Flow protocols as a tool for monitoring internal network security

When it comes to monitoring the security of an internal corporate or departmental network, many people associate it with controlling data leaks and deploying DLP solutions. If you make the question more precise and ask how attacks on the internal network are detected, the answer is usually a reference to intrusion detection systems (IDS). But what was the only option 10-20 years ago has become an anachronism today. There is a more effective option, and in some environments the only feasible one, for monitoring the internal network: flow protocols. They were originally designed to find network problems (troubleshooting), but over time they have turned into a very capable security tool. This article covers which flow protocols exist and which of them are better suited to detecting network attacks, where flow monitoring is best deployed, what to watch for when rolling out such a scheme, and even how to "set it all up" on domestically produced equipment.

I will not dwell on the question "Why is monitoring the security of the internal infrastructure necessary at all?" The answer seems obvious. But if you still want to convince yourself once more that you cannot do without it today, watch the short video about 17 ways to penetrate a corporate network protected by a firewall. So we will assume that internal monitoring is necessary and that all that remains is to understand how it can be organized.

I would single out three key data sources for monitoring the infrastructure at the network level:

  • "raw" traffic that we capture and hand over to some analysis system,
  • events from the network devices that the traffic passes through,
  • traffic information obtained via one of the flow protocols.


Capturing raw traffic is the most popular option among security specialists, simply because it appeared first historically. Classic network intrusion detection systems (the very first commercial one was NetRanger from Wheel Group, acquired by Cisco in 1998) did exactly that: they captured packets (and later sessions) and searched them for signatures ("decision rules" in FSTEC terminology) that signal an attack. Of course, raw traffic can be analyzed not only with an IDS but also with other tools (for example, Wireshark, tcpdump or the NBAR2 functionality in Cisco IOS), but those usually lack the knowledge base that distinguishes a security tool from an ordinary IT tool.

So, intrusion detection systems. The oldest and most popular way of detecting network attacks, which does an excellent job at the perimeter (of whatever kind: corporate, data center, segment, and so on) but fails in modern switched and software-defined networks. In a network built on ordinary switches, the sensor infrastructure becomes enormous: you would have to place a sensor on every link to every node you want to watch for attacks. Any vendor will, of course, gladly sell you hundreds or thousands of sensors, but I doubt your budget can bear that expense. I can say that even at Cisco (and we are the developer of NGIPS) we could not do this, although it would seem that price is not an obstacle for us, since it is our own product. Beyond that, further questions arise: how do you connect the sensor in such a design? Inline? What if the sensor itself fails? Does it need a bypass module? Do you use splitters (taps)? All of this makes the solution more expensive and, for a company of any size, impractical.


You can try to "hang" the sensor off a SPAN/RSPAN/ERSPAN port and mirror traffic from the switch ports of interest to it. This option partially removes the problem described in the previous paragraph but creates another one: a SPAN port cannot accept all the traffic that would be sent to it, because it does not have enough bandwidth. You will have to sacrifice something: either leave some nodes unmonitored (in which case you need to prioritize them first), or mirror not all of a node's traffic but only certain kinds of it. Either way, some attacks will be missed. In addition, the SPAN port may be needed for other purposes. As a result, you will have to review the existing network topology and possibly adjust it so that the sensors you have cover as much of the network as possible (and agree all of this with the IT team).

What if your network uses asymmetric routing? What if you have deployed, or plan to deploy, SDN? What if you need to monitor virtual machines or containers whose traffic never reaches a physical switch at all? These are questions traditional IDS vendors dislike, because they do not know how to answer them. Perhaps they will persuade you that all these fashionable technologies are hype and you do not need them. Perhaps they will talk about starting small. Or perhaps they will tell you to put a powerful "thresher" in the center of the network and steer all traffic to it with load balancers. Whatever option you are offered, you need to understand clearly how it fits your situation, and only then decide on an approach to monitoring the security of your network infrastructure. Returning to packet capture: this method remains very popular and important, but its main purpose is border control, the border between your organization and the Internet, the border between the data center and the rest of the network, the border between the industrial control segment and the corporate segment. In those places classic IDS/IPS still has every right to exist and copes well with its tasks.


Let us move on to the second option. Analyzing events emitted by network devices can also be used for attack detection, but not as the main mechanism, since it only lets you detect a small class of intrusions. It is also inherently reactive: the attack must first happen, then be registered by the network device, which in one way or another signals a security problem. There are several channels for this: syslog, RMON or SNMP. The last two protocols are useful for security monitoring only when you need to detect a DoS attack against the network equipment itself, since with RMON and SNMP you can, for example, monitor the load on the device's CPU or its interfaces. This is one of the "cheapest" methods (everyone has syslog or SNMP), but also the least effective of all methods for monitoring the security of the internal infrastructure: many attacks are simply invisible to it. It should not be neglected, of course, and the same syslog analysis helps you spot changes to a device's configuration or its compromise in good time, but it is poorly suited to detecting attacks across the whole network.

The third option is to analyze information about the traffic passing through a device that supports one of several flow protocols. In this case, regardless of the protocol, the flow infrastructure necessarily consists of three components:

  • Flow generation or export. This role is usually assigned to a router, switch or other network device which, as it forwards traffic, extracts key parameters from it and sends them on to the collection module. For example, Cisco supports the Netflow protocol not only on routers and switches, including virtual and industrial ones, but also on wireless controllers, firewalls and even servers.
  • Flow collection. Given that a modern network usually contains more than one network device, the flows must be gathered and consolidated. This is done by so-called collectors, which process the received flows and then pass them on for analysis.
  • Flow analysis. The analyzer carries the main intellectual load: it applies various algorithms to the flows and draws conclusions from them. As part of an IT function, such an analyzer can, for example, find bottlenecks in the network or profile traffic load for further network optimization. For security, the same kind of analyzer can detect data leaks, the spread of malicious code or DoS attacks.

Do not think that this three-tier architecture is overly complicated: all the other options (except, perhaps, network monitoring with SNMP and RMON) work the same way. There is a generator of data for analysis, which can be a network device or a standalone sensor. There is an alarm collection system and a management system for the whole monitoring infrastructure. The last two components can be combined in a single node, but in more or less large networks they are usually spread across at least two devices for scalability and reliability.


Unlike packet analysis, which studies the header and body of every packet and the sessions they make up, flow analysis is based on collecting metadata about network traffic. When, how much, from where to where, how... these are the questions answered by analyzing the network telemetry that the various flow protocols produce. Initially they were used to gather statistics and find IT problems in the network, but as the analytical methods matured it became possible to apply the same telemetry to security. It is worth repeating that flow analysis does not replace or displace packet capture; each method has its own area of application. In the context of this article, though, flow analysis is the best fit for monitoring the internal infrastructure. You have network devices (whether they operate in a software-defined paradigm or by static rules) that an attack cannot bypass. It can bypass a classic IDS sensor, but not a network device that supports a flow protocol. That is the advantage of this approach.

On the other hand, if you need evidence for law enforcement or for your own incident response team, you cannot do without packet capture: network telemetry is not a copy of the traffic that can be used to collect evidence, it is meant for fast detection and decision-making. At the same time, with telemetry analysis you can "record" not all network traffic (if anything, Cisco also has data centers to deal with :-) but only the traffic involved in an attack. In this respect, telemetry analysis tools complement traditional packet capture mechanisms well, by issuing commands for selective capture and storage. Otherwise you would need a colossal storage infrastructure.

Imagine a network link running at 250 Mbit/s. If you want to keep all of that volume, you need about 31 MB of storage for every second of traffic, 1.8 GB per minute, 108 GB per hour and 2.6 TB per day. To store one day of data from a network with 10 Gbit/s of bandwidth, you need 108 TB of storage. And some regulators require security data to be retained for years... On-demand recording, which flow analysis helps you implement, cuts these costs by orders of magnitude. Incidentally, the ratio between the volume of recorded network telemetry and a full packet capture is roughly 1 to 500. For the same figures given above, keeping a full day's telemetry takes about 5 GB and 216 GB respectively (the former even fits on an ordinary flash drive).

Whereas for raw traffic analysis tools the capture method is almost the same from vendor to vendor, with flow analysis the situation is different. There are several flow protocol variants, and you need to know how they differ in a security context. The most popular is the Netflow protocol developed by Cisco. It exists in several versions, which differ in their capabilities and in how much information about the traffic they record. The current version is the ninth (Netflow v9), on the basis of which the industry standard Netflow v10, better known as IPFIX, was developed. Today most network vendors support Netflow or IPFIX in their equipment. But there are other flow protocols as well: sFlow, jFlow, cFlow, rFlow, NetStream and so on, of which sFlow is the most widespread. It is the one most often supported by domestic manufacturers of network equipment because it is simple to implement. What are the key differences between Netflow, which has become the de facto standard, and sFlow? I would highlight two. First, Netflow has user-customizable (template-defined) fields, as opposed to the fixed fields in sFlow. Second, and this is the most important point for our purposes, sFlow collects so-called sampled telemetry, in contrast to the unsampled telemetry of Netflow and IPFIX. What is the difference between them?
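The "customizable fields" property above is concrete in the wire format: a NetFlow v9 exporter sends a template FlowSet describing which fields it exports and in what order, and a collector cannot decode a data FlowSet until it has seen that template. The following self-contained Python example (added here; it is not code from the article, from Cisco or from any collector product) builds one export packet with a template and two constructed flow records, then decodes it with a template cache keyed by (source id, template id), and shows that a data FlowSet arriving before its template has to be set aside. Field numbers are those of RFC 3954; the template layout, addresses and record values are assumptions made for the example.

```python
"""NetFlow v9 export/decode round trip with a template cache (added example)."""
import struct
import ipaddress

# Information element IDs from RFC 3954 (NetFlow v9) used by the sample template.
IN_BYTES, IN_PKTS, PROTOCOL, TCP_FLAGS, L4_SRC_PORT = 1, 2, 4, 6, 7
IPV4_SRC_ADDR, INPUT_SNMP, L4_DST_PORT, IPV4_DST_ADDR, OUTPUT_SNMP, SRC_VLAN = 8, 10, 11, 12, 14, 58
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 6: "tcp_flags", 7: "src_port",
               8: "src_ip", 10: "input_if", 11: "dst_port", 12: "dst_ip", 14: "output_if",
               58: "src_vlan"}

# The exporter's template: (field id, length in bytes). Choosing which fields to export,
# and in what order, is the "customizable fields" property of NetFlow v9 / IPFIX.
TEMPLATE_ID = 256
TEMPLATE = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
            (PROTOCOL, 1), (TCP_FLAGS, 1), (IN_PKTS, 4), (IN_BYTES, 4),
            (INPUT_SNMP, 2), (OUTPUT_SNMP, 2), (SRC_VLAN, 2)]

# Constructed flows for the example (not real traffic): one SMB SYN, one HTTPS session.
SAMPLE_FLOWS = [
    {"src_ip": "10.1.2.10", "dst_ip": "10.1.9.5", "src_port": 51234, "dst_port": 445,
     "protocol": 6, "tcp_flags": 0x02, "in_pkts": 1, "in_bytes": 60,
     "input_if": 3, "output_if": 7, "src_vlan": 120},
    {"src_ip": "10.1.2.10", "dst_ip": "203.0.113.8", "src_port": 40001, "dst_port": 443,
     "protocol": 6, "tcp_flags": 0x1b, "in_pkts": 512, "in_bytes": 611_000,
     "input_if": 3, "output_if": 1, "src_vlan": 120},
]

def _encode(field_id, length, value):
    if field_id in (IPV4_SRC_ADDR, IPV4_DST_ADDR):
        return ipaddress.IPv4Address(value).packed
    return int(value).to_bytes(length, "big")

def _decode(field_id, raw):
    if field_id in (IPV4_SRC_ADDR, IPV4_DST_ADDR):
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")

def build_export_packet(flows, source_id=1, seq=1, uptime_ms=123_456, unix_secs=1_600_000_000):
    """Exporter side: header + template FlowSet (id 0) + data FlowSet (id == template id)."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    tmpl += b"".join(struct.pack("!HH", fid, flen) for fid, flen in TEMPLATE)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = b"".join(_encode(fid, flen, f[FIELD_NAMES[fid]]) for f in flows for fid, flen in TEMPLATE)
    data += b"\x00" * ((-len(data)) % 4)           # FlowSets are padded to a 4-byte boundary
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    # Header: version, record count (template + data records), sysUptime, unix secs, sequence, source id.
    header = struct.pack("!HHIIII", 9, 1 + len(flows), uptime_ms, unix_secs, seq, source_id)
    return header + template_fs + data_fs

def parse_export_packet(packet, template_cache):
    """Collector side. Returns (records, ids of data FlowSets skipped for lack of a template).
    template_cache maps (source_id, template_id) -> field list and persists across packets."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    records, missing, pos = [], [], 20
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:                               # template FlowSet; may carry several templates
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[off:off + 4])
                fields = [struct.unpack("!HH", body[off + 4 + 4 * i:off + 8 + 4 * i]) for i in range(nfields)]
                template_cache[(source_id, tid)] = fields
                off += 4 + 4 * nfields
        elif fs_id >= 256:                           # data FlowSet (ids 1..255 are options templates, skipped here)
            fields = template_cache.get((source_id, fs_id))
            if fields is None:
                missing.append(fs_id)                # keep waiting: exporters re-send templates periodically
            else:
                rec_len, off = sum(flen for _, flen in fields), 0
                while off + rec_len <= len(body):
                    rec, cur = {}, off
                    for fid, flen in fields:
                        rec[FIELD_NAMES.get(fid, f"field_{fid}")] = _decode(fid, body[cur:cur + flen])
                        cur += flen
                    records.append(rec)
                    off += rec_len
        pos += fs_len
    return records, missing

def demo():
    """Data before its template is undecodable; once the template is cached it decodes."""
    packet = build_export_packet(SAMPLE_FLOWS)
    template_fs_len = 4 + 4 + 4 * len(TEMPLATE)
    data_only = packet[:20] + packet[20 + template_fs_len:]      # same header, data FlowSet only
    early, missing = parse_export_packet(data_only, {})
    cache = {}
    records, _ = parse_export_packet(packet, cache)
    return records, early, missing

if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

The template cache is keyed by source id as well as template id because two exporters may legitimately use the same template number for different layouts; a collector that ignores the source id will silently misdecode records. The same template dependency is why a collector restarted in the middle of a flow export shows nothing until the exporters' next template refresh.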


Imagine you decide to read the book "Security Operations Center: Building, Operating, and Maintaining your SOC" by my colleagues Joseph Muniz, Gary McIntyre and Nadhem AlFardan (part of the book can be downloaded from the link). You have three ways to reach your goal: read the whole book, skim it, stopping at every 10th or 20th page, or try to find a summary of its key ideas on a blog or a service like SmartReading. Unsampled telemetry, then, reads every "page" of the network traffic, that is, it records metadata for every packet. Sampled telemetry is a selective study of the traffic in the hope that the chosen samples contain what you need. Depending on the link speed, every 64th, 200th, 500th, 1000th, 2000th or even 10000th packet is sent for analysis.


In the context of security monitoring this means that sampled telemetry is well suited to detecting DDoS attacks, scanning and the spread of malicious code, but may miss atomic or few-packet attacks that simply did not make it into the sample sent for analysis. Unsampled telemetry has no such drawback, and the range of detectable attacks is correspondingly much wider. Below is a short list of events that can be detected with network telemetry analysis tools.
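To make the difference between sampled and unsampled telemetry measurable rather than anecdotal, here is a small constructed experiment (added example, not from the article or any vendor). It generates a synthetic packet stream with fifty benign bulk transfers, one flood source and one low-and-slow port scanner, exports it either unsampled or with 1-in-N random sampling (sFlow samples randomly with an average rate of 1-in-N), and runs two simple detectors over the resulting flow records: a port-scan detector (many distinct destination ports from one source) and a volumetric detector (sampled packet counts scaled back up by the sampling rate). The addresses, traffic mix, thresholds and sampling rate are all assumptions chosen for the example.

```python
"""Sampled vs. unsampled telemetry on a constructed traffic mix (added example)."""
import random
from collections import defaultdict

SCANNER, FLOOD_SRC, VICTIM = "10.0.5.77", "10.0.8.20", "10.0.1.1"   # assumed addresses

def synthetic_packets(seed=1):
    """Constructed stream of (src, dst, dport): 50 benign hosts, one flood source, one scanner."""
    rng = random.Random(seed)
    pkts = []
    for i in range(50):                                    # benign bulk transfers, 2000 packets each
        pkts += [(f"10.0.2.{i + 1}", VICTIM, 443)] * 2000
    pkts += [(FLOOD_SRC, VICTIM, 80)] * 100_000            # one host flooding a single port
    pkts += [(SCANNER, VICTIM, port) for port in range(1, 101)]   # 100 single-packet probes
    rng.shuffle(pkts)                                      # interleave as a switch would see them
    return pkts

def export_flows(packets, sample_rate=1, seed=2):
    """Aggregate into (src, dst, dport) -> packet count; keep each packet with probability 1/N."""
    rng = random.Random(seed)
    flows = defaultdict(int)
    for pkt in packets:
        if sample_rate == 1 or rng.randrange(sample_rate) == 0:
            flows[pkt] += 1
    return dict(flows)

def detect_scan(flows, min_ports=20):
    """Sources that touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for src, _dst, dport in flows:
        ports[src].add(dport)
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)

def detect_flood(flows, sample_rate, min_packets=50_000):
    """Sources whose (scaled) packet count exceeds min_packets."""
    total = defaultdict(int)
    for (src, _dst, _dport), n in flows.items():
        total[src] += n * sample_rate                      # scale sampled counts back up
    return sorted(src for src, n in total.items() if n >= min_packets)

def visibility(packets_in_flow, sample_rate):
    """P(at least one packet of a flow is sampled) under 1-in-N random sampling."""
    return 1 - (1 - 1 / sample_rate) ** packets_in_flow

def run(sample_rate):
    flows = export_flows(synthetic_packets(), sample_rate)
    return {"scan": detect_scan(flows), "flood": detect_flood(flows, sample_rate)}

if __name__ == "__main__":
    for rate in (1, 1000):
        print(f"1-in-{rate}: {run(rate)}")
    print(f"P(single-packet probe visible at 1:1000) = {visibility(1, 1000):.4f}")
    print(f"P(2000-packet flow visible at 1:1000)   = {visibility(2000, 1000):.3f}")
```

With unsampled export both the flood and the scan are found. At 1-in-1000, the flood is still found (roughly 100 of its 100,000 packets survive sampling and scaling restores the magnitude), while the scanner's 100 single-packet probes have an expected 0.1 sampled packets between them, so the scan detector never reaches its threshold. The `visibility` function gives the general rule: a flow of k packets is seen with probability 1-(1-1/N)^k, which is why sampling is adequate for volumetric events and inadequate for atomic ones.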


Of course, a generic open-source Netflow analyzer will not let you do this out of the box, since its main job is to collect telemetry and perform basic analysis of it from an IT point of view. To identify security threats from flow data, the analyzer has to be equipped with engines and algorithms that recognize security problems from standard or custom Netflow fields, enrich the standard data with external data from various Threat Intelligence sources, and so on.


So if you have a choice, choose Netflow or IPFIX. But even if your equipment only supports sFlow, as is the case with domestic manufacturers, you can still extract security value from it.


In the summer of 2019 I analyzed the capabilities of Russian network equipment manufacturers, and all of them, except NSG, Polygon and Craftway, declared support for sFlow (at least Zelax, Natex, Eltex, QTech and Rusteleteh).


The next question you will face is where to enable flow support for security purposes. In fact, the question is not quite correctly posed: modern equipment almost always supports flow protocols. So I would rephrase it: where is it most effective to collect telemetry from a security point of view? The answer is fairly obvious: at the access layer, where you see 100% of the traffic, where you have detailed information about hosts (MAC, VLAN, interface ID), and where you can even observe host-to-host traffic, which is critical for detecting scanning and the spread of malicious code. At the core layer you may simply not see some of the traffic, and at the perimeter you will see at most a third of all your network traffic. And if for some reason there are foreign devices in your network that allow attackers to "get in and out" without crossing the perimeter, analyzing perimeter telemetry will give you nothing. Therefore, for maximum coverage, it is recommended to enable telemetry collection at the access layer. Note that even when we are talking about virtualization or containers, flow support is often present in modern virtual switches as well, which lets you monitor traffic there too.

But since I have raised the topic, I should answer the question: what if the equipment, physical or virtual, does not support flow protocols? Or what if enabling them is prohibited (for example, in industrial segments, to preserve reliability)? Or what if enabling them drives up CPU load (this happens on older hardware)? For such cases there are specialized virtual sensors (flow sensors), which are essentially ordinary taps that pass traffic through themselves and emit it as flow records to the collection module. In that case, admittedly, we inherit all the problems discussed above for packet capture tools. So you need to understand not only the advantages of flow analysis but also its limitations.

Another important point to keep in mind when talking about flow analysis tools. Whereas for conventional sources of security events we use the EPS metric (events per second), that indicator does not apply to telemetry analysis; it is replaced by FPS (flows per second). As with EPS, it cannot be calculated exactly in advance, but you can estimate the approximate number of flows a given device generates depending on its role. Tables with approximate values for various types of enterprise devices and conditions can be found on the Internet, and they let you estimate which licenses you need for your analysis tools and what their architecture should be. The point is that an IDS sensor is limited by the bandwidth it can "pull", and a flow collector has its own limits that need to be understood. That is why large, geographically distributed networks usually have several collectors. When I described how the network is monitored inside Cisco, I already gave the number of our collectors: there are 21 of them, for a network spread across five continents and numbering about half a million active devices.


We use our own Netflow-based monitoring solution, Cisco Stealthwatch, which is specifically focused on security tasks. It has many built-in engines for detecting anomalous, suspicious and clearly malicious activity, which lets it detect a wide range of threats, from cryptomining to data leaks, from the spread of malicious code to fraud. Like most flow analyzers, Stealthwatch is built on the three-tier scheme (generator - collector - analyzer), but it adds a number of features that matter for the subject at hand. First, it integrates with packet capture solutions (such as Cisco Security Packet Analyzer), which lets you record selected network sessions for subsequent in-depth investigation and analysis. Second, specifically to broaden its security coverage, we developed the nvzFlow protocol, which "translates" application activity on endpoints (servers, workstations and so on) into telemetry and sends it to the collector for further analysis. Whereas in its original form Stealthwatch works with any flow protocol (sFlow, rFlow, Netflow, IPFIX, cFlow, jFlow, NetStream) at the network level, nvzFlow support allows data to be correlated at the host level as well, thereby increasing the effectiveness of the whole system and revealing more attacks than conventional network flow analyzers.

Naturally, when it comes to Netflow analysis systems from a security point of view, the market is not limited to a single solution from Cisco. You can use commercial products as well as free or shareware ones. It would be rather odd for me to showcase competitors' solutions on the Cisco blog, so I will instead say a few words about how network telemetry can be analyzed with two popular tools that sound alike but are quite different: SiLK and ELK.

SiLK (the System for Internet-Level Knowledge) is a set of traffic analysis tools developed by the American CERT/CC. In the context of this article it supports Netflow (versions 5 and 9, the most popular ones), IPFIX and sFlow, and uses a range of utilities (rwfilter, rwcount, rwflowpack and so on) to perform various operations on network telemetry in order to find signs of unauthorized activity in it. But there are a couple of important points to note. SiLK is a command-line toolkit in which analysis is done by entering commands like this (find ICMP flows with at least 200 bytes per packet):

rwfilter --flowtypes=all/all --proto=1 --bytes-per-packet=200- --pass=stdout | rwcut --fields=sIP,dIP,iType,iCode --num-recs=15

which is not very convenient. You can use the iSiLK GUI, but it will not make your life much easier: it only addresses visualization and does not replace the analyst. And that is the second point. Unlike commercial solutions, which already come with a solid analytical base, anomaly detection algorithms, workflows and so on, in SiLK you will have to build all of this yourself, which demands somewhat different skills from you than using a ready-made tool does. This is neither good nor bad; it is a characteristic of almost any free tool, which assumes that you know what to do and merely helps you do it (commercial tools depend less on the skills of their users, although they too assume that analysts understand at least the basics of network investigation and monitoring). But back to SiLK. The analyst's working cycle with it looks like this:

  • Formulating a hypothesis. We need to understand what we are going to look for in the network telemetry, and to know the distinctive features by which we will recognize a particular anomaly or threat.
  • Building a model. Having formed a hypothesis, we prototype it using Python, the shell or other tools that are not part of SiLK.
  • Testing. Now it is time to check the correctness of our hypothesis, which is confirmed or refuted using the SiLK utilities whose names begin with 'rw', 'set' and 'bag'.
  • Analysis of real data. In production, SiLK helps us identify something, and the analyst has to answer the questions "Did we find what we expected?", "Does this match our hypothesis?", "How do we reduce the number of false positives?", "How do we improve the level of recognition?" and so on.
  • Improvement. In the final stage, we improve what was done before: we create templates, improve and optimize the code, reformulate and refine the hypothesis, and so on.

This cycle applies to Cisco Stealthwatch as well, except that the latter automates these five steps as far as possible, reducing the number of analyst errors and increasing the efficiency of incident detection. For example, in SiLK you can enrich network statistics with external data about malicious IPs using hand-written scripts, whereas in Cisco Stealthwatch this is a built-in function that immediately raises an alarm if network traffic contains interactions with IP addresses from a blacklist.
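The "build a model" step of the SiLK cycle, and the hand-written blacklist enrichment just mentioned, are easiest to see in a small prototype. The following Python example (added here; it is not code from the article, from CERT/CC's SiLK or from Stealthwatch) expresses two hypotheses over constructed flow records: oversized ICMP flows, the same condition as the rwfilter/rwcut pipeline above (protocol 1, at least 200 bytes per packet, a common sign of ICMP tunnelling), and any flow touching an address range from an external blacklist. It also shows the refinement step, sweeping the threshold to see how many flows each value would flag. The records and the blacklist are constructed for the example; the only SiLK convention relied on is that for ICMP records the destination port field carries type*256 + code, which is what rwcut's iType and iCode are derived from.

```python
"""Prototyping SiLK-style hypotheses in Python over constructed flow records (added example)."""
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Flow:
    sip: str
    dip: str
    proto: int
    sport: int
    dport: int        # for ICMP, SiLK stores type*256 + code in this field
    packets: int
    bytes: int

# Constructed records for the example, not real traffic.
FLOWS = [
    Flow("10.1.4.12", "10.1.1.1", 1, 0, 8 * 256, 10, 980),          # echo request, 98 B/pkt
    Flow("10.1.4.12", "198.51.100.7", 1, 0, 8 * 256, 40, 52_000),   # echo request, 1300 B/pkt
    Flow("10.1.4.30", "10.1.1.1", 1, 0, 0, 3, 288),                 # echo reply, 96 B/pkt
    Flow("10.1.4.55", "203.0.113.99", 6, 50123, 443, 120, 91_000),  # TLS session
    Flow("10.1.4.55", "10.1.9.5", 6, 50124, 445, 4, 240),           # short SMB exchange
]
# Constructed "external feed" of known-bad ranges (assumed input; any TI source would do).
BLACKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

def bytes_per_packet(f):
    return f.bytes / f.packets if f.packets else 0.0

def icmp_type_code(f):
    return divmod(f.dport, 256)

def oversized_icmp(flows, min_bpp=200):
    """Hypothesis 1: ICMP with large payloads (proto 1, >= min_bpp bytes per packet)."""
    return [f for f in flows if f.proto == 1 and bytes_per_packet(f) >= min_bpp]

def blacklist_hits(flows, networks):
    """Hypothesis 2: any flow whose source or destination falls in a listed range."""
    def listed(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in networks)
    return [f for f in flows if listed(f.sip) or listed(f.dip)]

def threshold_sweep(flows, thresholds):
    """Refinement step: how many flows each candidate bytes-per-packet threshold would flag."""
    return {t: len(oversized_icmp(flows, t)) for t in thresholds}

def render(flows):
    """rwcut-like text output for a list of hits."""
    lines = []
    for f in flows:
        itype, icode = icmp_type_code(f) if f.proto == 1 else ("-", "-")
        lines.append(f"{f.sip:>15} {f.dip:>15} proto={f.proto} type={itype} "
                     f"code={icode} bpp={bytes_per_packet(f):.0f}")
    return "\n".join(lines)

if __name__ == "__main__":
    print("oversized ICMP:\n" + render(oversized_icmp(FLOWS)))
    print("blacklist hits:\n" + render(blacklist_hits(FLOWS, BLACKLIST)))
    print("threshold sweep:", threshold_sweep(FLOWS, [100, 200, 1500]))
```

Once a hypothesis like `oversized_icmp` holds up on real data, the same condition is handed to SiLK as the `--proto=1 --bytes-per-packet=200-` filter shown above and run at scale; the blacklist check is the kind of enrichment that has to be scripted around SiLK but is a built-in alarm in a commercial analyzer.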

Going one step up the "paid" pyramid of flow analysis software, after the completely free SiLK comes the shareware ELK stack, made up of three key components: Elasticsearch (indexing, search and data analysis), Logstash (data input/output) and Kibana (visualization). Unlike SiLK, where you have to write everything yourself, ELK already has many ready-made libraries and modules (some paid, some not) that automate the analysis of network telemetry. For example, the GeoIP filter in Logstash lets you map observed IP addresses to their geographic location (Stealthwatch has this built in).


ELK also has a fairly large community that fills in the components this monitoring stack lacks. For example, to work with Netflow, IPFIX and sFlow you can use the elastiflow module, if the Logstash Netflow Module, which supports only Netflow, does not suit you.

While it is more capable than SiLK at collecting flow data and searching through it, ELK currently lacks rich built-in analytics for detecting anomalies and threats in network telemetry. That is, following the life cycle described above, you will have to describe the violation models yourself and then put them into production use (there are no built-in models).


There are, of course, more sophisticated extensions for ELK that already include some models for detecting anomalies in network telemetry, but such extensions cost money, and the question is whether the game is worth the candle: write a similar model yourself, buy its implementation for your monitoring tool, or buy a ready-made solution of the Network Traffic Analysis class.


On the whole, I do not want to get into the argument about whether it is better to spend money on a ready-made solution for monitoring anomalies and threats in network telemetry (for example, Cisco Stealthwatch) or to work it out yourself and adapt SiLK, ELK, nfdump or OSU Flow Tools to each new threat (I talked about the last two of these last time). Everyone chooses for themselves and has their own reasons for picking one of the two options. I only wanted to show that network telemetry is a very important tool for securing your internal infrastructure and that you should not neglect it, so as not to join the list of companies whose names appear in the press alongside the epithets "hacked", "does not comply with information security requirements" and "does not care about the security of its data and its customers' data".


To wrap up, I would like to list the key recommendations to follow when building security monitoring of your internal infrastructure:

  1. Do not limit yourself to the perimeter! Use (and choose) network infrastructure not only to move traffic from point A to point B, but also to solve cybersecurity problems.
  2. Study the security monitoring mechanisms that already exist in your network equipment and use them.
  3. For internal monitoring, give preference to telemetry analysis. It allows you to detect up to 80-90% of all network security incidents, does things that are impossible with packet capture, and saves storage space for all security events.
  4. To monitor flows, use Netflow v9 or IPFIX. They provide more information in a security context and let you monitor not only IPv4, but also IPv6, MPLS, etc.
  5. Use unsampled flow protocols. They give more information for threat detection. For example, Netflow or IPFIX.
  6. Check the load on your network equipment. It may not be able to cope with flow protocols as well. In that case, consider using virtual sensors or a Netflow Generation Appliance.
  7. Implement monitoring first of all at the access layer. This will give you the opportunity to see 100% of all traffic.
  8. If you have no choice and are using Russian network equipment, then choose equipment that supports flow protocols or has SPAN/RSPAN ports.
  9. Combine intrusion detection/prevention systems at the perimeter with flow analysis systems in the internal network (including in the clouds).
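Recommendation 4 rests on the fact that Netflow v9 (and IPFIX after it) is template-based: the exporter first sends a template describing which fields a data record carries, so IPv6 addresses, MPLS labels and other fields can be exported without changing the packet format. The following is an added example, not code from the article or any collector it mentions, of a minimal NetFlow v9 decoder in Python; it decodes an export packet whose bytes are constructed here (one IPv4 template, one IPv6 template, one data record for each). Field type numbers follow the NetFlow v9 numbering in RFC 3954; the observation domain id, addresses and counters are made-up values.

```python
"""Added example: decoding a NetFlow v9 export packet.
The packet bytes are constructed in build_sample_packet(); field type
numbers follow RFC 3954 (NetFlow v9)."""
import struct
import ipaddress

# RFC 3954 field types used here -> readable names
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
    27: "IPV6_SRC_ADDR", 28: "IPV6_DST_ADDR",
}


def decode_value(ftype, raw):
    """Addresses become strings, everything else a big-endian integer."""
    if ftype in (8, 12):
        return str(ipaddress.IPv4Address(raw))
    if ftype in (27, 28):
        return str(ipaddress.IPv6Address(raw))
    return int.from_bytes(raw, "big")


def parse_netflow_v9(data, templates=None):
    """Return (records, templates). `templates` is keyed by
    (source_id, template_id) and is carried across packets, because a
    data flowset may arrive before the template that describes it."""
    templates = {} if templates is None else templates
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    records, off = [], 20
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[off:off + 4])
        if fs_len < 4:
            raise ValueError("bad flowset length")
        body, end = data[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:                       # template flowset (may hold several templates)
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = []
                for _ in range(nfields):
                    fields.append(struct.unpack("!HH", body[p:p + 4]))  # (type, length)
                    p += 4
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                   # data flowset; its id is the template id
            fields = templates.get((source_id, fs_id))
            if fields is not None:           # unknown template: a collector would buffer, we skip
                rec_len = sum(length for _, length in fields)
                p = 0
                while p + rec_len <= len(body):   # trailing bytes are 4-byte alignment padding
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_value(ftype, body[p:p + flen])
                        p += flen
                    records.append(rec)
        off = end
    return records, templates


def _pad4(blob):
    return blob + b"\x00" * ((4 - len(blob) % 4) % 4)


def build_sample_packet():
    """Constructed export packet: template 256 (IPv4 5-tuple + counters),
    template 257 (IPv6 addresses), and one data record per template."""
    t256 = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    t257 = [(27, 16), (28, 16), (11, 2), (4, 1), (1, 4)]

    def template(tid, fields):
        return struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)

    tbody = template(256, t256) + template(257, t257)
    tfs = struct.pack("!HH", 0, 4 + len(tbody)) + tbody
    rec4 = (ipaddress.IPv4Address("10.0.1.5").packed + ipaddress.IPv4Address("10.0.2.9").packed
            + struct.pack("!HHBII", 51234, 445, 6, 120, 2))
    dfs4 = _pad4(struct.pack("!HH", 256, 4 + len(rec4) + (4 - (4 + len(rec4)) % 4) % 4) + rec4)
    rec6 = (ipaddress.IPv6Address("2001:db8::5").packed + ipaddress.IPv6Address("2001:db8::9").packed
            + struct.pack("!HBI", 53, 17, 80))
    dfs6 = _pad4(struct.pack("!HH", 257, 4 + len(rec6) + (4 - (4 + len(rec6)) % 4) % 4) + rec6)
    header = struct.pack("!HHIIII", 9, 4, 123456, 1700000000, 1, 42)  # version 9, 4 records, source id 42
    return header + tfs + dfs4 + dfs6


if __name__ == "__main__":
    recs, tmpl = parse_netflow_v9(build_sample_packet())
    for r in recs:
        print(r)
```

The decoder keeps the template cache keyed by source id because a collector normally receives exports from many devices, and template ids are only unique per exporter; unsampled exports (recommendation 5) are decoded the same way, the difference is only in what the counters represent.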


Regarding the last recommendation, I would like to give an illustration that I have already shown before. You can see that while the Cisco information security service previously built its security monitoring almost entirely on intrusion detection systems and signature methods, today those account for only 20% of incidents. Another 20% comes from flow analysis systems, which shows that these solutions are not a whim but a real tool in the work of a modern enterprise's security team. Moreover, you already have the most important thing needed to implement them: the network infrastructure, an investment that can be protected further by assigning security monitoring functions to the network.


I deliberately did not touch on the topic of responding to the anomalies or threats identified in network flows, but I think it is already clear that monitoring must not end with threat detection. It should be followed by a response, preferably in an automatic or automated mode. But that is a topic for a separate article.

Additional information:

PS. If it is easier for you to listen to everything written above, you can watch the hour-long presentation that formed the basis of this note.



Source: www.hab.com
