seccenter技术白皮书
H3C SecCenter A1000产品技术白皮书
1 SecCenter A1000 技术应用背景
1.1 当前安全管理面临的普遍问
题
快递公司问题件快递公司问题件货款处理关于圆的周长面积重点题型关于解方程组的题及答案关于南海问题
一家企业不仅要从物理上关注网络安全,还需要进行良好的网络安全管理,即使安全防
范再严密的网络,也有可能会有安全性漏洞出现,现在由于攻击所造成的经济损失已经大大
高于过去。另外,为了满足政府法规要求,企业需要执行安全审计流程,如果不能满足政府
的法规要求,除了有可能被高额的罚款以外,还有可能触犯法律,面临刑事诉讼。这些风险
是真实存在的,并且会影响到公司的日常业务,根据专业机构提供的行业报告,在安全领域,
每个企业都面临如下领域的挑战:
(1)对实时安全信息不了解,无法及时发出预警信息,并且处理;
(2)各种安全设备是孤立的,无法相互关联,信息共享;
(3)安全事件发生以后,无法及时诊断网络故障的原因,恢复困难;
(4)网络安全专家匮乏,没有足够的人员去监控、分析、解决问题,成本高;
(5)不能通过直观的图表和报告了解网络安全情况;
为了解决这些问题,我们需要在网络上及时发现问题、跟踪定位问题并解决问题。但是
现实情况是,网络安全设备众多,包括防火墙、IPS、IDS、VPN网关、邮件过滤系统、漏洞
扫描系统等。这些网络安全设备可能产生大量的安全事件信息,但是这些设备的报告机制不
同,报文
格式
pdf格式笔记格式下载页码格式下载公文格式下载简报格式下载
不同,不能进行集中分析,网络管理员很难快速有效的处理这些数据,无法及
时了解网络安全信息。
1.2 传统日志服务器的问题
目前网络中的主要设备(防火墙、VPN网关、IPS、IDS、交换机、路由器、反垃圾邮件
系统、病毒防护系统)都可以产生日志(syslog),日志中包含了很多重要的网络运行信息,
包括网络的安全、性能、资源使用情况等。传统的日志服务器可以接收这些日志信息,但只
能简单的保存和按原始格式显示,主要是用于事后分析使用。由于网络中会包含很多不同厂
商和不同类型的设备,这些设备的日志格式都不统一,所以显示的结果通常杂乱无章,再加
上日志产生的速度很快,在没有过滤和统计的情况下,用户看日志的速度有可能还跟不上系
统接收日志的速度,所以简单的日志接收和未经解析的原始日志显示对用户没有太多的实际
意义。同时对历史数据的检索也只能使用简单的按字符串、时间、发送日志设备IP地址等
查询方式,不能进行复杂的查询。
1.3 SIM、SEM系统简介
针对传统日志服务器的这些问题,出现了SIM(安全信息管理)和SEM(安全事件管理)
系统。SIM系统可完成原始安全信息的存档和检索、生成内部审计、法规遵从报告等功能,close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
解决了传统日志服务器的存档、检索、报告生成等问题,但是通常没有实时分析和显示部分,
不能及时反映网络当前的情况,只能作事后分析。SEM系统可实现实时安全状况监视信息、
安全事件关联分析、实时告警等实时信息显示等功能,解决了传统日志服务器不能实时过滤、
深入分析日志的问题,但是通常的SEM又没有SIM系统的原始数据保存能力。 1.4 SecCenter A1000 产品介绍
SecCenter A1000产品的推出就是为了解决安全管理中的上述问题。SCA1000综合了SIM
和SEM系统的功能,提供全面的安全信息与事件管理能力。这种产品是一种基于硬件的盒式
设备,能够提供对全网海量的安全事件进行集中收集与统一分析,兼容网络中多厂商的各种
设备,对收集到的事件进行高度聚合存储及分析,实时监控全网安全状况。可根据不同用户
需求提供各种具有说服力的网络安全状况与法规遵从审计报告。SecCenter A1000能使IT
及安全管理员脱离繁琐的手工管理工作,提高工作效率,集中精力用于更有价值的活动,保
障网络的安全。SecCenter A1000除了支持业界主流安全设备厂商的设备外,还提供了对H3C
SecPath防火墙产品、Comware V3、V5平台下路由器、交换机的全面支持。
SecCenter A1000 产品整体介绍 2
2.1 SecCenter A1000 重要软件功能模块介绍
图1 SecCenter A1000整体数据处理流程及模块功能分布
Syslog采集器(Built in Syslog Collector)模块
Syslog采集器负责采集和解析所有SCA1000支持的设备、主机的日志信息,并将这些
日志转换为SCA1000内部统一的日志格式供其它模块使用。Syslog采集器可以压缩保存原
始的日志信息,供以后查询使用。
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
事件分析(Event Analysis)模块
事件分析模块对所有采集到的事件根据用户定义的需求进行过滤和统计,生成实时的统计图表、TopN列表、事件监视窗口。
实时事件监视(Real Time Event Monitoring)模块
让用户可根据实际需要自定义实时监视器(Monitor)、视图(View,View是将若干Monitor和Report组合起来的实时监视画面)、混合显示界面(Dashboard,Dashboard是系统登陆后的缺省画面)。
可视化安全视图(Threat Visualization)模块
