Snort for the Road Warrior

Soapbox

What is Snort?
• Snort is an open source network Intrusion Prevention and Detection System (IDS/IPS) developed by Sourcefire.
• Snort is the most widely deployed IDS/IPS technology worldwide. Snort has become the de facto standard for IPS.

What is pfSense?
pfSense is a free, open source firewall and router platform based on NanoBSD/FreeBSD that includes most of the features of expensive, commercial firewalls. The pfSense stateful firewall for embedded applications supports:
• Stateful firewall based on OpenBSD pf
• Captive portal with MAC filtering, RADIUS support, etc.
• NAT support
• Load balancing
• VPN: IPsec, OpenVPN, PPTP
• Dynamic DNS client
• DHCP Server and Relay functions
• PPPoE Server
• Reporting and monitoring features with real time information

The m1n1wall arrives pre-loaded with pfSense 2.0.3 software. You can reload the CF card with your own operating system / software to support your application. Possibilities include FreeBSD, NetBSD, OpenBSD, m0n0wall, OpenWRT, Voyage Linux, STYX, iMedia ALIX Linux, Fluxbuntu, fli4l, Zeroshell, Ikarus OS, Embed-it, Mikrotik RouterOS.

Network Layout

m1n1wall Hardware

Soekris Crypto Accelerator

Dashboard

pfSense Packages

Hardware / Software costs
• Netgate m1n1wall 2D3/2D13 appliance: Assembled ($225.00) / Unassembled ($205.00)
• Soekris VPN1411 crypto accelerator ($72.00)
  http://store.netgate.com/Soekris-VPN1411-Crypto-accelerator-P319.aspx
• Sourcefire VRT rules ($29.99, personal license, 1 sensor)
  http://www.snort.org/vrt/buy-a-subscription

m1n1wall Appliance Features
ALIX.2D13 System Board with:
• 500 MHz AMD Geode LX800 CPU
• 3 10/100 Ethernet ports (VIA VT6105M 10/100)
• 1 miniPCI slot for future expansion (VPN acceleration, wireless, etc.)
• 2 USB ports
• 256 MB DDR DRAM
• Pre-installed battery
• I2C header
• COM2 header
• Internal USB header for ports 3 and 4
• 4 GB Industrial SLC CF Card pre-loaded with pfSense 2.0.3

Russian Business Network
• The Russian Business Network (commonly abbreviated as RBN) is a multi-faceted cybercrime organization, specializing in and in some cases monopolizing personal identity theft for resale.
• The RBN, which is notorious for its hosting of illegal and dubious businesses, originated as an Internet service provider for child pornography, phishing, spam, and malware distribution, physically based in St. Petersburg, Russia.
• By 2007, it had developed partner and affiliate marketing techniques in many countries to provide a method for organized crime to target victims internationally.

Russian Business Network (RBN) Structure (circa 2007)

RBN Activities
• According to VeriSign, RBN was registered as an internet site in 2006.
• Initially, much of its activity was legitimate. But apparently the founders soon discovered that it was more profitable to host illegitimate activities and started hiring its services to criminals.
• The RBN has been described by VeriSign as "the baddest of the bad".

RBN & Red October
• Red October was a cyber espionage malware program discovered in October 2012 and uncovered in January 2013 by Russian firm Kaspersky Lab.
• The malware was reportedly operating worldwide for up to five years prior to discovery, transmitting information ranging from diplomatic secrets to personal information, including from mobile devices.
• Red October was termed an advanced cyber espionage campaign intended to target diplomatic, governmental and scientific research organizations worldwide.
• After being revealed, domain registrars and hosting companies shut down as many as 60 domains used by the virus creators to receive information. The attackers themselves shut down their end of the operation as well.
• According to Kaspersky's report, the oldest domain name used in the Red October network was registered in November 2007, and the newest in May 2012. The RBN network went dark on November 4, 2007 and temporarily moved operations to China. Then, after a few weeks, it disappeared again.

Russian Cyber Operations (David J. Smith)
• "Unlike China," Jeff Carr, the CEO of Taia Global, explains on his Digital Dao blog, "Russian cyber operations are rarely discovered, which is the true measure of a successful op."
• Russia (its government and motley crew of government-sponsored cyber-criminals and youth group members) has integrated cyber operations into its military doctrine and is conducting strategic espionage against the United States.
• http://www.afpc.org/files/august2012.pdf

Other Cyber Operations of Note
• Hidden Lynx group
  http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf
• Syrian Electronic Army
  http://en.wikipedia.org/wiki/Syrian_Electronic_Army
• Mandiant Exposes APT1
  http://www.mandiant.com/apt1
• Anonymous (group)
  http://en.wikipedia.org/wiki/Anonymous_%28group%29

Contact
Email: alancz@wowway.com
Phone: (614) 876 6124

Questions?

Appendix

pfSense Information
• m1n1wall Quick Start Guide: http://bit.ly/m1n1wallQSG
• Web Interface: https://192.168.1.1
• Free Support: http://www.pfsense.org
• Paid Support: http://www.bsdperimeter.com, (502) 442 7080

References
• pfSense: http://www.pfsense.org/
  Commercial Support: https://portal.pfsense.org/
• Snort: http://www.sourcefire.com/security-technologies/open-source/snort
• Netgate: http://store.netgate.com/
• VRT Subscription Tips: Packages, http://doc.pfsense.org/index.php/Category:Packages