Let’s talk network security. You’ve got a firewall and a DMZ, you’re all set, right? Not so fast, slugger. We preach a theory called “defense in depth” here at Hurricane. That means you need something to defend you when your firewall admins make a mistake, something to protect you when that layer fails, and so on. So what are these other layers? Well, one of them is having a good IDS/IPS. An IDS/IPS listens to network traffic, generally the traffic inside your firewall, and either alerts on (IDS) or drops/blocks altogether (IPS) traffic that matches specific rules defining “bad traffic”. But what else can you do? Introducing the self-defending network.
11. Installing OSSEC Server
• Make sure you have a compiler, etc. installed
• Download the source distribution
• Un-tar
12. Installing OSSEC Server
• Pre-compiling the binaries makes building a single agent tarball easy!
• Follow the instructions in the OSSEC wiki for doing so - http://goo.gl/EYknZ
13. • Just a standard installation of Vyatta
• No special configuration is required
• We will add the OSSEC agent later
14. Cisco instead of Vyatta
• Cisco isn’t open source
• Can’t install OSSEC on Cisco IOS
• You could do it... but it’s not as easy
16. • Industry Standard
• Open Source (mostly)
• Been around a while (since 1998)
• Available in most package managers
17. • Very new
• Also open source
• Funding from both public (US DHS) and private sector
• “Next Generation” from the ground up
• Becoming more available in package managers
19. VRT
• Snort “Vulnerability Research Team”
• Official Snort ruleset
• Been around a while
• Delayed by 30 days unless you pay ($499.99 for a business, $29.99 for a person)
• Good coverage, quick updates
20. Emerging Threats / ETPro
• Alternative to VRT
• Originally “Bleeding Snort”, also been around a while
• Much quicker to respond to new threats, but more likely to false positive
• ETPro is a “premium” ruleset from the same folks
23. Barnyard2
• Recommended method of logging Snort events
• Supported by Suricata and Snort
• Reads Snort “Unified2” format and outputs a variety of logs
• More difficult to configure
24. Preventing chaos
• Proper tuning: adjust your ruleset so the rules you have enabled match what you want to block (not just turning stuff off)
26. OSSEC Server
• Collects events from the agents (more on this later)
• Matches events against a ruleset (this one doesn’t give you many choices)
• Triggers alerts and, more importantly, “active response” based on events
27. OSSEC Agents
• One each on the router, the inside IDS, and the outside IDS
• Make sure the IDS agents are reading whatever log file the snort logs are in
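To make the server/agent flow in slides 26 and 27 concrete, here is an added example (not code from the deck or from OSSEC) that does what an OSSEC frequency/timeframe rule plus active response would do: parse Snort "alert_fast" lines as the IDS agents would read them, count high-priority alerts per source, and emit one block decision per offending source. The SIDs, messages and addresses in the sample log are constructed for this example; the protected set is an assumption standing in for your own servers behind the inside IDS.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Snort/Suricata "alert_fast" line, the format the IDS agents would be tailing.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast-format alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["prio"] = int(d["prio"])            # Snort priority: 1 is the most severe
    d["ts"] = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f")
    return d

def block_decisions(lines, frequency=3, timeframe=60, max_prio=2, protected=()):
    """A source producing `frequency` alerts of priority <= max_prio within `timeframe`
    seconds gets one block decision; addresses in `protected` (assumed: your own servers,
    which the inside IDS also sees as sources) are never blocked, so a noisy rule can't
    knock production offline."""
    seen = defaultdict(list)              # src -> timestamps inside the current window
    blocked = []
    for line in lines:
        a = parse_fast_alert(line)
        if a is None or a["prio"] > max_prio:
            continue                      # unparsable or low-priority: alert only, no response
        src = a["src"]
        if src in protected or src in blocked:
            continue
        window = [t for t in seen[src] if a["ts"] - t <= timedelta(seconds=timeframe)]
        window.append(a["ts"])
        seen[src] = window
        if len(window) >= frequency:
            blocked.append(src)           # this is what active response would push to the router
    return blocked

# Constructed sample log; SIDs 1000001-1000003 and all addresses are made up for this example.
SAMPLE_LOG = [
    "03/01-10:00:01.000000  [**] [1:1000001:1] EXAMPLE SCAN probe [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 203.0.113.9:40000 -> 198.51.100.10:22",
    "03/01-10:00:05.000000  [**] [1:1000001:1] EXAMPLE SCAN probe [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 203.0.113.9:40001 -> 198.51.100.10:23",
    "03/01-10:00:09.000000  [**] [1:1000001:1] EXAMPLE SCAN probe [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 203.0.113.9:40002 -> 198.51.100.10:80",
    "03/01-10:00:10.000000  [**] [1:1000002:1] EXAMPLE policy noise [**] [Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.50:5353 -> 198.51.100.10:5353",
    "03/01-10:00:11.000000  [**] [1:1000003:1] EXAMPLE odd response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.10:80 -> 203.0.113.77:51000",
    "03/01-10:00:12.000000  [**] [1:1000003:1] EXAMPLE odd response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.10:80 -> 203.0.113.78:51001",
    "03/01-10:00:13.000000  [**] [1:1000003:1] EXAMPLE odd response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.10:80 -> 203.0.113.79:51002",
]
```

Calling `block_decisions(SAMPLE_LOG, protected={"198.51.100.10"})` blocks only the scanning source; without the protected set, the web server's own outbound alerts would get it blocked too, which is exactly the "preventing chaos" tuning problem from slide 24.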
32. Other Event Sources
• FTP Servers
• Web Servers
• Web App Firewalls
• Anti-Virus Servers
• Domain Controllers
• Anything that you can get logs from
External IDS captures scan traffic. Internal IDS captures traffic to/from live servers. Vyatta is the choke point for blocking traffic.
External IDS - similar to honeypot/artillery, but without an actual bastion host
Internal IDS - watches real, already existing traffic against your real servers