Friday, April 20, 2012

SSL VPN

While working on my final project for my security lab class, I ran across this amazing tool, OpenVPN ALS (Adito). Our group decided to implement a VPN as part of the security for our network. This is all fine and dandy, but we don't have any enterprise tools available to us. I don't really know anything about how to set up a VPN, except for making one in Windows. Anyway, in my searching on Google I found this video:

http://revision3.com/hak5/sslvpndsolo

Many thanks to hak5.org for making this very informative video. He does talk about how to set up the service in the video, and I encourage you to watch it if you are interested. I do want to post some comments of my own about the service. I installed the server on a FC14 machine and it worked exactly the same as in the video, except that I installed the OpenJDK package rather than sun-java. Also, when I tried to access the VPN from a Linux client machine I could not get the SSL tunnel to the server on my network working. It worked fine with Windows. I'll look into this more and try to see what's going on. Bottom line: if you are looking for a simple VPN setup, this will probably do what you are looking for.

Thursday, April 12, 2012

Snort IDS

As part of my final project for my security class this semester, we are working on defending a network against attack. Later we will work on attacking other groups' networks. I have been tasked with setting up Snort as our IDS. There are many great documents available on the web about Snort, but I would like to share my experiences with you.

Before I start I must thank my TA Josh, who took the time to put together the bash script on which I am basing this installation.

There are two main ways to download and install Snort: you can download and compile from source, or you can download and install from an rpm. In my case I am using a VM running Fedora 14 with SELinux enabled, and I chose the rpm route since it takes care of some of the configuration that you would otherwise need to do. As a result I will not talk about configuring and compiling from source. To start off, there are some packages (installable with yum) that you need to make sure you have:

file-devel
file-libs
php-pecl-Fileinfo
python-magic
libpcap
libpcap-devel
libtermcap-devel
wget
make
cmake
gcc
gcc-c++
bison
bison-devel
openssl
openssl-devel
zlib
zlib-devel
flex
flex-devel
python-devel
swig
GeoIP-devel
sendmail

You may not need absolutely all of these packages, but this will certainly get you everything you need.
Next, we need to obtain the .rpm file for installation. You can do this with wget or go to snort.org and download it from there. Either way should work fine; just make sure you choose the version that matches your distribution and architecture. You will also need to download the daq .rpm (the data acquisition library Snort 2.9 captures packets through) as well.

wget http://www.snort.org/downloads/1410 -O snort-2.9.2.1-1.F15.i386.rpm
wget http://www.snort.org/downloads/1404 -O daq-0.6.2-1.i386.rpm


These are the only two rpms you need. Install them with the following commands on Fedora (the daq install is listed twice because the first attempt errors out, as described below; --nogpgcheck is needed because the downloaded rpms are not signed by a key in your yum keyring). I am sure the process is similar for apt-get or any other package manager you use:
yum -y --nogpgcheck install daq-0.6.2-1.i386.rpm   # first attempt, known to fail
yum -y --nogpgcheck install daq-0.6.2-1.i386.rpm   # second attempt succeeds
yum-complete-transaction -y
yum -y --nogpgcheck install snort-2.9.2.1-1.F15.i386.rpm


When I did this the first time I tried to install daq I actually got an error; I don't know why that is, so if anyone would like to elaborate, feel free. However, I just went ahead and tried the installation again and it worked; the error appears to be well known and accepted. Installing snort only took one iteration. At this point you have a working Snort installation. All you have left to do is install the rules/signatures. Your Snort configuration is located at /etc/snort and the alert file is located at /var/log/snort/alert. You must download the rules separately from the snort.org website: you must register as a user, and there is a paid (subscriber) rule set and a free (registered-user) one. Once downloaded, untar the file.

After untarring the file you need to copy the contents of the new folders to /etc/snort/ (directories need cp -R; a bare cp of a directory fails with "omitting directory"). The commands for this are:
sudo cp -R rules /etc/snort
sudo cp -R etc /etc/snort
sudo cp -R preproc_rules /etc/snort
cp -R /usr/lib/snort-2.9.2.1_dynamicengine/* /usr/local/lib/snort_dynamicengine/
cp -R /usr/lib/snort-2.9.2.1_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/
cp so_rules/precompiled/FC-12/i386/2.9.1.2/*.so /usr/local/lib/snort_dynamicrules/   # the versioned directory must match the installed snort binary, or the precompiled .so rules will not load

At this point you have installed the current Snort rules/signatures and have a working version of Snort. It is recommended that you create a dedicated snort user and make that user the owner of /var/log/snort/ and of /var/log/snort/alert. Also,
chmod 600
(owner read and write only, no execute, no access for other users) is a good permission setting for the alert file. Snort can now be started by running the command snort. It must be run as root (via sudo) to capture packets; use -c to specify your own .conf file and -T to test-parse the configuration without sniffing, and see the documentation or man page for how to load your own signatures. Out.

RSA 2012 Keynote

I recently ran across a video of Enrique Salem's keynote at the RSA Conference 2012. If you didn't go to the conference or haven't heard the speech, it really is quite interesting and is worth taking 28 minutes out of your day to listen to. Here is a link to the video: http://www.youtube.com/watch?v=pkFTrI8R8m4

For those of you who don't know, Enrique Salem is the President and CEO of Symantec Corp. I thought his comparison of Digital Natives and Digital Immigrants was very accurate. Being a digital native myself, I know what he means when he says that walking out of the house without being connected to the rest of the world in some way is very disturbing. My job even requires me to be constantly connected to ensure that I do not miss anything important. I think it is important for us, as security professionals, to continue to work towards a security solution that will allow digital natives the freedom they desire and at the same time provide the digital immigrants the security they know.

Symantec also recently released a new enterprise product that appears to be aimed at this very problem. It is called "O3." For the scientific types, O3 is the molecular formula of ozone, and just as the ozone layer shields the planet, O3 was designed to protect a company's cloud services. Here is the product page for more information: http://www.symantec.com/theme.jsp?themeid=O3

Unfortunately, to me it appears that there are no big improvements over any other beefed-up firewall. The only functionality it adds is letting users sign on to every service from one location, from which administrators can keep track of and control where their data is going: tasks that can already be performed on a per-service basis with our current technology. I can't completely dog on this product, though. The convenience it provides can create an environment that is easier to manage and easier to secure than trying to secure each service independently.

I believe that Mr. Salem and Symantec have a great vision for where they see security moving in the future; cloud computing is certainly upon us. I also believe that O3 is the first of many steps toward creating a product that will effectively secure cloud services, respect users' privacy, and allow the freedom of collaboration that we so love about the internet.