Nirlog.com

Hurray…! My intense work for last couple of weeks has finally paid off. Yeah, I’ve just passed my SFCP (Source Fire Certified Professional) Certification Exam.

First briefly about the company - Sourcerfire was founded by the author of Snort (an open source network intrusion prevention and detection system). Snort is the most popular and widely deployed IDS/IPS and has become the de facto standard for the industry.

So, why do we need Sourcefire (very expensive) if Snort is the best and free?

Right, Snort is the best and free out there but it’s implementation, management and maintenance is not a piece of cake for everyone; that’s where sourcefire comes into play. Sourcefire uses snort at it’s heart to utilize it’s powerful IDS/IPS techonology, with added benefit of plug-n-protect simplicity (the purpose-built appliance is easy to install, maintain and manage), and it comes with tons of extra features that make it very powerful. Sourcefire adds an Adaptive IPS and Enterprise Threat Management (ETM) on top of the Snort IPS. It is managed via user-friendly and intuitive web interface, of course you can always do your advanced config from the shell because it’s a snort installed in a linux box anyway.

Components of Sourcefire 3D System

Sourcefire 3D System is comprised of two appliances (Sourcefire Defense Center and Sourcefire 3D Sensor).

Sourcefire Defense Center (DC) is a centralized management console to manage the sensors, centralized event aggregation and sensor policy administration.

Sourcefire 3D Sensors are purpose-built network security appliances that passively aggregate network and user intelligence while defending the network against internal and external threats.

3D Sensor Modules

Each Sourcefire 3D Sensor is capable of running any combination of the following four software components (you need to buy them separately):

Sourcefire IPS (Intrusion Prevention System) it’s the mighty snort running in background, where you can use rules-based detection engine and utilize the acclaimed Vulnerability Research Team (VRT) to protect your network. The IPS component is included in the base system.

Sourcefire RNA (Real-time Network Awareness) passively monitors real-time network traffic and gathers network intelligence, it can detect operating systems, services, applications, protocols, and potential vulnerabilities that exist on your network. This is a very useful component of Sourcefire but you’ll need to buy the RNA license separately.

Sourcefire RUA (Real-time User Awareness) helps to identify the user identity and contact information, it pairs Active Directory and LDAP usernames with host IP addresses involved in security and compliance events. You’ll need to buy the RUA license separately.

Sourcefire NetFlow Analysis is an optional component of Sourcefire’s Network Behavior Analysis (NBA) solution. It gives additional insight to network threats by aggregating and analyzing NetFlow from routers and switches.

Sourcefire 3D System deployment with Master Defense Center

OK that was about sourcefire. Here’s how you go about getting certified.

Read the rest of this entry »

After a vigorous job hunt of little more than a week, I’m glad to let you all know that I’ve joined Vanco (Reliance Globalcom, Anil Dhirubhai Ambani Group) as a Security Engineer, which provides global managed network solutions with assets and expertise of FLAG, Vanco and Yipes:

Delivering customer-focused managed network and application delivery solutions that leverage a global network with unrivalled reach, depth and breadth to multinational, service provider and global carrier clients. Over 1400 enterprise customers and 200 carriers depend upon Reliance Globalcom to manage business-critical network solutions and address complex requirements for their businesses and partners throughout the world

Vanco is now Reliance Globalcom, Anil Dihrubhai Ambani group, which is also well known because of it’s chairman Anil Ambani, currently 6th on The World’s Billionaires List.

I feel myself privileged and honored to have this opportunity. At Vanco my role will be exclusively focusing on security, I’m really excited about it. This is a perfect opportunity for me to bring forward my previous network/security expertise as well as learn and grow at this truly global organization.

GFI LANguard Network Security Scanner is a very easy to use yet powerful commercial Network vulnerability scanning, patch management and auditing tool. If you have a small network with few computers then it’s easy to keep track of the softwares installed and do the patching manually, but for larger networks it would be a nightmare to do everything manually. This is where tools like GFI LANguard NSS come in to help network/system admins. GFI LANguard NSS makes use of the vulnerability check databases based on OVAL and SANS Top 20, providing over 15,000 vulnerability assessments when your network is scanned. It is one of the best commercial network security scanner and patch management tool available.

I’ve installed and tested it in my WinXP SP2 running on my MacBook Pro Vmware Fusion, and this is what I found.

Read the rest of this entry »

If you’re running a web site and have come to a point where a single web server cannot handle the traffic, then it’s time to get multiple web servers and share the loading. To do that you’ll need a load balancer which distributes the web traffic among multiple web servers.

Basically you’ve two choice — go for the hardware solutions (expensive with many nice features) or software solutions (possibly free but with limited features). If you want a free and open source solution then Pound is the choice.

Pound is a Free Open Source reverse-proxy, load balancer, SSL wrapper, http/https sanitizer, fail over server and a request redirector:

1. a reverse-proxy: it passes requests from client browsers to one or more back-end servers.
2. a load balancer: it will distribute the requests from the client browsers among several back-end servers, while keeping session information.
3. an SSL wrapper: Pound will decrypt HTTPS requests from client browsers and pass them as plain HTTP to the back-end servers.
4. an HTTP/HTTPS sanitizer: Pound will verify requests for correctness and accept only well-formed ones.
5. a fail over-server: should a back-end server fail, Pound will take note of the fact and stop passing requests to it until it recovers.
6. a request redirector: requests may be distributed among servers according to the requested URL.

Pound is built with security in mind, it can run as setuid/setgid and/or in a chroot jail. It’s a very small, robust and efficient program.

It’s very easy to install and configure.

