Network Introspection with Open Source Tools

Transcript

1. Network Introspection with Open Source Tools Brad Lhotsky [email protected] Coping

   with the Failures of Information Security Policy 1

2. Reality as a Foundation for Policy 1. Users adjusted to

   the Policy they disagreed with 2. Users have stopped complaining about security because they understand its importance 1. Users found a work- around 2. Users found that complaining got them no closer to publishing their paper. Users found a friend or family member capable of providing work arounds 2

3. Policy Can Fail? OMG! SHUT UP! • Policy is not

   infallible • Identify Failures • Discuss Failures Openly • Figure out why failure occurred • Discuss solutions with affected users 3

4. Understanding Failure • Design != Implementation • Perception != Reality

   • People are lazy • This is a good thing, use this • People like candy • Eat your own dog food “The problem with information security in the Federal Government is the people making the decisions bear none of the cost of those decisions.” -- Brad’s Friend at DoD 4

5. How It’s Designed Series of Tubes Firewalls Wireless Access IP

   Phones Workstations and Printers Internal Service Network DMZ 5

6. 2 Months Later ... Series of Tubes Firewall Wireless Access

   IP Phones Internal Service Network DMZ Workstations and Printers 6

7. Avoiding Failure: More Than Failing to Fail Wrong: “This is

   the IT security policy that you will follow in order to maintain access to Internal Networks and Systems.” Correct: “What tools do you need to successfully attain your goals?” 7

8. Find problems where you can fix them Start small Start

   local ..You want to be where everyone knows your name .. Ask your colleagues, “How can we be more effective?” 8

9. Network Introspection Creating a Self-Aware Network • Discovery • Detection

   • Evaluation • Recommendations • Corrective Actions • Automated Change Tracking • Archived Logs, searchable 9

10. Open Source Software and some glue, duct tape, and WD-40

    • cfengine (Configuration Management) • Subversion (Code & Configuration Repository) • JFFNMS (Network Monitoring via SNMP) • Netdisco (Network Discovery via SNMP, CDP, LLDP) • Custom libpcap based detectors at key points in the network (Service Discovery, Traffic Monitoring) • syslog-ng (Communication Bridge) • dhcpd (Node Discovery) • snort (Security Event Detection) • Windows Event Logs (Correlation / Discovery) • OSSEC HIDS (Correlation / Detection / Prevention) • PostgreSQL Database (Storage / Correlation) • RRDTool (Storage / Visual Analysis) • Perl (Glue / Duct Tape / WD-40) 10

11. Netdisco JFFNMS arpwatch Perl Script Master DB Message Dispatcher Log

    Archive Inventory Component IDS Component Service Discovery Agent Recursive DNS Agent syslog-ng System Daemons snort dhcpd Event Logs sshd The Florida Ballot for President 11

12. Bridging the worlds of Policy and Reality Add value locally

    Translate that value into global compliance Interpret Policy with a Reality Bias 12

13. Buzzword Compliance: Centralized Logging Log Review Log Archival • Syslog

    as Transport Agent • syslog-ng (UNIX) • SNARE (Windows) • Archive Logs on Central Server (Compressed, Flat Files) • Important Events to Database for Correlation • Perl syslog-ng script to dispatch messages to listeners • Turns syslog stream into a subscription based service • Keep track of discovery and authentication events 13

14. Help Desk can locate Users Value Added 14

15. Added on an Inventory Module for free .. 15

16. Intrusion Detection Systems • Build on what we have •

    Snort through syslog • OSSEC-HIDS direct to PostgreSQL • http://www.ossec.net • Check it out! • Correlate IDS Events to MAC Addrs, Users, and Switch Ports • Simplifies Corrective Actions 16

17. We wound up with this .. 17

18. or even cooler ... 18

19. Buzzword Compliance: Configuration Management • Centralized Change Management • http://www.cfengine.org/

    • VCS the cfengine config • http://subversion.tigris.org/ • Tag Releases for Production Servers • Make tagging easy, “svntag” • Commit hook to deploy • Notify Admins of Tag • Auto-deploy 19

20. Proper Application of Leverage Problem: Skype is Banned for using

    the acronym “P2P” in service description. Researchers use Skype for International Collaboration. “Dual Use Technology” 20

21. Implement “Compensating Controls” Snort IDS Security Console Skype Singature Syslog

    Archive New User? New User Notification Usage Tracker Skype Users Monthly Skype Reports User Notification Rules of Behavior ? Sys Admin Notification Notification of Skype Usage Sys Admin Notification Monthly Usage Summary User Notification Rules of Behavior Refresher ? YES No NIA/IRP Automated Skype Tracking 21

22. Step 3: Profit • Researchers can Skype • Policy Makers

    have to play by their own rules • Perl saved the day! 22

23. Don’t be evil. Users do want to be secure Users

    want the company to succeed Insiders really aren’t the biggest threat Build trust with users & customers 23

24. Am I Crazy? Discuss. Brad Lhotsky http://divisionbyzero.net http://xkcd.com/325 24

25. Bonus Materials 25

26. “Uhm, Isn’t Perl Dead?” See Michael Schwern’s Perl is Undead

    URL: http://tinyurl.com/52ozwh • The CPAN continues to grow • ACT Conferences • http://act.mongueurs.net/conferences.html • Catalyst (MVC Web Framework) • http://catalyst.perl.org • POE (Event Driven Programming Framework) • http://poe.perl.org • DBIx::Class / Rose::DB (ORM) • Duke Nukem Forever^W^W^W Perl 6 26

27. Business Decisions •Metrics •Measure Success / Failure •Financial Assessment •Pin

    Point Direct and Indirect costs and benefits •Policy Makers should bear a percentage of direct and indirect expenses •Confidence •Guarantee / Warranty •SLA 27

28. Information Security Failures at NIH Password Policy 100% Laptop Encryption

    Overzealous Centralization FDCC Interpretation (NIST) 15 Minute Inactivity Time Out Certification & Accreditation Permanent Auto-Block IPS Feedback Importance HHS Policy Implementation No Service Level Agreement NIH AD Authentication Logs NIH VPN Authentication Logs 28