Unity makes strength
Security devices work in silo and do not share useful data. This presentation will propose an architecture which will allow such devices or applications to be dynamically reconfigured to increase the overall security of the assets.

Published in: Technology
Speaker notes
  • Welcome to my presentation! Let’s talk about some ways to improve our daily security. Q: How many of you have responsibilities to maintain security configurations?
  • A few words about me. My name is Xavier Mertens, I’m working for a big telco company in .be (Security consultant). My second life (at night) is my blog, some projects like pastemon or giving some spare time to the community (BruCON).
  • I consider myself as a defensive security guy. But to defend properly, you need to know how attacks work.
  • I’m coming from Belgium. Small country in the heart of Europe.
  • Belgium is well-known for its beers, waffles and “moules-frites” dishes.
  • Three regions, three official languages (FR, NL, GE), hundreds of ministers.
  • In most networks, security solutions were deployed in “silos”. Each component (firewall, IDS, ...) had a specific job and executed it independently of the others.
  • Something suspicious detected in zone “a” cannot protect zone “b” or “c”.
  • Manual input: it’s a pain! Online repositories: Trust?
  • In fact, there is nothing new. In IT, everything is based on input/output. We have “data” (input) which are processed to generate new “data” (output).
  • Security is a big market. Products are very expensive. You must investigate how to extract as much power as possible from them. Don’t be a victim of the Microsoft Office effect. Read manuals and explore!
  • All security solutions have backdoors (in the positive sense ;-).
  • Checkpoint provides a dbedit command line tool to manage the objects DB.
  • Example of a cradle!
Transcript

    • 1. Unity Makes Strength
      “Why keep this valuable information in a corner?” hashdays 2012 - Xavier Mertens
    • 2. $ whoami
      • Xavier Mertens (@xme)
      • Consultant @ day
      • Blogger @ night
      • BruCON co-organizer
    • 3. $ cat disclaimer.txt
      “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
    • 4. Agenda
      • Some facts
      • Current situation
      • Toolbox
      • Examples
    • 5. Defense vs. Attack
      • Offensive security is funny (w00t! We break things)
      • Defensive security can also be fun! (proud to not be pwn3d ;-)
      • “Know your enemy!”
    • 6. Welcome to Belgium!
    • 7. Welcome to Belgium!
    • 8. Belgique, België, Belgien
      But with a very complicated political landscape!
    • 9. Belgian Motto
      “L’union fait la force” (“Unity Makes Strength”)
    • 10. And Infosec?
      Why not apply this to our security infrastructures?
    • 11. Agenda
      • Some facts
      • Current situation
      • Toolbox
      • Examples
    • 12. Initial Situation
      (diagram: Malware Analysis, Firewall, IDS and Proxy, each taking its own Action)
    • 13. Then Came the god “SIEM”
      (diagram: Malware Analysis, Firewall, IDS and Proxy each send Logs to Centralized Logging Solutions / SIEM)
    • 14. Weaknesses?
      • Independent solutions
      • Static configurations
      • Only logs are centralized
      • No global protection
      • Useful data not shared
      • Real-time protection not easy
    • 15. The Value of Data
      • IP addresses
      • User names
      • URLs
      • Domains
      • Digests (MD5, SHA1, etc)
    • 16. Multiple Sources
      • Online repositories
      • Internal resources
      • Automatic process
    • 17. Nothing New!
      Input, Process, Output
    • 18. Back to the Roots
      • REXX is a scripting language invented by IBM.
      • ARexx was implemented in AmigaOS in 1987.
      • Allows applications with an ARexx interface to communicate and exchange data.
    • 19. RTFM!
      • Security is a big market ($$$)
      • The “Microsoft Office” effect (<10% of features really used)
      • Invest time to learn how your products work.
      • Be a hacker: Learn how it works and make it work like you want.
    • 20. Backdoors...
      • CLI
      • WebAPI (JSON, XML)
      • Databases
      • Scripting languages
      • Serial console
    • 21. Protocols
      • HTTP(S)
      • TFTP
      • SSH
      • SNMP
      • IF-MAP
      • Proprietary tools (dbedit)
    • 22. Automation is the Key
      • We’re all lazy people!
      • Expect!
        use Expect;
        my $e = Expect->new();
        my $c = "ssh $user\@$host";        # "\@" so Perl does not interpolate an array
        $e->spawn($c) or die "No SSH?";
        $e->expect($timeout,
            [ qr/password: $/, sub { my $fh = shift; print $fh "$password\n"; } ]
        );
    • 23. A New Architecture
      (diagram: a Toolbox between Malware Analysis, Firewall, IDS and Proxy; an Action from each; Logs from each to Centralized Logging Solutions / SIEM)
    • 24. Agenda
      • Some facts
      • Current situation
      • Toolbox
      • Examples
    • 25. HTTPS
      • Generate an API key
        https://10.0.0.1/api/?type=keygen&user=foo&password=bar
      • Submit XML requests
        https://10.0.0.1/api/?type=config&key=xxx&action=set&xpath=/config/device/entry[@name=localhost]/vsys/entry[@name=vsys1]/address/entry[@name=NewHost]&element=<ip-netmask>192.168.0.1</ip-netmask><description>Test</description>
    • 26. Snort-Rules Generator
      • Lots of security tools accept Snort rules
        use Snort::Rule;
        my $rule = Snort::Rule->new(
            -action => 'alert',
            -proto  => 'tcp',
            -src    => '10.0.0.1',
            -sport  => 'any',
            -dst    => 'any',
            -dport  => 'any',
        );
        $rule->opts('msg', 'Detect traffic from 10.0.0.1');
        $rule->opts('sid', '666666');
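As an added example (not code from the presentation), the same generator idea as the Snort::Rule snippet on slide 26, written in Python: header fields are validated before rendering, and a list of addresses from a feed becomes one alert rule each with sequential SIDs. The local SID base and the sample address list are assumptions constructed for the example.

```python
import ipaddress

# Added example, not from the presentation: a Snort rule generator in the spirit
# of slide 26. Header fields are validated before they are rendered, so a bad
# value from an online feed never reaches the sensor's rule file.

LOCAL_SID_BASE = 1000000  # assumption: site policy keeps local rules >= 1,000,000
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
PROTOS = ("tcp", "udp", "icmp", "ip")

def check_addr(value):
    """Accept 'any', a single IP or a CIDR block; anything else raises ValueError."""
    if value == "any":
        return value
    if "/" in value:
        return str(ipaddress.ip_network(value))   # strict: host bits must be zero
    return str(ipaddress.ip_address(value))

def check_port(value):
    if value == "any":
        return value
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % value)
    return str(port)

def snort_rule(action, proto, src, sport, dst, dport, opts):
    """Render one rule; opts is an ordered list of (name, value) pairs."""
    if action not in ACTIONS or proto not in PROTOS:
        raise ValueError("unknown action/proto: %r/%r" % (action, proto))
    header = "%s %s %s %s -> %s %s" % (action, proto, check_addr(src),
                                        check_port(sport), check_addr(dst), check_port(dport))
    body = []
    for name, value in opts:
        if name == "msg":  # msg is quoted; an embedded quote would break the rule
            value = '"%s"' % str(value).replace('"', "'")
        body.append("%s:%s;" % (name, value))
    return "%s (%s)" % (header, " ".join(body))

def rules_from_blocklist(addrs, base_sid=LOCAL_SID_BASE):
    """One alert rule per unique address, SIDs assigned sequentially from base_sid."""
    rules, seen = [], set()
    for raw in addrs:
        addr = check_addr(raw.strip())
        if addr in seen:
            continue
        seen.add(addr)
        rules.append(snort_rule("alert", "ip", addr, "any", "any", "any",
                                [("msg", "Traffic from blocklisted host " + addr),
                                 ("sid", base_sid + len(rules)), ("rev", 1)]))
    return rules

if __name__ == "__main__":
    # constructed sample feed: duplicates and stray whitespace are typical of pasted lists
    for rule in rules_from_blocklist(["10.0.0.1", " 10.0.0.1", "192.168.0.0/24"]):
        print(rule)
```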
    • 27. IF-MAP
      • Open standard to allow authorized devices to publish/search relevant information
      • Information could be
        • IP
        • Login
        • Location (devices)
        • Domain
    • 28. IF-MAP
        use Ifmap;
        use Ifmap::Util;
        my $r    = Ifmap::Request::NewSession->new();
        my $ip   = Ifmap::Identifier::IpAddress->new(ip_address => '10.0.0.1');
        my $mac  = Ifmap::Identifier::MacAddress->new(mac_address => 'aa:bb:cc:dd:ee:ff');
        my $id   = Ifmap::Identifier::Identity->new(name => 'john', type => 'username');
        my $meta = Ifmap::Metadata::Element->new(name => 'name', value => 'employee');
    • 29. SNMP
      • SNMP can be used to push configuration changes
      • Example:
        $ snmpset -v 1 -c Pr1v4t3 10.0.0.1 .1.3.6.1.4.1.9.2.1.53.10.0.0.2 s acl.tmp
      • Router 10.0.0.1 will pull the access-list “acl.tmp” from TFTP server 10.0.0.2
    • 30. TCL
      • Cisco devices have a framework called EEM: “Embedded Event Manager”
      • Example:
        event manager applet Interface_Event
          event syslog pattern ".*UPDOWN.*FastEthernet0/1.* changed state to .*"
          action 1.0 cli command "tclsh flash:notify.tcl"
      • The router may communicate information based on its status
    • 31. The Conductor
      • OSSEC
      • Log Management
      • Active-Response
      • Powerful alerts engine
    • 32. Action? Reaction!
      • Example of OSSEC rule
        <rule id="100101" level="5" frequency="5" timeframe="60">
          <match>access denied</match>
          <group>invalid_login,</group>
        </rule>
        <active-response>
          <command>ad-block-user</command>
          <location>local</location>
          <rules_id>100101</rules_id>
        </active-response>
    • 33. Agenda
      • Some facts
      • Current situation
      • Toolbox
      • Examples
    • 34. $ cat disclaimer2.txt
      <warning> Some slides contain examples based on open source as well as v€ndor$ solutions. I’m not affiliated with any of them! </warning>
    • 35. Online Resources
      • DNS-BH
        $ wget -N http://dns-bh.sagadc.org/domains.txt
      • Google SafeBrowsing
        use Net::Google::SafeBrowsing2;
        use Net::Google::SafeBrowsing2::Sqlite;
        my $gsb = Net::Google::SafeBrowsing2->new(
            key     => "xxx",
            storage => Net::Google::SafeBrowsing2::Sqlite->new(file => "google.db"),
        );
        $gsb->update();
        my $match = $gsb->lookup(url => "http://evil.com");
        if ($match eq MALWARE) { ... }
    • 36. Dynamic Firewall Config
      • FireEye malware analysis box
      • Firewalls
        • Checkpoint
        • PaloAlto
        • IPtables
        • <insert your preferred fw $VENDOR here>
      • OSSEC
    • 37. Dynamic Firewall Config
      (diagram: FireEye feeds OSSEC, which pushes changes to Checkpoint, PaloAlto and IPtables)
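As an added example (not the presentation's code), the glue between the OSSEC active-response on slide 32 and the IPtables target on slides 36 and 37, in Python: it takes the arguments OSSEC passes to a response script (add or delete, user, IP, alert id, rule id) and produces the iptables command, applying the slide 44 controls so that addresses on a never-block list are skipped instead of blocked. The never-block networks and the sample arguments are constructed assumptions.

```python
import ipaddress
import subprocess
import sys

# Added example, not from the presentation: an OSSEC-style active-response handler.
# OSSEC runs a response script as:  script add|delete <user> <ip> <alert-id> <rule-id>
# and later calls it again with "delete" when the configured timeout expires.

# Constructed for this example: management and infrastructure networks that an
# automatic responder must never touch (slide 44: risk of self-inflicted DoS).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.168.100.0/24")]

class ResponseError(ValueError):
    """Raised when OSSEC hands us arguments we refuse to act on."""

def parse_response_args(argv):
    """Validate the argv OSSEC passes; OSSEC uses '-' for fields it does not have."""
    if len(argv) < 5:
        raise ResponseError("expected: add|delete user ip alert_id rule_id")
    action, user, ip, alert_id, rule_id = argv[:5]
    if action not in ("add", "delete"):
        raise ResponseError("unknown action %r" % action)
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        raise ResponseError("not an IP address: %r" % ip)
    return action, user, addr, alert_id, rule_id

def firewall_command(action, addr, chain="INPUT"):
    """iptables argv that blocks (add) or unblocks (delete) addr; None if protected."""
    if addr.is_loopback or any(addr in net for net in NEVER_BLOCK):
        return None
    flag = "-I" if action == "add" else "-D"
    return ["iptables", flag, chain, "-s", str(addr), "-j", "DROP"]

def handle(argv):
    """Return ('add'|'delete', argv) to execute, or ('skipped', None) for a protected host."""
    action, _user, addr, _alert_id, _rule_id = parse_response_args(argv)
    cmd = firewall_command(action, addr)
    if cmd is None:
        return ("skipped", None)   # leave protected ranges to a human analyst
    return (action, cmd)

if __name__ == "__main__":
    outcome, cmd = handle(sys.argv[1:])
    if cmd is not None:
        subprocess.run(cmd, check=True)   # requires root; the script runs under OSSEC
    print(outcome, cmd)
```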
    • 38. Dynamic User Blacklist
      • Syslog Concentrator
      • OSSEC
      • SSL VPN
      • LDAP directory
    • 39. Dynamic User Blacklist
      (diagram: sshd hosts report to OSSEC, which updates LDAP)
        $ ldapmodify -D 'cn=admin' -w 'pass'
        dn: uid=jdoe,o=acme.org
        changetype: modify
        replace: userpassword
        userpassword: newpass
    • 40. SMTP Malware Analysis
      • Postfix MTA
      • Cuckoo
      • CuckooMX (Perl)
    • 41. SMTP Malware Analysis
      (diagram: Postfix hands mail to CuckooMX, which submits attachments to Cuckoo)
    • 42. MySQL Self-Defense
      • MySQL Server
      • MySQL Proxy
      • lib_mysqludf_log
    • 43. MySQL Self-Defense
      (diagram: client, mysql-proxy, mysqld, error.log)
    • 44. Controls
      • Security first!
      • Strong controls must be implemented
      • Authentication/Authorization
      • Could break your compliance
      • Use an OoB network
      • Risk of DoS!
    • 45. Conclusions
      • Don’t buy just “a box”
      • RTFM
      • Control
      • It’s up to you!
    • 46. Thank You!
      Questions? Beers!