Tìm hiểu vấn đề bảo mật mạng thông tin bằng công cụ của microsoft ứng dụng xây dựng hệ thống bảo mật cho tổ chức có quy mô vừa và nhỏ

Chuang 1 V~n d@bao m~t m~g thong tin va cac d6i tugng '" Trang 7/83Nhfrng m6i nguy hi~m ti@mnang do co th~ 1a OOfrngY\l pha ho~ihay OOungV\l thfun OO~pb~t hgp phap OO~mdanh x~p cac dich

BO GIA.O DUC vA DAo TAOTRUONG DAI HOC DAN LAp NGOAI NGU.- TIN HOC TP.HCM

KHOA CONG NGH~ THONG TIN

TIM HIEU VAN DE BAo MAT MANG THONG TIN

CHUC CO QUY MO VITA VA NHO

GIANG vrEN HUONG nAN: NGUYEN BINH DUONG

NGUYEN TAN PHAT

TP HO CHi MINH -2005

LOi cam on

Nh6m sinh vien lam d~ tai xin gui lai cam an chan thanh d~n thfiy NguySn

Binh Duang giang vien tIVc ti~p huang dful.Trang subt thai gian thlJC hi~n d~tai, dti con nhi~u cong vi~c nhung nh6m vfin nh~n dugc rftt nhi~u SlJh6 trg tuphia thfiy, cac y ki~n, nh~ xet va danh gia cua thfiy dff lam cho d~ tai dugc hoanthi~n han.Tuy nh6m chua c6 kinh nghi~m thlJc t~ nhi~u nhung qua thfiy cling dffthfty dugc cac nhu cfiu v~ bao m~t trong thlJc t~ hi~n nay.Va tu d6 huang di cuad~ tai cling sat thlJc t~ va dap tmg dugc cac yeu cfiu cua thlJc t~

Ngoai ra nh6m thlJc hi~n cling gui lai cam an d~n thfiy Vli Thanh Hi~n

(quy~n truang khoa CNTT truang DHDL Ngo~i ngu - Tin hQc TP.HCM) Tuythfiy khong trlJc ti~p huang dful nhung nh6m cfing dff nh~n dugc SlJh6 trg cuathfiy v~ nhi~u m~t Tu nhung SlJgiup dO't~n tinh d6 nh6m m6i c6 th@hoan thanhd~ tai

M<)t Ifill nua xin dugc gui lai cam an d~n thfiy NguySn Binh Duong vathfiy Vli Thanh Hi~n vi nhfrng SlJgiup dO'rna cac thfiy dff danh cho nh6m

Nhom thl}.'chi~n d~titi

Co nhiSu d6i tugng cfin duQ'c baa v~ nhu dS baa v~ cac cong trinh kiSntruc kh6i h6a ha~ nguai ta xay dVng h~ th6ng phong chay chua chay, dS baa v~can nguai truac nhfrng cai x~u nguai ta t~ara phap lu~t hay dS ch6ng h;linhungcu(>ct~n cong cua m(>tnhom nguai, nguai ta xay d\fng nhung thanh tri Va dSbaa v~ m(>th~ th6ng m~ng, nguai ta xay d\fng h~ th6ng baa m~t cha h~ th6ngm~ng do.

DS xay d\ffig m(>th~ th6ng baa v~ m(>th~ th6ng m~ng, nguai ta co nhiSucach va nhiSu cong ClfdS xay d\fng DS tai nay t~p trung tim hiSu cac bi~n phap

va cac cong Clfbaa m~t duQ'cdua ra boi Micrasaft nh~m xay d\fng m(>tgiai phapbaa v~ cha m(>tm~ng

Giai phap rna dS tai dua ra khong nh~m vaa m(>tmo hinh ClfthS nao rna lam(>tgiai phap t6ng quat co t)1Sap dlf~g cha nhiSu mo hinh ClfthS

Vai mlfc dich tim hieu van de baa m~t hi~n nay va dua ra giai phap baam~t taan Vttncha m(>th~ th6ng m~ng, dS tai duQ'cchia lam 5 chuang Co thS noim6i chu~g la m(>tbu~c tr<?ngqua trinh tim hiSu dS dua ra giai phap ,baa m~t saucung Phan I " Tim hieu van de baa m~t hi~n nay " tu chuang 1 den chuang 4t~p trung tim hiSu cac v~ dStrang baa m~t h~ th6ng m~ng hi~n nay, cac nguy

co co thS co, cac d6i tugng cua v~ dS baa m~t m~ng thong tin, cac phuang phapbaa m~t cha tUng la~i d6i tugng va cac cong Clfrna Microsaft dS th\Ic hi~n xayd\ffig m(>tgiai phap PhfinII "Giai phap baa m~t " chuang 5 neu len cac yeu cfiuchung cua m(>tt6 chuc co quy mo vua (ha~c nh6), co nhiSu chi nhanh trai trendi~n r(>ng va giai phap duQ'c dua ra d\fa tren cac cong Clfva phuang phap baam~t cua Microsaft

M1)C Ll)CpRAN I : TiM HIED VAN DE BAa MAT ~NG HIBN NAY.

Chuang 1 : Vfu1dS bao m?t m"mgthong tin va cac d6i tm;mg cua vfu1dS bao

1.2 Xac dinh cac d6i tuqng cua vfu1dS bao m?t m~ng TT Trang 3

2.2 Cac phuang phap (] muc lu?n ly Trang 10

4.3 Internet Security and Acceleration Server (ISA) 2000 Trang 34pRAN II : GIAI PIMP BAa MAT

Chuang 5 : Giai phap bao m?t h~ th6ng m~ng cho t6 chuc co quy mo vua va

5.2 Cac yeu d.u cua t6 chuc khi tri~n khai h~ th6ng m~g va h~ th6ng bao

5.3 Cac vfu1dS quan Himkhi tri~n khai giai phap Trang 42

Chuang 6 : Xay d\ffig h~ th6ng bao m?t h~ th6ng m~ng cho cac t6 chuc co

6.2 Phan tich yeu cfiu cua t6 chuc Trang 536.3 Thi~t l?p chuA~bao m?t cho h~ th6ng m~ng Trang 55

KSt lu~n de Uli Trang 76

Chuang 1 V~n d~ bao m~t m~g thong tin va cac d6i tugng Trang 6/83

pHAN I : TIM HIED VAN DE BAo MAT MANG HIEN

1.1-V~ d~ bao m~t m~ng thong tin

1.2-Xac diOOcac d6i tugng cua v~n d~ bao m~t m~ng thong tin

1.2.1.-Nhung thanh phfuI trong m~ng (tai nguyen)

1.2.1.1-Muc v~t Iy

1.2.1.2-Muc lu~n Iy

1.2.2-NhUng nguy cava hiSm hQa ti~m nang

1.3-KSt lu~

1.1 - yin d~ bao mat mang thong tin:

Trong thai d~i CNTT hi~n nay, vi~c lien kSt cac may tiOOI~i v6inhau t~o thaOOm9t m~ng dS thu~n ti~n cho vi~c chia se cac tai nguyengiua cac may trong m~g (may in, may scan, du li~u, cac t~p tin dungchung ) la m9t v~ d~ thiSt ySu, vira lam giam chi phi dftu tu vua tanghi~u qua su d\lng cac thiSt bi.Hftu nhu cac cong ty, xi nghi~p,truang hQcd~u co thiSt I~p m9t m~ng rieng cho cong ty minh va da s6 la co kSt n6ivao internet (m9t m~ng toan cftu, hiOOthanh d\fa tren S\f kSt n6i giua cacm~ng 006 han) ho~c kSt n6i v6i h~ th6ng m~ng khac Vi~c kSt n6i vaointernet d6i v6i m9t t6 chuc khong chi dan gian la c~p OO~tOOungthongtin m6i, gui nh~n thu di~n ill (e-mail) rna con la cach rna t6 chuc dogiao tiSp v6i thS gi6i ben ngoai, thlJc hi~n cac giao dich v6i cac d6i tac a

xa, quang ba hiOOaOOcua minh v6i thS gi6i, th\fc hi~n cac dich V\lthongqu~ i~ternet Ben ,c~nh OOung thu~ Igi ~a intern~t ~an~ I~i, ta cU1?-gthay rang internet rat r9ng Ian, mQi nguai deu co the ket noi vao va haunhu chfulg dugc ai quan Iy, chinh vi thS internet fin hi~n OOUngnguy ca

gay nguy h~i dSn h~ th6ng m~ng cua ta vi h~ th6ng m~ng cua ta co kSt n6idSn internet Va khong chi a internet rna cac m6i hiSm hQa ti~m tang docon dSnillOOungh~ th6ng m~ng khac co kSt n6i v6i h~ th6ng m~ng cua tarna khong dugc ta kiSm soat

Chuang 1 V~n d@bao m~t m~g thong tin va cac d6i tugng '" Trang 7/83

Nhfrng m6i nguy hi~m ti@mnang do co th~ 1a OOfrngY\l pha ho~ihay OOungV\l thfun OO~pb~t hgp phap OO~mdanh x~p cac dich V\l dugccung c~p bai mQt t6 chilc nao do d~ gianh 19i th@c~h tranh, hay nh~m d~danh c~p cac thong tin OO~ycam co tiOOch~t quan tn;mg d6i vm mQt cong

ty, t6 chilc nao do, Nhfrng m6i nguy hi~m ti@mnang do doi khi chi 1a S\fxam OO~pcua mQthacker(OOfrngnguai co ki@nthilc t6t v@h~ di@uhaOOval~p triOO)va d~ l~i mQt d~u ~n OO~mchUng t6 r~g h~ th6ng m~ng nay dff

bi anh ta xam OO~p,Tuy m\lc dich cua nhung cUQct~ cong do khac nhaunhung chUng co chung mQt di~m 1a gay nguy h~i d@nh~ th6ng m~mgcuachung tao

