Once upon a time the argument was simple, RISC architecture was simply ahead of the game, by a long way, but guess what, x86 grew up, caught up, and overtook. These days, the performance you get out of multi-core x86 is significantly more than it’s RISC based equivalent. I realise that point could be considered contentious by the purists out there, but for mainstream computing in a world that is ever more cost concious, I struggle see how any argument for RISC can win over x86.

Once you have your x86 base, you can go with an x86 version of Solaris (not that you would) or thanks to Sun not playing silly games, you can actually use something useful, such as Redhat, Suse, Ubuntu or if you so desire, Novell.This additional flexibility is core to getting the base of your platform right. Large scale architectures need solid foundations to remain stable, perform and scale as desired.

Lets consider it for a moment. Sparc vs x86 & Solaris vs Linux, well to be honest, there is barley anything in the comparison except cost. Sun make x86 hardware based on multi-core AMD processors which are blisteringly fast and being manufactured by Sun, they are rock solid.

Now. If I were that retailer, I know where I would be looking to spend my money, but thats not what I am there to talk to them about, so I’ll keep it for my blog and not overstep my scope.

                          

Related posts

• Snort Rocks! (2)
• Linux Defence Tweaks (0)
• Free Security for All! (0)

Lets start with the TCP/IP stack. There are a number of quick easy wins here that can help defend against attacks through making the default behaviours of the stack more in-line with what we would like:

echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/lo/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "0" > /proc/sys/net/ipv4/conf/lo/log_martians
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "15" > /proc/sys/net/ipv4/ipfrag_time
echo "2048" > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo "2" > /proc/sys/net/ipv4/tcp_synack_retries

Now, that little lot above needs some caveats. Firstly, use at your own risk! Secondly, As per usual, you often get a small performance hit when you start getting more secure, so test each tweak fully before you go into production. Once your happy with the ones you like, add then to your /etc/rc.local or other start up file of your choice.

The next step is to use iptables to help deal with dodgy looking traffic.

Step 1, set-up a bunch of new chains:

$IPTABLES -N CHECK_FLAGS
$IPTABLES -N ALLOW_ICMP
$IPTABLES -N SRC_EGRESS
$IPTABLES -N DST_EGRESS

Step 2, now lets get those chains to do something useful:

$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit
        --limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "NMAP-XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit
        --limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/RST:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit
        --limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/FIN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A ALLOW_ICMP -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A ALLOW_ICMP -p icmp --icmp-type destination-unreachable
        -j ACCEPT
$IPTABLES -A ALLOW_ICMP -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A ALLOW_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
 
        for SRCNET in $EGRESS_NETS; do
                $IPTABLES -A SRC_EGRESS -s $SRCNET -j DROP
        done
 
        for DSTNET in $EGRESS_NETS; do
                $IPTABLES -A DST_EGRESS -d $DSTNET -j DROP
        done

Step 3, Apply the prior two steps to your input, forward and output chains as needed:

$IPTABLES -A $CHAIN -i $EXT_INT -j SRC_EGRESS
$IPTABLES -A $CHAIN -i $EXT_INT -j DST_EGRESS
$IPTABLES -A $CHAIN -i $EXT_INT -p icmp -j ALLOW_ICMP
$IPTABLES -A $CHAIN -i $EXT_INT -p tcp -j CHECK_FLAGS

Variables. In all of the above, variables are used to save typing!, here are some of the important variables, the rest are fairly self explanatory:

EGRESS_NETS="
        172.16.0.0/12
        224.0.0.0/4
        240.0.0.0/5
        14.0.0.0/8
        169.254.0.0/16
        172.16.0.0/12
        192.0.2.0/24
        192.88.99.0/24
        192.18.0.0/15
        0.0.0.0/8
        "

What we have just done is setup some new chains, apply some filters that can identify dodgy looking traffic and do something useful with it (limit it rather than drop it, as we don’t want to arouse suspicion with our attackers). Then apply all that nice Packet Mangling to each of our primary chains.

I provide all of this advice for free, with no guarantees, any use of the above code should be with full testing prior to its use in a production environment. Enjoy!

