Distributed Network Security Using Free Tools in University Environments Jeff Bollinger, CISSP, GSEC...

Post on 24-Dec-2015


Distributed Network Security Using Free Tools in University

Environments

Jeff Bollinger, CISSP, GSEC

Doug Brown, CISSP, GSEC

University of North Carolina at Chapel Hill

https://www.unc.edu/security

Copyright Jeff Bollinger 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Introduction

Access to free tools is ubiquitous and only requires the investment of time and a few pieces of hardware. Vendor-supplied tools are expensive (initial costs, license fees, maintenance fees, support fees, etc.) and many are not customizable or easily scriptable. Given a campus with decentralized or departmental computing, security and incident response are in the hands of everyone, which makes the process distributed.

Why Free Tools? (they're free, right?)

Most free tools offer free community support (mailing lists, websites, etc.)

Open source free tools give the administrator the ability to customize and tailor the results to the needs of the organization.

It's what the bad guys use! It's important to understand what you're being attacked with so you can recognize the attack/recon signatures.

"To know your enemy, you must become your enemy... Keep your friends close and your enemies closer." - Sun Tzu

Trade Off

Invest Time or Money?

Any security software package is an investment; the question is, what is your organization prepared to invest?

Depending on the complexity of the tools, you will need someone who can understand and deploy them. This may require additional training, or some free time to allow your analysts to experiment.

You must trust your tools.

Process

Preparation

Identification

Containment

Eradication

Recovery

Lessons Learned

Preparation

The preparation phase of the incident handling process is often overlooked but is the most important step.

Everyone can participate in this process.

Preparation - Host Cataloguing

Host cataloguing: keeping a body of information on multiple hosts on the network.

Nbtscan

Nmap –sP (Ping Sweep)
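The two tools above produce a snapshot; the catalogue is only useful if you keep it and compare snapshots over time. The following is an added example (not from the presentation) that parses the greppable output of an Nmap ping sweep and reports what changed since the last stored catalogue. The sweep output, addresses and names are constructed for the example.

```python
import re

# Constructed sample of greppable output from a ping sweep (nmap -sP -oG -); the hosts
# and names are made up for this example.
SWEEP_OUTPUT = """\
# Nmap 3.45 scan initiated as: nmap -sP -oG - 192.0.2.0/28
Host: 192.0.2.1 (gw.example.edu)\tStatus: Up
Host: 192.0.2.5 (lab-pc05.example.edu)\tStatus: Up
Host: 192.0.2.9 ()\tStatus: Up
Host: 192.0.2.12 ()\tStatus: Down
# Nmap run completed -- 16 IP addresses (3 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)\s+Status: (\w+)")

def parse_ping_sweep(text):
    """Return {ip: hostname-or-None} for every host the sweep reports as Up."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(3) == "Up":
            hosts[m.group(1)] = m.group(2) or None
    return hosts

def diff_catalogue(previous, current):
    """Compare today's sweep with the stored catalogue: new hosts need an owner and a
    vulnerability check, missing hosts may be offline or retired, renames are worth a look."""
    both = set(previous) & set(current)
    return {
        "new": sorted(set(current) - set(previous)),
        "missing": sorted(set(previous) - set(current)),
        "renamed": sorted(ip for ip in both if previous[ip] != current[ip]),
    }

if __name__ == "__main__":
    # Constructed "yesterday" catalogue to diff against.
    stored = {"192.0.2.1": "gw.example.edu", "192.0.2.5": "old-lab-pc.example.edu",
              "192.0.2.7": "printer.example.edu"}
    print(diff_catalogue(stored, parse_ping_sweep(SWEEP_OUTPUT)))
```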

Preparation - Vulnerability Assessment

Nessus

Can crash systems!

Great reporting functions (*.html, *.txt, *.xml, etc.)

Highly customizable – provides the ability for other administrators to log in and run scans against their own systems.

Constantly updated

Automatic updates through a cron job (nessus-update-plugins)

Identification

Identification - Intrusion Detection

Snort

Passive fiber tap or mirror port

Useful as forensic tool

High False Positives

Steep Learning Curve

Very easy and quick to write custom signatures as soon as they're needed.

Identification – Checking the Ports

Nmap

Quick port scanner

New flags* (-sV) can actually show which version of common software you're running by making an active connection to its port.

*version 3.45

Identification – Checking the Ports

Netcat

Allows you to silently connect to remote ports to try and see what might be running from them.

Easy to script when looking at a wide range of IP addresses.

Identification – Checking the Ports

Amap

Another tool that allows you to check the versions of software running on a particular port.

A little more elegant than Netcat, Amap will actually send binary data to a host to try and make it return information on what is running on a particular port.

Containment

Containment

Penalty Box

Isolation VLAN with no router interface

Gives administrators time to clean their systems in a safe network environment.

Good neighbor ACLs (RFC 1918)

DHCP Lease disabling/forced expiration

Source Blocking*

Configurable unresolved ARP threshold
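The unresolved ARP threshold works because a host sweeping the local subnet asks for many addresses that nobody holds, while a healthy host's ARP requests are almost all answered. The following is an added example (not from the presentation) of that detection logic run over a constructed stream of ARP events; the addresses, threshold and window are assumed values for the example.

```python
from collections import defaultdict, deque

# Constructed ARP events (seconds, sender_ip, op, target_ip). 192.0.2.50 asks for fifty
# addresses that never answer, which is what a scanning worm looks like on the wire;
# 192.0.2.20 asks for three live hosts that reply, plus one address nobody holds.
EVENTS = [(i * 0.1, "192.0.2.50", "request", f"192.0.2.{100 + i}") for i in range(50)]
for i, live in enumerate(["192.0.2.1", "192.0.2.2", "192.0.2.3"]):
    EVENTS.append((1.0 + i, "192.0.2.20", "request", live))
    EVENTS.append((1.05 + i, live, "reply", "192.0.2.20"))
EVENTS.append((4.0, "192.0.2.20", "request", "192.0.2.250"))

def unresolved_requests(events, reply_timeout=2.0):
    """Yield (t, sender, target) for ARP requests with no matching reply within reply_timeout."""
    replies = defaultdict(list)            # (replier, asker) -> reply times
    for t, src, op, target in events:
        if op == "reply":
            replies[(src, target)].append(t)
    for t, src, op, target in events:
        if op == "request" and not any(
                t <= rt <= t + reply_timeout for rt in replies[(target, src)]):
            yield t, src, target

def sources_over_threshold(events, threshold=30, window=10.0, reply_timeout=2.0):
    """Return {sender: peak} for senders whose unresolved ARP requests in any
    `window`-second span reach `threshold`; these are the source-block candidates."""
    per_source = defaultdict(list)
    for t, src, _target in unresolved_requests(events, reply_timeout):
        per_source[src].append(t)
    flagged = {}
    for src, times in per_source.items():
        recent, peak = deque(), 0
        for t in sorted(times):
            recent.append(t)
            while recent[0] < t - window:      # slide the window forward
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(sources_over_threshold(EVENTS))      # {'192.0.2.50': 50}
```

The reply timeout matters: counting every request as unresolved until its reply arrives would flag busy but healthy hosts, so tune the threshold against a day of normal traffic before enabling automatic blocking.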

Eradication

Eradication

Fport

Shows a port listing matched with a PID of services running on a Windows host.

PSKill

Can force the killing of an unwanted process.

Vision

Nice GUI similar to Fport

AV Solutions (free removal tools)

Custom coding

Recovery

Recovery

Nmap can tell you which systems have been cleaned.

Administrators can e-mail you their Fport output for your verification.

Custom scan tools can help you probe for any leftovers.
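Verifying an e-mailed Fport listing by eye does not scale across a campus. The following is an added example (not from the presentation) of a small verification script: it parses a report in Fport's layout and flags listeners that are not in a per-host-class baseline, or that run from an unexpected path. The report, the "leftover" entry and the baseline are constructed for the example.

```python
import re

# Constructed report in the layout Fport prints (header, then one line per listening port).
# The "leftover" entry is a made-up example of something the administrator's cleanup missed.
FPORT_REPORT = r"""FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1044  inetinfo       ->  80    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1320  leftover       ->  6667  TCP   C:\WINNT\System32\leftover.exe
392   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
"""

ENTRY_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")

# Baseline for this class of host: (process, port, proto) -> expected path (None when Fport
# shows none, as for System). Assumed values for the example, not a published baseline.
BASELINE = {
    ("svchost", 135, "TCP"): r"C:\WINNT\system32\svchost.exe",
    ("svchost", 135, "UDP"): r"C:\WINNT\system32\svchost.exe",
    ("System", 139, "TCP"): None,
    ("System", 445, "TCP"): None,
    ("inetinfo", 80, "TCP"): r"C:\WINNT\System32\inetsrv\inetinfo.exe",
}

def parse_fport(report):
    """Return one dict per listener line; header and blank lines are skipped."""
    entries = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            entries.append({"pid": int(pid), "process": proc, "port": int(port),
                            "proto": proto, "path": path or None})
    return entries

def unexpected_listeners(report, baseline):
    """Listeners absent from the baseline, or running from a different path than expected."""
    flagged = []
    for e in parse_fport(report):
        key = (e["process"], e["port"], e["proto"])
        if key not in baseline:
            flagged.append(dict(e, reason="not in baseline"))
        elif (baseline[key] or "").lower() != (e["path"] or "").lower():
            flagged.append(dict(e, reason="unexpected path"))
    return flagged
```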

Lessons Learned

Lessons Learned

The most important step in the Incident Handling process.

There really are not any tools for this particular step, but this is a good opportunity to tweak their settings and prepare them for the next big incident.

How well did they perform? What were their shortcomings? How can we more effectively use them in the future? What access do we give other administrators to our tools, and how can we justify it? Was our communication with other groups appropriate?

Conclusion

Staying current with security tools and being aware of developments within the security community gives you and the other administrators an opportunity to keep up with attack trends and other threats. Free tools provide a substantial ROI and help to increase the technical ability of your staff. Distribution of duties is critical for a decentralized campus computing infrastructure. Put your trust in other administrators and they will do the same for your security group.

Thank you

https://www.unc.edu/security/educause2003

Contact us @:

Jeff at unc.edu

Doug at unc.edu

Downloads

Nbtscan (http://www.inetcat.org/software/nbtscan.html)

Nmap (http://www.insecure.org)

Nessus (http://www.nessus.org)

Snort (http://www.snort.org)

Netcat (http://www.atstake.com/research/tools/network_utilities)

Downloads (Cont.)

Amap (http://www.thc.org/releases.php)

Fport (http://www.foundstone.com/resources/proddesc/fport.htm)

PSKill (http://www.sysinternals.com/ntw2k/freeware/pskill.shtml)

Vision (http://www.foundstone.com/resources/proddesc/vision.htm)