Building a Campus Dshield Randy Marchany IT Security

Building a Campus Dshield Randy Marchany IT Security Lab VA Tech Blacksburg, VA 24060 marchany@vt. edu http: //security. vt. edu

VT Defense-in-Depth Strategy l l l Layer 1: Blocking Attacks: Network Based Layer 2: Blocking Attacks: Host Based Layer 3: Eliminating Security Vulnerabilities Layer 4: Supporting Authorized Users Layer 5: Tools to minimize business losses

Putting the Pieces Together l l l l RDWEB – locate any device in our network DSHIELD – Collect Firewall logs SNORT – Sensors monitoring for patterns SAFETYNET – “pull” vulnerability scanner CHECKNET – “push” vulnerability scanner REMEDY – Trouble Ticket system used by Help Desk CENTRAL SYSLOG – collects syslogs

IDS Infrastructure Campus Systems Check. Net WWW SNORT Base IPS My. SQL DB Central Syslog Servers Nessus Scanners Check. Net Failure DB VT Dshield Remedy Trouble Ticket System Dshield My. SQL DB Safety. Net My. SQL DB CIRT Help Desk SNORT Sensors

VA Tech Defense in Depth l Layer 1: Blocking Attacks: Network Based – – – Network Intrusion Prevention Systems Discovery and mitigation Firewalls Secure Web Filtering Secure Email, Anti-Spam

VA Tech Defense in Depth l Layer 2: Blocking Attacks: Host Based – – Personal firewalls Spyware removal Scan & Block/Quarantine Networks Antivirus

VA Tech Defense in Depth l Layer 3: Eliminating Security Vulnerabilities – – – Vulnerability management & remediation Patch management Configuration management Security configuration compliance Application security testing

Putting the Pieces Together l l l REN-ISAC weather reports Dshield. org IPS Netflows UCONN netreg VSC scanners

You Already Belong to a “Dshield” l l Default setting for Windows XP Personal Firewall sends copies of your firewall logs to http: //hackerwatch. org Why not belong to one that you know about?

Dshield – Internet Storm Center l l Internet Storm Center concept was developed after analysts noted that time zones provided an early warning system for some attacks Attacks originating in Asia occurred 12+ hours before hitting North America – People coming to work and logging in their computers

Dshield l l Similar to weather reporting infrastructure Mapping probes similar to mapping weather fronts Admins could look at the data real-time and use this info to prepare for an attack Similar to looking at a weather map to prepare for tomorrow’s weather

Weather Report vs. Internet Storm Ctr l l l Small sensors in as many places as possible recording basic weather info Regional weather stations providing tech support, summarize and display it for local meteorologists National weather centers summarize and map regional data to provide overall weather picture l l l Small IDS tools send logs to regional/campus site Regional site provides automated support and reporting tools Global Analysis & Coordination Centers provide early warning to network community of impending/ongoing attacks

DShield Configuration l Hardware – l DEC 2650, 2 GB RAM, 785 GB disk Software – – – Red Hat Enterprise Apache WWW server PHP My. SQL Dshield base system from Internet Storm Center

The Good News, The Bad News l l l Good News Dshield code is already set to do the functions shown later You do some local mods and you’re ready to go Software can handle the load Fairly universal feeds Good reporting tool l l l Bad News Code is hard to get Basic documentation Convincing your environment to feed your dshield Need to tailor firewall configurations Needs an analyst to interpret the results

References l l http: //isc. sans. org http: //dshield. cirt. vt. edu Randy Marchany – – VA Tech IT Security Lab 1300 Torgersen Hall, VA Tech Blacksburg, VA 24060 540 -231 -9523, marchany@vt. edu

IDS/IPS States BLOCK NO BLOCK ALERT GOOD NO ALERT BAD GOOD if Failover BAD if not

VA Tech Defense in Depth l Layer 4: Supporting Authorized Users – – – – ID and access management File Encryption Secure communications PKI VPN IPSEC based VPN SSL VPN Secure remote access

VA Tech Defense in Depth l Layer 5: Tools to minimize business losses – – – – Security information management Business transaction integrity monitoring Security skills development (training) Forensic tools Regulatory compliance tools Business recovery Backup