Saturday, May 31, 2014

Suricata with Logstash - Part 2: Setup and Configure Suricata

Pre-installation requirements

For Ubuntu 10.04 LTS and later, install the packages below to support the IDS and IPS functions of Suricata.
$sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
Note: If you don't plan to use Suricata in IPS mode, you may leave out
libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

Download Suricata

Download Suricata (latest version as of writing is 2.0.1).
Once downloaded, extract it and navigate to the folder.
$wget http://www.openinfosecfoundation.org/download/suricata-2.0.1.tar.gz
$tar -xvzf suricata-2.0.1.tar.gz
$cd suricata-2.0.1

Compile

For IDS Mode:
$./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
For IPS Mode:
$./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
Start building by triggering the following commands:
$make
$sudo make install-full

Test

To make sure Suricata is properly installed, run Suricata by:
$sudo suricata -c /etc/suricata/suricata.yaml -i (interface)
Replace (interface) with your machine's interface name (e.g. eth0).
A message similar to the one below should show that Suricata is running successfully:


View the real-time events by:
$cd /var/log/suricata
$tail -f stats.log
or
$tail -f http.log
Below is a sample of how the real-time logging should look:

http.log

stats.log
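The http.log shown above is plain text, and the point of this series is to get those records into Logstash. The parser below is an added example (not code from the original post or from the Suricata project) that turns http.log lines into the kind of structured records a log pipeline expects. It assumes the default, non-extended http.log layout of Suricata 2.0 (timestamp, host, URI and user-agent separated by " [**] ", then "src:port -> dst:port"); the sample lines are constructed for the example, and the third one carries a user-agent containing " -> " to show why the address pair is matched from the end of the line rather than by a naive split.

```python
"""Parse Suricata 2.0 legacy http.log lines into dicts.

Example code added to the post; not Suricata's or Logstash's own code.
Assumption: the default (non-extended) http.log line format.
"""
import re
from collections import Counter
from datetime import datetime

# One regex for the whole line. URI and user-agent are matched lazily and the
# address pair is anchored at the end of the line, so a user-agent that itself
# contains " -> " (or a stray " [**] ") does not confuse the parsing.
HTTP_LINE_RE = re.compile(
    r"^(?P<timestamp>\S+) (?P<host>\S+) \[\*\*\] (?P<uri>.*?) \[\*\*\] "
    r"(?P<user_agent>.*?) \[\*\*\] "
    r"(?P<src_ip>[0-9A-Fa-f.:]+):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>[0-9A-Fa-f.:]+):(?P<dst_port>\d+)$"
)

# Suricata writes timestamps as MM/DD/YYYY-HH:MM:SS.microseconds
TIMESTAMP_FORMAT = "%m/%d/%Y-%H:%M:%S.%f"


def parse_http_line(line):
    """Return a dict for one http.log record, or None if the line does not match."""
    match = HTTP_LINE_RE.match(line.rstrip("\n"))
    if not match:
        return None
    record = match.groupdict()
    record["src_port"] = int(record["src_port"])
    record["dst_port"] = int(record["dst_port"])
    # ISO 8601 is what a Logstash date filter digests most easily
    record["@timestamp"] = datetime.strptime(
        record.pop("timestamp"), TIMESTAMP_FORMAT
    ).isoformat()
    return record


def parse_http_log(text):
    """Parse every line of an http.log; returns (records, unparsed_lines)."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_http_line(line)
        if record is None:
            unparsed.append(line)  # keep them visible instead of silently dropping
        else:
            records.append(record)
    return records, unparsed


def top_hosts(records, n=3):
    """Most-requested Host headers, the first thing to eyeball in a new http.log."""
    return Counter(r["host"] for r in records).most_common(n)


# Constructed sample lines (not from a real sensor); the third has a
# user-agent containing " -> " to exercise the end-anchored address parsing.
SAMPLE_HTTP_LOG = """\
05/31/2014-09:15:02.123456 www.example.com [**] /index.html [**] Mozilla/5.0 (X11; Linux x86_64) [**] 192.0.2.10:51234 -> 203.0.113.5:80
05/31/2014-09:15:03.654321 www.example.com [**] /images/logo.png [**] Mozilla/5.0 (X11; Linux x86_64) [**] 192.0.2.10:51235 -> 203.0.113.5:80
05/31/2014-09:15:04.000001 update.example.net [**] /check?id=1 [**] Updater/1.0 (Linux -> x86_64) [**] 192.0.2.11:40001 -> 203.0.113.9:8080
this line is not an http.log record
"""

if __name__ == "__main__":
    records, unparsed = parse_http_log(SAMPLE_HTTP_LOG)
    for record in records:
        print(record)
    print("unparsed:", len(unparsed), "top hosts:", top_hosts(records))
```

Run it against a real file with `parse_http_log(open("/var/log/suricata/http.log").read())`; lines that do not match are returned rather than dropped, so a change in Suricata's output format (for instance switching on the extended http.log format) shows up immediately as a growing unparsed list instead of as silently missing events.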

What's next?

Now that you have Suricata running, the next part is viewing all those events visually. :-)

Wednesday, May 28, 2014

Configuring McAfee NGFW (Stonesoft) Client to Site VPN (using Stonesoft IPSec VPN Client): Configuring VPN NAT Pool based client-to-site VPN

Overview

Stonesoft IPSec VPN with a NAT Pool is an alternative way of allowing remote users to establish a VPN connection. This configuration does not require an external DHCP server to provide IP addresses for remote users.

The disadvantage of this configuration is that the DNS server must be set up manually on the remote user's machine.

Requirements

McAfee NGFW 5.5 and later
McAfee Security Management Center (SMC) 5.7
Stonesoft IPSec VPN Client 5.4 or later

Procedures

  1. Log on to McAfee SMC
  2. Go to Configuration -> Configuration -> VPN
  3. Create a new VPN Profile by going to Other Elements -> Profiles -> VPN Profiles
Then right-click on VPN Profiles and choose New VPN Profile
  4. On the new window, configure the following (you may change these depending on your security requirements):

Then click Ok

  5. Create a new VPN configuration: right-click on VPNs then choose New VPN
Choose the VPN Profile that was created earlier
Make sure to enable the checkbox when configuring VPN for NAT Pool

  6. On the Edit view for the VPN configuration:

Add the default IPSec Client on the Satellite Gateways

Create a new Internal VPN Gateway for the Central Gateways

Select the Security Engine (Firewall) that will be accessed by the remote users

Select the public (external) IP address that will be handling the VPN session

Uncheck “Include and update addresses based on routing”, since this would allow any remote user to access any network if the VPN rules are not configured properly.

Add the network segments that you will be allowing remote users to access.

Click Ok.

You may add multiple internal gateways if you manage multiple NGFWs
  7. Set the IP range that can be used by the remote users.
Go to NGFW properties, Advanced tab, then click the VPN Settings button.

Check “Translated IP Addresses”, then enter the IP range and port range (from 1024 to 65535)

Click Ok.

  8. Create VPN user accounts locally on the firewall
Go to Configuration -> Configuration -> User Authentication

To create a new local user account, expand Users then choose InternalDomain

Expand the stonegate domain then create a new user under Mobile VPN user

Input the username in the Name field and modify the Activation based on your requirements.

Set user authentication to User password then initialize the user’s password (take note of this so you can send it to the user afterwards)

A successful user authentication will show the following

  9. Create a new rule on your current Firewall Policy with the following configuration
Source IP: Any
Destination IP:
Service: Any
Action: Enforce VPN: Client to Site
Authentication: Select Authorize Client IP, select the Group where the VPN users are stored, and choose the authentication type being used by the user

  10. Upload the rule to your firewall
  11. Test your VPN settings by connecting via the Stonesoft VPN client

Input the public IP of the firewall that will accept VPN connections

A successful connection will prompt the user authentication dialog

Successful authentication will establish the connection

You should now be able to access the servers/workstations behind the firewall

Note: Unlike other IPSec VPN clients, Stonesoft’s client will not disconnect your Internet connection or reconfigure the IP address of your network interface. So while you can access the internal network, you can still continue to access the Internet.

Thursday, May 1, 2014

Suricata with Logstash - Part 1: Planning and installation

IDS or IPS?

Before you start testing Suricata, first understand what you will need. If you are new to this or don't know the difference between an IPS and an IDS, let me give you a brief background below. If you are an advanced user, you may skip this and move to Part 2: Setup and Configure Suricata

What is an IDS?

IDS stands for Intrusion Detection System. As its name says, the main role of this security device is to detect threats passing over your network. Nowadays, an IDS uses different kinds of methods to detect and identify threats. It uses signature-based detection, for which the vendor continually provides updates, and it may also use behavioral (signature-less) detection so that it can identify unknown threats. These are the two most common features it has; depending on the vendor, they may introduce other or more advanced methods of detecting threats.

An IDS is usually deployed one-armed (using a SPAN port or TAP) to detect threats on the network. It may also be deployed in-line (between two network devices, e.g. firewall and core switch).

What is an IPS?

IPS stands for Intrusion Prevention System. This security device has the capability to react when a threat is detected on the network, unlike an IDS, which most of the time only has a TCP reset feature. An IPS can definitely block, drop or quarantine malicious traffic. In terms of deployment, an IPS must be deployed in-line, since that is the only way it can stop the traffic passing through.

Unlike an IDS (appliance or mode), an IPS will require a higher-specification server/appliance that is capable of handling the whole network throughput. When dealing with encrypted traffic, it will require more CPU resources to decrypt and analyze.

Deployment option

When deploying an IPS/IDS, there are things you or your organization need to consider. One may start by looking at how other organizations implement it in their environment, and from that evaluate whether it can also be applied to their own. But take note: there are pros and cons to each type of deployment.

In-line mode

When deploying in-line, first understand the following things about your organization:
- All your ingress and egress points (where traffic comes in and goes out)
- The zones you want to protect (DMZ, Internal, etc.)
- The total throughput of each zone (say, the DMZ has 10 servers each with 10Gbps, and Internal has 1Gbps of traffic)
- The type of interfaces the other network devices have
- High Availability setup (since placing a device in-line makes it a single point of failure)

Below is an example of how an in-line device is placed.



Pros:
- Able to act on the malicious traffic
- Can identify source and destination more accurately
- Does not need much configuration on other network devices (i.e. router or switch)

Cons:
- Single point of failure if not implemented properly
- Expensive
- Continuous monitoring
- Requires a lot of interfaces if you need to monitor different segments

TAP / SPAN mode


When deploying in this mode, take note of the following requirements:
- Need to place a TAP device (for TAP mode)
- Need to add a SPAN configuration on one of the network device's interfaces
- Review any security settings on the network device (e.g. MAC address filtering)
- If VLANs are used for different zones/departments, the admin must know which ones to include in the SPAN configuration



Pros:
- Cheap
- Not a single point of failure
- Faster to deploy

Cons:
- Limited view of the attack
- Limited actions against the attack
- Not very accurate on the source and destination addresses

Suricata Implementation

Suricata supports both in-line and SPAN mode configurations. If you decide to go in-line, then you require at least 2 NICs on your hardware. For this tutorial, I'm only covering SPAN mode for now, since I only want to do IDS with Suricata.

Move to Part 2