Intrusion Detection recommendations

Rich Kulawiec rsk at gsp.org
Sat Feb 14 22:29:05 UTC 2015


On Sat, Feb 14, 2015 at 12:57:29PM -0600, Jimmy Hess wrote:
> By itself, a single install of Snort/Bro is not necessarily a complete
> IDS,  as it cannot inspect the contents of outgoing SSL sessions,  so
> there can still be Javascript/attacks against the browser, or SQL
> injection attempts encapsulated in the encrypted tunnels;    [...]

This reminds me to bring up a point that can't be stressed enough:
it's just as important to block *outbound* traffic as inbound.  Ask
Anthem.  Or Target.  Or the ghosts of the Trojans. ;)

If you have subsets of systems that have no need to make an outbound
connection, ever, then don't let them.  "block all log" is not only
your friend here, but it's your instant IDS, because if those systems
aren't supposed to be sending outbound traffic, and so much as a single
packet turns up in the logs, then something is going on that you'd
very much like to find out about. [1]

If you can't block all traffic, fine, block all and then permit
the 5-tuple

	{source, dest, source port, dest port, proto}

that is required to allow the necessary functionality.  And again,
*anything* else is a sign of a problem.

And if you can't block all traffic *everywhere*, then at least block
everywhere you can.  Start with the Spamhaus DROP and EDROP lists
(actually: block these directionally):

	http://www.spamhaus.org/drop

And then, if you can, use these:

	http://okean.com/asianspamblocks.html

And then, if you can, use these:

	http://ipdeny.com/

For example: you have an internal database server.  Every night, some
cron job kicks off and builds an exportable subset of that data, which
is then rsync'd to a production web server somewhere.  So that internal
database server only needs to reach 1 host on 1 port with 1 protocol.
Block all, then just allow that.

Another example: you sell stuff, but only in the US and Canada.  Why
would you allow traffic from Ukraine or Paraguay or Syria to reach
your ecommerce web server?  There is no positive outcome for you in
letting that happen.  So don't.  Use ipdeny.com, allow the US and CA,
block the world. (YES, you can still be attacked from those networks,
and YES your IDS/IPS will light up like a Xmas tree when you are, but
at least you won't have to wade through page after page of logs about
attacks from Taiwan...because you dropped their packets on the floor.)

Default-deny is your best friend and should be the first rule in every
firewall everywhere.  It's defense-by-default.  Default permit is like
allowing everyone into the bank vault and then walking through the crowd
trying to decide who to kick out.  So anywhere you possibly can,
block everything and then only allow traffic that's necessary to
accomplish the task(s) at hand.

I don't know if this approach would have saved Anthem or Target or
any of the rest.  Maybe.  Maybe not.  But (a) it may save the next one
and (b) it has a fighting chance of causing intrusions to make enough
noise in the logs that someone will notice and say "That's funny..."
before the roof caves in and Krebs has to write a blog entry about it.

---rsk

[1] But how will those systems do software updates?  From your local mirror,
which is the only system that can reach out to one of the "real" mirrors.
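As an added illustration of the "block all, log" instant-IDS idea in the post above (not code from the original message): a small checker that reads netfilter-style LOG lines from the internal database server and reports every outbound 5-tuple that is not the one rsync flow it is allowed to make. The host name, addresses, log prefix and the single permitted tuple are assumptions; the source port is a wildcard because a client's source port is ephemeral.

```python
import re
from collections import Counter

# Constructed sample of netfilter LOG output (kernel log format) as a
# "block all, log" egress policy would emit on the internal DB server.
# Host, addresses and the EGRESS prefix are assumptions for this example.
SAMPLE_LOG = """\
Feb 14 22:29:05 dbhost kernel: EGRESS IN= OUT=eth0 SRC=10.0.1.5 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=873
Feb 14 22:31:17 dbhost kernel: EGRESS IN= OUT=eth0 SRC=10.0.1.5 DST=198.51.100.7 PROTO=TCP SPT=41000 DPT=443
Feb 14 22:31:18 dbhost kernel: EGRESS IN= OUT=eth0 SRC=10.0.1.5 DST=198.51.100.7 PROTO=UDP SPT=40001 DPT=53
Feb 14 22:31:19 dbhost kernel: line without any packet fields
"""

# Permitted 5-tuples: {source, dest, source port, dest port, proto}.
# "*" matches anything. Only the nightly rsync to the web server is allowed.
ALLOWED = [
    ("10.0.1.5", "203.0.113.10", "*", "873", "TCP"),
]

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse_line(line):
    """Return the 5-tuple from a netfilter LOG line, or None if it has none."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # ICMP and similar have no ports; record "-" so the tuple shape is stable.
    return (m["src"], m["dst"], m["spt"] or "-", m["dpt"] or "-", m["proto"])

def is_allowed(tup, allowed=ALLOWED):
    """True if some allowlist rule matches the tuple field by field."""
    return any(all(a == "*" or a == t for a, t in zip(rule, tup)) for rule in allowed)

def find_violations(log_text, allowed=ALLOWED):
    """Return unexpected outbound 5-tuples with a count per tuple.
    A single packet outside the allowlist is already worth looking at."""
    hits = Counter()
    for line in log_text.splitlines():
        tup = parse_line(line)
        if tup is not None and not is_allowed(tup, allowed):
            hits[tup] += 1
    return hits

if __name__ == "__main__":
    for tup, n in find_violations(SAMPLE_LOG).items():
        print(f"unexpected egress x{n}: {tup}")
```

With a true block-all-then-permit ruleset every logged line is already a finding; running the allowlist over the log as well also catches a firewall rule that was accidentally written wider than the intended 5-tuple.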



More information about the NANOG mailing list