Implementing Security Solutions

Attendees:
Course notes online Case Studies in

at www.packet-level.com. Implementing
www.packet-level.com/resources/hpetsnotes.txt
Packet-Level
Analysis-based
Security Solutions
(what a mouthful!)
Sessions this week: Laura Chappell

Thursday – 1728 Cybercrime 1 – 9:30 Rm124 Protocol Analysis Institute
Thursday – 1729 Cybercrime 2 – 2:00 Rm224 www.packet-level.com
Friday – 1730 Advanced Analysis – 8:00a Rm124
Friday – 1731 Case Studies/Security – 11:00a Rm124
Remember to fill out your evaluations! October 11, 2002
© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 1
This Lecture Covers...

Selecting and Implementing an Analyzer Solution
Intruder Detection Systems
Forensics
Case Studies
1
Getting and
Implementing
Your Protocol
Analyzer
Analyzer Selection
Standalone
Distributed
Software only
Hardware/software
My opinions…
2
Analyzer Placement – Hub Networks
All packets go everywhere in a hubbed environment
Hub
Analyzer Placement – Switch Networks
Yipes! Virtual circuits ruin our analysis.

Consider the solutions
• Hubbing out
• Mirroring/spanning
• Hacking… Switch
3
Analyzer Placement – Routed Networks
You can’t analyze through a router.
Router
Hub Hub
Learning Packets and Protocols
www.ieee.org
www.iana.org
www.ietf.org
www.packet-level.com
www.podbooks.com
www.sans.org
www.cert.org
4
Baselining the Network
“The laying on of hands” approach

Look for:
• Broadcasts/multicasts
• ICMP traffic
• Client login sequences
• Too much visibility
Alarms/Alerts
Automatic notification of unusual events

Watch the thresholds
Trends enable you to set appropriate thresholds
Don’t trust all alarms/alerts— research their cause
5
Defining Alarms
Consider performing a ‘baseline’ before changing alarms.
Use a Cyclical Buffer
Use with a trigger to ‘catch’ an event
6
Building Security Filters
Test your firewall – firewall filters

Get hot port list
Build application-layer filters
• i.e., FTP or Gnutella filter
• DNS queries
• Hidden DHCP servers
• Hidden web servers Offset
0x36
(54d)
Documenting the Network
Step 1: Gather traces – take notes

– Use good naming techniques
– Gen1.cap, switch1-nospan.cap, mike-boot.cap
– Use last-page listing
Step 2: Build an outline
– Include 1 paragraph descriptions
Step 3: Review traces and take screenshots
– Use SnagIt by TechSmith
Address Execs separate from Techs
7
Consider
An Intruder
Detection
Systems
Active v. Passive IDS
Active IDS
• Actively looking for attack signatures in real time.
• ISS Real Secure
Passive IDS
• Passively gathering data for later signature checking and
correlation.
• Offline buffer filtering
8
Snort IDS
Network Intruder Detection System (NIDS)

Rules-based
Plug-ins available
Sample snort rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128
(msg:"INFO - Possible Squid Scan"; flags:S;
classtype:attempted-recon; sid:618; rev:1;)
Link: www.snort.org
Where do You Put Your Pig?
Off a hub
Off a spanned/mirrored switch port
Switch
2 Hub
Client A Client B
1
Server 1
9
Forensics
Forensics
And Other Tools
Forensic Computing
Gathering and analyzing data in a manner as free from

distortion or bias as possible to reconstruct data or what
has happened in the past on a system.
10
Forensic Ordering
Follow the order of volatility

• memory, cache
• swap files
• network state
• running processes
• disks (local)
• peripheral storage
Forensics
Take system offline

Track everything you do/type
Consider your space restrictions
Grab first; analyze later
Note hardware/software configuration
• netstat, route, arp, logfiles, kernel info
11
Unix Forensic Tools
Grave Robber
• memory
• netstat, route, arp, etc.
• capture process data
• log files
Windows NTFS Suite by NTI
DiskSearch NT - A Text Search Utility for Windows NT. It searches files, slack and
erased space.
FileList NT - A disk catalog tool used to evaluate computer use time lines for
normal and erased files on Windows NT systems.
GetFree NT - An ambient data collection tool used to capture unallocated data on

