Tag Archives: GCIA

Security Onion Cloud Client – NSM for the Cloud

As of yesterday, SANS has accepted & published the whitepaper for my GCIA Gold, titled “The Security Onion Cloud Client – Network Security Monitoring for the Cloud.”

Abstract

 With “cloud” servers continuing to become ever more popular, along with typical off-site servers (VPS/Dedicated), Network Security Monitoring (NSM) practitioners struggle to gain insight into these devices, as they usually don’t have the ability to tap the network traffic flowing to and from the servers—To solve this problem, I propose designing a cross platform (Windows, Linux) NSM client that would integrate with Security Onion, a NSM-centric Linux distribution.  Essentially, the NSM client would copy traffic (near real time) to the Security Onion Sensor, which would then process the data as it would any other network tap.  This would allow NSM practitioners the visibility they need into their off-site servers that are not in a setting where a typical NSM setup would suffice.

This was a topic that has direct impact on what I do on a daily basis, as most of the organizations that I do work for have at least a couple Cloud servers. I will be taking the next couple months and integrating the Cloud Client into Security Onion…. Hopefully it will see the light of day on the Stable ppa by the end of the year.

As for the actual paper, until SANS puts it on their Reading Room, you can find a pdf of it here.

-Josh

Tagged , , , ,

Introducing… WinTAP

As part of my GCIA Gold project & paper that was recently published, Defensive Depth, in collaboration with New Tribes Mission USA, funded the development of WinTAP, a Daemonlogger clone for Windows.

The first iteration of WinTAP was a proof of concept that was essentially a .NET wrapper around WinPcap.  This worked well, but performance was not as well as could be hoped for.  The next iteration took the proof of concept, and instead of using WinPcap, implemented WinTAP as a kernel mode driver, using NDIS 6.0.  This allowed for much better performance and stability.

From the official description:

WinTap is a packet sniffer and soft-tap developed to mirror packets flowing through an Ethernet interface. It is purely based on the NDIS which allows us to sniff packets and rewrite them to a second interface acting as a soft-tap. WinTap consists of two components,

1. NDIS 6.0 based protocol driver.
2. User mode soft-tap.

These two act in tandem to create a soft-tap, where the protocol driver sniffs the traffic and delivers to the user mode application. User mode application does the redirection logic and returns the packets to be rewritten to second interface.

WinTAP is licensed under GPL 2; source can be found on Github.

 

Tagged , , ,

Passed the GIAC GCIA Exam…

Last month I passed the GIAC GCIA (Intrusion Analyst). I found the exam to be much more difficult than my previous GIAC Exams, primary for two reasons:

1) There were a number of tools that had been discussed in the class… There were a number of questions on the exam about these tools–Not “In what situation would you use this tool?” questions, but “What syntax would you use to get this output?” type questions. Most of the syntactical answers were esoteric switches that were neither mentioned in class, nor in my study books, which was why it was very frustrating to find it on the exam. I flagged these questions for review by GIAC, as I don’t think that they were legitimate.

2) The other reason why this exam was more difficult, was that a number of the questions requried a bit of actual work & calculation, instead of just looking up the right answer–Though this made the exam much more difficult, I thought it was a great change from my previous GIAC exams, as it took it one step closer to real life experience, rather than just “multiple-guess.”

I will be working on my GCIA Gold next.

 

-Josh

Tagged ,