Flow protocols as a tool for monitoring the security of an internal network

When it comes to monitoring the security of an internal corporate or departmental network, many people associate it with controlling information leaks and deploying DLP solutions. And if you try to refine the question and ask how attacks on the internal network are detected, the usual answer is a mention of intrusion detection systems (IDS). What was the only option 10-20 years ago is becoming an anachronism today. There is a more effective, and in some places the only possible, option for monitoring an internal network: using flow protocols, which were originally designed to find network problems (troubleshooting) but over time turned into a very interesting security tool. Within this article we will talk about which flow protocols exist and which are better at detecting network attacks, where it is best to implement flow monitoring, what to look for when deploying such a scheme, and even how to "raise" all of this on domestic equipment.

I will not dwell on the question "Why is monitoring the security of the internal infrastructure needed?" The answer seems clear. But if you would still like to make sure once more that today you cannot live without it, watch a short video about how you can get into a corporate network protected by a firewall in 17 ways. So we will assume we understand that internal monitoring is necessary, and all that remains is to understand how to organize it.

I would single out three key data sources for monitoring infrastructure at the network level:

  • "raw" traffic that we capture and submit to analysis systems,
  • events from the network devices that the traffic passes through,
  • traffic information received via one of the flow protocols.

Capturing raw traffic is the most popular option among security specialists, because it appeared first historically. Conventional network intrusion detection systems (the very first commercial intrusion detection system was NetRanger from the Wheel Group, bought in 1998 by Cisco) did exactly this: they captured packets (and later sessions) and looked in them for certain signatures ("decision rules" in FSTEC terminology) that signal attacks. Of course, you can analyze raw traffic not only with an IDS but also with other tools (for example, Wireshark, tcpdump or the NBAR2 functionality in Cisco IOS), but they usually lack the knowledge base that distinguishes an information security tool from an ordinary IT tool.

So, intrusion detection systems. This is the oldest and most popular method of detecting network attacks. It does a good job at the perimeter (no matter which one: corporate, data center, segment, etc.) but fails in modern switched and software-defined networks. In a network built on conventional switches, the infrastructure of intrusion detection sensors becomes too large: you have to put a sensor on every connection to the node whose attacks you want to monitor. Any vendor will, of course, be happy to sell you hundreds and thousands of sensors, but I think your budget cannot support such expenses. I can say that even at Cisco (and we are the developers of NGIPS) we could not do this, although it would seem that the question of price should not arise for us: it is, after all, our own solution. In addition, the question arises of how to connect the sensor in this setup. Inline? What if the sensor itself fails? Do you need a bypass module in the sensor? Should you use splitters? All of this makes the solution more expensive and unaffordable for a company of any size.

You can try to "hang" the sensor on a SPAN/RSPAN/ERSPAN port and direct traffic to it from the required switch ports. This option partially removes the problem described in the previous paragraph but creates another: the SPAN port cannot accept absolutely all the traffic sent to it, because it does not have enough bandwidth. You will have to sacrifice something. Either leave some of the nodes without monitoring (and then you first need to prioritize them), or send not all traffic from a node but only a certain type. Either way, we may miss some attacks. In addition, the SPAN port may be needed for other purposes. As a result, we will have to review the existing network topology and possibly change it in order to cover your network as fully as possible with the number of sensors you have (and coordinate this with IT).

What if your network uses asymmetric routes? What if you have implemented or plan to implement SDN? What if you need to monitor virtualized machines or containers whose traffic never reaches a physical switch? These are questions that traditional IDS vendors do not like, because they do not know how to answer them. Perhaps they will persuade you that all these fashionable technologies are hype and you do not need them. Perhaps they will talk about the need to start small. Or perhaps they will say that you need to put a powerful thresher at the center of the network and direct all traffic to it using balancers. Whatever option is offered to you, you need to understand clearly how well it suits you, and only then decide on an approach to monitoring the information security of the network infrastructure. Returning to packet capture, I want to say that this method remains very popular and important, but its main purpose is border control: the borders between your organization and the Internet, between the data center and the rest of the network, between the process control system and the corporate segment. In these places, classic IDS/IPS still have a right to exist and do their job well.

Let's move on to the second option. Analysis of events coming from network devices can also be used for attack detection, but not as the main mechanism, since it detects only a small class of intrusions. In addition, it is inherently reactive: the attack must first occur, then it must be recorded by a network device, which in one way or another signals a problem with information security. There are several such ways: syslog, RMON or SNMP. The last two protocols are used for network monitoring in the context of information security only if we need to detect a DoS attack on the network equipment itself, since with RMON and SNMP you can, for example, monitor the load on the device's central processor or its interfaces. This is one of the "cheapest" options (everyone has syslog or SNMP), but also the least effective of all the ways of monitoring the information security of the internal infrastructure: many attacks are simply hidden from it. Of course, these sources should not be neglected, and the same syslog analysis helps you notice in time changes to the configuration of the device itself, or its compromise, but it is not well suited to detecting attacks on the network as a whole.

The third option is to analyze information about the traffic passing through a device that supports one of the flow protocols. In this case, regardless of the protocol, the flow infrastructure necessarily consists of three components:

  • Flow generation or export. This role is usually assigned to a router, switch or other network device which, by passing network traffic through itself, lets you extract key parameters from it, which are then sent to the collection module. For example, Cisco supports the Netflow protocol not only on routers and switches, including virtual and industrial ones, but also on wireless controllers, firewalls and even servers.
  • Flow collection. Given that a modern network usually has more than one network device, the problem of collecting and consolidating flows arises. It is solved with so-called collectors, which process the received flows and then pass them on for analysis.
  • Flow analysis. The analyzer takes on the main intellectual task and, applying various algorithms to the flows, draws certain conclusions. For example, as an IT function, such an analyzer can identify network bottlenecks or analyze the traffic load profile to further optimize the network. And for information security, such an analyzer can detect data leaks, the spread of malicious code or DoS attacks.

Do not think that this three-tier architecture is too complicated: all other options (except, perhaps, network monitoring systems working with SNMP and RMON) work the same way. We have a generator of data for analysis, which can be a network device or a stand-alone sensor. We have an alarm collection system and a management system for the entire monitoring infrastructure. The last two components can be combined in a single node, but in more or less large networks they are usually spread across at least two devices to ensure scalability and reliability.

Unlike packet analysis, which is based on studying the header and body data of each packet and the sessions it makes up, flow analysis relies on collecting metadata about network traffic. When, how much, from where and to where, how... these are the questions answered by analysis of network telemetry using the various flow protocols. Initially they were used to analyze statistics and find IT problems on the network, but then, as analytical mechanisms developed, it became possible to apply them to the same telemetry for security purposes. It should be noted again that flow analysis does not replace or supersede packet capture. Each of these methods has its own area of application. But in the context of this article, it is flow analysis that is best suited for monitoring internal infrastructure. You have network devices (whether they operate in a software-defined paradigm or according to static rules) that an attack cannot bypass. It can bypass a classic IDS sensor, but not a network device that supports a flow protocol. That is the advantage of this method.

On the other hand, if you need evidence for law enforcement or your own incident investigation team, you cannot do without packet capture: network telemetry is not a copy of traffic that can be used to collect evidence; it is needed for fast detection and decision-making in the field of information security. On the other hand, using telemetry analysis, you can "write" not all network traffic (if anything, Cisco deals with data centers :-), but only the traffic involved in the attack. Telemetry analysis tools in this respect complement traditional packet capture mechanisms well, giving commands for selective capture and storage. Otherwise, you will need a colossal storage infrastructure.

Imagine a network operating at 250 Mbit/sec. If you want to store all of this volume, you will need 31 MB of storage for one second of traffic transmission, 1.8 GB for one minute, 108 GB for one hour, and 2.6 TB for one day. To store daily data from a network with a bandwidth of 10 Gbit/s, you will need 108 TB of storage. But some regulators require security data to be stored for years... On-demand recording, which flow analysis helps you implement, reduces these values by orders of magnitude. By the way, if we talk about the ratio of the volume of recorded network telemetry data to full data capture, it is approximately 1 to 500. For the daily volumes given above, that is 5 and 216 GB respectively (you can even record it on an ordinary flash drive).

While for tools that analyze raw network data the capture method is almost the same from vendor to vendor, with flow analysis the situation is different. There are several flow protocols, and you need to know the differences between them in the context of security. The most popular is the Netflow protocol developed by Cisco. There are several versions of this protocol, differing in their capabilities and in the amount of traffic information recorded. The current version is the ninth (Netflow v9), on the basis of which the industry standard Netflow v10, also known as IPFIX, was developed. Today, most network vendors support Netflow or IPFIX in their equipment. But there are various other flow protocols (sFlow, jFlow, cFlow, rFlow, NetStream, etc.), of which sFlow is the most popular. It is the one most often supported by domestic manufacturers of network equipment because it is easy to implement. What are the key differences between Netflow, which has become a de facto standard, and sFlow? I would single out a few key ones. First, Netflow has user-customizable fields, as opposed to the fixed fields in sFlow. And second, and this is the most important thing in our case, sFlow collects so-called sampled telemetry, in contrast to the unsampled telemetry of Netflow and IPFIX. What is the difference between them?

Imagine that you decide to read the book "Security Operations Center: Building, Operating, and Maintaining your SOC" by my colleagues Gary McIntyre, Joseph Muniz and Nadhem AlFardan (you can download part of the book from the link). You have three options for achieving your goal: read the whole book, skim through it, stopping at every 10th or 20th page, or try to find a retelling of the key concepts on a blog or a service like SmartReading. So unsampled telemetry is reading every "page" of network traffic, that is, analyzing the metadata for every packet. Sampled telemetry is the selective study of traffic in the hope that the selected samples will contain what you need. Depending on the channel speed, sampled telemetry sends every 64th, 200th, 500th, 1000th, 2000th or even 10000th packet for analysis.
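How every-Nth-packet sampling changes what an analyzer can recognise, as an added example that is not part of the original article. The traffic, addresses, thresholds and function names are constructed for illustration, and the sampler is simplified to a deterministic 1-in-N counter evaluated over every possible starting offset.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address

TOTAL = 32000                                      # packets in the constructed capture
ATOMIC = ("10.0.5.5", "10.0.9.20", 1434, "udp")    # a single-packet event
BURST = ("10.0.6.6", "10.0.9.30", 22, "tcp")       # a five-packet event


def build_packets():
    """Constructed traffic: one (src, dst, dport, proto) tuple per packet."""
    pkts = []
    for i in range(TOTAL):
        slot = i % 25
        if slot < 15:        # 60 %: volumetric flood from one internal host
            pkts.append(("10.0.2.66", "10.0.9.10", 80, "udp"))
        elif slot < 24:      # 36 %: nine ordinary clients of one server
            pkts.append((f"10.0.1.{slot - 14}", "10.0.9.10", 443, "tcp"))
        else:                # 4 %: address sweep, one packet per target
            target = str(ip_address("10.20.0.0") + i // 25)
            pkts.append(("10.0.3.7", target, 445, "tcp"))
    pkts[1015] = ATOMIC                 # overwrite background packets
    pkts[5015:5020] = [BURST] * 5
    return pkts


def export_flows(pkts, n=1, phase=0):
    """Exporter: keep every n-th packet (n=1 is unsampled), aggregate to flows."""
    return Counter(pkts[phase::n])


def analyze(flows, n=1, flood_pkts=10000, scan_dsts=500):
    """Analyzer: return the set of events recognisable in the flow records."""
    found = set()
    targets = defaultdict(set)
    for (src, dst, dport, proto), count in flows.items():
        if count * n >= flood_pkts:     # scale sampled counts back up
            found.add("flood")
        targets[(src, dport)].add(dst)
    # One source touching many destinations on one port looks like a sweep.
    if any(len(dsts) * n >= scan_dsts for dsts in targets.values()):
        found.add("scan")
    if ATOMIC in flows:
        found.add("atomic")
    if BURST in flows:
        found.add("burst")
    return found


def detection_rate(pkts, n):
    """Fraction of the n possible sampler offsets in which each event is found."""
    hits = Counter()
    for phase in range(n):
        hits.update(analyze(export_flows(pkts, n, phase), n))
    return {event: hits[event] / n for event in ("flood", "scan", "atomic", "burst")}


if __name__ == "__main__":
    packets = build_packets()
    for rate in (1, 64):
        print(f"1-in-{rate}:", detection_rate(packets, rate))
```

With 1-in-64 sampling the flood and the sweep are found at every offset, while the single packet is exported at only one offset in 64 and the five-packet burst at five in 64.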

In the context of information security monitoring, this means that sampled telemetry is well suited to detecting DDoS attacks, scanning and the spread of malicious code, but it can miss atomic or multi-packet attacks that did not fall into the sample sent for analysis. Unsampled telemetry has no such shortcomings. With it, the range of detectable attacks is much wider. Here is a short list of events that can be detected using network telemetry analysis tools.

Of course, an open-source Netflow analyzer will not let you do this, since its main task is to collect telemetry and perform basic analysis on it from an IT point of view. To identify information security threats based on flow, the analyzer must be equipped with various engines and algorithms that identify cybersecurity problems based on standard or custom Netflow fields, enrich the standard data with external data from various Threat Intelligence sources, etc.

So, if you have a choice, choose Netflow or IPFIX. But even if your equipment works only with sFlow, like that of domestic manufacturers, you can still benefit from it in a security context.

In the summer of 2019, I analyzed the capabilities of Russian network hardware manufacturers, and all of them, except NSG, Polygon and Craftway, declared support for sFlow (at least Zelax, Natex, Eltex, QTech, Rusteleteh).

The next question you will face is where to implement flow support for security purposes. Actually, the question is not put quite correctly. Modern equipment almost always supports flow protocols. So I would reformulate the question: where is it most effective to collect telemetry from a security point of view? The answer is fairly obvious: at the access level, where you will see 100% of all traffic, where you will have detailed information about hosts (MAC, VLAN, interface ID), and where you can even monitor P2P traffic between hosts. That is critical for detecting scanning and the distribution of malicious code. At the core level you may simply not see some of the traffic, and at the perimeter level you will see at best a quarter of all your network traffic. And if for some reason you have foreign devices on your network that let attackers "enter and exit" without crossing the perimeter, then analyzing telemetry from the perimeter will give you nothing. Therefore, for maximum coverage, it is recommended to enable telemetry collection at the access level. At the same time, it is worth noting that even when we are talking about virtualization or containers, flow support is often found in modern virtual switches too, which lets you control traffic there as well.

But since I have raised the topic, I need to answer the question: what if the equipment, physical or virtual, does not support flow protocols? Or enabling it is prohibited (for example, in industrial segments, to ensure reliability)? Or turning it on leads to high CPU load (this happens on older hardware)? To solve this problem there are dedicated virtual sensors (flow sensors), which are essentially ordinary splitters that pass traffic through themselves and relay it in the form of flow to the collection module. True, in this case we get the whole set of problems that we discussed above in relation to packet capture tools. That is, you need to understand not only the advantages of flow analysis technology, but also its limitations.

There is another important point to remember when talking about flow analysis tools. While for conventional means of generating security events we use the EPS (events per second) metric, this indicator does not apply to telemetry analysis; it is replaced by FPS (flows per second). As with EPS, it cannot be calculated in advance, but you can estimate the approximate number of flows that a particular device generates depending on its task. You can find tables on the Internet with approximate values for different types of enterprise devices and conditions, which will let you estimate what licenses you need for the analysis tools and what their architecture will be. The fact is that an IDS sensor is limited by the bandwidth it can "pull", and a flow collector has its own limits that must be understood. Therefore, large geographically distributed networks usually have several collectors. When I described how the network is monitored inside Cisco, I already gave the number of our collectors: there are 21 of them. And this is for a network scattered across five continents and numbering about half a million active devices.

As our Netflow monitoring system we use our own solution, Cisco Stealthwatch, which is specifically focused on solving security problems. It has many built-in engines for detecting anomalous, suspicious and clearly malicious activity, which lets you detect a wide range of different threats, from cryptomining to information leaks, from the spread of malicious code to fraud. Like most flow analyzers, Stealthwatch is built on a three-tier scheme (generator - collector - analyzer), but it is supplemented with a number of interesting features that are important in the context of the material under consideration. First, it integrates with packet capture solutions (such as Cisco Security Packet Analyzer), which lets you record selected network sessions for later in-depth investigation and analysis. Second, specifically to extend security tasks, we developed a special nvzFlow protocol, which lets you "translate" the activity of applications on end nodes (servers, workstations, etc.) into telemetry and send it to the collector for further analysis. While in its original version Stealthwatch works with any flow protocol (sFlow, rFlow, Netflow, IPFIX, cFlow, jFlow, NetStream) at the network level, nvzFlow support allows data correlation at the node level as well, thereby increasing the effectiveness of the whole system and seeing more attacks than conventional network flow analyzers.

It is clear that when talking about Netflow analysis systems from a security point of view, the market is not limited to a single solution from Cisco. You can use both commercial and free or shareware solutions. It would be rather strange if I cited competitors' solutions as examples on the Cisco blog, so I will say a few words about how network telemetry can be analyzed using two popular tools, similar in name but still different: SiLK and ELK.

SiLK is a set of tools (the System for Internet-Level Knowledge) for traffic analysis, developed by the American CERT/CC. In the context of today's article, it supports Netflow (5th and 9th, the most popular versions), IPFIX and sFlow, and uses various utilities (rwfilter, rwcount, rwflowpack, etc.) to perform various operations on network telemetry in order to detect signs of unauthorized actions in it. But there are a couple of important points to note. SiLK is a command-line tool, and carrying out analysis on the command line by entering commands like this one (detecting ICMP packets larger than 200 bytes):

rwfilter --flowtypes=all/all --proto=1 --bytes-per-packet=200- --pass=stdout | rwcut --fields=sIP,dIP,iType,iCode --num-recs=15

is not very convenient. You can use the iSiLK GUI, but it will not make your life much easier; it only handles visualization and does not replace the analyst. And that is the second point. Unlike commercial solutions, which already have a solid analytical base, anomaly detection algorithms, associated workflows and so on, in the case of SiLK you have to do all of this yourself, which requires somewhat different skills from you than using ready-made tools. This is neither good nor bad: it is a feature of almost any free tool that it assumes you know what to do and will only help you with it (commercial tools depend less on the skills of their users, although they also assume that analysts understand at least the basics of network investigation and monitoring). But back to SiLK. The analyst's work cycle with it looks like this:

  • Formulating a hypothesis. We must understand what we will look for inside network telemetry, and know the unique attributes by which we will identify certain anomalies or threats.
  • Building a model. Having formulated a hypothesis, we program it using the same Python, shell or other tools not included in SiLK.
  • Testing. Now it is time to check the correctness of our hypothesis, which is confirmed or refuted using the SiLK utilities whose names start with 'rw', 'set', 'bag'.
  • Analysis of real data. In production, SiLK helps us identify something, and the analyst must answer the questions "Did we find what we expected?", "Does this correspond to our hypothesis?", "How do we reduce the number of false positives?", "How do we improve the level of detection?" and so on.
  • Improvement. At the final stage, we improve what was done earlier: we create templates, improve and optimize the code, reformulate and refine the hypothesis, etc.

This cycle also applies to Cisco Stealthwatch, only the latter automates these five steps to the maximum, reducing the number of analyst errors and increasing the efficiency of incident detection. For example, in SiLK you can enrich network statistics with external data on malicious IPs using hand-written scripts, while in Cisco Stealthwatch it is a built-in function that immediately raises an alarm if network traffic contains interactions with IP addresses from the blacklist.
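One way to script the blacklist enrichment mentioned above (an added example, not code from SiLK, Cisco or the article's author): it reads text in the pipe-delimited column layout that rwcut prints and matches both ends of each flow against a feed of listed addresses. The column titles, the feed format and every address are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in rwcut's pipe-delimited layout (column titles assumed).
RWCUT_OUTPUT = """\
            sIP|            dIP|sPort|dPort|protocol|   packets|     bytes|
      10.1.4.17|  198.51.100.23|51514|  443|       6|        42|     58211|
      10.1.4.17|      10.1.9.10|51515|  445|       6|         9|      1310|
      10.1.7.80|  203.0.113.200|49200|   53|      17|      1200|    912000|
    203.0.113.9|      10.1.7.80|   53|49200|      17|       800|     96000|
      10.1.2.33|     192.0.2.44|40000|   80|       6|        12|      9000|
      garbage line without enough columns
"""

# Constructed threat-intelligence feed: comments, single hosts, CIDR ranges.
BLOCKLIST = """\
# feed: example-bad-ips (constructed)
198.51.100.23
203.0.113.0/24   ; sinkholed range
not-an-ip
"""


def parse_blocklist(text):
    """Return the networks named in a feed, ignoring comments and junk."""
    nets = []
    for line in text.splitlines():
        token = line.split("#")[0].split(";")[0].strip()
        if not token:
            continue
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            continue  # malformed entry: skip it rather than abort the run
    return nets


def parse_rwcut(text):
    """Turn pipe-delimited flow text into dicts keyed by the header titles."""
    rows = [l.strip().rstrip("|").split("|") for l in text.splitlines() if l.strip()]
    header = [c.strip() for c in rows[0]]
    flows = []
    for row in rows[1:]:
        if len(row) != len(header):
            continue  # truncated or foreign line
        rec = dict(zip(header, (c.strip() for c in row)))
        try:
            rec["sIP"] = ipaddress.ip_address(rec["sIP"])
            rec["dIP"] = ipaddress.ip_address(rec["dIP"])
            rec["packets"] = int(rec["packets"])
            rec["bytes"] = int(rec["bytes"])
        except ValueError:
            continue
        flows.append(rec)
    return flows


def match_flows(flows, nets):
    """Return (flow, listed_side, network) for every flow touching the list."""
    hits = []
    for flow in flows:
        for side in ("sIP", "dIP"):  # check both directions of the exchange
            net = next((n for n in nets if flow[side] in n), None)
            if net is not None:
                hits.append((flow, side, net))
    return hits


def exposure_by_host(hits):
    """Total bytes each non-listed peer exchanged with listed addresses."""
    totals = defaultdict(int)
    for flow, side, _ in hits:
        peer = flow["dIP"] if side == "sIP" else flow["sIP"]
        totals[str(peer)] += flow["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    found = match_flows(parse_rwcut(RWCUT_OUTPUT), parse_blocklist(BLOCKLIST))
    for host, total in exposure_by_host(found):
        print(f"{host} exchanged {total} bytes with listed addresses")
```

Checking the source as well as the destination matters here: the fourth sample flow is a reply from a listed address, and a destination-only match would undercount the exposure of 10.1.7.80.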

If you go higher up the "paid" pyramid of flow analysis software, then after the absolutely free SiLK comes the shareware ELK, consisting of three key components: Elasticsearch (indexing, searching and data analysis), Logstash (data input/output) and Kibana (visualization). Unlike SiLK, where you have to write everything yourself, ELK already has many ready-made libraries/modules (some paid, some not) that automate the analysis of network telemetry. For example, the GeoIP filter in Logstash lets you associate monitored IP addresses with their geographical location (Stealthwatch has this feature built in).

ELK also has a fairly large community that fills in the components missing from this monitoring solution. For example, to work with Netflow, IPFIX and sFlow you can use the elastiflow module if you are not satisfied with the Logstash Netflow Module, which supports only Netflow.

Although it is more efficient at collecting flow and searching in it, ELK currently lacks rich built-in analytics for detecting anomalies and threats in network telemetry. That is, following the life cycle described above, you will have to describe violation models yourself and then use them in the production system (there are no built-in models there).

There are, of course, more sophisticated extensions for ELK that already contain some models for detecting anomalies in network telemetry, but such extensions cost money, and the question is whether the game is worth the candle: write a similar model yourself, buy its implementation for your monitoring tool, or buy a ready-made solution of the Network Traffic Analysis class.

In general, I do not want to get into the debate about whether it is better to spend money and buy a ready-made solution for monitoring anomalies and threats in network telemetry (for example, Cisco Stealthwatch) or to work it out yourself and customize the same SiLK, ELK or nfdump or OSU Flow Tools for each new threat (I talked about the last two of them last time). Everyone chooses for themselves, and everyone has their own motives for choosing either of the two options. I just wanted to show that network telemetry is a very important tool in ensuring the security of your internal infrastructure and you should not neglect it, so as not to join the list of companies whose names are mentioned in the media alongside the epithets "hacked", "non-compliant with information security requirements", "not thinking about the security of their data and customer data".

To summarize, I would like to list the key recommendations you should follow when building information security monitoring of your internal infrastructure:

  1. Do not limit yourself to the perimeter! Use (and choose) network infrastructure not only to move traffic from point A to point B, but also to address cybersecurity issues.
  2. Study the existing information security monitoring mechanisms in your network equipment and use them.
  3. For internal monitoring, give preference to telemetry analysis: it lets you detect up to 80-90% of all network information security incidents, while doing what is impossible when capturing network packets and saving space for storing all information security events.
  4. To monitor flows, use Netflow v9 or IPFIX: they provide more information in a security context and let you monitor not only IPv4, but also IPv6, MPLS, etc.
  5. Use an unsampled flow protocol: it provides more information for detecting threats. For example, Netflow or IPFIX.
  6. Check the load on your network equipment: it may not be able to handle the flow protocol as well. Then consider using virtual sensors or the Netflow Generation Appliance.
  7. Implement control first of all at the access level: this will give you the opportunity to see 100% of all traffic.
  8. If you have no choice and you are using Russian network equipment, then choose equipment that supports flow protocols or has SPAN/RSPAN ports.
  9. Combine intrusion/attack detection/prevention systems at the edges with flow analysis systems in the internal network (including in the clouds).

Regarding the last recommendation, I would like to give an illustration that I have already given before. You can see that while previously the Cisco information security service built almost its entire information security monitoring system on intrusion detection systems and signature methods, now they account for only 20% of incidents. Another 20% falls on flow analysis systems, which suggests that these solutions are not a whim but a real tool in the work of the information security services of a modern enterprise. Moreover, you already have the most important thing for implementing them: the network infrastructure, investments in which can be additionally protected by assigning information security monitoring functions to the network.

I deliberately did not touch on the topic of responding to anomalies or threats detected in network flows, but I think it is already clear that monitoring should not end with the detection of a threat. It should be followed by a response, preferably in automatic or automated mode. But that is a topic for a separate article.

PS. If it is easier for you to listen to everything written above, you can watch the hour-long presentation that formed the basis of this note.



Source: www.habr.com