Enterprise Network Security Monitoring with Open Source Software by sparkunder25



              Fosscar 2006
Who am I?


+ Exabytes System Engineer/Researcher

+ http://geek00L.blogspot.com

+ geek00L[at]gmail.com
Claim

I'm here to address

+ Enterprise Network Structures

+ The Open Source Integration & Solution

+ The Network Security Monitoring Mechanism

Continue .....

I'm not here to talk about

+ SNMP – Network Management & Monitoring

+ SIM – Security Information Management

+ SEM – Security Event Management
The Evolution Of Enterprise Network

Keep it simple

+ Single Network Tier

+ Single Network Segment

+ ! DMZ Deployment

+ ! VPN Endpoint

+ Human Elements
Link Indicator

Red – In/Out [Out Of Control]

Orange – In [In Control], Out [Out Of Control]

Yellow – In [In Control], Out [Partially Controlled]

Light Blue – In [In Control], Out [Partially Controlled], Under Monitoring

Blue – In/Out [No Control]
The Network Threat Components

+ Virus/Worms

+ Botnet/DDoS

+ Spam/Phishing

+ Malware/Rootkits

+ 0-days
The Countermeasures
Enterprise Prevention/Defensive
Perimeter

+ Router Access Control List

+ Transparent Proxy

+ Reverse Proxy

+ Firewall

+ Intrusion Prevention System[IPS]
Roles

+ Enforcing Security Policy

+ Network Screening/Jailing

+ Preventing Network Mapping

+ Traffic Sanitizer

+ Reducing Network Noise Processing
But we do believe .....

Protection/prevention perimeters eventually fail

+ Firewall Bypassing

+ IDS Evasion

+ Covert channels

+ Internal Threats

Nothing is unbreakable
Enterprise Network Traffic
Logging & Monitoring Devices
+ Network Tap

+ Network Bonding

+ Port Mirroring

+ Traffic collector

+ Intrusion Detection System
Roles

+ Collecting Statistical Data

+ Collecting Flow/Session Data

+ Collecting Alert Data

+ Collecting Full Content Data

+ Performing Network Security
  Monitoring, Analysis & Forensic
The Known Facts

Most enterprise networks

+ use commercial products

+ rely on vendors by outsourcing

+ implement a partial Network Security Monitoring model

The Problem

+ Only as secure as vendors tell you

+ Only as secure as commercial products deliver

+ You don't understand what is running in your network

+ You don't know open source software well enough

The Alternative Solution:

Open Source + Commodity Hardware
Why Open Source?
+ Transparent

+ Flexible

+ Programmable

+ Tunable

+ Tweak-able

+ Community Supports

+ Improve Over Time
But How ... ?
Mastering the monkey way (: ])

+ Operating System Administration

+ Scripting Language – Shell | Perl | Python

+ TCP/IP

+ Libpcap Based Tools

+ BPF Filtering Language
Network Security Monitoring

Open Source Methodology & Approach

Operating System

+ FreeBSD

+ OpenBSD

+ Linux – Debian, CentOS, etc.
Open Source Prevention/Defensive
Perimeter
+ OS Based Router[BSD/Linux]

+ Transparent Proxy[Squid]

+ Reverse Proxy[Pound]

+ Firewall - [IPtables/Endian]
             [PF/Pfsense]

+ IPS – [Snort2C/SnortSAM/Snort-Inline]
Open Source Network Traffic Logging & Monitoring Devices

+ Network Tap – PF dup-to function

+ Inline Device – Bridge Interface

+ Network Bonding – Linux: bond; FreeBSD: ngeth; OpenBSD: trunk

+ Traffic Collector – etc.

+ IDS – Bro/Snort
Quick Reference

Network Tap [PF dup-to] & Network Bridge

BSD
/etc/pf-Net-Tap.conf
# pf-Net-Tap.conf
# pf macros are defined without the leading "$"; "$name" is used only when referencing them
orig_if = "bge0"
dup_if = "fxp0"
dst_ip = "172.18.3.55"
pass in on $orig_if dup-to ($dup_if $dst_ip) from any to any
pass out on $orig_if dup-to ($dup_if $dst_ip) from any to any

#>pfctl -ef /etc/pf-Net-Tap.conf

LINUX
/etc/modules.conf
alias br0 bridge

#>modprobe br0
#>brctl addbr br0
#>brctl addif br0 eth0
#>brctl addif br0 eth1
#>ifconfig eth0 0.0.0.0 up
#>ifconfig eth1 0.0.0.0 up
#>ifconfig br0 up

FREEBSD
#>ifconfig bridge0 create
#>ifconfig bridge0 addm $INT1 addm $INT2 up

OPENBSD
/etc/hostname.bridge0
add $INT1
add $INT2
up

#>brconfig bridge0 add $INT1 add $INT2 up
Network Bonding

LINUX
/etc/modules.conf
alias bond0 bonding

/etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
USERCTL=no

/etc/sysconfig/network-scripts/ifcfg-eth[0/1]
DEVICE=eth[0/1]
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no

FREEBSD
ifconfig $INT1 promisc -arp up
ifconfig $INT2 promisc -arp up

ngctl mkpeer . eiface hook ether
ngctl mkpeer ngeth0: one2many lower one
ngctl connect $INT1: ngeth0:lower lower many0
ngctl connect $INT2: ngeth0:lower lower many1

#>ifconfig ngeth0 -arp up

OPENBSD
/etc/hostname.trunk0
up
trunkproto roundrobin trunkport $INT1 trunkport $INT2

#>ifconfig trunk0 trunkproto roundrobin trunkport $INT1 trunkport $INT2 up
Open Source Network Security Monitoring Toolkits

Statistical Data Collection Tools
  Real Time: Trafshow, Iftop, Bwm-ng, Slurm
  Offline: Tcpdstat, Capinfos

Session/Flow Data Collection Tools
  Argus, Ntop, Ipaudit, Sancp, Fprobe, Softflowd, Flowd, Flow-tools/flowViewer (Grapher), Nfdump/Nfsen

Alert Data Collection Tools
  Bro-IDS, Snort, Pads, P0f

Full Content Data Collection Tools
  Tcpdump, Dumpcap, Snort
Statistical Data Logging

Real Time
#>trafshow -i $INT1
#>iftop -i $INT0 -F 172.16.3.0/24
#>bwm-ng -I $INT1
#>slurm -i $INT1 -c|-l|-s

Trafshow can read Cisco NetFlow data on the fly with -u 9995

Offline
#>tcpdstat /nsm/log.pcap
#>capinfos /nsm/log.pcap
#>softflowd -r /nsm/log.pcap

Statistical and flow/session data are brothers
Trafshow
Iftop
Slurm & Bwm-NG
Tcpdstat – Traffic Statistic
Capinfos – Pcap Statistic

#>capinfos gem-intrusion.pcap
File name: gem-intrusion.pcap
File type: libpcap (tcpdump, Ethereal, etc.)
Number of packets: 60
File size: 62444 bytes
Data size: 61460 bytes
Capture duration: 0.041043 seconds
Start time: Wed Jun 28 20:14:13 2006
End time: Wed Jun 28 20:14:13 2006
Data rate: 1497452.32 bytes/s
Data rate: 11979618.53 bits/s
Average packet size: 1024.33 bytes
Softflowd - Flow Statistic
[root@trinity /nsm/i-Pcaps]# softflowd -r fitmata-trace.pcap
softflowd v0.9.7 starting data collection
Exiting on pcap_dispatch: truncated dump file; tried to read 1514 captured bytes, only got 794
Exiting immediately on user request
Number of active flows: 8313
Packets processed: 609988
Fragments: 1
Ignored packets: 1396 (1396 non-IP, 0 too short)
Flows expired: 7841 (7841 forced)
Flows exported: 0 in 0 packets (0 failures)

Expired flow statistics:    minimum    average       maximum
  Flow bytes:                    46      18841       6444748
  Flow packets:                   1         31          6793
  Duration:                    0.00s     14.81s       514.45s

Expired flow reasons:
       tcp =         0     tcp.rst =      0   tcp.fin =          0
       udp =         0        icmp =      0   general =          0
   maxlife =         0
  over 2Gb =         0
  maxflows =      7841
   flushed =         0

Per-protocol statistics:      Octets    Packets   Avg Life      Max Life
           icmp (1):           52116        843      56.68s       425.76s
            tcp (6):       147074139     235814      16.38s       514.45s
           udp (17):          608771       4923       5.34s       464.35s
Flow/Session Data Logging

#>argus -i fxp0 -JRS 30 -P 561 -w /nsm/flow.data -d

#>fprobe -ifxp0 -fip -r2 -n 5 localhost:2055

#>softflowd -v 9 -i fxp0 -n localhost:9995

+ Most flow/session data collectors use the UDP protocol for its speed

+ Cisco NetFlow data can be exported easily and interpreted with open source tools
Argus Flow Data

#>ramon -M TopN -N 10 -r ./fxp0.argus
11 Jun 06 17:27:37      192.168.1.55   493    486    210661    70992
11 Jun 06 17:28:10           1.2.3.4   211    223     15055   160792
11 Jun 06 17:28:24           1.2.3.4    91    115     30918    30738
11 Jun 06 17:33:54           2.3.4.5    33     41     11748     5747
11 Jun 06 17:28:37       192.168.1.1    36     36      1512     1512
11 Jun 06 17:28:27           2.3.4.5    36     19      2467     2045
11 Jun 06 17:29:24          tmnut.my    17     16      1277     2274
11 Jun 06 17:33:25          tmnut.my    15     13      1898     1007

#>ratop -nn -r fxp0.argus -M topN -m saddr - tcp

Source fxp0.argus Version 3.0 Queue 5 TotalRecords 673 Rate 19013.9850 rps
 Rank  StartTime        Flgs  Proto  SrcAddr  Sport  Dir  DstAddr  Dport  SrcPkt
    1  19:06:46.360460              0        1.2.3.4   <->  0.0.0.0   9101
    2  19:06:46.360444              0        1.2.3.4   <->  0.0.0.0   1845
    3  19:06:46.368425              0        1.2.3.4   <->  0.0.0.0   1825
    4  19:06:46.350470              0        1.2.3.4   <->  0.0.0.0    611
Exporting Cisco NetFlow

router1#en
Password:Iknowuwantmypasswd

router1#config t
router1(config)#interface GigabitEthernet 0/0
router1(config-if)#ip route-cache flow
router1(config-if)#exit
router1(config)#ip flow-export destination 172.16.3.100 9996
router1(config)#ip flow-export source GigabitEthernet 0/0
router1(config)#ip flow-export version 5
router1(config)#end

router1#sh ip cache flow
Flowd – Intercept Cisco Netflow
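The router above exports NetFlow version 5 over UDP to a collector on port 9996, and flowd or nfdump has to decode that datagram. The following is an added example, not code from the deck, from Cisco, or from any of the collectors named here: a small Python encoder and decoder for the v5 wire format (24-byte header, 48-byte records, big-endian), with a top-talkers summary in the spirit of the ramon TopN view on the Argus slide. All flow values, uptimes and timestamps in it are constructed for the example.

```python
"""NetFlow v5 encoder/decoder: an added example, not code from the deck, from
Cisco, or from flowd/nfdump. It shows the UDP datagram layout that the
"ip flow-export version 5" configuration sends to a collector and that a tool
like flowd has to parse. All flow values below are constructed."""
import socket
import struct
from collections import Counter

HEADER_FMT = "!HHIIIIBBH"                 # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # one 48-byte v5 flow record
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48

# Constructed sample flows (first/last are router uptime in milliseconds).
SAMPLE_FLOWS = [
    {"src": "192.168.1.55", "dst": "1.2.3.4", "sport": 1025, "dport": 80, "proto": 6,
     "packets": 493, "octets": 210661, "first": 1000, "last": 5000, "tcp_flags": 0x1b},
    {"src": "1.2.3.4", "dst": "192.168.1.55", "sport": 80, "dport": 1025, "proto": 6,
     "packets": 486, "octets": 70992, "first": 1000, "last": 5000, "tcp_flags": 0x1b},
    {"src": "1.2.3.4", "dst": "192.168.1.1", "sport": 53166, "dport": 22, "proto": 6,
     "packets": 3, "octets": 180, "first": 6000, "last": 6100, "tcp_flags": 0x02},
]


def build_v5_datagram(flows, sys_uptime=0, unix_secs=0, flow_sequence=0):
    """Pack flows into one v5 export datagram (the exporter side, used here for testing)."""
    if not 0 < len(flows) <= 30:
        raise ValueError("a v5 datagram carries 1..30 records")
    header = struct.pack(HEADER_FMT, 5, len(flows), sys_uptime, unix_secs, 0,
                         flow_sequence, 0, 0, 0)
    records = b"".join(
        struct.pack(RECORD_FMT,
                    socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
                    socket.inet_aton("0.0.0.0"),            # nexthop: unknown
                    f.get("input", 0), f.get("output", 0),   # SNMP ifIndex in/out
                    f["packets"], f["octets"], f["first"], f["last"],
                    f["sport"], f["dport"], 0, f.get("tcp_flags", 0),
                    f["proto"], 0, 0, 0, 0, 0, 0)           # tos, AS numbers, masks, pad
        for f in flows)
    return header + records


def parse_v5_datagram(data):
    """Unpack a datagram into header fields and flow dicts (the collector side).
    Rejects other versions and datagrams whose record count exceeds the bytes present."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header")
    (version, count, sys_uptime, unix_secs, _nsecs, flow_seq,
     _engine_type, _engine_id, _sampling) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if len(data) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated datagram: header claims %d records" % count)
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        r = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        records.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "packets": r[5], "octets": r[6], "duration_ms": r[8] - r[7],
            "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13],
        })
    return {"sys_uptime": sys_uptime, "unix_secs": unix_secs,
            "flow_sequence": flow_seq, "records": records}


def top_talkers(records, n=10):
    """Octets sent per source address, like the ramon TopN view on the Argus slide."""
    totals = Counter()
    for r in records:
        totals[r["src"]] += r["octets"]
    return totals.most_common(n)


if __name__ == "__main__":
    datagram = build_v5_datagram(SAMPLE_FLOWS, sys_uptime=6200,
                                 unix_secs=1153152877, flow_sequence=42)
    parsed = parse_v5_datagram(datagram)
    for rec in parsed["records"]:
        print("%(src)s:%(sport)d -> %(dst)s:%(dport)d proto %(proto)d %(octets)d bytes" % rec)
    print("top talkers:", top_talkers(parsed["records"]))
```

The count check in parse_v5_datagram matters on a real collector: the header's record count comes from the network, so a collector that trusts it and slices past the end of the datagram either crashes or reads garbage. Checking the sequence number across datagrams (flow_sequence) is how nfdump-style tools spot export loss on the UDP path.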
Web Based Flow/Session Data
Collection & Analysis

+ FlowViewer/Grapher

+ Ipaudit-Web

+ Nfsen

+ Stager
FlowViewer/Grapher/Tracker
Ipaudit-Web
Nfdump/Nfsen
Alert Data Logging

#>snort -i $INT1 -u snort -g snort -c snort.conf -l /nsm -m 122 -A none -U -D

#>/usr/local/bro/bin/bro -W -i fxp1 mysite.com.bro

#>p0f -i $INT1 -d -t -o /nsm/p0f.log "net $localnet"

#>pads -i $INT1 -D -w /nsm/pads.log -n $localnet
Snort Alert Data

[**] (portscan) TCP Portsweep [**]
07/27-14:56:36.812593 1.2.3.4 -> 3.4.5.6
PROTO255 TTL:0 TOS:0x0 ID:28818 IpLen:20 DgmLen:165
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SNMP request udp [**]
07/27-15:02:17.623670 1.2.3.4:51791 -> 3.4.5.6:161
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:79 DF
Len: 51
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] NETBIOS SMB IPC$ unicode share access [**]
07/27-14:56:32.398569 1.2.3.4:4287 -> 3.4.5.6:139
TCP TTL:128 TOS:0x0 ID:48983 IpLen:20 DgmLen:122 DF
***AP*** Seq: 0x18BAB924 Ack: 0x43BE0033 Win: 0xFDBC TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Bro-IDS Alert Data

t=1153152877.719595 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS sa=1.2.3.4 sp=31924/tcp da=3.4.5.6 dp=80/tcp method=POST url=/_vti_bin/shtml.exe/wwwroot/userregFamiliku.htm num=200 msg=1.2.3.4/31924\ >\ 3.4.5.6/http\ %880:\ POST\ /_vti_bin/shtml.exe/wwwroot/userregFamili.htm\ (200\ "OK"\ [0\\j.net) tag= @3

t=1153161217.493714 no=AddressScan na=NOTICE_ALARM_ALWAYS sa=1.2.3.4 sp=53166/tcp da=3.4.5.6 dp=22/tcp msg=1.2.3.4\ has\ scanned\ 20\ hosts\ (ssh) tag= @6

t=1153194711.621244 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS sa=1.2.3.4 sp=1213/tcp da=3.4.5.6 dp=80/tcp method=POST url=/interfaces/standard/FileManager.asp?DomainID=374&showFolderSizes=&StartPath=\\wwwroot\\dasblog&Folder=&File= num=200 msg=1.2.3.4/1213\ >\ 3.4.5.6/http\ %117597\ @50:\ POST\ /interfaces/standard/FileManager.asp?DomainID=374&showFolderSizes=&StartPath=\\wwwroot\\dasblog&Folder=&File=\ (200\ "OK"\ [20414]\ cp.maddd.com.my) tag= @50
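The Snort and Bro slides above show two alert formats the analyst has to read side by side: Snort's "full" output, blocks separated by =+=+ lines, and Bro's one-line key=value notices, where spaces inside a value are escaped as backslash-space. The following is an added example, not the deck's code and not Snort's or Bro's own, that parses both into one record shape and counts alerting sources across them. The alert text in it is constructed to follow the two formats shown on the slides.

```python
"""Normalize Snort 'full' alert output and Bro notice lines into one record
shape so both alert sources can be counted together. Added example, not the
deck's code nor Snort's or Bro's own; sample text is constructed."""
import re
from collections import Counter

SNORT_SAMPLE = """\
[**] (portscan) TCP Portsweep [**]
07/27-14:56:36.812593 1.2.3.4 -> 3.4.5.6
PROTO255 TTL:0 TOS:0x0 ID:28818 IpLen:20 DgmLen:165
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SNMP request udp [**]
07/27-15:02:17.623670 1.2.3.4:51791 -> 3.4.5.6:161
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:79 DF
Len: 51
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] NETBIOS SMB IPC$ unicode share access [**]
07/27-14:56:32.398569 1.2.3.4:4287 -> 3.4.5.6:139
TCP TTL:128 TOS:0x0 ID:48983 IpLen:20 DgmLen:122 DF
***AP*** Seq: 0x18BAB924 Ack: 0x43BE0033 Win: 0xFDBC TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# One notice per line; Bro escapes spaces inside values as backslash-space.
BRO_SAMPLE_LINES = [
    r"t=1153161217.493714 no=AddressScan na=NOTICE_ALARM_ALWAYS sa=1.2.3.4 sp=53166/tcp "
    r"da=3.4.5.6 dp=22/tcp msg=1.2.3.4\ has\ scanned\ 20\ hosts\ (ssh) tag=@6",
    r"t=1153152877.719595 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS sa=1.2.3.4 sp=31924/tcp "
    r"da=3.4.5.6 dp=80/tcp method=POST url=/_vti_bin/shtml.exe/wwwroot/x.htm num=200 tag=@3",
]

SNORT_SIG = re.compile(r"^\[\*\*\]\s*(?:\[\d+:\d+:\d+\]\s*)?(.*?)\s*\[\*\*\]$")
SNORT_HDR = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+?)(?::(\d+))?\s+->\s+(\S+?)(?::(\d+))?$")
SNORT_SEP = re.compile(r"^(?:=\+)+=?\s*$", re.M)


def parse_snort_full(text):
    """Split Snort full-format alerts on the =+=+ separator and pull the
    signature, timestamp, endpoints and protocol out of each block."""
    alerts = []
    for block in SNORT_SEP.split(text):
        lines = [l for l in block.strip().splitlines() if l.strip()]
        if len(lines) < 2:
            continue
        sig, hdr = SNORT_SIG.match(lines[0]), SNORT_HDR.match(lines[1])
        if not (sig and hdr):
            continue                      # not an alert block: skip rather than crash
        ts, src, sport, dst, dport = hdr.groups()
        alerts.append({"source": "snort", "ts": ts, "name": sig.group(1),
                       "src": src, "sport": int(sport) if sport else None,
                       "dst": dst, "dport": int(dport) if dport else None,
                       "proto": lines[2].split()[0] if len(lines) > 2 else None,
                       "msg": sig.group(1)})
    return alerts


def parse_bro_notice(line):
    """Tokenize one key=value notice line without splitting on escaped spaces."""
    rec = {}
    for tok in re.split(r"(?<!\\)\s+", line.strip()):
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val.replace("\\ ", " ")
    return rec


def parse_bro_notices(lines):
    """Turn notice lines into the same record shape parse_snort_full produces."""
    out = []
    for line in lines:
        r = parse_bro_notice(line)
        if "no" not in r:
            continue
        sp, dp = r.get("sp", "/").split("/", 1), r.get("dp", "/").split("/", 1)  # "53166/tcp"
        out.append({"source": "bro", "ts": r.get("t"), "name": r["no"],
                    "src": r.get("sa"), "sport": int(sp[0]) if sp[0].isdigit() else None,
                    "dst": r.get("da"), "dport": int(dp[0]) if dp[0].isdigit() else None,
                    "proto": dp[1].upper() if len(dp) > 1 and dp[1] else None,
                    "msg": r.get("msg", r["no"])})
    return out


def top_sources(alerts, n=5):
    """Alerting source addresses counted across both IDS outputs."""
    return Counter(a["src"] for a in alerts).most_common(n)


if __name__ == "__main__":
    alerts = parse_snort_full(SNORT_SAMPLE) + parse_bro_notices(BRO_SAMPLE_LINES)
    for a in alerts:
        print("%-6s %s %s -> %s  %s" % (a["source"], a["ts"], a["src"], a["dst"], a["msg"]))
    print("top sources:", top_sources(alerts))
```

The escaped-space handling is the part worth noting: a naive split() on whitespace turns the AddressScan message into five separate bogus keys, which is exactly the kind of parser slip that lets an alert be miscounted or dropped in a summary.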
P0f OS Data

<Thu Jul 27 22:32:35 2006> 1.2.3.4:1492 - Windows 2000 SP4, XP SP1
  -> 10.0.0.1:80 (distance 11, link: pppoe (DSL))
  -> 10.0.0.2:80 (distance 12, link: pppoe (DSL))
<Thu Jul 27 22:32:35 2006> 2.3.4.5:44667 - Linux 2.5 (sometimes 2.4) (4) (NAT!) (up: 268 hrs)
  -> 10.0.0.3:110 (distance 12, link: pppoe (DSL))
<Thu Jul 27 22:32:36 2006> 3.4.5.6:50692 - Windows 2000 SP4, XP SP1
  -> 10.0.0.4:110 (distance 23, link: unknown-1460)
<Thu Jul 27 22:32:36 2006> 4.5.6.7:2422 - Windows 2000 SP4, XP SP1
  -> 10.0.0.5:80 (distance 12, link: PIX, SMC, sometimes wireless)
<Thu Jul 27 22:32:36 2006> 5.6.7.8:32230 - Windows 2000 SP4, XP SP1
  -> 10.0.0.6:80 (distance 16, link: ethernet/modem)
<Thu Jul 27 22:32:36 2006> 6.7.8.9:2508 - Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
  -> 10.0.0.7:110 (distance 12, link: pppoe (DSL))
<Thu Jul 27 22:32:37 2006> 6.7.8.9:1213 - Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
  -> 10.0.0.8:80 (distance 12, link: ethernet/modem)
<Thu Jul 27 22:32:37 2006> 7.8.9.10:57119 - Linux 2.4/2.6 <= 2.6.7 [high throughput] (up: 1671 hrs)
  -> 10.0.0.9:80 (distance 16, link: unknown-1470)
Pads Service/Application Data
asset,port,proto,service,application,discovered
10.0.0.141,80,6,unknown,unknown,1154011320
10.0.0.185,80,6,www,Apache,1154011320
10.0.0.29,80,6,unknown,unknown,1154011320
10.0.0.29,0,1,ICMP,ICMP,1154011320
10.0.0.165,80,6,www,Microsoft-IIS 6.0,1154011320
10.0.0.86,80,6,www,Microsoft-IIS 6.0,1154011320
10.0.0.90,80,6,www,Apache,1154011320
10.0.0.29,25,6,unknown,unknown,1154011320
10.0.0.17,80,6,www, ,1154011320
10.0.0.121,80,6,www,Microsoft-IIS 6.0,1154011320
10.0.0.133,80,6,www,Apache,1154011320
10.0.0.61,80,6,www,Microsoft-IIS 6.0,1154011320
10.0.0.29,110,6,unknown,unknown,1154011320
10.0.0.33,80,6,www,Apache,1154011320
10.0.0.5,143,6,unknown,unknown,1154011320
10.0.0.118,0,1,ICMP,ICMP,1154011320
10.0.0.118,443,6,ssl,OpenSSL,1154011320
10.0.0.162,80,6,www,Microsoft-IIS 6.0,1154011325
10.0.0.90,21,6,ftp,ProFTPD Server 1.2.10,1154011323
10.0.0.133,21,6,ftp,ProFTPD Server 1.2.10,1154011323
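Pads output like the above is only useful when it is compared over time: a web server whose banner changes, a new listener on a host that had none, or a service Pads cannot identify are the things an analyst wants surfaced. The following is an added example, not the deck's code and not part of Pads itself, that loads the CSV format shown on the slide into an inventory keyed by (asset, port, protocol) and diffs two snapshots. Both CSV snapshots in it are constructed for the example.

```python
"""Passive asset inventory from Pads CSV output plus a baseline diff.
Added example, not the deck's code and not Pads' own; the two CSV snapshots
below are constructed in the asset,port,proto,service,application,discovered
format the Pads slide shows."""
import csv
from datetime import datetime, timezone
from io import StringIO

PADS_BASELINE = """\
asset,port,proto,service,application,discovered
10.0.0.185,80,6,www,Apache,1154011320
10.0.0.90,80,6,www,Apache,1154011320
10.0.0.90,21,6,ftp,ProFTPD Server 1.2.10,1154011323
10.0.0.118,443,6,ssl,OpenSSL,1154011320
"""

PADS_TODAY = """\
asset,port,proto,service,application,discovered
10.0.0.185,80,6,www,Apache,1154097720
10.0.0.90,80,6,www,Microsoft-IIS 6.0,1154097720
10.0.0.90,21,6,ftp,ProFTPD Server 1.2.10,1154097723
10.0.0.118,443,6,ssl,OpenSSL,1154097720
10.0.0.29,25,6,unknown,unknown,1154097725
10.0.0.29,0,1,ICMP,ICMP,1154097725
"""


def load_pads(text):
    """Return {(asset, port, proto): record}; later rows for the same endpoint win."""
    inv = {}
    for row in csv.DictReader(StringIO(text)):
        key = (row["asset"], int(row["port"]), int(row["proto"]))
        inv[key] = {
            "service": row["service"].strip(),
            "application": row["application"].strip(),   # Pads leaves this blank at times
            "discovered": datetime.fromtimestamp(int(row["discovered"]), timezone.utc),
        }
    return inv


def diff_inventory(baseline, current):
    """Report endpoints that appeared, vanished, or changed application banner."""
    new = sorted(set(current) - set(baseline))
    gone = sorted(set(baseline) - set(current))
    changed = sorted(k for k in set(baseline) & set(current)
                     if baseline[k]["application"] != current[k]["application"])
    return {"new": new, "gone": gone, "changed": changed}


def unknown_services(inv):
    """Endpoints Pads could not fingerprint: candidates for a manual look."""
    return sorted(k for k, v in inv.items() if v["service"] == "unknown")


def by_asset(inv):
    """Group the inventory per host, e.g. to list every port a machine answers on."""
    hosts = {}
    for (asset, port, proto), rec in inv.items():
        hosts.setdefault(asset, []).append((port, proto, rec["service"]))
    return {h: sorted(v) for h, v in hosts.items()}


if __name__ == "__main__":
    base, cur = load_pads(PADS_BASELINE), load_pads(PADS_TODAY)
    delta = diff_inventory(base, cur)
    for kind in ("new", "gone", "changed"):
        for key in delta[kind]:
            print("%-8s %s:%d/%d" % (kind, *key))
    print("unknown:", unknown_services(cur))
    print("per host:", by_asset(cur))
```

Run daily against the previous day's file, the "changed" list catches a web server quietly replaced by a different one and the "new" list catches a listener nobody provisioned, which is the passive counterpart of the asset scans the deck avoids running on the wire.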
Full Content Data Logging

#>tcpdump -i sis0 -ns 1514 -w /nsm/full.cap

#>snort -u snort -g snort -m 122 -l /nsm -b -i sis0 -D

#>dumpcap -i sis0 -b filesize:100000 -w /nsm/full.pcap

#>dumpcap -i sis0 -b duration:3600 -w /nsm/full.pcap

Full content data collection usually becomes a problem when your network carries a huge volume of traffic. Remember to:

+ Log traffic after the firewall/ACL

+ Avoid logging traffic flowing to the backup server (no dups)

+ Log traffic to broadcast IPs via network flow data
BPF Filter to the rescue

#>snort -F   (reads the BPF filter from a file)
#>dumpcap -f (takes the filter expression on the command line)

+ net $Local_Net – example: 172.16.3

+ not src net 224.0.0

+ not multicast

+ not arp

+ not $Local_Net_Broadcast – example: 172.16.3.255

Combined into one expression (the leading "\!" keeps the shell from treating "!" as history expansion; "not" is the equivalent BPF keyword):

\!"(src net 224.0.0 or ip multicast or ether multicast or arp or dst host 172.16.3.255 or ! net 172.16.3)"
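It is easy to get a negated compound filter like the one above wrong, so it pays to spell out what each term keeps and drops before trusting it on a sensor. The following is an added example, not from the deck and not libpcap's filter compiler: it derives the slide's expression for any local prefix (computing the broadcast address with the ipaddress module, and writing the local net in CIDR form) and applies the same decisions, term by term, to a set of constructed packets so the keep/drop outcome of each case is visible.

```python
"""Derive the slide's full-content capture filter from the local prefix and
check, in pure Python, which packets it keeps. Added example, not from the deck
and not libpcap's compiler; the packets are constructed tuples, not captures."""
import ipaddress
from collections import namedtuple

# ether_type: 0x0800 IPv4, 0x0806 ARP; src/dst: dotted-quad strings, None for non-IP
Packet = namedtuple("Packet", "ether_type dst_mac src dst")


def full_content_filter(local_net):
    """Return the slide's expression for any local prefix, broadcast address computed."""
    net = ipaddress.ip_network(local_net, strict=False)
    return ("not (src net 224.0.0 or ip multicast or ether multicast or arp "
            "or dst host %s or not net %s)" % (net.broadcast_address, net))


def keep_packet(pkt, local_net):
    """Apply the same decision the filter makes, term by term (IPv4 only)."""
    net = ipaddress.ip_network(local_net, strict=False)
    if pkt.ether_type == 0x0806:                       # arp
        return False
    if int(pkt.dst_mac.split(":")[0], 16) & 0x01:      # ether multicast (broadcast included)
        return False
    if pkt.ether_type != 0x0800 or pkt.src is None:    # "net X" is false for non-IP, so "not net X" drops it
        return False
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src in ipaddress.ip_network("224.0.0.0/24") or dst.is_multicast:  # src net 224.0.0 / ip multicast
        return False
    if dst == net.broadcast_address:                   # dst host <local broadcast>
        return False
    return src in net or dst in net                    # "net X" matches either end


# Constructed packets, as an NSM sensor on 172.16.3.0/24 might see them.
SAMPLE_PACKETS = {
    "arp": Packet(0x0806, "ff:ff:ff:ff:ff:ff", None, None),
    "local_to_internet": Packet(0x0800, "00:11:22:33:44:55", "172.16.3.10", "1.2.3.4"),
    "internet_to_local": Packet(0x0800, "00:11:22:33:44:55", "1.2.3.4", "172.16.3.10"),
    "l2_broadcast": Packet(0x0800, "ff:ff:ff:ff:ff:ff", "172.16.3.10", "172.16.3.255"),
    "directed_broadcast": Packet(0x0800, "00:11:22:33:44:55", "1.2.3.4", "172.16.3.255"),
    "multicast": Packet(0x0800, "01:00:5e:00:00:01", "172.16.3.1", "224.0.0.1"),
    "transit": Packet(0x0800, "00:11:22:33:44:55", "1.2.3.4", "2.3.4.5"),
}


def filter_report(local_net="172.16.3.0/24"):
    """Map each sample packet name to the filter's keep/drop decision."""
    return {name: keep_packet(p, local_net) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    print(full_content_filter("172.16.3.0/24"))
    for name, kept in filter_report().items():
        print("%-20s %s" % (name, "keep" if kept else "drop"))
```

The "transit" case is the one the inner "not net" term exists for: traffic that merely passes the sensor between two outside addresses is excluded, so only conversations with at least one local endpoint reach the full-content store.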
Bonus

VLAN Monitoring

Main pipe – VLAN trunk [link-layer header 14 bytes + VLAN tag 4 bytes = 18 bytes]

Some of the open source tools support monitoring a VLAN trunk by default

#>tcpdump -i $INT0 vlan or \(vlan and ip \)

#>fprobe -i$INT0 -f"vlan&&ip" -K18 localhost:2055

#>sancp -80211 -d /nsm/sancp/ -i $INT0 -u sancp -g sancp -c sancp.conf > /var/log/sancp.log

IDSs such as Snort and Bro-IDS support VLANs by default.
NSM Devices Monitoring

+ Prevent packet loss
+ Avoid monitoring tool failures
+ Self-recovery
+ Fully functional 24/7

System utilities

+ Bpfstat
+ Systat ifstat
+ Netstat

Third Party tools

+ Daemon-tools
+ Monit
Reminder

+ The NSM model is flexible to deploy

+ You are not bound by any software or hardware restriction

+ You have alternatives

+ You can improve it over time

+ Enterprise network integration can be done easily
NSM Compliance Open Source Software

Sguil – http://sguil.sf.net

Related Projects

InstantNSM – http://instantnsm.sf.net

Knoppix-NSM – http://www.securixlive.com/knoppix-nsm/

Squert – http://squert.sf.net

OpenNSM
Q & A
Thank you for listening (:])

								