APPLYING PACKET CAPTURE TECHNOLOGY
HO CHI MINH CITY - 2007
2.2 NETWORK DATA IN WINDOWS AND PACKET FILTERING TECHNIQUES
3.1 OVERVIEW OF USER-MODE AND KERNEL-MODE 33
CHAPTER 5 HUFLIT POWER FIREWALL SOFTWARE MODEL
CHAPTER 6 CONCLUSION AND FUTURE DEVELOPMENT 85
We sincerely thank the Faculty of Information Technology, Ho Chi Minh City University of Foreign Languages and Information Technology, for giving us the conditions to carry out this thesis well.
To complete this thesis, we would like to respectfully thank
we learned a great deal and gained much experience during the time we worked on the thesis
Once again, we sincerely thank the teachers of
and the knowledge needed throughout our studies at the university, and we do not forget to send our deep gratitude to our parents
us in difficult times as well as throughout the past years of study
our own efforts, but our thesis certainly cannot avoid shortcomings, and we hope for the understanding and dedicated guidance of our teachers
Today, safety and security of information on the network is an essential need as the Internet grows rapidly. The need to share information over
Internet connectivity makes it easy to search for information, shop, exchange and communicate with everyone for many different purposes. However, through that connection, the risk of being attacked or of unauthorized access to the computer
is unavoidable.
WHY USE A FIREWALL
Therefore, safety and security of information on the network is an important issue
social stability, and the inheritance and promotion of the national culture. That is necessary in the process of integration and development of our country.
information security on the network, such as cryptographic techniques and anti-virus and anti-spyware software. One technique that also meets this need is the Firewall technique.
from outside into the internal network
system. In addition, a Firewall can help the computer avoid attacks
without being aware of it. Using a firewall becomes necessary if the computer
is always connected to the Internet.
CHAPTER 1 OVERVIEW OF FIREWALLS
1.1 OVERVIEW
In information networking technology, a Firewall is a technique integrated into the network system to prevent unauthorized access, in order to protect internal information sources and limit unwanted intrusion into the system. Like a shield, a Firewall protects the network system by controlling the flow of information in and out between the internal network (Intranet) of an individual, company, organization or country and an outside network such as the Internet.
A Firewall is a hardware- or software-based solution used to inspect data coming from outside into the computer or going from the computer to the outside
the communication data between their computer and other computers or systems. A Firewall can be seen as a guard whose task is to check the
"pass" of every data packet entering or leaving the user's computer, letting only valid packets through and discarding all invalid packets.
1.1.1 Origins of the Firewall
Firewall technology first appeared in the late 1980s, when the Internet was still a fairly new technology in terms of connectivity and use
serious breaches of internetwork security occurred in the late 1980s. In 1988, an employee at the NASA Ames research center
San Diego, Lawrence Livermore, Stanford, and NASA Ames." The virus known as the Morris Worm was spread through e-mail and at the time was a common nuisance even for the most harmless users. The Morris Worm was the first large-scale attack on Internet security. The network community was not at all prepared for such an attack
and was completely taken by surprise. Afterwards, the Internet community decided that
the top priority was to prevent any further attack
1.1.2 History of Firewall Development
In 1988, the first paper on firewall technology was published, when Jeff Mogul of Digital Equipment Corp developed the first filtering systems, known as packet-filtering firewalls. This fairly basic system was
the first generation of what would later become a highly developed network security feature.
From 1980 to 1990, two researchers at AT&T Bell Laboratories, Dave Presotto and Howard Trickey, developed the second generation of firewalls, known as circuit-level firewalls.
AT&T Laboratories and Marcus Ranum described the third generation of firewalls,
Ranum initiated the creation of the first commercial product. This product was released by Digital Equipment Corporation (DEC) under the name SEAL. DEC's first sale was on September 13, 1991, to a
At AT&T, Bill Cheswick and Steve Bellovin continued their research on packet filtering and developed a working model for their own company, based on the architecture of their first-generation firewall. In 1992, Bob Braden and Annette DeSchon at the University of Southern California developed the fourth-generation packet-filtering firewall system. This product, named "Visas", was the first system with an interface using colors and icons; it could easily be installed as software on operating systems such as Microsoft Windows and Apple's Mac/OS and accessed from those operating systems.
In 1994, an Israeli company named Check Point Software Technologies built this product into a software package ready for
based on Kernel Proxy technology. This design has been continually improved
in both home and commercial computer systems. Cisco, one of
in 1997
packets by sharing this function with an intrusion prevention system
1.1.3 Basic Functions of a Firewall
The main function is information security: controlling and directing the flow of information between the Intranet and the Internet. This means that a Firewall can be set up not only to allow or block different kinds of access from the Internet into the internal network, but also to allow or block
normally the Firewall is placed between the Intranet and the Internet. The system function diagram of the Firewall is described in Figure 1.1
[Figure 1.1: Firewall system function diagram; recoverable label: Private Network]
» A Firewall has the following main functions:
(from the Intranet to the Internet)
(from the Internet into the Intranet)
1.1.4 Firewall Classification
Several companies manufacture Firewall products, and a Firewall can be implemented as a hardware Firewall or a software Firewall, or even a combination of both types
» Hardware Firewall (Firewall Hardware)
the computer or network and the cable or DSL modem. Many vendors and Internet service providers (ISPs) offer "Router" devices that also include Firewall features. A hardware Firewall is effective at protecting many computers while still providing a high level of security for a single computer. If there is only one computer behind the Firewall, or if all the other computers on the network are updated with free patches against viruses, worms and malicious code
A hardware Firewall has the advantage of separating the devices, which run on their own operating system, so they provide the ability to resist attacks. However, a major limitation is cost.
Overall, hardware Firewalls provide a higher level of protection than software Firewalls and are easier to maintain. A hardware Firewall also has another advantage: it does not consume system resources on the computer the way a software Firewall does.
A hardware Firewall is a very good choice for small businesses, especially for companies that share an Internet connection. The Firewall and a router can be combined on the same hardware system, and that system used to protect the whole network.
Among the companies supplying hardware Firewalls are
Linksys [4] and NetGear [5]. The hardware Firewall features supplied by these companies are usually built into the routers used for the networks of small businesses and home networks.
[Figure: hardware firewall model; recoverable label: Hardware Firewall, usually part of a TCP/IP Router]
» Software Firewall (Firewall Software)
If you do not want to spend money on a hardware Firewall, a software Firewall can be used. In terms of price, software Firewalls are usually not as expensive as hardware Firewalls; some are even free and can be downloaded from the Internet.
Compared with hardware Firewalls, software Firewalls allow more flexibility, especially when the settings need to be adjusted to suit the particular needs of each company. They can work well on many different systems, unlike a hardware Firewall integrated with a router, which only works well in small networks. A software Firewall is also a suitable choice for laptops, since the computer remains protected wherever it is taken.
Some operating systems come with a Firewall; if the operating system does not, one can easily be obtained from computer stores, software vendors or Internet service providers. Since there are many risks in downloading software from the Internet onto an unprotected computer, it is best to install the Firewall from a CD, DVD or floppy disk.
Because software Firewalls are flexible and cheaper than hardware Firewalls, we will focus on them for the rest of this thesis.
[Figure 1.3: Software firewall model; recoverable labels: Computer with Firewall Software (may also provide Internet Connectivity), Secure Private Network, Public Network, Private Local Area Network]
1.1.5 Limitations of Firewalls
can read and understand each type of information and analyze whether its content is good or bad. A Firewall can only block intrusion from unwanted information sources, and the address parameters must be clearly specified.
A Firewall cannot stop an attack if the attack does not "pass through" it. Specifically, a Firewall cannot defend against an attack
from a dial-up line, or against information leakage caused by data being illegally copied onto a floppy disk.
A Firewall also cannot defend against data-driven attacks. When some programs are transferred by e-mail, passing
One example is computer viruses. A Firewall cannot perform virus scanning on the data transferred through it. Because of working speed, the continuous appearance of new viruses and the many ways to encode data
will escape the Firewall's control.
Nevertheless, the Firewall remains an effective solution that is widely applied.
1.2 FIREWALL TECHNIQUES
A Firewall can use one or a combination of the techniques below to
can also be regarded as a way of classifying Firewalls from a technical point of view
» The following are some of those techniques:
1.2.1 Packet Filter (Packet-Filtering Router)
» Model
[Figure: packet-filtering router model; network stack 5 Application, 4 Transport Control Protocol (TCP), 3 Internet Protocol (IP); unknown traffic is only allowed up to level 3 of the network stack; Allowed Outgoing Traffic]
» Principle
When talking about data traffic between networks through a Firewall, it means that the Firewall works closely with the TCP/IP protocol. Because this protocol works by an algorithm that splits the data received from applications on the network, or more precisely from the services running
packets), then assigns these packets addresses so that they can be identified and reassembled
packets and their address numbers.
The packet filter allows or denies each packet it receives. The filter examines the whole data segment to decide whether it satisfies one of the packet-filtering rules
header) as follows:
If the packet-filtering rule is satisfied, the packet is passed through the Firewall; otherwise the packet is discarded. In this way the Firewall can block connections to specified hosts or networks, or
block access to the internal network from disallowed addresses. Furthermore, controlling the ports lets the Firewall allow only certain types of connection to certain types of host, or allow only
certain services (Telnet, SMTP, FTP ...) to run on
the local network.
» Advantages
Most Firewall systems use a packet filter. One of
is already included in every Router software.
» Disadvantages
Defining packet-filtering modes is a fairly complex task, requiring the network administrator to have detailed knowledge of Internet services, the forms
and is easily fooled by IP spoofing. As the filtering requirements grow, the filtering rules become longer and more complex, and very hard to manage and control.
Because it works on packet headers, the packet filter clearly cannot control the information content of the packets. Packets passing through can still carry actions intended by attackers to steal information or cause damage.
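The header-based rule matching described in this section, as an added example (not code from the thesis): a first-match packet filter in C that parses the IPv4 and TCP/UDP header fields (addresses, protocol, ports) and evaluates them against a rule table. The rule set, the sample packets, the IP() helper and the decide() wrapper are constructed for the demo; a packet matching no rule, or one whose header cannot be parsed, is dropped.

```c
/* Added example, not the thesis's code: first-match packet filtering on the IPv4/TCP
 * header fields the text lists. Rule table, packets and the IP() helper are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
typedef enum { PF_DROP = 0, PF_PASS = 1 } pf_action;
typedef struct {
    uint32_t src_ip, src_mask, dst_ip, dst_mask; /* mask 0 matches any address */
    uint8_t  proto;                              /* IP protocol number, 0 = any */
    uint16_t dst_port;                           /* 0 = any */
    pf_action action;
} pf_rule;
typedef struct { uint32_t src_ip, dst_ip; uint8_t proto; uint16_t src_port, dst_port; } pkt_hdr;
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
static uint32_t rd32(const uint8_t *p) { return IP(p[0], p[1], p[2], p[3]); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Pull the fields a packet filter inspects out of a raw IPv4 datagram.
 * Returns 0 when the buffer is too short or not IPv4; such packets are dropped. */
int parse_packet(const uint8_t *buf, size_t len, pkt_hdr *h) {
    if (len < 20 || (buf[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;               /* IP header length in bytes */
    if (ihl < 20 || len < ihl) return 0;
    h->proto  = buf[9];
    h->src_ip = rd32(buf + 12);
    h->dst_ip = rd32(buf + 16);
    h->src_port = h->dst_port = 0;
    if ((h->proto == 6 || h->proto == 17) && len >= ihl + 4) { /* TCP or UDP: ports follow */
        h->src_port = rd16(buf + ihl);
        h->dst_port = rd16(buf + ihl + 2);
    }
    return 1;
}

/* Walk the rules in order; the first match decides. No match means drop (default deny). */
pf_action filter_packet(const pf_rule *rules, size_t n, const pkt_hdr *h) {
    for (size_t i = 0; i < n; i++) {
        const pf_rule *r = &rules[i];
        if ((h->src_ip & r->src_mask) != (r->src_ip & r->src_mask)) continue;
        if ((h->dst_ip & r->dst_mask) != (r->dst_ip & r->dst_mask)) continue;
        if (r->proto && r->proto != h->proto) continue;
        if (r->dst_port && r->dst_port != h->dst_port) continue;
        return r->action;
    }
    return PF_DROP;
}

/* Constructed policy: only SMTP (25) and HTTP (80) over TCP may enter 192.168.1.0/24. */
static const pf_rule RULES[] = {
    { 0, 0, IP(192, 168, 1, 0), 0xffffff00u, 6, 25, PF_PASS },
    { 0, 0, IP(192, 168, 1, 0), 0xffffff00u, 6, 80, PF_PASS },
};

/* Build a minimal 40-byte IPv4 + TCP/UDP header (constructed sample, not a capture). */
static size_t build_packet(uint8_t *buf, uint32_t src, uint32_t dst, uint8_t proto, uint16_t sport, uint16_t dport) {
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[3] = 40; buf[9] = proto;             /* version 4, IHL 5, total length 40 */
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    return 40;
}

/* Filter one constructed packet end to end: PF_PASS, PF_DROP, or -1 when malformed. */
int decide(uint32_t src, uint32_t dst, uint8_t proto, uint16_t sport, uint16_t dport) {
    uint8_t buf[40]; pkt_hdr h;
    size_t len = build_packet(buf, src, dst, proto, sport, dport);
    if (!parse_packet(buf, len, &h)) return -1;
    return filter_packet(RULES, sizeof RULES / sizeof RULES[0], &h);
}
```

The same rule shape also covers the section's point about blocking by source address: a rule with a non-zero src_mask and PF_DROP placed first refuses a whole network before the allow rules are consulted.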
1.2.2 Application Gateway (Application-Level Gateway or Proxy Server)
» Model
[Figure 1.5: Application Level Gateway model; network stack 5 Application, 4 Transport Control Protocol (TCP), 3 Internet Protocol (IP); traffic is allowed as specified applications (such as a browser) or a protocol, such as FTP, or combinations; unknown traffic is allowed up to the top of the network stack; Incoming Traffic, Allowed Outgoing Traffic]
» Operating principle
This is a type of Firewall designed to strengthen the control function
A Proxy Server is a type of Gateway that hides the real network address of the computer connecting through it. A Proxy Server connects to the Internet, creates requests for pages and connections to servers, and receives data on behalf of the computers behind it. The capability of this Firewall lies in the fact that a proxy can be configured to let through only the main kinds of traffic, such as HTTP files or web pages. A Proxy Server may slow down network performance, since it must actively analyze and handle the traffic passing through it.
Proxy Servers are special program suites installed on the Gateway for each application. If the network administrator does not install the Proxy program for some application, the corresponding service is not provided and therefore cannot transfer information through the Firewall. In addition, the Proxy Code can be configured to support only those features of the application that the network administrator considers acceptable, while refusing other features.
An application gateway is often regarded as a bastion host, because it is specially designed to resist attacks from outside.
» Advantages
on the network, because the Proxy application restricts the command set and decides which hosts can be accessed by the services.
Allows the network administrator to fully control the services
means those services are blocked.
The application gateway allows very good authentication checking and keeps logs recording information about system access.
Filtering rules for an application gateway are easier to configure and check than for a packet filter.
» Disadvantages
Requires users to modify their procedures, or to modify the software already
For example, Telnet access through an application gateway requires two steps to connect to the host instead of just one. However, some client software already makes the application gateway transparent, by letting the user specify the destination machine rather than the application gateway in the Telnet command.
1.2.3 Circuit Gateway (Circuit level Gateway)
[Figure 1.6: Circuit level Gateway model; network stack 5 Application, 4 Transport Control Protocol (TCP), 3 Internet Protocol (IP); unknown traffic is only allowed up to level 4 of the network stack; Incoming Traffic, Allowed Outgoing Traffic]
» Principle
A circuit gateway is a special function that can be performed by an application gateway. The circuit gateway simply relays TCP connections without performing any processing or packet filtering.
Figure 1.7 illustrates a Telnet connection through a circuit gateway. The circuit gateway simply relays the telnet connection through the Firewall without performing any inspection, filtering or control of the Telnet procedures. The circuit gateway works like a wire, copying bytes between the inside connection and the outside connection. However, because the connection appears to originate from the Firewall system, it hides information about the internal network.
Circuit gateways are usually used for outgoing connections, where
is that a bastion host can be configured as a hybrid, providing an application gateway for incoming connections and a circuit gateway for outgoing connections. This makes the firewall system easy to use for people inside
providing the firewall function to protect the internal network from outside attacks.
[Figure 1.7: Circuit gateway; recoverable labels: inside host, Circuit-level Gateway, outside host]
1.3 SOME COMMON FIREWALL SOFTWARE
There are many suppliers of Firewall software
1.3.1 Windows Firewall
Windows XP. The first version appeared in Windows XP SP2; it protects the programs and information on a personal computer against intrusion from outside, especially when the user accesses the Internet. Windows Firewall works as a program against computer worms. A computer worm is similar to a virus, but operates more independently and can infect automatically without the help of other programs
allowed from inside the system to the outside. Therefore, the security situation is not much better.
Many experts even advise that this firewall software should be replaced as soon as possible.
1.3.2 Internet Security Systems (ISS): BlackICE PC Protection
A product for single computers or small networks. BlackICE [6] is an easy-to-use Firewall, very good at preventing hackers from planting viruses on the computer.
1.3.3 Network Associates: McAfee Personal Firewall [7]
This product records detailed information about all suspicious intrusions and exercises very strong control over outgoing traffic as well as
1.3.4 Symantec: Norton Personal Firewall
This product from Symantec [8] is also very good at monitoring traffic in both directions.
1.3.5 Zone Labs: ZoneAlarm
The program's features also support multiple connections to many different networks. Besides the free ZoneAlarm product, ZoneLabs [9] also offers 3 other products on their website: ZoneAlarm Pro, ZoneAlarm Pro with Web Filtering, and ZoneAlarm Plus. All 3 of these products are much richer in features than the free version, and all are easy to use.
1.4 THESIS OBJECTIVES
Based on the overview of Firewalls, the objective of this thesis is to study, research and apply packet capture technology (Packet filtering) to building Firewall software for Windows 2000 and later
» With the functions needed for security software as follows:
or close the necessary ports
» With 2 versions developed as follows:
Client machines
Server machines
1.5 THESIS STRUCTURE
» The thesis consists of the following 5 chapters:
• Chapter 1: Overview of Firewalls
Presents the concept, functions, classification, limitations and techniques of Firewalls, as well as some common Firewall software
• Chapter 2: Method for building Firewall software on Windows
Studies the packet filtering technique and the application models as well as the software model of the Firewall
• Chapter 3: Programming Kernel-Mode Drivers on Windows
• Chapter 4: Method for developing a Firewall-Hook Driver
Issues related to the Firewall-Hook Driver and the hooking technique of this Driver
• Chapter 5: HUFLIT Power Firewall software model
Building a demo program that implements the Firewall-Hook Driver technique
1.6 CHAPTER SUMMARY
A Firewall is only one tool for protecting a computer network and must be accompanied by many other security measures. By understanding the general concepts of Firewalls and some of their specific characteristics, one can invest in and use a Firewall sensibly to add the security a network system, an organization or an individual needs.
CHAPTER 2 METHOD FOR BUILDING FIREWALL SOFTWARE ON WINDOWS
Today, when building a Firewall for Linux, it is very easy to find plenty of information as well as source code. But writing a Firewall for Windows is extremely difficult, because almost all Firewall software for Windows is packaged and sold at a very high price if complete source code is included. In addition, there is also some free software, but
Assume the Firewall is written for use on a Windows system that has no Firewall software installed.
Programming language: C/C++
Development tools: DDK, VC++ 2005 (MFC), DebugView, InstDrv
between the computer and the Internet, so these connections are closely tied to IP packets. Therefore, to design a Firewall in Windows, one first needs to
With this understood, the packet-filtering techniques for network data on Windows form the basis for building a Firewall.
2.2.1 Network Data in Windows
[Figure: Windows networking architecture; recoverable labels: Windows Sockets 1.1 API; Windows Sockets 16-bit 1.1 Application, Windows Sockets 32-bit 1.1 Application, Windows Sockets 32-bit 2.0 Application; Mswsock.dll, Wshelp.dll, Ws2_32.dll; Name Space DLLs: Nwprovau.dll, Rnr20.dll, Winrnr.dll; Msafd.dll; NDIS Hooking Filter; NDIS Protocol Driver; Nbf.sys, NetBT.sys; Other TDI Client Drivers; Netcard]
packets in the network,
In fact, later Windows versions also add many more packet-processing layers. Therefore, packet-filtering techniques have become more diverse as well. This thesis only lists the names of some techniques and goes into depth only on the Firewall-Hook
Essentially, building a Firewall means building an application whose main function is packet filtering. In the Windows network architecture, based on the path
the concepts of Kernel-Mode and User-Mode will be covered later. Below, only the names of the packet-filtering techniques are presented
• Windows 2000 Filter-Hook Driver
2.3 SOME METHODS FOR WRITING A FIREWALL
» From the packet-filtering techniques listed above, the following can be applied as the core component for writing a Firewall:
2.4 FIREWALL DESIGN MODEL
2.4.1 Application model
[Figure 2.3: Application model of the Firewall; recoverable labels: Internet, IP, PORT]
This model clearly shows the scope of the Firewall's operation. The Firewall acts as a wall, controlling the IPs and Ports between the computer and the outside network.
For example, when applications inside the machine such as Internet Explorer, Yahoo Messenger or online games are used to communicate with the Internet, every connection, whether from inside or from outside, must pass through the Firewall. The IPs and Ports are processed by the Firewall at this point.
» Based on this model, the structure of the components needed to build a Firewall for Windows becomes visible. From here, the Firewall's operation can be understood as follows:
(1) The packet passes through the network card
(3) The Firewall Driver filters the packet from the IP Driver
whether the GUI accepts or rejects the packet
(5) The GUI answers the Firewall Driver, saying whether or not it agrees to let the packet through.
(6) One of two cases occurs:
• If the GUI sends the command to let it through, the Firewall Driver asks the IP Driver to pass it on through the network card and out the other port, as in steps (7), (8)
• If the GUI sends the command not to let it through, the Firewall Driver asks the IP Driver not to pass it through the other port of the network card.
» Based on this way of working, a basic Firewall needs the following components:
• GUI (in User-Mode): the Firewall's application interface, which lets the user operate the Firewall easily. Usually, for the GUI to communicate with the Driver, the programmer chooses to program in MFC (C++ language).
• Firewall Driver (in Kernel-Mode): the main component of the Firewall software, the bridge between the IP Driver and the GUI. This component can be written in User-Mode, in which case it is called a User-Mode Driver; if written in Kernel-Mode it is called a Kernel-Mode Driver. This Driver is written in C/C++.
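The decision flow in steps (3) to (6), as an added example (not the thesis's Firewall-Hook Driver or GUI): a user-mode C simulation in which the driver consults a GUI callback for each new flow and caches the answer, so later packets of the same connection are decided without another round trip. The pkt_summary layout, the per-flow cache, the sample_gui() policy and the traffic are constructed assumptions.

```c
/* Added example, not the thesis's driver code: a user-mode simulation of the verdict
 * exchange between the Firewall Driver and the GUI in steps (3) to (6). The packet
 * summary, per-flow cache, GUI policy and traffic are constructed for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
typedef enum { VERDICT_DROP = 0, VERDICT_PASS = 1 } verdict;
typedef struct {
    uint32_t remote_ip;
    uint16_t remote_port;
    uint8_t  proto;      /* IP protocol number: 6 = TCP, 17 = UDP */
    uint8_t  outbound;   /* 1 = leaving the host, 0 = arriving from the network */
} pkt_summary;
#define CACHE_SIZE 16
/* The driver keeps each GUI answer per flow so the user is asked once per
 * connection, not once per packet (a hypothetical cache layout). */
typedef struct {
    struct { pkt_summary key; verdict v; int used; } cache[CACHE_SIZE];
    int next;                                  /* round-robin replacement slot */
    int asked_gui;                             /* how often steps (4) and (5) ran */
    verdict (*ask_gui)(const pkt_summary *);   /* step (4) up to the GUI, (5) back */
} fw_driver;

static int same_flow(const pkt_summary *a, const pkt_summary *b) {
    return a->remote_ip == b->remote_ip && a->remote_port == b->remote_port &&
           a->proto == b->proto && a->outbound == b->outbound;
}
void fw_init(fw_driver *d, verdict (*ask)(const pkt_summary *)) {
    memset(d, 0, sizeof *d);
    d->ask_gui = ask;
}

/* Step (3): the IP Driver hands a packet to the Firewall Driver; the verdict
 * returned here is what the IP Driver applies in step (6). */
verdict fw_filter(fw_driver *d, const pkt_summary *p) {
    for (int i = 0; i < CACHE_SIZE; i++)
        if (d->cache[i].used && same_flow(&d->cache[i].key, p))
            return d->cache[i].v;              /* known flow: no round trip to the GUI */
    d->asked_gui++;
    verdict v = d->ask_gui(p);                 /* steps (4) and (5) */
    d->cache[d->next].key = *p;
    d->cache[d->next].v = v;
    d->cache[d->next].used = 1;
    d->next = (d->next + 1) % CACHE_SIZE;
    return v;
}

/* Constructed stand-in for the user's answer in the GUI: allow outbound TCP to
 * ports 80 and 443, refuse everything else, inbound connections included. */
verdict sample_gui(const pkt_summary *p) {
    if (p->outbound && p->proto == 6 && (p->remote_port == 80 || p->remote_port == 443))
        return VERDICT_PASS;
    return VERDICT_DROP;
}

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
/* Constructed traffic on documentation addresses; returns the number of packets
 * passed and reports how many times the GUI was consulted. */
static int scenario(int *asked) {
    fw_driver d;
    fw_init(&d, sample_gui);
    const pkt_summary seq[] = {
        { IP(203, 0, 113, 10), 80, 6, 1 },   /* outbound HTTP: GUI asked, allowed */
        { IP(203, 0, 113, 10), 80, 6, 1 },   /* same flow: answered from the cache */
        { IP(198, 51, 100, 7), 23, 6, 0 },   /* inbound Telnet: GUI asked, refused */
        { IP(203, 0, 113, 10), 443, 6, 1 },  /* outbound HTTPS: GUI asked, allowed */
    };
    int passed = 0;
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++)
        passed += fw_filter(&d, &seq[i]) == VERDICT_PASS;
    if (asked) *asked = d.asked_gui;
    return passed;
}
int demo_passed(void)      { return scenario(NULL); }
int demo_gui_queries(void) { int n = 0; scenario(&n); return n; }
```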
2.5 CHAPTER SUMMARY
[Figure: Windows User-Mode Components]
To understand clearly what a Firewall-Hook Driver is, one first needs an overview of the components that make up Windows (Windows components) as well as the concept of a Driver [11].
3.1 OVERVIEW OF USER-MODE AND KERNEL-MODE
3.1.1 Components of Windows
The Windows structure as defined by Microsoft is divided into two basic parts: