
Deploying a DMZ to Strengthen Protection of the Internal Network

Introduction

In geographic and human terms, a DMZ (Demilitarized Zone) is an area in which the presence of military forces (soldiers, weapons, ammunition) and military activity (reconnaissance, exercises, combat) are not permitted. A DMZ is therefore seen as a boundary zone separating two hostile parties, and DMZs are usually created after peace treaties or ceasefire agreements. In the real world, the strip of land that cuts across the Korean peninsula and splits it into two countries, South Korea and North Korea, is one example of a DMZ. In the history of the Vietnam War, the Ben Hai river separating North and South is another. Like many computing terms borrowed from the real world, DMZ is also a term used in computer network security. So do the meaning and purpose of the term DMZ in computing match those of the military DMZ?

Before explaining what a DMZ is and what it does, let me describe a situation. The internal network of an organisation typically contains servers providing basic services such as Directory Service (Active Directory, OpenLDAP), DNS, DHCP, File/Print Sharing, Web, Mail and FTP. Of these, the Web, Mail and FTP servers usually have to provide their services to users both inside and outside the organisation's internal network. If you place all of these servers on the same network segment as the users' workstations, what happens when a hacker on an outside (external) network such as the Internet takes control of a 'public server' such as Web, Mail or FTP? Very likely the hacker will use the compromised server as a foothold to attack the other servers (DNS, DHCP, Directory Service) and to penetrate deeper into the internal workstations. So we need some solution that limits the damage to the internal network when these public servers are attacked, and a DMZ is one answer to this problem.

A DMZ is a network separated from the internal network, and it uses a different network segment (or even a different subnet) from the internal one. Servers such as Web, Mail, FTP and VoIP, which provide the services the organisation wants users to reach from outside networks such as the Internet, are placed in the DMZ. Servers that serve internal purposes, such as DNS, DHCP and File/Print, stay in the internal zone.

Between the DMZ and the external network you can place a firewall that allows connections from outside to reach only the DMZ. Between the internal network and the DMZ you can place another firewall to control traffic flowing from the DMZ into the internal network. Just like the military DMZ, the DMZ here creates a separation between two opposing sides: the internal network and the external network. One can say that the DMZ adds an isolating layer of protection for the internal network, since a hacker from outside can only reach the hosts in the DMZ.

If you think of the external network as the 'untrusted network' and the internal network as the 'trusted network', then the DMZ can be regarded as semi-trusted. It is not as safe as the LAN, but because it sits behind a firewall it is safer than the Internet. You can also think of the DMZ as a 'liaison network' (a network with illicit relationships :-p), since it can communicate with both the Internet and the LAN while sitting between them, as shown in the figure above. But unlike the calm, combat-free DMZ of the real world, the network DMZ really does carry a lot of risk from outside threats. A typical example is a hacker using a denial-of-service attack (DoS/DDoS) against the servers in the DMZ to disrupt or knock out their ability to serve legitimate users. And unlike the ownerless, neutral DMZ of the real world, when you create a DMZ for your organisation it really is part of your own network, and you must control it well.

DMZ architecture

A DMZ is built from two basic components: IP addresses and firewalls. There are two important identifying characteristics of a DMZ to remember:
1. It has a network ID different from the internal network.
2. It is separated from both the Internet and the internal network by one or more firewalls.
Below I explain these two characteristics in more detail.

1. IP addresses used in the DMZ

Depending on the DMZ architecture and the firewall configuration, a DMZ may use either public or private IP addresses for its servers.

If you use public IP addresses for the DMZ, you will usually need to subnet the address block your ISP assigned so that you get two separate network IDs. One is used for the external interface of the firewall (the NIC connected directly to the ISP), and the other for the DMZ network. Note that when you subnet this public block, you must configure your router so that packets arriving from the Internet can reach the DMZ. You can also create a DMZ with the same network ID as the internal network while still keeping the DMZ and the internal network isolated by using VLAN tagging (IEEE 802.1Q). In that case the DMZ servers and the internal workstations are plugged into the same switch (or into different switches that are connected to each other) but assigned to different VLANs. If instead you use private IP addresses for the DMZ, you will need NAT (some firewalls have this built in) to translate those private addresses to a public IP (the one assigned to the external interface of the firewall between the Internet and the DMZ). Because some applications do not work well through NAT (Java RMI, for example), you should weigh NAT against routing between the Internet and the DMZ.

2. Firewalls

There are many ways to design a network that uses a DMZ. The two basic and most common models are the single firewall (or three-legged firewall) and the dual firewall. Below I briefly describe how each works and its advantages and drawbacks.

a) Single firewall

You need only one device with three NICs (network interface cards): one NIC connects to the external network, the second to the DMZ, and the third to the internal network.

Figure: single firewall architecture

That is why it is called a 'three-legged firewall' (each leg is one of its NICs). The three-legged firewall must be able to control all traffic into and out of the three networks (internal, external and DMZ), and it becomes the single point of failure for the whole network. If this firewall fails, neither the DMZ nor the internal network is protected any longer; in return you avoid the cost of a second firewall, which the dual-firewall model below requires. A DMZ built with a single firewall is called a trihomed DMZ. You can also create two (or more) separate DMZs with different network IDs by adding the corresponding number of NICs to the single firewall.

b) Dual firewall

You need two firewall devices, each with two NICs, arranged as follows:
- The first firewall (called the front-end firewall) has one NIC connected to the external network (external interface) and the other connected to the DMZ (internal interface). The front-end firewall controls traffic from the Internet to the DMZ and the internal network.
- The second firewall (called the back-end firewall) has one NIC connected to the DMZ (external interface) and the other connected to the internal network (internal interface). The back-end firewall controls traffic from the DMZ and the Internet to the internal network.

Figure: dual firewall architecture
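To make the zone-pair logic behind both models concrete, here is an added Python example that is not part of the original article: it classifies addresses into the internal, DMZ and external zones, applies a default policy in the spirit of the text (the Internet reaches only published DMZ services, the DMZ cannot initiate connections into the internal network), reports which device enforces each zone pair in the dual-firewall layout, and renders the published-service rules as nftables forward-chain rules for a three-legged box. The subnets, published services and interface names (ext0/dmz0/lan0) are constructed assumptions, and the nftables rules assume a forward chain whose default policy is drop.

```python
import ipaddress

# Constructed addressing (assumption): public /24 for the DMZ, private /16 LAN.
ZONES = {
    "internal": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}
# Services published from the DMZ as (host, TCP port); values are constructed.
PUBLISHED = {
    ("192.0.2.10", 80), ("192.0.2.10", 443),  # web
    ("192.0.2.20", 25),                       # mail
    ("192.0.2.30", 21),                       # ftp
}

def zone_of(ip):
    """Map an address to internal, dmz, or external (anything outside both)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def allowed(src_ip, dst_ip, dst_port):
    """Zone-pair policy for a new TCP connection; replies are assumed stateful."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # same segment, never crosses the firewall
    if src == "external":
        # The Internet reaches only published DMZ services, never the LAN.
        return dst == "dmz" and (dst_ip, dst_port) in PUBLISHED
    if src == "dmz":
        # A compromised public server must not pivot to DNS/DHCP/AD on the LAN.
        return dst == "external"  # outbound left open here; tighten per service
    return True  # internal workstations may use DMZ services and the Internet

def dual_firewall_path(src_ip, dst_ip):
    """Devices a flow crosses in the dual-firewall layout (one box in the three-legged one)."""
    zones = {zone_of(src_ip), zone_of(dst_ip)}
    if zones == {"external", "dmz"}:
        return ("front-end",)
    if zones == {"dmz", "internal"}:
        return ("back-end",)
    return ("front-end", "back-end") if len(zones) == 2 else ()

def to_nft():
    """Forward-chain nftables rules for a three-legged box, interfaces ext0/dmz0/lan0 (assumed)."""
    rules = ["iifname ext0 oifname lan0 drop", "iifname dmz0 oifname lan0 drop"]
    for host, port in sorted(PUBLISHED):
        rules.append(f"iifname ext0 oifname dmz0 ip daddr {host} tcp dport {port} accept")
    return rules
```

In the dual-firewall layout the same matrix is split across two boxes: the front-end holds the external/DMZ rows and the back-end holds the DMZ/internal rows, so a single misconfiguration no longer exposes both segments at once.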

Clearly, compared with the single firewall, this solution costs more to deploy because you must invest in two separate firewall devices, but the performance and security of your network improve. So, depending on your organisation's circumstances and the environment of each network, you should weigh whether a single or dual firewall is the better fit. Some recommendations say to choose the two firewalls from two different vendors, on the reasoning that if a hacker can break the first firewall, it will still be harder to break through the second because the two are built in different ways. What do you think about this?

Conclusion

A DMZ is considered one of the shields in a defense-in-depth strategy for an organisation's internal network. But like any other shield, it can still be broken, and keeping it intact requires you to install, configure and monitor the firewalls and servers in the DMZ fully and regularly. I hope this article has given you an overview of the DMZ: what it is, what it does, its characteristics, and its different forms. Deploying a DMZ in specific cases with specific firewall products is left for other articles.
