[OPNsense] IPS ๊ตฌ์ถ• ๋ฐ ์ด์šฉ

2023. 7. 9. 06:00ใ†System ์ž‘์—…์‹ค/Server ๊ด€๋ จ

728x90
๋ฐ˜์‘ํ˜•

 

 

 

 

 

 

 

 

๋ฏธ๋‹ˆ PC PfSense ๋ฐฉํ™”๋ฒฝ N5105 ๋ผ์šฐํ„ฐ 4x ์ธํ…” i225V B3 25G LAN 2x ddr4 NVMe ์‚ฐ์—…์šฉ ํŒฌ๋ฆฌ์Šค 4xUSB HDMI20 OPNsense PV

COUPANG

www.coupang.com

"์ด ํฌ์ŠคํŒ…์€ ์ฟ ํŒก ํŒŒํŠธ๋„ˆ์Šค ํ™œ๋™์˜ ์ผํ™˜์œผ๋กœ, ์ด์— ๋”ฐ๋ฅธ ์ผ์ •์•ก์˜ ์ˆ˜์ˆ˜๋ฃŒ๋ฅผ ์ œ๊ณต๋ฐ›์Šต๋‹ˆ๋‹ค."

 

 

 

 

 

๐Ÿš€ [OPNsense] IPS ๊ตฌ์ถ• ๋ฐ ์ด์šฉ

    ๐Ÿ”ฝ ๊ฐœ์š”

        ๐Ÿ“ฆ ์†Œ๊ฐœ

์˜ค๋Š˜์€ OPNsense๋ฅผ ํ†ตํ•ด IPS(Intrusion Prevention System)์„ ๊ตฌ์ถ•ํ•˜์—ฌ ๋ณด์•ˆ์„ ๊ฐ•ํ™”ํ•˜๋Š” ๋ฐฉ๋ฒ•์— ๋Œ€ํ•ด ์ด์•ผ๊ธฐ ํ•ด๋ณด๋ ค ํ•ด์š”.

๋‚ด๋ถ€์˜ ์‚ฐ์ถœ๋ฌผ๊ณผ ์„œ๋น„์Šค, ๋ชจ๋“  ๋‚ด์šฉ์€ ๋งค์šฐ ์†Œ์ค‘ํ•˜๊ธฐ ๋•Œ๋ฌธ์— ์ตœ๋Œ€ํ•œ ์•ˆ์ „ํ•˜๊ฒŒ ์ง€์ผœ์ฃผ๊ณ  ์‹ถ์–ด์š”.

์ฃผ๋‹ˆ์“ฐ๋Š” ์ž‘๋…„์— ์ •๋ณด๋ณด์•ˆ ์‚ฐ์—…๊ธฐ์‚ฌ๋ฅผ ์ทจ๋“ํ–ˆ๊ณ , 1๋…„๊ฐ„ ๋…์„œ์‹ค์— ๋ฐ•ํ˜€ ํ•„๊ธฐ์™€ ์‹ค๊ธฐ๋ฅผ ์—ด์‹ฌํžˆ ์ค€๋น„ํ–ˆ์–ด์š”.
๊ธฐ์‚ฌ๋„ ์ค€๋น„ํ–ˆ์œผ๋‚˜, ์•„์‰ฝ๊ฒŒ๋„ ๋–จ์–ด์ง€๊ณ  ๋ง์•˜์–ด์š”...

๊ทธ๋•Œ ๊ณต๋ถ€ํ•˜๋ฉด์„œ IPS์— ์ค‘์š”์„ฑ์„ ์•Œ๊ฒŒ ๋˜์—ˆ๋‹ต๋‹ˆ๋‹ค. ๊ทธ๋ž˜์„œ IPS๋ฅผ ๊ตฌ์ถ•ํ•˜๊ณ , ๋ณด์•ˆ์„ ๋”์šฑ ๊ฐ•ํ™”ํ•˜๋Š” ๋ฐฉ๋ฒ•์„ ์„ ํƒํ•˜๊ฒŒ ๋˜์—ˆ์–ด์š”.

