Using Bro to Secure Your Science DMZ
Robin Sommer, International Computer Science Institute & Lawrence Berkeley National Laboratory
[email protected] http://www.icir.org/robin
Securing Your Science DMZ Network
(Diagram: Internet, Science DMZ Switch, Campus LAN and Transfer/Storage Nodes connected over 100G and 10G links, with Bro attached to the Science DMZ Switch.)
The Bro Platform
(Diagram: platform layers Network, Packet Processing, Programming Language and Standard Library, fed by an analysis tap; applications on top: Vulnerability Mgmt, Intrusion Detection, File Analysis, Compliance Monitoring, Traffic Measurement, Traffic Control. Open Source, BSD License.)
Protecting open-science networks for 20 years now.
Science DMZ Monitoring with Bro
Visibility: Log files, Host-level visibility
Detection
Performance
Control
Customization
Connection Logs
conn.log
ts 1393099191.817686 Timestamp
uid Cy3S2U2sbarorQgmw6a Unique ID
id.orig_h 177.22.211.144 Originator IP
id.orig_p 48053 Originator Port
id.resp_h 115.25.19.26 Responder IP
id.resp_p 2811 Responder Port
proto tcp IP Protocol
service gridftp,ssl App-layer Protocol
duration 8.405155 Duration
orig_bytes 13490 Bytes by Originator
resp_bytes 16127 Bytes by Responder
conn_state SF TCP state
local_orig F Local Originator?
history ShAdDaFf State History
tunnel_parents (empty) Outer Tunnels
HTTP
http.log
ts 1393099291.589208
uid CKFUW73bIADw0r9pl
id.orig_h 2a07:f2c0:90:402:41e:c13:6cb:99c
id.orig_p 54352
id.resp_h 2406:fe60:f47::aaeb:98c
id.resp_p 80
method POST
host com-services.pandonetworks.com
uri /soapservices/services/SessionStart
referrer -
user_agent Mozilla/4.0 (Windows; U) Pando/2.6.0.8
status_code 200
username anonymous
password -
orig_mime_types application/xml
resp_mime_types application/xml
SSL
ssl.log
ts 1443449046.841848
uid CEA05l2D7k0BD9Dda2
id.orig_h 1.2.3.4
id.orig_p 59208
id.resp_h 131.243.231.10
id.resp_p 2811
version TLSv12
cipher TLS_RSA_WITH_AES_256_GCM_SHA384
server_name -
subject CN=lrc-xfer.lbl.gov,OU=Services,O=Open Science Grid,DC=DigiCert-Grid,DC=com
issuer CN=DigiCert Grid CA-1,O=DigiCert Grid,DC=DigiCert-Grid,DC=com
client_subject CN=Foo Bar,O=LBNL HPCS,O=Globus,C=US
client_issuer CN=GO HPCS ONLINE,OU=HPCS LBNL,DC=LBL,DC=gov
cert_hash 197cab7c6c92a0b9ac5f37cfb0699268
validation_status ok
Bro Analyzers
AYIYA, BitTorrent, DCE_RPC, DHCP, DNP3, DNS, DTLS, FTP, Finger, GTPv1, Gnutella, HTTP, ICMP, IRC, Ident, Kerberos, Login, Modbus, MySQL, NCP, NFS, NTP, NetBIOS, PE, POP3, Portmapper, Radius, RDP, Rlogin, Rsh, SIP, SMTP, SNMP, SOCKS, SSH, SSL, Syslog, Telnet, Teredo, X509, ZIP
Host-level Visibility
iSSHD (Source: NERSC)
Leverage control over end hosts.
Science DMZ Monitoring with Bro
Visibility: Log files, Host-level visibility
Detection: Suspicious activity, Intelligence feeds
Performance
Control
Customization
Watching for Suspicious Logins
SSH::Interesting_Hostname_Login: Successful login from an unusual host name (e.g. smtp.big-university.edu).
SSH::Watched_Country_Login: Successful login from an unexpected country.
Intelligence Integration
notice.log
ts 1258565309.806483
uid CAK677xaOmi66X4Th
id.orig_h 192.168.1.103
id.resp_h 192.168.1.1
note Intel::Notice
indicator baddomain.com
indicator_type Intel::DOMAIN
where HTTP::IN_HOST_HEADER
source My-Private-Feed
(Diagram: Intelligence (IP addresses, DNS names, URLs, File hashes) from Feeds (CIF, JC3, Spamhaus, Custom/Proprietary) is matched by Traffic Monitoring (HTTP, FTP, SSL, SSH, DNS, SMTP, …) of traffic between the Internal Network and the Internet; hits are written to notice.log.)
Science DMZ Monitoring with Bro
Visibility: Log files, Host-level visibility
Detection: Suspicious activity, Intelligence feeds
Performance: Bro Cluster, Shunting
Control
Customization
Scaling Bro to 100G
(Diagram: 100G traffic between the Science DMZ Switch and the Transfer/Storage Nodes is copied to a load-balancer that splits it over four 10G links; each link feeds a Bro Cluster node whose NIC serves several Bro worker processes. The Bro Cluster talks back to the switch through a Shunting API.)
100G Bro at LBNL
http://go.lbl.gov/100g
Shunting at LBNL
(Figure only.)
Science DMZ Monitoring with Bro
Visibility: Log files, Host-level visibility
Detection: Suspicious activity, Intelligence feeds
Performance: Bro Cluster, Shunting
Control: Black- and whitelisting, Traffic engineering
Customization
Network Control
(Diagram: the same 100G cluster layout as on the scaling slide: Science DMZ Switch, Transfer/Storage Nodes, load-balancer fanning out to four 10G links, each feeding a Bro Cluster node with a NIC and several Bro workers. Here the Bro Cluster controls the Science DMZ Switch through the Shunting API.)
Blacklisting: “Catch & Release” Dropping
Source: Indiana University
Whitelisting: IU’s SciPass
Source: Indiana University
Upcoming: Bro’s NetControl Framework
drop_connection(connection, timeout)
drop_address(host, timeout)
shunt_flow(flow, timeout)
redirect(flow, port, timeout)
Backends: OpenFlow, iptables, acld; Arista planned.
Science DMZ Monitoring with Bro
Visibility: Log files, Host-level visibility
Detection: Suspicious activity, Intelligence feeds
Performance: Bro Cluster, Shunting
Control: Black- and whitelisting, Traffic engineering
Customization: Write your own scripts!
Scripts are Bro’s “Magic Ingredient”
Bro comes with >10,000 lines of script code: prewritten functionality that’s just loaded.
Scripts generate and do everything we have seen; they are amenable to extensive customization and extension.
The user community writes 3rd-party scripts; Mozilla just released >20 scripts.
Script Example: Shunting
Task: Shunt all GridFTP data connections.

```bro
# Once Bro's GridFTP analysis has identified a data channel, ask NetControl
# to shunt that flow (stop sending it to Bro) for one hour. NetControl's
# flow record names the endpoints src_h/src_p and dst_h/dst_p.
event GridFTP::data_channel_detected(c: connection)
    {
    NetControl::shunt_flow([$src_h=c$id$orig_h, $src_p=c$id$orig_p,
                            $dst_h=c$id$resp_h, $dst_p=c$id$resp_p], 1hr);
    }
```
Script Example: Scan Detector
Task: Count failed connection attempts per source address.

```bro
# Placeholder threshold so the script loads; tune per site.
const SOME_THRESHOLD = 25 &redef;

# Failed attempts seen so far, keyed by source address.
global attempts: table[addr] of count &default=0;

event connection_rejected(c: connection)
    {
    local source = c$id$orig_h;            # Get source address.
    local n = ++attempts[source];          # Increase counter.

    if ( n == SOME_THRESHOLD )             # Check for threshold.
        NetControl::drop_address(source, 1hr);  # Drop host.
    }
```
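As an added example that is not part of the slides, the same two script tasks replayed offline in Python over a constructed Bro conn.log excerpt in the tab-separated format shown on the connection-logs slide: it counts REJ connections per source the way the attempts table does, and selects the flow tuples the shunting script would hand to NetControl::shunt_flow. The sample addresses and the assumption that Bro labels GridFTP data channels with the service name gridftp-data are mine, not the deck's.

```python
from collections import Counter

# Constructed conn.log excerpt in Bro's TSV format (field subset, not real
# traffic); the first record mirrors the conn.log slide.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring
1393099191.817686\tCy3S2U2sbarorQgmw6a\t177.22.211.144\t48053\t115.25.19.26\t2811\ttcp\tgridftp,ssl\tSF
1393099192.100000\tC1\t10.0.0.5\t40001\t115.25.19.26\t22\ttcp\t-\tREJ
1393099192.200000\tC2\t10.0.0.5\t40002\t115.25.19.27\t22\ttcp\t-\tREJ
1393099192.300000\tC3\t10.0.0.5\t40003\t115.25.19.28\t22\ttcp\t-\tREJ
1393099193.000000\tC4\t10.0.0.9\t40010\t115.25.19.26\t22\ttcp\t-\tREJ
1393099194.500000\tC5\t177.22.211.144\t50001\t115.25.19.26\t50100\ttcp\tgridftp-data\tSF
#close\t2014-02-22-20-00-00
"""

def parse_bro_log(text):
    """Yield one dict per record; Bro writes '-' for unset fields (-> None)."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue                      # #types, #close and blank lines
        else:
            values = line.split("\t")
            yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}

def failed_attempts(records):
    """Offline version of the slide's attempts table: REJ connections per source.
    conn_state REJ is the state that raises Bro's connection_rejected event."""
    return Counter(r["id.orig_h"] for r in records if r["conn_state"] == "REJ")

def scan_sources(records, threshold):
    """Sources the slide's script would hand to NetControl::drop_address.
    Uses >= rather than == because this runs over a finished log, not live."""
    return sorted(h for h, n in failed_attempts(records).items() if n >= threshold)

def gridftp_shunt_flows(records):
    """(src_h, src_p, dst_h, dst_p) tuples the shunting script would pass to
    NetControl::shunt_flow. Assumes data channels carry service 'gridftp-data'."""
    return [(r["id.orig_h"], int(r["id.orig_p"]), r["id.resp_h"], int(r["id.resp_p"]))
            for r in records if "gridftp-data" in (r["service"] or "").split(",")]

if __name__ == "__main__":
    recs = list(parse_bro_log(SAMPLE_CONN_LOG))
    print("scan sources:", scan_sources(recs, 3))
    print("shunt flows:", gridftp_shunt_flows(recs))
```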
Science DMZ Monitoring with Bro
Visibility: Log files, Host-level visibility
Detection: Suspicious activity, Intelligence feeds
Performance: Bro Cluster, Shunting
Control: Black- and whitelisting, Traffic engineering
Customization: Write your own scripts!
The NSF Bro Center of Expertise
Individual Advice
Training Material, Best Practices
Development, Maintenance
http://nsf.bro.org mailto:[email protected]
We are there to help you!
The Bro [email protected]
@Bro_IDS
Commercial [email protected]
@Broala_
The U.S. National Science Foundation has enabled much of Bro.
Bro comes out of two decades of academic research, along with extensive transition-to-practice
efforts. NSF has supported much of that, and is currently funding the Bro Center of Expertise at the
International Computer Science Institute and the National Center for Supercomputing Applications.
The Bro Project is a member of Software Freedom Conservancy.
Software Freedom Conservancy, Inc. is a 501(c)(3) not-for-profit organization that helps promote,
improve, develop, and defend Free, Libre, and Open Source Software projects.