Global Information Assurance Certification Paper - GIAC Certifications
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Global Information Assurance Certification Paper
Copyright SANS Institute
Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.
Interested in learning more?
Check out the list of upcoming events offering
"Security Essentials Bootcamp Style (Security 401)"
at http://www.giac.org/registration/gsecDRAGON – An Intrusion Detection System
Introduction
How any other tool for Intrusion Detection, Dragon is a good cost-effective option.
s.
ht
Dragon is a Network and Host IDS basically composed by these products: Dragon
Sensor, Dragon Squire and Dragon Server. In this document, I will present some
rig
information about all components that composed Dragon.
ull
f
Dragon
ns
Key fingerprint
The Dragon = AF19
solution FA27 2F94
includes three 998D FDB5 DE3D
basic building F8B5
blocks. 06E4
These areA169 4E46
Dragon Sensor,
tai
Dragon Squire and Dragon Server.
re
- Dragon Sensor is a network IDS that works on Linux and/or Unix. It monitors
or
network packets for traffic that may indicate network misuse and/or abuse.
th
- Au
Dragon Squire is a host based IDS. It monitors key system files for evidence
of abuse and can also receive security information from routers and firewalls
2,
via SYSLOG or SNMP.
00
- Dragon Server manages data from all of the Dragon Sensor and Dragon
-2
Squire engines. Based on Linux it also provides several real times, forensic
and trending web based interfaces for event analysis.
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Dragon Sensor
Dragon Sensor monitors live network packets and looks for signs of computer crime,
network attacks, network misuse and anomalies. When it observes an event, the Dragon
Sensor can send pages and e-mail messages, and then take action to stop the event and
s.
record it for future forensic analysis.
ht
rig
For signature selection, you can choose from over 1500 signatures. To be updated with
new signatures go to https://63.210.52.6/. All Dragon events are categorized into
ull
suspicious, probe, attack, compromise, success, failure, virus, collection and maintenance
groups. While other NIDS concentrate on attack and probe detection, the Dragon Sensor
f
can usually collect enough evidence to indicate if an attack has succeeded or failed.
ns
These
Key groupings= are
fingerprint AF19keyFA27
to reducing false FDB5
2F94 998D positives.
DE3D F8B5 06E4 A169 4E46
tai
re
Dragon Squire
or
th
Dragon Squire is a host-based intrusion detection and firewall monitoring system that
looks at system logs for evidence of malicious or suspicious application activity, and
Au
monitors key system files for evidence of tampering in real time. Dragon Squire has been
tuned to prevent high load levels and minimize any negative system impact to a server’s
2,
performance. Besides being an excellent system security tool, Dragon Squire can also
00
analyze firewall logs, router events and just about anything that can speak SNMP or
-2
SYSLOG.
00
Dragon Squire’s signature library includes suspicious events from a wide variety of
20
operating systems. These events check for suspicious file transfers, denied login attempts,
physical messages (like an Ethernet interface set to promiscuous mode) and system
te
reboots. The library also includes security messages from many applications and services
tu
such as Secure Shell, Sendmail, Qmail, Bind and Apache Web servers.
sti
Dragon Squire is a complement to the Dragon Sensor network IDS. There are many
In
network attacks (such as web attacks sent over an SSL connection) which the Dragon
Sensor (or any other NIDS) cannot observe. Correlating these host and network events
NS
(along with firewall information) is accomplished at the Dragon Server.
SA
Dragon Server
©
It provides an engine management, event alerting, analysis and correlation. Dragon
Server facilitates secure management of all Dragon Sensors and Dragon Squires. It also
aggregates all alerts into one central database so that disparate attack information can be
correlated.
Key The =Dragon
fingerprint Server2F94
AF19 FA27 includes
998Da variety of reporting
FDB5 DE3D F8B5 and
06E4analysis tools as well as
A169 4E46
the ability to customize alerts via e-mail, SNMP or SYSLOG messages.
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Dragon Sensor Architecture
Dragon Sensor is a network packet based intrusion detection system. It collects network
packets and analyzes them for a variety of suspicious activities. This suspicious activity
may indicate network abuse, probes, intrusions or vulnerabilities. Dragon Sensor is
s.
highly configurable and extremely fast. Multiple Dragon Sensors can operate jointly to
ht
provide enterprise coverage of complex networks.
rig
Dragon Sensor focuses on network performance and the collection of forensic evidence.
ull
A variety of analysis tools are included to process collected data. For example, these tools
sort through the collected data and produce flat log files, summary information, activity
f
graphs and rebuild network sessions for inspection.
