Understanding Security Onion: Network Security Monitoring Tools

Slide Note
Embed
Share

Security Onion is a Linux distribution designed for network security monitoring using various tools like Full Packet Capture, Network IDS, Host IDS, and Analysis Tools. It offers capabilities for detecting and responding to security incidents effectively, making it a valuable asset for defensive network security.

sadhbh
sadhbh Follow

Uploaded on Jul 29, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. IDS/IPS Incident Response

  2. What is Security Onion? A Linux distribution with various network security monitoring (NSM) tools Runs on Ubuntu Security Onion is to NSM as Kali is to pentesting Security Onion has three major components: Full packet capture Intrusion detection systems Network-based (NIDS) Host-based (HIDS) Analysis tools CSC-438 Defensive Network Security 2

  3. Full Packet Capture Capture all the things! Uses netsniff-ng Captures all the traffic, and stores as much as it can Security Onion will purge old data before the disks fill up CSC-438 Defensive Network Security Having a full capture is like having a recorder on your network Not for daily monitoring or hunting There to run down issues or incidents after the fact Attackers can t bypass a full capture 3

  4. Network IDS Rule Driven Snort and Suricata Uses fingerprints to match known malicious traffic Uses anomalous signatures to match suspicious traffic Kind of like antivirus but more flexible CSC-438 Defensive Network Security You can write custom rules and signatures Can use signatures from threat feeds 4

  5. Network IDS Analysis Driven Bro IDS Bro doesn t look for specific malicious or anomalous traffic Bro gathers data about the traffic Metadata Logs Connections DNS requests HTTP traffic SSL Certificates Files and more CSC-438 Defensive Network Security 5

  6. Host IDS OSSEC Free, open source HIDS for Windows, Linux, and Mac OS Agent to deploy on endpoints Log analysis CSC-438 Defensive Network Security File integrity checking Rootkit detection Real-time alerting Correlating host-based events with network-based events can be key 6

  7. Analysis Tools - Sguil The analyst console for network security monitoring Facilitates event driven analysis Provides visibility into the event data being collected CSC-438 Defensive Network Security A single GUI to view alerts Snort or Suricata alerts OSSEC alerts Bro HTTP events Can pivot from an alert into a packet capture 7

  8. Analysis Tools - Squert Web application interface to Squil Not a real-time interface for Sguil Not a replacement for Sguil Provides some visualizations of Sguil data CSC-438 Defensive Network Security Provides geo-IP mapping 8

  9. Analysis Tools - ELSA Enterprise Log Search and Archive ELSA Centralized syslog framework Web-based query interface for searching billions of logs Sift through logs that Security Onion collects And any syslog you send to ELSA CSC-438 Defensive Network Security Charting and graphing 9

  10. Analysis Tools Elastic Stack Elasticsearch, Logstash, Kibana ELK, Elastic Stack Store, search, and visualize data Logstash stores log data Elasticsearch searches log data CSC-438 Defensive Network Security Kibana dashboards and visualizations This is new to Security Onion, and not officially production ready Release candidate 1 released in late January 2018 10

  11. Deployment Scenarios Security Onion is setup in two parts: a sensor and a server Client-Server model The sensor is the client sends information back to the server Sensors can be placed throughout the network for additional visibility Server stores information, and includes analysis tools for processing CSC-438 Defensive Network Security The analyst logs in to the server Three deployment scenarios Standalone Server-sensor Hybrid 11

  12. Deployment Scenarios - Standalone A single machine running the sensor and server components Can be a physical machine or a VM Can have multiple network interfaces for monitoring different networks CSC-438 Defensive Network Security Easiest deployment for monitoring at a single location 12

  13. Deployment Scenarios Server-sensor A single machine runs the server component One or more separate machines run the sensor component Sensors report back to the central server Sensors run the sniffing, and store packet captures, alerts, and databases Analyst connects to the server Queries are distributed to the appropriate sensors CSC-438 Defensive Network Security Reduces network traffic, keeping the bulk of the data on the sensors 13

  14. Deployment Scenarios - Hybrid Standalone installation Server and sensor combination with one or more additional sensors reporting back to the server CSC-438 Defensive Network Security 14

  15. Hardware Requirements - Server If you re running just the server, requirements are down Intensive processing is left to the sensors 1-4 CPU cores 8-16gB RAM CSC-438 Defensive Network Security 100GB to 1TB of disk space 15

  16. Hardware Requirements - Sensor Snort, Suricata, and Bro are very CPU intensive The more traffic, the more CPU cores you ll need CPU - One core per worker 200Mbps per Snort, Suricata, or Bro worker Fully saturated 1Gbps link with Snort and Bro? 10 cores (5 Snort workers, 5 Bro workers) CSC-438 Defensive Network Security RAM It depends on traffic Minimum 3GB 50Mbps link 8GB+ 50-500Mbps link 16GB 128GB Storage Full packet capture takes a lot of space 50Mbps link, 540GB for one day of pcap Store for as long as you can useful for investigations after the fact ELSA will need space too 16

  17. Getting the traffic Make sure you ve got a good NIC Intel works well Will need 2 NICs one for sniffing, one for management Sniffing NIC is connected to a tap or span port Dumps a copy of all traffic Super cheap Netgear GS105E Config it to be an inline tap CSC-438 Defensive Network Security Many switches have port mirroring capabilities Various enterprise grade network taps available 17

