Questions about this topic? Sign up to ask in the talk tab.

Classes/Logs/2012/September/17/00-01

From NetSec
Jump to: navigation, search
23:58 <@rorschach> here's the class schedule and signup roster for this week
23:58 <@rorschach> www.blackhatlibrary.net/Current:Classes
23:58 <@rorschach> if you have a topic idea signup
23:59 <@rorschach> if you would like to do something but don't know what to talk about, pm me and I might be able to help
00:00 <@rorschach> if you have something you WANT someone to talk about come talk to us and we might be able to work 
                  something out
00:00 < lighthouse> if we were already signed up for the previous emails/classes do we have to sign up again at that URL 
                   for the next classes?
00:00 <@rorschach> and of course, tell all of your friends to come so we can share the knowledge
00:00 <@rorschach> :)
00:01 <@rorschach> no, these are open classes
00:01 <@rorschach> the signups are for scheduling a class
00:02 <@rorschach> speaker signups
-
00:16 <~hatter> ok guys here we go 
00:17 <~hatter> We're gonna do a little timeslot about security infrastructure and related components
00:19 <~hatter> Essentially security infrastructure at an internet security level is defined as intrusion detection 
               systems and intrusion prevention systems on the host and network layers (and also sometimes the OS and 
               application layers) which plug into a security infrastructure management system
00:19 <~hatter> This security infrastructure management system is typically accessed by the security personel at any 
               given NOC (network operations center) 
00:21 <~hatter> Open-Source Network intrusion detection & prevention systems include snort and sancp
00:21 <~hatter> there are also a variety of other tools
00:22 <~hatter> Like portsentry, shadow, [[HIDS|tripwire, [[|Cisco_IDS|cisco ids]]/ips (stay away from those)
00:22 <~hatter> (ciscos, I mean)
00:23 <~hatter> Sometimes a security infrastructure management system is also integrated with filesystem integrity check 
               daemons and other standard services (smtp/pop3/ftp/web/authentication/other common services)
00:25 <~hatter> Host-based intrusion detection and prevention systems include samhain and ossec - amongst some other more 
               specific service and application-level engines
00:25 <~hatter> like naxsi, suhoshin, and apache's mod_security
00:25 <~hatter> Firewalls are usually utilized by prevention systems and/or infrastructure management systems
00:26 <~hatter> these may consist of iptables, nufw, pf, ipchains, etc all the way to sonicguard, bigip, or a variety of 
                other appliances
00:27 <~hatter> Without proper firewalls, a security administrator may be unable to thoroughly mitigate an attack without 
               experiencing downtime.
00:27 <~hatter> Systemic failures can happen if appropriate infrastructures for logging all of these infrastructure 
               components are not in place during an incident
00:27 <~hatter> (or before one)
00:29 <~hatter> At the operating system level, other measures and enforcement protocols can be used to ensure integrity 
               (pam, auditd, grsec, pax, selinux)
00:30 <~hatter> Some good/open source sim's I'd recommend are opensims, ossim, and prelude siem.  
00:30 <~hatter> Prelude's frontend (Prewikka) is written in python, its kinda a pain to get running, but awesome once it 
               works
00:35 <~hatter> ok so you have a few different options when mitigating network based attacks
00:35 <~hatter> you can allow the traffic ( bad idea ) 
00:35 <~hatter> you can block/drop the traffic
00:35 <~hatter> or you can reflect the traffic
00:36 <~hatter> Blocking or reflecting are always the best solutions given different circumstances
00:37 <~hatter> for example, during a ddos, if you are sure a domain is the target and you have the ip address of the 
               command and control server, it would not even be remotely illegal for you to update the dns record to 
               point to the C&C server's ip address.  This would also cook the botnet, allowing you after a few moments 
               to update the dns record back to its original value, restoring uptime to the site
00:39 <~hatter> 1s
00:39 <~hatter> fixin somethin
00:40 <~hatter> fixt
00:41 <~hatter> In other cases when you know less information, simply dropping traffic is the appropriate response to a 
               ddos.
00:41 <~hatter> When you block the traffic using icmp unreachable or tcp reset messages, this actually makes your 
               appliances send more data, increasing the effectiveness of the denial of service attack.
00:42 <~hatter> likewise, it is advisable to chmod 0 affected directories, chattr +ia, and chown to root when a web 
               application has been compromised, unless the flaw is known.
