Deploying a DMZ to strengthen protection of the internal network
Introduction

In geographic and human terms, a DMZ (Demilitarized Zone) is an area in which the presence of military forces (soldiers, weapons, ammunition) and military activities (reconnaissance, exercises, combat) are not permitted. A DMZ is therefore regarded as a boundary zone separating two hostile parties, and such zones are usually created after peace treaties or ceasefire agreements. In the real world, the strip of land that cuts across the Korean peninsula and divides it into South Korea and North Korea is one example of a DMZ. In the history of the Vietnam War, the Ben Hai river that separated North and South is another. Like many computing terms borrowed from the real world, DMZ is also a term used in computer network security. So does the word DMZ in computing carry the same meaning and purpose as it does in the military sense?

Before explaining what a DMZ is and what it does, let me set up a scenario. An organization's internal network usually contains servers providing basic services such as: Directory Service (Active Directory, OpenLDAP), DNS, DHCP, File/Print Sharing, Web, Mail and FTP. Of these, the Web, Mail and FTP servers typically have to provide their services to users both inside and outside the organization's internal network. If you place all of these servers in the same network segment as the organization's user workstations, what happens when an attacker on the external network (for example the Internet) gains control of a 'public server' such as Web, Mail or FTP? Very likely the attacker will use the compromised server as a foothold to attack the other servers (DNS, DHCP, Directory Service) and to penetrate further into the internal workstations. So we need some solution that limits how badly the internal network can be hurt when those public servers are attacked. The DMZ is one answer to this problem.

A DMZ is a network separate from the internal network, using a different network segment (or a different subnet) from it. Servers such as Web, Mail, FTP and VoIP, that is, the services the organization wants users to reach and use through external networks such as the Internet, are placed in the DMZ. Servers serving purely internal purposes, such as DNS, DHCP and File/Print, remain in the internal zone.
Between the DMZ and the external network you can place a firewall that allows connections from the external network to reach only the DMZ. Between the internal network and the DMZ you can place another firewall to control traffic going from the DMZ into the internal network. In this way, just like the military DMZ, the DMZ here creates a separation between two opposing sides: the internal network and the external network. One can say that the DMZ adds an isolating layer of protection for the internal network, since an attacker from the outside can only reach the machines that sit in the DMZ.
If you think of the external network as the 'untrusted network' and the internal network as the 'trusted network', then the DMZ can be regarded as a semi-trusted network. It is not as safe as the LAN, but because it sits behind a firewall it is safer than the Internet. You can also think of the DMZ as a 'liaison network' (a network with illicit relations :-p), since it can communicate with both the Internet and the LAN while sitting between them, as shown in the figure above. But unlike the calm, conflict-free zone you find in a real-world DMZ, the network DMZ genuinely harbours many risks brought by external threats. A typical example is an attacker using a denial-of-service attack (DoS/DDoS) against the servers in the DMZ to disrupt or shut down their ability to serve ordinary legitimate users. And unlike the ownerless, neutral DMZs of the real world, when you create a DMZ for your organization it truly is part of your whole internal network, and you have to control it well.

DMZ architecture

A DMZ is built from two basic components: IP addresses and firewalls. There are two important identifying characteristics of a DMZ that you need to remember:
1. It has a different network ID from the internal network.
2. It is separated from both the Internet and the internal network by one or more firewalls.
Below I explain these two characteristics in more detail.

1. IP addresses used in the DMZ

Depending on the DMZ architecture and the firewall configuration, a DMZ can use either public or private IP addresses for its servers.
If you use public IPs for the DMZ, you will usually need to subnet the address block your ISP assigned you so that you get two separate network IDs. One of them is used for the firewall's external interface (the NIC connected directly to the ISP) and the other is used for the DMZ network. Note that when you subnet this public block, you must configure your router so that packets coming in from the Internet can reach the DMZ. You can also create a DMZ that shares the same network ID as the internal network while still guaranteeing isolation between the DMZ and the internal network by using VLAN tagging (IEEE 802.1Q). In that case the DMZ servers and the internal workstations are plugged into the same switch (or different switches that are linked together) but assigned to different VLANs.

If instead you use private IPs for the DMZ, you will need NAT (some firewalls have this feature built in) to translate those private IPs to a public IP (the one assigned to the external interface of the firewall sitting between the Internet and the DMZ). Since some applications do not work well with NAT (for example Java RMI), you need to weigh the choice between NAT and routing between the Internet and the DMZ.

2. Firewalls

There are many ways to design a network that uses a DMZ. The two basic and most common models are the single firewall (or three-legged firewall) and the dual firewall. Below I give a brief overview of how each model works and its advantages and drawbacks.

a) Single firewall

You need only one device with three NICs (network interface cards). One NIC connects to the external network, the second to the DMZ, and the third to the internal network.
That is why it is called a 'three-legged firewall' (each leg of the firewall is one of its NICs). This three-legged firewall must be able to control all traffic in and out between the three networks (internal, external and DMZ), and it becomes the single point of failure for the whole network. If something goes wrong with it, neither the DMZ nor the internal network is protected any more, but in return you do not have to spend on a second firewall as in the dual firewall model below. A DMZ built with a single firewall is called a trihomed DMZ. You can also create two (or more) separate DMZs with different network IDs by adding a corresponding number of NICs to the single firewall.

b) Dual firewall

You need two firewall devices, each with two NICs, arranged as follows:
- The first firewall (called the front-end firewall) has one NIC connected to the external network (external interface) and the other connected to the DMZ (internal interface). This front-end firewall controls traffic from the Internet to the DMZ and the internal network.
- The second firewall (called the back-end firewall) has one NIC connected to the DMZ (external interface) and the other connected to the internal network (internal interface). This back-end firewall controls traffic from the DMZ and the Internet to the internal network.
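As an added example (not part of the original article), here is a small Python model of the three-legged firewall policy from section 2a combined with the private-IP-plus-NAT option from section 1: it gives a verdict for new connections by zone, and renders the same policy as an nftables ruleset. The interface names, subnets, host addresses and allowed ports are assumptions chosen for the example.

```python
from ipaddress import ip_address, ip_network

# Assumed layout of a three-legged firewall: eth0 = external, eth1 = internal, eth2 = DMZ.
# The DMZ uses private addresses behind NAT (one of the two options in section 1).
IFACE = {"external": "eth0", "internal": "eth1", "dmz": "eth2"}
ZONES = {"internal": ip_network("10.10.0.0/24"), "dmz": ip_network("192.168.100.0/24")}
# Published DMZ services (Web, Mail, FTP): all the external side is allowed to initiate to.
DMZ_PUBLIC = {"192.168.100.10": {80, 443}, "192.168.100.20": {25, 587}, "192.168.100.30": {21}}
# Allow-list of internal services a DMZ host may initiate to (here only the internal DNS resolver).
DMZ_TO_INTERNAL = {("10.10.0.53", 53)}

def zone_of(ip):
    """Map an address to internal, dmz, or external (anything outside the two local subnets)."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "external")

def decide(src, dst, dport):
    """Verdict for a NEW connection src -> dst:dport; replies are covered by connection tracking."""
    s, d = zone_of(src), zone_of(dst)
    if s == "internal":                 # trusted side may initiate to the DMZ and the Internet
        return "accept"
    if s == "external":                 # untrusted side: only the published DMZ services
        return "accept" if d == "dmz" and dport in DMZ_PUBLIC.get(dst, set()) else "drop"
    if s == "dmz":                      # semi-trusted: out to the Internet, inward only by allow-list
        if d == "external" or (d == "internal" and (dst, dport) in DMZ_TO_INTERNAL):
            return "accept"
    return "drop"                       # default deny: a compromised DMZ host cannot roam inside

def to_nft():
    """Render the same policy as an nftables forward chain plus source NAT for the private DMZ."""
    ext, inn, dmz = IFACE["external"], IFACE["internal"], IFACE["dmz"]
    rules = ["ct state established,related accept", f'iifname "{inn}" accept',
             f'iifname "{dmz}" oifname "{ext}" accept']
    for host, ports in DMZ_PUBLIC.items():
        plist = ", ".join(str(p) for p in sorted(ports))
        rules.append(f'iifname "{ext}" oifname "{dmz}" ip daddr {host} tcp dport {{ {plist} }} accept')
    for host, port in sorted(DMZ_TO_INTERNAL):
        for proto in ("tcp", "udp"):
            rules.append(f'iifname "{dmz}" oifname "{inn}" ip daddr {host} {proto} dport {port} accept')
    body = "\n".join("    " + r for r in rules)
    return (f"table inet fw {{\n  chain forward {{\n    type filter hook forward priority 0; policy drop;\n{body}\n  }}\n}}\n"
            f"table ip nat {{\n  chain postrouting {{\n    type nat hook postrouting priority 100; policy accept;\n"
            f'    oifname "{ext}" ip saddr {ZONES["dmz"]} masquerade\n  }}\n}}\n')

if __name__ == "__main__":
    for flow in [("203.0.113.5", "192.168.100.10", 443), ("203.0.113.5", "10.10.0.53", 53),
                 ("192.168.100.10", "10.10.0.53", 53), ("192.168.100.10", "10.10.0.7", 445)]:
        print(flow, "->", decide(*flow))
    print(to_nft())
```

The inbound DNAT from the firewall's public address to each DMZ host is left out; with it in place, the forward-chain verdicts above apply to the post-NAT destination addresses.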
Clearly, compared with the single firewall this solution costs more to deploy, since you have to invest in two separate firewall devices, but the performance and security of your network are improved. So, depending on your organization's circumstances and the environment of each network, you should consider which of the two, single firewall or dual firewall, is appropriate. Some recommendations suggest choosing the two firewalls from two different vendors, the reasoning being that if an attacker manages to break the first firewall, it will be that much harder to break the second because the two are built in different ways. What do you think about this?

Conclusion

The DMZ is regarded as one of the shields in a defense-in-depth protection system for an organization's internal network. But like every other shield, it can still be broken, and keeping it intact requires you to install, configure and monitor the firewalls and servers in the DMZ fully and regularly. I hope this article has given you an overview of the different aspects of a DMZ: What is it? What is it for? What are its characteristics? What forms does it take? Deploying a DMZ in specific cases with specific firewall products I will leave to other articles.