Snort - a free IDS

< hackimacation / ip v2.1 >


Look for more of a security "architectural" focus here in the coming months. I'll be moving away from the "how to hack" message here.  I believe we all agree that is what we want to find in the tech control world.


Security Engineering: Integrated, not added on.

Architecture Integration
There are few mistakes bigger than neglecting security in your network (re)design.  Here are some ideas.  Add a VLAN on a non-routable network.  This is where you would put a management network.  Have your IDS and firewall management interfaces, out-of-band management router and switch ports, and SYSLOG servers here.  Ensure you have the appropriate ACLs on your routers to restrict access to only management workstations.
Point all logging devices, including routers, to your SYSLOG server. 

Alert Management
So now you have all these devices and lots of alerts.  Now what?  Now, look into a Security Incident Management platform.  These will take logs and real-time alerts and normalize them.  For instance, your IDS shows an easy-to-read port scan.  Your firewall logs show some ACLs being hit and some unauthorized service requests.  Your DNS server logs some domain zone transfer requests and filled one of them!  Suddenly, your host IDS (like Tripwire or Dragon Squire) reports system file changes on your SQL server.  Wouldn't it be nice to be able to correlate these alerts all at the same time?  What if you could write an alert script that would say, "If you see this alert on the IDS, AND the firewall reports the same source IP address attempting a connection on that port, AND file1 OR file2 changes on server x, PAGE me."  There is a growing amount of software that does this.  Check out ArcSight and netForensics for more.
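The quoted correlation rule, written out as an added example (not code from this page or from any of the products named). It assumes events have already been normalized to one schema; the field names, the 10-minute window, the host name "serverx" and the sample events are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events, already normalized to one schema the way a
# SIM platform would do for IDS, firewall and host-IDS sources.
EVENTS = [
    {"ts": "2007-05-25T10:00:05", "sensor": "ids", "sig": "portscan",
     "src": "203.0.113.7", "port": 1433},
    {"ts": "2007-05-25T10:00:09", "sensor": "firewall", "action": "deny",
     "src": "203.0.113.7", "port": 1433},
    {"ts": "2007-05-25T10:01:30", "sensor": "firewall", "action": "deny",
     "src": "198.51.100.9", "port": 1433},          # different source
    {"ts": "2007-05-25T10:04:12", "sensor": "hids", "host": "web01",
     "file": "file1"},                              # different server
    {"ts": "2007-05-25T10:06:40", "sensor": "hids", "host": "serverx",
     "file": "file2"},
    {"ts": "2007-05-25T11:30:00", "sensor": "ids", "sig": "portscan",
     "src": "198.51.100.9", "port": 80},            # no firewall/file match
]


def correlate(events, sig, server, files, window=timedelta(minutes=10)):
    """IDS alert AND firewall hit (same src and port) AND watched file changed
    on `server`, all within `window` of the IDS alert. Returns incidents."""
    evs = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    incidents = []
    for ids in evs:
        if ids["sensor"] != "ids" or ids["sig"] != sig:
            continue
        # Everything any sensor reported close in time to this IDS alert.
        near = [e for e in evs if abs(e["ts"] - ids["ts"]) <= window]
        fw = [e for e in near if e["sensor"] == "firewall"
              and e["src"] == ids["src"] and e["port"] == ids["port"]]
        changed = sorted({e["file"] for e in near if e["sensor"] == "hids"
                          and e["host"] == server and e["file"] in files})
        if fw and changed:
            incidents.append({"src": ids["src"], "port": ids["port"],
                              "server": server, "files": changed,
                              "first_seen": ids["ts"].isoformat()})
    return incidents


if __name__ == "__main__":
    for hit in correlate(EVENTS, "portscan", "serverx", {"file1", "file2"}):
        print("PAGE:", hit)   # a real deployment would call a pager/e-mail hook
```

Only the first IDS alert pages: the second has no matching firewall entry or file change inside the window, and the change on web01 is ignored because it is not the watched server.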

Evaluate Everything FIRST!
Anytime you add a device to a network, always ask, "What does this expose and how can it be made secure without impacting users?"  Each time you add a service on a device, there is potential to exploit it.  The old adage of "If you do not need it, do not enable it." is always the first step.  Determine your AAA (Authentication, Authorization, and Accounting) schema.  Check with the vendor's documentation to ensure the latest patches are applied.  Check with Security Focus and others to find what vulnerabilities are publicized.  With the results of those investigations, update/tune your IDS signatures, firewalls and other security devices.  Here is a quick example bullet list for standing up an internal Exchange server:

  • Update the OS with all the latest patches
  • Update Exchange with all the latest patches
  • Turn off all non-essential services (like IIS or DHCP)
  • Add log exporting or an appropriate host IDS agent
  • Update router/firewall ACLs to only allow needed IP addresses and sockets
  • Update/tune network IDSs to accommodate this particular system
  • Use Nessus or other vulnerability scanning software to assess the new box
  • Import the Nessus report to your security devices if supported (ArcSight, netForensics and Dragon IDS support this)
  • Add the box to your periodic vulnerability scan schedule

This list is certainly not all-inclusive.  It will get you started though.  Check with your unit/company's policy to ensure it allows for this and if there are any other things you need to do.  You do have a policy, right?

Wireless (802.11): It can be made secure.
There has been much debate over the insecurity of wireless LANs and Bridging solutions.  This is an affordable AND secure solution if done properly.  There are a few simple steps to take that can secure your implementation of a wireless device.

First, only buy devices with 128-bit encryption...and ENABLE IT!  Use good password practice when making your key.  Next, on your access points, enable secure access.  What this does is suppress the broadcast of your service set identifier (SSID).  This part is critical to rendering pseudo-sniffers like Netstumbler ineffective.  Third, use RADIUS or 802.1X authentication.  Essentially, if a device's MAC, or in the case of 1X a user, doesn't authenticate, that MAC's traffic is not accepted on the network.  Lastly, use a VPN technology with 3DES encryption.  Users can use software clients and bridges can use VPN hard clients to accomplish this.

For more info, see this white paper (PDF) which describes a wireless DMZ concept.


Forensic Focus - computer forensics and data recovery news and discussion: Join our lively computer forensics community today and stay current with other forensic computing professionals through our forum, email discussion list and monthly newsletter.

www.nessus.org has a great vulnerability tool.  Full assessment reporting with fix actions.  Leaves a huge footprint on IDSs. Windows version is available here.

The Metasploit Framework is the best point-click-exploit to shell available. It takes Nessus to the next level. This is basic training for security/pen test labs.

Security News Portal - a one stop shop for all the latest in computer security.  Start here!

www.antionline.com will tell you the latest happenings in the underground, along with providing tools to secure (and unsecure) most networks.

www.securityfocus.com is another mainstream site.  There are lots of tools and information here.  Not a beginner site, but essential for any system administrator.

rain forest puppy is a talented programmer who finds several security issues with MS-IIS.  Also has Perl scripts to test the new vulnerabilities.

www.infowar.com is a mainstream information warfare / information security source page. Has all levels of info from desktop security to international infrastructure threats.

netscan.org also touches the underground as well as mainstream. Hope you do not see your organization listed here :-0

www.l0pht.com has lots of NT security tools too. 

Packet Storm More mainstream IP/Sec consulting.  Recent change in site's url and look, but has the same resources.

eEye™ Digital Security  Makers of Retina IIS hacking tool.  Has some tools, but is a good site for keeping up with news and advisories.

www.phrack.com mixes hacking and phreaking, with news, codes, etc.


Tutorials
Data Communications Magazine tutorial page. Very complete.

htmlgoodies.com is a great web page authoring site. Beginners to pros can find help here.

INFO-WAR Sites
(Mostly academic)

Federation of American Scientists Information Warfare and Information Security on the Web Number two on the ugly/poor web sites in this list, it has very comprehensive sources on IW and is full of hyperlinked references.  Probably a good place to start an academic research project on the subject of IW.

Institute for the Advanced Study of Information Warfare Possibly the ugliest, most poorly laid out site in this list, it has some seriously high-level thoughts on I-W and has an interesting take on how the Chinese view IW.  That's right, other countries are playing these reindeer games!

Rand Research Review Information War and Cyberspace Security Theory and thoughts on the concept of IW.   True think tank style.

The Terrorism Research Centre Information warfare Has a great scenario of what could happen.

   

Last update: 25 May 07