以网络拓朴图的形式显示网络设备的安全状况。可直接根据拓朴中上设备的颜色判断设备的安全情况,通过直接点击设备对设备进行数据挖掘(Drill down)和深度分析(Forensic)操作并输出报告。
深度分析(Forensic Analysis)模块
在SCA1000上可指定使用外部网络存储设备(NAS)或自身的硬盘保存原始数据。这些原始数据供数据挖掘(drill down)和深度分析(Forensic analysis)使用,通过指定时间范围、设备列表、设定过滤条件输出经过统计后的TopN安全报告,并可以直接查询所有原始日志记录。
告警关联(Correlated Alerting)模块
告警关联模块提供对重复事件的精细过滤并提供匹配后的动作机制。可以通过定义灵活的过滤匹配找出真正有意义的告警,然后选择通过SNMP Trap或Email方式通知用户。
报告引擎和Web管理界面(Reports Engine & Reporting Portal)模块
, 报告引擎(Reports Engine)提供了近千种安全相关的内置报告,可输出PDF、
HTML、WORD、TXT多种格式。报告引擎采用内置数据库对所有报告需要的数据进行
统计和保存,可长期保存报告需要的数据。
, 报告通过Web界面(Reporting Portal)进行定制管理,将用户的定制信息通知
给报告引擎产生用户定制的报告。
管理模块(Management)模块
管理模块负责处理系统配置管理,设备管理,用户管理。
2.2 SecCenter A1000 重要功能列表
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
属性 说明
设备日志解析 支持主流厂商设备日志解析
Cisco为NetFlow Netflow/cFlow
网流数据解析 Juniper为cFlow H3C NetStreamH3C 格式的网流报文 解析
H3C 防火墙网流报文、包含H3C 防火墙 NAT信息 数据来源 可支持Windows主机(通过主机支持功能 WMI接口获取),和Unix主
机(通过SSH接口和syslog)
可支持Oracle 数据库审计信通过ODBC获取息导入
数据库审计信
可支持Microsoft SQL Server 息
数据库审计信息导入 基于Web的用户需要下载Java运行环境使用界面 (JRE) 人机界面(Web GUI) 基于Web的管理通过Web界面完成管理员工员界面 作
设备分组功能 可自定义设备分组 网络类型设备可增加(只能增加已知类型的数据源管理增加删除 网络设备)、删除设备 (Groups,Devices,Hosts) 主机类型设备可增加Windows类型主机和增加删除 Unix类型主机
包含最常用的日志分析策略,常用日志分析可以通过对日志的分析识别策略模板 出典型的安全问题。 日志分析策略可自定义日志分析策略模板。 日志分析(Policies) 模板管理
日志分析结果可触发关联告日志分析告警警,通过屏幕显示、发送关联 Email、发送SNMP Trap方式
提醒用户。
日志经过分析过滤出的结果关联告警触发 可触发告警
屏幕告警显示 在用户Web界面上显示告警
告警(Alerts) 信息
通过Email通知通过指定的SMTP服务器向任告警 意Email地址发送告警通知
信息
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
属性 说明
通过SNMP Trap通过SNMP Trap向其它网管系通知告警 统发送告警通知信息 设备日志监视 设备相关的监视画面
监视画面功能 主机日志监视 主机相关的监视画面 性能日志监视 性能相关的监视画面 基于设备的报通过从安全设备采集到的事告 件信息生成的报告
通过从网络中Windows和基于主机的报Unix主机中采集到的事件信告 息生成的报告
基于应用的报主要针对主机中关键应用程告 序生成的报告
报告功能 通过网络中攻击事件信息生攻击报告 成的报告
反映Windows、Unix主机的内主机资源报告 存、进程、CPU负荷、硬盘使
用状况的报告
Compliance 符合相关法规要求格式的报Report(法规遵告 从性报告
根据数据来源(文件或采集数自定义报告生据库)、时间范围、设备列表、成功能 过滤条件、预定义报告模板等
信息生成报告;
定时自动报告按指定的时间周期生成报告 报告定制(Profiles) 生成
报告模板自定可自定义报告模板,只输出感义 兴趣的报告;
支持Html、Word、Excel、Txt、以多种格式输Pdf、MHtml格式报告文件输出报告
内容
财务内部控制制度的内容财务内部控制制度的内容人员招聘与配置的内容项目成本控制的内容消防安全演练内容
出;
根据数据来源(文件或采集数
据库)、设备类型、时间范围、通过细致的过具体设备列表、源目的IP、滤条件搜索特源目的端口、
协议
离婚协议模板下载合伙人协议 下载渠道分销协议免费下载敬业协议下载授课协议下载
类型、日志日志信息深度分析(Forensic 点日志信息 类型、日志信息中的字符串匹Analysis) 配等信息作为过滤条件搜索
日志信息并生成报告; 定时自动报告按指定的时间周期生成报告 生成
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
属性 说明
可以以屏幕显示、输出Txt文以多种格式输件、Html文件或发送Email出结果 的方式输出结果,输出的字段
