RE: Intrusion Detection recommendations

[Colin Bodor <colin.bodor () imperium ca>]

Hello, I don't mean to hijack this thread, but I suppose its related -- I didn't know spamhaus could provide a BGP feed 
of "bad" prefixes like that (for a price it seems). Is anyone aware of other "free" providers of such naughty prefixes 
via BGP? I know Team Cymru has a bogon list that you can get via BGP session, just not aware of any others and these 
seem like a pretty good idea to have setup on your core.

Thanks


-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Rich Kulawiec
Sent: Saturday, February 14, 2015 3:29 PM
To: nanog () nanog org
Subject: Re: Intrusion Detection recommendations

On Sat, Feb 14, 2015 at 12:57:29PM -0600, Jimmy Hess wrote:
> By itself, a single install of Snort/Bro is not necessarily a complete 
> IDS,  as it cannot inspect the contents of outgoing SSL sessions,  so 
> there can still be Javascript/attacks against the browser, or SQL
> injection attempts encapsulated in the encrypted tunnels;    [...]

This reminds me to bring up a point that can't be stressed enough:
it's just as important to block *outbound* traffic as inbound.  Ask Anthem.  Or Target.  Or the ghosts of the Trojans. 
;)

If you have subsets of systems that have no need to make an outbound connection, ever, then don't let them.  "block all 
log" is not only your friend here, but it's your instant IDS, because if those systems aren't supposed to be sending 
outbound traffic, and so much as a single packet turns up in the logs, then something is going on that you'd very much 
like to find out about. [1]

If you can't block all traffic, fine, block all and then permit the 5-tuple

        {source, dest, source port, dest port, proto}

that is required to allow the necessary functionality.  And again,
*anything* else is a sign of a problem.

And if you can't block all traffic *everywhere*, then at least block everywhere you can.  Start with the Spamhaus DROP 
and EDROP lists
(actually: block these directionally):

        http://www.spamhaus.org/drop

And then, if you can, use these:

        http://okean.com/asianspamblocks.html

And then, if you can, use these:

        http://ipdeny.com/

For example: you have an internal database server.  Every night, some cron job kicks off and builds an exportable 
subset of that data, which is then rsync'd to a production web server somewhere.  So that internal database server only 
needs to reach 1 host on 1 port with 1 protocol.
Block all, then just allow that.

Another example: you sell stuff, but only in the US and Canada.  Why would you allow traffic from Ukraine or Paraguay 
or Syria to reach your ecommerce web server?  There is no positive outcome for you in letting that happen.  So don't.  
Use ipdeny.com, allow the US and CA, block the world. (YES, you can still be attacked from those networks, and YES your 
IDS/IPS will light up like a Xmas tree when you are, but at least you won't have to wade through page after page of 
logs about attacks from Taiwan...because you dropped their packets on the floor.)

Default-deny is your best friend and should be the first rule in every firewall everywhere.  It's defense-by-default.  
Default permit is like allowing everyone into the bank vault and then walking through the crowd trying to decide who to 
kick out.  So anywhere you possibly can, block everything and then only allow traffic that's necessary to accomplish 
the task(s) at hand.

I don't know if this approach would have saved Anthem or Target or any of the rest.  Maybe.  Maybe not.  But (a) it may 
save the next one and (b) it has a fighting chance of causing intrusions to make enough noise in the logs that someone 
will notice and say "That's funny..."
before the roof caves in and Krebs has to write a blog entry about it.

---rsk

[1] But how will those systems do software updates?  From your local mirror, which is the only system that can reach 
out to one of the "real" mirrors.