 

๋จผ์ € ๊ตฌ์ถ•ํ•˜๊ธฐ ์ „์— IPS์™€ IDS๊ฐ€ ๋ฌด์—‡์ธ์ง€ ๋ถ€ํ„ฐ ์ •๋ฆฌํ•ด ๋ณด๋ ค๊ณ  ํ•ด์š”.

์ด ๋‚ด์šฉ์€ ์ด ๊ณณ์— ๋”ฐ๋กœ ์—ด์‹ฌํžˆ ์ค€๋น„ํ•ด ๋‘์—ˆ์–ด์š”.

 

 

 

    ๐Ÿ”ฝ OPNsense IPS 

        ๐Ÿ“ฆ ๊ตฌ์ถ• ๋ฐ ์„ค์ •

์ตœ์ดˆ OPNsense ๊ด€๋ฆฌ์ž Page๋กœ ์ ‘์†ํ•˜์—ฌ ๊ฐ€์ง€๊ณ  ๋†€์•„ ๋ณผ๊ฒŒ์š”.

Services -> Intrusion Detection -> Administration

728x90

 

์ตœ์ดˆ ์œ„์™€ ๊ฐ™์ด IDS ์„ค์ • Tab์œผ๋กœ ์ด๋™ ํ•ด ์ฃผ์—ˆ์–ด์š”.

Services -> Intrusion Detection -> Administration -> Settings

 


๊ทธ๋Ÿฐ ๋’ค ์ฃผ๋‹ˆ๋Š” ์œ„์™€ ๊ฐ™์ด ์„ค์ • ํ•ด ์ฃผ๋ ค๊ณ  ํ•ด์š”.

์ฐธ๊ณ ๋กœ ์œ„์—์„œ Interfaces๋ฅผ WAN์œผ๋กœ ์„ค์ •ํ–ˆ๋‹ค๋ฉด advanced mode ๋ฒ„ํŠผ์„ ํ™œ์„ฑํ™”ํ•˜์—ฌ

Home Network ๋ถ€๋ถ„์— WAN IP ์ฃผ์†Œ๋ฅผ ์ž…๋ ฅํ•ด ์ฃผ์–ด์•ผ ํ•ด์š”.

์ด ๊ณณ์—์„œ๋Š” Domain Name์„ ์ž‘์„ฑํ•  ์ˆ˜ ์—†๊ธฐ ๋•Œ๋ฌธ์— WAN ์ฃผ์†Œ๊ฐ€ ๋ณ€๊ฒฝ๋œ๋‹ค๋ฉด
์ด ๊ณณ์— IP๋ฅผ ์ตœ์‹ ํ™” ํ•ด์ค˜์•ผ ํ•˜๋Š” ๋‹จ์ ์ด ์žˆ์–ด์š”.

ํ•œ๊ฐ€์ง€ ๋‹คํ–‰์ธ๊ฒƒ์€ ๋งŽ์€ ISP์—์„œ ์žฅ๊ธฐ๊ฐ„ Network๋ฅผ ๋ฌผ๊ณ  ์žˆ๋‹ค๋ฉด IP๋ฅผ ๋ณ€๊ฒฝํ•˜์ง€ ์•Š์•„์ฃผ๊ณ  ์žˆ์–ด์š”.

๋งŒ์•ฝ IP๊ฐ€ ์ž๊พธ ๋ณ€๊ฒฝ๋˜์–ด ๋ถˆํŽธํ•˜๋‹ค๋ฉด WAN์ด ์•„๋‹Œ LAN์„ ์„ ํƒํ•˜๋Š” ๊ฒƒ๋„ ๋ฐฉ๋ฒ•์ผ ์ˆ˜ ์žˆ์–ด์š”.

Apply๋ฅผ ๋ˆŒ๋Ÿฌ์ค„๊ฒŒ์š”.

