
VASCAN Conference October 21, 2010



Presentation Transcript


  1. Distributed Intrusion Detection with Open Source Software and Commodity Hardware
  VASCAN Conference, October 21, 2010
  Philip Kobezak pdk@vt.edu
  Will Urbanski urbanski@vt.edu
  Information Technology Security Office

  2. The Start of the Project
  • High IPS maintenance costs
  • Wanted a more distributed view of the network
  • Had never put the IPS in-line
  • Wanted IPv6 support
  • Wanted root access to the components for troubleshooting
  • Wanted standard or common hardware for compatibility and maintenance

  3. Concept of What We Wanted
  • Commodity hardware
  • Multiple distributed sensors
  • Open source software
  • Open data formats, so we could build our own tools on top of the data
  • Low initial and ongoing cost
  • Sold the network group on giving us access to the sensors

  4. Network Topology (diagram; not reproduced in the transcript)

  5. Hardware: Sensor Design
  • Kept under $700 each
  • Dual-port NIC for monitoring
  • Original plan was to use fiber taps; switched to copper
  • Dual core, 4 GB RAM
  • Small hard drive
  • On-board NIC

  6. Hardware: Sensor Design (table: partial listing of 1 and 10 Gigabit interfaces from Intel; not reproduced in the transcript)

  7. Sensor Design
  • We use FreeBSD 8.0 64-bit
  • Why not Linux?
  • K.I.S.S.
  • Sensors run a 'minimal' FreeBSD install
  • FreeBSD natively supports a zero-copy capture path between the NIC and the kernel (zero-copy BPF, in the base system since 8.0)
  • The Linux equivalents are add-ons: NTOP's PF_RING kernel module, or Phil Wood's mmap-based libpcap implementation

  8. System Architecture
  • Combined the IDS software configs into logical packages called snort instances
  • An instance contains:
  • Rulesets (VRT, ET, or custom rules)
  • Configurations for Snort and the other IDS tools
  (diagram: snort instances on a sensor feeding one DB)

  9. Instance Software
  • Snort
  • Daemonlogger
  • Barnyard2

  10. Snort Instance Workflow
  Physical NIC -> Daemonlogger -> Virtual NIC -> Snort -> RAMDISK -> Barnyard2 -> MySQL
  • Daemonlogger applies a BPF filter to the physical NIC ("Only show IPv4 traffic going to my database servers") and copies only the matching packets onto the instance's virtual NIC
  • Snort reads the virtual NIC with the instance's own ruleset ("Identify DB attacks, brute force attempts, and network recon") and writes its alerts to a RAMDISK
  • Barnyard2 picks the alerts up from the RAMDISK and saves them to the MySQL database

  11. (detail of slide 10: Snort reading the virtual NIC, "Identify DB attacks, brute force attempts, and network recon", alerts written to the RAMDISK)

  12. (detail of slide 10: Barnyard2 reading the RAMDISK and saving alerts to the MySQL DB)

  13. Why use snort instances?
  • Granularity
  • Monitor for specific attack types against specific services, on specific machines
  • Care less about viruses in student dorms
  • Care more about PII leaked from misconfigured systems
  • Performance

  14. Why use snort instances?
  • Granularity
  • Performance
  • Running Snort directly on the physical NIC results in a large number of dropped packets (60%+), unless you run a very small number of rules
  • Snort may be configured to look for attacks against web services only, but it still has to see P2P, streaming media, email traffic, etc.
  • Through a snort instance we limit the traffic Snort must process to what its rules actually cover
  • The fewer packets there are to process, the fewer packets there are to drop
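As an added example that is not part of the presentation or of the VT ITSO tooling, the script below ties slides 10 and 14 together: it builds the Daemonlogger BPF filter for "only IPv4 traffic going to my database servers" and emits the Daemonlogger, Snort and Barnyard2 command lines for one snort instance on a FreeBSD sensor. The interface names (em1 for the monitor port, tap0 for the virtual NIC), the RAM-disk path /ramdisk/db, the per-instance config layout under /usr/local/etc/snort/<name>/ and the server addresses are assumptions for illustration; the daemon flags used are the tools' documented ones (daemonlogger -i/-o soft-tap mode, snort -c/-i/-l, barnyard2 -c/-d/-f/-w).

```shell
#!/bin/sh
# Added example (not the VT ITSO scripts): bring up one "snort instance"
# for database servers on a FreeBSD sensor, following the slide 10 workflow.
# Hypothetical assumptions: monitor port em1, virtual NIC tap0, unified2
# spool on a RAM disk at /ramdisk/db, configs under /usr/local/etc/snort/<name>/.

# Build the Daemonlogger BPF filter: only IPv4 traffic going to the listed
# database servers on the listed ports.  Everything else (P2P, streaming,
# mail, ...) never reaches this instance's Snort, which is what keeps the
# drop rate down (slide 14).
db_filter() {
    hosts=$1   # space-separated IPv4 addresses (constructed sample input)
    ports=$2   # space-separated destination ports
    [ -n "$hosts" ] && [ -n "$ports" ] || { echo "db_filter: need hosts and ports" >&2; return 1; }
    hexpr=""
    for h in $hosts; do
        hexpr="${hexpr:+$hexpr or }dst host $h"
    done
    pexpr=""
    for p in $ports; do
        pexpr="${pexpr:+$pexpr or }dst port $p"
    done
    printf 'ip and (%s) and (%s)\n' "$hexpr" "$pexpr"
}

# The three daemons of one instance, one command line per output line:
#   daemonlogger in soft-tap mode (-o) copies packets matching the BPF filter
#     from the physical NIC onto the virtual NIC;
#   snort listens on the virtual NIC with this instance's own snort.conf and
#     logs unified2 records into the RAM-disk spool (snort.conf must contain
#     "output unified2: filename snort.u2" for the names below to line up);
#   barnyard2 follows that spool (waldo bookmark) and writes the alerts to
#     MySQL as configured in this instance's barnyard2.conf.
instance_cmds() {
    name=$1; phys=$2; virt=$3; spool=$4; filter=$5
    cfg=/usr/local/etc/snort/$name
    printf 'daemonlogger -d -i %s -o %s %s\n' "$phys" "$virt" "$filter"
    printf 'snort -D -c %s/snort.conf -i %s -l %s\n' "$cfg" "$virt" "$spool"
    printf 'barnyard2 -D -c %s/barnyard2.conf -d %s -f snort.u2 -w %s/barnyard2.waldo\n' \
        "$cfg" "$spool" "$spool"
}

# One-time host preparation on FreeBSD (run as root): a 256 MB swap-backed
# RAM disk for the spool and the tap(4) interface the instance will read.
prepare_host() {
    mkdir -p /ramdisk/db
    mdconfig -a -t swap -s 256m -u 0
    newfs -U /dev/md0
    mount /dev/md0 /ramdisk/db
    ifconfig tap0 create
    ifconfig tap0 up
}

# Usage: ./instance.sh        prints the three command lines
#        ./instance.sh run    prints and executes them (root, after prepare_host)
main() {
    filter=$(db_filter "10.1.1.5 10.1.1.6" "3306 1433") || exit 1
    instance_cmds db em1 tap0 /ramdisk/db "$filter" | while read -r cmd; do
        echo "$cmd"
        if [ "${1:-}" = run ]; then eval "$cmd"; fi
    done
}
main "$@"
```

Each additional instance is the same three daemons with a different name, filter and virtual NIC; slide 16's numbers (roughly 75-85% of a core for Snort plus Daemonlogger) are what bound how many of them a sensor can carry.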

  15. Scale Up! (diagram: one Snort sensor running three instances, "Viruses", "DB Scanning" and "Service-Specific Attacks")

  16. Scale Up!
  • Average CPU usage per application per snort instance:
  • Snort: 50% - 60%
  • Daemonlogger: 20% - 25%
  • Barnyard2: < 1%
  • Because of this (roughly 75% - 85% of a core for a whole instance) we can easily run one snort instance per core without increasing the load on the system to unacceptable levels

  17. Deployment
  • Two additional servers required for deployment:
  • Database server for storing alerts
  • Management server for pushing rules and monitoring sensors

  18. Database Server
  • Beefy physical machine: multicore, running MySQL server
  • Big drives: 146 GB for the OS; 1 TB of SAS drives in RAID10 for storage
  • Since June 1, 2010, we've recorded 22 million alerts

  19. Management Server
  • Rule management with Oinkmaster: manages and automatically configures the rulesets
  • Configuration propagation: configuration files are propagated to the sensors via secure copy
  • Monitoring: uptime monitored by Nagios
  • Analytics and reporting: alert management and reporting provided by BASE

  20. Summary
  Pros
  • Minimal cost to implement
  • No recurring annual costs
  • Easy access to the IDS data
  • Easier to upgrade at a later date
  • We are ready for IPv6 support
  Cons
  • Requires expertise and many person-hours
  • Must manually maintain software updates
  • Waiting on Barnyard2 (BY2) IPv6 support

  21. Questions?
  Contact Information:
  Will Urbanski, IT Security Analyst, urbanski@vt.edu
  Philip Kobezak, IT Security Analyst, pdk@vt.edu
  Randy Marchany, IT Security Officer, marchany@vt.edu
  www.security.vt.edu
