
Simple Network Defense System


Presentation Transcript


  1. Simple Network Defense System Shou-Chuan Lai Computer and Communication Center National Tsing Hua University

  2. Objective • Make our network as available as possible.

  3. Network Defense System • Internet Worm Detection Module • Automatic Router Control Module • Notification Module • Open Mail Relay Detection Module

  4. System Requirement • A NetFlow-capable device • Personal computers running a UNIX-like operating system (e.g., Linux, FreeBSD) • The Simple Network Defense System source code • Open-source software • flow-tools • apache • perl (libnet, Net-Server, Net-Telnet, Time-HiRes)

  5. Internet Worm Detection Module

  6. System requirement • NetFlow-enabled routers or devices (e.g. Cisco Catalyst 6509, or a mirror-enabled router/switch plus NetFlow export software) • Personal computers (e.g. Intel platform) • UNIX-like OS (e.g. Linux, FreeBSD, Solaris,…) • flow-tools (http://www.splintered.net/sw/flow-tools/) • Perl v5.6 or above • apache-1.x or above (http://httpd.apache.org/)

  7. Directory Structure • flow-scan (/usr/local/flow-scan/) • bin (system programs) • etc (configuration files) • flow (netflow data captured by flow-tools) • scan (scan files generated by flow-scan) • htdocs (html files generated by scan2html) • tmp (temporary space)

  8. Programs • flow2scan • Read flow files and convert to scan files • scan2html • Read scan files and convert to html files • html2idx • Read html files and generate an index html

  9. flow2scan • Program modules • MyFlow.pm (common subroutines) • MyScore.pm (score module) • MyRobot.pm (talk to router control robot) • Read flow files • read: /usr/local/flow-scan/flow/…. • Generate scan files • write: /usr/local/flow-scan/scan/…. • Send blocking command

  10. flow2scan (cont.) • Read flow files • each flow file holds 10 minutes of flow records • Find suspicious hosts • Check each suspicious host • Score each host (use MyScore.pm) • Block the problematic host if its score exceeds the pre-defined threshold (use MyRobot.pm)

  11. scan2html • Read scan files • read: /usr/local/flow-scan/scan/…. • Generate a html file for each scan file • write: /usr/local/flow-scan/htdocs/….

  12. html2idx • Search html files • read: /usr/local/flow-scan/htdocs/…. • Generate an index html file • write: /usr/local/flow-scan/htdocs/….

  13. Periodic Jobs • crontab.10min • flow2scan $router • scan2html $router • html2idx $router

  14. Configurations • flow-scan.txt • screen.txt (to be screened) • 192.168.128.0/17 • trust.txt (avoid being blocked) • 192.168.192.0/24 • worm.txt (list of worm types) • IP-SCAN-TCP-135

  15. flow-scan.txt • TOOL = "/usr/local/flow-tools/bin" • FLOW = "$FDIR/flow" • SCAN = "$FDIR/scan" • FTMP = "$FDIR/tmp" • FSUP = "$FETC/dscan.supress" • WORM = "$FETC/worm.txt" • TRUST = "$FETC/trust.txt" • SCREEN = "$FETC/screen.txt" • IP_RESERVED = "$FETC/IPv4-address.txt" • HTML = "$FDIR/htdocs/netflow" • HTML_REF = "/netflow" • HTML_URL = "http://netflow.myschool.edu.tw/netflow" • C6509 = "c6509" • C6509INT = "6"
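The scoring step of flow2scan (slides 9-10) together with the screen/trust/worm lists of slides 14-15 can be shown end to end. The block below is an added example and not flow-scan's own Perl code: it assumes the flow records have already been dumped to text in the order srcIP dstIP prot srcPort dstPort octets packets (the column order of `flow-print` from flow-tools), scores a source by the number of distinct destinations it probes on a worm port with one- or two-packet flows, and emits the `block-ip.pl ip tag comments` command of slide 22 for every host over an assumed threshold of 50. The sample flows, the extra worm.txt entries and the score weights are constructed for the demo.

```python
"""Worm-scan scoring over one 10-minute NetFlow file (added example, not flow-scan code)."""
import ipaddress
from collections import defaultdict

# worm.txt style: name -> (protocol, destination port). Only the first entry is on
# the slides; the other two are assumed examples.
WORMS = {
    "IP-SCAN-TCP-135": ("tcp", 135),
    "IP-SCAN-TCP-445": ("tcp", 445),
    "IP-SCAN-UDP-1434": ("udp", 1434),
}
PROTO = {"tcp": 6, "udp": 17}
SCREEN = [ipaddress.ip_network("192.168.128.0/17")]   # screen.txt: ranges we police
TRUST = [ipaddress.ip_network("192.168.192.0/24")]    # trust.txt: never blocked
THRESHOLD = 50                                        # assumed pre-defined threshold


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_flows(text):
    """Parse 'srcIP dstIP prot srcPort dstPort octets packets' lines; skip headers."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7 or not f[0][0].isdigit():
            continue
        src, dst = f[0], f[1]
        prot, sport, dport, octets, packets = (int(x) for x in f[2:])
        flows.append((src, dst, prot, sport, dport, octets, packets))
    return flows


def score_hosts(flows):
    """Return {src: (score, {worm: distinct destinations})} for screened, untrusted sources.

    Heuristic (assumed): a flow of at most 2 packets to a worm port is a probe;
    the score is the number of distinct hosts probed, summed over worm types.
    """
    targets = defaultdict(lambda: defaultdict(set))
    for src, dst, prot, sport, dport, octets, packets in flows:
        if not in_any(src, SCREEN) or in_any(src, TRUST):
            continue
        if packets > 2:            # a real session, not a SYN probe
            continue
        for name, (pname, port) in WORMS.items():
            if prot == PROTO[pname] and dport == port:
                targets[src][name].add(dst)
    result = {}
    for src, per_worm in targets.items():
        counts = {w: len(d) for w, d in per_worm.items()}
        result[src] = (sum(counts.values()), counts)
    return result


def hosts_to_block(flows, threshold=THRESHOLD):
    return sorted(src for src, (score, _) in score_hosts(flows).items() if score >= threshold)


def blocking_commands(flows, threshold=THRESHOLD):
    """argv for bin/block-ip.pl (slide 22): block-ip.pl ip-address tag comments."""
    cmds = []
    for src, (score, counts) in sorted(score_hosts(flows).items()):
        if score >= threshold:
            tag = max(counts, key=counts.get)          # the worm type seen most
            cmds.append(["block-ip.pl", src, tag, f"score={score}"])
    return cmds


def _probe_lines(src, dport, n, prot=6):
    """Constructed one-packet flows from src to n distinct hosts on dport."""
    return "\n".join(f"{src} 10.0.{i // 256}.{i % 256} {prot} {40000 + i} {dport} 48 1"
                     for i in range(n))


# Constructed sample file: one infected host, one trusted scanner, one outsider,
# one host below threshold, and one ordinary web session.
SAMPLE_FLOWS = "\n".join([
    "srcIP dstIP prot srcPort dstPort octets packets",
    _probe_lines("192.168.130.5", 135, 60),       # infected: 60 targets on tcp/135
    _probe_lines("192.168.192.7", 135, 80),       # in trust.txt: never blocked
    _probe_lines("10.9.9.9", 135, 80),            # outside screen.txt: ignored
    _probe_lines("192.168.140.2", 445, 12),       # 12 targets: under threshold
    "192.168.140.2 192.168.1.10 6 51234 80 80000 120",
])

if __name__ == "__main__":
    for cmd in blocking_commands(parse_flows(SAMPLE_FLOWS)):
        print(" ".join(cmd))
```

Scoring on distinct destinations rather than packet counts is what keeps a busy but legitimate server off the block list, and checking trust.txt before scoring is what keeps the department's own scanner from being cut off by its own defense system.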

  16. Installation • Download source tar file • http://cc.nthu.edu.tw/~chuan/ • Extract source tar file • cp flow-scan-0.90.tar.gz /usr/local • cd /usr/local • tar zxf flow-scan-0.90.tar.gz • ln -s flow-scan-0.90 flow-scan

  17. Installation (cont.) • Modify bin/MyFlow.pm • set FDIR • Modify etc/flow-scan.txt • set TOOL • set HTML_URL • set C6509INT • Modify etc/screen.txt • Modify etc/trust.txt

  18. Installation (cont.) • Test drive • flow2scan2 6509 • scan2html2 6509 • html2idx2 6509 • Setup crontab • 2,12,22,32,42,52 * * * * (cd /usr/local/flow-scan/bin; sh crontab.10min) > /dev/null 2>&1 • Play

  19. Automatic Router Control Module

  20. System Requirement • Supported Routers • Extreme with ExtremeWare 7.x • Cisco with IOS 12.x • Perl 5.6 or above • Net-Server module installed • Time-HiRes module installed

  21. Directory Structure • netguard (/usr/local/netguard/) • bin (binaries for human operation) • etc (configurations) • htdocs (notification web pages) • lib (system modules) • log (system logs) • sbin (daemon resides) • spool (IPC for registrar and netguard)

  22. Programs (bin) • block-ip.pl • block an IP address immediately • block-ip.pl ip-address tag comments • open-ip.pl • open an IP address immediately • open-ip.pl ip-address

  23. Programs (cont.) • book-open-ip.pl • book an IP address to be opened • book-open-ip ip-address • cron-open.pl • open booked IP addresses at specified alarm time (obtained from spool/book) • cron-open.pl

  24. Daemon Programs (sbin) • netguard.sh • start or stop the netguard module • netguard.sh (start|stop|restart) • monitor-netguard.sh • keeps netguard running (restarts it if it has stopped for any reason); run it from crontab • 1,11,21,31,41,51 * * * * (cd /usr/local/netguard/sbin; ./monitor-netguard.sh) > /dev/null 2>&1

  25. Daemon Programs (cont.) • registrar.pl • the central registrar: accepts commands from other programs over a socket and writes them to the file spool • started by netguard.sh • netguard.pl • the router control robot: reads commands from the file spool (/spool) and applies them to the routers • started by netguard.sh

  26. Program Modules (lib) • netguard.pm • contains the code that logs in to a supported router and configures its access control list for a specified IP address • currently supported routers: Cisco and Extreme

  27. Periodic Jobs • Open already booked IP addresses • crontab.daily • bin/cron-open.pl • example 30 7 * * * (cd /usr/local/netguard/bin; ./cron-open.pl)

  28. Configurations • registrar.conf • configuration required by the Net-Server module • netguard.conf • the router information needed to configure the controllable routers automatically • type (cisco|extreme);login;password;name • this file holds router passwords in clear text, so it should be readable only by the user netguard runs as

  29. Password and Port Setting • Server password and service port • change the setting in registrar.pl • Client password and port • change the settings in block-ip.pl, open-ip.pl, and book-open-ip.pl • change the programs which talk to netguard module in other detecting modules

  30. File Spool (spool) • The inter-process communication between registrar and netguard • each file represents the status of an IP address • archive (has become part of history) • block (is being blocked) • book (an open request has been booked) • book (an open request has been booked) • info (an immediate notification is required) • request (a command for netguard) • unblock (counts how often the address has been infected)
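The spool states of slide 30 are the glue between the tools of slides 22-23, the daily cron-open.pl job of slide 27 and the notification module, so it is worth seeing the life cycle of one address through them. The block below is an added example, not the project's Perl; it assumes a layout of one file per IP address under spool/<state>/, assumes that the unblock file carries a per-address counter (the slide only says it counts infection frequency), and stands in for the router login of netguard.pm with a callback. The timestamps and the address are constructed.

```python
"""Spool life cycle of one blocked address (added example, not netguard's own code)."""
from datetime import datetime
from pathlib import Path
import tempfile

STATES = ("archive", "block", "book", "info", "request", "unblock")


class Spool:
    """One file per IP address under spool/<state>/ (layout assumed from slide 30)."""

    def __init__(self, root):
        self.root = Path(root)
        for state in STATES:
            (self.root / state).mkdir(parents=True, exist_ok=True)

    def _f(self, state, ip):
        return self.root / state / ip

    # registrar side: what block-ip.pl / open-ip.pl / book-open-ip.pl ask for
    def request(self, action, ip, tag="", comment=""):
        self._f("request", ip).write_text(f"{action};{tag};{comment}\n")

    def book_open(self, ip, alarm):
        self._f("book", ip).write_text(alarm.isoformat() + "\n")

    # netguard side: consume requests and maintain the per-IP status files
    def process_requests(self, router_apply):
        """router_apply(action, ip) stands in for the netguard.pm login/ACL step."""
        done = []
        for req in sorted((self.root / "request").iterdir()):
            ip = req.name
            action, tag, comment = req.read_text().strip().split(";", 2)
            router_apply(action, ip)
            if action == "block":
                self._f("block", ip).write_text(f"{tag};{comment}\n")
                counter = self._f("unblock", ip)            # how often this host was caught
                hits = int(counter.read_text()) if counter.exists() else 0
                counter.write_text(str(hits + 1))
                self._f("info", ip).write_text(f"blocked;{tag}\n")   # picked up by cron-sendmail2.pl
            elif action == "open":
                blocked = self._f("block", ip)
                if blocked.exists():
                    self._f("archive", ip).write_text(blocked.read_text())
                    blocked.unlink()
            req.unlink()
            done.append((action, ip))
        return done

    def cron_open(self, now):
        """cron-open.pl: booked openings whose alarm time has passed become open requests."""
        opened = []
        for booking in sorted((self.root / "book").iterdir()):
            if datetime.fromisoformat(booking.read_text().strip()) <= now:
                self.request("open", booking.name)
                booking.unlink()
                opened.append(booking.name)
        return opened

    def status(self, ip):
        return [s for s in STATES if self._f(s, ip).exists()]

    def infection_count(self, ip):
        counter = self._f("unblock", ip)
        return int(counter.read_text()) if counter.exists() else 0


def demo():
    """Block a host, book it for reopening at 07:30, run cron-open.pl before and at the alarm."""
    applied = []
    spool = Spool(tempfile.mkdtemp())
    spool.request("block", "192.168.130.5", "IP-SCAN-TCP-135", "score=60")
    spool.process_requests(lambda action, ip: applied.append((action, ip)))
    spool.book_open("192.168.130.5", datetime(2004, 5, 10, 7, 30))
    early = spool.cron_open(datetime(2004, 5, 10, 7, 0))    # alarm not reached: []
    late = spool.cron_open(datetime(2004, 5, 10, 7, 30))    # alarm reached: ['192.168.130.5']
    spool.process_requests(lambda action, ip: applied.append((action, ip)))
    return spool, applied, early, late


if __name__ == "__main__":
    spool, applied, early, late = demo()
    print(applied, spool.status("192.168.130.5"), spool.infection_count("192.168.130.5"))
```

Routing every router change through request files gives one process (netguard.pl) exclusive ownership of the router logins, and the surviving archive/unblock files are what the notification module and the operator consult afterwards.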

  31. Notification Module

  32. System Requirement • Perl 5.6 or above • Apache 1.x or above • http://httpd.apache.org/

  33. Directory Structure • notify (/usr/local/notify/) • bin (program binaries) • etc (configurations and notification emails) • htdocs (notification web pages)

  34. Programs • cron-sendmail.pl • send daily notification • cron-sendmail2.pl • send notification once being blocked • genhtm.pl • generate notification web pages periodically

  35. Periodic Jobs • Notifications are delivered periodically • send a daily email, send an email as soon as an address is blocked, and regenerate the web pages every ten minutes • 10 8 * * * (cd /usr/local/notify; ./cron-sendmail) • 8,18,28,38,48,58 * * * * (cd /usr/local/notify/bin; ./cron-sendmail2) • 0,10,20,30,40,50 * * * * (cd /usr/local/notify/bin; ./genhtml.pl)

  36. Configurations • addressbook • address book used to send notification emails • dept:name:title:phone:fax:email • subnet • notes shown on the web pages • subnet:building:dept • inform.mail • the notification email sent daily • inform2.mail • the notification email sent as soon as an address is blocked

  37. Web Pages (htdocs) • ban-head.htm • the header part of the notification web pages • ban-tail.htm • the tail part of the notification web pages • index.htm • may be required for the apache web server

  38. Open Mail Relay Detection Module

  39. System Requirement • A remote server • to send the relay-test email from • to receive the test mail at • Perl 5.6 or above • libnet module installed • Pxytest • http://www.unicom.com/sw/pxytest/
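The module's test, as the slide describes it, has two halves: push a test message through the mail server under examination to an address on an unrelated domain, then check whether that message turns up at the remote mailbox. The block below is an added example and not the module's own libnet/Pxytest code. It carries out the SMTP dialogue against any object that offers readline() and write() (a socket.makefile() in a real run), stops at the first refusal, and tags the message with a token so the receiving side can recognise it. The server under test is a constructed stand-in whose delivered list plays the remote mailbox; the domains, addresses and reply texts are constructed too.

```python
"""Open-relay probe: SMTP transaction plus mailbox check (added example, not the module's code)."""


class FakeSMTP:
    """Constructed stand-in for the MTA under test (no network). Accepts RCPT for its
    own domain always and for foreign domains only when open_relay=True; relayed
    messages land in .delivered, which plays the remote mailbox in this demo."""

    def __init__(self, local_domain, open_relay):
        self.local_domain, self.open_relay = local_domain, open_relay
        self.replies = ["220 mx.example.edu ESMTP\r\n"]      # greeting queued first
        self.in_data, self.body, self.delivered = False, [], []

    def readline(self):
        return self.replies.pop(0)

    def write(self, text):
        lines = text.split("\r\n")
        if lines[-1] == "":
            lines.pop()
        for line in lines:
            self._handle(line)

    def _handle(self, line):
        if self.in_data:                                     # collecting message text
            if line == ".":
                self.in_data = False
                self.delivered.append("\r\n".join(self.body))
                self.body = []
                self.replies.append("250 2.0.0 queued\r\n")
            else:
                self.body.append(line)
            return
        verb = line.split(":")[0].split(" ")[0].upper()
        if verb == "RCPT":
            rcpt = line.split("<")[1].split(">")[0]
            if self.open_relay or rcpt.endswith("@" + self.local_domain):
                self.replies.append("250 2.1.5 ok\r\n")
            else:
                self.replies.append("554 5.7.1 Relay access denied\r\n")
        elif verb == "DATA":
            self.in_data = True
            self.replies.append("354 end with <CRLF>.<CRLF>\r\n")
        elif verb == "QUIT":
            self.replies.append("221 bye\r\n")
        else:
            self.replies.append("250 ok\r\n")


def send_probe(conn, probe_from, probe_to, token, helo="relaytest.myschool.edu.tw"):
    """One SMTP transaction through the target; returns (accepted, transcript)."""
    transcript = []

    def step(cmd, want):
        if cmd is not None:
            conn.write(cmd + "\r\n")
            transcript.append("C: " + cmd.splitlines()[0])
        reply = conn.readline()
        while reply[3:4] == "-":              # skip continuation lines of a multi-line reply
            reply = conn.readline()
        transcript.append("S: " + reply.rstrip())
        return reply.startswith(want)

    if not step(None, "220"):
        return False, transcript
    for cmd, want in (("HELO " + helo, "250"),
                      (f"MAIL FROM:<{probe_from}>", "250"),
                      (f"RCPT TO:<{probe_to}>", "250"),
                      ("DATA", "354")):
        if not step(cmd, want):               # refused: a closed relay answers 5xx at RCPT
            step("QUIT", "221")
            return False, transcript
    message = (f"From: <{probe_from}>\r\nTo: <{probe_to}>\r\n"
               f"Subject: relay-test {token}\r\n\r\n"
               f"open relay probe {token}\r\n.")
    accepted = step(message, "250")
    step("QUIT", "221")
    return accepted, transcript


def confirm_relayed(inbox, token):
    """Second half of the test: did the tagged probe reach the remote mailbox?"""
    return any(token in msg for msg in inbox)


def probe_target(open_relay):
    """Verdict for a constructed target: accepted at SMTP and seen in the remote mailbox."""
    target = FakeSMTP("example.edu", open_relay)
    token = "relaytest-20040510-0001"         # use a random nonce in real runs
    accepted, transcript = send_probe(target, "probe@sender.myschool.edu.tw",
                                      "inbox@remote.myschool.edu.tw", token)
    return accepted and confirm_relayed(target.delivered, token), transcript


if __name__ == "__main__":
    for relay in (True, False):
        verdict, transcript = probe_target(relay)
        print("open relay" if verdict else "not relaying", *transcript, sep="\n  ")
```

Requiring the message to actually arrive, rather than trusting a 250 at RCPT TO, is what makes the check robust against servers that accept everything and discard relayed mail later; the token is what lets the receiving side match a delivery to the server that was probed.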

  40. To Be Done

  41. ToDo List • Unify the perl modules used by all these codes • Support more routers: Juniper and Foundry

  42. Thank You!
