SURFnet IDS, a Distributed Intrusion Detection System (presentation slides)


SLIDE 1

SURFnet IDS, a Distributed Intrusion Detection System

Rogier Spoor (project leader), Jan van Lith (developer), Kees Trippelvitz (developer)

Amsterdam, 24-1-2006

High-quality Internet for higher education and research

SLIDE 2

Goals

  • Understanding:
    – types of malicious network traffic within a LAN
    – amount of malicious network traffic within a LAN
    – spreading of worms
  • Setting up:
    – a scalable IDS solution
    – an IDS that is easy to manage and maintain
  • Comparing results with other sensors
  • Limit malicious outbound traffic
SLIDE 3

Why build something new?

  • Sensor must be maintenance free
  • IDS must be scalable and easy to manage
  • No false positives! (cannot use Snort)
  • Design the IDS for high-speed networks (LAN/WAN)
  • The IDS “should” be able to analyse layer 2 traffic
SLIDE 4

Sensor

  • remastered Knoppix distribution
  • USB boot
  • OpenVPN tunnel between sensor and central server

Need:

  • PC capable of USB boot + 1 NIC
  • LAN with DHCP (2x DHCP)
  • OpenVPN session through the local firewall (TCP 1194)
SLIDE 5

Honeypot/tunnel server

  • Based on nepenthes
    – a low-interaction honeypot
    – Link: http://nepenthes.sourceforge.net
  • OpenVPN tunnel to each sensor
  • Manages the X509 certificates/keys of the sensors
  • Source-based routing
SLIDE 6

Logging server

  • PostgreSQL
  • Web interface
  • Show statistics of sensors (groups/individual)
  • Show statistics of different attacks
  • Ranking of sensors
  • Mail logging
  • IDMEF
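The slide lists what the logging server does with the records nepenthes hands it (statistics per sensor and per group, statistics per attack type, a sensor ranking, IDMEF output). The following is an added example, written for this page and not code from the SURFnet IDS project: it runs those calculations over a handful of constructed attack records and builds an IDMEF alert for one of them. The record fields, the sensor and group names, and the attack labels are assumptions made for the example; only the IDMEF element names follow RFC 4765.

```python
"""Logging-server model for SURFnet IDS (added example, not project code).

Constructed attack records stand in for the data nepenthes hands the
central server.  The functions give the per-sensor, per-group and
per-attack statistics, the sensor ranking and an IDMEF export that the
logging-server slide lists.  Field names and sample values are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"  # IDMEF namespace as given in RFC 4765


@dataclass(frozen=True)
class AttackRecord:
    sensor: str    # sensor identifier (assumed to be the CN of its X509 certificate)
    group: str     # institution the sensor belongs to
    attacker: str  # source address seen by nepenthes
    target: str    # address the sensor's tap device holds on the remote LAN
    attack: str    # nepenthes label for the simulated weakness that was hit
    when: str      # ISO 8601 UTC timestamp


# Constructed sample data, not real sensor output.
SAMPLE_RECORDS = [
    AttackRecord("sensor-01", "uni-a", "10.0.5.23", "10.0.5.200", "LSASS exploit attempt", "2006-01-24T10:01:05Z"),
    AttackRecord("sensor-02", "uni-a", "192.168.7.9", "192.168.7.44", "DCOM RPC exploit attempt", "2006-01-24T10:02:17Z"),
    AttackRecord("sensor-02", "uni-a", "192.168.7.9", "192.168.7.44", "LSASS exploit attempt", "2006-01-24T10:02:18Z"),
    AttackRecord("sensor-02", "uni-a", "192.168.7.61", "192.168.7.44", "LSASS exploit attempt", "2006-01-24T10:05:40Z"),
    AttackRecord("sensor-03", "uni-b", "172.16.2.5", "172.16.2.99", "DCOM RPC exploit attempt", "2006-01-24T10:07:02Z"),
]


def per_sensor_counts(records):
    """Attacks seen per individual sensor."""
    return Counter(r.sensor for r in records)


def per_group_counts(records):
    """Attacks seen per sensor group (institution)."""
    return Counter(r.group for r in records)


def per_attack_counts(records):
    """How often each attack type was seen across all sensors."""
    return Counter(r.attack for r in records)


def distinct_attackers_per_sensor(records):
    """Number of distinct attacking hosts per sensor: a worm spreading inside a
    LAN shows up here as a growing attacker count on one sensor."""
    seen = defaultdict(set)
    for r in records:
        seen[r.sensor].add(r.attacker)
    return {sensor: len(hosts) for sensor, hosts in seen.items()}


def rank_sensors(records):
    """Sensors ordered by attack count (highest first), name breaking ties."""
    return sorted(per_sensor_counts(records).items(), key=lambda kv: (-kv[1], kv[0]))


def _ntpstamp(iso_utc):
    """IDMEF CreateTime requires an NTP timestamp attribute: seconds since 1900."""
    dt = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return "0x%08x.0x00000000" % (int(dt.timestamp()) + 2208988800)


def to_idmef(record, messageid):
    """Serialise one record as an IDMEF Alert (RFC 4765 element names)."""
    ET.register_namespace("idmef", IDMEF_NS)
    q = lambda tag: "{%s}%s" % (IDMEF_NS, tag)
    msg = ET.Element(q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(msg, q("Alert"), messageid=messageid)
    ET.SubElement(alert, q("Analyzer"), analyzerid=record.sensor)
    ET.SubElement(alert, q("CreateTime"), ntpstamp=_ntpstamp(record.when)).text = record.when
    for tag, ip in (("Source", record.attacker), ("Target", record.target)):
        node = ET.SubElement(ET.SubElement(alert, q(tag)), q("Node"))
        addr = ET.SubElement(node, q("Address"), category="ipv4-addr")
        ET.SubElement(addr, q("address")).text = ip
    ET.SubElement(alert, q("Classification"), text=record.attack)
    return ET.tostring(msg, encoding="unicode")


def parse_idmef_summary(xml_text):
    """Read the fields back out of an IDMEF alert, as a consuming tool would."""
    q = lambda tag: "{%s}%s" % (IDMEF_NS, tag)
    alert = ET.fromstring(xml_text).find(q("Alert"))
    return {
        "sensor": alert.find(q("Analyzer")).get("analyzerid"),
        "source": alert.find(q("Source")).find(q("Node")).find(q("Address")).find(q("address")).text,
        "target": alert.find(q("Target")).find(q("Node")).find(q("Address")).find(q("address")).text,
        "attack": alert.find(q("Classification")).get("text"),
    }


if __name__ == "__main__":
    for sensor, count in rank_sensors(SAMPLE_RECORDS):
        print(sensor, count)
    print(to_idmef(SAMPLE_RECORDS[0], "msg-1"))
```

Rankings are by raw attack count here; a production logging server would normalise by sensor uptime, since a sensor that was booted yesterday cannot be compared with one that has run for months.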
SLIDE 7

Global Overview

SLIDE 8

Working of SURF IDS

  • Sensor is booted
  • OpenVPN is started
  • Uses TCP port 1194
  • Works with NAT!
  • Layer 2 tunnel (tap device)
  • DHCP request through the tunnel
  • Binds the IP of the client LAN on the tap device
  • Attacker/worm/virus/hacker attacks the IP on the server
  • Nepenthes simulates the weakness
  • Nepenthes handles the attack
  • Nepenthes logs the attack
  • Web interface presents the data
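The steps above put each sensor's LAN address, obtained by DHCP through its layer 2 tunnel, on a server-side tap device, and the tunnel-server slide lists source-based routing for getting the honeypot's replies back out through the right tunnel. The following is an added example written for this page, not SURFnet IDS code: it models one way to do that with iproute2 policy routing, generating (not executing) the commands and showing why destination-based routing alone does not work once two sensors sit on LANs that use the same private range. The SensorTunnel fields, the routing-table numbering and the sample tunnels are assumptions for the example.

```python
"""Per-sensor policy routing on the central server (added example, not
SURFnet IDS project code).

Each sensor's OpenVPN session ends in a tap device on the server; the
server binds the address the sensor's LAN handed out via DHCP on that tap
device.  Replies from the honeypot must leave through the tunnel whose
bound address they carry as source, so routing is keyed on the source
address.  Table numbers, field names and sample values are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface


@dataclass(frozen=True)
class SensorTunnel:
    sensor_id: str
    tap_dev: str   # server-side tap device of this sensor's OpenVPN session
    lan_addr: str  # address/prefix received via DHCP through the tunnel
    gateway: str   # default gateway of the sensor's LAN


# Constructed sample tunnels.  sensor-01 and sensor-02 sit on different LANs
# that both use 192.168.1.0/24, a common situation behind NAT.
SAMPLE_TUNNELS = [
    SensorTunnel("sensor-01", "tap0", "192.168.1.10/24", "192.168.1.1"),
    SensorTunnel("sensor-02", "tap1", "192.168.1.77/24", "192.168.1.1"),
    SensorTunnel("sensor-03", "tap2", "10.0.5.200/24", "10.0.5.1"),
]


def validate_tunnels(tunnels):
    """Return a list of problems; an empty list means the set is consistent.
    Two tunnels bound to the same address cannot be told apart by source
    address, so that is reported as an error rather than silently routed."""
    problems = []
    bound_ips, used_devs = {}, {}
    for t in tunnels:
        iface = IPv4Interface(t.lan_addr)
        if IPv4Address(t.gateway) not in iface.network:
            problems.append(f"{t.sensor_id}: gateway {t.gateway} not in {iface.network}")
        if iface.ip in bound_ips:
            problems.append(f"{t.sensor_id}: address {iface.ip} already bound for {bound_ips[iface.ip]}")
        if t.tap_dev in used_devs:
            problems.append(f"{t.sensor_id}: device {t.tap_dev} already used by {used_devs[t.tap_dev]}")
        bound_ips.setdefault(iface.ip, t.sensor_id)
        used_devs.setdefault(t.tap_dev, t.sensor_id)
    return problems


def policy_routing_commands(tunnels, base_table=100):
    """iproute2 commands: one routing table per sensor, selected by a rule on
    the bound source address.  Generated as strings, not executed."""
    cmds = []
    for index, t in enumerate(tunnels):
        iface = IPv4Interface(t.lan_addr)
        table = base_table + index
        cmds.append(f"ip addr add {iface.with_prefixlen} dev {t.tap_dev}")
        cmds.append(f"ip route add {iface.network} dev {t.tap_dev} src {iface.ip} table {table}")
        cmds.append(f"ip route add default via {t.gateway} dev {t.tap_dev} table {table}")
        cmds.append(f"ip rule add from {iface.ip} lookup {table}")
    return cmds


def reply_device(tunnels, source_ip):
    """Device a packet the honeypot sends from source_ip leaves on: the rule
    matches the bound source address, so overlapping LAN ranges do not matter."""
    for t in tunnels:
        if IPv4Interface(t.lan_addr).ip == IPv4Address(source_ip):
            return t.tap_dev
    return None


def destination_candidates(tunnels, dest_ip):
    """Tunnels whose LAN range contains dest_ip.  More than one candidate is
    exactly the ambiguity a single destination-based table cannot resolve."""
    dest = IPv4Address(dest_ip)
    return [t.tap_dev for t in tunnels if dest in IPv4Interface(t.lan_addr).network]


if __name__ == "__main__":
    for problem in validate_tunnels(SAMPLE_TUNNELS):
        print("problem:", problem)
    for cmd in policy_routing_commands(SAMPLE_TUNNELS):
        print(cmd)
```

With the sample tunnels, a reply to an attacker on 192.168.1.5 could go out either tap0 or tap1 if the main table decided by destination; keying on the bound source address (192.168.1.10 versus 192.168.1.77) picks the correct tunnel.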

SLIDE 9

Future

  • Start an IDS service for SURFnet customers
  • Open source licensing (GPL) and packaging
  • Additional honeypots on the central server
  • Logging interface for tools like AIRT
  • Interface for a quarantine environment
  • Static assignment of IP addresses on server and sensor
  • Multiple VLAN support for sensor
SLIDE 10

Demo

SLIDE 11

Questions?

Website: http://ids.surfnet.nl