Network Security @ ICS MU
Jan Vykopal, vykopal@ics.muni.cz
May 10, 2012, FI MU, Brno

Part I: Introduction
Jan Vykopal Network Security @ ICS MU 2 / 26

Present Computer Security

Present essentials and best practices:
- host-based: firewall, antivirus, automated patching, NAC (Network Access Control)
- network-based: firewall, antispam filter, IDS (Intrusion Detection System), UTM (Unified Threat Management)

Network security monitoring:
- A necessary complement to the host-based approach.
- NBA (Network Behavior Analysis) is a key approach in large and high-speed networks.
- Traffic acquisition and storage are essentially solved; the security analysis of the collected data is the challenging task.

Flow Based Monitoring
- Provides information about who communicates with whom, for how long, over which protocol, how much data, and so on.
- Based on Cisco NetFlow v5/v9 technology and IETF IPFIX.
- Enables you to watch your network traffic in real time.
- GEANT2 Security Toolset = FlowMon probe + NfSen.
- Detailed network view with NetFlow data.

NetFlow Applications in Time
- Originally: accounting
- Then: incident handling, network forensics
- Now: intrusion detection, network protection

Part II: NetFlow Monitoring at MU

Masaryk University, Brno, Czech Republic
- 9 faculties: 200 departments and institutes
- 48,000 students and employees
- 15,000 networked hosts
- 2x 10 gigabit uplinks to CESNET (NREN)

Average traffic volume at the edge links in peak hours:

Interval   Flows    Packets   Bytes
Second     5 k      150 k     132 M
Minute     300 k    9 M       8 G
Hour       15 M     522 M     448 G
Day        285 M    9.4 G     8 T
Week       1.6 G    57 G      50 T
[Figure: Number of Flows in MU Network (5-minute Window), Monday to Sunday; y-axis 0 to 1,500,000 flows]

FlowMon Probes at Masaryk University Campus
- FlowMon probes: 25
- NetFlow collectors: 6

NetFlow Monitoring at Masaryk University
- NetFlow data acquisition: FlowMon probes on 1/10 GE links
- NetFlow data collection: NetFlow v5/v9 exported to the NetFlow collector
- NetFlow data analyses: SPAM detection, worm/virus detection, intrusion detection

Flow-based Traffic Monitoring System
- Starting point: a network (Internet, firewall, several LANs) without any flow monitoring system.
- Step 1: FlowMon probe connected to an in-line TAP.
- Step 2: FlowMon observes data from both TAP and SPAN ports.
NfSen/NFDUMP Collector Toolset Architecture
- Data path: NetFlow v5/v9 -> NFDUMP backend -> periodic update tasks and plugins -> web front-end, user plugins and command-line interface
- NfSen (NetFlow Sensor): http://nfsen.sf.net/
- NFDUMP (NetFlow display): http://nfdump.sf.net/

Methods for Data Analysis I

TCP SYN scanning detection:
- Very simple, but effective general method.
- Reveals compromised hosts in our network.
- Very low false positive rate.

Honeypot monitoring:
- Uses a subnet allocated for high- and low-interaction honeypots.
- Eliminates false positives; mainly catches hosts from outside.
- Besides flows, the passwords attempted by attackers are stored.

Methods for Data Analysis II

Brute force attack detection:
- Online password guessing is ubiquitous and still a threat.
- Similar flows may be symptoms of this attack.
- Suitable even for encrypted services such as SSH.
- One attacker often aims at more targets ⇒ easier detection.

Round trip time anomaly detection:
- (D)DoS attacks overwhelm servers and increase response time.
- An abrupt increase of RTT may point to an attack or a misconfiguration.
- The number of incoming flows/packets is often correlated with RTT.

Chuck Norris Botnet in a Nutshell
- Linux malware: IRC bots with central C&C servers.
- Attacks poorly configured Linux MIPSEL devices.
- Vulnerable devices: ADSL modems and routers.
- Uses a TELNET brute force attack as the infection vector.
- Users are not aware of the malicious activities.
- No anti-malware solution detects it.
- Discovered at Masaryk University on 2 December 2009.
- The malware got the Chuck Norris moniker from a comment in its source code: "[R]anger Killato : in nome di Chuck Norris !"
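The two flow-based methods above (TCP SYN scanning detection and brute force attack detection from similar flows) as one worked example. This is an added illustration, not code from the slides, from FlowMon or from NfSen/NFDUMP: the flow records are constructed, and the CSV-like layout and the six-character TCP flag string (loosely modelled on nfdump's output) are assumptions; the thresholds are illustrative, not the values used at MU.

```python
"""
Flow-based detection of TCP SYN scanning and online password brute forcing.
Added example; record layout, flag format and thresholds are assumptions.
"""
from collections import Counter, defaultdict

# Constructed sample flows (not real traffic). Columns:
# ts,proto,src,sport,dst,dport,flags,packets,bytes
# flags follows the UAPRSF pattern, e.g. "....S." = SYN only.
SAMPLE_FLOWS = """\
ts,proto,src,sport,dst,dport,flags,packets,bytes
2012-05-10 10:00:01,TCP,10.0.0.5,43211,192.168.1.1,445,....S.,1,48
2012-05-10 10:00:01,TCP,10.0.0.5,43212,192.168.1.2,445,....S.,1,48
2012-05-10 10:00:01,TCP,10.0.0.5,43213,192.168.1.3,445,....S.,1,48
2012-05-10 10:00:02,TCP,10.0.0.5,43214,192.168.1.4,445,....S.,1,48
2012-05-10 10:00:02,TCP,10.0.0.5,43215,192.168.1.5,445,....S.,1,48
2012-05-10 10:00:02,TCP,10.0.0.5,43216,192.168.1.6,445,....S.,1,48
2012-05-10 10:00:05,TCP,198.51.100.7,51000,192.168.1.10,22,.AP.SF,16,2210
2012-05-10 10:00:05,TCP,198.51.100.7,51001,192.168.1.10,22,.AP.SF,16,2230
2012-05-10 10:00:06,TCP,198.51.100.7,51002,192.168.1.10,22,.AP.SF,16,2250
2012-05-10 10:00:06,TCP,198.51.100.7,51003,192.168.1.10,22,.AP.SF,16,2270
2012-05-10 10:00:07,TCP,198.51.100.7,51004,192.168.1.10,22,.AP.SF,16,2290
2012-05-10 10:00:07,TCP,198.51.100.7,51005,192.168.1.10,22,.AP.SF,16,2215
2012-05-10 10:00:08,TCP,198.51.100.7,51006,192.168.1.10,22,.AP.SF,16,2240
2012-05-10 10:00:08,TCP,198.51.100.7,51007,192.168.1.10,22,.AP.SF,16,2265
2012-05-10 10:00:09,TCP,198.51.100.7,51008,192.168.1.11,22,.AP.SF,16,2220
2012-05-10 10:00:09,TCP,198.51.100.7,51009,192.168.1.11,22,.AP.SF,16,2245
2012-05-10 10:00:10,TCP,198.51.100.7,51010,192.168.1.11,22,.AP.SF,16,2260
2012-05-10 10:00:10,TCP,198.51.100.7,51011,192.168.1.11,22,.AP.SF,16,2285
2012-05-10 10:00:09,TCP,10.0.0.9,40001,192.168.1.20,80,.AP.SF,12,9800
2012-05-10 10:00:10,TCP,10.0.0.9,40002,192.168.1.20,80,.AP.SF,40,51200
2012-05-10 10:00:11,TCP,10.0.0.9,40003,192.168.1.20,80,.AP.SF,9,3100
"""


def parse_flows(text):
    """Parse the constructed CSV layout into a list of flow dicts."""
    lines = [ln for ln in text.strip().splitlines() if ln]
    header = lines[0].split(",")
    flows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        for field in ("sport", "dport", "packets", "bytes"):
            rec[field] = int(rec[field])
        flows.append(rec)
    return flows


def is_syn_only(flow):
    """A TCP flow that never got past SYN: no ACK was ever seen."""
    return flow["proto"] == "TCP" and "S" in flow["flags"] and "A" not in flow["flags"]


def detect_syn_scanners(flows, min_targets=5, max_packets=2):
    """Sources with SYN-only flows towards at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for f in flows:
        if is_syn_only(f) and f["packets"] <= max_packets:
            targets[f["src"]].add(f["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def similarity_key(flow):
    """Flows with equal packet count and byte size (in 256-byte buckets) look alike."""
    return (flow["packets"], flow["bytes"] // 256)


def detect_brute_force(flows, min_similar=5):
    """
    Per (src, dport): report when at least min_similar established flows share
    one similarity key. SYN-only flows are excluded because no password can be
    attempted over a connection that was never established.
    """
    groups = defaultdict(list)
    for f in flows:
        if f["proto"] == "TCP" and "A" in f["flags"]:
            groups[(f["src"], f["dport"])].append(f)
    findings = {}
    for (src, dport), group in groups.items():
        key, count = Counter(similarity_key(f) for f in group).most_common(1)[0]
        if count >= min_similar:
            hit_targets = {f["dst"] for f in group if similarity_key(f) == key}
            findings[(src, dport)] = {"similar_flows": count, "targets": len(hit_targets)}
    return findings


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("SYN scanners:", detect_syn_scanners(flows))
    print("Brute force: ", detect_brute_force(flows))
```

The scanner is recognised from the many SYN-only one-packet flows to distinct hosts, while the SSH guesser is recognised from twelve established flows of almost identical size against two targets; the web client with varying flow sizes triggers neither detector. Bucketing on size rather than on payload is what makes the second method work on encrypted services.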
TELNET Malware Activities, 2009/11 to 2011/7
[Figure: TELNET scans per day against the campus network, 2009/11 to 2011/07, y-axis 100,000 to 400,000; annotated events: "Campus Network Removed from Botnet Scanning List", "Chuck Norris Botnet Suspended", "Chuck Norris Botnet Version 2"]

Chuck Norris Will Never Die or Cyber War?
- TELNET scans against a single host, 2011/10/20.
- SURFmap: http://surfmap.sf.net

Part III: Flow-based Network Protection

Goals and Components

Goals of network protection:
- Using NetFlow data to protect the network.
- Defending the perimeter against attacks from outside.
- Automated attack detection.
- Suitable for high-speed networks (10 Gbps+).

System parts:
- Sensors (⇒ NetFlow data).
- Control center (⇒ commands).
- Active network components (⇒ blocking/filtering).
- HAMOC platform: both sensor and active component.

Architecture of Network Protection
[Diagram: HAMOC devices at the edge of the protected network send NetFlow data to the NetFlow collector and control center, which sends commands back to each HAMOC.]

Part IV: Integration with Early Warning Systems

Warden: Czech academic EWS
- Client/server architecture.
- Security-related events are sent to the center.
- Clients (periodically) poll the center for new events.
- Events: port scanning, brute force attack, phishing, etc.
- Transport protocol: SOAP over HTTPS (+ SSL certificates).

Integration:
- The control center also calls a remote procedure to store a newly detected event.
- Events coming from the center may trigger an action.
- Trustworthiness of participants is a key factor!
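The integration point above says that events from the early warning center may trigger an action and that the trustworthiness of participants is key. The following added example (not code from the slides, from Warden or from the HAMOC platform) shows a control-center policy that turns an EWS event into a block only when the reporting participant is trusted and the site's own NetFlow data corroborates the report. It assumes the SOAP-over-HTTPS transport has already delivered and parsed the event into the EwsEvent structure; the field names, trust scores, thresholds and local flow sample are all constructed.

```python
"""
Control-center policy for events received from an early warning system.
Added example; event fields, trust scores and thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EwsEvent:
    source: str   # identifier of the reporting EWS participant (assumed field)
    kind: str     # e.g. "portscan" or "bruteforce" (assumed values)
    ip: str       # reported attacker address


# Constructed trust score per participant, 0.0 (none) to 1.0 (full).
# An event from a participant missing here is never acted upon.
TRUST = {"csirt-a": 0.9, "csirt-b": 0.7}

# Event kinds for which an automated block is acceptable at all; anything
# else (e.g. phishing) is handled by a human.
BLOCKABLE_KINDS = {"portscan", "bruteforce"}

# Constructed local evidence: (src, dst) pairs of recent flows seen entering
# the protected network by our own NetFlow sensors.
LOCAL_FLOWS = [("203.0.113.9", f"192.168.1.{i}") for i in range(1, 61)] + \
              [("198.51.100.4", "192.168.1.10")] * 2


def count_local_flows(flows, ip):
    """Number of recent flows our own sensors saw from `ip`."""
    return sum(1 for src, _ in flows if src == ip)


def decide_action(event, local_flow_count, trust=TRUST,
                  min_trust=0.8, min_local_flows=50):
    """
    Return "BLOCK", "ALERT" or "IGNORE".

    A block is issued only when the reporting participant is trusted enough
    AND our own NetFlow data corroborates the report. An EWS event on its own
    never blocks anything; at most it raises an alert for the operators.
    """
    if event.source not in trust:
        return "IGNORE"                       # unknown participant
    if event.kind not in BLOCKABLE_KINDS:
        return "ALERT"                        # not a kind we automate
    corroborated = local_flow_count >= min_local_flows
    if trust[event.source] >= min_trust and corroborated:
        return "BLOCK"                        # command for the active component
    return "ALERT"                            # trusted but unconfirmed, or low trust


def process_events(events, flows=LOCAL_FLOWS):
    """Map each incoming event to the action the control center would take."""
    return [(e, decide_action(e, count_local_flows(flows, e.ip))) for e in events]


if __name__ == "__main__":
    sample = [
        EwsEvent("csirt-a", "portscan", "203.0.113.9"),    # trusted + seen locally
        EwsEvent("csirt-a", "portscan", "198.51.100.4"),   # trusted, barely seen
        EwsEvent("csirt-b", "portscan", "203.0.113.9"),    # seen, but lower trust
        EwsEvent("rogue", "portscan", "203.0.113.9"),      # unknown participant
        EwsEvent("csirt-a", "phishing", "203.0.113.9"),    # not a blockable kind
    ]
    for event, action in process_events(sample):
        print(f"{action:6} {event.kind:10} {event.ip:15} reported by {event.source}")
```

Only the first event results in a block; the others produce alerts or are ignored. Requiring local corroboration is what keeps a wrong or malicious report from a single participant from turning into an automated denial of service against the protected network, which is the danger the conclusion of the talk warns about.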
Part V: In Daily Operation

Computer Security Incident Response Team of MU
- The first university CSIRT in the Visegrad Four listed and accredited in the Trusted Introducer public database.
- Provided services:
  - Incident handling and response (and its coordination).
  - Intrusion detection based on NetFlow probes and honeypots.
  - Network policy checks and network analysis (e.g., reverse DNS records, live IPs, accounting, ...).
  - User education, alerts and warnings: security advisories and bulletins.
- Constituency: tens of thousands of university students and staff.

Part VI: Conclusion

Conclusion
- Flow-based network protection is suitable for large networks.
- Online network monitoring contributes to the overall security.
- Early warning systems may profit from flow-based detection.
- Automated network protection based solely on the EWS may be dangerous.

Thank you for your attention!
Jan Vykopal, vykopal@ics.muni.cz
Project CYBER: http://www.muni.cz/ics/cyber
CSIRT-MU: http://www.muni.cz/csirt