Iiprothokholi ezihambayo njengesixhobo sokubeka iliso kukhuseleko lwenethiwekhi yangaphakathi

Xa kuziwa ekubekeni iliso kukhuseleko lwenkampani yangaphakathi okanye inethiwekhi yesebe, abaninzi bayinxulumanisa nokulawula ukuvuza kolwazi kunye nokuphumeza izisombululo ze-DLP. Kwaye ukuba uzama ukucacisa umbuzo kwaye ubuze ukuba ufumanisa njani ukuhlaselwa kwinethiwekhi yangaphakathi, ngoko impendulo iya kuthi, njengomthetho, ikhankanywe kwiinkqubo zokufumanisa ukungena (IDS). Kwaye yintoni ekuphela kwenketho kwiminyaka eyi-10-20 eyadlulayo iba yi-anachronism namhlanje. Kukho esebenzayo ngakumbi, kwaye kwezinye iindawo, ukhetho olunokwenzeka kuphela esweni inethiwekhi yangaphakathi - usebenzisa iprotocol yokuhamba, eyayiyilelwe ekuqaleni ukukhangela iingxaki zenethiwekhi (ukusombulula ingxaki), kodwa ekuhambeni kwexesha yaguqulwa yaba sisixhobo sokhuseleko esinomdla kakhulu. Siza kuthetha malunga nokuba zeziphi iiprothokholi zokuhamba ezikhoyo kwaye zeziphi ezingcono ekuboneni uhlaselo lwenethiwekhi, apho kukulungele ukuphumeza ukujongwa kokuhamba, ukuba ukhangele ntoni xa uhambisa inkqubo enjalo, kunye nokuba "ukuphakamisa" njani konke oku kwizixhobo zasekhaya. kumda weli nqaku.

Andizukuhlala kumbuzo othi "Kutheni kufuneka ukubekwa iliso kukhuseleko lweziseko zophuhliso lwangaphakathi?" Impendulo ibonakala icacile. Kodwa ukuba, nangona kunjalo, ungathanda ukuqiniseka kwakhona ukuba namhlanje awukwazi ukuphila ngaphandle kwayo, jonga ividiyo emfutshane malunga nendlela onokungena ngayo kwinethiwekhi yenkampani ekhuselwe ngumlilo kwiindlela ze-17. Ke ngoko, siya kucinga ukuba siyaqonda ukuba ukubekwa esweni kwangaphakathi kuyinto eyimfuneko kwaye konke okuseleyo kukuqonda ukuba ingacwangciswa njani.

Ndiza kugxininisa imithombo emithathu engundoqo yedatha yokubeka iliso kwiziseko zophuhliso kwinqanaba lenethiwekhi:

• itrafikhi "ekrwada" esiyibambayo kwaye siyingenise ukuze ihlalutywe kwiinkqubo ezithile zokuhlalutya,
• Iziganeko ezivela kwizixhobo zenethiwekhi apho i-traffic idlula khona,
• ulwazi lwetrafikhi olufunyenwe ngenye yeendlela zokuhamba.

Ukubamba i-traffic eluhlaza yeyona ndlela idumileyo phakathi kweengcali zokhuseleko, kuba yavela ngokwembali kwaye yayiyeyokuqala. Iinkqubo eziqhelekileyo zokubona ukungena kwenethiwekhi (inkqubo yokuqala yokufumanisa ukungena kwentengiso yayiyi-NetRanger esuka kwiQela le-Wheel, ethengwe ngo-1998 yiCisco) yayizibandakanye ngokuchanekileyo ekubambeni iipakethi (kunye neeseshoni zamva) apho utyikityo oluthile lwalujongwa ("imithetho eqinisekileyo" kwi. Isigama se-FSTEC), ukuhlaselwa komqondiso. Ngokuqinisekileyo, unokuhlalutya i-traffic eluhlaza kungekuphela nje usebenzisa i-IDS, kodwa nokusebenzisa ezinye izixhobo (umzekelo, i-Wireshark, i-tcpdum okanye i-NBAR2 yokusebenza kwi-Cisco IOS), kodwa bahlala beswele isiseko solwazi esahlula isixhobo sokhuseleko lolwazi ukusuka rhoqo. Isixhobo se-IT.

Ke, iinkqubo zokubona uhlaselo. Indlela endala kunye neyona idumileyo yokubona ukuhlaselwa kwenethiwekhi, eyenza umsebenzi omhle kwi-perimeter (kungakhathaliseki ukuba yintoni - i-corporate, isikhungo sedatha, icandelo, njl.), kodwa iyasilela kwiinethiwekhi zanamhlanje ezitshintshiweyo kunye ne-software-defined. Kwimeko yothungelwano olwakhiwe ngesiseko sokutshintsha okuqhelekileyo, isiseko se-sensors zokukhangela ukuhlaselwa siba sikhulu kakhulu - kuya kufuneka ufake inzwa kunxibelelwano ngalunye kwi-node ofuna ukubeka iliso kuhlaselo. Nawuphi na umenzi, ewe, uya kukuvuyela ukukuthengisa amakhulu kunye namawaka eenzwa, kodwa ndicinga ukuba ibhajethi yakho ayinakuxhasa iindleko ezinjalo. Ndiyakwazi ukuthetha ukuba nakwiCisco (kwaye singabaphuhlisi be-NGIPS) asikwazanga ukwenza oku, nangona kubonakala ngathi umba wexabiso uphambi kwethu. Akufunekanga ndime - sisigqibo sethu. Ukongeza, umbuzo uvela, indlela yokudibanisa inzwa kule nguqulo? Kwisithuba? Kuthekani ukuba isivamvo ngokwaso siyasilela? Ifuna imodyuli yokugqitha kuluvo? Sebenzisa iziqhekeza (itephu)? Konke oku kwenza ukuba isisombululo sibize kakhulu kwaye sisenza ukuba singafikeleleki kwinkampani yayo nayiphi na isayizi.

