1 A Model for Virtual Laboratory Intrusion Detection Experience Information Security Curriculum Development Conference Kennesaw State University September 2006 Valerie J. Harvey, RMU Department of Computer & Information Systems Randall Johnson, Technical Services, RMU Information Technology John C. Turchek, RMU Department of Computer & Information Systems © 2006, Robert Morris University


Page 1:

A Model for Virtual Laboratory Intrusion Detection Experience

Information Security Curriculum Development Conference

Kennesaw State University, September 2006

Valerie J. Harvey, RMU Department of Computer & Information Systems

Randall Johnson, Technical Services, RMU Information Technology

John C. Turchek, RMU Department of Computer & Information Systems

© 2006, Robert Morris University

Page 2:

Placement in Model IS Curricula

This module may be used with:
• Model I/S curriculum: IS2002.6 Networks and Telecommunication
• MSIS 2000.3 Data Communications and Networking

Page 3:

Curricular Rationale

Other drivers of curricular content include the Homeland Security Presidential Directive HSPD-7 of December 17, 2003, on Critical Infrastructure Identification, Prioritization, and Protection; the NSA; and the enhancement of open standards such as COBIT, ITIL, and ISO 17799.

Page 4:

Intrusion Detection, Auditing: Sarbanes-Oxley Considerations

• Internal Controls – "Section 404 also requires the company's auditor to attest to, and report on management's assessment of the effectiveness of the company's internal controls and procedures for financial reporting in accordance with standards established by the Public Company Accounting Oversight Board." Source: SEC at http://www.sec.gov/news/press/2003-66.htm

• "IT and the process owner must be responsible for: Access control over sensitive and critical applications and data files supporting the process (including security for preventing viruses and hacker intrusions.)" Source: S. Anand, The Sarbanes-Oxley Guide for Finance and IT Professionals (Sarbanes-Oxley Group, 2004), pp. 50-51.

Page 5:

Instructional Advantages

1. Server independence, giving each student control of an IDS configuration.

2. A unique IP address on the "virtual" network for each server, so that students are able to work in teams, including in distance learning situations.

3. Demonstration of centralized logging as typically deployed in production networks, by configuring each virtual machine to send log messages to the instructor's virtual machine.

Page 6:

Information Security – Our Architecture (Virtualization)

Diagram: dom0 (with eth0, the xen-br bridge and iptables) hosting domU-1, domU-2, ... domU-22, each attached to the bridge through its own virtual interface (vif1.0, vif2.0, ... vifn.0).

• HP ML370G3 (2.8 GHz CPU, 1 GB RAM)
• 22 virtual machines (48 MB RAM, 1 GB disk)
• Full root access but with full isolation
• Full bridged networking for virtual machines

Array of virtual machines with full bridging and an Ethernet interface and a range of IP addresses: k.m.n.101 – k.m.n.123

Page 7:

Configuration Steps

1. The host server is prepared
2. Range of IP addresses determined
3. A template virtual machine is created
4. Scripts create individual student virtual machines from template
   1. On the first startup, a script in the template creates the user, sets the root password, and emails the password to student and instructor

Page 8:

Configuration Steps, cont'd

5. Configured the instructor virtual machine
   1. Configured instructor syslog-ng
   2. Configured instructor /var/log/HOSTS directory (central logging destination)

Page 9:

Model of VM Environment (selected directories)

Directory model (selected subdirectories) for RMU Information Security Virtual Machines:

/ (root directory)
  /etc
    /etc/snort
      /etc/snort/rules
    /etc/acidlab
    /etc/init.d
  /var
    /var/log
      /var/log/snort
      /var/log/HOSTS (central audit only)

Page 10:

Central Audit: Information Security – Local and Central Logging

Student inspects auth.log and syslog on own virtual machine.

Central syslog entry copies are sent to the central audit file (HOSTS).

Diagram: on the student virtual machine, Snort logs to syslog-ng, which logs to auth.log and syslog; a copy of each log entry is made and sent to the instructor virtual machine, where it is logged to the HOSTS files (central audit).
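The configuration steps on the two earlier slides (the first-boot script that creates the user, sets the root password and mails it; the instructor-side syslog-ng with the /var/log/HOSTS directory) and the local/central logging model on this slide can be written down as a few shell functions. What follows is an added example written for this page, not the RMU provisioning scripts. It assumes 10.1.2.100 as the instructor VM (standing in for k.m.n.100), 10.1.2.101-123 as the student range, syslog-ng 1.6 configuration syntax, Debian's useradd/chpasswd, and a local MTA behind mail(1); none of those specifics come from the slides.

```shell
#!/bin/sh
# Added example for this page, not the RMU provisioning scripts.
# Assumed, not taken from the slides: instructor VM 10.1.2.100 (for
# k.m.n.100), students 10.1.2.101-123, syslog-ng 1.6 syntax, Debian
# useradd/chpasswd, and a local MTA behind mail(1).
set -u

# 12 random alphanumerics from /dev/urandom (no punctuation, so the
# password survives being pasted out of an e-mail).
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 12
}

# Step 4.1: first boot of a cloned student VM (needs root). Creates the
# student account, sets the root password and mails it to student and
# instructor. The password is never echoed or passed on a command line.
firstboot_provision() {               # $1 student id, $2 mail domain, $3 instructor address
    student=$1 domain=$2 instructor=$3
    pw=$(gen_password)
    useradd -m -s /bin/bash "$student"
    printf 'root:%s\n' "$pw" | chpasswd
    printf 'Root password for %s: %s\n' "$(hostname)" "$pw" |
        mail -s "Lab VM ready" "$student@$domain" "$instructor"
    unset pw
}

# Student side of the logging model: auth.log and syslog stay local for
# the student to inspect; every message is also copied to the instructor
# VM over UDP/514. Snort feeds this path via "output alert_syslog" in
# snort.conf, which is how the "snort: [1:1421:11] ..." lines arise.
write_student_syslog_conf() {         # $1 output file, $2 instructor IP
    cat > "$1" <<EOF
options { use_dns(no); };
source s_all { internal(); unix-stream("/dev/log"); file("/proc/kmsg"); };
filter f_auth { facility(auth, authpriv); };
destination d_auth    { file("/var/log/auth.log"); };
destination d_syslog  { file("/var/log/syslog"); };
destination d_central { udp("$2" port(514)); };
log { source(s_all); filter(f_auth); destination(d_auth); };
log { source(s_all); destination(d_syslog); };
log { source(s_all); destination(d_central); };
EOF
}

# Steps 5.1 and 5.2, instructor side: receive from the lab and file each
# host's messages under /var/log/HOSTS/<host>/<facility>.log (the central
# audit directory). keep_hostname(no) names the directory after the
# sending address, not the hostname the sender claims.
write_instructor_syslog_conf() {      # $1 output file
    cat > "$1" <<'EOF'
options { use_dns(no); keep_hostname(no); create_dirs(yes); };
source s_net { udp(ip("0.0.0.0") port(514)); };
destination d_hosts { file("/var/log/HOSTS/$HOST/$FACILITY.log"); };
log { source(s_net); destination(d_hosts); };
EOF
}

# Prints the iptables rules for the instructor VM's INPUT chain: only the
# student range may reach the syslog port; everything else to it is dropped.
syslog_firewall_rules() {             # $1 first student IP, $2 last student IP
    printf 'iptables -A INPUT -p udp --dport 514 -m iprange --src-range %s-%s -j ACCEPT\n' "$1" "$2"
    printf 'iptables -A INPUT -p udp --dport 514 -j DROP\n'
}
```

Two caveats a practitioner would attach to this design. UDP syslog is unauthenticated, so any student VM could emit messages carrying another host's name; keep_hostname(no) on the instructor side files them by sending address instead of the claimed name (at the cost of seeing 10.1.2.108 rather than vm-ljsst8 in the directory name), and the iptables rules keep the port out of reach of anything beyond the lab range. The mailed root password also travels in clear text through the campus mail system, so it should be changed at the first superuser login the last slide asks for.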

Page 11:

Information Security – Student Assessment of Exploits 1

Below is a list of attempts to open a session based on defaults of the system. Sometimes the passwords are easy to guess, and other times they have no passwords (i.e. guest; attempts to hit defaults; dictionary attacks running through a list of common words). This approach might work when passwords are not changed from defaults, making it sometimes easy to break into a system. If you look below, there are some users like FTP, Oracle, Tomcat, ID, Linux, Internet, etc., which usually indicate server names that connect to other servers. These names are the IDs defaulted by many systems (like Oracle's Database) that connect to a main server, and the password provided could be a default to try to break in.

Apr  9 14:32:12 vm-ljsst8 sshd[17365]: Illegal user info from 125.248.144.98
Apr  9 14:32:14 vm-ljsst8 sshd[17367]: Illegal user ftp from 125.248.144.98
Apr  9 14:32:16 vm-ljsst8 sshd[17369]: Illegal user httpd from 125.248.144.98
Apr  9 14:32:18 vm-ljsst8 sshd[17371]: Illegal user dany from 125.248.144.98
Apr  9 14:32:20 vm-ljsst8 sshd[17373]: Illegal user susan from 125.248.144.98
Apr  9 14:32:22 vm-ljsst8 sshd[17375]: Illegal user oracle from 125.248.144.98
Apr  9 14:32:24 vm-ljsst8 sshd[17377]: Illegal user tomcat from 125.248.144.98
Apr  9 14:32:28 vm-ljsst8 sshd[17381]: Illegal user id from 125.248.144.98
Apr  9 14:32:30 vm-ljsst8 sshd[17383]: Illegal user sgi from 125.248.144.98
Apr  9 14:32:32 vm-ljsst8 sshd[17385]: Illegal user postgres from 125.248.144.98
Apr  9 14:32:34 vm-ljsst8 sshd[17387]: Illegal user flowers from 125.248.144.98
Apr  9 14:32:36 vm-ljsst8 sshd[17389]: Illegal user linux from 125.248.144.98
Apr  9 14:32:37 vm-ljsst8 sshd[17391]: Illegal user internet from 125.248.144.98
Apr  9 14:32:39 vm-ljsst8 sshd[17393]: Illegal user server from 125.248.144.98
Apr  9 14:32:41 vm-ljsst8 sshd[17395]: Illegal user nokia from 125.248.144.98

Page 12:

Information Security – Student Assessment of Exploits 2

Sometimes hackers try to break into a super user account under root anonymously, since some systems like Slackware Linux allow anonymity in super users and/or root passwords. This is an attempt to access.

Apr 11 06:25:01 vm-ljsst8 CRON[17742]: (pam_unix) session opened for user root by (uid=0)
Apr 11 06:25:17 vm-ljsst8 su[17769]: + ??? root:nobody
Apr 11 06:25:17 vm-ljsst8 su[17769]: (pam_unix) session opened for user nobody by (uid=0)
Apr 11 06:28:00 vm-ljsst8 CRON[17742]: (pam_unix) session closed for user root

This is a user outside of our class scanning ports on my system. It is listed on ARIN as RIPE Network Coordination Centre in Amsterdam, NL.

Apr 11 17:06:41 vm-kvwst1 sshd[12790]: Illegal user postgres from 82.224.139.101
Apr 11 17:06:42 vm-kvwst1 sshd[12792]: Illegal user oracle from 82.224.139.101
Apr 11 17:06:47 vm-kvwst1 sshd[12794]: Illegal user cyrus from 82.224.139.101

Dictionary attack from possibly spoofed IP address:

Apr 15 06:37:26 vm-dazst2 sshd[30204]: reverse mapping checking getaddrinfo for adsl-131.100.37.info.com.ph failed - POSSIBLE$
Apr 15 06:37:28 vm-dazst2 sshd[30206]: reverse mapping checking getaddrinfo for adsl-131.100.37.info.com.ph failed - POSSIBLE$
Apr 15 06:37:31 vm-dazst2 sshd[30208]: reverse mapping checking getaddrinfo for adsl-131.100.37.info.com.ph failed - POSSIBLE$
Apr 15 06:37:33 vm-dazst2 sshd[30210]: Illegal user jason from 203.131.100.37
Apr 15 06:37:33 vm-dazst2 sshd[30210]: reverse mapping checking getaddrinfo for adsl-131.100.37.info.com.ph failed - POSSIBLE$

Page 13:

Information Security – Student Assessment of Exploits 3: Port Scanning with nmap

• Number of attacks: 6.
• Attacker: 125.248.144.117 (classmate)
• Example of the entries in the log file:
Apr 11 11:08:06 vm-sfast1 snort: [122:1:0] (portscan) TCP Portscan {PROTO255} k.m.n.117 -> k.m.n.113

Attempted to check SNMP (Port 61) vulnerability on the remote machine --->

Apr 10 01:42:36 vm-mxkst15 snort: [1:1421:11] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} k.m.n.114:62415 -> k.m.n.113:705

TCP traffic flow to the open port 12345 --->

Apr 10 01:42:37 vm-mxkst15 snort: [1:0:0] TCP traffic to port 12345 {TCP} k.m.n.114:62415 -> k.m.n.113:12345

Another user tried to gain privilege via SNMP trap handling --->

Apr 11 11:08:07 vm-mxkst15 snort: [1:1420:11] SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} k.m.n.117:47755 -> k.m.n.113:162
Apr 11 11:08:07 vm-mxkst15 snort: [1:1421:11] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} k.m.n.117:47755 -> k.m.n.113:705
Apr 11 11:08:08 vm-mxkst15 snort: [1:1418:11] SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} k.m.n.117:47755 -> k.m.n.113:161

Remote identification denied, log recorded by snort, attacker located in France --->

Apr 11 16:55:28 vm-mxkst15 sshd[14988]: Did not receive identification string from 82.224.139.101

Unsuccessful reverse mapping attempt --->

Apr 12 04:08:53 vm-mxkst15 sshd[15172]: reverse mapping checking getaddrinfo for . failed - POSSIBLE BREAKIN ATTEMPT!
Apr 12 04:08:54 vm-mxkst15 sshd[15174]: Illegal user user1 from 72.20.3.186

Page 14:

Information Security – Student Assessment of Exploits 4

• Finally, snort detected the attack from machine "k.m.n.122" on port 12345 with the rule I created in the "locals.rules" file, when the attacker used a telnet command on my 12345 port:

Mar 28 13:00:09 vm-sfast1 snort: [1:0:0] TCP traffic to port 12345 {TCP} k.122:4607 -> k.m.n.117:12345
Mar 28 13:00:09 vm-sfast1 snort: [1:0:0] TCP traffic to port 12345 {TCP} k.m.n.122:4607 -> k.m.n.117:12345
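The four assessment slides show what a student reads out of a week of logs; the natural next step in the course is to turn that reading into checks that run over the whole auth.log and syslog (or the instructor's /var/log/HOSTS tree) instead of over a screenful. Below is an added example for this page, not part of the slides or of the RMU course material: three sh/awk functions that count sshd "Illegal user" attempts and distinct user names per source (the dictionary-attack pattern on slide 11), count SSH connections that never sent a protocol banner (what a port scanner such as nmap leaves behind, as on slide 13), and collapse the Snort alerts relayed through syslog into one line per rule and source/destination pair. The sample log is constructed for the example; several lines mirror the slides, with 10.1.2.x standing in for the anonymised k.m.n addresses. One reading the detector does not share with slide 12: su's "+ ??? root:nobody" line records a successful switch (+) by root, with no terminal (???), to the nobody account, right after CRON opened a root session at 06:25, the Debian default time for the daily cron jobs; that is a scheduled job, not an anonymous break-in attempt, so none of the functions below matches it.

```shell
#!/bin/sh
# Added example for this page (not from the slides or the RMU course):
# checks over sshd and Snort entries in a syslog file, using only sh,
# awk and sort. The log below is constructed; 10.1.2.x stands in for the
# anonymised k.m.n addresses on the slides.
set -u

sample_log() {
    cat <<'EOF'
Apr  9 14:32:12 vm-ljsst8 sshd[17365]: Illegal user info from 125.248.144.98
Apr  9 14:32:14 vm-ljsst8 sshd[17367]: Illegal user ftp from 125.248.144.98
Apr  9 14:32:16 vm-ljsst8 sshd[17369]: Illegal user httpd from 125.248.144.98
Apr  9 14:32:22 vm-ljsst8 sshd[17375]: Illegal user oracle from 125.248.144.98
Apr  9 14:32:24 vm-ljsst8 sshd[17377]: Illegal user tomcat from 125.248.144.98
Apr  9 14:32:32 vm-ljsst8 sshd[17385]: Illegal user postgres from 125.248.144.98
Apr 10 01:42:36 vm-mxkst15 snort: [1:1421:11] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.1.2.114:62415 -> 10.1.2.113:705
Apr 10 01:42:37 vm-mxkst15 snort: [1:0:0] TCP traffic to port 12345 {TCP} 10.1.2.114:62415 -> 10.1.2.113:12345
Apr 11 06:25:01 vm-ljsst8 CRON[17742]: (pam_unix) session opened for user root by (uid=0)
Apr 11 06:25:17 vm-ljsst8 su[17769]: + ??? root:nobody
Apr 11 11:08:06 vm-sfast1 snort: [122:1:0] (portscan) TCP Portscan {PROTO255} 10.1.2.117 -> 10.1.2.113
Apr 11 11:08:07 vm-mxkst15 snort: [1:1420:11] SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.1.2.117:47755 -> 10.1.2.113:162
Apr 11 16:55:28 vm-mxkst15 sshd[14988]: Did not receive identification string from 82.224.139.101
Apr 11 17:06:41 vm-kvwst1 sshd[12790]: Illegal user postgres from 82.224.139.101
Apr 11 17:06:42 vm-kvwst1 sshd[12792]: Illegal user oracle from 82.224.139.101
Apr 11 17:06:47 vm-kvwst1 sshd[12794]: Illegal user cyrus from 82.224.139.101
Apr 12 04:08:54 vm-mxkst15 sshd[15174]: Illegal user user1 from 72.20.3.186
Mar 28 13:00:09 vm-sfast1 snort: [1:0:0] TCP traffic to port 12345 {TCP} 10.1.2.122:4607 -> 10.1.2.117:12345
Mar 28 13:00:09 vm-sfast1 snort: [1:0:0] TCP traffic to port 12345 {TCP} 10.1.2.122:4607 -> 10.1.2.117:12345
EOF
}

# Dictionary attack: one source trying many different user names.
# Prints "source attempts distinct_users" for sources at or above the
# threshold, busiest first. Accepts the "Illegal user" wording of the
# OpenSSH on the slides and the "Invalid user" of later releases, and
# tolerates a trailing "port N" on newer log lines.
ssh_dictionary_sources() {            # $1 logfile, $2 minimum attempts
    awk -v min="$2" '
        /sshd\[[0-9]+\]: (Illegal|Invalid) user [^ ]+ from / {
            match($0, / from [^ ]+/);        src  = substr($0, RSTART + 6, RLENGTH - 6)
            match($0, / user [^ ]+ from /);  user = substr($0, RSTART + 6, RLENGTH - 12)
            attempts[src]++
            if (!((src, user) in seen)) { seen[src, user] = 1; names[src]++ }
        }
        END { for (s in attempts) if (attempts[s] >= min)
                  printf "%s %d %d\n", s, attempts[s], names[s] }
    ' "$1" | sort -k2,2nr
}

# Port-scan residue on sshd: a TCP connect that closed without sending
# an SSH banner is logged as "Did not receive identification string".
ssh_probe_sources() {                 # $1 logfile
    awk '/sshd\[[0-9]+\]: Did not receive identification string from / { n[$NF]++ }
         END { for (s in n) printf "%s %d\n", s, n[s] }' "$1" | sort
}

# Snort alerts relayed through syslog: one line per "generator:sid" and
# source -> destination pair (ports stripped) with the packet count, so a
# scan becomes one line per rule instead of one line per packet.
snort_alert_summary() {               # $1 logfile
    awk '
        match($0, / snort: \[[0-9]+:[0-9]+:[0-9]+\] /) {
            id = substr($0, RSTART + 9, RLENGTH - 11)
            sub(/:[0-9]+$/, "", id)                  # drop the rule revision
            src = $(NF - 2); dst = $NF
            sub(/:[0-9]+$/, "", src); sub(/:[0-9]+$/, "", dst)
            n[id " " src " -> " dst]++
        }
        END { for (k in n) printf "%s %d\n", k, n[k] }
    ' "$1" | sort
}
```

The "1:0" lines in the summary are the student's own rule from locals.rules: a Snort rule written without a sid option reports as generator 1, sid 0, which is why local rules should carry an explicit sid at or above 1000000 so that they can be told apart from each other and from the stock rule set. On the instructor VM the same functions can be run over /var/log/HOSTS/*/auth.log to compare sources across the whole lab rather than one machine at a time.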

Page 15:

Information Security – Our Implementation

Students at work in RMU classroom (or at home) using their own computers (laptops)

Server in RMU Data Center hosting virtual machine array for intrusion detection practice

Page 16:

Your comments and demo

• Questions?

• Recommendations?

Page 17:

Sample Student Login

login as: xyzstn
Password:
Linux snort-xen-01 2.6.11.12-xenU #1 Wed Mar 15 06:29:33 EST 2006 i686 GNU/Linux

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr 3 20:49:39 2006 from pool-151-201-242-84.pitt.east.verizon.net
xyzstn@snort-xen-01:~$

Sample Login: Just enter your RMU userid, like xyzstn. When prompted, enter your RMU virtual machine account password (it will not appear on the screen; it is the same as your Novell system password for RMU networks). When you have the virtual machine prompt, like xyzstn@snort-xen-01:~$, log in as superuser and provide the appropriate password.