可选择;
在增加了有效的设备和主机
后根据从设备获得的信息自拓扑自动生成 动描绘出网络设备的实际拓
扑
可自动排列拓扑图中的设备拓扑自动排列 和主机图标
可手动调整拓扑图中的设备手动调整拓扑 和主机图标位置
拓扑功能(Topology) 拓扑图可显示拓扑图中显示的设备和主机设备事件状态能够显示日志状态信息 信息
通过拓扑显示点击拓扑图上的设备和主机节点可以直接图标可直接打开该节点的事跳转到设备事件浏览界面 件浏览界面
拓扑节点显示可通过过滤条件控制拓扑节过滤功能 点显示
可自定义主显示画面
(Dashboard),以不同名称保自定义监视画存;自定义画面可在所有支持面(Dashboard) 的监视画面和报告列表中选
择组合;
提供最常用的安全视图,就是
针对各种不同的监视需求,预
先将一些监视画面和报告组预定义常用安视图功能合起来形成一个集中显示的全视图 (Dashboard,SecurityCenter) 画面,类似Dashboard(目前
有13种,见附录III‘预定
义视图列表’); 自定义安全视可根据需要自定义视图 图
可根据需要自定义报告视图,自定义安全报就是可以在所有预定义报告告视图 中自由组合需要的报告到一
个视图中;
设备数量可显示支持的各种类型的license管理 license管理 license数量
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
属性 说明
设备有效使用可显示各类型节点的license 时间license管有效时间 理
license标识文可导出license标识文件通件导出及 过license生成器生成license文件导license文件再导入系统 入功能
可为不同的应用定义不同属用户管理(User) 用户管理 性的用户
可通过群组管理用户权限,支 群组管理 持系统管理员
用户群组权限/ 可定义群组操作权限 策略管理
Syslog服务器支持Syslog服务器分布式部
分布式 分布式结构支署,SecCenter通过网络集中
持 采集;
SecCenter支持 SecCenter支持分布式部署 分布式结构
文件方式的补可通过文件方式的补丁修补软件升级及补丁 丁 系统Bug
基于安装文件可通过文件方式的升级软件 的软件升级 包升级系统软件
所有功能都有
联机帮助 对应的联机帮
助
可直接利用windows系统的将接收日志备备份功能 份,避免硬盘损日志备份 坏后的数据丢利用Syslog server备份功失 能,转发到备份设备上
表1 SecCenter A1000 V200R003功能特性列表
2.3 SecCenter A1000 硬件参数指标及产品外观
SecCenter A1000使用双CPU 2.8GHz Xeon处理器,内存2个DDRII-400 DIMM,一个1个10/100Mbps以太网接口作为管理接口,4个10/100/1000Mbps以太网接口作为业务接口,一块400GB,7200转企业级SATA磁盘。机箱高度1U(43.6mm),外形尺寸(高×宽×深)43.6mm×430mm×685mm(不带挂耳或机柜滑轨)。整机功耗400W,电源模块电压0V,127V/200V,240V AC,电流 8.2A/4.1A,频率50Hz/60Hz,电源功率500W。重量14.0kg。 close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
(1) 挂耳 (2) 面板 (3) 键锁
(4) 电源指示灯 (5) 告警指示灯 (6) 定位指示灯
图2 整机外观图
(1) 交流电源输入 (2) 电源模块 (3) 鼠标、键盘接口
(4) 串口1 (5) 串口2 (6) USB接口(2个)
(7) 千兆网口1、2 (8) 千兆网口3、4 (9) 百兆网口
(10) 显示器接口 (11) PCI-X扩展槽
图3 背视图 2.4 SecCenter A1000 整机性能技术指标
名称 指标
事件处理能力 每秒种能处理的事件数量(Events/Sec) 10000
NetFlow处理能力 每秒可以处理的NetFlow(Cisco)数据(条/Sec) 15000
NetStream处理能力 每秒可以处理的NetStream(H3C)数据(条/Sec) 15000
NAT二进制流日志处理能力 每秒可以处理的二进制NAT流日志(H3C)数据(条/Sec) 15000
硬盘容量 400G
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
表2 SecCenter A1000 V200R003整机性能技术指标
3 SecCenter A1000 技术特色
3.1 多厂商多协议支持、统一的开放日志格式
SCA1000支持多厂商、多协议数据采集,对于每种不同的设备,SCA1000都有单独的解
析程序将这些日志信息解析为SCA1000内部统一的开放日志格式,可将网络中所有关键的安
全信息汇聚到SCA1000的数据库中集中分析。经过开放日志格式统一的日志可以使用相同的
统计、检索、记录和显示格式,解决了不同类型设备日志统一处理的问题。比如可以将几个
不同厂商的防火墙设备发来的同类型日志信息进行统计,找出网络中的问题,这在没有开放
日志格式之前是无法作到的。用SCA1000可构建整个网络的安全信息监视中心,汇聚网络中
所有安全信息,通过SCA1000对这些信息的统计、过滤和分析了解网络中当前的整体安全状
