StealthWatch: analysis and investigation. Part 3

Cisco StealthWatch is an analytics solution in the field of information security that provides comprehensive threat monitoring across a distributed network. StealthWatch is based on collecting NetFlow and IPFIX from routers, switches and other network devices. As a result, the network itself becomes a sensitive sensor and lets the administrator look into places that traditional network security tools, such as Next-Generation Firewalls, cannot reach.

In previous articles I already wrote about StealthWatch: an initial introduction and its capabilities, and deployment and configuration. Now I propose to continue by discussing how to work with the alarms and investigate the security incidents that the solution generates. There will be 6 examples, which I hope will give a good picture of how useful the product is.

First, it should be said that StealthWatch has a certain division of alarms between algorithms and feeds. The first are the various kinds of alarms (notifications); when they fire, you can detect suspicious things on the network. The second are security incidents. This article looks at 4 examples of triggered algorithms and 2 examples of feeds.

1. Analysis of the largest interactions within the network

The first step in setting up StealthWatch is to define hosts and networks into groups. In the web interface tab Configure > Host Group Management, networks, hosts and servers should be classified into the appropriate groups. You can also create your own groups. Incidentally, analyzing interactions between hosts in Cisco StealthWatch is very convenient, since you can save not only the flow search filters but also the results themselves.

To start, in the web interface go to the Analyze > Flow Search tab. Then set the following parameters:

  • Search Type - Top Conversations (the most popular interactions)
  • Time Range - 24 hours (the time period; you can use another)
  • Search Name - Top Conversations Inside-Inside (any friendly name)
  • Subject - Host Groups → Inside Hosts (the source: the group of internal hosts)
  • Connection (you can specify ports, applications)
  • Peer - Host Groups → Inside Hosts (the destination: the group of internal nodes)
  • In Advanced Options you can also specify the collector whose data is searched and the sort order of the output (bytes, flows, etc.). I'll leave it at the default.

After clicking the Search button, a list of interactions is displayed, already sorted by the amount of data transferred.

In my example, host 10.150.1.201 (server) transferred 1.5 GB of traffic in just one flow to host 10.150.1.200 (client) over the MySQL protocol. The Manage Columns button lets you add more columns to the output.

Next, at the administrator's discretion, you can create a custom rule that will always trigger on such an interaction and notify you via SNMP, email or Syslog.
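To show what the Top Conversations search computes from raw flow records, here is an added example (not code from the article or from Cisco). It aggregates constructed unidirectional NetFlow-style records into bidirectional host-pair conversations restricted to an assumed "Inside Hosts" group (RFC 1918 space), ranks them by bytes, and applies the kind of threshold condition a custom rule would notify on; the record layout, the group definition and the service-port table are this example's assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed NetFlow-style records (sample data, not from the article): one
# record per unidirectional flow, as a collector would store it.
# (src, src_port, dst, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("10.150.1.201", 3306, "10.150.1.200", 51210, "TCP", 1_500_000_000),
    ("10.150.1.200", 51210, "10.150.1.201", 3306, "TCP", 8_000_000),
    ("10.150.2.10", 445, "10.150.1.55", 49152, "TCP", 200_000_000),
    ("10.150.1.55", 49152, "10.150.2.10", 445, "TCP", 120_000_000),
    ("10.150.1.77", 53122, "8.8.8.8", 53, "UDP", 4_000),
    ("8.8.8.8", 53, "10.150.1.77", 53122, "UDP", 12_000),
    ("10.150.3.3", 40000, "10.150.1.201", 3306, "TCP", 900_000),
]

# Stand-in for the "Inside Hosts" host group (assumed RFC 1918 space).
INSIDE_HOSTS = [ip_network("10.0.0.0/8"),
                ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]

# Well-known service ports, used to name the server side of a conversation.
SERVICES = {22: "SSH", 53: "DNS", 443: "HTTPS", 445: "SMB", 3306: "MySQL"}


def is_inside(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INSIDE_HOSTS)


def top_conversations(flows, subject=is_inside, peer=is_inside, limit=10):
    """Aggregate unidirectional flows into host-pair conversations.

    Both directions of a connection land in the same bucket: the pair is
    keyed on the two addresses in numeric order, so A->B and B->A merge.
    Returns [(host_a, host_b, service, total_bytes), ...] sorted by bytes.
    """
    totals = defaultdict(int)
    service = {}
    for src, sport, dst, dport, proto, nbytes in flows:
        # Same restriction as the search: Subject and Peer both Inside Hosts.
        if not (subject(src) and peer(dst)):
            continue
        key = tuple(sorted((src, dst), key=ip_address))
        totals[key] += nbytes
        # Label the conversation by whichever side sits on a well-known port.
        for port in (sport, dport):
            if port in SERVICES:
                service[key] = f"{SERVICES[port]} ({proto}/{port})"
        service.setdefault(key, f"{proto}/{dport}")
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(a, b, service[(a, b)], n) for (a, b), n in ranked[:limit]]


def over_threshold(conversations, limit_bytes):
    """The custom-rule condition: conversations moving more than limit_bytes.
    A real deployment would hand these to SNMP, email or Syslog."""
    return [c for c in conversations if c[3] > limit_bytes]


if __name__ == "__main__":
    convs = top_conversations(SAMPLE_FLOWS)
    for host_a, host_b, svc, n in convs:
        print(f"{host_a:14} <-> {host_b:14} {svc:18} {n / 1e9:7.3f} GB")
    for c in over_threshold(convs, 1_000_000_000):
        print("ALERT: conversation above 1 GB:", c)
```

The DNS flows to 8.8.8.8 drop out because the peer is not inside, and the MySQL server's 1.5 GB reply and the client's 8 MB of requests are summed into one conversation, which is what makes the ranking reflect the real volume of a relationship rather than one direction of it.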

2. Analysis of the slowest client-server interactions on the network by latency

The SRT (Server Response Time) and RTT (Round Trip Time) tags let you find server latency and overall network latency. This tool is especially useful when you need to quickly find the cause of user complaints about a slow application.

Note: almost all NetFlow exporters are unable to send the SRT and RTT tags, so in most cases, to see such data on the FlowSensor, you need to configure the network devices to send it a copy of the traffic. The FlowSensor in turn sends extended IPFIX to the FlowCollector.

It is more convenient to perform this analysis in the StealthWatch Java application, which is installed on the administrator's computer.

Right-click on Inside Hosts and go to the Flow Table tab.

Click on Filter and set the necessary parameters. For example:

  • Date/Time - For the last 3 days
  • Performance - Average Round Trip Time >= 50 ms

Once the data is displayed, we should add the RTT and SRT fields we are interested in. To do this, click on a column in the screenshot, right-click and select Manage Columns. Then tick the RTT and SRT parameters.

After the request was processed, I sorted by average RTT and saw the slowest interactions.

To go into the details, right-click on the flow and select Quick View.

This information shows that host 10.201.3.59 from the Sales and Marketing group accessed the DNS server over NFS for one minute and 23 seconds and has terrible latency. In the Interfaces tab you can find out which NetFlow exporter the information was obtained from. The Table tab shows more detailed information about the interaction.

Next, you should find out which devices send traffic to the FlowSensor; the problem may well be there.

Moreover, StealthWatch is unique in that it performs deduplication of data (it merges identical flows). Therefore, you can collect from almost all NetFlow devices without fear of ending up with a lot of duplicate data. On the contrary, in this scheme deduplication helps to understand which hop has the greatest latency.
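To make the last two points concrete, here is an added example (my own code, not the article's or Cisco's) that imitates the deduplication and the RTT filter on constructed records: the same connection is reported by several exporters along its path, the records are merged into one flow per 5-tuple and start time, the "Average Round Trip Time >= 50 ms" filter is applied, and for each slow flow the exporter that reported the highest RTT is named. The record layout, the exporter names and the server-versus-network triage rule are assumptions of this example.

```python
from statistics import mean

# Constructed records as several exporters on the path might report the same
# connection (sample data, not from the article). Fields:
# (client, cport, server, sport, proto, start, exporter, rtt_ms, srt_ms)
# A connection seen by three exporters yields three records; StealthWatch
# deduplicates these into one flow, which merge_flows() imitates here.
SAMPLE_RECORDS = [
    ("10.201.3.59", 51002, "10.201.0.10", 2049, "TCP", 1700000000, "access-sw1", 4, 2),
    ("10.201.3.59", 51002, "10.201.0.10", 2049, "TCP", 1700000000, "core-rtr", 9, 2),
    ("10.201.3.59", 51002, "10.201.0.10", 2049, "TCP", 1700000000, "dc-fw", 180, 2),
    ("10.201.3.12", 49300, "10.201.0.20", 443, "TCP", 1700000005, "access-sw1", 3, 40),
    ("10.201.3.12", 49300, "10.201.0.20", 443, "TCP", 1700000005, "core-rtr", 6, 40),
    ("10.201.3.80", 50010, "10.201.0.30", 22, "TCP", 1700000020, "access-sw1", 12, 1),
    ("10.201.3.80", 50010, "10.201.0.30", 22, "TCP", 1700000020, "core-rtr", 100, 1),
]


def merge_flows(records):
    """Deduplicate: one entry per (5-tuple, start time), keeping every
    exporter's RTT measurement so the path can be inspected hop by hop."""
    flows = {}
    for client, cport, server, sport, proto, start, exporter, rtt, srt in records:
        key = (client, cport, server, sport, proto, start)
        entry = flows.setdefault(key, {"rtt_by_exporter": {}, "srt_ms": srt})
        entry["rtt_by_exporter"][exporter] = rtt
    return flows


def slowest_flows(records, min_avg_rtt_ms=50):
    """Apply the filter 'Average Round Trip Time >= 50 ms' and sort by average
    RTT descending. Returns (client, server, port, avg_rtt_ms, srt_ms, worst_hop),
    where worst_hop is the exporter that reported the highest RTT."""
    out = []
    for (client, _cp, server, sport, _proto, _start), entry in merge_flows(records).items():
        rtts = entry["rtt_by_exporter"]
        avg_rtt = mean(rtts.values())
        if avg_rtt < min_avg_rtt_ms:
            continue
        worst_hop = max(rtts, key=rtts.get)
        out.append((client, server, sport, avg_rtt, entry["srt_ms"], worst_hop))
    return sorted(out, key=lambda row: row[3], reverse=True)


def triage(avg_rtt_ms, srt_ms):
    """Heuristic split (an assumption of this example, not a StealthWatch rule):
    a server response time above the network round trip points at the server;
    a large RTT with a small SRT points at the path."""
    return "server" if srt_ms > avg_rtt_ms else "network"


if __name__ == "__main__":
    for client, server, port, avg_rtt, srt, hop in slowest_flows(SAMPLE_RECORDS):
        print(f"{client} -> {server}:{port} avg RTT {avg_rtt:6.1f} ms "
              f"SRT {srt} ms, worst hop {hop} -> {triage(avg_rtt, srt)}")
```

In the sample the NFS connection looks fine at the access switch and the core router and only becomes slow at the exporter behind the data-centre firewall, which is exactly the kind of per-hop comparison that becomes possible once duplicates from several exporters are merged instead of discarded.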

3. Audit of HTTPS cryptographic protocols

ETA (Encrypted Traffic Analytics) is a technology developed by Cisco that lets you detect malicious connections in encrypted traffic without decrypting it. In addition, this technology lets you "break down" HTTPS into the TLS versions and cryptographic protocols used during the connections. This functionality is especially useful when you need to find network nodes that use weak crypto standards.

Note: you must first install the network app ETA Cryptographic Audit on StealthWatch.

Go to the Dashboards → ETA Cryptographic Audit tab and select the host group we plan to analyze. For the full picture, let's choose Inside Hosts.

You can see that the TLS version and the corresponding crypto standard are displayed. Following the usual scheme, in the Actions column go to View Flows, and the search opens in a new tab.

The output shows that host 198.19.20.136 used HTTPS with TLS 1.2 for 12 hours, with AES-256 as the encryption algorithm and SHA-384 as the hash function. In this way ETA lets you find weak algorithms on the network.
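The dashboard shows the TLS version and cipher suite per flow; the judgement of which ones are weak is up to the analyst. As an added example (not the article's or Cisco's code), the script below takes constructed flow records carrying the TLS metadata ETA attaches, parses the IANA cipher-suite names into key exchange, cipher and hash, and applies a simple policy (deprecated protocol versions, RC4/3DES/NULL/export ciphers, MD5 or SHA-1 MACs, key exchange without forward secrecy). The record layout and the policy lists are assumptions of this example; the first record mirrors the flow described above and comes out clean.

```python
# Constructed flow records carrying the TLS metadata ETA attaches to a flow
# (sample data, not from the article):
# (client, server, hours_observed, tls_version, cipher_suite)
SAMPLE_TLS_FLOWS = [
    ("198.19.20.136", "10.201.0.40", 12, "TLS 1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
    ("198.19.20.137", "10.201.0.41", 1, "TLS 1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("198.19.20.138", "10.201.0.41", 2, "TLS 1.2", "TLS_RSA_WITH_RC4_128_SHA"),
    ("198.19.20.139", "10.201.0.42", 3, "TLS 1.3", "TLS_AES_128_GCM_SHA256"),
    ("198.19.20.140", "10.201.0.43", 5, "TLS 1.2", "TLS_RSA_WITH_AES_128_CBC_SHA"),
]

# Policy used by this example (an assumption; adjust to your own baseline).
DEPRECATED_VERSIONS = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "3DES", "DES_", "NULL", "EXPORT")
WEAK_HASHES = {"MD5", "SHA"}          # a bare "SHA" in a suite name is SHA-1


def parse_suite(suite):
    """Split an IANA cipher-suite name into (key_exchange, cipher, hash).
    TLS 1.3 suites have no '_WITH_' part and no key-exchange field (None)."""
    body = suite[4:] if suite.startswith("TLS_") else suite
    if "_WITH_" in body:
        kex, rest = body.split("_WITH_", 1)
    else:
        kex, rest = None, body
    cipher, _, hash_name = rest.rpartition("_")
    return kex, cipher, hash_name


def audit(flows):
    """One finding per flow with the list of policy issues (empty when clean)."""
    findings = []
    for client, server, hours, version, suite in flows:
        kex, cipher, hash_name = parse_suite(suite)
        issues = []
        if version in DEPRECATED_VERSIONS:
            issues.append(f"deprecated protocol {version}")
        if any(tok in cipher for tok in WEAK_CIPHER_TOKENS):
            issues.append(f"weak cipher {cipher}")
        if hash_name in WEAK_HASHES:
            issues.append(f"weak MAC {hash_name}")
        if kex is not None and not kex.startswith(("ECDHE", "DHE")):
            issues.append(f"no forward secrecy ({kex})")
        findings.append({"client": client, "server": server, "hours": hours,
                         "version": version, "cipher": cipher, "hash": hash_name,
                         "issues": issues})
    return findings


def weak_hosts(flows):
    """Sorted list of clients with at least one policy issue."""
    return sorted({f["client"] for f in audit(flows) if f["issues"]})


if __name__ == "__main__":
    for f in audit(SAMPLE_TLS_FLOWS):
        status = "; ".join(f["issues"]) or "ok"
        print(f"{f['client']} -> {f['server']} {f['version']} {f['cipher']}/{f['hash']}: {status}")
```

Running the audit over a day of ETA output and diffing the weak-host list against the previous day is a cheap way to notice a newly deployed service that still speaks TLS 1.0 or a client library that negotiates RC4.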

4. Network anomaly analysis

Cisco StealthWatch can recognize traffic anomalies on the network using three tools: Core Events (security events), Relationship Events (events about interactions between segments and network nodes) and behavioral analysis.

Behavioral analysis, in turn, builds a behavioral model over time for a particular host or group of hosts. The more traffic passes through StealthWatch, the more accurate the alerts produced by this analysis become. At first the system generates many false positives, so the rules have to be "tuned" by hand. I recommend ignoring such events for the first few weeks, as the system will adjust itself, or adding them to the exceptions.

Below is an example of a predefined Anomaly rule, which states that the event fires, without raising an alarm, if a host in the Inside Hosts group interacts with the Inside Hosts group and the traffic exceeds 10 megabytes within 24 hours.

As an example, let's take the Data Hoarding alarm, which means that some source/destination host uploaded/downloaded an abnormally large amount of data from a host group or host. Click on the event and go to the table where the triggering hosts are shown. Next, select the host we are interested in in the Data Hoarding column.

An event is displayed indicating that 162k "points" were detected while the policy allows 100k "points"; these are StealthWatch's internal metrics. In the Actions column, click View Flows.

We can see that the host in question interacted at night with host 10.201.3.47 from the Sales & Marketing department over HTTPS and downloaded 1.4 GB. Perhaps this example is not entirely convincing, but the detection of interactions of even several hundred gigabytes works in exactly the same way. Therefore, further investigation of anomalies can lead to interesting results.
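StealthWatch's "points" are an internal metric, so the following added example (my own code, not the article's or Cisco's) models only the idea behind the two mechanisms described in this section: a learned per-host baseline of daily volume and a fixed policy floor such as the 10 MB / 24 h in the Anomaly rule above. It runs over constructed per-day byte counts and raises a Data Hoarding style event only when the latest day exceeds both the baseline (mean plus three standard deviations of the observation window) and the policy minimum. The window length, the multiplier and the sample volumes are assumptions of this example.

```python
from statistics import mean, pstdev

# Constructed per-day download volumes in bytes per host (sample data, not from
# the article). The first seven values are the observation window, the last is
# the day under review.
SAMPLE_DAILY_BYTES = {
    "10.201.3.47": [120_000_000, 90_000_000, 150_000_000, 110_000_000,
                    130_000_000, 95_000_000, 140_000_000, 1_400_000_000],
    "10.201.3.59": [40_000_000, 35_000_000, 50_000_000, 45_000_000,
                    38_000_000, 42_000_000, 47_000_000, 44_000_000],
    "10.201.3.80": [5_000_000, 6_000_000, 4_000_000, 5_000_000,
                    7_000_000, 5_000_000, 6_000_000, 9_000_000],
}


def baseline(history, k=3.0):
    """Upper edge of 'normal' daily volume learned from the window:
    mean plus k population standard deviations."""
    return mean(history) + k * pstdev(history)


def data_hoarding_events(daily_bytes, policy_min_bytes=10_000_000, k=3.0):
    """Flag hosts whose latest day exceeds both the learned baseline and the
    fixed policy minimum (the 10 MB / 24 h floor keeps tiny hosts from
    alerting on noise). Returns (host, bytes, limit, ratio) sorted by how
    far over the limit each host went."""
    events = []
    for host, series in daily_bytes.items():
        history, today = series[:-1], series[-1]
        limit = max(policy_min_bytes, baseline(history, k))
        if today > limit:
            events.append((host, today, round(limit), today / limit))
    return sorted(events, key=lambda e: e[3], reverse=True)


if __name__ == "__main__":
    for host, nbytes, limit, ratio in data_hoarding_events(SAMPLE_DAILY_BYTES):
        print(f"Data Hoarding: {host} moved {nbytes / 1e6:.0f} MB, "
              f"limit {limit / 1e6:.0f} MB ({ratio:.1f}x)")
```

Only 10.201.3.47 fires: 10.201.3.59 is well above the 10 MB floor but inside its own baseline, and 10.201.3.80 is above its baseline but below the floor. That interplay is why the article's advice to let the model settle for a few weeks matters: with a short window the standard deviation is small and almost any variation trips the baseline, and the policy floor is what keeps such hosts quiet in the meantime.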

Note: in the SMC web interface, data in the Dashboards tabs is shown only for the past week and in the Monitor tab for the past 2 weeks. To analyze older events and generate reports, you need to work with the Java console on the administrator's computer.

5. Finding internal network scans

Now let's look at some examples of feeds, that is, information security incidents. This functionality is of more interest to security specialists.

There are several preset scan event types in StealthWatch:

  • Port Scan - the source scans many ports on a single target host.
  • Addr tcp scan - the source scans the whole network on a single TCP port, varying the destination IP address. In this case the source receives TCP Reset packets or no response at all.
  • Addr udp scan - the source scans the whole network on the same UDP port, varying the destination IP address. In this case the source receives ICMP Port Unreachable packets or no response at all.
  • Ping Scan - the source sends ICMP requests to the whole network looking for responses.
  • Stealth Scan tcp/udp - the source used one and the same source port to connect to many ports on the destination node at the same time.

To find all internal scanners at once conveniently, there is a network app for StealthWatch, Visibility Assessment. Going to the Dashboards → Visibility Assessment → Internal Network Scanners tab, you will see the scan-related security incidents for the past 2 weeks.

By clicking the Details button, you will see when the scanning of each network started, the traffic trend and the corresponding alarms.

Next, you can "drill down" into the host from the tab in the previous screenshot and see the security events, as well as that host's activity over the past week.

As an example, let's analyze the Port Scan event from host 10.201.3.149 against 10.201.0.72 by clicking Actions > Associated Flows. A flow search is launched and the relevant information is displayed.

Here we see that 3 hours ago this host, from one of its ports, 51508/TCP, scanned the target host's ports 22, 28, 42, 41, 36, 40 (TCP). Some fields show no information because not all NetFlow fields are supported by the NetFlow exporter.
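To show how the five scan definitions listed above can be recognized from flow records like the ones in this search, here is an added example (my own detection logic, not the article's or Cisco's). It runs over constructed records that include, for each flow, what the collector saw coming back (SYN-ACK, RST, ICMP port unreachable, echo reply or nothing), and assigns each source the event types it matches: many ports on one host (Port Scan, and additionally Stealth Scan when one source port is reused), one port across many hosts answered with resets, unreachables or silence (Addr tcp/udp scan), and ICMP across many hosts (Ping Scan). The record layout, the reply field and the thresholds are assumptions of this example.

```python
from collections import defaultdict

# Constructed flow records (sample data, not from the article):
# (src, src_port, dst, dst_port, proto, reply), where reply is what the
# collector saw coming back: "SYN-ACK", "RST", "PORT-UNREACH", "ECHO-REPLY"
# or None when nothing answered.
SAMPLE_FLOWS = (
    # Port Scan: one source, one target, many destination ports
    [("10.201.3.149", 51500 + i, "10.201.0.72", p, "TCP", "RST")
     for i, p in enumerate([22, 28, 36, 40, 41, 42])]
    # Addr tcp scan: one TCP port across many targets, RST or silence
    + [("10.201.3.150", 40000 + i, f"10.201.0.{i}", 445, "TCP",
        "RST" if i % 2 else None) for i in range(1, 13)]
    # Addr udp scan: one UDP port across many targets, ICMP port unreachable
    + [("10.201.3.151", 40000 + i, f"10.201.1.{i}", 161, "UDP", "PORT-UNREACH")
       for i in range(1, 13)]
    # Ping Scan: ICMP echo to a whole range, a few hosts answer
    + [("10.201.3.152", 0, f"10.201.2.{i}", 0, "ICMP",
        "ECHO-REPLY" if i < 4 else None) for i in range(1, 13)]
    # Stealth Scan tcp: the same source port reused for every destination port
    + [("10.201.3.153", 51508, "10.201.0.80", p, "TCP", None)
       for p in range(8000, 8010)]
    # Ordinary client traffic: two servers, both answered with SYN-ACK
    + [("10.201.3.200", 52000, "10.201.0.10", 443, "TCP", "SYN-ACK"),
       ("10.201.3.200", 52001, "10.201.0.11", 443, "TCP", "SYN-ACK")]
)


def detect_scans(flows, port_threshold=5, host_threshold=10):
    """Return {source: set of matching scan event names} using the five
    definitions above. Thresholds are this example's assumptions."""
    by_src = defaultdict(list)
    for rec in flows:
        by_src[rec[0]].append(rec)

    events = {}
    for src, recs in by_src.items():
        found = set()

        # Port Scan / Stealth Scan: many destination ports on one target host.
        dports = defaultdict(set)   # (dst, proto) -> destination ports probed
        sports = defaultdict(set)   # (dst, proto) -> source ports used
        for _, sport, dst, dport, proto, _ in recs:
            if proto in ("TCP", "UDP"):
                dports[(dst, proto)].add(dport)
                sports[(dst, proto)].add(sport)
        for (dst, proto), ports in dports.items():
            if len(ports) >= port_threshold:
                found.add("Port Scan")
                if len(sports[(dst, proto)]) == 1:
                    found.add(f"Stealth Scan {proto.lower()}")

        # Addr scans / Ping Scan: the same port (or ICMP) across many targets.
        hosts = defaultdict(set)    # (proto, dport) -> distinct targets
        refused = defaultdict(int)  # (proto, dport) -> RST / unreachable / silent
        for _, _, dst, dport, proto, reply in recs:
            hosts[(proto, dport)].add(dst)
            if reply in (None, "RST", "PORT-UNREACH"):
                refused[(proto, dport)] += 1
        for (proto, dport), targets in hosts.items():
            if len(targets) < host_threshold:
                continue
            if proto == "ICMP":
                found.add("Ping Scan")
            elif refused[(proto, dport)] * 2 >= len(targets):
                found.add(f"Addr {proto.lower()} scan")

        if found:
            events[src] = found
    return events


if __name__ == "__main__":
    for src, names in sorted(detect_scans(SAMPLE_FLOWS).items()):
        print(f"{src}: {', '.join(sorted(names))}")
```

The reply field is what separates a scan from a busy client: the ordinary host that opens two HTTPS sessions and gets SYN-ACKs stays silent, while the host that touches twelve addresses on port 445 and collects resets or nothing at all is reported. Sources appearing here with Port Scan and Stealth Scan at the same time are the ones worth checking first, since the reused source port is a deliberate choice rather than normal client behaviour.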

6. Analysis of malware downloads using CTA

CTA (Cognitive Threat Analytics) is Cisco's cloud analytics, which integrates seamlessly with Cisco StealthWatch and lets you complement signature-less analysis with signature-based analysis. This makes it possible to detect Trojans, network worms, zero-day malware and other malware, and to track their spread within the network. Also, the previously mentioned ETA technology lets you analyze such malicious communications in encrypted traffic.

Right on the first page of the web interface there is a dedicated Cognitive Threat Analytics widget. A brief summary shows the threats detected on user hosts: Trojans, fraudulent software, annoying adware. The word "Encrypted" in fact indicates ETA at work. By clicking on a host, all the information about it appears, including security events and the CTA logs.

Hovering over each stage of the CTA event shows detailed information about the interaction. For a full analysis, click View Incident Details here, and you will be taken to a separate Cognitive Threat Analytics console.

In the upper right corner, a filter lets you display events by severity level. When you point at a specific anomaly, logs appear at the bottom of the screen with the corresponding timeline on the right. Thus the information security specialist understands clearly which host got infected, after which actions, and what actions it then started to perform.

Below is another example: a banking Trojan that infected host 198.19.30.36. This host began interacting with malicious domains, and the logs show information on the flows of these interactions.

Next, one of the best possible responses is to quarantine the host, thanks to the native integration with Cisco ISE, for further remediation and analysis.

Conclusion

The Cisco StealthWatch solution is one of the leaders among network monitoring products, both in terms of network analysis and information security. Thanks to it, you can detect illegitimate interactions within the network, application delays, the most active users, anomalies, malware and APTs. Moreover, you can find scanners and pentesters, and conduct a cryptographic audit of HTTPS traffic. You can find more use cases at the link.

If you want to check how smoothly and effectively all of this works on your network, send us a request.
In the near future we are planning several more technical publications on various information security products. If you are interested in this topic, follow the updates in our channels (Telegram, Facebook, VK, TS Solution Blog)!

Source: www.habr.com