hệ thống phát hiện và ngăn chặn xâm
TRANSCRIPT
H thng pht hin v ngn chn xm nhp mng (IDS/IPS)
H thng pht hin v ngn chn xm nhp mng (IDS/IPS)Gio vin hng dn:Thc s L c NhngSinh vin:Bi Th HnhPhm Vn Lnh
17/11/20131CNTT K12Mc lc I Tng quan v IDS/IPS1.1 Gii thiu v IDS/IPS1.2 Phn loi IDS/IPS & phn tch u nhc im1.3 C ch hot ng ca h thng IDS/IPS
II Nghin cu ng dng Snort trong IDS/IPS
17/11/2013CNTT K122I Tng quan v IDS/IPS1.1Gii thiu v IDS/IPS1.1.1nh ngha
H thng pht hin xm nhp (IDS) l h thng c nhim v theo di, pht hin v (c th) ngn cn s xm nhp, cng nh cc hnh vi khai thc tri php ti nguyn ca h thng c bo v m c th dn n vic lm tn hi n tnh bo mt, tnh ton vn v tnh sn sng ca h thng.Khi mt h thng IDS c kh nng ngn chn cc nguy c xm nhp m n pht hin c th c gi l mt h thng phng chng xm nhp hay IPS.
17/11/2013CNTT K1231.1.2 S khc nhau gia IDS/IPS
IDS ch c chc nng pht hin xm nhp da vo cc mu c sn.
IPS c chc nng ngn chn nhng xm nhp c nghi ng IDS.
Nhng IDS va IPS trn thc t khng c s khc bit r rng. Mt s h thng IDS c thit k vi kh nang ngn chn nh mt chc nng ty chn. Trong khi mt s h thng IPS li khng mang y chc nng ca mt h thng phng chng theo ng ngha.
17/11/2013CNTT K1241.2 Phn loi IDS/IPS & phn tch u nhc im.
Type of IDS System
NIDSHIDSHibrid IDS
Operating Application
17/11/2013CNTT K1251.2.1 Network based IDS NIDS
IDS NIDS s dng d liu trn ton b lu thng mng cng vi d liu kim tra t mt hoc v my trm pht hin xm nhp.
17/11/2013CNTT K126u imNhc imChi ph thpPht hin c cc cuc tn cng m HIDS b quaKh xa b du vtPht hin ra i ph kp thiC tnh c lp caoB hn ch vi SwitchHn ch v hiu nngTng thng lng mngGp kh khn trong vic x l cc cuc tn cng trong mt phin c m haGp kh khn khi pht hin cc cuc tn cng mng t cc gi tin phn mnh.1.2.2 Host based IDS HIDS
S dng d liu kim tra t mt my trm n pht hin xm nhp.
Host-based IDS tm kim du hiu ca xm nhp vo mt host cc b; thng s dng cc c ch kim tra v phn tch cc thong tin c logic. N tm kim cc hot ng bt thng nh login, truy nhp file khng thch hp, bc leo thang cc c quyn khng c chp nhn.
17/11/2013CNTT K127u imNhc imXc nh c kt qu ca cuc tn cng.Gim st c cc hot ng c tht ca h thng.Pht hin cc xm nhp m NIDS b qua.Thch nghi tt vi mi trng chuyn mch, m ha.Khng yu cu thm phn cng.Kh qun trThng tin ngun khng an tonH thng host-based tng i tChim ti nguyn h thng17/11/2013CNTT K1281.3 C ch hot ng ca h thng IDS/IPS1.3.1 M hnh pht hin s lm dng
Pht hin s lm dng l pht hin nhng k xm nhp ang c gng t nhp vo h thng m s dng mt s k thut bit.
H thng pht hin s lm dng ch thc hin kim sot i vi cc mu r rng.
17/11/2013CNTT K129
17/11/2013CNTT K1210begingim bttc hiSDendhnh ng cah thng hinti = kch bnxm nhp
1.3.2 M hnh pht hin s bt thng1.3.2.1 Pht hin tnh
Gi thit: h thng c kim sot phi lun lun khng iPhn tnh ca h thng gm hai phn con:+ m h thng+ d liu ca h thngHai thng tin ny c biu din di dng mt xu bit nh phn hoc mt tp cc xu. Nu biu din ny c s sai khc so vi dng thc gc th hoc c li xy ra hoc mt k xm nhp no thay i n. Lc ny b pht hin tnh s c thng bo kim tra tnh ton vn d liu. lm iu ny, b pht hin tnh a ra mt vi xu bt c nh nh ngha trng thi mong mun ca h thng, ta s thu c mt biu din v trng thi . Sau n so snh biu din trng thi thu c vi biu din tng t. Bt k s khc nhau u th hin li hoc c xm phm17/11/2013CNTT K1211
1.3.2.2 Pht hin ngKhi nim hnh vi ca h thng: l mt chui cc s kin phn bit, sinh ra bi h iu hnh nh ngha cc s kin lien quan.Khi nim ngng phn bit gia vic s dng ti nguyn hp l hay bt thng.Nu khng chc chn hnh vi l bt thng hay khng, h thng c th da vo cc tham s c thit lp trong sut qu trnh khi to lien quan n hnh vi. Tuy nhin ranh gii trong trng hp ny khng r rang, c th dn n nhng cnh bo sai.Thng thng s dng phn loi thng k v cc lch chun xc nh ranh gii. Nu hnh vi nm bn ngoi th c cnh bo c xm nhp.