Read the rest of this entry »

When I read Mahabir Pun’s story about how he brought the wireless technology to a remote mountainous village of Nepal called Nangi, I was amazed by his determination! What an inspirational story of a man with a noble cause. It really gave me goose bumps, I just thought what a difference one committed individual can make to a society. With his determination, hard-work, and dream, he changed the lives of all the people of Nangi village for better. What a meaningful way to use the technology and what a wonderful way to live this life. I sincerely wish I could do something like that. I’ve written to Mr Pun and hopefully I could be helpful to his project in someways.

Relay Station 2, Khopra with Antennas Pointing to Different Villages Elevation 3,600m (~12,000 ft)
More Photos

Read the rest of this entry »

How do you monitor your network traffic? Of course using MRTG, you might say. Yes, that’s true, MRTG does an excellent job of monitoring traffic across networks and devices (router/switches). But when you see an abnormal traffic in MRTG, how do you find out what is generating that extra abnormal traffic? This is where ntop comes into play. Basically, MRTG shows you a bigger picture, whereas ntop lets you zoom into individual networks and hosts, and gives you enough information to pinpoint the hosts or devices generating extra/abnormal traffic.

ntop is a tool that shows network traffic usage. It is based on libpcap and when installed in a place where it can capture network traffic (hub or a mirrored port of a switch), it logs and reports information concerning IP and Fibre Channel traffic generated by each host in the network. ntop has a very rich and user-friendly web interface for reporting.

This is what ntop can do for you:

* Sort network traffic according to many protocols
* Show network traffic sorted according to various criteria
* Display traffic statistics
* Store on disk persistent traffic statistics in RRD format
* Identify the indentity (e.g. email address) of computer users
* Passively (i.e. withou sending probe packets) identify the host OS
* Show IP traffic distribution among the various protocols
* Analyse IP traffic and sort it according to the source/destination
* Display IP Traffic Subnet matrix (who’s talking to who?)
* Report IP protocol usage sorted by protocol type
* Act as a NetFlow/sFlow collector for flows generated by routers (e.g. Cisco and Juniper) or switches (e.g. Foundry Networks)
* Produce RMON-like network traffic statistics

Read the rest of this entry »

After switching to a mac, I tried many desktop password managers, and had written about Password Managers for OS X, which got a lot of attention. It’s needless to mention the importance of using a password manager since we use passwords to protect almost everything digital, and we’ve so many of them today. Currently we trust most of our private data like, emails, bookmarks, documents, spreadsheets and calendar events to some online providers like Google, Yahoo or Microsoft. So, how about your secrets and passwords stored online, somewhere in the cloud? I know what your immediate response is, passwords? No way I’m going to store my passwords online! But you might want to give a second thought because now the technology is secure enough. Thanks to Host-Proof Hosting. If the owners of the servers wanted to mess around with your information, or even if the server gets hacked, they won’t be able to recover your data. In Host-Proof Hosting the sensitive data is always transmitted to the server in encrypted from using a pass-phrase. The good thing is that, this pass-phrase is never transmitted to or stored in the server. The server can never access the stored data in it’s plain form. All the encryption and decryption takes place in the client side, inside the browser. This is basically a “Zero-Knowledge” web application, where the provider knows nothing about your actual data.

* User enters pass-phrase to begin using the system. Browser retains the pass-phrase as a global variable.
* User requests a list of all data belonging to him.
* For each record, the system stores the associated user ID in plain-text, the record ID in plain form, and the record content only in encrypted form. (The message content is one or more database columns, each encrypted.) Thus, system is able to return a list of record IDs for this user.
* User selects one of the record IDs.
* System checks that this user ID is associated with the record ID, and returns the corresponding message content.
* Browser uses stored pass-phrase to decrypt the contents.

Ok, with that background if you’re ready to store your sensitive information online, here are few choices for you.

Read the rest of this entry »

The benefits of designing and testing complex networks in simulated environments are obvious to network professionals and companies. It lets them test the network configurations before implementing it in the real world, and the good thing is that, they can do this without investing any money in expensive hardwares. Virtual networks are also excellent tools for academic and certification purposes like CCNA, CCNP or CCIE, where students can get hands-on experience configuring cisco routers.

Currently Cisco is the leader in Networking market, and Linux, the leader in Server market. So, if you want to test your complex (or not so complex) network configurations before buying any actual linux servers or the very expensive cisco routers, then you can use Dynamips to simulate Cisco Router/Switch and VNUML (Virtual Network User Mode Linux) to simulate your linux servers/routers. Both Dynamips and VNUML are open source and free.

Read the rest of this entry »

There are many things you can and should do to keep your system and network secure. As the saying goes — “Security is not a single event or a product, it’s a process”. So, you’ve to keep up with all the changes, installing firewalls, IDS/IPS, network security monitoring, auditing, making security policies, password policies, email policies and so on… Yes, all of them are very important and you’ll be dealing with most them depending on your security requirements. But there’re some basic things every network and system admin should follow. Personally, I’ve found 4 things that are very simple yet effective in securing your systems.

Read the rest of this entry »

Snort has always been, and still is my favorite IDS (Intrusion Detection System) although I manage many UTM (Unified Threat Management) Firewalls with built in IPS/IDS (Intrusion Detection/Prevention) now. The commercial UTM Firewalls with IPS/IDS are easy to use and configure but they come with a high price tag and aren’t easy to customize. Even though snort is not that easy to install, configure and manage it still is the most popular IDS/IPS today because of the fact that it is open source, free, easily customizable, easy to create rules, signatures are always kept up-to-date by its community and plenty of excellent documentation, guides and books.

Snort captures enormous amount of data from the network and generates alert based on the rules and signatures. There’re currently 3 excellent and relatively user friendly ways to manage and analyze the snort data:
Read the rest of this entry »