
Master's Thesis
Thesis title: Network intrusion detection system
Student: Nguyễn Đức Cường
Scientific supervisor: Assoc. Prof. Dr. Đặng Văn Chuyết
Institution: Hanoi University of Technology
Email: cuongnd-linc@mail.hut.edu.vn
Year: 2008

Abstract
Over the past decade the Internet has grown strongly in both scale and complexity. During this growth, network security problems have become more and more evident. Administering a network has become increasingly complex, and errors can no longer be fixed by hand as before. An automatic intrusion detection system is therefore very necessary. The contribution of this thesis has two parts. Part 1: the concept and structure of a network intrusion detection system (IDS), and the products developing strongly on the market. Part 2: a first step in deploying a software IDS on the network of Hanoi University of Technology, specifically the open-source application SNORT, to help raise the performance of the university's network.

MINISTRY OF EDUCATION AND TRAINING
HANOI UNIVERSITY OF TECHNOLOGY

Hanoi 2008

NGUYỄN ĐỨC CƯỜNG, INFORMATION PROCESSING AND COMMUNICATION, 2006 - 2008

MASTER OF SCIENCE THESIS
MAJOR: INFORMATION PROCESSING AND COMMUNICATION

NETWORK INTRUSION DETECTION SYSTEM

NGUYỄN ĐỨC CƯỜNG

HANOI 2008

Master of Science Thesis. Title: Warning and Protection System of Network Attacks. Student: Nguyen Duc Cuong. Supervisor: Professor Dang Van Chuyet, Department of Information Technology, Hanoi University of Technology. Email: cuongnd-linc@mail.hut.edu.vn. Year: 2008

Summary
During the last decade, the Internet has developed rapidly in terms of scale as well as diversity. As a consequence, network security has become a more and more urgent issue. Network administration has therefore become incrementally more complicated, and manual error handling is no longer sufficient. For that reason, an automatic attack warning system needs to be established. This thesis consists of the following two parts. Part 1: the principle and structure of an Intrusion Detection System (IDS), and the strongly developing products in the market. Part 2: the first step in installing an IDS into the HUT network, using the open-source SNORT, in order to improve the performance of this network.

Information Processing and Communication

Nguyễn Đức Cường

PREFACE 3
CHAPTER I - OVERVIEW OF IDS 6
1.1 Concept 6
1.2 Functions 6
1.3 General structure 7
1.4 Distinguishing the IDS models 11
NIDS 11
HIDS 12
1.5 Methods of recognising attacks 12
1.6 IDS products on the market 14
Intrust 14
ELM 15
GFI LANGUARD S.E.L.M 16
SNORT 17
Cisco IDS 18
Dragon 19
CHAPTER II CONNECTING THE ANALYSER TO A CISCO SWITCH SYSTEM 20
2.1 Fundamentals of the switched port analyser technique - SPAN 20
2.1.1 The SPAN concept 20
2.1.2 Terminology 22
2.1.3 Characteristics of a source port 24
2.1.4 VLAN filtering 24
2.1.5 Characteristics of a VLAN source 25
2.1.6 Characteristics of a destination port 26
2.1.7 Characteristics of a reflector port 27
2.2 SPAN on the Cisco switch lines 28
2.2.1 SPAN on Catalyst 2900, 4500/4000, 5500/5000 and 6500/6000 Series running CatOS 28
2.2.2 SPAN on Catalyst 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560-E, 3750 and 3750-E Series 52
2.2.3 SPAN on Catalyst 4500/4000 and Catalyst 6500/6000 Series running Cisco IOS system software 55
2.3 Performance impact of SPAN on the different Catalyst switch platforms 58
Switch lines below the Catalyst 4000 Series 58
Catalyst 4500/4000 Series 59
Catalyst 5500/5000 and 6500/6000 Series 59
2.4 Common configuration errors 59
CHAPTER III DEPLOYING AND INTEGRATING THE SOFTWARE IDS - SNORT INTO THE SYSTEM 69
3.1 Main characteristics 69
3.1.1 The detection engine 70
3.1.2 Logging and alerting 70
3.1.3 The rule set (RULES) 71
3.2 Steps to install Snort on the Debian operating system 72
3.2.1 Installing the Debian operating system 72
3.2.2 Installing the required software 73
3.2.3 Installing and configuring an IPTABLES-BASED FIREWALL 75
3.2.4 Installing Snort 75
3.2.5 Configuring MySQL Server 77
3.2.6 Configuring SNORT to send alerts to MySQL 78
3.2.7 Installing the Apache-ssl Web Server 78
3.2.8 Installing and configuring Basic Analysis and Security Engine (Base) 79
3.2.9 Updating rules with Oinkmaster 81
3.2.10 Startup script 82
3.2.11 Creating an account to access Base 83
3.2.12 Configuring the SNMP server 83
3.2.13 Creating an index.php file to redirect the browser 84
3.2.14 Installing the Webmin administration software 84
3.3 The system interface after installation 85
3.3.1 Basic configuration information 85
3.3.2 Guide to using SNORT 86
3.3.3 Guide to using the analysis tool (Base) 89
3.3.4 Guide to using Webmin 101
CONCLUSION 108
LIST OF REFERENCES 109


PREFACE
The concept of intrusion detection appeared in a paper by James Anderson about 25 years ago. At that time an intrusion detection system, IDS (Intrusion Detection System), was wanted for the purpose of finding and studying abnormal behaviour and attitudes of users on the network, and of detecting abuse of the privileges used to monitor network system assets. Research on intrusion detection systems was carried out formally from 1983 to 1988 before being used on the computer network of the United States Air Force. Until 1996, IDS concepts were still not widespread; some IDS systems appeared only in laboratories and research institutes. During this period, however, some IDS technologies began to develop on the back of the explosion in information technology. Only in 1997 did IDS become widely known and truly profitable, with the company ISS taking the lead; a year later, Cisco recognised the importance of IDS and bought an IDS solution provider named Wheel. At present, statistics show that IDS is one of the most widely used security technologies and is still developing. In 2003, Gartner, a leading company in global information technology market research and analysis, issued a prediction that shook the information security field: intrusion detection systems (IDS) would be gone by 2005. This statement came from analysis and evaluation results showing that the IDS systems of the time faced the problem of frequently producing a large number of false alarms (False Positives). An IDS also seemed to be a burden on system security administration because it needed to be watched continuously (24 hours a day, 365 days a year). Alongside the IDS attack warnings came a very laborious security handling process. The IDS of that time were unable to monitor data streams transmitted at more than 600 Megabits per second. Overall, Gartner based this remark on many reports from customers using IDS that administering and operating an IDS is very difficult and costly and does not deliver results commensurate with the investment.


After this statement was issued, some dissenting opinions held that the failure of IDS systems to deliver the expected results was due to remaining problems in management and operation, not to the nature of the IDS technology for inspecting and analysing packets. Specifically, for an IDS to work effectively the role of the tools and of the administrators is very important, and the following criteria must be met:
- Collect and correlate all security events detected by the IDS and firewalls, to avoid false alarms.
- The management components must operate and analyse automatically.
- Combine with automatic prevention measures.
As a result, by 2005 the next generation of IDS, the automatic intrusion detection and prevention system IPS, had gradually overcome the limitations of IDS and operated far more effectively than the previous generation. So what is an IPS? An IPS (Intrusion Prevention System) is defined as a piece of software or a dedicated device able to detect intrusions and to stop threats to security. IDS and IPS have a great deal in common, so IDS and IPS systems may be referred to together as IDP systems (Intrusion Detection and Prevention). Given the limitations of IDS, especially after the appearance of massive large-scale attacks such as Code Red, NIMDA and SQL Slammer, the question arose of how attacks could be stopped automatically, rather than merely raising alerts, in order to reduce the workload of the system administrator. IPS systems appeared in 2003 and, immediately afterwards, in 2004 became widespread. Combined with upgrades to the management components, IPS gradually replaced IDS because it reduced the need for human intervention in responding to detected threats and relieved part of the operational burden. Moreover, in some special cases an IPS can work as an IDS by turning off its intrusion prevention feature.


Today network systems all tend towards IPS solutions instead of the old IDS. However, to prevent an intrusion one must first detect it. So when an IDS is spoken of today, it can be understood as an integrated system with both IPS and IDS functions. The more IT infrastructure develops, the more important network development becomes, and within network development ensuring network security is a matter of the utmost importance. After more than a decade of development, network security in Vietnam is gradually receiving the attention it deserves. Until a comprehensive solution exists, each network must set up its own integrated IDS. In this thesis we study the structure of an IDS and go deeper into developing a software IDS using open source, which can be applied in one's own network in place of expensive hardware IDS.


CHAPTER I - OVERVIEW OF IDS
1.1 Concept

An intrusion detection system (IDS) is a system that monitors network traffic and suspicious activity and alerts the system or the administrator. In addition, the IDS also takes on responding to abnormal or harmful traffic by carrying out pre-configured actions, such as blocking the user or the source IP address from accessing the network. An IDS can also distinguish between attacks from inside and attacks from outside. An IDS detects attacks based on special signatures of known threats (in the same way antivirus software relies on special signatures to detect and remove viruses), or by comparing current network traffic with a baseline (the system's standard measured parameters) to find abnormal signs.

1.2 Functions

A network intrusion detection system (IDS) can be summarised as follows:
Most important functions: monitor - alert - protect
Monitor: network traffic and suspicious activity.
Alert: report the state of the network to the administrator.
Protect: use the default settings and the administrator's configuration to take practical action against intruders and saboteurs.
+ Extended functions
Distinguish: attacks from inside and from outside the network.
Detect: abnormal signs, based on what is already known or by comparing current network throughput with the baseline.


1.3 General structure

The structure of an IDS depends on the kind of method used to detect intrusions; different processing mechanisms are used for an IDS. The general structural model of IDS systems is:

Figure 1.1: General model of an IDS

The main task of intrusion detection systems is to defend a computer system by detecting signs of attack and, where possible, repelling it. Detecting attacks depends on the number and kind of appropriate actions. Good intrusion prevention requires a good combination of the bait and the trap used to identify threats. Diverting the intruder's attention away from the protected resources is also an important task. Both the real system and the trap system must be checked continuously. The data generated by intrusion detection systems is examined carefully (this is the main task of every IDS) to detect signs of attack. When an intrusion is detected, the IDS issues warnings about the event to the system administrators. The next step is carried out by the administrators, or possibly by the IDS itself using additional measured parameters (locking functions to limit sessions, system backup, routing connections to the system trap, legitimate infrastructure, ...), according to the organisation's security policies. An IDS is one component of the security policy. Among the various IDS tasks, identifying the intruder is one of the basic ones. It is also useful in the forensic study of the circumstances and in installing suitable patches that allow detection of future attacks aimed at specific individuals or system resources. Intrusion detection can sometimes raise false alarms, for example on problems caused by a faulty network interface or by the sending of attack descriptions or signatures via email. The structure of a centralised intrusion detection system:

Figure 1.2: Centralised structure.


The sensor is integrated with the data collection component, an event generator. The manner of collection is determined by the event generation policy, which defines the filtering mode for event information. The event generator (operating system, network, application) provides a set of policies suitable for the events, which may be a log of system events or network packets. This set of policies, together with the policy information, may be stored in the protected system or outside it. In some cases, for example, the event data stream is passed directly to the analyser without any data being stored. This also relates to some extent to network packets. The role of the sensor is to filter information and discard incompatible data obtained from events related to the protected system, so that suspicious actions can be detected. The analyser uses the detection policy database for this purpose. There are further components: attack signatures, normal behaviour profiles, and the necessary parameters (for example thresholds). In addition, the database holds configuration parameters, including the communication modes with the response module. The sensor also has its own database, containing stored data on potential complex intrusions (built up from many different actions). An IDS can be arranged centrally (for example integrated into the firewall) or distributed. A distributed IDS consists of many different IDS on a large network, all communicating with each other. Many sophisticated systems follow the agent structure principle, where small modules are organised on a host in the protected network.


Figure 1.3: Multi-agent structure

The role of an agent is to check and filter all actions inside the protected area and, depending on the method adopted, to produce an initial analysis and even take charge of the response action. The network of cooperating agents reporting to a central analysis server is one of the important components of an IDS. The IDS can use more sophisticated analysis tools, specially equipped to detect distributed attacks. Other roles of agents relate to their mobility and roaming across physical locations. In addition, agents can be dedicated to detecting a particular known attack signature. This is a decisive factor when it comes to protection against new kinds of attack. Agent-based IDS solutions create a less complex mechanism for upgrading the response policy. The multi-agent architecture solution proposed in 1994 is AAFID (autonomous agents for intrusion detection). It uses agents to check some aspect of system behaviour at some point in time. For example, an agent may report an abnormal number of telnet sessions inside the system it checks. The agent is able to raise an alert when it detects a suspicious event. Agents can be cloned and modified inside other systems (the autonomy feature). Besides the agents, the system may have transceiver components that check all actions controlled by the agents on a particular host. The receivers always send the results of their activity to the single monitor.

1.4 Distinguishing the IDS models

There are two IDS models, Network Based IDS (NIDS) and Host Based IDS (HIDS). A NIDS is placed at the connection between the internal network and the external network to monitor all incoming and outgoing traffic. It may be a separate pre-built hardware device or software installed on a computer. It is mainly used to measure the network traffic in use. However, a bottleneck can occur when network traffic is at a high level.

Figure 1.4: NIDS model

Some NIDS products:
- Cisco IDS
- Dragon IDS/IPS

A HIDS is installed locally on a single computer, which makes it far more flexible than a NIDS. It controls the incoming and outgoing traffic on a single computer and can be deployed on many computers in the network. A HIDS can be installed on many kinds of computer, specifically servers, workstations and laptops. A HIDS lets you act flexibly in network segments where a NIDS cannot. Traffic sent to the HIDS computer is analysed and passed through if it does not contain dangerous code. HIDS are designed to run mainly on the Windows operating system, although there are products running on UNIX and many other operating systems.

Figure 1.5: HIDS model

1.5 Methods of recognising attacks

Recognition through an event set: This system works on a set of predefined rules that describe attacks. All security-related events are combined into the audit and translated into if-then-else rules. Examples are Wisdom & Sense and ComputerWatch (developed at AT&T).
Rule-Based Intrusion Detection: Like the expert system method, this method relies on knowledge of attacks. It transforms the description of each attack into a suitable audit format, so that the attack signature can be found in the records. An attack scenario can be described, for example, as a sequence of audit events for the attack, or as a searchable data pattern obtained in the audit. This method uses abstract equivalents of the audit data. Detection is performed by matching general text strings against the mechanisms. Typically it is a very powerful technique and is often used in commercial systems (for example Cisco Secure IDS, Emerald eXpert-BSM (Solaris)).
User intention identification: This technique models the normal behaviour of users as a set of high-level tasks that they can perform on the system (related to the user's function). The tasks usually require some activities adjusted to fit the appropriate audit data. The analyser keeps a set of acceptable tasks for each user. Whenever something invalid is detected, an alert is generated.
State-transition analysis: An attack is described by a set of goals and transitions that an intruder must carry out to compromise the system. The transitions are presented in a state-transition diagram. If a violating set of transitions is detected, a warning is raised or a response is made according to predefined actions.
Statistical analysis approach: This is a commonly used method. User or system behaviour (a set of attributes) is computed in terms of a number of time variables, for example user login, logout, the number of files accessed in a period of time, usage of disk space, memory, CPU, ... The update period can range from a few minutes to a month. The system keeps a mean value for each variable, used to detect the crossing of a predefined threshold. Even this simple method cannot fit a typical user behaviour model. Methods that correlate information on an individual user with aggregated group variables are also not very effective. Therefore a more sophisticated model of user behaviour has been developed using short-term or long-term user information. This information is updated frequently to keep up with changes in user behaviour. Statistical methods are often used to supplement
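To make the pipeline of section 1.3 (event generator, sensor filter, analyser, alert) and two of the detection methods of section 1.5 concrete, the following added Python example, which is not code from the thesis or from any product it names, runs constructed audit records through a sensor filter and then through a rule-based analyser (if-then predicates over single records) and a statistical analyser (a per-user baseline of failed logins with a mean plus k standard deviations threshold). The record format, the rule names and the baseline values are assumptions made for the example.

```python
"""Toy IDS pipeline: event generator -> sensor filter -> analyser -> alerts.

Added illustration for sections 1.3 and 1.5 of the thesis; not the thesis's
own code.  Two analysers are shown: rule-based (signature) detection using
if-then rules over audit records, and a statistical approach that keeps a
per-user baseline and alerts when an observed count exceeds a threshold.
All audit records and baseline values below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed audit records: (timestamp, user, source_ip, action, detail)
SAMPLE_EVENTS = [
    ("08:00:01", "alice", "10.0.0.5", "login", "ok"),
    ("08:00:02", "alice", "10.0.0.5", "file_open", "/home/alice/notes.txt"),
    ("08:00:05", "bob",   "10.0.0.9", "login", "fail"),
    ("08:00:06", "bob",   "10.0.0.9", "login", "fail"),
    ("08:00:07", "bob",   "10.0.0.9", "login", "fail"),
    ("08:00:08", "bob",   "10.0.0.9", "login", "fail"),
    ("08:00:09", "bob",   "10.0.0.9", "login", "fail"),
    ("08:00:10", "alice", "10.0.0.5", "file_open", "/etc/shadow"),
    ("08:00:11", "carol", "10.0.0.7", "heartbeat", ""),
]


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    src: str
    action: str
    detail: str


@dataclass(frozen=True)
class Alert:
    method: str   # "rule" or "stat"
    user: str
    reason: str


def sensor(raw):
    """Sensor/filter stage: drop records that carry no security meaning."""
    for ts, user, src, action, detail in raw:
        if action == "heartbeat":
            continue
        yield Event(ts, user, src, action, detail)


# Rule-based detection: each rule is an if-then predicate over one event.
# The rule name is an assumption for this example.
SIGNATURE_RULES = [
    ("sensitive-file-access",
     lambda e: e.action == "file_open" and e.detail.startswith("/etc/shadow")),
]


def rule_based(events):
    alerts = []
    for e in events:
        for name, pred in SIGNATURE_RULES:
            if pred(e):
                alerts.append(Alert("rule", e.user, name))
    return alerts


# Statistical detection: per-user baseline of failed logins per past window
# (constructed history).  Unknown users get an all-zero history.
BASELINE = {"alice": [0, 1, 0, 0], "bob": [1, 0, 1, 0], "carol": [0, 0, 0, 0]}


def threshold(history, k=3.0, floor=2):
    """Alert threshold = mean + k * population stddev, never below `floor`."""
    return max(floor, mean(history) + k * pstdev(history))


def statistical(events, baseline=BASELINE):
    counts = defaultdict(int)
    for e in events:
        if e.action == "login" and e.detail == "fail":
            counts[e.user] += 1
    alerts = []
    for user, n in counts.items():
        limit = threshold(baseline.get(user, [0]))
        if n > limit:
            alerts.append(Alert("stat", user,
                                f"{n} failed logins > threshold {limit:.1f}"))
    return alerts


def analyze(raw=SAMPLE_EVENTS):
    """Run the whole pipeline and return the alerts from both analysers."""
    events = list(sensor(raw))
    return rule_based(events) + statistical(events)


if __name__ == "__main__":
    for alert in analyze():
        print(alert)
```

The `floor` argument in `threshold` is the practical guard against the weakness the section describes: a user whose history is all zeros has a standard deviation of zero, so without a floor a single failed login would cross the threshold and produce exactly the kind of false positive the preface discusses.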

1.6 IDS products on the market

Intrust
This product has many features that help it survive in a business environment. With Unix compatibility, it has excellent flexibility. It comes with a reporting interface offering more than 1,000 different reports, which helps keep complex input under control. It also supports a comprehensive alerting solution that allows alerts on mobile devices and many other technologies.
1. Comprehensive alerting
2. Comprehensive reporting
3. Consolidation and evaluation of performance data across platforms
4. Supports network features through detailed client-side logging
5. Data filtering that allows easy review
6. Real-time monitoring
7. Analysis of captured data
8. Compliance with industry standards
9. Enforcement of a policy

ELM
TNT software supports HIDS functions; it is a product analysed here in comparison with ELM Enterprise Manager. It supports real-time monitoring, comprehensive operation and a detailed reporting method. A supplementary database is added to ensure that the software's database is safe. This means that if the main ELM database goes offline, the ELM Server automatically creates a temporary database to store data until the main database is back online. Below is a brief description of ELM Enterprise Manager 3.0:
1. ELM supports the flexible MMC software module interface
2. Supports monitoring of all Microsoft .NET servers by checking event logs and performance counters
3. Supports a report wizard whose new version can be scheduled, plus HTML and ASCII reports
4. Centralised viewing of event logs on many servers
5. Read-only client enabled for the Web on browsers that support JavaScript and XML
6. Supports a knowledge-base interface
7. Supports notifications that can execute wscripts, cscripts and CMD/BAT files
8. Supports SQL Server and Oracle databases
9. WMI-compatible queries for comparison purposes
10. Takes corrective action when an intrusion is detected

GFI LANGUARD S.E.L.M
This product has many features and requires only basic knowledge to install. Below is brief information about GFI LANguard S.E.L.M.
1. Automatic, network-wide security analysis of event logs
2. Network event log management
3. Advanced detection of internal attacks
4. Reduced TCO
5. No client software or agents needed
6. No impact on network traffic
7. Easy to scale; suitable for business networks or small networks
8. Monitor for confidential files
9. Comprehensive log checking
10. Detects attacks if a local user account is used

SNORT
Snort is an excellent product and it wins when put into operation in a UNIX environment. The newest release supports the Windows platform, but still needs some fine selection. The best thing about this product is that it is open source and costs nothing except the time and bandwidth needed to download it. This solution has been developed by many people and works very well on cheap hardware, which lets it survive in any organisation. Brief information about the product:
1. Supports high-performance configuration in software
2. Good support for UNIX
3. Flexible open-source support
4. Good SNMP support
5. Supports a centralised management module
6. Supports intrusion alerting and detection
7. Has logging packages
8. Comprehensive attack detection
9. Sophisticated output modules provide comprehensive logging
10. User support on mailing lists and through email interaction

Cisco IDS
This solution is from Cisco; with it you get the quality, feel and traditional reputation of Cisco. Brief information about this device:
1. Accurate detection features significantly reduce false alarms
2. Business scalability like other Cisco products
3. Real-time intrusion detection, reporting and blocking of unauthorised actions
4. Pattern analysis for detection is performed at many different levels
5. High network performance
6. Dynamic router access-list management that adapts promptly to intruder behaviour
7. Centralised GUI management
8. Remote management
9. Email event notification

Dragon
A comprehensive solution for business. This product is very versatile and meets the security requirements needed in a business environment. It also supports NIDS, server management, event management and attack monitoring. It is a complete IDS solution, perfectly designed with integrated monitoring. However, the weak point of this product is its price. Brief information about Dragon (business edition):
1. Dragon supports both NIDS and HIDS
2. Supported on a range of platforms: Windows, Linux, Solaris and AIX
3. Modular and extensible
4. Centralised management monitoring
5. Comprehensive analysis and reporting
6. High compatibility with business technical specifications
7. Effective security monitoring, integrating switches, firewalls and routers
8. Report compilation management
9. A perfect signature update cycle


CHAPTER II CONNECTING THE ANALYSER TO A CISCO SWITCH SYSTEM

In this chapter we examine the technique that allows an IDS to be connected to a Cisco switch system: the switched port analyser technique. The Switched Port Analyzer (SPAN), sometimes called port mirroring or port monitoring, allows an analyser to be connected to a Cisco switch. The analyser may be a Cisco SwitchProbe or a Remote Monitoring (RMON) probe. Previously, SPAN was a relatively basic feature on the Cisco Catalyst switch line. However, newer versions of Catalyst OS (CatOS) introduced advanced features and many new capabilities for the user. We will go over the characteristics of SPAN, namely:
- What SPAN is and how to configure it.
- The differences between the current features (especially multiple, simultaneous SPAN sessions) and the system requirements to run them.
- How SPAN affects switch performance.

2.1 Fundamentals of the switched port analyser technique - SPAN
2.1.1 The SPAN concept
The SPAN feature is introduced by distinguishing the basic functional difference between a switch and a hub. When a hub receives a packet on a port, the hub sends a copy of the packet to all remaining ports except the port on which it received the packet. When a switch boots, it starts building a Layer 2 forwarding table based on the source MAC addresses of the various packets it receives. Once this forwarding table is built, the switch forwards traffic to the appropriate port for the MAC address in the table.


For example, if you want to capture the Ethernet traffic sent by host A to host B, and both are connected to a hub, you connect the analyser (sniffer) to the hub. The other ports see the traffic from host A to host B.

Figure 2.1: Host to be monitored attached to a hub

On a switch, once host B's MAC address has been learned, unicast traffic from host A to host B is forwarded only to the switch port that host B is connected to. Therefore the analyser does not see the traffic to be analysed.

Figure 2.2: Host to be monitored attached to a switch

In this model, the analyser only receives the traffic that is sent to all ports, such as:
- Broadcast traffic
- Multicast traffic with CGMP or Internet Group Management Protocol (IGMP)
- Unknown unicast traffic
Unicast traffic is flooded out of the ports when the switch does not have the destination MAC address in its content-addressable memory (CAM) table. The switch does not know the exact port to which to send the traffic, so it simply pushes the packets to all remaining ports. A necessary extension is to create an artificial copy of the unicast packets and deliver it to the switch port where the analyser is attached.

Figure 2.3: Data being copied

In the switch structure above, the analyser is attached to a port configured to receive a copy of every packet that host A sends; this port is called the SPAN port.

2.1.2 Terminology
- Ingress traffic: traffic entering the switch
- Egress traffic: traffic leaving the switch
- Source (SPAN) port: a port that is monitored using the SPAN technique
- Source (SPAN) VLAN: a VLAN that is monitored
- Destination (SPAN) port: the port from which the source port is monitored, usually with an analyser attached to it
- Reflector Port: the port that pushes copies of packets onto an RSPAN VLAN
- Monitor port: a monitoring port that is also a SPAN destination port on the Catalyst 2900XL/3500XL/2950

Figure 2.4: Terminology

- Local SPAN: the SPAN feature is local when the monitored ports are on the same switch as the destination port. This is in contrast to Remote SPAN (RSPAN).
- Remote SPAN (RSPAN): some source ports are not on the same switch as the destination port. RSPAN is an advanced feature; it requires a special VLAN to carry the traffic monitored by SPAN between switches. RSPAN is not supported on all switches. Check the corresponding release notes or configuration guide to see whether you can use RSPAN on the switch you deploy.
- Port-based SPAN (PSPAN): the user specifies one or several source ports on the switch and one destination port.
- VLAN-based SPAN (VSPAN): on a switch the user can choose to monitor all ports belonging to a VLAN with a single command.
- Administrative source: the set of source ports or VLANs configured for monitoring.
- Operational source: the set of ports actually monitored. This set of ports may differ from the administrative source. For example, a port in the shutdown state may appear in the administrative source but is not actually monitored.

2.1.3 Characteristics of a source port

A source port, also called a monitored port, is a switched or routed port that lets you monitor network traffic. In a local SPAN session or an RSPAN source session, you can monitor source port traffic as received (Rx), transmitted (Tx), or in both directions (bidirectional). The switch supports any port on it, and any VLAN existing on it, as a source. A source port has the following characteristics:

It can be any port type, such as EtherChannel, Fast Ethernet, Gigabit Ethernet, ...
It can be monitored in multiple SPAN sessions.
It cannot be a destination port.
Each source port can be configured with a direction (ingress, egress, or both) to monitor. For an EtherChannel source, the monitored direction applies to all physical ports in the group.

Source ports can be in the same VLAN or in different VLANs. For VLAN SPAN sources, all active ports in the source VLANs are included as source ports.

2.1.4 VLAN filtering
When you monitor a trunk as a source port, all VLANs active on the trunk are monitored by default. You can use VLAN filtering to limit the SPAN traffic monitored on a source trunk port to the specified VLANs.

VLAN filtering applies only to trunks or to voice VLAN ports. VLAN filtering applies only to port-based sessions and is not allowed in sessions with VLAN sources. When a VLAN filter list is specified, only the VLANs in the list are monitored on trunk ports or on voice VLAN access ports.

SPAN traffic coming from other port types is not affected by VLAN filtering, which means that all VLANs are allowed on the other ports.

VLAN filtering affects only the traffic forwarded to the SPAN destination port and does not affect the switching of normal traffic. You cannot mix source VLANs and VLAN filtering in one session. You can have source VLANs or VLAN filtering, but not both at the same time.

2.1.5 Source VLAN characteristics

VSPAN is the monitoring of the network traffic in one or more VLANs. The SPAN or RSPAN source interface in VSPAN is a VLAN ID, and traffic is monitored on all the ports that belong to that VLAN. VSPAN has these characteristics:

- All active ports in the source VLAN are included as source ports and can be monitored in either or both directions.
- On a given port, only the traffic on the monitored VLAN is sent to the destination port.
- If a destination port belongs to a source VLAN, it is excluded from the source list and is not monitored.


- If ports are added to or removed from the source VLANs, the traffic on the source VLAN received by those ports is added to or removed from the sources being monitored.

- You cannot use filter VLANs in the same session with VLAN sources.
- You can monitor only Ethernet VLANs.

2.1.6 Destination port characteristics

Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of the traffic from the source ports and VLANs. A destination port has these characteristics:

- A destination port must reside on the same switch as the source port (for a local SPAN session).
- A destination port can be any Ethernet physical port.
- A destination port can participate in only one SPAN session at a time. A destination port in one SPAN session cannot be a destination port for a second SPAN session.
- A destination port cannot be a source port.

- A destination port cannot be an EtherChannel group.
- A destination port can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group has been specified as a SPAN source. The port is removed from the group while it is configured as a SPAN destination port.

- The port does not transmit any traffic except that required for the SPAN session, unless learning is enabled. If learning is enabled, the port also transmits traffic directed to hosts that have been learned on the destination port.


- The state of the destination port is up/down by design. The interface shows the port in this state in order to make it evident that the port is currently not usable as a production port.

- If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2 (data link).
- A destination port does not participate in spanning tree while the SPAN session is active.
- When it is a destination port, it does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PAgP).
- A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored.
- A destination port receives copies of sent and received traffic for all monitored source ports. If a destination port is oversubscribed, it can become congested. This congestion can affect traffic forwarding on one or more of the source ports.

2.1.7 Reflector port characteristics

The reflector port is the mechanism that copies packets onto an RSPAN VLAN. The reflector port forwards only the traffic from the RSPAN source session with which it is affiliated. Any device connected to a port set as a reflector port loses connectivity until the RSPAN source session is disabled. The reflector port has these characteristics:

- It is a port set to loopback mode.
- It cannot be an EtherChannel group, it does not trunk, and it cannot do protocol filtering.
- It can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group is specified as a SPAN source. The port is removed from the group while it is configured as a reflector port.


- A port used as a reflector port cannot be a SPAN source or destination port, nor can a port be a reflector port for more than one session at a time.

- It is invisible to all VLANs.
- The native VLAN for looped-back traffic on a reflector port is the RSPAN VLAN.
- The reflector port loops back untagged traffic to the switch. The traffic is then placed on the RSPAN VLAN and flooded to any trunk ports that carry the RSPAN VLAN.

- Spanning tree is automatically disabled on a reflector port.
- A reflector port receives copies of sent and received traffic for all monitored source ports.

2.2 SPAN on the Cisco Catalyst switch families

2.2.1 SPAN on the Catalyst 2900, 4500/4000, 5500/5000 and 6500/6000 Series running CatOS

Note: in the Cisco Catalyst 2900 Series, this section applies only to these switches:

- Cisco Catalyst 2948G-L2
- Cisco Catalyst 2948G-GE-TX
- Cisco Catalyst 2980G-A

In the Cisco Catalyst 4000 Series, this section applies to:

- Modular chassis switches: Cisco Catalyst 4003, Cisco Catalyst 4006
- Fixed chassis switch: Cisco Catalyst 4912G

Local SPAN

SPAN features have been added one at a time to CatOS, and a SPAN configuration consists of a single set span command. There is now a range of options available for the command:

    switch (enable) set span
    Usage: set span disable [dest_mod/dest_port|all]
           set span <src_mod/src_ports...|src_vlans...|sc0> <dest_mod/dest_port>
                    [rx|tx|both] [inpkts <enable|disable>]
                    [learning <enable|disable>] [multicast <enable|disable>]
                    [filter <vlans...>] [create]

The network diagram below introduces the different SPAN possibilities, depending on what you need:

Figure 2.5: Port-to-VLAN assignment

This diagram represents part of a line card that sits in slot 6 of a Catalyst 6500/6000. In this scenario:

- Ports 6/1 and 6/2 belong to VLAN 1
- Port 6/3 belongs to VLAN 2
- Ports 6/4 and 6/5 belong to VLAN 3


Connect a sniffer to port 6/2 and use it as a monitor port in several different cases.

PSPAN, VSPAN: monitor some ports or an entire VLAN

The simplest form of the set span command monitors a single port. The syntax is set span source_port destination_port.

Monitor a single port with SPAN

Figure 2.6: Monitoring a single port

    switch (enable) set span 6/1 6/2
    Destination      : Port 6/2
    Admin Source     : Port 6/1
    Oper Source      : Port 6/1
    Direction        : transmit/receive
    Incoming Packets : disabled
    Learning         : enabled
    Multicast        : enabled
    Filter           :
    Status           : active
    switch (enable) 2000 Sep 05 07:04:14 %SYS-5-SPAN_CFGSTATECHG:local span session active for destination port 6/2


With this configuration, every packet received or sent on port 6/1 is copied to port 6/2. A clear description of the session appears when you enter the configuration. Use show span to get a summary of the current SPAN configuration:

    switch (enable) show span
    Destination      : Port 6/2
    Admin Source     : Port 6/1
    Oper Source      : Port 6/1
    Direction        : transmit/receive
    Incoming Packets : disabled
    Learning         : enabled
    Multicast        : enabled
    Filter           :
    Status           : active
    Total local span sessions: 1

Monitor several ports with SPAN

Figure 2.7: Monitoring several ports

The set span source_ports destination_port command allows the user to specify more than one source port. Simply list all the ports on which you want to implement SPAN, separated by commas. The command-line interpreter also allows you to use a hyphen to specify a range of ports. This example illustrates the ability to specify more than one port: it uses SPAN on port 6/1 and on a range of three ports, 6/3 to 6/5.

Note: there can be only one destination port. Always specify the destination port after the SPAN sources.

    switch (enable) set span 6/1,6/3-5 6/2
    2000 Sep 05 07:17:36 %SYS-5-SPAN_CFGSTATECHG:local span session inactive for destination port 6/2
    Destination      : Port 6/2
    Admin Source     : Port 6/1,6/3-5
    Oper Source      : Port 6/1,6/3-5
    Direction        : transmit/receive
    Incoming Packets : disabled
    Learning         : enabled
    Multicast        : enabled
    Filter           :
    Status           : active
    switch (enable) 2000 Sep 05 07:17:36 %SYS-5-SPAN_CFGSTATECHG:local span session active for destination port 6/2

Note: unlike the Catalyst 2900XL/3500XL Series, the Catalyst 4500/4000, 5500/5000 and 6500/6000 can monitor ports that belong to several different VLANs, even with CatOS versions earlier than 5.1. Here, the monitored ports are assigned to VLANs 1, 2 and 3.

Monitor VLANs with SPAN


Finally, the set span command allows you to configure a port to monitor the local traffic of an entire VLAN. The syntax is set span source_vlan(s) destination_port. Use a list of one or more VLANs as the source, instead of a list of ports:

Figure 2.8: Using VLANs as sources

    switch (enable) set span 2,3 6/2
    2000 Sep 05 07:40:10 %SYS-5-SPAN_CFGSTATECHG:local span session inactive for destination port 6/2
    Destination      : Port 6/2
    Admin Source     : VLAN 2-3
    Oper Source      : Port 6/3-5,15/1
    Direction        : transmit/receive
    Incoming Packets : disabled
    Learning         : enabled
    Multicast        : enabled
    Filter           :
    Status           : active
    switch (enable) 2000 Sep 05 07:40:10 %SYS-5-SPAN_CFGSTATECHG:local span session active for destination port 6/2


With this configuration, every packet that enters or leaves VLAN 2 or 3 is duplicated to port 6/2.

Note: the result is exactly the same as if you had implemented SPAN individually on all the ports that belong to the VLANs the command specifies. Compare the Oper Source and Admin Source fields: the Admin Source field lists all the ports or VLANs that you configured for the SPAN session, and the Oper Source field lists the ports on which SPAN actually operates.

Ingress/Egress SPAN

In the example of the "Monitor VLANs with SPAN" section, traffic that enters and leaves the specified ports is monitored; the Direction: transmit/receive field shows this. The Catalyst 4500/4000, 5500/5000 and 6500/6000 Series allow you to collect only egress (transmit) traffic or only ingress (receive) traffic on a given port. Add the rx (receive) or tx (transmit) keyword to the end of the command. The default value is both (tx and rx).

    set span source_port destination_port [rx | tx | both]

In this example, the session captures all incoming traffic for VLANs 1 and 3 and mirrors it to port 6/2:

Figure 2.9: Mirroring traffic to port 6/2

    switch (enable) set span 1,3 6/2 rx
    2000 Sep 05 08:09:06 %SYS-5-SPAN_CFGSTATECHG:local span session inactive for destination port 6/2
    Destination      : Port 6/2
    Admin Source     : VLAN 1,3
    Oper Source      : Port 1/1,6/1,6/4-5,15/1
    Direction        : receive
    Incoming Packets : disabled
    Learning         : enabled
    Multicast        : enabled
    Filter           :
    Status           : active
    switch (enable) 2000 Sep 05 08:09:06 %SYS-5-SPAN_CFGSTATECHG:local span session active for destination port 6/2

Implement SPAN on a trunk

Trunks are a special case in a switch, because they are ports that carry several VLANs. If a trunk is selected as a source port, the traffic for all the VLANs on this trunk is monitored.

Monitor a subset of the VLANs that belong to a trunk

In the diagram below, port 6/5 is now a trunk that carries all VLANs. Imagine that you want to use SPAN on the traffic in VLAN 2 for ports 6/4 and 6/5. Simply issue this command:

    switch (enable) set span 6/4-5 6/2


Figure 2.10: Monitoring traffic across a trunk

In this case, the traffic received on the SPAN port is a superset of the traffic you want: it also contains all the VLANs that trunk 6/5 carries. For instance, there is no way to tell on the destination port whether a packet came from port 6/4 in VLAN 2 or from port 6/5 in VLAN 1. Another possibility is to use SPAN on the whole of VLAN 2:

    switch (enable) set span 2 6/2

Figure 2.11: Setting the VLAN to be monitored

With this configuration you at least only monitor the traffic that belongs to VLAN 2 from the trunk. The problem is that you now also receive traffic that you did not want, from port 6/3. CatOS includes another keyword that allows you to select some VLANs to monitor from the trunk:

    switch (enable) set span 6/4-5 6/2 filter 2
    2000 Sep 06 02:31:51 %SYS-5-SPAN_CFGSTATECHG:local span session inactive for destination port 6/2
    Destination      : Port 6/2
    Admin Source     : Port 6/4-5
    Oper Source      : Port 6/4-5
    Direction        : transmit/receive
    Incoming Packets : disabled
    Learning         : enabled
    Multicast        : enabled
    Filter           : 2
    Status           : active

This command achieves the goal, because you select VLAN 2 on all the trunks that are monitored. You can specify several VLANs with this filter option.

Note: this filter option is only supported on Catalyst 4500/4000 and Catalyst 6500/6000 switches. The Catalyst 5500/5000 does not support the filter option of the set span command.

Trunking on the destination port

If you have source ports that belong to several different VLANs, or if you use SPAN on several VLANs of a trunk, you may want to identify the VLAN of each packet you receive on the destination SPAN port. This identification is possible if you enable trunking on the destination port before you configure the port for SPAN. In this way, all the packets forwarded to the sniffer are also tagged with their respective VLAN IDs.

Note: your sniffer needs to recognize the corresponding encapsulation.

    switch (enable) set span disable 6/2
    This command will disable your span session.
    Do you want to continue (y/n) [n]?y
    Disabled Port 6/2 to monitor transmit/receive traffic of Port 6/4-5
    2000 Sep 06 02:52:22 %SYS-5-SPAN_CFGSTATECHG:local span session inactive for destination port 6/2
    switch (enable) set trunk 6/2 nonegotiate isl
    Port(s) 6/2 trunk mode set to nonegotiate.
    Port(s) 6/2 trunk type set to isl.
    switch (enable) 2000 Sep 06 02:52:33 %DTP-5-TRUNKPORTON:Port 6/2 has become isl trunk
    switch (enable) set span 6/4-5 6/2
    Destination      : Port 6/2
    Admin Source     : Port 6/4-5
    Oper Source      : Port 6/4-5
    Direction        : transmit/receive
    Incoming Packets : disabled
    Learning         : enabled
    Multicast        : enabled
    Filter           :
    Status           : active
    2000 Sep 06 02:53:23 %SYS-5-SPAN_CFGSTATECHG:local span session active for destination port 6/2

Create several simultaneous sessions

So far, only a single SPAN session has been created. Each time you enter a new set span command, the previous configuration is discarded. CatOS now has the ability to run several sessions simultaneously, so it can have different destination ports at the same time. Issue the set span source destination create command to add a SPAN session. In this example, port 6/1 is monitored to port 6/2, and at the same time VLAN 3 is monitored to port 6/3:

Figure 2.12: Simultaneous monitoring

    switch (enable) set span 6/1 6/2
    2000 Sep 05 08:49:04 %SYS-5-SPAN_CFGSTATECHG:local span session inactive for destination port 6/2
    Destination      : Port 6/2
    Admin Source     : Port 6/1
    Oper Source      : Port 6/1
    Direction        : transmit/receive
    Incoming Packets : disabled
    Learning         : enabled
    Multicast        : enabled
    Filter           :
    Status           : active
    switch (enable) 2000 Sep 05 08:49:05 %SYS-5-SPAN_CFGSTATECHG:local span session active for destination port 6/2
    switch (enable) set span 3 6/3 create
    Destination      : Port 6/3
    Admin Source     : VLAN 3
    Oper Source      : Port 6/4-5,15/1
    Direction        : transmit/receive
    Incoming Packets : disabled
    Learning         : enabled
    Multicast        : enabled
    Filter           :
    Status           : active
    switch (enable) 2000 Sep 05 08:55:38 %SYS-5-SPAN_CFGSTATECHG:local span session active for destination port 6/3

The show span command confirms that you now have two sessions at the same time:

    switch (enable) show span
    Destination      : Port 6/2
    Admin Source     : Port 6/1
    Oper Source      : Port 6/1
    Direction        : transmit/receive
    Incoming Packets : disabled
    Learning         : enabled
    Multicast        : enabled
    Filter           :
    Status           : active
    ------------------------------------------------------------------------
    Destination      : Port 6/3
    Admin Source     : VLAN 3
    Oper Source      : Port 6/4-5,15/1
    Direction        : transmit/receive
    Incoming Packets : disabled
    Learning         : enabled
    Multicast        : enabled
    Filter           :
    Status           : active
    Total local span sessions: 2

Additional sessions have been created; you may want to delete some of them. The command is set span disable {all | destination_port}. Because there can be only one destination port per session, the destination port identifies a session. Delete the first session that was created, the one that uses port 6/2 as its destination:

    switch (enable) set span disable 6/2
    This command will disable your span session.
    Do you want to continue (y/n) [n]?y
    Disabled Port 6/2 to monitor transmit/receive traffic of Port 6/1
    2000 Sep 05 09:04:33 %SYS-5-SPAN_CFGSTATECHG:local span session inactive for destination port 6/2

You can now check that only one session remains:

    switch (enable) show span
    Destination      : Port 6/3
    Admin Source     : VLAN 3
    Oper Source      : Port 6/4-5,15/1
    Direction        : transmit/receive
    Incoming Packets : disabled
    Learning         : enabled
    Multicast        : enabled
    Filter           :
    Status           : active
    Total local span sessions: 1

Issue this command to disable all current sessions in a single step:

    switch (enable) set span disable all
    This command will disable all span session(s).
    Do you want to continue (y/n) [n]?y
    Disabled all local span sessions
    2000 Sep 05 09:07:07 %SYS-5-SPAN_CFGSTATECHG:local span session inactive for destination port 6/3
    switch (enable) show span
    No span session configured

Other SPAN options

The syntax of the set span command is:

    switch (enable) set span
    Usage: set span disable [dest_mod/dest_port|all]
           set span <src_mod/src_ports...|src_vlans...|sc0> <dest_mod/dest_port>
                    [rx|tx|both] [inpkts <enable|disable>]
                    [learning <enable|disable>] [multicast <enable|disable>]
                    [filter <vlans...>] [create]

This section briefly introduces the options that the documentation covers:

- sc0: you specify the sc0 keyword in a SPAN configuration when you need to monitor the traffic to the management interface sc0. This feature is available on the Catalyst 5500/5000 and 6500/6000, CatOS 5.1 or later.

- inpkts enable/disable: this option is extremely important. When you enable it, a port that you configure as a SPAN destination still belongs to its original VLAN. Packets received on the destination port then enter that VLAN, as if the port were a normal access port. This behavior can be desirable: if you use a PC as a sniffer, you may want the PC to be fully connected to the VLAN. However, the connection becomes dangerous if you connect the destination port to other networking equipment, because it creates a loop in the network. The destination SPAN port does not run STP, and you can end up in a bridging-loop situation. The default setting of this option is disable, which means that the destination SPAN port discards the packets it receives. This protects the port from bridging loops. This option appeared in CatOS 4.2.

- learning enable/disable: this option allows you to disable learning on the destination port. By default, learning is enabled and the destination port learns MAC addresses from the packets it receives. This feature appeared in CatOS 5.2 on the Catalyst 4500/4000 and 5500/5000, and in CatOS 5.3 on the Catalyst 6500/6000.

- multicast enable/disable: as the name suggests, this option allows you to enable or disable the monitoring of multicast packets. The default is enable. This feature is available on the Catalyst 5500/5000 and 6500/6000, CatOS 5.1 and later.

- Spanning port 15/1: on the Catalyst 6500/6000, you can use port 15/1 (or 16/1) as a SPAN source. This port can monitor the traffic that is forwarded to the Multilayer Switch Feature Card (MSFC). The port captures traffic that is software-routed or directed to the MSFC.

Remote SPAN

RSPAN overview

RSPAN allows you to monitor source ports that are spread over a whole network, not only locally on one switch as with SPAN. This feature appeared in CatOS 5.3 on the Catalyst 6500/6000 Series and was added to the Catalyst 4500/4000 Series in CatOS 6.3 and later. The function works exactly like a regular SPAN session. The traffic monitored by SPAN is not copied directly to the destination port but is flooded into a special RSPAN VLAN. The destination port can then be located anywhere in this RSPAN VLAN, and there can even be several destination ports. The diagram below illustrates the structure of an RSPAN session.


Figure 2.13: Remote monitoring

In this example, you configure RSPAN to monitor the traffic that host A sends. When A generates a frame destined for B, the packet is copied by an application-specific integrated circuit (ASIC) of the Catalyst 6500/6000 Policy Feature Card (PFC) into a predefined RSPAN VLAN. From there, the packet is flooded to all other ports that belong to the RSPAN VLAN. All the inter-switch links drawn here are trunks, which is a requirement for RSPAN. The only access ports are the destination ports, where the sniffers are connected (here, on S4 and S5). There are some remarks on this design:

- S1 is called a source switch. Packets enter the RSPAN VLAN only in switches that are configured as RSPAN sources. Currently, a switch can be the source of only one RSPAN session, which means that a source switch can feed only one RSPAN VLAN at a time.


- S2 and S3 are intermediate switches. They are not RSPAN sources and have no destination ports. A switch can be intermediate for any number of RSPAN sessions.

- S4 and S5 are destination switches. Some of their ports are configured as destination ports for an RSPAN session. Currently, a Catalyst 6500/6000 can have up to 24 RSPAN destination ports, for one or several different sessions. Note also that S4 is both a destination switch and an intermediate switch.

- You can see that RSPAN packets are flooded into the RSPAN VLAN. Even switches that are not on the path to a destination port, such as S2, receive the traffic of the RSPAN VLAN. You can make this more efficient by pruning this VLAN on the S1-S2 link.

- In order to achieve this flooding, learning is disabled on the RSPAN VLAN. In order to prevent loops, STP is maintained on the RSPAN VLAN. Therefore, RSPAN cannot monitor BPDUs.

RSPAN configuration example

The information in this section illustrates the configuration of the different elements of a very simple RSPAN design. S1 and S2 are two Catalyst 6500/6000 switches. In order to monitor some S1 ports or VLANs from S2, you must set up a dedicated RSPAN VLAN. The rest of the commands have a syntax similar to that of a typical SPAN session.

Figure 2.14: Remote monitoring across a trunk


Set up an ISL trunk between the two switches S1 and S2. To begin, set the same VLAN Trunk Protocol (VTP) domain name on each switch and configure one side as trunking desirable. Issue this command on S1:

    S1> (enable) set vtp domain cisco
    VTP domain cisco modified

Issue these commands on S2:

    S2> (enable) set vtp domain cisco
    VTP domain cisco modified
    S2> (enable) set trunk 5/1 desirable
    Port(s) 5/1 trunk mode set to desirable.
    S2> (enable) 2000 Sep 12 04:32:44 %PAGP-5-PORTFROMSTP:Port 5/1 left bridge port 5/1
    2000 Sep 12 04:32:47 %DTP-5-TRUNKPORTON:Port 5/1 has become isl trunk

Create the RSPAN VLAN

An RSPAN session needs a specific RSPAN VLAN. You must create this VLAN; you cannot convert an existing VLAN into an RSPAN VLAN. This example uses VLAN 100:

    S2> (enable) set vlan 100 rspan
    Vlan 100 configuration successful

Issue this command on a switch that is configured as a VTP server. The knowledge of RSPAN VLAN 100 is automatically propagated in the whole VTP domain.

Configure port 5/2 of S2 as an RSPAN destination port

    S2> (enable) set rspan destination 5/2 100
    Rspan Type       : Destination
    Destination      : Port 5/2
    Rspan Vlan       : 100
    Admin Source     :
    Oper Source      :
    Direction        :
    Incoming Packets : disabled
    Learning         : enabled
    Multicast        :
    Filter           :
    Status           : active
    2000 Sep 12 04:34:47 %SYS-5-SPAN_CFGSTATECHG:remote span destination session active for destination port 5/2

Configure an RSPAN source port on S1

In this example, the incoming traffic that enters S1 via port 6/2 is monitored. Issue this command:

    S1> (enable) set rspan source 6/2 100 rx
    Rspan Type       : Source
    Destination      :
    Rspan Vlan       : 100
    Admin Source     : Port 6/2
    Oper Source      : Port 6/2
    Direction        : receive
    Incoming Packets :
    Learning         :
    Multicast        : enabled
    Filter           :
    Status           : active
    S1> (enable) 2000 Sep 12 05:40:37 %SYS-5-SPAN_CFGSTATECHG:remote span source session active for remote span vlan 100

All incoming packets on port 6/2 are now flooded into RSPAN VLAN 100 and reach the destination port configured on S2 via the trunk.

Verify the configuration

The show rspan command displays a summary of the current RSPAN configuration on the switch. Again, there can be only one RSPAN source session at a time:

    S1> (enable) show rspan
    Rspan Type       : Source
    Destination      :
    Rspan Vlan       : 100
    Admin Source     : Port 6/2
    Oper Source      : Port 6/2
    Direction        : receive
    Incoming Packets :
    Learning         :
    Multicast        : enabled
    Filter           :
    Status           : active
    Total remote span sessions: 1

Other configurations are possible with the set rspan command


See the set rspan section of the command reference for the options of the command. With RSPAN you use a few command lines to configure the source and the destination; apart from this difference, SPAN and RSPAN really behave in the same way. You can even use RSPAN locally, on a single switch, if you want to have several destination SPAN ports.

Feature summary and limitations

This table lists the different features that have been introduced and gives the minimum CatOS release needed to run each feature on the specified platform:

    Feature                                       Catalyst 4500/4000   Catalyst 5500/5000   Catalyst 6500/6000
    inpkts enable/disable option                  4.4                  4.2                  5.1
    Multiple sessions, ports in different VLANs   5.1                  5.1                  5.1
    sc0 option                                    not available        5.1                  5.1
    multicast enable/disable option               not available        5.1                  5.1
    learning enable/disable option                5.2                  5.2                  5.3
    RSPAN                                         6.3                  not available        5.3


This table summarizes the current limitations on the number of possible SPAN sessions (the totals for the Catalyst 4500/4000 and 5500/5000 are not given here):

    Feature                                  Catalyst 4500/4000   Catalyst 5500/5000   Catalyst 6500/6000
    Rx or both SPAN sessions                 5                    1                    2
    Tx SPAN sessions                         5                    4                    4
    Mini Protocol Analyzer sessions          not supported        not supported        1
    Rx, Tx or both RSPAN source sessions     5                    not supported        1 (Supervisor Engine 720 supports 2)
    RSPAN destination                        5                    not supported        24
    Total sessions                                                                     30
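The rules of sections 2.1.3 to 2.1.6 (a destination port is never a source, is dropped from any source VLAN it belongs to, and cannot be an EtherChannel member; filter and source VLANs do not mix; an RSPAN VLAN must be new) are exactly the things an IDS deployment gets wrong when the set span / set rspan commands are typed by hand. The following planner is an added example, written for this thesis text and not taken from Cisco or from any switch software; it models a switch as plain data (the Switch and SpanPlan classes and the LAB object are constructed for the example and mirror Figure 2.5), reproduces the Oper Source list the switch prints, flags the oversubscription warned about in 2.1.6 from the port speeds, and emits the CatOS commands in the keyword order of the usage text above. It covers the local SPAN and the RSPAN cases of 2.2.1; nothing here talks to a real device.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Switch:
    """Constructed model of one CatOS switch (an assumption of this example,
    not a device API): access ports with their VLAN, trunk ports, ports
    bundled into an EtherChannel, and link speed per port in Mb/s."""
    name: str
    port_vlan: dict
    trunks: set = field(default_factory=set)
    channel_ports: set = field(default_factory=set)
    speed_mbps: dict = field(default_factory=dict)


@dataclass
class SpanPlan:
    """One proposed session: the switch that owns the sources, the IDS port,
    and the options from the set span / set rspan usage text."""
    switch: Switch
    destination: str
    source_ports: list = field(default_factory=list)
    source_vlans: list = field(default_factory=list)
    direction: str = "both"                 # rx | tx | both
    filter_vlans: list = field(default_factory=list)
    rspan_vlan: Optional[int] = None        # set for RSPAN
    dest_switch: Optional[Switch] = None    # RSPAN: switch that holds the destination
    create: bool = False                    # keep the existing local sessions


def _port_key(port):
    module, number = port.split("/")
    return int(module), int(number)


def operational_sources(plan):
    """What CatOS reports as 'Oper Source': the configured ports, or every
    access port in the source VLANs plus every trunk (a trunk carries all
    VLANs), minus the destination port, which is excluded from a source VLAN."""
    sw = plan.switch
    if plan.source_ports:
        return sorted(plan.source_ports, key=_port_key)
    ports = {p for p, v in sw.port_vlan.items() if v in plan.source_vlans} | set(sw.trunks)
    if plan.dest_switch is None or plan.dest_switch is sw:
        ports.discard(plan.destination)
    return sorted(ports, key=_port_key)


def validate(plan):
    """'ERROR:' findings are rejected by the switch; 'WARN:' findings are
    accepted but give the IDS less, or more, than intended."""
    sw = plan.switch
    dst_sw = plan.dest_switch or sw
    out = []
    if plan.direction not in ("rx", "tx", "both"):
        out.append("ERROR: direction must be rx, tx or both")
    if bool(plan.source_ports) == bool(plan.source_vlans):
        out.append("ERROR: give source ports or source VLANs, not both and not neither")
    if plan.rspan_vlan is None and dst_sw is not sw:
        out.append("ERROR: a local SPAN destination must be on the same switch as its sources")
    known_vlans = set(sw.port_vlan.values()) | set(dst_sw.port_vlan.values())
    if plan.rspan_vlan is not None and plan.rspan_vlan in known_vlans:
        out.append("ERROR: an existing VLAN cannot be converted into the RSPAN VLAN")
    if dst_sw is sw and plan.destination in plan.source_ports:
        out.append("ERROR: the destination port cannot also be a source port")
    if plan.destination in dst_sw.channel_ports:
        out.append("ERROR: Channel port cannot be a Monitor Destination Port")
    if plan.filter_vlans and plan.source_vlans:
        out.append("ERROR: filter and source VLANs cannot be combined in one session")
    non_trunk = [p for p in plan.source_ports if p not in sw.trunks]
    if plan.filter_vlans and non_trunk:
        out.append("WARN: filter applies only to trunks; all traffic of %s is still copied"
                   % ",".join(non_trunk))
    if dst_sw is sw and sw.port_vlan.get(plan.destination) in plan.source_vlans:
        out.append("WARN: destination %s is in a source VLAN and is excluded from monitoring"
                   % plan.destination)
    per_port = 2 if plan.direction == "both" else 1   # both directions double the copies
    offered = sum(sw.speed_mbps.get(p, 0) * per_port for p in operational_sources(plan))
    capacity = dst_sw.speed_mbps.get(plan.destination, 0)
    if capacity and offered > capacity:
        out.append("WARN: destination %s oversubscribed: %d Mb/s offered to a %d Mb/s port"
                   % (plan.destination, offered, capacity))
    return out


def accepted(plan):
    """True when the switch would accept the plan (no ERROR findings)."""
    return not any(f.startswith("ERROR") for f in validate(plan))


def commands(plan):
    """CatOS commands for the plan, keywords in the order of the usage text.
    inpkts disable is written out although it is the default: a destination
    port runs no STP and must never inject frames back into the VLAN."""
    if not accepted(plan):
        raise ValueError("; ".join(f for f in validate(plan) if f.startswith("ERROR")))
    sw = plan.switch
    dst_sw = plan.dest_switch or sw
    src = ",".join(plan.source_ports or [str(v) for v in plan.source_vlans])
    if plan.rspan_vlan is None:
        cmd = "set span %s %s %s inpkts disable" % (src, plan.destination, plan.direction)
        if plan.filter_vlans:
            cmd += " filter " + ",".join(str(v) for v in plan.filter_vlans)
        if plan.create:
            cmd += " create"
        return ["%s> (enable) %s" % (sw.name, cmd)]
    v = plan.rspan_vlan
    return ["%s> (enable) set vlan %d rspan" % (dst_sw.name, v),   # on a VTP server; VTP propagates it
            "%s> (enable) set rspan source %s %d %s" % (sw.name, src, v, plan.direction),
            "%s> (enable) set rspan destination %s %d" % (dst_sw.name, plan.destination, v)]


# Constructed lab after Figure 2.5: 6/1-6/2 in VLAN 1, 6/3 in VLAN 2, 6/4 in
# VLAN 3, 6/5 a trunk, 6/7-6/8 bundled into an EtherChannel; the IDS sits on
# the gigabit port 6/2, every other port is 100 Mb/s.
LAB = Switch("switch", {"6/1": 1, "6/2": 1, "6/3": 2, "6/4": 3}, trunks={"6/5"},
             channel_ports={"6/7", "6/8"},
             speed_mbps={"6/1": 100, "6/2": 1000, "6/3": 100, "6/4": 100,
                         "6/5": 100, "6/7": 100, "6/8": 100})

if __name__ == "__main__":
    plan = SpanPlan(LAB, "6/2", source_ports=["6/4", "6/5"], filter_vlans=[2])
    for line in validate(plan) + commands(plan):
        print(line)
```

Run against the Figure 2.10 case (sources 6/4 and 6/5, filter 2) it prints the same set span 6/4-5 6/2 filter 2 intent as the transcript above, plus a warning that the filter leaves the access port 6/4 fully copied, which is the behaviour section 2.1.4 describes; a plan whose destination is 6/7 is refused with the switch's own "Channel port cannot be a Monitor Destination Port" message.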

2.2.2 SPAN on the Catalyst 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560-E, 3750 and 3750-E Series

These are the guidelines for the configuration of the SPAN feature on the Catalyst 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560-E, 3750 and 3750-E Series switches:

- The Catalyst 2950 switches can have only one SPAN session active at a time and can monitor only source ports. These switches cannot monitor VLANs.
- The Catalyst 2950 and 3550 switches can forward traffic on a destination SPAN port in Cisco IOS Software Release 12.1(13)EA1 and later.
- The Catalyst 3550, 3560 and 3750 switches can support up to two SPAN sessions at a time and can monitor source ports as well as VLANs.
- The Catalyst 2970, 3560 and 3750 switches do not require the configuration of a reflector port when you configure an RSPAN session.
- The Catalyst 3750 switches support session configuration with source and destination ports that reside on any of the switch stack members.
- Only one destination port is allowed per SPAN session, and the same port cannot be a destination port for multiple SPAN sessions. Therefore, you cannot have two SPAN sessions that use the same destination port.

The commands for the configuration of the SPAN feature are similar on the Catalyst 2950 and the Catalyst 3550. However, the Catalyst 2950 cannot monitor VLANs. You can configure SPAN as in this example:

    C2950#configure terminal
    C2950(config)#
    C2950(config)#monitor session 1 source interface fastethernet 0/2
    !--- Configure port Fast Ethernet 0/2 as the source port.
    C2950(config)#monitor session 1 destination interface fastethernet 0/3
    !--- Configure port Fast Ethernet 0/3 as the destination port.
    C2950(config)#
    C2950#show monitor session 1
    Session 1
    ---------
    Source Ports:
        RX Only:       None
        TX Only:       None
        Both:          Fa0/2
    Destination Ports: Fa0/3
    C2950#

You can also configure a port as a destination for both local SPAN and RSPAN for the same VLAN traffic. In order to monitor the traffic of a particular VLAN that resides on two directly connected switches, configure these commands on the switch that has the destination port. In this example, we monitor traffic from VLAN 5 that is spread across the two switches:

    c3750(config)#monitor session 1 source vlan < Remote RSPAN VLAN ID >
    c3750(config)#monitor session 1 source vlan 5
    c3750(config)#monitor session 1 destination fastethernet 0/3
    !--- Configure port FastEthernet 0/3 as the destination port.


On the remote switch, use this configuration:

    c3750_remote(config)#monitor session 1 source vlan 5
    !--- Specify VLAN 5 as the monitored VLAN.
    c3750_remote(config)#monitor session 1 destination remote vlan <Remote vlan id>

In the previous example, a port is configured as a destination port for both local SPAN and RSPAN in order to monitor the traffic of the same VLAN that resides on both switches.

Note: unlike the 2900XL and 3500XL Series, the Catalyst 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560-E, 3750 and 3750-E Series support SPAN on source port traffic in the Rx direction only (Rx SPAN or ingress SPAN), in the Tx direction only (Tx SPAN or egress SPAN), or in both.

Note: the commands in this configuration are not supported on the Catalyst 2950 with Cisco IOS Software Release 12.0(5.2)WC(1) or with any software earlier than Cisco IOS Software Release 12.1(6)EA2. Refer to the Enabling Switch Port Analyzer section of Managing Switches to configure SPAN on a Catalyst 2950 with software earlier than Cisco IOS Software Release 12.1(6)EA2.

Note: Catalyst 2950 switches that run Cisco IOS Software Release 12.1(9)EA1d and earlier releases in the Cisco IOS Software Release 12.1 train support SPAN. However, all the packets seen on the SPAN destination port (connected to the sniffing device or PC) carry an IEEE 802.1Q tag, even though the SPAN source port (monitored port) may not be an 802.1Q trunk port. If the sniffing device or the PC network interface card (NIC) does not understand 802.1Q-tagged packets, the device may drop the packets or have difficulty when it tries to decode them. The ability to see 802.1Q-tagged frames matters only when the SPAN source port is a trunk port. With Cisco IOS Software Release 12.1(11)EA1 and later, you can enable and disable the tagging of the packets at the SPAN destination port. Issue the monitor session session_number destination interface interface_id encapsulation dot1q command to enable encapsulation of the packets at the destination port. If you do not specify the encapsulation keyword, the packets are sent untagged, which is the default in Cisco IOS Software Release 12.1(11)EA1 and later.

    Feature                                   Catalyst 2950/3550
    Ingress (inpkts) enable/disable option    Cisco IOS Software Release 12.1(12c)EA1
    RSPAN                                     Cisco IOS Software Release 12.1(12c)EA1

    Feature                                   Catalyst 2940 (1), 2950, 2955, 2960, 2970, 3550, 3560, 3750
    Rx or both SPAN sessions                  2
    Tx SPAN sessions                          2
    Rx, Tx or both RSPAN source sessions      2
    RSPAN destination                         2
    Total sessions                            2

(1) The Catalyst 2940 supports only local SPAN. RSPAN is not supported on this platform.

2.2.3 SPAN on the Catalyst 4500/4000 and Catalyst 6500/6000 Series running Cisco IOS system software


The SPAN feature is supported on the Catalyst 4500/4000 and Catalyst 6500/6000 Series that run Cisco IOS system software. Both switch platforms use the same command-line interface (CLI), and the configuration is similar.

Configuration example

You can configure SPAN as in the example below:

    4507R#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    4507R(config)#monitor session 1 source interface fastethernet 4/2
    !--- Configure port Fast Ethernet 4/2 as the source port.
    4507R(config)#monitor session 1 destination interface fastethernet 4/3
    !--- Configure port Fast Ethernet 4/3 as the destination port.
    4507R#show monitor session 1
    Session 1
    ---------
    Type              : Local Session
    Source Ports      :
        Both          : Fa4/2
    Destination Ports : Fa4/3
    4507R#

Feature summary and limitations


The table below summarizes the different features that have been introduced and gives the minimum Cisco IOS Software release needed to run each feature on the specified platform:

    Feature                                   Catalyst 4500/4000 (Cisco IOS)            Catalyst 6500/6000 (Cisco IOS)
    Ingress (inpkts) enable/disable option    Cisco IOS Software Release 12.1(19)EW     currently not available (1)
    RSPAN                                     Cisco IOS Software Release 12.1(20)EW     Cisco IOS Software Release 12.1(13)E

(1) The feature is currently not available, and the availability of such features is typically not published until release.

Note: the SPAN feature of the Cisco Catalyst 6500/6000 Series switches has a limitation with regard to the PIM protocol. When a switch is configured for both PIM and SPAN, the network analyzer connected to the SPAN destination port can see PIM packets that are not part of the SPAN source port or VLAN traffic. This happens because of a limitation in the packet-forwarding architecture of the switch: the SPAN destination port does not perform any check on the origin of the packets. This issue is documented in Cisco bug ID CSCdy57506 (registered customers only).

The table below summarizes the current limitations on the number of possible SPAN and RSPAN sessions:


    Feature                                   Catalyst 4500/4000 (Cisco IOS)
    Rx or both SPAN sessions                  2
    Tx SPAN sessions                          4
    Rx, Tx or both RSPAN source sessions      2 (Rx, Tx or both), and up to 4 with Tx only
    RSPAN destination                         2
    Total sessions                            6

Refer to Local SPAN, RSPAN, and ERSPAN Session Limits for the Catalyst 6500/6000 that runs Cisco IOS.

In the Catalyst 6500 Series, it is important to note that egress SPAN is performed on the supervisor. This makes all traffic subject to egress SPAN be sent across the fabric to the supervisor and then to the SPAN destination port, which can use significant system resources and affect user traffic. Ingress SPAN is performed on the ingress modules, so the SPAN performance is the sum of all the participating replication engines. The performance of the SPAN feature depends on the packet size and on the type of ASIC available in the replication engine.
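Two passages above leave the sensor side of the problem open: with trunking enabled on a CatOS destination port (section 2.2.1, "Trunking on the destination port") or with the encapsulation dot1q keyword on the Catalyst 2950 and later (section 2.2.2), every copied frame arrives with a VLAN tag, and a sniffer that does not decode the tag either drops the frame or misreads it. The decoder below is an added example for this thesis text, not code from Cisco or from any IDS; it handles IEEE 802.1Q only (ISL, used in the CatOS transcript, is a Cisco-proprietary encapsulation and is not covered), and the sample frames are constructed inline. It recovers the VLAN ID and priority from a tagged copy, leaves untagged frames on the "untagged" (native VLAN) pile because the switch does not put the native VLAN's number on the wire, and groups the copies so that the sensor can keep one VLAN and drop the rest of what a trunk source port delivers, which is the distinction section 2.2.1 says is impossible on an untagged destination port.

```python
import struct
from collections import Counter

ETHERTYPE_8021Q = 0x8100


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


def parse_frame(frame):
    """Decode the Ethernet header of one copied frame.  Returns dst, src,
    vlan (None when untagged), pcp, the inner ethertype and the payload.
    A truncated header raises instead of being guessed at."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = pcp = None
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, pcp, offset = tci & 0x0FFF, tci >> 13, 18   # 12-bit VID, 3-bit priority
    return {"dst": _mac(dst), "src": _mac(src), "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def tag_frame(frame, vlan, pcp=0):
    """Insert an 802.1Q tag into an untagged frame: what the switch does to
    each copy when the destination port is a dot1q trunk.  Used here only to
    build sample traffic."""
    if not 0 < vlan < 4095:
        raise ValueError("VLAN id out of range")
    if not 0 <= pcp <= 7:
        raise ValueError("priority out of range")
    tci = (pcp << 13) | vlan
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def frames_by_vlan(frames):
    """Group copied frames by the VLAN they were tagged with.  Untagged
    frames belong to the trunk's native VLAN, whose number never reaches the
    sensor, so they are filed under 'untagged'."""
    groups = {}
    for f in frames:
        vlan = parse_frame(f)["vlan"]
        groups.setdefault("untagged" if vlan is None else vlan, []).append(f)
    return groups


def vlan_histogram(frames):
    """Frame count per VLAN, the first thing to check after bringing up a
    trunked destination port: an empty VLAN means the filter or the trunk
    encapsulation is wrong."""
    return Counter({vlan: len(group) for vlan, group in frames_by_vlan(frames).items()})


# Constructed sample traffic: one untagged ARP request (ethertype 0x0806)
# from 00:11:22:33:aa:bb to broadcast, then copies of it as they would
# appear on the destination port from VLAN 2 (twice) and VLAN 3 (priority 5).
UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("00112233aabb")
            + struct.pack("!H", 0x0806) + bytes(28))
SAMPLE = [UNTAGGED, tag_frame(UNTAGGED, 2), tag_frame(UNTAGGED, 3, pcp=5), tag_frame(UNTAGGED, 2)]

if __name__ == "__main__":
    for vlan, group in frames_by_vlan(SAMPLE).items():
        print(vlan, len(group), "frame(s)")
```

A sensor that must see only VLAN 2 from the Figure 2.10 trunk keeps frames_by_vlan(...)[2] and discards the rest; the same decoder, run before the IDS engine, is also the quickest way to confirm that the switch is really tagging the copies after a set trunk or encapsulation dot1q change.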

2.3 Performance impact of SPAN on the different Catalyst platforms

Switch series below the Catalyst 4000 Series


In order to monitor some ports with SPAN, a packet must be copied from the data buffer to a satellite one additional time. The impact on the high-speed switching path is negligible. The monitoring port receives copies of the transmitted and received traffic of all monitored ports. In this architecture, a packet destined for multiple destinations is held in memory until all copies have been forwarded. If the monitoring port runs at 50 percent utilization for a sustained period, the port is likely to become congested and to hold part of the shared memory. One or more of the monitored ports may then also slow down.

Catalyst 4500/4000 Series

With the SPAN feature, a packet must be sent to two different ports, as in the example of the architecture overview. Sending a packet to two ports is not a problem, because the switching fabric is non-blocking. If the destination SPAN port is congested, packets are dropped in the output queue and are correctly released from the shared memory. Therefore, there is no impact on switch operation.

Catalyst 5500/5000 and 6500/6000 Series

Whether one or several ports eventually transmit the packet has absolutely no influence on switch operation. Therefore, in this architecture the SPAN feature has no performance impact.

2.4 Common configuration errors

Connectivity problems due to SPAN misconfiguration
Connectivity problems caused by SPAN misconfiguration occurred frequently in CatOS versions earlier than 5.1. With these versions, only a single SPAN session can exist. This session stays in the configuration even when you disable SPAN. With the set span enable command, a user reactivates the stored SPAN session. This happens frequently because of a typing error, for example when the user wants to enable STP. Severe connectivity problems can result if the destination port is used to forward user traffic.
Note: this issue still exists in the current implementation of CatOS. Be very careful about the port you choose as a SPAN destination.
SPAN destination port Up/Down
When ports are used as SPAN destinations for monitoring, the port state is UP/DOWN. When you configure a SPAN session to monitor ports, the destination interface shows the state DOWN (monitoring), by design. Showing the interface in this state makes it obvious that the port is currently not usable as a production port. A port in the UP/DOWN monitoring state is normal.
Why does the SPAN session create a bridging loop?
Bridging loops typically occur when the administrator tries to emulate the RSPAN feature. A configuration error can also lead to the problem. Here is an example of this scenario:


Figure 2.15: Data bridging loop
Two core switches are linked by a trunk. In this design, each switch has a number of servers, workstations or other bridges connected to it. The administrator wants to use SPAN to monitor VLAN 1, which appears on several bridges. The administrator creates a SPAN session that monitors the whole of VLAN 1 on each core switch and, to merge the two sessions, connects the destination ports to the same hub (or the same switch, using another SPAN session). The administrator achieves the goal: every packet that a core switch receives on VLAN 1 is duplicated on the SPAN port and forwarded up to the hub, where an analyzer finally captures the traffic. But the traffic also goes back up into Switch 2 through its SPAN destination port. This traffic entering Switch 2 creates a bridging loop in VLAN 1. Remember that a SPAN destination port does not run STP and cannot prevent such a loop.


Figure 2.16: The data bridging loop in action
Note: since the introduction of the inpkts (input packets) option on CatOS, a SPAN destination port drops any incoming packet by default, which prevents this failure scenario. However, the potential problem still exists on the Catalyst 2900XL/3500XL Series.
Note: even when the inpkts option prevents the loop, the configuration shown in this section can still cause problems in the network. The problems arise because the MAC address learning process is combined with learning enabled on the destination port.
Can you configure SPAN on an EtherChannel port?
An EtherChannel does not form if one of its ports is a SPAN destination port. If you try to configure SPAN in this situation, the switch warns:
Channel port cannot be a Monitor Destination Port
Failed to configure span feature
You can use a port in an EtherChannel bundle as a SPAN source port.


Can several SPAN sessions run at the same time?
On the Catalyst 2900XL/3500XL Series, the number of destination ports available on the switch is the only limit on the number of SPAN sessions. On the Catalyst 2950 Series, you can assign only one monitor port at any time. If you select another port as the monitor port, the previous monitor port is disabled and the newly selected port becomes the monitor port. On the Catalyst 4500/4000, 5500/5000 and 6500/6000 with CatOS 5.1 and later, you can have several concurrent SPAN sessions.
Error "% Local Session Limit Has Been Exceeded"
This message is issued when the number of SPAN sessions exceeds the limit of the Supervisor Engine:
% Local Session limit has been exceeded
Unable to delete a SPAN session on the VPN service module, with the error %Session [Session No:] Used by Service Module
With this problem, the virtual private network (VPN) module is inserted into a chassis in which a switch fabric module has already been inserted. Cisco IOS automatically creates a SPAN session for the VPN service module to handle multicast traffic. Use the following command to delete the SPAN session that IOS creates for the VPN service module:
Switch(config)# no monitor session session_number service-module
Note: if you delete this session, the VPN service module drops multicast traffic.
Why can't you capture corrupted packets with SPAN?


You cannot capture corrupted packets with SPAN because of the way switches operate in general. When a packet passes through a switch, the following happens:
1. The packet reaches the ingress port.
2. The packet is stored in at least one buffer.
3. The packet is finally retransmitted on the egress port.

Figure 2.17: Internal buffer queue
If the switch receives a corrupted packet, the ingress port drops it, so you do not see it on the egress port. A switch is therefore not completely transparent with regard to traffic capture. Conversely, when you see a corrupted packet on your analyzer in the scenario of this section, you know that the error was introduced at step 3, on the egress segment. If you suspect that a device sends corrupted packets, you can put the sending device and the analyzer on a hub. A hub performs no error check, so, unlike a switch, it does not drop the packets, and this way you can view them.
Error: %Session 2 used by service module
If a Firewall Service Module (FWSM) was installed in the CAT6500, for example installed and later removed, it automatically enables the SPAN reflector feature. The SPAN reflector feature uses one SPAN session in the switch. If you no longer use it, you must enter the no monitor session service module command from configuration mode of the CAT6500, and then immediately enter the SPAN configuration you need.


Reflector port drops packets
A reflector port receives copies of the transmitted and received traffic of all monitored source ports. If a reflector port is oversubscribed, it can become congested. This can affect traffic forwarding on one or more of the source ports. If the bandwidth of the reflector port is not sufficient for the traffic volume of the corresponding source ports, the excess packets are dropped. A 10/100 port reflects at 100 Mbps. A Gigabit port reflects at 1 Gbps.
SPAN session always in use with an FWSM in the Catalyst 6500 chassis
When you use a Supervisor Engine 720 with an FWSM in a chassis running native Cisco IOS, one SPAN session is used by default. If you check the unused sessions with show monitor, session 1 is in use:
Cat6K#show monitor
Session 1
---------
Type : Service Module Session
When a firewall blade is in the Catalyst 6500 chassis, this session is installed automatically to support hardware multicast replication, because an FWSM cannot replicate multicast streams. If multicast streams sourced behind the FWSM must be replicated at Layer 3 to multiple line cards, the automatic session copies the traffic to the supervisor through a fabric channel. If you have a multicast source that generates a multicast stream from behind the FWSM, you need the SPAN reflector. If you place the multicast source on the outside VLAN, the SPAN reflector is not necessary. The SPAN reflector is incompatible with bridging BPDUs through the FWSM. You can use the no monitor session service module command to disable the SPAN reflector.


Can a SPAN session and an RSPAN session have the same ID on the same switch?
No, it is not possible to use the same session ID for a regular SPAN session and an RSPAN destination session. Each SPAN and RSPAN session must have a different session ID.
Can an RSPAN session work across different VTP domains?
Yes, an RSPAN session can work across different VTP domains. But make sure that the RSPAN VLAN exists in the databases of these VTP domains. Also make sure that no Layer 3 device is present in the path from the session source to the session destination.
Can an RSPAN session work across a WAN or other networks?
No, an RSPAN session cannot cross any Layer 3 device, as RSPAN is a LAN (Layer 2) feature. To monitor traffic across a WAN or other networks, use Encapsulated Remote SwitchPort Analyzer (ERSPAN). The ERSPAN feature supports source ports, source VLANs and destination ports on different switches, which provides remote monitoring of multiple switches across your network. ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE-encapsulated traffic, and an ERSPAN destination session. You configure the ERSPAN source session and the destination session separately on different switches. Currently, the ERSPAN feature is supported on:

- Supervisor 720 with PFC3B or PFC3BXL running Cisco IOS 12.2(18)SXE or later.
- Supervisor 720 with PFC3A, hardware version 3.2 or later, running Cisco IOS 12.2(18)SXE or later.

Can an RSPAN source session and an RSPAN destination session exist on the same Catalyst switch?


No, RSPAN does not work when the RSPAN source session and the RSPAN destination session are on the same switch. If an RSPAN source session is configured with an RSPAN VLAN and an RSPAN destination session for that RSPAN VLAN is configured on the same switch, the destination port of the RSPAN destination session will not transmit the packets captured by the RSPAN source session, due to hardware limitations. This is not supported on the 4500 Series and 3750 Series. The issue is documented in Cisco bug ID CSCeg08870. Here is an example:
monitor session 1 source interface Gi6/44
monitor session 1 destination remote vlan 666
monitor session 2 destination interface Gi6/2
monitor session 2 source remote vlan 666
The analyzer/security device connected to the SPAN destination port is not reachable
The basic characteristic of a SPAN destination port is that it does not transmit any traffic except the traffic required for the SPAN session. If you need to reach the analyzer/security device (IP reachability) through the SPAN destination port, you need to enable ingress traffic forwarding. When ingress is enabled, the SPAN destination port accepts incoming packets, which may be tagged depending on the specified encapsulation mode, and switches them normally. When you configure a SPAN destination port, you can specify whether the ingress feature is enabled and which VLAN the switch uses to switch untagged ingress packets. Specifying an ingress VLAN is not required when ISL encapsulation is configured, since every ISL-encapsulated packet carries a VLAN tag. Although the port is STP forwarding, it does not participate in STP, so use caution when you configure this feature, because a spanning-tree loop can be introduced into the network. When both ingress and a trunk encapsulation are specified on a SPAN destination port, the port forwards in all active VLANs. Configuring a non-existent VLAN as the ingress VLAN is not allowed.
monitor session session_number destination interface interface [encapsulation {isl | dot1q}] ingress [vlan vlan_IDs]
This example shows how to configure a destination port with 802.1q encapsulation and ingress packets using native VLAN 7:
Switch(config)#monitor session 1 destination interface fastethernet 5/48 encapsulation dot1q ingress vlan 7
With this configuration, traffic from the SPAN sources associated with session 1 is copied out of interface Fast Ethernet 5/48 with 802.1q encapsulation. Incoming traffic is accepted and switched, with untagged packets classified into VLAN 7.


CHAPTER III: DEPLOYING AND INTEGRATING THE SNORT SOFTWARE IDS INTO THE SYSTEM

In this chapter we install and use a software IDS called SNORT. Snort was chosen for the following main reasons: it is Open Source software, its installation documentation is complete, its system requirements are modest, and it has matured over a long period of development.

3.1. Main features
Snort is a fairly popular intrusion detection tool and is described as a light-weight Intrusion Detection System, with the following characteristics:
- Supports many platforms: Linux, OpenBSD, FreeBSD, Solaris, Windows, ...
- Relatively small size: the current version 2.6.1.5 is 3.55 MBytes.
- Able to detect a large number of different probe and intrusion types, such as buffer overflows, CGI attacks, OS fingerprinting, ICMP, viruses, ...
- Detects intrusions quickly, in real time.
- Provides the administrator with the information needed to handle incidents when an intrusion occurs.
- Lets the administrator easily define new intrusion signatures.
- Is Open Source software and costs nothing to acquire.
Snort was built to satisfy the following basic goals: high performance, simplicity and high flexibility. The three main components of Snort are the packet decoder, the detection engine and the logging & alerting system. These three components are built on the LIBPCAP library, which provides the ability to listen to and filter packets on the network.
Packet decoder: the main task of this subsystem is to analyze the raw packet captured from the network and restore it into a complete packet up to the application layer, which is the input of the detection engine.


The packet is restored from the Datalink layer up to the Application layer, following the order of the protocol stack. The critical issue for this subsystem is packet processing speed: if processing is slow, SNORT's performance drops because packets are missed.
3.1.1 Detection engine
SNORT uses rules to detect intrusions on the network. Consider the following rule:
alert tcp !172.16.1.0/24 any -> any any (flags: SF; msg: "SYN-FIN Scan";)
A rule has two parts, the Header and the Options:
Header: alert tcp !172.16.1.0/24 any -> any any
Options: (flags: SF; msg: "SYN-FIN Scan";)
Each intrusion signature is expressed by one rule. So how does SNORT manage the set of rules? SNORT manages the rules with a data structure called Chain Headers and Chain Options. This structure consists of a list of Headers, and each Header links to a list of Options. It is organized around the Header because the Header is the part that rarely changes among rules written for the same kind of intrusion, while the Options are the part that is modified most often. For example: we have 40 rules written for CGI-BIN probes; in reality these rules share the same source IP, destination IP, source port and destination port, i.e. they share one Header. Each packet is compared sequentially through the lists until the first matching pattern is found, at which point the corresponding action is taken.
3.1.2 Logging & alerting
This subsystem notifies the network administrator and records the intrusion actions against the system. Currently there are 3 logging forms and 5 alerting types. The logging forms, chosen when SNORT is started:


- Decoded form: the first logging form; it is fast to produce and suited to professionals.
- tcpdump binary form: the same format as tcpdump, written to disk quickly; suited to systems that require high performance.
- IP directory tree form: arranges the logs in a directory tree by IP address, easy for users to read.
The alerting forms:
- Write alerts to syslog
- Write alerts to a text file
- Send Winpopup messages with the smbclient program
- Full alert: record the alert message together with the packet contents.
- Fast alert: record only the packet header. This form is commonly used on systems that need high performance.
3.1.3 Rule set (RULES)
Snort's rule language is simple to understand and write, yet powerful enough to detect all intrusion actions on the network. There are 3 main actions SNORT takes when a packet matches a pattern in the rules:
- Pass: discard the packet that SNORT captured
- Log: record the packet in the logging form that was chosen.
- Alert: generate an alert in the chosen alert form and log the whole packet in the chosen logging form.
The most basic form of a rule consists of the protocol, the direction of the packet and the port of interest, without any Options:
log tcp any any -> 172.16.1.0/24 80
This rule logs all packets entering the network 172.16.1.0/24 on port 80. Another rule, this time with Options:
alert tcp any any -> 172.16.1.0/24 80 (content: "/cgi-bin/phf"; msg: "PHF probe!";)
This rule detects accesses to the PHF service on the web server; an alert is generated and the whole packet is logged. IP address ranges in rules are written in CIDR block netmask form; ports can be specified individually or as a range, with the first and last port separated by a colon:
alert tcp any any -> 172.16.1.0/24 6000:6010 (msg: "X traffic";)
Common SNORT options:
1. content: Search the packet payload for a specified pattern.
2. flags: Test the TCP flags for specified settings.
3. ttl: Check the IP header's time-to-live (TTL) field.
4. itype: Match on the ICMP type field.
5. icode: Match on the ICMP code field.
6. minfrag: Set the threshold value for IP fragment size.
8. ack: Look for a specific TCP header acknowledgement number.
9. seq: Look for a specific TCP header sequence number.
10. logto: Log packets matching the rule to the specified filename.
11. dsize: Match on the size of the packet payload.
12. offset: Modifier for the content option; sets the offset into the packet payload at which to begin the content search.
13. depth: Modifier for the content option; sets the number of bytes from the start position to search through.
14. msg: Sets the message to be sent when a packet generates an event.
SNORT runs well on any platform that LIBPCAP supports.
3.2 Steps to install Snort on the Debian operating system
3.2.1 Installing the Debian operating system


- OS name: Debian GNU/Linux 4.0 r0 "Etch"
- Kernel: Linux IDS 2.6.18-4-686
- Account
+ user: root
+ pass: root
3.2.2 Installing the required software
- Edit the file /etc/apt/sources.list as follows:
deb http://security.debian.org/ etch/updates main contrib
deb-src http://security.debian.org/ etch/updates main contrib
Point the source link at a mirror inside the TEIN2 education network:
deb http://debian.nctu.edu.tw/debian stable main
deb-src http://debian.nctu.edu.tw/debian stable main
#Backports
deb http://www.backports.org/debian etch-backports main contrib non-free
- Add the GPG key of the repository:
# wget -O - http://backports.org/debian/archive.key | apt-key add -
- Update the package list:
# apt-get -y update
- Install utility tools:
# apt-get -y install wget tcpdump mc tethereal
- Install the required packages:
# apt-get -y install apache-ssl apache-common libapache-mod-php4
Dependencies pulled in:
apache2-utils libapr1 libaprutil1 libexpat1 libmagic1 libpq4 libsqlite3-0 libzzip-0-12 lynx mime-support openssl perl perl-modules php4-common ssl-cert ucf
SSL certificate configuration
+ Country: VN
+ State or Province Name: Hanoi
+ Locality: Hanoi
+ Organisation Name: DHBK
+ Organisation Unit Name: DHBK
+ Email Address: cuongnd-linc@mail.hut.edu.vn
# apt-get -y install mysql-server mysql-common mysql-client php4-mysql
Dependencies pulled in:
libdbd-mysql-perl libdbi-perl libmysqlclient15off libnet-daemon-perl libplrpc-perl mysql-client-5.0 mysql-server-5.0 psmisc
# apt-get -y install libpcap0.8 libpcap0.8-dev libmysqlclient15-dev
Dependencies pulled in:
libc6-dev linux-kernel-headers zlib1g-dev
# apt-get -y install php4-gd php4-pear libphp-adodb vim gcc make
Dependencies pulled in:
binutils cpp cpp-4.1 defoma file fontconfig-config gcc-4.1 libfontconfig1 libfreetype6 libgd2-xpm libjpeg62 libpng12-0 libssp0 libt1-5 libx11-6 libx11-data libxau6 libxdmcp6 libxml2 libxpm4 php-db php-http php-mail php-net-smtp php-net-socket php-pear php-xml-parser php5-cli php5-common ttf-dejavu vim-runtime x11-common
Configuring libphp-adodb


WARNING: include path for php has changed!
libphp-adodb is no longer installed in /usr/share/adodb.
New installation path is now /usr/share/php/adodb.
Please update your php.ini file. Maybe you must also change your web-server configuraton.
# apt-get -y install php4-cli libtool libssl-dev gcc-4.1 g++
Dependencies pulled in:
autotools-dev g++-4.1 libstdc++6-4.1-dev
3.2.3 Installing and configuring the IPTABLES-BASED FIREWALL
Use the Shorewall package to configure iptables:
# apt-get install shorewall iproute libatm1 shorewall-doc iproute-doc
SHOREWALL can be configured through Webmin.
3.2.4 Installing Snort
- Install PCRE
# cd /usr/local/src
# apt-get source libpcre3
apt-get downloads the following 3 files: pcre3_6.7-1.diff.gz, pcre3_6.7-1.dsc, pcre3_6.7.orig.tar.gz
# tar xzvf pcre3_6.7.orig.tar.gz
# cd pcre-6.7
# ./configure && make && make install
- Install Snort 2.7
# cd /usr/local/src
# wget -c http://snort.org/dl/current/snort-2.7.0.1.tar.gz
# tar zxvf snort-2.7.0.1.tar.gz


# cd snort-2.7.0.1
# ./configure --with-mysql --enable-dynamicplugin
# make && make install
- Configure SNORT
# mkdir /etc/snort
# mkdir /var/log/snort
# groupadd snort
# useradd -g snort snort
# chown snort:snort /var/log/snort
Download the snort rules
+ Register an account at snort.org and download the "registered-user" rules snortrules-snapshot-CURRENT.tar.gz
+ You will receive an OINKCODE for updating the snort rules whenever new rules are released. Example OINKCODE = a7a0ac0d6e14a691882eab106f27be4bc76fa28f
# cd /etc/snort
# tar zxvf snortrules-snapshot-CURRENT.tar.gz
# cp /usr/local/src/snort-2.7.0.1/etc/*.conf* .
# cp /usr/local/src/snort-2.7.0.1/etc/*.map .
- Edit the configuration file /etc/snort/snort.conf
# vi /etc/snort/snort.conf
var HOME_NET 203.128.246.80/28
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
- Create a simple rule to test snort


# vi /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; dsize:8; itype:8; sid:10000001;)
alert tcp any any -> any any (msg:"TCP test"; sid:10000002;)
- Start snort for the first time:
# /usr/local/bin/snort -Dq -u snort -g snort -c /etc/snort/snort.conf
- Check /var/log/snort for a message similar to:
snort[1731]: Snort initialization completed successfully (pid=1731)
- Check /var/log/messages for messages similar to:
Aug 12 19:25:38 IDS kernel: device eth0 left promiscuous mode
Aug 12 19:25:38 IDS kernel: audit(1186921538.186:5): dev=eth0 prom=0 old_prom=256 auid=4294967295
3.2.5 Configuring the MySQL server
- Set the mysql root password with the following command:
# mysqladmin -u root password "mysql2008"
- Log in to the mysql command line
# mysql -u root -p
- Create the snort database
mysql> create database snort;
- Create the snort user and its privileges
mysql> grant create, insert, select, delete, update on snort.* to snort@localhost;
- Set the snort user's password for the snort database
mysql> set password for snort@localhost=password('snort2008');
mysql> exit


- Import the schema that comes with the snort program:
# cd /usr/local/src/snort-2.7.0.1/schemas/
# mysql -u root -p < create_mysql snort
- Log in to the mysql server and check the tables that were created:
# mysql -u root -p
mysql> use snort;
mysql> show tables;
3.2.6 Configuring SNORT to send alerts to MySQL
- Let's get snort logging alerts into the mysql database by configuring the output plugin for database logging:
# vi /etc/snort/snort.conf
- Find the line below, remove the comment character at the start of the line and adjust the values as needed:
output database: log, mysql, user=root password=mysql2008 dbname=snort host=localhost
- Restart snort and check whether it has written anything to the database:
# mysql -uroot -p"mysql2008" -D snort -e "select count(*) from event"
3.2.7 Installing the Apache-ssl web server
- Edit the apache-ssl configuration file
# vi /etc/apache-ssl/httpd.conf
- Uncomment the following 2 lines:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
- Enable extension=mysql.so in /etc/php4/apache/php.ini
# vi /etc/php4/apache/php.ini
Uncomment the following line:
extension=mysql.so
- Restart apache
# /etc/init.d/apache-ssl restart
3.2.8 Installing and configuring Basic Analysis and Security Engine (BASE)
BASE is an excellent application that provides a web interface for querying and analyzing Snort alerts. BASE 1.3.8 was just released.
- Install BASE:
# cd /var/www
# rm index.html
# wget http://jaist.dl.sourceforge.net/sourceforge/secureideas/base-1.3.6.tar.gz
# tar xvzf base-1.3.6.tar.gz
# mv base-1.3.6 base
# chmod 777 base (just for now)
- Open a browser and go to: https://203.128.246.100/base/index.html
+ Continue
+ Step 1 of 5
Pick a language: english
Path to ADODB: /usr/share/php/adodb
Submit query
+ Step 2 of 5
Pick a database type: MySQL
Database name: snort
Database host: localhost
Database Port: Leave blank for default! blank


Database User Name: snort
Database Password: snort
Skip the "Use Archive Database" section
Submit query
+ Step 3 of 5
Admin username: snortadmin
Password: snort2008
Fullname: Snort Admin
+ Step 4 of 5
Click "Create BASE AG", which adds tables to extend the Snort DB to support the BASE functionality
Now continue to step 5 to login
+ The BASE administration screen appears
- You should be all set up now. I see thousands of events from my very noisy rule. Now I will disable the rule, restart snort, delete all these events from Base, and carry on with tuning my system.
- Go back and chmod 755 the base directory in /var/www
# cd /var/www
# chmod 755 base
- With the current Debian Testing, the following additional configuration is needed before BASE can display charts:
+ Link php on Debian to php4, as follows:
# rm /etc/alternatives/php
# ln -s /usr/bin/php4 /etc/alternatives/php
+ Then run the following command:
# pear config-set preferred_state alpha
+ Then uncomment extension=gd.so in /etc/php4/cli/php.ini, because the pear command line uses php-cli to check the dependencies:
# vi /etc/php4/cli/php.ini
Uncomment the following line:
extension=gd.so
+ Then run the commands:
# pear install Image_Color
# pear install Image_Canvas
# pear install Log
# pear install Numbers_Roman
# pear install Numbers_Words
# pear install Image_Graph
+ Restart the apache-ssl service before clicking on the links and charts:
# /etc/init.d/apache-ssl restart
+ Install signatures into the BASE install
o Create a directory named signature/ in the BASE install directory
o Copy any signature txt file you would like into that directory
3.2.9 Updating the rules with Oinkmaster
- Basic installation:
# cd /usr/local/src
# wget http://nchc.dl.sourceforge.net/sourceforge/oinkmaster/oinkmaster-2.0.tar.gz
# tar xvzf oinkmaster-2.0.tar.gz
# cd oinkmaster-2.0
# cp oinkmaster.pl /usr/local/bin
# mkdir /usr/local/etc
# cp oinkmaster.conf /usr/local/etc
- Create the temp directory


# mkdir /tmp/oinkmaster
- Create the rule-backup directory
# mkdir /etc/snort/rulesbackup
- Edit the configuration file
# vi /usr/local/etc/oinkmaster.conf
url = http://www.snort.org/pub-bin/oinkmaster.cgi/a7a0ac0d6e14a691882eab106f27be4bc76fa28f/snortrules-snapshot-CURRENT.tar.gz
- Run oinkmaster to update the rules at 00:00 every day:
# vi /etc/crontab
0 0 * * * root /usr/local/bin/oinkmaster.pl -C /usr/local/etc/oinkmaster.conf -o /etc/snort/rules -b /etc/snort/rulesbackup
3.2.10 Startup script
- Create the startup script:
# vi /etc/init.d/snort
====
#!/bin/bash
/sbin/ifconfig eth1 up
/usr/local/bin/snort -Dq -u snort -g snort -i eth1 -c /etc/snort/snort.conf -l /var/log/snort
====
- Make it executable:
# chmod +x /etc/init.d/snort
- The command update-rc.d will set up links between files in the directories rc?.d
# update-rc.d snort defaults 95
Reboot and see if it works!


3.2.11 Creating accounts for access to Base
# cd /etc/apache-ssl/
# htpasswd -b -c /etc/apache-ssl/passwdBase admin basedhbk082007
# htpasswd -b /etc/apache-ssl/passwdBase viewer viewerdhbk082007
# htdigest -b -c conf.d/passwdBase realm admin basedhbk082007
# htdigest -b conf.d/passwdBase realm viewer viewerdhbk082007
- Administration - Create user:
+ Login: snortadmin
+ Fullname: Snort Admin
+ Password: snort2008
+ Role: admin
+ Login: snortviewer
+ Fullname: Snort Viewer
+ Password: viewer2008
+ Role: user
3.2.12 Configuring the SNMP server
- Install the snmpd package so that the monitoring server can read the parameters of the intrusion detection system
# apt-get -y install snmpd
- Edit the configuration file /etc/snmp/snmpd.conf
# vi /etc/snmp/snmpd.conf
===
com2sec local     localhost          dhbk
com2sec localnet  203.128.246.0/24   dhbk
group MyROGroup v1 local
group MyROGroup v1 localnet
view all included .1 80
view system included .iso.org.dod.internet.mgmt.mib-2.system
access MyROGroup "" any noauth exact all none none
===
- Configure the file /etc/default/snmpd.conf (by default Debian listens on localhost only --> add the interface with the host's own IP so that snmpd listens on it)
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1 203.128.246.91'   (the IP is appended at the end)
- Restart the SNMP service
# /etc/init.d/snmpd restart
3.2.13 Creating index.php to redirect the browser to https://192.168.40.12
# vi /var/www/index.php
===
<?php
header('Location: ' . "https://192.168.40.12/base/");
?>
===
3.2.14 Installing the Webmin administration software
- Add to /etc/apt/sources.list:


deb http://download.webmin.com/download/repository sarge contrib
# apt-get -y update
# apt-get install webmin
The following packages are installed in addition:
libauthen-pam-perl libio-pty-perl libmd5-perl libnet-ssleay-perl
- Login URL: https://192.168.40.12:10000/
3.3 The system interface after installation
3.3.1 Basic configuration information
Physical location of the IDS
The IDS has 2 network interfaces, currently connected as follows:
+ eth0 is connected to a port in Vlan40, used for administration
+ eth1 is connected to port 20, sniffing the traffic from the DMZ
Debian operating system information
- Administrator account: root/root
- Eth0 interface
+ IP: 192.168.40.12/24
+ Netmask: 255.255.255.0
+ Network: 192.168.40.0/24
+ Broadcast: 192.168.40.255
+ Gateway: 192.168.40.1
+ DNS: 208.67.222.222 (Open DNS server)

- Installed software:
+ Iptables / Shorewall


+ Snort 2.7
+ MySQL Server
+ PHP 4.4.4-8+etch4
+ Apache-ssl 1.3.34
+ Basic Analysis and Security Engine 1.3.6
+ Oinkmaster 2.0
+ Webmin
+ SNMP server (used by the monitoring server)
- Open services:
+ 22/tcp ssh
+ 443/tcp https (BASE)
+ 3306/tcp mysql
+ 10000/tcp https (WEBMIN)
+ 161/udp snmp

3.3.2 SNORT usage guide
- Configuration file: /etc/snort/snort.conf
- Log file: /var/log/snort/alert
- Rules directory: /etc/snort/rules/

Starting or killing the process
- To start SNORT, type:
# /etc/init.d/snort start
Or
# /sbin/ifconfig eth1 up
# /usr/local/bin/snort -Dq -u snort -g snort -i eth1 -c /etc/snort/snort.conf -l /var/log/snort
- To kill the SNORT process, type:
# pkill snort


SNORT configuration file
# vi /etc/snort/snort.conf
---
# Parameters of the monitored network addresses
var HOME_NET [203.128.246.80/28,203.128.246.96/29,172.168.2.0/24]
Using OINKMASTER to update the rules
- Update the rules periodically with cron at 00:00 every day:
# vi /etc/crontab
0 0 * * * root /usr/local/bin/oinkmaster.pl -C /usr/local/etc/oinkmaster.conf -o /etc/snort/rules -b /etc/snort/rulesbackup
- Edit the oinkmaster.conf configuration file to control how the rules are updated:
# vi /usr/local/etc/oinkmaster.conf
+ To keep a rule file unchanged, i.e. never update it, find the section:
# Files to totally skip (i.e. never update or check for changes)
#
# Syntax: skipfile filename
#
# or: skipfile filename1, filename2, filename3, ...
Example:
skipfile local.rules     # do not automatically update local.rules
skipfile deleted.rules   # do not automatically update deleted.rules
skipfile snort.conf      # do not automatically update snort.conf

+ To change the content of rules after each update, find the section:
# SIDs to modify after each update (only for the skilled/stupid/brave).
#
# Syntax: modifysid SID "replacethis" | "withthis"
#
# or: modifysid SID1, SID2, SID3, ... "replacethis" | "withthis"
#
# or: modifysid file "replacethis" | "withthis"
#
# or: modifysid * "replacethis" | "withthis"
Example:
modifysid 1325 "^#alert" | "alert"   # uncomment rule 1325
modifysid 1325 "^#" | ""             # uncomment rule 1325
modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"   # add a tag to rule 1325
modifysid 1378 "^alert" | "drop"     # change rule 1378 from alert to drop
modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET"   # change the first occurrence of EXTERNAL_NET to HOME_NET


+ To never update a particular rule, find the section:
# SIDs that we don't want to update.
#
# Syntax: localsid SID
#
# or: localsid SID1, SID2, SID3, ...
Example:
localsid 1325   # never update rule 1325
+ To enable a rule after each update, find the section:
# SIDs to enable after each update.
#
# Syntax: enablesid SID
#
# or: enablesid SID1, SID2, SID3, ...
Example:
enablesid 1325   # uncomment rule 1325

+ To disable a rule after each update, find the section:
# SIDs to comment out, i.e. disable, after each update by placing a
#
# Syntax: disablesid SID
#
# or: disablesid SID1, SID2, SID3, ...
Example:
disablesid 1324   # comment out rule 1324
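As an added example (not the thesis' own material and not Oinkmaster's code), the following Python applies the disablesid, enablesid, localsid and modifysid directives described above to a constructed rules file, so the effect of each directive on the downloaded rules can be checked before it is put into cron. The sample rule lines are constructed for the demonstration; only the SIDs 483, 486, 1325 and 1378 come from this chapter, and the localsid choice of 1378 is an assumption.

```python
import re

# Constructed stand-ins for a freshly downloaded rules file and for the local copy it would
# replace (not real snort.org content). SIDs 483, 486, 1325 and 1378 are the ones used in this chapter.
NEW_RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; itype:8; sid:483; rev:6;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Administratively Prohibited"; icode:10; itype:3; sid:486; rev:5;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB old"; sid:1325; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"MS-SQL probe"; sid:1378; rev:1;)
"""
OLD_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"MS-SQL probe (local edit)"; sid:1378; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def sid_of(line):
    """Return the SID carried by a rule line (commented out or not), or None for other lines."""
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None


def apply_policy(new_text, old_text, disablesid=(), enablesid=(), localsid=(), modifysid=()):
    """Post-process a downloaded rules file the way the oinkmaster.conf directives above do
    (a simplified re-implementation, not Oinkmaster's own code): localsid keeps the local copy
    of a SID, modifysid applies a first-occurrence regex substitution, enablesid uncomments,
    disablesid comments out. modifysid entries are (sid or "*", pattern, replacement)."""
    old_by_sid = {sid_of(l): l for l in old_text.splitlines() if sid_of(l) is not None}
    out = []
    for line in new_text.splitlines():
        sid = sid_of(line)
        if sid is None:  # comments, blank lines, variables: copied unchanged
            out.append(line)
            continue
        if sid in localsid and sid in old_by_sid:
            out.append(old_by_sid[sid])  # the update never overwrites a locally edited rule
            continue
        for target, pattern, repl in modifysid:
            if target == "*" or target == sid:
                line = re.sub(pattern, repl, line, count=1)
        if sid in enablesid:
            line = re.sub(r"^#\s*", "", line)  # same effect as: modifysid SID "^#" | ""
        if sid in disablesid and not line.lstrip().startswith("#"):
            line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n"


def disabled_sids(text):
    """SIDs whose rule line is commented out: a quick check to run after each cron update."""
    return {sid_of(l) for l in text.splitlines()
            if l.lstrip().startswith("#") and sid_of(l) is not None}


# The policy of sections 3.3.2 and 3.3.3 expressed as arguments (localsid 1378 is a constructed choice).
POLICY = dict(
    disablesid={483, 486},  # disablesid 483 / disablesid 486
    enablesid={1325},       # enablesid 1325
    localsid={1378},        # localsid 1378
    modifysid=[(1325, r"sid:1325;", "sid:1325; tag: host, src, 300, seconds;")],
)
UPDATED = apply_policy(NEW_RULES, OLD_RULES, **POLICY)
```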

3.3.3. Guide to using the analysis tool (Base)


Logging in to the administration page
- Administrator account: admin/base2008
- Login address: https://192.168.40.12/
- Login screen:

Figure 3.1: Base administration page
- After a successful login, the administration interface is displayed:

Figure 3.2: Administration interface


Tuning the rules

Identify the alerts with the highest frequency -> the rules must be tuned to cut down alerts that carry little meaning or show no sign of danger.

a. The alert ICMP PING CyberKit 2.2 Windows appears very often (19771 times, 46% of all ICMP alerts) -> rule 483 must be hidden.
+ Hide rule 483 in icmp.rules
  # vi /etc/snort/rules/icmp.rules
  ---
  # comment out the rule with sid:483
  #alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:483; rev:6;)
+ Hide rule 483 when updating
  # vi /usr/local/etc/oinkmaster.conf
  ---
  # Disable SID 483 ICMP PING CyberKit 2.2 Windows
  disablesid 483

b. The alert ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited appears very often (10092 times, 23% of all ICMP alerts) -> rule 486 must be hidden.
+ Hide rule 486 in icmp.rules
  # vi /etc/snort/rules/icmp.rules
  ---
  #alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:5;)
+ Hide rule 486 when updating
  # vi /usr/local/etc/oinkmaster.conf
  ---
  # Disable SID 486 ICMP Destination Unreachable Communication with
  # Destination Host is Administratively Prohibited
  disablesid 486

c. Open the main BASE interface: https://192.168.40.12/base/base_main.php
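The Oinkmaster SID directives above (localsid, enablesid, disablesid) and the two tuning steps a. and b. both come down to the same operation: rank alerts by how often they fire, then comment a rule in or out by its SID. The script below is an added example written for this thesis, not code from Snort or Oinkmaster; the icmp.rules excerpt, the per-SID alert counts and the oinkmaster.conf fragment are constructed to mirror the SID 483 / SID 486 case in the text, and the third rule (sid 469) is only there to show enablesid working.

```python
"""Rank alerts by frequency and then apply Oinkmaster-style SID directives
(disablesid / enablesid / localsid) to a Snort rules file.

Added example for this thesis, not code from Snort or Oinkmaster. The rules
excerpt, alert counts and oinkmaster.conf lines below are constructed to
mirror the tuning of SID 483 and SID 486 described in the text.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of icmp.rules: the two noisy rules from the text plus a
# third rule that is currently commented out.
ICMP_RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:483; rev:6;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:5;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; classtype:attempted-recon; sid:469; rev:3;)
"""

# Constructed per-SID alert counts, as BASE's "Unique alerts" view lists them.
ALERT_COUNTS = {483: 19771, 486: 10092, 469: 120}

# Constructed oinkmaster.conf fragment (same directives as in the text).
OINKMASTER_CONF = """\
# Disable SID 483 ICMP PING CyberKit 2.2 Windows
disablesid 483
# Disable SID 486 ICMP Destination Unreachable Communication with
# Destination Host is Administratively Prohibited
disablesid 486
# Re-enable the NMAP ping rule after each update
enablesid 469
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def rank_alerts(counts: Dict[int, int]) -> List[Tuple[int, int, float]]:
    """Return (sid, count, percent of total) from most to least frequent."""
    total = sum(counts.values()) or 1
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    return [(sid, n, round(100.0 * n / total, 1)) for sid, n in ranked]


def parse_sid_directives(conf: str) -> Dict[str, Set[int]]:
    """Collect disablesid / enablesid / localsid SIDs from oinkmaster.conf text.
    Accepts both 'disablesid 483' and 'disablesid 483, 486' forms."""
    out: Dict[str, Set[int]] = {"disablesid": set(), "enablesid": set(), "localsid": set()}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if key in out:
            out[key].update(int(s) for s in re.split(r"[,\s]+", rest) if s)
    return out


def apply_sid_directives(rules: str, directives: Dict[str, Set[int]]) -> str:
    """Comment out disabled SIDs and uncomment enabled ones.
    A SID listed under localsid is never touched, which is how Oinkmaster
    protects locally modified rules."""
    result = []
    for line in rules.splitlines():
        m = SID_RE.search(line)
        if m is None:
            result.append(line)
            continue
        sid = int(m.group(1))
        body = line.lstrip().lstrip("#").lstrip()  # the rule without its comment marker
        if sid in directives["localsid"]:
            result.append(line)
        elif sid in directives["disablesid"]:
            result.append("#" + body)
        elif sid in directives["enablesid"]:
            result.append(body)
        else:
            result.append(line)
    return "\n".join(result) + "\n"


def active_sids(rules: str) -> Set[int]:
    """SIDs of rules that are not commented out."""
    sids = set()
    for line in rules.splitlines():
        m = SID_RE.search(line)
        if m and not line.lstrip().startswith("#"):
            sids.add(int(m.group(1)))
    return sids


if __name__ == "__main__":
    for sid, n, pct in rank_alerts(ALERT_COUNTS):
        print(f"sid {sid}: {n} alerts ({pct}%)")
    tuned = apply_sid_directives(ICMP_RULES, parse_sid_directives(OINKMASTER_CONF))
    print(tuned)
    print("active SIDs after tuning:", sorted(active_sids(tuned)))
```

Running it lists SID 483 and 486 as the two dominant alerts and then produces a rules text in which both are commented out while sid 469 is active again; the localsid check runs first so that a rule an administrator has edited by hand survives the update step unchanged.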

Figure 3.3: Main BASE interface
- Click Unique on the Today's Alerts row to see how often each alert has appeared today


Figure 3.4: Alert frequencies
- Next, click > in the Total # column to sort the alerts by frequency, from most to least frequent.

Figure 3.5: Alert frequencies sorted by class
- Looking at the list, the alert MS-SQL Worm propagation attempt appears most often; click the link 368 in the corresponding <Total #> column to view its details


Figure 3.6: Details of one alert
- In the Summary Statistics table, click the Destination link in the Unique addresses row to see the destination addresses under attack.

Figure 3.7: Display of suspicious addresses
- The table shows that the IP range 80-100 is the target being exploited. Next, click the [snort] link to view information about this alert in the signature database at www.snort.org


Figure 3.8: Looking up details of the suspicious alert
- After reading the information about this alert, it is most likely generated by the Slammer worm spreading on the Internet, which tries to exploit a buffer overflow in the MS SQL Server 2000 Resolution Service.

Figure 3.9: Identifying the alert information
- Reading the information about this alert further, the way to handle it is given right away in the Corrective Action section:
+ Block access from outside to the MS SQL services on ports 1433 and 1434. This is done on the system firewall.


+ Apply the patch for the MS SQL services, published at URL: www.microsoft.com/technet/security/bulletin/MS02-039.asp

Viewing packet payloads

To view a packet's payload, click the ID column of the corresponding alert,

Figure 3.10: Viewing a packet's payload
- Example: click the link #0-(2-48876) to view the contents of the corresponding packet

Figure 3.11: Viewing a packet's contents


- This feature is especially useful: it lets the IDS admin review the entire packet that produced the alert, which makes rule tuning more accurate and more convenient.

Searching

To search for a particular alert, click the Search link and search by many different criteria such as: Sensor, Alert Group, Signature, Classification, Priority, Alert Time, then sort by one of the available options.

Figure 3.12: Searching for alerts

Managing alert groups

Besides Snort's built-in classification of rules, for convenient management the user can create different alert groups and assign alerts to whichever group fits their own point of view. Click Alert Group Management to work with groups:


Figure 3.13: Managing alerts by group

You can create a new group (Create), view the alerts belonging to a group (View), edit a group (Edit), delete a group (Delete) and reset a group (Clear).

Visual charts

BASE provides several ways to display visual charts, letting the administrator quickly get a feel for the system's problems and come up with timely solutions.

Graph Alert Data

Click "Graph Alert Data" to view charts of alert data:


Figure 3.14: Choosing a data chart

There are many parameters for building a chart, including:
- Chart type (Chart title):
  + Time (by hour) vs. number of alerts
  + Time (by day) vs. number of alerts
  + Time (by month) vs. number of alerts
  + ...
- Chart period:
  + 7 days (1 week)
  + 24 hours (1 day)
  + 168 hours (24 x 7)
- Chart size
- Chart margins: left, right, top, bottom
- Plot type: bar, line, pie
- Start time, end time


Figure 3.15: Visual chart

Graph Alert Detection Time

On the main page, click "Graph Alert Detection Time" to view a chart of alert frequency by hour, day or month. This kind of chart is very useful: it makes unusual times stand out, which helps direct the administrator's attention to the important points.
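The detection-time chart is a histogram of alert timestamps over the chosen period, and the "unusual time" the text refers to is simply a bucket whose count is far above the others. The script below is an added example written for this thesis, not BASE or Snort code; it buckets alerts by hour, day or month, flags buckets above a constructed threshold (three times the median bucket count), and names the dominant signature in each flagged bucket, which is the drill-down step the BASE walkthrough above does by clicking. The alert records are constructed: a quiet morning with a burst of worm alerts around 11:00.

```python
"""Compute what BASE's "Graph Alert Detection Time" chart shows: alerts
bucketed by hour, day or month, plus a flag for the buckets whose volume
stands out, which is the cue the text says the chart gives the administrator.

Added example for this thesis, not BASE or Snort code. The alert records are
constructed: a quiet morning with a burst of worm alerts around 11:00.
"""
from collections import Counter
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

PERIOD_FORMAT = {"hour": "%Y-%m-%d %H:00", "day": "%Y-%m-%d", "month": "%Y-%m"}


def constructed_alerts() -> List[Tuple[str, str]]:
    """Build (timestamp, signature) records; constructed for this example."""
    per_hour = {"08": 2, "09": 3, "10": 2, "11": 12, "12": 3}
    rows = []
    for hh, n in per_hour.items():
        for i in range(n):
            sig = "MS-SQL Worm propagation attempt" if hh == "11" else "ICMP PING"
            rows.append((f"2008-05-12 {hh}:{i:02d}:00", sig))
    return rows


ALERTS = constructed_alerts()


def bucket_key(timestamp: str, period: str = "hour") -> str:
    """Map a 'YYYY-MM-DD HH:MM:SS' timestamp to its hour/day/month bucket."""
    ts = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S")
    return ts.strftime(PERIOD_FORMAT[period])


def bucket_alerts(alerts, period: str = "hour") -> Dict[str, int]:
    """Alert count per bucket, in chronological order (keys sort as strings)."""
    counts = Counter(bucket_key(ts, period) for ts, _sig in alerts)
    return dict(sorted(counts.items()))


def unusual_buckets(counts: Dict[str, int], factor: float = 3.0) -> List[str]:
    """Buckets whose count exceeds `factor` times the median bucket count.
    The factor is a constructed heuristic; tune it to the sensor's baseline."""
    if not counts:
        return []
    baseline = median(counts.values())
    return [k for k, v in counts.items() if v > factor * baseline]


def dominant_signature(alerts, bucket: str, period: str = "hour") -> str:
    """Most frequent signature inside one bucket: the next drill-down step,
    which in BASE means clicking through to the Unique alerts list."""
    sigs = Counter(sig for ts, sig in alerts if bucket_key(ts, period) == bucket)
    return sigs.most_common(1)[0][0] if sigs else ""


def ascii_chart(counts: Dict[str, int], width: int = 40) -> str:
    """Text bar chart, one line per bucket, scaled to `width` characters."""
    peak = max(counts.values(), default=1)
    return "\n".join(
        f"{k}  {'#' * (v * width // peak):<{width}} {v}" for k, v in counts.items()
    )


if __name__ == "__main__":
    hourly = bucket_alerts(ALERTS, "hour")
    print(ascii_chart(hourly))
    for b in unusual_buckets(hourly):
        print(f"unusual: {b} -> {hourly[b]} alerts, mostly '{dominant_signature(ALERTS, b)}'")
```

With the constructed records only the 11:00 bucket is flagged, and its dominant signature is the MS-SQL worm alert, which is exactly the alert the walkthrough then investigated; on a real sensor the median-based threshold should be checked against a few days of normal traffic before it is relied on.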


Figure 3.16: Alert frequency chart

3.3.4 Guide to using Webmin

Logging in to the administration page
- WEBMIN admin account: root/root2008
- Login address: https://192.168.40.12:10000/
- Login screen

Figure 3.17: Webmin login screen
- After a successful login, the following window appears:


Figure 3.18: Successful login

Webmin administration

This section allows changing Webmin's own configuration and includes the items:
- Backup Configuration Files
- Change language and theme
- Webmin Actions logs
- Webmin configuration
- Webmin server index
- Webmin users

Figure 3.19: Administration tool interface

System administration

Webmin is currently configured to administer the following system items (under the System section):
- Bootup and Shutdown
- Change Passwords
- Disk and Network file systems
- File system backups
- Log file rotation
- MIME type programs
- PAM Authentication
- Running processes
- Scheduled Commands
- Scheduled Cron jobs
- Software packages
- SysV Init Configuration
- System Documentation
- System logs
- Users and Groups

Figure 3.20: Items that can be administered

Server administration

Webmin is currently configured to administer the following services:
- Apache webserver
- MySql server
- SSH server

Figure 3.21: Services being administered

Network service administration

Webmin is currently configured to change the following network configuration items:
- Internet services and protocols
- Linux firewall (IPTables)
- Network configuration
- PPP Dial in server
- Shorewall firewall


Figure 3.22: Network services that can be administered

Hardware administration

Webmin is configured to change the following hardware configuration items:
- Grub boot loader
- Partitions on Local disks
- System time


Figure 3.23: Hardware administration

Other administration

In addition, Webmin can administer a number of other applications:
- Command shell
- Custom commands
- File manager
- Http tunnel
- PHP configuration
- PERL Modules
- Protected web directories
- SSH/Telnet login
- System and server status
- Upload and download


Figure 3.24: Administering other applications


CONCLUSION

Every network has technical vulnerabilities that allow attackers to break into the system to steal information or cause damage, so in practice no network can be considered absolutely secure. For this reason, several security techniques are usually used together with a network to keep it safe. Besides using encryption methods to keep information confidential and authentication mechanisms to verify that users are legitimate, using an IDS to improve network management and protection is very necessary. Although deploying an IDS comprehensively across a network involves many difficulties, the benefits it brings are very large. On the one hand it helps keep the system safe from attack threats; on the other hand it lets the administrator identify and detect latent threats from the analyses and reports the IDS provides. A system with an integrated IDS can thus help eliminate a significant share of the security holes in the network environment.

By using software IDS solutions in place of hardware IDS, for budget reasons, our network has relatively reduced the latent attack threats and raised its level of safety. From the references applied in deploying a software IDS integrated into the network, we can see that a software IDS can fully perform the same functions as a hardware IDS; because the software deployment time was short, the add-on modules for the IDS have not yet been completed. With further development, the IDS could be fully integrated to interact with the rest of the network: when an attack occurs, the IDS would automatically notify the administrator and automatically propose a suitable response to neutralize that attack.

