Snort or Suricata. Part 1: Choosing a Free IDS/IPS to Protect Your Corporate Network

Once upon a time, an ordinary firewall and antivirus software were enough to protect a local network, but such a set is no longer effective against modern attackers and the malware that has proliferated recently. The good old firewall only analyzes packet headers, allowing or blocking them according to a set of formal rules. It knows nothing about the contents of the packets, so it cannot detect the outwardly legitimate actions of attackers. Antivirus programs do not always catch malware, so the administrator is left with the task of monitoring anomalous activity and isolating infected hosts in time.


There are many advanced tools available for protecting a company's IT infrastructure. Today we will talk about open-source intrusion detection and prevention systems, which can be deployed without buying expensive hardware and software licenses.

IDS/IPS classification

An IDS (Intrusion Detection System) is a system designed to register suspicious activity on a network or on an individual computer. It keeps event logs and notifies the employee responsible for information security about them. The following elements can be distinguished as components of an IDS:

  • sensors for observing network traffic, various logs, etc.;
  • an analysis subsystem that detects signs of malicious influence in the received data;
  • storage for accumulating the primary events and the results of the analysis;
  • a management console.

Initially, IDSs were classified by location: they could focus on protecting individual nodes (host-based, or Host Intrusion Detection System, HIDS) or on protecting the entire corporate network (network-based, or Network Intrusion Detection System, NIDS). It is worth mentioning the so-called APIDS (Application Protocol-based IDS): they monitor a limited set of application-layer protocols to detect specific attacks and do not analyze network packets in depth. Such products usually resemble proxies and are used to protect specific services: a web server and web applications (for example, written in PHP), a database server, and so on. A typical example of this class is mod_security for the Apache web server.

We are more interested in universal NIDSs that support many communication protocols and DPI (Deep Packet Inspection) technologies. They monitor all passing traffic, starting from the data link layer, and detect a wide range of network attacks as well as attempts at unauthorized access to information. Such systems often have a distributed architecture and can interact with various active network equipment. Note that many modern NIDSs are hybrids and combine several approaches. Depending on configuration and settings, they can solve various tasks, for example protecting a single node or the entire network. In addition, the IDS functions for workstations were taken over by antivirus packages, which, because of the spread of Trojans aimed at stealing information, turned into multifunctional firewalls that also solve the tasks of detecting and blocking suspicious traffic.

At first, IDSs could only detect malware activity, port scanners, or, say, violations of corporate security policy. When a certain event occurred, they notified the administrator, but it quickly became clear that merely detecting an attack is not enough: it has to be blocked. So IDS evolved into IPS (Intrusion Prevention Systems), intrusion prevention systems that can interact with firewalls.

Detection methods

Modern intrusion detection and prevention systems use various methods to detect malicious activity, which can be divided into three categories. This gives us another way of classifying such systems:

  • Signature-based IDS/IPS look for certain patterns in traffic or monitor changes in the state of systems to detect a network attack or an infection attempt. They produce practically no misfires or false positives, but they cannot detect unknown threats;
  • Anomaly-detecting IDSs do not use attack signatures. They recognize abnormal behaviour of information systems (including anomalies in network traffic) and can detect even unknown attacks. Such systems produce quite a lot of false positives and, if used incorrectly, paralyze the operation of the local network;
  • Rule-based IDSs work on the principle: if FACT then ACTION. Essentially, these are expert systems with a knowledge base, a set of facts and rules of logical inference. Such solutions are labor-intensive to set up and require the administrator to have a detailed understanding of the network.
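To make the three categories concrete, here is an added example that is not code from the original article or from Snort or Suricata: a toy sensor in Python that runs a signature check, a simple statistical anomaly check and an "if FACT then ACTION" policy rule over a constructed stream of flow records. All addresses, payloads, the signature id, the port-scan threshold and the policy rule are invented for illustration; a real IDS rule language (Snort or Suricata rules) expresses the same ideas with far more options.

```python
"""Toy IDS sensor illustrating the three detection approaches.

Added example, not from the original article. Every event, rule and threshold
below is constructed for illustration only.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample traffic: (time_s, src, dst, dport, payload)
SAMPLE_EVENTS = [
    (1, "10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1"),
    (2, "10.0.0.5", "203.0.113.10", 80, b"GET /login.php?u=admin' OR 1=1-- HTTP/1.1"),
    (5, "10.0.0.8", "192.0.2.44", 6667, b"NICK wkst-0008"),
]
# One external host touching twelve ports within the same second (scan-like pattern)
SAMPLE_EVENTS += [(3, "198.51.100.7", "10.0.0.20", port, b"") for port in range(20, 32)]


# --- 1. Signature-based: a known byte pattern, optionally tied to a destination port
SIGNATURES = [
    {"sid": 1000001, "dport": 80,
     "pattern": re.compile(rb"'\s*OR\s+1=1", re.IGNORECASE),
     "msg": "SQL injection pattern in HTTP request"},
]


def signature_detect(events):
    """Return an alert for every event whose payload matches a signature."""
    alerts = []
    for t, src, dst, dport, payload in events:
        for sig in SIGNATURES:
            if sig["dport"] is not None and sig["dport"] != dport:
                continue
            if sig["pattern"].search(payload):
                alerts.append((t, src, dst, "signature", sig["sid"], sig["msg"]))
    return alerts


# --- 2. Anomaly-based: no signature, just a deviation from a baseline
def anomaly_detect(events, window_s=10, max_ports=10):
    """Flag a source that contacts more than `max_ports` distinct destination
    ports within `window_s` seconds (the baseline, here chosen arbitrarily)."""
    alerts = []
    ports_by_src = defaultdict(set)
    window_start = {}
    flagged = set()
    for t, src, dst, dport, _ in sorted(events, key=lambda e: e[0]):
        if src not in window_start or t - window_start[src] > window_s:
            window_start[src] = t          # start a fresh window for this source
            ports_by_src[src] = set()
        ports_by_src[src].add(dport)
        if len(ports_by_src[src]) > max_ports and src not in flagged:
            flagged.add(src)               # one alert per source per run
            alerts.append((t, src, dst, "anomaly", None,
                           f"{len(ports_by_src[src])} distinct ports within "
                           f"{window_s}s: possible port scan"))
    return alerts


# --- 3. Rule-based: explicit facts about the network plus "if FACT then ACTION"
INTERNAL = ipaddress.ip_network("10.0.0.0/24")   # constructed: the protected LAN

POLICY_RULES = [
    # FACT: an internal host opens an outbound connection to IRC (6667)
    # ACTION: raise a policy-violation alert
    (lambda src, dst, dport: ipaddress.ip_address(src) in INTERNAL
                             and ipaddress.ip_address(dst) not in INTERNAL
                             and dport == 6667,
     "internal host opened outbound IRC (6667): policy violation, possible C2 channel"),
]


def rule_detect(events):
    """Apply every policy rule to every event."""
    alerts = []
    for t, src, dst, dport, _ in events:
        for fact, action in POLICY_RULES:
            if fact(src, dst, dport):
                alerts.append((t, src, dst, "rule", None, action))
    return alerts


def run_all(events):
    """Run all three detectors and return the alerts in time order."""
    alerts = signature_detect(events) + anomaly_detect(events) + rule_detect(events)
    return sorted(alerts, key=lambda a: a[0])


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints three alerts: the signature detector catches the injection attempt (and only that one), the anomaly detector flags the scanning host once its distinct-port count exceeds the baseline, and the policy rule fires for the workstation's IRC connection. Raising `max_ports` silences the anomaly detector, which is exactly the tuning trade-off the list above describes: a loose baseline misses scans, a tight one floods the console with false positives.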

History of IDS development

The era of rapid growth of the Internet and corporate networks began in the 90s of the last century, but experts were already puzzling over advanced network security technologies before that. In 1986, Dorothy Denning and Peter Neumann published the IDES (Intrusion Detection Expert System) model, which became the basis of modern intrusion detection systems. It used an expert system to identify known types of attacks, as well as statistical methods and user and system profiles. IDES ran on Sun workstations, checking network traffic and application data. In 1993, NIDES (Next-generation Intrusion Detection Expert System) was released, a next-generation intrusion detection expert system.

Building on the work of Denning and Neumann, the MIDAS (Multics intrusion detection and alerting system) expert system, using P-BEST and LISP, appeared in 1988. At the same time, the Haystack system based on statistical methods was created. Another statistical anomaly detector, W&S (Wisdom & Sense), was developed a year later at Los Alamos National Laboratory. The industry developed rapidly. For example, in 1990 the TIM (Time-based inductive machine) system already implemented anomaly detection using inductive learning on sequential user patterns (Common LISP language). NSM (Network Security Monitor) compared access matrices to detect anomalies, and ISOA (Information Security Officer's Assistant) supported various detection strategies: statistical methods, profile checking and an expert system. The ComputerWatch system created at AT&T Bell Labs used both statistical methods and rules for verification, and developers at the University of California produced the first prototype of a distributed IDS in 1991; DIDS (Distributed Intrusion Detection System) was also an expert system.

Initially, IDSs were proprietary, but already in 1998 Lawrence Berkeley National Laboratory released Bro (renamed Zeek in 2018), an open-source system that uses its own rule language to analyze libpcap data. In November of the same year, the APE packet sniffer built on libpcap appeared; a month later it was renamed Snort, and it later became a full-fledged IDS/IPS. At the same time, numerous proprietary solutions began to appear.

Snort and Suricata

Many companies prefer free and open-source IDS/IPS. For a long time the already mentioned Snort was considered the standard solution, but now it has been displaced by the Suricata system. Let's look at their advantages and disadvantages in a little more detail. Snort combines the advantages of the signature method with the ability to detect anomalies in real time. Suricata also allows you to use methods other than signature-based attack detection. The system was created by a group of developers who split off from the Snort project and has supported IPS functions since version 1.4, while Snort introduced the ability to prevent intrusions later.

The main difference between the two popular products is Suricata's ability to use the GPU for computation in IDS mode, as well as its more advanced IPS. The system was designed for multithreading from the start, whereas Snort is a single-threaded product. Because of its long history and legacy code, Snort does not make optimal use of multiprocessor/multicore hardware platforms, whereas Suricata can handle traffic of up to 10 Gbps on ordinary general-purpose computers. One could talk for a long time about the similarities and differences between the two systems, but although the Suricata engine works faster, for channels that are not too wide this is not fundamentally important.

Deployment options

The IPS must be placed so that the system can monitor the network segments under its control. Most often this is a dedicated computer, one interface of which is connected after the edge devices and "looks" through them into unprotected public networks (the Internet). Another IPS interface is connected to the input of the protected segment so that all traffic passes through the system and is analyzed. In more complex cases there may be several protected segments: for example, in corporate networks a demilitarized zone (DMZ) with services accessible from the Internet is often set apart.


Such an IPS can prevent port scanning or password brute-force attacks, exploitation of vulnerabilities in a mail server, web server or scripts, as well as other types of external attacks. If computers on the local network are infected with malware, the IDS will not let them contact botnet servers located outside. For more serious protection of the internal network, a complex configuration with a distributed system and expensive managed switches capable of mirroring traffic to an IDS interface connected to one of the ports will most likely be required.

Corporate networks are often subjected to distributed denial of service (DDoS) attacks. Although modern IDSs can cope with them, the deployment option above is unlikely to help here. The system will recognize the malicious activity and block the spurious traffic, but to do so the packets must pass through the external Internet connection and reach its network interface. Depending on the intensity of the attack, the data transmission channel may not cope with the load and the attackers' goal will be achieved. For such cases we recommend deploying the IDS on a virtual server with a known more powerful Internet connection. You can connect the VPS to the local network via a VPN, and then you will need to configure routing of all external traffic through it. Then, in the event of a DDoS attack, you will not need to drive packets through the connection to the provider; they will be blocked on the external node.


The problem of choice

It is very difficult to name a leader among the free systems. The choice of IDS/IPS is determined by the network topology, the required protective functions, and also by the administrator's personal preferences and desire to tinker with settings. Snort has a longer history and is better documented, although information about Suricata is also easy to find online. In any case, mastering the system will take some effort, which will eventually pay off: commercial hardware and hardware-software IDS/IPS are quite expensive and do not always fit into the budget. There is no point in regretting the time spent, since a good administrator always improves their qualifications at the employer's expense. In this situation, everyone wins. In the next article we will look at some options for deploying Suricata and compare the more modern system with the classic IDS/IPS Snort in practice.


Source: www.habr.com