D~ ch6ng l~i OOfrngnguy cogay h~i, ta cAnxay d\filg mQt h~ th6ngm~ng rna trong do co nhfrng coch@bao m~t, OOungcoch@bao m~t nay 1at~t ca OOfrnggiai phap, pheln cUng ding nhu pheln m@m,nhung chiOOsachnh~m bao v~ h~ th6ng m~ng va cac tai nguyen ben trong no,lam giam t6i

da thi~t h~i khi co S\f c6, va hoan toan trong su6t d6i vai nguai su d\lng

ho~c gay phi@nha cho nguai su d\lng a muc th~p OO~td~ d~t dugc dQ antoan rna miOOmong mu6n

1.2 - Xac dinh cac d8i tU'O'ngclla vin d~ bao mat mang thong tin

D@ xay d\fng mQt h~ th6ng m~ng co tiOObao m~t cao, ta co th~ tham

khao cac buac sau (theo rfc2196):

1) Xac diOO nhfrng thanh pheln co trong h~ th6ng (Ia OOung tainguyen celnbao v~ )

2) Xac dinh chung ta celnphai ch6ng l~i OOungnguy conao

3) Xac dinh nhfrng m6i de d9a ti@mnang

4) Tri~n khai mQt h~ th6ng bao m~t hi~u qua

5) C~p OO~tOOfrngdi~m y@umai phcit hi~n ho~c dff timg m~c phaid~ phong tranh va sua chua kip thai

1.2.1-Nhu'ng thilnh ph~n trong he th8ng mang (tili nguyen)

1.2.1.1- Mu'c vat It(phisical):

- May chu (Server) : La mQt may tiOOm~nh dung d~ ch~y cac ungd\lng cung c~p cac dich Y\lOOuweb, mail, database 1atrung tam 1uu trudfr li~u Vi v~y server thuang 1am\lc tieu cua cac cUQct~n congo

- May tr~m (Workstation) : La cac may tiOOco c~u hiOOvira, ch~ycac Ung d\lng dan gian va 1acelun6i giua nguai dung va server Thuang 1avung d~m cua cac cUQct~n congo

Chuang 1 Vfin d~ bao m?t m~g thong tin va cac d6i tuQ11g Trang 8/83

- Cac thiSt bi m~ng (Network devices) : La cac thiSt bi dung d~ lienkSt cac may server, workstation l~i vai nhau t~o thanh m~ng

1.2.1.2- Mu'c luan Iy (logical):

- Dfr li~u (Data) : G6m tfit ca cac t?P tin (files), cac thu m\lc(folder), cac co sa dfr li~u (database).Nhfrng dfr li~u nay chinh la thong tindugc luu trfr Cac dfr li~u nay dugc luu trfr theo d~ng tho (khong dugc rnahoa hay nen), nen thuang bi nhfrng ke xam nh?p danh c~p, thay d6i

- Vng d\lng (Application) : G6m cac tmg d\lng ch~y a cac mayworkstation nhu Microsoft Offices, Adobe Photoshop, AutoCAD,Antivirus for Client va cac tmg d\lng cung cfip dich V\l ch~y a cac mayserver nhu Internet Information Services (IIS),Microsoft SQL Server,Anti virus for Server Day thuang la m\lc tieu tfin cong hong lam be gftyhay vo hi~u hoa tinh nang, bao m?t cua m9t ~~ th6n~ m~g Ho~c cainhfrng chuang trinh nguy hiem (virus) gay h~i den h~ thong

- Cac dich V\l (Services) : G6m cac dich V\l rna h~ th6ng do cungcfip nhu Web, FTP, DNS, Day thuang la noi d~ b9n tfin cong co th~theo d5i, tim va khai thac cac 16h6ng bao m?t (nhfrng vfin d~ rna nha thiSt

kS m~ng chua luang truac dugc ho~c nha quan tri chua biSt hay da biStnhung chua kh~c ph\lc )

- Cac nghi thuc (Protocols) : Cac nghi thuc dugc tri~n khai d~ ph\lcV\l cho cac ung d\lng va cac dich V\l dang ch~y nhu Web:http, FTP:ftp,MAIL: SMTP, IMAP, POP SlJ kern bao m?t tren cac nghi thuc naythuang dugc nhfrng ke tfin cong nghe len, danh c~p hay thay d6i thong tintren duang truy~n

1.2.2-Nhfi'ng nguy cO'va mBi hi~m hoa ti~m nan~

Da so cac m~g hi~n nay thuang bi tan cong vao cac dich V\l dangcung cfip va bi xam nh?P d~ danh c~p nhfrng thong tin nh~y cam ho~cnhfrng thong tin co gia trio

Cac ySu t6 de d9a dSn SlJan toan cua m9t h~ th6ng m~ng, no ti l~thu?n dSn kich thuac va ph~m vi cua m9t h~ th6ng m~ng :

1) Han 50% la l6i do nguai dung d~ 19m?t khAu (password), hay dad~t m?t khAu dan gian d~ dS dang bi doan ra

2) Khoang 20% Ia do SlJ bfit binh va thiSu trung thlJc cua nguaidung nhfrng nguai dang su d\lng h~ th6ng m~ng do

3) Khm'ing 10% la do S\f tin cong cua ke I~ (Ia vfin d~ chinh trongvi~c xay dlJllg giai phap bao m?t toan v~n cua d~ tai nay)

Chuong 1 V~n d~ bflOrn~t rnl~mgthong tin va cac d6i tuQ11g Trang 9/83

4) Con l~i la do cac ySu t6 khach quan (thien tai, hoa ho~, cac 16

h6ng bao rn~t chua dugc phat hi~n )S\l t~ cong ill ben ngoai van h~ th6ng rn~ng nhfun cac rn\lc dichtfl,lC19i hay chi don gian la dS hQc hoi DS tr\lc 19i nhung k6 t~ cong t~ncong van h~ th6ng dich Vl,ldang cung c~p lam gian do~ chung, dfin dSnvi~c khach hang co thS rm bo nha cung cap dich V\l, k6 t~ cong cling cothS chui van h~ th6ng rn~ng nQi bQ va l~y di nhfrng thong tin nh~y cam.Ngoai ra chung cling co thS sir d\lng cong C\lley thu~t cao ph:1n rn~rn hayph:1n cung dS co thS danh c~p thong tin dang dugc truy~n tren rn~ng congcQng, dfin dSn vi~c lQ, rn~t mat thong tin Nhfrng cUQct~n cong nh~rn rn\lcdich tfl,lC19i thuang dugc chuAn bi ki va thuang dugc nhfrng k6 t~n cong

co trinh dQ cao th\lc hi~n, qui rno t~n cong thuang 100 va thi~t h~i se

khong thS biSt truac dugc nSu h~ th6ng rn~ng cua chung ta dugc bao rn~t

khong t6t DS hQc hoi, nhung k6 t~n cong co thS t~ cong van rnQithu illt~n cong dich V\l,thfun nh~p trai phep dSn l~y trQrn thong tin trai phep trenduang truy~n, b~t cu gi rna chung co thS lam dugc Nhung cUQct~ncong nhu thS nay thuang diSn ra a quy rno nho, don 16 va thucmg donhfrng k6 t~ cong rnai van ngh~ hay co trinh dQ khong cao th\lc hi~n,thuang khong co thi~t h~i gi dang kS

S\l kern an toan cua h~ th6ng bao rn~t do nhi~u nguyen nhan : Quantri kern, d:1utu khong cao va thiSu quan Him cho h~ th6ng bao rn~t, cac 16h6ng bao rn~t ngay cang nhi~u do S\l thiSt kS va xay dVng khong cAnth~ncua nhfrng nha san xu~t ph:1nrn~rn

Quan tri kern, h:1uhSt cac nha quan tri hi~n nay d~u dugc dao t~o r~tbai ban, va cac nha tuySn d\lng cling yeu c:1ucao v~ rn~t kiSn thuc d6i vainhfrng nha quan trioNguyen nhan la do S\l thiSu nhi~t tinh trong cong vi~ccua cac nha quan trio HQ hoan toan co thS lam cho h~ th6ng an toan honnhung di~u nay thuang rn~t nhi~u thai gian va t6n cong suc, nen rnQi vi~cthuang dugc lam qua loa, d.u tha dfin dSn vi~c h~ th6ng rn~ng kern antoano Cling co nhi~u twang hgp la do nha quan tri thiSu nang h,rc (kern

Van de dau tu va S\l quan tam van h~ thong bao rn~t, nhieu to chuc,doanh nghi~p chua y thuc dugc vi~c c:1nphai bao v~ h~ th6ng rn~ng nQi

bQ cua hQ, don gian la vi t6n kern va hQ ch~ng co gi c:1nphai bao rn~t Suynghi chu quan do r~t co thS dfin dSn nhfrng h~u qua nghiern trQng, vi rnQithu trong may tinh co thS bi danh c~p, cac van ban, ban tinh, bao cao d~u

co thS bi danh c~p, k6 gian co thS nb b~t tinh hinh cua t6 chuc, xi nghi~p

Chuang 1 V~n d@bao rn?t rn~g thong tin va cac d6i tuQllg Trang 10/83

Cac 16h6ng bao rn?t ngay cang dugc phat hi~n ra nhi@uhan, khongchi do 16i cua nha san xu~t rna con do SlJnghien Clm r~t ti rni cua hacker,

va vi~c ch?m C?Pnh?t cac ban sua 16i hay khong thlJc hi~n cac bi~n phapd@tranh 16icling dang la nhfrng di@rny@ucua cac h~ th6ng bao rn?t

V~n d@bao rn?t rn~g thong tin la tim cach d~ gift an toan cho h~th6ng rnc.mgcua ta rna khong anh huang d@nvi~c giao ti@pv6i th@gi6iben ngoai

Chuang 2 Cac phuang phap bao m~t

- Cac lIng dVng va dich V\l.

