Ib zaug dhau los, cov phiaj xwm hluav taws xob zoo tib yam thiab cov phiaj xwm tiv thaiv kab mob tau txaus los tiv thaiv lub network hauv zos, tab sis cov txheej txheem zoo li no tsis muaj txiaj ntsig zoo rau kev tawm tsam ntawm niaj hnub hackers thiab cov malware uas nyuam qhuav nthuav tawm. Qhov zoo qub firewall tsom xam tsuas yog pob ntawv headers, hla los yog thaiv lawv raws li cov txheej txheem kev cai. Nws tsis paub dab tsi txog cov ntsiab lus ntawm cov pob khoom, thiab yog li tsis tuaj yeem lees paub qhov kev ua txhaum cai sab nraud ntawm cov neeg nkag tebchaws. Cov kev pab cuam tiv thaiv kab mob tsis tas yuav ntes malware, yog li tus thawj coj tau ntsib nrog txoj haujlwm ntawm kev saib xyuas cov haujlwm tsis zoo thiab cais cov neeg muaj kab mob nyob rau lub sijhawm.
Muaj ntau yam cuab yeej siv siab heev uas tso cai rau koj los tiv thaiv lub tuam txhab IT infrastructure. Niaj hnub no peb yuav tham txog qhib qhov chaw nkag mus nrhiav thiab tiv thaiv cov txheej txheem uas tuaj yeem siv tau yam tsis tau yuav cov khoom siv kim kim thiab cov ntawv tso cai software.
Kev faib tawm IDS/IPS
IDS (Intrusion Detection System) yog ib qho system tsim los sau npe cov haujlwm tsis txaus ntseeg ntawm lub network lossis ntawm lub khoos phis tawj cais. Nws tuav cov txheej xwm teev tseg thiab ceeb toom rau tus neeg ua haujlwm rau cov ntaub ntawv kev ruaj ntseg txog lawv. IDS suav nrog cov hauv qab no:
- sensors rau saib network tsheb, ntau yam cav, thiab lwm yam.
- ib qho kev ntsuam xyuas subsystem uas pom cov cim qhia txog kev puas tsuaj hauv cov ntaub ntawv tau txais;
- khaws cia rau tsub zuj zuj ntawm thawj txheej xwm thiab kev soj ntsuam tau;
- tswj console.
Thaum xub thawj, IDS tau muab cais los ntawm qhov chaw: lawv tuaj yeem tsom mus rau kev tiv thaiv tus kheej ntawm tus kheej (tus tswv tsev lossis Tus Tswv Cuab Hauv Kev Tshawb Fawb - HIDS) lossis tiv thaiv tag nrho cov koom haum koom tes (network-based lossis Network Intrusion Detection System - NIDS). Nws yog tsim nyog mentioning lub thiaj li hu. APIDS (Daim ntawv thov raws tu qauv-raws li IDS): lawv saib xyuas cov txheej txheem txheej txheem txheej txheem txhawm rau txheeb xyuas cov kev tawm tsam tshwj xeeb thiab tsis sib sib zog nqus cov ntaub ntawv network. Cov khoom zoo li no feem ntau zoo li tus neeg sawv cev thiab siv los tiv thaiv cov kev pabcuam tshwj xeeb: web server thiab web applications (piv txwv li, sau hauv PHP), database servers, thiab lwm yam. Ib tus neeg sawv cev ntawm chav kawm no yog mod_security rau Apache web server.
Peb txaus siab rau NIDS thoob ntiaj teb uas txhawb nqa ntau yam kev sib txuas lus raws tu qauv thiab DPI (Deep Packet Inspection) packet analysis technologies. Lawv saib xyuas txhua qhov kev hla dhau, pib los ntawm cov ntaub ntawv txuas txheej, thiab tshawb xyuas ntau yam kev tawm tsam hauv network, nrog rau kev nkag mus rau cov ntaub ntawv tsis raug cai. Feem ntau cov tshuab no muaj cov qauv faib khoom thiab tuaj yeem cuam tshuam nrog ntau yam khoom siv hauv network. Nco ntsoov tias ntau cov NIDS niaj hnub no yog hybrid thiab ua ke ntau txoj hauv kev. Nyob ntawm kev teeb tsa thiab kev teeb tsa, lawv tuaj yeem daws tau ntau yam teeb meem - piv txwv li, tiv thaiv ib qho los yog tag nrho lub network. Tsis tas li ntawd, IDS lub luag haujlwm rau cov chaw ua haujlwm tau raug coj los ntawm cov pob khoom tiv thaiv kab mob, uas, vim yog kev sib kis ntawm Trojans tsom rau kev nyiag cov ntaub ntawv, tau hloov mus ua ntau lub foob pob hluav taws uas tseem daws tau cov haujlwm ntawm kev lees paub thiab thaiv kev tsis txaus ntseeg.