况。
图4 多厂商设备支持、统一的日志格式
(SCA1000可支持的设备类型和厂商:设备类型包括防火墙、VPN网关、IPS、IDS、交
换机、路由器、反垃圾邮件系统、病毒防护系统。厂商包括Cisco、Juniper、Nortel、Fortinet、
McAfee、Symantec、H3C、TippingPoint等)
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图5 多协议支持能力 3.2 丰富灵活的图形界面
SCA1000产品是一种盒式设备,用户通过浏览器访问SCA1000的图形用户界面,可以同
时支持多个Web客户端访问。SCA1000提供了丰富的图形化界面,包括:各种统计图表(支
持多种形式输出,2D/3D直方图、饼图、趋势图、列表)、可灵活自定义的显示面板
(Dashboard)、用颜色标识的各种事件级别的事件显示窗口。这些图形化功能可直观反映
网络中的安全问题,在视觉上提示用户应该注意的网络安全信息。
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图6 Dashboard可自由组合所需监视
画面
用户可自由组合实时监视画面,可在系统予定义的实时监视画面(Monitors几十种)
和报告(Reports几百种)中选择。
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图7 组合监视画面的内容可在所有系统支持的实时监视画面和报告画面中任意选择
3.3 强大的过滤功能
SCA1000中的过滤功能非常强大,包括以下五种过滤器:
数据采集过滤器:
过滤掉不需要的日志信息,节省SCA1000磁盘空间,降低系统负荷。从数据采集的源头
过滤无用信息。
实时显示过滤器:
可通过选择设备、级别、目标地址、目标端口、协议类型等条件控制显示输出,滤除不
需要关注的信息,突出重要信息的显示。
告警过滤器:
可将日志中包含的重要事件信息过滤出来,立即通知网络管理员,避免问题被延迟发现。
因为如果没有过滤功能,这些重要信息很可能会被淹没在其它日志信息中无法引起注意。
SCA1000提供常用的过滤规则模板,通过模板可方便的定义日志过滤策略。并通过屏幕显示、
Email或SNMP Trap的方式实时提示网络管理员网络中出现的问题。
报告过滤器:
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
可通过选择时间范围、设备、级别、目标地址、目标端口、协议类型等条件控制生成报
告的输入信息,滤除不需要关注的信息,在报告中输出需要关注的信息。
原始数据过滤器:
可通过选择时间范围、设备、级别、目标地址、目标端口、协议类型等条件精确控制需
要查询的原始数据输出,由于原始数据记录数量非常大,所以通过过滤器查询是必须具备的
功能
图8 ScaCenter A1000中的过滤功能
3.4 强大的统计分析功能
系统中有一些日志信息,单独的看并没有异常,但是如果这种日志的数量很大,则可能
是受到了攻击产生的。SCA1000的统计功能可以按网络中各种应用场景将这些信息分类统计
并排序输出,找出通过统计才能让管理员注意的网络安全问题。
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图9 通过统计生成的TopN被攻击目标地址动作报告
3.5 原始数据保存、检索、分析功能
SCA1000可使用压缩技术保存所有的原始数据,支持数据挖掘功能。可对过去任意一段
时间范围内的原始数据进行统计生成TopN分析报告,帮助用户分析网络安全问题。也可以
查询任意时间范围内的设备的原始日志记录,作为事后追查的依据。
网络安全信息原始数据的保存对事后调查有重要意义。由于原始数据的数据量很大,系
统的存储可扩展能力和数据压缩能力是实现原始数据保存能力的重要因素。在SCA1000上可
指定使用外部网络存储设备(NAS)或自身的硬盘(400G容量,可扩展到400Gx2)保存原始
数据。SCA1000采用压缩技术保存原始数据,可最大程度利用存储空间。 close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图10 SecCenter A1000存储空间的扩容能力
3.6 强大的报告功能
SCA1000可提供设备、主机、应用程序、漏洞、网流(NetStream)、设备资产、法规
遵从(包括萨班斯法案)7大类报告,共计1000种左右,基本覆盖了所有安全相关的信息,
使用非常方便。用户可通过定制需要输出的报告让系统定期自动生成,帮助企业实现安全信
息的规范管理。
3.6.1 报告引擎和Web管理界面(Reports Engine & Reporting Portal)
SCA1000报告引擎(Reports Engine)提供了近千种安全相关的内置报告,可输出PDF、
HTML、WORD、TXT多种格式。报告引擎采用内置数据库(MySQL)对所有报告需要的数据进
行统计和保存,可长期保存报告需要的数据。
报告通过Web界面(Reporting Portal)进行定制管理,将用户的定制信息通知给报告
引擎产生用户定制的报告。可以选择报告数据的时间范围、报告数据的来源设备、报告生成
周期、输出报告的类型。
