DOCSLIB.ORG

Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment Log Management and Intrusion Detection solutions have been evolving for years. Yet, it remains a challenge for organizations of all sizes to meet the operational, audit and security needs using these solutions. This paper presents a solution to bridge logging, log based intrusion detection and network based intrusion detection using well known free open source tools available on the Security Onion Linux Distribution. It walks through the logging, monitoring and alerting approach necessary for security, compliance and q... Copyright SANS Institute Author Retains Full Rights AD Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment . ts h g ri GIAC (GCIA) Gold Certification ll u f Author: Sunil Gupta, [email protected] s Advisor: Dr. Kees Leune in ta re r Accepted: July 4, 2012o th u , A te tu ti Abstract s n Log Management and Intrusion I Detection solutions have been evolving for years. Yet, it remains a challenge for organizationsS of all sizes to meet the operational, audit and security needs using these solutions. ThisN paper presents a solution to bridge logging, log based intrusion detection A and network Sbased intrusion detection using well known free open source tools available on the Security Onion Linux Distribution. It walks through the logging, monitoring and alerting 12 approach0 necessary for security, compliance and quality of service. In the process it provides for cost 2 effective, customizable and scalable solution alternative to vendor based Security ©Information & Event Management (SIEM) solutions. © 2012 The SANS Institute Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Author retains full rights. Logging and Monitoring to Detect Network Intrusions and Compliance Violations | 2 1. Introduction Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or . imminent threats of violation of computer security policies, acceptable use policies, or standardts security practices. An intrusion detection system (IDS) is software that automates the intrusionh detection process. Network-Based IDS (NIDS) monitors network traffic for particular networkg ri segments or devices and analyzes the network and application protocol activity to lidentifyl suspicious activity (Scarfone & Mell, 2007). fu s Security Log Analysis Systems are also known as Log-based Intrusionin Detection Systems (LIDS). Log Analysis For Intrusion Detection is the process or techniquesta used to detect attacks on a specific environment using logs as the primary source of information.e LIDS is also used to r detect computer misuse, policy violations and other forms ofr inappropriate activities (Cid, 2007). o The main thesis of this paper is that NIDS andth LIDS are necessary for effectively u monitoring the security posture of an organization.A Both techniques, network-based detection and log-based detection, complement each other, in the identification and reporting of security te incidents. u tit 1.1. Outline s n This paper describes I how to build a system that combines Network Based Intrusion Detection with Log BasedS Intrusion Detection to create a comprehensive security monitoring N platform. ChapterA 2 provides an overview of essential terminology in the field of Security Information EventS Monitoring and Log Management. Chapter 3 builds on the terminology by proposing12 a technical architecture and by providing configuration guidance. Chapter 4 discusses Log0 Analysis and Correlation and the paper concludes by discussing Alerting and Reporting in Chapter 2 5. © This paper describes a fictional scenario in which an intrusion is detected using NIDS and LIDS alerts on the monitor console. The example demonstrates the value of this approach by following an intruder performing a network scan, connect to a system and control gain, followed by privilege escalation on the target system. Sunil Gupta, [email protected] © 2012 The SANS Institute Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Author retains full rights. Logging and Monitoring to Detect Network Intrusions and Compliance Violations | 3 1.2. Problem Addressed In an organization, there are many possible signs of incidents which may go unnoticed each day. These events can be studied mainly by analyzing network behavior or by reviewing computer security event logs. In order to avoid or minimize the losses from an incident outcome, . ts the events need to be analyzed as close to real-time as possible. Logging and intrusion detectionh systems have the potential to produce very large amount of data, and all that data must beg ri managed, filtered and analyzed. Having a single approach and a unified platform helpll s with this very difficult and challenging task to monitor and report in near-real time. fu s Automation is needed to perform an initial analysis of the data iandn to alert on select events of interest for human review. Event correlation software andt acentralized logging can be of great value in automating the analysis process. However, the effectivenessre of the process depends on the quality of the data and the data rules that goesr into it. o th 2. Log Management and SIEM Overviewu A The NIST Guide to Computer Security, Log Management (Kent & Souppaya, 2006) states that information regarding an incident mayte be recorded in several places, such as firewalls, u routers, network IDS, host IDS, andtit application logs. Organizations should deploy one or more centralized logging servers ands configure logging devices throughout the organization to send duplicates of their log entriesn to the centralized logging servers. A log management infrastructure I consists of the hardware,S software, networks and media used to generate, transmit, store, analyze, and dispose of log data.N This section describes the