Unity makes strength
Security devices work in silos and do not share useful data. This presentation proposes an architecture that lets such devices or applications be dynamically reconfigured to increase the overall security of the assets.

  • Welcome to my presentation! Let’s talk about some ways to improve our daily security. Q: How many of you have responsibilities to maintain security configurations?
  • A few words about me. My name is Xavier Mertens, I’m working for a big telco company in .be (Security consultant). My second life (at night) is my blog, some projects like pastemon or give some spare time to the community (BruCON).
  • I consider myself as a defensive security guy. But to defend properly, you need to know how attacks work.
  • I’m coming from Belgium. Small country in the heart of Europe.
  • Belgium is well-known for its beers, waffles and “moules-frites” dishes.
  • Three regions, three official languages (FR, NL, GE), hundreds of ministers.
  • In most networks, security solutions were deployed in “silos”. Each component (firewall, IDS, ...) had a specific job and executed it independently of the others.
  • Something suspicious detected in zone “a” cannot protect zone “b” or “c”.
  • Manual input: it’s a pain! Online repositories: Trust?
  • In fact, there is nothing new. In IT, everything is based on input/output. We have “data” (input) which are processed to generate new “data” (output).
  • Security is a big market. Products are very expensive. You must investigate how to extract as much power as possible from them. Don’t be a victim of the Microsoft Office effect. Read manuals and explore!
  • All security solutions have backdoors (in the positive sense ;-).
  • Checkpoint provides a dbedit command line tool to manage the objects DB.
  • Example of a cradle!
  • Unity makes strength

    1. Unity Makes Strength
       “Why keep this valuable information in a corner?”
       hashdays 2012 - Xavier Mertens
    2. $ whoami
       • Xavier Mertens (@xme)
       • Consultant @ day
       • Blogger @ night
       • BruCON co-organizer
    3. $ cat disclaimer.txt
       “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
    4. Agenda
       • Some facts
       • Current situation
       • Toolbox
       • Examples
    5. Defense vs. Attack
       • Offensive security is funny (w00t! We break things)
       • Defensive security can also be fun! (proud to not be pwn3d ;-)
       • “Know your enemy!”
    6. Welcome to Belgium!
    7. Welcome to Belgium!
    8. Belgique, België, Belgien
       But with a very complicated political landscape!
    9. Belgian Motto
       “L’union fait la force” (“Unity Makes Strength”)
    10. And Infosec?
       Why not apply this to our security infrastructures?
    11. Agenda
       • Some facts
       • Current situation
       • Toolbox
       • Examples
    12. Initial Situation
       (diagram: Malware Analysis, Firewall, IDS, Proxy; each takes its own Action)
    13. Then Came the god “SIEM”
       (diagram: Malware Analysis, Firewall, IDS, Proxy; each sends Logs to Centralized Logging Solutions / SIEM)
    14. Weaknesses?
       • Independent solutions
       • Static configurations
       • Only logs are centralized
       • No global protection
       • Useful data not shared
       • Real-time protection not easy
    15. The Value of Data
       • IP addresses
       • User names
       • URLs
       • Domains
       • Digests (MD5, SHA1, etc)
    16. Multiple Sources
       • Online repositories
       • Internal resources
       • Automatic process
    17. Nothing New!
       (diagram: Input -> Process -> Output)
    18. Back to the Roots
       • REXX is a scripting language invented by IBM.
       • ARexx was implemented in AmigaOS in 1987.
       • Applications with an ARexx interface can communicate with each other to exchange data.
    19. RTFM!
       • Security is a big market ($$$)
       • The “Microsoft Office” effect (<10% of features really used)
       • Invest time to learn how your products work.
       • Be a hacker: learn how it works and make it work like you want.
    20. Backdoors...
       • CLI
       • WebAPI (JSON, XML)
       • Databases
       • Scripting languages
       • Serial console
    21. Protocols
       • HTTP(S)
       • TFTP
       • SSH
       • SNMP
       • IF-MAP
       • Proprietary tools (dbedit)
    22. Automation is the Key
       • We’re all lazy people!
       • Expect!
         use Expect;
         my $e = Expect->new();
         my $c = "ssh $user\@$host";          # \@ so Perl does not interpolate @$host as an array
         $e = Expect->spawn($c) or die "No SSH?";
         $e->expect($timeout,
           [ qr'password: $', sub { my $fh = shift; print $fh "$password\n"; } ]
         );
    23. A New Architecture
       (diagram: a Toolbox drives the Firewall, IDS, Proxy and Malware Analysis, each taking an Action; each still sends Logs to Centralized Logging Solutions / SIEM)
    24. Agenda
       • Some facts
       • Current situation
       • Toolbox
       • Examples
    25. HTTPS
       • Generate an API key
       • Submit XML requests
         config/device/entry[@name=localhost]/vsys/entry[@name=vsys1]/address/entry[@name=NewHost]&element=<ip-netmask></ip-netmask><description>Test</description>
    26. Snort-Rules Generator
       • Lot of security tools accept Snort rules
         use Snort::Rule;
         my $rule = Snort::Rule->new(
           -action => 'alert',
           -proto  => 'tcp',
           -src    => '',
           -sport  => 'any',
           -dst    => 'any',
           -dport  => 'any',
         );
         $rule->opts('msg', 'Detect traffic from 10.0.1');
         $rule->opts('sid', '666666');
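The slide builds one rule for one address. The following is an added example, not the speaker's code (the slide uses Perl, this uses Python): a generator that turns a list of indicators into Snort rules with consecutive SIDs, refuses addresses inside the organisation's own ranges so a bad feed entry cannot alert on internal traffic, validates domain names, and encodes a domain as the wire-format QNAME content match seen in a DNS query. The sample indicators, the SID range and the protected networks are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample indicators (not from the talk): a host, a network and a domain.
SAMPLE_INDICATORS = [
    ("ip", "198.51.100.7"),
    ("ip", "203.0.113.0/24"),
    ("domain", "evil.example"),
]

# Assumed internal ranges: an indicator inside them is treated as a feed error,
# because alerting on your own address space turns a bad feed into noise or an outage.
PROTECTED = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_domain(name: str) -> bool:
    """Syntactic check: at least two labels, each a legal hostname label."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL_RE.match(label) for label in labels)


def dns_content(name: str) -> str:
    """Encode a domain as the QNAME bytes Snort sees in a DNS query:
    evil.example -> "|04|evil|07|example|00|" (length byte before each label)."""
    parts = ["|%02x|%s" % (len(label), label)
             for label in name.lower().rstrip(".").split(".")]
    return '"' + "".join(parts) + '|00|"'


def snort_rule(kind: str, value: str, sid: int, rev: int = 1) -> str:
    """Render one indicator as one Snort rule; raise ValueError rather than emit a bad rule."""
    if kind == "ip":
        net = ipaddress.ip_network(value, strict=False)      # ValueError on garbage input
        if any(net.overlaps(p) for p in PROTECTED):
            raise ValueError("indicator inside protected space: %s" % value)
        addr = str(net.network_address) if net.prefixlen == net.max_prefixlen else net.with_prefixlen
        return ('alert ip %s any -> $HOME_NET any (msg:"IoC traffic from %s"; '
                'sid:%d; rev:%d;)' % (addr, addr, sid, rev))
    if kind == "domain":
        if not valid_domain(value):
            raise ValueError("not a valid domain name: %r" % value)
        return ('alert udp $HOME_NET any -> any 53 (msg:"IoC DNS query for %s"; '
                'content:%s; nocase; sid:%d; rev:%d;)' % (value, dns_content(value), sid, rev))
    raise ValueError("unknown indicator type: %s" % kind)


def generate_rules(indicators, first_sid=1000001):
    """Assign consecutive SIDs (local rules start at 1000000) and render every indicator."""
    rules = []
    for offset, (kind, value) in enumerate(indicators):
        rules.append(snort_rule(kind, value, first_sid + offset))
    return rules


if __name__ == "__main__":
    print("\n".join(generate_rules(SAMPLE_INDICATORS)))
```

Feeding the output straight into a sensor's local.rules is the "automatic process" of slide 16; the ValueError path is the part to keep, because a feed that is trusted blindly is the weakness the speaker's notes raise ("Online repositories: Trust?").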
    27. IF-MAP
       • Open standard to allow authorized devices to publish/search relevant information
       • Information could be
         • IP
         • Login
         • Location (devices)
         • Domain
    28. IF-MAP
         use Ifmap;
         use Ifmap::Util;
         my $r    = Ifmap::Request::NewSession->new();
         my $ip   = Ifmap::Identifier::IpAddress->new(ip_address => '');
         my $mac  = Ifmap::Identifier::MacAddress->new(mac_address => 'aa:bb:cc:dd:ee:ff');
         my $id   = Ifmap::Identifier::Identity->new(name => 'john', type => 'username');
         my $meta = Ifmap::Metadata::Element->new(name => 'name', value => 'employee');
    29. SNMP
       • SNMP can be used to push configuration changes
       • Example:
         $ snmpset 10.0.1 Pr1v4t3 . acl.tmp
       • Router will pull the access-list “acl.tmp” from TFTP server
    30. TCL
       • Cisco devices have a framework called EEM: “Embedded Event Manager”
       • Example:
         event manager applet Interface_Event
          event syslog pattern ".*UPDOWN.*FastEthernet0/1.* changed state to .*"
          action 1.0 cli command "tclsh flash:notify.tcl"
       • The router may communicate information based on its status
    31. The Conductor
       • OSSEC
       • Log Management
       • Active-Response
       • Powerful alerts engine
    32. Action? Reaction!
       • Example of OSSEC rule
         <rule id="100101" level="5" frequency="5" timeframe="60">
           <match>access denied</match>
           <group>invalid_login,</group>
         </rule>

         <active-response>
           <command>ad-block-user</command>
           <location>local</location>
           <rules_id>100101</rules_id>
         </active-response>
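How the frequency/timeframe pair on this slide behaves, as an added example in Python (neither OSSEC's code nor the speaker's): the rule above is evaluated over constructed syslog lines with a sliding 60-second window, and each firing is mapped to the argument list an active-response script such as ad-block-user would receive. Two things are assumptions added here: correlation per user (the slide's rule has no `<same_user/>`, so OSSEC would count all matches together) and the "add <user>" argument convention. Responses are returned for the caller to decide on, not executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The rule from the slide as a dict. same_user is an assumption added here.
RULE = {"id": 100101, "level": 5, "match": "access denied",
        "frequency": 5, "timeframe": 60, "group": "invalid_login", "same_user": True}

ACTIVE_RESPONSE = {"command": "ad-block-user", "location": "local", "rules_id": 100101}

# Constructed syslog lines (not from the talk): jdoe fails five times inside one minute,
# asmith fails twice, minutes apart.
SAMPLE_LOG = """\
Oct 31 10:00:01 app1 appd[412]: access denied for user jdoe from 198.51.100.7
Oct 31 10:00:09 app1 appd[412]: access denied for user jdoe from 198.51.100.7
Oct 31 10:00:15 app1 appd[412]: access denied for user asmith from 203.0.113.9
Oct 31 10:00:22 app1 appd[412]: access denied for user jdoe from 198.51.100.7
Oct 31 10:00:40 app1 appd[412]: access denied for user jdoe from 198.51.100.7
Oct 31 10:00:55 app1 appd[412]: access denied for user jdoe from 198.51.100.7
Oct 31 10:03:00 app1 appd[412]: access denied for user asmith from 203.0.113.9
"""

_LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
_USER_RE = re.compile(r"\buser (\S+)")


def parse_line(line):
    """Split one syslog line into (timestamp, host, program, message); None if it does not parse."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year-less, fine for deltas
    return ts, m.group(2), m.group(3), m.group(4)


def run_rules(log_text, rule=RULE):
    """Evaluate a frequency/timeframe rule with a sliding window; return the alerts it raises."""
    windows = defaultdict(deque)   # correlation key -> timestamps of recent matches
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, prog, msg = parsed
        if rule["match"] not in msg:
            continue
        user_match = _USER_RE.search(msg)
        user = user_match.group(1) if user_match else None
        key = user if rule["same_user"] else "*"
        window = windows[key]
        while window and (ts - window[0]).total_seconds() > rule["timeframe"]:
            window.popleft()       # forget matches that fell outside the timeframe
        window.append(ts)
        if len(window) >= rule["frequency"]:
            alerts.append({"rule_id": rule["id"], "level": rule["level"],
                           "group": rule["group"], "user": user, "host": host,
                           "time": ts.strftime("%b %d %H:%M:%S"), "count": len(window)})
            window.clear()         # one alert per burst, not one per extra line
    return alerts


def planned_responses(alerts, ar=ACTIVE_RESPONSE):
    """Map alerts to the argv an active-response script would receive (convention assumed: add <user>).
    Nothing is executed here; the caller decides."""
    return [[ar["command"], "add", a["user"]] for a in alerts if a["rule_id"] == ar["rules_id"]]


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
    print(planned_responses(run_rules(SAMPLE_LOG)))
```

Clearing the window after a firing is the detail worth copying: without it, every further failed login in the same minute would trigger another block, which is exactly the self-inflicted DoS the Controls slide warns about.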
    33. Agenda
       • Some facts
       • Current situation
       • Toolbox
       • Examples
    34. $ cat disclaimer2.txt
       <warning>
       Some slides contain examples based on open source as well as v€ndor$ solutions. I’m not affiliated with any of them!
       </warning>
    35. Online Resources
       • DNS-BH
         $ wget -N http://dns-bh.sagadc.org/domains.txt
       • Google SafeBrowsing
         use Net::Google::SafeBrowsing2;
         use Net::Google::SafeBrowsing2::Sqlite;
         my $gsb = Net::Google::SafeBrowsing2->new(
           key     => "xxx",
           storage => Net::Google::SafeBrowsing2::Sqlite->new(file => "google.db"),
         );
         $gsb->update();
         my $match = $gsb->lookup(url => "http://evil.com");
         if ($match eq MALWARE) { ... }
    36. Dynamic Firewall Config
       • FireEye malware analysis box
       • Firewalls
         • Checkpoint
         • PaloAlto
         • IPtables
         • <insert your preferred fw $VENDOR here>
       • OSSEC
    37. Dynamic Firewall Config
       (diagram: FireEye -> OSSEC -> Checkpoint, PaloAlto, IPtables)
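What the component in the middle of this diagram has to do, as an added example in Python (not FireEye's, OSSEC's or the speaker's code): a constructed malware-analysis verdict carrying a callback address is first vetted against networks that must never be blocked (the DoS risk from the Controls slide), then rendered as the equivalent change for each firewall on the slide: an iptables command, a Checkpoint dbedit script, and a PAN-OS XML API set request in the shape shown on slide 25. The event format, object naming, iptables chain, and the API key placeholder are assumptions; the xpath uses the standard PAN-OS form (`/config/devices/entry[@name='localhost.localdomain']`), which the slide abbreviates, so check the device and vsys names against your own firewall. Changes are returned for review, not applied.

```python
import ipaddress
from urllib.parse import urlencode

# Networks that must never end up in a block rule, whatever the analysis box reports
# (assumed ranges; the "Controls" slide warns about the DoS risk of automatic blocking).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

# Constructed event (not a real FireEye message): what the malware box hands to the toolbox.
SAMPLE_EVENT = {"source": "malware-analysis", "verdict": "malicious",
                "callback_ip": "198.51.100.7"}


def vet_indicator(ip_text):
    """Parse the address and refuse anything that would block ourselves or the network fabric."""
    ip = ipaddress.ip_address(ip_text.strip())     # ValueError on garbage
    if ip.is_multicast or ip.is_unspecified or any(ip in n for n in NEVER_BLOCK):
        raise ValueError("refusing to block %s: protected or non-routable" % ip)
    return ip


def iptables_cmd(ip):
    """argv for a Linux gateway (FORWARD chain assumed; a host would use INPUT)."""
    return ["iptables", "-I", "FORWARD", "-s", str(ip), "-j", "DROP"]


def checkpoint_dbedit(ip):
    """dbedit script creating a host object; the object naming scheme is an assumption."""
    name = "h_" + str(ip).replace(".", "_")
    return "\n".join([
        "create host_plain %s" % name,
        "modify network_objects %s ipaddr %s" % (name, ip),
        "update network_objects %s" % name,
        "quit",
    ])


def paloalto_set_address(ip, device="localhost.localdomain", vsys="vsys1",
                         key="API_KEY_PLACEHOLDER"):
    """Query string for a PAN-OS XML API 'set' of an address object (request shape of slide 25).
    Device and vsys names are assumptions; the key is a placeholder."""
    name = "blk-" + str(ip).replace(".", "-")
    xpath = ("/config/devices/entry[@name='%s']/vsys/entry[@name='%s']"
             "/address/entry[@name='%s']" % (device, vsys, name))
    element = "<ip-netmask>%s/32</ip-netmask><description>toolbox auto-block</description>" % ip
    return urlencode({"type": "config", "action": "set", "key": key,
                      "xpath": xpath, "element": element})


def dispatch(event):
    """Turn one verdict into the per-firewall changes; returns them, does not apply them."""
    if event.get("verdict") != "malicious" or "callback_ip" not in event:
        return {}
    ip = vet_indicator(event["callback_ip"])
    return {
        "iptables": iptables_cmd(ip),
        "checkpoint": checkpoint_dbedit(ip),
        "paloalto": paloalto_set_address(ip),
    }


if __name__ == "__main__":
    for fw, change in dispatch(SAMPLE_EVENT).items():
        print("== %s ==" % fw)
        print(change if isinstance(change, str) else " ".join(change))
```

Keeping the rendering separate from the execution is deliberate: the same dispatcher can run in a "log only" mode first, so the Controls slide's points (authentication, an out-of-band management network, a review of what would have been blocked) are settled before any firewall is touched automatically.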
    38. Dynamic User Blacklist
       • Syslog Concentrator
       • OSSEC
       • SSL VPN
       • LDAP directory
    39. Dynamic User Blacklist
       (diagram: several sshd hosts -> OSSEC -> LDAP)
         $ ldapmodify -D 'cn=admin' -w 'pass'
         dn: uid=jdoe,o=acme.org
         changetype: modify
         replace: userpassword
         userpassword: newpass
    40. SMTP Malware Analysis
       • Postfix MTA
       • Cuckoo
       • CuckooMX (Perl)
    41. SMTP Malware Analysis
       (diagram: Postfix -> CuckooMX -> Cuckoo)
    42. MySQL Self-Defense
       • MySQL Server
       • MySQL Proxy
       • lib_mysqludf_log
    43. MySQL Self-Defense
       (diagram: client -> mysql-proxy -> mysqld, with error.log as the signal)
    44. Controls
       • Security first!
       • Strong controls must be implemented
       • Authentication/Authorization
       • Could break your compliance
       • Use an OoB network
       • Risk of DoS!
    45. Conclusions
       • Don’t buy just “a box”
       • RTFM
       • Control
       • It’s up to you!
    46. Thank You!
       Questions?
       Beers!