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
Dragon Sensors take two configuration files named dragon.net and dragon.sigs which
re
control what type of network traffic and event data is logged to the hard drive. The
dragon.net file controls basic Sensor configuration, IP/TCP/UDP header anomalies, port
or
scan/sweep detection, policy driven events (such as finding new web servers), filtering,
th
SNMP alerting and protocol reconstruction. The dragon.sigs file specifies unique network
patterns which may indicate probes, attacks and compromises and many other types of
Au
network abuse.
2,
The Dragon Sensor basically logs to the hard drive because the component of the Dragon
00
Sensor/Squire/Server architecture which enables enterprise communication is a
-2
client/server program named Dragon Rider. For a Dragon Sensor being managed from a
Dragon Server, a Dragon Rider Client program would be placed onto the Dragon Sensor.
00
The Dragon Rider Client program watches all new event information being added to the
20
Sensor's event log and sends new events to the Dragon Server. If the Server has new
configuration information, the Dragon Rider Client will receive it and then restart the
te
Sensor with the new configurations.
tu
The only other file that is required by Dragon Sensor at start up is a 'key' file. This file,
sti
named dragon.key, performs license management. The dragon.key file is tied to a specific
In
set of Dragon functions. These are Dragon Sensor, Dragon Squire and Dragon Server. A
key file will contain one or more hostnames which have been authorized to become a
NS
Sensor, Squire or Server. All software can be installed on the same system, but the key
has to reflect that.
SA
A Dragon Sensor can be configured to be 100% stand-alone. That is, a Sensor can be
©
deployed such that no IP stacks on any of it's network interfaces exist. In this case, the
box must be managed from the physical console, or through a remote terminal server. In
many cases, Sensors are deployed with one interface utilizing an IP stack, or two
interfaces with only one IP stack. On any open network interface, it is highly
recommended
Key fingerprintto= secure the operating
AF19 FA27 system
2F94 998D before
FDB5 DE3Dinstalling the Dragon
F8B5 06E4 Sensor.
A169 4E46
Assuming that the box will only be administered by a small number of people, the focus
should be on disabling remote services such as Sendmail and Telnet. If tight host based
security is desired for the Dragon Sensor platform, consider deploying OpenBSD.
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Dragon Squire Architecture
Dragon Squire is a Host-Based IDS (HIDS) that can be run standalone or fully integrated
into the Dragon Server architecture. Events can either be stored locally on the HIDS
machine or forwarded to the Dragon Server and reported via the Dragon Fire interface. In
s.
either configuration Dragon Squire can generate SNMP traps for designated events.
ht
When storing the events locally, a set of the Dragon command line tools is stored on the
rig
machine to provide reporting and analysis capabilities.
ull
Squire's capabilities include the following:
f
FILE CHANGE MONITORING
ns
Files can= be
Key fingerprint defined
AF19 FA27in2F94
the Dragon SquireDE3D
998D FDB5 configuration file (dsquire.net)
F8B5 06E4 A169 4E46 by
tai
specifying a name of a file and the full pathname to the file. For each defined file,
re
many attributes can be monitored like: MD5 Hash Values, File Permissions, File
User Ownership, File Group Ownership, Inode Values, File Deletion, Truncated
or
Files, Growing Files and Modification Time Changes
th
These file definitions help to comprise a security policy for each Dragon Squire.
Security policies can be maintained via the Dragon Server web interface.
Au
SIGNATURE PROCESSING
2,
The contents of log files can be scanned to alarm if specified signature patterns
00
occur. This is configured by specifying a FILE_FORMAT describing the record
-2
layout for a defined file and then defining signatures that pattern match within the
FILE_FORMAT. The dsquire.net file contains the list of files to be monitored and
00
their log formats, and the dsquire.sigs file contains a list of signatures which are to
20
be applied to each file.
te
SERVICE MONITORING
tu
On Linux platforms, specific TCP and UDP services can be monitored to generate
events as services are started or existing services are terminated. The 'p roc' file
sti
system is monitored for notification of network service starts and terminations.
In
SNMP MONITORING
NS
Dragon Squire can also listen to a stream of SNMP traps from a variety of
devices. The SNMP traps may be from firewalls, from routers or from any other
SA
type of device which can generate a trap. Signatures can be written for application
to the received SNMP traps. This allows Dragon Squire agents to monitor a
©
variety of network devices.
Dragon Squire operates with the Dragon Server through the use of the Dragon Rider
Client which operates in a 'diskless' mode. By diskless, we mean that as long as the
network
Key connection
fingerprint to the
= AF19 Dragon
FA27 2F94Server
998D is present,
FDB5 DE3D detected eventsA169
F8B5 06E4 flow 4E46
immediately to
the Dragon Server.
