MINISTRY OF EDUCATION AND TRAINING
HOA SEN UNIVERSITY
FACULTY OF SCIENCE AND TECHNOLOGY
TOPIC TITLE:
June 2010
Supervisor: Lc c Huy
Students: Nguyn c T, Nguyn Vng Huy
Class: VT071A
Report submission date:
Report recipient (signature, full name):
*Minimum required results:
Logging, interception control and optimisation of the network system
Signature:
ABSTRACT
During the 14 weeks spent on the topic "Studying and building methods for monitoring, logging events and evaluating system performance", we achieved the following results:
- Deployed systems for monitoring and logging system events, namely Audit, Snort and Forefront TMG 2010.
ACKNOWLEDGEMENTS
We sincerely thank the lecturers of the office of the Faculty of Science and Technology, Hoa Sen University, for giving us the opportunity to carry out this topic and for keeping us informed about the progress of the project. We also thank our supervising lecturer, Mr. Lc c Huy, for his enthusiastic support and effective advice, and we do not forget to thank the staff in charge of the computer lab.
TABLE OF CONTENTS
GRADUATION PROJECT ASSIGNMENT SHEET ........ i
ABSTRACT ........ ii
ACKNOWLEDGEMENTS ........ iii
SUPERVISOR'S COMMENTS ........ iv
TABLE OF CONTENTS ........ v
LIST OF FIGURES AND TABLES ........ x
PROBLEM STATEMENT ........ 1
1. Reasons for Choosing the Topic ........ 1
4.2 Purpose ........ 4
5.2 Network security ........ 9
7.4 Firewall examples ........ 28
9. Audit Policies ........ 37
9.6 Remarks ........ 64
10.3 Snort operating modes ........ 67
10.8.2 SMB attack ........ 81
10.9 Remarks ........ 83
PROBLEM STATEMENT
1. Reasons for Choosing the Topic
This is a highly practical topic, applicable to most systems, large or small. A server farm or a DMZ is a critical zone that demands stability, safety and strong security, and must not let any unauthorised flow of information into the system. We therefore have to draw up plans and monitoring methods that record every unauthorised intrusion into the system and every access that changes data, and in addition regularly check and evaluate the system's performance so that it stays stable and is not overloaded.
2. Objectives to Be Achieved After the Topic
We will have a definite body of knowledge on building and deploying methods for monitoring, logging events and evaluating performance for a system.
Page 1
4.2 Purpose
- The organisation's computer systems are available for business whenever needed (availability).
- Information in the systems is disclosed only to authorised users (confidentiality).
- Delivering value
One of the results of carrying out monitoring correctly is reasonable and accurate information about the state of information as a company resource. The quality of planning and management therefore needs to improve, to be accurate and reasonable, with the information always available.
Self-diagnosis
This is a characteristic of most monitoring exercises. The diagnostic element of monitoring can recognise identified strengths and weaknesses. The information can be used to build on the strengths and eliminate the weaknesses.
Training benefits
This benefit is often overlooked. An information audit offers the chance to involve staff in the monitoring process and at the same time teaches them about the procedures, philosophy and structures that support the use of the company's information resources. Staff gain a better understanding of information and of its role in the organisation.
Defence in depth
When building a security system we should not place too much trust in, or rely on, any single protective mechanism, however strong, but should create several safety mechanisms that reinforce one another. A multi-layered protection system helps to block and slow down an attacker's intrusion: because each layer uses a different security mechanism, the attacker has to spend a great deal of time breaking through them, and we gain time to handle the incident promptly.
The weakest link
A protection system is not always solid and safe; attackers usually look for the weakest points of the system to attack, so we must regularly check and monitor the system in order to find and fix vulnerabilities in time. We usually pay more attention to attackers on the network than to people who approach the system physically, so physical security is considered the weakest point of our system.
Diversity of protection
If we work in a large company with many different server systems, we need to use many different protective measures to increase the complexity and security of the systems; otherwise, once an attacker
Data encryption
To protect information in transit we use encryption methods. The data is transformed from its readable form according to some algorithm and is transformed back at the receiving station.
Physical protection
Prevents physical access to the system. Traditional measures are usually used, such as strictly forbidding unauthorised persons from entering the room housing the network equipment, using locks on computers, or using workstations without floppy drives.
Firewall
Blocks unauthorised intrusion and filters out packets that, for whatever reason, we do not want to send or receive, in order to protect a single computer or the whole internal network.
Administrative tasks
Ensuring that the computer network operates safely and without incidents is a top priority. Network administration must be carried out methodically to ensure that the whole system works normally during business hours.
In parallel, there must be a backup system in case a hardware or software failure occurs. Plan backups of important data and periodic network maintenance. Establish data security policies, access rights and working groups on the network. Establish systems and procedures to identify and block malicious or unwanted information. Build a feedback process that tracks and records incident details and assesses risk. Keep the organisation's technologies and applications regularly updated.
Continuously improve as the business environment changes, which lets the organisation keep information security at an acceptable level of risk. Ensure that information security is always ready to meet the organisation's needs as soon as required.
network. This policy register, together with the policy information, may be stored in the protected system or outside it.
The role of the sensor is to filter information and discard data that does not match, so that suspicious actions can be detected. The analyser uses the detection policy database for this purpose. In addition, the database holds configuration parameters, including the modes of communication with the response system. The sensor also has its own database, containing stored data about potential complex violations.
An IDS may be arranged centrally (for example integrated into the firewall) or distributed. A distributed IDS consists of many different IDSs across a large network, all of which communicate with one another.
An IDS is able to probe for and detect attacks on the network system. It raises an alarm when it learns of an abnormal intrusion into the system. The IDS relies on alarm criteria that allow it to identify attacks. Of course, to be able to detect attacks, one or more IDS systems must be placed appropriately in the network, either installed as network devices that monitor traffic on the network or installed on workstations to watch the operating system and the running applications. An IDS also needs to detect sophisticated attacks that use evasion techniques to get past the IDS and intrude undetected.
6.1.2 Classification of IDS
The basic function of an IDS is to detect intruders. The main types of IDS are:
-
Disadvantages
- Requires an agent on every host that is to be protected.
- Requires an agent that can support many operating systems.
Disadvantages
- Must be installed on a network segment where port monitoring is not overloaded.
- Different parts of the network must be monitored using several IDS devices.
- Fragmented traffic (IP traffic split into many IP fragments) has to be reassembled.
- Needs considerable CPU and memory resources to analyse the monitored traffic in real time.
- Cannot detect attacks carried inside encrypted communications.
intrusion detection. Burglar alarm systems trigger a signal based on the movement of the probe. IDS systems also have two kinds of triggering mechanism:
-
Disadvantages
Disadvantages
False alarms
Response module
When there is a sign of an attack or intrusion, the attack detection module sends a signal to the response module indicating that an attack or intrusion is taking place. The response module then activates the firewall to carry out the function of blocking the attack. If, in this module, the system only issues warnings to the administrators and stops there, it is called a passive defence system.
Depending on the system, the response module has different functions. Below are some blocking techniques:
Terminate session
The mechanism of this technique is that the IPS sends reset packets, re-establishing the communication to both client and server. As a result the communication starts again, the attacker's goals are not achieved and the attack is stopped.
Drop attack
This technique uses the firewall to discard packets or to block a single packet, a session or a flow of information between the attacker and the victim.
Modify firewall policies
This technique lets the administrator reconfigure the security policy when an attack occurs. The reconfiguration is a temporary change of the access control policies by a privileged user while the administrator is being alerted.
Real-time Alerting
Sends real-time alerts to the administrator so that they can learn the details of the attacks, their characteristics and information about them.
Log packet
Packet data is stored in the system's log files. The purpose is to let administrators follow the information flows, and it is a source of information that helps the attack detection module operate.
The three modules above work in sequence to form a complete IPS. An IPS is considered successful if it combines the following factors: fast and accurate operation, reasonable notifications, analysis of the whole throughput, maximum sensing, successful blocking and a flexible management policy.
6.2.2 Classification of IPS
-
-
In-line IPS
The IPS sits in front of the firewall, so the data flow has to pass through it before reaching the firewall. The main difference from a Promiscuous Mode IPS is the additional traffic-blocking function. This lets the IPS stop dangerous traffic faster than a Promiscuous Mode IPS does. However, this position slows down the traffic flowing into and out of the network.
With the goal of blocking attacks, an IPS has to operate in real time. The speed of the system is a very important factor. The intrusion detection process must be fast so that attacks can be blocked immediately. If this is not met, the attacks will already have completed and the IPS is meaningless.
Anomaly-Based IPS
Policy-Based IPS
Advantages
- Low cost, since it is included in every router
- Requires no special expertise
Disadvantages
- The more filters are required, the longer, more complex and harder to manage the packet-filtering rule sets become
- Cannot control the whole content of the packet
Advantages
- Lets the administrator fully control which applications and services are allowed
- Provides very good authentication logging and a log recording information about system access
- The filtering rule set for an application gateway is easier to configure and check than a packet filter
Disadvantages
- An application-gateway filter has to be regarded as a software firewall, so in most cases licensing is quite expensive
7.4 Firewall examples
- Low cost
- Simple configuration
Disadvantages
- Easily attacked through imperfectly configured filters, or by attacks hidden inside permitted services.
- Every system on the internal network is exposed to attack if the filter stops working because of some fault.
- Higher risk of attack because packets are exchanged directly, passing only through the router.
Obstructs the attack process with three layers of protection.
Audit Account Logon Events
Default setting: failed account logons are audited.
Creates an event when a user logs on to a computer locally or remotely. For example, if a
Audit Account Management
Default setting: successful account management activities are audited.
Audit Directory Service Access
Default setting: successful directory access events are audited; the audit settings are defined by the SACLs of a few specified objects.
Audit Policy Change
Default setting: no auditing is performed. Audits events affecting the security settings of the system.
Audit Process Tracking
Audit Object Access
Default setting: successful object access events are audited.
Events can be filtered by Event Log or by Event Source, but not both. If the By Log option is chosen, the drop-down list shows a series of options that can be used to select the individual Event Logs to include in the filtering process. If the By Source option is chosen, the drop-down list shows a check box for each existing Event Source. Next, enter the different Event IDs to be filtered. If the specific Event IDs are not known, a range of Event IDs can be entered. For example, to filter Event IDs from 1 to 99, enter 1-99.
program.
-
administrators and support staff. Events found in the Admin channels indicate a problem and a solution, as well as the conditions under which an administrator can take action.
-
with their program.
File server (Windows Server 2003): creates shared folders and assigns permissions to users.
Router: configured in one of two ways so that the server zone and the clients can communicate:
o Method 1: configure Routing and Remote Access.
o Method 2: make the server zone VLAN 1 and the clients VLAN 2, and configure InterVLAN routing using Trunking for the two VLANs so that they can reach each other.
(Figure: start of replication ... Directory replication finished)
The recorded reason is an unknown user name or a bad password, but the actual reason here is that the machine has not joined the domain, so the router machine is neither authenticated by the DC nor resolved by DNS; the system naturally does not know who the router machine is and reports an error.
Network Information:
Workstation Name:
Router
1033
File server shares
Folder | Group
Ketoan | Ketoan
Nhansu | Nhansu
Auditing table
Folder | Group | Audit entry
Ketoan | Ketoan | Read - Success
Nhansu | Nhansu | Read - Success
logs the event immediately. We see event 4719 - System audit policy was changed.
Object Access
C://Windows\System32\services.exe
C://Windows\System32\dns.exe
The information above is read as follows: services is recorded as a process being created, and more specifically within that process the object actually being created is the dns service.
TokenElevationTypeDefault(1)
The next lab model covers the situation where the DNS service is stopped; the monitoring process immediately produces log 4689 (Process Termination) with the information:
A process has exited.
Account Name:
DC
//machine name
Account Domain:
Process Name:
Limited tokens are used when User Account Control is enabled, the application does not require administrative privileges, and the user did not choose to start the program using Run as administrator.
9.4.10 Audit system events
This audit policy audits events related to restarting or shutting down the computer. Events related to the security log and to system security are also audited when this audit method is enabled. This is an audit configuration required for computers that need auditing not only when events occur but also when the log itself is cleared.
We verify this audit policy by turning the system firewall on and off. First we go to services.msc and start the firewall; the monitoring side immediately shows log 5024 (Other System Events), recording the state of the system firewall as:
The Windows Firewall Service has started successfully.
Next is the case where we stop the system firewall; similarly, log 5025 (Other System Events) appears with the recorded information:
The Windows Firewall Service has been stopped.
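The events observed in these labs (4719, 4689, 5024 and 5025) can be triaged automatically once they are exported from Event Viewer. The Python script below is an added example and not part of the report: its pipe-separated record format, its sample records and the severity it attaches to each event ID are constructed assumptions; only the event IDs and their meanings come from the labs above.

```python
"""Triage of the Windows Security events observed in chapter 9.

Added example. The pipe-separated record format, the sample records and the
severity attached to each event ID are assumptions made for the demonstration;
the event IDs and their meanings are the ones the report's labs observe.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records: EventID|timestamp|computer|message
SAMPLE_LOG = """\
4719|2010-06-01T08:00:12|DC|System audit policy was changed.
5024|2010-06-01T08:01:03|DC|The Windows Firewall Service has started successfully.
4689|2010-06-01T08:05:44|DC|A process has exited. Process Name: C:\\Windows\\System32\\dns.exe
5025|2010-06-01T08:07:19|DC|The Windows Firewall Service has been stopped.
4719|2010-06-01T08:07:21|DC|System audit policy was changed.
"""

# Meaning of each event ID as used in the labs, plus an assumed triage severity.
EVENT_MEANING = {
    4719: ("System audit policy was changed", "high"),
    4689: ("Process termination", "info"),
    5024: ("Windows Firewall service started", "info"),
    5025: ("Windows Firewall service stopped", "high"),
}


@dataclass
class Event:
    event_id: int
    timestamp: datetime
    computer: str
    message: str


def parse_log(text):
    """Parse the constructed record format into Event objects, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw_id, raw_ts, host, msg = line.split("|", 3)
        events.append(Event(int(raw_id), datetime.fromisoformat(raw_ts), host, msg))
    return events


def triage(events, window=timedelta(minutes=5)):
    """Return (findings, counts).

    A finding is produced for every high-severity event, and additionally when a
    system audit policy change (4719) follows a firewall stop (5025) on the same
    computer within `window`: that sequence looks like protections being switched
    off before what gets audited is altered, and deserves a closer look.
    """
    findings = []
    last_fw_stop = {}                      # computer -> time of its last 5025
    for ev in sorted(events, key=lambda e: e.timestamp):
        meaning, severity = EVENT_MEANING.get(ev.event_id, ("unknown event", "info"))
        if severity == "high":
            findings.append((ev.event_id, ev.computer, meaning))
        if ev.event_id == 5025:
            last_fw_stop[ev.computer] = ev.timestamp
        elif ev.event_id == 4719 and ev.computer in last_fw_stop:
            if ev.timestamp - last_fw_stop[ev.computer] <= window:
                findings.append((ev.event_id, ev.computer,
                                 "audit policy changed shortly after firewall stop"))
    counts = Counter(ev.event_id for ev in events)
    return findings, counts


if __name__ == "__main__":
    found, per_id = triage(parse_log(SAMPLE_LOG))
    for item in found:
        print("%s %s: %s" % item)
    print(dict(per_id))
```

On the constructed sample the second firewall stop is followed two seconds later by an audit policy change, so the script reports both events individually and once more as a correlated pair.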
Only when the GPO Editor displays all of the sub-categories within each audit policy do we get a more concrete view of the policies that need to be set.
From the simulated labs above we see that the Audit Policy interface consists of 9 audit policies, but we cannot tell what components those policies contain; the illustration below shows the sub-components contained in each corresponding policy.
To check at the same time, we have a user log on to the domain; Event Viewer records the Kerberos authentication event, because we enabled the Account Logon policy, which contains the Kerberos authentication sub-category.
9.6 Remarks
Monitoring system events is always an important part of an administrator's work. The audit policies are simple, but the point is knowing how to set up and combine the different policies in the most reasonable and effective way for each system. In addition, we must regularly follow, classify and filter the event notifications in order to control the state of the system and keep it secure, and at the same time be able to quickly detect unauthorised logons, dangerous risks or errors reported by the system, so that they can be fixed in time.
Preprocessor
Preprocessors are components or plug-ins used with Snort to arrange and modify packets before the detection engine does its work of checking whether a packet is dangerous. Some preprocessors can find abnormal signs in packet headers and generate alerts. Preprocessors are very important for an IDS because they prepare packets for analysis against the rules in the detection engine.
Attackers use many different techniques to fool an IDS in many ways. They also use fragmentation to defeat an IDS. Preprocessors are often used to protect against these kinds of attacks. Snort preprocessors can reassemble packets, decode HTTP URIs, reassemble TCP streams, and so on. These functions are very important parts of an IDS.
The header contains the information about the action the rule will take. The header also contains the criteria for matching a rule against a packet. The options part contains the alert message and information about the message that will be used to generate the alert. The options part also contains criteria for matching a rule against a packet. One rule can detect one or several kinds of intrusion.
10.4.2 Structure of the Header
Action: the type of action Snort takes when the detection criteria of a rule match a packet exactly. Typical actions are generating an alert or logging a message. There are 5 kinds of action:
Action | Description
Alert |
Log |
Pass | Ignore the packet
Activate |
Dynamic |
Port: in the TCP and UDP protocols, Port specifies the source port and destination port of the packet to which the rule applies. For network-layer protocols such as IP or ICMP, port numbers have no meaning.
Example: analysing the header of a rule
alert tcp any any -> any 80 (content: "yahoo"; msg: "Yahoo Site Access";)
The action here is alert, applied when TCP traffic from any IP address and port is sent to any IP address on port 80 and the content contains the keyword yahoo. If this happens, meaning that some user on the LAN visits a site containing the word yahoo, a "Yahoo Site Access" record is written to the log file.
10.4.3 Structure of the Options
A Snort rule can have several different options, separated by the ; character.
preprocessor perfmonitor: time 300 events flow file /var/log/snort/snort.stats max console pktcnt 500
Or, running it on its own and reading from the log messages file:
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 500
The parameters mean:
Time: the interval in seconds (s) between samples. Setting the time too low may inflate the values. The default is 300 s.
Console: output to the console screen. This is enabled by default; output can also be sent to a file by adding the file parameter.
File <filename>: output to the file at the given path. The statistics are written to the file as single values separated by commas, one line per sampling run.
Pktcnt: the number of packets to be processed within the given time. Note that if fewer packets are captured than the specified count, no statistics are produced.
Flow: generates a large amount of detailed information about network traffic flows (complete with details such as packet length, number of packets per flow, flow volume per port and protocol type, fragment counts and other information).
Events: Snort turns on reporting and displays the number of matched signatures. It generates many data sets reflecting the number of signatures passed, matched or verified. There are two kinds, Non-qualified events and Qualified events, which are confirmed based on the
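Because the file parameter produces one comma-separated line of counters per sampling interval, the performance data can be checked by a script rather than by eye. The Python reader below is an added example, not part of the report or of Snort: the column order it assumes is a labelled subset of the counters the report lists (packets received and dropped, drop percentage, Kpackets and Mbits per second, pattern-matching percent, CPU usage, alerts per second, new sessions per second, total sessions), not the real snort.stats layout, and the sample lines and thresholds are constructed.

```python
"""Reader for perfmonitor statistics lines (added example, not Snort's code).

The report states that with the `file` parameter perfmonitor appends one
comma-separated line of counters per sampling interval.  The column order
below is an assumption of this example (a subset of the counters the report
lists), not the real snort.stats layout, and the sample lines are constructed.
"""
import csv
import io

COLUMNS = ["time", "pkts_recv", "pkts_drop", "drop_pct", "kpkts_per_sec",
           "mbits_per_sec", "pattern_match_pct", "cpu_usage", "alerts_per_sec",
           "new_sessions_per_sec", "total_sessions"]

# Constructed samples at the default 300 s interval: quiet, busy, then overloaded.
SAMPLE_STATS = """\
1275374400,150000,0,0.000,0.500,3.2,12.5,0.8,0.10,4.0,120
1275374700,900000,18000,2.000,3.000,19.7,41.3,5.1,1.50,22.0,340
1275375000,2400000,240000,10.000,8.000,52.0,78.9,21.7,9.20,95.0,910
"""


def parse_stats(text):
    """Parse the comma-separated samples into dicts keyed by COLUMNS."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text), fieldnames=COLUMNS):
        row = {"time": int(raw["time"])}
        for key in COLUMNS[1:]:
            row[key] = float(raw[key])
        rows.append(row)
    return rows


def flag_samples(rows, drop_pct_limit=5.0, pattern_pct_limit=70.0):
    """Samples in which Snort drops too much traffic or the detection engine saturates.

    Dropped packets are traffic the IDS never inspected, so a high drop rate means
    attacks can pass unseen; the thresholds here are assumptions for the example.
    """
    flagged = []
    for row in rows:
        reasons = []
        if row["drop_pct"] > drop_pct_limit:
            reasons.append("packet drop %.1f%% exceeds %.1f%%" % (row["drop_pct"], drop_pct_limit))
        if row["pattern_match_pct"] > pattern_pct_limit:
            reasons.append("pattern matching at %.1f%% of time" % row["pattern_match_pct"])
        if reasons:
            flagged.append((row["time"], reasons))
    return flagged


def inconsistent_rows(rows, tolerance=0.01):
    """Samples whose recorded drop percentage disagrees with the raw packet counters."""
    bad = []
    for row in rows:
        expected = 100.0 * row["pkts_drop"] / row["pkts_recv"] if row["pkts_recv"] else 0.0
        if abs(expected - row["drop_pct"]) > tolerance:
            bad.append(row["time"])
    return bad


def summary(rows):
    """Totals over the whole file: received, dropped, overall drop rate, peak packet rate."""
    total_recv = sum(r["pkts_recv"] for r in rows)
    total_drop = sum(r["pkts_drop"] for r in rows)
    return {"samples": len(rows),
            "packets_received": int(total_recv),
            "packets_dropped": int(total_drop),
            "overall_drop_pct": round(100.0 * total_drop / total_recv, 2) if total_recv else 0.0,
            "peak_kpkts_per_sec": max(r["kpkts_per_sec"] for r in rows)}


if __name__ == "__main__":
    samples = parse_stats(SAMPLE_STATS)
    print(summary(samples))
    for when, why in flag_samples(samples):
        print(when, "; ".join(why))
    print("inconsistent samples:", inconsistent_rows(samples))
```

The consistency check matters because a drop percentage that does not agree with the packet counters usually means the file was written by a different Snort version or the columns were mapped wrongly, in which case any alerting built on it is unreliable.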
Building Monitoring Methods, Event Logging and Performance Evaluation for Systems
Figure 71: Parameters
CPU Usage: 0.075% (user) 0.337% (sys) 99.588% (idle)
Snort:
RES - Resident size (kb): 18M - physical memory in use.
SHR - Shared Mem size (kb): 2264 - the amount of shared memory used by a task.
Every process on CentOS uses an amount of memory that varies with circumstances. Moreover, the memory used by a process can be the sum of shared memory, physical memory and virtual memory. When Snort is running, attention should be paid to the rule lines: the more rules there are, the more RAM is used, and default rules that are not needed should be disabled to reduce the load on the system.
CPU performance chart over a period of more than 8 minutes
Signature
This is an attack over port 445 that sets the Process ID High value to "\x00\x26"; the normal value is "\x00\x00".
Rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "Tan cong SMB"; content: "|00 26|"; flow:to_server,established; content:"|53 4d 42 20 32 2e 30 30 32 00|"; sid: 1000003;)
Signature
This is an attack that floods the target with ICMP ECHO REPLY packets. The big difference
Rule
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg: Tan cong Smurf Attack; dsize: >32; icmp_seq:0; icmp_id:0 ; sid: 1000004; )
10.8.4 Land attack
Signature
A Land attack sends packets whose source and destination addresses are the same. It can be detected by using the sameip keyword in the rule options.
-
Rule
alert udp any any <> $HOME_NET any (msg : Land Attack; sameip;)
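To see how the header and options described in sections 10.4.2 and 10.4.3 are applied to the rules of this section, the Python script below parses each rule and evaluates it against packet records. It is an added example, not Snort's own code: the values of $HOME_NET and $EXTERNAL_NET, the packet records and the single-line copies of the three rules above are constructed, and only the content, dsize, sameip, icmp_seq and icmp_id options are evaluated (flow state and stream reassembly are not modelled).

```python
"""Parser and matcher for the Snort rules shown in sections 10.4 and 10.8.

Added example, not Snort's own code. The variable values, the packet records
and the single-line copies of the rules are constructed for the demonstration.
Only the content, dsize, sameip, icmp_seq and icmp_id options are evaluated;
flow state and stream reassembly are not modelled.
"""
import ipaddress
import re

VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "any"}   # assumed values

HEADER_RE = re.compile(
    r"\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def parse_content(spec):
    """Turn a content string such as '|00 26|SMB' into bytes (|..| parts are hex)."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def parse_rule(text):
    """Split a rule into its header fields and the options this example supports."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport,
            "msg": None, "dsize": None, "sameip": False, "content": []}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "content":
            rule["content"].append(parse_content(val))
        elif key == "sameip":
            rule["sameip"] = True
        elif key in ("msg", "dsize", "icmp_seq", "icmp_id", "sid", "flow"):
            rule[key] = val
    return rule


def ip_matches(spec, ip):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def dsize_matches(spec, size):
    if spec is None:
        return True
    if spec.startswith(">"):
        return size > int(spec[1:])
    if spec.startswith("<"):
        return size < int(spec[1:])
    return size == int(spec)


def endpoints_match(rule, pkt):
    """Header IP/port check; '<>' also accepts the reversed direction."""
    fwd = (ip_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
           and ip_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    if fwd or rule["dir"] == "->":
        return fwd
    return (ip_matches(rule["src"], pkt["dst"]) and port_matches(rule["sport"], pkt["dport"])
            and ip_matches(rule["dst"], pkt["src"]) and port_matches(rule["dport"], pkt["sport"]))


def rule_matches(rule, pkt):
    if rule["proto"] != pkt["proto"] or not endpoints_match(rule, pkt):
        return False
    if rule["sameip"] and pkt["src"] != pkt["dst"]:
        return False
    if not dsize_matches(rule["dsize"], len(pkt["payload"])):
        return False
    for key in ("icmp_seq", "icmp_id"):
        if key in rule and int(rule[key]) != pkt.get(key, -1):
            return False
    return all(c in pkt["payload"] for c in rule["content"])   # every content must appear


RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "Tan cong SMB"; content: "|00 26|"; '
    'flow:to_server,established; content:"|53 4d 42 20 32 2e 30 30 32 00|"; sid: 1000003;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg: Tan cong Smurf Attack; dsize: >32; '
    'icmp_seq:0; icmp_id:0 ; sid: 1000004; )',
    'alert udp any any <> $HOME_NET any (msg : Land Attack; sameip;)',
)]

# Constructed packet records (not captures): three that should alert and one that should not.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.7", "sport": 51234, "dst": "192.168.1.10", "dport": 445,
     "payload": b"\x00\x26SMB 2.002\x00"},
    {"proto": "icmp", "src": "10.0.0.9", "sport": None, "dst": "192.168.1.10", "dport": None,
     "icmp_seq": 0, "icmp_id": 0, "payload": b"A" * 64},
    {"proto": "udp", "src": "192.168.1.5", "sport": 53, "dst": "192.168.1.5", "dport": 53,
     "payload": b"x"},
    {"proto": "tcp", "src": "10.0.0.7", "sport": 51235, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET / HTTP/1.1"},
]


def alerts(packets, rules=RULES):
    """Messages of every rule that fires on each packet, in packet order."""
    return [rule["msg"] for pkt in packets for rule in rules if rule_matches(rule, pkt)]


if __name__ == "__main__":
    print(alerts(PACKETS))
```

Running it shows the SMB, Smurf and Land rules each firing on their own packet and nothing firing on the ordinary HTTP request; shrinking the ICMP payload below 32 bytes or giving the UDP packet distinct addresses makes the corresponding alert disappear.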
10.8.5 DoS attack with HTTP POST
Signature
This kind of attack sends a large amount of valid data to the server, which will process it, causing
10.9 Remarks
Snort is an IDS used to monitor events occurring in the TCP/IP stack that we define ourselves. Snort, like any IDS application, needs a rule set, also called "signatures". Snort can be applied to any network model, and with its low cost Snort is the choice of many small and medium companies as well as large ones.
Advantages
-
Disadvantages
-
URL filtering: allows or denies access to websites based on URL categories, such as blacklisted sites or sites with unwholesome content, and also protects business productivity by limiting or blocking access to sites regarded as productivity drains.
HTTPS: allows encrypted HTTPS sessions to be inspected for malware. Specific groups of sites, such as banking sites, can be excluded from inspection for privacy reasons.
Network Inspection System (NIS): lets traffic be inspected for exploits of Microsoft vulnerabilities. Based on protocol analysis, NIS can block classes of attacks while minimising false positives. The protection can be updated when needed.
Network Address Translation: lets you specify individual e-mail servers that can be published on a 1-to-1 NAT basis.
Voice over IP: enhanced Voice over IP support, including SIP traversal, allowing simple deployment of Voice over IP in the system.
Easy management
whether the features of Forefront TMG really hold up. For convenience of analysis we group these features into 3 main groups representing 3 characteristics of Forefront:
- TMG controls content while scanning in order to detect malware, since malware and virus infections can be the cause of delays in delivering content from server to client.
o Firewall & Web Access Policy
Allows connections from the source network to the destination network while still protecting against malicious access, by setting specific policies that allow or deny access to the destination network, applied per user, per group or per user set.
o Server publishing
Secures access to servers in the internal system and strengthens security for remote access to Outlook Web Access by preventing users who are not allowed to authenticate from contacting the Outlook Web Access server. Remote access is through the SSL connections of SSL VPNs. Creates a firewall and creates the rules for Outlook Web Access SSL connections to the Exchange Server.
o Virtual Private Networking
Automatically configures a site-to-site VPN connection between 2 offices. Extends VPN Client support by allowing Secure NAT access to the Internet without requiring the Firewall Client to be installed on the client machine. Strengthens the company's network security by enforcing user-based or group-based firewall policy on VPN SecureNAT clients.
Easy management
Includes management features to raise the level of network security. Export
Identify who (what) the object is in order to impose the rule:
Action?
What?
From-To
In addition, we set up a break-time schedule from 11:00 to 13:00 during which access to facebook is allowed.
o IP Options
The TCP/IP protocol defines a few IP options that can be used for different purposes in an IP network. Forefront TMG is able to block some IP options, because today not all IP options are used in IP networks and some of them can be used to intrude into the network. By default TMG denies a number of IP options (as in the figure below), and it can deny any IP options we do not want to use.
or from outside in, specifically by starting a query (Start Query) in the Loggings tab.
Example: we use the DC machine (172.16.15.2) to access facebook.com and watch the logging activity.
Figure 88: Detailed record of the attack.
The first thing to notice is that the recorded entries are shown in red, meaning these connections were denied. The external Internet machine 192.168.1.6 used SuperScan 4 to scan ports and was blocked by Forefront under the Default rule.
SuperScan 4's port scan still seems fairly gentle, so next we use Zenmap to scan all ports.
11.3 Remarks
With a clear, user-friendly interface and simple yet effective setup and management tools, Forefront TMG does not require a high level of expertise to configure. It meets the necessary and sufficient conditions for a true firewall tool.
Beyond the features of a software firewall, the standout point of Forefront TMG is that it produces very detailed and specific reports, analyses traffic flows, logs traffic into and out of the network, and displays the status and performance of the hardware, namely CPU and RAM.
However, the biggest drawbacks of Forefront TMG are, besides the licence cost, its high hardware requirements, such as having to be installed on Windows Server 2008 R2 x64 with at least 1 GB of RAM. This software firewall also locks users into its own feature set and is hard to integrate with other firewall systems.
CONCLUSION
Audit (Event Viewer), Snort and Forefront TMG are all programs that define rules and track and monitor the system. A system that sets Audit policies and monitors with Event Viewer works effectively in a domain, monitoring the behaviour of computers and users that are centrally managed in that domain; Snort and Forefront TMG likewise define rules for the system, but work effectively at monitoring and analysing information flows in detail, although there are always differences between them.
FOREFRONT TMG
- Advantages
- Disadvantages
SNORT
-
SNORT APPENDIX
b. Installing Snort
Downloading the packages
Package | Download address | Description
snort-2.8.6.tar.gz | http://www.snort.org/downloads | Snort installation software
snortrules-snapshot-2.8.tar.gz | http://www.snort.org/downloads | Snort rules
# cp * /etc/snort
Create the snort group and the snort user
# groupadd snort
# useradd -g snort snort -s /sbin/nologin
Set ownership so that Snort can write its logs to the log directory
# chown snort:snort /var/log/snort/
d. Configuring Snort's parameters
The configuration file is /etc/snort/snort.conf
# gedit /etc/snort/snort.conf
Edit the following lines and save:
Line 25, declare the internal network
var HOME_NET 192.168.1.0/24
Line 28, declare the external network; any means any network
var EXTERNAL_NET any
Line 60, declare the location of the rules, since the rules are placed in /etc/snort/rules
var RULE_PATH /etc/snort/rules
Line 270, allow log messages to be written to the MySQL database
output database: log, mysql, user=snort password=123 test dbname=snort host=localhost
The meaning of the line above: the database name is snort and the MySQL server is running on localhost. The account used for the database is snort, with password 123.
e. Installing rules for Snort
Extract snortrules-snapshot-2.8.tar.gz
[root@localhost soft]# tar -zxvf snortrules-snapshot-2.8.tar.gz
[root@localhost soft]# cd rules
Copy all rules into the /etc/snort/rules directory
[root@localhost rules]# cp * /etc/snort/rules
f. Configuring Snort to start as a system service
Create a symbolic link from the snort binary to /usr/sbin/snort; the snort binary is located at /usr/local/bin/snort
# ln -s /usr/local/bin/snort /usr/sbin/snort
Snort provides start-up scripts in the rpm/ directory of the extracted snort-2.8.6 directory
[root@localhost soft]# cd snort-2.8.6
[root@localhost snort-2.8.6]# cd rpm
[root@localhost rpm]# cp snortd /etc/init.d
[root@localhost rpm]# cp snort.sysconfig /etc/sysconfig/snort
Set the permissions of the snortd file
# chmod 755 /etc/init.d/snortd
Configure Snort to start automatically
# chkconfig snortd on
Start Snort
Downloading the packages
Package | Download address | Description
adodb508a.tgz | http://sourceforge.net/projects/adodb/files/ | ADODB installation software
base-1.4.4.tar.gz | http://sourceforge.net/projects/secureideas/files/ | BASE installation software
Installing ADODB
# cp adodb508a.tgz /var/www/html/
# cd /var/www/html/
# tar -zxvf adodb508a.tgz
Installing BASE
# cp base-1.4.4.tar.gz /var/www/html/
# cd /var/www/html/
# tar -zxvf base-1.4.4.tar.gz
# mv base-1.4.4/ base/
# cd base
# cp base_conf.php.dist base_conf.php
# gedit base_conf.php
Edit the following lines and save:
Line 57, path to the BASE directory
$BASE_urlpath = '/base';
Line 79, path to the adodb directory
$DBlib_path = '/var/www/html/adodb5';
Line 101, declare the name of the Snort database
$alert_dbname = 'snort';
Line 105, declare the password
$alert_password = '123';
Line 108, change to 1 (an archive database exists)
$archive_exists = 1;
Line 109, declare the archive name
$archive_dbname = 'snort';
Line 113, declare the password
$archive_password = '123';
i. Checking
Make sure the snortd, httpd and mysqld services are all in the started state
OK
Package | Download address | Description
Snort_2_8_6_Installer.exe | http://www.snort.org/downloads | Snort installation software
snortrules-snapshot-2.8.tar.gz | http://www.snort.org/downloads | Snort rules
WinPcap_4_1_1.exe | http://www.winpcap.org/install/default.htm | WinPcap installation software
cd C:\Snort\bin
c:\Snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log
If the error below occurs, delete the file sf_sdf.dll from C:\Snort\lib\snort_dynamicpreprocessor
ERROR: Failed to initialize dynamic preprocessor: SF_SDF (IPV6) version 1.1.1
Fatal Error, Quitting..
Snort installed successfully
Creating a sid for a rule. The sid keyword is used to identify a Snort rule; this information lets output plugins identify the rule easily. This option should be used together with the rev keyword.
Note:
<100 | Reserved for future use
Description
to_client | Response to the client
to_server | Response to the server
from_client | Request from the client
from_server | Request from the server
established |
stateless |
no_stream |
id:<number>;
The id keyword compares the fragment ID field. Its purpose is to detect attacks that use a fixed ID in the IP header.
The flags keyword
flags:[!|*|+]<FSRPAU120>[,<FSRPAU120>];
The flags keyword finds which flag bits are set in TCP. These flag bits are used by many security tools. The flag bits:
F - FIN (LSB in TCP Flags byte)
S - SYN
R - RST
P - PSH
A - ACK
U - URG
1 - Reserved bit 1 (MSB in TCP Flags byte)
2 - Reserved bit 2
0 - No TCP Flags Set
Example:
alert tcp any any -> $HOME_NET any (flags:RP; msg: phat hien RST-PSH;)
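The modifiers in the flags syntax above decide how the listed bits are compared with the packet's TCP flags byte. The Python functions below are an added example, not Snort's code: they use the bit positions listed above (F as the least significant bit, the two reserved bits as the most significant), implement the bare, +, * and ! forms together with the optional ignore list after the comma, and are exercised against constructed flag bytes including the RST-PSH case of the rule example.

```python
"""Evaluation of the Snort `flags` option against a TCP flags byte (added example)."""

# Bit positions as listed above: F is the LSB, reserved bit 1 the MSB.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def letters_to_mask(letters):
    """Convert a string such as 'SA' or '12' into a bit mask; '0' adds no bits."""
    mask = 0
    for ch in letters:
        if ch == "0":
            continue
        if ch not in FLAG_BITS:
            raise ValueError("unknown flag letter: %r" % ch)
        mask |= FLAG_BITS[ch]
    return mask


def parse_flags_option(spec):
    """Split flags text like '+SA,12' into (modifier, test mask, ignore mask)."""
    spec = spec.strip()
    modifier = ""
    if spec[:1] in ("!", "*", "+"):
        modifier, spec = spec[0], spec[1:]
    test_part, _, ignore_part = spec.partition(",")
    return modifier, letters_to_mask(test_part), letters_to_mask(ignore_part)


def flags_match(spec, tcp_flags):
    """True when a packet whose TCP flags byte is `tcp_flags` satisfies `spec`."""
    modifier, test_mask, ignore_mask = parse_flags_option(spec)
    observed = tcp_flags & 0xFF & ~ignore_mask    # bits after the comma are not compared
    if modifier == "":                            # exact: only the listed bits are set
        return observed == test_mask
    if modifier == "+":                           # all listed bits set, others allowed
        return observed & test_mask == test_mask
    if modifier == "*":                           # any listed bit set
        return observed & test_mask != 0
    return observed & test_mask == 0              # "!": none of the listed bits set


def set_flags(tcp_flags):
    """Letters of the bits set in a flags byte, in FSRPAU21 order, for log messages."""
    return "".join(ch for ch in "FSRPAU21" if tcp_flags & FLAG_BITS[ch])


if __name__ == "__main__":
    # Constructed flag bytes: RST+PSH (the rule example above), SYN+ACK, SYN with reserved bits
    for spec, byte in [("RP", 0x0C), ("RP", 0x1C), ("+SA", 0x12), ("*SF", 0x10),
                       ("!A", 0x02), ("S,12", 0xC2), ("0", 0x00)]:
        print("flags:%-5s vs %-5s -> %s" % (spec, set_flags(byte) or "none", flags_match(spec, byte)))
```

The bare form is strict: flags:RP fires on a packet carrying exactly RST and PSH but not on one that also has ACK set, which is why rules that must tolerate extra bits use the + form or list the bits to ignore after the comma.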
The ack keyword
ack: <number>;
The ack keyword checks a TCP acknowledgement number.
The seq keyword
seq:<number>;
The seq keyword checks the TCP sequence number.
The icmp_id keyword
icmp_id:<number>;
This keyword checks for a specific ICMP ID value.
The icmp_seq keyword
icmp_seq:<number>;
Packets received
Packets dropped
Percentage of dropped
Kpackets per second
Mbits per second
Pattern-matching percent
CPU usage
Alerts per second
SYN packets per second
New sessions per second
Deleted sessions per second
Total sessions
Stream faults per second
Stream timeouts
Frag deletes per second
Frag timeouts
Frag faults
FOREFRONT APPENDIX
Installing Forefront TMG 2010
Requirements before installing Forefront:
- Installed on Windows Server 2008 Enterprise Service Pack
Note: when installing on a virtual machine that already has Windows Server Enterprise 2008 x64, the Virtualization feature in BIOS \ Advanced must be enabled, because this feature is off by default; if it is not enabled, an error that the CPU is not compatible with 64-bit is reported.
- Install the Roles and Features:
Download Forefront TMG 2010 from http://technet.microsoft.com/en-us/evalcenter/ee423778.aspx
-