Simple Network Defense System
DESCRIPTION
Simple Network Defense System. Shou-Chuan Lai, Computer and Communication Center, National Tsing Hua University. Objective: make our network as available as possible. Network Defense System: Internet Worm Detection Module, Automatic Router Control Module, Notification Module.
TRANSCRIPT
Simple Network Defense System
Shou-Chuan Lai
Computer and Communication Center, National Tsing Hua University
Objective
Make our network as available as possible.
Network Defense System
Internet Worm Detection Module
Automatic Router Control Module
Notification Module
Open Mail Relay Detection Module
System Requirement
A NetFlow-capable device
Personal computers running a UNIX-like operating system (e.g., Linux, FreeBSD)
The Simple Network Defense System source code
Open-source software: flow-tools, apache, perl (libnet, Net-Server, Net-Telnet, Time-HiRes)
Internet Worm Detection Module
System requirement
NetFlow-enabled routers or devices (e.g. Cisco Catalyst 6509, or a mirror-enabled router/switch plus NetFlow export software)
Personal computers (e.g. Intel platform)
UNIX-like OS (e.g. Linux, FreeBSD, Solaris, ...)
flow-tools (http://www.splintered.net/sw/flow-tools/)
Perl v5.6 or above
apache-1.x or above (http://httpd.apache.org/)
Directory Structure
flow-scan (/usr/local/flow-scan/)
bin (system programs)
etc (configuration files)
flow (NetFlow data captured by flow-tools)
scan (scan files generated by flow-scan)
htdocs (HTML files generated by scan2html)
tmp (temporary space)
Programs
flow2scan Read flow files and convert to scan files
scan2html Read scan files and convert to html files
html2idx Read html files and generate an index html
flow2scan
Program modules: MyFlow.pm (common subroutines), MyScore.pm (score module), MyRobot.pm (talks to the router control robot)
Read flow files (read: /usr/local/flow-scan/flow/….)
Generate scan files (write: /usr/local/flow-scan/scan/….)
Send blocking command
flow2scan (cont.)
Read flow files; each flow file is a collection of 10 minutes of flow records
Find suspicious hosts
Check each suspicious host
Score each host (use MyScore.pm)
Block the problematic host if its score exceeds the pre-defined threshold (use MyRobot.pm)
scan2html
Read scan files (read: /usr/local/flow-scan/scan/….)
Generate an HTML file for each scan file (write: /usr/local/flow-scan/htdocs/….)
html2idx
Search HTML files (read: /usr/local/flow-scan/htdocs/….)
Generate an index HTML file (write: /usr/local/flow-scan/htdocs/….)
Periodic Jobs
crontab.10min runs, for each router:
flow2scan $router
scan2html $router
html2idx $router
Configurations
flow-scan.txt
screen.txt (addresses to be screened), e.g. 192.168.128.0/17
trust.txt (addresses that avoid being blocked), e.g. 192.168.192.0/24
worm.txt (list of worm types), e.g. IP-SCAN-TCP-135
flow-scan.txt
TOOL = "/usr/local/flow-tools/bin"
FLOW = "$FDIR/flow"
SCAN = "$FDIR/scan"
FTMP = "$FDIR/tmp"
FSUP = "$FETC/dscan.supress"
WORM = "$FETC/worm.txt"
TRUST = "$FETC/trust.txt"
SCREEN = "$FETC/screen.txt"
IP_RESERVED = "$FETC/IPv4-address.txt"
HTML = "$FDIR/htdocs/netflow"
HTML_REF = "/netflow"
HTML_URL = "http://netflow.myschool.edu.tw/netflow"
C6509 = "c6509"
C6509INT = "6"
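The flow2scan (cont.) steps and the screen.txt / trust.txt / worm.txt settings above, worked through as an added Python example (not the project's Perl code). It assumes a worm entry is named IP-SCAN-<PROTO>-<PORT>, that a host's score is the number of distinct destinations it touched on that port within one 10-minute flow file, and a made-up threshold; the flow records are constructed text lines standing in for the binary flow-tools files.

```python
import ipaddress
from collections import defaultdict

# Assumed stand-ins for etc/screen.txt, etc/trust.txt and etc/worm.txt, using
# the values shown on the Configurations slide; the threshold is made up here.
SCREEN = [ipaddress.ip_network("192.168.128.0/17")]   # hosts that get scored
TRUST = [ipaddress.ip_network("192.168.192.0/24")]    # never blocked
WORMS = ["IP-SCAN-TCP-135"]
THRESHOLD = 5
PROTO = {"TCP": 6, "UDP": 17}

def parse_worm(name):
    # Assumed naming: IP-SCAN-<PROTO>-<PORT>, e.g. IP-SCAN-TCP-135 -> (6, 135)
    _, _, proto, port = name.split("-")
    return PROTO[proto], int(port)

def in_any(ip, nets):
    return any(ip in n for n in nets)

def score_hosts(flow_lines, worms=WORMS):
    # One 10-minute flow file -> {src: {worm: distinct destinations hit}}.
    # Lines are "src dst proto dport" (constructed text standing in for the
    # binary flow-tools files the real flow2scan reads).
    sigs = {w: parse_worm(w) for w in worms}
    hits = defaultdict(lambda: defaultdict(set))
    for line in flow_lines:
        src, dst, proto, dport = line.split()
        if not in_any(ipaddress.ip_address(src), SCREEN):
            continue
        for name, (p, port) in sigs.items():
            if int(proto) == p and int(dport) == port:
                hits[src][name].add(dst)
    return {s: {w: len(d) for w, d in ws.items()} for s, ws in hits.items()}

def hosts_to_block(scores, threshold=THRESHOLD):
    # (src, worm, score) for hosts over threshold that are not trusted
    out = []
    for src, ws in scores.items():
        if in_any(ipaddress.ip_address(src), TRUST):
            continue
        out += [(src, w, n) for w, n in ws.items() if n > threshold]
    return sorted(out)

SAMPLE_FLOWS = [  # constructed sample data
    *[f"192.168.130.5 10.0.{i}.1 6 135" for i in range(1, 8)],   # 7 targets
    *[f"192.168.130.9 10.0.{i}.1 6 135" for i in range(1, 3)],   # 2 targets
    *[f"192.168.192.4 10.0.{i}.1 6 135" for i in range(1, 9)],   # trusted host
    "10.9.9.9 192.168.130.5 6 135",                                # not screened
    "192.168.130.5 10.0.1.1 6 80",                                 # not a worm port
]
```

Running hosts_to_block(score_hosts(SAMPLE_FLOWS)) flags only 192.168.130.5: the trusted host scores higher but is exempt, and the outside host is never scored because it is not in the screened range.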
Installation
Download the source tar file: http://cc.nthu.edu.tw/~chuan/
Extract the source tar file:
cp flow-scan-0.90.tar.gz /usr/local
cd /usr/local
tar zxf flow-scan-0.90.tar.gz
ln -s flow-scan-0.90 flow-scan
Installation (cont.)
Modify bin/MyFlow.pm: set FDIR
Modify etc/flow-scan.txt: set TOOL, set HTML_URL, set C6509INT
Modify etc/screen.txt
Modify etc/trust.txt
Installation (cont.)
Test drive:
flow2scan2 6509
scan2html2 6509
html2idx2 6509
Setup crontab:
2,12,22,32,42,52 * * * * (cd /usr/local/flow-scan/bin; sh crontab.10min) > /dev/null 2>&1
Play
Automatic Router Control Module
System Requirement
Supported routers: Extreme with ExtremeWare 7.x, Cisco with IOS 12.x
Perl 5.6 or above
Net-Server module installed
Time-HiRes module installed
Directory Structure
netguard (/usr/local/netguard/)
bin (binaries for human operation)
etc (configurations)
htdocs (notification web pages)
lib (system modules)
log (system logs)
sbin (where the daemons reside)
spool (IPC between registrar and netguard)
Programs (bin)
block-ip.pl: block an IP address immediately
Usage: block-ip.pl ip-address tag comments
open-ip.pl: open an IP address immediately
Usage: open-ip.pl ip-address
Programs (cont.)
book-open-ip.pl: book an IP address to be opened
Usage: book-open-ip ip-address
cron-open.pl: open booked IP addresses at the specified alarm time (obtained from spool/book)
Usage: cron-open.pl
Daemon Programs (sbin)
netguard.sh: start or stop the netguard module
Usage: netguard.sh (start|stop|restart)
monitor-netguard.sh: keep netguard running (in case it stops for an unknown reason); should be run from crontab:
1,11,21,31,41,51 * * * * (cd /usr/local/netguard/sbin; ./monitor-netguard.sh) > /dev/null 2>&1
Daemon Programs (cont.)
registrar.pl: the central registrar, which accepts commands from other programs via a socket and writes them to the file spool; should be woken up by netguard.sh
netguard.pl: the router control robot, which reads commands from the file spool (/spool); should be woken up by netguard.sh
Program Modules (lib)
netguard.pm: contains the code that logs in to the supported routers and configures the access control list for a specified IP address
Currently supported routers: Cisco and Extreme
Periodic Jobs
Open already booked IP addresses: crontab.daily runs bin/cron-open.pl, for example:
30 7 * * * (cd /usr/local/netguard/bin; ./cron-open.pl)
Configurations
registrar.conf: configuration required by the Net-Server module
netguard.conf: the router information required to automatically configure the controllable routers, one router per line:
type (cisco|extreme);login;password;name
Password and Port Setting
Server password and service port: change the setting in registrar.pl
Client password and port: change the settings in block-ip.pl, open-ip.pl, and book-open-ip.pl, and change the programs in the other detecting modules that talk to the netguard module
File Spool (spool)
The inter-process communication between registrar and netguard; each file represents the status of an IP address:
archive (has become part of history)
block (is being blocked)
book (booked an open request)
info (an immediate notification required)
request (command the netguard)
unblock (counting infected frequency)
Notification Module
System Requirement
Perl 5.6 or above
Apache 1.x or above (http://httpd.apache.org/)
Directory Structure
notify (/usr/local/notify/)
bin (program binaries)
etc (configurations and notification emails)
htdocs (notification web pages)
Programs
cron-sendmail.pl: send the daily notification
cron-sendmail2.pl: send a notification once a host has been blocked
genhtm.pl: generate notification web pages periodically
Periodic Jobs
Notifications should be delivered periodically: send emails daily, send an email once a host has been blocked, and generate web pages periodically.
10 8 * * * (cd /usr/local/notify; ./cron-sendmail)
8,18,28,38,48,58 * * * * (cd /usr/local/notify/bin; ./cron-sendmail2)
0,10,20,30,40,50 * * * * (cd /usr/local/notify/bin; ./genhtml.pl)
Configurations
addressbook: address book used to send notification emails; format dept:name:title:phone:fax:email
subnet: notes shown on the web pages; format subnet:building:dept
inform.mail: the notification email sent daily
inform2.mail: the notification email sent once a host has been blocked
Web Pages (htdocs)
ban-head.htm: the header part of the notification web pages
ban-tail.htm: the tail part of the notification web pages
index.htm: may be required by the apache web server
Open Mail Relay Detection Module
System Requirement
A remote server to receive the relay-testing email
Perl 5.6 or above
libnet module installed
Pxytest (http://www.unicom.com/sw/pxytest/)
To Be Done
ToDo List
Unify the perl modules used by all these codes
Support more routers: Juniper and Foundry
Thank You!