An examination of some of the freely available tools and techniques that can help in the task of building highly secure computer networks and systems.
Topics include:
* Increasing network visibility - e.g. Network intrusion detection, NetFlow
* Increasing host visibility - e.g. Host-based intrusion detection, Auditing tools
* Wireless network security monitoring
* Rigorous log file management
* Security information and event management (SIEM) options
The presentation was delivered at LinuxCon Europe 2013 in Edinburgh.
1. Conducting Defensive Information Warfare on Open Platforms
23rd October 2013 – LinuxCon Europe
Ben Tullis – (formerly of) LinuxIT (Europe) Ltd.
2. Ben Tullis - Background
● Professional Linux sysadmin (etc.) for 12+ years
● Worked in several markets:
  – UK Government Research: (British Antarctic Survey)
  – Managed Services Providers
  – Independent Software Vendor
  – Specialist Linux Consultancy
● Broad experience of Linux and IT security:
  – ...in the SME Sector
  – ...in the Outsourced Enterprise Sector
3. Presentation Topics
Defensive Information Warfare on Open Platforms
● Definitions, Threats, Targets, The Basics
● Increasing Network Visibility
● Increasing Host Visibility
● Log Management Tools & Techniques
● Collating and Presenting Security Information
● Focused Distributions
4. What is Information Warfare?
It's a model that helps to achieve good security practice.
Comprised of four key elements:
1: Information Resources
These resources have intrinsic value to someone:
● Exchange value – how much is it worth?
● Operational value – how useful/important is it?
5. What is Information Warfare?
2: Players of The Game
Offence
  – In this context, the enemy.
  – Could be anyone with Motive, Means & Opportunity to launch an attack on an Information Resource
  – One or more of: insiders, hackers, criminals, corporations, governments, and terrorists
  – Those ever-present “unknown unknowns”
Defence
  – Everyone else, from individuals to governments
  – Anyone with Information Resources to protect
  – In this context, us
6. What is Information Warfare?
3: Offensive Operations
Their aim is to:
● Increase the value of an Information Resource to an Offensive player.
● Decrease the value of an Information Resource to a Defensive player.
Three classes of attack:
● Increased availability of information for the offence – e.g. espionage, identity theft, physical theft
● Decreased integrity of information – e.g. tampering, fabrication, perception management
● Decreased availability of information for the defence – e.g. sabotage, denial of service, physical theft
7. What is Information Warfare?
4: Defensive Operations
Their aim is to:
● Protect Information Resources from these three forms of attack.
They must:
● Cost less than the losses that would occur in their absence.
Six classes of defensive operation:
● Prevention
● Deterrence
● Indications and Warnings
● Detection
● Emergency Preparedness
● Response
8. Random Threats - Can affect anyone equally
Examples:
● Malware distribution:
  – Removable Media
  – Infected Downloads
● IP Address scanning:
  – Brute-force attacks
  – Zero-day attacks
  – e.g. Carna Botnet (420k node bot-net created by using default passwords)
● Wardriving
● Session Hijacking
9. Focused Threats - We are the target
● Traditional Network Penetration:
  – Dictionary Attacks
  – Off-line Attacks (e.g. Cloudcracker)
● Known Exploits:
  – Vulnerable Network Services
  – Privilege Escalation
● Social Engineering
10. Focused Threats - We are the target
Stealthy Devices: Requiring physical access
  – Dropboxes e.g.
    ● Pwnie Express
    ● MiniPwner
    ● Pwn Pi
  – Rogue Access Point e.g.
    ● WiFi Pineapple
  – Key Stroke Loggers
  – Miniature Cameras etc.
12. Defending Information – The Basics
● Good documentation & communication
● Good passwords & security policies
● Appropriate physical security measures
● Well defined change-management procedures
● Apply security patches promptly
● Standardize where possible/appropriate
● Back it all up
13. Defending Information – The Basics
● Your Monitoring Solution™
  – Monitor everything you can think of
  – Record as many metrics as possible
  – Review its configuration periodically and...
    ● ...in response to change
    ● ...in response to significant incidents
  – If appropriate, use multiple/parallel systems:
    ● Availability Monitoring
    ● Performance Monitoring
    ● Network Security Monitoring
14. Increasing Network Visibility - Overview
Making the best possible haystack/needle finding machine:
  – Capture as much network traffic as possible
  – Scan captured traffic: NIDS
  – Consider wireless protocols: WIDS
  – Profile network traffic:
    ● Record detailed statistical information
    ● Visualise normal network behaviour
    ● Facilitates filtering-out of legitimate traffic
  – Implement anomaly detection
15. Capturing Ethernet Traffic
Often use Switch Mirror Ports (aka. SPAN or Monitor Port): one port receives a copy of all traffic sent to/from the other ports.
Most smart/managed switches support this feature.
Another technique is to use a Network Tap. Note that a mirror port is limited to its own link speed, so when the mirrored traffic exceeds it the switch silently drops part of the copy; a tap on a single link does not have this problem.
16. Capturing Ethernet Traffic
Simplest case:
● All traffic passing through the switch is visible at the protective Monitoring Server
● Do not assign an IP address to the capture interface: it should be up and in promiscuous mode, but unaddressed, so that the monitoring server itself cannot be reached through it:
  # ifconfig eth1 up promisc
17. Capturing Ethernet Traffic
Redundant System:
● Dual interfaces on all servers: active/active or active/passive
● One capture interface per switch
18. Capturing Ethernet Traffic
Tree Topology - Option 1 – Remote Port Mirroring
● Requires high-end switches. e.g. Cisco, HP, H3C, Alcatel
● Send all captured traffic to a central location for analysis/profiling.
● Upgrade interface links as necessary.
● Uses VLANs to isolate the mirrored traffic.
● Fairly complex to configure.
19. Capturing Ethernet Traffic
Tree Topology - Option 2 – Distributed Monitoring
Requires several capture servers
Remote servers send back:
● Events & Alerts
● Statistical traffic information
● System log files
20. Network Intrusion Detection Systems
Snort
  – Passive mode – Intrusion Detection
  – Inline mode – Intrusion Prevention
  – Searches network traffic for pattern matches
  – Rules files updated daily
    ● Up-to-date VRT rules available immediately to subscribers
    ● VRT rules freely available to registered users after 30 days
    ● Community rules under GPL. A subset of the VRT rules
    ● Third-party rule sets available. e.g. http://www.emergingthreats.net
21. Network Intrusion Detection Systems
Snort
  – Update rules daily with one of:
    ● Oinkmaster
    ● Pulled Pork
  – Expect to spend some time tuning:
    ● Main config file: snort.conf
    ● Rules files
    ● Ethernet interface configuration
      e.g. Disable ”Large Receive Offload” and ”Generic Receive Offload” on the collector. Both coalesce several received segments into one oversized buffer before the kernel sees them, so the sensor would be matching rules against "packets" that never existed on the wire:
      ethtool -K eth1 gro off
      ethtool -K eth1 lro off
22. Network Intrusion Detection Systems
Snort
  – Each rule has an Action associated, e.g.
    ● Send an alert and log traffic.
    ● Simply drop the offending packets. (Inline mode)
    ● Reject the traffic: TCP reset. UDP unreachable. (Inline mode)
    ● Custom actions & custom log types
  – Very flexible alerting and logging methods, e.g.
    ● Text → email alert & Pcap log file
    ● Syslog alert & logging to database
    ● Unified2 (recommended, high-performance format)
23. Network Intrusion Detection Systems
Suricata
● IDS/IPS project started in 2009
  – Multi-threaded for greater native performance
  – Unified2 output by default
  – Protocol detection. Not based on port number
  – File identification by md5. Extract and save files from traffic
  – Can use Snort rules and can co-exist
  – http://suricata-ids.org/
24. Network Intrusion Detection Systems
Bro (the project was renamed Zeek in 2018)
● Passive Network Analysis Platform:
  – IDS features available – require custom scripting.
  – Detailed statistical log files created
  – Application-layer transcripts, e.g. HTTP, SSL etc.
  – Cluster-aware for high-capacity analysis
  – Scripting engine: Highly extensible
  – Match MD5 against Team Cymru malware database
25. Wireless Intrusion Detection Systems
● Current best practice in IEEE 802.11:
  – Implement WPA2-Enterprise
    ● RADIUS – e.g. FreeRADIUS
    ● EAP – Strong Authentication
    ● hostapd + wpa_supplicant [+ OpenSSL]
  – Implement IEEE 802.11w
    ● Management Frames Protected
    ● Only defeats forged de-authentication for clients that also support it, so monitoring is still needed
We consider two types of attack:
  – A Rogue Access Point
  – A De-Authentication Attack
26. Wireless Intrusion Detection Systems
Kismet
● Monitor 802.11 traffic for known attack patterns:
  – Use additional wireless radios in monitor mode
  – (optionally) Channel-hop on the channels that you use
  – Drones can be distributed network-wide
  – Suitable for embedded use i.e. OpenWRT, DD-WRT etc.
  – Client can view real-time client list and traffic
  – Alerts can be sent via syslog
  – Tap interface permits full 802.11 capture
30. Wireless Intrusion Detection Systems
Kismet
2: Detecting a de-authentication attack
● On the server: kismet.conf
ncsource=drone1:host=10.10.100.1,port=2502
ncsource=drone2:host=10.10.100.2,port=2502
alert=DEAUTHFLOOD,5/min,2/sec
alert=BCASTDISCON,5/min,2/sec
allowplugins=true
● The two rates on each alert line are throttle and burst limits on how often the alert may fire (at most 5 per minute, in bursts of no more than 2 per second), not detection thresholds: the attack is still detected, the alert stream is simply rate-limited.
31. Network Traffic Profiling
Ntop and NtopNG
● Near real-time and historical information about:
  – Hosts observed
  – Protocol distribution
  – Multicast/Broadcast frequency
  – Who's talking to whom?
● Rich graphical interface
● Can also be used as a NetFlow Collector
● PF_RING allows multi-threaded libpcap analysis
34. NetFlow and friends
● Flow-export protocols, normally carried over UDP, that describe network traffic as summarised flow records (who talked to whom, on which ports, how many packets and bytes) rather than as packets
● Many vendor formats: NetFlow (Cisco), jflow (Juniper), Rflow (DD-WRT); sFlow is a separate, sampling-based open standard
● IETF standard: IPFIX (derived from NetFlow v9, hence often referred to as NetFlow v10)
35. NetFlow Exporters
● Native support in high-end switches and routers
● Open Source exporters based on Libpcap (& PF_RING):
  – Nprobe - http://www.ntop.org/products/nprobe/
  – Fprobe - http://fprobe.sourceforge.net/
  – Softflowd - http://code.google.com/p/softflowd/
  – Rflow - https://en.wikipedia.org/wiki/DD-WRT#Features
● Also a feature of Open vSwitch - http://openvswitch.org/
● Netflow v5 and v9 are the most common formats
● Exporters send UDP packets to one or more collectors. UDP is unacknowledged, so a lost datagram is a lost batch of flows; the collector should watch the header's flow sequence number for gaps.
36. NetFlow Collectors
Ntop – Historical and statistical analysis
Nfdump / NfSen – Long-term NetFlow storage and detailed query
  – Nfdump tool-set
    ● nfcapd – Collect netflow streams and save the information
    ● nfdump – Extract and report information from the stored files
    ● nfprofile – Report on a subset of traffic from the stored files
  – NfSen web-interface
    ● Web front-end to analyse and query Nfdump files
    ● Dynamic graph generation, based on filters and time periods
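To make the preceding slides concrete, here is an added example (not code from the talk, nfdump or ntop) of what a collector does with a NetFlow v5 datagram: it decodes the 24-byte header and 48-byte records from the documented wire format, checks the declared record count against the bytes received, detects exporter-side loss from the flow sequence number, and runs two of the analyses the slides describe, a "who's talking to whom" byte count and a brute-force heuristic over flows to port 22. The datagram, addresses and thresholds are constructed for the example.

```python
"""NetFlow v5 collector-side decoding and two checks a collector should run.

Added example (not code from the talk, nfdump or ntop); the datagram is
constructed inline so the script runs offline.
"""
import socket
import struct
from collections import Counter, defaultdict

V5_HEADER = "!HHIIIIBBH"                  # 24 bytes
V5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"    # 48 bytes
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dpkts",
                 "doctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")
HEADER_LEN = struct.calcsize(V5_HEADER)
RECORD_LEN = struct.calcsize(V5_RECORD)
MAX_RECORDS = 30   # v5 exporters pack at most 30 flow records per datagram


def parse_v5(datagram):
    """Decode one v5 UDP payload into (header dict, list of flow dicts).

    The declared record count is checked against the bytes actually received:
    a truncated or malformed datagram is rejected rather than mis-parsed.
    """
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    header = dict(zip(HEADER_FIELDS, struct.unpack_from(V5_HEADER, datagram, 0)))
    if header["version"] != 5:
        raise ValueError("not NetFlow v5: version %d" % header["version"])
    count = header["count"]
    if count > MAX_RECORDS or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count %d does not match %d bytes" % (count, len(datagram)))
    flows = []
    for i in range(count):
        raw = struct.unpack_from(V5_RECORD, datagram, HEADER_LEN + i * RECORD_LEN)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        flows.append(rec)
    return header, flows


def sequence_gap(previous, current):
    """Flows lost between two consecutive datagrams from one exporter engine.

    flow_sequence is the sequence number of the first flow in the export, so the
    next datagram should start at previous.flow_sequence + previous.count.
    Export is plain UDP: a positive gap is the only evidence that flows were lost.
    """
    expected = (previous["flow_sequence"] + previous["count"]) & 0xFFFFFFFF
    return (current["flow_sequence"] - expected) & 0xFFFFFFFF


def top_talkers(flows, n=3):
    """Bytes per (src, dst) pair: the 'who is talking to whom' view."""
    octets = Counter()
    for f in flows:
        octets[(f["srcaddr"], f["dstaddr"])] += f["doctets"]
    return octets.most_common(n)


def ssh_bruteforce_suspects(flows, min_flows=5, max_pkts=20):
    """Sources with many short TCP flows to port 22: a real SSH session is one
    long flow, a password guesser opens a new short connection per attempt."""
    short = defaultdict(int)
    for f in flows:
        if f["prot"] == 6 and f["dstport"] == 22 and f["dpkts"] <= max_pkts:
            short[f["srcaddr"]] += 1
    return sorted(src for src, n in short.items() if n >= min_flows)


def build_v5(flows, flow_sequence, unix_secs=1382515200):
    """Pack flow dicts into a v5 datagram; used only to construct sample input."""
    header = struct.pack(V5_HEADER, 5, len(flows), 0, unix_secs, 0, flow_sequence, 0, 0, 0)
    body = b""
    for f in flows:
        body += struct.pack(V5_RECORD, socket.inet_aton(f["srcaddr"]),
                            socket.inet_aton(f["dstaddr"]), socket.inet_aton("0.0.0.0"),
                            1, 2, f["dpkts"], f["doctets"], 0, 0, f["srcport"],
                            f["dstport"], 0, 0x18, f["prot"], 0, 0, 0, 24, 24, 0)
    return header + body


def sample_datagram(flow_sequence=0):
    """Constructed sample: an SSH guesser, one real SSH session, one large HTTPS transfer."""
    flows = [dict(srcaddr="192.0.2.77", dstaddr="10.0.0.10", srcport=40000 + i,
                  dstport=22, prot=6, dpkts=9, doctets=1100) for i in range(6)]
    flows.append(dict(srcaddr="10.0.0.20", dstaddr="10.0.0.10", srcport=51234,
                      dstport=22, prot=6, dpkts=4200, doctets=610000))
    flows.append(dict(srcaddr="10.0.0.21", dstaddr="10.0.0.30", srcport=49152,
                      dstport=443, prot=6, dpkts=3600, doctets=5000000))
    return build_v5(flows, flow_sequence)


if __name__ == "__main__":
    header, flows = parse_v5(sample_datagram())
    print("records:", header["count"], "first flow_sequence:", header["flow_sequence"])
    print("top talkers:", top_talkers(flows))
    print("ssh brute-force suspects:", ssh_bruteforce_suspects(flows))
```

The length check matters on a real collector: the UDP port is open to whatever can reach it, and a parser that trusts the count field will happily read past the end of a short datagram. The brute-force heuristic is deliberately simple; in practice the thresholds are tuned against the profile of normal traffic that the ntop/nfdump slides describe.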
38. Anomaly Detection Tools
● Arpwatch / Arpalert
  – Maintain a database of known IP/MAC pairings (Arpwatch learns them as it goes; Arpalert checks against a list of authorised MAC addresses)
  – Alert on any deviation, e.g. a new station or a changed pairing – syslog or email
● PRADS - Passive Real-Time Asset Detection System
  – Builds a list of hosts/services on the network
  – Can be used to inform snort configuration
  – pradsassetreport - what's been seen on the network?
● PBNJ – Active Network Asset Detection System
  – Database of discovered hosts/services (nmap)
  – Re-scan & diff
46. Host-based Intrusion Detection Systems
● Tripwire – Lightweight file integrity monitor
  – Define policy for file monitoring
  – Create checksum databases of a clean system
  – Mount /var/lib/tripwire on R/O media or R/O network share
  – Checked by cron daily – email/syslog alert on change
  – Update databases and policies as required
  – Configuration, Policies and Databases digitally signed, requiring pass-phrase to update
47. Host-based Intrusion Detection Systems
● AIDE – Advanced Intrusion Detection Environment
  – Similar in scope and operation to Tripwire
  – Simpler configuration including conf.d snippets
● Fcheck – Perl based file integrity monitor
  – Older but dependable and useful in certain environments
● Stealth – Remote file integrity monitor over SSH
  – http://stealth.sourceforge.net
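The Tripwire and AIDE slides describe one procedure: fingerprint a clean system, protect the database, re-check on a schedule and report what changed. The following added example (not code from Tripwire, AIDE or the talk) carries that procedure through on a small constructed directory tree: it records mode, owner, size, mtime and a SHA-256 of every regular file, excludes a log directory that changes legitimately, seals the baseline with an HMAC (a stand-in for Tripwire's pass-phrase-signed database; the key and paths are assumptions of the example), then detects an added uid-0 account, a weakened and world-writable sshd_config, a removed hosts.allow and a dropped binary.

```python
"""Tripwire/AIDE-style file integrity monitoring: baseline, seal, re-check, diff.

Added example, not code from Tripwire, AIDE or the talk. The sample tree is
constructed in a temporary directory; the HMAC seal stands in for Tripwire's
pass-phrase-protected signed database.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Attributes a Tripwire-style policy typically watches, plus a content hash."""
    st = os.lstat(path)
    entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
             "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)
    return entry


def build_baseline(root, exclude=()):
    """Fingerprint every file under root, skipping paths under any exclude prefix
    (log directories change legitimately and would otherwise swamp the report)."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if any(rel == e or rel.startswith(e + os.sep) for e in exclude):
                continue
            baseline[rel] = fingerprint(full)
    return baseline


def seal(baseline, key):
    """Serialise the baseline with an HMAC-SHA256 tag so a tampered database is rejected."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return tag.encode() + b"\n" + body


def unseal(blob, key):
    """Verify the tag before trusting a stored baseline; raise if it does not match."""
    tag, body = blob.split(b"\n", 1)
    if not hmac.compare_digest(tag.decode(), hmac.new(key, body, hashlib.sha256).hexdigest()):
        raise ValueError("baseline database failed integrity check")
    return json.loads(body)


def compare(baseline, current):
    """Report added, removed and changed paths, naming the attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        keys = set(baseline[rel]) | set(current[rel])
        diff = sorted(k for k in keys if baseline[rel].get(k) != current[rel].get(k))
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}


def _write(path, text, mode=0o644):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    root = tempfile.mkdtemp(prefix="fim-")
    _write(os.path.join(root, "etc/passwd"), "root:x:0:0:root:/root:/bin/bash\n")
    _write(os.path.join(root, "etc/sshd_config"), "PermitRootLogin no\n")
    _write(os.path.join(root, "etc/hosts.allow"), "sshd: 10.0.0.0/8\n")
    _write(os.path.join(root, "var/log/syslog"), "boot\n")
    key = b"example-pass-phrase"    # assumed key; keep the real one off the monitored host
    db = seal(build_baseline(root, exclude=("var/log",)), key)   # would live on R/O media
    # The intrusion: extra uid-0 account, weakened sshd setting made world-writable,
    # TCP wrappers rule removed, a dropped tool, and routine log growth (excluded).
    _write(os.path.join(root, "etc/passwd"),
           "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")
    _write(os.path.join(root, "etc/sshd_config"), "PermitRootLogin yes\n", 0o666)
    os.remove(os.path.join(root, "etc/hosts.allow"))
    _write(os.path.join(root, "bin/nc"), "#!/bin/sh\n", 0o755)
    _write(os.path.join(root, "var/log/syslog"), "boot\nlogin\n")
    return compare(unseal(db, key), build_baseline(root, exclude=("var/log",)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points the slides make are visible here: the exclusion list is what keeps the daily report readable, and the baseline is only worth anything if an intruder with root cannot quietly regenerate it, hence the signed database on read-only media.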
48. Log File Management
● syslog – Generally using rsyslog or syslog-ng now
  – Centralize logs – including switches, routers, etc.
  – e.g. Snare or eventlog-to-syslog for Windows
  – TCP or RELP (rsyslog) can aid reliable network transfer
● Cryptographic Log Signing (a requirement of CESG GPG 13, Protective Monitoring)
  – Feature of rsyslog version 7.4+
  – rsgtutil utility verifies signatures
action(type="omfile" file="/var/log/syslog"
       sig.provider="gt"
       sig.keepTreeHashes="on"
       sig.keepRecordHashes="on")
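The point of keeping record hashes and anchoring them under a signature is that an intruder who gains root on the log host can edit the text, but cannot make the edited text verify. This added example (not rsyslog's or GuardTime's code) shows the mechanism in its simplest form: each record's hash is chained to the previous one, and the head of the chain plus the record count is bound with an HMAC. rsyslog's provider uses a hash tree and an external timestamping service rather than a chain and a local key; those are the substitutions made here, and the key and log lines are constructed for the example.

```python
"""Record-hash chain with a keyed head, the idea behind rsyslog's signed logs.

Added example, not rsyslog's or GuardTime's code: rsyslog anchors the hashes
in a timestamping service and keeps a hash tree; here an HMAC stands in for
that external anchor and a simple chain for the tree. The log lines are
constructed.
"""
import hashlib
import hmac

SEED = b"\x00" * 32


def record_hash(prev, line):
    """Hash of this record chained to the previous one: changing any earlier
    record changes every hash that follows."""
    return hashlib.sha256(prev + line.encode("utf-8")).digest()


def sign_log(lines, key):
    """Return (record hashes, signed head). The head binds the last hash and the
    record count, so truncation and re-hashing are both caught."""
    hashes, h = [], SEED
    for line in lines:
        h = record_hash(h, line)
        hashes.append(h)
    head = hmac.new(key, h + len(lines).to_bytes(8, "big"), hashlib.sha256).hexdigest()
    return hashes, head


def verify_log(lines, hashes, head, key):
    """Walk the chain and report (status, index).

    'tampered-record': first record whose hash no longer matches (an edit,
    insertion or deletion starts there); 'count-mismatch': records removed from
    the end or appended without signing; 'bad-signature': every record hash
    matches because the attacker re-hashed them, but the head cannot be forged
    without the key.
    """
    h = SEED
    for i, (line, stored) in enumerate(zip(lines, hashes)):
        h = record_hash(h, line)
        if not hmac.compare_digest(h, stored):
            return "tampered-record", i
    if len(lines) != len(hashes):
        return "count-mismatch", min(len(lines), len(hashes))
    expected = hmac.new(key, h + len(lines).to_bytes(8, "big"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(head, expected):
        return "bad-signature", None
    return "ok", None


SAMPLE_LOG = [   # constructed
    "Oct 23 10:00:01 srv1 sshd[2201]: Failed password for root from 192.0.2.77 port 40001 ssh2",
    "Oct 23 10:00:04 srv1 sshd[2203]: Failed password for root from 192.0.2.77 port 40002 ssh2",
    "Oct 23 10:00:09 srv1 sshd[2205]: Accepted password for root from 192.0.2.77 port 40003 ssh2",
    "Oct 23 10:00:10 srv1 sshd[2205]: pam_unix(sshd:session): session opened for user root",
    "Oct 23 10:01:30 srv1 useradd[2260]: new user: name=backdoor, UID=0, GID=0",
]


def scenarios(key=b"example-signing-key"):
    """What each kind of tampering looks like to the verifier."""
    hashes, head = sign_log(SAMPLE_LOG, key)
    deleted = SAMPLE_LOG[:2] + SAMPLE_LOG[3:]             # the successful login removed
    edited = SAMPLE_LOG[:]
    edited[2] = edited[2].replace("Accepted", "Failed")   # success rewritten as failure
    truncated = SAMPLE_LOG[:3]                            # tail cut off
    rehashed, _ = sign_log(deleted, key)                  # attacker recomputed record hashes
    return {
        "intact": verify_log(SAMPLE_LOG, hashes, head, key),
        "deleted": verify_log(deleted, hashes, head, key),
        "edited": verify_log(edited, hashes, head, key),
        "truncated": verify_log(truncated, hashes, head, key),
        "rehashed": verify_log(deleted, rehashed, head, key),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print("%-10s %s" % (name, result))
```

The last scenario is the one that justifies the external anchor: per-record hashes alone are recomputable by whoever holds the log file, so the head has to be bound to something the intruder does not control, a key held elsewhere here, a timestamping service in rsyslog's case.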
51. Log File Management
● Application Logs – e.g. Web server
  – Google Analytics != Web Log Analysis
  – Piwik Log Analytics Mode - http://piwik.org/log-analytics/
52. Active Response – Intrusion Prevention
● Snortsam – Firewall hosts using a Snort plugin
  – Agent runs on/near firewall
● fail2ban - Firewall hosts from log file matches
  – Authentication Failures
  – Repeat Offender Handling
● Caveat for both: never ban on the strength of a spoofable source address, and whitelist your own management hosts, or an attacker can use the response mechanism to lock you out
53. Collating and Presenting Security Information
● Sagan – Scan log files for security related information
  – Snort-like rules for pattern matching
  – e.g. Handling our previous WIDS alert
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:
"[KISMET] Spoofed disassociated/deauthenticate packets";
program: kismet_server; pcre: "/DEAUTHFLOOD|BCASTDISCON/";
classtype: suspicious-traffic;)
  – Incorporate results into an IDS database
  – Integrates with Snortsam Agent for active firewall response
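The last two slides together describe a pipeline: a log-scanning engine matches syslog lines against Snort-like rules (program plus pcre plus classtype), and an active-response component turns repeated authentication failures into firewall bans with longer bans for repeat offenders. This added example (not Sagan's or fail2ban's code) implements that pipeline over constructed syslog lines, using the Kismet rule from the slide and an equivalent rule for sshd failures. The Jail class reproduces the fail2ban parameters named on the slide as assumptions (maxretry, findtime, bantime, an ignore list) and shows why the ignore list matters; the ban command string is illustrative only and is never executed.

```python
"""Log-driven detection and active response: Sagan-style rules over syslog
lines, feeding a fail2ban-style jail with repeat-offender handling.

Added example, not Sagan's or fail2ban's code. The rule set mirrors the Sagan
rule on the slide; the log lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<program>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

RULES = [  # program + pcre + classtype, as in the Sagan rule above
    {"msg": "[KISMET] Spoofed disassociated/deauthenticate packets", "program": "kismet_server",
     "pcre": re.compile(r"DEAUTHFLOOD|BCASTDISCON"), "classtype": "suspicious-traffic"},
    {"msg": "[OPENSSH] Authentication failure", "program": "sshd",
     "pcre": re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"),
     "classtype": "unsuccessful-user"},
]


def parse_syslog(line, year=2013):
    """Split a BSD-syslog line; the format carries no year, so one is assumed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    stamp = datetime.strptime("%d %s" % (year, re.sub(r" +", " ", ev["ts"])), "%Y %b %d %H:%M:%S")
    ev["epoch"] = int(stamp.timestamp())
    return ev


def match_rules(ev, rules=RULES):
    """One alert per rule whose program and pcre both match the event."""
    alerts = []
    for rule in rules:
        m = rule["pcre"].search(ev["msg"]) if ev["program"] == rule["program"] else None
        if m:
            alerts.append({"msg": rule["msg"], "classtype": rule["classtype"], "host": ev["host"],
                           "ip": m.groupdict().get("ip"), "epoch": ev["epoch"]})
    return alerts


class Jail:
    """maxretry failures from one address within findtime seconds earn a ban of
    bantime seconds; each further offence multiplies the ban. Addresses in
    ignoreip are never banned: active response against internal or spoofable
    sources otherwise lets an attacker lock you out of your own hosts."""

    def __init__(self, maxretry=3, findtime=600, bantime=600, repeat_factor=4, ignoreip=()):
        self.maxretry, self.findtime = maxretry, findtime
        self.bantime, self.repeat_factor = bantime, repeat_factor
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]
        self.failures = defaultdict(deque)
        self.banned_until, self.offences = {}, defaultdict(int)

    def record_failure(self, ip, ts):
        if any(ipaddress.ip_address(ip) in net for net in self.ignore):
            return None
        if ts < self.banned_until.get(ip, 0):
            return None            # still banned; the firewall should already be dropping this
        window = self.failures[ip]
        window.append(ts)
        while window and window[0] < ts - self.findtime:
            window.popleft()
        if len(window) < self.maxretry:
            return None
        self.offences[ip] += 1
        duration = self.bantime * self.repeat_factor ** (self.offences[ip] - 1)
        self.banned_until[ip] = ts + duration
        window.clear()
        return {"ip": ip, "bantime": duration, "offence": self.offences[ip],
                "action": "iptables -I INPUT -s %s -j DROP" % ip}   # illustrative, not executed


def run(lines, jail, rules=RULES):
    """Return (alerts, bans) for a batch of log lines."""
    alerts, bans = [], []
    for line in lines:
        ev = parse_syslog(line)
        for alert in (match_rules(ev, rules) if ev else []):
            alerts.append(alert)
            if alert["classtype"] == "unsuccessful-user" and alert["ip"]:
                ban = jail.record_failure(alert["ip"], alert["epoch"])
                if ban:
                    bans.append(ban)
    return alerts, bans


SAMPLE_LOG = [  # constructed
    "Oct 23 10:00:01 ap1 kismet_server: ALERT DEAUTHFLOOD Deauthenticate/Disassociate flood on 00:11:22:33:44:55",
    "Oct 23 10:00:05 srv1 sshd[2201]: Failed password for root from 192.0.2.77 port 40001 ssh2",
    "Oct 23 10:00:07 srv1 sshd[2203]: Failed password for invalid user admin from 192.0.2.77 port 40002 ssh2",
    "Oct 23 10:00:09 srv1 sshd[2205]: Failed password for root from 192.0.2.77 port 40003 ssh2",
    "Oct 23 10:00:10 srv1 sshd[2207]: Failed password for ben from 10.0.0.20 port 51230 ssh2",
    "Oct 23 10:00:11 srv1 sshd[2208]: Failed password for ben from 10.0.0.20 port 51231 ssh2",
    "Oct 23 10:00:12 srv1 sshd[2209]: Failed password for ben from 10.0.0.20 port 51232 ssh2",
    "Oct 23 10:00:20 srv1 sshd[2210]: Accepted publickey for ben from 10.0.0.20 port 51234 ssh2",
    "Oct 23 10:12:00 srv1 sshd[2301]: Failed password for root from 192.0.2.77 port 40010 ssh2",
    "Oct 23 10:12:01 srv1 sshd[2302]: Failed password for root from 192.0.2.77 port 40011 ssh2",
    "Oct 23 10:12:02 srv1 sshd[2303]: Failed password for root from 192.0.2.77 port 40012 ssh2",
    "Oct 23 10:20:00 srv1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
]


if __name__ == "__main__":
    alerts, bans = run(SAMPLE_LOG, Jail(ignoreip=("10.0.0.0/8",)))
    for a in alerts:
        print(a["classtype"], a["msg"], a["ip"])
    for b in bans:
        print("BAN", b)
```

On the constructed log, 192.0.2.77 is banned for 600 seconds after its third failure, comes back after the ban expires and earns a 2400-second ban as a second offence, while the three failures from 10.0.0.20 raise alerts but never a ban because the address is inside the ignore list. The alerts themselves are what would be written to the IDS database and shown in a console such as Snorby.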
54. Collating and Presenting Security Information
● Snorby – Web console collating IDS/IPS and Sagan alerts
  – Integrates with OpenFPC for full packet capture
● Other consoles available – e.g. Sguil & Squert, BASE
55. Focused Distributions
● AlienVault OSSIM : (Debian based)
  – Open Core version of their full-featured USM product, bundling:
    ● Nagios
    ● NfSen
    ● OSSEC
    ● Kismet
    ● Snort
    ● Suricata
    ● Ntop
    ● Arpwatch
    ● PADS
    ● OpenVAS
  – Custom Correlation Engine
  – Custom web framework