Iowa State University Capstones, Theses and Retrospective Theses and Dissertations Dissertations 1-1-2005 A modular architecture for security tools (MAST) Pascal Openshaw Iowa State University Follow this and additional works at: https://lib.dr.iastate.edu/rtd Recommended Citation Openshaw, Pascal, "A modular architecture for security tools (MAST)" (2005). Retrospective Theses and Dissertations. 19204. https://lib.dr.iastate.edu/rtd/19204 This Thesis is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Retrospective Theses and Dissertations by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. A Modular Architecture for Security Tools {MAST) by Pascal Openshaw A thesis submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Co-majors: Computer Engineering; Information Assurance Program of Study Committee: Doug Jacobson, Major Professor Yong Guan Adrian Sannier Iowa State University Ames, Iowa 2005 Copyright @Pascal Openshaw, 2005. All rights reserved. ii Graduate College Iowa State University This is to certify that the Master's thesis of Pascal Openshaw has met the thesis requirements of Iowa State University Signatures have been redacted for privacy lll TABLE OF CONTENTS CHAPTER 1. Overview . 1 1.1 Introduction . 1 1.2 History 2 1.2.1 Common areas 2 1.2.2 Additional security tools . 3 1.2.3 Putting them all together 3 1.3 The MAST solution 4 1.3.l A voiding vendor lock-in 6 1.3.2 Tradeoffs 6 1.3.3 Information collection 7 1.4 Sample scenarios 9 1.5 Potential modules 9 1.5.1 Application profiles . 9 1.5.2 File integrity checking 11 1.5.3 Antivirus integration . 12 1.5.4 Firewall integration 13 1.5.5 File access . 13 1.5.6 Registry access 14 1.5.7 Event logs . 14 1.6 Multiple computers . 14 1.6.1 Compiled information 15 1.6.2 Shared configurations 15 iv CHAPTER 2. MAST configuration ....... 16 2.1 Webmin modules . 16 2.2 Central repository 17 2.2.1 Configuration 18 2.2.2 Analysis 19 2.2.3 Alerts . 19 2.3 Plugin architecture 21 2.4 Database layout . 21 2.4.1 By program 22 2.4.2 By type . 22 2.4.3 Program analysis 22 CHAPTER 3. File monitoring ........ 24 3.1 Programs ..... 24 3.1.1 Tripwire, Inc 24 3.1.2 I3FS .. 25 3.1.3 AFICK 26 3.1.4 Samhain . 26 3.2 Webmin module 26 3.3 MAST plugin . 27 CHAPTER 4. Antivirus integration . ........ 30 4.1 Programs 30 4.1.1 Clam antivirus 30 4.1.2 Commercial options 31 4.1.3 F-Prot . 32 4.1.4 Spyware 33 4.2 Webmin module 33 4.3 MAST plugin 34 4.3.l Analysis 34 v 4.3.2 Table layout ......... 35 CHAPTER 5. Network integration ........ 36 5.1 Programs . 36 5.1.l Network intrusion detection 36 5.1.2 Firewalls 37 5.2 Webmin module 39 5.3 MAST plugin . 39 CHAPTER 6. Additional applications . ........ 42 6.1 Analysis 42 6.2 Normalizing across applications 43 6.3 Related products 43 6.3.1 Nagios . 44 6.3.2 Entercept 44 6.3.3 Webmin . 44 6.4 Related research 45 6.5 Future work . 45 6.5.l Plugin development 45 6.5.2 Data analysis . 46 6.5.3 Configuration management 46 6.6 Measuring success 46 6. 7 Conclusion . 47 APPENDIX . MAST database 48 BIBLIOGRAPHY ........ 51 vi LIST OF TABLES Table 2.1 Webmin standard modules for security . 17 Table 2.2 Webmin third party modules for security 17 Table 3.1 Layout for file integrity checking . 28 Table 4.1 Layout for antivirus reports 35 Table 5.1 Layout for Snort reports . 40 Table 5.2 Layout for firewall configuration changes 40 1 CHAPTER 1. Overview Desktop computer security is a growing problem with the many viruses, network attacks, trojans, and other malicious programs that can affect a system. Trying to track down what has happened on a computer, remove problems, and prevent future intrusions can be very problematic. The solution proposed in this thesis is to have a modular architecture for security tools (MAST). MAST consists of three components: A database containing security information, programs to interact with the database, and patches to security tools so that they can interact with the database and each other. The expert tools are responsible for analyzing data from their realms of expertise and reporting relevant information to the database. They should also be capable of sharing elements of functionality with other security applications through documented commands or interfaces. In return the programs may also be set up to utilize the functionality of other programs if installed. This kind of information and functionality sharing has the potential of increasing the quality of programs and reducing duplication of effort. 