Network Security Monitoring with Open Source Tools - PowerPoint PPT Presentation

1
Network Security Monitoring with Open Source Tools
  • Paul Halliday, CANHEIT, June 12th 2006

2
Introduction
  • The Accomplishment
    - The creation of a comprehensive network monitoring solution that adequately services 14 campus locations across the province of Nova Scotia.
  • The Implementation
    - Budget of under $15,000 (software and hardware)
    - Producing useful results within 4 weeks
    - Modular and scalable
    - Low maintenance

3
Presentation Overview
  • Data
    - Collection and processing with Snort and flow-tools
    - Analysis with Sguil (TCL/TK)
    - Web-based analysis and reports (PHP/Bash/TCL)
  • Third-party product integration (examples)
    - McAfee ePolicy Orchestrator
    - UserLock
  • Sensor and Server Design
    - OS and software
    - Hardware
    - Deployment

4
  • Data Collection and Processing

5
Alert Data
Data Collection
  • Snort: a network intrusion detection and prevention system
  • Sguil: the analysis console; its sensor-side components are listed below
  • Components
    - Snort in IDS mode: collects alert data
    - Barnyard: fast output plug-in (reads Snort's unified output spool and forwards the alerts, so Snort itself never blocks on writing them out)
    - sensor_agent: gateway to sguild, the Sguil server daemon
    - log_packets: manages the full-content PCAP data

6
Alert Data
Data Collection
  • How Snort rules work
    - Rule header: action, protocol, source/destination address and ports
    - Rule options: alert message, when to fire

7
Alert Data
Data Collection
  • How Snort rules work

    alert tcp any 1723 -> any any (msg:"VPN - Connection Failed"; flags:R; classtype:misc-activity; sid:1000001; rev:1;)

  The header alerts on TCP traffic from source port 1723 (the PPTP control port) to any destination. The options name the alert, fire only when the RST flag is set (the VPN server resetting a control connection), classify it as misc-activity, and give it a SID in the range reserved for locally written rules (1,000,000 and up) plus a revision number.
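To make the header/options split concrete, here is an added example (my code, not the presentation's and not Snort's own parser) that splits the rule above into its parts and evaluates it against three constructed packets. The Packet class, the sample traffic and the subset of syntax handled (the slide's keywords plus port ranges and the flags modifiers) are assumptions of this example:

```python
"""Parse a Snort 2 rule into header and options and evaluate it against
synthetic packets.  Added example, not code from the talk or from Snort;
the rule text is the slide's PPTP rule, the packets are constructed."""
import re
from dataclasses import dataclass, field

RULE = ('alert tcp any 1723 -> any any (msg:"VPN - Connection Failed"; '
        'flags:R; classtype:misc-activity; sid:1000001; rev:1;)')

# An option is key[:value]; the value is a "quoted string" or runs up to ';'.
_OPT_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


def parse_rule(text: str) -> Rule:
    """Split 'action proto src sport dir dst dport (opt:val; ...)' into parts."""
    header, sep, body = text.strip().partition("(")
    fields = header.split()
    if not sep or len(fields) != 7:
        raise ValueError("rule must be: action proto src sport dir dst dport (options)")
    if fields[4] not in ("->", "<>"):
        raise ValueError(f"bad direction {fields[4]!r}")
    body = body.rstrip()
    if not body.endswith(")"):
        raise ValueError("options are not closed with ')'")
    body, options, pos = body[:-1].strip(), {}, 0
    while pos < len(body):
        m = _OPT_RE.match(body, pos)
        if m is None:
            raise ValueError(f"cannot parse option near {body[pos:pos + 20]!r}")
        val = m.group(2)
        if val is not None:
            val = val[1:-1] if val.startswith('"') else val.strip()
        options[m.group(1)] = val
        pos = m.end()
    return Rule(*fields, options)


def local_sid_ok(rule: Rule) -> bool:
    """Site-written rules use SIDs >= 1,000,000; lower values are reserved for
    rules shipped with Snort and would collide on a sensor that loads both."""
    return int(rule.options.get("sid", "0")) >= 1_000_000


@dataclass(frozen=True)
class Packet:              # assumption: a minimal packet model for this example
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # TCP flags in Snort's letters: F S R P A U


def _port_ok(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:        # ranges such as 1024:, :1023, 6000:6010
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr   # variables and CIDR are not modelled


def _flags_ok(spec, flags: str) -> bool:
    """flags:[!|*|+]<letters>[,<mask>].  With no modifier the set must match
    exactly, so 'flags:R' fires on a bare RST but not on an RST/ACK."""
    if spec is None:
        return True
    spec = spec.split(",")[0]           # the ',mask' (bits to ignore) is not modelled
    mode = spec[0] if spec and spec[0] in "!*+" else "="
    letters = spec.lstrip("!*+")
    want = set() if letters == "0" else set(letters)
    have = set(flags)
    if mode == "+":
        return want <= have             # these bits plus any others
    if mode == "*":
        return bool(want & have)        # any of these bits
    if mode == "!":
        return not (want & have)        # none of these bits
    return want == have


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    forward = (_addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
               and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport))
    reverse = rule.direction == "<>" and (
        _addr_ok(rule.src, pkt.dst) and _port_ok(rule.sport, pkt.dport)
        and _addr_ok(rule.dst, pkt.src) and _port_ok(rule.dport, pkt.sport))
    return (forward or reverse) and _flags_ok(rule.options.get("flags"), pkt.flags)


# Constructed traffic between a PPTP client and a VPN server (not captured data).
PACKETS = [
    Packet("tcp", "10.0.0.5", 1723, "172.16.4.9", 49321, "R"),   # bare RST from the server
    Packet("tcp", "172.16.4.9", 49321, "10.0.0.5", 1723, "S"),   # client SYN: wrong direction
    Packet("tcp", "10.0.0.5", 1723, "172.16.4.9", 49321, "RA"),  # RST/ACK: not an exact 'R'
]


def fired(text: str, packets) -> list:
    """Return (index, msg) for every packet the rule alerts on."""
    rule = parse_rule(text)
    return [(i, rule.options["msg"]) for i, p in enumerate(packets) if matches(rule, p)]


if __name__ == "__main__":
    for i, msg in fired(RULE, PACKETS):
        print(f"packet {i}: {msg}")
```

The third packet is the case worth checking on a real sensor: `flags:R` with no modifier is an exact match, so a server that resets with ACK set as well is never reported. If the PPTP server in question behaves that way, `flags:+R` (R plus any other bits) is the form that catches both.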
8
Session Data
Data Collection
  • fprobe: a NetFlow probe. A flow is a group of packets that share a common property (here the 5-tuple and the direction of travel).
  • flow-tools: a toolset for working with NetFlow data
  • Components
    - fprobe: export flows
    - flow-capture: collect and store
    - flow-cat, flow-print: merge and print
    - flow-filter, flow-nfilter, flow-stat, flow-report: process based on filters or report definitions

9
Session Data
Data Collection
  • A flow record holds: duration, addresses, ports, TCP flags, priority, traffic (packet and byte counts)
  • One flow is one 5-tuple: same source and destination addresses and ports, same protocol, all packets in the same direction
  • The outbound and inbound halves of a connection are therefore two separate flow records
10
Session Data
Data Collection
Traffic Summary
Distribution
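The flow model on the two slides above, carried through in code as an added example (mine, not the presentation's and not flow-tools): packets sharing a 5-tuple and a direction are rolled into one record, a FIN, RST or idle gap closes it, and the records are then summarised the way flow-print and flow-stat present them. The packet list is constructed (one PPTP control session and two DNS lookups), the 15-second idle timeout, the column layout and the "lower port is the service" heuristic are assumptions:

```python
"""Build unidirectional NetFlow-style records from packets and summarise them.
Added example, not code from the talk or from flow-tools; the packet list is
constructed (a PPTP control session plus two DNS lookups), not captured traffic."""
from collections import defaultdict
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 1, 2, 4, 8, 16   # TCP flag bits as a flow record stores them


@dataclass(frozen=True)
class Packet:        # assumption: minimal packet model for this example
    ts: float        # seconds since capture start
    proto: int       # 6 = TCP, 17 = UDP
    src: str
    sport: int
    dst: str
    dport: int
    size: int        # bytes on the wire
    flags: int = 0


@dataclass
class Flow:
    key: tuple       # (proto, src, sport, dst, dport): the 5-tuple, one direction only
    start: float
    end: float
    packets: int = 0
    octets: int = 0
    flags: int = 0   # OR of every packet's flags, as NetFlow v5 exports report it

    @property
    def duration(self) -> float:
        return self.end - self.start


def build_flows(packets, idle_timeout: float = 15.0) -> list:
    """Group packets sharing a 5-tuple and a direction into flows.  A flow is
    closed by FIN or RST, or when the next packet for the key arrives more than
    idle_timeout seconds after the previous one (which opens a new record)."""
    flows, active = [], {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        f = active.get(key)
        if f is None or p.ts - f.end > idle_timeout:
            f = Flow(key, p.ts, p.ts)
            active[key] = f
            flows.append(f)
        f.end = p.ts
        f.packets += 1
        f.octets += p.size
        f.flags |= p.flags
        if p.flags & (FIN | RST):      # terminate the record; a later packet starts a new one
            del active[key]
    return flows


def flow_print(flows) -> list:
    """One line per flow in flow-print's column order (interface indexes omitted)."""
    lines = ["srcIP            srcP  dstIP            dstP  P  Fl  Pkts  Octets  Dur"]
    for f in flows:
        proto, src, sport, dst, dport = f.key
        lines.append(f"{src:<16} {sport:<5} {dst:<16} {dport:<5} {proto:<2} "
                     f"{f.flags:<3} {f.packets:<5} {f.octets:<7} {f.duration:.2f}")
    return lines


def top_talkers(flows, n: int = 3) -> list:
    """Octets sent per source address, largest first (what flow-stat reports by source)."""
    total = defaultdict(int)
    for f in flows:
        total[f.key[1]] += f.octets
    return sorted(total.items(), key=lambda kv: kv[1], reverse=True)[:n]


def service_distribution(flows) -> dict:
    """Octets per service port, taking the lower of the two ports as the service
    (a heuristic: well-known ports are low, ephemeral client ports are high)."""
    total = defaultdict(int)
    for f in flows:
        total[min(f.key[2], f.key[4])] += f.octets
    return dict(total)


C, S, DNS = "172.16.4.9", "10.0.0.5", "10.0.0.53"
PACKETS = [  # constructed
    Packet(0.00, 6, C, 49321, S, 1723, 60, SYN),
    Packet(0.01, 6, S, 1723, C, 49321, 60, SYN | ACK),
    Packet(0.02, 6, C, 49321, S, 1723, 52, ACK),
    Packet(0.30, 17, C, 53211, DNS, 53, 80),
    Packet(0.31, 17, DNS, 53, C, 53211, 120),
    Packet(0.50, 6, C, 49321, S, 1723, 208, PSH | ACK),
    Packet(0.60, 6, S, 1723, C, 49321, 220, PSH | ACK),
    Packet(5.00, 6, C, 49321, S, 1723, 52, FIN | ACK),
    Packet(5.05, 6, S, 1723, C, 49321, 52, FIN | ACK),
    Packet(40.00, 17, C, 53211, DNS, 53, 80),    # same 5-tuple, but after the idle timeout
    Packet(40.01, 17, DNS, 53, C, 53211, 120),
]

if __name__ == "__main__":
    fl = build_flows(PACKETS)
    print("\n".join(flow_print(fl)))
    print("top talkers:", top_talkers(fl))
    print("by service port:", service_distribution(fl))
```

The eleven packets become six records: two for the PPTP session (one per direction, each carrying SYN, PSH and FIN in its flag mask) and four for DNS, because the second lookup on the same 5-tuple arrives after the idle timeout. That split is the thing to remember when reading flow-stat output: a single long-lived connection is usually several flow records, and the counts must be summed before comparing hosts.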
11
  • Data Analysis with Sguil

12
The Sguil Client: Event-Driven Analysis
Data Analysis
  • Two groups of panes: Alert Panes (slide 13) and Information Panes (slide 15)
13
Sguil Client: Alert Panes
Data Analysis
14
Sguil Client: Rule Details and Packet Data
Data Analysis
  • The slide marks where the rule matched the packet ("A Match")
15
Sguil Client: Information Panes
Data Analysis
  • Panes shown: Sensor Status, IP Resolution, Snort Statistics
16
Sguil Client Transcripts: Adding context to alerts
Data Analysis
17
Sguil Client: Exporting to Ethereal (Wireshark)
Data Analysis
18
Sguil Client: Performing Queries
Data Analysis
19
Sguil Client: Generating Reports
Data Analysis
20
  • Web Based Analysis and Reports

21-23
Main Springboard
Data Analysis
  • Labelled areas of the springboard page: Campus Tools, Site Navigation, Site Specifics
24
Main Springboard: IDS Query
Data Analysis
  • Details: PHP-based IDS front-end
  • Data source: MySQL database (Sguil)
25-28
IDS Query: SQueRT
Data Analysis
(no further transcript text on these slides)
29
Main Springboard: ePO Query
Data Analysis
  • Details: PHP-based query tool
  • Data source: MSSQL database (McAfee ePO)
30-31
ePO Query: McAfee ePolicy Orchestrator
Data Analysis
  • Why? Accessibility (offsite); simplify common tasks
32
Main Springboard: FlowViewer
Data Analysis
  • Details: Perl-based query tool
  • Data source: binary files (flow-tools)
33-37
NetFlow Reports: FlowViewer
Data Analysis
(no further transcript text on these slides)
38
Main Springboard: User Lookup
Data Analysis
  • Details: PHP-based query tool
  • Data source: MSSQL database (UserLock)
39-40
User Lookup: UserLock
Data Analysis
  • Daily Activity (slide 40)
41
Main Springboard: Traffic Summary
Data Analysis
  • Details: TCL-generated summary
  • Data source: binary files (flow-tools)
42-43
Traffic Summary: flow-tools
Data Analysis
44
Main Springboard: Traffic Graphs
Data Analysis
  • Details: PHP query tool
  • Data source: binary files (flow-tools)
45-46
Traffic Graphs: flow-tools
Data Analysis
47
Main Springboard: Summary Report
Data Analysis
  • Details: PHP-generated summary
  • Data sources: MySQL (flow-tools), MySQL (Sguil), MSSQL (ePO)
48-50
Summary Report
Data Analysis
  • Future possibilities? More complex graphs; further trending; improved analysis algorithms
51
EOF
Summary
  • Network awareness
    - Automation is not network awareness
    - Best practice is not awareness
  • Robust solutions
    - Lower TCO
    - Not second-rate
  • Unique development possibilities
    - Perpetuates research
    - Hones existing skills

52
Operation Overview
Data Collection/Processing
53
  • Sensor and Server Design

54
Hardware Requirements
Sensor and Server Design
  • Sensor: Dell Optiplex GX280 SD
    - 2.4 GHz processor
    - 1 GB memory
    - (2) gigabit Ethernet controllers
    - (1) 80 GB SATA drive
    - Cost: $700.00
  • Server: Dell Optiplex GX280 SMT
    - 2.4 GHz processor
    - 1 GB memory
    - (2) gigabit Ethernet controllers
    - (2) 80 GB drives
    - Cost: $850.00
  • Potential scalability issues

55
Deployment
Sensor and Server Design
  • SPAN port
    - Low cost (if the infrastructure supports it)
    - Simple setup
    - Extra demand on hardware: mirroring a full-duplex link can exceed what the SPAN port or the sensor NIC can carry, and the excess is lost packets the sensor never sees
  • Network TAP
    - Completely passive
    - Simple setup
    - Costly
  • Inline
    - Offers blocking and other capabilities
    - Complex setup
    - Requires decent hardware
  • Cost: $0.00 - $5,000.00
56
Component Protection: Firewall (PF)
Sensor and Server Design
  • Sensor
    - Inbound from admins to SSH, default port 22 (limit this to the admin hosts)
    - Outbound to the server
  • Server
    - Inbound from sensors to Sguil's sensor port, default 7736
    - Inbound from clients (techs) to Sguil's client port, default 7734 (limit this to the analyst workstations)
    - Inbound from sensors to MySQL, default port 3306
    - Inbound from admins to SSH, default port 22 (limit this to the admin hosts)
    - Outbound to the sensors
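The rule list above written out as pf.conf files, added here as an example; this is not the presentation's configuration. The interface name em0, the 192.0.2.0/24 addresses, the server address and the admin/tech host groups are assumptions, and "limit this" is realised by naming those hosts in a macro rather than allowing the port from anywhere:

```pf
# --- /etc/pf.conf on the Sguil server (added example; addresses, interface
#     name and the host groups are assumptions) ---
ext_if  = "em0"                           # management interface
sensors = "{ 192.0.2.16/28 }"             # sensor management addresses
techs   = "{ 192.0.2.100, 192.0.2.101 }"  # workstations that run the Sguil client
admins  = "{ 192.0.2.200 }"               # the only hosts allowed to SSH in

set skip on lo0
block log all                             # default deny in both directions; log the drops
pass in  on $ext_if proto tcp from $sensors to $ext_if port { 7736, 3306 } keep state
pass in  on $ext_if proto tcp from $techs   to $ext_if port 7734 keep state
pass in  on $ext_if proto tcp from $admins  to $ext_if port 22 keep state
pass out on $ext_if proto tcp from $ext_if  to $sensors keep state   # "outbound to sensors"

# --- /etc/pf.conf on a sensor ---
ext_if = "em0"                            # management NIC only; the sniffing NIC carries no address and no rules
server = "192.0.2.20"
admins = "{ 192.0.2.200 }"

set skip on lo0
block log all
pass in  on $ext_if proto tcp from $admins to $ext_if port 22 keep state
pass out on $ext_if proto tcp from $ext_if to $server port { 7736, 3306 } keep state
```

Because both files start from `block log all`, anything else the boxes need (NTP, DNS, package updates) has to be added as its own `pass` line; keep that list short and review it with `pfctl -sr` after each change. Giving the sniffing interface no address is common sensor practice rather than something the slides state: an interface that cannot be addressed cannot be reached from the monitored segment.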