
Building a Campus Dshield


Presentation Transcript


  1. Building a Campus Dshield Randy Marchany IT Security Lab VA Tech Blacksburg, VA 24060 marchany@vt.edu http://security.vt.edu

  2. VT Defense-in-Depth Strategy • Layer 1: Blocking Attacks: Network Based • Layer 2: Blocking Attacks: Host Based • Layer 3: Eliminating Security Vulnerabilities • Layer 4: Supporting Authorized Users • Layer 5: Tools to minimize business losses

  3. Putting the Pieces Together • RDWEB – locate any device in our network • DSHIELD – Collect Firewall logs • SNORT – Sensors monitoring for patterns • SAFETYNET – “pull” vulnerability scanner • CHECKNET – “push” vulnerability scanner • REMEDY – Trouble Ticket system used by Help Desk • CENTRAL SYSLOG – collects syslogs

  4. IDS Infrastructure (architecture diagram; components shown, with feeds converging on the VT Dshield server and its MySQL DB): IPS • CheckNet WWW • SNORT Base MySQL DB • CheckNet Failure DB • Campus Systems • Central Syslog Servers • Nessus Scanners • SNORT Sensors • VT Dshield • Dshield MySQL DB • Remedy Trouble Ticket System • SafetyNet MySQL DB • Help Desk • CIRT

  5. VA Tech Defense in Depth • Layer 1: Blocking Attacks: Network Based • Network Intrusion Prevention Systems • Discovery and mitigation • Firewalls • Secure Web Filtering • Secure Email, Anti-Spam

  6. VA Tech Defense in Depth • Layer 2: Blocking Attacks: Host Based • Personal firewalls • Spyware removal • Scan & Block/Quarantine Networks • Antivirus

  7. VA Tech Defense in Depth • Layer 3: Eliminating Security Vulnerabilities • Vulnerability management & remediation • Patch management • Configuration management • Security configuration compliance • Application security testing

  8. Putting the Pieces Together • REN-ISAC weather reports • Dshield.org • IPS • Netflows • UCONN netreg • VSC scanners

  9. You Already Belong to a “Dshield” • Default setting for Windows XP Personal Firewall sends copies of your firewall logs to http://hackerwatch.org • Why not belong to one that you know about?

  10. Dshield – Internet Storm Center • Internet Storm Center concept was developed after analysts noted that time zones provided an early warning system for some attacks • Attacks originating in Asia occurred 12+ hours before hitting North America • People coming to work and logging into their computers

  11. Dshield • Similar to weather reporting infrastructure • Mapping probes similar to mapping weather fronts • Admins could look at the data in real time and use this info to prepare for an attack • Similar to looking at a weather map to prepare for tomorrow’s weather

  12. Weather Report vs. Internet Storm Ctr • Small sensors in as many places as possible recording basic weather info ↔ Small IDS tools send logs to regional/campus site • Regional weather stations providing tech support, summarize and display it for local meteorologists ↔ Regional site provides automated support and reporting tools • National weather centers summarize and map regional data to provide overall weather picture ↔ Global Analysis & Coordination Centers provide early warning to network community of impending/ongoing attacks

  13. DShield Configuration • Hardware • DEC 2650, 2GB RAM, 785GB disk • Software • Red Hat Enterprise • Apache WWW server • PHP • MySQL • Dshield base system from Internet Storm Center
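As an added illustration, not code from the talk or from the Internet Storm Center's Dshield distribution, the block below shows what a campus site's intake does with the firewall logs that slides 3, 12 and 13 describe: it parses netfilter/iptables-style syslog lines, emits the tab-separated record layout Dshield clients submit (date with time zone, user id, count, source, source port, target, target port, protocol, TCP flags; that layout is assumed here and should be checked against dshield.org before anything is submitted), and summarises the blocked traffic by targeted port and by sources that touch several campus hosts. The sample log lines, the FW-DROP/FW-ACCEPT log prefixes, the year, the time-zone offset and the user id are all constructed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in netfilter/iptables format, not real campus traffic.
# FW-DROP lines are blocked packets (what a Dshield feed reports); the FW-ACCEPT line
# and the truncated last line exercise the two cases the parser must skip.
SAMPLE_LOG = """\
Oct 12 03:14:07 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=52 PROTO=TCP SPT=4421 DPT=445 SYN
Oct 12 03:14:09 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 LEN=40 TTL=52 PROTO=TCP SPT=4422 DPT=445 SYN
Oct 12 03:15:30 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=404 TTL=110 PROTO=UDP SPT=1434 DPT=1434
Oct 12 03:16:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.12 LEN=40 TTL=52 PROTO=TCP SPT=4423 DPT=445 SYN
Oct 12 03:16:45 gw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=22 SYN
Oct 12 03:17:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5
"""

# Syslog prefix plus the (assumed) FW-DROP log prefix set in the iptables LOG rule.
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: FW-DROP: (?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")
# netfilter prints TCP flags as bare tokens; Dshield uses single letters.
TCP_FLAGS = {"SYN": "S", "ACK": "A", "FIN": "F", "RST": "R", "PSH": "P", "URG": "U"}


def parse_line(line, year):
    """Return one event dict for a blocked packet, or None for lines to skip."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # accepted traffic or a non-firewall line
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    try:
        # Syslog omits the year, so the collector supplies it.
        when = datetime.strptime(
            f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}", "%Y %b %d %H:%M:%S"
        )
        ev = {
            "time": when, "src": fields["SRC"], "dst": fields["DST"], "proto": fields["PROTO"],
            "sport": int(fields.get("SPT", 0)), "dport": int(fields.get("DPT", 0)),
        }
    except (KeyError, ValueError):
        return None  # truncated line: required fields missing
    tokens = set(rest.split())
    ev["flags"] = "".join(TCP_FLAGS[f] for f in TCP_FLAGS if f in tokens) if ev["proto"] == "TCP" else ""
    return ev


def to_dshield_record(ev, user_id, tz_offset):
    """Assumed Dshield submission layout: time tz, user, count, src, sport, dst, dport, proto, flags."""
    return "\t".join([
        ev["time"].strftime("%Y-%m-%d %H:%M:%S") + " " + tz_offset,
        str(user_id), "1", ev["src"], str(ev["sport"]),
        ev["dst"], str(ev["dport"]), ev["proto"], ev["flags"],
    ])


def summarize(events, scanner_threshold=3):
    """Campus-level report: hits per target port and sources touching several hosts."""
    port_hits = defaultdict(int)
    port_sources = defaultdict(set)
    src_targets = defaultdict(set)
    for ev in events:
        key = f"{ev['dport']}/{ev['proto']}"
        port_hits[key] += 1
        port_sources[key].add(ev["src"])
        src_targets[ev["src"]].add(ev["dst"])
    top_ports = sorted(
        ((k, port_hits[k], len(port_sources[k])) for k in port_hits),
        key=lambda t: (-t[1], t[0]),
    )
    scanners = sorted((s, len(t)) for s, t in src_targets.items() if len(t) >= scanner_threshold)
    return {"top_ports": top_ports, "scanners": scanners}


def load_events(text, year):
    return [ev for ev in (parse_line(line, year) for line in text.splitlines()) if ev]


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG, 2006)
    for ev in events:
        print(to_dshield_record(ev, 0, "-05:00"))  # user id 0 and offset are constructed
    print(summarize(events))
```

The skip cases matter more than the happy path: a feed that forwards accepted traffic or half-written lines pollutes the shared database, which is the "need to tailor firewall configurations" point on the next slide. The per-source target count is the campus-scale version of what the Internet Storm Center does across time zones.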

  14. The Good News, The Bad News • Good News: Dshield code is already set to do the functions shown later • You do some local mods and you’re ready to go • Software can handle the load • Fairly universal feeds • Good reporting tool • Bad News: Code is hard to get • Basic documentation • Convincing your environment to feed your dshield • Need to tailor firewall configurations • Needs an analyst to interpret the results

  15. References • http://isc.sans.org • http://dshield.org • http://dshield.cirt.vt.edu • Randy Marchany • VA Tech IT Security Lab • 1300 Torgersen Hall, VA Tech • Blacksburg, VA 24060 • 540-231-9523, marchany@vt.edu

  16. IDS/IPS States

  17. VA Tech Defense in Depth • Layer 4: Supporting Authorized Users • ID and access management • File Encryption • Secure communications • PKI • VPN • IPSEC based VPN • SSL VPN • Secure remote access

  18. VA Tech Defense in Depth • Layer 5: Tools to minimize business losses • Security information management • Business transaction integrity monitoring • Security skills development (training) • Forensic tools • Regulatory compliance tools • Business recovery • Backup
