
Chapter 4: Understanding IDS and IDS in Wireless Networks

I. IDS (Intrusion Detection Systems)


I.1. The IDS concept

An IDS (Intrusion Detection System) is a system that monitors network traffic and suspicious activity and alerts the system and the administrator. An IDS can also respond to abnormal or harmful traffic with pre-configured actions, such as blocking the offending user or source IP address from accessing the network. An IDS can distinguish attacks that originate inside the network (from people within the company) from attacks that originate outside it (from hackers). Detection is based either on signatures of known threats (the same way antivirus software relies on known signatures to detect and remove viruses) or on comparing current network traffic with a baseline (the measured normal parameters of the system) to find deviations.

In summary, an IDS can be understood as follows:
+ Core functions: monitor - alert - protect
  - Monitor: network traffic and suspicious activity.
  - Alert: report the state of the network to the system and the administrator.
  - Protect: use the default settings and the administrator's configuration to take concrete action against intruders and saboteurs.
+ Extended functions:
  - Distinguish: "the enemy within and the enemy without" (insider versus outsider attacks).
  - Detect: abnormal signs, based on what is already known or on comparing current network throughput with the baseline.

I.2. Types of IDS

There are two types of IDS: Network Based IDS (NIDS) and Host Based IDS (HIDS).

I.2.1. NIDS is placed at the junction between the internal network and the external network to monitor all inbound and outbound traffic. It may be a dedicated, pre-configured hardware appliance or software installed on a computer. It is mainly used to measure the network traffic in use. However, a bottleneck can occur when network traffic is at a high level.

NIDS in brief:
- Position: internal network --NIDS--- external network
- Type: hardware or software
- Task: mainly monitoring traffic entering and leaving the network.
- Drawback: congestion can occur when network traffic is at a high level.

Some NIDS products: Cisco IDS, http://www.cisco.com/en/US/products/...113/index.html; Dragon IDS/IPS, http://www.enterasys.com/products/ad...rotection.aspx

I.2.2. HIDS is installed locally on a single computer, which makes it much more flexible than NIDS. It controls the traffic entering and leaving one computer, and can be deployed on many computers in the network. HIDS can be installed on many kinds of machines, such as servers, workstations and laptops. HIDS gives you flexibility in network segments where NIDS cannot operate. Traffic sent to the HIDS computer is analyzed and passed through if it does not contain malicious code. HIDS is designed to run mainly on the Windows operating system, although there are products that run on UNIX and many other operating systems.

HIDS in brief:
- Position: installed locally on a computer of any type => more flexible than NIDS.
- Type: software
- Task: analyze the traffic entering and leaving the network that is delivered to the computer running HIDS.
- Advantages:
  + Can be installed on many kinds of machines: laptops, PCs, servers...
  + Analyzes network traffic before forwarding it.
- Drawback: most run on the Windows operating system, although some also run on Unix and other operating systems.

Some HIDS products: Snort (free, open source), contact: http://www.snort.org/; GFI EventsManager 7, contact: http://www.gfi.com/lanselm/?adv=142&...ickid=13108213

ELM 5.0 from TNT Software, contact: http://www.tntsoftware.com/default.aspx

I.3. Data processing techniques used in intrusion detection systems

Depending on the type of method used to detect intrusions, different processing mechanisms are applied to the data handled by an IDS.

Expert systems: This kind of system works on a set of predefined rules describing attacks. All security-relevant events are incorporated into the audit and translated into if-then-else rules. Examples are Wisdom & Sense and ComputerWatch (developed at AT&T).

Rule-Based Intrusion Detection: Like the expert-system approach, this method is based on knowledge of attacks. It transforms the description of each attack into a suitable audit format, so that attack signatures can be found in audit records. An attack scenario can be described, for example, as a sequence of audit events for the attack, or as a data pattern that can be searched for in what was captured during the audit. The method works on abstract equivalents of the audit data, and detection is performed by matching generic text strings against these mechanisms. It is typically a very powerful technique and is often used in commercial systems (for example Cisco Secure IDS and Emerald eXpert-BSM (Solaris)).

User intention identification: This technique models users' normal behaviour as a set of high-level tasks they may perform on the system (related to the user's function). These tasks usually require a number of activities, which are adjusted so that they correspond to the appropriate audit data. The analyzer keeps a set of acceptable tasks for each user. Whenever an inconsistency is detected, an alert is generated.

State-transition analysis: An attack is described as a set of goals and transitions that an intruder must carry out to compromise the system. The transitions are represented in a state-transition diagram. If a violating set of transitions is detected, an alert is raised or a response is carried out according to predefined actions.

Statistical analysis approach: This is a commonly used method. User or system behaviour (a set of attributes) is measured in terms of a number of time-dependent variables, for example user logins, logouts, the number of files accessed in a period of time, and the utilization of disk space, memory and CPU. The update period can vary from a few minutes to a month. The system stores a meaningful value for each variable, which is used to detect when a predefined threshold is exceeded. Even this simple method cannot fit the typical user behaviour model, and methods based on correlating information about individual users with aggregated group variables are also of little effectiveness. Therefore a more sophisticated model of user behaviour has been developed using short-term or long-term user information. This information is regularly updated to keep up with changes in user behaviour. Statistical methods are often used as a complement in IDS that rely on information about normal user behaviour.
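The following is an added example, not code from the document or from any product it names. It puts the two detection styles described in I.1 and I.3 side by side in one toy engine: a known-attack description turned into a signature rule, and a per-user statistical baseline (running mean and standard deviation of a few time-dependent variables) with a fixed-multiple threshold that is updated after every record so it follows the user's behaviour. The audit records, the rule, the variable names and the thresholds are all constructed for the example.

```python
"""Added example (not from the document): a toy IDS engine combining the two
detection styles described in I.1 and I.3: signature/rule matching on audit
records and statistical comparison against a per-user baseline with a
threshold. The audit records below are constructed, not real logs."""
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed audit records: one per security-relevant event.
AUDIT_RECORDS = [
    {"user": "alice", "event": "login", "files_opened": 12, "cpu": 0.20},
    {"user": "alice", "event": "login", "files_opened": 15, "cpu": 0.25},
    {"user": "alice", "event": "login", "files_opened": 11, "cpu": 0.22},
    {"user": "alice", "event": "login", "files_opened": 400, "cpu": 0.95},  # deviates from her baseline
    {"user": "bob", "event": "exec", "cmd": "cat /etc/shadow", "files_opened": 1, "cpu": 0.05},
]


@dataclass
class SignatureRule:
    """A known-attack description turned into a predicate over one audit record."""
    name: str
    matches: Callable[[dict], bool]


SIGNATURES = [
    SignatureRule("shadow-file-read",
                  lambda r: r.get("event") == "exec" and "/etc/shadow" in r.get("cmd", "")),
]


class Profile:
    """Running mean and variance (Welford) of one variable for one user: the baseline."""

    def __init__(self) -> None:
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def std(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class ToyIDS:
    def __init__(self, tracked=("files_opened", "cpu"), k=3.0, warmup=3, min_std=0.01):
        self.signatures = SIGNATURES
        self.tracked = tracked
        self.k, self.warmup, self.min_std = k, warmup, min_std
        self.profiles: Dict[Tuple[str, str], Profile] = {}

    def process(self, rec: dict) -> List[Tuple[str, str, str]]:
        """Return alerts for one record as (kind, user, detail)."""
        alerts: List[Tuple[str, str, str]] = []
        # 1. Signature matching: fire if any known-attack rule matches the record.
        for rule in self.signatures:
            if rule.matches(rec):
                alerts.append(("signature", rec["user"], rule.name))
        # 2. Baseline comparison: after a warm-up period, alert when a variable
        #    exceeds mean + k*std of this user's own history, then update the
        #    profile so the baseline keeps following the user's behaviour.
        for var in self.tracked:
            if var not in rec:
                continue
            x = float(rec[var])
            profile = self.profiles.setdefault((rec["user"], var), Profile())
            if profile.n >= self.warmup:
                threshold = profile.mean + self.k * max(profile.std, self.min_std)
                if x > threshold:
                    alerts.append(("anomaly", rec["user"], f"{var}={x:g} exceeds {threshold:.2f}"))
            profile.update(x)
        return alerts


def run_demo(records=AUDIT_RECORDS) -> List[Tuple[str, str, str]]:
    """Feed the constructed records through the engine and collect every alert."""
    ids = ToyIDS()
    alerts: List[Tuple[str, str, str]] = []
    for rec in records:
        alerts.extend(ids.process(rec))
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the constructed input, alice's fourth login exceeds the baseline built from her first three (both files_opened and cpu), and bob's command matches the signature; the min_std floor keeps the threshold meaningful when a user's history is perfectly constant, which is the corner case where a plain mean + k*std rule would otherwise fire on any change at all.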

II. Wireless IDS


II.1. What is a Wireless IDS?

An IDS in a WLAN (WIDS) operates quite differently from one in a traditional wired LAN. In a WLAN the transmission medium is the air, and any 802.11-capable device within coverage range can access the network. Monitoring is therefore needed both inside and outside the network. A WIDS is usually a computer system with special hardware and software for detecting abnormal activity. Its wireless hardware has more capabilities than an ordinary wireless network card: it includes monitoring of the radio frequency (RF) spectrum, interference detection, and so on. A WIDS consists of one or more listening devices that collect MAC (Media Access Control) addresses, SSIDs, the characteristics configured on stations, transmission rates, the current channel, encryption state, and so on.

In summary, a Wireless IDS has:
+ Positions that must be monitored (very closely): inside and outside the network.
+ Devices and functions: dedicated hardware and software with many capabilities: collecting MAC addresses, SSIDs, and characteristics such as station settings, transmission rate, channel and encryption state.

II.2. Tasks of a WIDS


- Monitor and analyze user and system activity.
- Recognize known types of attack.
- Identify abnormal activity in the network.
- Define security policies for the WLAN.
- Collect all wireless communication and raise alerts based on known signatures or on abnormalities in the communication.

II.3. Operating models


A WIDS has two operating models: centralized and decentralized.

II.3.1. Centralized WIDS: A centralized WIDS has a collector that gathers all the data from the individual network sensors and forwards it to a central management device, where the IDS data is stored and processed. Most centralized IDS have multiple sensors so that intrusions can be detected across the whole network. Log files and alarm signals are all sent to the central management device, which can also be used to manage and update all the sensors. A centralized WIDS suits a large WLAN because it is easy to manage and efficient at processing data.

II.3.2. Decentralized WIDS: A decentralized WIDS performs both the sensor and the management function. This model suits a small WLAN with few Access Points; a decentralized wireless IDS costs less than a centralized WIDS.

II.4. Traffic monitoring


II.4.1. Building a WIDS to analyze the performance of a wireless network

Analyzing the performance of a wireless network means capturing and decoding packets, then reassembling them to reconstruct the network conversation. The analysis lets us know what problems are occurring in the running network. The WIDS monitors the whole WLAN, forwards the aggregated traffic, and collects traffic from the sensors. The collected traffic is then analyzed; if the analysis shows an abnormality, an alert is displayed. The collected traffic can be stored on another system or logged to a database.

In short: WIDS -> collect network traffic -> analyze -> detect abnormality -> alert

II.4.2. A WIDS can send an alert in the following cases:
- An AP is overloaded because too many stations are connected to it.
- A channel is overloaded because too many APs or too much traffic share the same channel.
- An AP is configured improperly or inconsistently with the other APs in the network.
- The number of fragmented packets is too high.
- The WIDS detects hidden stations.
- The number of connection attempts to the network is too high.

II.4.3. Reporting on network performance

The information collected by the WIDS forms a database that is used to report on the operating state of the network and to plan the network. A WIDS report may include the 10 APs with the most alerts, a chart of station activity over time, spectrum usage, and so on. A trend in alerts indicates that an AP is showing new problems or that network operation has been interrupted. Examining the alerts of other APs at the same location helps us recognize how abnormal devices and environmental conditions affect each AP in the area. On the other hand, comparing the alerts of APs across several locations can help us determine whether a problem is caused by differences in product line, version and firmware, or in configuration. At this point we have a rough picture of WIDS; what remains is to apply WIDS devices to the enterprise's wireless network.
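The following is an added example, not code from the document or from any WIDS product. It takes the kind of observations a WIDS sensor collects according to II.1 (BSSID/MAC, SSID, channel, encryption state, association requests) and raises four of the alert types listed in II.4.2: AP overload, channel overload, an AP whose encryption state is inconsistent with the other APs of the same SSID, and an excessive number of connection attempts from one client. The observations, the MAC addresses, the SSIDs and the thresholds are all constructed for the example.

```python
"""Added example (not part of the original document): a minimal WIDS analysis
pass over sensor observations, raising alert types listed in II.4.2.
The observations below are constructed, not captured traffic."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

OBSERVATIONS = [
    # Beacons seen by the sensor: one per AP (bssid) with SSID, channel, encryption state.
    {"kind": "beacon", "bssid": "00:11:22:33:44:01", "ssid": "CORP", "channel": 6, "encrypted": True},
    {"kind": "beacon", "bssid": "00:11:22:33:44:02", "ssid": "CORP", "channel": 6, "encrypted": True},
    {"kind": "beacon", "bssid": "00:11:22:33:44:03", "ssid": "CORP", "channel": 6, "encrypted": False},
    {"kind": "beacon", "bssid": "00:11:22:33:44:04", "ssid": "GUEST", "channel": 11, "encrypted": False},
    # Association requests from clients.
    {"kind": "assoc", "bssid": "00:11:22:33:44:01", "client": "aa:bb:cc:00:00:01"},
    {"kind": "assoc", "bssid": "00:11:22:33:44:01", "client": "aa:bb:cc:00:00:02"},
    {"kind": "assoc", "bssid": "00:11:22:33:44:01", "client": "aa:bb:cc:00:00:03"},
    {"kind": "assoc", "bssid": "00:11:22:33:44:01", "client": "aa:bb:cc:00:00:04"},
] + [{"kind": "assoc", "bssid": "00:11:22:33:44:02", "client": "aa:bb:cc:00:00:99"}] * 6

# Thresholds are illustrative; a real deployment tunes them per site.
MAX_CLIENTS_PER_AP = 3
MAX_APS_PER_CHANNEL = 2
MAX_ASSOC_PER_CLIENT = 4


def analyze(observations: List[Dict]) -> List[Tuple[str, str]]:
    """Return (alert_type, subject) pairs for the conditions checked below."""
    aps: Dict[str, Dict] = {}                              # bssid -> latest beacon fields
    clients_per_ap: Dict[str, set] = defaultdict(set)      # bssid -> distinct associated clients
    assoc_per_client: Counter = Counter()                  # client -> association attempts

    for ob in observations:
        if ob["kind"] == "beacon":
            aps[ob["bssid"]] = ob
        elif ob["kind"] == "assoc":
            clients_per_ap[ob["bssid"]].add(ob["client"])
            assoc_per_client[ob["client"]] += 1

    alerts: List[Tuple[str, str]] = []

    # AP overload: too many distinct stations associated with one AP.
    for bssid, clients in sorted(clients_per_ap.items()):
        if len(clients) > MAX_CLIENTS_PER_AP:
            alerts.append(("ap_overload", bssid))

    # Channel overload: too many APs sharing one channel.
    aps_per_channel: Dict[int, List[str]] = defaultdict(list)
    for bssid, beacon in aps.items():
        aps_per_channel[beacon["channel"]].append(bssid)
    for channel, bssids in sorted(aps_per_channel.items()):
        if len(bssids) > MAX_APS_PER_CHANNEL:
            alerts.append(("channel_overload", f"channel {channel}"))

    # Misconfiguration: an AP whose encryption state differs from the majority
    # of APs advertising the same SSID.
    by_ssid: Dict[str, List[Dict]] = defaultdict(list)
    for beacon in aps.values():
        by_ssid[beacon["ssid"]].append(beacon)
    for ssid, group in sorted(by_ssid.items()):
        if len(group) < 2:
            continue
        majority = Counter(b["encrypted"] for b in group).most_common(1)[0][0]
        for beacon in group:
            if beacon["encrypted"] != majority:
                alerts.append(("ap_misconfigured", beacon["bssid"]))

    # Association flood: one client trying to join far more often than normal.
    for client, count in sorted(assoc_per_client.items()):
        if count > MAX_ASSOC_PER_CLIENT:
            alerts.append(("assoc_flood", client))

    return alerts


if __name__ == "__main__":
    for alert in analyze(OBSERVATIONS):
        print(alert)
```

The misconfiguration check deliberately compares each AP with the majority of its own SSID group rather than with a hard-coded policy, which is how a sensor can flag an inconsistent AP without knowing the intended configuration in advance; the other three checks are simple counters against thresholds, which is also why they need per-site tuning.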

III. Some WIDS products


III.1. AirDefense

Contact: http://www.airdefense.net/products/index.php
AirDefense is a wireless intrusion prevention system that offers a convenient solution for intrusion detection and tracking, policy monitoring, self-protection, incident analysis and remote remediation.

III.2. AirMagnet
Contact: http://www.airmagnet.com/
AirMagnet offers many Wireless IDS solutions, and provides a remote WLAN analysis solution for Cisco.

IV. Configuring an AP to participate in IDS


IV.1. Configuring the AP in scanner mode

In scanner mode the AP scans all active channels. An AP in scanner mode does not accept client associations. Use the CLI to put the AP into scanner mode (the interface commands are entered in interface configuration mode, and the role command is station-role, as the running configuration below shows):

    AP(config)# interface dot11radio 0
    AP(config-if)# station-role scanner
    AP(config-if)# end

IV.2. Configuring the AP in monitor mode

When the AP is configured in scanner mode it also captures in monitor mode. In monitor mode the AP captures 802.11 frames and forwards them to the machine on which the IDS is installed. The AP adds a 28-byte header to each frame it forwards, and the IDS machine uses the header information for its analysis. The AP uses UDP to forward the captured frames; several captured frames are combined into one UDP packet to limit bandwidth consumption. In scanner mode the AP scans all active channels; in monitor mode, however, the AP only scans the configured channel. Steps to configure the AP to capture and forward 802.11 frames:

    AP(config)# interface dot11radio 0
    AP(config-if)# monitor frames endpoint ip address 192.168.1.10 port 2000 truncate 512

Check the running configuration:

    AP# show run
    Building configuration...

    Current configuration : 1525 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname ap
    !
    enable secret 5 $1$dEaG$.lrLC4DffBIIXqHJEcsMy1
    !
    no aaa new-model
    !
    resource policy
    !
    ip subnet-zero
    !
    !
    !
    dot11 ssid BCVT
       authentication open
    !
    dot11 ssid bcvt
    !
    !
    !
    username Cisco password 7 1531021F0725
    !
    bridge irb
    !
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     ssid BCVT
     !
     station-role scanner
     monitor frames endpoint ip address 192.168.1.10 port 2000 truncate 512
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     dfs band 3 block
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface BVI1
     ip address 192.168.1.1 255.255.255.0
     no ip route-cache
    !
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779...onfig/help/eag
    !
    control-plane
    !
    bridge 1 route ip
    !
    !
    !
    line con 0
    line vty 0 4
     login local
    !
    end
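The following is an added example, not code from the document or from Cisco, showing the receiving side of the monitor-mode forwarding described in IV.2: the IDS host (192.168.1.10, UDP port 2000 in the configuration above) receives captured 802.11 frames, each preceded by a 28-byte header and cut to 512 bytes by "truncate 512". The page does not describe the layout of that header, so the code treats it as opaque and assumes one frame per datagram (the text says several can share a datagram; splitting them would need the header's length field). The beacon frame, its BSSID and the receive helper are constructed for the example; the 802.11 header, capability and element parsing follow the standard frame format.

```python
"""Added example (not from the document or from Cisco): the IDS-host side of
monitor-mode frame forwarding. It strips an assumed opaque 28-byte header,
decodes the 802.11 MAC header, and for beacons extracts SSID, channel and
the Privacy bit, tolerating frames cut short by the 512-byte truncation.
The sample beacon is constructed here."""
import socket
import struct
from typing import Dict

ENCAP_HEADER_LEN = 28   # header length stated in the text; layout assumed opaque
TRUNCATE_LEN = 512      # from "truncate 512" in the AP configuration


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_beacon_body(body: bytes) -> Dict:
    """Parse the fixed fields and tagged elements of a beacon; tolerates truncation."""
    out: Dict = {"ssid": None, "channel": None, "privacy": None}
    if len(body) < 12:                 # timestamp(8) + interval(2) + capability(2)
        return out
    capability = struct.unpack_from("<H", body, 10)[0]
    out["privacy"] = bool(capability & 0x0010)   # Privacy bit: encryption enabled
    pos = 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2: pos + 2 + length]
        if len(value) < length:        # element cut off by the 512-byte truncation
            break
        if tag == 0:                   # SSID element
            out["ssid"] = value.decode("utf-8", errors="replace")
        elif tag == 3 and length == 1:  # DS Parameter Set: current channel
            out["channel"] = value[0]
        pos += 2 + length
    return out


def parse_80211(frame: bytes) -> Dict:
    """Decode the 802.11 MAC header; for beacons also decode SSID, channel, privacy."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 management header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info: Dict = {
        "type": {0: "mgmt", 1: "ctrl", 2: "data"}.get(ftype, "reserved"),
        "subtype": subtype,
        "addr1": mac_str(frame[4:10]),
        "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
        "more_fragments": bool(fc1 & 0x04),   # useful for the "too many fragments" alert
        "protected": bool(fc1 & 0x40),
    }
    if ftype == 0 and subtype == 8:   # management frame, beacon subtype
        info.update(parse_beacon_body(frame[24:]))
    return info


def decapsulate(datagram: bytes) -> bytes:
    """Strip the assumed 28-byte AP header (one frame per datagram assumed)."""
    if len(datagram) < ENCAP_HEADER_LEN:
        raise ValueError("datagram shorter than the encapsulation header")
    return datagram[ENCAP_HEADER_LEN:ENCAP_HEADER_LEN + TRUNCATE_LEN]


def build_sample_beacon(ssid: bytes = b"BCVT", channel: int = 6, privacy: bool = False) -> bytes:
    """Construct a minimal beacon for the SSID in the AP configuration (constructed BSSID)."""
    header = (b"\x80\x00"                              # frame control: mgmt (0), beacon (8)
              + b"\x00\x00"                            # duration
              + b"\xff" * 6                            # addr1: broadcast
              + bytes.fromhex("001122334455") * 2      # addr2 (source) and addr3 (BSSID)
              + b"\x00\x00")                           # sequence control
    capability = 0x0001 | (0x0010 if privacy else 0)   # ESS bit, optional Privacy bit
    body = (b"\x00" * 8 + struct.pack("<HH", 100, capability)   # timestamp, interval, capability
            + bytes([0, len(ssid)]) + ssid                       # SSID element
            + bytes([3, 1, channel]))                            # DS Parameter Set element
    return header + body


def sample_datagram() -> bytes:
    """What the IDS host would receive: 28 opaque header bytes, then the frame."""
    return b"\x00" * ENCAP_HEADER_LEN + build_sample_beacon()


def receive_one(port: int = 2000, host: str = "0.0.0.0") -> Dict:
    """Block for a single forwarded frame on the configured UDP endpoint."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, port))
        datagram, _ = s.recvfrom(65535)
    return parse_80211(decapsulate(datagram))


if __name__ == "__main__":
    print(parse_80211(decapsulate(sample_datagram())))
```

The element loop stops as soon as an element's declared length runs past the end of the buffer, which is exactly what happens to long beacons after "truncate 512"; a parser that indexed blindly would either raise or read garbage into the SSID field, so the truncation limit set on the AP has to be matched by defensive parsing on the IDS host.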