1.1 Introduction As a computer is running, many things are happening at the same time. Network services are responding to traffic, programs are accessing files, and system changes are being made periodically. Unfortunately there are no easy ways to view or even record most of this infor­ mation. A typical security administrator might have network alerts, a few event log entries, and not much else to work with. The key is to record all the information that the security administrator needs without being overwhelmed with too much information. A modular architecture fits this need by enabling or 2 disabling various portions based on requirements. At the moment there are many specialized utilities for security. The plethora of security software companies are each trying to establish their niche in a particular area, and a select few are attempting to expand their areas of expertise to everything that concerns computer security. The goal of MAST is to combine the expertise of security companies in each product area into one global package that is capable of monitoring various critical events for a computer system. 1.2 History Intrusion detection systems (IDS) have been an important topic for many years. Ever since the first security vulnerability was found and exploited, computer administrators have been looking for ways to find out about and prevent such exploits. Various tactics have been taken in order to do this. Of course, the best way to ensure good computer security is to not have any vulnerabilities in the software to begin with. Unfortunately software flaws are a continuing problem that is not going away anytime soon. Even if software is assumed to be perfect there are still potential problems such as accidentally installing viruses, spyware, using poor passwords, and so on. In these cases the IDS software is capable of mitigating the damage by detecting problems early on. 1.2.1 Common areas Three of the main angles taken by IDS products have been in the areas of file integrity checking, network monitoring, and antivirus. These make intuitive sense in that certain files should never change and finding out when they have is an important step in making sure that the system is secure. The network IDS (NIDS) is important because network traffic is ever-changing and presents potential pitfalls for the computer that is trying to interpret that traffic. 3 The most well-known program for file integrity checking is Tripwire, which has been around since the early 1990's. The open-source Snort has been the standard bearer for NIDS products and has also turned into a commercial product more recently. As for antivirus systems the major vendors at the moment are Symantec, Network Associates, and Trend Micro. 1.2.2 Additional security tools As it turns out, however, there are a multitude of security programs and checking mech­ anisms. Spyware has become a much greater problem with the increase in Internet traffic, web browsing, and e-mail. AdAware and Spybot Search & Destroy are two common pro­ grams that are capable of removing malicious software. Vulnerability assessment tools such as Nessus, SATAN, SAINT, and nmap are capable of finding potential remote compromises on computer systems. Numerous studies have been done looking for efficient artificial intelligence algorithms which can use intelligent agents to collect information and determine intrusions with the highest accuracy. The various approaches that are possible have led to a plethora of various software applications ranging from anomaly detection, event log monitoring, root kit detection, and so on. 1.2.3 Putting them all together Clearly a solution must be found for the typical computer administrator so that the se­ curity situation can cover all the various aspects yet still be usable. All the various products available can be confusing at times, which is where the big-name companies usually take to the forefront with the easier to use software suites. Network Associates has been moving to have more comprehensive solutions by including firewalls, spyware detection, and so on into their products. In the same way Tripwire has become an overall change monitoring solution rather than just simple file integrity checking. The problem, though, is that few companies can yet claim to have outstanding systems for each aspect of security. 4 1.3 The MAST solution Many companies attempt to create a global tool that is capable of doing everything. The program collects information from all the log files, network traffic, file access, virus detections, integrity checking, user behaviour, network statistics, and so on. By parsing through all this information the program attempts to find the patterns and reach conclusions about what is going on.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages61 Page
-
File Size-