Network Introspection with Open Source Tools Brad Lhotsky lhotskyb@mail.nih.gov Coping with the Failures of Information Security Policy 1

Reality as a Foundation for Policy 1. Users adjusted to the Policy they disagreed with 2. Users have stopped complaining about security because they understand its importance 1. Users found a work- around 2. Users found that complaining got them no closer to publishing their paper. Users found a friend or family member capable of providing work arounds 2

Policy Can Fail? OMG! SHUT UP! • Policy is not infallible • Identify Failures • Discuss Failures Openly • Figure out why failure occurred • Discuss solutions with affected users 3

Understanding Failure • Design != Implementation • Perception != Reality • People are lazy • This is a good thing, use this • People like candy • Eat your own dog food “The problem with information security in the Federal Government is the people making the decisions bear none of the cost of those decisions.” -- Brad’s Friend at DoD 4

How It’s Designed Series of Tubes Firewalls Wireless Access IP Phones Workstations and Printers Internal Service Network DMZ 5

2 Months Later ... Series of Tubes Firewall Wireless Access IP Phones Internal Service Network DMZ Workstations and Printers 6

Avoiding Failure: More Than Failing to Fail Wrong: “This is the IT security policy that you will follow in order to maintain access to Internal Networks and Systems.” Correct: “What tools do you need to successfully attain your goals?” 7

Find problems where you can fix them Start small Start local ..You want to be where everyone knows your name .. Ask your colleagues, “How can we be more effective?” 8

Network Introspection Creating a Self-Aware Network • Discovery • Detection • Evaluation • Recommendations • Corrective Actions • Automated Change Tracking • Archived Logs, searchable 9

Open Source Software and some glue, duct tape, and WD-40 • cfengine (Configuration Management) • Subversion (Code & Configuration Repository) • JFFNMS (Network Monitoring via SNMP) • Netdisco (Network Discovery via SNMP, CDP, LLDP) • Custom libpcap based detectors at key points in the network (Service Discovery, Traffic Monitoring) • syslog-ng (Communication Bridge) • dhcpd (Node Discovery) • snort (Security Event Detection) • Windows Event Logs (Correlation / Discovery) • OSSEC HIDS (Correlation / Detection / Prevention) • PostgreSQL Database (Storage / Correlation) • RRDTool (Storage / Visual Analysis) • Perl (Glue / Duct Tape / WD-40) 10

Netdisco JFFNMS arpwatch Perl Script Master DB Message Dispatcher Log Archive Inventory Component IDS Component Service Discovery Agent Recursive DNS Agent syslog-ng System Daemons snort dhcpd Event Logs sshd The Florida Ballot for President 11

Bridging the worlds of Policy and Reality Add value locally Translate that value into global compliance Interpret Policy with a Reality Bias 12

Buzzword Compliance: Centralized Logging Log Review Log Archival • Syslog as Transport Agent • syslog-ng (UNIX) • SNARE (Windows) • Archive Logs on Central Server (Compressed, Flat Files) • Important Events to Database for Correlation • Perl syslog-ng script to dispatch messages to listeners • Turns syslog stream into a subscription based service • Keep track of discovery and authentication events 13

Help Desk can locate Users Value Added 14

Added on an Inventory Module for free .. 15

Intrusion Detection Systems • Build on what we have • Snort through syslog • OSSEC-HIDS direct to PostgreSQL • http://www.ossec.net • Check it out! • Correlate IDS Events to MAC Addrs, Users, and Switch Ports • Simplifies Corrective Actions 16

We wound up with this .. 17

or even cooler ... 18

Buzzword Compliance: Configuration Management • Centralized Change Management • http://www.cfengine.org/ • VCS the cfengine config • http://subversion.tigris.org/ • Tag Releases for Production Servers • Make tagging easy, “svntag” • Commit hook to deploy • Notify Admins of Tag • Auto-deploy 19

Proper Application of Leverage Problem: Skype is Banned for using the acronym “P2P” in service description. Researchers use Skype for International Collaboration. “Dual Use Technology” 20

Implement “Compensating Controls” Snort IDS Security Console Skype Singature Syslog Archive New User? New User Notification Usage Tracker Skype Users Monthly Skype Reports User Notification Rules of Behavior ? Sys Admin Notification Notification of Skype Usage Sys Admin Notification Monthly Usage Summary User Notification Rules of Behavior Refresher ? YES No NIA/IRP Automated Skype Tracking 21

Step 3: Profit • Researchers can Skype • Policy Makers have to play by their own rules • Perl saved the day! 22

Don’t be evil. Users do want to be secure Users want the company to succeed Insiders really aren’t the biggest threat Build trust with users & customers 23

Am I Crazy? Discuss. Brad Lhotsky http://divisionbyzero.net http://xkcd.com/325 24

Bonus Materials 25

“Uhm, Isn’t Perl Dead?” See Michael Schwern’s Perl is Undead URL: http://tinyurl.com/52ozwh • The CPAN continues to grow • ACT Conferences • http://act.mongueurs.net/conferences.html • Catalyst (MVC Web Framework) • http://catalyst.perl.org • POE (Event Driven Programming Framework) • http://poe.perl.org • DBIx::Class / Rose::DB (ORM) • Duke Nukem Forever^W^W^W Perl 6 26

Business Decisions •Metrics •Measure Success / Failure •Financial Assessment •Pin Point Direct and Indirect costs and benefits •Policy Makers should bear a percentage of direct and indirect expenses •Confidence •Guarantee / Warranty •SLA 27

Information Security Failures at NIH Password Policy 100% Laptop Encryption Overzealous Centralization FDCC Interpretation (NIST) 15 Minute Inactivity Time Out Certification & Accreditation Permanent Auto-Block IPS Feedback Importance HHS Policy Implementation No Service Level Agreement NIH AD Authentication Logs NIH VPN Authentication Logs 28