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Dragon Server Architecture
The Dragon Server is the "hub" of all enterprise security operations for the entire Dragon
products. It can control many Dragon Sensors and Dragon Squire engines. It receives
information from them and presents the information for alerting and analysis to Dragon
s.
administrators. The Server is also the focal point for all configuration management of
ht
each engine. When administrators change an engine configuration, the Dragon Server
rig
will push the policy out to the modified Dragon engine.
ull
The major features of Dragon Server are:
f
Centralized Network IDS, Host IDS, Firewall and Network Monitoring
ns
The Dragon
Key fingerprint Server
= AF19 FA27brings
2F94event
998Dcentralization
FDB5 DE3DtoF8B5 the both
06E4theA169
Dragon
4E46Sensor and
tai
Dragon Squire products. Since Dragon Squire can monitor log feeds from many
re
major firewall vendors and several major network components (such as routers
and DNS servers), correlation of security events across all of these platforms
or
provides a complete security picture.
th
Encrypted Event Centralization Au
All Dragon Squire and Dragon Sensor engines can have their events centralized to
the Dragon Server. This process is accomplished through the use of a single
2,
BLOWFISH encrypted TCP connection. BLOWFISH is an extremely fast
00
encryption algorithm. Filters can be placed at each Dragon engine such that only
-2
certain types of event data get forwarded to the Server.
00
Engine Management
20
All Dragon engines can be managed individually or in groups. This makes
management of large numbers of engines very easy. Also, all management is
te
accomplished through a web interface which can be secured with any SSL web
tu
server.
sti
Custom Signature Management
In
The Dragon Server maintains several databases of known malicious network
traffic. Dragon Server administrators can write their own signatures and create
NS
their own custom signature libraries. All signature management is accomplished
through a web interface and hooks are in place to link to online resources from
SA
CERT, Bugtraq and the CVE project.
©
Live Signature Updates
Enterasys constantly monitors a variety of online security resources and quickly
writes Dragon Sensor and Dragon Squire signatures when new security threats are
published. Enterasys also conducts a variety of R&D efforts to produce entire
libraries=ofAF19
Key fingerprint signatures
FA27 which attempt
2F94 998D to detect
FDB5 DE3Dnew varieties
F8B5 06E4 of misuse.
A169 4E46Any
Dragon customer who has purchased a Dragon Sensor license can subscribe their
server to automatically download new signatures from Enterasys.
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Dragon Server Web Components
Dragon Server Web Interface
This web server interface is dedicated to management of the Dragon engine
configurations and will also monitor the performance of the engines as well. It is
s.
based on a combination of CGI-BIN PERL scripts and works with the Apache
ht
web server. Security can be enhanced by using an SSL version of the Apache web
rig
server.
ull
Dragon Fire
The Dragon Fire interface is also a set of CGI-BIN PERL scripts which can
f
analyze events collected at the Dragon Server. All analysis is performed on each
ns
day's logs.
Key fingerprint Suspicious
= AF19 events998D
FA27 2F94 can be correlated,
FDB5 DE3D sessions canA169
F8B5 06E4 be replayed
4E46 and
tai
many other forms of analysis are available as well.
re
Sorcerer
or
The Sorcerer application is a trending tool. It requires an SQL database to perform
th
long term storage of Dragon events. The web server interface to Sorcerer is also a
set of CGI-BIN PERL scripts which perform database queries to display trending
Au
information. The database can be kept entirely on a separate system which may
increase performance.
2,
00
Alarmtool
-2
The Alarmtool is used to send SNMP traps, SMTP emails, SMTP pages,
SYSLOG messages, or execute commands based on a policy. The policy is
00
defined through a custom web interface which generates a configuration file. The
20
'alarmtool' program receives events at the Dragon Server and then alerts the
Dragon dministrators.
te
tu
Dragon Console
Because Dragon Server databases can grow to extremely large sizes, using the
sti
Dragon Fire interface can become very slow. The Dragon Console allows Dragon
In
administrators to analyze events as they occur in real time. Several web interfaces,
similar to Dragon Fire, exist to help organize the recent events and make a variety
NS
of displays in real time. No event detail, such as packet payload, is available, but
up to 2,000,000 events can be stored in memory at one time. For large networks,
SA
this may be 2-5 days of typical event traffic. For small networks, this could be
several months worth of traffic.