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图11 SCA1000的报告定制界面,可选择近千种报告
3.6.2 报告分类介绍
SCA1000支持的予定义报告数量近千种,分为7大类:
1.Device-Based Reports(基于设备的报告)
报告数据直接来自网络及安全设备(防火墙、VPN网关、IPS、IDS、路由器、交换机),
所以这类报告是系统中最重要的报告。可通过TopN统计发现被攻击最多的设备、主机的
IP地址、端口号,发起攻击最多的的设备及主机IP地址信息、防火墙设备中的邮件过滤、
攻击防范产生的日志信息、IPS设备中的实时阻断日志信息等。这些重要信息会通过报告
引擎生成直观的报告,会对安全管理起到至关重要的作用。
2.Host-Based Reports(基于主机的报告)
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
基于主机的报告是通过从Windows主机、Unix/Linux主机中获取的安全日志信息统计分析形成的报告。由于主机中可能安装不同的应用软件,所以主机报告中也包括这些运行在主机上的应用的安全事件信息,如防病毒软件、数据库软件、DNS服务软件等。例如一台Windows主机中安装了Norton AntiVirus防病毒软件,防病毒软件在更新病毒库或发现病毒后会产生Windows日志,而这些日志会被SCA1000采集到并被解析识别,最后会形成报告输出。
主机报告主要分以下几类:
, 安全、系统相关的记录报告
, 防病毒系统报告
, 应用运行记录报告,主要是应用运行(Failure)记录
, 目录服务相关报告
, DNS服务相关记录报告
, Exchange服务相关报告
, ISA服务相关报告
, SQL Server报告
3.Application reports(应用报告)
应用报告主要针对SCA1000通过ODBC接口获得数据进行统计,数据库系统操作会产生丰富的审计日志,通过这些日志可以可以通过分析输出详细的数据库审计报告,管理员通过数据库审计报告可以了解数据库系统什么时间被谁使用过,进行了那些操作。对安全管理提供有用的参考。
4.Vulnerabilities Reports(漏洞报告)
漏洞报告是通过漏洞扫描系统获得的事件信息数据生成的报告。可通过漏洞报告了解系统中存在漏洞最多的设备、主机信息,帮助管理员修补系统中的漏洞。
5.NetStream Reports(网流报告)
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
网流报告就是通过网流报文统计输出的报告,按协议、源目的地址、目标端口、自治系统、接口号等网流N元组统计输出的TopN报告。通过网流报告可以发现系统中带宽资源的使用分布、发现异常流进而找到攻击点。
6.Assets(主机资产报告)
主机资产报告可输出包含操作系统版本信息、硬盘使用情况、内存使用情况、每天各时段的进程运行信息、每天各时段的应用程序运行信息报告。通过资产报告可了解主机的资源使用情况。
7.Compliance Reports(法规遵从报告)
法规遵从报告是输出符合相关法规格式的报告,可以直接提供给法规审计人员察看的报告。对于上市公司法规遵从报告非常重要。法规遵从报告包括以下几类: , FIMSA Report
, GLBA Report
, HIPAA Report
, PCI Repor
, Sarbanes-Oxley Report(萨班斯法案报告)
3.7 网流日志(NetStream)及防火墙NAT流日志统计功能支持
网流分析技术是按网络中IP包的N元组(源IP地址、目的IP地址、源端口、目的端口、协议号、ToS、接口ID、源自治系统、目的自治系统)信息作为键值进行统计、分析。使用网流技术可实现分析网络中的流量瓶颈,指导用户调整网络资源、找出安全隐患,定位可能的攻击、实现流量计费等功能。网流技术的实现各设备厂商都不相同,SCA1000目前支持以下几种网流报文的解析:
H3C NetStream、H3C SecPath防火墙二进制流日志
NetStream是H3C公司提出的一种网流技术,与cisco netflow技术的作用类似,但在实现方式上不同,增加了出方向流统计(Cisco Ntflow只支持入方向流统计)。
H3C SecPath防火墙二进制流日志与NetStream的实现原理基本相同,但是报文格式不同,同时增加了NAT相关信息。在防火墙启动NAT功能时,流统计信息中可以包含NAT内的
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
IP地址和端口信息,克服了NetStream统计在开启NAT功能后不能区分NAT内用户信息的
问题。
Cisco Netflow
网流技术最早就是Cisco提出的,Netflow是Cisco网流技术的名称。Netflow主要版
本有V5、V8和V9。V5、V8的区别不大,V9变化比较大,支持报文自定义的灵活格式。目
前应用比较广泛的还是V5,V8版本。SCA1000目前支持V5、V8格式的Netflow报文。有关
Netflow的详细信息可参考cisco网站资料:www.cisco.com/go/netflow
Juniper cFlow
cFlow与Netflow原理及机制基本一样,请参考Juniper网站资料:www.juniper.net
图12 H3C NetStream可实现流的入方向和出方向统计
