Snort for the Road Warrior

advertisement
Snort for the Road Warrior
Soapbox
What is Snort?
• Snort is an open source network Intrusion
Prevention and Detection System (IDS/IPS)
developed by Sourcefire.
• Snort is the most widely deployed IDS/IPS
technology worldwide. Snort has become the
de facto standard for IPS.
pfSense is a free, open source firewall and router platform based on NanoBSD/
FreeBSD that includes most all of the features of expensive, commercial firewalls.
The pfSense stateful firewall for embedded applications supports:
•
•
•
•
•
•
•
•
•
•
Stateful firewall based on OpenBSD pf
Captive portal with MAC filtering, RADIUS support, etc.
NAT support
Load balancing
VPN: IPsec, OpenVPN, PPTP
Dynamic DNS client
DHCP Server and Relay functions
PPPoE Server
Reporting and monitoring features with real time information
The m1n1wall arrives pre-loaded with pfSense 2.0.3 software. You can reload the CF card
with your own operating system / software to support your application. Possibilities
include FreeBSD, NetBSD, OpenBSD, m0n0wall, OpenWRT, Voyage Linux, STYX, iMedia
ALIX Linux, Fluxbuntu, fli4l, Zeroshell, Ikarus OS, Embed-it, Mikrotik RouterOS.
Network Layout
m1n1wall Hardware
Soekris Crypto Accelerator
Dashboard
pfSense Packages
Hardware / Software costs
Netgate m1n1wall 2D3/2D13 appliance
• Assembled ($225.00)/ Unassembled ($205.00)
Soekris VPN1411: Crypto accelerator ($72.00)
• http://store.netgate.com/Soekris-VPN1411-Crypto-accelerator-P319.aspx
Sourcefire VRT rules ($29.99, personal license, 1 sensor)
• http://www.snort.org/vrt/buy-a-subscription
m1n1wall Appliance Features
ALIX.2D13 System Board with
• 500 MHz AMD Geode LX800 CPU
• 3 10/100 Ethernet ports (VIA VT6105M 10/100)
• 1 miniPCI slot for future expansion (VPN Acceleration, wireless,
etc.)
• 2 USB ports
• 256 MB DDR DRAM
• Pre-installed battery
• I2C header
• COM2 header
• internal USB header for port 3 and 4
4 GB Industrial SLC CF Card pre-loaded with pfSense 2.0.3
Russian Business Network
• The Russian Business Network (commonly abbreviated
as RBN) is a multi-faceted cybercrime organization,
specializing in and in some cases monopolizing
personal identity theft for resale.
• The RBN, which is notorious for its hosting of illegal
and dubious businesses, originated as an Internet
service provider for child pornography, phishing, spam,
and malware distribution physically based in St.
Petersburg, Russia.
• By 2007, it developed partner and affiliate marketing
techniques in many countries to provide a method for
organized crime to target victims internationally.
Russian Business Network (RBN)
Structure (circa 2007)
RBN Activities
• According to VeriSign, RBN was registered as
an internet site in 2006
• Initially, much of its activity was legitimate.
But apparently the founders soon discovered
that it was more profitable to host illegitimate
activities and started hiring its services to
criminals.
• The RBN has been described by VeriSign as
"the baddest of the bad".
RBN & Red October
• Red October was a cyber espionage malware program discovered in
October 2012 and uncovered in January 2013 by Russian firm Kaspersky
Lab.
• The malware was reportedly operating worldwide for up to five years prior
to discovery, transmitting information ranging from diplomatic secrets to
personal information, including from mobile devices.
• Red October was termed an advanced cyber espionage campaign
intended to target diplomatic, governmental and scientific research
organizations worldwide.
• After being revealed, domain registrars and hosting companies shut down
as many as 60 domains used by the virus creators to receive information.
The attackers themselves shut down their end of the operation as well.
• According to Kaspersky’s report, the oldest domain name used in the Red
October network was registered in November, 2007, and the newest in
May, 2012. The RBN Network went dark on November 4, 2007 and
temporarily moved operations to China. Then, after a few weeks,
disappeared again.
Russian Cyber Operations
David J. Smith
• “Unlike China,” Jeff Carr, the CEO of Taia Global,
explains on his Digital Dao blog, “Russian cyber
operations are rarely discovered, which is the
true measure of a successful op.”
• Russia-its government and motley crew of
government-sponsored cyber-criminals and
youth group members-has integrated cyber
operations into its military doctrine and is
conducting strategic espionage against the United
States.
• http://www.afpc.org/files/august2012.pdf
Other Cyber Operations of Note
• Hidden Lynx group
– http://www.symantec.com/content/en/us/enterprise/media/security_
response/whitepapers/hidden_lynx.pdf
• Syrian Electronic Army
– http://en.wikipedia.org/wiki/Syrian_Electronic_Army
• Mandiant Exposes APT1
– http://www.mandiant.com/apt1
• Anonymous (group)
– http://en.wikipedia.org/wiki/Anonymous_%28group%29
Contact
Email: alancz@wowway.com
Phone: (614) 876 6124
Questions?
Appendix
pfSense Information
m1n1wall Quick Start Guide
• http://bit.ly/m1n1wallQSG
Web Interface
• https://192.168.1.1
Free Support
• http://www.fpsense.org
Paid Support
• http://www.bsdperimeter.com (502) 442 7080
References
pfSense
• http://www.pfsense.org/
• Commercial Support
– https://portal.pfsense.org/
Snort
• http://www.sourcefire.com/security-technologies/open-source/snort
Netgate
• http://store.netgate.com/
VRT Subscription
Tips: Packages
http://doc.pfsense.org/index.php/Category:Packages
Download