TRANSCRIPT
Building a Campus Dshield
Randy Marchany
IT Security Lab
VA Tech
Blacksburg, VA
[email protected]
http://security.vt.edu
VT Defense-in-Depth Strategy
Layer 1: Blocking Attacks: Network Based
Layer 2: Blocking Attacks: Host Based
Layer 3: Eliminating Security Vulnerabilities
Layer 4: Supporting Authorized Users
Layer 5: Tools to minimize business losses
Putting the Pieces Together
RDWEB – locate any device in our network
DSHIELD – Collect Firewall logs
SNORT – Sensors monitoring for patterns
SAFETYNET – “pull” vulnerability scanner
CHECKNET – “push” vulnerability scanner
REMEDY – Trouble Ticket system used by Help Desk
CENTRAL SYSLOG – collects syslogs
IDS Infrastructure
[Diagram: IDS infrastructure components shown on the slide: Campus Systems; VT Dshield (Dshield MySQL DB); SNORT Base (MySQL DB); CheckNet Failure DB; CheckNet WWW; Nessus Scanners; SafetyNet (MySQL DB); Remedy Trouble Ticket System; CIRT Help Desk; IPS; SNORT Sensors; Central Syslog Servers]
VA Tech Defense in Depth
Layer 1: Blocking Attacks: Network Based
– Network Intrusion Prevention Systems
– Discovery and mitigation
– Firewalls
– Secure Web Filtering
– Secure Email, Anti-Spam
VA Tech Defense in Depth
Layer 2: Blocking Attacks: Host Based
– Personal firewalls
– Spyware removal
– Scan & Block/Quarantine Networks
– Antivirus
VA Tech Defense in Depth
Layer 3: Eliminating Security Vulnerabilities
– Vulnerability management & remediation
– Patch management
– Configuration management
– Security configuration compliance
– Application security testing
Putting the Pieces Together
REN-ISAC weather reports
Dshield.org
IPS
Netflows
UCONN netreg
VSC scanners
You Already Belong to a “Dshield”
Default setting for Windows XP Personal Firewall sends copies of your firewall logs to http://hackerwatch.org
Why not belong to one that you know about?
Dshield – Internet Storm Center
Internet Storm Center concept was developed after analysts noted that time zones provided an early warning system for some attacks
Attacks originating in Asia occurred 12+ hours before hitting North America
– People coming to work and logging in their computers
Dshield
Similar to weather reporting infrastructure
Mapping probes similar to mapping weather fronts
Admins could look at the data real-time and use this info to prepare for an attack
Similar to looking at a weather map to prepare for tomorrow’s weather
Weather Report vs. Internet Storm Ctr
Small sensors in as many places as possible recording basic weather info
Regional weather stations providing tech support, summarize and display it for local meteorologists
National weather centers summarize and map regional data to provide overall weather picture
Small IDS tools send logs to regional/campus site
Regional site provides automated support and reporting tools
Global Analysis & Coordination Centers provide early warning to network community of impending/ongoing attacks
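The two lower tiers of that comparison, small sensors shipping firewall logs to a campus site and the campus site turning them into automated reports, are easy to see in code. The following Python sketch is an added example, not code from the slides or from the Internet Storm Center's Dshield base system. It parses constructed iptables-style firewall log lines, normalizes each hit into a tab-separated record, and produces the summary an analyst at the campus site would start from: most-hit destination ports, noisiest sources, and sources that touched several distinct campus hosts. The log lines are constructed, the record layout is an assumption modelled loosely on DShield submissions rather than its exact specification, and the submitter id is a placeholder.

```python
"""Minimal campus "dshield" collector: firewall log lines -> records -> report.

Added example (not from the slides). Log lines are constructed; the
tab-separated record layout is an assumed, DShield-like shape, not the spec.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in iptables LOG style (documentation address ranges).
SAMPLE_LOG = """\
Mar 10 08:01:12 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=445 SYN
Mar 10 08:01:13 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=40212 DPT=445 SYN
Mar 10 08:01:14 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=40213 DPT=445 SYN
Mar 10 08:02:30 fw2 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Mar 10 08:02:31 fw2 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
Mar 10 08:03:00 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.20 PROTO=UDP SPT=1025 DPT=1434
this line is not a firewall record and is skipped
"""

# Fields we need from an iptables LOG line; ports and TCP flags are optional
# because ICMP and some UDP lines do not carry them.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:"
    r".*?\bSRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)"
    r".*?\bPROTO=(?P<proto>\w+)"
    r"(?:\s+SPT=(?P<spt>\d+))?(?:\s+DPT=(?P<dpt>\d+))?"
    r"(?:\s+(?P<flags>[A-Z]+(?: [A-Z]+)*))?\s*$"
)


def parse_line(line, year=2024):
    """Return a dict for one firewall hit, or None for non-matching lines.

    Syslog timestamps carry no year, so the collector supplies one (assumed).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "time": when, "sensor": m["host"], "src": m["src"], "dst": m["dst"],
        "proto": m["proto"], "spt": m["spt"] or "", "dpt": m["dpt"] or "",
        "flags": m["flags"] or "",
    }


def parse_log(text, year=2024):
    """Parse every line of a sensor's log, silently skipping junk lines."""
    records = (parse_line(line, year) for line in text.splitlines())
    return [r for r in records if r is not None]


def to_dshield_record(rec, submitter_id="SUBMITTER-ID-PLACEHOLDER"):
    """Flatten a hit into the assumed tab-separated submission layout:
    time, submitter id, count, src, sport, dst, dport, proto, flags."""
    return "\t".join([
        rec["time"].strftime("%Y-%m-%d %H:%M:%S"), submitter_id, "1",
        rec["src"], rec["spt"], rec["dst"], rec["dpt"], rec["proto"], rec["flags"],
    ])


def summarize(records, scan_threshold=3):
    """The campus-site report: top ports, top sources, and likely scanners
    (sources that hit at least scan_threshold distinct campus hosts)."""
    ports = Counter(f'{r["proto"]}/{r["dpt"]}' for r in records if r["dpt"])
    sources = Counter(r["src"] for r in records)
    targets = defaultdict(set)
    for r in records:
        targets[r["src"]].add(r["dst"])
    scanners = sorted(s for s, hosts in targets.items() if len(hosts) >= scan_threshold)
    return {"top_ports": ports, "top_sources": sources, "scanners": scanners}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(to_dshield_record(r))
    report = summarize(recs)
    print("top ports:", report["top_ports"].most_common(3))
    print("top sources:", report["top_sources"].most_common(3))
    print("scanners:", report["scanners"])
```

In a real deployment the sensors would ship their raw lines (the slides use central syslog for this), the campus site would store the flattened records in its MySQL database, and the report would be what the analyst the "bad news" slide calls for actually reads; the threshold for "scanner" is a local tuning choice, which is the firewall-configuration tailoring the slides mention.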
DShield Configuration
Hardware
– DEC 2650, 2GB RAM, 785GB disk
Software
– Red Hat Enterprise
– Apache WWW server
– PHP
– MySQL
– Dshield base system from Internet Storm Center
The Good News, The Bad News
Good News
– Dshield code is already set to do the functions shown later
– You do some local mods and you’re ready to go
– Software can handle the load
– Fairly universal feeds
– Good reporting tool
Bad News
– Code is hard to get
– Basic documentation
– Convincing your environment to feed your dshield
– Need to tailor firewall configurations
– Needs an analyst to interpret the results
References
http://isc.sans.org
http://dshield.org
http://dshield.cirt.vt.edu
Randy Marchany
– VA Tech IT Security Lab
– 1300 Torgersen Hall, VA Tech
– Blacksburg, VA 24060
– 540-231-9523, [email protected]
IDS/IPS States
             BLOCK     NO BLOCK
ALERT        GOOD      GOOD
NO ALERT     BAD       GOOD if Failover, BAD if not
VA Tech Defense in Depth
Layer 4: Supporting Authorized Users
– ID and access management
– File Encryption
– Secure communications
– PKI
– VPN
– IPSEC based VPN
– SSL VPN
– Secure remote access
VA Tech Defense in Depth
Layer 5: Tools to minimize business losses
– Security information management
– Business transaction integrity monitoring
– Security skills development (training)
– Forensic tools
– Regulatory compliance tools
– Business recovery
– Backup