NoVA Hackers: Securin on a budget

Post on 17-Jan-2015


Securin’ on a Budget

JC, Adam

Disclaimer

» We are only representing ourselves, no one else.

» The material in this presentation is provided without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or the use or other dealings in the software.

» Attendance implies agreement with the disclaimer.

About us

JC (@JC_SoCal), Adam (@dfinf2)

» Former Marine

» Forensics/Malware Analysis/Social Engineering

» Fishnet Security

» Temporary Drifter from San Diego

» Security Maven

» SOC Hobbit

» Open Source Connoisseur

Expectations

» A list of tools, yay tools!

» We will discuss quickly what it's for.

» We will make an effort to discuss the benefits of having this tool in your environment.

» We will not be detailing the complete functionality of every tool.

» Enjoy the talk; a link to the slide deck will be at the end.

About this talk

» Security appliances are very expensive.

» Budget is not always approved.

» We still need to do SOMETHING.

» Look to open source/free software to provide some degree of security.

» Cat pictures

Agenda

» Look at solutions present for the following areas:

˃ Firewall/Proxies/VPN

˃ IDS

˃ Packet capture/flow

˃ Vulnerability scanning

˃ Host security

Firewalls / Proxies / VPNs

» IPFire

» pfSense

» Squid

» OpenVPN

IPFire

» GUI-based SOHO firewall distribution. Great "All-In-One" solution

» Very easy to install and pick up and run with

» Support to use as a wireless access point

» Snort IDS/IPS package can be installed and run on the box

» Squid can be installed and comes with preloaded block lists.

IPFire (screenshot slide)

pfSense

» Another GUI-based Linux firewall distribution

» Larger feature set than IPFire

» Also features Snort, but provides more configuration for it, such as real-time alerting and true IPS capabilities.

» Can also install Squid as a proxy

» Multiple VPN options (OpenVPN, IPsec, PPTP, L2TP)

» Features a captive portal page

» High availability offering

pfSense (screenshot slide)

Squid Proxy

» Best free proxy

» Can configure blocklists that auto-update

» Can be paired with ClamAV to scan executables as they are downloaded

» ACLs can be implemented to control who can access what

» Provides extensive logging: who did what, when, and where
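A squid.conf fragment, added here as an illustration and not taken from the talk, showing the ACL and logging pieces the slide mentions: an internal network that may use the proxy, a domain blocklist loaded from a file that an external job refreshes, and the access log that records who requested what and when. The network range, file paths and blocklist file name are assumptions.

```conf
# squid.conf fragment (added example, not from the talk).
# Network range, file paths and the blocklist file name are assumptions.

http_port 3128

# Who: the internal network that is allowed to use the proxy
acl localnet src 10.0.0.0/8

# What: domains from an externally refreshed blocklist, one domain per line.
# Squid reads the file at startup or on "squid -k reconfigure", so the job
# that updates the file should trigger a reconfigure afterwards.
acl blocked dstdomain "/etc/squid/blocklist.txt"

# Limit plain requests and CONNECT tunnels to expected ports
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Order matters: the first matching http_access line wins
http_access deny blocked
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Where and when: the native "squid" log format records the timestamp,
# client address, result code, byte count, method and URL of every request
access_log /var/log/squid/access.log squid
```

Deny rules are placed before the allow so that a blocklisted domain is refused even for clients on the trusted network.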

Squid Proxy (screenshot slide)

OpenVPN

» Uses the features of OpenSSL

˃ encryption, authentication, and certification

˃ cipher, key size, or HMAC digest

» Static-key based conventional encryption or certificate-based public key encryption

» Tunnel over a single UDP or TCP port

» Use static, pre-shared keys or TLS-based dynamic key exchange

» Windows GUI

» Comes installed on IPFire, pfSense
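Two minimal OpenVPN server configurations, added here as an illustration and not taken from the talk or from the OpenVPN project, contrasting the two key modes the slide lists: a static pre-shared key versus certificate-based TLS key exchange, both on a single UDP port and both pinning the data-channel cipher and HMAC digest. File names, tunnel addresses and the chosen cipher/digest are assumptions.

```conf
# Added example, not from the talk. File names, addresses and the chosen
# cipher/digest are assumptions. Each block below is its own config file.

# ---- server-static.conf: static pre-shared key ----
# The key is created once with "openvpn --genkey --secret static.key" and
# copied to the single peer over a trusted channel. No PKI, but only one
# client, and the same key protects every session until it is rotated.
dev tun
proto udp
port 1194
# local and remote tunnel endpoint addresses
ifconfig 10.8.0.1 10.8.0.2
secret static.key
# symmetric cipher for the data channel
cipher AES-256-CBC
# HMAC digest authenticating each packet
auth SHA256

# ---- server-tls.conf: certificate-based, TLS key exchange ----
# Clients present a certificate signed by ca.crt; per-session keys are
# negotiated dynamically, so many clients can share one server config.
dev tun
proto udp
port 1194
# hand out tunnel addresses from this pool
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# extra HMAC on the TLS control channel; the client side uses direction 1
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
keepalive 10 120
persist-key
persist-tun
```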

OpenVPN (screenshot slide)

IDS

» Snort

˃ Snorby

» Suricata

Snort

» Probably the most well-known IDS out there

» Fairly difficult to deploy a multi-sensor IDS with Snort

» Will work just as well as Sourcefire if configured properly

» Multiple packages can be added to Snort to make it perform better (e.g. Barnyard and PulledPork)

Snort (screenshot slide)

Snorby

» Front end for Snort

» Displays a lot of useful information up front and easily

» Events parse out quite well and make it easy to read what caused the event

» Native integration with OpenFPC allows full packet capture with Snort without too much configuration

Snorby (screenshot slide)

Suricata

» Another well-known IDS/IPS engine

» Part of Homeland's open source tech program

» Runs on Linux/Windows/Mac

» Can use Snort VRT rules, rule language and logging

» Multi-threaded

» IPv6 support

» Rule-based IP reputation

Packet Capture/Flow

» OpenFPC

» Moloch

» fProbe

OpenFPC

» Full packet capture program made to easily integrate with other programs such as Snorby

» API is easy to use

» Installs easily on Debian with minimal compiling

OpenFPC (screenshot slide)

Moloch

» Provides a great full program for packet capture

» Has the ability to deploy multiple servers that report back to one

» Interface out of the box, useful if you don't plan to integrate with an IDS or SIEM, etc.

Moloch (screenshot slide)

fProbe

» Small program that can be run on either the OpenFPC or Moloch box and turns packet captures into flows

» Very simple to use: just install and make sure the options are set correctly to point at the right collector (SIEM or pfSEN server, etc.)

» Helpful if networking decided to buy those Cisco routers that conveniently don't support NetFlow…

Scanning

» OpenVAS

» Nessus

» Arachni

OpenVAS

» OpenVAS evolved from Nessus

» Greenbone Security Assistant provides a usable front end, though it is sometimes slow

» Daily updated feed of Network Vulnerability Tests (NVTs), over 30,000 in total (as of April 2013).

» Pro services from 3rd-party vendors.

OpenVAS w/Greenbone (screenshot slide)

Nessus – Free Feed

» Though a Pro feed license for a Nessus scanner is only $2,500/yr, you can pick up a free feed for $0/yr

» Only catch is the plugins are updated a week or so behind the Pro feed

» Not supposed to be used in a commercial environment

» Works well for what most small companies need

Nessus – Free Feed (screenshot slide)

Arachni

» Free web application scanner

» Fairly active development on the project

» Takes seconds to stand up and run

» Tends to be more on the false-positive side

» Still provides useful information, mainly on out-of-date vulnerable versions of web apps.

Arachni (screenshot slide)

Host Security

» OSSEC

» Anti-Virus

» Cuckoo

OSSEC

» OSSEC is a HIDS (host intrusion detection system)

» Agents run on: Windows, Linux, MacOS, Solaris, HP-UX, and more

» Comprised of a manager and agents, and also has agentless log acceptance (syslog)

» Can monitor VMware (ESX)

» Real-time alerting

» File integrity and log monitoring

» Commercial support from Trend Micro

Anti-Virus

» ClamAV – open source, no real-time file monitoring, not as high a success rate as others. Low overhead

» AVG, AVIRA, Avast!, MSSE – all freeware antivirus, with decent detection ratios, fairly high overhead with the exception of MSSE.

» Microsoft has recently said MSSE may not be the best AV of choice and recommends alternatives be used.

Cuckoo

» 'Semi-automated' malware analysis sandbox

» Great at quickly identifying what malware may do to a host

» Reporting is very thorough

» Some assembly required

» API built in to make it a bit more automated if you desire

» Does not counter anti-VM malware

Cuckoo (screenshot slide)

Wrap up

» Lots of options

» Great for home labs

» A good start …

» Move to commercial as you grow out of these solutions

Questions?

@JC_SoCal @dfinf2