Scanners - PowerPoint PPT Presentation

About This Presentation
Title:

Scanners

Provided by: timr96

Transcript and Presenter's Notes
1
Scanners
  • Inventory all machines on site (12,000)
  • nmap farm
  • All machines usually twice a day
  • Find critical vulnerabilities and issue blocks
  • Nessus
  • Homegrown tools

2
IDS
  • Bro cluster on 10 gig spans
  • Snort on 1 gig switch
  • Specific sigs used for Snort due to scalability
    and false positive issues
  • State based is more attractive than signature
    based

3
Sig based IDS
  • Used for point solutions
  • Simply not terribly effective at Fermi
  • Question: How would you operate in an ISP's environment?
  • Answer: Umm... ;-)

4
State based IDS
  • Used for everything else
  • Example: alert if
      • HTTP connection to this server
      • followed by GET of a non-PHP file
      • followed by SSH outbound connection
      • and all of that happens in a short time frame
  • Sig based IDS cannot do this
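The three-step sequence on this slide, written out as a small stateful correlator over constructed connection records (an added example, not the Fermi Bro policy; the 60-second window, the event field layout and the watched server address are assumptions):

```python
"""Stateful correlation of: HTTP conn -> non-PHP GET -> outbound SSH.

Each event is a constructed record (timestamp, kind, src, dst, detail),
loosely modelled on Bro/Zeek connection and HTTP log fields.
"""

WATCHED = "192.0.2.10"   # the web server named on the slide (assumed address)
WINDOW = 60.0            # "short time frame", in seconds (assumed value)

# Constructed sample events; the last SSH arrives too late to count.
EVENTS = [
    (100.0, "http_conn", "10.0.0.5", WATCHED, ""),
    (101.0, "http_get",  "10.0.0.5", WATCHED, "/index.php"),        # PHP: ignored
    (102.0, "http_get",  "10.0.0.5", WATCHED, "/files/report.txt"), # non-PHP: step 2
    (110.0, "ssh_conn",  WATCHED, "198.51.100.7", ""),              # step 3: alert
    (500.0, "http_conn", "10.0.0.9", WATCHED, ""),
    (501.0, "http_get",  "10.0.0.9", WATCHED, "/img/logo.png"),
    (700.0, "ssh_conn",  WATCHED, "198.51.100.8", ""),              # 200 s later: expired
]


def correlate(events, watched=WATCHED, window=WINDOW):
    """Return (ts, client, ssh_dst) for every completed sequence.

    One partial match is tracked at a time per watched server; a new
    inbound HTTP connection restarts the sequence, and a partial match
    older than `window` seconds is discarded. A packet-by-packet
    signature engine has no place to keep this state, which is the
    slide's point.
    """
    alerts = []
    stage, t0, client = 0, 0.0, None
    for ts, kind, src, dst, detail in sorted(events):
        if stage and ts - t0 > window:
            stage, client = 0, None               # partial match expired
        if kind == "http_conn" and dst == watched:
            stage, t0, client = 1, ts, src        # step 1: inbound HTTP
        elif (stage == 1 and kind == "http_get" and src == client
              and dst == watched and not detail.lower().endswith(".php")):
            stage = 2                             # step 2: GET of a non-PHP file
        elif stage == 2 and kind == "ssh_conn" and src == watched:
            alerts.append((ts, client, dst))      # step 3: server opens SSH outbound
            stage, client = 0, None
    return alerts


if __name__ == "__main__":
    for ts, client, ssh_dst in correlate(EVENTS):
        print(f"ALERT t={ts}: {client} -> {WATCHED} -> ssh {ssh_dst}")
```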

5
Netflow
  • Real-time collection of netflow
  • Real-time DNS name resolution of all IPs
  • Historical searches through netflow during
    incidents
  • Searches done via Splunk

6
Netflow
  • Primarily used for incident response
  • Valuable for telling who a badguy talked to
  • Tells us whether we need to investigate further
    and, if so, how much further

7
Log collection
  • Collecting from 189 hosts
  • 13 billion log entries, and growing, are
    searchable
  • 37.3 Gig a day intake
  • Will be pushing 60 gig a day with netflow

8
Log collection
  • Central syslog-ng available to all machines
  • Collection of central web logs
  • Searches via splunk
  • Integration of search into enterprise programming
    API (CST API)

9
Darknets and Tarpits
  • Monitoring all unallocated address space (class B)
  • Valuable for detecting worms and software
    misconfiguration
  • If it touches these networks, it is suspect

10
Scanners
11
Log collection