                          

Related posts

• Snort Rocks! (2)
• Free Security for All! (0)
• The Asymmetry of Security (0)
• Security as a Career (0)
• Press Coverage – January 2010 (0)

lets put it into perspective. First of all, you have to accept that open source software is your friend, then accept that just because it doesn’t have a “GUI” doesn’t mean its any more complex. Ok, now that you have accepted an alternate reality, it is time to look at some comparisons. Lets look at some good, typically expensive security controls, typically, usually reserved for Banks, because “they have the budget for it”.

We will start with IDS “Intrusion Detection System”, specifically, the network variety (NIDS), deployed across the infrastructure, and designed to spot malicious traffic flowing across your network and highlight suspicious activity that may be happening under the radar. If you were to buy one of the very excellent and very expensive commercial solutions, on a medium size network, you could be spending 6 figures before breakfast. That’s a serious hole in a security budget, so what other options exist? Well, for a start, “snort” an open source, well maintained and mature project that’s been around for years. Its 100% free, and will only cost you the physical hardware and some administrative overhead getting it up and running. Its very scalable, equally configurable and its signatures are maintained by a community of experts in the field. What more could you ask for? Ok, so the reality is, in our scenario of 6 figures for the commercial solution, the free one would likely cost you 10-20K in hardware and specialist labour, but whats 20K compared to £200,000K, I know which one I would prefer to sign off.

Next, lets look at another hot topic, SIMS “Security Information Management Solution”. This is another typically large investment to essentially, analyse logs generated by the infrastructure. Again, the concept has been available in open source for years. Syslog servers shipping logs to each other with some sort of Perl analysis scripting has been around forever, and again, its just the labour and hardware costs to consider.

What about Firewalls? The staple diet of all organisations of any size. Now, these can be quite cheap or ridiculously expensive. I have built, deployed and managed most of the top end ones, and can after a career of using them, I can happily say, I would deploy a well configured “iptables” firewall in Linux over a Cisco or Checkpoint any day of the week. Ok, so you don’t get the nice gui with all your 200 firewalls in, but, there are options…. Gui’s exist, and again, a specialist can easily make this whole concept easily manageable for any organisation. Now, if a key control for limiting the impact of a hack is through network segregation, then the ability to deploy low cost firewalls can only improve the overall security of the network

So, if I had a 1000 user network to protect, a budget of 500K and full autonomy. I would spend 100K on every open source solution available, home grow some of my own, contract a team of top class Linux / security gurus to get it all up and running, then sit back in my SOC “Security Operations Centre” and wait for the siren to go off! Of course, I would take the other 400K as my bonus

                          

Related posts

• Snort Rocks! (2)
• Linux Defence Tweaks (0)
• The Asymmetry of Security (0)
• Security as a Career (0)
• Press Coverage – January 2010 (0)

I can definatley say its come a long way. It was much easier to install, and only took a small amount of syntax debugging to figure out the configs. During my research / re-learning curve though it would seem that version 2.8 with the stream5 processor is not as good as version 2.4 with the flow processor at detecting portscans. This was certainley the concensus of the community, and after a bit of playing I can agree. However, I now have sfPortscan running with stream5 and its seems pretty accurate to me, so I am certainly happy with the results.

BASE is also a welcome move onwards from what used to be a very clunky interface. It seems light and intuitive, with decent features. I think it could do with the addition of some basic graphs, rather than having to use the graph engine to define your graphs each time, but on the whole i think it is certainly a good alternative to spending a large amount of money on a commercial product. Certainly the ability to abstract the managemnet interface, data storage and sensors from each other gives you a highly scaleable model to use a basis for a large scale deployment.

Of course, if you don’t fancy the pain of compiling code from scratch, or your just dam lazy, check out EasyIDS for a complete “IDS in a box” that gives you everything I just said with none of the hastle!

….You just can’t ingore the momentum that opensource has gained

                          

Related posts

• Linux Defence Tweaks (0)
• Free Security for All! (0)
• The Asymmetry of Security (0)
• Security as a Career (0)
• Press Coverage – January 2010 (0)