typical architecture and functions of a log A management.S 2 2.1.0 1Log Management Architecture 2 The NIST Guide to Computer Security Log Management (Kent & Souppaya, 2006) ©explains that a log management infrastructure typically comprises of three tiers: log generation, log analysis and storage, and log monitoring. Sunil Gupta, [email protected] © 2012 The SANS Institute Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Author retains full rights. Logging and Monitoring to Detect Network Intrusions and Compliance Violations | 4 The log generation tier involves hosts making their logs available to log servers in the second tier. This is performed in two different ways. The exact method depends on the log type, and, on the host and network controls. In one way hosts run some services to send their log data over the network to log collection servers. Alternatively, hosts allow the log servers to pull the . log data from them. The logs are often transferred to the log receivers either in a real-time or ts near-real-time manner, or in occasional batches based on a schedule. h g ri The log analysis and storage tier is composed of one or more log servers receivll ing log data from the hosts. These log receivers are also called collectors or aggregators. Tou facilitate log f analysis, automated methods of converting logs from multiple formats to as single standard format needs to be implemented. Syslog format of logging is often usedin for this purpose. ta The log monitoring tier contains consoles that are used for emonitoring and reviewing of log r data and the results of automated analysis. Report generation,r management dashboards and log o baselines may also be done using consoles as part of tthish tier. u The scope of log management infrastructure can be dictated by many factors, including the , A organization’s internal structure, systemt typese (e.g., a separate infrastructure for enterprise security systems), log types (e.g., a separateu infrastructure for application audit logs), and facility locations. it st 2.2. Log Management In Functions S Log managementN infrastructures typically perform several functions that assist in the storage, analysis,A and disposal of log data. These functions are normally performed in such a way that they do notS alter the original logs (Kent & Souppaya, 2006). 12 0 General functions of log management infrastructure include log parsing, event filtering and 2 event aggregation. On the storage side, log management has to provide for log rotation, log ©archival, log compression, log reduction, log conversion, log normalization and log file integrity. Event correlation, log viewing and log reporting are some of the analysis functions of a log management infrastructure. Sunil Gupta, [email protected] © 2012 The SANS Institute Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Author retains full rights. Logging and Monitoring to Detect Network Intrusions and Compliance Violations | 5 Kent & Souppaya (2006) also explain that a log management infrastructure usually encompasses most or all of the functions described in this section. The placement of some of the log functions among the three tiers of the log management infrastructure depends primarily on the type of log management software used. It is in the best interest of organizations to have . appropriate auditing in place that allows for effective and efficient log management. ts h 2.3. SIEM ig r Security information and event management (SIEM) software provides thel logl management infrastructure encompassing log analysis, log storage and log monitoringu tiers. f What sets SIEM products apart from traditional log management software sis the ability to perform event correlation, alerting, incident management, reporting andin forensic investigation ta based on event analysis. There are many SIEM solutions commerciallyre available today and these solutions provide different set of these features and additionalr add-ons.
Load more

Recommended publications
  • Implementing Cisco Cyber Security Operations
    2019 CLUS Implementing Cisco Cyber Security Operations Paul Ostrowski / Patrick Lao / James Risler Cisco Security Content Development Engineers LTRCRT-2222 2019 CLUS Cisco Webex Teams Questions? Use Cisco Webex Teams to chat with the speaker after the session How 1 Find this session in the Cisco Live Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space Webex Teams will be moderated cs.co/ciscolivebot#LTRCRT-2222 by the speaker until June 16, 2019. 2019 CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Agenda • Goals and Objectives • Prerequisite Knowledge & Skills (PKS) • Introduction to Security Onion • SECOPS Labs and Topologies • Access SECFND / SECOPS eLearning Lab Training Environment • Lab Evaluation • Cisco Cybersecurity Certification and Education Offerings 2019 CLUS LTRCRT-2222 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 Goals and Objectives: • Today's organizations are challenged with rapidly detecting cybersecurity breaches in order to effectively respond to security incidents. Cybersecurity provides the critical foundation organizations require to protect themselves, enable trust, move faster, add greater value and grow. • Teams of cybersecurity analysts within Security Operations Centers (SOC) keep a vigilant eye on network security monitoring systems designed to protect their organizations by detecting and responding to cybersecurity threats. • The goal of Cisco’s CCNA Cyber OPS (SECFND / SECOPS) courses is to teach the fundamental skills required to begin a career working as an associate/entry-level cybersecurity analyst within a threat centric security operations center. • This session will provide the student with an understanding of Security Onion as an open source network security monitoring tool (NSM).
