Kudala, izinhlelo ezijwayelekile zokuvikela amagciwane kanye nezinhlelo zokulwa namagciwane zazanele ukuvikela inethiwekhi yendawo, kodwa isethi enjalo ayisasebenzi ngokwanele ekuhlaselweni ngabaduni besimanje kanye nohlelo olungayilungele ikhompuyutha olusanda ukwanda. I-firewall endala enhle ihlaziya kuphela izihloko zephakethe, ivumela noma ivimbe ngokuya ngesethi yemithetho esemthethweni. Ayazi lutho mayelana nokuqukethwe kwamaphakethe, ngakho-ke ayikwazi ukubona izenzo ezibonakala zisemthethweni zabahlaseli. Izinhlelo zokulwa namagciwane azibambi njalo uhlelo olungayilungele ikhompuyutha, ngakho umlawuli ubhekene nomsebenzi wokuqapha umsebenzi ongajwayelekile nokuhlukanisa ababungazi abathelelekile ngesikhathi.
Kunamathuluzi amaningi athuthukile atholakalayo okuvikela ingqalasizinda ye-IT yenkampani. Namuhla sizokhuluma ngezinhlelo zokutholwa kokungena kwemithombo evulekile kanye nokuvimbela, ezingasetshenziswa ngaphandle kokuthenga amathuluzi abizayo namalayisensi esoftware.
Ukuhlukaniswa kwe-IDS/IPS
I-IDS (Intrusion Detection System) iwuhlelo olwakhelwe ukubhalisa imisebenzi esolisayo kunethiwekhi noma kukhompuyutha ngayinye. Igcina amalogi omcimbi futhi yazisa isisebenzi esibhekele ukuphepha kolwazi mayelana nawo. Izinto ezilandelayo zingahlukaniswa njengengxenye ye-IDS:
- izinzwa zokubuka ithrafikhi yenethiwekhi, izingodo ezihlukahlukene, njll.
- isistimu engaphansi yokuhlaziya ekhomba izimpawu zethonya elibi kudatha etholiwe;
- isitoreji sokuqongelela imicimbi eyinhloko nemiphumela yokuhlaziya;
- ikhonsoli yokuphatha.
Ekuqaleni, ama-IDS ahlukaniswa ngendawo: ayengagxila ekuvikeleni ama-node angawodwana (i-Host-based or Host Intrusion Detection System - HIDS) noma ukuvikela yonke inethiwekhi yebhizinisi (okusekelwe kunethiwekhi noma Uhlelo Lokuthola I-Network Intrusion Detection - NIDS). Kuyafaneleka ukubalula okuthiwa I-APIDS (I-IDS esekwe kuphrothokholi yohlelo lokusebenza): Iqapha isethi elinganiselwe yemithethonqubo yezinga lohlelo lokusebenza ukuhlonza ukuhlasela okuthile futhi awenzi ukuhlaziya okujulile kwamaphakethe enethiwekhi. Imikhiqizo enjalo ivamise ukufana nabameleli futhi isetshenziselwa ukuvikela izinsiza ezithile: iseva yewebhu nezinhlelo zokusebenza zewebhu (isibonelo, ezibhalwe nge-PHP), iseva yedathabhesi, njll. Isibonelo esijwayelekile saleli klasi i-mod_security yeseva yewebhu ye-Apache.
Sithanda kakhulu i-NIDS yendawo yonke esekela izivumelwano zokuxhumana eziningi kanye nobuchwepheshe be-DPI (Deep Packet Inspection). Baqapha yonke ithrafikhi edlulayo, kusukela kusendlalelo sesixhumanisi sedatha, futhi bathola inqwaba yokuhlaselwa kwenethiwekhi, kanye nemizamo yokufinyelela okungagunyaziwe olwazini. Ngokuvamile amasistimu anjalo anezakhiwo ezisabalalisiwe futhi angasebenzisana nemishini ehlukahlukene yenethiwekhi esebenzayo. Qaphela ukuthi i-NIDS eminingi yesimanje iyingxube futhi ihlanganisa izindlela ezimbalwa. Kuye ngokucushwa nezilungiselelo, zingaxazulula izinkinga ezihlukahlukene - isibonelo, ukuvikela i-node eyodwa noma yonke inethiwekhi. Ngaphezu kwalokho, imisebenzi ye-IDS yezindawo zokusebenzela yathathwa ngamaphakeji e-anti-virus, okuthi, ngenxa yokusabalala kwamaTrojani okuhloswe ngawo ukweba ulwazi, aphenduke ama-firewall emisebenzi eminingi aphinde axazulule izinkinga zokuqaphela nokuvimbela ithrafikhi esolisayo.
Ekuqaleni, i-IDS yayingathola kuphela umsebenzi wohlelo olungayilungele ikhompuyutha, izikena zembobo, noma, sithi, ukwephulwa kwabasebenzisi kwezinqubomgomo zokuphepha zebhizinisi. Lapho kwenzeka isenzakalo esithile, bazisa umlawuli, kodwa kwasheshe kwacaca ukuthi ukuqaphela ukuhlasela akwanele - kwakudingeka kuvinjwe. Ngakho-ke i-IDS yaguqulwa yaba yi-IPS (I-Intrusion Prevention Systems) - amasistimu okuvimbela ukungena okukwazi ukuxhumana nezindonga zomlilo.
Izindlela zokutholwa
Izixazululo zesimanje zokutholwa kokungenela kanye nokuvimbela zisebenzisa izindlela ezahlukahlukene ukuhlonza umsebenzi onobungozi, ongahlukaniswa izigaba ezintathu. Lokhu kusinikeza enye inketho yokuhlukanisa amasistimu:
- I-IDS/IPS esekelwe kusiginesha ithola amaphethini kuthrafikhi noma iqaphe izinguquko kusimo samasistimu ukuze inqume ukuhlasela kwenethiwekhi noma umzamo wokutheleleka. Ababeki imililo engalungile kanye nemibono engamanga, kodwa abakwazi ukuhlonza izinsongo ezingaziwa;
- Ama-IDS athola ngokungaqondakali awasebenzisi amasiginesha okuhlasela. Babona ukuziphatha okungavamile kwezinhlelo zolwazi (okuhlanganisa okudidayo kuthrafikhi yenethiwekhi) futhi bangathola nokuhlasela okungaziwa. Amasistimu anjalo anikeza amaphuzu amaningi angamanga futhi, uma esetshenziswe ngokungalungile, akhubaze ukusebenza kwenethiwekhi yendawo;
- I-ID esekelwe emthethweni isebenza kumgomo othi: uma IQINISO bese kuba yi-ACTION. Empeleni, lezi izinhlelo zochwepheshe ezinezisekelo zolwazi - iqoqo lamaqiniso nemithetho yokusho okunengqondo. Izixazululo ezinjalo zidinga umsebenzi omkhulu ukuze zisethwe futhi zidinga ukuthi umlawuli abe nokuqonda okuningiliziwe kwenethiwekhi.
Umlando wokuthuthukiswa kwe-IDS
Inkathi yokuthuthukiswa okusheshayo kwe-intanethi kanye namanethiwekhi ezinkampani yaqala eminyakeni engu-90 yekhulu leminyaka elidlule, kodwa ochwepheshe bamangazwa ngobuchwepheshe bezokuphepha benethiwekhi obuthuthukisiwe ngaphambili kancane. Ngo-1986, u-Dorothy Denning kanye no-Peter Neumann bashicilela imodeli ye-IDES (Intrusiondetect expert system), eyaba yisisekelo sezinhlelo eziningi zesimanje zokuhlonza ukungena. Isebenzise isistimu yochwepheshe ukukhomba izinhlobo zokuhlasela ezaziwayo, kanye nezindlela zezibalo kanye namaphrofayili womsebenzisi/wesistimu. I-IDES isebenze ezindaweni zokusebenza ze-Sun, ihlola ithrafikhi yenethiwekhi nedatha yohlelo lokusebenza. Ngo-1993, kwakhululwa i-NIDES (Isizukulwane Esilandelayo Sohlelo Lokuthola Ukungena Kwezizukulwane) - uhlelo olusha lochwepheshe besizukulwane sokuthola intrusion.
Ngokusekelwe emsebenzini kaDenning noNeumann, uhlelo lochwepheshe lwe-MIDAS (Multics intrusion discover and alerting system) esebenzisa i-P-BEST kanye ne-LISP yavela ngo-1988. Ngesikhathi esifanayo, uhlelo lwe-Haystack olusekelwe ezindleleni zezibalo lwenziwa. Omunye umtshina wezibalo we-anomaly, i-W&S (Wisdom & Sense), wasungulwa ngonyaka olandelayo e-Los Alamos National Laboratory. Imboni yayithuthuka ngesivinini esikhulu. Isibonelo, ngo-1990, isistimu ye-TIM (Umshini wokungenisa inductive osuselwa kusikhathi) isivele isebenzise ukutholwa okudidayo kusetshenziswa ukufunda okungenasici kumaphethini omsebenzisi alandelanayo (Ulimi olujwayelekile lwe-LISP). I-NSM (Network Security Monitor) iqhathanise u-matrics wokufinyelela ukuze kutholwe okungaqondakali, futhi i-ISOA (Umsizi Wesikhulu Sokuphepha Kolwazi) isekele amasu okutholwa ahlukahlukene: izindlela zezibalo, ukuhlola iphrofayela kanye nohlelo lochwepheshe. Isistimu ye-ComputerWatch edalwe ku-AT&T Bell Labs yasebenzisa izindlela zezibalo nemithetho ukuze kuqinisekiswe, futhi onjiniyela baseNyuvesi yaseCalifornia bathole i-prototype yokuqala ye-IDS esabalalisiwe emuva ngo-1991 - i-DIDS (Distributed Intrusion Detection System) nayo yayiwuhlelo lochwepheshe.
Ekuqaleni, i-IDS yayingabanikazi, kodwa kakade ngo-1998, i-National Laboratory. U-Lawrence Berkeley ukhiphe u-Bro (oqanjwe kabusha ngo-Zeek ngo-2018), isistimu yomthombo ovulekile esebenzisa ulimi lwemithetho yobunikazi ukuze kuhlaziywe idatha ye-libpcap. NgoNovemba wonyaka ofanayo, kwavela i-APE packet sniffer esebenzisa i-libpcap, okwathi ngemva kwenyanga yaqanjwa kabusha ngokuthi i-Snort, futhi kamuva yaba i-IDS/IPS egcwele ngokugcwele. Ngesikhathi esifanayo, izixazululo eziningi zokuphathelene zaqala ukuvela.
Ukuhogela kanye noSuricata
Izinkampani eziningi zithanda i-IDS/IPS yomthombo wamahhala novulekile. Isikhathi eside, i-Snort eshiwo kakade yayibhekwa njengesixazululo esijwayelekile, kodwa manje isithathelwe indawo uhlelo lweSuricata. Ake sibheke izinzuzo zabo kanye nebubi ngokuningiliziwe okwengeziwe. I-Snort ihlanganisa izinzuzo zendlela esuselwe kusiginesha nekhono lokubona okudidayo ngesikhathi sangempela. I-Suricata futhi ikuvumela ukuthi usebenzise ezinye izindlela ngaphandle kokubona ukuhlaselwa ngamasignesha. Isistimu idalwe iqembu lonjiniyela abahlukaniswe kuphrojekthi ye-Snort futhi isekela imisebenzi ye-IPS kusukela kunguqulo 1.4, futhi i-Snort yethula ikhono lokuvimbela ukugxambukela kamuva.
Umehluko omkhulu phakathi kwemikhiqizo emibili edumile ikhono likaSuricata lokusebenzisa ikhompuyutha ye-GPU kumodi ye-IDS, kanye ne-IPS ethuthuke kakhulu. Isistimu ekuqaleni yakhelwe ukuthreading okuningi, kuyilapho i-Snort ingumkhiqizo onochungechunge olulodwa. Ngenxa yomlando wayo omude nekhodi yefa, ayizisebenzisi ngokufanelekile izinkundla zehadiwe ye-multiprocessor/multicore, kuyilapho i-Suricata ikwazi ukuphatha ithrafikhi efika ku-10 Gbps kumakhompuyutha enjongo evamile. Singakwazi ukukhuluma isikhathi eside mayelana nokufana nokungafani phakathi kwalezi zinhlelo ezimbili, kodwa nakuba injini ye-Suricata isebenza ngokushesha, ngoba iziteshi azibanzi kakhulu, lokhu akubalulekile kakhulu.
Izinketho Zokuthunyelwa
I-IPS kufanele ibekwe ngendlela yokuthi isistimu ikwazi ukuqapha izingxenye zenethiwekhi ezingaphansi kolawulo lwayo. Imvamisa, lena ikhompyutha ezinikezele, isikhombimsebenzisi esisodwa esixhunywe ngemuva kwamadivaysi asonqenqemeni futhi "ibheka" kuwo kumanethiwekhi omphakathi angavikelekile (i-inthanethi). Esinye isixhumi esibonakalayo se-IPS sixhunywe kokokufaka kwengxenye evikelwe ukuze yonke ithrafikhi idlule ohlelweni futhi ihlaziywe. Ezimweni eziyinkimbinkimbi kakhulu, kungase kube namasegimenti amaningana avikelwe: isibonelo, kumanethiwekhi ezinkampani indawo engenamasosha (DMZ) ivamise ukunikezwa nezinsizakalo ezitholakala ku-inthanethi.
I-IPS enjalo ingavimbela ukuskena kwembobo noma ukuhlaselwa kwe-password brute force, ukuxhashazwa kobungozi kuseva yemeyili, iseva yewebhu noma imibhalo, kanye nezinye izinhlobo zokuhlasela kwangaphandle. Uma amakhompyutha akunethiwekhi yendawo angenwe i-malware, i-IDS ngeke iwavumele ukuthi axhumane namaseva e-botnet atholakala ngaphandle. Ukuze uthole ukuvikelwa okubucayi okwengeziwe kwenethiwekhi yangaphakathi, ukucushwa okuyinkimbinkimbi okunesistimu esabalalisiwe kanye namaswishi aphethwe abizayo akwazi ukwenza isibuko ithrafikhi yesixhumi esibonakalayo se-IDS esixhunywe kwesinye sezimbobo cishe kuzodingeka.
Amanethiwekhi ezinkampani ngokuvamile angaphansi kokuhlaselwa kwe-distributed denial of service (DDoS). Nakuba i-IDS yesimanje ingabhekana nazo, inketho yokusebenzisa engenhla cishe ayinakusiza lapha. Uhlelo luzobona umsebenzi onobungozi futhi luvimbe ithrafikhi engamanga, kodwa ukwenza lokhu, amaphakethe kufanele adlule kuxhumano lwe-inthanethi lwangaphandle futhi afinyelele isixhumi esibonakalayo senethiwekhi. Ngokuya ngokuqina kokuhlasela, isiteshi sokudlulisa idatha singase singakwazi ukubhekana nomthwalo futhi umgomo wabahlaseli uzofezwa. Ezimweni ezinjalo, sincoma ukuthi kusetshenziswe i-IDS kuseva ebonakalayo enoxhumano lwe-inthanethi olunamandla ngokusobala. Ungakwazi ukuxhuma i-VPS kunethiwekhi yendawo nge-VPN, bese uzodinga ukulungisa umzila wayo yonke ithrafikhi yangaphandle ngayo. Khona-ke, uma kwenzeka ukuhlaselwa kwe-DDoS, ngeke kudingeke ukuthi uthumele amaphakethe ngoxhumano kumhlinzeki; azovinjelwa ku-node yangaphandle.
Inkinga yokukhetha
Kunzima kakhulu ukukhomba umholi phakathi kwezinhlelo zamahhala. Ukukhethwa kwe-IDS/IPS kunqunywa i-topology yenethiwekhi, imisebenzi yokuphepha edingekayo, kanye nezintandokazi zomuntu siqu zomlawuli kanye nesifiso sakhe sokulungisa izilungiselelo. I-Snort inomlando omude futhi ibhalwe kangcono, nakuba ulwazi lwe-Suricata nalo lutholakala kalula ku-inthanethi. Kunoma ikuphi, ukuze ukwazi kahle uhlelo kuzodingeka wenze imizamo ethile, ezogcina ikhokhe - i-hardware yezohwebo kanye ne-hardware-software IDS/IPS zibiza kakhulu futhi azihlali zingena kusabelomali. Asikho isidingo sokuzisola ngesikhathi esichithiwe, ngoba umlawuli omuhle uhlale ethuthukisa amakhono akhe ngezindleko zomqashi. Kulesi simo, wonke umuntu uyawina. Esihlokweni esilandelayo sizobheka ezinye izinketho zokusebenzisa i-Suricata futhi siqhathanise isistimu yesimanjemanje ne-IDS/IPS Snort yakudala ekusebenzeni.
Source: www.habr.com