Digital Forensics. Module 7 CS 996




Outline of Module #7 (3/22/04)
- Review of labs (Kulesh)
- Review of module #6: sniffer tools
- Network forensics
  - Overview of tools
  - Motivations
  - Log Logic appliance overview

Why is Forensics Difficult?
- More information v. better analysis
- Information generated in 2002: 5 Exabytes (500,000 Libraries of Congress); 92% stored on magnetic media
- Information communicated: 18 Exabytes (telephone, radio, TV, Internet)
  - 400,000 Terabytes (email)
  - 274,000 Terabytes (IM)
- Source: http://www.crickettechnologies.com/case_studies/articles.html

Network Forensics Tools
- Traditional sniffers
  - May be portable
  - Real time and historical
  - Content and/or header information
- Network recorders: monitor all traffic
- Log event analyzers (SIM)
  - SIM = Security Information Management
  - Include event aggregation and correlation
  - Cover the end-to-end network

Network Sniffers
- Wildpackets Etherpeek: network engineers
- Eeye IRIS: user friendly
- Ethereal: free!
- Kismet (Linux): wireless and free!
- CommView (www.tamosoft.com); CommView for WiFi
- NGSSniff: free (www.nextgenss.com)

Eeye IRIS Features
- Easy to use
- Reconstructs TCP sessions
- Renders HTML content
- Filters
  - Usual: IP, MAC, port, etc.
  - Word filters
- Does packet logging
  - No content
  - Pen register/trap and trace

IRIS: Creating Filters (slide)

IRIS: Packet Logging (slide)

SIM Tools: Why Event Logging?
- One critical part of the security infrastructure: prevention, detection, response
- Regulatory requirements
  - Medical: HIPAA
  - Financial: GLB

HIPAA Logging Requirements
- 164.308 Administrative Safeguards
  - (a)(1) Security Management Process: information system activity review (Required)
  - (a)(5) Security Awareness and Training: log-in monitoring (Addressable)
  - (a)(6) Security Incident Procedures: identify and respond to suspected or known security incidents; document security incidents and their outcomes (Required)
- 164.312 Technical Safeguards
  - (b) Audit controls to record and examine activity in systems that contain or use electronic PHI

Gramm-Leach-Bliley (GLB)
- FFIEC Handbook (Federal Financial Institutions Examination Council)
  - Control access to applications by logging access and security events
  - Secure access to the OS of all system components by logging and monitoring user or program access to sensitive resources and alerting on security events

Log Files as Forensic Evidence
- Federal Rules of Evidence: www.usdoj.gov/criminal/cybercrime/usamarch2001_4.htm
  - Part of regularly conducted business activity
  - Authentication of records
    - Was data altered?
    - Is software reliable?
  - Are computer records hearsay? US v. Blackburn (1993)

Security Information Management (diagram): routers, switches, hubs, firewall/IDS and end-user hosts send syslog data to aggregators; the aggregators feed a management station and archive storage.

Syslog Protocol (RFC 3164)
- Roles: device, relay, collector
- Uses UDP port 514
- Message format
  - Priority field: 0-7
  - Header field: host name and time stamp
  - Message field: ASCII characters describing the event

Syslog Priority Levels

Severity  Type           Description
0         Emergencies    System unusable
1         Alerts         Immediate action
2         Critical       Critical condition
3         Errors         Error messages
4         Warnings       Warning message
5         Notifications  Normal
6         Informational  Information
7         Debugging      Debug message
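The slides describe the RFC 3164 message layout and the 0-7 severity table. The following parser is an added example written for this page (it is not from the module or from any vendor); it decodes the PRI that precedes the header, which on the wire carries facility*8 + severity rather than the bare 0-7 severity, and it applies the RFC's fallback for a payload with no valid PRI. The facility names follow RFC 3164 section 4.1.1, the severity names follow the table above, and the sample lines are constructed (the PIX message IDs 106006 and 302013 are the ones quoted later in the module).

```python
import re
from dataclasses import dataclass

# Severity names exactly as the module's table gives them (0-7).
SEVERITY_NAMES = ["Emergencies", "Alerts", "Critical", "Errors",
                  "Warnings", "Notifications", "Informational", "Debugging"]

# Facility codes 0-23 from RFC 3164 section 4.1.1.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
                  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# <PRI>TIMESTAMP HOSTNAME MSG, with the RFC 3164 "Mmm dd hh:mm:ss" timestamp.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Constructed sample payloads (not captured from a real firewall).
SAMPLE_LINES = [
    "<162>Mar 22 09:14:05 pix-outside %PIX-2-106006: Deny inbound UDP from 10.1.2.3/1024 to 192.0.2.10/53 on interface outside",
    "<166>Mar 22 09:14:07 pix-outside %PIX-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/51023 to inside:10.0.0.5/80",
    "%PIX-6-302013: Built inbound TCP connection 4712 for outside:198.51.100.7/51024 to inside:10.0.0.5/80",  # no PRI at all
]


@dataclass
class SyslogRecord:
    facility: int
    severity: int
    timestamp: str
    host: str
    message: str
    well_formed: bool  # False when PRI/header were missing and defaults were applied

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def facility_name(self) -> str:
        return FACILITY_NAMES[self.facility]


def parse_syslog(line: str) -> SyslogRecord:
    """Decode one RFC 3164 payload.

    PRI = facility * 8 + severity, so the severity is the low three bits and the
    facility is what remains. When no valid PRI is present, the RFC tells a relay
    to assume PRI 13 (user.notice) and keep the whole line as the message; the
    same fallback is applied here so nothing is silently dropped.
    """
    m = SYSLOG_RE.match(line)
    if m is None or int(m.group("pri")) > 191:  # 191 = local7 * 8 + debug, the largest legal PRI
        return SyslogRecord(facility=1, severity=5, timestamp="", host="",
                            message=line, well_formed=False)
    pri = int(m.group("pri"))
    return SyslogRecord(facility=pri >> 3, severity=pri & 0x7,
                        timestamp=m.group("ts"), host=m.group("host"),
                        message=m.group("msg"), well_formed=True)


def count_by_severity(lines):
    """Tally a batch of payloads by severity name; the first triage step a collector does."""
    counts = {}
    for line in lines:
        rec = parse_syslog(line)
        counts[rec.severity_name] = counts.get(rec.severity_name, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = parse_syslog(line)
        print(f"{r.facility_name}.{r.severity_name.lower():14s} well_formed={r.well_formed} {r.message[:40]}")
    print(count_by_severity(SAMPLE_LINES))
```

A PRI of 162 is local4 (20) with severity 2, so the first sample line lands in the "Critical" bucket; the third line has no PRI and is counted as "Notifications" with `well_formed=False`, which is worth alerting on in its own right because a device that stops sending PRI values is usually misconfigured.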

Limitations of Syslog
- UDP is not reliable
- No authentication or encryption
- RFC 3195: reliable syslog
- draft-ietf-syslog-sign-14.txt: signed syslog

Security Information Vendors

Function                    Vendor
Visualize Information       Secure Decisions
Correlate Information       Intellitactics, NetForensics, ArcSight, GuardedNet, Open Services
Data Aggregation/Analysis   Network Intelligence, Forensics Explorers
Data Collection/Analysis    LogLogic, Addamark, Niksun, Sandstorm

Network Traffic Recorders
- Record all traffic on the network
- Niksun NetDetector
- Sandstorm NetIntercept

NetForensics Architecture (diagram): agents on routers, IDS, hosts and firewalls feed the NF engine (event aggregation and correlation), backed by an Oracle database; a reporting tool provides real-time analysis and forensic reports.

Event Correlation
- Rules based: if-then-else
- Statistical: monitor changes in event statistics
- Behavioral: monitor trends in security events
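To make the first two correlation styles concrete, here is an added example (written for this page, not taken from the module or from any SIM product). The rules-based part fires when one source address accumulates a threshold of PIX deny messages inside a sliding window; the statistical part compares the current period's deny count against the mean and standard deviation of earlier periods. The message IDs 106001, 106006 and 106010 are the deny codes the module names; the event timestamps, addresses and message texts are constructed, and the baseline counts are invented numbers used only to show the arithmetic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events (timestamp, syslog message); not a real capture.
SAMPLE_EVENTS = [
    ("2004-03-22 09:14:05", "%PIX-2-106006: Deny inbound UDP from 10.1.2.3/1024 to 192.0.2.10/53 on interface outside"),
    ("2004-03-22 09:14:07", "%PIX-2-106006: Deny inbound UDP from 10.1.2.3/1025 to 192.0.2.10/53 on interface outside"),
    ("2004-03-22 09:14:10", "%PIX-2-106006: Deny inbound UDP from 10.1.2.3/1026 to 192.0.2.10/53 on interface outside"),
    ("2004-03-22 09:14:12", "%PIX-2-106006: Deny inbound UDP from 10.9.9.9/2000 to 192.0.2.10/53 on interface outside"),
    ("2004-03-22 09:14:13", "%PIX-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/51023 to inside:10.0.0.5/80"),
    ("2004-03-22 09:14:15", "%PIX-3-106010: Deny inbound from outside: 10.1.2.3 to inside: 10.0.0.5"),
    ("2004-03-22 09:14:21", "%PIX-2-106006: Deny inbound UDP from 10.1.2.3/1027 to 192.0.2.10/53 on interface outside"),
    ("2004-03-22 09:14:30", "%PIX-2-106006: Deny inbound UDP from 10.1.2.3/1028 to 192.0.2.10/53 on interface outside"),
]

PIX_TAG = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)")
# "from 10.1.2.3/1024" (106006) and "from outside: 10.1.2.3" (106010) both yield the source address.
SRC_IP = re.compile(r"from (?:\w+:\s*)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
DENY_IDS = {"106001", "106006", "106010"}  # deny message IDs named in the module


def rule_repeated_denies(events, threshold=5, window_s=60):
    """Rules-based correlation: if one source produces >= threshold deny
    messages within window_s seconds, then raise one alert for that source."""
    recent = defaultdict(deque)   # source IP -> timestamps of its recent denies
    fired = set()
    alerts = []
    for ts_text, msg in sorted(events):
        tag = PIX_TAG.search(msg)
        if tag is None or tag.group("msgid") not in DENY_IDS:
            continue                                  # not a deny: ignore
        ip_match = SRC_IP.search(tag.group("text"))
        if ip_match is None:
            continue                                  # deny text without a parseable source
        ip = ip_match.group("ip")
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()                          # expire events outside the window
        if len(window) >= threshold and ip not in fired:
            fired.add(ip)                             # alert once, not on every further deny
            alerts.append({"source": ip, "count": len(window),
                           "first": window[0].isoformat(), "last": ts.isoformat()})
    return alerts


def statistical_anomaly(baseline_counts, current_count, k=3.0):
    """Statistical correlation: flag the current period when its deny count
    exceeds mean + k * stddev of the baseline periods."""
    mu = mean(baseline_counts)
    sigma = pstdev(baseline_counts)
    threshold = mu + k * sigma
    return {"mean": mu, "stddev": sigma, "threshold": threshold,
            "anomalous": current_count > threshold}


if __name__ == "__main__":
    print(rule_repeated_denies(SAMPLE_EVENTS))
    # Invented hourly deny counts for five earlier hours, then a 48-deny hour.
    print(statistical_anomaly([12, 9, 15, 11, 13], 48))
```

With these inputs the rule fires once for 10.1.2.3 on its fifth deny (the 10.9.9.9 deny and the 302013 message do not count towards it), and the statistical check computes a threshold of 12 + 3*2 = 18, so a 48-deny hour is reported as anomalous. The third style on the slide, behavioral trend monitoring, is not shown here.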

Intellitactics Message Architecture
- Syslog message: date, time stamp, source, destination, event code (e.g. Cisco PIX 106001: deny inbound TCP connection)
- Create a normalized type field based on the event type
- Add zone fields based on source location, target location and firewall location
- Add a priority field: type field + asset classification

Log Logic Log Appliance
- Archiving of log file data; uses an intelligent data compression technique
- Allows real time and historical threat analysis by
  - Cisco message ID
  - Message volume
  - Regular expression filter
- LX-1000
  - Up to 1000 messages/second
  - 90 GB storage: 90 days of storage
  - Archive server: 2 TB and 2 years of data

LogLogic Log Appliance (diagram): firewalls (Check Point, NetScreen, Cisco PIX) and WWW/SMTP servers send syslog and proprietary messages to the log appliance (stripped-down Linux OS, MySQL database), which feeds an archive server.

Summarization of Log Files (diagram): a PC user's web page fetch opens 20-50 TCP connections per web page through the PIX firewall to the WWW server, and the PIX emits a syslog message for each; the LogLogic LogAppliance takes 60-150 of these messages and summarizes them to one database record.

Applications of Log File Forensics
- Help diagnose virus infections
  - Analysis of time-zero events
  - Monitor inside traffic for infected machines
- Help analyze hacker events
- Set log alerts to catch breaches in real time

Log File Formats
- CheckPoint: proprietary binary format, not human readable
  - Fields: Time, Action, Firewall, Interface, Product, Source, Source Port, Dest., Service, Protocol, Translation (NAT)
- Cisco PIX: syslog format
  - Fields: Date, Time, IP/Hostname, Message Code, Message
- NetScreen: syslog format
  - Fields: Date, Time, Module, Severity, Type, Message Text

Significance of Priority Levels

Severity  Types                            Function
1-4       Alert, Critical, Error, Warning  Packet anomalies, policy conflicts
5         Notifications                    Work done on the firewall
6         Informational                    Key to performing audit and policy verification
7         Debug                            Resolve firewall operational issues

Example PIX Syslog Messages

Severity  Cisco #  Description
0         -        Not used
1         103001   No response from other firewall
2         106006   Deny inbound UDP from A.B.C.D/Port to L.M.N.O/Port
3         106010   Deny inbound from outside: IP_addr to inside: IP_addr
4         209004   IP fragment malformed; total size exceeds 65,535 bytes
5         611103   User logged out
6         199005   Start PIX firewall
7         111009   User executed command string that does not alter configuration

Severity 5 + 6 Messages
- Contain critical information about traffic in/out of the network
- %PIX-5-304001: user 192.168.69.71 Accessed URL 10.133.219.25: www.example.com
- %PIX-6-302013: Built TCP connection number for interface_name:real_address/real_port to interface_name:real_address/real_port
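The summarization slide says the LogAppliance collapses the 60-150 messages behind one web page into a single database record, and this slide gives the two message formats (304001 and 302013) that carry the per-page and per-connection detail. The following is an added example written for this page (not LogLogic's code, whose summarization method is not described): it parses those two message types and rolls everything between one client and one server inside a one-minute bucket into one record. The sample messages are constructed, reusing the module's addresses 192.168.69.71 and 10.133.219.25, and the 302013 text follows the field layout quoted above.

```python
import re
from datetime import datetime

# %PIX-6-302013: Built [inbound|outbound] TCP connection N for if:addr/port to if:addr/port
BUILT_RE = re.compile(
    r"%PIX-6-302013: Built (?:inbound |outbound )?TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# %PIX-5-304001: user ADDR Accessed URL ADDR: url
URL_RE = re.compile(
    r"%PIX-5-304001: user (?P<src>[\d.]+) Accessed URL (?P<dst>[\d.]+): (?P<url>\S+)"
)


def make_sample_messages():
    """Constructed sample: one PC fetching one web page (24 TCP connections,
    within the module's 20-50 range) through the PIX. Not a real capture."""
    msgs = [("2004-03-22 10:02:00",
             "%PIX-5-304001: user 192.168.69.71 Accessed URL 10.133.219.25: www.example.com")]
    for i in range(24):
        msgs.append((f"2004-03-22 10:02:{i:02d}",
                     f"%PIX-6-302013: Built outbound TCP connection {4711 + i} for "
                     f"inside:192.168.69.71/{40000 + i} to outside:10.133.219.25/80"))
    return msgs


def summarize(messages, window_s=60):
    """Collapse per-connection messages into one record per (client, server, window).

    Each record keeps the connection count, the destination ports seen, any URLs
    reported by 304001, the first/last timestamps and the number of raw messages
    it replaced, which is the figure the slide quotes as 60-150 to one.
    """
    buckets = {}
    for ts_text, msg in sorted(messages):
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        built = BUILT_RE.search(msg)
        url = URL_RE.search(msg)
        if built:
            src, dst = built.group("src"), built.group("dst")
        elif url:
            src, dst = url.group("src"), url.group("dst")
        else:
            continue                      # other message types are left for other summarizers
        key = (src, dst, int(ts.timestamp()) // window_s)
        rec = buckets.setdefault(key, {"client": src, "server": dst, "connections": 0,
                                       "dest_ports": set(), "urls": set(),
                                       "first": ts, "last": ts, "messages": 0})
        rec["messages"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
        if built:
            rec["connections"] += 1
            rec["dest_ports"].add(int(built.group("dport")))
        else:
            rec["urls"].add(url.group("url"))
    return list(buckets.values())


if __name__ == "__main__":
    for rec in summarize(make_sample_messages()):
        print(f"{rec['client']} -> {rec['server']}: {rec['connections']} connections, "
              f"ports {sorted(rec['dest_ports'])}, urls {sorted(rec['urls'])}, "
              f"{rec['messages']} messages collapsed, {rec['first']}..{rec['last']}")
```

For the sample, 25 raw messages become one record (24 connections to port 80 and one URL). Keeping the raw line count in the record lets an analyst judge how much detail the summary hides before deciding whether to pull the original messages from the archive.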

Real Time Reporting (slide)

LogApp Configure Email Alerts (slide)

Log Analysis Using Regular Expressions
- Search through historical logs
- Configure alerts on real time logs
- Examples
  - Character literals: /a/ applied to "Mary had a little lamb. And everywhere that Mary went, the lamb was sure to go."
  - Special characters (11); examples:
    - . wildcard
    - ^ start of line
    - $ end of line

Regular Expressions, Examples
- ^Mary applied to "Mary had a little lamb. And everywhere that Mary went."
- .a (wildcard) applied to "Mary had a little lamb. And everywhere that Mary went, the Lamb was sure to go."
- Further reference, see notes on the web site: Matching Patterns in Text: The Basics
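The two regex slides describe searching historical logs and alerting on real-time logs with literals, the wildcard and the line anchors. The following added example (written for this page, not part of the module) runs those three patterns over the Mary lines and then over constructed PIX log lines, showing what the wildcard actually consumes and why `^` has to account for the syslog header when a PIX tag is the thing being matched. The log lines are constructed; the message IDs in them are the ones quoted earlier in the module.

```python
import re

# The two lines the module uses to illustrate patterns.
MARY = [
    "Mary had a little lamb.",
    "And everywhere that Mary went, the lamb was sure to go.",
]

# Constructed historical log lines in the PIX syslog layout (not a real capture).
LOG = [
    "Mar 22 09:14:05 pix-outside %PIX-2-106006: Deny inbound UDP from 10.1.2.3/1024 to 192.0.2.10/53 on interface outside",
    "Mar 22 09:14:07 pix-outside %PIX-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/51023 to inside:10.0.0.5/80",
    "Mar 22 09:14:09 pix-outside %PIX-5-611103: User logged out",
    "Mar 22 09:14:10 pix-outside %PIX-4-209004: IP fragment malformed; total size exceeds 65,535 bytes",
]


def grep(pattern, lines):
    """Historical search: return every line containing a match for pattern."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def matches(pattern, text):
    """Return each substring the pattern matched, so the wildcard's effect is visible."""
    return re.findall(pattern, text)


def make_alert(pattern):
    """Real-time alert: compile once, then test each line as it arrives."""
    rx = re.compile(pattern)
    return lambda line: rx.search(line) is not None


if __name__ == "__main__":
    print(grep("a", MARY))              # literal: both lines contain an 'a'
    print(grep("^Mary", MARY))          # anchor: only the line that starts with Mary
    print(matches(".a", MARY[0]))       # wildcard: each match is one char plus 'a'
    print(grep(r"go\.$", MARY))         # end anchor: a line ending in "go."
    # On PIX log lines the tag follows the header, so ^%PIX matches nothing;
    # anchor on the header instead, then pick out severities 1-4.
    print(grep(r"^%PIX", LOG))
    print(grep(r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ %PIX-[1-4]-", LOG))
    alert = make_alert(r"%PIX-[0-4]-")  # alert on alert/critical/error/warning traffic
    for line in LOG:
        if alert(line):
            print("ALERT:", line)
```

Two details worth noticing: `.a` against "Mary had a little lamb." returns "Ma", "ha", " a" and "la", because the wildcard consumes whatever single character precedes each `a` (including a space); and `^%PIX` matches none of the log lines, since the syslog header comes first, which is a common reason a hastily written alert never fires.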

References for Module #7
- Bill Nelson, Guide to Computer Investigations, 2004.
- Warren Kruse, Computer Forensics, 2002.
- Kevin Mandia, Incident Response, 2003.
- http://www.hipaadvisory.com/regs/finalsecurity/regulationtext.htm (HIPAA security)
- Corey, Vicka, et al., Network Forensic Analysis, IEEE Internet Computing, Nov.-Dec. 2002.