Snort or Suricata. Part 1: Choosing a free IDS/IPS to protect your corporate network

There was a time when an ordinary firewall and anti-virus software were enough to protect a local network, but that combination is no longer effective against the attacks of today's hackers and the malware that has proliferated recently. A classic firewall only analyzes packet headers, allowing or blocking them according to a set of formal rules. It knows nothing about packet contents, and so it cannot recognize the outwardly legitimate actions of attackers. Anti-virus software does not always catch malware, so the administrator is left with the task of monitoring for anomalous activity and isolating infected hosts in time.


There are many advanced tools for protecting a company's IT infrastructure. Today we will talk about open-source intrusion detection and prevention systems, which can be deployed without buying expensive hardware and software licenses.

IDS/IPS classification

An IDS (Intrusion Detection System) is a system designed to record suspicious activity on a network or on an individual computer. It keeps event logs and notifies the staff responsible for information security about them. The following elements can be distinguished as components of an IDS:

  • sensors for monitoring network traffic, various logs, etc.;
  • an analysis subsystem that detects signs of malicious influence in the collected data;
  • storage for accumulating primary events and analysis results;
  • a management console.

Initially, IDS were classified by where they are placed: they could be aimed at protecting individual nodes (host-based, Host Intrusion Detection System - HIDS) or at protecting the entire corporate network (network-based, Network Intrusion Detection System - NIDS). The so-called APIDS (Application protocol-based IDS) also deserve a mention: they monitor a limited set of application-layer protocols to detect specific attacks and do not perform deep analysis of network packets. Such products usually resemble proxies and are used to protect specific services: a web server and web applications (for example, written in PHP), a database server, etc. A typical representative of this class is mod_security for the Apache web server.

We are more interested in general-purpose NIDS that support a wide range of communication protocols and DPI (Deep Packet Inspection) technologies. They monitor all passing traffic, starting from the data link layer, and detect a wide range of network attacks as well as attempts at unauthorized access to information. Such systems often have a distributed architecture and can interact with various active network equipment. Note that many modern NIDS are hybrid and combine several approaches. Depending on the configuration and settings, they can solve different tasks - for example, protecting a single node or the whole network. In addition, the IDS functions for workstations have been taken over by anti-virus suites, which, because of the spread of Trojans designed to steal information, have turned into multifunctional firewalls that also detect and block suspicious traffic.

Initially, an IDS could only detect malware activity, port scanners or, say, user violations of corporate security policy. When such an event occurred, it notified the administrator, but it quickly became clear that merely detecting an attack is not enough - it has to be blocked. So IDS evolved into IPS (Intrusion Prevention Systems) - intrusion prevention systems that can interact with firewalls.

Detection methods

Modern intrusion detection and prevention solutions use various methods to detect malicious activity, which can be divided into three categories. This gives us another way to classify the systems:

  • Signature-based IDS/IPS look for known patterns in traffic or monitor changes in the state of systems to identify a network attack or an infection attempt. They rarely miss what they know and rarely produce false positives, but they cannot detect unknown threats;
  • Anomaly-detecting IDS do not use attack signatures. They recognize abnormal behaviour of information systems (including anomalies in network traffic) and can detect unknown attacks. Such systems produce many false positives and, if used incorrectly, paralyze the operation of the local network;
  • Rule-based IDS work on the principle: if FACT then ACTION. Essentially, these are expert systems with knowledge bases - a set of facts and rules of logical inference. Such solutions are labour-intensive to set up and require the administrator to have a detailed understanding of the network.
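To make the three categories concrete, here is an added example (not code from the article, and not Snort or Suricata code) that applies each detection style to a small set of constructed connection events. The signature table, the port-fan-out threshold, the "internal" address prefix and the facts/rules are all assumptions made for the demonstration; the point it shows is the trade-off the list describes: the signature matcher catches only the patterns it knows, the anomaly detector catches the unknown port sweep but also flags a legitimate internal scanner, and the rule engine fires only on the facts its rules name.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One observed connection attempt (constructed record, not a real packet format)."""
    ts: float      # seconds since capture start
    src: str
    dst: str
    dport: int
    payload: bytes


INTERNAL_PREFIX = "192.168."  # assumed address range of the protected LAN

# 1. Signature-based: byte patterns of attacks we already know about (constructed entries,
#    comparable in spirit to a "content" match but not real Snort/Suricata rules).
SIGNATURES = {
    "known-webshell-probe": b"cmd.exe?/c+",
    "known-sqli-probe": b"' OR 1=1--",
}


def signature_detect(events):
    """Return (rule name, source) for every event whose payload contains a known pattern."""
    hits = []
    for e in events:
        for name, pattern in SIGNATURES.items():
            if pattern in e.payload:
                hits.append((name, e.src))
    return hits


# 2. Anomaly-based: no attack knowledge at all; a source that touches more than max_ports
#    distinct ports within one time window is reported as abnormal.
def anomaly_detect(events, window=1.0, max_ports=4):
    per_window = defaultdict(set)
    for e in events:
        per_window[(e.src, int(e.ts // window))].add(e.dport)
    return sorted({("port-fanout", src)
                   for (src, _), ports in per_window.items() if len(ports) > max_ports})


# 3. Rule-based: first derive facts from the traffic, then apply "if FACT then ACTION".
def derive_facts(events):
    """Facts are (origin, source, destination port) triples."""
    facts = set()
    for e in events:
        origin = "internal" if e.src.startswith(INTERNAL_PREFIX) else "external"
        facts.add((origin, e.src, e.dport))
    return facts


RULES = [
    # (condition over one fact, action) - assumed policy for the demonstration
    (lambda origin, src, dport: origin == "external" and dport == 3389, "block"),  # RDP from outside
    (lambda origin, src, dport: origin == "internal" and dport == 6667, "alert"),  # IRC from inside
]


def rule_detect(events):
    actions = set()
    for origin, src, dport in derive_facts(events):
        for cond, action in RULES:
            if cond(origin, src, dport):
                actions.add((action, src, dport))
    return sorted(actions)


# Constructed sample traffic: documentation address ranges, nothing captured from a real network.
SAMPLE = [
    Event(0.1, "203.0.113.7", "192.168.1.10", 80, b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    Event(0.2, "203.0.113.7", "192.168.1.10", 80, b"GET /login?user=admin' OR 1=1-- HTTP/1.1"),
    Event(0.3, "203.0.113.9", "192.168.1.10", 80, b"GET /app?id=1;sleep(5) HTTP/1.1"),  # no signature for this
    Event(1.1, "198.51.100.4", "192.168.1.10", 22, b""),
    Event(1.2, "198.51.100.4", "192.168.1.10", 23, b""),
    Event(1.3, "198.51.100.4", "192.168.1.10", 25, b""),
    Event(1.4, "198.51.100.4", "192.168.1.10", 80, b""),
    Event(1.5, "198.51.100.4", "192.168.1.10", 443, b""),   # five ports in one second: sweep-like
    Event(2.0, "203.0.113.9", "192.168.1.20", 3389, b""),
    Event(2.5, "192.168.1.33", "203.0.113.50", 6667, b"NICK bot1"),
    Event(3.1, "192.168.1.2", "192.168.1.10", 22, b""),    # internal vulnerability scanner: legitimate,
    Event(3.2, "192.168.1.2", "192.168.1.10", 80, b""),    # but indistinguishable from a sweep for the
    Event(3.3, "192.168.1.2", "192.168.1.10", 443, b""),   # anomaly detector (a false positive)
    Event(3.4, "192.168.1.2", "192.168.1.10", 445, b""),
    Event(3.5, "192.168.1.2", "192.168.1.10", 3306, b""),
]


def run(events=SAMPLE):
    return {
        "signature": signature_detect(events),
        "anomaly": anomaly_detect(events),
        "rules": rule_detect(events),
    }


if __name__ == "__main__":
    for method, result in run().items():
        print(f"{method:10s} -> {result}")
```

Running it, the signature matcher reports the two probes from 203.0.113.7 and says nothing about the unrecognised request from 203.0.113.9; the anomaly detector reports both the external sweep and the internal scanner; the rule engine reports only the two facts its rules cover. In a real NIDS the three styles are layered rather than chosen, which is what the article means by hybrid systems.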

History of IDS development

The era of rapid growth of the Internet and corporate networks began in the 1990s, but experts had been working on advanced network security technology somewhat earlier. In 1986, Dorothy Denning and Peter Neumann published the IDES (Intrusion detection expert system) model, which became the basis of modern intrusion detection systems. It used an expert system to identify known types of attacks, as well as statistical methods and user/system profiles. IDES ran on Sun workstations, checking network traffic and application data. In 1993, NIDES (Next-generation Intrusion Detection Expert System) was released - a next-generation intrusion detection expert system.

Building on the work of Denning and Neumann, the MIDAS (Multics intrusion detection and alerting system) expert system, using P-BEST and LISP, appeared in 1988. At the same time, the Haystack system, based on statistical methods, was created. Another statistical anomaly detector, W&S (Wisdom & Sense), was developed a year later at Los Alamos National Laboratory. The field was developing rapidly. For example, in 1990 the TIM (Time-based inductive machine) system already implemented anomaly detection using inductive learning on sequential user patterns (in Common LISP). NSM (Network Security Monitor) compared access matrices to detect anomalies, and ISOA (Information Security Officer's Assistant) supported several detection strategies: statistical methods, profile checking and an expert system. The ComputerWatch system created at AT&T Bell Labs used both statistical methods and rules for verification, and developers at the University of California produced the first prototype of a distributed IDS in 1991 - DIDS (Distributed Intrusion Detection System), which was also an expert system.

At first, IDS were proprietary, but in 1998 Lawrence Berkeley National Laboratory released Bro (renamed Zeek in 2018), an open-source system that uses its own rule language to analyze libpcap data. In November of the same year, the APE packet sniffer built on libpcap appeared; a month later it was renamed Snort, and it later grew into a full-fledged IDS/IPS. At the same time, numerous commercial solutions appeared as well.

Snort and Suricata

Many companies prefer free and open-source IDS/IPS. For a long time the already mentioned Snort was considered the standard solution, but now it has been displaced by the Suricata system. Let's look at their advantages and disadvantages in a little more detail. Snort combines the advantages of the signature-based method with the ability to detect anomalies in real time. Suricata also allows you to use other methods besides detecting attacks by signature. The system was created by a group of developers who split off from the Snort project; it has supported IPS functions since version 1.4, whereas Snort added the ability to prevent intrusions later.

The main difference between the two popular products is Suricata's ability to use GPU computing in IDS mode, as well as its more advanced IPS. The system was designed for multi-threading from the start, whereas Snort is a single-threaded product. Because of its long history and legacy code, Snort does not make optimal use of multiprocessor/multicore hardware platforms, while Suricata can handle traffic of up to 10 Gbps on ordinary general-purpose computers. One could talk at length about the similarities and differences between the two systems, but although the Suricata engine is faster, on channels that are not especially wide this does not matter much.

Deployment options

An IPS must be placed so that the system can monitor the network segments under its control. Most often this is a dedicated computer, one interface of which is connected behind the edge devices and "looks" through them into untrusted public networks (the Internet). A second IPS interface is connected to the entry point of the protected segment so that all traffic passes through the system and is analyzed. In more complex cases there may be several protected segments: for example, in corporate networks a demilitarized zone (DMZ) with services accessible from the Internet is often set apart.


Such an IPS can prevent port scanning or password brute-force attacks, exploitation of vulnerabilities in a mail server, web server or scripts, and other kinds of external attacks. If computers on the local network are infected with malware, the IDS will not let them contact botnet servers located outside. More serious protection of the internal network will most likely require a complex configuration with a distributed system and expensive managed switches that can mirror traffic to the IDS interface connected to one of the ports.

Corporate networks are often subjected to distributed denial-of-service (DDoS) attacks. Although modern IDS can cope with them, the deployment option above is unlikely to help. The system will detect malicious activity and block the bogus traffic, but for that to happen the packets must first pass through the external Internet connection and reach its network interface. Depending on the intensity of the attack, the data channel may not cope with the load and the attackers will have achieved their goal. For such cases we recommend deploying the IDS on a virtual server with a deliberately more powerful Internet connection. You can connect the VPS to the local network over a VPN and then configure routing of all external traffic through it. Then, in the event of a DDoS attack, you no longer have to push packets over the link to your provider; they will be blocked on the external node.


The problem of choice

It is very hard to name a leader among the free systems. The choice of IDS/IPS is determined by the network topology, the security functions required, and the personal preferences of the administrator and his willingness to tinker with settings. Snort has a long history and is better documented, although information on Suricata is also easy to find online. In any case, setting up the system will take some effort, which will pay off in the end - commercial hardware and hardware-software IDS/IPS appliances are quite expensive and do not always fit the budget. There is no point in regretting the time spent, because a good administrator is always improving his skills at the employer's expense. In this situation everyone wins. In the next article we will look at some options for deploying Suricata and compare the more modern system with the classic IDS/IPS Snort in practice.


Source: www.habr.com
