Slide 1

Network Security Monitoring with Open Source Tools
Paul Halliday, CANHEIT, June 12th 2006

Slide 2

Introduction

The Accomplishment
The creation of a comprehensive Network Monitoring Solution that adequately services 14 campus locations across the province of Nova Scotia.

The Implementation
• Budget of under $15,000 (software and hardware)
• Producing useful results within 4 weeks
• Modular and scalable
• Low maintenance

Slide 3

Presentation Overview

Data
- Collection and Processing with Snort and Flow-tools
- Analysis with Sguil (TCL/TK)
- Web based Analysis and Reports (PHP/Bash/TCL)
Third Party Product Integration (Examples)
- McAfee ePolicy Orchestrator
- Userlock
Sensor and Server Design
- OS and Software
- Hardware
- Deployment

Slide 4

Data Collection and Processing

Slide 5

Alert Data (Data Collection)

Snort: A Network Intrusion Detection and Prevention System
Sguil: Analysis Console

Sensor Components
• Snort in IDS mode - collects alert data
• Barnyard - fast output plug-in (spools Snort's unified output off the capture path and forwards it, so Snort never blocks on alert delivery)
• sensor_agent - gateway to sguild
• log_packets - manages PCAP data

Slide 6

Alert Data - How Snort rules work (Data Collection)

alert tcp any 1723 -> any any (msg:"VPN - Connection Failed"; flags:R; classtype:misc-activity; sid:1000001; rev:1;)

Rule Header (everything before the parentheses)
• Action (alert)
• Protocol (tcp)
• Source/Destination Address and Ports (any 1723 -> any any: from source port 1723, PPTP, to anywhere)
Rule Options (inside the parentheses)
• Alert Message (msg)
• When to Fire (flags:R, a packet with only the RST flag set)

Slide 7

Alert Data - How Snort rules work (Data Collection)

alert tcp any 1723 -> any any (msg:"VPN - Connection Failed"; flags:R; classtype:misc-activity; sid:1000001; rev:1;)
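As an added example (not part of the deck), the rule above taken apart with the sed and awk a sensor admin already has on the box. The only input is the rule text copied from the slide; nothing else is assumed. The last function checks the convention that locally written rules use sid 1,000,000 and up so they never collide with the sids of the distributed rule sets, which this rule follows.

```shell
#!/bin/sh
# Added example (not from the original deck): split a Snort rule into its
# header and option fields. RULE is the local rule shown on the slide.
RULE='alert tcp any 1723 -> any any (msg:"VPN - Connection Failed"; flags:R; classtype:misc-activity; sid:1000001; rev:1;)'

# Rule header: the text before the first "(" -
# action protocol src_addr src_port direction dst_addr dst_port
snort_header() {
    printf '%s\n' "$1" | sed 's/ *(.*$//'
}

# One header field by position:
# 1=action 2=protocol 3=src 4=sport 5=direction 6=dst 7=dport
snort_header_field() {
    snort_header "$1" | awk -v n="$2" '{ print $n }'
}

# Rule options: the "keyword:value" pairs inside the parentheses, one per line
snort_options() {
    printf '%s\n' "$1" | sed 's/^[^(]*(//; s/)[^)]*$//' |
        awk -F';' '{ for (i = 1; i <= NF; i++) { gsub(/^ +| +$/, "", $i); if ($i != "") print $i } }'
}

# Value of one option keyword, with surrounding quotes removed
snort_option() {
    snort_options "$1" | awk -F: -v k="$2" '$1 == k { sub(/^[^:]*:/, ""); gsub(/^"|"$/, ""); print; exit }'
}

# Convention check: local rules use sid >= 1000000. Prints yes or no.
local_sid_ok() {
    sid=$(snort_option "$1" sid)
    [ -n "$sid" ] && [ "$sid" -ge 1000000 ] && echo yes || echo no
}

# Stand-alone usage
echo "action=$(snort_header_field "$RULE" 1) proto=$(snort_header_field "$RULE" 2) sport=$(snort_header_field "$RULE" 4)"
snort_options "$RULE"
echo "local sid: $(local_sid_ok "$RULE")"
```

One thing worth knowing about the trigger: flags:R matches a packet whose only flag is RST. A closed port answers a SYN with RST/ACK, which this rule does not match; flags:R+ (RST plus any other flag) or flags:RA would. Which is wanted depends on what "connection failed" is meant to catch.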

Slide 8

Session Data (Data Collection)

fprobe: A NetFlow probe. A flow is a set of packets that share a common property (the 5-tuple on the next slide).
flow-tools: A toolset for working with NetFlow data

Components
• fprobe - export flows
• flow-capture - collect and store
• flow-cat, flow-print - merge and print
• flow-filter, flow-nfilter, flow-stat, flow-report - process based on filters or report definitions

Slide 9

Session Data (Data Collection)

Fields in a flow record: Duration, Addresses, Ports, TCP Flags
Figure labels: Priority Traffic, Outbound, Inbound
5-Tuple (source address, destination address, source port, destination port, protocol): same source and destination ports, all packets in the same direction. A flow is unidirectional, so one TCP session produces two flow records, one for each direction.

Slide 10

Session Data (Data Collection): Traffic Summary Distribution
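An added example, not the deck's own summary script: the direction split and top-talker figures of a traffic summary computed with awk over flow-print style records. The six records are constructed (external addresses from the documentation ranges), and the local prefix 10.10. and the mail relay 10.10.1.25 are assumptions. The last function is the kind of check session data allows that alert data cannot: a workstation sending SMTP straight to the Internet instead of through the site relay, with no signature needed.

```shell
#!/bin/sh
# Added example (not from the original deck). Input is constructed text in
# the column order of flow-print's default output
# (srcIP dstIP prot srcPort dstPort octets packets); in production it would
# come from:  flow-cat /var/db/flows/2006-06-12 | flow-print
# The addresses and the 10.10. local prefix are assumed.
FLOWS='srcIP            dstIP            prot  srcPort  dstPort  octets      packets
10.10.1.20       203.0.113.5      6     49152    80       1500        12
203.0.113.5      10.10.1.20       6     80       49152    48000       40
10.10.1.21       198.51.100.9     6     49153    443      2200        15
198.51.100.9     10.10.1.21       6     443      49153    91000       70
10.10.1.22       203.0.113.77     6     49154    25       5800        9
10.10.1.20       10.10.1.5        17    5353     5353     400         2'

# Octets per direction relative to the local prefix ($1). Flows are
# unidirectional, so a TCP session shows up as two records, one each way.
flow_direction_totals() {
    awk -v pfx="$1" '
        $1 == "srcIP" { next }                         # flow-print column header
        { sl = (index($1, pfx) == 1); dl = (index($2, pfx) == 1) }
        sl && !dl { outb += $6 }
        !sl && dl { inb += $6 }
        sl && dl  { internal += $6 }
        END { printf "inbound %d\noutbound %d\ninternal %d\n", inb, outb, internal }'
}

# Top $2 external hosts by octets in either direction ("top talkers")
top_external_hosts() {
    awk -v pfx="$1" '
        $1 == "srcIP" { next }
        { sl = (index($1, pfx) == 1); dl = (index($2, pfx) == 1) }
        sl && !dl { bytes[$2] += $6 }
        !sl && dl { bytes[$1] += $6 }
        END { for (h in bytes) printf "%d %s\n", bytes[h], h }' |
        sort -rn | head -n "$2"
}

# Local hosts talking SMTP (tcp/25) directly to the Internet, bypassing the
# relay ($2): prints source, destination and octets for each such flow.
direct_to_mx() {
    awk -v pfx="$1" -v relay="$2" '
        $1 == "srcIP" { next }
        index($1, pfx) == 1 && index($2, pfx) != 1 && $3 == 6 && $5 == 25 && $1 != relay {
            print $1, $2, $6
        }'
}

# Stand-alone usage
printf '%s\n' "$FLOWS" | flow_direction_totals 10.10.
printf '%s\n' "$FLOWS" | top_external_hosts 10.10. 3
printf '%s\n' "$FLOWS" | direct_to_mx 10.10. 10.10.1.25
```

The column layout of flow-print depends on its -f format option; the functions assume the default seven-column layout, so pick the matching field numbers when using another format. An export/collect pair for a sensor, with interface and port assumed, would look like `fprobe -i em1 server:9995` on the sensor and `flow-capture -w /var/db/flows 0/0/9995` on the collector.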

Slide 11

Data Analysis with Sguil

Slide 12

The Sguil Client: Event Driven Analysis (Data Analysis)
- Alert Panes
- Information Panes

Slide 13

Sguil Client: Alert Panes (Data Analysis)

Slide 14

Sguil Client: Rule Details and Packet Data (Data Analysis) - A Match

Slide 15

Sguil Client: Information Panes (Data Analysis)
- IP Resolution
- Sensor Status
- Snort Statistics *

Slide 16

Sguil Client: Transcripts - Adding context to alerts (Data Analysis)

Slide 17

Sguil Client: Exporting to Ethereal (now Wireshark) (Data Analysis)

Slide 18

Sguil Client: Performing Queries (Data Analysis)

Slide 19

Sguil Client: Generating Reports (Data Analysis)

Slide 20

Web Based Analysis and Reports

Slides 21-22

Main Springboard (Data Analysis)

Slide 23

Main Springboard (Data Analysis)
- Site Navigation
- Site Specifics
- Campus Tools

Slide 24

Main Springboard: IDS Query (Data Analysis)
Details: PHP based IDS front-end
Data Source: MySQL database (Sguil)

Slides 25-28

IDS Query: SQueRT (Data Analysis)

Slide 29

Main Springboard: ePO Query (Data Analysis)
Details: PHP based query tool
Data Source: MSSQL database (McAfee ePO)

Slides 30-31

ePO Query: McAfee ePolicy Orchestrator (Data Analysis)
Why?
- Accessibility (offsite)
- Simplify common tasks

Slide 32

Main Springboard: FlowViewer (Data Analysis)
Details: Perl based query tool
Data Source: binary files (Flow-tools)

Slides 33-37

NetFlow Reports: FlowViewer (Data Analysis)

Slide 38

Main Springboard: User Lookup (Data Analysis)
Details: PHP based query tool
Data Source: MSSQL database (Userlock)

Slides 39-40

User Lookup: UserLock (Data Analysis) - Daily Activity

Slide 41

Main Springboard: Traffic Summary (Data Analysis)
Details: TCL generated summary
Data Source: binary files (Flow-tools)

Slides 42-43

Traffic Summary: Flow-tools (Data Analysis)

Slide 44

Main Springboard: Traffic Graphs (Data Analysis)
Details: PHP query tool
Data Source: binary files (Flow-tools)

Slides 45-46

Traffic Graphs: Flow-tools (Data Analysis)

Slide 47

Main Springboard: Summary Report (Data Analysis)
Details: PHP generated summary
Data Sources: MySQL (Flow-tools), MySQL (Sguil), MSSQL (ePO)

Slides 48-50

Summary Report (Data Analysis)
Future Possibilities?
- More complex graphs
- Further trending
- Improved analysis algorithms

Slide 51

EOF Summary
• Network Awareness
- Automation is not network awareness
- Best practice is not awareness
• Robust Solutions
- Lower TCO*
- Not second rate
• Unique development possibilities
- Perpetuates research
- Hones existing skills

Slide 52

Operation Overview: Data - Collection/Processing

Slide 53

Sensor and Server Design

Slide 54

Hardware Requirements (Sensor and Server Design)

Sensor - Dell Optiplex GX280 SD, cost $700.00
- 2.4GHz processor
- 1GB memory
- (2) Gigabit Ethernet controllers
- (1) 80GB SATA drive

Server - Dell Optiplex GX280 SMT*, cost $850.00
- 2.4GHz processor
- 1GB memory
- (2) Gigabit Ethernet controllers
- (2) 80GB drives

* Potential scalability issues

Slide 55

Deployment (Sensor and Server Design)

Span Port
- Low cost (if the infrastructure supports it)
- Simple setup
- Extra demand on the switch (an oversubscribed span port drops packets, so the sensor never sees them)
Network TAP
- Completely passive
- Simple setup
- Costly
Inline
- Offers blocking and other capabilities
- Complex setup
- Requires decent hardware
Cost: $0.00 - $5000.00

Slide 56

Component Protection - Firewall (PF) (Sensor and Server Design)

Sensor
- Inbound from Admins to SSH, default port 22 (limit this)
- Outbound to Server
Server
- Inbound from Sensors to Sguil, default port 7736
- Inbound from Clients (techs) to Sguil, default port 7734 (limit this)
- Inbound from Sensors to MySQL, default port 3306
- Inbound from Admins to SSH, default port 22 (limit this)
- Outbound to Sensors
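An added example of what the server half of that slide looks like as a pf.conf; it is not the deck's own configuration. The interface name em0, the admin, sensor and analyst addresses, the choice of ssh as the "outbound to sensors" traffic and the rate limit on ssh are all assumptions; the ports are the ones the slide lists. The sensor's file is the mirror image: pass in ssh from the admin table, pass out to the server on 7736 and 3306, and block everything else.

```pf
# Added example pf.conf for the Sguil server (not from the original deck).
# em0 and every address below are assumed; the ports are those on the slide.
ext_if = "em0"
table <admins>     { 10.10.0.10, 10.10.0.11 }            # assumed admin workstations
table <sensors>    { 10.20.0.5, 10.21.0.5, 10.22.0.5 }   # assumed, one sensor per campus
table <analysts>   { 10.10.0.0/24 }                      # assumed technician subnet
table <bruteforce> persist                               # filled by the overload rule below

set skip on lo0
set block-policy drop

# Default deny in both directions; log drops so they can be reviewed.
block log all
block in quick from <bruteforce>

# "Outbound to Sensors": assumed to be management ssh from the server.
pass out on $ext_if proto tcp to <sensors> port 22 flags S/SA keep state

# "Inbound from Sensors": sguild (7736) and MySQL (3306).
pass in on $ext_if proto tcp from <sensors> to ($ext_if) port { 7736, 3306 } flags S/SA keep state

# "Inbound from Clients (techs)": the Sguil client port, limited to the analyst subnet.
pass in on $ext_if proto tcp from <analysts> to ($ext_if) port 7734 flags S/SA keep state

# "Inbound from Admins to SSH (limit this)": admin hosts only, and a host that
# opens more than 5 connections in 30 seconds is moved into <bruteforce>.
pass in on $ext_if proto tcp from <admins> to ($ext_if) port 22 flags S/SA \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because the policy is default deny, anything else the server needs (DNS, NTP, package updates) gets its own pass out rule rather than a relaxation of `block log all`; on the sensor the sniffing interface needs no pass rules at all, since bpf hands Snort the packets before pf filters them.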