Creating a Self-Defending Network Using Open Source Software
Let’s talk network security. You’ve got a firewall and a DMZ, you’re all set, right? Not so fast, slugger. We preach a theory called “defense in depth” here at Hurricane. And that means you need something to defend you when your firewall admins make a mistake. And something to protect you when that layer fails. And so on. So what are these other layers? Well, one of them is having a good IDS/IPS system. An IDS/IPS listens to network traffic, generally the traffic inside your firewall, and either alerts on (IDS) or drops/blocks altogether (IPS) traffic that meets specific rules defining “bad traffic”. But what else can you do? Introducing the self-defending network.

Speaker notes
  • External IDS captures scan traffic. Internal IDS captures traffic to/from live servers. Vyatta is the choke point for blocking traffic.
  • External IDS: similar to a honeypot/Artillery, but without an actual bastion host. Internal IDS: watches real, already existing traffic against your real servers.
  • Also show the OSSEC rules.
Transcript

    • 1. Introduction
      • Who am I?
      • Who is Hurricane Labs?
      • What is a self-defending network?
      • Why would I want one?
    • 2. So how’s it work?
    • 3. Story Time
    • 4. What do you need?
    • 5. Why not just use a honeypot? Or Artillery?
    • 6. Installing OSSEC Server
      • Make sure you have a compiler, etc. installed
      • Download the source distribution
      • Un-tar
    • 7. Installing OSSEC Server
      • Pre-compiling the binaries makes building a single agent tarball easy!
      • Follow the instructions in the OSSEC wiki for doing so - http://goo.gl/EYknZ
    • 8.
      • Just a standard installation of Vyatta
      • No special configuration is required
      • We will add the OSSEC agent later
    • 9. Cisco instead of Vyatta
      • Cisco isn’t open source
      • Can’t install OSSEC on Cisco IOS
      • You could do it... but it’s not as easy
    • 10. Pick Your Poison #1: Which IDS?
    • 11.
      • Industry standard
      • Open source (mostly)
      • Been around a while (since 1998)
      • Available in most package managers
    • 12.
      • Very new
      • Also open source
      • Funding from both public (US DHS) and private sector
      • “Next Generation” from the ground up
      • Becoming more available in package managers
    • 13. Pick Your Poison #2: Which Ruleset?
    • 14. VRT
      • Snort “Vulnerability Research Team”
      • Official Snort ruleset
      • Been around a while
      • Delayed by 30 days unless you pay ($499.99 for a business, $29.99 for a person)
      • Good coverage, quick updates
    • 15. Emerging Threats / ETPro
      • Alternative to VRT
      • Originally “Bleeding Snort”, also been around a while
      • Much quicker to respond to new threats, but more likely to false positive
      • ETPro is a “premium” ruleset from the same folks
    • 16. Pick Your Poison #3: Logging Methods
    • 17. Built-In Syslog
      • Built in to Snort
      • Reduces performance in the Snort process
      • Easy to configure
    • 18. Barnyard2
      • Recommended method of logging Snort events
      • Supported by Suricata and Snort
      • Reads Snort “Unified2” format and outputs a variety of logs
      • More difficult to configure
    • 19. Preventing chaos
      • Adjust your ruleset so the rules you have enabled match what you want to block
      • Proper tuning (not just turning stuff off)
    • 20. Configuration
    • 21. OSSEC Server
      • Collects events from the agents (more on this later)
      • Matches events against a ruleset (this one doesn’t give you many choices)
      • Triggers alerts and, more importantly, “active response” based on events
    • 22. OSSEC Agents
      • One each on the router, the inside IDS, and the outside IDS
      • Make sure the IDS agents are reading whatever log file the Snort logs are in
    • 23. Active-Response
    • 24. Big Finish
    • 25. Cool. Now What?
    • 26. Other Event Sources
      • FTP servers
      • Web servers
      • Web app firewalls
      • Anti-virus servers
      • Domain controllers
      • Anything that you can get logs from
    • 27. Monitoring your Defenses
    • 28. Splunk your Alerts
    • 29. Questions?
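As an added illustration of slides 21 through 23 (this is not from the original deck), here are the OSSEC configuration pieces that tie the IDS agents to the router: the agents ship Snort alerts to the server, a local rule requires repeated events from one source before escalating, and active response pushes a firewall drop to the Vyatta agent only. The Snort alert path, the agent id 001 for the router, rule id 100100 and the 8-events-in-120-seconds threshold are assumptions to tune for your own network.

```xml
<!-- ossec.conf on each IDS agent (inside and outside): read Snort's full-format
     alert file. The path is an assumption; point it at wherever Snort or Barnyard2
     actually writes alerts on your sensors. -->
<ossec_config>
  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>
</ossec_config>

<!-- local_rules.xml on the OSSEC server: an assumed local rule (id 100100) that
     fires at level 10 only after 8 IDS events from the same source IP within 120
     seconds, so one noisy signature does not block anybody on its own. -->
<group name="local,ids,">
  <rule id="100100" level="10" frequency="8" timeframe="120">
    <if_matched_group>ids</if_matched_group>
    <same_source_ip />
    <description>Repeated IDS events from one source; blocking at the router.</description>
  </rule>
</group>

<!-- ossec.conf on the OSSEC server: run the stock firewall-drop script, but only on
     the router agent (assumed id 001, the Vyatta choke point) and only for rule
     100100. The block expires after 600 seconds so a spoofed scan cannot lock out
     a legitimate address forever. -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Because the response is scoped to one agent and one rule id, the IDS sensors themselves never modify their own firewalls, which keeps the block point in a single, auditable place.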
