In previous articles I have already written about StealthWatch:
First of all, it should be said that StealthWatch divides its alerts between algorithms and feeds. The first are various kinds of alarms (notifications) which, when triggered, reveal suspicious activity on the network. The second are security events. This article covers 4 examples of algorithm triggers and 2 examples of feeds.
1. Analysis of the largest interactions within the network
The first step in setting up StealthWatch is to sort hosts and networks into groups. In the web interface, under the Configure > Host Group Management tab, networks, hosts and servers should be placed into the appropriate groups. You can also create your own groups. Incidentally, analyzing interactions between hosts in Cisco StealthWatch is quite convenient, since you can save not only the flow search filters but also the results themselves.
To begin, in the web interface go to the Analyze > Flow Search tab. Then set the following parameters:
- Search Type - Top Conversations (the most popular interactions)
- Time Range - 24 hours (the time period; you can use another)
- Search Name - Top Conversations Inside-Inside (any friendly name)
- Subject - Host Groups → Inside Hosts (source - the group of internal hosts)
- Connection (you can specify ports, applications)
- Peer - Host Groups → Inside Hosts (destination - the group of internal nodes)
- In Advanced Options, you can additionally specify the collector whose data is viewed and the sort order of the output (by bytes, flows, etc.). I will leave these at their defaults.
After clicking the Search button, a list of interactions is displayed, already sorted by the amount of data transferred.
In my example, host 10.150.1.201 (the server) transferred 1.5 GB of traffic within a single flow to host 10.150.1.200 (the client) over the mysql protocol. The Manage Columns button lets you add more columns to the output.
Next, at the administrator's discretion, you can create a custom rule that will always trigger on this type of interaction and notify you via SNMP, email or Syslog.
2. Analysis of slow client-server interactions within the network by delay
The SRT (Server Response Time) and RTT (Round Trip Time) fields let you determine server-side and network-side delays. This tool is especially useful when you need to quickly find the cause of user complaints about a slow application.
Note: almost none of the Netflow exporters are able to send the SRT and RTT tags, so usually, in order to see such data on the FlowSensor, you have to configure the network devices to send a copy of the traffic to it. The FlowSensor in turn sends the extended IPFIX to the FlowCollector.
It is more convenient to do this analysis in the StealthWatch java application, which is installed on the administrator's computer.
Right-click on Inside Hosts and go to the Flow Table tab.
Click on Filter and set the necessary parameters. For example:
- Date/Time - For the last 3 days
- Performance - Average Round Trip Time >= 50ms
After the data is displayed, we should add the RTT and SRT fields we are interested in. To do this, click on the column in the screenshot and right-click to select Manage Columns. Then click the RTT and SRT parameters.
After the request was processed, I sorted by average RTT and saw the slowest interactions.
To go into the detailed information, right-click on the flow and select Quick View for Flow.
This information indicates that host 10.201.3.59 from the Sales and Marketing group was querying the DNS server over the NFS protocol for 1 minute and 23 seconds and simply has a terrible delay. In the Interfaces tab you can find out which Netflow exporter the information was obtained from. The Table tab shows more detailed information about the interaction.
Next, you need to find out which devices send traffic to the FlowSensor; the problem is probably there.
In addition, StealthWatch is unique in that it deduplicates data (combines identical flows). Therefore you can collect from nearly all Netflow devices without fear of ending up with a lot of duplicated data. On the contrary, in this scheme it will help you understand which hop has the largest delay.
3. Audit of HTTPS cryptographic protocols
ETA (Encrypted Traffic Analytics) is a technology developed by Cisco that lets you detect malicious connections in encrypted traffic without decrypting it. Moreover, this technology lets you "break down" HTTPS into the TLS versions and cryptographic protocols used during connections. This functionality is especially useful when you need to detect network nodes that use weak crypto standards.
Note: you must first install the network app on StealthWatch - ETA Cryptographic Audit.
Go to the Dashboards → ETA Cryptographic Audit tab and select the host group we plan to analyze. For the full picture, let's select Inside Hosts.
You can see that the TLS version and the corresponding crypto standard are output. Following the usual scheme, in the Actions column go to View Flows and the search starts in a new tab.
From the output it can be seen that host 198.19.20.136 over the 12 hours used HTTPS with TLS 1.2, where the encryption algorithm is AES-256 and the hash function is SHA-384. Thus, ETA lets you find weak algorithms on the network.
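As an added example (not part of the original article and not Cisco's code), this is the kind of weakness check one would apply to the TLS version and cipher suite that the Cryptographic Audit dashboard reports per host; the records are constructed, with only 198.19.20.136 taken from the text above.

```python
# Constructed per-host TLS parameters (not real telemetry), in the shape the
# ETA Cryptographic Audit dashboard reports them: protocol version and cipher suite.
RECORDS = [
    {"host": "198.19.20.136", "version": "TLS 1.2", "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
    {"host": "198.19.20.140", "version": "TLS 1.0", "cipher": "TLS_RSA_WITH_RC4_128_SHA"},
    {"host": "198.19.20.141", "version": "TLS 1.2", "cipher": "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
    {"host": "198.19.20.142", "version": "TLS 1.3", "cipher": "TLS_AES_128_GCM_SHA256"},
    {"host": "198.19.20.143", "version": "TLS 1.1", "cipher": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"},
]

# SSL 3.0 is prohibited by RFC 7568; TLS 1.0 and 1.1 are deprecated by RFC 8996.
WEAK_VERSIONS = {"SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"}
# Cipher-suite name components that mark a weak suite (RC4: RFC 7465; 3DES/DES: small
# block or key size; NULL/EXPORT/ANON: no real confidentiality or authentication; MD5: broken).
WEAK_CIPHER_TOKENS = {"RC4", "3DES", "DES", "NULL", "EXPORT", "ANON", "MD5"}


def audit_host(record):
    """Return the list of weaknesses for one host record; an empty list means clean."""
    findings = []
    if record["version"] in WEAK_VERSIONS:
        findings.append(f"deprecated protocol {record['version']}")
    tokens = set(record["cipher"].split("_"))
    for tok in sorted(tokens & WEAK_CIPHER_TOKENS):
        findings.append(f"weak cipher component {tok}")
    # TLS_RSA_WITH_* suites use static RSA key transport, so a leaked server key
    # decrypts recorded sessions (no forward secrecy). TLS 1.3 suites always have it.
    key_exchange = record["cipher"].split("_WITH_")[0]
    if key_exchange in ("TLS_RSA", "TLS_RSA_EXPORT"):
        findings.append("no forward secrecy (static RSA key exchange)")
    return findings


def audit(records):
    """Map host -> findings for every host with at least one weakness."""
    result = {}
    for rec in records:
        findings = audit_host(rec)
        if findings:
            result[rec["host"]] = findings
    return result
```

Running audit(RECORDS) leaves the TLS 1.2 AES-256/SHA-384 host from the article and the TLS 1.3 host unflagged and reports the three constructed hosts with legacy versions or suites.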
4. Network anomaly analysis
Cisco StealthWatch can detect traffic anomalies on the network using three tools: Core Events (security events), Relationship Events (events of interactions between segments and network nodes) and behavioral analysis.
Behavioral analysis, in turn, builds up a behavior model over time for a particular host or host group. The more traffic passes through StealthWatch, the more accurate the alerts produced by this analysis will be. At first the system generates many false positives, so the rules have to be "tuned" by hand. I recommend not paying attention to such events for the first few weeks, since the system will adjust itself, or else adding them to the exceptions.
Below is an example of a predefined anomaly rule, which states that the event will fire without an alarm if a host in the Inside Hosts group interacts with the Inside Hosts group and the traffic exceeds 24 megabytes within 24 hours.
For example, let's take the Data Hoarding alarm, which means that some source/destination host has uploaded/downloaded an abnormally large amount of data from a host group or a host. Click on the event and go to the table where the triggering hosts are shown. Then select the host we are interested in in the Data Hoarding column.
The displayed event shows that 162k "points" were detected, while according to the policy 100k "points" are allowed - these are internal StealthWatch metrics. In the Actions column click View Flows.
We can see that the given host interacted at night with host 10.201.3.47 from the Sales & Marketing department over the HTTPS protocol and downloaded 1.4 GB. Perhaps this example is not entirely convincing, but interactions of even several hundred gigabytes are detected in exactly the same way. Therefore, further investigation of anomalies can lead to interesting results.
Note: in the SMC web interface, the data in the Dashboard tabs is displayed only for the last week, and in the Monitor tab for the last 2 weeks. To analyze older events and generate reports, you need to work with the java console on the administrator's computer.
5. Detection of internal network scans
Now let's look at a few examples of feeds - information security events. This functionality is of more interest to security staff.
There are several preset scan event types in StealthWatch:
- Port Scan - the source scans multiple ports on the destination host.
- Addr tcp scan - the source scans the entire network on the same TCP port, changing the destination IP address. In this case, the source receives TCP Reset packets or no responses at all.
- Addr udp scan - the source scans the entire network on the same UDP port, changing the destination IP address. In this case, the source receives ICMP Port Unreachable packets or no responses at all.
- Ping Scan - the source sends ICMP requests to the entire network in order to find responses.
- Stealth Scan tcp/udp - the source used the same source port to connect to multiple ports on the destination node at the same time.
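The five scan patterns listed above are defined purely by fan-out and reply behaviour, so they can be expressed as detection logic over flow records. The following is an added example (not part of the original article and not StealthWatch's own algorithm) that classifies constructed flow records using exactly those definitions; the threshold of 5 distinct targets is an assumption.

```python
from collections import defaultdict


def _flow(src, sport, dst, dport, proto, reply):
    # Minimal flow record modelled on NetFlow/IPFIX keys plus what the peer sent back.
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto, "reply": reply}


# Constructed sample flows (not real telemetry), one burst per scan type described above.
FLOWS = (
    # Port Scan: many destination ports on one host, varying source port, RST replies
    [_flow("10.0.0.5", 40000 + p, "10.0.0.9", p, "tcp", "rst") for p in (22, 28, 36, 40, 41, 42)]
    # Addr tcp scan: one TCP port swept across hosts; TCP Reset or silence
    + [_flow("10.0.0.6", 50000 + i, f"10.0.1.{i}", 445, "tcp", "rst" if i % 2 else "none") for i in range(1, 11)]
    # Addr udp scan: one UDP port swept across hosts; ICMP Port Unreachable back
    + [_flow("10.0.0.7", 53000, f"10.0.2.{i}", 161, "udp", "icmp-unreach") for i in range(1, 11)]
    # Ping Scan: ICMP echo requests to many hosts
    + [_flow("10.0.0.8", 0, f"10.0.3.{i}", 0, "icmp", "none") for i in range(1, 11)]
    # Stealth Scan: one source port reused against many destination ports
    + [_flow("10.0.0.10", 51508, "10.0.0.20", p, "tcp", "none") for p in range(8000, 8010)]
    # Normal client: many source ports to one service port, data flowing both ways
    + [_flow("10.0.0.11", 52000 + i, "10.0.0.30", 443, "tcp", "data") for i in range(10)]
)


def classify_scans(flows, threshold=5):
    """Label each source whose fan-out matches one of the scan patterns.
    Returns {src: label}; sources with no scan-like behaviour are omitted.
    `threshold` is the minimum number of distinct destinations or ports."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    findings = {}
    for src, fl in by_src.items():
        dsts = {f["dst"] for f in fl}
        dports = {f["dport"] for f in fl}
        sports = {f["sport"] for f in fl}
        protos = {f["proto"] for f in fl}
        replies = {f["reply"] for f in fl}
        if protos == {"icmp"} and len(dsts) >= threshold:
            findings[src] = "Ping Scan"
        elif len(dsts) >= threshold and len(dports) == 1 and len(protos) == 1:
            proto = next(iter(protos))
            if proto == "tcp" and replies <= {"rst", "none"}:
                findings[src] = "Addr tcp scan"
            elif proto == "udp" and replies <= {"icmp-unreach", "none"}:
                findings[src] = "Addr udp scan"
        elif len(dsts) == 1 and len(dports) >= threshold:
            # A single reused source port against many ports marks the stealth variant
            findings[src] = "Stealth Scan tcp/udp" if len(sports) == 1 else "Port Scan"
    return findings
```

Calling classify_scans(FLOWS) labels five of the six constructed sources and leaves the ordinary HTTPS client unflagged.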
To make it convenient to find all internal scanners at once, there is a network app for StealthWatch - Visibility Assessment. Going to the Dashboards → Visibility Assessment → Internal Network Scanners tab, you will see the security events related to scanning for the last 2 weeks.
By clicking the Details button, you will see the start of the scan of each network, the traffic trend and the corresponding alarms.
Next, you can drill down into the host from the table in the previous screenshot and see its security events, as well as this host's activity for the last week.
For example, let's analyze the Port Scan event from host 10.201.3.149 against 10.201.0.72 by clicking Actions > View Flows. A flow search is launched and the relevant information is displayed.
We see how this host, from one of its ports, 51508/TCP, scanned the destination host 3 hours ago on ports 22, 28, 42, 41, 36, 40 (TCP). Some fields show no information because not all Netflow fields are supported by the Netflow exporter.
6. Analysis of malware downloads using CTA
CTA (Cognitive Threat Analytics) is Cisco's cloud analytics, which integrates tightly with Cisco StealthWatch and lets you supplement signature-free analysis with signature analysis. This makes it possible to detect Trojans, network worms, zero-day malware and other malware, as well as their spread within the network. In addition, the previously mentioned ETA technology lets you analyze such malicious communications in encrypted traffic.
Literally on the first tab of the web interface there is a dedicated Cognitive Threat Analytics widget. A brief summary shows the threats detected on user hosts: Trojans, fraudulent software, intrusive adware. The word "Encrypted" indicates precisely the work of ETA. By clicking on a host, all the information about it and its security events, including the CTA logs, appears.
Hovering over each stage of the CTA event shows detailed information about the interaction. For the full analytics, click View Event Details, and you will be taken to a separate Cognitive Threat Analytics console.
In the upper right corner, a filter lets you display events by severity level. When you point at a specific anomaly, logs appear at the bottom of the screen with the corresponding timeline on the right. Thus the information security specialist clearly understands which host is infected, after which actions, and which actions it then began to perform.
Below is another example - a banking Trojan that infected host 198.19.30.36. This host started interacting with malicious domains, and the logs show information about the flows of these interactions.
Next, one of the best solutions could be to quarantine the host thanks to the native
Conclusion
The Cisco StealthWatch solution is one of the leaders among network monitoring products, both in terms of network analytics and of information security. Thanks to it, you can detect illegitimate interactions within the network, application delays, the most active users, anomalies, malware and APTs. Moreover, you can find scanners and pentesters, and conduct a crypto audit of HTTPS traffic. You can find more use cases at
If you want to check how all this works on your network, send
In the near future we are planning several more technical publications on various information security products. If you are interested in this topic, follow the updates in our channels (
Source: www.habr.com