Early warning for security attacks

Transcription

1 Welcome to Early warning for security attacks 2013 Henrik Lund Kramshøj, internet samurai c license CC BY Solido Networks, Henrik Lund Kramshøj 1

2 Intro Security attacks and DDoS is very much in the media c license CC BY Solido Networks, Henrik Lund Kramshøj 2

3 Attack overview c license CC BY Solido Networks, Henrik Lund Kramshøj 3

4 Graphs and Dashboards! c license CC BY Solido Networks, Henrik Lund Kramshøj 4

5 Graphs and Dashboards! Screenshot from Peter Manev, OISF Shown are Suricata IDS alerts processed by Logstash and Kibana c license CC BY Solido Networks, Henrik Lund Kramshøj 5

6 Networks today internet x*10gbit connections Sample Network Location: Copenhagen Date: August X 2013 Room: x Version: 1..0 Router01 Core routing Router02 Security Services Firewalls Core switching Redundant customer with dedicated devices Redundant customer some shared devices LAN L2 switching Loadbalancer Loadbalancer Firewalls LAN L2 switching Loadbalancer Loadbalancer Dedicated load balancing c license CC BY Solido Networks, Henrik Lund Kramshøj 6

7 Defense in depth - multiple layers of security Knowledge about traffic Proposed actions to be done Get more bandwidth internet x*10gbit connections Individual packets Valid source IP? Stateless filtering Null-routing RTBH Blackholing Router01 Core routing Router02 Mirror IDS logging Packet capture Identify traffic by Ports/Protocols Shaping and fair distribution Core switching Security Services Firewalls Sessions #sessions/ip Stateful filtering screens IDS/IDP security services Full request with parameters and cookies Logged in user authenticated? Application tuning Next generation firewalls Load balancer features Server security Input validation Stack protection features Load balancer Load balancer c license CC BY Solido Networks, Henrik Lund Kramshøj 7

8 Netflow NFSen An extra 100k packets per second from this netflow source (source is a router) c license CC BY Solido Networks, Henrik Lund Kramshøj 8

9 DDoS traffic before filtering Only two links shown, at least 3Gbit incoming for this single IP c license CC BY Solido Networks, Henrik Lund Kramshøj 9

10 DDoS traffic after filtering Link toward server (next level firewall actually) about 350Mbit outgoing c license CC BY Solido Networks, Henrik Lund Kramshøj 10

11 How to get started How to get started searching for security events? Collect basic data from your devices and networks Netflow data from routers Session data from firewalls Logging from applications: , web, proxy systems Centralize! Process data Top 10: interesting due to high frequency, occurs often, brute-force attacks ignore Bottom 10: least-frequent messages are interesting c license CC BY Solido Networks, Henrik Lund Kramshøj 11

12 View data efficiently View data by digging into it easily - must be fast Logstash and Kibana are just examples, but use indexing to make it fast! c license CC BY Solido Networks, Henrik Lund Kramshøj 12

13 Security Onion Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). c license CC BY Solido Networks, Henrik Lund Kramshøj 13

14 Next steps In our network we are always improving things: Suricata IDS More graphs, with automatic identification of IPs under attack Identification of short sessions without data - spoofed addresses Alerting from existing devices Dashboards with key measurements Conclusion: Combine tools! c license CC BY Solido Networks, Henrik Lund Kramshøj 14

15 Questions? Henrik Lund Kramshøj, internet samurai You are always welcome to send me questions later via c license CC BY Solido Networks, Henrik Lund Kramshøj 15

16 Contact information Henrik Lund Kramshøj, IT-security and internet samurai Mobile: Educated from the Computer Science Department at the University of Copenhagen, DIKU CISSP certified Independent security consultant owner and partner in Solido Networks ApS c license CC BY Solido Networks, Henrik Lund Kramshøj 16