[178102] in North American Network Operators' Group


RE: Intrusion Detection recommendations

daemon@ATHENA.MIT.EDU (Colin Bodor)
Sun Feb 15 15:10:47 2015

X-Original-To: nanog@nanog.org
From: Colin Bodor <colin.bodor@imperium.ca>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Sat, 14 Feb 2015 22:55:41 +0000
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Hello, I don't mean to hijack this thread, but I suppose it's related -- I didn't know Spamhaus could provide a BGP feed of "bad" prefixes like that (for a price it seems). Is anyone aware of other "free" providers of such naughty prefixes via BGP? I know Team Cymru has a bogon list that you can get via BGP session, just not aware of any others and these seem like a pretty good idea to have set up on your core.

Thanks


-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Rich Kulawiec
Sent: Saturday, February 14, 2015 3:29 PM
To: nanog@nanog.org
Subject: Re: Intrusion Detection recommendations

On Sat, Feb 14, 2015 at 12:57:29PM -0600, Jimmy Hess wrote:
> By itself, a single install of Snort/Bro is not necessarily a complete
> IDS, as it cannot inspect the contents of outgoing SSL sessions, so
> there can still be Javascript/attacks against the browser, or SQL
> injection attempts encapsulated in the encrypted tunnels; [...]

This reminds me to bring up a point that can't be stressed enough:
it's just as important to block *outbound* traffic as inbound. Ask Anthem. Or Target. Or the ghosts of the Trojans. ;)

If you have subsets of systems that have no need to make an outbound connection, ever, then don't let them. "block all log" is not only your friend here, but it's your instant IDS, because if those systems aren't supposed to be sending outbound traffic, and so much as a single packet turns up in the logs, then something is going on that you'd very much like to find out about. [1]

If you can't block all traffic, fine, block all and then permit the 5-tuple

	{source, dest, source port, dest port, proto}

that is required to allow the necessary functionality.  And again,
*anything* else is a sign of a problem.

And if you can't block all traffic *everywhere*, then at least block everywhere you can. Start with the Spamhaus DROP and EDROP lists
(actually: block these directionally):

	http://www.spamhaus.org/drop

And then, if you can, use these:

	http://okean.com/asianspamblocks.html

And then, if you can, use these:

	http://ipdeny.com/

For example: you have an internal database server. Every night, some cron job kicks off and builds an exportable subset of that data, which is then rsync'd to a production web server somewhere. So that internal database server only needs to reach 1 host on 1 port with 1 protocol.
Block all, then just allow that.

Another example: you sell stuff, but only in the US and Canada. Why would you allow traffic from Ukraine or Paraguay or Syria to reach your ecommerce web server? There is no positive outcome for you in letting that happen. So don't. Use ipdeny.com, allow the US and CA, block the world. (YES, you can still be attacked from those networks, and YES your IDS/IPS will light up like a Xmas tree when you are, but at least you won't have to wade through page after page of logs about attacks from Taiwan...because you dropped their packets on the floor.)

Default-deny is your best friend and should be the first rule in every firewall everywhere. It's defense-by-default. Default permit is like allowing everyone into the bank vault and then walking through the crowd trying to decide who to kick out. So anywhere you possibly can, block everything and then only allow traffic that's necessary to accomplish the task(s) at hand.

I don't know if this approach would have saved Anthem or Target or any of the rest. Maybe. Maybe not. But (a) it may save the next one and (b) it has a fighting chance of causing intrusions to make enough noise in the logs that someone will notice and say "That's funny..."
before the roof caves in and Krebs has to write a blog entry about it.

---rsk

[1] But how will those systems do software updates? From your local mirror, which is the only system that can reach out to one of the "real" mirrors.
