
MINISTRY OF EDUCATION AND TRAINING

HOA SEN UNIVERSITY

FACULTY OF SCIENCE AND TECHNOLOGY

THESIS TITLE:

BUILDING METHODS FOR MONITORING,
EVENT LOGGING AND PERFORMANCE EVALUATION
FOR SYSTEMS

Supervisor: Mr. Lc c Huy
Student group: Nguyn c T, Nguyn Vng Huy
Class: VT071A

June 2010


HOA SEN UNIVERSITY

FACULTY OF SCIENCE AND TECHNOLOGY

GRADUATION PROJECT ASSIGNMENT FORM

1. Each student must write a separate report.
2. This form must be attached as the first page of the report.

Name of student/student group carrying out the project (number of students in the group: 2)
1) Student 1: Nguyn c T
   Class: VT071A
2) Student 2: Nguyn Vng Huy
   Class: VT071A

Major: Computer Networking

Project title: Building methods for monitoring, event logging and performance evaluation for systems

* Initial data:
ISA Server 2006 (Forefront security)
Windows Server 2003, PCs, etc.

* Special requirements:
Simulate the network with Solarwind
Design a hypothetical network system

* Minimum required results:
Logging, controlling and blocking, and optimizing the network system

Date assigned: 15/03/2010

Supervisor's full name: Lc c Huy

Signature:

ABSTRACT

Over the 14 weeks spent on the project "Studying and building methods for monitoring, event logging and performance evaluation for systems", we achieved the following results:
- Grasped and understood the concepts of security and information auditing, and the components of a monitoring system and a firewall.
- The process of building a monitoring system.
- Deployed monitoring and system event logging systems such as Windows Audit, Snort and Forefront TMG 2010.
- Evaluated the working performance of each system model and the factors that affect it.


ACKNOWLEDGEMENTS
We sincerely thank the lecturers in the office of the Faculty of Science and Technology, Hoa Sen University, for giving us the opportunity to carry out this project and for keeping us informed of everything relevant to its progress. We are also grateful for the enthusiastic support and effective advice of our supervisor, Mr. Lc c Huy, and we must not forget to thank the staff in charge of the computer lab.


SUPERVISOR'S COMMENTS


TABLE OF CONTENTS

GRADUATION PROJECT ASSIGNMENT FORM ..... i
ABSTRACT ..... ii
ACKNOWLEDGEMENTS ..... iii
SUPERVISOR'S COMMENTS ..... iv
TABLE OF CONTENTS ..... v
LIST OF FIGURES AND TABLES ..... x
PROBLEM STATEMENT ..... 1
  1. Reasons for Choosing the Topic ..... 1
  2. Objectives to Be Achieved After the Project ..... 1
PART I: OVERVIEW OF CONCEPTS ..... 2
  3. Overview of Information Security ..... 2
    3.1 Information security in brief ..... 2
    3.2 Basic types of attack ..... 2
    3.3 The administrator's duties ..... 3
  4. Overview of Information Auditing ..... 4
    4.1 Information auditing in brief ..... 4
    4.2 Purpose ..... 4
    4.3 Benefits of information auditing ..... 4
    4.4 Role of information auditing ..... 5
  5. Principles of Information Security ..... 8
    5.1 System security strategy ..... 8
    5.2 Network security ..... 9
PART II: SYSTEM MONITORING COMPONENTS ..... 11
  6. IDS and IPS Systems ..... 11
    6.1 IDS (intrusion detection system) ..... 11
      6.1.1 IDS architecture ..... 11
      6.1.2 IDS classification ..... 12
      6.1.3 Intrusion detection mechanisms ..... 15
    6.2 IPS (intrusion prevention system) ..... 17
      6.2.1 IPS architecture ..... 17
      6.2.2 IPS classification ..... 19
      6.2.3 IPS deployment types ..... 20
      6.2.4 IPS intrusion prevention technologies ..... 21
    6.3 Comparing IDS and IPS ..... 24
  7. Understanding Firewall Systems ..... 25
    7.1 Functions ..... 25
    7.2 Firewall components and operating mechanisms ..... 25
      7.2.1 Packet filter (packet-filtering router) ..... 25
      7.2.2 Application gateway (application-level gateway) ..... 26
      7.2.3 Circuit-level gateway ..... 27
    7.3 Limitations of firewalls ..... 27
    7.4 Firewall examples ..... 28
    7.5 Types of attack ..... 30
      7.5.1 Denial of service attacks ..... 30
      7.5.2 Identity spoofing ..... 32
      7.5.3 SMB attacks ..... 34
  8. Factors Affecting System Performance ..... 36
PART III: DEPLOYING THE SYSTEM MODELS ..... 37
  9. Audit Policies ..... 37
    9.1 Overview of event audit policies ..... 37
    9.2 Categories in Event Viewer ..... 39
      9.2.1 Custom view ..... 39
      9.2.2 Windows logs ..... 40
      9.2.3 Applications and Services Logs ..... 41
    9.3 Building and deploying the network model ..... 42
      9.3.1 Lab model used ..... 42
    9.4 Configuring audit policies ..... 42
      9.4.1 Application log ..... 42
      9.4.2 Audit account logon events ..... 43
      9.4.3 Audit account management ..... 45
      9.4.4 Audit directory service access ..... 48
      9.4.5 Audit logon events ..... 50
      9.4.6 Audit object access ..... 52
      9.4.7 Audit policy change ..... 56
      9.4.8 Audit privilege use ..... 57
      9.4.9 Audit process tracking ..... 58
      9.4.10 Audit system events ..... 61
    9.5 Auditing the system from the command line ..... 62
    9.6 Remarks ..... 64
  10. Building a Monitoring System with Snort ..... 65
    10.1 Introduction to Snort ..... 65
    10.2 Snort architecture ..... 65
    10.3 Snort operating modes ..... 67
      10.3.1 Snort as a sniffer ..... 67
      10.3.2 Snort as a packet logger ..... 70
      10.3.3 Snort as a NIDS ..... 70
    10.4 Overview of rules ..... 71
      10.4.1 Structure of a rule ..... 71
      10.4.2 Structure of the header ..... 72
      10.4.3 Structure of the options ..... 73
    10.5 Displaying alerts ..... 74
    10.6 Snort performance ..... 75
    10.7 Snort deployment model ..... 78
    10.8 Attacks inside the local network ..... 79
      10.8.1 ARP cache attack ..... 80
      10.8.2 SMB attack ..... 81
      10.8.3 Smurf attack ..... 82
      10.8.4 Land attack ..... 82
      10.8.5 DoS attack with HTTP POST ..... 82
      10.8.6 Some alert rules ..... 82
    10.9 Remarks ..... 83
  11. Building a Monitoring System with Forefront TMG ..... 84
    11.1 Overview of Forefront TMG ..... 84
      11.1.1 Some new features in Forefront TMG ..... 84
      11.1.2 Characteristics of Forefront TMG ..... 85
    11.2 Deployment model ..... 86
      11.2.1 Configuring the firewall policy ..... 87
      11.2.2 Detecting and blocking attacks ..... 89
      11.2.3 Monitoring traffic ..... 93
      11.2.4 Overall monitoring of system performance ..... 96
      11.2.5 Setting up monitoring reports for the system ..... 97
    11.3 Remarks ..... 100
CONCLUSION ..... 101
APPENDIX: SNORT ..... 102
APPENDIX: FOREFRONT ..... 121
REFERENCES ..... 124

LIST OF FIGURES AND TABLES

Figure 1. IDS architecture ..... 11
Figure 2. Host-based IDS ..... 13
Figure 3. Network-based IDS ..... 14
Figure 4. Building a system with IPS ..... 17
Figure 5. Promiscuous-mode IPS ..... 20
Figure 6. In-line IPS ..... 21
Figure 7. Signature-based IPS ..... 21
Figure 8. Anomaly-based IPS ..... 22
Figure 9. Policy-based IPS ..... 23
Figure 10. Application filter ..... 26
Figure 11. Circuit-level gateway mechanism ..... 27
Figure 12. Single-homed bastion host ..... 29
Figure 13. Dual-homed bastion host ..... 29
Figure 14. Demilitarized zone (DMZ) model ..... 30
Figure 15. Land attack ..... 31
Figure 16. Smurf attack ..... 32
Figure 17. ARP cache spoofing ..... 34
Figure 18. Create Custom View dialog ..... 39
Figure 19. Result view shown under Custom Views ..... 40
Figure 20. Lab deployment model ..... 42
Figure 21. Audit policies ..... 43
Figure 22. Configuring an audit policy ..... 43
Figure 23. Successful account logon ..... 44
Figure 24. Kerberos authentication when a user logs on ..... 44
Figure 25. Account u1 logs on with a wrong password ..... 45
Figure 26. Event recorded for the creation of account u1 ..... 46
Figure 27. Details of the creation of account u1 ..... 46
Figure 28. Information on an account deletion ..... 47
Figure 29. Event recorded for the creation of a group ..... 47
Figure 30. Details of the log file ..... 48
Figure 31. Configuring an audit policy ..... 48
Figure 32. Event recorded when the domains connect to each other ..... 49
Figure 33. Log details as the two domains begin to replicate ..... 49
Figure 34. Active Directory replica synchronization completed ..... 49
Figure 35. Configuring an audit policy ..... 50
Figure 36. Client machine logs on with a wrong password ..... 50
Figure 37. Failed logon event not recorded ..... 51
Figure 38. Recording and reporting a machine accessing the system without authorization ..... 51
Figure 39. Event recorded for u1 ..... 54
Figure 40. Details of account u1 logging on from machine KIT ..... 54
Figure 41. Details of the folders accessed by the user ..... 55
Figure 42. Unauthorized intrusion event recorded ..... 55
Figure 43. Details of the accessing account ..... 56
Figure 44. Event recorded for a change to the Logon/Logoff policy ..... 56
Figure 45. Details of the changed log file ..... 57
Figure 46. Change to Object Access auditing recorded ..... 57
Figure 47. List of rights applied across the whole domain ..... 57
Figure 48. DNS service process created ..... 59
Figure 49. Token assigned to the newly created process ..... 59
Figure 50. Process exit ..... 60
Figure 51. Firewall start event recorded ..... 61
Figure 52. Firewall stop event recorded ..... 62
Figure 53. Audit list from the command line ..... 62
Figure 54. Detailed audit listing from the command line ..... 63
Figure 55. Account logon audit information from the command line ..... 64
Figure 56. Model of the Snort components ..... 65
Figure 57. The snort -W command ..... 68
Figure 58. The snort -v -ix command ..... 68
Figure 59. Client ping example ..... 68
Figure 60. Summary table of packets captured on Windows ..... 69
Figure 61. The snort -vd -ix command ..... 69
Figure 62. The snort -vde -ix command ..... 69
Figure 63. Structure of a rule ..... 71
Figure 64. Rule structure example ..... 71
Figure 65. Structure of the header ..... 72
Figure 66. BASE running ..... 74
Figure 67. Graphical statistics ..... 74
Figure 68. The five most frequent alerts ..... 75
Figure 69. Information on the pinging host ..... 75
Figure 70. IP information ..... 75
Figure 71. Parameters ..... 77
Figure 72. CPU usage while Snort is running ..... 78
Figure 73. IDS deployment ..... 78
Figure 74. Port Monitor ..... 79
Figure 75. Internal attack ..... 79
Figure 76. Victim machine 1 ..... 80
Figure 77. Victim machine 2 ..... 81
Figure 78. Alert ..... 81
Figure 79. Forefront TMG Server deployment model ..... 86
Figure 80. Setting up basic rules for the system ..... 88
Figure 81. Client machine blocked from accessing Facebook ..... 89
Figure 82. Protection functions in the IDS ..... 90
Figure 83. DNS attack filtering ..... 91
Figure 84. Port scan alert appears ..... 91
Figure 85. Enabling the IP Option feature ..... 92
Figure 86. Detailed record of Facebook access ..... 93
Figure 87. Detailed record of Facebook access ..... 94
Figure 88. Detailed record of the attack ..... 95
Figure 89. Alert that inbound traffic is arriving too fast ..... 95
Figure 90. Dashboard ..... 96
Figure 91. Creating a report for 1/6 to 6/6 ..... 97
Figure 92. Exporting the report as HTML ..... 98
Figure 93. Protocol usage statistics ..... 98
Figure 94. User access statistics ..... 99
Figure 95. Statistics of websites accessed ..... 99
Figure 96. Statistics of traffic into and out of the system ..... 99
Figure 97. Overall statistics ..... 100
Figure 98. Snort test model ..... 102
Figure 99. Installation successful ..... 103
Figure 100. service snortd start ..... 105
Figure 101. Not Using PCAP_FRAMES ..... 105
Figure 102. Setup page ..... 108
Figure 103. Create BASE ..... 109
Figure 104. BASE successful ..... 109
Figure 105. BASE interface ..... 109
Figure 106. Search web page ..... 110
Figure 107. IP information ..... 110
Figure 108. The tail -f command ..... 110
Figure 109. Summary table of captured packets ..... 111
Figure 110. Installation Options ..... 112
Figure 111. Not Using PCAP_FRAMES on Windows ..... 113
Figure 112. Error screen on the virtual machine when installing Windows Server 2008 x64 ..... 121
Figure 113. Error installing the Preparation Tool ..... 123

Hoa Sen University

Graduation Thesis

PROBLEM STATEMENT
1. Reasons for Choosing the Topic
This is a highly practical topic, applicable to most systems large and small. Server farms and DMZ systems are both critical areas that demand high stability, safety and security, and must not let any unauthorized flow of information into the system. We therefore have to draw up plans and monitoring methods, log every event of unauthorized intrusion into the system or of access that changes data, and alongside that regularly check and evaluate the system's performance to ensure it stays stable and is not overloaded.

2. Objectives to Be Achieved After the Project
We will have gained a solid understanding of building and deploying methods for monitoring, logging events and evaluating performance for a system.

Building Monitoring Methods,
Event Logging and Performance Evaluation for Systems

Page 1


PART I: OVERVIEW OF CONCEPTS

3. Overview of Information Security
3.1 Information security in brief
Today the Internet has spread and is growing very rapidly. Along with an ever larger and more varied demand for exchanging information and data, advances in telecommunications and information technology keep producing applications that raise the quality and volume of data transmission.
As a result, the concepts and measures for protecting information and data also keep evolving, to guarantee integrity and confidentiality for the storage and transmission of information among networked computers. Confidentiality ensures that data in transit cannot be read by any unauthorized user, and integrity ensures that data in transit is not modified or fabricated by any unauthorized user over the network.

3.2 Basic types of attack
Attacks can be divided into two kinds: passive attacks and active attacks.
- Passive attacks: the attacker's only goal is to capture and steal information. They can learn the sender and receiver from the IP header and gather statistics on the frequency of exchanges and the number and length of messages, but they cannot modify or destroy the content of the data exchanged. This kind of attack is hard to detect, but effective countermeasures exist. An active attack, by contrast, can alter the content of a packet, delete it, reorder it or replay it.
- Active attacks: easy to detect, but far harder to block effectively. In practice, no system, however well protected, can be guaranteed absolutely safe. We therefore need to build security strategies that protect the system step by step.


3.3 The administrator's duties

The field of information security requires the network administrator to keep exploring, researching and deepening new knowledge so as to stay in control of every incident.
At the same time, they must set up strategies for building a security system that is effective and suited to the particular nature of each enterprise's information system.
They must continuously watch and monitor information flows and the volume of access to network resources, propose contingency plans for when the system fails or is attacked, and schedule regular system maintenance to minimize unwanted risk.
They must also keep up to date with new information security technologies and apply them in a balanced and sensible way. These are only the necessary conditions a network administrator must meet to keep the information system safe and secure at the highest level possible.



4. Overview of Information Auditing

4.1 Information auditing in brief
As computer technology has advanced, organizations have become increasingly dependent on computerized information systems to carry out their operations and to maintain and report the information they need.
An information technology audit, or information systems audit, is an examination of the controls within an information technology (IT) infrastructure. An IT audit is the process of collecting and evaluating evidence about an organization's information systems and operations. Evaluating the evidence obtained determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.

4.2 Purpose
The purpose is to evaluate the organization's ability to protect its information and to deliver the right information to authorized parties. An IT audit covers the following:
- The organization's computer systems are available for the business whenever required (availability).
- Information in the systems is disclosed only to authorized users (confidentiality).
- Information provided by the systems is always accurate, reliable and timely (integrity).

4.3 Benefits of information auditing

- Delivers value
One result of a properly conducted audit is sound and accurate information about the state of information as a company resource. The quality of planning and management can therefore be improved, since accurate, relevant information is always available.

- Diagnostic
A characteristic of most monitoring exercises. The diagnostic element identifies strengths and weaknesses; that information can be used to build on the strengths and remove the weaknesses.
- Feedback
Information monitoring is an important element of the feedback process. It is used to determine whether a given input produced the desired output. Monitoring is therefore an evaluation tool that supplies information which can be used to plan and carry out corrective action.
- Training benefit
This benefit is often overlooked. A monitoring exercise is an opportunity to involve staff in the process while teaching them more about the procedures, philosophy and structures that support the use of the company's information resources. Staff come away with a better understanding and a clearer picture of information and its role in the organisation.

4.4 Role of information monitoring

Information is increasingly recognised as a valuable resource that must be managed.
- Personal information management
One result of information monitoring is knowledge of which information sources exist and where they are held, which can increase the use of that information.
The inventory of information is analysed for the usefulness of each source and, on that basis, decisions about retaining or disposing of information can be made.

- Information promotion
Information monitoring raises awareness of information and of how it is disseminated and copied, organised, accessed, protected and stored.
- Management of information activity
Identifying information needs is a very important component of information monitoring. During the exercise the identified sources are evaluated, and those of high value are made known to the users they suit.
- Organisational information management
Developing and providing an IT infrastructure: structured monitoring can include assessments of IT tools that help manage information effectively.
Determining the value and cost of information: not every monitoring exercise includes this stage. Researchers argue that evaluating the cost of information sources should form part of it.
Establishing a register of information entities: a core component of most information monitoring exercises.
Coordinating and implementing an organisational information policy: this can be one outcome of monitoring; monitoring may be carried out precisely to develop and implement such a policy.
Organising information within the information system: monitoring informs the decision on how information sources should be organised.
Planning, developing and continuously evaluating the information system: monitoring should be repeated at regular intervals to evaluate the information system and its sources.

- Corporate information management strategy
Developing information resources improves organisation, strategy and decision making. Information monitoring can contribute significantly to effective information management; it can be regarded as an extremely important information-management tool, because it provides detailed and accurate information about the organisation's information.


5. Information Security Principles

5.1 System security strategy
- Establish and limit user privileges
For each user we must define a policy of specific privileges over network resources. Each class of user has different rights; for example a department head's account has more rights than an employee's, and a lower-level user has fewer still. Separating privileges this way limits the unauthorised access any single user can gain.
- Defence in depth
When building a security system we should not trust and rely on any single protection mechanism, however strong, but create several mutually supporting mechanisms. A multi-layer defence prevents and slows an intruder: because each layer uses a different mechanism, breaking through them all takes a great deal of time, which gives us time to deal with the incident.
- Weakest link
A defence is not solid and secure everywhere, and attackers look for the weakest point of a system to strike, so we must inspect and monitor the system regularly to find and close holes in time. We usually pay more attention to attackers on the network than to someone who physically approaches the system, so physical security is considered our weakest point.
- Diversity of defence
In a large company with many different server systems we should use several different protection measures to raise the complexity and security of those systems; otherwise, once an attacker has penetrated one system, the others are easy to attack.

5.2 Network security

Because no absolutely secure solution exists, we usually combine several levels of protection to form multiple barriers against intrusion. Protecting information on the network is mainly a matter of protecting the information stored in computers.
So, apart from measures against leakage of information in transit, the effort concentrates on building barrier levels from the outside inwards for systems connected to the network.
- Access monitoring
To control and account for access traffic, use of network resources and the rights held over those resources; to restrict, and detect in time, unauthorised access to and use of network resources.
- Accounts and passwords
This is the most common protection method because it is simple, cheap and also very effective. Every user who wants to access the network to use its resources must have an account and password. The network administrator is responsible for managing and controlling all activity on the network and for deciding other users' access rights.
In practice passwords are forgotten or stolen for many reasons, so the administrator is responsible for setting passwords and changing them over time.
- Data encryption
To protect information in transit we use encryption. Data is transformed from a readable form by some algorithm and transformed back at the receiving station.

- Physical protection
Prevent physical access to the system. Traditional measures are usual: strictly forbidding unauthorised persons from entering the network equipment room, locks on computers, or diskless workstations.
- Firewall
Blocks unauthorised intrusion and filters out packets we do not want to send or receive, for whatever reason, to protect a single computer or the whole internal network.
- Administrative work
Keeping the computer network running safely and without incident is the top priority. Network administration must be carried out methodically so that the whole system runs normally during working hours.
In parallel there must be a standby system for hardware or software failures. Plan backups of important data and periodic network maintenance. Establish data security policies, access permissions and working groups on the network. Set up a system and process for identifying and blocking harmful or unwanted information. Build a feedback process for tracking and accounting for incident details and assessing risk. Keep the organisation's technologies and applications constantly up to date.
Continuous improvement as the business environment changes lets the organisation keep information security at an acceptable level of risk, and ensures that information security is always ready to meet the organisation's needs the moment they arise.


PART II: SYSTEM MONITORING COMPONENTS

6. IDS and IPS
6.1 IDS (intrusion detection system)

Figure 1. IDS architecture

6.1.1 IDS architecture
An IDS consists of three main components:
- information collection
- detection
- response
Of the three, the detection (packet analysis) component is the most important, and within it the sensor plays the decisive role.
The sensor is integrated with the data-collection component, an event generator. How data is collected is set by the event-generation policy, which defines the filtering mode for event information.
The event generator (operating system, network, application) supplies a suitable set of policies for events, which may be a record of system events or of network packets. This set of policies, together with the policy information, can be stored inside the protected system or outside it.
The sensor's role is to filter the information and discard data that does not match, so that suspicious actions can be detected. The analyser uses the detection-policy database for this purpose. The database also holds configuration parameters, including the modes of communication with the response system. The sensor has a database of its own as well, holding stored data about potential complex intrusions.
An IDS can be deployed centrally (for example integrated into the firewall) or distributed. A distributed IDS consists of many separate IDSs across a large network, all communicating with one another.
An IDS can probe for and detect attacks on the network. It raises an alarm when it recognises an abnormal intrusion, relying on alerting criteria that allow it to identify attacks. Naturally, to detect attacks, one or more IDSs must be placed appropriately in the network: installed as network devices that monitor traffic on the network, or installed on hosts to watch the operating system and the applications running on it. An IDS must also be able to detect sophisticated attacks that use evasion techniques to slip past the IDS undetected.
6.1.2 Types of IDS
The basic function of an IDS is to detect intruders. The main types are:
- host-based intrusion detection (Host IDS)
- network-based intrusion detection (Network IDS)
- hybrid systems (Hybrid IDS, Distributed IDS)
Each type has its own advantages and disadvantages.

- Host-based intrusion detection (HIDS)

By installing software on every host, a host-based IDS observes all system activity, such as the log files and the network traffic collected on that host. Host-based systems also watch the operating system, recording events and error messages on the host.

Figure 2. Host-based IDS.

Advantages:
- A HIDS analyses traffic before it is encrypted and after it is decrypted.
- It can tell whether an attack succeeded (a NIDS can detect attacks but has no way of knowing whether they succeeded).
- No dedicated IDS hardware is required.
Disadvantages:
- An agent is required on every host to be protected.
- The agent must support many operating systems.
- Network-based intrusion detection (NIDS)

A NIDS places a dedicated IDS on a distinct network segment and watches the traffic passing through that segment. NIDSs can be placed on the critical segments across the network to protect the whole of it.

Figure 3. Network-based IDS.

In the figure, all traffic from the Internet passes through the router and is mirrored to a monitoring port on an IDS. A NIDS normally has a monitoring port plugged into the segment we want to watch. That port is easily overloaded, and some traffic, which may contain attacks against the network, is then missed. The IDS must therefore be placed carefully so that the monitoring port does not saturate.
Advantages:
- A single NIDS can protect most of the network.
- It detects network-based attacks such as port scans or ping sweeps.
Disadvantages:
- It must be installed on a segment where the monitoring ports are not overloaded.
- Watching different parts of the network requires several IDS devices.
- Fragmented traffic (IP datagrams split into several fragments) must be reassembled.
- Analysing the monitored traffic in real time needs substantial CPU and memory.
- Attacks carried inside encrypted communication cannot be detected.

- Hybrid (distributed) IDS

Hybrid IDSs aim to combine the advantages of each type while minimising their limitations. In a hybrid system both the sensors and the hosts report to a central management point.
Besides combining the strengths of the two types, hybrid IDSs can also combine the two detection mechanisms, signature-based and anomaly-based.
6.1.3 Intrusion detection mechanisms
The purpose of an IDS is to alert the administrators when an intrusion is detected. Much as a burglar alarm triggers on movement at a sensor, IDSs have two triggering mechanisms:
- Misuse detection (signature-based)

Misuse detection is also called signature-based detection. It requires signature files to identify intrusive actions; the signature files used in misuse detection are similar to the signature files of antivirus software.
Advantages:
- Fewer false alarms than anomaly detection.
- Watches simple activity for a match against any of the configured signatures.
- Easier to understand and to configure than anomaly-detection systems.
Disadvantages:
- Does not detect new or unknown attacks.
- Does not follow traffic patterns or look for anomalies.
- Does not detect variations of known attacks.
- Managing the signature database is laborious and time-consuming.
- Like a firewall, the sensor must keep state in memory for fast lookup, and that space is limited.

- Anomaly detection (profile-based)

When an anomaly is found, an alert is triggered. Because this form of detection looks for anomalies, the security administrator must define which activities and which traffic count as abnormal.
The administrator can define normal activity by creating user group profiles. Each profile serves as the definition of normal users and normal network activity. If a user strays too far from what the profile defines, the IDS raises an alert.
Advantages:
- Intruders never know whether they will trigger an alert, because they have no access to the profiles used to detect attacks.
- Not based on a fixed set of signatures or on specific known attacks.
Disadvantages:
- No protection during the initial training period.
- Defining normal behaviour is difficult.
- Profiles must be updated frequently as user habits change.
- High initial preparation time.
- False alarms.
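The two triggering mechanisms side by side, as an added example that is not part of the thesis: it runs a handful of illustrative signatures and a per-user request-rate profile over constructed event records (assumed fields: id, user, minute, payload). The signatures, the thresholds and the training data are assumptions made for illustration, not taken from any product.

```python
"""Signature (misuse) detection next to profile (anomaly) detection.

Added example; not the thesis's code. Event records, signatures, profile
thresholds and training data are all constructed here for illustration.
"""
import re
import statistics
from collections import defaultdict

# Misuse detection: a small signature database of (name, pattern over payload).
SIGNATURES = [
    ("dir-traversal", re.compile(r"\.\./")),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE)),
    ("cmd-injection", re.compile(r"[;&|]\s*(cat|id|whoami|nc)\b")),
]

def signature_alerts(events):
    """Return (event id, signature name) for each event whose payload matches a signature."""
    hits = []
    for ev in events:
        for name, rx in SIGNATURES:
            if rx.search(ev["payload"]):
                hits.append((ev["id"], name))
    return hits

# Anomaly detection: learn a per-user profile of requests per minute.
def _per_user_minute(events):
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        counts[ev["user"]][ev["minute"]] += 1
    return counts

def build_profiles(training):
    """Training period: the IDS learns mean and spread of each user's request rate.
    Nothing is protected while this runs (the 'no protection during training' drawback)."""
    profiles = {}
    for user, minutes in _per_user_minute(training).items():
        counts = list(minutes.values())
        profiles[user] = (statistics.mean(counts), statistics.pstdev(counts))
    return profiles

def anomaly_alerts(profiles, events, z=3.0, min_abs=5):
    """Alert when a user's per-minute count exceeds the baseline by z standard
    deviations and by at least min_abs requests (so a flat baseline of 3/min does
    not alert on 4/min). Users with no profile are reported as unknown."""
    alerts = []
    for user, minutes in _per_user_minute(events).items():
        if user not in profiles:
            alerts.append((user, "unknown-user"))
            continue
        mean, stdev = profiles[user]
        for minute, count in minutes.items():
            if count - mean >= max(z * stdev, min_abs):
                alerts.append((user, f"rate {count}/min at minute {minute} (baseline {mean:.1f})"))
    return alerts

# Constructed data: a quiet training window, then a test window containing one
# flood with harmless payloads, one traversal attempt at a normal rate, and an
# account the profile has never seen.
def _mk(i, user, minute, payload="/index.html"):
    return {"id": i, "user": user, "minute": minute, "payload": payload}

TRAINING = []
for _minute in range(10):
    TRAINING += [_mk(len(TRAINING) + k, "alice", _minute) for k in range(3)]               # alice: 3/min
    TRAINING += [_mk(len(TRAINING) + k, "bob", _minute) for k in range(1 + _minute % 2)]  # bob: 1 or 2/min

TEST = [_mk(100 + k, "alice", 20) for k in range(30)]                 # flood, benign payloads
TEST.append(_mk(200, "bob", 20, "/download?file=../../etc/passwd"))   # one malicious request
TEST.append(_mk(201, "mallory", 20))                                 # never profiled

def run():
    """Run both mechanisms over TEST; each catches what the other misses."""
    profiles = build_profiles(TRAINING)
    return signature_alerts(TEST), anomaly_alerts(profiles, TEST)

if __name__ == "__main__":
    sig, anom = run()
    print("signature alerts:", sig)
    print("anomaly alerts:", anom)
```

The signature pass flags only bob's traversal request and says nothing about alice's thirty benign requests in one minute; the profile pass flags alice's rate and the unprofiled account but has no opinion on bob's payload. That split is the reason the hybrid systems above combine the two.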

- Choosing between NIDS and HIDS

Network administrators like us are interested in both NIDS and HIDS, but which fits a given enterprise network best? HIDS gives a complete per-host solution and NIDS a solution for the LAN.
As with antivirus software, HIDS software has to be installed not only on the main servers but on all the clients as well. There is no reason NIDS and HIDS should not be used together in one strong IDS strategy. A NIDS is easily disabled by an intruder, so clearly installing many detection nodes with HIDS is much safer than a single NIDS with a few detection nodes covering one segment.


6.2 IPS (intrusion prevention system)

An IPS (intrusion prevention system) is a newer security technique that combines the advantages of the firewall with those of the intrusion detection system (IDS): it can detect intrusions and attacks and block them automatically.
Most IPSs are placed at the network perimeter, where they can protect every device in the network.

Figure 4. Building a system with an IPS.

6.2.1 IPS architecture
An IPS consists of three main modules:
- Packet analysis module

This module analyses the structure of the information in packets. The network card (NIC) of the monitoring machine is put into promiscuous mode, so every packet passing it is copied and handed to the upper layer. The packet analyser reads the information in each packet and determines what kind of packet it is and which service it belongs to. This information is passed to the attack detection module.

- Attack detection module

This is the most important module in the system: it detects attacks. There are several methods of detecting attacks and intrusions (signature-based IPS, anomaly-based IPS, and so on).
The signature method analyses the system's activity looking for events that match previously known attack patterns. These known patterns are called attack signatures.
Its advantage is fast and accurate detection, which helps the administrator identify security holes in the system. Its disadvantage is that attacks absent from the database, that is, new kinds of attack, are not detected, so the system must constantly be updated with new attack patterns.
- Response module
When there are signs of an attack or intrusion, the detection module signals the response module, which then activates the firewall to block the attack. If this module only raises alerts to the administrators and stops there, the system is called a passive defence.
The response module's functions vary from system to system. Some blocking techniques:
Terminate session
The IPS sends reset packets that tear down the connection at both client and server. The conversation has to start over, the attacker's aim is not achieved and the attack is stopped.

Drop attack
The firewall discards the packet, or blocks an incoming packet, a session or a flow between the attacker and the victim.
Modify firewall policies
Lets the administrator reconfigure the security policy when an attack occurs. The reconfiguration is a temporary change to the access-control policy for the particular user while the administrator is alerted.
Real-time alerting
Sends real-time alerts to the administrator so that they learn the details, characteristics and other information about the attacks.
Log packet
Packet data is stored in the system's log files so that the administrators can follow the traffic flows; the logs are also a source of information that helps the attack detection module operate.
The three modules operate in sequence to form a complete IPS.
An IPS is considered successful if it brings together these qualities: it runs fast and accurately, issues sensible notifications, analyses the whole throughput, senses as much as possible, blocks successfully and has a flexible management policy.
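The three modules in sequence, as an added example rather than the thesis's design or any product's code. Traffic is a list of constructed packet dicts, the firewall is an in-memory block list, and "terminate session" is modelled by returning the two RST segments an in-line IPS would inject; the signature list, the 300-second block duration and the field names are assumptions.

```python
"""An in-line IPS as three modules in sequence: analyse, detect, respond.

Added example; not the thesis's design or any product's code. Traffic is a
list of constructed packet dicts, the firewall is an in-memory block list,
and a 'session reset' is modelled by returning the two RST segments an
in-line IPS would inject. Signatures and the block TTL are assumptions.
"""
from dataclasses import dataclass, field

@dataclass
class Firewall:
    """Default-allow policy plus a list of temporary blocks {src, dport, expires_at}."""
    blocks: list = field(default_factory=list)

    def expire(self, now):
        self.blocks = [b for b in self.blocks if b["expires_at"] > now]

    def allows(self, fields, now):
        self.expire(now)
        return not any(b["src"] == fields["src"] and b["dport"] == fields["dport"]
                       for b in self.blocks)

    def add_temporary_block(self, src, dport, now, ttl):
        """'Modify firewall policy': a change that reverts on its own after ttl seconds."""
        self.blocks.append({"src": src, "dport": dport, "expires_at": now + ttl})

# Illustrative signatures: byte patterns looked for in the payload.
SIGNATURES = {
    b"/cgi-bin/../../": "traversal-in-cgi",
    b"\x90" * 16: "nop-sled",
}

def analyse(pkt):
    """Packet-analysis module: extract the header fields and payload the detector needs."""
    return {"src": pkt["src"], "dst": pkt["dst"], "sport": pkt["sport"], "dport": pkt["dport"],
            "flags": pkt.get("flags", ""), "seq": pkt.get("seq", 0), "ack": pkt.get("ack", 0),
            "payload": pkt.get("payload", b"")}

def detect(fields):
    """Attack-detection module: first matching signature name, or None."""
    for pattern, name in SIGNATURES.items():
        if pattern in fields["payload"]:
            return name
    return None

def tcp_resets(fields):
    """'Terminate session': RST towards the server and RST/ACK towards the client,
    with sequence numbers taken from the offending segment so both ends accept them."""
    end = fields["seq"] + len(fields["payload"])
    to_server = {"src": fields["src"], "dst": fields["dst"], "sport": fields["sport"],
                 "dport": fields["dport"], "flags": "R", "seq": end}
    to_client = {"src": fields["dst"], "dst": fields["src"], "sport": fields["dport"],
                 "dport": fields["sport"], "flags": "RA", "seq": fields["ack"], "ack": end}
    return [to_server, to_client]

def respond(fields, verdict, fw, now, log, alerts, block_ttl=300):
    """Response module: log every packet; on a verdict also alert, change policy, reset and drop."""
    log.append({"t": now, "src": fields["src"], "dst": fields["dst"], "verdict": verdict})
    if verdict is None:
        return "forward", []
    alerts.append(f"{now}: {verdict} from {fields['src']} -> {fields['dst']}:{fields['dport']}")
    fw.add_temporary_block(fields["src"], fields["dport"], now, block_ttl)
    return "drop", tcp_resets(fields)

def process(pkt, fw, now, log, alerts):
    """One packet through the three modules. Policy is consulted first, so a source
    that was blocked earlier is dropped without re-running detection."""
    fields = analyse(pkt)
    if not fw.allows(fields, now):
        log.append({"t": now, "src": fields["src"], "dst": fields["dst"], "verdict": "policy-drop"})
        return "drop", []
    return respond(fields, detect(fields), fw, now, log, alerts)

def run():
    """Constructed session: clean request, attack, clean request while blocked, clean request after expiry."""
    fw, log, alerts = Firewall(), [], []
    base = {"src": "203.0.113.7", "dst": "192.0.2.10", "sport": 40000, "dport": 80,
            "flags": "PA", "seq": 1000, "ack": 5000}
    clean = {**base, "payload": b"GET /index.html HTTP/1.1\r\n"}
    attack = {**base, "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"}
    actions = [process(clean, fw, 0, log, alerts)[0]]
    action, resets = process(attack, fw, 1, log, alerts)
    actions.append(action)
    actions.append(process(clean, fw, 2, log, alerts)[0])     # blocked by the temporary policy
    actions.append(process(clean, fw, 400, log, alerts)[0])   # block expired, forwarded again
    return actions, resets, alerts, log

if __name__ == "__main__":
    print(run())
```

The third request shows the "passive defence" line drawn above: an alert alone would have let it through, while the temporary policy change drops it without a second detection pass, and the fourth request shows that change reverting on its own.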
6.2.2 Types of IPS
- NIPS: sensor devices connected to network segments to watch many hosts.
- HIPS: centrally managed software agents installed on each host. The protected hosts report to the central management console. A HIPS provides per-host detection and protection and needs no special hardware.
6.2.3 IPS deployment modes
- Promiscuous-mode IPS

The IPS sits alongside the firewall, so traffic entering the network passes both the firewall and the IPS. The IPS can inspect the inbound traffic, analyse it and detect signs of intrusion or attack. From this position the promiscuous-mode IPS can manage the firewall, instructing it to block suspicious actions.

Figure 5. Promiscuous-mode IPS

- In-line IPS
The IPS sits in front of the firewall, and traffic must pass through it before reaching the firewall. The main difference from the promiscuous-mode IPS is the added traffic-blocking function, which lets the IPS stop dangerous traffic faster. The price is that traffic in and out of the network is slowed.
With the goal of blocking attacks, an IPS has to operate in real time, so its speed is a very important factor. Intrusion detection must be fast enough to block an attack immediately; if it is not, the attack has already completed and the IPS is pointless.

Figure 6. In-line IPS


6.2.4 IPS blocking technologies
- Signature-based IPS

Figure 7. Signature-based IPS

A signature-based IPS works by creating rules tied to typical intrusion activity. It watches all traffic and compares it against the signature data it holds; when a match is found it alerts the administrator that an attack is under way. Writing signatures requires the administrator to understand attacks and threats thoroughly and to be able to develop signatures that detect the attacks and threats facing the network.
- Anomaly-based IPS

Figure 8. Anomaly-based IPS

An anomaly-based IPS detects on the basis of abnormality, or profiles: it analyses network activity and traffic looking for anomalies, and when it finds one an alert is triggered. An anomaly is any deviation from the usual order, form or rules.
Because this detection looks for anomalies, the security administrator must define which activities and traffic are abnormal. The administrator can define normal activity by creating user group profiles.

- Policy-based IPS

Figure 9. Policy-based IPS

A policy-based IPS reacts, or takes action, when a violation of a configured policy occurs. A policy-based IPS therefore offers one or more preferred methods of blocking.
- Protocol analysis-based IPS

The protocol-analysis approach to intrusion prevention is similar to a signature-based IPS, but it goes deeper into analysing the protocols in the packets. For example, a hacker starts an attack program against a server. First the hacker must send an IP packet with a particular protocol type which, according to the relevant RFC, may carry no data in its payload.
A protocol-analysis IPS detects basic attacks on a number of protocols by:
- checking the protocol's rules to decide whether a packet is legitimate;
- checking the payload content (pattern matching);
- raising warnings about anything abnormal.
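Protocol analysis in the sense just described, as an added example that is not the thesis's code: it parses the fixed 20-byte TCP header defined in RFC 793 and reports flag combinations and header offsets that no conforming stack produces, including the thesis's case of data carried where the protocol normally expects none. The sample segments are constructed inside the block, and the list of checks is illustrative rather than complete.

```python
"""Protocol-analysis checks on raw TCP segments.

Added example, not the thesis's code. It parses the fixed 20-byte TCP header
of RFC 793 and reports header states that a conforming stack never produces.
The sample segments below are constructed; the check list is illustrative.
"""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def parse_tcp(segment):
    """Header fields plus payload; raises ValueError when the fixed header is truncated."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4       # header length in bytes, 20..60
    flags = off_flags & 0x01FF                # NS + CWR ECE URG ACK PSH RST SYN FIN
    payload = segment[data_offset:] if data_offset <= len(segment) else b""
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "data_offset": data_offset,
            "flags": flags, "window": win, "payload": payload}

def protocol_anomalies(segment):
    """Findings about the protocol state itself, independent of any payload signature."""
    try:
        h = parse_tcp(segment)
    except ValueError as e:
        return [str(e)]
    f = h["flags"]
    findings = []
    if h["data_offset"] < 20:
        findings.append("data offset below minimum header length")
    elif h["data_offset"] > len(segment):
        findings.append("data offset beyond end of segment")
    if (f & 0x3F) == 0:
        findings.append("no flags set (NULL scan)")
    if f & SYN and f & FIN:
        findings.append("SYN and FIN both set")
    if (f & (FIN | PSH | URG)) == (FIN | PSH | URG):
        findings.append("FIN+PSH+URG (XMAS scan)")
    if f & SYN and not f & ACK and h["payload"]:
        # The thesis's case: data where the protocol normally carries none.
        # Legitimate only with TCP Fast Open, so it is a warning, not proof of attack.
        findings.append("payload on initial SYN")
    if f & FIN and not f & ACK:
        findings.append("FIN without ACK")       # every post-handshake segment carries ACK
    if h["sport"] == 0 or h["dport"] == 0:
        findings.append("port 0 used")
    return findings

def build_tcp(sport, dport, flags, payload=b"", data_offset_words=5, seq=0, ack=0):
    """Construct a segment for the samples (checksum left zero; nothing is transmitted)."""
    off_flags = (data_offset_words << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0) + payload

SAMPLES = {
    "normal-syn": build_tcp(40000, 80, SYN),
    "normal-data": build_tcp(40000, 80, PSH | ACK, b"GET / HTTP/1.1\r\n"),
    "syn-with-data": build_tcp(40000, 80, SYN, b"\x90" * 8),
    "null-scan": build_tcp(40000, 80, 0),
    "xmas-scan": build_tcp(40000, 80, FIN | PSH | URG),
    "syn-fin": build_tcp(40000, 80, SYN | FIN),
    "bad-offset": build_tcp(40000, 80, ACK, data_offset_words=3),
    "truncated": b"\x00\x50\x00\x50",
}

def scan_samples():
    """Map each sample name to its list of findings (empty for well-formed segments)."""
    return {name: protocol_anomalies(seg) for name, seg in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:14s} {findings or 'ok'}")
```

None of these checks looks at what the payload says; a signature engine would pass the NULL and XMAS probes as harmless because they carry no bytes to match, which is what protocol analysis adds on top of signatures.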

6.3 Comparing IDS and IPS

Today IDS technology is being replaced by IPS solutions. Put simply, an IDS is only an alarm bell that tells the administrator an attack may be happening. With an IPS the administrator not only identifies suspicious traffic when there are signs of attack but also reduces the chance of misclassifying traffic. With an IPS, attacks are cut off as soon as the first signs appear, and it acts according to rules the administrator has set in advance.
With an IDS the set of mechanisms is small, so attacks whose mechanism was not defined in advance may go undetected and succeed, harming the system. In addition, because IDS mechanisms are generic, they produce false alarms that waste the administrator's time and effort. An IPS is built on a great many attack mechanisms and can create new ones to fit new forms of attack, which reduces the network's exposure; the accuracy of an IPS is also higher than that of an IDS. The flip side of blocking in-line is that a false positive no longer costs only the administrator's time: it cuts off legitimate traffic, so IPS rules must be tuned more carefully than IDS alerts.
As an example, if an attacker impersonates a partner, the ISP or a customer and launches a denial-of-service attack, the IDS may detect the attack and the IP of the customer, the ISP or the partner. The IPS, by contrast, detects the signs of the attack from the outset and then locks those traffic flows, and only then can the attack be contained.

7. Firewall Systems

7.1 Function
An Internet firewall (firewall for short) is a component placed between the intranet and the Internet to control all traffic and access between the two:
- The firewall decides which outside services may be reached from inside, and which inside services may be reached by people outside.
- For the firewall to work effectively, all exchanges of information from inside to outside and back must pass through it.
- Only the exchanges permitted by the internal network's security policy may pass through the firewall.

7.2 Firewall components and how they work

7.2.1 Packet filter (packet-filtering router)
The packet filter allows or denies every packet it receives. It examines the whole datagram to decide whether it satisfies one of the packet-filtering rules. These rules are based on the header information of each packet, used to decide whether to pass the packet:
- source IP address
- destination IP address
- transport protocol (TCP, UDP, ICMP, IP tunnel)
- source and destination TCP/UDP port
- ICMP message type
Advantages:
- Low cost, and included in every router.
- Needs no special expertise.
Disadvantages:
- The volume of filtering required is large.
- Rule sets become long, complex and hard to manage.
- The full content of the packet cannot be inspected.

7.2.2 Application-level gateway

This mechanism is designed to tighten control over the kinds of service; it works through proxy services, special programs installed on the gateway for each application. An application gateway is often regarded as a bastion host, because it is specially designed to resist attack from outside. A bastion host incorporates security measures such as:
- The bastion always runs a hardened version of the operating system to resist attacks on the operating system itself.
- Only services that are really necessary and important (telnet, DNS, FTP, ...) are installed on the bastion host; every application left off removes a way of attacking it.
- The proxy is configured to allow access only to certain hosts.
- Each proxy keeps a full record of every connection, which is the basis for tracing and stopping an intruder.

Figure 10. Application filter.

Advantages:
- The administrator has complete control over which applications and services are allowed.
- Very good logging and authentication checks, with an audit log of system access.
- The rule set for an application gateway is easier to configure and check than a packet filter's.
Disadvantages:
- An application gateway is regarded as a software firewall, so in most cases the licence cost is high.

7.2.3 Circuit-level gateway

- Works at the session layer of the OSI model, or at a shim layer between the application and transport layers of the TCP/IP model. A circuit-level gateway simply relays TCP connections without any processing or packet filtering.
- Circuit-level gateways are usually used for outbound connections, where the network administrators genuinely trust the inside users.

Figure 11. Circuit-level gateway mechanism.

Advantage: the system can be configured to provide an application gateway for inbound connections and a circuit gateway for outbound ones. This makes the firewall easy to use for insiders who want direct access to Internet services, while still protecting the internal network from attack from outside.

7.3 Limitations of firewalls

- It can only block intrusion from unwanted information sources whose address parameters have been clearly specified.
- It cannot stop an attack that does not pass through it. "Not passing through it" means it cannot counter an attack arising from information leakage, data that has been stolen illegally, or an attack from inside.
- It cannot counter attacks by programs delivered through e-mail, and it cannot act as a virus scanner: new viruses appear continually, beyond what the firewall can control.

7.4 Firewall examples
- Packet-filtering router

This is the most common filter; it consists of just a packet-filtering router placed between the internal network and the Internet. It has two main functions: forwarding traffic between the two networks, and applying packet-filtering rule sets to allow or deny that traffic.
Advantages:
- Low cost.
- Simple configuration.
Disadvantages:
- Vulnerable to attacks on imperfectly configured filters and to covert attacks under permitted services.
- Every system in the internal network is exposed if the filter stops working because of some failure.
- Higher risk of attack because packets are exchanged directly, passing only through the router.
- Screened host firewall

This system consists of a packet-filtering router and a bastion host. It provides security at both the network layer (packet filtering) and the application layer, so an attack from outside has to get through two tiers of security. It comes in two forms:
o Single-homed bastion host
In this model the bastion host is configured inside the internal network, and the filtering rules on the router are set so that outside systems can only reach the bastion host. Inbound access is blocked by default, and outbound access must be authorised and must originate from the bastion host.

Figure 12. Single-homed bastion host.

o Dual-homed bastion host
Gives higher security, because the system uses two network interfaces: one connects to the Internet side, the other to the internal network. In this model only the bastion host can be reached from the Internet, which limits attacks. It must be configured to stop users logging into the bastion host, because once on the bastion host they could easily reach the internal network.

Figure 13. Dual-homed bastion host


- Demilitarised zone (DMZ)

This system, also called a screened-subnet firewall, consists of two packet-filtering routers and a bastion host. The DMZ is a small isolated network placed between the Internet and the internal network. The outer router resists attacks and controls access into the DMZ; anything going from the DMZ into the internal network must originate from the bastion host. The inner router allows internal systems to reach only the bastion host.

Figure 14. Demilitarised-zone model.

Advantages:
- Three layers of defence hinder an attack.
- The internal network is hidden, because the outer router exposes only the DMZ to the Internet.
- Internal users get safe access outwards, because the inner router advertises only the DMZ to the internal network.
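An added example that serves both the packet-filtering rules of 7.2.1 and the screened-subnet layout just described; it is not the thesis's configuration. The rules use only the header fields a filtering router sees, evaluated first-match with default deny, and the two rule sets model the outer and inner routers of the figure. The addresses are documentation ranges and the rules themselves are assumptions chosen to illustrate the layout.

```python
"""Packet-filtering rules for the screened-subnet (DMZ) layout.

Added example; not the thesis's configuration. Rules see only the header
fields a filtering router sees (addresses, protocol, ports, ICMP type) and
are evaluated first-match with default deny. Addresses are documentation
ranges and the rule sets are assumptions that model the outer and inner
routers of the figure.
"""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "any"
    src: str                    # CIDR
    dst: str                    # CIDR
    dport: object = None        # port, (low, high) range, or None for any
    icmp_type: object = None    # ICMP type, or None for any
    established: bool = False   # TCP only: match reply traffic (ACK set), not new connections

def _port_ok(rule_port, pkt_port):
    if rule_port is None:
        return True
    if isinstance(rule_port, tuple):
        return rule_port[0] <= pkt_port <= rule_port[1]
    return rule_port == pkt_port

def matches(rule, pkt):
    if rule.proto not in ("any", pkt["proto"]):
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.dst):
        return False
    if pkt["proto"] in ("tcp", "udp") and not _port_ok(rule.dport, pkt["dport"]):
        return False
    if pkt["proto"] == "icmp" and rule.icmp_type is not None and rule.icmp_type != pkt["icmp_type"]:
        return False
    if rule.established and not pkt.get("ack", False):
        return False
    return True

def filter_packet(rules, pkt):
    """First matching rule decides; a packet matching no rule is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

INTERNET, DMZ, BASTION, INTERNAL = "0.0.0.0/0", "192.0.2.0/24", "192.0.2.10/32", "10.0.0.0/8"

# Outer router: only the bastion is exposed; nothing ever names the internal range.
OUTER_ROUTER = [
    Rule("allow", "tcp", INTERNET, BASTION, dport=80),
    Rule("allow", "tcp", INTERNET, BASTION, dport=25),
    Rule("allow", "tcp", INTERNET, BASTION, established=True),   # replies to the bastion's own outbound
    Rule("allow", "tcp", BASTION, INTERNET),
    Rule("allow", "icmp", INTERNET, DMZ, icmp_type=8),            # echo request into the DMZ only
]

# Inner router: inside may reach only the bastion; the bastion may only answer.
INNER_ROUTER = [
    Rule("allow", "tcp", INTERNAL, BASTION),
    Rule("allow", "tcp", BASTION, INTERNAL, established=True),
]

def tcp(src, dst, dport, ack=False):
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport, "ack": ack}

def icmp(src, dst, icmp_type):
    return {"proto": "icmp", "src": src, "dst": dst, "icmp_type": icmp_type}

def run():
    """Decision at the router each constructed packet would hit first."""
    return {
        "internet_to_bastion_http":      filter_packet(OUTER_ROUTER, tcp("203.0.113.9", "192.0.2.10", 80)),
        "internet_to_internal_smb":      filter_packet(OUTER_ROUTER, tcp("203.0.113.9", "10.0.0.5", 445)),
        "ping_dmz":                      filter_packet(OUTER_ROUTER, icmp("203.0.113.9", "192.0.2.10", 8)),
        "spoofed_ping_reply_to_dmz":     filter_packet(OUTER_ROUTER, icmp("203.0.113.9", "192.0.2.10", 0)),
        "internal_to_bastion_http":      filter_packet(INNER_ROUTER, tcp("10.0.0.5", "192.0.2.10", 80)),
        "internal_direct_to_internet":   filter_packet(INNER_ROUTER, tcp("10.0.0.5", "203.0.113.9", 80)),
        "bastion_initiates_to_internal": filter_packet(INNER_ROUTER, tcp("192.0.2.10", "10.0.0.5", 445)),
        "bastion_reply_to_internal":     filter_packet(INNER_ROUTER, tcp("192.0.2.10", "10.0.0.5", 50000, ack=True)),
    }

if __name__ == "__main__":
    for name, decision in run().items():
        print(f"{name:32s} {decision}")
```

The "established" test here is the one a stateless filter can make, the ACK bit alone, and it is exactly the weakness listed for packet filters above: an attacker who sets ACK on a probe passes that rule, which is why stateful inspection, which remembers the handshake, replaced this trick in later firewalls.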

7.5 Types of attack

7.5.1 Denial of service attacks
A denial-of-service (DoS) attack can be described as the act of preventing legitimate users from accessing and using a service. It includes flooding the network, breaking connections to a service and so on; the final goal is that the server cannot answer the clients' requests for the service. The distributed denial-of-service attack (DDoS) is another form of DoS attack.

DoS can halt a single computer, a local network or even a very large network. In essence the attacker consumes a large amount of network resources, such as bandwidth and memory, and takes away the ability to serve requests from other clients.
There are two main kinds: resource depletion and bandwidth depletion.
- Resource depletion attacks

A resource depletion attack clogs the service resources on the victim by making it allocate too much, so that the victim's CPU is overloaded and processing is delayed.
The Land attack is one form of resource depletion. The attacker sends the victim many SYN packets whose source and destination address are the same and whose source and destination port are identical.
The aim is to force the victim to send its reply packets to itself, an endless loop of trying to establish a connection. Because the attacker keeps sending, the victim cannot free the resources it ties up replying to itself. Technically, the attacker turns the host's own resources against it.

Figure 15. Land attack


- Bandwidth attacks

A bandwidth depletion attack floods the victim's network with unwanted traffic, so that legitimate users reach the victim's network very slowly, if at all.
The Smurf attack is a form of bandwidth depletion. It needs one important system, an amplifier network. The attacker spoofs the address of the target machine and sends ICMP echo request packets to the whole network (broadcast). All the machines on that network then send ICMP echo replies at once to the machine the attacker wants to hit. The result is that the machine cannot process the volume of traffic in time and hangs.

Figure 16. Smurf attack
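Detection logic for the two attacks just described, added here as an example and not the thesis's code. It runs over constructed packet records carrying the header fields a sensor would extract; the amplifier network, the addresses and the thresholds are assumptions.

```python
"""Detecting the two DoS patterns described above: Land and Smurf.

Added example; not the thesis's code. Packets are constructed records of
the header fields a sensor would extract. The amplifier network, the
addresses and the thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict

def is_land(pkt):
    """Land: a connection request whose source and destination address and port are identical."""
    flags = pkt.get("flags", "")
    return (pkt["proto"] == "tcp" and "S" in flags and "A" not in flags
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])

def smurf_findings(packets, local_net, reply_threshold=20, window=1.0):
    """Smurf is visible from two places:
    - on the amplifier network: an echo request to the directed-broadcast address
      whose source is not local (the spoofed victim address);
    - at the victim: a burst of echo replies from many distinct hosts it never
      sent requests to, inside a short time window.
    Returns a list of (where, detail)."""
    net = ipaddress.ip_network(local_net)
    findings = []
    replies = defaultdict(list)            # victim -> [(time, replier)]
    requested = defaultdict(set)           # source -> {destinations it sent echo requests to}
    for p in packets:
        if p["proto"] != "icmp":
            continue
        src, dst = ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"])
        if p["type"] == 8:                 # echo request
            requested[p["src"]].add(p["dst"])
            if dst == net.broadcast_address and src not in net:
                findings.append(("amplifier", f"broadcast echo request to {dst} spoofed from {src}"))
        elif p["type"] == 0:               # echo reply
            replies[p["dst"]].append((p["t"], p["src"]))
    for victim, seen in replies.items():
        seen.sort()
        for t0, _ in seen:
            burst = [r for t, r in seen if t0 <= t < t0 + window]
            unsolicited = {r for r in burst if r not in requested[victim]}
            if len(unsolicited) >= reply_threshold:
                findings.append(("victim", f"{len(unsolicited)} unsolicited echo replies to {victim} within {window}s"))
                break
    return findings

def sample_traffic():
    """Constructed capture: normal traffic, one Land packet, and a Smurf against
    203.0.113.5 amplified by the 192.0.2.0/24 network."""
    pkts = [
        {"t": 0.0, "proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.10", "sport": 40000, "dport": 80, "flags": "S"},
        {"t": 0.1, "proto": "icmp", "src": "192.0.2.20", "dst": "192.0.2.30", "type": 8},
        {"t": 0.2, "proto": "icmp", "src": "192.0.2.30", "dst": "192.0.2.20", "type": 0},   # solicited reply
        {"t": 0.3, "proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10", "sport": 139, "dport": 139, "flags": "S"},
        {"t": 1.0, "proto": "icmp", "src": "203.0.113.5", "dst": "192.0.2.255", "type": 8},  # spoofed, to broadcast
    ]
    for host in range(1, 41):                                   # 40 amplifiers answer the victim
        pkts.append({"t": 1.0 + host / 1000, "proto": "icmp", "src": f"192.0.2.{host}",
                     "dst": "203.0.113.5", "type": 0})
    return pkts

def analyse(packets, local_net="192.0.2.0/24"):
    """Return (Land packets, Smurf findings)."""
    return [p for p in packets if is_land(p)], smurf_findings(packets, local_net)

if __name__ == "__main__":
    land, smurf = analyse(sample_traffic())
    print("land:", land)
    print("smurf:", smurf)
```

The "amplifier" finding is the one an operator of the abused network can act on (drop echo requests to the directed-broadcast address at the router); the "victim" finding is all the target itself ever sees, since the spoofed request never reaches it.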


7.5.2 Identity spoofing
Network systems use IP addresses to identify themselves, so the IP address is the attacker's first concern. Whenever attackers break into a system they know that system's IP address. Attackers commonly spoof IP addresses to intrude, reconfigure the system, modify information and so on.

Creating new kinds of attack is what attackers aim for, and on today's Internet new attacks may well appear, born from curious and inventive hackers.
Man in the middle is a form of identity spoofing. This attack can pierce a secure VPN connection between a client and an access point. By inserting a fake access point between the client and the real one, the attacker becomes the man in the middle: to the client the attacker poses as the access point, and to the access point as the client.
The attacker forces the client to log in to the access point again; the victim must respond and log in to the access point again, and in turn the access point must answer that the connection succeeded, naturally via the attacker.
To begin the attack, the attacker silently collects the client's important details as it connects to the access point: username, server name, client and server IP addresses, the connection ID, the authentication methods.
The attacker then connects to the access point with a connection request carrying those details, which of course are those of the legitimate client. The access point requests a VPN connection to the client; when the client receives the request it sends the information to set up the connection. The attacker listens to both sides to gather what is needed to respond. Having listened to the whole connection process, the attacker acts: sending spoofed signals with steadily growing packet sizes to throw the legitimate client's connection out of the system, and continuing to send so that the client cannot reconnect (for example, 0x00ffffff). The attacker then walks into the system as a legitimate client.
Against this kind of attack the only recourse is to monitor the system: an IDS set up for it will detect and block the attack.
Some forms of man-in-the-middle attack: ARP cache spoofing, DNS spoofing, session hijacking, and so on.


ARP cache poisoning

ARP is used to find a MAC address when the IP address is already known. The mapping is kept in a table, the ARP cache. To fill it, the host broadcasts a request carrying the IP address to all clients, and the client whose IP address matches answers with a packet carrying its MAC address. Entries in the table expire after a set time, and a client may also change its hardware (NIC), after which the table is updated. ARP's weakness is that replies are not verified at all: a reply from a legitimate client and a reply from a spoofing client are accepted alike.
ARP poisoning is one of the techniques that makes a man-in-the-middle attack possible. The attacker places himself between the client and the router: by poisoning the client, the router's IP address becomes bound to the attacker's MAC address, and by poisoning the router, the client's IP address becomes bound to the attacker's MAC address. In the end every exchange between the client and the router passes through the attacker.

Figure 17. ARP cache poisoning
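Because ARP verifies nothing, detection has to come from watching the bindings a host learns. The following is an added example, not code from the thesis: it keeps the IP-to-MAC table a host would build from ARP replies and reports a binding change, a reply nobody asked for, and one MAC answering for more than one IP, which is exactly the position of the attacker in Figure 17. The packets and MAC addresses are constructed, and 172.16.1.1 as the router is an assumption.

```python
"""Added example, not from the thesis: detecting ARP cache poisoning from a
stream of ARP packets by keeping the IP-to-MAC bindings a host would learn
and reporting when a binding changes, when a reply arrives that nobody asked
for, and when one MAC answers for several IPs. The packets and MAC addresses
are constructed; 172.16.1.1 as the router is an assumption."""
from collections import defaultdict


def arp_poison_alerts(packets, static_bindings=None):
    """packets: dicts with op ('request'/'reply'), sender_ip, sender_mac and,
    for requests, target_ip. static_bindings: known-good ip -> mac pairs
    (for example the router) to start from. Returns alert strings in order."""
    bindings = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    ips_per_mac = defaultdict(set)
    for ip, mac in bindings.items():
        ips_per_mac[mac].add(ip)
    requested = set()   # IPs some host actually asked about
    alerts = []
    for p in packets:
        if p["op"] == "request":
            requested.add(p["target_ip"])
            continue
        ip, mac = p["sender_ip"], p["sender_mac"].lower()
        # A reply nobody requested: gratuitous ARP is normal at boot, but it
        # is also exactly what poisoning tools send.
        if ip not in requested:
            alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        old = bindings.get(ip)
        if old is not None and old != mac:
            alerts.append(f"binding change: {ip} moved from {old} to {mac}")
        bindings[ip] = mac
        ips_per_mac[mac].add(ip)
        # One MAC claiming both the router and a client is the man-in-the-
        # middle position described above.
        if len(ips_per_mac[mac]) > 1:
            alerts.append(f"{mac} claims {sorted(ips_per_mac[mac])}")
    return alerts


ROUTER_IP, ROUTER_MAC = "172.16.1.1", "aa:aa:aa:aa:aa:01"
# Constructed exchange: the client asks for the router, the router answers,
# then an attacker (cc:...:99) answers for the router and for the client.
SAMPLE = [
    {"op": "request", "sender_ip": "172.16.1.20", "sender_mac": "bb:bb:bb:bb:bb:20", "target_ip": ROUTER_IP},
    {"op": "reply", "sender_ip": ROUTER_IP, "sender_mac": ROUTER_MAC},
    {"op": "reply", "sender_ip": ROUTER_IP, "sender_mac": "cc:cc:cc:cc:cc:99"},
    {"op": "reply", "sender_ip": "172.16.1.20", "sender_mac": "cc:cc:cc:cc:cc:99"},
]

if __name__ == "__main__":
    for line in arp_poison_alerts(SAMPLE, {ROUTER_IP: ROUTER_MAC}):
        print(line)
```

Seeding the table with a static binding for the gateway is what makes the first poisoned reply visible immediately; without it the monitor would only notice the second IP claimed by the same MAC.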


7.5.3 SMB attacks
Server Message Block (SMB) is the network protocol that lets Windows share files, directory trees and devices. Through a flaw in it an attacker can execute code remotely on the system, provided file sharing is enabled, and can paralyse the remote machine (the "blue screen of death").
The root cause is the way the srv2.sys driver handles a client request whose "Process Id High" header field contains the character "&". Sending one malformed header field in an SMB 2.0 negotiate request, such as the High value in the Process ID field (\x00\x26), is enough to hang the system. The attack needs no authentication; it only needs to reach port 445. The concern is that port 445 is open by default in the Windows local-area-network configuration.


8. FACTORS AFFECTING SYSTEM PERFORMANCE


Human factors:
Installation and configuration: plan and define a strategy before creating any rule, so that the system's configuration stays correct.
Keeping up to date on the system: the administrator must follow firmware updates for the hardware and upgrades for the software, so that attacks on known holes in the system are prevented.
Physical factors:
Inspect and review the electrical supply on a schedule to avoid unwanted power failures.
Hardware factors:
Install servers that meet the requirements the manufacturer states for the product, to guarantee and maintain stable performance.
Assemble hardware components that are matched and compatible with one another.
Expertise factors:
Complex configuration, or a demand for very specialised expertise, partly hinders the setting up of monitoring mechanisms and also makes the administrator's day-to-day management harder.
Software factors:
For the operating system, make sure it is a clean installation before the firewall is installed and configured, and keep applying the latest patches.
For the applications and software installed on the machine, check for unfamiliar software and remove applications that are no longer needed; do not leave them on the machine for long, because they can expose the system to risk.

PART III: DEPLOYING THE SYSTEM MODELS


9. Audit Policies
9.1 Overview of the audit policies
Definition and default setting of each audit policy:

Audit Account Logon Events
  Definition: Creates an event when a user or computer attempts to authenticate with an AD account. For example, when a user logs on to any computer in the domain, an account logon event is generated.
  Default setting: Both successful and failed account logons are audited.

Audit Logon Events
  Definition: Creates an event when a user logs on to a computer locally or remotely. For example, if a workstation and a server are both configured to audit logon events, the workstation audits the user logging on directly to it; when the user then connects to a shared file on the server, the server records a remote logon. When a user logs on, the DC also records a logon event, because logon scripts and policies are retrieved from the DC.
  Default setting: Both successful and failed logons are audited.

Audit Account Management
  Definition: Audits the creation, deletion or modification of user, group or computer accounts, and password resets for users.
  Default setting: Successful account-management operations are audited.

Audit Directory Service Access
  Definition: Audits the events specified in the SACL (system access control list) of an AD object, which is seen in the object's Advanced Security Settings dialog. Besides defining the audit policy with this setting, auditing must also be configured for the object(s) concerned, through the SACL of one or more objects.
  Default setting: Successful directory-service access is audited, but only for the objects whose SACLs carry audit entries.

Audit Policy Change
  Definition: Audits changes to user-rights assignment policies, audit policies and trust policies.
  Default setting: Successful policy changes are audited.

Audit Privilege Use
  Definition: Audits the use of a privilege or user right. See the explanatory notes for this policy in the Group Policy Management Editor (GPME).
  Default setting: No auditing by default.

Audit System Events
  Definition: Audits restarts, shutdowns and changes to the system that affect the system or the safety of its data.
  Default setting: Both successful and failed system events are audited.

Audit Process Tracking
  Definition: Audits events such as program start and program exit. See the notes for this policy in the GPME.
  Default setting: Successful process-tracking events are audited.

Audit Object Access
  Definition: Audits access to objects such as files, folders, registry keys and printers that carry their own SACL. Besides enabling this policy, the audit entries must be configured in the objects' SACLs.
  Default setting: Successful object access is audited.


9.2 The categories in Event Viewer


9.2.1 Custom views
Pinpointing one particular event in Windows Event Viewer is hard work. A single process can generate a great many different events in a short time, which makes it difficult to isolate the one to examine. Custom views let the user run advanced, saved searches based on a set of filter conditions, so that we can, for example, identify every event that triggers a given error instead of only looking for the error itself.
The Create Custom View dialog is the main interface for building a custom view of the server's events.

Figure 18. The Create Custom View dialog.


First, choose the scope of the events to filter. The Logged drop-down list restricts the events to the last hour, day or week, or to a specific period; a custom time range can also be defined.
In the same dialog the event levels can be selected: Critical, Error, Warning, Information or Verbose.


Events are filtered either by Event Log or by Event Source; the two cannot be combined. With By Log, the drop-down list shows a tree of check boxes for selecting the individual event logs to include in the filter. With By Source, the drop-down list shows a check box for each available event source. Next, enter the event IDs to filter on. If the exact IDs are not known, a range can be given: to filter on event IDs 1 through 99, enter 1-99.

Figure 19. The result view appears under Custom Views
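The filter fields of the dialog combine in a specific way (time window, level, log or source but not both, ID list with ranges and exclusions). The following is an added example, not from the thesis, that applies the same logic to constructed event records so the effect of each field is explicit; the ID syntax it accepts is the dialog's own (IDs and ranges separated by commas, a leading minus sign excludes). The records, their timestamps and the fixed "now" are constructed.

```python
"""Added example, not from the thesis: the filter logic behind an Event
Viewer custom view, applied to constructed event records, so the effect of
each field of the dialog (Logged, Event level, By log / By source, Event
IDs) is explicit. The ID syntax is the one the dialog accepts: IDs and
ranges separated by commas, a leading minus sign excludes (e.g. 1-99,-76)."""
from datetime import datetime, timedelta

LEVELS = ("Critical", "Error", "Warning", "Information", "Verbose")
LAST_HOUR = timedelta(hours=1)


def parse_id_spec(spec):
    """'1-99,4624,-76' -> (include={1..99, 4624}, exclude={76})."""
    include, exclude = set(), set()
    for token in (t.strip() for t in spec.split(",") if t.strip()):
        target = exclude if token.startswith("-") else include
        lo, _, hi = token.lstrip("-").partition("-")
        target.update(range(int(lo), int(hi or lo) + 1))
    return include, exclude


def custom_view(events, *, logged=None, levels=None, by_log=None,
                by_source=None, event_ids=None, now=None):
    """logged: None (any time), a timedelta (the 'last hour/day/week'
    choices) or a (start, end) tuple (custom range). by_log and by_source
    are mutually exclusive, as in the dialog. levels: subset of LEVELS."""
    if by_log and by_source:
        raise ValueError("filter by log or by source, not both")
    now = now or datetime.now()
    if isinstance(logged, timedelta):
        start, end = now - logged, now
    elif logged:
        start, end = logged
    else:
        start, end = datetime.min, datetime.max
    include, exclude = parse_id_spec(event_ids) if event_ids else (None, set())
    matches = []
    for e in events:
        if not start <= e["time"] <= end:
            continue
        if levels and e["level"] not in levels:
            continue
        if by_log and e["log"] not in by_log:
            continue
        if by_source and e["source"] not in by_source:
            continue
        if e["id"] in exclude or (include is not None and e["id"] not in include):
            continue
        matches.append(e)
    return matches


# Constructed records, timestamped relative to a fixed "now" so the run is
# reproducible; the source names are the real providers of these event IDs.
NOW = datetime(2010, 6, 1, 12, 0, 0)
SAMPLE = [
    {"id": 4624, "log": "Security", "source": "Microsoft-Windows-Security-Auditing",
     "level": "Information", "time": NOW - timedelta(minutes=10)},
    {"id": 4625, "log": "Security", "source": "Microsoft-Windows-Security-Auditing",
     "level": "Information", "time": NOW - timedelta(minutes=8)},
    {"id": 4634, "log": "Security", "source": "Microsoft-Windows-Security-Auditing",
     "level": "Information", "time": NOW - timedelta(minutes=5)},
    {"id": 7036, "log": "System", "source": "Service Control Manager",
     "level": "Information", "time": NOW - timedelta(hours=3)},
    {"id": 1000, "log": "Application", "source": "Application Error",
     "level": "Error", "time": NOW - timedelta(minutes=20)},
]

if __name__ == "__main__":
    view = custom_view(SAMPLE, logged=LAST_HOUR, by_log={"Security"},
                       event_ids="4624-4625,-4634", now=NOW)
    print([e["id"] for e in view])
```

Note that an exclusion wins over an inclusion that covers the same ID, which is how the dialog treats "4624-4634,-4634": the logoff events are dropped even though the range contains them.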


9.2.2 Windows logs
The Windows Logs are intended to store events from legacy applications and events that apply to the whole system.
- Application log: contains events logged by applications or programs.
- Security log: contains events such as valid and invalid logon attempts, as well as events related to resource use, such as creating or deleting files or other objects. The administrator decides which events are recorded in the Security log.
- Setup log: contains events related to application setup.
- System log: contains events logged by Windows system components. For example, the failure of a driver or another system component to load at start-up is recorded in the System log. The event types logged by system components are predefined by Windows.
- Forwarded Events log: used to store events collected from remote computers. To collect events from remote computers, an event subscription must be created.
9.2.3 Applications and Services Logs
These logs store events from a single application or component rather than events that affect the whole system.
They fall into four sub-types: Admin, Operational, Analytic and Debug logs. The events in the Admin logs are of particular interest to IT professionals who use Event Viewer to troubleshoot problems, because they tell the reader how to respond to them.
Analytic logs store events that trace a problem, and a large number of events are recorded. Debug logs are used by developers while debugging applications. Both Analytic and Debug logs are hidden and disabled by default.
- Admin: these events are aimed at end users, administrators and support staff. An event in an Admin channel indicates a problem together with a solution, or an action the administrator can take.
- Operational events: used to analyse and diagnose a problem or an occurrence. They can be used to trigger tools or tasks based on the problem or occurrence.
- Analytic events: published in high volume. They describe program operation and indicate problems that cannot be handled by user intervention.
- Debug events: used by developers to troubleshoot problems in their programs.

9.3 Building and deploying the network model


9.3.1 Lab model

Figure 20. The lab topology


Four machines:
- DC (Windows Server 2008): Active Directory installed, domain test.local
- File server (Windows Server 2003): shared folders created and permissions assigned to users
- Router: configured in either of two ways so that the server and client zones can reach each other
  o Method 1: Routing and Remote Access
  o Method 2: server zone in VLAN 1 and clients in VLAN 2, with inter-VLAN routing over a trunk between the two VLANs
- Client (Windows XP): joined to the domain test.local


9.4 Setting up the audit policies
9.4.1 Application log
The Application log records events from third-party applications such as Symantec products or mail applications. The settings in the Application log are the applications' own defaults, so we can only read them, not change them.
The Windows operating system's audit policies are written by default to the Security log. The audit settings are examined and secured through Group Policy.

Figure 21. The audit policies


9.4.2 Audit account logon events
This policy audits every time a user logs on to or off from a computer that validates the account. The simplest case is a user logging on to a computer running Windows XP Professional who is authenticated by a domain controller: since the domain controller validates the user, the event is generated on the domain controller.

Figure 22. Setting the audit policy


A successful user logon produces events 4769 (a Kerberos service ticket was requested) and 4624 (an account was successfully logged on).

Figure 23. Successful account logon


Event 4769 tells which user logged on and at which computer, and it includes the Kerberos authentication. Each 4769 event carries a different Logon GUID.

Figure 24. Kerberos authentication at user logon


Logging on with a wrong password produces event 4771 (Kerberos pre-authentication failed).

Figure 25. Account u1 logs on with a wrong password


9.4.3 Audit account management
This policy audits every event related to the management of accounts (user, group or computer) in the account database of the computer on which auditing is configured. Examples of such events:
- creating a user account
- adding a user to a group
- renaming a user account
- changing the password of a user account

Where users have been delegated the right to create, modify and delete users and groups, this audit lets the administrator monitor what those delegated users do.


Event 4720 is user creation; from it we can see that u1 created kt1.

Figure 26. The account-creation event recorded for u1

Figure 27. Details of the account creation by u1


Event 4726 is user deletion, 4724 is an account password reset.

Figure 28. Details of the account deletion


Group creation is recorded in Event Viewer as well. Event 4727 shows that the user created a security-enabled Global group.

Figure 29. Group-creation event recorded


Figure 30. Details of the log entry
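The events of this section (4720, 4724, 4726, 4727) all name a subject (who acted) and a target (the account acted upon), which is what makes the "u1 created kt1" reading possible. The following is an added example, not code from the thesis: it turns a batch of such events into a timeline and flags two things an administrator watches for, an actor who is not on the delegated-admin list and an account that is created and deleted again within a short time. The events and the DELEGATED set (u1 and administrator) are constructed.

```python
"""Added example, not from the thesis: reconstructing who did what from the
account-management events shown in the lab (4720 user created, 4724 password
reset, 4726 user deleted, 4727 security-enabled global group created), and
flagging an actor outside the delegated-admin list and a short-lived account.
The events and the DELEGATED set are constructed."""
from datetime import datetime, timedelta

ACTIONS = {4720: "created user", 4724: "reset the password of",
           4726: "deleted user", 4727: "created security group"}
DELEGATED = {"u1", "administrator"}   # accounts allowed to manage users (assumption)


def account_management_report(events, short_lived=timedelta(hours=24)):
    """events: dicts with id, time, subject (who acted), target (the account
    acted upon). Returns (timeline, alerts) as lists of strings."""
    timeline, alerts, created_at = [], [], {}
    for e in sorted(events, key=lambda e: e["time"]):
        verb = ACTIONS.get(e["id"])
        if verb is None:            # not an account-management event
            continue
        actor, target = e["subject"], e["target"]
        timeline.append(f"{e['time']:%H:%M} {actor} {verb} {target}")
        if actor not in DELEGATED:
            alerts.append(f"{actor} is not a delegated admin but {verb} {target}")
        if e["id"] == 4720:
            created_at[target] = e["time"]
        elif e["id"] == 4726 and target in created_at:
            age = e["time"] - created_at[target]
            if age <= short_lived:
                alerts.append(f"{target} existed only {age}: created and removed by {actor}")
    return timeline, alerts


# Constructed events: u1 does what the lab shows, then kt1 (not delegated)
# creates a temporary account and removes it half an hour later.
T0 = datetime(2010, 6, 1, 9, 0)
SAMPLE = [
    {"id": 4720, "time": T0, "subject": "u1", "target": "kt1"},
    {"id": 4724, "time": T0 + timedelta(minutes=5), "subject": "u1", "target": "kt1"},
    {"id": 4727, "time": T0 + timedelta(minutes=10), "subject": "u1", "target": "Ketoan"},
    {"id": 4624, "time": T0 + timedelta(minutes=12), "subject": "kt1", "target": "-"},
    {"id": 4720, "time": T0 + timedelta(minutes=30), "subject": "kt1", "target": "tmpadmin"},
    {"id": 4726, "time": T0 + timedelta(hours=1), "subject": "kt1", "target": "tmpadmin"},
]

if __name__ == "__main__":
    timeline, alerts = account_management_report(SAMPLE)
    print("\n".join(timeline + ["--"] + alerts))
```

The short-lived check is the one that needs the whole batch rather than single events: neither the 4720 nor the 4726 is suspicious on its own, only the pair is.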


9.4.4 Audit directory service access
This policy audits events related to user access to Active Directory (AD) objects; the AD object is configured to check user access through its System Access Control List (SACL). An AD object's SACL specifies three things:
- the account (user or group) to be audited
- the kind of access to be audited, such as read, create or modify
- whether successful or failed access to the object is audited

Since every object has its own SACL, the control is very precise.

Figure 31. Setting the audit policy



As an example of these events, there are two domain controllers: the primary one (named DC) and an additional domain controller (named ForeFront).

Figure 32. Connection between the two domain controllers recorded


When the two domain controllers connect and replicate their information and data to each other, two events are recorded: 4932 marks the start of the replication and 4933 its end.

Figure 33. Log details: the two domain controllers begin replicating

Figure 34. Synchronization of an Active Directory replica has ended


9.4.5 Audit logon events


This policy audits every event related to a user logging on, logging off or making a network connection to a computer configured to audit logon events. A typical use is the moment a user logs on to their workstation with a domain user account: the event is generated on the workstation, not on the domain controller, because the workstation is the one performing the audit.

Figure 35. Setting the audit policy


With user logons this policy gives us the same events as Audit account logon events, but in the lab a failed logon was not recorded.

Figure 36. The client logs on with a wrong password


Figure 37. The failed logon is not recorded


While letting the client access the file server to explore the audit scenarios, the router, which had not been joined to the domain, was accidentally used to access the file server; the log then showed error 4625.

Figure 38. An unauthorised machine accessing the system is recorded and reported


The lab figure shows:

Failure Information:
Failure Reason: Unknown user name or bad password

The reported reason is an unknown user name or a wrong password, but the underlying cause is that the machine was not joined to the domain: the router was neither authenticated by the DC nor resolved through DNS, so the system naturally did not know who the router was and reported an error.

Network Information:
Workstation Name: Router
Source Network Address: 172.16.1.3
Source Port: 1033

Scrolling down the notification gives further information about the machine that accessed the system illegitimately: the machine ROUTER, with IP address 172.16.1.3 and port 1033.
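The fields shown above (Failure Reason, Status, Workstation Name, Source Network Address) are what a reviewer keys on, and the Sub Status code says more than the reason text: 0xC0000064 means the user name does not exist, 0xC000006A a wrong password. The following is an added example, not from the thesis: it parses the message body of a 4625 event in the layout of the figure and triages a batch of them, reporting a workstation that is not a known domain member (the Router case) and repeated failures from one address. The event text and the host inventory are constructed; only the Router, 172.16.1.3 and port 1033 values come from the lab.

```python
"""Added example, not from the thesis: parsing the message body of a 4625
"An account failed to log on" event in the layout the lab figure shows, and
triaging a batch of them: a workstation that is not a known domain member
(the Router case above) and repeated failures from one address. The event
text and the host inventory are constructed; only the Router / 172.16.1.3 /
port 1033 values come from the lab."""
from collections import Counter

ROUTER_EVENT = """An account failed to log on.

Subject:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\t-
\tLogon Type:\t\t3

Account For Which Logon Failed:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\tadmin
\tAccount Domain:\t\tROUTER

Failure Information:
\tFailure Reason:\t\tUnknown user name or bad password.
\tStatus:\t\t\t0xc000006d
\tSub Status:\t\t0xc0000064

Network Information:
\tWorkstation Name:\tRouter
\tSource Network Address:\t172.16.1.3
\tSource Port:\t\t1033
"""
# A domain workstation (KIT) guessing a password: same layout, different
# host, address and sub-status.
KIT_EVENT = (ROUTER_EVENT.replace("Router", "KIT").replace("ROUTER", "TEST")
             .replace("172.16.1.3", "172.16.1.20").replace("0xc0000064", "0xc000006a"))

# NTSTATUS sub-status values reported in 4625 (documented by Microsoft).
SUB_STATUS = {"0xc0000064": "user name does not exist",
              "0xc000006a": "wrong password",
              "0xc0000234": "account locked out"}


def parse_event_body(text):
    """Turn 'Section:' lines and tab-indented 'Key:<tabs>Value' lines into
    {section: {key: value}}; free text before any section goes under ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith("\t") and line.endswith(":"):
            current = line[:-1]
            sections[current] = {}
        elif ":" in line:
            key, _, value = line.partition(":")
            sections[current][key.strip()] = value.strip()
        else:
            sections[current].setdefault("_text", []).append(line)
    return sections


def triage(events, domain_hosts, threshold=3):
    """events: parsed 4625 bodies. domain_hosts: upper-case names of machines
    known to be domain members. Returns findings as strings."""
    findings, per_source = [], Counter()
    for ev in events:
        net, fail = ev["Network Information"], ev["Failure Information"]
        ws = net.get("Workstation Name", "-")
        addr = net.get("Source Network Address", "-")
        why = SUB_STATUS.get(fail.get("Sub Status", "").lower(), fail.get("Failure Reason", "?"))
        if ws.upper() not in domain_hosts:
            findings.append(f"non-member host {ws} ({addr}): {why}")
        per_source[addr] += 1
    for addr, n in per_source.items():
        if n >= threshold:
            findings.append(f"{n} failed logons from {addr}: possible password guessing")
    return findings


if __name__ == "__main__":
    batch = [parse_event_body(ROUTER_EVENT)] + [parse_event_body(KIT_EVENT)] * 3
    print("\n".join(triage(batch, {"DC", "FILESERVER", "KIT"})))
```

The host inventory is the part that turns the figure's observation into a rule: the Router entry is only suspicious because the list of domain members says it should not be authenticating at all.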
9.4.6 Audit object access
This policy audits events where a user accesses an object. Objects here can be files, folders, printers, registry keys or Active Directory objects. Normally this level of auditing is not configured; it is needed only when access to a particular resource must be checked.
The system has a File Server, and the File Server folder holds the resources provided to staff, with NTFS permissions configured as follows:
- group Nhansu may only enter, read, modify and delete within the Nhansu folder
- group Ketoan may only enter, read, modify and delete within the Ketoan folder


NTFS permission table

Folder        | Ketoan                                 | Nhansu                                 | File server
Group Ketoan  | enter, read, modify, delete own files  | no access                              |
Group Nhansu  | no access                              | enter, read, modify, delete own files  |

Auditing table

Folder        | Ketoan                                                  | Nhansu                                                  | File server
Group Ketoan  | enter, read, modify, delete own files: Success & Failed | no access: Success                                      | read: Success
Group Nhansu  | no access: Success                                      | enter, read, modify, delete own files: Success & Failed | read: Success

Auditing is enabled on the File server folder to find out who changed anything inside it, whether the change succeeded, and at which machine the person was working at the time.
Configure a GPO linked to the OU that contains the File server's computer account (or deploy the audit policy directly on whichever machine acts as the File server).
On the File server open Local Security Policy, then Audit Policy => Audit Object Access, and select Success and Failure.
When kt1 logs on to the file server, Event Viewer immediately records the event.


Figure 39. Event recorded for u1


Event 5140 (a network share object was accessed) shows which user connected and from which machine.

Figure 40. Details: account u1 connected from machine KIT


Event 4656 (a handle to an object was requested) shows the user entering the Ketoan folder, and 4663 (an attempt was made to access an object) shows the actual access.

Figure 41. Details of the folders accessed by the user


kt1's unauthorised attempt to enter the Nhansu folder is recorded as well.

Figure 42. Unauthorised access attempt recorded

Figure 43. Details of the account that attempted access
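Once the matrix above and the audit entries are in place, the 4656 and 4663 events can be checked against the matrix mechanically. The following is an added example, not code from the thesis: it reviews constructed object-access events from the file server, reports an attempt by a Ketoan account on the Nhansu folder as a blocked attempt, reports a successful access where the matrix says "no access" as an ACL error (the more serious case, since the permission itself is wrong), and records deletions. The folder paths under C:\FileServer, the group memberships and the events are all constructed.

```python
"""Added example, not from the thesis: checking the file server's object-access
events (4656 handle requested, 4663 object accessed) against the NTFS matrix
above, so that an account from one department touching the other department's
folder stands out, and a successful access where the matrix says "no access"
is reported as an ACL error rather than as a blocked attempt. Events, group
memberships and folder paths are constructed."""
SHARE_ROOT = r"C:\FileServer"            # assumed location of the audited folder
ALLOWED = {                              # NTFS matrix: own folder only
    "Ketoan": {SHARE_ROOT + r"\Ketoan"},
    "Nhansu": {SHARE_ROOT + r"\Nhansu"},
}
MEMBERS = {"kt1": "Ketoan", "u1": "Nhansu"}   # constructed group membership


def folder_of(path):
    """Department folder an object name falls under, or None."""
    for folders in ALLOWED.values():
        for folder in folders:
            if path.lower() == folder.lower() or path.lower().startswith(folder.lower() + "\\"):
                return folder
    return None


def review_object_access(events):
    """events: dicts with id, user, object, keyword ('Audit Success' or
    'Audit Failure'), workstation and, for 4663, access (e.g. ReadData,
    DELETE). Returns (severity, description) pairs."""
    findings = []
    for e in events:
        if e["id"] not in (4656, 4663):
            continue
        folder = folder_of(e["object"])
        group = MEMBERS.get(e["user"])
        permitted = folder is not None and group is not None and folder in ALLOWED[group]
        where = f"{e['user']} on {e['object']} from {e['workstation']}"
        if not permitted and e["keyword"] == "Audit Success":
            findings.append(("acl-error", f"{where}: succeeded although the matrix forbids it"))
        elif not permitted:
            findings.append(("denied", f"{where}: attempt blocked"))
        elif e["id"] == 4663 and e.get("access") == "DELETE":
            findings.append(("delete", f"{where}: file deleted"))
    return findings


# Constructed events: kt1 working in Ketoan, kt1 probing Nhansu, u1 reading a
# Ketoan file (which the matrix forbids), kt1 deleting a file, and a 5140
# share-access event that this check ignores.
SAMPLE = [
    {"id": 4656, "user": "kt1", "object": SHARE_ROOT + r"\Ketoan\bao_cao.xls", "keyword": "Audit Success", "workstation": "KIT"},
    {"id": 4663, "user": "kt1", "object": SHARE_ROOT + r"\Ketoan\bao_cao.xls", "keyword": "Audit Success", "workstation": "KIT", "access": "ReadData"},
    {"id": 4656, "user": "kt1", "object": SHARE_ROOT + r"\Nhansu", "keyword": "Audit Failure", "workstation": "KIT"},
    {"id": 4663, "user": "u1", "object": SHARE_ROOT + r"\Ketoan\luong.xls", "keyword": "Audit Success", "workstation": "PC02", "access": "ReadData"},
    {"id": 4663, "user": "kt1", "object": SHARE_ROOT + r"\Ketoan\tmp.txt", "keyword": "Audit Success", "workstation": "KIT", "access": "DELETE"},
    {"id": 5140, "user": "kt1", "object": r"\\FILESERVER\share", "keyword": "Audit Success", "workstation": "KIT"},
]

if __name__ == "__main__":
    for severity, text in review_object_access(SAMPLE):
        print(severity, "-", text)
```

Matching on the folder prefix rather than on the exact object name is what lets one rule cover every file the department creates, and the trailing backslash in the prefix test keeps a folder such as KetoanOld from being mistaken for Ketoan.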


9.4.7 Audit policy change
This policy audits every event related to a change in one of three policy areas on the computer:
- User Rights Assignment
- Audit Policies
- Trust relationships

Setting the Logon/Logoff policy in Local Security Policy is recorded by the system immediately: we see event 4719 (system audit policy was changed).

Figure 44. The change to the Logon/Logoff policy recorded


Figure 45. Details of the log entry

Figure 46. The change to the Object Access audit setting recorded

9.4.8 Audit privilege use


This policy audits events related to the performance of a task controlled by a user right. By default this audit level is not configured on any operating system. The list of user rights is long; it includes:

Figure 47. The list of user rights applied across the domain



9.4.9 Audit process tracking


This policy audits events related to processes on the computer. It determines whether detailed tracking information is audited for events such as program activation, process exit, handle duplication and indirect object access.
When this setting is defined, we can choose to audit successes, failures, or not to audit these events at all. Success audits are generated when the tracked operation succeeds, and failure audits likewise when it fails.
Some related event IDs:
4689: a process has exited
4696: a primary token was assigned to a process after its creation
4688: a new process has been created
First we open the DNS service console and start the service; in the lab figure below, event 4696 is recorded for the process being created, here the DNS service process.
The recorded information includes:
Process Name: C:\Windows\System32\services.exe
Target Process Name: C:\Windows\System32\dns.exe

This reads as follows: services.exe, the service control manager, is the process that assigned the token, and the target process that was actually started is the DNS service, dns.exe.


Figure 48. Creation of the DNS service process


When a process is created, a token is created and assigned to the new process; the kind of token depends on the kind of process. In the lab below, the process created for DNS is assigned a token of type 1:
Token Elevation Type: TokenElevationTypeDefault (1)

The token type also appears in the process-creation event proper, 4688 (a new process has been created), which carries the Token Elevation Type field and is thereby distinguished from the 4696 token-assignment event.

Figure 49. Token assigned to the newly created process



The next lab scenario stops the DNS service; the monitor immediately shows event 4689 (Process Termination) with the following information:
A process has exited.                       // the process has exited
Account Name: DC                            // machine name
Account Domain: TEST                        // domain name
Process Name: C:\Windows\System32\dns.exe   // process name

Figure 50. Process exit


The token elevation types indicate which kind of token was assigned to the new process under the User Account Control policy:
- Type 1 is a full token with no privileges removed or disabled. A full token is used only if User Account Control is disabled, or if the user is the built-in Administrator account or a service account.
- Type 2 is an elevated token with no privileges removed or disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program with Run as administrator. It is also used when an application is configured to always require administrative privileges and the user is a member of the Administrators group.
- Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privileges, and the user does not choose Run as administrator.
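Pairing the 4688 and 4689 events of one process gives its parent, its lifetime and, through the token type above, how much privilege it ran with. The following is an added example, not code from the thesis: it reconstructs those facts from constructed records and flags elevated (type 2) launches by a person's account rather than a service or computer account. The services.exe to dns.exe pair mirrors Figure 48; DC$ as the computer account and the use of a creator process name (the Windows Server 2008 event carries the creator's process ID) are assumptions made for readability.

```python
"""Added example, not from the thesis: pairing process-tracking events 4688
(new process, carrying Token Elevation Type) and 4689 (process exited) to
reconstruct which process started which, how long it lived and which kind of
token it ran with, and flagging elevated (type 2) launches by ordinary user
accounts. Records are constructed; the services.exe -> dns.exe pair mirrors
the lab figure, DC$ as the computer account is an assumption, and 'creator'
is given as a name for readability (the 2008 event carries a creator PID)."""
from datetime import datetime, timedelta

TOKEN_TYPES = {
    1: "full token (UAC off, built-in Administrator or service account)",
    2: "elevated token (Run as administrator / app that always requires elevation)",
    3: "limited token (standard UAC token)",
}


def process_report(events):
    """events: 4688 dicts (time, pid, name, creator, token, account) and
    4689 dicts (time, pid, name). Returns ({pid: summary}, elevated_launches).
    Windows reuses PIDs, so a real tool would also key on the start time."""
    procs, elevated = {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == 4688:
            procs[e["pid"]] = {"name": e["name"], "parent": e["creator"],
                               "token": TOKEN_TYPES[e["token"]],
                               "start": e["time"], "lifetime": None}
            # Service and computer accounts end in '$'; a person's account
            # starting an elevated process is what deserves a look.
            if e["token"] == 2 and not e["account"].endswith("$"):
                elevated.append(f"{e['account']} started {e['name']} elevated from {e['creator']}")
        elif e["id"] == 4689 and e["pid"] in procs:
            procs[e["pid"]]["lifetime"] = e["time"] - procs[e["pid"]]["start"]
    return procs, elevated


# Constructed records: the DNS service started by services.exe and stopped
# 30 seconds later, and user u1 opening an elevated command prompt.
T0 = datetime(2010, 6, 1, 8, 0, 0)
SAMPLE = [
    {"id": 4688, "time": T0, "pid": 1884, "name": r"C:\Windows\System32\dns.exe",
     "creator": r"C:\Windows\System32\services.exe", "token": 1, "account": "DC$"},
    {"id": 4688, "time": T0 + timedelta(minutes=1), "pid": 2500, "name": r"C:\Windows\System32\cmd.exe",
     "creator": r"C:\Windows\explorer.exe", "token": 2, "account": "u1"},
    {"id": 4689, "time": T0 + timedelta(seconds=30), "pid": 1884, "name": r"C:\Windows\System32\dns.exe"},
]

if __name__ == "__main__":
    procs, elevated = process_report(SAMPLE)
    for pid, info in procs.items():
        print(pid, info["name"], "parent:", info["parent"], "lifetime:", info["lifetime"], "|", info["token"])
    print(elevated)
```

A process whose lifetime stays None is still running at the end of the log window, which is the normal state for the cmd.exe entry here and worth listing separately in a real report.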
9.4.10 Audit system events
This policy audits events related to restarting or shutting down the computer. Events concerning the security log and system security are also audited when this policy is enabled. It is a required setting for computers that must be checked not only when such events occur but also when the log itself is cleared.
We verify this policy by starting and stopping the system firewall. First, in services.msc, start the firewall service; the monitoring system immediately shows event 5024 (Other System Events) with the firewall's status:
The Windows Firewall Service has started successfully.

Figure 51. The firewall start recorded


Next the firewall is stopped; similarly, event 5025 (Other System Events) appears with the message:
The Windows Firewall Service has been stopped.

Figure 52. The firewall stop recorded


As its name says, this policy only audits the services and components of the system; components that do not belong to the system are not audited.

9.5 Auditing the system from the command line


The auditpol.exe tool manages the audit policies from the command line. It exists on Windows Server 2008 (not on Windows Server 2003), for viewing and setting the audit sub-categories; it is not to be confused with the Group Policy Object Editor (gpedit.msc).

Figure 53. The audit categories listed on the command line


In terms of features, auditpol covers everything the Audit Policy node of the Group Policy Editor does, but its useful difference from the GPO Editor is that it shows every sub-category within each audit policy, which gives a more precise view of which policies need to be set.
In the labs above, the Audit Policy interface showed nine audit policies without revealing what each one contains; the figure below lists the sub-categories under each corresponding policy.

Figure 54. Detailed audit sub-categories listed on the command line


We set the Account Logon audit policy with the following command (the category name contains a space, so it must be quoted):
auditpol /set /category:"Account Logon" /success:enable
To see the resulting configuration we use:
auditpol /get /category:*


To verify, we let a user log on to the domain; Event Viewer records the Kerberos authentication event, because enabling the Account Logon policy also enabled its Kerberos authentication sub-category.

Figure 55. Account logon audit information on the command line


Between the two tools we should stick to one, to avoid unnecessary confusion. Audit settings made through the GPO are shown by and propagated to auditpol, but settings made with auditpol are not reflected in the GPO, even though both are enforced on the system.

9.6 Remarks
Auditing system events is always an important part of an administrator's work. The individual audit policies are simple, but the skill lies in combining them so that the mix is sensible and effective for each system. Alongside this we must regularly review, classify and filter the event notifications in order to keep track of the system's state and keep it in a safe condition, and to detect unauthorised logons, dangerous risks and errors reported by the system quickly enough to fix them in time.


10. Building a monitoring system with SNORT


10.1 Introducing Snort
Snort is a widely used intrusion-detection tool that supports many operating systems: CentOS, Fedora, Linux, Windows, OpenBSD, Solaris... Snort is a NIDS (Network Intrusion Detection System): it is installed on the network to monitor the packets entering and leaving it. When Snort detects an attack or a probe it can react in various ways, depending on how the network administrator has configured it.
A Snort deployment consists of one or more sensors and a central database server. The sensors can be placed in front of or behind the firewall in order to:
- monitor attacks aimed at the firewall and the network
- record attacks that got through the firewall

10.2 Structure of Snort


Snort is divided into several parts that work together toward one goal: detecting attacks and producing a response in a configured format. A basic Snort IDS consists of the following components:
Packet Decoder
Preprocessors
Detection Engine
Logging and Alerting System
Output Modules
The model of the Snort components:

Figure 56. Model of the Snort components


- Packet Decoder
This component collects packets from the various network interfaces and prepares them to be processed or sent to the detection component. Interfaces include PPP, L2TP, Ethernet, and so on.

- Preprocessors
These are components or plug-ins used with Snort to arrange and modify packets before the detection engine checks whether they are dangerous. Some preprocessors can spot anomalies in packet headers and raise alerts. Preprocessors matter a great deal to an IDS because they prepare the packets for analysis against the rules in the detection engine.
Attackers use many techniques to deceive an IDS, fragmentation among them. Preprocessors are commonly used to defend against such attacks: the Snort preprocessors can reassemble fragments, decode HTTP URIs, reassemble TCP streams, and so on. These functions are an essential part of an IDS.

- Detection Engine
This is the most important component of Snort. The detection engine is responsible for detecting intrusive behaviour in a packet, and it uses the Snort rules to do so. If a packet matches a rule, the corresponding action is taken, typically logging the packet or raising an alert. This component determines Snort's execution time: depending on the capacity of the system and on how many rules are defined, it may take noticeable time to respond to each packet. If the traffic is too heavy while Snort runs in NIDS mode, packets can be dropped and the response time can become inaccurate. The throughput of the detection engine depends on:
  o the number of rules
  o the health of the system Snort runs on
  o the bus speed used
  o the traffic load on the network

The detection engine works differently in each Snort version. In all 1.x versions it stops processing a packet as soon as a rule matches and takes the action that rule specifies, so if a packet matches several rules, only the first rule in the chain is applied and the rest are ignored. That is a problem: a low-priority rule produces a low-priority alert even if a high-priority rule appears later in the chain. Snort version 2 fixed this: every rule is matched against the packet before an alert is generated, and after all rules have been compared, the one with the highest priority generates the alert.
The detection engine in Snort 2.x was completely rewritten for better matching and earlier detection than the previous versions.

- Logging and Alerting System
Depending on what the detection engine finds in the packet, the packet may be used to log the activity or to raise an alert. The logged information is kept in simple text files or in other formats.

- Output Modules
Output modules, or plug-ins, perform various operations depending on how the results produced by the logging and alerting system are to be stored.

10.3 Snort's modes of operation


Snort has three modes of operation: as a sniffer, as a packet logger, or as a NIDS.
10.3.1 Snort as a sniffer
Using Snort as a sniffer lets it capture packets through its sensor. The output of Snort's sniffer mode differs somewhat from that of other sniffers; one nice feature of this mode is the traffic summary printed when the capture ends.
Example of Snort on Windows:
List the available network interfaces:
snort -W

Figure 57. The command snort -W


To use Snort as a sniffer, run:
snort -v -ix
where x is the number of the interface Snort will sniff on.

Figure 58. The command snort -v -ix


Example: the client pings another machine on the network

Figure 59. Client ping example


In sniffer mode Snort produces a summary of the captured packets, broken down by protocol.

Figure 60. Summary of the packets captured on Windows


To see the captured packet data in more detail, use the -d option:
snort -vd -ix

Figure 61. The command snort -vd -ix


With the -e option the most information is provided, including MAC addresses and IP addresses:
snort -vde -ix

Figure 62. The command snort -vde -ix



To save the output to a log file instead of printing it on the console, use:
snort -vde -i1 > C:\log1\temp.log
10.3.2 Snort as a packet logger
After sniffing the packets, the next task is logging them. Logging is simply a matter of adding the -l option followed by the directory in which to store the log files. Snort's default directory is C:\snort\log; another directory can be chosen, for example: snort -l C:\log1.
In this mode Snort collects every packet it sees and stores them in the log directory in a hierarchical layout. Snort writes the packets into ASCII files whose names are derived from the protocol and the port number.
10.3.3 Snort as a NIDS
In a default Snort installation on Windows the configuration file is C:\snort\etc\snort.conf. Alerts are placed in the file alert in the log directory C:\snort\log. Snort exits with an error if the configuration file or the log directory does not exist. In this mode the configuration file must be specified with the -c option:
snort -c c:\snort\etc\snort.conf -l c:\snort\log
With this command line the sniffer information is written by default to the alert file, and a snort.log file is created in the hierarchical layout. If a packet matches a rule, it is logged or an alert is generated; if a packet matches no rule, no alert is generated.
snort -c c:\snort\etc\snort.conf -l c:\snort\log -A console
This command does not write to the alert file, but it does create the snort.log file in the hierarchical layout. The -A option sets the alert mode, and console sends the alerts to the console. Normally the sniffer output does not appear in the command window; with this command we can watch the sniffer output at the same time.

10.4 Overview of rules

Snort is a NIDS that operates on rule sets. Snort rules contain the common signatures used to recognize activity inside and outside the network.
When Snort runs, it reads the prebuilt rule sets, which must be updated regularly. Each rule represents one attack.
For example, rules can be written to watch for port-scan attempts or footprinting (these signs are also called signature-based detection). When a packet reaches the system it is compared against the rule set, and if it matches, Snort reacts.
10.4.1 Structure of a rule
Every rule has two parts: a header and options.

Figure 63. Structure of a rule

A sample rule:

Figure 64. Example of rule structure

The header carries the action the rule will take. The header also holds the criteria for matching the rule against a packet. The options part contains the alert message and information about how that message is used to generate the alert; the options also hold further matching criteria. One rule can detect one or several kinds of intrusion.
10.4.2 Structure of the header

Figure 65. Structure of the header

- Action: the action Snort takes when the detection criteria of a rule match a packet exactly. Typical actions are generating an alert or logging a message. There are five kinds of action:

Action     Description
alert      Generate an alert and write a log entry
log        Log the packet
pass       Ignore the packet
activate   Generate an alert and turn on a dynamic rule
dynamic    Act as a log rule once triggered by an activate rule

- Protocol: the protocol the rule applies to; it can be tcp, udp, icmp or ip.
- Address: the header has two address fields, a source address and a destination address, which are distinguished by the Direction field.
- Direction: separates the source address from the destination address. With a Direction of -> the address on the left is the source and the address on the right is the destination. To apply the rule in both directions, use <> instead of ->.

Example of two-way logging:
log tcp 192.168.1.0/24 any <> 172.16.0.0/24 any
- Port: for TCP or UDP, Port identifies the source and destination ports of the packets the rule applies to. For network-layer protocols such as IP or ICMP, port numbers have no meaning.
Example: analysing the header of a rule
alert tcp any any -> any 80 (content: "yahoo"; msg: "Yahoo Site Access";)
The action here is alert: it fires when TCP traffic from any IP address and port is sent to any IP address on port 80 and the content contains the keyword yahoo. When this happens, meaning some user on the LAN visits a site whose content contains the word yahoo, a "Yahoo Site Access" record is written to the log file.
10.4.3 Structure of the options
A Snort rule can have several options, separated by semicolons (;). An option usually consists of a keyword and an argument, and the argument is passed to the keyword after a colon (:). For example:
msg: "Phat hien xam nhap"
Here msg is the keyword and "Phat hien xam nhap" (intrusion detected) is its argument. Since there are a great many keywords, only a few representative ones are covered here; the option keywords are listed in the appendix.

10.5 Displaying alerts

When a client browses the web, pings, or port-scans the Snort server, BASE records every activity.

Figure 66. BASE running

Figure 67. Graphical statistics

Choose "Most frequent 5 Unique Alerts" to see the five most frequent alerts. "Source address" shows the number of hosts involved.

Figure 68. The five most frequent alerts

Information on the machine that pinged:

Figure 69. Information on the pinging machine

We can also find information on IP addresses outside the network by opening the source address.

Figure 70. IP information

10.6 Snort performance

Snort can monitor the current state of the operating system. The figures it reports carry a lot of meaning; from them we can infer many things and make adjustments as we see fit.
To enable monitoring, open snort.conf and turn on the perfmonitor preprocessor. The performance-monitor preprocessor exposes only a handful of options, which include:
Time: 300 seconds
Flow Stats: INACTIVE
Event Stats: INACTIVE
Max Perf Stats: INACTIVE
Console Mode: ACTIVE
File Mode: /var/log/snort.stats
SnortFile Mode: INACTIVE
Packet Count: 500
These are the lines that can be configured to appear when Snort runs:
preprocessor perfmonitor: time 300 console file /var/log/snort/snort.stats pktcnt 500
preprocessor perfmonitor: time 300 events flow file /var/log/snort/snort.stats max console pktcnt 500
Or, to run it silently and read the results from the log file later:
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 500
The parameters mean:
Time: the interval in seconds between samples. Setting it too low can artificially inflate the values. The default is 300 s.
Console: print to the console. This is enabled by default; output can also go to a file by adding the file parameter.
File <filename>: write the results to the given path. For each sampling run the statistics are written to the file as single values separated by commas.
Pktcnt: the number of packets to process within the interval. Note that if fewer packets are captured than the specified count, no statistics are produced.
Flow: generates a large amount of detail on network traffic flows (ranging from packet lengths to the number of packets per flow, flow volume per port and protocol type, fragmentation counts and some other information).
Events: Snort turns on reporting and displays how many signatures matched. It produces many packaged data sets reflecting the number of signatures that passed, matched, or were verified. There are two kinds, non-qualified events and qualified events, distinguished by flags. This option is especially useful for spotting any mismatch between what is expected and what the given rule set is actually detecting.
Max: makes Snort run at full capacity to maximise efficiency.
On a virtual machine with an 8 GB disk and 512 MB of RAM, the CPU figures while Snort is running are:

Figure 71. Performance figures
CPU Usage: 0.075% (user) 0.337% (sys) 99.588% (idle)
Snort:
VIRT - Virtual Image (kb): 38412 - total virtual memory in use.
RES - Resident size (kb): 18M - physical memory in use.
SHR - Shared Mem size (kb): 2264 - shared memory used by the task.
Every process on CentOS uses an amount of memory that varies with circumstances. Moreover, the memory used by a process can be a combination of shared, physical and virtual memory. While Snort works, attention should be paid to the rules: more rules naturally consume more RAM, so unnecessary default rules should be disabled to lighten the load on the system.
CPU utilisation chart over roughly 8 minutes:

Figure 72. CPU utilisation while Snort is running

10.7 Snort deployment model

Figure 73. IDS deployment

The model uses a switch that supports a "monitoring" port ("SPAN port", "port monitoring", "management port"). With this feature all traffic from the computers attached to the switch is monitored. The IDS needs one network card connected to the switch's monitor port.
When data passes through the switch, the switch simultaneously sends a copy to the monitor port.

Figure 74. Port monitor

10.8 Attacks inside the local network

Figure 75. Internal attacks.

10.8.1 ARP cache attack

The attacker's machine spoofs the MAC address of Victim 1; when Victim 2 opens a remote desktop session to Victim 1, the attacker receives the packets Victim 2 sends to Victim 1. At that point the IDS raises an alert and the administrator's job is to track down the attacking machine.
The ARP spoof preprocessor decodes ARP packets and detects ARP attacks. When its parameters are configured, the preprocessor checks the Ethernet addresses against the addresses carried in the ARP packet. When a mismatch occurs, an alert with GID 112 and SID 4 is generated.
When unicast is specified, the preprocessor also checks unicast ARP requests, raising an alert with GID 112 and SID 1 if one is detected.
preprocessor arpspoof[: -unicast]
preprocessor arpspoof_detect_host: ip mac
Configuration in snort.conf:
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.100.2 00:0C:29:2E:2A:47
preprocessor arpspoof_detect_host: 192.168.100.3 00:0C:29:14:7B:2F
preprocessor arpspoof_detect_host: 192.168.100.21 00:0C:29:D1:BE:1E
preprocessor arpspoof_detect_host: 192.168.100.66 00:0C:29:48:20:C9
Log file configuration:
output alert_csv: /var/log/snort/alert.csv
Note: the indicator of this attack is that one IP must map to exactly one MAC, so the administrator's task is to collect the IP and MAC addresses of the hosts in the system.
The attacker's machine uses the Cain & Abel program to spoof the MACs of the two victim machines in order to sniff the traffic between them.

Hnh 76. My Victim 1

Figure 77. Victim 2

At the same time, the IDS raises an ARP attack alert.

Figure 78. The alert

To see the attacker's MAC address, open the file alert.csv.
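The check the arpspoof preprocessor performs on the configured hosts, as an added example (not the thesis's or Snort's code): it parses the arpspoof_detect_host lines quoted above into an IP to MAC table and compares ARP frames against it. A frame whose sender IP is in the table but carries a different MAC is reported as GID 112 / SID 4, and with the unicast option a unicast ARP request is reported as GID 112 / SID 1, as the text describes. The frame dictionaries, their field names and all frame values below are constructed for this example; 00:0c:29:aa:bb:cc, 00:0c:29:de:ad:00 and 192.168.100.77 do not appear in the thesis.

```python
"""Model of the check the Snort arpspoof preprocessor performs on configured hosts.

Added example, not thesis or Snort code. It reads the arpspoof_detect_host lines
from the snort.conf fragment quoted in the thesis into an IP -> MAC table and
compares constructed ARP frames against it. Frame field names and frame values
are this example's own assumptions, not Snort's data structures.
"""
import re

# The snort.conf lines quoted in section 10.8.1.
SNORT_CONF_FRAGMENT = """\
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.100.2 00:0C:29:2E:2A:47
preprocessor arpspoof_detect_host: 192.168.100.3 00:0C:29:14:7B:2F
preprocessor arpspoof_detect_host: 192.168.100.21 00:0C:29:D1:BE:1E
preprocessor arpspoof_detect_host: 192.168.100.66 00:0C:29:48:20:C9
"""

HOST_LINE = re.compile(r"^preprocessor\s+arpspoof_detect_host:\s*(\S+)\s+([0-9A-Fa-f:]{17})$")
BROADCAST = "ff:ff:ff:ff:ff:ff"


def load_inventory(conf_text):
    """Return {ip: mac} from the arpspoof_detect_host lines; MACs normalised to lower case."""
    table = {}
    for line in conf_text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def check_frames(inventory, frames, unicast=False):
    """Return alert dicts for the frames the preprocessor would flag.

    Each frame: op ('request' or 'reply'), sender_ip, sender_mac, eth_dst.
    SID 4: sender IP is in the table but the MAC differs (cache-overwrite attempt).
    SID 1: an ARP request sent to a unicast Ethernet address (only with unicast=True).
    """
    alerts = []
    for f in frames:
        mac = f["sender_mac"].lower()
        expected = inventory.get(f["sender_ip"])
        if expected is not None and mac != expected:
            alerts.append({"gid": 112, "sid": 4, "ip": f["sender_ip"],
                           "expected": expected, "seen": mac})
        if unicast and f["op"] == "request" and f["eth_dst"].lower() != BROADCAST:
            alerts.append({"gid": 112, "sid": 1, "ip": f["sender_ip"],
                           "expected": BROADCAST, "seen": f["eth_dst"].lower()})
    return alerts


def unchecked_hosts(inventory, frames):
    """Sender IPs with no inventory entry: the preprocessor cannot vouch for these."""
    return sorted({f["sender_ip"] for f in frames if f["sender_ip"] not in inventory})


# Constructed frames for the example (not captured traffic).
SAMPLE_FRAMES = [
    {"op": "reply", "sender_ip": "192.168.100.2", "sender_mac": "00:0c:29:2e:2a:47",
     "eth_dst": "00:0c:29:14:7b:2f"},                      # genuine reply
    {"op": "reply", "sender_ip": "192.168.100.2", "sender_mac": "00:0c:29:aa:bb:cc",
     "eth_dst": "00:0c:29:14:7b:2f"},                      # cache-overwrite attempt
    {"op": "request", "sender_ip": "192.168.100.3", "sender_mac": "00:0c:29:14:7b:2f",
     "eth_dst": "00:0c:29:2e:2a:47"},                      # unicast request
    {"op": "reply", "sender_ip": "192.168.100.77", "sender_mac": "00:0c:29:de:ad:00",
     "eth_dst": BROADCAST},                                 # host missing from the table
]

if __name__ == "__main__":
    inv = load_inventory(SNORT_CONF_FRAGMENT)
    for alert in check_frames(inv, SAMPLE_FRAMES, unicast=True):
        print(alert)
    print("not covered by the inventory:", unchecked_hosts(inv, SAMPLE_FRAMES))
```

The unchecked_hosts result is the practical point behind the note above: a host that is absent from the arpspoof_detect_host table is never checked, so the inventory of IP/MAC pairs has to be complete before the alert means anything.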

10.8.2 SMB attack

- Signature
This attack goes over port 445 and sets the Process ID High field to "\x00\x26", whereas the normal value is "\x00\x00".
- Rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "Tan cong SMB"; content: "|00 26|"; flow:to_server,established; content: "|53 4d 42 20 32 2e 30 30 32 00|"; sid: 1000003;)

10.8.3 Smurf attack

- Signature
This attack floods the target with ICMP ECHO REPLY packets. The main difference from a genuine ICMP ping packet lies in two fields: icmp_id = 0x00 and sequence number = 0x00 (a genuine ping has a non-zero id and sequence number). Attackers also usually enlarge the default ping payload (32 bytes) to flood the victim's network faster.
- Rule
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "Tan cong Smurf Attack"; dsize: >32; icmp_seq: 0; icmp_id: 0; sid: 1000004;)
10.8.4 Land attack
- Signature
A Land attack sends packets whose source and destination addresses are identical. The sameip keyword in the rule options detects it.
- Rule
alert udp any any <> $HOME_NET any (msg: "Land Attack"; sameip;)
10.8.5 DoS with HTTP POST
- Signature
This attack sends a flood of valid data to the server for processing, overflowing the database and congesting the system. Capturing packets with Wireshark to find a signature for this attack, the byte sequence 48 54 54 50 2f 31 2e 31 appears repeatedly.
- Rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "Tan cong DOS"; content: "|48 54 54 50 2f 31 2e 31|"; flow:to_server; sid: 1000005;)
10.8.6 Some alert rules
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "Ping cao hon 100"; dsize: >100; sid: 1000006;)
Detects ping packets larger than 100 bytes.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "Tan cong ping"; content: "|40 00|"; sid: 1000009;)
Detects a ping -f (flood) attack.
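To make the header/option structure of section 10.4 and the rules of section 10.8 concrete, here is an added example that is not code from the thesis or from the Snort project: a small parser for the rule syntax plus a matcher that evaluates the thesis's own rules against constructed packets. It implements only the header fields and the option keywords the thesis rules use (msg, content with |hex| sections, dsize, icmp_seq, icmp_id, sameip, sid); flow is parsed but ignored because there is no TCP state tracking here, and the $HOME_NET / $EXTERNAL_NET values come from the snort.conf settings in the appendix. The packet dictionaries, their field names and the addresses 10.0.0.9 and 192.168.1.5 are this example's own constructions.

```python
"""Parse Snort-style rules and test them against constructed packets.
Added example, not code from the thesis or the Snort project: a minimal model of
the rule header/option structure of sections 10.4 and 10.8. Only the option
keywords the thesis rules use are implemented (msg, content with |hex| sections,
dsize, icmp_seq, icmp_id, sameip, sid); flow is parsed but ignored (no TCP state).
"""
import re
from ipaddress import ip_address, ip_network

# Values the thesis assigns to these variables in snort.conf (appendix, section d).
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "any"}
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

def parse_rule(text):
    """Split a rule into header fields plus an ordered list of (keyword, argument)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: %r" % text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = []
    for raw in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = raw.partition(":")
        options.append((key.strip(), val.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def decode_content(value):
    """Turn a content argument into bytes, expanding |..| hex sections."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(value.split("|")))

def addr_match(spec, ip):
    spec = VARS.get(spec, spec)
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)

def port_match(spec, port):
    return spec == "any" or str(port) == spec

def header_match(rule, pkt):
    """Protocol, addresses and ports; a <> rule is also tried in the reverse direction."""
    if rule["proto"] != pkt["proto"]:
        return False
    def one_way(src, sport, dst, dport):
        return (addr_match(rule["src"], src) and port_match(rule["sport"], sport)
                and addr_match(rule["dst"], dst) and port_match(rule["dport"], dport))
    s, sp, d, dp = pkt["src"], pkt.get("sport", 0), pkt["dst"], pkt.get("dport", 0)
    return one_way(s, sp, d, dp) or (rule["dir"] == "<>" and one_way(d, dp, s, sp))

def compare(spec, value):
    """dsize-style argument: '>32', '<100' or an exact number."""
    spec = spec.replace(" ", "")
    if spec[0] in "<>":
        return value > int(spec[1:]) if spec[0] == ">" else value < int(spec[1:])
    return value == int(spec)

def options_match(rule, pkt):
    payload = pkt.get("payload", b"")
    for key, val in rule["options"]:
        if key == "content" and decode_content(val) not in payload:
            return False
        if key == "dsize" and not compare(val, len(payload)):
            return False
        if key in ("icmp_seq", "icmp_id") and pkt.get(key) != int(val):
            return False
        if key == "sameip" and pkt["src"] != pkt["dst"]:
            return False
    return True  # msg, sid and flow impose no packet test in this model

def evaluate(rules, pkt):
    """Return the msg of every rule whose header and options both match the packet."""
    return [dict(r["options"])["msg"] for r in rules
            if header_match(r, pkt) and options_match(r, pkt)]

# The rules quoted in the thesis, each on one line.
THESIS_RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (content: "yahoo"; msg: "Yahoo Site Access";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "Tan cong SMB"; content: "|00 26|"; '
    'flow:to_server,established; content: "|53 4d 42 20 32 2e 30 30 32 00|"; sid: 1000003;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "Tan cong Smurf Attack"; dsize: >32; '
    'icmp_seq: 0; icmp_id: 0; sid: 1000004;)',
    'alert udp any any <> $HOME_NET any (msg: "Land Attack"; sameip;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "Tan cong DOS"; '
    'content: "|48 54 54 50 2f 31 2e 31|"; flow:to_server; sid: 1000005;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "Ping cao hon 100"; dsize: >100; sid: 1000006;)',
)]

# Constructed packets for the example (not captures from the thesis).
SAMPLE_PACKETS = {
    "smurf_reply": {"proto": "icmp", "src": "10.0.0.9", "dst": "192.168.1.5",
                    "icmp_id": 0, "icmp_seq": 0, "payload": bytes(64)},
    "normal_ping": {"proto": "icmp", "src": "10.0.0.9", "dst": "192.168.1.5",
                    "icmp_id": 1, "icmp_seq": 7, "payload": bytes(range(32))},
    "land": {"proto": "udp", "src": "192.168.1.5", "dst": "192.168.1.5",
             "sport": 53, "dport": 53, "payload": b""},
    # An ordinary request: the DOS rule's bytes spell "HTTP/1.1", so it fires here too.
    "plain_http": {"proto": "tcp", "src": "10.0.0.9", "dst": "192.168.1.5", "sport": 40000,
                   "dport": 80, "payload": b"GET / HTTP/1.1\r\nHost: www.yahoo.com\r\n\r\n"},
}
```

Calling evaluate(THESIS_RULES, SAMPLE_PACKETS["plain_http"]) returns both "Yahoo Site Access" and "Tan cong DOS": the content bytes 48 54 54 50 2f 31 2e 31 decode to the ASCII string HTTP/1.1, which every ordinary HTTP/1.1 request carries, so that rule on its own will alert on normal browsing as well as on the flood it was written for. Rate-based criteria (or Snort's threshold keyword) would be needed to separate the two.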

10.9 Remarks
Snort is an IDS used to watch events that occur on the TCP/IP stack according to rules we define. Snort, like any IDS application, needs a rule set, also called "signatures". Snort can be applied to various network designs, and with its low cost it is the choice of many small and medium-sized companies as well as large ones.
Advantages
- Snort records traffic flows from inside to outside and vice versa in log files we define, which helps the administrator monitor the data.
- Being developed as open source, Snort is completely free.
- The administrator can write rules and combine Snort with other software and hardware such as Cisco, SnortSam, Swatch, and so on.
- The rule set can be optimised and rules developed to interact with the firewall, upgrading Snort to act as an intrusion prevention system (IPS).
Disadvantages
- Snort cannot by itself stop attacks.
- Because Snort's rule set is public, attackers can study the rules and alter their attack signatures to evade Snort's monitoring.
- The rule set still has many shortcomings, so it cannot be used as-is and needs adjustment.
- The rule set cannot be updated in real time.
- An IDS frequently raises false positives, which burden the system administrator because it must be watched continuously.

11. Building a monitoring system with Forefront TMG

11.1 Forefront TMG overview
Forefront TMG builds on the outstanding firewall features of ISA 2006 and adds further protection mechanisms that strengthen the security of a network.
11.1.1 Some new features in Forefront TMG:
- Web anti-malware: part of the Web protection service of Forefront TMG; it scans web pages for viruses, malware and other threats.
- URL filtering: allows or denies access to web sites based on URL categories, such as blacklisted sites or sites with unwholesome content, and also protects business productivity by limiting or blocking access to sites regarded as productivity drains.
- E-mail protection: based on technology integrated from Forefront Protection for Exchange Server 2010. Forefront TMG acts as a relay for SMTP traffic and scans e-mail for viruses, malware and spam.
- HTTPS inspection: allows encrypted HTTPS sessions to be inspected for malware. Specific groups of sites, such as banking sites, can be excluded from inspection for privacy reasons.
- Network Inspection System (NIS): inspects traffic for exploitation of Microsoft vulnerabilities. Based on protocol analysis, NIS can block classes of attacks while minimising false positives. Its protection can be updated as needed.
- Network Address Translation: lets you specify that individual e-mail servers are published on a one-to-one NAT basis.
- Voice over IP: improved VoIP support including SIP traversal, which allows simple deployment of Voice over IP within the system.

11.1.2 Characteristics of Forefront TMG:

- Comprehensive system protection
- Easy management
- Effective system monitoring

We will examine these features to verify whether the claimed characteristics of Forefront TMG really hold. To simplify the analysis we group the features into three main groups representing the three characteristics of Forefront:
- Comprehensive system protection
o Anti-virus, anti-malware
Blocks unwanted web sites flexibly based on IP address, domain name or URL. TMG inspects content while scanning in order to detect malware, since malware and virus infections can also cause delays in delivering content from server to client.
o Firewall & Web Access Policy
Allows connections from a source network to a destination network while protecting against malicious access, by defining policies that allow or deny access to the destination network for individual users or groups.
o Server publishing
Secures access to servers on the internal network and hardens remote access to Outlook Web Access by preventing unauthenticated users from contacting the Outlook Web Access server. Remote access goes through the SSL connections of SSL VPNs. A firewall is set up and rules are created for Outlook Web Access SSL connections to the Exchange Server.
o Virtual Private Networking
Automatically configures site-to-site VPN connections between two offices. Extends VPN client support by letting SecureNAT clients reach the Internet without requiring the Firewall Client to be installed on the client machine. Strengthens the company's network security by enforcing user-based or group-based firewall policy on VPN SecureNAT clients.
- Easy management
Includes management features that raise the level of network security. Configuration data can be exported and imported: it is saved as an .xml file which can then be imported into another server. Products such as virus scanners, management tools, content filters and reporting are built on and integrated with TMG.
- Effective system monitoring
Log monitoring lets you view the firewall, Web Proxy and SMTP Message Screener logs. Sessions can be monitored and filtered by firewall session, and connectivity can be verified by regularly checking whether a given computer or URL is reachable. TMG can be configured to produce reports automatically; the report files can be saved to a designated folder or published as HTML to be viewed in a web browser.

11.2 Deployment model

Figure 79. Forefront TMG Server deployment model

The firewall system is built in two layers:
- The outermost layer uses a hardware firewall, a Cisco router configured with static routes and ACLs to filter packets, with rules that restrict basic inbound and outbound access; at the same time it opens the telnet port so the administrator can reach it, and allows remote desktop connections from outside to inside for convenient administration.
- The second layer uses Forefront TMG as a software firewall, with filtering policies, traffic monitoring and consolidated reports so that the latest information about the system is always available.
For the topic "Studying and building methods for monitoring and event logging", we focus on the following parts of the Forefront TMG system:
11.2.1 Setting up the firewall policy
Access rules in the firewall policy work on the same principle as access control lists in a router. We need to plan deny/allow policies that suit each subject. To build the most effective defence, every rule needs analysis and a strategy; the following questions should be settled before a rule is created:
- Who? Identify the subject (who or what) the rule is imposed on.
- Action? Whether the enforced action is deny or allow.
- What? Which application or protocol is denied or allowed.
- From-To? The direction of the subject's access, from where to where (e.g. internal -> external, or the reverse).
By default, after installation Forefront has one default rule that denies all inbound and outbound access; the Web Access Policy wizard then creates two more rules for us, one for access to the Internet and one blocking malicious applications. We can add further rules, such as allowing DNS resolution, allowing mail via POP3 and SMTP, or denying a specific web site.

Example scenario: create a rule that lets client machines reach facebook.com only during the lunch break (11:00 to 13:00) and denies it outside those hours.

Figure 80. Setting up the basic rules for the system.

Answering the questions, we implement it as follows:
- Subject (Who): group KeToan
- Action: Allow
- Protocol (What): HTTP, HTTPS
- Direction (From - To): from internal to facebook
In addition we define a "break" schedule from 11:00 to 13:00 during which access to facebook is allowed.
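The Who / Action / What / From-To / schedule decision above, as an added example that is not Forefront TMG code: a first-match policy evaluator with the break-time rule placed above the default deny rule. TMG's real engine has more dimensions (networks, user sets, content types, rule ordering in the console); the rule and request shapes here, the group name "Sales" and the sample timestamps are this example's own assumptions. Only KeToan, facebook.com, HTTP/HTTPS, the 11:00 to 13:00 window and the 13:20 denial come from the thesis.

```python
"""First-match access policy with a schedule, modelling the Forefront TMG scenario
in the thesis: group KeToan may reach facebook.com over HTTP/HTTPS only during the
11:00-13:00 break, and the default rule denies everything else.

Added example, not Forefront TMG code. Rule/request shapes, the "Sales" group and
the sample times are assumptions made for this example.
"""
from datetime import datetime, time

ALLOW, DENY = "Allow", "Deny"


def make_rule(name, action, who, what, from_to, schedule=None):
    """who: set of groups or 'all'; what: set of protocols or 'all';
    from_to: (source network, destination site); schedule: (start, end) or None."""
    return {"name": name, "action": action, "who": who, "what": what,
            "from_to": from_to, "schedule": schedule}


def in_schedule(schedule, when):
    """None means always; otherwise the time of day must fall in [start, end)."""
    if schedule is None:
        return True
    start, end = schedule
    return start <= when.time() < end


def rule_matches(rule, req):
    src, dst = rule["from_to"]
    return ((rule["who"] == "all" or req["group"] in rule["who"])
            and (rule["what"] == "all" or req["protocol"] in rule["what"])
            and src in ("all", req["src_net"])
            and dst in ("all", req["dst"])
            and in_schedule(rule["schedule"], req["when"]))


def evaluate(policy, req):
    """Return (action, rule name) of the first matching rule, as a firewall policy does."""
    for rule in policy:
        if rule_matches(rule, req):
            return rule["action"], rule["name"]
    raise ValueError("policy has no catch-all default rule")


def request(group, protocol, dst, when, src_net="internal"):
    return {"group": group, "protocol": protocol, "dst": dst, "src_net": src_net, "when": when}


# Policy mirroring the thesis: the break-time rule sits above the default deny rule.
POLICY = [
    make_rule("Facebook break", ALLOW, {"KeToan"}, {"HTTP", "HTTPS"},
              ("internal", "facebook.com"), (time(11, 0), time(13, 0))),
    make_rule("Default rule", DENY, "all", "all", ("all", "all")),
]

# Constructed sample moments; 13:20 reproduces the denial shown in Figure 81.
NOON = datetime(2010, 6, 3, 12, 0)
BREAK_END = datetime(2010, 6, 3, 13, 0)
AFTER_BREAK = datetime(2010, 6, 3, 13, 20)

if __name__ == "__main__":
    print(evaluate(POLICY, request("KeToan", "HTTPS", "facebook.com", NOON)))
    print(evaluate(POLICY, request("KeToan", "HTTPS", "facebook.com", AFTER_BREAK)))
    print(evaluate(POLICY, request("Sales", "HTTP", "facebook.com", NOON)))
```

The order of the list is the policy: because the default deny rule comes last and matches everything, every request that the break-time rule does not explicitly allow (wrong group, wrong protocol, or outside the window, including exactly 13:00) is denied by it, which is the behaviour seen in Figure 81.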

Figure 81. A client machine denied access to facebook.

The client machine tried to reach Facebook but was denied because the time of access, 13:20 (1:20 PM), was after 13:00; the page shows the name of the Forefront TMG machine (fw.test.local).
By asking these questions to define the problem clearly for each situation, we can build a complete rule set for the system.
11.2.2 Detecting and preventing attacks
- Network Inspection System
NIS inspects the web traffic of internal users and detects and blocks malicious traffic. NIS signatures can be updated from the MMPC (Microsoft Malware Protection Center) as soon as they are released, protecting against attacks and risks.
NIS protects against network vulnerabilities; it does not protect against file-based threats such as viruses and malware. Automatic download and installation of the latest signature set can be enabled.
- Intrusion detection system
In TMG the intrusion detection system (behavioral intrusion detection) works on three mechanisms:
o Common attacks
Common attacks are Ping of Death, UDP bomb and IP half-scan. These protections are not new, but they are the basic baseline settings for most TMG servers.

Figure 82. Protection functions in the IDS.

By default Forefront TMG logs all dropped packets, so that we are notified when an intruder attempts to connect to the firewall. Forefront TMG lets the firewall filter DNS traffic with its integrated DNS filter.
TMG also protects against DNS hostname overflow, DNS length overflow and, if required, DNS zone transfer attempts. If you enable the DNS zone transfer item, TMG denies zone transfers of DNS zones through the firewall.

Figure 83. Filtering DNS attacks

Under Common Attacks, also enable the port scan feature, then use a machine on the Internet side running the SuperScan 4 tool to port-scan the TMG machine and verify that the IDS works. While the attacking machine is scanning, the Alerts tab in Monitoring records a port-scan attack alert from IP address 192.168.1.4.

Figure 84. A port-scan alert appears.

o IP Options
TCP/IP defines several IP options that can be used for various purposes in an IP network. Forefront TMG can block some IP options, since not all of them are used in today's IP networks and some can be used to intrude into a network. By default TMG denies some IP options (as shown below), and other unwanted IP options can be denied as well.

Figure 85. Enabling the IP Options feature.

o IP Fragments
IP fragmentation splits packets that exceed the default maximum size. This setting is off by default and must be enabled with care, because it can break connections: for example, IPsec and L2TP VPN connections that use packets larger than the default size will be blocked immediately.

11.2.3 Traffic monitoring

- Analysing and logging traffic flows (Logging)

To follow in detail what is recorded while traffic passes from inside to outside or from outside to inside, start a query (Start Query) in the Logging tab.
Example: we use the DC machine (172.16.15.2) to browse facebook.com and watch what the logging shows.

Figure 86. Detailed log of the access to facebook.

The log records the following specific details about each object:
o Time: shown in full as day/month/year plus hour, minute and second.
o Source / destination address: 172.16.15.2 queries 172.16.15.1 (the LAN interface) to find the way out to the Internet (facebook.com). Then 172.16.15.1 uses the address 192.168.1.3 (the external interface) to query outward through the default gateway 192.168.1.1.
o Port / protocol: reaching facebook necessarily uses port 80 (HTTP) and port 53 (DNS) for name resolution.
o Action: the connection was allowed.
o Rule applied: the "allow all" rule we created, which allows any connection out to facebook.
o Source/destination network: this access goes from the internal network (Internal) to the Internet (External).
o URL: the domain accessed is http://facebook.com

Figure 87. Detailed log of the access to facebook.

o Workstation name: FW, the machine responsible for monitoring the traffic.
o Domain category: Forefront automatically determines that the queried domain, facebook, belongs to the Blog/Wiki category.
o NAT address: records the address 192.168.1.3.

In a further example we use SuperScan 4 and Zenmap to scan ports.

Figure 88. Detailed log of the attack.
The first thing to notice is that the log entries are shown in red, meaning these connections were denied. The machine on the Internet side, 192.168.1.6, running a SuperScan 4 port scan was blocked by Forefront's Default rule.
SuperScan 4's port scan seems rather gentle, however, so next we use Zenmap to scan all ports.

Figure 89. Alert: incoming traffic too fast.

Forefront apparently has some difficulty filtering the packets because Zenmap scans every TCP port and the packets arrive faster than it can process them, but on the whole the scan still cannot slip past Forefront's control.
11.2.4 Overview of system performance

Figure 90. The Dashboard

This is another of Forefront's new and quite useful features. The Dashboard gives us a summary of items such as:
- Alerts: records attack alerts and problems encountered.
- Sessions: records firewall sessions.
- Protection Technology: shows the protection features of the system.
- Services: shows the services in use on the system.
- System Performance: live CPU and RAM usage.

11.2.5 Setting up monitoring reports for the system

With Forefront TMG reports we can build a consolidated profile of typical usage patterns and summarise and analyse the logged information. For example, we can determine:
o Who accessed web sites, and which sites were accessed.
o Which protocols and applications are used most often.
o Overall traffic patterns.
o Malware activity.
o URL filtering.
o Network Inspection activity.
There are two kinds of report:
One-time reports for a specified period. These give a specific, detailed view of the activity logged by Forefront TMG over any chosen interval.
Recurring report jobs. Reports can be scheduled to run automatically on a daily, weekly or monthly basis. The periods available for these reports are more structured than those of one-time reports.
We create a report for the period from 1 June to 6 June to get a comprehensive picture of the system.

Figure 91. Creating a report from 1/6 to 6/6.


Choose Generate and View Selected Report to export the report as HTML.

Figure 92. Exporting the report as HTML.

Browse the summary section to follow the key reports; the summary shows the representative items of each report section, including:

Figure 93. Statistics on protocols used

Figure 94. Statistics on users' access.

Figure 95. Statistics on web sites visited.

Figure 96. Statistics on traffic in and out of the system.

Figure 97. Overall statistics.

11.3 Remarks
With a clear, user-friendly interface and simple yet effective setup and management tools, Forefront TMG does not demand a high level of expertise to configure. It meets the necessary and sufficient conditions for a real firewall product.
Beyond the features of a software firewall, Forefront TMG's strong point is its detailed and specific reports: it analyses traffic flows, logs traffic in and out of the network, and shows the status and performance of the hardware, namely CPU and RAM.
Its biggest drawbacks, however, are the licence cost and the high hardware requirements, such as having to be installed on Windows Server 2008 R2 x64 with more than 1 GB of RAM. This software firewall also locks users into its own feature set and is hard to integrate with other firewall systems.

CONCLUSION
Audit (Event Viewer), Snort and Forefront TMG are all programs for defining rules and watching over and monitoring a system. An audit policy monitored through Event Viewer works effectively in a domain, watching the behaviour of computers and users that are centrally managed in that domain. Snort and Forefront TMG also define rules for the system, but they excel at monitoring and analysing traffic in detail; there are, however, always differences between them.

FOREFRONT TMG
- Advantages:
  Provides a user-friendly interface.
  A neat and flexible rule-set manager.
  Produces varied, detailed reports.
  Enhances the features improved from ISA and adds entirely new ones such as NIS.
- Disadvantages:
  High hardware requirements.
  Licence fees must be paid.
  Limits administrators in building rule sets.
  Cannot be integrated with other systems.

SNORT
- Advantages:
  A simple interface.
  No high hardware requirements.
  Runs on an open-source platform (Unix), so no licence fees.
  Extensible: rules can be customised for administration and integrated with other systems.
- Disadvantages:
  Managing the configured rules is very difficult.
  Requires a highly knowledgeable administrator.
  Demands a careful strategy before rules are written.

SNORT APPENDIX

Figure 98. Snort test model

1. Installing Snort on CentOS 5.4
a. Packages to install
For Snort to work well, install the supporting packages:
Web server: php, php-gd, php-mysql, httpd, php-pear, mod_ssl (provides HTTP and HTTPS with encryption for Apache), gd (the gd library used by php).
MySQL database: mysql, mysql-server, mysql-devel, php-mysql, mysql-bench.
yum extensions: yum-utils.
C and C++ compilers: gcc, gcc-c++.
And the packages pcre-devel, distcache-devel, glib2-devel, libpcap-devel.
There are two ways to install them:
1. One package at a time:
# yum install mysql
2. All packages in one command (separated by spaces):
# yum install mysql mysql-devel mysql-bench mysql-server
Also install the development groups:
# yum groupinstall "Development Tools"
# yum groupinstall "Development Libraries"
# yum groupinstall "MySQL Database"

b. Installing Snort
Download the packages:
Package                         Download address                Description
snort-2.8.6.tar.gz              http://www.snort.org/downloads  Snort installer
snortrules-snapshot-2.8.tar.gz  http://www.snort.org/downloads  Snort rules

Put both packages in the folder soft on the CentOS Desktop, giving the path root/Desktop/soft. Extract with tar zxvf for .tar.gz files:
[root@localhost ~]# cd Desktop/soft/
[root@localhost soft]# tar -zxvf snort-2.8.6.tar.gz
After extraction, enter the directory snort-2.8.6 and run:
# ./configure --with-mysql --enable-dynamicplugin
The ./configure --with-mysql --enable-dynamicplugin command checks that the dependencies are installed; only when it finishes without errors can make be run.
# make && make install
make compiles Snort into executables, but they remain in the current directory.
make install copies the executables to their proper locations on the system. If no error is reported, the package has been installed.
After a successful installation, snort -V shows the installed Snort version.

Figure 99. Successful installation


c. Configuring Snort's directories
Create the directories for the configuration file and the rules:
# mkdir /etc/snort
# mkdir /etc/snort/rules
Create the directory for the log files:
# mkdir /var/log/snort
Enter the etc directory inside the snort-2.8.6 source tree:
[root@localhost snort-2.8.6]# cd etc/
[root@localhost etc]#
Copy the configuration files into /etc/snort:
# cp * /etc/snort
Create the snort group and user:
# groupadd snort
# useradd -g snort snort -s /sbin/nologin
Set ownership so that Snort can write logs to the log directory:
# chown snort:snort /var/log/snort/
d. Configuring Snort's parameters
The configuration file is /etc/snort/snort.conf:
# gedit /etc/snort/snort.conf
Edit the following lines and save:
Line 25, declare the internal network:
var HOME_NET 192.168.1.0/24
Line 28, declare the external network; any means any network:
var EXTERNAL_NET any
Line 60, declare the location of the rules, which are in /etc/snort/rules:
var RULE_PATH /etc/snort/rules
Line 270, allow log messages to be written to the MySQL database:
output database: log, mysql, user=snort password=123 dbname=snort host=localhost
This line means: the database is named snort and the MySQL server runs on localhost; the database account is snort with password 123.
e. Installing rules for Snort
Extract snortrules-snapshot-2.8.tar.gz:
[root@localhost soft]# tar -zxvf snortrules-snapshot-2.8.tar.gz
[root@localhost soft]# cd rules
Copy all rules into /etc/snort/rules:
[root@localhost rules]# cp * /etc/snort/rules
f. Configuring Snort to start as a system service
Create a symbolic link from the snort binary, which lives at /usr/local/bin/snort, to /usr/sbin/snort:
# ln -s /usr/local/bin/snort /usr/sbin/snort
Snort provides start-up scripts in the rpm/ directory of the extracted snort-2.8.6 tree:
[root@localhost soft]# cd snort-2.8.6
[root@localhost snort-2.8.6]# cd rpm
[root@localhost rpm]# cp snortd /etc/init.d
[root@localhost rpm]# cp snort.sysconfig /etc/sysconfig/snort
Set the permissions of snortd:
# chmod 755 /etc/init.d/snortd
Configure Snort to start automatically:
# chkconfig snortd on
Start Snort:
# service snortd start

Figure 100. service snortd start

To start Snort in the foreground (debug mode) in order to check for errors, run:
# snort -c /etc/snort/snort.conf -l /var/log/snort -i eth0
(The -T option, which only validates the configuration and rules and then exits, is the quicker check after editing snort.conf.)
If an error occurs, Snort exits and prints the error. If it is running normally it prints the line Not Using PCAP_FRAMES; this only reports that the PCAP_FRAMES environment variable (the size of libpcap's memory-mapped ring buffer) is not set, and is not an error. Press CTRL+C to exit.

Figure 101. Not Using PCAP_FRAMES

g. Creating the Snort database in MySQL
Start the MySQL service:
# service mysqld start
Set the password of the MySQL root account:
# mysqladmin -u root password p@ss
To change a password later, use:
# mysqladmin -u root -p<old password> password <new password>
Connect to the MySQL server and enter the password:
# mysql -p
Create the snort account and its password:
Note: the password must be the same one declared for the snort account in /etc/snort/snort.conf. Grant that account only the privileges it needs on the snort database, not server-wide rights.
Create the database for Snort (a database named snort, created from the mysql prompt).
Create the tables: go to the schemas directory of the extracted snort-2.8.6 source tree and load the MySQL schema into the snort database:
[root@localhost ~]# cd Desktop/soft/snort-2.8.6/schemas/
[root@localhost schemas]# mysql -u root -p snort < create_mysql
Check whether the tables were created:
# mysql -p
mysql> show databases;
mysql> use snort;
mysql> show tables;
h. Installing and configuring BASE (Basic Analysis and Security Engine)
A few PEAR packages must be added to PHP first:
# pear install PEAR
# pear install --force PEAR
# pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
To list the installed packages:
# pear list

Downloads:
Package              Download address                                    Description
adodb508a.tgz        http://sourceforge.net/projects/adodb/files/        ADOdb installation package
base-1.4.4.tar.gz    http://sourceforge.net/projects/secureideas/files/  BASE installation package

Installing ADOdb:
# cp adodb508a.tgz /var/www/html/
# cd /var/www/html/
# tar -zxvf adodb508a.tgz
Installing BASE:
# cp base-1.4.4.tar.gz /var/www/html/
# cd /var/www/html/
# tar -zxvf base-1.4.4.tar.gz
# mv base-1.4.4/ base/
# cd base
# cp base_conf.php.dist base_conf.php
# gedit base_conf.php
Edit the following lines and save the file.
Line 57, URL path under which BASE is served:
$BASE_urlpath = '/base';
Line 79, path to the adodb directory:
$DBlib_path = '/var/www/html/adodb5';
Line 101, name of the Snort database:
$alert_dbname = 'snort';
Line 105, the database password:
$alert_password = '123';
Line 108, set to 1 (an archive database exists):
$archive_exists = 1;
Line 109, name of the archive database:
$archive_dbname = 'snort';
Line 113, the archive database password:
$archive_password = '123';
Note that with these settings BASE is reachable by anyone who can reach the web server; enable BASE's own authentication ($Use_Auth_System) or restrict access in the web server configuration before exposing it beyond localhost.
i. Testing
Make sure the snortd, httpd and mysqld services are all started.

Run: snort -c /etc/snort/snort.conf -l /var/log/snort -i eth0

On the Snort server open Firefox and browse to BASE at http://localhost/base, then choose Setup page.

Figure 102. Setup page

Choose Create BASE AG.

Figure 103. Create BASE

BASE has been created successfully.

Figure 104. BASE created successfully

The BASE management interface:

Figure 105. BASE interface

BASE supports IP lookup pages such as:
http://www.dshield.org/ipinfo.html
http://www.trustedsource.org/
http://isc.sans.org/ipinfo.html

Figure 106. Lookup web pages

For example, with http://isc.sans.org/ipinfo.html we can find out exactly where an IP address is located.

Figure 107. IP information

To follow the log file in real time, run: tail -f /var/log/snort/alert. The tail -f command keeps reading the alert file continuously, so anything newly generated appears immediately.

Figure 108. The tail -f command
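Watching the alert file scroll by is fine for a demonstration; for operations one wants the alerts parsed and aggregated. The following is an added Python example, not part of the thesis and not a Snort component: it parses one-line alerts in the alert_fast format (what snort -A fast or an output alert_fast line produces, as in the Windows configuration later in this chapter; the multi-line full format is not handled) and reports counts per rule, per source address, the alert rate over the observed window and the priority-1 events. The alert lines are constructed for the example and the function names are mine.

```python
import re
from collections import Counter
from datetime import datetime

# One alert_fast line, e.g.
# 06/15-10:21:03.100000  [**] [1:1000900:1] yahoo detected [**] [Priority: 3] {TCP} 192.168.1.10:51234 -> 10.0.0.5:80
# The Classification and Priority brackets are optional; ICMP alerts carry no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s*)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line: str):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # alert_fast timestamps carry no year; strptime fills in 1900, which is fine for time spans
    d["time"] = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f")
    d["rule"] = f"{d['gid']}:{d['sid']}"
    d["prio"] = int(d["prio"]) if d["prio"] else None
    return d


def summarize(lines):
    """Aggregate alerts: counts per rule and per source, alert rate, priority-1 events."""
    alerts, unparsed = [], 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            unparsed += 1 if line.strip() else 0   # blank lines are not counted as errors
        else:
            alerts.append(a)
    if not alerts:
        return {"count": 0, "unparsed": unparsed, "by_rule": {}, "by_src": {},
                "alerts_per_second": 0.0, "high_priority": []}
    times = [a["time"] for a in alerts]
    span = (max(times) - min(times)).total_seconds()
    return {
        "count": len(alerts),
        "unparsed": unparsed,
        "by_rule": dict(Counter(a["rule"] for a in alerts)),
        "by_src": dict(Counter(a["src"] for a in alerts)),
        # rate over the observed window; with a single alert the window is taken as one second
        "alerts_per_second": len(alerts) / span if span > 0 else float(len(alerts)),
        "high_priority": [(a["rule"], a["msg"], a["src"]) for a in alerts if a["prio"] == 1],
    }


# Constructed alert lines (not captured from a real sensor); the fifth line is deliberate noise
SAMPLE_ALERTS = """\
06/15-10:21:03.100000  [**] [1:1000900:1] yahoo detected [**] [Priority: 3] {TCP} 192.168.1.10:51234 -> 10.0.0.5:80
06/15-10:21:03.600000  [**] [1:1000900:1] yahoo detected [**] [Priority: 3] {TCP} 192.168.1.10:51235 -> 10.0.0.5:80
06/15-10:21:04.100000  [**] [1:1000003:1] FTP ROOT [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:40001 -> 192.168.1.20:21
06/15-10:21:05.100000  [**] [1:1000004:1] ICMP PING detected [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.7 -> 192.168.1.20
this line is not an alert and is skipped
06/15-10:21:13.100000  [**] [1:1000900:1] yahoo detected [**] [Priority: 3] {TCP} 192.168.1.11:51236 -> 10.0.0.5:80
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ALERTS.splitlines()).items():
        print(f"{key}: {value}")
```

The same summarize() can be fed the live file (for line in open("/var/log/snort/alert")), and the alerts_per_second figure is the same quantity that appears as "Alerts per second" in the performance parameters later in this chapter.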


Reading a log file:
# snort -dv -r /var/log/snort/snort.log.1077725466

To read a log file and show only TCP traffic, add a BPF filter expression:
# snort -dv -r /var/log/snort/snort.log.107657944 tcp
Back in the terminal running snort -c /etc/snort/snort.conf -l /var/log/snort -i eth0, pressing CTRL+C stops Snort and prints the table below. In sniffer mode Snort prints a summary of the captured packets, including the protocol breakdown and fragmentation and reassembly statistics.

Figure 109. Summary table of captured packets

2. Installing Snort on Windows
With the lab model above, Snort is installed on Windows Server 2008.
a. Installation packages

Package                          Download address                              Description
Snort_2_8_6_Installer.exe        http://www.snort.org/downloads                Snort installer
snortrules-snapshot-2.8.tar.gz   http://www.snort.org/downloads                Snort rules
WinPcap_4_1_1.exe                http://www.winpcap.org/install/default.htm    WinPcap installer

Install WinPcap first, then Snort 2.8.6.

Run Snort_2_8_6_Installer.exe. The Installation Options step offers log storage in a Microsoft SQL Server or Oracle database; since logs are only kept in the Event Log here, choose the first option.

Figure 110. Installation Options

Accept the defaults for the remaining steps.
b. Configuring Snort parameters
The configuration file is C:\Snort\etc\snort.conf. Edit the following lines and save the file.
Declare the internal network:
var HOME_NET 192.168.1.0/24
Declare the external network; any means any network:
var EXTERNAL_NET any
Declare the location of the rules:
var RULE_PATH c:\snort\rules
Include classification.config and reference.config:
include C:\Snort\etc\classification.config
include C:\Snort\etc\reference.config
Declare the path to the dynamic preprocessor libraries:
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
Declare the path to the base preprocessor engine:
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
Log output (the tcpdump log stays commented out; alerts go to alerts.ids in the fast one-line format):
# output log_tcpdump: tcpdump.log
output alert_fast: alerts.ids
c. Installing rules for Snort
Extract snortrules-snapshot-2.8.tar.gz and copy its rules directory into C:\Snort, so that the rules end up in C:\Snort\rules as declared by RULE_PATH.
d. Running Snort
cd C:\Snort\bin
c:\Snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log
If the error below appears, delete sf_sdf.dll from C:\Snort\lib\snort_dynamicpreprocessor (this simply disables the sensitive-data preprocessor):
ERROR: Failed to initialize dynamic preprocessor: SF_SDF (IPV6) version 1.1.1
Fatal Error, Quitting..
Snort is now installed successfully.

Figure 111. Not Using PCAP_FRAMES on Windows

3. Keywords
i. Commonly used keywords
The msg keyword
msg:"<message text>";
Displays the given message in the alert and in the log file.
The gid keyword
gid:<generator id>;
Assigns a generator id to the rule. The gid keyword identifies which part of Snort generated the event when the rule fires. For example gid 1 is associated with the rules subsystem, and gids above 100 are assigned to specific preprocessors and decoders. This option should be used together with sid; to avoid colliding with the values used by other components, local rules should use a gid greater than 1,000,000. Example:
alert tcp any any -> any 80 (content:"yahoo"; gid:1000001; sid:1; rev:1;)
The sid keyword
sid:<snort rules id>;

Assigns a rule id to the rule. The sid keyword uniquely identifies a Snort rule; this information lets output plugins identify the rule easily. It should be used together with the rev keyword.
Note the reserved ranges:

<100          reserved for future use
100-999,999   rules included with the Snort distribution
>=1,000,000   used for local rules

Example:
alert tcp any any -> any 80 (content:"yahoo"; sid:1000900; rev:1;)
The rev keyword
rev:<revision integer>;
The rev keyword identifies the revision of a Snort rule. When a rule is updated, rev distinguishes the versions from each other. It should be used together with sid. Example:
alert tcp any any -> any 80 (content:"yahoo"; sid:1000900; rev:1;)
The priority keyword
priority:<priority integer>;
This keyword assigns a severity level to the rule. In classification.config a lower number means higher severity (1 is high, 3 is low), so the value 10 below ranks beneath every default classification. Example:
alert tcp any any -> any 80 (content:"php.image"; msg:"webvirus detected"; priority:10;)
ii. Keywords acting on the payload
The content keyword
content:[!]"<content string>";
This keyword searches for a data pattern inside the packet payload. The pattern may be written as an ASCII string or as binary data in hexadecimal form. For example, the rule below detects the pattern GET in the payload of TCP packets originating from 192.168.1.0/24; the GET keyword is used in many kinds of HTTP attacks:
alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any (content:"GET"; msg:"GET detected";)

The rule below does the same, but writes the pattern in hexadecimal:

alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any (content:"|47 45 54|"; msg:"GET detected";)
In hex, 47 = G, 45 = E, 54 = T. Hexadecimal bytes are enclosed between a pair of | characters.
The ! symbol means negation: in the example below the payload must not contain GET.
alert tcp any any -> any 80 (content:!"GET";)
The content keyword can be combined with the modifiers depth, nocase, offset and so on.
The offset keyword
offset:<number>;
The offset keyword sets how far from the start of the packet payload the search begins; it takes a number as argument. The example below starts searching for HTTP at byte 5 of the payload:
alert tcp 192.168.1.0/24 any -> any any (content:"HTTP"; offset:5; msg:"HTTP detected";)
The depth keyword
depth:<number>;
The depth keyword sets a maximum length for the search, counted from the point where the search starts (the first payload byte, or the offset when one is given). Data beyond this range is not examined. Combining offset and depth with content lets you delimit exactly which region of the payload is searched. For example, to look for HTTP starting at byte 5 and examining at most 20 bytes from there:
alert tcp 192.168.1.0/24 any -> any any (content:"HTTP"; offset:5; depth:20; msg:"HTTP detected";)
The nocase keyword
nocase;
The nocase keyword takes no argument; it makes the pattern search case-insensitive. Example:

alert tcp any any -> any 21 (content:"USER root"; msg:"FTP ROOT"; nocase;)
The within keyword
within:<byte count>;
The within keyword constrains a content match relative to the previous content match: the second pattern must be found entirely inside the N bytes that follow the end of the previous match. In the example below an alert fires only when "com" appears within the 14 bytes after "www"; if the two are further apart there is no alert:
alert tcp any any -> any 80 (content:"www"; content:"com"; within:14; msg:"test within"; sid:10000003;)
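An added Python example, not from the thesis and not Snort's own code, implementing the payload keywords described in this section so their semantics can be checked against real bytes: content with ASCII or |hex| patterns and ! negation, offset, depth (counted from the offset, as Snort applies it), nocase, and within (measured from the end of the previous match). Rule headers (addresses and ports) are ignored, the sample payloads are constructed, and the function names are mine.

```python
import re

# One rule option "key:value;" or a bare "key;" (e.g. nocase;). Values may be quoted,
# and a content value may carry a leading ! for negation: content:!"GET";
OPTION_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_options(options: str):
    """Return the rule options in order as (keyword, value-or-None) pairs."""
    return [(m.group(1), m.group(2).strip() if m.group(2) is not None else None)
            for m in OPTION_RE.finditer(options)]


def decode_content(value: str):
    """Turn a content value into (negated, pattern bytes). Text outside |..| is ASCII,
    text inside |..| is hex, so "|47 45 54|" and "GET" both become b"GET"."""
    negated = value.startswith("!")
    body = value[1:].strip() if negated else value
    if not (body.startswith('"') and body.endswith('"')):
        raise ValueError(f"content value must be quoted: {value!r}")
    out = bytearray()
    for i, seg in enumerate(body[1:-1].split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode("latin-1")
    return negated, bytes(out)


def payload_matches(options: str, payload: bytes) -> bool:
    """Evaluate the content/offset/depth/nocase/within options of a rule against a payload."""
    contents = []
    for key, val in parse_options(options):
        if key == "content":
            neg, pat = decode_content(val)
            contents.append({"pat": pat, "neg": neg, "offset": 0, "depth": None,
                             "nocase": False, "within": None})
        elif key in ("offset", "depth", "within"):
            contents[-1][key] = int(val)        # modifiers bind to the preceding content
        elif key == "nocase":
            contents[-1]["nocase"] = True
        # msg, sid, rev, priority and the like do not influence matching
    prev_end = 0                                # end of the previous content match
    for c in contents:
        if c["within"] is not None:             # relative: only the N bytes after the last match
            start, end = prev_end, prev_end + c["within"]
        else:                                   # absolute: from offset, at most depth bytes
            start = c["offset"]
            end = len(payload) if c["depth"] is None else start + c["depth"]
        hay, pat = payload[start:end], c["pat"]
        if c["nocase"]:
            hay, pat = hay.lower(), pat.lower()
        pos = hay.find(pat)
        if (pos == -1) != c["neg"]:             # missing-but-required or found-but-negated
            return False
        if pos != -1:
            prev_end = start + pos + len(pat)
    return True


# Constructed payload used to exercise the rules of this section
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"

if __name__ == "__main__":
    for opts in ('content:"GET"; msg:"GET detected";',
                 'content:"|47 45 54|"; msg:"GET detected";',
                 'content:!"GET";',
                 'content:"HTTP"; offset:5; depth:20; msg:"HTTP detected";',
                 'content:"www"; content:"com"; within:14; msg:"test within"; sid:10000003;'):
        print(payload_matches(opts, HTTP_GET), opts)
```

Note that the within window starts at the end of the previous match, which is why "www.example.com" satisfies within:14 while "www.very-long-name.com" does not.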
iii. Keywords acting on non-payload fields
The flow keyword
flow:[(established|stateless)][,(to_client|to_server|from_client|from_server)][,(no_stream|only_stream)];
The flow keyword applies a rule only to TCP sessions, and only to packets travelling in a particular direction. It specifies the direction of traffic and lets a rule apply only to the client side or the server side. Meaning of the options:

Option        Description
to_client     Trigger on server responses (traffic from server to client)
to_server     Trigger on client requests (traffic from client to server)
from_client   Same as to_server
from_server   Same as to_client
established   Apply the rule only to established TCP sessions
stateless     Apply the rule regardless of the state of the TCP session
no_stream     Do not apply the rule to packets rebuilt from a stream
only_stream   Apply the rule only to packets rebuilt from a stream

Example:
alert tcp !$HOME_NET any -> $HOME_NET 21 (content:"CWD incoming"; msg:"cd detected"; flow:from_client; nocase;)
The ttl keyword
ttl:[[<number>-]><=]<number>;
The ttl keyword tests the Time To Live value of the IP header. It can be used with every protocol built on IP, including ICMP, UDP and TCP. Example:
ttl:<7;
The fragbits keyword
fragbits:[+*!]<[MDR]>;
The IP header contains three flag bits used for IP fragmentation and reassembly. The fragbits keyword tests which of these bits are set in the IP header:
M - More Fragments bit
D - Don't Fragment bit
R - Reserved bit (reserved for future use)
The following modifiers change the matching condition:
+ match on the specified bits, plus any other bits that happen to be set
* match if any of the specified bits are set
! match if the specified bits are not set
For example, to alert when both the More Fragments and Reserved bits are set (other bits allowed):
fragbits:MR+;
The dsize keyword
dsize:[<>]<number>[<><number>];
The dsize keyword tests for packets with an abnormal payload size. For example, to find packets whose payload is between 100 and 200 bytes:
dsize:100<>200;
The id keyword

id:<number>;
The id keyword compares the IP identification field (the field used to reassemble fragments). Its purpose is to detect attacks that use a fixed ID in the IP header.
The flags keyword
flags:[!|*|+]<FSRPAU120>[,<FSRPAU120>];
The flags keyword tests which flag bits are set in the TCP header; these bits are used by many security tools. The flags are:
F - FIN (LSB in the TCP flags byte)
S - SYN
R - RST
P - PSH
A - ACK
U - URG
1 - Reserved bit 1 (MSB in the TCP flags byte)
2 - Reserved bit 2
0 - No TCP flags set
The modifiers +, * and ! work as for fragbits, and the optional second list names bits to ignore when comparing. Example:
alert tcp any any -> $HOME_NET any (flags:RP; msg:"RST-PSH detected";)
The ack keyword
ack:<number>;
The ack keyword tests the TCP acknowledgement number.
The seq keyword
seq:<number>;
The seq keyword tests the TCP sequence number.
The icmp_id keyword
icmp_id:<number>;
This keyword tests for a specific ICMP ID value.
The icmp_seq keyword
icmp_seq:<number>;
This keyword tests for a specific ICMP sequence value.

4. Performance parameters reported (these are the statistics printed by Snort's perfmonitor preprocessor):

Parameter                         Meaning
Packets received                  Packets received
Packets dropped                   Packets dropped
Percentage of packets dropped     Percentage of packets dropped
Kpackets per second               Thousands of packets per second
Average bytes per packet          Average bytes per packet
Mbits per second (wire)           Mbit/s seen on the wire
Mbits per second (rebuilt)        Mbit/s Snort pushes through after rebuilding (reassembling) packets
Mbits per second (total)          Mbit/s in total
Pattern-matching percent          Average percentage of received data that goes through pattern matching
CPU usage                         CPU usage: user time, system time, idle time
Alerts per second                 Alerts per second
SYN packets per second            SYN packets per second
SYN/ACK packets per second        SYN/ACK packets per second
New sessions per second           New sessions per second
Deleted sessions per second       Sessions deleted per second
Total sessions                    Total sessions
Max sessions during time interval Maximum number of sessions during the interval
Stream flushes per second         Stream flushes per second
Stream faults per second          Stream faults per second
Stream timeouts                   Stream timeouts
Frag completes per second         Fragment reassemblies completed per second
Frag inserts per second           Fragment inserts per second
Frag deletes per second           Fragment deletes per second
Frag flushes per second           Fragment flushes per second
Frag timeouts                     Fragment timeouts
Frag faults                       Fragment faults

APPENDIX: FOREFRONT
Installing Forefront TMG 2010
Requirements before installing Forefront:
- The Forefront TMG machine must be a domain member; join it to the domain before installing.
- Install on Windows Server 2008 Enterprise with Service Pack 2. Check with Start \ Run \ winver; if the system is at SP1, download the SP2 update and install it from:
http://www.microsoft.com/downloads/details.aspx?familyid=656c9d4a-55ec4972-a0d7-b1a6fedf51a7&displaylang=en
- Note for installation on a virtual machine: to install Windows Server 2008 Enterprise x64, the Virtualization feature must be enabled under BIOS \ Advanced (it is off by default); otherwise setup reports that the CPU is not compatible with 64-bit.

Figure 112. Virtual machine error screen when installing Windows Server 2008 x64

- Install the required Roles and Features.
- Download Forefront TMG 2010 from http://technet.microsoft.com/en-us/evalcenter/ee423778.aspx
- Run the downloaded file; in the Forefront setup screen choose Run Preparation Tool to check for .NET Framework 3.5, Windows Installer 4.5, Windows Update and the Windows Web Services API; anything missing is downloaded and installed automatically.
In some cases the Preparation Tool fails because the operating system is not at SP2, which is why installing SP2 on Windows Server 2008 matters.

Figure 113. Preparation Tool error

Once the Preparation Tool has completed, Forefront TMG installs normally.
