12. Then Came the god “SIEM”
[Slide diagram: Firewall, IDS, Proxy, Malware Analysis → Logs, Logs, Logs, Logs → Centralized Logging Solutions / SIEM]
13. Weaknesses?
• Independent solutions
• Static configurations
• Only logs are centralized
• No global protection
• Useful data not shared
• Real-time protection not easy
18. Back to the Roots
• REXX is a scripting language invented by IBM.
• ARexx was implemented in AmigaOS in 1987.
• It allows applications that have an ARexx interface to communicate and exchange data.
19. RTFM!
• Security is a big market ($$$)
• The “Microsoft Office” effect (<10% of features really used)
• Invest time to learn how your products work.
• Be a hacker: learn how it works and make it work the way you want.
20. A True Story…(1)(2)
During a meeting with $VENDOR_A, the presales guy proposed a new solution to intercept SSL traffic. Later, the engineer explained that $VENDOR_B’s product could perfectly handle the traffic just by activating the feature “x” and redirecting traffic to $VENDOR_A’s appliance. Still remembering the face of the presales guy… Priceless!
(1) Names have been changed to protect the innocent
(2) More info could be disclosed during the after party :-)
23. Lazy people or Optimization?
“A lazy sysadmin is the best admin”
- Anonymous
24. Automation is the Key
• Python|Perl|Bash|…
• Expect!
use Expect;

# $user, $host, $password and $timeout are assumed to be set earlier in the script
my $c = "ssh $user\@$host";           # '\@' so Perl does not try to interpolate an array
my $e = Expect->spawn($c) or die "No SSH?";
$e->expect($timeout,
    [
        qr/password: $/,              # wait for the password prompt
        sub {
            my $fh = shift;
            print $fh "$password\n";  # answer it, then continue the session
        }
    ]
);
27. HTTPS
• Generate an API key
https://10.0.0.1/api/?type=keygen&user=foo&password=bar
• Submit XML requests
https://10.0.0.1/api/?type=config&key=xxx&action=set&xpath=/config/device/entry[@name=localhost]/vsys/entry[@name=vsys1]/address/entry[@name=NewHost]&element=<ip-netmask>192.168.0.1</ip-netmask><description>Test</description>
28. Snort-Rules Generator
• Lots of security tools accept Snort rules
use Snort::Rule;

# Rule header: action, protocol, source/destination addresses and ports
my $rule = Snort::Rule->new(
    -action => 'alert',
    -proto  => 'tcp',
    -src    => '10.0.0.1',
    -sport  => 'any',
    -dir    => '->',
    -dst    => 'any',
    -dport  => 'any',
);

# Rule options: message shown in alerts and a unique rule ID
$rule->opts('msg', 'Detect traffic from 10.0.0.1');
$rule->opts('sid', '666666');

print $rule->string, "\n";
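The same generator idea in Python (an added example, not code from the deck, and using the standard library rather than Snort::Rule): every field is validated before it reaches the rule text, so a typo in the source data, such as the truncated address “10.0.1”, or a quote or semicolon in a message cannot produce a malformed or misleading rule. The blocklist and messages are constructed sample input.

```python
import ipaddress
import re

# Constructed sample input (fictional): one (source, message) pair per rule,
# e.g. a blocklist exported from the SIEM discussed earlier in the deck.
BLOCKLIST = [
    ("10.0.0.1", "Detect traffic from 10.0.0.1"),
    ("192.168.10.0/24", 'Scanner subnet; see ticket "IR-42"'),
]

ACTIONS = {"alert", "log", "pass", "drop", "reject"}
PROTOS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_START = 1000000  # SIDs below 1,000,000 are reserved for official rulesets

def _addr(value):
    """Accept 'any', an IP or a CIDR; a typo such as '10.0.1' raises instead of reaching the sensor."""
    if value == "any":
        return value
    net = ipaddress.ip_network(value, strict=False)
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)

def _port(value):
    """Accept 'any', a single port or a low:high range (variables such as $HTTP_PORTS are out of scope)."""
    if value == "any":
        return value
    if re.fullmatch(r"\d{1,5}(:\d{1,5})?", value) and all(int(p) <= 65535 for p in value.split(":")):
        return value
    raise ValueError("bad port: %s" % value)

def _msg(text):
    """Escape the characters that would otherwise terminate the msg option or the rule body."""
    return text.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")

def make_rule(sid, src, msg, action="alert", proto="tcp", sport="any", dst="any", dport="any", rev=1):
    """Build one rule; every field is checked so generated data cannot yield a malformed rule."""
    if action not in ACTIONS or proto not in PROTOS:
        raise ValueError("unsupported action or protocol")
    if sid < LOCAL_SID_START:
        raise ValueError("use a local SID (>= %d)" % LOCAL_SID_START)
    header = "%s %s %s %s -> %s %s" % (action, proto, _addr(src), _port(sport), _addr(dst), _port(dport))
    return '%s (msg:"%s"; sid:%d; rev:%d;)' % (header, _msg(msg), sid, rev)

def generate(entries, first_sid=LOCAL_SID_START):
    """One rule per entry, with SIDs allocated sequentially from first_sid."""
    return [make_rule(first_sid + i, src, msg) for i, (src, msg) in enumerate(entries)]
```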
29. IF-MAP
• Open standard to allow authorized devices to publish/search relevant information
• Information could be:
• IP
• Login
• Location (devices)
30. IF-MAP
use strict;
use warnings;
use Ifmap;
use Ifmap::Util;

# Request a new IF-MAP session with the MAP server
my $r = Ifmap::Request::NewSession->new();

# Identifiers: the objects that metadata is attached to
my $ip  = Ifmap::Identifier::IpAddress->new(ip_address => '10.0.0.1');
my $mac = Ifmap::Identifier::MacAddress->new(mac_address => 'aa:bb:cc:dd:ee:ff');
my $id  = Ifmap::Identifier::Identity->new(name => 'john', type => 'username');

# Metadata to publish about those identifiers
my $meta = Ifmap::Metadata::Element->new(name => 'name', value => 'employee');
31. SNMP
• SNMP can be used to push configuration changes
• Example:
• Router 10.0.0.1 will pull the access-list “acl.tmp” from TFTP server 10.0.0.2
$ snmpset -v1 -c Pr1v4t3 10.0.0.1 .1.3.6.1.4.1.9.2.1.53.10.0.0.2 s acl.tmp
32. TCL
• Cisco devices have a framework called EEM: “Embedded Event Manager”
• Example:
• The router may communicate information based on its status
event manager applet Interface_Event
 event syslog pattern “.*UPDOWN.*FastEthernet0/1.* changed state to .*”
 action 1.0 cli command “tclsh flash:notify.tcl”
49. Controls
• Security first!
• Strong controls must be implemented
• Authentication/Authorization
• Could break your compliance
• Use an OoB network
• Risk of DoS!
50. Controls
• RFC1918
• Alexa Ranking List
• Top local sites
• admin logins
• Your domains, IP addresses
51. Conclusions
• Don’t buy just “a box”
• RTFM
• Control
• Take time to optimise your time (be lazy!)