Table of Contents
Section 1: Overview
Section 2: Deployment Considerations
2-A: Analysis Box
Figure 1: Ubuntu Mate
2-B: Storage
Figure 2: FreeNAS
2-C: Monitor
Figure 3: Security Onion
2-D: Sensor 1
Figure 4: FreeBSD Sensor 1
2-E: Sensor 2
Figure 5: FreeBSD Sensor 2
Section 3: Design Solution
3-A: The Solution
3-B: NSM Set Up
Figure 6: NSM Network Design
Section 4: Test Environment
Section 5: System Configurations
5-A: Analyst
Figure 7: Analyst Configuration
5-B: Monitor
Figure 8: Sec Onion Configuration
5-C: Storage
5-D: Sensor 1
Figure 9: Sensor 1
5-E: Sensor 2
Figure 10: Sensor 2
Section 6: Tools Used
6-A: Snorby
Figure 11: Snorby Interface
6-B: Wireshark
Figure 12: Wireshark
Section 1: Overview
Dirty Mike and The Boys were hired by Big Money Inc., a Fortune 500 company, to help
create a new network security monitor (NSM) for the company. Big Money Inc. wanted us to
create a cost-effective system that could monitor their network and demilitarized zone (DMZ).
After we worked out the solution, the company wanted us to test our NSM before they implemented
it on their own network. This document outlines the tools and results of the NSM on our
test environment.
2-B: Storage
The storage box is needed to store the pcap files that are captured over the course of the
test. This box is running the FreeNAS operating system and serves only as a storage server.
All the pcap data captured by the monitoring device is sent to this box, so the other boxes
on the NSM do not need a large amount of storage space. We are able to open a command line to
configure the box; however, we can only view the data through the web interface that the box
provides. We do this through the analysis box that is also set up.
2-C: Monitor
The monitoring box is what interprets the traffic that is picked up by the sensors. The exact
tools that do this are covered in Section 6 of this document. The monitoring box is running
Security Onion, which comes preinstalled with most of the tools that we want to use for the NSM.
This box helps us to capture and analyze the traffic as it comes in. We can also generate charts
for the incoming traffic so we do not have to go through all of the raw data. Figure 3 shows the
Security Onion box that we have set up for the company.
2-D: Sensor 1
The sensor is a FreeBSD box that is configured to listen on specific interfaces. The sensor then
sends this traffic to the monitor and the storage box. It is built with minimal resources
because it is only required to listen for traffic. The only way to interface with the box is through
the command line. Figure 4 shows the basic interface for the sensor.
2-E: Sensor 2
The sensor is a FreeBSD box that is configured to listen on specific interfaces. The sensor then
sends this traffic to the monitor and the storage box. It is built with minimal resources
because it is only required to listen for traffic. The only way to interface with the box is through
the command line. Figure 4 shows the basic interface for the sensor.
NSM setup we want to create would listen to and track the traffic that is generated by the networks. The
entire setup can be created using open-source programs and tools. It will only take a few hours to
properly set up and configure the NSM.
that is expected of a DMZ. This test environment allowed us to test our design before we implemented
it in the company's network.
5-A: Analyst
The hardware configuration of the box requires:
50 GB of storage
2 GB of memory
1 network interface
The box interfaces with the other boxes through a web interface, so as long as the other boxes are
up it should be able to interact with them without any problem. The username and password
should be set according to the naming convention that the company uses. For this purpose the address of
the box is configured to 192.168.5.31. Figure (7) shows the setup of the box after it is configured to
run on the network. There are no special commands that need to be issued on this box.
5-B: Monitor
The monitor box hardware requirements are:
50 GB of storage
2 GB of memory
2 network interfaces
This box is what the two sensors are going to connect to in order for us to monitor the traffic.
The first network interface needs to be configured to listen to the sensor for the NTS330
network. Enter the interface using the command line and set the address for the sensor. Next, set the
sensor to listen mode. The second interface needs to be configured for the NTW216 network.
Follow the same process as for setting up sensor one, but this time configure the address to listen on
the NTW216 network. After the network interfaces are configured we need to configure the
Snorby interface. The home page of Security Onion has a setup icon that is used to set
the login information for the programs that it uses. Simply select an email address and password to use.
The default settings for this are fine to go with. After the setup for the network is completed we
need to configure Snorby to listen on the two interfaces. Simply select the interfaces
when first starting up Snorby and it will begin listening on them. Figure (8) shows the
basic configuration for the Security Onion box that we are using.
Figure 8: Sec Onion Configuration
5-C: Storage
The FreeNAS storage box hardware requirements are:
100 GB of storage
2 GB of memory
1 network interface
This box is only going to be used to store the data that is collected by the sensors. Usernames and
passwords should be set using the company's naming convention. The web interface of the box is
set up through the command-line interface that you see when the box is accessed directly. After that
we just need to use the web interface to set up the file location where the sensor data is saved. Using the
web interface is much easier and quicker than using the command line.
5-D: Sensor 1
The sensor hardware requirements are:
2 GB of storage
1 GB of memory
1 network interface
The sensor only needs minimal resources to operate. It is only needed to listen for traffic and
nothing else. It should be connected to the monitoring box so we can see the traffic as it comes
in. The sensors are a critical part of the network and need to be configured properly. The sensor
for the NTS330 network has an address of 192.168.108.250 on this network. Figure (9) shows
the configuration for the sensor we set up in the environment.
Figure 9: Sensor 1
5-E: Sensor 2
The sensor hardware requirements are:
2 GB of storage
1 GB of memory
1 network interface
The sensor only needs minimal resources to operate. It is only needed to listen for traffic and
nothing else. It should be connected to the monitoring box so we can see the traffic as it comes
in. The sensors are a critical part of the network and need to be configured properly. The sensor
for the NTS330 network has an address of 192.168.108.251 on this network. Figure (10)
shows the configuration for the sensor that we set up in the environment.
Figure 10: Sensor 2
6-A: Snorby
Snorby setup is covered by the monitoring box configuration. This tool allowed us to sort the
traffic that we got from the network into easy-to-read graphs. It also keeps track of the numerous
events that are generated on the network. Snorby is set to listen to the sensors based on the
interfaces that they are running on. In this document we had two interfaces set up. It is also used
to capture packets as they move across the network. The data that is captured here is sent to the
storage box to be reviewed in depth later. Figure 11 shows the Snorby interface that we set up for
this test.
Figure 11: Snorby Interface
6-B: Wireshark
Wireshark is used to filter the pcap files that we are capturing on the network. With this tool we are
able to set filters and extract data from the traffic. We can tell what is moving across the network as
well as where it is coming from and where it is going. While this is a simple tool to use, it is also a very
powerful tool. In this environment Wireshark is set up on the analysis box. It does a bit more than
the Snorby box. Figure 12 shows the main page of Wireshark.
Figure 12: Wireshark
6-C: VMware
VMware was used to create the test environment. We were able to create the NSM network and
manage all of its resources with ease. Figure 13 shows the boxes that we set up for the test
environment. It was also used to create the NSM that we installed on the company's network.
Virtual machines are easier to create and maintain than physical systems are, making them far
more cost effective.
Figure 13: Virtual Environment
boxes was running Kali Linux. Figure 14 shows a breakdown of the traffic that we captured in Wireshark.
Most of the traffic that was captured used the Transmission Control Protocol (TCP). There was some data
that Wireshark was not able to identify. Upon further inspection we found it to be a series of attempted
authorization requests. Figure 15 shows the data that Wireshark was able to bring up. Based on the
number of attempts and the number of resets we can tell that the 172.16.111.102 and 172.16.11.102
sources tried to launch a brute force attack against 172.16.111.222. We also found what we believe to
be an attempt at some kind of remote connection. We were unable to find anything else related to it, so
we believe that it was a failed attempt. Figure 16 shows the packet of data that failed to establish a
connection. Since the destination port is port 80, HTTP, we can tell that it was a remote connection
attempt.
Figure 14: NTS330 Traffic
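The brute force heuristic used above (many connection attempts from one source toward one host, mostly answered with resets) as a script that can be run over a Wireshark CSV export of the kind described in 6-B. This is an added example, not part of the original report; the rows it parses are constructed sample data that reuse the addresses named above, not the report's own capture, and the thresholds are assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Column layout of Wireshark's "Export Packet Dissections > As CSV"; Info holds "sport > dport [FLAGS] ...".
HEADER = '"No.","Time","Source","Destination","Protocol","Length","Info"'
INFO_RE = re.compile(r"^(\d+) (?:>|\u2192) (\d+) \[([A-Z, ]+)\]")   # newer builds print an arrow, not >

def _row(no, src, dst, info):
    return f'"{no}","{no / 1000:.3f}","{src}","{dst}","TCP","60","{info}"'

def build_sample_csv():
    """Constructed sample, not the report's capture: six SSH connection attempts from
    172.16.111.102 to 172.16.111.222 that are reset, plus one ordinary web connection."""
    pkts = []
    for i in range(6):
        pkts.append(("172.16.111.102", "172.16.111.222", f"{40000 + i} > 22 [SYN] Seq=0 Win=29200 Len=0"))
        pkts.append(("172.16.111.222", "172.16.111.102", f"22 > {40000 + i} [RST, ACK] Seq=1 Ack=1 Win=0 Len=0"))
    pkts.append(("172.16.111.50", "172.16.111.222", "51000 > 80 [SYN] Seq=0 Win=29200 Len=0"))
    pkts.append(("172.16.111.222", "172.16.111.50", "80 > 51000 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0"))
    return "\n".join([HEADER] + [_row(n, *p) for n, p in enumerate(pkts, start=1)]) + "\n"

def parse_tcp_rows(text):
    """Keep the TCP rows and pull source port, destination port and flags out of Info."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        m = INFO_RE.match(r["Info"]) if r["Protocol"] == "TCP" else None
        if m:
            rows.append({"src": r["Source"], "dst": r["Destination"],
                         "sport": int(m.group(1)), "dport": int(m.group(2)),
                         "flags": {f.strip() for f in m.group(3).split(",")}})
    return rows

def find_brute_force(rows, min_attempts=5, min_reset_ratio=0.8):
    """Flag (client, server, port) triples with many bare-SYN attempts that the server mostly reset."""
    attempts, resets = defaultdict(int), defaultdict(int)
    for r in rows:
        if r["flags"] == {"SYN"}:                   # client opening a new connection
            attempts[(r["src"], r["dst"], r["dport"])] += 1
        elif "RST" in r["flags"]:                   # server tearing the connection down
            resets[(r["dst"], r["src"], r["sport"])] += 1
    findings = []
    for key, n in attempts.items():
        rst = resets.get(key, 0)
        if n >= min_attempts and rst / n >= min_reset_ratio:
            findings.append({"client": key[0], "server": key[1], "port": key[2],
                             "attempts": n, "resets": rst})
    return sorted(findings, key=lambda f: -f["attempts"])
```

The same two functions work on a real export by passing the file contents to parse_tcp_rows; the thresholds should be tuned to the network's normal connection rates before acting on a finding.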
Based on our findings we believe that the system was attacked by an outside source. We would need to
investigate further to determine whether the attacker(s) were able to damage the system. We
recommend that the company take action to protect its systems.
believe that it was not malicious data. Finally, we found about four hundred images that had been
saved. Figure 20 shows a few of the images that were found. None of the images seemed to be
harmful or to defy the rules of the system.
Figure 17: Updates
Based on our findings we do not believe that anything is wrong with the system. None of the traffic
that was generated seemed to be harmful to the network at all. However, the large number
of images may show that the users are most likely using the company computer network for
personal use. We recommend that the company restrict access to the internet from its employee
workstations.
New items can be added to this list based on the needs of the network.
Glossary
Network Security Monitor (NSM) - Highly scalable and flexible network management tool.
Enterprise customers can leverage NSM globally to scale from branch to data center, and service
providers can use it for carrier-class deployments. NSM can be deployed as software on a server or
as dedicated appliances to scale large enterprise and service provider environments.
Demilitarized Zone (DMZ) - Computers in the DMZ in turn respond, forward or re-issue requests
out to the Internet or other public network, as proxy servers do.
FreeNAS - An open source operating system that is mostly used for servers.
Security Onion - An open source operating system that is specialized for network security
monitoring.
FreeBSD - An open source operating system that is mostly used for servers.
Pentesters - Penetration testers who are paid to hack a network to identify the weaknesses of the
network.