 

์ข…    ๋ฅ˜ ๋‚ด    ์šฉ
Enable IDS Mode ํ™œ์„ฑํ™” (ํƒ์ง€๋งŒ ๊ฐ€๋Šฅ)
IPS Mode IPS Mode ํ™œ์„ฑํ™” (์นจ์ž… ์ฐจ๋‹จ ๊ฐ€๋Šฅ)
Promiscuous Mode ๋ฌด์ฐจ๋ณ„ ๋ชจ๋“œ์—์„œ ํŠธ๋ž˜ํ”ฝ์„ ๋ถ„์„
(๋„คํŠธ์›Œํฌ ์ธํ„ฐํŽ˜์ด์Šค์— ์ „๋‹ฌ ๋œ ๋ชจ๋“  ํŒจํ‚ท)
Enable syslog alerts ๋น ๋ฅธ ๋กœ๊ทธ ํ˜•์‹์„ ์‚ฌ์šฉํ•˜์—ฌ syslog์— ์•Œ๋ฆผ์„ ์ „๋‹ฌ
Enble eve syslog output ๋กœ๊ทธ ๋ ˆ๋ฒจ ์ •๋ณด๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ Eve ํ˜•์‹์œผ๋กœ Syslog๋กœ ์•Œ๋ฆผ ์ „๋‹ฌ.
์ œํ’ˆ ์ž์ฒด๊ฐ€ ์‚ฌ์šฉํ•˜๋Š” ๊ฒฝ๊ณ  ๋กœ๊น…์€ ๋ณ€๊ฒฝ๋˜์ง€ ์•Š์œผ๋ฉฐ,
๋“œ๋กญ ๋กœ๊ทธ๋Š” Suricata์˜ ์ œํ•œ์œผ๋กœ ์ธํ•ด ๋‚ด๋ถ€ ๋กœ๊ฑฐ๋กœ๋งŒ ์ „์†ก.
Pattern matcher ํŒจํ„ด ๋งค์นญ ์•Œ๊ณ ๋ฆฌ์ฆ˜ ์ œ์–ด. 
AHO โ€“ CORASICK๊ฐ€ ๊ธฐ๋ณธ๊ฐ’์ด๋ฉฐ, ์ง€์›๋˜๋Š” ํ”Œ๋žซํผ์—์„œ Hyperscan์ด ์ตœ์ƒ์œ„ ๊ธฐ๋Šฅ ์ œ๊ณต.
๊ตฌ์ถ•๋œ ํ•˜๋“œ์›จ์–ด์—์„œ Hyperscan์„ ์‚ฌ์šฉํ•  ์ˆ˜์—†๋Š” ๊ฒฝ์šฐ ์ œ์•ˆ ๋œ ์„ค์ •์€ "aho -corasick"๋ณด๋‹ค ์„ฑ๋Šฅ์ด ๋›ฐ์–ด๋‚˜๊ธฐ ๋•Œ๋ฌธ์— "aho โ€“ corasick Ken Steele ๋ณ€ํ˜•"์ž…๋‹ˆ๋‹ค.
Interfaces ๋ณดํ˜ธํ•  Interface๋กœ ๊ธฐ๋ณธ์ ์œผ๋กœ ์™ธ๋ถ€์™€ ์—ฐ๊ฒฐ๋œ Interface WAN
Rotate log Log ํšŒ์ „ ๋นˆ๋„์ˆ˜
Save logs ์ €์žฅํ•  Log ๊ฐœ์ˆ˜




Services -> Intrusion Detection -> Administration -> Download

 


์ด๋ฒˆ์—” Download Tab์—์„œ ์ฐจ๋‹จ Rule set์— ๋Œ€ํ•œ ๋ชจ๋“  Rule Set์„ ๋‚ด๋ ค ๋ฐ›์•„์ฃผ๋ ค๊ณ  ํ•ด์š”.

์ตœ์ดˆ ๊ฐ๊ฐ์˜ Rule Set ์˜ค๋ฅธ์ชฝ์— Edit ๋ฐ‘์— ์—ฐํ•„ ๋ชจ์–‘์„ ๋ˆŒ๋Ÿฌ์ค๋‹ˆ๋‹ค.

๊ทธ๋Ÿฐ ๋’ค ์œ„์™€ ๊ฐ™์ด Enabled๋ฅผ ํ™œ์„ฑํ™” ํ•˜๊ณ , Save๋ฅผ ๋ˆŒ๋Ÿฌ์ค˜์•ผ ํ•ด์š”.


Services -> Intrusion Detection -> Administration -> Download

 


๊ทธ๋Ÿผ ์œ„์™€ ๊ฐ™์ด Enabled๋ž€์ด ๋ชจ๋‘ ์ฒดํฌ ๋ชจ์–‘์œผ๋กœ ๋ณ€๊ฒฝ๋  ๊ฑฐ์—์š”.