Ungazama "ukuxhoma" inzwa kwi-SPAN/RSPAN/ERSPAN port kunye ne-traffic ngqo ukusuka kwizibuko ezifunekayo zokuya kuyo. Olu khetho lususa ingxaki echazwe kumhlathi wangaphambili, kodwa lubeka enye - i-port ye-SPAN ayikwazi ukwamkela ngokupheleleyo yonke i-traffic eya kuthunyelwa kuyo - ayiyi kuba ne-bandwidth eyaneleyo. Kuya kufuneka uncame okuthile. Okanye ushiye ezinye iindawo ngaphandle kokubeka iliso (emva koko kufuneka uzibeke phambili kuqala), okanye ungathumeli zonke i-traffic kwi-node, kodwa uhlobo oluthile kuphela. Enoba yintoni na, sisenokuphoswa ziintlaselo ezithile. Ukongeza, izibuko le-SPAN lingasetyenziselwa ezinye iimfuno. Ngenxa yoko, kuya kufuneka sihlole i-topology ekhoyo yothungelwano kwaye senze uhlengahlengiso kuyo ukuze sigqume inethiwekhi yakho ukuya kuthi ga kwinani labenzi boluvo onalo (kwaye ulungelelanise oku kunye ne-IT).

Kuthekani ukuba inethiwekhi yakho isebenzisa iindlela ze-asymmetric? Kuthekani ukuba uphunyeziwe okanye uceba ukuphumeza i-SDN? Kuthekani ukuba ufuna ukubeka iliso koomatshini okanye izikhongozeli ezinokuthi itrafikhi ingafikeleli kwiswitshi yasemzimbeni kwaphela? Le yimibuzo abangayithandiyo abathengisi be-IDS bemveli kuba bengazi ukuba bayiphendule njani. Mhlawumbi baya kukweyisela ukuba zonke ezi tekhnoloji zefashoni ziyi-hype kwaye awuyidingi. Mhlawumbi baya kuthetha ngemfuneko yokuqala encinane. Okanye mhlawumbi baya kuthi kufuneka ubeke i-thresher enamandla embindini womnatha kwaye uqondise yonke i-traffic kuyo usebenzisa i-balancers. Naluphi na ukhetho olunikezelwa kuwe, kufuneka uqonde ngokucacileyo ukuba ikulungele njani. Kwaye kuphela emva kokuba wenze isigqibo ekukhetheni indlela yokubeka iliso kukhuseleko lolwazi lweziseko zonxibelelwano. Ukubuyela ekubanjweni kwepakethe, ndifuna ukuthetha ukuba le ndlela iyaqhubeka ithandwa kakhulu kwaye ibalulekile, kodwa injongo yayo ephambili kukulawula umda; imida phakathi kombutho wakho kunye ne-Intanethi, imida phakathi kweziko ledatha kunye nayo yonke inethiwekhi, imida phakathi kwenkqubo yokulawula inkqubo kunye necandelo lenkampani. Kwezi ndawo, i-IDS/IPS yakudala isenelungelo lokubakho kwaye imelane kakuhle nemisebenzi yabo.

Masiqhubele phambili kukhetho lwesibini. Uhlalutyo lweziganeko ezivela kwizixhobo zenethiwekhi zingasetyenziselwa iinjongo zokukhangela ukuhlaselwa, kodwa kungekhona njengendlela ephambili, kuba ivumela ukufumanisa kuphela iklasi encinci yokungena. Ukongezelela, i-inherent kwi-reactivity ethile - ukuhlaselwa kufuneka kuqala kwenzeke, ngoko kufuneka kubhalwe ngesixhobo sothungelwano, ngendlela enye okanye enye iya kubonisa ingxaki ngokhuseleko lolwazi. Zininzi iindlela ezinjalo. Oku kunokuba yi-syslog, i-RMON okanye i-SNMP. Iiprothokholi ezimbini zokugqibela zokubeka iliso kwinethiwekhi kumxholo wokhuseleko lolwazi zisetyenziswa kuphela ukuba sifuna ukubona uhlaselo lwe-DoS kwisixhobo sothungelwano ngokwalo, ekubeni usebenzisa i-RMON kunye ne-SNMP kunokwenzeka, umzekelo, ukubeka iliso kumthwalo kumbindi wesixhobo. iprosesa okanye ujongano lwayo. Le yenye "yexabiso eliphantsi" (wonke umntu une-syslog okanye i-SNMP), kodwa kunye neyona nto ingasebenziyo kuzo zonke iindlela zokubeka esweni ukhuseleko lolwazi lweziseko zangaphakathi - ukuhlaselwa okuninzi kufihlwe kuyo. Kakade ke, akufanele zihoywe, kwaye uhlalutyo olufanayo lwe-syslog lukunceda ukuba uchonge kwangexesha utshintsho kuqwalaselo lwesixhobo ngokwaso, ukuthomalalisa kwayo, kodwa ayifanelekanga kakhulu ukufumanisa ukuhlaselwa kwinethiwekhi yonke.

