Flow protocols as a tool for monitoring internal network security

When it comes to monitoring the security of an internal corporate or departmental network, many people associate it with controlling information leaks and deploying DLP solutions. And if you refine the question and ask how attacks on the internal network are detected, the answer will, as a rule, be about intrusion detection systems (IDS). What was the only option 10-20 years ago is becoming an anachronism today. There is a more effective, and in some places the only feasible, option for monitoring the internal network: using flow protocols, which were originally designed for finding network problems (troubleshooting) but have over time turned into a very interesting security tool. Within this article we will talk about which flow protocols exist and which of them are better at detecting network attacks, where flow monitoring is best deployed, what to pay attention to when implementing such a scheme, and even how to "bring up" all of this on home equipment.

I will not dwell on the question "Why is monitoring the security of the internal infrastructure needed?" The answer seems obvious. But if you nevertheless want to convince yourself once more that today you cannot do without it, watch the short video about how one can get into a corporate network protected by a firewall in 17 ways. So we will assume we understand that internal monitoring is necessary, and what remains is to understand how it can be organized.

I would single out three key data sources for monitoring the infrastructure at the network level:

  • "raw" traffic, which we capture and hand over to certain analysis systems for examination,
  • events from the network devices through which the traffic passes,
  • information about the traffic received via one of the flow protocols.


Capturing raw traffic is the most popular option among security specialists, because it appeared historically first and was the very first approach. Classic network intrusion detection systems (the very first commercial intrusion detection system was NetRanger from the Wheel Group, bought by Cisco in 1998) were engaged precisely in capturing packets (and later sessions) in which certain signatures were searched for ("decisive rules" in FSTEC terminology) that signal an attack. Of course, you can analyze raw traffic not only with an IDS but also with other tools (for example, Wireshark, tcpdump or the NBAR2 feature in Cisco IOS), but they usually lack the knowledge base that distinguishes an information security tool from an ordinary IT tool.

So, attack detection systems. The oldest and most popular method of detecting network attacks, which does a good job at the perimeter (whatever that is: corporate, data center, segment, etc.) but fails in modern switched and software-defined networks. In a network built on ordinary switches, the infrastructure of attack detection sensors becomes too large: you would have to put a sensor on every connection to every node on which you want to detect attacks. Any manufacturer will, of course, be happy to sell you hundreds and thousands of sensors, but I think your budget cannot support such expenses. I can say that even at Cisco (and we are the developers of NGIPS) we could not do this, although it might seem that the question of price does not stand before us. I should not dwell on this; it is our own decision. In addition, the question arises of how to connect the sensor in this variant. In the gap? What if the sensor itself fails? Do you need a bypass module in the sensor? Use splitters (taps)? All of this makes the solution more expensive and makes it unaffordable for a company of any size.


You can try to "hang" the sensor on a SPAN/RSPAN/ERSPAN port and direct traffic from the required switch ports to it. This option partially removes the problem described in the previous paragraph, but creates another: a SPAN port cannot absorb absolutely all the traffic sent to it; it simply will not have enough bandwidth. You will have to sacrifice something. Either leave some nodes without monitoring (so you first have to prioritize them), or send not all traffic from a node but only a certain type. In either case we may miss some attacks. In addition, the SPAN port may be needed for other purposes. As a result, we will have to review the existing network topology and make adjustments to it in order to cover your network as fully as possible with the number of sensors you have (and coordinate this with IT).

What if your network uses asymmetric routing? What if you have implemented or are planning to implement SDN? What if you need to monitor virtualized machines or containers whose traffic never reaches a physical switch at all? IDS vendors do not like these questions because they do not know the answers. Perhaps they will convince you that all these fashionable technologies are hype and you do not need them. Perhaps they will talk about the need to start small. Or perhaps they will say that you need to put a powerful "thresher" (a big box) in the center of the network and direct all traffic to it using load balancers. Whatever option is offered to you, you must clearly understand how well it suits you. And only after that make a decision on the approach to monitoring the information security of the network infrastructure. Returning to packet capture, I want to say that this method remains very popular and important, but its main purpose is border control: the border between your organization and the Internet, the border between the data center and the rest of the network, the border between the process control system and the corporate segment. In these places, classic IDS/IPS still have the right to exist and do their job well.


Let's move on to the second option. Analysis of events coming from network devices can also be used for attack detection, but not as the main mechanism, since it allows detecting only a small class of intrusions. In addition, it has a certain reactivity: the attack must first happen, then it must be recorded by a network device, which in one way or another signals an information security problem. There are several such ways. These can be syslog, RMON or SNMP. The last two network monitoring protocols are used in a security context only if we need to detect a DoS attack on the network equipment itself, since with RMON and SNMP it is possible, for example, to monitor the load on the device's central processor or its interfaces. This is one of the "cheapest" methods (everyone has syslog or SNMP), but also one of the least effective of all the methods of monitoring the security of the internal infrastructure: many attacks are simply hidden from it. Of course, they should not be neglected, and syslog analysis helps you notice in time changes in the configuration of the device itself or its compromise, but it is poorly suited for detecting attacks on the network as a whole.

The third option is to analyze information about the traffic passing through a device that supports one of several flow protocols. In this case, regardless of the protocol, the flow infrastructure consists of three components:

  • Generation or export of flows. This role is usually assigned to a router, switch or other network device which, by passing network traffic through itself, allows the key parameters to be extracted from it; these are then transmitted to the collection module. For example, Cisco supports the Netflow protocol not only on routers and switches, including virtual and industrial ones, but also on wireless controllers, firewalls and even servers.
  • Flow collection. Given that a modern network usually has more than one network device, the problem of collecting and consolidating flows arises; it is solved by so-called collectors, which process the received flows and then pass them on for analysis.
  • Flow analysis. The analyzer takes on the main intellectual task and, applying various algorithms to the flows, draws certain conclusions. For example, as part of an IT function, such an analyzer can identify network bottlenecks or analyze the traffic load profile for further network optimization. And for information security, such an analyzer can detect data leaks, the spread of malicious code or DoS attacks.

Do not think that this three-tier architecture is too complicated; all the other options (except, perhaps, network monitoring systems working with SNMP and RMON) also work according to it. We have a data generator for analysis, which can be a network device or a stand-alone sensor. We have an alarm collection system and a management system for the entire monitoring infrastructure. The last two components can be combined within one node, but in more or less large networks they are usually spread across at least two devices to ensure scalability and reliability.


Unlike packet analysis, which is based on studying the header and body of each packet and the sessions they make up, flow analysis relies on collecting metadata about network traffic. When, how much, from where to where, how... these are the questions answered by analyzing network telemetry with the help of various flow protocols. Initially they were used to analyze statistics and find IT problems in the network, but then, as the analytical mechanisms developed, it became possible to apply them to the same telemetry for security purposes. It is worth noting once more that flow analysis does not replace or substitute for packet capture. Each of these methods has its own area of application. But in the context of this article, it is flow analysis that is best suited for monitoring the internal infrastructure. You have network devices (whether they work in the software-defined paradigm or according to static rules) that an attack cannot bypass. It can bypass a classic IDS sensor, but it cannot bypass a network device that supports a flow protocol. That is the advantage of this approach.

On the other hand, if you need evidence for law enforcement or for your own incident investigation team, you cannot do without packet capture: network telemetry is not a copy of the traffic that can be used to collect evidence; it is needed for quick detection and decision-making in information security. On the other hand, using telemetry analysis you can "record" not all the network traffic (if anything, Cisco does deal with data centers :-) but only the traffic involved in an attack. Telemetry analysis tools here nicely complement traditional packet capture mechanisms, issuing commands for selective capture and storage. Otherwise you would have to have a colossal storage infrastructure.

Let's imagine a network running at 250 Mbit/s. If you want to store this entire volume, you will need 31 MB of storage for one second of traffic, 1.8 GB for one minute, 108 GB for one hour, and 2.6 TB for one day. To store one day of data from a network with a bandwidth of 10 Gbit/s, you will need 108 TB of storage. But some regulators require security data to be kept for years... On-demand recording, which flow analysis helps you implement, reduces these values by orders of magnitude. By the way, if we talk about the ratio between the volume of recorded network telemetry data and full data capture, it is approximately 1 to 500. For the same values given above, storing the flow telemetry for a full day of traffic will take 5 and 216 GB respectively (you can even write that to an ordinary flash drive).

While for raw network data analysis tools the method of capture is roughly the same from vendor to vendor, in the case of flow analysis the situation is different. There are several flow protocol options, and you need to know their differences in a security context. The most popular is the Netflow protocol developed by Cisco. There are several versions of this protocol, differing in capabilities and in the amount of traffic information recorded. The current version is the ninth (Netflow v9), on the basis of which the industry standard Netflow v10, also known as IPFIX, was developed. Today most network vendors support Netflow or IPFIX in their equipment. But there are various other flow protocol options: sFlow, jFlow, cFlow, rFlow, NetStream and others, of which sFlow is the most popular. It is this type that domestic manufacturers of network equipment most often support because of its simplicity of implementation. What are the key differences between Netflow, which has become the de facto standard, and sFlow? I would highlight several key ones. First, Netflow has user-customizable fields as opposed to the fixed fields in sFlow. And second, and this is the most important thing in our case, sFlow collects so-called sampled telemetry, as opposed to the unsampled telemetry of Netflow and IPFIX. What is the difference between them?


Imagine that you have decided to read the book "Security Operations Center: Building, Operating, and Maintaining your SOC" by my colleagues Gary McIntyre, Joseph Muniz and Nadhem AlFardan (you can download part of the book from the link). You have three options for achieving your goal: read the entire book, skim through it, stopping only on every tenth page, or try to find a retelling of the key ideas on a blog or a service like SmartReading. So, unsampled telemetry is reading every "page" of the network traffic, that is, analyzing the metadata of every packet. Sampled telemetry is the selective study of traffic in the hope that the selected samples will contain what you need. Depending on the link speed, sampled telemetry is sent for analysis for every 20th, 64th, 200th, 500th, 1000th or 2000th packet.


In the context of information security monitoring, this means that sampled telemetry is well suited for detecting DDoS attacks, scanning and the spread of malicious code, but may miss atomic or multi-packet attacks that did not fall into the sample sent for analysis. Unsampled telemetry has no such drawback. With it, the range of detected attacks is much wider. Here is a short list of events that can be detected with network telemetry analysis tools.
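To make the sampled-versus-unsampled difference concrete, here is an added Python simulation that is not part of the article: a constructed packet stream containing ordinary web traffic, a scan of 20000 ports from one host and one lone packet to an unusual port is exported unsampled and at each 1-in-N rate listed above, and the same collector-side analysis is run on every export. All hosts, ports and counts are constructed values.

```python
"""Sampled vs. unsampled telemetry: what the collector can still see."""
from collections import defaultdict

SCAN_SRC = "10.0.0.99"     # constructed: host scanning many ports
ATOMIC_SRC = "10.0.0.77"   # constructed: host sending one unusual packet
ATOMIC_PORT = 4444         # constructed: destination port of that packet


def build_stream():
    """Constructed packet stream of (src, dst, dport, proto) tuples in wire order:
    5000 ordinary web packets with one single-packet event placed among them,
    followed by a 20000-port scan from one host."""
    pkts = [(f"10.0.0.{2 + i % 49}", "10.0.1.10", 80 if i % 3 else 443, "tcp")
            for i in range(5000)]
    # The lone packet is placed at an offset that none of the listed sampling
    # rates hits; on a real link its chance of being exported is simply 1/n.
    pkts.insert(2345, (ATOMIC_SRC, "10.0.1.30", ATOMIC_PORT, "tcp"))
    pkts.extend((SCAN_SRC, "10.0.1.20", port, "tcp") for port in range(1, 20001))
    return pkts


def sample(pkts, n):
    """sFlow-style 1-in-n packet sampling (n == 1 means unsampled)."""
    return pkts[::n]


def analyze(pkts, scan_threshold=20):
    """Collector-side analysis over the exported packets: a host that touched
    scan_threshold or more distinct (dst, port) pairs is reported as a scanner,
    and we record whether the single-packet event was exported at all."""
    targets = defaultdict(set)
    for src, dst, dport, _proto in pkts:
        targets[src].add((dst, dport))
    scanners = {src for src, t in targets.items() if len(t) >= scan_threshold}
    atomic_seen = any(dport == ATOMIC_PORT for _, _, dport, _ in pkts)
    return {"exported": len(pkts), "scanners": scanners, "atomic_seen": atomic_seen}


def compare_rates(rates=(1, 20, 64, 200, 500, 1000, 2000)):
    """Run the same analysis at every sampling rate the article lists."""
    stream = build_stream()
    return {n: analyze(sample(stream, n)) for n in rates}


if __name__ == "__main__":
    for n, r in compare_rates().items():
        print(f"1-in-{n:<5} exported={r['exported']:<6} "
              f"scan_detected={SCAN_SRC in r['scanners']} "
              f"atomic_seen={r['atomic_seen']}")
```

The scan stays visible until sampling becomes very aggressive (at 1-in-2000 only ten of its packets are exported), while the single packet is only ever seen in the unsampled export.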


Of course, some open source Netflow analyzer will not let you do this, since its main task is to collect telemetry and perform basic analysis on it from an IT point of view. To identify information security threats on the basis of flows, the analyzer must be equipped with various engines and algorithms that identify cybersecurity problems using standard or custom Netflow fields, enrich the standard data with external data from various Threat Intelligence sources, and so on.


Therefore, if you have a choice, choose Netflow or IPFIX. But even if your equipment only works with sFlow, like that of domestic manufacturers, you can still benefit from it in a security context.


In the summer of 2019 I analyzed the capabilities of Russian network hardware manufacturers, and all of them, excluding NSG, Polygon and Craftway, announced support for sFlow (at least Zelax, Natex, Eltex, QTech, Rusteleteh).


The next question you will face is: where should flow support be enabled for security purposes? In fact, the question is not posed quite correctly. Modern equipment almost always supports flow protocols. So I would rephrase the question: where is it most effective to collect telemetry from a security point of view? The answer is fairly obvious: at the access layer, where you will see 100% of all traffic, where you will have detailed information about the hosts (MAC, VLAN, interface ID), where you can even monitor P2P traffic between hosts, which is critical for detecting scanning and the distribution of malicious code. At the core layer you may simply not see some of the traffic, and at the perimeter you will see only a quarter of all your network traffic. And if for some reason you have foreign devices on your network that allow attackers to "get in and out" bypassing the perimeter, then analyzing telemetry from the perimeter will give you nothing. Therefore, for maximum coverage, it is recommended to enable telemetry collection at the access layer. At the same time, it is worth noting that even when we are talking about virtualization or containers, flow support is also often found in modern virtual switches, which lets you control traffic there as well.

But since I raised the topic, I must answer the question: what if the equipment, physical or virtual, does not support flow protocols? Or enabling them is prohibited (for example, in industrial segments, to ensure reliability)? Or enabling them leads to high CPU load (this happens on older hardware)? To solve this problem there are specialized sensors (flow sensors), which are essentially ordinary splitters that pass traffic through themselves and broadcast it in flow form to the collection module. True, in this case we get all the problems we discussed above in relation to packet capture tools. That is, you need to understand not only the advantages of flow analysis technology but also its limitations.

Another point that is important to remember when talking about flow analysis tools. If for conventional security event sources we use the EPS metric (events per second), this indicator does not apply to telemetry analysis; it is replaced by FPS (flows per second). As with EPS, it cannot be calculated in advance, but you can estimate the approximate number of flows a particular device generates depending on its role. You can find tables on the Internet with approximate values for different types of enterprise devices and conditions, which let you estimate which licenses you need for the analysis tools and what their architecture will be. The point is that an IDS sensor is limited by a certain bandwidth it can "pull", and a flow collector has its own limits, which must be understood. That is why large, geographically distributed networks usually have several collectors. When I described how the network is monitored inside Cisco, I already gave the number of our collectors: there are 21. And that is for a network spread across five continents with about half a million active devices.


We use our own Netflow monitoring solution, Cisco Stealthwatch, which is focused specifically on solving security problems. It has many built-in engines for detecting anomalous, suspicious and clearly malicious activity, which allows it to detect a wide range of threats: from cryptomining to information leaks, from the spread of malicious code to fraud. Like most flow analyzers, Stealthwatch is built according to the three-tier scheme (generator, collector, analyzer), but it is supplemented with a number of interesting features that are important in the context of the material under consideration. First, it integrates with packet capture solutions (such as Cisco Security Packet Analyzer), allowing you to record selected network sessions for later in-depth investigation and analysis. Second, specifically to expand the security tasks, we developed a special nvzFlow protocol, which allows the activity of applications on end nodes (servers, workstations, etc.) to be "broadcast" into telemetry and sent to the collector for further analysis. While in its original version Stealthwatch works with any flow protocol (sFlow, rFlow, Netflow, IPFIX, cFlow, jFlow, NetStream) at the network level, nvzFlow support allows data to be correlated at the node level as well, thereby increasing the effectiveness of the whole system and detecting more attacks than conventional network flow analyzers.

Of course, when we talk about Netflow analysis systems from a security point of view, the market is not limited to a single solution from Cisco. You can use both commercial and free or shareware solutions. It would be rather strange for me to cite competitors' solutions as examples on the Cisco blog, so I will say a few words about how network telemetry can be analyzed using two popular tools that are similar in name but still different: SiLK and ELK.

SiLK (System for Internet-Level Knowledge) is a set of tools for traffic analysis developed by the American CERT/CC. In the context of today's article it supports Netflow (versions 5 and 9, the most popular ones), IPFIX and sFlow, and uses various utilities (rwfilter, rwcount, rwflowpack, etc.) to perform various operations on network telemetry in order to find signs of unauthorized activity in it. But there are a couple of important points to note. SiLK is a command-line tool that performs online analysis by entering commands like the following (detection of ICMP packets of 200 bytes or more):

rwfilter --flowtypes=all/all --proto=1 --bytes-per-packet=200- --pass=stdout | rwcut --fields=sIP,dIP,iType,iCode --num-recs=15

which is not very convenient. You can use the iSiLK GUI, but it will not make your life much easier; it only solves the visualization task and does not replace the analyst. And that is the second point. Unlike commercial solutions, which already have a solid analytical base, anomaly detection algorithms, corresponding workflows and so on, with SiLK you will have to do all of this yourself, which requires somewhat different competencies from you than using ready-to-use tools. This is neither good nor bad; it is a feature of almost any free tool that assumes you know what to do and only helps you with it (commercial tools depend less on the competencies of their users, although they also assume that analysts understand at least the basics of network investigation and monitoring). But let's get back to SiLK. The analyst's work cycle with it looks like this:

  • Formulating a hypothesis. We must understand what we are going to look for in the network telemetry and know the unique attributes by which we will recognize certain anomalies or threats.
  • Building a model. Having formulated a hypothesis, we program it using, say, Python, shell or other tools not included in SiLK.
  • Testing. Now it is time to check the correctness of our hypothesis, which is confirmed or refuted using the SiLK utilities that begin with 'rw', 'set' and 'bag'.
  • Analysis of real data. In production use, SiLK helps us identify something, and the analyst must answer the questions "Did we find what we expected?", "Does this match our hypothesis?", "How do we reduce the number of false positives?", "How do we improve the detection rate?" and so on.
  • Improvement. At the final stage we improve what was done earlier: we create templates, improve and refine the code, redefine and clarify the hypothesis, etc.

This cycle applies to Cisco Stealthwatch as well, except that the latter automates these five steps as far as possible, reducing the number of analyst errors and increasing the efficiency of incident detection. For example, in SiLK you can enrich network statistics with external data on malicious IPs using hand-written scripts, whereas in Cisco Stealthwatch it is a built-in function that immediately raises an alarm if the network traffic contains interactions with IP addresses from the blacklist.
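The three-tier pipeline (exporter, collector, analyzer) and the hypothesis behind the rwfilter command above, carried through in an added Python example that is not the article's, SiLK's or Stealthwatch's code: flows are packed into a NetFlow v5 datagram as an exporter would, unpacked by the collector side with a length check, and the analyzer applies the "ICMP with at least 200 bytes per packet" rule. The addresses, ports and counters are constructed sample values.

```python
"""NetFlow v5 export, collection and one flow-analysis hypothesis, end to end."""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte datagram header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

# Constructed sample flows (not real traffic). For ICMP, NetFlow v5 carries
# type*256+code in the dport field; 0x0800 is an echo request.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.1.10", "sport": 51000, "dport": 443,
     "proto": 6, "packets": 12, "bytes": 6400, "tcp_flags": 0x1B},
    {"src": "10.0.0.5", "dst": "10.0.1.10", "sport": 0, "dport": 0x0800,
     "proto": 1, "packets": 4, "bytes": 392},        # 98-byte pings: benign
    {"src": "10.0.0.42", "dst": "203.0.113.9", "sport": 0, "dport": 0x0800,
     "proto": 1, "packets": 50, "bytes": 60000},     # 1200 bytes per packet
]


def export_v5(flows, sys_uptime_ms=100_000, unix_secs=1_700_000_000, seq=0):
    """Exporter side: pack flow dicts into one NetFlow v5 datagram."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime_ms, unix_secs, 0, seq,
                            0, 0, 0)  # engine type, engine id, sampling interval
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), b"\0\0\0\0",
            1, 2,                                          # input / output ifIndex
            f["packets"], f["bytes"],
            sys_uptime_ms - 5000, sys_uptime_ms - 1000,    # first / last seen
            f["sport"], f["dport"],
            0, f.get("tcp_flags", 0), f["proto"], 0,       # pad, flags, proto, tos
            0, 0, 0, 0, 0)                                 # ASNs, masks, pad
        for f in flows)
    return header + body


def parse_v5(datagram):
    """Collector side: validate and unpack a v5 datagram into flow dicts."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:   # truncated or padded export: do not trust it
        raise ValueError(f"bad datagram length {len(datagram)}, expected {expected}")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "packets": r[5], "bytes": r[6], "sport": r[9],
                      "dport": r[10], "tcp_flags": r[12], "proto": r[13]})
    return flows


def large_icmp(flows, min_bytes_per_packet=200):
    """Analyzer: the hypothesis behind `rwfilter --proto=1 --bytes-per-packet=200-`,
    i.e. ICMP flows whose average packet carries an oversized payload."""
    return [f for f in flows
            if f["proto"] == 1 and f["packets"]
            and f["bytes"] / f["packets"] >= min_bytes_per_packet]


def run_pipeline(flows=SAMPLE_FLOWS):
    """Generate -> collect -> analyze, returning what each stage produced."""
    datagram = export_v5(flows)
    collected = parse_v5(datagram)
    return {"datagram_len": len(datagram), "collected": collected,
            "alerts": large_icmp(collected)}


if __name__ == "__main__":
    result = run_pipeline()
    print(f"{result['datagram_len']} bytes on the wire, "
          f"{len(result['collected'])} flows collected")
    for f in result["alerts"]:
        print(f"large ICMP: {f['src']} -> {f['dst']}, "
              f"{f['bytes'] / f['packets']:.0f} bytes/packet")
```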

If you go higher up the "paid" pyramid of flow analysis software, then after the completely free SiLK comes the shareware ELK, consisting of three key components: Elasticsearch (indexing, search and data analysis), Logstash (data input/output) and Kibana (visualization). Unlike SiLK, where you have to write everything yourself, ELK already has many ready-made libraries/modules (some paid, some not) that automate the analysis of network telemetry. For example, the GeoIP filter in Logstash lets you associate the monitored IP addresses with their geographic location (Stealthwatch has this feature built in).


ELK also has a fairly large community that fills in the missing pieces of this monitoring solution. For example, to work with Netflow, IPFIX and sFlow you can use the elastiflow module, if you are not satisfied with the Logstash Netflow Module, which supports only Netflow.

While it is more effective at collecting flows and searching through them, ELK currently lacks rich built-in analytics for detecting anomalies and threats in network telemetry. That is, following the life cycle described above, you will have to describe the violation models yourself and then use them in the production system (there are no built-in models there).


There are, of course, more advanced extensions for ELK that already contain some models for detecting anomalies in network telemetry, but such extensions cost money, and here the question is whether the game is worth the candle: write a similar model yourself, buy an implementation of it for your monitoring tool, or buy a ready-made solution of the Network Traffic Analysis class.


In general, I do not want to get into the debate about whether it is better to spend money and buy a ready-made solution for monitoring anomalies and threats in network telemetry (for example, Cisco Stealthwatch) or to figure it out yourself and adapt the same SiLK, ELK, nfdump or OSU Flow Tools for each new threat (I talked about the last two of them last time). Everyone decides for themselves, and everyone has their own motivation for choosing either of the two options. I just wanted to show that network telemetry is a very important tool for ensuring the network security of your internal infrastructure and you should not neglect it, so as not to join the list of companies whose names are mentioned in the media along with the epithets "hacked", "non-compliant with information security requirements" and "not thinking about the security of their own data and their customers' data".


To summarize, I would like to list the key tips you should follow when building information security monitoring for your internal infrastructure:

  1. Do not limit yourself to the perimeter! Use (and choose) the network infrastructure not only to move traffic from point A to point B, but also to solve cybersecurity problems.
  2. Study the information security monitoring mechanisms that already exist in your network equipment and use them.
  3. For internal monitoring, give preference to telemetry analysis: it lets you detect up to 80-90% of all network information security incidents, while doing what is impossible with packet capture and saving storage space for all information security events.
  4. To monitor flows, use Netflow v9 or IPFIX; they provide more information in a security context and let you monitor not only IPv4 but also IPv6, MPLS, etc.
  5. Use an unsampled flow protocol; it provides more information for threat detection. For example, Netflow or IPFIX.
  6. Check the load on your network equipment; it may not be able to handle a flow protocol either. In that case consider using virtual sensors or a Netflow Generation Appliance.
  7. Implement control first of all at the access layer; this gives you the opportunity to see 100% of all traffic.
  8. If you have no choice and are using Russian network equipment, choose equipment that supports flow protocols or has SPAN/RSPAN ports.
  9. Combine intrusion/attack detection/prevention systems at the edges with flow analysis systems inside the network (including in the cloud).


Regarding the last tip, I would like to give an illustration that I have already shown before. You can see that whereas the Cisco information security service once built its information security monitoring system almost entirely on intrusion detection systems and signature methods, now these account for only 20% of incidents. Another 20% comes from flow analysis systems, which suggests that these solutions are not a whim but a real tool in the work of the information security services of a modern enterprise. Moreover, you already have the most important thing for their implementation, the network infrastructure, and the investment in it can be protected further by assigning information security monitoring functions to the network.


I deliberately did not touch on the topic of responding to the anomalies or threats detected in network flows, but I think it is already clear that monitoring should not end with threat detection alone. It should be followed by a response, preferably in automatic or automated mode. But that is a topic for a separate article.

Additional information:

PS. If it is easier for you to listen to everything written above, you can watch the hour-long presentation that formed the basis of this article.



Source: www.habr.com