Thaum pib, IDS tsuas tuaj yeem tshawb xyuas cov haujlwm malware, chaw nres nkoj scanners, lossis, hais tias, cov neeg siv ua txhaum cai ntawm tuam txhab kev ruaj ntseg cov cai. Thaum muaj qee qhov xwm txheej tshwm sim, lawv tau ceeb toom rau tus thawj tswj hwm, tab sis nws tau pom meej sai sai tias tsuas yog lees paub qhov kev tawm tsam tsis txaus - nws yuav tsum tau thaiv. Yog li IDS hloov mus rau IPS (Intrusion Prevention Systems) - kev tiv thaiv kev nkag mus uas tuaj yeem cuam tshuam nrog firewalls.
Cov txheej txheem kuaj xyuas
Niaj hnub nimno intrusion nrhiav thiab tiv thaiv kev daws teeb meem siv ntau txoj hauv kev los kuaj xyuas kev ua phem, uas tuaj yeem muab faib ua peb pawg. Qhov no muab peb lwm txoj hauv kev rau kev faib cov tshuab:
- Kos npe-raws li IDS/IPS nrhiav cov qauv hauv kev khiav tsheb lossis saib xyuas lub xeev cov kev hloov pauv txhawm rau txheeb xyuas qhov kev tawm tsam hauv lub network lossis kev sim kis kab mob. Lawv xyaum tsis muab misfires thiab cuav zoo, tab sis tsis muaj peev xwm mus ntes tsis paub hem;
- Anomaly-detecting IDSs tsis siv kos npe tawm tsam. Lawv paub txog tus cwj pwm txawv txav ntawm cov ntaub ntawv xov xwm (xws li kev tsis sib haum xeeb hauv kev sib txuas hauv network) thiab tuaj yeem ntes tau txawm tias tsis paub txog kev tawm tsam. Cov tshuab zoo li no muab ntau qhov tsis zoo thiab, yog tias siv tsis raug, ua rau tuag tes tuag taw kev ua haujlwm ntawm lub network hauv zos;
- Txoj cai-raws li IDSs ua haujlwm zoo li: yog FACT ces ACTION. Qhov tseeb, cov no yog cov kws tshaj lij nrog cov kev paub hauv paus - ib txheej ntawm qhov tseeb thiab cov cai ntawm kev xav. Cov kev daws teeb meem zoo li no yog siv sijhawm los teeb tsa thiab xav kom tus thawj tswj hwm kom muaj kev nkag siab ntxaws txog lub network.
Keeb kwm ntawm kev txhim kho IDS
Lub sijhawm ntawm kev loj hlob sai ntawm Is Taws Nem thiab cov koom tes sib koom tes tau pib nyob rau xyoo 90s ntawm lub xyoo pua xeem, txawm li cas los xij, cov kws tshaj lij tau xav tsis thoob los ntawm cov thev naus laus zis kev ruaj ntseg network ua ntej me ntsis. Xyoo 1986, Dorothy Denning thiab Peter Neumann tau luam tawm IDES (Intrusion detection expert system) qauv, uas tau los ua lub hauv paus ntawm feem ntau niaj hnub intrusion detection systems. Nws siv cov txheej txheem kws tshaj lij txhawm rau txheeb xyuas cov kev tawm tsam paub, nrog rau cov txheej txheem kev txheeb cais thiab cov neeg siv / cov kab ke. IDES tau khiav ntawm Sun workstations, tshawb xyuas lub network tsheb thiab cov ntaub ntawv thov. Xyoo 1993, NIDES (Next-generation Intrusion Detection Expert System) tau tso tawm - lub cim tshiab ntawm kev nkag mus nrhiav cov kws tshaj lij.
