Sawubona, ezihlokweni ezedlule sajwayelana nomsebenzi we-ELK Stack. Manje ake sixoxe ngamathuba angenziwa uchwepheshe wezokuphepha kolwazi ekusebenziseni lezi zinhlelo. Yiziphi izingodo ezingakwazi futhi okufanele zifakwe ku-elasticsearch. Ake sicabangele ukuthi yiziphi izibalo ezingatholakala ngokusetha amadeshibhodi nokuthi ikhona yini inzuzo kulokhu. Ungayisebenzisa kanjani i-automation yezinqubo zokuphepha kolwazi usebenzisa isitaki se-ELK. Ake sidwebe ukwakheka kwesistimu. Sekukonke, ukuqaliswa konke ukusebenza kuwumsebenzi omkhulu kakhulu futhi onzima, ngakho isixazululo sanikezwa igama elihlukile - TS Total Sight.
Njengamanje, izixazululo ezihlanganisa futhi zihlaziye izigameko zokuphepha kolwazi endaweni eyodwa enengqondo zithola ukuthandwa ngokushesha, ngenxa yalokho, uchwepheshe uthola izibalo kanye nomngcele wesenzo sokuthuthukisa isimo sokuphepha kolwazi enhlanganweni. Sizibekele lo msebenzi ngokusebenzisa isitaki se-ELK, futhi ngenxa yalokho sahlukanisa ukusebenza okuyinhloko ngezigaba ezi-4:
- Izibalo kanye neso lengqondo;
- Ukutholwa kwezigameko zokuphepha kolwazi;
- Ukubekwa phambili kwesigameko;
- Ukuzenzakalela kwezinqubo zokuphepha kolwazi.
Okulandelayo, sizobheka ngokucophelela ngayinye ngayinye.
Ukutholwa kwezigameko zokuphepha kolwazi
Umsebenzi oyinhloko wokusebenzisa i-elasticsearch esimweni sethu ukuqoqa kuphela izehlakalo zokuphepha kolwazi. Ungakwazi ukuqoqa izehlakalo zokuphepha kolwazi kunoma yiziphi izindlela zokuphepha uma zisekela okungenani ezinye izindlela zokuthumela izingodo, izinga i-syslog noma i-scp yokulondoloza efayeleni.
Unganikeza izibonelo ezijwayelekile zamathuluzi okuvikela nokunye okwengeziwe, lapho kufanele ulungise khona ukudluliselwa kwamalogi:
- Noma yimaphi amathuluzi e-NGFW (Bheka Iphuzu, i-Fortinet);
- Noma yiziphi izikena zobungozi (PT Scanner, OpenVas);
- I-Web Application Firewall (PT AF);
- abahlaziyi be-netflow (i-Flowmon, i-Cisco StealthWatch);
- Iseva ye-AD.
Uma usulungise ukuthunyelwa kwamalogi namafayela okusetha ku-Logstash, ungakwazi ukuhlobanisa futhi uqhathanise nezigameko ezivela kumathuluzi ahlukahlukene okuvikela. Ukuze wenze lokhu, kulula ukusebenzisa izinkomba lapho sizogcina khona zonke izigameko ezihlobene nedivayisi ethile. Ngamanye amazwi, inkomba eyodwa yizo zonke izehlakalo kudivayisi eyodwa. Lokhu kusatshalaliswa kungenziwa ngezindlela ezi-2.
Okokuqala Lokhu okokulungiselela ukucushwa kwe-Logstash. Ukuze wenze lokhu, udinga ukuphinda ilogi yezinkambu ezithile ube yiyunithi ehlukile enohlobo oluhlukile. Bese usebenzisa lolu hlobo esikhathini esizayo. Esibonelweni, amalogi ahlanganiswa kusukela kucwecwe lwe-IPS lwe-firewall ye-Check Point.
filter {
if [product] == "SmartDefense" {
clone {
clones => ["CloneSmartDefense"]
add_field => {"system" => "checkpoint"}
}
}
}
Ukuze ulondoloze imicimbi enjalo enkombeni ehlukile kuye ngezinkambu zelogi, isibonelo, njengamasiginesha okuhlasela kwe-IP yendawo okuyiwa kuyo. Ungasebenzisa ukwakheka okufanayo:
output {
if [type] == "CloneSmartDefense"{
{
elasticsearch {
hosts => [",<IP_address_elasticsearch>:9200"]
index => "smartdefense-%{dst}"
user => "admin"
password => "password"
}
}
}
Futhi ngale ndlela, ungagcina zonke izigameko zibe inkomba, isibonelo, ngekheli le-IP, noma ngegama lesizinda lomshini. Kulokhu, siyigcina kunkomba "smartdefense-%{dst}", ngekheli le-IP lendawo yesiginesha.
