In the name of God

Department of Computer Engineering
Data and Network Security
Homework Set 4
26 Azar 91

Note: For how to submit your homework answers, see the file DeliveryGuide.pdf.

pfSense Firewall

The goal of this exercise is to give you hands-on experience with some of the capabilities of firewalls. For this purpose the pfSense router and firewall (www.PfSense.org) is used. In parts of this exercise you will also become familiar with virtual private networks and with IPSec.

The pfSense firewall is software-based and built on a FreeBSD distribution. To install it and start using it, you can follow the steps below (these steps are a suggestion, and you may install and use it any way you like; for example, you can use virtual machine software other than VMWare, or install the firewall on physical hardware):

• Download the PfSense firewall from the link below.
  http://mirror.nus.edu.sg/PfSense/downloads/PfSense-2.0.1-RELEASE-i386.iso.gz
• Install VMWare on your system.
• Decompress the image file you downloaded from PfSense.
• Return to VMWare and, from the File menu, under New Virtual Machine, create a Typical virtual machine.
• Enter the decompressed image under Installer Disk Image File.
• Leave the remaining settings at their defaults.
• Change the network type this virtual machine is connected to, to NAT.
• Add another network interface to this virtual machine. (Right-click the virtual machine's name, open Settings, add a new network interface, and connect it to a Host Only network.)
• Let the system boot and, if asked, enter its network interface names (em0 and em1 for WAN and LAN).
• Install another operating system of your choice in VMWare. (For example Windows, Ubuntu, or ...; from here on we call it OS2.)
• Connect OS2's network to the same Host Only network that you connected PfSense to.
• You can now access PfSense through a browser in OS2.
• Enter the IP address of the PfSense virtual machine in the OS2 browser.
• Enter admin as the username and PfSense as the password.
• From the Interface menu, make sure that both interfaces are configured correctly.

Now carry out the following activities:

1. Make sure that its NAT is enabled. In that case, if your computer has Internet access, the OS2 you installed in VMWare should have Internet access as well. Check this and confirm it by running the command below (if you are not using Windows, use the Traceroute command).

   Tracert -d 8.8.8.8

   In your report, include the output of this command and also the part of PfSense that confirms it. (Finding out which part of PfSense shows this information is also part of the exercise.)
2. Using the PfSense firewall settings, block this system's Internet access to addresses that begin with 213. (For example, as a result of this rule ce.sharif.edu cannot be reached.) (Include screenshots of the rules you used in your report.)
3. Block access to all sites except addresses that begin with 213.
4. ping packets should be sent, but their replies should not pass through the firewall.

(Bonus) The next step is to make it possible to establish a PPTP VPN connection to it. (To test this part, a VPN connection must be established to it from your main operating system. Note that you may need to change the firewall rules. If you have trouble setting it up, use the documentation for this firewall that is available on the Internet.)

Finally, go to the VPN->IPSEC->Tunnels settings section, click to add an Entry, and write a short description of each of the settings in that section. (It is enough to write as much as will help you recall them on presentation day.)

Bonus section 2: Configuring or setting up any feature that is not part of this exercise earns extra credit. For example:

• Configuring an l2tp/ipsec VPN connection (is it possible at all?)
• Traffic Shaper
• Or any other feature you are interested in, in proportion to the amount of work

Access Control

This section poses questions on various concepts related to access control.
1. Hesam can read and write file x, read file y, and execute file z. Ali can read file x, read and write file y, and has no access to file z.
   a. Write an access control list for this situation and state which object the list is associated with.
   b. Write a capability list for this situation and state what each list is associated with.
2. Suppose a system uses capability lists to counter Trojans.
   a. In general, does a capability list provide more protection against Trojans than an access control list? Assume that the capability list is theoretically equivalent to the access control list.
   b. Consider the inheritance property in a new process. If the creating process controls which capabilities the created process initially inherits, under what condition can the creating process prevent the damage caused by a Trojan?
   c. Can capability lists stop every kind of Trojan? Either show that they can, or give an example of one that a capability list cannot stop.
3. Assume the security classes Top Secret, Secret, Confidential and Unclassified (ordered from highest to lowest) and the categories A, B and C. Using the BLP model, state which of the following accesses are accepted and which are rejected.
   a. Ali has clearance (Top Secret, {A,C}) and wants to access a document with level (Secret, {C}).
   b. Hesam has clearance (Confidential, {C}) and wants to access a document with level (Confidential, {B}).
   c. Yadollah has clearance (Secret, {C}) and wants to access a document with level (Confidential, {C}).
   d. Yaghoub has clearance (Top Secret, {A,C}) and wants to access a document with level (Confidential, {A}).
   e. Meghdad has no clearance (he is in the Unclassified class) and wants to access a document with level (Confidential, {B}).
4. A system uses the Biba model. How can a virus spread under each of the following conditions?
   a. The virus is in a compartment with integrity level low (a compartment that all other compartments dominate).
   b. The virus is in a compartment with integrity level high (a compartment that dominates all other compartments).

Because your reports are large, owing to the screenshots of the steps you carried out, do not send the reports to the TAs. Send only their MD5 or SHA1 hash value; the reports themselves will be collected from you at the in-person delivery. (This part of the exercise is also mandatory, not optional.)
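
Added example (not part of the original assignment sheet): a Python implementation of the Bell-LaPadula mandatory checks that question 3 of the access control section relies on, run over the five requests listed there. Because the question does not say whether "access" means reading or writing, the example reports both: reading is allowed when the subject's label dominates the document's (simple security condition), and writing when the document's label dominates the subject's (*-property). Discretionary controls are ignored, and the names Label, label, can_read, can_write, decide and evaluate are this example's own.

```python
from dataclasses import dataclass

# Classification order from the exercise, lowest to highest.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # (L, C) dominates (L', C') iff L >= L' and C is a superset of C'.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def label(level, cats=""):
    # Helper (this example's own): label("Secret", "AC") -> (Secret, {A, C}).
    return Label(level, frozenset(cats))

def can_read(subject, obj):
    # Simple security condition: no read up.
    return subject.dominates(obj)

def can_write(subject, obj):
    # *-property: no write down.
    return obj.dominates(subject)

def decide(subject, obj):
    verdicts = {(True, True): "read and write", (True, False): "read only",
                (False, True): "write only", (False, False): "neither"}
    return verdicts[(can_read(subject, obj), can_write(subject, obj))]

# The five requests from question 3: (subject clearance, document label).
REQUESTS = {
    "a": (label("Top Secret", "AC"), label("Secret", "C")),
    "b": (label("Confidential", "C"), label("Confidential", "B")),
    "c": (label("Secret", "C"), label("Confidential", "C")),
    "d": (label("Top Secret", "AC"), label("Confidential", "A")),
    "e": (label("Unclassified"), label("Confidential", "B")),
}

def evaluate(requests=REQUESTS):
    return {key: decide(s, o) for key, (s, o) in requests.items()}

if __name__ == "__main__":
    for key, verdict in evaluate().items():
        print(f"{key}: {verdict}")
```

Request b shows why the category sets matter: the two labels share a classification but neither category set contains the other, so the labels are incomparable and neither mode is permitted.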