

Number of slides: 17

A Model for Virtual Laboratory Intrusion Detection Experience
Information Security Curriculum Development Conference, Kennesaw State University, September 2006
Valerie J. Harvey, RMU Department of Computer & Information Systems
Randall Johnson, Technical Services, RMU Information Technology
John C. Turchek, RMU Department of Computer & Information Systems
© 2006, Robert Morris University

Placement in Model IS Curricula
This module may be used with:
• Model I/S curriculum: IS 2002.6 Networks and Telecommunication
• MSIS 2000.3 Data Communications and Networking

Curricular Rationale
Other drivers of curricular content include the Homeland Security Presidential Directive/HSPD-7 of December 17, 2003 on Critical Infrastructure Identification, Prioritization, and Protection, NSA, and the enhancement of open standards such as COBIT, ITIL, and ISO 17799.

Intrusion Detection, Auditing: Sarbanes-Oxley Considerations
• Internal Controls – “Section 404 also requires the company's auditor to attest to, and report on management's assessment of the effectiveness of the company's internal controls and procedures for financial reporting in accordance with standards established by the Public Company Accounting Oversight Board.” Source: SEC at http://www.sec.gov/news/press/2003-66.htm
• “IT and the process owner must be responsible for: Access control over sensitive and critical applications and data files supporting the process (including security for preventing viruses and hacker intrusions.)” Source: S. Anand, The Sarbanes-Oxley Guide for Finance and IT Professionals (Sarbanes-Oxley Group, 2004), pp. 50-51.

Instructional Advantages
1. Server independence, giving each student control of an IDS configuration.
2. A unique IP address on the "virtual" network for each server, so that students are able to work in teams, including in distance learning situations.
3. Demonstration of centralized logging as typically deployed in production networks, by configuring each virtual machine to send log messages to the instructor's virtual machine.

Information Security – Our Architecture (Virtualization)
(Diagram: dom0 with eth0, iptables and the xenbr bridge; virtual interfaces vif1.0, vif2.0 … vifn.0 connecting domU-1, domU-2 … domU-22)
HP ML370 G3 (2.8 GHz CPU, 1 GB RAM)
22 virtual machines (48 MB RAM, 1 GB disk each)
Full root access but with full isolation
Full bridged networking for virtual machines
Array of virtual machines with full bridging, an Ethernet interface and a range of IP addresses: k.m.n.101 – k.m.n.123

Configuration Steps
1. The host server is prepared
2. Range of IP addresses determined
3. A template virtual machine is created
4. Scripts create individual student virtual machines from template
   1. On the first startup, a script in the template creates the user, sets the root password, and emails the password to student and instructor

Configuration Steps, cont’d
5. Configured the instructor virtual machine
   1. Configured instructor syslog-ng
   2. Configured instructor /var/log/HOSTS directory (central logging destination)
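A central-logging configuration of the kind steps 3 to 5 describe, written here as an added illustration rather than taken from the RMU deck. The instructor VM address INSTRUCTOR_VM_IP, the one-file-per-host layout under /var/log/HOSTS and the syslog-ng source names are assumptions; the deck only states that syslog-ng and a /var/log/HOSTS directory were configured on the instructor VM.

```conf
# --- instructor VM (central audit host): syslog-ng.conf fragment ---
# Accept syslog over UDP/514 from the student VMs on the bridged lab subnet.
source s_students { udp(ip(0.0.0.0) port(514)); };

# One directory per sending VM under /var/log/HOSTS (assumed layout).  $HOST is
# whatever the client wrote in the syslog header, so it is only as trustworthy
# as the sender; restrict the UDP source with iptables to the lab's
# k.m.n.101-k.m.n.123 range so outside hosts cannot plant entries.
destination d_hosts {
    file("/var/log/HOSTS/$HOST/$YEAR-$MONTH-$DAY.log" create_dirs(yes)
         owner(root) group(adm) perm(0640));
};
log { source(s_students); destination(d_hosts); };

# --- each student VM (built from the template): forward a copy upstream ---
source s_local { unix-stream("/dev/log"); internal(); };
# INSTRUCTOR_VM_IP is a placeholder; the deck does not give the address.
destination d_instructor { udp("INSTRUCTOR_VM_IP" port(514)); };
# The local auth.log and syslog destinations stay in place; this only adds the
# central copy that the "Central Audit" slide describes.
log { source(s_local); destination(d_instructor); };
```

Plain UDP syslog is neither reliable nor authenticated, which is acceptable inside the isolated lab bridge but is why the local auth.log on each VM remains the authoritative copy for the student's own analysis.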

Model of VM Environment (selected directories)

Central Audit: Information Security Local and Central Logging
Student inspects auth.log and syslog on own virtual machine
Central syslog entry copies are sent to central audit file (HOSTS)

Information Security Student Assessment of Exploits 1
Below is a list of attempts to open a session based on defaults of the system. Sometimes the passwords are easy to guess, and other times they have no passwords (i.e. guest); attempts to hit defaults; dictionary attacks running through a list of common words. This approach might work when passwords are not changed from defaults, making it sometimes easy to break into a system. If you look below, there are some users like FTP, Oracle, Tomcat, ID Linux, Internet, etc. which usually indicate server names that connect to other servers. These names are the IDs defaulted by many systems (like Oracle’s Database) that connect to a main server, and the password provided could be a default to try to break in.
Apr 9 14:32:12 vm-ljsst8 sshd[17365]: Illegal user info from 125.248.144.98
Apr 9 14:32:14 vm-ljsst8 sshd[17367]: Illegal user ftp from 125.248.144.98
Apr 9 14:32:16 vm-ljsst8 sshd[17369]: Illegal user httpd from 125.248.144.98
Apr 9 14:32:18 vm-ljsst8 sshd[17371]: Illegal user dany from 125.248.144.98
Apr 9 14:32:20 vm-ljsst8 sshd[17373]: Illegal user susan from 125.248.144.98
Apr 9 14:32:22 vm-ljsst8 sshd[17375]: Illegal user oracle from 125.248.144.98
Apr 9 14:32:24 vm-ljsst8 sshd[17377]: Illegal user tomcat from 125.248.144.98
Apr 9 14:32:28 vm-ljsst8 sshd[17381]: Illegal user id from 125.248.144.98
Apr 9 14:32:30 vm-ljsst8 sshd[17383]: Illegal user sgi from 125.248.144.98
Apr 9 14:32 vm-ljsst8 sshd[17385]: Illegal user postgres from 125.248.144.98
Apr 9 14:32:34 vm-ljsst8 sshd[17387]: Illegal user flowers from 125.248.144.98
Apr 9 14:32:36 vm-ljsst8 sshd[17389]: Illegal user linux from 125.248.144.98
Apr 9 14:32:37 vm-ljsst8 sshd[17391]: Illegal user internet from 125.248.144.98
Apr 9 14:32:39 vm-ljsst8 sshd[17393]: Illegal user server from 125.248.144.98
Apr 9 14:32:41 vm-ljsst8 sshd[17395]: Illegal user nokia from 125.248.144.98

Information Security Student Assessment of Exploits 2
Sometimes hackers try to break into a super user account under root anonymously, since some systems like Slackware Linux allow anonymity in super users and/or root passwords. This is an attempt to access.
Apr 11 06:25:01 vm-ljsst8 CRON[17742]: (pam_unix) session opened for user root by (uid=0)
Apr 11 06:25:17 vm-ljsst8 su[17769]: + ??? root:nobody
Apr 11 06:25:17 vm-ljsst8 su[17769]: (pam_unix) session opened for user nobody by (uid=0)
Apr 11 06:28:00 vm-ljsst8 CRON[17742]: (pam_unix) session closed for user root
This is a user outside of our class scanning ports on my system. It is listed on ARIN as RIPE Network Coordination Centre in Amsterdam, NL.
Apr 11 17:06:41 vm-kvwst1 sshd[12790]: Illegal user postgres from 82.224.139.101
Apr 11 17:06:42 vm-kvwst1 sshd[12792]: Illegal user oracle from 82.224.139.101
Apr 11 17:06:47 vm-kvwst1 sshd[12794]: Illegal user cyrus from 82.224.139.101
Dictionary attack from possibly spoofed IP address:
Apr 15 06:37:26 vm-dazst2 sshd[30204]: reverse mapping checking getaddrinfo for adsl-131.100.37.info.com.ph failed - POSSIBLE$
Apr 15 06:37:28 vm-dazst2 sshd[30206]: reverse mapping checking getaddrinfo for adsl-131.100.37.info.com.ph failed - POSSIBLE$
Apr 15 06:37:31 vm-dazst2 sshd[30208]: reverse mapping checking getaddrinfo for adsl-131.100.37.info.com.ph failed - POSSIBLE$
Apr 15 06:37:33 vm-dazst2 sshd[30210]: Illegal user jason from 203.131.100.37
Apr 15 06:37:33 vm-dazst2 sshd[30210]: reverse mapping checking getaddrinfo for adsl-131.100.37.info.com.ph failed - POSSIBLE$
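The manual reading the students do in assessments 1 and 2 (spotting a burst of "Illegal user" names from one source, and the sshd reverse-mapping warning) can be automated over the central audit files. The triage script below is an added example, not part of the deck or the course material; its log sample is constructed from lines of the kind shown above, and the thresholds (three distinct usernames within sixty seconds) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the sshd lines in the students' auth.log excerpts.
SAMPLE_LOG = """\
Apr  9 14:32:12 vm-ljsst8 sshd[17365]: Illegal user info from 125.248.144.98
Apr  9 14:32:14 vm-ljsst8 sshd[17367]: Illegal user ftp from 125.248.144.98
Apr  9 14:32:16 vm-ljsst8 sshd[17369]: Illegal user httpd from 125.248.144.98
Apr  9 14:32:22 vm-ljsst8 sshd[17375]: Illegal user oracle from 125.248.144.98
Apr 11 17:06:41 vm-kvwst1 sshd[12790]: Illegal user postgres from 82.224.139.101
Apr 15 06:37:26 vm-dazst2 sshd[30204]: reverse mapping checking getaddrinfo for adsl-131.100.37.info.com.ph failed - POSSIBLE BREAKIN ATTEMPT!
Apr 15 06:37:33 vm-dazst2 sshd[30210]: Illegal user jason from 203.131.100.37
"""

# Classic syslog prefix: "Mon dd HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (.*)$")
ILLEGAL_RE = re.compile(r"Illegal user (\S+) from (\d+\.\d+\.\d+\.\d+)")
REVMAP_RE = re.compile(r"reverse mapping checking getaddrinfo for (\S+) failed")

def parse_events(log_text, year=2006):
    """Yield (timestamp, vm_host, kind, subject, username); subject is the source IP for 'illegal_user' and the claimed name for 'revmap_fail'."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
        host, msg = m.group(2), m.group(3)
        if (im := ILLEGAL_RE.search(msg)):
            yield ts, host, "illegal_user", im.group(2), im.group(1)
        elif (rm := REVMAP_RE.search(msg)):
            yield ts, host, "revmap_fail", rm.group(1), None

def triage(log_text, min_users=3, window_s=60):
    """Per (vm_host, source IP): count attempts and distinct usernames; a burst of >= min_users
    names inside window_s seconds is flagged as a dictionary attack. Reverse-mapping failures are tallied per claimed name."""
    attempts, revmap_fail = defaultdict(list), defaultdict(int)
    for ts, host, kind, subject, user in parse_events(log_text):
        if kind == "illegal_user":
            attempts[(host, subject)].append((ts, user))
        else:
            revmap_fail[(host, subject)] += 1
    findings = {}
    for key, evs in attempts.items():
        times, users = [t for t, _ in evs], {u for _, u in evs}
        span = (max(times) - min(times)).total_seconds()
        findings[key] = {"attempts": len(evs), "distinct_users": len(users), "span_s": span,
                         "dictionary_attack": len(users) >= min_users and span <= window_s}
    return findings, dict(revmap_fail)
```

Run `triage(open("/var/log/HOSTS/<vm>/...").read())` on a central audit file to get one summary per (VM, source) pair; the reverse-mapping tally is reported separately because, as the student notes, the claimed hostname may not belong to the sending address at all.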

Information Security Student Assessment of Exploits 3
Port Scanning with nmap
• Number of the attacks: 6 attacks.
• Attacker: 125.248.144.117 (Classmate)
• Example of the entries in the log file:
Apr 11 11:08:06 vm-sfast1 snort: [122:1:0] (portscan) TCP Portscan {PROTO 255} k.m.n.117 -> k.m.n.113
Attempted to check SNMP (Port 61) vulnerability on the remote machine --->
Apr 10 01:42:36 vm-mxkst15 snort: [1:1421:11] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} k.m.n.114:62415 -> k.m.n.113:705
TCP traffic flow to the open port 12345 --->
Apr 10 01:42:37 vm-mxkst15 snort: [1:0:0] TCP traffic to port 12345 {TCP} k.m.n.114:62415 -> k.m.n.113:12345
Another user tried to gain privilege via SNMP trap handling --->
Apr 11 11:08:07 vm-mxkst15 snort: [1:1420:11] SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} k.m.n.117:47755 -> k.m.n.113:162
Apr 11 11:08:07 vm-mxkst15 snort: [1:1421:11] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} k.m.n.117:47755 -> k.m.n.113:705
Apr 11 11:08 vm-mxkst15 snort: [1:1418:11] SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} k.m.n.117:47755 -> k.m.n.113:161
Remote identification denied, log recorded by snort, attacker located in France --->
Apr 11 16:55:28 vm-mxkst15 sshd[14988]: Did not receive identification string from 82.224.139.101
Unsuccessful reverse mapping attempt --->
Apr 12 04:08:53 vm-mxkst15 sshd[15172]: reverse mapping checking getaddrinfo for . failed - POSSIBLE BREAKIN ATTEMPT!
Apr 12 04:08:54 vm-mxkst15 sshd[15174]: Illegal user 1 from 72.20.3.186

Information Security Student Assessment of Exploits 4
• Finally snort detected the attack from machine “k.m.n.122” on the port 12345 with the rule I created in the “locals.rules” file, when the attacker used a telnet command on my 12345 port:
Mar 28 13:00:09 vm-sfast1 snort: [1:0:0] TCP traffic to port 12345 {TCP} k.122:4607 -> k.m.n.117:12345
Mar 28 13:00:09 vm-sfast1 snort: [1:0:0] TCP traffic to port 12345 {TCP} k.m.n.122:4607 -> k.m.n.117:12345
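A local Snort 2.x rule of the kind the student describes for port 12345, added here as an illustration; it is not the student's actual rule, and the file name local.rules and the sid value are assumptions. The [1:0:0] prefix in the entries above is what Snort prints when a rule carries no sid, which is the one thing a grader would ask the student to change.

```conf
# local.rules (assumed name; the student's slide says "locals.rules") on the student's sensor.
# Without a sid option Snort logs the alert as [gid:sid:rev] = [1:0:0], as in the entries above.
# Giving the rule a sid in the local range (>= 1000000) makes it identifiable in the central
# /var/log/HOSTS copy and lets it be tuned or suppressed by id instead of by message text.
alert tcp any any -> $HOME_NET 12345 (msg:"TCP traffic to port 12345"; sid:1000001; rev:1; classtype:misc-activity;)
```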

Information Security – Our Implementation
Students at work in RMU classroom (or at home) using their own computers (laptops)
Server in RMU Data Center hosting virtual machine array for intrusion detection practice

Your comments and demo
• Questions?
• Recommendations?

Sample Student Login
When prompted, enter your RMU virtual machine account password (it will not appear on the screen): same as Novell system password for RMU networks.
When you have the virtual machine prompt, like: [email protected]:~$
Sample Login:
login as: xyzstn
Password:
Linux snort-xen-01 2.6.11.12-xenU #1 Wed Mar 15 06:29:33 EST 2006 i686 GNU/Linux
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Mon Apr 3 20:49:39 2006 from pool-151-201-24284.pitt.east.verizon.net
Just enter your RMU userid like [email protected]:~$
Then log in as superuser and provide the appropriate password.