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图13 H3CSecPath防火墙二进制流日志中包
含NAT相关信息
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图14 通过网流分析输出的实时统计画面
4 SecCenter A1000 典型应用组网
4.1 集中式部署方式组网
采用集中式部署组网方式,设备直接与SCA1000连接(从设备到SCA1000在网络上可达),
接收syslog日志、网流报文。SCA1000解析、保存统计设备的原始事件信息到SCA1000的
硬盘,也可以外接网络存储设备(可选)保存原始事件数据。用户通过Web浏览器访问SCA1000
的应用、管理界面。集中式部署方式SCA1000单机事件处理能力为每秒10000事件。
图15 集中式部署方式组网图 4.2 分布式部署方式组网
分布式部署组网方式是将若干个集中式部署的SCA1000(地区级SecCenter)集中起来
向一个中心级的SCA1000汇总事件信息数据,这样对于大型的网络可以解决事件处理的性能
问题,分布式组网情况下整个系统的事件处理能力将大大提高。也便于用户管理处于不同地
区网络中的事件。
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图16 分布式部署方式组网图 5 SecCenter A1000 典型应用案例
5.1 通过SecPath防火墙日志统计发现网络中发起攻击最多的主机和攻击类型
SecCenter A1000可对H3C SecPath系列防火墙的攻击日志进行详细的解析和统计,经
过SecCenter A1000的统计后可直接输出TopN报告,通过TopN报告可直观了解网络中需要
关注的主机和设备。
图17 本案例组网示意图
SecCenter A1000通过对SecPath防火墙设备发来的攻击防御日志进行解析统计后输出
的攻击源分析列表,列表中根据统计结果对发出攻击的次数最多的主机进行了排序。通过该
分析列表能清楚知道网络中几个发出攻击最多的主机IP地址和攻击类型。 close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图18 通过统计功能找到发出攻击最多的
主机和攻击类型
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图19 统计结果可以选择按某一列进行排序
5.2 通过分时统计功能了解每天各时间段内网络安全的TopN信息
组网与上一节情况相同,对SecPath防火墙的syslog信息进行分时统计,输出每天各
个时间段内的不同源地址攻击次数:
图20 分时统计功能可统计每天各个时间段内的不同源地址攻击次数
对SecPath防火墙的syslog信息进行分时统计,输出每天各个时间段内的不同攻击类
型的次数:
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图21 分时统计功能可统计每天各个时间段内不同攻击类型的次数
5.3 使用业务影响指数BII(Business impact index)评估事件对业务的影响
业务影响指数BII(Business impact index)是根据产生事件的设备重要程度和事件
本身的重要程度进行计算后得出的一个参数,这个参数表示该事件对业务的影响程度,数值
越大影响程度越大,使用业务影响指数后用户对事件的重要性了解会更加直观。BII指数会
在事件浏览器中直接显示,也可以作为过滤条件使用。
业务影响指数BII的计算是根据设备所在组的重要性和设备产生事件本身的重要性以
及这两个因素各占的权重计算出来的。例如可以将重要的设备分组到下面的Important组
中,指定重要性(Inportance)为高(High),在指定设备重要性权重为60%,事件本身级
别的权重为40%,再选择10.154.78.116设备为该组成员。这样就可以完成对重要设备的业
务影响指数BII的设定。
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图22 业务影响指数BII的设定通过分组
管理进行设定
没有使用业务影响指数BII进行过滤的事件浏览器,BII级别为2.0和3.5的事件都
显示在事件浏览器中:
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图23 没有使用业务影响指数过滤的事
件浏览器
没有使用业务影响指数BII进行过滤的事件浏览器中会包含很多不重要的(BII值比较
低)事件,会影响用户对重要事件的观察,可使用过滤器限制只有超过了一定BII数值之后
的事件才出现在事件浏览器窗口中。下面经过BII过滤后的事件浏览器只显示了级别为3.5
的事件信息:
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图24 使用了业务影响指数过滤的事
件浏览器
5.4 向网管系统发送告警信息,实现告警联动
SecCenter A1000可以将告警信息通过Snmp Trap报文发送到其它网管系统中,实现与
网管系统的联动。
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图25 使用了业务影响指数过滤的事件浏览器
