Building a Campus Dshield Randy Marchany IT Security Lab VA Tech Blacksburg, VA
VT Defense-in-Depth Strategy Layer 1: Blocking Attacks: Network Based Layer 2: Blocking Attacks: Host Based Layer 3: Eliminating Security Vulnerabilities Layer 4: Supporting Authorized Users Layer 5: Tools to minimize business losses
Putting the Pieces Together RDWEB – locate any device in our network DSHIELD – Collect Firewall logs SNORT – Sensors monitoring for patterns SAFETYNET – “pull” vulnerability scanner CHECKNET – “push” vulnerability scanner REMEDY – Trouble Ticket system used by Help Desk CENTRAL SYSLOG – collects syslogs
IDS Infrastructure Campus Systems VT Dshield Dshield MySQL DB SNORT Base MySQL DB CheckNet Failure DB CheckNet WWW Nessus Scanners SafetyNet MySQL DB Remedy Trouble Ticket System CIRT Help Desk IPS SNORT Sensors Central Syslog Servers
VA Tech Defense in Depth Layer 1: Blocking Attacks: Network Based – Network Intrusion Prevention Systems – Discovery and mitigation – Firewalls – Secure Web Filtering – Secure , Anti-Spam
VA Tech Defense in Depth Layer 2: Blocking Attacks: Host Based – Personal firewalls – Spyware removal – Scan & Block/Quarantine Networks – Antivirus
VA Tech Defense in Depth Layer 3: Eliminating Security Vulnerabilities – Vulnerability management & remediation – Patch management – Configuration management – Security configuration compliance – Application security testing
Putting the Pieces Together REN-ISAC weather reports Dshield.org IPS Netflows UCONN netreg VSC scanners
You Already Belong to a “Dshield” Default setting for Windows XP Personal Firewall sends copies of your firewall logs to Why not belong to one that you know about?
Dshield – Internet Storm Center Internet Storm Center concept was developed after analysts noted that time zones provided an early warning system for some attacks Attacks originating in Asia occurred 12+ hours before hitting North America – People coming to work and logging in their computers
Dshield Similar to weather reporting infrastructure Mapping probes similar to mapping weather fronts Admins could look at the data real-time and use this info to prepare for an attack Similar to looking at a weather map to prepare for tomorrow’s weather
Weather Report vs. Internet Storm Ctr Small sensors in as many places as possible recording basic weather info Regional weather stations providing tech support, summarize and display it for local meteorologists National weather centers summarize and map regional data to provide overall weather picture Small IDS tools send logs to regional/campus site Regional site provides automated support and reporting tools Global Analysis & Coordination Centers provide early warning to network community of impending/ongoing attacks
DShield Configuration Hardware – DEC 2650, 2GB RAM, 785GB disk Software – Red Hat Enterprise – Apache WWW server – PHP – MySQL – Dshield base system from Internet Storm Center
The Good News, The Bad News Good News Dshield code is already set to do the functions shown later You do some local mods and you’re ready to go Software can handle the load Fairly universal feeds Good reporting tool Bad News Code is hard to get Basic documentation Convincing your environment to feed your dshield Need to tailor firewall configurations Needs an analyst to interpret the results
References Randy Marchany – VA Tech IT Security Lab – 1300 Torgersen Hall, VA Tech – Blacksburg, VA – ,
IDS/IPS States BLOCK NO BLOCK ALERT GOOD NO ALERT BAD GOOD if Failover BAD if not
VA Tech Defense in Depth Layer 4: Supporting Authorized Users – ID and access management – File Encryption – Secure communications – PKI – VPN – IPSEC based VPN – SSL VPN – Secure remote access
VA Tech Defense in Depth Layer 5: Tools to minimize business losses – Security information management – Business transaction integrity monitoring – Security skills development (training) – Forensic tools – Regulatory compliance tools – Business recovery – Backup