-Cac t~p tin, thu mvc, co sa du li~u

2.1 - Cac bien phap (y IDtfC vat IV :

2.1.1-May chit (S~rver} :. ,

-S\f can thiet :S\f tiep c~n v6i server cua mQt nguai l~ (nhfrng nguaikhong dugc phep) gay anh huang nghiem trc;mg dSn S\f an toan cua h~th6ng HQ co th~ lam bfit cu gi rna hQ mu6n : hQ co th~ t~o mQt tai khoan(account) rbi dung no d~ truy c~p vao server bfit cu khi nao rna hQ thich,

hQ co th~ cai nhfrng truong trinh nguy hi~m vao server d~ danh c~p m~tkhAu cua nguai quan tri hay d~ lam te li~t server, ho~c hQ co th~ chepnhfrng du li~u quan trQng di hay mQt cach dan gian vo tinh ho~c c6 y hQrestart/shutdown server lam h~ th6ng te li~t

-Bi~n phap :Server phai dugc d~ta nhfrng noi an toan va phai dugcki~m soat ch~t che, mQi S\ftiSp c~ server dSu phai dugc S\f cho phep cuanguai quan trio

+Server nen dugc d~tanhung noi rieng bi~t, co th~ t~p trungl~i va d~t vao cac tu, k~ dugc thiSt kS d~c bi~t cho vi~c chua server

co cac tinh nang an toan nhu co khoa, m~t rna, cac hinh thuc ki~mtra van tay, giQng noi, the thong minh (smart card) khi tiSp c~cac thiSt bi ding nhu khu V\fCnay

Chuang 2 Cac phuang phap bao m~t Trang 12/83

+Cac khu V\fC chua server se do nha qulin tri m~mgchiu trachnhi~m HQ co m~t rna, the thong minh dS co thS tiSp c~n cac khu

V\fC nay

+KimV\fC dS server ngoai vi~c bao v~ server traOOkh6i vi~c

bi xam OO~ptrai phep, con phai bao v~ server tranh kh6i cac dieuki~n kh~c nghi~t dS tang tu<3ithQ va giam h6ng hoc cho server vd :khu V\fC dS server nen duQ'c d~t 0 OOung nO'ithoang, dQ ~m thap,nen d~t cac may lam mat nSu thay OOi~tdQ cao hay cac may hut ~mnSu thay dQ~m cao

2.1.2- May tram (Work;station) ;

-S\f can thiet : S\f tiep c~ v6i Workstation cua nguai 1/;1gay nguyhiSm khong kernS\f tiSp c~ v6i server th~ chi con nguy hiSm han vi cacmay workstation trong m/;1ngthuang it bi kiSm soat ch~t che boi h~ th6ngbao v~ va S\f dS dai cua nguai dung nO.Ke 1/;1co thS danh c~p thong tin,phat tan virus, tim cach gian tiSp truy c~p t6i server,hay tho thiSn han lathao may ra va lay <3cling di

-Bi~n phap : Workstation phai duQ'c kiSm soat ch~t che boi nguaidung no, mQiS\f tiSp c~n phai duQ'cS\f cho phep cua nguai dung va nguaiquan trio Workstation phai duQ'c d~t trong cac khu V\fC an ninh va duQ'cbao du5ng thuang xuyen boi OOaqulin trio

+Nguai dung nao thi chiu trach nhi~m may cua hQ, khuySncao nguai dung khong nen dS the xac thllc, viSt m~t kh~u va dS 0dau do tren ban lam vi~c, h/;1nchS cho OOung nguai khac tiSp c~nmay, muqn may

+May cua nguai dung phai duQ'c nha qu~n tri ,m/;1n~thuangxuyen c~p OO~tcac chuang triOOdi~t virus, sua loi phan mem, nangcap phfuI mem cli, bao tri phfuI cling, khuySn cao nguai dung nenlUllnhfrng thong tin quan trQng len server

-S\f can thiet : S\f tiep c~ cac thiet bi m/;lllgcua nhfrng ke 1/;1dongnghia v6i vi~c h~ th6ng bao m~t gfin OOuvo nghIa, h~ th6ng m/;1ngluc do

se gi6ng nhu mQt ngoi OOarna trong do ke c~p va chu nha cung chungs6ng, mQi thu co thS bi danh c~p, mQi thu co thS bi pha huy Cac thiSt bim/;1ngcling gi6ng OOucac con duang, nSu cac thiSt bi m/;1ngkhong hO/;1tdQng, h~ th6ng m/;1ngse bi te li~t

-Bi~n phap : Cac thiSt bi m/;1ng(switch,router,hub,cable ) phaiduQ'c kiSm soat ch~t che, cac thiSt bi nhu switch, router, hub phai duQ'c

Chuang 2 Cac phuang phap bao rn?t Trang 13/83

bao v~ nghiern ng~t nhu server, rn9i S\f tiSp c?n d6i v6i cac thiSt bi miyd~u phai duqc S\f cho phep Clla nha quan tri ho~c nhfrng nguai co trachnhi~rn

+ Cac thiSt bi rn~g c~n nen duqc d~t trong tll ho~c k~ duqcthiSt kS d~c bi~t co cac tinh nang an toan nhu khoa, rn?t rna, thethong rninh nen d~t cac thiSt bi nay chung noi d@cua cac serverd@thu?n lqi trong vi~c bao duOng, bao v~ va giam sat

+ Day cap nen duqc di am tuang hay duqc di trong cac

duang ong rieng bi~t, duqc thiSt kS d@chi di day cap Di~u nay sethu?n ti~n cho vi~c bao dUOng va phong tranh cac S\f c6 dang tiSc

xay ra

+ Cac thiSt bi rn~ng (router, switch) nen duqc cfiu hinh cacphuang thuc bao rn?t t\f co vd : thiSt l?p rn?t khfru rn6i l~n dangnh?p d@cfiu hinh Cac c6ng tren router hay switch nen duqc cfiuhinh d@chi cac thiSt hi rn~ng duqc phep rn6i duqc giao tiSp

DLtIi~udl

ra titc;l

cacdng

Hinh 1 :S\ftiSp c?n thiSt hi rn~ng Cllake l~

2.2 - Cac bien pbap o'mtfc luan It :

2.2.1- May cbB (Server) :

Setyer a rnuc lu?n l~ dong v,ai tro nhu rnQt trung tam trao ~6i duli~u,no tiep nh?n cac yeu cau trao doi du li~u va tra lai nhung yeu cau do.Server bao g6rn rnQth~ di~u hanh rn~g duqc cai nhi~u lo~i trng d1,1ngtren

no nhu : lIS, Mail Deamon,Oracle,SQL d@cung cfip cac dich V1,1nhu :Web server, Mail server, Data server

Chuang 2 Cac phuang phap bao m~t Trang 14/83

- D6i v6'i h~ di~u hanh tren se~er : Cac bi~n phap co, ban,la sud\lllg tiOOnang bao m~t cua chiOOh~ dieu hanh do cung cap, hau het cach~ di~u hanh m?llg d~u co cac tioo nang bao m~t OOu : t~o nguai dung(user), cac OOomnguai dUng (group), phan quy~n troy c~p dS quan ly hQ.Cac chlic nang ghi OO~tleY,cho phep OOaquan tri co thS giam sat qua triOOdang OO~phay troy c~p t6i server cua cac nguai dung Ngoai ra dS tangti~ bao m~t, con co t!J.Ssu d~g cac bQ con~ C\lbao m~t khac (khong oofitthiet la do OOasan xuat h~ dieu hanh cung cap rna co the do mQt hang khac

cung cfip) tuang thich v6i h~ di~u hanh cua chung ta, vi d\l OOu :cac lo~i tuang lua (Firewall) danh cho dong Unix, cac lo~i tuang lua danh cho

dong Windows Server, cac cong C\lphat hi~n xam nh~p (DS co thS xemxet ffiQth~ di~u haOOtren may chu d~c trung, xin xem chuang 5Gi6i thi~ucac cong C\l bao m~t cua Microsoft - Microsoft Windows Server 2003Enterprise)

- D6i v6'i cac frng d\lng va cac djch V\l : Nen dugc cfiu hiOOcAnth~n khi cai d~t cling OOukhi bao dUOng Qua triOOho~t dQng phai dugckiSm soat ch~t che boi h~ di~u hanh va nguai quan trio Chung phai dugcphan quy~n C\l thS, ai dugc phep va khong dugc phep su d\lng Thuangxuyen c~p OO~tcac phien ban m6i cling OOucac ban sua l6i nh&m nangcao tiOO6n diOOva dQtin c~y

+ Khi dugc cai d~t cac ling d\lng nay cftn dugc xac diOOra :

ling d\lng nay cung cfip OOUngdich V\lnao, OOUngdich V\lnay dugccung cfip qua cac c6ng nao, cac c6ng khong lien quan nen dugcdong 1~i.Anh huang cua ling d\lng t6i h~ th5ng (cac ling d\lng khac), neu khong th~t S\f cftn thiet ho~c chua biet ra thi khong nen caid~t

+ Nen cai d~t OOUngling d\lng do OOUngOOasan xufit dugctin tuang viet, nh&mtranh cac 16h6ng bao m~t do vo tiOOhay c5 y

- D6i vm cac t~p tin, thO' IDt}C, cO'sir dfr li~u :cac bi~n phap huuhi~u la rna hoa va h~n che troy c~p, tfit ca cac S\f troy c~p phai dugc xacth\fc va dugc uy quy~n cac CA server (Certification Authority server) Cac

du li~u quan trQng phai thuang xuyen dugc sao luu cAn th~n dS co thSph\lc h6i l~i nhaOOchong khi co S\fc5 xay ra

+ Cac t~p tin, thu m\lc : cac h~ di~u hanh thuang cung cfips~n cac cong C\lrna hoa, OOuhQ Windows 2003 Server co h~ th5ngrna hoa (Ecryption File System) v6i cac thu~t toan rna hoa m~oo

Chuang 2 Cac phuang phap bao m~t Trang 15/83

PPPconnection PPTPcontrol connection PPTPdata connection

- DBi VOl cac nghi tht'fc : Phuang phap bao m~t hi~u qua cho cac

nghi thuc hi~n nay la goi chung trong cac nghi thuc duQ'c thi@tk@danhrieng cho bao m~t nhu : PPTP (Point to Point Tunneling Protocol), L2TP(Layer 2 Tunneling Protocol) hay sir d\lng cac nghi thuc co s~n tinhnang bao m~t nhu Kerberos, IPSec