00:42 <~hatter> traffic can be analyzed in realtime using a variety of sniffers
00:43 <~hatter> A lot of people just use tcpdump
00:43 <~hatter> Its a relatively standard command line tool
00:43 <~hatter> It does not have any attack functionality though, while things like ettercap aren't quite as good for 
               inspection but are great for attacks.
00:45 <~hatter> Sancp will make packet & pcap recordings
00:45 <~hatter> that you can inspect later using tcpdump or other pcap utilities
00:45 <~hatter> you can also just use hexdump
00:45 <~hatter> if you're into that sort of thing :)
00:48 <~hatter> there are multiple types of analysis employed by security infrastructure,
00:48 <~hatter> lets focus on integrity checking, signature based analysis, and behavior based analysis for the moment
00:49 <~hatter> Whenever you have the ability to do so, integrity checks should be done using multiple hashing 
               algorithms.  Additionally, third party systems may monitor the databases of the integrity checksums to 
               determine their integrity as well
00:50 <~hatter> The reasoning behind using multiple hashing algorithms for checksums applies due to hash collision attacks
00:50 <~hatter> It is possible to perform a collision attack using appended data against nearly any single checksum 
               algorithm
00:50 <~hatter> however because of the math involved, using multiple hashing alorithms that differ in origin may prove 
               impossible to collide at the same time
00:51 <~hatter> signature based analysis typically uses regular expressions or similar definitions for static file and/or 
               memory analysis at runtime
00:51 <~hatter> This is typically a poor solution as blacklisting will nearly always fail
00:52 <~hatter> (Perhaps a more bayesian style filtering approach is needed on a more general scale.)
00:52 <~hatter> Behaviour based analysis is a good solution however its still very young, and the technology needs 
               further growth before it can be adopted on a wider scale
00:54 <~hatter> Additionally, some behavior based intrusion detection systems are prone to false positives from licensing 
               engines, due to the polymorphic nature of modern software protections and their similarity to malware.
00:54 <~hatter> This can cause certain systemic failures if not properly integrated (part of the youth of the technology)
00:56 <~hatter> disaster recovery systems and monitoring systems may also be parts of security infrastructures
00:56 <~hatter> this includes backups, systems like nagios which check for service uptime, and database replication 
               systems for hotswitch configurations
00:57 <~hatter> Disk and filesystem cryptography also applies to security infrastructure
00:57 <~hatter> in some cases, they are legally required for various levels of legal business compliance in the united 
               states and other nations
00:58 <~hatter> This includes things like HIPAA for medical records and PCI for stored credit card data
00:58 <~hatter> This also includes stuff like application level hashing and salting for authentication
00:59 <~hatter> That kind of thing can also be required for various levels of legal compliance
00:59 < corvus> Isnt it true that adequate Disaster recovery implementations are often the largest point of failure in a 
               security policy?
00:59 <~hatter> corvus: usually either that or an audit/review process for production systems to begin with
00:59 <~hatter> but yes
01:00 <~hatter> Its usually one of those two things
01:00 < lighthouse> could you possibly give an example or two of a simple setup for a home network and maybe one for a 
                   small - medium sized business as far as what security hardware and software would be on each?
01:00 <~hatter> that is responsible for systemic failure
01:00 <~hatter> I'll go ahead and give it a go
01:00 < lighthouse> also, I have tried to setup snort for windows but to no avail, is there any way to use snort to 
                   protect a primarily windows network ?
01:01 <~hatter> Snort is a network layer inspection system
01:01 <~hatter> that means that you can install it on a single linux host
01:01 <~hatter> that also acts as a router
01:01 <~hatter> for the rest of the network
01:01 <~hatter> Say you had a switch (not a hub)
01:01 <~hatter> You'd set up your linux machine with snort 
01:01 <~hatter> as a router, then plug it into the switch
01:01 <~hatter> as well as the modem
01:01 <~hatter> the switch would then provide access to the rest of the network
01:01 <~hatter> via the router/NIDS
01:01 < lighthouse> so I could use one computer with a linux install with snort that acts as a router before the actual 
                   router?
01:01 <~hatter> you could use that on either a home network or a business network
01:02 <~hatter> yep
01:02 <~hatter> you sure could do that
01:02 < lighthouse> could that be done with saturn (a server I have with a custom hardened version of linux on it)?
01:02 <~hatter> probably.
