Title: Network Security Monitoring with Open Source Tools
Network Security Monitoring with Open Source Tools
- Paul Halliday, CANHEIT, June 12th 2006
Introduction
- The Accomplishment
- - The creation of a comprehensive Network Monitoring Solution that adequately services 14 campus locations across the province of Nova Scotia.
- The Implementation
- - Budget of under 15,000 (Software and Hardware)
- - Producing useful results within 4 weeks
- - Modular and scalable
- - Low maintenance
Presentation Overview
- Data
- - Collection and Processing with Snort and Flow-tools
- - Analysis with Sguil (TCL/TK)
- - Web based Analysis and Reports (PHP/Bash/TCL)
- Third Party Product Integration (Examples)
- - McAfee ePolicy Orchestrator
- - Userlock
- Sensor and Server Design
- - OS and Software
- - Hardware
- - Deployment
Data Collection and Processing
Alert Data
Data Collection
- Snort: a Network Intrusion Detection and Prevention System
- Sguil: Analysis Console (Sensor Components)
- Components
- - Snort in IDS mode: Collects Alert Data
- - Barnyard: Fast Output Plug-in
- - sensor_agent: Gateway to Sguild
- - log_packets: Manages PCAP Data
Alert Data
Data Collection
Rule Header
- Action
- Protocol
- Source/Destination Address and Ports
Rule Options
- Alert Message
- When to Fire
Alert Data
Data Collection
alert tcp any 1723 -> any any (msg:"VPN - Connection Failed"; flags:R; classtype:misc-activity; sid:1000001; rev:1;)
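The rule above split into the header and option fields the previous slide lists, then evaluated against packets, as an added Python example that is not part of the presentation or of Snort itself; the packet records and the 10.1.5.20 / 198.51.100.7 addresses are constructed.

```python
import re

# Added example, not code from the presentation: split a Snort rule into the
# header and option fields the slides describe, then test packets against it.
# Only the "->" direction and the options the example rule uses are handled.

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$")

def parse_rule(text: str) -> dict:
    """Return the header fields plus an 'options' dict of keyword -> value."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {text!r}")
    rule = m.groupdict()
    options, cur, quoted = {}, [], False
    for ch in rule.pop("opts") + ";":     # split on ';' outside the quoted msg
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            key, _, value = "".join(cur).strip().partition(":")
            if key:
                options[key] = value.strip().strip('"')
            cur = []
        else:
            cur.append(ch)
    rule["options"] = options
    return rule

def rule_fires(rule: dict, pkt: dict) -> bool:
    """Header match on protocol, addresses and ports, then the flags option
    (plain flags:R means exactly RST set; the +, * and ! modifiers are ignored)."""
    if pkt["proto"] != rule["proto"]:
        return False
    for field in ("src", "sport", "dst", "dport"):
        if rule[field] not in ("any", str(pkt[field])):
            return False
    want = rule["options"].get("flags")
    return want is None or set(want) == set(pkt.get("flags", ""))

# The rule from the slide and two constructed packets.
RULE = parse_rule('alert tcp any 1723 -> any any (msg:"VPN - Connection Failed"; '
                  'flags:R; classtype:misc-activity; sid:1000001; rev:1;)')
RST_FROM_PPTP = {"proto": "tcp", "src": "10.1.5.20", "sport": 1723,
                 "dst": "198.51.100.7", "dport": 40000, "flags": "R"}
RST_ACK = dict(RST_FROM_PPTP, flags="RA")   # RST+ACK does not satisfy flags:R
```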
Session Data
Data Collection
- fprobe: a NetFlow probe (a flow is a set of packets that share a common property)
- flow-tools: a toolset for working with NetFlow Data
- Components
- - fprobe: Export flows
- - flow-capture: Collect and store
- - flow-cat, flow-print: Merge and print
- - flow-filter, flow-nfilter, flow-stat, flow-report: Process based on filters or report definitions
Session Data
Data Collection
[Figure: sample flow records with columns Duration, Addresses, Ports, TCP Flags, Priority and Traffic; outbound and inbound flows shown separately]
5-Tuple: same source and destination addresses and ports, all packets in the same direction.
Session Data
Data Collection
Traffic Summary
Distribution
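The session record the two Session Data slides describe (packets grouped by 5-tuple in one direction, then totalled as inbound and outbound traffic), as an added Python example that is not part of the presentation or of fprobe/flow-tools; LOCAL_NET, the addresses and the packet records are constructed.

```python
from ipaddress import ip_address, ip_network

# Added example, not code from the presentation: turn packets into NetFlow-style
# session records keyed by 5-tuple and direction (the Session Data slides), then
# total them as inbound and outbound traffic. Packets and LOCAL_NET are constructed.

LOCAL_NET = ip_network("10.1.0.0/16")   # assumed campus address space

def build_flows(packets, idle_timeout=30.0):
    """Group packets that share a 5-tuple in one direction. A silence longer
    than idle_timeout ends the flow, like a probe's inactive timeout."""
    active, finished = {}, []
    for p in sorted(packets, key=lambda p: p["ts"]):
        key = (p["src"], p["sport"], p["dst"], p["dport"], p["proto"])
        flow = active.get(key)
        if flow and p["ts"] - flow["last"] > idle_timeout:
            finished.append(active.pop(key))
            flow = None
        if flow is None:
            flow = active[key] = {"key": key, "first": p["ts"], "last": p["ts"],
                                  "packets": 0, "octets": 0, "flags": ""}
        flow["last"] = p["ts"]
        flow["packets"] += 1
        flow["octets"] += p["len"]
        # cumulative OR of the TCP flags seen, as flow-print displays it
        flow["flags"] = "".join(sorted(set(flow["flags"] + p.get("flags", ""))))
    return finished + list(active.values())

def direction(flow):
    # outbound if the source address is on campus, inbound otherwise
    return "outbound" if ip_address(flow["key"][0]) in LOCAL_NET else "inbound"

def traffic_summary(flows):
    totals = {"inbound": [0, 0], "outbound": [0, 0]}   # flow count, octets
    for f in flows:
        totals[direction(f)][0] += 1
        totals[direction(f)][1] += f["octets"]
    return totals

def pkt(ts, src, sport, dst, dport, size, flags=""):
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": "tcp", "len": size, "flags": flags}

CLIENT, WEB = "10.1.5.20", "198.51.100.7"
PACKETS = [   # one short HTTP exchange, then a FIN after 100 s of silence
    pkt(0.0, CLIENT, 40000, WEB, 80, 60, "S"),
    pkt(0.1, WEB, 80, CLIENT, 40000, 60, "SA"),
    pkt(0.2, CLIENT, 40000, WEB, 80, 500, "PA"),
    pkt(0.3, WEB, 80, CLIENT, 40000, 1400, "PA"),
    pkt(100.0, CLIENT, 40000, WEB, 80, 52, "F"),
]
```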
The Sguil Client: Event Driven Analysis
Data Analysis
Alert Panes
Information Panes
Sguil Client: Alert Panes
Data Analysis
Sguil Client: Rule Details and Packet Data
Data Analysis
A Match
Sguil Client: Information Panes
Data Analysis
Sensor Status
IP Resolution
Snort Statistics
Sguil Client: Transcripts, adding context to alerts
Data Analysis
Sguil Client: Exporting to Ethereal (Wireshark)
Data Analysis
Sguil Client: Performing Queries
Data Analysis
Sguil Client: Generating Reports
Data Analysis
Web Based Analysis and Reports
Main Springboard
Data Analysis
Campus Tools
Site Navigation
Site Specifics
Main Springboard: IDS Query
Data Analysis
Details - PHP based IDS front-end
Data Source - MySQL Database (Sguil)
IDS Query: SQueRT
Data Analysis
Main Springboard: ePO Query
Data Analysis
Details - PHP based query tool
Data Source - MSSQL Database (McAfee ePO)
ePO Query: McAfee ePolicy Orchestrator
Data Analysis
Why?
- Accessibility (Offsite)
- Simplify common tasks
Main Springboard: FlowViewer
Data Analysis
Details - Perl based query tool
Data Source - Binary file (Flow-tools)
NetFlow Reports: FlowViewer
Data Analysis
Main Springboard: User Lookup
Data Analysis
Details - PHP based query tool
Data Source - MSSQL Database (Userlock)
User Lookup: UserLock
Data Analysis
Daily Activity
Main Springboard: Traffic Summary
Data Analysis
Details - TCL generated summary
Data Source - Binary file (Flow-tools)
Traffic Summary: Flow-tools
Data Analysis
Main Springboard: Traffic Graphs
Data Analysis
Details - PHP query tool
Data Source - Binary file (Flow-tools)
Traffic Graphs: Flow-tools
Data Analysis
Main Springboard: Summary Report
Data Analysis
Details - PHP generated summary
Data Source - MySQL (Flow-tools), MySQL (Sguil), MSSQL (ePO)
Summary Report
Data Analysis
Future Possibilities?
- More complex graphs
- Further trending
- Improved analysis algorithms
EOF
Summary
- Network Awareness
- - Automation is not network awareness
- - Best practice is not awareness
- Robust Solutions
- - Lower TCO
- - Not second rate
- Unique development possibilities
- - perpetuates research
- - hones existing skills
Operation Overview
Data Collection/Processing
Hardware Requirements
Sensor and Server Design
- Sensor
- - Dell Optiplex GX280 SD
- - 2.4GHz Processor
- - 1GB Memory
- - (2) GB Ethernet Controllers
- - (1) 80GB SATA Drive
- - Cost 700.00
- Server
- - Dell Optiplex GX280 SMT
- - 2.4GHz Processor
- - 1GB Memory
- - (2) GB Ethernet Controllers
- - (2) 80GB
- - Cost 850.00
- Potential Scalability Issues
Deployment
Sensor and Server Design
- Span Port
- - Low cost (If infrastructure supports it)
- - Simple Setup
- - Extra demand on hardware (lost packets)
- Network TAP
- - Completely passive
- - Simple setup
- - Costly
- Inline
- - Offers blocking and other capabilities
- - Complex setup
- - Requires decent hardware
Cost 0.00 - 5000.00
Component Protection: Firewall (PF)
Sensor and Server Design
- Sensor
- - Inbound from Admins to SSH, default port 22 (limit this)
- - Outbound to Server
- Server
- - Inbound from Sensors to Sguil, default port 7736
- - Inbound from Clients (techs) to Sguil, default port 7734 (limit this)
- - Inbound from Sensors to MySQL, default port 3306
- - Inbound from Admins to SSH, default port 22 (limit this)
- - Outbound to Sensors