Distributed Network Security Using Free Tools in University Environments Jeff Bollinger, CISSP, GSEC Doug Brown, CISSP, GSEC University of North Carolina.
Distributed Network Security Using Free Tools in University Environments Jeff Bollinger, CISSP, GSEC Doug Brown, CISSP, GSEC University of North Carolina at Chapel Hill Copyright Jeff Bollinger This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Introduction
Access to free tools is ubiquitous and requires only an investment of time and a few pieces of hardware.
Vendor-supplied tools are expensive (initial cost, license fees, maintenance fees, support fees, etc.), and many are not customizable or easily scriptable.
On a campus with decentralized or departmental computing, security and incident response are in the hands of everyone, which makes the process distributed.

Why Free Tools? (they're free, right?)
Most free tools offer free community support (mailing lists, websites, etc.).
Open source tools give the administrator the ability to customize and tailor the results to the needs of the organization.
It's what the bad guys use! It's important to understand what you're being attacked with so you can recognize the attack and reconnaissance signatures.
"To know your enemy, you must become your enemy... Keep your friends close and your enemies closer." - Sun Tzu

Trade Off: Invest Time or Money?
Any security software package is an investment; the question is what your organization is prepared to invest.
Depending on the complexity of the tools, you will need someone who can understand and deploy them. This may require additional training, or some free time to allow your analysts to experiment.
You must trust your tools.

Process
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned

Preparation The preparation phase of the incident handling process is often overlooked but is the most important step. Everyone can participate in this process.

Preparation - Host Cataloguing
Host cataloguing: keeping a body of information on multiple hosts on the network.
Nbtscan
Nmap -sP (ping sweep)
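A host catalogue is only useful if you can see what changed between sweeps. The following is an added example, not code from the original talk: it parses the greppable output of an Nmap ping sweep (assumed to have been saved with `nmap -sP -oG sweep.gnmap 192.0.2.0/28`; later Nmap releases spell -sP as -sn, and the -oG "Host:" lines are the same) into a catalogue and diffs it against the previous sweep. SAMPLE_SWEEP and PREVIOUS_CATALOGUE are constructed, not captured.

```python
"""Host catalogue from an Nmap ping sweep, diffed against the last sweep.

Added example for the host-cataloguing slide; not code from the original
talk. Assumes the sweep was saved in greppable form (-oG). The sample
output and the previous catalogue below are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of `nmap -sP -oG` output; real files carry the same
# "# Nmap ... initiated" / "# Nmap done" comment lines around the hosts.
SAMPLE_SWEEP = """\
# Nmap 3.45 scan initiated as: nmap -sP -oG sweep.gnmap 192.0.2.0/28
Host: 192.0.2.1 (gw.example.edu)\tStatus: Up
Host: 192.0.2.10 (lab-pc1.example.edu)\tStatus: Up
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.12 (lab-pc3.example.edu)\tStatus: Down
# Nmap done -- 16 IP addresses (3 hosts up) scanned
"""

# What last week's sweep found (constructed): .12 was up, .11 did not exist.
PREVIOUS_CATALOGUE: Dict[str, str] = {
    "192.0.2.1": "gw.example.edu",
    "192.0.2.10": "lab-pc1.example.edu",
    "192.0.2.12": "lab-pc3.example.edu",
}

# "Host: <ip> (<reverse DNS name or empty>)<tab>Status: Up|Down"
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_ping_sweep(text: str) -> Dict[str, str]:
    """Return {ip: reverse_dns_name} for every host the sweep reports as Up."""
    catalogue: Dict[str, str] = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment lines and anything else Nmap appends
        ip, name, status = m.groups()
        if status == "Up":
            catalogue[ip] = name  # empty string when the address has no PTR record
    return catalogue


def diff_catalogue(old: Dict[str, str], new: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """(hosts that appeared since `old`, hosts that vanished), sorted by address."""
    by_addr = ipaddress.ip_address
    appeared = sorted(set(new) - set(old), key=by_addr)
    vanished = sorted(set(old) - set(new), key=by_addr)
    return appeared, vanished


if __name__ == "__main__":
    current = parse_ping_sweep(SAMPLE_SWEEP)
    new_hosts, gone_hosts = diff_catalogue(PREVIOUS_CATALOGUE, current)
    print("up now:", sorted(current, key=ipaddress.ip_address))
    print("new since last sweep:", new_hosts)   # unknown hosts deserve a closer look
    print("missing since last sweep:", gone_hosts)
```

In practice the previous catalogue is whatever you persisted after the last sweep (a JSON dump of the dictionary is enough), and a host that appears with no reverse DNS entry, as 192.0.2.11 does here, is exactly the kind of record that turns out to matter during identification.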

Preparation - Vulnerability Assessment
Nessus
Can crash systems! Some plugins send deliberately malformed input; enable the safe-checks option and scan fragile hosts outside production hours.
Great reporting functions (*.html, *.txt, *.xml, etc.)
Highly customizable; provides the ability for other administrators to log in and run scans against their own systems.
Constantly updated
Automatic updates through a cron job (nessus-update-plugins)

Identification

Identification - Intrusion Detection
Snort
Passive: fiber tap or mirror port
Useful as a forensic tool
High false positives
Steep learning curve
Very easy and quick to write custom signatures as soon as they're needed.

Identification - Checking the Ports
Nmap
Quick port scanner
New flag* (-sV) can show which version of common software you're running by making an active connection to its port.
* version 3.45

Identification - Checking the Ports
Netcat
Allows you to silently connect to remote ports and see what might be running on them.
Easy to script when looking at a wide range of IP addresses.

Identification - Checking the Ports
Amap
Another tool that checks the version of software running on a particular port.
A little more elegant than Netcat: Amap sends binary trigger data to the port and matches the response against its signature database to determine what is running there.
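What the three tools above have in common is an active connection, an optional trigger, and a match on the reply. The following is an added example covering the Nmap -sV, Netcat and Amap slides together; it is not code from the talk or from any of those tools. It first waits briefly for a server-first banner (Nmap calls this the NULL probe), and if the service stays quiet it sends request-style triggers (Amap's term) until a signature matches. SIGNATURES is a small constructed table (real tools ship hundreds of entries), and demo() runs the check against throwaway listeners on 127.0.0.1 so the example works offline.

```python
"""Active service identification in the style of netcat, amap and nmap -sV.

Added example for the "Checking the Ports" slides; not code from the talk
or from the tools it names. The signature table and the banners served by
the local demo listeners are constructed.
"""
import re
import socket
import threading
from typing import Dict, Optional, Tuple

# (trigger to send, pattern the reply must match, label). An empty trigger
# means "match the banner the server sends on its own". Constructed table.
SIGNATURES = [
    (b"", re.compile(rb"^SSH-[\d.]+-(?P<sw>\S+)"), "ssh"),
    (b"", re.compile(rb"^220 (?P<sw>[^\r\n]+)"), "smtp"),
    (b"HEAD / HTTP/1.0\r\n\r\n",
     re.compile(rb"^HTTP/1\.[01] \d{3}.*?^Server: (?P<sw>[^\r\n]+)", re.S | re.M),
     "http"),
]


def grab(host: str, port: int, trigger: bytes = b"", timeout: float = 2.0) -> bytes:
    """Connect, send the trigger (if any) and collect the reply.

    Stops at EOF, after 4 KiB, or when the service stays quiet for `timeout`
    seconds. Raises OSError if the port is closed or filtered."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if trigger:
            s.sendall(trigger)
        reply = b""
        try:
            while len(reply) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            pass  # silent service, or the banner was already complete
        return reply


def identify(host: str, port: int, timeout: float = 2.0) -> Tuple[str, Optional[str]]:
    """Return (label, software string) for whatever answers on host:port."""
    try:
        banner = grab(host, port, b"", timeout)  # NULL probe: does it speak first?
        for trigger, pattern, label in SIGNATURES:
            if trigger and banner:
                continue  # the server already identified itself; no request needed
            reply = banner if not trigger else grab(host, port, trigger, timeout)
            m = pattern.search(reply)
            if m:
                return label, m.group("sw").decode("ascii", errors="replace")
    except OSError:
        return "closed", None
    return "unknown", None


def _fake_service(banner: bytes, speaks_first: bool) -> Tuple[socket.socket, int]:
    """Throwaway listener on 127.0.0.1 that serves one constructed banner."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        try:
            while True:
                conn, _ = srv.accept()
                with conn:
                    try:
                        if not speaks_first and not conn.recv(1024):
                            continue  # NULL probe closed without sending a request
                        conn.sendall(banner)
                    except OSError:
                        pass
        except OSError:
            pass  # listener closed by demo()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo(timeout: float = 0.5) -> Dict[str, Tuple[str, Optional[str]]]:
    """Run identify() against two constructed local services (SSH-style, HTTP-style)."""
    ssh_srv, ssh_port = _fake_service(b"SSH-2.0-OpenSSH_3.7.1p2\r\n", speaks_first=True)
    web_srv, web_port = _fake_service(
        b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.29 (Unix)\r\nContent-Length: 0\r\n\r\n",
        speaks_first=False)
    try:
        return {"ssh": identify("127.0.0.1", ssh_port, timeout),
                "http": identify("127.0.0.1", web_port, timeout)}
    finally:
        ssh_srv.close()
        web_srv.close()


if __name__ == "__main__":
    print(demo())
```

The order matters: listening first costs one timeout on quiet services, but sending an HTTP request to an SSH port would only produce a protocol error and lose the banner. The same trade-off is why version scans are slower than plain port scans.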

Containment

Penalty Box
Isolation VLAN with no router interface
Gives administrators time to clean their systems in a safe network environment.
Good neighbor ACLs (RFC 1918)
DHCP lease disabling / forced expiration
Source blocking*
Configurable unresolved-ARP threshold
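The last item on the list is the one that decides who goes into the penalty box automatically. The following is an added example of that check, not code from the talk or from any switch vendor's implementation: a host scanning its own subnet (a worm looking for neighbours) sends ARP requests for many addresses that never answer, while a healthy host resolves a few addresses and they all answer. Input is the text of `tcpdump -n arp`; the lines below are constructed, not captured.

```python
"""Unresolved-ARP threshold, the containment trigger on the Penalty Box slide.

Added example; not code from the talk or from any switch. Counts, per
asking host, the distinct addresses it asked for that never answered
anyone. The tcpdump-style sample lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed `tcpdump -n arp` lines. Host .10 resolves two neighbours and
# both answer; host .66 asks for forty addresses and only one of them exists.
SAMPLE_ARP_LOG: List[str] = [
    "10:00:01.000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28",
    "10:00:01.001 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:01, length 28",
    "10:00:02.000 ARP, Request who-has 192.0.2.20 tell 192.0.2.10, length 28",
    "10:00:02.001 ARP, Reply 192.0.2.20 is-at 00:00:5e:00:53:20, length 28",
] + [
    f"10:00:05.{i:03d} ARP, Request who-has 192.0.2.{i} tell 192.0.2.66, length 28"
    for i in range(100, 140)
] + [
    "10:00:05.200 ARP, Reply 192.0.2.120 is-at 00:00:5e:00:53:78, length 28",
]

# Both the old "arp who-has X tell Y" and the newer "ARP, Request who-has X
# tell Y, length N" layouts contain these fragments.
REQUEST = re.compile(r"who-has ([\d.]+) tell ([\d.]+)")
REPLY = re.compile(r"(?i)reply ([\d.]+) is-at ")


def unresolved_arp(lines: Iterable[str]) -> Dict[str, int]:
    """Per asking host: distinct addresses it asked for that nobody answered."""
    asked: Dict[str, Set[str]] = defaultdict(set)
    answered: Set[str] = set()
    for line in lines:
        m = REQUEST.search(line)
        if m:
            target, asker = m.groups()
            asked[asker].add(target)
            continue
        m = REPLY.search(line)
        if m:
            answered.add(m.group(1))  # an address that answered anyone is real
    return {host: len(targets - answered) for host, targets in asked.items()}


def penalty_box_candidates(lines: Iterable[str], threshold: int = 20) -> List[str]:
    """Hosts over the threshold, i.e. what the switch-side check would isolate."""
    counts = unresolved_arp(list(lines))
    return sorted(host for host, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print(unresolved_arp(SAMPLE_ARP_LOG))
    print("isolate:", penalty_box_candidates(SAMPLE_ARP_LOG))
```

Two caveats before wiring something like this to a VLAN change: real implementations count within a sliding time window rather than over a whole capture, and the threshold has to sit above what your own tools generate, because the Nmap ping sweep from the preparation slides will look exactly like this to the switch unless the scanner's address is exempted.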

Eradication

Fport: shows the open ports on a Windows host matched with the PID of the process that owns each one.
PSKill: can force the killing of an unwanted process.
Vision: nice GUI similar to Fport.
AV solutions (free removal tools)
Custom coding

Recovery

Nmap can tell you which systems have been cleaned. Administrators can send you their Fport output for your verification. Custom scan tools can help you probe for any leftovers.
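Verifying a departmental administrator's Fport listing by eye does not scale across a campus. The following is an added example serving both the Eradication slide and the verification step above; it is not code from the talk or from Foundstone's Fport. It parses Fport's text output (the sample is constructed in Fport's column layout) and reports listeners that are not in a known-good baseline for that class of host, plus any listener whose binary runs from outside the trusted system directories. The baseline and the trusted directories are assumptions for a plain Windows workstation.

```python
"""Checking an administrator's Fport listing against a known-good baseline.

Added example for the Eradication and Recovery slides; not code from the
talk or from Fport. Sample output, baseline and trusted directories are
constructed assumptions for a plain Windows workstation.
"""
import re
from typing import List, NamedTuple, Set, Tuple


class Listener(NamedTuple):
    pid: int
    process: str
    port: int
    proto: str
    path: str  # empty for kernel-owned ports (Fport shows no path for "System")


# Constructed sample in Fport v2.0 layout: "Pid Process -> Port Proto Path".
SAMPLE_FPORT = r"""FPort v2.0 - TCP/IP Process to Port Mapper

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1204  svch0st        ->  4444  TCP   C:\DOCUME~1\lab\LOCALS~1\Temp\svch0st.exe
392   svchost        ->  137   UDP   C:\WINNT\system32\svchost.exe
"""

FPORT_LINE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")

# Assumed baseline for a plain workstation: RPC endpoint mapper, NetBIOS, SMB.
WORKSTATION_BASELINE: Set[Tuple[int, str]] = {
    (135, "TCP"), (139, "TCP"), (445, "TCP"), (137, "UDP"), (138, "UDP"),
}
TRUSTED_DIRS = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")


def parse_fport(text: str) -> List[Listener]:
    """One Listener per port line; header and banner lines are skipped."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            listeners.append(Listener(int(pid), proc, int(port), proto, path))
    return listeners


def verify(listeners: List[Listener], baseline: Set[Tuple[int, str]]) -> List[str]:
    """Human-readable findings; an empty list means the host matches its baseline."""
    findings: List[str] = []
    for l in listeners:
        if (l.port, l.proto) not in baseline:
            findings.append(f"{l.port}/{l.proto} ({l.process}, pid {l.pid}) not in baseline")
        if l.path and not l.path.lower().startswith(TRUSTED_DIRS):
            findings.append(f"{l.port}/{l.proto} served by {l.path}, outside a trusted directory")
    return findings


if __name__ == "__main__":
    for finding in verify(parse_fport(SAMPLE_FPORT), WORKSTATION_BASELINE):
        print(finding)
```

Fport reports what the host's own TCP/IP stack admits to, so a kernel-level rootkit can hide a listener from it; that is why the Nmap check from outside the host is the other half of the verification and the two views should agree before a system leaves the penalty box.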

Lessons Learned

The most important step in the incident handling process. There really are not any tools for this particular step, but it is a good opportunity to tweak the tools' settings and prepare them for the next big incident.
How well did they perform?
What were their shortcomings?
How can we use them more effectively in the future?
What access do we give other administrators to our tools, and how can we justify it?
Was our communication with other groups appropriate?

Conclusion Staying current with security tools and being aware of developments within the security community gives you and the other administrators an opportunity to keep up with attack trends and other threats. Free tools provide a substantial ROI, and help to increase the technical ability of your staff. Distribution of duties is critical for a decentralized campus computing infrastructure. Put your trust in other administrators and they will do the same for your security group.

Thank you Contact Jeff at unc.edu Doug at unc.edu

Downloads
Nbtscan ( )
Nmap ( )
Nessus ( )
Snort ( )
Netcat ( )

Downloads (Cont.)
Amap ( )
Fport ( )
PSKill ( )
Vision ( )