Posted: 8th September 2013 by Josh in SANS
Tags: Cloud, GCIA, NSM, SANS, SecurityOnion
As of yesterday, SANS has accepted & published the whitepaper for my GCIA Gold, titled “The Security Onion Cloud Client – Network Security Monitoring for the Cloud.”
With “cloud” servers continuing to become ever more popular, along with typical off-site servers (VPS/Dedicated), Network Security Monitoring (NSM) practitioners struggle to gain insight into these devices, as they usually don’t have the ability to tap the network traffic flowing to and from the servers—To solve this problem, I propose designing a cross platform (Windows, Linux) NSM client that would integrate with Security Onion, a NSM-centric Linux distribution. Essentially, the NSM client would copy traffic (near real time) to the Security Onion Sensor, which would then process the data as it would any other network tap. This would allow NSM practitioners the visibility they need into their off-site servers that are not in a setting where a typical NSM setup would suffice.
This was a topic that has direct impact on what I do on a daily basis, as most of the organizations that I do work for have at least a couple Cloud servers. I will be taking the next couple months and integrating the Cloud Client into Security Onion…. Hopefully it will see the light of day on the Stable ppa by the end of the year.
As for the actual paper, until SANS puts it on their Reading Room, you can find a pdf of it here.
Posted: 5th September 2013 by Josh in Uncategorized
Tags: GCIA, NewTribesMission, SANS, WinTAP
As part of my GCIA Gold project & paper that was recently published, Defensive Depth, in collaboration with New Tribes Mission USA, funded the development of WinTAP, a Daemonlogger clone for Windows.
The first iteration of WinTAP was a proof of concept that was essentially a .NET wrapper around WinPcap. This worked well, but performance was not as well as could be hoped for. The next iteration took the proof of concept, and instead of using WinPcap, implemented WinTAP as a kernel mode driver, using NDIS 6.0. This allowed for much better performance and stability.
From the official description:
WinTap is a packet sniffer and soft-tap developed to mirror packets flowing through an Ethernet interface. It is purely based on the NDIS which allows us to sniff packets and rewrite them to a second interface acting as a soft-tap. WinTap consists of two components,
1. NDIS 6.0 based protocol driver.
2. User mode soft-tap.
These two act in tandem to create a soft-tap, where the protocol driver sniffs the traffic and delivers to the user mode application. User mode application does the redirection logic and returns the packets to be rewritten to second interface.
WinTAP is licensed under GPL 2; source can be found on Github.
Posted: 11th March 2013 by Josh in Uncategorized
Between a new baby, moving to Florida, and working on my MSISE, it has been a crazy 8 months…. I have a couple new posts that I am working on:
1) Teaching Digital Security to End Users – A New Framework
2) Distributed IDS: OSSIM vs. Security Onion - Or, why I am going with SO
I hope to get these out within the next 6 weeks.