, +Vi~c goi cac n~hi ~huc,duQ'cti@nhanh nhu sau : dftu ti,en h~thong th\l'c hi~n mQt ket noi bang nghi thuc duQ'c goi (vd : doi vaiPPTP thi dftu tien, mQt k@tn6i PPP se duQ'cthlJc hi~n ) Sau do mQtk@tn6i rna thong tin truySn tren do da duQ'c rna hoa se duQ'c thlJchi~n tren k@tn6i vira t~o (sau khi t~o mQt k@tn6i PPP, h~ th6ng set~o ti@pmQt k@tn6i PPTP) Qua trinh giai phong k@tn6i thi nguQ'cl~i (k@tn6i PPTP duQ'cgiai phong truac, ti@pden la k@tn6i PPP)

Chuong 2 Cac phuong phap bao m~t Trang 16/83

• 2.2.2- May tram (Workstation) :

Cac may tr~ thuemg it duqc trang bi cac cong C\Jbao v~ hon cacmay chu do cac may tr~ nay dff duqc bao bQc boi h~ th6ng bao v~ (h~th6ng cac may duqc trang bi cong C\Jbao m~t ) Tuy nhien dS phong tranh

cac cUQct&1 cong xufit phat tiT cac may nay, co thS khong phai tr\fC tiep

nguai dung may nay la ke tfin cong rna la do vo tinh may bi nhi6m nhungv,irus nhu troj an? back door va tro thanh cong C\Jtier tay cho nhUn,gketan cong, nen tien hanh nhUng bi~n phap bao m~t du de ngan ch~ moi dedQatren

+ Khuyen cao nguai dun!? khong nen truy c~p vao nhUng trang web khong tin tuang Tai ve va cai d~t nhUng chuong trinh tiT

nhUng trang web do

+Ngan cfim nguai dung cai d~t nhung chuong trinh rna chua

co S\fcho phep cua nha quan trio

+ Cai d~t va thuemg xuyen c~p nh~t nhUng chuong trinhch6ng virus, ch6ng ph~n mSm gian di~p (spyware) len cac maytr?m

+ Trong t~emg hgp may tr?m co nhiSu nguai cung sir d\Jng thi nen phan quyen C\Jthe cho tUng nguai dung Xac dinh ra nguai

dung nao duqc phep sir d\Jllg va duqc phep sir d\Jng tai nguyen naomaytr~nay

2.2.3- Cae thi~t bi mang :

Da so cac thiet bi m?ng nhu router hay switch hi~n nay deu cungcfip cac tinh nang bao m~t nhu ACL(Access Control List), FilterProtocol DS h~ th6ng m?ng duqc an toan hon, nhung thiet bi nhurouter nen duqc cfiu hinh thanh nhUng Firewall thu hai

Vi~c huan luy~n nguai dung la cong vi~c quan trQng va can duqc

tien hanh thuemg xuyen khi h~ th6ng duqc nang cfip ho~c co S\f thay d6i

Day cling la cong vi~c kho khan nhfit vi da s6 nguai dung thuemg la nhUng

n~uai kh~ng ~hu?c chuyen mon maY,tinh vi the rfit kho dS hQ co thS n~m

bat cac van de ve may tinh Vi~c huan luy~n nguai dung giup cho nguaidung co thS n~m b~t duqc nhung vi~c hQ nen lam va khong nen lam trenmay tinh cua hQ nh~m gill' an toan cho h~ th6ng m?ng

2.3 - K~t luan :

NhUng phuang_phap bao m~t la nhung cach thuc bao v~ nhung d6i

tuqng trong m?llg, moi doi tUQ'llgco mQt cach thuc bao v~ rieng TiT vi~c

Chuang 2 Cac phuang phap bao m~t Trang 17/83

bao v~ tung d6i tuqng trong m(;lngdful dSn ca h~ th6ng m(;lllgse dugc an

toan han.

Chuang 3 Tim hieu m(>ts6 Icythu~t bao m~t

3.1.1 - Cac thanh phfin cua rna hinh

3.1.2 - HO(;ltd(>ngcua rna hinh

3.1.3 - Vu diSm va khuySt diem

3.2 - Ky thu~t VPN

3.2.1 - Cac thanh phfin cua rna hinh

3.2.2 - HO(;ltd(>ngcua rna hinh

3.2.3 - Vu diSm va khuySt diem

3.3 - KSt lu~n

Ma hinh bao g6m cac thanh phfin sau :

+M(>th~ th6ng m(;lnghoan chinh, g6m nhiSu may con (workstation)

va cac may chu (server) cung cApcac dich V\l

+M(>th~ th6ng cac may chu co dfr li~u va dich V\l gi6ng y h~t nhucac may chu trong h~ th6ng m(;lnghoan chinh 0 tren (duqc anh X(;lillh~ th6ng cac may chu 0 tren ).Va hoan toan n~m tach bi~t boi h~th6ng m(;lng 0 tren boi m(>t buc tuang lira (Firewall).Day g9i laDMZ (Demilitarized Zone)

+ Buc tuang lira (Firewall) ngan cach h~ th6ng m(;lnghoan chinhv6'i cac h~ th6ng m(;lngkhac

Chuang 3 Tim hi@um9t s6 ley thu~t bao m~t Trang 19/83

Hinh 3 : M9t h~ th6ng m~mgsir d\mg ky thu~t DMZ d@bao v~

3.1.2- Hoat dong ella he thBng :

V6i ky thu~t DMZ thi h~ th6ng m~ng trong va h~ th6ng cung c<1pdich V\l cho m~ng ngoai duQ'Ctach ra thanh hai khu V\fCrieng bi~t KhuV\fCchua h~ th6ng cung c<1pdich V\l cho m~ng ngoai duQ'cg9i la DMZ

Cac du li~u trong DMZ thuemg duQ'c d6ng b9 hay c~p nh~t v6i cacserver trong m~g trong

Cac may con trong m~g mu6n troy c~p ra m~ng ngoai (duQ'cphep)

se hoan toan khong bi anh hu<'mgboi DMZ

Buc tuemg lira (Firewall), th\fc hi~n vi~c 19Ccac lu6ng du li~u vahuang cac huang kSt n6i theo dung ffi\lCdich Cac yeu cfiu troy c~p dichv}lillphia ngoai se duQ'cchuy@ncho cac may chli trong DMZ, b<1tcu yeucau nao khong phai la yeu cau dich V\l (duQ'c xet theo nghi thuc) hay codich dSn khong phai la cac may chli trong DMZ d@ubi illch6i Chi co cacmay chli trong DMZ duQ'c yeu cfiu troy c~p du li~u, t<1tca cac yeu cfiukhong xu<1tphat tu DMZ d@ubi lo~i bo Cac may con trong m~ng duQ'cphep troy c~p ra m~g ngoai nhung chi nhung m~ng duQ'c phep troy c~p,t<1tca cac truy c~p ra cac m~ng khong duQ'cphep d@ubi illch6i

Khi bi t<1ncong thi chi co DMZ chiu thi~t h~i con toan b9 dfr li~u vah~ th6ng m~g con van nguyen vyn

Hinh 4 cho th<1ycach trao d6i dfr li~u giua h~ th6ng m~ng ben trong vangoai DMZ

Chuang 3 Tim hieu m9t s6 ky thu~t bao m~t Trang 20/83

Hinh 4 : Trao doi dfr li~u thong qua DMZ

3.1.3 -Un va khny~t di~m ella k£ thnat DMZ:

- Chi phi cao cho vi~c xay d\ffig m9t DMZ

- T6c d9 trao d6i dfr li~u khong cao do phai di qua buc tUOnglira

Chuang 3 Tim hi@umQt s6 leY thu~t bao m~t Trang 21/83

3.2 - Phan tieh mot he thang Stf dung ky thuat VPN :

3.2.1 - Cae thanh ph~n eua he thang :

+ MQt h~ thong m~ng C\JCbQ(LAN) co cac tai nguyen nhu : may in,

scan,database

+MQt VPN server

+MQt buc tuOng hia (d~t truac ho~c sau VPN server) nhftm ki@msoat cac

kSt n6i

+MQt h~ th6ng m~ng C\JCbQ( hay mQt may) khac

+T~p nghi thuc (protocol) su d\Jng : L2TP, PPTP, PPP,IPSec

VPN connection

VPN clientHinh 5 : H~ th6ng su d\Jng leY thu~t VPN vai Firewall d~t phia sau VPN Server

VPN connection

Tunnel

Hinh 6 : H~ th6ng su d\Jng ky thu~t VPN vai Firewall d~t phia truac VPN

Server

3.2.2 - Hoat dong eua he thang :

Ky thu~t VPN cho phep kSt hqp hai hay nhi@uh~ th6ng m~ng l~ivai nhau thanh mQt h~ th6ng m~ng, co th@cling chia se cac tai nguyen cua

Chuang 3 Tim hiSu mQt s6 ky thu?t bim m?t Trang 22/83

rVPN connection

•.

m6i h~ th6ng mQt cach dS dang nhu hi trong cung mQt m~mg (Hinh 7 secho thfiy r5 han ky thu?t nay)

VPN Server se t(;10ra cac k~t n6i VPN tren cac kenh truyen

Vfin de bilo m?t 0 day la lam cach nao dS bilo v~ cac k~t n6i VPNkhi chung duqc th1Jc hi~n qua mQt m(;1ngc6ng cQng (ch~ng h(;1llnhuinternet) DS lam vi~c nay ky thu?t VPN dUng mQt t?P cac nghi thuc g6mL2TP, PPTP.Cac nghi thuc nay se rna h6a dfr li~u tren cac k~t n6i VPNd6ng thai t(;10ra mQt kenh truyen ngfun (tunneling) dS truyen dfr li~u quam(;1ngc6ng cQng GQi la kenh truyen ngfun la vi cac g6i tin ban d~u da biche ?fiu ho~c duqc bao bQc boi cac ~6i tin khac va cac g6i tin nay duqctruyen theo mQt duang IU?nly tir ngu6n t6i dich

