Distributed Network Security Using Free Tools in University Environments
Jeff Bollinger, CISSP, GSEC
Doug Brown, CISSP, GSEC
University of North Carolina at Chapel Hill
https://www.unc.edu/security
Copyright Jeff Bollinger 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Introduction
Access to free tools is ubiquitous and requires only an investment of time and a few pieces of hardware. Vendor-supplied tools are expensive (initial cost, license fees, maintenance fees, support fees, etc.), and many are not customizable or easily scriptable. On a campus with decentralized or departmental computing, security and incident response are in everyone's hands, which makes the process distributed.
Why Free Tools? (they're free, right?)
Most free tools offer free community support (mailing lists, websites, etc.).
Open source free tools give the administrator the ability to customize and tailor the results to the needs of the organization.
It's what the bad guys use! It's important to understand what you're being attacked with so you can recognize the attack and recon signatures.
"To know your enemy, you must become your enemy... Keep your friends close and your enemies closer." - Sun Tzu
Trade-off
Invest time or money? Any security software package is an investment; the question is what your organization is prepared to invest. Depending on the complexity of the tools, you will need someone who can understand and deploy them. This may require additional training, or some free time for your analysts to experiment. You must trust your tools.
Process
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
Preparation
The preparation phase of the incident handling process is often overlooked but is the most important step.
Everyone can participate in this process.
Preparation - Host Cataloguing
Host cataloguing: keeping a body of information on multiple hosts on the network.
Nbtscan
Nmap -sP (ping sweep)
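A small shell script around the ping sweep, added here as an example of the host-cataloguing step (it is not code from the original talk). It assumes Nmap is installed; the range 192.0.2.0/24, the catalogue directory and the two sample sweeps are constructed placeholders. The parser accepts both the 2003-era "Host ... appears to be up." line and the "Nmap scan report for ..." form later releases print (where -sP survives as an alias for -sn). Comparing today's list with the previous one is what turns a sweep into a catalogue: it shows which hosts appeared or vanished since the last run.

```shell
#!/bin/sh
# Host cataloguing around "nmap -sP" (added example; not from the slides).
# Assumptions: Nmap is installed; the scan range and catalogue directory are
# placeholders; the two sample sweeps below are constructed, not real scans.

# Pull the addresses of live hosts out of saved nmap normal output.
# Old nmap:  "Host name (192.0.2.10) appears to be up."
# New nmap:  "Nmap scan report for name (192.0.2.10)" then "Host is up ..."
live_hosts() {  # $1 = file holding nmap normal output
    grep -E 'appears to be up|Nmap scan report for' "$1" \
      | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | sort -u
}

# Hosts present in the new catalogue but not the old one, and vice versa.
# comm needs sorted input, which live_hosts guarantees.
new_hosts()  { comm -13 "$1" "$2"; }
gone_hosts() { comm -23 "$1" "$2"; }

# One sweep: scan, keep the raw output, derive today's host list and report
# the delta against the previous run. -n skips reverse DNS lookups.
sweep_and_catalogue() {  # $1 = range (e.g. 192.0.2.0/24), $2 = catalogue dir
    range=$1; dir=${2:-./catalog}; today=$(date +%Y%m%d)
    mkdir -p "$dir"
    nmap -sP -n -oN "$dir/sweep-$today.nmap" "$range" >/dev/null
    live_hosts "$dir/sweep-$today.nmap" > "$dir/hosts-$today.txt"
    if [ -f "$dir/hosts-latest.txt" ]; then
        echo "new since last sweep:";  new_hosts  "$dir/hosts-latest.txt" "$dir/hosts-$today.txt"
        echo "gone since last sweep:"; gone_hosts "$dir/hosts-latest.txt" "$dir/hosts-$today.txt"
    fi
    cp "$dir/hosts-$today.txt" "$dir/hosts-latest.txt"
}

# Constructed sample output in the two formats (not real scan results).
sample_sweep_2003() {
cat <<'EOF'
Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-10-01 10:00 EDT
Host ws1.example.edu (192.0.2.10) appears to be up.
Host 192.0.2.11 appears to be up.
Nmap run completed -- 256 IP addresses (2 hosts up) scanned in 5.2 seconds
EOF
}
sample_sweep_today() {
cat <<'EOF'
Nmap scan report for ws1.example.edu (192.0.2.10)
Host is up (0.0010s latency).
Nmap scan report for 192.0.2.12
Host is up (0.0020s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.00 seconds
EOF
}

# Offline demonstration against the constructed samples: one host new, one gone.
demo_delta() {
    d=$(mktemp -d)
    sample_sweep_2003  > "$d/old.nmap"; live_hosts "$d/old.nmap" > "$d/old.txt"
    sample_sweep_today > "$d/new.nmap"; live_hosts "$d/new.nmap" > "$d/new.txt"
    echo "new: $(new_hosts  "$d/old.txt" "$d/new.txt" | tr '\n' ' ')"
    echo "gone: $(gone_hosts "$d/old.txt" "$d/new.txt" | tr '\n' ' ')"
    rm -rf "$d"
}
```

Run demo_delta for the offline check; a nightly cron entry calling sweep_and_catalogue on each departmental range does the real work. Keep the raw .nmap files: during an incident the question is usually "was this address alive last Tuesday?", and the catalogue answers it.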
Preparation - Vulnerability Assessment
Nessus
Can crash systems! (Nessus's "safe checks" option leaves out the plugins that may harm the target; scan production hosts in a window agreed with their administrators.)
Great reporting functions (*.html, *.txt, *.xml, etc.)
Highly customizable –provides the ability for other administrators to log in and run scans against their own systems.
Constantly updated
Automatic updates through a cron job (nessus-update-plugins)
Identification
Identification - Intrusion Detection
Snort
Passive fiber tap or mirror port
Useful as a forensic tool
High false positives
Steep learning curve
Very easy and quick to write custom signatures as soon as they're needed.
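What such a quick custom signature looks like, as an added example in Snort 2 rule syntax (these rules are not from the talk). $HOME_NET and $EXTERNAL_NET come from snort.conf; the IRC ports, the content strings and the sids are illustrative choices, and 1000001 and up is simply the range Snort leaves free for local rules.

```snort
# local.rules: two custom rules as an added example (not from the talk).
# $HOME_NET / $EXTERNAL_NET are defined in snort.conf; ports, content
# strings and sids below are illustrative, not signatures from the slides.

# A campus host answering IRC logins from off-campus is rarely intended:
# alert when the NICK command arrives at a local host on the IRC port.
alert tcp $EXTERNAL_NET any -> $HOME_NET 6667 (msg:"LOCAL campus host accepting IRC logins"; flow:to_server,established; content:"NICK "; nocase; classtype:policy-violation; sid:1000001; rev:1;)

# The other direction: a campus host joining a channel on an outside server.
alert tcp $HOME_NET any -> $EXTERNAL_NET 6660:6669 (msg:"LOCAL outbound IRC channel join"; flow:to_server,established; content:"JOIN #"; nocase; classtype:policy-violation; sid:1000002; rev:1;)
```

Pull the file in with "include $RULE_PATH/local.rules" in snort.conf and check the syntax with "snort -T -c snort.conf" before restarting the sensor. The flow keyword depends on the stream preprocessor being enabled; without it the rule still loads but matches far more noise, which is where the false positives the slide warns about come from.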
Identification – Checking the Ports
Nmap
Quick port scanner.
New flag* (-sV) can actually show which version of common software you're running by making an active connection to its port.
*Nmap version 3.45
Identification – Checking the Ports
Netcat
Allows you to quietly connect to remote ports to try to see what might be running on them.
Easy to script when looking at a wide range of IP addresses.
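The Netcat scripting the slide has in mind, as an added example (not code from the talk). It assumes a classic nc that understands -z (connect without sending data) and -w (timeout in seconds); the /24 prefix and port are placeholders supplied at the call site. The banner classifier is deliberately coarse and keeps anything unfamiliar verbatim so an analyst sees exactly what the port said.

```shell
#!/bin/sh
# Banner sweep with Netcat (added example; not from the slides).
# Assumptions: a classic nc supporting -z and -w; the /24 prefix and port
# passed to sweep_port are placeholders. classify_banner is pure text
# handling and runs offline; the other two functions touch the network.

# Connect to $1:$2 and print the first line the service volunteers.
# The blank line we send coaxes a reply out of servers (HTTP, for one)
# that wait for the client to speak first; SSH, SMTP and FTP talk first.
grab_banner() {  # $1 = host, $2 = port
    printf '\r\n' | nc -w 3 "$1" "$2" 2>/dev/null | head -n 1 | tr -d '\r'
}

# Reduce a banner to a coarse service label; unfamiliar banners are kept
# verbatim for a human to read.
classify_banner() {  # $1 = banner line (may be empty)
    case $1 in
        '')                 echo silent ;;
        SSH-*)              echo ssh ;;
        220*SMTP*)          echo smtp ;;   # "ESMTP" contains SMTP too
        220*FTP*|220*ftp*)  echo ftp ;;
        HTTP/*)             echo http ;;
        *)                  echo "unknown: $1" ;;
    esac
}

# Sweep a /24 for one port; prints host, port and label, tab-separated,
# for every host that accepts the connection.
sweep_port() {  # $1 = /24 prefix such as 192.0.2, $2 = port
    i=1
    while [ "$i" -le 254 ]; do
        host="$1.$i"
        if nc -z -w 3 "$host" "$2" 2>/dev/null; then
            printf '%s\t%s\t%s\n' "$host" "$2" \
                "$(classify_banner "$(grab_banner "$host" "$2")")"
        fi
        i=$((i + 1))
    done
}

# Usage: sweep_port 192.0.2 22 > ssh-hosts.tsv
```

On a campus, sweep only ranges whose owners have agreed to it; to another department's administrator an unannounced sweep is indistinguishable from the recon traffic the Snort slide teaches you to recognize.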
Identification – Checking the Ports
Amap
Another tool that allows you to check the versions of software running on a particular port.
A little more elegant than Netcat: Amap will actually send binary, protocol-specific data to a host to try to make it return information on what is running on a particular port.
Containment
Penalty box
Isolation VLAN with no router interface
Gives administrators time to clean their systems in a safe network environment.
Good neighbor ACLs (RFC 1918)
DHCP lease disabling/forced expiration
Source blocking*
*Configurable unresolved-ARP threshold
Eradication
Fport
Shows a port listing matched with the PID of services running on a Windows host.
PSKill
Can force the killing of an unwanted process.
Vision
Nice GUI similar to Fport
AV solutions (free removal tools)
Custom coding
Recovery
Nmap can tell you which systems have been cleaned.
Administrators can e-mail you their Fport output for your verification.
Custom scan tools can help you probe for any leftovers.
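Checking the Fport output that administrators e-mail in against a list of the listeners you expect on that host, as an added example serving both the Fport slide and this one (it is not code from the talk). It assumes Fport 2.0's column layout ("Pid Process -> Port Proto Path") and an expected-listener file you maintain per host class; the sample dump and baseline below are constructed for illustration.

```shell
#!/bin/sh
# Verifying mailed-in Fport output (added example; not from the slides).
# Assumes Fport 2.0's column layout "Pid  Process  ->  Port  Proto  Path".
# The sample dump and expected-listener list below are constructed.

# Print every listener whose PROTO/PORT is not in the expected list.
# $1 = Fport output as saved from the e-mail (CRLF line ends are fine)
# $2 = file of expected "PROTO/PORT" entries, one per line (e.g. TCP/135)
unexpected_listeners() {
    tr -d '\r' < "$1" | awk -v expected_file="$2" '
        BEGIN { while ((getline line < expected_file) > 0) expected[line] = 1 }
        # Data rows carry "->" in field 3; banner and header lines do not.
        $3 == "->" {
            key = $5 "/" $4
            if (key in expected) next
            # Path may contain spaces (Program Files): rejoin fields 6..NF.
            path = ""
            for (i = 6; i <= NF; i++) path = path (i > 6 ? " " : "") $i
            if (path == "") path = "-"
            printf "%s pid=%s process=%s path=%s\n", key, $1, $2, path
        }'
}

# Number of unexpected listeners; 0 means the host looks clean to Fport.
unexpected_count() {
    unexpected_listeners "$1" "$2" | awk 'END { print NR }'
}

# Constructed Fport 2.0 dump: a web server plus one listener nobody expects.
sample_fport_dump() {
cat <<'EOF'
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1168  inetinfo       ->  80    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1324  netsvc2        ->  6667  TCP   C:\Program Files\Common Files\netsvc2.exe
392   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
EOF
}

# Constructed baseline for a plain Windows 2000 file server.
sample_expected() {
    printf 'TCP/135\nTCP/139\nTCP/445\nUDP/135\n'
}

# Offline demonstration: reports the web server (not in the file-server
# baseline) and the stray listener on 6667.
demo_fport() {
    d=$(mktemp -d)
    sample_fport_dump > "$d/fport.txt"; sample_expected > "$d/expected.txt"
    unexpected_listeners "$d/fport.txt" "$d/expected.txt"
    rm -rf "$d"
}
```

Keep one expected-listener file per host class rather than one per host, and treat an unexpected entry as a question for the administrator, not a verdict: in the constructed sample the web server is legitimate and the listener on 6667 is the one to chase. Fport only sees what the kernel reports, so a clean result is one input to the Nmap confirmation above, not a substitute for it.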
Lessons Learned
The most important step in the Incident Handling process.
There really aren't any tools for this particular step, but it is a good opportunity to tweak the tools' settings and prepare them for the next big incident.
How well did they perform? What were their shortcomings? How can we more effectively use them in the future? What access do we give other administrators to our tools, and how can we justify it? Was our communication with other groups appropriate?
Conclusion
Staying current with security tools and being aware of developments within the security community gives you and the other administrators an opportunity to keep up with attack trends and other threats. Free tools provide a substantial ROI and help to increase the technical ability of your staff. Distribution of duties is critical for a decentralized campus computing infrastructure. Put your trust in other administrators and they will do the same for your security group.
Thank you
https://www.unc.edu/security/educause2003
Contact us @:
Jeff at unc.edu
Doug at unc.edu
Downloads
Nbtscan (http://www.inetcat.org/software/nbtscan.html)
Nmap (http://www.insecure.org)
Nessus (http://www.nessus.org)
Snort (http://www.snort.org)
Netcat (http://www.atstake.com/research/tools/network_utilities)
Downloads (Cont.)
Amap (http://www.thc.org/releases.php)
Fport (http://www.foundstone.com/resources/proddesc/fport.htm)
PSKill (http://www.sysinternals.com/ntw2k/freeware/pskill.shtml)
Vision (http://www.foundstone.com/resources/proddesc/vision.htm)