๋ชจ๋‘ ์„ ํƒํ•œ ๋’ค Download and Update๋ฅผ ๋ˆŒ๋Ÿฌ์ฃผ๋ฉด ์ž๋™์œผ๋กœ ๊ทœ์น™์„ ๋‚ด๋ ค๋ฐ›๊ณ , ์ ์šฉํ•  ๊ฑฐ์—์š”.


Services -> Intrusion Detection -> Administration -> Download

 


๊ทธ๋Ÿผ ์œ„์™€ ๊ฐ™์ด Last Updated์— ๋‚ด๋ ค ๋ฐ›๊ฑฐ๋‚˜, Updateํ•œ ๋‚ ์งœ๊ฐ€ ๋‚˜์˜ค๊ฒŒ ๋ ๊ฑฐ์—์š”.


์ฐธ๊ณ ๋กœ ์ด๊ฒƒ์€ ๊ณต์ธ๋œ ๊ณณ์—์„œ ๊ฐ€์ ธ์˜จ Rule Set์ด์—์š”.


IDS/IPS๋ฅผ ์ฒ˜์Œ ํ™œ์„ฑํ™” ํ•  ๋‹น์‹œ OPNsense๋Š” ์•…์„ฑ ํŠธ๋ž˜ํ”ฝ์„ ํƒ์ง€ํ•˜๊ฑฐ๋‚˜, ์ฐจ๋‹จํ•˜๋Š” ๊ทœ์น™ ์—†์ด ํ™œ์„ฑํ™” ๋˜๊ฒŒ ๋˜๋Š”๋ฐ, ํ•ด๋‹น Tab์—์„œ System์—์„œ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋Š” ๋ชจ๋“  ๊ทœ์น™๋“ค์„ ๋‚ด๋ ค ๋ฐ›์„ ์ˆ˜ ์žˆ๊ฒŒ ์ค€๋น„ ๋˜์–ด ์žˆ์–ด์š”.

(Plugin์„ ์‚ฌ์šฉํ•˜์—ฌ ํ™•์žฅ ๊ฐ€๋Šฅ)

์ด ๊ณณ์—์„œ๋Š” ๋‹ค๋ฅธ ์‚ฌ์šฉ์ž๊ฐ€ ์ œ๊ณตํ•œ ๊ทœ์น™ ์ง‘ํ•ฉ ๋ชฉ๋ก๊ณผ System์—์„œ ๋งˆ์ง€๋ง‰์œผ๋กœ ๋‚ด๋ ค๋ฐ›๊ธฐ ํ•œ ์‹œ๊ธฐ(์„ค์น˜๋œ ๊ฒฝ์šฐ)๋ฅผ ์ฐพ์„ ์ˆ˜ ์žˆ๋Š” ๊ณณ์ด๊ณ , 21.1 ์ด์ „ Version์—์„œ๋Š” ์—ฌ๊ธฐ์—์„œ ํ•„ํ„ฐ๋ฅผ ์„ ํƒํ•˜์—ฌ ์„ค์น˜๋œ ๊ทœ์น™์˜ ๊ธฐ๋ณธ ๋™์ž‘์„ ๊ฒฝ๊ณ ์—์„œ ์ฐจ๋‹จ์œผ๋กœ ๋ณ€๊ฒฝํ•  ์ˆ˜ ์žˆ์—ˆ์œผ๋‚˜, 21.1 ์ดํ›„๋ถ€ํ„ฐ IDS/IPS Module ์•ˆ์— ๋ณ„๋„ ๊ธฐ๋Šฅ์ธ Policies์—์„œ ์ด ๊ธฐ๋Šฅ์„ ์ด์šฉํ•  ์ˆ˜ ์žˆ๊ฒŒ ๋ณ€๊ฒฝ๋˜์–ด ๊ทœ์น™์— ๋Œ€ํ•ด ๋ณด๋‹ค ์„ธ๋ถ„ํ™”๋œ ์ œ์–ด๋ฅผ ํ•  ์ˆ˜ ์žˆ๊ฒŒ ๋ณ€๊ฒฝ ๋˜์—ˆ๋‹ค๊ณ  ํ•ด์š”.