Buc tuang lira trong h~ th6ng c6 nhi~m V\l kiSm soat cac k~t n6i tutrong m(;1ngC\lCbQra ngoai ho~c tu ngoai vao trong

D6i v6i h~ th6ng rna buc tuang lira n~m phia sau VPN (Hinh 5) Vin~m sau VPN Server nen tllang lira nay chi c6 tac d\lng la xac dinh nguaidung nao duqc sir d\lng tai nguyen nao cua m(;1llgben trong, con cac k~tn6i nao kh6ng phili la k~t n6i VPN thi da duqc VPN Server IQc

~

Hinh 7 : M6 hinh IU?nly sau khi th1Jchi~n mQt k~t n6i VPN

Chuang 3 Tim hieu rnQt s6 ky thu~t bao rn~t Trang 23/83

Hinh 8 : Quy trinh t~o rnQtkSt n6i PPTP

D6i vai h~ th6ng rna buc tuang lira n~rn phia truac VPN Server

(Hinh 6) Buc tuang lira co tac d\mg lo~i b6 cac kSt n6i khang phai la kSt

n6i VPN va giai h~n cac h~ th6ng rn~ng khac th\l'c hi~n kSt n6i VPN dSnrn~ng nay

3.2.2.1- PPTP (Point-to-Point Tunneling Protocol):

La nghi thuc duCJcphat triSn d\l'a tren PPP (Point-to-Point Protocol)

de tang tinh bao rn~t cho du li~u tren duang truy~n De th\l'Chi~n duCJcvi~c bao rn~t cac du li~u tren duang truy~n, truang chua tin cua goi PPPduCJcrna hoa hay nen l~i ho~c ca hai, sau do duCJcgoi vao goi PPTP

Data-link IP TCP Control link Header Message Trailer

Hinh 9 : Cdu truc goi di~u khien cua PPTP

Encr}'Ptl:l(hPB~PClyl oed

Data-?a~a- IP GRE PPP (IP Datagram, link

~~ader Header Header Header IBXDatagram), Trailer

N etBEUI Fram~) OKh6ng rna h6a 0 Ma h6a

Hinh 10 : Cdu truc goi PPTP

3.2.2.2 - L2TP (Layer 2 Tunneling Protocol):

La nghi thuc duQ'ct~o ra dva tren S\l'kSt hCJPgiua PPTP va ky thu~tL2F (Cisco's Layer 2 Forwarding).DuQ'C th\l'c thi tren lap Datalink (trongrna hinh OSI ) nen co kha nang h6 trQ'nhi~u giao thuc khac ngoai TCP/IP

vi d\l nhu : IPX, Apple Talk

L2TP thuang duQ'c dung kSt hCJPvai nghi thuc IPSec de nang caotinh bao rn~t

Chuang 3 Tim hiSu mQt s6 kythu~t bflOm~t Trang 24/83

Cac dfr li~u trong goi PPTP dugc rna hoa ho~c nen ho~c vUa rna hoavua nen r6i dugc goi van goi L2TP

Data-link IP ESP UDP L2TP ESP ESP link Header Header Header Header Message Trailer Auth Trailer

I

[EnCrypted by IPSecHinh 11 : cAu truc mQt goi diSu khiSn L2TP

- Chi phi khong cao

- La giai phap hi~u qua vS m~t kinh tS thay cho duemg day thue baorieng (leaseline)

3.2.3.2 - Khuy~t di~m :

- Tinh phuc t:;tpcao khi kSt n6i nhiSu m:;tng

- Nhfrng ke xam nh~p co thS lAythong tin hay xam nh~p van h~th6ng VPN ill m~g cong cQng mQt khi chung giai rna dugc nhfrng thongdi~p truySn tren do

3.3 - K~t luan :

M6i ky thu~t bao m~t dugc xay dvng huang dSn cac m\lc dich baom~t khac nhau, va nhfrng m\lc dich do khong la gi khac rna chinh la dS baov~ cac d6i tugng trong m:;tng.Ky thu~t DMZ dugc thiSt kS dS bao m~t dfrli~u t:;tinai luu trfr,ky thu~t VPN dugc thiSt kS dS bao m~t dfr li~u truySntren m:;tng

Chuang 4 Gi6i thi~u cac cong C\l bao m~t cua Microsoft Trang 25/83

-.

Chrrong 4

Internet Security and Acceleration Server.

,Tom Hit

4.1- Tim hiSu cac tinh nang bao m~t trong Microsoft Windows Server

2003 Enterprise

4.1.1 Xac th\fc (Authentication)

4.1.2 DiSu khiSn truy c~p tren co sa d6i tugng (Object-based

access control)

4.1.3 Chinh sach bao m~t (Security policy)

4.1.4 KiSm tra giam sat (Auditing)

4.1.5 Active Directory va bao m~t

4.1.6 Bao m~t dfr li~u

4.1.7 Bao v~ dfr li~u m~ng

4.1.8 M6i quan h~ tin tuang.

4.2- Tim hiSu Active Directory

4.2.1 DiSu khiSn truy c~p trong Active Directory

4.2.2 Xac th\fc nguai dung.

4.3- Internet Security and Acceleration (ISA) Server

4.3.2.5 T6ng quan ki~n truc

4.1 - Tim hi~u cac tlnh nang bao mat trong Microsoft Windows Server

Chuang 4 Gi6i thi~u cac cong C\l bao m~t cua Microsoft Trang 26/83

dung C\lCb(>hay la m(>ttai khom trong Active Directory

nguai ?ung v6i cac dich V\l rna r:guai dung nay duqc phep tru¥ c~p DScung cap cac d~ng xac th\Ic, h~ thong bao m~t dung OOieu co che xac th\TC

h~ th6ng Windows NT 4 )

nguai dung co thS truy c~p t6i cac tai nguyen tren m~ng rna khong c~

nh~t, t~t ca cac yeu c~u xac th\IC sau se duqc h~ di~u hanh dap ung m(>tcach t\I d(>ng d\Ia tren thong tin dff luu a l~n xac th\Ic d~u tien, nhftng vi~cnay hoan toan trong su6t v6i nguai dung

2003) thi vi~c xac th\Ic co thS duqc tiSn hanh d\Ia ySu t6 xac th\Ic thu haingoai ySu t6 xac th\Ic thu OO~tla xac th\Ic tai khom ra : ySu t6 thu hai cothS la the thong minh (smart cards)

Cac nghi thu'c xac th(l'c :

la nghi thuc xac th\Ic chiOO trongm(>t domain Kerberos V5 kiSm tra

ca daOO tiOOnguai dung va cac dichV\l m~ng rna nguai dung duqc pheptruy c~ '

Nghi thuc duqc sir d\lng khi nguai

Chuang 4 Gi6'i thi~u cac cong C\lbao m~t cua Microsoft Trang 27/83

".

Layer Security chu Web an toano V6'i SSL/TLS b?ll(SSL/TLS) co thS dieu khiSn vi~c thu~t toan rna

hoa mlo se duqc sil d\lng

NTLM Nghi thuc duqc sil d\lng trong twang

hqp may khach hay may chu sil d\lngm<;>th~ dieu hanh Cllhan may kia

Digest Truyen tai cac thong tin xac th\fc qua

m~ng, cac thong tin duqc rna hoatheo thu~t toan 11D5, hay du6'i d?llgcac thong di~p van tat (messageDigest)

Passport La m<;>tdich V\lxac th\fCngu~i dung

d~ cho d?llg xac th\fc m<;>thill duynhat (single sign-on)

The thong minh (smart cards):

La phuang phap ch6ng gia m~o va la cach dS cung c~p giai phapbao m~t cho cac tac V\lcful bao m~t nhu :Dang nh~p vao m<;>tDomainch~y Windows Server 2003, xac th\fc nguai dung, rna kYhi~u (codesigning), va bao m~t thu di~n ill

H6 trq the thong minh la chuc nang chinh cua phuang phap rna hoakhoa cong khai rna Microsoft da tich hqp vao Windows XP va h9

Windows Server 2003

The thong minh cung c~p :

+Phuang ti~n luu tm ch6ng gia m~o dS bao v~ cac khoa canhan (private keys) va cac d?llg thong tin cac nhan khac.+ Co l~p cac v~ de cua bao m~t lien quan dSn chUng th\fCvachu kYs6 (digital signatures)

+La m<;>tphuang ti~n chUng th\fc di d<;>ng,chua d\fllg nhUngthong tin ca nhan cful cho vi~c chUng th\fC rna b?ll co thS sild\lng ab~t cu dau : van phong, nha hay tren duang

Khi lam vi~c trong m<;>tmoi truang rna cac tai nguyen khac nhauduqc c~p cac m~t khAuva ten troy c~p khac nhau, r~t kho dS b~n co thS sild\lng duqc cac t,ain~uyen do v~i m6i lful dang nh~p theo m<;>tten dangnh~p va m~t khau co dinh cho Ian dang nh~p do

Phuang phap luu~~~te~ ~ang nh~p va m~t khAu cho phep b~n co

-Chuang 4 Gi6'i thi~u cac cong C\lbao m~t cua Microsoft Trang 28/83

-.

th~ 1uu tm cac ten dang nh~p va cac m~t khAu dung cho vi~c truy xuftt cac

tai nguyen tra thanh mQtphan cua tai khoan cua b~n.V6'i phuang phapnay b~ chi c~n dang nh~p mQt 1~ nhung vftn sir d\lng duqc nhiSu tainguyen khac nhau rna khong phai dang nh~p l~i

Mat kllt,u (Password):

Cung cftp cac phuang phap t~o ra mQt m~t khAum~nh H~n chS cac

ru ro xuftt phM ill vi~c quen hay khai t~o l~i m~t khAu

4.1.2-Diiu khi~n truy dip tren CO'sO' dBi tU'O'Dg(Object-based access

control):

Theo S\l' xac thlJc ng,uai d~g, cac tai n~uyen va d6i tuqng tr~nrn~ng duqc nha quan tri dieu khien truy c~p bang cach them vao phan d~ctinh rno ta bao m~t (security descriptors) cho d6i tuqng trong ActiveDirectory Ph~n d~c tinh mo ta bao m~t nay 1i~tke danh sach nhung nguaidung ho~c nh6m nguai dung duqc phep truy c~p t6'i mQt d6i tuqng vanhfrng quySn h~n truy c~p dff cftp cho cac nguai dung nay vd : t~p tin,may in va cac dich V\l

Nha quan tri khong nhung c6 th~ diSu khi~n truy c~p mQt d6i tuqng

xac dinh rna con c6 th~ diSu khi~n truy c~p dSn nhfrng thuQc tinh cuanhung d6ituqng d6 vd : ten, s6 di~n tho~i

£>iSukhi~n truy c~p 1aqua trinh uy nhi~m cho cac nguai dung,nh6m nguai dung, va cac may tinh c6 th~ truy c~p vao cac d6i tuqng trenm~ng £>iSuc6t ySu cua diSu khi~n truy c~p 1aphep truy c~p, quySn h~nnguai dung, ki~m tra giam sat cac d6i tuqng.

