|By Hurricane Labs||
|October 4, 2012 10:00 AM EDT||
By: Steve McMaster
This past weekend, I presented the idea of a self-defending network at Ohio LinuxFest 2012. The accompanying slides are now available here. So let’s talk about network security. You’ve got a firewall and a DMZ, you’re all set, right? Not so fast slugger. We preach a theory called “defense in depth” here at Hurricane Labs. And that means you need something to defend you when your firewall admins make a mistake. And something to protect you when that layer fails. And so on. So what are these other layers? Well one of them is having a good IDS/IPS system. An IDS/IPS listens to network traffic, generally the traffic inside your firewall, and either alerts on (IDS) or drops/blocks altogether (IPS) traffic that meets specific rules defining “bad traffic”. But what else can you do?
A coworker and I put a couple pieces of open source software (OSSEC and Snort) together to respond to certain types of automated attacks we were seeing in our IDS (we use Snort in this case). Prior to this, an engineer would manually respond to alerts by logging into our firewall and blocking the IP address causing the alert. This process was tedious, repetitive, and time consuming. By the time the firewall change would be pushed, generally the scan (it was usually a scan) was over and the attacker had moved on. So we took advantage of a feature in OSSEC called “active response”, which is used to react to events on the network. OSSEC was configured to watch for Snort alerts, and would run a script on our Internet routers (running Vyatta core 6.3) to block the IP for 10 minutes. This response runs almost immediately. We hand selected alerts that we had associated with simple scans, such as FTP Brute Force attacks, and set them up to block the addresses. But this wasn’t enough for us.
We started to ponder what sorts of scans were happening that our firewall was dropping. For example SIP or SSH scans, which don’t ever pass through the firewall, that were at best sucking up bandwidth and at worst causing problems if our firewall rules ever let something slip. Granted, those sorts of slips are uncommon, but mistakes are always possible and it’s best to plan for every type of failure.
Coincidentally, we also wanted to test a new IDS on the market called Suricata. Suricata was designed from the ground up to be an “open source next generation intrusion detection and prevention engine”, and we wanted to run it through its paces (which is a different article entirely). So, we configured a server running Suricata, but this one was configured to watch traffic on a SPAN session watching traffic outside the firewall. What we found in preliminary testing was that we saw a few types of scans on a regular basis – NMAP ping scans, SSH brute force scans, and SIP scans. So, similarly to what we did with FTP brute forcing (which for multiple reasons is better detected on the sensor inside the network) we configured OSSEC to watch logs from Suricata (which was relatively simple, as it logs in a format compatible with Snort alerts anyways). Poof! A network that defends itself.
What we’ve done is similar in premise to the Team Cymru Darknet Project. According to their website, a darknet is “a portion of routed, allocated IP space in which no active services or servers reside.” It is then assumed that any packets entering the network are unsolicited and more than likely undesirable. This can be used to reliably build a list of known malicious hosts. Unlike a true darknet, we’re using IP space that hosts active services, however we’ve tuned our monitoring to look specifically for traffic we know, by design, not to expect. This allows us to gain many of the benefits of a darknet without the resource investment required.
The advantage of this method is that we can run the “active response” on multiple targets. So, for example, we run two Internet-facing routers on our colocated data center network, and another on the edge of our office network. By detecting scans on both networks, the other network is automatically protected as well. This could be propagated to several other mechanisms as well. It could be used to build a dynamic BGP feed, or DNS blacklist, of hosts that are known to be scanning the Internet maliciously.
I’ve attached a few snippets to this article to help get you started on the path to building a self-defending network. These include configuration examples and rule signatures for OSSEC, Snort and Suricata.
SYS-CON Events has announced today that Roger Strukhoff has been named conference chair of Cloud Expo and @ThingsExpo 2017 New York. The 20th Cloud Expo and 7th @ThingsExpo will take place on June 6-8, 2017, at the Javits Center in New York City, NY. "The Internet of Things brings trillions of dollars of opportunity to developers and enterprise IT, no matter how you measure it," stated Roger Strukhoff. "More importantly, it leverages the power of devices and the Internet to enable us all to im...
Dec. 11, 2016 02:30 AM EST Reads: 1,042
Complete Internet of Things (IoT) embedded device security is not just about the device but involves the entire product’s identity, data and control integrity, and services traversing the cloud. A device can no longer be looked at as an island; it is a part of a system. In fact, given the cross-domain interactions enabled by IoT it could be a part of many systems. Also, depending on where the device is deployed, for example, in the office building versus a factory floor or oil field, security ha...
Dec. 11, 2016 02:00 AM EST Reads: 767
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at 20th Cloud Expo, Ed Featherston, director/senior enterprise architect at Collaborative Consulting, will discuss the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
Dec. 11, 2016 01:30 AM EST Reads: 1,742
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Dec. 11, 2016 01:15 AM EST Reads: 1,333
What happens when the different parts of a vehicle become smarter than the vehicle itself? As we move toward the era of smart everything, hundreds of entities in a vehicle that communicate with each other, the vehicle and external systems create a need for identity orchestration so that all entities work as a conglomerate. Much like an orchestra without a conductor, without the ability to secure, control, and connect the link between a vehicle’s head unit, devices, and systems and to manage the ...
Dec. 11, 2016 12:00 AM EST Reads: 1,129
Financial Technology has become a topic of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 20th Cloud Expo at the Javits Center in New York, June 6-8, 2017, will find fresh new content in a new track called FinTech.
