Once, an ordinary firewall and an antivirus program were enough to protect a local network, but such a setup is no longer sufficient against modern attackers and the malware that has been multiplying in recent years. The good old firewall analyzes only packet headers and passes or blocks packets according to a set of formal rules. It knows nothing about the contents of the packets, so it cannot recognize the outwardly legitimate actions of an intruder. Antivirus programs do not always catch malware, so the administrator is left with the task of watching for abnormal activity and isolating infected hosts in time.
There are many advanced tools capable of protecting corporate IT infrastructure. Today we will talk about open-source intrusion detection and prevention systems that can be deployed without buying expensive hardware or software licenses.
IDS/IPS classification
An IDS (intrusion detection system) is a system designed to register suspicious activity on a network or on an individual computer. It keeps an event log and notifies the person responsible for information security. An IDS includes the following components:
- sensors for observing network traffic, various logs and so on;
- an analysis subsystem that detects signs of malicious activity in the received data;
- storage for accumulating primary events and analysis results;
- a management console.
Initially, IDS were classified by where they were placed: an IDS could focus on protecting individual nodes (host-based, HIDS) or the entire corporate network (network-based, NIDS). The so-called APIDS (application protocol-based IDS) is also worth mentioning: it monitors a limited set of application-layer protocols to detect specific attacks and does not analyze network packets in depth. Such products usually resemble proxies and are used to protect specific services: a web server and its web applications (for example, those written in PHP), a database server and so on. A typical representative of this class is mod_security (ModSecurity) for the Apache web server.
We are more interested in universal NIDS that support a wide range of communication protocols and DPI (deep packet inspection) technology. They monitor all passing traffic, starting from the data link layer, and detect a wide range of network attacks and unauthorized access to information. Such systems often have a distributed architecture and can interact with various active network equipment. Note that many modern NIDS are hybrids combining several approaches. Depending on their configuration and settings, they solve different tasks, for example protecting a single node or the whole network. Moreover, the IDS functions for workstations were taken over by antivirus packages, which, thanks to the spread of Trojans aimed at stealing information, turned into multifunctional firewalls that also recognize and block suspicious traffic.
Initially, an IDS could only detect malware activity, port scanners or user violations of the corporate security policy. When a certain event occurred, it notified the administrator, but it quickly became clear that merely recognizing an attack is not enough: it has to be blocked. So the IDS evolved into the IPS (intrusion prevention system), which can interact with firewalls.
Detection methods
Modern intrusion detection and prevention solutions use different methods to detect malicious activity; these methods fall into three categories, which gives us another way to classify the systems:
- Signature-based IDS/IPS look for patterns in traffic or monitor changes in system state to detect network attacks or infection attempts. In practice they rarely raise false alarms or miss the attacks they know, but they cannot detect unknown threats and are only as good as the signature set and how promptly it is updated.
- Anomaly-detection IDS do not use attack signatures. They recognize abnormal behaviour of the information system (including anomalies in network traffic) and can detect unknown attacks. Such systems produce many false positives, and when used carelessly (for example, put in blocking mode with a poorly trained baseline) they can paralyze the local network.
- Rule-based IDS work on the principle IF <fact> THEN <action>. Essentially they are expert systems with a knowledge base, that is, a set of facts and inference rules. Such solutions take a long time to set up, and the administrator needs a detailed understanding of the network.
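To make the three categories concrete, here is an added example (not code from the original article, Snort or Suricata) that runs each strategy over the same set of constructed flow records: a signature matcher with a hand-made pattern table, an anomaly detector that learns a per-source baseline of distinct destination ports and flags sources above mean plus k standard deviations, and a rule engine that forward-chains IF-fact-THEN-action rules over a constructed knowledge base. All addresses, payloads, thresholds and the 60-second learning boundary are assumptions for the demonstration.

```python
"""Three IDS detection strategies run over the same constructed flow records.

Added example for this article, not code from Snort, Suricata or the original
post. Flow records, byte patterns, thresholds and the "admin-supplied" facts
are all constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not a real capture): (t_seconds, src_ip, dst_ip, dst_port, payload)
FLOWS = [
    (0,  "10.0.0.5", "10.0.0.20", 80,  b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    (1,  "10.0.0.6", "10.0.0.20", 443, b"\x16\x03\x01\x00\xc8"),
    (2,  "10.0.0.7", "10.0.0.20", 80,  b"GET /news HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    (3,  "10.0.0.7", "10.0.0.21", 443, b"\x16\x03\x01\x00\xc8"),
    (4,  "10.0.0.5", "10.0.0.21", 443, b"\x16\x03\x01\x00\xc8"),
    # learning period ends at t=60 (hypothetical boundary); detection starts here
    (61, "10.0.0.5", "10.0.0.20", 80,  b"GET /login HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    (62, "10.0.0.9", "10.0.0.20", 80,  b"GET /item?id=1' OR '1'='1 HTTP/1.1\r\nHost: intranet\r\n\r\n"),
] + [
    # one host touching twelve different ports of the same server: a port sweep
    (63, "10.0.0.66", "10.0.0.20", p, b"")
    for p in (21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389)
]

# --- 1. Signature method -------------------------------------------------------
SIGNATURES = {                      # byte patterns from known attacks (constructed)
    "sql-injection-tautology": b"' OR '1'='1",
    "path-traversal": b"../../",
    "unix-passwd-read": b"/etc/passwd",
}

def signature_alerts(flows):
    """Match every payload against every known pattern; unknown attacks never fire."""
    return [(t, src, name)
            for t, src, _dst, _port, payload in flows
            for name, pattern in SIGNATURES.items()
            if pattern in payload]

# --- 2. Anomaly method ---------------------------------------------------------
def distinct_ports_per_source(flows):
    ports = defaultdict(set)
    for _t, src, _dst, port, _payload in flows:
        ports[src].add(port)
    return {src: len(p) for src, p in ports.items()}

def anomaly_alerts(flows, learn_until=60, k=3.0):
    """Learn a baseline (distinct destination ports per source) from traffic before
    learn_until, then flag sources that later exceed mean + k standard deviations.
    No signature is involved, so a never-seen scan pattern is still caught."""
    learning = [f for f in flows if f[0] < learn_until]
    detect = [f for f in flows if f[0] >= learn_until]
    base = list(distinct_ports_per_source(learning).values()) or [0]
    # floor sigma: a perfectly flat baseline would otherwise flag any deviation at all
    threshold = mean(base) + k * max(pstdev(base), 0.5)
    return {src: n for src, n in distinct_ports_per_source(detect).items() if n > threshold}

# --- 3. Rule method (IF facts THEN action) ------------------------------------
def rule_based_actions(flows):
    """A tiny forward-chaining engine: rules derive new facts from existing ones
    until nothing new appears; ACTION facts are what the IPS would carry out."""
    facts = {("talks_to", src, dst, port) for _t, src, dst, port, _p in flows}
    facts |= {("role", "10.0.0.20", "web-server"),            # constructed knowledge base
              ("role", "10.0.0.5", "admin-workstation")}

    def rule_port_sweep(fs):
        # IF a host opened more than five ports on one server THEN it sweeps that server
        seen = defaultdict(set)
        for f in fs:
            if f[0] == "talks_to":
                seen[(f[1], f[2])].add(f[3])
        return {("sweeps", s, d) for (s, d), ps in seen.items() if len(ps) > 5}

    def rule_rdp_policy(fs):
        # IF a non-admin host opens RDP (3389) to a web server THEN it violates policy
        admins = {f[1] for f in fs if f[0] == "role" and f[2] == "admin-workstation"}
        servers = {f[1] for f in fs if f[0] == "role" and f[2] == "web-server"}
        return {("policy_violation", f[1], "rdp-to-server") for f in fs
                if f[0] == "talks_to" and f[3] == 3389 and f[2] in servers and f[1] not in admins}

    def rule_block(fs):
        # IF a host sweeps or violates policy THEN block it
        return {("ACTION", "block", f[1]) for f in fs if f[0] in ("sweeps", "policy_violation")}

    rules = (rule_port_sweep, rule_rdp_policy, rule_block)
    while True:
        new = set().union(*(r(facts) for r in rules)) - facts
        if not new:
            break
        facts |= new
    return sorted(f for f in facts if f[0] == "ACTION")

if __name__ == "__main__":
    print("signature:", signature_alerts(FLOWS))
    print("anomaly:  ", anomaly_alerts(FLOWS))
    print("rules:    ", rule_based_actions(FLOWS))
```

The trade-off described above shows up directly in the output: the SQL tautology is caught only by the signature table, the port sweep only by the baseline and by the rules, and the rule engine can decide nothing until the administrator has encoded network knowledge (which host is an admin workstation, which is a server) into the fact base.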
History of IDS development
The era of rapid development of the Internet and corporate networks began in the 1990s, but experts were puzzling over advanced network security technologies somewhat earlier. In 1986, Dorothy Denning and Peter Neumann published the IDES (Intrusion Detection Expert System) model, which became the basis of modern intrusion detection systems. It used an expert system to identify known attacks, together with statistical methods and user/system profiles. IDES ran on Sun workstations and inspected both network traffic and application data. In 1993 NIDES (Next-generation Intrusion Detection Expert System), a new generation of the intrusion detection expert system, was released.
Building on the work of Denning and Neumann, the MIDAS (Multics Intrusion Detection and Alerting System) expert system, written with P-BEST and LISP, appeared in 1988. At the same time the Haystack system, based on statistical methods, was created. Another statistical anomaly detector, W&S (Wisdom & Sense), was developed at Los Alamos National Laboratory by 1990. The industry developed quickly: by 1991, for example, anomaly detection was already implemented in the TIM (Time-based Inductive Machine) system, which used inductive learning over sequential user patterns (written in Common LISP). NSM (Network Security Monitor) compared access matrices for anomaly detection, while ISOA (Information Security Officer's Assistant) supported several detection strategies: statistical methods, profile checking and an expert system. The ComputerWatch system created at AT&T Bell Labs used both statistical methods and rules for verification. Developers at the University of California built the first prototype of a distributed IDS; DIDS (Distributed Intrusion Detection System) was also an expert system.
Initially, IDS were proprietary products, but as early as 1998 Vern Paxson at the Lawrence Berkeley National Laboratory released Bro (renamed Zeek in 2018), an open-source system that uses its own rule language to analyze libpcap data. In the same year the APE packet sniffer, also built on libpcap, appeared; it was renamed Snort shortly afterwards and later grew into a full-fledged IDS/IPS. At the same time, numerous proprietary solutions began to appear.
Snort and Suricata
Many companies prefer free open-source IDS/IPS. For a long time the aforementioned Snort was considered the standard solution, but it has now been displaced by the Suricata system. Let us look at their advantages and disadvantages in a bit more detail. Snort combines the benefits of the signature method with real-time anomaly detection. Suricata also allows methods beyond attack-signature detection. Suricata was created by a separate group of developers (the Open Information Security Foundation, OISF) and was designed for inline IPS operation from early on, whereas in Snort intrusion prevention was added to an engine originally built as a pure IDS.
The main differences between the two popular products are that Suricata could use a GPU for IDS computations (CUDA-based pattern matching, present in older releases and since removed) and has a more advanced IPS. Snort 2 is a single-threaded product, whereas Suricata was designed for multithreading from the start. Because of its long history and legacy code, Snort does not make optimal use of multiprocessor/multicore hardware, whereas Suricata on ordinary general-purpose hardware can process traffic at gigabit-per-second rates. (Snort 3, released in 2021, was rewritten with multithreading, so this gap has narrowed.) One could talk at length about the similarities and differences of the two systems, but the gist is that the Suricata engine runs faster, which matters little on links that are not very wide.
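Both Snort and Suricata consume the same rule language, so a rule is the most useful thing to understand when comparing them. The following is an added example, not code from either project: a small Python engine that parses a few hypothetical local rules (SIDs in the 1000000+ range reserved for local rules; the $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS values are assumed) and evaluates them against constructed packets, covering the header fields, variables, negation, port lists and ranges, and content matching with nocase. It ignores flow tracking, hex content, pcre and every other modifier, all of which the real engines handle.

```python
"""Minimal Snort/Suricata-style rule engine: parse rule text, match constructed packets.

Added example for this article, not code from Snort or Suricata. Only a subset of
the shared rule language is implemented: header, $VARIABLES, '!' negation, [a,b]
lists, port ranges, 'content' with 'nocase', plus 'msg' and 'sid'. Hex content
(|..|), 'pcre', 'flow' and other modifiers are parsed but ignored. Variables,
rules, SIDs and packets are hypothetical.
"""
import ipaddress
import re

# Hypothetical network variables, as one would set in snort.conf or suricata.yaml
VARS = {
    "$HOME_NET": ["192.168.1.0/24"],
    "$EXTERNAL_NET": ["!192.168.1.0/24"],
    "$HTTP_PORTS": ["80", "8080"],
}

# Hypothetical local rules; SIDs from 1000000 upwards are reserved for local use.
RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL passwd file requested over HTTP"; flow:to_server,established; content:"/etc/passwd"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL SQL tautology in request"; content:"' or '1'='1"; nocase; sid:1000002; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL IRC from inside, possible bot C2"; content:"NICK "; sid:1000003; rev:1;)
"""

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    """Split 'action proto src sport dir dst dport (options)' into a dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = []  # ordered (keyword, value) pairs; order matters for content modifiers
    for raw in re.split(r";\s*", opts.strip().rstrip(";")):  # naive: assumes no ';' inside quotes
        if raw:
            key, _, val = raw.partition(":")
            options.append((key.strip(), val.strip().strip('"') if val else None))
    return dict(action=action, proto=proto, src=src, sport=sport,
                direction=direction, dst=dst, dport=dport, options=options)

def match_addr(spec, ip):
    if spec.startswith("!"):
        return not match_addr(spec[1:], ip)
    if spec == "any":
        return True
    if spec in VARS:
        return any(match_addr(s, ip) for s in VARS[spec])
    if spec.startswith("["):
        return any(match_addr(s.strip(), ip) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def match_port(spec, port):
    if spec.startswith("!"):
        return not match_port(spec[1:], port)
    if spec == "any":
        return True
    if spec in VARS:
        return any(match_port(s, port) for s in VARS[spec])
    if spec.startswith("["):
        return any(match_port(s.strip(), port) for s in spec[1:-1].split(","))
    lo, sep, hi = spec.partition(":")            # '80', '1:1024', ':1024', '1024:'
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if sep else low)
    return low <= port <= high

def match_content(options, payload):
    """Every 'content' must occur in the payload; a 'nocase' directly after it
    makes that one comparison case-insensitive, as in the real rule language."""
    for i, (key, val) in enumerate(options):
        if key != "content":
            continue
        needle, hay = val.encode(), payload
        if i + 1 < len(options) and options[i + 1][0] == "nocase":
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True

def header_matches(rule, src, sport, dst, dport):
    return (match_addr(rule["src"], src) and match_port(rule["sport"], sport)
            and match_addr(rule["dst"], dst) and match_port(rule["dport"], dport))

def match_rule(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    ok = header_matches(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not ok and rule["direction"] == "<>":     # bidirectional: try the reverse
        ok = header_matches(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return ok and match_content(rule["options"], pkt["payload"])

def run(rules_text, packets):
    """Return (action, sid, msg) for every rule that fires on every packet."""
    rules = [parse_rule(line) for line in rules_text.splitlines()
             if line.strip() and not line.lstrip().startswith("#")]
    hits = []
    for pkt in packets:
        for rule in rules:
            if match_rule(rule, pkt):
                opts = dict(rule["options"])
                hits.append((rule["action"], int(opts["sid"]), opts["msg"]))
    return hits

# Constructed packets (not a real capture); the last one repeats the first request
# from inside $HOME_NET, so rule 1000001 must not fire on it.
PACKETS = [
    dict(proto="tcp", src="203.0.113.7", sport=51000, dst="192.168.1.10", dport=80,
         payload=b"GET /../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n"),
    dict(proto="tcp", src="203.0.113.8", sport=51001, dst="192.168.1.10", dport=8080,
         payload=b"GET /login?u=admin' OR '1'='1 HTTP/1.1\r\nHost: www\r\n\r\n"),
    dict(proto="tcp", src="192.168.1.33", sport=40000, dst="198.51.100.5", dport=6667,
         payload=b"NICK bot1234\r\nUSER bot 0 * :bot\r\n"),
    dict(proto="tcp", src="192.168.1.33", sport=40001, dst="192.168.1.10", dport=80,
         payload=b"GET /etc/passwd HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for hit in run(RULES, PACKETS):
        print(hit)
```

The fourth packet carries the same /etc/passwd request as the first but originates inside $HOME_NET, so it is correctly ignored; getting the direction and the network variables right is where most self-written rules go wrong, in either engine.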
Deployment options
An IPS must be placed so that it can monitor the network segments under its control. Most often this is a dedicated computer, one interface of which is connected after the edge devices and "looks" through them at the unprotected public network (the Internet). The other IPS interface is connected to the input of the protected segment, so that all traffic passes through the system and is analyzed. Because the IPS then sits inline, it also becomes a single point of failure: its two interfaces are usually bridged and paired with a bypass (fail-open) mechanism so that a crash does not cut the segment off. In more complex cases there may be several protected segments: for example, in corporate networks a demilitarized zone (DMZ) is often allocated for services accessible from the Internet.
Such an IPS can prevent port scans, brute-force attacks, exploitation of vulnerabilities in mail servers, web servers or scripts, and other kinds of external attacks. If a computer on the local network becomes infected with malware, an inline IPS will not let it connect to a botnet server outside (a passive IDS can only raise an alert, since no traffic actually passes through it). For more serious protection of the internal network, a complex configuration may be required: a distributed system plus expensive managed switches capable of mirroring traffic (a SPAN port) to an IDS interface connected to one of the switch ports.
Corporate networks are frequently the target of distributed denial-of-service (DDoS) attacks. Modern IDS can cope with them, but the deployment option above is of little use here. The system will recognize the malicious activity and block the bogus traffic, but to do so the packets must first come through the external Internet link and reach the network interface. Depending on the intensity of the attack, the link may not cope with the load, and the attacker's goal is achieved. In such cases it is recommended to deploy the IDS on a virtual server with a known-good Internet connection. The VPS can be connected to the local network over a VPN, after which all external traffic has to be routed through it. Then, in the event of a DDoS attack, packets are blocked on the external host and never need to be sent over the link to the provider. Bear in mind that this moves the bottleneck rather than removing it: the VPS's own uplink and the VPN tunnel now have to absorb the attack, so the hosting provider's capacity and its own DDoS filtering decide how much this helps.
The problem of choice
Among free systems it is very difficult to identify a leader. The choice of IDS/IPS is determined by the network topology, the required protection functions, the administrator's personal preferences and the willingness to tinker with settings. Snort has a long history and is better documented, but information about Suricata is also easy to find online. In any case, mastering the system requires some effort, which eventually pays off: commercial hardware and hardware/software IDS/IPS appliances are quite expensive and do not always fit the budget. A good administrator is always improving his qualifications at the employer's expense, so the time spent should not be regretted; in this situation everyone wins. In the next article we will consider several options for deploying Suricata and compare the newer system with the classic IDS/IPS Snort in practice.
Source: habr.com