1 Quick Overview Overview Network –IPTables –Snort Intrusion Detection –Tripwire –AIDE –Samhain Monitoring & Configuration –Beltaine –Lemon –Prelude Conclusions.

Slides:



Advertisements
Similar presentations
Presented by Nikita Shah 5th IT ( )
Advertisements

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
Net security - budi rahardjo Overview of Network Security Budi Rahardjo CISCO seminar 13 March 2002.
The Case for Tripwire® Nick Chodorow Sarah Kronk Jim Moriarty Chris Tartaglia.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
System Security Scanning and Discovery Chapter 14.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Firewall Configuration Strategies
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Web Server Administration
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering
Kaspersky Open Space Security: Release 2 World-class security solution for your business.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Installing Samba Vicki Insixiengmay Jonathan Krieger.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
LINUX Security, Firewalls & Proxies. Course Title Introduction to LINUX Security Models Objectives To understand the concept of system security To understand.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Penetration Testing Security Analysis and Advanced Tools: Snort.
S E C U R E C O M P U T I N G Intrusion Tolerant Server Infrastructure Dick O’Brien, Tammy Kappel, Clint Bitzer OASIS PI Meeting March 14, 2002.
Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.
Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.
Honeypot and Intrusion Detection System
Common Cyber Defenses Tom Chothia Computer Security, Lecture 18.
Overview of MSS System Human Actors Non-Human Actors In-house developed components Third party products.
1 Vulnerability Analysis and Patches Management Using Secure Mobile Agents Presented by: Muhammad Awais Shibli.
Module 4: Configuring ISA Server as a Firewall. Overview Using ISA Server as a Firewall Examining Perimeter Networks and Templates Configuring System.
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
Denial-of-Service Attacks Justin Steele Definition “A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate.
Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
Security at NCAR David Mitchell February 20th, 2007.
7400 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved. -0/17- OfficeServ 7400 Enterprise IP Solutions Quick Install Guide.
1 Implementing Monitoring and Reporting. 2 Why Should Implement Monitoring? One of the biggest complaints we hear about firewall products from almost.
1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.
ISA Server 2004 Introduction Владимир Александров MCT, MCSE, MCSD, MCDBA Корус, Управител
Intrusion Intrusion Detection Systems with Snort Hailun Yan 564-project.
Snort Intrusion detection system Charles Beckmann Anthony Magee Vijay Iyer.
S E C U R E C O M P U T I N G Not For Public Release 1 Intrusion Tolerant Server Infrastructure Dick O’Brien OASIS PI Meeting July 25, 2001.
Intrusion Detection on a Shoestring Budget Shane Williams UT Austin Graduate School of Library and Information Science Oct. 18, 2000 SANS Network Security.
INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used? Tripwire.
Server Hardening Moses Ike and Paul Murley TexSAW 2015 Credit to Daniel Waymel and Corrin Thompson.
Firewalls Group 11Group 12 Bryan Chapman Richard Dillard Rohan Bansal Huang Chen Peijie Shen.
Network Security Major Problems Network Security Major Problems Why Firewall? Why Firewall? Problems with Firewalls Problems with Firewalls What is.
Module 10: Windows Firewall and Caching Fundamentals.
Role Of Network IDS in Network Perimeter Defense.
Lemon security. Previous security enhancements user lemon: lemon-db-admin-OraMon will create user lemon (Miro). - OraMon switches to user lemon at its.
Aaron Corso COSC Spring What is LAMP?  A ‘solution stack’, or package of an OS and software consisting of:  Linux  Apache  MySQL  PHP.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
Basic Linux Desktop Security © Konrad Rosenbaum this presentation is protected by the GNU General Public License version 2 or any newer.
Common System Exploits Tom Chothia Computer Security, Lecture 17.
The Linux Operating System
Securing services in a unix-based environment
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
Introduction to Networking
Security of a Local Area Network
Unit 27: Network Operating Systems
Chapter 27: System Security
Setting Up Firewall using Netfilter and Iptables
TRIP WIRE INTRUSION DETECTION SYSYTEM Presented by.
Presentation transcript:

1 Quick Overview Overview Network –IPTables –Snort Intrusion Detection –Tripwire –AIDE –Samhain Monitoring & Configuration –Beltaine –Lemon –Prelude Conclusions

2 Overview Why do this? –Changes to site firewall –Needs of new generation of software –Better to make decisions at a node or cluster level What do we want to do? –Layered security system for FIO machines Network / firewall Node Cluster –Develop reusable components

3 Network Security What do we want to do? –Restrict external access to machines Based on specific IP addresses and ports Limit who can attack us and how –(Potentially) restrict out going connections to limit systems being used for DDoS attacks and unauthorized use Check we’re not spoofing others –Easy way to block P2P / IRC / banned apps.

4 IPTables Kernel level packet filter –checks packets before they get to application *filter :INPUT DROP [0:0] :OUTPUT ACCEPT [0:0] :FORWARD DROP [0:0] -A INPUT --match state --state RELATED -j ACCEPT -A INPUT --match state --state ESTABLISHED -j ACCEPT -A INPUT -p tcp --dport ssh --match state --state NEW -j ACCEPT COMMIT Example configuration

5 IPTables cont. Currently deployed on 2 clusters –CASTORGRIDSC –FTS Based on NCM component from Joao Martins –We have expanded logging functions and chains –Have a (short) to do list for extra functions Simple to write rules for Limited in intelligence –Doesn’t spot port scans

6 IPTables cont. Can be used to block P2P, IRC, etc –Both to and from machine –Several ways to do this Assuming static port number - block port Limited outside connections – restrict IP addresses Limited services – block all ports by default However …. –Does not make applications and services foolproof –Service vulnerabilities are still there!

