Taishaun_OwnensCNS-533_Lab



Page 1: Taishaun_OwnensCNS-533_Lab

Enterprise Security Infrastructure Controls and Regulatory Compliance

IS-533 LAB

Purpose

The primary purpose of this lab is to expose the students to network security monitoring and the level of detail that security standards sometimes require. The secondary purpose of this lab is to assist in the creation of the final standard for logging.

The lab has been created in three parts:

Part 1: Create two client virtual machines to monitor with Security Onion

Part 2: Create a Security Onion virtual machine and install Splunk

Part 3: Test network settings and explore Security Onion via Splunk

Depending on the type of system you will be using, these labs may take some time to complete. Specifically, the installation and then update of Security Onion will take over 30 minutes on some systems. Plan accordingly.

Please post any questions to the Course Discussion Forum. These instructions were written as the lab was built, so there may be errors. Posting to the forum will allow everyone to adjust the lab.

Requirements

Download VMware for your system at the CDM - VMware software store: http://e5.onthehub.com/WebStore/ProductsByMajorVersionList.aspx?ws=b2c0cd57-97e2-de11-a13b-0030487d8897&vsro=8&JSEnabled=1


Download the 32-bit version of the Ubuntu Desktop for your test systems from http://www.ubuntu.com/download. Do not apply any updates: once Security Onion is configured and running, the update traffic is something that can be observed. The Desktop version makes it easier to download other software such as Nmap and Nessus. The Ubuntu systems will be configured using NAT within VMware Workstation/Fusion.

Download Security Onion and note that it is a 64-bit distribution. If the laptop/desktop being used for this lab cannot run it within VMware Workstation/Fusion, follow the install guide for downloading and installing the Security Onion packages onto the 32-bit version of Ubuntu Desktop. http://code.google.com/p/security-onion/wiki/Installation

http://sourceforge.net/projects/security-onion/files/12.04.3/

IS-533 Lab Page 1 of 15


Part 1

Virtual Machine Setup

Each dialog window has a button to proceed through the configuration of the virtual machines (VM). The instructions assume that once the appropriate fields are entered or selected, the student will click on the appropriate button.


Open VMware Workstation/Fusion and create two VMs


First VM

1. Navigate the menu and select Create New Virtual Machine

2. Choose Custom


3. Accept the Hardware Compatibility defaults


4. Choose Installer disc image file (iso) and navigate to the folder where you downloaded the iso image and select it


5. Complete the Easy Install User Information

6. Enter the computer name - ubuntu-1 or anything you will remember (so you can distinguish between the systems in Security Onion)

7. Accept the Processor defaults


8. Accept the Memory defaults

9. Choose Use network address translation (NAT)


10. Accept the I/O Controller defaults

11. Select Create New Virtual Disk

12. Accept the Default Type

13. Accept the Default for the size - Note: For the lab you will not need more than the default size provided

14. Accept the Disk file name

15. Click Finish to begin the O/S install - Note: Depending on the speed of your system, the install may take longer.

16. Upon completion of the VM creation, Logon and launch Terminal

17. Type ifconfig and press enter

a. Enter the First VM's IP address here: 192.168.60.128

18. Follow these steps to create your second VM

a. Enter the second VM's IP address here: 192.168.60.130

19. Test Internet browsing


Part 2

Security Onion Setup

1. Navigate the menu and select Create New Virtual Machine

2. Choose Custom

3. Accept the Hardware Compatibility defaults

4. Choose the Security Onion Installer disc image file (iso) and navigate to the folder where you downloaded the iso image and select it


5. Use the down arrow to display the Version choices and select Other Linux 2.6.x kernel 64-bit

6. Enter "Security_Onion" for the Virtual Machine Name

7. Accept the Processor defaults

8. Accept the Memory defaults (Use 1024MB if possible)

9. Choose Use network address translation (NAT) (VMware automatically defaults to NAT)

10. Accept the I/O Controller defaults

11. Select Create New Virtual Disk

12. Accept the Default Type


13. Change the Maximum disk size to 20 GB if possible


14. Accept the Disk file name

15. Click Finish

Note: The installation of Security Onion will not start until the VM is powered on.

16. Click VM on Tool Menu and Select Settings

17. Click Add and if prompted by Security Notification, accept it

18. Click Add

19. Click Network Adapter and click Next


20. Ensure that NAT: Used to share the host's IP address is selected

21. Click Finish

22. Click OK to exit Virtual Machine Settings

23. Click Power on this virtual machine

24. Select install - start the installer directly

Note: Depending on the amount of RAM and the speed of the system, Security Onion may take some time to load

25. Double-click on the Install SecurityOnion 12.04 icon

26. Choose language

27. Click Continue without selecting any options on Preparing to install SecurityOnion

28. Select Erase disk and install SecurityOnion

29. Confirm time settings

30. Confirm Keyboard layout

31. Enter User Information

Note: For this lab, select Log in automatically to save time updating Security Onion. This lab will be done on an isolated network. This setting is normally not selected as a good security practice.

32. Click Restart Now

Note: If you didn’t select auto-logon, you will need to logon to continue

33. Double-click on the Terminal Emulator icon on the Desktop

34. Type sudo apt-get update && sudo apt-get dist-upgrade

35. Type your password


36. Type Y to continue

37. Type sudo reboot

38. Enter the password you entered during the install

Note: If you didn’t select auto-logon, you will need to logon to continue

39. Double-click on the Setup Icon on the Desktop to begin configuring Security Onion

40. Enter the password you entered during the install

41. Click Yes, Continue

42. Click Yes, configure /etc/network/interfaces

43. Click on eth0 for the management interface

44. Click on DHCP

45. Check the box next to eth1 for the interface used for sniffing

46. Click Yes, make changes and reboot!

Note: If you didn’t select auto-logon, you will need to logon to continue

47. Double-click on the Setup Icon on the Desktop to continue configuring Security Onion

48. Click Yes, to continue

49. Click Yes, skip network configuration!

50. Select Advanced Setup

51. Select Standalone

52. Enter a Sguil username

53. Enter an email address for Snorby

54. Enter a password that will be used for Sguil, Squert, Snorby and ELSA (ELSA won't be used for this lab)

55. Confirm your password

56. Select Snort

57. Select Emerging Threats GPL

58. Select eth1

59. Click Yes, enable the IDS engine

60. Click Yes, enable Bro

61. Click Yes, enable http_agent

62. Click Yes, enable Argus

63. Click Yes, enable Prads

64. Yes, enable full packet capture

65. Accept the default for the pcap files

66. Accept the default disk usage size


67. Click No, disable ELSA

68. Click Yes, proceed with the changes

69. Click OK to complete the setup

70. Click OK to acknowledge the Security Onion configuration

71. Click OK to acknowledge support options

72. Security Onion is now configured

73. Open a browser in Security Onion and go to www.splunk.com

Note: Splunk Enterprise 6 was released while creating this lab. There is an option for downloading older versions. These instructions were written for the version below.

74. Click Free Download

75. Click on Splunk-5.0.5-179365-linux-2.6-amd64.deb or the 32-bit version

76. Register with Splunk

77. Note: Splunk will not send emails except to "thank you" for downloading it. Remember the password that is created with this step.

78. Click on Splunk-5.0.5-179365-linux-2.6-amd64.deb splunk-6.2.1-245427-linux-2.6-amd64.deb or the 32 bit version

79. Click on Save file

80. When the download is complete, close the browser and Double-click on Terminal Emulator

81. Type cd Downloads

82. Type sudo dpkg -i splunk-6.2.1-245427-linux-2.6-amd64.deb and enter your password

83. Type sudo /opt/splunk/bin/splunk start

84. Press Enter down until License agreement has been completed

85. Type Yes to agree with the license

86. Type sudo /opt/splunk/bin/splunk enable boot-start

87. Close the Terminal window

88. Open the browser

89. Navigate to localhost:8000

90. Enter admin and changeme to login

91. Create a Splunk admin password

92. Click on Manager (top right on menu)

93. Click on Apps

94. Click on Find more apps online

95. In the search field type Security Onion

96. Click on Read more


97. Click on the Documentation tab

98. Scroll down to Required Splunk Apps:

99. Right-click on each of the Apps, and select Open in new tab

100. Click the Download button and accept the license agreements when prompted

101. Save each file (they will be saved to the Downloads folder)

102. Navigate back to the Manager

103. Click on Apps

104. Click on Install app from file

105. Browse to the %user%Downloads folder and select a file

106. Click Upload

107. Do this for each App - Ignore the restart message until all Apps are installed

108. Click on the Download for Security Onion and install it

109. Click Restart Splunk
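Before moving on to Part 3, it is worth confirming that steps 43-45 actually produced the interface layout a sensor needs: eth0 as the management interface with a DHCP address on the same VMware NAT network as the two Ubuntu clients, and eth1 as a sniffing interface that is UP and promiscuous and carries no IP address of its own. The script below is an added example, not part of the lab handout; the two ifconfig outputs it checks are constructed samples in the "inet addr:" format Ubuntu 12.04 prints, and the 192.168.60.x addresses are the ones recorded in Part 1.

```sh
#!/bin/sh
# Added example (not from the lab handout): sanity-check the Security Onion
# sensor's interfaces as Part 2 steps 43-45 are meant to leave them:
#   eth0 = management interface, DHCP address on the VMware NAT network
#   eth1 = sniffing interface, UP and PROMISC, with no IP address
# The samples below are constructed; on the VM you would pass in
# "$(ifconfig eth0)" and "$(ifconfig eth1)" instead.

# Print the IPv4 address found in one interface's ifconfig output (empty if none).
iface_ip() {
  printf '%s\n' "$1" | awk '/inet addr:/ { sub("addr:", "", $2); print $2; exit }'
}

# Succeed if the flags line shows the interface is UP and in promiscuous mode.
iface_is_sniffing() {
  printf '%s\n' "$1" | grep -q 'UP.*PROMISC'
}

# Succeed if $1 and $2 share the same /24 (the lab clients live on 192.168.60.0/24).
same_subnet24() {
  [ "${1%.*}" = "${2%.*}" ]
}

# Constructed sample: management interface after DHCP on the NAT network.
ETH0_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:cc
          inet addr:192.168.60.131  Bcast:192.168.60.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Constructed sample: sniffing interface as the Security Onion setup configures it.
ETH1_SAMPLE='eth1      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:dd
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1'

# Run all checks; returns 0 only when the layout matches the lab's intent.
# $1 = ifconfig output for eth0, $2 = ifconfig output for eth1.
check_sensor_interfaces() {
  mgmt_ip=$(iface_ip "$1")
  sniff_ip=$(iface_ip "$2")
  [ -n "$mgmt_ip" ] || { echo "eth0 has no IP address: DHCP (step 44) did not take effect"; return 1; }
  same_subnet24 "$mgmt_ip" "192.168.60.128" || { echo "eth0 ($mgmt_ip) is not on the clients' NAT subnet"; return 1; }
  iface_is_sniffing "$2" || { echo "eth1 is not UP/PROMISC: it will not see client traffic"; return 1; }
  [ -z "$sniff_ip" ] || { echo "eth1 has an address ($sniff_ip); a sniffing interface should have none"; return 1; }
  echo "sensor interfaces look right: management $mgmt_ip, eth1 sniffing"
}

check_sensor_interfaces "$ETH0_SAMPLE" "$ETH1_SAMPLE"
```

If eth1 is missing the PROMISC flag, the dashboards in Part 3 will stay empty no matter how much traffic the two clients generate, so this is the first thing to check when nothing shows up.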


Part 3

1. Double-click on the Terminal Emulator icon

2. Type sudo wireshark

3. Enter your password

4. Choose OK to accept the warning about running Wireshark as root

Note: There is a secure configuration for running Wireshark that should be undertaken for production systems.

5. Start capturing on eth0

6. In the Filter box, type icmp (Wireshark display filters are case-sensitive and written in lower case) and click Apply

7. In one of the Ubuntu systems, open a terminal and ping the other one

8. Insert a print screen of your Wireshark capture here:

9. Browse to http://localhost:8000

10. Log in using admin and the password you defined

11. Navigate to the Security Onion App

12. Insert a Print Screen of the Overview page here:


13. Open the Snorby page from Security Onion. If there is an error, correct the URL to https://localhost:444

14. Add an exception to your browser's security

15. Login using the email address and password you provided during the install

16. Insert a print screen of the Snorby Dashboard here:

17. Exit Wireshark without saving the capture

18. Open the Squert page. If there is an error, correct the URL to https://localhost/squert/login.php

19. Insert a print screen of the Squert Dashboard here:


20. Start your Ubuntu virtual machines

21. Apply the security updates on both systems

22. Observe the changes to the Overview, Snorby and Squert Dashboards

23. This completes the lab. Make sure each virtual machine is closed down cleanly.
