MINISTRY OF EDUCATION AND TRAINING
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY (TRƯỜNG ĐẠI HỌC KỸ THUẬT CÔNG NGHỆ TP.HCM)
FACULTY OF INFORMATION TECHNOLOGY

-----------o0o-----------

SPECIALIZED PROJECT

Topic: Building an intrusion detection and prevention system based on the Iptables firewall and the Snort IPS

Supervisor: M.Sc. Văn Thiên Hoàng

Students:

Phan Văn Thà 09C1020136
Nguyễn Quốc Tiến 09C1020159
Dương Quang Minh Huy 09C1020059

HO CHI MINH CITY, 2012

PREFACE

First of all, we would like to sincerely thank Ho Chi Minh City University of Technology (Trường Đại học Kỹ thuật Công nghệ Tp. Hồ Chí Minh) for training us and giving us truly useful knowledge during our time at the university.

We thank Mr. Văn Thiên Hoàng for guiding us through this specialized project. Thank you for orienting and guiding us, for passing on very useful knowledge, and for providing the documents we needed to complete the project. Thank you for your enthusiasm and dedication toward us. We thank all the teachers of the University of Technology, and the teachers of the Faculty of Information Technology in particular, for training us, creating good conditions for us, and giving us the useful knowledge we carry into the future. We wish Mr. Văn Thiên Hoàng and all the teachers of the Faculty of Information Technology of Ho Chi Minh City University of Technology abundant health and many achievements in the teaching career you have chosen.

Phan Văn Thà
Nguyễn Quốc Tiến
Dương Quang Minh Huy

TABLE OF CONTENTS

TABLE OF CONTENTS
INTRODUCTION
Chapter 1. Overview of intrusion prevention systems
  1.1 Introduction
  1.2 Types of network attacks
    1.2.1 Classification of security vulnerabilities
    1.2.2 Active and passive attacks
    1.2.3 Common attack steps
    1.2.4 Attack techniques
  1.3 Attack recognition methods
    1.3.1 Recognition through event sets
    1.3.2 Rule-based detection
    1.3.3 User intention identification
    1.3.4 State-transition analysis
    1.3.5 Statistical analysis approach
    1.3.6 Signature-based intrusion detection
    1.3.7 Anomaly-based intrusion detection
  1.4 Architecture of an intrusion prevention system
    1.4.1 Data-flow analysis module
    1.4.2 Attack detection module
    1.4.3 Response module
  1.5 Types of IPS
    1.5.1 Out-of-band IPS
    1.5.2 Inline IPS
  1.6 IPS products on the market
    1.6.1 Intrust
    1.6.2 ELM
    1.6.3 SNORT
    1.6.4 Cisco IDS
    1.6.5 Dragon
Chapter 2. Overview of the Iptables firewall and the Snort inline IPS
  2.1 Firewall overview
  2.2 Firewall classification
    2.2.1 Packet filtering
    2.2.2 Application-proxy firewall
  2.3 Iptables overview
    2.3.1 Iptables features
    2.3.2 How Iptables works
    2.3.3 Jumps and targets
    2.3.4 Options for manipulating rules
  2.4 Iptables commands and rule setup
    2.4.1 Using user-defined chains
    2.4.2 Saving and restoring Iptables configuration scripts
    2.4.3 Meaning of some basic Iptables rules
  2.5 Firewall and logging
    2.5.1 The syslog protocol
    2.5.2 Proprietary logging methods
  2.6 Firewall log review and analysis
    2.6.1 Overview
    2.6.2 Event information from log files
  2.7 Snort inline overview
    2.7.1 Introduction to Snort inline
    2.7.2 Snort-inline and Iptables
    2.7.3 States
  2.8 Snort components
    2.8.1 Packet sniffer
    2.8.2 Preprocessor
    2.8.3 Detection engine
    2.8.4 Logging and alerting system
    2.8.5 Structure of a rule
Chapter 3. Experiments with the Iptables firewall and the Snort inline IPS
  3.1 Experiment description
  3.2 Experimental network infrastructure
  3.3 Steps to install Iptables and Snort on CentOS
    3.3.1 Installing CentOS
    3.3.2 Installing and configuring Iptables
    3.3.3 Installing and configuring Snort
    3.3.4 Configuring the MySQL server
    3.3.5 Configuring Snort to write alerts into MySQL
    3.3.6 Installing and configuring the Basic Analysis and Security Engine (BASE)
  3.4 System interface after installation
    3.4.1 Basic configuration information
    3.4.2 Snort usage guide
    3.4.3 Experimental statistics for the Iptables firewall
    3.4.4 Experimental statistics for the Snort IDS
  3.5 Attacks and experimental statistics
    3.5.1 Attacks detected by the Snort IDS
    3.5.2 Prevention
    3.5.3 Experimental statistics
CONCLUSION
REFERENCES

INTRODUCTION

1. Introduction

Today, economic globalization continues to expand worldwide. To develop the economy and obtain information in a timely manner, information technology is one of the most essential industries. This is why information technology has developed so rapidly, bringing practical benefits in many areas such as the economy, society, politics, health care and the military, from meetings within organizations, agencies and companies to transnational and intercontinental conferences (video conferencing). The Internet plays an ever more important role in human activity, with an increasingly rich and diverse volume of information. It is not only a place to look up the news and events of daily life; the Internet also serves as a bridge connecting people in every geographic region. Geographic distance has almost lost its meaning: people half a world apart can still exchange information and share data as if they worked in the same office. The Internet has also helped change the way businesses operate. Besides traditional business activities, enterprises now have an additional effective way of doing business: e-commerce. In recent years e-commerce has become an important part of the growth and development of society, bringing great benefits to enterprises while promoting the socialization of information in other industries, and contributing to the efficiency of the economy of the enterprise in particular and of society as a whole.

Precisely because of the diversity of information on the Internet, and because it is a shared bridge for the whole world, abuse on the network is easy to carry out: stealing information, disrupting information, altering information, and so on. Alongside technological development, network security has therefore become an urgent need, in order to protect the internal network, resist intrusion attacks, and make information exchange and transactions over the network safe. Because of the value that information technology brings, malicious actors also exploit this technology, causing no small difficulty for organizations, agencies, and the people who apply information technology in their lives.

Every technology has advantages and disadvantages. Attackers exploit system vulnerabilities to gain illegitimate access and harvest important information: confidential and sensitive data, national defense secrets, and so on. We therefore need measures and methods to detect such unauthorized access. To detect it, an effective intrusion detection and prevention technology that many organizations, agencies and enterprises currently deploy in their networks is the Snort IPS. Research on intrusion detection systems formally began about 32 years ago, and today such systems are widely applied by organizations and enterprises worldwide.

2. Project tasks

Use IPS (Intrusion Prevention System) technology combined with the Iptables firewall to defend against and automatically block attacks on the network, with the support of filtered alerts from Snort inline. The more IT infrastructure develops, the more important network development becomes, and within network development, ensuring network security is a very important issue. After more than a decade of development, network security in Vietnam is gradually receiving the attention it deserves. Until a comprehensive solution exists, each network must set up its own integrated IPS. In this thesis we study the structure of an IPS and go deeper into developing a software IPS built from open-source code that can be applied in one's own network in place of expensive hardware IPS appliances, by combining the open-source software Iptables and Snort inline to create a network monitoring system capable of detecting intrusions and preventing network attacks.

Chapter 1. Overview of Intrusion Prevention Systems

1.1 Introduction

An Intrusion Prevention System (IPS) is a security technique that combines the advantages of firewall technology with an Intrusion Detection System (IDS). It can detect attacks and automatically block attacks aimed at weaknesses of the system. An IPS has two main functions: detecting attacks and countering them. Most IPS are placed at the network perimeter, where they can protect all devices in the network.

1.2 Types of network attacks

1.2.1 Classification of security vulnerabilities

Understanding security weaknesses is essential for implementing effective security policies. Weaknesses in network security fall into three groups: technical weaknesses, configuration weaknesses, and weaknesses in the security policy. Technical weaknesses include weaknesses in protocols, in operating systems, and in hardware devices such as servers, switches and routers. Configuration weaknesses are errors created by the administrator, arising from omissions when configuring the system, such as not securing customer accounts or using the default configuration on devices such as switches, routers and modems. Based on the action of the attack, attacks can be divided into two types:

1.2.2 Active and passive attacks

Active attack: the attacker changes the operation of the system and of the network during the attack, affecting the integrity, availability and authenticity of the data. Passive attack: the attacker tries to collect information from the operation of the system and of the network, breaking the confidentiality of the data. Based on the origin of the attack, attacks can also be divided into two types, attacks from inside and attacks from outside. Attacks from inside originate within the network; the attackers are people in the internal network who want to access or obtain more information than their privileges allow. Attacks from outside originate outside, from the Internet or from remote-access connections.

1.2.3 Common attack steps

Step 1: Reconnaissance, information gathering. The attacker collects information about the target, such as discovering hosts, IP addresses and network services.

Step 2: Scanning. The attacker uses the information collected in step one to find more information about vulnerabilities and weaknesses of the network. The tools commonly used for this are port scanners, IP scanners and vulnerability scanners.

Step 3: Intrusion. The vulnerabilities found in step two are used and exploited by the attacker to break into the system. At this step the attacker may use techniques such as buffer overflows or denial of service (DoS).

Step 4: Maintaining access. Once the attacker has broken into the system, the next step is to maintain that access for further exploitation and intrusion in the future. Techniques such as backdoors and trojans are used at this step. Once the attacker controls the system, they can damage it or steal information. They can also use the system to attack other systems, as in a DDoS attack.

Step 5: Covering tracks. Once the attacker has broken in and tried to maintain access, the next step is to erase all traces so that no legal evidence of the intrusion remains. The attacker deletes log files and deletes alerts from the intrusion detection system.

During the scanning and intrusion steps, the attacker usually causes the network traffic to differ markedly from normal conditions, and the server's resources are significantly affected. These signs are very useful to the network administrator in analyzing and assessing the operating state of the network.

1.2.4 Attack techniques

An attack consists of two basic steps: receiving packets and executing the attack.

ARP attack technique: when computer A needs the MAC address for an IP, it broadcasts an ARP packet containing the requested IP address onto the network. When computer B receives this ARP packet, it compares its own IP with the IP in the packet A sent. If the two match, B sends a reply packet containing B's address information to A. When A receives B's reply, it stores B's MAC address in its ARP table (ARP cache) for use in subsequent transmissions.

Man-in-the-middle (MITM) attack: a necessary condition of the ARP attack is that the hacker has obtained access to the WLAN and knows some of the IP and MAC addresses of computers on the network.

Example: ARP cache poisoning proceeds as follows. Two computers E and F have the following IP and MAC addresses: E (IP = 10.1.3.2, MAC = EE:EE:EE:EE:EE:EE) and F (IP = 10.1.3.3, MAC = FF:FF:FF:FF:FF:FF). The hacker's computer has the address H (IP = 10.1.3.4, MAC = HH:HH:HH:HH:HH:HH). H sends an ARP reply to E claiming that IP 10.1.3.3 has MAC address HH:HH:HH:HH:HH:HH; E's ARP table now contains IP = 10.1.3.3, MAC = HH:HH:HH:HH:HH:HH. H sends an ARP reply to F claiming that IP 10.1.3.2 has MAC address HH:HH:HH:HH:HH:HH; F's ARP table now contains IP = 10.1.3.2, MAC = HH:HH:HH:HH:HH:HH.
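The poisoning sequence above leaves two observable traces on the segment: the MAC bound to an IP changes, and one MAC ends up claiming several IPs. The following passive monitor, added here as an example and not code from the thesis, replays the E/F/H exchange as a constructed list of ARP replies and raises an alert on both signs. The host addresses are the ones given in the text (the MAC "HH:HH:..." is the thesis's own placeholder, so MACs are handled as opaque strings); the order of replies is assumed for this example.

```python
"""Passive ARP cache-poisoning monitor.

Added example for this thesis section, not code from the thesis. It replays a
constructed list of ARP replies and raises an alert on the two signs of the
poisoning sequence described above: an IP address whose MAC binding changes,
and one MAC address that claims to own several IP addresses. The hosts E, F
and the attacker H reuse the addresses given in the text; the reply sequence
itself is constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str    # IP address the reply claims to speak for
    sender_mac: str   # MAC address it claims that IP has
    target_ip: str    # host whose ARP cache receives this reply


@dataclass
class ArpMonitor:
    """Tracks IP->MAC bindings seen on the segment and reports conflicts."""
    bindings: dict = field(default_factory=dict)   # ip -> MAC first seen for it
    claims: dict = field(default_factory=dict)     # MAC -> set of IPs it claimed
    alerts: list = field(default_factory=list)

    def observe(self, reply: ArpReply) -> list:
        """Process one reply; return the alerts (if any) it triggered."""
        found = []
        # Sign 1: the MAC for a known IP changed. The first-seen binding is kept
        # as the trusted one, so repeated poison replies keep being reported.
        known_mac = self.bindings.setdefault(reply.sender_ip, reply.sender_mac)
        if known_mac != reply.sender_mac:
            found.append(
                f"MAC change for {reply.sender_ip}: {known_mac} -> "
                f"{reply.sender_mac} (reply sent to {reply.target_ip})")
        # Sign 2: a single MAC claims more than one IP (H posing as both E and F).
        claimed = self.claims.setdefault(reply.sender_mac, set())
        if reply.sender_ip not in claimed:
            claimed.add(reply.sender_ip)
            if len(claimed) > 1:
                found.append(
                    f"{reply.sender_mac} now claims {len(claimed)} IPs: "
                    f"{sorted(claimed)}")
        self.alerts.extend(found)
        return found


# Constructed reply sequence: three legitimate replies, then the two poison
# replies from the text (H tells E that F is at H, and tells F that E is at H).
E_MAC, F_MAC, H_MAC = "EE:EE:EE:EE:EE:EE", "FF:FF:FF:FF:FF:FF", "HH:HH:HH:HH:HH:HH"
REPLIES = [
    ArpReply("10.1.3.2", E_MAC, "10.1.3.3"),   # E answers F
    ArpReply("10.1.3.3", F_MAC, "10.1.3.2"),   # F answers E
    ArpReply("10.1.3.4", H_MAC, "10.1.3.2"),   # H answers legitimately for itself
    ArpReply("10.1.3.3", H_MAC, "10.1.3.2"),   # poison: "10.1.3.3 is at H" -> E
    ArpReply("10.1.3.2", H_MAC, "10.1.3.3"),   # poison: "10.1.3.2 is at H" -> F
]


def run_monitor(replies=REPLIES) -> list:
    """Feed the replies through a fresh monitor and return all alerts raised."""
    monitor = ArpMonitor()
    for reply in replies:
        monitor.observe(reply)
    return monitor.alerts


if __name__ == "__main__":
    for line in run_monitor():
        print("ALERT:", line)
```

Keeping the first-seen binding rather than overwriting it is the design choice that matters: a cache that simply accepts the newest reply is exactly what the attack exploits, whereas a monitor that remembers the original binding reports every poison reply, including the periodic re-sends an attacker uses to keep the victims' caches poisoned.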

Figure 1.2 Attack on a machine with a poisoned ARP cache.

Ping of Death:

In this kind of DoS attack, one only needs to send a very large packet to the server with the ping command and the server's system hangs.

Example: ping -l 65000

DNS denial-of-service attack

A hacker can insert a false entry into the victim's Domain Name Server A that points to some website B of the hacker's. When clients query server A for the website, the victims are sent to the web page the hacker created.

Countermeasures:
- Deploy only the network services that are needed.
- Firewall.
- Password usage and management policy.
- Regular backups.

1.3 Attack recognition methods

Currently there are several types of intrusion detection systems, distinguished by how they monitor and analyze. Each method has certain advantages and limitations. However, every method can be described through a single general process model for intrusion detection systems.

1.3.1 Recognition through event sets

This kind of system works on a set of predefined rules that describe attacks. All security-related events are incorporated into an audit and translated into if-then-else rules. Examples are Wisdom & Sense and Computer Watch (developed at AT&T).

1.3.2 Rule-based detection

Like the expert-system method, this method relies on knowledge of attacks. It transforms the description of each attack into a suitable audit format, so that signs of the attack can be found in the records. An attack scenario can be described, for example, as a sequence of audit events for the attack, or as data patterns that can be searched for in the audit data. The method works on abstract equivalents of the audit data, and detection is performed by matching generic text strings against those mechanisms. It is typically a very powerful technique and is often used in commercial systems (for example Cisco Secure IDS and Emerald eXpert-BSM on Solaris).

1.3.3 User intention identification

This technique models the normal behavior of users as a set of high-level tasks they can perform on the system (related to the user's function). The tasks usually require a number of activities, which are adjusted to fit the appropriate audit data. The analyzer keeps a set of acceptable tasks for each user. Whenever an inconsistency is detected, an alert is generated.

1.3.4 State-transition analysis

An attack is described by a set of goals and transitions that an intruder must carry out to compromise the system. The transitions are presented in a state-transition diagram. If a violating set of transitions is detected, an alert is issued or a response is taken according to predefined actions.

1.3.5 Statistical analysis approach

This is a commonly used method. User or system behavior (a set of attributes) is computed over a number of time-based variables, for example: user logins and logouts, the number of files accessed in a period of time, the usage of disk space, memory and CPU, and so on. The update period can vary from a few minutes to a month. The system stores a meaningful value for each variable, used to detect when a predefined threshold is exceeded. Even this simple method cannot match a typical user-behavior model, and methods based on correlating information about individual users with group variables have also proven ineffective.

Therefore a more sophisticated model of user behavior was developed using short-term or long-term user information. This information is regularly updated to keep up with changes in user behavior. Statistical methods are often used as a supplement in IDSs that are based on information about normal user behavior.

1.3.6 Signature-based intrusion detection

Signature-based detection determines whether an event is a threat. Some typical cases:
+ A program connecting to the system with root privileges under the login name root may be a threat to the organization's security policy.
+ An email with the subject "Free Picture" and the attachment "freepicture.exe" is characteristic of a type of malware.

Signature-based detection is effective against known threats. However, it is ineffective against unknown threats, threats that are hidden in some way, or variants of known threats. Signature-based detection is the simplest method because it only compares units of activity (packets or log files) against a list of signatures using string comparison. So if an attacker renames "freepic.exe" to "freepic2.exe", this method cannot detect it as malware. The method does not understand many network protocols or application protocols, and does not track or understand complex communication states.

1.3.7 Anomaly-based intrusion detection

Anomaly-based detection is the process of comparing definitions of events considered normal with the observed events in order to identify abnormalities. It uses profiles that represent the normal state of users, network connections or applications. For example, the profile for the normal state of a network connection indicates that web access consumes 16% of network bandwidth during working hours. The IDS compares this with the actual network bandwidth and, if it finds higher usage, alerts the administrator about the anomaly. Profiles can be tuned for, e.g., the number of emails sent, the number of failed logins, the level of CPU activity, and so on.

The advantage of this method is its flexibility: it can be edited and changed to be effective at detecting previously unknown threats. For example, when malware infects a computer, it may consume a lot of resources, send a large amount of email, create many connections, congest the network bandwidth, and perform many actions that are abnormal with respect to the information in the profile.

1.4 Architecture of an intrusion prevention system

An IPS is considered successful if it meets the following criteria: fast and accurate execution, reasonable notifications, analysis of all traffic, maximum sensing, successful blocking, and a flexible management policy. An IPS consists of three main modules: the data-flow analysis module, the attack detection module, and the response module.

1.4.1 Data-flow analysis module

This module takes all packets arriving at the network for analysis. Normally, packets whose address is not the network card's own are discarded by the card, but the IPS's card is placed in a mode that receives everything. All packets passing through it are copied, processed, and parsed into their information fields. The analyzer reads the information fields in the packet and determines the packet type, the service, and so on. This information is forwarded to the attack detection module.

1.4.2 Attack detection module

This is the most important module in the system, responsible for detecting attacks. There are two methods of detecting attacks and intrusions: misuse detection and anomaly detection.

Misuse detection: this method analyzes the activities of the system, looking for events that resemble known attack patterns. These known attack patterns are called attack signatures, so the method is also called signature detection. Its advantage is that it detects attacks quickly and accurately, does not produce false alarms that degrade the operation of the network, and helps administrators identify the security holes in their systems. Its disadvantage is that it cannot detect attacks that are not in its database, i.e. new kinds of attack, so the system must constantly be updated with new attack patterns.

Anomaly detection: this is an intelligent detection technique that recognizes abnormal behavior on the network. Its view is that attacks differ from ordinary activity. Initially it stores a summary description of the normal activity of the system; attacks behave differently from normal, and this detection method can recognize that difference. Several techniques help perform anomaly detection of attacks:

Threshold detection: this technique emphasizes counting and measuring normal activity on the network. Thresholds for normal activity are set. If there is an anomaly, such as more login attempts than allowed, an excessive number of processes running on the CPU, or more packets of one type sent than the limit, the system shows signs of being attacked.

Detection through self-learning: this technique has two steps. When first set up, the attack detection system runs in learning mode and builds a profile of how the network behaves under normal activity. After the initialization period, the system runs in working mode, monitoring and detecting abnormal network activity by comparing it with the established profile. Learning mode can run in parallel with working mode to update its profile, but if a sign of attack is detected, learning must stop until the attack is over.

Protocol anomaly detection: this technique relies on the operation of the system's protocols and services to find invalid packets and abnormal activity that are signs of intrusion or attack. It is very effective at blocking the network scanning and port scanning hackers use to collect information.

Anomaly detection is very effective at detecting denial-of-service attacks. Its advantage is that it can detect new kinds of attack and provides useful information that supplements misuse detection; its disadvantage is that it often produces a number of false alarms, which reduce the performance of the network. This method will be the direction that is researched further, to overcome its remaining weaknesses and reduce the number of false alarms so that the system runs more precisely.
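The signature example of section 1.3.6 (the renamed "freepic2.exe" attachment) and the threshold technique of the anomaly method just described are easiest to compare side by side in code. The script below is an added example, not code from the thesis: part (a) runs an exact-string signature list and then a pattern signature over a constructed inbox, showing which one catches the variant; part (b) checks a constructed hour of observations against a profile of the kind the text describes, using the thesis's 16% web-bandwidth figure as the baseline. The other profile values, the observations, and the 25% tolerance margin are assumptions made for this example.

```python
"""Signature matching beside threshold-based anomaly detection.

Added example for sections 1.3.6/1.3.7 and 1.4.2 of this thesis, not code from
the thesis. It shows (a) why exact-string signature matching misses the
renamed attachment mentioned in the text and how a pattern signature closes
that gap, and (b) a profile-based threshold detector of the kind described for
anomaly detection. The inbox, the profile values other than the thesis's 16%
web-bandwidth figure, the observations and the tolerance are constructed.
"""
import re

# (a) Misuse / signature detection --------------------------------------
# Signature list written as exact strings: the simplest signature engine.
EXACT_SIGNATURES = {"freepic.exe"}
# The same signature written as a pattern, so the "freepic2.exe" variant is caught.
PATTERN_SIGNATURES = [re.compile(r"^freepic\d*\.exe$", re.IGNORECASE)]

# Constructed inbox: (subject, attachment name)
EMAILS = [
    ("Free Picture", "freepic.exe"),
    ("Free Picture", "freepic2.exe"),   # renamed variant from the text
    ("Quarterly report", "report.pdf"),
]


def exact_hits(emails=EMAILS) -> list:
    """Attachments caught by exact-string comparison only."""
    return [att for _, att in emails if att.lower() in EXACT_SIGNATURES]


def pattern_hits(emails=EMAILS) -> list:
    """Attachments caught when the signature is a pattern."""
    return [att for _, att in emails
            if any(p.match(att) for p in PATTERN_SIGNATURES)]


# (b) Anomaly / threshold detection ---------------------------------------
# Profile of the normal state; web_share is the 16% figure quoted in the text,
# the other two baselines are assumed for this example.
PROFILE = {"web_share": 0.16, "mails_per_hour": 40, "failed_logins": 5}


def anomalies(observed: dict, profile: dict = PROFILE, tolerance: float = 0.25) -> dict:
    """Return {attribute: (observed, limit)} for every attribute whose observed
    value exceeds the profile baseline by more than `tolerance` (a relative
    margin, assumed here, that keeps normal jitter from raising false alarms)."""
    flagged = {}
    for name, baseline in profile.items():
        if name not in observed:
            continue
        limit = baseline * (1 + tolerance)
        if observed[name] > limit:
            flagged[name] = (observed[name], round(limit, 3))
    return flagged


# Constructed observations: a quiet hour, and an hour that looks like the
# mass-mailing malware behaviour described in the text.
QUIET_HOUR = {"web_share": 0.17, "mails_per_hour": 35, "failed_logins": 2}
NOISY_HOUR = {"web_share": 0.31, "mails_per_hour": 900, "failed_logins": 3}


if __name__ == "__main__":
    print("exact signatures catch:", exact_hits())
    print("pattern signatures catch:", pattern_hits())
    print("quiet hour anomalies:", anomalies(QUIET_HOUR))
    print("noisy hour anomalies:", anomalies(NOISY_HOUR))
```

The tolerance parameter is where the trade-off the text describes lives: a margin of zero turns every small fluctuation above the baseline into an alert (the false-alarm problem of anomaly detection), while a very large margin lets the mass-mailing hour through. The quiet hour, with web traffic at 17% against a 16% baseline, is deliberately just above the profile to show that the margin absorbs it.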

1.4.3 Response module

When there is a sign of attack or intrusion, the attack detection module sends a signal to the response module that an attack or intrusion is taking place. The response module then activates the firewall to block the attack, or alerts the administrator. If this module only issues alerts to administrators and stops there, the system is called a passive defense system. Depending on the system, the response module has different functions and blocking methods. Some blocking techniques:

Terminating the process: the IPS sends packets intended to tear down the suspicious process. This method has some drawbacks. The intervening packets are sent later than the moment the hacker begins the attack, so the attack may already be over by the time the intervention starts. The method is ineffective for protocols running over UDP such as DNS, and the intervening packets must carry the same sequence fields as the packets in the attacking process's session. If the attack is fast, this method is very hard to carry out.

Dropping the attack: this technique uses the firewall to drop or block a single packet, a session, or an attacking flow. This kind of response is the safest, but its drawback is that it can easily be confused with legitimate packets.

Changing firewall policy: this technique lets the administrator reconfigure the security policy when an attack occurs. The reconfiguration temporarily changes the access control policies for particular users while alerting the administrator.

Real-time alerts: real-time alerts are sent to the administrator so that they know the details, characteristics and information of the attacks.

Logging to file: the packet data is stored in the system's log files, so that administrators can monitor the information flows, and as a source of information that helps the attack detection module operate.

1.5 Types of IPS

There are two main IPS architectures: out-of-band IPS and inline IPS.

1.5.1 Out-of-band IPS

An out-of-band IPS does not intervene directly in the data flow. Traffic entering the network passes through both the firewall and the IPS. The IPS can examine the incoming traffic, analyze it, and detect signs of intrusion and attack. In this position the IPS can manage the firewall, instructing it to block suspicious actions without affecting the traffic speed of the network.

1.5.2 Inline IPS

The IPS sits in front of the firewall, and traffic must pass through the IPS before reaching the firewall. The main difference from the out-of-band IPS is the additional ability to block traffic, which lets the IPS stop dangerous traffic faster than an out-of-band IPS. However, this position slows the flow of information into and out of the network.

1.6 IPS products on the market

1.6.1 Intrust

This product has many features that let it survive in a business environment. With its Unix compatibility it is extremely flexible. It ships with a reporting interface offering more than 1,000 different reports, helping to keep control of a complex environment. It also supports a comprehensive alerting solution that can alert on mobile devices and many other technologies. Some of the basic features of Intrust:
- Comprehensive alerting
- Comprehensive reporting
- Consolidation and assessment of performance data across platforms
- Data filtering for easy review
- Real-time auditing
- Analysis of captured data
- Compliance with industry standards
- Policy enforcement

1.6.2 ELM

This product supports HIDS functions; it is the product analyzed and compared on the basis of ELM Enterprise Manager. It supports real-time auditing, comprehensive operation, and detailed reporting. An additional database is provided to keep the software's database safe: if the main ELM database goes offline, the ELM Server automatically creates a temporary database to store data until the main database comes back online. Some of the features of ELM Enterprise Manager 3.0:
- ELM supports a flexible MMC snap-in interface
- Supports auditing all Microsoft .NET servers by checking event logs and performance counters
- Supports a report wizard whose new version can be scheduled, and also HTML and ASCII reports
- Centralized viewing of event logs across many servers
- Web-enabled client only on browsers supporting JavaScript and XML
- Supports a knowledge-base interface
- Supports notifications that can execute wscript, cscript and CMD/BAT files
- Supports SQL Server and Oracle databases
- WMI-compatible queries for comparison purposes
- Takes corrective action when an intrusion is detected

1.6.3 SNORT

Snort is an excellent product and has been put into operation by many organizations, agencies and enterprises in Unix environments. The latest release supports the Windows platform, though still with some subtle caveats. The best thing about this product is that it is open source and costs nothing beyond the time and bandwidth needed to download it. The solution is developed by many people and runs very well on cheap hardware, which lets it survive in any organization. Its features:
- Supports high-performance configuration in software
- Good Unix support
- Flexible open-source support
- Good SNMP support
- Supports a centralized management module
- Supports alerting and intrusion detection
- Packet logging
- Comprehensive attack detection
- Sophisticated output modules providing comprehensive logging
- User support through mailing lists and email interaction

1.6.4 Cisco IDS

This solution is Cisco's, and with it we see the quality, feel and traditional reputation of the company. Features of this appliance:
- Accurate detection features that significantly reduce false alarms
- Enterprise scalability like other Cisco products
- Real-time intrusion detection, reporting and blocking of unauthorized actions
- Pattern analysis for detection performed at several different levels
- High network performance
- Dynamic router access-list management that adapts promptly to the intruder's behavior
- Centralized GUI management
- Remote management
- Email event notification

1.6.5 Dragon

A comprehensive solution for business operations. This product is very versatile and meets the security requirements of a business environment. It also supports NIDS, host management, event management and attack auditing. It is a comprehensive IDS solution, well designed together with integrated auditing. Its weakness, however, is its price. Features of Dragon:
- Dragon supports both NIDS and HIDS
- Supported on a range of platforms: Windows, Linux, Solaris and AIX
- Modular and extensible
- Centralized management auditing
- Comprehensive analysis and reporting
- Highly compatible with the technical specifics of business operations
- Effective security auditing, integrating switches, firewalls and routers
- Managed report compilation
- A well-tuned signature update cycle

Chapter 2. Overview of the Iptables firewall and the Snort inline IPS

2.1 Firewall overview

Today the Internet is increasingly widespread, and connectivity has become familiar to many people, from single computers to the networks of organizations, agencies and enterprises. The problem is that if these computers and networks are not protected they become targets for hackers to break into. Many security features have therefore been developed to limit unauthorized intrusion by hackers, and among them the firewall stands out. A firewall is a device that blocks invalid access from the external network into the internal network. A firewall system usually includes both hardware and software. Firewalls are usually used to block, or to create rules for, different addresses, and they manage the traffic between the Internet and a private network. A firewall can split the internal network into two or more parts and control the exchange of data between those zones.

Basic functions of a firewall: the main function of a firewall is to control the flow of information between the network to be protected (the trusted network) and the Internet through the access policies that have been set up. It allows or denies services from inside to outside and from outside to inside; controls which addresses may access and which services may be used; controls user access between the two networks; controls the content of information carried between the two networks; and prevents attacks from external networks. Building a firewall is a fairly effective measure, since it protects and controls most services, which is why it is the most widely applied network protection measure. Usually a firewall system is a gateway between the internal network and the outside network, and vice versa.

Figure 2.1 Firewall model

2.2 Firewall classification

There are many kinds of firewall, each with its own advantages and disadvantages. For convenience of study, however, they are divided into two main types: packet filtering and application-proxy firewalls.
- Packet filtering: a firewall that passes information between the inside and outside of the network under control.
- Application-proxy firewall: a firewall that makes connections on behalf of the requesting clients instead of allowing direct connections.

2.2.1 Packet filtering

The most common firewall is the kind based on the network layer of the OSI model. A network-layer firewall usually operates on the router principle, that is, it creates rules that grant network access based on the network layer. This model works on the principle of packet filtering: every packet is checked for the source address it came from. Once the source IP address has been determined, it is checked against the rules set on the router. For example, if the firewall administrator decides that no packet originating from the network google.com may connect to the internal network, then packets from that network will never reach the internal network.

Firewalls operating at the network layer (similar to a router) usually allow fast processing, because they only check the source IP address and there is no real command on the router; no time is needed to determine whether an address is wrong or banned. But this is limited by its reliability. This kind of firewall uses the source IP address as its indicator, which creates a hole: if a packet carries a forged source address, it obtains some level of access to the internal network.

However, many technical measures can be applied to packet filtering to overcome this weakness. For example, in more sophisticated packet-filtering technologies not only the IP address field is checked by the router; other fields are also checked against the rules created on the firewall, such as the time of access, the protocol used, and the port.

Packet filtering firewalls can be divided into two kinds. Packet filtering firewall: operates at the network layer of the OSI model, or the IP layer of the TCP/IP protocol model.

Figure 2.2 Packet filtering firewall

Circuit level gateway: operates at the session layer of the OSI model, or the TCP layer of the TCP/IP protocol model.

Figure 2.3 Circuit level gateway

2.2.2 Application-proxy firewall

This firewall is software-based. When a user makes a connection to a network that uses the firewall, the connection is intercepted, and the firewall then checks the relevant fields of the packet requesting the connection. If the check succeeds, meaning that the information fields satisfy the rules set on the firewall, the firewall creates a bridge connection between the two nodes. The advantage of this kind of firewall is that it does not forward IP packets, and connections through the firewall can be controlled in much finer detail. It also provides many tools for logging the connection process. Naturally this has a drawback in processing speed, because every connection and every packet passing through the firewall is carefully checked against the firewall's rules and, if accepted, forwarded to the destination node. IP packet forwarding occurs when a host receives a request from the external network and passes it into the internal network; this creates a hole through which attackers (hackers) can intrude from the external network into the internal network. Application-proxy firewalls can be divided into two kinds: application level gateways and stateful multilayer inspection firewalls.

Application level gateway: similar in function to the circuit-level gateway, but operating at the application layer of the TCP/IP protocol model.

Figure 2.4 Application level gateway

Stateful multilayer inspection firewall: this kind combines the features of the firewall types above: it filters packets at the network layer and inspects packet content at the application layer. This kind of firewall allows direct connections between clients and hosts, which reduces errors. Stateful multilayer inspection firewalls provide high security and are transparent to end users.

Figure 2.5 Stateful multilayer inspection firewall

2.3 Iptables overview

xy dng Firewall cho mt h thng mng chi ph thng rt cao nu chng ta mua nhng sn phm thng mi. Iptable l phn mm m ngun m mim ph, tch hp sn trn h iu hnh Linux, c th trin khai trn h thng mng va v nh.Ban u Firewall/NAT chy trn Linux l Ipchains nhng do thiu st li v mt k thut chy khng n nh. T chc Netfilter quyt nh vit ra phn mm khc phc nhng li v sn phm Iptable c ra i nhm tng tnh nng lc gi tin, bo mt trn h thng Linux. Tch hp tt trn nhn Linux (Kernel Linux), thit k m-un c th nng cao tc v tin cy, c kh nng phn tch gi tin hiu qu.Iptables lc gi tin da trn a ch MAC v cc gi tr ca nhng c hiu trong phn u TCP header ca gi tin. iu ny l hu ch trong vic phng chng cc cuc tn cng bng cch s dng cc gi d liu b thay i v hn ch truy cp n my ch local t nhng my ch khc c cng a ch IP.Iptables cung cp chi tit cc ty chn ghi nhn cc s kin xy ra trong h thng, cung cp k thut NAT. NAT t trong ni b ra ngoi v ngc li. C kh nng ngn chn mt s c ch tn cng theo kiu t chi dch v (DoS).2.3.1 Cc tnh nng ca Iptables

Tch hp tt trn Linux kernel, ci thin s tin cy v tc chy iptables. Quan st k tt c cc gi d liu, iu ny cho php firewall theo di mi mt kt ni thng qua n v xem xt ni dung ca tng lung d liu t x l bc tip theo s dng cc giao thc. iu ny rt quan trng trong vic h tr cc giao thc FTP, DNS .Lc gi da trn a ch MAC v cc c trong TCP header. iu ny gip ngn chn vic tn cng bng cch s dng cc gi d dng (malformed packets) v ngn chn vic truy cp t ni b n mt mng khc bt chp IP ca n.Ghi chp h thng (System logging) cho php vic iu chnh mc ca bo co. H tr vic tnh hp cc chng trnh Web proxy nh Squid. Ngn chn cc kiu tn cng t chi dch v.2.3.2 C ch hot ng Iptables

Every packet is inspected by iptables; the inspection is performed sequentially using prebuilt tables (queues). There are three tables in Iptables:

Queue type | Queue function | Packet-processing rule (chain) | Chain function
Filter | Packet filtering | INPUT | Filters packets addressed to the firewall
       |                  | FORWARD | Filters packets going to other servers connected on the firewall's other NICs
       |                  | OUTPUT | Filters packets leaving the firewall
NAT | Network Address Translation | PREROUTING | Address translation takes place before routing. Changing the destination address lets the packet fit the firewall's routing table. Uses destination NAT (DNAT)
    |                             | POSTROUTING | Address translation takes place after routing. Uses source NAT (SNAT)
    |                             | OUTPUT | NAT for packets originating from the firewall
Mangle | Modifies the TCP header | PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD | Adjusts the quality-of-service bits before routing

Table 2.1 Functions of queues and chains

Mangle table: responsible for changing the quality-of-service bits in the TCP header such as TOS (type of service), TTL (time to live) and MARK.

Filter queue: responsible for packet filtering. It has three chains in which the filtering rules are set:
- Forward chain: filters packets going to other servers.
- Input chain: filters packets entering the server.
- Output chain: filters packets leaving the server.

NAT queue: performs NAT (Network Address Translation), in two forms:
- Pre-routing chain: NAT from the outside into the internal network. NAT is performed before the routing mechanism runs. This is convenient for changing the destination address so that it is compatible with the firewall's routing table; it is called destination NAT or DNAT.
- Post-routing chain: NAT from the inside to the outside. NAT is performed after routing, and this process changes the source address of the packet. The technique is called one-to-one or many-to-one NAT, also known as source NAT or SNAT.

2.3.3 Jumps and Targets

Jump: the mechanism that passes a packet to a target for further processing.

Target: the action mechanism in Iptables, used to identify and check packets. The targets built into iptables include:
- ACCEPT: iptables accepts the packet and passes the data on to its destination.
- DROP: iptables blocks the packet.
- LOG: the packet's information is sent to the syslog daemon and iptables continues with the next rule in the table of rules. If the last rule does not match, the packet is dropped. The common option is --log-prefix=string, so that iptables records messages beginning with the string.
- REJECT: blocks the packet and sends an error notification to the sender. The common option is --reject-with qualifier, where the qualifier specifies the type of reject message sent back to the sender. The qualifiers are: icmp-port-unreachable (default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable.
- DNAT: changes the destination address of the packet. The option is --to-destination ipaddress.
- SNAT: changes the source address of the packet. The option is --to-source <address>[-<address>][:<port>-<port>].
- MASQUERADE: used to perform NAT by masquerading the source address with the address of the firewall's interface. The option is --to-ports <port>[-<port>], which specifies the range of source ports that the original port range is mapped to.

2.3.4 Options for working with rules

Iptables command | Description
-t <table> | Specifies the table for iptables: filter, nat or mangle. By default iptables selects filter
-j <target> | Jumps to a target chain when the packet satisfies the current rule
-A | Appends the rule to the end of the iptables chain
-F | Flushes all rules in the selected table
-p <protocol> | Specifies the protocol: icmp, tcp, udp or all
-s <address> | Specifies the source address
-d <address> | Specifies the destination address
-i <interface> | Specifies the input interface that receives the packet
-o <interface> | Specifies the output interface that sends the packet out

Table 2.2 Iptables command switches

2.4 Iptables commands and rule setup

2.4.1 Using user-defined chains

Instead of using the chains built into iptables, we can use user-defined chains to define a chain name describing all protocol types for the packet. User-defined chains can stand in for a chain, with the main chain pointing to several sub-chains. Some examples (the user-defined chains are created with -N before rules are appended to them):

# iptables -N fast-input-queue
# iptables -N fast-output-queue
# iptables -N icmp-queue-in
# iptables -N icmp-queue-out
# iptables -A INPUT -i eth0 -d 192.168.0.38 -j fast-input-queue
# iptables -A OUTPUT -o eth0 -s 192.168.0.38 -j fast-output-queue
# iptables -A fast-input-queue -p icmp -j icmp-queue-in
# iptables -A fast-output-queue -p icmp -j icmp-queue-out
# iptables -A icmp-queue-out -p icmp --icmp-type echo-request \
    -m state --state NEW -j ACCEPT
# iptables -A icmp-queue-in -p icmp --icmp-type echo-reply \
    -m state --state NEW -j ACCEPT

Chain | Description
INPUT | The built-in INPUT chain of iptables
OUTPUT | The built-in OUTPUT chain of iptables
fast-input-queue | A separate input chain supporting specific protocols, which passes packets on to protocol-specific chains
fast-output-queue | A separate output chain supporting specific protocols, which passes packets on to protocol-specific chains
icmp-queue-in | A separate input chain for the ICMP protocol
icmp-queue-out | A separate output chain for the ICMP protocol

Table 2.3 List of chains (queues)
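How a packet travels through the built-in chain, the user-defined chains and the targets described in 2.3.3 and 2.4.1, as an added example (not code from the thesis or from the iptables project). The rule set, chain names and addresses below are constructed to mirror the fast-input-queue example; a user-defined chain that ends without a verdict hands the packet back to the calling chain, and the built-in chain's policy decides if nothing matched.

```python
"""Toy model of how iptables walks chains: a built-in chain with a default
policy, user-defined chains reached through -j, first-match evaluation and
the ACCEPT / DROP / REJECT / LOG / RETURN targets.  Added example, not part
of the thesis; the interface, address and chain names mirror the
fast-input-queue / icmp-queue-in example above."""
import ipaddress

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # verdicts that end the walk


def rule_fits(rule, pkt):
    """True when every match criterion of the rule fits the packet.
    'src' and 'dst' are CIDR prefixes; everything else compares for equality."""
    for key, want in rule.get("match", {}).items():
        have = pkt.get(key)
        if key in ("src", "dst"):
            if have is None or ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif have != want:
            return False
    return True


def walk_chain(chains, name, pkt, log):
    """Evaluate one chain top to bottom.  Returns a terminal verdict, or None
    when the chain ends without one (an implicit RETURN to the caller)."""
    for rule in chains[name]["rules"]:
        if not rule_fits(rule, pkt):
            continue
        target = rule["target"]
        if target == "LOG":            # non-terminating: record and keep going
            log.append("%s%s -> %s" % (rule.get("prefix", ""), pkt["src"], pkt["dst"]))
            continue
        if target == "RETURN":
            return None
        if target in TERMINAL:
            return target
        # Anything else is a jump into a user-defined chain.
        result = walk_chain(chains, target, pkt, log)
        if result is not None:
            return result
    return None


def verdict(chains, entry, pkt):
    """Final decision for a packet entering a built-in chain: the first
    terminal target hit, otherwise the chain's default policy."""
    log = []
    result = walk_chain(chains, entry, pkt, log)
    return (result or chains[entry]["policy"]), log


# Constructed rule set: INPUT hands eth0 traffic for the firewall to
# fast-input-queue, which hands ICMP on to icmp-queue-in (as in 2.4.1).
RULESET = {
    "INPUT": {"policy": "DROP", "rules": [
        {"match": {"in": "eth0", "dst": "192.168.0.38/32"}, "target": "fast-input-queue"},
        {"match": {"state": "ESTABLISHED"}, "target": "ACCEPT"},
    ]},
    "fast-input-queue": {"policy": None, "rules": [
        {"match": {"proto": "icmp"}, "target": "icmp-queue-in"},
        {"match": {"proto": "tcp", "dport": 22, "state": "NEW"}, "target": "ACCEPT"},
    ]},
    "icmp-queue-in": {"policy": None, "rules": [
        {"match": {"icmp_type": "echo-request"}, "target": "LOG", "prefix": "ICMP-IN: "},
        {"match": {"icmp_type": "echo-request", "state": "NEW"}, "target": "ACCEPT"},
    ]},
}

# Constructed packets arriving on eth0 from an outside host.
SAMPLE_PACKETS = {
    "ping": {"in": "eth0", "src": "192.168.0.11", "dst": "192.168.0.38",
             "proto": "icmp", "icmp_type": "echo-request", "state": "NEW"},
    "ssh": {"in": "eth0", "src": "192.168.0.11", "dst": "192.168.0.38",
            "proto": "tcp", "dport": 22, "state": "NEW"},
    "http": {"in": "eth0", "src": "192.168.0.11", "dst": "192.168.0.38",
             "proto": "tcp", "dport": 80, "state": "NEW"},
    "reply": {"in": "eth0", "src": "192.168.0.11", "dst": "192.168.0.38",
              "proto": "icmp", "icmp_type": "echo-reply", "state": "ESTABLISHED"},
}


def run_samples():
    """Verdict for every sample packet; the http case shows a user-defined
    chain falling through back to INPUT and ending at the DROP policy."""
    return {name: verdict(RULESET, "INPUT", pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (decision, log) in run_samples().items():
        print(name, decision, log)
```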

2.4.2 Saving and restoring Iptables configuration scripts

The command service iptables save stores the iptables configuration in the file /etc/sysconfig/iptables. When the system restarts, the iptables-restore program reads this script again and reactivates the configuration.

A script can also be recovered when the script file is lost. First, save the script with the command:

# iptables-save > script_cau_hinh

Then the saved script_cau_hinh can be reviewed with cat script_cau_hinh. After editing script_cau_hinh, reload it into iptables with iptables-restore:

# iptables-restore < script_cau_hinh

Finally, store the rules back into the configuration file:

# service iptables save

2.4.3 Meaning of some basic Iptables rules

:INPUT ACCEPT [0:0] : default policy for incoming packets
:FORWARD ACCEPT [0:0] : default policy for packets passing through the firewall
:OUTPUT ACCEPT [0:0] : default policy for outgoing packets

-A INPUT -j RH-Firewall-1-INPUT : the first rule, which jumps to the chain the system has defined under the name RH-Firewall-1-INPUT.

-A RH-Firewall-1-INPUT -i lo -j ACCEPT : allows all outside users to reach the loopback interface. If the traffic is not for the loopback interface, the program moves on to the next rule.

-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT : controls ping; whether the outside can ping the local system depends on whether we choose ACCEPT.

How the rules are processed: the system first evaluates the first rule; if one of the conditions is satisfied, the action (ACCEPT to accept, DROP to discard, REJECT to refuse) is executed. If not, the system moves on to the second rule, and so on until the last rule, which here is:

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT : allows the firewall to establish outgoing connections and accepts the reply packets requested when the firewall established the connection.

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT : allows everyone outside to reach port 110, the POP3 application.

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT : allows everyone outside to reach port 22, the SSH application.

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT : allows everyone outside to reach port 25, the SMTP mail application.

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT : allows everyone outside to reach port 80, the web application.

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT : allows everyone outside to reach port 443, the HTTPS application.

2.5 Firewall and Logging

Logging is an extremely important mechanism in a firewall; it provides information about how the firewall is being used. Through logging, the administrator knows the current state of the network, and it is also the only way the firewall tells the administrator what is happening inside the system. There are two logging methods: syslog logging and proprietary logging.

2.5.1 The syslog protocol

The syslog protocol is the method of delivering notification messages in a network. It is defined in RFC 3164 and uses UDP port 514. With UDP, syslog has the advantage of being connectionless and stateless (requiring few resources), but as a result syslog output is sometimes unreliable and messages are often lost. To improve on this, many devices support syslog over TCP so that messages are not lost.

Logging facility code | Logging facility description

0 | Kernel messages
1 | User-level messages
2 | Mail systems
3 | System daemons
4 | Security/authorization messages
5 | Messages generated internally by the syslog daemon
6 | Line printer subsystem
7 | Network news subsystem
8 | UNIX-to-UNIX copy (UUCP) subsystem
9 | Clock daemon
10 | Security/authorization messages
11 | FTP daemon
12 | Network time protocol (NTP) subsystem
13 | Log audit
14 | Log alert
15 | Clock daemon
16 | Local use 0 (local0)
17 | Local use 1 (local1)
18 | Local use 2 (local2)
19 | Local use 3 (local3)
20 | Local use 4 (local4)
21 | Local use 5 (local5)
22 | Local use 6 (local6)
23 | Local use 7 (local7)

Table 2.4 Syslog logging facility levels
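How the facility codes in Table 2.4 combine with a severity into the priority that starts every syslog message, and what the lines written by the iptables LOG target (2.3.3, with its --log-prefix) look like once they reach syslog, as an added example that is not part of the thesis. The log lines, host name and prefix string are constructed; the parser separates packets dropped at the firewall itself (INPUT chain, empty OUT=) from packets dropped while being forwarded.

```python
"""Decode the syslog priority (<PRI>) of a message and parse the lines the
iptables LOG target writes through the kernel facility, then count what was
dropped at the firewall itself versus while being forwarded.  Added example,
not part of the thesis; the log lines below are constructed, not captured."""
import re
from collections import Counter

# Facility codes 0..23 from Table 2.4; severity codes 0..7 (RFC 3164).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri):
    """PRI = facility * 8 + severity; e.g. <4> is kern.warning, the level the
    iptables LOG target uses unless --log-level is given."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


# <PRI>timestamp host kernel: <prefix>IN=... (the prefix comes from --log-prefix)
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) "
                     r"kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")   # KEY=value pairs; flags such as DF or SYN carry no '='


def parse_ipt_log(line):
    """Return the interesting fields of one iptables LOG line, or None for any
    other syslog message (sshd, cron, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    fields = dict(KV_RE.findall("IN=" + m.group("rest")))
    return {
        "facility": facility, "severity": severity, "host": m.group("host"),
        "prefix": m.group("prefix").strip(),
        "in": fields.get("IN", ""), "out": fields.get("OUT", ""),
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def summarize_drops(lines):
    """Two counters keyed by (src, proto, dport): packets dropped at the
    firewall (INPUT chain, empty OUT=) and packets dropped while being
    forwarded (both IN= and OUT= set)."""
    at_firewall, forwarded = Counter(), Counter()
    for line in lines:
        rec = parse_ipt_log(line)
        if rec is None or not rec["prefix"].startswith("IPT-DROP"):
            continue
        key = (rec["src"], rec["proto"], rec["dport"])
        (forwarded if rec["out"] else at_firewall)[key] += 1
    return at_firewall, forwarded


# Constructed sample: two SSH attempts at the firewall, one HTTP attempt
# towards the inner web server, and one non-iptables line that is skipped.
SAMPLE_LOG = [
    "<4>Dec  3 16:32:01 ngoclong kernel: IPT-DROP: IN=eth0 OUT= "
    "MAC=00:0c:29:11:22:33:00:50:56:c0:00:08:08:00 SRC=192.168.0.11 DST=192.168.0.38 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=51001 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "<4>Dec  3 16:32:03 ngoclong kernel: IPT-DROP: IN=eth0 OUT= "
    "MAC=00:0c:29:11:22:33:00:50:56:c0:00:08:08:00 SRC=192.168.0.11 DST=192.168.0.38 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=51002 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "<4>Dec  3 16:32:09 ngoclong kernel: IPT-DROP: IN=eth0 OUT=eth1 "
    "SRC=192.168.0.11 DST=192.168.211.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=51003 DF "
    "PROTO=TCP SPT=51236 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "<38>Dec  3 16:33:00 ngoclong sshd[2210]: Failed password for root from 192.168.0.11 port 51240 ssh2",
]

if __name__ == "__main__":
    print(decode_pri(38))
    for counter in summarize_drops(SAMPLE_LOG):
        print(dict(counter))
```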

Syslog messages use the logging facility and the severity level to divide logging into levels, so that the system can decide where a message is sent and how important it is. The levels are ordered from most important to least important. The general rule is first to configure syslog to record only Information-level messages and then to tune the logging configuration to actual needs. The reason is that the lower the importance level, the more messages are generated, which affects system performance; the administrator has to set a level appropriate to the system.

2.5.2 Proprietary logging methods

Proprietary logging methods are the standard logging methods used by firewalls that have no syslog support; they were developed through the Open Platform for Security Logging Export API (OPSEC LEA). In essence OPSEC LEA is similar to syslog: a logging server has to be installed to record information through its own procedures. Firewalls such as ISA Server mostly use proprietary logging methods that record events into a database, for example MSDE or an SQL database. One advantage of such a logging system is the ability to aggregate the data and run different queries against the database, which gives a wide range of flexible reporting features.

2.6 Firewall log review and analysis

2.6.1 Overview

To support the analysis of log files, many firewall management tools let the administrator analyse the log files and record the information needed to identify the problem at hand. Another aspect is that log files need a regular retention policy. This raises the question of which data in the log files is actually needed before the files are deleted, which means converting them into a standard format that allows data from different sources (for example from other firewalls) to be viewed together.

2.6.2 Event information from log files

Once the log files have been obtained from the firewall and analysis begins, it is important to pay attention to the bad events at all times. In practice these log files are the key to finding security-related problems and are the only tool available for analysis. The same information can also be used to support the operation of the firewall. Finally, the easiest way to find the bad patterns is to recognise the good ones and then proceed by elimination. There are ten basic events:

+ Authentication Allowed: sounds harmless, but it is actually very important to identify allowed-authentication events, because they confirm where the firewall permitted access that it could have denied. The reason is that while legitimate administrators log in, unauthorised users must not be able to use the account and password the administrator is using. Moreover, if the firewall is configured to authenticate users before granting access, this information can be used to identify the authenticated users and the applications they use.

+ Traffic Dropped (not at the firewall): most firewalls protect a specific set of resources. Traffic addressed to these servers is monitored and filtered carefully by the firewall. Nevertheless, traffic-dropped records show who tried to reach the resources, which may not match what the administrator configured; usually this is just a common configuration error. So if a user cannot reach a resource, review the log files to see which traffic the firewall dropped, and correcting the declared path will solve the problem.

+ Firewall Stop/Start/Restart: by default the firewall never stops or restarts without the administrator. However, some situations can cause it, such as a power failure, a system hang, or an attack. Logging is therefore needed to know the origin of the problem.

+ Firewall Configuration Changed: when the firewall configuration is changed, the change-control documents must be adjusted to match, to ensure that the changes are legitimate and to support troubleshooting of problems that arise later.

+ Interface Up/Down Status Changed: a firewall interface changing state from up to down or vice versa can lead to network configuration problems. This information is useful in networks with several firewalls, because interfaces changing state can cause the firewall to fail.

+ Administrator Access Granted: whenever the administrator connects successfully to the system, this is recorded. Although this is similar to monitoring authentication, the issue here is that the administrator has privileged access. Most of this access is legitimate, but if an illegitimate access occurs the risk is high, so the log must be checked to see whether the administrator account has been stolen.

+ Authentication Failed: this may be a user trying passwords by brute force in order to find the real password. A failed-authentication event may come from a login to a private account or to an administrator account.

+ Traffic Dropped (at the firewall): similar to dropping packets destined for a server, but in this case the packets are addressed to the firewall itself. Normally the firewall has no traffic directed at it on its external interfaces; instead all traffic is directed to the internal resources. This event can mean that a user wants to take control of the firewall, or it can be a configuration error involving ICMP or IPSEC, management traffic, or routing protocols.

+ Administrator Session Ended: just as an administrator login is recorded, the end of an administrator's session must also be tracked, to know which administrator was logged in. This event tracks the time precisely, because only the administrator can change the firewall, so the log files are analysed carefully for the period after the session ended to determine which changes took place in the system.

+ Connection Was Torn Down: tearing down a connection after routing is normal. However, some reasons for tearing down a connection are not normal. For example, a SYN packet that exceeds its timeout can mean that someone is running a DoS attack against the system.

2.7 Overview of Snort inline

2.7.1 Introduction to Snort inline

Snort inline is a modified version of Snort (IDS). It accepts packets from iptables or IPFW through libipq (Linux) or divert sockets (FreeBSD). It receives the packets handed over by the Netfilter firewall with the help of the libipq library, compares them against Snort's intrusion signatures, and drops them if they match the rules that have been set up. Finally the packets are returned to netfilter, which is where snort-inline drops them.

2.7.2 Snort-inline and Iptables

Netfilter is a module of the Linux kernel available from kernel 2.4 onward. It provides three main functions:

Packet filtering: accepts or drops packets.

NAT: changes the source or destination IP address of packets.

Packet mangling: rewrites packets.

IPTables is the tool needed to configure netfilter; it has to be run with root privileges. If a packet matches one of the attack signatures in snort_inline, it is tagged through libipq and handed back to Netfilter, where it is dropped. Snort inline is open-source intrusion detection software that works on signatures, which allows it to monitor and detect signs of network attacks. Snort has been developed by many organisations and companies and turned into commercial products such as Sourcefire and Astaro.

Snort inline is mainly a rule-based IPS, but input plug-ins also exist to detect anomalies in protocol headers. Snort uses rules stored in text files, which the administrator can edit. The rules are grouped into types, and the rules of each type are stored in different files. The main configuration file of Snort inline is snort.conf. Snort inline reads these rules at startup and builds the data structures that apply the rules to captured data. Finding signatures and using them in rules is a delicate matter, and the more rules we use, the more processing power is required to handle the data collected in practice. Snort inline ships with a predefined set of rules for detecting intrusion actions. The rules of Snort inline are open: the network administrator can create new rules and we can add rules of our own. We can also remove some of the pre-created rules to avoid false alarms. The main characteristics of Snort inline:

- Supports many platforms: Linux, OpenBSD, FreeBSD, Solaris, Windows, etc.

- Detects a large number of different probes and intrusions, such as buffer overflows, CGI attacks, operating system fingerprinting, ICMP, viruses, etc.

- Detects intrusions quickly, in real time.

- Provides the administrator with the information needed to handle incidents when an intrusion occurs.

- Lets the administrator define new intrusion signatures easily.

- Is open-source software and costs nothing to acquire.

Figure 2.6 Snort IPS model

2.7.3 Operating modes

Snort inline can be configured to run in three modes:

+ Sniffer Mode: captures packets and only displays the headers of the TCP/IP packets on the screen. The command syntax is as follows:

snort -v: runs snort and displays the IP/TCP/UDP/ICMP headers.

snort -vd: displays the headers together with the packet data.

snort -vde: the same as above but in more detail, showing the data-link layer header as well.

+ Packet Logger Mode: when the captured packets are to be written to a storage location for later review, packet logger mode serves the network administrator well. This mode specifies the storage location; with the following syntax, snort automatically saves the information into the directory:

snort -vde -l /usr/local/log/snort

The log is stored in binary form, which increases Snort's packet-capture capacity. Most systems can capture packets and write them to a log file at 100 Mbps without any problem.

To write the log file in binary form only, use the -b flag:

snort -b -l /usr/local/log/snort/temp.log

Once packets have been captured, we can read the file just created back with the -r flag; the display is the same as in sniffer mode.

snort -r /usr/local/log/snort/temp.log

+ NIDS Mode: Snort detects intrusions mainly from a rule set that the network administrator defines in the file snort.cfg. Most intrusion behaviours have some signature. Information about these signatures is used to create Snort's rules. The signatures may be present in packet headers, and Snort's rules can examine many parts of a packet to detect them.

To start this mode, use the syntax:

snort -dve -l /usr/local/log -h 192.168.0.0/24 -c snort.cfg

If the administrator runs Snort in this mode for a long time, -v and -e should be removed from the command, because writing data to the screen slows the system down and sometimes causes packets to be lost while Snort is logging. Saving the data-link layer headers is also unnecessary and can be dropped from the command line.

The command that runs Snort in the basic form of NIDS mode:

snort -d -l /usr/local/log -h 192.168.0.0/24 -c snort.cfg

2.8 Components of Snort

Snort was built to satisfy the following basic requirements: high performance, simplicity and great flexibility. The main components of Snort are:

- Packet sniffer
- Preprocessor
- Detection engine
- Logging and alerting system

These components are built on the libpcap library, which provides the ability to listen to and filter packets on the network.

Figure 2.7 Packet processing

2.8.1 Packet sniffer

Packet sniffer: the packet sniffer is a device (hardware or software) placed in the system to capture the traffic entering and leaving the network. It lets an application or a device listen to all of the data travelling across the network.

2.8.2 Preprocessor

Preprocessor: after all packets have been captured, they are passed to the preprocessor, which checks whether the packets are valid. The preprocessor compares these packets against its plug-ins (for example the RPC plug-in, the HTTP plug-in, the port-scanning plug-in, and so on). The packets are checked to see whether their behaviour matches the behaviour described in a plug-in; if it does, the packets are passed on to the intrusion detection engine. The preprocessor is a very useful component of Snort. Because it is a plug-in that can be switched on or off as needed, it helps a great deal in tuning system resources or the alert level. For example, when the network administrator receives too many port-scan alerts during work, they can switch off this plug-in while the other plug-ins keep working normally.

2.8.3 Detection engine

After the packets pass through the preprocessor, they are handed to the intrusion detection engine. If a packet matches any rule, it is sent to the alert processor. The detection engine and the rule sets make up a very large part of what must be known to understand Snort. Snort has its own command syntax for use in the rule sets. This syntax can refer to the network protocol, content, length, header fields and many other elements, including the characteristics that identify buffer overflows. Snort uses rules to detect intrusions on the network. Consider the following rule:

alert tcp !192.168.0.0/24 any -> any any (flags: SF; msg: SYN-FIN Scan;)

A rule has two parts: the Header and the Option.
Header: alert tcp !192.168.0.0/24 any -> any any
Option: (flags: SF; msg: SYN-FIN Scan;)
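The header/option split just described, carried through to a small matcher, as an added example that is neither the thesis's code nor Snort's own: it parses rules into their header fields and option pairs, supports any, CIDR and ! negation for addresses, single ports and start:end ranges, both -> and <> directions, and the flags, content and msg options, and applies rules in order so that the first match wins. The packets it is run against are constructed descriptions, not captured traffic.

```python
"""Split Snort rules into header and option parts and match constructed
packets against them with first-match semantics.  Added example, not part of
the thesis or of Snort itself: it handles any / CIDR / !negation addresses,
single ports and start:end ranges, both -> and <> directions, and the flags,
content and msg options; other options are parsed but ignored."""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$")


def parse_rule(text):
    """Header fields plus a list of (option, value) pairs; quoted semicolons
    inside content strings are not handled."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    rule = m.groupdict()
    options = []
    for item in (rule.pop("opts") or "").split(";"):
        if item.strip():
            key, _, value = item.partition(":")
            options.append((key.strip(), value.strip().strip('"')))
    rule["options"] = options
    return rule


def addr_ok(spec, addr):
    """'any', a CIDR block, or '!' followed by a CIDR block."""
    if spec == "any":
        return True
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != spec.startswith("!")


def port_ok(spec, port):
    """'any', a single port, or a range written start:end (either end may be open)."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    lo, sep, hi = spec.lstrip("!").partition(":")
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if sep else low)
    return (low <= port <= high) != negate


def options_ok(options, pkt):
    """flags: exactly the listed TCP flags set; content: substring of the payload."""
    for key, value in options:
        if key == "flags" and set(value) != set(pkt.get("flags", "")):
            return False
        if key == "content" and value not in pkt.get("payload", ""):
            return False
    return True


def rule_matches(rule, pkt):
    """Header in the rule's direction (or either way for <>), then the options."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    forward = (addr_ok(rule["src"], pkt["src"]) and port_ok(rule["sport"], pkt["sport"])
               and addr_ok(rule["dst"], pkt["dst"]) and port_ok(rule["dport"], pkt["dport"]))
    backward = rule["dir"] == "<>" and (
        addr_ok(rule["src"], pkt["dst"]) and port_ok(rule["sport"], pkt["dport"])
        and addr_ok(rule["dst"], pkt["src"]) and port_ok(rule["dport"], pkt["sport"]))
    return (forward or backward) and options_ok(rule["options"], pkt)


def first_match(rules, pkt):
    """(action, msg) of the first rule that matches, or None: the sequential
    comparison stops at the first hit."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"], dict(rule["options"]).get("msg", "")
    return None


# The three rules discussed in this chapter, parsed once (msg strings quoted).
RULES = [parse_rule(r) for r in (
    'alert tcp !192.168.0.0/24 any -> any any (flags: SF; msg: "SYN-FIN Scan";)',
    'alert tcp any any -> 192.168.0.0/24 80 (content:"/cgi-bin/phf"; msg: "PHF probe!";)',
    'alert tcp any any -> 192.168.0.0/24 6000:6010 (msg: "X traffic";)',
)]


def packet(src, sport, dst, dport, flags="S", payload=""):
    """Constructed TCP packet description used by the matcher."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "payload": payload}


if __name__ == "__main__":
    print(first_match(RULES, packet("10.0.0.5", 40000, "192.168.0.10", 22, flags="SF")))
```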

Figure 2.8 Detection engine

Each intrusion signature is expressed as a rule. So how does Snort manage its set of rules? Snort uses data structures called Chain Headers and Chain Options. This structure consists of a list of Headers, and each Header links to a list of Options. It is organised around the Header because the Header is the part that rarely changes among rules written for the same kind of intrusion detection, while the Option is the part most often modified. For example, suppose we have 60 rules written for CGI-BIN probes; in practice these rules share the source IP, destination IP, source port and destination port, that is, they share the same Header. Each packet is compared sequentially along the lists until the first matching pattern is found, and then the corresponding action is carried out.

2.8.4 Logging and alerting system

This system notifies the network administrator and records intrusion actions against the system. There are currently 3 logging forms and 5 alerting types. The logging forms, chosen when Snort is run:

- Decoded form: the first log form, which is fast to produce.

- tcpdump binary form: follows the same format as tcpdump and is written to disk quickly, suitable for systems that require high performance.
- IP directory tree form: arranges the log as a directory tree by IP address, easy for a person to read.

Figure 2.9 Logging and alerting system

The alerting forms:
- Write the alert to syslog
- Write the alert to a text file
- Send a Winpopup message using the smbclient program
- Full alert: record the alert message together with the packet contents
- Fast alert: record only the packet header. This form is commonly used on systems that require high performance.

2.8.5 Structure of a rule

Snort's rule set is simple enough to understand and write, yet powerful enough to detect all intrusion actions on the network. There are three main actions Snort performs when a packet matches a pattern in the rules:

- Pass: the packet Snort captured is discarded.
- Log: the packet is recorded in whichever logging form was chosen.
- Alert: an alert is generated in the chosen alert form and the whole packet is logged in the chosen logging form.

The most basic form of a rule consists of the protocol, the direction of the packet and the port of interest, without an Option part:

log tcp any any -> 192.168.0.0/24 80

This rule logs every packet entering the network 192.168.0.0/24 on port 80. Another rule, with an Option part:

alert tcp any any -> 192.168.0.0/24 80 (content:"/cgi-bin/phf"; msg: "PHF probe!";)

This rule detects accesses to the PHF service on the web server; an alert is generated and the whole packet is recorded.

IP address ranges in rules are written as CIDR blocks with a netmask; ports can be given individually or as a range, with the starting and ending ports separated by a colon:

alert tcp any any -> 192.168.0.0/24 6000:6010 (msg: "X traffic";)

Common Snort options:
1. content: Search the packet payload for a specified pattern.
2. flags: Test the TCP flags for specified settings.
3. ttl: Check the IP header's time-to-live (TTL) field.
4. itype: Match on the ICMP type field.
5. icode: Match on the ICMP code field.
6. minfrag: Set the threshold value for IP fragment size.
7. ack: Look for a specific TCP header acknowledgement number.
8. seq: Look for a specific TCP header sequence number.
9. logto: Log packets matching the rule to the specified filename.
10. dsize: Match on the size of the packet payload.
11. offset: Modifier for the content option, sets the offset into the packet payload to begin the content search.
12. depth: Modifier for the content option, sets the number of bytes from the start position to search through.
13. msg: Sets the message to be sent when a packet generates an event.

Chapter 3. Experiments with the Iptables Firewall and the Snort inline IPS

3.1 Description of the experiment

In the current economy, agencies, companies and corporations apply information technology more and more widely. As these organisations grow, so does the number of their computers, routers and servers. Computer systems are deployed to suit the purposes of each agency or business. These networks are extremely complex and demand advanced security techniques and technologies. Depending on the needs of each organisation, the techniques and technologies used differ. However, two basic components that every system uses are a firewall and an intrusion detection system (IDS). The experimental model presents a real network model as used in practice, in order to analyse and evaluate the operation of a computer network, the operating mechanisms of the firewall and the IPS, and the detection and prevention capabilities of the IPS and the firewall in the network. Good infrastructure and a powerful computer give the system better processing capability. To simulate the experimental model, the software needed to build the system consists of the firewall, virtual machines, the IPS and VMware. We install VMware on a physical Windows 7 machine and inside VMware build two CentOS virtual machines, one acting as firewall and IPS and the other as web server and FTP server. The machine used for the simulation needs at least 2 GB of RAM, and the more powerful the configuration the better. In this model, an attacker coming from outside must first pass through the firewall and the IPS packet-analysis system. More important, and more dangerous, are attackers from inside. With this system we carry out simulated attacks from outside against the firewall and IPS, and the results obtained are presented in turn below.

Figure 3.1 Overall model

3.2 Experimental network infrastructure

The experimental infrastructure builds the firewall and IPS system on a CentOS machine with two network interfaces: one with address 192.168.0.38 connected to the outside network (the internet), and the other with address 192.168.211.130 connected to the internal network, which contains the web server and FTP server at address 192.168.211.131 with gateway 192.168.211.130. For the simulation, we open connections such as ssh, ping, http and ftp from outside or from inside to the firewall and IDS machine, and at the same time use the firewall and IDS to monitor the detection of intrusions into the system. The firewall can block network traffic, while the IDS can monitor all traffic both inside and outside. Malicious traffic entering the system is detected by the IDS, which alerts the network administrator in time to block the unauthorised intrusion with the firewall. For simplicity, this model only examines attacks from outside against the firewall and IDS system. When an attack on the system occurs, the IDS sends an alert to the administrator through the analysis tool BASE (Basic Analysis and Security Engine). The experimental model is designed to be simple and easy to understand, so that the reader can follow and picture it more easily.

Figure 3.2 Experimental model

3.3 Installing Iptables and Snort on the CentOS operating system

3.3.1 Installing the CentOS operating system

- Operating system: Linux CentOS 5.2

- Kernel: 2.6.18-92.el5

- Account

+ User: root

+ Password: 123456

3.3.2 Installing and configuring Iptables

Iptables is regarded as effective and secure. It has become the firewall package installed by default on RedHat and Fedora Linux. The Iptables package is iptables-version.rpm or iptables-version.tgz and can be installed with:

# rpm -ivh iptables-version.rpm      (on Red Hat)
# apt-get install iptables           (on Debian)

Check whether iptables is already installed:

[root@ngoclong ~]# rpm -qa | grep iptables

Install it (if not yet installed):

[root@ngoclong ~]# rpm -ivh iptables-1.3.5-4.el5.i386.rpm

Preparing

############################

Check that iptables is installed on the system:

[root@ngoclong ~]# rpm -qa | grep iptables

iptables-ipv6-1.3.5-4.el5

iptables-1.3.5-4.el5

Configuring iptables: there are two ways to configure iptables, with commands or by editing the file /etc/sysconfig/iptables.

Iptables configuration that denies ssh, ping and http access (a COMMIT line, which iptables-restore requires to activate each table, closes the filter and nat sections):

*filter
-A INPUT -p icmp --icmp-type any -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j DROP
-A FORWARD -s 0/0 -i eth0 -d 192.168.211.131 -o eth1 -p tcp --sport 1024:65535 --dport 80 -j DROP
-A FORWARD -s 0/0 -i eth0 -d 192.168.211.131 -o eth1 -p tcp --sport 1024:65535 --dport 22 -j DROP
COMMIT
*nat
-A PREROUTING -d 192.168.0.38 -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.211.131:80
-A PREROUTING -d 192.168.0.38 -i eth0 -p tcp --dport 22 -j DNAT --to-destination 192.168.211.131:22
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.38
COMMIT

Iptables configuration in which the ssh, ping and http services are allowed to reach the firewall:

*filter
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FORWARD -s 0/0 -i eth0 -d 192.168.211.131 -o eth1 -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A FORWARD -s 0/0 -i eth0 -d 192.168.211.131 -o eth1 -p tcp --sport 1024:65535 --dport 22 -j ACCEPT
COMMIT

3.3.3 Installing and configuring Snort

Install the dependency packages (the machine must be connected to the internet):

# yum install gcc gcc-c++ kernel-devel patch make libxml2 pcre-devel php php-common php-gd php-cli php-mysql flex bison libpcap libpcap-devel mysql mysql-devel mysql-bench mysql-server -y

Install pear from its website:

# wget http://pear.php.net/go-pear
# php -q go-pear

BASE can now be prepared by running the following commands:

# pear install Image_Color-1.0.3

# pear install Image_Canvas-0.3.2

# pear install Log-1.12.0

# pear install Numbers_Roman-1.0.2

# pear install Numbers_Words-0.16.1

# pear install Image_Graph-0.7.2

# pear install Image_GraphViz-1.3.0RC3

Download Libnet from http://www.filewatcher.com/m/libnet-1.0.2a.tar.gz

# cd /usr/local/

# tar zxvf /Download/libnet-1.0.2a.tar.gz

# cd Libnet-1.0.2a/

# ./configure && make && make install

Download Snort and the Snort rules from http://www.snort.org. Register an account at snort.org and download the registered-user ruleset.

# cd /usr/local/

# tar zxvf /Download/snort-2.8.5.3.tar.gz

# cd snort-2.8.5.3/

# ./configure --enable-sourcefire --enable-targetbased --with-mysql

# make && make install

Create the Snort account and storage directories:

# mkdir /etc/snort
# mkdir /var/log/snort
# groupadd snort
# useradd -g snort snort

# chown snort:snort /var/log/snort
# cd /etc/snort/

# tar zxvf /Download/snortrules-snapshot-CURRENT.tar.gz

# cp etc/* /etc/snort/

# ln -s /usr/local/bin/snort /usr/sbin/snort

# cd /etc/snort/so_rules/precompiled/CentOS-5.0/i386/2.8.5.3

# cp * /usr/local/lib/snort_dynamicrules/

Configuring Snort

Edit the configuration file /etc/snort/snort.conf:

var HOME_NET 192.168.0.0/24
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

Create some experimental rules for Snort:

# vi /etc/snort/rules/local.rules

alert tcp any any -> any 23 (msg:"Telnet Connection=> Attempt"; sid:100001;)
alert tcp any any -> 192.168.0.0/24 any (flags: SF; msg:"SYN-FIN=>scan detected"; sid:1000002;)
alert tcp any any -> 192.168.0.0/24 any (flags: A; ack: 0; msg:"TCP ping detected"; sid:100003;)
alert tcp any any -> any 22 (msg:"ssh connection=>Attempt"; sid:1000004;)

- Start Snort for the first time:

# /usr/local/bin/snort -Dq -u snort -g snort -c /etc/snort/snort.conf

Check whether Snort is running and writing its log:

# cd /var/log/snort

# ls -l

total 12144
-rw------- 1 root root 6205014 Dec 3 16:32 snort.alert
-rw------- 1 root root 6205014 Dec 3 16:32 snort.log

Installing Barnyard

Barnyard is an application used to offload the work of writing log files and alerts from Snort, so that Snort can devote its resources to its own function.

# wget http://snort.org/dl/barnyard2-1.8.tar.gz
# cd /usr/local/
# tar zxvf /Download/barnyard2-1.8.tar.gz
# cd barnyard2-1.8/
# ./configure --with-mysql

# make && make install

# cd etc/

# cp barnyard.conf /etc/snort

3.3.4 Configuring the MySQL server

Create the database with MySQL:

# service mysqld start

# mysql

mysql> set password for root@localhost = password('123456');
mysql> create database snort;
mysql> grant create, insert, select, delete, update on snort.* to snort@localhost;
mysql> set password for snort@localhost = password('123456');
mysql> exit

# cd /usr/local/snort-2.8.5.3/schemas/
# mysql -p snort < create_mysql
Enter password:

# mysql -p
mysql> show databases;
mysql> use snort;
mysql> show tables;
mysql> exit

3.3.5 Configuring Snort to write alerts to MySQL

# vi /etc/snort/snort.conf

- Find the line below, remove the comment marker at the start of the line and adjust the values as needed:

output database: log, mysql, user=snort password=123456 dbname=snort host=localhost

- Restart snort and check whether Snort and Barnyard2 are working together to write logs into the database:

# mysql -u snort -p'123456' -D snort -e "select count(*) from event"
count(*)

280278

If the number is not 0, Snort and Barnyard2 are synchronised with each other.

Installing ADODB

Download ADODB from http://nchc.dl.sourceforge.net/sourceforge/adodb/

# cd /var/www/html/

# tar zxvf /Download/adodb4991.tgz

3.3.6 Installing and configuring Basic Analysis and Security Engine (BASE)

BASE is an application that provides a web interface for querying and analysing Snort alerts.

# cd /var/www/html

# tar zxvf /Download/base-1.4.5.tar.gz

# mv base-1.4.5 base

# chmod 777 base

# cd base

# cp base_conf.php.dist base_conf.php

Configuring BASE:

# vi base_conf.php

Edit the following lines:

$BASE_urlpath = '/base';
$DBlib_path = '/var/www/html/adodb';
$alert_dbname = 'snort';
$alert_password = '123456';
$archive_exists = 1; # set this to 1 if you have an archive DB
$archive_dbname = 'snort';
$archive_user = 'snort';
$archive_password = '123456';
$external_whois_link = 'index.php';
$external_dns_link = 'index.php';
$external_all_link = 'index.php';

At this point Snort is basically operational. This can be checked with the following command:

# snort -c /etc/snort/snort.conf -i eth0

Figure 3.3 Snort running

After Snort has checked all the information it needs in order to run, the following line appears:

Not Using PCAP_FRAMES

Snort is now running and recording everything it detects that shows suspicious signs.

dng s hot ng ca Snort, bm Ctrl_C

3.4 The system after installation

3.4.1 Basic configuration information

The firewall/IDS has two network interfaces, currently connected as follows:

+ eth0 is used for administration and for listening for intrusions coming from outside

+ eth1 connects to the internal network (http, ssh, ftp)

Information about the CentOS operating system:

- Administrator account: root/root

- eth0 interface

+ IP: 192.168.0.38/24

+ Netmask: 255.255.255.0

+ Network: 192.168.0.0/24

+ Broadcast: 192.168.0.255

+ Gateway: 192.168.0.254

- Installed software:

+ Iptables

+ Snort 2.8.5.3

+ MySQL Server

+ PHP

+ Barnyard2

+ Basic Analysis and Security Engine 1.4.5

3.4.2 Using Snort

- Configuration file: /etc/snort/snort.conf

- Rules directory: /etc/snort/rules/

- Log directory: /var/log/snort/

To start the Snort process, type:

# /etc/init.d/snort start

or

# /usr/local/bin/snort -Dq -u snort -g snort -i eth0 -c /etc/snort/snort.conf

To stop the Snort process, type:

# pkill snort

3.4.3 Experimental results for the Iptables firewall

Test: the ssh, ping and http services are not allowed to reach the firewall:

Ping test:

C:\>ping 192.168.0.38

Pinging 192.168.0.38 with 32 bytes of data:

Reply from 192.168.0.38: Destination host unreachable.

Reply from 192.168.0.38: Destination host unreachable.

Reply from 192.168.0.38: Destination host unreachable.

Reply from 192.168.0.38: Destination host unreachable.

Ping statistics for 192.168.0.38:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

SSH test: from another machine with PuTTY installed, test ssh access, or open cmd and use the command: telnet 192.168.0.38 22

C:\> telnet 192.168.0.38 22

Connecting To 192.168.0.38...Could not open connection to the host, on port 22: Connect failed

HTTP test:

Figure 34: Access to the web page is denied
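The raw ping and telnet transcripts used in this section (the denied case above and the allowed case that follows) can be judged automatically rather than by eye. The shell script below is an added example, not part of the thesis; its transcripts are constructed in the same shape as the page's output and trimmed to the lines that matter. It counts genuine echo replies instead of trusting the Windows summary line, because Windows also counts "Destination host unreachable" messages as received packets, which is why a fully blocked run can still report 0% loss.

```shell
#!/bin/sh
# Added example, not from the thesis: turn raw probe output into a
# blocked/allowed verdict. All transcripts below are constructed samples.

PING_DENIED='Pinging 192.168.0.38 with 32 bytes of data:
Reply from 192.168.0.38: Destination host unreachable.
Reply from 192.168.0.38: Destination host unreachable.
Ping statistics for 192.168.0.38:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),'

PING_ALLOWED='Pinging 192.168.0.38 with 32 bytes of data:
Reply from 192.168.0.38: bytes=32 time=9ms TTL=64
Reply from 192.168.0.38: bytes=32 time=9ms TTL=64
Ping statistics for 192.168.0.38:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),'

TELNET_DENIED='Connecting To 192.168.0.38...Could not open connection to the host, on port 22: Connect failed'
TELNET_ALLOWED='login as: root'

# Count real echo replies: only lines carrying bytes= and TTL= are answers
# from the host. "Destination host unreachable" lines are reported by Windows
# as "Received", so the summary line alone cannot tell the two cases apart.
echo_replies() {
    printf '%s\n' "$1" | grep -c 'Reply from .*bytes=.*TTL=' || true
}

# What the Windows summary line claims was received (for comparison only).
summary_received() {
    printf '%s\n' "$1" | sed -n 's/.*Received = \([0-9]*\).*/\1/p'
}

# Verdict for ICMP: allowed only if at least one genuine echo reply arrived.
ping_verdict() {
    if [ "$(echo_replies "$1")" -gt 0 ]; then echo allowed; else echo blocked; fi
}

# Verdict for a TCP service probed with telnet: a login prompt or SSH banner
# means the port is reachable; a connect failure means the firewall dropped
# or rejected the connection.
tcp_verdict() {
    case "$1" in
        *"Could not open connection"*) echo blocked ;;
        *"login as:"*|*SSH-*) echo allowed ;;
        *) echo unknown ;;
    esac
}

echo "ping (denied run):  $(ping_verdict "$PING_DENIED") (summary says Received = $(summary_received "$PING_DENIED"))"
echo "ping (allowed run): $(ping_verdict "$PING_ALLOWED")"
echo "ssh  (denied run):  $(tcp_verdict "$TELNET_DENIED")"
echo "ssh  (allowed run): $(tcp_verdict "$TELNET_ALLOWED")"
```

Feed the functions a saved transcript (for example `ping_verdict "$(cat ping.txt)"`) to compare a run against the policy the firewall is supposed to enforce: the denied run should give blocked for both ping and ssh, the allowed run should give allowed for both.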

Test: the ssh, ping and http services are allowed to reach the firewall:

SSH test:

C:\> telnet 192.168.0.38 22

login as: root

root@192.168.0.38's password:

last login: Mon Nov 29 17:02:45 2010 from 192.168.0.11

[root@ngoclong ~]#

Ping test:

C:\>ping 192.168.0.38

Pinging 192.168.0.38 with 32 bytes of data:

Reply from 192.168.0.38: bytes=32 time=9ms TTL=64

Reply from 192.168.0.38: bytes=32 time=9ms TTL=64

Reply from 192.168.0.38: bytes=32 time