$100 SiLK Network Flow Sensor

Similar documents
Network Analysis with isilk

Merging Network Configuration and Network Traffic Data in ISP-Level Analyses

How To Use Elasticsearch

Exploring the Interactions Between Network Data Analysis and Security Information/Event Management

Contracting Officer s Representative (COR) Interactive SharePoint Wiki

VoIP in Flow A Beginning

Evaluating the Quality of Software Engineering Performance Data

Moving Target Reference Implementation

N300 Wireless Gigabit Router

2012 CyberSecurity Watch Survey

Datasheet. Advanced Network Routers. Models: ERPro-8, ER-8, ERPoe-5, ERLite-3. Sophisticated Routing Features

ADM5120 HOME GATEWAY CONTROLLER. Product Notes

4/2/2014 Linux Dev-Boards. Linux Dev Boards. Tagung Forth Gesellschaft e.v. Maerz file:///home/cas/talk/linux-boards/html/linux-boards.

Applying Software Quality Models to Software Security

AC Touch Screen Wi-Fi Gigabit Router. Highlights

AC1750 WiFi Cable Modem Router

Secure IP Address Management Layer 2 Network Access Control Solution

N750 Wireless Dual Band Gigabit DSL Modem Router Premium Edition

EdgeRouter Lite 3-Port Router. Datasheet. Model: ERLite-3. Sophisticated Routing Features. Advanced Security, Monitoring, and Management

Network Monitoring for Cyber Security

AC1750 WiFi Cable Modem Router

MedInformatix System Requirements

RouterBOARD product overview. September, Gon Tel: +44 (0) Fax: +44 (0)

Introduction to PCI Express Positioning Information

NEW! CLOUD APPS ReadyCLOUD & genie remote access

Abuse of CPE Devices and Recommended Fixes

CERT Virtual Flow Collection and Analysis

Linux Firewalls (Ubuntu IPTables) II

AC1200 WiFi Modem Router Essentials Edition

pco.interface GigE & USB Installation Guide

Cyber Intelligence Workforce

WANic 800 & or 2 HSSI ports Up to 52 Mbps/port. WANic 850 & or 2 T3 or E3 ports Full-speed CSU/DSU. WANic 880.

New!! - Higher performance for Windows and UNIX environments

Applied Detection and Analysis Using Network Flow Data

Molecular Devices High Content Data Management Solution Database Schema

AC750 WiFi Modem Router ac Dual Band Gigabit

N750 Wireless Dual Band Gigabit Router Premium Edition

R6200 Smart WiFi Router AC1200 Dual Band Gigabit

Datasheet. Enterprise Gateway Router with Gigabit Ethernet. Models: USG, USG-PRO-4. Advanced Security, Monitoring, and Management

JOB READY ASSESSMENT BLUEPRINT COMPUTER NETWORKING FUNDAMENTALS - PILOT. Test Code: 4514 Version: 01

Virtual Office. Technical Requirements. Version 3.1. Revision 1.0

Nighthawk AC1900 WiFi Cable Modem Router

Virtualised MikroTik

SolarWinds. Packet Analysis Sensor Deployment Guide

Output Power (without antenna) 5GHz 2.4GHz

AC1450 Smart WiFi Router ac Dual Band Gigabit

Software Architecture for Big Data Systems. Ian Gorton Senior Member of the Technical Staff - Architecture Practices

Kurt Wallnau Senior Member of Technical Staff

AC 750. Wireless Dual Band 4G LTE Router. Highlights

AC1200 WiFi High-Speed DSL Modem Router Simultaneous Dual Band Gigabit

AC1600 WiFi VDSL/ADSL Modem Router ac Dual Band Gigabit

AC1600 WiFi Modem Router ac Dual Band Gigabit

Post Genie TM WebMail Server 2400/2208R

Automated Provisioning of Cloud and Cloudlet Applications

Cisco ubr7200-npe-g2 Network Processing Engine

AC1200 WiFi DSL Modem Router ac Dual Band Gigabit

R6250 Smart WiFi Router - AC Dual Band Gigabit

Allscripts Professional EHR

N750 WiFi DSL Modem Router Premium Edition

emontage: An Architecture for Rapid Integration of Situational Awareness Data at the Edge

SABRE Lite Development Kit

Custom Integration Solutions

AC1200 Multi-Function Concurrent Dual-Band Gigabit Wi-Fi Router

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

Intel Ethernet Switch Load Balancing System Design Using Advanced Features in Intel Ethernet Switch Family

