Snort or Suricata. Part 1: Choosing a Free IDS/IPS to Protect Your Corporate Network

Once upon a time, an ordinary firewall and antivirus software were enough to protect a local network, but that combination is no longer effective against today's attackers and the recent flood of malware. The good old firewall inspects only packet headers, passing or blocking them according to a set of formal rules. It knows nothing about the contents of the packets and therefore cannot recognise the outwardly legitimate actions of an intruder. Antivirus software does not always catch malware, so the administrator is left with the task of monitoring anomalous activity and isolating infected hosts in time.


There are many advanced tools for protecting a company's IT infrastructure. Today we will talk about open source intrusion detection and prevention systems that can be deployed without buying expensive hardware and software licences.

IDS/IPS classification

An IDS (Intrusion Detection System) is a system designed to register suspicious activity on a network or on an individual computer. It keeps event logs and notifies the person responsible for information security about them. An IDS consists of the following elements:

  • sensors that observe network traffic, various logs, and so on;
  • an analysis subsystem that detects signs of malicious activity in the collected data;
  • storage for accumulating raw events and analysis results;
  • a management console.

Initially, IDS were classified by where they were deployed: they could be focused on protecting individual nodes (host-based, or Host Intrusion Detection System, HIDS) or on protecting the entire corporate network (network-based, or Network Intrusion Detection System, NIDS). It is also worth mentioning the so-called APIDS (Application protocol-based IDS): they monitor a limited set of application-layer protocols to detect specific attacks and do not analyse network packets in depth. Such products usually take the form of proxies and are used to protect specific services: a web server and web applications (for example, written in PHP), database servers, and so on. A typical representative of this class is mod_security for the Apache web server.

We are more interested in general-purpose NIDS that support a wide range of communication protocols and DPI (Deep Packet Inspection) packet analysis technology. They inspect all passing traffic, starting from the data link layer, and detect a wide range of network attacks as well as unauthorised access to information. Such systems often have a distributed architecture and can interact with various active network equipment. Note that many modern NIDS are hybrids and combine several approaches. Depending on their configuration and settings, they can solve different problems, for example protecting a single node or the whole network. In addition, the IDS functions for workstations have been taken over by antivirus packages which, because of the spread of information-stealing Trojans, have turned into multifunctional firewalls that also recognise and block suspicious traffic.

Initially, an IDS could only detect malware activity, port scanners, or, say, user violations of corporate security policy. When such an event occurred, it notified the administrator, but it quickly became clear that merely recognising an attack was not enough: it had to be blocked. So the IDS evolved into the IPS (Intrusion Prevention System), an intrusion prevention system that can interact with firewalls.

Detection methods

Modern intrusion detection and prevention solutions use various methods to detect malicious activity, which can be divided into three categories. This gives us another way of classifying the systems:

  • Signature-based IDS/IPS look for patterns in traffic or watch for system state changes to detect a network attack or an infection attempt. They produce practically no misfires or false positives, but they cannot detect unknown threats;
  • Anomaly-detecting IDS do not use attack signatures. They recognise abnormal behaviour of information systems (including anomalies in network traffic) and can detect even unknown attacks. Such systems produce quite a few false positives and, if used incorrectly, paralyse the operation of the local network;
  • Rule-based IDS work on the principle: if FACT then ACTION. In essence, these are expert systems with knowledge bases, a set of facts and inference rules. Such solutions are labour-intensive to set up and require the administrator to have a deep understanding of the network.

History of IDS development

The era of rapid growth of the Internet and corporate networks began in the 1990s, but experts were already thinking about advanced network security technologies somewhat earlier. In 1986, Dorothy Denning and Peter Neumann published the IDES (Intrusion detection expert system) model, which became the foundation of modern intrusion detection systems. It used an expert system to detect known attacks, along with statistical methods and user/system profiles. IDES ran on Sun workstations, monitoring network traffic and application data. In 1993, NIDES (Next-generation Intrusion Detection Expert System) was released, a new generation of the intrusion detection expert system.

Building on the work of Denning and Neumann, the MIDAS (Multics intrusion detection and alerting system) expert system appeared in 1988, using P-BEST and LISP. At the same time, the Haystack system, based on statistical methods, was created. Another statistical anomaly detector, W&S (Wisdom & Sense), was developed a year later at Los Alamos National Laboratory. The industry continued to develop rapidly. For example, in 1990 anomaly detection was already implemented in the TIM (Time-based inductive machine) system using inductive learning on sequential user patterns (in Common LISP). NSM (Network Security Monitor) compared access matrices to detect anomalies, and ISOA (Information Security Officer's Assistant) supported several detection strategies: statistical methods, profile checking and an expert system. The ComputerWatch system created at AT&T Bell Labs used both statistical methods and rules for verification, and developers at the University of California produced the first prototype of a distributed IDS back in 1991: DIDS (Distributed intrusion monitoring system) was also an expert system.

Initially, IDS were proprietary, but already in 1998 Lawrence Berkeley National Laboratory released Bro (renamed Zeek in 2018), an open source system that uses its own rule language to parse libpcap data. In November of the same year, the APE packet sniffer, also built on libpcap, appeared; a month later it was renamed Snort, and it later grew into a full-fledged IDS/IPS. At the same time, numerous proprietary solutions began to appear.

Snort and Suricata

Many companies prefer a free and open source IDS/IPS. For a long time the already mentioned Snort was considered the standard solution, but now it has been displaced by the Suricata system. Let us consider their advantages and disadvantages in a little more detail. Snort combines the benefits of the signature method with the ability to detect anomalies in real time. Suricata also allows other methods besides attack signature detection. The system was created by a group of developers who split off from the Snort project and has supported IPS features since version 1.4, whereas intrusion prevention appeared in Snort later.

The main difference between the two popular products is Suricata's ability to use the GPU for IDS computations, as well as its more advanced IPS. The system was designed for multithreading from the start, whereas Snort is a single-threaded product. Because of its long history and legacy code, it does not make optimal use of multiprocessor/multicore hardware platforms, whereas Suricata can handle traffic of up to 10 Gbps on ordinary general-purpose computers. One could discuss the similarities and differences between the two systems at length, but although the Suricata engine runs faster, this makes no real difference for channels that are not too wide.

Deployment options

An IPS must be placed so that the system can monitor the network segments under its control. Most often this is a dedicated computer, one interface of which connects behind the edge devices and "looks" through them into the unprotected public network (the Internet). The other IPS interface is connected to the input of the protected segment, so that all traffic passes through the system and is analysed. In more complex cases there may be several protected segments: for example, in corporate networks a demilitarised zone (DMZ) is often set aside for services accessible from the Internet.
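As an added illustration (not part of the original article), the two-interface inline topology described above mapped onto Suricata's af-packet IPS mode in suricata.yaml; the interface names eth0 (facing the Internet) and eth1 (facing the protected segment) are assumed placeholders.

```yaml
# Constructed af-packet section for inline IPS operation.
# Each interface is bridged to the other in software: every packet that
# enters eth0 and is not dropped by a rule is copied out of eth1, and vice
# versa, so the protected segment only sees traffic that passed inspection.
af-packet:
  - interface: eth0          # assumed: interface towards the edge router / Internet
    threads: 1
    defrag: no               # defrag must stay off in IPS copy mode
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips           # "ips" drops packets matching drop rules; "tap" only copies
    copy-iface: eth1         # peer interface that receives forwarded packets
    buffer-size: 64535
    use-mmap: yes
  - interface: eth1          # assumed: interface towards the protected segment
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 97
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes
```

Start the engine with `suricata -c /etc/suricata/suricata.yaml --af-packet`; only rules whose action is `drop` actually block traffic in this mode, while `alert` rules still just log the event.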


Such an IPS can prevent port scanning or brute-force attacks, exploitation of vulnerabilities in a mail server, web server or scripts, as well as other kinds of external attacks. If computers on the local network are infected with malware, the IDS will not let them contact botnet servers located outside. More serious protection of the internal network will most likely require a complex configuration with a distributed system and expensive managed switches capable of mirroring traffic to an IDS interface connected to one of the ports.

Corporate networks are often subjected to distributed denial-of-service (DDoS) attacks. Although a modern IDS can cope with them, the deployment option described above is of little use here. The system will recognise the malicious activity and block the spurious traffic, but for that the packets must first pass through the external Internet connection and reach its network interface. Depending on the intensity of the attack, the data link may be unable to withstand the load, and the attackers' goal will be achieved. In such cases we recommend deploying the IDS on a virtual server with a known better Internet connection. You can connect the VPS to the local network over a VPN and then configure routing of all external traffic through it. Then, in the event of a DDoS attack, you will not have to push packets through the link to your provider; they will be blocked on the external host.


The problem of choice

It is very difficult to pick a leader among the free products. The choice of IDS/IPS is determined by the network topology, the required security features, and the administrator's personal preferences and willingness to tinker with settings. Snort has a longer history and is better documented, although information on Suricata is also easy to find online. In any case, mastering the system will take some effort, which will eventually pay off: commercial hardware and hardware-software IDS/IPS appliances are quite expensive and do not always fit the budget. There is no need to regret the time spent, because a good administrator is always improving his skills at the employer's expense. In this situation everyone wins. In the next article we will look at Suricata deployment options and compare the newer system with the classic IDS/IPS Snort in practice.


Source: www.habr.com