    [Show full text]
  • Securing Infrastructure-As-A-Service Public Clouds Using Security Onion
    Securing Infrastructure-as-a-Service Public Clouds Using Security Onion MIKAIL, Abdullahi and PRANGGONO, Bernardi <http://orcid.org/0000-0002- 2992-697X> Available from Sheffield Hallam University Research Archive (SHURA) at: http://shura.shu.ac.uk/23927/ This document is the author deposited version. You are advised to consult the publisher's version if you wish to cite from it. Published version MIKAIL, Abdullahi and PRANGGONO, Bernardi (2019). Securing Infrastructure-as-a- Service Public Clouds Using Security Onion. Applied System Innovation, 2 (1). Copyright and re-use policy See http://shura.shu.ac.uk/information.html Sheffield Hallam University Research Archive http://shura.shu.ac.uk Article Securing Infrastructure-as-a-Service Public Clouds Using Security Onion Abdullahi Mikail and Bernardi Pranggono * Department of Engineering and Mathematics, Sheffield Hallam University, Howard Street, Sheffield S1 1WB, UK; [email protected] * Correspondence: [email protected] Received: 17 December 2018; Accepted: 23 January 2019; Published: 30 January 2019 Abstract: The shift to Cloud computing has brought with it its specific security challenges concerning the loss of control, trust and multi-tenancy especially in Infrastructure-as-a-Service (IaaS) Cloud model. This article focuses on the design and development of an intrusion detection system (IDS) that can handle security challenges in IaaS Cloud model using an open source IDS. We have implemented a proof-of-concept prototype on the most deployed hypervisor—VMware ESXi—and performed various real-world cyber-attacks, such as port scanning and denial of service (DoS) attacks to validate the practicality and effectiveness of our proposed IDS architecture.
    [Show full text]
  • Intrusion Detection Systems for Smart Home Iot Devices: Experimental Comparison Study
    Intrusion Detection Systems for Smart Home IoT Devices: Experimental Comparison Study Faisal Alsakran1, Gueltoum Bendiab1, Stavros Shiaeles2, and Nicholas Kolokotronis3 1 CSCAN, University of Plymouth, PL4 8AA, Plymouth, UK [email protected], [email protected] 2 School of Computing, University of Portsmouth, PO1 2UP, Portsmouth, UK [email protected] 3 Department of Informatics and Telecommunications, University of Peloponnese, 22131 Tripolis, Greece [email protected] ABSTRACT Smart homes are one of the most promising applications of the 1 INTRODUCTION emerging Internet of Things (IoT) technology. With the growing Smart home technology also often referred to as home automation number of IoT related devices such as smart thermostats, smart allows the entire home to be automated and therefore, the connected fridges, smart speaker, smart light bulbs and smart locks, smart smart home devices can be remotely controlled and operated, from any homes promise to make our lives easier and more comfortable. location in the world, through a smartphone app, iPads or other network However, the increased deployment of such smart devices brings an devices [13]. In recent years, smart home technology is gaining increase in potential security risks and home privacy breaches. In tremendous ground at all levels. Economic reports affirm that connected order to overcome such risks, Intrusion Detection Systems are home market becomes the largest IoT segment at seven billion related presented as pertinent tools that can provide network-level smart devices in 2018, which present 26% of the global IoT devices protection for smart devices deployed in home environments. These market [14]. According to Gartner [32] this segment is expected to grow systems monitor the network activities of the smart home-connected to 20.4 billion devices by 2020.
    [Show full text]
  • Evaluating the Availability of Forensic Evidence from Three Idss: Tool Ability
    Evaluating the Availability of Forensic Evidence from Three IDSs: Tool Ability EMAD ABDULLAH ALSAIARI A thesis submitted to the Faculty of Design and Creative Technologies Auckland University of Technology in partial fulfilment of the requirements for the degree of Masters of Forensic Information Technology School of Engineering, Computer and Mathematical Sciences Auckland, New Zealand 2016 i Declaration I hereby declare that this submission is my own work and that, to the best of my knowledge and belief, it contains no material previously published or written by another person nor material which to a substantial extent has been accepted for the qualification of any other degree or diploma of a University or other institution of higher learning, except where due acknowledgement is made in the acknowledgements. Emad Abdullah Alsaiari ii Acknowledgement At the beginning and foremost, the researcher would like to thank almighty Allah. Additionally, I would like to thank everyone who helped me to conduct this thesis starting from my family, supervisor, all relatives and friends. I would also like to express my thorough appreciation to all the members of Saudi Culture Mission for facilitating the process of studying in a foreign country. I would also like to express my thorough appreciation to all the staff of Saudi Culture Mission for facilitating the process of studying in Auckland University of Technology. Especially, the pervious head principal of the Saudi Culture Mission Dr. Satam Al- Otaibi for all his motivation, advice and support to students from Saudi in New Zealand as well as Saudi Arabia Cultural Attaché Dr. Saud Theyab the head principal of the Saudi Culture Mission.
