Hello! In the previous article we explained how the ELK stack works. Here we describe what an information security specialist can achieve by using this system: which logs can and should be added to Elasticsearch, what statistics can be obtained by building dashboards, and whether there is any benefit in it. We also look at how automation of information security processes can be implemented with the ELK stack, and draw up the architecture of the system. Taken together, implementing all of this functionality is a very large and difficult job, so the solution was given its own name: TS Total Sight.
Solutions that consolidate and analyse information security incidents in a single logical place are gaining popularity: as a result the specialist receives statistics and a line of action for improving the state of information security in the organisation. We set ourselves this task when using the ELK stack, and as a result split the main functionality into four sections:
- Statistics and visualisation;
- Detection of IS incidents;
- Prioritisation of incidents;
- Automation of information security processes.
Let's look at each of them in detail.
Detection of information security incidents
In our case, the main task when using Elasticsearch is to collect only information security incidents. IS incidents can be collected from any protection tool as long as it supports at least some log forwarding mode; the standard ones are syslog or saving to a file over scp.
Standard examples of protection tools (and not only those) from which log forwarding should be configured:
- Any NGFW (Check Point, Fortinet);
- Any vulnerability scanner (PT Scanner, OpenVas);
- Web Application Firewall (PTAF);
- Netflow analysers (Flowmon, Cisco StealthWatch);
- AD server.
Once log forwarding and the configuration files for Logstash are set up, incidents from different security tools can be correlated and compared. For this it is convenient to use indices that hold all incidents related to a particular device; in other words, one index holds all the incidents for one device. This distribution can be implemented in two ways.
The first option is to configure the Logstash config. To do this, logs matching certain fields are duplicated into a separate event with a different type, and that type is used later in the pipeline. In this example, logs from the IPS blade of a Check Point firewall are cloned:
```
filter {
  if [product] == "SmartDefense" {
    clone {
      clones => ["CloneSmartDefense"]
      add_field => {"system" => "checkpoint"}
    }
  }
}
```
A similar construction can be used to save such events to a separate index depending on a log field, for example the destination IP of the attack signature:
```
output {
  # the clone filter above sets type to the clone name
  if [type] == "CloneSmartDefense" {
    elasticsearch {
      hosts => ["<IP_address_elasticsearch>:9200"]
      # one index per destination IP of the signature
      index => "smartdefense-%{dst}"
      user => "admin"
      password => "password"
    }
  }
}
```
In this way all incidents can be saved to an index per IP address or per machine domain name. Here they go to the index "smartdefense-%{dst}", chosen by the destination IP address of the signature.
However, different products have different log fields, which leads to chaos and wasted memory. The fields in the Logstash config would then have to be carefully replaced with pre-designed ones that are the same for every type of incident, which is also laborious work.
The second implementation option is to write a script or process that queries the Elasticsearch database in real time, pulls out the required incidents and saves them to a new index. This is laborious work, but it lets you work with the logs however you like and correlate them directly with incidents from other security tools. This option lets you tailor the work with logs to your case with maximum flexibility, but the problem becomes finding a specialist who can implement it.
And of course the main question: what can actually be correlated and detected?
There are several options, depending on which security tools are used in your infrastructure. A few examples:
- The most obvious and, in my view, the most interesting option for anyone who has an NGFW solution and a vulnerability scanner: comparing IPS logs with vulnerability scan results. If an attack was detected (not prevented) by the IPS system, and according to the scan results that vulnerability is not fixed on the end machine, sound the alarm, because there is a high probability that the vulnerability was exploited.
- Many login attempts from one machine to different places may indicate malicious activity.
- A user downloading virus files after visiting a huge number of potentially dangerous sites.
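As an added example (not code from the original article), the first two correlation rules above implemented over constructed sample documents shaped like the per-device indices: an IPS event with action Detect against a host the scanner still reports as unpatched, and one source trying to log in to many targets within a short window. The field names and the CVE identifiers are assumptions, not Check Point or scanner fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed documents shaped like the per-device indices described above.
# Field names and the CVE ids are assumptions, not Check Point or scanner fields.
IPS_EVENTS = [
    {"time": "2020-03-01T10:00:00", "dst": "10.0.1.20", "action": "Detect",
     "attack": "Web framework RCE", "cve": "CVE-PLACEHOLDER-1"},
    {"time": "2020-03-01T10:01:00", "dst": "10.0.1.21", "action": "Prevent",
     "attack": "SMB exploit", "cve": "CVE-PLACEHOLDER-2"},
    {"time": "2020-03-01T10:02:00", "dst": "10.0.1.22", "action": "Detect",
     "attack": "TLS heartbeat leak", "cve": "CVE-PLACEHOLDER-3"},
]
SCAN_RESULTS = [  # one row per (host, cve) from the vulnerability scanner
    {"host": "10.0.1.20", "cve": "CVE-PLACEHOLDER-1", "fixed": False},
    {"host": "10.0.1.22", "cve": "CVE-PLACEHOLDER-3", "fixed": True},
]
AUTH_EVENTS = [  # one workstation failing to log in to six servers in six seconds
    {"time": f"2020-03-01T11:00:{s:02d}", "src": "10.0.0.9", "target": f"srv{s:02d}"}
    for s in range(6)
]

def exploited_unpatched(ips_events, scan_results):
    """Rule 1: the IPS only detected (did not prevent) an attack on a host that
    the scanner still reports as vulnerable to the same CVE."""
    unpatched = {(r["host"], r["cve"]) for r in scan_results if not r["fixed"]}
    return [e for e in ips_events
            if e["action"] == "Detect" and (e["dst"], e["cve"]) in unpatched]

def login_fanout(auth_events, window=timedelta(minutes=5), min_targets=5):
    """Rule 2: one source trying to log in to many distinct targets inside a
    sliding window, which may indicate lateral movement."""
    by_src = defaultdict(list)
    for ev in sorted(auth_events, key=lambda e: e["time"]):
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, events in by_src.items():
        for i, first in enumerate(events):
            t0 = datetime.fromisoformat(first["time"])
            targets = {e["target"] for e in events[i:]
                       if datetime.fromisoformat(e["time"]) - t0 <= window}
            if len(targets) >= min_targets:
                alerts.append({"src": src, "from": first["time"], "targets": sorted(targets)})
                break  # one alert per source is enough
    return alerts
```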
Statistics and visualisation
The most obvious and understandable purpose of the ELK stack is storing and visualising logs.
Examples:
- A dashboard of threat prevention events with the most critical events. Here you can show which IPS signatures were detected and where they come from geographically.
- A dashboard on the use of the most critical applications through which information might leak.
- Scan results from any security scanner.
- Logs from Active Directory per user.
- A dashboard of VPN connections.
If the dashboards are set to refresh every few seconds, you get a very convenient system for monitoring events in real time, with the dashboards on a separate screen.
Prioritisation of incidents
In a large infrastructure the number of incidents can go off the scale, and the specialists will not have time to analyse every incident on time. In that case the incidents that pose the greatest threat must be picked out first, so the system needs to prioritise incidents by their severity in relation to your infrastructure. It is also advisable to set up notifications by e-mail or Telegram for these events. Prioritisation can be implemented with the standard Kibana tools by configuring visualisations. Notifications are harder: by default this functionality is not included in the basic version of Elasticsearch, only in the paid one. So either buy the paid version or, once again, write your own process that notifies the specialists in real time by e-mail or Telegram.
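An added illustration, not part of the original article, of the home-grown prioritisation and notification process described above: the query such a process could send to Elasticsearch, a scoring of the returned hits by signature severity and asset importance, and the text of the notification (sending it is left to whatever transport you use). Field names, weights and the sample hits are assumptions.

```python
SEVERITY_WEIGHT = {"Low": 1, "Medium": 2, "High": 4, "Critical": 8}
ASSET_WEIGHT = {"10.0.1.20": 5, "10.0.1.40": 3}  # assumed: domain controller, DB server
DEFAULT_ASSET_WEIGHT = 1

SAMPLE_HITS = [  # constructed hits, as the process would read them from the indices
    {"attack": "SQL injection", "severity": "High", "dst": "10.0.1.40"},
    {"attack": "SQL injection", "severity": "High", "dst": "10.0.1.40"},
    {"attack": "Port scan", "severity": "Low", "dst": "10.0.2.7"},
    {"attack": "Kerberos ticket attack", "severity": "Critical", "dst": "10.0.1.20"},
]

def priority_query(window_minutes, min_severity="High"):
    """Elasticsearch query DSL for the recent events at or above a severity,
    with a terms aggregation by destination host (field names assumed)."""
    severities = [s for s, w in SEVERITY_WEIGHT.items()
                  if w >= SEVERITY_WEIGHT[min_severity]]
    return {
        "size": 500,
        "query": {"bool": {"filter": [
            {"range": {"@timestamp": {"gte": f"now-{window_minutes}m"}}},
            {"terms": {"severity": severities}},
        ]}},
        "aggs": {"by_dst": {"terms": {"field": "dst", "size": 50}}},
    }

def rank_incidents(hits):
    """Score each hit as severity weight x asset weight, merge repeats of the
    same (signature, host) pair so their scores add up, most important first."""
    merged = {}
    for h in hits:
        score = SEVERITY_WEIGHT[h["severity"]] * ASSET_WEIGHT.get(h["dst"], DEFAULT_ASSET_WEIGHT)
        e = merged.setdefault((h["attack"], h["dst"]),
                              {"attack": h["attack"], "dst": h["dst"], "score": 0, "count": 0})
        e["score"] += score
        e["count"] += 1
    return sorted(merged.values(), key=lambda e: (-e["score"], e["dst"]))

def notification(ranked, top=3):
    """Body of the e-mail/Telegram message for the highest-ranked incidents."""
    lines = [f"Top {min(top, len(ranked))} information security incidents:"]
    for e in ranked[:top]:
        lines.append(f"score {e['score']:>3}  {e['dst']:<12} {e['attack']} (x{e['count']})")
    return "\n".join(lines)
```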
Automation of information security processes
One of the most interesting parts is automating actions in response to information security incidents. We previously implemented this functionality for Splunk; see that article for details.
- Switching an IPS signature from Detect to Prevent. If Prevent is not in effect for critical signatures, that is not right and is a serious gap in the protection system, so the action for such signatures in the policy is changed. This can be implemented if the NGFW device has a REST API. It is only possible with programming skills: the required information has to be pulled from Elasticsearch and API requests executed against the NGFW management server.
- If many signatures were detected or blocked in network traffic from one IP address, it makes sense to block that IP address for a while in the firewall policy. The implementation again relies on the REST API.
- Starting a host scan with the vulnerability scanner if a host has a large number of signatures from the IPS or other security tools. With OpenVas, you can write a script that connects to the security scanner over SSH and launches the scan.
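As an added example (not the article's or TS Total Sight's code), the decision logic behind the three automation rules above: it turns IPS hits into the policy changes, temporary blocks and scan requests that would then be submitted through the NGFW's REST API or to OpenVAS over SSH; those calls themselves are out of scope here. Field names, thresholds and the sample hits are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed IPS hits (schema assumed, not Check Point's): 12 hits from one
# source to one host within six minutes, plus two unrelated hits.
IPS_HITS = [
    {"time": f"2020-03-01T09:{i // 2:02d}:{30 * (i % 2):02d}", "src": "10.0.0.5",
     "dst": "10.0.1.20", "attack": "Web shell upload", "severity": "Critical",
     "action": "Detect"} for i in range(12)
] + [
    {"time": "2020-03-01T09:30:00", "src": "10.0.0.8", "dst": "10.0.1.21",
     "attack": "Brute force", "severity": "Medium", "action": "Detect"},
    {"time": "2020-03-01T09:31:00", "src": "10.0.0.8", "dst": "10.0.1.21",
     "attack": "Port scan", "severity": "High", "action": "Prevent"},
]
CRITICAL = {"High", "Critical"}

def signatures_to_prevent(hits):
    """Rule 1: critical signatures still running with action Detect are the
    policy changes to request (switch them to Prevent)."""
    names = sorted({h["attack"] for h in hits
                    if h["severity"] in CRITICAL and h["action"] == "Detect"})
    return [{"signature": n, "action": "Prevent"} for n in names]

def sources_to_block(hits, threshold=10, window=timedelta(minutes=10),
                     block_for=timedelta(hours=1)):
    """Rule 2: a source IP with `threshold` hits inside a sliding window gets
    a temporary firewall block; the expiry is part of the plan, not implied."""
    by_src = defaultdict(list)
    for h in hits:
        by_src[h["src"]].append(datetime.fromisoformat(h["time"]))
    plan = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                plan.append({"src": src, "until": (t + block_for).isoformat()})
                break
    return plan

def hosts_to_scan(hits, threshold=5):
    """Rule 3: hosts hit by many signatures get a vulnerability scan queued."""
    counts = Counter(h["dst"] for h in hits)
    return sorted(d for d, n in counts.items() if n >= threshold)
```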
TS Total Sight
In short, implementing all of the functionality is a very large and difficult job. Without programming skills you can still set up the minimum functionality needed to be productive. But if the full functionality is of interest, take a look at TS Total Sight. For details,
Conclusion
We have looked at what can be implemented with the ELK stack. In the following articles we will look at the functionality of TS Total Sight in more detail.
Stay tuned!
Source: habr.com