Specialized Project: Iptables Firewall and Snort IPS

MINISTRY OF EDUCATION AND TRAINING

HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY

FACULTY OF INFORMATION TECHNOLOGY

-----------o0o-----------

SPECIALIZED PROJECT
Topic:
Building an intrusion detection and prevention system based on the Iptables firewall and the Snort IPS

Supervisor: Van Thien Hoang, M.Sc.

Students:
Phan Van Th (09C1020136)
Nguyen Quoc Tien (09C1020159)
Duong Quang Minh Huy (09C1020059)

HO CHI MINH CITY, 2012

FOREWORD
First of all, we would like to sincerely thank Ho Chi Minh City University of Technology for training us and equipping us with truly useful knowledge during our time at the university.
We thank Mr. Van Thien Hoang for guiding us in completing this specialized project. Thank you for orienting and guiding us, for imparting very useful knowledge, and for providing the documents we needed to complete the project. Thank you for your enthusiasm and dedication toward us.
We thank all the lecturers of Ho Chi Minh City University of Technology, and in particular those of the Faculty of Information Technology, for training us, creating favourable conditions for us, and giving us the useful knowledge we carry into the future.
We wish Mr. Van Thien Hoang and all the lecturers of the Faculty of Information Technology of Ho Chi Minh City University of Technology good health and many successes in the teaching career they have chosen.

Phan Van Th
Nguyen Quoc Tien
Duong Quang Minh Huy

TABLE OF CONTENTS

INTRODUCTION

Chapter 1. Overview of Intrusion Prevention Systems
1.1 Introduction
1.2 Types of network attacks
1.2.1 Classification of security vulnerabilities
1.2.2 Active and passive attacks
1.2.3 Common attack steps
1.2.4 Attack methods
1.3 Methods of recognizing attacks
1.3.1 Recognition through an event set
1.3.2 Rule-based detection
1.3.3 User intention identification
1.3.4 State-transition analysis
1.3.5 Statistical analysis approach
1.3.6 Signature-based intrusion detection
1.3.7 Anomaly-based intrusion detection
1.4 Architecture of an intrusion prevention system
1.4.1 Traffic analysis module
1.4.2 Attack detection module
1.4.3 Response module
1.5 Types of IPS systems
1.5.1 Out-of-line IPS
1.5.2 Inline IPS
1.6 IPS products on the market
1.6.1 Intrust
1.6.2 ELM
1.6.3 SNORT
1.6.4 Cisco IDS
1.6.5 Dragon

Chapter 2. Overview of the Iptables firewall and the Snort inline IPS
2.1 Firewall overview
2.2 Firewall classification
2.2.1 Packet Filtering
2.2.2 Application-proxy firewall
2.3 Iptables overview
2.3.1 Features of Iptables
2.3.2 How Iptables works
2.3.3 Jumps and Targets
2.3.4 Rule manipulation options
2.4 Iptables commands and rule configuration
2.4.1 Using user-defined chains
2.4.2 Saving and restoring Iptables configuration scripts
2.4.3 Meaning of some basic Iptables rules
2.5 Firewall and Logging
2.5.1 The syslog protocol
2.5.2 Proprietary logging methods
2.6 Firewall log review and analysis
2.6.1 Overview
2.6.2 Event information from log files
2.7 Snort inline overview
2.7.1 Introduction to Snort inline
2.7.2 Snort-inline and Iptables
2.7.3 States
2.8 Snort components
2.8.1 Packet sniffer
2.8.2 Preprocessor
2.8.3 Detection engine
2.8.4 Logging and alerting system
2.8.5 Structure of a rule

Chapter 3. Experiments with the Iptables firewall and the Snort inline IPS
3.1 Experiment description
3.2 Experimental network infrastructure
3.3 Steps to install Iptables and Snort on CentOS
3.3.1 Installing CentOS
3.3.2 Installing and configuring Iptables
3.3.3 Installing and configuring Snort
3.3.4 Configuring the MySQL server
3.3.5 Configuring Snort to write alerts into MySQL
3.3.6 Installing and configuring the Basic Analysis and Security Engine (BASE)
3.4 System interface after installation
3.4.1 Basic configuration information
3.4.2 Snort usage guide
3.4.3 Experimental statistics for the Iptables firewall
3.4.4 Experimental statistics for the Snort IDS
3.5 Attacks and experimental statistics
3.5.1 Attacks detected by the Snort IDS
3.5.2 Prevention
3.5.3 Experimental statistics

CONCLUSION
REFERENCES
INTRODUCTION

1. Introduction
Today, economic globalization keeps expanding around the world. To develop the economy and capture information in time, information technology has become one of the most necessary industries. That is why information technology has grown so fast, bringing practical benefits in many areas such as the economy, society, politics, health care and the military, and enabling meetings within organizations, agencies and companies as well as transnational and transcontinental conferences (video conferencing).
The Internet plays an ever more important role in human activity, with an ever richer and more diverse volume of information. It is not only a place to look up the news and events of daily life; it also acts as a bridge connecting people across geographic regions. Geographic distance has almost lost its meaning: people half a world apart can still exchange information and share data as if they were in the same office.
The Internet has also changed the way enterprises do business. Besides traditional business, enterprises now have an additional effective channel, e-commerce. In recent years e-commerce has become an important component of social growth and development, bringing great benefits to enterprises while pushing the informatization of other sectors, and contributing to the efficiency of each enterprise's economy in particular and of society as a whole.
Precisely because information on the Internet is so diverse and the Internet is a shared bridge for the whole world, abuses such as information theft, information tampering and information modification occur easily. Alongside technological progress, network security has therefore become an urgent need, in order to protect internal networks, resist intrusion attacks and carry out information exchange and transactions over the network safely. Because of the value and benefits that information technology brings, malicious actors also exploit this technology, causing considerable trouble for organizations, agencies and the people who apply information technology in their lives.
Every technology has advantages and disadvantages. Attackers exploit system vulnerabilities to gain illegal access and extract important information, confidential and sensitive data, national defence secrets, and so on. We therefore need measures and methods to detect unauthorized access. To detect such access, an effective intrusion detection and prevention technology that many organizations, agencies and enterprises have deployed in their networks today is the Snort IPS.
Research on intrusion detection systems formally began about 32 years ago and has by now been widely applied in organizations and enterprises around the world.

2. Project tasks
Use IPS (Intrusion Prevention System) technology combined with the Iptables firewall to prevent and automatically block attacks on the network system, with the help of selective alerts from Snort inline.
As the information technology infrastructure develops, developing the network becomes more important, and within network development, ensuring network security is a very important matter. After more than ten years of development, network security in Vietnam is gradually receiving the attention it deserves. Until a comprehensive solution exists, each network must set up its own integrated IPS. In this thesis we study the structure of an IPS and go deeper into developing a software IPS using open source that can be applied in one's own network to replace expensive hardware IPS appliances. By combining the open-source software Iptables and Snort inline, we create a network monitoring system capable of detecting intrusions and preventing network attacks.

Chapter 1. Overview of Intrusion Prevention Systems

1.1 Introduction

An intrusion prevention system (IPS) is a security technique that combines the advantages of firewall techniques with an intrusion detection system (IDS). It can detect attacks and automatically block attacks aimed at the system's weaknesses.
An IPS has two main functions: detecting attacks and countering them. Most IPS systems are placed at the network perimeter, so they are able to protect all devices in the network.

1.2 Types of network attacks

1.2.1 Classification of security vulnerabilities

Understanding security weaknesses is a very important matter for carrying out effective security policies. Weaknesses in network security comprise technical weaknesses, configuration weaknesses and security-policy weaknesses.
Technical weaknesses: these include weaknesses in protocols, in operating systems and in hardware devices such as servers, switches, routers, and so on.
System configuration weaknesses: these are errors created by the administrator, caused by omissions in configuring the system, such as not securing customer accounts or using the default configuration on devices such as switches, routers and modems.
Based on the action of the attack, attacks can be divided into two kinds:

1.2.2 Active and passive attacks

Active attack: the attacker changes the operation of the system and of the network while attacking, affecting the integrity, availability and authenticity of data.
Passive attack: the attacker tries to collect information from the operation of the system and of the network, breaking the confidentiality of data.
Based on the origin of the attack, attacks can be classified into two kinds: attacks from inside and attacks from outside.
Attacks from inside: attacks originating inside the network. The attacker is someone in the internal network who wants to access or obtain more information than their permissions allow.
Attacks from outside: attacks originating from outside, via the Internet or remote-access connections.

1.2.3 Common attack steps

Step 1: Reconnaissance and information gathering. The attacker gathers information about the target, such as discovering hosts, IP addresses and network services.
Step 2: Scanning. The attacker uses the information gathered in step one to look for further information about vulnerabilities and weaknesses of the network. The tools commonly used for this process are port scanners, IP scanners and vulnerability scanners.
Step 3: Intrusion. The vulnerabilities found in step two are used and exploited by the attacker to intrude into the system. In this step the attacker may use techniques such as buffer overflow or denial of service (DoS).
Step 4: Maintaining access. Once the attacker has intruded into the system, the next step is to maintain that access for exploitation and further intrusion in the future. Techniques such as backdoors and trojans are used in this step. Once the attacker controls the system, they can damage it or steal information. They can also use this system to attack other systems, as in DDoS attacks.
Step 5: Covering tracks. Once the attacker has intruded and tried to maintain access, the next step is to erase all traces so that no legal evidence of the intrusion remains. The attacker must delete log files and delete the alerts of the intrusion detection system.

In the scanning and intrusion steps, the attacker usually causes network traffic to differ greatly from the network's normal state, and the resources of the server system are significantly affected. These signs are very useful to the network administrator in analysing and assessing the operating condition of the network.
1.2.4 Attack methods

An attack consists of two basic steps: receiving packets and executing the attack.

ARP attack technique:
When computer A needs to learn the MAC address for an IP, it broadcasts an ARP packet containing a request for that IP address onto the network. When computer B receives this ARP packet, it compares its own IP with the IP in A's packet. If the two values match, B sends a reply packet containing B's address information to A. When A receives B's reply, it stores B's MAC address in its ARP table (ARP cache) for use in the next transmission.
Man-in-the-middle (MITM) attack:
A prerequisite for the ARP attack method is that the hacker must gain access to the WLAN and know some IP and MAC information of some computers on the network.
Example: ARP cache poisoning proceeds as follows.
There are two computers E and F with the following IP and MAC addresses:
E (IP = 10.1.3.2, MAC = EE:EE:EE:EE:EE:EE)
F (IP = 10.1.3.3, MAC = FF:FF:FF:FF:FF:FF)
The hacker's machine has the address:
H (IP = 10.1.3.4, MAC = HH:HH:HH:HH:HH:HH)
H sends an ARP reply to E saying that IP 10.1.3.3 has MAC address HH:HH:HH:HH:HH:HH. E's ARP table now contains IP=10.1.3.3 MAC=HH:HH:HH:HH:HH:HH.
H sends an ARP reply to F saying that IP 10.1.3.2 has MAC address HH:HH:HH:HH:HH:HH. F's ARP table now contains IP=10.1.3.2 MAC=HH:HH:HH:HH:HH:HH.

Figure 1-1 ARP cache poisoning

When E needs to send a message to F, it sees in its ARP table that F has the Ethernet address HH:HH:HH:HH:HH:HH, so it sends the message to H instead of F. H receives the message, processes it and may forward it on to F (depending on the purpose of the attack).
When F needs to send a message to E, the process is the same. H thus acts as an intermediary receiving and relaying messages between E and F without either host being aware of it. H can modify the messages before forwarding them to the destination host.
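The E/F/H scenario leaves two traces that a passive monitor on the same segment can catch: an IP whose MAC suddenly changes, and one MAC answering for several IPs. The following is an added example (not code from the thesis) that replays constructed ARP replies mirroring the scenario and raises an alert on each symptom; the MAC values are the placeholders used in the text, not real hardware addresses.

```python
"""Passive ARP monitor: detect the IP-to-MAC conflicts produced by cache poisoning.

Added example, not code from the original thesis. It keeps its own view of the
IP -> MAC bindings seen in ARP replies and raises an alert when an IP's MAC
changes or one MAC claims several IPs, the two symptoms of the E/F/H scenario.
"""
from collections import defaultdict

# Constructed sample: (sender IP, sender MAC) pairs taken from ARP replies, in
# the order a sniffer on the LAN would see them in the scenario above.
SAMPLE_REPLIES = [
    ("10.1.3.2", "EE:EE:EE:EE:EE:EE"),  # E answers for its own IP
    ("10.1.3.3", "FF:FF:FF:FF:FF:FF"),  # F answers for its own IP
    ("10.1.3.4", "HH:HH:HH:HH:HH:HH"),  # H answers for its own IP
    ("10.1.3.3", "HH:HH:HH:HH:HH:HH"),  # H claims F's IP (poisons E)
    ("10.1.3.2", "HH:HH:HH:HH:HH:HH"),  # H claims E's IP (poisons F)
]


def analyze_arp_replies(replies):
    """Replay ARP replies and return alerts in the order they are raised.

    Alert shapes:
      ("mac-changed", ip, old_mac, new_mac)  an IP was rebound to a new MAC
      ("multi-ip", mac, (ip, ip, ...))       one MAC now answers for >1 IP
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.upper()  # normalise case so aa:bb and AA:BB compare equal
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("mac-changed", ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("multi-ip", mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in analyze_arp_replies(SAMPLE_REPLIES):
        print(alert)
```

In practice the reply stream would come from a packet capture on the segment or from periodic dumps of the hosts' ARP tables; a MAC change for an IP whose binding is expected to be static is the strongest signal, and static ARP entries for critical hosts remove the attack surface altogether.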

Figure 1-2 Attack on a host with a poisoned ARP cache.

Ping of Death:
In this DoS attack, one only needs to send a very large packet to the server through the ping command and the target system hangs.
Example: ping -l 65000
DNS denial-of-service attack:
The hacker can poison an entry on the victim system's domain name server A and point it at some website B belonging to the hacker. When clients query server A to reach a web page, the victims are taken to the web page created by the hacker.
Countermeasures:
- Regularly apply patches and update the system.
- Deploy only the network services that are needed.
- Build an IDS/IPS system.
- Firewall.
- Anti-virus.
- Password usage and management policy.
- Use security software to protect important documents and files.
- Back up regularly.
1.3 Methods of recognizing attacks

Several kinds of intrusion detection system exist today, distinguished by how they monitor and analyse. Each method has certain advantages and limitations. Nevertheless, every method can be described through a common, general process model for an intrusion detection system.
1.3.1 Recognition through an event set
This system works on a set of predefined rules describing attacks. All security-related events are combined into an audit and translated into if-then-else rules. Examples are Wisdom & Sense and ComputerWatch (developed at AT&T).
1.3.2 Rule-based detection
Like the expert-system method, this method relies on knowledge of attacks. It transforms the description of each attack into a suitable audit format, so that signs of an attack can be found in the records. An attack scenario can be described, for example, as a sequence of audit events for the attack, or as a data pattern that can be searched for in the audit. This method uses abstract equivalents of the audit data. Detection is performed by matching common text strings against these mechanisms. It is typically a very strong technique and is often used in commercial systems (for example Cisco Secure IDS and Emerald eXpert-BSM (Solaris)).
1.3.3 User intention identification
This technique models the normal behaviour of users by a set of high-level tasks they can perform on the system (related to user functions). The tasks usually require certain activities, which are adjusted to fit the appropriate audit data. The analyser keeps a set of acceptable tasks for each user. Whenever an inconsistency is detected, an alert is generated.
1.3.4 State-transition analysis
An attack is described by a set of goals and transitions that an intruder must perform to compromise the system. The transitions are presented in a state-transition diagram. If a set of transitions that violates the rules is detected, the system raises an alert or responds with predefined actions.
1.3.5 Statistical analysis approach
This is a commonly used method. User or system behaviour (a set of attributes) is measured by a number of variables over time. Examples of such variables are user logins and logouts, the number of files accessed in a period of time, and disk space, memory and CPU utilization. The update period can vary from a few minutes to a month. The system keeps a mean value for each variable, used to detect when a predefined threshold is exceeded. Even this simple method cannot fit a typical model of user behaviour, and methods that rely on correlating information about individual users with group variables are not very effective either.
Therefore a more sophisticated model of user behaviour was developed using short-term or long-term user information. This information is regularly updated to keep up with changes in user behaviour. Statistical methods are often used as a supplement in IDSs based on information about normal user behaviour.
1.3.6 Signature-based intrusion detection
Signature-based detection determines whether an event is a threat. Some typical cases:
+ A program connecting to the system with root privileges and the login name root may be a threat to the organization's security policies.
+ An e-mail with the subject "Free Picture" and an attachment "freepicture.exe" is characteristic of a kind of malware.
Signature-based detection is effective against known threats. However, it is ineffective against unknown threats, threats disguised in some way, and variants of known threats. Signature-based detection is the simplest method because it only compares units of activity (packets or log files) against a list of signatures using string comparison. So if the attacker changes the name from "freepic.exe" to "freepic2.exe", this method will not be able to detect it as malware.
This method does not understand many network protocols or application protocols, and it does not track or understand complex communication states.
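The two cases above and the renamed-attachment evasion can be run through a minimal signature engine. The following added example (not code from the thesis; events, addresses and signature names are constructed) matches events against exact-string signatures, shows that "freepic2.exe" slips past them, and then shows the same signatures written as regular expressions, which catch the rename the author anticipated but remain signatures in the sense the text describes.

```python
"""Signature-based detection by string comparison, and why a renamed file evades it.

Added example, not from the original thesis. Events and signatures are
constructed; the two signatures mirror the cases in the text (a root login and
the "Free Picture" mail carrying freepicture.exe).
"""
import re

# Constructed events in the shape a log collector might produce.
SAMPLE_EVENTS = [
    {"kind": "email", "subject": "Free Picture", "attachment": "freepicture.exe"},
    {"kind": "email", "subject": "Free Picture", "attachment": "freepic2.exe"},
    {"kind": "login", "user": "root", "source": "203.0.113.7"},
    {"kind": "email", "subject": "Meeting notes", "attachment": "notes.pdf"},
]

# Exact-string signatures: every listed field must match character for character.
EXACT_SIGNATURES = [
    ("free-picture-malware", {"kind": "email", "attachment": "freepicture.exe"}),
    ("remote-root-login", {"kind": "login", "user": "root"}),
]

# The same signatures as regular expressions. The attachment pattern also
# covers the renamed variant from the text, but only because its author
# foresaw that variation; an unforeseen change still evades it.
REGEX_SIGNATURES = [
    ("free-picture-malware", {"kind": r"^email$", "attachment": r"^freepic.*\.exe$"}),
    ("remote-root-login", {"kind": r"^login$", "user": r"^root$"}),
]


def match_exact(event, signature):
    """Plain string comparison of each signature field against the event."""
    return all(event.get(field) == value for field, value in signature.items())


def match_regex(event, signature):
    """Regular-expression comparison; a missing field is treated as empty."""
    return all(re.search(pattern, str(event.get(field, "")))
               for field, pattern in signature.items())


def scan(events, signatures, matcher):
    """Return (event_index, signature_name) for every event/signature hit."""
    hits = []
    for index, event in enumerate(events):
        for name, signature in signatures:
            if matcher(event, signature):
                hits.append((index, name))
    return hits


if __name__ == "__main__":
    print("exact :", scan(SAMPLE_EVENTS, EXACT_SIGNATURES, match_exact))
    print("regex :", scan(SAMPLE_EVENTS, REGEX_SIGNATURES, match_regex))
```

The exact pass reports events 0 and 2 only; the regex pass also reports event 1, the renamed attachment. Neither pass knows anything about the protocol or session state around the event, which is the limitation the paragraph ends on.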
1.3.7 Anomaly-based intrusion detection
Anomaly-based detection is the process of comparing definitions of events considered normal with observed events in order to identify anomalies. It uses profiles representing the normal state of users, network connections or applications. For example, a profile representing the normal state of network connections may indicate that web access consumes 16% of network bandwidth during working hours. The IDS compares this with the actual network bandwidth and, if it detects higher usage, alerts the administrator about the anomaly. Profiles can be tuned, for example for the number of e-mails that may be sent, the number of failed logins, or the level of CPU activity.
The advantage of this method is its versatility: it can be adjusted and changed to become effective at detecting previously unknown threats. For example, when malware infiltrates a computer, it may consume many of the computer's resources, send a large volume of e-mail, create many connections, saturate network bandwidth, and perform many other actions that are abnormal compared with the information in the profile.

1.4 Architecture of an intrusion prevention system

An IPS is considered successful if it brings together the following factors: fast and accurate operation, reasonable alerts, analysis of all traffic, maximal sensing, successful blocking, and a flexible management policy. An IPS consists of three main modules: the traffic analysis module, the attack detection module and the response module.

1.4.1 Traffic analysis module
This module is responsible for capturing all packets entering the network for analysis. Normally a NIC discards packets whose address is not its own, but the IPS's NIC is set to receive everything. All packets passing through it are copied, processed and analysed down to each information field. The analyser reads the information in every field of the packet and determines what kind of packet it is, what service it belongs to, and so on. This information is passed to the attack detection module.
1.4.2 Attack detection module
This is the most important module in the system and is responsible for detecting attacks. There are two methods of detecting attacks and intrusions: misuse detection and anomaly detection.
Misuse detection: this method analyses the system's activities, looking for events that match previously known attack patterns. These known patterns are called attack signatures, so the method is also called signature detection. This kind of detection has the advantage of detecting attacks quickly and accurately without raising false alarms that degrade network operation, and it helps administrators identify the security vulnerabilities in their systems. Its disadvantage, however, is that it cannot detect attacks that are not in the database, that is, new kinds of attack, so the system must always be updated with new attack patterns.
Anomaly detection: this is an intelligent detection technique that recognizes abnormal actions in the network. Its view is that attacks differ from normal activity. Initially it stores brief descriptions of the system's normal activities. Attacks produce actions that differ from the normal ones, and this detection method can recognize them. Some techniques that help perform anomaly detection of attacks are described below:
Threshold detection: this technique emphasizes measuring and counting normal activities on the network. Thresholds for normal activities are set. If there is an anomaly, such as logins exceeding the permitted number of attempts, the number of processes active on the CPU, or the number of packets of one type sent exceeding the threshold, the system shows signs of being attacked.

Self-learning detection: this technique consists of two steps. When first set up, the detection system runs in learning mode and creates a profile of the network's behaviour during normal activity. After the initialization period, the system runs in working mode, monitoring and detecting abnormal network activities by comparing them with the established profile. Learning mode can run in parallel with working mode to update its profile, but if an attack signal is detected, learning mode must stop until the attack ends.
Protocol anomaly detection: this technique relies on the operation of the protocols and services of the system to find invalid packets and abnormal activities that are signs of intrusion or attack. It is very effective in blocking the network scanning and port scanning that hackers use to gather information.
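The statistical approach of section 1.3.5, the threshold detection above and the self-learning rule (learn a profile first, keep learning in working mode, pause learning while an anomaly is observed) can be shown together on one counted variable. The following added example (not code from the thesis; the hourly failed-login counts and the threshold value are constructed) implements all three: a fixed threshold, a mean-and-standard-deviation profile, and a working-mode monitor that only learns from values it judged normal.

```python
"""Threshold and statistical anomaly detection with a self-learning profile.

Added example, not from the original thesis. It implements three ideas from
the text on constructed data: a fixed threshold on a counted variable, a
statistical profile (mean and standard deviation learned in a learning phase),
and the rule that learning pauses while an anomaly is being observed.
"""
import statistics

# Constructed learning-phase data: failed logins per hour on a normal day.
BASELINE_FAILED_LOGINS = [2, 3, 1, 4, 2, 3, 2, 5, 3, 2, 4, 3]
# Constructed working-phase observations; the last hour is a password-guessing burst.
OBSERVED_FAILED_LOGINS = [3, 2, 4, 25]

FIXED_THRESHOLD = 10  # constructed: more than this many failures per hour alerts


def threshold_alerts(observations, threshold=FIXED_THRESHOLD):
    """Fixed-threshold detection: (index, value) for every value over the limit."""
    return [(i, v) for i, v in enumerate(observations) if v > threshold]


class Profile:
    """Statistical profile of one variable: normal = within k standard deviations of the mean."""

    def __init__(self, k=3.0):
        self.k = k
        self.samples = []

    def learn(self, values):
        """Learning mode: absorb observations considered normal."""
        self.samples.extend(values)

    def bounds(self):
        """Current (low, high) limits of normal behaviour."""
        if not self.samples:
            raise ValueError("profile has not learned any samples yet")
        mean = statistics.mean(self.samples)
        sd = statistics.pstdev(self.samples)
        return mean - self.k * sd, mean + self.k * sd

    def is_normal(self, value):
        low, high = self.bounds()
        return low <= value <= high


def monitor(profile, observations):
    """Working mode: alert on anomalies and keep learning only from normal values."""
    alerts = []
    for i, value in enumerate(observations):
        if profile.is_normal(value):
            profile.learn([value])     # learning continues in parallel with detection
        else:
            alerts.append((i, value))  # learning is paused for the anomalous value
    return alerts


if __name__ == "__main__":
    print("threshold:", threshold_alerts(OBSERVED_FAILED_LOGINS))
    profile = Profile()
    profile.learn(BASELINE_FAILED_LOGINS)
    print("normal range:", profile.bounds())
    print("statistical:", monitor(profile, OBSERVED_FAILED_LOGINS))
```

With the constructed baseline the learned upper bound is about 6 failures per hour, so the burst of 25 is reported by both detectors while the earlier hours are absorbed into the profile. Lowering k makes the profile more sensitive and, as the summary paragraph below notes, raises the false-alarm rate.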
Anomaly detection is very effective in detecting denial-of-service attacks. Its advantage is that it can detect new kinds of attack and provides useful information that supplements misuse detection; its disadvantage is that it usually generates a number of false alarms, which reduce network performance. This method is the direction for further research: overcoming the remaining disadvantages, reducing the number of false alarms and making the system run more accurately.
1.4.3 Response module

When there are signs of an attack or intrusion, the attack detection module sends a signal indicating the attack or intrusion to the response module. The response module then activates the firewall to block the attack, or alerts the administrator. If this module only issues alerts to the administrators and stops there, the system is called a passive defence system. Depending on the system, the response module has different functions and blocking methods. Some blocking techniques:

Terminating the process: in this technique the IPS sends packets to destroy the suspected process. However, the method has some disadvantages. The intervening packets are sent later than the moment the hacker starts the attack, so the attack is completed before the intervention begins. The method is ineffective for protocols running over UDP such as DNS; moreover, the intervening packets must carry the same sequence numbers as the packets in the attacking process's session. If the attacking process runs quickly, this method is very hard to carry out.
Dropping the attack: this technique uses the firewall to drop packets or block an incoming packet, a session or an attack flow. This kind of response is the safest, but it has the disadvantage of easily being confused with legitimate packets.
Changing firewall policies: this technique allows the administrator to reconfigure the security policy when an attack occurs. The reconfiguration temporarily changes the access-control policies for a particular user while alerting the administrator.
Real-time alerts: real-time alerts are sent to the administrator so that they know the details of the attacks, their characteristics and information about them.
Logging to files: packet data is stored in the system's log files. The purpose is to let administrators monitor the information flows, and the logs are a source of information that helps the attack detection module operate.
1.5 Types of IPS systems

There are two main IPS architectures: out-of-line IPS and inline IPS.
1.5.1 Out-of-line IPS

An out-of-line IPS does not intervene directly in the data flow. Data flowing into the network passes through both the firewall and the IPS. The IPS can monitor the inbound data flow, analyse it and detect signs of intrusion or attack. In this position the IPS can manage the firewall, directing it to block suspicious actions without affecting network throughput.

1.5.2 Inline IPS

The IPS sits in front of the firewall, and the data flow must pass through the IPS before reaching the firewall. The main difference from an out-of-line IPS is the additional traffic-blocking function, which lets the IPS block dangerous traffic faster than an out-of-line IPS. However, this position makes the flow of information into and out of the network slower.
1.6 IPS products on the market

1.6.1 Intrust

This product has many features that let it survive in business environments. With its Unix compatibility it has great flexibility. It offers a reporting interface with more than 1,000 different reports, helping to keep complex environments under control. It also supports a comprehensive alerting solution that allows alerts on mobile devices and many other technologies. Some basic features of Intrust:
Comprehensive alerting
Comprehensive reporting
Consolidation and verification of performance data across platforms
Data filtering that allows easy review
Real-time monitoring
Analysis of captured data
Compliance with industry standards
Policy enforcement
1.6.2 ELM
This product supports HIDS functions; the analysis and comparison here are based on ELM Enterprise Manager. It supports real-time monitoring, comprehensive operation and detailed reporting methods. A supplementary database ensures that the software's database stays safe: if the primary ELM database goes offline, the ELM Server automatically creates a temporary database to hold data until the primary database is back online. Some features of ELM Enterprise Manager 3.0:
ELM supports a flexible MMC software module interface
Monitors all Microsoft .NET servers by checking event logs and performance counters
Supports a report wizard whose new version can be scheduled, as well as HTML and ASCII reports
Centralized viewing of event logs across many servers
Read-only web-enabled client for browsers supporting JavaScript and XML
Knowledge-base interface
Notifications that can execute wscripts, cscripts and CMD/BAT files
SQL Server and Oracle database support
WMI-compatible queries for comparison purposes
Remedial actions when an intrusion is detected
1.6.3 SNORT
Snort is an excellent product and has been put into operation by many organizations, agencies and enterprises in Unix environments. The latest release also supports Windows, though it still needs some refinement. The best thing about this product is that it is open source and costs nothing except the time and bandwidth needed to download it. It has been developed by many people and runs very well on cheap hardware, which lets it exist in any organization. Its features:
High-performance configuration in software
Good Unix support
Flexible open-source support
Good SNMP support
Centralized management module
Alerting and intrusion detection
Logging packages
Comprehensive attack detection
Sophisticated output modules providing comprehensive logging
User support through mailing lists and e-mail interaction
1.6.4 Cisco IDS
This solution is Cisco's, and with it we see the quality, feel and traditional reputation of Cisco. Its features:
Accurate detection features that significantly reduce false alarms
Business upgrade capability like other Cisco products
Real-time intrusion detection, reporting and blocking of unauthorized actions
Pattern analysis for detection performed at many different levels
High network performance
Management of router access lists to adapt promptly to intruder behaviour
Centralized GUI management
Remote management
E-mail event notification

1.6.5 Dragon

A comprehensive solution for business operations. This product is very versatile and meets the security requirements of a business environment. It also supports NIDS, host management, event management and attack monitoring. It is a comprehensive IDS solution, designed with integrated monitoring. Its weakness, however, is its price. Dragon's features:
Supports both NIDS and HIDS
Supports a range of platforms: Windows, Linux, Solaris and AIX
Modular and extensible
Centralized management monitoring
Comprehensive analysis and reporting
High compatibility with business technical specifications
Effective security monitoring, integrating switches, firewalls and routers
Report compilation management
A well-designed signature update cycle

Chapter 2. Overview of the Iptables firewall and the Snort inline IPS

2.1 Firewall overview

Today the Internet has become widespread and connectivity has become familiar to many people, from individual computers to the networks of organizations, agencies and enterprises. The problem is that if these computers and systems are not protected, they become targets for hackers. Many security features have therefore been developed to limit unauthorized intrusion by hackers, the most notable being the firewall.
A firewall is a device that blocks illegitimate access from the outside network into the internal network. A firewall system usually includes both hardware and software. Firewalls are commonly used to block, or to create rules for, different addresses, and they manage the flow of information between the Internet and a private network. A firewall can divide the internal network into two or more parts and control the exchange of data between these zones.
Basic functions of a firewall:
The main function of a firewall is to control the flow of information between the network to be protected (the trusted network) and the Internet through established access policies: permitting or denying services from inside to outside and from outside to inside; controlling the addresses that access the network and the services used; controlling users' access between the two networks; controlling the content of the information transmitted between the two networks; and preventing attacks from outside networks.
Building a firewall is a fairly effective measure: it protects and controls most services, so it is the most widely applied network protection measure. Usually a firewall system is a gateway between the internal network and the outside network, and vice versa.

Figure 2-3 Firewall model

2.2 Firewall classification

There are quite a few kinds of firewall, each with its own advantages and disadvantages. For convenience of study, they are divided into two main kinds: packet filtering and application-proxy firewalls.
- Packet filtering: a firewall that forwards information between the inside and the outside of the network under control.
- Application-proxy firewall: a firewall that makes connections on behalf of the requesting client instead of allowing direct connections.

2.2.1 Packet Filtering

The most common firewall is the kind based on the network layer of the OSI model. Network-layer firewalls usually operate on the router principle, that is, they create rules permitting network access based on network-layer information. This model operates on the packet filtering principle.
In this mode of operation every packet has its source address checked, that is, where it originated. Once the source IP address is determined, it is checked against the rules set on the router. For example, if the firewall administrator decides that no packet originating from the google.com network may connect to the internal network, packets originating from that network will never reach the internal network.
Firewalls operating at the network layer (like a router) usually allow fast processing because they only check the source IP address without any real command being run on the router; no time is needed to determine whether the address is wrong or prohibited. But this limits their reliability. This kind of firewall uses the source IP address as its indicator, which creates a vulnerability: if a packet carries a forged source address, it can gain some level of access to the internal network.
However, many technical measures can be applied to packet filtering to overcome this weakness. For example, in more complex packet filtering technologies not only the IP address field is checked by the router; other fields are also checked against the rules created on the firewall, such as the time of access, the protocol used, the port, and so on.
Packet filtering firewalls can be divided into two kinds:
Packet filtering firewall: operates at the network layer of the OSI model, or the IP layer of the TCP/IP protocol model.

Figure 2-4 Packet filtering firewall

Circuit level gateway: operates at the session layer of the OSI model, or the TCP layer of the TCP/IP protocol model.

Figure 2-5 Circuit level gateway

2.2.2 Application-proxy firewall

This firewall operates in software. When a user opens a connection to the network through the firewall, the connection is intercepted, and the firewall then checks the relevant fields of the connection-request packet. If the check succeeds, that is, the information fields satisfy the rules set on the firewall, the firewall creates a connection bridge between the two nodes.
The advantage of this kind of firewall is that it has no IP packet forwarding function; furthermore, connections through the firewall can be controlled in more detail. It also provides many tools for logging the connection process. Naturally this has a cost in processing speed, because all connections and all packets passing through the firewall are carefully checked against the firewall's rules and, only if accepted, forwarded to the destination node.
IP packet forwarding occurs when a host receives a request from the outside network and forwards it into the internal network. This creates a vulnerability for attackers (hackers) to intrude from the outside network into the internal network. Application-proxy firewalls can be divided into two kinds: application level gateway and stateful multilayer inspection firewall.
Application level gateway: features similar to the circuit-level gateway, but operating at the application layer of the TCP/IP protocol model.

Figure 2-6 Application level gateway

Stateful multilayer inspection firewall: this kind combines the features of the firewall types above: filtering packets at the network layer and checking packet content at the application layer. This kind of firewall allows direct connections between clients and hosts, so it reduces errors. Stateful multilayer inspection firewalls provide strong security features and are transparent to end users.

Figure 2-7 Stateful multilayer inspection firewall

2.3 Overview of Iptables

Building a firewall for a network is usually expensive if commercial products are bought. Iptables is free, open-source software shipped with Linux and can be deployed on small and medium-sized networks.
The first firewall/NAT tool on Linux was ipchains, but it had technical shortcomings and ran unreliably. The Netfilter project wrote new software to fix these shortcomings, and iptables was born to improve packet filtering and security on Linux. It is tightly integrated with the Linux kernel, has a modular design that improves speed and reliability, and analyses packets efficiently.
Besides the usual matches on IP addresses, ports, protocols and interfaces, iptables can filter on the source MAC address and on the flag values in the TCP header. This helps to defend against attacks that use crafted packets and to restrict access to the local host from machines that spoof a trusted IP address (the MAC match only works on the directly attached segment, since MAC addresses do not survive a router hop).
Iptables provides detailed options for logging the events that occur on the system and provides NAT in both directions: from the internal network outward and from outside inward. It can also block some denial-of-service (DoS) techniques, for example with the limit match, which caps the rate at which matching packets are accepted.
2.3.1 Features of Iptables

- Tight integration with the Linux kernel, which improves the reliability and speed of iptables.
- Connection tracking: the firewall follows every connection through it and examines the content of each flow, so that a later decision can be taken with knowledge of the protocol. This is essential for protocols such as FTP and DNS, whose replies or data channels would otherwise have to be opened blindly.
- Filtering on MAC address and on TCP header flags, which helps block attacks that use malformed packets and stops an internal host from reaching another network regardless of the IP address it claims.
- System logging with adjustable reporting levels.
- Support for integrating web proxies such as Squid (by redirecting traffic to the proxy).
- Blocking of denial-of-service patterns.

2.3.2 How Iptables works

Every packet is examined by iptables; the examination is carried out in sequence using built-in tables (called queues in the table below), each of which holds chains of rules. The three tables discussed here are the following (later kernels add the raw and security tables):
Table (queue)   Function                  Chain         Chain function
Filter          Packet filtering          FORWARD       Filters packets routed to other hosts connected on the firewall's other NICs
                                          INPUT         Filters packets addressed to the firewall itself
                                          OUTPUT        Filters packets leaving the firewall
NAT             Network address           PREROUTING    Rewrites the destination address before routing so that the packet fits the
                translation                             firewall's routing table: destination NAT (DNAT)
                                          POSTROUTING   Rewrites the source address after routing: source NAT (SNAT)
                                          OUTPUT        NAT for packets generated by the firewall itself
Mangle          Header modification       PREROUTING    Adjusts the quality-of-service bits (TOS, TTL, mark) before the packet is routed
                                          POSTROUTING
                                          OUTPUT
                                          INPUT
                                          FORWARD
Table 2-1 Functions of the tables (queues) and chains

Mangle table: responsible for modifying header fields related to quality of service: TOS (type of service) and TTL (time to live) in the IP header, and the MARK, a firewall mark attached to the packet inside the kernel rather than a header field.

Filter table: responsible for packet filtering. It has three built-in chains holding the filtering rules:
Forward chain: filters packets routed through the firewall to other hosts.
Input chain: filters packets entering the firewall host itself.
Output chain: filters packets leaving the firewall host itself.
NAT table: performs Network Address Translation and has two main chains:
Pre-routing chain: NAT for traffic arriving from outside. The translation takes place before the routing decision, which makes it possible to change the destination address so that it fits the firewall's routing table; this is destination NAT (DNAT).
Post-routing chain: NAT for traffic going out. The translation takes place after the routing decision and changes the source address of the packet. This is one-to-one or many-to-one NAT, known as source NAT (SNAT).
2.3.3 Jumps and Targets
Jump: the mechanism that hands a packet to a target (or another chain) for further processing.
Target: the action iptables takes on a packet that matches a rule. The built-in targets include:
ACCEPT: iptables lets the packet continue to its destination.
DROP: iptables silently discards the packet.
LOG: the packet's header information is sent to the syslog daemon, after which iptables continues with the next rule in the chain, because LOG is a non-terminating target. If no later rule matches, the chain's policy decides the packet's fate, so a LOG rule records dropped packets only when a DROP/REJECT rule or a DROP policy follows it. The common option is --log-prefix "string", which makes iptables write messages beginning with that string.
REJECT: discards the packet and sends an error message back to the sender. The common option is --reject-with qualifier, where the qualifier selects the type of reject message: icmp-port-unreachable (default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-host-prohibited, or tcp-reset for TCP connections.
DNAT: changes the destination address of the packet. The option is --to-destination <address>[:<port>].
SNAT: changes the source address of the packet. The option is --to-source <address>[-<address>][:<port>-<port>].
MASQUERADE: performs NAT by rewriting the source address to the address of the firewall's outgoing interface, for use when that address is assigned dynamically. The option is --to-ports <port>[-<port>], which sets the range of source ports the original source ports are mapped to.
2.3.4 Options for manipulating rules

Iptables command switch   Description
-t <table>                Selects the table: filter, nat or mangle. Defaults to filter.
-j <target>               Jumps to the target or chain when the packet matches the current rule
-A <chain>                Appends a rule to the end of the chain
-F [chain]                Flushes all rules in the selected table (or only in the given chain)
-p <protocol-type>        Matches the protocol: icmp, tcp, udp or all
-s <ip-address>           Matches the source address
-d <ip-address>           Matches the destination address
-i <interface-name>       Matches the input interface the packet arrives on
-o <interface-name>       Matches the output interface the packet leaves through
Table 2-2 Description of the iptables command switches

2.4 Iptables commands and rule configuration

2.4.1 Using user-defined chains

Instead of placing everything in the built-in chains, we can define our own chains (user-defined chains) with descriptive names, for example one per protocol type, and have a main chain jump to several sub-chains. A user-defined chain must be created with -N before rules can reference it. The example below splits inbound and outbound traffic of 192.168.0.38 into protocol-specific chains (an echo reply to a request the firewall itself sent is ESTABLISHED for connection tracking, so the inbound rule matches that state rather than NEW):
# iptables -N fast-input-queue
# iptables -N fast-output-queue
# iptables -N icmp-queue-in
# iptables -N icmp-queue-out
# iptables -A INPUT -i eth0 -d 192.168.0.38 -j fast-input-queue
# iptables -A OUTPUT -o eth0 -s 192.168.0.38 -j fast-output-queue
# iptables -A fast-input-queue -p icmp -j icmp-queue-in
# iptables -A fast-output-queue -p icmp -j icmp-queue-out
# iptables -A icmp-queue-out -p icmp --icmp-type echo-request \
    -m state --state NEW -j ACCEPT
# iptables -A icmp-queue-in -p icmp --icmp-type echo-reply \
    -m state --state ESTABLISHED -j ACCEPT

Chain               Description
INPUT               Built-in INPUT chain of the filter table
OUTPUT              Built-in OUTPUT chain of the filter table
fast-input-queue    Separate input chain that supports specific protocols and passes packets to protocol-specific chains
fast-output-queue   Separate output chain that supports specific protocols and passes packets to protocol-specific chains
icmp-queue-in       Separate input chain for the ICMP protocol
icmp-queue-out      Separate output chain for the ICMP protocol
Table 2-3 List of chains used in the example

2.4.2 Saving and restoring iptables configuration scripts

On CentOS and Red Hat the command service iptables save stores the current iptables configuration in /etc/sysconfig/iptables. At boot the iptables-restore program reads this script and reinstates the configuration.
To be able to recover the configuration from a script file, first save the rules with:
# iptables-save > script_cau_hinh
The saved script can be reviewed with cat script_cau_hinh, edited, and loaded back into iptables with iptables-restore (the load is atomic: either the whole script is applied or nothing changes):
# iptables-restore < script_cau_hinh
Finally, store the active rules in the boot configuration file:
# service iptables save

2.4.3 Meaning of some basic Iptables rules

The rules below are the default CentOS firewall as written in /etc/sysconfig/iptables, listed in the order in which they are evaluated.
:INPUT ACCEPT [0:0] : default policy for packets addressed to the firewall
:FORWARD ACCEPT [0:0] : default policy for packets routed through the firewall
:OUTPUT ACCEPT [0:0] : default policy for packets sent by the firewall
-A INPUT -j RH-Firewall-1-INPUT : the first rule; every incoming packet jumps to the chain RH-Firewall-1-INPUT, which the system defines itself.
-A RH-Firewall-1-INPUT -i lo -j ACCEPT : accepts all traffic on the loopback interface. Only local processes can use loopback, so this exposes nothing to outside users; a packet that did not arrive on loopback falls through to the next rule.
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT : controls ping; with ACCEPT, outside hosts may ping the local system.
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT : allows the firewall to open outbound connections and accepts the reply packets of connections it has established (or related to them, such as an FTP data channel).
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT : allows anyone outside to connect to port 110, the POP3 service.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT : allows anyone outside to connect to port 22, the SSH service.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT : allows anyone outside to connect to port 25, the SMTP mail service.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT : allows anyone outside to connect to port 80, the web service.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT : allows anyone outside to connect to port 443, the HTTPS service.
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited : the last rule; everything that reaches it without having matched is rejected with an ICMP host-prohibited message.
Rule processing works as follows. The system evaluates the first rule; if the packet matches, the rule's target (ACCEPT, DROP, REJECT) is executed and evaluation stops. If not, the system moves on to the second rule, and so on until the last one. Because the final rule rejects everything, the ACCEPT policy on INPUT never takes effect here; if that REJECT rule were removed, or placed before the service rules, the chain would behave very differently, so the order of the rules matters as much as their contents. Setting the INPUT and FORWARD policies to DROP is the safer choice, because a mistake in the rules then fails closed.
2.5 Firewall and Logging

Logging is an essential mechanism in a firewall: it provides information about how the firewall is being used. Through logging the administrator learns the current state of the network, and it is the only way the firewall can tell the administrator what is happening inside the system. There are two logging methods: syslog logging and proprietary logging.

2.5.1 The syslog protocol

The syslog protocol carries event messages across the network. It is defined in RFC 3164 and uses UDP port 514. UDP gives syslog several advantages, since it is stateless and needs few resources, but the results are sometimes unreliable and messages are often lost. To improve this, many syslog-capable devices can send syslog over TCP so that messages are not lost. Neither transport authenticates the sender or protects the contents, so anyone on the network can inject or read messages; a log server should accept syslog only from known hosts and, where supported, use syslog over TLS (RFC 5425).
Logging facility code   Logging facility description
0                       Kernel messages
1                       User-level messages
2                       Mail system
3                       System daemons
4                       Security/authorization messages
5                       Messages generated internally by the syslog daemon
6                       Line printer subsystem
7                       Network news subsystem
8                       UNIX-to-UNIX copy (UUCP) subsystem
9                       Clock daemon
10                      Security/authorization messages (authpriv)
11                      FTP daemon
12                      Network time protocol (NTP) subsystem
13                      Log audit
14                      Log alert
15                      Clock daemon
16                      Local use 0 (local0)
17                      Local use 1 (local1)
18                      Local use 2 (local2)
19                      Local use 3 (local3)
20                      Local use 4 (local4)
21                      Local use 5 (local5)
22                      Local use 6 (local6)
23                      Local use 7 (local7)
Table 2-4 Syslog logging facility levels

Syslog messages carry a logging facility and a severity level; together they decide where a message is sent and how important it is. The eight severity levels, from most to least important, are 0 emergency, 1 alert, 2 critical, 3 error, 4 warning, 5 notice, 6 informational and 7 debug, and the priority value at the start of each message is facility * 8 + severity.
The general rule is to first configure syslog to record messages up to the informational level and then adjust the logging level to actual needs. The reason is that the less important the level, the more messages are generated, which affects the performance of the system, so the administrator must choose a level that suits the system.
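A worked example of the facility and severity arithmetic just described, added here and not part of the original report: it decodes the <PRI> field of RFC 3164 lines into facility and severity using Table 2-4, and filters events by severity the way a log server does. The log lines are constructed for the example; the host name fw and the IPT-DROP prefix are assumptions.

```python
import re
from dataclasses import dataclass

# Facility codes 0-23 from Table 2-4 (RFC 3164 names).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock",
    **{16 + i: f"local{i}" for i in range(8)},
}
# Severities 0-7, most to least important.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host message   (the RFC 3164 layout)
_LINE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    host: str
    message: str


def parse_syslog(line: str) -> SyslogEvent:
    """Split an RFC 3164 line; PRI = facility * 8 + severity."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m.group(1))
    if pri > 23 * 8 + 7:  # 191 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogEvent(FACILITIES[pri // 8], SEVERITIES[pri % 8],
                       m.group(2), m.group(3), m.group(4))


def select(lines, max_severity="info"):
    """Keep events at least as important as max_severity, drop unparsable lines.

    A lower severity index is more important, so 'info' keeps 0..6 and drops debug.
    """
    limit = SEVERITIES.index(max_severity)
    kept = []
    for line in lines:
        try:
            ev = parse_syslog(line)
        except ValueError:
            continue  # malformed or spoofed junk is not trusted, only skipped
        if SEVERITIES.index(ev.severity) <= limit:
            kept.append(ev)
    return kept


# Constructed sample lines: an iptables LOG message (kern.warning), an sshd
# failure (authpriv.info), a kernel debug line and two malformed lines.
SAMPLE = [
    "<4>Dec  3 16:32:01 fw kernel: IPT-DROP IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.0.38 PROTO=TCP DPT=22 SYN",
    "<86>Dec  3 16:32:05 fw sshd[2231]: Failed password for root from 10.9.8.7 port 51234 ssh2",
    "<7>Dec  3 16:32:09 fw kernel: eth1: link down",
    "<200>Dec  3 16:32:09 fw test: PRI too large",
    "no priority at all",
]

if __name__ == "__main__":
    for ev in select(SAMPLE):
        print(f"{ev.facility}.{ev.severity:8} {ev.host} {ev.message}")
```

Running it with the default threshold keeps the warning and the info line and discards the debug line and both malformed lines; raising the threshold to warning leaves only the firewall drop, which is the tuning the paragraph above describes.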
2.5.2 Proprietary logging methods
Proprietary logging methods are vendor-specific logging methods used by firewalls that do not implement syslog; an example is Check Point's Open Platform for Security - Logging Export API (OPSEC LEA). OPSEC LEA is essentially similar to syslog, but a dedicated logging server must be installed that retrieves the records through the vendor's own procedures.
Firewalls such as ISA Server mostly use their own logging methods, writing events to a database such as MSDE or SQL Server. One advantage of this kind of logging is the ability to aggregate the data and run different queries against the database, which supports a wide range of flexible reports.

2.6 Firewall log review and analysis

2.6.1 Overview

To support log file analysis, many firewall management tools let the administrator analyse the log files and extract the information needed to pin down the problem at hand.
Another aspect is that log files need a regular retention policy. This raises the question of which data in the logs is needed before the files are deleted, and it usually means converting them into a standard format that allows data from different sources (for example other firewalls) to be viewed together.
2.6.2 Event information from the log files
Once the firewall's log files have been obtained and analysis begins, it is important not to be driven only by bad events. In practice the logs are the key to finding security problems and the only tool for analysing them, but the same information can also be used to support the operation of the firewall. In the end the easiest way to find bad activity is to learn what good activity looks like and then use elimination. There are ten basic events:
+ Authentication Allowed: sounds trivial, but identifying successful authentication events matters because it confirms whom the firewall granted access to when it could have denied them. A legitimate administrator logging in is expected, but the same entries reveal an unauthorised person using the account and password that an administrator uses. Moreover, if the firewall is configured to authenticate users, these records show which users were authenticated and which applications they used.
+ Traffic Dropped (not at the firewall): most firewalls protect a specific set of resources. Traffic towards these servers is tracked and filtered by the firewall. A traffic-dropped record therefore shows who tried to reach a protected resource; if that does not match what the administrator intended, the cause is usually an ordinary configuration error. So if a user cannot reach a resource, review the logs to see which flow the firewall dropped; the reported path then points to the fix.
+ Firewall Stop/Start/Restart: by default the firewall never stops or restarts without the administrator. Some cases can nevertheless occur, such as a power failure, a system hang or an attack, so these events must be logged to establish the origin of the problem.
+ Firewall Configuration Changed: when the firewall configuration changes, the change-control documentation must be updated accordingly, to ensure the change was legitimate and to help with problems that appear later.
+ Interface Up/Down Status Changed: a firewall interface changing state from up to down or the reverse can indicate a network configuration problem. This information is useful in networks with several firewalls, because an interface changing state may cause a firewall failure.
+ Administrator Access Granted: whenever an administrator connects successfully, the event is recorded. Although this resembles authentication monitoring, the difference is that the administrator has privileged access. Most such accesses are legitimate, but when something suspicious happens the logs must be checked to see whether an administrator account has been stolen.
+ Authentication Failed: may indicate that someone is trying passwords by brute force to find the real password. Failed authentication events can concern ordinary user accounts or administrator accounts.
+ Traffic Dropped (at the firewall): similar to traffic dropped on its way to a server, but here the packet was addressed to the firewall itself. Normally the firewall should not receive any traffic directed at its external interfaces; all traffic should be destined for the internal resources. This event may mean that someone wants to take control of the firewall, or it may be a configuration error involving ICMP, IPsec, management traffic or routing protocols.
+ Administrator Session Ended: just as granting administrator access is logged, the end of an administrator session should be tracked to see which administrator was logged in. This event establishes the time window in which only that administrator could have changed the firewall, so the logs for the period after the session ended are analysed closely to identify the changes made to the system.
+ Connection Was Torn Down: tearing down a connection after routing is normal. A few reasons for tearing down a connection are not, however; for example a SYN that times out can mean that someone is running a DoS attack against the system.
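An added example, not part of the original report, of the review the list above calls for, run over iptables LOG output: it separates Traffic Dropped at the firewall from Traffic Dropped on the way to a protected host, flags a source sending repeated bare SYNs (the DoS hint under Connection Was Torn Down), and counts Authentication Failed events from sshd. The records are constructed for the example; the IPT-DROP prefix, the lab addresses and the thresholds are assumptions.

```python
import re
from collections import Counter

# Each iptables LOG record is "PREFIX IN=.. OUT=.. SRC=.. DST=.. PROTO=.. SPT=.. DPT=.. FLAGS"
_FIELD = re.compile(r"(\w+)=(\S*)")
_TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line: str) -> dict:
    """Turn one LOG record into a dict of its key=value fields plus FLAGS and PREFIX."""
    prefix, _, rest = line.partition(" IN=")
    fields = dict(_FIELD.findall("IN=" + rest))
    fields["PREFIX"] = prefix.strip()
    fields["FLAGS"] = {w for w in rest.split() if w in _TCP_FLAGS}
    return fields


def review(lines, firewall_addrs, syn_threshold=3):
    """Sort dropped packets into the two 'Traffic Dropped' classes and flag SYN floods.

    dropped_at_firewall: no OUT interface and DST is the firewall's own address,
                         i.e. the packet was aimed at the firewall (INPUT chain).
    dropped_forwarded:   the packet was on its way to a protected host (FORWARD chain).
    syn_flood_suspect:   one source sending >= syn_threshold bare SYNs to one service.
    """
    report = {"dropped_at_firewall": Counter(), "dropped_forwarded": Counter(),
              "syn_flood_suspect": []}
    syns = Counter()
    for line in lines:
        if " IN=" not in line:
            continue  # not an iptables LOG record
        f = parse_log_line(line)
        src, dst, dport = f.get("SRC"), f.get("DST"), f.get("DPT", "-")
        if f.get("OUT") == "" and dst in firewall_addrs:
            report["dropped_at_firewall"][(src, dport)] += 1
        else:
            report["dropped_forwarded"][(src, dst, dport)] += 1
        if f.get("PROTO") == "TCP" and f["FLAGS"] == {"SYN"}:
            syns[(src, dst, dport)] += 1
    report["syn_flood_suspect"] = sorted(k for k, n in syns.items() if n >= syn_threshold)
    return report


_AUTH_FAIL = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def failed_logins(lines, threshold=5):
    """'Authentication Failed' review: sources with at least threshold sshd failures."""
    per_src = Counter()
    for line in lines:
        m = _AUTH_FAIL.search(line)
        if m:
            per_src[m.group(2)] += 1
    return {src: n for src, n in per_src.items() if n >= threshold}


# Constructed sample records, as the kernel writes them after a LOG rule with
# --log-prefix "IPT-DROP " on the lab firewall (192.168.0.38 outside,
# 192.168.211.130 inside, web server 192.168.211.131).
SAMPLE_FW = [
    "IPT-DROP IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.0.38 PROTO=TCP SPT=40001 DPT=22 SYN",
    "IPT-DROP IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.0.38 PROTO=TCP SPT=40002 DPT=22 SYN",
    "IPT-DROP IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.0.38 PROTO=TCP SPT=40003 DPT=22 SYN",
    "IPT-DROP IN=eth0 OUT=eth1 SRC=10.9.8.7 DST=192.168.211.131 PROTO=TCP SPT=40004 DPT=3306 SYN",
    "IPT-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.0.38 PROTO=ICMP TYPE=8 CODE=0",
    "IPT-DROP IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.211.131 PROTO=TCP SPT=5555 DPT=80 ACK",
]
SAMPLE_AUTH = ["sshd[2231]: Failed password for root from 10.9.8.7 port 51234 ssh2"] * 5 + [
    "sshd[2232]: Failed password for invalid user admin from 198.51.100.9 port 4022 ssh2"]

if __name__ == "__main__":
    r = review(SAMPLE_FW, {"192.168.0.38", "192.168.211.130"})
    print("at firewall:", dict(r["dropped_at_firewall"]))
    print("forwarded:  ", dict(r["dropped_forwarded"]))
    print("SYN flood?  ", r["syn_flood_suspect"])
    print("brute force:", failed_logins(SAMPLE_AUTH))
```

The distinction between the two drop classes comes entirely from the OUT field: a packet the firewall would have routed has an outgoing interface, a packet aimed at the firewall does not. The same source shows up in both classes and in the sshd failures, which is the kind of correlation the elimination method above relies on.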
2.7 Overview of Snort inline

2.7.1 Introduction to Snort inline

Snort inline is a modified version of Snort (IDS). It accepts packets from iptables (Linux, via libipq) or from IPFW (FreeBSD, via divert sockets). It receives the packets handed over by the Netfilter firewall with the help of the libipq library, compares them against Snort's intrusion signatures, and drops them if they match the configured rules; the verdict is then returned to Netfilter, which is where the packet is actually dropped. (Snort 2.9 and later integrate inline mode through the DAQ library and NFQUEUE; snort_inline with libipq is the older mechanism described here.)
2.7.2 Snort-inline and Iptables:
Netfilter is a Linux kernel module available in kernel 2.4 and later. It provides three main functions:
Packet filtering: accepting or dropping packets.
NAT: changing the source or destination IP address of packets.
Packet mangling: modifying packet headers.
Iptables is the tool used to configure Netfilter and must be run as root. If a packet matches an attack signature in snort_inline, it is marked through libipq and returned to Netfilter, where it is dropped.
Snort inline is open-source intrusion detection software that works on signatures and allows network attacks to be monitored and detected. Snort has been developed and turned into commercial products by many organisations and companies, such as Sourcefire and Astaro.

Snort inline is mainly a rule-based IPS, but input plug-ins also exist to detect anomalies in protocol headers. Snort uses rules stored in text files, which the administrator can edit. Rules are grouped into categories, and the rules of each category are stored in separate files. The main configuration file of Snort inline is snort.conf. Snort inline reads these rules at start-up and builds the data structures that apply them to captured data. Finding signatures and using them in rules is a delicate matter: the more rules are used, the more processing power is needed to keep up with real traffic. Snort inline ships with a predefined set of rules for detecting intrusions. The rules are open, so the network administrator can create new rules and add rules of their own. Some predefined rules can also be deleted to avoid false alarms.
Main characteristics of Snort inline:
- Snort supports many platforms (Linux, OpenBSD, FreeBSD, Solaris, Windows and others); inline mode itself needs Linux (libipq) or FreeBSD (divert sockets).
- Detects a large number of probe and intrusion types, such as buffer overflows, CGI attacks, operating-system fingerprinting, ICMP probes and viruses.
- Detects intrusions quickly, in real time.
- Gives the administrator the information needed to handle an incident when an intrusion occurs.
- Lets the administrator define new intrusion signatures easily.
- Is open-source software with no licensing cost.

Figure 2-8 Snort IPS model

2.7.3 Operating modes

Snort inline can be configured to run in three modes:
+ Sniffer mode: captures packets and only prints the TCP/IP headers to the screen. The commands are:
snort -v: runs Snort and displays the IP/TCP/UDP/ICMP headers.
snort -vd: displays the headers together with the packet data.
snort -vde: as above but in more detail, including the data-link layer header.
+ Packet logger mode: when the captured packets are to be recorded in a storage location for later review, packet logger mode serves the administrator well. This mode specifies where to store the packets; with the syntax below Snort automatically saves the information into the given directory:
snort -vde -l /usr/local/log/snort
Logging in binary form increases Snort's capture capacity; most systems can capture and log at 100 Mbps without problems. To log in binary (tcpdump) form use the -b option, with -L naming the binary log file (-l only sets the directory):
snort -b -L /usr/local/log/snort/temp.log
After capturing, the file just created can be read back with the -r option, and the display is the same as in sniffer mode:
snort -r /usr/local/log/snort/temp.log
+ NIDS mode: Snort detects intrusions mainly through the set of rules the administrator defines in the configuration file, snort.conf. Most intrusions have some signature; information about these signatures is used to create Snort rules. The signatures may be found in packet headers, and Snort rules can examine many parts of a packet to detect them.
To start this mode, use the syntax:
snort -dve -l /usr/local/log -h 192.168.0.0/24 -c snort.conf

If Snort is to run in this mode for a long time, -v and -e should be left out of the command line, because writing to the screen slows the system down and can cause packets to be lost while Snort is logging. Saving the data-link layer headers is also unnecessary and can be dropped. The basic NIDS mode command is:
snort -d -l /usr/local/log -h 192.168.0.0/24 -c snort.conf

2.8 Components of Snort

Snort was built to satisfy the following basic requirements: high performance, simplicity and high flexibility.
The main components of Snort are:
The packet sniffer
The preprocessor
The detection engine
The logging and alerting system
These components are built on the libpcap library, which provides the ability to listen to and filter packets on the network.

Figure 2-9 Packet processing flow

2.8.1 The packet sniffer

The packet sniffer is a device (hardware or software) placed in the system that captures the traffic entering and leaving the network. It allows an application or a device to listen to all the data travelling on the network.

2.8.2 The preprocessor

After the packets have been captured they are passed to the preprocessor, which checks whether they are valid and normalises them. The preprocessor runs them through its plug-ins (for example the RPC plug-in, the HTTP plug-in and the port-scanning plug-in). The packets are checked for the behaviour each plug-in describes and are then handed to the detection engine; a preprocessor may also raise alerts of its own, for example for a port scan.
The preprocessor is a very useful component of Snort. Because it is a plug-in that can be switched on or off, it helps a great deal in tuning system resources or the alert level. For example, an administrator who receives too many port-scan notifications during work can switch that plug-in off while the other plug-ins keep running normally.

2.8.3 The detection engine

After the packets pass through the preprocessor they are handed to the detection engine. If a packet matches any rule, it is sent to the alert processor.
The detection engine and the rule sets account for a large part of the knowledge needed to understand Snort. Snort has its own syntax for the rules. The syntax can refer to the network protocol, content, length, header fields and many other elements, including features that identify buffer overflows.
Snort uses rules to detect intrusions on the network. Consider the following rule:
alert tcp !192.168.0.0/24 any -> any any (flags: SF; msg: "SYN-FIN Scan";)
A rule has two parts: a header and options.
Header: alert tcp !192.168.0.0/24 any -> any any
Options: (flags: SF; msg: "SYN-FIN Scan";)

Figure 2-10 The detection engine

Each intrusion signature is expressed as a rule. How does Snort manage the set of rules? Snort uses a data structure of chain headers and chain options. It consists of a list of headers, and each header links to a list of options. The structure is keyed on the headers because the header is the part that varies least among rules written for the same kind of intrusion, while the options are the part that differs most.
For example, if 60 rules are written for CGI-BIN probes, they all share the same source IP, destination IP, source port and destination port, that is, the same header. Each packet is compared against the lists in turn until the first matching pattern is found, and the corresponding action is then taken.
2.8.4 The logging and alerting system

Used to notify the network administrator and to record intrusions against the system. There are three logging forms and five alerting forms.
The logging forms, chosen when Snort is started:
- Decoded form: the first logging form, which is quick to produce.
- tcpdump binary form: a format similar to tcpdump's, written to disk quickly; suitable for systems that demand high performance.
- IP directory tree form: the log is organised as a directory tree by IP address, which is easy for people to read.

Figure 2-11 The logging and alerting system

The alerting forms:
- Write alerts to syslog
- Write alerts to a text file
- Send a Winpopup message using the smbclient program
- Full alert: record the alert message together with the packet contents
- Fast alert: record only the packet header; commonly used on systems that need high performance
2.8.5 Structure of a rule

Snort's rule set is simple enough to understand and write, yet powerful enough to detect all kinds of intrusive activity on the network. There are three main actions Snort takes when a packet matches a rule:
- Pass: ignore the packet; it is neither logged nor alerted on.
- Log: record the packet in the logging form that was chosen.
- Alert: generate an alert in the chosen alert form and log the whole packet in the chosen logging form.
The most basic form of a rule consists of the protocol, the direction of the packet and the ports of interest, with no options:
log tcp any any -> 192.168.0.0/24 80
This rule logs every packet entering the 192.168.0.0/24 network on port 80.
Another rule, with options:
alert tcp any any -> 192.168.0.0/24 80 (content:"/cgi-bin/phf"; msg: "PHF probe!";)
This rule detects accesses to the PHF service on the web server; an alert is raised and the whole packet is logged.
IP address ranges in rules are written as CIDR blocks. Ports can be given individually or as a range, with the first and last port separated by a colon:
alert tcp any any -> 192.168.0.0/24 6000:6010 (msg: "X traffic";)

Common Snort options:
1. content: search the packet payload for a specified pattern.
2. flags: test the TCP flags for specified settings.
3. ttl: check the IP header's time-to-live (TTL) field.
4. itype: match on the ICMP type field.
5. icode: match on the ICMP code field.
6. minfrag: set the threshold value for IP fragment size.
7. ack: look for a specific TCP header acknowledgement number.
8. seq: look for a specific TCP header sequence number.
9. logto: log packets matching the rule to the specified filename.
10. dsize: match on the size of the packet payload.
11. offset: modifier for the content option; sets the offset into the packet payload at which the content search begins.
12. depth: modifier for the content option; sets the number of bytes from the start position to search through.
13. msg: sets the message to be sent when a packet generates an event.
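An added example, not Snort's own code, that makes the header/options split of sections 2.8.3 and 2.8.5 concrete: it parses the rules quoted on this page into header and options, validates the CIDR blocks and port ranges, and evaluates the flags and content options against a minimal packet model (an assumption made for the example; hex |..| content and escaped semicolons are not handled). The first-match walker applies Snort's rule-type order (pass, drop, alert, log) before file order, which is what Snort does by default.

```python
import ipaddress
import re
from dataclasses import dataclass, field

ACTIONS = {"pass": 0, "drop": 1, "alert": 2, "log": 3}  # Snort's default evaluation order
_RULE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$"
)
_FLAG_LETTERS = set("FSRPAU")


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


@dataclass
class Packet:  # minimal packet model, an assumption for this example
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags as Snort letters, e.g. "SF" = SYN+FIN
    payload: bytes = b""


def _parse_options(text: str) -> dict:
    """'flags: SF; msg: "x";' -> {'flags': 'SF', 'msg': 'x'}."""
    opts = {}
    for item in filter(None, (s.strip() for s in text.split(";"))):
        key, _, value = item.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    return opts


def parse_rule(line: str) -> Rule:
    m = _RULE.match(line.strip())
    if not m:
        raise ValueError(f"bad rule syntax: {line!r}")
    if m["action"] not in ACTIONS:
        raise ValueError(f"unknown action {m['action']!r}")
    for addr in (m["src"], m["dst"]):
        if addr != "any":
            ipaddress.ip_network(addr.lstrip("!"), strict=False)  # must be a CIDR block
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], _parse_options(m["opts"] or ""))


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    negate = spec.startswith("!")  # "!192.168.0.0/24" = anything outside the block
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != negate


def _port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")  # "80", "6000:6010", ":1024" or "1024:"
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if sep else low)
    return low <= port <= high


def _header_match(rule: Rule, src, sport, dst, dport) -> bool:
    return (_addr_match(rule.src, src) and _port_match(rule.sport, sport)
            and _addr_match(rule.dst, dst) and _port_match(rule.dport, dport))


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header first, then the options this page uses (flags, content)."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    hdr = _header_match(rule, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if not hdr and rule.direction == "<>":  # bidirectional: try the reverse
        hdr = _header_match(rule, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    if not hdr:
        return False
    o = rule.options
    if "flags" in o and set(o["flags"]) & _FLAG_LETTERS != set(pkt.flags):
        return False  # a bare flags: option means exactly this flag set
    if "content" in o and o["content"].encode() not in pkt.payload:
        return False
    return True


def first_match(rules, pkt):
    """Rule types are ordered pass, drop, alert, log; within a type, file order wins."""
    ordered = sorted(rules, key=lambda r: ACTIONS[r.action])
    return next((r for r in ordered if matches(r, pkt)), None)


# The rules quoted on this page.
RULES = [parse_rule(r) for r in (
    'alert tcp !192.168.0.0/24 any -> any any (flags: SF; msg: "SYN-FIN Scan";)',
    'log tcp any any -> 192.168.0.0/24 80',
    'alert tcp any any -> 192.168.0.0/24 80 (content:"/cgi-bin/phf"; msg: "PHF probe!";)',
    'alert tcp any any -> 192.168.0.0/24 6000:6010 (msg: "X traffic";)',
)]

if __name__ == "__main__":
    scan = Packet("tcp", "10.1.1.1", 40000, "192.168.0.5", 22, flags="SF")
    phf = Packet("tcp", "10.1.1.1", 40000, "192.168.0.5", 80, "PA", b"GET /cgi-bin/phf?Qalias=x HTTP/1.0")
    for p in (scan, phf):
        r = first_match(RULES, p)
        print(p.dst, p.dport, "->", r.action if r else "no match", r.options.get("msg", "") if r else "")
```

A plain GET to port 80 only triggers the log rule, while the same request carrying /cgi-bin/phf triggers the alert even though the log rule appears earlier in the file; that ordering by rule type is why a broad log rule does not hide a more specific alert.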

Chapter 3. Experiments with the Iptables Firewall and the Snort inline IPS

3.1 Description of the experiment

In today's economy, agencies, companies and corporations apply information technology more and more. As organisations grow, so does the number of computers, routers and servers. Computer systems are deployed to suit the purposes of each organisation. These networks are extremely complex and demand advanced security techniques and technologies. Depending on the needs of each organisation, the techniques and technologies used differ. Two basic components that any system uses, however, are a firewall and an intrusion detection system (IDS).
The experimental model presents a realistic network, as used in practice, in order to analyse and evaluate the behaviour of a computer network, the operation of the firewall and the IPS, and the detection and blocking ability of the IPS and the firewall in that network. Good infrastructure and powerful computers give the system better processing capacity.
Simulating the experimental model requires the software needed to build the system: the firewall, virtual machines, the IPS and the VMware virtualisation software. VMware is installed on a physical Windows 7 machine, and inside VMware two CentOS virtual machines are built: one acting as firewall and IPS, the other as web server and FTP server. The machine used for the simulation needs at least 2 GB of RAM; the more powerful the machine, the better.
In this model an attacker from outside must first pass through the firewall and the IPS, which analyses the packets. More important, and more dangerous, are attackers from inside. With this system we carry out simulated attacks from outside against the firewall and the IPS; the results are presented below.

Figure 3-12 Overall model

3.2 Experimental network infrastructure

The experimental infrastructure builds the firewall and IPS on a CentOS machine with two network cards: one with address 192.168.0.38 connected to the external network (the Internet side), and the other with address 192.168.211.130 connected to the internal network, which contains the web server and FTP server at 192.168.211.131 with gateway 192.168.211.130. For the simulation we create connections such as ssh, ping, http and ftp from outside or from inside to the firewall/IDS machine, and at the same time use the firewall and IDS to watch for intrusion attempts. The firewall can block malicious traffic, but the IDS is needed to watch all traffic, both inside and outside. When malicious traffic enters the system, the IDS detects it and notifies the administrator, who can then block the intrusion with the firewall.
For simplicity this model only examines attacks from outside against the firewall and IDS. When an attack on the system occurs, the IDS sends an alert to the administrator through the analysis tool BASE (Basic Analysis and Security Engine).
The experimental model is deliberately kept simple so that it is easy to understand and to visualise.

Figure 3-13 Experimental model

3.3 Installing Iptables and Snort on CentOS

3.3.1 Installing the CentOS operating system

- Operating system: Linux CentOS 5.2
- Kernel: 2.6.18-92.el5
- Account
+ User: root
+ Password: 123456 (a lab credential; on any real system use a strong password and disable root logins over SSH)
3.3.2 Installing and configuring Iptables
Iptables is regarded as effective and secure. It has become the firewall package installed by default on Red Hat and Fedora Linux.
The iptables package is iptables-version.rpm or iptables-version.tgz and can be installed with:
# rpm -ivh iptables-version.rpm        (Red Hat)
# apt-get install iptables             (Debian)
Check whether iptables is already installed:
[root@ngoclong ~]# rpm -qa | grep iptables
Install it (if not yet installed):
[root@ngoclong ~]# rpm -ivh iptables-1.3.5-4.el5.i386.rpm
Preparing                ############################
Check that iptables is installed on the system:
[root@ngoclong ~]# rpm -qa | grep iptables
iptables-ipv6-1.3.5-4.el5
iptables-1.3.5-4.el5

Configuring iptables:
There are two ways to configure iptables: with commands, or by editing /etc/sysconfig/iptables, which uses the iptables-restore format (each table starts with *name and ends with COMMIT; each rule is on one line). The rules below use the lab addresses: eth0/192.168.0.38 faces outside and eth1 faces the internal web server 192.168.211.131.
Configuration that blocks ssh, ping and http access to the firewall and to the published server:
*filter
-A INPUT -p icmp --icmp-type any -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j DROP
-A FORWARD -s 0/0 -i eth0 -d 192.168.211.131 -o eth1 -p tcp --sport 1024:65535 --dport 80 -j DROP
-A FORWARD -s 0/0 -i eth0 -d 192.168.211.131 -o eth1 -p tcp --sport 1024:65535 --dport 22 -j DROP
COMMIT
*nat
-A PREROUTING -d 192.168.0.38 -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.211.131:80
-A PREROUTING -d 192.168.0.38 -i eth0 -p tcp --dport 22 -j DNAT --to-destination 192.168.211.131:22
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.38
COMMIT

Configuration that allows ssh, ping and http access to the firewall and to the published server:
*filter
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FORWARD -s 0/0 -i eth0 -d 192.168.211.131 -o eth1 -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A FORWARD -s 0/0 -i eth0 -d 192.168.211.131 -o eth1 -p tcp --sport 1024:65535 --dport 22 -j ACCEPT
COMMIT
Two things to note. Neither script sets a chain policy, so the built-in chains keep their default ACCEPT policy: the first script is a blacklist, and anything it does not list (for example a connection to port 3306 on the web server) is still forwarded. Also, the PREROUTING rules rewrite port 22 on 192.168.0.38 to the web server before the INPUT chain is consulted, so the INPUT rule for port 22 only affects SSH arriving from the internal side; with that DNAT in place, SSH to the firewall itself is not reachable from outside on port 22.
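An added example, not from the report, that turns the rule handling of sections 2.3.3 and 2.4.3 and the two scripts above into a checked allow-list: it generates the lab firewall's rules in iptables-restore format with a DROP policy, stateful accept, LOG followed by REJECT (LOG does not stop evaluation), and the DNAT/SNAT pair, and it lints a script for the weaknesses noted above. The addresses and interfaces are the lab's; the log prefix, the ping rate limit and the choice to publish only port 80 (forwarding port 22 to the server, as the report does, takes SSH away from the firewall itself) are assumptions. Python is used so the result can be checked without root; the script it prints is loaded with iptables-restore.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Lab:  # the addresses used in this chapter
    wan_if: str = "eth0"
    lan_if: str = "eth1"
    fw_wan_ip: str = "192.168.0.38"
    server_ip: str = "192.168.211.131"


def build_ruleset(lab: Lab, fw_services=(22,), published=(80,), allow_ping=True,
                  log_prefix="IPT-DROP ") -> str:
    """Return an iptables-restore script: DROP policy, stateful allow-list, log then reject."""
    filt = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m state --state INVALID -j DROP",
    ]
    if allow_ping:  # rate-limited so a ping flood cannot saturate the host
        filt.append("-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT")
    for port in fw_services:
        filt.append(f"-A INPUT -p tcp --dport {port} -m state --state NEW -j ACCEPT")
    filt.append("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
    for port in published:
        filt.append(f"-A FORWARD -i {lab.wan_if} -o {lab.lan_if} -d {lab.server_ip} "
                    f"-p tcp --dport {port} -m state --state NEW -j ACCEPT")
    for chain in ("INPUT", "FORWARD"):  # LOG is non-terminating, so REJECT must follow it
        filt.append(f'-A {chain} -m limit --limit 3/min -j LOG --log-prefix "{log_prefix}"')
        filt.append(f"-A {chain} -j REJECT --reject-with icmp-host-prohibited")
    filt.append("COMMIT")
    nat = ["*nat"]
    for port in published:
        nat.append(f"-A PREROUTING -i {lab.wan_if} -d {lab.fw_wan_ip} -p tcp --dport {port} "
                   f"-j DNAT --to-destination {lab.server_ip}:{port}")
    nat += [f"-A POSTROUTING -o {lab.wan_if} -j SNAT --to-source {lab.fw_wan_ip}", "COMMIT"]
    return "\n".join(filt + nat) + "\n"


def lint(script: str) -> list:
    """Report the weaknesses a reviewer looks for in an iptables-restore script."""
    problems = []
    lines = script.splitlines()
    if script.count("COMMIT") != sum(1 for l in lines if l.startswith("*")):
        problems.append("every table must end with COMMIT")
    for chain in ("INPUT", "FORWARD"):
        if f":{chain} DROP" not in script:
            problems.append(f"{chain} policy is not DROP: unlisted traffic is accepted")
        rules = [l for l in lines if l.startswith(f"-A {chain} ")]
        est = next((i for i, l in enumerate(rules) if "ESTABLISHED" in l), None)
        new = [i for i, l in enumerate(rules) if "--state NEW" in l]
        if est is None:
            problems.append(f"{chain}: no ESTABLISHED,RELATED rule, replies are matched rule by rule")
        elif new and min(new) < est:
            problems.append(f"{chain}: the ESTABLISHED,RELATED rule should precede the NEW rules")
    return problems


# The report's first (blacklist) configuration, quoted here for comparison.
REPORT_BLACKLIST = """*filter
-A INPUT -p icmp --icmp-type any -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j DROP
-A FORWARD -s 0/0 -i eth0 -d 192.168.211.131 -o eth1 -p tcp --sport 1024:65535 --dport 80 -j DROP
COMMIT
"""

if __name__ == "__main__":
    print(build_ruleset(Lab()))
    for p in lint(REPORT_BLACKLIST):
        print("blacklist config:", p)
```

The linter reports four problems for the report's blacklist (no DROP policy and no stateful rule on either chain) and none for the generated allow-list. To apply the generated script on the lab firewall: save the printed text to a file, load it with iptables-restore < file, confirm access still works, then service iptables save.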

3.3.3 Installing and configuring Snort

Install the dependencies (the machine must be connected to the Internet):
# yum install -y gcc gcc-c++ kernel-devel patch make libxml2 pcre-devel php php-common php-gd php-cli php-mysql flex bison libpcap libpcap-devel mysql mysql-devel mysql-bench mysql-server
Install PEAR from the web:
# wget http://pear.php.net/go-pear
# php -q go-pear
BASE can now install its PEAR packages:
# pear install Image_Color-1.0.3
# pear install Image_Canvas-0.3.2
# pear install Log-1.12.0
# pear install Numbers_Roman-1.0.2
# pear install Numbers_Words-0.16.1
# pear install Image_Graph-0.7.2
# pear install Image_GraphViz-1.3.0RC3
Download libnet from http://www.filewatcher.com/m/libnet-1.0.2a.tar.gz
# cd /usr/local/
# tar zxvf /Download/libnet-1.0.2a.tar.gz
# cd Libnet-1.0.2a/
# ./configure && make && make install
Download Snort and the Snort rules from http://www.snort.org
Register an account at snort.org and download the registered-user ruleset. Verify the downloaded tarballs (including the libnet mirror copy) against the checksums published by the projects before building them; code built here runs with the sensor's privileges.
# cd /usr/local/
# tar zxvf /Download/snort-2.8.5.3.tar.gz
# cd snort-2.8.5.3/
# ./configure --enable-sourcefire --enable-targetbased --with-mysql
# make && make install
Create the Snort account and storage directories:
# mkdir /etc/snort
# mkdir /var/log/snort
# groupadd snort
# useradd -g snort snort
# chown snort:snort /var/log/snort
# cd /etc/snort/
# tar zxvf /Download/snortrules-snapshot-CURRENT.tar.gz
# cp etc/* /etc/snort/
# ln -s /usr/local/bin/snort /usr/sbin/snort
# cd /etc/snort/so_rules/precompiled/CentOS-5.0/i386/2.8.5.3
# cp * /usr/local/lib/snort_dynamicrules/

Configure Snort
Edit the configuration file /etc/snort/snort.conf:
var HOME_NET 192.168.0.0/24
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
HOME_NET should cover every network the sensor protects; in this lab the internal network 192.168.211.0/24 should be included as well, for example var HOME_NET [192.168.0.0/24,192.168.211.0/24], otherwise rules written against $HOME_NET ignore attacks on the web server.

Create some test rules for Snort
# vi /etc/snort/rules/local.rules
alert tcp any any -> any 23 (msg:"Telnet Connection Attempt"; sid:1000001; rev:1;)
alert tcp any any -> 192.168.0.0/24 any (flags:SF; msg:"SYN-FIN scan detected"; sid:1000002; rev:1;)
alert tcp any any -> 192.168.0.0/24 any (flags:A; ack:0; msg:"TCP ping detected"; sid:1000003; rev:1;)
alert tcp any any -> any 22 (msg:"ssh connection Attempt"; sid:1000004; rev:1;)
Note that flags and ack are TCP options, so the TCP ping rule must use the tcp protocol, not icmp; a SYN-FIN rule without flags:SF would fire on every TCP packet to the network; and local rule sids must be unique and at least 1000000, the range reserved for local rules.

- Start Snort for the first time:
# /usr/local/bin/snort -Dq -u snort -g snort -c /etc/snort/snort.conf
(-D runs Snort as a daemon, -q suppresses the banner and statistics, and -u/-g drop privileges to the snort user and group once the capture interface has been opened.)
Check that Snort is running and writing logs:
# cd /var/log/snort
# ls -l
total 12144
-rw------- 1 root root 6205014 Dec 3 16:32 snort.alert
-rw------- 1 root root 6205014 Dec 3 16:32 snort.log

Install Barnyard2
Barnyard2 is an application that offloads the writing of log files and alerts from Snort, so that Snort can devote its resources to its own function.
# wget http://snort.org/dl/barnyard2-1.8.tar.gz
# cd /usr/local/
# tar zxvf /Download/barnyard2-1.8.tar.gz
# cd barnyard2-1.8/
# ./configure --with-mysql
# make && make install
# cd etc/
# cp barnyard2.conf /etc/snort

3.3.4 Configuring the MySQL server

Create the database in MySQL:
# service mysqld start
# mysql
mysql> set password for root@localhost=password('123456');
mysql> create database snort;
mysql> grant create, insert, select, delete, update on snort.* to snort@localhost;
mysql> set password for snort@localhost=password('123456');
mysql> exit
# cd /usr/local/snort-2.8.5.3/schemas/
# mysql -p snort < create_mysql
Enter password:
# mysql -p
mysql> show databases;
mysql> use snort;
mysql> show tables;
mysql> exit
The snort account only needs to insert and read events, so do not grant it more than the privileges above, and use a password other than the lab value on a real sensor.

3.3.5 Configuring Snort to write alerts into MySQL

# vi /etc/snort/snort.conf

- Find the line below, remove the comment marker at the start of the line and adjust the values to match your setup:

output database: log, mysql, user=snort password=123456 dbname=snort host=localhost

With this line Snort's own database output plugin writes to MySQL directly and Barnyard2 is not in the path at all. To have Barnyard2 do the database work, as intended above, snort.conf should instead carry an output unified2 directive (for example output unified2: filename snort.u2, limit 128) and the output database line goes into /etc/snort/barnyard2.conf, which Barnyard2 then reads from the unified2 files.

- Restart Snort and check whether events are reaching the database:
# mysql -usnort -p"123456" -D snort -e "select count(*) from event"
count(*)
280278

If the number is not 0, events are being written to the database.


Installing ADODB

Download ADODB from http://nchc.dl.sourceforge.net/sourceforge/adodb/
# cd /var/www/html/
# tar zxvf /Download/adodb4991.tgz

3.3.6 Installing and configuring Basic Analysis and Security Engine (BASE)

BASE is an application that provides a web interface for querying and analyzing Snort alerts.
# cd /var/www/html
# tar zxvf /Download/base-1.4.5.tar.gz
# mv base-1.4.5 base
# chmod 777 base
# cd base
# cp base_conf.php.dist base_conf.php

Note that chmod 777 makes the directory writable by every local user, which BASE does not need; giving it to the web server account (on CentOS, chown -R apache:apache base with mode 755) is enough for BASE to run and keeps the web root out of reach of other users.

Configure BASE:
# vi base_conf.php

Edit the following lines (the values are PHP strings and must be quoted):
$BASE_urlpath = '/base';
$DBlib_path = '/var/www/html/adodb';
$alert_dbname = 'snort';
$alert_password = '123456';
$archive_exists = 1; # set this to 1 if you have an archive DB
$archive_dbname = 'snort';
$archive_user = 'snort';
$archive_password = '123456';
$external_whois_link = 'index.php';
$external_dns_link = 'index.php';
$external_all_link = 'index.php';

At this point Snort is basically working. You can check it by running it in the foreground on eth0:

# snort -c /etc/snort/snort.conf -i eth0

Figure 3-14 Snort running

Once Snort has validated everything it needs in order to run, the following line appears:
Not Using PCAP_FRAMES
Snort is now running and recording everything it detects that looks suspicious.
To stop Snort, press Ctrl-C.
3.4 The system after installation

3.4.1 Basic configuration information

The firewall/IDS host has two network interfaces, currently connected as follows:
+ eth0 is used for administration and for listening for intrusions coming from outside
+ eth1 connects to the internal network (http, ssh, ftp)
Operating system: CentOS
- Administrative account: root/root (lab credentials only)
- eth0 interface
+ IP: 192.168.0.38/24
+ Netmask: 255.255.255.0
+ Network: 192.168.0.0/24
+ Broadcast: 192.168.0.255
+ Gateway: 192.168.0.254
- Installed software:
+ Iptables
+ Snort 2.8.5.3
+ MySQL Server
+ PHP
+ Barnyard2
+ Basic Analysis and Security Engine 1.4.5
3.4.2 Using Snort

- Configuration file: /etc/snort/snort.conf
- Rules directory: /etc/snort/rules/
- Log files: /var/log/snort/

To start the Snort process, type:
# /etc/init.d/snort start
or
# /usr/local/bin/snort -Dq -u snort -g snort -i eth0 -c /etc/snort/snort.conf
To kill the Snort process, type:
# pkill snort
3.4.3 Experimental results for the Iptables firewall
Test: the ssh, ping and http services are not allowed to reach the firewall.
Ping test:
C:\>ping 192.168.0.38
Pinging 192.168.0.38 with 32 bytes of data:
Reply from 192.168.0.38: Destination host unreachable.
Reply from 192.168.0.38: Destination host unreachable.
Reply from 192.168.0.38: Destination host unreachable.
Reply from 192.168.0.38: Destination host unreachable.
Ping statistics for 192.168.0.38:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),


SSH test: from another machine with PuTTY installed, try to open an SSH session, or at the cmd prompt use: telnet 192.168.0.38 22
C:\> telnet 192.168.0.38 22
Connecting To 192.168.0.38...Could not open connection to the host, on port 22: Connect failed

HTTP test:

Figure 3-15 Access to the web page is refused

Test: the ssh, ping and http services are allowed to reach the firewall.

SSH test: port 22 now accepts the connection (telnet 192.168.0.38 22 connects instead of failing), and a PuTTY session to 192.168.0.38 logs in:
login as: root
root@192.168.0.38's password:
Last login: Mon Nov 29 17:02:45 2010 from 192.168.0.11
[root@ngoclong ~]#

Ping test:

C:\>ping 192.168.0.38
Pinging 192.168.0.38 with 32 bytes of data:
Reply from 192.168.0.38: bytes=32 time=9ms TTL=64
Reply from 192.168.0.38: bytes=32 time=9ms TTL=64
Reply from 192.168.0.38: bytes=32 time<1ms TTL=64
Reply from 192.168.0.38: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.0.38:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

HTTP test:

Figure 3-16 Access to the web page is permitted

The Nmap port scanner is used to discover which applications and ports a server system is running, after which the attacker goes after the holes found. The firewall log (entries written by the iptables LOG target through the kernel log) recorded the following during the port scan; each entry is shown on one line:

Nov 29 18:10:54 ngoclong kernel: IN=eth0 OUT= MAC=00:0c:29:cd:d1:7a:00:80:48:1e:e1:ca:08:00 SRC=192.168.0.11 DST=192.168.0.38 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=43279 PROTO=TCP SPT=52643 DPT=39687 WINDOW=31337 RES=0x00 SYN URGP=0
Nov 29 18:10:54 ngoclong kernel: IN=eth0 OUT= MAC=00:0c:29:cd:d1:7a:00:80:48:1e:e1:ca:08:00 SRC=192.168.0.11 DST=192.168.0.38 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=25827 PROTO=TCP SPT=50714 DPT=43766 WINDOW=65535 RES=0x00 URG PSH FIN URGP=0
Nov 29 18:10:54 ngoclong kernel: IN=eth0 OUT= MAC=00:0c:29:cd:d1:7a:00:80:48:1e:e1:ca:08:00 SRC=192.168.0.11 DST=192.168.0.38 LEN=60 TOS=0x00 PREC=0x00 TTL=40 ID=19624 DF PROTO=TCP SPT=52644 DPT=39687 WINDOW=32768 RES=0x00 ACK URGP=0

The three entries, all from 192.168.0.11 against the firewall at 192.168.0.38 within the same second, show three of the probe shapes Nmap sends at high ports: a plain SYN, a packet with URG, PSH and FIN set together (an Xmas probe) and a bare ACK. It is the flag combinations, together with TTL and window values that change from probe to probe although they come from the same host, that mark this as a scanner rather than a normal TCP stack.
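The following is an added example, not part of the thesis and not Snort's or iptables' own code: a small Python script that parses iptables LOG entries like the three above and applies the detections that the local.rules file in section 3.3 expresses (SYN-FIN, "TCP ping" with ack 0, connections to ports 22 and 23), plus the Xmas, NULL and FIN probe shapes that the same flag check covers, then groups hits per source address to flag a port scan. The three real entries are embedded unchanged; the three extra entries are constructed here to exercise the remaining rules, and the SEQ=/ACK= fields they carry only appear in a real log when the LOG rule is given --log-tcp-sequence. The port-scan threshold of three distinct ports, and requiring SYN without ACK for the two port rules (one alert per connection attempt; Snort's rules as written fire on every packet to those ports, flags:S; would restrict them the same way), are choices of this example.

```python
from collections import defaultdict

# The three entries recorded by the firewall above (joined onto one line each),
# followed by three entries CONSTRUCTED for this example so that every local
# rule gets exercised. The SEQ=/ACK= fields in the constructed entries only
# appear in a real log when the LOG rule is given --log-tcp-sequence.
LOG_LINES = [
    "Nov 29 18:10:54 ngoclong kernel: IN=eth0 OUT= MAC=00:0c:29:cd:d1:7a:00:80:48:1e:e1:ca:08:00 SRC=192.168.0.11 DST=192.168.0.38 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=43279 PROTO=TCP SPT=52643 DPT=39687 WINDOW=31337 RES=0x00 SYN URGP=0",
    "Nov 29 18:10:54 ngoclong kernel: IN=eth0 OUT= MAC=00:0c:29:cd:d1:7a:00:80:48:1e:e1:ca:08:00 SRC=192.168.0.11 DST=192.168.0.38 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=25827 PROTO=TCP SPT=50714 DPT=43766 WINDOW=65535 RES=0x00 URG PSH FIN URGP=0",
    "Nov 29 18:10:54 ngoclong kernel: IN=eth0 OUT= MAC=00:0c:29:cd:d1:7a:00:80:48:1e:e1:ca:08:00 SRC=192.168.0.11 DST=192.168.0.38 LEN=60 TOS=0x00 PREC=0x00 TTL=40 ID=19624 DF PROTO=TCP SPT=52644 DPT=39687 WINDOW=32768 RES=0x00 ACK URGP=0",
    # constructed: SYN and FIN together (what sid:1000002 looks for)
    "Nov 29 18:10:55 ngoclong kernel: IN=eth0 OUT= MAC=00:0c:29:cd:d1:7a:00:80:48:1e:e1:ca:08:00 SRC=192.168.0.11 DST=192.168.0.38 LEN=40 TOS=0x00 PREC=0x00 TTL=40 ID=1 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 SYN FIN URGP=0",
    # constructed: ordinary SYN to port 22 (sid:1000004)
    "Nov 29 18:10:56 ngoclong kernel: IN=eth0 OUT= MAC=00:0c:29:cd:d1:7a:00:80:48:1e:e1:ca:08:00 SRC=192.168.0.11 DST=192.168.0.38 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=50000 DPT=22 SEQ=123456 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0",
    # constructed: bare ACK with acknowledgement number 0, the "TCP ping" of sid:1000003
    "Nov 29 18:10:57 ngoclong kernel: IN=eth0 OUT= MAC=00:0c:29:cd:d1:7a:00:80:48:1e:e1:ca:08:00 SRC=10.0.0.9 DST=192.168.0.38 LEN=40 TOS=0x00 PREC=0x00 TTL=40 ID=3 PROTO=TCP SPT=40001 DPT=80 SEQ=0 ACK=0 WINDOW=1024 RES=0x00 ACK URGP=0",
]

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_log_line(line):
    """Split one LOG entry into KEY=VALUE fields plus the set of TCP flags.
    Flags are the bare words that follow PROTO=TCP; bare words before it
    (hostname, 'kernel:', the IP-level DF marker) are ignored."""
    tokens = line.split()
    rec = {"time": " ".join(tokens[:3]), "flags": set()}
    after_proto = False
    for tok in tokens[3:]:
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val                      # e.g. rec["ACK"] == "0" is the ack number
            after_proto = after_proto or key == "PROTO"
        elif after_proto and tok in TCP_FLAGS:
            rec["flags"].add(tok)               # the bare word ACK is the flag
    return rec


def classify(rec):
    """Return the alert messages the local rules would raise for one entry."""
    if rec.get("PROTO") != "TCP":
        return []
    flags = rec["flags"]
    dport = int(rec.get("DPT", 0))
    hits = []
    if {"SYN", "FIN"} <= flags:                       # sid:1000002, flags:SF
        hits.append("SYN-FIN scan detected")
    if flags == {"ACK"} and rec.get("ACK") == "0":    # sid:1000003, flags:A; ack:0
        hits.append("TCP ping detected")              # (needs the ACK= field to be logged)
    if flags == {"URG", "PSH", "FIN"}:                # Nmap -sX shape, as in entry 2
        hits.append("Xmas scan probe")
    if not flags:                                     # Nmap -sN shape
        hits.append("NULL scan probe")
    if flags == {"FIN"}:                              # Nmap -sF shape
        hits.append("FIN scan probe")
    if "SYN" in flags and "ACK" not in flags:         # a new connection attempt
        if dport == 23:
            hits.append("Telnet Connection Attempt")  # sid:1000001
        if dport == 22:
            hits.append("ssh connection Attempt")     # sid:1000004
    return hits


def scan_summary(records, min_ports=3):
    """Group entries by source: distinct destination ports touched, alerts
    raised, and a port-scan verdict once a source has probed min_ports or
    more distinct ports (the threshold of 3 is an arbitrary choice here)."""
    by_src = defaultdict(lambda: {"ports": set(), "alerts": []})
    for rec in records:
        entry = by_src[rec.get("SRC")]
        entry["ports"].add(int(rec.get("DPT", 0)))
        entry["alerts"].extend(classify(rec))
    return {
        src: {"ports": sorted(v["ports"]), "alerts": v["alerts"],
              "portscan": len(v["ports"]) >= min_ports}
        for src, v in by_src.items()
    }


if __name__ == "__main__":
    records = [parse_log_line(line) for line in LOG_LINES]
    for rec in records:
        print(rec["time"], rec["SRC"], "->", rec["DPT"],
              sorted(rec["flags"]), classify(rec))
    for src, info in scan_summary(records).items():
        print(src, info)
```

Run as is, the third real entry (bare ACK, no ACK= field) produces no alert: without --log-tcp-sequence the log does not say whether the acknowledgement number was 0, which is exactly the distinction the "TCP ping" rule relies on. The per-source grouping is what turns three individually unremarkable packets into a port-scan verdict for 192.168.0.11.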

3.4.4 Experimental results for the Snort IDS

The BASE console is used to review the experimental statistics. BASE provides a graphical tool that lets the user query and analyze the alerts.

Figure 3-17 BASE main interface

Under Traffic Profile by Protocol, click TCP to see how often alerts occur.

Figure 3-18 Snort detects Nmap port scanning and ssh access

In the Summary Statistics table, click the Destination link in the Unique addresses row to see which destination addresses were attacked.

Figure 3-19 Suspicious addresses displayed

Viewing packet payloads

To view a packet's payload, click the ID column of the corresponding alert.
Example: click the link #6-(2-296605) to view the content of the corresponding packet.

Figure 3-20 Viewing the contents of a packet

This feature is especially useful: it lets the IDS administrator review the whole packet that generated an alert, which makes tuning the rules more precise.

Graph Alert Detection Time

On the main page, click "Graph Alert Detection Time" to see a chart of alert frequency by hour, day or month.
This kind of chart is very useful for spotting unusual periods, which helps the administrator focus on what matters.
The chart below shows the number of detected intrusions by day and hour.

Figure 3-21 Statistics by day and hour

Chart of the intrusions into the system that Snort detected, by day

Figure 3-22 Statistics by day

3.5 Attacks and experimental results

3.5.1 Attack and detection by the Snort IDS

The attacker uses a ping flood (PINGFLOOD) against the firewall/IDS system, sending a continuous stream of 1000-byte echo requests at it:
C:\>ping 192.168.0.38 -l 1000 -t
Pinging 192.168.0.38 with 1000 bytes of data:
Reply from 192.168.0.38: bytes=1000 time=1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64

When the IDS detects that someone is flooding the system with pings, the administrator checks the IDS, which has detected and stored all of the events, and sees that an attacker is flooding the system. The administrator is then responsible for setting up rules on the firewall to restrict what the attacker can send into the system.

Figure 3-23 The Snort IDS detects the packets sent into the system

3.5.2 Prevention

The administrator sets up rules on the Iptables firewall to counter the flooding attack with the following rule set:
# iptables -N CHECK_FLOOD
# iptables -A CHECK_FLOOD -m limit --limit-burst 6 --limit 2/m -j RETURN
# iptables -A CHECK_FLOOD -j DROP
# iptables -A INPUT -s 0/0 -i eth0 -p icmp --icmp-type echo-request -j CHECK_FLOOD

In this rule set, iptables -N CHECK_FLOOD first creates a new chain named CHECK_FLOOD. The -A option appends a rule to a chain. Inside CHECK_FLOOD the limit match is used with --limit-burst 6 and --limit 2/m: a packet that the limit match accepts hits RETURN and goes back to the calling chain, where the remaining INPUT rules and the chain policy decide whether it is finally accepted; a packet the match does not accept falls through to the next rule and is DROPped. Finally CHECK_FLOOD is hooked into INPUT for packets arriving on eth0 with protocol icmp and ICMP type echo-request. The effect is to limit echo requests on eth0 to 2 per minute once a burst of 6 has been used up.

The limit match is a token bucket. The bucket holds at most 6 tokens (--limit-burst) and starts full; it is refilled at 2 tokens per minute (--limit 2/m), that is one token every 30 seconds. Every echo request that finds a token consumes it and is returned to INPUT; a request that arrives while the bucket is empty does not match and is dropped. So the first 6 pings of a burst are accepted immediately, after that at most one every 30 seconds, and during a quiet period the bucket refills: 3 minutes without any ping brings it back to the full burst of 6. Note that this bucket is shared by all sources, so one flooding host also starves legitimate pings from everyone else; the hashlimit match (-m hashlimit with --hashlimit-mode srcip) keeps a separate bucket per source address and is the usual choice when that matters.
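The following is an added example, not part of the thesis and not netfilter's code: a Python model of the limit match as the token bucket described above, driven by an assumed model of the Windows ping -t client (the next request goes out one second after a reply, or after the four-second timeout when the previous request was dropped). It shows the first six requests passing, then roughly one every 30 seconds, and how long the bucket takes to refill after a quiet period. The accepted count depends on the assumed client timing, so it does not reproduce the 12 of 43 observed in the experiment below and is not meant to; exact fractions are used so that a token arriving at precisely 30-second boundaries is not lost to floating-point rounding.

```python
from fractions import Fraction


class LimitMatch:
    """Token-bucket model of `-m limit --limit <n>/m --limit-burst <b>`.
    The bucket starts full with b tokens, refills at n tokens per minute and
    never holds more than b. A packet that finds a token consumes it (the
    match succeeds, so the packet hits RETURN in CHECK_FLOOD); otherwise the
    match fails and the packet falls through to the DROP rule."""

    def __init__(self, rate_per_minute, burst):
        self.capacity = Fraction(burst)
        self.tokens = Fraction(burst)
        self.refill_per_sec = Fraction(rate_per_minute, 60)
        self.last = Fraction(0)

    def allow(self, t):
        """t is the packet's arrival time in seconds. Returns True if the
        packet matched (was let through), False if it would be dropped."""
        t = Fraction(t)
        self.tokens = min(self.capacity,
                          self.tokens + (t - self.last) * self.refill_per_sec)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate_ping_t(n_requests, rate_per_minute=2, burst=6,
                    reply_gap=1, timeout=4):
    """ASSUMED client model for `ping -t` (a simplification): the next request
    goes out reply_gap seconds after a reply, or timeout seconds after a
    request that got no reply. Returns a list of (arrival_time, accepted)."""
    limiter = LimitMatch(rate_per_minute, burst)
    t, results = 0, []
    for _ in range(n_requests):
        accepted = limiter.allow(t)
        results.append((t, accepted))
        t += reply_gap if accepted else timeout
    return results


def summary(results):
    """The same counters Windows ping prints at the end."""
    sent = len(results)
    received = sum(1 for _, accepted in results if accepted)
    return {"sent": sent, "received": received, "lost": sent - received,
            "loss_pct": round(100 * (sent - received) / sent)}


def burst_after_idle(idle_seconds, rate_per_minute=2, burst=6):
    """Drain the bucket with back-to-back requests, stay quiet for
    idle_seconds, then count how many 1-second-spaced requests get through."""
    limiter = LimitMatch(rate_per_minute, burst)
    t = 0
    while limiter.allow(t):
        t += 1
    t += idle_seconds
    passed = 0
    while limiter.allow(t):
        passed += 1
        t += 1
    return passed


if __name__ == "__main__":
    results = simulate_ping_t(43)
    # R = reply received, . = request timed out (dropped by CHECK_FLOOD)
    print("".join("R" if accepted else "." for _, accepted in results))
    print(summary(results))
    for idle in (0, 30, 180):
        print(f"accepted after {idle}s idle: {burst_after_idle(idle)}")
```

With the defaults the first six requests are answered, the seventh is dropped, and the next one to get through arrives at t = 30 s, when the first refill token has accumulated; after that the client's 4-second timeouts mean a reply roughly every 30 s. burst_after_idle shows the other side of the bucket: 30 s of silence buys exactly one more ping, 180 s restores the full burst of six.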
3.5.3 Experimental results
The experiment shows that iptables does this job well: it limits the number of packets delivered to the system, so the system can withstand a flooding attack. The options are flexible, and the rule can be set to whatever number of packets the system should accept.
Result of Iptables limiting the packets sent into the system:
C:\>ping 192.168.0.38 -l 1000 -t
Pinging 192.168.0.38 with 1000 bytes of data:
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Request timed out.
Request timed out.
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Request timed out.
Request timed out.
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Ping statistics for 192.168.0.38:
Packets: Sent = 43, Received = 12, Lost = 31 (72% loss),

According to the record, 43 packets were sent but only 12 were answered; 31 were discarded, a loss rate of 72%.


CONCLUSION
What was achieved:
Through this thesis, although what was accomplished is still limited, we have to some extent grasped the basic principles and operation of firewalls and IDS, and how to install and deploy the Iptables firewall and the Snort IDS. We deployed a firewall and IDS on a LAN that detects and records attacks.
What was not achieved:
Alongside what was achieved, many difficulties arose, leaving some things undone. Because our knowledge is still limited, we were not able to run many different attacks against the system; we did not really build a complete LAN, and limits of time and money meant we could not build a real network. Additional modules for the IDS were not completed, the system does not yet operate in a fully coordinated way, the coordination between the Iptables firewall and the Snort IDS is not yet tight, and alerts are not yet sent automatically to the administrator by email or SMS.
Future work:
Defensive techniques will keep developing, so the scope of this work should not stop at installing and operating a firewall and IDS at a basic level but should be taken further. Concretely: install the FWSnort intrusion detection and prevention system, tune the Snort and firewall rules so that they operate more flexibly and in step with each other, and make the best possible use of the whole system to block intrusions and attacks as effectively as possible. Going further, the IDS could be integrated with the rest of the network so that when an attack occurs it automatically notifies the administrator by email and SMS and automatically chooses a suitable response to neutralize the attack.