01:03 < lighthouse> but easier to go with a less complicated distro?
01:03 <~hatter> could really be done with nearly any system
01:03 <~hatter> you don't need a super power house for it
01:03 <~hatter> however 
01:03 <~hatter> it's good to have that system locked down
01:03 <~hatter> remember, it's going to be the gateway
01:03 <~hatter> so
01:03 <~hatter> if it gets hit by something, your whole network is at risk
01:03 <~hatter> so you might want to set up the modem -> router -> snort machine -> switch -> network
01:03 <+foo> Security Onion has a lot of these tools built in: https://code.google.com/p/security-onion/
01:04 <~hatter> ^
01:04 <+foo> it's good stuff
-
01:07 < lighthouse> how much security needs to be implemented to eliminate 90-95% of all most threats?
01:07 <~hatter> lol you mean
01:07 <~hatter> how much shit do you need to turn off
01:08 <+foo> ^
01:08 <~hatter> not how much stuff do you need to add
01:08 <~hatter> xD
01:08 < Dwaan> i think im gonna have a play with snort now
01:08 < lighthouse> lol
01:08 <+foo> lighthouse: most issues are caused by enabled but unused functionality
01:08 <+foo> lighthouse: for example, take office workstations, most are allowed full access to the internal network
01:09 <+foo> aside from p2p functionality, there is no reason workstations need to talk to each other
01:09 < lighthouse> what I am saying is, won't most threats / malware be thwarted by a few levels of security? I mean, 
                   yes its best to be 100% secure (if thats even possible) but mnost dont have to worry about being 
                   hacked by the alphabet boys
01:09 <+foo> yet, as demonstrated by extensive malware propagation of many environments, workstations are allowed to not 
            only talk to each other but also attack each other unchecked
01:09 <+foo> lighthouse: 100% "security" is not possible
01:10 < lighthouse> if the SNA (scrambled for obvious reasons) wants to see what you are doing, more then likely they 
                   will be able to, no?
01:10 < Dwaan> foo: YES
01:10 < Dwaan> i try to tell people this
01:10 < Dwaan> so many people have the attitued like
01:10 < lighthouse> unless you have a bunker with electromagnetic shielded walls, they can see what you are doing
01:10 < Dwaan> 'meh, noone gonna do anything malicious on our network'
01:10 <+foo> https://www.sans.org/critical-security-controls/ here are the things to do to get "mostly secure"
01:10 < Dwaan> why bother
01:10 < Dwaan> etc
01:10 <+foo> as in, "must be this tall to ride"
01:11 <+foo> Dwaan: most organizations have no clue what their workstations do, what the traffic flow is, what is on the 
            network let alone what is installed on system X
01:11 < lighthouse> an IDS dsoes not actually prevent attacks, correct? just the IPS?
01:11 <+foo> Intrusion Detection System
01:12 <+foo> detects attacks
01:12 < Dwaan> foo: exactly
01:12 < Dwaan> lazy
01:12 <+foo> IPS, Intrusion Prevention Systems, are typically IDS + Active Response
01:12 < Dwaan> wow
01:12 < Dwaan> security onion
01:12 < Dwaan> looks nice
01:12 <+foo> Dwaan: lazy, organic growth, lack of administrative processes
01:13 <+foo> it's the defense-in-depth philosophy, at your external perimeter (outside of the FW) it makes sense to have 
            an IDS
01:13 <+foo> inside the FW, it makes sense to have an IPS
01:14 <+foo> but your IDS outside should do more than just look for attacks, it should gather network statistics and 
            information about traffic flow
01:14 <+foo> your internal IPS would take care of the "attacks" that your router and fw were unable to handle
01:14 <+foo> zzzzzZZZZzzz[m3n]: you about ready to jump in?
01:15 <+foo> lighthouse: think about a castle and the various layers of defense
01:15 <+foo> you have your castle wall
01:15 <+foo> with archers and buckets of boiling oil and firebombs
01:15 <+foo> you have a moat and a big gate
01:15 <+foo> but you also have scouts out looking for attackers
01:16 <@zzzzzZZZZzzz[m3n]> Just a moment, yes
01:16 <+foo> inside the castle walls you have segmentation of areas to limit attackers
01:16 < lighthouse> teachers: analogys = awesome
01:16 <+foo> but open areas that trusted parties can get into
01:17 <+foo> each of these areas have guards and access controls