Out of Band Monitoring Scenarios
Doug White, PhD, CISSP, CCE, PI(RI)
Director, Center for Forensics, Applied Networking, and Security
Roger Williams University
2013 © Secure Technology, LLC
The Sad Tale of Jing An
• The idea of DMZ!
▫ DMZ should contain ONLY assets you can treat as already compromised
▫ This idea has become compromised itself and is often misunderstood!
▫ Only outward-facing, expendable assets should be placed here
The Sad Tale of Jing An
• So what did Jing An do wrong?
▫ Placing the backup device in the DMZ
▫ Pulling backups from the outward-facing device
▫ Both approaches compromise the backup if the server is compromised
The Sad Tale of Jing Cha
• An undercover operation which reviews websites of illegal activity
▫ Dump all desktops into the same subnet
▫ Add all monitoring to the same subnet
▫ Treat this as a DMZ!
▫ Guess what happens.
Again
• Compromise of one machine in the global subnet
▫ All machines compromised
▫ Logging server (if it had existed) compromised
▫ All other resources compromised
The stupidest configuration ever
Tools
• So how do we fix this mess?
▫ SNORT – an open source IDS system (snort.org)
  - Can run with a variety of GUI front ends
  - Low overhead, so it is supported on low-end hardware
  - Even better is to run it on VMware
▫ Logging servers with syslog
  - This is a simple listening daemon that can again be run on VMware
Living the Virtual Life
• So if we virtualize these networks
▫ We can migrate all features into a single hardware box and separate the networks using vSwitches
• NOTE: we can do all this physically as well but it is more resource intensive
The Virtual Out of Band Logging
Things to Note
• Vyatta is an open source router/firewall
▫ This could be done with any virtualized firewall or firewall/router combo to bridge between
▫ Only UDP/514 is allowed through the Vyatta. All other ports are blocked (we used UDP/51400)
• vLogging
▫ Hardened, using Splunk or another logging tool
Snort Sensor
Things to Note
• The Snort sensor was simply a VM running Snort with a standard ruleset.
▫ Rules which monitor traffic on syslog should be implemented, but it's a good idea to exclude normal traffic patterns to avoid sensory overload
▫ Our trigger was any sort of probe of the vVyatta, vLogging or vBase IP addresses, since this would imply compromise of the vHTTP.
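As an added illustration (not code from the slides), a small Python model of the vVyatta policy and the Snort trigger described above: only UDP/51400 syslog from vHTTP to vLogging passes, and any other packet from vHTTP toward vVyatta, vLogging or vBase raises the alert the deck treats as evidence that vHTTP is compromised. The addresses and the sample traffic are constructed, not taken from the deck.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Constructed addresses for the deck's roles (assumption, not from the slides).
VHTTP = ip_address("192.0.2.10")      # outward-facing web server, primary point of entry
VVYATTA = ip_address("10.99.0.1")     # virtual firewall between vHTTP and the hidden net
VLOGGING = ip_address("10.99.0.20")   # hardened syslog collector
VBASE = ip_address("10.99.0.30")      # BASE console for Snort alerts
HIDDEN = {VVYATTA, VLOGGING, VBASE}
SYSLOG_PORT = 51400                   # the deck moved syslog from UDP/514 to UDP/51400

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "udp", "tcp" or "icmp"
    dport: int = 0  # 0 for icmp

def firewall_allows(pkt: Packet) -> bool:
    """vVyatta policy: only UDP syslog from vHTTP to vLogging crosses into the hidden net."""
    return (ip_address(pkt.src) == VHTTP and ip_address(pkt.dst) == VLOGGING
            and pkt.proto == "udp" and pkt.dport == SYSLOG_PORT)

def sensor_alert(pkt: Packet) -> Optional[str]:
    """Snort-style trigger from the slides: any packet from vHTTP aimed at vVyatta,
    vLogging or vBase that is not the expected syslog flow implies vHTTP is compromised."""
    if ip_address(pkt.src) != VHTTP or ip_address(pkt.dst) not in HIDDEN:
        return None             # outside the trigger's scope (e.g. internet client -> vHTTP)
    if firewall_allows(pkt):
        return None             # the one permitted flow: syslog to vLogging
    return "PROBE from vHTTP to %s %s/%d" % (pkt.dst, pkt.proto, pkt.dport)

def evaluate(packets: List[Packet]) -> List[Tuple[str, bool, Optional[str]]]:
    """Per packet: (dst, passed vVyatta, sensor alert), the view an operator at SOM needs."""
    return [(p.dst, firewall_allows(p), sensor_alert(p)) for p in packets]

# Constructed traffic sample: one legitimate syslog datagram, three probes, one unrelated flow.
SAMPLE = [
    Packet("192.0.2.10", "10.99.0.20", "udp", 51400),  # normal syslog: allowed, no alert
    Packet("192.0.2.10", "10.99.0.20", "udp", 514),    # default syslog port: blocked, alert
    Packet("192.0.2.10", "10.99.0.30", "tcp", 22),     # SSH attempt at vBase: blocked, alert
    Packet("192.0.2.10", "10.99.0.1", "icmp"),         # ping of vVyatta: blocked, alert
    Packet("203.0.113.5", "192.0.2.10", "tcp", 80),    # client to vHTTP: not the sensor's concern
]

if __name__ == "__main__":
    for dst, allowed, alert in evaluate(SAMPLE):
        print(dst, "allowed" if allowed else "blocked", alert or "-")
```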
Trusted Path
OpenVPN
• Open source encrypted tunnel which can extend a subnet
• sysOpMonitor can be
▫ VMware via vSwitch
▫ External, out of band, location
▫ Etc.
Threat Vectors
• vHTTP is the primary point of entry
▫ Compromise server and attempt to push syslog attacks into the vHidden area
  - Likely outcome: probes from vHTTP should trigger SNORT alerts to vBase well in advance of compromise
• Physical compromise of sysOpMonitor
▫ As with all things, physical compromise is the greatest threat
▫ Ensure SOM is well protected and hardened
Secondary Threats
• Lack of monitoring
▫ Skills
▫ Complacency
• Operator Compromise
Non-Virtualized
• VPN tunnel should be used for Logging, BASE, and SOM
• SOM should be isolated from Logging and BASE with a separate key set
• Logging and BASE subnet is VPN point to point
▫ But could be end to end
• SOM is an end-to-point hybrid VPN
Total Cost
• Zero.
• NOTE: since we were using our own Snort rules and only focused on the specific triggers, we did not subscribe to the Snort ruleset. If you are using SNORT as a full IDS, you need the rule subscription.
Internet Resources
• www.snort.org/docs -- snort setups
• Base.secureideas.net – base setups
• Openvpn.net/howto.html
• Splunk.com
• Vyatta.org
Reference
• White, Doug, and A. Rea. 2003. “The Jing An Telescope Factory (JATF): A Network Security Case Study,” Journal of Information Systems Education. Vol 14:3. pp. 307-318.
Contact Information
• (646)-485-5502