Flow protocols as a tool for monitoring the security of the internal network

When it comes to monitoring the security of an internal corporate or departmental network, many people associate it with controlling information leaks and deploying DLP solutions. And if you sharpen the question and ask how they detect attacks on the internal network, the answer will, as a rule, be a mention of intrusion detection systems (IDS). What was the only option 10-20 years ago is becoming an anachronism today. There is a more effective, and in some places the only feasible, option for monitoring the internal network: using flow protocols, which were originally designed for troubleshooting network problems but over time turned into a very interesting security tool. In this article we will discuss which flow protocols exist and which of them are better at detecting network attacks, where flow monitoring is best deployed, what to pay attention to when deploying such a scheme, and even how to "pull off" all of this on domestic equipment.

I will not dwell on the question "Why is monitoring the security of the internal infrastructure needed?" The answer seems obvious. But if you would nevertheless like to convince yourself once more that today you cannot do without it, watch a short video on how to penetrate a firewall-protected corporate network in 17 different ways. So we will assume that we understand that internal monitoring is necessary, and what remains is to understand how it can be organized.

I would highlight three key data sources for monitoring the infrastructure at the network level:

  • "raw" traffic that we capture and send to certain analysis systems for inspection,
  • events from the network devices through which the traffic passes,
  • traffic information received via one of the flow protocols.


Capturing raw traffic is the most popular option among security specialists, because it appeared first and was historically the first. Conventional network intrusion detection systems (the first commercial intrusion detection system was NetRanger from the Wheel Group, bought in 1998 by Cisco) were exactly what captured packets (and later sessions) and searched them for certain signatures ("decision rules" in FSTEC terminology) indicating an attack. Of course, you can analyze raw traffic not only with an IDS but also with other tools (for example, Wireshark, tcpdump or the NBAR2 functionality in Cisco IOS), but they usually lack the knowledge base that distinguishes a security tool from an ordinary IT tool.

So, intrusion detection systems. The oldest and most popular method of detecting network attacks, which copes well at the perimeter (no matter which: enterprise, data center, segment, etc.), but fails in modern switched and software-defined networks. In the case of a network built on conventional switches, the infrastructure of attack detection sensors becomes too large: you would have to place a sensor on every link to the node you want to monitor. Any vendor, of course, would be happy to sell you hundreds and thousands of sensors, but I think your budget cannot support such expenses. I can say that even at Cisco (and we are the manufacturers of NGIPS) we could not do this, although it would seem that the question of price should not stand in our way, since it is our own product. In addition, the question arises: how do you connect a sensor in such a design? In-line? What if the sensor itself fails? Do you need a bypass module in the sensor? Use splitters (taps)? All of this makes the solution more expensive and makes it unaffordable for a company of any size.


You can try to "hang" the sensor on a SPAN/RSPAN/ERSPAN port and direct traffic from the required switch ports to it. This option partly removes the problem described in the previous paragraph, but introduces another: a SPAN port cannot accept absolutely all the traffic sent to it, since it simply does not have enough bandwidth. You will have to sacrifice something. Either leave some of the nodes without monitoring (then you need to prioritize them first), or send not all traffic from the node, but only a certain type. In either case, we may miss some attacks. In addition, the SPAN port may be needed for other purposes. As a result, we will have to review the existing network topology and possibly adjust it so as to cover your network as fully as possible with the number of sensors you have (and coordinate this with IT).

And what if your network uses asymmetric routes? What if you have deployed or are planning to deploy SDN? What if you need to monitor virtual machines or containers whose traffic never reaches a physical switch at all? These are questions that traditional IDS vendors do not like, because they do not know how to answer them. Perhaps they will persuade you that all these fashionable technologies are hype and you do not need them. Perhaps they will talk about the need to start small. Or perhaps they will say you need to put a powerful thresher in the center of the network and direct all traffic to it using load balancers. Whatever option you are offered, you need to clearly understand how well it suits you. And only after that make a decision on choosing an approach to monitoring the information security of the network infrastructure. Returning to packet capture, I want to say that this method continues to be very popular and important, but its main purpose is border control: the border between your organization and the Internet, the border between the data center and the rest of the network, the border between the process control system and the corporate segment. In these places classic IDS/IPS still has a right to exist and copes well with its tasks.


Let's move on to the second option. Analyzing events that come from network devices can also be used to detect attacks, but not as the main mechanism, since it allows detecting only a small class of intrusions. Moreover, it has a certain reactivity inherent in it: the attack must first happen, then it must be recorded by the network device, which in one way or another will signal a security problem. There are several such ways. These could be syslog, RMON or SNMP. The last two network monitoring protocols are used in the context of information security only if we need to detect a DoS attack on the network equipment itself, since using RMON and SNMP it is possible, for example, to monitor the load on the device's central processor or its interfaces. This is one of the "cheapest" (everyone has syslog or SNMP) but also the least effective ways of monitoring the security of the internal infrastructure: many attacks are simply hidden from it. Of course, it should not be neglected, and the same syslog analysis helps you detect in time changes to the configuration of the device itself and its compromise, but it is poorly suited for detecting attacks on the network as a whole.

The third option is to analyze information about the traffic passing through a device that supports one of several flow protocols. In this case, regardless of the protocol, the flow infrastructure consists of three components:

  • Flow generation or export. This role is usually assigned to a router, switch or another network device which, by passing network traffic through itself, allows key parameters to be extracted from it, which are then sent to the collection module. For example, Cisco supports the Netflow protocol not only on routers and switches, including virtual and industrial ones, but also on wireless controllers, firewalls and even servers.
  • Flow collection. Given that a modern network usually has more than one network device, the task of collecting and consolidating flows arises, which is solved with the help of so-called collectors, which process the received flows and then pass them on for analysis.
  • Flow analysis. The analyzer takes on the main intellectual task and, applying various algorithms to the flows, draws certain conclusions. For example, as part of the IT function, such an analyzer can identify network bottlenecks or analyze the traffic load profile for further network optimization. And for information security, such an analyzer can detect data leaks, the spread of malicious code or DoS attacks.

Do not think that this three-tier architecture is too complicated: all the other options (except, perhaps, network monitoring systems working with SNMP and RMON) also work according to it. We have a data generator for analysis, which can be a network device or a stand-alone sensor. We have an alarm collection system and a management system for the whole monitoring infrastructure. The last two components can be combined within a single node, but in more or less large networks they are usually spread across at least two devices to ensure scalability and reliability.


Unlike packet analysis, which is based on studying the header and body of each packet and the sessions they make up, flow analysis relies on collecting metadata about network traffic. When, how much, from where and to where, how... these are the questions answered by analyzing network telemetry using various flow protocols. Initially, they were used to analyze statistics and find IT problems on the network, but then, as analytical mechanisms developed, it became possible to apply them to the same telemetry for security purposes. It is worth noting again that flow analysis does not replace or substitute packet capture. Each of these methods has its own area of application. But in the context of this article, it is flow analysis that is best suited for monitoring the internal infrastructure. You have network devices (whether they operate in the software-defined paradigm or according to static rules) that an attack cannot bypass. It can bypass a classic IDS sensor, but it cannot bypass a network device supporting a flow protocol. This is the advantage of this method.

On the other hand, if you need evidence for law enforcement or for your own incident investigation team, you cannot do without packet capture: network telemetry is not a copy of the traffic that can be used to collect evidence; it is needed for prompt detection and decision-making in information security. On the other hand, using telemetry analysis, you can "record" not all network traffic (if anything, Cisco does work with data centers :-), but only the traffic involved in an attack. Telemetry analysis tools in this case complement traditional packet capture mechanisms well, issuing commands for selective capture and storage. Otherwise, you will need a colossal storage infrastructure.

Imagine a network operating at a speed of 250 Mbit/s. If you want to store this entire volume, you will need 31 MB of storage for one second of traffic, 1.8 GB for one minute, 108 GB for one hour, and 2.6 TB for one day. To store daily data from a network with a bandwidth of 10 Gbit/s, you will need 108 TB of storage. But some regulators require storing security data for years... Capture on demand, which flow analysis helps you implement, reduces these values by orders of magnitude. By the way, if we talk about the ratio of the volume of recorded network telemetry data to full data capture, it is approximately 1 to 500. For the same values given above, storing a full day's telemetry will take 5 and 216 GB respectively (you can even record it on an ordinary flash drive).

If for raw network data analysis tools the connection method is roughly the same from vendor to vendor, then in the case of flow analysis the situation is different. There are several variants of flow protocols, and you need to know the differences between them in a security context. The most popular is the Netflow protocol developed by Cisco. There are several versions of this protocol, differing in their capabilities and in the amount of traffic information recorded. The current version is the ninth (Netflow v9), on the basis of which the industry standard Netflow v10, also known as IPFIX, was developed. Today most network vendors support Netflow or IPFIX on their equipment. But there are various other options for flow protocols: sFlow, jFlow, cFlow, rFlow, NetStream, etc., of which sFlow is the most popular. It is this type that is most often supported by domestic network equipment manufacturers because of its ease of implementation. What are the key differences between Netflow, which has become the de facto standard, and sFlow? I would highlight several key ones. First, Netflow has user-customizable fields, as opposed to the fixed fields in sFlow. And second, and this is the most important thing for us, sFlow collects so-called sampled telemetry, unlike the unsampled telemetry of Netflow and IPFIX. What is the difference between them?


Imagine you decided to read the book "Security Operations Center: Building, Operating, and Maintaining your SOC" by my colleagues Gary McIntyre, Joseph Muniz and Nadhem AlFardan (you can download part of the book at the link). You have three options to achieve your goal: read the whole book, skim through it, stopping at every 10th or 20th page, or try to find a retelling of the key ideas on a blog or in a service like SmartReading. So, unsampled telemetry is reading every "page" of network traffic, that is, analyzing the metadata of every packet. Sampled telemetry is a selective study of the traffic in the hope that the selected samples contain what you need. Depending on the channel speed, sampled telemetry is sent for analysis for every 64th, 200th, 500th, 1000th, 2000th or even 10000th packet.


In the context of security monitoring, this means that sampled telemetry is well suited for detecting DDoS attacks, scanning and the spread of malicious code, but it may miss atomic or multi-packet attacks that did not make it into the sample sent for analysis. Unsampled telemetry has no such drawback. With it, the range of detectable attacks is much wider. Here is a short list of events that can be detected using network telemetry analysis tools.
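The sampled-versus-unsampled difference can be quantified. The following is an added illustration, not code from the original post: it models 1-in-N packet sampling at the rates named above over constructed flow sizes (a flood, a scan, a lateral spread, and a three-packet "atomic" event) and shows which of them still reach the analyzer.

```python
"""Added illustration, not code from the original post: why sampled
telemetry (sFlow-style 1-in-N packet sampling) can miss short "atomic"
activity that unsampled Netflow/IPFIX records completely.
Flow sizes are constructed sample values, not measurements."""
import random

# Constructed flows: (label, number of packets in the flow)
FLOWS = [
    ("ddos_flood", 200_000),     # volumetric: hundreds of thousands of packets
    ("port_scan", 5_000),        # many small probes
    ("malware_spread", 1_200),   # lateral spread, hundreds of packets
    ("atomic_exploit", 3),       # a few packets, then silence
]

# Sampling rates cited in the post: every 64th ... 10000th packet
SAMPLING_RATES = (64, 200, 500, 1000, 2000, 10000)


def miss_probability(packets: int, rate: int) -> float:
    """Probability that a flow of `packets` packets contributes no sample
    when each packet is picked independently with probability 1/rate."""
    return (1.0 - 1.0 / rate) ** packets


def sampled_view(flows, rate: int, seed: int = 1) -> dict:
    """What a 1-in-N exporter forwards: {label: sampled packet count}.
    A fixed seed keeps the simulation reproducible."""
    rng = random.Random(seed)
    return {
        label: sum(1 for _ in range(packets) if rng.randrange(rate) == 0)
        for label, packets in flows
    }


def unsampled_view(flows) -> dict:
    """Unsampled Netflow/IPFIX: every packet updates its flow record."""
    return {label: packets for label, packets in flows}


def visible(view: dict) -> dict:
    """A flow reaches the analyzer only if at least one packet was exported."""
    return {label: count > 0 for label, count in view.items()}


def miss_table(flows, rates=SAMPLING_RATES) -> dict:
    """{label: {rate: P(flow entirely missed)}} from the closed-form formula."""
    return {
        label: {rate: miss_probability(packets, rate) for rate in rates}
        for label, packets in flows
    }


if __name__ == "__main__":
    print("unsampled :", visible(unsampled_view(FLOWS)))
    for rate in SAMPLING_RATES:
        print(f"1-in-{rate:<5}:", visible(sampled_view(FLOWS, rate)))
    for label, row in miss_table(FLOWS).items():
        print(f"{label:15s} worst-case P(missed) = {max(row.values()):.4f}")
```

The flood and the scan survive any of the listed rates, while the three-packet event is lost with probability above 95% even at 1-in-64, which is exactly the gap unsampled telemetry closes.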


Of course, some open-source Netflow analyzers will not let you do this, since their main task is collecting telemetry and performing basic analysis from an IT perspective. To detect information security threats based on flows, the analyzer must be equipped with various engines and algorithms that detect cybersecurity problems based on the standard Netflow fields, enrich the standard data with external data from various Threat Intelligence sources, and so on.


So if you have a choice, choose Netflow or IPFIX. But even if your equipment works only with sFlow, as is the case with domestic manufacturers, you can still benefit from it in a security context.


In the summer of 2019, I analyzed the capabilities of Russian network hardware manufacturers, including NSG, Polygon and Craftway, and all of them announced support for sFlow (at least Zelax, Natex, Eltex, QTech, Rusteleteh).


The next question you may face is where to implement flow support for security purposes. In fact, the question is not posed quite correctly. Modern equipment almost always supports flow protocols. So I would rephrase the question differently: where is it most effective to collect telemetry from a security point of view? The answer is fairly obvious: at the access layer, where you see 100% of all traffic, where you have detailed information about the hosts (MAC, VLAN, interface ID), and where you can even monitor P2P traffic between hosts, which is critical for detecting scanning and the spread of malicious code. At the core layer you may simply not see part of the traffic, and at the perimeter you will see only a third of all your network traffic. But if for some reason you have external devices on your network that allow attackers to "enter and exit" bypassing the perimeter, then analyzing telemetry from it will give you nothing. Therefore, for maximum coverage, it is recommended to enable telemetry collection at the access layer. At the same time, it is worth noting that even if we are talking about virtualization or containers, flow support is also often found in modern virtual switches, which allows you to control traffic there too.

But since I have raised the topic, I have to answer the question: what if the equipment, physical or virtual, does not support flow protocols? Or enabling them is prohibited (for example, in industrial segments, to ensure reliability)? Or enabling them leads to high CPU load (this happens on older hardware)? To solve this problem there are specialized sensors (flow sensors), which are essentially ordinary splitters that pass traffic through themselves and broadcast it in the form of flows to the collection module. True, in this case we get all the problems discussed above in relation to packet capture tools. That is, you need to understand not only the advantages of flow analysis technology but also its limitations.

Another point that is important to remember when talking about flow analysis tools. If for conventional means of generating security events we use the EPS metric (events per second), then this indicator is not applicable to telemetry analysis; it is replaced by FPS (flows per second). As with EPS, it cannot be calculated in advance, but you can estimate the number of flows a particular device generates depending on its task. You can find tables on the Internet with approximate values of the number of flows for different types of enterprise devices and conditions, which will allow you to estimate which licenses you will need for the analysis tools and what their architecture will be. The fact is that an IDS sensor is limited by a certain bandwidth that it can "pull", and a flow collector has its own limits that must be understood. Therefore, in large, geographically distributed networks there are usually several collectors. When I described how the network is monitored inside Cisco, I already gave the number of our collectors: there are 21. And this is for a network scattered across five continents and numbering about half a million active devices.


As a Netflow analysis solution we use our own Cisco Stealthwatch, which is specifically focused on solving security problems. It has many built-in engines for detecting anomalous, suspicious and clearly malicious activity, which allows it to detect a wide range of threats: from cryptomining to information leaks, from the spread of malicious code to fraud. Like most flow analyzers, Stealthwatch is built according to a three-tier scheme (generator - collector - analyzer), but it is complemented by a number of interesting features that are important in the context of the material under discussion. First, it integrates with packet capture solutions (such as Cisco Security Packet Analyzer), which allows you to record selected network sessions for further in-depth investigation and analysis. Second, specifically to extend security tasks, we developed a special nvzFlow protocol, which allows the activity of applications on end nodes (servers, workstations, etc.) to be "broadcast" into telemetry and sent to the collector for further analysis. If in its original form Stealthwatch works with any flow protocol (sFlow, rFlow, Netflow, IPFIX, cFlow, jFlow, NetStream) at the network level, then nvzFlow support allows data correlation at the node level as well, thereby increasing the efficiency of the whole system and seeing more attacks than conventional network flow analyzers.

It is clear that when talking about Netflow analysis systems from a security point of view, the market is not limited to a single solution from Cisco. You can use both commercial and free or shareware solutions. It would be rather strange if I cited competitors' solutions as examples on the Cisco blog, so I will say a few words about how network telemetry can be analyzed using two popular, similarly named but nonetheless different tools: SiLK and ELK.

SiLK is a set of tools (System for Internet-Level Knowledge) for traffic analysis, developed by the American CERT/CC, supporting, as of today, Netflow (v5 and v9, the most popular versions), IPFIX and sFlow, and using various utilities (rwfilter, rwcount, rwflowpack, etc.) to perform various operations on network telemetry in order to detect signs of unauthorized actions in it. But there are a couple of important points to consider. SiLK is a command-line tool that performs online analysis by entering commands like this one (detecting ICMP packets larger than 200 bytes):

rwfilter --flowtypes=all/all --proto=1 --bytes-per-packet=200- --pass=stdout | rwcut --fields=sIP,dIP,iType,iCode --num-recs=15

which is not very convenient. You can use the iSiLK GUI, but it will not make your life much easier, since it only solves the visualization task and does not replace the analyst. And this is the second point. Unlike commercial solutions, which already have a solid analytical base, anomaly detection algorithms, corresponding workflows, etc., in the case of SiLK you will have to do all this yourself, which will require slightly different competencies from you than using ready-made tools. This is neither good nor bad: it is a feature of almost any free tool, which assumes that you know what to do and only helps you with it (commercial tools depend less on the competence of their users, although they too assume that analysts understand at least the basics of network investigation and monitoring). But let's return to SiLK. The analyst's work cycle with it looks like this:

  • Formulating a hypothesis. We need to understand what we will be looking for inside the network telemetry, and to know the unique attributes by which we can identify certain anomalies or threats.
  • Building a model. Having formulated a hypothesis, we program it using Python, shell or other tools not included in SiLK.
  • Testing. Now it is time to check the correctness of our hypothesis, which is confirmed or refuted using the SiLK utilities beginning with 'rw', 'set', 'bag'.
  • Analysis of real data. In production operation, SiLK helps us identify something, and the analyst must answer the questions "Did we find what we expected?", "Does this correspond to our hypothesis?", "How do we reduce the number of false positives?", "How do we improve the detection rate?" and so on.
  • Improvement. At the final stage, we improve what was done earlier: we create templates, improve and optimize the code, reformulate and refine the hypothesis, etc.

This cycle also applies to Cisco Stealthwatch, only the latter automates these five steps to the maximum, reducing the number of analyst errors and increasing the efficiency of incident detection. For example, in SiLK you can enrich network statistics with external data on malicious IPs using hand-written scripts, whereas in Cisco Stealthwatch this is a built-in function that immediately raises an alarm if the network traffic contains interactions with IP addresses from a blacklist.
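One turn of that cycle, written out in Python as an added example (not SiLK's code and not from the original post): hypothesis A is the rwfilter command above (ICMP flows averaging at least 200 bytes per packet), hypothesis B is the hand-written blacklist enrichment just described. The flow records, field names (after rwcut: sIP, dIP, iType, iCode) and the blacklist are constructed; the addresses are documentation ranges, not real hosts.

```python
"""Added example, not SiLK's code nor the original post's: the analyst
cycle scripted over constructed flow records.
Hypothesis A mirrors the rwfilter command (ICMP, >= 200 bytes/packet);
hypothesis B is blacklist enrichment. All data below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    sIP: str
    dIP: str
    proto: int        # 1 = ICMP, 6 = TCP, 17 = UDP
    packets: int
    bytes: int
    iType: int = 0    # ICMP type, meaningful only when proto == 1
    iCode: int = 0

    @property
    def bytes_per_packet(self) -> float:
        return self.bytes / self.packets


# Constructed telemetry, as a collector would hand it to the analyzer
FLOWS = [
    Flow("192.0.2.10", "192.0.2.1",     1,   4,    256, 8, 0),  # ordinary 64-byte pings
    Flow("192.0.2.22", "203.0.113.7",   1,  20,  28000, 8, 0),  # 1400 B/packet ICMP: worth a look
    Flow("192.0.2.30", "192.0.2.1",     1,   3,    600, 8, 0),  # exactly 200 B/packet: boundary
    Flow("192.0.2.15", "198.51.100.40", 6, 120,  96000),        # TCP session to a listed address
    Flow("192.0.2.15", "192.0.2.99",    6,  10,   1500),        # benign internal TCP
]

# Constructed threat-intelligence feed (hypothetical placeholder data)
BLACKLIST = [ip_network("198.51.100.0/24"), ip_network("203.0.113.200/32")]


def large_icmp(flows, min_bpp: int = 200) -> list:
    """Hypothesis A: --proto=1 --bytes-per-packet=200- from the rwfilter
    command. The SiLK range "200-" is inclusive, so >= is the right test."""
    return [f for f in flows if f.proto == 1 and f.bytes_per_packet >= min_bpp]


def in_blacklist(addr: str, blacklist) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in blacklist)


def blacklist_hits(flows, blacklist=BLACKLIST) -> list:
    """Hypothesis B: enrich each record with the external list and keep
    flows whose source or destination matches (the built-in alarm of a
    commercial analyzer, done here by hand as the post describes for SiLK)."""
    return [f for f in flows
            if in_blacklist(f.sIP, blacklist) or in_blacklist(f.dIP, blacklist)]


def rwcut_like(flows, fields=("sIP", "dIP", "iType", "iCode"), num_recs: int = 15) -> list:
    """Project records onto the requested fields, like rwcut --fields/--num-recs."""
    return [tuple(getattr(f, name) for name in fields) for f in flows[:num_recs]]


def run(flows=FLOWS) -> dict:
    """One pass of the cycle; returning the findings lets the next step
    (tuning thresholds, cutting false positives) measure what changed."""
    return {
        "large_icmp": rwcut_like(large_icmp(flows)),
        "blacklist_hits": rwcut_like(blacklist_hits(flows), ("sIP", "dIP", "proto", "bytes")),
    }


if __name__ == "__main__":
    for name, rows in run().items():
        print(name)
        for row in rows:
            print("  ", row)
```

Raising `min_bpp` from 200 to 201 drops the boundary flow, which is the kind of threshold adjustment the "reduce false positives" step of the cycle turns into.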

If you go higher up the "paid" pyramid of flow analysis software, then after the completely free SiLK comes the shareware ELK, consisting of three key components: Elasticsearch (indexing, search and data analysis), Logstash (data input/output) and Kibana (visualization). Unlike SiLK, where you have to write everything yourself, ELK already has many ready-made libraries/modules (some paid, some not) that automate the analysis of network telemetry. For example, the GeoIP filter in Logstash allows you to associate the monitored IP addresses with their geographic location (Stealthwatch has this built in).


ELK also has a fairly large community that fills in what is missing in this monitoring tool. For example, to work with Netflow, IPFIX and sFlow you can use the elastiflow module if you are not satisfied with the Logstash Netflow Module, which only supports Netflow.

While offering more capabilities for collecting flows and searching within them, ELK currently lacks rich built-in analytics for detecting anomalies and threats in network telemetry. That is, following the life cycle described above, you will have to describe the violation models yourself and then put them to use in the production system (there are no built-in models there).


There are, of course, more sophisticated extensions for ELK that already contain some models for detecting anomalies in network telemetry, but such extensions cost money, and here the question is whether the game is worth the candle: write the same model yourself, buy its implementation for your monitoring tool, or buy a ready-made solution of the Network Traffic Analysis class.


In general, I do not want to get into a debate about whether it is better to spend money and buy a ready-made solution for monitoring anomalies and threats in network telemetry (for example, Cisco Stealthwatch) or to figure it out yourself and adapt the same SiLK, ELK, nfdump or OSU Flow Tools to each new threat (I talked about the last two of them last time). Everyone decides for themselves, and everyone has their own motives for choosing one of the two options. I just wanted to show that network telemetry is a very important tool for ensuring the network security of your internal infrastructure, and that you should not neglect it, so as not to join the list of companies whose names are mentioned in the media along with the epithets "hacked", "non-compliant with information security requirements", "not thinking about the security of their own data and their customers' data".


To summarize, I would like to list the key tips you should follow when building information security monitoring of your internal infrastructure:

  1. Do not limit yourself to the perimeter! Use (and choose) the network infrastructure not only to move traffic from point A to point B, but also to address cybersecurity issues.
  2. Study the existing security event logging mechanisms in your network equipment and learn to use them.
  3. For internal monitoring, give preference to telemetry analysis: it allows you to detect up to 80-90% of all network information security incidents, while doing what is impossible with packet capture and saving storage space for all information security events.
  4. To monitor flows, use Netflow v9 or IPFIX: they provide more information in a security context and allow you to monitor not only IPv4 but also IPv6, MPLS, etc.
  5. Use an unsampled flow protocol: it provides more information for threat detection. For example, Netflow or IPFIX.
  6. Check the load on your network equipment: it may not be able to handle the flow protocol. In that case consider using virtual sensors or a Netflow Generation Appliance.
  7. Enable monitoring first of all at the access layer: this will give you the ability to see 100% of all traffic.
  8. If you have no choice and are using Russian network equipment, choose one that supports flow protocols or has SPAN/RSPAN ports.
  9. Combine intrusion detection/prevention systems at the edges with flow analysis systems in the internal network (including in the cloud).


Regarding the last tip, I want to give an illustration I have given before. You can see that whereas previously Cisco's information security service built its monitoring system almost entirely on intrusion detection systems and signature methods, now they account for only 20% of incidents. Another 20% falls on flow analysis systems, which shows that these solutions are not a whim but a real tool in the security practice of a modern enterprise. Moreover, you already have the most important thing for their implementation: the network infrastructure, the investment in which can be further protected by assigning security monitoring functions to the network.


I deliberately did not touch on the topic of responding to anomalies or threats identified in network flows, but I think it is already clear that monitoring should not end with threat detection alone. It should be followed by a response, preferably in an automated mode. But that is a topic for another article.

Additionally:

PS. If it is easier for you to listen to everything written above, you can watch the hour-long presentation that formed the basis of this note.



Source: www.habr.com