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Conclusions
Security is possible, using the most up to date tools that are available, to protect against
virtually every type of threat that is currently known about. Unfortunately, new threats
and security holes in some software package or another are being discovered on a daily
s.
basis.
ht
rig
It is important in any environment to know what types of threats you might be facing. Be
aware of any potential security holes in your system, and take care to prevent attacks
ull
against these.
f
The Dragon tools and signatures are regularly updated to include information about new
ns
threats
Key as they are
fingerprint discovered,
= AF19 however
FA27 2F94 998Dit is important
FDB5 DE3DtoF8B5
keep06E4
up to A169
date with
4E46the latest
tai
version of these files.
re
or
References
th
1. Dragon Intrusion Detection Au
http://www.enterasys.com/ids/
2,
2. Intrusion Detection, Theory and Practice by David "Del" Elson, March 27, 2000
00
http://www.securityfocus.com/frames/index.html?focus=ids
-2
3. Ron Gula, Why Dragon ?, 1999
00
http://www.securitywizards.com/intro.htm
20
4. Documentation for Dragon Sensor
te
https://63.210.52.6/sensor/index.html
tu
5. Documentation for Dragon Squire
sti
https://63.210.52.6/squire/index.html
In
6. Documentation for Dragon Server
NS
https://63.210.52.6/server/index.html
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Last Updated: June 18th, 2020
Upcoming Training
Cyber Defence Australia Online 2020 , Australia Jun 22, 2020 - Jul 04, 2020 CyberCon
Instructor-Led Training | Jun 22 , PA Jun 22, 2020 - Jun 27, 2020 CyberCon
Live Online - SEC401: Security Essentials Bootcamp Style , United Arab Emirates Jun 24, 2020 - Jul 31, 2020 vLive
SANS Japan Live Online July 2020 , Japan Jun 29, 2020 - Jul 11, 2020 CyberCon
SANS Summer of Cyber | Jul 6 , VA Jul 06, 2020 - Jul 17, 2020 CyberCon
Live Online - SEC401: Security Essentials Bootcamp Style , United Arab Emirates Jul 13, 2020 - Aug 01, 2020 vLive
SANS SEC401 Europe Online July 2020 , United Arab Emirates Jul 13, 2020 - Jul 18, 2020 CyberCon
SANS Rocky Mountain Summer 2020 , CO Jul 20, 2020 - Jul 25, 2020 CyberCon
SANS Summer of Cyber | Jul 27 , NC Jul 27, 2020 - Aug 01, 2020 CyberCon
Instructor-Led Training | Aug 3 ET , MA Aug 03, 2020 - Aug 08, 2020 CyberCon
Instructor-Led Training | Aug 10 MT , WA Aug 10, 2020 - Aug 15, 2020 CyberCon
SANS SEC401 Europe Online August 2020 , United Arab Emirates Aug 10, 2020 - Aug 15, 2020 CyberCon
SANS SEC401 Multi-Week Europe Online 2020 , United Arab Emirates Aug 17, 2020 - Aug 28, 2020 vLive
Cyber Defence APAC Live Online 2020 , Singapore Aug 17, 2020 - Aug 22, 2020 CyberCon
Instructor-Led Training | Aug 17 ET , DC Aug 17, 2020 - Aug 22, 2020 CyberCon
SANS Virginia Beach 2020 Virginia Beach, VA Aug 30, 2020 - Sep 04, 2020 Live Event
SANS Virginia Beach 2020 - Live Online Virginia Beach, VA Aug 30, 2020 - Sep 04, 2020 CyberCon
SANS London September 2020 London, United Sep 07, 2020 - Sep 12, 2020 Live Event
Kingdom
SANS Baltimore Fall 2020 Baltimore, MD Sep 08, 2020 - Sep 13, 2020 Live Event
SANS Baltimore Fall 2020 - Live Online Baltimore, MD Sep 08, 2020 - Sep 13, 2020 CyberCon
SANS Munich September 2020 Munich, Germany Sep 14, 2020 - Sep 19, 2020 Live Event
SANS Network Security 2020 - Live Online Las Vegas, NV Sep 20, 2020 - Sep 25, 2020 CyberCon
SANS Network Security 2020 Las Vegas, NV Sep 20, 2020 - Sep 25, 2020 Live Event
SANS Australia Spring Online 2020 , Australia Sep 21, 2020 - Oct 03, 2020 CyberCon
SANS Northern VA - Reston Fall 2020 - Live Online Reston, VA Sep 28, 2020 - Oct 03, 2020 CyberCon
SANS Northern VA - Reston Fall 2020 Reston, VA Sep 28, 2020 - Oct 03, 2020 Live Event
SANS Amsterdam October 2020 Amsterdam, Netherlands Oct 05, 2020 - Oct 10, 2020 Live Event
SANS Tokyo Autumn 2020 Tokyo, Japan Oct 05, 2020 - Oct 17, 2020 Live Event
SANS Orlando 2020 Orlando, FL Oct 12, 2020 - Oct 17, 2020 Live Event
SANS October Singapore 2020 Singapore, Singapore Oct 12, 2020 - Oct 24, 2020 Live Event
SANS Orlando 2020 - Live Online Orlando, FL Oct 12, 2020 - Oct 17, 2020 CyberConYou can also read
