What is a Firewall (Tường lửa)?
Published: 2021-01-25
Link: https://kiencang.net/firewall-hay-tuong-lua/

A firewall (tường lửa) is a security system that monitors and controls network traffic based on a set of security rules. A firewall usually sits between a trusted network and an untrusted network; sometimes that untrusted network is the Internet itself! For example, office networks commonly use a firewall to protect their network from online threats:


A firewall decides whether to allow traffic in and out. It can be implemented in hardware, in software, or as a combination of both. The term 'firewall' is actually borrowed from the construction practice of building walls between or through buildings that are designed to contain fire. Similarly, a network firewall works to contain online threats.

Why use a firewall?

The primary purpose of a firewall is security. A firewall can block malicious traffic before it reaches the network, and it can also prevent sensitive information from leaving the network.

Firewalls can also be used for content filtering. For example, a school might configure a firewall to prevent users on its network from accessing adult content. Similarly, in some countries the government designs a firewall that can prevent people inside that country from accessing certain parts of the Internet.

This article focuses on firewalls configured for security, and discusses some of the common types.

What are the different types of firewalls?

Proxy-based firewalls

These are proxies* that sit between the client and the server. The client connects to the firewall, and the firewall inspects the outgoing packets before it creates a connection to the intended recipient (the web server). Similarly, when the web server tries to send a response to the client, the firewall intercepts that response, inspects the packets, and then delivers the response over a separate connection between the firewall and the client. A proxy-based firewall thus effectively prevents any direct connection between the client and the server.

A proxy-based firewall is like a bouncer at a bar. The bouncer stops guests before they enter the bar to make sure they are not underage, carrying weapons, or anything else that poses a threat to the bar and its patrons. The bouncer also stops patrons on their way out to make sure they get home safely and are not planning to drink and drive.

The drawback of having a bouncer at the bar is that when many people try to enter or leave at the same time, a long line forms and some people are delayed. Similarly, a major drawback of proxy-based firewalls is that they can introduce latency, especially during periods of heavy traffic.

* A proxy is a computer that acts as a gateway between a local network and a larger network, such as the Internet.



Stateful firewalls

In computer science, a 'stateful' application is one that stores data from previous events and interactions. A stateful firewall stores information about open connections and uses that information to analyze incoming and outgoing traffic, rather than inspecting every packet individually. Because it does not inspect every packet, a stateful firewall is faster than a proxy-based firewall.

Stateful firewalls rely heavily on context when making decisions. For example, if the firewall records outgoing packets on a connection that request a certain kind of response, it will only allow incoming packets on that connection if they provide the requested kind of response.

Stateful firewalls can also protect ports* by keeping all of them closed unless incoming packets request access to a specific port. This can mitigate an attack technique known as port scanning.

A known weakness of stateful firewalls is that they can be manipulated by tricking a client into requesting a certain type of information. Once the client has requested that response, an attacker can send malicious packets that match that criterion through the firewall. For example, insecure websites can use JavaScript code to generate these kinds of forged requests from the web browser.

* A network port is where information is sent; it is not a physical location but a communication endpoint. We will cover network ports in more detail in a later article.



Next-Generation Firewalls (NGFW)

These are firewalls that have the capabilities of traditional firewalls but also use a range of additional features to address threats at other layers of the OSI Model. Some features specific to NGFWs include: