StealthWatch: incident analysis and investigation. Part 3

Cisco StealthWatch is an analytics solution in the information security field that provides comprehensive threat monitoring across a distributed network. StealthWatch is based on collecting NetFlow and IPFIX from routers, switches and other network devices. As a result, the network itself becomes a sensitive sensor and lets the administrator look into places that conventional network security tools, such as a Next Generation Firewall, cannot reach.

In previous articles I have already written about StealthWatch: a first introduction and its capabilities, and deployment and configuration. Now I propose to move on and discuss how to work with alarms and investigate the security incidents that the solution generates. There will be 6 examples, which I hope will give a good idea of how useful the product is.

First, it should be said that StealthWatch divides its alarms into algorithms and feeds. The first are the various kinds of alarms (notifications) which, once configured, let you find suspicious things in the network. The second are security incidents. This article will look at 4 examples of configured algorithms and 2 examples of feeds.

1. Analysis of the largest interactions within the network

The first step in setting up StealthWatch is to define hosts and networks in groups. In the web interface tab Configure > Host Group Management, networks, hosts and servers should be divided into appropriate groups. You can also create your own groups. By the way, analysing interactions between hosts in Cisco StealthWatch is very convenient, because you can save not only the flow search filters but also the results themselves.

To begin, in the web interface go to the tab Analyze > Flow Search. Then set the following parameters:

  • Search Type - Top Conversations (the most popular interactions)
  • Time Range - 24 hours (the period; you can use another one)
  • Search Name - Top Conversations Inside-Inside (any friendly name)
  • Subject - Host Groups → Inside Hosts (source: the Inside Hosts group)
  • Connection (here you can specify ports and applications)
  • Peer - Host Groups → Inside Hosts (destination: the group of internal nodes)
  • In Advanced Options you can additionally specify the collector whose data is viewed and filter the output (by bytes, flows, etc.). I will leave these at the defaults.

After pressing the Search button, a list of interactions is displayed, already sorted by the amount of data transferred.

In my example, host 10.150.1.201 (the server) transferred 1.5 GB of traffic within a single flow to host 10.150.1.200 (the client) over the mysql protocol. The Manage Columns button lets you add more columns to the output.

Next, at the administrator's discretion, you can create a custom rule that will always trigger on this kind of interaction and notify via SNMP, email or Syslog.

2. Analysis of the slowest client-server interactions within the network for delays

The SRT (Server Response Time) and RTT (Round Trip Time) tags let you find out server delays and general network delays. This tool is especially useful when you need to quickly find the cause of user complaints about a slow application.

Note: almost no Netflow exporters know how to send the SRT and RTT tags, so to see such data on the FlowSensor you often need to configure sending a copy of the traffic from the network devices. The FlowSensor in turn sends the extended IPFIX to the FlowCollector.

It is much more convenient to do this analysis in the StealthWatch java application, which is installed on the administrator's computer.

Right-click on Inside Hosts and go to the Flow Table tab.

Click on Filter and set the required parameters. As an example:

  • Date/Time - Last 3 days
  • Performance - Average Round Trip Time >= 50 ms

After the data is displayed, we should add the RTT and SRT fields we are interested in. To do this, click on a column in the screenshot and choose Manage Columns with the right mouse button. Next, tick the RTT and SRT parameters.

After the request was processed, I sorted by average RTT and saw the slowest interactions.

To get to the detailed information, right-click on the flow and select Quick View for Flow.

This information shows that host 10.201.3.59 from the Sales and Marketing group has been talking to the DNS server over the NFS protocol for one minute and 23 seconds and has simply terrible latency. In the Interfaces tab you can find out which Netflow exporter the information was obtained from. The Table tab shows more detailed information about the interaction.

Next, you should find out which devices send traffic to the FlowSensor; the problem most likely lies there.

Moreover, StealthWatch is distinctive in that it deduplicates data (merges identical flows). So you can collect from almost all Netflow devices without fear of ending up with a lot of duplicate data. On the contrary, in this scheme it helps to understand which hop has the greatest delay.

3. Audit of the HTTPS cryptographic protocols

ETA (Encrypted Traffic Analytics) is a technology developed by Cisco that lets you detect malicious connections in encrypted traffic without decrypting it. In addition, this technology lets you "parse" HTTPS into the TLS versions and cryptographic suites used during the connections. This functionality is especially useful when you need to find network nodes that use weak crypto standards.

Note: you must first install the network app in StealthWatch - ETA Cryptographic Audit.

Go to the Dashboards → ETA Cryptographic Audit tab and select the host group we plan to analyse. For the complete picture, let's choose Inside Hosts.

You can see that the TLS version and the corresponding crypto standard are shown. Following the usual scheme, in the Actions column go to View Flows, and the search starts in a new tab.

From the output it can be seen that host 198.19.20.136 used HTTPS with TLS 1.2 for 12 hours, where the encryption algorithm was AES-256 and the hash function SHA-384. Thus, ETA lets you find weak algorithms in the network.

4. Network anomaly analysis

Cisco StealthWatch can detect traffic anomalies in the network using three tools: Core Events (security events), Relationship Events (events of interaction between segments and network nodes) and behavioural analysis.

Behavioural analysis, in turn, lets you build up a behaviour model of a particular host or group of hosts over time. The more traffic passes through StealthWatch, the more accurate the alerts become thanks to this analysis. Initially the system fires a lot of false positives, so the rules have to be "tuned" by hand. I recommend not paying attention to such events during the first few weeks, since the system will adjust itself, or else adding them to the exceptions.

Below is an example of the predefined rule Anomaly, which says that an event will fire without an alarm if a host in the Inside Hosts group interacts with the Inside Hosts group and the traffic exceeds 10 megabytes within 24 hours.
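
Both the Top Conversations search in section 1 and this section's Inside Hosts to Inside Hosts rule reduce to the same aggregation, shown here as an added example in Python (not StealthWatch code or the author's): it sums stitched flow records per client, server and service, ranks them by volume, and flags the conversations over the threshold. The INSIDE_HOSTS ranges, the record layout and the sample volumes are assumptions; StealthWatch's own export format differs.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed membership of the "Inside Hosts" group; in StealthWatch it is maintained
# under Configure > Host Group Management, here it is just the RFC1918 ranges.
INSIDE_HOSTS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]
MB = 1_000_000

def is_inside(ip):
    return any(ip_address(ip) in net for net in INSIDE_HOSTS)

# A stitched (deduplicated) flow record: (client, server, proto, server_port,
# client_bytes, server_bytes). Both directions are carried in one record.
def top_conversations(flows, subject=is_inside, peer=is_inside, limit=10):
    """Sum bytes in both directions per (client, server, proto, port) for flows whose
    subject and peer satisfy the host-group predicates; highest volume first."""
    totals = defaultdict(int)
    for client, server, proto, port, client_bytes, server_bytes in flows:
        if subject(client) and peer(server):
            totals[(client, server, proto, port)] += client_bytes + server_bytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]

def custom_rule_hits(flows, threshold_bytes=10 * MB):
    """Mirror of the page's Inside Hosts -> Inside Hosts rule: every conversation whose
    total over the analysed window (assumed to be 24 h of flows) exceeds the threshold."""
    return [(key, total) for key, total in top_conversations(flows, limit=None)
            if total > threshold_bytes]

# Constructed sample, echoing the volumes quoted on the page (not real export data)
SAMPLE = [
    ("10.150.1.200", "10.150.1.201", "tcp", 3306, 50 * MB, 1450 * MB),  # mysql, 1.5 GB
    ("10.201.3.59", "10.201.0.10", "tcp", 2049, 3 * MB, 4 * MB),        # nfs, 7 MB
    ("10.201.0.20", "10.201.3.47", "tcp", 443, 2 * MB, 1400 * MB),      # https, 1.4 GB
    ("10.201.0.20", "198.19.20.136", "tcp", 443, 1 * MB, 30 * MB),      # peer is outside
]

if __name__ == "__main__":
    for (client, server, proto, port), total in top_conversations(SAMPLE):
        print(f"{client} -> {server} {proto}/{port}: {total / MB:.0f} MB")
    print("rule hits:", [key for key, _ in custom_rule_hits(SAMPLE)])
```

Passing a different predicate as `peer` (for example, anything not inside) turns the same function into the Inside to Outside search.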

For example, let's take the Data Hoarding alarm, which means that some source/destination host uploaded/downloaded an abnormally large amount of data from a host group or a host. Click the event and go to the table where the triggering hosts are shown. Next, select the host we are interested in in the Data Hoarding column.

An event is displayed showing that 162k "points" were detected while 100k "points" are allowed by the policy; these are internal StealthWatch metrics. In the Actions column click View Flows.

We can see that the given host communicated at night with host 10.201.3.47 from the Sales and Marketing department over the HTTPS protocol and downloaded 1.4 GB. Perhaps this example is not entirely convincing, but detecting interactions of even several hundred gigabytes is done in the same way. Therefore, further investigation of anomalies can lead to interesting results.

Note: in the SMC web interface, data in the Dashboards tabs is displayed only for the last week, and in the Monitor tab for the last 2 weeks. To analyse older events and generate reports, you need to work with the java console on the administrator's computer.

5. Detecting internal network scans

Now let's look at a few examples of feeds, that is, information security incidents. This functionality is of the greatest interest to security professionals.

There are several types of scanning events predefined in StealthWatch:

  • Port Scan - the source scans many ports on a destination host.
  • Addr tcp scan - the source scans the whole network on the same TCP port, changing the destination IP address. In this case the source receives TCP Reset packets or no replies at all.
  • Addr udp scan - the source scans the whole network on the same UDP port, changing the destination IP address. In this case the source receives ICMP Port Unreachable packets or no replies at all.
  • Ping Scan - the source sends ICMP requests to the whole network in search of replies.
  • Stealth Scan tcp/udp - the source used the same port to connect to many ports on the destination at the same time.
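
As an added example (not StealthWatch's detection logic or code from the article), the Python below applies the five definitions above to constructed flow records of one source host. The thresholds, the record layout and the reply labels are assumptions; a source may legitimately earn more than one label, and the sample echoes the Port Scan event discussed later in this section.

```python
from collections import defaultdict

PORT_THRESHOLD = 5    # distinct target ports on one host (assumed threshold)
HOST_THRESHOLD = 10   # distinct target hosts on one port (assumed threshold)

# A flow is (src, dst, proto, sport, dport, t, reply): proto 'tcp'/'udp'/'icmp', t the start
# second, reply what the source got back ('syn_ack', 'rst', 'icmp_unreach' or 'none').
def classify_source(flows):
    labels = set()
    ports_per_target = defaultdict(set)   # (proto, dst) -> {dport}
    targets_per_port = defaultdict(set)   # (proto, dport) -> {dst}
    replies_per_port = defaultdict(set)   # (proto, dport) -> {reply}
    same_sport_burst = defaultdict(set)   # (dst, sport, t) -> {dport}
    icmp_targets = set()
    for _src, dst, proto, sport, dport, t, reply in flows:
        if proto == "icmp":
            icmp_targets.add(dst)
            continue
        ports_per_target[(proto, dst)].add(dport)
        targets_per_port[(proto, dport)].add(dst)
        replies_per_port[(proto, dport)].add(reply)
        same_sport_burst[(dst, sport, t)].add(dport)
    # Port Scan: many ports probed on a single destination host
    if any(len(p) >= PORT_THRESHOLD for p in ports_per_target.values()):
        labels.add("Port Scan")
    # Addr tcp/udp scan: one port swept across many hosts, answered only by
    # TCP Reset / ICMP Port Unreachable or not at all (a SYN-ACK is a real session)
    for (proto, dport), dsts in targets_per_port.items():
        if len(dsts) >= HOST_THRESHOLD:
            replies = replies_per_port[(proto, dport)]
            if proto == "tcp" and replies <= {"rst", "none"}:
                labels.add("Addr tcp scan")
            elif proto == "udp" and replies <= {"icmp_unreach", "none"}:
                labels.add("Addr udp scan")
    # Ping Scan: ICMP requests sent to many hosts
    if len(icmp_targets) >= HOST_THRESHOLD:
        labels.add("Ping Scan")
    # Stealth Scan: one source port hitting many destination ports in the same second
    if any(len(p) >= PORT_THRESHOLD for p in same_sport_burst.values()):
        labels.add("Stealth Scan")
    return labels

# Constructed sample flows (not real StealthWatch output); one source per scan type
SAMPLE = (
    [("10.201.3.149", "10.201.0.72", "tcp", 51508, p, 100 + i, "rst") for i, p in enumerate((22, 28, 42, 41, 36, 40))]
    + [("10.201.3.150", "10.201.1.%d" % i, "tcp", 40000 + i, 445, 200 + i, "none") for i in range(1, 13)]
    + [("10.201.3.151", "10.201.1.%d" % i, "udp", 5000 + i, 161, 300 + i, "icmp_unreach") for i in range(1, 13)]
    + [("10.201.3.152", "10.201.1.%d" % i, "icmp", 0, 0, 400, "none") for i in range(1, 13)]
    + [("10.201.3.200", "10.201.0.72", "tcp", 52000 + i, 443, 500 + i, "syn_ack") for i in range(3)]
)
```

Group a real export by source address first and call `classify_source` once per source; the last sample source (three normal HTTPS sessions) shows that a handful of answered connections earns no label.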

To make it easier to find all internal scans at once, there is a StealthWatch network app - Visibility Assessment. Going to the Dashboards → Visibility Assessment → Internal Network Scanners tab, you will see the scan-related security incidents for the last 2 weeks.

By clicking the Details button, you will see the start of each network scan, the traffic trend and the corresponding alarms.

Next, you can "drill down" to a host from the tab in the previous screenshot and see the security events, as well as that host's activity for the last week.

As an example, let's analyse the Port Scan event from host 10.201.3.149 against 10.201.0.72. Press Actions > Associated Flows. A flow search is launched and the relevant information is displayed.

We see how this host, from one of its ports, 51508/TCP, scanned the destination host 3 hours ago on ports 22, 28, 42, 41, 36, 40 (TCP). Some fields show no information because not all Netflow fields are supported on the Netflow exporter.

6. Analysis of downloaded malware using CTA

CTA (Cognitive Threat Analytics) is Cisco's cloud analytics, which integrates well with Cisco StealthWatch and lets you complement signatureless analysis with signature analysis. This makes it possible to detect Trojans, network worms, zero-day malware and other malware, as well as their spread across the network. In addition, the ETA technology mentioned earlier lets you analyse such malicious communications in encrypted traffic.

Literally on the very first tab of the web interface there is a special widget, Cognitive Threat Analytics. A brief summary shows the threats detected on user hosts: Trojans, fraudulent software, annoying adware. The word "Encrypted" actually indicates the work of ETA. Clicking on a host brings up all the information about it and its security events, including the CTA logs.

Hovering over each CTA stage, the event shows detailed information about the interaction. For a full analysis, click View Incident Details here, and you will be taken to a separate console, Cognitive Threat Analytics.

In the top right corner, a filter lets you display events by severity level. When you point at a specific anomaly, logs appear at the bottom of the screen with the corresponding timeline on the right. Thus, the security specialist clearly understands which host is infected, after which actions, and what actions it then began to perform.

Below is another example: a banking Trojan that infected host 198.19.30.36. This host started interacting with malicious domains, and the logs show information about the course of this interaction.

Next, one of the best solutions would be to quarantine the host, thanks to the native integration with Cisco ISE, for further remediation and analysis.

Conclusion

The Cisco StealthWatch solution is one of the leaders among network monitoring products, both in terms of network analytics and information security. Thanks to it, you can detect illegitimate interactions inside the network, application delays, the most active users, anomalies, malware and APTs. In addition, you can find scanners and pentesters, and perform a crypto audit of HTTPS traffic. You can find more use cases at the link.

If you would like to check how well all of this works in your network, send us a request.
In the near future we are planning several more technical publications on various information security products. If you are interested in this topic, follow the updates on our channels (Telegram, Facebook, VK, TS Solution Blog)!

Source: www.habr.com
