Simple Network Defense System
Shou-Chuan Lai
Computer and Communication Center, National Tsing Hua University

Objective
Make our network as available as possible.

Network Defense System
Internet Worm Detection Module
Automatic Router Control Module
Notification Module
Open Mail Relay Detection Module

System Requirement
A NetFlow-capable device
Personal computers running a UNIX-like operating system (e.g., Linux, FreeBSD)
The Simple Network Defense System source code
Open sources
  flow-tools
  apache
  perl (libnet, Net-Server, Net-Telnet, Time-HiRes)
Internet Worm Detection Module

System Requirement
NetFlow-enabled routers or devices (e.g. Cisco Catalyst 6509, mirror-enabled router/switch + NetFlow export software)
Personal computers (e.g. Intel platform)
UNIX-like OS (e.g. Linux, FreeBSD, Solaris, …)
flow-tools (http://www.splintered.net/sw/flow-tools/)
Perl v5.6 or above
apache-1.x or above (http://httpd.apache.org/)

Directory Structure
flow-scan (/usr/local/flow-scan/)
  bin (system programs)
  etc (configuration files)
  flow (NetFlow data captured by flow-tools)
  scan (scan files generated by flow-scan)
  htdocs (html files generated by scan2html)
  tmp (temporary space)

Programs
flow2scan: read flow files and convert them to scan files
scan2html: read scan files and convert them to html files
html2idx: read html files and generate an index html
flow2scan
Program modules
  MyFlow.pm (common subroutines)
  MyScore.pm (score module)
  MyRobot.pm (talks to the router control robot)
Read flow files
  read: /usr/local/flow-scan/flow/…
Generate scan files
  write: /usr/local/flow-scan/scan/…
Send blocking command

flow2scan (cont.)
Read flow files; each flow file is a collection of 10 minutes of flow records
Find suspicious hosts
Check each suspicious host
Score each host (use MyScore.pm)
Block the problematic host if its score exceeds the pre-defined threshold (use MyRobot.pm)
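The detection loop on this slide (read a 10-minute window of flow records, find suspicious hosts, score them, block above a threshold while honouring screen.txt and trust.txt) as an added Python example. This is not the deck's Perl code (flow2scan, MyScore.pm, MyRobot.pm); the record layout, the "few packets per flow means a probe" heuristic, the reading of IP-SCAN-TCP-135 as a sweep of TCP port 135, the threshold of 20 and the sample flows are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed configuration mirroring the deck's examples for screen.txt, trust.txt and worm.txt.
SCREEN = ["192.168.128.0/17"]      # screen.txt: only hosts in these ranges are examined
TRUST = ["192.168.192.0/24"]       # trust.txt: hosts here are reported but never blocked
WORM_TYPES = ["IP-SCAN-TCP-135"]   # worm.txt: worm types to look for
THRESHOLD = 20                     # assumed blocking threshold; the deck gives no value


def parse_worm_type(name):
    """Read 'IP-SCAN-TCP-135' as (protocol, port). The 'IP-SCAN-<proto>-<port>' layout is assumed."""
    parts = name.upper().split("-")
    if len(parts) != 4 or parts[:2] != ["IP", "SCAN"]:
        raise ValueError(f"unsupported worm type: {name}")
    return parts[2].lower(), int(parts[3])


def in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def score_hosts(flows, screen=SCREEN, worm_types=WORM_TYPES, max_packets=2):
    """Score = number of distinct destinations a screened host probed on a worm port.

    A probe is a flow with at most `max_packets` packets (a SYN that got no answer);
    this is the assumed heuristic here, not MyScore.pm's actual scoring.
    """
    signatures = {name: parse_worm_type(name) for name in worm_types}
    probed = defaultdict(lambda: defaultdict(set))
    for src, dst, proto, dport, packets in flows:
        if packets > max_packets or not in_any(src, screen):
            continue
        for name, (sig_proto, sig_port) in signatures.items():
            if proto == sig_proto and dport == sig_port:
                probed[src][name].add(dst)
    return {src: {name: len(dsts) for name, dsts in per.items()} for src, per in probed.items()}


def decide(scores, trust=TRUST, threshold=THRESHOLD):
    """Map each (host, worm type) score to block / trusted / watch."""
    decisions = []
    for src in sorted(scores, key=ipaddress.ip_address):
        for name, score in sorted(scores[src].items()):
            if score < threshold:
                action = "watch"
            elif in_any(src, trust):
                action = "trusted"       # over threshold but on trust.txt: report only
            else:
                action = "block"
            decisions.append((src, name, score, action))
    return decisions


def block_command(src, name, score, window_minutes=10):
    """Hand-off to the router control module, in block-ip.pl's argument order from the deck."""
    return ["block-ip.pl", src, name, f"score={score} in {window_minutes}min window"]


def probes(src, count, port=135, proto="tcp", packets=1):
    """Constructed single-packet flows from src to `count` distinct destinations."""
    return [(src, f"10.1.{i // 256}.{i % 256 + 1}", proto, port, packets) for i in range(count)]


# Constructed 10-minute window of (src, dst, proto, dport, packets) records.
SAMPLE_FLOWS = (
    probes("192.168.130.5", 25)             # screened host sweeping TCP/135: over threshold
    + probes("192.168.130.5", 3, port=445)  # port not in worm.txt: ignored
    + probes("192.168.130.6", 5)            # a few probes only: watch
    + probes("192.168.192.10", 30)          # trusted range: reported, not blocked
    + probes("10.0.0.7", 50)                # outside screen.txt: not examined
    + [("192.168.131.9", "10.2.0.1", "tcp", 80, 40),   # ordinary web traffic
       ("192.168.131.9", "10.2.0.2", "tcp", 80, 12)]
)

if __name__ == "__main__":
    for src, name, score, action in decide(score_hosts(SAMPLE_FLOWS)):
        print(f"{src:16} {name:16} score={score:3} {action}")
        if action == "block":
            print("   ->", " ".join(block_command(src, name, score)))
```

The screen list is applied before scoring and the trust list only at the decision step, so a trusted host that sweeps the worm port still shows up in the report even though no blocking command is sent for it.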
scan2html
Read scan files
  read: /usr/local/flow-scan/scan/…
Generate an html file for each scan file
  write: /usr/local/flow-scan/htdocs/…

html2idx
Search html files
  read: /usr/local/flow-scan/htdocs/…
Generate an index html file
  write: /usr/local/flow-scan/htdocs/…

Periodic Jobs
crontab.10min
  flow2scan $router
  scan2html $router
  html2idx $router

Configurations
flow-scan.txt
screen.txt (to be screened), e.g. 192.168.128.0/17
trust.txt (avoid being blocked), e.g. 192.168.192.0/24
worm.txt (list of worm types), e.g. IP-SCAN-TCP-135
flow-scan.txt
  TOOL = "/usr/local/flow-tools/bin"
  FLOW = "$FDIR/flow"
  SCAN = "$FDIR/scan"
  FTMP = "$FDIR/tmp"
  FSUP = "$FETC/dscan.supress"
  WORM = "$FETC/worm.txt"
  TRUST = "$FETC/trust.txt"
  SCREEN = "$FETC/screen.txt"
  IP_RESERVED = "$FETC/IPv4-address.txt"
  HTML = "$FDIR/htdocs/netflow"
  HTML_REF = "/netflow"
  HTML_URL = "http://netflow.myschool.edu.tw/netflow"
  C6509 = "c6509"
  C6509INT = "6"

Installation
Download the source tar file: http://cc.nthu.edu.tw/~chuan/
Extract the source tar file:
  cp flow-scan-0.90.tar.gz /usr/local
  cd /usr/local
  tar zxf flow-scan-0.90.tar.gz
  ln -s flow-scan-0.90 flow-scan

Installation (cont.)
Modify bin/MyFlow.pm: set FDIR
Modify etc/flow-scan.txt: set TOOL, set HTML_URL, set C6509INT
Modify etc/screen.txt
Modify etc/trust.txt

Installation (cont.)
Test drive:
  flow2scan2 6509
  scan2html2 6509
  html2idx2 6509
Setup crontab:
  2,12,22,32,42,52 * * * * (cd /usr/local/flow-scan/bin; sh crontab.10min) > /dev/null 2>&1
Play
Automatic Router Control Module

System Requirement
Supported routers
  Extreme with ExtremeWare 7.x
  Cisco with IOS 12.x
Perl 5.6 or above
Net-Server module installed
Time-HiRes module installed

Directory Structure
netguard (/usr/local/netguard/)
  bin (binaries for human operation)
  etc (configurations)
  htdocs (notification web pages)
  lib (system modules)
  log (system logs)
  sbin (where the daemons reside)
  spool (IPC for registrar and netguard)

Programs (bin)
block-ip.pl: block an IP address immediately
  block-ip.pl ip-address tag comments
open-ip.pl: open an IP address immediately
  open-ip.pl ip-address

Programs (cont.)
book-open-ip.pl: book an IP address to be opened
  book-open-ip ip-address
cron-open.pl: open booked IP addresses at the specified alarm time (obtained from spool/book)
  cron-open.pl
Daemon Programs (sbin)
netguard.sh: start or stop the netguard module
  netguard.sh (start|stop|restart)
monitor-netguard.sh: keep netguard running (for the sake of stops with unknown reason); should work with crontab
  1,11,21,31,41,51 * * * * (cd /usr/local/netguard/sbin; ./monitor-netguard.sh) > /dev/null 2>&1

Daemon Programs (cont.)
registrar.pl: the central registrar, which accepts commands from other programs via a socket and writes the commands to the file spool; should be woken up by netguard.sh
netguard.pl: the router control robot, which reads commands from the file spool (/spool); should be woken up by netguard.sh

Program Modules (lib)
netguard.pm: contains the code that logs in to the supported routers and configures the access control list for a specified IP address
  currently supported routers: Cisco and Extreme
Periodic Jobs
Open already booked IP addresses
  crontab.daily
  bin/cron-open.pl
  example: 30 7 * * * (cd /usr/local/netguard/bin; ./cron-open.pl)

Configurations
registrar.conf: configuration required by the Net-Server module
netguard.conf: configures the router information required to automatically configure the controllable routers
  type (cisco|extreme);login;password;name

Password and Port Setting
Server password and service port: change the setting in registrar.pl
Client password and port: change the settings in block-ip.pl, open-ip.pl, and book-open-ip.pl; change the programs which talk to the netguard module in other detecting modules

File Spool (spool)
The inter-process communication between registrar and netguard; each file represents a status of an IP address
  archive (has become part of history)
  block (is being blocked)
  book (booked an open request)
  info (an immediate notification required)
  request (command the netguard)
  unblock (counting infected frequency)
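A runnable model of the spool directories above and of how the programs from the earlier slides (block-ip.pl via the registrar, book-open-ip.pl, cron-open.pl and the netguard.pl robot) move one address between them. This is an added Python example, not the netguard module's own Perl code: the JSON file contents, the exact state transitions, the alarm-time comparison and the in-memory set standing in for the router's access list are assumptions.

```python
import json
import os
import tempfile
import time

# Spool states named on the slide; the file contents and transitions below are assumed.
STATES = ("request", "block", "book", "info", "unblock", "archive")


class Spool:
    """File-spool IPC between a registrar (writer) and a router control robot (reader)."""

    def __init__(self, base):
        self.base = base
        for state in STATES:
            os.makedirs(os.path.join(base, state), exist_ok=True)
        self.acl = set()  # stands in for the deny entries the robot would push to the router

    def path(self, state, ip):
        return os.path.join(self.base, state, ip)

    def has(self, state, ip):
        return os.path.exists(self.path(state, ip))

    def write(self, state, ip, record):
        with open(self.path(state, ip), "w") as fh:
            json.dump(record, fh)

    def read(self, state, ip):
        with open(self.path(state, ip)) as fh:
            return json.load(fh)

    # --- registrar side: what block-ip.pl / book-open-ip.pl cause to be written (assumed) ---
    def request_block(self, ip, tag, comments):
        self.write("request", ip, {"cmd": "block", "tag": tag, "comments": comments, "at": time.time()})

    def request_open(self, ip):
        self.write("request", ip, {"cmd": "open"})

    def book_open(self, ip, alarm):
        self.write("book", ip, {"alarm": alarm})

    # --- netguard.pl side: consume request/ and move each IP to its new state ---
    def process_requests(self):
        handled = []
        for ip in sorted(os.listdir(os.path.join(self.base, "request"))):
            req = self.read("request", ip)
            if req["cmd"] == "block":
                self.acl.add(ip)
                self.write("block", ip, req)
                self.write("info", ip, {"event": "blocked", "tag": req["tag"]})  # notification pending
            elif req["cmd"] == "open":
                self.acl.discard(ip)
                if self.has("block", ip):
                    self._archive(ip, self.read("block", ip))
                    os.remove(self.path("block", ip))
            os.remove(self.path("request", ip))
            handled.append((ip, req["cmd"]))
        return handled

    def _archive(self, ip, record):
        history = self.read("archive", ip) if self.has("archive", ip) else []
        history.append(record)
        self.write("archive", ip, history)
        count = self.read("unblock", ip)["count"] if self.has("unblock", ip) else 0
        self.write("unblock", ip, {"count": count + 1})  # how often this host has been infected

    # --- cron-open.pl: open every booked IP whose alarm time has passed ---
    def cron_open(self, now):
        due = [ip for ip in sorted(os.listdir(os.path.join(self.base, "book")))
               if self.read("book", ip)["alarm"] <= now]
        for ip in due:
            self.request_open(ip)
            os.remove(self.path("book", ip))
        self.process_requests()
        return due


def demo():
    """Walk one address through block -> book -> open using a throwaway spool directory."""
    ip = "192.168.130.5"
    spool = Spool(tempfile.mkdtemp(prefix="netguard-spool-"))
    spool.request_block(ip, "IP-SCAN-TCP-135", "score=25 in 10min window")
    spool.process_requests()
    blocked = ip in spool.acl and spool.has("block", ip) and spool.has("info", ip)
    spool.book_open(ip, alarm=1000)           # constructed alarm time
    opened_early = spool.cron_open(now=900)   # not yet due
    opened_late = spool.cron_open(now=1100)   # due: opened and archived
    return {
        "blocked": blocked,
        "opened_early": opened_early,
        "opened_late": opened_late,
        "in_acl": ip in spool.acl,
        "infected_count": spool.read("unblock", ip)["count"],
        "history_length": len(spool.read("archive", ip)),
    }


if __name__ == "__main__":
    print(demo())
```

Because every state is a directory of one file per address, an operator can audit who is blocked (ls spool/block), what is pending (spool/request) and what notification is owed (spool/info) without talking to the daemons, which is what makes the registrar/robot split robust to either side being restarted.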
Notification Module

System Requirement
Perl 5.6 or above
Apache 1.x or above (http://httpd.apache.org/)

Directory Structure
notify (/usr/local/notify/)
  bin (program binaries)
  etc (configurations and notification emails)
  htdocs (notification web pages)

Programs
cron-sendmail.pl: send daily notification
cron-sendmail2.pl: send notification once being blocked
genhtm.pl: generate notification web pages periodically
Periodic Jobs
Notifications should be delivered periodically: send emails daily, send an email once being blocked, and generate web pages periodically
  10 8 * * * (cd /usr/local/notify; ./cron-sendmail)
  8,18,28,38,48,58 * * * * (cd /usr/local/notify/bin; ./cron-sendmail2)
  0,10,20,30,40,50 * * * * (cd /usr/local/notify/bin; ./genhtml.pl)

Configurations
addressbook: address book to send notification emails
  dept:name:title:phone:fax:email
subnet: notes which are shown on the web pages
  subnet:building:dept
inform.mail: the notification email which is sent daily
inform2.mail: the notification email which is sent once being blocked
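How the addressbook and subnet files can be joined on the dept field to pick the contact for a blocked host and fill in inform2.mail, as an added Python example and not the notify module's own code. The entries, the longest-prefix subnet match and the $placeholder template style are constructed assumptions; the deck only gives the two colon-separated layouts.

```python
import ipaddress
from string import Template

# Constructed contents of etc/addressbook, layout from the deck: dept:name:title:phone:fax:email
ADDRESSBOOK = """\
cs:Alice Chen:Network Admin:1234:1235:alice@cs.example.edu
ee:Bob Lin:Lab Manager:2234:2235:bob@ee.example.edu
noc:Net Ops:Duty Engineer:3000:3001:noc@example.edu
"""

# Constructed contents of etc/subnet, layout from the deck: subnet:building:dept
SUBNETS = """\
192.168.128.0/17:Campus:noc
192.168.130.0/24:Building A:cs
192.168.131.0/24:Building B:ee
"""

# Constructed inform2.mail; the $placeholder style is assumed, the deck shows no template.
INFORM2 = """\
To: $email
Subject: [netguard] $ip blocked ($tag)

Dear $name ($title, $dept),
Host $ip in $building ($subnet) was blocked by the network defense system
because it was detected as $tag. Contact phone on file: $phone
"""


def parse_colon_file(text, fields):
    """Parse one colon-separated config file into dicts; blank and # lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"expected {len(fields)} fields: {line!r}")
        rows.append(dict(zip(fields, parts)))
    return rows


def find_subnet(ip, subnet_rows):
    """Longest-prefix match so a building entry wins over the campus-wide one."""
    addr = ipaddress.ip_address(ip)
    best = None
    for row in subnet_rows:
        net = ipaddress.ip_network(row["subnet"], strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, row)
    return best[1] if best else None


def contacts_for(ip, addressbook=ADDRESSBOOK, subnets=SUBNETS):
    """Return (subnet row, list of addressbook rows) responsible for ip, or (None, [])."""
    book = parse_colon_file(addressbook, ["dept", "name", "title", "phone", "fax", "email"])
    sub = find_subnet(ip, parse_colon_file(subnets, ["subnet", "building", "dept"]))
    if sub is None:
        return None, []
    return sub, [row for row in book if row["dept"] == sub["dept"]]


def render_notices(ip, tag, template=INFORM2):
    """One filled-in inform2.mail per contact of the subnet the blocked host belongs to."""
    sub, contacts = contacts_for(ip)
    if sub is None:
        return []
    return [Template(template).substitute({**sub, **c, "ip": ip, "tag": tag}) for c in contacts]


if __name__ == "__main__":
    for notice in render_notices("192.168.130.5", "IP-SCAN-TCP-135"):
        print(notice)
```

A host with no matching subnet produces no mail at all, which is worth surfacing in the daily report rather than silently dropping: it usually means the subnet file is out of date for that range.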
Web Pages (htdocs)
ban-head.htm: the header part of the notification web pages
ban-tail.htm: the tail part of the notification web pages
index.htm: may be required for the apache web server

Open Mail Relay Detection Module

System Requirement
A remote server (to relay testing email and receive testing mail)
Perl 5.6 or above
libnet module installed
Pxytest (http://www.unicom.com/sw/pxytest/)

To Be Done

ToDo List
Unify the perl modules used by all these codes
Support more routers: Juniper and Foundry

Thank You!