Page 1: Simple Network Defense System

Shou-Chuan Lai

Computer and Communication Center, National Tsing Hua University

Page 2: Objective

Make our network as available as possible.

Page 3: Network Defense System

• Internet Worm Detection Module
• Automatic Router Control Module
• Notification Module
• Open Mail Relay Detection Module

Page 4: System Requirement

• A NetFlow-capable device
• Personal computers running a UNIX-like operating system (e.g., Linux, FreeBSD)
• The Simple Network Defense System source code
• Open-source software: flow-tools, apache, perl (libnet, Net-Server, Net-Telnet, Time-HiRes)

Page 5: Internet Worm Detection Module

Page 6: System requirement

• NetFlow-enabled routers or devices (e.g. Cisco Catalyst 6509, or a mirror-enabled router/switch + NetFlow export software)
• Personal computers (e.g. Intel platform)
• UNIX-like OS (e.g. Linux, FreeBSD, Solaris, …)
• flow-tools (http://www.splintered.net/sw/flow-tools/)
• Perl v5.6 or above
• apache-1.x or above (http://httpd.apache.org/)

Page 7: Directory Structure

flow-scan (/usr/local/flow-scan/)
  • bin (system programs)
  • etc (configuration files)
  • flow (netflow data captured by flow-tools)
  • scan (scan files generated by flow-scan)
  • htdocs (html files generated by scan2html)
  • tmp (temporary space)

Page 8: Programs

• flow2scan: read flow files and convert them to scan files
• scan2html: read scan files and convert them to html files
• html2idx: read html files and generate an index html

Page 9: flow2scan

• Program modules
  • MyFlow.pm (common subroutines)
  • MyScore.pm (score module)
  • MyRobot.pm (talk to router control robot)
• Read flow files (read: /usr/local/flow-scan/flow/….)
• Generate scan files (write: /usr/local/flow-scan/scan/….)
• Send blocking command

Page 10: flow2scan (cont.)

• Read flow files; each flow file is a collection of 10 min of flow records
• Find suspicious hosts
• Check each suspicious host
  • Score each host (use MyScore.pm)
  • Block the problematic host if its score exceeds the pre-defined threshold (use MyRobot.pm)

Page 11: scan2html

• Read scan files (read: /usr/local/flow-scan/scan/….)
• Generate an html file for each scan file (write: /usr/local/flow-scan/htdocs/….)

Page 12: html2idx

• Search html files (read: /usr/local/flow-scan/htdocs/….)
• Generate an index html file (write: /usr/local/flow-scan/htdocs/….)

Page 13: Periodic Jobs

crontab.10min runs:

  flow2scan $router
  scan2html $router
  html2idx $router

Page 14: Configurations

• flow-scan.txt
• screen.txt (to be screened), example entry:
    192.168.128.0/17
• trust.txt (avoid being blocked), example entry:
    192.168.192.0/24
• worm.txt (list of worm types), example entry:
    IP-SCAN-TCP-135
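The detection loop of slides 10 and 14 (screen only the configured ranges, find hosts probing a worm port, score each host, block above a threshold unless the host is in trust.txt), as an added worked example in Python. This is not the project's flow2scan or MyScore.pm: the flow line layout, the reading of a worm.txt entry as "<kind>-SCAN-<proto>-<port>", the packet-count cutoff for a probe and the threshold of 20 distinct targets are all assumptions of this example, and instead of calling the router robot it returns the decision it would hand over.

```python
import ipaddress
from collections import defaultdict

# Modelled on the slide's screen.txt / trust.txt / worm.txt entries.
SCREEN = [ipaddress.ip_network("192.168.128.0/17")]   # address space to screen
TRUST = [ipaddress.ip_network("192.168.192.0/24")]    # never block
WORM_TYPES = ["IP-SCAN-TCP-135"]
THRESHOLD = 20            # assumed: distinct targets per 10-minute window
PROTO_NUM = {"TCP": 6, "UDP": 17}


def parse_worm_type(name):
    """'IP-SCAN-TCP-135' -> (6, 135); the naming scheme is an assumption."""
    _kind, _scan, proto, port = name.split("-")
    return PROTO_NUM[proto], int(port)


def parse_flows(text):
    """Parse a flow-print-like text dump (constructed layout):
    srcaddr srcport dstaddr dstport proto packets octets."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, _sport, dst, dport, proto, pkts, _octets = line.split()
        flows.append({"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                      "dport": int(dport), "proto": int(proto), "pkts": int(pkts)})
    return flows


def in_any(addr, nets):
    return any(addr in net for net in nets)


def find_suspicious(flows, worm_types=WORM_TYPES):
    """For each screened source, the distinct destinations hit per worm type."""
    sigs = {w: parse_worm_type(w) for w in worm_types}
    hits = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if not in_any(f["src"], SCREEN):
            continue
        for name, (proto, port) in sigs.items():
            # A scan probe is a tiny flow aimed at the signature port.
            if f["proto"] == proto and f["dport"] == port and f["pkts"] <= 3:
                hits[f["src"]][name].add(f["dst"])
    return hits


def score_host(host_hits):
    """MyScore.pm stand-in: the score is the number of distinct targets probed."""
    return sum(len(dsts) for dsts in host_hits.values())


def decide(flows, threshold=THRESHOLD):
    """Return (action, ip, tag, score); 'block' would go to the router robot,
    'skip-trusted' is only logged because the host is in trust.txt."""
    decisions = []
    for src, host_hits in find_suspicious(flows).items():
        score = score_host(host_hits)
        if score < threshold:
            continue
        tag = max(host_hits, key=lambda w: len(host_hits[w]))
        action = "skip-trusted" if in_any(src, TRUST) else "block"
        decisions.append((action, str(src), tag, score))
    return sorted(decisions)


def constructed_sample():
    """Constructed flow lines: a scanner inside the screened range, one in the
    trusted range, one outside the screen, and one ordinary web client."""
    lines = []
    for src, n in (("192.168.130.5", 25), ("192.168.192.9", 25), ("172.16.5.5", 25)):
        for i in range(n):
            lines.append(f"{src} {1024 + i} 10.0.{i // 250}.{i % 250 + 1} 135 6 1 48")
    lines.append("192.168.131.7 40000 10.0.0.9 80 6 12 9000")
    return "\n".join(lines)


if __name__ == "__main__":
    for decision in decide(parse_flows(constructed_sample())):
        print(*decision)
```

The trust check sits at the decision step rather than at parse time so that a trusted host's scanning still shows up in the scan files and on the generated web pages; only the blocking command is suppressed.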

Page 15: flow-scan.txt

  TOOL = "/usr/local/flow-tools/bin"
  FLOW = "$FDIR/flow"
  SCAN = "$FDIR/scan"
  FTMP = "$FDIR/tmp"
  FSUP = "$FETC/dscan.supress"
  WORM = "$FETC/worm.txt"
  TRUST = "$FETC/trust.txt"
  SCREEN = "$FETC/screen.txt"
  IP_RESERVED = "$FETC/IPv4-address.txt"
  HTML = "$FDIR/htdocs/netflow"
  HTML_REF = "/netflow"
  HTML_URL = "http://netflow.myschool.edu.tw/netflow"
  C6509 = "c6509"
  C6509INT = "6"

Page 16: Installation

• Download the source tar file from http://cc.nthu.edu.tw/~chuan/
• Extract the source tar file:

  cp flow-scan-0.90.tar.gz /usr/local
  cd /usr/local
  tar zxf flow-scan-0.90.tar.gz
  ln -s flow-scan-0.90 flow-scan

Page 17: Installation (cont.)

• Modify bin/MyFlow.pm: set FDIR
• Modify etc/flow-scan.txt: set TOOL, set HTML_URL, set C6509INT
• Modify etc/screen.txt
• Modify etc/trust.txt

Page 18: Installation (cont.)

• Test drive:

  flow2scan2 6509
  scan2html2 6509
  html2idx2 6509

• Setup crontab:

  2,12,22,32,42,52 * * * * (cd /usr/local/flow-scan/bin; sh crontab.10min) > /dev/null 2>&1

• Play

Page 19: Automatic Router Control Module

Page 20: System Requirement

• Supported routers
  • Extreme with ExtremeWare 7.x
  • Cisco with IOS 12.x
• Perl 5.6 or above
• Net-Server module installed
• Time-HiRes module installed

Page 21: Directory Structure

netguard (/usr/local/netguard/)
  • bin (binaries for human operation)
  • etc (configurations)
  • htdocs (notification web pages)
  • lib (system modules)
  • log (system logs)
  • sbin (daemons reside here)
  • spool (IPC for registrar and netguard)

Page 22: Programs (bin)

• block-ip.pl: block an IP address immediately

  block-ip.pl ip-address tag comments

• open-ip.pl: open an IP address immediately

  open-ip.pl ip-address

Page 23: Programs (cont.)

• book-open-ip.pl: book an IP address to be opened

  book-open-ip ip-address

• cron-open.pl: open booked IP addresses at the specified alarm time (obtained from spool/book)

  cron-open.pl

Page 24: Daemon Programs (sbin)

• netguard.sh: start or stop the netguard module

  netguard.sh (start|stop|restart)

• monitor-netguard.sh: keep netguard running (in case it stops for an unknown reason); should work with crontab:

  1,11,21,31,41,51 * * * * (cd /usr/local/netguard/sbin; ./monitor-netguard.sh) > /dev/null 2>&1

Page 25: Daemon Programs (cont.)

• registrar.pl: the central registrar, which accepts commands from other programs via a socket and writes the commands to the file spool; should be woken up by netguard.sh
• netguard.pl: the router control robot, which reads commands from the file spool (/spool); should be woken up by netguard.sh

Page 26: Program Modules (lib)

• netguard.pm: contains the code that logs in to the supported routers and configures the access control list for a specified IP address
  • currently supported routers: Cisco and Extreme

Page 27: Periodic Jobs

• Open already-booked IP addresses: crontab.daily runs bin/cron-open.pl; example:

  30 7 * * * (cd /usr/local/netguard/bin; ./cron-open.pl)

Page 28: Configurations

• registrar.conf: configuration required by the Net-Server module
• netguard.conf: configures the router information required to automatically configure the controllable routers; entry format:

  type (cisco|extreme);login;password;name

Page 29: Password and Port Setting

• Server password and service port: change the setting in registrar.pl
• Client password and port: change the settings in block-ip.pl, open-ip.pl, and book-open-ip.pl, and change the programs in the other detecting modules which talk to the netguard module

Page 30: File Spool (spool)

The inter-process communication between registrar and netguard; each file represents a status of an IP address:

  • archive (has become part of history)
  • block (is being blocked)
  • book (booked an open request)
  • info (an immediate notification required)
  • request (command the netguard)
  • unblock (counting infected frequency)
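How the bin/ programs, registrar.pl, netguard.pl and cron-open.pl can pass one IP address through the spool states listed on this slide (the programs and daemons of slides 22 to 25), as an added Python example that is not the project's own code. It assumes one JSON file per IP address in a directory per state, replaces the registrar's socket with direct method calls and the router login with a stub that only records ACL changes, and reads "unblock (counting infected frequency)" as a per-host counter incremented each time the host is opened.

```python
import json
import os
import tempfile

# The six spool states named on the slide; one file per IP address per state.
STATES = ("archive", "block", "book", "info", "request", "unblock")


class Spool:
    """Directory-per-state spool (an assumed layout, not the project's own)."""
    def __init__(self, root):
        self.root = root
        for state in STATES:
            os.makedirs(os.path.join(root, state), exist_ok=True)
    def _path(self, state, ip):
        return os.path.join(self.root, state, ip)
    def write(self, state, ip, data):
        with open(self._path(state, ip), "w") as fh:
            json.dump(data, fh)
    def read(self, state, ip):
        if not os.path.exists(self._path(state, ip)):
            return None
        with open(self._path(state, ip)) as fh:
            return json.load(fh)
    def remove(self, state, ip):
        if os.path.exists(self._path(state, ip)):
            os.remove(self._path(state, ip))
    def move(self, src, dst, ip):
        os.replace(self._path(src, ip), self._path(dst, ip))
    def listing(self, state):
        return sorted(os.listdir(os.path.join(self.root, state)))


class Registrar:
    """Stand-in for registrar.pl: the real one takes commands over a socket;
    here the bin/ programs are method calls that only write spool files."""
    def __init__(self, spool):
        self.spool = spool
    def block_ip(self, ip, tag, comments):      # block-ip.pl ip-address tag comments
        self.spool.write("request", ip, {"cmd": "block", "tag": tag, "comments": comments})
    def open_ip(self, ip):                      # open-ip.pl ip-address
        self.spool.write("request", ip, {"cmd": "open"})
    def book_open_ip(self, ip, open_at):        # book-open-ip ip-address (alarm time assumed)
        self.spool.write("book", ip, {"open_at": open_at})


class FakeRouter:
    """Records ACL changes instead of logging in to a Cisco or Extreme device."""
    def __init__(self):
        self.denied = set()
    def deny(self, ip):
        self.denied.add(ip)
    def permit(self, ip):
        self.denied.discard(ip)


class NetGuard:
    """Stand-in for netguard.pl: drains request/ and drives the router."""
    def __init__(self, spool, router):
        self.spool, self.router = spool, router
    def run_once(self):
        handled = []
        for ip in self.spool.listing("request"):
            req = self.spool.read("request", ip)
            if req["cmd"] == "block":
                self.router.deny(ip)
                self.spool.write("block", ip, req)
                # info/ is the hand-off the notification module would watch.
                self.spool.write("info", ip, {"event": "blocked", "tag": req["tag"]})
            elif req["cmd"] == "open":
                self.router.permit(ip)
                # unblock/ keeps a per-host infection count (assumed meaning).
                seen = self.spool.read("unblock", ip) or {"count": 0}
                self.spool.write("unblock", ip, {"count": seen["count"] + 1})
                if self.spool.read("block", ip) is not None:
                    self.spool.move("block", "archive", ip)
            self.spool.remove("request", ip)
            handled.append((req["cmd"], ip))
        return handled


def cron_open(spool, registrar, now):
    """Stand-in for cron-open.pl: bookings whose alarm time has passed become open requests."""
    due = [ip for ip in spool.listing("book") if spool.read("book", ip)["open_at"] <= now]
    for ip in due:
        spool.remove("book", ip)
        registrar.open_ip(ip)
    return due


def demo():
    """Walk one constructed host through block -> book -> cron-open -> open -> archive."""
    spool = Spool(tempfile.mkdtemp(prefix="netguard-spool-"))
    router, registrar = FakeRouter(), Registrar(spool)
    guard = NetGuard(spool, router)
    host = "192.168.130.5"                       # constructed address
    registrar.block_ip(host, "IP-SCAN-TCP-135", "flow2scan c6509")
    first = guard.run_once()
    blocked = sorted(router.denied)
    registrar.book_open_ip(host, open_at=100)
    early = cron_open(spool, registrar, now=50)
    late = cron_open(spool, registrar, now=200)
    second = guard.run_once()
    return {"first": first, "blocked": blocked, "early": early, "late": late,
            "second": second, "denied_after": sorted(router.denied),
            "archive": spool.listing("archive"), "block_dir": spool.listing("block"),
            "count": spool.read("unblock", host)["count"]}


if __name__ == "__main__":
    print(demo())
```

Keeping every state as a file on disk is what lets monitor-netguard.sh restart the robot without losing pending requests: anything still in request/ when netguard.pl died is simply picked up on the next run.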

Page 31: Notification Module

Page 32: System Requirement

• Perl 5.6 or above
• Apache 1.x or above (http://httpd.apache.org/)

Page 33: Directory Structure

notify (/usr/local/notify/)
  • bin (program binaries)
  • etc (configurations and notification emails)
  • htdocs (notification web pages)

Page 34: Programs

• cron-sendmail.pl: send daily notification
• cron-sendmail2.pl: send notification once being blocked
• genhtm.pl: generate notification web pages periodically

Page 35: Periodic Jobs

Notifications should be delivered periodically: send emails daily, send an email once being blocked, and generate web pages periodically.

  10 8 * * * (cd /usr/local/notify; ./cron-sendmail)
  8,18,28,38,48,58 * * * * (cd /usr/local/notify/bin; ./cron-sendmail2)
  0,10,20,30,40,50 * * * * (cd /usr/local/notify/bin; ./genhtml.pl)

Page 36: Configurations

• addressbook: address book used to send notification emails; line format:

  dept:name:title:phone:fax:email

• subnet: notes shown on the web pages; line format:

  subnet:building:dept

• inform.mail: the notification email sent daily
• inform2.mail: the notification email sent once being blocked
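Resolving a blocked address to the people who should hear about it and rendering inform2.mail for them, as an added Python example (not the project's cron-sendmail2.pl). The addressbook and subnet lines follow the two formats on this slide; the sample contacts and subnets are constructed, and the longest-prefix rule for overlapping subnets and the $placeholder names in the template are this example's assumptions.

```python
import ipaddress
import string
from collections import defaultdict

# Constructed files in the formats named on the slide (sample data, not real contacts).
ADDRESSBOOK = """\
# dept:name:title:phone:fax:email
EE:Alice Chen:Network Admin:31234:31235:alice@example.edu
EE:Bob Lin:Assistant:31236:31235:bob@example.edu
CS:Carol Wu:Network Admin:32234:32235:carol@example.edu
"""
SUBNET = """\
# subnet:building:dept
192.168.128.0/24:Delta Building:CS
192.168.130.0/23:EE Building:EE
192.168.130.0/24:EE Annex:EE
"""
# inform2.mail as a string.Template; the $placeholders are this example's assumption.
INFORM2_MAIL = """\
To: $emails
Subject: [netguard] $ip blocked ($tag)

Dear $names,

Host $ip in $building ($dept) was blocked at $when because it matched $tag.
Please clean the machine, then request reopening at $url.
"""


def parse_addressbook(text):
    """dept -> list of contact dicts."""
    book = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        dept, name, title, phone, fax, email = line.split(":")
        book[dept].append({"name": name, "title": title, "phone": phone,
                           "fax": fax, "email": email})
    return book


def parse_subnet(text):
    """list of (network, building, dept) in file order."""
    nets = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cidr, building, dept = line.split(":")
        nets.append((ipaddress.ip_network(cidr), building, dept))
    return nets


def locate(ip, nets):
    """Longest-prefix match, so the annex /24 wins over the building /23."""
    addr = ipaddress.ip_address(ip)
    matches = [n for n in nets if addr in n[0]]
    return max(matches, key=lambda n: n[0].prefixlen) if matches else None


def build_notice(ip, tag, when, url, nets=None, book=None, template=INFORM2_MAIL):
    """Return the rendered mail text, or None when nobody is responsible for ip."""
    nets = parse_subnet(SUBNET) if nets is None else nets
    book = parse_addressbook(ADDRESSBOOK) if book is None else book
    loc = locate(ip, nets)
    if loc is None:
        return None            # unknown subnet: the operator, not a department, must be told
    _net, building, dept = loc
    contacts = book.get(dept)
    if not contacts:
        return None
    return string.Template(template).substitute(
        ip=ip, tag=tag, when=when, url=url, building=building, dept=dept,
        emails=", ".join(c["email"] for c in contacts),
        names=", ".join(c["name"] for c in contacts))


if __name__ == "__main__":
    print(build_notice("192.168.130.77", "IP-SCAN-TCP-135", "2004-01-01 08:10",
                       "http://netflow.myschool.edu.tw/netflow"))
```

A host with no matching subnet line returns None rather than an empty recipient list, so the caller can route that case to the network centre instead of silently sending nothing.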

Page 37: Web Pages (htdocs)

• ban-head.htm: the header part of the notification web pages
• ban-tail.htm: the tail part of the notification web pages
• index.htm: may be required by the apache web server

Page 38: Open Mail Relay Detection Module

Page 39: System Requirement

• A remote server (to relay the testing email and to receive the testing mail)
• Perl 5.6 or above
• libnet module installed
• Pxytest (http://www.unicom.com/sw/pxytest/)

Page 40: To Be Done

Page 41: ToDo List

• Unify the perl modules used by all these codes
• Support more routers: Juniper and Foundry

Page 42: Thank You!