
HỌC VIỆN CÔNG NGHỆ BƯU CHÍNH VIỄN THÔNG
(Posts and Telecommunications Institute of Technology)

---------------------------------------

NGUYỄN MẠNH ĐOÀN

RESEARCH ON INTRUSION DETECTION AND PREVENTION SYSTEMS (IDS/IPS)
FOR ENTERPRISE NETWORKS

Major: Telecommunications Engineering

Code: 60.52.02.08

MASTER'S THESIS SUMMARY

HÀ NỘI - 2014

The thesis was completed at:

HỌC VIỆN CÔNG NGHỆ BƯU CHÍNH VIỄN THÔNG (Posts and Telecommunications Institute of Technology)

Scientific supervisor: Assoc. Prof. Dr. NGUYỄN TIẾN BAN

Reviewer 1: Assoc. Prof. Dr. TRƯƠNG VŨ BẰNG GIANG
Reviewer 2: Dr. NG NH TRANG

The thesis will be defended before the Master's Thesis Examination Board of the Posts and Telecommunications Institute of Technology
at ....... h, on day ....... month ....... year ...............

The thesis can be consulted at:

- The library of the Posts and Telecommunications Institute of Technology.

INTRODUCTION
In recent years the Internet has grown very rapidly and now serves every need of work and daily life. That growth brings with it the factors of speed, quality, security and diversity of services, and among these security is one of the most important issues for service providers and users alike, not only for individuals but above all in sectors with high security requirements such as the military, banking and finance.
From the birth of the Internet the security problem was recognised and given great attention. Over a long process of development with many changes, security measures have also progressed continuously in both number and quality: firewalls, VPNs, encryption, anti-virus software, and so on. Each security requirement and each threat of attack has a corresponding security measure. However, to achieve the highest level of network safety, these measures must be combined effectively.
This thesis studies intrusion detection and prevention systems (IDS/IPS) and, on that basis, proposes ways of deploying IDS/IPS in a network. IDS/IPS is an important security measure that belongs in every network: it detects and blocks unauthorised intrusions as well as misuse of privileges, and it covers cases that other measures such as firewalls or VPNs do not address.
The thesis is divided into three parts:
Chapter 1: Overview of network intrusion prevention.
Chapter 2: Intrusion detection and prevention systems (IDS/IPS).
Chapter 3: Building an IDS/IPS model for an enterprise network.
The author sincerely thanks the lecturers, especially Assoc. Prof. Dr. NGUYỄN TIẾN BAN, for their enthusiastic guidance in completing this thesis.
Because research time was limited and the author's knowledge is still limited, the thesis inevitably has shortcomings; the author hopes the lecturers will offer further guidance and instruction, and will take their comments on board to complete the thesis as well as possible.
Student
NGUYỄN MẠNH ĐOÀN

CHAPTER 1: OVERVIEW OF NETWORK INTRUSION PREVENTION
1.1 Threats to security:
Before looking at the methods of intruding into a system and defending it, we need to distinguish the threats to security and their severity. Only then can we assess accurately which defences are most appropriate. Known threats can be classified by their structure or by the position from which the attack is launched:

1.1.1 Classification by structure:

1.1.1.1 Unstructured threats:
Unstructured threats come from attackers with little programming ability who mostly use hacking tools and scripts published on the Internet.
1.1.1.2 Structured threats:
Structured threats are deliberate, motivated and technically skilled actions. Attackers with programming skill build new tools, use complex and up-to-date hacking techniques, or modify existing tools to suit their purposes.

1.1.2 Classification by attack position:

1.1.2.1 External threats:
These are the most common threats: attacks carried out over the Internet by people who hold no rights in the target system. Enterprises usually pay particular attention to defending against this type.
1.1.2.2 Internal threats:
When the attacker already holds one or more privileges in the system and launches the attack from a trusted area of the network, we speak of an internal attack.

1.2 Intrusion methods and their prevention:

1.2.1 Denial of Service (DoS) attacks:
Denial of service attacks are usually divided into two main types: DoS and DDoS (Distributed Denial of Service).
1.2.1.1 DoS:
A DoS attack is launched by a person or group in order to paralyse the target system so that its users can no longer reach data or get any work done. DoS does not grant the attacker access to the machine or its data; it prevents legitimate users from reaching the service.
1.2.1.2 DDoS:
A DDoS attack is launched from a very large number of computers on the Internet, usually by abusing services available on the machines of a botnet. It is an extremely dangerous form of attack and very hard to stop because it originates from many addresses at once. Once a DDoS attack is under way a firewall can drop the incoming packets, but the traffic still saturates the Internet link before it reaches the firewall.
Some measures against DDoS attacks:
- Remove application-layer weaknesses: attackers can exploit flaws in the application layer, such as buffer overflows, to crash a service. Such flaws are regularly found in Windows internal network services, web applications, DNS servers and so on, so keeping patches current is one of the most important preventive requirements.
- Limit the number of half-open TCP connections (SYN received, SYN-ACK sent, final ACK never returned) that the network will hold; this is the resource a SYN flood exhausts.
- Limit the number of connections that a single source may open to a server.
- Detect and block attacks that keep the connection set-up rate at its ceiling: a filter on the average connection rate can be applied, with a connection-rate threshold defined for each network object.

1.2.2 Sniffers:
A sniffer is a program or device that captures important information from the traffic on the network and delivers it to an address of its own, for legitimate (troubleshooting) or malicious purposes.
Unauthorised use of sniffers can be countered in the following ways:
- Authentication: use two-factor authentication, for example a personal identification number (PIN) combined with a token card, to authenticate a device or an application; a one-time code captured by a sniffer cannot be replayed later.
- Use switches instead of hubs or bridges, so that frames are no longer broadcast to every port. This limits what a sniffer sees, although it cannot stop sniffing entirely (ARP spoofing, section 1.2.4, can still redirect traffic on a switched network).
- Encryption: encrypt all information on the network, so that a sniffer captures only ciphertext.

1.2.3 Port scan:
A port scan is run directly against a host or a network to discover which services the host offers. From the information gathered the attacker then looks for a way to attack and exploit that server.
To limit and counter this kind of attack, a firewall or an IDS/IPS can be used to detect, alert on and block the probing, and thereby the intrusion that follows it.
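The per-source connection-rate threshold of section 1.2.1 and the probing pattern of section 1.2.3 can both be recognised from the same stream of connection attempts. The following Python example is added to this summary for illustration and is not part of the thesis: it keeps a sliding window of TCP connection attempts per source, raises a SYN-flood alert when one source exceeds a rate threshold, and raises a port-scan alert when one source touches too many distinct destination ports. The sample events, the thresholds and the addresses are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    kind: str    # "syn_flood" or "port_scan"
    src: str
    value: int   # the count that crossed the threshold
    time: float  # timestamp of the event that triggered the alert


class ConnectionMonitor:
    """Sliding-window monitor over connection attempts (TCP SYNs), per source.

    syn_flood: more than max_syn_per_window attempts from one source within
               `window` seconds (the connection-rate threshold of section 1.2.1).
    port_scan: more than max_ports_per_window distinct destination ports touched
               by one source within `window` seconds (the probing of section 1.2.3).
    Each (source, kind) pair is reported once, so a flood cannot also flood the
    operator with alerts.
    """

    def __init__(self, window=10.0, max_syn_per_window=100, max_ports_per_window=20):
        self.window = window
        self.max_syn = max_syn_per_window
        self.max_ports = max_ports_per_window
        self._events = defaultdict(deque)  # src -> deque of (time, dst_port)
        self._reported = set()             # (src, kind) pairs already alerted
        self.alerts = []

    def observe(self, t, src, dport):
        q = self._events[src]
        q.append((t, dport))
        while q and t - q[0][0] > self.window:   # expire entries outside the window
            q.popleft()
        if len(q) > self.max_syn:
            self._raise("syn_flood", src, len(q), t)
        distinct_ports = len({p for _, p in q})
        if distinct_ports > self.max_ports:
            self._raise("port_scan", src, distinct_ports, t)

    def _raise(self, kind, src, value, t):
        if (src, kind) not in self._reported:
            self._reported.add((src, kind))
            self.alerts.append(Alert(kind, src, value, t))


def analyse(events, **thresholds):
    """Feed (time, src, dst, dport) events in time order; return the alerts raised."""
    monitor = ConnectionMonitor(**thresholds)
    for t, src, _dst, dport in sorted(events):
        monitor.observe(t, src, dport)
    return monitor.alerts


# Constructed sample: one normal client, one SYN flooder, one port sweeper.
SAMPLE_SYNS = (
    [(0.0, "10.0.0.5", "192.168.1.10", 443),
     (2.0, "10.0.0.5", "192.168.1.10", 443),
     (4.0, "10.0.0.5", "192.168.1.10", 80)]
    + [(1.0 + i * 0.01, "203.0.113.9", "192.168.1.10", 80) for i in range(200)]
    + [(5.0 + p * 0.1, "198.51.100.7", "192.168.1.10", p) for p in range(1, 41)]
)

if __name__ == "__main__":
    for alert in analyse(SAMPLE_SYNS):
        print(f"{alert.time:7.2f}s {alert.kind:10s} from {alert.src}: {alert.value}")
```

The thresholds are the tuning knobs the text refers to: set too low they turn a busy but legitimate client into a false positive, set too high a slow scan stays under the window. In a real deployment the window and thresholds would be chosen per network object, as the text describes, and the flooder's address would be handed to the firewall rather than only logged.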

1.2.4 ARP spoofing
ARP is a layer-2 protocol whose job is to locate a host within a network segment by resolving an IP address to a MAC address. ARP does this by broadcasting a request to every host in the segment containing the IP address of the host it wants to reach. All hosts receive the request, but only the host whose IP address matches answers; the others silently drop it. ARP spoofing exploits the protocol's weakness that ARP messages are not authenticated, so a receiver cannot tell who really sent them. The attacker sends ARP replies carrying the IP address of a machine on the network paired with a forged MAC address or with the attacker's own MAC. The victim that receives these forged replies then believes its peer has the MAC address supplied by the attacker, and traffic meant for the peer is misdirected: to the attacker, who can read or alter it, or to nowhere, which denies service.
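The defence against the ARP spoofing just described is to notice that an IP address suddenly claims a different MAC address than before, or that a binding the administrator pinned statically is being contradicted (the approach of tools such as arpwatch). The following Python example is added to this summary and is not part of the thesis: it parses raw ARP reply frames, keeps a learned IP-to-MAC table, alerts on any conflict, and refuses to let the conflicting reply overwrite a binding it already trusts. The MAC and IP addresses, the static gateway entry and the frames themselves are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

ETH_TYPE_ARP = 0x0806
ARP_REPLY = 2
ARP_FORMAT = "!HHBBH6s4s6s4s"   # htype ptype hlen plen oper sha spa tha tpa


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet frame carrying an ARP reply (used only to construct test input)."""
    ethernet = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), IPv4Address(target_ip).packed)
    return ethernet + arp


def parse_arp(frame):
    """Return (operation, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    _htype, _ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(ARP_FORMAT, frame[14:42])
    if hlen != 6 or plen != 4:
        return None
    return oper, mac_str(sha), str(IPv4Address(spa))


class ArpWatcher:
    """Learns IP -> MAC bindings from ARP replies and flags conflicting ones.

    `static` holds bindings the administrator pins (gateway, servers), the software
    counterpart of a static ARP entry; a conflict on one of those is rated high.
    """

    def __init__(self, static=None):
        self.table = dict(static or {})
        self.static = set(self.table)
        self.alerts = []

    def process(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _oper, mac, ip = parsed
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac            # first sighting: learn it
            return None
        if known == mac:
            return None
        alert = {"ip": ip, "expected": known, "seen": mac,
                 "severity": "high" if ip in self.static else "medium"}
        self.alerts.append(alert)
        # Deliberately do NOT update the table: the forged reply must not
        # displace the binding we already trust.
        return alert


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
VICTIM_MAC, VICTIM_IP = "02:00:00:00:00:50", "192.168.1.50"
ATTACKER_MAC = "de:ad:be:ef:00:01"

# Constructed frames as the victim would see them on the wire.
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),              # genuine gateway
    build_arp_reply("aa:bb:cc:dd:ee:01", "192.168.1.20", VICTIM_MAC, VICTIM_IP),  # genuine host
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),             # spoofed gateway
    build_arp_reply(ATTACKER_MAC, "192.168.1.20", VICTIM_MAC, VICTIM_IP),         # spoofed host
    b"\x00" * 12 + struct.pack("!H", 0x0800) + b"\x00" * 28,                      # not ARP: ignored
]


def run_sample():
    watcher = ArpWatcher(static={GATEWAY_IP: GATEWAY_MAC})
    verdicts = [watcher.process(frame) for frame in SAMPLE_FRAMES]
    return watcher, verdicts


if __name__ == "__main__":
    for alert in run_sample()[0].alerts:
        print(alert)
```

A watcher like this can only detect; it cannot stop the victim's own ARP cache from being poisoned. The prevention counterparts are static ARP entries for the gateway and critical servers, and dynamic ARP inspection on the switch, which validates ARP replies against DHCP snooping bindings before forwarding them.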

1.3 The need for IDS/IPS

1.3.1 Overview of security methods in network security:
1.3.1.1 Firewall:
A firewall is a mechanism built into the network to resist unauthorised access, protecting internal information resources and limiting unwanted intrusion into the system. A firewall can be hardware, software or a combination of both.
A firewall is usually placed between the internal network (intranet) of a company, organisation, sector or country and the Internet. Its main roles are to protect information, to block unwanted access from outside, and to forbid access from inside to certain addresses on the Internet.
A standard firewall consists of one or more of the following components:
- Packet filter (packet-filtering router)
- Application gateway (application-level gateway or proxy server)
- Circuit-level gateway

1.3.1.2 Information security by cryptography:
Cryptography is the science of methods for transmitting information secretly. It comprises code-making (cryptography proper) and code-breaking (cryptanalysis); code-making in turn covers two processes, encryption and decryption.
To protect information in transit, it is transformed from an intelligible form into an unintelligible form before being sent over the network; this is encryption. At the destination the information is transformed back by the inverse process, decryption.
1.3.1.3 VPN:
A virtual private network (VPN) is defined as a network connection deployed over public network infrastructure (such as the Internet) with management and security policies like those of a local network.
So that data can be sent and received across a public network while remaining safe and confidential, a VPN encrypts the data in transit, creating a secure tunnel between sender and receiver that behaves like a point-to-point link on a private network. To create that tunnel the data is encrypted or otherwise hidden, and a header carrying routing information is prepended so that the packet can cross the public network quickly. Because the payload is carefully encrypted, a packet captured on the public network cannot be read without the decryption key. The link carrying this encrypted and encapsulated data is called a VPN connection, and VPN connections are commonly referred to as VPN tunnels.

1.3.2 Intrusion detection and prevention systems (IDS/IPS):
Each of the methods above for protecting networked information and systems has its own strengths and tasks. The question remains, however: how can attacks and misuse of privileges in the system actually be detected? IDS/IPS is the appropriate answer to that question.

1.4 Conclusion
Chapter 1 of the thesis gives an overview of network intrusion prevention: the threats to security, and the common intrusion methods and their countermeasures (DoS, sniffers, port scans, ARP spoofing). The author also outlines the security methods in use today (firewalls, VPNs, encryption), and from that derives the pressing need for IDS/IPS systems.

CHAPTER 2: INTRUSION DETECTION AND PREVENTION SYSTEMS (IDS/IPS)
2.1 The concepts of intrusion detection and intrusion prevention:
Intrusion detection is the process of monitoring the events that occur on a computer system or network and analysing them for signs of intrusion. An intrusion is defined as any attempt to compromise the integrity, availability or confidentiality of a computer system or network, or to bypass its security mechanisms.
Intrusion prevention aims to protect resources, data and networks. It reduces the threat of attack by removing malicious or unwanted network traffic while allowing legitimate activity to continue. The goal is a system with no false positives, which would cut end-user productivity, and no false negatives, which would leave excessive risk inside the environment.
An Intrusion Prevention System (IPS) is defined as software or a dedicated appliance able to detect intrusions and to block the resulting security threats.
IDS and IPS have a great deal in common, so the two are often referred to together as IDP (Intrusion Detection and Prevention). The thesis studies intrusion detection and prevention systems IDS/IPS (IDP); this chapter is presented in two main parts: intrusion detection and intrusion prevention.

2.2 IDS (Intrusion Detection System)

An intrusion detection system is a specialised software application that detects intrusions into the network it protects. IDS is not designed to replace traditional security methods but to complement them.

2.2.1 Functions:

The most important functions are monitor, alert and protect:
- Monitor: network traffic and suspicious activity.
- Alert: report the state of the network to the system and the administrator.
- Protect: use the default settings and the administrator's configuration to take concrete action against intruders and saboteurs.

Extended functions:
- Distinguish: internal attacks from external attacks.
- Detect: abnormal signs, either from what is already known or by comparing current network throughput with a baseline.
2.2.2 Classification:
There are two types of IDS: Network-Based IDS (NIDS) and Host-Based IDS (HIDS):
a. Host-Based IDS (HIDS)
By installing software on every host to be protected, a HIDS observes all activity on that host: log files as well as the network traffic the host sees. It also monitors the operating system, system calls, audit logs and error messages on the host.
Advantages of HIDS:
- Can identify the user associated with an event.
- Can detect attacks that take place on a single machine, which a NIDS cannot do.
- Can analyse data that is encrypted on the wire, since it sees it after decryption on the host.
- Provides information about the host while the attack on that host is in progress.
Limitations of HIDS:
- Information from a HIDS can no longer be trusted once the attack on that host has succeeded.
- When the OS is brought down by an attack, the HIDS goes down with it.
- A HIDS must be installed on every host that is to be monitored.
- A HIDS cannot detect network reconnaissance (scans with Nmap, Netcat).
- A HIDS consumes resources on the host it runs on.
- A HIDS may be ineffective under a DoS attack.
- Most run on Windows, although some also run on UNIX and other operating systems.

b. Network-Based IDS (NIDS)

Figure 2.1 NIDS
A NIDS uses probes and sensors installed across the network. The probes watch the network for traffic matching predefined profiles or signatures. The sensors capture and analyse traffic in real time. When a traffic pattern or signature is recognised, the sensor sends an alert to the management station and can be configured to seek a way of blocking further intrusion. A NIDS is thus a set of sensors placed throughout the network that watch packets and compare them with predefined patterns to decide whether an attack is taking place.
Advantages of Network-Based IDS:
- Covers a whole network segment (many hosts).
- "Transparent" to users and attackers alike.
- Simple to install and maintain, without affecting the network.
- Resistant to a DoS aimed at any single host.
- Can identify faults at the network layer (of the OSI model).
- Independent of the OS.

Limitations of Network-Based IDS:
- False positives can occur: the NIDS reports an intrusion when none took place.
- Cannot analyse encrypted traffic (e.g. SSL, SSH, IPsec).
- Requires the latest signatures to be kept up to date if it is to be truly effective.
- There is a delay between the time of the attack and the time the alert is raised; by the time the alert is issued the system may already be damaged.
- Does not tell whether the attack succeeded. Bandwidth is another limitation: the network probes must receive all the traffic, reassemble it and analyse it.

2.2.3 Architecture and principle of operation:

An IDS/IPS consists of the following main components:
- Packet collection component.
- Detection component.
- Response (processing) component.
a. Packet collection component: this component captures every packet arriving on the network. Normally a network card discards packets whose destination address is not its own, but the IDS card is put into promiscuous mode so that it receives everything. Every packet passing through is copied and analysed down to its individual fields. The collector reads the fields of each packet and determines the packet type, the service and so on; this information is passed to the detection component.
b. Detection component: the sensor plays the decisive role here. The sensor is integrated with a data-collection component, the event generator. How events are collected is governed by the event-generation policy, which defines how event information is filtered. The event generator (operating system, network, application) provides a policy suited to the events, which may be a record of system events or of network packets. This policy, together with the policy information, may be stored in the protected system or outside it. In some cases the stream of event data is delivered directly to the analyser without being stored at all.

Detection methods

Misuse-based systems
Misuse-based systems can be divided into two kinds according to the database of attack types they use: knowledge-based and signature-based.
A misuse-based system with a knowledge base stores information about known attack patterns. Audit data collected by the IDS is compared with the contents of the database, and an alert is generated when a match is found. Events that match no attack pattern are treated as legitimate activity.
The signature-based system uses abstract descriptions of attacks, called signatures. A signature is the set of information needed to describe an attack type; a network IDS, for example, may store in its database the packet contents associated with a known attack. Signatures are usually stored in a form that allows direct comparison with the information in the stream of events. During processing each event is compared with the entries in the signature file, and an alert is generated when a match is found.
Anomaly-based systems
Anomaly-based systems rest on the assumption that abnormal behaviour is malicious. They must therefore first build a profile of the system's normal behaviour, and only then identify abnormal behaviour (behaviour that does not fit the normal profile).
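A minimal anomaly-based detector of the kind described above, added to this summary as an illustration and not taken from the thesis: it learns a profile of normal behaviour (here, DNS queries per minute from one workstation) as a mean and standard deviation, then flags intervals whose z-score exceeds a threshold. The sample counts are constructed. The training data must come from a period known to be attack-free, otherwise the attack becomes part of the profile and is never flagged.

```python
from statistics import mean, pstdev

# Constructed profile data: outbound DNS queries per minute from one workstation.
TRAINING = [40, 42, 38, 45, 41, 39, 44, 40, 43, 37,
            42, 41, 39, 40, 44, 38, 41, 43, 40, 42]   # quiet period, known clean
MONITORED = [41, 39, 44, 40, 180, 210, 42, 38]      # minutes 4-5: a DNS tunnelling burst


class Baseline:
    """Normal-behaviour profile: mean and standard deviation of one metric.

    k is the z-score threshold. A small k catches more but produces more false
    positives; min_sigma stops a very flat baseline from flagging every tiny change.
    """

    def __init__(self, samples, k=3.0, min_sigma=1.0):
        self.mu = mean(samples)
        self.sigma = max(pstdev(samples), min_sigma)
        self.k = k

    def score(self, value):
        return (value - self.mu) / self.sigma

    def is_anomalous(self, value):
        return self.score(value) > self.k


def detect(baseline, observations):
    """Return the indices of observations that deviate from the profile."""
    return [i for i, value in enumerate(observations) if baseline.is_anomalous(value)]


if __name__ == "__main__":
    profile = Baseline(TRAINING)
    print(f"profile: mean={profile.mu:.2f} sigma={profile.sigma:.2f}")
    for i in detect(profile, MONITORED):
        print(f"minute {i}: {MONITORED[i]} queries, z={profile.score(MONITORED[i]):.1f}")
    # Tightening the threshold turns an ordinary busy minute into a false positive.
    print("k=1.0 flags:", detect(Baseline(TRAINING, k=1.0), MONITORED))
```

With the default k=3 only the two burst minutes are flagged; with k=1 a normal minute of 44 queries is flagged as well, which is the false-positive cost that section 2.1 warns about. Real anomaly engines track many metrics and seasonal patterns, but the trade-off between the threshold and the false-positive rate is the same.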
c. Response component: when signs of an attack or intrusion appear, the detection component signals the attack or intrusion to the response component.
The response component then activates the firewall to block the attack, or alerts the administr
ator:
- Real-time alerting: send real-time alerts to the administrator so that the administrator knows the details of the attacks and the information about them.
- Logging to file: the data of the packets is stored in the system's log files, so that administrators can follow the traffic flows and so that the detection module has a source of information to work from.
- Firewall support: instruct the firewall to block, reject, drop or rewrite the packet.

2.3 IPS
An IPS has two main functions: detecting attacks and stopping them. Most IPS systems are placed at the network perimeter, where they can protect all devices in the network.
2.3.1 General architecture of IPS systems:
- Traffic analysis module
- Attack detection module
- Response module
When signs of an attack or intrusion appear, the detection module signals the attack or intrusion to the response module. The response module then activates the firewall to block the attack, or alerts the administrator. If the module only raises alerts to the administrators and stops there, the system is called a passive defence system. Depending on the system, the response module has different functions and blocking methods. Some blocking techniques are:
- Terminating the session: the IPS injects packets (for TCP, a reset) to tear down the suspected connection. The drawback is timing: the injected packets arrive after the moment the attacker began, so the attack may be over before the intervention starts.
- Dropping the attack: the firewall drops the packet, or blocks an incoming packet, a session or a flow of attack traffic. This is the safest type of response, but its drawback is that legitimate packets are easily mistaken for attack traffic.
- Changing firewall policy: the administrator reconfigures the security policy while the attack is in progress. The reconfiguration temporarily changes the access-control policy for particular users while the administrator is being alerted.
- Real-time alerting: send real-time alerts to the administrator so that the administrator knows the details of the attacks and the information about them.
- Logging to file: the data of the packets is stored in the system's log files, so that administrators can follow the traffic flows and so that the detection module has a source of information to work from.

2.3.2 Types of IPS

There are two main IPS architectures: out-of-band (promiscuous) IPS and inline IPS.
a) Out-of-band IPS: an out-of-band IPS does not sit in the data path. Traffic entering the network passes through the firewall while a copy is delivered to the IPS, which inspects the incoming flow, analyses it and detects signs of intrusion or attack. Because the original packets have already been forwarded, such a system can only alert or react indirectly (for example by asking the firewall to block the source); it cannot drop the offending packet itself.
b) Inline IPS
The IPS sits in the forwarding path, in this model in front of the firewall, so the traffic must pass through the IPS before reaching the firewall and the IPS can drop or modify packets before they are delivered. The price is that the IPS becomes a point of failure and of latency for all traffic it carries.

2.4 How IDS/IPS systems detect and prevent common attack types
Denial of Service attack
IDP solution: a proxy firewall is very effective at blocking unwanted packets from outside; in addition, a network IDS can detect attacks carried out with packets (such as floods), even where it cannot stop them.
Scanning and probing
IDP solution: a network-based IDP can detect the dangerous actions before they happen. Time-to-response is crucial here, so that attacks of this kind can be stopped before damage is done. A host-based IDS can also help against this type of attack, but it is less effective than the network-based solution.
Password attack
IDP solution: a network-based IDP can detect and block password guessing (for example, by noting a number of failed attempts), but it is not effective at detecting unauthorised access to the encrypted password file or the running of cracking programs. A host-based IDP, by contrast, is very effective both at detecting password guessing and at detecting unauthorised access to the password file.
Privilege grabbing
IDP solution: both network- and host-based IDP can identify an unauthorised privilege change immediately at the software level, since it happens on the target device. Because a host-based IDP can find users who were not privileged but have suddenly acquired privileges without going through the normal mechanism, the host-based IDP can stop this action. Moreover, the privilege-grabbing actions of the operating system and applications can be defined in the attack-signature set of a network-based IDP in order to stop the attack as it occurs.
Hostile code insertion
IDP solution: installing security software that counters viruses and malicious code on gateways, servers and workstations is the most effective way to reduce the risk. Critical files managed by a host IDP can ensure that critical programs and files of the operating system are not manipulated. Combined with other events, the IDP can identify an attempt to install malicious code; for example it can detect someone replacing the logging program with a backdoored one. A network-based IDP can also be instructed to manage systems and files for integrity-checking purposes.
Cyber vandalism
IDP solution: a carefully installed and configured host-based IDP can identify every problem related to cyber vandalism. For example, every change to a web page can be recorded in the audit trail of the device on which the page resides. Besides being configurable to manage every change to the web site, a host-based IDP can also carry out the countermeasures configured by the security administrator. A network-based IDP can use predefined attack signatures to detect precisely the unauthorised access to the operating system and applications, as well as file deletion and web page modification.
Proprietary data theft
IDP solution: a host-based IDP that manages critical data can detect files being copied illegitimately. In some cases the IDP can rely on the operating system's audit trail, but in many cases that auditing carries too much overhead (as with Windows NT). In those cases the host-based IDP must manage the critical files separately. A network-based IDP can be adapted to manage access to critical files and to identify communications containing keywords. A host eavesdropping on the network is in some cases very hard to detect from the network; IDP software on the host itself, however, can detect that the host's interface has been put into promiscuous mode and is eavesdropping on communications.
Fraud, waste, abuse
IDP solution: a network-based IDP can be modified to block URLs, although dedicated URL-blocking programs linked to the firewall can work more effectively, maintaining a dynamic URL list and an abuse policy based on user ID. A host-based IDP can enforce a company-defined policy; unauthorised access to and modification of system files can be detected by host-based IDP as well as network-based IDP. Any change can be recorded in the system audit trail immediately, and the agent can easily track those actions.

Audit trail tampering

IDP solution: a host-based IDP agent can watch for tampering with the audit trail (deletion, suspension or modification) and take appropriate action. A network-based IDP can supply the context needed to detect that the audit trail has been accessed or modified.
Security infrastructure attack
IDP solution: network administration actions are usually logged in the audit trail on the host or router at selected nodes of the network, such as syslog on UNIX. A host-based IDP can capture the logins that perform actions such as adding privileged accounts, or suspicious changes to routers and firewalls. A network-based IDP can supply the context needed to manage the abuse.

2.5 Conclusion
In chapter 2 the author has presented detailed and concrete concepts of intrusion, intrusion detection and intrusion prevention. Intrusion detection and prevention systems have also been presented concretely in terms of structure, functions, placement and principle of operation, to give the most direct and clear picture possible.

CHAPTER 3: BUILDING AN IDS/IPS MODEL FOR AN ENTERPRISE NETWORK
3.1 Introduction to intrusion prevention and protection solutions:
Intrusion prevention and protection solutions can be divided into two main kinds: software solutions and hardware solutions.

3.1.1 Software solutions:

The representative software solution is Snort. Snort is a free, open-source network intrusion detection system. Data is captured and analysed by Snort, which then stores it in a MySQL database through an output plug-in. An Apache web server with ACID, PHP, the GD library and PHPLOT presents this data in the browser when a user connects to the server.
The user can build many kinds of query to analyse the data. Snort is primarily a rule-based IDS, but preprocessor plug-ins also exist to detect anomalies in protocol headers.
Snort uses rules stored in text files, which the administrator can edit. The rules are grouped by category, and the rules of each category are kept in a separate file. Snort's main configuration file is snort.conf. Snort reads these rules at start-up and builds the data structures that apply the rules to captured data. Snort ships with a set of predefined rules for detecting intrusive activity, and the administrator can add rules as well.
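To make concrete how a text rule set like Snort's drives both the signature-based detection of section 2.2.3 and the alert-versus-drop response of section 2.3.1, the following Python example is added to this summary. It is neither Snort's code nor the thesis's own; it implements only a small subset of Snort's rule syntax (action, protocol, addresses, ports, and the msg, content, nocase and sid options). The rules, the value of $HOME_NET and the sample packets are constructed. The same engine runs as an IDS (alert only) or as an inline IPS (drop rules enforced).

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

HOME_NET = "192.168.1.0/24"   # assumed value of Snort's $HOME_NET variable

# Constructed rules in a subset of Snort's text syntax (not taken from any real rule set).
RULES = r"""
alert tcp any any -> $HOME_NET 80 (msg:"WEB-ATTACK directory traversal"; content:"../../"; sid:1000001;)
drop  tcp any any -> $HOME_NET 80 (msg:"WEB-ATTACK /etc/passwd access"; content:"/etc/passwd"; sid:1000002;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH scanner client banner"; content:"SSH-2.0-libssh"; nocase; sid:1000003;)
drop  udp any any -> $HOME_NET 53 (msg:"DNS TXT query to internal resolver"; content:"|00 10 00 01|"; sid:1000004;)
"""

RULE_RE = re.compile(
    r"^(alert|drop|pass|log)\s+(tcp|udp|icmp|ip)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    nocase: bool = False
    contents: list = field(default_factory=list)   # list of bytes; all must appear

    def matches(self, pkt):
        if self.proto != pkt.proto:
            return False
        if not (_addr_match(self.src, pkt.src) and _addr_match(self.dst, pkt.dst)):
            return False
        if not (_port_match(self.sport, pkt.sport) and _port_match(self.dport, pkt.dport)):
            return False
        payload = pkt.payload.lower() if self.nocase else pkt.payload
        return all((c.lower() if self.nocase else c) in payload for c in self.contents)


def _addr_match(spec, ip):
    spec = spec.replace("$HOME_NET", HOME_NET)
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def _content_bytes(spec):
    """Translate Snort content syntax, e.g. 'abc|00 10|', into bytes (|..| is hex)."""
    out = bytearray()
    for i, segment in enumerate(spec.split("|")):
        out += bytes.fromhex(segment) if i % 2 else segment.encode("latin-1")
    return bytes(out)


def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    action, proto, src, sport, dst, dport, options = m.groups()
    rule = Rule(action, proto, src, sport, dst, dport)
    for option in options.split(";"):
        option = option.strip()
        if not option:
            continue
        key, _, value = option.partition(":")
        value = value.strip().strip('"')
        if key == "msg":
            rule.msg = value
        elif key == "content":
            rule.contents.append(_content_bytes(value))
        elif key == "sid":
            rule.sid = int(value)
        elif key == "nocase":
            rule.nocase = True
    return rule


class RuleEngine:
    """Signature matcher. inline=False behaves as an IDS (alert only);
    inline=True behaves as an IPS and enforces 'drop' rules."""

    def __init__(self, rule_text, inline):
        self.rules = [parse_rule(l) for l in rule_text.splitlines()
                      if l.strip() and not l.lstrip().startswith("#")]
        self.inline = inline
        self.alerts = []   # (sid, msg, src) per matching rule

    def inspect(self, pkt):
        verdict = "pass"
        for rule in self.rules:
            if rule.matches(pkt):
                self.alerts.append((rule.sid, rule.msg, pkt.src))
                if rule.action == "drop" and self.inline:
                    verdict = "drop"
        return verdict


# Constructed traffic toward hosts in $HOME_NET (and one host outside it).
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.5", 51000, "192.168.1.10", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("tcp", "203.0.113.5", 51001, "192.168.1.10", 80,
           b"GET /../../../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("tcp", "198.51.100.7", 40022, "192.168.1.10", 22, b"SSH-2.0-LIBSSH_0.8.9\r\n"),
    Packet("udp", "203.0.113.5", 53001, "192.168.1.53", 53,
           b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
           b"\x04data\x07example\x03com\x00\x00\x10\x00\x01"),
    Packet("tcp", "203.0.113.5", 51002, "10.9.9.9", 80,
           b"GET /../../../../etc/passwd HTTP/1.1\r\nHost: other\r\n\r\n"),
]

if __name__ == "__main__":
    ips = RuleEngine(RULES, inline=True)
    for pkt in SAMPLE_PACKETS:
        print(f"{ips.inspect(pkt):4s} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    for sid, msg, src in ips.alerts:
        print(f"  [{sid}] {msg} from {src}")
```

Two points the engine makes visible: a rule without a direction or address constraint would have fired on the last packet as well (destined outside $HOME_NET), which is how poorly scoped signatures produce the false positives listed in section 2.2.2; and the difference between IDS and IPS is only the `inline` flag, the detection logic being identical, which is why the thesis treats them together as IDP. Real Snort rules carry many more options (flow state, offsets, PCRE) and the real matcher is a compiled multi-pattern search, not a linear scan.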

3.1.2 Hardware solutions:

Hardware solutions are quite varied, with products from well-known vendors such as Cisco, ISS and others. This thesis, however, presents Cisco's products and uses them in the simulation.
Some notable Cisco IPS product lines:
- Cisco IPS 4200 Series Sensors
- Catalyst 6500
- Cisco ASA 5500 Series
Software architecture of Cisco IPS:
The Cisco sensor software runs on all sensor platforms and provides traffic analysis, intrusion detection and device management functions. As noted at the end of chapter 2, there are several approaches to traffic analysis. Among them, Cisco's products mainly use signature analysis; the product's signature database is very large and is updated regularly to detect and block attacks on the network. The supporting analysis tools are simple but very flexible and inventive, aiming for maximum effectiveness with few false alarms.
Cisco IPS products also support anomaly-based analysis: protocol verification features check network traffic for conformance to the protocols, and the administrator can configure traffic thresholds to detect attacks.
Traffic passing through a Cisco IPS sensor is inspected in the following steps:
1. First the Cisco IPS sensor applies pre-processing to the traffic entering the sensor. The appropriate virtual sensor is selected on the basis of the interface or VLAN on which the traffic arrives.
2. The IPS filters and blocks access from known compromised ("zombie") IP addresses; traffic from these bad addresses is denied.
3. Traffic is checked against the information in the database using the signature method.
4. Traffic and protocol anomaly detection is applied (if enabled on the IPS sensor).
5. Global correlation is checked, raising the risk rating of events and allowing a threat to be blocked without a specific signature.
6. In the final step of traffic analysis and processing, the sensor applies the appropriate actions to the traffic. The results from several signatures together determine the sensor's actions.

3.2 Building an IDS/IPS model for an enterprise network:

As presented in chapter 1, IDS/IPS is not a stand-alone security solution meant to replace traditional security solutions, but one of several solutions that are combined sensibly to strengthen and raise the level of security.
A security system may comprise many security components depending on the scale, the model of the system to be protected, its purpose, the specific requirements of the system and the equipment used in it.
Besides paying attention to the system model and the other security devices in the system, we also need to understand clearly the types of IDS/IPS and their placement in the network, as described in detail in chapter 2.
In short, building an IDS/IPS model in particular, and a security model in general, for a network requires deep and broad understanding of the network model, the network devices and the security devices, and a harmonious combination of all of them. In this chapter the author presents a model showing a security solution for a securities company in which IDS/IPS is used.
The five zones of the overall security model are:
- The LAN inside the securities company's building, comprising:
  o The LAN of the PCs of the office, finance and operations departments, financial advisory and securities brokerage.
  o The IP PBX system serving the company's communications.
- The DMZ servers providing online services reached over the Internet: e-mail, the market-information web site, Online Brokerage, Online OTC.
- The database and critical application servers that run the securities transaction management system.
- Remote users reaching the company's network and applications over the Internet, comprising:
  o Company staff working at the two stock exchange centres in Hà Nội and Hồ Chí Minh City, connecting by client-to-site VPN into the company network.
  o Investors accessing the company's web site and online securities services (Online Brokerage, Online OTC).
- The company's agents and branches, connecting by site-to-site VPN or WAN into the company network. This zone will also carry the connection from the securities company to the networks of the settlement and depository banks in the future.
Most enterprises need security, especially today, when there are many attacks on both state-owned and private enterprises. Enterprises are all affected to some degree when their networks and databases are intruded on and attacked. It is very hard to give a single security model for all enterprises, so in this chapter the author presents a model showing a security solution, including IDS/IPS, for a securities company. The author chose a securities company because its security requirements are very high and it contains nearly all the positions that need protecting in other enterprises, so other enterprises can use the securities company's security model as a reference when choosing their own.
To secure connections and information exchange, and to block attacks from both inside and outside the network, the overall security solution is proposed as follows:
Segmenting the network into zones and protecting them with a firewall system
The network inside the company's building is divided into three main zones:
- The DMZ, containing the servers for online services such as the web site, e-mail and the Online Brokerage and Online OTC applications.
- The database and critical application servers: back office, customer, transaction and depository databases. These are the main servers that run the entire software system and the databases involved in buying and selling securities.
- The LAN, comprising the office and operations departments and the IP telephony system.
The zones are planned on separate IP ranges. The firewall system controls the traffic passing between them: access from the Internet to the online-services zone, LAN users reaching the Internet over leased line, ADSL or wireless, and LAN users reaching the application and database server zone. The firewall controls, authenticates and blocks illegitimate access and attacks by hackers, whether from the Internet or launched directly from inside the network against the server zones. Concretely, the author proposes two firewalls from two different vendors: firewall 1 and the router (gateway) are integrated in a Cisco ASA5520-BUN-K9 appliance, and firewall 2 is a Juniper SSG 520.
Using two firewalls ensures that the security model separates the network into the segments Internet, DMZ and critical-data zone. Firewall 1 manages the traffic and network access between the Internet and the DMZ; in addition, the ASA5520-BUN-K9 integrates the gateway and IPsec VPN. The Juniper SSG 520 controls access requests from the LAN and from the Internet (through the DMZ) into the database and application server zone. Using firewalls from two different vendors diversifies the security of the network model: a flaw or misconfiguration in one product does not expose both layers at once.
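The zoning and default-deny policy described in this section can be written down and checked before either firewall is configured. The following Python example is added to this summary as an illustration and is not the thesis's own material or vendor configuration: it assigns addresses to the zones of the model, expresses the permitted flows as an allow-list, and evaluates sample flows against it, so that a flow such as Internet to the database zone is shown to be denied at design time. The address plan, the port numbers (1521 for the database listener, 8443 for the trading application) and the sample flows are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Assumed address plan for the zones of the securities-company model (constructed).
ZONES = {
    "DMZ":    ip_network("172.16.10.0/24"),  # web, mail, Online Brokerage / Online OTC front ends
    "SERVER": ip_network("172.16.20.0/24"),  # back-office database and application servers
    "LAN":    ip_network("10.10.0.0/16"),    # office PCs and IP telephony
    "VPN":    ip_network("10.200.0.0/24"),   # client-to-site pool for exchange-floor staff
    "BRANCH": ip_network("10.30.0.0/16"),    # site-to-site branches and agents
}

# Allow-list of (src zone, dst zone, protocol, destination ports); anything not
# listed is denied by both firewalls. Port numbers are assumptions for the example.
POLICY = [
    ("INTERNET", "DMZ",      "tcp", {80, 443, 25}),       # public services only
    ("LAN",      "INTERNET", "tcp", {80, 443}),           # browsing via the gateway
    ("LAN",      "DMZ",      "tcp", {80, 443, 25, 143}),  # staff use the same services
    ("LAN",      "SERVER",   "tcp", {1521, 8443}),        # back-office DB listener and app
    ("DMZ",      "SERVER",   "tcp", {1521}),              # brokerage front ends reach the DB
    ("VPN",      "SERVER",   "tcp", {8443}),              # remote staff: application only
    ("BRANCH",   "SERVER",   "tcp", {8443}),
]


def zone_of(ip):
    addr = ip_address(ip)
    for name, network in ZONES.items():
        if addr in network:
            return name
    return "INTERNET"   # any address outside the internal plan


def evaluate(src_ip, dst_ip, proto, dport):
    """Return 'allow' or 'deny' for a single flow under the zone policy."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "allow"   # intra-zone traffic never crosses a firewall
    for policy_src, policy_dst, policy_proto, ports in POLICY:
        if (policy_src, policy_dst, policy_proto) == (src_zone, dst_zone, proto) and dport in ports:
            return "allow"
    return "deny"


def audit(flows):
    """Evaluate (src, dst, proto, dport) flows; returns (flow, verdict) pairs."""
    return [(flow, evaluate(*flow)) for flow in flows]


# Constructed flows, including the ones the design must reject.
SAMPLE_FLOWS = [
    ("203.0.113.7", "172.16.10.5", "tcp", 443),    # investor -> brokerage web site
    ("203.0.113.7", "172.16.20.10", "tcp", 1521),  # Internet -> database: must be denied
    ("10.10.5.23", "172.16.20.10", "tcp", 1521),   # back-office PC -> database
    ("10.10.5.23", "172.16.20.10", "tcp", 22),     # office PC -> SSH on the database host
    ("172.16.10.5", "172.16.20.10", "tcp", 1521),  # web front end -> database
    ("172.16.10.5", "10.10.5.23", "tcp", 445),     # compromised web server pivoting to LAN
    ("10.200.0.7", "172.16.20.10", "tcp", 8443),   # VPN user -> trading application
    ("10.200.0.7", "172.16.20.10", "tcp", 1521),   # VPN user -> database directly
]

if __name__ == "__main__":
    for (src, dst, proto, port), verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:5s} {zone_of(src):8s} -> {zone_of(dst):8s} {src} -> {dst}:{port}/{proto}")
```

The DMZ-to-SERVER rule is the one most worth narrowing in practice: only the brokerage front ends, by host address, should reach the database listener, so that a compromised mail or web server in the DMZ cannot use the same path. The same table can be replayed against the firewalls' exported rule sets to confirm that what was configured matches what was designed.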
Establishing and protecting the VPN connections.
In the site-to-site VPN model, each branch or agent uses a dedicated firewall/VPN appliance. The appliance has full firewall functions and establishes the site-to-site tunnel over a leased line or ADSL. In this model the VPN server at headquarters automatically authenticates both ends and checks their security before allowing the tunnel to be established.
The client-to-site model applies to company staff working at the stock exchange centres, who establish tunnels over the Internet or dial-up; users are authenticated by several methods such as certificates, tokens and smart cards before the connection is allowed.
VPN connections are terminated on the Cisco ASA5520-BUN-K9, which integrates the IPsec VPN gateway and the firewall. The ASA5520-BUN-K9 also provides load balancing to improve traffic control.
The Cisco ASA 5520 provides a range of security services with high availability and Gigabit Ethernet connectivity for high-performance small and medium enterprise networks. With four Gigabit Ethernet interfaces and support for up to 25 VLANs, the enterprise can easily extend security services to many zones of the system.
Establishing intrusion prevention systems for the critical information zones.

In the overall security model for the securities company, the database and application server zone is the most important part of the company's information exchange. If one of these servers is attacked or fails, the business of the company is affected directly. Therefore, besides the firewall system protecting the company's network infrastructure, an intrusion prevention system (IPS) must be added to protect this application server zone specifically. Unlike a network firewall, the IPS detects and blocks intrusions at the application layer, inspecting the protocols and traffic directly in ways the firewall cannot. The system must process traffic fast enough not to choke the high-density information exchange.
The IPS can block unknown attacks as well as known ones such as DoS, trojans, peer-to-peer downloads, backdoors, malicious HTTP and e-mail attachments, without affecting network operation. In particular, the IPS appliance can analyse and recognise the protocols used in VoIP, such as SIP, MGCP, H.323, H.225, H.245, Q.931, T.120 and SCCP, to identify attacks on them.
The appliance is placed in front of the server farm to protect the whole zone, controlling all requests for data at both the network and the application level on the servers. The database of attack signatures is updated continuously, to block as far as possible the attacks that can occur today.
Because the Cisco ASA 5520 integrates IDS/IPS, it is also used to run IPS for the DMZ, to detect signs of attack on that zone. The IPS appliance proposed for the database and application server zone is the Cisco IPS 4270 Sensor, a network sensor with full intrusion detection and prevention functions; it also suits the security scale of a securities business.
Blocking virus attacks at the gateway and in the network zones.
The routes by which a virus can attack and break out in the securities company's network are fairly varied: from the Internet, from users inside and outside the network, and especially via e-mail. An effective defence needs anti-virus and anti-spyware protection at all four layers of the network: gateway, mail server, servers and PCs. The system must be managed centrally and uniformly and must always receive virus and spyware signature updates from the major anti-virus and anti-spyware centres in the world. A common security policy, combined with the other security solutions, is also needed for virus and spyware protection to be more effective.

3.3 Conclusion
Chapter 3 introduces several intrusion detection and prevention solutions: Snort (software) and the hardware products of Cisco, ISS and others. The author also presents the use of IDS/IPS within the security system of a specific case, the information security system of a securities company. To make it more practical and concrete, the author presents the simulation of the (Cisco) IDS/IPS system on GNS3 in the appendix at the end of the thesis.


CONCLUSION
We can see that no single security measure is perfect or complete enough to solve every security problem of a computer network. To achieve the highest level of safety for a computer network, a security system comprising many measures must be used, and they must be combined sensibly and effectively. The thesis has studied IDS/IPS in depth and presented its concepts, characteristics, structure, functions and the ways of using IDS/IPS most effectively; the author has also simulated Cisco's IDS/IPS on GNS3 to give an intuitive view of IDS/IPS. IDS/IPS is an effective measure for detecting and blocking unauthorised intrusion as well as misuse of privileges. IDS/IPS is a suitable choice for defending against DoS and for protecting the critical application and data servers in the DMZ. Alongside other security measures such as firewalls and VPNs, IDS/IPS is an indispensable part of a network security system. Depending on the network model and the security requirements, IDS/IPS is used in the way that is appropriate and effective.
The thesis is a foundation for further research on network security systems in general and intrusion prevention systems in particular.