17/11/2013CNTT K12121.3.3 So snh gia hai m hnh
Pht hin s lm dngPht hi s bt thngBao gm:C s d liu cc du hiu tn cng.Tm kim cc so khp mu ng.Hiu qu trong vic pht hin cc dng tn cng bit hay cc bin th ca cc dng tn cng bit. Khng pht hin c cc dng tn cng mi.D cu hnh hn do i hi t hn v thu nhp d liu, phn tch v cp nhp.a ra kt lun da vo php so khp mu.C th kch hot mt thng ip cnh bo nh mt du hiu chc chn, hoc cung cp d li h tr cho cc du hiu khc.Bao gm:C s d liu cc hnh ng thng thng.Tm kim lch ca hnh ng thc t so vi hnh ng thng thng.Hiu qu trong vic pht hin cc dng tn cng mi m mt h thng pht hin s lm dng b qua.Kh cu hnh hn v a ra nhiu d liu hn, phi c mt khi nim ton din v hnh vi bit hay hnh vi c mong i ca h thng.a ra kt qu da vo tng quan bng thng k gia hnh vi thc t v hnh vi c mong i ca h thng.C th h tr vic t sinh thng tin h thng mt cch t ng nhng cn c thi gian v d liu thu thp c phi r rang.17/11/2013CNTT K1213ng dng Snort trong IDS/IPS
1. Gii thiu v Snort 2. Kin trc ca Snort3. Cu trc cua Snort4. Ch ngn chn ca Snort
1. Gii thiu v Snort
Nort l mt NID c Martin Roeh pht trin di m hnh m ngun m. Tuy nort min ph nhng n li c rt nhiu tnh nng tuyt vi m khng phi sn phm thng mi no cng c th c c. Bn cnh vic c th hot ng nh mt ng dng thu bt gi tin thng thng, nort cn c th c cu hnh chy nhmt NID. Nort h tr kh nng hot ng trn cc giao thc au: Ethernet, 802.11,Token Ring, FDDI, Cico HDLC, LIP, PPP, v PF ca OpenBD. Kin trc ca SnortNort bao gm nhiu thnh phn, vi mi phn c mt chc nng ring. Cc phn chnh l: Mun gii m gi tin (Packet Decoder) Mun tin xl (Preproceor) Mun pht hin (Detection Engine) Mun log v cnh bo (Logging and Alerting system) Mun kt xut thng tin (Output Module) M hnh kin trc hthng nort
1. Modun gii m gi tinSnort s dng th vin phn cp bt mi gi tin trn mng lu thng qua h thng
M un tin x l
Mun tin x l l mt mun rt quan trng i vi bt k mt h thng ID no c th chun b gi d liu a v cho mun pht hin phn tchBa nhim v chnh ca cc mun loi ny l:Kt hp li cc gi tinGii m v chun ha giao thc (decode/normalize)Pht hin cc xm nhp bt thng (nonrule /anormal)Mun pht hin
y l mun quan trng nht ca Nort. N chu trch nhim pht hin cc du hiu xm nhp. Mun pht hin s dng cc lut c nh ngha trc so nh vi d liu thu thp c t xc nh xem c xm nhp xy ra hay khng. Ri tip theo mi c th thc hin mt s cng vic nh ghi log, to thng bo v kt xut thng tin.
Mun pht hinMt mun pht hin cng c kh nng tch cc phn ca gi tin ra v p dng cc lut ln tng phn no ca gi tin . Cc phn c th l: IP header Header tng giao vn: TCP, UDP Header tng ng dng: DN header, HTTP header, FTP header, Phn ti ca gi tin (bn cng c thp dng cc lut ln cc phn d liu c truyn i ca gi tin).
Mun log v cnh bo
Ty thuc vo vic mun Pht hin c nhn dng uc xm nhp hay khng m gi tin c th b ghi log hoc a ra cnh bo. Cc file log l cc file text d liu trong c th c ghi di nhiu nh dng khc nhau chng hn tcpdump.
M un kt xut thng tinMun ny c th thc hin cc thao tc khc nhau ty theo vic bn mun lu kt qu xut ra nh th no.Ty theo vic cu hnh h thng m n c ththc hin cc cng vic nh l: Ghi log file Ghi ylog: ylog v mt chun lu tr cc file log c s dng rt nhiu trn cc h thng Unix, Linux. Ghi cnh bo vo c s d liu.
M un kt xut thng tinTo file log dng xml: vic ghi log file dng xml rt thun tin cho vic trao i v chia s d liu. Cu hnh li Router, firewall. Gi cc cnh bo c gi trong gi tin s dng giao thc NMP. Cc gi tin dng NMP ny s c gi ti mt NMP server t gip cho vic qun l cc cnh bo v h thng ID mt cch tp trung v thun tin hn. Gi cc thng ip MB (erver Meage Block) ti cc my tnh Window.
B lut ca Nort
Cu trc lut ca Nort Hy xem xt mt v d n gin : alert tcp 192.168.2.0/24 23 -> any any (content:confidential; mg: Detectedconfidential)Ta thy cu trc ca mt lut lun c 2 phn :1. Rule header2. Rule opition
B lut ca Nort Phn Header cha thng tin v hnh ng m lut s thc hin khi pht hin ra c xm nhp nm trong gi tin v n cng cha cc tiu chun p dng lut vi gi tin . Phn Option cha mt thng ip cnh bo v cc thng tin v cc phn ca gi tin dng to nn cnh bo. Phn Option cha cc tiu chun ph thm i snh lut vi gi tin. Mt lut c th pht hin c mt hay nhiu hot ng thm d hay tn cng. Cc lut thng minh c kh nng p dng cho nhiu du hiu xm nhp.
The end!17/11/2013CNTT K1227