WWDC2004 Session 635
Transcript
Kind: captions
Language: en
Thanks a lot, folks. I'm [name inaudible], and I manage one of the developer technical support teams, and I have the great pleasure of bringing up two people who spend their days worrying about security. Brian Sathianathan is part of our Emerging Technologies team, and Damien Weiss is part of our Apple Consulting team, and they spend their days, as I said, thinking about how to make things more secure. So if you'll help me welcome to the stage Brian Sathianathan and Damien Weiss.

I want to say welcome again to this session, 635, Security Best Practices Using Open Source Tools. My name is Brian Sathianathan. I work for a group called Emerging Technologies; we are involved in design, architecture and security for Apple's internal IT group. My co-presenter here is Damien Weiss; he is an Apple consulting engineer, and he will be introducing himself during his presentation. Having said that, let's move to the presentation.

With the growth of the internet, more and more people are getting onto the internet, businesses are getting onto the internet, and there is a lot of commerce done on the internet. All these different factors have created the demand for security. To make things worse, in the past five or six years the number of vulnerabilities that have been reported, the threats that have been reported, and the virus attacks that have been reported have almost doubled. So all these events tell us a simple story: 19 letters, three words, one idea. Security is important.

The good news here is that OS X is a secure platform. It's got UNIX at its core, it's got security at its core, and it's got security at all the different levels. It also has so many different tools to enhance security. Especially as a system administrator, you could use OS X to increase the security of your platform, and you could use OS X as an administrative platform to administer other machines in the network; you could use OS X to do scanning, to do detection and so many different security activities.

What are you going to learn here in this presentation?
Initially you are going to learn about some of the user-level open source tools: tools that ship by default with the OS, tools that you can use to enhance the security in your organization, how you configure these tools, and what are some of the hardening techniques that you can apply to these tools. You're also going to look at some of the network scanning tools: how you use intrusion detection software, what are some of the scanning tools, what are some of the event correlation software packages, and how you can detect file changes, file system changes, file tampering and all these different activities. And finally you are going to see how we can use some common security libraries which are common to all these different tools, how we can build on top of these tools, and get a general awareness of what's inside these security tools and so on. So it's going to be a real interesting journey.

We can approach security from three different angles. There are three different areas where potential security attacks can come from: from the physical side; from the application side, where an attacker could attack your application and gain unauthorized access through your application or upload malicious code through the application; and also from the network side. This section is actually added to make the presentation complete, but I'm going to quickly skim through it.

Physical security: this is often the hardest to obtain, because it involves humans and it also involves the responsibility of all the different departments in the organization, so this is actually the harder one to obtain. No matter how secure your system is in terms of software and hardware, if somebody gains physical access to your system there are so many different ways they can jeopardize the system. I just want to highlight two things here. I want to talk about unprotected wireless networks, especially networks that aren't protected, where people can drive around with antennas and try to get into these networks, and attackers can use such networks as launch pads. Especially in the network that you have here at Apple, there are guys out there who are detecting and scanning for and preventing vulnerabilities as it's happening, as I speak.

The next thing I want to talk about is having multiple applications. Well, having to use multiple different applications is inevitable, because you know you need so many different applications to do your day-to-day activities, but all these applications need some form of authentication, and eventually it's going to be a password. So at the end of the day you have to remember all these different passwords, and you cannot remember all of them; you're going to write them on yellow stickies, stick them somewhere, and eventually they're going to go into that trash can and get into some attacker's hand, or somebody who has physical access is going to get his hands on the password, and then a compromise can happen. So it's always the best practice to move away from multiple-password systems: move on to a single sign-on system, or a system that has single sign-on and a single password, or single sign-on with multi-factor authentication, or a two-factor based authentication system.

Compromises, as I said, will also happen at the application level. Before I go into the application level I would like to talk about something. As I mentioned previously, OS X is a secure system; it is secure out of the box, and there are quite a few examples. The two things that I'd like to bring up here are that OS X has a real good separation between user accounts and administrative accounts: the root account is disabled by default, and there are file-level permissions that separate administrative and user accounts, and with Tiger you're going to have ACLs and all the great features. In terms of network ports, OS X client has zero ports opened out of the box; OS X client does not have any ports open. Server, of course, has six ports opened out of the box, two of which are for security software like sshd on 22
and the Kerberos port, and four of them are administrative ports.

Now we're going to look at some tools that enhance security. The reason that we are looking at these tools is that they can help you to enhance security: these tools can provide you with authentication, can provide you with access, can also provide you with encryption, can provide you with data integrity and so on and so forth. So what we're going to do is look at some configuration and some hardening techniques using these tools.

The first tool we're going to talk about is OpenSSL. It's shipped by default with OS X. It is an open source tool; it's an open source implementation of the SSL protocol. It's a great tool to do certificate management: you can manage a certificate throughout its life cycle using this tool, you can also manage a private key throughout its life cycle, you can use this tool to do client/server based authentication, and you can also do encryption using this tool. It has all these different encryption utilities embedded in it. Especially what you could do is actually generate a certificate by using OpenSSL, and then later on you can use that certificate to do both client and server authentication. Especially when you hit an HTTPS website, your client browser encounters a server certificate, and then, by looking at what's installed in the client, it actually verifies the server certificate, and the reverse also could be done. So basically this tool allows you to produce certificates that can later on be used to do authentication and encryption and so on
and so forth. However, at Apple we do ship the CDSA frameworks. The CDSA frameworks are much more secure: they provide certificate management functions, security services, encryption services, a lot of the things that OpenSSL does, and there are numerous advantages to using the CDSA frameworks, because if you use the CDSA frameworks you can do export control paperwork really easily, and you have so many other different features as far as handling private keys, public keys and so on and so forth, and it's optimized too. So at Apple we strongly recommend you to use the CDSA frameworks. If you have an old application that uses OpenSSL, that links directly to some OpenSSL libraries, it's okay to use OpenSSL, but if you are trying to build some cryptographic application or some kind of public key based application, it's always recommended that you use the CDSA frameworks.

What we see here are some of the functions that OpenSSL can do. First, generating keys: OpenSSL can be used to generate private keys. It can also be used to view keys, view your private keys and also view your certificate. It can be used to create certificate signing requests: you basically give the private key in, and then OpenSSL defines, you create a CSR, a signing request, and it will give you a bunch of questions which you need to give answers to, and then it will eventually create your signing request. You can create a CRL; in the case of verification, when the server verifies the client or the client verifies the server certificate, it will actually check across the CRL, and you can create CRLs by using OpenSSL. You can actually do the signing process itself by using OpenSSL, provided you are the CA or the signer or the administrator. You can also do certificate format changing and formatting scripts; for example, certificates are in multiple formats, and you can turn them from PEM format to DER format and so on and so forth. Then finally you can verify: you can actually tell what role you want OpenSSL to play, and it will go through the different depths that you specify to verify your certificate,
and what we have here is a typical example, in the case of web authentication. If a website wants to authenticate a client, what would the web server do? It would actually have some kind of a password/username, some kind of a basic or a digest based mechanism to authenticate the client. We could also use a certificate from the client side to really authenticate the server. So in order to do that, in this example we modified the httpd.conf and added some configuration to it to do such an authentication. What we did first is that we added this entry, which basically tells you which is the CA certificate to verify the client certificate with, the name of the CA certificate that we'll verify the client certificate with. This section tells you the directory that you want to protect, and these are some of the SSL options that allow you to tell SSL to do certain functionality for you to protect your website.

Next to that, you're going to look at OpenSSH. OpenSSH is the open source implementation of the SSH protocol. OpenSSH is shipped by default in OS X. It's a great tool: it provides you with encryption, data integrity and secure communication. It actually encrypts both your data channel as well as your command channel, so in essence the remote shell is actually OpenSSH. It provides you file transfer services, it provides secure shell services, it provides you secure copy services; it replaces all the other utilities, so we recommend you to use OpenSSH, it's a great tool. OpenSSH has the client as well as a server side: the client is basically the ssh or the scp or the sftp components, and the server side is the sshd daemon.

So let's look at some hardening techniques that you can use at the sshd daemon to increase security. The file in question here is sshd_config, and some of the changes that you're going to make here: basically we could filter connections that are coming into sshd based on IP, and we could give access for incoming connections, and something else we could do is filtering based on users; you could only allow certain users to connect to the system. Now the important thing I'd like to highlight here is that previously I mentioned to move away from password systems, so you could use some kind of a public key based system to authenticate to sshd, or you could even move into a system like Kerberos.
Having said that, let's move into the next section: IP firewalls. We said that OS X is a very secure platform out of the box. As soon as you start using all the different services, eventually you're going to open up a lot of ports; you're going to open up different ports, and you're going to install all your different servers, so they are going to have a lot of ports too. So the best way, when you are in a public network, to protect yourself is by using an IP firewall, and OS X by default has a firewall built into it. If you go to the client, the ipfw firewall interface in the client is in the System Preferences Sharing panel, and in a server you have it in the Server Admin panel, so you can enable your firewalls and protect yourself from all the attacks that can happen in the public internet. If you are a command line kind of guy, you could actually use the ipfw utility and, you know, build your firewalls and then centrally push firewalls and do all kinds of different activities. So the ipfw syntax goes like this: ipfw, then the command (add, list, zero, all those things), then the action, the protocol, the addresses, and also the external and the source/destination and so on and so forth. What you see below is a list of commands that has been installed into ipfw.

The next interesting tool that I would like to talk about is Kerberos. Previously, in the slides that came before, the tools that I was talking about are primarily both public key and shared key based mechanisms. Now we're going to talk about Kerberos. Kerberos is primarily a shared key based mechanism. It actually gives security; it provides you with authentication and single sign-on. Kerberos is shipped by default with OS X. It's MIT's; to be technically correct, it's MIT's three-party key agreement protocol. So basically what it does is that it gives single sign-on and it gives us authentication. So how does it give single sign-on? To understand how Kerberos gives single sign-on, we need to understand there are three components in this system: the client, the application server, and the KDC. So the real problem here is that the server needs to authenticate the client. How can the server authenticate the client? The server can authenticate that client by some sort of trust credentials provided by a trusted entity, and that trusted entity is the Key Distribution Center, or the KDC, in Kerberos. The KDC will have all the different user accounts, and what happens is the clients and the application servers will actually have Kerberos libraries installed on them. So when somebody wants to log into Kerberos, he will log in through the client Kerberos library, and as soon as a login happens a ticket-granting ticket is given to the client. So what happens is this ticket-granting ticket is stored in the client cache, and as long as you have a ticket-granting ticket you can actually participate in all the other different authentication sessions. For example, if you want to use an application, you, the user, will go and click an application, and the application opens up, and the application sees, okay, there's a ticket-granting ticket, because the application is sensitive to Kerberos. So it sees that there's a ticket-granting ticket, it takes the ticket-granting ticket, sends it to the KDC, and it will get a service ticket for that session. Once you get a service ticket, the application will take a one-time token from the service ticket and send that through its custom protocol; it could also use Kerberos, but most applications use their own protocols to take that token from the service ticket. It can be a GSS token, or if you are familiar with the APIs it can be a GSS or a krb token. It takes the token, presents it to the application server, and the application server verifies it and gives access. As long as you have a TGT, all the different applications can participate in single sign-on, so using one TGT, using multiple different service tickets, the applications can participate in single sign-on. The beauty here is that when a user logs in, the password never travels across the wire, and the TGT and the service tickets are actually time limited, so it increases the security.
What we have here is the Kerberos configuration file. In OS X it's in /Library/Preferences; it's called edu.mit.Kerberos. If you are using some sort of a directory mechanism, like if you enable the Active Directory plug-in or if you enable an LDAP based plug-in and you want to use Kerberos along with it, this file would be automatically created for you, and if you are connecting to a different Kerberos server, like a [inaudible] server or something, you could create this file. So let me quickly go through this file. Each KDC belongs to a realm or a domain, just like your system belongs to your domain; it belongs to a realm, and what you see here are the realm configurations. What you see here is the entry that tells your client Kerberos libraries where your KDC is; it will give you the domain name of the KDC as well as the ports of the KDC. So you can have multiple KDC entries down there, and in case of a failure, in case the first KDC fails, it would naturally fail over to the second KDC and so on and so forth.

In our Apple IT group we did have the exact same problem: we had a number of applications, we had tons of them, and then we had tons of passwords to remember. So what we did is we moved on from our password scheme to a single sign-on based scheme. How did we do that? We actually used the framework that was deployed in the OS X platform, the Kerberos framework, and we built a login application on top of that, and we also added some more features on top of this application. So what did we actually add? The things that we added: we added extension based on activity. If a user is sitting actively at his terminal and having some kind of keystrokes or mouse movements, then the tickets will be renewed; the TGT that was obtained will be renewed. The TGT eventually will be taken for a shorter time, and we keep on renewing it according to activity. Something else we added was selective participation. There are certain mission-critical applications which do not want to participate in single sign-on, so these applications can centrally be disabled from participating in single sign-on, or the user can decide whether he wants his application to participate in single sign-on or not, and so on and so forth. We also added another nice feature; it's called login/logout hooks. Especially if somebody is logged into the single sign-on system, and when somebody goes into the Kerberos window and signs off, the hooks would naturally call back each application and say, look, this guy has already logged out, and the applications could take their own actions. And the vice versa is true too: you could actually install a hook so that when people log out of applications, the central login system would know about it. One of the most interesting things we did is that we added pluggable authentication to our single sign-on system. So we basically added Kerberos hardware authentication as well as a security authentication module based authentication, so we could do Kerberos authentication; we could bootstrap the authentication by using smart cards, and that was a very cool thing that we did.

What you are going to see here is a tiny demo; it's going to be actually a video demo. So what you see here is the Kerberos window, and we don't have any tickets right now. So we are going to the central application that we created, and then we are logging into the system. Oops, the caps lock is on, okay, let me go back and type everything. That's a long password. So let me sign in. I'm signing into the system and I'm also automatically signed into Kerberos, so it shows my TGT, and I can see my TGT there, and it's time limited; it's taken for an hour. And now, since I have the TGT, I can go back to the application and sign in using the application. So now I'm signed in, so if I go back to Kerberos I should see, I'm actually moving, let me try dragging the application away, if I go back to Kerberos I will also see my service ticket for that application. And now I'm signing off my application service ticket, and it automatically logs me off the application; if I try to sign in again it'll actually prompt me with my login window. So you also can actually use the existing Kerberos framework and start building single sign-on systems. It really is real easy to do and it's real powerful and it's really good.

Having said that, let's move on to the next section: keychains. Well, in OS X the keychain is the default central repository for all passwords and all secrets, so you could store passwords as well as certificates and all these different things in the keychain, and especially if you want OS X native applications, like Safari and the [inaudible] framework and all these different components, to really recognize your certificates, you need to install them into the keychains; you have to install them into the anchors file. So we have seen all the basic tools; now let's see what else can be done. So I'm going to toss it on to Damien to lead us from here. Damien, there you go.

Thank you, Brian. My name is Damien Weiss. I work for the Apple Enterprise Consulting group, dealing with deployment and integration issues, and I spend most of my time, most of my focus, on security issues. I'm going to talk about what else can be done. We're going to talk about password policies, scanning files and changes, and network intrusion detection.
Talk about password policies. You know, passwords are the main gate into your machine; they are the easiest way in, and if you make them so, the hardest way in. I have a friend of mine who aspires to be a screenwriter, and he loves to say all the time, you know, if you had a thousand monkeys and a thousand typewriters typing for a thousand years, they'd eventually turn out the screenplay for The Godfather. He also likes to say that if they gave them a day, they would turn out the screenplay for Titanic, and the monkeys would have enough time to smoke a couple of cigarettes afterwards. That aside, I see a lot of folks when I go on site, I see a lot of folks who have the Titanic of passwords. Their password policies are very lax, and indeed, alas, I'll say, well, you know, what's your password, or you know, what's this user's password, and they'll tell me, and generally it's the username plus a number, which is the first thing, of course, people scan for. You know, what do we do at Apple to help you guys out? Well, we help you enact password policies by actually implementing it into Open Directory. There's a mistake up here on the screen where it says Workgroup Manager; that's supposed to say Server Admin. So if you go to Server Admin, then to the Open Directory tab, you'll actually see there you can set a number of things: you can set password policies such as whether or not the user can have a password with their name in it, or whether or not they have to have numbers, or anything along those lines. Also, password generators are great to use. There's hundreds of them out there; if you go to Google and search for simply "password generator", at least 100 will pop up. My two favorites personally are those that go ahead and generate passwords that are not in the dictionary but nevertheless sound like normal English words; indeed, what you find is that they're words that sound like words that you would use every day but grossly misspelled. Also, those password generators that generate passwords that are easy to type but are just an amalgam of letters and numbers and punctuation marks. Finally, administrator password policies. You know, I remember the first time as a system administrator, I was actually working at the Defense Department, at DISA, and the administrator's root password for 35 NeXTSTEP machines was simply DISA and then the name of that computer. That's what it was when I first arrived, and needless to say, about 15 years later, things don't seem to change at clients. Part of the problem is there are too many machines to remember the root password or administrator password for. I would strongly suggest that each password be unique. Don't try to go ahead and make the mistake of setting up the administrator password based on the company name or your manager's name or anything along those lines, because you really need to protect yourself, especially in the admin password, from both external attacks but also internal attacks; the guy three cubes down knows what your manager's name is.

We're going to talk about network scanning and monitoring, and we're going to talk about these tools, but first, you know, these tools really generate a lot of output, and the real goal is to go ahead and essentially break into your network and find the weaknesses for you. A lot of folks for some reason seem to think a good idea is just to leave the results of this on the hard drive, just somewhere unencrypted or world readable. Please secure them. My favorite technique is to actually use one of those USB memory sticks and actually copy it on, take it, put it in your pocket and then use it appropriately.

Let's talk about nmap.
Let's talk about a port. We all know this: you know, a port is a logical connection, it's the name for a logical connection between services that stay open for [inaudible], and obviously we can go ahead and look for these ports, services that are listening for requests or staying open, and using a port scanner like nmap allows us to find those. nmap is really good for quick and dirty scans for ports, and because of that you can find out what services the users are running. In this example I have here, I've got the verbose flag turned on, -F specifies that it's going into a TCP SYN scan mode, and -O is for OS detection, scanning every machine on this network. I'm doing that for a very important reason: you can't have your eyes everywhere. Folks have an easy way of plugging in a computer and then hiding it from you in order to listen to all the traffic on the network.

Talk about Nessus. Nessus is a great utility. It goes ahead and does more than, obviously, nmap: it goes ahead and performs scans, it looks at and actively tests the network based on plugins that you've given it, so for instance database plugins or plugins, oops, there we go, sorry about that. It goes ahead and has plugins for a number of operating systems and a number of protocols and services, and allows you to go ahead and specify exactly what it is that you're scanning for, and those results are very good. You can go ahead and rescan over and over and over again. I have a client who actually runs Nessus day and night, specifically just looking for new stuff and new vulnerabilities out there on the network.

OSSIM really straddles the line between scanning and monitoring and intrusion detection, which we're going to get to later on here, but I really wanted to stick it here into scanning and monitoring. It really is sort of the overlord, if you want to think of it that way, of security utilities. It gathers information from everywhere: from log files, from scans, from anything and everything that it can possibly find.
Its goal is to bring that all together in one place, but more importantly to bring it together in one place so it gets a better read on the network, so as to eliminate any false positives, excuse me, any false negatives, of intrusion detection on your network.

What else can you do? Well, you can also scan the file system. What I mean by that is, scanning the file system is simply going through, looking at each one of the files, doing a checksum on each one of those files, and then saving that checksum. That goes ahead and allows you to be able to know when any changes have been made. Why do you want to do that? Well, very simply, when a break-in happens, the evidence of the break-in, and certainly the evidence of the attempt at a break-in, is generally found somewhere on the file system. Also, after a break-in has happened, any back doors that are left on the machine are definitely found somewhere within that file system. Knowing about a break-in after it happens, very soon after it, often helps to prevent further break-ins. You can see that the first machine to go is generally the beachhead, and then from there, because all the machines are generally trusting of each other on some level or another, or in the case of most machines, you know, all the administrative passwords are the same, it allows the ease of breaking into further machines, so you really want to stop that as quickly as possible.

Talk about a couple of tools that allow you to scan: Tripwire and Radmind. First is Tripwire. Tripwire is great for locking down one machine, even if it's not on the network. It goes ahead and, just like I said, it does a checksum on every single file on your network, excuse me, on that one machine, and it goes ahead and detects changes. So you run it every night at one o'clock in the morning, or whenever, and it will go ahead and tell you what files have been changed. A lot of files change every day, obviously: log files, those kind of things, utmp, wtmp files, those things change normally. But what you're looking for, obviously, is changes in files and in directories that shouldn't be changing at all. A good thing to look for here is the SUID bit: SUID bits that have been changed or added to files. An old popular way of back-dooring, an old popular back door, was to go ahead and find an SUID file, or actually create an SUID file depending on what kind of access the cracker had to the machine, and copy in sh, csh, any shell file into that. Now that contains a file that is granting you an SUID shell.
Radmind. Radmind won one of the Design Awards at last year's WWDC. It's a great utility; if you haven't looked at it, I strongly encourage you to take a look. It's really a client-server Tripwire, is the best way I know to describe it. The first thing you would do is configure your Radmind server to take the loadsets, which are those checksum files, and then go to each one of the clients, or use ARD for that matter, to run the assistant and create those loadsets. At that point you can automatically check for any changes and even possibly roll back any changes.

Now, network intrusion detection and why you want to do that. Well, as the slide says very simply, another pair of eyes never hurts, and in this case multiple sets of eyes never hurt, and all the machines never sleep. I have noticed that crackers seem to work best, or at the very least most frequently, from about ten o'clock to about four o'clock in the morning, and that's generally the time when I am dead asleep. Two tools I'm going to go over: HenWen and Snort. HenWen is the Mac OS X front end for Snort. The GUI application allows you to get a quick, up-and-running intrusion detection system going. It is great for those folks who want to have the power of Snort but don't want to bother with all the configuration of it; you don't want to bother reading through all the text and configuration files. I strongly recommend folks go ahead and download it and take a quick look at it; it's very well worth it. It also allows for easy Spade configuration. We're going to talk about Spade in a second here. Spade is part of, excuse me, it's actually an add-on to Snort, but the configuration is there in HenWen, and what it does is Spade looks at each one of the packets that comes through and assigns it a score. It has a model that listens to that packet, figures out how suspicious the packet is, and the score is based on that suspicion. The lower the score, the less suspicious the packet, and conversely, the higher the score, the more suspicious the packet is. You can set the threshold at which Spade will notify you of suspicious activity happening on your network. But what I like about Spade is that it's very similar to the junk mail feature within Mail, within our mail application, wherein it goes into a learning mode, and then at that point, after you're satisfied with its learning mode, it will automatically set that threshold score, and then it will also continue to automatically adjust itself; it'll automatically adapt based on more traffic it sees.

Snort. It is a big mouthful; I've been practicing this slide over the last week, and every time I get to the sentence I'm always just blown away: Snort uses user-defined preprocessors and rule sets to detect suspicious packets. And what that means is... I'm like, someone applauded for that; I didn't know that people were in doubt of my literacy. But, you know, it uses rule sets to detect suspicious packets, and what that means is there's a number of rule sets that run within Snort, and what it does is it uses byte-level matching. It listens to each one of the packets and uses byte-level matching in order to figure out, based on the rules, what needs to happen: whether or not notifications need to happen, whether or not notifications don't need to happen, whether or not further processing needs to happen. Those preprocessors obviously are just what they say: they're just preprocessors, they're there before you get to the rules. We'll talk about preprocessors.

The rules are written like this. First you have an action, which in this case, in this example, is alert. The next one is the protocol, which will be TCP. The source address is any and the port is any. Now what I've gone ahead and done is set up this rule for detecting any mountd access from anywhere to my local network, so I've got my destination address, which is 192.168 with a netmask of 24, port number 111, which is the mountd port, and the actual specific content within that packet which is saying, hey look, this is a mountd packet. And then what actually needs to happen: we're going to send a message to the Snort log that a mountd access has happened.

Preprocessors. Preprocessors run before the rule set; they allow for packet modification and analysis before handing it off to the detection engine, or those rules. So what that means is the preprocessors run before the rule set, so if you have certain packets that you don't want to be detected, or if you're getting a lot of false negatives on a specific type of packet or from one specific machine, the place to go ahead and exempt those packets is there in the preprocessors: specify them in the configuration file, just like we have up here.
The output modules. The output module is simply telling Snort where to send the rule set and preprocessor information. So as a packet comes in and goes to the rule sets, where is Snort supposed to write that information to? That's where the output modules come into play. I know some clients like to specify all the output to just go into one huge honking file, and others like to break it up very, very, very small.

We've talked about what else you should do, and now I'm going to talk about what you shouldn't do. Please don't enable the r utilities: rsh, rcp, etc. I have been guilty of doing this in the past; however, the models have changed. Now we actually have alternatives to each one of these utilities, and while the utilities themselves specifically are not secure, in order to get them up and running you have to open up security holes. Telnet: there's a great alternative; Brian had talked about secure shell. And finger: I remember the first time I was introduced to Unix, the first thing I was actually introduced to was finger, and I thought this was earth-shattering, that you could stick your status in somewhere and people could actually read it. This is the greatest thing since sliced bread. Obviously all the functionality of finger has now been replaced by AIM or by personal web pages. Also, try not to use non-SSL mail protocols. I love to go to a client site, set up my PowerBook, let it scan for an hour, and then show the clients all the mail passwords and usernames that I've harvested just by listening to their network. It usually brings a little bit of unease, but then they realize, hey, we need to do something about this, and that's what I enjoy, actually fixing those problems. FTP: use SFTP or secure shell. TFTP: while limited use of TFTP isn't inherently insecure, a lot of times you see folks trying to extend TFTP beyond what it was designed to do, and that's making it insecure. And finally, non-Open Directory based authentication: there's a lot of problems that we see outside of Open Directory, and I would encourage you not to enable it. So with that, I'm going to invite Brian back on up here, and he'll talk to you about writing your own tools. Goodbye.

Thanks, Damien, that was wonderful. We saw a great list of all these different open source tools and how you can take advantage of them to do scanning, intrusion detection, even correlation, and all these different things. Especially as an administrator, one of the things that you really need to know when you use all these tools is what is inside these tools, and to get a general awareness you have to know what the components of these tools are. So I'm going to talk to you about some of the network components, or some of the libraries, these tools are constructed with, and most of them are open source libraries.

The first tool, the first library that I'm going to talk about is libpcap. libpcap is default in OS X; it's a packet capturing library. It listens on the wire and it can capture both Ethernet, TCP/IP and all these different types of packets, and any sort of application like tcpdump would actually use libpcap, and a lot of the different open source tools actually use libpcap to do the packet capturing. Later on I'm going to show you a program that I've written using libpcap. It's a great library.

The next library is libnet. libnet is a packet injection slash packet creation library, so you can use libnet to create weird TCP packets, I would say, or packets with different headers and all this different stuff, so it's a great utility, and a lot of the intrusion detection tools, and even Snort, use libnet. libnet is actually a low-level tool; if you are building all these different open source libraries, you have to build libnet first in order to build all the other libraries.

The next is libdnet. libdnet is an abstraction library which provides you abstracted kernel data, like the interface information, like the ARP cache and also the routing table, so you can have direct access to the routing table by using libdnet, and a lot of the security tools and applications do in fact use libdnet.

The next tool, I keep on saying tool for libraries, the next library is libsf. libsf is an OS fingerprinting library, so by using libsf you can detect what your destination OS is, what OS you are pinging. Basically libsf can work in active as well as passive mode, and what it does is it has a database of how the kernel responds to certain packets, and depending on the feedback it receives it compares it and it actually gives scores, and the system that gets the highest score is most likely to be the system at the destination. So it's a great library you can use in your tools.

The next library is libnids. libnids is the TCP fragmentation and assembly detection library. Most of the intrusion detection tools actually use libnids, tools like dsniff; all these tools use libnids. You can actually register a callback function into libnids, and when libnids encounters a fragmented IP packet it will actually call you back, so it has great functionality.

The reason, as I said before, why I'm talking about all these different libraries: I'm talking about these different libraries because it gives you a general awareness of what your tools are made of. Second, if you are a developer, it gives you the ability to code and write up a tiny tool, because most of the security tools that we have do a specific purpose, they are for a specific purpose, and you might have a purpose that's different from the tool's purpose, so you can actually quickly write up a tool of your own by using some of these libraries.
And having said that, let's move on to see how you can write your tool. I in fact wrote up a small program, a hundred lines of code, in less than an hour; it's very easy. I call it the Browse program, and there are actually programs like this in the open source arena. What this does is it uses libpcap, listens on your wire, captures IP packets, and then it strips off MAC addresses from the packets, and if it finds a new MAC address it stores it in an array and then it resolves the MAC address to a vendor name. So basically it browses the network and finds out all these different devices and which vendor each belongs to. You could actually easily extend this program, put libsf in it, and you could actually do OS fingerprinting as well. So it's a very tiny program, and what you see here is the output of the program. I ran it in my home network, and you see the MAC addresses, the IPs and the vendor names. So these tools, the knowledge of these libraries, will allow you to write up tools and increase security in your network.

Now, in conclusion: take advantage of all the tools that we showed you, they are great tools, and also use OS X as an administrative platform to run all these tools and secure your network. And here what you see are some of the different URLs for these tools, tools like Nessus, nmap, Radmind and the libnet libraries. Those were some of the tools; the rest of them actually come in OS X.
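As an added example (not code from the session, and not the Snort project's own code), the following Python evaluator shows the rule shape Damien walked through above: action, protocol, source address and port, destination network and port, then content and msg options, matched byte-for-byte against a packet. The rule text is the classic mountd example from the Snort documentation; the `Packet` class and the sample traffic are constructed here for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Rule in the shape described in the talk: action, protocol, src addr/port,
# direction, dst addr/port, then options. This is the classic mountd example
# from the Snort documentation; 0x000186a5 is the mountd RPC program number.
MOUNTD_RULE = ('alert tcp any any -> 192.168.1.0/24 111 '
               '(content:"|00 01 86 a5|"; msg:"mountd access";)')

@dataclass
class Packet:            # constructed, already-decoded packet fields
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def parse_content(spec):
    """Snort content syntax: bytes between | | are hex, text outside is literal."""
    out = b""
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return out

def parse_rule(text):
    head, _, opts = text.partition("(")
    action, proto, src, sport, _, dst, dport = head.split()
    rule = dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, content=None, msg="")
    for key, val in re.findall(r'(\w+):"([^"]*)"', opts):
        rule[key] = parse_content(val) if key == "content" else val
    return rule

def addr_match(spec, ip):   # "any" or a CIDR such as 192.168.1.0/24
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_match(spec, port):
    return spec == "any" or int(spec) == port

def match(rule, pkt):
    """Return the rule's msg if every header field and the content match, else None."""
    ok = (rule["proto"] == pkt.proto
          and addr_match(rule["src"], pkt.src) and port_match(rule["sport"], pkt.sport)
          and addr_match(rule["dst"], pkt.dst) and port_match(rule["dport"], pkt.dport)
          and (rule["content"] is None or rule["content"] in pkt.payload))
    return rule["msg"] if ok else None

# Constructed traffic: an RPC-style call carrying the mountd program number to a LAN
# host, the same payload to a host outside the /24, and unrelated data on TCP/111.
SAMPLE = [
    Packet("tcp", "10.9.8.7", 40321, "192.168.1.20", 111, b"\x80\x00\x00\x28" + bytes(8) + b"\x00\x01\x86\xa5"),
    Packet("tcp", "10.9.8.7", 40322, "192.168.2.20", 111, b"\x00\x01\x86\xa5"),
    Packet("tcp", "10.9.8.7", 40323, "192.168.1.20", 111, b"hello"),
]

def scan(rule_text, packets):
    """Run one rule over a packet list; return (src, dst, msg) for each hit."""
    rule = parse_rule(rule_text)
    return [(p.src, p.dst, msg) for p in packets if (msg := match(rule, p))]

if __name__ == "__main__":
    print(scan(MOUNTD_RULE, SAMPLE))   # [('10.9.8.7', '192.168.1.20', 'mountd access')]
```

Only the first sample packet fires: the second misses on the destination network and the third on the content bytes, which is exactly the header-then-content ordering the rule expresses.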