Amaphrothokholi agelezayo njengethuluzi lokuqapha ukuphepha kwenethiwekhi yangaphakathi

Uma kuziwa ekuqapheni ukuphepha kwenethiwekhi yangaphakathi yebhizinisi noma yomnyango, abaningi bayihlanganisa nokulawula ukuvuza kolwazi nokusebenzisa izixazululo ze-DLP. Futhi uma uzama ukucacisa umbuzo futhi ubuze ukuthi ubona kanjani ukuhlaselwa kunethiwekhi yangaphakathi, impendulo izoba, njengomthetho, ukukhuluma ngezinhlelo zokubona ukungena (IDS). Futhi okwakuwukuphela kwenketho eminyakeni eyi-10-20 edlule iba i-anachronism namuhla. Kukhona okusebenzayo, futhi kwezinye izindawo, okuwukuphela kwendlela yokuqapha inethiwekhi yangaphakathi - usebenzisa izivumelwano zokugeleza, ezaziklanyelwe ukusesha izinkinga zenethiwekhi (ukuxazulula izinkinga), kodwa ngokuhamba kwesikhathi zaguqulwa zaba ithuluzi lokuphepha elithakazelisa kakhulu. Sizokhuluma ngokuthi yiziphi izinqubo zokugeleza ezikhona nokuthi yiziphi ezingcono ekutholeni ukuhlaselwa kwenethiwekhi, lapho kungcono kakhulu ukusebenzisa ukuqapha ukugeleza, ukuthi yini okufanele uyibheke lapho kuthunyelwa uhlelo olunjalo, ngisho nokuthi "ukuphakamisa" kanjani konke lokhu kumishini yasekhaya. ngaphakathi kwendawo yalesi sihloko.

Ngeke ngigxile embuzweni othi “Kungani kudingeka ukuqapha kwezokuphepha kwengqalasizinda yangaphakathi?” Impendulo ibonakala icacile. Kodwa uma, nokho, ungathanda ukwenza isiqiniseko futhi ukuthi namuhla awukwazi ukuphila ngaphandle kwayo, abuke ividiyo emfushane mayelana nokuthi ungangena kanjani kunethiwekhi yenkampani evikelwe ngodonga lomlilo ngezindlela eziyi-17. Ngakho-ke, sizothatha ngokuthi siyaqonda ukuthi ukuqapha kwangaphakathi kuyinto edingekayo futhi okusele nje ukuqonda ukuthi kungahlelwa kanjani.

Ngizogqamisa imithombo emithathu yedatha ebalulekile yokuqapha ingqalasizinda ezingeni lenethiwekhi:

• ithrafikhi “eluhlaza” esiyithwebulayo futhi siyithumele ukuze ihlaziywe kumasistimu athile okuhlaziya,
• imicimbi evela kumadivayisi enethiwekhi okudlula kuwo ithrafikhi,
• imininingwane yethrafikhi etholwe ngeyodwa yamaphrothokholi agelezayo.

Ukubamba ithrafikhi eluhlaza kuyindlela ethandwa kakhulu phakathi kochwepheshe bezokuphepha, ngoba kwavela ngokomlando futhi bekungokokuqala ngqa. Izinhlelo ezivamile zokubona ukungena kwenethiwekhi (uhlelo lokuqala ngqa lokubona ukungena kwezentengiselwano kwakuyi-NetRanger evela ku-Wheel Group, eyathengwa ngo-1998 ngabakwaCisco) yayibambe iqhaza ngokunembile ekuthwebuleni amaphakethe (kanye namaseshini akamuva) lapho kwakubhekwa khona amasiginesha athile (“imithetho enqumayo” ku. Itemu ye-FSTEC), ukuhlaselwa okukhomba. Kunjalo, ungakwazi ukuhlaziya ithrafikhi eluhlaza hhayi nje ngokusebenzisa i-IDS, kodwa futhi usebenzisa amanye amathuluzi (isibonelo, i-Wireshark, i-tcpdum noma ukusebenza kwe-NBAR2 ku-Cisco IOS), kodwa ngokuvamile ayinaso isisekelo solwazi esihlukanisa ithuluzi lokuvikela ulwazi kwejwayelekile. Ithuluzi le-IT.

Ngakho, amasistimu okuthola ukuhlasela. Indlela endala futhi ethandwa kakhulu yokuthola ukuhlaselwa kwenethiwekhi, okwenza umsebenzi omuhle ku-perimeter (kungakhathaliseki ukuthi yini - yezinkampani, isikhungo sedatha, ingxenye, njll.), kodwa yehluleka kumanethiwekhi anamuhla ashintshiwe kanye ne-software. Endabeni yenethiwekhi eyakhelwe ngesisekelo sokushintshwa okujwayelekile, ingqalasizinda yezinzwa zokuthola ukuhlaselwa iba nkulu kakhulu - kuzodingeka ufake inzwa ekuxhumekeni ngakunye ku-node ofuna ukuqapha ngayo ukuhlaselwa. Noma yimuphi umkhiqizi, yiqiniso, uzokujabulela ukukudayisela amakhulu nezinkulungwane zezinzwa, kodwa ngicabanga ukuthi isabelomali sakho asikwazi ukusekela izindleko ezinjalo. Ngingasho ukuthi ngisho naseCisco (futhi singabathuthukisi be-NGIPS) asikwazanga ukwenza lokhu, nakuba kubonakala sengathi indaba yentengo iphambi kwethu. Akufanele ngime - kuyisinqumo sethu. Ngaphezu kwalokho, kuphakama umbuzo, indlela yokuxhuma inzwa kule nguqulo? Singene esikhaleni? Kuthiwani uma inzwa ngokwayo ihluleka? Idinga imojuli yokudlula kunzwa? Sebenzisa izihlukanisi (kampompi)? Konke lokhu kwenza ikhambi libize kakhulu futhi kwenze ukuthi inkampani yanoma yimuphi usayizi ingathengeki.

Ungazama "ukulenga" inzwa embobeni ye-SPAN/RSPAN/ERSPAN futhi uqondise ithrafikhi esuka kuzimbobo zokushintshela ezidingekayo ukuya kuyo. Le nketho isusa kancane inkinga echazwe endimeni edlule, kodwa ibeka enye - imbobo ye-SPAN ayikwazi ukwamukela ngokuphelele yonke ithrafikhi ezothunyelwa kuyo - ngeke ibe nomkhawulokudonsa owanele. Kuzodingeka udele okuthile. Kuphakathi kokuthi ushiye amanye ama-node ngaphandle kokuqapha (khona-ke udinga ukuwabeka phambili kuqala), noma ungathumeli wonke ama-traffic kusuka ku-node, kodwa uhlobo oluthile kuphela. Kunoma ikuphi, singase siphuthelwe ukuhlaselwa okuthile. Ngaphezu kwalokho, imbobo ye-SPAN ingasetshenziselwa ezinye izidingo. Ngenxa yalokho, kuzodingeka sibuyekeze i-topology yenethiwekhi ekhona futhi mhlawumbe senze izinguquko kuyo ukuze simboze inethiwekhi yakho ngenani lezinzwa onazo (futhi sixhumanise lokhu ne-IT).

Kuthiwani uma inethiwekhi yakho isebenzisa imizila ye-asymmetric? Kuthiwani uma usebenzise noma uhlela ukusebenzisa i-SDN? Kuthiwani uma udinga ukuqapha imishini eyenziwe nge-virtualized noma iziqukathi ezinethrafikhi yazo engafinyeleli nhlobo ekushintsheni okungokoqobo? Lena imibuzo abathengisi be-IDS bendabuko abangayithandi ngoba abazi ukuthi bayiphendule kanjani. Mhlawumbe bazokuncenga ukuthi bonke lobu buchwepheshe bemfashini buyi-hype futhi awubudingi. Mhlawumbe bazokhuluma ngesidingo sokuqala kancane. Noma mhlawumbe bazothi udinga ukubeka i-thresher enamandla phakathi nendawo yenethiwekhi futhi uqondise yonke ithrafikhi kuyo usebenzisa ama-balancers. Noma ngabe iyiphi inketho onikezwa yona, udinga ukuqonda ngokucacile ukuthi ikufanele kanjani. Futhi kuphela ngemva kwalokho wenze isinqumo ekukhetheni indlela yokuqapha ukuphepha kolwazi lwengqalasizinda yenethiwekhi. Ukubuyela ekuthunjweni kwephakethe, ngifuna ukusho ukuthi le ndlela iyaqhubeka ithandwa kakhulu futhi ibalulekile, kodwa injongo yayo eyinhloko ukulawula umngcele; imingcele phakathi kwenhlangano yakho ne-inthanethi, imingcele phakathi kwesikhungo sedatha nayo yonke inethiwekhi, imingcele phakathi kwesistimu yokulawula inqubo kanye nengxenye yenkampani. Kulezi zindawo, i-IDS/IPS yakudala isenelungelo lokuba khona kanye nokubhekana kahle nemisebenzi yabo.

Asiqhubekele entweni yesibili. Ukuhlaziywa kwemicimbi evela kumadivayisi enethiwekhi kungaphinda kusetshenziselwe izinjongo zokuthola ukuhlasela, kodwa hhayi njengendlela eyinhloko, njengoba kuvumela ukutholwa kwesigaba esincane kuphela sokungena. Ngaphezu kwalokho, kungokwemvelo kokunye ukusebenza kabusha - ukuhlaselwa kufanele kuqala kwenzeke, khona-ke kufanele kuqoshwe idivayisi yenethiwekhi, okuzothi ngandlela thize kuzobonisa inkinga ngokuvikeleka kolwazi. Kunezindlela eziningi ezinjalo. Lokhu kungaba i-syslog, i-RMON noma i-SNMP. Izivumelwano ezimbili zokugcina zokuqapha inethiwekhi kumongo wokuphepha kolwazi zisetshenziswa kuphela uma sidinga ukuthola ukuhlaselwa kwe-DoS emishinini yenethiwekhi ngokwayo, njengoba usebenzisa i-RMON ne-SNMP kungenzeka, isibonelo, ukuqapha umthwalo endaweni emaphakathi yedivayisi. iprosesa noma izixhumanisi zayo. Lena enye "yeshibhile" (wonke umuntu une-syslog noma i-SNMP), kodwa futhi engasebenzi kakhulu kuzo zonke izindlela zokuqapha ukuphepha kolwazi lwengqalasizinda yangaphakathi - ukuhlaselwa okuningi kufihliwe kukho. Yiqiniso, akufanele zinganakwa, futhi ukuhlaziya okufanayo kwe-syslog kukusiza ukuthi ubone izinguquko ngesikhathi esifanele ekucushweni kwedivayisi ngokwayo, ukuyekethisa kwayo, kodwa akufanelekile kakhulu ukuthola ukuhlaselwa kuyo yonke inethiwekhi.

Inketho yesithathu ukuhlaziya ulwazi mayelana nethrafikhi edlula kudivayisi esekela enye yezinqubo ezimbalwa zokugeleza. Kulokhu, kungakhathaliseki ukuthi iyiphi iphrothokholi, ingqalasizinda yokuhlanganisa ihlanganisa izingxenye ezintathu:

• Isizukulwane noma ukuthekelisa kokugeleza. Le ndima ivame ukunikezwa i-router, i-switch noma enye idivayisi yenethiwekhi, okuthi, ngokudlula ithrafikhi yenethiwekhi ngokwayo, ikuvumela ukuthi ukhiphe amapharamitha abalulekile kuwo, abese edluliselwa kumojula yokuqoqa. Isibonelo, i-Cisco isekela iphrothokholi ye-Netflow hhayi kuphela kuma-routers nama-switch, okuhlanganisa angokoqobo kanye nezimboni, kodwa futhi nakuzilawuli ezingenazintambo, izinqamuleli zomlilo ngisho namaseva.
• Ukugeleza kweqoqo. Uma kucatshangelwa ukuthi inethiwekhi yesimanje ngokuvamile inezisetshenziswa zenethiwekhi ezingaphezu kweyodwa, kuphakama inkinga yokuqoqa nokuhlanganisa ukugeleza, okuxazululwa kusetshenziswa okuthiwa abaqoqi, abacubungula ukugeleza okutholiwe bese bekudlulisela ukuze kuhlaziywe.
• Ukuhlaziywa kokugeleza I-analyzer ithatha umsebenzi wobuhlakani oyinhloko futhi, isebenzisa ama-algorithms ahlukahlukene ekusakazeni, ifinyelela iziphetho ezithile. Isibonelo, njengengxenye yomsebenzi we-IT, umhlaziyi onjalo angakwazi ukubona izingqinamba zenethiwekhi noma ahlaziye iphrofayili yomthwalo wethrafikhi ukuze kuthuthukiswe inethiwekhi. Futhi ngokuphepha kolwazi, umhlaziyi onjalo angathola ukuvuza kwedatha, ukusabalala kwekhodi enonya noma ukuhlaselwa kwe-DoS.

Ungacabangi ukuthi lokhu kwakhiwa kwezigaba ezintathu kuyinkimbinkimbi kakhulu - zonke ezinye izinketho (ngaphandle, mhlawumbe, izinhlelo zokuqapha inethiwekhi ezisebenza ne-SNMP ne-RMON) nazo zisebenza ngokuvumelana nayo. Sine-generator yedatha yokuhlaziya, okungaba idivayisi yenethiwekhi noma inzwa ezimele yodwa. Sinesistimu yokuqoqa ama-alamu kanye nesistimu yokuphatha yayo yonke ingqalasizinda yokuqapha. Izingxenye ezimbili zokugcina zingahlanganiswa ngaphakathi kwendawo eyodwa, kodwa kumanethiwekhi amakhulu kakhulu noma ngaphansi ngokuvamile zisakazwa kuwo wonke amadivayisi okungenani amabili ukuze kuqinisekiswe ukuqina nokuthembeka.

Ngokungafani nokuhlaziywa kwephakethe, okusekelwe ekufundeni unhlokweni nedatha yomzimba yephakethe ngalinye namaseshini aqukethe, ukuhlaziya ukugeleza kuncike ekuqoqeni imethadatha mayelana nethrafikhi yenethiwekhi. Nini, kangakanani, kusuka kuphi futhi kuphi, kanjani ... lena imibuzo ephendulwa ukuhlaziywa kwe-telemetry yenethiwekhi kusetshenziswa ama-flow protocol ahlukahlukene. Ekuqaleni, zazisetshenziselwa ukuhlaziya izibalo nokuthola izinkinga ze-IT kunethiwekhi, kodwa-ke, njengoba kwakhiwa izindlela zokuhlaziya, kwaba nokwenzeka ukuzisebenzisa ku-telemetry efanayo ngezinjongo zokuphepha. Kubalulekile ukuqaphela futhi ukuthi ukuhlaziywa kokugeleza akuthathi indawo noma kuthathele indawo ukuthwebula kwephakethe. Ngayinye yalezi zindlela inendawo yayo yokufaka isicelo. Kodwa kumongo walesi sihloko, ukuhlaziya ukugeleza okufanele kakhulu ukuqapha ingqalasizinda yangaphakathi. Unamadivaysi enethiwekhi (noma ngabe asebenza nge-software-defined paradigm noma ngokwemithetho emile) ukuhlasela okungeke kweqe. Ingakwazi ukudlula inzwa ye-IDS yakudala, kodwa idivayisi yenethiwekhi esekela iphrothokholi yokugeleza ayikwazi. Lena inzuzo yale ndlela.

Ngakolunye uhlangothi, uma udinga ubufakazi bokugcinwa komthetho noma ithimba lakho labaphenyi ngezigameko, awukwazi ukwenza ngaphandle kokuthwebula iphakethe - i-telemetry yenethiwekhi ayiyona ikhophi yethrafikhi engasetshenziswa ukuqoqa ubufakazi; iyadingeka ukuze kutholwe ngokushesha futhi kwenziwe izinqumo emkhakheni wokuphepha kolwazi. Ngakolunye uhlangothi, usebenzisa ukuhlaziywa kwe-telemetry, ungakwazi "ukubhala" hhayi yonke ithrafikhi yenethiwekhi (uma kukhona, i-Cisco ibhekene nezikhungo zedatha :-), kodwa kuphela lokho okuhilelekile ekuhlaselweni. Amathuluzi okuhlaziya i-Telemetry mayelana nalokhu azohambisana kahle nezindlela zendabuko zokuthwebula amaphakethe, anikeze imiyalo yokuthwebula nokugcinwa okukhethiwe. Uma kungenjalo, kuzodingeka ube nengqalasizinda enkulu yokugcina izinto.

Ake sicabange ngenethiwekhi esebenza ngesivinini esingu-250 Mbit/sec. Uma ufuna ukugcina yonke le volumu, uzodinga u-31 MB wesitoreji ngomzuzwana owodwa wokudluliselwa kwethrafikhi, 1,8 GB umzuzu owodwa, 108 GB ihora elilodwa, kanye no-2,6 TB usuku olulodwa. Ukuze ugcine idatha yansuku zonke evela kunethiwekhi enomkhawulokudonsa ongu-10 Gbit/s, uzodinga u-108 TB wesitoreji. Kodwa ezinye izilawuli zidinga ukugcinwa kwedatha yezokuvikela iminyaka... Ukurekhoda okufunwayo, okuhlaziya ukugeleza okukusiza ukukusebenzisa, kusiza ukwehlisa lawa manani ngama-oda wobukhulu. Ngendlela, uma sikhuluma ngenani levolumu yedatha ye-telemetry yenethiwekhi erekhodiwe kanye nokuthunjwa kwedatha okuphelele, khona-ke cishe ku-1 kuya ku-500. Ngamanani afanayo anikezwe ngenhla, ukugcina okulotshiwe okugcwele kwayo yonke ithrafikhi yansuku zonke. kuzoba ngu-5 no-216 GB, ngokulandelana (ungayiqopha ngisho ku-flash drive evamile ).

Uma ngamathuluzi okuhlaziya idatha yenethiwekhi eluhlaza, indlela yokuyibamba icishe ifane kusuka kumthengisi kuya kumthengisi, khona-ke esimweni sokuhlaziywa kokugeleza isimo sihlukile. Kunezinketho ezimbalwa zamaphrothokholi agelezayo, umehluko odinga ukwazi ngawo kumongo wokuphepha. Okudume kakhulu yi-Netflow protocol eyakhiwe ngabakwaCisco. Kunezinhlobo ezimbalwa zale phrothokholi, ezihlukile ngamakhono azo kanye nenani lemininingwane yethrafikhi erekhodiwe. Inguqulo yamanje ingeyesishiyagalolunye (Netflow v9), ngesisekelo lapho izinga lemboni ye-Netflow v10, eyaziwa nangokuthi i-IPFIX, yathuthukiswa. Namuhla, abathengisi abaningi benethiwekhi basekela i-Netflow noma i-IPFIX kumishini yabo. Kodwa kunezinye izinketho ezihlukahlukene zamaphrothokholi okugeleza - sFlow, jFlow, cFlow, rFlow, NetStream, njll., okuyi-sFlow edume kakhulu kuzo. Yilolu hlobo oluvame ukusekelwa abakhiqizi basekhaya bemishini yenethiwekhi ngenxa yokusebenziseka kwayo kalula. Yimuphi umehluko obalulekile phakathi kwe-Netflow, esiphenduke indinganiso ye-de facto, ne-sFlow? Ngizogqamisa ezimbalwa ezibalulekile. Okokuqala, i-Netflow inezinkambu ezenzeka ngokwezifiso uma ziqhathaniswa nezinkambu ezingashintshi ku-sFlow. Futhi okwesibili, futhi lokhu kuyinto ebaluleke kakhulu kithi, i-sFlow iqoqa okuthiwa i-telemetry yesampula; ngokungafani naleyo engasampulanga ye-Netflow ne-IPFIX. Uyini umehluko phakathi kwabo?

Cabanga ukuthi unquma ukufunda incwadi "Isikhungo Sokusebenza Kwezokuphepha: Ukwakha, Ukusebenza, kanye Nokugcina I-SOC yakho” kozakwethu - uGary McIntyre, Joseph Munitz kanye noNadem Alfardan (ungadawuniloda ingxenye yencwadi kusixhumanisi). Unezinketho ezintathu zokufinyelela umgomo wakho - funda yonke incwadi, udwebe ngaphakathi kuyo, ume ekhasini le-10 noma lama-20, noma uzame ukuthola ukulandwa kabusha kwemiqondo eyinhloko kubhulogi noma isevisi efana ne-SmartReading. Ngakho-ke, i-telemetry engafakiwe isampula ifunda “ikhasi” ngalinye lethrafikhi yenethiwekhi, okungukuthi, ihlaziya imethadatha yephakethe ngalinye. I-telemetry eyisampula iwucwaningo olukhethiwe lwethrafikhi ngethemba lokuthi amasampuli akhethiwe azoqukatha okudingayo. Kuye ngesivinini sesiteshi, i-telemetry eyisampula izothunyelwa ukuze ihlaziywe njalo ngephakethe lama-64, lama-200, lama-500, ele-1000, ele-2000 noma ele-10000.

Kumongo wokuqapha ukuphepha kolwazi, lokhu kusho ukuthi i-telemetry eyisampula ifaneleka kahle ukuthola ukuhlaselwa kwe-DDoS, ukuskena, nokusabalalisa ikhodi enonya, kodwa ingase iphuthelwe ukuhlasela kwe-athomu noma kwamaphakethe amaningi okungafakiwe kusampula ethunyelwe ukuze ihlaziywe. I-telemetry engasetshenzisiwe ayinakho ukonakala okunjalo. Ngalokhu, ububanzi bokuhlaselwa okutholiwe bukhulu kakhulu. Nali uhlu olufushane lwemicimbi engatholwa kusetshenziswa amathuluzi okuhlaziya i-telemetry yenethiwekhi.

Vele, omunye umhlaziyi we-Netflow womthombo ovulekile ngeke akuvumele ukuthi wenze lokhu, ngoba umsebenzi wawo oyinhloko ukuqoqa i-telemetry nokwenza ukuhlaziya okuyisisekelo kuyo ngokubuka kwe-IT. Ukuze uhlonze izinsongo zokuphepha kolwazi ngokusekelwe ekugelezeni, kuyadingeka ukuhlomisa isihlaziyi ngezinjini ezihlukahlukene nama-algorithms, okuzohlonza izinkinga ze-cybersecurity ngokusekelwe kuzinkambu ze-Netflow ezijwayelekile noma zangokwezifiso, kunothisa idatha evamile ngedatha yangaphandle evela emithonjeni ehlukahlukene ye-Treat Intelligence, njll.

Ngakho-ke, uma unenketho, bese ukhetha i-Netflow noma i-IPFIX. Kodwa noma ngabe okokusebenza kwakho kusebenza kuphela nge-sFlow, njengabakhiqizi basekhaya, khona-ke ngisho nakulokhu ungazuza kukho esimweni sokuphepha.

Ehlobo lika-2019, ngahlaziya amakhono abakhiqizi bezingxenyekazi zekhompiyutha zenethiwekhi yaseRussia kanye nawo wonke, ngaphandle kwe-NSG, i-Polygon ne-Craftway, bamemezele ukusekelwa kwe-sFlow (okungenani i-Zelax, i-Natex, i-Eltex, i-QTech, i-Rusteleteh).

Umbuzo olandelayo ozobhekana nawo ngowokuthi uzokusebenzisa kuphi usekelo lokugeleza ngezinjongo zokuphepha? Eqinisweni, umbuzo awubuzwanga ngendlela efanele. Imishini yesimanje cishe ihlale isekela amaphrothokholi agelezayo. Ngakho-ke, ngingawuhlela kabusha umbuzo ngendlela ehlukile - ikuphi okusebenza kahle kakhulu ukuqoqa i-telemetry kusuka endaweni yokubuka yezokuphepha? Impendulo izoba sobala impela - ezingeni lokufinyelela, lapho uzobona khona i-100% yazo zonke izimoto, lapho uzoba nolwazi oluningiliziwe ngabasingathi (MAC, VLAN, ID interface), lapho ungakwazi ukuqapha ithrafikhi ye-P2P phakathi kwabasingathi, okuyinto kubalulekile ukuze kuthwetshulwe nokusatshalaliswa kwekhodi enonya. Ezingeni eliyisisekelo, ungase ungaboni okunye kwethrafikhi, kodwa ezingeni le-perimeter, uzobona ingxenye yesine yayo yonke ithrafikhi yakho yenethiwekhi. Kodwa uma ngesizathu esithile unamadivayisi angaphandle kunethiwekhi yakho avumela abahlaseli ukuthi "bangene futhi baphume" ngaphandle kokudlula umjikelezo, khona-ke ukuhlaziya i-telemetry kuyo ngeke kukunike lutho. Ngakho-ke, ukuze uthole ukufakwa okuphezulu, kunconywa ukunika amandla ukuqoqwa kwe-telemetry ezingeni lokufinyelela. Ngasikhathi sinye, kufanelekile ukuqaphela ukuthi noma sikhuluma nge-virtualization noma iziqukathi, ukwesekwa kokugeleza nakho kuvame ukutholakala ekushintsheni okubonakalayo kwesimanje, okukuvumela ukuthi ulawule ithrafikhi lapho futhi.

Kodwa njengoba ngiphakamise isihloko, ngidinga ukuphendula umbuzo: kuthiwani uma imishini, ngokomzimba noma ebonakalayo, ingasekeli izivumelwano zokugeleza? Noma ingabe ukufakwa kwayo kuvinjelwe (ngokwesibonelo, ezingxenyeni zezimboni ukuze kuqinisekiswe ukwethembeka)? Noma ingabe ukuyivula kuholela ekulayisheni okuphezulu kwe-CPU (lokhu kwenzeka kuhadiwe endala)? Ukuze kuxazululwe le nkinga, kunezinzwa ezikhethekile ezikhethekile (izinzwa zokugeleza), okuyizihlukanisi ezijwayelekile ezidlula ithrafikhi ngokwazo futhi zisakaze ngendlela yokugeleza kumojula yeqoqo. Yiqiniso, kulokhu sithola zonke izinkinga esikhulume ngazo ngenhla maqondana namathuluzi wokuthwebula iphakethe. Okusho ukuthi, udinga ukuqonda hhayi kuphela izinzuzo zobuchwepheshe bokuhlaziya ukugeleza, kodwa futhi nokulinganiselwa kwayo.

Elinye iphuzu elibalulekile ukulikhumbula lapho ukhuluma ngamathuluzi okuhlaziya ukugeleza. Uma maqondana nezindlela ezijwayelekile zokukhiqiza izehlakalo zokuphepha sisebenzisa imethrikhi ye-EPS (umcimbi ngomzuzwana), khona-ke le nkomba ayisebenzi ekuhlaziyweni kwe-telemetry; ithathelwa indawo yi-FPS (ukugeleza ngomzuzwana). Njengasendabeni ye-EPS, ayikwazi ukubalwa kusenesikhathi, kodwa ungakwazi ukulinganisa inani elilinganiselwe lezintambo ezikhiqizwa idivayisi ethile kuye ngomsebenzi wayo. Ungathola amathebula ku-inthanethi anamanani alinganiselwe ezinhlobo ezahlukene zemishini nezimo zebhizinisi, ezizokuvumela ukuthi ulinganisele ukuthi yimaphi amalayisense owadingayo kumathuluzi okuhlaziya nokuthi izoba yini izakhiwo zawo? Iqiniso liwukuthi inzwa ye-IDS inqunyelwe umkhawulokudonsa othize ongakwazi "ukudonsa", futhi umqoqi wokugeleza unemikhawulo yayo okufanele iqondwe. Ngakho-ke, kumanethiwekhi amakhulu, asabalaliswe ngokwendawo ngokuvamile kunabaqoqi abambalwa. Lapho ngichaza ukuthi inethiwekhi igadwa kanjani ngaphakathi Cisco, Sengivele nginikeze inombolo yabaqoqi bethu - kukhona abangu-21. Futhi lokhu kungenxa yenethiwekhi ehlakazekile kuwo wonke amazwekazi amahlanu kanye nenani lamadivayisi asebenzayo angaba yingxenye yesigidi).

Sisebenzisa isixazululo sethu njengohlelo lokuqapha lwe-Netflow Cisco Stealthwatch, egxile ngokukhethekile ekuxazululeni izinkinga zokuphepha. Inezinjini eziningi ezakhelwe ngaphakathi zokuthola umsebenzi ongaqondakali, osolisayo futhi onobungozi obucacile, okuvumela ukuthi uthole izinsongo eziningi ezahlukene - kusukela ekusetshenzisweni kwe-cryptomining kuya ekuputshuzweni kolwazi, kusukela ekusabalaleni kwekhodi enonya kuya ekukhwabaniseni. Njengabahlaziyi abaningi bokugeleza, i-Stealthwatch yakhiwe ngokohlelo olunamazinga amathathu (ijeneretha - umqoqi - umhlaziyi), kodwa yenezelwa ngezici ezimbalwa ezithakazelisayo ezibalulekile kumongo wento ecutshungulwayo. Okokuqala, ihlanganisa nezixazululo zokubamba iphakethe (njenge-Cisco Security Packet Analyzer), ekuvumela ukuthi urekhode izikhathi ezikhethiwe zenethiwekhi ukuze uthole uphenyo olujulile nokuhlaziywa kamuva. Okwesibili, ikakhulukazi ukuze sandise imisebenzi yokuphepha, senze iphrothokholi ekhethekile ye-nvzFlow, ekuvumela ukuthi "usakaze" umsebenzi wezinhlelo zokusebenza kuma-node wokugcina (amaseva, izindawo zokusebenza, njll.) ku-telemetry futhi uyidlulisele kumqoqi ukuze uhlaziye kabanzi. Uma enguqulweni yayo yoqobo i-Stealthwatch isebenza nanoma iyiphi iphrothokholi yokugeleza (sFlow, rFlow, Netflow, IPFIX, cFlow, jFlow, NetStream) ezingeni lenethiwekhi, bese usekelo lwe-nvzFlow luvumela ukuhlotshaniswa kwedatha nakuleveli yenodi, ngalokho. ukwandisa ukusebenza kahle kwalo lonke uhlelo nokubona ukuhlaselwa okuningi kunabahlaziyi bokugeleza kwenethiwekhi abajwayelekile.

Kuyacaca ukuthi uma ukhuluma ngezinhlelo zokuhlaziya i-Netflow ngokubuka kwezokuphepha, imakethe ayikhawulelwe kusixazululo esisodwa esivela kuCisco. Ungasebenzisa kokubili izixazululo zezentengiso nezamahhala noma ze-shareware. Kuyamangaza uma ngicaphuna izixazululo zabancintisana nabo njengezibonelo kubhulogi ye-Cisco, ngakho-ke ngizosho amagama ambalwa mayelana nendlela i-telemetry yenethiwekhi ingahlaziywa ngayo kusetshenziswa okubili okudumile, okufanayo ngamagama, kodwa namanje amathuluzi ahlukene - i-SiLK ne-ELK.

I-SiLK iyisethi yamathuluzi (Uhlelo Lolwazi Lwezinga Le-inthanethi) lokuhlaziywa kwethrafikhi, elathuthukiswa yi-American CERT/CC futhi elisekela, kumongo wesihloko sanamuhla, i-Netflow (yesi-5 neyesi-9, izinguqulo ezidume kakhulu), i-IPFIX. kanye ne-sFlow nokusebenzisa izinsiza ezihlukahlukene (i-rwfilter, i-rwcount, i-rwflowpack, njll.) ukwenza imisebenzi ehlukahlukene ku-telemetry yenethiwekhi ukuze kutholwe izimpawu zezenzo ezingagunyaziwe kuyo. Kodwa kunamaphuzu ambalwa abalulekile okufanele uwaqaphele. I-SiLK iyithuluzi lomugqa womyalo elenza ukuhlaziya okuku-inthanethi ngokufaka imiyalo efana nale (ukutholwa kwamaphakethe e-ICMP amakhulu kunamabhayithi angu-200):

rwfilter --flowtypes=all/all --proto=1 --bytes-per-packet=200- --pass=stdout | rwrwcut --fields=sIP,dIP,iType,iCode --num-recs=15

ayikhululekile kakhulu. Ungasebenzisa i-iSiLK GUI, kodwa ngeke yenze impilo yakho ibe lula kakhulu, ixazulule kuphela umsebenzi wokubona ngeso lengqondo futhi ingafaki umhlaziyi. Futhi leli iphuzu lesibili. Ngokungafani nezixazululo zezentengiselwano, esezivele zinesisekelo esiqinile sokuhlaziya, ama-algorithms okuthola i-anomaly, ukuhamba komsebenzi okuhambisanayo, njll., endabeni ye-SiLK kuzodingeka uzenzele konke lokhu, okuzodinga amakhono ahluke kancane kuwe kunokusebenzisa osekulungele kakade- ukusebenzisa amathuluzi. Lokhu akukuhle futhi akukubi - lesi isici cishe sanoma yiliphi ithuluzi lamahhala elithatha ukuthi uyazi ukuthi yini okufanele uyenze, futhi lizokusiza ngalokhu (amathuluzi okuthengisa awancikile kakhulu ekwazisweni kwabasebenzisi bawo, yize becabanga futhi. ukuthi abahlaziyi baqonde okungenani izisekelo zophenyo nokuqapha kwenethiwekhi). Kodwa ake sibuyele ku-SiLK. Umjikelezo womsebenzi womhlaziyi ubukeka kanjena:

• Ukwakha i-hypothesis. Kufanele siqonde ukuthi sizobe sifunani ngaphakathi kwe-telemetry yenethiwekhi, sazi izimfanelo eziyingqayizivele esizohlonza ngazo okudidayo okuthile noma izinsongo.
• Ukwakha imodeli. Ngemva kokwenza i-hypothesis, siyihlela sisebenzisa iPython efanayo, igobolondo noma amanye amathuluzi angafakiwe ku-SiLK.
• Ukuhlola. Manje sekufike ithuba lokuhlola ukulunga kwe-hypothesis yethu, eqinisekiswa noma ephikiswe kusetshenziswa izinsiza ze-SiLK eziqala ngokuthi 'rw', 'set', 'bag'.
• Ukuhlaziywa kwedatha yangempela. Ekusebenzeni kwezimboni, i-SiLK isisiza ukuthi sibone okuthile futhi umhlaziyi kufanele aphendule imibuzo ethi "Sikutholile ebesikulindele?", "Ingabe lokhu kuhambisana ne-hypothesis yethu?", "Indlela yokunciphisa inani lezinto ezingamanga?", "Kanjani? ukuthuthukisa izinga lokuqashelwa? » njalo njalo.
• Ukuthuthukiswa. Esigabeni sokugcina, sithuthukisa lokho okwenziwe ngaphambilini - sakha izifanekiso, sithuthukisa futhi senza kahle ikhodi, sihlanganise kabusha futhi sicacise i-hypothesis, njll.

Lo mjikelezo uzosebenza naku-Cisco Stealthwatch, owokugcina kuphela ozenza lezi zinyathelo ezinhlanu zibe phezulu, wehlise inani lamaphutha womhlaziyi futhi ukhulise ukusebenza kahle kokutholwa kwesigameko. Isibonelo, ku-SiLK ungakwazi ukucebisa izibalo zenethiwekhi ngedatha yangaphandle kuma-IP anonya usebenzisa imibhalo ebhalwe ngesandla, futhi ku-Cisco Stealthwatch kuwumsebenzi owakhelwe ngaphakathi obonisa ngokushesha i-alamu uma ithrafikhi yenethiwekhi iqukethe ukuxhumana namakheli e-IP asuka ohlwini lwabavinjelwe.

Uma uya phezulu kuphiramidi “ekhokhelwayo” yesofthiwe yokuhlaziya ukugeleza, khona-ke ngemva kwe-SiLK yamahhala kuyoba khona i-ELK ye-shareware, ehlanganisa izingxenye ezintathu ezibalulekile - i-Elasticsearch (i-indexing, searching and data analysis), i-Logstash (ukufakwa kwedatha/okuphumayo ) kanye ne-Kibana (ukubona). Ngokungafani ne-SiLK, lapho kufanele ubhale khona yonke into ngokwakho, i-ELK isivele inemitapo yolwazi/amamojula amaningi enziwe ngomumo (amanye akhokhiwe, amanye awakho) enza ngokuzenzakalelayo ukuhlaziywa kwe-telemetry yenethiwekhi. Isibonelo, isihlungi se-GeoIP ku-Logstash sikuvumela ukuthi uhlobanise amakheli e-IP agadiwe nendawo akuyo (I-Stealthwatch inalesi sici esakhelwe ngaphakathi).

I-ELK futhi inomphakathi omkhulu oqedela izingxenye ezingekho zalesi sixazululo sokuqapha. Isibonelo, ukusebenza ne-Netflow, IPFIX kanye ne-sFlow ungasebenzisa imojula i-elastiflow, uma unganelisekile nge-Logstash Netflow Module, esekela i-Netflow kuphela.

Nakuba inikeza ukusebenza kahle okwengeziwe ekuqoqeni ukugeleza nokucinga kukho, i-ELK okwamanje ayinakho ukuhlaziya okwakhelwe ngaphakathi okucebile ukuthola okudidayo nezinsongo ku-telemetry yenethiwekhi. Okusho ukuthi, ngokulandela umjikelezo wokuphila ochazwe ngenhla, kuzodingeka uchaze ngokuzimele amamodeli wokwephula bese uwasebenzisa ohlelweni lokulwa (awekho amamodeli akhelwe ngaphakathi lapho).

Kukhona, yiqiniso, izandiso eziyinkimbinkimbi ye-ELK, esevele iqukethe amamodeli athile okuthola i-anomalies ku-telemetry yenethiwekhi, kodwa izandiso ezinjalo zibiza imali futhi lapha umbuzo uwukuthi umdlalo ufanelekile ikhandlela - bhala imodeli efanayo ngokwakho, uthenge ukuqaliswa kwethuluzi lakho lokuqapha, noma uthenge isixazululo esenziwe ngomumo sekilasi le-Network Traffic Analysis.

Ngokuvamile, angifuni ukungena engxoxweni yokuthi kungcono ukusebenzisa imali futhi uthenge isixazululo esenziwe ngomumo sokuqapha okudidayo nezinsongo ku-telemetry yenethiwekhi (isibonelo, i-Cisco Stealthwatch) noma uzitholele ngokwakho futhi wenze ngokwezifiso okufanayo. I-SiLK, ELK noma i-nfdump noma i-OSU Flow Tools ngosongo ngalunye olusha ( ngikhuluma ngezibili zokugcina zazo utshele isikhathi sokugcina)? Wonke umuntu uyazikhethela futhi wonke umuntu unezisusa zakhe zokukhetha noma yiziphi izinketho ezimbili. Bengifuna nje ukukhombisa ukuthi i-telemetry yenethiwekhi iyithuluzi elibaluleke kakhulu ekuqinisekiseni ukuphepha kwenethiwekhi yengqalasizinda yakho yangaphakathi futhi akufanele ungayinaki, ukuze ungangeni ohlwini lwezinkampani ezigama lazo elishiwo kwabezindaba kanye nama-epithets " kugqekeziwe”, “okungathobeli izidingo zokuphepha kolwazi” ", "bangacabangi ngokuvikeleka kwedatha yabo nedatha yekhasimende."

Ukufingqa, ngingathanda ukufaka kuhlu amathiphu abalulekile okufanele uwalandele lapho wakha ukuqapha kokuphepha kolwazi lwengqalasizinda yakho yangaphakathi:

1. Ungamane ukhawule ku-perimeter! Sebenzisa (futhi ukhethe) ingqalasizinda yenethiwekhi hhayi nje ukususa ithrafikhi ukusuka endaweni A ukuya endaweni engu-B, kodwa futhi nokubhekana nezindaba zokuphepha ku-inthanethi.
2. Funda izindlela ezikhona zokuqapha ukuphepha kolwazi kumpahla yenethiwekhi yakho bese uzisebenzisa.
3. Ukuze uthole ukuqapha kwangaphakathi, khetha ukuhlaziya kwe-telemetry - kukuvumela ukuthi uthole kuze kufike ku-80-90% wazo zonke izigameko zokuphepha kolwazi lwenethiwekhi, kuyilapho wenza okungenakwenzeka lapho uthwebula amaphakethe enethiwekhi futhi ulondoloza isikhala sokugcina yonke imicimbi yokuphepha kolwazi.
4. Ukuze ugade ukugeleza, sebenzisa i-Netflow v9 noma i-IPFIX - zinikeza ulwazi olwengeziwe kumongo wokuphepha futhi zikuvumela ukuthi ungaqapheli i-IPv4 kuphela, kodwa ne-IPv6, MPLS, njll.
5. Sebenzisa iphrothokholi yokugeleza engasampuliwe - inikeza ulwazi olwengeziwe lokuthola izinsongo. Isibonelo, i-Netflow noma i-IPFIX.
6. Hlola umthwalo kumpahla yenethiwekhi yakho - ingase ingakwazi ukuphatha nephrothokholi yokuhamba. Bese ucabangela ukusebenzisa izinzwa ezibonakalayo noma i-Netflow Generation Appliance.
7. Sebenzisa ukulawula kuqala ezingeni lokufinyelela - lokhu kuzokunika ithuba lokubona u-100% wayo yonke ithrafikhi.
8. Uma ungenakho ukukhetha futhi usebenzisa okokusebenza kwenethiwekhi yesi-Russian, bese ukhetha eyodwa esekela amaphrothokholi agelezayo noma enezimbobo ze-SPAN/RSPAN.
9. Hlanganisa amasistimu okuthola ukungena/ukuhlasela/okuvimbela emaphethelweni namasistimu okuhlaziya ukugeleza kunethiwekhi yangaphakathi (okuhlanganisa namafu).

Mayelana nethiphu yokugcina, ngithanda ukunikeza umfanekiso esengiwunikezile ngaphambili. Uyabona ukuthi uma ngaphambilini isevisi yezokuphepha yolwazi lwe-Cisco cishe yakha uhlelo lwayo lokuqapha ukuphepha kolwazi ngesisekelo sezinhlelo zokutholwa kokungena kanye nezindlela zokusayina, manje zibalwa kuphela i-20% yezigameko. Enye i-20% iwela ezinhlelweni zokuhlaziya ukugeleza, okuphakamisa ukuthi lezi zixazululo azizona izifiso, kodwa ithuluzi langempela emisebenzini yezinsizakalo zokuphepha zolwazi zebhizinisi lesimanje. Ngaphezu kwalokho, unento ebaluleke kakhulu ekusetshenzisweni kwabo - ingqalasizinda yenethiwekhi, ukutshalwa kwezimali okungase kuvikelwe ngokuqhubekayo ngokunikeza imisebenzi yokuqapha ukuphepha kolwazi kunethiwekhi.

Angizange ngithinte esihlokweni sokuphendula okudidayo noma izinsongo ezikhonjwe ekuhambeni kwenethiwekhi, kodwa ngicabanga ukuthi sekuvele kusobala ukuthi ukuqapha akufanele kuphele kuphela ngokutholwa kosongo. Kufanele ilandelwe impendulo futhi okungcono ibe kwimodi ezenzakalelayo noma ezenzakalelayo. Kodwa lesi yisihloko sendatshana ehlukile.

Ulwazi olungeziwe:

• Incazelo ye-Cisco IOS Netflow
• I-matrix yokusekela i-Netflow kuzixazululo ezihlukahlukene ze-Cisco
• Umhlahlandlela Wokumisa I-Netflow kuma-Cisco Platforms Ahlukahlukene
• Umphakathi we-sFlow
• Ilebhu esebenzisa i-Stealtjwatch, i-SiLK ne-ELK ukuze ihlaziye i-Netflow ngokombono wezokuphepha
• Iwebhusayithi yeSiLK
• Umhlahlandlela wamakhasi angamakhulu amathathu wokusebenzisa i-SiLK enamathani ezibonelo
• I-Logstash Netflow Module
• I-Cisco Isinyathelo Ngesinyathelo Umhlahlandlela Wokuhlaziya I-Netflow ku-ELK
• Ukuhlaziywa kwe-NetFlow v.9 Cisco ASA kusetshenziswa i-Logstash (ELK)
• Isixazululo se-Cisco Stealthwatch

PS. Uma kulula kuwe ukuzwa konke okubhalwe ngenhla, ungabuka isethulo sehora lonke esakha isisekelo saleli nothi.

Source: www.habr.com