NoVA Hackers: Securin’ on a Budget
JC, Adam
Disclaimer
» We are only representing ourselves, no one else.
» The material in this presentation is provided without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and non-infringement. In no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or the use or other dealings in the software.
» Attendance implies agreement with the disclaimer.
About us
JC @JC_SoCal
Adam @dfinf2
Former Marine
Forensics/Malware Analysis/Social Engineering
Fishnet Security
Temporary Drifter from San Diego
Security Maven
SOC Hobbit
Open Source Connoisseur
Expectations
» A list of tools, yay tools!
» We will discuss quickly what it’s for.
» We will make an effort to discuss the benefits of having this tool in your environment.
» We will not be detailing the complete functionality of every tool.
» Enjoy the talk; a link to the slide deck will be at the end.
About this talk
» Security appliances are very expensive.
» Budget is not always approved.
» We still need to do SOMETHING.
» Look to open source/free software to provide some degree of security.
» Cat pictures
Agenda
» Look at solutions present for the following areas:
˃ FIREWALL/PROXIES/VPN
˃ IDS
˃ PACKET CAPTURE/FLOW
˃ VULNERABILITY SCANNING
˃ HOST SECURITY
Firewalls / Proxies / VPNs
» IPFire
» pfSense
» Squid
» OpenVPN
IPFire
» GUI-based SOHO firewall distribution. Great “All-In-One” solution
» Very easy to install and pick up and run with
» Support to use as a wireless access point
» Snort IDS/IPS package can be installed and run on the box
» Squid can be installed and comes with preloaded block lists.
pfSense
» Another GUI-based Linux firewall distribution
» Larger feature set than IPFire
» Also features Snort, but provides more configuration for it such as real-time alerting and true IPS capabilities.
» Can also install Squid as a proxy
» Multiple VPN options (OpenVPN, IPsec, PPTP, L2TP)
» Features a captive portal page
» High Availability offering
Squid Proxy
» Best free proxy
» Can configure blocklists that auto-update
» Can be paired with ClamAV to scan executables as they are downloaded
» ACLs can be implemented to control who can access what
» Provides extensive logging: who did what, when, and where
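The "who did what, when, and where" in Squid's access.log is only useful if someone reads it. Here is an added example (not code from the talk or the Squid project) that parses a few constructed lines in Squid's default native log format, splits denied requests (the ACLs doing their job) from allowed ones, and flags executable downloads per user or client address:

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client action/status size method URL user hierarchy/peer type
SAMPLE_LOG = """\
1365601234.567    120 10.0.0.5 TCP_MISS/200 4523 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1365601240.101     12 10.0.0.5 TCP_DENIED/403 3456 GET http://blocked.example/ad.js - HIER_NONE/- text/html
1365601301.889    980 10.0.0.9 TCP_MISS/200 1048576 GET http://files.example/setup.exe alice DIRECT/203.0.113.7 application/octet-stream
1365601310.004      5 10.0.0.9 TCP_DENIED/403 3456 CONNECT evil.example:443 alice HIER_NONE/- -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

def parse_line(line):
    """Return one request as a dict, or None if the line is not in native format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    rec["size"] = int(rec["size"])
    rec["denied"] = rec["action"].startswith("TCP_DENIED")
    return rec

def summarize(log_text):
    """Per user (or client IP when unauthenticated): request count, bytes, denied URLs, .exe fetches."""
    per_client = defaultdict(lambda: {"requests": 0, "bytes": 0, "denied": [], "executables": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        who = rec["user"] if rec["user"] != "-" else rec["client"]
        entry = per_client[who]
        entry["requests"] += 1
        entry["bytes"] += rec["size"]
        if rec["denied"]:
            entry["denied"].append(rec["url"])
        if rec["url"].lower().endswith(".exe"):
            entry["executables"].append((rec["when"].isoformat(), rec["url"]))
    return dict(per_client)

if __name__ == "__main__":
    for who, stats in summarize(SAMPLE_LOG).items():
        print(who, stats)
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; the regex assumes the default native format, not a custom logformat.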
OpenVPN
» Uses the features of OpenSSL
˃ encryption, authentication, and certification
˃ cipher, key size, or HMAC digest
» Static-key based conventional encryption or certificate-based public key encryption
» Tunnel over a single UDP or TCP port
» Use static, pre-shared keys or TLS-based dynamic key exchange
» Windows GUI
» Comes installed on IPFire, pfSense
IDS
» Snort
˃ Snorby
» Suricata
Snort
» Probably the most well-known IDS out there
» Fairly difficult to deploy a multi-sensor IDS with Snort
» Will work just as well as Sourcefire if configured properly
» Multiple packages can be added to Snort to make it perform better (i.e. Barnyard and PulledPork)
Snorby
» Front end for Snort
» Displays a lot of useful information upfront and easily
» Events parse out quite well and make it easy to read what caused the event
» Native integration with OpenFPC allows full packet capture with Snort without too much configuration
Suricata
» Another well-known IDS/IPS engine
» Part of Homeland Security’s open source tech program
» Runs on Linux/Windows/Mac
» Can use Snort VRT rules, rule language and logging
» Multi-threaded
» IPv6 support
» Rule-based IP reputation
Packet Capture/Flow
» OpenFPC
» Moloch
» fProbe
OpenFPC
» Full packet capture program made to easily integrate with other programs such as Snorby
» API is easy to use
» Installs easily on Debian with minimal compiling
Moloch
» Provides a great, complete program for full packet capture
» Has the ability to deploy multiple servers that report back to one
» Interface out of the box, useful if you don’t plan to integrate with an IDS or SIEM, etc.
fProbe
» Small program that can be run on either the OpenFPC or Moloch box to turn packet captures into flows
» Very simple to use: just install and make sure the options are set correctly to point at the right collector (SIEM or pfSense server, etc.)
» Helpful if networking decided to buy those Cisco routers that conveniently don’t support NetFlow…
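To show what the collector actually receives once fProbe is pointed at it, here is an added example (not fprobe's code, nor from the talk) that packs and parses NetFlow v5, the export format fprobe speaks: a constructed two-record packet is built the way an exporter would, decoded the way a SIEM or collector would, and then triaged for large outbound transfers. The 10.0.0.0/8 local range and the 10 MB threshold are assumptions for the demo.

```python
import struct
import socket

# NetFlow v5 wire layouts, network byte order: 24-byte header, 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def build_v5_packet(records, sys_uptime=1000, unix_secs=1365601234, seq=0):
    """Constructed exporter side: pack (src, dst, sport, dport, proto, pkts, octets) tuples."""
    body = b""
    for src, dst, sport, dport, proto, pkts, octets in records:
        body += RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                            0, 0, pkts, octets, sys_uptime - 500, sys_uptime,
                            sport, dport, 0, 0x18, proto, 0, 0, 0, 0, 0, 0)
    hdr = HEADER.pack(5, len(records), sys_uptime, unix_secs, 0, seq, 0, 0, 0)
    return hdr + body

def parse_v5_packet(data):
    """Collector side: validate the header and return one dict per flow record."""
    if len(data) < HEADER.size:
        raise ValueError("short packet")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if len(data) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match packet length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6], "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13], "exported_at": secs,
        })
    return flows

def large_outbound(flows, local_prefix="10.", min_octets=10_000_000):
    """Simple triage (assumed local range and threshold): local hosts moving a lot of data out."""
    return [f for f in flows if f["src"].startswith(local_prefix) and f["octets"] >= min_octets]

if __name__ == "__main__":
    pkt = build_v5_packet([("10.0.0.9", "203.0.113.7", 51234, 443, 6, 8000, 12_000_000),
                           ("10.0.0.5", "93.184.216.34", 40001, 80, 6, 10, 4523)])
    for flow in large_outbound(parse_v5_packet(pkt)):
        print(flow)
```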
Scanning
» OpenVAS
» Nessus
» Arachni
OpenVAS
» OpenVAS evolved from Nessus
» Greenbone Security Assistant provides a usable frontend, though it is sometimes slow
» Daily updated feed of Network Vulnerability Tests (NVTs), over 30,000 in total (as of April 2013).
» Pro services from 3rd party vendors.
Nessus – Free Feed
» Though a Pro feed license for a Nessus scanner is only $2,500/yr, you can pick up a free feed for $0/yr
» The only catch is that the plugins are updated a week or so behind the Pro feed
» Not supposed to be used in a commercial environment
» Works well for what most small companies need
Arachni
» Free web application scanner
» Fairly active development on the project
» Takes seconds to stand up and run
» Tends to be more on the false positive side
» Still provides useful information, mainly on out-of-date vulnerable versions of web apps.
Host Security
» OSSEC
» Anti-Virus
» Cuckoo
OSSEC
» OSSEC is a HIDS (host-based intrusion detection system)
» Agents run on: Windows, Linux, MacOS, Solaris, HP-UX, and more
» Comprised of a manager and agents, and also has agentless log acceptance (syslog)
» Can monitor VMware (ESX)
» Real-time alerting
» File integrity and log monitoring
» Commercial support from Trend Micro
Anti-Virus
» ClamAV – Open source, no real-time file monitoring, not as high a success rate as others. Low overhead
» AVG, AVIRA, Avast!, MSSE – All freeware antivirus, with decent detection ratios, fairly high overhead with the exception of MSSE.
» Microsoft has recently said MSSE may not be the best AV of choice and recommends alternatives be used.
Cuckoo
» ‘Semi-automated’ malware analysis sandbox
» Great at quickly identifying what malware may do to a host
» Reporting is very thorough
» Some assembly required
» API built in to make it a bit more automated if you desire
» Does not counter anti-VM malware
Wrap up
» Lots of options
» Great for home labs
» A good start …
» Move to commercial as you grow out of these solutions
Questions?
@JC_SoCal @dfinf2