
PREFACE

Today's need to exchange information compels individuals as well as agencies and organizations to join the global Internet. Information safety and security is one of the foremost concerns when connecting to the Internet. Today, security measures for personal computers as well as for local networks have been researched and deployed. Nevertheless, networks are still attacked regularly and organizations still have information stolen, with very serious consequences. These attacks target every computer present on the Internet, mostly with malicious intent; they arrive without warning, their number is rising quickly, and the attack methods are continually refined. Connecting a computer to a local network, or to the Internet, therefore requires security measures. Starting from the real dangers we face every day on the Internet, I chose the topic "Research and application of intrusion detection systems", with the aim of understanding the operating principles and the theoretical basis, together with a number of processing techniques, that form the foundation for building an intrusion detection system.

I sincerely thank Assoc. Prof. Dr. Nguyen Thi Viet Huong for her dedicated guidance. Since my knowledge is still limited and network security is still a new field, this thesis cannot avoid shortcomings, and I very much welcome the comments of the faculty.

The main content of this thesis consists of four chapters:
Chapter I: Overview of computer network security
Chapter II: Building a network security model and introducing some security technologies
Chapter III: Intrusion detection and prevention systems (IDS/IPS)
Chapter IV: Practical application

CHAPTER I. OVERVIEW OF COMPUTER NETWORK SECURITY


I. OVERVIEW OF COMPUTER NETWORK SECURITY

In a networked system, the safety and security of the information system plays an extremely important role. Information is only valuable while it remains accurate, and information is only confidential while only those authorized to hold it can learn it. When we do not yet hold much information, or when the information system is not yet the only means of management and operation, safety and security are sometimes overlooked. Once the importance of the system's resilience and the real value of the information it holds are recognized, the safety and security of the information system are assessed at a higher level. Ensuring the safety and security of a system requires coordination among hardware, software, and people.
1. The need for network security and the assets to protect

To see the importance of ensuring network security, we examine the effects of a loss of network security and from them derive the assets that must be protected.

Harm caused by a failure to ensure network security:
- Financial cost
- Lost time
- Impact on system resources
- Damage to honor and reputation
- Lost business opportunities

Assets that need protection:
- Data
- Resources: people, systems, communication links
- Reputation

2. Criteria for evaluating the level of network safety and security

To ensure security for a network, a set of criteria for evaluating the level of network safety and security must be established. A number of accepted criteria serve as the measure of network security.

2.1 Evaluation from the physical perspective

Equipment safety. Equipment used in the network should meet the following requirements:
- Hot standby equipment for sudden failures, with the ability to replace parts or whole units while running (hot-plug, hot-swap).
- The ability to update, upgrade, and add hardware and software.
- Power requirements, with backup power for sudden outages.
- Requirements matching the surrounding environment: humidity, temperature, lightning protection, fire and explosion prevention, etc.

Data safety:
- Periodic data backups, plus ad-hoc backups for situations as they arise.
- Both centralized and distributed data storage, to spread risk in special cases such as fire, explosion, natural disaster, war, etc.

2.2 Evaluation from the logical perspective

Evaluation from this perspective can be divided into the following basic elements.

Confidentiality. This is the protection of transmitted data against passive attacks. Several levels of protection against this kind of attack can be used. The broadest service protects all user data transmitted between two users over a period of time. If a virtual circuit is established between two systems, this broad level of protection prevents the disclosure of any data transmitted on that circuit. Narrower forms of the service include protecting an individual message, or even specific fields within a message. Another aspect of confidentiality is protecting traffic against analysis: this keeps an attacker from observing the frequency and length of messages, their source and destination, or other characteristics of the traffic on a communication medium.

Authentication. This concerns ensuring that a communication is genuine. In the case of a single message, such as an alarm or warning signal, the function of the authentication service is to assure the recipient that the message is from the source it claims to be from. In the case of an ongoing interaction, such as a terminal connecting to a host, two aspects are involved. First, at the time the connection is initiated,

the service assures that the two entities are authentic, that is, each is the entity it claims to be. Second, the service must assure that the connection is not interfered with by a third party masquerading as one of the two legitimate parties in order to send or receive messages without authorization.

Integrity. As with confidentiality, integrity can apply to a stream of messages, a single message, or selected fields within a message. Again, the most useful and straightforward approach is protection of the whole data stream. A connection-oriented integrity service, dealing with a stream of messages, assures that messages are received as sent, with no duplication, insertion, modification, reordering, or replay. Destruction of data is also covered by this service. Thus the connection-oriented integrity service addresses both modification of the message stream and denial of service. A connectionless integrity service, on the other hand, deals with individual messages without regard to any larger context and generally provides protection against message modification only. We can also distinguish between services with and without recovery. Because the integrity service relates to active attacks, we are concerned with detection rather than prevention. If a violation of integrity is detected, the service may simply report the violation, and some other part of the software, or human intervention, is required to recover from it. Alternatively, there are mechanisms available to recover from the loss of data integrity.

Non-repudiation. Non-repudiation ensures that neither the sender nor the receiver can deny a transmitted message. Thus, when a message is sent, the receiver can prove that the message was in fact sent by the alleged sender. Similarly, when a message is received, the sender can prove that the message was in fact received by the alleged receiver.

Access control. In the context of network security, access control is the ability to limit and control access to host systems via communication links. To achieve this, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual.

Availability.

A system that ensures availability means that data can be accessed whenever desired, within an allowed time window. Various attacks can cause a loss or reduction of the availability of a service. The availability of a service reflects the ability to prevent, and to recover from, the losses to the system that attacks cause.

3. Identifying threats to network security

1. Unstructured threats. Hacking tools and scripts are plentiful on the Internet, so anyone who is curious can download them and try them on the local network and on remote networks. There are also people who enjoy breaking into computers and getting past whatever is protected. Most unstructured attacks are carried out by script kiddies (attackers who only use tools provided by others and have little or no programming ability) or by people of moderate skill. Most of these attacks are carried out out of personal interest, but many are malicious. Either way, they harm the system and the company's image. Although the expertise behind such attacks is not high, they can still disrupt the company's operations and are a major danger; sometimes running a single piece of code is enough to break the company's network functions. A script kiddie may, without realizing it, use that code against every host in the system with the aim of getting into the network, and in doing so accidentally damage a large part of it. In other cases, someone who only wants to test their abilities, with no malicious intent, still causes serious harm to the system.

2. Structured threats. Structured threats are deliberate, motivated, and technically skilled actions. Unlike script kiddies, these attackers have the skill to understand tools, to modify existing tools, and to create new ones. They act individually or in groups; they understand, develop, and use sophisticated hacking techniques to penetrate the target. The motives for these attacks are many; common ones include money, political activity, anger, or revenge. Criminal organizations, competitors, or ethnic organizations may hire experts to carry out structured-threat attacks. These attacks usually have a predetermined goal, such as obtaining a competitor's source code. Whatever the motive, such attacks can cause serious consequences

for the system. A successful structured attack can bring down the whole system.

3. External threats. External threats are attacks created by someone with no rights in the system. Anyone in the world can mount such an attack over the Internet. Perimeter defenses are the first line of defense against external threats; by strengthening the perimeter, the impact of this type of attack can be reduced to a minimum. External threats are the threats that companies usually spend the most money and time preventing.

4. Internal threats. The term internal threat describes an attack carried out by a person or organization that already has some access to your network. Internal attacks are carried out from a trusted area of the network. This threat can be harder to defend against, because employees can access the network and the company's confidential data. Most companies only have firewalls at the network border and rely entirely on ACLs (Access Control Lists) and server access permissions for internal security. Server access permissions usually protect resources on the server but provide no protection for the network. Internal threats are usually carried out by disgruntled employees who want to turn against the company. Many security measures concern the network perimeter, protecting the internal network from outside connections such as the Internet. Once the perimeter is secured, the trusted internal parts tend to be guarded less strictly, so once an intruder gets past the outer layer of security, the rest is usually very simple. Sometimes structured attacks on the system are carried out with the help of an insider. In that case the attacker becomes a structured internal threat, who can cause serious harm to the system and steal the company's important resources. The structured internal threat is the most dangerous type of attack for any system.

4. Identifying system vulnerabilities and risks
4.1 System vulnerabilities

A system vulnerability is a place where an attacker can exploit the system to carry out an attack. Vulnerabilities can exist in the network system or in the network administration procedures:
- Programming vulnerabilities (back doors)
- Operating system vulnerabilities
- Application vulnerabilities
- Physical vulnerabilities
- Vulnerabilities in management procedures (passwords, file sharing, etc.)
4.2 System risk

System risk is formed by the combination of the system's vulnerabilities, the threats to the system, and the system's existing safeguards (the first two increase risk, the safeguards reduce it):

Risk = Threats + Vulnerabilities + Existing safeguards

Identifying system vulnerabilities. Identifying vulnerabilities starts from the system's entry points, such as:
- Internet connections
- Remote access points
- Connections to other organizations
- Physical access to the system
- User access points
- Wireless access points

Identifying threats. Identifying threats is very difficult, for the following reasons:
- Threats usually do not appear clearly (they are hidden)
- The forms and techniques of attack are diverse: DoS/DDoS, backdoors, buffer overflows, viruses, Trojan horses, worms, social engineering
- The time of an attack is not known in advance
- The scale of an attack is not known in advance
Reviewing the existing network security measures. The security measures fall into the following categories:
- Firewalls
- Anti-virus software
- Access control
- Authentication systems (passwords, biometrics, ID cards, etc.)
- Data encryption
- Intrusion detection systems (IDS)
- Other techniques: AD, VPN, NAT
- User awareness
- A security policy and a system recovery plan

5. Identifying the dangers

1. Virus. A computer virus is a program that can replicate itself and spread from one computer to another regardless of the user's permission. The original virus program and its copies can mutate. A virus can only spread from one machine to another when the computer comes into contact with the source of infection through a data exchange channel such as a floppy disk, CD, or USB drive, and especially through exchanges over a network.

2. Trojan horse. A Trojan is a file that appears harmless before it is executed. Unlike a virus, a Trojan does not insert code into other files. Trojans are often attached to games or free software, and often go undetected. When the application is executed, the Trojan carries out its task at the same time. Many personal computers connected to the Internet are in a favorable position to be infected with Trojans. Today Trojans are installed as a component of software that enters the system through a back door and looks for security holes on its own.

3. Worm. A worm can spread automatically from one machine to another without necessarily travelling as part of a host file. A worm is a program that reproduces itself by searching for files to infect through the operating system. Today worms usually spread by e-mail: the worm replicates itself and sends itself to the addresses in the user's address book. Worms can also spread through downloaded

files. The danger of a worm is that it can disable anti-virus programs and other security measures, for example by stealing passwords.

4. Logic bombs. A logic bomb is a piece of foreign code inserted into a software system with a destructive purpose; it is planted in a dormant state and, when a suitable condition is met, is triggered to cause damage. For example, a programmer may insert into their software a piece of code that deletes files if the customer does not pay the fee during use. Logic bombs are usually triggered by a time limit. The same technique is also used in viruses, worms, or Trojans that are triggered simultaneously at a certain time; these are known as time bombs.

5. Adware (advertising-supported software). Adware, or advertising-supported software, is a software package that automatically plays, displays, or downloads advertising material after it is activated.

6. Spyware. Spyware is computer software used to collect a person's private information without their consent. The term spyware appeared in 1995 and became widespread five years later. The private information collected includes system access credentials (usernames, passwords, etc.), the addresses of frequently visited web sites, information stored on the hard disk of the personal computer, and so on. Spyware often uses deception when a user submits information to some web site, especially confidential information such as credit card PINs, telephone numbers, and so on.

7. Backdoor. A backdoor is a temporary workaround for remote access into a supposedly secure system that is left in place, invisibly, because of carelessness in the review process. A backdoor may be shipped with a program or produced by modifying a legitimate program.

II. SOME COMPUTER NETWORK ATTACK METHODS AND COUNTERMEASURES

Attacks on networks are becoming extremely sophisticated, complex, and hard to anticipate, and cause great harm. Attack techniques constantly change and are often discovered only after they have left damaging consequences. A necessary requirement for protecting a network is to analyze, catalogue, and classify the types of attack and to find the vulnerabilities that can be exploited. Attacks can be classified in several ways.

By the nature of the intrusion on information
- Active attacks: attacks that intervene in the content and flow of information, modifying or deleting it. This type of attack is easy to notice, once deviations in the information are detected, but hard to prevent.
- Passive attacks: eavesdropping attacks that capture information but cannot alter or destroy the content or flow of information. This type of attack is easy to prevent, but it is hard to tell whether information has been leaked.

By the location in the network
- Attacks directly against the server providing a service, paralyzing the server and so interrupting the service; in other words, attacks on hardware devices and the operating system.
- Attacks on the database, leaking, corrupting, or losing information.
- Attacks on intermediate transmission nodes, congesting or interrupting the network.
- Attacks on the transmission line (stealing information from the physical medium).

By attack technique
- Denial of service: attacks on a server to paralyze a particular service.
- Abuse of access privileges: the attacker gets into a server after passing the access levels, then uses those privileges to attack the system.
- Physical theft: stealing information from the physical transmission medium.
- Information gathering: capturing files passing over the network and assembling them into the needed content.
- Password cracking: guessing, breaking, or cracking passwords.
- Exploitation of system and network vulnerabilities: direct attacks on the weak points and holes of the network.
- Spoofing: impersonating someone else to avoid detection when sending meaningless information or attacking the network.


- Malicious code: code harmful to the system, sent to the system inside packets.

1. Methods of intruding into a system

1. Stealing information with packet sniffers. A packet sniffer is an application that captures all packets travelling on the network (on one collision domain). Sniffers are usually used for network troubleshooting or traffic analysis. However, because some applications send data over the network in clear text (telnet, FTP, SMTP, POP3, etc.), a sniffer is also a tool for a hacker to capture sensitive information such as usernames and passwords, and from there to reach other parts of the network.

2. Password attacks. Hackers attack passwords by several methods: brute-force attacks, Trojan horse programs, IP spoofing, and packet sniffers. Although packet sniffers and IP spoofing can obtain user accounts and passwords, hackers more often use brute force to obtain user accounts. A brute-force attack is carried out with a program running on the network that tries to log in to shares on the server by trial and error on the password.

3. Mail relay attacks. This is a common method today. If the e-mail server is configured incorrectly, or a user's username/password is leaked, a hacker can abuse the e-mail server to send mail that floods the network or damages other e-mail systems. In addition, by attaching scripts to mail, a hacker can launch spam attacks while indirectly attacking internal database servers or launching DoS attacks on some target.

4. Attacks on the DNS system. The DNS server is the weakest point of all the application server types and is also the most important system among the servers. Attacking and taking control of the DNS server is a dangerous act of sabotage that affects the whole operation of communications on the network.

5. Man-in-the-middle attacks. This type of attack requires the hacker to have access to the network's packets. One example is someone working at an ISP who can capture all the packets of a customer company, as well as the packets of every other company with a leased line to that ISP, in order to steal information or take over a session into the customer company's private network. This type of attack is carried out with a packet sniffer.

6. Network reconnaissance. Network reconnaissance covers all activities aimed at obtaining information about the network. When a hacker tries to break into a network, they usually have to gather as much information about it as possible before attacking. This is done with tools such as DNS queries, ping sweeps, or port scans.

7. Trust exploitation. This type of attack takes advantage of trust relationships in the network. An example is a system outside the firewall that has a trust relationship with a system inside the firewall: when the outside system is compromised, the hacker can follow that relationship to attack inside the firewall.

8. Port redirection. This is a form of trust exploitation that uses a compromised host to pass through the firewall. For example, a firewall has three interfaces; an outside host can reach a host on the DMZ but cannot reach an inside host, while the DMZ host can reach both the inside and the outside. If a hacker breaks into the host on the DMZ, they can install software on it to redirect traffic from the outside host to the inside host.

9. Application-layer attacks. Application-layer attacks are carried out in many different ways. One of the most common is to attack weaknesses in software such as sendmail, HTTP, or FTP. The main reason these attacks succeed is that they use ports the firewall lets through: for example, hackers attack a web server over TCP port 80 and a mail server over TCP port 25.


10. Virus and Trojan horse attacks. The main dangers to workstations and end users are viruses and Trojan horses. A virus is malicious software attached to another executable program in order to perform some destructive function. A Trojan horse works differently. An example is an application that runs a simple game on the workstation; while the user is absorbed in the game, the Trojan sends a copy of itself to every user in the address book. When another user receives and plays the game, it does the same again, sending itself to every mail address in that user's address book.

2. Methods of detecting and preventing intrusions

1. Stealing information with packet sniffers. Packet sniffing can occur on segments of the internal network, on RAS connections, or in the WAN. Packet sniffers can be countered in several ways.

Authentication. This is commonly implemented with one-time passwords (OTPs). The technique has two components: a personal identification number (PIN) and a token card, which is a hardware device or software application that generates a pseudo-random value (the password) at fixed intervals, usually every 60 seconds. The user combines that value with the PIN to form a password that is valid only once. If a hacker learns this password with a packet sniffer, the information is worthless because it has already expired.

Using switches instead of bridges or hubs limits broadcast traffic on the network, which hinders packet sniffers: for example, if the whole system uses switched Ethernet, the hacker can only see the traffic flowing to the one host the hacker is connected to. This does not completely stop packet sniffing, but it reduces its reach.

Anti-sniffer tools detect the presence of a packet sniffer on the network.

Encryption. All information travelling on the network is encrypted, so a hacker using a packet sniffer only captures encrypted packets. Cisco uses the IPSec protocol to encrypt data.

2. Password attacks. Ways to reduce password attacks:
- Limit the number of failed logins and require long passwords.
- Prohibit remote access to devices and servers through insecure protocols such as FTP, Telnet, rlogin, and rtelnet.
- Use SSL or SSH for remote management.

3. Mail relay attacks. Ways to reduce them:
- Limit mailbox size.
- Use anti-relay and anti-spam measures with security tools for the SMTP server, and require authentication (a password) on SMTP.
- Use a separate SMTP gateway.

4. Attacks on the DNS system. Ways to limit them:
- Minimize the other services running on the DNS server.
- Install a host IDS on the DNS system.
- Always update to the latest bug-fixed version of the DNS software.

5. Man-in-the-middle attacks. This type of attack can be limited by encrypting the data that is sent out; if hackers capture the packets, they get only encrypted data.

6. Network reconnaissance. Reconnaissance of this kind cannot be prevented completely. For example, we can turn off ICMP echo and echo-reply, which blocks ping sweeps, but that makes it hard to diagnose where a fault is when the network has a problem. NIDS and HIDS help by notifying us when reconnaissance activity occurs in the network.

7. Trust exploitation.


Attacks of this kind can be limited by creating different levels of access to the network and strictly defining which access level may reach which network resources.

8. Port redirection. This attack is countered with a HIDS installed on every server; the HIDS can help detect unfamiliar programs running on the server.

9. Application-layer attacks. Some ways to limit application-layer attacks:
- Keep log files and analyze them regularly.
- Always apply patches to the OS and applications.
- Use an IDS. There are two kinds:
  HIDS: a HIDS agent is installed on each server to detect attacks against that server.
  NIDS: examines every packet on the network (collision domain). When it sees a packet, or a sequence of packets, that looks like an attack, it can raise an alert or cut the session.
  IDSs detect attacks using signatures. The signature of an attack is a profile of that type of attack; when the IDS sees traffic matching some signature, it raises an alert.

10. Virus and Trojan horse attacks. Anti-virus software can be used to remove viruses and Trojan horses; always keep the anti-virus program up to date.
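The following is an added example, not code from the thesis or from any IDS product, illustrating the NIDS signature matching described under item 9 together with the reconnaissance detection of item 6. A signature is written as a profile (protocol, destination port, byte pattern in the payload); a second, stateful rule counts how many distinct targets one source touches inside a time window, which is how a port scan or ping sweep shows up even though no single packet is malicious on its own. The packet records, addresses, and signature names are constructed for this example.

```python
"""Signature matching and reconnaissance detection over packet records.

Added example for the IDS and reconnaissance sections above; not thesis code.
All packets, addresses and signatures below are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    ts: float          # seconds since start of capture
    src: str
    dst: str
    proto: str         # "tcp", "udp" or "icmp"
    dport: int = 0     # 0 for ICMP
    payload: bytes = b""


@dataclass
class Signature:
    name: str
    proto: str
    dport: Optional[int] = None      # None: any port
    pattern: Optional[bytes] = None  # None: no payload condition


# A "profile" of each attack, as the text calls it.
SIGNATURES = [
    Signature("FTP clear-text password", "tcp", 21, b"PASS "),
    Signature("Telnet login prompt", "tcp", 23, b"login:"),
    Signature("ICMP echo request", "icmp"),
]


def matches(pkt: Packet, sig: Signature) -> bool:
    if pkt.proto != sig.proto:
        return False
    if sig.dport is not None and pkt.dport != sig.dport:
        return False
    return sig.pattern is None or sig.pattern in pkt.payload


class SweepDetector:
    """Alert once per source that touches >= threshold distinct (dst, dport)
    targets within `window` seconds. A port scan (one host, many ports) and a
    ping sweep (many hosts, port 0) both trip the same counter."""

    def __init__(self, threshold: int = 10, window: float = 5.0) -> None:
        self.threshold = threshold
        self.window = window
        self._seen: Dict[str, Deque[Tuple[float, Tuple[str, int]]]] = defaultdict(deque)
        self._alerted: Set[str] = set()

    def observe(self, pkt: Packet) -> bool:
        q = self._seen[pkt.src]
        q.append((pkt.ts, (pkt.dst, pkt.dport)))
        while q and pkt.ts - q[0][0] > self.window:   # forget events outside the window
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= self.threshold and pkt.src not in self._alerted:
            self._alerted.add(pkt.src)
            return True
        return False


def analyze(packets: List[Packet], signatures: List[Signature] = SIGNATURES,
            sweep: Optional[SweepDetector] = None) -> List[str]:
    """Run every packet through the stateless signatures and the stateful sweep rule."""
    sweep = sweep or SweepDetector()
    alerts: List[str] = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        for sig in signatures:
            if matches(pkt, sig):
                alerts.append(f"{sig.name}: {pkt.src} -> {pkt.dst}:{pkt.dport}")
        if sweep.observe(pkt):
            alerts.append(f"scan/sweep: {pkt.src} probed >= {sweep.threshold} targets")
    return alerts


def sample_traffic() -> List[Packet]:
    """Constructed capture: an FTP login, a benign HTTP request, one ping,
    and a scanner walking 12 ports on one host within about a second."""
    pkts = [
        Packet(0.0, "10.0.0.7", "10.0.0.5", "tcp", 21, b"USER alice\r\n"),
        Packet(0.1, "10.0.0.7", "10.0.0.5", "tcp", 21, b"PASS hunter2\r\n"),
        Packet(0.2, "10.0.0.8", "10.0.0.5", "tcp", 80, b"GET / HTTP/1.0\r\n\r\n"),
        Packet(0.3, "10.0.0.9", "10.0.0.5", "icmp"),
    ]
    pkts += [Packet(1.0 + i * 0.1, "10.0.0.99", "10.0.0.5", "tcp", port)
             for i, port in enumerate(range(20, 32))]
    return pkts


if __name__ == "__main__":
    for line in analyze(sample_traffic()):
        print(line)
```

Running the sample yields three alerts: the clear-text FTP password, the echo request, and a single scan alert for 10.0.0.99 (raised when its tenth distinct port is seen, not once per packet). A scanner that spaces probes further apart than the window is not caught by this rule, which is why the text pairs a NIDS with log review and a HIDS.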


CHAPTER II. BUILDING A NETWORK SECURITY MODEL AND INTRODUCING SOME SECURITY TECHNOLOGIES


I. THE NETWORK SECURITY MODEL

In today's communication systems, data such as decisions, directives, and documents travels over the network in huge and diverse volumes. As data travels from sender to receiver, we are concerned with the following questions:
- Has the data been modified?
- Has the data been forged (sent under a false identity)?
Since no solution is absolutely secure, several levels of protection are usually used at the same time against intrusions. Protecting information on the network is mainly about protecting the data stores installed on the network's servers. Therefore, apart from some measures against the leakage of information in transit, most effort goes into building layers of barriers, from the outside inwards, for systems connected to the network.

1. The process of building a secure information system

1.1 Assessment and planning
- Training courses are held before deployment so that the people who will carry out the work understand information security. After training, the people directly involved know how to protect their information assets.
- The level of security of the system and of each of its parts is assessed: network applications, systems, operating systems, application software, etc. The assessment covers both the logical network and the physical system. The aim is an overall view of the security of your system, its strengths and weaknesses.
- Key staff take part in the work so that the current state of system security and the new security requirements are established exactly.
- A system security plan is drawn up.

1.2 System analysis and design

- Design the information security system for the network.
- Select the security technologies and standards to apply.
- Write the security policy documents for the system.

1.3 Applying it in practice
- Set up the information security system on the network.
- Install software that strengthens security, such as firewalls, bug-fix patches, virus scanners, and software that monitors and blocks unauthorized access.
- Change the configuration of the software and systems in use to suit.
- Communicate the security policies to the system administration group and to every user on the network, so that everyone knows their functions and rights.

1.4 Maintenance
- Train the administration group so that it can manage the system thoroughly.
- Continually update the information security knowledge of those responsible, such as the administration group and management.
- Change the security technologies to suit new requirements.

2. Building the network security model

Today the role of network security is taken very seriously, and many new technologies and techniques have been proposed. To ensure good network security, we must first anticipate every violation that could occur. Two types of violation commonly occur: passive and active. Passive violations are sometimes unintentional or accidental, while active violations have a clear destructive purpose and unpredictable consequences.

Figure 2-1: Network security model. The figure shows the protective layers around the database, from the outside inwards: intrusion detection system (IDS/IPS), firewall, physical protection, data encryption, login password, access rights, and at the center the database.

1. Access rights layer (Right Access). This layer controls the network's information resources and the rights to use those resources. The finer-grained this control, the better.

2. Login name/password layer (Login Password).

This layer controls access at the system level. Every user who wants to enter the network to use its resources must register a name and a password. The network administrator is responsible for managing and controlling all activity on the network and for setting the access rights of the other users according to place and time.

3. Data encryption layer (Data Encryption). To keep information transmitted on the network confidential, methods of encrypting information on the transmission path are used. There are two basic approaches, symmetric and asymmetric encryption, and many different encryption methods have been built on them.

4. Physical protection layer (Physical Protection). This usually uses traditional measures such as absolutely forbidding unauthorized people from entering the room where the network equipment is located, and strictly regulating how the network is operated and used.

5. Firewall layer. To protect a computer network, or a whole local network, against remote access, a special system called a firewall is used to block unauthorized intrusions and to filter out packets that may not be sent or received, from the inside out or from the outside in.

II. SOME SECURITY METHODS

There are many security measures and tools for a system; here we list some common, widely applied ones.

2.1 Encryption

Encryption is the main mechanism for protecting information. It reliably protects information in transit, and it can protect information at rest through file encryption. However, the user must have the right to access such a file, and the encryption system itself does not distinguish between a legitimate and an illegitimate user if both use the same key. Encryption on its own therefore does not provide security; it must be governed by key management and by the system as a whole.

Figure 2-2: Encryption process

Encryption aims to ensure the following requirements:
- Confidentiality: the data cannot be read by a third party.
- Integrity: the data is not altered in transit.
- Non-repudiation: a mechanism whereby the person who performs an action cannot deny what they did; the origin of the message, or the person who sent it, can be verified.

Encryption algorithms

1. Hash functions (hashing). A hash is a one-way transformation that turns readable text (cleartext) into a fixed form that can never be decrypted. The result of the hashing process is called a hash, a hash value, or a message digest, and the original input cannot be reconstructed from it. The input to a hash function can be of any length, but the length of the hash is fixed. Hashing is used in some password authentication schemes. A hash value can be attached to an electronic message to support data integrity or, when it is signed, to support non-repudiation.

Figure 2-3: Hash function model

Some hash algorithms:
- MD5 (Message Digest 5): 128-bit hash value.
- SHA-1 (Secure Hash Algorithm 1): 160-bit hash value.
Practical collisions have since been demonstrated for both MD5 and SHA-1, so neither should be relied on for integrity or signatures in new designs; SHA-2 (for example SHA-256) or SHA-3 should be used instead.
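The following is an added example, not code from the thesis, showing the properties of hash functions described above with Python's standard library: the digest length is fixed regardless of input length, one-wayness means a stored digest is checked by recomputing it rather than reversing it, a one-character change flips roughly half of the output bits, and a password scheme stores a salted, iterated digest instead of the password. The passwords and messages are constructed for the example; ITERATIONS and the salt size are choices made here, not values from the text.

```python
"""Hash functions in practice (added example; not code from the thesis).

All inputs below are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor, an assumption; raise it as hardware gets faster


def digest_lengths(data: bytes) -> Dict[str, int]:
    """Digest size in bits for MD5, SHA-1 and SHA-256; independent of len(data)."""
    return {
        "md5": len(hashlib.md5(data).digest()) * 8,
        "sha1": len(hashlib.sha1(data).digest()) * 8,
        "sha256": len(hashlib.sha256(data).digest()) * 8,
    }


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(msg1: bytes, msg2: bytes) -> int:
    """How many of the 256 SHA-256 output bits differ between two inputs."""
    return differing_bits(hashlib.sha256(msg1).digest(), hashlib.sha256(msg2).digest())


def make_verifier(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) to store instead of the password.

    The random salt makes identical passwords hash differently and defeats
    precomputed tables; the PBKDF2 iterations slow down offline guessing.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, dk


def check_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the digest for the candidate and compare in constant time.

    There is no way to get the password back from `stored`; the only check is
    to hash the candidate the same way and compare.
    """
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print(digest_lengths(b""), digest_lengths(b"A" * 100_000))
    print("bits changed:", avalanche(b"login attempt 1", b"login attempt 2"))
    salt, stored = make_verifier("correct horse battery staple")
    print(check_password("correct horse battery staple", salt, stored),
          check_password("Correct horse battery staple", salt, stored))
```

Two details matter for a practitioner: the comparison uses hmac.compare_digest so that response timing does not leak how many leading bytes matched, and two verifiers made from the same password differ because each gets its own salt, so a leaked table of digests cannot be attacked with one precomputed dictionary.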
2. Symmetric (shared-key) encryption

Symmetric encryption, or shared-key encryption, is a two-way model in which the encryption and decryption processes use the same key. The key must be delivered secretly between the two parties to the communication. If the key is short enough, it can be recovered by exhaustive search (brute force).

Figure 2-4: Symmetric encryption

Encryption works as follows:
- The two sides share one key, which is kept secret.
- Before communicating, the two sides exchange the secret key.
- Each pair of communicating parties needs its own shared key, which is not shared with any other communication.

The table below shows the common symmetric encryption methods in detail.

Cipher                              Characteristics
Data Encryption Standard (DES)      - 64-bit block and 56-bit key.
                                    - Easily broken: the 56-bit key space can be searched exhaustively.
Triple DES (3DES)                   - Applies DES three times.
                                    - Uses a 168-bit key (three 56-bit DES keys).
                                    - Superseded by AES.
Advanced Encryption Standard (AES)  - Uses the Rijndael algorithm, which resists all known attacks.
                                    - 128-bit block; the key length can vary (128, 192, or 256 bits).


3. Asymmetric (public-key) encryption

Asymmetric encryption, or public-key encryption, is a two-way model that uses a key pair: a private key and a public key. Data encrypted with one key of the pair can only be decrypted with the other key of the same pair. For confidentiality, a message is encrypted with the recipient's public key, which anyone may hold, and can only be decrypted with the recipient's private key. For a digital signature the roles are reversed: the sender signs with the private key, which is never shared with anyone and so remains secret, and any recipient holding the public key can verify that the message came from the holder of the private key. This second use is the basis of electronic signatures.

Figure 2-5: Asymmetric encryption

Algorithms:
- RSA (Ron Rivest, Adi Shamir, and Leonard Adleman).
- DSA (Digital Signature Algorithm, specified in the Digital Signature Standard).
- Diffie-Hellman (W. Diffie and M. E. Hellman).
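The following is an added example, not code from the thesis, that makes the two roles of a key pair concrete with textbook RSA. The same modular exponentiation serves both uses: encrypt with the recipient's public key and decrypt with the private key for confidentiality; sign with the private key and verify with the public key for a signature. The primes are toy-sized and there is no padding, so this illustrates the arithmetic only; a real deployment uses a modulus of at least 2048 bits with OAEP or PSS padding. The key names (alice, bob) and messages are constructed for the example.

```python
"""Textbook RSA with toy parameters: which key does what.

Added example for the asymmetric-encryption section; not thesis code.
Requires Python 3.8+ for pow(e, -1, phi).
"""
import hashlib
from typing import Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def keygen(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Build a key pair from two primes; e must be coprime to (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; raises ValueError if e and phi share a factor
    return (n, e), (n, d)


def encrypt(pub: PublicKey, m: int) -> int:
    """Anyone holding the public key can encrypt; requires 0 <= m < n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(priv: PrivateKey, c: int) -> int:
    """Only the holder of the matching private key recovers m."""
    n, d = priv
    return pow(c, d, n)


def _hash_to_int(message: bytes, n: int) -> int:
    # Sign the hash rather than the message: fixed size, and it binds the whole message.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv: PrivateKey, message: bytes) -> int:
    """Signature = hash^d mod n; only the private-key holder can produce it."""
    n, d = priv
    return pow(_hash_to_int(message, n), d, n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    """Anyone with the public key checks signature^e mod n == hash."""
    n, e = pub
    return pow(signature, e, n) == _hash_to_int(message, n)


if __name__ == "__main__":
    alice_pub, alice_priv = keygen(10007, 10009)      # constructed toy primes
    m = int.from_bytes(b"hi", "big")                  # 26729, smaller than n
    c = encrypt(alice_pub, m)                         # anyone -> Alice
    print(decrypt(alice_priv, c) == m)                # only Alice recovers it
    s = sign(alice_priv, b"transfer 100")             # Alice signs
    print(verify(alice_pub, b"transfer 100", s),      # True
          verify(alice_pub, b"transfer 900", s))      # False: message changed
```

Note the asymmetry the text is describing: a ciphertext made with Alice's public key is garbage when decrypted with Bob's private key, and a signature made with Alice's private key fails verification under Bob's public key or over a modified message.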

2.2 User authentication

Authentication is the process of establishing the validity of a user before they access information in the system. Types of authentication include:

1. Username/password. This is the most common and the weakest form of authentication: the username and password are sent to the server unchanged.

Figure 2-6: Authentication with username and password

- This method has problems, such as the credentials being easy to steal on their way to the server.
- Solutions: set a password of at least eight characters, including letters, digits, and symbols; change the password once a month; do not use the same password in many places.

2. CHAP (Challenge Handshake Authentication Protocol). CHAP protects the password at login by using a challenge/response method of authentication. It periodically re-verifies the identity of the connection with a three-way handshake, and the secret itself is never sent: the response is an MD5 hash computed over the secret and the challenge. CHAP operates as follows; note which side is given the password.

Figure 2-7: CHAP operation

3. Kerberos. Kerberos is a cryptographic protocol used for authentication in computer networks operating over insecure links. Kerberos resists eavesdropping and the replay of captured packets, and it ensures data integrity. The protocol was designed for the client-server model and provides mutual authentication. Kerberos uses a trusted third party in the authentication process called the key distribution center (KDC), which has two functions: the authentication server (AS) and the ticket granting server (TGS). A "ticket" in Kerberos is the credential that proves the identity of a user. Every user in the system shares a secret key with the Kerberos server, and possession of that key is the proof of the user's identity. For each transaction between two principals in the system, the Kerberos server generates a session key for that transaction.
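Returning to CHAP (item 2 and Figure 2-7), the following is an added example, not code from the thesis, of the exchange with both sides implemented: the authenticator issues a fresh random challenge, the peer replies with MD5 over the identifier, the secret, and the challenge (the formula in RFC 1994 section 4.1), and the authenticator recomputes the hash. The last function shows why the scheme resists the packet sniffers of Chapter I: a captured response is rejected when replayed against a new challenge. Peer names and secrets are constructed for the example.

```python
"""CHAP (RFC 1994) challenge/response exchange, both sides.

Added example for the CHAP section; not thesis code. Credentials are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over the Identifier octet, the secret and the challenge value."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The server side (for example a RAS box) holding one secret per peer name."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self._secrets = secrets
        self._pending: Dict[int, bytes] = {}  # outstanding challenges by Identifier
        self._next_id = 0

    def challenge(self) -> Tuple[int, bytes]:
        """Step 1: send a new Identifier and a random Challenge Value."""
        ident = self._next_id & 0xFF
        self._next_id += 1
        value = os.urandom(16)
        self._pending[ident] = value
        return ident, value

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the hash; each challenge is consumed on first use."""
        value = self._pending.pop(ident, None)
        secret = self._secrets.get(name)
        if value is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, value), response)


class Peer:
    """The client side; it only ever reveals the hash, never the secret."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self._secret = secret

    def respond(self, ident: int, challenge: bytes) -> Tuple[str, bytes]:
        """Step 2: answer with Name and MD5(id || secret || challenge)."""
        return self.name, chap_response(ident, self._secret, challenge)


def login(auth: Authenticator, peer: Peer) -> bool:
    """One complete three-way exchange."""
    ident, value = auth.challenge()
    name, resp = peer.respond(ident, value)
    return auth.verify(ident, name, resp)


def replay_attack(auth: Authenticator, victim: Peer) -> bool:
    """Sniff one full exchange, then reuse the captured response in a new session.

    Returns True only if the replay is accepted. With CHAP it is rejected:
    the new challenge gives a different expected hash.
    """
    ident, value = auth.challenge()
    name, captured = victim.respond(ident, value)   # what a sniffer sees on the wire
    auth.verify(ident, name, captured)              # the victim's own login succeeds
    new_ident, _new_value = auth.challenge()        # attacker opens a fresh session
    return auth.verify(new_ident, name, captured)   # and replays the old response


if __name__ == "__main__":
    auth = Authenticator({"alice": b"s3cret-alice"})           # constructed credentials
    print(login(auth, Peer("alice", b"s3cret-alice")))          # True
    print(login(auth, Peer("alice", b"wrong")))                 # False
    print(replay_attack(auth, Peer("alice", b"s3cret-alice")))  # False
```

The protection depends entirely on the challenge being unpredictable and used once; a sniffer that sees the challenge and response can still run an offline dictionary attack on the secret, which is why the MD5-based scheme is no longer considered strong on its own.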

Figure 2-8: Kerberos encryption
4. Certificates. A server, the Certificate Authority (CA), issues certificates.
- They can be physical: a smart card.
- They can be logical: a digital signature.
Certificates use a public/private key pair (any data encrypted with the public key can only be decrypted with the private key) and a trusted third party, the CA, to vouch for the binding between a key and an identity. They are widely used in web authentication, smart cards, e-mail signing, and e-mail encryption.
Disadvantages:
- Deploying a PKI (Public Key Infrastructure) is lengthy and costly.
- Smart cards raise deployment and maintenance costs.
- CA services are costly.

5. Biometrics. Methods such as iris/retina, fingerprint, or voice recognition can be used. The advantages are very high accuracy and fast authentication; the drawbacks are the high cost of hardware and software, and the possibility of recognition errors.

6. Combining several methods (multi-factor). More than one authentication method is used, such as a password/PIN, a smart card, and biometrics, to create defense in depth with several layers of protection.
- Advantages: reduces dependence on passwords, gives stronger authentication, and provides a basis for a Public Key Infrastructure (PKI).
- Disadvantages: higher deployment, maintenance, and upgrade costs.

Basic hardware systems

Smart card. A smart card is a device the size of a credit card containing a microprocessor and a memory; a reader is needed to read the information on it. A smart card can store each user's private key together with any application that uses it, which simplifies authentication, especially for mobile users. Some smart cards now contain a cryptographic coprocessor for encryption and decryption, which makes encrypting and decrypting easy and

nhanh chng. Cc h thng chng nhn in t n gin nht yu cu ngi nhp vo s nhn din c nhn PIN hon tt tin trnh xc thc. Trong rt nhiu h thng ngi ta kt hp gia PIN ca SC v cc thng tin v sinh trc hc ca ngi dng nh vn tay. dng h thng ny ngi ta trang b 1 my qut vn tay, sau so snh vi d liu c lu trn SC. PC card: L mt bo mch nh c cm vo slot m rng trn bo mch ch ca my tnh. Cc PC card km linh hot hn nhng c b nh ln hn SC nn c th lu tr lng thng tin xc thc ln hn. Th bi c xy dng da trn phn cng ring bit dng hin th cc m nhn dng (pascode) thay i m ngi dng phi nhp vo my. B x l bn trong th bi lu gi mt tp cc kho m b mt c dng pht cc m nhn dng mt ln. Cc m ny c chuyn n mt my ch bo mt trn mng, my ch ny kim tra tnh hp l v chuyn quyn truy cp cho ngi dng. Trc khi ngi dng c xc thc, cc thit b th yu cu mt PIN, sau s dng mt trong ba c ch sau: 1. C ch p ng thch my ch bo mt pht ra mt con s ngu nhin khi ngi dng ng nhp vo mng. Mt con s thch xut hin trn mn hnh, ngi dng nhp vo s cc s trong th bi. Th bi m ho cc con s thch ny vi m kho b mt ca n v hin th ln mn hnh LCD, sau ngi dng nhp kt qu ny vo my tnh. Trong khi , my ch m ho con s thch vi cng mt kho v nu nh hai kt qu ny ph hp th ngi dng s c php vo mng. 2. C ch ng b thi gian y th bi hin th mt s c m ho vi kho b mt m kho ny thay i c 60 giy. Ngi dng c nhc cho con s khi c gng ng nhp vo my ch. Bi ng h trn my ch v th c ng b, cho nn my ch c th xc nhn ngi dng bng cch gii m con s th v so snh kt qu. 3. C ch ng b s kin y, mt b m ghi li s ln vo mng ca ngi dng. Sau mi ln vo mng, b m c cp nht v mt m nhn dng khc c to ra cho ln ng nhp k tip.
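The three token mechanisms above, as an added example that is not part of the thesis. In place of the thesis's "encrypt the number with the token's secret key" it uses an HMAC-SHA1 one-time code in the style of RFC 4226 (HOTP); the shared secret, the 6-digit code length, the 60-second time step, the one-step clock-drift allowance and the look-ahead of five counters are assumptions. Each server-side verifier also refuses to accept the same code twice, which the thesis's description leaves implicit.

```python
"""Token-side code generation and server-side verification for challenge-response,
time-synchronised and event-synchronised tokens. Added example, not code from the thesis;
the HMAC-based code stands in for the token's "encryption" and all parameters are assumed."""
import hashlib
import hmac
import struct


def one_time_code(secret: bytes, moving_factor: int, digits: int = 6) -> str:
    """HOTP-style code: HMAC-SHA1 over the 8-byte moving factor, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", moving_factor), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class Token:
    """What the user carries: the secret and, for event synchronisation, a login counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def respond(self, challenge: int) -> str:               # 1. challenge-response
        return one_time_code(self.secret, challenge)

    def time_code(self, now: int, step: int = 60) -> str:    # 2. time-synchronised
        return one_time_code(self.secret, now // step)

    def event_code(self) -> str:                             # 3. event-synchronised
        self.counter += 1
        return one_time_code(self.secret, self.counter)


class SecurityServer:
    """Holds the same secret; every verifier also rejects replay of an accepted code."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = 0            # highest event counter accepted so far
        self.used_time_steps = set()     # time steps already consumed by a login

    def verify_challenge(self, challenge: int, response: str) -> bool:
        expected = one_time_code(self.secret, challenge)
        return hmac.compare_digest(expected, response)

    def verify_time(self, code: str, now: int, step: int = 60, drift: int = 1) -> bool:
        # Accept the current step and +-drift neighbouring steps for clock skew, each at most once.
        current = now // step
        for s in range(current - drift, current + drift + 1):
            if s not in self.used_time_steps and hmac.compare_digest(one_time_code(self.secret, s), code):
                self.used_time_steps.add(s)
                return True
        return False

    def verify_event(self, code: str, look_ahead: int = 5) -> bool:
        # The token may be ahead (button pressed without logging in): resynchronise within
        # look_ahead counters, but never accept a counter at or below the last accepted one.
        for c in range(self.last_counter + 1, self.last_counter + look_ahead + 1):
            if hmac.compare_digest(one_time_code(self.secret, c), code):
                self.last_counter = c
                return True
        return False
```

Usage: create a Token and a SecurityServer from the same secret, then call `token.respond(challenge)` / `server.verify_challenge(challenge, code)`, `token.time_code(now)` / `server.verify_time(code, now)` or `token.event_code()` / `server.verify_event(code)`. With the RFC 4226 test secret `b"12345678901234567890"` the code for counter 0 is `755224`.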

2.3 Workstation and server security

Regularly checking the level of security that servers provide depends mainly on management. Every server in a company should be tested from the Internet to find security holes. In addition, testing from the inside and a basic assessment of each server are needed to reduce the system's risk, for instance when the firewall fails or a server or other system malfunctions. Most operating systems ship in a state below the minimum level of security and contain many vulnerabilities. Before a server is put into production it should go through a fixed checking procedure: all patches must be installed and every unnecessary service removed, which brings the system's risk down to its lowest level. The next step is to review the log files of the servers and applications. They provide some of the best information about the system and about security attacks, and in many cases they are one of the ways to establish the extent of an attack on a server.

2.4 Communication security

Typical examples are securing FTP and SSH.

FTP communication security

Figure 2-9 FTP security

FTP is an application-layer protocol of the TCP/IP suite. It uses TCP port 21 for the control connection (commands and replies) and, in active mode, TCP port 20 for the data connection. Everything, including credentials, is sent in clear text, so the risk of eavesdropping on file transfers or capturing the password during authentication is very high; in addition, the insecure default Anonymous account gives attackers a foothold for further attacks on the server, such as buffer overflows. The countermeasure is to use FTP over SSL/TLS, i.e. FTPS (written S/FTP in the original; not to be confused with SFTP, which runs over SSH), which is secure for the following reasons:

- RSA/DSA certificate-based authentication is used.
- TCP port 990 is used for the control channel and TCP port 989 for data (implicit FTPS).
- The Anonymous account is disabled when it is not needed.
- An IDS is used to detect buffer-overflow attacks.
- IPSec may additionally be used to encrypt the data.

SSH communication security

SSH is a secure, encrypted replacement for telnet, rlogin and similar tools. It follows the client/server model and uses public-key cryptography to establish an encrypted session; it can also forward arbitrary ports through the encrypted connection. With telnet or rlogin the username and password travel in clear text and are easily sniffed; SSH avoids this by starting an encrypted session first. When a client wants a secure session with a host, it opens a connection and requests an SSH session. Once the server receives the request, the two sides negotiate: they verify the protocol versions, exchange a session key between client and server, and the client checks the server's host key against its cache of known host keys. After the session key has been exchanged and the host key verified, the client can begin the secure session.

2.5 Application security

E-mail systems

Electronic mail (e-mail) is a system for sending and receiving messages over computer networks and is a very fast means of communication. A message may be sent encrypted or in plain form and is relayed across computer networks, in particular the Internet. It can deliver a message from one source machine to one or many recipients at the same time. Today e-mail carries not only text but also images, audio and video, and modern mail clients can render messages as rich HTML documents.
- Sending: SMTP (TCP 25)
- Receiving: POP3/IMAP (TCP 110/143)

Figure 2-10 Electronic mail

The benefits of e-mail are high speed, low cost and convenience. It does, however, bring security problems: spam, and the spread of viruses and trojans.

Protecting the mail system
Use S/MIME where possible.
Configure the mail server properly so that it is not an open relay.

Block spam on the mail server.
Be wary of unfamiliar e-mail.

Web application security
- Web traffic: use SSL/TLS to encrypt the traffic between client and server. It sits above the transport layer and uses asymmetric cryptography with public-key certificates to authenticate the server (and optionally the client) and to establish the session keys, symmetric encryption for the bulk data, and message authentication codes (MD5-based in older versions) for integrity; TLS is the newer and more secure version. The catch is that when both client and server are authenticated, both sides need a PKI, which affects performance, and the deployment raises questions of method, system configuration and choice of software.
- Web client: in the client/server model the client is a workstation used by a single user and designed to be as independent as possible. Client weaknesses include JavaScript, ActiveX, cookies and applets.
- Web server: the server provides and controls access to the system's resources. It acts as a service provider for clients that request services when needed, such as databases, printing, file transfer and system services. Common vulnerabilities in web servers are buffer overflows, CGI and server-side scripts, and the HTTP/HTTPS implementation itself.

2.6 Resource accounting

Figure 2-11 Resource accounting by monitoring

Resource accounting is the ability to control (inventory) the network, comprising:
Logging: recording activity for statistics about events on the network, for example to see who accessed the file server, when, and what they did (Event Viewer).
Scanning: scanning the system to see which services are running on the network and to analyse the risks to the network, for example with Task Manager.


Monitoring: analysing log files to check how network resources are used, for example with syslog servers.

III. SOME SECURITY TECHNOLOGIES

1. Security with VPN (Virtual Private Network)

A virtual private network is a way of making a public network behave like a private one, with the security and prioritisation properties users want. A VPN allows private connections with remote users, your organisation's branch offices, companies and partners that all use a shared public network. Tunnelling is a mechanism for encapsulating one protocol inside another; in the Internet context, tunnelling allows protocols such as IPX, AppleTalk and IP to be encrypted and then encapsulated in IP. VPNs also provide quality-of-service (QoS) agreements, usually expressed as an upper bound on the average packet delay across the network.

VPN = tunnelling + security + QoS agreements

The advantages of a VPN are:

- Lower recurring costs: a VPN can save up to 60% of the cost of leased lines.
- Lower investment costs: no spending on servers, backbone routers and access switches, because the service provider owns and manages that equipment.
- Lower management and support costs: thanks to their economies of scale, service providers can bring customers worthwhile savings compared with running their own network.
- Access anytime, anywhere.

VPN classification

Remote access VPNs: these provide trusted access for remote users such as mobile staff, teleworkers and branch offices belonging to an organisation's network.

Figure 2-12 VPN classification (figure labels: NAS, AAA, ISP, Telco/Internet/ISP, VPDN, L2TP)

- Intranet VPNs: allow branch offices to be linked securely to the organisation's headquarters.
- Extranet VPNs: allow users, managers and partners to access the organisation's intranet securely.

VPN structure
All VPNs allow secure access across public networks by means of security services that include tunnelling and data encryption.

Types of VPN network
There are two main ways to use a VPN. A VPN can connect two networks to each other, known as a LAN-to-LAN VPN or site-to-site VPN. Second, a remote-access VPN can connect an individual remote user to the network.

Building blocks of a VPN
An Internet VPN has four main components: the Internet, the security gateways, the security policy server and the certificate authority (CA) (Figure 2-13).
Figure 2-13 Security with VPN (figure labels: Internet, security gateways, security policy server, LAN, mobile client, certificate authority CA)

2. Firewall

A firewall is a barrier between two computer networks that protects one network from intrusion from the other. For small and medium-sized enterprises its use is essential. Its main function is to control the flow of information between the protected network and the Internet according to the access policies that have been set. A firewall can be hardware, software or both. All of them share the property of making decisions based on the source address (and other packet attributes); in addition they may offer features such as redundancy in case of system failure.

Figure 2-14 General firewall model

Choosing a suitable firewall for a system is therefore not easy. Every firewall depends on a particular environment, network configuration and set of applications. When selecting a firewall, concentrate on its set of functions, such as address and packet filtering.

Firewall components and operation
A standard firewall consists of one or more of the following components:
- a packet-filtering router
- an application-level gateway (proxy server)
- a circuit-level gateway

- Packet-filtering router

Principle
When we speak of data flowing between networks through a firewall, it means the firewall works closely with the TCP/IP internetworking protocol. This protocol splits the data it receives from network applications, or more precisely from the services running on top of it (Telnet, SMTP, DNS, SNMP, NFS, ...), into data packets, attaches identifying addresses to each packet and reassembles them at the destination, so every kind of firewall is heavily concerned with packets and their address numbers. The packet filter permits or rejects every packet it receives. It examines each packet to decide whether it satisfies one of the packet-filtering rules. These rules are based on the information in the packet header that is used to route the packet across the network, namely:
- IP source address
- IP destination address
- transport protocol (TCP, UDP, ICMP, IP tunnel)
- TCP/UDP source port
- TCP/UDP destination port
- ICMP message type
- incoming interface of the packet
- outgoing interface of the packet
If a filtering rule matches, the packet is passed through the firewall; otherwise it is dropped. In this way a firewall can block connections to specified hosts or networks, or block access to the internal network from addresses that are not allowed. Moreover, controlling ports lets the firewall allow only certain kinds of connections to certain servers, or allow only certain services (Telnet, SMTP, FTP, ...) to run on the local network.

Advantages

Most firewall systems use packet filtering. One advantage of packet filtering is low cost, since the filtering mechanism is built into every router's software. In addition, packet filtering is transparent to users and applications, so it requires no special training.

Limitations
Defining packet-filtering rules is quite complex; it requires the network administrator to understand the Internet services, the packet header formats and the specific values they can take in detail. As the filtering requirements grow, the rule sets become long and complicated and hard to manage and control. Because it works on packet headers, a packet filter cannot inspect the content of packets. Packets that pass through can still carry an attacker's data-theft or destructive actions.

3. Security with IDS/IPS (intrusion detection/prevention systems)

An IDS (Intrusion Detection System) detects intrusions. It is a security system that complements the firewall and raises the level of protection of network information. It resembles a burglar alarm configured to watch specific access points, tracking and detecting attacker intrusions; it can spot malicious code operating inside the network, including code that has got past the firewall. There are two main types: network-based and host-based.
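The packet-filtering router described in the previous section, as an added example that is not part of the thesis. A rule carries exactly the header fields the thesis lists (source and destination address, protocol, source and destination port, ICMP type, incoming and outgoing interface); rules are evaluated in order, the first match decides, and anything unmatched is dropped. The addresses, interface names (eth0 towards the Internet, eth1 towards the LAN) and the policy itself are constructed for the demonstration. Note what the filter never looks at: the payload, which is the limitation the IDS section addresses.

```python
"""Stateless first-match packet filter over the header fields the thesis lists.
Added example, not code from the thesis; the policy, addresses and interface names are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None
    in_iface: str = "eth0"          # eth0 = Internet side, eth1 = LAN side (assumed)
    out_iface: str = "eth1"


@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[range] = None   # e.g. range(1024, 65536)
    dport: Optional[range] = None
    icmp_type: Optional[int] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # Every field that is set must match; unset fields ("any"/None) match everything.
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport is not None and p.sport not in self.sport:
            return False
        if self.dport is not None and p.dport not in self.dport:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if self.in_iface is not None and self.in_iface != p.in_iface:
            return False
        if self.out_iface is not None and self.out_iface != p.out_iface:
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """Return (decision, index of the matching rule); index -1 means the default deny applied."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "deny", -1


# Constructed policy for a LAN 10.0.0.0/8 behind eth0 (Internet) / eth1 (LAN):
RULES = [
    # 0: anti-spoofing: an internal source address must never arrive from the Internet side
    Rule("deny", src="10.0.0.0/8", in_iface="eth0"),
    # 1: inbound SMTP to the mail server only
    Rule("allow", proto="tcp", dst="10.0.0.25/32", dport=range(25, 26), in_iface="eth0"),
    # 2: inbound HTTPS to the web server
    Rule("allow", proto="tcp", dst="10.0.0.80/32", dport=range(443, 444), in_iface="eth0"),
    # 3-4: LAN clients may browse the web
    Rule("allow", proto="tcp", src="10.0.0.0/8", dport=range(80, 81), in_iface="eth1"),
    Rule("allow", proto="tcp", src="10.0.0.0/8", dport=range(443, 444), in_iface="eth1"),
    # 5: replies to our pings (ICMP echo reply, type 0); inbound echo requests (type 8) fall to default deny
    Rule("allow", proto="icmp", icmp_type=0, in_iface="eth0"),
]
# Anything not matched above is dropped by filter_packet's default deny.
```

Because the rule at index 0 precedes the allow rules, a packet that claims an internal source address on the external interface is dropped even if it targets an allowed service; rule order is part of the policy.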

Figure 2-15 Intrusion detection system (IDS)

IDS products come in many forms, both software and hardware. Their common purpose is to observe events on the network and notify the administrator about the security of any event that a sensor judges worth an alarm. Some IDSs compare the network conversations they overhear against a list of known attack strings, or signatures; when the observed traffic is judged to match a signature, they raise an alert. These are called signature-based IDSs. An IDS that instead observes the system's traffic over time and raises an alert on situations that do not fit the norm is called an anomaly-based IDS.

Proactively protecting network resources is the newest trend in security. Most intrusion detection systems (IDSs) passively monitor the system for signs of intrusive activity. When an intrusion is detected, the IDS offers the ability to block future intrusive activity from the suspected hosts. This reactive approach does not stop the attack traffic that has already flowed into the system from the start of the attack to its end. An IPS (intrusion prevention system), however, plays a larger role: it can actively stop attack traffic right at the beginning.
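The two detection approaches just described, signature-based and anomaly-based, run over the same data as an added example that is not part of the thesis. The input is a handful of constructed web-server log lines in Common Log Format; the four signatures are illustrative patterns, not a real rule set, and the anomaly baseline (per-source requests per minute, alert above mean plus three standard deviations) is one simple choice among many. The same burst of traffic shows why the two approaches complement each other: the traversal request matches a signature but is a single request, while the flood matches no signature but stands out against the baseline.

```python
"""Signature-based and anomaly-based detection over constructed web-server log lines.
Added example, not code from the thesis; signatures, baseline rule and data are constructed."""
import re
import statistics
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed signatures: (name, regex over the HTTP request line). Not a real rule set.
SIGNATURES = [
    ("directory traversal", re.compile(r"\.\./")),
    ("unix password file", re.compile(r"/etc/passwd")),
    ("sql injection", re.compile(r"(?i)('|%27)\s*or\s+1\s*=\s*1")),
    ("phf cgi probe", re.compile(r"/cgi-bin/phf")),
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')


def parse_line(line: str):
    """Common Log Format: returns (src_ip, timestamp, request, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3), int(m.group(4))


def signature_alerts(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Misuse detection: one (src_ip, signature name, request) per matching signature."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, _, request, _ = rec
        for name, pattern in SIGNATURES:
            if pattern.search(request):
                alerts.append((src, name, request))
    return alerts


def _requests_per_minute(lines: List[str]) -> Dict[str, Counter]:
    counts: Dict[str, Counter] = defaultdict(Counter)   # src -> minute bucket -> count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, ts, _, _ = rec
        counts[src][ts[:17]] += 1          # "10/Oct/2000:13:55:03 +0000" -> "10/Oct/2000:13:55"
    return counts


class AnomalyDetector:
    """Baseline = per-source requests per minute in a training window; alert when a source's
    rate exceeds mean + k * stdev (k = 3 assumed; stdev floored at 1 to avoid a zero threshold)."""

    def __init__(self, training_lines: List[str], k: float = 3.0):
        rates = [n for counter in _requests_per_minute(training_lines).values() for n in counter.values()]
        self.k = k
        self.mean = statistics.mean(rates)
        self.stdev = statistics.pstdev(rates)

    def alerts(self, lines: List[str]) -> List[Tuple[str, str, int]]:
        threshold = self.mean + self.k * max(self.stdev, 1.0)
        return [(src, minute, n)
                for src, counter in _requests_per_minute(lines).items()
                for minute, n in counter.items() if n > threshold]


def make_line(src: str, timestamp: str, request: str, status: int = 200) -> str:
    return f'{src} - - [{timestamp}] "{request}" {status} 512'


# Constructed training window: normal browsing, 1-3 requests per minute per source.
TRAINING = (
    [make_line("192.0.2.10", f"10/Oct/2000:13:55:{s:02d} +0000", "GET /index.html HTTP/1.0") for s in (3, 21, 45)]
    + [make_line("192.0.2.11", f"10/Oct/2000:13:56:{s:02d} +0000", "GET /about.html HTTP/1.0") for s in (5, 30)]
    + [make_line("192.0.2.12", "10/Oct/2000:13:57:12 +0000", "GET /index.html HTTP/1.0")]
)

# Constructed live window: a 20-request flood, one traversal attempt, one normal request.
LIVE = (
    [make_line("198.51.100.23", f"10/Oct/2000:14:02:{s:02d} +0000", "GET /index.html HTTP/1.0") for s in range(20)]
    + [make_line("198.51.100.9", "10/Oct/2000:14:02:41 +0000", "GET /../../etc/passwd HTTP/1.0", 404),
       make_line("192.0.2.10", "10/Oct/2000:14:03:02 +0000", "GET /index.html HTTP/1.0")]
)
```

Running `signature_alerts(LIVE)` reports only the traversal request from 198.51.100.9, while `AnomalyDetector(TRAINING).alerts(LIVE)` reports only the flood from 198.51.100.23; neither approach alone sees both.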
Software intrusion detection system (Snort)

To install Snort, first consider the size of the network and the installation requirements: enough disk space to store the log files in which Snort records its alerts, a reasonably powerful server and, just as important, the choice of operating system; administrators usually choose the OS they know best. Snort runs on operating systems such as Windows and Linux.
Hardware intrusion detection system (Cisco)

Cisco offers many intrusion detection devices on several sensor platforms, which allows the best location to be chosen for monitoring intrusive activity. Cisco provides the following sensor platforms:
- Cisco Adaptive Security Appliance Advanced Inspection and Prevention Security Services Module (ASA AIP SSM): the Cisco ASA AIP SSM uses advanced inspection and prevention technology to deliver high-performance security services such as intrusion prevention and advanced anti-X services, defined as anti-virus and anti-spyware. The product line includes the Cisco ASA AIP SSM-10 module with 1 GB of memory, the ASA AIP SSM-20 module with 2 GB of memory, and the ASA AIP SSM-40 module.
- Cisco IPS 4200 Series sensors: the Cisco IPS 4200 Series sensors protect the network by helping to detect, classify and stop threats, including worms, spyware and adware, network viruses and application abuse. Using Cisco IPS Sensor Software Version 5.1, the Cisco IPS solution combines inline intrusion prevention services with advanced technologies that improve accuracy. As a result, more threats can be stopped without the risk of dropping legitimate network traffic. Cisco IPS Sensor Software includes enhanced detection capabilities, improved scalability and resilience, and more.
- Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM-2): the Catalyst 6500 Series IDSM-2 is part of Cisco's IPS solution. It works together with the other components to protect data effectively across the infrastructure. With the growing sophistication of security threats, an effective intrusion prevention solution is essential to maintain a high level of protection, defend carefully, ensure business continuity and reduce the costly operations involved in detecting intrusions.
- Cisco IPS Advanced Integration Module (AIM): among its range of IPS solutions, Cisco offers the IPS AIM for the Cisco 1841 Integrated Services Router and the Cisco 2800 and 3800 Series Integrated Services Routers, aimed at small and medium-sized businesses (SMB) and branch-office environments. The Cisco IPS Sensor Software running on the Cisco IPS AIM provides advanced, enterprise-class IPS functions and meets the growing security needs of branch offices. The Cisco IPS AIM scales to the WAN bandwidth requirements of today's and tomorrow's branch offices, because the IPS functions run on its own dedicated CPU and do not consume the router's CPU. At the same time, integrating IPS into a Cisco Integrated Services Router keeps the solution low-cost and effective for businesses of all sizes.
Comparison between IPS and IDS

Today IDS technology is being replaced by IPS solutions. Put simply, an IDS is just an alarm bell that warns the administrator of threats that could turn into attacks. Clearly it is only a passive monitoring solution: it can warn, but blocking the attack on the system is left entirely to the administrator. This places high demands on the administrator, who has to decide which traffic is needed and which suspicious traffic is the sign of an attack, and that is of course very hard. With an IPS the administrator can not only identify suspicious traffic when signs of an attack appear, but also reduce the chance of classifying traffic wrongly. With an IPS, attacks are blocked as soon as the first signs appear, and it operates according to rules defined in advance by the administrator.

Current IDSs use only one or two detection mechanisms. Each attack has its own mechanism, so different mechanisms are needed to tell them apart. Because an IDS has few mechanisms, it may fail to detect attacks whose mechanism is not predefined, and such attacks may succeed and harm the system. Moreover, because the IDS mechanisms are generic, they lead to false reports and false alarms that waste the administrator's time and effort. An IPS is built on many attack mechanisms and can create new ones suited to new forms of attack, so it reduces the network's exposure; furthermore the accuracy of an IPS is higher than that of an IDS. Note that with an IDS, the response to an attack can only occur after the attack packets have reached their destination; the countermeasure at that point is to send requests to the system's hosts to tear down the connections between the attacking machine and the server, or to send a notification to the firewall so that it performs its function. This sometimes has side effects on the system. For example, if an attacker spoofs the address of a partner, an ISP or a customer (the original writes "sniffer") and launches a denial-of-service attack, the IDS may be able to block the denial-of-service attack, but it will also block the IP address of the customer, ISP or partner, so damage still occurs: a side effect equivalent to a successful DoS even though the denial-of-service attack itself failed. An IPS, by contrast, detects the signs of the attack from the outset and then blocks that network traffic immediately, which is what reduces the attack's impact.

CHAPTER III INTRUSION DETECTION AND PREVENTION SYSTEMS (IDS/IPS)


I. THE NEED FOR IDS/IPS

1. The need for IDS/IPS

Today there are many tools for increasing a system's security. They all work effectively, but each has its own limitations, which leaves the system at high risk of attack; a device that detects and blocks attempts to intrude into the system is therefore needed.

Figure 3-1: A firewall protecting the system

A firewall is a tool that operates at the boundary between the inside of the system and the (untrusted) Internet outside and provides perimeter defence. It restricts the system's communication with potential intruders and reduces the system's risk. It is an indispensable tool in any overall security solution. Firewalls nevertheless have the following weaknesses:
A firewall does not manage what users do once they are inside the system and cannot defend against threats from within.
A firewall must still allow some level of access to the system, and that access can be used to probe for weaknesses. Firewall policy can lag behind changes in the environment, which also creates opportunities for intrusion and attack. A hacker can work on the human factor (social engineering) to obtain trusted access and bypass the firewall altogether. A firewall cannot prevent the use of unauthenticated or insecure modems to enter or leave the system. A firewall does not operate at a speed that favours intranet deployment.

Encryption and VPNs secure the end-to-end communication of important data. Encryption combined with public-key and secret-key authentication gives users, senders and receivers non-repudiation, confidentiality and data integrity.

Figure 3-2: Model of using certificates to ensure confidentiality

However, encrypted data is safe only from those who are not authenticated. Communication becomes opaque: unprotected and unmanaged, including the actions of users. PKI serves as a common framework for managing and processing digital signatures with public-key cryptography to keep data safe; it also automates validation and authentication of users and applications. PKI lets applications block malicious actions, but its deployment is only beginning (only pilot projects and a few large-scale projects apply it) for the following reasons: PKI standards are still evolving, with interoperability problems between heterogeneous certificate systems, and too few applications use certificates. The methods above protect information, but they do not detect an attack in progress. Intrusion detection is defined as an application or process used to manage an environment for the purpose of identifying actions that show signs of abuse, misuse or malicious intent.

2. Benefits of IDS/IPS

The advantage of such a system is that it can detect previously unknown types of attack. However, it also produces many false alerts because its definition of an attack is too general. Statistics show that in such systems most alerts are false, many of them triggered by normal actions, with only a few actions being malicious; the problem is that most systems have little ability to limit these false alarms. Using an IDS raises the ability to manage and protect the network, and the benefits are considerable. On the one hand it helps keep the system safe from attack; on the other it lets the administrator recognise and detect latent risks from the analyses and reports the IDS provides. In this way an IDS can help eliminate a significant share of the security holes in the network environment.

C. The difference between IDS and IPS

1. IDS (Intrusion Detection System)

An intrusion detection system (IDS) is a hardware or software system that automatically monitors the events occurring on a computer system and analyses them to detect security problems. As the number of attacks and break-ins into computer systems and networks keeps rising, intrusion detection systems become more important and necessary in the security foundation of organisations. The idea behind this technology is that any attack against any component of the protected environment will be deflected by intrusion prevention solutions. With the highest privileges, intrusion prevention systems can take any network packet flow and decide whether it is an attack or legitimate use, then take the appropriate action to complete the task. The end result is a limited need for intrusion detection or monitoring solutions, since everything related to the threat is blocked.

2. IPS (intrusion detection and prevention)

An IPS has two main functions: detecting attacks and defending against them. Most IPSs are placed at the network perimeter, where they can protect all devices in the network.

2.1 General architecture of IPS systems

An IPS is considered successful when it combines these qualities: fast and accurate operation, sensible alerts, the ability to analyse all of the traffic, maximum sensor coverage, successful blocking and a flexible management policy.

II. INTRUSION DETECTION SYSTEMS (IDS)

1. Introduction to IDS

Some 25 years ago the concept of intrusion detection appeared in a paper by James Anderson. At that time IDSs were wanted in order to detect and study abnormal user behaviour and attitudes on the network and to detect abuse of privileges when monitoring network assets. Research on intrusion detection systems was pursued formally from 1983 to 1988 before being used on the US Air Force network. Until 1996 IDS concepts were still not widespread, and IDSs existed only in laboratories and research institutes; during this period, however, a number of IDS technologies began to develop on the back of the explosion in information technology. In 1997 IDS became widely known and genuinely profitable, led by the company ISS; a year later Cisco recognised the importance of IDS and bought an IDS vendor, WheelGroup. Statistics now show that IDS/IPS is one of the most widely used security technologies and is still developing.
1.1 The concept of intrusion detection

Intrusion detection is the process of monitoring the events occurring on a computer system or network and analysing them for signs of unauthorised intrusion. Unauthorised intrusion is defined as any attempt to compromise the integrity, availability or confidentiality of a computer system or network, or to bypass its security mechanisms. The intrusion may come from an attacker on the Internet seeking access to the system, or from an authorised user trying to obtain rights beyond those granted. As mentioned above, an intrusion detection system is hardware or software that can automatically monitor and analyse events to detect signs of intrusion.

Network IDS (NIDS): systems that detect attacks by capturing the packets carried on network devices (wired and wireless) and comparing them against a database of signatures.

Host IDS (HIDS): installed as an agent on a host. These systems can inspect the log files of applications or of the system to detect intrusive actions.

Signature: a pattern that can be observed in a data packet; it is used to detect one or more kinds of attack. Signatures may appear in different parts of a packet: in the IP header, the transport-layer header (TCP, UDP) or the application-layer header. An IDS usually decides on the basis of the signatures it finds whether an action is intrusive. IDS vendors regularly update their signatures as new attacks are discovered.

Alert: a short message about an unauthorised intrusive action. When the IDS detects an intruder it notifies the security administrator with an alert, shown on screen, on login, by e-mail or by other means. Alerts can also be stored in a file or database for security experts to review later.

Log: the information the IDS collects is usually stored in files, in text or binary form; binary logging is faster than text.

False alarm: a report of something that looks like a sign of intrusion but is not.

Sensor: the device on which the intrusion detection system runs; it acts as the senses of the network. Just as sensors in other engineering contexts pick up sound, colour or pressure, a sensor here picks up signals that show signs of unauthorised intrusion. Sensor placement depends on the network model. One or more can be placed, depending on the kind of activity to be monitored (internal, external or both). For example, to monitor intrusions from outside when there is only one router connected to the Internet, the most suitable place is just behind the router (or firewall). With several Internet connections, a sensor can be placed at each point of connection, as the following figure shows:

Figure 3-3: Intrusion detection system


1.2 IDS (Intrusion Detection System)

An IDS is a system that monitors network traffic and suspicious activity and alerts the system and the administrator. An IDS may also respond to abnormal or malicious traffic with pre-configured actions, such as blocking the user or the source IP address from accessing the network.
- An IDS can also distinguish between attacks from inside (from people within the company) and attacks from outside (from hackers). An IDS detects either by the known signatures of known threats (much as anti-virus software relies on known signatures to find and remove viruses) or by comparing current network traffic with a baseline (the measured normal parameters of the system) to find abnormal signs.
An intrusion detection system is specialised software for detecting intrusions into the network it protects. An IDS is not designed to replace traditional security methods but to complete them. An intrusion detection system must satisfy the following requirements:

Accuracy: the IDS must not treat normal actions in the system's environment as abnormal or abusive (a normal action classified as abnormal is called a false positive).
Performance: the IDS must detect intrusions in real time (real time meaning that the intrusion is detected before serious damage is done to the system; according to [Ranum, 2000] this is under one minute).
Completeness: the IDS must not miss any intrusion (an undetected intrusion is called a false negative). This condition is hard to satisfy, because it is almost impossible to know every attack of the past, present and future.
Fault tolerance: the IDS itself must be able to resist attack.
Scalability: the IDS must be able to process events in the worst case without missing information. This requirement concerns systems where correlated events come from many sources with a small number of hosts; with the rapid growth of computer networks, the system may be overloaded by the growing number of events.
1.3 Distinguishing systems that are not IDSs

In contrast to the terminology used in lectures on intrusion detection, not everything falls into this category. Specifically, the following security devices are not IDSs:
- Network logging systems used to detect vulnerability to denial-of-service (DoS) attacks on a network; these are systems that inspect network traffic.
- Vulnerability assessment tools that check for bugs and holes in operating systems and network services (security scanners).
- Anti-virus products designed to detect malicious software such as viruses, trojan horses and worms, even though their default features may resemble an IDS and they often provide an effective tool for detecting security holes.
- Firewalls.
- Security and cryptographic systems such as SSL, Kerberos and VPNs.

2. Functions of an IDS

An intrusion detection system lets organisations protect their systems from the threats that come with increasing network connectivity and reliance on information systems. Threats to network security have become so pressing that network security professionals ask whether they should use an IDS, unless its features are useful to them and compensate for the weaknesses of other systems. Whether an IDS should be accepted as an additional component of every secure system is still an open question for many system administrators. Many documents describe what an IDS can do, but a few reasons for using an IDS can be stated:
- Protecting data integrity, ensuring the consistency of the data in the system; the measures taken prevent unauthorised modification or destruction of data.
- Protecting confidentiality, keeping information from leaking out. Protecting availability, meaning the system is always ready to serve the access requests of legitimate users.
- Protecting privacy, meaning users exploit system resources according to their assigned functions and duties, and illegitimate access to information is blocked.
- Providing information about intrusions and proposing policies for response, recovery and repair.
In short, an IDS can be summarised as follows. Its most important functions are monitoring, alerting and protecting:
Monitoring: network traffic and suspicious activity.
Alerting: reporting the state of the network to the system and the administrator.
Protecting: using the default settings and the administrator's configuration to take practical action against intruders and vandals.
Extended functions:
Distinguishing "the enemy within from the enemy without": internal and external att
acks.
Detecting: abnormal signs based on what is known, or by comparing current network traffic with the baseline.

An IDS also has the following functions: preventing the escalation of attacks; covering weaknesses that other systems have not handled; and assessing the quality of the system design. After an IDS has run for some time it will naturally reveal weaknesses, and exposing them serves to evaluate the quality of the network design and of the protective arrangements made by the network administrators.

3. Classification of IDSs

There are two different methods of analysing events to detect attacks: signature-based detection and anomaly detection. IDS products may use one of the two or combine both.
Signature-based detection: this method identifies events, or sets of events, that match a pattern of events defined as an attack.
Anomaly detection: this approach establishes a profile of normal activity and then maintains a current profile for the system. When the two differ, an intrusion is assumed.
The various IDSs all rely on detecting unauthorised intrusions and anomalous actions. The detection process can be described by three basic elements:
Information source: inspecting all packets on the network.
Analysis: analysing all collected packets to determine which actions are attacks.
Response: alerting about the attack that the analysis identified.

1. Network-based IDS (NIDS)

Figure 3-4: NIDS

A network-based IDS uses probes and sensors installed throughout the network. The probes watch the network for traffic matching defined profiles or signatures. The sensors receive and analyse traffic in real time. When a traffic pattern or signature is recognised, the sensor sends an alert to the management station and can be configured to seek ways to block further intrusion. A network-based IDS/IPS is a set of sensors placed across the network that watch the packets on the network and compare them with defined patterns to decide whether they are attacks. It is placed between the internal network and the external network to monitor all incoming and outgoing traffic. It can be a dedicated pre-built hardware appliance or software installed on a computer. It is used chiefly to measure the network traffic in use, but it can become a bottleneck when network traffic is high.

Advantages of network-based IDSs:
- Can manage a whole network segment (many hosts).
- "Transparent" to users and attackers alike.
- Simple to install and maintain, with no effect on the network.
- Avoids a DoS affecting any particular host.
- Can identify errors at the network layer (of the OSI model).
- Independent of the OS.

Limitations of network-based IDSs:

- False positives can occur: the NIDS reports an intrusion when there is none.
- Cannot analyse encrypted traffic (e.g. SSL, SSH, IPSec).
- The NIDS needs the latest signatures to be truly safe.
- There is a delay between the time of the attack and the time the alarm is raised; by the time the alarm fires, the system may already be damaged.
- Does not show whether the attack succeeded.
One of the limitations is bandwidth. The network probes must receive all network traffic, reassemble it and analyse it, and as network speed increases so must the probes' capacity. One solution is to make sure the network is designed so that multiple probes can be placed; as the network grows, more probes are added to guarantee the best communication and security.
One way hackers try to hide their activity from a network-based IDS is to fragment their packets. Every protocol has a maximum packet size; if the data sent over the network is larger, the packet is fragmented. Fragmentation is simply the process of splitting data into smaller pieces. The order of reassembly is not a problem as long as there is no overlap. If fragments overlap, the sensor must know how to reassemble them correctly. Many hackers try to evade detection by sending many overlapping fragments. A sensor that cannot reassemble the packets correctly will not detect the intrusive activity.

2. Host-based IDS (HIDS)

Figure 3-5: HIDS

By installing software on every host, a host-based IPS observes all system activity, such as log files and the network traffic it collects. A host-based system also monitors the OS, system calls, audit logs and error messages on the host. While network probes may detect an attack, only a host-based system can determine whether the attack succeeded. Furthermore, a host-based system can record what the attacker did on the compromised host. Not all attacks are carried out over the network. By gaining physical access to a computer system, an intruder can attack the system or its data without generating any network traffic at all. A host-based system can detect attacks that do not pass through the public or monitored network, or that are carried out from the console, but an intruder who understands IDS can quickly shut down all detection software once they have physical access. Another advantage of host-based IDS is that it can block attacks that use fragmentation or TTL tricks. Because a host must receive and reassemble fragments when processing traffic, a host-based IDS can monitor this.
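The overlapping-fragment evasion described in the NIDS section above, and the reassembly that a host (and therefore a HIDS) performs, can be made concrete with a small reassembler. The following is an added example written for this page; it is not code from the thesis or from any IDS product. Fragments are modelled only as (offset, bytes, more-fragments flag), the sample request and the signature list are constructed, and the "first-wins" / "last-wins" policies stand in for the different reassembly behaviour of real operating systems.

```python
"""Added example: reassembling fragments and flagging conflicting overlaps.

Constructed illustration, not code from the thesis or from any IDS product.
Fragments are modelled as (offset, data, more-fragments flag); the datagram
header is omitted because only the payload bytes matter here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece within the full payload
    data: bytes
    more: bool    # True = more fragments follow (IP "MF" flag); False = last piece


class ReassemblyError(Exception):
    """Raised when the fragment set cannot form a complete payload."""


def reassemble(frags, policy="first"):
    """Rebuild the payload from fragments in arrival order.

    policy selects which bytes win when fragments overlap: "first" keeps the
    bytes that arrived first, "last" lets later fragments overwrite.  Real
    hosts differ on this, which is what the evasion relies on.  Returns
    (payload, conflicts); conflicts lists the offsets at which two fragments
    carried *different* bytes.
    """
    buf = {}            # payload offset -> byte value
    conflicts = []
    total_len = None
    for f in frags:
        if not f.more:
            end = f.offset + len(f.data)
            if total_len is not None and total_len != end:
                raise ReassemblyError("two final fragments disagree on total length")
            total_len = end
        for i, b in enumerate(f.data):
            off = f.offset + i
            if off in buf:
                if buf[off] != b:
                    conflicts.append(off)
                    if policy == "last":
                        buf[off] = b
            else:
                buf[off] = b
    if total_len is None:
        raise ReassemblyError("final fragment (more=False) never arrived")
    missing = [o for o in range(total_len) if o not in buf]
    if missing:
        raise ReassemblyError(f"payload has gaps at offsets {missing[:8]}")
    return bytes(buf[o] for o in range(total_len)), conflicts


SIGNATURES = [b"/etc/passwd"]   # constructed sample signature list


def analyze(frags):
    """Sensor logic: alert on conflicting overlaps, and match signatures
    against the payload as seen under *both* reassembly policies."""
    alerts = []
    views = {}
    for policy in ("first", "last"):
        payload, conflicts = reassemble(frags, policy)
        views[policy] = payload
        if conflicts and "overlapping-fragments" not in alerts:
            alerts.append("overlapping-fragments")
    for sig in SIGNATURES:
        for policy, payload in views.items():
            if sig in payload:
                alerts.append(f"signature {sig!r} under {policy}-wins reassembly")
    return alerts


# Constructed samples.  BENIGN is an ordinary split request; EVASIVE hides the
# real path behind a decoy fragment that a "first-wins" host would keep.
BENIGN = [Fragment(0, b"GET /index.html", True), Fragment(15, b" HTTP/1.0", False)]
EVASIVE = [
    Fragment(0, b"GET /XXXXXXXXXX", True),   # decoy, bytes 0-14
    Fragment(4, b"/etc/passwd", True),       # overlaps bytes 4-14 with different content
    Fragment(15, b" HTTP/1.0", False),
]

if __name__ == "__main__":
    print(analyze(BENIGN))
    print(analyze(EVASIVE))
```

A sensor that reassembled under one policy only would either miss the signature or report a request the target never saw; checking both views and raising a separate alert on conflicting overlaps is the defensive choice, since legitimate traffic has no reason to send overlapping fragments with different contents.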

A HIDS is usually installed on one specific computer. Instead of monitoring the activity of a network segment, a HIDS only monitors the activity on that computer. HIDS are usually placed on the organisation's critical hosts and on the servers in the DMZ, which are usually the first targets of an attack. The main task of a HIDS is to monitor changes on the system, including (not exhaustively):
Processes.
Registry entries.
CPU usage.
Integrity and access checks on the file system.
Some other parameters.
When these parameters exceed a predefined threshold, or when suspicious changes occur on the file system, an alert is raised.

Advantages of HIDS:
Can identify the user associated with an event.
A HIDS can detect attacks taking place on a single machine, which a NIDS cannot.
Can analyse encrypted data.
Provides information about the host while an attack on it is taking place.

Limitations of HIDS:
Information from a HIDS is no longer trustworthy as soon as an attack on the host succeeds. When the OS is "brought down" by an attack, the HIDS goes down with it.
A HIDS must be set up on every host that needs monitoring.
A HIDS cannot detect network scans (Nmap, Netcat).
A HIDS needs resources on the host to operate.
A HIDS may be ineffective under DoS.
Most run on the Windows operating system, though some run on UNIX and other operating systems.
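Two of the HIDS tasks listed above, file-system integrity checking and threshold alerting, can be shown in a few functions. This is an added example written for this page, not code from the thesis or from any HIDS product; the file tree it builds in a temporary directory, the "tampering" it applies to that tree, and the CPU-usage series are all constructed, and the SHA-256 baseline is one reasonable choice rather than what any particular product does.

```python
"""Added example: host-based integrity and threshold checks.

Constructed illustration, not code from the thesis or from any HIDS product.
It builds a baseline of file hashes, reports files modified, added or removed
since the baseline, and raises an alert when a sampled metric (a constructed
CPU-usage series) stays above a threshold.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the baseline and classify every change."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def threshold_alert(samples, threshold, consecutive):
    """True if `consecutive` successive samples are all above threshold.
    Requiring a run, not a single spike, keeps short bursts from alerting."""
    run = 0
    for value in samples:
        run = run + 1 if value > threshold else 0
        if run >= consecutive:
            return True
    return False


def demo_integrity() -> dict:
    """Create a throwaway tree, baseline it, then simulate tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"original login program")
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)
        # Constructed tampering: one file replaced, one added, one deleted.
        (root / "bin" / "login").write_bytes(b"replaced login program")
        (root / "etc" / "ld.so.preload").write_bytes(b"/tmp/unknown.so\n")
        (root / "etc" / "passwd").unlink()
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo_integrity())
    print(threshold_alert([20, 95, 30, 97, 98, 99, 40], threshold=90, consecutive=3))
```

In a deployment the baseline would be stored off the monitored host (or signed), because an attacker who has already compromised the host can otherwise rewrite the baseline as easily as the files; that is the same weakness the limitations list above describes for HIDS as a whole.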

Because a host-based IDS requires the IDS software to be installed on every host, it can be a nightmare for administrators: upgrading versions, maintaining the software and configuring it become time-consuming and complex tasks. Because host-based systems only analyse the traffic received by the host, they cannot detect the common probing attacks carried out against a host or a group of hosts. A host-based IDS will not detect ping sweeps and port scans across many hosts. If the host is compromised, the intruder can simply shut down the IDS software or disconnect the host. Once that happens, the host can no longer generate any alerts. IDS software must be installed on every system on the network to provide full alerting capability for the network. In a heterogeneous environment this can be a problem, because the IDS software must be compatible with many different operating systems. Therefore, before choosing an IDS, we must make sure it is suitable and runs on all of the operating systems.

3. DIDS
A DIDS is a combination of NIDS sensors with each other, or of NIDS and HIDS sensors. Each sensor produces attack logs and sends them to a central machine hosting a database server for processing. A DIDS processes centrally, giving the administrator the ability to monitor the whole system. Today the largest DIDS in the world, with sensors everywhere, is the Dshield system. Dshield is part of the ISC (Internet Storm Center) of the SANS Institute.

Figure 3-6: DIDS

4. Comparison of host-based IDS and network-based IDS
Network-based IDS usually uses the anomaly-based detection method and analyses data in real time. A network-based IDS has no impact on the network or the hosts, so it cannot protect a specific system from attacks that are visible at the network level. It can also only manage the communication currently present with the workstation; reconfiguring network routing may be necessary in a switched environment. Host-based IDS can use both detection methods, misuse-based and anomaly-based. A HIDS is suited to monitoring and collecting the system's audit trail in real time as well as periodically, thereby distributing CPU and network utilisation while providing a flexible method for security administration. Because it operates on the host, a HIDS cannot counter network attacks such as SYN flood, but it can reduce the workload of the NIDS, especially for attacks on the console of a network-based IDS and in switched environments. Regarding enforcement of the administrator's security policy, host-based IDS is also designed to enforce policies easily, whereas a network-based IDS must have its policies updated offline and may affect network security during the downtime.

In general, a network-based IDS is suited to identifying complex transactions on the network and identifying security violations. Deploying a NIDS is a big advantage in that it can filter alerts like a HIDS controlled from a central point, which is convenient for management and for responding to attacks. As mentioned above, an organisation that uses IDS to strengthen its existing information security strategy will focus its system on HIDS. Although NIDS has its own value and should be tightly integrated into a sensible IDS solution, it is not well suited to keeping pace with developments in data transmission techniques. Most NIDS do not work well in switched networks, high-speed networks above 100Mbps, and encrypted networks. Moreover, about 80-85% of security violations originate from inside the organisation. Therefore an intrusion detection system may rely largely on HIDS, but NIDS should always be used to ensure safety. In general, a truly secure environment needs both HIDS and NIDS in place to provide the highest level of security, by managing both network communication and the direct exploitation of a host on the network.

Figure 3-7: An example of combining NIDS and HIDS.

As shown in the figure above, the security policy includes a firewall to restrict dangerous connections with the outside network. The network-based IDS is placed in front of the link to the outside network to analyse the data entering and leaving the system. Inside, host-based IDS is installed on the machines that need protection and analyses every interaction on those machines. The Manager Console is where alerts from the NIDS and the HIDS are received when they detect an intrusion.

We can explain the limitations of each type of IDS with the example below, and at the same time show the benefit of combining both solutions. Suppose a hacker wants to break into the system. An application IDS can detect the hacker overwriting the web server's root directory with some set of files. But it cannot detect the attacker deleting an important operating system directory such as /etc on a UNIX server. An operating-system IDS can detect the hacker deleting an important OS directory, but cannot detect the hacker carrying out a network attack such as LAND (in which a modified IP packet causes the server to fall into an infinite loop, consuming all the resources of the protocol stack so that it can no longer serve requests). A network-based IDS with a static signature set can detect the hacker performing a network DoS attack such as LAND, but cannot detect the attacker stealing credit card information through the database application. Combining host-based and network-based IDS can detect all of the above attack types.

4. IDS architecture
Today, different IDS systems are distinguished by their different analysis and inspection. An IDS is considered successful if it combines the following factors: fast execution, accuracy, sensible alerts, analysis of the whole traffic volume, maximum sensing, successful prevention and a flexible management policy. Each system has its own strengths and weaknesses, but the systems can be described under a common general model as follows:

4.1 Tasks performed
The main task of intrusion detection systems is to protect a computer system by detecting signs of attack. Detecting attacks depends on the number and type of appropriate actions. To prevent intrusion well, one needs a good combination of "bait and trap" equipped for studying threats. Diverting the intruder's attention away from the protected resource is another important task. The whole system must be inspected continuously. The data generated by the intrusion detection systems is inspected carefully (this is the main task of every IDS) to detect signs of attack (intrusion).

[Figure 3-8 diagram labels: IDS Tasks; Monitoring; Analysis; Intrusion detection; Notification; Response; Prevention; Simulation; Protected system; Additional IDS infrastructure; Sessions]

Figure 3-8: IDS tasks

When an intrusion is detected, the IDS issues alerts to the system administrators about the incident. The next step is taken by the administrators, or possibly by the IDS itself, using additional measures (functions that lock or limit sessions, system backups, routing connections to a system trap, sensible infrastructure, etc.) according to the organisation's security policies (Figure 2.3.1b). An IDS is a component of the security policy. Among the various IDS tasks, recognising the intruder is one of the fundamental ones. It is also useful in the forensic investigation of the circumstances and in installing suitable patches that allow detection of future attacks aimed at particular individuals or system resources. Intrusion detection may sometimes produce false alarms, for instance from problems caused by a faulty network interface, or from sending attack descriptions or signatures by mail.

4.2 Architecture of the intrusion detection system IDS

Figure 3-9: IDS architecture

The architecture of an IDS consists of these main components: the information collection component, the packet analysis (detection) component, and the response component, used when a packet is detected to be a hacker attack. Of these three components the packet analysis component is the most important, and within it the sensor plays the decisive role, so we will analyse the sensor to better understand the architecture of the intrusion detection system. The sensor is integrated with the data-collection component, an event generator. The collection method is determined by the event-generation policy, which defines the filtering mode for event information. The event generator (operating system, network, application) provides a suitable set of policies for events, which may be a record of system events or network packets. This policy set, together with the policy information, may be stored in the protected system or outside it. In some cases, for instance, the event data stream is transmitted directly to the analyser without any data being stored. This also relates somewhat to network packets.

Figure 3-10: IDS architecture

The role of the sensor is to filter information and discard irrelevant data obtained from the events related to the protected system, so that suspicious actions can be detected. The analyser uses the detection policy database for this purpose. In addition there are further components: attack signatures, normal behaviour profiles, and necessary parameters (e.g. thresholds). Furthermore, the database holds configuration parameters, including the communication modes with the response module. The sensor also has its own database, containing stored data on potential complex intrusions (built up from many different actions). An IDS may be arranged centrally (e.g. integrated into the firewall) or distributed. A distributed IDS consists of many different IDSs across a large network, all communicating with each other. Many sophisticated systems follow the agent-structure principle, where small modules are organised on a host in the protected network. The role of the agent is to inspect and filter all actions within the protected area and, depending on the method adopted, to produce an initial analysis and even take response actions. The network of cooperating agents reporting to a central analysis server is one of the important components of an IDS. A DIDS can use more sophisticated analysis tools, especially equipped to detect distributed attacks. Other roles of the agent relate to its mobility and its roaming across physical locations. Furthermore, agents may be dedicated to detecting a particular known attack signature. This is a decisive factor when talking about protection against new attack types.

The multi-agent architecture introduced in 1994 is AAFID (autonomous agents for intrusion detection). It uses agents that inspect a certain aspect of system behaviour at a certain time. For example, an agent may report an abnormal number of telnet sessions within the system it inspects. The agent can raise an alert when it detects a suspicious event. Agents can be cloned and moved into other systems (the autonomy feature). Apart from the agents, the system may have transceivers that inspect all the actions controlled by the agents on a particular host. The receivers always send the results of their operation to a single monitor. The monitors receive information from the networks (not just from one host), meaning they can correlate distributed information. In addition, some filters may be introduced for selecting and collecting data.

Figure 3-11: IDS architecture

There are also some further points to note:
- Architecture and placement of the IDS: depends on the size of the enterprise's organisation as well as the enterprise's purpose in using the IDS.
- Control strategy: the explicit description, for each IDS, of how control and the inspection of input and output information are handled:
+ Centralised strategy: direct control of operations such as inspection, detection, analysis, response and reporting from a central location.
+ Partially distributed: detection and inspection from the component locations, then reporting back to the central location.

+ Distributed: each region has its own centre representing the main centre, directly controlling the monitoring, inspection and reporting operations.

5. Detection methods
1. Misuse-based systems
Misuse-based systems can be divided into two types based on the database of attack types: knowledge-based and signature-based. A misuse-based system with a knowledge-based database stores information about attack forms. The audit data collected by the IDS is compared with the contents of the database, and if a match is found an alert is generated. Events that do not match any attack form are considered legitimate actions. The advantage of this model is that it rarely generates false alerts, because it relies on a detailed description of the attack type. However, the model has weaknesses: first, the diversity of attack types and of the many different vulnerabilities over time makes the database very large, making analysis difficult; furthermore, it can only detect previously known attack types, so it must be updated frequently whenever new attack types and vulnerabilities are discovered.

[Figure 3-12 diagram labels: Audit Data; Knowledge Base; Attack; Match?]
Figure 3-12: Knowledge-based IDS

Next are signature-based systems, which use abstract definitions describing an attack, called signatures. A signature comprises the group of information needed to describe an attack type. For instance, a network IDS may store in its database the contents of the packets associated with a known attack type. Usually the signature is stored in a form that allows direct comparison with the information in the event stream. During processing, the event is compared with the entries in the signature file; if a match is found, the system generates an alert. Signature-based systems are very popular today because they are easy to develop, give accurate feedback on alerts, and usually require few computing resources. However, they have the following weaknesses: The description of the attack is usually at a low level and hard to understand.

Every attack, and every variant of it, needs an additional signature in the database, so the database becomes very large. The more specific a signature, the fewer false alerts it generates, but the harder it is to detect its variants. Familiar examples of signature-based systems are Snort, EMERALD and many other commercial products. Many techniques are used to detect misuse; they differ fundamentally in how they maintain state (and in the importance of this property for the intrusion detection system).
A stateless IDS treats events as independent of each other; once the processing of the current event is complete, the information related to that event is discarded. This approach simplifies system design, especially the A-box, since it does not need to store and maintain information about previous actions. Stateless systems usually have high performance, especially in processing speed, since the analysis step is reduced to comparing the action with the database, with no further processing needed. However, stateless systems also have many limitations. First, they cannot detect malicious actions that consist of a sequence of different actions, because such a system processes each action individually and does not store them. And if we define signatures for malicious actions based on the first steps of the sequence, a large number of false alerts may be generated, because the action may be an ordinary one that only becomes intrusive when it is part of a sequence of other actions. This contradicts the main advantage of misuse-based IDS. Moreover, stateless systems can become the target of attacks aimed at generating large volumes of alerts. Tools can analyse the attack-type database and generate sequences of events that are described as malicious, causing an alert storm that paralyses the IDS and hides the real attack.
A stateful IDS stores information about past events. Thus the effects of events are related to each other within a sequence of events. While this approach increases system complexity, especially of the A-box, it shows clear advantages. Stateful tools can detect attacks consisting of many steps; furthermore they rarely produce the alert storms mentioned above, because generating the steps of an attack type is harder. However, such a system is vulnerable to state-based attacks, where the attacker makes the IDS process a large amount of information, reducing the performance of the system.
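The difference between the two approaches can be seen by running the same event stream through a stateless signature set and through a stateful detector that tracks each source through a small state machine. This is an added example written for this page, not code from the thesis; the event types, the attack scenario (scan, password guessing, login, privilege change) and the two source addresses are constructed to mirror the multi-step attacks discussed above.

```python
"""Added example: stateless signatures versus a stateful state-transition detector.

Constructed illustration, not code from the thesis.  Event types and the
attack scenario are assumptions chosen to mirror multi-step attacks.
"""

# Stateless rule set: each event is judged on its own.
SINGLE_EVENT_SIGNATURES = {"port_scan", "privilege_change"}

# Stateful rule set: (current_state, event_type) -> next_state, tracked per source.
TRANSITIONS = {
    ("initial", "port_scan"): "scanned",
    ("scanned", "login_failed"): "guessing",
    ("guessing", "login_failed"): "guessing",
    ("scanned", "login_success"): "foothold",
    ("guessing", "login_success"): "foothold",
    ("foothold", "privilege_change"): "compromised",   # final, alerting state
}


def stateless_detect(events):
    """Alert on every event whose type is in the signature set."""
    return [{"src": e["src"], "reason": e["type"]}
            for e in events if e["type"] in SINGLE_EVENT_SIGNATURES]


def stateful_detect(events):
    """Track each source through the state machine; alert only when the
    whole chain is observed, reporting the full sequence for the analyst."""
    state = {}      # src -> current state
    history = {}    # src -> event types that advanced the machine
    alerts = []
    for e in events:
        src, kind = e["src"], e["type"]
        cur = state.get(src, "initial")
        nxt = TRANSITIONS.get((cur, kind))
        if nxt is None:
            continue            # irrelevant for this source's current state
        state[src] = nxt
        history.setdefault(src, []).append(kind)
        if nxt == "compromised":
            alerts.append({"src": src, "sequence": list(history[src])})
            state[src] = "initial"   # reset so a repeat is reported again
            history[src] = []
    return alerts


def sources_in_progress(events, at_least="foothold"):
    """Sources that have reached an intermediate state: the point at which a
    response can be launched before the final step of the attack."""
    rank = {"initial": 0, "scanned": 1, "guessing": 2, "foothold": 3, "compromised": 4}
    state = {}
    for e in events:
        cur = state.get(e["src"], "initial")
        nxt = TRANSITIONS.get((cur, e["type"]))
        if nxt is not None:
            state[e["src"]] = nxt
    return sorted(s for s, st in state.items() if rank[st] >= rank[at_least])


# Constructed event stream: 10.0.0.5 walks the full chain, 10.0.0.9 is an
# administrator doing a routine privilege change.
EVENTS = [
    {"src": "10.0.0.5", "type": "port_scan"},
    {"src": "10.0.0.9", "type": "login_success"},
    {"src": "10.0.0.5", "type": "login_failed"},
    {"src": "10.0.0.5", "type": "login_failed"},
    {"src": "10.0.0.9", "type": "privilege_change"},
    {"src": "10.0.0.5", "type": "login_success"},
    {"src": "10.0.0.5", "type": "privilege_change"},
]

if __name__ == "__main__":
    print(stateless_detect(EVENTS))   # three alerts, one of them the administrator
    print(stateful_detect(EVENTS))    # one alert carrying the whole sequence
```

The stateless run produces three alerts, one of which is the administrator's legitimate privilege change (the false alert the text describes), while the stateful run produces a single alert only for the source that completed the chain and hands the analyst the sequence that caused it. The per-source table is also where the stateful design's own weakness lives: every tracked source costs memory, which is the resource a state-exhaustion attack targets.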

Figure 3-13: A stateful IDS detects attacks based on current and past events

One technique used to describe complex attack types is state transition, where a state is a temporary state of the system, representing its memory values. Malicious actions move the system from the initial safe state to a final compromised state, through intermediate states. This technique requires analysing the transitions that lead the system to a dangerous state. The IDS looks for those transitions, hence such systems are of the stateful type. The state transition model can express attack forms very well, including as a graphical description. In practice, multi-step attacks are very suitable for description with the state transition model. It also provides very detailed feedback on alerts, since the whole sequence of actions that caused the alert can be provided. Moreover, it allows countermeasures to be deployed before the attack reaches its final step, which is more effective than merely detecting the attack. The main disadvantage of the state transition technique is that it requires high computing capacity if the system has to track many attacks at once.

2. Anomaly-based systems
Anomaly-based systems rely on the assumption that abnormal actions are malicious; therefore they first need to build a model of the system's normal actions before identifying the abnormal ones (actions that do not fit the given model of normal actions).

[Figure 3-14 diagram labels: Audit Data; System Profile; Attack; Statistically Anomalous?]

Figure 3-14: Anomaly-based IDS

The advantage of this system is that it can detect previously unknown attack types. However, it produces many false alerts because of its overly general definition of an attack. Statistics show that in such systems most alerts are false; many of them come from ordinary actions and only a few from malicious ones, and the problem is that most systems have little ability to limit these false alerts. Research has shown that most systems share the characteristics of diversity and change. Moreover, the ambiguity of lower-layer protocols and the differences between applications make detecting abnormal behaviour in a given environment very difficult, because abnormality is a property of the environment. Finally, some new attack types can impersonate legitimate actions and may go undetected. Hence there are studies of specialised anomaly-based IDS that can be applied to detecting intrusions within IDS systems.

6. Classification of signatures
6.1 Detecting abnormal signatures
An intrusion detection system must be able to distinguish between normal user activity and abnormal activity in order to find dangerous attacks in time. Nevertheless, translating user behaviour (or a complete user-system session) into an appropriate security-related decision is often not simple, as many behaviours are unintended and unclear (Figure 2). To classify actions, an IDS must make use of anomaly detection, sometimes of baseline behaviour or attack signatures; a description of known abnormal behaviour (signature detection) is also called the knowledge base.

6.2 Normal behaviour patterns - anomaly detection

Normal behaviour patterns are very useful in predicting user and system behaviour. Anomaly detectors therefore build profiles representing normal usage and then use the normal behaviour data to detect discrepancies from the profiles and recognise possible attacks. To fit the profiles to events, the system is required to create initial user profiles in order to train the system on legitimate user behaviour. There is a problem with profiling here: when the system is allowed to learn on its own, intruders can also train the system at this point, so that previously intrusive behaviour becomes normal behaviour. An inaccurate profile can be detected across all possible intrusive activity. Furthermore, the profiles need upgrading and the system needs retraining, a difficult and time-consuming task. Given a set of normal behaviour profiles, anything that does not match the stored profile is considered suspicious activity. Therefore these systems are characterised by very high detection efficiency (they can recognise many attacks even if the attack is new to the system), but they suffer from producing false alerts and from some other problems.
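The profile-building step and the training problem described above can be shown with a simple statistical profile. This is an added example written for this page, not code from the thesis; the metric (logins per day for one user), the sample values and the z-score threshold are constructed, and the "retrain" function deliberately folds unchallenged observations into the profile in order to show how an intruder's activity becomes "normal" behaviour.

```python
"""Added example: a statistical normal-behaviour profile and the training
problem the text describes.

Constructed illustration, not code from the thesis.  The metric (logins per
day for one user) and all sample values are made up.
"""
import statistics


def build_profile(samples):
    """Learn mean and standard deviation of a user's normal metric."""
    if len(samples) < 2:
        raise ValueError("need at least two training samples")
    return {"mean": statistics.mean(samples),
            "stdev": statistics.stdev(samples),
            "n": len(samples)}


def is_anomalous(profile, value, z_threshold=3.0):
    """Flag a value whose z-score exceeds the threshold.  A flat profile
    (stdev 0) treats any deviation from the mean as anomalous."""
    if profile["stdev"] == 0:
        return value != profile["mean"]
    z = abs(value - profile["mean"]) / profile["stdev"]
    return z > z_threshold


def retrain(profile_samples, observed):
    """Naive continuous learning: fold *every* observation, flagged or not,
    into the next profile.  This is the weakness the text warns about."""
    return build_profile(list(profile_samples) + list(observed))


def demo():
    """Show detection on a clean profile, then the same value slipping
    through after the profile was trained on the intruder's own activity."""
    clean_days = [3, 4, 5, 4, 3, 5, 4, 4, 3, 4]        # constructed normal days
    profile = build_profile(clean_days)
    result = {
        "normal_day_flagged": is_anomalous(profile, 5),
        "burst_flagged": is_anomalous(profile, 25),
    }
    # Intruder activity that went unchallenged gets learned as "normal".
    poisoned = retrain(clean_days, [25, 30, 28])
    result["burst_flagged_after_poisoning"] = is_anomalous(poisoned, 25)
    return result


if __name__ == "__main__":
    print(demo())
```

The defensive lesson is in retrain: a profile should only absorb observations that an analyst has confirmed as legitimate, or the learning window should be closed while the profile is in use, otherwise the detector trains itself to ignore the very behaviour it was built to catch.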
The advantages of this anomaly detection method are: the ability to detect new attacks when an intrusion occurs; abnormal problems are recognised without knowledge of their internal causes or characteristics; less dependence of the IDS on the operating environment (compared with signature-based systems); the ability to detect abuse of user privileges.

The biggest disadvantages of this method are: a high probability of false alerts. System performance is not checked while the profiles are being built and during the training phase. Therefore, all user activities ignored during this phase will be illegitimate. User behaviour may change over time, so the normal behaviour profile database needs continuous upgrading. The need to retrain the system when behaviour changes means the system has no anomaly detection during the training period (false negatives).

6.3 Bad-behaviour signatures - signature detection
Information about system processing during abnormal and unsafe behaviour (system-based attack signatures) is usually used in real-time intrusion detection systems (because their computational complexity is not high).

Bad-behaviour signatures are divided into two types:
Attack signatures: they describe patterns of activity that can pose a security threat. Typically they are expressed as time-dependent relationships between a series of activities that may be combined with neutral activities.
Selected text strings: signatures matching the text strings that are searched for to find suspicious activity.
Any unclear activity may be examined and blocked. Thus their accuracy is very high (low false alarm rate). However, they are not fully exhaustive and do not fully prevent new attacks. Two main methods are combined in this signature detection:
Inspecting the low-level packet: many attack types exploit vulnerabilities in IP, TCP, UDP or ICMP packets. With a simple check of the flags set on the particular packet, it is entirely possible to determine which packets are legitimate and which are not. The difficulty here may be having to decode the packets and reassemble them. Similarly, other problems may relate to the TCP/IP layer of the protected system. Attackers often use encoded packets to bypass many IDS tools.
Inspecting application-layer protocols: many attack types (WinNuke) exploit program vulnerabilities, for instance special data sent to an established network connection. To detect such attacks effectively, the IDS must be supplemented with many application-layer protocols.
Signature detection methods have the following advantages: a low false alert rate, simple algorithms, easy creation of the attack signature database, easy to add to, and minimal consumption of system resources.
Some disadvantages: Difficulty in upgrading to new attack types. They cannot inherently detect new and unknown attacks. The attack signature database associated with them must be upgraded. Managing and maintaining an IDS necessarily involves analysing security vulnerabilities, which is a time-consuming process.

Attack knowledge also depends on the operating environment, so a bad-behaviour signature IDS must be configured to comply strictly with its operating system (version, platform, applications used). They seem to have difficulty managing internal attacks. Typically, abuse of authenticated user privileges cannot be detected when there is dangerous activity (because they lack information about user privileges and about the structure of attack signatures). Commercial IDS products usually use signature detection for two reasons. First, it is easier to provide signatures related to known attacks and to assign a name to an attack. Second, the attack signature database is upgraded frequently (by adding newly discovered attack signatures).

6.4 Overview of parameter patterns
This intrusion detection method is more difficult than the previous ones. It arose from the practical need for administrators to inspect various systems and network attributes (not necessarily with security issues in mind). The information obtained this way in a specific environment does not change. This method involves using the administrators' daily operational experience as the basis for detecting abnormal signatures. It can be regarded as a special case of the normal-profile method. The difference here lies in the fact that the profile is part of human understanding. This is a powerful technique because it allows intrusion based on unknown attack types to be detected. System activity can reveal subtle, unclear changes to that activity itself. It inherits the drawback that in practice humans understand only a limited part of the information at any one time, meaning some attacks may pass undetected.

7. How IDS detects attack types
1. Denial of Service attack
Though diverse in size and shape, from subtle malformed packets to full-blown packet storms, denial of service (DoS) attacks share the common purpose of freezing or choking the resources of the target system. Eventually the target becomes unreachable and unresponsive. DoS attacks on targets come in three forms: network, system and application.

Network flooding includes SYN flood, ping flood or multi echo request. System and device destruction includes Ping of Death, Teardrop, Bonk, LAND, attacks that exploit vulnerabilities in the operating system to damage or overload the system. This can happen by sending unusually formatted packets to the system and devices; they can be created with pre-programmed attack tools. Application destruction and overload includes techniques that damage and overload the system by exploiting weaknesses in applications, databases, email, web pages, etc. For instance, a very long email or a large number of emails, or a large number of requests for a web page, can overload the server of those applications.
IDS solution: A proxy firewall is very effective at blocking unwanted packets from outside; in addition a network IDS can detect packet-based attacks.

2. Scanning and probing
Scanners and probes automatically search systems on the network to identify weaknesses. Although these tools are designed for analysis and prevention, they can be used to harm systems. Scanning and probing tools include SATAN, ISS Internet Scanner, NETA CyberCop, Asmodeus and AXENT NetRecon. Probing can be done by pinging systems as well as by checking TCP and UDP ports to find applications with known flaws. Hence these tools can be useful for intrusion purposes.
IDS solution: A network-based IDS can detect dangerous actions before they happen. The time-to-response factor is very important here, in order to counter such attacks before damage is done. A host-based IDS can also be useful against this type of attack, but is not as effective as the network-based solution.

Figure 3-15: Defence-in-depth security policy

3. Password attack
There are three approaches to password attacks. The most visible type is password theft, which gives the attacker the greatest power and flexibility to access any information on any component of the network. Guessing or cracking passwords is the approach called brute force: trying many passwords in the hope of finding the right one. For cracking, the attacker needs access to the encrypted password or the file containing the encrypted passwords; the attacker then uses a program that guesses many passwords with the encryption algorithm that may have been used, to determine the correct one. With today's computer speeds, cracking is very effective when the password is a dictionary word, any password shorter than 6 characters, a common name or permutations of these. Today the Internet offers many password hackerware programs that can be downloaded and used easily. The same tools are also used by engineers for good purposes such as recovering passwords or finding information needed for criminal investigations. Examples of password theft include eavesdropping on passwords sent over the network (LOPHT2.0), fake mail, programs with an attached keylogger, trojans aimed at administrators; in addition one cannot fail to mention attacks on the human factor such as shoulder-surfing, force and coercion.

Guessing and cracking, for example: guessing from names, personal information or common words (possible when the username is known but not the password), using a guest account and then seizing administrator rights; attack methods such as brute force, guessing encrypted passwords from dictionary words, with tools such as LOPHT Crack and pwldump.
IDS solution: A network-based IDS can detect and prevent password guessing attempts (it can record them after a number of unsuccessful tries), but it is not effective at detecting unauthorised access to the encrypted password file or the running of cracking programs. A host-based IDS, on the other hand, is very effective at detecting password guessing as well as detecting unauthorised access to the password file.

4. Privilege-grabbing
Once attackers have penetrated the system, they try to seize access privileges. When successful, they take over the system. In UNIX this means becoming root, in Windows NT Administrator, in NetWare Supervisor. The commands and code for this technique can be found on the Internet, for instance exploiting buffer errors in the operating system or application software by writing segments into memory. When this tactic is used against a privileged operating-system program, it usually causes a core error, leading to the attacker gaining superuser access. Below are some common techniques for privilege-grabbing:
Guessing or cracking the root or administrator password
Buffer overflow
Exploiting the Windows NT registry
Accessing and exploiting a privileged console
Probing files, scripts or errors of the operating system and applications.
IDS solution: Both network-based and host-based IDS can identify an unauthorised privilege change immediately, at the software level, because it takes place on the host device. Because a host-based IDS can find users without privileges who suddenly become privileged without going through the normal system, the host-based IDS can stop this action. In addition, privilege-grabbing actions on the operating system and applications can be defined in the attack signature set of the network-based IDS to prevent the attack from happening.
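The password-guessing detection described in the password attack section above (an IDS recording an alert after a number of unsuccessful tries) comes down to counting failures per source inside a time window. This is an added example written for this page, not code from the thesis; the log lines are made up in the style of OpenSSH syslog messages, the host name, addresses and users are placeholders, the year added to the timestamps is an assumption (syslog lines carry none), and the threshold and window are arbitrary choices.

```python
"""Added example: detecting password guessing from authentication log lines.

Constructed illustration, not code from the thesis.  The log lines are made
up in the style of OpenSSH syslog messages; hosts, addresses and users are
placeholders.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
ASSUMED_YEAR = 2024   # syslog timestamps carry no year; assumption for parsing


def parse(line):
    """Return (timestamp, result, user, ip) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window count of failures per source address.

    Emits one "brute-force" alert when a source reaches `threshold` failures
    inside `window`, and a "success-after-failures" alert when a source that
    already crossed the threshold then logs in successfully.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for rec in map(parse, lines):
        if rec is None:
            continue
        ts, result, user, ip = rec
        q = failures[ip]
        while q and ts - q[0] > window:      # drop failures outside the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) == threshold:          # alert once, at the crossing
                alerts.append({"kind": "brute-force", "ip": ip, "failures": len(q), "at": ts})
        elif len(q) >= threshold:
            alerts.append({"kind": "success-after-failures", "ip": ip, "user": user, "at": ts})
    return alerts


# Constructed log excerpt: 203.0.113.7 guesses repeatedly and finally gets in;
# 198.51.100.4 is a user who mistyped once.
LOG = """\
Jan 10 10:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Jan 10 10:00:03 bastion sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Jan 10 10:00:04 bastion sshd[2203]: Failed password for alice from 198.51.100.4 port 51000 ssh2
Jan 10 10:00:06 bastion sshd[2204]: Failed password for root from 203.0.113.7 port 40003 ssh2
Jan 10 10:00:08 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 40004 ssh2
Jan 10 10:00:09 bastion sshd[2206]: Accepted password for alice from 198.51.100.4 port 51001 ssh2
Jan 10 10:00:11 bastion sshd[2207]: Failed password for root from 203.0.113.7 port 40005 ssh2
Jan 10 10:00:14 bastion sshd[2208]: Failed password for root from 203.0.113.7 port 40006 ssh2
Jan 10 10:00:20 bastion sshd[2209]: Accepted password for root from 203.0.113.7 port 40007 ssh2
Jan 10 10:00:21 bastion sshd[2210]: pam_unix(sshd:session): session opened for user root
""".splitlines()

if __name__ == "__main__":
    for a in detect(LOG):
        print(a)
```

The second alert kind is the one worth paging someone for: a success that follows a burst of failures from the same source is the signature of a guess that worked, and it is the case the text notes a NIDS can see but cannot resolve (it cannot tell whether the account was legitimate), so a HIDS on the host should confirm which account was used and what it did next.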

Figure 3-16: IDS sensor receiving data about the attack

5. Hostile code insertion
Some types of attack can insert hostile code into the system. This code can steal data, cause denial of service, delete files, or create a backdoor for the next unauthorised access. Some examples of hostile code insertion:
Virus: a program or piece of code that, when executed, leads to some automatic action, harmful or not, but always resulting in copies of itself in system files, application files or data. Viruses are usually identified by their harmful actions, which may be triggered by events, dates, etc.
Trojan Horse: a program or piece of code that, when executed, leads to some automatic action, usually harmful, but without the purpose of replicating. Usually a Trojan Horse is named or described as a program people want to use, but in fact it triggers actions that can lead to damaged files or systems.
Backdoor: a special kind of Trojan that replaces an existing program with one that allows the intruder to access the system in the future (such as msgina.dll on Windows NT).
Malicious Applet: also a kind of Trojan, usually a Java or ActiveX applet that users may encounter when browsing web pages. The applet appears to perform normal functions but hides dangerous actions such as uploading files to the attacker's web site.
IDS solution: Installing security software that protects against viruses and hostile code on gateways, servers and workstations is the most effective way to reduce the level of danger. Important files managed by a host IDS can ensure that programs and important files of the operating system are not tampered with. Combined with other events, the IDS can identify attempts to install hostile code; for instance it can detect someone replacing the logging program with a backdoor. A network-based IDS can also be instructed to manage the system and small files for integrity-checking purposes.

6. Cyber vandalism
Cyber vandalism includes: altering web pages and applets, deleting files, destroying the boot block and operating system programs, formatting disks.
IDS solution: With a host-based IDS, careful installation and configuration can identify all problems related to cyber vandalism. For instance, every change to a web page can be recorded in the audit trail of the device on which the page resides. Not only can it be configured to manage every change to the web page, the host-based IDS can also take countermeasures configured by the Security Administrator. A network-based IDS can use predefined attack signatures to accurately detect unauthorised access to the operating system and applications as well as file deletion and web page alteration.

7. Proprietary data theft
Although more than 80% of attacks on important information occur inside the organisation, the number of attacks from outside has increased steadily over the past few years. Besides strengthening the security policy within the system, organisations need to recognise that increasing connectivity also increases the danger to important data, through copying of data and eavesdropping on transmissions to obtain important data.
IDS solution: A host-based IDS model that manages important data can detect files being copied illegally. In some cases the IDS can rely on the operating system's audit trail, but in many cases logging incurs too much overhead (as with Windows NT). In those cases the host-based IDS must manage the important files separately. A network-based IDS can be modified to manage access to important files and to identify communications containing keywords.
In some cases it is very difficult to detect a host eavesdropping on the network; IDS software on the host can detect that the host has been put into promiscuous mode and is eavesdropping on communications.

8. Fraud, waste, abuse
Fraud, waste and abuse of computer resources are economic problems of the present era. Fraud involves illegal money transfers, credit card number theft, tampering with bank accounts, and manipulating check-writing programs. Waste and abuse occur when resources are used (accidentally or deliberately) for tasks that run counter to the organisation's purposes.
IDS solution: A network-based IDS can be modified to block URLs, but dedicated URL-blocking programs linked with the firewall may work more effectively, maintaining a dynamic URL list and an abuse policy based on USERID. A host-based IDS can enforce a policy set by the company; unauthorised access to and modification of system files can be detected by the host-based IDS as well as by the network-based IDS. Any change can be recorded immediately in the system audit trail, and the agent can easily track those actions.

HIDS is very effective against internal threats.

9. Audit trail tampering
As mentioned above, most of the information generated by user actions is recorded in the enterprise's own system audit trails. Tampering with the audit trail is the preferred way to remove or hide traces. Below are the methods hackers commonly use to attack the audit trail and hide their traces:
Audit deletion: deleting the audit trail once inside the system.

Deactivation : ngng tin trnh ghi s kin ln audit trail. Modification : sa s kin m n ghi nhn c trc khi thot khi h thng. Flooding : to ra cc s kin lm nhiu ngy trang cho du vt tn cng. Gii php ca IDS: Host-based IDS agent c th qun l vic can thip vo bin bn (xa, ngng hay sa i) v thc hin cc hnh ng ph hp. Networkbased IDS c th cung cp ng cnh cn thit pht hin audit trail b truy nhp hay sa i. 10. Security infrastructure attack (Tn cng h tng bo mt) C nhiu loi tn cng can thip vo vic iu khin c bn ca c s h tng bo mt, nh to tng la tri php, chnh sa ti khon ca ngi dng hay router, hay thay i quyn ca file. Tn cng vo c s h tng cho php k xm nhp c thm quyn truy nhp hay to thm nhiu ng xm nhp vo h thng hay mng. Cuc tn cng to ra thay i bng cch truy nhp tri php ti chc nng qun tr, tm console qun tr khng c ch , hay tc ng ln ngi qun tr thc hin hnh ng no . Trong cc trng hp rt kh c th phn bit gia mt hnh ng tn cng v mt hnh ng ca ngi qun tr mng. Gii php ca IDS: Cc hnh ng qun tr mng thng l ng nhp vo audit trail trn host hay router trn mt node la chn trn mng nh SYSLOG trn UNIX. Host-based IDS c th bt gi cc cuc ng nhp m thc hin nhng hnh ng nh a thm ti khon c c quyn, hay router v firewall b thay i mt cch ng nghi. Cn network-based IDS c th cung cp ng cnh cn thit qun l vic lm dng. III. H THNG NGN CHN XM NHP IPS 1. nh ngha IPS H thng IPS (intrusion prevention system) l mt k thut an ninh mi, kt hp cc u im ca k thut firewall vi h thng pht hin xm nhp IDS (intrusion detection system), c kh nng pht hin s xm nhp, cc cuc tn cng v t ng ngn chn cc cuc tn cng . IPS khng n gin ch d cc cuc tn cng, chng c kh nng ngn chn cc cuc hoc cn tr cc cuc tn cng . Chng cho php t chc u tin, thc hin cc bc ngn chn li s xm nhp. Phn ln h thng IPS c t vnh ai mng, d kh nng bo v tt c cc thit b trong mng. H thng

IPS gm 3 modul chnh: modul phn tch lung d liu, modul pht hin tn cng, modul phn ng. 2. Chc nng ca IPS Chc nng IPS m t nh l kim tra gi tin, phn tch c trng thi, rp li cc on, rp li cc TCP-segment, kim tra gi tin su, xc nhn tnh hp l giao thc v thch ng ch k. Mt IPS hot ng ging nh mt ngi bo v gc cng cho mt khu dn c, cho php v t chi truy nhp da trn c s cc u nhim v tp quy tc ni quy no . Cc gii php IPS Ngn nga Xm nhp nhm mc ch bo v ti nguyn, d liu v mng. Chng s lm gim bt nhng mi e do tn cng bng vic loi b nhng lu lng mng c hi hay c c trong khi vn cho php cc hot ng hp php tip tc. Mc ch y l mt h thng hon ho, khng c nhng bo ng gi no lm gim nng sut ngi dng cui v khng c nhng t chi sai no to ra ri ro qu mc bn trong mi trng. C l mt vai tr ct yu hn s l cn thit tin tng, thc hin theo cch mong mun di bt k iu kin no. iu ny c ngha cc gii php Ngn nga Xm nhp c t vo ng v tr phc v vi: - Nhng ng dng khng mong mun v nhng cuc tn cng Trojan horse nhm vo cc mng v cc ng dng c nhn, qua vic s dng cc nguyn tc xc nh v cc danh sch iu khin truy nhp (access control lists). - Cc gi tin tn cng ging nh nhng gi tin t LAND v WinNuke qua vic s dng cc b lc gi tc cao. - S lm dng giao thc v nhng hnh ng lng trnh nhng thao tc giao thc mng ging nh Fragroute v nhng kho st ln TCP (TCP overlap exploits) thng qua s rp li thng minh. - Cc tn cng t chi dch v (DOS/DDOS) nh lt cc gi tin SYN v ICMP bi vic s dng cc thut ton lc da trn c s ngng. - S lm dng cc ng dng v nhng thao tc giao thc cc cuc tn cng bit v cha bit chng li HTTP, FTP, DNS, SMTP .v.v. qua vic s dng nhng quy tc giao thc ng dng v ch k. - Nhng cuc tn cng qu ti hay lm dng ng dng bng vic s dng cc hu hn tiu th ti nguyn da trn c s ngng. Tt c cc cuc tn cng v trng thi d b tn cng cho php chng tnh c xy ra u c chng minh bng ti liu. Ngoi ra, nhng khc thng trong

cc giao thc truyn thng t mng qua lp ng dng khng c ch cho bt c loi lu lng hp php no, lm cho cc li tr thnh t chn lc trong ng cnh xc nh. 3. Kin trc chung ca cc h thng IPS Mt h thng IPS c xem l thnh cng nu chng hi t c cc yu t: thc hin nhanh, chnh xc, a ra cc thng bo hp l, phn tch c ton b thng lng, cm bin ti a, ngn chn thnh cng v chnh sch qun l mm do. H thng IPS gm 3 modul chnh: modul phn tch lung d liu, modul pht hin tn cng, modul phn ng. 3.1 Module phn tch lung d liu Modul ny c nhim v ly tt cc gi tin i n mng phn tch. Thng thng cc gi tin c a ch khng phi ca mt card mng th s b card mng hu b nhng card mng ca IPS c t ch thu nhn tt c. Tt c cc gi tin qua chng u c sao chp, x l, phn tch n tng trng thng tin. B phn tch c thng tin tng trng trong gi tin, xc nh chng thuc kiu gi tin no, dch v g... Cc thng tin ny c chuyn n modul pht hin tn cng. 3.2 Modul pht hin tn cng y l modul quan trng nht trong h thng c nhim v pht hin cc cuc tn cng. C hai phng php pht hin cc cuc tn cng, xm nhp l d s lm dng v d s khng bnh thng. Phng php d s lm dng: Phng php ny phn tch cc hot ng ca h thng, tm kim cc s kin ging vi cc mu tn cng bit trc. Cc mu tn cng bit trc ny gi l cc du hiu tn cng. Do vy phng php ny cn c gi l phng php d du hiu. Kiu pht hin tn cng ny c u im l pht hin cc cuc tn cng nhanh v chnh xc, khng a ra cc cnh bo sai lm gim kh nng hot ng ca mng v gip cc ngi qun tr xc nh cc l hng bo mt trong h thng ca mnh. Tuy nhin, phng php ny c nhc im l khng pht hin c cc cuc tn cng khng c trong c s d liu, cc kiu tn cng mi, do vy h thng lun phi cp nht cc mu tn cng mi. Phng php d s khng bnh thng: y l k thut d thng minh, nhn dng ra cc hnh ng khng bnh thng ca mng. Quan nim ca phng php ny v cc cuc tn cng l khc so vi cc hot ng thng thng. Ban u, chng lu tr cc m t s lc v cc hot ng bnh thng

ca h thng. Cc cuc tn cng s c nhng hnh ng khc so vi bnh thng v phng php d ny c th nhn dng. C mt s k thut gip thc hin d s khng bnh thng ca cc cuc tn cng nh di y: - Pht hin mc ngng: K thut ny nhn mnh vic o m cc hot ng bnh thng trn mng. Cc mc ngng v cc hot ng bnh thng c t ra. Nu c s bt thng no nh ng nhp vi s ln qu quy nh, s lng cc tin trnh hot ng trn CPU, s lng mt loi gi tin c gi vt qu mc... th h thng c du hiu b tn cng. - Pht hin nh qu trnh t hc: K thut ny bao gm hai bc. Khi bt u thit lp, h thng pht hin tn cng s chy ch t hc v to ra mt h s v cch c x ca mng vi cc hot ng bnh thng. Sau thi gian khi to, h thng s chy ch lm vic, tin hnh theo di, pht hin cc hot ng bt thng ca mng bng cch so snh vi h s thit lp. Ch t hc c th chy song song vi ch lm vic cp nht h s ca mnh nhng nu d ra c tn hiu tn cng th ch t hc phi dng li cho ti khi cuc tn cng kt thc. - Pht hin s khng bnh thng ca cc giao thc: K thut ny cn c vo hot ng ca cc giao thc, cc dch v ca h thng tm ra cc gi tin khng hp l, cc hot ng bt thng vn l du hiu ca s xm nhp, tn cng. K thut ny rt hiu qu trong vic ngn chn cc hnh thc qut mng, qut cng thu thp thng tin ca cc tin tc. Phng php d s khng bnh thng ca h thng rt hu hiu trong vic pht hin cc cuc tn cng kiu t chi dch v. u im ca phng php ny l c th pht hin ra cc kiu tn cng mi, cung cp cc thng tin hu ch b sung cho phng php d s lm dng, tuy nhin chng c nhc im thng to ra mt s lng cc cnh bo sai lm gim hiu sut hot ng ca mng. Phng php ny s l hng c nghin cu nhiu hn, khc phc cc nhc im cn gp, gim s ln cnh bo sai h thng chy chun xc hn. 3.3 Modul phn ng Khi c du hiu ca s tn cng hoc thm nhp, modul pht hin tn cng s gi tn hiu bo hiu c s tn cng hoc thm nhp n modul phn ng. Lc modul phn ng s kch hot tng la thc hin chc nng ngn chn cuc tn cng hay cnh bo ti ngi qun tr. Ti modul ny, nu ch a ra cc cnh bo ti cc ngi qun tr v dng li th h thng ny c gi l h thng

phng th b ng. Modul phn ng ny ty theo h thng m c cc chc nng v phng php ngn chn khc nhau. Di y l mt s k thut ngn chn: - Kt thc tin trnh: C ch ca k thut ny l h thng IPS gi cc gi tin nhm ph hu tin trnh b nghi ng. Tuy nhin phng php ny c mt s nhc im. Thi gian gi gi tin can thip chm hn so vi thi im tin tc bt u tn cng, dn n tnh trng tn cng xong ri mi bt u can thip. Phng php ny khng hiu qu vi cc giao thc hot ng trn UDP nh DNS, ngoi ra cc gi tin can thip phi c trng th t ng nh cc gi tin trong phin lm vic ca tin trnh tn cng. Nu tin trnh tn cng xy ra nhanh th rt kh thc hin c phng php ny. - Hu b tn cng: K thut ny dng tng la hy b gi tin hoc chn ng mt gi tin n, mt phin lm vic hoc mt lung thng tin tn cng. Kiu phn ng ny l an ton nht nhng li c nhc im l d nhm vi cc gi tin hp l. - Thay i cc chnh sch ca tng la: K thut ny cho php ngi qun tr cu hnh li chnh sch bo mt khi cuc tn cng xy ra. S cu hnh li l tm thi thay i cc chnh sch iu khin truy nhp bi ngi dng c bit trong khi cnh bo ti ngi qun tr. - Cnh bo thi gian thc: Gi cc cnh bo thi gian thc n ngi qun tr h nm c chi tit cc cuc tn cng, cc c im v thng tin v chng. - Ghi li vo tp tin: Cc d liu ca cc gi tin s c lu tr trong h thng cc tp tin log. Mc ch cc ngi qun tr c th theo di cc lung thng tin v l ngun thng tin gip cho modul pht hin tn cng hot ng. 4. Phn loi h thng IPS C hai kiu kin trc IPS chnh l IPS ngoi lung v IPS trong lung. 4.1 IPS ngoi lung(Promiscuous Mode IPS) H thng IPS ngoi lung khng can thip trc tip vo lung d liu. Lung d liu vo h thng mng s cng i qua tng la v IPS. IPS c th kim sot lung d liu vo, phn tch v pht hin cc du hiu ca s xm nhp, tn cng. Vi v tr ny, IPS c th qun l bc tng la, ch dn n chn li cc hnh ng nghi ng m khng lm nh hng n tc lu thng ca mng. 4.2 IPS trong lung (In-line IPS)
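As an added illustration of the threshold and self-learning techniques described in 3.2 (this is not code from the thesis; the hosts, per-minute counts and limits are constructed), the block below learns a per-host baseline from a quiet period, then flags a window that exceeds it, alongside a fixed administrator-set threshold on failed logins:

```python
"""Added example, not from the thesis: threshold detection and self-learning
profile detection (section 3.2) over constructed per-minute event counts."""
import statistics
from collections import defaultdict


def synth(minute, host, event, n):
    """Constructed helper: n identical (minute, host, event) records, as a
    one-line-per-event connection log would yield after parsing."""
    return [(minute, host, event) for _ in range(n)]


# Learning period: five one-minute windows of normal activity per host.
TRAINING = []
for m, n in enumerate([4, 5, 4, 6, 5], start=1):        # ws1: quiet workstation
    TRAINING += synth(m, "ws1", "conn", n)
for m, n in enumerate([40, 38, 45, 41, 42], start=1):   # web1: busy web server
    TRAINING += synth(m, "web1", "conn", n)

# Working period: one burst, one in-range server window, some failed logins.
MONITORED = (synth(10, "ws1", "conn", 40)          # ws1 suddenly very chatty
             + synth(10, "web1", "conn", 44)       # inside web1's normal range
             + synth(11, "ws1", "conn", 5)
             + synth(11, "bob", "login_fail", 7)   # repeated failures
             + synth(11, "alice", "login_fail", 2))


def per_window_counts(records, event):
    """host -> {minute: number of `event` records seen in that minute}"""
    counts = defaultdict(lambda: defaultdict(int))
    for minute, host, ev in records:
        if ev == event:
            counts[host][minute] += 1
    return counts


def learn_profile(records, event):
    """Learning mode: per-host mean and standard deviation of the per-minute
    count observed during the learning period."""
    profile = {}
    for host, by_minute in per_window_counts(records, event).items():
        samples = list(by_minute.values())
        if len(samples) < 2:
            continue  # too few windows to estimate variance
        profile[host] = (statistics.mean(samples), statistics.stdev(samples))
    return profile


def profile_anomalies(profile, records, event, k=3.0, min_sigma=1.0):
    """Working mode: flag (host, minute) windows whose count exceeds
    mean + k*sigma. A host with no learned baseline is flagged too, since a
    new talker is itself a deviation from what was learned."""
    alerts = []
    for host, by_minute in per_window_counts(records, event).items():
        for minute, n in sorted(by_minute.items()):
            if host not in profile:
                alerts.append((host, minute, n, "no baseline for host"))
                continue
            mean, sigma = profile[host]
            limit = mean + k * max(sigma, min_sigma)  # floor avoids sigma == 0
            if n > limit:
                alerts.append((host, minute, n, f"exceeds {limit:.1f}"))
    return alerts


def threshold_alerts(records, event, limit):
    """Threshold detection: a fixed per-minute ceiling chosen by the
    administrator, e.g. at most `limit` failed logins per account per minute."""
    return [(host, minute, n)
            for host, by_minute in per_window_counts(records, event).items()
            for minute, n in sorted(by_minute.items()) if n >= limit]


if __name__ == "__main__":
    prof = learn_profile(TRAINING, "conn")
    for a in profile_anomalies(prof, MONITORED, "conn"):
        print("profile anomaly:", a)
    for a in threshold_alerts(MONITORED, "login_fail", 5):
        print("threshold alert:", a)
```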

The IPS sits in front of the firewall, so traffic must pass through the IPS before reaching the firewall. The main difference from the out-of-band IPS is the added traffic-blocking function. This lets the IPS stop dangerous traffic faster than an out-of-band (Promiscuous Mode) IPS. However, this position slows traffic into and out of the network.

With the goal of blocking attacks, an IPS must operate in real time. The speed of the system is a very important factor. The intrusion detection process must be fast enough to block attacks immediately. If this requirement is not met, attacks complete and the IPS is meaningless.

5. Tools supporting IPS (the same as for IDS)

6. IPS processing techniques

The purpose of an IPS is to detect and block attackers intruding into the system. An IPS cannot detect and block every kind of attack, only those that have been defined in advance, and the techniques applied in intrusion detection systems are:

Anomaly detection
Misuse detection
Policy-based detection
Protocol analysis

1. Anomaly detection

Anomaly- or profile-based detection analyzes the activities of computer networks and network traffic, looking for anomalies. When an anomaly is found, an alarm is raised. An anomaly is any deviation or departure from the usual order, form or rule. Because this form of detection looks for anomalies, the security administrator must define what counts as abnormal activity and traffic. The security administrator can define normal activity by creating user group profiles. A user group profile shows the boundaries of the activities and network traffic of a given user group. User groups are defined by the security engineer and are used to represent common job functions. Typically, user groups should be divided according to the activities and the resources they use. A web server should have its profile based on web traffic, and likewise a mail server. You certainly do not expect telnet traffic to your web server, nor do you want SSH traffic to your mail server. For this reason you should have a different profile for each kind of service on your network.

Various techniques are used to build user profiles, and many IPS systems can be configured to build their own profiles. Typical methods for building user group profiles are statistical sampling, rule-based methods and neural networks. Each profile serves as the definition of normal users and network activity. If a user strays too far from what is defined in the profile, the IPS generates an alarm.

Benefits of using an Anomaly-Based IPS:

- With this method, an intruder never knows when an alarm will or will not be raised, because they have no access to the profiles used to detect attacks.
- User group profiles are much like a dynamic signature database that keeps changing as your network changes. With signature-based methods, an intruder can test on their own IPS what raises an alarm.
- The signature file ships with the IPS, so an intruder can use an IPS to run tests. Once the intruder understands what raises an alarm, they can change their attack methods and tools to defeat the IPS.
- Because anomaly detection does not use a preconfigured signature database, the intruder cannot know exactly what causes an alarm.
- Anomaly detection can quickly detect an attack from inside that uses a compromised user account. If the user account belongs to an administrative assistant and is being used to perform system administration, an anomaly-based IPS will raise an alarm as long as that account is not normally used for system administration.
- The greatest advantage of profile- or anomaly-based detection is that it does not rely on a set of preconfigured signatures or particular known exploits. Profiles can be dynamic and can use artificial intelligence to determine normal activity.
- Because profile-based detection does not rely on known signatures, it is well suited to detecting attacks never seen before, as long as they deviate from the normal profile. Profile-based detection is used to detect new attack methods that signature-based detection cannot detect.

Limitations of using an Anomaly-Based IPS

- Many limitations of the anomaly detection method have to do with creating user group profiles and with the quality of those profiles.
- High initial preparation time.
- No protection during the initial setup period.
- Profiles must be updated frequently as user habits change.
- Difficulty defining normal behaviour: an IPS is only as good as its definition of what is normal. Defining normal activity is even more challenging in environments where users' jobs or responsibilities change frequently.
- False alarms: anomaly-based systems tend to have many false positives because they look for anything unusual.
- Hard to understand: the last limitation of the anomaly-based method is its complexity. Statistical sampling, rule-based methods and neural networks are ways of creating profiles that are hard to understand and explain.

2. Misuse detection

Misuse detection, also known as signature-based detection, looks for intrusive activity that matches specific signatures. These signatures are based on a set of rules that match typical patterns and exploits used by attackers to gain access to a network. Highly skilled network engineers study how to recognize attacks, and their main goal is to develop the rules for each signature. Building clear signatures reduces the chance of false positives while lowering the chance of false negatives. A fully configured misuse-detection-based IDS produces the lowest level of false negatives. If a misuse-based IDS continually generates false positives, its overall effectiveness is reduced.

A Signature-Based IPS creates a rule tied to typical intrusive activity. Creating signatures requires the administrator to have the skills and a very clear understanding of attacks and threats, and to know how to develop signatures to detect attacks and threats to their own network. A Signature-Based IPS monitors all traffic and compares it with the existing data. If a match is found, it issues an alert to the administrator indicating an attack. To determine an attack signature, the form of the attack must be known in advance; a Signature-Based IPS examines packet headers or data payloads. For example, a signature might be a sequence of several events or a sequence of bytes in a particular context.

A Signature-Based IPS is a set of rules used to identify common intrusive activity. Researchers study skilful techniques for finding attacks, patterns and methods of writing signature files. As more attack methods and exploits are discovered, IPS vendors must provide signature file updates, just as anti-virus software vendors must provide updates for their software. Once the signature file is updated, the IPS can analyze all traffic. If any traffic matches a signature, an alarm is raised. Typical IPS systems come with signature file data.

Benefits of using a Signature-Based IPS

- Signature files are built from known activities and attack methods, so if there is a match the probability that an attack is occurring is very high. Misuse detection has fewer false positive reports than anomaly detection. Signature-based detection does not track traffic patterns or look for anomalies; instead it simply monitors activity to find a match with any configured signature.
- Because misuse detection is based on signatures rather than traffic patterns, the IPS can be configured and can start protecting the network immediately. The signatures in the database hold known intrusive activity and descriptions of those signatures. Each signature in the database can be enabled or disabled, and different alarm levels as well as different blocking actions can be configured for individual signatures. Misuse detection is easier to understand and configure than anomaly detection systems. The administrator can easily view the signature file and understand which action must correspond to an alarm. The security administrator can enable signatures, then run a test across the whole network and see whether any alarms fire.
- Because misuse detection is easy to understand, extend and test, administrators have great control over, and confidence in, their IPS.

Limitations of a Signature-Based IPS

Beside the advantages of the misuse detection mechanism, many limitations exist. Misuse detection is easier to configure and understand, but this simplicity is paid for in lost functionality and in overhead. These are the limitations:

- Inability to detect new or unknown attacks: an IPS using misuse detection must know the attack activity in advance in order to recognize the attack. New attack forms that have never been seen or discovered before will usually not be detected.
- Inability to detect variations of known attacks: signature files are static, meaning they do not adapt as some anomaly-based systems do. By changing the way an attack is carried out, an intruder can intrude without being detected (a false negative).

- Managing the signature database: It is the security administrator's responsibility to ensure the signature database file is always up to date and current. This is time-consuming and difficult work.
- Sensors must maintain state information: Like firewalls, sensors must maintain state data. Most sensors keep state information in cache memory for faster access, but that space is limited.

3. Policy-Based IPS

A Policy-Based IPS reacts or takes action if a violation of a configured policy occurs. A Policy-Based IPS therefore provides one or more general-purpose prevention methods.

Benefits of using a Policy-Based IPS

- A policy can be applied to each device in the network.
- One of the important features of the Policy-Based approach is accurate identification and fast reaction, with very few false alarms. These benefits are attainable because the system administrator pushes the security policies to the IPS precisely.

Limitations of using a Policy-Based IPS

- The administrator's workload is extremely heavy.
- When a new device is added to the network, it has to be configured again.
- Remote administration is difficult.

4. Protocol Analysis-Based IPS

The protocol analysis approach to intrusion prevention is similar to a Signature-Based IPS, but it goes deeper into analyzing the protocols in the packets. For example: a hacker starts running an attack program against a server. First the hacker has to send an IP packet of a protocol type that, according to its RFC, may not carry data in the payload. A Protocol Analysis-Based IPS detects this basic kind of attack on a number of protocols by:

- Checking the protocol to determine whether a packet is legitimate or not.
- Checking the payload contents (pattern matching).
- Raising alerts on abnormal behaviour.

7. Signatures and processing techniques

A signature is a set of rules that an IDS and an IPS use to detect typical intrusive activity, such as DoS attacks. Signatures can easily be installed using IDS and IPS management software such as Cisco IDM and SDM, and can easily be modified or newly created. As the sensor scans packets, IOS IPS uses signatures to detect known attacks and responds with predefined actions. A malicious packet flow has a specific kind of activity and signature, and an IDS or IPS sensor examines the traffic data using various signatures. When an IDS or IPS sensor matches a signature to a traffic flow, the sensor takes action, such as logging the event or sending an alarm to the IDS or IPS management software, such as Cisco SDM.

Signature-based intrusion detection can produce false alarms because some normal network activity can be misinterpreted as malicious activity. For example, some network applications or operating systems may send many Internet Control Message Protocol (ICMP) messages, which a signature-based detection system may interpret as an attempt by an attacker to map a network segment. False positives can be minimized by tuning the sensors, adjusting the parameters built into the signatures (signature tuning) so that they match the system's actual activity.

1. Signature micro-engines

A signature micro-engine is a component of an IDS and IPS sensor that supports a group of signatures in a common category. Each engine is customized for the protocol and fields it is designed to inspect and defines a set of legal parameters with allowable ranges or sets of values. Signature micro-engines look for malicious activity in a specific protocol. Signatures can be defined for any of the supported signature micro-engines using the parameters offered by the supporting micro-engine. Packets are scanned by the micro-engines that understand the protocols contained in the packet.

Cisco signature micro-engines perform parallel scanning. All the signatures in a given signature micro-engine are scanned in parallel rather than serially. Each signature micro-engine extracts values from the packet and passes portions of the packet to the regular expression engine. The regular expression engine can search for multiple patterns at the same time (in parallel), which increases efficiency and results in higher throughput.

When IDS (promiscuous mode) or IPS (inline mode) is enabled, a signature micro-engine is loaded (or built) on the router. When a signature micro-engine is built, the router may need to compile the regular expressions found in a signature. Compiling a regular expression requires more memory than the final storage of the compiled expression. Be sure to determine the final memory requirements of the finished signatures before loading and merging signatures.

Note: A regular expression is a systematic way to specify a search for a pattern in a series of bytes. For example, a regular expression can be used to block data containing .exe, .com or .bat through a firewall, like this:
".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt])"

Note: For the list of currently supported signature micro-engines, refer to the "Supported Signature Engines" list on Cisco's home page.

Summary of the signature engine types available in Cisco IOS Release:

Signature Engine   Description
Atomic             Signatures that examine simple packets, such as ICMP and UDP
Service            Signatures that examine the many services that are attacked
String             Signatures that use regular-expression-based patterns to detect intrusions
Multi-string       Supports flexible pattern matching and trend signatures
Other              Internal engine that handles miscellaneous signatures

Table: Detailed description of signature engines

Signature Engine     Description
ATOMIC.IP            Layer 3 IP alarms
ATOMIC.ICMP          ICMP alarms based on type, code, sequence and ID
ATOMIC.IPOPTIONS     Alarms based on decoding Layer 3 options
ATOMIC.UDP           Simple UDP packet alarms based on port, direction and data length
ATOMIC.TCP           Simple TCP packet alarms based on port, destination and flags
SERVICE.DNS          DNS service analysis
SERVICE.RPC          RPC remote procedure call service analysis
SERVICE.SMTP         Inspects the SMTP mail sending protocol
SERVICE.HTTP         Basic HTTP protocol decoding based on the string engine; includes anti-evasive URL deobfuscation
SERVICE.FTP          Special decoding alarms for the FTP service
STRING.TCP           Regular-expression-based pattern inspection of TCP services
STRING.UDP           Regular-expression-based pattern inspection of UDP services
STRING.ICMP          Regular-expression-based pattern inspection of ICMP
MULTI-STRING         Supports flexible pattern matching and trend signatures
Other                Provides internal engines to handle miscellaneous signatures

Cisco IOS IPS and the Cisco IPS AIM cannot be used together. Cisco IOS IPS must be disabled when the IPS AIM is installed. Cisco IOS IPS is an application that provides inspection capability for traffic passing through the router. Although it is included in the Cisco IOS Advanced Security feature set, it uses the router's CPU and shared memory to perform the inspection. Cisco IOS IPS also runs only a subset of the IPS signatures. The Cisco IPS AIM, discussed earlier in this chapter, runs on a dedicated CPU and memory, offloading the processing of all IPS signatures from the router CPU. It can load a full signature set and provides advanced IPS features not available in Cisco IOS IPS.

2. Signature alarms

The ability of IDS and IPS sensors to accurately detect an attack or a policy violation and generate an alarm is critical to the functionality of the sensors. Attacks can generate the following kinds of alarm:

False positive: A false positive is an alarm triggered by normal traffic or a benign action. Consider this scenario: a signature raises an alarm if the password of any network device is entered incorrectly. A network administrator tries to log in to a Cisco router but types the wrong password. The IDS cannot distinguish between a rogue user and the network administrator, so it raises an alarm.

False negative: A false negative occurs when a signature does not fire even though offending traffic is present. Offending traffic ranges from someone sending confidential documents outside the corporate network to attacks against the company's web servers. False negatives are bugs in the IDS and IPS software and should be reported. A false negative should be considered a software bug only if the IDS and IPS has a signature designed to detect that offending traffic.

True positive: A true positive occurs when an IDS or IPS signature fires correctly, and an alarm is generated, when offending traffic is detected. For example, consider a Unicode attack. Cisco IPS sensors have signatures that detect Unicode attacks against Microsoft Internet Information Services (IIS) web servers. If a Unicode attack is launched against Microsoft IIS web servers, the sensors detect the attack and generate an alarm.

True negative: A true negative occurs when a signature does not fire when non-offending traffic is captured and analyzed. In other words, the sensor does not raise an alarm when it captures and analyzes "normal network traffic".

Table: Summary of alarm types

Alarm type          Intrusion occurred     No intrusion occurred
Alarm raised        True positive          False positive
Alarm not raised    False negative         True negative

An alarm is raised when its conditions are met. The volume of alarms must be weighed: if too many alarms occur they become hard to manage, and bandwidth is consumed by capturing and analyzing packets and raising alarms; if too few alarms occur, it becomes hard to tell whether the system has been intruded, although the system's bandwidth is not consumed. If the IPS does not use its alarms appropriately, it will raise false positives. The level at which an alarm should be raised must therefore be considered; IPS signatures are divided into the following alarm levels:

Informational: The activity that triggered the signature is not considered an immediate threat, but the information provided is useful.

Low: Abnormal network activity was detected that could be perceived as malicious, but an immediate threat is unlikely.

Medium: Abnormal network activity was detected that could be perceived as malicious, and an immediate threat is likely.

High: Attacks used to gain access or to cause a DoS attack were detected, and an immediate threat is highly likely.

Besides the default levels, these can be adjusted to suit the network. To reduce false positives, examine the existing network traffic first and then bring the signatures online to detect atypical intrusions (outside the normal state) according to the prescribed patterns. Rather than editing signatures away from the prescribed patterns, compare the prescribed signature patterns with the network traffic that exists, taking the prescribed patterns as the reference point for deciding which traffic patterns should rarely raise an alarm.
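The following added example (not the thesis's or Cisco's code) ties together the regular-expression signature quoted in the note of section 7.1, the in-line versus promiscuous reaction of section 4, the alarm levels just listed and the four alarm outcomes of section 7.2: a minimal signature engine scans constructed, labelled payloads and tallies the outcomes. The signature IDs, descriptions, payloads and severities are made up; only the .exe/.com/.bat pattern comes from the text.

```python
"""Added example, not from the thesis or Cisco: a toy signature engine with
severity levels, in-line/promiscuous reactions and alarm-outcome tallies."""
import re
from collections import Counter

SEVERITY = ("informational", "low", "medium", "high")  # section 7.2 levels

# Constructed signature set: (id, severity, compiled pattern, description).
# Signature 1000 is the pattern quoted in the thesis note; the rest are made up.
SIGNATURES = [
    (1000, "medium", re.compile(r".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt])"),
     "executable file name (.exe/.com/.bat) in payload"),
    (1001, "high", re.compile(r"(\.\./){2,}"), "directory traversal sequence"),
    (1002, "informational", re.compile(r"^GET /robots\.txt"), "robots.txt fetch"),
    (1003, "low", re.compile(r"(?i)user-agent: .*(nikto|sqlmap)"), "known scanner"),
]


def match_signatures(payload):
    """Signatures whose pattern occurs anywhere in the payload, highest
    severity first. An empty list means the sensor stays silent."""
    hits = [s for s in SIGNATURES if s[2].search(payload)]
    return sorted(hits, key=lambda s: SEVERITY.index(s[1]), reverse=True)


def decide(payload, min_severity="low", inline=True):
    """Sensor decision: ("pass"|"alert"|"drop", signature id or None).
    Alarms below `min_severity` are suppressed (the tuning step the text
    recommends). In in-line mode a medium or high hit drops the packet; lower
    levels, and every hit in promiscuous mode, only raise an alert."""
    floor = SEVERITY.index(min_severity)
    hits = [s for s in match_signatures(payload) if SEVERITY.index(s[1]) >= floor]
    if not hits:
        return "pass", None
    sig_id, severity = hits[0][0], hits[0][1]
    if inline and SEVERITY.index(severity) >= SEVERITY.index("medium"):
        return "drop", sig_id
    return "alert", sig_id


# Constructed traffic with the analyst's ground truth (True = really offending).
SAMPLES = [
    ("GET /index.html HTTP/1.1", False),
    ("GET /robots.txt HTTP/1.1", False),
    ("GET /../../../../etc/passwd HTTP/1.1", True),
    ("POST /upload HTTP/1.1\r\n\r\nfilename=report.EXE", True),
    ("GET /docs/welcome.com.pdf HTTP/1.1", False),   # benign, yet matches ".com"
    ("GET / HTTP/1.1\r\nUser-Agent: sqlmap/1.0", True),
    ("GET /shell?cmd=id HTTP/1.1", True),            # no signature covers this
]


def alarm_outcomes(samples, **kw):
    """Tally the four outcomes of section 7.2 for a labelled sample set;
    `kw` is passed to decide() so the effect of tuning can be compared."""
    tally = Counter()
    for payload, offending in samples:
        fired = decide(payload, **kw)[0] != "pass"
        if fired and offending:
            tally["true_positive"] += 1
        elif fired and not offending:
            tally["false_positive"] += 1
        elif not fired and offending:
            tally["false_negative"] += 1
        else:
            tally["true_negative"] += 1
    return dict(tally)


if __name__ == "__main__":
    for payload, _ in SAMPLES:
        print(decide(payload), repr(payload[:40]))
    print("default tuning:", alarm_outcomes(SAMPLES))
    print("medium and above only:", alarm_outcomes(SAMPLES, min_severity="medium"))
```

Raising the floor to "medium" silences the scanner signature and turns one true positive into a false negative, while lowering it to "informational" adds the robots.txt fetch as a second false positive; the tally makes the trade-off the text describes visible.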

CHAPTER IV APPLICATION - EXPERIMENT
