The document covers infrastructure security with a focus on access control, prevention measures, intrusion detection and prevention systems, and security tools. It discusses various types of firewalls, including host-based and network-based, as well as advanced monitoring techniques like deep packet inspection and security information/event management (SIEM). The document also highlights malware analysis, honeypots, and threat intelligence as key components of comprehensive security strategies.

1. Infrastructure
Security
January 24th, 2018

2. Announcements
● CSG Lab Hangouts - http://goo.gl/HNhgyr
● SharifCTF - Friday, February 2nd, 1 - 5 pm; Saturday, February
3rd, 9 - 12 am; ECSS 4.619
● Firetalks - Sometime in March/April
● twitch.tv/utdcsg

3. Whitelisting vs. Blacklisting
Whitelist - Only these things are allowed (more secure, harder to
maintain)
Blacklist - Only these things are not allowed (less secure, easier to
maintain)

4. General Goals
● Who is allowed to do what (Access Control)
● What isn’t allowed (Prevention)
● What is currently happening (Intrusion Detection/Prevention)

5. Access Control

6. Access Control
● Are you who you say you are? (Authorization)
● Can you do what you say you can do? (Authentication)
● Log this transaction (Audit)
Aside: Lots of models for Access Control (RBAC, DAC, MAC, etc.)

7. Superuser
● A local account with total access to the local system
● Unix - root
● Windows - NT AUTHORITYSYSTEM and Administrator

8. Granting Superuser access
Windows - User Access Control
Unix - sudo
Listing Linux sudo ability: sudo -l

9. Linux Capabilities
● Superuser abilities broken into individual capabilities
● Applied to running threads
● Increasingly popular with increase in containerization
Useful command: capsh

10. Extending Access Control
● AppArmor - Canonical (Ubuntu and derivatives)
● SELinux - RedHat (Fedora and derivatives)

11. Directory Backed Credentials
Windows - Active Directory
Linux - LDAP + Kerberos (generally)

12. Prevention

13. Firewalls

14. Firewalls
Allow or block traffic based on a set of rules
provided

15. TCP/IP Network Model
1) Physical Layer
2) Data Link Layer
3) Network Layer
4) Transport Layer
5) Application Layer

16. “Network” Layer Firewalls
● Generally can filter traffic up to parts of the Transport layer
(TCP/UDP)
● Windows - Windows Defender Firewall
● Linux - iptables suite/nftables
● BSD - ipfw/PF

17. “Network” Layer Filtering
● Protocol (TCP/UPD/ICMP)
● Incoming/Outgoing Port
● Incoming/Outgoing Address
● Current State
● Protocol Specific Options

18. Host-based vs. Network-based Firewalls
● Firewall serves the same function, filtering incoming traffic
● Network-based firewalls are more difficult to attack

19. Network Firewalls - Popular
“Implementations”
● PFSense - Network Firewall built on FreeBSD with a handy Web
GUI
● UFW - Canonical “supported” frontend to iptables
● firewalld - RedHat “supported” frontend to iptables

20. Application Layer Firewalls
● Filter traffic up to the Application Layer
● Tend to focus on a specific type of traffic
● Most popular example: Web Application Firewall
● Filters traffic based on application specific markers

21. ModSecurity
● Open Source Web Application Firewall
● Works with Apache and Nginx
● OWASP provides a Core Rule Set for baseline security

22. ModSecurity Example
1. ModSecurity monitors incoming web traffic to a web server for
XSS
2. Notices ‘<script>alert('test');</script>’ in an incoming request
3. ModSecurity stops the request from continuing, and responds
with an error message

23. Intrusion
Detection/Prevention

24. Intrusion Detection/Prevention Systems
● Inspects interactions (network traffic, file system access,
application use, etc.) and alerts when a rule is matched
● Prevention systems take this a step further and follow an action
with a signature is matched
● Typically only seen in larger scale infrastructure deployments
● Only as good as the rules provided

25. Host Intrusion Detection/Prevention
Systems
● Monitoring logs
● Monitoring file integrity
● Killing processes
● Adding local firewall rules

26. HIDS/HIPS - Popular Implementations
● fail2ban - Incredibly simple system to block failed logins
● OSSEC - Cross platform system with support for many
applications

27. fail2ban example
1. fail2ban monitors logs for failed ssh logins
2. Notices 5 failed logins from 129.110.241.75
3. Adds a firewall rule to block incoming traffic from
129.110.241.75 on port 22

28. Network Intrusion Detection/Prevention
Systems
● Can be deployed at the network or host level
● Monitoring network traffic
● Adding firewall rules to block the incoming traffic

29. NIDS/NIPS - Popular Implementations
● Snort - Long lived, well acclaimed project
● Suricata - Supports multithreading to consume more traffic,
supports a lot of the tooling designed for Snort

30. Snort example
1. Snort is monitoring incoming network traffic
2. Notices traffic from 129.110.241.75 sending a TCP SYN packet
to every port 1-1024
3. Adds a firewall rule to block incoming traffic from
129.110.241.75

31. Deep Packet Inspection

32. Deep Packet Inspection
● Sort of an application firewall on steroids
● Designed to fully consider all possible traffic marker to make a
decision
● Popular implementation: ntopng

33. Great Firewall of China Example
1) GFC is inspecting all outgoing traffic
2) GFC thinks a traffic flow matches that of Tor traffic
3) GFC attempts a Tor handshake with the destination
4) If successful, GFC blocks ALL outgoing traffic to that IP address
Source:
https://www.technologyreview.com/s/427413/how-china-blocks-the-tor-anonymity-network/

34. Security Information
and Event Management

35. Security Information and Event
Management
● Aggregates information from various security tools (IDS/IPS,
etc.)
● Designed to allow an analyst to quickly view ongoing events
● Also provides a history to previous security events for
attribution

36. SIEM - Popular Implementations
● Splunk - 500 MB / Day Max for free tier
● Elastic Stack - Free
● OSSIM - Free, your mileage may very

37. Kibana Demo
https://demo.elastic.co/

38. Advanced Threat Protection
● Nick thinks this a stupid security buzzword
● Generally used to describe fully encapsulated systems that are used to stop “advanced
threats” (think SIEM + IDS + Firewall, etc.)
● Windows recently released Windows ATP which looks pretty neat
https://www.youtube.com/watch?v=2HNuzUuVyv0

39. Miscellaneous

40. Malware Analysis
● Automated Malware Analysis is popular for large companies
● Generally involves static and dynamic analysis
● Popular Implementations:
Cuckoo Sandbox

41. Malware Analysis Example
1. Email firewall is monitoring incoming email
2. Email firewall detects executable attachment from external
sender
3. Email firewall strips out the attachment, holds the email, and
sends the attachment to Cuckoo sandbox
4. Cuckoo sandbox executes the attachment in a virtual machine
and identifies it as malicious
5. Email firewall blocks the email

42. Honeypots
● Intentionally vulnerable systems designed to gather information
about attackers
● Field isn’t incredibly popular, but The Honeynet Project is
decently large
● https://www.honeynet.org/project

43. Cowrie (SSH) Honeypot Example
1. Cowrie is running on a machine as a honeypot
2. Attacker breaks into Cowrie and assuming it is a live machine,
backdoors the current version of grep
3. Malicious grep signature is now added to the list of known
malicious files, preventing future attacks

44. Threat Intelligence
● Gathering information about ongoing attacks to better prepare
and provide attribution
● Popular software:
STIX
TAXII