~hep truy c~p ding n&hia cac d~ng truy c~p rna duq~ dip cho nguaidung de truy c~p den mQt doituqng ho~c thuQc tinh cua doi tuqng. vd :mQt nh6m(nguai dung) c6 th~ duqc cftp quySn dQCva ghi (thuQCtinh d6i

tuqng) t~p tin abc.txt (d6i tuqng).

Phep truy c~p c6 th~ duqc cftp cho bftt kY d6i tuqng bao m~t naonhu : t~p tin, d6i tuqng Active Directory, d6i tuqng registry Phep truyc~p cling c6 th~ duqc cftp cho nguai dung, nh6m nguai dung hay maytinh

B~n c6 th~ cftp quySn truy c~p cua cac d6ituqng cho :

+Nh6m nguai dung, nguai dung, va nhung nguai dung d~cbi~t (everyone )

+Nh6m, nguai dung trong Domain va cac Domain khac c6quan h~ tin tuang

Chuang 4 Gi6i thi~u cac c6ng C\lbao m~t cua Microsoft Trang 29/83

-

+Nhom va nguai dung C\lCbQ cua may chua d6i tugng cfultroy c~p

Phep troy c~p gan cho mQt d6i tugng ph\l thuQc vao d~ng d6i tugng,

vd : phep troy c~p gan cho mQt t~p tin khac v6i phep troy c~p co thS gancho ffiQtkhoa dang ky (registry key).Sau day la cac d~g phep troy c~phay g~p :

+Phep dugc dQc

+Phep dugc thay d6i

+Phep dugc thay d6i chu

+Phep dugc xoa

M6i d6itugng co thS dugc gan phep troy c~p khac nhau cho tlmglo~i nguai dung khac nhau

QuySn sa huu d6i hrgng thuang dugc gan ngay khi d6i tugng dugct~o ra va theo m~c djnh no cho biSt nguai t~o ra d6i tugng

S{l' tllil'aki cac pilip truy c(ip (Inheritance of permissions):

Sv thua kS phep troy c~p cho phep nha quan trj co thS d~ dang celpphat va q~an ly phep truy c~p Chuc nang nay hoan toan dQng, cac ban saohay cac d6i tugng con cua d6i tugng chinh se dugc tv dQng gan cac pheptroy c~p nhu d6i tugng chinh

QuyJn cua ngu'ui dung (User rights):

La nhung quySn h~n nheltdjnh va quySn dugc dang nh~p vao maytinh hay m6i truang m~g

Giam sat 116itU'!lng(Object auditing):

Nha quan trj co thS giam sat cac d6i tugng. Cac biSn c6 xay ra v6id6i tugng nay se dugc luu l~i cho nha quan trj xem

4.1.3-Chinh sach bao mat (Security policy) :

Nha qyan trj co thS ~ieu khiSn ?hinh ~ach bao m~t tren may C\lCbQhay tren nhieu may khac bang cach dieu khien chinh sach m~t khau, chinhsach khoa tai khoan, chinh sach Kerberos, chinh sach kiSm tra giam sat,cac quySn cua nguai dUng va cac chinh sach khac f)S thu~ ti~n trongvi~c t~o va quan ly cac chinh sach, cac biSu m~u bao m~t (securitytemplates) thuang dugc sir d\lng

4.1.4-Ki~m tra, giam sat (Auditing) :

Thvc hi~n theo d5i va giam sat cac ho~t dQng dQc, ghi, hi~u chinhcac t~p tin, cac ho~t dQng troy c~p cac tai nguyen khac trong m~ng ill do

Chuang 4 Gi6i thi~u cac cong C\lbao m~t cua Microsoft Trang 30/83

,.

ghi nh~ cac bi@nc6 xay ra OOfunph\lc Y\ltrong cong tac sua 16iho~c theodoi

Cac d(;Ulgph6 bi@nOOeltcua cac bi@nc6 dugc theo doi hi :

+Truy c~p vao d6i tugng (t~p tin hay thu m\lc)

+ Quan ly tai khoan nguai dung hay tai khoan OO6mnguaidung (them, xoa )

+Nguai dung dang OO~phay thoat ra kh6i h~ th6ng

Giam sat pltf,n mJm (Software retriction):

Cu~g celpkha nang ngan ch~ vi~c cai d~t, ch~y cac img d\lng ho~c

nhfrng phan mem ~on& dang tin c~y cua nguai dung "

Giam sat phan mem la mQt t~p cac chiOOsach dinh nghla t>hanmemnao dugc phep ch~y tren mQt may tiOOhay mQt Domain C6 OOieulo~i quit~c cho vi~c giam sat phful m~m ngoai qui t~c m~c dinh dff dugc h~ di~uhanh gan cho khi cai d~t phfin m~m vao h~ th6ng

Cac qui t~c giam sat phful m~m :

+Qui t~c bam (Hash rules)

+Qui t~c chung th\fc (Certificate rules)

+ Qui t~c duang dful,bao g6m ca duang d~n registry (Pathrules)

+Qui t~c vung Internet (Internet Zone rules)V6i ky thu~t giam sat phful m~m" Windows cun~ celp,OOi~u,cach,dSxac diOOphan mem, tir d6 cho phep kiem soat cac phan mem, phan memnao dugc phep ch~y, phfin m~m nao khong dugc phep ch~y

4.1.5-Active Directory va bao mat:

Active Directory cung celp kha nang bao v~ thong tin cua nguaidung va OO6m nguai dung bfu1g cach di~u khiSn truy c~p tren cac d6itugng va cac nguai dung dugc uy quy~n Vi Active Directory khong chiluu tm OOfrngnguai dUng dugc uy quy~n rna con luu tm OOfrngthong tincua d6i tugng rna nguai dung dugc phep truy c~p nen OOfrngnguai dungphai d~t dugc ca hai y@u t6 la uy quy~n (authorization) va xac th\fc(authentication) thi m6i dugc phep truy c~p vao tai nguyen m~ng d6 vd :Khi mQt nguai dung dang OO~pvao m~ng thi h~ th6ng se xac th\fc nguaidung nay theo thong tin dff luu trong Active Directory Sau d6 khi nguaidun~ nay thu truy c~p t6i mQt dich Y\lgao d6 thi h~ th6ng se kiSm tra cacquyen rna nguai dung nay dugc phep tien hanh tren tai nguyen nay

Vi Active Directory cho phep OOaquan tri t~o cac tai khoan nh6m,

nen cac nha quan tri c6 thS quan ly chung hi~u qua han vd : B~ng cach

Chuang 4 Gi6i thi~u cac cong C\lbao m~t cua Microsoft Trang 31/83

'.

hi~u chinh I~i cac thuQc tinh cua mi)t t~p tin, nha quan tri co thS cho phepcac nguai dung trong mi)t nhom co thS d9C t~p tin do Theo cach nay vi~c

truy c~p t6i cac d6i tuqng trong Active Directory duqc d\Ta tren m6i tu

cach cua nhom

cong C\lnay, khi tuang tac v6i t~p tin hay thu m\lc duqc rna hoa se khong

co S\Tkhac bi~t so v6i cac t~p tin hay thu m\lc thuang (khong duqc rnahmi).Khi th\Tc hi~n rna hoa cling gi6ng nhu phan quySn truy c~p, tuynhien, co S\Tkhac nhau la khi mi)t ke xam nh~p co thS tiSp xuc v~t Iy (tiSpxuc khong chiu tac di)ng cua h~ diSu hlinh dang ch~y) v6i t~p tin da duqcrna hoa, h~n se khong thS d9c,ghi hay sao chep Vi~c phan quySn truy c~pkhong thS ch6ng I~i S\TtAncong b~ng tiSp xuc v~t Iy nhu v~y

~ Chfr ky s6 (Digital Singnatur~s) : Cac thanh phfi~ kiS~ tra se th\Tchi~n kiem tra va xac th\Tc Chfr ky so la mi)t cach de chac chan tinh toanv~n va tinh nguyen thuy cua thong di~p (co nghTa la thong di~p khong bithay dbi tren duang truySn).Chfr ky s6 cho phep kh~ng dinh nguai da kYtren thong di~p Vi v~y hai chuc nang quan tr9ng cua chfr ky s6 la dambao tinh toan v~n cua thong di~p va tinh khong thS ch6i cai cua nguai kYrano

4.1.7-830 ve dfr lieu mang (Network data protection):

Cac dfr li~u m~ng trong m~ng (m~ng C\lCbi) va cac m~ng con) duqcbao m~t b~g cac nghi thuc xac th\Tc DS tang them di) an tolin, co thS sird\lng cac cong C\l dS rna hoa dfr li~u truySn tren m~ng Dung InternetProtocol Security (lPSec) b~n co thS rna hoa t:1t cac cac giao tiSp m~ngcua mQt may con C\lthS nao do ho~c t:1t ca cac may con trong m~ng cuab~n T:1t ca dfr li~u vao ho~c ra khoi m~ng dSu co thS duqc bao v~ thongqua cac ti~n ich :

+IPSec

+Routing and Remote Access

+Internet Authentication Services (lAS)

Chuang 4 Gi6i thi~u cac cong cl) bao m~t cl.iaMicrosoft Trang 32/83

'.