Inketho yesithathu kukuhlalutya ulwazi malunga netrafikhi edlula kwisixhobo esixhasa enye yeeprotocol ezininzi zokuhamba. Kule meko, nokuba yeyiphi na iprothokholi, isiseko somsonto sibandakanya amacandelo amathathu:

• Ukuveliswa okanye ukuthumela ngaphandle kokuhamba. Le nxaxheba idla ngokunikezelwa kwi-router, ukutshintshela okanye esinye isixhobo sothungelwano, leyo, ngokudlula i-traffic yenethiwekhi ngokwayo, ikuvumela ukuba ukhuphe iiparitha eziphambili kuyo, ezithi zidluliselwe kwimodyuli yokuqokelela. Ngokomzekelo, i-Cisco ixhasa i-protocol ye-Netflow kungekhona kuphela kwii-routers kunye nokutshintsha, kubandakanywa ne-virtual kunye ne-industrial, kodwa kunye nabalawuli abangenazintambo, i-firewall kunye neeseva.
• Ukuhamba kokuqokelela. Ukuqwalasela ukuba uthungelwano lwanamhlanje luhlala lunesixhobo esingaphezulu kwesinye, ingxaki yokuqokelela kunye nokudibanisa ukuhamba ivela, esonjululwa ngokubizwa ngokuba ngabaqokeleli, abaqhuba ukuhamba okufunyenweyo baze badlulisele ukuhlalutya.
• Uhlalutyo lokuhamba I-analyzer ithatha owona msebenzi wengqondo oyintloko kwaye, isebenzisa i-algorithms eyahlukeneyo kwimisinga, yenza izigqibo ezithile. Ngokomzekelo, njengenxalenye yomsebenzi we-IT, uhlalutyi olunjalo lunokuchonga i-bottlenecks yenethiwekhi okanye ukuhlalutya iprofayili yomthwalo we-traffic ukwenzela ukuqhubela phambili kwenethiwekhi. Kwaye ukhuseleko lolwazi, i-analyzer enjalo inokubona ukuvuza kwedatha, ukusasazeka kwekhowudi enobungozi okanye ukuhlaselwa kwe-DoS.

Musa ukucinga ukuba olu lwakhiwo lwemigangatho emithathu lunzima kakhulu - zonke ezinye iinketho (ngaphandle, mhlawumbi, iinkqubo zokubeka iliso zenethiwekhi ezisebenza kunye ne-SNMP kunye ne-RMON) nazo zisebenza ngokuhambelana nayo. Sine-generator yedatha yokuhlalutya, enokuba sisixhobo senethiwekhi okanye inzwa yodwa. Sinenkqubo yokuqokelela i-alam kunye nenkqubo yokulawula yonke iziseko zokubeka iliso. Amacandelo amabini okugqibela anokudibaniswa ngaphakathi kwendawo enye, kodwa kwiinethiwekhi ezingaphezulu okanye ezincinci zidla ngokusasazwa ubuncinane kwizixhobo ezimbini ukwenzela ukuba kuqinisekiswe ukulinganisa kunye nokuthembeka.

Ngokungafani nohlalutyo lwepakethe, olusekelwe ekufundeni intloko kunye nedatha yomzimba wepakethi nganye kunye neeseshoni eziqulethwe kuzo, uhlalutyo lokuhamba luxhomekeke ekuqokeleleni imethadatha malunga nokuthuthwa kwenethiwekhi. Nini, kangakanani, ukusuka phi kwaye phi, njani ... le yimibuzo ephendulwe ngokuhlalutya kwe-telemetry yenethiwekhi kusetyenziswa iiprothokholi zokuhamba ezahlukeneyo. Ekuqaleni, zazisetyenziselwa ukuhlalutya izibalo kunye nokufumana iingxaki ze-IT kwinethiwekhi, kodwa ke, njengoko iindlela zokuhlalutya ziphuhlisiwe, kuye kwenzeka ukuba zisetyenziswe kwi-telemetry efanayo ngeenjongo zokhuseleko. Kubalulekile ukuqaphela kwakhona ukuba uhlalutyo lokuhamba aluthathi ndawo okanye luthathe indawo yokuthatha ipakethi. Nganye kwezi ndlela inendawo yayo yesicelo. Kodwa kumxholo weli nqaku, luhlalutyo lokuhamba olufaneleke kakhulu ukubeka iliso kwiziseko ezingundoqo zangaphakathi. Unezixhobo zenethiwekhi (nokuba zisebenza kwi-software-defined paradigm okanye ngokwemigaqo engatshintshiyo) ukuba uhlaselo alukwazi ukudlula. Iyakwazi ukudlula i-IDS yoluvo lwakudala, kodwa isixhobo sothungelwano esixhasa iprotocol yokuqukuqela asikwazi. Le yinzuzo yale ndlela.

Kwelinye icala, ukuba ufuna ubungqina bokuthotyelwa komthetho okanye iqela lakho lophando lwezehlo, awukwazi ukwenza ngaphandle kokubamba ipakethe - i-telemetry yenethiwekhi ayiyokopi yetrafikhi enokusetyenziswa ukuqokelela ubungqina; iyadingeka ukufumanisa ngokukhawuleza kunye nokwenza izigqibo kwintsimi yokhuseleko lolwazi. Ngakolunye uhlangothi, usebenzisa uhlalutyo lwe-telemetry, unako "ukubhala" kungekhona yonke i-traffic yenethiwekhi (ukuba kukho nantoni na, i-Cisco ijongene namaziko edatha :-), kodwa kuphela oko kubandakanyeka ekuhlaselweni. Izixhobo zokuhlalutya i-Telemetry kulo mba ziya kuncedisa iindlela zokubanjwa kweepakethi eziqhelekileyo kakuhle, ukunika imiyalelo yokubamba okukhethiweyo kunye nokugcinwa. Kungenjalo, kuya kufuneka ube nesiseko esikhulu sogcino.