Windows NT systems.
GetSlack NT - An ambient data collection tool used to capture file slack on

Windows NT systems.
ShowFL NT - A program used to analyze the output of the NT FileList program.
PTable - A partition table analysis tool which is essential for the processing of NT
based systems.
12
Law Enforcement (LE) Tools
Tools we can only dream about
• Coroner’s Toolkit
• Encase
• A-TIP (Alarm-Triggered IP)
• Nasa VISAR
• Carnivore (FBI) Before VISAR After VISAR
Enhancement Enhancement
The Future of IP Traceback
“Practical Network Support for IP Traceback” [Savage,

Wetherall, Karlin, Anderson] Technical Report UW-CSE-00-02-01
2
5
7 V
A 1
3
6
4 •Node Append <all rtrs>
A=attacker •Node Sampling <one rtr each>
V=victim •Edge Sampling <outside rtrs>
•Compressed Edge Sampling
<combo edge rtrs>
13
Case Studies
Case #1: Catching Hacks in the Wild
The situation:
Onsite training class – tapped into the live network.
Suddenly, the firewall was breached.
Filters
Based
On
Blocked
Firewall
ports
14
Case #2: Dodging the Firewall
Clients opening up p2p sharing after all the authentication

put in place. Shared:
• C:\
• F:\user\[username]
Filter
Based
On
Gnutella
signature
Case #3: Dumpsters Rule!
One dumpster diving trip yielded a tremendous amount of

financial and client data.
Love
Confidential
Client Payroll That
Files
List AR/AP Data Expense Copy
Info Info Room!
15
Case #4: The Open Door Policy
Citrix box right onto the network…
CITRIX
Internet
Router
Case #5: Death by Application
100% server utilization (roaming)

Poor printing performance (roaming)
5 minute login time (static)
Lousy network performance (static)
The Culprit
16
Your Turn to Hack/Crack
More Training/Information
• Attend other analysis sessions
• US/Canada Roadshow (www.nuihotlabs.com)
• Hands-On Analysis, Troubleshooting and
Cybercrime
• Classes (private and public)
• Read the specs along side your analyzer
• Read books focusing on analysis and packet-level
communications
• see www.podbooks.com
• Get online at www.packet-level.com—join the mailing list
17
© 2002 hp
18

Implementing Security Solutions

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Implementing Security Solutions

Uploaded by

Copyright:

Available Formats

Attendees:

Course notes online Case Studies in

Sessions this week: Laura Chappell

Remember to fill out your evaluations! October 11, 2002

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 1

This Lecture Covers...

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 2

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 3

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 4

All packets go everywhere in a hubbed environment

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 5

Analyzer Placement – Switch Networks

Yipes! Virtual circuits ruin our analysis.

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 6

You can’t analyze through a router.

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 7

Learning Packets and Protocols

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 8

“The laying on of hands” approach

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 9

Automatic notification of unusual events

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 10

Consider performing a ‘baseline’ before changing alarms.

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 11

Use a Cyclical Buffer

Use with a trigger to ‘catch’ an event

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 12

Test your firewall – firewall filters

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 13

Documenting the Network

Step 1: Gather traces – take notes

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 14

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 15

Active v. Passive IDS

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 16

Network Intruder Detection System (NIDS)

Where do You Put Your Pig?

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 18

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 19

Gathering and analyzing data in a manner as free from

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 20

Follow the order of volatility

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 21

Take system offline

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 22

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 23

Windows NTFS Suite by NTI

GetFree NT - An ambient data collection tool used to capture unallocated data on

GetSlack NT - An ambient data collection tool used to capture file slack on

ShowFL NT - A program used to analyze the output of the NT FileList program.

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 24

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 25

The Future of IP Traceback

“Practical Network Support for IP Traceback” [Savage,

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 26

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 27

Case #1: Catching Hacks in the Wild

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 28

Clients opening up p2p sharing after all the authentication

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 29

Case #3: Dumpsters Rule!

One dumpster diving trip yielded a tremendous amount of

© 2002 hp 1731_chappell.ppt hp enterprise technical symposium page 30

Citrix box right onto the network…