Presentation is loading. Please wait.

Presentation is loading. Please wait.

Distributed Network Security Using Free Tools in University Environments Jeff Bollinger, CISSP, GSEC Doug Brown, CISSP, GSEC University of North Carolina.

Published byPauline Davis Modified over 9 years ago

Similar presentations

Presentation on theme: "Distributed Network Security Using Free Tools in University Environments Jeff Bollinger, CISSP, GSEC Doug Brown, CISSP, GSEC University of North Carolina."— Presentation transcript:

1 Distributed Network Security Using Free Tools in University Environments Jeff Bollinger, CISSP, GSEC Doug Brown, CISSP, GSEC University of North Carolina at Chapel Hill https://www.unc.edu/security Copyright Jeff Bollinger 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Introduction Access to free tools are ubiquitous and only require the investment of time and a few pieces of hardware. Vendor supplied tools are expensive (initial costs, license fees, maintenance fees, support fees, etc.) and many are not typically customizable or easily scriptable. Given a campus with decentralized or departmental computing, security and incident response is in the hands of everyone – making the process distributed.

3 Why Free Tools? ( they’re free, right?) Most free tools offer free community support (mailing lists, websites, etc) Open source free tools give the administrator the ability to customize and tailor the results to the needs of the organization. It’s what the bad guys use! Its important to understand what you’re being attacked with so you can recognize the attack/recon signatures. "To know your enemy, you must become your enemy... Keep your friends close and your enemies closer." - Sun Tzu

4 Trade Off Invest Time or Money? Any security software package is an investment, the question is, what is your organization prepared to invest? Depending on the complexity of the tools, you will need someone who can understand and deploy them. This may require additional training, or some free time to allow your analysts to experiment. You must trust your tools.

5 Process Preparation Identification Containment Eradication Recovery Lessons Learned

6 Preparation The preparation phase of the incident handling process is often overlooked but is the most important step. Everyone can participate in this process.

7 Preparation - Host Cataloguing Host cataloguing: keeping a body of information on multiple hosts on the network. Nbtscan Nmap –sP (Ping Sweep)

8 Preparation - Vulnerability Assessment Nessus Can crash systems! Great reporting functions (*.html, *.txt, *.xml, etc.) Highly customizable –provides the ability for other administrators to log in and run scans against their own systems. Constantly updated Automatic updates through a cron job (nessus- update-plugins)

9 Identification

10 Identification - Intrusion Detection Snort Passive Fiber Tap or Mirror Port Useful as forensic tool High False Positives Steep Learning Curve Very easy and quick to write custom signatures as soon as their needed.

11 Identification – Checking the Ports Nmap Quick Port scanner New flags* (-sV) can actually show which version of common software you’re running by making an active connection to its port. * version 3.45

12 Identification – Checking the Ports Netcat Allows you to silently connect to remote ports to try and see what might be running from them. Easy to script when looking at a wide range of IP addresses.

13 Identification – Checking the Ports Amap Another tool that allows you to check the versions of software running on a particular port. A little more elegant than Netcat, Amap will actually send binary data to a host to try and make it return information on what is running on a particular port

14 Containment

15 Penalty Box Isolation VLAN with no router interface Gives administrators time to clean their systems in a safe network environment. Good neighbor ACLs (RFC 1918) DHCP Lease disabling/forced expiration Source Blocking* Configurable unresolved ARP Threshold

16 Eradication

17 Fport Shows a port listing matched with a PID of services running on a Windows host. PSKill Can force the killing of an unwanted process. Vision Nice GUI similar to Fport AV Solutions (free removal tools) Custom coding

18 Recovery

19 Nmap can tell you which systems have been cleaned. Administrators can e-mail you their Fport output for your verification. Custom scan tools can help you probe for any leftovers.

20 Lessons Learned

21 The most important step in the Incident Handling process. There really are not any tools for this particular step, but this is a good opportunity to tweak their settings and prepare them for the next big incident. How well did they perform? What were their shortcomings? How can we more effectively use them in the future? What access do we give other administrators to our tools, and how can we justify it? Was our communication with other groups appropriate?

22 Conclusion Staying current with security tools and being aware of developments within the security community gives you and the other administrators an opportunity to keep up with attack trends and other threats. Free tools provide a substantial ROI, and help to increase the technical ability of your staff. Distribution of duties is critical for a decentralized campus computing infrastructure. Put your trust in other administrators and they will do the same for your security group.

