StealthWatch: incident analysis and investigation. Part 3

Cisco StealthWatch is an analytics solution for information security that provides comprehensive visibility of threats across a distributed network. StealthWatch is based on collecting NetFlow and IPFIX from routers, switches and other network devices. As a result, the network itself becomes a sensitive sensor and lets the administrator look into places that traditional network security controls, such as a Next Generation Firewall, cannot reach.

In previous articles I have already written about StealthWatch: a first introduction and its capabilities, as well as deployment and configuration. Now I propose to move on and discuss how to work with alarms and investigate the security incidents the solution generates. There will be 6 examples which I hope will give a good idea of the product's usefulness.

First, it should be said that StealthWatch divides its alarms into two kinds: algorithms and feeds. The first are various kinds of alarms (notifications); when they fire, you can see suspicious things on the network. The second are security incidents. This article will look at 4 examples of triggered algorithms and 2 examples of feeds.

1. Analysis of the largest interactions within the network

The first step in setting up StealthWatch is to sort hosts and networks into groups. In the web interface tab Configure > Host Group Management, networks, hosts and servers must be assigned to the appropriate groups. You can also create your own groups. By the way, analyzing interactions between hosts in Cisco StealthWatch is quite convenient, because you can save not only the flow search filters but also the results themselves.

To start, in the web interface go to the tab Analyze > Flow Search. Then set the following parameters:

  • Search Type - Top Conversations
  • Time Range - 24 hours (the period; you can use another)
  • Search Name - Top Conversations Inside-Inside (any friendly name)
  • Subject - Host Groups → Inside Hosts (source - the group of internal hosts)
  • Connection (you can specify ports, applications)
  • Peer - Host Groups → Inside Hosts (destination - the group of internal nodes)
  • In Advanced Options you can additionally specify the collector whose data is viewed, and sort the output (by bytes, flows, etc.). I will leave it at the defaults.

After pressing the Search button, a list of interactions is displayed, already sorted by the amount of data transferred.

In my example, host 10.150.1.201 (server) transferred 1.5 GB of traffic within a single flow to host 10.150.1.200 (client) over the MySQL protocol. The Manage Columns button lets you add more columns to the displayed data.

Then, at the administrator's discretion, you can create a custom rule that will always fire on this type of interaction and notify you via SNMP, email or Syslog.

2. Analysis of the slowest client-server interactions within the network for latency

The SRT (Server Response Time) and RTT (Round Trip Time) fields let you find out server delays and overall network delays. This tool is especially useful when you need to quickly find the cause of user complaints about a slow application.

Note: almost no Netflow exporters know how to send the SRT and RTT fields, so usually, to see such data on the FlowSensor, you need to configure the network devices to send a copy of traffic to it. The FlowSensor in turn sends extended IPFIX to the FlowCollector.

It is more convenient to carry out this analysis in the StealthWatch java application, which is installed on the administrator's computer.

Right-click on Inside Hosts and go to the Flow Table tab.

Click Filter and set the required parameters. For example:

  • Date/Time - For the last 3 days
  • Performance - Average Round Trip Time >= 50 ms

After the data is displayed, we need to add the RTT and SRT fields that interest us. To do this, click the button shown in the screenshot and select Manage Columns with the right mouse button. Next, tick the RTT and SRT parameters.

After the request was processed, I sorted by average RTT and saw the slowest interactions.

To get detailed information, right-click on the flow and select Quick View for Flow.

This information shows that host 10.201.3.59 from the Sales and Marketing group accessed the DNS server over the NFS protocol for a minute and 23 seconds with simply terrible latency. In the Interfaces tab you can find out which Netflow exporter the information was obtained from. The Table tab shows more detailed information about the interaction.

Next, you should find out which devices send traffic to the FlowSensor; the problem probably lies there.

Moreover, StealthWatch is unique in that it performs data deduplication (it merges identical flows). Therefore, you can collect from almost all Netflow devices and not be afraid that there will be a lot of duplicate data. On the contrary, in this scheme it will help you understand which hop has the greatest delay.
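The two analyses above (top conversations by bytes in section 1, slowest client/server pairs by average RTT in section 2) reduce to aggregating flow records. The following is an added example written for this article, not Cisco code: the host group, the flow records and the field layout (source, destination, application, bytes, RTT, SRT) are constructed, loosely following what a FlowSensor exports in IPFIX.

```python
"""Flow analytics modelled on StealthWatch Flow Search / Flow Table (added
example, not Cisco code). Ranks constructed inside-to-inside conversations by
bytes (section 1) and finds client/server pairs whose average RTT is at or
above a threshold (section 2). Field names follow NetFlow/IPFIX loosely."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed "Inside Hosts" group (the article's internal host group).
INSIDE_HOSTS = [ip_network("10.0.0.0/8"), ip_network("198.19.0.0/16")]
# Constructed flow records: (src, dst, application, bytes, rtt_ms, srt_ms).
FLOWS = [
    ("10.150.1.201", "10.150.1.200", "MySQL", 1_500_000_000, 2.0, 1.0),
    ("10.150.1.201", "10.150.1.200", "MySQL", 100_000_000, 3.0, 1.5),
    ("10.201.3.59", "10.201.0.10", "NFS", 40_000_000, 83.0, 4.0),
    ("10.201.3.59", "10.201.0.10", "NFS", 50_000_000, 91.0, 5.0),
    ("10.201.3.47", "203.0.113.25", "HTTPS", 1_400_000_000, 20.0, 30.0),
    ("10.201.3.12", "10.201.0.10", "NFS", 1_000_000, 12.0, 2.0),
]

def is_inside(ip):
    """True when the address falls in the Inside Hosts group."""
    return any(ip_address(ip) in net for net in INSIDE_HOSTS)

def top_conversations(flows, limit=5):
    """Total bytes per (subject, peer, application) with both ends inside,
    sorted by bytes: Flow Search with Subject and Peer set to Inside Hosts."""
    totals = defaultdict(int)
    for src, dst, app, nbytes, _rtt, _srt in flows:
        if is_inside(src) and is_inside(dst):
            totals[(src, dst, app)] += nbytes
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:limit]

def slow_conversations(flows, min_avg_rtt_ms=50.0):
    """Average RTT and SRT per (client, server, application), keeping pairs
    whose average RTT >= threshold: the Flow Table filter 'Average RTT >= 50 ms'."""
    acc = defaultdict(lambda: [0, 0.0, 0.0])  # flow count, RTT sum, SRT sum
    for src, dst, app, _nbytes, rtt, srt in flows:
        entry = acc[(src, dst, app)]
        entry[0] += 1
        entry[1] += rtt
        entry[2] += srt
    slow = []
    for key, (count, rtt_sum, srt_sum) in acc.items():
        avg_rtt, avg_srt = rtt_sum / count, srt_sum / count
        if avg_rtt >= min_avg_rtt_ms:
            slow.append((key, round(avg_rtt, 1), round(avg_srt, 1)))
    # Worst network latency first, like sorting the Flow Table by Average RTT.
    return sorted(slow, key=lambda row: row[1], reverse=True)
```

The HTTPS flow to the external address is dropped by the inside-to-inside filter but still takes part in the latency view, which mirrors the two searches above.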

3. Audit of HTTPS cryptographic protocols

ETA (Encrypted Traffic Analytics) is a technology developed by Cisco that detects malicious connections in encrypted traffic without decrypting it. Moreover, this technology lets you "break down" HTTPS into the TLS versions and cryptographic algorithms used during connections. This functionality is especially useful when you need to find network nodes that use weak crypto standards.

Note: you must first install the network app ETA Cryptographic Audit in StealthWatch.

Go to the tab Dashboards → ETA Cryptographic Audit and select the group of hosts we plan to analyze. For the overall picture, let's choose Inside Hosts.

You can see that the TLS version and the corresponding crypto standard are displayed. Following the usual pattern, in the Actions column go to View Flows, and the search starts in a new tab.

The output shows that host 198.19.20.136 used HTTPS with TLS 1.2 over 12 hours, with AES-256 as the encryption algorithm and SHA-384 as the hash function. Thus, ETA lets you find weak algorithms on the network.

4. Network anomaly analysis

Cisco StealthWatch can detect traffic anomalies on the network using three tools: Core Events (security events), Relationship Events (events for interactions between segments and network nodes) and behavioral analysis.

Behavioral analysis, in turn, builds a behavior model over time for a particular host or group of hosts. The more traffic passes through StealthWatch, the more accurate the alerts from this analysis become. At first the system triggers many false positives, so the rules have to be "tuned" by hand. I recommend either ignoring such events for the first few weeks, since the system will tune itself, or adding them to the exceptions.

Below is an example of the predefined rule Attack, which states that the event will fire without an alarm if a host in the Inside Hosts group interacts with the Inside Hosts group and the traffic exceeds 10 megabytes within 24 hours.

For example, let's take the Data Hoarding alarm, which means that some host has uploaded/downloaded an abnormally large amount of data from a group of hosts or a single host. Click on the event and go to the table where the triggering hosts are shown. Then select the host of interest in the Data Hoarding column.

An event is displayed showing that 162k "points" were detected, while by policy 100k "points" are allowed - these are StealthWatch internal metrics. In the Actions column click View Flows.

We can observe that the given host interacted at night with host 10.201.3.47 from the Sales and Marketing department over HTTPS and downloaded 1.4 GB. Perhaps this example is not entirely convincing, but interactions of even several hundred gigabytes are detected in exactly the same way. So further investigation of anomalies can lead to interesting findings.

Note: in the SMC web interface, data in the Dashboards tabs is shown only for the last week, and in the Monitor tab for the last 2 weeks. To analyze older events and generate reports, you need to work with the java console on the administrator's computer.

5. Detecting internal network scanners

Now let's look at a few examples of feeds - information security incidents. This functionality is of more interest to security specialists.

There are several predefined scan event types in StealthWatch:

  • Port Scan - the source scans many ports on a destination host.
  • Addr tcp scan - the source scans the whole network on a single TCP port, changing the destination IP address. In this case the source receives TCP Reset packets or no responses at all.
  • Addr udp scan - the source scans the whole network on a single UDP port, changing the destination IP address. In this case the source receives ICMP Port Unreachable packets or no responses at all.
  • Ping Scan - the source sends ICMP requests to the whole network looking for responses.
  • Stealth Scan tcp/udp - the source used one and the same source port to connect to many ports on the destination node at the same time.

To make it convenient to find all internal scanners at once, there is a network app for StealthWatch - Visibility Assessment. Going to the tab Dashboards → Visibility Assessment → Internal Network Scanners, you will see scan-related security incidents for the last 2 weeks.

By pressing the Details button you will see the start of each network scan, the traffic trend and the corresponding alarms.

Next, you can "drill down" into the host from the tab in the previous screenshot and see the security incidents, as well as the activity over the last week, for that host.

For example, let's analyze the Port Scan event from host 10.201.3.149 against 10.201.0.72 by clicking Actions > Associated Flows. A flow search is launched and the relevant information appears.

Here we see that this host, from one of its ports, 51508/TCP, scanned the destination host 3 hours ago on ports 22, 28, 42, 41, 36, 40 (TCP). Some fields show no information because not all Netflow fields are supported by the Netflow exporter.
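The five scan event types listed in this section can be expressed as rules over the same flow records StealthWatch receives: distinct destination ports per host, distinct hosts per port, the replies the target sent back, and the number of source ports used. The block below is an added example written for this article, not Cisco code; its thresholds, field layout and flow records are constructed, and the rule labels follow the list above.

```python
"""Scan-type classification over flow records (added example, not Cisco code).
Detection rules shaped like the five StealthWatch scan events listed above,
run over constructed records; thresholds and field names are assumptions."""
from collections import defaultdict

# Constructed records: (src, sport, dst, dport, proto, reply); reply is the
# destination's answer: "SYN-ACK", "RST", "UNREACH", "ECHO-REPLY" or None.
PORTS = (22, 28, 42, 41, 36, 40)
FLOWS = (
    [("10.201.3.149", 51000 + p, "10.201.0.72", p, "tcp", "RST") for p in PORTS]
    + [("10.201.3.153", 51508, "10.201.0.72", p, "tcp", None) for p in PORTS]
    + [("10.201.3.150", 40000 + i, f"10.201.0.{i}", 445, "tcp", "RST") for i in range(1, 9)]
    + [("10.201.3.151", 53000 + i, f"10.201.0.{i}", 161, "udp", "UNREACH") for i in range(1, 9)]
    + [("10.201.3.152", 0, f"10.201.0.{i}", 0, "icmp", None) for i in range(1, 9)]
    + [("10.201.3.10", 51000 + i, "10.201.0.72", 443, "tcp", "SYN-ACK") for i in range(1, 9)]
)
MIN_TARGETS = 5  # assumed: distinct ports or hosts a source must touch to count as a scan

def classify_scans(flows, min_targets=MIN_TARGETS):
    """Map each source to the scan events its flows match; quiet sources are absent."""
    ports_per_dst = defaultdict(set)    # (src, dst) -> destination ports probed
    sports_per_dst = defaultdict(set)   # (src, dst) -> source ports used
    hosts_per_port = defaultdict(set)   # (src, proto, dport) -> hosts probed on that port
    replies = defaultdict(set)          # (src, proto, dport) -> reply kinds observed
    pinged = defaultdict(set)           # src -> hosts sent ICMP echo requests
    for src, sport, dst, dport, proto, reply in flows:
        if proto == "icmp":
            pinged[src].add(dst)
            continue
        ports_per_dst[(src, dst)].add(dport)
        sports_per_dst[(src, dst)].add(sport)
        hosts_per_port[(src, proto, dport)].add(dst)
        replies[(src, proto, dport)].add(reply)
    events = defaultdict(list)
    for (src, dst), ports in ports_per_dst.items():
        if len(ports) >= min_targets:
            # Many ports on one host; a single source port is the "stealth" variant.
            kind = "Stealth Scan" if len(sports_per_dst[(src, dst)]) == 1 else "Port Scan"
            events[src].append((kind, dst))
    for (src, proto, dport), hosts in hosts_per_port.items():
        if len(hosts) >= min_targets:
            # One port across many hosts, answered only by RST / ICMP unreachable or silence.
            expected = {"RST", None} if proto == "tcp" else {"UNREACH", None}
            if replies[(src, proto, dport)] <= expected:
                events[src].append((f"Addr {proto} scan", dport))
    for src, hosts in pinged.items():
        if len(hosts) >= min_targets:
            events[src].append(("Ping Scan", len(hosts)))
    return dict(events)
```

The ordinary client 10.201.3.10, which opens eight completed sessions to one port on one server, matches none of the rules, which is the check a false-positive review would start with.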

6. Analysis of downloaded malware using CTA

CTA (Cognitive Threat Analytics) is Cisco's cloud analytics, which integrates tightly with Cisco StealthWatch and lets you supplement signatureless analysis with signature analysis. This makes it possible to detect Trojans, network worms, zero-day malware and other malware, and their spread across the network. Also, the ETA technology mentioned earlier lets you analyze such malicious communications even in encrypted traffic.

In fact, the very first tab of the web interface has a dedicated Cognitive Threat Analytics widget. A brief summary shows the threats detected on user hosts: Trojans, malicious software, annoying adware. The word "Encrypted" actually indicates the work of ETA. By clicking on a host, all information about it, the security incidents, including the CTA logs, pops up.

By hovering over each stage of CTA, the event shows detailed information about the interaction. For full analytics, click View Incident Details, and you will be taken to a separate Cognitive Threat Analytics console.

In the upper right corner, a filter lets you display events by severity level. When you point to a specific anomaly, logs appear at the bottom of the screen with the corresponding timeline on the right. Thus, the information security specialist clearly understands which host was infected, after which actions, and which actions it then started performing.

Below is another example - a banking Trojan that infected host 198.19.30.36. This host started interacting with malicious domains, and the logs show information about the flow of these interactions.

After that, one of the best available solutions is to quarantine the host, thanks to the native integration with Cisco ISE, for remediation and further analysis.

Conclusion

The Cisco StealthWatch solution is one of the leaders among network monitoring products, both in network analytics and in information security. Thanks to it, you can detect illegitimate interactions within the network, application delays, the most active users, anomalies, malware and APTs. Moreover, you can find scanners and pentesters, and run a crypto audit of HTTPS traffic. You can find more use cases at the link.

If you would like to check how well everything works in your network, send a request.
In the near future we are planning several more publications on various information security products. If you are interested in this topic, follow the updates on our channels (Telegram, Facebook, VK, TS Solution Blog)!

Source: www.habr.com