IPSec:

La m(>tb(>cac dich V\l bao v~ va cac nghi thuc bao m~t d\Ia tren cac

ky thu~t rna hoa Vi IPSec ch(;lyd(>cl~p v6i cac lIng dl)ng va cac nghi thucnen co thS de dang triSn khai IPSec van h~ th6ng m(;lnghi~n co

IPSec cung c~p kha nang xac th\Ic a muc may tinh, nhu rna hoa dfrli~u cho cac kSt n6i VPN SlT dVng nghi thuc L2TP IPSec la ciu n6i gifram(>tmay tinh va m(>tmay chl.i VPN (chuful L2TP) tru6c khi m(>tkSt n6iL2TP gifra may tinh do dSn may chl.i duQ'c thiSt l~p ciu n6i nay bao v~m~t khAu va dfr li~u

Cae thugt toan rna hoa sir dl;lng trong IPSee :

+ Data Encryption Standard (DES) : Thu~t toan rna hoa sudl)ng m(>tkhoa 56 bit Ma hoa m(>tkh6i 64 bit diu van thanh m(>tkh6i 64bi~diu ra, khoa xu~t hi~n du6i d?ll~ m(>tkh6i 64 bit, nhung m(>tb!t trongmoi khoi 8 bit duQ'cdung lam bit kiem tra Ie (odd parity bit), nen so bit cothS dung lam khoa chi can 56 bit

+ Triple DES(3DES) : Cling gi6ng nhu DES, chi khac la Slrdl)ng dSn 3 khoa 56 bit dS rna hoa nen d(>an toan cao han va thai gian rnahoa cling nhu thai gian giai rna cling lau han Thuang duQ'c su dl)ng trongmoi truang co d(>an toan cao

Routing and Remote Access (Djnh tuyin va truy c~p tit'xa):

Dich Vl)nay cung c~p kha nang dinh tuySn cho cac lu6ng dfr li~u, vacac kSt n6i Dich Vl)nay lam cho may tinh dong vai tro nhu m(>tRouter,cho phep IO(;lib6 ho~c chuySn huang cac kSt n6i Ngoai ra no can cungc~p kha nang truy c~p tir xa m(>tcach an toan (cac thong tin dSu duQ'cbaov~ ) cho nguai dung

Internet Authentiction Services (lAS) :

Cac chuc nang chinh rna dich Vl)nay cung c~p :

+NhiSu IO(;liphuang thuc xac th\Ic khac nhau :

+NhiSu phuang thuc l.iyquySn :

+ H6 trQ'nhiSu IO(;litruy c~p van may chl.i : Khong day,

+ RADIUS proxy (Remote Authentication Dial-in UserService)

+Quay s6 kSt n6i tir ben ngoai va truy c~p khong day

+Uy quySn va xac th\Ic t~p trung

+Quan tri t?P trung t~t ca cac may chl.itruy C?p

+KiSm tra giam sat t?P trung

+Cac cong Cl)quan tri nhanh

Chuong 4 Gi6i thi~u cac cong Cl,lbao m~t cua Microsoft Trang 33/83

-.

+ Cac cong C\lgiam sat t~i ch6 ho~c ill xa

+Ti~ tuon& thich cao

+Ho trq nhieu may chu lAS

+ Co kha nang rnar(mg va nang c~p

4.1.8-M8i quan he tin tuong (Trusts):

H<;>Windows server 2003 h6 tr<)'Domain tmsts va Forest (t~p hqpcua OOiSuDomain) trusts

Active Directory luu tru cac thong tin cua cac d6i tuqng tren m~ng

va lam cho nhfrng thong tin nay tra nen dS dang trong vi~c tim ki~m va sir

dl,lng d6i v6i nguai quan tri h~ th6ng Active Directory dung m(>tkho c~utruc du li~u lam nSn tang lu~ ly (thu t1,1'cua cac lo~i thong tin trongActive Directory)

Kho du li~u nay, duqc bi~t dSn OOum(>tthu ml,lc (directory), chuanhfrng thong tin vS cac d6i tuqng trong Active Directory Nhung d6i

tuqng d~c trung cua Active Directory la cac tai nguyen dung chung OOu:may chu (server), cac 6 rna (volumes), may in, va cac tai khoan nguaidung

Cac tiOOnang bao m~t duqc tich hqp trong Active Directory thongqua xac th1,1'cdang OO~p(logon Authentication) va diSu khi@ntruy c~ptirng d6i tuqng (Access control to Object), day la 2 chuc nang chiOOtrong phuong thuc uy quySn C\lCb(> (Local Security Authority - LSA)trong Active Directory V6i cach thuc dang OO~pm(>tIfill duy OO~t(Singlenetwork logon), OOaquan tri co th@quan ly cac du li~u (Directory data) vacach t6 chuc du li~u tren tom m~g Cac nguai dung duqc uy quySn coth@truy c~p d~n cac tai nguyen duqc phep a b~t cu dau trong m~ng, tu dodon gian hoa vi~c quan tri cac m~ng phuc t~p

Active Directory bao gAm:

M(>tt~p cac lu~t, hay con g<;>ila sO'd6 (schema), diOOnghla c~p b~ccua cac d6i tuqng va cac thu(>c tiOOkern theo cua cac d6i tuqng trong

Chuang 4 Gi6'i thi~u cac cong C\lbao m~t clia Microsoft Trang 34/83

MQt truy van va co che li~t ke, rna theo do cac doi tUQ11gva cacth\loCtinh cua chung dugc ph6 bi~n va dugc nguai dung hay lIng d\lng timth~y mQt cach d@dang

Dich V\l <inhX?, qua do phan tan dfr li~u Directory tren toan m?ng.T~t ca cac Domain controller (may chu chua co So' dfr li~u trong mQt rungActive Directory) d~u tham gia vao cong vi~c anh X? va m6i Domaincontroller trong Domain chua mQt ban sao hoan chinh t~t ca nhung thongtin Directory cho Domain do B~tIcy sg thay d6i dfr li~u Directory nao d~udugc <inhX? d~n toan bQDomain controller trong Domain

Cac ph~n m~m h6 trg Active Directory cho may khach (may can)

Bao Vf truy cfjp m{lng :

Active Directory cfu1xac dinh l?i nguai dung tru6'c khi cho phepnguai dung nay dugc dang nh~p vao m?ng, mQt qua trinh g~n gi6ng nhuxac thgc Nguai dung chi cfu1cung c~p username va password mQt lfu1de

co thS dang nh~p vao Domain (hay cac Domain dugc tin tuang - TrustedDomain ) MQt khi Active Directory da:xac dinh dugc nguai dung hgp l~,LSA tren Domain controller xac thgc se sinh ra mQt the (token), the nay

se xac dinh c~p dQ truy c~p cua nguai dung nay v6'i cac tai nguyen trenm?ng

Active Directory h6 trg mQt s6 cac nghi thuc chu<1nInternet va cac

co ch~ xac thgc dung de xac minh nguai dung, baa g6m : Kerberos V5,X.509 v3 certificates, smart cards, public key infrastructure (PKI) vaLightweight Directory Access Protocol (LDAP) dung Secure SocketsLayer (SSL)

Vi~c xac thgc giua cac Domain dugc thgc hi~n thong qua m6i quan

h~ tin tuang MQt m6i quan h~ tin tuang la mQt m6i quan h~ dugc thi~t l~p

gifra hai hay nhi~u Domain, vi~c nay cho phep mQt nguai dung co thedugc xac thgc bai mQt Domain controller trong mQt Domain khac

M6i quan h~ tin tuang co the la Domain nay tin tuang Domain khac hay Domain nay dugc Domain khac tin tuang Chung cung co mQt m\lc

Chuang 4 Gi6'i thi~u cac cong C\lbao m~t cua Microsoft Trang 35/83

dich chung la giup nguai dung 0 Domain nay co th~ chia se tai nguyen v6'inguai dung 0 cac Domain khac

Active Directory giup bao v~ cac tai nguyen dugc chia se bfuIg cachdan gian hoa vi~c uy quy~n nguai dting MQt khi nguai dung dugc chungthlJc boi Active Directory Cac quy~n cua nguai dting se dugc d.p chonguai dung, cac phep truy c~p se dugc c~p cho tai nguyen, diSu ll<lY selam mQi vi~c r5 rang han khi nguai dung co y dinh truy c~p vao tainguyen do Qua trinh uy quy~n nay se ch6ng l:;tiSlJ truy c~p cua nhungnguai dung khong hqp phap va chi co nhfrng nguai dung hqp phap m6'idugc truy c~p vao cac tai nguyen

4.2.1 -FJi~ukhiin truy clip tron~ Active ~irect0Q' : ,

Nha quan tri co the dung dieu khien truy c~p (access control) dequan ly nguai dung truy c~p vao cac tai nguyen dugc chia se vi m\lc dichbao m~t.Trong Active Directory, di~u khi~n truy c~p dugc tiSn hanh theoc~p dQ cua cac d6i tugng (object level) b~ng cach cai d?t nhfrng c~p dQtruy c~p khac nhau cho cac d6i tugng hay phep truy c~p cho d6i tugng vdnhu : toan quy~n (Full control), dQc, ghi, khong dugc phep truy c~p

Di~u khi~n truy c~:p trong Active Directory dinh nghla cach rnanguai dung Slr d\lng cac doi tugng trong Active Directory Theo m?c dinhcac d6i tugng trong Active Directory dugc cai d?t 0 chS dQ an toan nh~t

Cac ySu t6 dinh nghla cac phep di~u khi~n truy c~p trong ActiveDirectory bao g6m : Mo ta cac thuQc tinh bao m~t (Security descriptors),

kS thua cac thuQc tinh ( Object inheritance) va xac th1Jcnguai dung (Userauthentication)

Mo ta cac tbuoc tlnb bao mat (Security descriptors) :

