
Network Security Monitoring with Open Source Tools

paulh
June 12, 2006


CANHEIT, Dalhousie University. 2006.


Transcript

  1. Introduction

     The Accomplishment: the creation of a comprehensive network monitoring solution that adequately services 14 campus locations across the province of Nova Scotia.

     The Implementation
     • Budget of under $15,000 (software and hardware)
     • Producing useful results within 4 weeks
     • Modular and scalable
     • Low maintenance
  2. Presentation Overview

     Data
     - Collection and processing with Snort and flow-tools
     - Analysis with Sguil (TCL/TK)
     - Web-based analysis and reports (PHP/Bash/TCL)
     Third-party product integration (examples)
     - McAfee ePolicy Orchestrator
     - Userlock
     Sensor and server design
     - OS and software
     - Hardware
     - Deployment
  3. Data Collection: Alert Data

     Snort: a network intrusion detection and prevention system
     Sguil: analysis console
     Sensor components
     • Snort in IDS mode - collects alert data
     • Barnyard - fast output plug-in (reads Snort's unified output files so the detection engine is not held up by database writes)
     • sensor_agent - gateway to sguild, the Sguil server daemon
     • log_packets - manages the full-content PCAP data
  4. Data Collection: Alert Data - how Snort rules work

     Rule header:  alert tcp any 1723 -> any any
     Rule options: (msg:"VPN - Connection Failed"; flags:R; classtype:misc-activity; sid:1000001; rev:1;)

     • Action - alert
     • Protocol - tcp
     • Source/destination address and ports - from any address, source port 1723 (the PPTP control port), to any address and any port
     • When to fire - flags:R, a TCP segment with only the RST flag set
     • Alert message - msg:"VPN - Connection Failed"

  5. Data Collection: Alert Data - how Snort rules work

     alert tcp any 1723 -> any any (msg:"VPN - Connection Failed"; flags:R; classtype:misc-activity; sid:1000001; rev:1;)

     Read as a whole: the rule raises an alert whenever a PPTP server (source port 1723) resets a client's connection. The option keyword is written classtype in lowercase in Snort's rule syntax, and sid:1000001 falls in the range Snort reserves for locally written rules (1,000,000 and above), so it will not collide with the distributed rule set.
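To make the header/options split concrete, here is a small parser for the rule grammar the two slides describe, applied to the slide's own VPN rule and to a few constructed packet summaries. This is an added example, not code from the deck and not Snort's parser; the packet dictionaries, the field names in HEADER_FIELDS and the simplified matching in would_fire (literal-or-any addresses and ports, flags:X treated as exactly the set X) are assumptions made for the illustration.

```python
"""Split a Snort rule into its header and its options, then test packets against it.

Added example, not code from the deck and not Snort's own parser: a minimal
reading of the rule grammar the slide illustrates.
"""
import re

# The rule from the slide, with the classtype keyword in lowercase.
RULE = ('alert tcp any 1723 -> any any (msg:"VPN - Connection Failed"; '
        'flags:R; classtype:misc-activity; sid:1000001; rev:1;)')

# Field names are this example's own; Snort documents them as action, protocol,
# source address/port, direction operator, destination address/port.
HEADER_FIELDS = ("action", "protocol", "src_addr", "src_port",
                 "direction", "dst_addr", "dst_port")


def split_options(text):
    """Turn 'kw:value; kw2:value2;' into [(kw, value), ...].

    A ';' inside the quoted msg belongs to the message, so the scan tracks
    quotes instead of splitting on every semicolon.
    """
    options, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            token = "".join(buf).strip()
            if token:
                keyword, _, value = token.partition(":")
                options.append((keyword.strip(), value.strip().strip('"')))
            buf = []
            continue
        buf.append(ch)
    if "".join(buf).strip():
        raise ValueError("every option must be terminated by ';'")
    return options


def parse_rule(rule):
    """Return {'header': {...}, 'options': [(keyword, value), ...]} for one rule."""
    m = re.fullmatch(r"\s*([^(]*?)\s*\((.*)\)\s*", rule, re.S)
    if not m:
        raise ValueError("rule must be '<header> (<options>)'")
    parts = m.group(1).split()
    if len(parts) != len(HEADER_FIELDS):
        raise ValueError(f"header needs {len(HEADER_FIELDS)} fields, got {len(parts)}")
    header = dict(zip(HEADER_FIELDS, parts))
    if header["direction"] not in ("->", "<>"):
        raise ValueError("direction must be '->' or '<>'")
    return {"header": header, "options": split_options(m.group(2))}


def would_fire(parsed, pkt):
    """Decide whether a packet summary matches the parsed rule.

    Simplified on purpose (assumption of this example): addresses and ports are
    'any' or one literal, and flags:X means exactly the flag set X.
    """
    h, opts = parsed["header"], dict(parsed["options"])

    def ok(spec, value):
        return spec == "any" or str(spec) == str(value)

    def endpoints_match(src, sport, dst, dport):
        return (ok(h["src_addr"], src) and ok(h["src_port"], sport)
                and ok(h["dst_addr"], dst) and ok(h["dst_port"], dport))

    if h["protocol"] != pkt["proto"]:
        return False
    matched = endpoints_match(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not matched and h["direction"] == "<>":   # bidirectional: try the reverse
        matched = endpoints_match(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not matched:
        return False
    if "flags" in opts and set(opts["flags"]) != set(pkt["flags"]):
        return False
    return True


# Constructed packet summaries: a PPTP server resetting a client, and the same
# server's normal SYN/ACK, which must not trigger the rule.
RESET = dict(proto="tcp", src="192.0.2.20", sport=1723, dst="10.1.2.3", dport=50123, flags="R")
SYNACK = dict(proto="tcp", src="192.0.2.20", sport=1723, dst="10.1.2.3", dport=50123, flags="SA")

if __name__ == "__main__":
    parsed = parse_rule(RULE)
    print("header :", parsed["header"])
    print("options:", parsed["options"])
    for name, pkt in (("RESET", RESET), ("SYNACK", SYNACK)):
        print(f"{name}: fires={would_fire(parsed, pkt)}")
```

Running it shows the header broken into its seven fields, the five option pairs, and that only the RST segment from port 1723 fires; change sport in RESET to any other port and the header no longer matches.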
  6. Data Collection: Session Data

     fprobe: a NetFlow probe. A flow is a set of packets that share a common property.
     flow-tools: a toolset for working with NetFlow data
     Components
     • fprobe - export flows
     • flow-capture - collect and store
     • flow-cat, flow-print - merge and print
     • flow-filter, flow-nfilter, flow-stat, flow-report - process based on filters or report definitions
  7. Data Collection: Session Data

     Fields in a flow record: duration, addresses, ports, TCP flags, priority, traffic direction (outbound/inbound).
     A flow is keyed on the 5-tuple (protocol, source address, source port, destination address, destination port): same source and destination ports, and all packets in the same direction. The two halves of a TCP connection therefore appear as two separate flow records.
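The following is an added example, not code from the deck and not flow-tools itself: it builds unidirectional 5-tuple flow records of the kind fprobe exports and flow-capture stores, from a constructed packet trace (one HTTP connection and one DNS lookup, timestamps in milliseconds), and then applies the kind of filtering and per-source totals that flow-nfilter and flow-stat provide. The LOCAL_NETS prefix used for the inbound/outbound classification is an assumption.

```python
"""Build unidirectional 5-tuple flow records from packet metadata.

Added example, not code from the deck and not flow-tools: it shows what a
NetFlow probe exports, using constructed packets.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample trace: one HTTP connection and one DNS lookup (ts in ms).
PACKETS = [
    dict(ts=0,    proto="tcp", src="10.1.2.3",   sport=51000, dst="192.0.2.10", dport=80,    flags="S",  len=60),
    dict(ts=10,   proto="tcp", src="192.0.2.10", sport=80,    dst="10.1.2.3",   dport=51000, flags="SA", len=60),
    dict(ts=11,   proto="tcp", src="10.1.2.3",   sport=51000, dst="192.0.2.10", dport=80,    flags="A",  len=52),
    dict(ts=20,   proto="tcp", src="10.1.2.3",   sport=51000, dst="192.0.2.10", dport=80,    flags="PA", len=400),
    dict(ts=100,  proto="tcp", src="192.0.2.10", sport=80,    dst="10.1.2.3",   dport=51000, flags="PA", len=1500),
    dict(ts=110,  proto="tcp", src="192.0.2.10", sport=80,    dst="10.1.2.3",   dport=51000, flags="PA", len=1200),
    dict(ts=500,  proto="tcp", src="10.1.2.3",   sport=51000, dst="192.0.2.10", dport=80,    flags="FA", len=52),
    dict(ts=510,  proto="tcp", src="192.0.2.10", sport=80,    dst="10.1.2.3",   dport=51000, flags="FA", len=52),
    dict(ts=1000, proto="udp", src="10.1.2.3",   sport=53000, dst="10.1.1.53",  dport=53,    flags="",   len=70),
    dict(ts=1005, proto="udp", src="10.1.1.53",  sport=53,    dst="10.1.2.3",   dport=53000, flags="",   len=150),
]

# Assumed campus address space for the inbound/outbound classification.
LOCAL_NETS = [ipaddress.ip_network("10.1.0.0/16")]


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    first: int
    last: int
    packets: int = 0
    octets: int = 0
    flags: set = field(default_factory=set)

    @property
    def duration(self) -> int:
        return self.last - self.first


def aggregate(packets):
    """Group packets by (proto, src, sport, dst, dport): one direction per record."""
    flows = {}
    for p in packets:
        key = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(*key, first=p["ts"], last=p["ts"])
        f.first = min(f.first, p["ts"])
        f.last = max(f.last, p["ts"])
        f.packets += 1
        f.octets += p["len"]
        f.flags |= set(p["flags"])    # cumulative OR of TCP flags seen in the flow
    return list(flows.values())


def direction(flow, local_nets=LOCAL_NETS):
    """Classify a flow relative to the monitored address space."""
    src_local = any(ipaddress.ip_address(flow.src) in n for n in local_nets)
    dst_local = any(ipaddress.ip_address(flow.dst) in n for n in local_nets)
    if src_local and not dst_local:
        return "outbound"
    if dst_local and not src_local:
        return "inbound"
    return "internal" if src_local else "transit"


def filter_flows(flows, **match):
    """Keep flows whose fields equal the given values (cf. flow-nfilter)."""
    return [f for f in flows if all(getattr(f, k) == v for k, v in match.items())]


def octets_by_source(flows):
    """Octets per source address, largest first (cf. flow-stat on the source field)."""
    totals = {}
    for f in flows:
        totals[f.src] = totals.get(f.src, 0) + f.octets
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


def format_flow(f):
    """One line per flow, in the spirit of flow-print output."""
    return (f"{f.proto:<4}{f.src}:{f.sport} -> {f.dst}:{f.dport} "
            f"dur={f.duration}ms pkts={f.packets} octets={f.octets} "
            f"flags={''.join(sorted(f.flags)) or '-'} {direction(f)}")


if __name__ == "__main__":
    flows = aggregate(PACKETS)
    for f in flows:
        print(format_flow(f))
    print("octets by source:", octets_by_source(flows))
```

Ten packets collapse into four flow records: the client-to-server and server-to-client halves of the HTTP connection (outbound and inbound respectively, each carrying the S, A, P and F flags it saw), and the two halves of the internal DNS exchange. The per-source totals immediately show the web server as the largest sender, which is the kind of question the session data answers without any packet content.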
  8-14. Data Analysis: Main Springboard

     Slide  Tool             Implementation            Data source
     8      IDS Query        PHP-based IDS front-end   MySQL database (Sguil)
     9      ePO Query        PHP-based query tool      MSSQL database (McAfee ePO)
     10     FlowViewer       Perl-based query tool     Binary files (flow-tools)
     11     User Lookup      PHP-based query tool      MSSQL database (Userlock)
     12     Traffic Summary  TCL-generated summary     Binary files (flow-tools)
     13     Traffic Graphs   PHP query tool            Binary files (flow-tools)
     14     Summary Report   PHP-generated summary     MySQL (flow-tools), MySQL (Sguil), MSSQL (ePO)
  15. Data Analysis: Summary Report

     Future possibilities?
     - More complex graphs
     - Further trending
     - Improved analysis algorithms
  16. EOF - Summary

     • Network awareness
       - Automation is not network awareness
       - Best practice is not awareness
     • Robust solutions
       - Lower TCO*
       - Not second rate
     • Unique development possibilities
       - Perpetuates research
       - Hones existing skills
  17. Sensor and Server Design: Hardware Requirements

     Sensor - Dell Optiplex GX280 SD, cost $700.00
     - 2.4GHz processor
     - 1GB memory
     - (2) gigabit Ethernet controllers
     - (1) 80GB SATA drive
     Server - Dell Optiplex GX280 SMT*, cost $850.00
     - 2.4GHz processor
     - 1GB memory
     - (2) gigabit Ethernet controllers
     - (2) 80GB drives
     * Potential scalability issues
  18. Sensor and Server Design: Deployment

     Span port
     - Low cost (if the switching infrastructure supports it)
     - Simple setup
     - Extra demand on the switch: an oversubscribed span port silently drops packets the sensor never sees
     Network TAP
     - Completely passive
     - Simple setup
     - Costly
     Inline
     - Offers blocking and other capabilities
     - Complex setup
     - Requires decent hardware, since the sensor is now in the forwarding path
     Cost: $0.00 - $5000.00
  19. Sensor and Server Design: Component Protection - Firewall (PF)

     Sensor
     - Inbound from admins to SSH, default port 22 (limit this to admin hosts)
     - Outbound to the server
     Server
     - Inbound from sensors to sguild's sensor port, default port 7736
     - Inbound from clients (techs) to sguild's client port, default port 7734 (limit this to analyst hosts)
     - Inbound from sensors to MySQL, default port 3306
     - Inbound from admins to SSH, default port 22 (limit this to admin hosts)
     - Outbound to sensors
     Everything not listed is denied; the sensor in particular accepts nothing from the monitored segment, which it only ever listens to.