5.5 通过Forensic功能查找设备发出的原始日志、对原始数据进行二次分析
历史数据的保存对于安全信息事件管理系统非常重要,历史数据可以作为追查安全事件
根源及责任的的重要依据。同时有选择地对历史数据进行二次分析可以发现系统中潜在的安
全问题,因为系统预定义的监视器和报告的过滤器设定会偏重于常用的应用场景,而通过历
史数据进行二次分析时可针对具体关注的设备、时间段和相关的参数进行有针对性的设置,
这样得到的分析结果将更加准确。
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图26 SecCenter A1000提供了非常灵活的历史数
据分析过滤设置功能
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图27 SecCenter A1000的Forensic查
询结果输出
5.6 通过网流信息发现网络中的攻击、发现网络瓶颈
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图28 本案例组网示意图
很多网络中的攻击会在网络中形成很大的网络流量,这些不正常的流量会被路由器、交
换机中的网络(NetStream)功能和SecPath防火墙的二进制流日志通过网流记录发送到
SecCenter A1000中,通过对攻击特征(如目标端口,试用协议等)和流量的统计就可以发
现网络中的攻击,提醒管理员采取措施保护网络。
网流技术的另外一个重要作用是可以通过网流统计信息发现网络中的带宽试用分布情
况,了解网络中存在的瓶颈,为网络资源优化提供依据。
为了解决使用NAT后无法分辨NAT内具体用户的问题,SecPath防火墙二进制流日志中
增加了NAT相关的信息字段,这样通过对SecPath防火墙二进制流日志的统计分析就可以具
体定位到NAT内准确的用户IP地址,增加分析的准确性。
5.7 通过数据库审计功能发现非法数据库操作
数据库审计功能是通过采集数据库的审计日志信息后通过统计分析生成审计报告的功
能,可通过审计报告发现经常使用数据库的用户,以及用户对哪些数据库进行了哪些操作。
图29 SecCenter A1000可根据采集的数据库审计信息生成数据库审计报告
5.8 通过主机日志获得的病毒信息
PC上的防病毒软件发现病毒后在主机中将产生安全日志。例如Windows系统下的Norton
AntiVirus软件在发现病毒、升级病毒库后都会在Windows系统中产生日志。SecCenter
A1000会通过WMI接口采集到这些日志并形成报告输出。当SecCenter A1000管理多台主机
时,通过病毒防护的相关报告就可以基本了解当前系统中的病毒防护情况。 close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图30 SecCenter A1000可根据从主机中采集到的病毒防护日志输出相应的病毒防护报告
5.9 通过主机日志发现关键服务器运行状况异常信息
一个网络系统中除了网络设备本身外还有很多主机,网络本身的存在就是为了这些主机
之间能够互相通讯并且保证安全。主机中往往运行着系统中的关键应用,如关系数据库、DNS
服务器、Web服务器、邮件服务器等。SecCenter A1000可以通过采集主机的日志信息和资
源使用信息,对主机及运行在主机上的关键应用程序进行监视并输出相应的报告,及时了解
关键主机的运行状态和资源使用状况、发现安全及性能问题。
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
图31 SecCenter A1000可采集主机的日志及资源使用信息
SecCenter A1000中输出的一天中各时间段中主机的关键应用运行情况信
息:
图32 SecCenter A1000中输出的一天中各时间段中主机的关键应用运行情况信息
6 SecCenter A1000 实现
标准
excel标准偏差excel标准偏差函数exl标准差函数国标检验抽样标准表免费下载红头文件格式标准下载
Syslog
Syslog是一种工业标准的协议,可用来记录设备的日志。在UNIX系统,路由器、交换
机等网络设备中,系统日志(System Log)记录系统中任何时间发生的大小事件。管理者可
以通过查看系统记录,随时掌握系统状况。UNIX的系统日志是通过syslogd这个进程记录
系统有关事件记录,也可以记录应用程序运作事件。通过适当的配置,我们还可以实现运行
syslog协议的机器间通信,通过分析这些网络行为日志,藉以追踪掌握与设备和网络有关
的状况。
最新版本的syslog协议标准在RFC3164中定义。
Netflow
Netflow是Cisco公司提出的按网流中IP包的N元组(源IP地址、目的IP地址、源
端口、目的端口、协议号、ToS、接口ID、源自治系统、目的自治系统)信息作为键值进行
统计、分析。使用Netflow技术可实现分析网络中的流量瓶颈、找出安全隐患、实现流量计
费等功能。
有关Netflow的详细信息可参考cisco网站资料:www.cisco.com/go/netflow close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
NetStream
NetStream是公司Huawei和H3C公司提出的一种网流技术,与cisco netflow技术的作用类似,在实现方式上不同。
