Transcript of [123doc.vn] Chapter 4
-
3/18/2013
1
University of Information Technology, Faculty of Computer Networks and Communications
MSc. Ho Hai, Intrusion Search, Detection and Prevention Systems
Intrusion detection and prevention systems deployed on end devices (Host-based IDS/IPS)
-
2
Capabilities of HIPS
- Must be able to block the activity of malicious code.
- Must not disrupt normal activity.
- Must be able to tell attack events apart from normal events.
- Must be able to block previously unknown attacks.
- Must protect vulnerabilities in applications.
- Should be centrally managed.
-
3
Benefits of HIPS
- Attack prevention
- Internal attack propagation prevention
- Policy enforcement
- Acceptable Use Policy enforcement
-
4
Limitations of HIPS
- Subject to end-user tampering
- Lack of complete coverage
- Attacks whose target is not a computer
-
5
Limitations of HIPS: end-user tampering
Some forms of tampering can impair the HIPS.
-
6
Limitations of HIPS: lack of complete coverage
A HIPS can only protect the hosts it is installed on.
-
7
The target is not a computer
-
8
Components of HIPS
HIPS products usually have two essential components:
- Software installed on the end device to protect that device, called Endpoint Agents.
- A management infrastructure that manages the agents.
-
9
Endpoint Agents: the access control process
-
10
Endpoint Agents: identifying the resource being accessed
The first step in the access control process is identifying the resource being accessed. This identification triggers the data collection step and changes the kind and amount of data that is collected.
Question: is how the resource is identified important?
-
11
Endpoint Agents: identifying the resource being accessed (cont.)
The life cycle of an attack
-
12
Endpoint Agents: identifying the resource being accessed (cont.)
Recognise the resources an attack needs at each stage:
- Network
- Memory
- Application execution
- Files
- System configuration
-
13
Endpoint Agents: collecting data about the activity
Four common data collection methods:
- Kernel modification
- System call interception
- Virtual operating systems
- Network traffic analysis
-
14
Endpoint Agents: collecting data about the activity (cont.)
Kernel modification
-
15
Endpoint Agents: collecting data about the activity
System call interception
-
16
Endpoint Agents: collecting data about the activity
System call interception (cont.): example on Windows
- CSATdi (transport driver interface)
- CSAFile
- CSAReg
- CSACenter
-
17
Endpoint Agents: collecting data about the activity
Virtual operating systems: before an action is allowed, the action is first executed in a virtual copy of the operating system.
-
18
Endpoint Agents: collecting data about the activity
Network traffic analysis
-
19
Endpoint Agents: collecting data about the activity
Data collected for each resource type
Resource type: data collected
- All: time, endpoint identification, access token, credential
- Network monitoring: source and destination IP address; source and destination port
- Network connection request: process name, IP address, port, action (accept, reject)
- File access: process name, file path, file name, action (read, write)
- Registry access: process name, key path, key name, value, type
- Application execution: process name, process path, target process name, target process path
- Kernel protection: kernel module name, module hash, code pattern
- Memory: process name, function call, buffer return address, buffer contents
-
20
Endpoint Agents: determining the system state
All relevant data has been collected, but the state of the system can change the outcome of the request. There are three kinds of state:
- Location state
- User state
- System state
-
21
Endpoint Agents: consulting the security policy
-
22
Endpoint Agents: deciding on an action
The actions:
- Permit: allow the action to take place.
- Deny: do not allow the action to take place.
- Log event: combined with Permit or Deny. For example, the action should be allowed but must be recorded.
- Drop packet: discard the packet that triggered the signature.
- Shun host: discard all network traffic, accepting no incoming connections from, and creating no outgoing connections to, a specific host or group of hosts.
- Query the user: ask the user whether or not the action is allowed.
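The five steps on the preceding slides (identify the resource, collect the data listed in the table for that resource type, determine the location/user/system state, consult the policy, decide on an action) as one small decision pipeline. This is an added example, not code from the lecture or from any product; the policy rules, the state values and the request fields are constructed for illustration.

```python
from dataclasses import dataclass

PERMIT, DENY, LOG, QUERY_USER = "permit", "deny", "log", "query user"

# Step 1 decides the resource type; step 2 collects the fields the lecture's
# table lists for that type, on top of the fields gathered for every request.
COLLECT = {
    "file":     ("process", "path", "file", "action"),
    "registry": ("process", "key_path", "key", "value", "type"),
    "network":  ("process", "ip", "port", "action"),
    "memory":   ("process", "function", "return_addr"),
}

def collect(resource, raw):
    fields = ("time", "endpoint", "credential") + COLLECT[resource]
    return {k: raw.get(k) for k in fields}

# Step 3: location, user and system state can change the outcome.
@dataclass
class State:
    location: str = "corporate"   # constructed values: "corporate" / "remote"
    user: str = "standard"        # "standard" / "admin"
    system: str = "normal"        # "normal" / "degraded"

# Step 4: the security policy. Each rule is (resource, predicate, actions);
# the rules are constructed for illustration and the first match wins.
POLICY = [
    # return address pointing into the stack: a buffer-overflow symptom
    ("memory", lambda d, s: (d["return_addr"] or "").startswith("stack:"), {DENY, LOG}),
    # a non-admin user touching a machine-wide service key
    ("registry", lambda d, s: (d["key_path"] or "").startswith("HKLM\\SYSTEM")
                               and s.user != "admin", {DENY, LOG}),
    # SMB / RDP connections while the host is off the corporate network
    ("network", lambda d, s: s.location == "remote" and d["port"] in (445, 3389), {DENY, LOG}),
    # writes to system configuration are allowed only after asking the user
    ("file", lambda d, s: (d["path"] or "").startswith("/etc/")
                           and d["action"] == "write", {QUERY_USER, LOG}),
]

def decide(resource, raw, state=State()):
    """Step 5: return (set of actions, collected data) for one access request."""
    data = collect(resource, raw)
    for res, predicate, actions in POLICY:
        if res == resource and predicate(data, state):
            return actions, data
    return {PERMIT}, data
```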
-
23
Management Infrastructure
Consists of:
- Management Center
- Management Interface
-
24
Management Infrastructure
Management Center: a database, an event handling capability, and policy management.
Note: these three components are logical. Depending on the management model, each of them may be installed on a different physical machine.
-
25
Management Infrastructure
Management Center
-
26
Management Infrastructure
Management Center: database
The database is the most important component of the Management Center, because it is the store of policy information. It must be robust enough to support the number of agents using it without breaking, and to withstand attacks.
Commonly used databases: Microsoft SQL Server, Oracle...
-
27
Management Infrastructure
Management Center: event and alert handling
Covers supplying events and raising alerts.
An event is simply a piece of information (which may or may not be important). Alerts are events that have been flagged, usually by the network administrator.
-
28
Management Infrastructure
Management Center: event and alert handling
-
29
Management Infrastructure
Management Center: policy management
This is the policy editor used to change policies and distribute them to the agents.
The communication channel used to distribute policy changes must be reliable and secure.
-
30
Management Infrastructure
Management Center: policy management models
- Push: policy changes are delivered to the agents by the Management Center.
- Pull: the agents periodically check the Management Center for policy changes.
- Push/Pull
-
31
Management Infrastructure
Management Interface: this is the tool the administrator uses to interact with the Management Center.
-
32
Management architecture
-
33
Cisco Security Agent (CSA)
- CSA is an intrusion prevention system deployed on end hosts (HIPS).
- CSA consists of:
+ CSA MC: installed on a Windows 2003 system, comprising the database server and a web-based user interface.
+ CSA: installed on servers or workstations.
-
34
Cisco Security Agent (CSA)
CSA MC: using the CSA MC, hosts can be placed in a common group and have a common security policy applied to them. All configuration is done through the web-based user interface and then deployed to the CSA agents.
-
35
Cisco Security Agent (CSA)
CSA MC
-
36
CSA MC architecture
The CSA MC architecture consists of a central management centre (database) and the hosts on which the CSA software is installed. Agents register with the CSA MC. The CSA MC checks its database for that system. Once the system is found and authenticated, the CSA MC deploys the policy to it.
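The pull distribution model from slide 30, the reliable and secure channel requirement from slide 29, and the register/look-up/authenticate/deploy sequence on this slide, combined in one added example. It is not Cisco's code or the lecture's: the agent registry and group layout are constructed, and an HMAC under a per-agent shared key stands in for the authenticated channel a real product would provide (an assumption made to keep the example self-contained).

```python
import hashlib, hmac, json

class ManagementCenter:
    """Policy-editor side. Registered agents are keyed by id (constructed
    registry); each agent belongs to a group that shares one policy."""
    def __init__(self):
        self.agents = {}     # agent_id -> (group, shared key)
        self.policies = {}   # group -> (version, rules)

    def register(self, agent_id, group, key):
        self.agents[agent_id] = (group, key)
        self.policies.setdefault(group, (0, {}))

    def publish(self, group, rules):
        version, _ = self.policies[group]
        self.policies[group] = (version + 1, rules)

    def serve(self, agent_id):
        """Reply to a polling agent: serialized policy plus its MAC, or None
        when the agent is not in the database (the look-up step)."""
        if agent_id not in self.agents:
            return None
        group, key = self.agents[agent_id]
        version, rules = self.policies[group]
        body = json.dumps({"version": version, "rules": rules}, sort_keys=True).encode()
        return body, hmac.new(key, body, hashlib.sha256).hexdigest()

class Agent:
    def __init__(self, agent_id, key):
        self.agent_id, self.key = agent_id, key
        self.version, self.rules = 0, {}

    def poll(self, center):
        """Pull model: the agent asks the centre for its policy. In a push or
        push/pull model the centre would instead trigger this call."""
        return self.apply(center.serve(self.agent_id))

    def apply(self, reply):
        """Install a policy only if the MAC verifies (channel integrity) and
        the version is newer than the installed one (no replay of old policy)."""
        if reply is None:
            return "not registered"
        body, mac = reply
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return "rejected: bad mac"
        msg = json.loads(body)
        if msg["version"] <= self.version:
            return "unchanged"
        self.version, self.rules = msg["version"], msg["rules"]
        return "applied v%d" % self.version
```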
-
37
CSA MC architecture
-
38
Cisco Security Agent (CSA) architecture