23 Thank you https://www.unc.edu/security/educause2003 Contact us @: Jeff at unc.edu Doug at unc.edu

24 Downloads Nbtscan ( http://www.inetcat.org/software/nbtscan.html ) http://www.inetcat.org/software/nbtscan.html Nmap ( http://www.insecure.org ) http://www.insecure.org Nessus ( http://www.nessus.org ) http://www.nessus.org Snort ( http://www.snort.org ) http://www.snort.org Netcat ( http://www.atstake.com/research/tools/network_utilities ) http://www.atstake.com/research/tools/network_utilities

25 Downloads (Cont.) Amap ( http://www.thc.org/releases.php ) http://www.thc.org/releases.php Fport ( http://www.foundstone.com/resources/proddesc/fport.htm ) http://www.foundstone.com/resources/proddesc/fport.htm PSKill ( http://www.sysinternals.com/ntw2k/freeware/pskill.shtml ) http://www.sysinternals.com/ntw2k/freeware/pskill.shtml Vision ( http://www.foundstone.com/resources/proddesc/vision.htm ) http://www.foundstone.com/resources/proddesc/vision.htm

Download ppt "Distributed Network Security Using Free Tools in University Environments Jeff Bollinger, CISSP, GSEC Doug Brown, CISSP, GSEC University of North Carolina."

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
Student, Faculty, and Staff Data Availability and Protection What’s the Back-Up Plan? (for academic computing) Sponsored by.

Student, Faculty, and Staff Data Availability and Protection What’s the Back-Up Plan? (for academic computing) Sponsored by.
© Copyright Computer Lab Solutions 2006. All rights reserved. Do you need usage information about your computer labs? Copyright Computer Lab Solutions.

© Copyright Computer Lab Solutions All rights reserved. Do you need usage information about your computer labs? Copyright Computer Lab Solutions.
Cut Costs and Increase Productivity in your IT Organization with Effective Computer and Network Monitoring. Copyright © T3 Software Builders, Inc 2004.

Cut Costs and Increase Productivity in your IT Organization with Effective Computer and Network Monitoring. Copyright © T3 Software Builders, Inc 2004.
Disaster Recovery Planning Because It’s Time! Copyright Columbia University and Bentley College, 2003. This work is the intellectual property of the author.

Disaster Recovery Planning Because It’s Time! Copyright Columbia University and Bentley College, This work is the intellectual property of the author.
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for.

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
Copyright Brian T. Huntley and Tim Antonowicz 2007 This work is the intellectual property of the authors. Permission is granted for this material to be.

Copyright Brian T. Huntley and Tim Antonowicz 2007 This work is the intellectual property of the authors. Permission is granted for this material to be.
CCSU’s E-portfolio Initiative and the IT Career Ladder Jo Kinnard, Ph.D. Clayton College and State University, Morrow, GA.

CCSU’s E-portfolio Initiative and the IT Career Ladder Jo Kinnard, Ph.D. Clayton College and State University, Morrow, GA.
Office of the Vice President Copyright Notice Copyright Greg Hedrick, Matthew Wirges 2004. This work is the intellectual property of the author. Permission.

Office of the Vice President Copyright Notice Copyright Greg Hedrick, Matthew Wirges This work is the intellectual property of the author. Permission.
Educause Security 2007ISC Information Security Copyright Joshua Beeman, 2007. This work is the intellectual property of the author. Permission is granted.

Educause Security 2007ISC Information Security Copyright Joshua Beeman, This work is the intellectual property of the author. Permission is granted.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Nessus – A Vulnerability Scanning Tool SUNY Technology Conference June 2003.

Nessus – A Vulnerability Scanning Tool SUNY Technology Conference June 2003.
Assessing Vulnerabilities ISA 4220 Server Systems Security James A. Edge Jr., CISSP, CISM, CISA, CPTE, MCSE Sr. Security Analyst Cincinnati Bell Technology.

Assessing Vulnerabilities ISA 4220 Server Systems Security James A. Edge Jr., CISSP, CISM, CISA, CPTE, MCSE Sr. Security Analyst Cincinnati Bell Technology.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
SM3121 Software Technology Mark Green School of Creative Media.

SM3121 Software Technology Mark Green School of Creative Media.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.

Similar presentations

Ads by Google