Raws li kev ua haujlwm ntawm Denning thiab Neumann, MIDAS (Multics intrusion detection and alerting system) cov kws tshaj lij tau tshwm sim xyoo 1988, siv P-BEST thiab LISP. Nyob rau tib lub sijhawm, Haystack system raws li kev txheeb cais tau tsim. Lwm qhov ntsuas qhov ntsuas tsis zoo, W&S (Wisdom & Sense), tau tsim ib xyoos tom qab ntawm Los Alamos National Laboratory. Txoj kev loj hlob ntawm kev lag luam tau mus txog qhov nrawm nrawm. Piv txwv li, xyoo 1990, kev tshawb nrhiav qhov tsis txaus ntseeg twb tau ua tiav hauv TIM (Lub Sijhawm-raws li inductive tshuab) siv kev kawm inductive ntawm cov qauv siv raws li cov qauv (Common LISP lus). NSM (Network Security Monitor) muab piv rau kev nkag mus rau matrices rau kev kuaj pom tsis zoo, thiab ISOA (Information Security Officer's Assistant) tau txhawb nqa ntau yam kev tshawb nrhiav: cov txheej txheem txheeb cais, kuaj xyuas profile thiab cov kws tshaj lij. Lub ComputerWatch system tsim los ntawm AT & T Bell Labs siv ob txoj hauv kev txheeb cais thiab cov cai rau kev txheeb xyuas, thiab cov neeg tsim khoom ntawm University of California tau txais thawj tus qauv ntawm ib qho kev faib IDS rov qab rau xyoo 1991 - DIDS (Distributed intrusion detection system) kuj yog ib tus kws tshaj lij. qhov system.
Thaum xub thawj, IDS yog tus tswv, tab sis twb yog xyoo 1998, National Laboratory. Lawrence ntawm Berkeley tso tawm Bro (renamed Zeek hauv 2018), qhov qhib qhov system uas siv nws tus kheej cov cai lus rau kev txheeb xyuas cov ntaub ntawv libpcap. Thaum lub Kaum Ib Hlis ntawm tib lub xyoo, APE pob ntawv sniffer siv libpcap tau tshwm sim, uas ib hlis tom qab tau hloov npe hu ua Snort, thiab tom qab ntawd tau dhau los ua IDS / IPS tag nrho. Nyob rau tib lub sijhawm, ntau cov tswv yim daws teeb meem pib tshwm sim.
Snort thiab Suricata
Ntau lub tuam txhab nyiam pub dawb thiab qhib qhov chaw IDS/IPS. Rau lub sijhawm ntev, Snort tau hais los saum no tau suav tias yog cov qauv kev daws teeb meem, tab sis tam sim no nws tau raug hloov los ntawm Suricata system. Xav txog lawv qhov zoo thiab qhov tsis zoo nyob rau hauv me ntsis ntxiv. Snort muab cov txiaj ntsig zoo ntawm txoj kev kos npe nrog lub peev xwm los txheeb xyuas qhov tsis txaus ntseeg hauv lub sijhawm. Suricata tseem tso cai rau lwm txoj hauv kev ntxiv rau kev tawm tsam kos npe nrhiav pom. Lub kaw lus tau tsim los ntawm ib pab pawg neeg tsim tawm uas tau faib tawm los ntawm Snort qhov project thiab txhawb IPS nta txij li version 1.4, thaum kev tiv thaiv kev nkag tau tshwm sim hauv Snort tom qab.
Qhov sib txawv tseem ceeb ntawm ob yam khoom nrov yog Suricata lub peev xwm siv GPU rau IDS xam, nrog rau IPS siab dua. Lub kaw lus yog Ameslikas tsim los rau ntau txoj xov, thaum Snort yog ib qho khoom siv. Vim nws cov keeb kwm ntev thiab keeb kwm yav dhau los, nws tsis ua kom pom kev siv ntau cov txheej txheem / multi-core hardware platforms, thaum Suricata tuaj yeem tswj cov tsheb mus txog 10 Gbps ntawm cov khoos phis tawj ib txwm siv. Koj tuaj yeem tham txog qhov zoo sib xws thiab qhov sib txawv ntawm ob lub tshuab rau lub sijhawm ntev, tab sis txawm hais tias lub cav Suricata ua haujlwm sai dua, rau cov kab tsis dhau los nws tsis muaj teeb meem.
