This is the talk I gave at SOURCE Dublin in May 2013 about improving information security by dynamically reconfiguring security devices already in place.
2. $ whoami
• Xavier Mertens (@xme)
• Consultant @ day
• Blogger @ night
• BruCON co-organizer
3. $ cat disclaimer.txt
“The opinions expressed in this presentation
are those of the speaker and do not necessarily
reflect those of past, present employers,
partners or customers.”
5. Defense vs. Attack
• Offensive security is fun (w00t! We break things)
• Defensive security can also be fun! (proud to not be pwn3d ;-)
• “Know your enemy!”
13. Then Came the god “SIEM”
[Diagram: Firewall, IDS, Proxy and Malware Analysis each send their logs to a centralized logging solution / SIEM]
14. Weaknesses?
• Independent solutions
• Static configurations
• Only logs are centralized
• No global protection
• Useful data not shared
• Real-time protection not easy
15. The Value of Data
• IP addresses
• User names
• URLs
• Domains
• Digests (MD5, SHA1, etc.)
18. Back to the Roots
• REXX is a scripting language invented by IBM.
• ARexx was implemented in AmigaOS in 1987.
• It allows applications with an ARexx interface to communicate and exchange data.
19. RTFM!
• Security is a big market ($$$)
• The “Microsoft Office” effect (<10% of features really used)
• Invest time to learn how your products work.
• Be a hacker: learn how it works and make it work the way you want.
22. Automation is the Key
• We’re all lazy people!
• Expect!
use Expect;
# $user, $host, $password and $timeout are set earlier (e.g. read from a config file)
my $e = Expect->new();
my $c = "ssh $user\@$host";              # '@' must be escaped inside a double-quoted string
$e = Expect->spawn($c) or die "No SSH?";
$e->expect($timeout,
    [
        qr'password: $',                 # wait for the password prompt
        sub {
            my $fh = shift;
            print $fh "$password\n";     # answer it, then let the session continue
        }
    ]
);
25. HTTPS
• Generate an API key
https://10.0.0.1/api/?type=keygen&user=foo&password=bar
• Submit XML requests
https://10.0.0.1/api/?type=config&key=xxx&action=set&xpath=/config/device/entry[@name=localhost]/vsys/entry[@name=vsys1]/address/entry[@name=NewHost]&element=<ip-netmask>192.168.0.1</ip-netmask><description>Test</description>
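The request on the slide is shown unencoded for readability. As an added example (not from the talk, and not any vendor's SDK), the Python below builds the same two requests with the XML element escaped, the query percent-encoded, and the entry names restricted to a safe alphabet before they are spliced into the XPath. The management address, entry names and key value are the slide's; everything else is assumed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlencode, urlsplit, parse_qs
from xml.sax.saxutils import escape

API_BASE = "https://10.0.0.1/api/"          # management address used on the slide
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,63}$")


def keygen_url(user, password):
    """The key-generation request from the slide, with a properly encoded query."""
    return API_BASE + "?" + urlencode({"type": "keygen", "user": user, "password": password})


def _entry_name(name):
    # Entry names end up inside an XPath predicate; a name such as  x]/../y
    # would change the path, so only a conservative alphabet is accepted.
    if not NAME_RE.match(name):
        raise ValueError("bad entry name: %r" % name)
    return name


def set_address_url(key, vsys, name, ip_netmask, description):
    """Build the 'set' request from the slide: same xpath layout, but the XML
    element is escaped and the whole query is percent-encoded."""
    ipaddress.ip_network(ip_netmask, strict=False)   # raises ValueError on junk
    xpath = ("/config/device/entry[@name=localhost]/vsys/entry[@name=%s]"
             "/address/entry[@name=%s]" % (_entry_name(vsys), _entry_name(name)))
    element = "<ip-netmask>%s</ip-netmask><description>%s</description>" % (
        escape(ip_netmask), escape(description))
    query = {"type": "config", "key": key, "action": "set",
             "xpath": xpath, "element": element}
    return API_BASE + "?" + urlencode(query)


def decode_query(url):
    """Inverse used for checking: the decoded query as a {name: value} dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    print(keygen_url("foo", "bar"))
    print(set_address_url("xxx", "vsys1", "NewHost", "192.168.0.1", "Test"))
```

Both the API key and the password travel in the query string, so they end up in proxy and web-server access logs; whoever can read those logs can reuse them.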
26. Snort-Rules Generator
• Lots of security tools accept Snort rules
use Snort::Rule;
my $rule = Snort::Rule->new(
    -action => 'alert',
    -proto  => 'tcp',
    -src    => '10.0.0.1',
    -sport  => 'any',
    -dst    => 'any',
    -dport  => 'any',
);
$rule->opts('msg', 'Detect traffic from 10.0.0.1');
$rule->opts('sid', '666666');
print $rule->string(), "\n";    # emit the rule in Snort syntax
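The Perl above hard-codes one indicator. As an added example (mine, not the talk's), the Python below generalizes it: it builds the same rule line, validates addresses, ports and the message text before they are interpolated (indicator descriptions usually come from an external feed and must not be able to rewrite the rule), and turns a whole list of indicator IPs into rules with sequential SIDs. The SID base and the message wording are assumptions.

```python
import ipaddress

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
PROTOS = ("tcp", "udp", "icmp", "ip")


def _check_addr(addr):
    """Accept 'any', a $VARIABLE, or a literal IP / CIDR; reject anything else."""
    if addr == "any" or addr.startswith("$"):
        return addr
    ipaddress.ip_network(addr, strict=False)   # raises ValueError on garbage
    return addr


def _check_port(port):
    """Accept 'any', a single port, or a low:high range."""
    if port == "any":
        return port
    lo, _, hi = port.partition(":")
    for part in (lo, hi):
        if part and not (part.isdigit() and int(part) <= 65535):
            raise ValueError("bad port: %s" % port)
    return port


def snort_rule(action, proto, src, sport, dst, dport, msg, sid, rev=1):
    """Return one rule line in Snort syntax, as the Perl example does."""
    if action not in ACTIONS:
        raise ValueError("bad action: %s" % action)
    if proto not in PROTOS:
        raise ValueError("bad proto: %s" % proto)
    # ';', '"', '\' and newlines would end or extend the option block, so a
    # feed-supplied description containing them is refused rather than emitted.
    if any(c in msg for c in ';"\\\n'):
        raise ValueError("msg contains a reserved character")
    header = "%s %s %s %s -> %s %s" % (
        action, proto, _check_addr(src), _check_port(sport),
        _check_addr(dst), _check_port(dport))
    return '%s (msg:"%s"; sid:%d; rev:%d;)' % (header, msg, int(sid), int(rev))


def rules_for_indicators(ips, first_sid=1000001):
    """One alert rule per unique indicator IP. SIDs are assigned in order from
    first_sid so the file can be regenerated without SID collisions."""
    rules = []
    for offset, ip in enumerate(dict.fromkeys(ips)):   # dedupe, keep order
        rules.append(snort_rule("alert", "ip", ip, "any", "any", "any",
                                "Traffic from indicator %s" % ip,
                                first_sid + offset))
    return rules


if __name__ == "__main__":
    # constructed indicator list
    for line in rules_for_indicators(["10.0.0.1", "10.0.0.2", "10.0.0.1"]):
        print(line)
```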
27. IF-MAP
• Open standard to allow authorized devices to publish/search relevant information
• Information could be:
  • IP
  • Login
  • Location (devices)
  • Domain
28. IF-MAP
use Ifmap;
use Ifmap::Util;
my $r    = Ifmap::Request::NewSession->new();
my $ip   = Ifmap::Identifier::IpAddress->new(ip_address => '10.0.0.1');
my $mac  = Ifmap::Identifier::MacAddress->new(mac_address => 'aa:bb:cc:dd:ee:ff');
my $id   = Ifmap::Identifier::Identity->new(name => 'john', type => 'username');
my $meta = Ifmap::Metadata::Element->new(name => 'name', value => 'employee');
29. SNMP
• SNMP can be used to push configuration changes
• Example:
  • Router 10.0.0.1 will pull the access-list “acl.tmp” from TFTP server 10.0.0.2
$ snmpset -v 1 -c Pr1v4t3 10.0.0.1 .1.3.6.1.4.1.9.2.1.53.10.0.0.2 s acl.tmp
30. TCL
• Cisco devices have a framework called EEM: “Embedded Event Manager”
• Example:
  • The router may communicate information based on its status
event manager applet Interface_Event
 event syslog pattern ".*UPDOWN.*FastEthernet0/1.*changed state to .*"
 action 1.0 cli command "tclsh flash:notify.tcl"
31. Puppet
• Configuration Management Software
• Deploy security patches
• Manage SSH keys
• Modify thousands of servers in one shot
“DevOps to the rescue”
35. $ cat disclaimer2.txt
<warning>
Some slides contain examples based
on open source as well as v€ndor$ solutions.
I’m not affiliated with any of them!
</warning>
36. Online Resources
• DNS-BH
$ wget -N http://dns-bh.sagadc.org/domains.txt
• Google SafeBrowsing
use Net::Google::SafeBrowsing2;
use Net::Google::SafeBrowsing2::Sqlite;
my $gsb = Net::Google::SafeBrowsing2->new(
    key     => "xxx",                    # your Safe Browsing API key
    storage => Net::Google::SafeBrowsing2::Sqlite->new(file => "google.db"),
);
$gsb->update();                          # refresh the local copy of the lists
my $match = $gsb->lookup(url => "http://evil.com");
if ($match eq MALWARE) { print "Listed as malware\n"; }
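Once a domain list such as the DNS-BH file has been fetched, something has to load it and match hostnames against it. As an added example (not from the talk, and not DNS-BH's or Google's code), the Python below parses a list in the one-domain-per-line style into a normalized set, matches a hostname against it and its parent domains (so a listed zone also catches its subdomains), and refuses single-label entries, which under parent matching would block an entire TLD. The list contents are a constructed sample.

```python
from urllib.parse import urlsplit

# Constructed sample in the one-domain-per-line style of domain blocklists;
# lines starting with '#' are comments.
SAMPLE_LIST = """\
# Malware domain list (constructed sample)
evil.example
Bad-Host.example.
# blank lines and comments are ignored

dropper.test
"""


def load_blocklist(text):
    """Parse a domain list into a frozenset of lowercased domains without a
    trailing dot. Single-label entries are refused: with parent-domain
    matching, an entry like 'com' would list every .com host."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not line:
            continue
        if "." not in line:
            raise ValueError("refusing single-label entry: %s" % line)
        domains.add(line)
    return frozenset(domains)


def is_listed(host, blocklist):
    """True if host itself or any parent domain (down to, but excluding,
    the bare TLD) is on the list."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def check_url(url, blocklist):
    """Extract the hostname from a URL and check it; non-URLs are not listed."""
    host = urlsplit(url).hostname
    return bool(host) and is_listed(host, blocklist)


if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_LIST)
    for url in ("http://cdn.bad-host.example/x", "https://safe.example/"):
        print(url, check_url(url, bl))
```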
45. Controls
• Security first!
• Strong controls must be implemented
• Authentication/Authorization
• Could break your compliance
• Use an OoB network
• Risk of DoS!
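The "Risk of DoS!" point deserves a concrete control: if indicators drive automatic blocking, a wrong or planted indicator can get your own gateway, resolver or partner blocked, and a flood of indicators can reconfigure the device into an outage. As an added example (mine, not the talk's), the Python below gates every automated block behind a never-block list and a per-window rate limit, returning a reason that can be logged for audit. The protected networks, limits and the injectable clock are assumptions for illustration.

```python
import ipaddress
import time


class BlockPolicy:
    """Decide whether an automated 'block this IP' action may be pushed.

    Two controls: addresses the business depends on are never blocked, and
    the number of automated blocks per time window is capped so the
    automation cannot be driven into a denial of service."""

    def __init__(self, protected_networks, max_blocks, window_seconds,
                 now=time.monotonic):
        self.protected = [ipaddress.ip_network(n) for n in protected_networks]
        self.max_blocks = max_blocks
        self.window = window_seconds
        self.now = now            # injectable clock, handy for tests
        self.accepted = []        # timestamps of blocks pushed in this window

    def evaluate(self, ip_text):
        """Return (allowed, reason). The action is recorded only when allowed."""
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            return False, "not an IP address: %r" % ip_text
        if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
            return False, "special-purpose address"
        for net in self.protected:
            if ip in net:
                return False, "inside protected network %s" % net
        t = self.now()
        self.accepted = [ts for ts in self.accepted if t - ts < self.window]
        if len(self.accepted) >= self.max_blocks:
            return False, "rate limit: %d blocks per %ds reached" % (
                self.max_blocks, self.window)
        self.accepted.append(t)
        return True, "ok"


if __name__ == "__main__":
    # constructed protected ranges: internal LAN and a DMZ
    policy = BlockPolicy(["10.0.0.0/8", "198.51.100.0/24"],
                         max_blocks=2, window_seconds=60)
    for candidate in ("10.0.0.2", "192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(candidate, policy.evaluate(candidate))
```

Keep the decision and its reason in the same log stream as the change itself; when a block is refused, a human should see why, and when one is pushed, the indicator that caused it should be traceable.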