2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
I. The concept of network audit
1.1 The origin of network audit
Audit originates from financial management, where it is used to examine whether an enterprise's business conduct is lawful; it began in finance, as the auditing of accounts. Extending the concept of audit to the network can be traced back to the early days of IDS (intrusion detection system) research. At first it was an audit of host logs to find intrusion behavior, which later developed into host IDS technology (IDS technology can be divided into host IDS and network IDS). Because a host IDS only detects behavior on that host and consumes the host's valuable resources, security vendors, as networks kept growing, thought of collecting the raw network data directly through a mirror of the network link, which is the widely used network IDS.
1.2 Definition of network audit
Network audit mirrors the packets on a network link to a server (usually an IDS or an audit device); during the later audit, the server identifies the service, restores the packets for analysis and then reconstructs a user's Internet behavior at a specific time. In this way one can judge whether a user's online behavior is legal, provide evidence of illegal behavior, check whether the business is in compliance, and also analyze the hidden vulnerabilities of the current security defense system.
Note: audit is aimed not at external users but at internal users of the network. After all, most security problems in a network come from internal personnel; the main roles of audit are security deterrence, later investigation and forensics.
II. The working principle of network audit products
2.1 Product design architecture
The product design architecture is divided into a control center, a database, a console and data collection engines, deployed in a distributed way.
2.2 Ways of obtaining information
1. Mirroring the network link
A typical way is port mirroring on the network link (an optical link can also use a splitter), that is, copying the communication signal (data) of the normal network to the mirror device. In the figure, the blue line is the IDS information collection and the red line is the audit information collection. Depending on how the product is deployed with a separate data collection engine, the mirroring can be one-to-one or many-to-one based on the traffic volume.
2. Collecting information from the host
Collecting information on a host generally requires installing agent software; it can also be obtained from the host through protocols such as Syslog and SNMP. Early host IDS technology analyzed the system log, and then developed into monitoring the host's processes and status; the system operation log, the security log and the operation log of the database on the host are also data sources of the audit system.
2.3 Service identification technology
The collected information needs further processing: packets mirrored from the network must first be reassembled into the communication protocol and located to the specific connection, which is what we usually call service identification technology. The service identification technology of IDS is basically the same as that of audit.
Whether analyzing whether something is an intrusion or recording user behavior, it is inevitable to identify what the user is doing. Identifying and matching standard protocols is relatively easy, but many applications use encryption or are hidden inside other protocols, such as P2P, so they are troublesome to identify. Feature matching is generally used in traffic management technology, but application features are numerous and change rapidly. For IDS devices the intruder's face is unknown and may come through various means of communication, so the requirement on feature recognition is higher. For audit products the applications to be audited are known, and services the system does not provide need not be audited, so feature recognition can be simpler.
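The identification step described above, as an added example that is not code from the article or from any audit product: payload features are matched first, the destination port is used only as a weak fallback, and each session is flagged as to whether a link-mirror audit could still restore its content (the limitation for encrypted applications noted in the text). All segments, addresses and ports are constructed.

```python
# Added example (not the product code from the article): a small service
# identification step -- match payload features first, fall back to the
# destination port, and flag which sessions a link-mirror audit can still
# reconstruct. Sample segments are constructed, not captured traffic.
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Segment:
    src: str        # client address (constructed)
    dst: str        # server address (constructed)
    dport: int      # destination port
    payload: bytes  # first bytes of the TCP payload

# Feature signatures tried in order; a match beats any port hint.
SIGNATURES = [
    ("HTTP",   re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("HTTP",   re.compile(rb"^HTTP/1\.[01] \d{3} ")),
    ("SSH",    re.compile(rb"^SSH-2\.0-")),
    ("FTP",    re.compile(rb"^(220[ -].*FTP|USER |PASS |RETR |STOR )", re.I | re.S)),
    ("SMTP",   re.compile(rb"^(220[ -].*E?SMTP|EHLO |HELO |MAIL FROM:)", re.I | re.S)),
    # TLS record: content type 0x16 (handshake), version 3.x, 2-byte length, ClientHello 0x01
    ("TLS",    re.compile(rb"^\x16\x03[\x00-\x04]..\x01", re.S)),
    ("TELNET", re.compile(rb"^\xff[\xfb-\xfe]")),          # IAC WILL/WONT/DO/DONT
    ("BT",     re.compile(rb"^\x13BitTorrent protocol")),  # BitTorrent handshake
]

# Weak fallback: well-known ports, used only when no feature matched.
PORT_HINTS = {21: "FTP", 22: "SSH", 23: "TELNET", 25: "SMTP", 80: "HTTP", 443: "TLS"}

# Protocols whose content a mirror-based audit cannot restore from the link alone.
ENCRYPTED = {"TLS", "SSH"}

def identify(seg: Segment) -> Tuple[str, str]:
    """Return (protocol, method) where method is 'feature', 'port' or 'none'."""
    for name, pattern in SIGNATURES:
        if pattern.match(seg.payload):
            return name, "feature"
    if seg.dport in PORT_HINTS:
        return PORT_HINTS[seg.dport], "port"
    return "UNKNOWN", "none"

def auditable(protocol: str) -> bool:
    """True when the audit engine can reconstruct what the user did from the mirror."""
    return protocol != "UNKNOWN" and protocol not in ENCRYPTED

# Constructed sample segments (not captured traffic).
SAMPLES: List[Segment] = [
    Segment("10.0.0.5", "10.0.0.9", 8080, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Segment("10.0.0.5", "10.0.0.9", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Segment("10.0.0.5", "10.0.0.9", 443, b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x03" + b"\x00" * 32),
    Segment("10.0.0.5", "10.0.0.9", 23, b"\xff\xfd\x18\xff\xfd\x20"),
    Segment("10.0.0.5", "10.0.0.9", 6881, b"\x13BitTorrent protocol" + b"\x00" * 8),
    Segment("10.0.0.5", "10.0.0.9", 21, b""),                  # no payload yet: port hint only
    Segment("10.0.0.5", "10.0.0.9", 31337, b"\x00\x01\x02\x03"),
]

def classify_all(segments: List[Segment] = SAMPLES) -> List[Tuple[str, str, bool]]:
    """Classify every segment: (protocol, identification method, auditable)."""
    results = []
    for seg in segments:
        proto, method = identify(seg)
        results.append((proto, method, auditable(proto)))
    return results

if __name__ == "__main__":
    for seg, (proto, method, ok) in zip(SAMPLES, classify_all()):
        print(f"{seg.src} -> {seg.dst}:{seg.dport:<5} {proto:<8} via {method:<7} auditable={ok}")
```

The HTTP request on port 8080 is recognized by its feature even though the port is non-standard, while the FTP session with no payload yet is only guessed from its port; that difference is exactly why the text says feature matching, not port numbers, is what the audit engine must rely on.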
III. The main functions of network audit products
Record the user's actions (internal or external): when they log in, when they go offline, what they do...
Identify the user's identity information and the host IP used by the user (the audit system is generally connected with the network identity authentication system to facilitate identification of user identity).
Restore the user's operations from the traffic mirrored to the server.
The data recorded by the audit is immutable.
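One way to make the "immutable" property above checkable rather than merely asserted, as an added example that is not the article's or any product's code: each audit record carries the SHA-256 of its predecessor, so editing or deleting a record breaks the chain, and a head hash stored where the audited system cannot write catches silent truncation of the tail. The records, users and addresses are constructed.

```python
# Added example (not the audit product's own code): a tamper-evident audit
# trail in which each record stores the SHA-256 of its predecessor, so that
# editing, deleting or truncating records is detectable. Records are constructed.
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the first record

def _digest(prev_hash: str, record: Dict) -> str:
    # Canonical JSON so that key order cannot change the hash.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

class AuditTrail:
    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, user: str, src_ip: str, action: str) -> str:
        """Append one audit record and return the new head hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "user": user, "src_ip": src_ip, "action": action}
        entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, int]:
        """Walk the chain; return (True, -1) if intact, else (False, index of first bad entry).
        expected_head is a head hash kept where the audited system cannot write;
        without it, dropping records from the tail is not detectable."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["record"]["seq"] != i or _digest(prev, e["record"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, -1

def _sample_trail() -> AuditTrail:
    # Constructed records, not real audit data.
    t = AuditTrail()
    t.append("alice", "10.0.0.5", "login")
    t.append("alice", "10.0.0.5", "SELECT * FROM customers")
    t.append("alice", "10.0.0.5", "logout")
    return t

def demo_intact() -> Tuple[bool, int]:
    return _sample_trail().verify()

def demo_edit() -> Tuple[bool, int]:
    t = _sample_trail()
    t.entries[1]["record"]["action"] = "SELECT 1"   # rewrite history in place
    return t.verify()

def demo_delete() -> Tuple[bool, int]:
    t = _sample_trail()
    del t.entries[1]                                 # remove a middle record
    return t.verify()

def demo_truncate() -> Tuple[bool, int]:
    t = _sample_trail()
    anchored_head = t.head()                         # head hash kept off-box
    t.entries.pop()                                  # drop the newest record
    return t.verify(expected_head=anchored_head)

if __name__ == "__main__":
    print("intact   ", demo_intact())
    print("edited   ", demo_edit())
    print("deleted  ", demo_delete())
    print("truncated", demo_truncate())
```

The chain itself only proves that the records were not changed after they were written; it does not stop a privileged user from deleting the whole file. That is why the head hash (or the whole chain) belongs on a separate, write-once store, which is the same point the article makes when it says the audit system's log, unlike the database's own log, cannot be deleted.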
Network behavior audit
Audit the "behavior" of network users on the network; according to the different network areas and different security concerns, this is divided into different specialized audit products. The ways of obtaining information are: network mirror mode and host agent mode.
4.1.1 Network behavior audit:
The original packets are obtained by port mirroring, reassembled into connections and then into the corresponding communication protocols such as FTP, HTTP, Telnet, SNMP, etc., and the network behavior on the link is then reproduced.
Objective: to audit the "public behavior" of all users on the link, so it is generally placed on the main path of the network.
Like cameras installed in key neighborhoods, it records the public safety of public areas.
Disadvantages: identification technology is critical, and there are too many application protocols to identify, which is a test for security vendors.
It focuses on parsing the application protocols of the main traffic; however, this method loses its audit ability when the application uses encryption.
4.1.2 Host audit:
If the network is a street, the host is the interior of each building. Install an audit agent on the server to audit the various behaviors of host users and record the host's system, security and other logs, which is equivalent to a security audit of all business systems running on the host. The main representative of host audit in terminal security is unauthorized external-connection audit, to prevent confidential information from leaking through the terminal.
Purpose: to audit the behavior of the host user, or of the user entering the host (server).
Disadvantages: host audit requires installing agent software, which has some impact on host performance. In addition, the audit agent must resist uninstallation and interruption, otherwise the audit "skylight" (blind spot) is a fatal security loophole.
4.1.3 Database audit:
Mirror the link in front of the database server and audit database usage behavior; it can be reproduced down to the level of database operation commands such as SELECT, UPDATE and so on.
Purpose: the database is generally the core of the application system; its operation records can generally capture the process of a user's illegal behavior, and the audited operation records can also provide a basis for database recovery, reducing the damage to the system.
Host audit: the audit agent can also be installed directly on the database server to audit the database, or some operation log information of the database system can be used as a data source for audit analysis. The difference is that the database system's own log can be deleted, whereas the audit system's audit log cannot.
Disadvantages: database traffic is very large, so the storage required for audit records is considerable.
4.1.4 Internet audit:
Internet audit specifically audits employees' behavior on the Internet. It mainly identifies HTTP, SMTP, FTP and other protocols, while common Internet applications such as QQ, MSN, BT and so on also need to be identified. Internet audit generally regulates the Internet access of internal employees.
Purpose: the Internet egress is often the "security comprehensive zone" of an enterprise network and the inevitable exit through which the enterprise connects with the outside world. Setting up a special audit at the Internet egress is also a management demand of many enterprises.
Disadvantages: Internet applications upgrade rapidly, which places high demands on audit identification technology; the growing number of encrypted applications, such as Skype, MSN, etc., are a great challenge for audit.
4.2 Operation and maintenance audit:
The network's operation and maintenance (O&M) personnel are a "special" user group who generally hold high system privileges, and auditing their behavior has increasingly become a necessary part of security management. Especially at present, in order to reduce network and system maintenance costs, many enterprises rent the network or outsource O&M, so the network is managed by external personnel, and the number of security incidents caused by external maintenance personnel has been on the rise.
Purpose: O&M personnel have "special" privileges, which are often ignored by all kinds of business audits. Network behavior audit can audit the work of O&M personnel through the network, but direct operation and management of equipment, such as via the console, is not recorded.
Audit method: O&M audit differs from other audits. O&M personnel, for their own security requirements, have begun to use encryption extensively, such as RDP, SSL and so on; the session keys are generated dynamically when the connection is established, so the sessions cannot be audited through link mirroring. Therefore O&M audit is a kind of "policy + technology" enforced audit. Generally, O&M personnel must first log in to an authenticated "fortress machine" (bastion host), or all O&M management connections are routed to the O&M audit server, and all O&M work is carried out through the fortress machine; in this way all O&M activities can be recorded. Because the fortress machine is the mandatory channel for O&M, when dealing with encrypted protocols such as RDP it can act as the intermediate proxy of the encrypted channel, obtaining the keys generated during the communication so that the encrypted management protocol information can be audited.
Disadvantages: using a single O&M channel is meant to deal with encrypted protocols, but it has some impact on O&M efficiency. And with many kinds of products on the network, many business management tools and many management methods, a single O&M channel may not achieve results. Most importantly, the O&M audit plan must be matched by the security management system, since it is impossible for O&M personnel never to "touch" the equipment.
4.3 Business compliance audit:
The network is the supporting system of the business, and it is generally difficult to judge whether the business itself is "legal", so business compliance audit is generally an audit system developed by the organization associated with the business system. By installing agents in the business system, or being integrated directly into it, it obtains the business "transaction flow" information and completes the post-audit in a separate audit system. The business flow logs of the business system can also be audited periodically.
Objective: to audit the legality of the business itself.
Product form: generally provided by business development companies rather than network security companies; the business is very specialized, and it is generally a separate audit system.
V. Deployment of network audit products
5.1 Deployment location of network audit products
The design of a network audit product is the same as that of a network IDS: both are deployed in "bypass" (out-of-band) mode, and most of the network links they are concerned with are the same. So when customers deploy monitoring and audit products separately, a common phenomenon is that one port must be mirrored to two target ports feeding two different data collection engines, whose front-end working principles are still very similar.
In the distributed product structure the data collection engine is separated from the processing center. We can separate the IDS and some functions of the audit product's data collection engine and then merge the two engines into one. The first advantage is that fewer mirror ports are consumed on the service link; the second is fewer engine devices on the network; the third is that a generic mirror-analysis data engine reduces product cost and makes future deployment of new mirror-based systems easier.
Security monitoring and audit are two indispensable aspects of network security construction. Both the Ministry of Public Security's classified protection (grade protection) requirements for information systems and the technical requirements for × × secret-related information systems call for monitoring and audit, with fine-grained requirements. Reasonable and effective deployment of monitoring and audit systems is important and necessary to protect the security of your network.
5.2 Network traffic mirror configuration
5.5.1 Cisco NetFlow:
NetFlow is a data exchange method. NetFlow processes the first IP packet of a flow through the standard switching path to create a NetFlow cache entry; subsequent packets of the same flow are then switched based on the cached information without matching the access control policies again. The NetFlow cache also holds statistics for the subsequent packets of the flow. The NetFlow data exported by the router can be stored on a server by NetFlow collection software, so that various NetFlow analysis tools can process it further.
Configure NetFlow on the devices whose traffic is to be mirrored:
ip cef
flow-sampler-map TEST                              // create a NetFlow sampler map
 mode random one-out-of 100                        // sampling mode: one packet chosen at random out of every 100
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination YY.YY.56.100 2222 sctp  // NetFlow collector address and port
 backup destination YY.YY.56.254 2222              // backup NetFlow collector
 backup mode fail-over
interface GigabitEthernet0/1
 ip flow ingress                                   // enable NetFlow in the inbound direction
 ip flow egress                                    // enable NetFlow in the outbound direction
 flow-sampler TEST                                 // apply the sampler map to inbound traffic
 flow-sampler TEST egress                          // apply the sampler map to outbound traffic
5.5.2 Cisco SPAN:
SPAN technology is mainly used to monitor the data flow on a switch and is divided into the following types: local SPAN (SPAN), VLAN-based SPAN (VSPAN) and remote SPAN (RSPAN). Using SPAN, a COPY or MIRROR of the traffic of the ports to be monitored on the switch (hereinafter the controlled ports) can be sent to a traffic analyzer connected to the monitoring port, such as a Cisco IDS or a PC equipped with sniffer tools. Three kinds of traffic can be monitored: Receive (Rx) SPAN, the traffic received by the controlled port; Transmit (Tx) SPAN, the traffic sent by the controlled port; and Both, the traffic received and sent by the controlled port.
1. Local SPAN:
The controlled port and the monitoring port are on the same switch.
Sw(config)# monitor session 1 source interface fastEthernet 0/1   // specify the source port; default is both
  ,      Specify another range of interfaces   // optional parameters
  -      Specify a range of interfaces
  both   Monitor received and transmitted traffic
  rx     Monitor received traffic only
  tx     Monitor transmitted traffic only
Sw(config)# monitor session 1 destination interface fastEthernet 0
// specify the destination port (by default it only receives mirrored traffic, and all traffic belonging to itself is dropped)
2. VLAN-based VSPAN:
VLAN-based SPAN can only monitor the received (Rx) traffic of all active ports in the VLAN; if the monitoring port itself belongs to this VLAN, that port is excluded from monitoring. VSPAN only monitors traffic entering the switch and does not monitor routed traffic on the VLAN interface.
At most two SPAN sessions can be configured on a Catalyst 3550 switch, and SPAN is not enabled by default. When configured, the first interface set as a controlled port monitors inbound and outbound traffic by default, and additional controlled ports monitor only received traffic. The default encapsulation type of the monitoring port is Native, i.e. without VLAN tags.
Switch(config)# monitor session 2 source vlan 101,102 rx   // specify the VLANs to which the controlled ports belong
Switch(config)# monitor session 2 destination interface fastethernet0/30
3. Remote RSPAN:
RSPAN uses a dedicated VLAN to forward traffic: the reflector port sends the data flow into this dedicated VLAN and out through the TRUNK port to other switches, and the remote switch sends it from the dedicated VLAN to the analyzer on its monitoring port. When creating the RSPAN VLAN, all switches participating in RSPAN should be in the same VTP domain, and the VLAN must be a standard VLAN in the range 2-1001, not VLAN 1 or 1002-1005.
The reflector port is used only in RSPAN and sits on the same switch as the controlled port; it is the means by which local controlled-port traffic is forwarded to a remote monitoring port on another switch. The reflector port must be a real physical port that does not belong to any VLAN, and its bandwidth should be >= that of the controlled port, otherwise packet loss may occur.
An RSPAN session has two parts, an RSPAN source session and an RSPAN destination session, which are configured respectively on the source switch and the destination switch.
Switch(config)# vlan 800           // create the dedicated RSPAN VLAN; must be configured on the source, intermediate and destination switches
Switch(config-vlan)# remote-span   // "sh vlan id 800" shows the RSPAN VLAN status
Configure the source session on the source switch:
Switch(config)# monitor session 1 source interface fastethernet0/10-13
Switch(config)# monitor session 1 source interface fastethernet0/15 rx
Switch(config)# monitor session 1 destination remote vlan 800 reflector-port fastethernet0/20
Configure the destination session on the destination switch:
Switch(config)# monitor session 1 source remote vlan 800
Switch(config)# monitor session 1 destination interface fastethernet0/30
5.5.3 Huawei SPAN:
In port mirroring, a copy of the mirrored port's traffic is sent to the observing port, so that the traffic analysis device (or software) connected to the observing port can analyze the copied traffic of the mirrored port. In Huawei's port mirroring the observing port can still send and receive normal data (on Cisco, the destination port stops normal sending and receiving and can only observe the traffic copied from the mirrored port). Huawei mirroring is generally divided into the following categories:
1. Port mirroring
Port mirroring is mirroring based on ports, divided into local port mirroring, layer 2 remote port mirroring and layer 3 remote port mirroring. The mirrored traffic can be inbound or outbound.
Local port mirroring:
[Huawei] observe-port 1 interface GigabitEthernet0/0/1                 // configure GigabitEthernet0/0/1 as observing port index 1
[Huawei] interface GigabitEthernet0/0/2                                 // enter the mirrored port
[Huawei-GigabitEthernet0/0/2] port-mirroring to observe-port 1 both    // copy the bidirectional traffic of this port to observing port 1
Layer 2 remote port mirroring:
First create a VLAN for broadcasting the mirrored traffic: create VLAN 2 on lsw1 and lsw2 respectively. LSW1 mirrors the traffic of mirrored port G0/0/1 to G0/0/2, which broadcasts it in the mirroring VLAN 2 through G0/0/2 to Server1 in VLAN 2.
[lsw1] vlan 2
[lsw1-vlan2] mac-address learning disable                              // MAC address learning must be disabled in the mirroring VLAN
[lsw1] observe-port 1 interface GigabitEthernet0/0/2 vlan 2             // observing port; the copied traffic is broadcast in VLAN 2
[lsw1] interface GigabitEthernet0/0/1
[lsw1-GigabitEthernet0/0/1] port-mirroring to observe-port 1 both      // mirrored port; copies traffic to observing port 1
[lsw2] vlan 2
Layer 3 remote port mirroring:
The principle of layer 3 remote port mirroring is that the traffic of the mirrored port is copied to the observing port, which sends it through a GRE tunnel at the IP layer to the port where the monitoring device is located, where the traffic is analyzed. In the following topology, the mirrored port on LSW1 copies traffic to the observing port, which sends it through the GRE tunnel to the E0/0/2 interface of lsw2 connected to the server2 monitoring server, so that server2 can analyze the traffic of the mirrored port.
First configure the routed network segments and static routes on AR1 and AR2 to ensure layer 3 connectivity, then configure the mirrored port and the observing port's GRE tunnel on LSW1.
Configure on lsw1:
[Huawei] observe-port 1 interface Ethernet0/0/1 destination-ip 192.168.2.100 source-ip 192.168.1.100   // create the observing port and its tunnel
[Huawei] interface Ethernet0/0/2
[Huawei-Ethernet0/0/2] port-mirroring to observe-port 1 both           // mirrored port; copies traffic to observing port 1
2. Flow mirroring
Flow mirroring is mirroring based on flows: it mirrors the traffic matched by the user-configured traffic classifier (traffic-class) in the traffic policy. It only supports the inbound direction of the mirrored port, not the outbound direction. Flow mirroring is divided into local flow mirroring, layer 2 remote flow mirroring and layer 3 remote flow mirroring.
3. VLAN mirroring
VLAN mirroring is mirroring based on VLANs: it copies the inbound traffic of all active interfaces in the specified VLAN to the observing port, and does not support the outbound direction. It is divided into local VLAN mirroring and layer 2 remote VLAN mirroring; layer 3 remote mirroring is not supported.
Local VLAN mirroring:
[Huawei] observe-port 1 interface GigabitEthernet0/0/3   // specify the observing port
[Huawei] vlan 2
[Huawei-vlan2] mirroring to observe-port 1 inbound        // mirror the inbound traffic of all active interfaces in VLAN 2
Layer 2 remote VLAN mirroring:
The layer 2 remote configuration is the same as for port mirroring; you only need to change the mirrored port to the VLAN. Layer 3 remote is not supported.
4. MAC address mirroring
MAC address mirroring copies the inbound traffic matching the source or destination MAC address to the observing port; the outbound direction is not supported. It supports local MAC address mirroring and layer 2 remote MAC address mirroring.
5.5.4 Huawei NetStream:
NetStream is a technology for collecting and exporting statistics based on network flow information; it can classify and count the traffic and resource usage in the network, and supports management and billing based on different services and QoS. Huawei NetStream is equivalent to Cisco NetFlow.
Configure NetStream on the devices whose traffic is to be mirrored:
1. Configure flow export on the switch
[Huawei] ip netstream timeout active 100          // active flow aging time
[Huawei] ip netstream timeout inactive 3          // inactive flow aging time
[Huawei] ip netstream export version 9            // NetStream version; only v9 is supported
[Huawei] ip netstream export source x.x.x.x       // source IP of the switch exporting the flows
[Huawei] ip netstream export host a.a.a.a 11111   // destination IP and port of the collector
2. Configure the NetStream function on a port of the switch
[Huawei-Ethernet0/0/1] ip netstream inbound                           // inbound traffic on the interface is aggregated into flows
[Huawei-Ethernet0/0/1] ip netstream outbound                          // outbound traffic on the interface is aggregated into flows
[Huawei-Ethernet0/0/1] ip netstream sampler fix-packets 1000 inbound  // set the sampling rate
[Huawei-Ethernet0/0/1] ip netstream sampler fix-packets 1000 outbound
After the configuration is complete, the data of interfaces with NetStream enabled is aggregated into flows and exported to the specified port of the specified device. "dis netstream all" shows all NetStream configuration on the current switch.
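Both the Cisco NetFlow configuration in 5.5.1 (ip flow-export version 9) and the Huawei NetStream configuration in 5.5.4 (ip netstream export version 9) send the collector the same version 9 export format, so one decoder serves both. The following is an added example, not Cisco's, Huawei's or any collector's code: it parses the v9 packet header, learns the template FlowSet, decodes the data FlowSet with it, and skips data whose template has not arrived yet (the first export packets after a device starts often look like that). The export packet, addresses and counters are constructed; the field type codes are the standard ones from the v9 specification (RFC 3954).

```python
# Added example (not Cisco's or Huawei's code): a minimal parser for the
# NetFlow/NetStream version 9 export format selected by the
# "export version 9" configuration lines above. The packet is constructed.
import struct
from typing import Dict, List, Tuple

# Field type codes from the v9 specification (subset).
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}
IPV4_FIELDS = {8, 12}

Template = List[Tuple[int, int]]  # [(field_type, field_length), ...]

def _decode(field_type: int, raw: bytes):
    if field_type in IPV4_FIELDS and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")

def parse_v9(packet: bytes, templates: Dict[int, Template]) -> List[Dict]:
    """Parse one export packet. Templates learned here are kept in `templates`
    (keyed by template id) so that later data-only packets can be decoded."""
    if len(packet) < 20:
        raise ValueError("short header")
    version, _count, _uptime, _unix_secs, _seq, _source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"unsupported NetFlow version {version}")
    records: List[Dict] = []
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                       # Template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[tid] = fields
        elif fs_id >= 256:                   # Data FlowSet
            tpl = templates.get(fs_id)
            if tpl:                          # template not seen yet: skip until it arrives
                rec_len = sum(length for _, length in tpl)
                p = 0
                while rec_len and p + rec_len <= len(body):   # trailing bytes are padding
                    rec = {}
                    for ftype, flen in tpl:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode(ftype, body[p:p + flen])
                        p += flen
                    records.append(rec)
        off += fs_len                        # fs_id 1 (Options Template) is ignored here
    return records

def _ipv4(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))

def build_sample(with_template: bool = True) -> bytes:
    """Constructed export packet: one template (id 256) and two flow records."""
    layout = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tpl = struct.pack("!HH", 256, len(layout)) + b"".join(struct.pack("!HH", t, l) for t, l in layout)
    tfs = struct.pack("!HH", 0, 4 + len(tpl)) + tpl

    def rec(src, dst, sport, dport, proto, nbytes, npkts):
        return _ipv4(src) + _ipv4(dst) + struct.pack("!HHBII", sport, dport, proto, nbytes, npkts)

    data = rec("10.1.1.5", "10.1.1.20", 51234, 22, 6, 4200, 31) + \
           rec("10.1.1.5", "192.0.2.10", 40000, 443, 6, 98000, 120)
    pad = (-len(data)) % 4                   # FlowSets are padded to 32-bit boundaries
    dfs = struct.pack("!HH", 256, 4 + len(data) + pad) + data + b"\x00" * pad
    body = (tfs if with_template else b"") + dfs
    count = (1 if with_template else 0) + 2  # records in the packet (template + data)
    header = struct.pack("!HHIIII", 9, count, 123456, 1700000000, 1, 0)
    return header + body

def bytes_by_destination(records: List[Dict]) -> Dict[Tuple[str, int], int]:
    """Aggregate exported byte counts per (destination address, destination port)."""
    totals: Dict[Tuple[str, int], int] = {}
    for r in records:
        key = (r["ipv4_dst_addr"], r["l4_dst_port"])
        totals[key] = totals.get(key, 0) + r["in_bytes"]
    return totals

if __name__ == "__main__":
    templates: Dict[int, Template] = {}
    print(parse_v9(build_sample(with_template=False), templates))   # [] : template unknown
    flows = parse_v9(build_sample(), templates)
    for f in flows:
        print(f)
    print(bytes_by_destination(flows))
```

Because flow records carry only addresses, ports, protocol and counters, a NetFlow/NetStream feed tells the audit system who talked to whom and how much, not what was said; content-level reconstruction still needs the port-mirror feeds described in the SPAN sections.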
Attachment: http://down.51cto.com/data/2366852