Simple Security: Moderate Difficulty Setup

A few days ago I posted Simple Security: The Basics to cover a few easy and cheap ways to help secure your Windows environment. Today I am going a step further and covering some more advanced techniques to help secure your environment.

Given that this is a moderate setup, I am going to keep things as cheap as possible. In the advanced guide I will talk about more expensive, higher-end solutions like Cisco ASA, SonicWall, Palo Alto, ESXi, domain controllers, enterprise-level malware protection like SideWinder, VM servers, and Splunk.

In today's guide I will be discussing how to set up tools like a network intrusion detection system (NIDS), a network security monitor (NSM), a Security Information and Event Management (SIEM) server, and an all-in-one monitoring distribution that bundles these. I'll also talk about ways to automatically pull in open-source intelligence (OSINT) and feed it to the analysis systems that protect your network.

First, let's define an IDS. An IDS compares network traffic against a set of rules, referred to as signatures, and writes an alert to a log whenever traffic matches one. An IDS only alerts, while an Intrusion Prevention System (IPS) sits inline in the traffic path and can also drop traffic that matches a signature. This is an important distinction when designing a network: an IPS has to be in the path of the traffic, while an IDS can work from a copy of it. Most IDS/IPS products can operate in either mode. While the average user will probably want the IPS function, it is sometimes useful to only log activity rather than block it, for example while tuning a new rule set to see what it would have dropped.

IDS/IPS: Snort

For this guide, we are going to use an IDS called Snort. Snort was created by Martin Roesch in 1998; his company Sourcefire was acquired by Cisco in 2013, and Cisco's Talos group now maintains Snort and its rules. Snort rules are simple to write but allow deep inspection of packet contents. A typical Snort rule looks something like this:
alert icmp any any -> $HOME_NET any (msg:"Icmp"; content:"|1b|"; classtype:icmp-event; sid:10000001; rev:1;)
Let's take a moment to break down the syntax.

  • alert: The action Snort takes when the rule matches. Other actions are log, pass and, when Snort runs inline as an IPS, drop and reject.
  • icmp: The protocol to match. You will usually see tcp or udp here; ip matches any IP protocol.
  • any (1st one): The source IP. Replace it with an address, a CIDR block, or a variable to match only specific sources.
  • any (2nd one): The source port.
  • ->: Direction of the traffic. <> matches either direction.
  • $HOME_NET: The destination IP. $HOME_NET is a variable defined in the Snort configuration file; any address or list of addresses can be used here instead.
  • any (3rd one): The destination port.
  • msg: The message Snort writes in the alert.
  • sid: The unique rule ID. SIDs below 1,000,000 are reserved for rules shipped by Snort/Talos, so local rules start at 1,000,000.
  • rev: Revision number, incremented each time the rule is edited. This helps with signature management.
  • classtype: Puts rules and alerts into categories (each with a default priority) so you can filter them and find them more easily later.
  • content: Matches a string or byte sequence inside the packet payload (raw bytes are written in hex between pipes, e.g. |1b|). A specific content match is the most important way to reduce false positives.
Reading this rule out loud would play out like this:
Send an alert any time an ICMP packet from anywhere reaches my home network with the byte 0x1b in its payload.
As you can hopefully see, the basic Snort syntax is easy to understand but allows for almost endless flexibility and customization.
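To make the breakdown above concrete, here is a small parser added for this post (it is not Snort's own code) that splits a rule into the header fields and options just described, decodes the |hex| content notation, and flags a SID that falls in the reserved range below 1,000,000. The sample rules it runs over are constructed for the example; the first one is the post's ICMP rule.

```python
"""Parse Snort rules into their header fields and options.

Added example for this post, not Snort's own code. The sample rules
below are constructed; the first is the post's ICMP rule.
"""
import re

MIN_LOCAL_SID = 1_000_000  # SIDs below this are reserved for shipped rules

# action proto src_ip src_port direction dst_ip dst_port (options)
_HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)
_HEX_RE = re.compile(r"\|([0-9A-Fa-f\s]+)\|")  # Snort's |hex bytes| notation

SAMPLE_RULES = [
    'alert icmp any any -> $HOME_NET any (msg:"Icmp"; content:"|1b|"; '
    'classtype:icmp-event; sid:10000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH banner"; '
    'flow:to_server,established; content:"SSH-2.0"; sid:1000002; rev:2;)',
    # Constructed bad rule: its SID is inside the reserved range.
    'log udp any any -> $HOME_NET 53 (msg:"DNS query"; sid:999;)',
]


def split_options(body):
    """Split the option body on ';' while respecting double-quoted strings."""
    options, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            if "".join(buf).strip():
                options.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        options.append("".join(buf).strip())
    return options


def decode_content(value):
    """Turn a content string such as "GET|20|/|0d 0a|" into raw bytes."""
    value = value.strip().strip('"')
    out, pos = bytearray(), 0
    for m in _HEX_RE.finditer(value):
        out += value[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += value[pos:].encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Return a dict with the header fields, options and decoded content matches."""
    m = _HEADER_RE.match(rule)
    if not m:
        raise ValueError(f"not a Snort rule: {rule!r}")
    fields = m.groupdict()
    options, contents = {}, []
    for opt in split_options(fields.pop("options")):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            contents.append(decode_content(val))
        else:
            options[key] = val.strip('"') if val else True  # bare flags like nocase
    fields["options"] = options
    fields["contents"] = contents
    fields["sid"] = int(options["sid"]) if "sid" in options else None
    fields["sid_ok"] = fields["sid"] is not None and fields["sid"] >= MIN_LOCAL_SID
    return fields


def check_rules(rules):
    """Parse every rule and collect review findings a rule author should fix."""
    parsed, problems = [], []
    for rule in rules:
        r = parse_rule(rule)
        parsed.append(r)
        if not r["sid_ok"]:
            problems.append(f"sid {r['sid']} is in the reserved range below {MIN_LOCAL_SID}")
        if r["action"] == "alert" and not r["contents"]:
            problems.append(f"sid {r['sid']} alerts without a content match; expect noise")
    return parsed, problems


if __name__ == "__main__":
    parsed, problems = check_rules(SAMPLE_RULES)
    for r in parsed:
        print(r["action"], r["proto"], r["src_ip"], "->", r["dst_ip"], r["dst_port"],
              "sid", r["sid"], "content", r["contents"])
    for p in problems:
        print("PROBLEM:", p)
```

The option splitter respects quotes because a content string may itself contain a semicolon, which a naive split on ";" would break; the reserved-range check is the same one Snort's own rule conventions expect you to follow when you write local rules.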

Snort is free software published under the GNU General Public License (GPL). You can download and install it on either Linux or Windows; however, the Linux setup is easier. There are plenty of guides on how to set up Snort on a Windows computer, including one written by the Snort team itself.

Snort itself is free; its rule sets come in three tiers:

  • Community: Free and needs no account. A smaller set of rules contributed by the Snort community and checked by Talos.
  • Registered: Requires a free Snort account, which gives you an "oinkcode". With it you can download the full Talos rule set, but each rule is released to registered users 30 days after subscribers get it. The rules are updated constantly.
  • Subscriber: Requires a yearly fee. You get the Talos rules the moment they are released instead of 30 days later. This option is only really necessary for businesses.
Rule updates are handled by PulledPork, a community-maintained Perl script that the Snort project recommends. It needs your oinkcode for the Registered rules, and will then automatically download new rules and rewrite your Snort rule files for you. It's a must for anyone using Snort and something we'll talk more about in other sections as well.

One final note on Snort before we move on: rule management. Be careful with how many rules you enable. Every enabled rule adds work to the detection engine, and even a small network generates thousands of packets in a few seconds. Enable the entire Registered rule set on a low-powered box and Snort will start dropping packets or slow your network to a crawl. Start with the rule categories that match the services you actually run and disable the rest.

Recommendation: Install Snort and set up PulledPork to manage your rules for you.
Honorable mentions: YARA and Suricata. I'm not going to cover these in depth because I don't use them extensively, so my knowledge is somewhat limited; however, I will give a brief overview.

  • YARA matches files and process memory on a host against rules that describe malware families, which makes it the host-side partner to Snort. You can use Snort to tell you when a computer is talking to something suspicious on the network and YARA to find the malicious files on that computer.
  • Suricata is an IDS/IPS/Network Security Monitor (NSM). It covers the same functionality as Snort, is multi-threaded so it scales better on multi-core hardware, and can also process PCAP files offline (as can Snort with its -r option). It reads Snort-compatible rule syntax with its own extensions, and its rules are arguably more powerful and robust.


NSM: Bro (now Zeek)

Bro (renamed Zeek in 2018) is a network analysis tool that dissects traffic, live or from a PCAP, into protocol-specific logs: connections, DNS, HTTP, SSL and so on. It is an extremely powerful tool that gives a lot of insight into what is actually happening on your network. It is also a much lighter install than a full Snort or Security Onion deployment and doesn't need as much hardware, so it runs well on something like a Raspberry Pi 3. In this guide I will recommend a few things to enhance Bro. You'll need to make Bro aggregate data, create a logging system, create a notification system, store the logs, install a graphical search tool to look through them, and finally make the various log files compatible with one another.

This might sound difficult, and I would have put it in my advanced guide if Tripwire hadn't developed a script that does it all for you.

Instead, I am going to take a moment to discuss a few things that are not included in the Tripwire guide. In order to make any of the rest of this guide work, you need a way to deliver a copy of your network traffic to the sensor. There are three options, ordered from most complicated and most reliable to least complicated and least reliable.
  • A physical network tap. A tap is inserted inline on your internet uplink and passively copies everything passing through it to a monitor port, so the sensor sees all of your traffic without being able to affect it.
  • A managed switch with a SPAN (mirror) port. My personal recommendation here is a $50 MikroTik gigabit switch. With a simple command you can have the switch mirror all traffic on one port to a SPAN port that you choose. The catch is that under heavy load the switch may drop some of the mirrored packets due to hardware constraints, and a busy full-duplex gigabit link carries more than a single gigabit mirror port can forward.
  • A NIC in promiscuous mode. You can put an ordinary Network Interface Card (NIC) into promiscuous mode so that it accepts every frame it receives. I don't recommend this because on a switched network the card only receives broadcast traffic and traffic addressed to it unless it is also plugged into a SPAN port or tap, because a USB NIC might not be compatible out of the box with the Raspberry Pi, and because it relies on the Pi's hardware to receive and process all of the traffic at the same time.
I haven't tested the Tripwire script on a regular Linux distro but I imagine it should work fine on something like Ubuntu or Mint. 

SIEM: AlienVault OSSIM

AlienVault is a cyber security company that runs the Open Threat Exchange (OTX). OTX is a place where security researchers share Indicators of Compromise (IOCs) with each other in a searchable form. AlienVault also offers a free SIEM called Open Source Security Information Management (OSSIM). If you have a spare laptop or computer lying around, or want to create a virtual machine, you can install OSSIM to act as your SIEM.

OSSIM will give you statistics on your network health and show you security events you can investigate further. There are honestly too many features in OSSIM to list them all; I could write a blog post on OSSIM alone and still not cover everything in depth. I'm going to mention one key feature though: OSSIM can link to OTX and automatically cross-check the network connections it sees against the IOCs published in OTX, so a host talking to a known bad address shows up as an alarm instead of hiding in the connection logs.
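As an added example (not Bro's, OSSIM's or OTX's code), here is the kind of cross-check just described applied to the logs the Bro sensor from the previous section produces: parse Bro/Zeek conn.log records and compare both endpoints of every connection against an indicator list. The conn.log lines and the indicators are constructed for this example; in practice the indicators would come from an OTX pulse export and the log from the sensor.

```python
"""Cross-check Bro/Zeek conn.log records against an indicator list.

Added example for this post, not Bro's, OSSIM's or OTX's code. The
indicators and log lines below are constructed; a real deployment would
load indicators from an OTX pulse export and read the live conn.log.
"""
import ipaddress

# Constructed indicators: single addresses or CIDR ranges -> description.
SAMPLE_IOCS = {
    "203.0.113.45": "constructed: beaconing C2 host",
    "198.51.100.0/24": "constructed: scanning range",
}

# Constructed conn.log excerpt in Zeek's default tab-separated format.
# The #fields header names the columns; the other # lines are metadata.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tcount\tstring\n"
    "1525000001.123456\tCx1aBc2dEf\t192.168.1.20\t51234\t203.0.113.45\t443"
    "\ttcp\tssl\t12.5\t1400\t9800\tSF\n"
    "1525000002.654321\tCy2bCd3eFg\t192.168.1.21\t53422\t93.184.216.34\t80"
    "\ttcp\thttp\t0.8\t300\t5100\tSF\n"
    "1525000003.000000\tCz3cDe4fGh\t198.51.100.77\t40000\t192.168.1.1\t22"
    "\ttcp\t-\t0.0\t0\t0\tREJ\n"
    "1525000004.111111\tCa4dEf5gHi\t192.168.1.22\t5353\t224.0.0.251\t5353"
    "\tudp\tdns\t-\t120\t-\tS0\n"
)


def compile_iocs(iocs):
    """Normalise indicators to network objects so a single IP and a CIDR match alike."""
    return [(ipaddress.ip_network(ind, strict=False), desc) for ind, desc in iocs.items()]


def parse_conn_log(text):
    """Yield one dict per conn.log record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other metadata lines (#separator, #types, #close) or blanks
        elif fields is None:
            raise ValueError("conn.log record seen before the #fields header")
        else:
            yield dict(zip(fields, line.split("\t")))


def match_iocs(records, compiled):
    """Return (uid, role, address, description) for each endpoint that hits an indicator."""
    hits = []
    for rec in records:
        for role in ("id.orig_h", "id.resp_h"):
            try:
                addr = ipaddress.ip_address(rec[role])
            except ValueError:
                continue  # '-' or a malformed field: skip it rather than abort the scan
            for net, desc in compiled:
                if addr in net:
                    hits.append((rec["uid"], role, rec[role], desc))
    return hits


def scan(log_text, iocs):
    """Parse a conn.log and return every indicator hit, in log order."""
    return match_iocs(parse_conn_log(log_text), compile_iocs(iocs))


if __name__ == "__main__":
    for uid, role, addr, desc in scan(SAMPLE_CONN_LOG, SAMPLE_IOCS):
        print(f"{uid}: {role}={addr} matched {desc}")
```

Checking both the originator and responder address matters: an inbound scan from a bad range shows up as id.orig_h, while a compromised host beaconing out shows up as id.resp_h, and the uid lets you pivot from the hit straight back to the full Bro record.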

One final note about OSSIM: the computer you install OSSIM on will need two NICs. One is the management interface and the second captures traffic. This isn't difficult if you run OSSIM in a VM, as you can simply have the hypervisor create a second virtual NIC for the VM and bridge it to the tap or SPAN port.

NSM Distribution: Security Onion

Now I'm sure someone will recommend pfSense here instead of Security Onion, and I would usually agree with them; however, pfSense is difficult to set up and therefore more of an advanced tool. Security Onion is pretty straightforward to set up.

Security Onion lets you tailor it to your needs. If you prefer Suricata over Snort, Security Onion allows that. If you want to simply log and not alert, Security Onion allows that too. For the average reader of this guide you'll want to set up Security Onion as a standalone deployment, which configures both the server that aggregates logs and the sensor that collects them on one machine.

If you run the Security Onion setup in its default configuration, it will install PulledPork and download and configure your rules for you. Keep in mind that Security Onion is a passive monitoring platform: it does not route your traffic, so it alerts on what it sees rather than blocking it. If you want blocking, you still need a firewall in the traffic path.

Remember too that you need to set up a tap or SPAN port to mirror your traffic to the sensor, otherwise Security Onion won't see anything. Security Onion also provides a lot of SIEM-like capabilities, but personally I feel OSSIM has a much cleaner interface. If you wanted to, you could run Bro, OSSIM and Security Onion as separate sensors at different parts of your network to see different things. Best of all, Security Onion is free.

These tools will help you have much better visibility into your network and create a significantly more robust defense. 

I hope you found this guide useful. If you did, please comment below and visit simplecomputersecurity.blogspot.com