Windows WMI
WMI(Windows Management Instrumentation)是Microsoft公司为MMC和脚本程序提供了一个访问操作系统构成单元的公共接口。有了WMI,工具软件和脚本程序访问操作系统的不同部分时不需要使用不同的API;相反,操作系统的不同部分都可以插入WMI,工具软件和WMI可以方便地读写WMI。
SSH
最初的SSH是由芬兰的一家公司开发的。但是因为受版权和加密算法的限制,现在很多人都转而使用OpenSSH。OpenSSH是SSH的替代软件包,而且是免费的。
SSH是英文Secure Shell的简写形式。通过使用SSH,你可以把所有传输的数据进行加密,这样"中间人"这种攻击方式就不可能实现了,而且也能够防止DNS欺骗和IP欺骗。使用SSH,还有一个额外的好处就是传输的数据是经过压缩的,所以可以加快传输的速度。SSH有很多功能,它既可以代替Telnet,又可以为FTP、Pop、甚至为PPP提供一个安全的"通道"。
ODBC
ODBC是Open Database Connectivity的缩写,是MICROSOFT提出的数据库访问接口标准。ODBC定义了访问数据库的API一个规范,这些API独立于不同厂商的DBMS,也独立于具体的编程语言(但是MICROSOFT的ODBC文档是用C语言描述的,许多实际的ODBC驱动程序也是用C语言写就的。)ODBC规范后来被X/OPEN和ISO/IEC采纳,作为SQL标准的一部分,具体内容可以参看《ISO/IEC 9075-3:1995 (E) Call-Level Interface (SQL/CLI)》等相关的标准文件。
close attention to the development of safety risk assessment of the park, the overall planning of the park in a timely manner to make adjustments to ensure that the Park HealthKang development. Third, we must further implement the responsibility. At the meeting, everybody in the claim of the list of issues at the same time, also claimed the respective responsibilities. Hope to attach great importance to, seriously, and resolutely prevent going through the motions, to prevent the security check in the formalism, especially leading cadres will never be able to put the meeting, said, dispatch, checked as "task landing ', to stare staring death, a grasp in the end. To further strengthen over the work of production safety supervision and inspection, supervision and guidance of all enterprises to effectively implement the main responsibility of the hidden dangers rectification, and urge enterprises to implement the hidden danger investigation and rectification responsibility commitment system, rely on their own strength to carry out hidden self-examination and self correction work . fourth, it is necessary to strict liability accountability. Seriously investigate and deal with all kinds of accidents, not only to pursue the responsibility of the person who is directly responsible for the accident, but also held in leadership responsibility, truly there is accountability, there must be punished, a check in the end. Ji pick up supervisory organs much too hidden danger of accident beforehand accountability and river responsible efforts, the responsibility
浙公网安备 33021202002483