
Vietnam Computer Emergency Response Team
(VNCERT)

Final project report:
Research and development of a network security monitoring and surveillance system under a centralized management model to protect the Vietnamese Internet
Project leader: Vũ Quốc Khánh

8818
Hanoi, 2011

TABLE OF CONTENTS
STATISTICAL REPORT .... iii
TABLE OF CONTENTS .... 1
LIST OF FIGURES .... 9
TERMS AND ABBREVIATIONS .... 12
CHAPTER I. RESEARCH AND DESIGN OF THE OVERALL SYSTEM ARCHITECTURE; SELECTION OF INFORMATION STANDARDS AND EQUIPMENT .... 15
I.1. Research and proposal of objectives, requirements and general structure of the Internet security monitoring system .... 15
I.1.1. Current organization of the Internet infrastructure and information security risks of the Vietnamese Internet .... 15
I.1.2. Feasible objectives for the Vietnam Internet security monitoring and surveillance system .... 38
I.1.3. Experience from the deployment of several foreign network security monitoring systems .... 51

I.2. Research on applying international standards to the building of the system .... 71
I.2.1. Research and analysis of applying the international standards for information security management systems and the code of practice for information security (ISO 17799:2005 and ISO 27001:2005) to the system .... 71
I.2.2. Research and analysis of the international standard for exchanging network security incident information (IODEF from the IETF) .... 77
I.2.3. Proposed framework for exchanging network security incident information and for exchanging network attack detection notifications to be adopted .... 80
I.2.4. Research and analysis of the international standard for the format of network attack detection message exchange .... 82

I.3. Research and selection of network security information sources .... 86
I.3.1. Analysis of the possibility of exploiting network security information from other information sources .... 86

I.4. Overall architecture design .... 90
I.4.1. System architecture .... 90
I.4.2. Overall data diagram .... 91

I.5. Finalizing the overall design .... 94
I.5.1. Work performed .... 94
I.5.2. General remarks .... 94
I.5.3. Revision and completion requirements for the products of the implementing branches .... 96

CHAPTER II. DEVELOPMENT OF THE INTEGRATED NETWORK SECURITY MONITORING DATABASE SYSTEM (NSIDB) .... 98
II.1. Research and analysis of input data sources; selection of the NSIDB integrated database technology .... 98
II.1.1. Research and analysis of the network security information sources fed into the NSIDB integrated database .... 98
II.1.2. Determining the formats of the input data types for the NSIDB integrated database .... 105
II.1.3. Analysis and selection of suitable technology for the NSIDB integrated database, extensible to connect to compatible foreign network security data sources .... 111

II.2. Research and design of the NSIDB integrated database system .... 118
II.2.1. Research and design of the information exchange method between the database and the other system components .... 118
II.2.2. Design of database backup and data recovery when an incident occurs .... 124
II.2.3. Design of the security solution for the integrated network security monitoring database .... 125
II.2.4. Overall design of the NSIDB integrated network security monitoring database system .... 130
II.3.1. Detailed design of the database subsystem storing network security incident information .... 136
II.3.2. Detailed design of the database subsystem storing network attack information .... 137
II.3.3. Detailed design of the database subsystem storing status information of critical systems .... 138
II.3.4. Detailed design of the database subsystem storing user administration information .... 140
Detailed data design .... 140

II.4. Building and deploying the NSIDB integrated database subsystems .... 141
II.4.1. Building, installing and testing the database subsystems storing network security incident information and network attack information; comparison with theoretical results .... 141
II.4.2. Building, installing and testing the database subsystems storing critical-system status information and user administration information .... 145

CHAPTER III. RESEARCH AND DEVELOPMENT OF THE CENTRAL NETWORK SECURITY INFORMATION COLLECTION SYSTEM .... 149
III.1. Overview .... 149
III.1.1. Incident report handling support subsystem .... 149
III.1.2. NSIAR automatic network security information reception subsystem .... 150
III.1.3. Survey and assessment of the current state .... 150
III.1.4. Research and design of the ISGP network security information collection protocol .... 151
III.1.5. Research, design and development of the network security incident report handling support subsystem (SAMS) .... 151
III.1.6. Research and development of the NSIAR automatic network security information reception subsystem .... 151
III.1.7. Research methodology .... 152

III.2. Main research results achieved by branch 3 .... 153
III.2.1. Research and design of the ISGP network security information collection protocol .... 153
III.2.2. Overall design of the network security information reception system .... 160
III.2.3. Research, design and development of the network security incident report handling support subsystem (SAMS) .... 161
III.2.4. Research, design and development of the NSIAR automatic network security information reception subsystem .... 165
III.2.5. Results achieved by branch 3 .... 170

III.3. Conclusion .... 171

CHAPTER IV. DEVELOPMENT OF THE OPERATIONAL SOFTWARE SYSTEM FOR PROCESSING, MONITORING, STATISTICS, ALERTING AND CONTROL (SIPS) .... 172
IV.1. Research and analysis of several network security information processing, monitoring, statistics and alerting systems worldwide .... 172
IV.1.1. Internet Storm Center (ISC) .... 172
IV.1.2. Honeypots .... 173
IV.1.3. Honeynet .... 174
IV.1.4. Symantec Security Response .... 174

IV.2. Research to determine in detail the information criteria to be monitored and compiled about the Internet security situation in Vietnam .... 175
IV.2.1. Information sources to be collected, monitored and compiled .... 175
IV.2.2. Analysis of the information to be monitored and compiled .... 176
IV.2.3. Information criteria to be monitored and compiled about the Internet security situation in Vietnam .... 177

IV.3. Research and analysis of alert levels, alert forms and the template requirements for alert information about the Vietnamese network security situation .... 178
IV.3.1. Study of the alert level system and definition of alert levels on the Vietnamese Internet .... 178
IV.3.2. Alert forms .... 179
IV.3.3. Alert templates .... 179

IV.4. Research, analysis and design of the communication protocol between the SIPS system and the dedicated sensors .... 180
IV.4.1. Functions and operating principles of the central system and the reconnaissance machines .... 181
IV.4.2. Protocol analysis .... 181

IV.5. Analysis and design of the monitoring function of the SIPS system .... 181
IV.5.1. Monitoring system .... 182
IV.5.2. Monitoring system model .... 182
IV.5.3. Commonly monitored information .... 182
IV.5.4. Monitoring according to 10 criteria .... 182

IV.6. Analysis and design of the statistics function module of the SIPS system .... 183
IV.6.1. Components of the statistics module .... 184
IV.6.2. Some algorithms applied to the statistics module .... 184

IV.7. Analysis and design of the alerting function module of the SIPS system .... 184
IV.7.1. Registration system .... 184
IV.7.2. Alert dispatch system .... 185
IV.7.3. Infocon system .... 186

IV.8. Analysis and design of the dedicated sensor management function module .... 187
IV.8.1. Overall management of all reconnaissance machines .... 187
IV.8.2. Management functions on a single reconnaissance machine .... 188

IV.9. Analysis and design of the general administration module (user administration, backup storage, system administration, configuration, logging, etc.) of the SIPS system .... 189
IV.9.1. Basic access control management approach .... 189
IV.9.2. The phpGACL solution .... 189

IV.10. Analysis and design of the interface supporting 24/24 network security situation monitoring .... 190
IV.10.1. Functional analysis of the components of the network security monitoring support interface .... 190
IV.10.2. Building the interface by function .... 190

IV.11. Programming and testing the monitoring, statistics and alerting function modules of the SIPS system; analysis, evaluation and comparison with theoretical results .... 191
IV.11.1. Monitoring function module .... 191
IV.11.2. Statistics function module .... 192
IV.11.3. Alerting function module .... 192

IV.12. Programming and testing the dedicated sensor management modules and the general administration modules .... 193
IV.12.1. Dedicated sensor management module .... 193
IV.12.2. General administration module .... 193

IV.13. Programming and testing the NSIDB database connection modules and the 24/24 network security situation monitoring support interface module .... 194
IV.13.1. NSIDB database connection module .... 194
IV.13.2. Network security situation monitoring support interface module .... 195

CHAPTER V. DEVELOPMENT OF A DEDICATED SENSOR PRODUCT WITH TECHNOLOGY MASTERED BY VIETNAM .... 196
V.1. Overview .... 196
V.1.1. Specific sensor device for collecting network security information .... 196
V.1.2. Endpoint network security information collection software (on the Windows operating system) .... 197
V.1.3. Research on theoretical issues .... 197
V.1.4. Research and design of the sensor device system .... 198
V.1.5. Research and development of software modules for the sensor .... 198
V.1.6. Research and development of network security monitoring software on endpoint machines .... 198

V.2. Main research results achieved by branch 5 .... 199
V.2.1. Research on theoretical issues .... 199
V.2.2. Research and design of the sensor device system .... 202
V.2.3. Research and development of software modules for the sensor .... 206
V.2.4. Research and development of network security monitoring software on endpoint machines .... 210

V.3. Test results in a real network environment .... 211

V.4. Conclusion .... 213
V.5. List of sample sensor devices .... 213

V.6. Test results for the sensor device at VDC .... 215
V.6.1. Requirements and placement options for the sensor device .... 215
V.6.2. Testing the operating functions of the sensor device .... 216
V.6.3. Testing the operating functions of the endpoint software on Windows .... 217
V.6.4. Detailed description of sensor installation for the pilot deployment .... 218

CHAPTER VI. DEVELOPMENT OF SOLUTIONS AND TOOLS FOR INTEGRATING SEVERAL COMMERCIAL NETWORK SECURITY DEVICES COMMON IN VIETNAM .... 226
VI.1. Overview .... 226
VI.2. Research methodology and content .... 226
VI.2.1. Research methodology .... 227
VI.2.2. Research content .... 228

VI.3. Summary of products and results achieved by branch 6 .... 228
VI.3.1. Structure and standard for receiving network security information .... 228
VI.3.2. Structure and normalization of network security information .... 235
VI.3.3. Overall design of the commercial network security information collection software .... 238
VI.3.4. Products obtained .... 244

VI.4. Conclusion .... 245

CHAPTER VII. TESTING, MEASUREMENT AND PERFORMANCE ANALYSIS AND EVALUATION OF THE SYSTEM .... 247
VII.1. Summary of work performed .... 247
VII.2. Test description .... 248
VII.2.1. Analysis and evaluation of test results .... 248
VII.2.2. Analysis and evaluation of the performance of the whole system, compared with theoretical results .... 259
VII.2.3. Conclusion .... 260

VII.3. Review to produce revision and completion requirements for all products of the other project branches .... 260
VII.3.1. Report on review results and test evaluation .... 260

CHAPTER VIII. RESULTS OF DEPLOYING THE SYSTEM IN A REAL NETWORK ENVIRONMENT .... 264
VIII.1. Diagram of the current production system .... 264
VIII.2. Evaluation of the deployment results of the national network security monitoring system .... 265
VIII.3. Conclusion .... 267
REFERENCES .... 268

LIST OF FIGURES
Figure I.1: Core network model of an Internet exchange provider .... 16
Figure I.2: Domestic Internet transit connections .... 18
Figure I.3: Diagram of transit connections via VNIX .... 18
Figure I.4: Connection from the Internet exchange provider to customers .... 20
Figure I.5: Customer connection diagram of a local post office .... 21
Figure I.6: Connection diagram from an ISP to customers .... 24
Figure I.7: Operating diagram of the governing agency .... 59
Figure I.8: Overall context diagram of the Vietnam Internet security monitoring and surveillance system .... 62
Figure I.9: General functional structure diagram of the system .... 65
Figure I.10: Collecting information from devices .... 81
Figure I.11: Operating model .... 90
Figure I.12: Incident detection monitoring diagram .... 92
Figure I.13: Incident analysis activity diagram .... 93
Figure I.14: Incident detection reporting diagram .... 93
Figure I.15: Incident response diagram .... 94
Figure II.1: Overall model of the information reception software .... 98
Figure II.2: Internet security management system model .... 112
Figure II.3: Central system ....
Figure II.4: Operating diagram of the network monitoring system .... 116
Figure II.5: NSIDB integrated database system .... 117
Figure II.5: General structure of the NSIDB integrated database system .... 120
Figure II.6: Collecting information from devices .... 122
Figure II.7: Interaction diagram between the database and the processing components of the system .... 136
Figure II.8: Relationship diagram of the incident information database .... 142
Figure II.9: Relationship diagram of the attack information database .... 144
Figure II.10: Relationship group of the server tables .... 146
Figure II.11: Relationship group of the net tables .... 147
Figure II.12: Relationship group of the plugin utility tables .... 147
Figure II.13: Relationship diagram of the user tables .... 148
Figure III.1: Relationship between ISGP and several other basic protocols .... 153
Figure III.2: Overall architecture diagram of the SIGS subsystem .... 160
Figure III.3: Incident report handling workflow .... 161
Figure III.4: NSIAR data flow diagram .... 167
Figure IV.1: ISC system workflow .... 173
Figure IV.2: Incident information reception system .... 176
Figure IV.3: Five-level and four-level alert systems .... 180
Figure IV.4: Central system .... 181
Figure IV.5: Statistics of botnet proportions by country .... 183
Figure IV.6: Overview of the alert dispatch system .... 186
Figure IV.7: Interface for managing all reconnaissance machines .... 188
Figure IV.8: Event and alert statistics interface .... 191
Figure V.1: Possible placements of sensor devices collecting information in tier-1 zones .... 200
Figure V.2: Possible placements of sensor devices collecting information in tier-2 zones .... 201
Figure V.3: Possible placements of sensor devices at endpoint machines .... 201
Figure V.4: Architecture model of the adaptive intrusion detection system .... 202
Figure V.5: Internal structure of a network security monitoring sensor device .... 204
Figure V.6: A sample sensor device .... 205
Figure V.7: Sample sensor devices 2 and 3 under test .... 205
Figure V.8: Software modules in the Linux kernel build .... 206
Figure V.9: Parameters and directories of the Linux kernel build .... 206
Figure V.10: Principle diagram of the network security monitoring software .... 207
Figure V.11: Principle diagram of the detection monitoring software block .... 208
Figure V.12: Principle diagram of the traffic monitoring software block .... 208
Figure V.13: Main interface of the software .... 210
Figure V.14: Software configuration interface .... 211
Figure V.15: Configuration interface for the monitoring support tools .... 211
Figure V.16: Placement diagram of a sensor device monitoring endpoint machines on ADSL connections .... 211
Figure V.17: Placement diagram of a sensor device monitoring server systems at hosting providers .... 212
Figure V.18: Placement diagram of a sensor device monitoring an enterprise internal network .... 212
Figure V.19: Placement diagram of a sensor device monitoring endpoint machines .... 219
Figure V.20: Placement diagram of a sensor device monitoring server systems at hosting providers .... 221
Figure VI.1: Context diagram .... 240
Figure VI.2: GAG module data flow diagram .... 241
Figure VI.3: GFW module data flow diagram .... 242
Figure VII.1: Test network model .... 249

TERMS AND ABBREVIATIONS
Account: User account.
Access Point: Wireless network access point.
ADSL: Asymmetric Digital Subscriber Line; asymmetric digital subscriber channel (download 8 Mbps, upload 800 Kbps, distance 5500 m).
Antivirus: Antivirus.
ATM: Network security (an toàn mạng).
ATTT: Information security (an toàn thông tin).
BCG: Business Control Gate; proper name of the network security report handling support module.
BRAS: Broadband Remote Access Server.
CERT: Computer Emergency Response Team.
CERT/CC: Computer Emergency Response Team Coordination Center.
CNTT: Information technology (công nghệ thông tin).
CSDL: Database (cơ sở dữ liệu).
DSLAM: Digital Subscriber Line Access Multiplexer; device that aggregates (multiplexes) digital subscriber lines.
FE: Fast Ethernet.
FW: Firewall.
GAG: GAG module providing information from antivirus software.
GE: Gigabit Ethernet.
GIDS: Proper name of the GIDS module providing information from IDS devices.
GFW: Proper name of the GFW module providing information from firewall devices.
HDSL: High bit-rate Digital Subscriber Line; high-speed digital subscriber channel (download 1.54 Mbps, upload 1.54 Mbps, distance 3650 m).
HTTT: Information system (hệ thống thông tin).
HIDS: Internal (host-based) intrusion detection system.
IDS: Intrusion detection system.
IDMEF: Intrusion Detection Message Exchange Format; standard for exchanging intrusion detection messages.
IDSL: Integrated Services Digital Network DSL; integrated-services digital subscriber channel (download 144 Kbps, upload 144 Kbps, distance 10700 m).
IODEF: Incident Object Description and Exchange Format; standard for describing and exchanging incident information.
IPS: Intrusion prevention system.
ISP: Internet Service Provider.
IXP: Internet eXchange Provider; provider of Internet connectivity.
Malware: Malicious software.
MIME: Multipurpose Internet Mail Extensions; standard for extending Internet e-mail with multiple content types.
MSDSL: Multirate Symmetric DSL; multirate symmetric digital subscriber channel (download 2 Mbps, upload 2 Mbps, distance 8800 m).
NSIAR: Proper name of the automatic network security information reception subsystem.
NSIDB: Network Security Information DataBase; proper name of the network security monitoring information database.
Plugin: Add-on utility.
Router: Routing device.
RADSL: Rate Adaptive DSL; rate-adaptive asymmetric digital subscriber channel (download 7 Mbps, upload 1 Mbps, distance 5500 m).
SAMS: Proper name of the incident report reception and handling support subsystem.
SDH: Synchronous Digital Hierarchy; synchronous digital transmission hierarchy.
SDSL: Symmetric DSL; symmetric digital subscriber channel (download 2.3 Mbps, upload 2.3 Mbps, distance 6700 m).
Sensor: Sensor device (detecting network attacks).
SIG Gate: Proper name of the network security information reception gateway.
SIGS: Security Information Getting System; proper name of the central network security information collection system.
SIPS: Security Information Processing System; proper name of the information processing, monitoring, statistics, alerting and control system.
SNMP: Simple Network Management Protocol; protocol for exchanging network management information.
STM-x: Synchronous transport mode at SDH level x (x = 1, 4, 16 corresponding to transmission rates of 155 Mbps, 622 Mbps, 2.5 Gbps).
Switch: Switching device.
Syslog: Syslog standard for storing and exchanging log files.
TTATM: Network security information (thông tin an toàn mạng).
UML: Unified Modeling Language.
URL: Uniform Resource Locator; (network) resource locator name.
VDSL: Very high bit-rate DSL; very-high-speed asymmetric digital subscriber channel (download 52 Mbps, upload 16 Mbps, distance 1200 m).
VNCERT: Vietnam Computer Emergency Response Team.
VNIX: Vietnam National Internet eXchange; Vietnam's national Internet transit switching system.
XML: Extensible Markup Language.

CHAPTER I. RESEARCH AND DESIGN OF THE OVERALL SYSTEM ARCHITECTURE; SELECTION OF INFORMATION STANDARDS AND EQUIPMENT
The deliverables are technical reports that analyze the current situation and propose the overall requirements for the design of a system that collects, analyzes and aggregates information describing network incidents, the state of traffic flows and the characteristics of packets passing through network nodes, as processed and recorded by sensor devices and several network protection devices. A common model, the basic standards and the equipment are selected so as to produce a design suited to Vietnamese conditions, technologically advanced and feasible, cost-effective, highly secure, and able to exchange information conveniently with the computer emergency response teams (CERTs) of other countries.

I.1. Research and proposal of objectives, requirements and general structure of the Internet security monitoring system
I.1.1. Current organization of the Internet infrastructure and information security risks of the Vietnamese Internet
a) Current organization of the Vietnamese Internet infrastructure (2009)
The Vietnamese Internet spans everything from the international links and gateways down to the connection of each individual Internet user. Based on a field survey carried out in late 2008 and early 2009, the networks of the country's main Internet service providers (the Internet exchange providers, IXPs, and the Internet access service providers, ISPs) can be summarized into the following levels:
Core network model of an Internet exchange provider (IXP)

The principle diagram of the core network model of an Internet exchange provider (IXP) is shown in Figure I.1.
The basic devices are gateways, routers and edge routers.

The international Internet links into Vietnam terminate at the gateways over one or more STM-1 to STM-16 optical fiber channels with transmission rates from 155 Mbps to 2.5 Gbps. IXPs usually deploy a caching system at the ingress to eliminate duplicate international Internet accesses.

Figure I.1: Core network model of an Internet exchange provider



The gateways connect to the main core routers in Hanoi, Ho Chi Minh City and Da Nang over one or more STM-x channels at 155 Mbps to 2.5 Gbps.
The routers forming the core network are usually interconnected by multiple STM-16 channels with a capacity of about n times 2.5 Gbps.
The core usually connects to the edge routers over STM-x channels or high-speed Ethernet channels (GE/FE). Depending on needs and practical conditions, a link may reach several Gbps.
From the edge routers, connections go to domestic transit networks, Internet service providers (ISPs) or large customers (private networks) over STM-x channels or high-speed Gigabit Ethernet (GE) or Fast Ethernet (FE), or to ordinary customers over leased lines or xDSL channels at 64 Kbps to 52 Mbps, depending on the cable type used and the distance from the subscriber to the exchange. xDSL includes ADSL, HDSL, IDSL, MSDSL, RADSL, SDSL and STM-x.
Domestic Internet transit connections

The Vietnam Internet Network Information Center (VNNIC) operates VNIX (Vietnam National Internet eXchange), a switching system that transits domestic Internet traffic between the Internet exchange providers (IXPs). Small ISPs can also join as needed.
The principle diagram of the IXPs' direct and transit domestic Internet connections is shown in Figure I.2.


Figure I.2: Domestic Internet transit connections

With the introduction of VNIX, a large share of the traffic exchanged between the connectivity providers is now routed domestically, reducing the international bandwidth consumed and improving the quality of Internet service. The following figure shows the transit connection diagram via VNIX.

Figure I.3: Diagram of transit connections via VNIX



The Vietnamese Internet exchange providers (IXPs) connect domestically to VNIX (Vietnam National Internet eXchange) at the Vietnam Internet Network Information Center over cables with bandwidth from 1 Gbps to 3x1 Gbps.

In addition, the providers set up redundant links between themselves so that service can be maintained for customers even when a network or line failure occurs.

The IXPs can also peer directly with each other over links between their edge routers, typically at bandwidths from 256 Kbps to 1 Gbps.

Other ISPs and customers may likewise connect directly to VNIX at VNNIC.
Connections from an Internet exchange provider to its customers

An Internet exchange provider (IXP) is usually also a large Internet service provider (ISP). Beyond that, an IXP's customers include large agents (for example provincial post offices), other ISPs, and agencies, organisations or enterprises with large private networks.

An example topology of an IXP customer network is shown in the following figure.

Figure I.4: Connections from an Internet exchange provider to its customers

The IXP connects large customers through access routers and edge routers, usually over fibre or leased lines with a variety of standards: STM-x, GE, FE, xDSL, nx64 Kbps and dial-up. Bandwidth ranges from small to several Gbps.
Internet connections of provincial post offices

The customer connection topology of a provincial or municipal post office, or of a large ISP, is shown in Figure I.5.

Figure I.5: Customer connection topology of a provincial post office

Provincial post offices typically use a broadband remote access server (BRAS) connected to an edge router of the Internet exchange provider (IXP). From the BRAS, Internet service reaches customers through a hierarchical network of switches (switch/core switch), multiplexers (DSLAM/Hub-DSLAM), routers, modems and wireless access points.

Normally, when a subscriber connects to the Internet, the ISP assigns the connection a dynamic IP address (for example from a DHCP server for dial-up, or from the BRAS for ADSL). The BRAS sometimes also authenticates the customer, normally acting as a RADIUS client (NAS) that queries a RADIUS server.

The link from the BRAS to the IXP's edge router is usually fibre or copper using STM-x, xDSL or nx64 Kbps standards.

From the BRAS to the switches (switch/core switch) and multiplexers (DSLAM/Hub-DSLAM) the links are STM-1, STM-4, GE, FE or xDSL.

DSLAMs connect to the Hub-DSLAM over STM-1 or E1 circuits, or xDSL at 144 Kbps to 52 Mbps.

From the DSLAM to the end customer the connection is copper with ADSL at 64 Kbps to 8 Mbps, or dial-up at 56 Kbps.

Wireless access points are also used; customers can reach the Internet through them at around 64 Kbps.
Connections from an ISP to its customers

An ISP may be a sub-network of an IXP or an independent ISP. Many private Internet-based networks of large organisations are also structured like an ISP.

ISPs may form several tiers of service provision; they can peer directly with each other to route domestic traffic over the shortest path and to create redundant Internet connections.

The topology of an ISP's service network for end customers is shown in Figure I.6.

An ISP connects to the IXPs (Internet exchange providers, the enterprises providing Internet connectivity) over fibre using STM-1, STM-4 or STM-16 at roughly 155 Mbps to 2.5 Gbps.

From the edge routers there are connections to domestic transit networks, to other ISPs or to large customers (private networks) over STM-x circuits or high-speed Ethernet (GE/FE), or over leased lines and xDSL circuits at 64 Kbps to 52 Mbps, depending on the cable type and the distance from the subscriber to the exchange.

ISPs connect to other ISPs over fibre, xDSL or STM links at 144 Mbps to 2.5 Gbps.

Figure I.6: Connections from an ISP to its customers

ISPs reach ordinary customers through wireless access points, ADSL or dial-up, at bandwidths from 56 Kbps to about 8 Mbps.

ISPs, service companies, large organisations and provincial post offices connect customers over ADSL (Asymmetric Digital Subscriber Line) at 8 Mbps downstream and 800 Kbps upstream, dial-up at 64 Kbps, leased lines at nx64 Kbps, or 802.11a/b/g/n wireless access points.
Private wide-area networks over the Internet

Large, geographically distributed organisations and enterprises usually build private networks on Internet technology (intranet/extranet). Many such private networks are organised as a wide-area network of several network segments or LANs interconnected over the public Internet transport infrastructure using secured links or encrypted tunnels.

The components of such a private network typically connect to the Internet through local ISPs, using the same transmission technologies described above.

The connection technology depends on distance and on the bandwidth the private network needs. The usual choices are leased lines or xDSL at no more than a few Mbps; very large organisations may use fibre, but even then the bandwidth rarely exceeds a few tens of Mbps.

Private traffic is carried in encrypted tunnels using technologies such as SSL/TLS VPNs or IPsec VPNs.

Many organisations and enterprises use the Internet infrastructure not only to link their wide-area network but also to give their staff Internet access.
Some general remarks

The Vietnamese Internet is essentially organised hierarchically and has a caching system on the international connections. Furthermore, the Internet service providers and the value-added service providers operating on the Internet have both direct connections and domestic transit connections with large bandwidth.

This creates several distinct basic traffic flows in Vietnam's Internet space:

- International inbound/outbound traffic (to the Internet)
- Traffic to and from the caches
- Domestic internal traffic (via transit)

Statistics as of November 2009:

  Total international bandwidth of Vietnam, 2008      32,995 Mbps
  Total traffic through the VNIX exchange, 2008       31,856,896 GBytes
  Internet exchange providers (IXP)                   (value not recoverable from the source)
  Internet access service providers (ISP)             15
  Internet online service providers (OSP)             19
  Internet users                                      20,570,000
  Broadband subscribers                               1,928,191

b) Threats to information security on the Vietnamese Internet

Information security issues

Information security comprises the management, operational and technical activities on an information system that protect and restore the systems, services and information content against natural or man-made threats. Protecting the information, assets and people in an information system is meant to ensure that the systems perform their intended functions and serve the right users in an available, accurate and reliable way. Information security covers the protection and confidentiality of information, data security, computer security and network security (Decree 64/2007/ND-CP).

Information security in the telecommunications infrastructure concerns several kinds of networks: the fixed telephone system, mobile systems, data networks, the Internet, military information systems, and the dedicated networks serving the operations of the Party and Government agencies.

The large IT applications in Vietnam are growing in number, and their ability to deliver service depends ever more deeply on the operating state, and in particular on the security, of the national Internet (the national network for short).

The wide use of IT and the Internet in every aspect of economic and social life turns the network systems of many sectors into critical IT infrastructure of national security importance, for example the networks for e-government, e-commerce, online press, bank payments, online securities trading, air and rail ticketing, electronic customs, and Internet communications.

Common threats in the Internet space

International experience points to the following threats:

Computer viruses and malware: anti-virus work faces a different challenge than before, since every event calls for early detection of the threat. Where experts once had hours to react to a new threat, they now have minutes.

Online fraud: phishing on the Internet has grown strongly recently. It poses a serious threat to consumers and to businesses operating on the Internet and has become a genuine security hazard that grows in step with financial crime on electronic channels.

Spam: spam is a worldwide concern. A report by the security firm Sophos (UK) in December 2004 found that more than 20% of the world's spam originated from China and South Korea, and that "the EU cannot fight spam on its own because this is by nature a borderless problem". Spam caused damages estimated at USD 50 billion in 2004, and the world spends about USD 1.7 billion a year fighting it.

Hackers: besides viruses, worms, spam, fraud and child pornography, hacking is a global problem now that geographic space and national borders no longer hinder activity in cyberspace, and electronic transactions are the inevitable trend for every country in integration and cooperation.

Beyond incidents caused by viruses and worms, network attacks occur constantly around the world. Countries with weak information security become convenient staging points for hackers to launch attacks elsewhere.

Systems built on open-source software are attacked as well.

A four-year study by WebCohort found that the great majority of web applications are open to hacker attacks: up to 92% of online applications are insecure.

The explosion of botnets is a major problem. Parasitic programs (bots) are covertly installed on victims' computers, and these zombie PCs are joined into networks (botnets) of a few hundred to a thousand or more machines used for the controller's own purposes.

Consequences of information security failures:

- Damage to equipment and systems
- Interruption of work
- Disclosure or loss of information
- Legal liability
- Reduced service effectiveness
- Damage to national reputation
- Damage to information assets
- Cost in money and time to the community
- Cost of recovering operations
- Reduced competitiveness of the economy

c) Survey of the state of information security on the Vietnamese Internet

+ Some operational statistics on information security incidents

Computer viruses in 2007 (Vietnam)

  Computer infections                         33,646,000 infections
  New viruses appearing in the year           6,752 new viruses
  New viruses per day (average)               18.49 new viruses/day
  Most widespread virus of the year           W32.Winib.Worm, infecting 511,000 computers

  Year   New viruses   Computers infected (%)
  2005   232           94%
  2006   880           93%
  2007   6,752         96%

+ Average number of new virus variants per month

  [Chart: 2006: 84; 2007: 563; 2008: 2,375]

+ Attacks on Vietnamese websites from abroad

  [Chart: yearly counts from 2002 to October 2008 with two series, Total and Gov; the values visible on the page (748, 485, 234, 87, 2,818, 4,112, 89, 2,529, 39, 33, 53) cannot be reliably assigned to year and series from the extracted text]

+ Serious incidents reported to VNCERT

  [Chart: 29 incidents (2006), 47 (2007), 79 (2008), broken down into DDoS, malware, website defacement, e-mail phishing and fraud, DNS attack, spam distribution and other; the per-category counts are not recoverable from the extracted text]

+ Serious incidents reported, classified by year

  [Chart: percentage breakdown of the 29 (2006), 47 (2007) and 79 (2008) incidents by the same categories (DDoS, malware, website defacement, e-mail phishing and fraud, DNS attack, spam distribution, other); the percentages visible on the page (2006: 14%, 17%, 7%, 24%, 38%; 2007: 13%, 11%, 4%, 19%, 25%, 28%; 2008: 15%, 6%, 8%, 4%, 15%, 3%, 49%) cannot be reliably assigned to categories]

+ Rising trend of information security incidents

- Attacks: viruses, web hacking, DoS and DDoS, DNS attacks
- Computer crime: theft of ATM and credit card accounts and mobile phone accounts, attacks on enterprise databases, spreading viruses
- E-mail fraud and phishing: rising continuously (more than threefold during 2008)
- DNS attacks first appeared in 2007 and became more serious in 2008
- In 2008, spam distribution sources began to operate deliberately (the remainder of this item is garbled in the source)
- Trend: the statistics show that the number of information security incidents is still growing geometrically
Survey data on the state of information security in 2008

In 2008, within this project, VNCERT together with VNISA surveyed the state of information security in state agencies and enterprises nationwide by distributing questionnaires to assess awareness and the level of information security practice.

Summary of survey results

+ Share of organisations with dedicated or part-time information security staff

                           Has (part-time) IS staff   No IS staff
  Nationwide               56.0%                      44.0%
  Enterprises, South       61.6%                      38.4%
  Enterprises, North       51.5%                      48.5%
  State agencies           49.2%                      50.8%

+ Share of organisations that have issued an information security policy

  [Chart: only the axis scale (30% to 100%) survives in the extracted text; the values are not recoverable]

+ Share of organisations with an information security incident handling process

  [Chart: state agencies, enterprises and overall, with the answers "yes", "no" and "don't know"; the values are not recoverable from the extracted text]

+ Adoption of information security solutions and technologies (Vietnam 2008 compared with the US 2007 survey)

  [Chart comparing adoption rates for: anti-virus software, anti-spam filters, access control, reusable passwords, digital certificates and signatures, web content filtering, document passwords, smart cards and one-time passwords, biometrics (e.g. fingerprint), network IDS, host IDS, firewalls, VPN and encryption; the percentages survive on the page but cannot be reliably assigned to items and series]

+ Awareness of information security incidents (2008); organisations that knew they were attacked (at least once in 2008)

  [Chart: state agencies versus enterprises across the same categories of security measures, plus "other" and "don't know"; the values are not recoverable from the extracted text]

+ Share of state agencies able to record attack attempts

  Yes: 23%   No: 69%   Don't know: 8%

+ Share of state agencies that know the origin of the attacks

  Domestic: 10%   Foreign: 24%   Don't know: 66%

+ Share of state agencies that know the financial loss from an attack

  Yes: 13%   No: 87%

+ Planned share of the IT budget for information security

  [Chart: answers "don't know", "0%-5%", "5%-9%" and "10%-15%" for Vietnamese state agencies compared with a US series; the percentages on the page (60%, 38%, 23%, 21%, 18%, 18%, 13%, 9%) cannot be reliably assigned]

+ Views on the greatest difficulty in ensuring information security

  [Chart: raising users' awareness of computer security (52%, 57%); lack of understanding of information security within the organisation; keeping up with newly appearing attack methods and vulnerabilities; determining the priority of information security (remaining values on the page: 48%, 56%, 12%, 39%, 18%; assignment not recoverable)]

d) General assessment

Many organisations and enterprises use the Internet infrastructure not only to link their wide-area network but also to give their staff Internet access. This can open channels from the internal systems that need strict protection out to the global Internet.

Equipment and technology are mostly imported; the mix of makes and origins is very diverse.

Users are accustomed to unlicensed software that is not upgraded and still carries security vulnerabilities. Many application systems are built with low technology, without professional design and without following information security standards.

The IXPs and ISPs mainly sell connectivity and concentrate on getting the most out of their bandwidth, paying little attention to monitoring security incidents on the network. Responsibility for information security rests almost entirely with the end customers. The few monitoring and security devices that exist are installed in end-user networks.

The IXPs and ISPs install network security equipment only for their own internal network segments.

The lack of investment in network security from the service providers down to the customers, together with the characteristics analysed above, makes the Vietnamese Internet space one of the environments with the highest information security risk in the global Internet.

More than 50% of organisations manage loosely and show a lack of responsibility and interest in information security.

Most have no incident response process; half plan to build one within three months.

Incident reporting is incomplete and makes little use of the support available from professional teams; a large share of reports are late.

Technology is weak (lacking, outdated, not updated).

Understanding and the ability to assess risks are low.

Spending is trending upward, but the share of organisations that do not know how to allocate it remains very high.

The hardest problems are awareness and knowledge.

The number of information security incidents in Vietnam is growing fast; attacker techniques are more advanced yet widely available and easy to use; part of the attacker population is becoming professional; the economic motive behind security incidents is ever clearer.

In practice the Vietnamese Internet faces the following risks:

- Virus outbreaks and network attacks.
- Growth of botnets organised for denial-of-service attacks, spam and pop-up advertising, and especially as preparation for the most dangerous and hardest-to-counter form of Internet attack, DDoS.
- Large-scale spam.
- Telecommunications services, including mobile phones whose technology is integrated with computer networks, and devices running operating systems, will be in hackers' sights and exposed to network attacks.
- Large numbers of poorly secured Vietnamese websites will be seriously compromised by automated tools because of common security flaws.
- Computer crime: theft of credit cards, ATM cards and mobile phone accounts; forgery, fraudulent purchases and money laundering with credit cards.
- Extortion and attacks on e-commerce systems for economic and competitive reasons.
- Theft of personal information; defamation and insults to personal dignity.
- Fraud by e-mail and electronic messages (phishing).

The need for a network security monitoring system

From the macro perspective of any country, ensuring information security and countering hackers on the national network involves three main aspects:

- Securing the national network: monitoring and technical management of network security; controlling, preventing and warning of attacks on the national network; coordinating emergency response to protect the national network; securing the information network for the community, the state agencies, enterprises and social organisations that use the Internet.
- Investigating and prosecuting cybercrime, countering high-tech crime, safeguarding national security and public order, and countering hacker plots to disrupt and sabotage and their negative effects on economic, political and social activity.
- Ensuring network security in the fields of defence and national security, countering cyber-terrorism and cyber-warfare, countering espionage and intelligence plots against national security, and protecting state secrets.

The assessments above show that without strong technical support from professional information security organisations and teams, it will take a very long time for network security to improve. This directly and significantly threatens the safety of the large IT services and applications.

In the context of international integration, with every country seeking to accelerate IT adoption, building a national network security system is unavoidable. It is also what the international ICT organisations strongly encourage, and an important measure for fulfilling each country's commitment to the international community in its economic and social security strategy.

A national network security monitoring system is one of the first technical systems a country must establish. It is the precondition for deploying further technical systems, and it also creates the capability and environment to advance information security research and to train the skilled experts the country needs.
I.1.2. Feasible objectives for the Vietnamese Internet security monitoring system

a) Lessons learned from foreign models

We can learn from the deployment of the monitoring and warning systems of the national network security centres of the countries introduced in the appendix, namely:

- The ARAKIS network security warning system of the Polish computer emergency response team (CERT Polska).
- The Honeypot (attack trap) and SpamPots (spam trap) monitoring systems of the Brazilian computer emergency response team, CERT.br.
- The network security monitoring system of the Dutch government computer emergency response team (GOVCERT.NL).
- The Korea Internet Security Center (KISC) of the Korean computer emergency response coordination centre (KrCERT/CC).
- The Government Security Operation Coordination team (GSOC) of Japan's National Information Security Center.

Overall, national network security monitoring and warning systems typically consist of these main functional subsystems:

- A subsystem collecting information on the national network from different sources: reporting channels, network protection devices and sensors.
- A subsystem transporting the security information to the processing servers at the national centre.
- A database subsystem storing the national network security information.
- A subsystem supporting analysis and processing of the information.
- A subsystem supporting incident warning and network security management.

Each country has its own strategy for developing its monitoring system, but all give priority to building the functions above. A notable feature is that these centres are built to their own designs and use purpose-built software that is kept strictly confidential and is not transferred elsewhere for security reasons. Even where part of the system is developed on open-source technology, they never publish the actual techniques in use.

On the scale of deployment

Scale: from small, such as enterprise networks, to large, national, and even multinational.

Monitored links: ordinary devices only monitor reliably on low-speed links such as FE/STM-1. For links of GE or STM-4 and above, specialised monitoring hardware is required.

Operating system platform: Windows and Linux are the common choices. Automated processing devices and servers usually run Linux, while the system's clients usually have to support Windows.

Network connection: there are several ways to tap the network. On a low-speed link a sensor can be attached through a hub port, a SPAN (mirror) port on a switch, or as an in-line monitoring device. On a high-speed link a network TAP must be used; in particular, a bypass ("V-line") TAP keeps the link from ever being interrupted by the monitoring device.

On incident types

The monitoring systems of other countries typically classify incidents as follows:

- Type 1: Unauthorised access with an admin/root account
- Type 2: Unauthorised access with a user account
- Type 3: Attempted unauthorised access
- Type 4: Successful denial-of-service attack (DoS)
- Type 5: Policy/regulation violation or failure to follow procedure
- Type 6: Network scanning or probing
- Type 7: Virus or malware infection
- Type 8: Privilege escalation activity
- Type 9: Not harmful

On recording and detection technology

Alert data is provided by Snort. With minor modifications to meet the alert data requirements, Snort is operated in the same way as by thousands of analysts worldwide.

Using Snort's keepstats option, Sguil receives TCP-based session data; this role is now being taken over by Argus and SANCP. Where all packet content is to be captured, Snort can be replaced by tcpdump or tethereal (among many other options).

tcpflow reconstructs the content of files from the captured data; p0f identifies operating systems.

On transport

Information can be sent to the centre over ordinary Internet connections, but for critical systems (such as banks) some countries build a dedicated data network linking the sensors to the centre.

On database storage

With open-source software, MySQL or PostgreSQL is usually used to store the alerts and packet data collected from Snort. Commercial Windows-based software usually uses SQL Server.

On supporting analysis technology

The best-known technologies are open-source ones such as OSSIM and AirCERT integrated with Snort.

Sguil is a client-server system whose components can run on separate machines. Analysts use a Tcl/Tk client (sguil.tk) installed on their own workstations to reach the Sguil server daemon (sguild) over its own protocol (the source text calls the client "SGUIL Deamon", but sguild is the server component). Communication between client and server can be protected with SSL. ActiveTcl is the runtime that lets the Sguil client run on Windows.

When monitoring high-speed networks, all Sguil components (the Sguil database server, the Sguil server, the clients, Snort, SANCP and so on) can be installed on separate machines to improve performance.

On the legal framework

In some countries, such as Japan, sensors may only be placed as end subscribers, for reasons of personal data protection. In contrast, in countries such as Korea and China, the competent state authority may place sensors at the highest-level network nodes.
b) Proposed feasible objectives for the Vietnamese Internet security monitoring system built in this project

Objectives

The early-warning and rapid-response monitoring system for network security incidents performs these main functions:

- Continuously collect information on threats and network security incidents.
- Identify, process quickly and give early warning of threats and incidents.
- Support the coordination of rapid response to incidents.

The system will create a capacity for processing network security information not previously available in Vietnam, by collecting and quickly processing information from all the basic warning sources:

- The community's reporting channels for incidents and threats,
- Reports from the system of purpose-built monitoring sensors,
- Reports from purpose-built monitoring software,
- Information channels from commercial network protection devices,
- Warnings from domestic and foreign research organisations.

+ Monitored targets

In principle, all the key points should be monitored:

- The international Internet gateways and the ISPs' gateways.
- The network gateways of state agencies and enterprises.
- Large organisations (such as multinational or multi-city companies).
- A number of representative end-user sites.

The higher the network node where a sensor is placed, the more it covers, but the required device capacity and processing speed are so high that it becomes very expensive or even infeasible.

Sensors at lower levels need less demanding technology, are cheap and can be built locally, but many are needed, and installation, management and operation become complex. The central system's algorithms also become more complex.

The question is which solution is optimal under Vietnam's conditions. This is precisely one of the questions the project's experiments must answer.

+ What is monitored

- Spam,
- Viruses,
- Attack tracking,
- Reconnaissance scanning,
- Phishing,
- Other malware.

This information tells us the time of the attacks, their origin, scale and scope, the attack techniques and the malicious code spreading on the network.

It is stored in the central database for analysis and rapid processing in support of early warning and incident remediation, and is also retained for long-term research and statistics in the general operational system.

+ Required results

- Early detection of threats and early warning.
- Early warning information.
- Greater capacity for rapid reaction and timely intervention against attacks.
- An environment for research and experiments leading to a proposal for a project to build a complete network security monitoring system for Vietnam.

Technology experiments:

- Common platform (operating system, database, network and computer hardware).
- Some specialised devices (network security appliances, sensor devices, ...).
- Locally developed devices and software (sensors, encryption, information processing, ...).

System integration:

- Network connectivity: a dedicated network, or Internet channels encrypted with SSL/TLS or VPN.
- Data integration: use of standards and standardised messages for each type of warning information.
A feasible network security monitoring model for Vietnam

None of the national centres bought an off-the-shelf technology package for their system; they designed and built the core of the system themselves, buying some of the technology and developing the rest to integrate into an overall system.

Experience shows that integrating a system from the technologies available from several vendors and from improved open-source systems is entirely feasible for any country with a skilled IT workforce. Vietnam is among these countries. VNCERT's survey and experimental research allow us to design and deploy a feasible monitoring system with the following components:

- A subsystem supporting collection of information from reporting channels
- A subsystem of purpose-built monitoring sensors
- A subsystem of purpose-built information collection software
- A subsystem collecting information from commercial network protection devices
- A central database and information processing software subsystem
- A subsystem for statistical analysis of selected incident indicators

Technical content of the feasible plan for Vietnam

1. System supporting collection of information from reporting channels

Based on the literature and foreign experience, the technical components and technology requirements can be described as follows:

Reporting channels

The usual channels for reporting threats or incidents are:

- Official letters,
- Telephone,
- Fax,
- E-mail and messaging,
- Online reporting through a web interface,

and possibly information-sharing channels over the Internet.

Models for receiving and processing reports

To receive and process reports, one of the following two models can be adopted, or suitable components of both can be integrated:

- The RTIR model, a request tracking system for incident response (Request Tracker for Incident Response).
- The SURFnet IDS model, a system for monitoring attacks and malware propagation in which a deployment consists of a honeypot (Nepenthes), a web server handling authentication, and a logging server using a PostgreSQL database. The central system is protected by a firewall.
2. System of purpose-built monitoring sensors

Purpose-built sensors

Network security sensors analyse and record signs of insecurity by listening to the packets passing through Internet network nodes.

The purpose-built monitoring sensors are devices whose technology we fully control, built specifically and configured to operate flexibly according to the monitoring requirements, collecting information and sending it to the centre automatically.

Design approach: develop them on open-source software, ensuring flexible customisation and configuration and the ability to add specific modules.

Main functions:

- Network traffic monitoring.
- Trapping and collecting information on network attacks.
- Collecting malware spreading on the network.
- Detecting signs of unauthorised access and intrusion.
- Trapping spam.
- Scanning for weaknesses in systems across the wide-area network.

Information collection technology

The planned approach is to build a number of sensors by improving and integrating the following open-source technologies:

- ntop: network traffic monitoring.
- Honeypot: trapping and collecting attack information.
- Nepenthes: collecting malware spreading on the network.
- Snort IDS: detecting signs of unauthorised access and intrusion.
- Spampot: spam trap.
- Nessus: scanning for weaknesses in systems across the wide-area network.

Management of the purpose-built sensors

The sensors must be monitored, their data received and they must be remotely controlled by a central management system. OSSIM, or Sguil together with Argos, are feasible solutions; note also the option of using SNMP to carry monitoring information.

Sensor network connectivity

The sensors connect to the central management system over a network that carries alerts in one direction and control signals in the other. Two solutions are common worldwide:

The first: the sensors connect to the management system over a dedicated network built separately from the Internet. This is very secure and fast but expensive.

The second: the sensors connect over the Internet. To secure the system, a virtual private network (VPN) is used. More simply still, a few Internet protocols protected by cryptography could be used, but the system's security would then be lower, since direct Internet-facing connections are easily attacked.

A VPN-based connection is cheap and may suit Vietnam's present conditions.
3. Purpose-built information collection software

In operation, operating systems such as Windows and Linux, anti-virus systems and network security products such as firewalls and IDS continuously produce event records in log files that contain a great deal of information for analysing the state of network security. Purpose-built collection software that processes these existing log files is an important component supplying information to the national monitoring and warning system.

Such collection software can be built on the following known architecture and solution:

DShield architecture

Based on the approach of DSHIELD.ORG, build software that collects information from the basic log files of three kinds of source:

- Operating systems: Windows, Linux, ...
- Anti-virus systems,
- Network security products: firewalls, personal firewalls, IDS, ...

Software development approach

A DShield-based system can be improved and extended into a component integrated into the national monitoring and warning system through the following development steps:

- Research and define the structure of the network security event record (the system's own log file format).
- Build a module converting or adapting DShield's log file into the system's common log format.
- Rewrite the DShield client to the common log structure.
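As an added example (not code from the report, from DShield or from VNCERT), here is a small normaliser for the common event record the steps above call for. It accepts two of the source types named in this section, a DShield-style tab-separated client record and an iptables firewall line as written to syslog on Linux, and maps both onto one record with the timestamp normalised to UTC, so that later correlation can compare events from different sensors. The DShield field order assumed here (date with offset, author ID, count, source IP, source port, target IP, target port, protocol, flags) is taken from the DShield submission format as I recall it and should be checked against the current DShield client documentation; the log lines and the sensor host name are constructed for the example, and the addresses are documentation ranges.

```python
"""Normalise DShield-style and iptables/syslog firewall records into one event format.

Added example; the DShield field order below is an assumption, the sample
lines are constructed, and the addresses are documentation ranges (RFC 5737).
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """The common event record every collector maps into."""
    ts_utc: str      # ISO-8601 timestamp, normalised to UTC
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # TCP / UDP / ICMP ...
    count: int       # how many packets/connections this record stands for
    source: str      # which collector produced it


def _ip(text: str) -> str:
    """Return a canonical IP string or raise ValueError on garbage."""
    return str(ipaddress.ip_address(text.strip()))


def parse_dshield(line: str) -> Optional[Event]:
    """Assumed DShield client layout, tab separated:
    date(with offset)  author  count  src_ip  src_port  dst_ip  dst_port  proto  flags
    Returns None for lines that do not fit, so bad input never poisons statistics."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 9:
        return None
    date, _author, count, sip, sport, dip, dport, proto, _flags = parts[:9]
    try:
        ts = datetime.strptime(date, "%Y-%m-%d %H:%M:%S %z")
        return Event(ts.astimezone(timezone.utc).isoformat(),
                     _ip(sip), int(sport), _ip(dip), int(dport),
                     proto.upper(), int(count), "dshield")
    except ValueError:
        return None


# "Mon DD HH:MM:SS host kernel: <iptables key=value fields>"
_SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kernel: (?P<rest>.*)$")
_KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_iptables(line: str, year: int, tz: timezone) -> Optional[Event]:
    """iptables LOG target output as written by syslog. Syslog lines carry no year
    and no zone, so the collector must supply both (here: the sensor's local zone)."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        return None
    kv = dict(_KV_RE.findall(m["rest"]))   # IN=eth0 SRC=... DPT=... -> dict
    try:
        local = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        return Event(local.astimezone(timezone.utc).isoformat(),
                     _ip(kv["SRC"]), int(kv.get("SPT", 0)),
                     _ip(kv["DST"]), int(kv.get("DPT", 0)),
                     kv.get("PROTO", "").upper(), 1, f"iptables:{m['host']}")
    except (KeyError, ValueError):
        return None


def normalise(lines: List[str], year: int, tz: timezone) -> Tuple[List[Event], int]:
    """Route each raw line to the right parser; returns (events, rejected_count)."""
    events, rejected = [], 0
    for line in lines:
        ev = parse_iptables(line, year, tz) if " kernel: " in line else parse_dshield(line)
        if ev is None:
            rejected += 1
        else:
            events.append(ev)
    return events, rejected


# Constructed sample input: one DShield record, one iptables line (Vietnam local time,
# UTC+7), and one truncated line that must be rejected rather than guessed at.
VN_TZ = timezone(timedelta(hours=7))
SAMPLE_LINES = [
    "2009-11-12 03:15:01 +0000\t12345\t3\t203.0.113.7\t44321\t192.0.2.10\t22\tTCP\tS",
    "Nov 12 10:15:01 fw-hn1 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF "
    "PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "2009-11-12 03:16:00 +0000\t12345\t1\t203.0.113.7",
]

if __name__ == "__main__":
    evs, bad = normalise(SAMPLE_LINES, 2009, VN_TZ)
    for ev in evs:
        print(ev)
    print(f"{len(evs)} events normalised, {bad} line(s) rejected")
```

Both sample records describe the same SSH probe, one from the firewall's own log and one from a DShield client, and after normalisation they carry the identical UTC timestamp and five-tuple; that is what makes the duplicate visible to the correlation stage. Rejecting malformed lines rather than filling in defaults matters because a collector that guesses addresses or ports produces records that later cannot be distinguished from real observations.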
4. System collecting information from commercial network protection devices

Countless commercial protection products such as firewalls, IDS, IPS and anti-virus operate in the national network space and can supply many kinds of information for analysing the state of network security. The system for collecting information from commercial devices is a set of interfaces that receive information from the log files of the common commercial products and convert it into the standard format that the collection software of the previous section can receive and process.

Clearly this system is an important component supplying input to the national monitoring and warning system. It can be built as follows:

Information exchange standards of network protection devices

Standards for receiving information:

- Common standards for receiving network security information: SNMP, Syslog, ...
- Large vendors usually have their own formats and also support the common standards.
- Independent formats (from the DShield, OSSIM, ... development groups) are usually compatible with or support the common standards.

Standards for storing and processing information: IODEF and DShield, with conversion from the DShield format to IODEF or a compatible format.

Collecting information from protection devices that support an exchange standard

Two solutions are possible:

First, use the central management systems of the large network security vendors for that vendor's group of devices. This can be deployed quickly, is upgraded regularly and managed consistently, but the initial cost is high and there are considerable recurring fees for the foreign vendors' alert analysis services.

Second, use self-developed receiving modules or those of DShield, OSSIM or SURFnet. This is cheap and keeps the integrated system compact, but it requires strong technical support capacity and constant, timely upgrading to keep up with the rapid and frequent changes in the market.

Collecting information from protection devices that do not support an exchange standard

Self-developed receiving software can be used, by:

- Building a module converting the information into the DShield format.
- Writing software converting the information into IODEF.

Collecting information from protection devices developed in Vietnam

Software modules for supplying and receiving information can be developed with these functions:

- A module supporting the supply of collected information in the common format.
- Software converting the information into DShield or IODEF format.

Integrating commercial systems into the national database

Software converting information from the management formats of the various vendors into DShield or IODEF format.
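As an added example (not code from the report, from OSSIM or from DShield), the following builds a minimal IODEF (RFC 5070) document from already-normalised events of the kind the previous sections produce, and checks that the elements RFC 5070 makes mandatory are present before the record is stored. The incident identifier and CSIRT name are placeholders, the impact classification is chosen by the caller, and the two events are constructed; a real deployment would additionally validate against the IODEF XML Schema.

```python
"""Convert normalised security events into a minimal IODEF (RFC 5070) document.

Added example. Incident ID, CSIRT name and contact are placeholders; the events are
constructed. Only the structural checks that RFC 5070 makes mandatory are verified
here; full XML Schema validation is left to the storage layer.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
ET.register_namespace("", IODEF_NS)        # serialise with a default xmlns, no prefix
_IANA_PROTO = {"ICMP": 1, "TCP": 6, "UDP": 17}
_PURPOSES = {"traceback", "mitigation", "reporting", "other", "ext-value"}


def _el(parent: ET.Element, tag: str, text: str = None, **attrs) -> ET.Element:
    """Create a namespaced child element (Clark notation) with optional text/attributes."""
    child = ET.SubElement(parent, f"{{{IODEF_NS}}}{tag}", attrs)
    if text is not None:
        child.text = text
    return child


def _system(flow: ET.Element, category: str, ip: str, port: int, proto: str) -> None:
    """One <System> (source or target) with its address and service."""
    system = _el(flow, "System", category=category)
    node = _el(system, "Node")
    _el(node, "Address", ip, category="ipv6-addr" if ":" in ip else "ipv4-addr")
    # Service/@ip_protocol is REQUIRED and must be the IANA protocol number
    service = _el(system, "Service", ip_protocol=str(_IANA_PROTO.get(proto.upper(), 0)))
    _el(service, "Port", str(port))


def events_to_iodef(events: List[Dict], incident_id: str, csirt: str,
                    impact_type: str = "recon", severity: str = "medium",
                    completion: str = "failed") -> str:
    """Wrap a group of related events in one IODEF Incident and return the XML text.

    Each event dict needs: ts_utc, src_ip, src_port, dst_ip, dst_port, proto.
    """
    if not events:
        raise ValueError("an IODEF Incident needs at least one event")
    root = ET.Element(f"{{{IODEF_NS}}}IODEF-Document", {"version": "1.00", "lang": "en"})
    inc = _el(root, "Incident", purpose="reporting")
    _el(inc, "IncidentID", incident_id, name=csirt)          # @name = issuing CSIRT
    _el(inc, "ReportTime", events[0]["ts_utc"])
    assessment = _el(inc, "Assessment")
    _el(assessment, "Impact", severity=severity, completion=completion, type=impact_type)
    contact = _el(inc, "Contact", role="creator", type="organization")
    _el(contact, "ContactName", csirt)
    for ev in events:                       # one EventData per observed flow
        data = _el(inc, "EventData")
        _el(data, "DetectTime", ev["ts_utc"])
        flow = _el(data, "Flow")
        _system(flow, "source", ev["src_ip"], ev["src_port"], ev["proto"])
        _system(flow, "target", ev["dst_ip"], ev["dst_port"], ev["proto"])
    return ET.tostring(root, encoding="unicode")


def check_required(xml_text: str) -> List[str]:
    """Return the mandatory RFC 5070 pieces that are missing (empty list = acceptable)."""
    ns = {"i": IODEF_NS}
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{IODEF_NS}}}IODEF-Document" or root.get("version") != "1.00":
        problems.append("root must be IODEF-Document version 1.00")
    for inc in root.findall("i:Incident", ns):
        if inc.get("purpose") not in _PURPOSES:
            problems.append("Incident/@purpose missing or invalid")
        iid = inc.find("i:IncidentID", ns)
        if iid is None or not iid.get("name") or not (iid.text or "").strip():
            problems.append("IncidentID with @name is required")
        for tag in ("ReportTime", "Assessment", "Contact"):
            if inc.find(f"i:{tag}", ns) is None:
                problems.append(f"{tag} is required")
        for svc in inc.findall(".//i:Service", ns):
            if not svc.get("ip_protocol", "").isdigit():
                problems.append("Service/@ip_protocol must be an IANA protocol number")
    return problems


def summarise(xml_text: str) -> Dict:
    """Small reader used to check what was written: ID, target ports, protocol numbers."""
    ns = {"i": IODEF_NS}
    root = ET.fromstring(xml_text)
    return {
        "incident_id": root.findtext("i:Incident/i:IncidentID", namespaces=ns),
        "target_ports": [p.text for p in root.findall(
            ".//i:System[@category='target']/i:Service/i:Port", ns)],
        "protocols": sorted({s.get("ip_protocol") for s in root.findall(".//i:Service", ns)}),
    }


# Constructed events: the same host probing SSH and telnet on one target.
SAMPLE_EVENTS = [
    {"ts_utc": "2009-11-12T03:15:01+00:00", "src_ip": "203.0.113.7", "src_port": 44321,
     "dst_ip": "192.0.2.10", "dst_port": 22, "proto": "TCP"},
    {"ts_utc": "2009-11-12T03:15:03+00:00", "src_ip": "203.0.113.7", "src_port": 44322,
     "dst_ip": "192.0.2.10", "dst_port": 23, "proto": "TCP"},
]

if __name__ == "__main__":
    doc = events_to_iodef(SAMPLE_EVENTS, "VNCERT-2009-000001", "vncert.example")
    print(doc)
    print("missing:", check_required(doc) or "nothing")
```

The `check_required` pass is the cheap gate that belongs in front of the national database: a record without `IncidentID/@name`, `ReportTime`, `Assessment` or `Contact` is not a valid IODEF Incident, and a `Service` whose `ip_protocol` is a name rather than a number will be rejected by any schema-validating consumer when the record is later shared with another CSIRT.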
5. Central databases and information processing software

Preliminary processing of information received from the purpose-built sensors, the purpose-built collection software and the protection devices

This performs the functions of receiving information after the pre-processing stages of each specific receiving channel:

- Automatically verify and assess the authenticity of the received information.
- Apply correlation processing to each separate channel to remove duplicates from the statistics.
- Correct and complete the database records according to the IODEF standard.
- Store the verified and corrected information in the database.
- Forward and notify according to the incident response process.

Processing after preliminary reception

Information from the different channels must also be correlated across channels to remove duplicates from the statistics thoroughly. The correlation software, with its complex algorithms, is very important: its quality determines the results of the whole system (information processing performance, the rate of missed alerts and so on).

It supports experts in verifying the authenticity of reporting sources. The warning indicators are cross-checked, and the incident is identified automatically or through expert analysis.

All input information after correlation, together with the analysis results, is recorded in the database system for statistics, aggregation and research.
Cc CSDL
H thng gim st an ton mng quc gia c h thng c s d liu
(CSDL) phc tp thc hin cc chc nng lu tr v x l thng tin, bao gm

50

cc CSDL lu tr thng tin thu thp c ring cho tng knh, CSDL lu tr
thng tin qua x l tng quan, CSDL lu tr thng tin cnh bo.
Cn phi xy dng CSDL thng tin thng bo v thng tin gim st an
ton mng vi chun IODEF.
C th thc hin x l thng k v lu tr theo cng ngh nn OSSIM.
Thc hin trao i chia s thng tin cnh bo theo chun.
6. H thng phn tch thng k mt s ch tiu v s c
H thng phn tch thng k mt s ch tiu v s c l h thng trang b
cho phng iu hnh thc hin cc chc nng h tr chuyn gia phn tch v
ra quyt nh trong tnh hung khn cp.
Cn phi xy dng giao din iu hnh cho chuyn gia giao tip vi
CSDL thng tin thng bo v thng tin gim st an ton mng.
H thng tra cu kt qu thng k, phn tch v h tr ra quyt nh.
H thng m phng, th nghim v nh gi nhanh cc gii php k
thut an ton mng.
I.1.3. Experience from the deployment of some foreign network security monitoring systems
a) Survey of some foreign network security monitoring systems.
During the 2008 research survey conducted to prepare for direct implementation of the technical content of this project, the project staff visited directly, or exchanged information with partners, to learn about a number of network security assurance systems of countries and large enterprises around the world, as follows (see the detailed introduction in the report):
- The Government Security Operation Coordination center GSOC, under Japan's National Information Security Center.
- The JSOC (Japan Security Operation Center) information security operations center of the LAC Corporation (Japan).
- The FSOC network security operations center of the Fujitsu Corporation.
- The NICTER center for network security incident monitoring, analysis and emergency response, under Japan's National Institute of Information and Communications Technology (NICT).
- The "swallow network" system project for monitoring attacks on the Internet, run by the Japan Computer Emergency Response Team Coordination Center JPCERT/CC.
- The ISEC information security center of Japan's Information-technology Promotion Agency (IPA), under Japan's Ministry of Economy, Trade and Industry (METI).
- The Korea Internet Security Center KISC, under the Korea Computer Emergency Response Team Coordination Center (KrCERT/CC).
- The ARAKIS network security early warning system of the Polish computer emergency response team (CERT Polska).
- The network security monitoring system of the Dutch government computer emergency response team (GOVCERT.NL).
- The Honeypot (network attack trap) and SpamPots (spam trap) network security monitoring systems of the Brazilian computer emergency response team CERT.BR.
- The network security monitoring system of the Chinese computer emergency response coordination center (CNCERT/CC).
- The network security monitoring system of the Malaysian computer emergency response team (MyCERT), under CyberSecurity Malaysia.
- The ISS information security operations center in Tokyo of the IBM Corporation (USA).
- The network security monitoring center serving the government and enterprise sectors at the e-Cop company of Singapore (in cooperation with SingCERT).
In general, countries as well as multinational companies all pay great attention to building network security technical centers, although the level of investment in these systems differs between countries and organizations according to their specific mandate and investment capacity. A notable characteristic is that these centers are built to their own individual designs and use dedicated software that is kept strictly confidential and, for security reasons, is never transferred intact to other parties.
National centers usually do not buy turnkey technology for their systems; they design and build the system core themselves. They usually buy part of the technology and develop the rest in order to integrate the overall system. Among the components of a national network security technical center, those belonging to the information collection subsystem for network security tracking and monitoring, and to statistical data analysis, usually require the most in-house development of specific technology and are kept the most secret. Even when that part of the system is built on open technology or open-source foundations, the real technical details in use are never published.
Overall, such a national network security technical center usually comprises the following main functional technical systems:
- A national-level system for collecting network monitoring information, tracking incidents and issuing early warnings;
- A system supporting the analysis, research and processing of network security information;
- A system supporting incident handling operations and network security management;
- Systems for testing new solutions and technologies, a system supporting information security conformity assessment, and a system supporting skills training and information security technology transfer;
- A data center system storing national security information.
Each country has its own development strategy, but all move towards building the functional technical systems listed above.
b) Specific examples of national-level network monitoring information collection systems of some countries
The network monitoring system of GOVCERT.NL (the Netherlands) can monitor automated attacks, attacks on operating systems and applications, system scanning/probing processes, and the various kinds of malicious code.
The network monitoring center of KrCERT/CC (South Korea) operates a national-level HoneyNet/honeypot system with observation points located in the critical areas of the domestic Internet.
The national hacker trap (honeypot) system of CERT.Br (Brazil) collects all the behaviour, tools, points of origin and attack strategies of hackers attacking the system. It samples malicious code, collects spam samples, and compiles statistics on hacker attacks across the country's wide-area network.
The ARAKIS early warning system of CERT Polska (Poland) uses four data sources: honeypot networks, firewalls, antivirus systems, and analysis of darknet information. It has the following functions: alerting and early detection of threats on the network; discovering new threats and producing descriptions of them; providing an overall picture of the Polish Internet; and supporting network monitoring work by automating defensive techniques and protecting critical infrastructure.
The Internet security monitoring model of GSOC (Japan): Japan's National Information Security Center (NISC) set up the GSOC (Government Security Operation Coordination Team) system to monitor Internet security for the Japanese government sector, placing monitoring equipment (hardware and software) at information collection points on the networks of government agencies, mainly at the critical servers of agencies and organizations and at IDS/IPS systems.
The emergency detection system of Kaspersky uses reports generated by the community of users who have installed the KAV or KIS software to collect information that helps update new malware threats in a timely manner.
Symantec
Internet.
The CESM enterprise network security information processing system of e-Cop: CESM (Cyclops Enterprise Security Management) is characterized by not building its own separate high-speed sensors, but instead using solutions that collect the information generated by the network security devices of more than 50 manufacturers of information security equipment and software worldwide.
A number of open-source solutions, such as OSSIM (Open Source Security Information Management), AIRCERT (Automated Incident Reporting CERT), Crusoe CIDS (Crusoe Correlated Intrusion Detection System) and MIDAS (Monitoring, Intrusion Detection, & Administration System), are also developing in this direction.
c) General lessons and applicability to Vietnam
Overall, from a technical perspective, to ensure national network security each country usually builds a national network security technical center with the following main functional technical systems:
- A national-level system for collecting network monitoring information, tracking incidents and issuing early warnings;
- A system supporting the analysis, research and processing of network security information;
- A system supporting incident handling operations and network security management;
- Systems for testing new solutions and technologies, a system supporting information security conformity assessment, and a system supporting skills training and information security technology transfer;
- A data center system storing national security information.
Experience shows that the approach of integrating a system from the readily available technologies of many vendors, together with systems improved from open source, is entirely feasible for any developing country with a skilled IT workforce. Vietnam is among such countries. The development direction may be as follows (for details see the Branch 1 report):
Building systems whose function is to collect network monitoring information, track incidents and issue national-level alerts; these may include:
- A system for tracking and compiling statistics on national Internet traffic,
- A national hacker trap (honeypot) and spam trap (spampot) system,
- A system for processing information security reports and alerts,
- An automated monitoring system serving rapid response to wide-area incidents.
Building systems that exploit network security information and support activities to prevent and counter network attacks. The next task, once the databases created by the systems for collecting network monitoring information, tracking incidents and issuing national-level alerts exist, is to exploit that data for network security assurance. For example, we can build the following systems:
- An early warning and attack response coordination system,
- A national network security vulnerability remediation system,
- A system supporting the collection of cybercrime evidence.
Lessons on building an information security expert workforce
Besides the experience drawn above, working with foreign partners also yielded lessons on building an information security expert workforce to serve the national network security monitoring system, namely: training the necessary skills; organizing a rapid-response expert force comprising general management, assistants and an information intake unit; and incident handling and analysis experts.
d) Conclusions
The systems analysed and proposed above are all essential for any country wishing to promote IT application.
The systems listed in section 2 are highly feasible for Vietnam from a technical standpoint, since many countries have deployed them successfully. However, these systems cannot easily be built all at once, for several reasons:
- The state budget cannot meet the cost,
- The information security market is still small and not yet favourable for investment in the form of services,
- Expert personnel are still in very short supply, not enough for rapid, coordinated large-scale deployment.
Beyond the technical conditions, the overall feasibility of a project also depends on funding (cost) and personnel.
Therefore we must draw up a suitable step-by-step deployment plan.
According to the initial assessment, we can build the national Internet security monitoring system as an integrated system combining all four of the systems mentioned above for collecting network monitoring information, tracking incidents and issuing national-level alerts. However, the project should follow a number of principles:
- Take every opportunity to test the technologies as widely as possible, to determine clearly how well they suit the different practical conditions, specifically the sensor system and the centralized management systems;
- Focus on developing and testing open-source products as the core, while also striving to test commercial products as fully as possible;
- In building the management system, concentrate on building and perfecting the technology products that serve information collection. The exploitation part should be developed only to the level needed for verification, or where it is essential and simple enough to be put to use immediately. The results will best guide the construction of the practical system later on.
I.1.4. Overall context diagram of the Vietnam Internet security monitoring system
a) Operational position of the network security monitoring system
Participating in national network security assurance, according to the functions, duties and responsibilities of the relevant ministries, the national focal points will be: the Ministry of Information and Communications (MIC), the Ministry of Public Security, and the Ministry of National Defence.
Besides the Ministry of Public Security and the Ministry of National Defence, which are involved in the above, the Government Cipher Committee within the Ministry of Home Affairs is responsible for managing, researching and deploying cryptographic applications, and for building systems that ensure information security and confidentiality for the local and private computer networks of government agencies. This activity does not overlap with national network security assurance; it complements it, making it more effective for the government sector.
Figure I.7: Operational diagram of the governing bodies
The role of the MIC in information security assurance
The Ministry of Information and Communications performs state management and enforcement for information and communications technology, including the field of information security and network security assurance.
The Vietnam Computer Emergency Response Team (VNCERT) is a unit of the Ministry of Information and Communications, established under Prime Minister's Decision No. 339/2005/QĐ-TTg, with the following main functions:
- Coordinating computer incident response activities nationwide;
- Issuing timely warnings on computer network security issues; developing, or coordinating the development of, technical standards for computer network security;
- Promoting the formation of a system of CERTs in agencies, organizations and enterprises;
- Acting as the focal point for cooperation with foreign CERT organizations.
VNCERT's activities in carrying out its prescribed functions and duties include the following main points:
- Coordinating national Internet response activities to prevent and counter network incidents, and participating in combating crime and terrorism on the Internet, nationally and within the framework of international cooperation;
- Collecting information on Internet security; compiling statistics and analysing data on national Internet security to support state management of security and confidentiality in telecommunications and IT activities; participating in research and development of technical tools for computer network security; developing policies, technical standards, norms and a framework for staff training and development;
- Strengthening computer emergency response activities and promoting the formation of a system of CERT centers in agencies, organizations and enterprises;
- Participating in and cooperating with CERT organizations worldwide, and acting as the national focal point for cooperation with international network security centers;
- Participating in the Ministry's state management work in the field of computer network security and confidentiality, with respect to the activities of associations and non-governmental organizations in the field of network security;
- Providing services for computer network security.
Although VNCERT, the national coordinating body, has been established and has begun operating effectively in a number of areas, its results rest mainly on the personal knowledge and practice of its experts and on the use of administrative directives. In practice, no modern technical system has yet been invested in for detecting threats and issuing early warnings, for rapidly making coordination decisions on prevention and effective containment, and for remediating the damage of network security incidents. Clearly, an additional strong technical operations center is needed for national network security assurance and anti-hacker activities. That would enable network security monitoring and management at the national scale, and facilitate rapid, timely technical support and effective coordination among organizations and ministries nationwide. Research into building a national network security monitoring system is therefore essential to address the tasks above.
b) Overall context diagram
From the above analysis, the overall context diagram can be given as follows:
Figure I.8: Diagram describing the overall context of the Vietnam Internet security monitoring system
The Vietnam Internet security monitoring system is a technical system comprising devices and systems whose task is to collect network security information from many different sources and store it in a database. See the detailed description of the diagram components in the Branch 1 report.
c) General functional structure of the Vietnam Internet security monitoring system
The network security monitoring system performs the following main functions:
+ Continuously collecting information on network security threats and incidents.
+ Identifying, rapidly processing and issuing early warnings of network security threats and incidents.
+ Supporting the operation of rapid response to network security incidents.
This system will create a network security information processing capability unprecedented in Vietnam by rapidly collecting and processing information from all the basic alert sources:
+ Community reporting channels on incidents and incident threats,
+ Reports from dedicated monitoring sensor devices,
+ Reports from dedicated monitoring software,
+ Information channels from commercial network protection devices,
+ Alerts from domestic and foreign research organizations.
The content of this information tells us about the timing of attacks, their origin, scale and scope, the attack techniques, and the malicious code spreading on the network. This information needs to be stored in the common operational system for long-term research, statistics, and so on.
From the overall diagram, the general functional structure of the system can be proposed as in Figure I.9.
Experience shows that integrating a system from the readily available technologies of many vendors and from systems improved from open source is entirely feasible for us. VNCERT's survey and research results allow us to design and deploy a network monitoring system with the following components:
- A subsystem supporting information collection from the reporting channels;
- A subsystem of dedicated monitoring sensors;
- A subsystem of dedicated information collection software;
- A subsystem collecting information from commercial network protection devices;
- A subsystem of databases and central information processing software;
- A subsystem supporting the command and operation of incident response.
Figure I.9: General functional structure diagram of the system
d) General system structure and the system's input and output information
The main report of Branch 1 describes the functions and proposes the technical solution requirements and the necessary equipment for each subsystem, in order to build a real monitoring system at the scale of the project.
The database is the central store of data for the whole system. Because the system must serve many different parties at the same time, this component must be a database server that supports many connected clients. The Internet security monitoring system will use the following main data:
Database for management and lookup via the interactive interface (website)
The database serving management activities through the Web interface needs to contain the following main information:
+ User information (Users); the system checks the user's account against this table each time the user logs in.
+ Information on the hosts (Hosts) monitored in the network.
+ The list of services running on the hosts (Host_services).
+ The weaknesses of each host discovered by the vulnerability scanning process (Host_vulnerability).
+ The list of physical (MAC) addresses of the host devices (Host_Mac).
+ The list of computer names in the network (Host_Netbios).
+ The list of operating systems of the computers in the network (Host_OS).
+ The list of managed computer networks (Net).
+ The list of reconnaissance machines participating in the Internet security management system (Sensor).
+ System configuration settings (Config).
+ The table of policies for the objects in the network (Policy). A policy lets us define the objects and object groups that the system will manage: who is allowed to access what, and to what extent. Events related to these objects are then given attention, assessed and handled according to the priority of the event and of the object.
+ The list of information on the utilities used by the system (Plugins). These utilities process information directly at the sensors or at the module receiving the collected input data, adding to the data the various identifying markers of events.
+ The table recording events (Events).
+ The table of network security incidents (Incidents).
Intrusion detection system database
The intrusion detection system database comprises the following tables serving the operation of the intrusion detection component:
+ The list of events detected by the intrusion detection system (Event).
+ The list of signatures identifying network traffic that may pose a threat (Signature).
+ The stored payload of data packets, which when needed can be read back to reconstruct and analyse what happened on the network (Data).
+ For processing, several tables describing the headers of the common packet types are also needed: icmphdr, iphdr, tcphdr, udphdr.
Access control database
The access control database, used to assign access rights to users, comprises tables holding the definitions of the user groups, the definitions of the objects on the website, and the access rights to those objects for each user group.
It can be seen that most of the information listed above is input that rarely changes and belongs to the category of pre-configured or pre-installed information. Only the groups of information relating to events, incidents and alerts received directly from other external systems are inputs that are collected and updated continuously from the input sources for network security monitoring. Processing this information is the fundamental purpose of the entire network security monitoring system.
Information processing results
Processing produces four main groups of output information:
Assessment information
The system must be able to analyse and assess the importance and priority of each event for sorting and classification. The assessment and priority classification must answer the following:
- Which components are important and need protection? (asset assessment)
- How risky (worrying) is each event? From this, which source or destination addresses are of concern?
The system also allows alerts to be configured to be sent to the administrator whenever a given event occurs on an object. The priority depends on the context of the event; in other words, the importance of an alert relates to the environment described in the knowledge base about the network: the list of computers and networks (identifiers, operating systems, services, etc.) and the access policy (who is allowed to access, from where and to where).
Aggregated information
This is the outstanding feature of the Internet security monitoring system with its distributed sensor structure. The system can combine information to produce decision information:
- Recognizing the relation between an alert and the version of the product or operating system that can be attacked (ignoring attack threats that target only other versions);
- Recognizing the relation between the intrusion detection software (e.g. Snort) and the vulnerability scanning software (e.g. Nessus): if a system can be attacked through a weakness and the scan has found that the system has that weakness, the alert is assigned high priority;
- Allowing relations between occurring events to be defined based on several indicators: alerts; anomaly indicators; the state of the systems being monitored.
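As an added example (not code from the report or from OSSIM, Snort or Nessus), the following Python script implements the contextual prioritization just described, covering both the asset assessment and the IDS/scanner cross-reference, on an in-memory SQLite knowledge base: an IDS event is scored higher when the destination host is known to carry the vulnerability the signature targets, zeroed when the signature targets a different operating system, and weighted by the asset value of the host. The table names follow the lists in this section (Hosts, Host_OS, Host_vulnerability, Signature, Event); their columns, the vulnerability identifiers, the priority scale and the scoring rule are assumptions, and the rows are constructed.

```python
"""Contextual prioritization of IDS alerts against the host knowledge base.

Added example (not code from the report). Table names follow the lists in
the text (Hosts, Host_OS, Host_vulnerability, Signature, Event); their
columns, the vulnerability identifiers, the base-priority scale and the
scoring rule are all assumptions made for this illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE Hosts (host_id INTEGER PRIMARY KEY, ip TEXT UNIQUE, asset_value INTEGER);
CREATE TABLE Host_OS (host_id INTEGER, os TEXT);
CREATE TABLE Host_vulnerability (host_id INTEGER, vuln_id TEXT);
CREATE TABLE Signature (sig_id INTEGER PRIMARY KEY, name TEXT,
                        vuln_id TEXT, target_os TEXT, base_priority INTEGER);
CREATE TABLE Event (event_id INTEGER PRIMARY KEY, sig_id INTEGER,
                    src_ip TEXT, dst_ip TEXT);
"""

# Constructed sample data: two monitored hosts and three IDS events.
SAMPLE_DATA = [
    ("INSERT INTO Hosts VALUES (?,?,?)", [(1, "192.0.2.10", 5), (2, "192.0.2.20", 2)]),
    ("INSERT INTO Host_OS VALUES (?,?)", [(1, "Linux"), (2, "Windows")]),
    ("INSERT INTO Host_vulnerability VALUES (?,?)", [(1, "VULN-A"), (2, "VULN-B")]),
    ("INSERT INTO Signature VALUES (?,?,?,?,?)", [
        (100, "exploit attempt A", "VULN-A", "Linux", 3),
        (200, "exploit attempt B", "VULN-B", "Windows", 3),
        (300, "generic probe", None, None, 1)]),
    ("INSERT INTO Event VALUES (?,?,?,?)", [
        (1, 100, "203.0.113.5", "192.0.2.10"),   # vuln + OS match on a valuable host
        (2, 200, "203.0.113.5", "192.0.2.10"),   # Windows exploit sent to a Linux host
        (3, 300, "203.0.113.9", "192.0.2.20")]), # untargeted probe, low-value host
]

# Assumed priority rule: base priority, doubled when the target host has the
# exact vulnerability, zeroed when the signature targets a different OS, then
# weighted by the asset value of the destination host.
PRIORITY_SQL = """
SELECT e.event_id, s.name, h.ip, h.asset_value,
       CASE
         WHEN s.target_os IS NOT NULL AND o.os IS NOT NULL AND s.target_os <> o.os THEN 0
         WHEN hv.vuln_id IS NOT NULL THEN s.base_priority * 2
         ELSE s.base_priority
       END * COALESCE(h.asset_value, 1) AS priority
FROM Event e
JOIN Signature s ON s.sig_id = e.sig_id
LEFT JOIN Hosts h ON h.ip = e.dst_ip
LEFT JOIN Host_OS o ON o.host_id = h.host_id
LEFT JOIN Host_vulnerability hv ON hv.host_id = h.host_id AND hv.vuln_id = s.vuln_id
ORDER BY priority DESC, e.event_id
"""


def build_db() -> sqlite3.Connection:
    """Create the in-memory knowledge base and load the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE_DATA:
        conn.executemany(sql, rows)
    return conn


def prioritized_events(conn: sqlite3.Connection):
    """Return [(event_id, signature, dst_ip, asset_value, priority)] by priority."""
    return conn.execute(PRIORITY_SQL).fetchall()


if __name__ == "__main__":
    for row in prioritized_events(build_db()):
        print(row)
```

The LEFT JOINs are deliberate: an event against a host that is not in the inventory still appears (with asset value 1) rather than silently disappearing, which is the failure mode a prioritization stage must avoid.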
Management information
The Internet security management system automatically stores information on the network components and the computers in the network:
+ Operating system
+ Physical addresses of the devices
+ Computer name, domain name
+ Services running on the system
+ Product name and version of the services,
+
This information is used to detect any change and to raise an alert whenever one occurs.
Other data on data flows, connections and timing can also be stored in the database, and can be compiled into statistics and displayed to support the assessment and monitoring of network usage.
Control and operation information
A central system can be set up with the function of managing and assigning work to the reconnaissance machines. When there is a request to scan a certain system, the central system forwards the request to the reconnaissance stations corresponding to the system to be scanned; the other reconnaissance machines do not have to execute it. Some intelligent systems can perform a response function for network security incidents and threats, and can even look up information about the attacker, such as name, route, type of system (Unix or Windows, etc.), port numbers, and so on.
During operation, the central system logs the events occurring on the system and the operations users have performed. This function is needed when the system has many users and we want to see who did what on the system.
In the analyses above we have identified the basic inputs and outputs of a network security monitoring system. The following topics will study the detailed data structure design and the information processing solutions for the system.
I.2. Research on applying international standards and norms for building the system
I.2.1. Research and analysis on applying the international standards for information security management systems and the code of practice for information security (ISO 17799:2005 and ISO 27001:2005) to the system
a) Objectives and scope
To research and analyse the application of the international standards for information security management systems and the code of practice for information security (ISO 17799:2005 and ISO 27001:2005), and to extract the guidance documentation for deploying, operating and securing the operation of the centrally managed network security monitoring system protecting the Vietnam Internet.
b) Applicability
This document applies to all management, technical and operations staff of the network security monitoring system protecting the Vietnam Internet, in line with the most widely used information security standards today, ISO 17799 and ISO 27001.
This document sets out information security management measures for installing, implementing or maintaining the security of the centrally managed network security monitoring system protecting the Vietnam Internet. The management measures drawn from this document should be selected and used in accordance with the relevant laws and regulations.
c) Normative references
International standard ISO 17799:2005, Code of practice for information security, and international standard ISO 27001:2005, Information security management system.
The project team directly authored the TCVN/ISO-IEC 27001:2009 version of the standard recently issued in Vietnam.
I.2.2. Content of the technical provisions
The content recommended for adoption is the following 9 groups of information security management measures:
a) Security policy
+ Information security policy
- Information security policy document
- Review of the information security policy
b) Organization of information security
+ Internal organization
- Management responsibility for information security
- Information security coordination
- Allocation of information security responsibilities within the organization
- Authorization process for information processing facilities
+ External parties
- Identification of risks related to external parties
- Addressing information security issues relating to customer users
- Addressing information security in third-party agreements
c) Asset management
+ Responsibility for assets
- Inventory of assets
- Ownership of assets
- Acceptable use of assets
d) Human resources security
+ Prior to employment
- Roles and responsibilities
- Screening
- Terms and conditions of employment
- Management responsibilities
- Disciplinary process
- Responsibilities on termination of employment
- Return of assets
- Removal of access rights
e) Physical and environmental security
+ Equipment security
- Security of equipment off-premises
- Secure disposal or re-use of equipment
f) Communications and operations management
+ Operational procedures and responsibilities
- Documented operating procedures
- Change management
+ Protection against malicious code
- Controls against malicious code
+ Back-up
- Information back-up
+ Network security management
- Network controls
- Security of network services
- Management of removable media
- Disposal of media
+ Exchange of information
- Information exchange policies and procedures
- Electronic messaging
- Business information systems
+ Monitoring
- Audit logging
- Monitoring system use
- Protection of log information
- Administrator and operator logs
- Fault logging
- Clock synchronization
g) Access control
+ Requirements for access control
- Access control policy
- User registration
- Privilege management
- User password management
- Review of user access rights
+ User responsibilities
- Password use
- Clear desk and clear screen policy
+ Network access control
- Policy on use of network services
- User authentication for external connections
- Remote diagnostic and configuration port protection
- Segregation in networks
- Network connection control
+ Operating system access control
- Secure log-on procedures
- User identification and authentication
- Password management system
- Protection of system utilities
- Limitation of connection time
+ Application and information access control
- Information access restriction
- Mobile computing and communications
- Teleworking
h) Information systems acquisition, development and maintenance
+ Security requirements of information systems
- Security requirements analysis and specification
+ Cryptographic controls
- Policy on the use of cryptographic controls
- Key management
+ Security of system files
- Protection of operating systems
- Access control to program source code
+ Security in development and support processes
- Change control procedures
- Prevention of information leakage
- Outsourced software development
+ Technical vulnerability management
- Control of technical vulnerabilities
i) Information security incident management
+ Reporting information security events and weaknesses
- Reporting information security events
- Reporting security weaknesses
- Responsibilities and procedures for information security incident management
- Learning from information security incidents
- Collection of evidence
+ Compliance
+ Compliance with legal requirements
- Identification of applicable legislation
- Intellectual property rights
- Data protection and privacy of personal information
- Prevention of misuse of information processing facilities
+ Compliance with security policies and standards
- Compliance with information security policies and standards
- Technical compliance checking
+ Information systems audit
- Measurement and testing methods
- Management regulations
I.2.2. Research and analysis of the international standard for the network security incident information exchange format (IETF IODEF)
a) The IODEF standard
The IODEF standard was developed by the Extended Incident Handling working group of the Internet Engineering Task Force (IETF) up to October 2006, and continues to be supplemented and refined by experts. The latest version is RFC 5070, published in December 2007.
The purpose of the IODEF standard is a data model serving the reporting and exchange of information about computer incidents. The basic part of the IODEF model must therefore be able to describe and exchange information about an information-security incident object, with the following main contents:
- Attack
- Attacker
- Damage
- Event
- Evidence
- Incident
- Impact
- Target
- Victim
- Vulnerability
b) Design of IODEF
The design has to address the following problems:
- Incident data is inherently complex and heterogeneous, and may therefore change throughout its lifetime or investigation.
- Incident information is generated by many different sources.
- The incident description object may be created at the CSIRT, from community reports, or from the original reports of IDS alerting devices.
- The incident description may contain a great deal of sensitive information, so that sensitive information must be protected.
- The incorporation of evidence, which in some cases is confidential information, must be kept secure.
The IODEF design principles ensure:
Content-oriented
- The object-oriented approach makes it simple to introduce new objects that extend the description with new content.
- Different attributes can be declared for different components.
Clear and consistent specification
- Identical incident descriptions created by different CSIRTs must be recognized as one and the same incident.
- Supports correlation of related incidents.
- Provides the basis for the necessary cooperation between CSIRTs.
- The principle that an incident object has an owner is the key principle ensuring the correlation of incidents and the clear, consistent representation of information.
Implemented in XML
- Data is readable by people but also parseable by machines.
- The data description is easy to extend.
- Tools are plentiful, some even free.
- Internationalization, allowing CSIRTs to use their local language.
- Reuses many IDMEF data classes, and can use IDMEF open-source software.
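As an added example (not code from the report or from any CSIRT project), the following Python script builds an RFC 5070 IODEF-Document for one incident record and reads back the fields a receiving CSIRT would index on. It shows the Incident, IncidentID, Assessment/Impact, Contact and EventData/Flow/System classes, and the restriction attribute with which the sensitive-information requirement above is expressed on the wire. The element names, attributes and namespace are those of RFC 5070; the internal record layout and the sample values are assumptions.

```python
"""Build an RFC 5070 IODEF-Document from an internal incident record and parse it back.

Added example; it is not code from the report or from any CSIRT project. The
record layout (the `SAMPLE_INCIDENT` dict) is an assumption; the element
names, attributes and namespace are those of RFC 5070 (IODEF 1.0).
"""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
ET.register_namespace("iodef", IODEF_NS)


def _q(tag: str) -> str:
    """Qualify a tag name with the IODEF namespace."""
    return "{%s}%s" % (IODEF_NS, tag)


def _sub(parent, tag, text=None, **attrs):
    """Append a namespaced child element with optional text and attributes."""
    el = ET.SubElement(parent, _q(tag), {k: str(v) for k, v in attrs.items()})
    if text is not None:
        el.text = str(text)
    return el


# Constructed incident record, the kind of thing a correlation stage would emit.
SAMPLE_INCIDENT = {
    "id": "VN-2011-000123",
    "authority": "vncert.example",         # IncidentID/@name: who issued the id
    "report_time": "2011-03-01T02:00:00+00:00",
    "description": "SSH brute-force attempts against a monitored host",
    "impact_type": "user", "severity": "medium", "completion": "failed",
    "restriction": "need-to-know",         # sensitivity marking on the Incident
    "contact_name": "National CERT desk", "contact_email": "cert@example.test",
    "sources": ["203.0.113.7"], "target": "192.0.2.10", "target_port": 22,
}


def build_iodef(inc: dict) -> bytes:
    """Serialize one incident record as an IODEF-Document."""
    root = ET.Element(_q("IODEF-Document"), {"version": "1.00", "lang": "en"})
    incident = _sub(root, "Incident", purpose="reporting", restriction=inc["restriction"])
    _sub(incident, "IncidentID", inc["id"], name=inc["authority"])
    _sub(incident, "ReportTime", inc["report_time"])
    _sub(incident, "Description", inc["description"])
    assessment = _sub(incident, "Assessment")
    _sub(assessment, "Impact", type=inc["impact_type"], severity=inc["severity"],
         completion=inc["completion"])
    contact = _sub(incident, "Contact", role="creator", type="organization")
    _sub(contact, "ContactName", inc["contact_name"])
    _sub(contact, "Email", inc["contact_email"])
    flow = _sub(_sub(incident, "EventData"), "Flow")
    for ip in inc["sources"]:
        node = _sub(_sub(flow, "System", category="source"), "Node")
        _sub(node, "Address", ip, category="ipv4-addr")
    target = _sub(flow, "System", category="target")
    _sub(_sub(target, "Node"), "Address", inc["target"], category="ipv4-addr")
    _sub(_sub(target, "Service", ip_protocol=6), "Port", inc["target_port"])
    return ET.tostring(root, encoding="utf-8")


def parse_iodef(data: bytes) -> dict:
    """Read back the fields a receiving CSIRT would index on."""
    root = ET.fromstring(data)
    ns = {"iodef": IODEF_NS}
    inc = root.find("iodef:Incident", ns)
    systems = inc.findall("iodef:EventData/iodef:Flow/iodef:System", ns)

    def addr(system):
        return system.findtext("iodef:Node/iodef:Address", namespaces=ns)

    return {
        "id": inc.findtext("iodef:IncidentID", namespaces=ns),
        "authority": inc.find("iodef:IncidentID", ns).get("name"),
        "restriction": inc.get("restriction", "default"),  # RFC 5070 default value
        "severity": inc.find("iodef:Assessment/iodef:Impact", ns).get("severity"),
        "sources": [addr(s) for s in systems if s.get("category") == "source"],
        "targets": [addr(s) for s in systems if s.get("category") == "target"],
    }


if __name__ == "__main__":
    doc = build_iodef(SAMPLE_INCIDENT)
    print(doc.decode())
    print(parse_iodef(doc))
```

The IncidentID carries the issuing authority in its name attribute; that pair, not the bare number, is what lets two CSIRTs recognize the same incident, which is the "one and the same incident" requirement listed above.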

c) Seamless integration with the IDMEF standard
IODEF is compatible with IDMEF, and IDMEF messages can be brought into the incident object in one of two ways: using an IncidentAlert class container that wraps the IDMEF Alert, or decomposing the IDMEF Alert into the IODEF Incident classes.
- IODEF development keeps pace with compatibility with the IDMEF versions.
d) Description of the IODEF standard
Detailed documentation is in the Branch 1 report and the attached Appendix 1.
e) Assessment and recommendations
Strengths
- The IODEF standard is oriented towards describing computer information security incident information for use by CSIRTs;
- It ensures incident descriptions can easily be supplemented with information;
- It supports correlation to eliminate similar alert reports;
- It allows the data inside to be encrypted for confidentiality;
- It is compatible with the IDMEF standard;
- It continues to be supplemented, outside the standard, with descriptions of additional data classes for specific new incident types (such as phishing and DDoS);
- RFC 5070 has been published;
- Several successful projects worldwide use IODEF, such as AirCERT (CERT/CC, USA), eCSIRT (the European CSIRT network) and ISDAS (JPCERT/CC, Japan).
Weaknesses
- The IETF international working group has ended official development and refinement of IODEF; only individual experts continue to improve and supplement it.
- Some items in the IODEF model are not yet fully specified or updated, such as: the CorrelateIncident class (Section 5.2.2.2); Section 7.2, Unrecognized XML Tags, to target better IDMEF and IODEF integration; the representation of packets and flows in <Evidence>; the representation of vulnerability data (vul-description); the description of how IDMEF classes are reused in IODEF; and the still-difficult question of how to prohibit certain elements.
- Some formatting features may be cumbersome and not really necessary.
Recommendations
- Studying the application of IODEF is beneficial; however, it is not necessary to adopt the entire RFC 5070 specification. Only the suitable parts need be selected for the specific data design.
- It may suffice to use a compatible structure in the IODEF-Document/Incident description, so that information can be exported in a form suitable for exchange with international CERTs/CSIRTs.
I.2.3. Proposed framework for exchanging network security incident information, and framework for exchanging network attack detection reports, to be applied
a) Proposed information exchange framework within the system
The system's data processing subsystems comprise:
1. The groups of agents (people/devices/software/information channels) that collect network security information.
2. The central system for receiving and collecting network security information (SIGS).
3. The system for storing and processing information, statistics, alerting and control (SIPS).
Information exchange
The SIGS system receives reports of attacks (that have occurred or may occur) and performs the initial processing.
The general model of collecting reports from sensor devices (IDS, firewall) is shown in Figure I.10.
Figure I.10: Collecting information from devices
The essence of information processing is to receive incident reports (messages) from the agents, transform them into data in a standard format, and selectively store, analyse, compile statistics on and exchange them.
IDMEF reports are processed in a four-stage cycle: Data Aggregation, Data Reduction, Data Correlation, and Data Induction.
This process of collecting and transforming reports follows the IDMEF standard framework and is supported at every processing stage according to the international standard.
After processing, information about a single incident object is distilled from a large number of reports. At that point we use the IODEF standard format for long-term storage, serving later statistical analysis and information exchange.
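As an added example (not code from the report), the following Python script runs the four stages just listed over constructed alerts from three channels (sensor, commercial firewall, honeypot). It also illustrates the cross-channel correlation and duplicate removal required of the central processing subsystem in section 5 above: aggregation groups alerts by source, destination, port and class; reduction collapses each group, counting reports of the same activity from different channels once; correlation links groups that share a source within a time window; induction labels the resulting incident from its shape, producing the single incident object that the IODEF record would then hold. The alert record layout, the 10-minute window and the labelling thresholds are assumptions.

```python
"""Four-stage processing of normalized alerts: aggregation, reduction,
correlation, induction.

Added example illustrating both the multi-channel correlation/deduplication
of the central processing subsystem and the four-stage IDMEF cycle. It is
not code from the report. The alert record layout, the 10-minute window and
the induction thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _t(s):
    """Helper for the constructed sample timestamps (UTC)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed alerts from three channels; the sensor and the commercial
# firewall both reported the same SSH attempts, so they must count once.
SAMPLE_ALERTS = [
    {"channel": "sensor", "ts": _t("2011-03-01 01:15:02"), "src": "203.0.113.7",
     "dst": "192.0.2.10", "dst_port": 22, "class": "ssh-bruteforce"},
    {"channel": "firewall", "ts": _t("2011-03-01 01:15:02"), "src": "203.0.113.7",
     "dst": "192.0.2.10", "dst_port": 22, "class": "ssh-bruteforce"},
    {"channel": "sensor", "ts": _t("2011-03-01 01:18:40"), "src": "203.0.113.7",
     "dst": "192.0.2.10", "dst_port": 22, "class": "ssh-bruteforce"},
    {"channel": "honeypot", "ts": _t("2011-03-01 01:20:05"), "src": "203.0.113.7",
     "dst": "192.0.2.99", "dst_port": 22, "class": "ssh-bruteforce"},
    {"channel": "sensor", "ts": _t("2011-03-01 03:00:00"), "src": "198.51.100.4",
     "dst": "192.0.2.11", "dst_port": 80, "class": "web-probe"},
    {"channel": "sensor", "ts": _t("2011-03-01 03:00:01"), "src": "198.51.100.4",
     "dst": "192.0.2.12", "dst_port": 80, "class": "web-probe"},
    {"channel": "sensor", "ts": _t("2011-03-01 03:00:02"), "src": "198.51.100.4",
     "dst": "192.0.2.13", "dst_port": 80, "class": "web-probe"},
]

WINDOW = timedelta(minutes=10)  # assumed: alerts closer than this are one activity


def aggregate(alerts):
    """Stage 1: group alerts by (src, dst, dst_port, class), ignoring channel."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["src"], a["dst"], a["dst_port"], a["class"])].append(a)
    return groups


def reduce_groups(groups):
    """Stage 2: collapse each group to one record; reports with the same
    timestamp and key from different channels are duplicates, counted once."""
    reduced = []
    for key, items in groups.items():
        distinct_ts = sorted({a["ts"] for a in items})
        reduced.append({
            "src": key[0], "dst": key[1], "dst_port": key[2], "class": key[3],
            "count": len(distinct_ts), "first": distinct_ts[0], "last": distinct_ts[-1],
            "channels": sorted({a["channel"] for a in items}),
        })
    return reduced


def correlate(reduced, window=WINDOW):
    """Stage 3: link records sharing a source address and falling within
    `window` of each other into incident candidates."""
    incidents = []
    for rec in sorted(reduced, key=lambda r: r["first"]):
        for inc in incidents:
            if inc["src"] == rec["src"] and rec["first"] - inc["last"] <= window:
                inc["records"].append(rec)
                inc["last"] = max(inc["last"], rec["last"])
                break
        else:
            incidents.append({"src": rec["src"], "first": rec["first"],
                              "last": rec["last"], "records": [rec]})
    return incidents


def induce(incidents, scan_targets=3, brute_attempts=2):
    """Stage 4: derive a label for each incident from its aggregate shape."""
    for inc in incidents:
        targets = {r["dst"] for r in inc["records"]}
        attempts = sum(r["count"] for r in inc["records"])
        classes = {r["class"] for r in inc["records"]}
        inc["targets"] = sorted(targets)
        inc["attempts"] = attempts
        if len(targets) >= scan_targets:
            inc["label"] = "horizontal scan"
        elif attempts >= brute_attempts and len(classes) == 1:
            inc["label"] = "repeated " + classes.pop()
        else:
            inc["label"] = "isolated event"
    return incidents


def process(alerts):
    """Run all four stages and return the incident candidates."""
    return induce(correlate(reduce_groups(aggregate(alerts))))


if __name__ == "__main__":
    for inc in process(SAMPLE_ALERTS):
        print(inc["src"], inc["label"], inc["targets"], inc["attempts"])
```

The reduction stage keeps the list of channels that reported each activity: an activity seen by two independent channels is better corroborated than one seen by a single sensor, which is exactly the kind of evidence the expert verification step can use.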
Framework for exchanging network attack detection reports
We conclude that the Alert format of the IDMEF standard should be adopted as the framework for exchanging network attack detection information.
Framework for exchanging network security incident information
Information about a network security incident (whether or not it has already occurred) is treated as an incident object and stored in a record according to the IODEF standard.
The minimum exchanged content should also contain information compatible with the incident report.
In conclusion, we use the IODEF standard format, or one compatible with it, for long-term storage, serving statistical analysis and the exchange of information about incident objects.
We will present the content of the information exchange framework in detail in Chapter 2.
I.2.4. Research and analysis of the international standard for the network attack detection report exchange format
a) The IDMEF standard
The IDMEF standard was developed by the Intrusion Detection Working Group (IDWG) of the Internet Engineering Task Force (IETF). The latest version is RFC 4765, published in March 2007.
The purpose of the IDMEF standard is a data model serving the exchange of information about computer attack incidents. The basic part of the IDMEF model must therefore be able to describe and exchange information about the objects related to a network/computer attack message (report), with the following main data:
- Alert
- Source
- Target
- Classification
- Creation time (CreateTime)
- Detection time (DetectTime)
- Analysis time (AnalyzerTime)
- Analysing person/device (Analyzer)
- Assessment
- Correlation alert (CorrelationAlert)
- Tool alert (ToolAlert)
- Buffer overflow alert (OverflowAlert)
- Additional data (AdditionalData)
The main use of IDMEF is on the alert data channel between the information collection station (sensor) and the management center (console/database). However, IDMEF can also be applied in the following cases:
+ As a small database collecting information from many sensors.
+ In a correlation system filtering information collected simultaneously from many IDSs.
+ In a graphical interface using a single screen to display reports from many IDSs.
+ Simultaneously as a data exchange standard and as a data communication format.
b) Design characteristics of IDMEF
Content-oriented
- The object-oriented approach makes it simple to introduce new objects that extend the description to new content.
- Different attributes can be declared for different components.
Clear and consistent specification
- Identical incident descriptions created by different CSIRTs must be recognised as a single incident.
- Supports correlation of related incidents.
- Provides the basis for the necessary cooperation between CSIRTs.
- The principle of the purpose-built incident object is the key principle ensuring the correlation of incidents and a clear, consistent representation of information.
Implemented in XML
- The data description is easy to extend.
- Many tools exist, some of them free.
- Internationalisation, allowing CSIRTs to use their native language.
- Reuses many IDMEF data classes; open source can be used.
- Compatible and integrable with the IODEF standard.
c) Differences between IDMEF and IODEF
- The main actors of IODEF are the CERTs/CSIRTs, while those of IDMEF are the IDS. The CERT/CSIRT is the owner of the incident object (IO).
- IODEF is user-oriented (interface/interaction): it can be read by people, but can also be analysed by machines.
- The incident object (IO) has a longer lifetime (compared with the single-use IDMEF message), serving incident handling, incident storage, statistical analysis and forecasting.
Comparison of the high-level data classes of IODEF with those of IDMEF:
It can be seen that IODEF can contain most or all of the information of an IDMEF message.
d) Description of the IODEF standard
See the description of IDMEF in the Branch 1 report and the attached Appendix 2.
e) Evaluation and recommendations
Strengths
- The IDMEF standard is oriented toward describing notification information about computer attack incidents detected by IDS devices and sensors.
- IDMEF is a content-oriented standard; incidents are described in a way that makes it easy to add information when extending the data classes.
- IDMEF supports multi-level conversion of notifications through nesting: a simple notification can be contained in a complex one.
- Supports correlation processing to eliminate similar alerts.
- Compatible with the IODEF standard.
- Can be supplemented by many open-source programs and tools, increasing flexibility when deploying applications.
- RFC 4765 has been published.
- There are successful projects worldwide using IODEF and IDMEF, such as AirCERT (CERT/CC, USA), eCSIRT (the European CSIRT network) and ISDAS (JPCERT/CC, Japan).
Weaknesses
- The IETF working group has ended the official IDMEF development project. Only individual experts continue to improve and supplement it.
- Some items in the IDMEF model have not been fully standardised or updated.
- Some format features may be cumbersome and not really necessary.
Recommendations:
- Studying the application of IDMEF to Vietnam's network security monitoring system is beneficial; however, it is not necessary to adopt the whole RFC 4765 specification. Only the suitable parts need be selected and put into a concrete data design fitting the system's objectives.
- It may suffice to use a structure compatible with the IDMEF description and suited to a system that uses a condensed IODEF; this still ensures that information can be exported in a form suitable for exchange with international CERTs/CSIRTs.

I.3. Study and selection of network security information sources
I.3.1. Analysis of the possibility of using network security information from other information sources
To process network security information conveyed as messages through various communication means such as email, notices on websites, telephone, fax, letters and official correspondence, we must use a system that supports collecting information from notification channels.
Based on the literature and on foreign experience, the technical system components and technology requirements can be described as follows:
a) Notification channels
The usual channels for reporting a risk or an incident are: official correspondence, letters, telephone, fax, electronic mail and messages (email, message), and online notification through a web interface. There may also be information-sharing channels over the Internet.
This information is mostly non-standard, so before it can be fed into the processing system we must normalise it into a defined description format.
b) Description of the input data
We apply the IODEF (Incident Object Description and Exchange Format) standard. We may also apply only part of this standard for simplicity, while keeping compatibility with the international standard so that information can be exchanged with international systems.
Example of the simplest set of input data fields for a computer network incident message:
Contact information
1. Full name *
2. Organisation, address
3. Email *
4. Telephone *
Incident information
5. Preliminary description of the incident *
6. Means of detection * IDS system / log file check / system administrator / other (describe)
7. Time the incident occurred *
8. Time zone *
System on which the incident occurred
9. Operating system *
10. Version *
11. Patch
12. Antivirus * (yes/no)
13. Firewall * (yes/no)
14. Other protective measures * (describe)
Services present on the system:
15. Web server (yes/no)
16. Mail server (yes/no)
17. Database server (yes/no)
18. Application server (yes/no)
19. FTP server (yes/no)
20. Proxy server (yes/no)
21. Main purpose of the system * (describe)
Fields marked * are mandatory.
All other non-standard notifications should be processed into this standard form so that they can be exchanged, supplemented, aggregated and reported according to the standard. In this way, information from any non-standard source can be received and processed.
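As an added example (not code from the report or from VNCERT), the minimal report form above rendered into an IODEF-compatible document with Python's standard library. Element and attribute names follow the IODEF schema (IETF RFC 5070); the IncidentID naming scheme, the Impact values, the mapping of fields 9-21 onto AdditionalData and the sample report are assumptions chosen for illustration.

```python
"""Render the minimal incident-report form into an IODEF-compatible XML document.

Added example, not the project's code. Element/attribute names follow the IODEF
schema (RFC 5070); IncidentID naming, Impact values and the sample are assumptions.
"""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Form fields marked "*" in the report (mandatory), keyed by the names used here.
MANDATORY = ("full_name", "email", "telephone", "description", "detection",
             "occurred_at", "timezone", "os", "os_version", "antivirus",
             "firewall", "other_protection", "system_purpose")
DETECTION_METHODS = {"IDS", "LogFile", "Administrator", "Other"}   # field 6
# Fields 9-21 have no dedicated IODEF class; they are carried as AdditionalData.
SYSTEM_FIELDS = ("os", "os_version", "patch", "antivirus", "firewall",
                 "other_protection", "web_server", "mail_server", "database_server",
                 "application_server", "ftp_server", "proxy_server", "system_purpose")


def q(tag):
    """Namespace-qualify an IODEF element name."""
    return f"{{{IODEF_NS}}}{tag}"


def validate_report(report):
    """Return the list of form violations; an empty list means the form is acceptable."""
    problems = [f"missing mandatory field: {k}" for k in MANDATORY
                if not str(report.get(k, "")).strip()]
    if report.get("detection") not in DETECTION_METHODS:
        problems.append("field 6 must be one of " + ", ".join(sorted(DETECTION_METHODS)))
    for flag in ("antivirus", "firewall"):
        if report.get(flag) not in ("yes", "no"):
            problems.append(f"{flag} must be yes/no")
    return problems


def report_to_iodef(report, incident_name="CSIRT-EXAMPLE", incident_id="1"):
    """Encode one report as an IODEF-Document string; ValueError on an invalid form."""
    problems = validate_report(report)
    if problems:
        raise ValueError("; ".join(problems))
    ET.register_namespace("iodef", IODEF_NS)
    doc = ET.Element(q("IODEF-Document"), {"version": "1.00", XML_LANG: "en"})
    inc = ET.SubElement(doc, q("Incident"), purpose="reporting")
    # Child order below follows the schema's sequence for Incident.
    ET.SubElement(inc, q("IncidentID"), name=incident_name).text = incident_id
    ET.SubElement(inc, q("ReportTime")).text = report.get("report_time") or report["occurred_at"]
    ET.SubElement(inc, q("Description")).text = report["description"]
    assess = ET.SubElement(inc, q("Assessment"))
    ET.SubElement(assess, q("Impact"), type="unknown", severity="medium")
    contact = ET.SubElement(inc, q("Contact"), role="creator", type="person")
    ET.SubElement(contact, q("ContactName")).text = report["full_name"]
    if report.get("organisation"):                       # field 2 is optional
        ET.SubElement(contact, q("Description")).text = report["organisation"]
    ET.SubElement(contact, q("Email")).text = report["email"]
    ET.SubElement(contact, q("Telephone")).text = report["telephone"]
    ET.SubElement(contact, q("Timezone")).text = report["timezone"]
    ev = ET.SubElement(inc, q("EventData"))
    ET.SubElement(ev, q("DetectTime")).text = report["occurred_at"]
    method = ET.SubElement(ev, q("Method"))
    ET.SubElement(method, q("Description")).text = "detected by: " + report["detection"]
    for key in SYSTEM_FIELDS:
        if str(report.get(key, "")).strip():
            ad = ET.SubElement(inc, q("AdditionalData"), dtype="string", meaning=key)
            ad.text = str(report[key])
    return ET.tostring(doc, encoding="unicode")


def iodef_texts(xml_text, tag):
    """Text content of every <tag> element in a generated document (round-trip check)."""
    return [e.text for e in ET.fromstring(xml_text).iter(q(tag))]


# Constructed sample report: every value below is invented for the example.
SAMPLE_REPORT = {
    "full_name": "Nguyen Van A", "organisation": "Example Co., Hanoi",
    "email": "an.nguyen@example.vn", "telephone": "+84 24 0000 0000",
    "description": "Repeated SSH authentication failures from one external address",
    "detection": "LogFile", "occurred_at": "2011-05-10T08:15:00+07:00",
    "timezone": "+07:00", "os": "Linux", "os_version": "2.6.32", "patch": "",
    "antivirus": "no", "firewall": "yes", "other_protection": "SSH login rate limiting",
    "web_server": "yes", "mail_server": "no", "database_server": "no",
    "application_server": "no", "ftp_server": "no", "proxy_server": "no",
    "system_purpose": "public web server",
}

if __name__ == "__main__":
    print(report_to_iodef(SAMPLE_REPORT))
```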
c) Data collection
In the system design, a dedicated receiving module (agent) should be designed for each different non-standard data source, optimised for processing that information into a form compatible with the standard mentioned above.
I.3.2. Study and analysis of the ability to collect network security information from some commercial/open-source firewall devices or software; recommendation of suitable device and software types for the system to be built
a) Firewalls
We studied and analysed the ability to collect network security information from the commercial firewall devices/software of Cisco, Juniper and Kerio, and from the open-source firewalls IPTables, AVS firewall, firewall Script, SmoothWall and IPCop. For the project we chose to apply the two firewall types most common in Vietnam: the commercial Check Point firewall and IPTables (open-source firewall).
The Check Point firewall is one of the commercial firewalls of good quality and is very widely used today. Check Point supports layer-2 firewall functions and stateful technology to detect incidents or, where possible, remedy the data.
The IPTables firewall is the open-source firewall most widely used today. Thanks to its stability and efficiency, IPTables is also integrated into integrated network security devices such as MiDFS, modems and commercial firewalls.
b) IDS/IPS
We studied and analysed the commercial IDS devices/software of 7 manufacturers (Cisco Intrusion Detection System (IDS), NetScreen (Juniper), the Dragon software, Proventia Network IDS, the McAfee IDS, the MiDFS software) and 2 open-source IDS products (Snort and Prelude), and selected for trial the 2 products common in Vietnam, Proventia (IBM) and Snort (open source), for the system to be built.
Snort was chosen as the open-source software that allows integration with systems having IDS support, allows further development, is cheap and has strong features.
The device chosen for the trial is the Proventia GX4002, whose features are nearly complete and suitable for the trial.
c) Antivirus products
We studied the following antivirus systems: Antivirus Corporate Edition 10.0 (Symantec), VirusScan Enterprise (McAfee), eTrust Antivirus (CA - Computer Associates), Norton AntiVirus 2.5 for Gateway, and the open-source virus detection software ClamAV. We propose using the following products: Symantec Antivirus Corporate Edition with its centralised management function, the McAfee virus detection software, and the open-source ClamAV (as a replacement), which suit the application situation in Vietnam and the system to be built.

I.4. Overall architecture design
The main content is to study and determine the overall requirements of the system and its subsystems, select the basic devices and determine the platform technologies applied in the system, and design the requirements and the management and control mechanism for the self-developed sensor devices.
I.4.1. System architecture
The architecture of the system is shown in the functional model (figure I.9).
Based on study and analysis, the overall requirements of the system and its subsystems were determined. The operating diagram is shown in the following figure:

Figure I.11: Operating model

The platform technologies applied in the system were determined to be mainly open-source software technologies:
+ Base technologies: the Linux operating system, the MySQL DBMS, the Apache web server.
+ Basic programming technologies for the base environment: Java, Python, C, PHP, SQL, XML.
+ The standards IODEF, IDMEF, Syslog, ISO/IEC 2700x.
+ Open-source network security software products that can serve as a base for improvement and integrated use: RTIR, SURFnet IDS, NTop, Honeypot, Nepenthes, Snort IDS, Spampot, Nessus, OSSIM, Sguil, DShield, p0f, PADS, Nmap.
At the same time, the types and minimum quantities of devices needed to set up the test network hardware for the Vietnam Internet security monitoring system were specified.
The role of self-developed sensors is very important for every nation's network monitoring system. The project therefore emphasises the importance of building and integrating domestic sensors. Based on the knowledge gained from surveying foreign systems and studying open source, the project set simplification requirements for the management and control mechanism of the self-developed sensor devices.
A solution ensuring the overall security of the system is an important requirement. The project put forward an overall protection model comprising the solutions
Finally, aggregated requirements for the system components and the overall data processing flows of the system were produced.
I.4.2. Overall data flow diagrams
a) Incident detection monitoring flow

Figure I.12: Incident detection monitoring flow

b) Incident analysis operation flow

Figure I.13: Incident analysis operation flow

c) Incident detection reporting flow

Figure I.14: Incident detection reporting flow

d) Incident response/rescue flow

Figure I.15: Incident response/rescue flow

I.5. Completing the overall design
I.5.1. Work performed
The project team revised the entire overall design based on the analysis and evaluation of the test results of the "Vietnam network security monitoring system". Starting from the initial test results, some technology and design requirements were adjusted to fit, such as removing a few connection protocols from the sensor/agent to the information receiver, or setting up a separate processing module for notifications arriving through communication channels, since in practice these have no direct link with the information flows from devices that require automatic processing.
The results of the analysis and evaluation of the integrated test of the whole system are presented in Chapter 7 and in Branch report 7. Although some requirements were simplified, the system still provides the full functionality of the project's original design.
I.5.2. General remarks
The test measurements of the sensors' network traffic monitoring and network vulnerability scanning functions, and of the system and service monitoring functions, show that they work well and meet the requirements set out in the project proposal.
The information collected and the evaluation show that the current system is fully compatible and can interoperate with the network attack information exchange standards used in the world.
The network security incident notification processing subsystem comprises 02 websites supporting the full set of functions. All functions work well and stably. Errors made by data entry staff are all detected and accurately flagged by the software. The declaration, reception and handling process fits the operational activities of handling network security incident notifications at the VNCERT Centre. The program interface is designed simply, systematically and intuitively, and is easy to use.
The subsystem that automatically receives network security information from devices and information-collecting software is able to receive all events sent by the sensors. The reception speed is acceptable, with no throughput drops or processing congestion. CPU utilisation always stays below 25%. The system works well on the real Internet.
The test measurements of the 24/24 monitoring, statistics and analysis functions that produce alerts show that they work well and meet the requirements set out in the project proposal. These functions run on the sensor devices, which can be installed at many different positions on the network. The test results show that the software modules meet the functions required by the project. Monitoring network security criteria in real time gives the information security manager an overall view of the national network security situation.
The integrated security firewall device was tested and provides the full set of functions. All functions work well and stably.
The test results show that the sensor devices work well and meet the requirements set out in the project.
The commercial security devices and software all detected the simulated network security incidents well. The participation of commercial security devices/software shows that network-security-related data can be collected from many different sources nationwide, contributing to fast and accurate detection of incidents that may occur.
In theory, when the number of sensors increases, the system's capacity must be re-evaluated so that investment can raise the capacity accordingly.
The current performance of the system meets the test requirements with a moderate number of sensors (~10 sensors). With this number of sensors, the load on all servers and services stays below the 25% threshold.
If the actual deployment scale is large (several hundred to several thousand sensors), the system must be deployed on a platform that can use virtualisation, or more advanced cloud computing, so that the system's capacity can be scaled up.
During test preparation, some initial assumptions and programming technology plans had to change. First, the SNMP protocol proved less suitable than Syslog for carrying data from the agents to the server, so the plan of using the standard Syslog protocol was set as the main one. Second, practical processing of data from the notification sources showed that storing them in a separate database table is more efficient than processing them together with the events collected from sensors, since in practice these user-reported events almost only support the experts through the analysis interface and probably do not take part in correlation processing with the streams of machine-provided events. The project team therefore set a plan to process these sources separately.
I.5.3. Requirements for correcting and completing the products implemented by the branches
Basically the system meets the project's requirements. The following recommendations aim to prepare better and more thoroughly for bringing the system into the application trial phase and into research service. Specifically:
- Branches 2 and 3: revise the agent-to-server transmission protocol to be mainly Syslog. Keep the file exchange method so that no data is lost when transmission is interrupted.
- Branches 2 and 3: revise the design for processing network security notifications arriving through communication channels so that a separate database is used to store and look up the reported events, while sharing the web interface for experts.
- Branch 4: when integrating the open-source modules, try to localise the interface language into Vietnamese as consistently and completely as possible.
- Branch 4: study test cases to evaluate the limits of the database under the default parameters of the open-source version adopted by the project.
- Branch 5: study upgrading the sensors in both speed and functionality.
- Branches 4 and 5: study the simplest possible way to control the sensors from the Centre.
- Branch 6: study the possibility of replacing Proventia with another vendor's IPS or IDS for comparison.

CHAPTER II. DEVELOPMENT OF THE INTEGRATED NETWORK SECURITY MONITORING DATABASE SYSTEM (NSIDB)

II.1. Study and analysis of the input data sources; selection of the technology for the integrated database NSIDB.
II.1.1. Study and analysis of the network security information sources fed into the integrated database system NSIDB
II.1.1.1. Practical requirements
The integrated database system NSIDB collects its input data from the following basic information sources: the system of dedicated Sensor monitoring devices; notifications from dedicated monitoring software; information from commercial network protection devices (firewall, IDS, antivirus); the community's channels for reporting small incidents (email, telephone, fax) used by users; and alerts from domestic and foreign research organisations.
II.1.1.2. Overall model of the data reception system
The system's function of collecting notification data from the sources is described in overview in the following diagram of the data-reception agents:

Figure II.1: Overall model of the information-reception software (diagram; labels recovered from the extraction: one data-reception agent per source type: Antivirus (Symantec, McAfee); Firewall (Checkpoint, MiDFS); IDS/IPS (Proventia, Intrushield); sources via telephone, fax, email, web; Alert processing module GAG/GFW/GIDS; Event; SIGS Connector module; Device Connector module; Plugin Database; SIGS)

The design model above expresses the requirement to collect information from the 3 types of sensor-device source that form the system's automatic information providers (firewalls, antivirus software, IDS/IPS systems), as well as to process information from people reporting via telephone, fax, email and web.
II.1.1.3. Network security information sources from firewall devices
a) Check Point firewall
The Check Point firewall is one of the commercial firewalls of good quality and is very widely used today; it provides the following information:
- Event ID
- Date
- Time
- Action (Drop/Accept/Reject)
- IP address generating the event
- Service port
- Source/destination IP
- Source/destination port
- Source/destination MAC address
- Rule ID, rule name
- User
- Supporting information
b) The MiDFS Firewall Server system
The MiDFS firewall server, which integrates IPTABLES, is the open-source firewall most widely used today. A network security incident notification from MiDFS Server includes the following main information:
- Date
- Time
- Firewall name
- Kernel version
- Action (Drop/Reject)
- Direction of the data (in/out)
- Interface
- Source IP
- Source port
- Source MAC address
- Destination IP
- Destination port
- Destination MAC address
- Length
- Type of service (TOS)
- Time to live (TTL)
- Message ID
- Don't Fragment bit (DF)
- Protocol
- Window size of the TCP packet (maximum value 65535)
- IP-to-domain-name resolution
- Packet type SYN/RST
II.1.1.4. Network security information sources from IDS devices
a) Network security information from the ISS IDS device
The ISS IDS device is named Proventia; in principle Proventia can forward its alerts to the network security information collection software using the Syslog and SNMP standards. A Proventia alert carries the following information:
- Alert ID
- Alert format version
- Alert name type
- Alert name
- Source IP
- Source port
- Destination IP
- Destination port
- Time (real number)
- Local Timezone Offset
- Alert accuracy
- Alert Time Sequence ID
- Alert code
- Sensor address
- Sensor name
- Product ID
- Alert type
- Alert priority
- Alert flags
- Pair count
- Response
- Blob count
b) Network security information from the McAfee IDS device
The McAfee IDS device is named IntruShield; in principle it can forward its alerts to the network security information collection software using the Syslog and SNMP standards. The information in the alerts of the McAfee IDS, as configured by the user, includes the following basic items:
- Alert ID
- Alert type
- Attack time
- Attack name
- Attack ID
- Attack severity
- Attack signature
- Attack Confidence
- Admin domain
- Sensor name
- Network interface
- Source IP
- Source port
- Destination IP
- Destination port
- Category
- Sub-Category
- Direction
- Result status
- Detection mechanism
- Application protocol
- Network protocol
- Relevance

II.1.1.5. Network security information from antivirus software
a) Network security information from the Symantec antivirus software
An incident notification from the Symantec Antivirus Corporate Edition system includes:
- Date of occurrence
- Time
- Infection source
- Attack type
- Virus type
- Count
- Update version
- Name of the infected machine
- Scan/clean policy
- Path of the infected file
- Intervention action
b) Network security information from the McAfee antivirus software
An incident notification from the McAfee VirusScan Enterprise system includes:
- Date of occurrence
- Time
- Infection source
- Attack type
- Virus type
- Count
- Update version
- Name of the infected machine
- Scan/clean policy
- Path of the infected file
- Intervention action
II.1.1.6. Network security information collected from the Email, telephone, Fax and website sources
Information from these sources is handled by a dedicated unit and stored in 1 table with the following fields:

No.  Stored field
1    Name of the caller / mail sender
2    Name of the staff member receiving and handling the report
3    Name of the receiving team leader
4    Agency/unit sending the notification/information
5    Telephone number of the reporting individual/unit
6    Purpose of the notification
7    Address of the individual/unit/organisation
8    Date the notification was received
9    Notification title
10   Notification content
11   Request
12   Notes

After receiving the information and temporarily saving it in the reception table, the reception unit sorts the types of information/notification and the requests of individuals, units and organisations, and forwards them to the department or team with the relevant dedicated role. Based on the title and content, these departments or teams go through a process of supplementing and enriching the information (calling directly, emailing, exchanging on forums, etc.) with the unit, individual or organisation. They then analyse and evaluate the necessity, urgency and importance of the reported information and, drawing on experience, the available databases and other information exchange channels, give advice and remediation guidance to the requesting agency, unit or organisation; depending on the severity and the specific situation, they may also send warning information to other units and organisations. The dedicated unit then normalises the information and stores it in the following database tables: the Notifications table, the Alerts table, the Messages table and the Incidents table.
Details of these tables are given in the Branch 2 part of the project.
II.1.2. Determining the formats of the input data types for the integrated database system NSIDB
II.1.2.1.
The agents are responsible for collecting all the data sent by the other devices on the network and then sending it to the server in a standardised format. The agents are installed on the information collection systems (sensors).
Ports used to connect to the agents:

Port   Use
4001   Usual port through which the server connects
3306   Database port, which may be connected to for control (monitor) requests

II.1.2.2. Input data as the event types of the agents
The input data are the agents' event types: four common event types (MAC address event, operating system event, service event, normalised event).
a) Normalised event
Any event received from other software or devices has the following fields:
- Type: event type, Detector or Monitor
- Date: date the event was received from the device
- Sensor: IP address of the common sensor
- Interface: network interface, eth0 or eth1...
- Plugin_id: identifier of the plugin that generated the event
- Priority: priority
- Protocol: protocol used (one of 3 types: TCP, UDP, ICMP)
- Src_ip: IP address produced by the device, identified as the source IP of the event
- Src_port: source port
- Dst_ip: destination IP
- Log: the part of the event data of interest recorded verbatim that is not content of the other fields. Because of the Userdata* fields, it is used less and less.
- Data: stores useful event information
- Username: mainly used in HIDS events
- Password: password used in an event
- Filename: file used in an event, mainly used in HIDS
- Userdata1: fields that can be defined by the user from the plugins. They can contain any textual information, and by choosing one or more of them the display shown to the viewer can be changed. Up to 9 such fields can be defined per software: userdata2..userdata9.
For example, the following fragment carries the event fields:
event type="detector" date="2006-08-09 12:12:11" plugin_id="4002" plugin_sid="1" sensor="192.168.1.10" src_ip="192.168.1.8" dst_ip="192.168.1.8" interface="eth1" data="user1" priority="1" log="Aug 12:12:11 V-sensor sshd[6466]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=user1"
b) MAC address event (MAC Event)
These events report a MAC address change for a specific IP. This can be used to build an indicator sensitive to ARP spoofing.
As can be seen, the information appears in the individual fields and is repeated in the Log field.
This event has the following specific fields:
- Host: IP address of the host whose MAC address changed
- Mac: MAC address (in hexadecimal)
- Vendor: vendor of the network card
- Sensor: the information collection device
- Interface: the interface, eth0 or eth1
- Date: date of the event
- Plugin_id: always 1512
- Plugin_sid: not important; the server assigns the correct identifier.
Example of a MAC event:
host-mac-event host="183.127.115.4" mac="0:4:23:80:fb:ha" vendor="Intel Corporation" sensor="163.117.131.11" interface="eth1" date="2006-03-17 11:30:09" plugin_id="1512" plugin_sid="1" log="ip address: 163.117.155.2 interface: eth1 ethernet address: 0:4:23:88:fb:8a ethernet vendor: Intel Corporation timestamp: Friday, March 17, 2006 11:30:09 +0100"
c) Operating system event (OS Event)
An event reporting a change in the operating system.
This event is generated after information of this type has been read:
host-os-event host="192.168.1.81" os="Windows" date="2006-12-23 22:56:13" sensor="192.168.1.10" plugin_id="1511" plugin_sid="1" log="Windows XP" interface="eth1"
The fields of this event type are:
- Host: IP address of the host
- OS: operating system
- Sensor: IP of the information collection device
- Interface: the Ethernet interface
- Plugin_id: plugin identifier, always 1511
- Plugin_sid: determined by the server
- Log: the log text
Specific fields:
- Userdata1: used to maintain correlation.
d) Service event (Service Event)
These events are used to monitor the systems on the network, the applications running on them and the open ports detected. They are also used in correlation, together with the OSODB database.
Example event:
host-service-event host="192.168.1.77" interface="eth1" port="80" protocol="6" application="CCO/4.0.3 (Unix) tomcat" sensor="192.168.1.10" service="www" date="2006-03-27 07:59:54" plugin_id="1516" plugin_sid="1" log="blablablablabla"
The fields are:
- Port: port number seen on the host
- Service: type of service available on the port (www, ssh, ftp)
- Application: the specific application providing the service
- Plugin_id: always 1516
- Plugin_sid: sub-plugin identifier determined by the management system on the server
Specific fields:
- Userdata1: copy of the application field
- Userdata2: copy of the service field.
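The four agent event kinds above (event, host-mac-event, host-os-event, host-service-event), as an added example that is not the project's code: a parser for the `kind key="value" ...` line format, the consistency rules the text states (fixed plugin_id 1512/1511/1516, Detector/Monitor type, TCP/UDP/ICMP protocol) and a per-host MAC tracker implementing the ARP-spoofing indicator the MAC event section mentions. The required-field lists and the sample lines are reconstructed from the report's own examples and are assumptions.

```python
"""Parse, validate and MAC-track agent event lines of the kinds described above.

Added example, not the project's code. Plugin ids 1511/1512/1516 and the line format
come from the text; the required-field lists and sample lines are reconstructed.
"""
import re

# key="value" pairs; values are double-quoted and may contain spaces, '=' or ';'.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
MAC_RE = re.compile(r"^[0-9a-fA-F]{1,2}(:[0-9a-fA-F]{1,2}){5}$")
RELAY_PREFIX = "SIEM-Message: Event received: "     # prefix on lines echoed by the server

# plugin_id values the text fixes for the host-* event kinds.
FIXED_PLUGIN_ID = {"host-mac-event": "1512", "host-os-event": "1511",
                   "host-service-event": "1516"}
# Fields each kind must carry (reconstructed from the field lists; an assumption).
REQUIRED = {
    "event": ("type", "date", "sensor", "plugin_id", "plugin_sid"),
    "host-mac-event": ("host", "mac", "sensor", "interface", "date", "plugin_id"),
    "host-os-event": ("host", "os", "sensor", "interface", "date", "plugin_id"),
    "host-service-event": ("host", "port", "protocol", "service", "sensor", "date", "plugin_id"),
}
PROTOCOLS = {"TCP", "UDP", "ICMP"}


def parse_agent_event(line):
    """Split 'kind key="value" ...' into (kind, fields); quoted values may hold spaces."""
    line = line.strip()
    if line.startswith(RELAY_PREFIX):
        line = line[len(RELAY_PREFIX):]
    kind, _, rest = line.partition(" ")
    return kind, dict(KV_RE.findall(rest))


def validate_event(kind, fields):
    """Return the list of rule violations (empty when the event is acceptable)."""
    if kind not in REQUIRED:
        return [f"unknown event kind {kind!r}"]
    problems = [f"missing {k}" for k in REQUIRED[kind] if k not in fields]
    fixed = FIXED_PLUGIN_ID.get(kind)
    if fixed and fields.get("plugin_id") != fixed:
        problems.append(f"{kind} must have plugin_id={fixed}")
    if kind == "event":
        if fields.get("type") not in ("detector", "monitor"):
            problems.append("type must be detector or monitor")
        if "protocol" in fields and fields["protocol"].upper() not in PROTOCOLS:
            problems.append("protocol must be TCP, UDP or ICMP")
    if kind == "host-mac-event" and not MAC_RE.match(fields.get("mac", "")):
        problems.append("mac is not a hexadecimal MAC address")
    return problems


class MacTracker:
    """Remember the last MAC seen per host; a change is the ARP-spoofing indicator."""

    def __init__(self):
        self.last = {}

    def observe(self, fields):
        """Return (changed, previous_mac) for a validated host-mac-event."""
        host, mac = fields["host"], fields["mac"].lower()
        prev = self.last.get(host)
        self.last[host] = mac
        return (prev is not None and prev != mac), prev


def process_lines(lines):
    """Parse and validate a batch; returns (accepted, rejected, mac_changes)."""
    tracker, accepted, rejected, changes = MacTracker(), [], [], []
    for line in lines:
        kind, fields = parse_agent_event(line)
        problems = validate_event(kind, fields)
        if problems:
            rejected.append((kind, problems))
            continue
        accepted.append((kind, fields))
        if kind == "host-mac-event":
            changed, prev = tracker.observe(fields)
            if changed:
                changes.append((fields["host"], prev, fields["mac"].lower()))
    return accepted, rejected, changes


# Constructed sample batch, reassembled from the report's examples (values as quoted there,
# plus a second MAC observation and the garbled "fb:ha" address to exercise the checks).
SAMPLE_LINES = [
    'event type="detector" date="2006-08-09 12:12:11" plugin_id="4002" plugin_sid="1" '
    'sensor="192.168.1.10" src_ip="192.168.1.8" dst_ip="192.168.1.8" interface="eth1" '
    'data="user1" priority="1" log="Aug 9 12:12:11 V-sensor sshd[6466]: (pam_unix) '
    'authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=user1"',
    'host-mac-event host="183.127.115.4" mac="0:4:23:88:fb:8a" vendor="Intel Corporation" '
    'sensor="163.117.131.11" interface="eth1" date="2006-03-17 11:30:09" plugin_id="1512" '
    'plugin_sid="1" log="ip address: 163.117.155.2 interface: eth1"',
    'host-mac-event host="183.127.115.4" mac="0:4:23:80:fb:8a" vendor="Intel Corporation" '
    'sensor="163.117.131.11" interface="eth1" date="2006-03-17 11:45:00" plugin_id="1512"',
    'host-os-event host="192.168.1.81" os="Windows" date="2006-12-23 22:56:13" '
    'sensor="192.168.1.10" plugin_id="1511" plugin_sid="1" log="Windows XP" interface="eth1"',
    'host-service-event host="192.168.1.77" interface="eth1" port="80" protocol="6" '
    'application="CCO/4.0.3 (Unix) tomcat" sensor="192.168.1.10" service="www" '
    'date="2006-03-27 07:59:54" plugin_id="1516" plugin_sid="1" log="blablablablabla"',
    'SIEM-Message: Event received: event id="0" alarm="0" type="detector" plugin_id="1501" '
    'plugin_sid="206" dst_ip="88.x.x.x" dst_port="80" protocol="TCP" date="1269889333" '
    'src_ip="113.167.148.216" sensor="88.x.x.x" interface="eth0" log="GET /index HTTP/1.1"',
    'host-mac-event host="183.127.115.4" mac="0:4:23:80:fb:ha" sensor="163.117.131.11" '
    'interface="eth1" date="2006-03-17 11:50:00" plugin_id="1512"',
]

if __name__ == "__main__":
    for item in process_lines(SAMPLE_LINES):
        print(item)
```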

II.1.2.3. Input data entered by declaration
The incident management database includes information about the data types and the data fields to be entered by users, system administrators, etc.:

Field name   Data type   Null   Key   Notes

- Field name: determined by the names of the information fields required in the system.
- Data type: determined by the data type components defined according to the required data fields, including:
+ Int(): integer
+ varchar(): text data allowing the user to enter information as text
+ Text(): text data
+ Datetime(): date and time data
+ Date(): Year:Month:Day (0000:00:00)
+ Tinyint(): limited-range integer
- Null: whether the field is initially empty (Null) or not (Not Null)
- Key: the primary key (PK) and foreign key (FK) fields of the database, which identify the information fields in the relational database.
- Notes: detailed description of the information fields when designing the database.
Example:

Priority table
No.  Column name        Data type     Null      Key  Notes
1    Priority_id        Tinyint(3)    Not Null  PK   Priority ID
2    Priority           Varchar(60)   Not Null       Priority (label)
3    Priority_desc      Varchar(30)   Not Null       Priority description
4    Priority_color     Varchar(7)    Not Null       Colour
5    Priority_urgency   Tinyint       Not Null       Urgency
6    Ispublic           Tinyint       Not Null       Public

II.1.2.4. Data sent by the information collection system
On the information collection system, Snort detects attacks or incidents and sends event information to the server. If several collection systems in the system are running Snort, any attack or intrusion detected by Snort is recorded in the log.
Example:
SIEM-Message: Event received: event id="0" alarm="0" type="detector" fdate="2010-03-30 02:02:13" plugin_id="1501" plugin_sid="206" dst_ip="88.x.x.x" dst_port="80" protocol="TCP" date="1269889333" src_ip="113.167.148.216" sensor="88.x.x.x" asset_src="2" tzone="0" interface="eth0" asset_dst="2" log="GET /forums/attachment.php?attachmentid=9644&d=1215697569 HTTP/1.1"
The fields are:
- Sensor: address of the monitoring sensor
- Interface: the Ethernet interface
- Protocol: network protocol in use, here TCP
- Log: the logged information
II.1.2.5. Input through socket listening (default port 40003)
The data that can be received are:
- Alert data (used for feedback)
- Nessus
- Inventory information
Example:
nessus action="scan" target_type="hosts" hostgroups="databases" hosts="207.158.15.50" netgroups="" nets=""
nessus action="status"
The data that can be received are:
- Action: the action to perform
- Target_type: the hosts
- Netgroups: network group
- Host: host address.
II.1.2.6. Input data as the
Special actions can be configured as responses to the main events. Actions/responses are managed in a policy-like manner (policy --> action and policy --> response):
- Send a mail
- Run an external program.
Both action configurations are quite simple; the only important thing to know is that a number of keywords can be used, as in the descriptions above:
date, plugin_id, plugin_sid, risk, priority, src_ip, dst_ip, protocol, sensor, plugin_name, sid_name, userdata1..userdata9, filename, password.
II.1.3. Analysis and selection of a suitable technology for the integrated database system NSIDB, extensible to connect to compatible foreign sources of network security information
II.1.3.1. Overview model of information processing
The overall system model comprises 5 components with distinct functions that can be deployed on different systems. These 5 components interact and exchange information over the Internet according to the following diagram:

Figure II.2: Model of the Internet security management system

1. Database: this component is a server managing the databases used by the system. All data is stored in structured form in the databases on the server. The other components must communicate with this database server to store and query information.
2. Central system: the main component, which checks the relationships between the collected data. It queries the data stored on the database server and then aggregates the final result. It also coordinates the work of the Sensors.
3. Website: the central component interacting with users and with every other component of the system. It provides a web interface through which users access and use the system's functions: managing the Sensors, viewing the collected information, asking a Sensor to query information, and configuring the system.
4. Processing system: this component comprises scripts and executables performing the tasks the Website needs. It is the component that processes the tasks requested by users at the web interface above.
5. Sensors: this component plays the role of the Sensors scattered across the network to collect information. It comprises many plugins, each a standalone piece of software performing one monitoring, collection or querying function in the network environment. The collected information is sent to the database server for storage.
In the diagram, the arrows represent interactions between the components; these may carry control commands or data. Every component stores its data centrally on the database server. The processing system receives the users' requests from the web interface and executes them. From the web interface, the user can also manage and control the Central system and the Sensors.
II.1.3.2. Detailed model
a) Database
This component is a database management system, the central store of the whole system's data. Because the system must serve many different parties at once, this component must be a database server supporting many connected clients. The Internet security management system uses the following databases:
Website database
The website database contains the information serving the operation of the Website. The main tables are:
- Users: stores user information; the system checks the user's account against this table at every login
- Host: stores information about the hosts monitored in the network
- Host_services: list of the services running on the hosts
- Host_vulnerability: stores the host vulnerabilities found by vulnerability scanning
- Host_mac: list of the physical (MAC) addresses of the devices
- Host_netbios: list of the computer names in the network
- Host_os: list of the operating systems of the computers in the network
- Net: list of the managed networks
- Sensor: list of the Sensors participating in the Internet security management system
- Policy: table setting the policies for the objects in the network
- Events: table recording the events
- Config: stores the system configuration settings
- Incidents: information about network security incidents
- Plugins: information about the plugins used by the system; the system has very many plugins providing different detection signatures
Intrusion detection system database
The intrusion detection system database comprises the tables serving the intrusion detection component:
- Event: the events detected by the intrusion detection system
- Signature: stores the signatures identifying network traffic that may pose a threat
- Data: stores the payload of the packets, so that what happened on the network can be read and analysed afterwards if needed
There are also some tables storing descriptions of common packet types: icmphdr, iphdr, tcphdr, udphdr.
Access control database
The access control database is used to assign users access rights to the components; it comprises the tables defining the user groups, defining the objects on the Website, and assigning each user group access rights to those objects.
b) Central data reception system
The Central system is the component managing and coordinating the work of the Sensor stations. It runs as a service listening on port 40001 (TCP) to receive connection requests from the Sensor stations. When it wants to control a Sensor, the Central system sends a request to the station and waits for the Sensor's response. One Central system can manage many Sensor stations.

Figure II.3: Central system

II.1.3.3. Network monitoring
Network monitoring is the monitoring, tracking and recording of data flows. A network monitoring system usually has the following components:
- Sensor: the stations performing reconnaissance. This component approaches and interacts with the systems and services to be monitored in order to learn their state. During deployment it is distributed across many points of the network to collect information from different sources such as firewalls, routers, log files, etc.
- Collector: a notable point of a network monitoring system is that the monitored systems and services may differ, which means the collected information also comes in many forms. To obtain uniform information for processing and statistics, a component is needed to normalise it. The Collector reads the information obtained from the Sensors and normalises it using known normalisation rules. The output information has a uniform format and is stored in the central database.
- Central database: stores the data of the whole monitoring system. Because the data here is normalised, it can be used to compute statistics across the whole system.
- Analysis Tool: reads the data from the central database and computes reports with statistics for the whole system.
How the network monitoring system operates

Figure II.4: Operating diagram of the network monitoring system

Each Sensor has a list of the objects it must monitor. These may be an activity log file on a computer, a service on another system, or the status-reporting component of a firewall/router. Using this list, the Sensor sends queries to each object to retrieve information. The information obtained is sent to the Collector for normalisation before being stored in the central database.
The project proposed the diagram of the information processing system for the interaction between the central database and the other components.

Figure II.5: Integrated database system NSIDB

Results: the network security information sources fed into the integrated database system NSIDB were analysed in detail. Applying the method of converting data to the Syslog standard, a method was proposed for building standard data-collecting Agent software. On that basis, a unified input data format for NSIDB was determined: 4 data structures describing the 4 normalised types of information security event (the normal, MAC, OS and service events) and 1 structure for entering notifications. This database is simple but fully compatible with the IODEF standard.
To build the test system, the project proposed improving on the OSSIM system as the technology suited to the application objectives and able to integrate with many open-source products and many foreign data sources.

II.2. Research and design of the NSIDB integrated database system
II.2.1. Research and design of the information-exchange method between the database and the other components of the system
II.2.1.1. The Internet security monitoring system
a) Functional systems
VNCERT's survey and research results allow a feasible design and deployment of the network monitoring system with the following common functional components:
- subsystem supporting information collection from the notification channels;
- subsystem of dedicated monitoring sensors;
- subsystem of dedicated information-collection software;
- subsystem collecting information from commercial network-protection devices;
- subsystem of the central database and information-processing software;
- subsystem supporting command and control of incident response.
To satisfy these functions we propose the general structure of the operating system shown in Figure II.5.
b) General structure of the system
The network security monitoring system comprises:
1. the groups of agents (people/devices/software/information channels) that collect network-security information;
2. the central system for receiving and collecting network-security information (SIGS);
3. the system for storing and processing information, statistics, alerting and control (SIPS).
c) The system database
The central system for receiving and collecting network-security information (SIGS) and the system for storing and processing information, statistics, alerting and control (SIPS) both operate on the basis of one integrated data centre, NSIDB.
In essence NSIDB consists of a group of interacting databases:
a) a database storing the ATM incident notifications collected from IDS sources, which we call the notification database;
b) a database storing the ATM incident objects obtained after the notifications have been processed, which we call the incident database.
As analysed, we apply an IDMEF-compatible data structure to the notification database and an IODEF-compatible data structure to the incident database.

Figure II.5: General structure of the NSIDB integrated database system

d) Information-exchange needs between the NSIDB database and the other components
In general terms, the NSIDB database interacts directly with two subsystems:
+ the central system for receiving and collecting network-security information (SIGS);
+ the system for storing and processing information, statistics, alerting and control (SIPS).
Apart from the ordinary standard control information used to connect the subsystems, the main information flows are:
+ Flow between SIGS and the NSIDB database: in the upward direction, information-security notifications from the notification sources (ATM devices, sensors/agents, notification channels) are written to the database after normalization; in the downward direction, from the database to SIGS, some sensors or agents may need access to certain kinds of configuration information.
+ Flow between SIPS and the NSIDB database.
+ Use of Syslog, a logging facility that is very common on Linux operating systems. Syslog recognizes and records every kind of system message, from routine to critical. Syslog manages system messages on the basis of two labels carried by each message:
The first label identifies the source (the facility) that generated the message.
The second label expresses the importance (the severity) of the message and takes one of eight values:
Level  Keyword
0      emergencies
1      alerts
2      critical
3      errors
4      warnings
5      notifications
6      informational
7      debugging
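Both labels travel in the single PRI number at the start of every syslog line (PRI = facility * 8 + severity), so a collector that normalizes Syslog input has to split that number before it can filter by importance. The following Python is an added example, not code from the VNCERT report or from OSSIM: it decodes PRI, maps the severity to the eight keywords in the table above, uses the conventional RFC 5424 facility names, and keeps only the messages a collector would forward. The sample lines and the forwarding threshold are constructed for the example.

```python
"""Decode the two syslog labels, facility and severity, and filter a batch.

Added example, not code from the report. Sample messages are constructed;
severity keywords are the eight from the table, facility names are the
conventional RFC 5424 ones (unknown facilities fall back to 'facilityN').
"""
import re
from dataclasses import dataclass

SEVERITY_KEYWORDS = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Both BSD (RFC 3164) and RFC 5424 messages start with <PRI>.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass(frozen=True)
class SyslogEvent:
    facility: int
    facility_name: str
    severity: int
    severity_keyword: str
    body: str


def decode_pri(pri):
    """Split PRI into (facility, severity); 191 = 23 * 8 + 7 is the largest legal value."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI %d outside 0..191" % pri)
    return pri >> 3, pri & 0x7


def parse_syslog(line):
    """Parse one raw line into a normalized SyslogEvent."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    return SyslogEvent(
        facility=facility,
        facility_name=FACILITY_NAMES.get(facility, "facility%d" % facility),
        severity=severity,
        severity_keyword=SEVERITY_KEYWORDS[severity],
        body=m.group(2).strip(),
    )


def select_for_collector(lines, max_severity=4):
    """Return events at least as urgent as max_severity (lower number = more urgent).

    The default keeps 'warnings' (4) up to 'emergencies' (0) and drops
    notifications, informational and debugging. Unparseable or out-of-range
    lines are skipped rather than aborting the whole batch.
    """
    selected = []
    for line in lines:
        try:
            ev = parse_syslog(line)
        except ValueError:
            continue
        if ev.severity <= max_severity:
            selected.append(ev)
    return selected


# Constructed sample input, not output of a real device.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fw01 sshd[1234]: Failed password for root from 203.0.113.7 port 4242",
    "<164>1 2011-10-11T22:14:15Z ids01 snort - - - [1:2001219:1] ET SCAN Potential SSH Scan",
    "<13>Oct 11 22:14:16 web01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "<190>Oct 11 22:14:17 web01 nginx: GET /index.html 200",
    "<200>PRI out of range, must be dropped",
    "no header at all",
]

if __name__ == "__main__":
    for ev in select_for_collector(SAMPLE_LINES):
        print(ev.facility_name, ev.severity_keyword, ev.body[:40])
```

PRI 34 decodes to facility 4 (auth) and severity 2 (critical), PRI 164 to local4/warnings, so only those two lines survive the default filter; the line with PRI 200 is rejected because the highest legal PRI is 191.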
II.2.1.2. Proposed information-exchange framework within the system
a) Information exchange
The basic information flows shown in the figure explain the nature of the information processing.
Information may be collected from many sources: sources that interact with people, such as official letters, telephone, fax, e-mail and websites; and automatic sources such as network devices and dedicated Probes. The information is stored in a centralized database (the network-security monitoring database) and analysed to produce statistics and alerts. When necessary, the system can act back on the network devices to block the threats.
Thus the SIGS system receives notifications of attacks (already occurred or likely to occur) and performs the initial processing.
The general model for collecting notifications from sensor devices (IDS, firewall) is shown in Figure II.6.

Figure II.6: Collecting information from devices
The devices generate IDMEF messages written in the IDS alert format. The notifications are transferred into SQL database tables by the IDMEF-DBMS reference module and the Java database connectivity library (JDBC connection pool).
As analysed in the earlier studies, information processing essentially means receiving incident notifications (messages) from the agents, transforming them into data in the standard format, and selectively storing, analysing, compiling statistics on and exchanging them.
IDMEF notifications are processed in a four-stage cycle: Data Aggregation, Data Reduction, Data Correlation and Data Induction.
This collection and transformation of notifications follows the IDMEF standard framework and is supported at every processing step by international standards.
After processing, information about one incident object is distilled from a large number of notifications. At that point we use the IODEF standard format for long-term storage, for statistical analysis and for later information exchange.
b) Information-exchange framework with the notification database
We conclude that the Alert format of the IDMEF standard should be adopted as the information-exchange framework for network attack detection.
The contents of this framework are:
- Alert
- Source
- Target
- Classification
- CreateTime (time the alert was created)
- DetectTime (time of detection)
- AnalyzerTime (time of analysis)
- Analyzer (the analysing person or device)
- Assessment
- CorrelationAlert
- ToolAlert
- OverflowAlert
- AdditionalData
In the XML description of the IDMEF data structure, this framework comprises at least the following data classes:
c) Information-exchange framework with the incident database
Information about a network-security incident (whether or not it has yet occurred) is treated as an incident object and stored in one record following the IODEF standard. The minimum exchanged content should also carry information compatible with the incident notification.
In conclusion, we use the IODEF standard format for long-term storage, for statistical analysis and for exchanging information about incident objects.
The contents of this framework are:
- Attack
- Attacker
- Damage
- Event
- Evidence
- Incident
- Impact
- Target
- Victim
- Vulnerability
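The path from section b) to section c) is: IDMEF Alert messages arrive from the sensors, are flattened into notification rows, are aggregated and correlated, and the surviving group becomes one IODEF incident record. The following Python is an added example written for this report, not the IDMEF-DBMS module or any VNCERT code: it parses IDMEF Alerts (RFC 4765 element names), correlates them on source, target and classification, and serializes the group as an IODEF-Document (RFC 5070). The IDMEF input is constructed, the correlation key is one simple choice among many, and the CSIRT name "vncert.example" is a placeholder.

```python
"""IDMEF alerts in, one IODEF incident per correlated group out.

Added example, not the report's IDMEF-DBMS module. The IDMEF input is a
constructed sample; element names follow RFC 4765 (IDMEF) and RFC 5070
(IODEF). The correlation key (same source, target and classification) and
the CSIRT name "vncert.example" are assumptions made for illustration.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

IDMEF_NS = "http://iana.org/idmef"
IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"

def _idmef(tag):
    return "{%s}%s" % (IDMEF_NS, tag)

def _iodef(tag):
    return "{%s}%s" % (IODEF_NS, tag)

@dataclass(frozen=True)
class Alert:
    message_id: str
    analyzer_id: str
    create_time: str
    source: str
    target: str
    classification: str
    severity: str  # IDMEF Impact severity: info | low | medium | high

def _address(alert_el, side):
    node = alert_el.find("/".join(_idmef(t) for t in (side, "Node", "Address", "address")))
    return node.text.strip() if node is not None and node.text else "unknown"

def parse_idmef(xml_text):
    """Flatten every Alert of an IDMEF-Message into Alert records (notification DB rows)."""
    alerts = []
    for el in ET.fromstring(xml_text).iter(_idmef("Alert")):
        analyzer = el.find(_idmef("Analyzer"))
        cls = el.find(_idmef("Classification"))
        impact = el.find(_idmef("Assessment") + "/" + _idmef("Impact"))
        alerts.append(Alert(
            message_id=el.get("messageid", ""),
            analyzer_id=analyzer.get("analyzerid", "") if analyzer is not None else "",
            create_time=(el.findtext(_idmef("CreateTime")) or "").strip(),
            source=_address(el, "Source"),
            target=_address(el, "Target"),
            classification=cls.get("text", "") if cls is not None else "",
            severity=impact.get("severity", "medium") if impact is not None else "medium",
        ))
    return alerts

def correlate(alerts):
    """Aggregation and reduction: one group per (source, target, classification)."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a.source, a.target, a.classification)].append(a)
    return dict(groups)

_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}
_IODEF_SEVERITY = {"info": "low", "low": "low", "medium": "medium", "high": "high"}

def to_iodef(incident_id, key, alerts, report_time):
    """Serialize one correlated group as an IODEF-Document for the incident DB."""
    source, target, classification = key
    worst = max(alerts, key=lambda a: _RANK.get(a.severity, 0)).severity
    ET.register_namespace("", IODEF_NS)  # emit IODEF as the default namespace
    doc = ET.Element(_iodef("IODEF-Document"), {"version": "1.00", "lang": "en"})
    inc = ET.SubElement(doc, _iodef("Incident"), {"purpose": "reporting"})
    ET.SubElement(inc, _iodef("IncidentID"), {"name": "vncert.example"}).text = incident_id
    ET.SubElement(inc, _iodef("ReportTime")).text = report_time
    ET.SubElement(inc, _iodef("Description")).text = "%s: %d IDMEF alert(s) correlated" % (
        classification, len(alerts))
    assessment = ET.SubElement(inc, _iodef("Assessment"))
    ET.SubElement(assessment, _iodef("Impact"),
                  {"severity": _IODEF_SEVERITY.get(worst, "medium"), "completion": "failed"})
    contact = ET.SubElement(inc, _iodef("Contact"), {"role": "creator", "type": "organization"})
    ET.SubElement(contact, _iodef("ContactName")).text = "vncert.example"
    event_data = ET.SubElement(inc, _iodef("EventData"))
    flow = ET.SubElement(event_data, _iodef("Flow"))
    for category, ip in (("source", source), ("target", target)):
        system = ET.SubElement(flow, _iodef("System"), {"category": category})
        node = ET.SubElement(system, _iodef("Node"))
        ET.SubElement(node, _iodef("Address"), {"category": "ipv4-addr"}).text = ip
    for a in alerts:  # keep the IDMEF message ids as evidence references
        ET.SubElement(event_data, _iodef("AdditionalData"),
                      {"dtype": "string", "meaning": "idmef-messageid"}).text = a.message_id
    return ET.tostring(doc, encoding="unicode")

def iodef_summary(doc_xml):
    """Parse an IODEF-Document back into the fields a CSIRT checks first."""
    inc = ET.fromstring(doc_xml).find(_iodef("Incident"))
    impact = inc.find(_iodef("Assessment") + "/" + _iodef("Impact"))
    return {"id": inc.findtext(_iodef("IncidentID")), "severity": impact.get("severity"),
            "addresses": [a.text for a in inc.iter(_iodef("Address"))],
            "idmef_ids": [d.text for d in inc.iter(_iodef("AdditionalData"))]}

def _sample_alert(mid, src, dst, text, severity, when):
    # Constructed IDMEF Alert; the ntpstamp is a placeholder value.
    return ('<idmef:Alert messageid="%s"><idmef:Analyzer analyzerid="snort-sensor-01"/>'
            '<idmef:CreateTime ntpstamp="0xd2581bd7.0x00000000">%s</idmef:CreateTime>'
            '<idmef:Classification text="%s"/>'
            '<idmef:Source><idmef:Node><idmef:Address category="ipv4-addr">'
            '<idmef:address>%s</idmef:address></idmef:Address></idmef:Node></idmef:Source>'
            '<idmef:Target><idmef:Node><idmef:Address category="ipv4-addr">'
            '<idmef:address>%s</idmef:address></idmef:Address></idmef:Node></idmef:Target>'
            '<idmef:Assessment><idmef:Impact severity="%s"/></idmef:Assessment>'
            '</idmef:Alert>') % (mid, when, text, src, dst, severity)

IDMEF_SAMPLE = (
    '<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">'
    + _sample_alert("a1", "203.0.113.7", "192.168.1.111", "SSH brute force", "medium", "2011-10-11T22:14:15Z")
    + _sample_alert("a2", "203.0.113.7", "192.168.1.111", "SSH brute force", "high", "2011-10-11T22:14:20Z")
    + _sample_alert("a3", "198.51.100.9", "192.168.1.135", "Web scan", "low", "2011-10-11T22:15:02Z")
    + "</idmef:IDMEF-Message>")
```

With the three constructed alerts, correlation yields two groups; the SSH group keeps the worse of its two severities ("high") and lists both IDMEF message ids as evidence. A real deployment would add a time window to the key and fill DetectTime, StartTime and Contact from the sensor and the CSIRT's own records.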
II.2.2. Design of the backup database and of data recovery when an incident occurs
II.2.2.1. Database backup and recovery solution
Data loss is caused by hardware failures, software failures, virus attacks or user error. System failures can be mitigated by using highly stable hardware and software and by increasing hardware redundancy.
Data loss caused by virus attacks or user error, however, cannot be remedied by those measures at all. Data backup is therefore an extremely important solution for an information system, protecting the data against both system failures and user-side mistakes.
The solution comprises a procedure and recovery utilities, for ordinary data files as well as for the database, that allow data to be recovered faster and more effectively than with ordinary recovery methods. The important characteristics of recovery are:
- a standardized recovery procedure with built-in tools that support recovery for different kinds of database and application;
- the ability to recover the data as of any point in time consistent with the established backup strategy;
- the ability to choose partial or full recovery of the affected data, with additional utilities that automatically restart failed operations.
II.2.2.2. Data design
Comprises (see Branch 2 of this project for details):
a) data-recovery log table: RESTOREDB_LOG
b) data-backup log table: BACK_UP_LOG
II.2.3. Design of the security solution for the integrated network-security monitoring database
Solution for ensuring the safety of the system's data
II.2.3.1. Method
Ensuring the safety of the system's data requires an overall solution that secures every operating component, covering three groups of work.
Preventing unauthorized access to the system and damage to the data:
a) protecting the peripheral probe devices/sensors;
b) securing the transmission channels connecting the sensors to the centre;
c) preventing unauthorized access to the central processing system.
Protecting the system's database:
a) backing up the database;
b) recovering the system after an incident.
Information-security management measures, including:
a) monitoring the components of the system;
b) rapidly detecting threats and incidents;
c) organizing drills to evaluate, and audits of, the security of the system.
The criteria and principles for choosing solutions when designing and building the system are:
+ high security, achieved by minimizing the threats to the system;
+ the system can always be restored within an acceptable time;
+ low cost;
+ little impact on the information-processing performance of the system.
For the protection of the system's data, the groups of solutions below must be deployed.
II.2.3.2. Groups of data-protection solutions
a) Protecting data on the peripheral probe devices/sensors
Sensor devices should be built as black boxes: every unnecessary connection port is removed and a minimal operating system is used, based on a maximally stripped-down, highly stable Linux. They are deployed at protected locations.
Sensors must use watchdog technology so that they can be restarted remotely when the system hangs. They must be able to connect and disconnect the transmission channel automatically as needed, and must restrict the set of IP/MAC addresses and ports that may connect to them. Every other information-sharing function on the network is switched off.
b) Securing the transmission channels between the sensors and the centre
The monitoring sensors connect to the centralized management system over a network that carries alerts and control signals. Two solutions are in common use worldwide:
+ First, the sensors connect to the management system over a dedicated network built separately from, and unrelated to, the Internet. This solution is very secure and very fast but costly.
+ Second, the sensors connect to the management system over the Internet.
Connecting over the Internet is a cheap and reasonable solution. To keep the system secure, virtual private network technology is applied (encrypted VPN or SSH channels).
More simply still, one may use Internet protocols that are cryptographically protected, but this reduces system performance, and the security is also not high because direct connections over the Internet are easy to attack.
Connecting over a virtual private network is a cheap solution and may suit the current conditions in Vietnam.
c) User management and access authorization
The system must use its own access-control mechanism. It allows user groups to be defined, the sections of the website to be defined as objects, and the objects that each user group may access to be set. This is the web interface that manages the system's access-control function.
In user management and authorization, attention must be paid to cryptographic measures that protect user information.
In our case the system does not necessarily require the entire content of the database to be encrypted, and doing so would heavily affect processing speed. Only when the system grows larger and goes into official operation will that measure be considered.
d) Logging access to the system
Keeping access logs is a mandatory condition for administering the system securely. The system itself has tools that help analyse the log files automatically.
e) Placing a monitoring sensor at the system's external connection points
The sensor can be installed directly on the gateway server or connected to the router without affecting system performance. Its data is processed under the same rules as that of any other sensor. In this way the system itself is closely monitored.
The protection solution is complete only if protective devices such as IDS, firewall and anti-virus are used at the necessary nodes, especially at the gateway to the external network (the Internet).
f) Database backup
A simple and effective way to keep the data safe is for the system to provide a database-backup function, so that no data is lost if the system fails. This function simply queries the entire database and exports it to a file; the file contains the queries that recreate all the data in the system's database.
Note that the backup copy must be kept in a safe place and not on the system itself. It is also necessary to check that the backup file is actually usable. Over time, the n most recent backups can be retained. Alongside the data backup, a copy of the system's software is kept.
Hot-backup solutions and the parallel use of standby servers are technically feasible but expensive and not yet needed for this system.
g) Recovering the system after an incident
This is the reverse of the above: when the system fails or loses data, the administrator can restore it from the most recent backup. In essence this means reading the backup file and executing the queries it contains to recreate the data in the system's database.
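Sections f) and g) describe a logical dump (a file of statements that recreate the data), the requirements that the dump be stored elsewhere and proven usable, retention of the n most recent copies, and a restore that replays the file. The following Python is an added example, not the report's backup utility or OSSIM code: it implements that cycle with SQLite's iterdump() standing in for the MySQL dump the report targets, so it runs offline. The checksum sidecar and the restore-into-scratch-database check are the "make sure the file is usable" step; the incident table layout follows the incident columns used later in this chapter and the two rows are constructed.

```python
"""Logical SQL dump, verification, rotation and restore of the incident table.

Added example, not the report's backup utility. SQLite's iterdump() stands in
for the MySQL dump the report targets so the code runs offline; the table
copies the incident columns (id, title, date, ref, priority) of this chapter
and the two sample rows are constructed.
"""
import hashlib
import itertools
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

SCHEMA = """CREATE TABLE IF NOT EXISTS incident (
    id INTEGER PRIMARY KEY, title TEXT NOT NULL, date TEXT NOT NULL,
    ref TEXT, priority INTEGER NOT NULL);"""
SAMPLE_ROWS = [
    (1, "DDoS attack", "2010-05-25T23:00:00Z", "Attack at 23:00 on 25/5/2010", 3),
    (2, "Phishing", "2010-05-26T08:30:00Z", "Forged e-mail stealing credentials", 4),
]
_SEQ = itertools.count()  # keeps file names unique within one process

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def seed(conn, rows=SAMPLE_ROWS):
    conn.executemany("INSERT INTO incident VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()

def dump_sql(conn):
    """The backup file: SQL statements that recreate schema and data."""
    return "\n".join(conn.iterdump()) + "\n"

def _sha256(data):
    return hashlib.sha256(data).hexdigest()

def list_backups(backup_dir):
    """Backup paths, newest first (names embed a UTC timestamp, so they sort)."""
    names = sorted(n for n in os.listdir(backup_dir) if n.endswith(".sql"))
    return [os.path.join(backup_dir, n) for n in reversed(names)]

def write_backup(conn, backup_dir, keep=3):
    """Write incident-<stamp>-<seq>.sql plus a .sha256 sidecar; keep only the newest `keep`."""
    os.makedirs(backup_dir, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    path = os.path.join(backup_dir, "incident-%s-%06d.sql" % (stamp, next(_SEQ)))
    data = dump_sql(conn).encode("utf-8")
    with open(path, "wb") as f:
        f.write(data)
    with open(path + ".sha256", "w") as f:
        f.write(_sha256(data))
    for old in list_backups(backup_dir)[keep:]:  # rotation: drop everything beyond `keep`
        os.remove(old)
        os.remove(old + ".sha256")
    return path

def verify_backup(path, expected_rows=None):
    """True only if the checksum matches and the dump restores into a scratch database."""
    with open(path, "rb") as f:
        data = f.read()
    with open(path + ".sha256") as f:
        if f.read().strip() != _sha256(data):
            return False
    scratch = sqlite3.connect(":memory:")
    try:
        scratch.executescript(data.decode("utf-8"))
        rows = scratch.execute("SELECT COUNT(*) FROM incident").fetchone()[0]
    except sqlite3.Error:
        return False
    finally:
        scratch.close()
    return expected_rows is None or rows == expected_rows

def restore(conn, path):
    """Replay the dump after dropping the damaged table; returns the restored row count."""
    with open(path, encoding="utf-8") as f:
        script = f.read()
    conn.executescript("DROP TABLE IF EXISTS incident;")
    conn.executescript(script)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM incident").fetchone()[0]

def run_cycle(keep=3):
    """Backup, rotate, verify, simulate loss, restore; returns what each step produced."""
    with tempfile.TemporaryDirectory() as tmp:
        conn = open_db()
        seed(conn)
        written = [write_backup(conn, tmp, keep=keep) for _ in range(keep + 1)]
        kept = list_backups(tmp)
        with open(kept[-1], "ab") as f:  # damage the oldest surviving copy
            f.write(b"-- bit rot\n")
        conn.execute("DELETE FROM incident")  # simulated data loss
        conn.commit()
        result = {
            "written": len(written),
            "kept": len(kept),
            "latest_ok": verify_backup(kept[0], expected_rows=len(SAMPLE_ROWS)),
            "damaged_ok": verify_backup(kept[-1]),
            "rows_before_restore": conn.execute("SELECT COUNT(*) FROM incident").fetchone()[0],
            "rows_after_restore": restore(conn, kept[0]),
        }
        conn.close()
        return result
```

run_cycle() writes four dumps with keep=3 so one is rotated out, proves the newest copy restores all rows into a scratch database, shows that a damaged copy fails verification before anyone relies on it, and finally restores the emptied table. In production the backup directory would be a remote or offline location, as section f) requires, and the sidecar would be signed rather than a bare hash so that an attacker who can alter the dump cannot also "fix" its checksum.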
h) Log-file monitoring
During operation, the central system must connect to the database to retrieve the information on the events stored there. The server's logging is also done in the database.
Regularly watching the log files helps detect abnormal access quickly.
i) Reacting to signs of intrusion
Most intrusion-detection systems can react automatically when attacked, though the capability is limited, and the reactions usually amount to filtering, blocking or disconnecting. The reactions can be divided into two kinds: passive and active.
Passive reaction
Normally, intrusion-detection systems watch the activity on the network, write it to a log file and alert the administrator in several forms. The administrator usually configures the intrusion-detection system to alert in different ways depending on how serious the attack is and how often such attacks occur. In this mode the IDS stops there; the rest of the work is left to the administrator.
Active reaction
Here the intrusion-detection system not only alerts the administrator and waits for follow-up handling, but can also react automatically by:
- marking and dropping malicious traffic;
- terminating TCP sessions in which signs of an attack are detected;
- sending ICMP messages: messages sent to the source address when the destination cannot be reached, so that the pre-configured firewalls and routers between the target system and the attacker block the attacker's traffic.
In addition, it may be able to look up information about the attacker such as name, route, operating system (Unix, Windows, ...) and port numbers.
II.2.4. Overall design of the integrated network-security monitoring database system NSIDB
II.2.4.1. System overview
The database of the network-security monitoring system is divided into several subsystems. Each subsystem has its own role and function and describes its own part of the system, and the subsystems are very closely related to one another.
The database of the information-security incident management system stores information on incidents collected from users and from the system's administrative staff; the information is entered directly through a web interface. Incidents are sent to the management board of the monitoring system and stored in the database.
The system database also includes components designed to store information collected automatically from the monitoring devices, which collect it, send it in and store it in the database installed on the server.
The database of the network-security monitoring system is divided into the following sub-subsystems:
- subsystem storing information on network-security incidents;
- subsystem storing information on network attacks;
- subsystem storing state information on the critical systems;
- subsystem storing user-administration information.
II.2.4.2. System description
The integrated network-security monitoring database system is described overall through the database subsystems. Each subsystem describes the operation of one part of the system within the information-security system.

Database subsystem storing state information on the critical systems
Detailed design of the database subsystem storing state information on the critical systems. It stores all information about servers, networks and software (plugins) so that the information can be checked for accuracy, filtered and supplemented with incident information before it is converted into a network-security event. On the basis of the priority, the information-asset value and the reliability thus determined, a risk level can be derived for each network, server or plugin.
Database subsystem storing user-administration information
Detailed design of the database subsystem storing user-administration information. Every access to the system goes through a user account. Groups are created to gather users who share the same rights or a particular policy with respect to the system, which makes administration and information management easier.
Database subsystem storing information on network-security incidents
Design of the database subsystem storing information on network-security incidents. It comprises the group of tables that store information on the network-security incidents collected or detected. An incident is understood as a network-security problem and consists of one or more distinct network-security events. An incident is a set of events that share some common feature, which makes handling easier for the information-security specialist. In the handling process, a network-security notification is converted into a network-security incident after experts have checked its accuracy, screened its danger level and added incident information. The information on one incident comprises: title, date created/date the incident occurred, incident type, incident-handling time, danger level of the incident, information source, source/destination IP addresses and source/destination ports, the person receiving and handling the incident, the person in charge, supplementary incident information and the files attached to each incident.
Database subsystem storing information on network attacks
Detailed design of the database subsystem storing information on network attacks. It comprises the group of tables that store information on network attacks: the events and abnormal signs that the network-security monitoring system collects from agents such as sensors, IDS and firewalls. These events are stored in the Event table. The security system analyses the correlation between the tables in the database using the priority, the reliability, the configured thresholds, the frequency, the risk level, the applicable policy and the recognition signatures, in order to determine whether or not these events constitute a real network attack; from this, suitable countermeasures and administrative policies are derived and the group of events is raised to an alarm. When an alarm reaches a certain danger level it becomes an incident. The attack-storage subsystem comprises the following groups of tables: events (Event), alarms (Alarm), network-attack recognition signatures, and the policies applied to collecting attacks.
II.2.4.3. Overview of the database system components
The overall operation of the integrated network-security monitoring database system is sketched in the following figure.
The information-collecting devices are sensors on which one or several agents (Snort, Arpwatch, Ntop, ...) may be integrated; they continuously monitor, collect network alerts and send them up to the system management server. At the management server all event information is pushed into the database, where the system administrator manages it and can carry out the management, analysis and security assessment of the incident information.
- Event table (Event)
- Incident table (Incident)
- Alarm table (Alarm)
- Host table (Host): a host asset is configured according to policy. Every host has an asset value attached to it. This value is used to determine the danger level when an event is received. The value ranges from 1 to 5: 1 means the host holds little of value; 5 is the highest value, for a server of major importance. When an event is received it carries a priority, a reliability and the assigned asset value. Risk is computed by the following formula:
Risk = Asset * (Reliability * Priority / 25)
Example: with reliability 10 and priority 5, the risk for the first event is 10 and for the second is 2.
Event            IP address      Asset  Reliability  Priority  Risk
Server A (Snort) 192.168.1.111   5      10           5         10 = 5 * (10 * 5 / 25)
Server B         192.168.1.135   1      10           5         2 = 1 * (10 * 5 / 25)
- Policy table (Policy):
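The Event table listed later in this chapter carries Asset_src, Asset_dst, Risk_a and Risk_c, and the Host table carries Threshold_c and Threshold_a, so the formula above is evaluated twice per event, once with each endpoint's asset value, and the result is compared against that host's thresholds to decide whether the event becomes an alarm. The following Python is an added example, not the report's or OSSIM's code: it reproduces the two rows of the table above and extends them with the threshold step. The pairing of Risk_c with the destination host and Risk_a with the source host, the default asset value for unknown hosts, and the threshold values are assumptions made for the example; the events are constructed.

```python
"""Risk = Asset * (Reliability * Priority / 25), applied per endpoint with thresholds.

Added example, not the report's code. Host rows and events are constructed;
the rule that Risk_c uses the destination host's asset and Risk_a the
source host's asset, and the thresholds, are assumptions chosen to fit the
Event and Host columns listed in this chapter.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    ip: str
    asset: int          # 1..5, the Host.Asset column
    threshold_c: float  # Host.Threshold_c: alarm when Risk_c reaches it
    threshold_a: float  # Host.Threshold_a: alarm when Risk_a reaches it


@dataclass(frozen=True)
class Event:
    event_id: int
    src_ip: str
    dst_ip: str
    priority: int     # 0..5, from Plugin_sid.Priority
    reliability: int  # 0..10, from Plugin_sid.Reliability


DEFAULT_HOST_ASSET = 2       # assumption for IPs with no Host row
DEFAULT_THRESHOLD = 5.0      # assumption for IPs with no Host row


def risk(asset, reliability, priority):
    """The report's formula; 0..10 for inputs in range."""
    if not (1 <= asset <= 5 and 0 <= reliability <= 10 and 0 <= priority <= 5):
        raise ValueError("asset 1..5, reliability 0..10, priority 0..5")
    return asset * (reliability * priority / 25)


def score(event, hosts):
    """Return (risk_a, risk_c): risk seen from the source host and from the destination host."""
    src = hosts.get(event.src_ip)
    dst = hosts.get(event.dst_ip)
    src_asset = src.asset if src else DEFAULT_HOST_ASSET
    dst_asset = dst.asset if dst else DEFAULT_HOST_ASSET
    return (risk(src_asset, event.reliability, event.priority),
            risk(dst_asset, event.reliability, event.priority))


def alarms(events, hosts):
    """Events whose Risk_c or Risk_a reaches the relevant host threshold become alarms."""
    raised = []
    for ev in events:
        risk_a, risk_c = score(ev, hosts)
        dst = hosts.get(ev.dst_ip)
        src = hosts.get(ev.src_ip)
        t_c = dst.threshold_c if dst else DEFAULT_THRESHOLD
        t_a = src.threshold_a if src else DEFAULT_THRESHOLD
        if risk_c >= t_c or risk_a >= t_a:
            raised.append((ev.event_id, max(risk_a, risk_c)))
    return raised


# Constructed Host rows (the two servers of the table above) and constructed events.
HOSTS = {
    "192.168.1.111": Host("192.168.1.111", asset=5, threshold_c=5.0, threshold_a=5.0),
    "192.168.1.135": Host("192.168.1.135", asset=1, threshold_c=5.0, threshold_a=5.0),
}
EVENTS = [
    Event(1, "203.0.113.7", "192.168.1.111", priority=5, reliability=10),   # brute force against A
    Event(2, "203.0.113.7", "192.168.1.135", priority=5, reliability=10),   # same signature against B
    Event(3, "192.168.1.111", "198.51.100.9", priority=5, reliability=8),   # A is the source: outbound
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.event_id, score(ev, HOSTS))
    print(alarms(EVENTS, HOSTS))
```

Event 1 reproduces the first table row (Risk_c = 10) and becomes an alarm; event 2 reproduces the second row (Risk_c = 2) and does not, because server B is a low-value asset. Event 3 shows why the source-side risk is kept at all: the same high-value server appearing as the attacker yields Risk_a = 8 and an alarm, which is the signal that it may be compromised.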


Interaction between the database and the processing components of the system
Figure II.7: Interaction diagram between the database and the processing components of the system


II.3.1. Detailed design of the database subsystem storing information on network-security incidents
Data content to be designed
Based on the analysis of the modules, data flows and data-exchange methods in the preceding parts, in this part we design the group of tables that store information on the network-security incidents collected or detected.
An incident is understood as a network-security problem and consists of one or more distinct network-security events. An incident is a set of events that share some common feature, which makes handling easier for the information-security specialist. In the handling process, a network-security notification is converted into a network-security incident after experts have checked its accuracy, screened its danger level and added incident information. This group of tables also needs a table storing the feedback between the expert receiving the network-security report and the person who supplied it or the other information sources related to the incident, together with the files attached to the incident, for example notes on the incident and notes on the incident feedback. The information on one incident comprises: title, date created/date the incident occurred, incident type, incident-handling time, danger level of the incident, information source, source/destination IP addresses and source/destination ports, the person receiving and handling the incident, the person in charge, supplementary incident information and the files attached to each incident.
To have enough information for processing, the information is classified into the following 10 basic tables: incident table (Incident), incident alert table (Incident_alarm), incident classification table (Incident_metric), incident file table (Incident_file), Incident_ticket table, response table (Response), host response table (Response_host), network response table (Response_net), port response table (Response_Port) and plugin response table (Response_Plugin).
II.3.2. Detailed design of the database subsystem storing information on network attacks
Data content to be designed
Based on the analysis of the modules, data flows and data-exchange methods in the preceding parts, in this part we design the group of tables that store information on network attacks.
The system comprises the group of tables that store information on network attacks: the events and abnormal signs that the network-security monitoring system collects from devices such as sensors, IDS and firewalls under the policies set by the administrator, and through other information sources such as websites, telephone and e-mail through which users supply information about the attacks they have encountered. These events are stored in the Event table. The security system analyses the correlation between the tables in the database using the priority, the reliability, the configured thresholds, the frequency, the risk level, the applicable policy and the recognition signatures, in order to determine whether or not these events constitute a real network attack; from this, suitable countermeasures and policies are derived and the group of events is raised to an alarm. When an alarm reaches a certain danger level it becomes an incident.
The main groups of tables are: Event, Backlog_event, Backlog, Alarm, Signature, Signature_group_reference, Signature_group, Policy_Sig_Reference, Policy, Policy_host_reference, Policy_net_reference, Policy_port_reference and Policy_time.
II.3.3. Detailed design of the database subsystem storing state information on the critical systems
II.3.3.1. Data content to be designed
Based on the analysis of the modules, data flows and data-exchange methods in the preceding parts, in this part we design the group of tables that store state information on the critical systems.
Detailed design of the database subsystem storing state information on the critical systems: it stores all information about servers, networks and plugins so that the information can be checked for accuracy, filtered and supplemented with incident information before it is converted into a network-security event. Network-security events are the most detailed units of information about network-security problems that have occurred or may occur. A network-security event usually belongs to one network-security incident. The information-security alerting process, and the derivation of risk levels and of network-security events for the information notifications, are stored in the database subsystem storing state information on the critical systems.
Storing information about servers, plugins and networks serves to derive priority levels for each network and server, and the reliability, priority and risk that may arise for each network system.
The database subsystem storing state information on the critical systems comprises the following groups:
- Host tables (Host_OS, Host_plugin, Host_services, Host_vulnerability, Host_mac, Host_netbios, Host_qualification, Host_Scan, Host_sensor_reference, Host): store all information related to a host.
- Net tables (Net, Net_group, Net_scan, Net_qualification, Net_group_reference, Net_sensor_reference, Net_vulnerability, Net_group_scan): store all information related to a network.
- Plugin tables (Plugin, Plugin_sid, Plugin_reference): store all information related to a plugin.
II.3.3.2. Database design
Group of tables storing network information: network table (NET), network-group table (NET_GROUP), network-group reference table (NET_GROUP_REFERENCE), network-group scan table (NET_GROUP_SCAN), network qualification table (NET_QUALIFICATION), network scan table (NET_SCAN), network-sensor reference table (NET_SENSOR_REFERENCE), network vulnerability table (NET_VULNERABILITY).
Group of tables storing host information: host table (HOST), host IDS table (HOST_IDS), host scan table (HOST_SCAN), host qualification table (HOST_QUALIFICATION), host NetBIOS table (HOST_NETBIOS), host MAC-address table (HOST_MAC), host operating-system table (HOST_OS), intermediate table HOST_PLUGIN_SID, host services table (HOST_SERVICES), host vulnerability table (HOST_VULNERABILITY), host-sensor reference table (HOST_SENSOR_REFERENCE), sensor table (SENSOR).
Group of tables storing plugin information: plugin table (PLUGIN), plugin reference table (PLUGIN_REFERENCE), plugin identifier table (PLUGIN_SID), plugin response table (RESPONSE_PLUGIN).
II.3.4. Detailed design of the database subsystem storing user-administration information
II.3.4.1. Data content to be designed
Based on the analysis of the modules, data flows and data-exchange methods in the preceding parts, in this part we design in detail the database subsystem storing user-administration information. Every access to the system goes through a user account. Every account is created by the system administrator, except for the root account (which has all rights). Groups are created to gather users who share the same rights or a particular policy with respect to the system, which makes administration easier. Ordinary users may use system resources only in a controlled manner.
In the collection and management of network-security incidents, groups and users are granted rights explicitly, which allows the administrator to compile statistics on and review the activities of the members.
Purpose of user administration:
- manage redundant data;
- ensure data consistency;
- enable more data sharing;
- improve data integrity.
The collected information, alerts and incident notifications form a very large volume of information that must be closely monitored and managed.
Detailed data design
Comprises the following tables: user table (USERS)
II.4. Building and deploying the NSIDB integrated database subsystems
II.4.1. Building, deploying, installing and testing the database subsystem storing ATM incident information and the database subsystem storing network-attack information. Comparison with the theoretical results
II.4.1.1. Purpose and requirements
The purpose of the tests of the database subsystems storing ATM incident information and network-attack information is to check and review storage capacity, to find errors in the SQL statements, and to find the practical shortcomings where the database storing incident and attack information is unsuitable or incomplete. To optimize the database that manages and stores incident and attack information in the ATM information storage system, we therefore have to install and test this database system.
After testing, the following must be produced:
- the shortcomings and unreasonable points, with the required changes to the fields of the tables and, if necessary, the tables to be added or removed;
- the statements that are incorrect or not optimal;
- the relationship diagram between the tables.
II.4.1.2. Installing and testing the database subsystem storing incident information
The subsystem comprises the following components. To have enough information for processing, the information is classified into the following 10 basic tables:
- Incident table (Incident): stores information on network incidents
- Incident alert table (Incident_alarm): stores alert information related to an incident
- Incident classification table (Incident_metric): stores the incident types
- Incident_file table: stores the files attached to incidents
- Incident_ticket table: stores incident notifications
- Response table: stores incident feedback
- Response_host table: incident feedback per host
- Response_net table: incident feedback per network
- Response_Port table: incident feedback per port on which the incident occurred
- Response_Plugin table: incident feedback per software used
Relationship diagram (tables and their columns, as read from the figure):
- incident: Id, Title, Date, Ref, priority
- Incident_alarm: Id, Incident_id, Src_ips, Src_ports, Dst_ips, Dst_ports
- Incident_metric: Id, Incident_id, Target, Metric_type, Metric_value
- Incident_file: Id, Incident_id, Name, Type, Content
- Incident_ticket: Id, Incident_id, Date, Status, Priority, Users, Description, Action, In_charge, Transferred, copy
- response: Id, Descr, Incident_id
- Response_host: Response_id, Host, _type
- Response_net: Response_id, Net, _type
- Response_port: Response_id, Port, _type
- Response_plugin: Response_id, Plugin_id
Figure II.8: Relationship diagram of the database storing incident information


Backup mechanism
The backup and recovery solution of Section II.2.2.1 applies to this subsystem.
Creating some functions
- Statement used to insert an incident into the database:
INSERT INTO `ATM`.`incident` (`id`, `title`, `date`, `ref`, `priority`) VALUES
  ('1', 'DDoS attack', CURRENT_TIMESTAMP, 'Attack carried out at 23:00 on 25/5/2010 by a professional hacker', '3'),
  ('2', 'Phishing', CURRENT_TIMESTAMP, 'Forged-e-mail attack aimed at stealing users'' passwords and account information', '4');
II.4.1.3. Installing and testing the database subsystem storing attack information
Comprises the following tables: event table (Event), event backup table (BACKLOG_EVENT), rule-correlation table (BACKLOG)
Relationship diagram between the tables

Tables and their columns, as read from the figure:
- Event: Id, Timestamp, Sensor, Interface, Type, Plugin_id, Plugin_sid, Protocol, Src_ip, Dst_ip, Src_port, Dst_port, Condition, Value, Time_interval, Absolute, Priority, Reliability, Asset_src, Asset_dst, Risk_a, Risk_c, Alarm, Snort_sid, Snort_cid
- Backlog: Id, Directive_id, Timestamp, matched
- Backlog_event: Backlog_id, Event_id, Time_out, Occurrence, Rule_level, matched
- Alarm: Backlog_id, Event_id, Timestamp, Plugin_id, Plugin_sid, Protocol, Src_ip, Dst_ip, Src_port, Dst_port, Risk, Snort_sid, Snort_cid
Figure II.9: Relationship diagram of the attack-information database


Backup mechanism
The backup and recovery solution of Section II.2.2.1 applies to this subsystem.
II.4.2. Building, deploying, installing and testing the database subsystem storing state information on the critical systems and the database subsystem storing user-administration information
This part of the document presents the results of building, deploying, installing and testing the database subsystem storing state information on the critical systems and the database subsystem storing user-administration information.
II.4.2.1. Installing and testing the database subsystem storing state information on the critical systems
The design of this subsystem is given in Section II.3.3.1.
After testing, the following must be produced:
- the shortcomings and unreasonable points, with the required changes to the fields of the tables and, if necessary, the tables to be added or removed;
- the statements that are incorrect or not optimal.
a) Tables
- Host tables (Host_OS, Host_plugin, Host_services, Host_vulnerability, Host_mac, Host_netbios, Host_qualification, Host_Scan, Host_sensor_reference, Host): store all information related to a host.
- Net tables (Net, Net_group, Net_scan, Net_qualification, Net_group_reference, Net_sensor_reference, Net_vulnerability, Net_group_scan): store all information related to a network.
- Plugin tables (Plugin, Plugin_sid, Plugin_reference): store all information related to a plugin.
b) Relationship diagrams of the tables
Relationship diagram of the host table group (tables and their columns, as read from the figure):
- Host: Ip, Hostname, Asset, Threshold_c, Threshold_a, Alert, Persistence, Nat, Descr, Rrd_profile
- Host_services: Ip, Port, Protocol, Service, Service_type, Version, Date, Origin
- Host_plugin_sid: Host_ip, Plugin_id, Plugin_sid
- Host_os: Ip, Os, Previous, Date, Anom
- Host_mac: Ip, Mac, Previous, Date, Vendor, Anom
- Host_vulnerability: Ip, Vulnerability
- Host_sensor_reference: Host_ip, Sensor_name
- Host_netbios: Ip, Name, Wgroup
- Host_qualification: Host_ip, Compromise, Attack
- Host_ids: Ip, Date, Hostname, Sensor, Sid, Event_type, What, Target, Extra_data
- Host_scan: Host_ip, Plugin_id, Plugin_sid
- Policy_host_reference: Policy_id, Host_ip, Direction
Figure II.10: Relationship group of the host tables
Relationship diagram of the network table group (tables and their columns, as read from the figure):

- net: Name, Ips, Priority, Threshold_c, Threshold_a, Alert, Persistence, Descr, Rrd_profile
- Net_group: Name, Threshold_c, Threshold_a, Rrd_profile, Descr
- Net_group_reference: Net_group_name, Net_name
- Net_sensor_reference: Net_name, Sensor_name
- Net_vulnerability: Net_name, Sensor_name
- Net_qualification: Net_name, Compromise, Attack
- Net_scan: Net_name, Plugin_id, Plugin_sid
Figure II.11: Relationship group of the network tables


Relationship diagram of the plugin table group (tables and their columns, as read from the figure):
- plugin: Id, Type, Name, Description
- Plugin_sid: Plugin_id, Sid, Category_id, Class_id, Reliability, Priority, Name
- Plugin_reference: Plugin_id, Plugin_sid, Reference_id, Reference_sid
- category: Id, Name
- Host_scan: Host_ip, Plugin_id, Plugin_sid
- Response_plugin: Response_id, Plugin_id
Figure II.12: Relationship group of the plugin tables


II.4.2.2. Installing and testing the database subsystem storing user-administration information
Every access to the system goes through a user account. Every account is created by the system administrator, except for the root account (which has all rights).
The group of tables storing user-administration information comprises:
- User table: stores the user's login name and password
- Profile table: stores the user's detailed information (name, address, e-mail, telephone number, gender, date of birth, work history, ...)
- Team table: stores information on the teams with different functions and duties, such as the incident-response team and the system-deployment team
- Group table: stores user-group information (group name, group code, rights)
- Permit table: sets the rights of users, groups and teams.
Relationship diagram of the tables (tables and their columns, as read from the figure):
- User: Id, Username, Password
- Profile: ID, Name, Birth, Gender, Email, Phone, Address, Team_id, Group_id
- User_team: Team_id, Name, Description
- Manage Group: Group_id, Group_name, PermitName, Description
- Permit: Permit_id, PermitName, Description
Figure II.13: Relationship diagram of the user tables
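The User table above holds Username and Password, and Section II.2.3.2 c) asks for cryptographic protection of user information without fixing the mechanism. The usual way to meet that for a login table is to store a salted, iterated one-way hash rather than the password or a reversible encryption of it, so that a copied table does not yield credentials. The following Python is an added example, not the report's code: it hashes with PBKDF2-HMAC-SHA256 (a fresh random salt per user, the work factor recorded alongside the hash so it can be raised later), verifies in constant time, and performs the lookup with a parameterized query. The iteration count, the storage format and the sample users are assumptions made for the example.

```python
"""Salted, iterated password hashing for the User table (Id, Username, Password).

Added example, not the report's code. The report only requires that user
information be cryptographically protected; storing a one-way PBKDF2 hash
instead of a plaintext or encrypted password is the usual way to do that
for a login table. The iteration count and the users below are constructed.
"""
import base64
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>'; a fresh random salt per call."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations,
                            base64.b64encode(salt).decode("ascii"),
                            base64.b64encode(digest).decode("ascii"))


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


# Hash of an arbitrary constant, verified when the user does not exist so that
# "no such user" costs the same time as "wrong password".
_DUMMY_HASH = hash_password("dummy-password-for-timing", salt=b"\x00" * SALT_BYTES)


def open_user_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, "
                 "username TEXT UNIQUE NOT NULL, password TEXT NOT NULL)")
    return conn


def add_user(conn, username, password):
    # Parameterized statement: the username never becomes part of the SQL text.
    conn.execute("INSERT INTO user (username, password) VALUES (?, ?)",
                 (username, hash_password(password)))
    conn.commit()


def login(conn, username, password):
    """True only if the user exists and the password matches its stored hash."""
    row = conn.execute("SELECT password FROM user WHERE username = ?", (username,)).fetchone()
    if row is None:
        verify_password(password, _DUMMY_HASH)  # burn the same work factor, then refuse
        return False
    return verify_password(password, row[0])


def stored_hash(conn, username):
    row = conn.execute("SELECT password FROM user WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_user_db()
    add_user(db, "analyst", "S3cret!")           # constructed user
    print(stored_hash(db, "analyst"))
    print(login(db, "analyst", "S3cret!"), login(db, "analyst", "s3cret!"))
```

Two users with the same password get different hashes because each gets its own salt, so a dump of the table reveals neither the password nor which accounts share one; the iteration count lives in the stored string, so raising ITERATIONS later only affects new hashes and the old ones still verify.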

CHAPTER III. RESEARCH AND DEVELOPMENT OF THE CENTRAL ATM INFORMATION COLLECTION SYSTEM
III.1. Overview
This report summarizes the research results of Branch 3 of project KC.01.09/06-10.
The main research content of Branch 3 is the development of the central network-security (ATM) information collection system, consisting of three basic products: the network-security information collection protocol ISGP; the automatic network-security information reception subsystem NSIAR; and the incident-notification handling support subsystem. The basic requirements for the research products of Branch 3 are as follows:
III.1.1. Phn h h tr x l thng bo s c
Phn h h tr x l thng bo s c thu thp thng tin v cc s c my
tnh xy ra trn mng Internet Vit Nam (mt trong cc thng tin an ton mng
quan trng cn c gim st) t cc ngun:
- Thng bo s c t cc c nhn, t chc trong v ngoi nc di cc
hnh thc gi cng vn, email, fax, in thoi, ng dng web.
- Qua cng tc theo di tnh hnh s c my tnh ca cc c quan chuyn
trch.
- C kh nng cp nht t cc CSDL s c khc.
Yu cu k thut: Cc thng tin ny c tip nhn, phi qua xc thc, x
l v gi n lu gi trong CSDL s c (mt phn ca CSDL gim st an ton
mng Vit Nam). Chi tit thng tin v mt s c cn tng thch vi nh dng
chun quc t IODEF (Incident Object Description and Exchange Format). Tc
x l khng cn cao.
Mt phn nh ca ni dung l xy dng phn mm x l tin bo v s c
mng thng qua giao din web c thc hin v th nghim thnh cng
trong ti cp B BCVT nm 2006 "Nghin cu xy dng c s d liu qun
l thng tin cnh bo an ton mng", m s 47-06-KHKT-RD, hin ang c
s dng trn website ca VNCERT. Tuy vy phc v cho CSDL ny cn

149

c b sung, hon thin vi quy m ln hn rt nhiu v lm cho tun th cht


ch chun IODEF.
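The IODEF requirement above means each stored incident must be expressible in the RFC 5070 format. The following Python script is an added example, not code from the VNCERT project: it builds a minimal IODEF 1.0 document from a report record as the web form might capture it, and checks that the mandatory Incident children are present before the document is stored or exchanged. The report dictionary, the CSIRT name, the IncidentID naming domain and the ID format are constructed assumptions.

```python
"""Build and check a minimal IODEF 1.0 (RFC 5070) document for one incident report.

Added example, not part of the VNCERT project code. The sample report, the CSIRT
name, the IncidentID naming domain and the ID format are constructed assumptions.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
ET.register_namespace("", IODEF_NS)  # serialise with IODEF as the default namespace

# Constructed sample record, as the SAMS web form might capture it (not real data).
SAMPLE_REPORT = {
    "id": "VNCERT-2011-000123",        # assumed ID format
    "id_domain": "vncert.gov.vn",      # assumed IncidentID/@name (the assigning CSIRT)
    "csirt_name": "VNCERT",
    "received": datetime(2011, 3, 4, 9, 30, tzinfo=timezone.utc),
    "description": "HTTP flood against a government web server",
    "impact_type": "dos",              # RFC 5070 Impact/@type value
    "severity": "medium",              # RFC 5070 Impact/@severity value
    "reporter_name": "Site administrator",
    "reporter_email": "admin@example.gov.vn",
    "target_ip": "203.0.113.10",
}


def _sub(parent, tag, text=None, **attrs):
    """Append a namespaced child element with optional text and attributes."""
    el = ET.SubElement(parent, "{%s}%s" % (IODEF_NS, tag), attrs)
    if text is not None:
        el.text = text
    return el


def report_to_iodef(report):
    """Return the IODEF-Document root element for one incident.

    Children are emitted in the order the RFC 5070 Incident schema requires:
    IncidentID, ReportTime, Description, Assessment, Contact, EventData.
    """
    root = ET.Element("{%s}IODEF-Document" % IODEF_NS,
                      {"version": "1.00", "lang": "en"})
    inc = _sub(root, "Incident", purpose="reporting")
    _sub(inc, "IncidentID", report["id"], name=report["id_domain"])
    _sub(inc, "ReportTime", report["received"].strftime("%Y-%m-%dT%H:%M:%SZ"))
    _sub(inc, "Description", report["description"])
    assessment = _sub(inc, "Assessment")
    _sub(assessment, "Impact", type=report["impact_type"],
         severity=report["severity"])
    # The creator contact is the CSIRT issuing the document; the reporter is
    # recorded as a technical contact so the handling team can reach them.
    creator = _sub(inc, "Contact", role="creator", type="organization")
    _sub(creator, "ContactName", report["csirt_name"])
    reporter = _sub(inc, "Contact", role="tech", type="person")
    _sub(reporter, "ContactName", report["reporter_name"])
    _sub(reporter, "Email", report["reporter_email"])
    event = _sub(inc, "EventData")
    system = _sub(_sub(event, "Flow"), "System", category="target")
    _sub(_sub(system, "Node"), "Address", report["target_ip"], category="ipv4-addr")
    return root


def iodef_xml(report):
    """Serialise the report as an IODEF XML string."""
    return ET.tostring(report_to_iodef(report), encoding="unicode")


REQUIRED = ("iodef:IncidentID", "iodef:ReportTime", "iodef:Assessment", "iodef:Contact")


def check_required(xml_text):
    """Return True if every Incident carries the elements RFC 5070 makes mandatory."""
    ns = {"iodef": IODEF_NS}
    root = ET.fromstring(xml_text)
    incidents = root.findall("iodef:Incident", ns)
    if not incidents:
        return False
    return all(inc.get("purpose") is not None
               and all(inc.find(path, ns) is not None for path in REQUIRED)
               for inc in incidents)


if __name__ == "__main__":
    doc = iodef_xml(SAMPLE_REPORT)
    print(doc)
    print("mandatory elements present:", check_required(doc))
```

The check in `check_required` is deliberately structural only; full validation against the IODEF XML schema would need a schema-aware parser, which the standard library does not provide.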
III.1.2. Automatic network security information reception subsystem NSIAR
The automatic network security information reception subsystem NSIAR is an important component of the national network security monitoring system. Its function is to receive, and store in the database, the network security information obtained from:
- the special-purpose sensor devices (product of Branch 3);
- the software that collects network security information from commercial information security products (product of Branch 6).
Functionally, the automatic network security information reception subsystem must:
- serve as the interface that receives and processes network security information from the sensor devices and the special-purpose software, in order to update the Vietnamese network security monitoring database;
- be able to exchange and update information with network security monitoring databases that follow international standards.
The subsystem must be able to connect 50 information sources or sensors at national-level network nodes and 500 information sources in user networks, processing about 100,000 records per day, at a speed adequate for that volume.
The Branch 3 project team carried out the research and met the requirements set for the products above. During the work the team concentrated on the following main research directions:
III.1.3. Survey and assessment of the current situation
- The types of attacks carried out by hackers;
- The kinds of network security information that can be received;
- A survey of the content of network security incident reports.

III.1.4. Research and design of the network security information gathering protocol ISGP
The network security information gathering protocol was built to unify and standardise the exchange of information, securely and accurately over a TCP/IP network, between the special-purpose sensor devices (product of Branch 3), the software that collects network security information from commercial information security products (product of Branch 6), and the network security information collection system. The basic research content consists of:
- Studying the types of information that must be exchanged;
- Classifying and defining the events exchanged through the ISGP protocol;
- Designing the packet format for each type of event;
- Designing the information exchange sequence;
- Studying and proposing a solution for securing the information exchange protocol.
III.1.5. Research, design and development of the network security incident report handling support subsystem SAMS
In researching and building the incident report handling support subsystem, the team carried out the following main tasks:
- Surveying network security incident reports and designing an incident report template;
- Designing the process for handling network security incident reports;
- Designing the database that stores network security incident reports;
- Designing and programming the network security incident handling support subsystem.
III.1.6. Research and development of the automatic network security information reception subsystem NSIAR
In researching and building the automatic network security information reception subsystem NSIAR, the team carried out the following main tasks:
- Studying the network security information to be received and deploying the storage database using MySQL;
- Designing and programming the module that receives network security information from the special-purpose sensors and from the software that collects network security information from commercial network security devices;
- Designing and programming the module that manages the network security information sources.
III.1.7. Research method
The research team applied the following method:
- Theoretical research: modelling, analysis and evaluation of the system on a scientific basis.
- Surveying the practical requirements that the network security monitoring system must meet.
- Studying and analysing reputable, highly rated international network security monitoring systems such as Symantec Security Information Manager, ArcSight Enterprise Security Manager, the open-source network security monitoring system OSSIM, and Cisco MARS.
- Surveying the network security information and the sources that can be connected to the network security monitoring system.
- Testing alongside design, development and integration, to minimise risks and possible failures and to raise product quality; the products were tested methodically in several stages:
+ Testing of each component
+ Testing of the software on a simulated system
+ Testing on small networks
+ Trials in the production environment.

III.2. Main research results of Branch 3

III.2.1 Research and design of the network security information gathering protocol ISGP
ISGP is an application-layer protocol built on top of TCP. The model below describes the relationship and layering between ISGP and other protocols.

        +------+ +------+ +------+ +-----+
        | ISGP | | HTTP | | TFTP | | ... |
        +------+ +------+ +------+ +-----+
            |        |        |        |
        +----------------+ +-----+ +-----+
        |      TCP       | | UDP | | ... |
        +----------------+ +-----+ +-----+
        +-------------------------------+
        |    Internet Protocol & ICMP   |
        +-------------------------------+
        +-------------------------------+
        |    Local Network Protocol     |
        +-------------------------------+

Figure III.1: Relationship between ISGP and some other basic protocols


III.2.1.1 Data confidentiality
The ISGP protocol was built for the exchange of information between the special-purpose sensor devices (called Agents) and the network security information reception system SIPS (the Server). The protocol supports two operating modes, encrypted and unencrypted. This requirement arises from practice: protecting the confidentiality of information exchanged over the network is essential, and the most common method is to encrypt and decrypt with modules at both ends of the connection using public-key or symmetric algorithms. That solution, however, is only suitable for systems whose computing capacity is large relative to the volume of data received, since encryption and decryption must run continuously, whereas in a network security monitoring system the volume of information exchanged between agents and the server is always very large and hard for any server to keep up with. In particular, because the project's equipment budget was limited, a large number of connections would certainly overload the receiving server. The protocol was therefore designed so that information can be exchanged either encrypted or unencrypted. When the protocol runs in unencrypted mode, the information exchanged between agent and server remains protected provided that an IPsec virtual private network (VPN) is deployed; the server is then not overloaded, because encryption and decryption are offloaded to a dedicated VPN device. In that mode the confidentiality and integrity of the ISGP traffic, including the key and identifiers sent in the connection handshake, rest entirely on the IPsec tunnel, so the server must accept agent connections only from inside the tunnel. This is also how most current commercial network security monitoring systems, such as Symantec SSIM or ArcSight, are deployed in practice.
III.2.1.2 Information exchange sequence
The information exchange sequence consists of five basic steps, described in the figure below:
Step 1. Generate the encryption key - Generate Random key:
- Purpose: generate a random 16-byte encryption key.
Step 2. Send the connection request - CONNECT msg:
- Purpose: send a request from the agent to the server to establish a connection.
- Packet format, with four main fields:
connect key=%s id=%d type=sensor version=%s\n
- Explanation:
key: the encryption key (any 16-byte string) generated in step 1; note that it travels inside this message, so it is only a secret if the link is already protected (see III.2.1.1)
id: the sequence number assigned to the plugin (starting from 1)
type: the sensor type
version: the sensor version

Figure III.2: Information exchange sequence

Step 3. Connection acknowledgement - OK msg:
- Purpose: the server informs the agent that the connection succeeded.
- Packet format:
ok id=%d\n
- Description:
ok is the keyword indicating a successful connection
id is the plugin number received in the connect command
Step 4. Error notification - ERROR msg:
- Purpose: the server informs the agent that the connection failed.
- Packet format:
error id=%d\n
- Description:
error is the keyword of the error notification
id is the sensor identifier that the server received earlier
Step 5. Control - CONTROL msg:
- Purpose: allows the server to send commands controlling the operation of an agent; the agent here can be a sensor or another server.
The control command has four functions: Enable/Disable/Start/Stop.
- Structure of the control command:
Control command messages have the following structure:
Command plugin_id="%d"\n
- Description:
Command is one of the following four control commands:
sensor-plugin-start
Start the process associated with the plugin
sensor-plugin-stop
Stop the process associated with the plugin
sensor-plugin-enable
Enable the plugin
sensor-plugin-disable
Disable the plugin
plugin_id: the sequence number assigned to the plugin
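The five-step exchange above, as an added example that is not part of the project's code: a Python model of the server side, which generates the step 1 key, builds the CONNECT line, accepts or rejects it with the OK/ERROR replies, issues CONTROL lines, and applies them on the agent side. Assumptions not on the page: the key is hex-encoded before it is put on the wire, a request with no parsable id is answered with `error id=0`, plugin_id in CONTROL messages is double-quoted, and the agent keeps a small running/enabled state per plugin. The key still crosses the wire inside the CONNECT line, which is why III.2.1.1 ties the unencrypted mode to an IPsec tunnel.

```python
"""Server-side validation of the ISGP connection handshake and control messages.

Added example, not code from the VNCERT project. It follows the message layouts
in steps 1-5 above; the hex encoding of the 16-byte key, the 'id=0' used in an
error reply when the request carries no usable id, the quoting of plugin_id in
control messages and the agent-side state dictionary are assumptions.
"""
import re
import secrets

KEY_BYTES = 16
CONTROL_COMMANDS = {
    "sensor-plugin-start", "sensor-plugin-stop",
    "sensor-plugin-enable", "sensor-plugin-disable",
}
# key=value tokens; a value may be bare or double-quoted (quotes are stripped).
_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')


def generate_key():
    """Step 1: a random 16-byte key, hex-encoded so it cannot contain ' ' or a newline."""
    return secrets.token_bytes(KEY_BYTES).hex()


def build_connect(key, plugin_id, version, sensor_type="sensor"):
    """Step 2: the CONNECT line the agent sends."""
    return "connect key=%s id=%d type=%s version=%s\n" % (key, plugin_id, sensor_type, version)


def parse_message(line):
    """Split 'verb k=v k="v v"\\n' into (verb, fields); (None, {}) if malformed."""
    if not line.endswith("\n") or line.count("\n") != 1:
        return None, {}
    verb, _, rest = line.rstrip("\n").partition(" ")
    fields = {k: v.strip('"') for k, v in _TOKEN.findall(rest)}
    return (verb or None), fields


def _valid_key(key):
    """The key must decode to exactly KEY_BYTES bytes of hex."""
    try:
        return len(bytes.fromhex(key)) == KEY_BYTES
    except ValueError:
        return False


class IsgpServer:
    """Accepts CONNECT requests only from registered plugin ids with well-formed keys."""

    def __init__(self, allowed_ids):
        self.allowed_ids = set(allowed_ids)
        self.sessions = {}  # plugin id -> key supplied at connect time

    def handle_connect(self, line):
        """Steps 3/4: return the OK or ERROR reply for one CONNECT line."""
        verb, f = parse_message(line)
        try:
            pid = int(f.get("id", ""))
        except ValueError:
            return "error id=0\n"  # assumption: no usable id in the request
        if (verb != "connect" or pid < 1 or pid not in self.allowed_ids
                or f.get("type") != "sensor" or not f.get("version")
                or not _valid_key(f.get("key", ""))):
            return "error id=%d\n" % pid
        self.sessions[pid] = f["key"]
        return "ok id=%d\n" % pid

    def control(self, command, plugin_id):
        """Step 5: build a CONTROL line, or None if the plugin never connected."""
        if command not in CONTROL_COMMANDS:
            raise ValueError("unknown control command: %r" % command)
        if plugin_id not in self.sessions:
            return None
        return '%s plugin_id="%d"\n' % (command, plugin_id)


def apply_control(line, state):
    """Agent side: apply a CONTROL line to {'running': bool, 'enabled': bool}."""
    verb, f = parse_message(line)
    if verb not in CONTROL_COMMANDS or "plugin_id" not in f:
        raise ValueError("malformed control message: %r" % line)
    new = dict(state)
    action = verb.rsplit("-", 1)[1]  # start / stop / enable / disable
    if action in ("start", "stop"):
        new["running"] = action == "start"
    else:
        new["enabled"] = action == "enable"
    return new


if __name__ == "__main__":
    server = IsgpServer(allowed_ids={1, 2})
    request = build_connect(generate_key(), 1, "1.0")
    print(request.strip(), "->", server.handle_connect(request).strip())
    print(server.control("sensor-plugin-stop", 1).strip())
```

Because the page's ERROR reply carries only an id, the agent cannot tell a rejected id from a malformed key; the server-side log, not the wire reply, is where the reason should be recorded.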
III.2.1.3. Format of event notification packets
An event notification packet carries the content that a sensor or a network security information collection program sends to the server for each event it has captured.
Events are divided into four kinds:
- Normalised events,
- MAC events,
- Operating system events,
- Service events.
a) Normalised event
- Packet format:
event type="detector" date="2006-08-09 12:12:11" plugin_id="4002" plugin_sid="1" priority="1" interface="eth1" sensor="192.168.1.10" src_ip="192.168.1.8" dst_ip="192.168.1.8" data="user1" log="Aug 9 12:12:11 ossimsensor sshd[6466]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=user1"
- Description:
event: keyword identifying an event notification
type: event type, detector or monitor
date: time the event was generated
plugin_id: id of the plugin that generated the event (received in the CONNECT msg), used to distinguish plugins
plugin_sid: plugin class, used to distinguish the messages of one plugin
interface: network interface
sensor: IP address of the sensor that generated the event
priority: event priority (deprecated)
protocol: one of TCP, UDP or ICMP
src_ip: source IP of the event (as recognised by the sensor)
src_port: source port (as recognised by the sensor)
dst_ip: destination IP of the event (as recognised by the sensor)
dst_port: destination port (as recognised by the sensor)
log: the log content
data: event payload (or any other content)
username: the user who generated the event (commonly used in HIDS events)
password: the password for the event
filename: the file involved in the event (commonly used in HIDS events)
userdata1: user-defined fields declared in the config file, at most 9 per plugin (userdata1 to userdata9). They may hold any content, usually the parts of the log that do not fit the other fields.
b) MAC event
A MAC EVENT is generated when a MAC address changes.
- MAC event packet format:
host-mac-event host="183.127.115.4" interface="eth1" mac="0:4:23:88:fb:8a" vendor="Intel Corporation" date="2006-03-17 11:30:09" sensor="163.117.131.11" plugin_id="1512" plugin_sid="1" log="ip address: 163.117.155.2 interface: eth1 ethernet address: 0:4:23:88:fb:8a ethernet vendor: Intel Corporation timestamp: Friday, March 17, 2006 11:30:09 +0100"
- Description:
host-mac-event: keyword identifying a MAC EVENT packet
host: IP of the host that generated the event
mac: the MAC address (in hexadecimal)
vendor: the manufacturer
sensor: IP address of the sensor that generated the event
interface: network interface
date: time
plugin_id: plugin code (default value 1512)
log: the log
Reserved fields:
userdata1: copy of the mac field
userdata2: copy of the vendor field
c) Operating system event
Reports a change of operating system.
- Representation format:
host-os-event host="192.168.1.81" os="Windows" date="2006-12-23 22:56:13" sensor="192.168.1.10" plugin_id="1511" plugin_sid="1" log="Windows XP" interface="eth1"
- Description:
host-os-event: keyword identifying an OS Event packet
host: IP of the host that generated the event
os: operating system name (Windows, Linux, ...)
sensor: IP address of the sensor that generated the event
interface: network interface
date: time
plugin_id: plugin code (default value 1511, as in the example above)
log: the log
Reserved fields:
userdata1: copy of the os field
d) Service event
Records information about the hosts on the network when an application is run or a port is opened.
- Representation format:
host-service-event host="192.168.1.77" sensor="192.168.1.10" interface="eth1" port="80" protocol="6" service="www" application="CCO/4.0.3 (Unix) tomcat" date="2006-03-27 07:59:54" plugin_id="1516" plugin_sid="1" log="blablablablabla"
- Description:
host: IP of the host that generated the event
sensor: IP address of the sensor that generated the event
interface: network interface
port: the port opened on the host
protocol: one of TCP, UDP or ICMP, carried as the IP protocol number (6 = TCP, 17 = UDP, 1 = ICMP), as in the example above
service: name of the service on the port given in port (www, http, ...)
application: name of the application providing the service
date: time the event was generated
plugin_id: usually 1516
plugin_sid: assigned by the OSSIM server
log: the log
Reserved fields:
userdata1: copy of the application field
userdata2: copy of the service field
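A parser for the four event formats above, as an added example (not the project's NSIAR-A code). It tokenises the key="value" lines, type-checks dates, IP addresses, ports and protocol numbers, fills the reserved userdata fields exactly as the format descriptions prescribe, and rejects lines it cannot parse, which is the behaviour section III.2.4 describes for NSIAR-A. The sample lines are constructed from the formats shown above; the set of mandatory fields per event kind and the "discard on malformed input" policy are assumptions.

```python
"""Parse and validate ISGP event notifications before they reach the database.

Added example, not code from the VNCERT project. The sample lines are constructed
from the formats in section III.2.1.3; the mandatory fields per event kind, the
numeric protocol mapping and the rejection of malformed lines are assumptions.
"""
import ipaddress
import re
from datetime import datetime

_KV = re.compile(r'(\w+)="([^"]*)"')          # every value is double-quoted
_MAC = re.compile(r"^[0-9a-f]{1,2}(:[0-9a-f]{1,2}){5}$", re.I)
IP_PROTO = {"1": "ICMP", "6": "TCP", "17": "UDP"}
DATE_FMT = "%Y-%m-%d %H:%M:%S"
# Fields that must be present for each event kind (assumed minimum for storage).
REQUIRED = {
    "event": {"plugin_id", "plugin_sid", "sensor", "date"},
    "host-mac-event": {"host", "mac", "sensor", "date"},
    "host-os-event": {"host", "os", "sensor", "date"},
    "host-service-event": {"host", "port", "protocol", "sensor", "date"},
}
IP_FIELDS = ("sensor", "host", "src_ip", "dst_ip")
INT_FIELDS = ("plugin_id", "plugin_sid", "port", "src_port", "dst_port", "priority")


class ParseError(ValueError):
    pass


def parse_event(line):
    """Return a normalised record for one event line, or raise ParseError."""
    verb, _, rest = line.strip().partition(" ")
    if verb not in REQUIRED:
        raise ParseError("unknown event kind %r" % verb)
    fields = dict(_KV.findall(rest))
    missing = REQUIRED[verb] - fields.keys()
    if missing:
        raise ParseError("%s missing %s" % (verb, sorted(missing)))
    rec = dict(fields, kind=verb)
    try:
        rec["date"] = datetime.strptime(fields["date"], DATE_FMT)
        for name in IP_FIELDS:
            if name in fields:                      # rejects garbage such as "1.2.3"
                rec[name] = str(ipaddress.ip_address(fields[name]))
        for name in INT_FIELDS:
            if name in fields:
                rec[name] = int(fields[name])
    except ValueError as exc:
        raise ParseError(str(exc))
    if "protocol" in fields:                        # accept "6" as well as "TCP"
        proto = fields["protocol"].upper()
        rec["protocol"] = IP_PROTO.get(proto, proto)
        if rec["protocol"] not in IP_PROTO.values():
            raise ParseError("unsupported protocol %r" % fields["protocol"])
    if verb == "host-mac-event":                    # reserved userdata copies
        if not _MAC.match(fields["mac"]):
            raise ParseError("bad MAC %r" % fields["mac"])
        rec["userdata1"], rec["userdata2"] = fields["mac"], fields.get("vendor", "")
    elif verb == "host-os-event":
        rec["userdata1"] = fields["os"]
    elif verb == "host-service-event":
        rec["userdata1"] = fields.get("application", "")
        rec["userdata2"] = fields.get("service", "")
    return rec


def parse_batch(lines):
    """Split lines into (accepted records, [(line, reason)] rejected)."""
    accepted, rejected = [], []
    for line in lines:
        try:
            accepted.append(parse_event(line))
        except ParseError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


# Constructed sample input following the four formats above (not captured traffic).
SAMPLE_LINES = [
    'event type="detector" date="2006-08-09 12:12:11" plugin_id="4002" plugin_sid="1" '
    'priority="1" interface="eth1" sensor="192.168.1.10" src_ip="192.168.1.8" '
    'dst_ip="192.168.1.8" data="user1" log="Aug 9 12:12:11 ossimsensor sshd[6466]: '
    '(pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= '
    'rhost=localhost user=user1"',
    'host-mac-event host="183.127.115.4" interface="eth1" mac="0:4:23:88:fb:8a" '
    'vendor="Intel Corporation" date="2006-03-17 11:30:09" sensor="163.117.131.11" '
    'plugin_id="1512" plugin_sid="1" log="ethernet address: 0:4:23:88:fb:8a"',
    'host-os-event host="192.168.1.81" os="Windows" date="2006-12-23 22:56:13" '
    'sensor="192.168.1.10" plugin_id="1511" plugin_sid="1" log="Windows XP" interface="eth1"',
    'host-service-event host="192.168.1.77" sensor="192.168.1.10" interface="eth1" '
    'port="80" protocol="6" service="www" application="CCO/4.0.3 (Unix) tomcat" '
    'date="2006-03-27 07:59:54" plugin_id="1516" plugin_sid="1" log="blablablablabla"',
    'event type="detector" date="yesterday" plugin_id="4002" plugin_sid="1" sensor="192.168.1.10"',
    'bogus-event host="192.168.1.1"',
]

if __name__ == "__main__":
    ok, bad = parse_batch(SAMPLE_LINES)
    for rec in ok:
        print(rec["kind"], rec["sensor"], rec["date"])
    for line, why in bad:
        print("REJECTED:", why)
```

Because the regex requires a double-quoted value, an unquoted or unterminated value is simply absent from `fields` and surfaces as a "missing" rejection rather than a silently truncated record, which is the safer outcome for data destined for the event database.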
III.2.2. Overall design of the network security information reception system

Figure III.2: Overall architecture of the SIGS subsystem (diagram; recoverable labels: users and guests; the special-purpose sensors; the commercial security devices (antivirus, IDS/IPS, firewall) and the network security information collection software attached to them; foreign monitoring systems; the SIGS components NSIAR module, SAMS with its Business Control Gate and SIG Gateway, and the network security information database; SIPS)

The network security information reception system SIGS consists of two main components, which receive two kinds of incident notification with different characteristics:
+ The automatic network security information collection subsystem (NSIAR), which receives network security information from the network security information collection software and from the in-house developed sensors.
+ The network security incident report handling support subsystem (SAMS), which supports the reception and handling of network security incident reports. This subsystem has two modules:
* The gateway that receives network security incident reports from users (Business Control Gate).
* The network security incident report handling support module (SIG Gate).
III.2.3. Research, design and development of the network security incident report handling support subsystem SAMS
III.2.3.1. Design of the incident report handling process
The incident report handling process was designed to be fully consistent with the RITR information security assurance process and consists of the following basic steps:

Figure III.3: Incident report handling process (diagram: network security incident report -> 1. Receive the report -> 2. Check and update the report (2.1 delete the report) -> 3. Create the network security incident -> 4. Handle the incident -> 5. Close the incident)

The process for receiving and handling incident reports consists of these main steps:
Receiving the report:
- Reports are received through several channels: web, fax, email, telephone, etc.
- Reports submitted through the web system are entered directly into the storage database.
- Reports received through other channels, such as telephone, fax or email, are compiled by the specialists and entered into the database through the web interface.
Checking and updating the report:
- Once a report has been entered into the database, the specialists take it over, verify the information and add any further data required.
- For reports that are correct and indicate a risk of an incident, the specialist creates a network security incident based on the information in the received reports.
- Reports that are incorrect or irrelevant are deleted by the specialist.
Creating the network security incident:
- Based on the network security reports, the specialist creates a network security incident from the received reports and the additional investigation findings.
Handling the network security incident:
- Based on the information about the incident, the experts can decide on handling measures and record them in the database. Feedback on the results of the technical measures taken is also stored in the incident's handling record.
Closing the network security incident:
After the network security incident has been fully handled, the experts close it.
III.2.3.2. Functional requirements for the incident report handling support subsystem
The subsystem was built to provide the functions for receiving and handling network security incident reports; it is an important tool supporting rapid response to network security incidents occurring on the national network.

This subsystem allows information to be updated quickly so that the experts can detect early the risks that could develop into network security incidents.
The subsystem must also meet the following specific requirements:
- Provide a web page for reporting network security incidents, with a simple and convenient interface so that the public can easily submit reports.
- Provide functions that allow experts to add updated information to an incident report during the investigation.
- Provide a function for creating network security incidents.
- Provide a function for updating the progress of incident handling.
- The subsystem's storage must be able to hold complete information and reports on network security incidents.
Users of the system:
- Members of the public who need to report network security information
- Security experts
Input data of the system:
- Incident reports from users:
o Information about the reporter
o Type / topic of the incident
o Description of the incident
o Measures taken and their results
- Detailed updates to an incident report received by email, internal message or telephone
Output data of the system:
- Notifications sent to users about handling measures or requests for further information
- Network security incidents
- Network security incident reports
III.2.3.3. Overall design and components of SAMS

Figure III.5: Architecture of the SAMS subsystem (diagram: users and guests -> Business Control Gate and SIG Gate -> SAMS -> network security information database)

The SAMS system consists of three main components:
- Business Control Gate (BCG), the operational gateway for managing network security reports;
- SIG Gate, the network security incident reporting gateway;
- the database storing network security reports.
SIG Gate
SIG Gate provides the functions that let members of the public declare network security incidents and receive feedback about those incidents from the network security experts. It has two basic functions:
- Reporting a network security incident.
This function lets any user send a network security incident report to the network security experts.
- Following up a submitted incident report.
After submitting a network security incident report, the user can follow the handling status of the report and receive feedback from the experts.
Business Control Gate - BCG
BCG provides the following main functions:
- Listing the incident reports
The handling experts can view the list of network security incident reports with summary information such as incident title, incident code, time of receipt and status.
- Viewing the content of an incident report
The experts can view the full content of network security incident reports.
- Sending feedback to the reporter
The experts can send feedback to, or record their contacts with, the person who submitted the network security information, so that the data is as complete as possible for investigating or handling the network security incident.
- Receiving reply messages from the reporter
The handling experts can receive reply messages from the person who reported the network security incident.
- Creating network security incidents
When incidents are identified, from network security reports or from indications the experts themselves have detected, the experts can create network security incidents.
- Updating the handling measures for a network security incident
The handling measures for a network security incident are recorded by the experts to track the handling process.
- Updating the handling results of a network security incident.
The experts can update the handling results of a network security incident as data for tracking the handling process.
III.2.4. Research, design and development of the automatic network security information reception subsystem NSIAR
The main task of the NSIAR subsystem is to automatically collect the network security events supplied by the sensor network and by the network security information collection software, and store them in the database for the operational work of monitoring, analysing and handling network security incidents. NSIAR must also be extensible, so that in future it can receive network security events from other sources such as commercial and open-source network security products and domestic and foreign security monitoring systems.
In terms of management and control, NSIAR has no management interface of its own: it is a background service and must be designed to integrate easily with the SIPS system, from which it receives control commands, without affecting the other services running on the same system.
NSIAR must be able to connect more than 50 sensors and receive 100,000 network security events per day.
The system was developed on an open-source platform, specifically:
- Operating system: Linux, kernel version 2.6.32
- Database management system: MySQL version 5.1.41
- Programming language: C with GLib and GTK+
- Input data of the NSIAR subsystem:
o Requests to establish a connection channel, sent to NSIAR by sensors and by the network security information collection software
o Network security events sent to NSIAR by sensors and by the network security information collection software
o Control commands sent to NSIAR by SIPS
- Output data of the system:
o Network security events stored in the database
o Control commands sent to the sensors
- Actors related to the NSIAR subsystem:
o The special-purpose sensors: supply the network security events they detect to NSIAR.
o The network security information collection software: supplies the network security events collected from commercial security products such as IDS, antivirus and firewalls.
o Some other network security devices: NSIAR can receive network security information directly from certain types of network security device or software.
o The monitoring, statistics, alerting and control information processing subsystem (SIPS): controls the operation of NSIAR, for example:
Starting and stopping NSIAR
Updating the list of sensors that supply network security events
o The network security database: stores the network security events received by NSIAR and supplies NSIAR with the information needed to manage its operation.

Figure III.4: NSIAR data flow diagram (diagram; recoverable labels: the sensors and the network security information collection software attached to commercial antivirus, firewall and IDS/IPS products send network security packets; 1. NSIAR-R receives the information; 2. NSIAR-A analyses it; 3.1 NSIAR-DI stores it in the database and 3.2 retrieves data from it; 4. NSIAR-C applies control commands from SIPS; configuration files; the list of sensors and collection software; the NSIAR subsystem; SIPS)

The NSIAR information processing flow consists of four main steps:
- Receiving and filtering the information supplied by the sensors and by the commercial network security software, in the various supply formats the system supports. This function is performed by the receiving module (NSIAR-R).
- Analysing the received network security packets according to their known formats and extracting the network security information; packets that cannot be parsed are discarded.
- Storing the analysed network security information in the database.
- Administering the whole operation of the NSIAR module, including managing the list of sensors and software that supply network security information, configuring the packet formats in which that information is supplied, the database settings and other settings.
- Configuration files: files holding the operating configuration of all NSIAR components.
- Database: the database storing the shared information of the whole SIGS system.
Receiving module (NSIAR-R Module)
The network security information receiving module, abbreviated NSIAR-R, creates the listening port, receives connections, and tracks the operating state of the sources that supply network security information to the NSIAR subsystem.
The main use cases of the NSIAR-R module are:
o Starting the network security information reception service
o Restarting the network security information reception service
o Closing the listening port
o Authenticating a connection channel
o Creating an information exchange channel
o Closing an information exchange channel
- Analysis module (NSIAR-A Module)
The NSIAR-A module analyses the received information and extracts the network security information according to the standard formats defined by schemas stored in the database. For each transmission format NSIAR-A has a matching analysis schema. With this flexible mechanism, when the transmission format of a sensor or of the network security information collection software is upgraded or changed, NSIAR-A does not need to change much; only a new analysis schema has to be added. In the same way NSIAR-A can also analyse packets that other commercial network security software or devices send directly to SIGS or to NSIAR-C, provided a schema for that transmission format is available.
The basic use cases of NSIAR-A are:
o Updating an information analysis schema
o Analysing information.
Database interaction module (NSIAR-DI Module)
The NSIAR-DI module interacts with the shared SIGS database to retrieve and store data, supporting the other business-logic modules of the NSIAR subsystem.
The main functions of NSIAR-DI are:
o Receiving data retrieval and storage requests from the other modules of the NSIAR subsystem
o Retrieving data from the database
o Storing data in the database
o Returning results to the modules that requested data.
Control module (NSIAR-C Module)
The NSIAR subsystem consists of internal services that run in the background; the internal services listed above offer no direct control interface to the user. Through the SIPS interface a user can send certain control commands to the NSIAR services, such as starting or restarting the information reception service, changing the information analysis services, or editing and updating the list of information sources. SIPS does not send these control commands directly to the NSIAR worker services such as NSIAR-A or NSIAR-R; they are executed through the control module NSIAR-C, which receives the control commands from SIPS and forwards them to the appropriate processing module. With this design the SIPS system is completely independent of, and unaffected by, internal changes within SIGS.
The main use cases of NSIAR-C are:
o Updating the list of network security information sources
o Turning the network security information decoding services on and off
o Starting, restarting and stopping the network security information reception service.
III.2.5. Results achieved by Branch 3
III.2.5.1. The information exchange protocol ISGP
The protocol was designed appropriately and fully meets the requirements for exchanging information securely and accurately over a TCP/IP network between the special-purpose sensor devices (product of Branch 3), the software that receives network security information from commercial information security products (product of Branch 6), and the network security information collection system.
III.2.5.2. The network security incident report handling support subsystem
The network security incident report handling support subsystem was researched, designed and built successfully and has been in operation supporting the incident report reception work of the Vietnam Computer Emergency Response Team since June 2010. The subsystem provides all the functions for receiving network security incident reports through the different channels: directly through the website, or indirectly by email, fax, post, telephone or official letter.
The subsystem operates according to the incident report handling process that was designed, and has contributed significantly to the effectiveness of VNCERT's support and response work for network security incidents.
The subsystem's interface was designed to be convenient and well organised, simplifying the specialists' work.
When the subsystem was installed on an HP server with a 3.0 GHz Xeon processor, 2 GB of RAM and two 72 GB hard disks, it operated stably and was able to receive more than 2,000 reports per day.
III.2.5.3. The automatic network security information reception subsystem
The research team completed the research, design and development of the subsystem that automatically receives network security information from two main sources:
- the special-purpose sensor devices (product of Branch 3);
- the software that receives network security information from commercial information security products (product of Branch 6).
In addition, the product was extended to receive network security information from several other sources: the spam statistics feed of the Vietnam Computer Emergency Response Team; a feed of phishing websites; and a feed publishing information on Conficker virus infections.
The subsystem places no limit on the number of sensors and information collection programs that connect to supply information. Tests showed that it operated well and stably while receiving more than 200,000 events per day when installed on a server with a 2.2 GHz quad-core Xeon processor, 8 GB of RAM and a 1 Gbit/s network connection, more than twice the 100,000 events registered as the project requirement.

III.3. Conclusion
The project research team fully achieved the goals and tasks registered for Branch 3, "Development of the central network security information collection software system (SIGS)". This is the system that receives, processes and integrates network security information and updates it into the network security monitoring database, allowing the network security situation to be updated around the clock. All the targets achieved by the research team meet or exceed the registered levels. The delivered product was tested in several regions and used successfully for the network security monitoring and incident response work at the Vietnam Computer Emergency Response Team.

CHAPTER IV. DEVELOPMENT OF THE OPERATIONAL SOFTWARE SYSTEM FOR MONITORING, STATISTICS, ALERTING AND CONTROL (SIPS)
IV.1. Study and analysis of some systems for processing, monitoring, statistics and alerting of network security information worldwide
To design the software system for information processing, monitoring, statistics, alerting and control, the research team studied and analysed a number of existing systems worldwide in order to derive the functions needed for designing and building a similar system in Vietnam. Today there are many such processing, monitoring, statistics and alerting systems worldwide, such as the Internet Storm Center (ISC), honeypots, the Active Threat Level Analysis System (ATLAS) and Symantec Security Response, all of which are leading systems in monitoring global network security. Most of these efforts are highly practical and have been deployed and applied widely at various scales.
IV.1.1. Internet Storm Center (ISC)
The Internet Storm Center (ISC) project was established by the SANS Institute in 2001 to provide free analysis and alerting services to the Internet community, working closely with ISPs worldwide to limit the room in which attackers can operate. Every day ISC collects millions of records from logging systems covering about 500,000 IP addresses in more than 50 countries. ISC's mission is to detect new waves of attacks early, identify web sites being abused for attacks, and provide information on the sources of attacks across cyberspace.

Figure IV.1: How the ISC system works.

ISC relies on information-processing experts to detect problems, analyse threats and disseminate guidance to the Internet community. Thousands of logging systems, which work with most firewalls, broadband devices and operating systems, continuously record information on hostile traffic on the Internet. These logging systems continuously feed the DShield database, where the data is analysed by hand by experts or automatically by programs that detect the trends of new threats on the Internet. The results of the analysis are published daily on ISC's web site.
ISC is at its most valuable when monitoring systems are placed across all regions of the Internet; sampling becomes more accurate as the number of samples grows and represents all regions of the Internet. Users can also submit their recorded information to the ISC database manually and directly.
The ISC project has been very successful in actively collecting the information recorded by the firewalls and intrusion detection systems of thousands of Internet users and organisations.
IV.1.2. Honeypots
A honeypot is an information resource system built to deceive and lure unauthorised attackers, attracting their attention and keeping them away from the real systems. "Information resource system" means that a honeypot can impersonate any kind of resource server: a mail server, a domain name server, a web server and so on.
This is an open project aimed at helping experts collect information on the tools, tactics and techniques that attackers use against systems. The project is entirely non-profit, runs on sponsorship and involves many experts worldwide. It has currently been deployed in more than 20 countries in the form of information collection systems on the Internet.
In Brazil the project has been deployed widely, with 25 systems at different geographical locations, to detect incidents in Brazilian cyberspace. Since it started operating the system has supplied a great deal of information to organisations inside and outside Brazil and has contributed significantly to raising the level of security of the Brazilian Internet.
Japan successfully deployed Honeywall Roo in front of servers running Fedora Core 3 and Windows 2000 to perform the functions of a honeypot, using Nepenthes to collect malware and botnet samples, and developed tools such as SnortView, IP Matrix, STARMINE and ICHILAN to visualise the analysis of the collected data.
IV.1.3. Honeynets
A honeynet is a high-interaction form of honeypot. Unlike honeypots, a honeynet is a real system, exactly like a normal working network: it provides real systems, applications and services.
The most important element in building a honeynet is the honeywall. The honeywall is the gateway between the honeypots and the outside network; it operates at layer 2 as a bridge. All data flows into and out of the honeypots must pass through the honeywall, which is where information is collected about those flows.
IV.1.4. Symantec Security Response
Symantec Security Response (SSR) was established by Symantec, one of the world's leading security vendors. The centre has a team of world-leading experts dedicated to researching, monitoring and analysing malware and intrusions worldwide. Unlike ISC, Symantec Security Response provides the Internet community only with the information it needs for timely prevention; for its customers it provides services such as support and hourly information security assurance. To secure networks globally, the centre has many collaborators around the world and cooperates with many network providers. Its purpose is to alert its customers and the Internet community to global threats.
The centre has 40,000 sensors in 180 countries that monitor Internet activity and send it to the centre for processing. It also collects malware samples from more than 100 million clients, servers and gateway systems on which its products are installed. In addition, the centre holds a huge repository of malware, viruses, vulnerabilities and weaknesses covering more than 8,000 vendors.
Through studying and analysing several information processing, monitoring, statistics, alerting and control systems worldwide, the research team gained an understanding of the models and operating principles of these systems, together with the main statistics and alerting functions commonly found in network security management systems. Each of the systems above has its own characteristics, and much useful information can be applied to the network security management model in Vietnam.
IV.2. Nghin cu xc nh chi tit cc tiu ch thng tin cn phi theo

di v thng k v tnh hnh an ton mng Internet ti Vit Nam


IV.2.1. Cc ngun thng tin cn thu thp, theo di v thng k
Vn u tin cn phi quan tm ca h thng qun l an ton mng l
thu thp thng tin xy dng c s d liu cc thng tin cn thit cho qu trnh
x l v phn tch thng tin. Thng tin thu thp c c th n t nhiu ngun
khc nhau nh:
Cng vn: C quan c th nhn cng vn chnh thc yu cu gip
x l mt s c mng no mi xy ra
in thoi: Vic bo co s c qua in thoi m bo nhanh
chng, chnh xc v c nhiu thng tin
Fax: Fax c th c dng truyn ti mt s ti liu lin quan
n s c
175

Email: y cng l mt knh lin lc thun tin truyn ti nhiu


loi thng tin mt cch nhanh chng
Website: Ngi dng c th nhp thng tin v s c mng thng
qua Biu mu Bo co s c c t trn Website
Thng tin chia s t nhng h thng khc: Trong qu trnh hot
ng lu di, lm phong ph thm c s thng tin an ton mng,
h thng c th ly thng tin c chia s t nhng h thng c
chc nng tng t trong v ngoi nc

Hnh IV.2: H thng tip nhn thng tin s c


IV.2.2. Analysis of the information to be monitored and compiled
The information criteria to be monitored and compiled regarding the Internet security situation in Vietnam are determined and divided according to the threats and hazards that are directly affecting the national Internet system. With the enormous amount of information and data flowing over the Internet, monitoring and supervision become extremely difficult, and we must rely on criteria to filter out the information that poses a risk to network security, so as to issue statistical alerts and take timely action. The classification of the information to be monitored is therefore based on the threats and hazards capable of affecting the security of Vietnam's Internet.

The information to be monitored can be divided into a number of main areas as follows:
- Information related to malicious code: updated information on the kinds of viruses and malware that have newly appeared or are spreading in the network environment
- Information related to web application security: monitoring and statistics on attacks and security advisories related to web applications, for example SQL Injection, XSS, CSRF, File Inclusion, Directory Traversal, Session Hijacking, Malicious File Uploading, Server Misconfiguration, Buffer Overflow
- Information on weaknesses of systems and applications: updated information on newly discovered vulnerabilities in operating systems and application software
- Information on activity related to network services: monitoring and statistics on the data flows of common network services such as SMTP, POP3, HTTP, ICMP, FTP, SSH, Telnet, ...
- Information on attacks from home and abroad against domestic systems: information on attacks against domestic systems that have been recorded and reported to the system
IV.2.3. Information criteria to be monitored and compiled regarding the Internet security situation in Vietnam
Based on the classification of collected information above, and with reference to the large existing systems around the world, we can set out the principal criteria for the information to be compiled and monitored regarding Vietnam's network security situation. These criteria are derived from the requirements of the actual situation in Vietnam, and include:
1. The virus types currently infecting the most hosts on the network
2. Sources spreading malware
3. Increases in access to a TCP/UDP service port
4. Common attack types currently taking place
5. Sources currently attacking
6. Phishing sites
7. Sources spreading spam
8. Spam types
9. Updated information from international organizations
10. Optional monitoring information
The research team has resolved the first step, which is identifying the system's input data sources. After collection, information is classified into the main information areas that need to be monitored and compiled. Through studying and consulting the large existing systems around the world, and based on the practical situation in Vietnam, the research team has identified in detail 10 information criteria that must be monitored and compiled regarding the Internet security situation in Vietnam.
IV.3. Research and analysis of alert levels, alert forms and the requirements for alert information templates regarding Vietnam's network security situation.
One of the functions, and the most important purpose, of a national-level Internet security monitoring system is to issue alerts to Vietnamese Internet users about incidents that may occur. Each incident has a different level of impact and potential for damage. Researching and building the system of alert levels, together with the alert forms and alert content, is therefore essential for the national network security monitoring system.
IV.3.1. Survey of alert level systems and definition of alert levels for the Vietnamese Internet
The research team has consulted and studied the alert levels in use at other systems around the world:
Symantec ThreatCon: this is Symantec's new-generation security alert system; it supports interaction with users and warns of the latest security threats worldwide. ThreatCon is completely free and provides fairly fast information on the security flaws, threats and hazards attacking users. ThreatCon draws information from many Symantec sources such as the Symantec Security Response blog and the DeepSight Threat Management System; users receive full information on the issues they need as well as follow-up updates. The ThreatCon system defines 4 alert levels with severity from low to high.
SANS Infocon: SANS builds and maintains its own INFOCON system associated with the ISC (Internet Storm Center). This system focuses on monitoring the Internet infrastructure rather than any particular country or company. It reflects changes in malicious data flows as well as the likelihood of loss of connectivity on the Internet. The system comprises 5 alert levels indicated by colors: green, blue, yellow, orange, red.
After consulting the systems above and applying them to the practical situation in Vietnam, we can divide alerts into 5 levels corresponding to severity from low to high, indicated by the colors green, blue, yellow, orange and red.
IV.3.2. Alert forms
After collecting information and carrying out a detailed assessment, the system issues incident alerts in many different forms. Depending on the phase and the requirements of the system, a particular form may be used. Basically there can be 5 alert forms, as follows:
- Alerts via the website.
- Alerts via email.
- Alerts via SMS messages.
- Alerts via telephone.
- Alerts via official letter.
IV.3.3. Alert templates
Alerts sent to Internet users usually provide a minimum set of information and follow a common template. The alert template basically contains the following information:
- Alert identifier and title
- Severity level
- Introduction
- Alert description
- Impact
- Technical characteristics
- Affected software and systems
The content above can be adjusted to suit the form in which the alert is sent to users.

Figure IV.3: 5-level alert system and 4-level alert system

The research team has set out the basic criteria for the alert level system (INFOCON) as well as the alert templates and forms in Vietnam's national network security monitoring system. Building the alert level system is not purely a technical matter; it also involves management and policy factors.

IV.4. Research, analysis and design of the communication protocol between the SIPS system and the dedicated sensors.
For the management system to operate smoothly, there must be an efficient means of communication between the components of the system. We therefore need to analyze, design and build the communication protocol between the SIPS system and the dedicated sensors.

IV.4.1. Functions and operating principles of the central system and the reconnaissance stations
Central system: this is the component that performs the processing tasks in the monitoring system. It is responsible for connecting to and accessing the database, receiving data, and managing and coordinating the work of the reconnaissance stations.
Reconnaissance stations: the reconnaissance stations act as dedicated sensors placed at many locations to collect information. A reconnaissance station is responsible for collecting all data sent by the devices present on the network and then sending it to the central system according to a standard protocol.

Figure IV.4: The central system

IV.4.2. Protocol analysis
In order to design and build the communication protocol between the system's components, we analyze in depth the data flows exchanged within the system and identify the events that may occur and the information to be exchanged. From this we can design the steps for normalizing the data and packaging it for transmission over the network.
The research team has described concretely and in detail how the system components communicate with one another, the protocol used, and how the reconnaissance stations are managed across the whole system.
IV.5. Analysis and design of the monitoring function of the SIPS system.
For a network security monitoring system, the monitoring function is a basic function and the prerequisite for the other components to operate. The system's data consists of information collected from many sources; it is voluminous and diverse, and therefore must be normalized. Normalizing the data brings the information into a uniform structured form, stored centrally to serve later purposes.
IV.5.1. The monitoring system
The monitoring system performs the function of tracking and capturing the operating state of other devices and systems, collecting the relevant information and aggregating it in order to draw conclusions when an incident occurs.
Purposes of the monitoring system:
- Early detection of incidents.
- Proactive planning of replacements or upgrades.
- Diagnosis of incidents.
IV.5.2. Monitoring system model
The basic components of the monitoring system are:
- Reconnaissance stations (sensors): the components that collect information from the network, usually placed at scattered points in the network segments.
- Collector: receives information from the reconnaissance stations and normalizes it.
- Central database: where all data from the information collection process is stored.
IV.5.3. Information commonly monitored
From our study of other monitoring systems around the world, we see that the following information is commonly included in the monitoring list:
- Monitoring of the web service.
- Monitoring of the FTP service.
- Monitoring of the email service.
- Monitoring of resource usage.
IV.5.4. Monitoring according to the 10 criteria
From the research carried out, we have identified ten criteria that must be monitored and compiled. These ten criteria are the information most needed to grasp the national network security situation. The monitoring system therefore needs ten monitoring screens, one per criterion, so that incidents can be detected promptly and appropriate responses taken.
Thus this topic has carried out the analysis and design of the monitoring function and of the method for normalizing and filtering information, with the final result being the screens that display information and track the necessary criteria.
IV.6. Analysis and design of the statistics module of the SIPS system.
The statistics function is used frequently in the SIPS system and plays an important role in the computations that provide an overview of the issues taking place in real time. The first requirement for the statistics module is therefore the ability to compute quickly.
In addition, to deal with input data that may exceed the computing capacity of the statistics module, the module must be able to withstand the load.
To be able to track the operation of the SIPS system for later evaluation, estimation and development, the activities of the statistics module must be logged.
To serve specific needs that may arise later, the statistics module must be capable of complex statistics, built on the simple statistics specified at the outset.

Figure IV.5: Statistics on the proportion of botnets classified by country

IV.6.1. Components of the statistics module
The statistics module consists of two main components:
Statistical Analyzer: depending on the user's needs at any given time, this component allows the initial requests to be customized into predefined requests of lower complexity, which are passed to the next processing step.
Query Module: from the specific requests received, this component can automatically query the database to obtain the statistical results. Since all computation and statistics take place in the database management system rather than in the query module, the complexity of designing this module is minimized.
IV.6.2. Some algorithms applied in the statistics module
To increase the efficiency of the statistics module, we need to research and apply some formulas that make statistical processing of the data faster. Two formulas are applied here:
Formula 1: Test of statistical independence of events
Formula 2: Mathematical expectation
These formulas are applied in computing statistics according to the 10 network security criteria set out.
Thus this part of the content has resolved the basic requirements set for the statistics module of the SIPS system. We have designed the model for implementing the statistics function, together with applying the mathematical formulas to statistics according to the 10 network security criteria set out.
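As an added illustration (not code from the SIPS project), the following computes Formula 2 as the expected count of each cell of a cross-tabulation under independence and uses it for Formula 1, a chi-square test of whether two event attributes (here attack type, criterion 4, against attacking source, criterion 5) are statistically independent. The chi-square test is assumed to be the independence test the report has in mind; the incident records are constructed.

```python
"""Statistics-module helpers for Formula 1 (test of statistical independence of
events) and Formula 2 (mathematical expectation), applied to the kind of
cross-tabulation the 10 criteria produce (here: attack type vs. attacking source).

Added example, not code from the SIPS project.  The chi-square test of
independence is assumed to be the independence test the report refers to; the
incident records below are constructed."""
from collections import Counter

# Upper 5% critical values of the chi-square distribution by degrees of freedom.
CHI2_CRIT_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 6: 12.592}

# Constructed incident records: (attack type, attacking source) pairs, i.e. a
# cross of criterion 4 (common attack types) with criterion 5 (attacking sources).
SAMPLE_EVENTS = (
    [("sqli", "domestic")] * 30 + [("sqli", "foreign")] * 10
    + [("xss", "domestic")] * 12 + [("xss", "foreign")] * 28
    + [("bruteforce", "domestic")] * 20 + [("bruteforce", "foreign")] * 20
)


def contingency_table(events):
    """Count how often each (row value, column value) pair occurs."""
    rows = sorted({r for r, _ in events})
    cols = sorted({c for _, c in events})
    counts = Counter(events)
    return rows, cols, [[counts[(r, c)] for c in cols] for r in rows]


def expected_counts(table):
    """Formula 2: the expected count of each cell if the two attributes were
    independent, E[i][j] = (row total i) * (column total j) / N."""
    n = sum(sum(row) for row in table)
    row_totals = [sum(row) for row in table]
    col_totals = [sum(col) for col in zip(*table)]
    return [[rt * ct / n for ct in col_totals] for rt in row_totals]


def chi_square_statistic(table):
    """Sum of (observed - expected)^2 / expected over all cells."""
    expected = expected_counts(table)
    return sum(
        (obs - exp) ** 2 / exp
        for obs_row, exp_row in zip(table, expected)
        for obs, exp in zip(obs_row, exp_row)
    )


def independence_test(events):
    """Formula 1: decide at the 5% level whether the two event attributes are
    statistically independent.  Returns (statistic, degrees of freedom, verdict)."""
    rows, cols, table = contingency_table(events)
    dof = (len(rows) - 1) * (len(cols) - 1)
    if dof not in CHI2_CRIT_05:
        raise ValueError("no critical value tabulated for %d degrees of freedom" % dof)
    stat = chi_square_statistic(table)
    return stat, dof, stat <= CHI2_CRIT_05[dof]


if __name__ == "__main__":
    stat, dof, independent = independence_test(SAMPLE_EVENTS)
    # For the constructed data: chi-square about 16.28 with 2 degrees of freedom,
    # so attack type and attacking source are not independent at the 5% level.
    print("chi-square = %.2f, df = %d, independent at 5%%: %s" % (stat, dof, independent))
```

A verdict of "not independent" is what justifies reporting the two criteria jointly (for instance a per-source breakdown of attack types) rather than as two separate counts.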

IV.7. Analysis and design of the alert module of the SIPS system

IV.7.1. Registration system
The most basic function of the SIPS alert module is to send alert messages to users interested in the threats that may occur. Users who want to receive this information must register on a list for receiving alerts from the system about the information they are interested in, for example news about malware, operating system vulnerabilities, ... The alert registration system comprises the functions and database that allow users' registration information to be received and stored through different registration methods. There are three registration methods:
- Registration by email: the user sends an email whose body and subject follow a prescribed template to the registration system. The system automatically checks the email and confirms the user's registration information before adding it to the alert recipient list.
- Registration via the website: the website has a page containing a data-entry form that lets the user declare the information related to receiving alerts. The registration system confirms and processes this information and adds the user to the alert recipient list.
- Registration via SMS: the user uses a phone to send an SMS message with a predefined syntax to the registration system. Based on the content of the message, the system confirms and adds the user to the list of recipients who wish to receive alerts.
The registration system operates alongside the maintenance of a database containing the managed list of users who want to receive alerts and the types of alert they want to receive. Besides registration, the system also provides a function allowing users to unsubscribe at any time to stop receiving alerts from the system.
IV.7.2. Alert sending system
During operation, the system is continually updated with the latest information on incidents and vulnerabilities; depending on their severity and urgency, the system may generate alerts. The content of these alerts is composed to suit each alert form:
- Alerts on the website: full, detailed information, with references to other sources of information, and containing no sensitive information.
- Alerts via email: concise information suited to the recipient, possibly referencing the corresponding information on the website.
- Alerts via SMS: because of the length limit, the content must be short and succinct, with a reference to the corresponding information on the website.
Based on the classification of the alert content and the database of users wishing to receive alerts, the system automatically sends alerts to interested users via the corresponding alert form.

Figure IV.6: Overview of the alert sending system

IV.7.3. Infocon system
The Infocon system is responsible for analyzing incident data to produce appropriate alert levels and publishing this information on the alert website. The alerts issued on the Infocon system are the result of computation by the automatic analysis system together with the incident supervisors and analysts. There are 4 alert levels:
- Green: normal state, no new threat detected.
- Yellow: a new threat has been detected and is being monitored; attacks are occurring but damage is not yet serious.
- Orange: attacks causing serious damage are taking place.
- Red: widespread disruption of activity across Vietnam's cyberspace.
The alert module provides the most important function of the network security management system, which is sending alerts to interested users. The system has a procedure for users to register on the alert recipient list, and to unsubscribe when no longer needed. Alerts are composed with content suited to the corresponding sending form and are sent automatically to the list of users registered to receive the information. This is a necessary procedure so that useful information reaches users quickly.
IV.8. Analysis and design of the dedicated sensor management module.
As we know, the system performing the monitoring function comprises many dedicated sensors deployed at many different locations to collect information. The system must have a centralized management interface for monitoring the operating state of the sensors, so that administrators can easily track the sensors' status and perform the necessary tasks from the main system.
IV.8.1. Overall management of all reconnaissance stations
This function provides an overall view of all reconnaissance stations in the Internet security monitoring network. It supports the system user in performing the following tasks to manage the reconnaissance stations in the monitoring network:
Listing all reconnaissance stations and their operating status: In this interface, the user can quickly see the most basic information about the list of reconnaissance stations and each station's operating status.
Adding/removing reconnaissance stations: allows the user to declare the addresses of newly deployed reconnaissance stations, or to remove stations no longer in use from the list.

Figure IV.7: Management interface for all reconnaissance stations

IV.8.2. Management of a single reconnaissance station
This function is similar to the one above but provides more detailed and specific information about one reconnaissance station. The user can query the operating information of a given station. This information includes:
Operating status: whether it is running or not, CPU and memory usage, network throughput, ...
Managing the utilities on the reconnaissance station: Each deployed station has many utilities that perform different monitoring tasks. The user can add or remove utilities on each station to add or remove the corresponding monitoring tasks.
System configuration on the reconnaissance station: allows the user to change the operating configuration of the station.
From the analysis above, we see that the system has all the information and functions needed to control the reconnaissance stations in the monitoring network. With the function for managing reconnaissance stations from a central system, the user can easily see the activity of any station and configure it to operate as intended.

IV.9. Analysis and design of the general administration module (user administration, backup storage, system administration, configuration, logging, ...) of the SIPS system.
For an information system serving many kinds of users, access management is an indispensable basic function. A system with good access management must clearly and specifically classify each group of users along with their functions and duties, and on that basis restrict users so that they can only access the information corresponding to their job needs.
IV.9.1. Basic method of permission management
A basic permission system usually consists of two main components: subjects and resources. Granting permissions is simply a matter of answering each question of the form: does subject X have the right to access resource Y? This access permission information is represented by a two-dimensional matrix determining the access rights of each user subject to each resource.
Example:

Resource / Subject | Home page | Statistics | Create report | Receive information | Manage users
Admin              |           |            |               |                     |
User               |           |            |               |                     |
Reporter           |           |            |               |                     |

(The X marks in the cells of the original matrix did not survive extraction.)

IV.9.2. The phpGACL solution
phpGACL is an open-source solution to the access permission problem. It lets us implement the access permission table above, while extending permission management by managing groups of subjects and groups of resources. Support for managing groups of subjects and resources makes it convenient and fast to grant access for subjects and resources that are alike.
Conclusion: The research results show that the access permission function is indispensable for large information systems serving many users. Applying the open-source software phpGACL makes the management of user access to the system's components more flexible and adaptable.
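As an added example (not phpGACL's own code and not the SIPS project's), the following implements the subject/resource matrix of IV.9.1 extended with subject groups and resource groups in the manner described for phpGACL, including the resolution rule that an explicit deny on a member overrides an allow inherited from its group. The user names, groups and rules are constructed for illustration.

```python
"""Access permission check: an access matrix of subjects versus resources,
extended with subject groups and resource groups the way phpGACL does.

Added example, not phpGACL's own code and not the SIPS project's; the groups
and rules below are constructed for illustration."""


class AccessControl:
    """Allow/deny rules on (subject or subject group, resource or resource group).
    Resolution: any matching deny wins over any matching allow; no rule means deny."""

    def __init__(self):
        self.subject_groups = {}   # group name -> set of member subjects/groups
        self.resource_groups = {}  # group name -> set of member resources/groups
        self.rules = []            # (who, what, allowed)

    def add_subject_group(self, group, *members):
        self.subject_groups.setdefault(group, set()).update(members)

    def add_resource_group(self, group, *members):
        self.resource_groups.setdefault(group, set()).update(members)

    def allow(self, who, what):
        self.rules.append((who, what, True))

    def deny(self, who, what):
        self.rules.append((who, what, False))

    @staticmethod
    def _ancestors(name, groups):
        """The name itself plus every group that (transitively) contains it."""
        found, todo = {name}, [name]
        while todo:
            current = todo.pop()
            for group, members in groups.items():
                if current in members and group not in found:
                    found.add(group)
                    todo.append(group)
        return found

    def check(self, subject, resource):
        """Answer the matrix question: may subject X access resource Y?"""
        subject_names = self._ancestors(subject, self.subject_groups)
        resource_names = self._ancestors(resource, self.resource_groups)
        verdicts = [
            allowed for who, what, allowed in self.rules
            if who in subject_names and what in resource_names
        ]
        return bool(verdicts) and all(verdicts)


def build_sample_policy():
    """Constructed policy over the resources of the matrix in IV.9.1 and the
    three subject groups Admin, User and Reporter."""
    acl = AccessControl()
    acl.add_subject_group("Admin", "alice")
    acl.add_subject_group("Reporter", "bob")
    acl.add_subject_group("User", "carol")
    acl.add_resource_group("reporting", "create_report", "receive_information")
    acl.add_resource_group("all_pages", "home", "statistics", "reporting", "manage_users")
    acl.allow("Admin", "all_pages")
    acl.allow("Reporter", "home")
    acl.allow("Reporter", "reporting")
    acl.allow("User", "home")
    acl.allow("User", "statistics")
    acl.deny("bob", "receive_information")  # per-subject exception inside a group
    return acl


if __name__ == "__main__":
    policy = build_sample_policy()
    for subject, resource in [("alice", "manage_users"), ("bob", "receive_information"),
                              ("carol", "create_report")]:
        print(subject, resource, policy.check(subject, resource))
```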

IV.10. Analysis and design of the interface supporting 24/24 monitoring of the network security situation.
For a system that interacts with users, the user interface is a very important component. This interface supports users in interacting with the system and performing tasks quickly and accurately. We therefore need to research and analyze in order to build the system's interfaces so as to give users the greatest possible support.
IV.10.1. Analysis of the functions of the components in the network security monitoring support interface
Based on the design model of the system's functions, we can identify the functional components that interact with users. For each of these components, we need to design a user interface that is convenient for the system's users. From the functional analyses, we will identify the information that must be present in the user interface.
IV.10.2. Building the interface for each function
From the analyses above, we can build the corresponding graphical interfaces and shape the system's interaction with the user. The information required in the interface is presented in suitable objects such as buttons, selection lists, forms, ... Some criteria for building the user interface are:
- A neat, clear interface that causes no confusion
- Many chart views for the statistics function
- Separation of functions, with no overlap
- Display of help information for user operations when needed
- Attention to the user's screen size so that the interface components are laid out sensibly

Figure IV.8: Event and alert statistics interface

This part of the content has studied in depth and identified the information that must be present in the user-interaction interface, and has produced a basic design for the user interface of the functional components in the system.
IV.11. Programming and testing the monitoring module, statistics module and alert module of the SIPS system. Analysis, evaluation and comparison with theoretical results.
IV.11.1. Monitoring module
This module must have the following main functions:
Retrieve the manufacturer of a network device: based on the device's MAC address and a database of manufacturers with their corresponding codes in the MAC address, the system looks up and returns the manufacturer of the device.
Retrieve information about a specific IP address: query the database to find the MAC address of the device with the given IP address.
Detect incidents with abnormal signs: query the database for events with abnormal signs and return the results.
Detect events indicating that the system is under attack: query the database to find events showing signs of attacks exploiting known vulnerabilities.
Detect events indicating attacks on system availability: similarly, query the database to find events showing signs that the system is under attack.
IV.11.2. Statistics module
This module must have the following main functions:
Compile statistics on addresses with abnormal signs: query the database for network devices whose MAC address has changed, a sign of address spoofing attacks.
List the security events detected by the system: all events are recorded in the database, so this step is simply a database query to retrieve information about the detected events.
Draw statistical charts over time: query information about events that occurred within a given time period.
Build statistical charts: build statistical chart types such as pie charts and bar charts from the collected figures, which are computed and drawn as charts.
Build statistical charts of throughput on network interfaces
IV.11.3. Alert module
This module must have the following main functions:
Manage the registration list: allows adding/removing users registered with the system.
Print alerts to the screen: simply query the database and list the results.
Manage alerts sent by email: the system has a list of interested users who want to receive alerts by email, and allows the administrator to add/remove entries in this list.
Send alert emails: use basic functions to send emails with the alert content to the list of recipients who have registered to receive them.
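As an added example (not the SIPS project's code), the following implements two of the functions listed in IV.11.1 and IV.11.2 over a constructed event store: the manufacturer lookup from the OUI prefix of a MAC address, the MAC-for-IP query, and the listing of IP addresses whose MAC address changed, the address-spoofing indicator the statistics module reports. The OUI table and the IP/MAC observations are constructed.

```python
"""Monitoring/statistics functions over a constructed event store: manufacturer
lookup from the OUI prefix of a MAC address (IV.11.1) and listing of IP addresses
whose MAC address changed, the address-spoofing indicator of IV.11.2.

Added example, not the SIPS project's code; the OUI table and the IP/MAC
observations below are constructed."""
import re
from collections import defaultdict

# Constructed OUI table (first 3 octets -> vendor).  A real deployment would load
# the IEEE OUI registry into the manufacturer database the report describes.
OUI_VENDORS = {
    "00:11:22": "Vendor A (constructed)",
    "aa:bb:cc": "Vendor B (constructed)",
}

# Constructed observations: (timestamp, ip, mac) as a sensor would record them.
SAMPLE_OBSERVATIONS = [
    ("2011-03-01T08:00:00", "10.0.0.5", "00:11:22:33:44:55"),
    ("2011-03-01T08:05:00", "10.0.0.7", "AA-BB-CC-00-00-01"),
    ("2011-03-01T08:10:00", "10.0.0.5", "0011.2233.4455"),    # same MAC, Cisco-style form
    ("2011-03-01T08:20:00", "10.0.0.5", "aa:bb:cc:99:99:99"),  # binding changed
    ("2011-03-01T08:25:00", "10.0.0.7", "aa:bb:cc:00:00:01"),
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and return
    the lowercase colon-separated form; reject anything else."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vendor_of(mac, oui_table=OUI_VENDORS):
    """Manufacturer lookup from the OUI prefix, or None when the prefix is unknown."""
    return oui_table.get(normalize_mac(mac)[:8])


def mac_for_ip(ip, observations=SAMPLE_OBSERVATIONS):
    """Most recently observed MAC address for an IP, or None if never seen."""
    macs = [normalize_mac(m) for _, i, m in sorted(observations) if i == ip]
    return macs[-1] if macs else None


def changed_mac_addresses(observations=SAMPLE_OBSERVATIONS):
    """IPs whose MAC binding changed over time, mapped to the sequence of distinct
    MACs seen (a change back and forth is recorded as three entries)."""
    history = defaultdict(list)
    for _, ip, mac in sorted(observations):
        norm = normalize_mac(mac)
        if not history[ip] or history[ip][-1] != norm:
            history[ip].append(norm)
    return {ip: macs for ip, macs in history.items() if len(macs) > 1}


if __name__ == "__main__":
    for ip, macs in changed_mac_addresses().items():
        vendors = [vendor_of(m) or "unknown" for m in macs]
        print("%s changed MAC: %s (%s)" % (ip, " -> ".join(macs), ", ".join(vendors)))
```

In the constructed data 10.0.0.5 moves from a Vendor A address to a Vendor B address, which is exactly the kind of record the statistics module would list for an analyst to confirm against the site's inventory.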
IV.12. Programming and testing the dedicated sensor management module and the general administration modules.

IV.12.1. Dedicated sensor management module
As we know, the system operates on a model of sensors placed at scattered points together with a system that manages the sensors centrally. The following are some of the object libraries used in the programming:
- CommandLineOptions
- Config
- Conn
- Output
- Logger
- Database
- MonitorCommand
- MonitorDatabase
- MonitorHTTP
IV.12.2. General administration module
Besides managing the dedicated sensors, the system must also provide functions for administering system users, granting access permissions and managing the system configuration:
User access permissions: the open-source software phpGACL is applied to implement access permissions for system users; with it, users can be restricted to specific sections only.
System configuration management: interacts with the user to allow direct changes to the system configuration through the web interface. The configuration options the user selects in the web interface are converted into the corresponding configuration entries in the system's configuration file.
System user administration: this is the module for administering user accounts; it handles login and session management, and changes to information related to the user's account.
This part of the content focuses on analyzing and presenting the program code implementing the general administration functions of the system, including user administration, permissions and system configuration. It also presents the dedicated sensor management modules that let the system centrally manage sensors scattered across the network.
IV.13. Programming and testing the modules connecting to the NSIDB database and the interface module supporting 24/24 monitoring of the network security situation.

In an overall system comprising many dedicated sensors, unifying all activity requires a centralized database storing all information about the system as well as about the network security situation. The network security monitoring interface interacts with the database to produce statistical information about the system and display it on the administrative monitoring screen.
IV.13.1. NSIDB database connection module
The database is where all information from the entire network security monitoring system is concentrated. For the system to operate smoothly, database connections must be made with guaranteed speed and security. This part of the content presents an outline of the incident and alert database and of the monitoring system management database, and provides the corresponding program code for connecting to these two databases.

IV.13.2. Interface module supporting monitoring of the network security situation
The entire network security monitoring support interface is programmed as a set of monitoring frames. A senior administrator can add or remove these frames depending on the intended use. Users can change, add or remove these monitoring frames. Within each frame, the user can create many monitoring windows and configure each window for a particular piece of information. We use this very component to form the ten monitoring screens for the 10 criteria for Vietnam's network security.
The research team has programmed the system and run tests, with the following results:
- The monitoring frames are visually satisfactory and meet the functions set out.
- Operations on the windows in each frame can be performed smoothly
- The database connection process follows the correct sequence, and data input, output and manipulation follow the design.

CHAPTER V. DEVELOPMENT OF A DEDICATED SENSOR PRODUCT WITH TECHNOLOGY MASTERED BY VIETNAM
V.1. Overview
This report presents a summary of the research results of Branch 5 of project KC.01.09/06-10.
The main research content of Branch 5 is the research and development of a dedicated endpoint product (sensor device) with technology mastered by Vietnam, comprising the sensor device and endpoint network security monitoring software. These are devices and software that listen for and collect network security information on the Internet and are connected via a separate management channel to the National Network Security Monitoring System. The basic requirements for the research products of Branch 5 are as follows:
V.1.1. A sensor device capable of collecting network security information:
The sensor is a device built to collect information that reflects as objectively as possible the national network security situation.
The requirement for the sensor device is that it allows the installation of a variety of software performing different functions, such as:
- Monitoring and recording hacker attack activity in cyberspace, detecting intrusions, detecting attack signatures and abnormal signs. The information obtained is sent to and stored in the database belonging to the monitoring center.
- Monitoring network traffic, measuring traffic usage, tracking bandwidth utilization, tracking whether the network is in a normal/abnormal state, and tracking attacks and latent threats.
- Scanning for network security weaknesses.
- Some other utilities that can be added, such as connection control and monitoring of system and service activity.

The sensor device can be developed by selecting and applying open-source software, improving and building on it so as to master the technology. These software modules are integrated with a suitable hardware platform to meet criteria such as stable operation, wide deployability, and suitability for the current state of information technology in our country.
In technical terms, the sensor must have a 100 Mbps capture port for recording packets, and must allow monitoring of nodes with Gbps transmission capacity by using a random packet sampling algorithm to analyze the traffic flows. The sensor's output averages about 1000 messages per day.
V.1.2. Endpoint network security information collection software (on the Windows operating system):
Build a solution and software for collecting network security information from users' servers or workstations. This software runs on the user's machine, mostly on the Windows operating system, continuously collecting information and sending it to the monitoring center's database.
In technical terms, the software must be able to capture at 10/100 Mbps to record packets, process and analyze incidents, and allow monitoring of end-user network nodes. The software's output averages about 100-150 messages per day.
These systems can be developed using open-source technology, on the basis of improving, supplementing or integrating several different open-source toolkits.
The Branch 5 project team has carried out the research and met the requirements set for the two products above.
During implementation, the team focused on four main research directions, as follows:
V.1.3. Research on theoretical issues:
- Classification of intrusion attacks and the information that can be obtained.
- Methods of information collection, packet capture methods, and methods for detecting intrusions and abnormal behavior.
- Suitable sensor placement positions on the network for information collection.
- Some representative hardware solutions and the necessary auxiliary devices.
- Linux, Windows and VMware operating system software serving as the base platform for the sensor.
- Open-source software tools for packet capture, analysis of the collected information, information presentation, ...
- Issues of sensor administration, sensor configuration management, activity log management, communication links and information exchange with the monitoring center, and the interface for remote sensor control
V.1.4. Research on the design of the sensor device system:
- Research and selection of hardware.
- Research, analysis and selection of open-source software suitable for the sensor.
- Research, analysis and design of the sensor administration system, for monitoring operating status and sensor configuration.
V.1.5. Research and construction of software modules for the sensor:
- Research, analysis and construction of a Linux kernel version for the sensor.
- Research and construction of the software modules: attack monitoring and recording software; traffic monitoring software; weakness scanning and system/service status monitoring software; software connecting the sensor device to the Monitoring Center; Vietnamese-language interface software for sensor administration and configuration, and sensor log administration.
V.1.6. Research and construction of network security monitoring software on endpoint machines:
- Research on approaches to building endpoint network security monitoring software for the Windows and Linux operating systems.
- Research and construction of the software modules installed on endpoint machines to collect network security information and send it to the Monitoring Center: attack monitoring and recording software; traffic monitoring software; system and service status monitoring software; software for transmitting data to the Monitoring Center; configuration and log administration software
Regarding research methods, the team focused on:
- Theoretical methods for information collection and methods for detecting intrusions and abnormal behavior; building a model for detecting abnormal traffic based on probability computation, highly adaptive and suited to detecting new, previously unknown attack patterns.
- Hardware and software techniques for capturing packets on the network.
- Learning from the methods and techniques of some typical open-source network security monitoring and intrusion detection systems such as Automated Incident Reporting (AirCERT) [1], Crusoe Correlated Intrusion Detection System [2], Monitoring, Intrusion Detection and Administration System [3], Sguil [4], Prelude [5], SiLK [6], OSSIM [7], and the systems of Symantec, ArcSight, JPCERT, KrCERT [8], ...
- On the basis of the open-source code, the team improved, supplemented and strengthened a number of functions needed for the system, and proposed a solution for integrating the necessary open-source software tools into the sensor device according to the installation needs at different positions on the network.
The following sections summarize the main research results of Branch 5 of the project.

V.2. Main research results achieved by Branch 5

V.2.1. Research on theoretical issues
On the basis of the classification of intrusion attacks, the information collection methods, the packet capture methods, and the methods for detecting intrusions and abnormal behavior, the team has proposed 3 suitable positions on the network for placing sensor devices to collect information:
- Level-1 network segment position: a position in the backbone network. Information collection solutions can use a hub, SPAN port, passive tap, ...
- Level-2 network segment position: the position of sensors placed at ISP networks.
- Level-3 network segment position: the position of sensors placed at end-user networks.
At level-1 network nodes, a SPAN port or TAP devices must be used. The sensor device can be a computer with a fast processor (GHz and above), a high-speed network interface (100/1000 Mbps or more), large memory (several GB or more) and a large hard disk (several hundred GB) for recording information.

Figure V.1: Possible positions for placing sensor devices to collect information in the level-1 zone

At level-2 network nodes, a SPAN port or TAP devices must be used. The sensor device can be a computer with a fast processor (GHz and above), a high-speed network interface (100/1000 Mbps or more), large memory (several GB or more) and a large hard disk (several hundred GB) for recording information.

Figure V.2: Possible positions for placing sensor devices to collect information in the level-2 zone

Figure V.3: Possible positions for placing sensor devices at endpoint machines

At end-user networks, sensor devices with lower processing speed can be used (CPU speed of GHz and above, network interface speed 10/100 Mbps). At end-user workstations or servers (www, dns, mail), a purely software sensor can be used.
On that basis, the team has proposed using Tap devices to sample information. This approach allows sensor devices to be placed without affecting the normal operation of the network.
Regarding the model for detecting intrusions and abnormal traffic, the team has proposed an adaptive intrusion detection architecture model as shown in Figure V.4.

Figure V.4: Architecture model of the adaptive intrusion detection system
The adaptive intrusion detection system is based on mining the data collected from the sensor devices. The system is built on an adaptive regeneration model: it collects data from the sensors and automatically builds the intrusion detection model. A new anomaly detection algorithm is built to help the model achieve higher effectiveness and avoid noisy data. The algorithm is built on the basis of allowing a small amount of unclean data to be mixed into the network's normal traffic. The model allows automatic operation, on the basis of some mechanisms that enhance the user's ability to quickly and easily set up data sets and signature detection models and apply them to the system's intrusion detection component.
The basis for building the system is a probabilistic algorithm capable of adapting to an amount of noisy data that may exist in the system (see report 5.1.1).
Regarding information exchange with the monitoring center and management of the sensor software configuration, the team studied the possibilities of using available open-source software and of developing new protocol software. Through research and testing of the options, the team proposed a solution using remote access over a secure SSH connection. Through a session established with SSH, updating the sensor's configuration and changing the software configuration on the sensor is entirely straightforward. In addition, the team also proposed a virtual private network solution for connecting the sensor devices to the monitoring center.
V.2.2. Research on the design of the sensor device system
A study of hardware solutions, for example from Endace [9], or some other solutions from Symantec and ArcSight, shows that these vendors usually use proprietary, not fully open, hardware. It is therefore very difficult to achieve complete mastery of the technology.
The team carried out a number of experiments and found that a hardware solution using a network interface card and a Network Tap is entirely feasible for designing a dedicated sensor device. Although the packet capture speed and preprocessing capability of PCs are not especially high, with sampling this is entirely achievable. This is also considered an acceptable solution in the current circumstances of Vietnam.
A monitoring system with a PCI card was also tested in document [10], on a system with two Intel Xeon 2.5 GHz CPUs, 4 x 2 GB T-200 SDRAM and an Intel Pro 1000 Ethernet interface card. The test results of [10] show that the solution proposed by the team is feasible.
Hardware configuration criteria
The general principle for sensor devices is to operate in passive mode, meaning they only capture packets and collect network information passively, and do not modify the data passing through the network or affect transmission on the network. On the other hand, the sensor devices must be able to capture packets at a rate matching the speed of the network where the sensor is placed to collect information, as stated above.
The main minimum hardware requirements are:
+ Standard x86 or x86-compatible computer
+ CPU speed: 1 GHz or higher
+ Minimum memory: 1 GB RAM or more.
+ Hard disk: at least 1 GB free.
+ Network interface: 10/100 Mbps, or 1 Gbps depending on the monitoring sensor configuration.
+ Sensor devices must have 2 network interfaces: eth0 for capturing packets from the network and eth1 for connecting to the monitoring center

Hardware solution for the dedicated sensor device
On the basis of the analyses in the technical reports, the project team designed and built dedicated sensor devices in 3 groups as follows.
- Servers used as sensor devices to monitor backbone networks and user networks, with high requirements on processing speed, main memory, hard disk and network interfaces.
+ Configuration for the high-speed server: Intel Quad-core 3 GHz, hard disk: 2 x 160 GB, network cards: 2 x 10/100/1000 Mbps, RAM 4 GB, CD rewriter, server form factor.
+ Configuration for the low-speed server: Intel Xeon Core 2 Duo 3.0 GHz, hard disk: 2 x 72 GB, network cards: 2 x 10/100 Mbps, RAM: 1 GB, CD rewriter, server form factor.
- Computers used as sensor devices to monitor end-user networks, with lower requirements than the servers on processing speed, main memory, hard disk and network interfaces.
+ Configuration for the high-speed sensor computer: Intel Core 2 Duo 2.8 GHz / 2.0 GB / 160 GB / DVD-RW, network cards: 3 x 10/100/1000 Mbps.
+ Configuration for the low-speed sensor computer: Intel CPU 1.6 GHz / 1.0 GB / 80 GB / CD-RW, network cards: 2 x 10/100 Mbps.
The sensor devices are installed with the Linux operating system and with open-source software tools that support monitoring and the collection of network security information. Figure V.5 shows the internal layout of a sensor device.

Figure V.5: Internal structure of a network security monitoring sensor device

The results achieved in this part of branch 5 are:
- 03 sample Sensor devices with different capture speeds. Sample 1 is a low-speed Sensor, suited to recording security-relevant packets at low-speed network nodes (10/100 Mbps). Sample 2 is a medium-speed Sensor (100 Mbps). Sample 3 is a high-speed Sensor, suited to recording network security information at high-speed network nodes (100/1000 Mbps). Maximum outgoing data rate that can be recorded and processed: 100 Mbps.
- Types of network security information recorded: traffic volume, attack signatures, anomaly indicators, service operating status, system information, protocols, services, sensor status.
- Operating time: 24 hours x 7 days a week.
- Voltage: 110 V to 220 V, power consumption: 400 W, installation environment: 20 to 35 °C.
Technical details of the sample sensor devices are given in Appendix 1.

Figure V.6: A sample Sensor device

Figure V.7: Sample Sensor devices 2 and 3 under test

V.2.3. Research and development of the software modules for the sensor

For the Linux kernel version of the sensor, the team analysed, evaluated and selected Ubuntu Linux with kernel 2.6.26 or later, since this version is assessed as running most stably.
Kernel version 2.6.31 was built and installed for testing, with good results. The file system layout of kernel version 2.6.31 is shown in the following figure.
[Figure V.8 is a screenshot of df, free and /proc/cmdline output from the installed system; the lines that can be recovered from it are reproduced below, with one free column lost in extraction.]
df: Filesystem  1k-blocks  Used     Available  Use%  Mounted on
df: tmpfs       258236     548      257688     0%    /dev
df: /dev/sda1   7850996    1104012  6348172    15%   /target
df: /dev/sda1   7850996    1104012  6348172    15%   /dev/.static/dev
df: tmpfs       258236     548      257688     0%    /target/dev
free:         total    used    free    shared  buffers
free: Mem:    516472   486436  30036   9324
free: Swap:   409616   409616
free: Total:  926088   486436  439652
/proc/cmdline: preseed/file=/cdrom/preseed preseed/interactive=true debian/priority=low vga=788 initrd=/install.386/gtk/initrd.gz quiet BOOT_IMAGE=/install.386/vmlinuz

Figure V.8: Software modules in the Linux kernel version


The following figure shows the parameters of kernel version 2.6.31 and the list of directories of the Linux kernel operating system.

Figure V.9: Parameters and directories of the Linux kernel version


The team studied and drew on the experience of the software solutions of NetFlow [11], the Crusoe Correlated Intrusion Detection System [2], the Monitoring, Intrusion Detection and Administration System [3], Sguil [4], Prelude [5], SiLK [6], OSSIM [7], and the systems of Symantec, ArcSight, JPCERT and KrCERT [8].
The team also studied typical open-source software tool sets such as Snort [12], Ntop, Nagios, Winpcap, Osiris/Snare, OpenVAS, Nessus, Nmap, ... [13].
Based on the analysis and consolidation of the requirements for the sensor device and for the software that collects network security information, the team built a model of the main functions of the sensor device comprising three main software blocks (figure below):
- Information collection block (including attack signature detection and anomaly detection)
- Network traffic monitoring block
- Block that tracks the status of applications and the current use of resources in the network
[Figure V.10 is a block diagram; its labels are: Network traffic monitoring; Information collection; Attack signature detection; Anomaly detection; Service and resource monitoring; Processing centre.]

Figure V.10: Principle diagram of the network security monitoring software


From this, the team built flowcharts for each main software block of the sensor, as described in Figures V.11 and V.12.

[Figure V.11 is a flowchart: Collect packets -> Decode and classify packets -> Rule-based detection unit (using the Rule set) -> Attack signature? If yes: store and raise an alert. If no: Anomaly detection unit -> Anomaly indicator? If yes: store and raise an alert. If no: ignore and discard the packet.]

Figure V.11: Principle diagram of the detection software block

[Figure V.12 is a block diagram of the software installed at the endpoint: an Agent installed on the endpoint checks inbound/outbound network traffic and checks the running services; the results are collected and displayed.]

Figure V.12: Principle diagram of the traffic monitoring software block
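The detection flow of Figure V.11, written out as a small Python pipeline. This is an added example, not the project's sensor software or Snort: the rule set, the anomaly heuristic (a single source contacting many distinct ports within a short window) and the sample packets are constructed for illustration, and the decoded packet fields stand in for what a real sensor would take from libpcap.

```python
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass
class Packet:
    """Decoded packet fields; a real sensor would fill these from libpcap."""
    ts: float
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes = b""


@dataclass
class Alert:
    rule: int
    msg: str
    src: str
    dst: str
    kind: str   # "signature" (rule set) or "anomaly"


# Rule set (constructed): rule id, message, protocol, destination port, payload pattern.
RULES = [
    (1001, "path traversal sequence in HTTP request", "TCP", 80, re.compile(rb"\.\./")),
    (1002, "SQL comment sequence in HTTP request", "TCP", 80, re.compile(rb"'\s*(--|#)")),
]


class DetectionPipeline:
    """Figure V.11 flow: rule-based detection first, anomaly detection second, then store+alert or discard."""

    def __init__(self, fanout_threshold=15, window=2.0):
        self.fanout_threshold = fanout_threshold   # distinct destination ports per source
        self.window = window                       # seconds
        self.alerts = []
        self.dropped = 0
        self._ports_seen = defaultdict(list)       # src -> [(ts, dport)] inside the window
        self._flagged = set()                      # sources already reported, to avoid repeat alerts

    def _rule_match(self, pkt):
        for rid, msg, proto, dport, pattern in RULES:
            if pkt.proto == proto and pkt.dport == dport and pattern.search(pkt.payload):
                return Alert(rid, msg, pkt.src, pkt.dst, "signature")
        return None

    def _anomaly(self, pkt):
        """Hypothetical anomaly detector: one source contacting many distinct ports in a short window."""
        if pkt.proto != "TCP" or pkt.src in self._flagged:
            return None
        history = self._ports_seen[pkt.src]
        history.append((pkt.ts, pkt.dport))
        cutoff = pkt.ts - self.window
        while history and history[0][0] < cutoff:      # slide the window
            history.pop(0)
        distinct = {port for _, port in history}
        if len(distinct) > self.fanout_threshold:
            self._flagged.add(pkt.src)
            return Alert(9001, "%d distinct destination ports within %.1fs" % (len(distinct), self.window),
                         pkt.src, pkt.dst, "anomaly")
        return None

    def process(self, pkt):
        alert = self._rule_match(pkt) or self._anomaly(pkt)
        if alert is None:
            self.dropped += 1        # no signature, no anomaly: the packet is discarded, not stored
            return None
        self.alerts.append(alert)    # store and raise an alert
        return alert


def run(packets, **kwargs):
    pipeline = DetectionPipeline(**kwargs)
    for pkt in packets:
        pipeline.process(pkt)
    return pipeline


# Constructed sample traffic: three ordinary requests, one request carrying a
# traversal sequence, then one source probing 20 different ports in half a second.
SAMPLE = (
    [Packet(1.0 + i, "10.0.0.5", "192.0.2.10", 80, "TCP", b"GET /index.html HTTP/1.1") for i in range(3)]
    + [Packet(5.0, "10.0.0.5", "192.0.2.10", 80, "TCP", b"GET /../../etc/passwd HTTP/1.1")]
    + [Packet(100.0 + i * 0.025, "10.0.0.9", "192.0.2.10", 1 + i, "TCP") for i in range(20)]
)

if __name__ == "__main__":
    result = run(SAMPLE)
    for a in result.alerts:
        print(a.kind, a.rule, a.src, "->", a.dst, a.msg)
    print("discarded packets:", result.dropped)
```

Running it on the sample yields one signature alert and one anomaly alert; the remaining 22 packets take the "ignore, discard" branch. The anomaly detector reports a source only once, which is the kind of suppression a sensor needs so that a single port sweep does not produce hundreds of identical alerts for the centre.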


The team selected, modified, supplemented and integrated a number of available open-source software tools into the sensor device, grouped according to the 3 main software blocks described above. Typical tools for information collection and intrusion detection such as winpcap, pcap, windump, nmap and snort were all tested and trial-installed in the sensor device, in particular with the integration of the open-source OSSIM [7] suite into the sensor.
Typical tools used for network traffic monitoring, detection of abnormal traffic and of attack risks are: ntop, nmap, arpwatch, P0f, ... Typical tools for status monitoring are: nagios, Osiris/Snare, ... The main open-source software modules integrated in the sensor device are:
- Snort: software tool for detecting attacks, unauthorised intrusions and anomaly indicators on the network.
- Nessus: software tool for vulnerability scanning.
- Ntop: software tool for monitoring network traffic.
- Nagios: software tool for monitoring device status, bandwidth, ...
- Nmap: software tool for network scanning.
- A number of other tools for tracking, monitoring and detecting abnormal behaviour, such as Arpwatch, P0f, Pads, ...
In addition, the sensor device also carries software for configuration management, a Vietnamese-language configuration interface, software for managing and tracking device status, and software update management for the sensor device. The software modules are built by reusing the available open-source software, typically the tools named above.
The team researched and tested the options for the software that connects the sensor device with the Monitoring Centre, and built the Vietnamese-language interface for administering and configuring the sensor and for managing the sensor logs.
The software was integrated, built and run in trials on the live network environment at the Vietnam Computer Emergency Response Team from February 2010 to the present. In addition, the project team also ran trials on the live network environment at VDC Company from May to the present. The trial results show that the software meets the requirements registered in the project. The trial results are presented in the software trial technical reports.

V.2.4. Research and development of network security monitoring software for the endpoints

The survey showed that a large share of endpoints use the Windows operating system. Therefore, researching an approach for building network security monitoring software for endpoints running Windows or Linux is a necessary need in the project, so that network security information collected at the endpoints can be sent to the monitoring centre.
The team researched, tested and proposed the approach of using the VMware virtualisation software installed on the Windows operating system, and then installing in it the software modules that were built and integrated for the sensor devices.
With the approach proposed above, the software modules built by reusing the available open-source software already used for the sensor devices can be reused for installation on the endpoints.
The software modules integrated and built for the endpoint comprise: software for tracking and recording attacks; software for tracking and monitoring traffic; software for vulnerability review and for tracking the operating status of the system and of services; software connecting the sensor device with the Monitoring Centre; the Vietnamese-language interface software for administering and configuring the sensor and managing sensor logs.
The following figures show the configuration interfaces for the sensor, which also configure the software installed at the endpoint workstations (for example servers, web servers, user workstations).

Figure V.13: Main interface of the software

Figure V.14: Software configuration interface

Figure V.15: Configuration interface for the monitoring support tools

V.3. Trial results in a live network environment

All 3 options according to the attached diagrams were deployed in trials at VDC Company.

Figure V.16: Placement of the sensor device monitoring endpoints that use ADSL network connections.

Figure V.17: Placement of the sensor device monitoring server systems at server hosting providers

A Network Tap is a hardware device used to listen to the data on a data stream; it is the device commonly used with intrusion detection devices. The Network Tap only copies the data on the link and sends it to the monitor port, so it has no effect on the monitored network.

Figure V.18: Placement of the Sensor device monitoring an enterprise's internal network

The project team tested the software functions of the sensor device, the network security information collection operations, the connection management and log management operations of the sensor device, and the information collection software at the endpoints.
The aim of these trial tests was to check the packet capture functions of the sensor, the sensor device administration functions, the functions for detecting signs of attacks on the network, ...
The trial results show that the software meets the requirements registered in the project. The trial results are presented in the software trial technical reports.

V.4. Conclusions
The research and analysis results, based on the research reports carried out in the project, show that the choice of device configuration for manufacturing the sensors and of the software for the sensors must be weighed against many criteria, as presented in the report.
Integrating open-source software is the feasible solution chosen in the project. This solution makes it possible to master the technology and to develop and add the functions needed to suit the environment in which the sensors are used and the present conditions of Vietnam.
The results and products achieved meet the requirements set out in the project description of KC.01.09/06-10. The research results achieved can be applied to practice immediately. An illustrative example of practical application is presented in [15]. The authors have also published the research results in a number of papers [16-19].

V.5. List of sample sensor devices

Sample Sensor device 1:
Hardware details:
- Processor: INTEL XEON, Dual Core E5200, Socket 775
- Processing speed: 2.5 GHz
- Hard disk: SATA, 250 GB, Cache 8 MB
- Main memory: 2 GB
- RAID: Smart Array 5i Controller supporting RAID 0, 1, 5
- Power supply (+ redundant): 2 x 400 W
- Ethernet: 2 x 10/100 Mb/s
- Optical drive: DVD RW
- Size: 2U form factor
- Packet capture speed: 10/100 Mbps
- Number of network ports: 2 ports
- Network port type: RJ45 CAT5E
- Number of monitoring ports: 2 ports
- Monitoring port type: RJ45 CAT5E
Software: Sensor software for collecting network security information installed.

Sample Sensor device 2:
Hardware details:
- HP Proliant ML150 G6, INTEL XEON QUAD-CORE
- Processing speed: 2.5 GHz
- Hard disk: SATA, 2 x 240 GB, Cache 8 MB
- Main memory: 4 GB
- RAID: supports RAID 0, 1, 10
- Power supply (+ redundant): 2 x 400 W
- Ethernet: 2 x 10/100/1000 Mb/s
- Optical drive: DVD RW
- Size: 2U form factor
- Packet capture speed: 1 Gbps
- Number of network ports: 2 ports
- Network port type: RJ45 CAT5E
- Number of monitoring ports: 2 ports
- Monitoring port type: RJ45 CAT5E
- Complies with the RoHS standard
- Complies with the IEEE 802.3 standard
Software: Sensor software for collecting network security information installed.

Sample Sensor device 3:
Hardware details:
- Processor: INTEL XEON QUAD-CORE
- Processing speed: 3.0 GHz
- Hard disk: Ultra 320 SCSI, 3 x 72 GB, Cache 8 MB
- Main memory: 4 GB
- RAID: Smart Array 5i Plus Controller, RAID 0, 1, 5
- Power supply (+ redundant): 2 x 400 W
- Ethernet: 3 x 10/100/1000 Mb/s
- Optical drive: DVD RW
- Size: 2U form factor
- Packet capture speed: 1 Gbps
- Number of network ports: 2 ports
- Network port type: RJ45 CAT5E
- Number of monitoring ports: 2 ports
- Monitoring port type: RJ45 CAT5E
- Operating temperature 0-55 °C: met
- Redundant power supply
- Complies with the RoHS standard
- Complies with the IEEE 802.3 standard
Software: Sensor software for collecting network security information installed.

V.6. Trial results for the sensor device at VDC

The following trial results for the sensor device at VDC were measured by the Measurement and Testing Department of TST Telecommunications Technical Services Joint Stock Company (the Measurement and Testing Department was designated by the Ministry of Information and Communications under decision no. 575/QĐ-BBCVT of 22/06/2007).
V.6.1. Requirements for the placement of the Sensor device
The Sensor device is a computer with installed software that collects packets from the connected network interface passively (through a TAP device), and therefore does not affect the operation of the network.
One static public IP address is required to connect to the server.
Sensor placement:
- Place the sensor machine at the information collection point.
- There are 3 options according to the attached appendix diagrams (VDC is requested to allow the initial trial to follow options 2 and 3).
The Sensor device has 2 network ports:
- Connect the passive port of the sensor to the network tap. This port collects the packets passing through the network link passively, without affecting or altering any information travelling over the link.
- Connect the remaining port of the sensor to the server to send event information.

V.6.2. Testing the operating functions of the Sensor device

Trial tests: the aim of these trial tests is to check the packet capture functions and the recognition of information security threat indicators by the endpoint software.
The details of the tests are recorded in the following table.
Required function | Met
Manage the sensor device's interfaces | Ok
Track sensor status | Ok
Check the connection between sensor and server | Ok
Administer the configuration of the software modules integrated in the sensor | Ok
Control, from the server, the operation of the software utilities installed on the sensor | Ok
Network traffic monitoring | Ok
Measure traffic in use | Ok
Bandwidth utilisation | Ok
Intrusion detection (IDS) based on signatures and on abnormal behaviour | Ok
Record network security incidents | Ok
Record network attacks | Ok
Track log information | Ok
Display sensor device status information and system information about the server | Ok
Software update | Ok
Vietnamese-language interface | Ok
Information collection speed (100 Mbps capture port) | 10/100/1000
Data flow rate (Mbps) | 10/100
Number of output messages from the sensor (1000 messages per day) | Ok
V.6.3. Testing the operating functions of the endpoint software on Windows
Trial tests: the aim of these trial tests is to check the packet capture functions of the sensor, the sensor device administration functions, the functions for detecting signs of attacks on the network, ...
Test method: check whether the software on the endpoint has the functions listed, and check whether the functions work and work according to the design.
The details of the tests are recorded in the following table.
Required function | Met
Manage the sensor device's interfaces | Ok
Track sensor status | Ok
Check the connection between sensor and server | Ok
Administer the configuration of the software modules integrated in the sensor | Ok
Control, from the server, the operation of the software utilities installed on the sensor | Ok
Network traffic monitoring | Ok
Measure traffic in use | Ok
Bandwidth utilisation | Ok
Intrusion detection (IDS) based on signatures and on abnormal behaviour | Ok
Track log information | Ok
Display sensor device status information and system information about the server | Ok
Software update | Ok
Vietnamese-language interface | Ok
Information collection speed (100 Mbps capture port) | 10/100
Data flow rate (Mbps) | 10/100
Number of output messages from the sensor (1000 messages per day) | Ok

V.6.4. Detailed description of the sensor installation for the trial deployment

Trial of monitoring endpoint devices on the network of an ADSL service provider

Figure V.19: Placement of the sensor device monitoring endpoints that use ADSL network connections.

Description of the sensor device
- The sensor device is a computer with two network ports: one port is used to connect to the server to transfer the collected events to the server, and one port connects to the network to be monitored through a Network Tap device.
- A Network Tap is a hardware device used to listen to the data on a data stream; it is the device commonly used with intrusion detection devices. The Network Tap only copies the data on the link and sends it to the monitor port, so it has no effect on the monitored network.
Requirements for the device installation:
- One static public IP address is required to connect to the server and to connect to the sensor remotely for sensor administration.
- One network tap device connected as in the figure above.
Testing the operating functions of the Sensor device
- Trial tests: the aim of these trial tests is to check the packet capture functions and the recognition of information security threat indicators for endpoints connected to the Internet through ADSL.
- The details of the tests are recorded in the following table.
Required function | Met
Manage the sensor device's interfaces | Ok
Track sensor status | Ok
Check the connection between sensor and server | Ok
Administer the configuration of the software modules integrated in the sensor | Ok
Control, from the server, the operation of the software utilities installed on the sensor | Ok
Network traffic monitoring | Ok
Measure traffic in use | Ok
Bandwidth utilisation | Ok
Intrusion detection (IDS) based on signatures and on abnormal behaviour | Ok
Record network security incidents | Ok
Record network attacks | Ok
Track log information | Ok
Display sensor device status information and system information about the server | Ok
Software update | Ok
Display of the Vietnamese-language interface | Ok
Information collection speed (100 Mbps capture port) | 10/100/1000
Data flow rate (Mbps) | 10/100
Number of output messages from the sensor (1000 messages per day) | Ok

V.6.4.2. Trial of monitoring servers at a server hosting provider

Figure V.20: Placement of the sensor device monitoring server systems at server hosting providers

a) Description of the sensor device
- The sensor device is a computer with two network ports: one port is used to connect to the server to transfer the collected events to the server, and one port connects to the network to be monitored through a Network Tap device.
- A Network Tap is a hardware device that listens to the data on a data stream; it is the device commonly used with intrusion detection devices. The Network Tap only copies the data on the link and sends it to the monitor port, so it has no effect on the monitored network.
b) Requirements for the device installation:
- One static public IP address is required to connect to the server and to connect to the sensor remotely for sensor administration.
- One network tap device connected as in the figure above.
c) Planned trial procedure
- Trial tests: the aim of these trial tests is to check the packet capture functions and the recognition of information security threat indicators for the servers providing hosting services.
- The details of the tests are recorded in the following table.
Required function | Met
Manage the sensor device's interfaces | Ok
Track sensor status | Ok
Check the connection between sensor and server | Ok
Administer the configuration of the software modules integrated in the sensor | Ok
Control, from the server, the operation of the software utilities installed on the sensor | Ok
Network traffic monitoring | Ok
Measure traffic in use | Ok
Bandwidth utilisation | Ok
Intrusion detection (IDS) based on signatures and on abnormal behaviour | Ok
Record network security incidents | Ok
Record network attacks | Ok
Track log information | Ok
Display sensor device status information and system information about the server | Ok
Software update | Ok
Vietnamese-language interface | Ok
Information collection speed (100 Mbps capture port) | 10/100/1000
Data flow rate (Mbps) | 10/100
Number of output messages from the sensor (1000 messages per day) | Ok

V.6.4.3. Trial of monitoring enterprise internal network systems

a) Description of the sensor device
- The Sensor is a computer with two network ports: one is used to connect to the server to transfer the collected events to the server, and one port connects to the network to be monitored through a Network Tap device.
- A Network Tap is a hardware device that listens to the data on a data stream; it is the device commonly used with intrusion detection devices. The Network Tap only copies the data on the link and sends it to the monitor port, so it has no effect on the monitored network.

Figure 3: Placement of the Sensor device monitoring an enterprise's internal network

b) Requirements for the device installation:
- One static public IP address is required to connect to the server and to connect to the sensor remotely for sensor administration.
- One network tap device connected as in the figure above.

c) Planned trial procedure

Trial tests: the aim of these trial tests is to check the packet capture functions and the recognition of information security threat indicators in the enterprise network.
The details of the tests are recorded in the following table.
Required function | Met
Manage the sensor device's interfaces | Ok
Track sensor status | Ok
Check the connection between sensor and server | Ok
Administer the configuration of the software modules integrated in the sensor | Ok
Control, from the server, the operation of the software utilities installed on the sensor | Ok
Network traffic monitoring | Ok
Measure traffic in use | Ok
Bandwidth utilisation | Ok
Intrusion detection (IDS) based on signatures and on abnormal behaviour | Ok
Record network security incidents | Ok
Record network attacks | Ok
Track log information | Ok
Display sensor device status information and system information about the server | Ok
Software update | Ok
Vietnamese-language interface | Ok
Information collection speed (100 Mbps capture port) | 10/100/1000
Data flow rate (Mbps) | 10/100
Number of output messages from the sensor (1000 messages per day) | Ok

CHAPTER VI. DEVELOPMENT OF SOLUTIONS AND TOOLS FOR INTEGRATING A NUMBER OF COMMERCIAL NETWORK SECURITY DEVICES COMMON IN VIETNAM

VI.1. Overview
This report summarises the research results of branch 6 of project KC.01.09/06-10.
The main research content of Branch 6 is the development of solutions and tools for integrating a number of commercial network security devices common in Vietnam into the national network security monitoring system described above.
It was planned that the survey would select 3 representative product groups for device types such as firewalls, intrusion detection systems (IDS) and antivirus gateways (AV-Gateway), with at least 2 common commercial products per group, and that solutions and software tools would be built to support the integration of their information with the SIGS information collection and processing systems and the central NSIDB database by automatic processing.
Technical requirements to be met: connection of a variety of commercial products, at least 5-6 types, including products that can send information in a standard format (such as IODEF or Syslog) as well as products that lack this function. The software solution is designed to be open so that connector tools for new network security products can be integrated easily.
Planned staffing was 12 expert-years and 10 programmer-years, using a powerful server system and a LAN with up-to-date software technology for development, together with a variety of specialised software and equipment.

VI.2. Research method and content

VI.2.1. Research method

The research and construction of the branch 6 products was carried out on the basis of the following principles:
- The system must be designed to be open, so that new technologies can be integrated easily.
- Software construction follows a proper process to ensure product quality and schedule.
- Make use of earlier research results, apply experience, and identify limitations and weaknesses so that remedies can be found.
- Combine hardware and software solutions in a harmonious and flexible way.
- Consult and apply international standards as well as the internal standards of the network security monitoring system to ensure easy connection with other systems.
- Study and apply a number of good and suitable open-source software technologies.
Research methods and techniques used:
- Theoretical research methods: modelling, and analysis and evaluation of the system on a scientific basis.
- Study, learn from or apply a number of good-quality open-source software products.
- Study and apply advanced methods, technologies and techniques.
- To raise product quality, product testing is carried out scientifically and in several steps:
  + Test each component
  + Test the software on a simulated system
  + Test on small network systems
  + Trial in the real environment.

VI.1.2. Research content

The research team carried out the following main tasks:
- Survey and analyse the structure and standards of network security information that can be received from network security devices such as commercial IDS, Firewall and Antivirus products.
- Build a standard for describing network security incidents.
- Analyse and design the overall integrated software for collecting network security information.
- Analyse and design the module that supplies network security information from antivirus devices/software: GAG.
- Analyse and design the module that supplies network security information from Firewall devices/software: GFW.
- Analyse and design the module that supplies network security information from intrusion detection (IDS) devices/software: GIDS.

VI.3. Summary of the products and results achieved by branch 6

VI.3.1. Structure and standards for receiving network security information
VI.3.1.1. Network security information from IDS
The team analysed the network security information from two IDS devices: the McAfee IDS and IBM's ISS Proventia. These are two good-quality commercial IDS products in very wide use on the international and domestic markets.
a) Network security information from the McAfee IDS device
The McAfee IDS device is named IntruShield; in principle McAfee can forward alerts to the network security information collection software using the Syslog and SNMP standards. The information in the alerts of the McAfee IDS device can be configured by the user and comprises the following basic items:
- Alert ID
- Alert type
- Attack time
- Attack name
- Attack ID
- Attack severity
- Attack signature
- Attack confidence
- Admin domain
- Sensor name
- Network interface
- Source IP
- Source port
- Destination IP
- Destination port
- Category
- Sub-category
- Direction
- Result status
- Detection mechanism
- Application-layer protocol (Application protocol)
- Network-layer protocol (Network)
- Relevance
b) Network security information from the ISS IDS device
The ISS IDS device is named Proventia; in principle Proventia can forward alerts to the network security information collection software using the Syslog and SNMP standards. The information in Proventia alerts comprises the following items:
- Alert ID
- Alert format version
- Alert type name
- Alert name
- Source IP
- Source port
- Destination IP
- Destination port
- Time (real number)
- Local Timezone Offset
- Alert accuracy
- Alert Time Sequence ID
- Alert ID
- Sensor address
- Sensor name
- Product ID
- Alert type
- Alert priority
- Alert flag
- Pair count
- Response
- Blob count
c) Network security information from the MiDFS integrated security device
MiDFS is an integrated security device providing full Firewall and IDS functions; it uses the open-source Snort software for its intrusion and attack detection functions. Snort is one of the most widely used IDS systems today. Snort is open-source software of good quality that runs stably, and its rich signature repository lets it detect information security events quite accurately while the user need not buy anything; these are the basic reasons why Snort has become so common. Integrating Snort into the network security monitoring system will allow a great many alerts originating from many different information sources on the real networks being deployed to be received. The Snort IDS software supports 03 mechanisms for storing incident notifications: the SNMP protocol, storage in a database and storage in a log file. The content of a Snort incident notification comprises:
- Incident ID
- Source IP
- Source port
- Destination IP
- Destination port
- Classification
- Priority (the priority levels are: Emergency, Alert, Critical, Error, Warning, Notice, Info or Debug)
- Protocol
- Rule
- Incident name
- Message
- Time
- Sensor ID
- Event ID
- Classification ID
- Priority
- Rev
VI.3.1.2. Network security information from firewall devices
The team studied, tested and surveyed many types of firewall on the market from both foreign and domestic vendors, such as Astaro firewall, Checkpoint, Cisco, Sourcefire, Juniper, MiDFS (from Misoft Company) and so on; the team found three types of firewall of good quality and in very common use on the Vietnamese market, with the potential to supply network security information: the firewalls of Checkpoint and Cisco, and MiDFS from Misoft Vietnam.
a) Network security information from the Checkpoint firewall
Checkpoint is one of the good-quality commercial firewalls in the most common use today. Checkpoint supports layer 2 firewall functions and stateful technology to detect incidents or repair data where possible. Analysis shows that the network security information structure obtainable from this type of device comprises the following items:
- Event ID
- Date
- Time
- Action (Drop/Accept/Reject)
- IP address that generated the event
- Service port
- Source IP
- Source port
- Source MAC address
- Destination IP
- Destination port
- Destination MAC address
- Rule ID
- Rule name
- User
- Supporting information
b) Network security information from MiDFS
MiDFS uses a layer 2 firewall to manage and block network attacks and protect the system. MiDFS is a Vietnamese product that runs stably and is inexpensive, so it has begun to be used in a number of places; therefore, alongside the well-known commercial products, the research team chose MiDFS as one of the devices supplying network security information to the monitoring system. Study shows that the structure of the network security information supplied by MiDFS comprises:
- Date
- Time
- Firewall name
- Kernel version
- Action (Drop/Reject)
- Direction
- Interface
- Source IP
- Source port
- Source MAC address
- Destination IP
- Destination port
- Destination MAC address
- Length
- Type of service (TOS)
- Time to live (TTL)
- Message ID
- Don't Fragment bit (DF)
- Protocol
- Window size of the TCP packet (maximum value 65535)
- IP-to-domain-name resolution
- Packet type SYN/RST
VI.3.1.3. Network security information from antivirus software
a) Network security information from Symantec antivirus software

Symantec Endpoint Protection from Symantec is a very good antivirus software system that not only detects, removes or otherwise handles incidents caused by viruses and malware well, but also provides centralised administration, which helps enforce information security policies and is especially important in organisations with large information systems. The content of an incident notification from Symantec Endpoint Protection comprises:
- Date of occurrence
- Time
- Source
- Type
- Incident category
- Incident ID
- Affected machine
- Description
- User at the infected machine
- Affected file
- Action
b) Network security information from McAfee antivirus software
Similarly to Symantec AntiVirus Corporate Edition, McAfee's VirusScan Enterprise is a very good antivirus software system that not only detects, removes or otherwise handles incidents caused by viruses and malware well, but also provides centralised administration, which helps enforce information security policies and is especially important in organisations with large information systems. The content of an incident notification from McAfee VirusScan Enterprise comprises:
- Date of occurrence
- Time
- Source
- Type
- Incident category
- User
- Incident ID
- Affected machine
- Description
- Incident database
- Affected file
- Action
c) Network security information from the ClamAV antivirus software
ClamAV is open-source virus detection software used on Linux gateway systems or Windows workstations. ClamAV has a large user community and updates its virus database very quickly, so this software is in very common use. The content of a ClamAV antivirus alert comprises the following main items:
- Date of occurrence
- Time
- Source
- Type
- Incident category
- Incident ID
- Affected machine
- Description
- User at the infected machine
- Affected file
- Action
VI.3.2. Structure and normalisation of network security information
Because network security data is collected from many network security products of different types and from different vendors, its content and presentation vary between formats. Normalising this data as input for the central network security monitoring system is therefore mandatory, so that network security events can be analysed and evaluated and appropriate alerts issued. The network security information structure will be used in common across the whole national network security monitoring system.
Based on the information collected from different sources such as:
- Firewalls
- Antivirus
- Intrusion detection IDS/IPS
- Network security vulnerability detection software
a network security incident may not yet contain all the information needed for consolidating and analysing the network security situation, so a network security incident notification must comprise the following items and data types:

Field | Type | Null | Meaning
id | bigint(20) | No | Incident ID
timestamp | timestamp | No | Time
sensor | text | No | Sensor name
interface | text | No | Interface
type | int(11) | No | Sensor type
plugin_id | int(11) | No | Plugin ID
plugin_sid | int(11) | No | Sub-plugin ID
plugin_sid_name | varchar(255) | Yes | Sub-plugin name
protocol | int(11) | Yes | Protocol
src_ip | int(10) | Yes | Source IP address
dst_ip | int(10) | Yes | Destination address
src_port | int(11) | Yes | Source port
dst_port | int(11) | Yes | Destination port
priority | int(11) | Yes | Priority
reliability | int(11) | Yes | Reliability
filename | varchar(255) | Yes | Related file
userdata1 | varchar(255) | Yes | Spare data field, used to extend connectivity
userdata2 | varchar(255) | Yes | Spare data field, used to extend connectivity
userdata3 | varchar(255) | Yes | Spare data field, used to extend connectivity
userdata4 | varchar(255) | Yes | Spare data field, used to extend connectivity
userdata5 | varchar(255) | Yes | Spare data field, used to extend connectivity
userdata6 | text | Yes | Spare data field, used to extend connectivity
userdata7 | text | Yes | Spare data field, used to extend connectivity
userdata8 | text | Yes | Spare data field, used to extend connectivity
userdata9 | text | Yes | Spare data field, used to extend connectivity

The nine extension fields are kept in reserve for the case where the collected network security data needs to be extended, to ensure that almost every type of network security incident collected from the various sources can be normalised, in full agreement with the international IODEF incident description standard.
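The normalisation step, as an added example in Python (not the project's GIDS/GFW software): two constructed alert lines, one in the Snort "fast" alert layout and one in a Check Point key=value log layout, are mapped onto the record above. The plugin ids, sub-plugin ids, reliability values and the priority mapping are assumed values standing in for the plugin database, and the two line layouts are assumptions about the vendors' formats; the IP columns are filled as unsigned 32-bit integers because src_ip and dst_ip are int(10).

```python
import ipaddress
import re
from datetime import datetime

# Columns of the common incident record of section VI.3.2 (OSSIM-style schema).
FIELDS = (
    "id", "timestamp", "sensor", "interface", "type", "plugin_id", "plugin_sid",
    "plugin_sid_name", "protocol", "src_ip", "dst_ip", "src_port", "dst_port",
    "priority", "reliability", "filename",
) + tuple("userdata%d" % i for i in range(1, 10))
# Columns the table marks "No" in its Null column.
REQUIRED = ("id", "timestamp", "sensor", "interface", "type", "plugin_id", "plugin_sid")
PROTO_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17}   # IANA numbers for the int protocol column

# Plugin database (constructed values): plugin_id identifies the product that
# produced the alert, type the sensor type, reliability a default trust level.
PLUGIN_DB = {
    "snort":      {"plugin_id": 1001, "type": 1, "reliability": 3},
    "checkpoint": {"plugin_id": 1501, "type": 2, "reliability": 2},
}
CHECKPOINT_ACTION_SID = {"accept": 1, "drop": 2, "reject": 3}   # constructed sub-plugin ids

# Snort "fast" alert line layout (assumed here; the sample below is constructed).
SNORT_FAST = re.compile(
    r"^(?P<mon>\d{2})/(?P<day>\d{2})-(?P<hms>\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
KEY_VALUE = re.compile(r'(?P<k>[\w/]+)=(?P<v>"[^"]*"|\S+)')   # assumed key=value export layout


def ip_to_int(ip):
    """src_ip/dst_ip are int(10): the unsigned 32-bit form of an IPv4 address."""
    return int(ipaddress.IPv4Address(ip))


def new_event(event_id, sensor, interface, source):
    """Blank record with every column present, plus the plugin-database defaults."""
    ev = {name: None for name in FIELDS}
    ev.update(id=event_id, sensor=sensor, interface=interface, **PLUGIN_DB[source])
    return ev


def missing_required(ev):
    """Not-null columns still unset; an empty list means the record can be stored."""
    return [name for name in REQUIRED if ev[name] is None]


def normalise_snort_fast(line, event_id, sensor, interface, year):
    m = SNORT_FAST.match(line.strip())
    if not m:
        raise ValueError("not a Snort fast alert line: %r" % line)
    ev = new_event(event_id, sensor, interface, "snort")
    ev["timestamp"] = datetime(year, int(m["mon"]), int(m["day"]),
                               *map(int, m["hms"].split(":"))).isoformat()
    ev["plugin_sid"] = int(m["sid"])            # the Snort rule id is the sub-plugin id
    ev["plugin_sid_name"] = m["msg"]
    ev["protocol"] = PROTO_NUMBERS.get(m["proto"].upper())
    ev["src_ip"], ev["dst_ip"] = ip_to_int(m["src"]), ip_to_int(m["dst"])
    ev["src_port"], ev["dst_port"] = int(m["sport"]), int(m["dport"])
    ev["priority"] = int(m["prio"])             # Snort priority kept as-is (1 = highest)
    ev["userdata1"] = m["cls"]                  # classification goes to a spare column
    ev["userdata2"] = "%s:%s:%s" % (m["gid"], m["sid"], m["rev"])
    return ev


def normalise_checkpoint(line, event_id, sensor, interface):
    kv = {m["k"]: m["v"].strip('"') for m in KEY_VALUE.finditer(line)}
    ev = new_event(event_id, sensor, interface, "checkpoint")
    ev["timestamp"] = datetime.strptime(kv["date"] + " " + kv["time"],
                                        "%d%b%Y %H:%M:%S").isoformat()
    action = kv["action"].lower()
    ev["plugin_sid"] = CHECKPOINT_ACTION_SID.get(action, 0)
    ev["plugin_sid_name"] = action
    ev["protocol"] = PROTO_NUMBERS.get(kv.get("proto", "").upper())
    ev["src_ip"], ev["dst_ip"] = ip_to_int(kv["src"]), ip_to_int(kv["dst"])
    ev["src_port"] = int(kv["s_port"]) if "s_port" in kv else None
    ev["dst_port"] = int(kv["service"]) if kv.get("service", "").isdigit() else None
    ev["priority"] = 3 if action == "drop" else 1   # assumed mapping: denied traffic ranks higher
    ev["userdata1"], ev["userdata2"] = kv.get("rule"), kv.get("rule_name")
    ev["userdata3"] = kv.get("orig")            # firewall that produced the log entry
    return ev


# Constructed sample lines (not real captures).
SAMPLE_SNORT = ("03/15-14:22:01.123456  [**] [1:1000001:1] LOCAL path traversal in HTTP URI [**] "
                "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80")
SAMPLE_CHECKPOINT = ('date=15Mar2010 time=14:22:03 action=drop orig=192.0.2.1 i/f_name=eth1 '
                     'src=198.51.100.7 s_port=44000 dst=192.0.2.10 service=80 proto=tcp '
                     'rule=12 rule_name="Block inbound HTTP"')

if __name__ == "__main__":
    for ev in (normalise_snort_fast(SAMPLE_SNORT, 1, "sensor-hn-01", "eth0", 2010),
               normalise_checkpoint(SAMPLE_CHECKPOINT, 2, "sensor-hn-01", "eth0")):
        print({k: v for k, v in ev.items() if v is not None}, "missing:", missing_required(ev))
```

The vendor-specific fields that have no column of their own (Snort classification, the firewall rule name, the originating firewall) land in the userdata columns, which is what the nine spare fields are for; missing_required is the check a connector should run before handing the record to SIGS, since the not-null columns are exactly the ones the centre needs to attribute an event to a sensor and a plugin.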

VI.3.3. Overall design of the software for receiving network security information from commercial products
VI.3.3.1. Analysis of the requirements
As presented above, integrating network security devices into the network security monitoring system, where they act as sensors supplying network security information, widens the range of information sources, allows incidents to be received quickly and reflects most faithfully the network security developments taking place in the Internet environment. At the same time, making use of the available network security devices/software saves investment costs, minimises changes to the network infrastructures to be monitored and speeds up deployment of the monitoring network.
According to the project outline, the sources of network security information are divided into three types:
- Firewall devices/software (FW)
- Attack and intrusion detection devices/software.
- Virus detection and prevention devices/software.
Matching these three types of source, 03 corresponding software modules were to be built to receive the information: GFW, GIDS and GAG. Each module would thus only have the function of receiving network security information from one type of source.
VI.3.3.2. Integrated solution for receiving network security information
After the research, however, the expert group found that building 03 independent modules, each collecting from one type of data source, would make deployment less convenient than integrating all the functions for receiving the information sources into one piece of software. This software not only comprises the three modules GFW, GIDS and GAG described above, but can also be upgraded with many further modules to collect network security information from other information sources. In practice, besides the three sources above, information from the following sources can also be received to support data analysis:
- Information on security vulnerabilities from the software/devices that detect vulnerabilities on networks, in software and on servers.
- Information on information security policy violations collected from the logs of operating systems, database management systems, authentication systems and various other services.
The research team therefore built the software for collecting network security information from commercial devices with the functions of all three modules GIDS, GFW and GAG integrated, with the following functions and advantages:
- Collection of information from network security devices/software:
  o Attack and intrusion detection devices/software.
  o Firewall devices/software (FW)
  o Virus detection and prevention devices/software.
- A design that can be extended to collect network security information from:
  o Information on security vulnerabilities from the software/devices that detect vulnerabilities on networks, in software and on servers.
  o Information on information security policy violations collected from the logs of operating systems, database management systems, authentication systems and various other services.
- Normalisation and delivery of network security information to the SIGS system.
VI.3.3.3. Context diagram
The context diagram of the integrated security information collection software is shown in the following figure:

Figure VI.1: Context diagram. The integrated security information collection software sits between the security devices (FW, IDS, scanner, AV) and SIGS: the Device Connector receives the device alerts and passes them to GIDS, GFW or GAG; these modules use the Plugin Database and hand the normalised events to the SIGS Connector, which sends them to SIGS.

Device Connector: module that receives network security information from the commercial devices.
GAG: module that receives and normalises security information from antivirus software.
GIDS: module that receives and normalises security information from IDS and IPS devices / software.
GFW: module that receives and normalises security information from firewalls.
SIGS Connector: module that opens the connection to the SIGS system and sends the normalised security events to SIGS.
Plugin database: database holding the information on the formats of the security alerts received from the security devices / software.
VI.3.3.4. Module that supplies information from antivirus software - GAG
The GAG module normalises the security alerts it receives from the Device Connector: it parses them, builds events in the standard incident description format, and passes them to the SIGS Connector for delivery to the SIGS subsystem.
The data flow of the function that receives security information from antivirus software is shown below:

Figure VI.2: GAG module data flow diagram. Antivirus alerts from Symantec Antivirus, McAfee Antivirus and ClamAV reach the Device Connector, which passes them to GAG; GAG looks their format up in the Plugin Database and emits events to the SIGS Connector, which forwards them to SIGS.

Inputs of the GAG module
- Virus detection alerts from the Device Connector.
- Format information for the virus detection alerts, supplied by the Device Connector.
Outputs of the GAG module
- Security incident events (Event) built in the standard incident description format from the received virus alerts.
Function of the GAG module
- Build security incident events (Event) in the standard incident description format from the received virus alerts.
VI.3.3.5. Module that supplies information from firewall devices - GFW
The GFW module normalises the security alerts it receives from the Device Connector: it parses them, builds events in the standard incident description format, and passes them to the SIGS Connector for delivery to the SIGS subsystem.
The data flow of the function that receives security information from firewall devices is shown below:

Figure VI.3: GFW module data flow diagram. Firewall alerts reach the Device Connector, which passes them to GFW; GFW looks their format up in the Plugin Database and emits events to the SIGS Connector, which forwards them to SIGS.

Inputs of the GFW module
- Alerts about policy violations or activities logged on the firewall devices.
- Format information corresponding to the received alerts, supporting the alert parsing function.
Outputs of the GFW module
- Events built from the incident alerts and restructured in the standard incident description format.
Function of the GFW module
- Build security incident events (Event) in the standard incident description format from the firewall device alerts.
VI.3.3.6. Module that supplies information from IDS/IPS devices - GIDS
The GIDS module normalises the security alerts it receives from the Device Connector: it parses them, builds events in the standard incident description format, and passes them to the SIGS Connector for delivery to the SIGS subsystem.
The data flow of the function that receives and parses security information from IDS and IPS devices is shown below:

Figure: GIDS module data flow diagram. IDS/IPS alerts from Proventia and from MiDFS reach the Device Connector, which passes them to GIDS; GIDS looks their format up in the Plugin Database and emits events to the SIGS Connector, which forwards them to SIGS.

Inputs of the GIDS module
- Alerts from IDS devices / software, received by the Device Connector and passed on to GIDS.
- Plugin data containing what is needed to parse the alerts from the IDS devices / software. Within this project two formats are supported: alerts from the ISS Proventia IPS and from the Snort IDS installed on MiDFS.
Outputs of the GIDS module
- The IDS alerts about network security problems, in the standard incident alert format.
Function of the GIDS module
- Build security incident events (Event) in the standard incident description format from the alerts of IDS or IPS devices / software.
VI.3.3.7. Information reception module - Device Connector
The Device Connector module opens the port on which security information from security devices and software is received. It checks the source of each alert and forwards it to the appropriate processing module:
- If the alert comes from an IDS or IPS device, it is forwarded to the GIDS module.
- If the alert comes from a firewall device / software, it is forwarded to the GFW module.
- If the alert comes from an antivirus device / software, it is forwarded to the GAG module.
VI.3.3.8. Alert delivery module - SIGS Connector
The SIGS Connector module delivers the security incident alerts normalised by the GIDS, GFW or GAG modules to the SIGS subsystem.
VI.3.3.9. Development environment
The system was developed in an open-source environment, specifically:
- Operating systems: Linux / Windows
- Programming languages: C and Python
VI.3.4. Product obtained
The integrated security information collection software contains all three modules: the module receiving security information from IDS/IPS devices (GIDS), the module receiving security information from antivirus software (GAG) and the module receiving security information from firewall devices (GFW). The software provides the following functions:
- Receiving security information from different sources:
o Firewall security information from:
  Check Point
  Cisco ASA 5500
  MiDFS
o IDS/IPS security information from the following devices:
  Proventia
  McAfee IntruShield
  MiDFS from the Misoft company
o Antivirus security information from the following products:
  Symantec Endpoint Protection
  McAfee
  ClamAV
o In addition, the software can receive information from:
  the Ntop network traffic management software,
  the iptables firewall,
  the Snort intrusion detection software, and a number of other network security and network management products.
- Normalising the security information and delivering it to the central security information reception system, SIGS.
To keep the collection software running continuously, in particular when the incoming volume spikes above what the SIGS system can accept or above the speed of the data link, the software is fitted with a buffering mechanism: a queue temporarily holds the information that cannot be forwarded in time and forwards it gradually afterwards.
To ensure stability and limit failures, the software was developed under a strict monitoring and testing process: from independent modules, through integration testing, through trials in a simulated environment, and only then into live trials. The software has been under trial since 2009 and in live operation since September 2010, supplying security information to the central processing system for the monitoring and incident response work of the VNCERT Centre.
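The collection pipeline of sections VI.3.3.3 to VI.3.3.8 together with the queue buffer described above, as an added example that is not the project's code: a constructed plugin database (one regular expression per source type), the Device Connector's routing by registered source, the GIDS/GFW/GAG normalisation step and a SIGS Connector with a bounded queue. The alert line formats, device names, addresses and the Event schema are assumptions of this example. It also shows two checks a practitioner would want: an alert from a sender that is not in the registry is rejected rather than normalised, and when the buffer overflows the oldest event is counted as lost instead of blocking the device side.

```python
import re
from collections import deque
from dataclasses import dataclass, asdict

# Constructed stand-in for the plugin database: one pattern per source type.
# Field names and line formats are this example's own, not the project's plugin records.
PLUGIN_DB = {
    "ids": re.compile(  # Snort "fast" alert line (IDS/IPS sources, the GIDS role)
        r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\].*?"
        r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"),
    "fw": re.compile(   # key=value firewall log line (the GFW role)
        r"action=(?P<action>\w+) .*?src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
        r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"),
    "av": re.compile(   # key=value antivirus detection line (the GAG role)
        r"host=(?P<host>[\d.]+) file=(?P<file>\S+) virus=(?P<virus>\S+) action=(?P<action>\w+)"),
}

@dataclass
class Event:
    """Common incident event handed to SIGS; the schema is an assumption of this example."""
    source_type: str
    device: str
    category: str
    severity: int
    src_ip: str = ""
    dst_ip: str = ""
    dst_port: int = 0
    description: str = ""

def normalize(kind, device, line):
    """The GIDS/GFW/GAG step: look the format up in the plugin database, build an Event."""
    m = PLUGIN_DB[kind].search(line)
    if not m:
        return None
    if kind == "ids":
        return Event(kind, device, "intrusion", 3, m["src"], m["dst"], int(m["dport"]),
                     f"{m['gid']}:{m['sid']} {m['msg']}")
    if kind == "fw":
        if m["action"].lower() not in ("drop", "reject", "deny"):
            return None            # accepted traffic is log noise, not a policy violation
        return Event(kind, device, "policy_violation", 2, m["src"], m["dst"],
                     int(m["dport"]), f"{m['action']} {m['proto']}")
    return Event(kind, device, "malware", 4, src_ip=m["host"],
                 description=f"{m['virus']} in {m['file']} ({m['action']})")

class SigsConnector:
    """Forwards events to SIGS; buffers them in a bounded FIFO when SIGS cannot keep up."""
    def __init__(self, transport, maxlen=10_000):
        self.transport = transport     # callable(dict) -> True when SIGS accepted the event
        self.queue, self.maxlen = deque(), maxlen
        self.delivered = self.overflow = 0

    def send(self, event):
        if len(self.queue) >= self.maxlen:
            self.queue.popleft()       # drop the oldest, count it, never block the device side
            self.overflow += 1
        self.queue.append(asdict(event))
        self.flush()

    def flush(self):
        while self.queue and self.transport(self.queue[0]):
            self.queue.popleft()
            self.delivered += 1

class DeviceConnector:
    """Receives raw alerts, checks that the sender is a registered source, routes by type."""
    def __init__(self, registry, sigs):
        self.registry = registry       # device name -> "ids" | "fw" | "av"
        self.sigs = sigs
        self.rejected = 0              # unknown senders and unparsable lines

    def receive(self, device, line):
        kind = self.registry.get(device)
        event = normalize(kind, device, line) if kind else None
        if event is None:
            self.rejected += 1
            return None
        self.sigs.send(event)
        return event

def run_demo(sigs_outage=2):
    """Push constructed alert lines through the pipeline while SIGS refuses the first
    `sigs_outage` deliveries. Returns (events, delivered, still_queued, rejected)."""
    calls = {"n": 0}
    def flaky_sigs(payload):
        calls["n"] += 1
        return calls["n"] > sigs_outage
    sigs = SigsConnector(flaky_sigs)
    dc = DeviceConnector({"snort-1": "ids", "fw-edge": "fw", "av-lab": "av"}, sigs)
    lines = [  # constructed sample input; names and addresses are illustrative
        ("snort-1", "03/15-10:22:01.1 [**] [1:2003:8] ET SCAN Nmap -sS [**] "
                    "[Priority: 2] {TCP} 10.0.0.5:44321 -> 10.1.0.1:22"),
        ("fw-edge", "action=drop rule=12 src=10.0.0.5 dst=10.1.0.2 proto=tcp dport=445"),
        ("fw-edge", "action=accept rule=3 src=10.0.0.9 dst=10.1.0.2 proto=tcp dport=80"),
        ("av-lab", "host=10.0.0.7 file=C:/tmp/x.exe virus=Conficker.B action=quarantined"),
        ("rogue", "action=drop src=10.9.9.9 dst=10.1.0.2 proto=tcp dport=22"),
    ]
    events = [e for e in (dc.receive(d, l) for d, l in lines) if e]
    return events, sigs.delivered, len(sigs.queue), dc.rejected
```

In `run_demo` the first two deliveries fail, so the first two events wait in the queue and are flushed together with the third once SIGS answers again; the accepted firewall line and the unregistered sender are counted as rejected. The queue here lives in memory and is lost if the collector process dies; a production collector should spool it to disk, which the report does not say the project's queue does.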

VI.4. Conclusion
The project's research group has fully completed the objectives and tasks registered for branch 6, "Developing a solution and tools to integrate some commercial network security devices common in Vietnam into the national network security monitoring system", as set out in the approved outline. The group has also finished the product, which runs stably and can receive security information from more than 9 commercial security devices / software packages (6 products were registered) and from a number of other network management and security programs. The software has been tested and is in stable use, meeting the quality and requirements of the project.

CHAPTER VII. TRIALS, MEASUREMENT AND PERFORMANCE ANALYSIS OF THE SYSTEM
VII.1. Summary of the work performed
Functional trials of the endpoint security monitoring software and of the solution for integrating some commercial security devices common in Vietnam.
The trials show that the endpoint devices perform the security monitoring functions well. These cover packet capture and the recording of intrusion attacks, security incidents and anomalous behaviour, together with some basic functions such as logging, a management interface and the connection between sensor and monitoring centre. Being able to integrate the common commercial security devices matters greatly for later deployment: organisations joining the monitoring system will not have to replace incompatible devices but can keep using their existing ones through the common information exchange standard the system supports.
Trials and measurement of the operating parameters of the whole system, software tuning, and analysis and evaluation of the performance of the whole system.
The results in this part cover all the measurements and evaluations of the operating parameters of the system's functions. The trials and measurements of the whole system gave good results. The sensor device operates and meets the basic functions: capturing packets and recording intrusion attacks, security incidents and anomalous behaviour. It also provides logging, a management interface and the sensor-to-centre connection. Information collection and evaluation show that the trial system is fully compatible and can interoperate with the international standards for exchanging network attack information.
In theory, as the number of sensors grows the system capacity must be re-assessed so that capacity can be added accordingly. The current performance meets the trial requirements with a moderate number of sensors (under 10). With this many sensors, server and service load stays below the 25% threshold. If the real deployment is large (a few hundred to a few thousand sensors), the system should be deployed on a scalable platform using virtualisation or, further up, cloud computing, so that its capacity can be scaled out as needed.

VII.2. Description of the trials
The overall design was tuned on the basis of analysing and evaluating the trial results of the "Vietnam network security monitoring system" and comparing them with the theoretical research results.
VII.2.1. Analysis and evaluation of the trial results
The purposes of the trials were:
1. To trial and measure the operating parameters of the whole system;
2. To analyse and evaluate the performance of the whole system and compare it with the theoretical results.
a) Trial method and environment
Trial method
Sensors were placed at suitable positions according to the 3 options presented in section 2.2.1. The sensor device has 2 network ports: one connects to the monitored network through a Tap device, the other connects to the monitoring centre.
The Tap listens on the link, copies the traffic and sends it to the sensor. With this method the sensor's operation cannot affect the monitored network.
To check the software functions, the general method is to verify that each function behaves as specified. For the functions that record intrusion attacks, security incidents and anomalous behaviour, a number of software tools were used to inject attack data into the network, for example password guessing, port reconnaissance scans and network scans to gather information.
b) Location and time
Trial locations:
The system was trialled on the LAN of the VNCERT Centre and on the production network of the VDC company.
Trial period:
The system has been trialled on the LAN of the VNCERT Centre since 20 March 2010.
The sensor device has been trialled on VDC's production network since 10 June 2010.
c) Trial network model

Figure VII.1: Trial network model

Legend:
- Server SIGS/SIPS (203.162.130.216): system server, located at the VDC company, running the security information collection and monitoring software (SIGS) and the information processing, monitoring-statistics-alerting and control software (SIPS).
- Server
- Personal computer
- Commercial firewall device
- Modem
- Internet environment
- Internet connection link
- Internal Ethernet 100 Mb/s link
- Switch
- Sensor: dedicated monitoring device (sensor), which can be placed at various positions (LAN, server network and Internet)
- Expert: expert accessing SIGS/SIPS for operational work

Test scenarios:
The system was tested under 3 scenarios:
- Monitoring endpoint devices on the network of an ADSL service provider
- Monitoring servers at a server hosting provider
- Monitoring the internal networks of an enterprise

d) Trial contents and results
Contents of the test runs
Following the trial method, 07 tests were carried out to check that the sensor's functions work as designed. The tests and their results are given below.

Test 01 (Document 7.1)
Content: Trial of the sensor's incident-recording subsystem and of its recording of network attacks.
Result: The sensor devices work well and meet the requirements set by the project. The measurement table shows that the sensor meets the software's functional requirements for capturing packets and recording intrusion attacks, security incidents and anomalous behaviour; a number of other sensor functions and utilities were also checked, such as logging, the management interface and the sensor-to-centre connection.

Test 02 (Document 7.2, with Appendix 1)
Content: Trial of the network traffic monitoring function (measuring traffic usage, tracking the state of the network and its services, tracking bandwidth utilisation, tracking attacks in progress and warning of latent risks to the network). Trial of the sensor's vulnerability scanning function and of the system and service monitoring function (watching and sending an alert whenever a server, device or service stops). Trial of the integrated security monitoring database. Evaluation of compatibility with the international standards for exchanging incident information and network attack information, so that information can be exchanged automatically with other systems at home and abroad.
Result: The traffic monitoring, vulnerability scanning, and system and service monitoring functions work well and meet the requirements of the project description. These functions run on the sensor devices, which can be installed at many positions in the network. The test results show that the software modules meet the functions required by the project. Information collection and evaluation show that the current system is fully compatible and can interoperate with the international standards for exchanging network attack information.

Test 03 (Documents 7.3.1 and 7.3.2)
Content: Trial of the incident notification handling subsystem of the central security information collection software. Trial of the subsystem for automatic reception of security information from the devices of the collection software.
Result: The incident notification handling subsystem consists of 02 websites that together provide:
+ Security information declaration website: opening a new notification; checking the status of a notification.
+ Incident notification processing website: functions for system administrators, for specialists and for managers.
All functions work well and stably. Input errors by users are detected and reported accurately by the software. The declaration, reception and processing workflow fits the operational procedures of the VNCERT Centre for handling incident notifications. The program interface is simple, well organised, intuitive and easy to use. The subsystem meets all requirements stated in the approved project description and outline.
For the automatic reception subsystem: the SIGS security information collection system receives all events sent by the sensors; the reception rate is acceptable, with no slowdown or processing congestion; CPU utilisation always stays below 25%; there were no errors in event reception; and the system works well on the real Internet. Overall, evaluation of the subsystem in the trial and production environments shows that it works well and stably and meets all requirements of the approved description and outline. With an average-speed server, the trials handled runs with up to more than five million incidents in 3 days. In principle the subsystem can receive security information automatically from 50 high-speed sensor sources, or from 500 endpoints at 100,000 events per day.

Test 04 (Document 7.4)
Content: Trial of the 24/7 monitoring, statistics and analysis functions that produce alerts and guidance for Vietnamese individuals and organisations, in the operational monitoring-statistics-alerting-and-control software.
Result: The measurements for the 24/7 monitoring, statistics and analysis functions that produce alerts show that they work well and meet the requirements of the project description. These functions run on the sensor devices, which can be installed at many positions in the network. The test results show that the software modules meet the functions required by the project. Real-time monitoring of the network security criteria gives the information security manager an overall view of the national network security situation.

Test 05 (Document 7.5)
Content: Trial of the integrated protective firewall system (IDS/IPS functions, setting protection policies, storing activity logs, updating the security information collection database). Trial of the content filtering function (detecting and blocking access to banned addresses, setting blocking policies).
Result: The integrated security firewall device provides all of the following functions: IP address blocking; blocking connections to service ports; intrusion / attack detection; network attack prevention; statistics and aggregation; connection tracking; content filtering; URL filtering; virus filtering. All functions work well and stably. The control interface is in Vietnamese, convenient and easy to use. The integrated device is well suited to small and medium enterprise networks.

Test 06 (Document 7.6)
Content: Trial of the virus and malware detection function (detecting and blocking access to data containing viruses or malware).
Result: The device detected 100% of the virus samples used in the trial. Internet access speed with virus detection enabled is more than 90% of the speed without it, on an ADSL Internet connection with a maximum speed of 2 Mbit/s. The device runs stably in virus detection and blocking mode. No false virus detections were found.

Test 07 (Documents 7.7.1 and 7.7.2)
Content: Trial of the endpoint security monitoring software. Trial of the solution for integrating some commercial security devices common in Vietnam with the monitoring system.
Result: Endpoint security monitoring software: the sensor devices work well and meet the requirements set by the project; the measurement table shows that the sensor meets the software's functional requirements for capturing packets and recording intrusion attacks, security incidents and anomalous behaviour, and its other functions and utilities (logging, management interface, sensor-to-centre connection) were checked. The sensors can be installed at many positions in the network, and the software modules meet the functions required by the project.
Integration solution: the commercial security devices and software all detected the simulated security incidents well, including virus infection, network attacks and violations of the configured network security policies. The incidents were fully updated from the detecting devices / software through the security information collection software and on to the central security monitoring system. The participation of commercial security devices / software shows the ability to collect security-related data from many different sources nationwide, helping to detect possible incidents quickly and accurately.

Evaluation results:
Based on the tests above, the trial results are summarised in the following table:

| Test case | Required function | Level |
| 01 | Trial of the sensor's incident-recording subsystem and of its recording of network attacks | Good |
| 02 | Trial of the network traffic monitoring function (measuring traffic usage, tracking the state of the network and its services, tracking bandwidth utilisation, tracking attacks in progress and warning of latent risks to the network) | Good |
| 03 | Trial of the sensor's vulnerability scanning function and of the system and service monitoring function (watching and sending an alert whenever a server, device or service stops) | Good |
| 04 | Trial of the integrated security monitoring database | Good |
| 05 | Evaluation of compatibility with the international standards for exchanging incident information and network attack information, so that information can be exchanged automatically with other systems at home and abroad | Fully compatible with the IODEF standard |
| 06 | Trial of the incident notification handling subsystem of the central security information collection software | Good |
| 07 | Trial of the subsystem for automatic reception of security information from the devices of the collection software | Good |
| 08 | Trial of the 24/7 monitoring, statistics and analysis functions that produce alerts and guidance for Vietnamese individuals and organisations, in the operational monitoring-statistics-alerting-and-control software | Good |
| 09 | Trial of the integrated protective firewall system (IDS/IPS functions, setting protection policies, storing activity logs, updating the security information collection database) | Good |
| 10 | Trial of the content filtering function (detecting and blocking access to banned addresses, setting blocking policies) | Good |
| 11 | Trial of the virus and malware detection function (detecting and blocking access to data containing viruses or malware) | Good |
| 12 | Trial of the endpoint security monitoring software | Good |
| 13 | Trial of the solution for integrating some commercial security devices common in Vietnam with the monitoring system | Good |

General evaluation
The trial results show that the sensor devices work well and meet the requirements set by the project. The measurement table shows that the sensor meets the software's functional requirements for capturing packets and recording intrusion attacks, security incidents and anomalous behaviour; its other functions and utilities, such as logging, the management interface and the sensor-to-centre connection, were also checked.
The measurements for the sensor's traffic monitoring, vulnerability scanning, and system and service monitoring functions show that they work well and meet the requirements of the project description.
Information collection and evaluation show that the current system is fully compatible and can interoperate with the international standards for exchanging network attack information.
The incident notification handling subsystem consists of 02 websites that provide all the required functions. All functions work well and stably. Input errors by users are detected and reported accurately by the software. The declaration, reception and processing workflow fits the operational procedures of the VNCERT Centre for handling incident notifications. The program interface is simple, well organised, intuitive and easy to use.
The subsystem for automatic reception of security information from the devices of the collection software receives all events sent by the sensors. The reception rate is acceptable, with no slowdown or processing congestion. CPU utilisation always stays below 25%. There were no errors in event reception. The system works well on the real Internet.
The measurements for the 24/7 monitoring, statistics and analysis functions that produce alerts show that they work well and meet the requirements of the project description. These functions run on the sensor devices, which can be installed at many positions in the network. The test results show that the software modules meet the functions required by the project. Real-time monitoring of the network security criteria gives the information security manager an overall view of the national network security situation.
The integrated security firewall device was checked and provides all its functions; all of them work well and stably.
The endpoint security monitoring software trial confirmed the sensor results above: packet capture, recording of intrusion attacks, security incidents and anomalous behaviour, and the logging, management interface and sensor-to-centre connection utilities.
The commercial security devices and software all detected the simulated security incidents well. The incidents were fully updated from the detecting devices / software through the security information collection software and on to the central security monitoring system. The participation of commercial security devices / software shows the ability to collect security-related data from many different sources nationwide, helping to detect possible incidents quickly and accurately.
VII.2.2. Analysis and evaluation of the performance of the whole system, compared with the theoretical results
In theory, as the number of sensors grows the system's capacity must be re-assessed so that capacity can be added accordingly.
The current performance meets the trial requirements with a moderate number of sensors (under 10). With this many sensors, server and service load stays below the 25% threshold.
If the real deployment is large (a few hundred to a few thousand sensors), the system should be deployed on a scalable platform using virtualisation or, further up, cloud computing, so that its capacity can be scaled out as needed.
While preparing the trials, some initial assumptions and programming technology choices had to change. First, SNMP proved worse than Syslog for carrying data from the agents up to the server, so the Syslog protocol was adopted as the main option. Second, practical processing of the data from the user-reported notification sources showed that storing them in a separate database table is more efficient than processing them together with the events collected from the sensors, because these user-reported events mostly only support the experts through the analysis interface and are unlikely to take part in the correlation processing of the machine-generated event streams. The project group therefore chose to process these sources separately.
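The Syslog transport chosen above, as an added example that is not the project's code: RFC 3164 framing on the agent side, parsing on the server side, and the check a practitioner wants before trusting UDP syslog, which carries no authentication. The receiver accepts datagrams only from registered sensor addresses, records the socket peer rather than the HOSTNAME field the sender wrote, and rejects oversize or malformed packets. The facility and severity tables, sensor names, addresses and the sample message are assumptions of this example.

```python
import re
import socket
import time

MAX_DATAGRAM = 1024  # RFC 3164: a syslog packet must not exceed 1024 bytes
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16, "local1": 17}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MESSAGE
LINE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([\w.-]+)(?:\[(\d+)\])?: ?(.*)$",
                  re.S)

def rfc3164_timestamp(when):
    t = time.gmtime(when)
    return "%s %2d %02d:%02d:%02d" % (MONTHS[t.tm_mon - 1], t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)

def encode_syslog(facility, severity, hostname, tag, message, when=None, pid=None):
    """Agent side: build one datagram, truncating the message so the packet fits the limit."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    ts = rfc3164_timestamp(time.time() if when is None else when)
    tag_part = f"{tag}[{pid}]" if pid is not None else tag
    head = f"<{pri}>{ts} {hostname} {tag_part}: ".encode()
    body = message.replace("\n", " ").encode("utf-8", "replace")
    return head + body[:MAX_DATAGRAM - len(head)]

def send_syslog(datagram, server, port=514):
    """Agent side transport: one UDP datagram per event; UDP gives no delivery guarantee."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (server, port))

def parse_syslog(datagram):
    """Server side: split PRI into facility and severity and pull the header fields apart."""
    m = LINE.match(datagram.decode("utf-8", "replace"))
    if not m or int(m.group(1)) > 191:      # 191 = local7.debug, the largest valid PRI
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "hostname": m.group(3), "tag": m.group(4), "pid": m.group(5), "message": m.group(6)}

class SyslogReceiver:
    """UDP syslog carries no authentication: accept datagrams only from registered sensor
    addresses and trust the socket peer, never the HOSTNAME field written by the sender."""
    def __init__(self, allowed_peers):
        self.allowed = set(allowed_peers)
        self.stats = {"accepted": 0, "unknown_peer": 0, "oversize": 0, "malformed": 0}

    def handle(self, datagram, peer_ip):
        if peer_ip not in self.allowed:
            self.stats["unknown_peer"] += 1
            return None
        if len(datagram) > MAX_DATAGRAM:
            self.stats["oversize"] += 1
            return None
        rec = parse_syslog(datagram)
        if rec is None:
            self.stats["malformed"] += 1
            return None
        rec["peer"] = peer_ip
        self.stats["accepted"] += 1
        return rec

def run_demo():
    """Offline round trip on constructed data: a registered sensor, a spoofed peer, a malformed
    packet and an oversize message. Returns (datagram, good, spoofed, junk, big, stats)."""
    when = 1284000000  # 2010-09-09 02:40:00 UTC, constructed
    msg = "[1:2003:8] ET SCAN Nmap -sS 10.0.0.5 -> 10.1.0.1"
    d = encode_syslog("local0", "warning", "sensor-01", "snort", msg, when, pid=4242)
    rx = SyslogReceiver(allowed_peers={"10.0.0.10"})
    good = rx.handle(d, "10.0.0.10")
    spoofed = rx.handle(d, "192.0.2.99")           # right content, unregistered sender
    junk = rx.handle(b"not syslog at all", "10.0.0.10")
    big = rx.handle(encode_syslog("local0", "info", "sensor-01", "snort", "A" * 5000, when),
                    "10.0.0.10")
    return d, good, spoofed, junk, big, rx.stats
```

A live receiver binds a UDP socket on port 514 (which needs privileges) and calls `handle(data, ip)` for every `recvfrom` result; the peer check is only a first filter, because UDP source addresses can be forged, so a production deployment should also carry syslog over TCP with TLS or restrict the collector port to the sensor VLAN.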
VII.2.3. Conclusion
The trial measurements show that the system works well and meets the requirements of the project description.
The trial results show that the software modules and the NSIDB database meet the functions required by the project.


VII.3. Review and requirements for revising and completing the products of the other project branches
VII.3.1. Report on the review and evaluation of the trials
The trial results in the previous report show that the sensor devices meet the basic requirements set by the project, such as capturing packets and recording intrusion attacks, security incidents and anomalous behaviour; the sensor's other functions and utilities, such as logging, the management interface and the sensor-to-centre connection, were operational.
The trial measurements for the sensor's traffic monitoring, vulnerability scanning, and system and service monitoring functions show that they work well and meet the requirements of the project description. These functions run on the sensor devices, which can be installed at many positions in the network. The software modules meet the functions required by the project.
Information collection and evaluation show that the current system is fully compatible and can interoperate with the international standards for exchanging network attack information.
The incident notification handling subsystem consists of 02 websites that together provide the following functions:
Security information declaration website
+ Opening a new notification
+ Checking the status of a notification
Incident notification processing website
+ Functions for system administrators
+ Functions for specialists
+ Functions for managers
+ All functions work well and stably. Input errors by users are detected and reported accurately by the software.
+ The declaration, reception and processing workflow fits the operational procedures of the VNCERT Centre for handling incident notifications.
+ The program interface is simple, well organised, intuitive and easy to use.
+ The subsystem meets all requirements stated in the approved project description and outline.
Subsystem for automatic reception of security information from the devices of the collection software:
The SIGS security information collection system is able to receive all events sent by the sensors.
The reception rate is acceptable, with no slowdown or processing congestion.
CPU utilisation always stays below 25%.
The system works well on the real Internet.
General analysis and evaluation:
Evaluation of the automatic security information reception subsystem in the trial and production environments shows that the system works well and stably and meets all requirements of the approved description and outline.
With an average-speed server, the trials handled runs with up to more than five million incidents in 3 days.
In principle the subsystem can receive security information automatically from 50 high-speed sensor sources, or from 500 endpoints at 100,000 events per day.
The trial measurements for the 24/7 monitoring, statistics and analysis functions that produce alerts show that they work well and meet the requirements of the project description. These functions run on the sensor devices, which can be installed at many positions in the network. The trial results show that the software modules meet the functions required by the project.
Real-time monitoring of the network security criteria gives the information security manager an overall view of the national network security situation.
The integrated security firewall device was checked and provides the following functions:
+ IP address blocking
+ Blocking connections to service ports
+ Intrusion / attack detection
+ Network attack prevention
+ Statistics and aggregation
+ Connection tracking
+ Content filtering check
+ URL filtering check
+ Virus filtering check
All functions work well and stably.
The control interface is in Vietnamese, convenient and easy to use.
The integrated device is well suited to small and medium enterprise networks.
The device detected 100% of the virus samples used in the trial.
Internet access speed with virus detection enabled is more than 90% of the speed without it, on an ADSL Internet connection with a maximum speed of 2 Mbit/s.
The device runs stably in virus detection and blocking mode.
No false virus detections were found.
Endpoint security monitoring software function:
The trial results show that the sensor devices work well and meet the requirements set by the project. The measurement table shows that the sensor meets the software's functional requirements for capturing packets and recording intrusion attacks, security incidents and anomalous behaviour; other sensor functions and utilities were checked, such as logging, the management interface and the sensor-to-centre connection.
The trial measurements show that the sensor devices work well and meet the requirements of the project description. The sensors can be installed at many positions in the network. The trial results show that the software modules meet the functions required by the project.
Solution for integrating some commercial security devices common in Vietnam with the monitoring system:
The commercial security devices and software all detected the simulated security incidents well, including:
+ Virus infection
+ Network attacks
+ Violations of the configured network security policies
The security incidents were fully updated from the detecting devices / software through the security information collection software and on to the central security monitoring system.
The participation of commercial security devices / software shows the ability to collect security-related data from many different sources nationwide, helping to detect possible incidents quickly and accurately.

CHAPTER VIII. RESULTS OF DEPLOYING THE SYSTEM ON THE PRODUCTION NETWORK
VIII.1. Current diagram of the production system
The Internet security monitoring system has been installed in production with the following model.

Configuration of the main server hosting the central processing system:
+ Brand: Hewlett-Packard ProLiant ML150 G6
+ Processor: Intel Xeon E5506 quad-core
+ Storage hard drives: 2 x 250 GB
+ Storage controller: Serial Attached SCSI RAID controller (RAID 0, 1, 10)
+ Memory: 8 GB DDR3-1333/PC3-10600
+ Network controller: Hewlett-Packard NC107i Gigabit Ethernet, IEEE 802.3ab
+ Number of Ethernet ports: 2
+ Maximum Ethernet link speed: 1000 Mb/s
+ Expansion slots: 5 in total, of which 1 x 32-bit/33 MHz 3.3 V PCI
+ Graphics: 32 MB shared DDR3 SDRAM
The sensor devices and other servers are exactly the devices described in the trial reports.
During the more than one year of trials, the system was interrupted for more than 3 months because there was no installation site: the lab at 18 Nguyen Du was demolished for reconstruction, and VDC also reorganised and reinstalled its equipment. After the unit rented a new site, the system was restored and has run fairly stably.

VIII.2. Evaluation of the deployment of the national network security monitoring system
The deployment of the national network security monitoring system has from the start given considerable support to the tasks of monitoring, alerting, responding to and handling security incidents nationwide. After the trials on the simulated network gave very good results, in June 2010 the system was put into trial operation on the Internet, with the central processing system at the VDC company and the sensors and security devices supplying information from many different points on the Internet. The trial shows the system running stably, with an architecture that suits the real environment in Vietnam. Some encouraging results the system has achieved:
+ The maximum number of real security events received by the central processing system in one day exceeded 200,000, and the system kept running normally.
+ At many points the total number of events stored by the central security information processing system exceeded 2 million, and the system functions still ran normally.
+ The maximum number of information sources connected to the system during the trial exceeded 50 (including dedicated sensors and security devices such as Check Point and Cisco firewalls, MiDFS, Proventia IDS, MiDFS and ClamAV), and more than 10 sources were connected at any time.
+ The system also connected well to a number of external security information sources, both domestic and international, which helps the monitoring experts.
+ The high-speed sensor was tested monitoring networks running at 100 Mb/s without degrading network performance, and the device ran stably.
+ The system can connect to and run stably with many kinds of commercial and open-source network and security devices / software: Check Point and Cisco firewalls, MiDFS; Proventia, MiDFS and McAfee IDS; Symantec, TrendMicro and ClamAV antivirus; the Ntop network traffic management software, and others.
During the trial, the VNCERT Centre step by step applied the monitoring system to improve the effectiveness of its monitoring and information security work under its assigned functions and duties:
+ Deploying the system together with improving the Centre's procedures and regulations for security monitoring has raised quality considerably. It is an effective tool that gives the experts an overall, visual picture of the monitored network instead of having to log into each device in turn to check it. The correlation rules also link events logically so that risks can be detected early.
+ The system actively helped to detect the wide-area spread of the Conficker virus without the need for expensive IPS devices, one of its outstanding advantages.
+ With the support of the monitoring system, incident notifications are managed and handled more effectively, and a database of incidents and their handling is gradually being built as a basis for planning and for technical improvements that make handling more appropriate.
+ Sensor deployment works well; the devices run stably and, especially when used with TAP devices, do not affect the monitored network at all, which makes the approach highly convincing.
+ The deployed system shows that it can not only detect attacks and incidents early across a wide area but also manage the security of local computer systems effectively.
+ The project group has also trained a team of the agency's experts with a deep understanding and the ability to analyse malware and attack signatures on the network, laying the ground for expanding and operating the system effectively.

VIII.3. Conclusions
The project has essentially completed its main deliverables and has put them into initial trial operation.
We recommend transferring the entire System to VNCERT for operational use, research and staff training.
The project is fully capable of further developing the tools into ones completely mastered by Vietnam and of completing the services provided to Vietnamese agencies and organisations.
Thank you.


MINISTRY OF SCIENCE AND TECHNOLOGY

MINISTRY OF INFORMATION AND COMMUNICATIONS

NATIONAL SCIENCE AND TECHNOLOGY PROGRAMME KC 01.09/06-10

SUMMARY REPORT
ON THE SCIENTIFIC AND TECHNOLOGICAL RESULTS OF THE PROJECT

Research on building a network security monitoring system based on a centralised management model to protect Vietnam's Internet
Code: KC.01-09/06-10

Lead agency: Vietnam Computer Emergency Response Centre

Project leader: Dr. Vũ Quốc Khánh

Hanoi - 2010

Contents
Contents ... 3
Terms and abbreviations ... 5
I. Objectives and general requirements of the project ... 7
II. Research results of the project ... 8
II.1. Branch 1: Research and design of the overall system architecture; selection of information standards and devices suitable for Vietnam's conditions ... 8
II.1.1. Product requirements ... 8
II.1.2. Work carried out ... 8
II.1.3. Assessment of results and proposals ... 14
II.2. Branch 2: Development of the network security monitoring information database, the NSIDB system ... 14
II.2.1. Product requirements ... 14
II.2.2. Work carried out ... 15
II.2.3. Assessment of results and proposals ... 18
II.3. Branch 3: Development of the central software for collecting Internet network security information (SIGS) ... 18
II.3.1. Product requirements ... 18
II.3.2. Work carried out ... 19
II.3.3. Assessment of results and proposals ... 23
II.4. Branch 4: Development of the information processing software for monitoring, statistics, alerting and control (SIPS) ... 23
II.4.1. Product requirements ... 23
II.4.2. Work carried out ... 24
II.4.3. Assessment of results and proposals ... 30
II.5. Branch 5: Development of some dedicated network security products whose technology is mastered by Vietnam ... 31
II.5.1. Product requirements ... 31
II.5.2. Work carried out ... 32
II.5.3. Assessment of results and proposals ... 35
II.6. Branch 6: Development of solutions and tools to integrate some commercial network security devices common in Vietnam into the system ... 37
II.6.1. Product requirements ... 37
II.6.2. Work carried out ... 38
II.6.3. Assessment of results and proposals ... 40
II.7. Branch 7: Trial deployment of the network security monitoring system model in a reduced-scale national-level network environment simulating the overall system ... 42
II.7.1. Product requirements ... 42
II.7.2. Work carried out ... 43
II.7.3. Assessment of results and proposals ... 47
References ... 49
Statistical report on project results ... 51

Terms and abbreviations
Account: User account
Access Point: Wireless network access point
Antivirus: Antivirus
ATM: Network security
ATTT: Information security
BCG: (Business Control Gate) Proper name of the module that supports processing of network security reports
CERT: Computer emergency response centre
CERT/CC: Computer emergency response/coordination centre
CNTT: Information technology
CSDL: Database
FE: Fast Ethernet
FW: (Firewall) Firewall
GAG: GAG module, which supplies information from antivirus systems
GE: Gigabit Ethernet
GIDS: Proper name of the GIDS module, which supplies information from IDS devices
GFW: Proper name of the GFW module, which supplies information from firewall devices
HTTT: Information system
IDS: Intrusion detection system
IPS: Intrusion prevention system
IDMEF: (Intrusion Detection Message Exchange Format) Standard for exchanging intrusion detection messages
IODEF: (Incident Object Description and Exchange Format) Standard for describing and exchanging incident information
ISP: (Internet Service Provider) Internet service provider
IXP: (Internet eXchange Provider) Internet connectivity provider
Malware: Malicious software
MIME: (Multipurpose Internet Mail Extensions) Standard for multipurpose Internet mail extensions
NSAIR: Proper name of the subsystem for automatic reception of network security information
NSIDB: (Network Security Information DataBase) Proper name of the network security monitoring information database
Plugin: Utility
Router: Routing device
SDH: (Synchronous Digital Hierarchy) Synchronous digital transmission hierarchy
SAMS: Proper name of the subsystem for receiving and supporting the processing of incident reports
Sensor: Sensing device (detects network attacks)
SIG Gate: Proper name of the network security information reception gate
SIGS: (Security Information Getting System) Proper name of the central network security information collection system
SIPS: (Security Information Processing System) Proper name of the information processing, monitoring, statistics, alerting and control system
SNMP: (Simple Network Management Protocol) Protocol for exchanging network management information
Syslog: Syslog standard for storing and exchanging log files
Switch: Switching device
TTATM: Network security information
UML: (Unified Modeling Language) Unified modelling language
URL: (Uniform Resource Locator) Name for locating a (network) resource
VNCERT: Vietnam Computer Emergency Response Centre
XML: (Extensible Markup Language) Extensible markup language

I. Objectives and general requirements of the project
The project was carried out to research and solve the basic problems of building an integrated system for monitoring national network security information under a centralised management model, in order to achieve the following 4 strategic objectives:
- Proactively detect, prevent, respond to and protect the national information infrastructure against attacks;
- Reduce risks and weak points on the network;
- Reduce damage and the time needed to recover from incidents;
- Create the capacity to strengthen information exchange and international cooperation, first of all among CERT organisations.
The full research programme consists of the following 7 branches:
Branch 1: Research and design of the overall system architecture. The deliverable is the design report for the overall architecture of the network security monitoring system, comprising: the overall design diagram, the functions of the components, the information sources, the data-flow diagram between components, and the analysis and selection of the main technologies, information standards and devices.
Branch 2: Development of the integrated network security monitoring database. The deliverable is the centralised integrated network security monitoring database (NSIDB for short).
Branch 3: Development of the central network security information collection software. The deliverable is the central network security information collection software (SIGS for short), with two subsystems: one supporting the processing of incident reports sent through communication channels, and one automatically receiving network security information from dedicated sensor devices and from the log files of certain systems. The results are information security events stored in the centralised NSIDB database.
Branch 4: Development of the operational software for information processing, monitoring, statistics, alerting and control.
Branch 5: Development of dedicated end-point products (sensors) whose technology is mastered by Vietnam. The deliverables are 3 dedicated sensor devices and network security monitoring software for end-point machines.
Branch 6: Development of solutions and tools to integrate information from some commercial network security devices common in Vietnam. The deliverables are solutions and software tools for integrating some commercial network security devices common in Vietnam.
Branch 7: Trial deployment of the network security monitoring system model in a reduced-scale national-level network environment. The deliverable is a report on the trial results in a reduced-scale national-level network environment with the central management system, national-level network nodes and user network nodes.

II. Research results of the project
II.1. Branch 1: Research and design of the overall system architecture; selection of information standards and devices suitable for Vietnam's conditions
II.1.1. Product requirements:
The deliverables are technical reports that analyse the current situation and propose the overall requirements and the design of a system for collecting, analysing and aggregating information describing network incidents, information on the state of traffic flows, and the characteristics of packets passing through network nodes as processed and recorded by sensor devices and by certain network protection devices. The general model, the basic standards and the devices are to be selected so as to produce a design suited to Vietnam's conditions, technologically advanced and feasible, economical in cost, highly secure, and at the same time able to exchange information easily with the computer emergency response teams (CERTs) of other countries.
II.1.2. Work carried out:
The project carried out 5 groups of work, as follows:
Work item 1. Research and proposal of the objectives, requirements and general structure of the Internet network security monitoring system.
The study of how Vietnam's Internet infrastructure is organised, together with the survey and analysis of the information security risks facing the national Internet, identified many concrete problems: cyberspace keeps expanding, with both international and domestic Internet bandwidth reaching tens of Gbps, while information security has not received adequate attention or investment, which has allowed hacking, cybercrime and the abuse of Vietnam's cyberspace by foreign hackers to grow sharply. This confirms that a national network security monitoring system is an urgent requirement. In addition, the survey of Vietnam's Internet infrastructure clearly described the model of international connectivity, the domestic Internet exchange network, and the diagrams of Internet service delivery from central to local level in Vietnam. This makes the requirements for a feasible system design clearly visible.
The project analysed the experience of deploying Internet network security monitoring systems at 5 national CERT organisations in 5 countries and at 3 large security vendors, and on that basis established feasible objectives for Vietnam's Internet network security monitoring system, with three main groups of functions and six basic sources of reports. The project also proposed feasible monitoring information content and four groups of network-node locations to be monitored. It posed the problem of optimising the sensor network, which can be solved in practice once the system developed by the project is put into operation. The analysis clarified, as a first step, the technical requirements for the six components of the system.
Analysing the context of coordinated information security and safety work among many Vietnamese authorities, the project team produced an overall context diagram for the operation of the national Internet network security monitoring system in Vietnam. Combined with the requirements analysed in the sections above, this gives the general functional structure of the system and confirms that integrating the system from technologies available from many vendors and from systems improved from open source is entirely feasible for Vietnam.
Combining the analysed information, the project team proposed the general structure of the system and described the general input/output information requirements of the system and its main components.
Work item 2: Research on applying international standards
The project studied and analysed the application of the international standards for information security management systems and for codes of practice for information security (ISO 17799:2005 and ISO 27001:2005) to the system. The project team directly authored the TCVN/ISO-IEC 27001:2009 version of the standard recently issued in Vietnam.
The project studied the international standard for the network security incident information exchange format, IODEF (RFC 5070), and the IETF's international standard for the network attack detection message exchange format, IDMEF (RFC 4765). It proposed the network security incident information exchange framework and the attack detection message exchange framework to be applied on the basis of these standards. It showed the possibility, need and necessity of applying data models that may be simplified but remain compatible with these standards, to meet the needs of system integration and of exchanging information with international systems.
Work item 3: Research and selection of network security information sources.
The project analysed the possibility of exploiting network security information from sources with non-standard structures, such as reports via websites, telephone, fax, SMS, e-mail, official letters, etc. It proposed building support software (Agent) to collect information from these reporting channels, applying an IODEF-compatible storage structure to accommodate these sources.
The project studied and analysed the possibility of collecting network security information from commercial firewall devices/software from Cisco, Juniper and Kerio, and from the open-source firewalls iptables, AVS firewall, firewall Script, SmoothWall and IPCop. The two most common kinds of firewall in Vietnam were chosen for the project: the commercial Check Point firewall and iptables (open-source firewall).
The project studied and analysed the commercial IDS device/software lines of 7 manufacturers and 2 open-source IDS products, and chose the 2 products common in Vietnam, Proventia (IBM) and Snort (open source), for trial in the system to be built.
The project studied the following antivirus systems: Antivirus Corporate Edition 10.0 (Symantec), VirusScan Enterprise (McAfee), eTrust Antivirus (CA - Computer Associates), Norton AntiVirus 2.5 for Gateway, and the open-source virus detection software ClamAV. It proposed using the following products: Symantec Antivirus Corporate Edition with its centralised administration function, the McAfee virus detection software and the open-source ClamAV, as suited to the application situation in Vietnam and to the system to be built.
Work item 4: Design of the overall architecture
The project studied, analysed and determined the overall requirements of the system and its subsystems.
The platform technologies applied in the system were determined, mainly open-source software technologies:
+ Base technologies: the Linux operating system, the MySQL database management system, the Apache web server.
+ Basic programming technologies for the base technology environment: Java, Python, C, PHP, SQL, XML.
+ The IODEF, IDMEF, Syslog and ISO/IEC 2700x standards.
+ Open-source network security software products that can serve as a basis for improvement and for integrated use: RTIR, SURFnet IDS, NTop, Honeypot, Nepenthes, Snort IDS, Spampot, Nessus, OSSIM, Sguil, Dshield, p0f, PADS, NMAP.
At the same time, the project specified the types and minimum quantities of devices needed to set up the trial network hardware for Vietnam's Internet network security monitoring system.
The role of in-house developed sensors is very important for the network monitoring system of any country. The project therefore emphasised the importance of building and integrating domestic sensors. Based on the knowledge gained from surveying foreign systems and studying open source, the project set a requirement to simplify the mechanism for managing and controlling the in-house developed sensor devices.
An overall security solution for the system is an important requirement. The project put forward an overall protection model comprising the solutions
Finally, the project produced consolidated requirements for the system components and the overall data-processing diagrams for the system.
Work item 5. Completion of the overall design
The project team revised the entire overall design on the basis of analysing and evaluating the trial results of the "Vietnam Network Security Monitoring System"; from the initial trial results, some technology and design requirements were adjusted to fit, such as removing a few connection protocols from sensor/agent to the information receiver, or setting up a separate module to process reports arriving through communication channels, since in practice these have little direct relationship with the device data flows that require automatic processing.
The results of the analysis and evaluation of the full system integration trial are presented in summary report 7.8. Although some requirements were changed to simplify them, the system still provides all the features of the project's original design.
II.1.3. Assessment of results and proposals:
The branch has fully met the requirements set. The design directions are correct and feasible.

II.2. Branch 2: Development of the network security monitoring information database, the NSIDB system
II.2.1. Product requirements:
Design and build a central database to store and support the processing of information collected from the various sources, in particular from network security devices, for the purpose of monitoring and recording network security events, and on that basis allow analysis and assessment of network traffic conditions, of systems and services, of attack risks and of network security incidents.
The Vietnam network security monitoring database comprises the following component databases: the incident database, the network attack database, the status database of critical systems, etc.
The data objects in the Vietnam network security monitoring database must be designed to be compatible with the international standards for exchanging incident information and network attack information (for example the IODEF and IDMEF standards), so that information can be exchanged automatically with other domestic and foreign systems.
The database is designed with a capacity to receive and process about 100,000 messages per day, estimated at about 20 MB of data. By a preliminary calculation, this capacity is enough to organise a system with 50 information sources (report collection channels, sensors, network protection devices) at national-level network nodes and 500 information sources at user networks.
II.2.2. Work carried out:
On the basis of the general principles and proposals produced in the results of branch 1, we built an integrated database system on an open-source foundation.
The characteristics of the system we built are:
- It integrates many open-source tools.
- It also integrates some commercial software.
- The system must be open for later expansion; the future need to develop it both in depth and in breadth is very great.
- At the same time it must be standards-based to ensure good compatibility.
Therefore, the guiding data design method was to select and refer to the databases of well-known open-source systems that comply with international standards or are themselves recognised as de facto international standards.
This method has the advantage of shortening the time needed to build and design the system and reach results, but it also brings many difficulties: most well-known open-source subsystems are developed in a very complex way by many developers for many different purposes, and their documentation is often unclear. Understanding them requires a great deal of time spent analysing source code.
The project team therefore concentrated on studying in depth a few databases from systems whose preliminary trials had given promising results. After thoroughly understanding the nature and details of the internal structures of the model system, we designed or adapted a database version better suited to our purposes while retaining the standards-compliant elements, so that the system remains fully compatible with products that follow international standards.
Using this method, the branch carried out:
Work item 1. Research and analysis of input data sources; selection of the database technology for the integrated NSIDB.
The network security information sources feeding the integrated NSIDB database were analysed in detail. Applying the method of converting data to the Syslog standard, a method for building standard data collection software (Agent) was proposed. On that basis, a unified input data format for the integrated NSIDB database was defined: 4 data structures describing, in standardised form, 4 kinds of information security event (normal, MAC, OS and service events) plus 1 structure for entering reports. This database is simple but fully compatible with the IODEF standard.
To build the trial system, the project proposed an improved technology based on the OSSIM system, which suits the intended application and can integrate with many open-source products and many foreign data sources.
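To illustrate the unified input format just described, here is an added Python example (written for this page, not NSIDB or SIGS code) that maps syslog lines from two of the sources the report selected, Snort and iptables, plus an arpwatch line, to one event record using the report's four event kinds. All field names, regular expressions and sample lines are assumptions.

```python
"""Syslog-to-unified-event normaliser (added example, not NSIDB/SIGS code).
The four event kinds (normal, mac, os, service) are the report's; every field
name, regular expression and sample line below is an assumption."""
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Snort syslog alert line, e.g.
#   snort[1234]: [1:2000345:3] MSG [Classification: C] [Priority: 2] {TCP} A:p -> B:q
SNORT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)
# iptables LOG target line: "kernel: [ts] PREFIX IN=eth0 OUT= MAC=... SRC=... DST=... PROTO=TCP SPT=... DPT=..."
IPT_RE = re.compile(r"kernel: (?:\[[\d. ]+\] )?(?P<prefix>.*?)IN=")
KV_RE = re.compile(r"(\w+)=(\S*)")
# arpwatch "new station" line: "arpwatch: new station 10.0.0.7 0:c:29:3a:1b:2c eth0"
ARP_RE = re.compile(r"arpwatch: new station (?P<ip>[\d.]+) (?P<mac>[0-9a-f:]+) (?P<iface>\S+)")


@dataclass
class Event:
    """Unified record stored in the integrated database (field set assumed)."""
    kind: str                        # normal | mac | os | service
    source: str                      # producing sensor or device type
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    mac: Optional[str] = None
    priority: int = 3                # 1 = most severe (Snort's scale); assumed default 3
    message: str = ""


def normalise(line: str) -> Optional[Event]:
    """Map one raw syslog line to the unified record, or None if unrecognised."""
    m = SNORT_RE.search(line)
    if m:   # IDS alert: a "normal" security event carrying Snort's own priority
        return Event("normal", "snort", m["src"], m["dst"], m["proto"].lower(),
                     int(m["dport"]) if m["dport"] else None, None,
                     int(m["prio"]), f"{m['gid']}:{m['sid']} {m['msg']}")
    m = IPT_RE.search(line)
    if m:   # firewall log: key=value pairs after the log prefix
        kv = dict(KV_RE.findall(line[m.start():]))
        return Event("normal", "iptables", kv.get("SRC"), kv.get("DST"),
                     kv.get("PROTO", "").lower() or None,
                     int(kv["DPT"]) if kv.get("DPT") else None,
                     kv.get("MAC") or None, 3, m["prefix"].strip() or "packet logged")
    m = ARP_RE.search(line)
    if m:   # new IP-to-MAC binding seen on the wire: the report's "MAC" event kind
        return Event("mac", "arpwatch", src_ip=m["ip"], mac=m["mac"], priority=4,
                     message=f"new station on {m['iface']}")
    return None   # "os" and "service" kinds (p0f, PADS output) would be added the same way


def normalise_batch(lines):
    """Return (events, unparsed_count). Unparsed lines stay out of the database
    but are counted, so a silent change in a source's log format is noticed."""
    events, unparsed = [], 0
    for line in lines:
        ev = normalise(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return events, unparsed


def summarise(events):
    """Event counts per (kind, source): the breakdown an analyser module reports."""
    counts = {}
    for ev in events:
        key = (ev.kind, ev.source)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample input (not captured from the trial network).
SAMPLE_LINES = [
    "Jan 12 10:15:01 sensor1 snort[2231]: [1:2000345:3] ET SCAN Nmap TCP probe "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:4444 -> 10.0.0.9:22",
    "Jan 12 10:15:03 fw1 kernel: [ 1234.567890] FW-DROP: IN=eth0 OUT= "
    "MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.0.0.5 DST=10.0.0.9 LEN=60 "
    "PROTO=TCP SPT=4444 DPT=445 WINDOW=5840 SYN",
    "Jan 12 10:15:04 sensor1 arpwatch: new station 10.0.0.7 0:c:29:3a:1b:2c eth0",
    "Jan 12 10:15:05 sensor1 sshd[99]: Accepted publickey for ops from 10.0.0.2",
]

if __name__ == "__main__":
    evs, bad = normalise_batch(SAMPLE_LINES)
    for ev in evs:
        print(asdict(ev))
    print("unparsed:", bad, "summary:", summarise(evs))
```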
Work item 2. Research and design of the integrated NSIDB database system
The project proposed a diagram of the information-processing system covering the interaction between the central database and the other components. It researched and designed the method of information exchange between the database and the other system components, and proposed requirements for backing up and restoring the database when needed. A security solution for the integrated network security monitoring database, comprising 9 measures, was also proposed for use in deployment. The project produced an overall design of the data-interaction diagram between the database and the other components of the system (see figure).
Work item 3. Research and detailed design of the subsystems of the integrated NSIDB database
The project produced detailed designs of the data structures for 4 subsystems: the subsystem storing network security incident information, the subsystem storing network attack information, the subsystem storing status information on critical systems, and the subsystem storing user administration information.
Work item 4. Construction and deployment of the subsystems of the integrated NSIDB database
The project built, deployed, installed and tested the database subsystem storing network security incident information and the database subsystem storing network attack information.
The project built, deployed, installed and tested the database subsystem storing status information on critical systems and the database subsystem storing user administration information. Comparison of the theoretical results with the operating speed measured in the trial showed that the requirements were fully met.
Work item 5. Testing, trial, adjustment and completion of the integrated NSIDB database
The project developed trial scenarios for the NSIDB database on the chosen database management system. It tested, analysed and evaluated the NSIDB database and compared it against simulated and real data.
The database was adjusted to meet the refinement requirements that arose during and after the trial of the overall system in a real network environment. Results were analysed and evaluated, compared with the theoretical results, and the integrated NSIDB database was supplemented and completed.
II.2.3. Assessment of results and proposals:
The branch has essentially met the requirements set. The overall and detailed designs proved, through trials, to be feasible and compatible in operation.

II.3. Branch 3: Development of the central software for collecting Internet network security information (SIGS)
II.3.1. Product requirements
The deliverables of this branch are a research report on building the network security information collection protocol, and the analysis, design, programming and trial of the SIGS network security information reception system, covering the following main items:
- A research report on building the protocol for collecting network security information from in-house developed sensor devices.
- Analysis, design, programming and trial of the subsystem for automatic reception of network security information, taking into account the ability to collect network security information from foreign monitoring systems.
  o Able to receive information from 50 information sources at high-speed network security nodes or 500 information sources at low-speed network nodes, at a rate of over 100,000 events per day.
- Analysis, design, programming and trial of the subsystem supporting the processing of incident reports, and development of the incident report handling procedure.
  o Able to receive information from 50 information sources at high-speed network security nodes or 500 information sources at low-speed network nodes, at a rate of over 100,000 events per day.
- A report on the SIGS system integration trial and on the corrections and completion.
II.3.2. Work carried out:
The project carried out five groups of work, as follows:
Work item 1: Research and construction of the protocol for collecting network security information from in-house developed sensor devices
To build a network security information collection protocol that fully meets the requirements for exchanging the information collected from the network security device sources identified in the research outline, and that also ensures connectivity, or can be extended to connect, to other network security information sources, the team analysed and identified the information to be exchanged and the requirements of the exchange process, and on that basis defined standardised exchange formats for both ends and a suitable information exchange diagram. From this the network security information exchange protocol between the network security information collection software and the SIGS system was built.
Work item 2: Analysis and technical design of the subsystem for automatic reception of network security information, taking into account the ability to collect network security information from foreign monitoring systems
The team analysed the requirements placed on the automatic network security information reception system, such as:
- Input information
- Information sources
- Information exchange methods
- Input and output data of the subsystem
- Control commands and functional requirements
- Analysis of extension and upgrade requirements
- Design of the database storing the received information
On the basis of the analysis results, the team produced a design for the automatic network security information collection subsystem consisting of the following five main components:
- Information reception module NSAIR-R: the module that manages authentication of the information sources and the exchange of information.
- Network security information analysis module NSAIR-A: the module that analyses the collected information to identify the network security information supplied by the different sources.
- Database interaction module NSAIR-DI: the module providing the functions for interacting with the common database of the NSIAR system, including two main functions: retrieving data and updating/storing data in the database.
- Operation control module NSAIR-C: the module that receives control commands from the other subsystems, checks them and generates the internal control commands needed by the other modules within NSAIR-C.
The design also considered the possibility of extension and upgrading to connect to network security monitoring systems abroad.
Work item 3: Analysis and design of the subsystem supporting the processing of incident reports; development of the incident report handling procedure
In work item 3, the team completed two main groups of tasks:
1. Research on the incident response and system protection model of RTIR, and on that basis development of the procedure for receiving and handling network security incident reports together with the internal handling procedures.
2. As for work item 2, the team researched and analysed the following practical grounds and requirements as the basis for designing the incident report handling support subsystem, including:
- Analysis of the sources and methods of receiving network security incident reports
- Analysis and design of the network security incident report template
- Development of the requirements for the network security incident report handling support subsystem.
On the basis of this analysis, the team produced a design for the incident report handling support subsystem that fully meets the requirements for collecting and processing network security incident reports.
Work item 4: Design and construction of the user interface system
The team researched the functional requirements and produced the designs for the user interface system. The interface is designed to meet all functional requirements and to be simple, well organised and easy to use.
Work item 5: Programming, integration and trial of the software modules
Work item 5 comprises a group of tasks for programming, testing, integrating, correcting and completing the SIGS system. The team programmed and tested all the components of the NSIAR subsystem of SIGS, including:
- Programming and testing the security modules and the module for automatic reception of network security information from in-house developed devices/sensors/software.
- Programming and testing the modules receiving network security information from commercial IDS and firewall systems, supplied by the GIDS/GFW data integration modules.
- Programming and testing the module receiving network security information from commercial antivirus gateway systems, supplied by the GAG data integration modules.
- Programming and testing the module that validates the collected network security information and the modules that store the received information in the integrated database.
- Integrating the developed modules into the automatic network security information reception subsystem.
- Testing, trialling and comparing the theoretical results of the information reception subsystem.
The team programmed and tested all the components of the SAMS incident handling support subsystem of SIGS, including:
- Programming and testing the module supporting information processing according to the incident handling procedure, and the modules and libraries supporting interaction with the integrated database.
- Programming and testing the access management module of the incident report handling support subsystem, and the module for building reports, statistics and summaries.
The modules were integrated, the NSIAR software completed and the SIPS system corrected to meet the refinement requirements that arose during and after the trial of the overall system in a real network environment. The operation of the incident report handling support software was verified.
The SIGS subsystem has now been integrated successfully, operates stably and receives complete information from the network security devices and incident reports. The incident handling support interface is designed sensibly, is well organised and easy to use.
The trial results show that the system can receive information from many different sources and operates stably at a reception rate of up to 1 million records per day.
II.3.3. Assessment of results and proposals
The project team completed all the work in the approved outline; the project deliverables comprise the technical reports and the SIGS software system, which has been programmed and tested and, for the present, meets the practical requirements at the Vietnam Computer Emergency Response Centre.
The designs of the NSIAR and SAMS subsystems of SIGS ensure that all functional requirements and data storage requirements are met and that connectivity can be extended in future to other information sources such as foreign network security monitoring systems.

II.4. Branch 4: Development of the information processing software for monitoring, statistics, alerting and control (SIPS)
II.4.1. Product requirements:
The operational software for information processing, monitoring, statistics, alerting and control (SIPS) is the module that interacts with the experts and is the main management hub. The principal requirement for Branch 4 of the project is to develop the SIPS software with the following functions:
- Build an interface that supports the experts in performing 24/24 monitoring, statistics and analysis in order to issue alerts and guidance to individuals and organisations in Vietnam.
- Build a central hub for managing and synchronising the dedicated sensors, able to update and control the configuration of the dedicated sensors.
The planned system is very new for the current state of information security development in Vietnam. The technical requirements are also fairly demanding: fast aggregation by many criteria to help assess the state of the network, presented through tables and charts that support expert analysis, and a control channel over the network to manage and configure each dedicated sensor.
II.4.2. Work carried out:
The project carried out 2 groups of work, as follows:
Work item 1. Research, analysis and design of the information processing, monitoring, statistics, alerting and control software (SIPS).
For a network security monitoring system, the monitoring, statistics and alerting functions are basic functions and the prerequisite for the other components to work. The system's data is information usually collected from many sources, in large volume and in many forms, so it must be normalised. Normalisation brings the information into a uniform structured form stored centrally for later use.
After normalisation the data is stored in a database, and statistical ranking calculations are then performed. The newest and most important information is displayed on the monitoring screens. Selecting information in this way gives the system's users access to the latest information, continuously updated in real time, so that alerting and handling decisions can be made promptly when there is a risk of an incident. This is precisely what a real-time monitoring system requires.
This work item analysed and designed in depth the functions for processing and normalising information, monitoring, and selecting information so that the final result is a set of screens displaying information and tracking the necessary criteria, from which alerts about possible threats can be issued based on the information on screen.
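An added example of the normalise, store, rank and display cycle described above (written for this page, not the project's SIPS code): a sliding-window aggregator in Python that keeps only recent normalised events, ranks sources and ports for a monitoring screen, and flags sources whose event count crosses a threshold. The window length, the threshold and the event fields are assumptions.

```python
"""Sliding-window ranking for a monitoring screen (added example, not the
project's SIPS code). Event fields, window length and burst threshold are
assumptions for this example."""
from collections import Counter, deque
from datetime import datetime, timedelta


class MonitorWindow:
    """Keeps only the events of the last `window_seconds` and answers the
    ranking queries a monitoring screen refreshes continuously.
    Events are assumed to arrive in time order."""

    def __init__(self, window_seconds=300, burst_threshold=50):
        self.window = timedelta(seconds=window_seconds)
        self.burst_threshold = burst_threshold  # assumed: events per window per source
        self.events = deque()                   # (timestamp, event) in arrival order

    def add(self, ts, event):
        """Insert one normalised event (a dict) and drop everything now too old."""
        self.events.append((ts, event))
        cutoff = ts - self.window
        while self.events and self.events[0][0] < cutoff:
            self.events.popleft()

    def top(self, field, n=5):
        """Most frequent values of `field` (e.g. 'src_ip', 'dport') in the window."""
        counts = Counter(ev[field] for _, ev in self.events if ev.get(field) is not None)
        return counts.most_common(n)

    def severity_counts(self):
        """How many events of each priority are currently on screen."""
        return dict(Counter(ev.get("priority", 3) for _, ev in self.events))

    def bursting_sources(self):
        """Sources whose count in the window reaches the threshold: candidates
        for an alert to be confirmed by the expert, not an alert by themselves."""
        return [(ip, c) for ip, c in self.top("src_ip", n=None) if c >= self.burst_threshold]


START = datetime(2010, 1, 12, 10, 0, 0)


def build_sample_stream(start=START):
    """Constructed sample input: one host hammering port 445, a little
    background noise, and one stale event older than the 5-minute window."""
    stream = [(start - timedelta(minutes=10),
               {"src_ip": "10.9.9.9", "dport": 22, "priority": 3})]
    for i in range(60):
        stream.append((start + timedelta(seconds=2 * i),
                       {"src_ip": "10.0.0.5", "dport": 445, "priority": 2}))
    for i in range(5):
        stream.append((start + timedelta(seconds=30 * i),
                       {"src_ip": f"10.0.1.{i}", "dport": 80, "priority": 3}))
    stream.sort(key=lambda item: item[0])   # events arrive in time order
    return stream


def run_screen(stream, window_seconds=300, burst_threshold=50):
    """Feed the stream through the window and return what the screen would show."""
    mw = MonitorWindow(window_seconds, burst_threshold)
    for ts, ev in stream:
        mw.add(ts, ev)
    return {
        "in_window": len(mw.events),
        "top_sources": mw.top("src_ip", 3),
        "top_ports": mw.top("dport", 3),
        "severity": mw.severity_counts(),
        "bursting": mw.bursting_sources(),
    }


if __name__ == "__main__":
    for key, value in run_screen(build_sample_stream()).items():
        print(f"{key}: {value}")
```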
Specifically, the following tasks were carried out under this item:
- Studying the models and operating methods of the leading global network security monitoring systems; these are all highly practical efforts, deployed and applied widely at various scales, such as the Internet Storm Center (ISC) project, Honeypot, Honeynet, and Symantec's Symantec Security Response (SSR) center. Based on these systems, the main statistics and alerting functions commonly found in network security management systems were built and applied to the network security management model for Vietnam.
- Identifying in detail the information criteria that must be monitored and tallied regarding the security situation of the Internet in Vietnam. Based on the risks and threats that have directly affected and are affecting the national Internet, the information to be monitored was classified preliminarily. From this classification of the collected information, and with reference to the major systems in the world, the research team defined 10 key criteria for the information to be tallied and monitored about Vietnam's network security situation.
- Researching and analyzing alert levels, alert forms, and the requirements for alert information templates about Vietnam's network security situation. Building a system of alert levels, alert forms and alert content is essential for a national network security monitoring system. The research team studied the alert levels used by other systems in the world, such as Symantec ThreatCon and SANS Infocon. After reviewing these systems and adapting them to Vietnamese practice, the team defined 5 alert levels corresponding to severity from low to high, represented by colors: green, blue, yellow, orange, ... The team also defined 5 alert forms; depending on the phase and the system's requirements, each form may be used separately. The team also produced an alert template so that Internet users receive a minimum, uniform set of information in a common format.
- Researching, analyzing and designing the communication protocol between SIPS and the dedicated sensors. This part studies how the system's components communicate efficiently; specifically, it analyzes, designs and builds the protocol between SIPS and the dedicated sensors. The team analyzed in depth the functions and operating principles of the central system and the probe machines, designed the communication between system components and the data flows exchanged within the system, and identified the events that may occur and the information that will be exchanged. From this, the steps for normalizing the data and packaging it for transmission over the network were built.
- Analyzing and designing the monitoring function of SIPS. Its input is information collected from many sources, in large volume and of diverse kinds, so it must be normalized; normalization brings the information into a single uniform structure, stored centrally for later use. In this part the team analyzed in depth the function of the monitoring system and its model, identified the information to be monitored, and from that built the monitoring system around the 10 criteria. Each criterion represents the information most needed to grasp the national network security situation, so the monitoring system needs one monitoring screen per criterion in order to detect incidents promptly and respond appropriately.
- Analyzing and designing the statistics module of SIPS. This function is used constantly in SIPS and is important for the computations that give an overall picture of what is happening in real time. Hence the first requirement for the statistics module is fast computation. In addition, since the input data may exceed the module's computing capacity, it must be able to cope with load. To be able to track SIPS's operation for evaluation, estimation and future development, the statistics module's activity must be logged. To serve needs that may arise later, the module must support complex statistics built on the simple statistics defined at the outset. The system as built meets these criteria well. The team also analyzed and designed the components of the statistics module and examined some algorithms applied in it to improve its efficiency.
- Analyzing and designing the alerting module of SIPS. The most basic function of the alerting module is to send alert messages about possible threats to interested users. Users who want this information must subscribe to a list of alert recipients for the topics they care about, for example news about malware or operating system vulnerabilities. The alert subscription system comprises functions and a database that accept and store users' registration details through different registration methods; the team defined three registration methods. The subscription system runs alongside a database holding the list of users who want alerts and the kinds of alerts they want to receive. Besides subscription, the system also lets users unsubscribe at any time to stop receiving alerts. The software also includes an alert delivery system: during operation the system is continuously updated with the latest information about incidents and vulnerabilities, and depending on their severity and urgency it may generate alerts. The content of these alerts is composed to suit each alert form. Based on the classification of the alert content and the database of users who want alerts, the system automatically sends the alert to interested users via the corresponding form. In addition, the software has an Infocon system responsible for analyzing incident data to derive appropriate alert levels and publishing this information on the alert website. The alerts issued on the Infocon system are the result of computations by the automated analysis system combined with the judgement of the operators who monitor and analyze incidents.
- Analyzing and designing the module for managing the dedicated sensors. The monitoring system consists of many dedicated sensors deployed at different locations to collect information. The system needs a centralized management interface that monitors the sensors' operating status so that administrators can easily track the sensors' condition and carry out the necessary tasks from the main system. In this part the team built an overall management function for all probe machines (an overview and statistics for all probes in the Internet security monitoring network) and a per-probe management function (more detailed and specific information about one probe, allowing its operating status to be checked and the probe to be managed).
- Analyzing and designing the general administration module of SIPS (user administration, backup storage, system administration, configuration, logging, ...). This part provides a basic access-control management approach and proposes an open-source solution to the access authorization problem. The solution realizes the access permission table and extends access-control management by managing groups of subjects and groups of resources.
Item 2. Programming and testing the modules of the information processing, monitoring, statistics, alerting and control software system (SIPS).
This item focuses on programming the system. Based on the system analysis, the team programmed the general administration functions of the system, including user administration, authorization and system configuration, and programmed the monitoring module, the statistics module, the alerting module, the dedicated-sensor management function and the general administration modules, together with the interface supporting 24/7 network security monitoring.
Specifically, under this item the team programmed and tested the following modules:
- The monitoring, statistics and alerting modules of SIPS.
- The general administration module and the dedicated-sensor management modules, which let the system centrally manage sensors scattered across the network.
- The module connecting to the NSIDB database (the database storing all information about the system as well as about the network security situation).
- The interface module supporting 24/7 network security monitoring. The monitoring interface interacts with the database to produce statistics about the system and display them on the administrative monitoring screen.
Based on the programmed modules, the team integrated the modules and subsystems into the SIPS operational software system, then ran trials, analyzed and evaluated the results, and compared them with the theoretical expectations. The system meets the interface and technical requirements, is visually satisfactory, and its operations and database connections proceed in the correct order, with data input, output and manipulation as designed.
During the trial runs, some problems arose in the charting component and in language switching; the research team analyzed their causes and fixed the problems that arose in the system.
II.4.3. Evaluation of results and recommendations
After a long period of research and development, branch 4 has now completed the requirements set by the project. The software system is in operation and provides the following operational functions:
- An interface supporting experts in 24/7 monitoring.
- Statistics and analysis for issuing alerts.
- Centralized, synchronized management of the dedicated sensors.
- The ability to update and control the configuration of the dedicated sensors.
The system built is very new for the current state of information security development in Vietnam. It meets the technical requirements: fast aggregation by many criteria to assess the state of the network, presented as tables and charts that support expert analysis, and a control channel over the network to manage and configure each dedicated sensor. The system allows national network security monitoring and also lets network surveillance and protection devices and software feed their information into it.
The successfully built system addresses the urgent need to improve the capacity to detect, warn about and organize the remediation of information security incidents on the network, especially incidents with wide-area impact. However, given the management conditions in Vietnam, VNCERT does not yet have the authority to run trials on the national wide-area network. It is hoped that in the coming period, with the help of the Ministry of Information and Communications and other units, VNCERT will be able to bring the product into use for managing Vietnam's network environment.
II.5. Branch 5: Developing some dedicated network security products whose technology is mastered by Vietnam.
II.5.1. Product requirements:
The product must consist of two parts: a) a sensor device able to collect network security information, and b) endpoint software (Windows operating system) that collects network security information. The specific requirements for each product are as follows:
a) Sensor device able to collect network security information:
The sensor device must allow a variety of software to be installed on it to perform different functions, such as:
- Monitoring and recording attack activity, detecting intrusions, detecting signs of attacks and anomalies, and sending the collected information to the monitoring center.
- Monitoring network traffic, usage volume, bandwidth utilization and network operating status, tracking attacks and threats, and scanning for network security weaknesses.
- Other utilities that may be added, such as connection control and monitoring of system and service activity.
The sensor device may be developed by selecting and applying open-source software, improving and building on it so as to master the technology and deploy it widely, in keeping with the current state of IT in our country.
The sensor needs a 100 Mbps capture port to record packets, and must allow nodes with Gbps-class link capacity to be monitored by using a random packet sampling algorithm to analyze the traffic stream. The sensor's output averages about 1000 messages per day.
b) Endpoint software for collecting network security information:
Build a solution and software that collects network security information from servers or end-user workstations and sends it to the monitoring center's database. The software must be able to capture at 10/100 Mbps to record packets, process and analyze incidents, and allow end-user network nodes to be monitored. Its output averages about 100-150 messages per day. The system may be developed on open-source technology, which can be improved, extended, or integrated from several different open-source toolkits.
II.5.2. Work performed:
The project carried out three groups of work items, as follows:
Item 1. System design research and development of the sensor device for collecting network security status.
This item comprises 4 topics: hardware, software, information collection and log management, and selection and integration of open-source software. Under it, the project team carried out the following main tasks:
- Hardware research and selection; design and construction of the dedicated sensor device.
- Research and selection of open-source software suitable for the sensor.
- Research, analysis and design of the sensor administration system for monitoring sensor operating status and configuration.
A study of hardware solutions, for example from Endace, Symantec, ArcSight and other vendors, shows that these vendors generally use proprietary, purpose-built devices that are not fully open and very hard to master completely at the technology level. The team ran several experiments and proposed feasible solutions for the design of a dedicated sensor device, including a sampling solution that is acceptable in Vietnam's current circumstances. The notable results of this item of branch 5 are:
- Criteria for selecting hardware and software suitable for the sensor device at the 3 groups of collection locations.
- A solution for sensor devices on the network suited to collecting information at the 3 groups of collection locations, several representative hardware solutions, and the necessary auxiliary equipment.
- An acceptable sampling solution for the sensor devices.
- The design and construction of 03 sensor device models with different capture rates. Model 1 is a low-speed sensor, suited to recording network-security-related packets at low-speed 10/100 Mbps network nodes. Model 2 is a medium-speed 100 Mbps sensor. Model 3 is a high-speed sensor, suited to recording network security information at high-speed 100/1000 Mbps network nodes. The maximum output stream rate that can be recorded and processed is 100 Mbps.
- With the proposed hardware configuration, software and solution, the sensor devices achieve the function of recording the following kinds of network security information: traffic volume, attack signs, anomaly signs, service operating status, system information, protocols, services, sensor status...
Item 2. Research and development of the software modules for the sensor.
This item comprises 5 topics on building a Linux kernel version and on researching and building the software modules for the sensor. The project team carried out the following main tasks:
- Research, analysis, testing and construction of a Linux kernel version suitable for the sensor device; testing and evaluation.
- Research and development of the modules for sensor connection management, access control, and data transmission to the center; testing and evaluation.
- Design and construction of the sensor administration/control module with a Vietnamese-language interface; testing and evaluation.
- Research and construction of software or a simulated system for monitoring and recording attack activity in cyberspace; testing and evaluation.
- Technology integration and construction of the sensor device; testing and evaluation of the overall system in a real network environment.
The notable results achieved under this item include:
- Analysis, evaluation and selection of the Ubuntu Linux kernel version 2.6.31. It was built and installed for trials, ran well and stably, and is used as the operating system for the sensor device.
- A reference study of typical software solutions such as NetFlow, the Crusoe Correlated Intrusion Detection System, the Monitoring, Intrusion Detection and Administration System, Sguil, Prelude, SiLK, OSSIM, and the systems of Symantec, ArcSight, JPCERT and KrCERT... From this, the team proposed a set of software modules for the sensor consisting of three main software blocks: 1) the information collection block (detecting attack signs and anomaly signs); 2) the network traffic monitoring block; 3) the block tracking the status of applications and current resource usage in the network.
- Research and integration of typical open-source software such as Snort, Ntop, Nagios, WinPcap, Osiris/Snare, OpenVAS, Nessus, Nmap, OSSIM, p0f, arpwatch, ... into the sensor software modules. Selection, modification, extension and integration of several open-source tools for monitoring network traffic and detecting abnormal traffic and attack threats.
- Research and construction of software for configuration management, a Vietnamese-language configuration interface, software for managing and monitoring device status, and software update management for the sensor device.
Item 3. Research and development of network security monitoring software for endpoint machines.
This item comprises 5 topics on studying the Windows/Linux operating systems, building the software, integration, and testing. The project team carried out the following main tasks:
- Studying the operating mechanisms of the Windows and Linux operating systems.
- Analysis and design of network security monitoring software for endpoint computers running Windows.
- Construction of the log collection module and the module connecting to the Center; testing and evaluation.
- Development of the module presenting aggregated network security status information; testing and evaluation.
- Integration into the network security monitoring software; testing and evaluation in a real network environment.
The team researched, tested and proposed the approach of using VMware virtualization software installed on Windows as the basis for developing the software modules. The team proposed software modules that reuse the software already built for the sensor devices so that it can be installed on endpoint machines, specifically the modules for: monitoring and recording attacks; traffic monitoring; vulnerability scanning and monitoring the operating status of systems and services; exchanging information with the monitoring center; and a Vietnamese-language interface for administering the software configuration.
II.5.3. Evaluation of results and recommendations
The prototype sensor device and the software have been integrated, built and trialled in a real network environment at the Vietnam Computer Emergency Response Center from February 2010 to the present, and at VDC from May to the present. The trial results show that the prototype sensor device and software meet the requirements registered in the project.
During the work, the team carried out some additional theoretical research and experiments, specifically:
- Classification of intrusion attacks and the information that can be collected.
- Information collection methods, packet capture methods, and methods for detecting intrusions and anomalous behaviour.
- An adaptive model for detecting intrusions and abnormal traffic.
- Topologies for sensor devices on the network suited to information collection.
- Several representative hardware solutions and the necessary auxiliary equipment.
The team proposed using network Tap devices to sample traffic; this allows sensor devices to be placed without affecting the network's normal operation.
For intrusion and abnormal traffic detection, the team proposed an adaptive intrusion detection architecture. The adaptive intrusion detection system is based on mining the data collected from the sensors. A new anomaly detection algorithm was developed to make the model more effective and resistant to noisy data; it is built on the premise that a small amount of unclean data may be mixed in with the network's normal traffic. The system rests on a probabilistic algorithm able to adapt to the amount of noisy data that may be present in the system.
For exchanging information with the monitoring center and managing sensor software configuration, the team proposed remote access over a secure SSH connection. Through a session established with SSH, updating the sensor's configuration and changing the software settings on the sensor is straightforward. The team also proposed a virtual private network solution for connecting the sensor devices to the monitoring center.
The research and analysis results, based on the research reports produced in the project, show that choosing device configurations for building sensors and sensor software must be weighed against the many criteria presented in the report.
Integrating open-source software is the feasible solution chosen in the project. It allows the technology to be mastered, and the necessary functions to be developed and added to suit the environment in which the sensors are used and Vietnam's current conditions.
The results and products meet the requirements set for branch 5 of project KC.01.09/06-10 and follow the research outline closely. The research results can be applied directly in practice. The authors have also published the research results in several domestic and international papers. The sensor prototypes have been tested on real networks, with results consistent with theory and applicable in practice.
II.6. Branch 6: Developing solutions and tools to integrate some commercial network security devices common in Vietnam into the system
II.6.1. Product requirements
The products required of this project branch are:
- Research reports identifying the formats of network security information produced by the MiDFS and Checkpoint firewall systems, the McAfee and ISS IDS systems, and the TrendMicro and McAfee antivirus systems.
- A research report on normalizing network security information from devices so that it can satisfy the information supply requirements of the Vietnam Internet security database, including the normalized information format describing network security incidents that is used to supply information to the Vietnam Internet security database.
- A report on the research, analysis, design and programming of the modules, named GFW, that receive information from firewall devices/software and supply it to the SIGS system.
- A report on the research, analysis, design and programming of the modules, named GIDS, that receive information from IDS devices/software and supply it to the SIGS system.
- A report on the research, analysis, design and programming of the modules, named GAV, that receive information from antivirus software and supply it to the SIGS system.
- A report on testing, trials and tuning of the software modules.
II.6.2. Work performed:
The project branch carried out the following main groups of research work:
Item 1: Studying the formats of network security information collected from a number of network security devices/software, including:
- The McAfee IntruShield IDS device.
- The ISS Proventia IDS device.
- The Snort IDS in the MiDFS integrated security firewall device.
- The Checkpoint firewall.
- The iptables firewall in the MiDFS integrated security firewall device.
- The Symantec Antivirus Corporation Edition system.
- The McAfee VirusScan Enterprise system.
- The ClamAV antivirus software.
Result: the full content of the network security information that can be collected from the device/software sources above was identified.
Item 2: Studying the normalization of network security information from devices so that it can satisfy the information supply requirements of the Vietnam Internet security database.
Result: a data standard was built for what the software collecting network security information from commercial devices sends to the SIGS system.
Item 3: Research, analysis, design and programming of the modules, named GFW, that receive information from firewall devices/software and supply it to the SIGS system.
Result: the module as built fully supports receiving network security information from Checkpoint firewall devices and the MiDFS firewall. In addition, the module is designed to be extended to receive input from other kinds of firewall.
Item 4: Research, analysis, design and programming of the modules, named GIDS, that receive information from IDS devices/software and supply it to the SIGS system.
Result: the module as built fully supports receiving network security information from the Proventia and MiDFS IDS devices. In addition, the module is designed to be extended to receive input from other kinds of IDS.
Item 5: Research, analysis, design and programming of the modules, named GAG, that receive information from antivirus software and supply it to the SIGS system.
Result: the module as built fully supports receiving network security information from the AV software: Symantec Antivirus Corporation Edition; McAfee VirusScan Enterprise; and the ClamAV antivirus software. In addition, the module is designed to be extended to receive input from other kinds of antivirus.
Item 5: Integrating the GFW, GIDS and GAG modules to build the network security information collection software.
Result: the software as built integrates all the features of the 03 modules, which is convenient to use, while the open design ensures that many more devices, and kinds of device/software, that can supply network security information can be integrated. This solution allows the sources of information to be extended as far as possible.
Item 6: Testing and trialling the modules and software built.
Result: all test and trial results met the requirements.
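As an added example, not code from the project, the following Python sketch shows the idea behind the GFW, GIDS and GAG modules and the common data standard described in this section: a device-specific parser for an iptables log line, a Snort fast-alert line and a ClamAV scan line each maps onto one normalized record, and a parser registry is the extension point for further source types. The log lines are constructed samples; the field set, the 1-to-5 severity scale and the product labels are assumptions, since the report does not publish its schema.

```python
"""Normalize heterogeneous security events into one record type (added example)."""
import json
import re
from dataclasses import dataclass, asdict
from typing import Callable, Dict, List, Optional, Tuple

# Assumed severity scale, 1 (lowest) .. 5 (highest), loosely modelled on the
# five alert levels the report describes for SIPS; the report gives no mapping.
SEV_LOW, SEV_MED, SEV_HIGH, SEV_CRITICAL = 2, 3, 4, 5


@dataclass
class SecurityEvent:
    """One normalized record, whatever device produced it (assumed field set)."""
    source_type: str            # "firewall" | "ids" | "antivirus"
    product: str                # hypothetical product label
    timestamp: str              # kept exactly as the device wrote it
    src_ip: Optional[str]
    dst_ip: Optional[str]
    proto: Optional[str]
    description: str
    severity: int


def parse_iptables(line: str) -> Optional[SecurityEvent]:
    """netfilter/iptables kernel log line (LOG target with --log-prefix)."""
    head, sep, body = line.partition(" kernel: ")
    if not sep or "IN=" not in body:
        return None                                   # not a netfilter log line
    timestamp = " ".join(head.split()[:3])            # "Mar 9 14:22:31"
    body = re.sub(r"^\[[^\]]*\]\s*", "", body)        # drop "[ 1234.56] " uptime
    prefix, _, rest = body.partition("IN=")           # text before IN= is the prefix
    fields = dict(tok.split("=", 1) for tok in ("IN=" + rest).split() if "=" in tok)
    proto = fields.get("PROTO")
    desc = "%s %s %s:%s -> %s:%s" % (
        prefix.strip().rstrip(":") or "LOG", proto,
        fields.get("SRC"), fields.get("SPT", "-"),
        fields.get("DST"), fields.get("DPT", "-"))
    return SecurityEvent("firewall", "iptables", timestamp,
                         fields.get("SRC"), fields.get("DST"), proto, desc, SEV_LOW)


SNORT_FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::(?P<spt>\d+))?"
    r"\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dpt>\d+))?\s*$")


def parse_snort_fast(line: str) -> Optional[SecurityEvent]:
    """Snort 'alert_fast' output line; Snort priority 1 is the most severe."""
    m = SNORT_FAST_RE.match(line)
    if not m:
        return None
    prio = int(m.group("prio") or 3)
    severity = {1: SEV_CRITICAL, 2: SEV_HIGH, 3: SEV_MED}.get(prio, SEV_LOW)
    desc = "[%s] %s" % (m.group("sid"), m.group("msg"))
    return SecurityEvent("ids", "snort", m.group("ts"), m.group("src"),
                         m.group("dst"), m.group("proto"), desc, severity)


CLAMAV_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_clamav(line: str) -> Optional[SecurityEvent]:
    """clamscan result line; only '... FOUND' lines are incidents, 'OK' is noise."""
    m = CLAMAV_RE.match(line)
    if not m:
        return None
    desc = "%s in %s" % (m.group("sig"), m.group("path"))
    # clamscan output carries no timestamp or addresses, so those stay empty.
    return SecurityEvent("antivirus", "clamav", "", None, None, None, desc, SEV_CRITICAL)


PARSERS: Dict[str, Callable[[str], Optional[SecurityEvent]]] = {
    "firewall": parse_iptables, "ids": parse_snort_fast, "antivirus": parse_clamav}


def register_parser(source_type: str, parser: Callable[[str], Optional[SecurityEvent]]):
    """Extension point: a new device type plugs in without touching the others."""
    PARSERS[source_type] = parser


def normalize_batch(raw: List[Tuple[str, str]]) -> List[SecurityEvent]:
    """Run each (source_type, line) through its parser; unparseable lines are dropped."""
    events = []
    for source_type, line in raw:
        parser = PARSERS.get(source_type)
        event = parser(line) if parser else None
        if event is not None:
            events.append(event)
    return events


def to_wire(events: List[SecurityEvent]) -> str:
    """JSON-lines payload a collector could forward (wire format assumed)."""
    return "\n".join(json.dumps(asdict(e), sort_keys=True) for e in events)


# Constructed sample lines; addresses are documentation ranges, not real hosts.
SAMPLE_LINES = [
    ("firewall", "Mar  9 14:22:31 fw1 kernel: [ 1234.567890] DROP: IN=eth0 OUT= "
                 "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 "
                 "DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=54321 DF "
                 "PROTO=TCP SPT=40211 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0"),
    ("ids", "03/09-14:23:05.118231  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check "
            "returned root [**] [Classification: Potentially Bad Traffic] "
            "[Priority: 2] {TCP} 192.0.2.10:80 -> 203.0.113.45:40211"),
    ("antivirus", "/srv/share/invoice.exe: Win.Test.EICAR_HDB-1 FOUND"),
    ("antivirus", "/srv/share/readme.txt: OK"),                           # dropped
    ("firewall", "Mar  9 14:22:32 fw1 kernel: unrelated kernel message"),  # dropped
]

if __name__ == "__main__":
    print(to_wire(normalize_batch(SAMPLE_LINES)))
```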
II.6.3. Evaluation of results and recommendations
The team for project branch 6 carried out all the work in the approved outline in full:
- Studied the information supplied by more than seven different sources, such as Checkpoint, MiDFS, the ISS IDS, McAfee antivirus, Symantec antivirus, ClamAV antivirus, Snort, Nessus, and several other sources that can supply information to the network security monitoring system.
- Researched, designed and programmed the network security information collection software, which integrates the GFW module, responsible for supplying information from firewall devices, the GIDS module, responsible for supplying information from IDS devices, and the GAG module, responsible for supplying information from the antivirus system.
- Tested, in cooperation with the Data Communication Company VDC, the function of each component and its ability to integrate with the network security monitoring system; all results were good, demonstrating that the software built operates stably and meets the requirements set.
- Proposed some changes relative to the outline to ensure they suit practice and long-term applicability:
+ The McAfee and TrendMicro virus detection software installed on gateway servers has not been produced for three years. Using these products as sources is therefore no longer practical, so the project team proposes the following detection and removal products instead: the Symantec virus detection system with the centralized administration function Antivirus Corporate Edition, McAfee virus detection software, and the open-source virus detection software ClamAV.
+ The McAfee IDS device is not widely used in Vietnam. At the same time, because the device is expensive, the project budget was only enough to rent a device for trials, research and analysis, not to purchase one for long-term use. The project team therefore proposes using the MiDFS device instead, since it uses the free, open-source Snort IDS software, which can be applied widely and for the long term and is therefore of greater practical significance.
After designing and deploying the GFW, GIDS and GAG data supply modules, the team found that integrating the modules into a single network security information collection program brings many conveniences in use and deployment while still making it easy to upgrade and add the ability to receive other kinds of network security information in the future, such as additional network security information from the device types analyzed in the project (other IDS, IPS, firewall and antivirus products). The design also allows network security information to be received from other kinds of device/software, such as operating systems, personal firewalls, database management systems, proxies, routers, switches, integrated modems, access points, etc. An extensible design that can integrate many information sources is an important factor ensuring the effectiveness and practical value of the network security monitoring system now and in the future.
II.7. Branch 7: Trial deployment of the network security monitoring system model in a specific scaled-down national-level network environment simulating the overall system
II.7.1. Product requirements:
The required products are reports of trial results with analysis, evaluation and comparison of the results for the following functions:
- Trial of the subsystem for recording network security incidents and recording network attacks.
- Trial of the functions for traffic monitoring, vulnerability scanning, and the integrated network security monitoring database; evaluation of compatibility with the standards for exchanging information about incidents and network attacks.
- Trial of the subsystem supporting incident report handling and automatic receipt of network security information from devices.
- Trial of the 24/7 monitoring function, and of statistics and analysis for issuing alerts and guidance to individuals and organizations in Vietnam.
- Trial of the integrated protective firewall system and the content filtering function.
- Trial of the virus and malicious code detection function.
- Trial of the endpoint network security monitoring software and of the solution for integrating some commercial network security devices common in Vietnam.
- Trial and measurement of the operating parameters of the whole system, software tuning, and analysis and evaluation of the performance of the entire system.
II.7.2. Work performed:
Project branch 7 carried out 8 groups of work items, as follows:
Item 1. Trial of the subsystem for recording network security incidents and recording network attacks.
The trial results show that the sensor devices operate well and meet the requirements set in the project. The measurement tables show that the sensor device meets the software functional requirements for capturing packets and recording network intrusion attacks, network security incidents and anomalous behaviour; several other functions/utilities of the sensor were also checked, such as logging, the management interface, and the connection between the sensor and the monitoring center, ...
Item 2. Trial of the functions for traffic monitoring, vulnerability scanning, and system and service monitoring; the integrated network security monitoring database; evaluation of compatibility with the standards for exchanging information about incidents and network attacks.
The trial results show that the traffic monitoring, vulnerability scanning and integrated network security monitoring database functions operate well. Traffic monitoring information is reported as statistics, with many options that let users classify and filter easily by criteria, and detected incidents come with the details needed to proceed with incident handling. The vulnerability scanning function lists the services running on the system and the weaknesses detected, together with their severity. The system and service monitoring function shows the availability of the systems and alerts users when a system or service is found to have stopped. The integrated database stores complete information about incidents, such as time of occurrence, source/destination addresses and details, and also has an interface that helps users search for information quickly.
Item 3. Trial of the subsystem supporting incident report handling and automatic receipt of network security information from devices.
The trial results show that the incident report handling subsystem is a website that supports users in carrying out the incident handling process. Its functions operate well and support separate permissions for the different member groups: system administrators, incident handlers and managers. Input errors from missing or incorrect information are all detected and fully reported. The process of declaring, receiving and handling information on the website matches the network security incident handling operations of the VNCERT Center.
The function for automatically receiving network security information from devices was tried on the real Internet with simulated data and gave good results. During the trial, the collection system was able to receive all the events sent by the sensors at an acceptable rate, with no slowdown or congestion. This result shows that the system is fit to operate well on the real Internet.
Item 4. Trial of the 24/7 monitoring function, and of statistics and analysis for issuing alerts and guidance to individuals and organizations in Vietnam.
The trial results show that the 24/7 monitoring function operates well. It is an essential component of the Internet security monitoring system. The 24/7 monitoring consists of ten large screens that continuously track national network security information according to the 10 applicable criteria, giving a panoramic view of the network security situation in Vietnam. The monitored information is presented visually and gives the staff enough information to be ready to analyze and issue alerts when there is a risk of an incident. Based on the monitored information and the information collected from other systems, the system aggregates, analyzes and anticipates possible threats, and stands ready to warn important organizations early about them to avoid damage when a network security incident occurs.
Item 5. Trial of the integrated protective firewall system and the content filtering function.
The trial results show that the integrated protective firewall system and the content filtering function operate well. The commercial security devices and software all detected the simulated network security incidents, which included:
- Virus infection
- Network attack
- Violation of the established network security policies
The trial was conducted on a network model using real computers, with a number of machines and devices equivalent to 02 offices. The basic firewall functions tested included:
- Blocking IP addresses
- Blocking connections to service ports
- Detecting intrusions / unauthorized attacks
The integrated firewall also provides content filtering, used to block access to malicious websites by URL and by content.
Item 6. Trial of the virus and malicious code detection function.
The trial results show that the virus and malicious code detection function operates well. The trial was deployed on a real computer network and gave positive results. The device under test detected 100% of the virus samples. With virus detection enabled, Internet access speed in practice remained above 90% of the speed without virus detection, on an ADSL Internet connection with a 2 Mbps line. In the environments where the trial was conducted, no cases were found of the system misidentifying virus or malicious code signatures.
Item 7. Trial of the endpoint network security monitoring software and of the solution for integrating some commercial network security devices common in Vietnam.
The trial results show that the endpoint devices perform the network security monitoring functions well. These functions include capturing packets and recording network intrusion attacks, network security incidents and anomalous behaviour, together with several other basic functions such as logging, the management interface, and the connection between the sensor and the monitoring center... Being able to integrate common commercial network security devices is highly significant for later deployment of the system: organizations joining the network security monitoring system will not have to replace their compatible devices, but can keep using their existing devices through the common information exchange standard that the system supports.
Item 8. Trial and measurement of the operating parameters of the whole system, software tuning, and analysis and evaluation of the performance of the entire system.
The trial results in this part cover all the measurements and evaluations of the operating parameters of the functions of the system. The trial and measurement of the operating parameters of the whole system gave good results. The sensor device operates and provides the basic functions: capturing packets and recording network intrusion attacks, network security incidents and anomalous behaviour. In addition, the sensor device provides logging, a management interface, and the connection between the sensor and the monitoring center. The information gathered and evaluated shows that the trial system is fully compatible and can interoperate with the standards for exchanging network attack information used worldwide.
In principle, when the number of sensors increases, the system's capacity must be reassessed so that appropriate investment can be made to increase it. The system's current performance meets the trial requirements with a moderate number of sensors (under 10). With this number of sensors, the load on the servers and services remains below the 25% threshold. If the real deployment is large (several hundred to several thousand sensors), the system must be deployed on a scalable platform using virtualization technology or, beyond that, cloud computing, so that the system's capacity can be scaled without limit.
II.7.3. Evaluation of results and recommendations
The trial results show that the system operates with all the functions registered in the project. Through trial operation in a real system environment with simulated test data, the test reports show that the functions operate well and in accordance with the analyzed design. The system is built on open-source foundations, which makes it easier to develop additional applications and functions later. However, since the trial model is not yet large in scale, more trial time at a larger scale is needed, or the means of increasing processing capacity must be prepared in advance, so that the system can operate effectively and in line with the original design.
III General conclusions:
All the project tasks completed the workload set. The project delivered the registered products in the right kinds, quantities and quality.
The project team mastered many in-depth network security monitoring technologies, which can serve as the basis for deploying a network security monitoring system in the future.
The project's software and hardware products all operate and integrate correctly with many other commercial products. In the near term, these products will be a very good tool for carrying out experimental research to gain the experience and knowledge needed to build and improve the system's operation in the future. At the same time, this system is currently the only environment in Vietnam that can operate and train staff simultaneously.
It is expected that, with the current technical capacity, the system can be applied to national-level network security monitoring for one ISP or for large organizations and enterprises. The system can operate entirely independently or take part in a larger-scale network security monitoring system. It is therefore fully suitable for enterprise networks and can be used as one component of the network security monitoring system network in the future.