|By Hurricane Labs||
|October 4, 2012 10:00 AM EDT||
By: Steve McMaster
This past weekend, I presented the idea of a self-defending network at Ohio LinuxFest 2012. The accompanying slides are now available here. So let’s talk about network security. You’ve got a firewall and a DMZ, you’re all set, right? Not so fast slugger. We preach a theory called “defense in depth” here at Hurricane Labs. And that means you need something to defend you when your firewall admins make a mistake. And something to protect you when that layer fails. And so on. So what are these other layers? Well one of them is having a good IDS/IPS system. An IDS/IPS listens to network traffic, generally the traffic inside your firewall, and either alerts on (IDS) or drops/blocks altogether (IPS) traffic that meets specific rules defining “bad traffic”. But what else can you do?
A coworker and I put a couple pieces of open source software (OSSEC and Snort) together to respond to certain types of automated attacks we were seeing in our IDS (we use Snort in this case). Prior to this, an engineer would manually respond to alerts by logging into our firewall and blocking the IP address causing the alert. This process was tedious, repetitive, and time consuming. By the time the firewall change would be pushed, generally the scan (it was usually a scan) was over and the attacker had moved on. So we took advantage of a feature in OSSEC called “active response”, which is used to react to events on the network. OSSEC was configured to watch for Snort alerts, and would run a script on our Internet routers (running Vyatta core 6.3) to block the IP for 10 minutes. This response runs almost immediately. We hand selected alerts that we had associated with simple scans, such as FTP Brute Force attacks, and set them up to block the addresses. But this wasn’t enough for us.
We started to ponder what sorts of scans were happening that our firewall was dropping. For example SIP or SSH scans, which don’t ever pass through the firewall, that were at best sucking up bandwidth and at worst causing problems if our firewall rules ever let something slip. Granted, those sorts of slips are uncommon, but mistakes are always possible and it’s best to plan for every type of failure.
Coincidentally, we also wanted to test a new IDS on the market called Suricata. Suricata was designed from the ground up to be an “open source next generation intrusion detection and prevention engine”, and we wanted to run it through its paces (which is a different article entirely). So, we configured a server running Suricata, but this one was configured to watch traffic on a SPAN session watching traffic outside the firewall. What we found in preliminary testing was that we saw a few types of scans on a regular basis – NMAP ping scans, SSH brute force scans, and SIP scans. So, similarly to what we did with FTP brute forcing (which for multiple reasons is better detected on the sensor inside the network) we configured OSSEC to watch logs from Suricata (which was relatively simple, as it logs in a format compatible with Snort alerts anyways). Poof! A network that defends itself.
What we’ve done is similar in premise to the Team Cymru Darknet Project. According to their website, a darknet is “a portion of routed, allocated IP space in which no active services or servers reside.” It is then assumed that any packets entering the network are unsolicited and more than likely undesirable. This can be used to reliably build a list of known malicious hosts. Unlike a true darknet, we’re using IP space that hosts active services, however we’ve tuned our monitoring to look specifically for traffic we know, by design, not to expect. This allows us to gain many of the benefits of a darknet without the resource investment required.
The advantage of this method is that we can run the “active response” on multiple targets. So, for example, we run two Internet-facing routers on our colocated data center network, and another on the edge of our office network. By detecting scans on both networks, the other network is automatically protected as well. This could be propagated to several other mechanisms as well. It could be used to build a dynamic BGP feed, or DNS blacklist, of hosts that are known to be scanning the Internet maliciously.
I’ve attached a few snippets to this article to help get you started on the path to building a self-defending network. These include configuration examples and rule signatures for OSSEC, Snort and Suricata.
SYS-CON Events announced today that MobiDev, a client-oriented software development company, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. MobiDev is a software company that develops and delivers turn-key mobile apps, websites, web services, and complex softw...
Jan. 19, 2017 05:30 AM EST Reads: 1,888
The cloud market growth today is largely in public clouds. While there is a lot of spend in IT departments in virtualization, these aren’t yet translating into a true “cloud” experience within the enterprise. What is stopping the growth of the “private cloud” market? In his general session at 18th Cloud Expo, Nara Rajagopalan, CEO of Accelerite, explored the challenges in deploying, managing, and getting adoption for a private cloud within an enterprise. What are the key differences between wh...
Jan. 19, 2017 01:15 AM EST Reads: 6,098
"Tintri was started in 2008 with the express purpose of building a storage appliance that is ideal for virtualized environments. We support a lot of different hypervisor platforms from VMware to OpenStack to Hyper-V," explained Dan Florea, Director of Product Management at Tintri, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Jan. 19, 2017 12:45 AM EST Reads: 4,699
The security needs of IoT environments require a strong, proven approach to maintain security, trust and privacy in their ecosystem. Assurance and protection of device identity, secure data encryption and authentication are the key security challenges organizations are trying to address when integrating IoT devices. This holds true for IoT applications in a wide range of industries, for example, healthcare, consumer devices, and manufacturing. In his session at @ThingsExpo, Lancen LaChance, vic...
Jan. 18, 2017 09:45 PM EST Reads: 6,519
WebRTC has had a real tough three or four years, and so have those working with it. Only a few short years ago, the development world were excited about WebRTC and proclaiming how awesome it was. You might have played with the technology a couple of years ago, only to find the extra infrastructure requirements were painful to implement and poorly documented. This probably left a bitter taste in your mouth, especially when things went wrong.
Jan. 18, 2017 09:30 PM EST Reads: 7,637
Big Data, cloud, analytics, contextual information, wearable tech, sensors, mobility, and WebRTC: together, these advances have created a perfect storm of technologies that are disrupting and transforming classic communications models and ecosystems. In his session at @ThingsExpo, Erik Perotti, Senior Manager of New Ventures on Plantronics’ Innovation team, provided an overview of this technological shift, including associated business and consumer communications impacts, and opportunities it m...
Jan. 18, 2017 09:30 PM EST Reads: 5,748
You have great SaaS business app ideas. You want to turn your idea quickly into a functional and engaging proof of concept. You need to be able to modify it to meet customers' needs, and you need to deliver a complete and secure SaaS application. How could you achieve all the above and yet avoid unforeseen IT requirements that add unnecessary cost and complexity? You also want your app to be responsive in any device at any time. In his session at 19th Cloud Expo, Mark Allen, General Manager of...
Jan. 18, 2017 07:30 PM EST Reads: 3,151
WebRTC is bringing significant change to the communications landscape that will bridge the worlds of web and telephony, making the Internet the new standard for communications. Cloud9 took the road less traveled and used WebRTC to create a downloadable enterprise-grade communications platform that is changing the communication dynamic in the financial sector. In his session at @ThingsExpo, Leo Papadopoulos, CTO of Cloud9, discussed the importance of WebRTC and how it enables companies to focus o...
Jan. 18, 2017 06:15 PM EST Reads: 4,204
Big Data engines are powering a lot of service businesses right now. Data is collected from users from wearable technologies, web behaviors, purchase behavior as well as several arbitrary data points we’d never think of. The demand for faster and bigger engines to crunch and serve up the data to services is growing exponentially. You see a LOT of correlation between “Cloud” and “Big Data” but on Big Data and “Hybrid,” where hybrid hosting is the sanest approach to the Big Data Infrastructure pro...
Jan. 18, 2017 05:30 PM EST Reads: 4,892
In his General Session at 16th Cloud Expo, David Shacochis, host of The Hybrid IT Files podcast and Vice President at CenturyLink, investigated three key trends of the “gigabit economy" though the story of a Fortune 500 communications company in transformation. Narrating how multi-modal hybrid IT, service automation, and agile delivery all intersect, he will cover the role of storytelling and empathy in achieving strategic alignment between the enterprise and its information technology.
Jan. 18, 2017 04:45 PM EST Reads: 4,607
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists peeled away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud enviro...
Jan. 18, 2017 04:30 PM EST Reads: 4,825
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place June 6-8, 2017, at the Javits Center in New York City, New York, is co-located with 20th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry p...
Jan. 18, 2017 03:30 PM EST Reads: 3,702
"LinearHub provides smart video conferencing, which is the Roundee service, and we archive all the video conferences and we also provide the transcript," stated Sunghyuk Kim, CEO of LinearHub, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Jan. 18, 2017 02:45 PM EST Reads: 1,603
Things are changing so quickly in IoT that it would take a wizard to predict which ecosystem will gain the most traction. In order for IoT to reach its potential, smart devices must be able to work together. Today, there are a slew of interoperability standards being promoted by big names to make this happen: HomeKit, Brillo and Alljoyn. In his session at @ThingsExpo, Adam Justice, vice president and general manager of Grid Connect, will review what happens when smart devices don’t work togethe...
Jan. 18, 2017 02:00 PM EST Reads: 431
"There's a growing demand from users for things to be faster. When you think about all the transactions or interactions users will have with your product and everything that is between those transactions and interactions - what drives us at Catchpoint Systems is the idea to measure that and to analyze it," explained Leo Vasiliou, Director of Web Performance Engineering at Catchpoint Systems, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York Ci...
Jan. 18, 2017 01:00 PM EST Reads: 5,627
The 20th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held June 6-8, 2017, at the Javits Center in New York City, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Containers, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal ...
Jan. 18, 2017 01:00 PM EST Reads: 5,116
Discover top technologies and tools all under one roof at April 24–28, 2017, at the Westin San Diego in San Diego, CA. Explore the Mobile Dev + Test and IoT Dev + Test Expo and enjoy all of these unique opportunities: The latest solutions, technologies, and tools in mobile or IoT software development and testing. Meet one-on-one with representatives from some of today's most innovative organizations
Jan. 18, 2017 12:15 PM EST Reads: 1,563
20th Cloud Expo, taking place June 6-8, 2017, at the Javits Center in New York City, NY, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy.
Jan. 18, 2017 12:00 PM EST Reads: 4,247
SYS-CON Events announced today that Super Micro Computer, Inc., a global leader in Embedded and IoT solutions, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 7-9, 2017, at the Javits Center in New York City, NY. Supermicro (NASDAQ: SMCI), the leading innovator in high-performance, high-efficiency server technology, is a premier provider of advanced server Building Block Solutions® for Data Center, Cloud Computing, Enterprise IT, Hadoop/Big Data, HPC and E...
Jan. 18, 2017 12:00 PM EST Reads: 5,782
SYS-CON Events announced today that Linux Academy, the foremost online Linux and cloud training platform and community, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Linux Academy was founded on the belief that providing high-quality, in-depth training should be available at an affordable price. Industry leaders in quality training, provided services, and student certification passes, its goal is to c...
Jan. 18, 2017 12:00 PM EST Reads: 1,972