Let’s talk network security. You’ve got a firewall and a DMZ, you’re all set, right? Not so fast slugger. We preach a theory called “defense in depth” here at Hurricane. And that means you need something to defend you when your firewall admins make a mistake. And something to protect you when that layer fails. And so on. So what are these other layers? Well one of them is having a good IDS/IPS system. An IDS/IPS listens to network traffic, generally the traffic inside your firewall, and either alerts on (IDS) or drops/blocks altogether (IPS) traffic that meets specific rules defining “bad traffic”. But what else can you do? Introducing the self-defending network.

2. Introduction
• Who am I?
• Who is Hurricane Labs?
• What is a self-defending network?
• Why would I want one?

3. So how’s it work?

5. Story Time

6. What do you need?

9. Why not just use a
honeypot? Or artillery?

11. Installing OSSEC Server
• Make sure you have • Download the
a compiler, etc source distribution
installed • Un-tar

12. Installing OSSEC Server
• Pre-compiling the binaries makes building a single
agent tarball easy!
• Follow the instructions in the OSSEC wiki for doing
so - http://goo.gl/EYknZ

13. • Just a standard installation of Vyatta
• No special configuration is required
• We will add the OSSEC agent later

14. Cisco instead of Vyatta
• Cisco isn’t open source
• Can’t install OSSEC on Cisco IOS
• You could do it... but it’s not as easy

15. Pick Your Poison #1
Which IDS?

16. • Industry Standard
• Open Source (mostly)
• Been around a while (since 1998)
• Available in most package managers

17. • Very new
• Also open source
• Funding from both public (US DHS) and private
sector
• “Next Generation” from the ground up
• Becoming more available in package managers

18. Pick Your Poison #2
Which Ruleset?

19. VRT
• Snort “Vulnerability Research Team”
• Official Snort ruleset
• Been around a while
• Delayed by 30 days unless you pay ($499.99 for
a business, $29.99 for a person)
• Good coverage, quick updates

20. Emerging Threats / ETPro
• Alternative to VRT
• Originally “Bleeding
Snort”, also been around
a while
• Much quicker to respond
to new threats, but more
likely to false positive
• ETPro is a “premium”
ruleset from the same
folks

21. Pick Your Poison #3
Logging Methods

22. Built-In Syslog
• Built-in to Snort
• Reduces performance in the Snort process
• Easy to configure

23. Barnyard2
• Recommended method of logging Snort events
• Supported by Suricata and Snort
• Reads Snort “Unified2” format and outputs a
variety of logs
• More difficult to configure

24. Preventing chaos
Adjust your ruleset so the rules you
Proper tuning
have enabled match what you want
(not just turning stuff off)
to block

25. Configuration

26. OSSEC Server
•Collects events from the
agents
(more on this later)
•Matches events against a
ruleset
(this one doesn’t give you
many choices)
•Triggers alerts and, more
importantly, “active
response” based on events

27. OSSEC Agents
• One each on the router,
the inside IDS, and the
outside IDS
• Make sure the IDS agents
are reading whatever log
file the snort logs are in

28. Active-Response

29. Big Finish

31. Cool. Now What?

32. Other Event Sources
• FTP Servers
• Web Servers
• Web App Firewalls
• Anti-Virus Servers
• Domain Controllers
• Anything that you can
get logs from

33. Monitoring your Defenses

34. Splunk your Alerts

35. Questions?