Creating a Self-Defending Network Using Open Source Software

Let’s talk network security. You’ve got a firewall and a DMZ, you’re all set, right? Not so fast, slugger. We preach a theory called “defense in depth” here at Hurricane. That means you need something to defend you when your firewall admins make a mistake, something to protect you when that layer fails, and so on. So what are these other layers? One of them is a good IDS/IPS. An IDS/IPS listens to network traffic, generally the traffic inside your firewall, and either alerts on (IDS) or drops/blocks altogether (IPS) traffic that matches specific rules defining “bad traffic”. But what else can you do? Introducing the self-defending network.

Published in: Technology
Speaker notes:
  • External IDS captures scan traffic. Internal IDS captures traffic to/from live servers. Vyatta is the choke point for blocking traffic.
  • External IDS: similar to a honeypot/Artillery, but without an actual bastion host. Internal IDS: watches real, already existing traffic against your real servers.
  • Also show the OSSEC rules.
Slide deck: Creating a Self-Defending Network Using Open Source Software

    1. Introduction
       • Who am I?
       • Who is Hurricane Labs?
       • What is a self-defending network?
       • Why would I want one?
    2. So how’s it work?
    3. Story Time
    4. What do you need?
    5. Why not just use a honeypot? Or Artillery?
    6. Installing OSSEC Server
       • Make sure you have a compiler, etc. installed
       • Download the source distribution
       • Un-tar
    7. Installing OSSEC Server
       • Pre-compiling the binaries makes building a single agent tarball easy!
       • Follow the instructions in the OSSEC wiki for doing so - http://goo.gl/EYknZ
    8. [Vyatta]
       • Just a standard installation of Vyatta
       • No special configuration is required
       • We will add the OSSEC agent later
    9. Cisco instead of Vyatta
       • Cisco isn’t open source
       • Can’t install OSSEC on Cisco IOS
       • You could do it... but it’s not as easy
    10. Pick Your Poison #1: Which IDS?
    11. [Snort]
       • Industry standard
       • Open source (mostly)
       • Been around a while (since 1998)
       • Available in most package managers
    12. [Suricata]
       • Very new
       • Also open source
       • Funding from both public (US DHS) and private sector
       • “Next Generation” from the ground up
       • Becoming more available in package managers
    13. Pick Your Poison #2: Which Ruleset?
    14. VRT
       • Snort “Vulnerability Research Team”
       • Official Snort ruleset
       • Been around a while
       • Delayed by 30 days unless you pay ($499.99 for a business, $29.99 for a person)
       • Good coverage, quick updates
    15. Emerging Threats / ETPro
       • Alternative to VRT
       • Originally “Bleeding Snort”, also been around a while
       • Much quicker to respond to new threats, but more likely to false positive
       • ETPro is a “premium” ruleset from the same folks
    16. Pick Your Poison #3: Logging Methods
    17. Built-In Syslog
       • Built in to Snort
       • Reduces performance of the Snort process
       • Easy to configure
    18. Barnyard2
       • Recommended method of logging Snort events
       • Supported by Suricata and Snort
       • Reads Snort “Unified2” format and outputs a variety of logs
       • More difficult to configure
    19. Preventing Chaos
       • Adjust your ruleset so the rules you have enabled match what you want to block
       • Proper tuning (not just turning stuff off)
    20. Configuration
    21. OSSEC Server
       • Collects events from the agents (more on this later)
       • Matches events against a ruleset (this one doesn’t give you many choices)
       • Triggers alerts and, more importantly, “active response” based on events
    22. OSSEC Agents
       • One each on the router, the inside IDS, and the outside IDS
       • Make sure the IDS agents are reading whatever log file the Snort logs are in
    23. Active-Response
    24. Big Finish
    25. Cool. Now What?
    26. Other Event Sources
       • FTP servers
       • Web servers
       • Web app firewalls
       • Anti-virus servers
       • Domain controllers
       • Anything that you can get logs from
    27. Monitoring Your Defenses
    28. Splunk Your Alerts
    29. Questions?
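The OSSEC server/agent/active-response chain from slides 21-23 (Snort alerts read by the IDS agents, correlated on the server, then a block pushed to the Vyatta choke point), simulated as an added example that is not code from the talk or from OSSEC itself: a parser for Snort "fast" alert lines plus a frequency/timeframe rule that emits a timed firewall-drop decision. The sample alert lines, the thresholds, the `FrequencyBlocker` class and the assumed log year are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Snort/Suricata "fast" alert: ts [**] [gid:sid:rev] msg [**] ... [Priority: n] {proto} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$")

def parse_fast_alert(line, year=2013):  # fast logs carry no year; 2013 is an assumed value
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"], "priority": int(m["prio"]),
            "src": m["src"], "dst": m["dst"]}

class FrequencyBlocker:
    """Stand-in for an OSSEC frequency/timeframe rule with active response: `frequency` alerts
    from one source inside `timeframe` seconds -> block it for `timeout` seconds, no re-trigger."""
    def __init__(self, frequency=8, timeframe=120, timeout=600):
        self.frequency, self.timeframe, self.timeout = frequency, timeframe, timeout
        self.history = defaultdict(deque)   # src -> timestamps of recent alerts
        self.blocked = {}                   # src -> block expiry

    def feed(self, alert):
        src, now = alert["src"], alert["ts"]
        if self.blocked.get(src, now) > now:   # block still active: nothing new to do
            return None
        q = self.history[src]
        q.append(now)
        while (now - q[0]).total_seconds() > self.timeframe:   # drop alerts outside the window
            q.popleft()
        if len(q) < self.frequency:
            return None
        q.clear()
        self.blocked[src] = now + timedelta(seconds=self.timeout)
        return {"action": "firewall-drop", "srcip": src, "expires": self.blocked[src]}

def correlate(lines, **rule):
    blocker = FrequencyBlocker(**rule)
    alerts = filter(None, (parse_fast_alert(l) for l in lines))
    return [d for d in map(blocker.feed, alerts) if d]   # active-response decisions, in order

# Constructed sample: 10 scan alerts from one source, 3 from another (sid/message illustrative)
SAMPLE_ALERTS = ["03/14-10:15:%02d.000000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] "
                 "[Classification: Attempted Information Leak] [Priority: 2] {TCP} %s:5%04d -> 192.0.2.10:22"
                 % (sec, src, sec) for sec, src in [(s, "203.0.113.7") for s in range(1, 11)] + [(s, "198.51.100.9") for s in range(20, 23)]]
```

In the real deployment the same logic is an OSSEC rule carrying frequency and timeframe plus an active-response entry whose command runs on the Vyatta agent; the expiring block here mirrors the active-response timeout.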
