NoVA Hackers: Securin on a budget
Published in: Technology
  • 1. JC, Adam
  • 2. » We are only representing ourselves, no one else. » The material in this presentation is provided without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and no infringement. In no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or the use or other dealings in the software. » Attendance implies agreement with the disclaimer.
  • 3. JC @JC_SoCal ADAM @dfinf2 Former Marine Forensics/Malware Analysis/Social Engineering Fishnet Security Temporary Drifter from San Diego Security Maven SOC Hobbit Open Source Connoisseur
  • 4. » A list of tools, yay tools! » We will discuss quickly what it's for. » We will make an effort to discuss the benefits of having this tool in your environment. » We will not be detailing the complete functionality of every tool. » Enjoy the talk; a link to the slide deck will be at the end.
  • 5. » Security Appliances are very expensive. » Budget is not always approved. » We still need to do SOMETHING. » Look to open source/free software to provide some degree of security. » Cat Pictures
  • 6. » Look at solutions present for the following areas: ˃FIREWALL/PROXIES/VPN ˃IDS ˃PACKET CAPTURE/FLOW ˃VULNERABILITY SCANNING ˃HOST SECURITY
  • 7. » IPFire » pfSense » Squid » OpenVPN
  • 8. » GUI-based SOHO firewall distribution. Great “All-In-One” solution » Very easy to install, pick up and run with » Support for use as a wireless access point » Snort IDS/IPS package can be installed and run on the box » Squid can be installed and comes with preloaded block lists.
  • 9. » Another GUI-based Linux firewall distribution » Larger feature set than IPFire » Also features Snort, but provides more configuration for it, such as real-time alerting and true IPS capabilities » Can also install Squid as a proxy » Multiple VPN options (OpenVPN, IPsec, PPTP, L2TP) » Features a captive portal page » High Availability offering
  • 10. » Best free proxy » Can configure blocklists that auto-update » Can be paired with ClamAV to scan executables as they are downloaded » ACLs can be implemented to control who can access what » Provides extensive logging: who did what, when, and where
  • 11. » Uses the features of OpenSSL ˃ encryption, authentication, and certification ˃ cipher, key size, or HMAC digest » Static-key based conventional encryption or certificate-based public key encryption » Tunnel over a single UDP or TCP port » Use static, pre-shared keys or TLS-based dynamic key exchange » Windows GUI » Comes installed on IPFire, pfSense
  • 12. » Snort ˃ Snorby » Suricata
  • 13. » Probably the most well-known IDS out there » Fairly difficult to deploy a multi-sensor IDS with Snort » Will work just as well as Sourcefire if configured properly » Multiple packages can be added to Snort to make it perform better (i.e. Barnyard and PulledPork)
  • 14. » Front end for Snort » Displays a lot of useful information up front and easily » Events parse out quite well and make it easy to read what caused the event » Native integration with OpenFPC allows full packet capture with Snort without too much configuration
  • 15. » Another well-known IDS/IPS engine » Part of Homeland’s open source tech program » Runs on Linux/Windows/Mac » Can use Snort VRT, rule language and logging » Multi-threaded » IPv6 support » Rule-based IP reputation
  • 16. » OpenFPC » Moloch » fProbe
  • 17. » Full packet capture program made to integrate easily with other programs such as Snorby » API is easy to use » Installs easily on Debian with minimal compiling
  • 18. » Provides a great, complete program for packet capture » Has the ability to deploy multiple servers that report back to one » Comes with an interface out of the box, useful if you don’t plan to integrate with an IDS or SIEM, etc.
  • 19. » Small program that can be run on either the OpenFPC or Moloch box and turns packet captures into flows » Very simple to use: just install and make sure the options are set correctly to point at the right collector (SIEM, pfSense server, etc.) » Helpful if networking decided to buy those Cisco routers that conveniently don’t support NetFlow…
  • 20. » OpenVAS » Nessus » Arachni
  • 21. » OpenVAS evolved from Nessus » Greenbone Security Assistant provides a usable front end, though it is sometimes slow » Daily updated feed of Network Vulnerability Tests (NVTs), over 30,000 in total (as of April 2013) » Pro services available from 3rd-party vendors
  • 22. » Though a Pro feed license for a Nessus scanner is only $2,500/yr, you can pick up a free feed for $0/yr » Only catch is that the plugins are updated a week or so behind the Pro feed » Not supposed to be used in a commercial environment » Works well for what most small companies need
  • 23. » Free web application scanner » Fairly active development on the project » Takes seconds to stand up and run » Tends to be more on the false positive side » Still provides useful information, mainly on out-of-date vulnerable versions of web apps
  • 24. » OSSEC » Anti-Virus » Cuckoo
  • 25. » OSSEC is a HIDS (host intrusion detection system) » Agents run on Windows, Linux, MacOS, Solaris, HP-UX, and more » Comprised of a manager and agents, and also accepts agentless logs (syslog) » Can monitor VMware (ESX) » Real-time alerting » File integrity and log monitoring » Commercial support from Trend Micro
  • 26. » ClamAV – Open source, no real-time file monitoring, not as high a success rate as others. Low overhead » AVG, AVIRA, Avast!, MSSE – All freeware antivirus with decent detection ratios; fairly high overhead, with the exception of MSSE » Microsoft has recently said MSSE may not be the best AV of choice and recommends that alternatives be used
  • 27. » ‘Semi-automated’ malware analysis sandbox » Great at quickly identifying what malware may do to a host » Reporting is very thorough » Some assembly required » API built in to make it a bit more automated if you desire » Does not counter anti-VM malware
  • 28. » Lots of options » Great for home labs » A good start … » Move to commercial as you grow out of these solutions
  • 29. @JC_SoCal @dfinf2
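Slide 10's Squid points (a file-backed blocklist, ACLs deciding who may reach what, ClamAV scanning of downloads, and the who/what/when/where log) written out as a squid.conf fragment. This is an added example, not from the deck; the subnets, file paths and the squidclamav ICAP service name are assumptions.

```conf
# Added example squid.conf fragment (not from the deck). Subnets, paths and
# the ICAP service name below are assumptions for illustration.

# Who is on the inside, and which hosts are exempt from the blocklist
acl localnet src 10.0.0.0/24
acl admins   src 10.0.0.10 10.0.0.11

# Ports we are willing to proxy to
acl SSL_ports  port 443
acl Safe_ports port 80 443 1025-65535
acl CONNECT method CONNECT

# Blocklist read from a file, one domain per line. A cron job can refresh the
# file and run "squid -k reconfigure" so new entries apply without downtime.
acl blocked_domains dstdomain "/etc/squid/blocklists/domains.txt"

# Order matters: the first matching http_access rule wins
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocked_domains !admins   # blocked unless the client is an admin
http_access allow localnet
http_access deny all

# Hand responses to a ClamAV-backed ICAP service (here squidclamav via c-icap,
# assumed to listen on 1344) so downloads are scanned before reaching the client.
# bypass=off means a scanner outage fails closed rather than skipping the scan.
icap_enable on
icap_service clamav_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
adaptation_access clamav_resp allow all

# The who/what/when/where record: client IP, URL, timestamp and result per request
access_log /var/log/squid/access.log squid
```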
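Slide 11's two OpenVPN modes side by side, as an added example rather than the deck's own configuration: a static pre-shared key tunnel and a certificate/TLS server, both on a single UDP port with an explicitly chosen OpenSSL cipher and HMAC digest. Addresses, the 10.8.0.0/24 pool and the key/certificate file names are assumptions.

```conf
# Added example (not from the deck): two server-side OpenVPN configurations
# for slide 11. File names and addresses are assumptions.

# ---- (a) static pre-shared key ----
# Generate once with "openvpn --genkey --secret static.key" and copy the file
# to both ends over a trusted channel; the same key protects every session.
dev tun
proto udp
port 1194                  # everything rides over this single UDP port
ifconfig 10.8.0.1 10.8.0.2 # point-to-point addresses, local then remote
secret static.key          # conventional (symmetric) encryption, no PKI needed
cipher AES-256-CBC         # cipher picked from what OpenSSL offers
auth SHA256                # HMAC digest authenticating every packet
keepalive 10 60
persist-key
persist-tun

# ---- (b) certificate-based ----
# TLS authenticates both peers and negotiates fresh session keys per
# connection, so a key captured later does not decrypt earlier traffic.
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0   # hands out client addresses from this pool
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0          # extra HMAC on the control channel: unsigned packets are dropped
remote-cert-tls client     # only accept peers whose certificate is marked as a client cert
cipher AES-256-CBC
auth SHA256
keepalive 10 120
persist-key
persist-tun
```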
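Slide 25's OSSEC manager features (file integrity checking with real-time alerting, log monitoring, and agentless syslog acceptance) as an ossec.conf fragment. This is an added example, not from the deck; the monitored directories, log paths, the 10.0.0.0/24 syslog source range and the e-mail addresses are assumptions.

```xml
<!-- Added example ossec.conf fragment for the OSSEC manager (not from the
     deck). Paths, the syslog source range and addresses are assumptions. -->
<ossec_config>

  <!-- File integrity monitoring: a full scan every 2 hours, plus inotify-based
       real-time alerts for the directories marked realtime="yes" -->
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>

  <!-- Log monitoring on the manager itself; agents carry the same stanzas -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>

  <!-- Agentless log acceptance: devices that cannot run an agent (firewalls,
       switches) send syslog here; only the listed source range is accepted -->
  <remote>
    <connection>syslog</connection>
    <allowed-ips>10.0.0.0/24</allowed-ips>
  </remote>

  <!-- Real-time alerting: log everything at level 1 and above, e-mail at 7+ -->
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

</ossec_config>
```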