall must be to block every packet and connection that no rule explicitly allows.
No. | Name             | Source Address | Source Port | Destination Address | Destination Port | Action | Description
3   | Accept Webserver | Any            | Any         | 10.10.10.10         | 80               | Allow  | Allow access to the web server
10  | Cleanup Rule     | Any            | Any         | Any                 | Any              | Deny   | Block all unauthorized traffic that matches none of the rules above

The cleanup rule is placed last so that it only catches what nothing above it has matched.

The firewall rules must always block the following kinds of connection:
- Access from an unauthenticated source system whose destination address is the firewall's own address.
No. | Name         | Source Address | Source Port | Destination Address | Destination Port | Action | Description
1   | Stealth Rule | Any            | Any         | 192.168.1.1         | Any              | Deny   | Block all unauthorized access to the firewall itself (192.168.1.1)

The stealth rule is placed first so that no later allow rule can match traffic aimed at the firewall.

The firewall rules must always block the following kinds of connection:
- Access from outside with a source address that claims the packet originated from a network behind the firewall: this is spoofing.
- Access from outside using ICMP.
- Access from outside with a source address in the reserved (private) ranges; such addresses are not routable on the Internet, so the source is spoofed, typically as part of a denial-of-service (DoS) attack:
  10.0.0.0 to 10.255.255.255 (10.0.0.0/8, the "class A" private range)
  172.16.0.0 to 172.31.255.255 (172.16.0.0/12, the "class B" private range)
  192.168.0.0 to 192.168.255.255 (192.168.0.0/16, the "class C" private range)
The firewall rules must always block the following kinds of connection:
- Access to the internal network from an unauthenticated source system using SNMP: the intruder is scanning the network.
- Traffic carrying IP source routing options: a way of bypassing the firewall.
- Traffic whose source or destination address is 127.0.0.1: an attack on the firewall system itself.
- Traffic addressed to a directed broadcast address: a broadcast amplification attack (smurf).
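As an added example (not from the slides), the following Python function applies the "must always block" checks listed above as a pre-filter placed in front of the rule table. The interface names, the firewall address 192.168.1.1 and the internal network 192.168.1.0/24 are assumptions for the demonstration, and "unauthenticated" is approximated by "arrived on the outside interface"; the private ranges are those of RFC 1918.

```python
"""Pre-filter for the 'always deny' conditions (added example, not from the
slides). Topology values below are assumptions for the demonstration."""
import ipaddress
from dataclasses import dataclass

# Assumed topology: the firewall owns FW_ADDR and protects INTERNAL_NETS.
FW_ADDR = ipaddress.ip_address("192.168.1.1")
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
# RFC 1918 private ranges (the "class A/B/C" reserved blocks on the slide).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass
class Packet:
    iface: str                  # "outside" or "inside": arrival interface
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: int = 0
    source_routed: bool = False  # IP source-route option present


def _in(addr, nets):
    return any(addr in n for n in nets)


def _is_directed_broadcast(dst):
    # A directed broadcast targets the broadcast address of a known subnet.
    return any(dst == n.broadcast_address for n in INTERNAL_NETS)


def always_deny_reason(pkt):
    """Return why the packet must be dropped, or None if the rule table may decide."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.source_routed:
        return "source routing (firewall bypass)"
    if src in LOOPBACK or dst in LOOPBACK:
        return "loopback address on the wire (attack on the firewall itself)"
    if _is_directed_broadcast(dst):
        return "directed broadcast (smurf amplification)"
    if pkt.iface == "outside":
        # "Unauthenticated" is modelled as: the packet came in from outside.
        if dst == FW_ADDR:
            return "unauthenticated access to the firewall itself (stealth rule)"
        if _in(src, INTERNAL_NETS):
            return "external packet claims an internal source (spoofing)"
        if _in(src, PRIVATE_NETS):
            return "private (RFC 1918) source address from outside (spoofed, DoS)"
        if pkt.proto == "icmp":
            return "ICMP from outside"
        if pkt.proto == "udp" and pkt.dport in (161, 162):
            return "SNMP from an unauthenticated outside host (network scan)"
    return None


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    for p in (Packet("outside", "192.168.1.50", "10.10.10.10", "tcp", 80),
              Packet("outside", "203.0.113.5", "192.168.1.1", "tcp", 22),
              Packet("outside", "203.0.113.5", "10.10.10.10", "tcp", 80)):
        print(p.src, "->", p.dst, ":", always_deny_reason(p))
```

Two caveats a practitioner would add: blocking all ICMP from outside also drops "fragmentation needed" messages and breaks path MTU discovery, so production rule sets usually permit a few ICMP types; and the anti-spoofing check is only as good as INTERNAL_NETS, which must list every network behind the firewall.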
Exercise: build a rule table that meets the following requirements:
- Block all unauthorized access to the firewall itself.
- All traffic from the internal network may go out to any external destination.
- Email arriving from outside via SMTP is delivered to the SMTP server, which then relays it inward.
- External users may reach the HTTP server only over HTTP and HTTPS.
- Connections from external remote systems are allowed to the VPN gateway, which forwards them into the internal system.
- All other connections are blocked.
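A rule table for the exercise above, using the fields from the rule-table slides (No., Name, Source/Destination Address and Port, Action, Description) with first-match evaluation and a default deny. This is an added example, not part of the slides. Because the network diagram is not reproduced, the addresses are assumptions: 192.168.1.0/24 is the internal LAN, 192.168.1.1 the firewall (as in the stealth rule above), 10.10.10.10 the HTTP server (as in the web-server rule above), 10.10.10.25 the SMTP server and 10.10.10.30 the VPN gateway, reached over IPsec IKE (UDP/500) and NAT-T (UDP/4500).

```python
"""First-match firewall rule table for the exercise (added example, not from
the slides). Addresses are assumptions standing in for the missing diagram."""
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    no: int              # sequence number: rules are evaluated in this order
    name: str
    src: str             # network in CIDR notation, or ANY
    sport: object        # port number, or ANY
    dst: str             # network in CIDR notation, or ANY
    dport: object        # port number, or ANY
    proto: str           # "tcp", "udp", "icmp", or ANY
    action: str          # "allow" or "deny"
    description: str


def _match_addr(pattern, addr):
    return pattern == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)


def _match_port(pattern, port):
    return pattern == ANY or pattern == port


def matches(rule, src, sport, dst, dport, proto):
    return (_match_addr(rule.src, src) and _match_port(rule.sport, sport)
            and _match_addr(rule.dst, dst) and _match_port(rule.dport, dport)
            and rule.proto in (ANY, proto))


def decide(ruleset, src, sport, dst, dport, proto):
    """Return (action, rule number) of the first matching rule.
    No match falls through to the default policy: deny."""
    for rule in ruleset:
        if matches(rule, src, sport, dst, dport, proto):
            return rule.action, rule.no
    return "deny", None


# Assumed topology (the slides' diagram is not reproduced here).
LAN = "192.168.1.0/24"      # internal network
FW = "192.168.1.1/32"       # the firewall itself (as in the stealth rule)
WEB = "10.10.10.10/32"      # HTTP server (as in the web-server rule)
SMTP = "10.10.10.25/32"     # SMTP server, assumed address
VPN = "10.10.10.30/32"      # VPN gateway, assumed address

RULESET = [
    Rule(1, "Stealth Rule", ANY, ANY, FW, ANY, ANY, "deny",
         "Block all unauthorized access to the firewall itself"),
    Rule(2, "Outbound", LAN, ANY, ANY, ANY, ANY, "allow",
         "Internal hosts may reach any external destination"),
    Rule(3, "Inbound SMTP", ANY, ANY, SMTP, 25, "tcp", "allow",
         "External mail goes to the SMTP server, which relays it inward"),
    Rule(4, "Inbound HTTP", ANY, ANY, WEB, 80, "tcp", "allow",
         "External users reach the HTTP server over HTTP"),
    Rule(5, "Inbound HTTPS", ANY, ANY, WEB, 443, "tcp", "allow",
         "External users reach the HTTP server over HTTPS"),
    Rule(6, "VPN IKE", ANY, ANY, VPN, 500, "udp", "allow",
         "Remote systems may negotiate IPsec with the VPN gateway"),
    Rule(7, "VPN NAT-T", ANY, ANY, VPN, 4500, "udp", "allow",
         "IPsec NAT traversal to the VPN gateway"),
    Rule(8, "Cleanup Rule", ANY, ANY, ANY, ANY, ANY, "deny",
         "Block everything not matched by a rule above"),
]


def check_rule_order(ruleset):
    """Ordering constraints under first-match semantics: the stealth rule
    must precede every allow rule, and a catch-all deny must be last."""
    first_allow = next((i for i, r in enumerate(ruleset) if r.action == "allow"),
                       len(ruleset))
    stealth = next((i for i, r in enumerate(ruleset) if r.name == "Stealth Rule"), None)
    last = ruleset[-1]
    catch_all = last.action == "deny" and all(
        f == ANY for f in (last.src, last.sport, last.dst, last.dport, last.proto))
    return stealth is not None and stealth < first_allow and catch_all


if __name__ == "__main__":
    # Constructed sample flows (src, sport, dst, dport, proto), not captured traffic.
    for flow in (("203.0.113.5", 40000, "10.10.10.10", 443, "tcp"),
                 ("203.0.113.5", 40000, "192.168.1.1", 22, "tcp"),
                 ("192.168.1.20", 50000, "198.51.100.7", 443, "tcp")):
        print(flow, "->", decide(RULESET, *flow))
    print("rule order ok:", check_rule_order(RULESET))
```

The inward relaying of mail and the forwarding of VPN traffic are done by the SMTP server and the VPN gateway themselves once the firewall has admitted the connection; the rule table only opens the ports they listen on. check_rule_order encodes the two ordering constraints that matter with first-match semantics: the stealth rule before any allow rule, and the cleanup rule last.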
Example: given the following network model:
[network diagram not reproduced in this extraction]