    [Show full text]
  • Effective Implementation of Dynamic Classification for Network Forensic and Traffic Analysis
    International Journal of Computing and Business Research (IJCBR) ISSN (Online) : 2229-6166 Volume 6 Issue 2 March 2015 EFFECTIVE IMPLEMENTATION OF DYNAMIC CLASSIFICATION FOR NETWORK FORENSIC AND TRAFFIC ANALYSIS Manu Bansal Assistant Professor Department of IT University Institute of Engineering & Technology Panjab University, Sector 25, Chandigarh ABSTRACT Packet capturing is one of classical and most frequently used task performed by the network administrators. This is done to fetch the packets traveling in the network and finally detect any suspicious activity in the network. Finally, any out of the way activity or abnormal activity is analyzed by the intrusion detection system (IDS) tools for classification of attacks or type of the traffic. Enormous IDS tools are available including open source products which can classify the attacks or traffic from the PCAP (Packet Capture) Files fetched from honeypots or servers. This article explains about various aspects of PCAP and the detailed process of analyzing the PCAP using Snort IDS Tool for classification of traffic. Keywords – Network Forensic using Data Mining, PCAP Analysis, Honeypot and Honeynets International Journal of Computing and Business Research (IJCBR) ISSN (Online) : 2229-6166 Volume 6 Issue 2 March 2015 INTRODUCTION Network administrators generally face the regular issues of intrusion in their network by different media. To cope up with such issues, they make use of pcap (packet capture) that is having the application programming interface (API) for capturing the network traffic from different dimensions including ports, IP Addresses and associated parameters. In case of Unix- like systems, pcap is implemented in libpcap library. In case of Windows, it implements a port of libpcap that is known as WinPcap.
    [Show full text]
  • Part Iii Network Security Monitoring Processes
    Bejtlich_book.fm Page 345 Thursday, June 17, 2004 8:40 AM PART III NETWORK SECURITY MONITORING PROCESSES 345 Bejtlich_book.fm Page 346 Thursday, June 17, 2004 8:40 AM Bejtlich_book.fm Page 347 Thursday, June 17, 2004 8:40 AM Best11 Practices In Parts I and II we explored NSM theory and some tools for conducting NSM. Part III is intended for people who manage NSM operations. It presents best practices for assess- ment, protection, detection, and response, as far as NSM is concerned. While elements of NSM best practices appear throughout the book, this chapter focuses exclusively on the mind-set needed to conduct NSM operations. Chapter 12 brings these principles to life in several case studies. Chapter 1 introduced the security process in general. In this chapter, I explain the NSM-specific aspects of each security process step (see Figure 11.1). First, I describe the benefits of developing a well-defined security policy during assessment. Then I explain protection with respect to access control, traffic scrubbing, and proxies. Next, detection is expanded to include collection, identification, validation, and escalation of suspicious events. I elaborate on response within the context of short-term incident containment and emergency NSM. Finally, I conclude by returning to the assessment phase by high- lighting analyst feedback as a component of planning for the next cycle. ASSESSMENT Assessment involves taking steps to ensure the probability of successfully defending an enterprise. Within the NSM model, assessment means implementing products, people, and processes most conducive to accurately identifying and mitigating intrusions. Part II illustrated NSM tools, and Part IV will offer suggestions for training people.