์œ„์— ET๋ผ๊ณ  ํ‘œ์‹œ๋œ ๊ฒƒ์€ Emerging Threats์— ์•ฝ์ž๋กœ ๋‹ค์–‘ํ•œ IDS/IPS ๊ทœ์น™๋“ค์„ ๋‹ด๊ณ  ์žˆ์–ด์š”.
๋ฌด๋ฃŒ BSD Lisense Version๊ณผ ์œ ๋ฃŒ Lisense Version์ด ์žˆ๋‹ต๋‹ˆ๋‹ค.


์ •๋ณด ํ™•์ธ: https://docs.opnsense.org/manual/ips.html#available-rulesets

 

Intrusion Prevention System โ€” OPNsense documentation

Feodo Tracker Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victimโ€™s computer, such as credit card details or credentials. At the moment, Feodo Tracker is tracking four versions o

docs.opnsense.org

 

 

์ฐธ๊ณ ๋กœ Rule์˜ ๊ฒฝ์šฐ ์ฃผ๊ธฐ์ ์œผ๋กœ Update๋ฅผ ํ•ด์ค˜์•ผ ์•ˆ์ •์ ์ธ ๋ณด์•ˆ์„ ๊ฐ€์ ธ๊ฐˆ ์ˆ˜ ์žˆ์–ด์š”.
Update๋ฅผ ์ˆ˜๋™์œผ๋กœ ํ•˜๋Š” ๊ฒƒ๋ณด๋‹จ ์ž๋™์œผ๋กœ ํ•ด์ฃผ๋Š”๊ฒŒ ๋”์šฑ ํŽธํ•˜๊ธฐ ๋•Œ๋ฌธ์— ์Šค์ผ€์ฅด ์ชฝ์—์„œ Update ์ผ์ •์„ ์žก์•„ ์ฃผ๋„๋ก ํ• ๊ฒŒ์š”.


Services -> Intrusion Detection -> Administration -> Schedule

 


์œ„์™€ ๊ฐ™์ด Schedule Tab์„ ๋ˆ„๋ฅด๋ฉด ์„ค์ •ํ•  ์ˆ˜ ์žˆ์–ด์š”.



์ฃผ๋‹ˆ์“ฐ๋Š” ์œ„์™€ ๊ฐ™์ด ๋งค์ผ 7์‹œ์— Update๊ฐ€ ์ง„ํ–‰๋˜๋„๋ก ์„ค์ •ํ•ด ์ฃผ์—ˆ์–ด์š”.

 

 

 

๊ธฐ๋ณธ์ ์œผ๋กœ IPS๋ฅผ ์ฒ˜์Œ ์ ์šฉํ•˜๊ฒŒ ๋˜๋ฉด ๋ชจ๋“  ๊ทœ์น™์ด Alert๋กœ ์„ค์ • ๋˜์–ด ์žˆ์„ ๊ฑฐ์—์š”.

Drop์œผ๋กœ ํ•  ๊ฒฝ์šฐ Response ์—†์ด ์ฐจ๋‹จ์„ ํ•ด๋ฒ„๋ ค์„œ Service ์žฅ์• ๋ฅผ ์ผ์œผํ‚ฌ ์œ„ํ—˜์ด ์žˆ๊ธฐ ๋•Œ๋ฌธ์—
Alert๊ฐ€ ๋œจ๋Š” ๊ทœ์น™์„ ํ™•์ธํ•˜๊ณ ,
์˜คํƒ์ด ์•„๋‹Œ ์ •ํƒ์ด๋ผ๋ฉด Drop ๊ทœ์น™์œผ๋กœ ๋ฐ”๊พธ๋Š” ๊ฒƒ๋„ ๋ฐฉ๋ฒ•์ผ ์ˆ˜ ์žˆ์–ด์š”.

Services -> Intrusion Detection -> Administration -> Rules

 


Rules Tab์— ๊ฐ€์„œ ๋ณด๋ฉด ๊ต‰์žฅํžˆ ๋งŽ์€ ๊ทœ์น™๋“ค์ด ์žˆ๋Š” ๊ฒƒ์„ ๋ณผ ์ˆ˜ ์žˆ์–ด์š”.

