CheckFlow - a quick, free and comprehensive audit of internal network traffic using Flowmon


Welcome to our next mini-course. This time we will talk about our new service, CheckFlow. What is it? Essentially, it is just a marketing name for a free audit of network traffic (both internal and external). The audit itself is performed with a remarkable tool, Flowmon, which any company can use completely free of charge for 30 days. I assure you that after the first few hours of testing you will already start getting valuable information about your network. Moreover, this information will be valuable both to network administrators and to security staff. So, let us discuss what this information is and what its value is (at the end of the article, as usual, there is a video lesson).

Let us make a small digression here. I am sure many readers are now thinking: "How is this different from Check Point Security CheckUP?" Our subscribers probably know what that is (we have put a lot of effort into it) :) Do not jump to conclusions; as the lesson progresses, everything will fall into place.

What a network administrator can get from this audit:

  • Network traffic analysis - how the channels are loaded, which protocols are used, which servers or users generate the most traffic.
  • Network latency and loss - the average response time of your services and the presence of loss on each of your channels (the ability to find the bottleneck).
  • User behaviour analysis - in-depth analysis of user traffic: traffic volume, applications used, problems when working with corporate services.
  • Application performance assessment - identifying the cause of performance problems in corporate applications (network delays, service response time, the database, the applications themselves).
  • SLA monitoring - automatically detects and reports delays and loss when using your web applications, based on real traffic.
  • Detection of network anomalies - DNS/DHCP spoofing, loops, rogue DHCP servers, abnormal DNS/SMTP traffic and much more.
  • Configuration problems - detection of illegitimate user or server traffic, which may indicate incorrect switch or firewall settings.
  • Comprehensive report - a detailed report on the state of your IT infrastructure that lets you plan work or the purchase of additional equipment.

What an information security specialist can get:

  • Virus activity - detects viral traffic inside the network, including unknown (0-day) malware, based on behavioural analysis.
  • Ransomware propagation - the ability to detect ransomware even when it spreads between neighbouring computers without leaving its segment.
  • Anomalous activity - abnormal traffic from users, servers and applications, ICMP/DNS tunnelling; identifying real or potential threats.
  • Network attacks - port scanning, brute-force attacks, DoS, DDoS, traffic interception (MITM).
  • Leakage of company data - detection of abnormal downloading (or uploading) of company data from corporate file servers.
  • Unauthorised devices - detection of illegitimate devices connected to the corporate network (determining the manufacturer and operating system).
  • Unwanted applications - use of prohibited applications on the network (BitTorrent, TeamViewer, VPN, anonymizers, etc.).
  • Cryptominers and botnets - monitoring the network for infected devices connecting to known C&C servers.
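To make the flow-based detections in the two lists above concrete, here is an added example (not Flowmon's code or the article's own) that runs three simple checks over constructed NetFlow/IPFIX-style records: rogue DHCP servers, port scans and bulk transfers from a file server. The allowlist, thresholds and addresses are assumptions chosen for the sample data.

```python
from collections import defaultdict

# Constructed NetFlow/IPFIX-style flow records (sample data, not captured traffic):
# (src, dst, proto, sport, dport, packets, bytes)
FLOWS = [
    ("10.0.0.5", "10.0.0.7", "tcp", 51000, 22, 40, 6200),              # normal SSH session
    ("10.0.0.1", "10.0.0.5", "udp", 67, 68, 2, 680),                   # legitimate DHCP offer/ack
    ("10.0.0.42", "10.0.0.6", "udp", 67, 68, 2, 700),                  # DHCP answers from an unlisted host
    ("10.0.0.200", "10.0.0.6", "tcp", 445, 44000, 9000, 1_200_000_000),  # file server sends 1.2 GB to a client
]
# Twelve one-packet flows from one host to consecutive ports on a server, as a scan would produce.
FLOWS += [("10.0.0.9", "10.0.0.7", "tcp", 40000 + p, p, 1, 60) for p in range(20, 32)]

KNOWN_DHCP_SERVERS = {"10.0.0.1"}     # assumption: the site's only legitimate DHCP server
SCAN_PORT_THRESHOLD = 10              # distinct destination ports on one host from one source
TRANSFER_BYTES_THRESHOLD = 500_000_000  # bytes from one host to one peer within the window


def rogue_dhcp_servers(flows):
    """A DHCP server answers from UDP port 67; any such source outside the allowlist is suspect."""
    return sorted({f[0] for f in flows
                   if f[2] == "udp" and f[3] == 67 and f[0] not in KNOWN_DHCP_SERVERS})


def port_scanners(flows, threshold=SCAN_PORT_THRESHOLD):
    """One source touching many distinct ports on one destination with tiny flows looks like a scan."""
    ports = defaultdict(set)
    for src, dst, proto, _sport, dport, pkts, _nbytes in flows:
        if proto == "tcp" and pkts <= 2:
            ports[(src, dst)].add(dport)
    return sorted(pair for pair, p in ports.items() if len(p) >= threshold)


def bulk_transfers(flows, threshold=TRANSFER_BYTES_THRESHOLD):
    """Unusually large volume between one host pair hints at bulk copying of company data."""
    volume = defaultdict(int)
    for src, dst, _proto, _sport, _dport, _pkts, nbytes in flows:
        volume[(src, dst)] += nbytes
    return sorted(pair for pair, b in volume.items() if b >= threshold)


if __name__ == "__main__":
    print("rogue DHCP servers:", rogue_dhcp_servers(FLOWS))
    print("port scanners:", port_scanners(FLOWS))
    print("bulk transfers:", bulk_transfers(FLOWS))
```

Real deployments tune the thresholds per segment and baseline them against normal traffic, which is what the behavioural analysis described above does automatically.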

Reports

Based on the audit results, you will be able to see all the analytics in Flowmon dashboards or in PDF reports. Below are a few examples.

Figure: General traffic analysis

Figure: Custom dashboard

Figure: Anomalous activity

Figure: Discovered devices

Typical test scheme

Scenario #1 - a single office

Figure: Scenario #1, single office

The key point is that you can analyse both external and internal traffic, the latter being something perimeter protection tools (NGFW, IPS, DPI, etc.) do not analyse.

Scenario #2 - multiple offices

Figure: Scenario #2, multiple offices

Video lesson

Summary

The CheckFlow audit is an excellent opportunity for IT/IS managers to:

  1. Identify existing and potential problems in your IT infrastructure;
  2. Discover information security problems and assess the effectiveness of the existing security measures;
  3. Pinpoint the main cause of business application performance problems (the network part, the server part, the software) and who is responsible for fixing it;
  4. Significantly reduce the time needed to troubleshoot problems in the IT infrastructure;
  5. Justify the need to expand channels or server capacity, or to purchase additional security equipment.

I also recommend reading our previous article, 9 typical network problems that can be detected with NetFlow analysis (using Flowmon as an example).
If you are interested in this topic, stay tuned (Telegram, Facebook, VK, TS Solution Blog, Yandex.Zen).


Do you use NetFlow/sFlow/jFlow/IPFIX analyzers?

  • 55.6% - Yes (5 votes)
  • 11.1% - No, but I plan to (1 vote)
  • 33.3% - No (3 votes)

9 users voted. 1 user abstained.

Source: www.habr.com
