
TABLE OF CONTENTS

Title page
Acknowledgements
Declaration
Thesis abstract
Table of contents -------------------------------------------------- i
List of abbreviations ---------------------------------------------- iv
List of figures ---------------------------------------------------- v
INTRODUCTION ------------------------------------------------------- 1
1 Urgency of the topic --------------------------------------------- 1
2 Objectives of the thesis ----------------------------------------- 2
3 Software under study --------------------------------------------- 2
4 Research content ------------------------------------------------- 3
5 Structure of the thesis ------------------------------------------ 4
6 Related work ----------------------------------------------------- 5
CHAPTER 1: OVERVIEW
1.1 Overview of computer network security -------------------------- 6
1.2 Classification of security threats ----------------------------- 8
1.2.1 Internal threats --------------------------------------------- 8
1.2.2 External threats --------------------------------------------- 9
1.2.3 Unstructured threats ----------------------------------------- 9
1.2.4 Structured threats ------------------------------------------- 10
1.3 Classification of security vulnerabilities --------------------- 10
1.3.1 Security vulnerabilities ------------------------------------- 10
1.3.2 Classifying security vulnerabilities ------------------------- 10
1.4 Some types of network attacks ---------------------------------- 14
1.5 Solutions for detecting and preventing network attacks --------- 17
1.5.1 Measures for detecting that a system is under attack --------- 17
1.5.2 Intrusion detection and prevention solutions ----------------- 19
CHAPTER 2: INTRUSION DETECTION AND PREVENTION SYSTEMS
2.1 Role and functions of intrusion detection and prevention systems ---- 22
2.1.1 History ------------------------------------------------------ 22
2.1.2 Role and functions of intrusion detection and prevention systems -- 23
2.2 Characteristics and architecture of IDS/IPS -------------------- 24
2.2.1 IDS/IPS infrastructure --------------------------------------- 24
2.2.2 Architecture of an intrusion detection system ---------------- 25
2.3 Classification of IDS/IPS -------------------------------------- 29
2.3.1 Host-based IDS/IPS (HIDS) ------------------------------------ 31
2.3.2 Network-based IDS/IPS (NIDS/IPS) ----------------------------- 32
2.3.3 Deploying IDS/IPS -------------------------------------------- 34
2.3.4 Intrusion detection and prevention capabilities of IDS/IPS --- 36
2.4 Network traffic monitoring systems ----------------------------- 37
2.5 Alerting systems ----------------------------------------------- 38
2.6 SNMP and network monitoring systems ---------------------------- 39
CHAPTER 3: OPEN-SOURCE TOOLS FOR NETWORK MONITORING, INTRUSION DETECTION AND PREVENTION
3.1 Introduction --------------------------------------------------- 41
3.2 Characteristics of Snort --------------------------------------- 42
3.3 Snort issues and deployability --------------------------------- 45
3.3.1 Benefits of Snort -------------------------------------------- 45
3.3.2 Evaluation of the Snort rule set ----------------------------- 46
3.4 Fwsnort: converting Snort rules to iptables -------------------- 46
3.5 Device and service status monitoring: Nagios ------------------- 46
3.6 Traffic monitoring: Cacti -------------------------------------- 50
3.7 SMS alerting: Gnokii ------------------------------------------- 53
3.8 Proposed model combining Snort, Fwsnort, Nagios and Cacti ------ 54
CHAPTER 4: DEVELOPING A NETWORK MONITORING AND INTRUSION DETECTION APPLICATION BASED ON OPEN SOURCE
4.1 Experimental deployment model ---------------------------------- 57
4.2 Experimental installation -------------------------------------- 57
4.2.1 Installing Gnokii -------------------------------------------- 58
4.2.2 Installing Snort --------------------------------------------- 59
4.2.4 Installing Nagios -------------------------------------------- 63
4.2.5 Installing Cacti --------------------------------------------- 65
4.3 Experimental results ------------------------------------------- 71
CHAPTER 5: CONCLUSIONS, RESULTS AND FUTURE DIRECTIONS
5.1 Conclusions ---------------------------------------------------- 76
5.2 Results achieved ----------------------------------------------- 77
5.3 Scientific and practical significance -------------------------- 78
5.3.1 Scientific significance -------------------------------------- 78
5.3.2 Practical significance --------------------------------------- 78
5.4 Future directions ---------------------------------------------- 78
REFERENCES
APPENDICES
APPENDIX A: Configuring a GSM gateway on Linux
APPENDIX B: Installing Snort
APPENDIX C: Installing and configuring Nagios
APPENDIX D: Installing and configuring Cacti

INTRODUCTION

1 Urgency of the topic

From the 1960s through the 1980s and into the 1990s, the term "wide area network" spread widely, beginning with the United States Department of Defense; the term, later abbreviated WAN, became known worldwide. A WAN is defined simply as the interconnection of individual computers across the world on the basis of a connection protocol called TCP/IP. Today, computer networks are growing at a very high rate and their scope keeps widening; the present exhaustion of the IP version 4 address space is evidence of how quickly computer networks have grown into an environment that serves the developing activities of humanity. In parallel, science and technology and the body of knowledge around computer networks and smart devices are developing strongly, and they in turn drive the strong and outstanding growth of networks worldwide. Computer networks are therefore an indispensable and extremely important part of a nation, a business, or simply a small household; they contribute to the particular successes of national networks and of business networks, because most of today's work, from transactions to the exchange of information, relies on computer networks. The strong growth of computer networks is also fertile ground for surveillance and information theft by computer-crime groups; illegal intrusion into and theft of information from businesses confronts the world with the question of how a business can keep its own information secure. Information security, or network safety and security, is among the foremost concerns of businesses. Some businesses hire a third party and hand over the security of their network and information to it; others draw up plans costing the purchase of software products to meet their security needs. With either solution, however, a business must balance its annual financial policy so that its information-security solution is optimal and as cheap as possible while still keeping exchanged information safe and protecting the unit's information against attacks by technology criminals from outside. For that reason, this thesis develops a network monitoring system based on open-source software, to help meet part of the requirements of businesses for information security and network security.

2 Objectives of the thesis

The thesis is carried out with the following aims: to survey information-security vulnerabilities, the risks of losing information security, and the risks of a network being intruded upon and attacked; to propose a network monitoring solution comprising intrusion detection and the monitoring of network devices such as routers, switches and servers and of a number of network services in use; and to develop the program's alerting system via text message (SMS), email and the web.

3 Software under study

The objects of study in this thesis are open-source software programs, including:
+ open-source intrusion detection programs;
+ open-source intrusion prevention programs;
+ open-source programs for monitoring network traffic;

+ open-source programs for monitoring network devices and network services.

4 Research content

The thesis focuses on problems related to detecting unauthorized intrusion and monitoring network traffic, including:
+ Studying the possible ways of attacking a network.
+ Studying the possible ways of detecting unauthorized intrusion into a network.
+ Studying the possible ways of preventing a number of network attack methods.
+ Studying the possible ways of monitoring the operation of network devices and network services across the whole network.
From these problems, a model is proposed for monitoring the operation of network devices and for detecting and preventing intrusion, integrated from open-source programs. The solution for monitoring network devices and network services and for detecting and preventing unauthorized intrusion is then installed experimentally on the basis of open-source programs, with alerts sent to the administrator by SMS, email and the web. In the body of this graduation thesis, the author concentrates on programs provided as open source and, building on them, constructs an overall solution for monitoring the network, its services and abnormal signs within it, so that the network administrator has an overview of detecting and preventing unauthorized intrusion. Specifically, the author proposes using widely available open-source programs such as Nagios, Snort, Cacti and Gnokii, together with a GSM/GPRS modem or a mobile phone, to test the solution experimentally. The result is a network monitoring system able to detect and alert on unauthorized intrusion attempts, prevent network attacks, and monitor the operation of network devices, including the traffic on a device, the hardware components within a device, and the services used in the network. On top of these solutions the author develops an alerting system that notifies the network administrator by several means (email, SMS, web), so that the administrator can remedy and handle network incidents as quickly and effectively as possible.

5 Structure of the thesis

The thesis is organized in 5 chapters.
Chapter 1: Overview. A broad introduction to network security and to the problems of attacks on and intrusion into networks.
Chapter 2: Network intrusion detection and prevention systems. The author gives an overview of the capabilities, role and characteristics of programs for detecting and preventing network intrusion, monitoring traffic and monitoring network services.
Chapter 3: Tools supporting network intrusion detection and prevention. The author presents the characteristics of the open-source software used in the experimental installation of the thesis, and how they can be integrated into a single system for monitoring, detecting intrusion and sending instant alerts by SMS, email or the web.
Chapter 4: The author concentrates on developing a network monitoring application with open-source programs, proposes a network model, and performs the experimental installation using the open-source programs named in the thesis.

Chapter 5: Assessment of what was achieved, conclusions and directions for further development of the thesis.

6 Related work

- Master's thesis in computer engineering "Building a network monitoring support system" by Nguyen Dang Bao Phuc, Da Nang University, March 2012. The thesis explains how to install and configure the open-source program Nagios to monitor a network, combined with Gammu to send text messages to the network administrator.
- Engineering graduation report "Study of a network management monitoring system on the open-source Nagios platform", posted on the website http://www.hce.edu.vn/hsv/ in 2008. This report also focuses on installing and configuring a Nagios-based network monitoring program.
- Scientific research report "Building an open-source network monitoring system" by a group of students of the Faculty of Information Technology, Da Lat University, 2010. The report contains initial findings on how Nagios works and installation instructions.
- Engineering graduation report "Study and deployment of a network management monitoring system on the open-source Nagios platform", May 2009, by Pham Hong Khai, Information Technology, Vietnam National University, Hanoi. The author studies a Nagios-based network monitoring model, exploits the program's strengths, puts it into network monitoring, and applies Snort to the system.
In these related works the authors concentrate mainly on the open-source programs Nagios and Snort, using an open-source platform to build a network monitoring system; none builds an overall model that combines detection with intuitive alerting by SMS and email to make the administrator's management and operation more effective.

CHAPTER 1: OVERVIEW


1.1 Overview of computer network security

Computer network security is currently regarded as one of the most important issues for every country, Vietnam included. According to incomplete statistics from the General Statistics Office, as of March 2012 there were about 4.2 million Internet subscriptions, up 17.5%, and the total number of Internet users had also grown by 15.3% to about 32.1 million compared with the same point in 2011. These figures show that information technology in Vietnam has been developing very rapidly in recent years and is expected to keep rising with the spread of smart devices and other equipment. Some Vietnamese businesses have no plan, or only a small investment plan, for securing their networks, even as they begin to develop network applications to advertise or publish their information in the digital world. According to the report on information security published on Information Security Day 2011, concerning information security in Vietnamese organizations and businesses in 2011:
- 52% of organizations still had no standard operating procedure for responding to computer attacks.
- The rate of use of specialized or narrower technologies such as encryption, intrusion detection systems, digital certificates and digital signatures was 20%.
- In particular, the rate of use of advanced network-security solutions such as identity management, data-loss-prevention systems and biometrics was only 5% of all solutions against high-tech crime. [1]
Assessing information security over the past years, the leading security experts in Vietnam share the view that there have been great fluctuations and that the level of attacks is increasingly dangerous, causing much damage to domestic businesses [2]. To address this, the leading security companies in the world and in Vietnam continue to research and develop security solution packages comprising hardware devices and software programs for information security and network security. Security solution vendors such as Juniper (with firewall hardware such as NetScreen), Cisco (with firewall appliances such as ASA and PIX), more advanced firewall appliances such as Checkpoint, and the IPS of IBM are hardware products for network security and information security that are continually brought to market. Alongside the hardware there are the software applications that information-security vendors offer for securing information systems; well-known names include Symantec (with anti-virus, anti-spam and anti-malware software), Microsoft, Kaspersky, TrenPC, McAfee and SolarWinds, with software packages that are (by the vendors' own assessment) quite complete for security and information safety. The commercial products that information-security vendors have released in recent years are rated highly for their level of security and their performance; however, investing in a complete set of information-security solutions imposes on small and medium-sized businesses a considerable cost relative to their business activity. Current research in Vietnam and worldwide on building an open-source IDS for detecting and preventing unauthorized network intrusion is also developing strongly, but in Vietnam this research has so far seen little practical deployment, and information security solutions based on open-source software remain a major open problem.

1.2 Classification of security threats

As noted above, security is a major problem for businesses today: a computer criminal who breaks in has many different ways of succeeding in completely damaging a business's network or one of its web application services. Many methods are deployed to reduce the chance of attack, such as developing the network and communication infrastructure on the Internet, using firewalls, encryption, virtual private networks and so on. Intrusion detection is a technique related to the use of firewalls and similar measures. The purpose of an intrusion detection system is to notify the administrator when an intrusion or an attack is detected. There can be many different ways to attack, and an intrusion detection system likewise has many ways to detect. To clarify the problem of intrusion detection, one first needs to understand how the main threats to the security of a network operate. Four security threats to a system are usually described, as follows:

1.2.1 Internal threats

The term "internal threat" describes an attack carried out by a person or organization that has the right to access the network. Attacks from inside are carried out from an area regarded as a trusted zone within the network. This threat can be harder to defend against, because employees or organizations with privileges in the network will access the network and the confidential data of the business. Most businesses today have firewalls at the network borders and rely entirely on ACLs (access control lists) and server access rights to provide internal security. Server access rights usually protect the resources on the server but provide no protection for the network itself. Internal threats are usually carried out by disgruntled employees or organizations who want to turn against the business. Many security methods concern the perimeter of the network, protecting the internal network from external connections such as Internet access. Once the perimeter is secured, the trusted parts inside tend to be less strictly controlled, and once an intruder has passed through the hardened security shell of the network, the rest is usually very simple. Wireless networks introduce a new area of security administration. Unlike wired networks, wireless networks create a coverage area that can be intercepted and used by anyone with the right software and a wireless network adapter. Not only can all network data be viewed and recorded, but attacks on the network can be carried out from inside, where the infrastructure is far more exposed. Strong encryption methods should therefore always be used in wireless networks.

1.2.2 External threats

External threats come from organizations, governments or individuals attempting access from outside the business's network and include everyone who has no right to access the internal network. Typically, external attackers attempt access from dial-up servers or Internet connections. External threats are what businesses usually spend most of their time and money on preventing.

1.2.3 Unstructured threats

Unstructured threats are the most common threat to a business's systems. Novice hackers, often called script kiddies, use software to gather information, gain access, or carry out a DoS attack on a business's system. Script kiddies rely on the software and experience of earlier hackers. Although script kiddies have little knowledge or experience, they can wreak havoc on unprepared businesses. While this is only a game for the kiddies, businesses often lose millions of dollars as well as the trust of the public. If a business's web server is attacked, the public assumes the hacker has broken the business's security, when in fact the hacker has only compromised one of its servers. Web, FTP, SMTP and a few other servers host services with many exploitable vulnerabilities, whereas the important servers are placed behind many layers of security. The public usually does not understand that defacing a business's website is far easier than breaking into that business's credit card database; the public has to trust that a business is good at protecting its private information.

1.2.4 Structured threats

Structured threats are the hardest to prevent and defend against, because they come from organizations or individuals who apply some methodology to carry out the attack. Hackers with deep knowledge, experience and equipment create this threat. These hackers know how packets are constructed and can develop code that exploits vulnerabilities in the structure of a protocol. They also know the measures used to prevent unauthorized access, as well as IDS systems and how they detect intrusion, and they know methods for evading these protections. In some cases a structured attack is carried out with help from a few insiders; this is called an internal structured threat. Structured and unstructured threats can be external as well as internal.

1.3 Classification of security vulnerabilities

1.3.1 Security vulnerabilities

Security vulnerabilities in a system are weak points that can cause services to stop, grant extra privileges to users, or allow illegal access to the system. Vulnerabilities may lie in the services provided, such as web, email, FTP and so on; commonly used application programs such as Word and database systems such as SQL also contain security vulnerabilities.

1.3.2 Classifying security vulnerabilities

Classifying and understanding security methods is truly important for building a firewall's packet filtering and classification system, with the aim of detecting security vulnerabilities. At present, security vulnerabilities are basically divided into 3 classes.

11

Security vulnerabilities in a system are weak points that can cause services to stop, grant extra privileges to users, or allow illegitimate access to the system. Vulnerabilities can lie in the services provided, such as sendmail, web and FTP; they also exist in operating systems themselves, such as Windows NT, Windows 95 and UNIX, and in the applications that users use constantly, such as word processors and database systems [6].

1.3.2.1 Class C: low danger

Vulnerabilities of this class usually allow DoS attacks. DoS is a form of attack that uses application-layer protocols of the TCP/IP suite to stall or flood a system, so that all requests from legitimate users to access or use the system are refused. A large number of packets is sent to the server continuously over a period of time, overloading the system, with the result that the server responds slowly or cannot respond to client requests at all. Services that contain vulnerabilities enabling DoS attacks can be upgraded or fixed with newer versions from the service vendors. At present there is no comprehensive solution for this class of vulnerability, because the design of the Internet-layer protocol (IP) in particular and of the TCP/IP suite as a whole carries the latent risk of these vulnerabilities. Nevertheless, the danger level of this class is rated C, low danger, because such attacks only interrupt the system's service for a time without endangering data, and the attacker gains no illegitimate access to the system. Another common class C vulnerability is a weakness of a service that allows an attack to stall the end user's system; this form of attack mainly targets the web service. A simple form of attack, such as sending many access requests at once, can hang the system; this too is a form of DoS attack, and the website administrator in this case can only restart the system [6]. Another class C vulnerability common in mail systems is the absence of anti-relay mechanisms, which permits spam. As is well known, the electronic mail service works by store and forward; some mail systems do not authenticate users when they send mail, so attackers abuse these mail servers to send spam. Spam here is an action aimed at paralysing the system's mail service by sending a large number of messages to an undetermined address, since the mail server must always spend effort looking up non-existent addresses, leading to service stoppage. The messages can be generated by the mail-bombing programs that are very common on the Internet.

1.3.2.2 Class B: dangerous

Vulnerabilities of this class are more dangerous than class C: they allow a local user to gain higher privileges or illegitimate access. Such vulnerabilities usually appear in services on the system. A local user is understood as someone who already has access to the system with certain privileges. Another form of class B vulnerability occurs in programs whose source code is written in the C programming language. Programs written in C commonly use a buffer, a region of memory used to hold data before it is processed. Programmers usually reserve a buffer in memory by assigning a fixed amount of space to each block of data. For example, a programmer writes a program that reads a user-name field and specifies that this field is 20 characters long, so they declare:

char first_name [20];

13

With this declaration the user may enter at most 20 characters. When data is entered it is first stored in the buffer; if the user enters 35 characters, a buffer overflow occurs and the 15 excess characters end up at an uncontrolled location in memory. An attacker can exploit this vulnerability by entering special characters in order to execute particular commands on the system. Typically this vulnerability is exploited by users already on the system to obtain root privileges illegitimately. Strict control of the system configuration and of the programs installed limits class B vulnerabilities [6].

1.3.2.3 Class A: very dangerous

Class A vulnerabilities are very dangerous; they threaten the integrity and confidentiality of the system. Vulnerabilities of this class usually appear in poorly administered systems or where the network configuration is not under control. A common example is found on the many systems that use the Apache web server: it is usually configured with cgi-bin as the default directory for running scripts, and that directory contains a ready-made script for testing Apache's operation, test-cgi. In old versions of Apache (before version 1.1) the test-cgi file contains the line:

echo QUERY_STRING = $QUERY_STRING

Because the environment variable QUERY_STRING is not enclosed in quotes, when the client sends a request whose string contains certain special characters, for example the character *, the web server returns the contents of the whole current directory (the directory holding the CGI scripts). The user can thus see the full contents of the files in the current directory on the server. A similar example occurs with web servers running on the Novell operating system: these web servers have a script called convert.bas, and running it allows the entire contents of the files on the system to be read.
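The unquoted-variable problem in test-cgi can be reproduced and fixed in a few lines of shell. The script below is an added example, not code from the thesis or from Apache; the directory and file names it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thesis or from Apache: it reproduces the
# effect of the unquoted "echo QUERY_STRING = $QUERY_STRING" line discussed
# above and shows the quoted form that fixes it. The directory and file names
# are constructed for the demonstration only.

# Create a throw-away stand-in for a cgi-bin directory with a few files.
make_demo_cgi_dir() {
    dir=$(mktemp -d)
    touch "$dir/test-cgi" "$dir/convert.bas" "$dir/secret-script"
    echo "$dir"
}

# Vulnerable form: the variable is expanded unquoted, so a value of "*" goes
# through word splitting and pathname expansion, and echo receives the names
# of every file in the current directory instead of the literal "*".
vulnerable_echo() {
    QUERY_STRING=$1
    echo QUERY_STRING = $QUERY_STRING
}

# Hardened form: double quotes keep the client-supplied value a single word
# and disable pathname expansion, so the value is echoed back literally.
hardened_echo() {
    QUERY_STRING=$1
    echo "QUERY_STRING = $QUERY_STRING"
}

# Run both forms with the query string "*" from inside the demo directory,
# as a CGI script would run from cgi-bin, and print the two results.
demo() {
    dir=$(make_demo_cgi_dir)
    printf 'vulnerable: %s\n' "$(cd "$dir" && vulnerable_echo '*')"
    printf 'hardened:   %s\n' "$(cd "$dir" && hardened_echo '*')"
    rm -rf "$dir"
}

demo
```

In a real CGI deployment QUERY_STRING arrives from the web server's environment, and the same quoting rule applies to every variable a script expands.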

14

Vulnerabilities of this kind are extremely dangerous because they are already present in the software being used; an administrator without a deep understanding of the service and software in use may overlook these weaknesses. On older systems, the announcements of security newsgroups on the Internet must be checked regularly to discover vulnerabilities of this class. A series of commonly used older program versions have class A vulnerabilities, such as FTP, Gopher, Telnet, Sendmail, ARP and finger [2].

The security classes above can be grouped into 3 basic levels of security weakness, as follows:
- Technical weaknesses: weaknesses in protocols, operating systems and hardware devices such as servers, routers and switches.
- System configuration weaknesses: errors created by the administrator through omissions in configuring the system, such as failing to keep customer account information confidential, accounts with easily guessed passwords, or using the default configuration of devices.
- Security policy weaknesses: the security policy describes how and where security measures are carried out; it is an important condition for security to be as effective as possible.

1.4 Some types of network attacks

Many forms of network attack are known today. Based on the action taken by the network criminal, they can be divided into 2 types, active and passive.
- Active attack: the attacker alters the operation of the system and of the network during the attack, affecting the integrity, availability and authenticity of data.
- Passive attack: the attacker tries to gather information from the operation of the system and of the network, breaking the confidentiality of data.
Based on the origin of the attack, attacks can be divided into 2 forms: attacks from inside and attacks from outside, including direct attacks.
- Internal attacks include intrusive behaviour aimed at sabotage. The internal attacker is usually someone inside the local network who obtains more information than their privileges allow.
- External attacks originate outside the system, for instance from the Internet or from remote-access connections. External attacks can take the form of direct attacks, which are usually used in the first phase to gain access. The most common is still guessing user names and passwords. Network criminals may use information about the account holder, such as date of birth, the names of a spouse or children, or a telephone number, to work out the account and password in order to take control of an account; for accounts with simple passwords the criminal simply guesses the password from the account holder's details, and another way of gaining access, by finding other accounts and their passwords, is to use a password-guessing program. In some favourable cases this method can succeed up to 30% of the time. Another external attack that should be mentioned is eavesdropping: listening to network traffic can yield useful information such as user names and passwords and the confidential information transmitted over the network. Eavesdropping is usually carried out right after the attacker has gained access to the system, using programs that put the network interface card (NIC) into a mode that receives all information travelling on the network. Such information can also be obtained easily on the Internet.

16

- Various other errors involving people and systems are also direct attacks from outside, but of a higher level of complexity and difficulty; the most dangerous is the human factor, as it is among the weakest points of any security system [5] (quoted from the website quantrimang.com).
- When a computer network is attacked, a large amount of resources on the server is consumed; how much depends on the attack capacity the network criminal can mobilize, and at a certain limit the server's ability to supply resources runs out, so that service requests from legitimate users are refused. The criminal's ability to launch the attack also depends on the number of zombie computers under their control: the greater the control, the faster a network can be attacked and brought down completely and the faster the attack level rises, and the criminal can attack several different networks at once depending on how far they dominate the zombie computers.

Attacks take many different forms, but they usually proceed through the steps described below:
+ Reconnaissance: gather information about the target using tools to learn the network thoroughly.
+ After gathering information, the criminal searches for information about vulnerabilities in the system's security based on what was found, analyses the weak points of the network, and uses scanning toolkits to find flaws in that network.
+ With the network's weak points in hand, the criminal proceeds to intrude into the network using tools such as buffer overflows or denial-of-service attacks.
+ In some attacks, after successfully intruding and exploiting the network, the intruder maintains the intrusion so as to exploit and re-enter the network in the near future. The criminal may use techniques such as opening a backdoor or installing a trojan to maintain the intrusion. Maintaining control of a network gives the criminal the conditions to exploit it and to serve their information needs. In addition, once its access has been taken over, the network becomes part of a botnet used in other attacks, possibly a denial-of-service attack on another network.
+ Covering tracks. An attacker who has intruded successfully will try to maintain the intrusion; the next step is to remove all traces so that no legal evidence of the intrusion remains. The attacker must delete log files and delete the alerts of the intrusion detection system.

In the information-gathering and vulnerability-scanning phases, the attacker usually causes the network traffic to differ greatly from normal, and the resources of the server system are noticeably affected. These signs are very useful for the network administrator in analysing and assessing the state of the network. Most attacks proceed in sequence through the steps above, so recognizing that the network is being attacked or intruded upon as early as the first two steps is extremely important. The intrusion phase itself is not easy for the attacker; therefore, when unable to break into the system, the attacker is likely to resort to a denial-of-service attack in order to prevent legitimate users from accessing system resources.

1.5 Solutions for detecting and preventing network attacks

1.5.1 Measures for detecting that a system is under attack

No system can guarantee absolute safety; every service has latent security vulnerabilities. From the system administrator's point of view, besides learning how to detect security vulnerabilities, one must constantly carry out checks of the system for signs of attack. The measures are:
- Check for signs that the system is under attack: the system often hangs or crashes with unclear error messages, and the cause of the hang is hard to determine for lack of related information. First determine whether the cause is hardware; if it is not, consider the possibility that the machine is under attack.
- Check for new user accounts on the system: unfamiliar accounts, especially ones whose uid is zero.
- Check for the appearance of unfamiliar files. They are usually discovered through file naming, so every system administrator should make a habit of naming files according to a fixed pattern so that unfamiliar files are easy to spot. Run commands that list the files on the system to check the setuid and setgid attributes of notable files (especially scripts).
- Check modification times on the system, especially of the login and sh programs and of the startup scripts in /etc/init.d, /etc/rc.d and so on.
- Check system performance. Use utilities that monitor resources and the processes running on the system, such as ps or top.
- Check the operation of the services the system provides. We know that one aim of attacks is to paralyse the system (DoS attacks). Use commands such as ps and pstat and network utilities to find the cause on the system.
- Check system access through ordinary accounts, in case these accounts are accessed without authorization and their privileges changed without the legitimate user's control.

19

- Kim tra cc file lin quan n cu hnh mng v dch v nh /etc/inetd.conf; b cc dch v khng cn thit; i vi nhng dch v khng cn thit chy di quyn root th khng chy bng cc quyn yu hn. - Kim tra cc phin bn ca sendmail, /bin/mail, ftp; tham gia cc nhm tin v bo mt c thng tin v l hng ca dch v s dng Cc bin php ny kt hp vi nhau to nn mt chnh sch v bo mt i vi h thng. 1.5.2 Gii php pht hin v phng chng xm nhp Pht hin xm nhp l mt tp hp cc k thut v phng php dng d tm nhng hot ng ng nghi ng trn mng. Mt h thng pht hin xm nhp c nh ngha l mt tp hp cc cng c, phng thc, v ti nguyn gip ngi qun tr xc nh, nh gi, v bo co hot ng khng c php trn mng. Pht hin xm nhp c xem l mt tin trnh c quyt nh khi mt ngi khng xc thc ang c gng xm nhp h thng mng tri php. H thng pht hin xm nhp s kim tra tt c cc gi tin i qua h thng v quyt nh gi tin c vn kh nghi hay khng. H thng pht hin xm nhp uc trang b hng triu tnh hung nhn dng tn cng v uc cp nht thng xuyn. Chng thc s quan trng v l la chn hng u phng th trong vic pht hin v phng chng xm nhp mng. Vic nghin cu xy dng h thng pht hin v phng chng xm nhp (IDS/IPS) ang c pht trin mnh v cn pht trin mnh m trong thi gian ti. Cc sn phm thng mi trn th trng c chi ph rt ln, vt qu kh nng u t ca nhiu doanh nghip. Bn cnh , cc nghin cu v m ngun m cng c u t nghin cu v trin khai. C nhiu ti trong nc nghin cu lin quan n IDS/IPS bng m ngun m ch yu tp trung vo Snort. Nhng nhn chung cha c p dng rng ri, cn tn ti nhiu hn ch

20

nh: do chng trnh m ngun m nn hu ht khng c giao din thn thin; thnh phn bo ng khng c tch hp sn, hoc nu c cng ch qua giao din console, hoc qua giao din Web cha to c s linh ng v tin dng cho ngi qun tr mng; phn mm mang tnh n l (ch tp trung nghin cu v Snort) trong khi nhu cu tch hp nhiu tnh nng gim st khc nng cao hiu qu s dng cha c ch trng v pht trin. Hn na, cc du hiu ca cc kiu tn cng ngy mt tinh vi phc tp i hi h thng pht hin v phng chng xm nhp (IDS/IPS) phi c thng xuyn cp nht nhng du hiu mi. Ngi qun tr mng cn c th da vo nhng phn tch khc nh nhng du hiu bt thng v lu lng ra vo h thng, hot ng ca CPU, RAM... c nhng phn ng kp thi. Bn cnh , h thng bo ng cng cn trin khai mang tnh cht a dng nhiu hnh thc, linh ng, tin dng thc s h tr thit thc cho ngi qun tr mng. Cc nghin cu chng minh rng hu ht cc h thng c c im chung l tnh a dng v thay i. Vic nghin cu v trin khai mt h thng gim st mng, pht hin v phng chng xm nhp vi cc yu t: chnh xc, nhanh chng, trc quan, linh ng v tin li l vn cp thit trong thc t. Pht trin h thng gim st trc quan theo di cc din bin trn mng nh lu lng ra vo mt Server, Switch, hay hot ng ca CPU, b nh, gip ngi qun tr mng c nhng phn tch a ra ng ph kp thi. H thng pht hin xm nhp da vo nhng mu du hiu tn cng trin khai gip pht hin nhanh cc cuc tn cng mng. H thng pht hin ny kt hp vi tng la s chng li cc cuc tn cng xm nhp. Tuy nhin, cc du hiu ca cc kiu tn cng ngy mt tinh vi phc tp th h thng pht hin phi c thng xuyn cp nht nhng du hiu mi. c th pht hin nhanh chng cc bt thng trn mng, ngi qun tr mng cn c th da vo nhng th trc quan v lu lng ra vo h thng c nhng phn ng kp thi.
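The account, setuid/setgid and startup-script checks listed in section 1.5.1 above, as an added example that is not part of the thesis: Python functions that flag extra uid-0 accounts in passwd data, setuid/setgid files among a set of directory entries, and startup scripts whose modification time has moved past a recorded baseline. The passwd text, paths, modes and timestamps are constructed samples; walk_entries() is the only part that touches the live host.

```python
"""Section 1.5.1 checks as Python functions (added example, not from the
thesis). They take plain data so the same code runs against a live host
through walk_entries() or against the constructed samples below."""
import os
import stat

# Constructed /etc/passwd sample: 'backup2' is a second uid-0 login that
# the check must flag; 'root' itself is expected.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/tmp:/bin/sh
"""

# Constructed baseline of startup-script mtimes recorded on a known-good day.
SAMPLE_BASELINE = {"/etc/init.d/ssh": 100.0, "/etc/init.d/cron": 100.0}


def find_uid0_accounts(passwd_text, expected=("root",)):
    """Return login names that carry uid 0 but are not in `expected`."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # comment, blank or malformed line
        if int(fields[2]) == 0 and fields[0] not in expected:
            rogue.append(fields[0])
    return rogue


def find_privileged_files(entries):
    """entries: iterable of (path, st_mode). Return (path, bits) for regular
    files with setuid and/or setgid set; directories are skipped because
    setgid on a directory only affects group inheritance."""
    found = []
    for path, mode in entries:
        if not stat.S_ISREG(mode):
            continue
        bits = [name for flag, name in ((stat.S_ISUID, "setuid"),
                                        (stat.S_ISGID, "setgid")) if mode & flag]
        if bits:
            found.append((path, "+".join(bits)))
    return found


def modified_since_baseline(entries, baseline):
    """entries: iterable of (path, st_mtime); baseline: {path: mtime}.
    Return paths whose mtime is newer than recorded, or that the baseline
    does not know at all (a freshly dropped startup script)."""
    changed = []
    for path, mtime in entries:
        recorded = baseline.get(path)
        if recorded is None or mtime > recorded:
            changed.append(path)
    return changed


def walk_entries(root):
    """Live collector: yield (path, st_mode, st_mtime) for files below root,
    using lstat so symlinks are reported as themselves, not their targets."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield path, st.st_mode, st.st_mtime


if __name__ == "__main__":
    print("rogue uid-0 accounts:", find_uid0_accounts(SAMPLE_PASSWD))
    live = list(walk_entries("/etc/init.d"))  # empty if the directory is absent
    print("setuid/setgid files:", find_privileged_files((p, m) for p, m, _ in live))
    print("changed startup scripts:",
          modified_since_baseline(((p, t) for p, _, t in live), SAMPLE_BASELINE))
```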


The alerting system must also be deployed to notify the administrator in a number of cases: a server stops working, a network service stops working, or a network attack occurs. The alerting system can be deployed through several forms of alert, such as the Web, e-mail or SMS messages to the network administrator.

CHAPTER 2: INTRUSION DETECTION AND PREVENTION SYSTEMS

2.1 Role and functions of the intrusion detection and prevention system

2.1.1 History

Intrusion detection grew out of research into intrusion detection systems 25 years ago, but it was only in the period from 1983 to 1988 that research on IDS (Intrusion Detection System) was officially published, and by 1996 a number of IDS were in use, mainly in laboratories and network research institutes. Only in 1997 did IDS become widely known and put into practice, bringing substantial profit to ISS, the company leading research into network intrusion detection systems.

An IPS is understood as an intrusion prevention system (Intrusion Prevention System, IPS), defined as a piece of software or a dedicated device able to detect intrusions and block threats to security. IDS and IPS have a great deal in common, so IDS and IPS systems may be referred to jointly as IDP, Intrusion Detection and Prevention. Given the limitations of IDS, developing an IPS was necessary, especially after the appearance of mass, large-scale attacks such as Code Red, NIMDA and SQL Slammer; the question posed was how to block attacks automatically rather than merely issue warnings, in order to reduce the system administrator's workload. IPS appeared in 2003 and immediately afterwards, in 2004, became widely available. Together with upgraded management components, IPS gradually appeared as a replacement for IDS because it reduces the need for human intervention in responding to detected threats and lightens part of the operational burden. Moreover, in some special cases an IPS can act as an IDS by switching off its intrusion blocking feature. Today networks are moving towards IPS solutions instead of IDS, and IPS continues to develop strongly in network security technology.

2.1.2 Role and functions of the intrusion detection and prevention system

An intrusion detection system listens to and inspects the packets passing through the network to detect abnormal signs in the network. Usually these abnormal signs are the signs of network intrusion attacks. The IDS sends warning signals to the network administrator. An intrusion prevention system (Intrusion Prevention System, IPS) is a piece of software or a dedicated device able to detect intrusions and block the threat of the network being attacked. IDS and IPS have a great deal in common, so IDS and IPS systems may be referred to jointly as intrusion detection and prevention systems (IDS/IPS). IPS is a new security technique that combines the advantages of the firewall technique with an intrusion detection system; it can detect intrusions and attacks and automatically block those attacks. IDS/IPS systems are usually placed at the network perimeter to protect all the devices in the network. Some basic functions of IDS/IPS:

+ Identify threats that may occur.
+ Record information and logs to support threat control.
+ Identify system reconnaissance activity.
+ Identify weaknesses in the security policy.
+ Block violations of the security policy.
+ Store information related to the observed objects.
+ Warn of important events related to the observed objects.
+ Block attacks (IPS).
+ Produce reports.

2.2 Characteristics and architecture of IDS/IPS systems

2.2.1 Infrastructure of the IDS/IPS system

The main task of the IDS/IPS system is to defend the computer by detecting an attack and possibly repelling it. Detecting a hostile attack depends on the number and kind of appropriate actions.

Figure 2.1 Operation of the IDS/IPS system [13]

Intrusion prevention requires a well-chosen combination of "bait and trap" to investigate threats; diverting the intruder's attention from the systems that need protection to decoy systems is the task of a separate kind of IDS (Honeypot IDS). Both the real and the decoy systems are monitored continuously and the data gathered is examined carefully (this is the main job of every IDS/IPS) to detect possible attacks (intrusions). Once an intrusion is detected, the IDS/IPS issues warnings to the administrator about the event. The next step is taken either by the administrators or by the IDS/IPS itself, by applying countermeasures (terminating the session, backing up the system, routing the connections to the Honeypot IDS, using the legal infrastructure, etc.) depending on each organisation's security policy. The IDS/IPS is one component of the security policy. Among the various IDS tasks, identifying the intruder is one of the basic ones. It can be useful in forensic investigation of incidents and in installing the appropriate patches so that future attacks on a specific target can be detected.

Figure 2.2 Infrastructure of the IDS/IPS system [7]

2.2.2 Architecture of the intrusion detection system

2.2.2.1 Structure

Sensor / Agent: monitors and analyses activity. Sensors are usually used for network-based IDS/IPS, while agents are usually used for host-based IDS/IPS.

Management Server: a central device that receives information from the sensors / agents and manages them. Some management servers can analyse the event information supplied by the sensors / agents and can identify events that individual sensors / agents cannot recognise on their own.

Database server: stores the information from the sensors / agents or from the management server.

Console: a program that provides the interface for IDS/IPS users / administrators. It can be installed on an ordinary computer used for administration tasks, or for monitoring and analysis.

2.2.2.2 Architecture of the IDS/IPS system

Figure 2.3 Sample intrusion detection system [7]

In an intrusion detection system, the sensor is integrated with a data collection component, an event generator. The way data is collected is determined by the event generation policy, which defines the mode of filtering event information. The event generator (operating system, network, application) provides a suitable policy for events, which may be a record of system events or of network packets. This policy, together with the policy information, may be stored in the protected system or outside it. In some cases, for example, the stream of event data is passed directly to the analyser without any data being stored. This also applies, to some extent, to network packets. The architecture of an IDS comprises the main components:

+ The information collection component (information collection).
+ The packet analysis component (detection).
+ The response component (response).

Figure 2.4 Components of the IDS architecture [7]

Of these three components, packet analysis is the most important, and within it the sensor plays the decisive role. The sensor is integrated with the data collection component. The way data is collected is determined by the event generation policy, which defines the mode of filtering event information. The event generator provides a suitable policy for events, which may be a record of system events. This policy, together with the policy information, may be stored in the protected system or outside it. The role of the sensor is to filter information and discard incompatible data obtained from events related to the protected system, so that suspicious actions can be detected. The analyser uses the detection policy database for this purpose. There are also further components: attack signatures, profiles of normal behaviour, and the necessary parameters (for example thresholds). In addition, the database holds the configuration parameters, including the communication modes with the response module. The sensor also has its own database, containing data stored about potential complex violations (built up from many different actions).

An IDS may be arranged centrally or distributed. A distributed IDS consists of many different IDS on a large network, all communicating with one another; this is called a multi-agent structure. Many sophisticated systems follow the single-agent structure, where small modules are organised on a host in the protected network. The agent's role is to check and filter all actions inside the protected area and depends on the method chosen. A network of cooperating agents reporting to a central analysis server is one of the important components of an IDS. The IDS can use more sophisticated analysis tools, especially ones equipped to detect distributed attacks. Other roles of agents concern their mobility and roaming between physical locations. In addition, agents can be dedicated to detecting a certain known attack signature. This is a decisive factor when it comes to protection against new kinds of attack. Agent-based IDS solutions also use less complex mechanisms for upgrading the response policy.

The multi-agent architecture solution was put forward in 1994. It uses agents to check a certain aspect of system behaviour at a certain point in time. For example, an agent may report unusual information about the Telnet sessions inside the system it checks. An agent can issue a warning when it detects a suspicious event. Agents can be copied and modified inside other systems (the autonomy feature). As part of the agents, the system may have transceivers that check all the actions controlled by the agents on a particular host. The receivers always send the results of their activity to a single monitor. The monitors receive information from networks (not only from one host), which means they can correlate distributed information. In addition, some filters can be introduced to select and collect data.

Figure 2.5 Autonomous agents for intrusion detection [7]

2.3 Classification of IDS/IPS

There are two different methods of analysing events to detect attacks: signature-based detection and anomaly detection. IDS products may use either of the two or a combination of both.

+ Signature-based detection: this method identifies events or sets of events that match a pattern of events defined as an attack.
+ Anomaly detection: this tool establishes a baseline of normal activity and then maintains a current profile for a system. When the two diverge, an intrusion has occurred.

The various IDS all rely on detecting unauthorised intrusions and anomalous actions. The detection process can be described by the following three fundamental elements:

- Information collection: examine all packets on the network.
- Analysis: analyse all the collected packets to tell which actions are attacks.
- Response: the warning action for the attack analysed above.

Figure 2.6 Classification of IDS/IPS [10]


2.3.1 Host-based IDS/IPS (HIDS)

By installing software on every host, a host-based IPS observes all system activity, such as the log files and the network traffic that has been collected. A host-based system also monitors the OS, system calls, the audit log and the error messages on the host. While network probes can detect an attack, only a host-based system can determine whether the attack succeeded. Moreover, a host-based system can record what the attacker did on the compromised host.

Not all attacks are carried out over the network. By gaining physical access to a computer system, an intruder can attack a system or its data without generating any network traffic at all. A host-based system can detect attacks that do not pass over the public path or the monitored network, or that are carried out from the console; but a knowledgeable intruder who understands the IDS can quickly switch off all the detection software once physical access is obtained. Another advantage of host-based IDS is that it can block attacks that use fragmentation or TTL tricks. Because a host must receive and reassemble fragments when processing traffic, a host-based IDS can monitor this.

A HIDS is usually installed on one particular computer. Instead of monitoring the activity of a network segment, a HIDS monitors only the activity on one computer. HIDS are usually placed on the organisation's critical hosts and on servers in the DMZ, which are usually the first targets of attack. The main task of a HIDS is to monitor changes on the system, including (but not limited to):

- Processes.
- Registry entries.
- CPU usage.
- Integrity and access checks on the file system.
- A few other parameters.

When these parameters exceed a preset threshold, or suspicious changes occur on the file system, an alarm is raised.

Figure 2.7 Position of HIDS/IPS in the network

2.3.2 Network-based IDS/IPS (NIDS/IPS)

A network-based IDS uses probes and sensors installed throughout the network. These probes watch the network looking for traffic that matches defined profiles or signatures. The sensors capture and analyse traffic in real time. When a traffic pattern or signature is recognised, the sensor sends a warning to the management station and can be configured to find a way to block further intrusion. A NIPS is a set of sensors placed throughout the network to watch the packets in the network and compare them against defined patterns to decide whether they are attacks. It is placed between the internal network and the external network to monitor all incoming and outgoing traffic. It may be a separate, pre-built hardware device or software installed on a computer. It is mainly used to measure the network traffic in use. However, a bottleneck can occur when network traffic is high.

Figure 2.8 Position of NIDS/IPS in a network

One way hackers try to hide their activity from a network-based IDS is to fragment their packets. Each protocol has a limited packet size; if the data sent over the network is larger than this size, the packet is fragmented. Fragmentation is simply the process of breaking data into small pieces. The order of reassembly does not matter as long as no overlap occurs. If overlapping fragments occur, the sensor must know how to reassemble them correctly. Many hackers try to evade detection by sending many overlapping fragmented packets. A sensor will not detect intrusion activity if it cannot reorder the packets correctly.

2.3.3 Deploying the IDS/IPS system

There are usually many ways to deploy an IDS/IPS, but the two deployment modes most commonly used in a network are the following:

+ In-line

Figure 2.9 In-line deployment

An in-line sensor is placed so that it can monitor the network traffic passing through it, as in the case of a firewall. In practice some in-line sensors are used as a hybrid of firewall and NIDS/IPS, others as pure NIDS. The main motive for deploying in-line sensors is that they can stop attacks by blocking network traffic. In-line sensors are usually deployed in the same position as firewalls and other security devices: at the boundary between networks. In-line sensors can be deployed in less secure network areas or in front of the security devices and the firewall, with the aim of reducing the load on those devices. However, this position slows the flow of information into and out of the network; with the goal of blocking attacks, the IDS/IPS must operate in real time. The operating speed of the system is a very important factor. The intrusion detection process must be fast enough to block attacks immediately.

+ Passive

A passive sensor is deployed so that it can monitor a copy of the traffic on the network. It is usually deployed to monitor important positions in the network, such as the boundary between networks and important segments such as the server farm or the DMZ. A passive sensor can monitor network traffic in several ways, such as a spanning port (or mirror port), a network tap or an IDS load balancer.

Figure 2.10 Passive deployment

Its information gathering capabilities include identifying hosts, operating systems, applications and network characteristics. It can write log files. It can identify reconnaissance activity, policy violations or unexpected application services. The blocking capability of the passive mode is to terminate the current TCP session.

Note that when deploying an IDS/IPS, the sensors must be deployed in stealth mode. In this mode the sensor's interfaces are not assigned IP addresses (except the management interface), to prevent other hosts from initiating connections to the sensor and to hide it from detection by an attacker. The weakness of NIDS/IPS is that it is very easily affected by the many kinds of attack that involve a large volume of network traffic, and by the single point of failure architecture when in-line sensors are deployed.

2.3.4 Detection and prevention capabilities of IDS/IPS

An IDS/IPS operates by packet pattern recognition. It compares packets against the attack sample packets it holds; if they match, it concludes that this is an attack packet and the system raises a warning or sends a signal to the firewall to stop the packet entering the internal network. Today most IDS/IPS work this way. However, the IDS/IPS cannot recognise a new kind of attack, so the rules (attack signatures) must be updated regularly, like virus updates. If it works in the intelligent way, the IDS watches the network for abnormal phenomena and reacts. The advantage is that new kinds of attack can be recognised, but in many cases there are false alarms, meaning that something that is not an attack still triggers an alarm. Thus, after the IDS detects an attack or intrusion, it can take the following actions:

+ Send a signal to the firewall to block the attack. This case is called an intrusion detection and prevention system (IDS/IPS).


+ Only issue a warning to the network administrator: an intrusion detection system (IDS).

To prevent intrusion attacks, the detection system can be combined with a firewall system to stop attack packets entering the internal network. One of the firewalls most widely used in open source software is Iptables. Many open source tools allow Snort rules to be converted into Iptables rules, such as Snort-inline, SnortSam, Fwsnort, … This thesis uses Fwsnort for the experimental installation.

2.4 Network traffic monitoring systems

Besides watching packets to detect intrusion and prevent unauthorised intrusion, monitoring network traffic and the network services and devices taking part in the network is no less important; monitoring covers network traffic, CPU and RAM activity and the operating states of the servers providing network services. Monitoring the activity of network devices such as routers and switches is also a need receiving attention today, with the aim of improving the network's operation, ensuring stability and bringing high efficiency. Monitoring network traffic, services and devices helps the administrator quickly learn of problems and of the operating state of the network under management, and quickly produce concrete plans to optimise the system or policies to remedy incidents and strengthen the security of the network.

The IDS/IPS described above can certainly detect network intrusion behaviour and can prevent unauthorised intrusion behaviour based on the attack signatures that are stored and updated regularly. However, almost no intrusion detection and prevention system is entirely safe; the security field always has to find solutions after earlier unauthorised intrusions, and an intrusion detection and prevention system is easily defeated when there are new attack signatures that the system has not yet fully updated or does not yet know about: rule sets that are not fully updated are easily bypassed by new attack signatures. Combined with a traffic monitoring system, the activity of the network devices and services in the system will be tracked in real time, giving a visual picture of the whole system's operation; the charts and graphs showing the states of the network help the administrator aggregate and analyse what is happening and propose solutions for harmful incidents that may occur. Furthermore, the administrator can set warning thresholds that, combined with the alerting system, let the administrator quickly obtain information about attacks or detect anomalies in the system. Such anomalies include a network service stopping, a server stopping, or the CPU being overloaded (with a warning threshold set).

Within the scope of this thesis, the author proposes to monitor network traffic, network services and the devices operating in the network using two open source programs, Nagios and Cacti. These two open source programs will be combined with the IDS/IPS to form a complete monitoring system that can help the administrator work better in monitoring and manage the network under their administration more effectively.

2.5 Alerting systems

One of the important components in monitoring the operating state of the system, from the network administrator's point of view, is being able to detect system incidents quickly. This is also a major requirement placed on the intrusion detection and prevention system. As mentioned above, the alerting system is an important component of the network monitoring system; it combines with the intrusion detection system and the system that monitors the operating state of devices (hosts) and services to send warning signals to the administrator when the system suffers an intrusion or another abnormal incident occurs. Information from the intrusion detection system or from the system that detects abnormal signs is passed to the alerting system, which raises a warning to the administrator. The alerting system in this thesis will be presented and installed in the experimental model and includes: alerts on the Web interface, by e-mail and by SMS message to a mobile phone.

In particular, in this thesis the SMS alerting component uses a GSM/GPRS gateway solution. It can alert the mobile phone directly without any intermediate step, meaning that if the Internet connection is cut the system still works normally. The component that connects to the SMS gateway device will be the open source software Gnokii SMS, combined with a GSM/GPRS modem or mobile phone as the hardware for the experiment.

Figure 2.11 Devices used in the alerting system

The operation of the alerting system is described as follows: the network monitoring system watches the operating state of the whole system, and as soon as it detects abnormal signs, those signs are immediately sent to the GSM/GPRS modem, which issues an SMS warning to the network administrator.

2.6 SNMP and the network monitoring system

SNMP (Simple Network Management Protocol) is a protocol used in networks for the purpose of monitoring the state of devices. SNMP collects information from the network devices to be monitored (routers, switches, servers) and returns it to the monitoring program, which analyses it and uses it to display the necessary information on the administration interface according to the purpose of the monitoring program. In SNMP there are three things to consider: the Manager, the Agent and the MIB (Management Information Base).

- MIB: the database serving the Manager and the Agent.
- Manager: resides on the server that monitors the network.
- Agent: a program residing on the devices to be monitored and managed. The agent may be a separate program (for example a daemon on Unix) or be built into the operating system, for example in the IOS of Cisco devices. The agents' task is to report information to the controlling component configured on the monitoring server.

SNMP uses UDP (User Datagram Protocol) as the transport protocol for information between managers and agents. UDP is used instead of TCP because UDP is a transmission method in which the two ends need not establish a connection before data is exchanged (connectionless), a property that suits conditions in which the network is faulty or damaged.
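The Manager-to-Agent exchange described in section 2.6, as an added example that is not part of the thesis: an SNMPv1 GetRequest encoded by hand (version, community string, PDU, variable bindings), the matching GetResponse parser, and the UDP send with a timeout that stands in for the connection TCP would have provided. The community string "public" and the sample reply are constructed; sysDescr.0 is the standard MIB-II object.

```python
"""SNMPv1 GetRequest/GetResponse over UDP, encoded by hand to show the
message layout the Manager and Agent exchange. Added example, not from the
thesis; community string and sample values are constructed."""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"  # MIB-II system.sysDescr.0


def ber_len(n):
    """BER length: one octet below 128, else 0x80|count then count octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """INTEGER in minimal two's complement (signed, so 128 needs two octets)."""
    n = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(n, "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128
    with the continuation bit 0x80 on every octet but the last of an arc."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def build_get_request(community, oids, request_id=1):
    """Message = SEQUENCE{version 0, community, GetRequest-PDU [0xA0]};
    each binding carries the OID and a NULL placeholder for the value."""
    varbinds = b"".join(tlv(0x30, ber_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + tlv(0xA0, pdu))


def read_tlv(buf, pos):
    """Return (tag, payload, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_oid(payload):
    arcs, value = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_response(msg):
    """Return (request_id, error_status, [(oid, raw_value_bytes)]) from a
    GetResponse [0xA2]; a non-zero error_status means the Agent refused."""
    _, body, _ = read_tlv(msg, 0)
    _, _version, pos = read_tlv(body, 0)
    _, _community, pos = read_tlv(body, pos)
    tag, pdu, _ = read_tlv(body, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU (tag 0x%02x)" % tag)
    _, rid, pos = read_tlv(pdu, 0)
    _, err, pos = read_tlv(pdu, pos)
    _, _index, pos = read_tlv(pdu, pos)
    _, vblist, _ = read_tlv(pdu, pos)
    bindings, pos = [], 0
    while pos < len(vblist):
        _, vb, pos = read_tlv(vblist, pos)
        _, oid, p = read_tlv(vb, 0)
        _, value, _ = read_tlv(vb, p)
        bindings.append((decode_oid(oid), value))
    as_int = lambda b: int.from_bytes(b, "big", signed=True)
    return as_int(rid), as_int(err), bindings


def snmp_get(host, community, oids, timeout=2.0):
    """One GetRequest to UDP/161 and its parsed reply. UDP has no handshake,
    so an Agent that is down or filtered shows up only as socket.timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, oids), (host, 161))
        reply, _ = sock.recvfrom(65535)
    return parse_response(reply)
```

Calling snmp_get("192.0.2.10", "public", [SYS_DESCR]) against a host running an SNMP agent returns the request id, the error status and the sysDescr string as raw bytes.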

CHAPTER 3: OPEN SOURCE TOOLS SUPPORTING NETWORK MONITORING, INTRUSION DETECTION AND PREVENTION

In this chapter the author presents some open source tools that support building the proposed model for monitoring the operating state of the system (devices and services) and detecting and preventing intrusion; the main tools are Snort, Fwsnort, Cacti, Nagios and Gnokii. These open source tools are integrated into one system and combined with the development of a diverse, flexible alerting system using the Web interface, e-mail and SMS, to create an integrated tool that monitors the system and detects and warns of incidents on the network in a visual, real-time, fast and convenient way, serving network administration effectively.

3.1 Introduction

There are many tools that let network administrators look for vulnerabilities in their own network. Typical examples are the programs Nmap, Metasploit, SolarWinds, Blue Ports Scan, Super Scan, … These tools are essential for checking whether our network has any security vulnerabilities so that they can be fixed in time. At a higher level is building a comprehensive, highly feasible solution that helps network administrators quickly detect network intrusion attacks and incidents during the system's operation, such as a network service stopping or a network device (router, switch, server, …) stopping, and track the traffic flowing over the links between devices and the activity of CPU, RAM, … on some devices that need monitoring.


In this project the author proposes to develop a visual and convenient network monitoring system that helps the network administrator keep track of the system's activity at any time, from anywhere, … The combined model the author proposes brings together the open source programs Snort, Fwsnort, Cacti, Nagios and the Gnokii SMS alerting system.

+ Snort: detects network intrusions based on a regularly updated rule set.
+ Fwsnort: converts Snort rules into Iptables rules to prevent network attacks.
+ Cacti: monitors traffic within each device and between the devices in the network, shown as graphs: it tracks the traffic in and out of the interfaces and the activity of CPU, memory, … on important network devices such as the core switch, routers, firewalls and servers. This helps network administrators analyse and detect anomalies in the system.
+ Nagios: monitors the operating state of the devices and the network services in the system.
+ Gnokii: supports communication between the GSM/GPRS modem and the monitoring system made up of Snort, Cacti and Nagios, to send SMS warnings to the network administrator's mobile phone.

The next part presents some characteristics of Snort, Fwsnort, Cacti, Nagios and Gnokii in network monitoring.

3.2 Characteristics of Snort

Snort is open source IDS/IPS software for monitoring and detecting signs of attack and network intrusion. Snort has been developed by many organisations and turned into commercial products, for example by Sourcefire and Astaro. Snort consists of the main components [10]:

+ Packet Decoder
+ Preprocessor
+ Detection Engine
+ Logging and Alerting System
+ Output Modules

+ Packet Decoder
Collects packets from the network interfaces and prepares them to be preprocessed or sent to the detection engine.

Figure 3.1 Components of Snort [10]

+ Preprocessor
Used to arrange or modify packets before the detection engine does some processing to find out whether the packet is being used by an intruder. The preprocessor also performs detection by looking for abnormal signs in packet headers and generating warnings. Preprocessors are very important in any detection system; they prepare packets to be analysed against the rules in the detection engine. Preprocessors are also used for defragmentation. When a large message is sent to a host, the packet is usually split up. The receiving system can reassemble it from the small packets. On an intrusion detection system, packets must be joined back together before rule matching or signature searching. The preprocessor in Snort can reassemble packets, decode HTTP, reassemble TCP streams, … These functions are very important in an intrusion detection system.

+ Detection Engine
This is the most important part of Snort. Its responsibility is to detect whether an intrusion exists in a packet. The detection engine uses Snort's rules for this purpose. If a packet matches any rule, a corresponding action is taken: the attack is logged or a warning is generated. This is the critical component for Snort's execution time. Throughput in the detection engine depends on the following factors:
- The number of rules.
- The power of the machine Snort is running on.
- The speed of the bus in use.
- The traffic on the network.

+ Logging and Alerting System
Depending on what the detection engine finds in a packet, the packet may be used to log the behaviour or to generate warnings. The logged information is kept in simple text files or in other forms, such as a MySQL database, …

+ Output Modules
The output modules can work in many ways depending on how we want to store the output generated by the logging and alerting system. Depending on the configuration, an output module can perform the following actions:
- Write data to a log file.
- Send SNMP traps.
- Send messages to Syslog.
- Write logs to a database such as MySQL or Oracle.

Some tools can be developed to send warnings from Snort's output, such as e-mail, SMS or viewing warnings through a Web interface.

3.3 Snort issues and deployability

3.3.1 Benefits of Snort

Snort brings many benefits that suit many companies, for many reasons:

+ Price. As open source software there is no licensing cost.
+ Stable, fast, powerful. Snort is compact and fast and does not take up much link bandwidth.
+ Preprocessing. Used to preprocess messages in the network in real time, increasing the ability to recognise suspicious packets and to recognise attackers using attack techniques intended to mislead the IDS.
+ Flexibility. Rules for Snort can easily be set up to suit the company's situation. Centralised management tools such as ACID, BASE or SnortCenter can be used. Many scripts can be integrated to extend Snort's functionality, and it can generate access control lists automatically. Within this thesis the author goes into the combination of Snort with BASE, then integrates it into Cacti's common management interface and issues alerts through the BASE interface, e-mail and SMS. Snort is also combined with the open source software Fwsnort to resist intrusion attacks: Snort rules are converted by Fwsnort into Iptables rules to block certain forms of attack.
+ Supported by the open source community. Snort is an open source product and so is strongly supported by the community of open source users.

3.3.2 Assessment of the Snort rule set

The Snort rule set is updated regularly, so its ability to detect attack signatures is quite good. The network administrator can also add new rules to the existing rule set, so Snort's rule set is open. Snort is therefore very suitable for research and development. Many commercial products on the market are developed from Snort: Sourcefire, O2Security, Astaro, …

3.4 Fwsnort converts the rule set from Snort to Iptables

Fwsnort, also called Firewall Snort, is open source software whose function is to convert Snort rules into Iptables rules. This combination means that intrusions detected by Snort are blocked by Iptables, forming an intrusion detection and prevention system (IDS/IPS).

3.5 Device and service state monitoring with Nagios

Nagios is open source software that supports monitoring the activity of devices and services in the network. Nagios helps monitor the activity of some central devices in the network such as servers, switches, routers, … and, combined with the SMS alerting component, issues a warning when a device or a network service stops working. Nagios monitors network devices through the ICMP and SNMP protocols to track their operating state. Nagios also lets a mechanism be set up to monitor the activity of network services. Commonly monitored services include HTTP, FTP, SMTP, POP3, …
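The Snort-to-Iptables conversion that section 3.4 attributes to Fwsnort, as an added, simplified illustration that is not Fwsnort's own code or output format: the rule header and the content/nocase/sid options are mapped onto the iptables string match (a LOG rule, plus a DROP rule for "drop" actions), and rules that need options the string match cannot express are refused instead of translated loosely. The $HOME_NET/$EXTERNAL_NET values, chain name and sample rules are constructed.

```python
"""Snort -> iptables translation in the spirit of Fwsnort (section 3.4).
Added, simplified illustration, not Fwsnort's own code or output: it maps
the rule header and the content/nocase/sid/msg options onto the iptables
string match and refuses rules it cannot express faithfully."""
import re
import shlex

# Assumed variable values; a real deployment takes them from snort.conf.
NET_VARS = {"$HOME_NET": "192.0.2.0/24", "$EXTERNAL_NET": "!192.0.2.0/24"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# key:"quoted value"; or key:value; or a bare flag; quotes may hold ';'
OPT_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
# Options needing offsets, regexes or flow state that a string match lacks.
UNSUPPORTED = {"pcre", "flowbits", "byte_test", "byte_jump",
               "distance", "within", "offset", "depth"}


def parse_options(text):
    """Return [(key, value)] in rule order; flag options get value ''."""
    opts = []
    for key, raw in OPT_RE.findall(text):
        value = raw[1:-1] if raw.startswith('"') else raw.strip()
        opts.append((key, value))
    return opts


def address_args(flag, addr):
    """-s/-d arguments, expanding $VARS and Snort's leading '!' negation."""
    addr = NET_VARS.get(addr, addr)
    if addr == "any":
        return []
    if addr.startswith("!"):
        return ["!", flag, addr[1:]]
    return [flag, addr]


def snort_to_iptables(rule, chain="FWSNORT_INPUT"):
    """Return a list of iptables argv lists (LOG, then DROP for 'drop' rules),
    or None when the rule is outside what a plain string match can do."""
    m = HEADER_RE.match(rule.strip())
    if not m or m["dir"] != "->" or m["action"] not in ("alert", "drop"):
        return None
    if m["dport"].startswith("[") or m["proto"] not in ("tcp", "udp"):
        return None  # port lists and non-port protocols are left to Snort
    opts = parse_options(m["opts"])
    keys = [k for k, _ in opts]
    if keys.count("content") != 1 or UNSUPPORTED & set(keys):
        return None
    values = dict(opts)
    content = values["content"]
    base = ["iptables", "-A", chain, "-p", m["proto"]]
    base += address_args("-s", m["src"]) + address_args("-d", m["dst"])
    if m["dport"] != "any":
        base += ["--dport", m["dport"]]
    # Snort writes raw bytes as |0d 0a|; the string match accepts the same
    # notation through --hex-string, and printable text through --string.
    match_flag = "--hex-string" if "|" in content else "--string"
    base += ["-m", "string", "--algo", "bm", match_flag, content]
    if "nocase" in keys:
        base.append("--icase")
    sid = values.get("sid", "0")
    rules = [base + ["-j", "LOG", "--log-prefix", f"[SID{sid}] "]]
    if m["action"] == "drop":
        rules.append(base + ["-j", "DROP"])
    return rules


def render(rules):
    """Shell-quoted command lines, one per iptables invocation."""
    return [shlex.join(r) for r in rules]


# Constructed rules with local-range sids, not signatures from a real set.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cmd.exe request"; '
    'content:"cmd.exe"; nocase; sid:1000001; rev:1;)',
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP bare CRLF probe"; '
    'content:"|0d 0a|"; sid:1000002; rev:1;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"needs pcre"; '
    'content:"/"; pcre:"/x{2}/"; sid:1000003; rev:1;)',
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        converted = snort_to_iptables(rule)
        print("\n".join(render(converted)) if converted else f"skipped: {rule}")
```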


Figure 3.2 Services monitored by Nagios [8]

To monitor Windows hosts we can use the SNMP protocol directly or use the NSClient++ software (with SNMP integration) to collect more information from the Windows machine.

Figure 3.3 Monitoring services on Windows through NSClient [13]

Similarly, we can use SNMP to monitor Linux machines by installing the NRPE package (with SNMP integration) to monitor the host and the services on the Linux machine.

Figure 3.4 Nagios monitoring services on a Linux machine through NRPE [13]

Besides monitoring Windows and Linux servers, Nagios also monitors the activity of other network devices such as routers, switches and printers.

Figure 3.5 Nagios monitoring a printer [13]

Monitoring routers and switches:

Figure 3.6 Nagios monitoring routers and switches [13]

Common network services such as HTTP, FTP, SMTP, POP3, etc. are also monitored by Nagios.

Figure 3.7 Nagios monitoring network services and network devices

In addition, Nagios draws a diagram showing the operating state of the hosts taking part in the network.

Figure 3.8 State diagram of the hosts active on the network

Beyond monitoring devices and network services, when integrated with the Cacti software Nagios gains a few more features, the most notable of which is sending warnings by e-mail and SMS about changes in the system through an SMS gateway.

Figure 3.9 Nagios sending warnings by e-mail or SMS

The system state parameters used as arguments when sending warnings are:
- Service parameters: $SERVICESTATE$, $SERVICESTATETYPE$, $SERVICEATTEMPT$
- Host parameters: $HOSTSTATE$, $HOSTSTATETYPE$, $HOSTATTEMPT$

3.6 Traffic monitoring with Cacti

Cacti is open source software that supports monitoring network traffic. In the system, Cacti is used to monitor the traffic through the central switches, routers and servers and the traffic on the links between the devices in the network. The operation of Cacti is shown as follows:

Hnh 3.10 M hnh hot ng ca Cacti Thu thp d liu: Cacti thu thp d liu thng qua poller. Poller l mt ng dng hot ng theo nhng khong thi gian xc nh. Trong Unix/Linux th Poller c thit lp t chng trnh lp lch crontab. Cacti th hin lu lng qua cc th trc quan, thi gian thc. iu ny gip cho ngi qun tr theo di c tnh trng hot ng ca cc thit b v dch v trong h thng v pht hin nhng bt thng xy ra. Nhng bt thng ny c th l nhng du hiu ca tn cng xm nhp hoc s qu ti ca mt s thit b mng trong h thng.

51

Cacti s dng giao thc SNMP thu thp thng tin t cc thit b, lu tr thng tin v v hnh trn cc th.

Hnh 3.11 Trao i thng tin SNMP gia Cacti v thit b[9] Lu tr d liu: c th to ra nhng th v trng thi hot ng ca cc thit b cn gim st, Cacti phi cn thu thp v lu tr d liu. Nu l mt h thng mng ln th yu cu phi c phng php qun l d liu cho vic theo di trng thi hot ng ca thit b. Trong m hnh thc nghim ca lun vn ny, d liu thu thp c t SNMP c lu tr vo c s d liu ca MySQL.

Hnh 3.12 D liu Cacti thu thp c qua SNMP[9] Trnh by d liu: S dng cng c RRDTool trnh by d liu di dng cc th vi c s d liu thu thp c t SNMP v c lu tr trong database.

52

Cacti c kh nng gim st lu lng vo/ra cc cng ca thit b cn theo di; gim st mc hot ng ca CPU v b nh; cho php a s mng trc quan vo h thng v tng tc vi m hnh ny. Ngoi ra, Cacti pht bo ng khi c s c, cc s c ny c ch ra cho h thng nh: c mt thit b ang gim st ngng hot ng, lu lng vt qu mt ngng c thit lp trc

Figure 3.13 Cacti showing traffic as real-time graphs [9].
Out of the box Cacti has few features; in its default configuration it only offers two sections, Console and Graph. The Console section is where parameters are adjusted, such as choosing which device to monitor, and the Graph section displays the traffic graphs. An important property of Cacti is that many other components, and many other programs, can be integrated into it. This property is essential to the idea pursued in this thesis: building one integrated system that supports network monitoring. In this thesis the following components are integrated into Cacti:
- Realtime: lets Cacti fetch information in real time and schedules the program that collects information from the monitored network devices.
- Update: supports updating to new versions from the Internet.
- Settings: adds tools for configuring advanced features.
- Manage: monitors the state of network devices and raises an audible alarm when a host goes down.
- Weathermap: draws the network diagram and monitors the traffic between the network devices in the system.
- BASE: monitors Snort through a web interface.
- Nagios: monitors hosts and network services in detail.
- SSL: uses port 443 (https) for access to Cacti.

Figure 3.14 Configuration in ../var/www/cacti/include/global.php

3.7 The Gnokii SMS alerting system
Gnokii is an open-source program for communicating with a GSM/GPRS device in order to send SMS messages. Depending on the GSM/GPRS device used, Gnokii is configured differently. In the experimental model of this thesis the GSM/GPRS device is connected to the Linux machine through a COM port and is accessed as /dev/ttyS0.


The syntax for sending an SMS message is:
printf <message> | gnokii --sendsms <phone number>
This command is placed in Nagios so that the system sends an SMS automatically when a (pre-configured) incident occurs. SMS alerting for Snort is set up in the file SnortNotify.conf.

Figure 3.15 SMS alert settings for Snort in the file SnortNotify.conf.
The alert parameters and the alert commands come from Snort (intrusion alerts) and Nagios (alerts on the operating state of hosts and services).

3.8 Proposed model combining Snort, Fwsnort, Nagios and Cacti
The proposed model combines the features and management of these tools under one common interface on Cacti; the components are integrated (as plugins) into Cacti's management interface. The system is divided into three functional blocks:
+ The network intrusion detection and prevention block.
+ The visual system monitoring block: monitoring traffic through the ports of routers, switches and servers, CPU and memory activity, etc.; monitoring some network services (HTTP, FTP, ...); and monitoring the operating state of the network devices.
+ The alerting block: alerts by web, e-mail and SMS.

CHAPTER 4: DEVELOPING A NETWORK MONITORING AND INTRUSION DETECTION SYSTEM BASED ON OPEN SOURCE
This chapter presents the proposed model combining Snort, Fwsnort, Nagios and Cacti into a visual and convenient network monitoring system. The main functions of this monitoring system are:
- Detecting network intrusions with Snort.
- Preventing intrusions with Fwsnort.
- Tracking the activity of network devices such as routers, switches and servers, and of some network services, through graphs produced by Cacti and Nagios.
- Alerting the network administrator when an intrusion occurs or a network device or service stops working, by means of a web alert, e-mail and an SMS message to a mobile phone.


4.1 Experimental deployment model

Figure 4.1 Experimental deployment model.
Functions of the monitoring system:
- Alert by web, e-mail and SMS when an attack is made on the web server.
- Alert by SMS when a host (server, router, switch) or a network service stops working.
- Monitor network traffic through the interfaces of routers, switches and servers, shown as visual real-time graphs, and visually monitor the traffic between connected devices.

4.2 Experimental installation
The main software programs used in the monitoring system are:
- Snort.
- Fwsnort.
- Cacti.
- Nagios.
- SMS Gateway.
- Sendmail.
The experimental installation follows the steps below in order.

4.2.1 Installing Gnokii
The open-source program Gnokii is used to connect to the GSM/GPRS modem. In this experiment the GSM/GPRS modem is connected to the Cacti server through port COM1 (/dev/ttyS0) [4].
# ./configure
# gmake
# gmake install
After installing Gnokii, set the following parameters in its configuration file:
- Use the AT command set: model = AT
- Check the connection to the GSM modem:
# gnokii --identify
- Test sending an SMS from the command line:
# printf "<message>" | gnokii --sendsms <phone number>
or
# echo "<message>" | gnokii --sendsms <phone number>
The installation and configuration of Gnokii are described in detail in Appendix A of this report.


4.2.2 Installing Snort
Installing Snort requires the following environment packages:
# install mysql, mysql-bench, mysql-server, mysql-devel, mysqlclient10, php-mysql, httpd, gcc, pcre-devel, gd, php-gd, mod_ssl, glib2-devel, gcc-c++, libpcap-devel, php-pear [12]
Installation steps:
+ httpd: installed for management through the web interface.
+ mysql: create the snort database to store information about network attack signatures.
+ Install and configure Snort and update the rules: set the parameters for the network to be monitored (here 192.168.7.0/24), set the path to the snort database, and grant access rights to the snort user.
+ Install and configure adodb and BASE to monitor Snort through the web interface.
+ Set up alerting for Snort when an attack occurs: the information Snort collects about monitored events is produced in real time and recorded in MySQL. The alerting system regularly reads new information from the database; the alert details are extracted from the database and placed in the variable $emailmessage, and this message is delivered to the network administrator by SMS and e-mail.
+ Send the message in $emailmessage by SMS:
# open a pipe to the sendsms wrapper and write the message to it
open(MAIL, "| sendsms 0983929445") or die "cannot run sendsms: $!";
print MAIL $emailmessage;
close(MAIL);
+ Send the message in $emailmessage by e-mail (using Sendmail):
# -t reads the recipients from the headers, -oi keeps a lone "." from ending the input
open(MAIL, "| $sendmail -t -oi") or die "cannot run sendmail: $!";
print MAIL "From: $sender\n";
print MAIL "Return-Path: $return\n";
print MAIL "To: $to\n";
print MAIL "Subject: $subject\n";
print MAIL "\n";            # blank line separates headers from the body
print MAIL $emailmessage;
close(MAIL);
+ Use crontab to schedule the program that extracts alert information from Snort to run once a minute; the schedule file points to SnortNotify.pl:
*/1 * * * * /var/snortnotify-v2.1/SnortNotify.pl
+ Start Snort:
# snort -c /etc/snort/etc/snort.conf -i eth0
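The alert-extraction step described above (the job SnortNotify.pl performs from cron every minute) as an added Python example; it is not the SnortNotify.pl script used in the thesis. Table and column names follow Snort's create_mysql.sql (event, signature, iphdr), an in-memory SQLite database stands in for the MySQL snort database, and the rows in demo_db() are constructed sample alerts.

```python
"""Pull new Snort alerts from the database and turn them into one message."""
import socket
import sqlite3
import struct
import subprocess

SMS_LIMIT = 160   # one GSM SMS in the 7-bit alphabet


def int_from_ip(ip):
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def ip_from_int(value):
    """Snort stores IPv4 addresses as unsigned 32-bit integers."""
    return socket.inet_ntoa(struct.pack("!I", value))


def fetch_new_alerts(conn, sensor_id, last_cid):
    """Events with cid > last_cid for one sensor, oldest first.

    Keeping last_cid between runs (e.g. in a small state file) is what
    stops a job that runs every minute from re-sending the same alerts.
    """
    return conn.execute(
        """SELECT e.cid, e.timestamp, s.sig_sid, s.sig_priority, s.sig_name,
                  i.ip_src, i.ip_dst
           FROM event e
           JOIN signature s ON s.sig_id = e.signature
           LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
           WHERE e.sid = ? AND e.cid > ?
           ORDER BY e.cid""", (sensor_id, last_cid)).fetchall()


def build_message(rows):
    """Return (message text, highest cid seen); ('', None) when nothing is new."""
    if not rows:
        return "", None
    lines = ["[Snort] %d new alert(s)" % len(rows)]
    for cid, ts, sid, prio, name, src, dst in rows:
        lines.append("%s sid=%s prio=%s %s %s->%s" % (
            ts, sid, prio, name,
            ip_from_int(src) if src is not None else "?",
            ip_from_int(dst) if dst is not None else "?"))
    return "\n".join(lines), rows[-1][0]


def sms_text(message):
    """Trim to a single SMS; longer text would be split or rejected by the modem."""
    return message[:SMS_LIMIT]


def gnokii_argv(phone):
    # Same invocation as 'printf <message> | gnokii --sendsms <number>'
    return ["gnokii", "--sendsms", phone]


def send_sms(message, phone, run=subprocess.run):
    """Pipe the text into gnokii directly, without a shell, so alert text is never re-parsed."""
    run(gnokii_argv(phone), input=sms_text(message).encode(), check=True)


def demo_db():
    """Constructed sample data in Snort's schema: sensor 1, two sid:237 events."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
            sig_class_id INTEGER, sig_priority INTEGER, sig_rev INTEGER,
            sig_sid INTEGER, sig_gid INTEGER);
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
            timestamp TEXT, PRIMARY KEY (sid, cid));
        CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER,
            ip_dst INTEGER, ip_proto INTEGER);
    """)
    conn.execute("INSERT INTO signature VALUES (1, 'DDOS Trin00 Master to Daemon "
                 "default password attempt', 1, 2, 2, 237, 1)")
    for cid, ts, src, dst in [
        (1, "2011-03-01 10:00:01", "10.0.0.5", "192.168.7.10"),
        (2, "2011-03-01 10:00:07", "10.0.0.5", "192.168.7.11"),
    ]:
        conn.execute("INSERT INTO event VALUES (1, ?, 1, ?)", (cid, ts))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?, 17)",
                     (cid, int_from_ip(src), int_from_ip(dst)))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = demo_db()
    text, newest = build_message(fetch_new_alerts(db, 1, 0))
    print(text)
    print("next run starts after cid", newest)
```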

The detailed Snort installation steps are given in Appendix B, Installation and configuration guide for Snort.

4.2.3 Installing Fwsnort
Before installing Fwsnort, iptables must already be installed on the system: iptables is what acts on Snort's alerts and, like Snort, it works from rule sets.
[iptablesfw]# tar xfj fwsnort-1.1.tar.bz2
[iptablesfw]# cd /usr/local/src/fwsnort-1.1
[iptablesfw]# ./install.pl
[+] mkdir /etc/fwsnort
[+] mkdir /etc/fwsnort/snort_rules
[+] Installing the Net::IPv4Addr Perl module
[+] Installing the IPTables::Parse Perl module
[+] Would you like to download the latest Snort rules from http://www.bleedingsnort.com? ([y]/n)? y
--22:01:11-- http://www.bleedingsnort.com/bleeding-all.rules
=> `bleeding-all.rules'
Resolving www.bleedingsnort.com... 69.44.153.29
Connecting to www.bleedingsnort.com[69.44.153.29]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 292,192 [text/plain]
100%[======================================>] 292,192 109.94K/s
22:01:17 (109.77 KB/s) - `bleeding-all.rules' saved [292,192/292,192]
[+] Copying all rules files to /etc/fwsnort/snort_rules
[+] Installing snmp.rules
[+] Installing finger.rules
[+] Installing info.rules
[+] Installing ddos.rules
[+] Installing virus.rules
[+] Installing icmp.rules
[+] Installing dns.rules
[+] Installing rpc.rules
[+] Installing backdoor.rules
[+] Installing scan.rules
[+] Installing shellcode.rules
[+] Installing web-client.rules
[+] Installing web-cgi.rules
[+] Installing exploit.rules
[+] Installing attack-responses.rules
[+] Installing web-attacks.rules
[+] Installing fwsnort.8 man page as /usr/share/man/man8/fwsnort.8
[+] Compressing manpage /usr/share/man/man8/fwsnort.8
[+] Copying fwsnort.conf -> /etc/fwsnort/fwsnort.conf
[+] Copying fwsnort -> /usr/sbin/fwsnort
[+] fwsnort will generate an iptables script located at: /etc/fwsnort/fwsnort.sh when executed.
[+] fwsnort has been successfully installed!
The Snort rule sets are then converted into iptables rule sets that can be applied.

Figure 4.2 Converting Snort rule sets into iptables rules.
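The conversion shown in Figure 4.2, as an added Python example of what fwsnort does for a plain content-match rule; this is not fwsnort's own code. It covers only the rule header and the msg, content, reference, classtype, sid and rev options (hex content, content modifiers and PCRE are rejected), resolves $HOME_NET to the value used in this section, and assumes $EXTERNAL_NET = any; the sid:237 rule from ddos.rules discussed in this section is embedded as sample input.

```python
"""Snort rule -> iptables string-match rule, the translation fwsnort performs."""
import re

# Snort variables that fwsnort resolves from fwsnort.conf.
# $HOME_NET is the value used on this page; $EXTERNAL_NET = "any" is an assumption.
VARS = {"$HOME_NET": "192.168.10.0/24", "$EXTERNAL_NET": "any"}

# The sid:237 rule from ddos.rules, as quoted in this section.
TRIN00_RULE = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 27444 '
    '(msg:"DDOS Trin00 Master to Daemon default password attempt"; '
    'content:"l44adsl"; reference:arachnids,197; classtype:attempted-dos; '
    'sid:237; rev:2;)'
)

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|drop)\s+(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$"
)
# key:value; pairs inside the parentheses; a quoted value may itself contain ';'
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')


def parse_rule(text):
    """Return (header dict, options dict); repeated keys such as reference become lists."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule header: " + text)
    opts = {}
    for key, value in OPTION_RE.findall(m.group("opts")):
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        opts.setdefault(key, []).append(value)
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")}
    return header, opts


def to_iptables(header, opts, chain="FWSNORT_FORWARD", rule_num=1):
    """Build the iptables command in the shape fwsnort writes into fwsnort.sh."""
    content = opts.get("content", [None])[0]
    if content is None or "|" in content:
        raise ValueError("only plain-text content matches are supported here")
    sid = opts["sid"][0]
    parts = ["$IPTABLES", "-A", chain]
    src = VARS.get(header["src"], header["src"])
    dst = VARS.get(header["dst"], header["dst"])
    if src != "any":
        parts += ["-s", src]
    if dst != "any":
        parts += ["-d", dst]
    parts += ["-p", header["proto"]]
    if header["sport"] != "any":
        parts += ["--sport", header["sport"]]
    if header["dport"] != "any":
        parts += ["--dport", header["dport"]]
    # Boyer-Moore search of the packet payload for the signature string
    parts += ["-m", "string", "--string", '"%s"' % content, "--algo", "bm"]
    comment = "sid:%s; msg: %s; classtype: %s; reference: %s; rev: %s; FWS:1.0;" % (
        sid, opts.get("msg", [""])[0], opts.get("classtype", [""])[0],
        ", ".join(opts.get("reference", [])), opts.get("rev", ["1"])[0])
    parts += ["-m", "comment", "--comment", '"%s"' % comment]
    # LOG target as in the output shown on this page; fwsnort can also emit DROP/REJECT
    parts += ["-j", "LOG", "--log-ip-options", "--log-prefix",
              '"[%d] SID%s "' % (rule_num, sid)]
    return " ".join(parts)


def translate(text):
    header, opts = parse_rule(text)
    return to_iptables(header, opts)


if __name__ == "__main__":
    print(translate(TRIN00_RULE))
```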


Example: the DDoS tool Trin00 has the Snort rule with sid 237:
alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00 Master to Daemon default password attempt"; content:"l44adsl"; reference:arachnids,197; classtype:attempted-dos; sid:237; rev:2;)
Using Fwsnort to convert it to iptables:
[iptablesfw]# fwsnort --snort-sid 237
[+] Parsing Snort rules files...
[+] Found sid: 237 in ddos.rules
Successful translation.
The result after conversion to iptables:
$IPTABLES -A FWSNORT_FORWARD -d 192.168.10.0/24 -p udp --dport 27444 -m string --string "l44adsl" --algo bm -m comment --comment "sid:237; msg: DDOS Trin00 Master to Daemon default password attempt; classtype: attempted-dos; reference: arachnids,197; rev: 2; FWS:1.0;" -j LOG --log-ip-options --log-prefix "[1] SID237 "

4.2.4 Installing Nagios
Defining the SMS alert commands
By default there is no command for sending alerts by SMS, only by e-mail. For the program to send SMS messages, additional commands are defined for the system in the file commands.cfg. The commands chosen for sending SMS are:
- notify-host-by-sms: sends an SMS when a host has a problem (for example, the host goes down).
- notify-service-by-sms: sends an SMS when a service on a host has a problem (for example, the service stops). Which problems count is decided by the administrator through the variables that take events from the system.
+ Monitoring devices (hosts) and services
To monitor devices, they must be defined in the configuration file with the following syntax:

Figure 4.3 Configuration in Nagios.
Installing Nagios requires the following mandatory packages [13]:
# yum install httpd gcc glibc glibc-common gd gd-devel php
Create the Nagios user:
# useradd -m nagios
Create the nagcmd group and add the nagios and apache users to it:
# groupadd nagcmd
# usermod -a -G nagcmd nagios
# usermod -a -G nagcmd apache
Install Nagios from the source downloaded from the software's website:
# ./configure --with-command-group=nagcmd
# make all
# make install
# make install-init
# make install-config
# make install-commandmode
Detailed installation and configuration instructions for Nagios are given in Appendix C of this report.

4.2.5 Installing Cacti
This section presents the installation and configuration of Cacti and the integration of Snort and Nagios into it [3].
Packages required beforehand: RRDTool, NET-SNMP, MySQL, PHP, Apache.
Installing Cacti:
+ Create an account: username cactiuser, password cactiuser.
+ Create the database: cacti.
+ Set the parameters in the Cacti configuration file.
+ Install spine: lets the system poll the hosts for information periodically.
+ Integrate the following plugins into Cacti:
- Architecture: the base layer, installed first, that lets Cacti integrate the other components.
- Settings: lets Cacti configure the parameters of the integrated components.


- Realtime: lets some integrated components work in real time.
- Manage: supports monitoring the network devices and raising audible alerts.
- Update: lets the components in Cacti update to new versions over the Internet.
- Nagios: the component that monitors and tracks hosts and network services.
- BASE (Snort): tracks the alerts from Snort.
- SSL: secures Cacti by using port 443 (HTTPS).
The installation and configuration of Cacti are described in detail in Appendix D of this report.
In practice, integrating these open-source programs ran into many difficulties because each program has its own database; in addition, the operation of specific network devices such as routers and switches has to be tracked.
Configuration of a router:
Building configuration...
Current configuration : 872 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Saigon
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
interface FastEthernet0/0
 ip address 192.168.7.111 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.4.1 255.255.255.0
 duplex auto
 speed auto
!
!
no ip http server
no ip http secure-server
!
snmp-server host 192.168.7.123 public
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end
Configuration of the switch (sh run):
Building configuration...
Current configuration : 1634 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CoreSwitch
!
no aaa new-model
system mtu routing 1500
interface Vlan1
 ip address 192.168.1.112 255.255.255.0
 no ip route-cache
ip http server
snmp-server host 192.168.7.123 public
!
control-plane
!
line con 0
line vty 5 15
!
end
To monitor a device, its parameters must be declared in Cacti so that there is data to track and monitor.

Figure 4.4 Setting the parameters of a device to be monitored [9].


Figure 4.5 Display of the traffic collected over SNMP.
Setting up SMS alerts for when a monitored service has a problem:
+ The syntax of the alert command is placed in /usr/local/nagios/etc/object/command.cfg

Figure 4.6 Syntax of the command that sets up SMS alerting.
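The notify-host-by-sms and notify-service-by-sms commands described in 4.2.4 and Figure 4.6, as an added Python example; this is not the thesis's own commands.cfg or script. The docstring shows the assumed command definitions: Nagios hands its macros to the script as separate arguments, so $HOSTOUTPUT$ / $SERVICEOUTPUT$ (text produced by the check plugin) is never spliced into hand-written shell quoting in command_line. The install path /usr/local/nagios/libexec/sms_notify.py is an assumption; the contact's pager field holds the phone number (0983929445 on this page).

```python
#!/usr/bin/env python3
"""Notification script behind notify-host-by-sms / notify-service-by-sms.

Assumed definitions in commands.cfg:

define command{
    command_name    notify-host-by-sms
    command_line    /usr/local/nagios/libexec/sms_notify.py host "$CONTACTPAGER$" "$HOSTNAME$" "$HOSTSTATE$" "$HOSTSTATETYPE$" "$HOSTATTEMPT$" "$MAXHOSTATTEMPTS$" "$HOSTOUTPUT$"
}
define command{
    command_name    notify-service-by-sms
    command_line    /usr/local/nagios/libexec/sms_notify.py service "$CONTACTPAGER$" "$HOSTNAME$" "$SERVICESTATE$" "$SERVICESTATETYPE$" "$SERVICEATTEMPT$" "$MAXSERVICEATTEMPTS$" "$SERVICEOUTPUT$" "$SERVICEDESC$"
}
"""
import re
import subprocess
import sys

SMS_LIMIT = 160   # one GSM SMS in the 7-bit alphabet


def host_text(hostname, state, state_type, attempt, max_attempts, output):
    return "Nagios HOST %s %s (%s %s/%s): %s" % (
        hostname, state, state_type, attempt, max_attempts, output)


def service_text(hostname, desc, state, state_type, attempt, max_attempts, output):
    return "Nagios SVC %s/%s %s (%s %s/%s): %s" % (
        hostname, desc, state, state_type, attempt, max_attempts, output)


def fit_sms(text):
    """Collapse whitespace, drop non-ASCII (keeps the 7-bit 160-char budget), truncate."""
    text = re.sub(r"\s+", " ", text).strip()
    text = text.encode("ascii", "replace").decode("ascii")
    return text[:SMS_LIMIT]


def gnokii_argv(phone):
    # Same as 'printf <message> | gnokii --sendsms <number>' from section 3.7
    return ["gnokii", "--sendsms", phone]


def send_sms(text, phone, run=subprocess.run):
    """Feed the message to gnokii on stdin; no shell is involved."""
    run(gnokii_argv(phone), input=fit_sms(text).encode(), check=True)


def main(argv):
    if len(argv) < 3:
        raise SystemExit("usage: sms_notify.py host|service <phone> <macros...>")
    kind, phone, rest = argv[1], argv[2], argv[3:]
    if kind == "host" and len(rest) == 6:
        text = host_text(*rest)
    elif kind == "service" and len(rest) == 7:
        hostname, state, state_type, attempt, max_attempts, output, desc = rest
        text = service_text(hostname, desc, state, state_type, attempt, max_attempts, output)
    else:
        raise SystemExit("usage: sms_notify.py host|service <phone> <macros...>")
    send_sms(text, phone)


if __name__ == "__main__":
    main(sys.argv)
```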


4.3 Experimental results

Figure 4.7 The Cacti screen with the monitoring features integrated.

Figure 4.8 Monitoring the activity of the Cisco switch through the interface.


Figure 4.9 Monitoring the state of the devices.

Figure 4.10 Graphs of the devices [9].

Figure 4.11 Overview of Snort alerts in the web interface.


Figure 4.12 Snort alert details in the web interface [10].

Figure 4.13 Some services running on one host [10].


Figure 4.14 Visual monitoring of network traffic.

Figure 4.15 Graph of network link traffic.
Testing the operation of the network monitoring system: port-scanning and attack tools were run against the web server:
- Blue Port Scanner
- SolarWinds
- DoSHTTP

Figure 4.16 Some HTTP service alerts on the web server.

CHAPTER 5: CONCLUSIONS, RESULTS ACHIEVED AND FUTURE DIRECTIONS OF THE THESIS


5.1 Conclusions
Convenient, fast and effective monitoring of network activity is a major need for network administrators, and for large networks it becomes an indispensable tool. The model proposed in this thesis combines several open-source tools into a visual, fast and convenient network monitoring system that meets real-world monitoring requirements.
Snort is a network intrusion detection system based on rule sets. The rules are updated regularly by the open-source community, and because they form an open system, the network administrator can edit them and add new ones to suit the local network and counter new forms of attack.
Cacti is a strong tool for detailed tracking of the system's operating state, especially the traffic passing through switches, routers and servers. It lets the administrator follow the state of the system's devices visually through many different kinds of display.
Nagios is a tool specialised in monitoring servers and the network services on them: the state of a network service, the activity of CPU and memory, and so on.
The alerting system presented in this thesis is very flexible and can send alerts by e-mail and SMS. This is convenient for the administrator and allows incidents to be picked up quickly and effectively.
The combination of Snort, Nagios, Cacti and the SMS alerting system forms an effective solution that helps the network administrator monitor the system better and detect anomalies in the network quickly.

5.2 Results achieved
Securing the network of an organisation or enterprise is now a major need, in order to protect the data and to keep the exchange of information over the computer network safe from leaks. Studying intrusion detection and prevention for a network helps administrators manage it conveniently, detect early the signs of attacks on the network from outside, and take corrective measures that make the network safer. The open-source tools that support network monitoring allow us to customise them and to use them widely in enterprise networks at low cost.
This thesis introduces an effective solution for monitoring a network that not only helps detect attacks and intrusions but also monitors the operation of the system visually, quickly and conveniently. Alerting by e-mail and by SMS gives the administrator the flexibility to be reached anytime, anywhere, so that incidents are detected quickly and handled in time.
Results achieved:
+ Understanding how network intrusion detection and prevention systems work.
+ Understanding how the Snort intrusion detection system works.
+ Understanding how the FwSnort intrusion prevention system works.
+ Understanding how the Nagios device and service monitoring system works.


+ Understanding how the Cacti traffic monitoring system works.
+ Installing and configuring a network monitoring system based on the open-source programs Snort, Nagios and Cacti.
+ Installing an alerting system that works over the web, e-mail and SMS.
This thesis is highly deployable and applicable in practice.

5.3 Scientific and practical significance
5.3.1 Scientific significance
The thesis gives the most general view of a system for monitoring, detecting and preventing network intrusions, of network attack methods, and of network security solutions. Alongside this, it builds a monitoring system that alerts the administrator by e-mail or SMS, making network administration more mobile and safer.
5.3.2 Practical significance
The thesis will be applied directly in the author's organisation, and can be extended to the whole sector in which the author works, because it is built on open source, is completely free, and meets the organisation's needs. In addition, the research can be applied widely in other units and enterprises, since it requires no investment and the results are feasible. It gives administrators an integrated toolset for network monitoring and intrusion detection that makes tracking and administering their network easier, more visual and more effective.

5.4 Future directions
+ Completing the program's functions: adding alerts to the administrator by sound (audio), and automatic updating of the Snort rules.
+ Monitoring the system across a WAN environment:


At present the model is applied to the internal network of one enterprise and cannot yet be applied to a network in a WAN environment, so further research and development is needed.

REFERENCES


A. Vietnamese
[1] Ngô Vi Đồng (2009), Current state of information security in the southern region, Information Security Day 2009.
[2] Trng Cm, Vietnamnet.vn online newspaper (2010), Information security in Vietnam: plenty of awareness, little enforcement.
[3] Installation and configuration guide for the config file of the Cacti monitoring system, forum post at http://www.asterisk.vn/forum/viewtopic.php?f=18&t=174 (2010).
[4] Installing and configuring the Gnokii SMS gateway, post at http://forum.niit.vn/archive/index.php/t-20359.html, author hieunh, February 2011.
[5] Types of network attacks, author LeHoanPC, March 2008, http://www.quantrimang.com.vn/baomat/giaiphapbaomat/22_Cac-kieu-tancong-mang.aspx.
[6] Network security vulnerabilities, http://vinasupport.com/2010/lo-hong-baomat/, author manlivo189, 25/3/2010.
[7] Intrusion detection systems (IDS), http://www.quantrimang.com.vn/kienthuc/kien-thuc-co-ban/37334_He-thongphat-hien-xam-pham-IDS-Phan-1.aspx, author VanLinh, 24/01/2007.

B. English
[8] Max Schubert, Derrick Bennett (2008), Nagios 3 Enterprise Network Monitoring Including Plug-ins and Hardware Devices, Syngress.
[9] Dinangkur Kundu, S.M. Ibrahim Lavlu (2009), Cacti 0.8 Network Monitoring, Packt Publishing.
[10] Rafeeq Ur Rehman (2003), Intrusion Detection with Snort: Advanced IDS Techniques using Snort, Apache, MySQL, PHP, and ACID, Prentice Hall PTR.
[11] Nagios NRPE Document (1997-2000), NDOUtil Database Model (2006-2007), Ethan Galstad.
[12] The Snort Project (2009), Snort Users Manual 2.8.5.
[13] David Josephsen (2007), Building a Monitoring Infrastructure with Nagios, Prentice Hall.

APPENDICES
APPENDIX A: Installation and configuration guide for the Gnokii GSM gateway

Step 1: Prepare the source
- Download the software from http://www.gnokii.org (gnokii-0.6.28.tar.gz)
- Copy the packages to /usr/gnokii-soft
Step 2: Unpack the gnokii source
# tar -zxvf gnokii-0.6.28.tar.gz
Step 3: Install
Note: the gcc package (# yum install gcc) and intltool (# yum install intltool) must be installed first.
- Change into the unpacked directory gnokii-0.6.28:
# cd /gnokii-0.6.28
# ./configure
# gmake
# gmake install
Step 4: Adjust the configuration file
- Copy Docs/sample/gnokiirc to /etc/gnokiirc:
# cp ../Docs/gnokiirc /etc/gnokiirc
- Adjust the configuration in /etc/gnokiirc according to the GSM/GPRS modem (attached to COM1 (/dev/ttyS0) or USB (/dev/ttyUSB0)):
# vi /etc/gnokiirc
Remove the # from the line "model = AT", add a # in front of the lines "model = 6510" and TELEPHONE, and set debug = off.
- Copy gnokiirc to /root/:
# cp /etc/gnokiirc /root/.gnokiirc
Step 5: Check that the device is connected to the computer
# gnokii --identify
Note: if the parameters of the GSM/GPRS modem are displayed, the computer has recognised the device. Example:
# gnokii --identify
GNOKII Version 0.6.28
IMEI : 351047888189814
Manufacturer : WAVECOM MODEM
Model : MULTIBAND 900E 1800
Product name : MULTIBAND 900E 1800
Revision : 641b09gg.Q2403! 132
Test sending an SMS from the command line:
# printf "Test SMS" | gnokii --sendsms <phone number>

APPENDIX B: Installation and configuration guide for Snort
Step 1: Packages that must be installed before installing Snort
# yum -y install mysql mysql-bench mysql-server mysql-devel mysqlclient10 php-mysql httpd gcc pcre-devel php-gd gd mod_ssl glib2-devel gcc-c++ libpcap-devel php php-pear
Step 2: Enable and start the required services
- Use the following commands to enable the services:
# /sbin/chkconfig httpd on
# /sbin/chkconfig mysqld on
- Use the following commands to start the services:
# /sbin/service httpd start
# /sbin/service mysqld start
Step 3: Check the Apache server
Go to /var/www/html and download the file index.php.txt as follows:
# cd /var/www/html
# wget http://www.internetsecurityguru.com/index.php.txt
Rename the downloaded file to index.php:
# mv index.php.txt index.php
Open a browser and enter the address http://<ip of the machine being configured>/index.php
Step 4: Create the snort account for access to the system and the MySQL database
# /usr/sbin/groupadd snort
# /usr/sbin/useradd -g snort snort -s /sbin/nologin
Set a password for the snort user:
# passwd snort
Step 5: Download the packages needed to install Snort
Download the package snort-2.8.5.1.tar.gz and unpack it:
# tar xvzf snort-2.8.5.1.tar.gz
Change into the unpacked directory and run the following commands to install:
# chmod +x ./configure
# ./configure --with-mysql --enable-dynamicplugin
# make
# make install
Create the directory that holds the installation files and runs snort:
# mkdir /etc/snort
Unpack and copy the whole of snortrules-snapshot-2.7.tar.gz into the newly created /etc/snort:
# cd /etc/snort
# tar xvzf snortrules-snapshot-2.7.tar.gz
Edit the file snort.conf in /etc/snort/etc/snort.conf; this is snort's main configuration file, which snort reads on start-up to initialise the required parameters. Open and edit snort.conf as root:
# vi /etc/snort/snort.conf
Change the following lines:
- Find the line "var HOME_NET any" and change it to "var HOME_NET 192.168.3.0/24" if the internal network is 192.168.3.0.
- Fix the path to the rules library: find the line "var RULE_PATH ../rules" and change the path to:
var RULE_PATH /etc/snort/rules
Step 6: Configure Snort to log to the MySQL database
Find the output section with the line:
# output database: log, mysql, user=root password=test dbname=db host=localhost
Remove the # and change it to:
output database: log, mysql, user=snort password=<password> dbname=snort host=localhost
Step 7: Set up the database in MySQL
# mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');
>Query OK, 0 rows affected (0.25 sec)
(not needed: already created during the Cacti installation)
mysql> create database snort;
>Query OK, 1 row affected (0.01 sec)
mysql> grant INSERT,SELECT on root.* to snort@localhost;
>Query OK, 0 rows affected (0.02 sec)
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password_from_snort.conf');
>Query OK, 0 rows affected (0.25 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
>Query OK, 0 rows affected (0.02 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
>Query OK, 0 rows affected (0.02 sec)
mysql> exit
>Bye
- Run the following command to import the snort database into MySQL:
# mysql -u root -p snort < /etc/snort/snort-2.8.5.1/schemas/create_mysql.sql
Enter password: <mysql root password>
- Then check the MySQL database as follows:
# mysql -p
>Enter password:
mysql> show databases;
+------------+
| Database   |
+------------+
| mysql      |
| snort      |
| test       |
+------------+
3 rows in set (0.00 sec)
mysql> use snort
>Database changed
mysql> show tables;
Step 8: Install BASE
- Install ADODB:
# cd /var/www/html
# tar xzf /root/snortinstall/adodb495.tgz
- Install BASE:
# cd /var/www/html
# tar xvzf /root/snortinstall/base-1.4.0.tar.gz
- Rename the directory:
# mv base-1.4.0 base/
Copy base_conf.php.dist to base_conf.php:
# cd base/
# cp base_conf.php.dist base_conf.php
- Edit the BASE configuration as follows:
$BASE_urlpath = "/base";
$DBlib_path = "/var/www/html/adodb/";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "password_from_snort_conf";
Check by opening a browser at the following address: http://<server ip>/base
After this step the Snort IDS is installed on the system, and the administrator monitors the system and the IDS alerts through the BASE web page just installed.

APPENDIX C: Installation and configuration guide for Nagios
Step 1: Install the required library and service packages
# yum install httpd gcc glibc glibc-common gd gd-devel php [11]
Step 2: Create the account and group used to run commands from the web interface
# useradd -m nagios
Create the nagcmd group and add the nagios and apache users to it:
# groupadd nagcmd
# usermod -a -G nagcmd nagios
# usermod -a -G nagcmd apache
Step 3: Create the directory and download the Nagios installation files
# mkdir /opt/Nagios
Download the Nagios core and plugin packages from http://www.nagios.org/download/download.php. The packages used here are nagios-3.3.1.tar.gz and nagios-plugins-1.4.15-35-g355a.tar.gz.
Step 4: Install Nagios
Unpack both files in the Nagios directory just created:
# cd /opt/Nagios
# tar xzvf nagios-3.3.1.tar.gz
# cd nagios-3.3.1
Configure and compile Nagios:
# ./configure --with-command-group=nagcmd
# make all
# make install
# make install-init
# make install-config
# make install-commandmode
After this step Nagios is ready in /usr/local/nagios.
Step 5: Install the Nagios web interface
# make install-webconf
Create the web interface administrator user:
# htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
Start the httpd service:
# service httpd start
# chkconfig httpd on
Step 6: Install the Nagios plugins [11]
# cd /opt/Nagios
# tar xzf nagios-plugins-1.4.15-35-g355a.tar.gz
# cd nagios-plugins-1.4.15-35-g355a
Compile and install the plugins:
# ./configure --with-nagios-user=nagios --with-nagios-group=nagios
# make
# make install
Configure the administrator address that receives the alerts in the file /usr/local/nagios/etc/objects/contacts.cfg. Edit the line:
email nagios@localhost ; <<***** CHANGE THIS TO YOUR EMAIL ADDRESS ******
Check the default Nagios configuration:
# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
Total Warnings: 0
Total Errors: 0
Start the Nagios service:
# chkconfig --add nagios
# chkconfig nagios on
# service nagios start
Step 7: Log on and check the result on the admin page: http://ip-address/nagios/
Note: after installation, Nagios adds localhost as the first monitored object by default, so the http service of localhost is monitored but always shows a warning because index.html or index.php cannot be found, since the folder /var/www/html is still empty. To clear the warning, just create an index.html file in /var/www/html:
# touch /var/www/html/index.html

APPENDIX D: Installation and configuration guide for Cacti [3]
Software requirements:
+ MySQL Server: stores Cacti's data.
+ NET-SNMP server: SNMP (Simple Network Management Protocol) is a protocol used for network management.
+ PHP with the net-snmp module: gives PHP access to SNMP data.
+ Apache / lighttpd / nginx web server: displays the graph interface generated by PHP and RRDTool.
Packages required for RRDTool: pango-devel, libxml2-devel, ruby, ruby-devel.
Install NET-SNMP:
# yum -y install net-snmp-utils php-snmp net-snmp-libs
Install MySQL:
# yum -y install mysql-server mysql
Configure the MySQL database for Cacti. Set the password of the MySQL root user:
# mysqladmin -u root password NEWPASSWORD
Create the database for Cacti:
# mysql -u root -p -e 'create database cacti'
Create the cacti user with password 123456 and grant it rights on the cacti database:
# mysql -u root -p
mysql> GRANT ALL ON cacti.* TO cacti@localhost IDENTIFIED BY '123456';
mysql> FLUSH privileges;
mysql> exit
Install SNMP:
# yum install net-snmp-utils php-snmp net-snmp-libs
Configure snmp:
# vi /etc/snmp/snmpd.conf
Change and add the following content to the SNMP configuration (see snmpd.conf for details):
rocommunity 123456
syslocation "Asterisk Vietnam"
proc mountd
proc ntalkd 4
disk / 10000
load 12 14 14
Save and close snmpd.conf, then start snmpd and enable the snmpd service:
# /etc/init.d/snmpd start
# chkconfig snmpd on
Install rrdtool:
# wget http://packages.sw.be/rrdtool/rrdtool-1 ... f.i386.rpm
# wget http://packages.sw.be/rrdtool/perl-rrdt ... f.i386.rpm
# wget http://packages.sw.be/rrdtool/rrdtool-d ... f.i386.rpm
# rpm -ivh rrdtool-1.2.18-1.el5.rf.i386.rpm perl-rrdtool-1.2.18-1.el5.rf.i386.rpm rrdtool-devel-1.2.18-1.el5.rf.i386.rpm
Install Cacti:
# wget http://www.cacti.net/downloads/cacti-0.8.7g.tar.gz
# tar -zvxf cacti-0.8.7g.tar.gz -C /var/www/html/
# cd /var/www/html/
# mv cacti-0.8.7g cacti
Or install it with yum:
# yum -y install cacti
Create the MySQL database for Cacti with the database name cacti:
# mysqladmin --user=root --password=password create cacti
Import the default Cacti database from cacti.sql in the cacti directory:
# mysql --user=root --password=password cacti < cacti.sql
Edit include/config.php to match the username and database of your system:
# cd /var/www/html/cacti/include
# vi config.php
Change the following content in config.php:
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cacti";
$database_password = "123456";
Add the following line to /etc/crontab:
# vi /etc/crontab
*/5 * * * * /usr/bin/php /var/www/html/cacti/poller.php > /dev/null 2>&1
This completes the Cacti installation.
Source: http://www.asterisk.vn/forum/viewtopic.php?f=18&t=174&start=0