Securing your network

Update December 11th: I’m in the middle of testing OSSIM, and messing around a bit with several other things, like flow-inspector. I’m still gathering my thoughts, since this project is clearly a beast.

What are we stopping?
Data exfiltration and host zombification. That’s it.

Read these things:
I’m not a CSO, nor do I have a PhD in Engineering, so I’ll leave most of the theory here to other folks.

The following list is a few items you should skim so that you have an idea of what I’m trying to do:

In addition to theory, I’ve come across a thorough list of products:

Endpoint Security Management Buyer’s Guide:
I suggest taking notes as you read it; I wrote up notes and a list of actionable questions myself, and expanded the list below in reaction to them. To be honest, my network isn’t gigantic, nor do I have much of a budget to work with, so I find this “CONSOLIDATE ALL THE CONSOLES!” concept elusive in the open source “market.” However, it gives me a real reference point to start in on this gigantic task. I think the paper is a little idealistic for me, with the resources I have at hand; but it’s great for theory, and for understanding how the security operations of much larger environments work.

The page list:
Part 1: Raise your awareness
Part 2: The Console
Part 2.a: Configure AlienVault’s OSSIM as your primary security console

Upcoming list (clearly the order is not relevant):
Part 2: Server and endpoint security
Part 2.a: Anti-virus (why? how? who? discuss filter drivers, cite I/O tests; anti-malware analysis, VirusTotal, that virus sample site…)
Part 2.b: Malicious Executable (Using SRP/AppLocker, El Jefe, checksum based whitelisting, and guaranteeing that it runs properly)
Part 2.c: Patch Management (WSUS + Local Update Publisher)
Part 2.d: Integrity monitoring (aka configuration management and integrity checks; using Foreman+RunDeck+Puppet, using hg, [maybe cover cloning? (FOG?)], OSSEC and Samhain)
Part 2.e: Encryption (why? how? who? TrueCrypt, discuss filter drivers, cite I/O tests)
Part 2.f: Sandboxing (EMET, unrealistic QubesOS)
Part 2.g: Device control (native device control, disabling USB storage writes via the registry (WriteProtect key), talk about mass storage and MTP, endpoint DLP, MyDLP, OpenDLP)
Part 2.h: Asset access control: intranet site authentication, Windows file ACL auditing (with MACE).

The magic of log parsing.

Part 3: network security
Part 3.0: network isolation/segmentation
Part 3.a: Firewalls. Proxies.
Part 3.b: Network intrusion detection/prevention (snort+sguil+squert+snorby, +acarm-ng, sagan, maybe OSSIM?)
Part 3.c: Flow capture (argus, ntop)
Part 3.d: Worm infection detection and tarpitting (dionaea, honeyd, nova)
Part 3.e: Switch configuration (802.1X, PacketFence, anti-spoofing, proper VLAN configs)
Part 3.f: Network service configuration (cover DHCP whitelisting, DNSSEC, multicast and PIM routing)

Part 4: Scare tactics, I mean… user training (agree with this, but taglines, accountability and creating an environment ripe for punishment and guilt go a long way)

Part 5: Incident response (isolation mechanisms, argus, flow-inspector, Redline, El Jefe, considering and writing extensions to Redline for additional logs (following its XML schema))

Part 6: “Active defense” is the new cool thing to do. Just wanted to mention it: ADHD distro.
