Security onion
Uploaded by: kaustubh-padwad
Transcript of Security onion
What is NSM
S3CuriTy B3a$t
Network Security Monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.
Source: Google
For me it's simple: IPS/IDS + any network analysis tool :-)
Why IDS/IPS if I have a firewall?
Firewall - A device or application that analyzes packet headers and enforces policy based on protocol type, source address, destination address, source port, and/or destination port. Packets that do not match policy are rejected. It never looks at the payload, so an attack carried inside an allowed connection (for example an HTTP request to port 80) passes through.
Intrusion Detection System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected, a log message is generated detailing the event; the packet itself is still forwarded.
Intrusion Prevention System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected, the packet is rejected.
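The three definitions above as a runnable toy, added here as an illustration and not code from Security Onion, Snort or Suricata: a header-only firewall policy, a small list of content-matching signatures, and a pipeline that runs either in IDS mode (alert and forward) or in IPS mode (alert and drop). The packets, the allow policy and the signatures are all constructed sample data, and the rule format is a simplification assumed for the example. The point it shows is that the same traversal attempt is accepted by the firewall (port 80 is allowed), logged but forwarded by the IDS, and logged and dropped by the IPS.

```python
"""Toy firewall / IDS / IPS pipeline over constructed packets (example only)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Signature:
    """Minimal content rule; header constraints plus a payload byte pattern (assumed format)."""
    sid: int
    msg: str
    proto: str
    dport: int
    content: bytes


# Firewall policy (constructed): header fields only, default deny.
FIREWALL_ALLOW = [
    {"proto": "tcp", "dport": 80},
    {"proto": "tcp", "dport": 443},
    {"proto": "tcp", "dport": 22, "src": "10.0.0.0/8"},   # SSH only from the internal range
]

# Signatures (constructed): what an IDS/IPS considers a "known event".
SIGNATURES = [
    Signature(1000001, "WEB-ATTACK /etc/passwd access attempt", "tcp", 80, b"/etc/passwd"),
    Signature(1000002, "WEB-ATTACK SQL tautology in request", "tcp", 80, b"' or 1=1"),
]


def firewall_allows(pkt: Packet, policy=FIREWALL_ALLOW) -> bool:
    """Header-only decision: protocol, destination port and optional source range."""
    for rule in policy:
        if rule["proto"] != pkt.proto or rule["dport"] != pkt.dport:
            continue
        if "src" in rule and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule["src"]):
            continue
        return True
    return False   # no matching allow rule: reject


def matching_signatures(pkt: Packet, signatures=SIGNATURES) -> list:
    """Whole-packet decision: header constraints plus a case-insensitive payload substring."""
    payload = pkt.payload.lower()
    return [s for s in signatures
            if s.proto == pkt.proto and s.dport == pkt.dport and s.content.lower() in payload]


def run_pipeline(packets, mode: str):
    """mode='ids': alert and forward; mode='ips': alert and drop. Returns (forwarded, alerts)."""
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    forwarded, alerts = [], []
    for pkt in packets:
        if not firewall_allows(pkt):
            continue                    # rejected on headers; the IDS/IPS never sees it
        hits = matching_signatures(pkt)
        for s in hits:
            alerts.append(f"[{s.sid}] {s.msg} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        if hits and mode == "ips":
            continue                    # IPS: known event, so the packet is rejected
        forwarded.append(pkt)           # firewall passed it; IDS only logs
    return forwarded, alerts


# Constructed sample traffic (documentation address ranges).
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.5", 40001, "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("tcp", "203.0.113.5", 40002, "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("tcp", "203.0.113.5", 40003, "192.0.2.10", 23, b"\xff\xfd\x18"),           # telnet
    Packet("tcp", "10.1.2.3", 50000, "192.0.2.10", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),   # internal SSH
    Packet("tcp", "203.0.113.9", 40004, "192.0.2.10", 22, b"SSH-2.0-libssh\r\n"),     # external SSH
    Packet("tcp", "203.0.113.7", 40005, "192.0.2.10", 80, b"GET /item?id=1' OR 1=1-- HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        fwd, alerts = run_pipeline(SAMPLE_PACKETS, mode)
        print(f"{mode.upper()}: forwarded {len(fwd)}/{len(SAMPLE_PACKETS)}, alerts {len(alerts)}")
        for line in alerts:
            print("  " + line)
```

Running it forwards four of the six packets in IDS mode with two alerts, and only two in IPS mode with the same two alerts; the telnet and external SSH packets are dropped by the header policy before inspection in both modes.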
Difference Between IPS AND IDS
The Intrusion Detection System (IDS) provides the network with a level of preventive security against any suspicious activity. The IDS achieves this objective through early warnings aimed at systems administrators. However, unlike IPS, it is not designed to block attacks.
An Intrusion Prevention System (IPS) is a device that controls access to IT networks in order to protect systems from attack and abuse. It is designed to inspect attack data and take the corresponding action, blocking it as it is developing and before it succeeds, creating a series of rules in the corporate firewall.
Source: pandasecurity.com
Simply,
IDS :- Detects the attack and alerts the administrator
IPS :- Prevents the attack
What IDS/IPS Can
Can :-
● Detect when your system is under attack
● Trace user activity from point of entry to point of impact
● Automate the task of monitoring traffic for the latest known attacks
What IPS Can Not
Can Not :-
● Compensate for weaknesses in network protocols
● Investigate attacks without human interaction
Where do I put IPS/IDS?
● Between your network and the extranet
● In the DMZ, before the firewall, to identify attacks on servers in the DMZ
● Between the servers and internal users, to identify internal attacks
● On intranet FTP and database environments
Features of Security Onion
● Intrusion detection
● Network security monitoring
● Log management
Packages
Xubuntu based
● Snort, Suricata (IDS)
● Bro, ELSA (network security analysis)
● OSSEC (HIDS)
● Squert, Snorby, Sguil (NSM)
● Xplico (network forensic tool)
● ... many other security tools
Who Is Behind Security Onion
Originally created and maintained by Doug Burks https://twitter.com/@dougburks
He really wanted to make Sguil and NSM "easier" to deploy: "mission accomplished".
Ash Deuble https://twitter.com/ashd_au
...Open Source :-)
Demonstration
● Setup 'SO' in our environment
● Quick and advanced setup
● Configuration review
● Attacks and detection
Not covered
● Installation - similar to any Linux distro
● Update - steps available on their blog
● Writing Snort rules (maybe in future sessions)
● Advanced packet analysis
Thank You
Contact Details:
Twitter: @kingkaustubhp
Blog: breakthesec.com
Email: [email protected]