7 Snort Similar to IPTables but for multiple nodes –Packet filter –Central monitoring system Can provide overview of attacks –Used it to create new rules before nodes get hit Network overhead  performance issues –Do we want all this info? Who will use it?

8 Snort Advantages Can have sensors on both sides of the firewall Popular with many people Can be used before IPTables Disadvantages Not useful if we have firewalls on every machine Less useful on a cluster basis Not able to see rejected packets on IPTables output Possibly overkill for us –Site level better for DDoS attacks

9 Conclusions We can now deploy IPTables on nodes quickly and easily Need documentation on rules for services –This is ongoing –Developers need to document network connections more – this is a general issue Is this enough? Do people want more from the host based firewall?

10 Intrusion Detection Many types – network, file, kernel … Our interest: File integrity checkers –creates a database of hash values for system files and executables which existing file system can be checked against Tripwire- open source and commercial product AIDE- open source alternative to Tripwire Samhain - open source & designed for clusters

11 Tripwire Very mature IDS Widely used in academia and SoHo –CHEP 2004 paper by CIEMAT, Madrid –Update issues for us – what is we change ssh? Requires fine tuning to the system –Initially there are a large number of s Has scalability issues –Software update issues

12 Policy File Secure Database File system Tripwire check report

13 Tripwire Policy File Example ( rulename = "Critical configuration files", severity = $(SIG_HI) ) { /etc/crontab -> $(SEC_BIN) ; } # Rest of critical system binaries ( rulename = "OS executables and libraries", severity = $(SIG_HI) ) { /bin -> $(SEC_BIN) ; /lib -> $(SEC_BIN) ; }

14 Tripwire Advantages Fast to deploy –Install on system in 10 minutes by hand –Can be rpm deployed Possible security issues In wide spread use Encrypted database –unlike AIDE Low network overhead – s to root Can be run over ssh Disadvantages Single host solution –1 database per node –Only profiles reused Limited development work – commercial version Security issues on install Password deployment Update deployment Message overhead –Big s

15 AIDE Advantages More likely to be maintained than open source Tripwire Disadvantages Limited functionality –Not as mature as Tripwire Designed for single host not cluster Database not encrypted! Doesn’t scale for our needs Open source alternative to Tripwire

16 Samhain Mature IDS Seems to be overlooked in favour of Tripwire Similar functionality –Encrypted database –Profile language Better support for cluster and distributed environments

17 Samhain Advantages Open Source Very easy single system install – much like tripwire Clients can send reports to server Client can have central database & profile Allows central changes to database Disadvantages Includes numerous options Still have issue of initial database security Network overhead in client server mode Issues of central config changes – updates & multiple versions

18 Conclusions An IDS will be a useful component –Covers more files than a simple sensor can –More adaptable –e.g. notify only if log file size decreases Central monitoring useful in cluster environments Need to solve issue of upgrade changes –This can be a useful contribution to development

19 Monitoring What do we want? Information presentation Change management –Want to see what’s happening Has ssh been changed? –Filter alerts & good initial policy not everything needs reporting Reduce unnecessary messages –Deal with software upgrades Don’t want to run n db updates by hand Suggestions & questions please!

20 What we looked at Beltane - Samhain web interface Lemon - CERN monitoring system Prelude - security component presentation system

21 Beltane Monitor Web interface / console for Samhain Allows you to –browse client messages –acknowledge messages –modify the file signature database More advanced than Tripwire s –Able to react immediately –Not (always) necessary to log into node to change database

22 Beltane Monitor Means installing software with web server –Developed for Apache – not sure about IIS –Beltane is specific to Samhain Wont work for AIDE or Tripwire –May have scalability issues Not tested with multiple clusters / >100 machines Not sure if we can break down to cluster level I’d like some Ganglia style features included …

23

24 Prelude Started as IDS – focused on the network Our interest is its monitoring system potential –Can receive reports from other IDSs –Standard message language - Intrusion Detection Message Exchange Format (IDMEF) –Uses MySQL or Postgres – no oracle support Web interface Central monitoring system for more / future security applications? Better choice than Beltane perhaps ….

25 Lemon Lemon – default monitor for our systems Looking for suggestions –Do we want to use lemon? –What do we want it to do? Critical issue only or full report? We can see three scenarios …

26 Scenario 1 Each node has a local db / log Lemon monitors this log and reports on a machine basis Advantages –No single point of failure Disadvantages –How do you deal with updates?

27 Scenario 2 Nodes have a central log system Lemon gets data from central node Advantages –Only one sensor needed –Can use Tripwire or Samhain Disadvantages –Still have issue of updates

28 Scenario 3 Nodes have client software but log, configuration and database centrally located Advantages –Only one sensor needed –Only one system for updates Disadvantages –Single point of failure –Only available with Samhain

29 Conclusions The monitoring / update system will important We need to make sure that we can monitor file changes in a sensible manner Don’t want to reinvent the wheel