Chapter 4 - Introduction to IDS and WIDS
I.2. IDS classification

There are two kinds of IDS: Network Based IDS (NIDS) and Host Based IDS (HIDS).

I.2.1. NIDS: placed at the junction between the internal network and the external network to monitor all inbound and outbound traffic. It may be a separate, purpose-built hardware appliance or software installed on a computer. It is mainly used to measure the network traffic in use. However, a bottleneck can occur when network traffic is high.

NIDS summary:
- Position: internal network --NIDS--- external network
- Type: hardware or software
- Task: mainly monitoring the traffic entering and leaving the network
- Disadvantage: congestion can occur when network traffic is high.
Some NIDS products: Cisco IDS, http://www.cisco.com/en/US/products/...113/index.html ; Dragon IDS/IPS, http://www.enterasys.com/products/ad...rotection.aspx

I.2.2. HIDS is installed locally on a single computer, which makes it far more flexible than a NIDS. It controls the traffic entering and leaving one computer and can be deployed on many computers in the network. A HIDS can be installed on many kinds of machines, such as servers, workstations and laptops. A HIDS lets you act flexibly in network segments where a NIDS cannot operate. Traffic sent to the HIDS computer is analysed and passed on if it contains no malicious code. HIDS is designed to run mainly on the Windows operating system, although there are also products that run on UNIX platforms and many other operating systems.
HIDS summary:
- Position: installed locally on a computer, on any kind of machine => more flexible than NIDS.
- Type: software
- Task: analyse the network traffic that is forwarded to the computer where the HIDS is installed
- Advantages:
  + Installs on many kinds of machines: laptop, PC, server ...
  + Analyses network traffic before forwarding it.
- Disadvantage: most run on the Windows operating system, although some also run on Unix and other operating systems.
Some HIDS products: Snort (free, open source), contact: http://www.snort.org/ ; GFI EventsManager 7, contact: http://www.gfi.com/lanselm/?adv=142&...ickid=13108213 ; ELM 5.0 TNT software, contact: http://www.tntsoftware.com/default.aspx

I.3. Data-processing techniques used in intrusion detection systems

Depending on the kind of method used to detect intrusions, different processing mechanisms are also applied to the data of an IDS.

Expert systems: This kind of system works on a set of pre-defined rules that describe attacks. All security-relevant events are incorporated into the audit and translated into if-then-else rules. Examples are Wisdom & Sense and ComputerWatch (developed at AT&T).
Rule-Based Intrusion Detection: Like the expert-system approach, this method relies on knowledge of attacks. It converts the description of each attack into a suitable audit format, so that attack signatures can be found in the records. An attack scenario can be described, for example, as a sequence of audit events for the attacks, or as data patterns that can be searched for in the audit data obtained. This method uses abstract equivalents of the audit data. Detection is performed by matching common text strings against the mechanisms. Typically it is a very powerful technique and is often used in commercial systems (for example: Cisco Secure IDS, Emerald eXpert-BSM (Solaris)).

User intention identification: This technique models the normal behaviour of users as a set of high-level tasks they can perform on the system (related to the user's function). Tasks usually require a number of activities, adjusted to fit the appropriate audit data. The analyser keeps a set of acceptable tasks for each user. Whenever an inconsistency is detected, an alert is generated.

State-transition analysis: An attack is described by a set of goals and transitions that an intruder must perform to damage the system. The transitions are presented in a state-transition diagram. If a set of violating transitions is detected, an alert is raised or a response is carried out according to pre-defined actions.

Statistical analysis approach: This is a commonly used method. User or system behaviour (a set of attributes) is measured by a number of variables over time. Examples of such variables are: user login, logout, number of files accessed in a period of time, disk space, memory and CPU usage. The update period can range from a few minutes to a month. The system stores the mean value of each variable and uses it to detect when a pre-defined threshold is exceeded. Even this simple method cannot fit the typical model of user behaviour. Methods that correlate information about individual users with aggregated group variables are also of little effect. Therefore a more sophisticated model of user behaviour has been developed using short-term or long-term user information. This information is updated regularly to keep up with changes in user behaviour. Statistical methods are often used to complement an IDS with information about normal user behaviour.
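The state-transition analysis described above, worked as a small example (added here; this is not code from the chapter or from any of the products it names). An attack scenario is written as an ordered chain of state conditions; each audit event that satisfies the next condition advances the actor to the next state, unrelated events are ignored, and a reset event (here a logout) returns the actor to the start. Reaching the final state raises an alert. The event names, the scenario and the sample events are constructed assumptions.

```python
"""State-transition analysis of audit events (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Event:
    actor: str        # source host or user the audit record is about
    kind: str         # event type taken from the audit trail (constructed names)
    detail: str = ""


@dataclass
class Scenario:
    """An attack scenario as a chain of state conditions plus a reset condition."""
    name: str
    transitions: List[Callable[[Event], bool]]
    resets: Callable[[Event], bool] = lambda e: False


def kind_is(kind: str) -> Callable[[Event], bool]:
    """Transition condition: the event is of the given kind."""
    return lambda e: e.kind == kind


# Constructed scenario: three failed logins, then a successful login, then a
# privilege change, all by the same actor; a logout resets the chain.
SCENARIOS = [
    Scenario(
        name="password guessing followed by privilege change",
        transitions=[kind_is("login_failed")] * 3
        + [kind_is("login_ok"), kind_is("priv_change")],
        resets=kind_is("logout"),
    )
]

# Constructed audit events; the second actor never completes the chain.
EVENTS = [
    Event("10.0.0.5", "login_failed", "user=bob"),
    Event("10.0.0.5", "login_failed", "user=bob"),
    Event("10.0.0.9", "login_ok", "user=carol"),
    Event("10.0.0.5", "login_failed", "user=bob"),
    Event("10.0.0.5", "login_ok", "user=bob"),
    Event("10.0.0.5", "file_read", "/etc/motd"),   # not part of the chain, ignored
    Event("10.0.0.5", "priv_change", "uid=0"),
    Event("10.0.0.9", "logout", "user=carol"),
]


class StateTransitionAnalyser:
    """Tracks, per (scenario, actor), which transition must be satisfied next."""

    def __init__(self, scenarios: List[Scenario]):
        self.scenarios = scenarios
        self.states: Dict[Tuple[str, str], int] = {}
        self.trails: Dict[Tuple[str, str], List[Event]] = {}

    def feed(self, event: Event) -> List[Tuple[str, str, List[Event]]]:
        """Process one event; return alerts (scenario, actor, matched events)."""
        alerts = []
        for sc in self.scenarios:
            key = (sc.name, event.actor)
            step = self.states.get(key, 0)
            trail = self.trails.setdefault(key, [])
            if sc.resets(event):
                self.states[key] = 0
                trail.clear()
                continue
            if sc.transitions[step](event):
                trail.append(event)
                step += 1
                if step == len(sc.transitions):      # final state reached
                    alerts.append((sc.name, event.actor, list(trail)))
                    step = 0
                    trail.clear()
                self.states[key] = step
        return alerts


def analyse(events: List[Event], scenarios: List[Scenario] = SCENARIOS):
    """Run all events through the analyser and collect the alerts."""
    analyser = StateTransitionAnalyser(scenarios)
    alerts = []
    for ev in events:
        alerts.extend(analyser.feed(ev))
    return alerts


if __name__ == "__main__":
    for name, actor, trail in analyse(EVENTS):
        print(f"ALERT [{name}] actor={actor} events={[e.kind for e in trail]}")
```

The response taken when a chain completes (alert only, or a pre-defined action) is left to the caller; `analyse` just returns the matched transitions so the record that triggered each state is available for review.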
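The statistical analysis approach, worked as an example (added here; not code from the chapter). For each user and each measured variable (logins, files accessed, CPU use) the detector keeps a slowly changing long-term mean and a quickly changing short-term mean, both updated every period so the profile follows gradual changes in behaviour, and a value that exceeds a pre-defined multiple of the long-term mean raises an alert. The audit records, the decay factors, the warm-up length and the threshold ratio are constructed assumptions.

```python
"""Statistical anomaly detection with short- and long-term user profiles."""
from collections import defaultdict

# Constructed audit records: one (user, variable, value) per update period.
AUDIT_RECORDS = [
    ("alice", "logins", 3), ("alice", "files_accessed", 40), ("alice", "cpu_pct", 12),
    ("alice", "logins", 4), ("alice", "files_accessed", 45), ("alice", "cpu_pct", 15),
    ("alice", "logins", 2), ("alice", "files_accessed", 38), ("alice", "cpu_pct", 10),
    ("alice", "logins", 3), ("alice", "files_accessed", 42), ("alice", "cpu_pct", 14),
    # Period 5: logins and file accesses far outside alice's usual profile.
    ("alice", "logins", 30), ("alice", "files_accessed", 900), ("alice", "cpu_pct", 13),
]


class UserProfile:
    """Per-user, per-variable exponentially weighted means.

    A small decay factor gives the long-term mean, a large one the short-term
    mean. The factors and warm-up length are assumptions for this example.
    """

    def __init__(self, long_alpha=0.1, short_alpha=0.5, warmup=3):
        self.long_mean = defaultdict(dict)
        self.short_mean = defaultdict(dict)
        self.samples = defaultdict(lambda: defaultdict(int))
        self.long_alpha = long_alpha
        self.short_alpha = short_alpha
        self.warmup = warmup

    def update(self, user, var, value):
        """Fold one measurement into both means for (user, var)."""
        if self.samples[user][var] == 0:
            self.long_mean[user][var] = float(value)
            self.short_mean[user][var] = float(value)
        else:
            lm = self.long_mean[user][var]
            sm = self.short_mean[user][var]
            self.long_mean[user][var] = lm + self.long_alpha * (value - lm)
            self.short_mean[user][var] = sm + self.short_alpha * (value - sm)
        self.samples[user][var] += 1

    def ready(self, user, var):
        """True once enough periods have been seen to trust the profile."""
        return self.samples[user][var] >= self.warmup


def detect(records, threshold_ratio=3.0):
    """Run the detector over audit records in order.

    Each value is compared with the profile built from earlier periods before
    it is folded in, so the burst itself does not raise its own baseline.
    Returns (alerts, profile); each alert is (user, variable, value,
    long_term_mean_at_that_time).
    """
    profile = UserProfile()
    alerts = []
    for user, var, value in records:
        if profile.ready(user, var):
            baseline = profile.long_mean[user][var]
            if baseline > 0 and value > threshold_ratio * baseline:
                alerts.append((user, var, value, baseline))
        profile.update(user, var, value)
    return alerts, profile


if __name__ == "__main__":
    found, _ = detect(AUDIT_RECORDS)
    for user, var, value, mean in found:
        print(f"ALERT {user}: {var}={value} exceeds 3x long-term mean {mean:.2f}")
```

With these records the first four periods only train the profile; in period 5 the login count and the file-access count each exceed three times their long-term mean and are reported, while CPU use stays within profile. After the burst the short-term mean has moved well above the long-term mean, which is the signal a slower-moving profile would use to decide whether the change is a new normal or a one-off.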
... intrusions across the entire network. Log files and alarm signals are all sent to a central management device, which can be used both to manage and to update all of the sensors. Centralized WIDS suits large-scale WLANs because it is easy to manage and efficient at processing data.
II.3.2. Decentralized WIDS: A decentralized WIDS performs both the sensor and the management functions. This model suits small WLANs, which have few Access Points; a decentralized wireless IDS costs less than a centralized WIDS.
II.4.2. A WIDS can send alerts in the following cases:
- The AP is overloaded when too many stations connect to it.
- The channel is overloaded when too many APs, or too much traffic, use the same channel.
- An AP is configured inappropriately or inconsistently with the other APs in the network.
- The number of fragmented packets is too high.
- The WIDS detects hidden stations.
- The number of attempts to connect to the network is too high.

I.1.3. Reporting on network performance

The information collected by the WIDS builds a database that is used to report on the operating state of the network and to plan the network. A WIDS report can include the 10 APs with the most alerts, graphs of station activity over time, and spectrum usage. Alert trends show when an AP exhibits a new problem, or when network operation is disrupted. Examining the alerts of the other APs at the same location helps us recognise how abnormal devices and environmental conditions affect each AP in the area. On the other hand, comparing the alerts of APs across several locations can help us identify problems caused by differences in product lines, versions and system software (firmware), and in configuration. At this point we have a preliminary picture of WIDS, and what remains is to apply WIDS devices to the enterprise's wireless network.
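The alert conditions listed above and the top-N report, worked as one example (added here; this is not code from the chapter or from any WIDS product). One reporting interval of per-AP telemetry is evaluated against fixed thresholds; "inconsistent configuration" is judged against the majority configuration of the other APs, and a "hidden station" is one the sensor saw transmitting but no AP lists as associated. The telemetry records, field names and thresholds are constructed assumptions.

```python
"""Evaluate WIDS alert conditions over per-AP telemetry and build a report."""
from collections import Counter

# Constructed telemetry for one interval, one record per access point.
AP_TELEMETRY = [
    {"ap": "AP-01", "channel": 6, "stations": ["aa:01", "aa:02"],
     "assoc_attempts": 12, "fragments": 20,
     "config": {"ssid": "BCVT", "encryption": "wpa2"}},
    {"ap": "AP-02", "channel": 6,
     "stations": ["aa:03"] + [f"aa:{i:02x}" for i in range(0x10, 0x50)],  # 65 stations
     "assoc_attempts": 400, "fragments": 15,
     "config": {"ssid": "BCVT", "encryption": "wpa2"}},
    {"ap": "AP-03", "channel": 6, "stations": ["aa:04"],
     "assoc_attempts": 5, "fragments": 900,
     "config": {"ssid": "BCVT", "encryption": "open"}},   # differs from the others
    {"ap": "AP-04", "channel": 11, "stations": [],
     "assoc_attempts": 2, "fragments": 3,
     "config": {"ssid": "BCVT", "encryption": "wpa2"}},
]
# Station addresses the sensor observed transmitting in the interval (constructed).
OBSERVED_STATIONS = {"aa:01", "aa:02", "aa:03", "aa:04", "bb:99"}

# Thresholds are assumptions; a real deployment tunes them per site.
THRESHOLDS = {
    "max_stations": 50,
    "max_aps_per_channel": 2,
    "max_assoc_attempts": 100,
    "max_fragments": 500,
}


def baseline_config(records):
    """The configuration most APs share; APs that differ from it are flagged."""
    counts = Counter(tuple(sorted(r["config"].items())) for r in records)
    return dict(counts.most_common(1)[0][0])


def evaluate(records, observed_stations, thresholds=THRESHOLDS):
    """Return (ap, condition) alerts for the conditions listed in the chapter."""
    alerts = []
    aps_per_channel = Counter(r["channel"] for r in records)
    baseline = baseline_config(records)
    associated = set()
    for r in records:
        ap = r["ap"]
        associated.update(r["stations"])
        if len(r["stations"]) > thresholds["max_stations"]:
            alerts.append((ap, "ap overloaded: too many stations"))
        if aps_per_channel[r["channel"]] > thresholds["max_aps_per_channel"]:
            alerts.append((ap, f"channel {r['channel']} overloaded: too many APs"))
        if r["config"] != baseline:
            alerts.append((ap, "ap configuration differs from other APs"))
        if r["fragments"] > thresholds["max_fragments"]:
            alerts.append((ap, "too many fragmented packets"))
        if r["assoc_attempts"] > thresholds["max_assoc_attempts"]:
            alerts.append((ap, "too many connection attempts"))
    # Hidden stations: seen on the air, but associated with no known AP.
    for station in sorted(observed_stations - associated):
        alerts.append(("sensor", f"hidden station detected: {station}"))
    return alerts


def top_alerting_aps(alerts, n=10):
    """Report line: the n APs with the most alerts in the interval."""
    counts = Counter(ap for ap, _ in alerts if ap != "sensor")
    return counts.most_common(n)


if __name__ == "__main__":
    found = evaluate(AP_TELEMETRY, OBSERVED_STATIONS)
    for ap, condition in found:
        print(f"{ap}: {condition}")
    print("top APs by alert count:", top_alerting_aps(found))
```

Channel overload is reported once per AP on the crowded channel rather than once per channel, so the report attributes the condition to every device that contributes to it; the hidden-station finding is attributed to the sensor because no AP owns it.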
Contact: http://www.airdefense.net/products/index.php It is an intrusion prevention system that provides the most convenient solution for detecting and locating intrusions, policy monitoring, self-protection, incident analysis and remote repair.

III.2. Airmagnet: Contact: http://www.airmagnet.com/ Provides many Wireless IDS solutions. AirMagnet provides a remote WLAN analysis solution for Cisco.
1. Configuring the AP in monitor mode

When the AP is configured in scanner mode it also captures frames in monitor mode. In monitor mode the AP captures 802.11 frames and forwards them to the machine where the IDS is installed. The AP adds a 28-byte header to every frame it forwards, and the IDS machine uses the header information for analysis. The AP uses the UDP protocol to forward the captured frames; several captured frames are combined into one UDP packet to limit bandwidth consumption. In scanner mode the AP scans all enabled channels; in monitor mode, however, the AP scans only the configured channel.

Configuration steps for the AP to capture and forward 802.11 frames (station-role and monitor frames are sub-commands of the radio interface, as the running configuration below shows):

AP(config)# int dot11radio 0
AP(config-if)# station-role scanner
AP(config-if)# monitor frames endpoint ip address 192.168.1.10 port 2000 truncate 512
AP(config-if)# end

Check the running configuration:

AP# show run
Building configuration...

Current configuration : 1525 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$dEaG$.lrLC4DffBIIXqHJEcsMy1
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
!
dot11 ssid BCVT
   authentication open
!
dot11 ssid bcvt
!
!
!
username Cisco password 7 1531021F0725
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid BCVT
 !
 station-role scanner
 monitor frames endpoint ip address 192.168.1.10 port 2000 truncate 512
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779...onfig/help/eag
!
control-plane
!
bridge 1 route ip
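A check of the running configuration, worked as an example (added here; this is not code from the chapter or from Cisco). Because the AP forwards every captured 802.11 frame over UDP to whatever endpoint is configured, the setting worth verifying after "show run" is that the radio is in scanner role and that the forwarding endpoint is exactly the intended IDS host and port. The script parses the interface blocks of the configuration text and reports any deviation. The configuration excerpt is a shortened copy of the running configuration shown above, and the expected host and port are assumptions of the check.

```python
"""Check an AP running-config for the 802.11 frame-forwarding settings."""
import re

# Shortened copy of the running configuration shown above.
RUNNING_CONFIG = """\
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid BCVT
 !
 station-role scanner
 monitor frames endpoint ip address 192.168.1.10 port 2000 truncate 512
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 shutdown
 station-role root
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
!
"""

MONITOR_RE = re.compile(
    r"monitor frames endpoint ip address (\S+) port (\d+)(?: truncate (\d+))?$"
)


def interface_blocks(config_text):
    """Map interface name -> list of its sub-commands (lines indented under it)."""
    blocks, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None          # an unindented line ends the block
    return blocks


def check_monitor_config(config_text, radio="Dot11Radio0",
                         expected_ip="192.168.1.10", expected_port=2000):
    """Return a list of findings; an empty list means the radio forwards as intended."""
    findings = []
    block = interface_blocks(config_text).get(radio)
    if block is None:
        return [f"{radio}: interface not found"]
    if "station-role scanner" not in block:
        findings.append(f"{radio}: station-role is not scanner")
    monitors = [m for m in (MONITOR_RE.match(cmd) for cmd in block) if m]
    if not monitors:
        findings.append(f"{radio}: no 'monitor frames endpoint' configured")
    for m in monitors:
        ip, port, truncate = m.group(1), int(m.group(2)), m.group(3)
        if ip != expected_ip or port != expected_port:
            findings.append(
                f"{radio}: frames forwarded to unexpected endpoint {ip}:{port}")
        if truncate is None:
            findings.append(
                f"{radio}: no truncate length, full frames are forwarded over UDP")
    return findings


if __name__ == "__main__":
    problems = check_monitor_config(RUNNING_CONFIG)
    print("OK" if not problems else "\n".join(problems))
```

Run against the excerpt with the expected endpoint 192.168.1.10:2000 the check returns no findings; pointing it at a different expected host reports the mismatch, and checking Dot11Radio1 reports that the radio is neither in scanner role nor forwarding frames, which is the intended state for the second radio in this configuration.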