    [Show full text]
  • Prototype Open-Source Software Stack for the Reduction of False
    CYBER 2018 : The Third International Conference on Cyber-Technologies and Cyber-Systems Prototype Open-Source Software Stack for the Reduction of False Positives and Negatives in the Detection of Cyber Indicators of Compromise and Attack Hybridized Log Analysis Correlation Engine and Container-Orchestration System Supplemented by Ensemble Method Voting Algorithms for Enhanced Event Correlation Steve Chan Decision Engineering Analysis Laboratory San Diego, California U.S.A. email: [email protected] Abstract—A prototypical solution stack (Solution Stack #1) black boxed commercial offering itself. Accordingly, with chosen Open-Source Software (OSS) components for an MSSPs are endeavoring to put forth their own offerings experiment was enhanced by hybridized OSS amalgams (e.g., (also for market differentiation), in a white box fashion; for Suricata and Sagan; Kubernetes, Nomad, Cloudify and Helios; the purposes of adhering to Joyce’s recommendation, the MineMeld and Hector) and supplemented by select modified white box approach can be, in some cases, more effective algorithms (e.g., modified N-Input Voting Algorithm [NIVA] modules and a modified Fault Tolerant Averaging Algorithm than the black box approach, but it is a much more difficult [FTAA] module) leveraged by ensemble method machine pathway in terms of the sophistication needed to understand learning. The preliminary results of the prototype solution and appropriately orchestrate the various involved stack (Stack #2) indicate a reduction, with regards to cyber subsystems. By way of example, a Verizon Data Breach Indicators of Compromise (IOC) and indicators of attack Report had articulated that those with robust log analysis (IOA), of false positives by approximately 15% and false and correlation were least likely to be a cyber victim; yet, negatives by approximately 47%.
    [Show full text]
  • Intrusion Detection Systems with Snort Advanced IDS Techniques Using Snort, Apache, Mysql, PHP, and ACID
    Intrusion Detection Systems with Snort Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID perens_series.fm Page 1 Thursday, April 10, 2003 1:43 AM BRUCE PERENS’ OPEN SOURCE SERIES ◆ Managing Linux Systems with Webmin: System Administration and Module Development Jamie Cameron ◆ Implementing CIFS: The Common Internet File System Christopher R. Hertel ◆ Embedded Software Development with eCos Anthony J. Massa ◆ The Linux Development Platform: Configuring, Using, and Maintaining a Complete Programming Environment Rafeeq Ur Rehman, Christopher Paul ◆ Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID Rafeeq Ur Rehman Intrusion Detection Systems with Snort Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID Rafeeq Ur Rehman Prentice Hall PTR Upper Saddle River, New Jersey 07458 www.phptr.com Library of Congress Cataloging-in-Publication Data A CIP catalog record for this book can be obtained from the Library of Congress. Editorial/production supervision: Mary Sudul Cover design director: Jerry Votta Cover design: DesignSource Manufacturing manager: Maura Zaldivar Acquisitions editor: Jill Harry Editorial assistant: Noreen Regina Marketing manager: Dan DePasquale © 2003 Pearson Education, Inc. Publishing as Prentice Hall PTR Upper Saddle River, New Jersey 07458 This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at <http://www.opencontent.org/openpub/>). Prentice Hall books are widely used by corporations and government agencies for training, marketing, and resale. The publisher offers discounts on this book when ordered in bulk quantities. For more information, contact Corporate Sales Department, Phone: 800-382-3419; FAX: 201-236-7141; E-mail: [email protected] Or write: Prentice Hall PTR, Corporate Sales Dept., One Lake Street, Upper Saddle River, NJ 07458.
    [Show full text]
  • Snort for Dummies.Pdf
    01_568353 ffirs.qxd 6/3/04 10:07 AM Page i Snort ™ FOR DUMmIES‰ 01_568353 ffirs.qxd 6/3/04 10:07 AM Page ii 01_568353 ffirs.qxd 6/3/04 10:07 AM Page iii Snort ™ FOR DUMmIES‰ by Charlie Scott, Paul Wolfe, and Bert Hayes 01_568353 ffirs.qxd 6/3/04 10:07 AM Page iv Snort™ For Dummies® Published by Wiley Publishing, Inc. 111 River Street Hoboken, NJ 07030-5774 Copyright © 2004 by Wiley Publishing, Inc., Indianapolis, Indiana Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permis- sion of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, e-mail: brandreview@ wiley.com. Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission.
    [Show full text]
  • Intrusion Detection System and Intrusion Prevention System with Snort Provided by Security Onion
    Bezborodov Sergey Intrusion Detection System and Intrusion Prevention System with Snort provided by Security Onion. Bachelor’s Thesis Information Technology May 2016 DESCRIPTION Date of the bachelor's thesis 06.05.2016 Author(s) Degree programme and option Bezborodov Sergey Information Technology Name of the bachelor's thesis Intrusion Detection Systems and Intrusion Prevention System with Snort provided by Security Onion. Abstract In this thesis I wanted to get familiar with Snort IDS/IPS. I used the Security Onion distribution with a lot of security tools, but I concentrated on Snort. Also I needed to evaluate Security Onion environment and check what features it provides for processing with Snort. During the work I needed to figure out the pros and cons of using Security Onion with Snort as a security system for network. I compared it with alternatives and briefly describe it. As result I installed Security Onion, work with the environment, configured different features, created and modified rules and so on. I think this thesis will be helpful for people who want to use IDS/IPS for their network, it should help them to choose IDS/IPS vendor, make Security Onion and Snort installation, make comparison with another one and just get familiar with the network security tools. Also, this thesis can be a part of big research of network security tools, because now is impossible to find such detailed guides and literatures about any IDS/IPS tools. It is a good idea to combine many researches about it and make a good library. This thesis can be used for further development of Snort and Security Onion as it only on the development phase now, it will provide base for new researching with new versions.