Kev xaiv xa mus
IPS yuav tsum tau muab tso rau hauv txoj hauv kev uas lub kaw lus tuaj yeem saib xyuas cov ntu hauv lub network raws li nws tswj. Feem ntau, qhov no yog lub khoos phis tawj tshwj xeeb, ib qho kev sib txuas uas txuas tom qab cov khoom siv ntug thiab "zoo li" los ntawm lawv mus rau cov tsis muaj kev ruaj ntseg hauv zej zog (Internet). Lwm IPS interface yog txuas nrog cov tswv yim ntawm ntu tiv thaiv kom tag nrho cov tsheb khiav mus los ntawm lub kaw lus thiab raug tshuaj xyuas. Hauv cov xwm txheej nyuaj dua, tej zaum yuav muaj ntau qhov kev tiv thaiv: piv txwv li, hauv kev sib koom tes, thaj chaw tsis muaj tub rog (DMZ) feem ntau faib nrog cov kev pabcuam siv tau los ntawm Is Taws Nem.
Xws li IPS tuaj yeem tiv thaiv chaw nres nkoj scanning lossis brute-force tawm tsam, kev siv cov kev tsis zoo hauv cov xa ntawv, web server lossis cov ntawv sau, nrog rau lwm hom kev tawm tsam sab nraud. Yog tias cov khoos phis tawj ntawm lub network hauv zos muaj kab mob malware, IDS yuav tsis tso cai rau lawv hu rau botnet servers nyob sab nraud. Kev tiv thaiv loj dua ntawm lub network sab hauv feem ntau yuav xav tau kev teeb tsa nyuaj nrog cov kab ke sib faib thiab cov kev tswj hwm kim uas muaj peev xwm ua kom pom kev tsheb khiav mus rau IDS interface txuas nrog ib qho ntawm cov chaw nres nkoj.
Feem ntau cov koom tes sib koom tes yuav raug xa tawm tsis lees paub kev pabcuam (DDoS) tawm tsam. Txawm hais tias niaj hnub IDSs tuaj yeem cuam tshuam nrog lawv, qhov kev xaiv xa mus saum toj no yog kev pab me ntsis ntawm no. Lub kaw lus paub txog kev ua phem thiab thaiv cov tsheb khiav tsis zoo, tab sis rau qhov no, cov pob ntawv yuav tsum mus dhau ntawm kev sib txuas hauv Is Taws Nem sab nraud thiab ncav cuag nws lub network interface. Nyob ntawm qhov kev siv ntawm qhov kev tawm tsam, cov ntaub ntawv xa tawm channel yuav tsis tuaj yeem tiv nrog lub nra thiab lub hom phiaj ntawm cov neeg tawm tsam yuav ua tiav. Rau cov xwm txheej zoo li no, peb pom zoo kom xa IDS ntawm lub server virtual nrog kev paub zoo dua hauv internet. Koj tuaj yeem txuas VPS mus rau lub network hauv zos los ntawm VPN, thiab tom qab ntawd koj yuav tsum tau teeb tsa txoj kev khiav ntawm txhua qhov kev khiav tsheb sab nraud los ntawm nws. Tom qab ntawd, nyob rau hauv qhov xwm txheej ntawm DDoS nres, koj yuav tsis tau tsav cov pob ntawv los ntawm kev sib txuas rau tus neeg zov me nyuam, lawv yuav raug thaiv ntawm tus tswv tsev sab nraud.
Xaiv teeb meem
Nws yog qhov nyuaj heev los txheeb xyuas tus thawj coj ntawm cov kab ke dawb. Kev xaiv ntawm IDS / IPS yog txiav txim siab los ntawm lub network topology, qhov tsim nyog kev tiv thaiv kev ua haujlwm, nrog rau kev nyiam ntawm tus thawj tswj hwm tus kheej thiab nws lub siab xav fiddle nrog cov chaw. Snort muaj keeb kwm ntev dua thiab zoo dua cov ntaub ntawv, txawm hais tias cov ntaub ntawv ntawm Suricata kuj yooj yim nrhiav hauv online. Txawm li cas los xij, txhawm rau ua kom tau zoo, koj yuav tsum ua qee yam kev siv zog, uas thaum kawg yuav them tawm - kev lag luam kho vajtse thiab kho vajtse-software IDS / IPS yog kim heev thiab tsis tas yuav haum rau hauv cov peev nyiaj. Koj yuav tsum tsis txhob khuv xim lub sij hawm siv, vim hais tias tus thawj coj zoo ib txwm txhim kho nws cov kev tsim nyog ntawm tus nqi ntawm tus tswv hauj lwm. Hauv qhov xwm txheej no, txhua tus yeej. Hauv tsab xov xwm tom ntej, peb yuav saib qee qhov kev xaiv rau kev xa tawm Suricata thiab sib piv cov txheej txheem niaj hnub nrog cov classic IDS / IPS Snort hauv kev xyaum.
Tau qhov twg los: www.hab.com