Makhe sicinge inethiwekhi esebenza ngesantya se-250 Mbit / sec. Ukuba ufuna ukugcina yonke le volumu, ngoko uya kufuna i-31 MB yokugcina i-second ye-traffic transmission, i-1,8 GB ngomzuzu omnye, i-108 GB ngeyure enye, kunye ne-2,6 TB ngosuku olunye. Ukugcina idatha yemihla ngemihla kwinethiwekhi ene-bandwidth ye-10 Gbit / s, uya kufuna i-108 TB yokugcina. Kodwa abanye abalawuli bafuna ukugcina idatha yokhuseleko iminyaka ... Ukurekhoda okufunwayo, uhlalutyo lokuhamba lukunceda ukuba uphumeze, lunceda ukunciphisa ezi xabiso ngemiyalelo yobukhulu. Ngendlela, ukuba sithetha malunga nomthamo wedatha yenethiwekhi ye-telemetry erekhodiweyo kunye nokubanjwa kwedatha epheleleyo, ngoko ke malunga ne-1 ukuya kwi-500. Kumaxabiso afanayo anikwe ngasentla, ukugcina i-transcript epheleleyo yazo zonke i-traffic yemihla ngemihla. iya kuba yi-5 kunye ne-216 GB, ngokulandelanayo (unokuyirekhoda kwi-flash drive eqhelekileyo).

Ukuba izixhobo zokuhlalutya idatha yenethiwekhi eluhlaza, indlela yokuyibamba iphantse ifane nomthengisi ukuya kumthengisi, ngoko kwimeko yohlalutyo lokuhamba imeko iyahluka. Kukho iinketho ezininzi zeeprothokholi zokuhamba, umahluko ofuna ukwazi ngawo kumxholo wokhuseleko. Eyona nto idumileyo yi-Netflow protocol eyenziwe nguCisco. Kukho iinguqulelo ezininzi zale protocol, eyahlukileyo kubuchule bazo kunye nesixa solwazi lwendlela erekhodiweyo. Inguqulelo yangoku yesithoba (Netflow v9), ngesiseko apho umgangatho woshishino weNetflow v10, owaziwa ngokuba yi-IPFIX, waphuhliswa. Namhlanje, uninzi lwabathengisi benethiwekhi baxhasa i-Netflow okanye i-IPFIX kwizixhobo zabo. Kodwa kukho ezinye iindlela ezahlukeneyo zokukhetha iiprothokholi zokuhamba - sFlow, jFlow, cFlow, rFlow, NetStream, njl., apho i-sFlow ithandwa kakhulu. Yilolu hlobo oluhlala luxhaswa ngabavelisi basekhaya bezixhobo zenethiwekhi ngenxa yokulula kwayo ukuphunyezwa. Ngowuphi umahluko ophambili phakathi kweNetflow, ethe yaba ngumgangatho we-de facto, kunye ne-sFlow? Ndiza kuphawula ezininzi ezibalulekileyo. Okokuqala, i-Netflow inemimandla enokwenziwa ngokwezifiso kumsebenzisi ngokuchasene nemimandla emiselweyo kwi-sFlow. Kwaye okwesibini, kwaye le yeyona nto ibalulekileyo kwimeko yethu, i-sFlow iqokelela into ebizwa ngokuba yi-telemetry yesampuli; ngokuchaseneyo nengafakwanga sampuli ye-Netflow kunye ne-IPFIX. Yintoni umahluko phakathi kwabo?

Khawufane ucinge ukuba ugqibe kwelokuba uyifunde incwadi "Iziko leMisebenzi yoKhuseleko: Ukwakha, ukuSebenza, kunye noLondolozo lwe-SOC yakho” koogxa bam - uGary McIntyre, uJoseph Munitz kunye noNadem Alfardan (ungakhuphela inxalenye yencwadi kwikhonkco). Uneendlela ezintathu ongakhetha kuzo ukuze ufezekise injongo yakho - funda yonke incwadi, skim kuyo, uyeke kwiphepha ngalinye le-10 okanye lama-20, okanye uzame ukufumana ukuphinda uchaze iikhonsepthi eziphambili kwibhlog okanye inkonzo efana ne-SmartReading. Ke, i-telemetry engasetyenziswanga ifunda lonke "iphepha" letrafikhi yenethiwekhi, oko kukuthi, ukuhlalutya imethadatha kwipakethi nganye. Isampula ye-telemetry luphononongo olukhethiweyo lwetrafikhi ngethemba lokuba iisampulu ezikhethiweyo ziya kuqulatha into oyifunayo. Ngokuxhomekeke kwisantya setshaneli, isampula ye-telemetry iya kuthunyelwa kuhlalutyo rhoqo ngepakethi yama-64, 200, 500, 1000, 2000 okanye ne-10000.

Kumxholo wokubeka iliso kukhuseleko lolwazi, oku kuthetha ukuba i-telemetry eyisampula ifaneleke kakuhle ukukhangela uhlaselo lwe-DDoS, ukuskena, kunye nokusasaza ikhowudi ekhohlakeleyo, kodwa inokuphoswa yi-athomu okanye uhlaselo lweepakethi ezininzi ezingabandakanywanga kwisampulu ethunyelwe ukuhlalutya. I-telemetry engasetyenziswanga ayinazo izinto ezingalunganga. Ngale nto, uluhlu lohlaselo olufunyenweyo lubanzi kakhulu. Nalu uluhlu olufutshane lweziganeko ezinokubonwa kusetyenziswa izixhobo zokuhlalutya inethiwekhi ye-telemetry.

Ewe kunjalo, omnye umthombo ovulekileyo we-Netflow analyzer akayi kukuvumela ukuba wenze oku, kuba umsebenzi wawo oyintloko kukuqokelela i-telemetry kwaye uqhube uhlalutyo olusisiseko kuyo ukusuka kwindawo yokujonga i-IT. Ukuchonga izisongelo zokhuseleko lolwazi ngokusekelwe ekuhambeni, kuyimfuneko ukuxhobisa i-analyzer ngeenjini ezahlukeneyo kunye ne-algorithms, eziza kuchonga iingxaki ze-cybersecurity ngokusekelwe kwimigangatho ye-Netflow eqhelekileyo okanye yesiko, ukucebisa idatha esemgangathweni kunye nedatha yangaphandle evela kwimithombo eyahlukeneyo ye-Treat Intelligence, njl.

