Working of SURFids - SURFnet


Jan 31, 2013


SURFnet Relatiedagen 2008



SURFids

a Distributed Intrusion Detection System

Rogier.Spoor@SURFnet.nl

1

Goals

- Understanding:
  - types of malicious network traffic within a LAN
  - amount of malicious network traffic within a LAN
  - spreading of worms
- Setting up:
  - a scalable IDS solution
  - an IDS that is easy to manage and maintain
- Comparing results with other sensors
- Limit malicious outbound traffic from SURFnet


2

Why build something new?

- Sensor must be maintenance free
- IDS must be scalable and easy to manage
- No False Positives!
  - cannot use snort
- Design IDS based on high speed networks
  - LAN
  - WAN
- Design IDS “should” be able to analyse L2 traffic


3

Global Overview

4

Sensor

- remastered Knoppix distribution
- USB boot
- OpenVPN between Sensor and Central Server
  - Portability.
  - Familiar daemon-style usage.
  - No kernel modifications required.
  - State-of-the-art cryptography provided by the OpenSSL library.
  - Comfortable with dynamic addresses or NAT.

5

Needed

- Computer system
  - USB boot
  - 1 NIC
  - DHCP or Static IP (2x)
- OpenVPN session
  - through local firewall (TCP 1194)
- HTTPS session
  - through local firewall (TCP 4443)

6

Logging server

- Postgresql
- Web interface
  - Show statistics of sensors (groups/individual)
  - Show statistics of different attacks
  - Ranking of sensors
- Mail logging
- IDMEF


7

Tunnel server

- OpenVPN tunnel to sensor
- Manage X509 certificates/keys of sensors
- Source-based routing


8

Honeypot

- Based on nepenthes
  - a low-interaction honeypot
  - http://nepenthes.mwcollect.org
  - mimics the replies generated by vulnerable services in order to collect the first stage exploit
- Modules
  - Resolve DNS asynchronous
  - Emulate vulnerabilities
  - Download files
  - Submit the downloaded files
  - Trigger events
  - Shellcode handler

9

Working of SURFids

(Diagram: Logging Server running Postgresql and the Web interface; Sensor on the Client LAN; Honeypot/Tunnel Server running Nepenthes and OpenVPN.)

- Sensor is booted
- OpenVPN is started
  - Uses TCP port 1194
  - Works with NAT!!
  - Layer 2 tunnel (tap device)
- DHCP request through tunnel
- Binds IP of client LAN on tap device
- Attacker/Worm/Virus/Hacker attacks IP on server
- Nepenthes simulates weakness
- Nepenthes handles attack
- Nepenthes logs attack
- Web interface makes the data presentable

10

Multiple VLAN support

(Diagram: the Client LAN carries VLAN 10, VLAN 20 and VLAN 30 (192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24); the Sensor sets up one VPN tunnel per VLAN across the Internet to the Honeypot/Tunnel Server on the Server LAN, behind the Firewall, next to the Logging Server.)


11

Current IDS setup

(Diagram: several Client LANs, each with a Sensor, each setting up a 1st VPN Tunnel across the Internet to the Tunnelserver (with load balancing) on the Public Server LAN; the Private Server LAN holds the Loggingserver, Webserver, Dbserver, Nepenthes and Argos.)

12

(http://www.cs.kuleuven.ac.be/conference/EuroSys2006/papers/p15-portokalidis.pdf)

What do we see

Nepenthes

- Automated attacks
  - No end-user interaction
- Attacks on OS and applications
- Scans
- Probes
- Offered malware

Argos

- Detects arbitrary control flow attacks
- Detects arbitrary code execution attacks
- Handles DMA
- Handles user/kernel space memory mappings



What we don’t see

Nepenthes

- Targeted attacks
- System hacking

Argos

- Detailed information about attack (like exploit type)

15

Last Year

- Security fixes
- Stability fixes
- Redesigned GUI
- Argos implementation
- SURFids service outsourcing
- Layer 2 detection
  - ARP poisoning attack detection
  - Rogue DHCP server detection
- Argos integration
- IP exclusions
- RSS reports
- Improved email reporting
- CWSandbox/Norman support


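The two layer 2 checks listed above (ARP poisoning detection and rogue DHCP server detection), written out as an added example; this is not SURFids code, and the event records, the approved-DHCP-server list and the sample LAN traffic are constructed assumptions standing in for what a sensor's capture decoder would hand to the analysis step.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class ArpReply:          # decoded ARP reply seen on the client LAN (constructed record type)
    sender_mac: str
    sender_ip: str
@dataclass
class DhcpOffer:         # decoded DHCPOFFER (the same check applies to DHCPACK)
    server_mac: str
    server_id: str       # DHCP option 54: the offering server's own IP

@dataclass
class L2Monitor:
    """IP->MAC bindings learned on one client LAN plus the approved DHCP servers for it."""
    trusted_dhcp: Set[str]
    bindings: Dict[str, str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def see_arp(self, reply: ArpReply) -> Optional[str]:
        known = self.bindings.get(reply.sender_ip)
        if known is not None and known != reply.sender_mac:
            # Same IP now answered by a different MAC: the usual symptom of ARP
            # cache poisoning (a legitimate NIC swap looks the same; the operator clears it).
            alert = f"ARP: {reply.sender_ip} moved {known} -> {reply.sender_mac}"
            self.alerts.append(alert)
            return alert
        self.bindings.setdefault(reply.sender_ip, reply.sender_mac)
        return None

    def see_dhcp(self, offer: DhcpOffer) -> Optional[str]:
        # Any offer whose server identifier is not on the approved list is a rogue server.
        if offer.server_id not in self.trusted_dhcp:
            alert = f"DHCP: rogue server {offer.server_id} at {offer.server_mac}"
            self.alerts.append(alert)
            return alert
        return None
# Constructed sample events for one client LAN (192.168.10.0/24 as on the VLAN slide).
SAMPLE_EVENTS = [
    ArpReply("00:11:22:33:44:01", "192.168.10.1"),    # gateway, first sighting
    DhcpOffer("00:11:22:33:44:01", "192.168.10.1"),   # offer from the approved server
    ArpReply("00:11:22:33:44:99", "192.168.10.1"),    # gateway IP claimed by another MAC
    DhcpOffer("00:11:22:33:44:99", "192.168.10.200"), # offer from an unlisted server
]

def run(events, trusted_dhcp=frozenset({"192.168.10.1"})) -> List[str]:
    mon = L2Monitor(trusted_dhcp=set(trusted_dhcp))
    for ev in events:
        (mon.see_arp if isinstance(ev, ArpReply) else mon.see_dhcp)(ev)
    return mon.alerts
```

A real sensor would populate the approved-server list per client LAN and reset a binding after a confirmed hardware change, otherwise every later ARP reply from the new MAC raises the same alert.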



Argos details in Future

Argos CSI-logs parsed, tool made by Markus Koetter

17

Future plans

- Detecting shellcodes in streams using emulation
- Support for other honeypots
- Your requests: svn.ids.surfnet.nl

Future goals

- Correlation
  - Data between the different (honey) projects.
  - Data provided by other teams!
- HoneyClients
  - Build a network of honey-clients
  - Catch 0-Day attacks on IE and other browsers
  - Watch for active exploitation of known and new client-side vulnerabilities
  - Honey-clients are fed with URLs from SPAM and other sources

Conclusion

- SURFids
  - Successful solution
  - Very easy to deploy
  - Actively developed

19