When people hear about security monitoring of a corporate or departmental network, many of them think of controlling data leaks and deploying DLP solutions. But if you make the question more precise and ask how attacks against the internal network are detected, the usual answer mentions intrusion detection systems (IDS). Yet what was the only option 10 to 20 years ago is becoming an anachronism today. For monitoring the internal network there is a more effective option, and in some cases the only possible one: flow protocols. Flow protocols were originally designed for troubleshooting network problems, but over time they turned into a very interesting security tool. This article covers which flow protocols exist, which of them are better at detecting network attacks, where flow monitoring is best implemented, what to watch for when deploying such a scheme, and even how to set all of this up on domestic (Russian-made) equipment.

Within the scope of this article I will not go into the question "Why do we need security monitoring of the internal infrastructure at all?" The answer seems obvious, even if some may still want to convince themselves once more that it is impossible to get by without it today.
Here I will look at the three main data sources for monitoring the infrastructure at the network level:
- raw traffic, which we capture and send to a dedicated analysis system;
- events from the network devices the traffic passes through;
- traffic information received through one of the flow protocols.
Capturing raw traffic is historically the first option to appear and the most popular one among security specialists. Classic network intrusion detection systems (the first commercial IDS was NetRanger from the Wheel Group, acquired by Cisco in 1998) captured packets (and later sessions) in which they searched for specific signatures ("decision rules" in FSTEC terminology) that signal an attack. Of course, raw traffic can be analysed not only with an IDS but also with other tools (Wireshark, tcpdump, the NBAR2 feature in Cisco IOS, and so on), but those tools usually lack the knowledge base that distinguishes an information security tool from an ordinary IT tool.
In other words, they are attack detection systems. This oldest and most common way of detecting network attacks works well at the perimeter (of the company, of the data centre, of a segment, and so on) but fails in modern switched and software-defined networks. In a network built on classic switches the infrastructure of attack detection sensors becomes too large: a sensor is needed on every connection to every node whose attacks you want to monitor. Of course, any vendor would happily sell you hundreds or thousands of sensors, but I doubt your budget can absorb that kind of expense. It might seem that price is the issue, yet even Cisco (and we develop an NGIPS ourselves) could not do it; I will not dwell on that, it is our own conclusion. Besides, with this design the question arises of how the sensors are connected. Inline? What happens if the sensor itself fails? Does the sensor need a bypass module? Should splitters (taps) be used? All of this raises the price of the solution and puts it out of reach for a company of any size.
You can hang the sensor on a SPAN/RSPAN/ERSPAN port and steer traffic from the required switch ports to it. This option partially solves the problem described in the previous paragraph but creates another one: a SPAN port cannot accept all of the traffic sent to it in full, it does not have enough bandwidth. Something has to be sacrificed: either leave some nodes unmonitored (which means prioritising them first) or send not all of a node's traffic but only certain kinds of it. Either way, some attacks may be missed. Moreover, the SPAN port may be needed for other purposes as well. As a result, you have to revise, and sometimes adjust, the existing network topology so that the number of sensors you own covers the network as fully as possible (and coordinate this with the IT department).
What if asymmetric routing is used in the network? What if SDN is deployed or planned? What if you need to monitor virtual machines or containers whose traffic never reaches a physical switch at all? These are questions that classic IDS vendors do not like, because they do not know how to answer them. Perhaps they will persuade you that all these fashionable technologies are hype and you do not need them. Perhaps they will talk about the need to start small. Or perhaps they will say that you should put a powerful crunching box in the centre of the network and steer all traffic to it with load balancers. Whatever option you are offered, you need a clear understanding of how it suits you, and only then decide on the approach to monitoring the security of your network infrastructure. Returning to packet capture: this method remains very popular and important, but I would say that its main purpose is perimeter control: the boundary between the organisation and the Internet, between the data centre and the rest of the network, between the process control system and the corporate segment. In those places classic IDS/IPS still has a right to exist and copes well with its tasks.
Let us move on to the second option. Analysing events from network devices can also be used for attack detection, but it cannot be the main mechanism, because it detects only a small class of intrusions. Besides, it is inherently reactive: the attack has to happen first and then be recorded by the network device, which in one way or another signals a security problem. There are several such methods: syslog, RMON or SNMP. In a security context the last two protocols are used only when you need to detect DoS attacks against the network equipment itself, because RMON and SNMP let you monitor, for example, the load on a device's central processor or on its interfaces. This is one of the "cheapest" methods (everyone has syslog or SNMP), but of all the ways of monitoring the security of the internal infrastructure it is the least effective: many attacks are simply hidden from it. Of course, it should not be ignored; the same syslog analysis helps you detect changes to a device's own configuration, or its compromise, in good time, but it is poorly suited to detecting attacks on the network as a whole.
The third option is to analyse information about the traffic passing through devices that support one of several flow protocols. In this case, regardless of the protocol, the flow infrastructure necessarily consists of three components:
- Flow generation, or export. This role is usually assigned to a router, switch or other network device which, by passing traffic through itself, can extract the key parameters from it and send them to a collection module. For example, Cisco supports the Netflow protocol not only on routers and switches (including virtual and industrial ones) but also on wireless controllers, firewalls and even servers.
- Flow collection. Since a modern network usually has more than one network device, the problem of collecting and consolidating flows arises. It is solved with so-called collectors, which process the received flows and pass them on for analysis.
- Flow analysis. The analyser takes on the main intellectual task and, by applying various algorithms to the flows, draws particular conclusions. As part of the IT function, for example, such an analyser can identify network bottlenecks or analyse the traffic load profile in order to optimise the network further. For information security, such an analyser can detect data leaks, the spread of malicious code, or DoS attacks.
Do not think that this three-tier architecture is too complicated: every other option (except perhaps network monitoring systems working over SNMP and RMON) works the same way. There is a data generator for analysis, whether a network device or a standalone sensor; there is an alert collection system; and there is a management system for the whole monitoring infrastructure. The last two components can be combined in one node, but in a more or less large network they are usually spread across at least two devices to ensure scalability and reliability.
Unlike packet analysis, which relies on examining the header and body of every packet and of the sessions they make up, flow analysis relies on collecting metadata about network traffic. When, how much, from where, to where, how... these are the questions answered by analysing network telemetry using the various flow protocols. Originally it was used to analyse statistics and find IT problems in the network, but as the analysis mechanisms developed it became possible to apply them to the same telemetry for security purposes. Note once again that flow analysis does not replace packet capture; each method has its own area of application. However, in the context of this article, flow analysis is what suits monitoring of the internal infrastructure best. You have network devices (whether they work in a software-defined paradigm or by static rules) that an attack cannot get around. A classic IDS sensor can be bypassed; a network device that supports a flow protocol cannot. That is the advantage of this method.
On the other hand, if law enforcement or your own incident investigation team need evidence, you cannot do without packet capture: network telemetry is not a copy of the traffic that can be used to collect evidence, it is needed for rapid detection and decision-making in information security. On the other hand, with telemetry analysis you can "record" not all network traffic (unless you are Cisco with its data centres :-) but only the traffic involved in an attack. In that respect telemetry analysis tools complement classic packet capture mechanisms well by issuing commands for selective capture and storage. Otherwise you would need a huge storage infrastructure.
Imagine a network running at 250 Mbit/s. If you want to store that whole volume, you need 31 MB of storage for one second of traffic, 1.8 GB for a minute, 108 GB for an hour and 2.6 TB for a day. Storing a day's worth of data from a 10 Gbit/s network takes 108 TB. And some regulators require security data to be kept for years... On-demand recording, which flow analysis helps implement, reduces these figures by orders of magnitude. Incidentally, the ratio between the volume of recorded network telemetry and a full data capture is roughly 1 to 500: for the same figures as above, storing the telemetry for all of a day's traffic comes to about 5 GB and 216 GB respectively (it would fit on an ordinary flash drive).
For tools that analyse raw network data, the way the data is obtained is roughly the same across vendors, but with flow analysis the situation is different. There are several flow protocols, and you need to know their differences from a security point of view. The most popular is the Netflow protocol developed by Cisco. It has several versions, which differ in capabilities and in the amount of traffic information recorded. The current version is the ninth (Netflow v9), and on its basis the industry standard Netflow v10, also known as IPFIX, was developed. Today most network vendors support Netflow or IPFIX in their equipment. There are, however, various other flow protocols (sFlow, jFlow, cFlow, rFlow, NetStream and so on), of which sFlow is the most popular; because it is easy to implement, it is also the one most favoured by domestic network equipment vendors. What are the main differences between Netflow, which has become the de facto standard, and sFlow? I will mention a few key points. First, Netflow has user-customisable fields, in contrast to the fixed fields of sFlow. Second, and this is the most important thing for our case, sFlow collects so-called sampled telemetry, as opposed to the unsampled telemetry of Netflow and IPFIX. What is the difference?
Imagine you have decided to read a book...
In the context of security monitoring this means that sampled telemetry is suitable for detecting DDoS attacks, scanning and the spread of malicious code, but it may miss atomic or multi-packet attacks that did not make it into the sample sent for analysis. Unsampled telemetry has no such drawback, so the range of detectable attacks is much wider. Below is a short list of events that can be detected with network telemetry analysis tools.
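To make the sampling caveat concrete, here is an added example (not code from the article) that simulates sFlow-style 1-in-N packet sampling over a constructed packet stream and compares it with unsampled accounting; the addresses, flow sizes and the 1-in-1000 rate are assumptions.

```python
"""Sampled versus unsampled flow telemetry (added example, not from the article).

A constructed packet stream mixes ordinary client traffic, a 20,000-packet flood
and a single-packet "atomic" attack.  sFlow-style 1-in-N sampling still shows the
flood (its size can even be estimated), but it catches the lone attack packet for
only one sampling offset out of N; unsampled NetFlow/IPFIX accounting reports both.
"""
from collections import Counter

FLOOD = ("198.51.100.7", "10.0.1.10", 80)   # constructed: one source hammering a server
ATOMIC = ("192.0.2.99", "10.0.1.20", 22)    # constructed: a single attack packet
ATOMIC_INDEX = 12345                        # position of that packet in the stream


def build_stream():
    """Packets as (src IP, dst IP, dst port); documentation address ranges only."""
    pkts = [(f"10.0.0.{i % 50}", "10.0.1.10", 443) for i in range(5000)]
    pkts += [FLOOD] * 20000
    pkts.insert(ATOMIC_INDEX, ATOMIC)
    return pkts


def unsampled_flows(pkts):
    """Every packet is accounted for, as NetFlow v9 / IPFIX do on a switch."""
    return Counter(pkts)


def sampled_flows(pkts, n=1000, offset=0):
    """Deterministic 1-in-n packet sampling; counts are scaled back up by n,
    which is how an sFlow collector estimates the real volumes."""
    seen = Counter(p for idx, p in enumerate(pkts) if idx % n == offset)
    return Counter({key: cnt * n for key, cnt in seen.items()})


def offsets_that_catch(pkts, key, n=1000):
    """Which of the n possible sampling offsets would ever sample a packet of `key`?"""
    return sorted({idx % n for idx, p in enumerate(pkts) if p == key})


if __name__ == "__main__":
    pkts = build_stream()
    full, sampled = unsampled_flows(pkts), sampled_flows(pkts)
    print("unsampled sees flood/atomic:", full[FLOOD], full[ATOMIC])
    print("sampled estimates flood/atomic:", sampled[FLOOD], sampled[ATOMIC])
    print("offsets catching the atomic packet:", offsets_that_catch(pkts, ATOMIC))
```

The flood survives sampling with a usable size estimate, while the single attack packet is visible only if the sampler happens to start at one specific offset.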
Of course, some open-source Netflow analysers cannot do this, since their main task is only to collect telemetry and perform basic analysis from an IT point of view. To identify security threats from flows, the analyser has to be equipped with various engines and algorithms that identify cyber-security problems on the basis of standard or custom Netflow fields and enrich the standard data with external data from various threat intelligence sources.
So if you have a choice, choose Netflow or IPFIX. But even if your equipment works only with sFlow, as is the case with domestic vendors, you can still gain from it from a security standpoint.
In the summer of 2019 I analysed the capabilities of Russian network hardware vendors, and all of them except NSG, Polygon and Craftway declared support for sFlow (at least Zelax, Natex, Eltex, QTech and Rusteleteh).
The next question is where to implement flow support for security purposes. In fact, the question is not quite correctly posed: modern equipment almost always supports flow protocols. So I would reformulate it: where is it most effective to collect telemetry from a security standpoint? The answer is obvious: at the access level. There you see 100% of the traffic, you get detailed information about hosts (MAC, VLAN, interface ID), and you can monitor the P2P traffic between hosts, which is important for detecting scans and the spread of malicious code. At the core level you simply will not see part of the traffic, and at the perimeter level you will see only a fraction of all the network traffic. Moreover, if for some reason your network contains external devices through which attackers can get in and out bypassing the perimeter, analysing telemetry from the perimeter will give you nothing. So for maximum coverage it is recommended to enable telemetry collection at the access level. At the same time, it is worth noting that even when we talk about virtualisation and containers, flow support is common in modern virtual switches too, so traffic there can also be controlled.
But since I have raised this topic, I have to answer the question: what if the equipment, physical or virtual, does not support flow protocols? Or what if enabling it is prohibited (for example, in industrial segments, to ensure reliability)? Or what if turning it on drives the CPU load too high (which happens on old hardware)? To solve this problem there are specialised virtual sensors (flow sensors), which are essentially ordinary splitters that pass traffic through themselves and broadcast it to the collection module in flow form. True, in this case you get all the problems described above in relation to packet capture tools. In other words, you need to understand not only the advantages of flow analysis technology but also its limitations.
One more important point to keep in mind when talking about flow analysis tools. If with classic means of generating security events you use the EPS metric (events per second), that indicator does not apply to telemetry analysis; it is replaced by FPS (flows per second). As with EPS, it cannot be calculated in advance, but you can estimate the approximate number of flows a given device generates depending on its task. On the Internet you can find tables with approximate values for different types of enterprise devices and conditions, which let you estimate what licences your analysis tool will need and what its architecture will look like. The point is that an IDS sensor is limited by the bandwidth it can "pull", while a flow collector has its own limits that you need to understand. Therefore in large, geographically distributed networks there are usually several collectors.
We use our own solution as our Netflow monitoring system.
When we talk about Netflow analysis systems from a security standpoint, it is clear that the market is not limited to a single Cisco solution; both commercial and free or shareware solutions can be used. Since it would be rather strange to cite competitors' solutions as examples on a Cisco blog, I will say a little about how network telemetry can be analysed with two popular tools whose names are similar but which are nonetheless different: SiLK and ELK.
SiLK (System for Internet-Level Knowledge) is a set of traffic analysis tools developed by the American CERT/CC. In the context of today's article it supports Netflow (the most common versions 5 and 9), IPFIX and sFlow, and uses various utilities (rwfilter, rwcount, rwflowpack and so on) to perform various operations on network telemetry in order to detect signs of unauthorised actions in it. There are, however, a few important points to note. SiLK is a command-line tool that performs analysis by entering commands such as the following (detecting ICMP packets larger than 200 bytes):
rwfilter --flowtypes=all/all --proto=1 --bytes-per-packet=200- --pass=stdout | rwcut --fields=sIP,dIP,iType,iCode --num-recs=15
This is not very comfortable. You can use the iSiLK GUI, but it does not make the work much easier; it only solves the visualisation task and does not replace the analyst. And this is the second point. Unlike commercial solutions, which already have a solid analytical base, anomaly detection algorithms, a corresponding workflow and so on, with SiLK you have to do all of this yourself, which demands somewhat different skills than using a ready-made tool. This is neither good nor bad; it is a feature of almost every free tool: it assumes the user knows what to do and merely helps with it (commercial tools depend less on the user's skills, although they still assume the analyst understands at least the basics of network investigation and monitoring). But let us return to SiLK. The analyst's work cycle looks like this:
- Formulating a hypothesis. We need to understand what we are looking for in the network telemetry and know the unique attributes by which a particular anomaly or threat can be identified.
- Building a model. Having formulated the hypothesis, we program it using the same Python, a shell, or other tools not included in SiLK.
- Testing. Now it is the turn of checking the hypothesis, which is confirmed or refuted using the SiLK utilities whose names begin with "rw", "set" and "bag".
- Analysing real data. In production, SiLK helps identify something, and the analyst has to answer the questions "Did we find what we expected?", "Does this match the hypothesis?", "How can we reduce the number of false positives?", "How can we improve the level of recognition?" and so on.
- Improvement. In the final stage we improve what was done earlier: create templates, improve and optimise the code, reformulate and refine the hypothesis, and so on.
This cycle applies to Cisco Stealthwatch as well, except that the latter automates these five steps as far as possible, reducing the number of analyst errors and raising the efficiency of incident detection. For example, in SiLK you can enrich network statistics with external data on malicious IPs using hand-written scripts, whereas Cisco Stealthwatch has a built-in function that immediately raises an alarm when the network traffic contains interaction with a blacklisted IP address.
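As an added example (not code from the article or from the SiLK project), the following Python turns three hypotheses from the text into checks over constructed NetFlow-style records: the ICMP bytes-per-packet selection from the rwfilter command, a port-scan heuristic, and the blacklisted-IP enrichment; the records, the thresholds and the blacklist entry are all assumptions.

```python
"""Flow-analysis hypotheses over NetFlow-style records (added example, not from
the article or the SiLK project).  The constructed records carry the fields the
article's rwfilter/rwcut pipeline uses (sIP, dIP, proto, ports, packets, bytes,
iType, iCode).  Three hypotheses from the text are coded in plain Python instead
of the rw* utilities: ICMP flows averaging 200+ bytes per packet, one source
probing many ports on a host, and any flow involving a blacklisted IP.
"""
from collections import defaultdict

FIELDS = ("sIP", "dIP", "proto", "sPort", "dPort", "packets", "bytes", "iType", "iCode")

# Constructed telemetry; 10.x and 203.0.113.x are private/documentation addresses.
SAMPLE_FLOWS = """\
10.1.1.5,10.1.2.9,1,0,0,4,1200,8,0
10.1.1.5,10.1.2.9,1,0,0,3,180,8,0
10.1.1.7,203.0.113.44,6,51234,443,20,9000,0,0
10.1.1.9,10.1.2.20,6,40001,22,1,60,0,0
10.1.1.9,10.1.2.20,6,40002,23,1,60,0,0
10.1.1.9,10.1.2.20,6,40003,80,1,60,0,0
10.1.1.9,10.1.2.20,6,40004,445,1,60,0,0
10.1.1.12,10.1.2.30,17,5353,53,2,160,0,0
"""
# Constructed "threat intelligence" entry (hypothetical, not a real indicator).
BLACKLIST = {"203.0.113.44"}

def parse_flows(text):
    """Turn comma-separated records into dicts with integer counters."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            rec = dict(zip(FIELDS, line.split(",")))
            for key in FIELDS[2:]:
                rec[key] = int(rec[key])
            flows.append(rec)
    return flows

def large_icmp(flows, min_bytes_per_packet=200):
    """Hypothesis 1: the rwfilter --proto=1 --bytes-per-packet=200- selection."""
    return [f for f in flows
            if f["proto"] == 1 and f["bytes"] / f["packets"] >= min_bytes_per_packet]

def port_scanners(flows, min_ports=4):
    """Hypothesis 2: (source, destination) pairs touching many distinct TCP ports."""
    ports = defaultdict(set)
    for f in flows:
        if f["proto"] == 6:
            ports[(f["sIP"], f["dIP"])].add(f["dPort"])
    return sorted(pair for pair, seen in ports.items() if len(seen) >= min_ports)

def blacklist_hits(flows, blacklist=BLACKLIST):
    """Hypothesis 3: alert on any flow whose source or destination is blacklisted."""
    return [f for f in flows if f["sIP"] in blacklist or f["dIP"] in blacklist]

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("large ICMP :", [(f["sIP"], f["dIP"]) for f in large_icmp(flows)])
    print("scanners   :", port_scanners(flows))
    print("blacklisted:", [(f["sIP"], f["dIP"]) for f in blacklist_hits(flows)])
```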
Moving up the "paid" pyramid of flow analysis software, after the completely free SiLK comes the shareware ELK, which consists of three main components: Elasticsearch (indexing, search and data analysis), Logstash (data input and output) and Kibana (visualisation). Unlike SiLK, where you have to write everything yourself, ELK already has a number of ready-made libraries and modules (some paid, some free) that automate the analysis of network telemetry. For example, the GeoIP filter in Logstash lets you tie monitored IP addresses to a geographic location (Stealthwatch has this built in).
ELK also has a fairly large community that fills in the components this monitoring solution lacks; ready-made modules exist, for example, for working with Netflow, IPFIX and sFlow. Although ELK is efficient at collecting flows and searching through them, it currently lacks rich built-in analytics for detecting anomalies and threats in network telemetry. That is, following the life cycle described above, you have to write the violation models yourself and then use them in the production system (there are no built-in models).
Of course, ELK has more sophisticated extensions that already contain some models for detecting anomalies in network telemetry, but such extensions cost money, and the question becomes whether the game is worth the candle: write a similar model yourself, buy one for the monitoring tool you have chosen, or purchase a ready-made solution of the Network Traffic Analysis class.
In general, I do not want to get into the argument over whether it is better to pay real money for a ready-made solution for monitoring anomalies and threats in network telemetry (Cisco Stealthwatch, for example) or to work things out yourself and adapt SiLK, ELK, nfdump or OSU Flow Tools to every new threat (I am speaking of the last few).
To sum up, I would like to list the main tips to follow when building security monitoring of the internal infrastructure:
- Do not limit yourself to the perimeter. Use (and choose) your network infrastructure not only to move traffic from point A to point B but also to address cyber-security tasks.
- Examine the existing security monitoring mechanisms in your network equipment and use them.
- For internal monitoring, give preference to telemetry analysis: it lets you detect up to 80 to 90% of all network security incidents while doing what is impossible when capturing network packets, and it saves the space needed to store all security events.
- To monitor flows, use Netflow v9 or IPFIX: they provide more information in a security context and allow monitoring not only of IPv4 but also of IPv6, MPLS and so on.
- Use unsampled flow protocols; they provide more information for threat detection. Netflow or IPFIX, for example.
- Check the load on your network equipment; it may not be able to handle a flow protocol. In that case consider using virtual sensors or a Netflow Generation Appliance.
- Implement control at the access level first of all; this gives you the possibility of seeing 100% of all traffic.
- If you have no choice and are using Russian network equipment, choose equipment that supports a flow protocol or has SPAN/RSPAN ports.
- Combine intrusion/attack detection and prevention systems at the edge with flow analysis systems in the internal network (including the cloud).
Regarding the last tip, I would like to give an example I have described before. The Cisco information security service used to build its security monitoring system almost entirely on intrusion detection systems and signature methods; today we see that these account for only 20% of incidents. Another 20% falls to flow analysis systems, which shows that these solutions are not a whim but a real tool in the work of a modern company's security service. Moreover, the most important thing for implementing them is the network infrastructure you already have, an investment that can be protected further by assigning security monitoring functions to the network.
I have not touched specifically on responding to anomalies and threats identified in network flows, but I think it is already clear that monitoring should not end with threat detection. It should be followed by a response, preferably in automatic or automated mode. But that is a topic for another article.
Additional information:
- Description of Cisco IOS Netflow
- Netflow support matrix for various Cisco solutions
- Netflow configuration guides for various Cisco platforms
- sFlow community
- Analysing Netflow from a security standpoint with Stealthwatch, SiLK and ELK
- SiLK website
- A multi-page guide to using SiLK, with plenty of examples
- Logstash Netflow module
- Cisco step-by-step guide to Netflow analysis in ELK
- Analysing Cisco ASA NetFlow v9 with Logstash (ELK)
- Cisco Stealthwatch solution
PS. If you would like to hear all of the above, watch the presentation on which this note is based.
Source: habr.com