Ke, ukuba unokhetho, khetha iNetflow okanye IPFIX. Kodwa nokuba izixhobo zakho zisebenza kuphela nge-sFlow, njengabavelisi basekhaya, ke nakulo mzekelo unokuxhamla kuyo kwimeko yokhuseleko.

Ehlotyeni lika-2019, ndahlalutya amandla okuba ngabavelisi be-hardware yenethiwekhi yaseRashiya kunye nabo bonke, ngaphandle kwe-NSG, i-Polygon kunye ne-Craftway, babhengeze inkxaso ye-sFlow (ubuncinci i-Zelax, i-Natex, i-Eltex, i-QTech, i-Rusteleteh).

Umbuzo olandelayo oya kujongana nawo kukuphi ukuphumeza inkxaso yokuhamba ngeenjongo zokhuseleko? Enyanisweni, umbuzo awubuzwanga ngokupheleleyo. Izixhobo zanamhlanje phantse zihlala zixhasa iiprothokholi zokuhamba. Ke ngoko, ndingawulungisa kwakhona umbuzo ngokwahlukileyo-iphi eyona nto isebenzayo ukuqokelela i-telemetry kwindawo yokhuseleko? Impendulo iya kubonakala ngokucacileyo - kwinqanaba lofikelelo, apho uya kubona i-100% yazo zonke i-traffic, apho uya kuba nolwazi oluthe kratya malunga nomkhosi (MAC, VLAN, ID interface), apho unokujonga khona i-P2P yetrafikhi phakathi kwemikhosi, Ibalulekile ekubhaqweni kokuskena kunye nokusasazwa kwekhowudi engalunganga. Kwinqanaba eliphambili, usenokungayiboni enye yetrafikhi, kodwa kwinqanaba lomjikelezo, uya kubona ikota yetrafikhi yakho yenethiwekhi. Kodwa ukuba ngesizathu esithile unezixhobo zangaphandle kwinethiwekhi yakho ezivumela abahlaseli ukuba "bangene kwaye baphume" ngaphandle kokudlula umjikelezo, ngoko ukuhlalutya i-telemetry kuyo akuyi kukunika nantoni na. Ke ngoko, kukhuseleko oluphezulu, kuyacetyiswa ukuba uqokelele i-telemetry kwinqanaba lofikelelo. Kwangaxeshanye, kuyaphawuleka ukuba nokuba sithetha malunga ne-virtualization okanye izikhongozeli, inkxaso yokuqukuqela ifumaneka rhoqo kwiiswitshi zale mihla, ezikuvumela ukuba ulawule i-traffic apho kwakhona.

Kodwa ekubeni ndiphakamise isihloko, kufuneka ndiphendule umbuzo: kuthekani ukuba izixhobo, eziphathekayo okanye ezibonakalayo, azixhasi iiprothokholi zokuhamba? Okanye ngaba ukubandakanywa kwayo kunqatshelwe (umzekelo, kumacandelo amashishini ukuqinisekisa ukuthembeka)? Okanye ngaba ukuyivula kukhokelela kumthwalo ophezulu we-CPU (oku kwenzeka kwi-hardware endala)? Ukusombulula le ngxaki, kukho abenzi boluvo abakhethekileyo (izinzwa zokuqukuqela), ezizii-splitters eziqhelekileyo ezidlula i-traffic ngokwazo kwaye zisasaze ngendlela yokuhamba kwimodyuli yokuqokelela. Enyanisweni, kule meko sifumana zonke iingxaki ebesithetha ngazo ngasentla ngokumalunga nezixhobo zokubamba iipakethi. Oko kukuthi, kufuneka uqonde kungekuphela nje iingenelo zetekhnoloji yohlalutyo lokuhamba, kodwa kunye nemida yayo.

Enye ingongoma ebalulekileyo ukuyikhumbula xa uthetha malunga nezixhobo zokuhlalutya ukuhamba. Ukuba ngokumalunga neendlela eziqhelekileyo zokuvelisa iziganeko zokhuseleko sisebenzisa i-metric ye-EPS (isiganeko ngesibini), ke esi salathisi asisebenzi kuhlalutyo lwe-telemetry; ithatyathelwe indawo yiFPS (ukuhamba ngesekondi). Njengakwimeko ye-EPS, ayinakubalwa kwangaphambili, kodwa unokuqikelela inani eliqikelelweyo lemisonto eyenziwa sisixhobo esithile ngokuxhomekeke kumsebenzi wayo. Unokufumana iitafile kwi-Intanethi ngamaxabiso aqikelelweyo eentlobo ezahlukeneyo zezixhobo zeshishini kunye neemeko, eziya kukuvumela ukuba uqikelele ukuba zeziphi iilayisenisi ozifunayo kwizixhobo zokuhlalutya kunye nokuba ziya kuba yintoni izakhiwo zazo? Inyaniso kukuba i-sensor ye-IDS inqunyelwe yi-bandwidth ethile enokuthi "idonsa", kwaye umqokeleli wokuhamba unemida yakhe ekufuneka iqondwe. Ke ngoko, kuthungelwano olukhulu, olusasazwe ngokwejografi ngokuqhelekileyo kukho abaqokeleli abaninzi. Xa ndichaza indlela inethiwekhi esweni ngaphakathi Cisco, sele ndinike inani labaqokeleli bethu - kukho i-21. Kwaye oku kunethiwekhi ehlakazekile kumazwekazi amahlanu kunye nenani malunga nesiqingatha sesigidi sezixhobo ezisebenzayo).