Black List IP์™€ CVE์™€ ๊ฐ™์€ ์ทจ์•ฝ์ ๋„ ํฌํ•จ ๋˜์–ด ์žˆ๋Š”๊ฑธ ํ™•์ธํ•  ์ˆ˜ ์žˆ์–ด์š”.

๊ฐ€์žฅ ๋Œ€ํ‘œ์ ์ธ ์ทจ์•ฝ์ ์ด 2021๋…„๋„ ๊ฐœ๋ฐœ์ž๋“ค์˜ ๊ฐ„๋‹ด์„ ์„œ๋Š˜ํ•˜๊ฒŒ ํ–ˆ๋˜ Log4j ์ทจ์•ฝ์ ๋„ ์žˆ๋‹ค๊ณ  ํ•ด์š”.

์ด์ œ ์ƒ์„ธํ•œ ์„ค์ •์— ๋Œ€ํ•ด์„œ๋Š” ์•„๋ž˜์™€ ๊ฐ™์ด User define์„ ํ†ตํ•ด ์ ์šฉํ•ด ์ค„ ์ˆ˜ ์žˆ์–ด์š”.

 

 

Services -> Intrusion Detection -> Administration -> User define

๋ฐ˜์‘ํ˜•

 


์ฃผ๋‹ˆ์“ฐ๋Š” ๋ชจ๋“  IP ๋Œ€์—ญ์—์„œ Server Zone์œผ๋กœ ์˜ค๋Š” ๊ฒƒ์— ๋Œ€ํ•ด ๋จผ์ € ์ •์ฑ…์„ ๊ฑธ์–ด ๋ณด์•˜์–ด์š”.

 

 

์ด๋ฒˆ์—๋Š” ์ •์ฑ…์„ ์ž‘์„ฑํ•ด ๋†“์•„๋ณด๋„๋ก ํ• ๊ฒŒ์š”.

Services -> Intrusion Detection -> Policy

 


์œ„์™€ ๊ฐ™์ด Policy Tab์—์„œ + ๋ฒ„ํŠผ์„ ๋ˆŒ๋Ÿฌ์ค„๊ฒŒ์š”.


Rulsets ๋ถ€๋ถ„์— ๋ชจ๋“  ๋‚ด์šฉ์„ ์„ ํƒํ•ด์„œ ํ™œ์„ฑํ™” ํ•˜๊ณ ,
Description์— ์–ด๋–ค ์ •์ฑ…์ธ์ง€๋ฅผ ์ ์€ ๋’ค New action์— ํ•ด๋‹น ์ •์ฑ…์— ์œ„๋ฐ˜ํ•œ ๋‚ด์šฉ์„ ๋ฐœ๊ฒฌํ•˜๋ฉด ์–ด๋–ป๊ฒŒ ํ•  ๊ฒƒ์ธ๊ฐ€๋ฅผ ์ •์˜ํ•ด ์ฃผ์—ˆ์–ด์š”.

 




๐Ÿง ์ฐธ๊ณ  ์ž๋ฃŒ

 

Intrusion Prevention System โ€” OPNsense documentation

Feodo Tracker Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victimโ€™s computer, such as credit card details or credentials. At the moment, Feodo Tracker is tracking four versions o

docs.opnsense.org

 

 

 

 

 

๋ฏธ๋‹ˆ PC PfSense ๋ฐฉํ™”๋ฒฝ N5105 ๋ผ์šฐํ„ฐ 4x ์ธํ…” i225V B3 25G LAN 2x ddr4 NVMe ์‚ฐ์—…์šฉ ํŒฌ๋ฆฌ์Šค 4xUSB HDMI20 OPNsense PV

COUPANG

www.coupang.com

"์ด ํฌ์ŠคํŒ…์€ ์ฟ ํŒก ํŒŒํŠธ๋„ˆ์Šค ํ™œ๋™์˜ ์ผํ™˜์œผ๋กœ, ์ด์— ๋”ฐ๋ฅธ ์ผ์ •์•ก์˜ ์ˆ˜์ˆ˜๋ฃŒ๋ฅผ ์ œ๊ณต๋ฐ›์Šต๋‹ˆ๋‹ค."

 

 

 

 

 

 

728x90
๋ฐ˜์‘ํ˜•