
VIETNAM NATIONAL UNIVERSITY, HANOI - UNIVERSITY OF ENGINEERING AND TECHNOLOGY

Trn Tin Cng

RESEARCH ON DEPLOYING AN IDS/IPS SYSTEM

UNDERGRADUATE THESIS (FULL-TIME PROGRAMME). Major: Information Technology

HANOI - 2009


Supervisor: M.Sc. on Minh Phng. Co-supervisor: M.Sc. Nguyn Nam Hi


Acknowledgements
First of all, I would like to express my sincere thanks to Mr. on Minh Phng and especially to Mr. Nguyn Nam Hi, who helped me enthusiastically both in choosing the topic and in carrying out this thesis. I also thank Mr. Hong Kin, Mr. Phng Ch Dng and Mr. Nguyn Vit Anh of the Computer Center, who guided me through each step of the project. The knowledge gained over four years of university study was essential to carrying out and completing this thesis, so I thank all the teachers who passed on such valuable lessons to me during that time. I thank V Hng Phong and Nguyn Duy Tng for supporting me in carrying out the project, and my classmates for helping me in my studies. Finally, I thank my family, the great source of encouragement that has helped me succeed in my studies and in life.

Abstract
Researching and deploying solutions for the early detection and prevention of unauthorised intrusions (attacks) into today's networks is a topical and highly significant problem, because the scale and sophistication of attacks keep increasing. This thesis presents a systematic overview of attack methods and the measures for countering them, both in theory and through practical simulated illustrations. It then examines the early detection and attack prevention solution offered by IBM's dedicated IDS/IPS appliance, the Proventia G200: configuring and operating the device, testing it in the VNUnet environment, and the resulting evaluations and remarks. Through a survey of the VNUnet network, the thesis also points out the difficulties, the issues and the directions for resolving them when deploying an IPS on large networks such as university networks. Because intrusion prevention is a fairly new technology worldwide, this thesis is one of the first Vietnamese-language documents to cover the technology in detail.

Table of Contents

LIST OF SYMBOLS AND ABBREVIATIONS ............................ 1
LIST OF TABLES ............................................... 1
LIST OF FIGURES .............................................. 2
INTRODUCTION ................................................. 4
CHAPTER 1. NETWORK SECURITY AND THE VNUNET NETWORK ........... 5
CHAPTER 2. ATTACKS AND INTRUSIONS ............................ 8
CHAPTER 3. ATTACK AND INTRUSION PREVENTION APPLIANCE ........ 23
CHAPTER 4. RESULTS ACHIEVED AND DIRECTIONS FOR FUTURE RESEARCH ... 61
APPENDIX A .................................................. 63
APPENDIX B .................................................. 66
APPENDIX C .................................................. 68
APPENDIX D .................................................. 71
APPENDIX E .................................................. 75

LIST OF SYMBOLS AND ABBREVIATIONS


Abbreviation: Explanation
HQGHN: Vietnam National University, Hanoi (VNU Hanoi)
IDS/IPS: Intrusion detection / intrusion prevention system
VNUnet: The network of Vietnam National University, Hanoi
Proventia G200: Name of IBM's IDS/IPS appliance line

LIST OF TABLES

TABLE 1 IDS/IPS TERMINOLOGY ................................. 23
TABLE 2 OPERATING MODES ..................................... 38
TABLE 3 EMAIL RESPONSE ...................................... 38
TABLE 4 LOG EVIDENCE RESPONSE ............................... 39
TABLE 5 QUARANTINE CLASSIFICATION ........................... 39
TABLE 6 QUARANTINE RESPONSE ................................. 40
TABLE 7 SNMP RESPONSE ....................................... 41
TABLE 8 USER SPECIFIED RESPONSE ............................. 41

LIST OF FIGURES

FIGURE 1 LOGICAL CONNECTION DIAGRAM OF VNUNET ............... 6
FIGURE 2 ILLUSTRATION OF THE ATTACK SEQUENCE [12] .......... 15
FIGURE 3 DOSHTTP INTERFACE ................................. 18
FIGURE 4 SMURF ATTACK INTERFACE ............................ 19
FIGURE 5 BEAST TROJAN CLIENT INTERFACE ..................... 19
FIGURE 6 VULNERABILITY IN THE RPC SERVICE .................. 20
FIGURE 7 METASPLOIT INTERFACE .............................. 21
FIGURE 8 METASPLOIT INTERFACE (2) .......................... 22
FIGURE 9 SECURITY EVENTS ................................... 36
FIGURE 10 RESPONSE FILT​ERS ................................. 44
FIGURE 11 PROTECTION DOMAIN ................................ 48
FIGURE 12 PROTECTION DOMAIN ................................ 49
FIGURE 13 SEVERITY LEVEL OF ALERTS ......................... 50
FIGURE 14 EXAMPLE ALERT .................................... 50
FIGURE 15 BLOCKING INFORMATION GATHERING ................... 51
FIGURE 16 FLAGGING THE SYN FLOOD ALERT ..................... 52
FIGURE 17 BLOCKING SYN FLOOD AND SMURF ATTACK (PING SWEEP) . 53
FIGURE 18 BLOCKING INTRUSION VIA THE BEAST TROJAN .......... 53
FIGURE 19 FLAGGING THE MSRPC_REMOTEACTIVE_BO ALERT ......... 54
FIGURE 20 BLOCKING ATTACKS VIA THE MSRPC REMOTEACTIVE VULNERABILITY ... 54
FIGURE 21 VNUNET NETWORK MODEL ............................. 55
FIGURE 22 IPS DEPLOYMENT DIAGRAM ........................... 56
FIGURE 23 MAILING THE COMPUTER CENTER STAFF WHEN AN ATTACK OR INTRUSION OCCURS ... 57
FIGURE 24 VNUNET NETWORK MODEL AFTER DEPLOYING THE IDS/IPS SYSTEM ... 58
FIGURE 25 THE IPS SYSTEM MAILING THE ADMINISTRATOR ......... 59
FIGURE 26 REAL-WORLD SCANS AND ATTACKS ..................... 60
FIGURE 27 SECURITY WEAKNESS EXPLOITATION BEHAVIOURS ........ 63
FIGURE 28 UPCOMING PHISHING TRENDS ......................... 64
FIGURE 29 ILLUSTRATION OF A SMURF ATTACK ................... 68
FIGURE 30 ILLUSTRATION OF A SYN FLOOD ATTACK ............... 69
FIGURE 31 LOGICAL CONNECTION DIAGRAM ....................... 77
FIGURE 32 ORGANISATIONAL MODEL ............................. 78

INTRODUCTION

With the rapid growth of technology and information on the Internet, protecting network security has become ever more important and a daily concern. To counter increasingly sophisticated hackers, supporting software applications and hardware devices have emerged to limit the damage done by viruses and by unauthorised intrusion. This thesis addresses a solution for the early detection and prevention of attacks. Scientifically, it is one of the newest and most effective solutions; practically, it has been deployed and installed to protect a system, it withstood simulated attacks, and it can be used to guarantee network security at a fairly high level. The objects of study are the forms of attack and intrusion and the devices that detect and prevent them, specifically a dedicated IDS/IPS appliance from IBM, the Proventia G200, on the network of Vietnam National University. The research method consists of studying online documentation, consulting experts, simulating the system, configuring and operating the device, testing it in the VNUnet environment, and then evaluating and commenting on the results. The research content covers network security issues, a survey of the current state of the Vietnam National University network, the forms of attack and intrusion and the detection and prevention device, and the steps for installing, configuring and test-operating it. The conclusion presents the results achieved, an evaluation, and directions for future research that could build on the results of this thesis.

CHAPTER 1. NETWORK SECURITY AND THE VNUNET NETWORK

1.1. NETWORK SECURITY


According to the 2007 and 2008 security reports in Appendices A and B, the security threat problem grows more serious every day. There is a clearly visible surge in network risks such as remote attacks, spam and phishing. In addition, more and more security vulnerabilities are being discovered while users still do not appreciate the need to apply patches fully. Only a short time ago, a firewall could block most attacks. However, with the ever stronger growth of Web-based applications and worms, most networks today are insecure even with a firewall and antivirus software. A firewall is now effective only against common DoS attacks or ordinary vulnerabilities; it can hardly block attacks that work at the application layer, or worms. Not only is the outer network layer attacked: the resources of the internal network, including many valuable internal resource areas and the areas exposed on the Internet, are all being exploited and cause agencies and companies much damage. Intrusion detection and prevention devices are therefore becoming ever more necessary for today's agencies and companies. There are now many popular intrusion detection products, such as Internet Security Systems (ISS), Lancope StealthWatch, Snort, and StillSecure Border Guard. Among these, the ISS products have the greatest reputation. Today, besides intrusion detection, this vendor's products have added intrusion prevention, stopping attacks even before they reach the target machine. To administer and develop a network with good security and high confidentiality, a present-day requirement for administrators is to understand attacks and intrusions and, at the same time, to know how to prevent them.

1.2. THE VNUNET NETWORK [4]


1.2.1. Overview of the current state of the VNUnet network. This is covered in detail in Appendix E, Survey of the current state of the VNUnet network. The main points can be summarised as follows:

- The VNU Hanoi network is a medium-sized network.
- The VNUnet member units have fairly good transmission lines.
- The network's layered architecture is still simple and unstable, which reduces network performance, wastes much of VNU Hanoi's investment in resources, frustrates users, and encourages units to connect to the outside in a scattered fashion and to host their websites externally.
- A simulated (private) address space is used behind a Proxy device.
- The safety and security system is very weak.

[Figure 1 is a network diagram whose image is not included; only its labels survive: INTERNET; TEIN2 VINAren; CPNET 112; Proxy 203.113.130.192/27; Router 3600; Catalyst 4507; Catalyst 2950; Web, Mail; fibre links; address ranges 10.1.0.0/16, 172.16.0.0/16 and 10.10.0.0/16; member units H Kinh t, Khoa Lut, Vin CNSH, TTPT H thng, Khoa SP, Khoa SH, TT o to t xa, H Ngoi ng, Vin CNTT, Khoa QTKD, Trung tm TTTV, VP HQGHN, TRNG H CNG NGH (with its own network equipment), H KHXH-NV, Th vin T, KTX M Tr, H KHTN.]

Figure 1 Logical connection diagram of VNUnet

1.2.2. Development goals for the VNUnet network. The VNUnet development project sets out the following goals:

- An integrated multi-service network: data (web 2.0, wap, Mail, SMS, MMS, eDocument, ...), voice, DVD video, ...
- A network providing online applications and online community sharing services that directly serve management, scientific research and training.
- Lower investment costs and higher utilisation of the shared resources of individuals and groups across the whole system.
- Full provision of documents and electronic journals according to user needs.
- A strong data centre.
- A fibre-optic backbone with 10 Gbps of bandwidth and 1 Gbps to the end user.
- Wireless connectivity for mobile information-processing devices covering all of VNU Hanoi's work and study environments, including the dormitories.
- Widespread Video Conferencing for distance training and for receiving remote lectures.
- Stable, high-speed external connectivity over several paths (leased line, satellite) so that external resources can be accessed as quickly as on a virtual desktop.
- A backup solution for the whole system and an effective electrical safety solution.
- A professional management and monitoring solution so that the network runs smoothly, stably and efficiently.
- A safety and security solution against intrusion, sabotage and unauthorised access.
- Remote access to the internal network for staff and lecturers.

To achieve these goals, researching and deploying the world's advanced technologies is absolutely necessary. Within this work, administering the VNUnet network and guaranteeing its safety and security must come first. In building the VNUnet security system, deploying an IDS/IPS intrusion detection and prevention device is an important step. This thesis therefore has great practical significance for the development of the Vietnam National University, Hanoi network.

CHAPTER 2. ATTACKS AND INTRUSIONS

2.1. BACKGROUND KNOWLEDGE


To guarantee network security today, a detailed understanding of security-related issues is required, especially of concepts such as intrusion and attack. This section presents the foundational security theory directly related to the IDS/IPS system discussed in this thesis.

2.1.1. Intrusion [9]. An intrusion can be regarded as the seizure of a system from its administrators. An intrusion can be carried out by insiders (people with valid user accounts on the system) who use an operating-system vulnerability to escalate their privileges. It can also be carried out by outsiders, who discover security vulnerabilities and poorly protected spots in the network in order to take control of the system. An intrusion can take the following forms:

- A virus, worm or trojan installed on the machine through channels such as mail, ActiveX or JavaScript.
- A password stolen by methods such as sniffing, shoulder surfing, brute-force attacks or other password-cracking methods.
- Hijacking of service sessions or of devices that do not support encryption (old telnet, ftp, IMAP or POP mail).
- An attack on a vulnerability in services such as ftp, Apache or IIS.
- Physical intrusion into the computer to take the administrator account or to create holes in the system for a later intrusion session.

Once intruders have obtained valid rights on a computer or a system, they usually install trojan software that hides their control of the system. A trojan is a program that looks like any other program the user might want to use, but when used it performs illegitimate actions. Another common intrusion behaviour is installing sniffing software or a keylogger. Through the compromised machines, intruders can reach out into the whole network by way of the trust relationships on it. Determining whether the network has been intruded is quite difficult, because spyware usually has ways of hiding its activity from administrators and users. The only way to know for certain that there has been an intrusion is to inspect the network traffic to suspicious external machines, or to inspect the computer with security tools.

2.1.2. Denial-of-service attacks [11]. A denial-of-service (DoS) attack is an attack whose purpose is to stop the attacked machine from operating normally for a temporary or indefinite period. The targets of DoS are usually routers, web servers, DNS servers and the like. The common method is to flood the target machine with connection requests so that it can no longer respond to legitimate connections, or responds very slowly. DoS can make the target machine reboot or consume so much of its resources that it cannot run other services, and it congests the link to users. There are 5 basic kinds of DoS attack:

- Consuming the machine's resources such as bandwidth, memory or processing time.
- Destroying configuration information, such as routing information.
- Destroying state information, such as forcing TCP sessions to restart.
- Destroying physical components.
- Congesting the link between users and the attacked machine.

DoS can use malicious code in order to:

- Use the processor's full capacity, so that it can do no other work.
- Cause errors in the machine's microcode.
- Cause sequencing errors in instructions, putting the machine into an unstable state or hanging it.
- Exploit errors in the operating system to cause resource exhaustion and thrashing.
- Hang the operating system.
- iFrame DoS attack: an HTML document is crafted that requests a page containing a lot of data over and over, until the combined requests exceed the bandwidth limit.

There are very many methods and kinds of denial-of-service attack. Some representative kinds are: Smurf Attack, SYN Flood, Land Attack, UDP Flood, Tear Drop. Details of these attacks are given in Appendix C.

Distributed denial of service (Distributed DoS). A distributed denial-of-service attack occurs when many hosts take part together in flooding the bandwidth or resources of the attacked machine. To carry out a DDoS attack, the attacker breaks into computer systems, installs remote-control programs and then triggers all of them at the same moment to attack one target simultaneously. This method can mobilise hundreds or even thousands of computers to attack at once (depending on the preparation beforehand) and can swallow the target's entire bandwidth in an instant.

Countermeasures. The consequences of DoS not only cost a great deal of money and effort but also take a long time to recover from. The following measures can be used to defend against DoS:

- The system model must be built sensibly, avoiding excessive mutual dependence, because when one component fails it affects the whole system.
- Set strong passwords to protect network devices and other important resources.
- Set authentication levels for users as well as for information sources on the network. In particular, authentication should be required when routing updates are exchanged between routers.
- Build filtering on routers and firewalls, and a protection system against SYN floods.
- Enable only the necessary services; temporarily disable and stop services that are not yet required or not in use.
- Build a quota system that limits users, to prevent a malicious user from abusing the server's resources to attack the server itself or other networks and servers.
- Continuously update, research and test in order to discover security vulnerabilities and remedy them promptly.
- Monitor system activity continuously so that abnormal actions are detected immediately.
- Build and deploy a standby system.
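The SYN flood and smurf symptoms listed above, turned into the detection logic a monitoring host could run over a packet trace; this is an added example, not code from the thesis, and the Packet record, the thresholds and the 192.0.2.0/24 and 203.0.113.0/24 sample addresses are assumptions chosen for illustration:

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass
class Packet:
    ts: float              # capture time in seconds
    src: str
    dst: str
    proto: str             # "tcp" or "icmp"
    flags: str = ""        # TCP flags: "S" SYN, "SA" SYN-ACK, "A" ACK
    icmp_type: int = -1    # 8 = echo request, 0 = echo reply


def detect_syn_flood(packets, window=1.0, min_syn=50, max_completed_ratio=0.2):
    """Per destination and time window, count client SYNs and the client ACKs
    that complete a handshake.  Many SYNs with few completions means the
    listen backlog is filling with half-open connections: the SYN flood
    symptom a router or firewall filter should react to."""
    syns = defaultdict(int)   # (dst, window) -> SYN count
    acks = defaultdict(int)   # (dst, window) -> completing ACK count
    pending = set()           # (client, server) pairs with an unanswered SYN
    for p in packets:
        if p.proto != "tcp":
            continue
        w = int(p.ts // window)
        if p.flags == "S":
            syns[(p.dst, w)] += 1
            pending.add((p.src, p.dst))
        elif p.flags == "A" and (p.src, p.dst) in pending:
            acks[(p.dst, w)] += 1
            pending.discard((p.src, p.dst))
    alerts = []
    for (dst, w), n in sorted(syns.items()):
        done = acks.get((dst, w), 0)
        if n >= min_syn and done / n < max_completed_ratio:
            alerts.append({"type": "syn_flood", "dst": dst, "window": w,
                           "syn": n, "completed": done})
    return alerts


def detect_smurf(packets, local_net, min_sources=10):
    """Two smurf symptoms.  Amplifier side: echo requests aimed at the local
    broadcast address (a border router should drop directed broadcasts).
    Victim side: a burst of echo replies from many distinct hosts to one
    local host that never sent them a request."""
    bcast = ipaddress.ip_network(local_net).broadcast_address
    sent = defaultdict(set)      # requester -> hosts it actually pinged
    replies = defaultdict(set)   # victim -> sources of unsolicited replies
    seen_bcast, alerts = set(), []
    for p in packets:
        if p.proto != "icmp":
            continue
        if p.icmp_type == 8:
            sent[p.src].add(p.dst)
            if ipaddress.ip_address(p.dst) == bcast and (p.src, p.dst) not in seen_bcast:
                seen_bcast.add((p.src, p.dst))
                alerts.append({"type": "directed_broadcast_ping", "src": p.src, "dst": p.dst})
        elif p.icmp_type == 0 and p.src not in sent.get(p.dst, ()):
            replies[p.dst].add(p.src)
    for dst, sources in replies.items():
        if len(sources) >= min_sources:
            alerts.append({"type": "smurf_reply_flood", "dst": dst, "sources": len(sources)})
    return alerts


def build_sample_trace():
    """Constructed trace (not captured data): three normal handshakes, then 80
    SYNs from spoofed sources to 192.0.2.10 inside one second, one legitimate
    ping and reply, 30 unsolicited echo replies to 192.0.2.20, and one echo
    request to the 192.0.2.0/24 broadcast address."""
    web, victim = "192.0.2.10", "192.0.2.20"
    pkts = []
    for i in range(3):
        c = f"198.51.100.{i + 1}"
        pkts += [Packet(0.1 * i, c, web, "tcp", "S"),
                 Packet(0.1 * i + 0.01, web, c, "tcp", "SA"),
                 Packet(0.1 * i + 0.02, c, web, "tcp", "A")]
    for i in range(80):
        pkts.append(Packet(0.5 + i * 0.005, f"203.0.113.{i + 1}", web, "tcp", "S"))
    pkts.append(Packet(2.0, victim, "192.0.2.30", "icmp", icmp_type=8))
    pkts.append(Packet(2.01, "192.0.2.30", victim, "icmp", icmp_type=0))
    for i in range(30):
        pkts.append(Packet(3.0 + i * 0.01, f"203.0.113.{100 + i}", victim, "icmp", icmp_type=0))
    pkts.append(Packet(4.0, "203.0.113.250", "192.0.2.255", "icmp", icmp_type=8))
    return pkts


if __name__ == "__main__":
    trace = build_sample_trace()
    for alert in detect_syn_flood(trace) + detect_smurf(trace, "192.0.2.0/24"):
        print(alert)
```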

2.1.3. Security vulnerabilities [10]. In computer security, the term vulnerability is used for a weakness in a system that allows an attacker to violate the system's integrity. A vulnerability can be the result of a weak password, software bugs, a computer virus or other malware, a faulty piece of code, a faulty SQL statement or a misconfiguration. A security risk is classified as a vulnerability if it is recognised as a method that can be used to attack. The window of vulnerability is the time from when the security hole is introduced or manifested in deployed software until a security patch is available or deployed. The security vulnerabilities of a system are weaknesses that can cause a service to stop, grant users additional privileges, or allow unauthorised access to the system. Vulnerabilities can also lie in the services provided, such as sendmail, web, ftp and so on. In addition, vulnerabilities exist in the operating system itself, such as in Windows NT, Windows XP and UNIX, or in applications that users use regularly, such as word processors and database systems.

Causes:

- Faulty password management: computer users use weak passwords that can be found by brute force; users store passwords on the computer in a place where a program can access them; many users reuse passwords across multiple programs and websites.
- Fundamental operating-system design flaws: operating-system designers choose to enforce policies that favour the user or program over management. An example is an operating system with policies such as granting programs and users full access to the computer by default. The operating system is at fault when it allows viruses and malware to execute commands in administrator mode.
- Software bugs: programmers often leave an exploitable bug in a program. Such a bug can allow an attacker to abuse the software.
- No validation of user input: a program assumes that all user input is safe. Programs that do not validate user input can allow the unintended direct execution of commands or SQL statements (for example buffer overflows, SQL injection or other invalid inputs).

Vulnerability classification is covered further in Appendix D.

Vulnerability disclosure. The method of reducing vulnerabilities is a subject of debate in the computer security community. Some argue for immediate full disclosure of vulnerability information as soon as it is discovered. Others argue for limiting disclosure to the users placed at greatest risk, releasing full details only after a delay, if at all. Releasing vulnerability information after a delay can allow the developer to announce fixes for the problems through patches, but it can increase the risk to users. Recently, a commercial form of vulnerability disclosure has appeared, in which some commercial security companies pay for exclusive rights to zero-day vulnerabilities. These companies provide a legitimate market for buying and selling vulnerability information from security research centres. From the security point of view, free and public disclosure of a vulnerability only succeeds if the affected parties obtain the relevant information before the hackers do; otherwise the hackers immediately gain an advantage in exploiting it. Security through hiding vulnerability information must be treated the same way. Allowing the fair and active dissemination of security information is very important. There is usually a trusted channel that serves as the source of security information (for example CERT, SecurityFocus, Secunia and VUPEN). These sources analyse and assess the risk to guarantee the quality of the information. The analysis must include enough detail to allow a user of the affected software to assess their own risk or to take immediate action to protect their assets.

Disclosure date. The time of disclosure of a vulnerability is defined differently in the security community and industry. It is commonly understood as a kind of public disclosure of security information by a party. Usually, the vulnerability information is released on a mailing list or published on a security website, and in a security advisory afterwards. The time of disclosure is the first date on which the security vulnerability is described on a channel where the vulnerability information is published and all of the following requirements are met:

- The information is free and public.
- The vulnerability information is published by an independent, trusted source or channel.
- The vulnerability has been analysed by experts, so that a risk assessment is included in the disclosure.

Identifying and removing vulnerabilities. Many software tools exist that help in discovering (and sometimes removing) vulnerabilities in operating systems. Although these tools can give a good overview of the vulnerabilities present, they cannot replace human judgement. Vulnerabilities are found mainly in operating systems including Windows, Mac OS, Linux, the Unix variants, OpenVMS and others. The only way to reduce the chance of a vulnerability being used against a system is constant vigilance, including careful system maintenance (applying patches), best-practice deployment (using firewalls and access control), and auditing (throughout development and the deployment life cycle).

2.1.4. Viruses, worms and trojans [8]. Virus: a virus is computer software capable of infecting and destroying software and even computer hardware. Viruses cannot spread except through a sharing medium such as file exchange or e-mail. Worm: worms can spread from one machine to another like viruses, but they differ from viruses in that they spread by themselves without the control of the person releasing them. They can take control of the computer and exchange files automatically. Because a worm can copy itself in very large numbers, it can congest the packets travelling on the network and slow down all Internet-related activity. Worms also turn us into attackers by attaching themselves to files sent to our lists of friends or colleagues. A worm can also be a tool used by intruders: it takes control of the system and creates a back door through which the intruder gains access.

Trojan: trojans are computer programs that look like useful software but in fact compromise security and cause a great deal of damage. They take control of the infected machine and allow outsiders unauthorised access to it, or they can automatically download executable commands from an external address. Trojans often come with a keylogger, software that records the user's keystrokes and sends them to the controller, or with software that watches the computer's screen. Obtaining valid passwords gives the attacker full control over the user's accounts. There are other terms for network security threats as well, but they are only vehicles leading to the activities described above.

2.2. STEPS OF ATTACKING AND INTRUDING INTO A SYSTEM [1]


Intruding into a system is not simple, but neither is it too difficult for people with general information-technology knowledge. To reach their goal, hackers usually carry out an intrusion attack in the following steps:

- Footprinting
- Scanning
- Enumeration
- Gaining Access
- Escalating Privileges
- Pilfering (exploiting the system)
- Covering Tracks
- Creating "Back Doors"
- DoS (denial-of-service attack)

Note that the steps above are entirely flexible when applied in practice. The actions of an intrusion attack may be interleaved; an action may even be repeated many times or skipped altogether. Nevertheless, the actions can be arranged in the sequence shown in the figure below:

Figure 2 - Illustration of the attack sequence [12]

We now discuss each action of a hacker's intrusion attack in detail. As noted above, before an attack is actually carried out, the hacker must gather complete information about the target through 3 steps: footprinting, scanning and enumeration. Just as a gang that wants to rob a bank does not simply walk into the bank and demand money, but first studies a great deal about the bank, such as the route of the cash transport vehicle, the delivery times, the surveillance cameras, the escape route and many other necessary things, the first of the 3 information-gathering steps is footprinting.

Footprinting. Footprinting refers to the use of tools and techniques to collect basic information about the target to be attacked. The information can be obtained through many channels such as the Internet, an intranet, remote access or an extranet. For example, from Google we can extract the target's domain names, the number of IP addresses allocated to it, and even personal information about the employees of a target company. This seemingly simple information is indispensable when starting an intrusion attack on the target's system. Personal information about human resources, such as telephone numbers, home town, home address, job title and date of birth, is sometimes all a hacker needs to take over a system. The only way to prevent footprinting is to keep sensitive information away from places where it can be easily accessed.

The next step in the process is scanning. If footprinting only studies the outside of a bank, scanning checks every window and door of that bank. The first task is to determine whether the system is alive. This can be done with tools such as ping (or fping or nmap). The next is to determine which TCP or UDP services are running on the target machines; there are many methods and tools for this today. The last task is to identify the operating system on those machines, which matters greatly for intrusion attacks through security vulnerabilities.

The last of the information-gathering steps is enumeration. This action requires connecting to and querying the target machine directly, so it is fairly easy to log and to raise an alert on. The most basic enumeration method is banner grabbing. The banner reveals which services are in use and their versions. For example:

C:\>telnet www.abc.com 80
HTTP/1.0 400 Bad Request
Server: Netscape-Commerce/1.12
Your browser sent a non-HTTP compliant message.

Several ports can be used to obtain this information, such as port 80 HTTP, port 25 SMTP and port 21 FTP. One of the most exploited services from the earliest days until now is DNS, through DNS zone transfers. If the target's server is running Microsoft's DNS service, an attacker can collect a large amount of information, even hidden information about the target's network, as the following example shows:

C:\>nslookup
Default Server: dns01.wayne.net
Address: 10.10.10.1
>
> set type=any
> ls -d wayne.net > dns.wayne.net
> exit
> server 10.10.10.2
Default Server: dns02.wayne.net
Address: 10.10.10.2
> ls -d wayne.net
[dns1.wayne.net]
wayne.net. SOA dns04.wayne.net wayne.dns04.wayne.net. (3301 10800 3600 604800 86400)
wayne.net. NS dns04.wayne.net
wayne.net. NS dns02.wayne.net
wayne.net. NS dns01.wayne.net
wayne.net. NS dns05.wayne.net
wayne.net. MX 10 email.wayne.net
rsmithpc TXT "smith, robert payments 214-389-xxxx"
rsmithpc A 10.10.10.21
wmaplespc TXT "Waynes PC"
wmaplespc A 10.10.10.10
wayne CNAME wmaplespc.wayne.net

In addition, a number of other services can be exploited to learn more information, such as MSRPC, NetBIOS, SNMP and so on. Details of how these services are exploited can be found in the book Hacking Exposed, listed in the references below.

After obtaining complete information about the target, hackers can choose among different attack and intrusion methods. First, a hacker may choose to DoS or DDoS the target. These denial-of-service methods do not give the hacker control of the system, but they can stop the firewall and the security services, or distract the attention of the network administrator, making intrusion easier. If the information gathered in the steps above is enough to mount an attack on the system, the hacker does not need a denial-of-service attack at all, and instead exploits security vulnerabilities or cracks some administrative accounts through sniffing, phishing, keyloggers, worms and trojans. In some cases, when hackers cannot find weaknesses in the system, they attack the human weakness: for example, they impersonate a business partner requesting a valid account, or they telephone a manager's staff and pretend to have lost their account. Of course, complete information about the people involved is essential for this. If the hacker has obtained only low-level administrative accounts, they will try to escalate the account's administrative privileges by exploiting the trust placed in that account. If after this step the hacker has full control of the system, the last things they do are to cover their tracks and to plant a backdoor so that the next intrusion is easier. Covering tracks simply means deleting the logs of the monitoring system or of the operating system of the intruded machine; how thoroughly the tracks are erased depends on the hacker's purpose. Some hackers who want fame even deliberately leave traces, and some who steal confidential material also want to leave a ransom message or similar for the administrator to find; nevertheless, almost all of them must erase whatever information reveals who they are. Backdoors are likewise used at many different levels: hackers may create a worm or trojan in the system, install keylogger software, or simply create a hidden account.
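Detection logic for the footprinting, scanning and enumeration steps just described, run over a constructed flow log; this is an added example, not code from the thesis, and the log line layout, the thresholds, the example.net zone and the 192.0.2.0/24 and 203.0.113.0/24 addresses are assumptions:

```python
import re
from collections import defaultdict

# Assumed flow-log line layout (constructed for this example, not a real tool's format):
#   <seconds> <src> <dst> <tcp|udp|icmp> <dport> <info>
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) (?P<dst>\S+) (?P<proto>tcp|udp|icmp) "
    r"(?P<dport>\d+) (?P<info>.+)$")


def parse_log(lines):
    """Parse flow-log lines; malformed lines are skipped rather than aborting the batch."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"], e["dport"] = float(e["ts"]), int(e["dport"])
            events.append(e)
    return events


def detect_recon(events, allowed_axfr=(), window=10.0, sweep_hosts=8, scan_ports=8):
    """Flag the three information-gathering steps: ping sweeps (one source,
    many hosts), port scans (one source, one host, many ports) and zone
    transfers requested by hosts that are not the zone's authorised secondaries."""
    pinged = defaultdict(set)   # (src, window) -> hosts sent an echo request
    probed = defaultdict(set)   # (src, dst, window) -> TCP ports sent a SYN
    alerts = []
    for e in events:
        w = int(e["ts"] // window)
        if e["proto"] == "icmp" and e["info"] == "echo-request":
            pinged[(e["src"], w)].add(e["dst"])
        elif e["proto"] == "tcp" and e["info"] == "syn":
            probed[(e["src"], e["dst"], w)].add(e["dport"])
        elif e["proto"] == "tcp" and e["dport"] == 53 and e["info"].startswith("axfr "):
            zone = e["info"].split(" ", 1)[1]
            if e["src"] not in allowed_axfr:
                alerts.append({"type": "unauthorised_zone_transfer",
                               "src": e["src"], "zone": zone})
    for (src, w), hosts in pinged.items():
        if len(hosts) >= sweep_hosts:
            alerts.append({"type": "ping_sweep", "src": src, "hosts": len(hosts)})
    for (src, dst, w), ports in probed.items():
        if len(ports) >= scan_ports:
            alerts.append({"type": "port_scan", "src": src, "dst": dst, "ports": len(ports)})
    return alerts


# Constructed sample log: a sweep of 12 hosts, a 10-port scan of one host, one normal
# web client, one zone transfer by the authorised secondary, one by an outside host,
# and a malformed line that the parser must ignore.
SAMPLE_LOG = (
    [f"1.{i:02d} 203.0.113.7 192.0.2.{i + 1} icmp 0 echo-request" for i in range(12)]
    + [f"5.{i:02d} 203.0.113.7 192.0.2.10 tcp {p} syn"
       for i, p in enumerate((21, 22, 23, 25, 53, 80, 110, 139, 443, 445))]
    + ["6.00 198.51.100.5 192.0.2.10 tcp 80 syn",
       "7.00 198.51.100.53 192.0.2.53 tcp 53 axfr example.net",
       "8.00 203.0.113.7 192.0.2.53 tcp 53 axfr example.net",
       "this line is not a flow record"]
)


if __name__ == "__main__":
    for alert in detect_recon(parse_log(SAMPLE_LOG), allowed_axfr=("198.51.100.53",)):
        print(alert)
```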

2.3. SIMULATING ATTACKS AND INTRUSIONS


2.3.1. Information gathering. After complete information about the target system has been gathered, many intrusion methods can be used; this thesis presents 3 simulated attacks and intrusions. The other intrusion and attack methods either cannot be simulated (shoulder surfing, sniffing or cracking user accounts) or no longer pose a risk (hijacking unencrypted service sessions). In addition, because no pool of machines was available to simulate a DDoS attack, the thesis only describes that attack method in theory and simulates a DoS attack rather than a DDoS attack.

2.3.2. Denial-of-service attack. One of the most common DoS attacks is the SYN flood. The simulation uses the DoSHTTP tool from socketsoft.com.

Figure 3 - DoSHTTP interface


The tool has a very simple interface: set the number of simultaneous connections, specify the target and attack. Only a few machines attacking at the same time are needed to bring down a small web server. Another attack that was simulated is the smurf attack, using the smurf2k tool. As above, the program's interface is very simple: specify the target and the packet size, then launch the attack.

Figure 4 - Smurf attack interface

2.3.3. Intrusion via a trojan. The simulation uses the Beast trojan. This trojan infects the Windows operating system and uses a client-server mechanism. The server part is embedded in harmless-looking software and gets installed on the victim's machine through a user mistake. It opens port 6666 for the client to connect to. The trojan also disables firewall and antivirus software and installs a keylogger to collect the user's passwords, through which the hacker can access the victim's machine directly.

Figure 5 - Beast trojan client interface


This is the trojan builder screen (embedding the trojan in executable files and uploading it to a web server). After building the trojan and identifying an infected machine (a mail is sent back when a machine is infected), this client program is used to connect to that machine on port 6666. If the infected account is an admin account, the attacker has full control of that machine.

2.3.4. Intrusion through a security vulnerability [5]. First, the simulation uses the Retina network scanner tool to scan for security vulnerabilities on a Windows Server 2003 SP2 machine. The result shows that this machine has a serious unpatched vulnerability, the RPC DCOM flaw.

Figure 6 - Vulnerability in the RPC service. Details of this vulnerability are as follows [7]:


Windows provides the ability to use RPC to run distributed applications. Microsoft RPC consists of libraries and services that let distributed applications operate in the Windows environment. A distributed application consists of several processes that carry out some defined task; these processes can run on one or more computers. Microsoft RPC uses a name service provider to locate servers on the network. The Microsoft RPC name service provider must conform to the Microsoft RPC name service interface (NIS). NIS consists of API functions that give access to multiple entries in the same name service database (the name service database contains the entries, groups of entries, and the history of entries on the server). When Windows is installed, Microsoft Locator is automatically selected as the name service provider; it is the most suitable name service provider in a Windows network environment. Microsoft's RPC (Remote Procedure Call) service is vulnerable to a buffer overflow in its Distributed Component Object Model (DCOM) interface. By sending a malformed message to the RPC service, a remote attacker can overflow a buffer and execute arbitrary code on the system with Local System privileges. With such code, the attacker has full control of the target machine. The next step uses the open-source Metasploit software to exploit this vulnerability: open the program interface and select the vulnerability to exploit.

Figure 7 - Metasploit interface


Next, choose the action to perform on exploitation, select the target, and attack.

Figure 8 - Metasploit interface (2)

The actions available when exploiting this vulnerability include creating a command-line shell with administrator privileges on the victim's machine and creating an account with administrative rights. When the vulnerability is exploited, a message about restarting the RPC service appears on the victim's machine.


CHAPTER 3. ATTACK AND INTRUSION PREVENTION APPLIANCE

3.1. BASIC CONCEPTS [2]


To understand and master the methods of detecting and preventing attacks and intrusions, a body of basic knowledge about IDS/IPS systems is necessary. The terms used in intrusion prevention technology are listed below.

Table 1 IDS/IPS terminology

Terminology: Description
Inline mode: Inspects network traffic and is able to block an intrusion before it reaches its target.
Promiscuous mode (passive mode): Passively inspects network traffic.
Signature engine: An engine that supports signatures sharing common attributes (such as the same protocol).
Meta-Event Generator: The ability to define a derived signature based on several other signatures.
Atomic signature: A signature that fires on the content of a single packet.
Flow-based signature: A signature that fires on information contained in a sequence of packets between two systems (for example the packets of a TCP connection).
Behavior-based signature: A signature that fires when abnormal traffic comes from ordinary users.
Anomaly-based signature: A signature that fires when traffic exceeds the configured normal profile.
False negative: The situation in which the detection system fails to recognise an intrusion even though a signature exists for that activity.
False positive: The situation in which an ordinary user triggers an alarm although no intrusive behaviour occurred.
True negative: The situation in which no signature fires on normal network traffic.
True positive: The situation in which an alarm is correctly raised when an intrusion or attack is on the network.
Deep-packet inspection: Decoding the protocols and inspecting the whole packet so that packet-based rules work correctly.
Event correlation: Associating multiple alerts or events with a single attack.
Risk rating (RR): A threat rating based on many factors rather than on the severity of the attack alone.

IPS/IDS Triggers. The purpose of an IDS/IPS device is to recognise an attack and stop it. However, not every kind of device uses the same method. Three main methods are used in current IDS/IPS systems:

- Anomaly detection
- Misuse detection
- Protocol analysis

Note: the detection method is the action that causes the IDS/IPS system to raise an alarm. For a common burglar alarm, for example, the trigger is the event of a window breaking. An IDS may raise an alarm when a packet arrives at a particular port with particular data.

Anomaly Detection. Anomaly detection can also be called profile-based detection. In anomaly detection, profiles are built that define which behaviours are normal. These profiles can learn by themselves from past behaviour. Once the normal profiles have been defined, everything else is abnormal and will raise an alarm. The main benefit of anomaly detection is that its alarms are not based on signatures of specific attack types but on the attack's abnormal behaviour. As a result, the system can detect an attack even before the attack has been published.

Misuse Detection. Misuse detection is signature-based detection: it raises an alert when activity occurs whose characteristics match predefined signatures. These signatures are a set of rules that capture the vulnerabilities an attacker could exploit to intrude into the network. Experienced engineers who know the attacks and vulnerabilities can develop rules for each individual signature. Its main benefits are:

- Signatures are based on known attacks.
- Attack detection is easy to set up.
- The system is easy to understand.
- Attacks are detected immediately after installation.

Protocol Analysis. The last method is protocol analysis. This method analyses activity according to defined protocols: it analyses packets based on the definition of the protocol in its RFC, and on the packet payloads and headers. With protocol analysis in place, attacks must use valid packets and must also carry no attack in the payload or header of the packet.

IPS/IDS Monitoring Locations. There are two kinds of monitoring location:

- Host-Based
- Network-Based

Host-Based. A host-based intrusion detection system checks for unauthorised activity by examining information at the machine or operating-system level. These systems usually examine system calls, traces of modification, system error messages and so on. Because a host-based IPS/IDS inspects traffic after it has reached the attacked machine, it knows exactly whether the machine was attacked successfully or not.

Network-Based. A network-based intrusion detection system inspects the packets travelling on the network and compares the traffic with known intrusion signatures. A network-based IPS device inspects traffic as a device operating at layer 2. Note: to see all of the network's packets, every packet travelling across the network must be inspected. Normally, a machine only inspects packets addressed to it, together with broadcast packets. To be able to see all packets on the network, the IDS device must put its network card into promiscuous mode; in this mode, the card inspects every packet regardless of its destination address. A network-based intrusion detection system has the following advantages over a host-based one:

- It gets an overview of the whole network.
- It does not have to run on every machine in the network.

Because a network-based device can see many machines, it has an overall view of attacks on the network. If someone scans the machines in the network, an alert is raised immediately. Another benefit of such a system is that it does not need to run on every machine in the network; instead, the system relies on a certain number of sensors to collect network traffic. These sensors can be optimised because they only need to perform a few well-defined tasks on the network.

3.2. THE PROVENTIA G200 IPS APPLIANCE

Based on Internet Security Systems technology, Proventia G is an inline intrusion prevention system (IPS) that automatically blocks malicious attacks while preserving bandwidth on the link. Built on world-leading network security technologies, using Intel processors such as the Intel Xeon and a hardened Linux-kernel operating system, Proventia G reduces development costs, optimizes management and gives maximum protection for the system at speeds up to 100 Mbps. Unlike a firewall, the Proventia G Series inspects deep into packet contents and blocks known as well as unknown attacks in real time, including distributed denial-of-service (DDoS) attacks, backdoors and security vulnerabilities, reducing the administrator's workload. Together with the other network, server and desktop protection components, the Proventia G Series is centrally managed by RealSecure SiteProtector. Central administration includes updating, setting security policy and reporting, which saves administrator time. Proventia G operates with stealth interfaces that have no IP address, which limits attacks against the device itself and makes it transparent to the network from the IP layer up.

The IPS G200 is an intrusion detection system in the G series product line; it is a network-based IDS/IPS that analyses intrusion attacks by misuse detection, recognizing attacks by the signatures of attacks or intrusions held in its database. This database is updated regularly by the renowned X-Force network security research team. The device also allows firewall rules and connection rules to be set up to support blocking intrusion attacks. It has a mechanism that lets the administrator create their own attack-recognition signatures, through which it can detect and block attacks even before they become widely known.

The device operates in three modes:
- inline protection
- inline simulation
- passive monitoring
These modes are chosen at installation time or can be configured later.

Inline Protection
This mode lets us integrate the device into the network infrastructure. In this mode, besides the normal blocking and quarantine rules, all firewall rules together with all of the device's security rules are enabled.

Inline Simulation
This mode lets us monitor the network without affecting traffic. Besides the common blocking rules, it can also quarantine targets. Packets are not dropped when a response fires, and the device does not reset TCP connections. This mode is used to test security rules without affecting network traffic.

Passive Monitoring
This mode operates like an intrusion detection system (IDS): it monitors the network without controlling it. Normally it responds to intrusions with the common blocking rules. When the device detects an error, it sends a reset request to block the TCP connection. This mode is used when deciding what kind of protection the current network needs.


3.3. THE SITEPROTECTOR SYSTEM [2]

3.3.1. What is the SiteProtector System?
The SiteProtector System is a centralized management system that provides command, control and monitoring capability for all IBM ISS products.

Components of the SiteProtector system
The SiteProtector system consists of many different components, each with its own function. The SiteProtector system interface treats the components as agents.

Agent Manager (Desktop Controller): provides the ability to configure, update and manage SiteProtector components and other IBM ISS products such as:
  o X-Press Update Server
  o Desktop Protection agents
  o Proventia G appliances
  o Proventia Network IPS
  o Proventia Network MFS
Console: the interface for running all SiteProtector system tasks, including:
  o Configuring, updating and managing the SiteProtector system.
  o Configuring, updating and managing other IBM ISS products such as Desktop Protector agents, scanners, appliances and sensors.
  o Creating and managing security policies and responses.
  o Setting up, organizing and managing groups for the resources that the SiteProtector system monitors.
  o Setting up users and permissions.
  o Monitoring security issues and damage to the network.
  o Running and scheduling jobs such as scans, product updates and database maintenance.
  o Generating reports.
  o Generating tickets.
Databridge: lets the SiteProtector system collect and display security data from legacy IBM ISS products such as System Scanner or from third-party systems.
Deployment Manager: a web application used to install the SiteProtector system and other ISS products from a central location on the network.
Event Archiver: stores security events on a remote device.
Event Collector: gathers security data generated by ISS products and sends it to the Site Database for processing. After processing, the data can be displayed in the SiteProtector Console. The Event Collector also sends unprocessed data to the Event Viewer.
Event Viewer: provides another interface for displaying security events. The Event Viewer receives unprocessed events directly from the Event Collector. This interface is used mainly for troubleshooting. ISS recommends using the Console for security management tasks.
Site Database: stores the following information:
  o Security data generated by ISS products
  o Security event statistics
  o Group information
  o Command and control data
  o XPU status of all agents
  o SiteProtector system user accounts and permissions
  o Tickets
  o Display customizations, reports and other settings.
SiteProtector Application Server: makes communication between the SiteProtector Console and the other agents easier. The Application Server lets multiple Consoles jointly perform the following functions:
  o Communicate with the SiteProtector Database
  o Monitor and manage the same set of Event Collectors and agents
Note: the Application Server contains the Sensor Controller and the X-Press Update Server. These three components are installed automatically on the same computer. They are fully integrated and cannot be separated.
Sensor Controller: makes command and control between the Console and the other agents easier.
X-Press Update Server: the main tool for updating the SiteProtector system and the other ISS products it works with. It performs the following tasks:
  o Connects to the ISS download center
  o Downloads updates.
  o Provides updates to the whole distributed SiteProtector system.
Web Console: a web interface that gives limited access to the SiteProtector system. The Web Console is mainly used to monitor the system's resources and security events.

3.3.2. Setting up the SiteProtector system
Setup stages
Configure and update the system:
  o Configure the components.
  o Update the components.
  o Set up accounts and permissions.
Set up groups:
  o Plan the organization of network resources and agents into groups.
  o Create groups and subgroups.
  o Configure the properties of the groups.
Configure agents:
  o Install, update and configure the other ISS products you want to use with SiteProtector, such as appliances and scanners.
  o Verify that the products are registered and configured to work with the SiteProtector system.
Configure policies:
  o Configure security and response policies for the agents.
  o Configure the main responses.
  o Configure tickets.
Set up assets:
  o Add the hardware assets that are important to the SiteProtector system and will be monitored by the agents.
  o Adjust the hardware asset groups.
After setting up the SiteProtector system, additional modules can be installed and configured.

Configuring the interactive interface
Setting general options
We can set general options in the SiteProtector system to control the behaviour of the interface, such as the default display at startup and time settings. To set general options, in the interactive interface choose Tools -> Options. The Options window contains the following option categories:
1. General: contains startup options and time options. Under General is the Table tab with table display options.
2. Logging: controls how SiteProtector handles logging.
3. Documentation: selects the source of reference documentation.
4. Browser: options for the browser integrated in SiteProtector.
5. Global Summary: chooses the content shown after the interface starts (similar to a homepage).
6. Notifications: used to specify the type and level of notifications displayed in the interface and to configure email alerts for high and critical notifications.
7. Report: used to insert the company logo into reports.
8. Authentication: used when the Site requires user authentication to log in to the SiteProtector system. The credentials can be those already held in Windows or come from a smart card.
9. Summary: chooses the content displayed in the Summary section.
10. Asset: contains display options for the Asset section.
11. Ticket: changes the default display of the Ticket section.
12. Agent: changes the default display of the Agent section.
13. Analysis: chooses the content displayed in the Analysis section.

In this thesis, SiteProtector is used only to control and configure the IPS appliance more easily. However, in the future, as network monitoring devices are upgraded in number and quality, SiteProtector will become an indispensable system for securing the Vietnam National University network.

3.4. INSTALLING AND CONFIGURING THE IPS [5]

3.4.1. Installation
The operating system used in the Proventia G200 IPS is IBM's own Linux-based operating system, version G-Series.1.7_2008.1105_15.57.25. Installing this operating system is basically the same as installing an ordinary Linux operating system. During installation, the operating system asks for the network address of the IPS management port. After the operating system is installed, the basic configuration of the device, such as date and time, device name, domain name and IP address, is done directly in the device's command-line interface. The web interface is accessed through the address just set. Firewall rules, security events and responses are configured in this interface. Another important task in the web interface is registering with the IPS the address of the machine on which the SiteProtector management software is installed. With SiteProtector we can control and configure the IPS more easily. In addition, with this software we can add our own signatures to recognize attacks and intrusions more easily.

3.4.2. Configuring the operating mode
The IPS device has the 3 operating modes mentioned above:
- passive monitoring
- inline simulation
- inline protection
The device requires one of these 3 modes to be chosen when its software is first installed.
Note: network congestion configuration, unresponsive agents and agent update options exist only in inline protection mode. They are not used in passive mode.
The operating mode chosen at installation can be changed as follows.
1. Set up a local configuration interface (console port) and log in.
2. In the configuration menu, choose Agent Mode and press ENTER. The mode configuration screen appears.
3. Choose the operating mode by pressing the SPACE BAR. The selectable modes are:
   - Inline Protection
   - Inline Simulation
   - Passive Monitoring
4. Press ENTER. The mode configuration screen appears again.
We can also configure the operating mode in SiteProtector. To change the mode, follow these steps:
1. In SiteProtector Site Manager, select the device.
2. In the Inline Appliance Properties window, choose the General tab.
3. In the Inline Appliance Mode area, choose the mode from the list.
4. Click OK.

3.4.3. Configuring security events
The security event page lists hundreds of attack and security events. An attack or security event is network traffic carrying attack content or a suspicious action. These events occur when network traffic matches one of the events in the enabled security policy. Note that all events are listed under the global security domain. The device always uses a global security policy, meaning that it handles security events in the same way for all areas of the network. Events should therefore be configured at the global level. If you want to configure security policies for a particular segment of the network, you must create a protection domain for each segment.

To add security events:
1. Choose Security Events.
2. On the Security Events tab, click Add.
3. Complete or change the settings shown below:
Enabled: select this to make the event part of the security policy.
Protection Domain: if protection domains are configured, choose one from the list. An event can only be set for one domain at a time; to configure this event for another domain, copy and rename the event and then assign it to the other domain. Note: the protection domain in the list will be Global if protection domains are not configured or not used.
Attack/Audit: if you create a custom event, this field is not used. If you edit an event in the list, this field shows audit or attack. An audit event is an event that searches for information on the network. An attack event is an event that seeks to damage the network.
Tag Name: enter a description for the event (cannot be changed when editing).
Severity: choose the severity level for the event.
Protocol: enter the protocol (for existing events it is read-only).
Ignore Events: select if you want the device to ignore this event when it occurs.
Display: choose the display mode:
  No Display: do not display when the event is detected.
  WithoutRaw: log a summary of the event.
  WithRaw: log together with the captured packet.
Block: select to allow the attack to be killed by dropping the packet and resetting the TCP connection.
Log Evidence: save the packets that caused the event to the /var/iss directory.
Responses: enable responses with the following options:
  Email: choose an email response.
  Quarantine: choose a quarantine type.
  SNMP: choose an SNMP response from the list.
  User Defined: choose a user-defined response type.
XPU: only for existing events, shows the XPU version (read-only).
Event Throttling: enter the time interval during which the event, once it has occurred, is reported only once. The default is 0 (disabled).
Check Date: shows the date the event was created (read-only).
Default Protection: shows the default protection set for the event, such as Block (read-only).
User Overridden: if you create a new event, the default is custom event; the same applies to edited events.
4. Click OK and save the changes.

Figure 9. Security Events

Editing multiple events
To edit multiple events:
1. Choose Security Events.
2. On the Security Events tab, do one of the following:
   a. Select multiple events by holding [CTRL] and selecting each event.
   b. Select a range of events by holding [SHIFT] and selecting from the first to the last event.
3. Click Edit.
Every field that is edited changes for all of the events. A blue rectangle appears next to a field when the value of that field differs between the events. If you change the value of such a field, the value is set for all selected events and the blue rectangle disappears. For example, if you edit 2 events and one has block enabled while the other does not, a blue rectangle appears next to Block. If you enable block, both events will have block enabled and the blue rectangle disappears.
4. Click OK and save the changes.

Assigning a protection domain to multiple events
Once protection domains are configured, they can be assigned to multiple security events. To assign a protection domain to multiple security events:
1. Choose Security Events.
2. On the Security Events tab, do one of the following:
   a. Select multiple events by holding [CTRL] and selecting each event.
   b. Select a range of events by holding [SHIFT] and selecting from the first to the last event.
3. Click Copy.
4. Click Paste.
5. Select all of the items by marking them and choose Edit.
6. Choose the protection domain to assign to the selected events.
7. Edit other settings if needed.
8. Click OK and save the changes.

3.4.4. Configuring responses
Responses
Responses are the actions the device takes when there is an important event on the network or an intrusion. Our job is to create responses and apply them to events. We can configure the following kinds of response:
- Email: send a warning mail to a group or an individual.
- Log evidence: record the necessary information in a log file.
- Quarantine: isolate the network from attacks.
- SNMP: send an SNMP trap to an SNMP server.
- User specified: send a warning based on special requirements that the administrator creates to monitor the network.
One default response of the PG is the Block response, which blocks an attack by dropping the packets and resetting the TCP connection. Its behaviour in the different modes is as follows:

Table 2. Block response by operating mode
In mode ...            the device ...
Passive Monitoring     turns off the Block response
Inline Simulation      monitors the network and generates alerts but does not block attacks
Inline Protection      blocks attacks by dropping packets and resetting the TCP connection

Another kind is the Ignore response, set on security events, which causes the device to disregard packets that match the specification in the event. This response can also be set in response filters or in security events. Normally this response is used when you want to filter out security events that do not harm the network.

Email
To configure an Email response, go to one of the following:
a. In Proventia Manager, choose Responses.
b. In SiteProtector, choose Response Objects.
Choose the Email tab. Click Add. Complete the configuration shown in the following table.
Table 3. Email response
Setting            Description
Name               Enter a name for the response; it should relate to the response type.
SMTP Host          Enter the domain name or IP address of the mail server. (Note that the mail server must be reachable from the device.)
From               Enter the mail addresses, separated by commas.
To                 Enter the mail addresses, separated by commas.
Sensor Parameters  Enter the subject and body of the message and the parameters for the mail content.

Click OK, save and exit.

Log Evidence
To configure a log evidence response, go to one of the following:
a. In Proventia Manager, choose Responses.
b. In SiteProtector, choose Response Objects.
Choose the Log Evidence tab. Fill in the information in the following table.
Table 4. Log Evidence response
Setting                 Description
Maximum Files           Enter the maximum number of files the log can hold. The default is 10 files; if the maximum is exceeded, the oldest file is deleted.
Maximum File Size (KB)  Enter the maximum size of a stored file; the default is 10000.
Log File Prefix         Enter the prefix of the log file; the default is evidence.
Log File Suffix         Enter the suffix; the default is .enc.
Save the configuration.

Quarantine
This response is used to block an intrusion when a security or connection event is detected. It can also block worms and trojans. This response only works in Inline Protection mode. There are 3 kinds of quarantine in the PG.
Table 5. Quarantine types
Quarantine target    Description
Quarantine Intruder  Completely blocks the hosts involved in the attack.
Quarantine Trojan    Quarantines hosts that are victims of the attack.
Quarantine Worm      Quarantines worm probes that are searching, for example, for a SQL port.

To configure the response, go to one of the following:
a. In Proventia Manager, choose Responses.
b. In SiteProtector, choose Response Objects.
Choose the Quarantine tab. Click Add, or choose the response you want to edit and click Edit. Fill in the information in the following table.
Table 6. Quarantine response
Setting           Description
Name              Enter a name for the response; it should be meaningful.
Victim Address    Block packets based on the victim IP address.
Victim Port       Block packets based on the victim port.
Intruder Address  Block packets based on the intruder IP address.
Intruder Port     Block packets based on the intruder port.
ICMP Code         Block packets based on the ICMP code.
ICMP Type         Block packets based on the ICMP type.
Click OK and save.

SNMP
This response takes information from the MIBs of the SNMP agent and sends it to the servers. To configure the response, go to one of the following:
a. In Proventia Manager, choose Responses.
b. In SiteProtector, choose Response Objects.
Choose the Quarantine tab. Click Add, or choose the response you want to edit and click Edit.

Fill in the information in the following table.

Table 7. SNMP response
Setting    Description
Name       Enter a name for the response; it should be meaningful.
Manager    IP address of the SNMP server.
Community  Name used to authenticate with the SNMP agents.
Click OK and save.

User Specified

We can use Linux binaries or shell script files as the executable for this response. The executable must be copied onto the device in order to run. Each event runs only one file, so to run several operations, put a set of commands into that file. To configure the response, go to one of the following:
a. In Proventia Manager, choose Responses.
b. In SiteProtector, choose Response Objects.
Choose the Quarantine tab. Click Add, or choose the response you want to edit and click Edit. Fill in the information in the following table.

Table 8. User Specified response
Setting            Description
Name               Enter a name for the response; it should be meaningful.
Command            Enter the command that the response runs.
Sensor Parameters  Expand the list and choose add to pick the parameters you need.
Click OK and save.

Configuring response filters

A response filter helps tune the security policy by controlling the number of events the device responds to and the number of events reported to the management console. It can be used in the following ways:
- Configure responses for events that are triggered based on all of the criteria specified in the filter.
- Reduce the number of security events that the device reports to the management console.
For example, if there are hosts on the network that are safe and trusted, or hosts that you want the device to ignore for any reason, you can use a response filter with the IGNORE response enabled.
Event filter attributes:
- adapter
- virtual LAN (VLAN)
- source or destination IP address
- source or destination port number, or ICMP code

Filters and other events
When the device detects traffic matching a response filter, it executes the responses specified in the filter. Otherwise the device executes the security events as specified in the event itself. Response filters follow an ordering rule. For example, if you add one or more filters for the same event, the device executes the responses of the first match. The device reads the list from top to bottom.

To add a response filter:
1. Choose Security Events.
2. Choose the Response Filters tab.
3. Click Add.
4. Complete the following settings:
Enabled: enabled by default.
Protection Domain: choose the protection domain to set for this filter.
Event Name: choose the event for which to set the response filter. Only one event can be chosen.
Event Name Info: shows information about the event if needed (read-only).
Comment: enter a description of the event filter.
Severity: choose the severity level of the event.
Adapter: choose the device port to which the filter applies. Note: the device skips ports to which the filter does not apply.
VLAN: enter the VLAN range to which the filter applies.
Event Throttling: enter the time interval during which the event, once it has occurred, is reported only once. The default is 0 (disabled).
Ignore Events: the device ignores this event when it occurs.
Display: choose the display mode:
  No Display: do not display when the event is detected.
  WithoutRaw: log a summary of the event.
  WithRaw: log together with the captured packet.
Block: select to kill the attack by dropping the packet and resetting the TCP connection.
ICMP Type/Code: enter the ICMP type or code.
Log Evidence: save the packets that caused the event to the /var/iss directory.
Responses: enable responses with the following options:
  Email: choose an email response.
  Quarantine: choose a quarantine type.
  SNMP: choose an SNMP response from the list.
  User Defined: choose a user-defined response type.
IP Address and Port: the source and destination IP address or port you want to filter.
5. Complete the port and IP address settings:
Address:
  Not: exclude the addresses you specify.
  Any: select all addresses.
  Single Address: filter one address; enter the address.
  Address Range: filter a range of addresses; enter the range in Range. Do not use 0.0.0.0-255.255.255.255.
  Network Address/# Network Bits (CIDR): select addresses by subnet; enter the IP and mask, for example 128.8.27.18 / 16.
Port:
  Not: exclude the ports you specify.
  Any: select all ports.
  Single Port: filter one port; enter the port.
  Port Range: filter a range of ports; enter the range in Range.
6. Click OK and save the changes.


Figure 10. Response Filters

3.4.5. Configuring the firewall
The Proventia G200 IPS device not only can block intrusion attacks through attack signatures; it also has the capability of an ordinary firewall, with which it blocks part of the illegitimate packets entering the protected network domain. We can use firewall rules to block attacks by the source and destination of packets. Firewall rules are only enforced when the device is in Inline mode; in Passive mode it does nothing, and in Simulation mode it reports the rule execution but does not carry it out. We can create firewall rules based on the following criteria:
- Adapter
- VLAN range
- Protocol (TCP, UDP or ICMP)
- Source and destination IP and port ranges

The firewall's actions when a packet matches a rule are as follows:
Ignore: lets the matching packet pass with no further action or response.
Protect: the matching packet is handled by the usual responses: logging, drop (not the drop action of an ordinary firewall), RealSecure Kills and Dynamic Blocking (see the response configuration section).
Monitor: acts as an IP whitelist, that is, it skips the Dynamic Blocking, Drop and RSKill responses. Other responses are still applied. Note: the monitor action skips RSKill by default, but this can be changed by setting the value sensor.whitelistresets to true (1).
Drop: blocks the packet from passing the firewall. Unlike ordinary firewalls, the IPS firewall is transparent and has no address. A dropped packet looks to the sender as if the target is not answering. The sender will try to resend several times and then time out.
Drop and Reset: like the drop action, but sends a reset packet to the source so that the source terminates the connection faster.
Like other firewalls, the IPS firewall rules are read from top to bottom. If a packet matches a rule with the Ignore action placed above, the remaining firewall rules are not read. This is clearer in the example below:
  Adapter any IP src addr any dst addr xxx.xx.x.xx tcp dst port 80 (Action = ignore)
  adapter any ip src addr any dst addr xxx.xx.x.1-xxx.x.x.255 (Action = drop)
The first rule lets all traffic to port 80 of host xxx.xx.x.xx pass as legitimate traffic; all other traffic is blocked. However, if the 2 rules are reversed, all traffic is blocked, including the traffic to the web server on host xxx.xx.x.xx port 80. Recall that firewall rules only work when the device is in inline mode.

To turn the firewall feature on or off
1. In the Policy Editor window, choose the Firewall Rules tab.
2. Do you want to turn the firewall feature on? If yes, select the Firewall Rules check box. If no, go to step 3.
3. Do you want to turn the firewall feature off? If yes, clear the Firewall Rules check box. If no, stop here.
To add a firewall rule
1. In the Policy Editor window, choose the Firewall Rules tab.
2. Click Add. The name entry window appears.
3. Enter the rule name and click OK. The rule is added to the list.
4. Do you want to enable logging for this rule? If yes, select Log. If no, clear the Log option.
5. Choose an action for the firewall rule from the action list. The selectable actions are:
   - Ignore
   - Monitor
   - Protect
   - Drop
   - DropAndReset
6. From the File menu, choose Save. A confirmation window appears.
7. Click OK.
8. Click Close.
To remove a firewall rule
1. In the Policy Editor window, choose the Firewall Rules tab.
2. Select a rule in the right pane and click Remove. The rule is removed.
3. From the File menu, click Save and confirm.
4. Click OK.
5. From the File menu, choose Close.
After customizing the firewall rules, the rules must be applied to the device.
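The top-to-bottom, first-match reading of firewall rules described above (and the Any / Single Address / Address Range / CIDR / Not selectors of the response filters in 3.4.4), as an added Python model that is not the appliance's code and not from the thesis; the rule and packet fields are assumptions, and all addresses are constructed because the thesis masks its own as xxx.xx.x.xx.

```python
"""First-match evaluation of Proventia-style firewall rules.

Added example, not the appliance's code and not from the thesis. It models
the rule fields of section 3.4.5 (adapter, protocol, source/destination
address and port, action) and the address selectors used by response
filters in section 3.4.4 (Any, Single Address, Address Range, CIDR, Not).
All addresses are constructed documentation ranges.
"""
import ipaddress
from dataclasses import dataclass

ACTIONS = ("ignore", "monitor", "protect", "drop", "dropandreset")


@dataclass(frozen=True)
class AddrSpec:
    """Address selector: 'any', 'a.b.c.d', 'a.b.c.d-e.f.g.h' or 'a.b.c.d/nn'.
    negate=True is the 'Not' option of the filter UI: match everything
    except the listed addresses."""
    spec: str = "any"
    negate: bool = False

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.spec == "any":
            hit = True
        elif "-" in self.spec:                       # Address Range
            lo, hi = (ipaddress.ip_address(s.strip()) for s in self.spec.split("-"))
            hit = lo <= addr <= hi
        elif "/" in self.spec:                       # Network Address/# bits (CIDR)
            hit = addr in ipaddress.ip_network(self.spec, strict=False)
        else:                                        # Single Address
            hit = addr == ipaddress.ip_address(self.spec)
        return hit != self.negate


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    adapter: str = "any"
    protocol: str = "any"            # tcp, udp, icmp or any
    src: AddrSpec = AddrSpec()
    dst: AddrSpec = AddrSpec()
    dst_ports: tuple = ()            # empty means any destination port

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown firewall action {self.action!r}")

    def matches(self, pkt: dict) -> bool:
        return (self.adapter in ("any", pkt["adapter"])
                and self.protocol in ("any", pkt["protocol"])
                and self.src.matches(pkt["src"])
                and self.dst.matches(pkt["dst"])
                and (not self.dst_ports or pkt.get("dport") in self.dst_ports))


def evaluate(rules, pkt):
    """Return (rule name, action) of the first rule that matches, reading the
    list top to bottom as the appliance does. A packet that matches no rule
    falls through to the security-event signatures."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, rule.action
    return None, "no-match"


# Constructed DMZ policy in the spirit of the thesis' two-rule example:
# web traffic to one server is ignored (let through), everything else
# destined to the DMZ range is dropped.
WEB_SERVER = "192.0.2.10"                    # constructed (TEST-NET-1)
DMZ_RANGE = "192.0.2.1-192.0.2.255"

CORRECT_ORDER = [
    Rule("allow-web", "ignore", protocol="tcp",
         dst=AddrSpec(WEB_SERVER), dst_ports=(80,)),
    Rule("drop-dmz", "drop", dst=AddrSpec(DMZ_RANGE)),
]
# The same two rules with the order swapped: the drop rule now matches first,
# so even the web server's port 80 is blocked.
REVERSED_ORDER = list(reversed(CORRECT_ORDER))


def web_request():
    """Constructed packet: a client on the Internet fetching the web site."""
    return {"adapter": "A", "protocol": "tcp", "src": "198.51.100.7",
            "dst": WEB_SERVER, "dport": 80}


def ssh_attempt():
    """Constructed packet: the same client trying port 22 on the web server."""
    return {"adapter": "A", "protocol": "tcp", "src": "198.51.100.7",
            "dst": WEB_SERVER, "dport": 22}


if __name__ == "__main__":
    for rules, label in ((CORRECT_ORDER, "correct"), (REVERSED_ORDER, "reversed")):
        print(label, evaluate(rules, web_request()), evaluate(rules, ssh_attempt()))
```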

3.4.6. Configuring protection domains

Protection domains let you define security policies for different network segments monitored by a single device. A protection domain acts like a virtual sensor, as if we had several network monitoring devices. A protection domain can be defined by port, VLAN or IP address range. To use protection domains, you need to:
- Define and apply multiple protection domains to the device.
- Apply multiple policies to the device, allowing responses to be tailored to traffic on one or more networks.
The device always uses a global security policy, which means it always handles security events in the same way for all areas of the network. The device uses the global policy to handle events unless you define protection domains and edit the event policy to suit each domain. After creating protection domains, you must link them to policies in order to handle the events occurring on the network. You can create specific policies for each protection domain, or use the global policy for a domain where that is appropriate.
Adding a protection domain
Go to the protection domain page. Choose Add and proceed as in the figure below.

Figure 11. Protection Domain
After a protection domain is created, it appears on the security event page. You can then add policies for the protection domain, or copy the events from global.

Figure 12. Protection Domain

3.4.7. Configuring alerts
Use the Alerts page in Proventia Manager to display and manage system and security-related notifications. The notification list includes the following types:
- Intrusion Prevention Alert: relates to attack attempts occurring on the network.
- System Alert: relates to the device and its operation.

The icons express the severity of the notification.

Figure 13. Notification severity levels
To display notifications, choose to display all notifications. Choosing Notification > Alerts also displays all notifications. Choose Intrusion Prevention > Alerts to display only security notifications. Choose System > Alerts to display system notifications.

Figure 14. Example notifications
You can view detailed information about a notification by clicking its name. This information can be very useful for understanding and fixing the problem.

You can use the built-in filter to easily pick out the notifications of interest by criteria such as Risk Level, Alert Name and Alert Type.

3.5. BLOCKING SIMULATED ATTACKS WITH THE IPS

When an attack occurs, the IPS performs the configured actions and at the same time sends a notification about the attack. The notification is displayed on the alert screen of the web interface. In addition, the notification can be sent by mail to the administrator when necessary. We can set a level for each attack type; these levels are shown by colour in the Alerts notifications when an attack is detected (a green triangle corresponds to low, a yellow square to medium, a triangle to high; see the alert configuration section). We can set the reaction options when an attack is detected, such as block to stop the attack, log to write it to a log file, email to send a notification mail, or quarantine to isolate the address that caused the attack.

3.5.1. Blocking information-gathering techniques
The firewall can block some information-gathering techniques such as ping (used to probe whether the protected system exists) by blocking ICMP packets. It can block ftp, telnet and traceroute by blocking ports. However, hackers today have many ways to get past these ordinary firewalls. For example, instead of ping, a hacker can send a packet to a specific port that is always open on the host (for example, the port of the NetBIOS service). Instead of ftp over the default port, a hacker can use the protocol over ports that cannot be blocked (for example, the DNS port). With the Proventia G200 IPS, all of these actions are detected and can be blocked, because the device monitors the whole network comprehensively and checks each signature: not only the packet format but also the packet content and the protocol used are inspected. Therefore at present there is almost no way to get past this device without leaving a trace.

Figure 15. Blocking information gathering

3.5.2. Blocking DoS attacks
The Proventia G200 IPS Security Events come with built-in protection against many DoS attack techniques. To activate protection against a particular attack type, simply tick the checkbox in the Enable column for the corresponding attack types. We tick the SYN flood attack. Protection against the SYN flood attack is now activated.

Figure 16. Enabling the SYNFlood alert
Mechanism for detecting and blocking the SYNFlood attack. Based on how the SYNFlood attack works, SYN packets that have no corresponding ACK acknowledgement can easily be detected. This can be remedied by sending back an RST packet requesting that the connection be restarted. As a result, the resources being held are released. With the Proventia Network IPS, the sign of a SYNFlood attack is detected by monitoring the number and rate of SYN packets a server receives without corresponding ACK acknowledgements. This rate can be controlled with two parameters defining the number of new connection requests and the timeout. Both the SYNFlood attack and the smurf attack (ping sweep) are detected and blocked by the IPS as in the figure below.
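The SYN-without-ACK tracking just described, as an added Python example that is not the appliance's code and not from the thesis; max_half_open and timeout_s stand in for the two parameters the text names (their values are assumptions), and the packet trace is constructed.

```python
"""Half-open (SYN without ACK) tracking as described for SYNFlood detection.

Added example, not the Proventia appliance's code and not from the thesis.
The two tunables the thesis names (number of new connection requests and a
timeout) are modelled as max_half_open and timeout_s; their values are
assumptions, and the packet trace is constructed.
"""
from collections import defaultdict


class SynFloodMonitor:
    def __init__(self, max_half_open=50, timeout_s=3.0):
        self.max_half_open = max_half_open
        self.timeout_s = timeout_s
        # (server_ip, server_port) -> {(client_ip, client_port): time of SYN}
        self.half_open = defaultdict(dict)
        self.flooded = set()        # servers currently above the threshold
        self.alerts = []            # (time, server, half-open count)

    def _expire(self, server, now):
        """Forget SYNs older than the timeout: the server has dropped them
        itself (or the appliance reset them), so they hold no resource."""
        table = self.half_open[server]
        for client in [c for c, t in table.items() if now - t > self.timeout_s]:
            del table[client]

    def observe(self, pkt):
        """Feed one packet; returns 'alert' on the transition into flood state.
        pkt keys: time, src, sport, dst, dport, flags ('S', 'SA', 'A', 'R')."""
        now, flags = pkt["time"], pkt["flags"]
        client = (pkt["src"], pkt["sport"])
        server = (pkt["dst"], pkt["dport"])
        if flags == "S":
            # New handshake from a client: becomes a half-open entry.
            self._expire(server, now)
            self.half_open[server][client] = now
            count = len(self.half_open[server])
            if count > self.max_half_open and server not in self.flooded:
                self.flooded.add(server)
                self.alerts.append((now, server, count))
                return "alert"
            if count <= self.max_half_open:
                self.flooded.discard(server)
        elif flags == "A":
            # Third handshake step from the client: connection established.
            self.half_open[server].pop(client, None)
        elif flags == "R":
            # A reset from either side clears the entry (the remedy the thesis
            # describes is an RST so that the server frees the resource).
            self.half_open[server].pop(client, None)
            self.half_open[client].pop(server, None)
        return "ok"

    def stale_entries(self, server, now):
        """Half-open clients older than the timeout: candidates for an RST."""
        return [c for c, t in self.half_open[server].items() if now - t > self.timeout_s]


SERVER = ("192.0.2.10", 80)             # constructed (TEST-NET-1)


def constructed_trace():
    """10 completed handshakes, then 60 SYNs from spoofed sources that never
    ACK, then one legitimate SYN well after the timeout has passed."""
    pkts = []
    for i in range(10):
        t, cli = i * 0.1, (f"198.51.100.{i + 1}", 40000 + i)
        pkts.append({"time": t, "src": cli[0], "sport": cli[1],
                     "dst": SERVER[0], "dport": SERVER[1], "flags": "S"})
        pkts.append({"time": t + 0.01, "src": cli[0], "sport": cli[1],
                     "dst": SERVER[0], "dport": SERVER[1], "flags": "A"})
    for i in range(60):
        pkts.append({"time": 1.0 + i * 0.001, "src": f"203.0.113.{i + 1}",
                     "sport": 50000 + i, "dst": SERVER[0], "dport": SERVER[1],
                     "flags": "S"})
    pkts.append({"time": 10.0, "src": "198.51.100.99", "sport": 41000,
                 "dst": SERVER[0], "dport": SERVER[1], "flags": "S"})
    return pkts


def run_trace(pkts=None, **kw):
    """Run the monitor over a trace; the 51st unanswered SYN trips the alert
    with the default threshold, and the expiry empties the table later."""
    mon = SynFloodMonitor(**kw)
    results = [mon.observe(p) for p in (pkts or constructed_trace())]
    return {"alerts": mon.alerts,
            "alert_at_packet": results.index("alert") if "alert" in results else None,
            "remaining_half_open": len(mon.half_open[SERVER])}
```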

Figure 17. Blocking SYNFlood and Smurf (ping sweep) attacks

3.5.3. Blocking intrusion through a backdoor trojan
Based on the TCP traffic the trojan client generates (for example, a connection request to port 6666), the trojan client is blocked and cannot send control signals to the infected host. The attacker's host can be isolated from the whole network if the quarantine option is set in the IPS configuration. Because the IPS device is transparent, the attacker has no idea why the trojan installed on the victim host is not working.

Figure 18. Blocking intrusion through the Beast trojan

3.5.4. Blocking intrusion through a security vulnerability
The sign of this attack is the use of an MSRPC Remote Activation Request or System Activation Request to perform a buffer overflow and then take control of the host. The IPS relies on packets carrying such requests to identify an attack on the MSRPC vulnerability. The IPS security event against MSRPC RemoteActive:

Figure 19. Enabling the MSRPC_RemoteActive_Bo alert
The IPS recognizes the MSRPC RemoteActive attack:

Figure 20. Blocking an attack through the MSRPC RemoteActive vulnerability

3.6. PRACTICAL DEPLOYMENT

The tasks to be carried out when deploying the intrusion detection and prevention system on the VNUnet network:
- Analyse the protection requirements based on the current network and produce a deployment diagram.
- Install and mount the device.
- Configure the device according to the network's requirements.
- Test the operation of the protection system.
- Operate the system in practice.

Analysing the current network model and producing the deployment diagram

Figure 21. VNUnet network model
The internal VNUnet zone, which includes lecturers' machines, university staff machines and student lab machines, is protected by NAT and by the CheckPoint firewall (deployed at the same time as the IDS/IPS system), so it is unlikely to be attacked. Moreover, if the IPS device protected all of these network zones, it would be overloaded, or the cost of buying new devices and deploying the system would be high. Therefore the best measure is to deploy the Proventia G200 IPS to protect the DMZ perimeter zone, which holds the service servers that have real IP addresses and are easily attacked and damaged. In practice, some attacks can be blocked by the firewall, especially by dedicated firewalls such as CheckPoint. This firewall also integrates an IPS operating on anomaly detection. Therefore, if the Proventia G200 IPS is placed behind the firewall, its processing load is reduced. Currently the VNUnet network has 3 Internet uplinks with 2 active routers operating in load balancing, so we can use 2 Proventia G200 IPS devices placed between the routers and the DMZ, as in the following diagram.

[Figure 22 diagram; labels recovered from the text: ISP A, Internet ISP B, VINAren TEIN2, Router, Router CPnet, load balancer (T.B cn bng ti), two Firewall IPS, VPN devices, DMZ perimeter zone]

Figure 22. IPS deployment diagram
Mounting the device
- Install the operating system.
- Mount the device in the rack.
- Connect the device via the console port to the computing centre (TTMT).
- Install the system.
When deploying, pay attention to the availability of the network: the service systems must keep operating stably during deployment. In addition, the system must be backed up before deployment. Another factor to consider is the packet delay caused by inspection in the IPS device. This increases the delay of essential services on the network such as web, mail and so on. This problem can be solved by removing signatures that are outdated, irrelevant or cannot be exploited. For example, the VNUnet web system uses a Linux server, which cannot be attacked through Windows operating-system bugs, and bugs fixed long ago such as ping of death can also be skipped.

56

Tng s du hiu nhn bit trong c s d liu ca thit b IPS l 2375 mc. Trong c 2007 du hiu tn cng v 368 du hiu thm d thng tin. S cc du hiu mc nh b chn t sn l 1181 du hiu tn cng v 0 du hiu thm d. Trong cc my dch v c mt my s dng h iu hnh windows server 2003, v vy thit lp mt min bo v ring p dng tp du hiu mc nh cho my ch ny. Nhng my ch khc s dng tp du hiu dnh cho linux trong lc bt nhng du hiu tn cng v thm d ca windows v dch v chy trn . Tp ny gm 1092 du hiu tn cng, 0 du hiu thm d. Cc du hiu thm d khng b chn nhng vn gy ra cnh bo trong h thng. Vic thm bt cc du hiu khc c th thc hin sau ny khi c yu cu thc t. Mt vn na khi trin khai l xem xt n vic cnh bo tc thi ca thit b vi ngi qun tr. Do ngi qun tr khng th xem cnh bo lin tc v vy cn t cnh bo theo email pht hin v ngn chn cc hnh ng ch gy nn cnh bo m khng t ng chn mt cch nhanh nht. Vic ny gip h thng c bo v mt cch tt hn. Cu hnh ban u l tt c cc du hiu thm d u c cnh bo qua email. Cng vi , nhng tn cng mc critical (nghim trng) cng cn c cnh bo c bin php x l ln sau. Ngoi ra, tt c nhng thay i lin quan ti thit b cng cn c thng bo qua mail trnh kh nng c ngi t nhp vo thit b. Cc cu hnh khc lin quan c bit n h thng mng s do cn b ca TTMT thc hin.

Figure 23 - On an attack or intrusion, mail is sent to TTMT staff

Testing the operation of the system

After configuring the device according to the defined requirements and backing up the service servers, the network cables are connected to ports A and B of the two IPS devices (the two monitoring ports) following the diagram above. The network model after connecting the IPS devices and CheckPoint is as follows.

Figure 24 - The VNUnet network model after deploying the IDS/IPS system

After installing the IPS system according to the model, the service servers kept working normally and the network services were almost unaffected. When simple probes were tried, the system sent mail to the administrator as configured. Simple attacks were blocked by the two protection layers, the CheckPoint firewall and the IDS/IPS system. More serious attacks were not tested, for the safety of the production services.

Figure 25 - The IPS system sends mail to the administrator

The system in real operation

After the first day of operation, thousands of alerts had been generated in the IPS web interface, most of them scans of the system (TCP port scan, ping sweep, ...). Notably, one critical attack matched the SQL_SSRP_Slammer_Worm signature. Almost all of these alerts were sent by e-mail to the system administrator, so the number of e-mails generated in practice was far too high. This made it necessary to change the alerting configuration: the new configuration alerts only on critical attack signatures, while probe and scan signatures are reported only once every 6 hours.

Figure 26 - Actual probes and attacks
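The alerting policy the deployment settles on (immediate e-mail for critical attacks and for changes to the device, probes collected into a digest sent at most once every 6 hours) can be written as a small routing function. This is an added example, not code from the thesis or from the Proventia device; the event fields, addresses and timestamps are constructed, and all signature names except SQL_SSRP_Slammer_Worm are invented.

```python
"""Route IPS events to e-mail under the policy reached above: critical attacks
and device changes mail immediately, probes go into a 6-hour digest.
Added example; field names, addresses and timestamps are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

DIGEST_INTERVAL = timedelta(hours=6)   # probe signatures alert once per window


@dataclass
class Event:
    ts: datetime
    kind: str        # "attack", "probe" or "config" (change on the device itself)
    severity: str    # "critical", "high", "medium", "low", "info"
    signature: str
    src: str


@dataclass
class Mail:
    ts: datetime
    subject: str
    body: List[str]


@dataclass
class AlertRouter:
    mails: List[Mail] = field(default_factory=list)
    pending: Dict[str, int] = field(default_factory=dict)  # probe signature -> count
    window_start: Optional[datetime] = None

    def handle(self, ev: Event) -> None:
        stamp = f"{ev.ts:%Y-%m-%d %H:%M}"
        if ev.kind == "config":
            # Any change to the device is mailed: it may mean someone broke in.
            self.mails.append(Mail(ev.ts, f"Device change: {ev.signature}",
                                   [f"{stamp} {ev.signature} by {ev.src}"]))
        elif ev.kind == "attack" and ev.severity == "critical":
            self.mails.append(Mail(ev.ts, f"CRITICAL {ev.signature} from {ev.src}",
                                   [f"{stamp} {ev.signature} src={ev.src}"]))
        elif ev.kind == "probe":
            self._queue_probe(ev)
        # Non-critical attacks stay in the web console only: no e-mail.

    def _queue_probe(self, ev: Event) -> None:
        if self.window_start is None:
            self.window_start = ev.ts            # first probe opens the window
        elif ev.ts - self.window_start >= DIGEST_INTERVAL:
            self.flush(ev.ts)                    # window over: send what was queued
            self.window_start = ev.ts            # this probe opens the next window
        self.pending[ev.signature] = self.pending.get(ev.signature, 0) + 1

    def flush(self, now: datetime) -> Optional[Mail]:
        """Send the probe digest; a timer would also call this at window end."""
        if not self.pending:
            return None
        body = [f"{sig}: {n} event(s)" for sig, n in sorted(self.pending.items())]
        mail = Mail(now, f"Probe digest ({len(body)} signatures)", body)
        self.mails.append(mail)
        self.pending = {}
        self.window_start = None
        return mail


def run_sample() -> AlertRouter:
    """Replay a constructed sequence of events through the router."""
    t0 = datetime(2009, 5, 1, 8, 0)

    def mins(n: int) -> timedelta:
        return timedelta(minutes=n)

    events = [
        Event(t0,             "probe",  "low",      "TCP_Port_Scan",           "192.0.2.7"),
        Event(t0 + mins(1),   "probe",  "low",      "Ping_Sweep",              "192.0.2.7"),
        Event(t0 + mins(2),   "attack", "critical", "SQL_SSRP_Slammer_Worm",   "192.0.2.100"),
        Event(t0 + mins(3),   "attack", "medium",   "HTTP_Suspicious_Request", "192.0.2.50"),
        Event(t0 + mins(5),   "probe",  "low",      "TCP_Port_Scan",           "192.0.2.7"),
        Event(t0 + mins(361), "probe",  "low",      "Ping_Sweep",              "192.0.2.8"),
        Event(t0 + mins(420), "config", "info",     "signature policy edited", "admin"),
    ]
    router = AlertRouter()
    for ev in events:
        router.handle(ev)
    return router


if __name__ == "__main__":
    for m in run_sample().mails:
        print(f"{m.ts:%H:%M} {m.subject}")
```

Seven events produce three mails instead of seven: the probe seen at minute 5 is folded into the digest that goes out when the 6-hour window closes.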

CHAPTER 4. RESULTS ACHIEVED AND FUTURE RESEARCH DIRECTIONS


4.1. RESULTS ACHIEVED
Through researching and deploying the IDS/IPS system, I came to understand the current state of network security and the requirements for setting up and maintaining a secure network. By studying the relevant literature, consulting experts and practising, I mastered the fundamentals and was able to test intrusion attacks against a system. Having understood the technology used worldwide to stop today's network security threats, during the thesis I installed and learned to operate a dedicated device based on that technology. On a fairly new topic, I identified the difficulties, and ways to resolve them, when deploying an intrusion prevention system on a network as large as a university's. The system was in fact deployed experimentally on the network of Vietnam National University, Hanoi.

Remarks and evaluation

After studying ISS intrusion prevention technology through one of IBM's representative product lines, the Proventia G, I find that this device is able to block most of the attacks within reach of ordinary hackers today. Because it operates at the application layer and inspects packet content, it blocks attacks far better than a plain firewall. It can be updated with new attack signatures researched by X-Force, so it is able to block new forms of attack as well. Moreover, an administrator with deep knowledge of attack methods and of the weaknesses in their network can write custom signatures for that network, and it will then certainly be very hard to break into.

4.2. FUTURE RESEARCH DIRECTIONS


From the research results on network threats and security weaknesses, I find that ensuring network security today is both necessary and rather difficult. After completing this thesis, I would like to continue studying network attacks in more detail and more systematically (or more comprehensively), as well as more effective measures for ensuring network security: for example, how a vulnerability in a system is discovered, and how vulnerabilities can be prevented before an attacker is able to exploit them. The results of this thesis will help direct deeper research into network security in other environments and networks in the future.

APPENDIX A
Security report for 2007

By September 2007 the ISS X-Force security research team had researched and classified 4,256 security vulnerabilities, an increase of 25.8% over 2006 (3,384). Among the activities exploiting these vulnerabilities, attempts to get past firewalls, proxies, intrusion detection systems, virus scanners and so on in order to gain access to systems, and denial-of-service attacks, varied markedly from month to month.

Figure 27 - Activities exploiting security vulnerabilities

Serious security vulnerabilities

In the first nine months of 2007, X-Force issued a great many advisories about serious vulnerabilities in the products of vendors such as Microsoft, Apple, Adobe and VMWare, typically vulnerabilities in Microsoft software such as Internet Explorer, Microsoft Outlook and the Windows DNS Server RPC.

Figure 28 - Upcoming phishing trends

Reports on spam and phishing

According to X-Force, the United States accounts for more than 1/8 of global spam, while Spain has the largest share of phishing e-mail. The US also leads in websites pointed to by links in spam and phishing e-mail, with a share of more than 1/3.

Vendor          Share of vulnerabilities
Microsoft       4.2%
Apple           3.0%
Oracle          2.0%
Cisco           1.9%
Sun             1.5%
IBM             1.3%
Mozilla         1.3%
XOOPS           1.2%
BEA             1.1%
Linux Kernel    0.9%

Web content analysis

By analysing 150 million new web pages and images every month (more than 6.9 billion pages and images since 1999), X-Force has sorted them into 62 categories holding more than 80 million items, adding and updating 100,000 items a day. The results show that more than 10% of web content is pornographic, violent, drug-related or similar material. The US is the country with the largest share of websites carrying unwanted content such as violence and crime, pornography, computer crime and drugs.

Malware detection reports

In the first nine months of 2007, X-Force collected and added to its anti-virus, anti-spyware and anti-malware database a total of 677.65 new samples. Among the malware, Trojans made up the largest share.

APPENDIX B
Security report for 2008

According to Symantec's 14th Internet Security Threat Report (ISTR) for 2008, attack activity worldwide continued to grow to record levels, aimed mainly at valuable information on users' computers. Symantec created more than 1.6 million new signatures for new malicious code in 2008, more than 60% of all the signatures it had ever created, in response to the strong growth in the number and variety of new threats. The report also shows that web browsing remained one of the main causes of malware spread and infection in 2008. Hackers increasingly rely on various malicious-code generation toolkits to develop and distribute their threats.

The underground economy grows more sophisticated

Based on the figures of its latest underground economy report, Symantec describes a well-organised underground economy trading in stolen sensitive information, especially credit card and bank account details. This economy is booming: while prices in legitimate markets were falling, underground prices stayed unchanged from 2007 to the end of 2008. The report also shows that malware writers keep adapting to counter efforts to stop them. For example, the takedown of two botnet hosting providers in the US contributed to a marked drop in active botnet activity between September and November 2008; the botnet operators, however, found replacement hosting, and botnet infections quickly climbed back to their pre-takedown level.

Web applications, the source of vulnerabilities

According to Symantec, web application platforms are often the source of vulnerabilities. These ready-made software products are designed to simplify the deployment of new websites and are widely used on the Internet. Many of them lack security features, and as a result they harbour many vulnerabilities and are easy targets for attack. Of the vulnerabilities identified in 2008, 63% affected web applications, up from 59% in 2007. Of the 12,885 cross-site scripting vulnerabilities in the 2008 report, only 3% (394) had been fixed at the time the report was written. The report also shows that web attacks originated in many countries, led by the US (38%), China (13%) and Ukraine (12%). Six of the top ten countries for web attacks are in Europe, the Middle East and Africa; together they accounted for 45% of the global figure, more than any other region.

Online fraud and spam keep rising

The report finds that online fraud continued to grow. In 2008 there were 55,389 hosts serving phishing websites, up 66% from 33,428 in 2007. Phishing targeting financial services made up 76% of phishing in 2008, up sharply from 52% in 2007. Symantec also reports that spam has again risen strongly: over the past year it tracked spam growth of 192% across the Internet, from 119.6 billion messages (2007) to 349.6 billion in 2008. In 2008, botnets distributed about 90% of all spam.

APPENDIX C
Types of DoS attack

A Smurf attack is a particular variant of the flooding attack on the public Internet. It depends on one essential component, an amplifying network. The attacker uses the target's address to send ICMP echo packets to the whole network (broadcast); all the machines on that network then reply with ICMP echo replies to the machine the attacker wants to hit. The target cannot process the resulting volume of traffic in time and hangs.

Figure 29 - Illustration of a Smurf attack

A ping flood floods the victim with ICMP packets using the ping command with the -t option. It is a very simple attack, but it requires the attacking machine to have more bandwidth than the target.

A SYN flood exploits the way a TCP/IP connection is set up. When a client starts a TCP connection to a server, it must go through the three-way handshake: the client sends a TCP SYN packet to the server's service port; the server replies to the client with a SYN/ACK packet and waits to receive an ACK packet from the client; the client answers the server with an ACK packet and the connection is complete, after which client and server exchange data.

Figure 30 - Illustration of a SYN flood attack

After step two the server has to wait for the ACK from the client, and it spends resources on this until it receives the ACK or a timeout expires. A SYN flood exploits this by sending a continuous stream of TCP SYN connection requests to the server and then never returning the ACK. When the number of requests grows large enough, the server eventually becomes overloaded and can no longer serve other connections, which is the denial of service. An attacker can produce a SYN flood in two ways: either by skipping the last step, that is, not sending the ACK packet back to the server, or by forging the source IP address in the SYN packet so that the server sends its SYN-ACK to the wrong address and therefore never receives an ACK in reply.

Land attack

A Land attack is similar to a SYN flood, but the attacker uses the target's own IP address as the source address in the packet, pushing the target into an endless loop as it tries to set up a connection with itself.

UDP flood

The attacker sends UDP echo packets whose source address is the loopback port of the target itself or of another machine on the same network. The aim is to use the UDP echo port (port 7) to set up an exchange of echo packets between two machines (or between the target and itself, if its loopback port is configured), so that the two machines gradually exhaust their bandwidth and obstruct the sharing of network resources by the other machines on the network.

Teardrop attack

In a packet-switched network, data is split into many small packets, each with its own offset value, and the packets may travel to the destination over different paths. At the destination the data is reassembled in its original order using the offset value of each packet. Exploiting this, the attacker can create many packets with overlapping offset values and send them to the target. The target cannot order these packets, exhausts its processing capacity and hangs.
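The resource a SYN flood exhausts is the table of connections stuck after step two of the handshake, so a defender watching traffic in front of a server can measure the flood directly by counting them. This added example (not code from the thesis) replays constructed client-side TCP segments through a half-open connection tracker; both flood variants described above look the same to it, since in each case the ACK never arrives. The addresses, the handshake timeout and the backlog limit are constructed values.

```python
"""Track half-open TCP connections, the resource a SYN flood exhausts.
Added example, not code from the thesis: it replays constructed client-side
segments seen in front of one server and keeps, per server port, the
connections stuck after step two (SYN-ACK sent, ACK never received).
Addresses, timeout and backlog limit are constructed values."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HANDSHAKE_TIMEOUT = 3.0   # seconds the server keeps a SYN-ACK before giving up
HALF_OPEN_LIMIT = 4       # backlog of the constructed server

Key = Tuple[str, int, int]  # (client address, client port, server port)


@dataclass
class Segment:
    ts: float
    src: str
    sport: int
    dport: int
    flags: str  # "S" = client SYN (step 1), "A" = client ACK (step 3)


@dataclass
class HalfOpenTracker:
    half_open: Dict[Key, float] = field(default_factory=dict)  # key -> time of SYN
    completed: int = 0
    expired: int = 0
    alerts: List[str] = field(default_factory=list)

    def expire(self, now: float) -> None:
        """Drop entries whose SYN-ACK has gone unanswered past the timeout."""
        stale = [k for k, t in self.half_open.items() if now - t > HANDSHAKE_TIMEOUT]
        for k in stale:
            del self.half_open[k]
        self.expired += len(stale)

    def backlog(self, dport: int) -> int:
        return sum(1 for k in self.half_open if k[2] == dport)

    def observe(self, seg: Segment) -> None:
        self.expire(seg.ts)
        key = (seg.src, seg.sport, seg.dport)
        if seg.flags == "S":
            self.half_open[key] = seg.ts      # server would now answer SYN-ACK
        elif seg.flags == "A" and key in self.half_open:
            del self.half_open[key]           # third step: connection established
            self.completed += 1
        backlog = self.backlog(seg.dport)
        if backlog > HALF_OPEN_LIMIT:
            self.alerts.append(f"t={seg.ts:.1f}s port {seg.dport}: {backlog} half-open")


def run_sample() -> HalfOpenTracker:
    """One legitimate handshake, a burst of SYNs from spoofed sources that never
    complete, then a legitimate client once the stale entries have timed out."""
    segs = [Segment(0.0, "192.0.2.10", 40000, 80, "S"),
            Segment(0.1, "192.0.2.10", 40000, 80, "A")]
    segs += [Segment(1.0 + 0.1 * i, f"203.0.113.{i + 1}", 50000 + i, 80, "S")
             for i in range(6)]
    segs += [Segment(5.0, "192.0.2.10", 40001, 80, "S"),
             Segment(5.1, "192.0.2.10", 40001, 80, "A")]
    tracker = HalfOpenTracker()
    for seg in segs:
        tracker.observe(seg)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    print(f"completed={t.completed} expired={t.expired}")
    print("\n".join(t.alerts))
```

Two alerts fire while the backlog sits above the limit; once the timeout has passed, the six spoofed entries expire and the next legitimate handshake completes normally.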

APPENDIX D
Classification of security vulnerabilities

Various organisations have classified the different kinds of vulnerability. According to the classification used by the US Department of Defense, the vulnerabilities in a system are divided as follows:

Class C vulnerabilities allow attacks of the DoS (Denial of Service) type. The danger level is low: only the quality of service is affected; the system may be slowed down or interrupted, but data is not destroyed and no illegitimate access is gained.

Class B vulnerabilities allow a user to obtain additional rights on the system without passing a validity check. The danger level is medium; these vulnerabilities are usually found in the applications on the system and may lead to loss or disclosure of information that needs to be kept confidential.

Class A vulnerabilities allow an outside user to gain illegitimate access to the system. They are very dangerous and can destroy the whole system.

A number of vulnerabilities commonly found in networks and systems are analysed below.

Class C vulnerabilities

These vulnerabilities allow DoS attacks. DoS is a form of attack that uses the Internet-layer protocols of the TCP/IP suite to stall a system, so that legitimate users are refused access to it or use of it. A large number of packets is sent to the server over a sustained period, overloading the system; the server then responds slowly or not at all to client requests. Services containing vulnerabilities that allow DoS attacks can be upgraded or fixed with newer versions from their vendors. There is currently no comprehensive solution for this class, because the design of the Internet layer protocol (IP) in particular, and of the TCP/IP suite in general, carries the latent risk of these vulnerabilities. Nevertheless their danger is rated class C, low, because they only interrupt the system's services for a time without endangering data, and the attacker gains no illegitimate access to the system.

Another common class C vulnerability consists of service weaknesses that allow an attack to stall an end user's system, chiefly through the web service. Suppose a web server hosts pages containing Java or JavaScript code that hangs the system of a user running the Netscape web browser, by the following steps: the code detects whether the browser is Netscape; if so, it starts an endless loop that spawns countless windows, each connecting to a different web server. This simple attack can hang the system; it is also a form of DoS, and the user can only restart the system.

Another class C vulnerability often found in mail systems is the lack of anti-relay mechanisms, which allows spam mail to be sent. As is well known, e-mail works by store and forward; some mail systems do not authenticate users when they send mail, so attackers abuse these mail servers to send spam. Spam mail here means paralysing the system's mail service by sending a large number of messages to unknown addresses, because the mail server keeps spending resources looking up addresses that do not exist, until the service stalls. The messages can be generated by mail-bombing programs, which are very common on the Internet.

Class B vulnerabilities

These vulnerabilities are more dangerous than class C: they allow an internal user to obtain higher privileges or illegitimate access. They usually appear in the services on the system. A local user is understood to be someone who already has access to the system with certain limited rights. Some class B vulnerabilities common in applications are analysed below.

Sendmail

Sendmail is a very widely used program on UNIX systems for delivering e-mail to users within the network. Normally sendmail is a daemon running in the background, started at system boot. While running, sendmail listens on port 25 and, on an incoming request, sends or relays the mail. When started, sendmail runs as root or with equivalent rights (because it creates files and writes log files). Taking advantage of this, together with a number of vulnerabilities in sendmail's code, attackers have been able to use sendmail to gain root on the system.

To deal with sendmail flaws, one should follow the security newsgroups: sendmail has quite a few bugs, but it also has many users, so its vulnerabilities are usually discovered and fixed quickly. When a vulnerability is found in sendmail, the version in use must be upgraded or replaced.

A range of other issues with program execution rights on UNIX also commonly produce class B vulnerabilities, since on UNIX a program can be executed in two ways: by the owner of the program running it, or by someone carrying the rights of the file's owner.

Other class B vulnerabilities

Another form of class B vulnerability occurs in programs whose source code is written in C. C programs typically use a buffer, a region of memory that holds data before it is processed, and programmers normally set up the buffer before assigning memory space to each block of data. For example, a programmer writes a program that reads a user-name field and specifies that the field is 20 characters long, so they declare:

char first_name[20];

This declaration lets the user enter at most 20 characters. When data is entered it is first stored in the buffer; if the user enters 35 characters, the buffer overflows and the 15 extra characters end up at an uncontrolled location in memory. An attacker can take advantage of this vulnerability to enter special characters that execute particular commands on the system. This vulnerability is usually exploited by users already on the system to obtain root rights illegitimately. Strict control of the system configuration and of the programs on it limits class B vulnerabilities.

Class A vulnerabilities

Class A vulnerabilities are very dangerous: they threaten the integrity and confidentiality of the system. They usually appear on systems that are poorly administered or whose network configuration is not under control. A common example is found on many systems running the Apache web server, where the default directory for running scripts is cgi-bin; it contains a ready-made script for testing Apache, test-cgi. In old versions of Apache (before version 1.1) the test-cgi file contained the line:

echo QUERY_STRING = $QUERY_STRING

Because the QUERY_STRING environment variable is not enclosed in double quotes, when a client sends a request whose query string contains certain special characters, for example "*", the web server returns the contents of the whole current directory (the directories holding the CGI scripts). The user can thus see the entire contents of the files in the current directory on the server. A similar example occurs with web servers running on the Novell operating system: they include a script, convert.bas, and running it allows the contents of every file on the system to be read. Vulnerabilities of this kind are extremely dangerous because they are present in the software as shipped; an administrator without a deep understanding of the service and software in use may overlook these weaknesses. On old systems, the advisories of the security newsgroups on the net must be checked regularly to detect vulnerabilities of this class. A range of commonly used older programs have had class A vulnerabilities, such as FTP, Gopher, Telnet, Sendmail, ARP and finger.

APPENDIX E
Overview of the current state of VNUnet

Organisational model

Vietnam National University, Hanoi (ĐHQGHN) comprises 28 units in total, with 2,503 staff and 23,628 full-time students and postgraduates (26,131 staff, students and postgraduates in full-time programmes) plus 26,000 part-time students. Almost 100% of staff have a computer for their work. There are about 1,500 computers in the laboratories and practice rooms used for teaching and in the dormitories, for a total of about 4,000 computers connected to VNUnet. An estimated 20% of students have a computer at home; the number of students with mobile computing devices is still very low, about 2%, and mobile devices cannot yet connect to VNUnet wirelessly.

Communications infrastructure of VNUnet

Optical fibre: links currently run from the central point to
o the units at 144 Xuân Thủy: the ĐHQGHN head office, the University of Languages (ĐHNN), the University of Engineering and Technology (ĐHCN), the University of Economics (ĐHKT), the School of Business, and the Library and Information Centre;
o the units at 334-336 Nguyễn Trãi: the University of Science (ĐHKHTN) and the University of Social Sciences and Humanities (ĐHKHXH-NV);
o the Mễ Trì dormitory.
Extending this fibre system is a network of copper links reaching almost all ĐHQGHN units. Four sites (five units) are not yet connected to VNUnet:
o 19 Lê Thánh Tông: the Faculty of Chemistry;
o 16 Hàng Chuối: the Publishing House and the Printing House;
o the International School;
o the Hòa Lạc project management board, at Hòa Lạc.
External links:
o a 10 Mbps leased line to Viettel for the Internet;
o a 100 Mbps leased line to Netnam into VINAren, the Vietnamese research and education network, and through it to TEIN2 and APAN;
o a leased line to the government administrative network (not yet in operation).

Network equipment

At the VNUnet central point there are
o a Cisco 2800 router;
o a central Catalyst 4507 switch (2005) with 8 optical ports and 48 Gigabit Ethernet RJ45 ports;
o segment switches: four Catalyst 2950 (2003) and two Catalyst 1900 (2001);
o a Cisco PIX 515e firewall (2001, broken).

Network architecture
o The communications system is built on an Ethernet architecture; each member or affiliated unit is one subnet/VLAN using private IP address space (10.0.0.0 and 172.16.0.0). External connectivity for the domains vnu.edu.vn and vnu.vn goes through a limited allocation of public IPs (32 addresses).
o Within the member and affiliated units, subnet/VLAN segmentation has been done only at ĐHCN and not at any of the other units, so every unit, large or small, is a single broadcast domain with a very high share of broadcast packets and a very low share of useful traffic (only around 30%). Furthermore, the quality of the cabling work and of connection management at both the logical and physical levels has received no attention, so the real error rate is very high; this seriously degrades the performance of the system and wastes a good part of ĐHQGHN's investment. Some units have set up their own external connections over ADSL and host their websites outside.

[Diagram for Figure 31: Internet, TEIN2/VINAren and CPNET uplinks into a Router 3600 and the central Catalyst 4507; a proxy and the web and mail servers in 203.113.130.192/27; a Catalyst 2950 and fibre links to the units on 172.16.0.0/16, 10.1.0.0/16 and 10.10.0.0/16 (the University of Economics, the Faculty of Law, the Institute of Biotechnology, TTPT, the Faculties of Education and Biology, the distance education centre, the University of Languages, the Institute of IT, the School of Business, the ĐHQGHN office and the Library and Information Centre)]
Figure 31 - Logical connection diagram

Servers and services

There are currently 15 servers, 12 of them acquired in 2004 (one with 2 GB and 11 with 1 GB of RAM) and the rest dating from 2000. Disk storage is very limited: only one server has a 150 GB disk, the others at most 80 GB. VNU currently provides the following services:
- Internet access accounts for about 3,000 ĐHQGHN staff and lecturers.
- E-mail for ĐHQGHN staff and lecturers, with very limited mailbox capacity, only 10 MB per account.
- An electronic document service for the ĐHQGHN head office.
- Technical upkeep of the ĐHQGHN website and the websites of three affiliated faculties: the Graduate School, the Faculty of Education and the International School.

From the above figures, ĐHQGHN can be seen to be a medium-sized university organisation made up of many member and affiliated units, with several campuses spread over a fairly wide area of inner Hà Nội. One of its strengths, and a criterion for its development, is the establishment of new mechanisms for pooling and effectively sharing knowledge, people and other resources across the member and affiliated units. VNUnet is important within ĐHQGHN as the indispensable ICT solution not only for organising the pooling and sharing of resources in the ĐHQGHN environment but also for providing ĐHQGHN's useful services to the member and affiliated units; it is one expression of the role and significance of the ĐHQGHN model.

Current state of the CTNet network

The University of Engineering and Technology currently operates on a wide footprint of four sites 3 to 5 km apart, of which 144 Xuân Thủy is the main site; another site 5 km away holds the students' practice rooms and Internet access rooms. The plan of the main site, with buildings E3, E4, G2, G3, G2B, G5 and G6, is shown in the figure. In 2007, with ĐHQGHN's permission, ĐHCN began adding floors to building G2 to gain a further 1,000 m2 of space and gradually move students to the 144 Xuân Thủy area, giving priority to the high-quality programmes and the international-standard programmes.

Organisational model
[Diagram for Figure 32: Internet and VNUnet behind a router, the member universities and affiliated ĐHQG units, a switch, and the offices and computer rooms in buildings E3, E4 and G2 forming the ĐHCN network segment]

Figure 32 - Organisational model

The system has one central Catalyst 6509 switch located in the computer centre on the first floor of building G2B. From there UTP cables run to wall plates in each room (of the former Faculty of Technology; when ĐHCN was established these rooms changed design and occupants, and the resulting adjustments and extra connections have not been managed). The connection from each room to the computers goes through hubs.

Servers and system services

There are four servers, configured as follows:
- Web server: 1 P4 CPU, 1 GB RAM, two 36 GB disks (located in the administration office, HCQT).
- User management server: 1 P4 CPU, 1 GB RAM, one 36 GB disk.
- File server: 1 P4 CPU, 512 MB RAM, three 36 GB disks.
- Utility server: 1 P4 CPU, 512 MB RAM, one 36 GB disk.

System services

The system currently provides only minimal services, including course websites and electronic materials from MIT and other providers. A file service was intended for students but is ineffective because disk capacity is far too limited.

Remarks

VNUnet and CTNet have a fairly good transmission system: strong external connectivity, and an internal network covering all three main areas. Limitations:
o The external Internet connection is a single link with no redundancy; whenever the line fails, communication with the outside is cut.
o Private address space is used behind a proxy device. The security and safety system is very weak.
o Four sites are still not connected to VNUnet, two of which, 19 Lê Thánh Tông and the International School, need early attention.
o Speeds on the fibre trunks are mostly limited to 100 Mbps in a single-path, half-duplex layout, so connectivity is not guaranteed when a fault occurs.
o The network's tiered architecture is still simple and unstable, reducing network performance, wasting much of ĐHQGHN's investment in resources, frustrating users and encouraging units to set up scattered external connections and host their websites outside.
The servers are not few in number, but their technical configuration, and storage capacity in particular, is far too limited and too weak to deploy services across the whole of ĐHQGHN. The range of services is very poor.

Development goals for the VNUnet and CTNet networks

The VNUnet and CTNet development plan sets out the following goals:
- Multi-service integration: data (web 2.0, WAP, mail, SMS, MMS, eDocument, ...), voice, DVD video, ...
- Online applications and online community sharing services directly serving management, research and teaching.
- Lower investment costs and greater efficiency in the use of individual and shared resources across the whole system.
- Full provision of electronic materials and journals according to user needs.
- A strong data centre.
- A fibre backbone with 10 Gbps bandwidth and 1 Gbps to the end user.
- Wireless connectivity for mobile devices covering all ĐHQGHN work and study areas, including the dormitories.
- Widespread video conferencing for distance teaching and receiving remote lectures.
- Stable, high-speed external connectivity over several paths (leased line, satellite), giving access to external resources as quickly as on a virtual desktop.
- A backup solution for the whole system and an effective electrical safety solution.
- Professional management and monitoring so that the network runs smoothly, stably and efficiently.
- A security solution against intrusion, sabotage and unauthorised access.
- Remote access to the internal network for staff and lecturers.

