
Final Document

Daniel Howell Jose Mejia Edward Sanchez


This document shows the NSM network solution that we
have designed for the Company. It also contains all the
configuration details and steps to set up the network.
DANIEL HOWELL
12/15/2015

Table of Contents
Section 1: Overview
Section 2: Deployment Considerations
    2-A: Analysis Box
        Figure 1: Ubuntu Mate
    2-B: Storage
        Figure 2: Free NAS
    2-C: Monitor
        Figure 3: Security Onion
    2-D: Sensor 1
        Figure 4: Free BSD Sensor 1
    2-E: Sensor 2
        Figure 5: Free BSD Sensor 2
Section 3: Design Solution
    3-A: The Solution
    3-B: NSM Set Up
        Figure 6: NSM Network Design
Section 4: Test Environment
Section 5: System Configurations
    5-A: Analyst
        Figure 7: Analyst Configuration
    5-B: Monitor
        Figure 8: Sec Onion Configuration
    5-C: Storage
    5-D: Sensor 1
        Figure 9: Sensor 1
    5-E: Sensor 2
        Figure 10: Sensor 2
Section 6: Tools Used
    6-A: Snorby
        Figure 11: Snorby Interface
    6-B: WireShark
        Figure 12: WireShark
    6-C: VMware
        Figure 13: Virtual Environment
Section 7: Data Analysis
    7-A: NTS330 Network
        Figure 14: NTS330 Traffic
        Figure 15: Brute Force attack
        Figure 16: Remote Failure
    7-B: NTW216 Network
        Figure 17: Updates
        Figure 18: Malformed Packet
        Figure 19: Encrypted Traffic
        Figure 20: Found Images
Section 8: Training Plan
    8-A: System basics
    8-B: NSM Set up
    8-C: NSM Operations
Glossary

Section 1: Overview
Dirty Mike and The Boys were hired by Big Money Inc., a Fortune 500 company, to help
create a new network security monitor (NSM) for the company. Big Money Inc. wanted us to
create a cost-effective network that could monitor their network and demilitarized zone (DMZ).
After we worked out the solution, the company wanted us to test our NSM before they implement
it on their own network. This document outlines the tools and results of the NSM on our
test environment.

Section 2: Deployment Considerations


This section covers the different boxes that were deployed to create the network. Each box was
chosen for a specific purpose in the network. This section does not cover the configuration or
settings of the boxes that are mentioned. It only covers the basic information about the boxes and the
purpose that they serve in the NSM set up.

2-A: Analysis Box


The analysis box is needed to manage all the data more efficiently. For this we have chosen to
use Ubuntu Mate, which is another version of the standard Ubuntu operating system. This box is
connected to the monitoring box and the storage box so we do not have to jump between interfaces to
view the data that we are collecting. Figure 1 shows the Ubuntu Mate box that we were running
for the environment we have developed.

Figure 1: Ubuntu Mate

2-B: Storage
The storage box is needed to store the pcap files that have been captured over the course of the
test. This box is running the Free NAS operating system. This box only serves as a storage server.
All the pcap data that is captured by the monitoring device is sent to this box. This means that the
other boxes on the NSM do not need to have a large amount of storage space. We are able to
open a command line to configure the box; however, we can only view the data through the web
interface that is created by the box. We do this through the analysis box that is also set up.

Figure 2: Free NAS

2-C: Monitor
The monitoring box is what interprets the traffic that is picked up by the sensors. The exact
tools that do this are covered in section 6 of this document. The monitoring box is running
Security Onion, which comes preinstalled with most of the tools that we want to use for the NSM.
This box helps us capture and analyze the traffic as it comes in. We can also generate charts
for the traffic that is coming in so we do not have to go through all of the data. Figure 3 shows the
Security Onion box that we have set up for the company.

Figure 3: Security Onion

2-D: Sensor 1
The sensor is a Free BSD box that is configured to listen on specific interfaces. The sensor then
sends this traffic to the monitor and the storage box. It is built with minimal resources
because it is only required to listen for traffic. The only way to interface with the box is through
the command line. Figure 4 shows the basic interface for the sensor.

Figure 4: Free BSD Sensor 1

2-E: Sensor 2
The sensor is a Free BSD box that is configured to listen on specific interfaces. The sensor then
sends this traffic to the monitor and the storage box. It is built with minimal resources
because it is only required to listen for traffic. The only way to interface with the box is through
the command line. Figure 5 shows the basic interface for the sensor.

Figure 5: Free BSD Sensor 2

Section 3: Design Solution


This section goes over the design of the solution that we have developed. Figure 6 shows a simple
diagram of the NSM set up that has been developed for the company. The set up and function of the
network are also covered in this section of the document.

3-A: The Solution


The solution that we have developed for the company is to create a small NSM network to monitor the
different areas of the company's network. We would set up a total of five boxes on the network. The
NSM setup we want to create would listen to and track the traffic that is generated by the networks. The
entire setup can be created using open source programs and tools. It will only take a few hours to
properly set up and configure the NSM.

3-B: NSM Set Up


The design we created has three areas. The main area contains the monitor, analysis, and storage boxes
for the NSM. The second area is the corporate network, which contains sensor 1 and the rest of the
NTS330 network. The third area is the corporate DMZ, which contains sensor 2 and the rest of the NTW216
network. Both of the networks are being watched by the same monitoring device. The monitoring
device is listening on its interfaces for any traffic that is generated. The sensors sit on the networks
that they are listening on. The sensors are each connected to an interface on the monitoring device.
The monitor is configured with tools to help review the traffic from the networks. The data that is
collected by the sensors is then stored on the storage box to save the storage space on the NSM boxes.

Figure 6: NSM Network Design

Section 4: Test Environment


This section covers the test environment that was used to test the design of the NSM network we have
created. The environment we used was a completely virtual environment of our own design. Using
VMware we were able to build and test our NSM network to prove that it would work in a real
environment. For the test we were able to create a network that looks just like the solution that we
want to use for the company. The networks that we set it to monitor for this test were the NTS330 and
NTW216 networks. The NTS330 network is operated by a team of pentesters. From here we can see all the
traffic that is expected of an attempted attack on a network. The NTW216 network is being used as
a corporate DMZ. Most of the work on this network is with servers, so we can see somewhat regular traffic
that is expected of a DMZ. This test environment allowed us to test our design before we implemented
it in the company's network.

Section 5: System Configurations


This section covers the setup configuration of each box on the network. Each box on the network
needed to be configured to work with the others. This is a simple process and should only take a few
minutes to complete.

5-A: Analyst
The hardware configuration of the box requires:

50 GB of storage
2 GB of memory
1 network interface

The box interfaces with the other boxes through a web interface, so as long as the other boxes are
up it should be able to interact with them without any problem. The username and password
should be set according to the naming convention that the company uses. For this purpose the address of
the box is configured to 192.168.5.31. Figure 7 shows the setup of the box after it is configured to
run on the network. There are no special commands that need to be issued on this box.

Figure 7: Analyst Configuration

5-B: Monitor
The monitor box hardware requirements are:

50 GB of storage
2 GB of memory
2 network interfaces

This box is what the two sensors are going to connect to in order for us to monitor the traffic.
The first network interface needs to be configured to listen to the sensor for the NTS330
network. Enter the interface using the command line and set the address for the sensor. Next set the
sensor to listen mode. The second interface needs to be configured for the NTW216 network.
Follow the same process as setting up sensor one, but this time configure the address to listen on
the NTW216 network. After the network interfaces are configured we need to configure the
Snorby interface. The home page of Security Onion has a setup icon that is used to set
the login info for the programs that it uses. Simply select an email address and password to use.
The default settings for this are OK to go with. After the setup for the network is completed we
need to configure the Snorby program to listen to the two interfaces. Simply select the interfaces
when first starting up Snorby and it will begin listening on those interfaces. Figure 8 shows the
basic configuration for the Security Onion box that we are using.

Figure 8: Sec Onion Configuration

5-C: Storage
The Free NAS storage box hardware requirements are:

100 GB of storage
2 GB of memory
1 network interface

This box is only going to be used to store the data that is collected by the sensors. Usernames and
passwords should be set using the company's naming convention. The web interface of the box is
set up through the command line interface you will see if the box is accessed directly. After that
we just need to use the web interface to set up the storage location for the data from the sensors. Using the
web interface is much easier and quicker than using the command line.

5-D: Sensor 1
The sensor hardware requirements are:

2 GB of storage
1 GB of memory
1 network interface

The sensor only needs minimal resources to operate. It is only needed to listen for traffic and
nothing else. It should be connected to the monitoring box so we can see the traffic as it comes
in. The sensors are a critical part of the network and need to be configured properly. The sensor
for the NTS330 network has an address of 192.168.108.250 on this network. Figure 9 shows
the configuration for the sensor we set up in the environment.

Figure 9: Sensor 1

5-E: Sensor 2
The sensor hardware requirements are:

2 GB of storage
1 GB of memory
1 network interface

The sensor only needs minimal resources to operate. It is only needed to listen for traffic and
nothing else. It should be connected to the monitoring box so we can see the traffic as it comes
in. The sensors are a critical part of the network and need to be configured properly. The sensor
for the NTW216 network has an address of 192.168.108.251 on this network. Figure 10
shows the configuration for the sensor that we set up in the environment.

Figure 10: Sensor 2

Section 6: Tools Used


This section covers the different tools used to monitor the traffic on the network. These tools are
distinct from the boxes that make up our network.

6-A: Snorby
Snorby setup is covered by the monitoring box configuration. This tool allowed us to sort the
traffic that we got from the network into easy-to-read graphs. It also keeps track of the numerous
events that are generated on the network. Snorby is set to listen to the sensors based on the
interfaces that they are running on. In this document we had two interfaces set up. It is also used
to capture packets as they move across the network. The data that is captured here is sent to the
storage box to be reviewed in depth later. Figure 11 shows the Snorby interface that we set up for
this test.

Figure 11: Snorby Interface

6-B: WireShark
WireShark is used to filter the pcap files that we are capturing on the network. With this tool we are
able to set filters and extract data from the traffic. We can tell what is moving across the network as
well as where it is coming from and where it is going. While this is a simple tool to use, it is also a very
powerful tool. In this environment Wireshark is set up on the analysis box. It does a bit more than
the Snorby box. Figure 12 shows the main page of Wireshark.

Figure 12: WireShark

6-C: VMware
VMware was used to create the test environment. We were able to create the NSM network and
manage all of its resources with ease. Figure 13 shows the boxes that we set up for the test
environment. It was also used to create the NSM that we installed on the company's network.
Virtual machines are easier to create and maintain than physical systems are, making them far
more cost effective.

Figure 13: Virtual Environment

Section 7: Data Analysis


This section covers our analysis of the data that we collected over the week that we monitored
the network. The data that is being analyzed was collected over the course of a thirteen week test.
The data was collected off of the NTS330 network and the NTW216 network. The data that is
shown is what we believe to be the highlights of the traffic.

7-A: NTS330 Network


For the NTS330 network we got a high amount of traffic. Based on the traffic we can see that most of
it originated from 172.16.111.102 and 172.16.11.102. The destination of most of this traffic was
172.16.111.222. We could not identify the operating system on the boxes, but we believe that one of the
boxes was running Kali Linux. Figure 14 shows a breakdown of the traffic that we captured in Wireshark.
Most of the traffic that was captured used the Transmission Control Protocol (TCP). There was some data
that Wireshark was not able to identify. Upon further inspection we found it to be a series of attempted
authorization requests. Figure 15 shows the data that Wireshark was able to bring up. Based on the
number of attempts and the number of resets we can tell that the 172.16.111.102 and 172.16.11.102
sources tried to launch a brute force attack against 172.16.111.222. We also found what we believe to
be an attempt at some kind of remote connection. We were unable to find anything else related to it, so
we believe that it was a failed attempt. Figure 16 shows the packet of data that failed to establish a
connection. Since the destination port is port 80, HTTP, we can tell that it was a remote connection
attempt.
Figure 14: NTS330 Traffic

Figure 15: Brute Force attack

Figure 16: Remote Failure

Based on our findings we believe that the system was attacked by an outside source. We would need to
investigate further to determine whether the attacker(s) were able to damage the system or not. We
recommend that the company take action to protect their systems.
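The reasoning in this subsection (many connection attempts from two sources to one target, most of them answered with resets) written as a check a defender can run over a packet list exported from Wireshark. This is an added example in Python, not part of the report; the packet records are constructed for the demo and only the addresses come from the analysis above.

```python
from collections import defaultdict

# Constructed packet summary: (src, sport, dst, dport, tcp_flags), the columns
# you would export from the Wireshark packet list. Addresses are the ones the
# report names; the packet mix is made up for the demo.
SAMPLE_PACKETS = []
for i in range(12):        # 12 connection attempts, 10 answered with a reset
    SAMPLE_PACKETS.append(("172.16.111.102", 40000 + i, "172.16.111.222", 22, "S"))
    if i < 10:
        SAMPLE_PACKETS.append(("172.16.111.222", 22, "172.16.111.102", 40000 + i, "RA"))
for i in range(11):        # 11 attempts from the second source, 9 reset
    SAMPLE_PACKETS.append(("172.16.11.102", 50000 + i, "172.16.111.222", 22, "S"))
    if i < 9:
        SAMPLE_PACKETS.append(("172.16.111.222", 22, "172.16.11.102", 50000 + i, "RA"))
# One ordinary HTTPS handshake from the DMZ host; must not be flagged.
SAMPLE_PACKETS += [
    ("192.168.103.10", 51000, "23.213.39.149", 443, "S"),
    ("23.213.39.149", 443, "192.168.103.10", 51000, "SA"),
    ("192.168.103.10", 51000, "23.213.39.149", 443, "A"),
]

def count_attempts(packets):
    """Per (source, target, port): bare SYNs the source sent and RSTs sent back."""
    stats = defaultdict(lambda: {"attempts": 0, "resets": 0})
    for src, sport, dst, dport, flags in packets:
        if "S" in flags and "A" not in flags:   # bare SYN opens a new attempt
            stats[(src, dst, dport)]["attempts"] += 1
        elif "R" in flags:                      # reset travels target -> source
            stats[(dst, src, sport)]["resets"] += 1
    return stats

def find_brute_force(packets, min_attempts=10, min_reset_ratio=0.5):
    """Pairs with many attempts, most of them reset: the pattern described in 7-A."""
    findings = []
    for (src, dst, dport), s in count_attempts(packets).items():
        if s["attempts"] >= max(min_attempts, 1) and \
                s["resets"] / s["attempts"] >= min_reset_ratio:
            findings.append({"source": src, "target": dst, "port": dport, **s})
    # Worst offender first so the analyst sees the biggest source at the top.
    return sorted(findings, key=lambda f: f["attempts"], reverse=True)

def attempts_by_source(packets):
    """Total attempts per source address, regardless of target or port."""
    totals = defaultdict(int)
    for (src, _, _), s in count_attempts(packets).items():
        totals[src] += s["attempts"]
    return dict(totals)

if __name__ == "__main__":
    for f in find_brute_force(SAMPLE_PACKETS):
        print(f"{f['source']} -> {f['target']}:{f['port']} "
              f"{f['attempts']} attempts, {f['resets']} resets")
```

The thresholds (10 attempts, half of them reset) are assumptions; tune them against a week of normal traffic from the sensor before relying on the output.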

7-B: NTW216 Network


For the NTW216 network there was almost no traffic. Using Wireshark we viewed mostly TCP
packets. Based on the traffic we collected we can tell it was mostly updates. Figure 17 shows the
TCP traffic for the updates that we found. All the updates were from Windows. There were a few
malformed packets that were collected as well. We attempted to reassemble them but failed. Figure
18 shows the malformed packet. Upon deeper investigation of the traffic we found a series of
encrypted packets that were sent from 23.213.39.149 to 192.168.103.10. Figure 19 shows the
encrypted traffic. We were unable to determine exactly what the encrypted traffic was, but we
believe that it was not malicious data. Finally, we found about four hundred images that had been
saved. Figure 20 shows a few of the images that were found. None of the images seemed to be
harmful or to defy the rules of the system.
Figure 17: Updates

Figure 18: Malformed Packet

Figure 19: Encrypted Traffic

Figure 20: Found Images

Based on our findings we do not believe that anything is wrong with the system. None of the traffic
that was generated seemed to be harmful to the network at all. However, the large number
of images may show that the users are most likely using the company computer network for
personal use. We recommend that the company restrict access to the internet from its employee
workstations.

Section 8: Training Plan


This section covers the training program that we would like to implement among the IT staff.
This training program consists of (#) steps to teach the staff how to operate the NSM network we
want to implement on the company's network and DMZ.

8-A: System basics


To begin the training we would first need to teach the IT department how to operate each of the
boxes that we want to deploy. The analysis box will mostly be used to view the Free NAS
storage box through a web interface. That will be easy to demonstrate for anyone who has not
used it before. The Security Onion box is needed to run Snorby and Sguil, so only the basic
operations of these programs will be needed for the NSM set up we have created. The Free NAS
storage box will have to be set up so it can handle all the data that is going to be sent to it.
This deals mostly with the configuration of the box, which is covered more in section 5 of this
document. The Free BSD sensors do not require much work. They mostly need to be
configured for the proper interface, which is also covered in section 5 of this document. After the
IT team understands the basics of each of the boxes they can move on to the next stage of the
training. For more information regarding the boxes follow the links below.
(links)

8-B: NSM Set up


Once the team is able to operate the boxes they then need to be shown how to set it all up. By
simply following the configuration steps in section 5 it should not take long to accomplish. The
links that are provided in 8-A: System Basics should help if any questions come up
regarding the systems.

8-C: NSM Operations


After the network is configured and operational the team needs to know how to manage all of the
systems to keep it running properly. This requires the team to check all the boxes for
connectivity on a regular basis. The following list should be checked at least once a week to ensure
the NSM is working properly.

All boxes running.
Sensors listening on the correct interfaces.
Logs being generated by the monitor.
Storage has enough space for new data.

New items can be added to this list based on the needs of the network.
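The weekly list above, together with the interface checks that 5-B and 5-D describe, as a script the IT team could run against what they collect from the boxes. This is an added example in Python, not from the report; the interface names (em1 on the sensor, eth1 and eth2 on the monitor), the sample ifconfig and ip link output, the host list, and the one-hour and 20% thresholds are assumptions.

```python
import re

# Constructed ifconfig output from a FreeBSD sensor: em0 is management,
# em1 is the capture interface and must show PROMISC to count as listening.
SAMPLE_SENSOR_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.108.250 netmask 0xffffff00 broadcast 192.168.108.255
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
"""

# Constructed ip link output from the Security Onion monitor, which
# listens on two interfaces (one per sensor).
SAMPLE_MONITOR_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
4: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
"""

# Both tools print the interface name at the start of the line and the
# flag list between < and >; indented detail lines never match because of ^.
_FLAGS_RE = re.compile(r"^(?:\d+:\s*)?([A-Za-z0-9_.-]+):?\s.*?<([A-Z_,-]+)>", re.M)

def listening_interfaces(link_output):
    """Interfaces whose flags include both UP and PROMISC."""
    found = set()
    for name, flags in _FLAGS_RE.findall(link_output):
        if {"UP", "PROMISC"} <= set(flags.split(",")):
            found.add(name)
    return found

def sensors_ok(link_output, expected):
    """Every expected capture interface is up and in promiscuous mode."""
    return set(expected) <= listening_interfaces(link_output)

def logs_ok(newest_log_mtime, now, max_age_seconds=3600):
    """The monitor wrote a log within the last hour (assumed threshold)."""
    return 0 <= now - newest_log_mtime <= max_age_seconds

def storage_ok(free_bytes, total_bytes, min_free_fraction=0.2):
    """At least 20% of the Free NAS volume is still free (assumed threshold)."""
    return total_bytes > 0 and free_bytes / total_bytes >= min_free_fraction

def run_checklist(hosts_up, sensor_ifconfig, sensor_ifaces,
                  monitor_ip_link, monitor_ifaces,
                  newest_log_mtime, now, free_bytes, total_bytes):
    """Map each checklist item to True (pass) or False (needs attention)."""
    return {
        "all boxes running": all(hosts_up.values()),
        "sensors listening on the correct interfaces":
            sensors_ok(sensor_ifconfig, sensor_ifaces)
            and sensors_ok(monitor_ip_link, monitor_ifaces),
        "logs being generated by the monitor": logs_ok(newest_log_mtime, now),
        "storage has enough space for new data": storage_ok(free_bytes, total_bytes),
    }

NOW = 1_450_000_000.0  # constructed timestamp, roughly December 2015

def demo():
    """Run the checklist over the constructed inputs above."""
    hosts = {"analysis": True, "monitor": True, "storage": True,
             "sensor1": True, "sensor2": True}
    return run_checklist(hosts, SAMPLE_SENSOR_IFCONFIG, {"em1"},
                         SAMPLE_MONITOR_IP_LINK, {"eth1", "eth2"},
                         NOW - 600, NOW, 30 * 2**30, 100 * 2**30)

if __name__ == "__main__":
    for item, passed in demo().items():
        print(("OK   " if passed else "FAIL ") + item)
```

In use, replace the constructed strings and numbers with the real ifconfig and ip link output, the newest log file's modification time, and the free and total bytes of the Free NAS volume.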

Glossary
Network Security Monitor (NSM) - Highly scalable and flexible network management tool.
Enterprise customers can leverage NSM globally to scale from branch to data center, and service
providers can use it for carrier-class deployments. NSM can be deployed as software on a server or
as dedicated appliances to scale large enterprise and service provider environments.
Demilitarized Zone (DMZ) - Computers in the DMZ in turn respond to, forward or re-issue requests
out to the Internet or other public network, as proxy servers do.

Free NAS - An open source operating system that is mostly used for servers.
Security Onion - An open source operating system that is specialized for network security
monitoring.
Free BSD - An open source operating system that is mostly used for servers.
Pentesters - Penetration testers who are paid to hack a network to identify the weaknesses of the
network.