Phep truy c~p dugc c~p cho cac d6i tugng dung chung va cacd6i tugng Active Directory d~ di~u khi~n nguai dung dung chungnhu thS nao MQt d6i tugng dung chung hay mQt tai nguyen dungchung, la mQt d6i tugng dugc mQt hay nhi~u nguai dung Slr d\lngtren m:;tng, Chung co th~ la t~p tin, thu m\lc, may in, cac dich V\l Cac d6i tugng dung chung va cac d6i tugng Active Directory d~uluu tru thong tin truy c~p vao phcln mo ta cac thuQc tinh bao m~t(Security Descriptors)

MQt "mo ta cac thuQc tinh bao m~t" chua hai danh sach di~ukhi~n truy c~p (Access Control Lists - ACLs) dung d~ c~p va theod5i cac thong tin bao m~t cho timg d6i tugng : Danh sach truy c~p

Chuang 4 Gi6i thi~u cac cong C\l bao m~t cua Microsoft Trang 36/83

I ~

-.

troy c~p h~ th6ng (System Access Control Lists - SACLs)

hay nhom nguai dung dugc cfip quy@n hay bi tu ch6i tren mQt d6itugng, N8u DACLs khong dugc chi diOO r5 rang nguai dung nao

phep lam gi tren d6i tugng thi nguai dung do se bi til ch6i khi troy

co chua cac m\lc (Access Control Entries - ACEs) dung dS xac diOOnguai dung nao troy c~p vao d6i tugng

nguai dung rna nha quan tri mu6n giam sat s6 l~n troy c~p thanh

cua nguai dung vao mQt d6i tugng

Domain

d6i tugng nay Sv thua k8 thi8t l~p cac thong tin trong Security

no Di@u nay lo?i b6 dugc sv phi@n phuc khi phai cfip l?i cac thongtin bao m~t cho cac d6i tugng con N8u c~n thi8t chung ta v~n cothS thay d6i l?i quy@n thua k8 nay

4.2.2 - Xac thrrc ngrrOi dung (User Authentication):

Active Directory co thS xac th\Ic, uy quy@n cho nguai dung, OOomnguai dung ho~c may tiOO quy@n truy c~p vao cac tai nguyen trong m?ng.LAS la mQt h~ th6ng bao m~t ph\l, chiu trach OOi~m toan bQ vi~c xac th\Icnguai dung va cac dich V\l uy quy@n tren mQt may C\lCbQ LSA cling dugcdung dS xu ly cac yeu c~u xac th\Ic thong qua cac nghi thuc nhu KerberosV5 hay NTLM trong Acitve Directory

Chuang 4 Gi6i thi~u cac cong C\l bao rn~t cua Microsoft Trang 37/83

".

MQt khi nguai dUng da duqc Active Directory dinh danh, LSA tren

Domain controller xac thvc se t~o ra rnQt " the truy c~p " (User access

token) va rnQtrna s6 an ninh rn~t tuang trng v6i nguai dung.

The troy c~p (Access token) Khi rnQt nguai dung da duqc xac thvc LSA se t~o ra rnQt the troy c~p cho nguai dung MQt the troy c~p chua ten dang nh~p, nhorn cua nguai dung, rna s6 an ninh cua nguai dung (SID) va toan bQ rna s6 an ninh cua cac nhorn rna nguai dung la thanh

vien

Ma s6 an ninh (Security ID) Active Directoty tv dQng c~p phat cac

rna s6 an ninh cho cac d6i tuqng chinh ngay hIe rna no duqc t~o ra Cac d6i tuqng chinh la nhUng tai khoan trong Acitve Directory duqc dung dS

c~p phat cho may tinh, nhorn, nguai dung MQt SID ung v6i rnQt nguai

dung da duqc xac th\l'c, no di kern v6i the truy c~p cua nguai dung.

Thong tin tren the troy c~p cua nguai dung chi ra rnuc dQ rna nguai dung do co thS troy c~p tren d6i tuqng b~t cu khi nao nguai dung troy c~p vao d6i tuqng SID trong the troy c~p duqc so sanh v6i danh sach SID trong DACLs cua d6i tuqng dS ch~c ch~ d.ng b~ co quySn troy c~p vao d6i tuqng nay.

4.3 - Internet Security and Acceleration (lSA)4.3.1-GiOi thieu :

ISA la rnQt chuang trinh Internet Gateway rna no cung c~p mQt kStn6i bao rn~t d6ng thai nang c~p va cai thi~n S\l'thS hi~n m~ng ISA dapung nhung yeu cftu nay bfulg cach cung c~p 1 giai phap kSt n6i Internetrna bao g6m ca Firewall va Web Cache

ISA bao m~t m~ng cua b~, cho phep ta hi~n th\l'c chinh sach baom~t bfulg vi~c c~u hinh t~p hqp cac quy dinh cho cac Web site, Protocols

va Content co thS di qua may tinh cai ISA ISA co thS giam sat cac "yeucftu" va cac "dap trng" giua Internet va cac may tr~m trong rn~g nQi bQ.ISA cling co thS diSu khiSn client nao duqc troy xu~t Internet, no cling cothS diSu khiSn may tinh nao tren Internet duqc quySn troy xu~t dSn clienttrong m~ng nQi bQ

Firewallla gi?

Thu~t ngu firewall co ngu6n g6c tu mQt ky thu~t thiSt kS trong xayd\l'llg dS ngan ch~, h~n chS hoa ho~n Trong con~ ngh~ m~n&thop.g tin,firewall la mQt ky thu~t duqc tich hqp vao h~ thong m~ng de chong l~ivi~c troy c~p trai phep nhfun bao v~ cac ngu6n thong tin nQi bQ cling nhuh~ chS S\l'xam nh~p vao h~ th6ng cua mQt s6 thong tin khac kh6ng mong

Chuang 4 Gi6i thi~u cac cong C\lbao m~t cua Microsoft Trang 38/83

Tfit ca cac trao d6i dfr li~u tu trong ra ngoai va nguqc l?i phai th\fchi~n thong qua firewall

Chi c6 nhfrng trao d6i nao duqc phep bai ch~ d<)an ninh cua h~th5ng m?ng n<)ib<)m6i duqc quy~n luu thong qua firewall

V~m~t v~t ly, firewall bao g6m:

M<)t ho~c nhi~u h~ th5ng may chu k~t n5i v6i cac b<) dinh tuy~nho~c c6 chuc nang router

Cac phfin m~m quan ly an ninh ch?)' tren, cac h~, th5ng may chu.Thong thuem~ la cac h~ quan tri xac th\fC, dip quyen va ke toan

Cac kieu Buc tuemg hiaC6 m<)ts5 kiSu buc tuemg lua khac nhau rna tfit ca chung d~u c6 thSduqc g<)pvao trong m<)tMay chu Tuemg lua duy nh:1t va duqc c:1uhinhrieng theo y d6 cua tung nha quan tri m?ng, thucmg la qua m<)tgiao di~nnguai dung d6 ho?

Cac c6ng n5i muc ll'ng d\lng Cac buc tuemg lua thuang h6 trq chom<)t s5 cac server ung d\lng tieu chufin, bao g6m thu di~n ill, tintuc, WWW, FTP va DNS M6i ll'ng d\lng th~m chi con c6 thS duqc ngancach kh6i phfin m~m tuang lua khac sao cho n~u m<)tserver rieng bi~t naod6 bi t:1n cong thi cac server ho~c cac chuc nang khac khong bi anhhuang

Khi cac g6i duqc chuySn len gia giao thuc, cac lap khac nhau sethao tac dfr li~u v~ phia ben trong g6i Khi g6i d?t t6i lap ung d\lng, cacthao tac duqc th\fc hi~n tren truemg tai dfr li~u cua g6i Day la thong tinrna chuang trinh ll'ng d\lng xu ly va hiSn thi du6i d?llg nguai dung c6 thShiSu duqc T?i lap nay, tu quan diSm bao v~ an ninh thong tin, c6 thS ti~nhanh m<)ts5 di~u rfit thu vi, nhu:

* Quet virus cac t~p FTP va e-mail gui t6i dS tranh Ian truy~n laynhiSm

* KiSm soat xem nhfrng l~nh FTP nao nguai dung duqc phep th\fchi~n

* KiSm soat xem nhfrng l~nh nao duqc phep th\fc hi~n cho b:1t kym<)tdich V\lC\lthS nao

Chuang 4 Giai thi~u cac cong C\!bao m~t clla Microsoft Trang 39/83

-.

Clla lo~i thu va vfu1

ISA co thS duqc triSn khai nhu m(>t Firewall chuyen d\!ng rna no se

server bao v~ tAt ca SlJ giao tiSp giua client trong m~ng n(>i b(>va Internet

M(>t cai duqc kSt n6i vai m~ng LAN va cai kia duqc kSt n6i Internet

Ta co thS dung ISA Server dS config Firewall, config Policies va t~ocac lu~t dS hi~n thlJc cac quy t~c nghi~p V\! B~ng cach thiSt l~p cac chiOOsach truy xuAt bao m~t ta se ngan ngira duqc cac truy xuAt trai phep va cac

luqng cho m6i nguai dung va OOom

Cac d~c trrrng bao mit Clla ISA bao gAm:

Out goinp access policy:

Ta co the config Site and Content Rules va cac Protocol Rules rna

no se control cac Client n(>ib(>truy xuAt Internet OOu thS nao

No .1%1k{if IRoute to upstream server.

Is the route directly

No that denies the request?. '

No -11 DDeny the request

Is there a protocol rule

~ :::~:~;~:s::ea~::::~ent rule

N; that denies the request?

Yes rule that allows the request?. '

No block the request?

Hinh 13: Quy trinh xu ly cho m9t Outgoing Web Request

Site and content Rule chi dinh Site va Content nao dugc truy xufit.Con Protocol Rule chi ra giao thuc C\l thS nao do co thS dugc truy xufitvao ra hay khong?

Ky thu~t do tim S1J xam nh~p dugc tich hgp vao ISA co the canhbao ta khi co 1 S1J xam nh~p ~~c bi~t vao n:~n~ cua tao Vi d\l, ta co thSconfig ISA canh bao cho ta biet co m9t S1J co gang do tim port dugc phathi~n

Security Wizard: