210 likes | 390 Views
Distributed Intrusion Detection with Open Source Software and Commodity Hardware. +. +. VASCAN Conference October 21, 2010. +. Philip Kobezak pdk@vt.edu. +. Will Urbanski urbanski@vt.edu. Information Technology Security Office. The Start of the Project. High IPS maintenance costs
E N D
Distributed Intrusion Detectionwith Open Source Softwareand Commodity Hardware + + VASCAN Conference October 21, 2010 + Philip Kobezak pdk@vt.edu + Will Urbanski urbanski@vt.edu Information Technology Security Office
The Start of the Project • High IPS maintenance costs • Wanted more distributed view • Had never put IPS in-line • Wanted IPv6 support • Wanted root access to componentsfor troubleshooting • Wanted standard or common hardware for compatibility and maintenance Information Technology Security Office
Concept of What We Wanted • Commodity hardware • Multiple distributed sensors • Open source software • Open data formats • For our own tools • Low initial and ongoing cost • Sold network group on access to sensors Information Technology Security Office
Information Technology Security Office Network Topology
Hardware: Sensor Design • Kept under $700 each • Dual port NIC for monitoring • Original plan to use fiber taps - switched to copper • Dual Core, 4GB RAM • Small HD • On motherboard NIC Information Technology Security Office
Hardware: Sensor Design Partial Listing of 1 and 10 Gigabit Interfaces from Intel Information Technology Security Office
Information Technology Security Office Sensor Design • We use FreeBSD 8.0 64-bit • Why not Linux? • K.I.S.S. • Sensors run a ‘minimal’ FreeBSD install • FreeBSD natively supports DMA between the NIC and the Kernel • Kernel module via NTOP’s PF-RING • Phil Wood’s libpcap implementation
Information Technology Security Office System Architecture • Combined IDS software configs into logical packages called snort instances • An instance contains: • Rulesets (VRT, ET, or custom rules) • Configurations for Snort and other IDS tools DB Snort Instance
Information Technology Security Office Instance Software • Snort • Daemonlogger • Barnyard2
Information Technology Security Office Snort Instance Workflow Physical NIC Snort Daemonlogger MySQL RAMDISK Virtual NIC Barnyard2 “Identify DB attacks, brute force attempts, and network recon” “Only show IPv4 traffic going to my database servers” Save alerts to DB
Information Technology Security Office Snort RAMDISK Virtual NIC “Identify DB attacks, brute force attempts, and network recon”
Information Technology Security Office MySQL RAMDISK Barnyard2 Save alerts to DB
Information Technology Security Office Why use snort instances? • Granularity • Monitor for specific attack types against specific services, on specific machines. • Care less about viruses in student dorms • Care more about PII leaked from misconfigured systems • Performance
Information Technology Security Office Why use snort instances? • Granularity • Performance • Running Snort on the physical NIC results in a large number of dropped packets (60%+) • unless you run a very small number of rules • Snort may be configured to look for attacks against web services only but still sees P2P, streaming media, email traffic, etc • Through the use of a snort instance we limit the traffic snort must process. • The fewer packets there are to process, the fewer packets there are to drop
Information Technology Security Office Scale Up! Snort Sensor Viruses DB Scanning Service-Specific Attacks
Information Technology Security Office Scale Up! • Average CPU usage per application per snort instance: • Snort: 50% - 60% • Daemonlogger: 20% - 25% • Barnyard: < 1% • Because of this we can easily run one snort instance per core, without increasing the load on the system to unacceptable levels.
Information Technology Security Office Deployment • Two additional servers required for deployment: • Database server for storing alerts • Management server for pushing rules and monitoring sensors
Information Technology Security Office Database Server • Beefy physical machine: • Multicore, running MySQL server • Big Drives: • 146GB for OS • 1TB SAS drives in RAID10 for storage • Since June 1, 2010, we’ve recorded 22 million alerts.
Information Technology Security Office Management Server • Rule management with Oinkmaster • Manages and automatically configures rulesets • Configuration propagation • Configuration files propagated via secure copy. • Monitoring • Uptime monitored by NAGIOS • Analytics and Reporting • Alert management and reporting provided by BASE
Information Technology Security Office Summary Pros Minimal cost to implement No recurring annual costs Easy access to IDS data Easier to upgrade at a later date We are ready for IPv6 support Cons Requires expertise and many person-hours Must manually maintain software updates Waiting on BY2 IPv6 support
Questions? Contact Information: Will Urbanski IT Security Analyst urbanski@vt.edu Philip Kobezak IT Security Analyst pdk@vt.edu Randy Marchany IT Security Officer marchany@vt.edu www.security.vt.edu Information Technology Security Office