(VNCERT)
Summary report of the project:
Research and development of a network security monitoring and surveillance system
under a centralized management model
to protect Vietnam's Internet
Project lead: Vu Quoc Khanh
8818
Hanoi - 2011
TABLE OF CONTENTS
STATISTICAL REPORT
TABLE OF CONTENTS
LIST OF FIGURES
TERMS AND ABBREVIATIONS
CHAPTER I. RESEARCH AND DESIGN OF THE OVERALL SYSTEM ARCHITECTURE; SELECTION OF INFORMATION AND DEVICE STANDARDS
I.1. Research and propose the objectives, requirements and general structure of the Internet security monitoring system
I.1.1. Current organization of the Internet infrastructure and information security risks of Vietnam's Internet
I.1.2. Feasible objectives for the Vietnam Internet security monitoring and surveillance system
I.1.3. Experience from deploying network security monitoring systems abroad
I.3. Research and selection of network security information sources
I.3.1. Analysis of the ability to use and exploit network security (ATM) information from other information sources
II.2. Research and design of the NSIDB integrated database system
II.2.1. Research and design of the method of information exchange between the database and the other system components
II.2.2. Design of database backup and data recovery when incidents occur
II.2.3. Design of the security solution for the integrated network security monitoring database
II.2.4. Overall design of the NSIDB integrated network security monitoring database system
II.3.1. Detailed design of the database subsystem storing network security incident information
II.3.2. Detailed design of the database subsystem storing network attack information
II.3.3. Detailed design of the database subsystem storing state information of critical systems
II.3.4. Detailed design of the database subsystem storing user administration information
Detailed data design
III.2.4. Research, design and development of the NSIAR automatic network security information reception subsystem
III.2.5. Results achieved by branch 3
IV.3. Research and analysis of warning levels, warning forms and requirements for warning templates on the security situation of Vietnam's Internet
IV.3.1. Study of warning-level systems and definition of warning levels for Vietnam's Internet
IV.3.2. Warning forms
IV.3.3. Warning templates
IV.4. Research, analysis and design of the communication protocol between the SIPS system and the specialized sensors
IV.4.1. Functions and operating principles of the central system and the reconnaissance machines (sensors)
IV.4.2. Protocol analysis
IV.5. Analysis and design of the monitoring function of the SIPS system
IV.6. Analysis and design of the statistics module of the SIPS system
IV.6.1. Components of the statistics module
IV.6.2. Some algorithms applied in the statistics module
IV.7. Analysis and design of the alerting module of the SIPS system
IV.7.1. Registration system
IV.7.2. Alert delivery system
IV.7.3. Infocon system
IV.10. Analysis and design of the interface supporting 24/24 network security monitoring
IV.10.1. Functional analysis of the components of the network security monitoring support interface
IV.10.2. Building the interface by function
LIST OF FIGURES
Figure I.1: Core network model of an Internet connection provider
Figure I.2: Description of domestic Internet transit connections
Figure I.3: Diagram of transit connections via VNIX
Figure I.4: Connection from the Internet access service provider to customers
Figure I.5: Customer connection diagram of a provincial Post Office
Figure I.6: Connection diagram from an ISP to customers
Figure I.7: Operating diagram of the governing agency
Figure I.8: Overall context diagram of the Vietnam Internet security monitoring and surveillance system
Figure I.9: Diagram of the general functional structure of the system
Figure I.10: Collecting information from devices
Figure I.11: Operating model
Figure I.12: Incident detection monitoring diagram
Figure I.13: Incident analysis activity diagram
Figure I.14: Incident detection reporting diagram
Figure I.15: Incident response/rescue diagram
Figure II.1: Overall model of the information reception software
Figure II.2: Internet security management system model
Figure II.3: Central system
Figure II.4: Operating diagram of the network monitoring system
Figure II.5: The NSIDB integrated database system
Figure II.5: General structure of the NSIDB integrated database system
Figure II.6: Collecting information from devices
Figure II.7: Interaction diagram between the database and the processing components of the system
Figure II.8: Relationship diagram of the incident information database
Figure II.9: Relationship diagram of the attack information database
Figure II.10: Group of linked server tables
TERMS AND ABBREVIATIONS
Account
Access Point
ADSL
Antivirus
ATM (an toan mang: network security)
ATTT (an toan thong tin: information security)
BCG
BRAS
CERT
CERT/CC
CNTT (cong nghe thong tin: information technology)
CSDL (co so du lieu: database)
DSLAM
FE
FW
GAG
GE
GIDS
GFW
HDSL
HTTT (he thong thong tin: information system)
HIDS
IDS
IDMEF
IDSL
IODEF
IPS
ISP
IXP
Malware
MIME
MSDSL
NSIAR
NSIDB
Plugin
Router
RADSL
SAMS
SDH
SDSL
Sensor
SIG Gate
SIGS
SIPS
SNMP
STM-x
Switch
Syslog
TTATM
UML
URL
VDSL
VNCERT
VNIX
XML
[Table residue: Internet infrastructure figures recoverable from the page: 32,995 Mbps; 31,856,896 Gbytes; Internet-using population: 20,570,000; 1,928,191.]
c) Survey of the information security situation on Vietnam's Internet
+ Some operational statistics on information security incidents
Quantity: 33,646,000 computer infections; 6,752 new viruses; 18.49 new viruses per day.
[Chart residue: number of attacks on Vietnamese websites from abroad by year (2005, 2006, 2007), and totals versus government sites (2006, 2007, 2008); bar values recoverable from the page include 84, 563, 2375 and 748, 485, 234, 87.]
[Chart residue: breakdown of incidents handled in 2007 and 2008 by type: DDoS, Malware, Deface website, Email Phishing and Fraud, DNS Attack, Distribute spam, Other; the percentages cannot be reliably assigned to categories.]
[Chart residue: organizations with / without information security staff: southern enterprises 56.0% / 44.0%, northern enterprises 61.6% / 38.4%, state agencies 51.5% / 48.5%, overall 49.2% / 50.8% (categories: Yes, None, Unknown).]
+ Status of adoption of information security solutions and technology
[Chart residue: adoption rates of anti-virus software, anti-spam filters, web content filtering, host intrusion detection systems (IDS), firewalls, biometrics (e.g. fingerprint checks) and encryption, compared across state agencies (CQNN), enterprises and US reference figures (2007 and 2000); further panels with categories Yes 23% / No 69%; Foreign 24% / Unknown 66% / No 87%; and Don't know / 0%-5% / 5%-9% / 10%-15%.]
Nhiu t chc, doanh nghip khng ch s dng h tng Internet kt
ni mng din rng m cn cung cp kh nng truy nhp Internet cho cc
nhn vin ca mnh. iu ny c th to ra cc knh thng t h thng ni b
cn bo v nghim ngt ra n khng gian mng Internet quc t.
Cc thit b cng ngh ch yu nhp khu ca nc ngoi. Chng loi v
xut x thit b c gam mu tng i sc s, a dng.
Ngi dng quen s dng cc phn mm khng bn quyn, khng c
nng cp v v l hng an ton thng tin . Nhiu h thng ng dng c xy
dng vi cng ngh thp, khng c thit k chuyn nghip, khng tun th
cc chun v an ton thng tin.
Cc IXP v ISP ch yu cung cp dch v kt ni cho khch hng vi s
quan tm s dng ti a dung lng bng thng, khng quan tm nhiu n
vic gim st s c an ton thng tin trn mng. Trch nhim m bo an ton
thng tin hu nh ch ca cc khch hng u cui. Mt s t thit b gim st
v m bo an ton mng c lp t mng ngi dng u cui.
Cc IXP v ISP cng ch lp t thit b an ton mng cho phn khc
mng ni b ca mnh.
T cc nh cung cp dch v Internet n khch hng cn t quan tm
u t cho cc h thng m bo an ton mng, cng vi nhng c im
phn tch nu trn lm cho khng gian mng Internet Vit Nam hin ti ang
l mt trong nhng mi trng c nhiu nguy c mt an ton thng tin nht
trong khng gian Internet ton cu.
Trn 50% t chc qun l lng lo, thiu trch nhim, thiu quan tm v
an ton thng tin .
Phn ln cha c quy trnh ng ph vi s c, mt na c d kin xy
dng quy trnh trong 3 thng
Theft of personal information; defamation and insults against others.
Fraud via e-mail and electronic messages (phishing).
The need to build a network security monitoring system
On incident types
On storage databases
+ Monitoring content
Spam,
Viruses,
Attack tracking,
Tracking of reconnaissance network scans,
Phishing,
Other malware.
These data indicate the time of the attacks, their origin, scale and scope, the attack techniques, and the malicious code spreading across the network.
This information is stored in a central database for rapid analysis and processing, serving early warning and incident remediation support. It is also retained for long-term research and statistics in the common operational system.
+ Expected effects
Ability to detect risks early for warning
Early warning information.
Increased ability to react quickly and intervene in time against attacks.
Serve as a research and test environment for proposing a project to build a comprehensive network security monitoring system for Vietnam.
Technology trials:
Common platform (OS, database, network hardware and computers)
Some specialized devices (network security devices, sensor devices, ...).
Self-developed device and software technology (sensors, encryption, information processing, ...).
System integration:
Network connectivity: use of a dedicated network, or of Internet channels encrypted with SSL/VPN.
Official correspondence,
Telephone,
Fax,
E-mail and messages,
Online notification via a web interface;
in addition there may be other information-sharing channels over the Internet.
Models for receiving and processing notifications
To receive and process notifications, one of the following two models can be applied, or suitable components of both can be selected and integrated.
The RTIR model: an incident-handling request management system (Request Tracker for Incident Response).
The SURFnet IDS model: a system for monitoring attacks and malware propagation on the network. A SURFnet IDS deployment can include a honeypot (Nepenthes), a web server performing authentication, and a log server using a PostgreSQL database. The central system is protected by a firewall.
2. The system of specialized monitoring sensors
Specialized sensors
Network security sensors analyze and record indicators of network insecurity by listening to the packets passing through Internet nodes.
The specialized monitoring sensors are sensor devices whose technology we fully control: purpose-built and configured to operate flexibly according to the network monitoring requirements, collecting information and sending it to the center automatically.
databases storing the information collected separately for each channel, a database storing correlated information, and a database storing warning information.
A database of notification and network security monitoring information must be built to the IODEF standard.
Statistical processing and storage can be implemented on the OSSIM platform.
Warning information is exchanged and shared according to the standard.
6. System for statistical analysis of incident indicators
The system for statistical analysis of incident indicators equips the operations room to support experts in analysis and decision-making in emergencies.
An operations interface must be built for experts to interact with the notification and network security monitoring database.
A system for looking up statistics, analysis results and decision support.
A system for simulating, testing and rapidly evaluating network security technical solutions.
I.1.3. Experience from deploying network security monitoring systems abroad
a) Survey of some foreign network security monitoring systems.
During the 2008 research survey preparing for direct implementation of the technical content of this project, project staff visited or exchanged information with partners to learn about the following network security systems of countries and large enterprises worldwide (see the detailed introduction in the report):
The Government Security Operation Coordination center (GSOC) of Japan's National Information Security Center.
The JSOC (Japan Security Operation Center) of LAC Corporation (Japan).
The FSOC network security operations center of Fujitsu Corporation.
Internet.
The CESM enterprise network security information processing system of e-Cop
can include:
A national Internet traffic monitoring and statistics system,
A national honeypot and spampot system,
An information security notification and warning processing system.
An automated monitoring system for rapid response to wide-area incidents
Building systems for exploiting network security information and supporting the prevention and countering of network attacks
with the functions of collecting network monitoring information, tracking incidents and issuing national-level warnings as stated above. However, the project should be carried out under the following viewpoints:
Take maximum advantage of trials of technologies to determine clearly their suitability to different real conditions, specifically sensor systems and centralized management systems.
Focus on developing and testing open-source products as the core, while also testing commercial products as far as possible.
In building the management system, concentrate on completing the technology products serving information collection. The exploitation part should be developed only to the level needed for testing, or where it is very necessary and simple enough to be put into service immediately. The results will best guide the construction of the practical system later.
I.1.4. Overall context diagram of the Vietnam Internet security monitoring and surveillance system
The database serving management through the web interface must contain the following main information:
+ Information about users (Users): the system checks the user's account in this table each time the user logs in.
+ Information about the monitored hosts in the network (Hosts)
+ List of services running on the hosts (Host_services)
+ Host weaknesses detected after a vulnerability scan (Host_vulnerability)
+ List of physical (MAC) addresses of host devices (Host_Mac)
+ List of NetBIOS names of the computers in the network (Host_Netbios)
+ List of operating systems of the computers in the network (Host_OS)
+ List of managed networks (Net)
+ List of reconnaissance machines (sensors) participating in the Internet security management system (Sensor)
+ System configuration settings (Config)
+ Policy settings for the objects in the network (Policy).
Most of the information listed above is rarely changing input that is configured or installed in advance. Only the groups of information concerning events, incidents and alerts received directly from other external systems are input collected and updated continuously from the input sources that serve network security monitoring. Processing this information is the basic purpose of the whole network security monitoring system.
Information processing results
Use of passwords
Clear desk and clear screen policy
+ Network access control
Protection of operating systems
Access control to program source code
+ Security in support and development processes
Change control procedures
Prevention of information leakage
Management of technical vulnerabilities
i) Information security incident management
+ Reporting information security incidents and weaknesses
I.2.2. Research and analysis of the international standard for the exchange format of network security incident information (IODEF of the IETF)
a) The IODEF standard
The IODEF standard was developed by the Extended Incident Handling (INCH) working group of the Internet Engineering Task Force (IETF) until October 2006 and has continued to be refined by experts. The latest version is RFC 5070, published in December 2007.
The purpose of IODEF is to be a data model for reporting and exchanging information about computer incidents. The core of the IODEF model therefore has to describe and exchange information about the security incident object, with the following main contents:
Attack
Attacker
Damage
Event
Evidence
Incident
Impact
Target
Victim
Vulnerability
b) Design of IODEF
The design faces the following problems:
Incident data is complex and heterogeneous, and may change over its lifetime or during investigation.
Researching the application of IODEF is beneficial, but it is not necessary to adopt the entire RFC 5070 specification; only the suitable parts need to be selected for the concrete data design.
It may be sufficient to use a structure compatible with the IODEF-Document/Incident description in order to export information suitable for exchange with international CERTs/CSIRTs.
I.2.3. Proposed framework for exchanging network security (ATM) incident information and framework for exchanging network attack detection notifications to be applied
a) Proposed framework for information exchange within the system
The data processing subsystems of the system include
The object-oriented approach allows new objects to be introduced simply, extending the description to new content.
Different attributes can be declared for different components.
Clear, consistent specification
Identical incident descriptions created by different CSIRTs must be recognized as one and the same incident.
Support for correlating related incidents
Provides the basis for the necessary cooperation between CSIRTs
The incident-object principle is the key principle ensuring the correlation of incidents and a clear, consistent representation of information
Implemented in XML
Data descriptions are easy to extend
Many tools are available, even free ones
Internationalization, so that CSIRTs can use their native language
Reuses many IDMEF data classes; open-source software can be used.
Compatible with and integrable into the IODEF standard
c) Differences between IDMEF and IODEF
The main actors of IODEF are CERTs/CSIRTs, whereas those of IDMEF are IDSs. The CERT/CSIRT is the owner of the incident object (IO).
IODEF is user-oriented (interface/interaction): it allows people to read it while still allowing computers to parse it.
The incident object (IO) has a long lifetime (compared with a single-use IDMEF message), serving incident handling, incident storage, statistical analysis and forecasting.
Comparison of the high-level data classes of IODEF with IDMEF:
Recommendations:
1. Full name *
2. Organization, address
3. E-mail *
4. Telephone *
Incident information
5. Preliminary description of the incident *
6. Detection method *: IDS system / log file inspection / system administrator / other (describe)
7. Time of the incident *
8. Time zone *
System where the incident occurred
9. Operating system *
10. Version *
11. Patch
12. Antivirus * (yes/no)
Figure I.14: Incident detection reporting diagram
I.4.2.4. Incident response/rescue diagram
II.1. Research and analysis of the input data sources; selection of the technology for the NSIDB integrated database.
II.1.1. Research and analysis of the network security (ATM) information sources fed into the NSIDB integrated database
II.1.1.1. Practical requirements
The NSIDB integrated database collects input data from the following basic information sources: the system of specialized monitoring sensors, notifications from specialized monitoring software, information from commercial network protection devices (firewall, IDS, antivirus), the community notification channels for small incidents (e-mail, telephone, fax) used by end users, and the warnings of domestic and foreign research organizations.
II.1.1.2. Overall model of the data reception system
The system collects notification data from the sources described above, as summarized in the following data reception agent diagram:
[Figure residue: data reception agent diagram. Sources: Antivirus (Symantec, McAfee), Firewall (Checkpoint, MiDFS), IDS/IPS (Proventia, Intrushield); these feed an alert-processing module (GAG/GFW/GIDS), an event module, the SIGS connector module, the device connector module, plugins and the SIGS database.]
Fields recorded from such sources:
Kernel version
Action (Drop/Reject)
Direction of traffic (in/out)
Communication standard
Source IP
Source port
Source MAC address
Destination IP
Destination port
Destination MAC address
Length
Type of service (TOS)
[Table residue: columns of the notification reception form: No.; purpose of the notification; address of the individual, unit or organization; notification title; notification content; request; notes.]
After receiving the information and storing it temporarily in the reception table, the reception unit sorts the types of information, notifications and requests from individuals, units and organizations and forwards them to the department or team responsible for each. Based on the title and content, these departments or teams enrich the information (by calling directly, sending e-mail, discussing on the forum, ...) with the unit, individual or organization. They then analyze and assess the necessity, urgency and importance of the notification and, relying on experience, the existing database and other information exchange channels, provide advice and remediation guidance to the requesting agency, unit or organization and, depending on the severity and the specific situation, may send the notification
[Table residue: ports in use: 4001 and 3306 (the database port), used for connections and control (monitor) requests.]
Sample event fields: sensor="192.168.1.10" src_ip="192.168.1.8" dst_ip="192.168.1.8" interface="eth1" data="user1" priority="1" log="Aug ... (truncated on the page)
As can be seen, the information part consists of different fields that are also appended to the log.
This event has the following special fields:
Host: IP address of the host whose MAC address changed
Mac: the MAC address (in hexadecimal)
Vendor: vendor of the network card
Sensor: the device that collected the information
Interface: the interface, eth0 or eth1
Date: date of the event
Plugin_id: always 1512
Plugin_sid: not significant here; the server assigns the identifying code.
Example of a MAC event:
host-mac-event host="183.127.115.4" mac="0:4:23:80:fb:ha" vendor="Intel Corporation" sensor="163.117.131.11" interface="eth1" date="2006-03-17 11:30:09" plugin_id="1512" plugin_sid="1" log="ip address: 163.117.155.2 interface: eth1 ethernet address: ..."
Example of a host service event (fields as recovered from the page):
host="192.168.1.77" port="80" protocol="6" service="www" application="CCO/4.0.3 (Unix) tomcat" sensor="192.168.1.10" date="2006-03-27 07:59:54" plugin_id="1511" plugin_sid="1"
Priority table
Column name | Data type | Null | Key | Note
Priority_id | Tinyint(3) | Not Null | PK | Priority identifier
Priority | Varchar(60) | Not Null | | Priority name
Priority_desc | Varchar(30) | Not Null | | Priority description
Priority_color | Varchar(7) | Not Null | | Color
Priority_urgency | Tinyint | Not Null | | Urgency
Ispublic | Tinyint | Not Null | | Published
Example of an attack event carrying a web request log line:
plugin_id="1501" plugin_sid="206" sensor="88.x.x.x" interface="eth0" date="1269889333" tzone="0" protocol="TCP" src_ip="113.167.148.216" dst_ip="88.x.x.x" dst_port="80" asset_src="2" asset_dst="2" log="GET /forums/attachment.php?attachmentid=9644&d=1215697569 HTTP/1.1"
The fields are:
Sensor: address of the monitoring sensor
Interface: the Ethernet interface
Protocol: the network protocol in use (here TCP)
Log: the logged information
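The event lines quoted above share one shape: an optional event-type token followed by key="value" pairs in which the value may contain spaces, '=' and '&'. The following parser is an added example written for this page, not code from the report or from OSSIM; it assumes that the date field is either epoch seconds or "YYYY-MM-DD HH:MM:SS" in the local time given by an optional tzone field (hours), and the sample lines are constructed from the fields shown in the report.

```python
"""Added example (not from the report or OSSIM): parse the key="value" event
lines quoted above into a dict and normalise the timestamp.
Assumptions: a line may begin with an event-type token such as host-mac-event;
values are double-quoted and may contain spaces, '=', '&' and backslash-escaped
quotes; 'date' is either epoch seconds or 'YYYY-MM-DD HH:MM:SS' in the local
time given by 'tzone' (hours, default 0). Sample lines are constructed."""
import re
from datetime import datetime, timezone, timedelta

_KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
REQUIRED = ("plugin_id", "plugin_sid", "sensor", "date")  # assumed mandatory fields


def parse_event_line(line):
    """Return (event_type or None, fields). Anything outside key="value"
    pairs is ignored, so a stray token cannot inject a field."""
    first = line.split(None, 1)[0] if line.strip() else ""
    event_type = first if "=" not in first else None
    fields = {k: v.replace('\\"', '"') for k, v in _KV_RE.findall(line)}
    return event_type, fields


def missing_fields(fields):
    """Names of the mandatory fields the event lacks (empty when complete)."""
    return [k for k in REQUIRED if not fields.get(k)]


def event_time(fields):
    """Timestamp of the event as an aware UTC datetime."""
    raw = fields["date"]
    if raw.isdigit():  # epoch seconds are absolute; tzone does not apply
        return datetime.fromtimestamp(int(raw), timezone.utc)
    local = timezone(timedelta(hours=int(fields.get("tzone", "0"))))
    naive = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=local).astimezone(timezone.utc)


def http_request(fields):
    """Split an HTTP request line kept in 'log' into (method, target, version),
    or None when the log field is not a request line."""
    parts = fields.get("log", "").split(" ")
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        return tuple(parts)
    return None


SAMPLE_LINES = [  # constructed from the fields shown in the report
    'host-mac-event host="183.127.115.4" mac="0:4:23:80:fb:ha" vendor="Intel Corporation" '
    'sensor="163.117.131.11" interface="eth1" date="2006-03-17 11:30:09" '
    'plugin_id="1512" plugin_sid="1" log="ip address: 163.117.155.2 interface: eth1"',
    'plugin_id="1501" plugin_sid="206" sensor="88.x.x.x" interface="eth0" date="1269889333" '
    'tzone="0" protocol="TCP" src_ip="113.167.148.216" dst_ip="88.x.x.x" dst_port="80" '
    'asset_src="2" asset_dst="2" '
    'log="GET /forums/attachment.php?attachmentid=9644&d=1215697569 HTTP/1.1"',
    # same instant as the line above, written as local time in UTC+7
    'plugin_id="1501" plugin_sid="206" sensor="88.x.x.x" date="2010-03-30 02:02:13" tzone="7"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        kind, fields = parse_event_line(line)
        print(kind, event_time(fields).isoformat(), missing_fields(fields), http_request(fields))
```

The epoch value 1269889333 from the page is 2010-03-29 19:02:13 UTC, i.e. 02:02:13 on 30 March in Vietnam's UTC+7, which is why the two forms in the sample resolve to the same instant.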
II.1.2.5. Input through a listening socket (default port 40003)
Data that can be received:
Alert data (using responses)
Nessus
Directory information
Example:
nessus action="scan" target_type="hosts" hostgroups="databases" hosts="207.158.15.50" netgroups="" nets=""
nessus action="status"
The fields that can be received are:
Action: the action to perform
Target_type: the hosts
Netgroups: network group
Host: host address.
II.1.2.6. Input data in the form of actions
Special actions can be configured as responses to key events. Actions and responses are managed policy-like (policy -> action and policy -> response):
Send a mail
Run an external program.
Both action configurations are quite simple; the only important point is to know that a number of keywords can be used, as described above:
Date, plugin_id, plugin_sid, risk, priority, src_ip, dst_ip, protocol, sensor, plugin_name, sid_name, userdata1 ... userdata9, filename, password.
II.1.3. Analysis and selection of the suitable technology for the NSIDB integrated database, capable of extending connections to compatible foreign sources of network security (ATM) information
II.1.3.1. Overview model of information processing
The overall system model includes 5 components with distinct functions that may be deployed on different systems. These 5 components interact and exchange information over the Internet according to the following diagram:
d) Need for information exchange between the NSIDB database and the other components
In general, the NSIDB database interacts directly with two subsystems:
+ The central network security information reception and collection system (SIGS)
+ The storage, processing, statistics, alerting and control system (SIPS)
+ Apart from the usual standard control information serving the connection of the subsystems, the main information flows are:
+ Flow between the SIGS subsystem and the NSIDB database: information security notifications travel upward from the notification sources (network security devices, sensors/agents, notification channels) and, after normalization, are recorded in the database; downward, from the database to SIGS,  some sensors or agents may need access to certain configuration information.
+ Flow between the SIPS subsystem and the NSIDB database
+ Use Syslog, a widely used logging tool on Linux operating systems. Syslog recognizes and records all kinds of system messages, from ordinary to critical. Syslog manages system messages based on two labels carried by each message.
The first label indicates the source (facility) that generated the message.
The second label indicates the severity of the message, which takes one of eight values:
Level | Keyword
0 | emergencies
1 | alerts
2 | critical
3 | errors
4 | warnings
5 | notifications
6 | informational
7 | debugging
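On the wire the two labels are packed into the PRI field at the start of each syslog line as facility * 8 + severity, so a collector that wants to route by severity must first unpack that number. The following is an added example written for this page, not code from the report; it assumes the traditional BSD line format ("<PRI>TIMESTAMP HOST TAG: MSG", RFC 3164) with the RFC 3164 default of user.notice for lines without a valid PRI, and the sample lines are constructed.

```python
"""Added example (not from the report): decode the syslog PRI field into
facility and severity and filter messages by severity.
Assumption: lines use the BSD syslog format '<PRI>rest' (RFC 3164); a line
with no valid PRI is treated as facility 'user', severity 'notifications'
(the RFC 3164 default). The sample lines are constructed."""
import re

# The eight severity levels as listed in the report (index = numeric level).
SEVERITY_KEYWORDS = [
    "emergencies", "alerts", "critical", "errors",
    "warnings", "notifications", "informational", "debugging",
]
# Facility codes 0..23 from RFC 3164 / RFC 5424.
FACILITY_KEYWORDS = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Split PRI into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range 0..191: %d" % pri)
    return pri // 8, pri % 8


def parse_syslog_line(line):
    """Parse one syslog line into facility, severity and the remaining text."""
    facility, severity, rest = 1, 5, line  # RFC 3164 default: user.notice
    m = _PRI_RE.match(line)
    if m:
        try:
            facility, severity = decode_pri(int(m.group(1)))
            rest = m.group(2)
        except ValueError:  # e.g. <999>: keep the default rather than crash
            pass
    return {
        "facility": facility,
        "facility_name": FACILITY_KEYWORDS[facility],
        "severity": severity,
        "severity_name": SEVERITY_KEYWORDS[severity],
        "message": rest.strip(),
    }


def filter_by_severity(lines, max_severity):
    """Keep messages at least as severe as max_severity (lower number = more severe)."""
    parsed = (parse_syslog_line(line) for line in lines)
    return [p for p in parsed if p["severity"] <= max_severity]


SAMPLE_LINES = [  # constructed
    "<34>Oct  5 10:12:01 gw1 sshd[1234]: Failed password for root from 10.0.0.5 port 51234 ssh2",
    "<13>Oct  5 10:12:02 ws7 app: user login ok",
    "<2>Oct  5 10:12:03 gw1 kernel: hardware error detected",
    "Oct  5 10:12:04 legacy: line without PRI",
]

if __name__ == "__main__":
    for p in filter_by_severity(SAMPLE_LINES, 4):
        print(p["facility_name"], p["severity_name"], p["message"])
```

Filtering on the decoded severity (here everything at warnings or worse) is how a collector decides what reaches the central database first; the facility is what lets the same message be attributed to the kernel, the authentication subsystem or a local application.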
Devices generating IDMEF messages write them in the IDS alert format. The notifications are transferred into SQL database tables by the IDMEF-DBMS mapping module and a
connection pool).
As analyzed in the previous topics, the essence of information processing is to receive notifications (messages) about incidents from agents, transform them into data in a standard format, filter and store them, analyze them, compute statistics and exchange them.
IDMEF notifications are processed in a four-stage cycle: Data Aggregation, Data Reduction, Data Correlation, and Data Induction.
The collection and transformation of notifications follows the IDMEF standard framework and is supported in every processing stage according to international standards.
After processing, information about an incident object is derived from many notifications. That object is then stored in the IODEF format for long-term retention, statistical analysis and later information exchange.
b) Framework for exchanging notifications with the database
We conclude that the Alert format of the IDMEF standard should be adopted as the framework for exchanging network attack detection information. The content of this framework is:
Alert
Source
Target
Classification
CreateTime
DetectTime
AnalyzerTime
Analyzer
Assessment
CorrelationAlert
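The two halves of the pipeline described here, and in section I.2.3 above (IDMEF alerts as the exchange format for detections, IODEF as the long-term incident record exported to other CERTs/CSIRTs), can be shown end to end in a few dozen lines. The block below is an added example written for this page, not code from the report: it parses RFC 4765 IDMEF-Message alerts, performs the aggregation and reduction stages by dropping repeated message ids and merging alerts with the same source and classification into one incident object, and emits that object as a minimal RFC 5070 IODEF-Document. The sample alerts, contact details and id domain are constructed, and the grouping key is this example's choice.

```python
"""Added example (not code from the report): correlate IDMEF alerts into an
incident object and export it as an IODEF document, the pipeline described above.
Assumptions: each input is an RFC 4765 IDMEF-Message with one Alert; alerts are
grouped by (source address, classification); the output is a minimal RFC 5070
IODEF-Document (IncidentID, ReportTime, Assessment, Contact, EventData/Flow).
Sample alerts and contact details are constructed."""
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"
IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ET.register_namespace("idmef", IDMEF_NS)
ET.register_namespace("iodef", IODEF_NS)
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


def q(ns, path):
    """Qualify each step of a '/'-separated element path with a namespace."""
    return "/".join("{%s}%s" % (ns, step) for step in path.split("/"))


def parse_idmef_alert(xml_text):
    """Extract the Alert fields used for correlation."""
    alert = ET.fromstring(xml_text).find(q(IDMEF_NS, "Alert"))
    if alert is None:
        raise ValueError("not an IDMEF-Message carrying an Alert")
    impact = alert.find(q(IDMEF_NS, "Assessment/Impact"))
    return {
        "messageid": alert.get("messageid"),
        "analyzer": alert.find(q(IDMEF_NS, "Analyzer")).get("analyzerid"),
        "detect_time": alert.findtext(q(IDMEF_NS, "DetectTime"))
        or alert.findtext(q(IDMEF_NS, "CreateTime")),
        "source": alert.findtext(q(IDMEF_NS, "Source/Node/Address/address")),
        "target": alert.findtext(q(IDMEF_NS, "Target/Node/Address/address")),
        "classification": alert.find(q(IDMEF_NS, "Classification")).get("text"),
        "severity": impact.get("severity", "info") if impact is not None else "info",
    }


def aggregate_alerts(alerts):
    """Aggregation and reduction: drop repeated messageids, then merge alerts
    sharing (source, classification) into one incident object."""
    seen, incidents = set(), {}
    for a in alerts:
        if a["messageid"] in seen:
            continue
        seen.add(a["messageid"])
        inc = incidents.setdefault((a["source"], a["classification"]), {
            "source": a["source"], "classification": a["classification"],
            "targets": set(), "alert_ids": [], "severity": a["severity"],
            "first_seen": a["detect_time"], "last_seen": a["detect_time"]})
        inc["targets"].add(a["target"])
        inc["alert_ids"].append(a["messageid"])
        inc["first_seen"] = min(inc["first_seen"], a["detect_time"])
        inc["last_seen"] = max(inc["last_seen"], a["detect_time"])
        if SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[inc["severity"]]:
            inc["severity"] = a["severity"]
    return list(incidents.values())


def to_iodef(inc, incident_id, id_domain, contact_name, contact_email, report_time):
    """Serialise one aggregated incident as an IODEF-Document string."""
    doc = ET.Element(q(IODEF_NS, "IODEF-Document"), {"version": "1.00", XML_LANG: "en"})
    incident = ET.SubElement(doc, q(IODEF_NS, "Incident"), purpose="reporting")
    ET.SubElement(incident, q(IODEF_NS, "IncidentID"), name=id_domain).text = str(incident_id)
    ET.SubElement(incident, q(IODEF_NS, "ReportTime")).text = report_time
    ET.SubElement(incident, q(IODEF_NS, "Description")).text = "%s from %s (%d alerts, %s to %s)" % (
        inc["classification"], inc["source"], len(inc["alert_ids"]), inc["first_seen"], inc["last_seen"])
    # IODEF Impact severity is low|medium|high, so IDMEF's "info" maps to "low".
    severity = "low" if inc["severity"] == "info" else inc["severity"]
    ET.SubElement(ET.SubElement(incident, q(IODEF_NS, "Assessment")), q(IODEF_NS, "Impact"),
                  severity=severity, type="unknown")
    contact = ET.SubElement(incident, q(IODEF_NS, "Contact"), role="creator", type="organization")
    ET.SubElement(contact, q(IODEF_NS, "ContactName")).text = contact_name
    ET.SubElement(contact, q(IODEF_NS, "Email")).text = contact_email
    flow = ET.SubElement(ET.SubElement(incident, q(IODEF_NS, "EventData")), q(IODEF_NS, "Flow"))
    for category, ip in [("source", inc["source"])] + [("target", t) for t in sorted(inc["targets"])]:
        node = ET.SubElement(ET.SubElement(flow, q(IODEF_NS, "System"), category=category), q(IODEF_NS, "Node"))
        ET.SubElement(node, q(IODEF_NS, "Address"), category="ipv4-addr").text = ip
    for mid in inc["alert_ids"]:  # keep the link back to the originating IDMEF messages
        ET.SubElement(incident, q(IODEF_NS, "AdditionalData"), dtype="string", meaning="idmef-messageid").text = mid
    return ET.tostring(doc, encoding="unicode")


def _idmef(msgid, analyzer, src, dst, cls, severity, when):
    """Constructed IDMEF alert used as sample input."""
    return ('<IDMEF-Message version="1.0" xmlns="%s"><Alert messageid="%s"><Analyzer analyzerid="%s"/>'
            '<CreateTime>%s</CreateTime><Classification text="%s"/><DetectTime>%s</DetectTime>'
            '<Source><Node><Address category="ipv4-addr"><address>%s</address></Address></Node></Source>'
            '<Target><Node><Address category="ipv4-addr"><address>%s</address></Address></Node></Target>'
            '<Assessment><Impact severity="%s"/></Assessment></Alert></IDMEF-Message>'
            % (IDMEF_NS, msgid, analyzer, when, cls, when, src, dst, severity))


SAMPLE_ALERTS = [  # constructed; the repeated "a2" exercises data reduction
    _idmef("a1", "snort-1", "113.167.148.216", "192.168.1.77", "WEB-ATTACK path traversal", "medium", "2010-03-29T19:02:13Z"),
    _idmef("a2", "snort-1", "113.167.148.216", "192.168.1.78", "WEB-ATTACK path traversal", "high", "2010-03-29T19:05:40Z"),
    _idmef("a2", "snort-1", "113.167.148.216", "192.168.1.78", "WEB-ATTACK path traversal", "high", "2010-03-29T19:05:40Z"),
    _idmef("a3", "snort-2", "10.0.0.9", "192.168.1.77", "SCAN nmap TCP", "low", "2010-03-29T19:06:00Z"),
]


def build_incidents(alert_xmls):
    return aggregate_alerts([parse_idmef_alert(x) for x in alert_xmls])
```

Calling to_iodef(build_incidents(SAMPLE_ALERTS)[0], 1, "example.org", "Example CSIRT", "csirt@example.org", "2010-03-30T02:02:13+07:00") yields one incident with two targets and severity high; the IODEF document keeps the originating message ids in AdditionalData so that the single-use IDMEF messages remain traceable from the long-lived incident object, which is exactly the lifetime difference between the two formats noted in section I.2.3.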
Protecting the system database
a) Database backup,
b) System recovery after an incident,
Information security management solutions, including:
a) Monitoring the components of the system
b) Rapid detection of risks and incidents
c) Organizing drills to evaluate and audit the security of the system.
The principles and criteria for selecting solutions in the design and construction of the system are:
+ Ensure high security by minimizing system risks,
+ Always be able to restore the system within an acceptable time,
+ Low cost,
+ Little impact on the information processing performance of the system.
Regarding data protection for the system, the following groups of solutions must be deployed.
II.2.3.2. Groups of data protection solutions
a)
II.2.4. Overall design of the NSIDB integrated network security monitoring database system
Overall design of the integrated network security monitoring database system
II.2.4.1. System overview
The database within the network security monitoring system is divided into several subsystems. Each subsystem takes on its own role and function. Each subsystem describes its own system, and the subsystems are closely related to one another.
The database of the information security incident management system stores the incident information collected from users and from the system administrators, entered directly through the web interface. The incidents are sent to the management board of the monitoring system and saved in the database.
The databases of the system also include components designed to store information collected automatically from the monitoring devices, which collect and send data that is saved in the database installed on the server.
The database of the network security monitoring system is divided into the following subsystems:
Subsystem storing network security incident information
Subsystem storing network attack information
Subsystem storing state information of critical systems
Subsystem storing user administration information.
II.2.4.2. System description
The integrated network security monitoring database system is described overall through its database subsystems. Each subsystem describes one activity of the system within an information security system.
Detailed design of the database subsystem storing state information of critical systems, intended to store all information about servers, networks and software (plugins), so that information can be verified, screened and supplemented before an incident report is converted into a network security event. On the basis of the determined priority, information asset value and reliability, a risk level can be derived for networks, servers and plugins.
Database subsystem storing user administration information
Detailed design of the database subsystem storing user administration information. Every access to the system goes through a user account. Groups are created to gather users who share the same rights or a specific policy toward the system, to simplify administration and information management.
Database subsystem storing network security incident information
Design of the database subsystem storing network security incident information. It consists of a group of tables storing information about collected or detected network security incidents. Each incident is understood as a network security problem and has one or more different network security events. An incident is a set of events that share some common characteristic, which is convenient for information security specialists to handle. Under the handling process, network security notifications are converted into network security incidents after experts have verified their accuracy, screened their danger level and supplemented the information. The information about an incident includes: title, date created/occurred, incident type, handling time, danger level of the incident, information source, source/destination IP addresses and source/destination ports, the person receiving and handling the incident, the person in charge, supplementary incident information, and the files attached to each incident.
Database subsystem storing network attack information
Detailed design of the database subsystem storing network attack information. The subsystem consists of a group of tables storing information about network attacks, events and anomalous signs that the network security monitoring system collects from agents such as sensors, IDS, firewalls, etc. These events will be
Event | Asset value | Reliability | Priority | Risk
Host A (Snort) 192.168.1.111 | 5 | 10 | 5 | 10 = 5 * (10 * 5 / 25)
Host B 192.168.1.135 | 1 | 10 | 5 | 2 = 1 * (10 * 5 / 25)
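The worked table uses risk = asset * (reliability * priority / 25), with asset on 0..5, priority on 0..5 and reliability on 0..10, so the maximum risk is 10. The block below is an added example written for this page, not code from the report or from OSSIM, that applies the formula to events and decides which become alarms. Its assumptions are labelled in the code: inputs are clamped to those ranges; risk_a (attack risk) uses the source host's asset and risk_c (compromise risk) the destination host's asset, matching the asset_src/asset_dst and risk_a/risk_c columns of the event table listed in section II.4.1.3 below; an event becomes an alarm when a risk reaches the matching per-host threshold_a/threshold_c from the host table; and hosts not in the table get asset 2 and threshold 1. The host and event data are constructed.

```python
"""Added example (not code from the report or OSSIM): compute event risk with
the formula of the worked table above and turn events into alarms.
Assumptions: asset and priority are clamped to 0..5 and reliability to 0..10;
risk_a uses the source host's asset and risk_c the destination host's asset;
an event is an alarm when risk_a >= threshold_a of the source host or
risk_c >= threshold_c of the destination host; unknown hosts get asset 2 and
threshold 1. Host and event data are constructed."""

DEFAULT_ASSET = 2      # assumption: asset for hosts not in the host table
DEFAULT_THRESHOLD = 1  # assumption: alarm threshold for hosts not in the host table

HOSTS = {  # constructed host table: asset value and alarm thresholds per host
    "192.168.1.111": {"asset": 5, "threshold_a": 1, "threshold_c": 1},  # host A in the table
    "192.168.1.135": {"asset": 1, "threshold_a": 1, "threshold_c": 1},  # host B in the table
    "10.10.0.7": {"asset": 3, "threshold_a": 4, "threshold_c": 4},
}


def clamp(value, low, high):
    return max(low, min(high, int(value)))


def event_risk(asset, priority, reliability):
    """Risk on a 0..10 scale: asset * priority * reliability / 25, truncated
    to an integer as in the worked table."""
    return (clamp(asset, 0, 5) * clamp(priority, 0, 5) * clamp(reliability, 0, 10)) // 25


def host_attr(ip, name, default):
    return HOSTS.get(ip, {}).get(name, default)


def score_event(event):
    """Return a copy of the event with asset_src/asset_dst, risk_a/risk_c and
    the alarm flag filled in, like the corresponding event table columns."""
    e = dict(event)
    e["asset_src"] = host_attr(e["src_ip"], "asset", DEFAULT_ASSET)
    e["asset_dst"] = host_attr(e["dst_ip"], "asset", DEFAULT_ASSET)
    e["risk_a"] = event_risk(e["asset_src"], e["priority"], e["reliability"])
    e["risk_c"] = event_risk(e["asset_dst"], e["priority"], e["reliability"])
    over_a = e["risk_a"] >= host_attr(e["src_ip"], "threshold_a", DEFAULT_THRESHOLD)
    over_c = e["risk_c"] >= host_attr(e["dst_ip"], "threshold_c", DEFAULT_THRESHOLD)
    e["alarm"] = int(over_a or over_c)
    return e


def alarms(events):
    """Scored events that crossed a threshold, highest risk first."""
    scored = [score_event(e) for e in events]
    return sorted((e for e in scored if e["alarm"]),
                  key=lambda e: max(e["risk_a"], e["risk_c"]), reverse=True)


SAMPLE_EVENTS = [  # constructed; priority and reliability come from the plugin/sid tables in practice
    {"sensor": "192.168.1.10", "src_ip": "203.0.113.5", "dst_ip": "192.168.1.111", "priority": 5, "reliability": 10},
    {"sensor": "192.168.1.10", "src_ip": "203.0.113.5", "dst_ip": "192.168.1.135", "priority": 5, "reliability": 10},
    {"sensor": "192.168.1.10", "src_ip": "198.51.100.8", "dst_ip": "10.10.0.7", "priority": 2, "reliability": 3},
]

if __name__ == "__main__":
    for e in alarms(SAMPLE_EVENTS):
        print(e["src_ip"], "->", e["dst_ip"], "risk_a", e["risk_a"], "risk_c", e["risk_c"])
```

The first two events reproduce the table (risk 10 for host A, risk 2 for host B); the third, a low-priority, low-reliability signature against a host with a raised threshold, truncates to risk 0 and is dropped, which is the practical reason for keeping per-host thresholds rather than a single global one.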
[Diagram residue: the group of host tables (Host_OS, Host_plugin, Host_services, HOST_SERVICES, HOST_VULNERABILITY), the net tables (Net_sensor_reference, net_vulnerability), the reference tables, and the sensor-to-host reference table.]
Tables of the incident subsystem (columns as recoverable from the relationship diagram):
incident: id, title, date, ref, priority
incident_alarm: id, incident_id, src_ips, src_ports, dst_ips, dst_ports
incident_metric: id, incident_id, target, metric_type, metric_value
incident_file: id, incident_id, name, type, content
incident_ticket: id, incident_id, date, status, priority, users, description, action, in_charge, transferred
response: response_id, id, descr
response_plugin: response_id, plugin_id
response_net: response_id, net, net_type
response_port: response_id, port, port_type
The solution includes procedures and utilities for restoring ordinary files as well as the database, allowing faster and more effective recovery than conventional recovery methods. Important characteristics of the recovery include:
A standardized recovery process with built-in support tools for recovering different databases and applications.
Data can be restored to any point in time consistent with the established backup strategy.
Partial or full restoration of the affected data can be chosen; additional utilities automatically restart failed operations.
Creating some functions
- Statement to insert incidents into the database:
INSERT INTO `ATM`.`incident` (`id`, `title`, `date`, `ref`, `priority`)
VALUES ('1', 'DDoS attack', CURRENT_TIMESTAMP, 'Attack carried out at 23:00 on 25/5/2010 by a professional hacker', '3'),
       ('2', 'Phishing', CURRENT_TIMESTAMP, 'Spoofed e-mail attack aimed at stealing user passwords and account information', '4');
II.4.1.3. Installing and testing the database subsystem storing attack information
It includes the following tables: the event table (Event), the event backup table (BACKLOG_EVENT) and the rule correlation table (BACKLOG).
Relationship diagram between the tables
[Figure: relationship diagram of the Backlog (id, directive_id, timestamp, matched), Alarm (backlog_id, event_id, timestamp, plugin_id, plugin_sid, protocol, src_ip, dst_ip, src_port, dst_port, risk, snort_sid, snort_cid), Backlog_event (backlog_id, event_id, time_out, occurrence, rule_level, matched) and Event (id, timestamp, sensor, interface, type, plugin_id, plugin_sid, protocol, src_ip, dst_ip, src_port, dst_port, condition, value, time_interval, absolute, priority, reliability, asset_src, asset_dst, risk_a, risk_c, alarm, snort_sid, snort_cid) tables.]
[Figure: relationship diagram of the Host table group (Host_OS, Host_plugin, Host_services, Host_plugin_sid, Host_mac, Host_sensor_reference, Host_qualification, Host_vulnerability, Host_netbios, Host_ids, Host_scan, Policy_host_reference), the Net table group (Net, Net_group, Net_scan, Net_sensor_reference, Net_group_reference, Net_qualification, Net_vulnerability) and the Plugin, Plugin_sid (reliability, priority, name), Plugin_reference and Response_plugin tables.]
Profile table: stores the users' detailed information (user name, address, email, phone number, gender, date of birth, work history, etc.).
Team table: stores information about the teams with different functions and duties, such as the incident response team and the system deployment team.
Group table: stores user group information (group name, group code, permissions).
Permission table (Permit): sets permissions for users, groups and teams.
Relationship diagram of the tables
[Figure: relationship diagram of the Profile (id, name, birth, gender, email, phone, address, team_id, group_id), User_team, Team (team_id, name, description), Group (group_id, group_name, permit_name, description), Permit (permit_id, permit_name, description) and User (id, username, password) tables.]
III.1.4. Research and design of the network security information gathering protocol ISGP
The network security information gathering protocol was built to unify and standardize the information exchange procedure between the dedicated sensor devices (products of branch 3), the software that receives network security information from commercial information security products (products of branch 6) and the network security information gathering system, safely and accurately over a TCP/IP network. The basic research content includes:
- Researching the types of information to be exchanged
- Classifying and defining the events exchanged via the ISGP protocol
- Designing the packet formats for each type of event
- Designing the information exchange scheme
- Researching and proposing a security solution for the information exchange protocol.
III.1.5. Research, design and construction of the subsystem supporting the handling of network security incident reports - SAMS
While researching and building the subsystem that supports the handling of incident reports, the team carried out the following main tasks:
- Surveying network security incident reports and researching the construction of an incident report template.
- Researching and building the procedure for handling network security incident reports.
- Researching and designing the database that stores network security incident reports.
- Designing and programming the subsystem that supports the handling of network security incidents.
III.1.6. Research and construction of the automatic network security information receiving subsystem NSIAR
While researching and building the automatic network security information receiving subsystem NSIAR, the team carried out the following main tasks:
- Researching the network security information to be received and deploying the storage database using MySQL technology
security monitoring system, the amount of information exchanged between the agents and the server is always very large and hardly any server system can keep up with it; in particular, because the project's budget for equipment was limited, overload at the receiving server is certain to occur once the number of connections grows. The protocol was therefore designed so that information can be exchanged in either encrypted or unencrypted mode. When the protocol operates in unencrypted mode, the information exchanged between agent and server remains safe if a virtual private network (VPN) using IPsec is deployed; with this option the server is not overloaded, because encrypting and decrypting the data is offloaded to a dedicated VPN device. This is also the practical deployment form used by most commercial network security monitoring systems today, such as Symantec's SSIM or ArcSight.
3.2.1.2 Information exchange scheme
The information exchange scheme consists of five basic steps, described in the figure below:
Step 1. Create the encryption key - Generate Random key:
- Purpose: generate a random encryption key 16 bytes long
Step 2. Send the connection request message - CONNECT msg:
- Purpose: send a request to establish a connection from the agent to the server
- The packet format consists of four main pieces of information:
connect key=%s id=%d type=sensor version=%s\n
- Explanation:
key: the generated encryption key (an arbitrary 16-byte character string)
id: the sequence number assigned to the plugin (starting from 1)
type: the sensor type
version: the sensor version
- Operating system events,
- Service events
a) Normalized events
- Packet format
event type="detector" date="2006-08-09 12:12:11" sensor="192.168.1.10" interface="eth1" plugin_id="4002" plugin_sid="1" priority="1" src_ip="192.168.1.8" dst_ip="192.168.1.8" data="user1" log="Aug 9 12:12:11 ossimsensor sshd[6466]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=user1"
- Description
EVENT: keyword identifying an event-type message
type: the event type, detector or monitor
date: the time the event was generated
plugin_id: the id of the plugin that generated the event (received from the CONNECT msg), used to distinguish between plugins
plugin_sid: the plugin class, used to distinguish between the messages of one plugin
interface: the network interface
sensor: the IP address of the sensor that generated the event
priority: the priority level of the event (deprecated)
protocol: one of the protocols TCP, UDP or ICMP
src_ip: the source IP of the event (as seen by the sensor)
src_port: the source port (as seen by the sensor)
dst_ip: the destination IP of the event (as seen by the sensor)
dst_port: the destination port (as seen by the sensor)
log: the log content
data: the event payload (or any other content)
username: the user that generated the event (commonly used in HIDS events)
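As an added illustration (not code from the project or from this report), the following parser reads the CONNECT and EVENT lines described above and rejects malformed or incomplete messages instead of silently accepting them. The CONNECT key and version in the sample stream are made-up values; the EVENT line is the page's own sshd example.

```python
"""Parser for the line-oriented ISGP messages described above: a CONNECT
message with bare key=value pairs and an EVENT message with quoted values."""
import re

# One key=value pair. The value is either "quoted text" (it may contain spaces,
# '=' and ';', as the log field does) or a bare run of non-space characters.
_PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

CONNECT_FIELDS = ("key", "id", "type", "version")
EVENT_REQUIRED = ("type", "date", "sensor", "plugin_id", "plugin_sid")
PROTOCOLS = {"TCP", "UDP", "ICMP", "1", "6", "17"}  # names or IANA numbers


def parse_message(line):
    """Return (msg_type, fields) for one ISGP line; raise ValueError if malformed."""
    msg_type, _, rest = line.rstrip("\r\n").partition(" ")
    if msg_type not in ("connect", "event"):
        raise ValueError("unknown message type %r" % msg_type)
    fields, rest, pos = {}, rest.strip(), 0
    while pos < len(rest):
        match = _PAIR_RE.match(rest, pos)
        if match is None:
            raise ValueError("malformed pair near offset %d: %r" % (pos, rest[pos:pos + 20]))
        key, quoted, bare = match.groups()
        if bare is not None and bare.startswith('"'):
            raise ValueError("unterminated quoted value for %r" % key)
        if key in fields:
            raise ValueError("duplicate field %r" % key)
        fields[key] = quoted if quoted is not None else bare
        pos = match.end()
        while pos < len(rest) and rest[pos] == " ":  # skip pair separators
            pos += 1
    return msg_type, fields


def validate_connect(fields):
    """Problems found in a CONNECT message (empty list means it is acceptable)."""
    problems = ["missing field %s" % n for n in CONNECT_FIELDS if n not in fields]
    if "key" in fields and len(fields["key"].encode("utf-8")) != 16:
        problems.append("key must be exactly 16 bytes")
    if "id" in fields and not (fields["id"].isdigit() and int(fields["id"]) >= 1):
        problems.append("id must be an integer >= 1")
    if fields.get("type", "sensor") != "sensor":
        problems.append("type must be 'sensor'")
    return problems


def validate_event(fields):
    """Problems found in an EVENT message (empty list means it is acceptable)."""
    problems = ["missing field %s" % n for n in EVENT_REQUIRED if n not in fields]
    if fields.get("type", "detector") not in ("detector", "monitor"):
        problems.append("type must be detector or monitor")
    if "protocol" in fields and fields["protocol"].upper() not in PROTOCOLS:
        problems.append("protocol must be TCP, UDP or ICMP")
    for name in ("src_port", "dst_port"):
        if name in fields and not (fields[name].isdigit() and int(fields[name]) <= 65535):
            problems.append("%s must be a port number" % name)
    return problems


def parse_stream(lines):
    """Parse and validate every line; return (accepted, rejected), where
    rejected holds (line, reason) so that bad input is logged, not lost."""
    accepted, rejected = [], []
    for line in lines:
        try:
            msg_type, fields = parse_message(line)
            check = validate_connect if msg_type == "connect" else validate_event
            problems = check(fields)
            if problems:
                raise ValueError("; ".join(problems))
            accepted.append((msg_type, fields))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


# Constructed sample stream: the CONNECT key and version are made-up values,
# the first EVENT is the sshd example from the page, the last line is malformed.
SAMPLE_STREAM = [
    "connect key=0123456789abcdef id=1 type=sensor version=1.0\n",
    'event type="detector" date="2006-08-09 12:12:11" sensor="192.168.1.10" '
    'interface="eth1" plugin_id="4002" plugin_sid="1" priority="1" '
    'src_ip="192.168.1.8" dst_ip="192.168.1.8" data="user1" '
    'log="Aug 9 12:12:11 ossimsensor sshd[6466]: (pam_unix) authentication '
    'failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=user1"\n',
    'event type="detector" date="2006-08-09 12:12:12" sensor=192.168.1.10 bogus\n',
]

if __name__ == "__main__":
    ok, bad = parse_stream(SAMPLE_STREAM)
    for msg_type, fields in ok:
        print(msg_type, sorted(fields))
    for line, reason in bad:
        print("rejected:", reason)
```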
port="80" application="CCO/4.0.3 (Unix) tomcat" protocol="6" plugin_id="1516" service="www" date="2006-03-27 07:59:54" plugin_sid="1" log="blablablablabla"
- Description:
host: the IP of the machine that generated the event
sensor: the IP address of the sensor that generated the event
interface: the network interface
port: the port opened on the host machine
protocol: one of the protocols TCP, UDP or ICMP
[Figure: architecture of the network security information receiving system SIGS: users and guests report through the Business Control Gate to SAMS (SIG Gate), while the dedicated sensors, the commercial security devices (IDS/IPS, antivirus, firewall), the network security information gathering software and foreign monitoring systems feed the NSIAR module; SIPS sits behind both.]
The network security information receiving system SIGS consists of two main components, which receive two types of incident reports with different characteristics, namely:
+ The automatic network security information gathering subsystem (NSIAR), whose function is to receive network security information from the network security information gathering software and from the in-house developed sensors.
+ The subsystem supporting the handling of network security incident reports (SAMS), whose function is to support the reception and handling of network security incident reports. This subsystem consists of two modules:
* The gate receiving network security incident reports from users (Business control gate).
* The module supporting the handling of network security incident reports (SIG Gate).
III.2.3. Research, design and construction of the subsystem supporting the handling of network security incident reports - SAMS
III.2.3.1. Researching and building the incident report handling procedure
The incident report handling procedure was built to comply fully with the RITR information security assurance procedure and consists of the following basic steps:
[Figure: incident report handling workflow: 1. Receive the network security incident report; 2. Check and update the incident report (2.1 Delete the report); 3. Create the network security incident; 4. Handle the incident; 5. Close the incident.]
This subsystem allows information to be updated quickly so that experts can detect early the risks that may develop into network security incidents. The subsystem must also meet the following specific requirements:
- Provide a page offering the network security incident reporting function as a website with a simple and convenient interface, so that citizens can easily submit reports.
- Provide functions allowing experts to add updated information to an incident report during the investigation.
- Provide a function to create network security incidents.
- Provide a function to update the incident handling process.
- The subsystem's storage must be able to fully store the information and reports on network security incidents.
Users of the system:
- Citizens who need to report network security information
- Security experts
The system's input data include:
- Incident reports from users
o Information about the sender of the report
o Type / topic of the incident
o Description of the incident
o Measures taken and their results
- Detailed updates to the incident report via email, internal message or telephone
The system's output data include:
- Reports sent to users about the handling measures, or requests for additional information
- Network security incidents
- Network security incident reports
III.2.3.3. Overall design and components of SAMS
[Figure: SAMS components: users and guests connect through the Business Control Gate to SAMS and the SIG Gate.]
in the future it can receive network security events from different sources such as commercial and open-source network security products, and domestic and foreign security monitoring systems, etc.
In terms of management and control, NSIAR has no management interface of its own; it is a background service and must be designed to integrate easily with the SIPS system in order to receive control commands, without affecting the operation of other services on the same system.
NSIAR must be able to connect to more than 50 sensors and to receive 100,000 network security events per day.
The system was developed in an open-source environment, specifically:
- Operating system: Linux kernel version 2.6.32
- Database management system: MySQL version 5.1.41
- Programming language: C with GLib and GTK+
- Input data
- The input data of the NSIAR subsystem include:
o Requests to establish a connection channel, sent to NSIAR by the sensors and the network security information gathering software
o Network security events sent to NSIAR by the sensors and the network security information gathering software
o Control commands sent to NSIAR by SIPS
- The output data of the system include:
o Network security events stored in the database
o Control commands sent to the sensors.
- The actors related to the NSIAR subsystem include:
o The dedicated sensors: provide NSIAR with the network security events they detect.
o The network security information gathering software: provides network security events collected from commercial network security products such as IDS, antivirus and firewalls.
[Figure: architecture of the NSIAR subsystem: the dedicated sensors and the network security information gathering software (commercial IDS/IPS, antivirus, firewall) send network security packets to the receiving module NSAIR-R (1. receive), which passes them to the analysis module NSAIR-A (2. analyze, using the sensor/software catalogue) and the database interaction module NSAIR-DI (3.1 store, 3.2 retrieve) working against the database; the control module NSAIR-C (4. control, configuration files) receives control commands from SIPS.]
the network security information gathering software is upgraded or changed, NSAIR-A does not need to change much but only needs an additional information analysis schema; similarly, NSAIR-A can also analyze the packets sent directly to SIGS or NSAIR-C by other commercial network security software/devices, provided the schema of their transmitted information format is available.
NSAIR-A includes the following basic use cases:
o Updating the information analysis schema
o Analyzing information.
Database interaction module NSAIR-DI
The NSAIR-DI module interacts with the common database system of SIGS to retrieve and store data, supporting the operation of the other business processing modules in the NSAIR subsystem.
NSAIR-DI has two main functions:
o Receiving data retrieval and storage requests from the other modules in the NSAIR-DI subsystem
o Retrieving data from the database
o Storing data in the database
o Sending replies to the data retrieval requests from the other modules in the NSAIR-DI subsystem.
Operation control module NSAIR-C
The operation of the NSAIR subsystem consists of internal services running in the background, which do not offer the user a direct control interface to those internal services. Through the interface of the SIPS system, the user can send a number of control commands to the NSAIR services, such as starting or restarting the information receiving service, changing the information analysis services, and modifying or updating the catalogue of information sources, etc. These control commands are not sent by SIPS directly to NSAIR's component services such as NSAIR-A or NSAIR-R but are executed through the control module NSAIR-C. This module receives the control commands from SIPS and then
III.3. Conclusion
The project's research team has fully completed the objectives and tasks registered for branch 3, "Development of the central network security information gathering software system (SIGS)". This is the system that receives, processes and integrates network security information and updates it into the network security monitoring database, allowing the network security situation to be updated 24/24. All the targets achieved by the research team met or exceeded the registered levels. The delivered product was tested at several stages and successfully trialled for the network security monitoring and incident response operations at the Vietnam Computer Emergency Response Team.
- Severity level
- Introduction
- Alert description
- Impact
- Technical characteristics
- Affected software and systems
The above contents can be customized to suit the form in which alerts are sent to users.
IV.4. Research, analysis and design of the communication protocol between the SIPS system and the dedicated sensors.
For the management system to operate smoothly, there must be an effective way of communicating between the system's components. Therefore we need to analyze, design and build the communication protocol between the SIPS system and the dedicated sensors.
format, so it must be standardized. Standardizing the data brings the information into a uniform structured form that is stored centrally to serve later purposes.
IV.5.1. Monitoring system
A monitoring system is a system that tracks and captures the operating state of other devices and systems, and collects and aggregates the related information in order to draw conclusions when incidents occur.
Purposes of the monitoring system:
- Detect incidents early.
- Proactively plan replacements or upgrades.
- Diagnose incidents.
IV.5.2. Model of the monitoring system
The basic components of the monitoring system are:
- Sensors: the components that collect information from the network, usually placed dispersed across the network segments.
- Collector: receives the information from the sensors and normalizes it.
- Central database: where all the data of the information collection process is stored.
IV.5.3. Information commonly monitored
From the study of other monitoring systems around the world, we see that the following information is commonly included in the monitoring list:
- Web service monitoring.
- FTP service monitoring.
- E-mail service monitoring.
- Resource usage monitoring.
IV.5.4. Monitoring according to 10 criteria
From the research carried out, we identified ten criteria that need to be tracked and reported. These criteria are the most essential information for grasping the national network security situation. Therefore, the monitoring system must have
- Green: normal state, no new threat detected.
- Yellow: a new threat has been detected and is being tracked; attacks exist but the damage is not yet serious.
- Orange: an attack causing serious damage is in progress.
- Red: widespread disruption of operations across the whole Vietnamese cyberspace.
The alert module provides the most important function of the network security management system: sending alerts to the users concerned. The system has a procedure for users to subscribe to the alert list, as well as to unsubscribe when they no longer need alerts. The alerts are written in content suited to the corresponding delivery form and are sent automatically to the list of users who registered to receive the information. This is a necessary procedure that helps useful information reach users quickly.
IV.8. Analysis and design of the module for managing the dedicated sensors.
As we know, the system performing the monitoring and tracking function consists of many dedicated sensors deployed at many different locations to collect information. The system needs a centralized management interface that monitors the operating state of the sensors, so that the administrator can easily follow the sensors' status and perform the necessary tasks from the main system.
IV.8.1. Overall management of all sensors
This function provides an overview of all the sensors in the Internet security monitoring network. It supports system users in performing the following tasks to manage the sensors in the monitoring network:
- Statistics on all sensors and their operating state: in this interface, the user quickly sees the most basic information about the list of sensors and their operating status.
[Table: access rights of the Admin, User and Reporter roles over the functions Home page, Statistics, Reporting, Information receiving and User/object administration.]
Conclusion: the research results show that access authorization is indispensable for large information systems serving many users. Applying the open-source software phpGACL makes managing user access to the system's components more flexible.
IV.10. Analysis and design of the interface supporting 24/24 network security situation monitoring.
For a system that interacts with users, the user interface is a very important component. This interface supports users in interacting with the system and performing tasks quickly and accurately. Therefore, we need to research and analyze in order to build the system's interfaces so as to give users the greatest possible support.
IV.10.1. Analysis of the functions of the components in the network security monitoring interface
Based on the design model of the system's functions, we can identify the functional components that interact with the user. For each of these components, we need to design a user interface that is convenient for the system's users. From the functional analyses, we determine the information that must be present in the user interface.
IV.10.2. Building the interface for each function
From the above analyses, we can build the corresponding graphical interfaces and the picture of how the system interacts with users. The information required in the interface is displayed in suitable objects such as buttons, selection lists and forms. Some criteria for building the user interface are:
- The interface is compact, clear and not confusing
- Many chart interfaces are provided for the statistics function
- Functions are separated and do not overlap
- Help information for the user's actions is shown when needed
Building statistical charts of the traffic on the network interfaces
IV.11.3. Alert module
This module must have the following main functions:
- Managing the subscription list: allows adding/removing the users registered in the system.
Tracking and recording the attack activities of hackers in cyberspace, detecting intrusions, and detecting attack signatures and anomalous signs. The collected information is sent to and stored in the database (CSDL) of the monitoring center.
Figure V.4: Architecture model of the adaptive intrusion detection system
The adaptive intrusion detection system is based on mining the data collected from the sensor devices. The system is built on the adaptive regeneration model: it collects data from the sensors and builds the intrusion detection model by itself. A new anomaly detection algorithm was developed to make the model more effective and to avoid noisy data. The algorithm is built on the basis of tolerating a small amount of unclean data mixed with the network's normal traffic. The model runs automatically, based on a number of mechanisms that let the user quickly and easily set up the data sets and the signature detection model and apply them to the system's intrusion detection component.
The basis of the system is a probabilistic algorithm capable of adapting to a certain amount of noisy data that may exist in the system (see report 5.1.1).
Regarding the exchange of information with the monitoring center and the management of the sensor software configuration, the team studied the possibility of using available open-source software versus developing new protocol software. After studying and testing the options, the team proposed remote access over a secure SSH connection. Through a session established with SSH, updating the sensor configuration as well as changing the software configuration on the sensor is entirely easy. In addition, the team proposed a virtual private network connection for the sensor devices to connect to the monitoring center.
V.2.2. Research on the design of the sensor device system
Studying the hardware solutions, for example those of Endace [9] or several others from Symantec and ArcSight, shows that these vendors usually
[Installer report output: df, free and /proc/cmdline listings of the test machine (tmpfs and /dev/sda1 file systems, memory and swap figures, and a preseeded boot command line).]
[Figure: service and resource monitoring with the processing center: an agent installed at the endpoint checks the running services, and the processing center collects and displays the results.]
[Figure: sensor processing flow: decode the packet, apply the layered rule set, check for attack signs and then for anomalous signs, and store and raise an alert when either is found.]
V.4. Conclusion
The research and analysis results, based on the research reports carried out in the project, show that selecting the device configuration for manufacturing the sensors and the sensor software must be weighed against many criteria, as presented in the report.
Integrating open-source software is the feasible solution chosen in the project. This solution allows mastering the technology and developing and adding the necessary functions to suit the sensors' environment of use and the current conditions of Vietnam.
The results and products meet the requirements set out in the project description KC.01.09/06-10. The research results can be applied immediately in practice. An illustrative practical application is presented in [15]. The authors also published the research results in several papers [16-19].
- Processor speed: 2.5 GHz
- Hard disk: SATA, 250 GB, 8 MB cache
- Memory: 2 GB
- RAID: Smart Array 5i controller supporting RAID 0, 1, 5
- Power supply: 2 x 400 W
- Ethernet: 2 x 10/100 Mb/s
- Optical drive: DVD RW
- Form factor: 2U
- Network ports: 2 ports, 10/100 Mbps, RJ45 CAT5E
- Monitoring ports: 2 ports, RJ45 CAT5E
Software: the network security information gathering sensor software is installed.
Sensor device model 2: hardware details
HP ProLiant ML150 G6, Intel Xeon quad-core
- Processor speed: 2.5 GHz
- Hard disk: SATA, 2 x 240 GB, 8 MB cache
- Memory: 4 GB
- RAID: supports RAID 0, 1, 10
- Power supply (+ redundant): 2 x 400 W
- Ethernet: 2 x 10/100/1000 Mb/s
- Optical drive: DVD RW
- Form factor: 2U
- Network ports: 2 ports, 1 Gbps, RJ45 CAT5E
- Monitoring ports: 2 ports, RJ45 CAT5E
Software: the network security information gathering sensor software is installed.
Sensor device model 3: hardware details
- Processor speed: 3.0 GHz
- Hard disk: Ultra 320 SCSI, 3 x 72 GB, 8 MB cache
- Memory: 4 GB
- RAID: Smart Array 5i Plus controller, RAID 0, 1, 5
- Power supply: 2 x 400 W
- Ethernet: 3 x 10/100/1000 Mb/s
- Optical drive: DVD RW
- Form factor: 2U
- Network ports: 2 ports, 1 Gbps, RJ45 CAT5E
- Monitoring ports: 2 ports, RJ45 CAT5E
- Redundant power supply: supported
Software: the network security information gathering sensor software is installed.
[Table: required functions of the sensor versus response capability (packet capture, device administration, attack detection, control of the software utilities integrated in the sensor, bandwidth usage measurement, 10/100/1000 and 10/100 network interfaces, continuous operation over several days); every entry recorded as Ok.]
V.6.3. Checking the functions of the endpoint software on Windows
Test cases: the aim of these tests is to check the sensor's packet capture functions, the sensor device administration functions, and the functions detecting signs of attack on the network, etc.
Test method: check whether the software on the endpoint machine has the listed functions, and whether those functions work and work as designed.
The details of the tests are recorded in the following table.
[Tables: required functions versus response capability for the endpoint software and sensor tests (packet capture, device administration, control of the integrated software utilities, bandwidth usage measurement, 10/100/1000 and 10/100 interfaces); every entry recorded as Ok.]
- Attack name
- Attack code
- Attack severity
- Attack signature
- Attack confidence
- Admin domain
- Sensor name
- Network interface
- Source IP
- Source port
- Destination IP
- Destination port
- Category
- Sub-category
- Direction
- Result status
- Detection mechanism
- Application protocol
- Network protocol
- Related
b) Network security information from the ISS IDS device
The ISS IDS device is called Proventia; in principle Proventia can forward its alerts to the network security information gathering software using the Syslog and SNMP standards. The information in Proventia's alerts comprises the following:
- Alert code
- Alert format version
- Alert name type
- Alert name
- Source IP
- Source port
- Destination IP
- Destination port
- Time (real number)
- Local Timezone Offset
- Alert accuracy
- Alert Time Sequence ID
- Alert code
- Sensor address
- Sensor name
- Product code
- Alert type
- Alert priority
- Alert flag
- Pair count
- Response
- Blob count
c) Network security information from the integrated security device MiDFS
MiDFS is an integrated security device providing full firewall and IDS functions, in which the open-source software Snort performs the detection of intrusions and unauthorized attacks. Snort is one of the most widely used IDS today. Snort is open-source software of good quality, operates stably and has a rich signature repository that allows it to detect information security events quite accurately, while users do not have to pay for it at all; these are the basic reasons why Snort has become so popular. Integrating Snort into the network security monitoring system makes it possible to receive a great many alerts coming from many different information sources in the real networks being deployed. The Snort IDS software supports 03 mechanisms for storing incident reports: using the SNMP protocol, storing
- Kernel version
- Action (Drop/Reject)
- Direction
- Communication standard
- Source IP
- Source port
- Source MAC address
- Destination IP
- Destination port
- Destination MAC address
- Length
- Type of service (TOS)
- Type
- Incident category
- User
- Incident code
- Affected machine
- Description
- Incident database
- Affected file
- Action
c) Network security information from the ClamAV antivirus software
ClamAV is open-source virus detection software, used on Linux gateway systems or on Windows workstations. ClamAV has a large community and updates its virus database very quickly, so this software is very widely used. The alert content of the ClamAV antivirus software includes the following main information:
- Date of occurrence
- Time
- Source
- Type
- Incident category
- Incident code
- Affected machine
- Description
- User on the infected machine
- Affected file
- Action
VI.3.2. Structure and normalization of network security information
Because the network security data are collected from many network security products of many types and from different manufacturers, they have different contents and are presented in different formats. Therefore normalizing these data so that
Column          | Type         | Null | Description
id              | bigint(20)   | No   | Incident code
timestamp       | timestamp    | No   | Time
sensor          | text         | No   | Sensor name
interface       | text         | No   | Interface
type            | int(11)      | No   | Sensor type
plugin_id       | int(11)      | No   | Plugin code
plugin_sid      | int(11)      | No   | Sub-plugin code
plugin_sid_name | varchar(255) | Yes  | Sub-plugin name
protocol        | int(11)      | Yes  | Protocol
src_ip          | int(10)      | Yes  | Source IP address
dst_ip          | int(10)      | Yes  | Destination address
src_port        | int(11)      | Yes  | Source port
dst_port        | int(11)      | Yes  | Destination port
priority        | int(11)      | Yes  | Priority
reliability     | int(11)      | Yes  | Reliability
filename        | varchar(255) | Yes  |
(name lost at page break) | varchar(255) | Yes |
userdata2       | varchar(255) | Yes  |
userdata3       | varchar(255) | Yes  |
userdata4       | varchar(255) | Yes  |
userdata5       | varchar(255) | Yes  |
userdata6       | text         | Yes  |
userdata7       | text         | Yes  |
userdata8       | text         | Yes  |
userdata9       | text         | Yes  |
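As an added example (not the project's own code), the function below maps an already-parsed ISGP event onto the columns of the table above, converting IPs to the unsigned integers of the int(10) columns, and then applies the risk formula of the earlier example table (risk = asset * (priority * reliability / 25)). The type codes, the plugin catalogue, the default asset value and the sample event are assumptions constructed for the example; the two asset values 5 and 1 are the ones from the page's risk example.

```python
"""Normalize a parsed ISGP event into the event table above and compute the
risk of the earlier example (risk = asset * (priority * reliability / 25))."""
import ipaddress
from datetime import datetime

TYPE_CODES = {"detector": 1, "monitor": 2}        # assumed encoding of `type`
PROTO_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17}  # IANA protocol numbers
DATE_FMT = "%Y-%m-%d %H:%M:%S"                     # the date format used on the page

# Constructed plugin catalogue: (plugin_id, plugin_sid) -> name, priority, reliability.
PLUGIN_SIDS = {
    (4002, 1): {"name": "sshd: authentication failure", "priority": 5, "reliability": 10},
}
# Asset values of the two servers from the page's risk example.
HOST_ASSET = {"192.168.1.111": 5, "192.168.1.135": 1}
DEFAULT_ASSET = 2  # assumed asset for hosts missing from the host table


def ip_to_int(text):
    """Dotted-quad IPv4 -> unsigned 32-bit integer, the int(10) representation."""
    return int(ipaddress.IPv4Address(text))


def proto_to_int(value):
    """Protocol name or number -> IANA protocol number (None when absent)."""
    if value is None:
        return None
    value = value.strip().upper()
    if value in PROTO_NUMBERS:
        return PROTO_NUMBERS[value]
    if value.isdigit():
        return int(value)
    raise ValueError("unknown protocol %r" % value)


def risk(asset, priority, reliability):
    """Risk as in the example table: asset * (priority * reliability / 25)."""
    return asset * priority * reliability // 25


def normalize_event(ev, event_id):
    """Map a parsed EVENT message to a dict keyed by the table's column names."""
    for name in ("date", "sensor", "interface", "type", "plugin_id", "plugin_sid"):
        if name not in ev:                       # NOT NULL columns need a source
            raise ValueError("event lacks required field %r" % name)
    plugin_id, plugin_sid = int(ev["plugin_id"]), int(ev["plugin_sid"])
    catalog = PLUGIN_SIDS.get((plugin_id, plugin_sid), {})
    # The priority carried in the message is deprecated, so the catalogue wins.
    msg_priority = int(ev["priority"]) if "priority" in ev else None
    row = {
        "id": event_id,
        "timestamp": datetime.strptime(ev["date"], DATE_FMT),
        "sensor": ev["sensor"],
        "interface": ev["interface"],
        "type": TYPE_CODES[ev["type"]],
        "plugin_id": plugin_id,
        "plugin_sid": plugin_sid,
        "plugin_sid_name": catalog.get("name"),
        "protocol": proto_to_int(ev.get("protocol")),
        "src_ip": ip_to_int(ev["src_ip"]) if "src_ip" in ev else None,
        "dst_ip": ip_to_int(ev["dst_ip"]) if "dst_ip" in ev else None,
        "src_port": int(ev["src_port"]) if "src_port" in ev else None,
        "dst_port": int(ev["dst_port"]) if "dst_port" in ev else None,
        "priority": catalog.get("priority", msg_priority),
        "reliability": catalog.get("reliability"),
        "filename": ev.get("filename"),
    }
    # Free-form columns: log, payload and username go into userdata1..3; the
    # varchar(255) columns (1-5) are truncated, the text columns (6-9) are not.
    extras = [ev.get("log"), ev.get("data"), ev.get("username")]
    for i in range(1, 10):
        value = extras[i - 1] if i <= len(extras) else None
        row["userdata%d" % i] = value[:255] if (value is not None and i <= 5) else value
    return row


def event_risk(row):
    """Risk of a normalized row, using the destination host's asset (assumed)."""
    if row["dst_ip"] is None or row["priority"] is None or row["reliability"] is None:
        return None
    host = str(ipaddress.IPv4Address(row["dst_ip"]))
    return risk(HOST_ASSET.get(host, DEFAULT_ASSET), row["priority"], row["reliability"])


# Constructed sample: the page's sshd event, aimed at Server A of the risk example.
SAMPLE_EVENT = {
    "type": "detector", "date": "2006-08-09 12:12:11", "sensor": "192.168.1.10",
    "interface": "eth1", "plugin_id": "4002", "plugin_sid": "1", "priority": "1",
    "protocol": "TCP", "src_ip": "192.168.1.8", "dst_ip": "192.168.1.111",
    "dst_port": "22", "data": "user1",
    "log": "Aug 9 12:12:11 ossimsensor sshd[6466]: (pam_unix) authentication failure; "
           "logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=user1",
}

if __name__ == "__main__":
    normalized = normalize_event(SAMPLE_EVENT, 1)
    for column in ("src_ip", "dst_ip", "protocol", "priority", "reliability"):
        print(column, normalized[column])
    print("risk", event_risk(normalized))
```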
VI.3.3. Overall design of the software receiving commercial network security information
VI.3.3.1. Analysis of the requirements
As presented above, integrating network security devices into the network security monitoring system, where they act as sensors providing network security information, expands the sources of information, allows incidents to be received quickly, and reflects consistently the network security developments taking place in the Internet environment. At the same time, making use of the available network security devices/software saves investment costs, minimizes changes to the network infrastructure to be monitored, and allows the monitoring network to be deployed quickly.
According to the project's design outline, the sources of network security information are divided into three types:
- Firewall devices / software (FW)
- Intrusion and attack detection devices / software.
- Virus detection and prevention devices / software.
Corresponding to these three types of information sources, 03 software modules are built to receive them: GFW, GIDS and GAG. Thus each module only has the function of receiving network security information from one type of source.
VI.3.3.2. Integrated solution for receiving network security information
However, after the research, the expert team found that building 03 independent modules to collect separately from each type of data source would make deployment less convenient than integrating all the receiving functions for the information sources into one piece of software. This software will include not only the three modules GFW, GIDS and GAG above but can also be upgraded with many more modules to collect network security information from many different sources. In practice, besides the three information sources
[Figure: architecture of the integrated receiving software: the Device Connector receives alerts from firewall, IDS and antivirus devices and passes them to the GFW, GIDS and GAG modules, which use the plugin database and forward the normalized events to SIGS through the SIGS connector.]
The data flow diagram of the function receiving network security information from antivirus software is described as follows:
[Figure: data flow for antivirus alerts: Symantec Antivirus, McAfee Antivirus and ClamAV alerts pass through the Device Connector to the receiving module, which uses the antivirus plugin database and sends the events to the SIGS connector.]
[Figure: data flow for IDS/IPS and firewall alerts: Proventia IDS/IPS and MiDFS firewall/IDS alerts pass through the Device Connector to the GIDS module, which uses the plugin database and sends the events to the SIGS connector.]
Input of the GIDS module
- Reports from IDS devices / software, received by the device connector and then forwarded to GIDS.
- Plugin data containing the data needed to analyze the reports from IDS devices / software. Within this project, 02 formats are supported for receiving alerts: from the ISS IPS Proventia and from the Snort IDS installed on MiDFS.
Output of the GIDS module
- IDS reports about network security problems in the standard network security incident report format.
Function of the GIDS module
- Generate standard network security incident reports (Event) describing network security incidents from the reports of IDS or IPS devices / software.
VI.3.3.7. Information receiving module - Device Connector
The device connector module opens the ports for receiving network security information from the network security devices and software. The module checks the source and forwards the information to the appropriate processing module:
- If the source of the report is an IDS or IPS device, forward to the GIDS module,
McAfee
ClamAV.
o Besides, the software can receive information from:
the network traffic management software Ntop
the Iptables firewall
the intrusion detection software Snort, and a number of other network security and network management products.
- The function of normalizing network security information and providing it to the central network security information receiving system SIGS.
To ensure the receiving software keeps running continuously, especially when the amount of received information surges above the receiving capacity of the SIGS system or the speed of the data link, the software is equipped with a buffering mechanism in the form of a queue that temporarily stores the information that cannot be forwarded in time and gradually forwards it later.
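As an added example (not the project's code), here is a bounded store-and-forward queue of the kind the paragraph describes, together with a constructed stand-in for a SIGS link that accepts only a few events per interval; the capacity, rate and event ids are made-up values. It shows the two properties a defender wants from such a buffer: events are forwarded in their original order, and any loss caused by the bound is counted rather than silent.

```python
"""Store-and-forward buffer between the receiving side and the SIGS link:
events that SIGS cannot take in time are queued and drained later, with
bounded memory and explicit loss accounting."""
from collections import deque


class ForwardQueue:
    """Bounded FIFO. When full, the oldest event is dropped and counted, so
    the loss shows up in monitoring instead of disappearing."""

    def __init__(self, capacity):
        self.pending = deque()
        self.capacity = capacity
        self.dropped = 0
        self.forwarded = 0

    def enqueue(self, event):
        if len(self.pending) >= self.capacity:
            self.pending.popleft()
            self.dropped += 1
        self.pending.append(event)

    def drain(self, send, max_batch=None):
        """Forward pending events in order. `send(event)` returns True when
        SIGS accepted the event; stop at the first refusal so that order is
        preserved and the refused event is retried on the next drain."""
        sent = 0
        while self.pending and (max_batch is None or sent < max_batch):
            if not send(self.pending[0]):
                break
            self.pending.popleft()
            sent += 1
            self.forwarded += 1
        return sent


class SlowLink:
    """Constructed stand-in for the SIGS link: accepts `rate` events per interval."""

    def __init__(self, rate):
        self.rate = rate
        self.delivered = []
        self._left = rate

    def new_interval(self):
        self._left = self.rate

    def send(self, event):
        if self._left == 0:
            return False          # SIGS is saturated for this interval
        self._left -= 1
        self.delivered.append(event)
        return True


def simulate(burst, capacity, rate, rounds):
    """Feed `burst` events at once (ids 0..burst-1), then drain for `rounds`
    intervals; return what SIGS received and what the buffer lost or kept."""
    queue = ForwardQueue(capacity)
    link = SlowLink(rate)
    for i in range(burst):
        queue.enqueue({"id": i})
    for _ in range(rounds):
        link.new_interval()
        queue.drain(link.send)
    return {"delivered": [e["id"] for e in link.delivered],
            "dropped": queue.dropped, "pending": len(queue.pending)}


if __name__ == "__main__":
    print(simulate(burst=10, capacity=8, rate=3, rounds=2))
```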
To ensure stability and limit failures, the software was developed under a strict monitoring and testing process: from the independent modules, through integration testing and trials in a simulated environment, and only then into real-world testing. The software has been under trial since 2009 and in real operation since September 2010, providing network security information to the central processing system for the network security monitoring and incident response work of the VNCERT center.
VI.4. Conclusion
The project's research team has fully completed the objectives and tasks registered for branch 6, "Development of solutions and tools for integrating a number of commercial network security devices popular in Vietnam into the national network security monitoring system", as registered in the approved outline. The team also finalized a product that operates stably and is capable of receiving network security information from more than 9 commercial network security devices/software (6 products were registered) and a number of network management and security software
VII.2. Description of the trials
Adjusting the entire overall design on the basis of analyzing and evaluating the trial results of the "Vietnam network security monitoring system", comparing the trial results with the theoretical research results
VII.2.1. Analysis and evaluation of the trial results
The purposes of the trials are:
1. Trial and measurement of the operating parameters of the whole system;
2. Analysis and evaluation of the performance of the whole system, compared with the theoretical results.
a) Trial method and environment
Trial method
The sensors were placed at suitable positions according to the 3 options presented in section 2.2.1. The sensor device is used with 2 network ports: one port connects to the monitored network through a Tap device, and one port connects to the monitoring center.
The Tap device listens to the data on the link, copies it and sends it to the sensor. With this method, the sensor's operation does not affect the monitored network.
To check the software functions, the most general method is to check the ability to fulfil each function. For the functions that record network attacks and intrusions, network security incidents and anomalous behaviour, a number of software tools were used to inject attack data into the network, for example password guessing attempts, reconnaissance port scans and network scans for information gathering.
b) Place and time
Trial location:
[Figure: trial environment legend: server, personal computers, commercial firewall device, modem, Internet environment, Internet connection line, internal Ethernet 100 Mb/s line, switch, and the dedicated monitoring device (sensor), which can be placed at several positions (the LAN, the server network and the Internet).]
b) Trial content and results:
Content of the test measurements
Based on the trial method, 07 trials were carried out to check the sensor's operating functions against the design. The details of the tests are recorded in the following table.
[Table: trials no. 01, 02, 03 and 04 and their results.]
ng t cc thit b h phn mm thu
thp thng tin:
- H thng thu thp an ton thng tin mng
SIGS c kh nng tip nhn y cc s
kin do cc senser gi n.
- Tc tip nhn chp nhn c, khng
c hin tng st gim tc hoc nghn
x l.
- T l x l ca CPU lun t di 25%.
- Khng c bt c mt sai st no trong
khu tip nhn cc s kin
- H thng hon ton hot ng tt trn
mi trng mng Internet thc t.
* Phn tch v nh gi chung:
- Qua vic nh gi phn h tip nhn
thng tin an ton mng t ng ti cc mi
trng th nghim v mi trng thc t
cho thy h thng hot ng tt, n nh
p ng y yu cu ca thuyt minh
v cng c duyt.
- Vi my ch tc trung bnh nh trong
qu trnh th nghim p ng hon ton
tt cc th nghim c s s kin ln ln
n trn tm triu s c trong vng 3 ngy.
- V mt nguyn tc, phn h hon ton
p ng kh nng tip nhn thng tin an
ton mng t ng t 50 ngun sensor tc
cao hoc 500 im u cui vi tc
100.000 s kin / ngy.
- Cc kt qu o th nghim cho cc chc
nng gim st 24/24, thng k v phn tch
cc a ra cc cnh bo hot ng
tt, p ng cc yu cu ra trong
thuyt minh ti. Cc chc nng ny hot
ng trn cc thit b sensor, c th ci t
nhiu v tr khc nhau trn mng. Kt
qu kim tra th nghim th hin cc
253
STT
05
06
Kt qu th nghim
STT
07
Kt qu th nghim
hin sai du hiu virus.
* Chc nng phn mm theo di an ton
mng ti u cui:
- Kt qu th nghim cho thy cc thit b
sensor hot ng tt, p ng cc yu cu
ra trong ti. Bng o th cho thy
thit b sensor p ng cc yu cu chc
nng phn mm trong vic bt gi cc gi
tin, ghi nhn cc tn cng xm nhp mng,
s c an ton mng v cc hnh vi bt
thng; kim tra mt s chc nng/tin ch
khc ca sensor nh: ghi nht k, giao din
qun l, kt ni gia sensor v trung tm
gim st,
- Cc kt qu o th nghim cho thy thit
b sensor hot ng tt p ng cc yu
cu ra trong thuyt minh ti. Cc
thit b sensor c th ci t trn mng
nhiu v tr khc nhau. Kt qu kim tra
th nghim th hin cc m un phn
mm p ng cc chc nng theo yu cu
ca ti.
* Gii php tch hp mt s thit b an
ton mng thng mi ph bin Vit
Nam vi h thng gim st:
- Cc thit b v phn mm bo mt
thng mi u pht hin tt cc trng
hp to s c an ton mng gi nh bao
gm:
+ Ly nhim virus
+ Tn cng mng
+ Vi phm cc chnh sch an ton mng
c thit lp
- Cc s c an ton mng c cp nht
y t thit b / phn mm pht hin
thng qua phn mm thu thp thng tin an
ton mng ri cp nht ln h thng gim
255
STT
Kt qu th nghim
st an ton mng trung tm.
- S tham gia ca cc thit b / phn mm
bo mt thng mi cho thy kh nng thu
thp c d liu lin quan n an ton
mng t nhiu ngun khc nhau trn ton
quc, gp phn pht hin nhanh chng v
chnh xc cc s c c th xy ra.
Evaluation results:
Based on the measurements above, the trial results are shown in the following table:
Test case | Required function | Result
01 | Test of the sensor's subsystem for recording network security incidents and network attacks | Good
02 | Test of the network traffic monitoring function (measuring traffic usage, monitoring the operating state of the network and its services, monitoring bandwidth utilisation, tracking attacks in progress and warning of latent risks to the network) | Good
03 | Test of the sensor's network security weakness scanning function and of the system and service monitoring function (monitoring and sending an alert whenever a server, device or service stops working, etc.) | Good
04 | Test of the integrated network security monitoring database system | Good
05 | Evaluation of compatibility with the international standards for exchanging incident information and network attack information, for automatic exchange with other systems at home and abroad | Fully compatible with the IODEF standard
06 | Test of the incident report handling support subsystem in the central network security information collection software system | Good
07 | Test of the subsystem for automatically receiving network security information from the information-collection devices/software | Good
08 | Test of the 24/24 monitoring, statistics and analysis functions that issue alerts and guidance to individuals and organisations in Vietnam, in the operational software system for monitoring-statistics-alerting and control | Good
09 | Test of the integrated protective firewall system (IDS/IPS functions, setting protection policies, storing activity logs, updating into the network security information collection database) | Good
10 | Test of the content filtering function (detecting and blocking access to banned addresses, setting filtering policies) | Good
11 | Test of the virus and malware detection function (detecting and blocking access to data containing viruses or malware) | Good
12 | | Good
13 | | Good
General evaluation
The trial results show that the sensor devices operate well and meet the requirements set out in the project. The measurement table shows that the sensor meets the software functional requirements for capturing packets and recording network intrusion attacks, network security incidents and abnormal behaviour; a number of other sensor functions/utilities were also checked, such as logging, the management interface and the connection between the sensor and the monitoring centre.
The test measurement results for the sensor's network traffic monitoring function and network security weakness scanning function, and for the system
VIII.3. Conclusion
In essence, the project has completed the main product set out and has initially put it into trial operation.
It is recommended that the whole system be transferred to the VNCERT centre for operational use, research and staff training.
The project is fully capable of further research to perfect a tool entirely under Vietnamese control and to complete the services provided to Vietnamese agencies and organisations.
Thank you.
SUMMARY REPORT
SCIENTIFIC AND TECHNOLOGICAL RESULTS OF THE PROJECT
Hanoi - 2010
Table of contents
Table of contents ... 3
Terms and abbreviations ... 5
I. Objectives and general requirements of the project ... 7
II. Research results of the project ... 8
II.1. Branch 1: Research and design of the overall system architecture, selection of information standards and equipment suited to Vietnamese conditions ... 8
II.1.1. Product requirements ... 8
II.1.2. Work items carried out ... 8
II.1.3. Evaluation of results and proposals ... 14
II.2. Branch 2: Development of the network security monitoring information database (CSDL) system NSIDB ... 14
II.2.1. Product requirements ... 14
II.2.2. Work items carried out ... 15
II.2.3. Evaluation of results and proposals ... 18
II.3. Branch 3: Development of the central Internet network security information collection software system (SIGS) ... 18
II.3.1. Product requirements ... 18
II.3.2. Work items carried out ... 19
II.3.3. Evaluation of results and proposals ... 23
II.4. Branch 4: Development of the monitoring - statistics - alerting and control information processing software system (SIPS) ... 23
II.4.1. Product requirements ... 23
II.4.2. Work items carried out ... 24
II.4.3. Evaluation of results and proposals ... 30
II.5. Branch 5: Development of some dedicated network security (ATM) products whose technology is mastered by Vietnam ... 31
II.5.1. Product requirements ... 31
II.5.2. Work items carried out ... 32
II.5.3. Evaluation of results and proposals ... 35
II.6. Branch 6: Development of solutions and tools for integrating commercial network security (ATM) devices common in Vietnam into the system ... 37
II.6.1. Product requirements ... 37
II.6.2. Work items carried out ... 38
Terms and abbreviations
Account
Access Point
Antivirus
ATM
ATTT
BCG
CERT
CERT/CC
CNTT
CSDL
FE
FW
GAG
GE
GIDS
GFW
HTTT
IDS
IPS
IDMEF
IODEF
ISP
IXP
Malware
MIME
NSAIR
NSIDB
Plugin
Router
SDH
SAMS
Sensor
SIG Gate
SIGS
SIPS
SNMP
Syslog
Switch
TTATM
UML
URL
VNCERT
XML
I. Objectives and general requirements of the project
The project was carried out to research and resolve the basic problems of building an integrated national network security information monitoring system under a centralised management model, aiming at the following 4 strategic objectives:
- Proactively detect, prevent, respond to and protect the national information infrastructure against attacks;
- Reduce risks and weak points on the network.
- Reduce damage and incident recovery time.
- Create the capacity to strengthen information exchange and international cooperation, first of all among CERT organisations.
The full research content consists of the following 7 branches:
Branch 1: Research and design of the overall system architecture. The product is the design report for the overall architecture of the network security monitoring system, including: the overall design diagram, the functions of the components, the information sources, the data flow diagram between components, and the analysis and selection of technologies, information standards and main equipment.
Branch 2: Development of the integrated network security monitoring database system. The product is the centralised integrated network security monitoring database (NSIDB for short).
Branch 3: Development of the central network security information collection software system. The product is the central network security information collection software system (SIGS for short), with two subsystems: one supporting the handling of incident reports sent through communication channels, and one automatically receiving network security information from dedicated sensor devices and from the log files of certain systems. The resulting information security events are stored in the centralised NSIDB database.
Branch 4. Development of the operational software system for processing monitoring - statistics - alerting and control information.
II. Research results of the project
II.1. Branch 1: Research and design of the overall system architecture, selection of information standards and equipment suited to Vietnamese conditions
II.1.1. Product requirements:
The required products are technical reports analysing the current situation and proposing the overall requirements and design of a system for collecting, analysing and consolidating information describing network incidents, the state of traffic flows and the characteristics of packets passing through network nodes, as processed and recorded by sensor devices and certain network protection devices. A general model, basic standards and supporting equipment are to be selected so as to produce a design suited to Vietnamese conditions, technologically advanced, feasible and cost-saving, ensuring that the system is highly secure while exchanging information conveniently with the computer emergency response teams (CERTs) of other countries.
II.1.2. Work items carried out:
The project carried out 5 groups of specific work items as follows:
Item 1. Research and propose the objectives, requirements and general structure of the Internet network security monitoring system.
the IETF's IDMEF format for exchanging network attack detection messages (RFC 4765). Proposed the framework for exchanging network security incident information and the framework for exchanging network attack detection messages, to be applied on the basis of the above standards. Showed the possibility, need and necessity of applying data models that may be simplified but remain compatible with the above standards, to meet the needs of system integration and of information exchange with international systems.
Item 3: Research and select the network security information sources.
Analysed the possibility of using network security information from sources with non-standard structures, such as reports via website, telephone, fax, text message, e-mail, official correspondence, etc. Proposed building support software (an Agent) to collect information from these reporting channels, applying a storage data structure compatible with the IODEF standard to serve these information sources.
Researched and analysed the possibility of collecting network security information from commercial firewall devices/software from Cisco, Juniper and Kerio, and from the open-source firewalls IPTable, AVS firewall, firewall Script, Smooth Wall and IPCop. The 2 most common firewall types in Vietnam were chosen for the project: the commercial Check Point firewall and IPTable (open-source firewall).
Researched and analysed the commercial IDS device/software lines of 7 manufacturers and 2 open-source IDS products, and chose to trial the 2 products common in Vietnam, Proventia (IBM) and Snort (open source), for the system to be built.
Researched the following antivirus systems: Antivirus Corporate Edition 10.0 (Symantec), VirusScan Enterprise (McAfee), eTrust Antivirus (CA - Computer Associates), Norton AntiVirus 2.5 for Gateway, and the open-source virus detection software ClamAV. Proposed using the following products: Symantec Antivirus Corporate Edition with its centralised management function, the McAfee virus detection software and the open-source software
II.2. Branch 2: Development of the network security monitoring information database (CSDL) system NSIDB
II.2.1. Product requirements:
Design and build a central database to store, and to support the processing of, the information collected from the information sources, especially from network security devices, for the purpose of monitoring and recording network security events, and on that basis to allow analysis and assessment of the network traffic situation, of systems and services, of attack risks and of network security incidents.
The Vietnam network security monitoring database consists of component databases: the incident database, the network attack database, the critical systems status database, etc.
The data objects in the Vietnam network security monitoring database must be designed to be compatible with the international standards for exchanging incident information and network attack information (for example the IODEF and IDMEF standards), so that they can be exchanged automatically with other systems at home and abroad.
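As an added example (not code from the VNCERT project) serving both the standards discussion in Item 2 and the compatibility requirement above, the block below wraps one constructed sensor event in a minimal IODEF 1.0 document (RFC 5070) and reads back the fields a central database such as NSIDB would index; the event field names and the incident id format are assumptions.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"   # RFC 5070 namespace
ET.register_namespace("iodef", IODEF_NS)


def q(tag):
    """Return the tag name qualified with the IODEF 1.0 namespace."""
    return "{%s}%s" % (IODEF_NS, tag)


def build_iodef(event):
    """Wrap one normalised sensor event (a constructed dict; the field
    names are assumptions) in an IODEF-Document holding a single Incident."""
    doc = ET.Element(q("IODEF-Document"), version="1.00")
    inc = ET.SubElement(doc, q("Incident"), purpose="reporting")
    # IncidentID text is the id; its name attribute is the issuing CSIRT.
    ET.SubElement(inc, q("IncidentID"), name=event["csirt"]).text = event["id"]
    ET.SubElement(inc, q("ReportTime")).text = event["time"]
    assess = ET.SubElement(inc, q("Assessment"))
    ET.SubElement(assess, q("Impact"), severity=event["severity"], completion="failed")
    contact = ET.SubElement(inc, q("Contact"), role="creator", type="organization")
    ET.SubElement(contact, q("ContactName")).text = event["csirt"]
    flow = ET.SubElement(ET.SubElement(inc, q("EventData")), q("Flow"))
    for category, addr in (("source", event["src"]), ("target", event["dst"])):
        system = ET.SubElement(flow, q("System"), category=category)
        node = ET.SubElement(system, q("Node"))
        ET.SubElement(node, q("Address"), category="ipv4-addr").text = addr
    return ET.tostring(doc, encoding="unicode")


def read_iodef(xml_text):
    """Extract the fields a central monitoring database would index from an
    IODEF 1.0 document; one dict per Incident. Rejects other documents."""
    root = ET.fromstring(xml_text)
    if root.tag != q("IODEF-Document") or root.get("version") != "1.00":
        raise ValueError("not an IODEF 1.0 document")
    records = []
    for inc in root.findall(q("Incident")):
        rec = {
            "id": inc.findtext(q("IncidentID")),
            "csirt": inc.find(q("IncidentID")).get("name"),
            "time": inc.findtext(q("ReportTime")),
            "severity": inc.find(q("Assessment") + "/" + q("Impact")).get("severity"),
        }
        for system in inc.iter(q("System")):   # source / target addresses
            rec[system.get("category")] = system.findtext(q("Node") + "/" + q("Address"))
        records.append(rec)
    return records


# Constructed sample event, not real data; the id format is an assumption.
SAMPLE_EVENT = {
    "id": "VNCERT-2011-000123", "csirt": "VNCERT",
    "time": "2011-06-01T08:30:00+07:00", "severity": "medium",
    "src": "192.0.2.10", "dst": "198.51.100.5",
}

if __name__ == "__main__":
    print(read_iodef(build_iodef(SAMPLE_EVENT)))
```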
The database is designed with the capacity to receive and process about 100,000 messages per day, estimated to be equivalent to about 20 MB of data. By preliminary calculation, this capacity is sufficient for a system with 50 information sources (from report collection channels, sensors and network protection devices) at national-level network nodes and 500 information sources at user networks.
II.3. Branch 3: Development of the central Internet network security information collection software system (SIGS)
II.3.1. Product requirements
The required products of this branch are a report on researching and building the network security information collection protocol, and the analysis, design, programming and trial of the SIGS network security information reception system, including the following main items:
- Report on researching and building the protocol for collecting network security information from the self-developed sensor devices
- Analysis, design, programming and trial of the automatic network security information reception subsystem, taking into account the possibility of collecting network security information from foreign monitoring systems.
o Able to receive information from 50 information sources at high-speed network security nodes or 500 information sources at low-speed network nodes, at a rate of over 100,000 events per day.
- Analysis, design, programming and trial of the incident report handling support subsystem, and development of the incident report handling procedure
- Report on the integration trial of the SIGS system and on the corrections and completion made.
II.3.2. Work items carried out:
The project carried out five groups of specific work items as follows:
Item 1: Research and build the protocol for collecting network security information from the self-developed sensor devices
To build a network security information collection protocol that fully meets the requirements for exchanging the information collected from the network security device sources identified in the research outline, and that ensures the ability to connect, or to be extended to connect, to other network security information sources, the team analysed and identified the information to be exchanged and the requirements of the exchange process, and on that basis built standardised exchange message formats for both ends and a suitable information exchange scheme. From this, the protocol for exchanging network security information from the network security information collection software to the SIGS system was built.
- Research, analysis and design of the communication protocol between the SIPS system and the dedicated sensors. This is the research into effective communication between the system components, specifically the analysis, design and construction of the communication protocol between SIPS and the dedicated sensors. The team analysed in depth the functions and operating principles of the central system and of the reconnaissance (sensor) machines, and analysed and designed the communication between the system components, the data flows exchanged within the system, the events that may occur and the information to be exchanged. On that basis, the steps for normalising data and packaging it for transmission over the network were built.
- Analysis and design of the monitoring function of the SIPS system. The input to this function is information collected from many sources, large in volume and diverse, and it therefore needs to be normalised. Data normalisation brings the information into a single structured form, stored centrally to serve later purposes. In this part the team analysed in depth the functions of the monitoring system and the monitoring system model, identified the information to be monitored, and from this built the monitoring system around 10 criteria. Each criterion represents the information most needed to grasp the national network security situation. The monitoring system therefore needs one monitoring screen per criterion so that incidents can be detected in time and appropriate responses made.
- Analysis and design of the statistics module of the SIPS system. This function is used frequently in SIPS and plays an important role in the calculations that give an overall view of what is happening in real time. The first requirement for the statistics module is therefore fast calculation. In addition, to handle the case where the input data exceeds the module's calculation capacity, the module needs to be able to withstand the load. To be able to follow the operation of SIPS for evaluation, estimation and future development, the activities of the statistics module must be logged. To serve
Monitor and record attack activity, detect intrusions, detect attack indicators and abnormal indicators, and send the collected information to the monitoring centre.
II.6. Branch 6: Development of solutions and tools for integrating commercial network security (ATM) devices common in Vietnam into the system
II.6.1. Product requirements
The required products of this branch include the following:
Research reports on identifying the network security information formats produced by the MiDFS and Checkpoint firewall systems, the McAfee and ISS IDS systems, and the TrendMicro and McAfee antivirus systems.
Research report on normalising the network security information from the devices so that it can meet the information supply requirements of the Vietnam Internet network security database, including the standardised information format describing network security incidents that is used to supply information to the Vietnam Internet network security database.
environments in which the trials were carried out, no cases of the system misidentifying virus or malware signatures were found.
Item 7. Trial of the endpoint network security monitoring software function and of the solution for integrating commercial network security devices common in Vietnam.
The trial results show that the endpoint devices perform the network security monitoring functions well. These functions include packet capture and the recording of network intrusion attacks, network security incidents and abnormal behaviour, together with some other basic functions such as logging, a management interface and the connection between the sensor and the monitoring centre. Being able to integrate the common commercial network security devices is of great significance for later deployment of the system: organisations joining the network security monitoring system will not have to replace their equipment for compatibility, but can keep using their existing devices through the common information exchange standard that the system supports.
Item 8. Test and measure the operating parameters of the whole system and adjust the software; analyse and evaluate the performance of the whole system.
The trial results in this part include all the measurements and evaluations of the operating parameters of the system's functions. The testing and measurement of the operating parameters of the whole system gave good results. The sensor device operates and provides the basic functions: capturing packets and recording network intrusion attacks, network security incidents and abnormal behaviour. In addition, the sensor also provides logging, a management interface and the connection between the sensor and the monitoring centre. The information collection and evaluation process shows that the trial system is fully compatible with, and can interoperate with, the international standards for exchanging network attack information.