Security Onion - IDS, NSM, and log management

What if you want an IDS that monitors for malicious activity and provides you with logs (Network Security Monitoring) and graphs to help protect your network? And what if you want an easy setup with a GUI that presents that information? Security Onion gives you the de facto IDS, Snort, along with Squert and a ton of other tools to help you. Security Onion offers the choice of Snort (http://snort.org/) or Suricata (http://suricata-ids.org/).

The setup below shows a test system using VMware with 2 processors and 2 GB of RAM if you want to try it out. While the suggested bare minimum is 3 GB, a production environment should have 8-128 GB of RAM, a ton of hard drive space for logs and two network cards: one for management and one to sniff.

Security Onion’s ISO can be downloaded from SourceForge. While there are a ton of how-tos on the internet about Security Onion, there is a great deal of information on their blog, located here.

Here’s a simple setup I did at home to try out Security Onion, using VMware Player (non-commercial use). If you plan on trying Security Onion or deploying it in a production environment, you should use the commercial version or have a system that supports the minimum requirements.


Once you restart, you’ll need to run Setup again to enter an email address for Squert and set up a password. Once this is done, you can open the shortcuts on the desktop or log in from your host computer. Then log in to Snorby’s URL.

While Snort is running, Snorby will present a dashboard. You may be surprised to see no threats once you log in. You can expedite this by running Nmap (or Zenmap) against the virtual machine if you want to see threats appear.

What is Snorby? “Snorby is a web application interface to view, search and classify Snort and Suricata alerts and generate various types of reports, such as most active IDS signatures, most active sensors, and top source and destination IP addresses.” (more information)

Once you run Nmap, click on More Options in the right corner and update the cache.


Give Security Onion just a few seconds and refresh the screen. You’ll see the events logged. This shows you visually not only how many threats were ‘seen’ on the network, but also categorizes and graphs them.


Clicking on the events will show each event and give you the option to categorize unknown threats or to reclassify threats.
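As an added example (this is not code from the original post or from the Security Onion project), here is a small Python script that does by hand what the Snorby reports described above do: it parses Snort/Suricata fast.log alert lines, counts the most active signatures, priorities and top source/destination addresses, and flags a source that triggered alerts on several ports of one host, which is the footprint an Nmap scan leaves in the alert log. The log lines, rule SIDs (100000x) and addresses are constructed for this example; the parser handles IPv4 only.

```python
import re
from collections import Counter, defaultdict
from typing import List, NamedTuple, Optional

# Constructed sample in Snort/Suricata "fast" alert format. The SIDs and
# addresses are made up for this example; the last line is deliberate noise.
SAMPLE_FAST_LOG = """\
01/28-22:26:04.877970  [**] [1:1000001:2] LOCAL SCAN Nmap SYN scan (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:51502 -> 192.168.1.10:22
01/28-22:26:04.879112  [**] [1:1000001:2] LOCAL SCAN Nmap SYN scan (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:51502 -> 192.168.1.10:80
01/28-22:26:04.880301  [**] [1:1000001:2] LOCAL SCAN Nmap SYN scan (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:51502 -> 192.168.1.10:443
01/28-22:26:05.001200  [**] [1:1000002:1] LOCAL SCAN Nmap OS fingerprint probe (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.50 -> 192.168.1.10
01/28/2014-22:26:06.120000  [**] [1:1000003:1] LOCAL POLICY SSH brute-force attempt (constructed) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.7:40001 -> 192.168.1.10:22
this line is not an alert and should be skipped
"""


class Alert(NamedTuple):
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


# One fast.log line looks like:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
# Snort writes MM/DD-HH:MM:SS.us timestamps, Suricata MM/DD/YYYY-HH:MM:SS.us; \S+ accepts both.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"   # classification is optional in fast.log
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    rf"(?P<src>{IPV4})(?::(?P<sport>\d+))?\s+->\s+"    # ICMP alerts carry no ports
    rf"(?P<dst>{IPV4})(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_log(text: str) -> List[Alert]:
    """Parse alert lines; anything that does not match the format is skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        alerts.append(Alert(
            timestamp=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
            msg=m["msg"], classification=m["cls"] or "", priority=int(m["prio"]),
            proto=m["proto"].upper(),
            src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
            dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
        ))
    return alerts


def summarize(alerts: List[Alert], top: int = 5) -> dict:
    """The Snorby-style roll-ups: most active signatures, priority mix, top talkers."""
    return {
        "top_signatures": Counter(a.msg for a in alerts).most_common(top),
        "by_priority": dict(Counter(a.priority for a in alerts)),
        "top_sources": Counter(a.src for a in alerts).most_common(top),
        "top_destinations": Counter(a.dst for a in alerts).most_common(top),
    }


def flag_port_scanners(alerts: List[Alert], min_distinct_ports: int = 3) -> dict:
    """(src, dst) pairs where one source triggered alerts on several distinct
    destination ports of the same host, i.e. what a port scan leaves behind."""
    ports = defaultdict(set)
    for a in alerts:
        if a.dport is not None:
            ports[(a.src, a.dst)].add(a.dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_distinct_ports}


if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE_FAST_LOG)
    for key, value in summarize(parsed).items():
        print(f"{key}: {value}")
    for (src, dst), n in flag_port_scanners(parsed).items():
        print(f"possible port scan: {src} -> {dst} ({n} distinct ports)")
```

Run it against a real `/nsm/sensor_data/<sensor>/fast.log` (path is an assumption; your deployment may differ) and the same roll-ups Snorby graphs fall out, which is a useful cross-check when the dashboard shows nothing after a scan.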

Logging in to Squert allows you to see threats along with maps and details about them.


Squert map

ELSA allows you to query the collected logs and look for information.


What does Nmap show when Security Onion is scanned?


Introduction to Security Onion

Security Onion Blog


Protecting your network by pen testing it

This post is for educational purposes, and any use of these tools against a network without explicit permission could be illegal. Metasploit is designed to identify weaknesses in networks and in the hardware/software on a network. Do NOT use Metasploit for other reasons.

Want to protect your network and the computers on it? You can get updates for your operating systems (Linux, Mac, iOS, Android, Windows or whatever) along with updates for third-party programs, yet you can still be insecure. When updating these products, you also have to remember firmware and updates for wireless devices, access points, bridges, firewalls, routers, switches, SCADA devices, robots, mobile devices, printers and any other device on your network.

Metasploit

http://www.metasploit.com/download/

Metasploit Community is free and allows a free scan of your network or server. Although limited (try Pro for details and brute force), Metasploit Community is a first step in finding open services and ports on your operating systems and on hardware devices such as routers. The trick to installing Metasploit is that your antivirus will flag it: disable it or add exceptions for what it finds. You should truly install the software inside a VM (virtual machine) so that your computer remains protected.

You can use Metasploit to protect your network by ‘seeing’ what a hacker or malicious person would see. Truly a tool for network professionals and auditors, this software can help you identify services, ports and weaknesses in your network.

There are several versions of Metasploit – Community, Pro, Express and Framework (Compare Editions).


The above scan was run in a controlled lab. Malicious scanning of networks may be illegal. Read Penetration Basics on Metasploit’s website.

Tutorials (Videos)

Need a small wireless access point or wireless router?

Here’s one of the smallest, most feature-packed and powerful routers for under $30. The NetShair Nano by IOGEAR offers some of the most features money can buy. Here’s how it works (interactive). (Thanks Jeremy for bringing it in!)

  • Compact design USB powered ultra-portable Wi-Fi router with USB pass-through
  • Converts any wired Internet connection to Wi-Fi
  • Perfect accessory for Ultrabooks, MacBook Air and other devices without Ethernet ports
  • Serves as a DHCP Router or Access Point
  • Plugs into any USB port or USB charger for power
  • USB pass-through (no loss of USB port when connected)
  • Free apps for iPod®/iPhone®/iPad® and Android operating systems
  • IEEE 802.11b/g/n compliant 150Mbps speed
  • Supports WEP, WPA and WPA2 64/128 bit security
  • VPN
  • Firewall
  • more
Warranty: 1 year

What about the Zyxel routers/APs we featured in late 2013? Here are some pics from an earlier blog post. With a router/AP switch on the side and the ability to act as a router, AP or bridge, the routers came with two power supplies each, a CAT5 cable and a very powerful wireless signal.


As we go through the CWTS curriculum, students are exposed to many different types of routers. The Zyxel MWR102 is a tiny router (only 2.9″ x 2.3″ x .6″) that you can use when in a pinch or even in a small apartment.


This tiny router packs a ton of features. At under $20, the router’s specs prove it gives a full-size router a run for the money.

Zyxel specs - USB Powered 150Mbps Wireless-N Fast Ethernet Travel Router

Features:

  • Pocket-sized router/AP for internet access on the go
  • 3-in-1 functionality – Router, Access Point, and Client Bridge
  • Wirelessly share a wired Internet connection with multiple friends, colleagues, or devices
  • 802.11n wireless connectivity for data transfer rates of up to 150 Mbps
  • USB or AC power provides flexibility for any situation

Hardware Specifications:

  • Ports: Two (2) 10/100 Mbps (1x WAN, 1x LAN); One (1) MiniUSB (for power)
  • Power: 5V DC USB

System Specifications:

  • Wireless Standard: IEEE802.3, IEEE 802.3u; IEEE802.11n auto rate up to 150Mbps; IEEE802.11b/g compatible auto rate up to 54Mbps; IEEE802.1x MDI/MDI-X adaptive flow-control; IEEE802.1p; IEEE802.3x; IEEE802.3az
  • Operating Modes: Router, Access Point, WiFi Client Bridge (yep, even a wireless bridge…)
  • Wireless Security: WEP, WPA-PSK, WPA2-PSK
  • Security: 64/128-bit WPA/WPA2, SPI Firewall, WPS Setup
  • Routing and IP Management: Static IP, DHCP, PPPoE, NAT

Unit Dimensions: 0.61 x 2.93 x 2.32 inches (H x W x D). Is anything smaller?

Where can you buy it?

How to flush the DNS cache on Mac, Linux or Windows

If websites are not appearing correctly, connections time out, or you cannot find a computer on a network, you may need to flush the DNS cache. Here’s how to do it:

Microsoft Windows

- Go to a command prompt as an administrator
- Type ipconfig /flushdns

Linux

- Go to the terminal
- Type /etc/rc.d/init.d/nscd restart   (restarts the name service cache daemon; the init script path varies by distribution)

Mac OS X Mountain Lion or Lion

- Go to the terminal
- Type sudo killall -HUP mDNSResponder

Mac OS X (earlier versions)

- Go to the terminal
- Type sudo dscacheutil -flushcache

iPad

Reboot it to flush the cache or turn Airplane Mode on and off.

Ultimately, resetting the network settings on the iPad will flush the DNS cache. To reset the network settings:

  • Tap the Settings icon
  • Tap General
  • At the bottom of the column tap Reset
  • Choose Reset Network Settings

iPhones and Androids can be rebooted (powered down) to flush the DNS cache.

Network Switches – Avoid Daisy-Chains

When you are networking computers, wireless access points, printers and other nodes in multiple rooms, try to avoid daisy-chaining switches or using small 4-8 port switches just because you are in a hurry. Replace any hubs on your network as soon as you can.

With a hub, collisions can be >20% and utilization can sit at >50%. By replacing a hub alone, you can reduce collisions to 5% on switches in rooms and <1% in the server room. Switches help to isolate traffic, relieve congestion, separate collision domains (reducing collisions), segment the network and restart the distance/repeater rules.

Daisy Chaining Switches - what not to do

Real-world scenarios may require you to temporarily daisy-chain switches. If you do, test the network and run additional backbones or replace core switches to accommodate more nodes as soon as you can. (Remember, replace any hubs in your network.)

One of many solutions is to run independent lines to the core switch.

Basic tips on optimization of your network:

  • Use stackable managed switches
  • Purchase switches that support IEEE 802.1D, IEEE 802.1p, IEEE 802.1Q, IEEE 802.1s, IEEE 802.1w, IEEE 802.1x, IEEE 802.3, IEEE 802.3ab, IEEE 802.3ad (LACP), IEEE 802.3ae, IEEE 802.3u, IEEE 802.3x, IEEE 802.3z
  • Use a battery backup on the switches

These are the very basics of network switch infrastructure. Managing your switches and using the IEEE standards above, along with optimizing and managing the rest of the network infrastructure, is important.

Excellent articles on Networking Infrastructure

http://www.lantronix.com/resources/net-tutor-switching.html

http://www.techrepublic.com/blog/it-consultant/only-novices-daisy-chain-switches/


October is National Cyber Security Awareness Month


National Cyber Security Awareness Month (NCSAM) – celebrated every October – was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online.

Free Security Check ups

The Tennessee College of Applied Technology – Shelbyville is listed as a champion.


List of all Champions

Get Involved!


A wireless printer for home and small businesses

Need a good wireless printer for your home or office?

Samsung has a line of wireless printers that can’t be beat. We are always asked if there is a printer that supports tablets, smartphones, and computers. The SCX-3405W series wireless printer offers enterprise-level features and excellent performance that is hard to beat. The SCX-3405W laser printer can be purchased for less than $100.00 and is a multifunction printer that is easy to set up and use.

Scanning is done to your computer, and printing is rated at 20 pages per minute with the first page out in less than 8 seconds. Copying takes less than 14 seconds. ECO printing saves toner and offers options such as printing two pages on one sheet and removing images. Printing can be as sharp as 1200 dpi.

Installation of the printer is done over a USB cable during the initial setup. The step-by-step software helps you connect the printer to your wireless access point securely. Once the printer is on your network, Samsung’s SyncThru Web Service lets the printer be managed from any device on your network.

Supplies and printer usage can be monitored by the web interface.


The initial toner is rated for approximately 750 sheets.   Full toner cartridges are rated for 1500 sheets.

Samsung offers continuous updates to both the software and the firmware for the printer, to fix security issues, add features, increase performance or correct errors.

Managing the printer and updating firmware is easy.

Upgrading the firmware is done through the Maintenance menu. The default login is Admin and SEC00000. This login can be changed (the interface prompts you on each login) and should be changed on your first visit. To obtain the latest drivers or firmware, visit Samsung online.

To update your firmware, download the file to your desktop and unzip it once the download is complete. Click on Maintenance, click on the Upgrade Wizard and follow the prompts.

Once you select the file, you will note that the word fakepath is substituted for the full path to your file. This is the browser hiding your local directory path from the web page, not an error; the upload still works.

The file is verified and you will be shown your current version and the new version during this process.


During the upgrade process, you will see a programming screen. Be patient during this process.

The printer offers enterprise-level protocols (SNMP, all versions; IPv6 and others). The printer includes Google Cloud Print so you can print on the go, and all major operating systems (Apple, Microsoft and Linux) are supported. Support for mobile devices is included as well.

While inkjet cartridges have increased in efficiency, laser printers are generally more durable and efficient. The support for multiple operating systems, enterprise protocols and ECO print makes this printer an ideal device for your network.

CIT Continues Advanced Training on Airfiber AF24s

The Computer Information Technology class continues to receive advanced training on the Ubiquiti AF24 airFiber. The AF24 is a high-power, linear 2x2 MIMO radio with enhanced receiver performance and reliability. The AF24 has a breakthrough speed of 1.4+ Gbps real data throughput.

These devices are specifically designed for outdoor point-to-point bridging between buildings and provide high-performance network backhauls. These dual-independent 2x2 MIMO 24 GHz high-gain reflector antenna systems can operate in FDD and HDD modes, providing speed and spectral efficiency in the 24 GHz band.

Students learn how to configure advanced wireless devices for real-world information technology and gain hands-on experience.


Justin, Josh and Theo’s results during a configuration of the AF24s.

Students also participate in a wireless shoot-off. This contest challenges the students to design an antenna that will make an association between a standard access point and a laptop at extreme distances. The contest will start the second week of April.

(L-R) Jay Matlock, Jonathan Laine, Scott Hess (designer of a parabolic dish with a helical transceiver), Tyler Clift and Kenny Cooper.

Photo by D. Babian


Great details about building the airFiber link are in the video below (from 03:17 forward).


Photos above (D. Babian)


Photo credit: Wil McKamey

Emsisoft Free Emergency Kit vs. Java Exploit

Mickey was repairing a computer and got a first-hand look at a machine with a few viruses on it. Here are some screenshots he shared with me during his long, tireless battle. After endlessly working with and fighting the computer, he selected Emsisoft’s free Emergency Kit 3.0 to remove the viruses, along with several other anti-malware programs.

If you have not disabled or updated Java, you should do so before you face a long removal process or reinstalling your OS and software.


This flaw (Java 7) can be exploited on Linux and Mac operating systems as well. Yes, these users are included too; the malicious programmers didn’t leave anyone out.

Latest Java Download

Setting the optimal MTU inside of your router

How you find the optimal MTU setting is truly a matter of opinion. Here is what we do. Remember that setting the MTU on firewalls, routers and your computers will truly tune your connection. Start on the outside: change your router or firewall first, then each computer (use TCP Optimizer for computers). Don’t forget access points and other devices.

  • Find an ISP or a website you can ping.
  • Ping the website from the command prompt (Windows) using the following command:
  • ping -f -l 1472 www.yourwebsiteaddress.com   (the -l is a lowercase “L”, there is a space between each switch, and ping takes a host name, not a URL)
  • Hit the Enter key.
  • If you receive the fragmentation message, reduce the number by 10 or 20 until you get replies. Then increase the number by 1 until you reach the largest size that does not produce a fragmentation message (the boundary between the high and low values).
  • Now add 28 to this number. (Why? Because you specified only the ping payload size, which does not include the 28-byte IP and ICMP headers.)
  • This gives you your MaxMTU size. (Enter this into your devices and into your OS.)

Other Operating Systems

Linux users

ping -M do -s 1472 www.yourwebsiteaddress.com   (-M do sets the don’t-fragment bit; without it Linux ping will silently fragment)

Apple users:

ping -D -s 1472 www.yourwebsiteaddress.com

Linux and Apple commands are case sensitive.

Here’s a quick example where I ran all the way down to 1400. Therefore I would add 28 bytes and the MaxMTU would be 1428.

C:\Users\x2370>ping -f -l 1450 http://www.somewhereoverthere  (use your ISP here)

Pinging http://www.somewhereoverthere [ IP Address] with 1450 bytes of data:
Reply from 192.168.1.1: Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for  IP Address:
Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),

C:\Users\x2370>ping -f -l 1400 www.somewhereoverthere  (use your ISP here)

Pinging http://www.somewhereoverthere [IP Address] with 1400 bytes of data:
Reply from IP Address: bytes=1400 time=161ms TTL=110
Reply from  IP Address: bytes=1400 time=80ms TTL=110
Reply from  IP Address: bytes=1400 time=60ms TTL=110
Reply from  IP Address: bytes=1400 time=124ms TTL=110

Ping statistics for  IP Address:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 60ms, Maximum = 161ms, Average = 106ms
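As an added example that is not part of the original post: the search above carried through as a Python script. It replaces the step-down/step-up by hand with a binary search between a payload that passes and one that fragments, then adds the 28 header bytes. `simulated_probe` is a constructed stand-in for a path with a known MTU so the script runs offline and can be checked (the 1428 case matches the transcript above); `ping_probe` issues real don’t-fragment pings with the flags from the post (Windows -f -l, Linux -M do -s, macOS -D -s) and treats any “needs to be fragmented” or “message too long” output as a failure, since on Windows the error reply still counts as “received”. The host name and the hypothetical path MTUs are assumptions.

```python
import platform
import subprocess
import sys
from typing import Callable

# 20-byte IPv4 header + 8-byte ICMP header: the "add 28" step in the post.
IP_ICMP_HEADER_BYTES = 28

# A probe takes a payload size in bytes and answers True if it got through unfragmented.
Probe = Callable[[int], bool]


def simulated_probe(path_mtu: int) -> Probe:
    """Constructed stand-in for a real path whose MTU is path_mtu (offline testing only)."""
    def probe(payload_size: int) -> bool:
        return payload_size + IP_ICMP_HEADER_BYTES <= path_mtu
    return probe


def ping_probe(host: str, timeout_s: int = 2) -> Probe:
    """Real probe: one don't-fragment ping of payload_size bytes to host.
    The exit code alone is not reliable on Windows, which counts the ICMP
    'needs to be fragmented' error as a received reply, so the output is checked too."""
    system = platform.system()

    def probe(payload_size: int) -> bool:
        if system == "Windows":
            cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-f", "-l", str(payload_size), host]
        elif system == "Darwin":  # macOS: -D sets the don't-fragment bit
            cmd = ["ping", "-c", "1", "-D", "-s", str(payload_size), host]
        else:  # Linux (iputils): -M do sets the don't-fragment bit
            cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload_size), host]
        result = subprocess.run(cmd, capture_output=True, text=True)
        out = (result.stdout + result.stderr).lower()
        return result.returncode == 0 and "fragment" not in out and "too long" not in out

    return probe


def find_max_payload(probe: Probe, lo: int = 100, hi: int = 1472) -> int:
    """Largest payload size that passes the probe, found by binary search.
    lo must pass; if hi already passes there is nothing to shrink and hi is returned.
    1472 is the post's starting point: a 1500-byte Ethernet MTU minus the 28 header bytes."""
    if not probe(lo):
        raise RuntimeError(f"a {lo}-byte probe already fails; check connectivity first")
    if probe(hi):
        return hi
    while hi - lo > 1:  # invariant: probe(lo) passes, probe(hi) fails
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def find_max_mtu(probe: Probe, lo: int = 100, hi: int = 1472) -> int:
    """MaxMTU as the post defines it: largest unfragmented payload plus 28 header bytes."""
    return find_max_payload(probe, lo, hi) + IP_ICMP_HEADER_BYTES


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python mtu.py www.yourwebsiteaddress.com  (host name is an assumption)
        host = sys.argv[1]
        print(f"MaxMTU to {host} = {find_max_mtu(ping_probe(host))}")
    else:
        # Hypothetical path MTUs: plain Ethernet, PPPoE, and the post's own example.
        for mtu in (1500, 1492, 1428):
            sim = simulated_probe(mtu)
            print(f"path MTU {mtu}: largest payload {find_max_payload(sim)}, MaxMTU {find_max_mtu(sim)}")
```

The binary search needs about eleven probes to settle on a value in the 100 to 1472 range, versus the dozens that stepping by 10 and then by 1 takes by hand, and the invariant comment on the loop is the argument that it lands exactly on the largest passing size.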

Always test your internet connection before and after. Use a true speed test such as Testmy.net.

Testmy.net has been around since 1996 and uses real-world speed tests. Testmy.net is also NOT owned by an ISP, so there is no chance of inflated scores or speeds.

Give it a try and use the Download and Upload link from the menu.

VMware Player Review – Virtualization that’s easy

VMware Player allows for the installation of a virtual machine on your workstation. This means of running a second operating system within your operating system allows you to test or use an operating system of your choice. The user-friendly interface is truly the easiest virtualization software there is. Anyone wanting to try Windows 8 or any Linux distro can use this software to test operating systems. VMware Player can be downloaded here.

VMware Player is fully customizable, and the wizard provides well-written instructions with easy-to-find settings. Kudos to VMware for providing this excellent piece of software with an easy-to-use interface.

Remember, once you start the VM, clicking the mouse in the window gives the VM focus. To release the mouse, press Ctrl-Alt.

You must also remember to protect any OS in a VM.  (Antivirus information)

The first thing you will need is an .iso of your operating system of choice.


The ISO used here is 32-bit Windows 7 with SP1.

Next, install VMware Player. The installation is straightforward and easy even for a novice.

Now start the VMware Player by double clicking on the icon on your desktop.   In this scenario we created a new virtual machine.


The New Virtual Machine Wizard walks you through step by step in setting up your operating system.


The wizard will ask for the location of the ISO, or you can install from your DVD drive. Select the appropriate location at this time.

Enter your product key and information if prompted to do so. The Easy Install information automates the installation process. You can of course customize Windows, reset passwords, enable the Administrator account and change information once the operating system is installed.

Once the wizard reaches the customization stages for your hard drive, you can adjust this to meet your needs.


You can select the Customize Hardware button to adjust memory, processors and other hardware. Remember to leave your host machine plenty of memory. Do not allocate more resources than you have; this may cause lockups or other errors when launching your OS.

One of the best features is the Network Adapter Advanced Settings. It allows you to bridge or NAT (put your VM on a separate network, hidden from other computers on your network). Bridging allows your virtual computer to be ‘seen’ by other computers as though it were a physical computer. Because you are sharing a network card, you can limit the bandwidth (inbound and outbound traffic) of the virtual computer.

You can also generate a MAC address for the computer at this time.

The screenshot below (post install) shows the virtual computer when bridged (on the same network).


It is important to keep an eye on the resources of your host computer.  You can do this by using the Windows Task Manager.


Once you finish, Windows will launch into setup mode. You will see a message alerting you to other devices that can be used (webcams and other devices) if they are available.

As you can see from the screenshot below, the IP address is on the same network as my other computers. This allows the VM to share out documents and to use any device on the network.

VMware Tools provides drivers and other features.

Installing the tools

Once the tools are installed, restart the operating system.

Remember the option to use other devices during the setup, items such as the webcam? Click on Player when the VM starts and you will see the other devices.

Extra Stuff

You should also run a side-by-side comparison of the Task Managers to ‘see’ how many resources you are using. As you can see, the host (left) is maxing out the memory of the host computer, while the virtual computer is not using all of its allocated memory. Therefore the 2 GB of RAM allocated can be tweaked downward if performance is not an issue.

Side by Side comparisons of resources

Once the VM is shut down, you can adjust the settings in the console.

Among the dozens of tweaks and configurations, one of the best is the defragment, expand and compact options under the hard disk in the virtual machine settings. (Compact only sorts the grain tables and has no effect on size, but it does optimize your VM.)

Overall, VMware Player is an excellent tool that can be used (non-commercially) by anyone wanting to experiment with, install, test or run another operating system. Performance depends on the shared resources of the host computer, and the ease of setup is definitely a pro. Users should make every effort to ensure they have adequate resources on the host computer so that the maximum amount of memory and other resources can be dedicated to the virtual machine.

Linux Kernel Host Kernel.org Breached

The site that hosts the Linux kernel’s source code, Kernel.org, was compromised earlier this month. The discovery was made on August 28th; steps are now being taken to enhance security for the site, and recovery is underway. Read more on ReadWrite Enterprise.