Kodwa-ke, imikhiqizo ehlukene izoba nezinkambu ezihlukene zamalogi, okuzoholela ezinxushunxushwini nasekusetshenzisweni kwenkumbulo okungadingekile. Futhi lapha kuzodingeka ukuthi ushintshe ngokucophelela izinkambu kuzilungiselelo zokucushwa kwe-Logstash ngeziklanywe ngaphambili, ezizofana nazo zonke izinhlobo zezigameko, okubuye kube umsebenzi onzima.
Inketho yesibili yokusebenzisa - lokhu kubhala iskripthi noma inqubo ezofinyelela ku-database ye-elastic ngesikhathi sangempela, ikhiphe izigameko ezidingekayo, futhi uzigcine kunkomba entsha, lokhu kuwumsebenzi onzima, kodwa kukuvumela ukuthi usebenze ngezingodo njengoba uthanda, futhi uhlobanise ngokuqondile nezigameko ezivela kwezinye izinto zokusebenza zokuphepha. Le nketho ikuvumela ukuthi ulungiselele umsebenzi ngamalogi ukuze ube usizo kakhulu odabeni lwakho ngokuguquguquka okukhulu, kodwa lapha inkinga ivela ekutholeni uchwepheshe ongasebenzisa lokhu.
Futhi-ke, umbuzo obaluleke kakhulu, futhi yini engahlotshaniswa futhi itholwe??
Kungase kube nezinketho ezimbalwa lapha, futhi kuya ngokuthi yimaphi amathuluzi okuvikela asetshenziswa kungqalasizinda yakho, izibonelo ezimbalwa:
- Okusobala kakhulu futhi, ngokombono wami, inketho ethakazelisa kakhulu kulabo abanesixazululo se-NGFW kanye nesithwebuli sobungozi. Lokhu ukuqhathaniswa kwamalogi e-IPS nemiphumela yokuskena yokuba sengozini. Uma ukuhlaselwa kutholwe (okungavinjiwe) uhlelo lwe-IPS, futhi lobu bungozi bungavalwanga emshinini wokugcina ngokusekelwe emiphumeleni yokuskena, kuyadingeka ukuthi ushaye ikhwelo, njengoba kunamathuba amaningi okuthi ubungozi busetshenziswe. .
- Imizamo eminingi yokungena ngemvume isuka emshinini owodwa iye ezindaweni ezahlukene ingase ifanekisele izenzo ezinonya.
- Umsebenzisi ulanda amafayela egciwane ngenxa yokuvakashela inombolo enkulu yamasayithi angaba yingozi.
Izibalo nokubona ngeso lengqondo
Into esobala kakhulu futhi eqondakalayo okudingeka i-ELK Stack ukugcinwa nokuboniswa kwamalogi, kuboniswe ukuthi ungawakha kanjani amalogi kusuka kumadivayisi ahlukahlukene usebenzisa i-Logstash. Ngemuva kokuthi izingodo ziye ku-Elasticsearch, ungasetha amadeshibhodi, nawo ashiwo , ngolwazi nezibalo ozidingayo ngokubuka ngeso lengqondo.
izibonelo:
- Ideshibhodi yemicimbi Yokuvimbela Usongo enemicimbi ebaluleke kakhulu. Lapha ungabonisa ukuthi yimaphi amasiginesha e-IPS atholakele nokuthi avelaphi ngokwendawo.
- Ideshibhodi ekusetshenzisweni kwezinhlelo zokusebenza ezibaluleke kakhulu lapho ulwazi olungaputshuzwa khona.
- Skena imiphumela kunoma yisiphi isithwebuli sokuvikela.
- Amalogi ohlu olusebenzayo ngomsebenzisi.
- Ideshibhodi yokuxhumeka kwe-VPN.
Kulokhu, uma umisa amadeshibhodi ukuthi abuyekeze njalo ngemva kwemizuzwana embalwa, ungathola isistimu efanelekile yokuqapha imicimbi ngesikhathi sangempela, engasetshenziselwa ukusabela okusheshayo ezigamekweni zokuphepha kolwazi uma ubeka amadeshibhodi endaweni ehlukile. isikrini.