Sisebenzisa isisombululo sethu njengenkqubo yokubeka iliso yeNetflow Cisco Stealthwatch, ejolise ngokukodwa ekusombululeni iingxaki zokhuseleko. Ineenjini ezininzi ezakhelwe ngaphakathi zokubona umsebenzi ongathandekiyo, okrokrelayo kunye nobubi ngokucacileyo, okuvumela ukuba uchonge uluhlu olubanzi lwezoyikiso ezahlukeneyo - ukusuka kwi-cryptomining ukuya ekuvuzeni kolwazi, ukusuka ekusasazeni ikhowudi ekhohlakeleyo ukuya kubuqhophololo. Njengabahlalutyi abaninzi bokuhamba, i-Stealthwatch yakhiwe ngokwesicwangciso senqanaba lesithathu (i-generator - umqokeleli - i-analyzer), kodwa yongezwa kunye nenani lezinto ezinomdla ezibalulekileyo kumxholo wezinto eziqwalaselwayo. Okokuqala, idibanisa nezisombululo zokubamba iipakethi (ezifana neCisco Security Packet Analyzer), ekuvumela ukuba urekhode iiseshoni zenethiwekhi ezikhethiweyo zophando olunzulu kunye nohlalutyo. Okwesibini, ngokukodwa ukwandisa imisebenzi yokhuseleko, siye saqulunqa i-protocol ekhethekileyo ye-nvzFlow, evumela ukuba "usasaze" umsebenzi wezicelo kwiindawo zokuphela (iiseva, iindawo zokusebenza, njl.) kwi-telemetry kwaye uyithumele kumqokeleli ukuze uhlalutye ngakumbi. Ukuba kwinguqulelo yayo yoqobo iStealthwatch isebenza nayo nayiphi na iprotocol yokuqukuqela (sFlow, rFlow, Netflow, IPFIX, cFlow, jFlow, NetStream) kwinqanaba lenethiwekhi, ke inkxaso ye-nvzFlow ivumela ulungelelwaniso lwedatha nakwinqanaba le-node, ngaloo ndlela. ukwandisa ukusebenza kakuhle kwenkqubo yonke kunye nokubona ukuhlaselwa okungaphezulu kunee-analyzers zenethiwekhi eziqhelekileyo.

Kucacile ukuba xa uthetha ngeenkqubo zokuhlalutya kwe-Netflow ukusuka kwindawo yokukhusela, imarike ayikhawulelwanga kwisisombululo esisodwa esivela kwiCisco. Ungasebenzisa zombini izisombululo zentengiso kunye nesimahla okanye ze-shareware. Kuyamangalisa ukuba ndicaphula izisombululo zabakhuphisanayo njengemizekelo kwibhlog yeCisco, ke ndiza kuthetha amagama ambalwa malunga nendlela i-telemetry yenethiwekhi inokuhlalutywa ngayo kusetyenziswa ezimbini ezidumileyo, ezifanayo ngegama, kodwa izixhobo ezahlukeneyo-i-SiLK kunye ne-ELK.

I-SiLK iyisethi yezixhobo (iNkqubo yoLwazi lweNqanaba le-Intanethi) yohlalutyo lwetrafikhi, oluphuhliswe yi-CERT / CC yaseMelika kwaye ixhasa, kumxholo wenqaku lanamhlanje, i-Netflow (i-5th kunye ne-9, iinguqulelo ezithandwa kakhulu), i-IPFIX. kunye ne-sFlow kunye nokusebenzisa izixhobo ezahlukeneyo (i-rwfilter, i-rwcount, i-rwflowpack, njl.) ukwenza imisebenzi eyahlukeneyo kwi-telemetry yenethiwekhi ukuze kubonwe iimpawu zezenzo ezingagunyaziswanga kuyo. Kodwa kukho iingongoma ezimbalwa ezibalulekileyo ekufuneka uziqaphele. I-SiLK sisixhobo somgca womyalelo esenza uhlalutyo lwe-intanethi ngokufaka imiyalelo efana nale (ukufunyanwa kweepakethi ze-ICMP ezinkulu kune-bytes ezingama-200):

rwfilter --flowtypes=all/all --proto=1 --bytes-per-packet=200- --pass=stdout | rwrwcut --fields=sIP,dIP,iType,iCode --num-recs=15

ayikhululekanga kakhulu. Ungasebenzisa i-iSiLK GUI, kodwa ayiyi kwenza ubomi bakho bube lula, ukusombulula kuphela umsebenzi wokubonisa kwaye ungafaki umhlalutyi. Kwaye le ngongoma yesibini. Ngokungafaniyo nezisombululo zorhwebo, esele zinesiseko esiluqilima sohlalutyo, i-algorithms yokufumanisa i-anomaly, ukuhamba komsebenzi okuhambelanayo, njl., Kwimeko ye-SiLK kuya kufuneka wenze konke oku ngokwakho, okuya kufuna ubuchule obahluke kancinane kuwe kunokusebenzisa esele ilungile- ukusebenzisa izixhobo. Oku akulunganga okanye kubi - olu luphawu phantse nasiphi na isixhobo sasimahla esithatha ukuba uyayazi into omawuyenze, kwaye iya kukunceda ngale nto (izixhobo zorhwebo zixhomekeke kancinci kubuchule babasebenzisi bayo, nangona nabo bacinga ukuba abahlalutyi baqonde ubuncinci iziseko zophando zothungelwano kunye nokubeka iliso). Kodwa masibuyele kwi-SiLK. Umjikelo womsebenzi womhlalutyi kunye nayo ujongeka ngolu hlobo:

• Ukuqulunqa ingcamango. Kuya kufuneka siyiqonde into esiza kuyijonga ngaphakathi kwe-telemetry yenethiwekhi, sazi iimpawu ezizodwa esiya kuchonga ngazo izinto ezingaqhelekanga okanye izoyikiso.
• Ukwakha imodeli. Emva kokuqulunqa i-hypothesis, siyicwangcisa ngokusebenzisa iPython efanayo, iqokobhe okanye ezinye izixhobo ezingabandakanywanga kwi-SiLK.
• Uvavanyo. Ixesha lokujonga ukuchaneka kwe-hypothesis yethu, eqinisekisiwe okanye ephikiswayo kusetyenziswa izixhobo ze-SiLK eziqala 'rw', 'set', 'bag'.
• Uhlalutyo lwedatha yokwenyani. Kwintsebenzo yoshishino, i-SiLK isinceda ukuba sibone into ethile kwaye umhlalutyi kufuneka aphendule imibuzo ethi "Ngaba sifumene into ebesiyilindele?", "Ngaba oku kuhambelana ne-hypothesis yethu?", "Indlela yokunciphisa inani leengcamango zobuxoki?", "Njani ukuphucula inqanaba lokuqatshelwa? » kwaye nangokunjalo.
• Uphuculo. Kwinqanaba lokugqibela, siphucula oko kwenziwe ngaphambili - senza iitemplates, siphucule kwaye siphucule ikhowudi, sihlaziye kwaye sicacise i-hypothesis, njl.

Lo mjikelo uya kusebenza kwakhona kwiCisco Stealthwatch, kuphela eyokugqibela i-automates la manyathelo amahlanu ukuya phezulu, ukunciphisa inani leempazamo zomhlalutyi kunye nokwandisa ukusebenza kakuhle kokufunyanwa kwesiganeko. Ngokomzekelo, kwi-SiLK unokucebisa izibalo zenethiwekhi kunye nedatha yangaphandle kwii-IP ezinobungozi usebenzisa izikripthi ezibhalwe ngesandla, kwaye kwi-Cisco Stealthwatch ngumsebenzi owakhelwe ngaphakathi obonisa ngokukhawuleza i-alamu ukuba i-traffic traffic iqulethe ukusebenzisana kunye needilesi ze-IP ezivela kuluhlu lwabamnyama.

Ukuba uya phezulu kwiphiramidi "ehlawulweyo" ye-software yohlalutyo lokuhamba, ngoko emva kwe-SiLK ekhululekile ngokupheleleyo kuya kubakho i-ELK ye-shareware, equlethwe ngamacandelo amathathu abalulekileyo - i-Elasticsearch (i-indexing, ukukhangela kunye nohlalutyo lwedatha), i-Logstash (ukufakwa kwedatha / isiphumo ) kunye ne-Kibana (umboniso). Ngokungafaniyo ne-SiLK, apho kufuneka ubhale yonke into ngokwakho, i-ELK sele sele inamathala eencwadi / iimodyuli ezininzi esele zenziwe (ezinye zihlawulwe, ezinye azikho) ezenza ngokuzenzekelayo uhlalutyo lwe-telemetry yenethiwekhi. Umzekelo, isihluzi se-GeoIP kwi-Logstash ikuvumela ukuba unxulumanise iidilesi ze-IP ezibekwe iliso kwindawo yazo (i-Stealthwatch inolu phawu lwakhelwe ngaphakathi).

I-ELK inoluntu olukhulu ngokufanelekileyo olugqibezela amacandelo angekhoyo kwesi sisombululo sokubeka iliso. Umzekelo, ukusebenza kunye ne-Netflow, IPFIX kunye ne-sFlow ungasebenzisa imodyuli elastiflow, ukuba awanelisekanga yiLogstash Netflow Module, exhasa kuphela iNetflow.

Ngelixa inika ukusebenza kakuhle ngakumbi ekuqokeleleni ukuhamba kunye nokukhangela kuyo, i-ELK okwangoku ayinayo i-analytics etyebileyo eyakhelwe-ngaphakathi yokufumanisa i-anomalies kunye nezoyikiso kwi-telemetry yenethiwekhi. Oko kukuthi, ukulandela umjikelo wobomi ochazwe ngasentla, kuya kufuneka uchaze ngokuzimeleyo iimodeli zokuphulwa kwaye emva koko uyisebenzise kwinkqubo yokulwa (akukho modeli eyakhelweyo apho).

Kukho, ngokuqinisekileyo, izandiso eziphucukileyo ze-ELK, esele iqulethe ezinye iimodeli zokubona ukungahambi kakuhle kwinethiwekhi ye-telemetry, kodwa ulwandiso olunjalo lubiza imali kwaye umbuzo kukuba ingaba umdlalo ufanelekile ikhandlela - bhala imodeli efanayo ngokwakho, uthenge ukuphunyezwa kwayo. isixhobo sakho esweni, okanye uthenge isisombululo esenziwe eselenziwe iklasi Network Traffic Analysis.

Ngokubanzi, andifuni ukungena kwingxoxo-mpikiswano ukuba kungcono ukuchitha imali kwaye uthenge isisombululo esele senziwe ngokujonga izinto ezingaqhelekanga kunye nezoyikiso kwi-telemetry yenethiwekhi (umzekelo, iCisco Stealthwatch) okanye uzibonele ngokwakho kwaye wenze okufanayo. I-SiLK, ELK okanye i-nfdump okanye i-OSU Flow Tools kwisoyikiso ngasinye esitsha ( ndithetha ngezimbini zokugqibela zazo. uxelelwe kwilixa elidlulile)? Wonke umntu uyazikhethela kwaye wonke umntu uneenjongo zakhe zokukhetha naziphi na iindlela ezimbini. Ndandifuna nje ukubonisa ukuba i-telemetry yenethiwekhi sisixhobo esibaluleke kakhulu ekuqinisekiseni ukhuseleko lwenethiwekhi yeziseko zakho zangaphakathi kwaye akufanele uyihoye, ukuze ungangeni kuluhlu lweenkampani ezigama lakhe likhankanywe kwimidiya kunye neepithets " igqekeziwe", "engahambelani neemfuno zokhuseleko lolwazi" "," bengacingi malunga nokhuseleko lwedatha yabo kunye nedatha yabathengi."