    [Show full text]
  • Analyzing Offensive and Defensive Networking Tools in a Laboratory Environment
    NIKO HEIKURA ANALYZING OFFENSIVE AND DEFENSIVE NETWORKING TOOLS IN A LABORATORY ENVIRONMENT Master of Science thesis Examiners: prof. Jarmo Harju and M.Sc. Markku Vajaranta Examiners and topic approved by the Faculty Council of the Faculty of Computing and Electrical Engineer- ing on 8th October 2014 i ABSTRACT NIKO HEIKURA : Analyzing Offensive and Defensive Networking Tools in a La- boratory Environment Tampere University of Technology Master of Science Thesis, 93 pages March 2015 Master’s Degree Programme in Signal Processing and Communications Engi- neering Major: Communications Networks and Protocols Examiners: Professor Jarmo Harju and M.Sc. Markku Vajaranta Keywords: denial of service, network security, network security monitoring, ex- ploits, vulnerabilities The safest way of conducting network security testing is to do it in a closed laboratory environment that is isolated from the production network, and whose network configu- ration can be easily modified according to needs. Such an environment was built to the Department of Pervasive Computing in the fall of 2014 as part of TUTCyberLabs. In addition to the networking hardware, computers and servers, two purchases were made: Ruge, a traffic generator, and Clarified Analyzer, a network security monitor. Open source alternatives were researched for comparison and the chosen tools were Ostinato and Security Onion respectively. A hacking lab exercise was created for Computer Network and Security course employing various tools found in Kali Linux that was in- stalled on the computers. Different attack scenarios were designed for the traffic genera- tors and Kali Linux, and they were then monitored on the network security monitors. Finally a comparison was made between the monitoring applications.
    [Show full text]
  • Logging and Monitoring at Home Who Am I
    Defending the Homeland Logging and Monitoring at home Who am I @nullthreat Offensive Red Team for a major company I break stuff Started security @ CNDSP ADT for networks @ DOD Designed and Deployed NSM on DOD net Talking Points Perimeter Firewall Central Logging Host IDS Network IDS Basic Honeypots Deployment Strategies Disclaimer: The ideas and solutions presented are my opinion, feel free to disagree. OS'es I use all Linux and Macs at home I will not be talking about Windows at all, deal with it Won't matter once we are talking NIDS Firewalls on the Cheap As I see it there is only one good solution in this space PFSense http://www.pfsense.org ● Fork of MonoWall ● Robust Firewall based on PF(FreeBSD) ● Multiple VPN Support built-in ○ OpenVPN, IPSec, L2TP, PPTP ● Package based add-ons ○ pfBlocker(block netblocks), Snort, Squid ● Runs on almost anything, Full PC or Embedded Embedded Solutions ALIX 2D3/2D13 ~ 200$ @ store.netgate.com PFsense on Alix Setup Pauldotcom.com tech segement from episode 220 Google "alix pfsense pauldotcom" and you'll find the show notes Spark notes: Download IMG, Write to CF Card, Boot, Use Serial Terminal to do initial setup PFSense on Alix Setup Pro Tip: Don't put the box together until you flash the OS onto the card, You have to take the entire box apart to get the CF Card in and out. PFSense Demo Other Options Surplus Cisco/Juniper/Checkpoint Hardware Consumer Firewall Solutions http://en.wikipedia. org/wiki/List_of_router_or_firewall_distributions Firewalls Questions? Central Logging I do this on my servers and VPSs Could do on clients but....meh Usually the same box that hosts my NIDS stuff Lots of options syslogd Ol' reliable Been around since the dawn of freaking time originally part of sendmail circa 1980s UDP Only(in most cases) Easy-ish to configure but hard to really dial in syslogd Server: set -r flag in /etc/sysconfig/syslog ex.
    [Show full text]