Network Security Monitoring with Open Source Tools

Network Security Monitoring with Open Source Tools Paul Halliday, CANHEIT,
June 12th 2006

Introduction The Accomplishment The creation of a comprehensive Network Monitoring
Solution that adequately services 14 campus locations across the province of Nova Scotia. The Implementation • Budget of under $15,000 (Software and Hardware) • Producing useful results within 4 weeks • Modular and scalable • Low maintenance

Presentation Overview Data - Collection and Processing with Snort and
Flow-tools - Analysis with Sguil (TCL/TK) - Web based Analysis and Reports (PHP/Bash/TCL) Third Party Product Integration (Examples) - McAfee ePolicy Orchestrator - Userlock Sensor and Server Design - OS and Software - Hardware - Deployment

Data Collection and Processing

Alert Data Snort: A Network Intrusion Detection and Prevention System
Sguil: Analysis Console (Sensor Components) Components • Snort in IDS mode - Collects Alert Data • Barnyard - Fast Output Plug-in • sensor_agent - Gateway to Sguild • log_packets - Manages PCAP Data Data Collection

Alert Data How Snort rules work Data Collection Rule Header
Rule Options alert tcp any 1723 -> any any (msg:”VPN - Connection Failed”; flags:R; Classtype:misc-activity; sid:1000001; rev:1;) • Alert Message • When to Fire • Action • Protocol • Source/Destination Address and Ports

Alert Data How Snort rules work Data Collection alert tcp
any 1723 -> any any (msg:”VPN - Connection Failed”; flags:R; Classtype:misc-activity; sid:1000001; rev:1;)

Session Data fprobe: A NetFlow probe (packets that share a
common property) flow-tools: A toolset for working with NetFlow Data Components • fprobe - Export flows • flow-capture - Collect and store • flow-cat, flow-print - Merge and print • flow-filter, flow-nfilter, flow-stat, flow-report - Process based on filters or report definitions Data Collection

Session Data Data Collection Duration Addresses Ports TCP Flags Priority
Traffic Outbound Inbound 5-Tuple. Same source and destination ports. All packets in the same direction.

Session Data Data Collection Traffic Summary Distribution

Data Analysis with Sguil

The Sguil Client: Event Driven Analysis Data Analysis Alert Panes
Information Panes

Sguil Client: Alert Panes Data Analysis

Sguil Client: Rule Details and Packet Data Data Analysis A
Match

Sguil Client: Information Panes Data Analysis IP Resolution Sensor Status
Snort Statistics *

Sguil Client: Transcripts – Adding context to alerts Data Analysis

Sguil Client: Exporting to Ethereal (WireShark) Data Analysis

Sguil Client: Performing Queries Data Analysis

Sguil Client: Generating Reports Data Analysis

Web Based Analysis and Reports

Main Springboard Data Analysis

Main Springboard Site Navigation Site Specifics Campus Tools Data Analysis

Main Springboard: IDS Query Data Analysis Details - PHP based
IDS front-end Data Source - MySQL Database (Sguil)

IDS Query: SQueRT Data Analysis

Main Springboard: ePO Query Data Analysis Details - PHP based
query tool Data Source - MSSQL Database (McAfee ePO)

ePO Query: McAfee ePolicy Orchestrator Data Analysis

ePO Query: McAfee ePolicy Orchestrator Data Analysis Why? - Accessibility
(Offsite) - Simplify common tasks

Main Springboard: FlowViewer Data Analysis Details - Perl based query
tool Data Source - Binary file (Flow-tools)

NetFlow Reports: FlowViewer Data Analysis

Main Springboard: User Lookup Data Analysis Details - PHP based
query tool Data Source - MSSQL Database (Userlock)

User Lookup: UserLock Data Analysis

User Lookup: UserLock Data Analysis Daily Activity

Main Springboard: Traffic Summary Data Analysis Details - TCL generated
summary Data Source - Binary file (Flow-tools)

Traffic Summary: Flow-tools Data Analysis

Main Springboard: Traffic Graphs Data Analysis Details - PHP query
tool Data Source - Binary file (Flow-tools)

Traffic Graphs: Flow-tools Data Analysis

Main Springboard: Summary Report Data Analysis Details - PHP generated
summary Data Source - MySQL (Flow-tools) - MySQL (Sguil) - MSSQL (ePO)

Summary Report Data Analysis

Summary Report Data Analysis Future Possibilities? - More complex graphs
- Further trending - Improved analysis algorithms

EOF Summary • Network Awareness - Automation is not network
awareness - Best practice is not awareness • Robust Solutions - Lower TCO* - Not second rate • Unique development possibilities - perpetuates research - hones existing skills

Operation Overview Data – Collection/Processing

Sensor and Server Design

Hardware Requirements Sensor and Server Design Sensor - Dell Optiplex
GX280 SD - 2.4GHz Processor - 1GB Memory Cost: $700.00 - (2) GB Ethernet Controllers - (1) 80GB SATA Drive Server - Dell Optiplex GX280 SMT* - 2.4GHz Processor - 1GB Memory Cost: $850.00 - (2) GB Ethernet Controllers - (2) 80GB * Potential Scalability Issues

Deployment Sensor and Server Design Span Port - Low cost
(If infrastructure supports it) - Simple Setup - Extra demand on hardware (lost packets) Network TAP - Completely passive - Simple setup - Costly Inline - Offers blocking and other capabilities - Complex setup - Requires decent hardware Cost: $0.00 - $5000.00

Component Protection – Firewall (PF) Sensor and Server Design Sensor
- Inbound from Admins to SSH default port 22 (limit this) - Outbound to Server Server - Inbound from Sensors to Sguil default port 7736 - Inbound from Clients (techs) to Sguil default port 7734 (limit this) - Inbound from Sensors to MySQL default port 3306 - Inbound from Admins to SSH default port 22 (limit this) - Outbound to Sensors

Network Security Monitoring with Open Source Tools

Network Security Monitoring with Open Source Tools

More Decks by paulh

Other Decks in Technology

Featured

Transcript