Intrusion Detection recommendations

Sat Feb 14 22:55:41 UTC 2015

Hello, I don't mean to hijack this thread, but I suppose its related -- I didn't know spamhaus could provide a BGP feed of "bad" prefixes like that (for a price it seems). Is anyone aware of other "free" providers of such naughty prefixes via BGP? I know Team Cymru has a bogon list that you can get via BGP session, just not aware of any others and these seem like a pretty good idea to have setup on your core.

Thanks

-----Original Message-----
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Rich Kulawiec
Sent: Saturday, February 14, 2015 3:29 PM
To: nanog at nanog.org
Subject: Re: Intrusion Detection recommendations

On Sat, Feb 14, 2015 at 12:57:29PM -0600, Jimmy Hess wrote:
> By itself, a single install of Snort/Bro is not necessarily a complete 
> IDS,  as it cannot inspect the contents of outgoing SSL sessions,  so 
> there can still be Javascript/attacks against the browser, or SQL
> injection attempts encapsulated in the encrypted tunnels;    [...]

This reminds me to bring up a point that can't be stressed enough:
it's just as important to block *outbound* traffic as inbound.  Ask Anthem.  Or Target.  Or the ghosts of the Trojans. ;)

If you have subsets of systems that have no need to make an outbound connection, ever, then don't let them.  "block all log" is not only your friend here, but it's your instant IDS, because if those systems aren't supposed to be sending outbound traffic, and so much as a single packet turns up in the logs, then something is going on that you'd very much like to find out about. [1]

If you can't block all traffic, fine, block all and then permit the 5-tuple

	{source, dest, source port, dest port, proto}

that is required to allow the necessary functionality.  And again,
*anything* else is a sign of a problem.

And if you can't block all traffic *everywhere*, then at least block everywhere you can.  Start with the Spamhaus DROP and EDROP lists
(actually: block these directionally):

	http://www.spamhaus.org/drop

And then, if you can, use these:

	http://okean.com/asianspamblocks.html

And then, if you can, use these:

	http://ipdeny.com/

For example: you have an internal database server.  Every night, some cron job kicks off and builds an exportable subset of that data, which is then rsync'd to a production web server somewhere.  So that internal database server only needs to reach 1 host on 1 port with 1 protocol.
Block all, then just allow that.

Another example: you sell stuff, but only in the US and Canada.  Why would you allow traffic from Ukraine or Paraguay or Syria to reach your ecommerce web server?  There is no positive outcome for you in letting that happen.  So don't.  Use ipdeny.com, allow the US and CA, block the world. (YES, you can still be attacked from those networks, and YES your IDS/IPS will light up like a Xmas tree when you are, but at least you won't have to wade through page after page of logs about attacks from Taiwan...because you dropped their packets on the floor.)

Default-deny is your best friend and should be the first rule in every firewall everywhere.  It's defense-by-default.  Default permit is like allowing everyone into the bank vault and then walking through the crowd trying to decide who to kick out.  So anywhere you possibly can, block everything and then only allow traffic that's necessary to accomplish the task(s) at hand.

I don't know if this approach would have saved Anthem or Target or any of the rest.  Maybe.  Maybe not.  But (a) it may save the next one and (b) it has a fighting chance of causing intrusions to make enough noise in the logs that someone will notice and say "That's funny..."
before the roof caves in and Krebs has to write a blog entry about it.

---rsk

[1] But how will those systems do software updates?  From your local mirror, which is the only system that can reach out to one of the "real" mirrors.