Ukubekwa phambili kwesigameko
Ezimweni zengqalasizinda enkulu, inani lezehlakalo lingase lihambe kancane, futhi ochwepheshe ngeke babe nesikhathi sokubhekana nazo zonke izigameko ngesikhathi. Kulokhu, kuyadingeka, okokuqala, ukugqamisa kuphela lezo zenzakalo ezibeka usongo olukhulu. Ngakho-ke, uhlelo kufanele lubeke phambili izehlakalo ngokusekelwe ebucayini bazo maqondana nengqalasizinda yakho. Kutuswa ukuthi usethe i-imeyili noma isexwayiso socingo kule micimbi. Ukubeka phambili kungenziwa kusetshenziswa amathuluzi e-Kibana ajwayelekile ngokusetha ukubonwa. Kodwa ngezaziso kunzima kakhulu; ngokuzenzakalelayo, lokhu kusebenza akufakiwe enguqulweni eyisisekelo ye-Elasticsearch, enguqulweni ekhokhelwayo kuphela. Ngakho-ke, thenga inguqulo ekhokhelwayo, noma, futhi, bhala inqubo ngokwakho ezokwazisa ochwepheshe ngesikhathi sangempela nge-imeyili noma ngocingo.
Ukuzenzakalela kwezinqubo zokuphepha kolwazi
Futhi enye yezingxenye ezithakazelisa kakhulu ukuzenzakalelayo kwezenzo zezehlakalo zokuphepha kolwazi. Ngaphambilini, sisebenzise lokhu kusebenza kwe-Splunk, ungafunda okwengeziwe kulokhu . Umbono oyinhloko ukuthi inqubomgomo ye-IPS ayilokothi ihlolwe noma ithuthukiswe, nakuba kwezinye izimo iyingxenye ebalulekile yezinqubo zokuphepha kolwazi. Isibonelo, unyaka ngemva kokuqaliswa kwe-NGFW kanye nokungabikho kwezenzo zokwandisa i-IPS, uzoqoqa inani elikhulu lamasignesha ngesenzo se-Detect, esingeke sivinjwe, esinciphisa kakhulu isimo sokuphepha kolwazi enhlanganweni. Ngezansi kukhona izibonelo zalokho okungazenzakalela:
- Ukudluliswa kwesiginesha ye-IPS kusuka ku-Detect kuya ku-Prevent. Uma i-Prevent ingasebenzi kumasignesha abalulekile, kusho ukuthi lokhu akusebenzi futhi kunegebe elibi ohlelweni lokuvikela. Sishintsha isenzo kunqubomgomo sibe amasignesha anjalo. Lokhu kusebenza kungenziwa uma idivayisi ye-NGFW inomsebenzi we-REST API. Lokhu kungenzeka kuphela uma unamakhono okuhlela; udinga ukukhipha ulwazi oludingekayo ku-Elastcisearch futhi wenze izicelo ze-API kuseva yokuphatha ye-NGFW.
- Uma kutholwe amasiginesha amaningi noma avinjwa kuthrafikhi yenethiwekhi kusuka ekhelini le-IP elilodwa, kusho ukuthi kunengqondo ukuvimba leli kheli le-IP isikhashana kunqubomgomo ye-Firewall. Ukuqaliswa futhi kuhlanganisa ukusebenzisa i-REST API.
- Qalisa ukuskena komsingathi ngesikena sobungozi, uma lo msingathi enenombolo enkulu yamasiginesha e-IPS noma amanye amathuluzi okuvikela; uma kuyi-OpenVas, ungabhala umbhalo ozoxhuma nge-ssh kusikena sokuvikela bese uqala ukuskena.
I-TS Total Sight
Sekukonke, ukuqaliswa kwakho konke ukusebenza kuwumsebenzi omkhulu kakhulu futhi onzima. Ngaphandle kokuba namakhono okuhlela, ungamisa ukusebenza okuncane, okunganele ukusetshenziswa ekukhiqizeni. Kepha uma unentshisekelo kukho konke ukusebenza, unganaka i-TS Total Sight. Ungathola imininingwane eyengeziwe kwethi . Ngenxa yalokho, lonke uhlelo lokusebenza kanye nezakhiwo zizobukeka kanjena:
isiphetho
Sibheke ukuthi yini engasetshenziswa kusetshenziswa i-ELK Stack. Ezihlokweni ezilandelayo, sizocubungula ngokwehlukana ukusebenza kwe-TS Total Sight ngokuningiliziwe!
Ngakho hlala ubukele (, , , ), .
Source: www.habr.com