Most people visualize “IT security” as – sophisticated, protected by body builders with dark glasses, men-in-black type images and Firewalls !! Focusing just on network security, one way to slice it would be – active and passive network security.
Network security is a constant battle of keeping up with new software / system exploit techniques. Network and application traffic needs to be constantly monitored to identify new exploit patterns. Passive monitoring tools can record, analyze, correlate and produce highly valuable security intel specific to a network.
You don’t need to shell out a pentabillion $$ for turnkey commercial solutions. Free / Open Source community has a lot of it covered. It does help if you know what you are doing.
Active (in-line) monitoring typically includes “bump in the wire” type solutions –
- Firewalls (yeeaah!)
- Malware scanners (Spam, Phishing, Virus)
- Whitelisting / blacklisting at various layers
Active measures are good first steps but they are only as effective as the signature data and configuration driving them. Every organization’s traffic profile is different and a lot of times boilerplate active measures are not very effective or go stale very quickly.
Most firewalls are configured to block or allow combinations of IP / port / protocol. Some with more resources and features can do DPI (Deep Packet Inspection) to catch malware or intrusion attempts and also function as IPS (Intrusion Prevention). Malware scanners depend on pre-configured patterns of known bad attachments or phishing URLs Whitelisting / blacklisting rules need to be updated on a regular basis to be effective.
A passive monitoring system can be configured to parse a copy of live network traffic, flag known anomalies and take action or log it for a human to look at. Someone then does all the hard work of identifying new patterns and publishing them for general consumption. Thanks to Free / Open Source projects, a lot of this work is available in the open.
A good passive monitoring engine –
- Can consume and keep up with monitored traffic
- Can parse and de-construct connection flows on the fly
- Can log any / all flow metadata (as configured) for correlation
- Can apply pre-defined identification rules and flag suspicious activities
- Has flexible configuration to define new patterns on the fly
There are several mature Free / Open Source projects that can help.
Snort used to be the defacto IDS / IPS engine of choice for anyone looking to run an IDS. Somewhere along the way, like any other wildly popular Open Source project, it was blessed and run by a commercial entity. Some people were not happy and Snort codebase was forked into the Suricata project.
Snort / Suricata engines have a rich set of community supported and commercial rules available. It can run on an edge machine (router / firewall), monitor all network traffic and the flag and/or control bad traffic from flowing through.
Snort / Suricata have some fantastic integration features with analytics and search/indexing tools. More details here.
Bro is one my favorite tools!
The “IDS” tag in the name (been fixed) is unfortunate because it is a general purpose programmable network monitoring platform that does a fine job as an IDS. It can also be programmed to take action to control edge devices for an IPS type setup. Bro engine is driven by program like scripts that define patterns to be matched, ignored or alerted.
Bro is known to run on commodity hardware and scaled up to 100Gbps. Here is a berkley paper on 100Gbps IDS, powered by Bro. I am not doing justice to Bro’s capabilities by writing a small paragraph here. This deserves its own article. Something for the future.
Bro and Snort are just the tip of the mountain of network security monitoring tools. There is a whole slew of logging, parsing, indexing and search infrastructure tools that can be integrate with these engines to enhance their use cases.
Security Onion is a pre-packaged distribution that includes Bro and Snort + a long list of other tools that work out of the box after installation. It also lets you distribute sensors at multiple points in a network and consolidate the collected data into a central location. A good starting point would be to bring up security onion in a VM and feed pre-captured traffic. Both Bro and snort can consume .pcap files. Absolutely fantastic work by the Security Onion team.
Security monitoring is very hard work but very exciting and rewarding. There is a huge trove of software available. There is no one right way to do it.