BÀI GIẢNG AN TOÀN MẠNG (Network Security Lecture), part 2: Infrastructure Security

Transcript of the lecture slides (75 slides)

5/21/2018  Network Security Lecture, part 2: Infrastructure Security

FIS, 2008  Network Security

Part II: Infrastructure Security

Contents

1. Network security topologies
2. Firewall
3. IDS/IPS
4. VPN
5. VLAN

Contents (continued)

6. NAT
7. Media security
8. Network security policies
9. Low-layer security baselines

Case study: setting up a VPN and firewall system for an enterprise

Network security topologies

[Diagram: ISP, Modem, Remote Access Server, Router, Server, Access Point, PDA, Laptop]

Network security topologies

[Diagram: ISP, Modem, Firewall, IDS/IPS; DMZ with web server, mail server, file server; Inside with VLAN2, VLAN3, VLAN4, Access Point, PDA, Laptop; Outside]

Firewall

Function: the main function of a firewall is to control and supervise access.
Service control
Direction control
User control
Behaviour control

Firewall

Divides the network into zones:
Intranet (inside): trusted
Extranet (outside): untrusted
DMZ: De-Militarized Zone

Firewall

http://upload.wikimedia.org/wikipedia/commons/thumb/6/6f/DMZ_network_diagram_1_firewall.svg/400px-DMZ_network_diagram_1_firewall.svg.png
Firewall

Classification
Software: Check Point, MS ISA, ...
Appliance: Cisco PIX, Juniper, WatchGuard Firebox, ...
Technology: each firewall uses one of the following technologies
Packet filtering
Proxy server
Stateful filtering

Firewall: Packet filtering

Operating principle: works directly on the TCP/IP protocol headers; filtering decisions are made on the IP and transport-layer header fields.

Packet Filtering

Principle:
Examine each packet and decide whether it satisfies the rules of the filter.
The packet filter permits (rule satisfied) or denies (rule not satisfied) every packet it receives.

What information are these filter rules based on?

Fields in the IP, TCP or UDP header:
IP source address
IP destination address
Protocol used (TCP, UDP, ICMP)
TCP/UDP source port
TCP/UDP destination port
Incoming interface of the packet
Outgoing interface of the packet

Filter rules

A policy contains a list of rules; if the information in a packet matches a rule, that rule is applied to decide whether the packet is forwarded or dropped (deny).
If the packet matches no rule, the default rule is applied. There are typically two choices for the default policy: default = forward, or default = drop.
Rules are evaluated from top to bottom, in decreasing order of priority (the first matching rule wins, so rule order matters).
Default = drop is the safer choice: anything not explicitly permitted is blocked.
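The first-match evaluation and default policy described above, as an added example (not code from the lecture): the rule fields, the sample rule set and the addresses 10.0.0.0/8 and 10.0.0.10 for a DMZ web server are assumptions made for this illustration.

```python
"""Added example (not from the lecture): a first-match packet filter.

Rules are checked top to bottom; the first rule whose fields all match
decides the verdict, otherwise the default policy applies. Field names,
the sample rule set and the addresses are assumptions for this illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: Optional[int]  # None for ICMP
    dport: Optional[int]
    in_if: str            # interface the packet arrived on


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # network in CIDR notation; /0 matches any
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port
    in_if: Optional[str] = None     # None matches any incoming interface

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.in_if is None or self.in_if == p.in_if))


def filter_packet(rules: list[Rule], p: Packet, default: str = "deny") -> str:
    """Return the verdict of the first matching rule, or the default policy."""
    for rule in rules:          # top-down: earlier rules have higher priority
        if rule.matches(p):
            return rule.action
    return default


# Constructed rule set for a DMZ web server at 10.0.0.10 (assumed addresses):
# 1. drop packets arriving on the outside interface that spoof an inside source
# 2. allow HTTP to the web server from anywhere
# 3. allow anything that originates inside
# anything else falls through to the default policy
RULES = [
    Rule("deny", src="10.0.0.0/8", in_if="outside"),
    Rule("permit", dst="10.0.0.10/32", proto="tcp", dport=80),
    Rule("permit", src="10.0.0.0/8", in_if="inside"),
]

if __name__ == "__main__":
    web = Packet("203.0.113.5", "10.0.0.10", "tcp", 40000, 80, "outside")
    spoof = Packet("10.0.0.99", "10.0.0.10", "tcp", 40000, 80, "outside")
    ssh = Packet("203.0.113.5", "10.0.0.10", "tcp", 40001, 22, "outside")
    print(filter_packet(RULES, web))                    # permit
    print(filter_packet(RULES, spoof))                  # deny: rule 1 wins over rule 2
    print(filter_packet(RULES, ssh))                    # deny: no rule matches, default
    print(filter_packet(RULES, ssh, default="permit"))  # permit under default = forward
```

The spoofed packet shows why order matters: rule 2 would permit it, but the anti-spoofing deny sits above it. The last call shows how much a default = forward policy gives away: an unlisted service (SSH) becomes reachable without anyone writing a rule for it.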

Packet filtering rules

[Slide content not captured in the transcript.]

Advantages

Fast processing.
Packet filters are usually transparent to users and applications.
Good at blocking denial-of-service attacks.
Easy to deploy, install and maintain.

Disadvantages

Cannot control data above layer 4.
Limited logging, because the firewall examines only a limited amount of information in each packet.
Most firewalls of this type do not support user authentication.
Cannot stop attacks that exploit weaknesses in the TCP/IP protocols themselves.
Requires the administrator to understand Internet services in depth.

Circuit Level Gateway

Operates at the transport layer.
Monitors the TCP handshake between incoming and outgoing packets to determine whether a session is legitimate.

Operating principle

Does not allow an end-to-end connection. Instead it sets up two TCP connections:
between the gateway and the inside host;
between the gateway and the outside host.
Once both connections are established, the circuit-level gateway copies and relays TCP segments from the inside connection to the outside connection and vice versa, without inspecting the data content.
The gateway considers a session legitimate if the SYN, ACK flags and sequence numbers exchanged during the handshake between the connections are valid.

How it works

The inside host requests a service; the gateway accepts the request. On behalf of the inside host, the gateway opens a connection to the outside host and closely monitors the TCP handshake. The handshake involves exchanging packets that carry the SYN or ACK flags.
The gateway verifies that the inside host and the outside host are the parties of the session, then copies and forwards data between the two connections.
The gateway maintains a connection table; data is allowed through only if it belongs to one of the sessions in the table.
When the session ends, the circuit-level gateway removes the session's entry from the table.
Connection table: session ID, state (handshake, established), ...
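The connection table and handshake check of the two slides above, as an added example (not code from the lecture). It tracks SYN, SYN-ACK and ACK with their sequence/acknowledgement numbers, relays payload only for sessions that reached ESTABLISHED, and drops the entry on FIN or RST. The segment representation, the "ip:port" session key and the verdict strings are assumptions for the illustration; a real gateway would take these values from the TCP headers it sees.

```python
"""Added example (not from the lecture): a circuit-level gateway's session table.

The gateway tracks the three-way handshake for each (inside, outside) pair
and only relays data that belongs to a session it has seen reach ESTABLISHED.
The segment format, session key and verdict strings are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str                 # "ip:port"
    dst: str                 # "ip:port"
    flags: frozenset[str]    # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int
    ack: int = 0
    payload: bytes = b""


class CircuitGateway:
    def __init__(self) -> None:
        # session key -> {"state", "client", "client_isn", "server_isn"}
        self.table: dict[tuple[str, str], dict] = {}

    @staticmethod
    def _key(s: Segment) -> tuple[str, str]:
        # the same session is looked up whichever direction the segment travels
        return (s.src, s.dst) if s.src < s.dst else (s.dst, s.src)

    def process(self, s: Segment) -> str:
        """Return what the gateway does with the segment:
        handshake / established / relay / closed / drop."""
        key = self._key(s)
        entry = self.table.get(key)
        if "RST" in s.flags or "FIN" in s.flags:
            self.table.pop(key, None)        # session over: remove the table entry
            return "closed"
        if entry is None:
            if s.flags == {"SYN"}:           # step 1: inside host's SYN opens a pending session
                self.table[key] = {"state": "SYN_SENT", "client": s.src, "client_isn": s.seq}
                return "handshake"
            return "drop"                    # data or a stray ACK with no session behind it
        if entry["state"] == "SYN_SENT" and s.flags == {"SYN", "ACK"} and s.dst == entry["client"]:
            if s.ack != entry["client_isn"] + 1:
                return "drop"                # outside host did not acknowledge our SYN
            entry.update(state="SYN_RCVD", server_isn=s.seq)
            return "handshake"
        if entry["state"] == "SYN_RCVD" and s.flags == {"ACK"} and s.src == entry["client"]:
            if s.ack != entry["server_isn"] + 1:
                return "drop"                # wrong acknowledgement number
            entry["state"] = "ESTABLISHED"
            return "established"
        if entry["state"] == "ESTABLISHED":
            return "relay"                   # payload copied through without inspection
        return "drop"                        # out-of-sequence handshake segment


if __name__ == "__main__":
    gw = CircuitGateway()
    c, s = "10.0.0.5:40000", "203.0.113.7:80"
    print(gw.process(Segment(c, s, frozenset({"SYN"}), seq=1000)))                  # handshake
    print(gw.process(Segment(s, c, frozenset({"SYN", "ACK"}), seq=5000, ack=1001)))  # handshake
    print(gw.process(Segment(c, s, frozenset({"ACK"}), seq=1001, ack=5001)))         # established
    print(gw.process(Segment(c, s, frozenset({"ACK"}), 1001, 5001, b"GET / HTTP/1.0")))  # relay
    print(gw.process(Segment(c, s, frozenset({"FIN", "ACK"}), seq=1015, ack=5001)))  # closed
```

Note what the gateway does not do in the "relay" branch: the payload is forwarded unread, which is exactly the weakness the next slides describe.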

Advantages

Higher level of security than packet filtering.
Can be deployed for a wide range of upper-layer protocols without needing detailed knowledge of each protocol.

Disadvantages

Once a connection has been established, it can let any malicious content carried in the packets pass through, because the payload is not inspected.

Application Gateway

Operates at the application layer.
Designed to strengthen control over which services and protocols are allowed to access the network.

Operating principle

Based on proxy services.
A proxy service is a special program installed on the gateway for each application.
Connecting to a service through an application gateway takes place in 5 steps.

Operating principle

Step 1: The client sends its request for the remote server to the application gateway.
Step 2: The application gateway authenticates the user. If authentication succeeds, continue to step 3; otherwise the process ends.
Step 3: The application gateway forwards the client's request to the remote server.
Step 4: The remote server sends its reply to the application gateway.
Step 5: The application gateway forwards the remote server's reply to the client.
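The five-step flow above, as an added example (not code from the lecture) with one proxy per service, a user-authentication step that stops the flow when it fails, and a service with no proxy being blocked. The user database, the per-service command policy (read-only HTTP and FTP), the user "alice" and the stand-in remote servers are all constructed for the illustration; a real gateway would open a TCP connection to the remote server instead of calling a function.

```python
"""Added example (not from the lecture): an application gateway's 5-step flow.

One proxy per service; each proxy understands its protocol and enforces a
policy on the commands it relays. A service without a proxy is blocked.
The credential store, policies and fake remote servers are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Request:
    service: str   # "http", "ftp", "telnet", ...
    user: str
    password: str
    target: str    # remote host the client wants to reach
    command: str   # application-level command, e.g. an HTTP request line or FTP verb


# Constructed credential store: salted PBKDF2 digests, never cleartext passwords.
def _make_user(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": _make_user("correct horse")}   # assumed test user


def authenticate(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, digest = rec
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(cand, digest)      # constant-time comparison


Upstream = Callable[[str, str], str]              # (host, command) -> reply

ALLOWED_HTTP_METHODS = {"GET", "HEAD"}


def http_proxy(req: Request, upstream: Upstream) -> str:
    """HTTP proxy: only read-only methods are relayed (assumed policy)."""
    method = req.command.split()[0]
    if method not in ALLOWED_HTTP_METHODS:
        return "403 method not allowed by proxy policy"
    return upstream(req.target, req.command)      # steps 3 and 4


def ftp_proxy(req: Request, upstream: Upstream) -> str:
    """FTP proxy: uploads and deletes are refused (assumed policy)."""
    if req.command.upper().startswith(("STOR", "DELE")):
        return "550 upload/delete blocked by proxy policy"
    return upstream(req.target, req.command)


PROXIES = {"http": http_proxy, "ftp": ftp_proxy}  # no telnet proxy, so telnet is blocked


def fake_remote(host: str, command: str) -> str:
    """Constructed stand-in for the remote server's reply (step 4)."""
    return f"{host} replied to {command!r}"


class ApplicationGateway:
    def __init__(self, proxies=PROXIES, upstream: Upstream = fake_remote):
        self.proxies, self.upstream = proxies, upstream
        self.log: list[str] = []                  # every decision is logged

    def handle(self, req: Request) -> str:
        # step 1: the client's request arrives at the gateway
        proxy = self.proxies.get(req.service)
        if proxy is None:
            self.log.append(f"{req.user} {req.service} -> blocked (no proxy)")
            return "blocked: service not proxied"
        # step 2: authenticate the user; the flow ends here on failure
        if not authenticate(req.user, req.password):
            self.log.append(f"{req.user} {req.service} -> auth failed")
            return "authentication failed"
        # steps 3-5: the proxy forwards the request, gets the reply, returns it
        reply = proxy(req, self.upstream)
        self.log.append(f"{req.user} {req.service} {req.target} {req.command} -> {reply[:40]}")
        return reply


if __name__ == "__main__":
    gw = ApplicationGateway()
    print(gw.handle(Request("http", "alice", "correct horse", "example.test", "GET /index.html")))
    print(gw.handle(Request("http", "alice", "wrong", "example.test", "GET /")))
    print(gw.handle(Request("telnet", "alice", "correct horse", "example.test", "login")))
    print(gw.handle(Request("ftp", "alice", "correct horse", "ftp.test", "STOR secret.txt")))
```

Because the proxy parses the application protocol, it can enforce policy on individual commands and log who did what, which is the source of the "strong authentication" and "detailed logging" advantages on the next slide; it is also why every supported service needs its own proxy program.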

Advantages

Complete control over each service on the network (decides which servers may be accessed by each service).
Complete control over which services are allowed (if there is no proxy for a service, that service is blocked).
Strong authentication checks, and detailed logging of access.
Filter rules for an application gateway are easier to configure and check than packet-filtering rules.


Disadvantages

Slow, with low throughput, because processing happens at several layers.
Limited set of supported services.
Limited scalability.
Complex installation and maintenance.
Limited transparency to end users.

Stateful Multilayer Inspection Firewall

[Diagrams on the two preceding slides not captured in the transcript.]

Like a packet-filtering firewall, it operates at the network layer and filters incoming/outgoing packets on source address, destination address, source port and destination port.
Like a circuit-level gateway, it tracks exactly which packets belong to an established session.
Borrowing from the application gateway, the stateful inspection firewall (SIF) passes packets up to the application layer and checks whether the data content conforms to the rules in the system's security policy.

Firewall

Can a good firewall, of whatever type, guarantee the security of a system on its own?

IDS/IPS

[Diagram: same topology as above (ISP, Modem, Firewall, IDS/IPS, DMZ with web/mail/file servers, Inside with VLAN2, VLAN3, VLAN4, Access Point, PDA, Laptop, Outside), with an X marker]

IDS/IPS

IDS/IPS: detect/prevent attacks
IDS: Intrusion Detection System
IPS: Intrusion Prevention System
Usually integrated with the firewall.
Signature-based, so the signatures must be updated regularly.

IDS/IPS

Modes of operation: active detection, passive detection.
Active detection: the IDS reacts to the attack, for example by instructing the firewall to block the suspicious ports.
Problem: IDS false positives block legitimate traffic, and a control channel between the IDS and the network device that does the blocking must be configured.

IDS/IPS

Passive detection: attack signatures are logged, but not blocked immediately.
Can be configured to alert the administrator, who blocks manually.
Used for analysing alerts.
Problem: slow response time.
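The signature-based detection of slide 33 and the active/passive modes of the two slides above, as an added example (not code from the lecture) run over a few constructed HTTP access-log lines. The signature set, the log lines, the firewall hook and the source addresses are assumptions for the illustration; a real sensor loads its signatures from a regularly updated feed, which is the "must be updated" point of slide 33.

```python
"""Added example (not from the lecture): a signature-based IDS in passive mode
(alert only) and active mode (also asks the firewall to block the source).

Signatures, sample log lines and the firewall hook are constructed for the
illustration. Requests are URL-decoded before matching so that an attacker
cannot evade a signature simply by percent-encoding the payload.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: re.Pattern


# Constructed signature set. Stale signatures simply miss newer attacks.
SIGNATURES = [
    Signature(1001, "path traversal", re.compile(r"(\.\./){2,}")),
    Signature(1002, "sql injection probe", re.compile(r"(?i)(union\s+select|'\s*or\s+1=1)")),
    Signature(1003, "webshell command", re.compile(r"(?i)\.php\?cmd=")),
]

# Apache combined-log prefix: client, timestamp, request line, status
LOG_RE = re.compile(r'^(?P<src>\S+) - - \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')


@dataclass
class Alert:
    src: str
    sid: int
    name: str
    line: str


class SignatureIDS:
    def __init__(self, mode: str = "passive", firewall=None):
        assert mode in ("passive", "active")
        self.mode, self.firewall = mode, firewall   # firewall: callable(src_ip) -> None
        self.alerts: list[Alert] = []
        self.blocked: set[str] = set()

    def inspect(self, line: str) -> list[Alert]:
        m = LOG_RE.match(line)
        if not m:
            return []                               # unparseable line: nothing to match on
        request = unquote(m["req"])                 # normalise before matching
        found = []
        for sig in SIGNATURES:
            if sig.pattern.search(request):
                alert = Alert(m["src"], sig.sid, sig.name, line)
                found.append(alert)
                self.alerts.append(alert)           # passive mode stops here: log and alert
                if self.mode == "active" and m["src"] not in self.blocked:
                    # active response: tell the firewall to block the source.
                    # A false positive here cuts off a legitimate client,
                    # which is why active mode needs well-tuned signatures.
                    self.blocked.add(m["src"])
                    if self.firewall:
                        self.firewall(m["src"])
        return found

    def run(self, lines) -> list[Alert]:
        return [a for line in lines for a in self.inspect(line)]


# Constructed sample traffic (one benign request, three attack probes).
SAMPLE_LOG = [
    '203.0.113.9 - - [21/May/2018:10:00:01 +0700] "GET /index.html HTTP/1.1" 200',
    '203.0.113.9 - - [21/May/2018:10:00:02 +0700] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404',
    '198.51.100.4 - - [21/May/2018:10:00:03 +0700] "GET /login?user=admin\'%20or%201=1 HTTP/1.1" 200',
    '198.51.100.4 - - [21/May/2018:10:00:04 +0700] "GET /uploads/x.php?cmd=id HTTP/1.1" 200',
]

if __name__ == "__main__":
    passive = SignatureIDS("passive")
    for a in passive.run(SAMPLE_LOG):
        print(f"ALERT sid={a.sid} {a.name} from {a.src}")
    active = SignatureIDS("active", firewall=lambda ip: print(f"firewall: block {ip}"))
    active.run(SAMPLE_LOG)
```

The third log line only matches because the request is URL-decoded first; matching the raw line would miss `'%20or%201=1`. In active mode the second source is blocked at its first hit and not re-blocked on the next line, while in passive mode the same alerts are recorded and nothing is blocked until an administrator acts.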

IDS/IPS

[Diagram not captured in the transcript.]

Classification
Network based: IDS/IPS for the whole network
Host based: IDS/IPS for an individual host

Network based IDS
Usually in the form of an appliance.
Can monitor the whole system.

Network based IDS

[Diagram not captured in the transcript.]

Host based IDS

Installed on the important machines to detect attacks.
Problems:
No overall view of the attacks.
Only monitors the machine on which the IDS is installed.

Host based IDS

[Diagram not captured in the transcript.]

VPN

[Diagram: same topology as above (ISP, Modem, Firewall, IDS/IPS, DMZ with web/mail/file servers, Inside with VLAN2, VLAN3, VLAN4, Access Point, PDA, Laptop, Outside)]

VPN

VPN, Virtual Private Network: a private network built over a shared medium.
Allows a secure (private) channel to be established over a shared (virtual) environment.
Benefits:
Security
Cost savings

Example: Check Point VPN-1 Power

VPN

Supporting devices/software: usually integrated with the firewall.
Where higher performance is needed, a dedicated device is used.
VPN classification:
VPN site-to-site: connects a network to a network
VPN remote access: connects a host to a network

VPN site to site

[Diagram: Head Quarters with VPN Gateway, INTERNET, VPN Gateway at the Branch]

VPN remote access

[Diagram: Remote user with VPN client, INTERNET, VPN Gateway/server at Head Quarters and Branch]

VPN

Protocols used in VPNs:
L2F: Layer 2 Forwarding (Cisco)
PPTP: Point to Point Tunneling Protocol (Microsoft)
L2TP: Layer 2 Tunneling Protocol (Microsoft + Cisco)
IPsec: IP Security
SSL/TLS: Secure Sockets Layer / Transport Layer Security
MPLS: Multi-Protocol Label Switching
Not all of these protect the traffic: L2F and L2TP tunnel without encrypting (L2TP is normally run inside IPsec), PPTP's MPPE encryption is keyed from MS-CHAP and is considered broken, and MPLS separates traffic without encrypting it. For confidentiality, rely on IPsec or TLS.

VLAN, Virtual LAN

[Diagram: same topology as above (ISP, Modem, Firewall, IDS/IPS, DMZ with web/mail/file servers, Inside with VLAN2, VLAN3, VLAN4, Access Point, PDA, Laptop, Outside)]

VLAN, Virtual LAN

Example: deploying a VLAN network
[Diagram not captured in the transcript.]

VLAN, Virtual LAN

A technique for splitting a broadcast domain into several virtual broadcast domains.
Each virtual broadcast domain uses one network or one subnetwork.
Increases flexibility in system design and saves cost.
Allows users with the same function in the same organization to be grouped into one broadcast domain regardless of their physical location.

VLAN, Virtual LAN

Users in the same VLAN use the same network/subnetwork and can communicate with each other directly.
Users in different VLANs who want to communicate with each other need a Layer 3 device (router).
VLAN information (the VLAN database) can be propagated from one switch to another in the same system through trunk links and "int VLAN1".

Trunk link

Has a bandwidth of 100 Mbps or more; a link over which the traffic of all VLANs can pass.
When a user's traffic is sent onto the trunk, it also carries a VLAN ID identifying which VLAN the traffic belongs to.

Encapsulation: VLAN ID

802.1Q (usually called dot1q): the common standard for encapsulating the VLAN ID, supported on all switches.
Native VLAN: the VLAN whose data is sent onto the trunk without a VLAN ID tag. The default native VLAN is VLAN 1.
ISL (Inter-Switch Link): a VLAN ID encapsulation used only on Cisco Catalyst switches.
Because native-VLAN frames cross the trunk untagged, leaving the native VLAN at its default while hosts also sit in VLAN 1 allows VLAN hopping by double tagging; set the native VLAN of each trunk to an unused VLAN.
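The 802.1Q tag and native-VLAN behaviour from this slide and the trunk-link slide before it, as an added example (not code from the lecture): it builds and parses tagged frames the way a trunk port does, leaves native-VLAN frames untagged, and then shows why an unused native VLAN matters by running a double-tagged frame through a simplified switch. The MAC addresses, payloads, VLAN numbers 30 and 999, and the simplified access-port behaviour are assumptions for the illustration.

```python
"""Added example (not from the lecture): 802.1Q tagging on a trunk.

build_frame/parse_frame follow the 802.1Q header layout (TPID 0x8100, then
PCP/DEI/VID). trunk_egress is a simplified switch model used only to show the
effect of the native VLAN; MACs, payloads and VLAN numbers are constructed.
"""
import struct

TPID_8021Q = 0x8100
NATIVE_VLAN = 1        # IEEE/vendor default; move it to an unused VLAN on real trunks


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vlan: int,
                pcp: int = 0, native_vlan: int = NATIVE_VLAN) -> bytes:
    """Frame as it appears on a trunk: tagged unless vlan is the native VLAN."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan != native_vlan:
        tci = (pcp & 0x7) << 13 | vlan            # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes, native_vlan: int = NATIVE_VLAN) -> dict:
    """Decode dst, src, VLAN, priority, ethertype and payload.
    An untagged frame received on a trunk belongs to the native VLAN."""
    dst, src = frame[:6], frame[6:12]
    offset, vlan, pcp, tagged = 12, native_vlan, 0, False
    if struct.unpack_from("!H", frame, offset)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlan, pcp, tagged = tci & 0x0FFF, tci >> 13, True
        offset += 4
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan, "pcp": pcp,
            "tagged": tagged, "ethertype": ethertype, "payload": frame[offset + 2:]}


def strip_outer_tag(frame: bytes) -> bytes:
    """Remove the outermost 802.1Q tag (4 bytes after the two MAC addresses)."""
    return frame[:12] + frame[16:]


def double_tag(dst: str, src: str, ethertype: int, payload: bytes,
               outer_vlan: int, inner_vlan: int) -> bytes:
    """Attacker frame: outer tag = native VLAN, inner tag = the target VLAN."""
    inner = build_frame(dst, src, ethertype, payload, inner_vlan, native_vlan=0)  # force a tag
    return inner[:12] + struct.pack("!HH", TPID_8021Q, outer_vlan) + inner[12:]


def trunk_egress(frame: bytes, access_vlan: int, native_vlan: int = NATIVE_VLAN) -> bytes:
    """Simplified switch (assumption): a frame received on an access port in
    access_vlan is sent out on the trunk. A tag equal to the access VLAN is
    accepted and removed; the frame then leaves untagged if access_vlan is
    the native VLAN, otherwise it is tagged with access_vlan."""
    p = parse_frame(frame, native_vlan=access_vlan)
    if p["vlan"] != access_vlan:
        raise ValueError("tagged for another VLAN: dropped at the access port")
    body = strip_outer_tag(frame) if p["tagged"] else frame
    if access_vlan == native_vlan:
        return body                                # untagged on the trunk
    return body[:12] + struct.pack("!HH", TPID_8021Q, access_vlan) + body[12:]


if __name__ == "__main__":
    bcast, host = "ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55"
    print(parse_frame(build_frame(bcast, host, 0x0800, b"\x45" * 20, vlan=30, pcp=5)))
    evil = double_tag(bcast, host, 0x0800, b"x", outer_vlan=1, inner_vlan=30)
    print("native=1  :", parse_frame(trunk_egress(evil, 1, native_vlan=1))["vlan"])      # 30
    print("native=999:", parse_frame(trunk_egress(evil, 1, native_vlan=999), 999)["vlan"])  # 1
```

With the native VLAN left at 1, the first switch strips the outer tag (it is native, so the trunk sends it untagged) and the inner tag 30 is what the next switch reads: the frame has hopped into VLAN 30. With the native VLAN set to an unused 999, the frame leaves tagged as VLAN 1 and the inner tag stays buried.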

NAT, Network Address Translation

[Diagram: same topology as above (ISP, Modem, Firewall, IDS/IPS, DMZ with web/mail/file servers, Inside with VLAN2, VLAN3, VLAN4, Access Point, PDA, Laptop, Outside). A packet with destination address DA = 10.0.0.10 (the outside IP address) is rewritten by the NAT table entry 10.0.0.10 -> 10.0.0.12 to DA = 10.0.0.12.]

NAT, Network Address Translation

Private addresses: RFC 1918 reserves the following 3 IP address ranges:
1 class A network: 10.0.0.0/8
16 class B networks: 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
256 class C networks: 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
These addresses are for private, internal networks. Packets carrying these addresses are not routed on the Internet.

NAT?

Inside local address: the address assigned to a host inside the internal network.
Inside global address: a legitimate (public) IP address provided by the ISP; this address represents one or more internal addresses to the outside world.
Outside local address: the private address of a host outside the internal network, as it is seen from inside.
Outside global address: the legitimate public address of a host outside the internal network.

How NAT works

Static NAT: translates one private IP address into one specific public IP address (one-to-one).
In static NAT, the computer with IP address 192.168.32.10 will always translate to 213.18.123.110.

How NAT works

Dynamic NAT: translates a private IP address into a public IP address taken from a given pool of addresses.
In dynamic NAT, the computer with IP address 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150.

NAT Overload, or PAT

A form of dynamic NAT that translates many private IP addresses into one public IP address (many-to-one) by giving each connection a different port number.
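The three NAT forms from the last three slides and the RFC 1918 check from slide 55, as one added example (not code from the lecture): a translation table that tries a static mapping first, then leases an address from a dynamic pool, and falls back to PAT/overload once the pool is exhausted, with the reverse lookup that inbound replies need. The slide's addresses (192.168.32.10, 213.18.123.110, the 213.18.123.100-150 pool) are reused; the overload address 213.18.123.99, the port range and the table layout are assumptions.

```python
"""Added example (not from the lecture): static NAT, dynamic NAT and PAT
(overload) in one translation table, plus the RFC 1918 private-address check.

Addresses from the slides are reused; the overload address, port range and
table layout are assumptions for the illustration.
"""
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True for the three RFC 1918 ranges, which are not routed on the Internet."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


class NAT:
    def __init__(self, static: Optional[dict] = None, pool: Optional[tuple] = None,
                 overload_ip: Optional[str] = None, port_range=(1024, 65535)):
        self.static = dict(static or {})                   # inside local -> inside global
        self.pool: list[str] = []                          # dynamic pool, first free wins
        if pool:
            lo, hi = IPv4Address(pool[0]), IPv4Address(pool[1])
            self.pool = [str(IPv4Address(i)) for i in range(int(lo), int(hi) + 1)]
        self.dynamic: dict[str, str] = {}                  # inside local -> leased global
        self.overload_ip = overload_ip
        self.next_port, self.port_max = port_range
        self.pat: dict[tuple[str, int], tuple[str, int]] = {}  # (global ip, port) -> (local ip, port)

    def translate(self, src_ip: str, src_port: int) -> tuple[str, int]:
        """Outbound packet: return the (inside global address, port) it leaves with."""
        if not is_private(src_ip):
            return src_ip, src_port                        # public source: nothing to translate
        if src_ip in self.static:                          # 1. static: fixed one-to-one
            return self.static[src_ip], src_port
        if src_ip in self.dynamic:                         # 2. dynamic: reuse the current lease
            return self.dynamic[src_ip], src_port
        used = set(self.dynamic.values())
        for cand in self.pool:                             #    or take the first free pool address
            if cand not in used:
                self.dynamic[src_ip] = cand
                return cand, src_port
        if self.overload_ip:                               # 3. PAT: one address, many ports
            for key, flow in self.pat.items():
                if flow == (src_ip, src_port):
                    return key                             # existing flow keeps its port
            if self.next_port > self.port_max:
                raise RuntimeError("PAT port range exhausted")
            key = (self.overload_ip, self.next_port)
            self.next_port += 1
            self.pat[key] = (src_ip, src_port)
            return key
        raise RuntimeError("no translation available: pool exhausted and no overload address")

    def untranslate(self, dst_ip: str, dst_port: int) -> tuple[str, int]:
        """Inbound reply: map the global destination back to the inside host."""
        if (dst_ip, dst_port) in self.pat:
            return self.pat[(dst_ip, dst_port)]
        for local, glob in {**self.static, **self.dynamic}.items():
            if glob == dst_ip:
                return local, dst_port
        raise KeyError("no NAT entry: unsolicited inbound packet is dropped")


if __name__ == "__main__":
    nat = NAT(static={"192.168.32.10": "213.18.123.110"},
              pool=("213.18.123.100", "213.18.123.150"),
              overload_ip="213.18.123.99")
    print(nat.translate("192.168.32.10", 5000))   # ('213.18.123.110', 5000)  static
    print(nat.translate("192.168.32.11", 5000))   # ('213.18.123.100', 5000)  first free pool address
    print(nat.translate("203.0.113.4", 1))        # ('203.0.113.4', 1)        already public
```

The final `KeyError` in `untranslate` is the side effect that makes NAT look like a firewall: an inbound packet with no table entry has nowhere to go. It is not a substitute for one, since anything an inside host initiates is allowed back in regardless of content.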

Media security

Transmission media: coaxial cable, UTP/STP, fiber, wireless
Storage media: FDD, HDD, tape, CD/DVD, flash disk

Media security: coaxial cable

The oldest cabling technology.
Consists of several shielding layers around a core conductor.
Vulnerable to physical attacks (tapping the cable).

Media security: UTP/STP

Unshielded Twisted Pair: the most common LAN cable. Can reach Gigabit speeds. Affected by interference.
Shielded Twisted Pair: resists interference; used in industrial environments.

Media security: Fiber

Glass core with an outer cladding.
Can only be eavesdropped on at splice and junction points. (Clip-on bend couplers can also extract light from a fiber run, so fiber paths still need physical protection.)

Media security: Wi-Fi

Consists of access points and wireless cards.
Higher risk than a wired system.

Media security: Wi-Fi

Countermeasures:
Disable SSID (Service Set Identifier) broadcast
MAC filtering
WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access), WPA2
PKI (Public Key Infrastructure), i.e. certificate-based authentication
Hiding the SSID and MAC filtering only deter casual users, since both the SSID and client MAC addresses are visible over the air, and WEP is cryptographically broken. Of the options listed, only WPA2, ideally with certificate-based authentication, should be relied on.


Media security: FDD

Rarely used any more.
1.44 MB capacity.
Used for booting and repairing systems.

Media security: HDD

The main storage device. Standards: SCSI, IDE, SATA.
Prices are falling.
Data should be encrypted.
RAID should be used.

Media security: Tape

Used for backup storage.
Slower than hard disks.
Cheap.
Durable.

Media security: CD/DVD

[Slide content not captured in the transcript.]

Media security: Flash disk

Compact. Getting cheaper all the time.
Should not be used to store important data (easily lost or stolen).

Network security policies

[Diagram: same topology as above (ISP, Modem, Firewall, IDS/IPS, DMZ with web/mail/file servers, Inside with VLAN2, VLAN3, VLAN4, Access Point, PDA, Laptop, Outside)]

Policy example: Permit: Google; Deny: YIM (Yahoo! Messenger)

Low-layer security baselines

Designed in from the start.
System documentation: establish and maintain the documentation, and update it whenever there is a change.
Close unnecessary ports and services.

Case study

Setting up a firewall and VPN system for an enterprise.