N600 Wireless Dual Band Router

msuite5 & mdesign Installation Prerequisites

OpenWRT - embedded Linux for wireless routers

Uniport appliances For corporate networks and operators

L-Series LAN Provisioning Best Practices for Local Area Network Deployment. Introduction. L-Series Network Provisioning

760 Veterans Circle, Warminster, PA Technical Proposal. Submitted by: ACT/Technico 760 Veterans Circle Warminster, PA

Connecting to the Internet. LAN Hardware Requirements. Computer Requirements. LAN Configuration Requirements

Prototyping Connected-Devices for the Internet of Things. Angus Wong

Recording Server Monitoring Tool

Symantec Endpoint Protection 11.0 Architecture, Sizing, and Performance Recommendations

VIA CONNECT PRO Deployment Guide

N600 WiFi Cable Modem Router

Enabling NAT and Routing in DGW v2.0 June 6, 2012

DD670, DD860, and DD890 Hardware Overview

Networking Virtualization Using FPGAs

Firmware Release Notes

WISP 101. The DO s and DON T s of becoming a Wireless ISP

How To Set Up A Firewall Enterprise, Multi Firewall Edition And Virtual Firewall

Advanced Network Routers. Datasheet. Model: ERLite-3, ERPoe-5. Sophisticated Routing Features. Advanced Security, Monitoring, and Management

Monitoring Trends in Network Flow for Situational Awareness

Industry First X86-based Single Board Computer JaguarBoard Released

Adaptec: Snap Server NAS Performance Study

BEAGLEBONE BLACK ARCHITECTURE MADELEINE DAIGNEAU MICHELLE ADVENA

Recovery BIOS Update Instructions for Intel Desktop Boards

Cellular Development Made Easy Open Communica7ons Gateways

A Systematic Method for Big Data Technology Selection

AC1750 Smart WiFi Router ac Dual Band Gigabit

Quick-Start Guide 007-SE Gigaset. Residential Wireless Gateway SE567/SE568. Gigaset Communications GmbH is a trademark licensee of Siemens AG

RSA Security Analytics. S4 Broker Setup Guide

NComputing L-Series LAN Deployment

Chapter 1 Overview. JetBox Industrial Communication Computer

DEPLOYMENT GUIDE. This document gives a brief overview of deployment preparation, installation and configuration of a Vectra X-series platform.

AC Wireless Dual Band ADSL2+ Modem Router. Highlights

AC Wireless Dual Band Gigabit Router. Highlights

User Manual. Page 2 of 38

Transcription:

$100 SiLK Network Flow Sensor Ron Bandes John Badertscher Dwight Beaver 1

Copyright 2014 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution except as restricted below. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon, CERT and FloCon are registered marks of Carnegie Mellon University. DM-0000885 2

Agenda What are: SiLK? a Micro-server? Arch Linux ARM? Server choices (Raspberry Pi vs. PogoPlug) Network Infrastructure (taps, adapters etc.) Design/Implementation choices (Network locations) Installation Procedures Server Configuration Server Management (updates, logs, memory) Problems Things We Would Have Done Differently 3

What is SiLK? Tools for the collection and analysis of network flow data http://tools.netsa.cert.org http://vimeo.com/67177328 4

What are Micro-Servers? Characteristics: Small, Low Wattage, Silent Raspberry Pi PogoPlug Typically run Arch Linux [ARM] operating system 5

What is Arch Linux ARM? Lightweight Linux OS; well supported by user community Minimalist Simplicity - Full control by end-user, targeting competent Linux users https://github.com/archlinuxarm 6

Raspberry Pi Linux server intended for hobbyists $40 Includes a graphics adapter (HDMI) http://en.wikipedia.org/wiki/raspberry_pi http://www.raspberrypi.org/faqs 7

PogoPlug E02 Intended as a Network Attached Storage (NAS) device $25 on ebay Not intended as an all-purpose server No console. SSH only http://www.crunchbase.com/company/cloud-engines http://mediastreamers.productwiki.com/pogoplug-video 8

Server Comparison PogoPlug v2 (E02) No Console ARMv5te Marvell Kirkwood 1.2 GHz processor clock 256 MB RAM 128 MB NAND FLASH 4 USB 2.0 jacks Gigabit Ethernet No Real Time Clock Includes enclosure & power supply Raspberry Pi model B Dual VideoCore IV (HDMI) ARMv6h ARM1176JZFS 700 MHz processor clock 512 MB SDRAM SD, MMC, SDIO slot 2 USB 2.0 jacks 10/100 Mbps Ethernet (USB) No Real Time Clock User provides enclosure & power supply 9

Alternative Platforms Raspberry Pi Old laptop/desktop Virtualization! 10

Network infrastructure choices Taps, adapters etc. Cheap managed or smart switches Netgear GS108T-NAS o VLANs o LAGs o Port Mirroring o $80 Iptables on a wireless access point (OpenWRT) iptables -A PREROUTING -t mangle -j ROUTE --gw <sensor ip> tee iptables -A POSTROUTING -t mangle -j ROUTE --gw <sensor ip> --tee 11

Solution Components $100 Solution PogoPlug server ($25) NoName Ethernet Adapter ($4) MikroTik switch as network tap ($40) 16 GB Flash Drive ($10) 12

2 nd Ethernet Adapter For network monitoring 10/100 Mbps $3.75 The 1 st adapter is for server management http://www.tmart.com/rj45-ethernet-10-100-usb-network-adapter-purple_p123164.html 13

Network Tap MikroTik RB260 switch w/span port $40 http://www.lanmart.ru/blogs/review-mikrotik-rb260gs http://www.cisco.com/en/us/products/hw/modules/ps4999/products_tech_note09186a00807a30d6.shtml 15

Design & Implementation Choices Network monitoring locations Separate analysis server or combined node Implications of flash storage 16

Network Monitoring Locations Between edge router and cable modem Easy constriction point for monitoring Outside the Network Address Translation (NAT) On LAN Inside the NAT Hard to place when a residential router is used Need to interpose tap between the LAN switch and the router component, which is NOT exposed in residential router 17

Tap between Router and Cable Modem Router Switch (tap) Cable Modem YAF (sensor) 18

Residential Routers Switch DHCP Server Monitor here?! Firewall Router NAT Wireless Access Point Internet 19

Configuring the Tap Port 1 Switch management Ports 2&6 Unused Ports 3&4 Link to be tapped (rtr & cable mdm) Port 5 Monitoring port 4 http://www.tapmytrees.com/ 20

Switch (tap) Configuration 21

Repurposing Non-Hobbyist HW PogoPlug requires you to register on pogoplug.com before you can SSH into your device This could be a problem if you bought the PogoPlug on ebay and the original owner registered it PogoPlug can be repurposed for a variety of applications (e.g, Tor Relay, NAS, Streaming Server etc.) 22

Installation Procedures 1. Install Arch Linux ARM 2. Update Arch Linux ARM* 3. Install 2 nd Ethernet adapter 4. Install YAF 5. Install SiLK *Run Update FREQUENTLY *When in doubt update again! http://www.aquacityplumbing.com/images/pages/plumbing-installation.jpg 23

Installation Challenges Arch Build System: buildpkg & pacman Systemd vs. init vi vs. vim U-Boot boot-loader Installed on internal Flash, not mass storage Arch Linux requires newer U-Boot than what comes on the PogoPlug http://wwiimodeller.co.nz/wp-content/uploads/1355087242_s_010_basic_boxes_small.jpg 24

Server Configuration 1. Create service to bring up 2 nd Ethernet adapter 2. Create service for rwflowpack 3. Create service for YAF Tap YAF rwflowpack Repository 25

Management procedures Arch Linux ARM updates Logging Logs will eventually fill storage if you don t rotate them FLASH memory has a limited number of writes Minimize writing by minimizing logging 26

It works! [root@pogotor system]# rwfilter --type=in,inweb --all=- rwuniq --fields=dip dip Records 192.0.2.212 55 [root@pogotor system]# rwfilter --type=out,outweb -- all=- rwuniq --fields=sip sip Records 192.0.2.212 49 [root@pogotor system]# rwfilter --type=all --all=- rwuniq --fields=type type Records outweb 33 in 18 out 16 inweb 37 ext2ext 30 27

Performance & Metrics Raspberry Pi No PCI BUS NIC lives on USB bus 700 MHz processor main bottle neck YAF starts dropping packets around 55 Mbps No application labeling 28

Problems: Things We Would Have Done Differently You don t get what you don t pay for Effort (Opportunity Cost) Bandwidth Update management U-Boot PogoPlug becomes a brick http://marketingforhippies.com/wp-content/uploads/2012/09/gravestone.jpg 29

Software Problem with ARMv5 Unaligned memory word accesses on ARMv5 processors have results that are implementation defined. Some Memory Management Units may handle this improperly. It also helped (a lot) having CERT developers, Emily Sarneso and Dan Ruef, available to help. 30

Questions? http://cuteoverload.files.wordpress.com/2012/10/8024316149_438e648edf_b1.jpg%3fw%3d560 31

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information