
OPERATIONS AND SYSTEMS ADMINISTRATION DEPARTMENT

SourceFire IPS/IDS DESIGN DOCUMENT

[SourceFire IPS/IDS design document] Aug 1, 2010

CHANGE TRACKING TABLE
Version: 2.0
Update date: Sep 2012
Updated by: Hong Tun t
Note: Second Release.


Table of contents
I Preface
  I.1 Purpose of the document
  I.2 Scope of the document
II Design objectives
  II.1 Feature design
  II.2 Design to meet the technical requirements
III IPS/IDS system design
  III.1 Requirements
IV The SourceFire IPS/IDS solution
  IV.1 Typical SourceFire IPS/IDS deployment model
  IV.2 Operating principle
  IV.3 General principles
    IV.3.1 Administration principles
    IV.3.2 Report generation principles
    IV.3.3 Principles for integrating the IPS/IDS system into the running system
V SourceFire IPS/IDS deployment model for COMPANY AAA
  V.1 Logical model of centrally managed SourceFire
  V.2 Physical model of centrally managed SourceFire
  V.3 IPS deployment model
  V.4 IDS deployment model for the ServerFarm
  V.5 Logical model of the SourceFire 3D2100 appliance
  V.6 Logical model of the SourceFire 3D2500 appliance
  V.7 Rack installation diagram
VI Detailed design of report generation
  VI.1 Report classification
  VI.2 Content of an Intrusion Event
  VI.3 Creating reports for the network zones to be monitored
  VI.4 Searching Events by severity
  VI.5 Intrusion Reports to be created
VII Appendix
  VII.1 Table of terms and abbreviations used in the document


List of tables and figures
Figure 1: Typical SourceFire IPS/IDS deployment model
Figure 2: Component diagram & operating principle
Figure 3: Logical model of centralized management
Figure 4: Physical model of centralized management
Figure 5: IPS deployment model for the whole DMZ zone
Figure 6: IPS deployment model for the Securities DMZ VLAN
Figure 7: IDS deployment model
Figure 8: Logical model of the SourceFire 3D2100
Figure 9: Logical model of the SourceFire 3D2500
Figure 10: Rack installation position diagram


I Preface

I.1 Purpose of the document

The SourceFire IPS (Intrusion Prevention System) / IDS (Intrusion Detection System) design document is the detailed design, from the logical diagram down to the physical cabling diagram, of the IPS appliances for the DMZ zone and the IDS appliances for the ServerFarm zone of the COMPANY AAA Group. The design describes in detail the increasingly numerous and complex security threats aimed at today's network systems, and the method for raising and strengthening the security of the Group's network systems using IPS and IDS technologies.

I.2 Scope of the document

The document applies to the Internet DMZ Module, ServerFarm Module and Management Module partitions.

II Design objectives

II.1 Feature design
- The IPS system is designed to detect and prevent attacks and latent information-security threats coming from outside into the DMZ zone or the Securities DMZ VLAN.
- The IDS system is designed to detect and raise alerts on attacks, security vulnerabilities and information-security threats for the ServerFarm zones.
- The RNA feature complements IPS/IDS by providing a Network profile (OS, Services, Open Ports, Vulnerability, Host static). Combined with IPS/IDS, it is used to configure and tune Rules automatically.
- The RUA feature allows Events to be stored together with the User element. However, the COMPANY AAA network has not yet completed its Active Directory deployment, so this feature is not used for now.

II.2 Design to meet the technical requirements
- System availability.
- System scalability.
- High-performance operation.
- System security.
- System manageability.

III IPS/IDS system design


III.1 Requirements

Functional requirements (No. | Feature | Description):

1. IPS for the DMZ zone or the Securities DMZ VLAN
- Detect attacks from outside such as Worms, Trojans, Buffer overflows, DoS attacks, Backdoor attacks, Spyware, Port scans, VoIP attacks, IPv6 attacks, Statistical anomalies, Protocol anomalies, P2P attacks, Blended threats and Zero-day attacks against the service servers in the DMZ zone or the Securities DMZ VLAN, ensuring the DMZ servers are protected.
- Block attacks using the recommended rules, rules tuned automatically with RNA recommended rules, or rules adjusted manually according to the services.
- Produce reports on attacks and security vulnerabilities aimed at the DMZ servers and the Securities DMZ VLAN.

2. IDS for the ServerFarm zone
- Detect and report attacks, security threats and vulnerabilities of the servers and services in the ServerFarm zone.
- Detect attacks and security threats originating from users in the zone.
- If an attack on a critical ServerFarm server occurs, the IPS feature can be enabled on the appliance to protect the server and block the attack.

3. RNA combined with IPS/IDS
- RNA helps detect network security exposures such as OS, Services, Open Ports, Vulnerability and Host static.
- RNA combined with IPS/IDS automatically activates/disables the rules needed to protect the network. In the COMPANY AAA network model the RNA feature comes by default with IPS/IDS.
- The Passive Scan feature lets RNA discover the network without affecting it.

4. RUA
- Combined with an LDAP database to identify user information.

Technical requirements (No. | Feature | Description):

1. System availability
- The IPS is deployed in inline fail-open mode: on an appliance fault or power failure the appliance automatically bypasses traffic, so traffic is not interrupted.
- The IDS is deployed out-of-path, using SPAN ports on the switches and routers carrying the traffic to be monitored, so network operation is not affected.

2. System scalability
- The DC1000 central management appliance can manage up to 25 sensors; the COMPANY AAA network currently has only 3 sensors (01 3D2500 & 02 3D2100).
- The 3D2100 has 4 sensing interfaces and can monitor up to 4 network zones.
- The 3D2500 has 8 sensing interfaces and can monitor up to 8 network zones.
- With SPAN port configuration, the VLAN or VLAN range to be monitored can be selected, ensuring the system can be upgraded and expanded.

3. High-performance operation
- The 3D2500 is deployed in inline fail-open mode, processing and analysing packets with a delay of < 1 ms and a throughput of up to 500 Mbps.
- The 3D2100 is deployed with SPAN ports and supports a throughput of up to 250 Mbps.
- The DC1000 can store 10 million events.

4. System security
- IPS/IDS is the leading solution for today's network security problem.
- The appliances are configured to update security vulnerability information and tune rules automatically, ready to detect and prevent new attacks.

5. System manageability
- Management and hierarchical delegation of administrative rights are supported, for flexible administration.


IV The SourceFire IPS/IDS solution

IV.1 Typical SourceFire IPS/IDS deployment model

Figure 1: Typical SourceFire IPS/IDS deployment model


In the Perimeter zone, the SourceFire sensor is deployed as an inline IPS to detect and prevent attacks from the Internet into the Intranet and the DMZ service server zone.

In the Core zone, the SourceFire sensor is deployed as an out-of-path IDS: the switches and routers push the traffic to be monitored to the sensor, which analyses it and detects attacks.

In the critical Internal Zone, the SourceFire sensor is deployed as an inline IPS in front of the critical server zone to be protected; in addition, an out-of-path IDS can be deployed in network zones that need monitoring and attack detection, such as wireless.

The SourceFire sensor is deployed with the following modes:
o Passive: in passive mode the sensor acts as an IDS.
o Inline: in inline mode the sensor acts as an IPS, but on a failure such as loss of power the sensor drops packets.
o Inline fail-open: in inline fail-open mode the sensor acts as an IPS, and on a failure such as loss of power traffic is bypassed through the appliance. When the 3D2100 & 3D2500 sensor models fail open, the sensor behaves as a straight-through device (a straight cable). Cabling a sensor in inline fail-open mode is done so that the network is connected normally, as if the sensor were not there.

A SourceFire IDS sensor deployed out-of-path can use the following kinds of connection:
o Hub: traffic passing through a hub is broadcast on all connected interfaces, which is easy to deploy. The drawback is that a hub creates a collision domain in the network.
o SPAN port: network devices such as switches and routers that support a SPAN port allow traffic on other ports or VLANs to be mirrored to the SPAN port. The sensor is connected to the zones to be monitored through these SPAN ports. Drawback: depending on the capability of the network device (switch, router) supporting SPAN configuration, the traffic mirrored through the SPAN port cannot exceed the capacity of the SPAN port (the bandwidth the device's SPAN port can support).
o Network tap: like a hub, a network tap allows passive monitoring of network segments. Drawback: additional equipment must be purchased.

Based on the features of the SourceFire sensor and the deployment model, the SourceFire IPS/IDS deployment for COMPANY AAA is carried out as follows:
o Deploy IPS in inline fail-open mode for the DMZ zone or the Securities DMZ VLAN.
o Deploy IDS out-of-path using SPAN ports on the switches for the ServerFarm zone. Because the sensor supports only 250 Mbps, and because of the bandwidth available for SPAN configuration on the switches, the IDS sensor deployment for the ServerFarm zone (which has 10G & 1G links) is applied only to the important VLANs.

IV.2 Operating principle

Figure 2: Component diagram & operating principle

The operating principle and components of the SourceFire sensor appliance are explained through the following example. The SourceFire 3D2500 sensor has 8 Ethernet ports used for sensing:
- Interface Sets: these ports are grouped into different Interface Sets; in the figure, 3 Interface Sets are created. An Interface Set is created in one of two modes, Passive or Inline (Inline, and Inline with Fail Open).
- Detection Engine: performs monitoring on the Interface Sets; in the figure, two Detection Engines are created and monitor the Interface Sets.
- Intrusion Policy: the policy applied to a Detection Engine (for example, which Rules are enabled and what action is taken on an attack); in the figure, two Intrusion Policies are created and applied to the two Detection Engines.


When a packet is captured by the Sourcefire appliance, it is processed as follows:
- The packet is decoded by the Sourcefire Decoders.
- The packet is then passed to the Preprocessors.
- The packet is compared against the Rule set in use.
- This process produces a database of Events.
- The Events can be filtered into different Event types.
- Further tasks are carried out based on the Events generated.


Understanding the network traffic analysis process

An Event has the following content:

Note: the Impact Flag is a feature combining IPS and RNA that rates the risk level of an attack. The most dangerous level is Flag 1, followed by 2, 3 and 4; the least risky level is Flag 0.

Packet processing and Decoding


This process decodes the packet starting from Layer 2.

After decoding, the Sourcefire appliance continues with the Preprocessors and the comparison against the Rule set.


Events are generated from these processes.

IV.3 General principles

IV.3.1 Administration principles
- Administration through the Web interface (HTTPS) allows configuration and viewing of status, logs and reports.
- Administration through the Console (SSH) allows some incidents to be resolved and deep settings in the Sourcefire OS to be made.
- SNMP is supported.
- User root: the highest-privilege user in the Sourcefire operating system; it is only allowed on the Console, to resolve some system errors.
- User admin: the highest-privilege user in the Web interface, with all the configuration rights Sourcefire supports on the Web.
- Other users: can be assigned to permission groups.
- It is proposed that the top-level device administrator manages the root and admin users. Staff who manage a network zone and want to view Reports and device status use ordinary users created when the device is configured.

IV.3.2 Report generation principles
Report types:
+ Intrusion Report: reports on intrusions, attacks and illegitimate communications.
+ RNA Report: reports on the Network Profile: host status, Active Hosts, Open Ports, Vulnerability.
+ Log Event: Events related to administration.
+ Dashboard: real-time monitoring of the appliance and of the Sourcefire-related Events over a given period of time.
How reports are created:
+ Reports are created from the Detection Engines of the Sourcefire Sensors.
+ The Intrusion and RNA reports by default allow users to access the appliance and produce reports.
+ The design and creation of new reports is described in more detail in the detailed design section.

IV.3.3 Principles for integrating the IPS/IDS system into the running system
- Integrating the Sourcefire appliances into the Management zone: create a new VLAN in the Management zone with Internet access, and connect the management ports of the Sourcefire appliances to the allocated ports.
- Integrating the IDS feature into the Server Farm and User zones: because the IDS feature does not disrupt the system, it can be deployed after working hours. Connect the sensing ports of the Sourcefire 3D Sensors to the allocated ports on the Cisco devices, and configure SPAN ports for those ports on the Cisco devices; the traffic flows are pushed through these ports.
- Integrating the IPS feature: because the IPS feature can disrupt the system, integration must follow these steps:
+ Configure the appliance first.
+ Power on the appliance and run it on trial in the system.
+ Send an official notice that the system may be interrupted for a period of 30 while the appliance is integrated into the system and checked for errors during operation.


V SourceFire IPS/IDS deployment model for COMPANY AAA

V.1 Overall model

Figure 3: Overall model (components shown: RSA server, ACS, Aggregation Switch (Ca3750G), Aggregation Switch (Ca3750-E), LMS3.1, DC1000, DMZ Module, IDS, IPS, DNS, INTERNET, ISP1, ISP2, Router_02 (R3845), BIG-IP 3400)


V.2 Logical model of centrally managed SourceFire

Figure 4: Logical model of centralized management (shown: SourceFire DC1000 on Management VLAN Mgt_VLAN215 10.29.115.0/24; SourceFire 3D2500 Sensor as the IPS sensor for the DMZ; SourceFire 3D2100 Sensors IDS01 and IDS02 for the ServerFarm)


V.3 Physical model of centrally managed SourceFire

Figure 5: Physical model of centralized management (shown: Management Module with VLAN Mgt_VLAN215 10.29.115.0/24; the eth0 management interface of the SourceFire DC1000, of the IPS sensor in the DMZ Module, and of the IDS01 and IDS02 sensors in the Server Farm Module)

V.4 IPS deployment model

For the current Sourcefire deployment at COMPANY AAA there are two possible cases when deploying the IPS feature with the Sourcefire 3D2500 appliance for the DMZ zone.

Case 1: Deploy IPS for the whole DMZ zone


Figure 6: IPS deployment model for the whole DMZ zone (shown: External DMZ Module with DMZ.SW01, DMZ.SW02, ASA FW01 and ASA FW02; IPS sensor; Internal DMZ Module with DMZ01.SW01 and DMZ01.SW02)


Case 2: Deploy IPS for one VLAN of COMPANY AAA Securities

Figure 7: IPS deployment model for the Securities DMZ VLAN (shown: ASA FW01, ASA FW02, DMZ.SW01, DMZ.SW02, Sw.BVSC, IPS sensor)

The choice of deployment model depends on several factors:
- Model 1:
o The scope of impact of the deployment extends to the whole DMZ zone.
o The bandwidth affecting appliance performance comes from the DMZ zones to the Internet, the Server Farm and the other network zones.
- Model 2:
o The 3D2500 appliance belongs to the COMPANY AAASC project; choosing model 2 keeps management matters separate.
o The scope of impact of the deployment is limited to the servers in the Securities VLAN.
o The bandwidth affecting appliance performance is not large.
o The deployment affects the HA model designed for the Securities DMZ.

Deploying IPS for the COMPANY AAA DMZ zone protects the DMZ servers by:
- Detecting and preventing attacks on the service servers in the DMZ zone.
- Producing reports on attacks from outside on the Group's public service servers.
- Producing reports on vulnerabilities and information-security risks on the DMZ servers.

V.5 IDS deployment model for the ServerFarm

The IDS deployment consists of 2 3D2100 sensors; SPAN ports are configured on the switches and routers to mirror the traffic of the important ServerFarm VLANs to be monitored to the 2 sensors.


Figure 8: IDS deployment model (shown: IDS01 sensor and IDS02 sensor, each with interfaces eth1 to eth4, an IDS engine and an IPS engine; aggregation switches Sw-SFAgg01 and Sw-SFAgg02 (Cat6513) with ports T12/1 to T12/4, G7/1 and G7/2 and the Span ports; access switches Sw-SFAcc01.1, Sw-SFAcc01.2, Sw-SFAcc02.1 and Sw-SFAcc02.2 (3750E, StackWise) with ports T1/1/1 and T1/1/2)

In normal operation, all interface sets & detection engines are set to IDS mode, monitoring network activity and producing reports on the network security situation. In an emergency, when an attack on a critical server occurs, an unused interface pair & detection engine can be configured into IPS mode to prevent the attack and protect the server.


V.6 Logical model of the SourceFire 3D2100 appliance

Figure 9: Logical model of the SourceFire 3D2100 (shown: 3D2100 sensor with an IPS Detection Engine on fail-open Inline Interface sets, an IDS on a Passive IDS interface set, and an RNA Detection Engine)

V.7 Logical model of the SourceFire 3D2500 appliance

Figure 10: Logical model of the SourceFire 3D2500 (shown: 3D2500 sensor with an IPS Detection Engine and an RNA Detection Engine on fail-open Inline Interface sets)


V.8 Rack installation diagram

- The SourceFire DC1000 appliance is installed in rack C1, position U33.
- The SourceFire 3D2100 Sensor IDS01 is installed in rack A1, position U36.
- The SourceFire 3D2100 Sensor IDS02 is installed in rack A2, position U36.
- The SourceFire 3D2500 Sensor IPS is installed in rack A1, position U40.


Figure 11: Rack installation position diagram


VI Detailed design of report generation

VI.1 Report classification
- Overall report on the security situation and attacks across the whole network or per network zone, by VLAN or by IP range. The overall report is intended for management levels, giving them an overview of the network security situation.
- Detailed report on attacks and vulnerabilities per network zone, by VLAN or by IP range. This report lists details according to the templates recommended by SourceFire, including the source and destination IP, the source and destination port/service, the severity, and information about the attacks. This report is intended for the network administrators and the application administrators on the servers, so that they can set policies to prevent attacks.

VI.2 Content of an Intrusion Event


Note: the Impact Flag is a feature combining IPS and RNA that rates the risk level of an attack. The most dangerous level is Flag 1, followed by 2, 3 and 4; the least risky level is Flag 0.

VI.3 Creating reports for the network zones to be monitored

When searching Intrusion Events, Sourcefire allows searching on every field of the Event content and on many other options. Create an Intrusion Event Search named "Report 10.36.8.0/24", set the options Source IP: 10.36.8.0/24 and Destination IP: 10.36.8.0/24, then save it as a Search Template. Afterwards, a report can be exported from "Report 10.36.8.0/24" for a given time range.

Search options from a Search Template: once a Search Template has been created, a Report can be created from it (note that Sourcefire ships with a set of ready-made Search Templates):
Report Information
Step 1: Name the Report.
Step 2: Report Category: IPS (or RNA, RUA); for Intrusion Events it is IPS.
Step 3: Detection Engine: which Detection Engine the Events are taken from.
Step 4: Search Query: the Search Template created earlier or one of the built-in Search Templates.
Step 5: Workflow: the default, Event-Specific.
Report Sections
Step 6: Time: the time range the Report covers.
Step 7: Add Summary Report, choosing Detail.
Report Options
Step 8: Choose the output file format.
Step 9: Generate Report.


VI.4 Searching Events by severity

High-severity Events must be looked at first, because those attacks may actually occur. An Event is high-severity when its Priority is High and its Impact Flag is Red, Orange, Yellow or Blue; these need priority attention.
Step 1: Create a Search Template with Priority High and Impact Flag Red, Orange, Yellow, Blue.
Step 2: Create a Report over the time range of interest.

When the number of Events exceeds the appliance limit (the Sourcefire DC1000 can store 10,000,000 Events), Events are deleted automatically on a First-In-First-Out (FIFO) basis. This can be monitored; when there are many old Events that are no longer important, they can be deleted manually.


VI.5 Intrusion Reports to be created

No. | Report | Network zone applied | Content of the Report | Analyst | Time range / frequency

1. Overall
- Network zone applied: (1) all monitored network zones; (2) Server Farm; (3) DMZ.
- Content: (1) all Events from all network zones at all severity levels, over a given period of time; (2) all Events from the Server Farm zone; (3) all Events from the DMZ zone; (4) all Events from the User zone.
- Analyst: (1) the IT manager and the security officer analyse; (2) the IT manager of the Server Farm zone and the security officer; (3) the IT manager of the DMZ zone and the security officer; (4) the person in charge of IT for the User zone and the security officer.
- Frequency: once a week, and when a security incident occurs.

2. High severity
- Network zone applied: (5) all monitored network zones; (6) Server Farm; (7) DMZ.
- Content: (5) all Events alerting on dangerous attacks (Priority High, Impact Flag 1-4) from all network zones, over a given period of time; (6) all Events alerting on dangerous attacks from the Server Farm zone; (7) all Events alerting on dangerous attacks from the DMZ zone; (8) all Events alerting on dangerous attacks from the User zone.
- Analyst: (5) the IT manager and the security officer analyse; (6) the IT manager of the Server Farm zone and the security officer; (7) the IT manager of the DMZ zone and the security officer; (8) the person in charge of IT for the User zone and the security officer.
- Frequency: once a day; immediately create a Report (5), (6), (7), (8) and analyse the attacked target.

3. Detail
- Network zone applied: all VLANs of the Server Farm zone; all VLANs of the DMZ zone.
- Content: one Report Template is created per VLAN, recording all Events from that zone.
- Analyst: the Reports from the VLANs are sent once a week directly to the administrator of that VLAN, the server manager in that zone and the security officer. When an attack or incident occurs, the VLAN Reports are analysed by the IT manager, the security officer, and the administrators of the attacked servers and services, to analyse the attack.
- Frequency: immediately create a Report from the VLAN affected.

Content of a Report


Alert
- For extremely dangerous attacks (Priority High and Impact Flag 1), mail is sent directly to the administrator.
- The detailed steps are described in the deployment document.
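The zone Search Template of VI.3, the high-severity template and FIFO retention of VI.4, and the Alert rule above, worked through in Python as an added example (this is not Sourcefire's code). The event fields, the colour-to-number mapping of the Impact Flag, the small store capacity and the sample events are all constructed for the illustration; the zone template assumes that an event with its source or its destination in the range belongs to the zone report.

```python
# Search templates, FIFO retention and the alert rule, over constructed events.
import ipaddress
from collections import deque
from dataclasses import dataclass
from typing import Callable, List, Optional

# Impact Flag numbering as the document orders it: 1 (red) is the most
# dangerous, then 2, 3, 4; 0 is the least. Colour-to-number is assumed here.
IMPACT_FLAG = {"red": 1, "orange": 2, "yellow": 3, "blue": 4, "gray": 0}


@dataclass(frozen=True)
class IntrusionEvent:
    ts: int          # arrival time in seconds; also the FIFO order
    src: str
    dst: str
    priority: str    # "high", "medium" or "low"
    impact: int      # Impact Flag 0-4
    message: str


Template = Callable[[IntrusionEvent], bool]   # a saved search is a predicate


def zone_template(cidr: str) -> Template:
    """VI.3 'Report <cidr>' search. Assumption for this example: an event with
    its source *or* destination in the range belongs to the zone report."""
    net = ipaddress.ip_network(cidr)
    return lambda ev: (ipaddress.ip_address(ev.src) in net
                       or ipaddress.ip_address(ev.dst) in net)


def high_severity_template(ev: IntrusionEvent) -> bool:
    """VI.4 search: Priority High and Impact Flag red/orange/yellow/blue (1-4)."""
    return ev.priority == "high" and 1 <= ev.impact <= 4


def alert_template(ev: IntrusionEvent) -> bool:
    """Alert rule: Priority High and Impact Flag 1 -> mail the administrator."""
    return ev.priority == "high" and ev.impact == IMPACT_FLAG["red"]


class EventStore:
    """Bounded event database: once full, the oldest event is discarded first
    (FIFO), as the DC1000 does at 10,000,000 events; capacity is a parameter."""

    def __init__(self, capacity: int) -> None:
        self._events: deque = deque(maxlen=capacity)

    def add(self, ev: IntrusionEvent) -> None:
        self._events.append(ev)   # deque evicts the oldest entry when full

    def __len__(self) -> int:
        return len(self._events)

    def report(self, template: Template, ts_from: int = 0,
               ts_to: Optional[int] = None) -> List[IntrusionEvent]:
        """Report generation: a template (step 4) over a time range (step 6)."""
        return [ev for ev in self._events
                if ts_from <= ev.ts and (ts_to is None or ev.ts <= ts_to)
                and template(ev)]


# Constructed sample events; 10.36.8.0/24 is the zone used in VI.3.
SAMPLE_EVENTS = [
    IntrusionEvent(100, "203.0.113.5", "10.36.8.20", "high", 1, "web exploit attempt"),
    IntrusionEvent(200, "10.36.8.21", "10.20.1.7", "medium", 3, "suspicious login"),
    IntrusionEvent(300, "198.51.100.7", "10.20.1.5", "high", 2, "overflow attempt"),
    IntrusionEvent(400, "198.51.100.9", "10.20.1.6", "high", 0, "port scan"),
    IntrusionEvent(500, "10.36.8.22", "10.36.8.23", "low", 4, "policy violation"),
]


def build_store(capacity: Optional[int] = None) -> EventStore:
    """Load the samples; a capacity below 5 shows FIFO eviction of the oldest."""
    store = EventStore(len(SAMPLE_EVENTS) if capacity is None else capacity)
    for ev in SAMPLE_EVENTS:
        store.add(ev)
    return store


if __name__ == "__main__":
    store = build_store()
    print("mail administrator:", [e.message for e in store.report(alert_template)])
    print("alerts after FIFO eviction:", [e.ts for e in build_store(4).report(alert_template)])
```

With the full store the zone report holds the events at 100, 200 and 500, the high-severity report those at 100 and 300, and only the event at 100 triggers mail; with a capacity of 4 the oldest event is evicted, so the same alert query returns nothing, which is why old high-severity events should be exported before retention discards them.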


VII Appendix

VII.1 Table of terms and abbreviations used in the document

No. | Term | Full name | Explanation
1 | DC | Defense Center | The Sourcefire DC appliance provides centralized management of the other Sourcefire appliances and provides the other features of the Sourcefire solution.
2 | 3D Sensor | 3D Sensor | The Sourcefire 3D Sensor appliance performs monitoring and enforces the IPS/IDS policies.
3 | IDS | Intrusion Detection System | Feature on the 3D Sensor that detects network attacks.
4 | IPS | Intrusion Prevention System | Feature on the 3D Sensor that detects and blocks network attacks.
5 | RNA | Real-Time Network Awareness | A feature of the Sourcefire solution: network profile; combined with IPS/IDS to optimize the protection of the network.
6 | RUA | Real-time Users Awareness | Allows events to be stored with the user element.
7 | Event | Event | A security event.
8 | Span Port | Span Port | A port on switches/routers that allows VLAN traffic to be monitored. A Sourcefire appliance operating in IDS mode needs a SPAN port.
9 | Interface | Interface | An interface on the appliance.
10 | Management Interface | Management Interface | The management port of the appliance.
11 | Interface Sets | Interface Sets | A group of Interfaces.
12 | Detection Engine | Detection Engine | The engine that detects attacks on the Interface Sets.
13 | Intrusion Policy | Intrusion Policy | The policy applied to the Detection Engines.
14 | NOTE | NOTE | Other notes.
