Slide 1: Network Introspection with Open Source Tools
Brad Lhotsky, [email protected]
Coping with the Failures of Information Security Policy

Slide 2: Reality as a Foundation for Policy
What the policy assumed:
1. Users adjusted to the policy they disagreed with.
2. Users have stopped complaining about security because they understand its importance.
What actually happened:
1. Users found a work-around.
2. Users found that complaining got them no closer to publishing their paper. Users found a friend or family member capable of providing work-arounds.

Slide 3: Policy Can Fail? OMG! SHUT UP!
• Policy is not infallible
• Identify failures
• Discuss failures openly
• Figure out why the failure occurred
• Discuss solutions with affected users

Slide 4: Understanding Failure
• Design != Implementation
• Perception != Reality
• People are lazy
  • This is a good thing, use this
• People like candy
• Eat your own dog food
“The problem with information security in the Federal Government is the people making the decisions bear none of the cost of those decisions.” -- Brad’s friend at DoD

Slide 5: How It’s Designed
[Network diagram with labels: Series of Tubes, Firewalls, Wireless Access, IP Phones, Workstations and Printers, Internal Service Network, DMZ]

Slide 6: 2 Months Later ...
[Network diagram with labels: Series of Tubes, Firewall, Wireless Access, IP Phones, Internal Service Network, DMZ, Workstations and Printers]

Slide 7: Avoiding Failure: More Than Failing to Fail
Wrong: “This is the IT security policy that you will follow in order to maintain access to Internal Networks and Systems.”
Correct: “What tools do you need to successfully attain your goals?”

Slide 8: Find problems where you can fix them
• Start small
• Start local .. you want to be where everyone knows your name ..
• Ask your colleagues, “How can we be more effective?”

Slide 9: Network Introspection: Creating a Self-Aware Network
• Discovery
• Detection
• Evaluation
• Recommendations
• Corrective Actions
• Automated Change Tracking
• Archived Logs, searchable

Slide 10: Open Source Software and some glue, duct tape, and WD-40
• cfengine (Configuration Management)
• Subversion (Code & Configuration Repository)
• JFFNMS (Network Monitoring via SNMP)
• Netdisco (Network Discovery via SNMP, CDP, LLDP)
• Custom libpcap-based detectors at key points in the network (Service Discovery, Traffic Monitoring)
• syslog-ng (Communication Bridge)
• dhcpd (Node Discovery)
• snort (Security Event Detection)
• Windows Event Logs (Correlation / Discovery)
• OSSEC HIDS (Correlation / Detection / Prevention)
• PostgreSQL Database (Storage / Correlation)
• RRDTool (Storage / Visual Analysis)
• Perl (Glue / Duct Tape / WD-40)

Slide 11: The Florida Ballot for President
[Architecture diagram with components: Netdisco, JFFNMS, arpwatch, Perl Script, Master DB, Message Dispatcher, Log Archive, Inventory Component, IDS Component, Service Discovery Agent, Recursive DNS Agent, syslog-ng, System Daemons, snort, dhcpd, Event Logs, sshd]

Slide 12: Bridging the worlds of Policy and Reality
• Add value locally
• Translate that value into global compliance
• Interpret policy with a reality bias

Slide 13: Buzzword Compliance: Centralized Logging, Log Review, Log Archival
• Syslog as transport agent
  • syslog-ng (UNIX)
  • SNARE (Windows)
• Archive logs on a central server (compressed, flat files)
• Important events to database for correlation
• Perl syslog-ng script to dispatch messages to listeners
  • Turns the syslog stream into a subscription-based service
  • Keep track of discovery and authentication events
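The dispatcher described on this slide, as an added example rather than the talk's own script: syslog-ng hands each message to the program over stdin, subscribers register a pattern and a callback, and two subscribers record node discovery (dhcpd) and authentication (sshd) events. The host names, users, addresses, the script path and the sample log lines are all assumptions.

```perl
#!/usr/bin/env perl
# Added example, not code from the talk: a syslog-ng program() destination that
# turns the syslog stream into a subscription service. Subscribers register a
# regex and a callback; every parsed line is offered to each of them.
# Hosts, users, addresses and the sample log lines below are constructed.
use strict;
use warnings;
my %subscribers;       # name => { re => qr//, cb => sub {} }
my (%nodes, %logins);  # discovery (ip => mac) and authentication (user => ip) state
sub subscribe { my ($name, $re, $cb) = @_; $subscribers{$name} = { re => $re, cb => $cb } }
# Minimal RFC 3164 parse: "Mon DD HH:MM:SS host program[pid]: message"
sub parse_syslog {
    my ($line) = @_;
    my ($ts, $host, $prog, $msg) =
        $line =~ /^(\w{3}\s+\d+\s[\d:]{8})\s+(\S+)\s+([^\s:\[]+)(?:\[\d+\])?:\s+(.*)$/
        or return;
    return { ts => $ts, host => $host, prog => $prog, msg => $msg };
}
# Offer one line to every subscriber whose pattern matches "program: message";
# returns how many subscribers took it.
sub dispatch {
    my $ev = parse_syslog(shift) or return 0;
    my $hits = 0;
    for my $s (values %subscribers) {
        my @cap = "$ev->{prog}: $ev->{msg}" =~ $s->{re} or next;
        $s->{cb}->($ev, @cap);
        $hits++;
    }
    return $hits;
}
# Node discovery: dhcpd leases say which MAC currently holds which IP.
subscribe(discovery => qr/^dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17})/i,
    sub { my ($ev, $ip, $mac) = @_; $nodes{$ip} = { mac => lc $mac, seen => $ev->{ts} } });
# Authentication: sshd says which user is behind which IP (Windows event logs via SNARE would feed the same way).
subscribe(auth => qr/^sshd: Accepted \w+ for (\S+) from (\S+) port/,
    sub { my ($ev, $user, $ip) = @_; $logins{$user} = { ip => $ip, host => $ev->{host}, seen => $ev->{ts} } });
# In production read <STDIN>; syslog-ng feeds it via (path assumed):
#   destination d_dispatch { program("/usr/local/bin/dispatch.pl"); };
while (my $line = <DATA>) { chomp $line; dispatch($line) }
for my $user (sort keys %logins) {
    my $ip = $logins{$user}{ip};
    printf "%s logged into %s from %s (MAC %s)\n", $user, $logins{$user}{host}, $ip,
        $nodes{$ip}{mac} // 'unknown';
}
__DATA__
Mar  3 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.4.22 to 00:11:22:33:44:55 via eth0
Mar  3 09:12:40 shell1 sshd[2211]: Accepted publickey for alice from 10.0.4.22 port 52222 ssh2
Mar  3 09:13:02 shell1 sshd[2215]: Failed password for invalid user admin from 10.0.9.9 port 4000 ssh2
```

The third sample line matches no subscriber and is simply dropped, which is the point of the model: the archive keeps every line, while the database and the listeners only see the events someone subscribed to.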

Slide 14: Value Added
Help Desk can locate users.

Slide 15: Added on an Inventory Module for free ..

Slide 16: Intrusion Detection Systems
• Build on what we have
  • Snort through syslog
  • OSSEC-HIDS direct to PostgreSQL
    • http://www.ossec.net
    • Check it out!
• Correlate IDS events to MAC addresses, users, and switch ports
  • Simplifies corrective actions

Slide 17: We wound up with this ..

Slide 18: or even cooler ...

Slide 19: Buzzword Compliance: Configuration Management
• Centralized change management
  • http://www.cfengine.org/
• VCS the cfengine config
  • http://subversion.tigris.org/
• Tag releases for production servers
  • Make tagging easy, “svntag”
• Commit hook to deploy
  • Notify admins of tag
  • Auto-deploy

Slide 20: Proper Application of Leverage
Problem: Skype is banned for using the acronym “P2P” in its service description.
Researchers use Skype for international collaboration.
“Dual Use Technology”

Slide 21: Implement “Compensating Controls”
[Flowchart, “Automated Skype Tracking”: Snort IDS with a Skype signature -> Syslog Archive -> Security Console -> Usage Tracker (Skype Users) -> New User? YES: New User Notification (User Notification: Rules of Behavior; Sys Admin Notification: Notification of Skype Usage). No: Monthly Skype Reports (Sys Admin Notification: Monthly Usage Summary; User Notification: Rules of Behavior Refresher). NIA/IRP]
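The usage tracker in this flowchart, together with the IDS-to-MAC/user/switch-port correlation from slide 16, as an added example that is not the talk's code: snort alerts relayed over syslog are matched against the Skype signature, the source IP is resolved through constructed lookup tables standing in for the master DB, first-time users trigger the two notifications, and a monthly report summarises usage per user. The signature id, the tables, the year and the alert lines are all assumptions.

```perl
#!/usr/bin/env perl
# Added example, not the talk's code: the "Automated Skype Tracking" flow as a
# usage tracker fed by snort alerts that arrive over syslog. Each alert's source
# IP is correlated to a MAC (dhcpd/arpwatch), a user (Windows event logs) and a
# switch port (Netdisco); a first-time user triggers the Rules of Behavior and
# sysadmin notifications, and every alert feeds the monthly summary.
# The lookup tables, signature id and alert lines are all constructed.
use strict;
use warnings;
my %ip2mac   = ('10.0.4.22' => '00:11:22:33:44:55', '10.0.4.23' => '00:11:22:33:44:66');
my %mac2user = ('00:11:22:33:44:55' => 'alice',     '00:11:22:33:44:66' => 'bob');
my %ip2port  = ('10.0.4.22' => 'sw1 Gi0/12',        '10.0.4.23' => 'sw1 Gi0/13');
my %known;    # user => number of alerts seen (0 before the first: the "New User?" decision)
my %monthly;  # "YYYY-MM" => { user => alert count }
my @notices;  # outbound notifications (stand-in for the mail gateway)
my %mon = (Jan=>1,Feb=>2,Mar=>3,Apr=>4,May=>5,Jun=>6,Jul=>7,Aug=>8,Sep=>9,Oct=>10,Nov=>11,Dec=>12);
# One snort alert as relayed by syslog: "<date> <host> snort[pid]: [gid:sid:rev] <msg> {PROTO} src:port -> dst:port"
sub track_alert {
    my ($line) = @_;
    my ($m, $sid, $msg, $src) =
        $line =~ /^(\w{3})\s+\d+\s[\d:]{8}\s\S+\ssnort(?:\[\d+\])?:\s\[\d+:(\d+):\d+\]\s(.+?)\s\{\w+\}\s([\d.]+):\d+\s->/
        or return;
    return unless $msg =~ /skype/i;   # only the Skype signature feeds this tracker
    my $mac  = $ip2mac{$src}   // 'unknown-mac';
    my $user = $mac2user{$mac} // "unknown\@$src";
    my $port = $ip2port{$src}  // 'unknown-port';
    # syslog timestamps carry no year; the collector supplies it (constructed: 2008)
    my $month = sprintf '2008-%02d', $mon{$m};
    $monthly{$month}{$user}++;
    unless ($known{$user}++) {        # first sighting: notify the user and the sysadmin
        push @notices, "to $user: Skype use seen from $src ($mac on $port); Rules of Behavior attached";
        push @notices, "to sysadmin: new Skype user $user on $port (sid $sid)";
    }
    return { user => $user, mac => $mac, port => $port, month => $month };
}
# Monthly Skype report: usage summary for the sysadmin, refresher for each user.
sub monthly_report {
    my ($month) = @_;
    my $u = $monthly{$month} // {};
    return map { "$month: $_ had $u->{$_} Skype session(s); Rules of Behavior refresher sent" } sort keys %$u;
}
while (my $line = <DATA>) { chomp $line; track_alert($line) }
print "$_\n" for @notices, monthly_report('2008-03');
__DATA__
Mar  3 09:20:11 ids1 snort[1204]: [1:1000001:1] LOCAL Skype login [Priority: 3] {UDP} 10.0.4.22:3456 -> 192.0.2.10:33033
Mar  3 13:02:45 ids1 snort[1204]: [1:1000001:1] LOCAL Skype login [Priority: 3] {UDP} 10.0.4.22:3456 -> 192.0.2.11:33033
Mar  4 10:15:09 ids1 snort[1204]: [1:1000001:1] LOCAL Skype login [Priority: 3] {UDP} 10.0.4.23:4012 -> 192.0.2.12:33033
Mar  4 10:16:00 ids1 snort[1204]: [1:1000002:1] LOCAL some other signature [Priority: 3] {TCP} 10.0.9.9:5555 -> 10.0.4.1:80
```

Alice's second alert on the same day adds to her monthly count but sends no second notification, which is what keeps the control from becoming a nuisance to the researchers it is meant to accommodate.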

Slide 22: Step 3: Profit
• Researchers can Skype
• Policy makers have to play by their own rules
• Perl saved the day!

Slide 23: Don’t be evil.
• Users do want to be secure
• Users want the company to succeed
• Insiders really aren’t the biggest threat
• Build trust with users & customers

Slide 24: Am I Crazy? Discuss.
Brad Lhotsky
http://divisionbyzero.net
http://xkcd.com/325

Slide 25: Bonus Materials

Slide 26: “Uhm, Isn’t Perl Dead?”
See Michael Schwern’s “Perl is Undead”: http://tinyurl.com/52ozwh
• The CPAN continues to grow
• ACT conferences
  • http://act.mongueurs.net/conferences.html
• Catalyst (MVC web framework)
  • http://catalyst.perl.org
• POE (event-driven programming framework)
  • http://poe.perl.org
• DBIx::Class / Rose::DB (ORM)
• Duke Nukem Forever^W^W^W Perl 6

Slide 27: Business Decisions
• Metrics
  • Measure success / failure
• Financial assessment
  • Pinpoint direct and indirect costs and benefits
  • Policy makers should bear a percentage of direct and indirect expenses
• Confidence
  • Guarantee / warranty
  • SLA

Slide 28: Information Security Failures at NIH
• Password Policy
• 100% Laptop Encryption
• Overzealous Centralization
• FDCC Interpretation (NIST)
• 15 Minute Inactivity Time Out
• Certification & Accreditation
• Permanent Auto-Block IPS
• Feedback Importance
• HHS Policy Implementation
• No Service Level Agreement
• NIH AD Authentication Logs
• NIH VPN Authentication Logs