Peeling back your Network Layers with Security Onion

Slide 1

Slide 1 text

Peeling Your Network Layers With { _id: “Mark Hillick”, “company”: “Kybeire” } Friday 23 November 12

Slide 2

Slide 2 text

> db.whoam.findOne() { "contact": { "email": "mark@kybeire.com", "web": "www.hackeire.net", "twitter": "markofu" }, "work" : { "10gen" : "MongoDB" }, "cert" : { "GIAC GSE" : true }, "state" : { "Nervous" : true, "Relaxed" : false }, "tags" : [ { "securityonion" : 1}, {"tcp" : 1} , {"ids" : 1}, {"packet analysis" : 1}, {"defensive fun" : 1}, {"nsm" : 1} ], "try-to-help" : [ { "IrissCert" : "not very well"} , {"Security Onion" : "not well enough"} ] } Friday 23 November 12

Slide 3

Slide 3 text

Last Presentation - need humour!!! Or at least an attempt at it :) SO @ IrissCon Friday 23 November 12

Slide 4

Slide 4 text

Four Things This talk is NOT an IDS talk! This talk will be fairly technical :) And fast :) If you don’t like Lego or Star Wars, you might want to leave Friday 23 November 12

Slide 5

Slide 5 text

Creator Doug Burks - the guy is incredible, he does not sleep :) Grew out of SANS Gold Paper Wanted to help make Sguil & NSM “easier” to deploy! Friday 23 November 12

Slide 6

Slide 6 text

Security Onion is a Linux distro for IDS (Intrusion Detection) & NSM (Network Security Monitoring). New version => all Ubuntu-type 12.04 distros [LTS], 32 & 64 bit Old version => Xubuntu 10.04 [LTS], 32 bit only Contains many security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes! Open-Source : so it’s all there!!!! So, what is it? Friday 23 November 12

Slide 7

Slide 7 text

Traditionally DEFENCE-IN-DEPTH Layers, layers & more layers: Firewalls; IDS/IPS; WAF Restrict inbound, allow all outbound Different FW tech ACLs on Routers But what is going on? Friday 23 November 12

Slide 8

Slide 8 text

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid: 2101390; rev:7;) IDS Alert, what now? Friday 23 November 12

Slide 9

Slide 9 text

NSM, Old-Style :( WTF??????? Ah man, this sucks! grep this, awk that, sed this, pipe to cvs, scp & open excel :( Then make pretty for mgmt :) Friday 23 November 12

Slide 10

Slide 10 text

State of IDS Source: http://img2.moonbuggy.org/imgstore/doorstop.jpg Friday 23 November 12

Slide 11

Slide 11 text

State of IDS Source: http://img2.moonbuggy.org/imgstore/doorstop.jpg Friday 23 November 12

Slide 12

Slide 12 text

NSM != IDS Clarity!!! “the collection, analysis, and escalation of indications and warnings (I&W) to detect and respond to intrusions” Richard Bejtlich, TaoSecurity Blog http://taosecurity.blogspot.com/2007/04/networksecurity- monitoring-history.html NSM Friday 23 November 12

Slide 13

Slide 13 text

NSM, ONION-STYLE :) Friday 23 November 12

Slide 14

Slide 14 text

NSM, ONION-STYLE :) Friday 23 November 12

Slide 15

Slide 15 text

NSM, ONION-STYLE :) Friday 23 November 12

Slide 16