Security Onion- IDS, NSM, and log management

What if you want an IDS that monitors malicious activity and provides you with logs (Network Security Monitoring) and graphs to help protect your network? And what if you want an easy setup with a GUI that presents that information in a useful way? Security Onion provides the de facto standard IDS, Snort, along with Squert and a ton of other tools to help you. For the IDS engine itself, Security Onion offers the choice of Snort (http://snort.org/) or Suricata (http://suricata-ids.org/).

The setup below shows a test system running under VMware with 2 processors and 2 GB of RAM, if you want to try it out. While the suggested bare minimum is 3 GB, a production environment should have 8-128 GB of RAM, a ton of hard drive space for logs and two network cards: one for management and one to sniff.

Security Onion’s ISO can be downloaded from SourceForge. While there are a ton of how-tos on the internet about Security Onion, there is also a great deal of information on their blog, located here.

Here’s a simple setup I did at home to try out Security Onion, using VMware Player (non-commercial use). If you plan on trying Security Onion seriously or deploying it in a production environment, you should use the commercial version of VMware or have a system that meets the minimum requirements.


Once you restart, you’ll need to run setup again to enter an email address for Squert and set up a password. Once this is done, you can open the shortcuts on the desktop or use your host computer to log in. Once this is complete, log in to Snorby’s URL.

While Snort is running, Snorby will present a dashboard. You may be surprised to see no threats once you log in. You can expedite this by running Nmap (Zenmap) against the virtual machine if you want to see threats.

What is Snorby? “Snorby is a web application interface to view, search and classify Snort and Suricata alerts and generate various types of reports, such as most active IDS signatures, most active sensors, and top source and destination IP addresses.” (More information.)
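The reports Snorby is describing (most active signatures, top source and destination addresses, a severity breakdown) are counts taken over the alert stream the sensor writes. As an added example, not code from the original post or from Security Onion or Snorby, the Python below parses a few constructed lines in Snort’s alert_fast format and produces that same kind of summary, bucketing by Snort priority the way the severity chart does.

```python
import re
from collections import Counter

# Constructed sample lines in Snort's alert_fast format (not real captures).
SAMPLE_ALERTS = """\
05/06-12:34:56.123456  [**] [1:1000001:1] NMAP TCP SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:54321 -> 192.168.1.10:22
05/06-12:34:56.223456  [**] [1:1000001:1] NMAP TCP SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:54322 -> 192.168.1.10:80
05/06-12:34:57.001000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.50 -> 192.168.1.10
05/06-12:35:10.500000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 192.168.1.10:80 -> 192.168.1.50:54323
this line is not an alert and is skipped
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, then "src[:port] -> dst[:port]" (no ports for ICMP).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alerts(text):
    """Return a list of dicts, one per well-formed alert line; junk lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["priority"] = int(d.pop("prio"))
            events.append(d)
    return events

def severity(priority):
    """Snort priority 1 is high, 2 medium, anything else low (the usual high/medium/low split)."""
    return {1: "high", 2: "medium"}.get(priority, "low")

def summarize(events, top=5):
    """The counts behind a Snorby-style dashboard."""
    return {
        "by_severity": Counter(severity(e["priority"]) for e in events),
        "top_signatures": Counter(e["msg"] for e in events).most_common(top),
        "top_sources": Counter(e["src"] for e in events).most_common(top),
        "top_destinations": Counter(e["dst"] for e in events).most_common(top),
    }

if __name__ == "__main__":
    for name, value in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(name, value)
```

Point it at a real alert file from the sensor (read the file instead of SAMPLE_ALERTS) to get the same counts the dashboard shows, which is handy for checking that logging is actually working after a test scan.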

Once you run Nmap, click on More Options in the right corner and update the cache.


Give Security Onion just a few seconds and refresh the screen. You’ll see the events logged. This will visually show you not only how many threats were ‘seen’ on the network but will also categorize and graph them.


Clicking on the events will show each event and give you the option to categorize unknown threats or to reclassify threats.

Logging in to Squert allows you to see threats along with maps and information about those threats.


ELSA allows you to query the collected logs and search for information.


What does Nmap show when Security Onion itself is scanned? Is it logging?


Introduction to Security Onion

Security Onion Blog

 

Protecting your network by pen testing it

This post is for educational purposes and any use of these tools against a network without explicit permission could be illegal. Metasploit is designed to identify weaknesses in networks and in the hardware/software on a network. Do NOT use Metasploit for other reasons.

Want to protect your network and the computers in your network? You can get updates for your operating systems (Linux, Mac, iOS, Android, Windows or whatever) along with updates for third-party programs, yet you can still be insecure. When updating these products, you also have to remember firmware updates for wireless devices, access points, bridges, firewalls, routers, switches, SCADA devices, robots, mobile devices, printers and every other device on your network.

Metasploit

http://www.metasploit.com/download/

Metasploit Community is free and allows a free scan of your network or server. Although limited (try Pro for details and brute-force features), Metasploit Community is a first step in finding open services and ports on your operating system, on hardware devices such as routers, and on other devices. The trick to installing Metasploit is to disable your antivirus or add exceptions for what your antivirus flags. You should really install the software inside a VM (virtual machine) so that your host computer remains protected.

You can use Metasploit to protect your network by ‘seeing’ what a hacker or malicious person would see. Intended for network professionals and auditors, this software can help you identify services, ports and weaknesses in your network.

There are several versions of Metasploit – Community, Pro, Express and Framework (Compare Editions)


The scan shown was run in a controlled lab. Malicious scanning of networks may be illegal. Read Penetration Basics on Metasploit’s website.

Tutorials (Videos)

Need a small wireless access point or wireless router?

Here’s one of the smallest, most feature-packed and powerful routers for under $30. The NetShair Nano by IOGEAR offers some of the most features money can buy. Here’s how it works (interactive). (Thanks, Jeremy, for bringing it in!)

  • Compact design USB powered ultra-portable Wi-Fi router with USB pass-through
  • Converts any wired Internet connection to Wi-Fi
  • Perfect accessory for Ultrabooks, MacBook Air and other devices without Ethernet ports
  • Serves as a DHCP Router or Access Point
  • Plugs into any USB port or USB charger for power
  • USB pass-through (no loss of USB port when connected)
  • Free apps for iPod®/iPhone®/iPad® and Android operating systems
  • IEEE 802.11b/g/n compliant 150Mbps speed
  • Supports WEP, WPA and WPA2 64/128 bit security
  • VPN
  • Firewall
  • more
Warranty:   1-YEAR

What about the Zyxel routers/APs we featured in late 2013? Here are some pics from our earlier blog post. With a router/AP switch on the side and the ability to act as a router, AP or bridge, the routers came with two power supplies each, a CAT5 cable and a very powerful wireless signal.


As we go through the CWTS curriculum, students are exposed to many different types of routers.  The Zyxel MWR102 is a tiny router (only 2.9″ x 2.3″ x .6″) that you can use when in a pinch or even in a small apartment.


This tiny router packs a ton of features. At under $20, the router’s specs give a full-size router a run for its money.

Zyxel specs: USB Powered 150Mbps Wireless-N Fast Ethernet Travel Router

Features:

  • Pocket-sized router/AP for internet access on the go
  • 3-in-1 functionality – Router, Access Point, and Client Bridge
  • Wirelessly share a wired Internet connection with multiple friends, colleagues, or devices
  • 802.11n wireless connectivity for data transfer rates of up to 150 Mbps
  • USB or AC power provides flexibility for any situation

Hardware Specifications:

Ports:
  • Two (2) 10/100 Mbps (1x WAN, 1x LAN)
  • One (1) Mini USB (for power)

Power:
  • 5V DC USB

System Specifications:

Wireless Standard:
  • IEEE 802.3, IEEE 802.3u
  • IEEE 802.11n auto rate up to 150 Mbps
  • IEEE 802.11b/g compatible auto rate up to 54 Mbps
  • IEEE 802.1x MDI/MDI-X adaptive flow control
  • IEEE 802.1p
  • IEEE 802.3x
  • IEEE 802.3az

Operating Modes:
  • Router
  • Access Point
  • WiFi Client Bridge (yep, even a wireless bridge…)

Wireless Security:
  • WEP, WPA-PSK, WPA2-PSK

Security:
  • 64/128-bit WPA/WPA2
  • SPI Firewall
  • WPS Setup

Routing and IP Management:
  • Static IP
  • DHCP
  • PPPoE
  • NAT

Unit Dimensions:
  • 0.61 x 2.93 x 2.32 inches (H x W x D) (is anything smaller?)

Where can you buy it?

How to flush the DNS cache on Mac, Linux or Windows

If websites are not appearing correctly, connections time out or if you cannot find a computer on a network, you may need to flush the DNS cache.  Here’s how to do it-

Microsoft Windows

- Open a command prompt as an administrator
- Type ipconfig /flushdns

Linux (systems running the nscd name service cache daemon)

- Go to the terminal
- Type /etc/rc.d/init.d/nscd restart

Mac OS X Mountain Lion or Lion

- Go to the terminal
- Type sudo killall -HUP mDNSResponder

Mac OS X Snow Leopard or Leopard

- Go to the terminal
- Type sudo dscacheutil -flushcache

iPad

Reboot it to flush the cache or turn Airplane Mode on and off.

Ultimately resetting the network settings on the iPad will flush the DNS cache.
To reset the Network Settings-

  • Tap the Settings icon
  • Tap General
  • At the bottom of the column tap Reset
  • Choose Reset Network Settings

iPhones and Androids can be rebooted (powered down) to flush the DNS cache.

Network Switches – Avoid Daisy-Chains

When you are networking computers, wireless access points, printers and other nodes in multiple rooms, try to avoid daisy-chaining switches or using small 4-8 port switches when you are in a hurry.  Replace any hubs on your network as soon as you can.

With a hub, collisions can be >20% and utilization can sit at >50%. By replacing a hub alone, you can reduce collisions to 5% on switches in rooms and <1% in the server room. Switches help to isolate traffic, relieve congestion, separate collision domains (reduce collisions), segment the network and reset the distance/repeater rules on each port.

Daisy Chaining Switches – what not to do

Real-world scenarios may require you to temporarily daisy-chain switches. If you do, test the network, and run additional backbone links or replace core switches to accommodate more nodes as soon as you can. (Remember: replace any hubs in your network.)


One of many solutions is to run an independent line from each room back to the core switch.


Basic tips on optimizing your network:

  • Use stackable managed switches
  • Purchase switches that support IEEE 802.1D, IEEE 802.1p, IEEE 802.1Q, IEEE 802.1s, IEEE 802.1w, IEEE 802.1x, IEEE 802.3, IEEE 802.3ab, IEEE 802.3ad (LACP), IEEE 802.3ae, IEEE 802.3u, IEEE 802.3x and IEEE 802.3z
  • Use a battery backup on the switches

These are the very basics of network switch infrastructure. Managing your switches, using the IEEE standards above, optimizing your network and managing the network infrastructure are all important.

Excellent articles on Networking Infrastructure

http://www.lantronix.com/resources/net-tutor-switching.html

http://www.techrepublic.com/blog/it-consultant/only-novices-daisy-chain-switches/

 

October is National Cyber Security Awareness Month


National Cyber Security Awareness Month (NCSAM) – celebrated every October – was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online.

Free Security Check ups

The Tennessee College of Applied Technology – Shelbyville is listed as a champion.


List of all Champions

Get Involved!

See more at: http://www.staysafeonline.org/ncsam/get-involved/promote-ncsam

A wireless printer for home and small businesses

Need a good wireless printer for your home or office?

Samsung has a line of wireless printers that can’t be beat. We are always asked if there is a printer that supports tablets, smartphones and computers. The SCX-3405w series wireless printer offers enterprise-level features and excellent performance that is hard to beat. The SCX-3405w laser printer can be purchased for less than $100.00 and is a multifunction printer that is easy to set up and use.

Scanning is done to your computer, and printing is rated at 20 pages per minute with the first page out in less than 8 seconds. Copying takes less than 14 seconds. With ECO printing, toner is saved, and options such as printing two pages on one sheet and removing images are available. Print resolution can be as sharp as 1200 dpi.


Installation of the printer is done by USB cable during the initial setup. The step-by-step software helps you connect the printer to your wireless access point securely. Once the printer is on your network, Samsung’s SyncThru Web Service lets you manage the printer from any device on your network.

Supplies and printer usage can be monitored by the web interface.


The initial toner is rated for approximately 750 sheets.   Full toner cartridges are rated for 1500 sheets.

Samsung offers continuous updates to both the software and the firmware for the printer, to fix security issues, add features, increase performance or correct errors.

Managing the printer and updating firmware is easy.

Upgrading the firmware is done through the Maintenance menu. The default login is Admin and SEC00000. This login can be changed (the interface prompts you on each login) and should be changed on your first visit, since the default is the same on every unit shipped. To obtain the latest drivers or firmware, visit Samsung online.

To update your firmware, download the file to your desktop and unzip it once the download is complete. Click on Maintenance, click on the Upgrade Wizard and follow the prompts.


Once you select the file, you will note that the word fakepath is substituted for the full path to your file. This is the browser hiding your local folder structure from the web page, not a problem with the printer; the upload still works.


The file is verified and you will be shown your current version and the new version during this process.


During the upgrade process, you will see a programming screen. Be patient and do not power off the printer until it finishes.


The printer offers enterprise-level protocols (all versions of SNMP, IPv6 and others). The printer includes Google Cloud Print so you can print on the go, and all operating systems (Apple, Microsoft and Linux) are supported. Support for mobile devices is included as well.


While inkjet cartridges have increased in efficiency, laser printers are generally more durable and efficient. The support for multiple operating systems, enterprise protocols and ECO print makes this printer an ideal device for your network.