Dec. 11, 2016 12:00 AM EST Reads: 2,399
The Internet of Things will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform and how we integrate our thinking to solve complicated problems. In his session at 19th Cloud Expo, Craig Sproule, CEO of Metavine, demonstrated how to move beyond today's coding paradigm and sh...
Dec. 11, 2016 12:00 AM EST Reads: 938
"We're a cybersecurity firm that specializes in engineering security solutions both at the software and hardware level. Security cannot be an after-the-fact afterthought, which is what it's become," stated Richard Blech, Chief Executive Officer at Secure Channels, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Dec. 10, 2016 11:15 PM EST Reads: 1,222
"Once customers get a year into their IoT deployments, they start to realize that they may have been shortsighted in the ways they built out their deployment and the key thing I see a lot of people looking at is - how can I take equipment data, pull it back in an IoT solution and show it in a dashboard," stated Dave McCarthy, Director of Products at Bsquare Corporation, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Dec. 10, 2016 09:15 PM EST Reads: 1,356
Everyone knows that truly innovative companies learn as they go along, pushing boundaries in response to market changes and demands. What's more of a mystery is how to balance innovation on a fresh platform built from scratch with the legacy tech stack, product suite and customers that continue to serve as the business' foundation. In his General Session at 19th Cloud Expo, Michael Chambliss, Head of Engineering at ReadyTalk, discussed why and how ReadyTalk diverted from healthy revenue and mor...
Dec. 10, 2016 07:30 PM EST Reads: 1,825
Whether your IoT service is connecting cars, homes, appliances, wearable, cameras or other devices, one question hangs in the balance – how do you actually make money from this service? The ability to turn your IoT service into profit requires the ability to create a monetization strategy that is flexible, scalable and working for you in real-time. It must be a transparent, smoothly implemented strategy that all stakeholders – from customers to the board – will be able to understand and comprehe...
Dec. 10, 2016 07:00 PM EST Reads: 4,159
The Internet of Things (IoT) promises to simplify and streamline our lives by automating routine tasks that distract us from our goals. This promise is based on the ubiquitous deployment of smart, connected devices that link everything from industrial control systems to automobiles to refrigerators. Unfortunately, comparatively few of the devices currently deployed have been developed with an eye toward security, and as the DDoS attacks of late October 2016 have demonstrated, this oversight can ...
Dec. 10, 2016 06:30 PM EST Reads: 1,552
You have great SaaS business app ideas. You want to turn your idea quickly into a functional and engaging proof of concept. You need to be able to modify it to meet customers' needs, and you need to deliver a complete and secure SaaS application. How could you achieve all the above and yet avoid unforeseen IT requirements that add unnecessary cost and complexity? You also want your app to be responsive in any device at any time. In his session at 19th Cloud Expo, Mark Allen, General Manager of...
Dec. 10, 2016 06:30 PM EST Reads: 1,973
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smar...
Dec. 10, 2016 06:15 PM EST Reads: 1,111
"ReadyTalk is an audio and web video conferencing provider. We've really come to embrace WebRTC as the platform for our future of technology," explained Dan Cunningham, CTO of ReadyTalk, in this SYS-CON.tv interview at WebRTC Summit at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Dec. 10, 2016 05:30 PM EST Reads: 1,014
Bert Loomis was a visionary. This general session will highlight how Bert Loomis and people like him inspire us to build great things with small inventions. In their general session at 19th Cloud Expo, Harold Hannon, Architect at IBM Bluemix, and Michael O'Neill, Strategic Business Development at Nvidia, discussed the accelerating pace of AI development and how IBM Cloud and NVIDIA are partnering to bring AI capabilities to "every day," on-demand. They also reviewed two "free infrastructure" pr...
Dec. 10, 2016 05:15 PM EST Reads: 1,429
WebRTC is the future of browser-to-browser communications, and continues to make inroads into the traditional, difficult, plug-in web communications world. The 6th WebRTC Summit continues our tradition of delivering the latest and greatest presentations within the world of WebRTC. Topics include voice calling, video chat, P2P file sharing, and use cases that have already leveraged the power and convenience of WebRTC.
Dec. 10, 2016 04:30 PM EST Reads: 1,842
As data explodes in quantity, importance and from new sources, the need for managing and protecting data residing across physical, virtual, and cloud environments grow with it. Managing data includes protecting it, indexing and classifying it for true, long-term management, compliance and E-Discovery. Commvault can ensure this with a single pane of glass solution – whether in a private cloud, a Service Provider delivered public cloud or a hybrid cloud environment – across the heterogeneous enter...
Dec. 10, 2016 04:30 PM EST Reads: 1,934
"At ROHA we develop an app called Catcha. It was developed after we spent a year meeting with, talking to, interacting with senior citizens watching them use their smartphones and talking to them about how they use their smartphones so we could get to know their smartphone behavior," explained Dave Woods, Chief Innovation Officer at ROHA, in this SYS-CON.tv interview at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Dec. 10, 2016 03:30 PM EST Reads: 950
SYS-CON Events announced today that Fusion, a leading provider of cloud services, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Fusion, a leading provider of integrated cloud solutions to small, medium and large businesses, is the industry’s single source for the cloud. Fusion’s advanced, proprietary cloud service platform enables the integration of leading edge solutions in the cloud, including cloud...
Dec. 10, 2016 01:45 PM EST Reads: 810