Ukushwankathela, ndingathanda ukudwelisa iingcebiso eziphambili onokuthi uzilandele xa usakha ukhuseleko lolwazi lweziseko zakho zangaphakathi:

1. Sukuzibekela umda kwiperimeter! Sebenzisa (kwaye ukhethe) iziseko zenethiwekhi kungekhona nje ukuhambisa i-traffic ukusuka kwindawo A ukuya kwindawo B, kodwa kunye nokujongana nemiba yokhuseleko lwe-cyber.
2. Funda iindlela ezikhoyo zokuhlola ukhuseleko lolwazi kwisixhobo sakho sothungelwano kwaye uzisebenzise.
3. Ukubeka iliso lwangaphakathi, khetha uhlalutyo lwe-telemetry - ikuvumela ukuba uchonge ukuya kuthi ga kwi-80-90% yazo zonke iziganeko zokhuseleko lolwazi lwenethiwekhi, ngelixa usenza into engenakwenzeka xa ubamba iipakethi zenethiwekhi kunye nokugcina indawo yokugcina zonke iziganeko zokhuseleko lolwazi.
4. Ukujonga ukuhamba, sebenzisa i-Netflow v9 okanye i-IPFIX - banikezela ngolwazi olungakumbi kwimeko yokhuseleko kwaye ikuvumela ukuba ujonge i-IPv4 kuphela, kodwa kunye ne-IPv6, i-MPLS, njl.
5. Sebenzisa iprotocol yokuqukuqela engalandelwanga - ibonelela ngolwazi oluthe kratya lokubona izoyikiso. Umzekelo, Netflow okanye IPFIX.
6. Jonga umthwalo kwisixhobo sakho sothungelwano-isenokungakwazi ukusingatha iprotocol yokuqukuqela ngokunjalo. Emva koko cinga ukusebenzisa abenzi boluvo okanye iNetflow Generation Appliance.
7. Ukuphumeza ulawulo kuqala kwinqanaba lofikelelo - oku kuya kukunika ithuba lokubona i-100% yazo zonke izithuthi.
8. Ukuba awunandlela yokukhetha kwaye usebenzisa izixhobo zenethwekhi zaseRussia, khetha enye exhasa iprotocol okanye ene-SPAN/RSPAN port.
9. Ukudibanisa ukungena / ukuhlaselwa ukufumanisa / ukuthintela iinkqubo kwimida kunye neenkqubo zokuhlalutya ukuhamba kwinethiwekhi yangaphakathi (kubandakanywa namafu).

Ngokuphathelele icebiso lokugqibela, ndingathanda ukunika umzekeliso esele ndiwunike ngaphambili. Uyabona ukuba ngaphambili i-Cisco yolwazi lwenkonzo yokhuseleko iphantse yakha yonke inkqubo yokubeka iliso yokhuseleko lolwazi ngokusekelwe kwiinkqubo zokufumanisa ukungena kunye neendlela zokutyikitya, ngoku zijonga kuphela i-20% yeziganeko. Enye i-20% iwela kwiinkqubo zokuhlalutya ukuhamba, ezibonisa ukuba ezi zisombululo azikho i-whim, kodwa isixhobo sangempela kwimisebenzi yeenkonzo zokhuseleko lolwazi lweshishini lanamhlanje. Ngaphezu koko, uneyona nto ibalulekileyo ekuphunyezweni kwabo - iziseko zonxibelelwano zothungelwano, utyalo-mali olunokuthi lukhuselwe ngakumbi ngokunikezela imisebenzi yokubeka iliso yokhuseleko kwinethiwekhi.

Andizange ndichukumise ngokukodwa kwisihloko sokuphendula kwi-anomalies okanye izoyikiso ezichongiweyo kuthungelwano lokuhamba, kodwa ndicinga ukuba sele kucacile ukuba ukubeka iliso akufanele kuphele kuphela ngokufumanisa kwesongelo. Kufuneka ilandelwe yimpendulo kwaye ngokukhethekileyo kwimodi ezenzekelayo okanye ezenzekelayo. Kodwa esi sisihloko senqaku elahlukileyo.

Ulwazi olongezelelweyo:

• Inkcazo yeCisco IOS Netflow
• I-matrix yenkxaso yeNetflow kwiisombululo ezahlukeneyo zeCisco
• Isikhokelo sokuQinisekisa iNetflow kwiiPlatifomu ezahlukeneyo zeCisco
• Uluntu lwesFlow
• ILab isebenzisa i-Stealtjwatch, i-SiLK kunye ne-ELK ukuhlalutya i-Netflow ngokwembono yokhuseleko
• Iwebhusayithi yeSiLK
• Isikhokelo samaphepha angamakhulu amathathu ekusebenziseni i-SiLK kunye neetoni zemizekelo
• Logstash Netflow Imodyuli
• Cisco Inyathelo ngeNyathelo Isikhokelo kuhlalutyo lweNetflow kwi-ELK
• Uhlalutyo lwe-NetFlow v.9 Cisco ASA usebenzisa i-Logstash (ELK)
• Cisco Stealthwatch Solution

PS. Ukuba kulula kuwe ukuva yonke into ebhalwe ngasentla, ngoko unokubukela inkcazo-ntetho yeyure eyakha isiseko sale nqaku.

umthombo: www.habr.com