Related


Preventing Active Timing Attacks in Low-Latency Anonymous Communication

Preventing Active Timing Attacks in Low-Latency Anonymous Communication

kmike
Developing Monitoring Tools for Programmatic Oversight

Developing Monitoring Tools for Programmatic Oversight

zdild
Analysis of Onion Routing Security and Adversary-based Metrics

Analysis of Onion Routing Security and Adversary-based Metrics

rus_n
Understanding Onion Routing for Enhanced Privacy Protection

Understanding Onion Routing for Enhanced Privacy Protection

marleyn
Understanding Flow Monitoring in OVS for Efficient Network Management

Understanding Flow Monitoring in OVS for Efficient Network Management

andreea
Analysis of

Analysis of "Valentine" by Carol Ann Duffy: Language, Structure, and Form

aishah
Internationalization Strategies for European University Alliances: The Onion or The Spider Approach

Internationalization Strategies for European University Alliances: The Onion or The Spider Approach

niara
Homemade Caramelised Onion Chutney Recipe

Homemade Caramelised Onion Chutney Recipe

reatama
Understanding Snort: An Open-Source Network Intrusion Detection System

Understanding Snort: An Open-Source Network Intrusion Detection System

farah
Continuous Monitoring of Water Quality in Little Bear River

Continuous Monitoring of Water Quality in Little Bear River

mjes
NIMH Clinical Research Education and Monitoring Program Overview

NIMH Clinical Research Education and Monitoring Program Overview

eyad
Metamodel-based Photovoltaic Monitoring System for Renewable Energies at Hongik University

Metamodel-based Photovoltaic Monitoring System for Renewable Energies at Hongik University

myfanwy
Unpredictable Arctic Monitoring Framework for Extreme Event Integration

Unpredictable Arctic Monitoring Framework for Extreme Event Integration

tre_ki
Network Slicing with OAI 5G CN Workshop Overview

Network Slicing with OAI 5G CN Workshop Overview

justice
Rethinking Network Monitoring: A Journey from Troubleshooting to Automation

Rethinking Network Monitoring: A Journey from Troubleshooting to Automation

hiro
Network Monitoring and Vulnerability Scanning Overview

Network Monitoring and Vulnerability Scanning Overview

hadiya
Understanding TCP/IP Networking Tools in Linux Administration

Understanding TCP/IP Networking Tools in Linux Administration

abraxas
Revolutionizing Network Management with Intent-Based Networking

Revolutionizing Network Management with Intent-Based Networking

manu
Framework for Building National Forest Monitoring Systems for REDD+

Framework for Building National Forest Monitoring Systems for REDD+

finnigan
Modeling and Generation of Realistic Network Activity Using Non-Negative Matrix Factorization

Modeling and Generation of Realistic Network Activity Using Non-Negative Matrix Factorization

sidra
BCA 601(N): Computer Network Security

BCA 601(N): Computer Network Security

danna
Progress of Network Architecture Work in FG IMT-2020

Progress of Network Architecture Work in FG IMT-2020

lonan
Network Compression Techniques: Overview and Practical Issues

Network Compression Techniques: Overview and Practical Issues

heron
Overview of Policy Service Node (PSN) Architecture

Overview of Policy Service Node (PSN) Architecture

tuva

More Related Content

Understanding the Importance of Monitoring in Achieving Goals
Understanding the Importance of Monitoring in Achieving Goals
Understanding Continuous Monitoring in Risk Management Framework (RMF)
Understanding Continuous Monitoring in Risk Management Framework (RMF)
Understanding Weird Logs in Zeek for Network Security Analysis
Understanding Weird Logs in Zeek for Network Security Analysis
Understanding Computer Communication Networks at Anjuman College
Understanding Computer Communication Networks at Anjuman College
Network Design Challenges and Solutions in Business Data Communications
Network Design Challenges and Solutions in Business Data Communications
Understanding 5G RAN Network Slicing and Architecture
Understanding 5G RAN Network Slicing and Architecture
Understanding Interconnection Networks Topology
Understanding Interconnection Networks Topology
Behavior Progress Monitoring for Individualized Instructional Planning
Behavior Progress Monitoring for Individualized Instructional Planning
Insights into the National Monitoring on ESD in Germany
Insights into the National Monitoring on ESD in Germany
Development Process for Impact Monitoring Programs in Wilderness
Development Process for Impact Monitoring Programs in Wilderness
Food Security and Nutrition Monitoring Survey Round 22 Trends
Food Security and Nutrition Monitoring Survey Round 22 Trends
Autism and Developmental Disabilities Monitoring Network 2020 Surveillance Summaries
Autism and Developmental Disabilities Monitoring Network 2020 Surveillance Summaries
Measuring and Monitoring the Tor Network: Privacy Risks and Transparency Challenges
Measuring and Monitoring the Tor Network: Privacy Risks and Transparency Challenges
Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication
Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication
Overview of Computer and Network Security Fundamentals
Overview of Computer and Network Security Fundamentals
Apache MINA: High-performance Network Applications Framework
Apache MINA: High-performance Network Applications Framework
Automated Anomaly Detection Tool for Network Performance Optimization
Automated Anomaly Detection Tool for Network Performance Optimization
Data Flows and Network Challenges in Particle Physics Infrastructure
Data Flows and Network Challenges in Particle Physics Infrastructure
Understanding Wireless Security Audits and Best Practices
Understanding Wireless Security Audits and Best Practices
Equity-Centered Agile Network Design for Higher Education Inclusion
Equity-Centered Agile Network Design for Higher Education Inclusion
Network Traffic Analysis with Wireshark: Examples and Techniques
Network Traffic Analysis with Wireshark: Examples and Techniques
Comprehensive Guide to Sewing Tools and Equipment
Comprehensive Guide to Sewing Tools and Equipment
Cyber Threat Detection and Network Security Strategies
Cyber Threat Detection and Network Security Strategies
Understanding LXI Network Security in Industrial Environments
Understanding LXI Network Security in Industrial Environments