Lessons learned while working in Information Security.
moc.navat@ymerej
I decided, during my recent SANS overview course’s day on defensive network infrastructure, that I really don’t know enough about networking. Sure, I had the basics down - the OSI model, getting computers to talk to each other over TCP/IP, CIDR notation, how to crimp a functional RJ45 patch cable, &c. - but I had never had to learn how enterprise networks go together. My employer has a large department to take care of that; I just have to use the thing. But I’m not comfortable just using the thing. So I decided to teach myself networking and network security by building the most complicated home network in California. This may be an exaggeration, but probably not by a whole lot.
I’m not going to put a complete network diagram in this blog post (if you’re interested in the details, get in contact with me and I’d be happy to discuss it), but let’s go over some of the most interesting features of what I’ve done so far and what’s planned.
One of the first things I bought was a virtualization server, because I knew that I wanted to pull most of the services running on my network off of the desktop computers currently running them and place them on a power-efficient, modern virtualization system. I’m running Proxmox 4 as the base management system, and have a number of KVM virtual machines and LXC containers in place and planned. Unfortunately, I’m currently experiencing severe performance issues between the LXC containers and the outside network via the virtio network drivers and an Open vSwitch bridge on the host. Does anyone know what causes these <1kB/s throughputs? Please contact me!
The server itself is a mini-ITX motherboard with one of the new Intel Xeon 1540D chips on board. 8 cores, 16 threads, and 45W TDP. Talks to >64GB of DDR4, has piles of SATA ports and five network ports (two 1Gig, two 10Gig copper, one IPMI). Slapped that plus a couple ZFS mirrored 1TB SSDs in a cute little 2U rackmount box from PLinkUSA and I have most all the compute I need for services on the network.
Netgear sell a 24-port managed gigabit switch with two copper and two SFP+ 10GigE ports for $500. Wat. I’m pretty impressed with the thing so far - enough so that I plan on buying a second one for my media room and connecting the two via fiber for a single integrated management interface. Plus, I have configured one of the copper 10Gig ports as a mirror port for monitoring and the other serves as my virtualization box’s trunk port. Channel bonding? Sure - it does that. I have my NAS plugged in via four channel-bonded 1Gig ports. That took all of about 2 minutes to set up.
My router is a KVM virtual machine running pfSense. I’d never played with pfSense before, but I’m really impressed. It’s like someone took all those web GUIs from home routers, configured them for every feature you could possibly ever want, and removed all the extraneous graphical crap. It even has a package management system for adding more features - installing NUT for talking to my UPS’s SNMP interface was about a 5 minute job. The only real issue I have with pfSense is that the firewall rules are basically backwards from what I’m used to: you write rules on the interface facing the network that is ORIGINATING the traffic (as it enters the firewall), not on the destination network in terms of what’s allowed in. So much confusion at first, but in their defense they DO document that somewhat.
Oh yes, we do VLANs in this household. Currently running separate VLANs for storage, PCs, printers, IoT devices, media devices, infrastructure management interfaces, external-facing services, security cameras … It’s a pain to have to buy and configure a bunch of smart-ish switches (do not buy the Netgear GS108PEv3 or earlier versions of the same thing; it’s a garbage pocket switch that claims to support proper 802.1Q but doesn’t fully - as far as I’ve been able to determine, you can’t set it up with a management VLAN), but I like the segmentation and the firewall-level control over what talks to what that this gives me. It should also make detecting bad behavior easier.
One of the secondary motivations for this project was that I was tired of consumer routers that have to be replaced annually or malfunction just enough to annoy but not enough to trigger replacement (like my old Asus router that needed weekly reboots to get the wireless working again). Once I implemented VLAN tagging, though, I realized that I really needed a more capable wireless access point that could handle it. I picked up an EnGenius smoke-detector-style WAP with all the appropriate features, and while I’m not pleased with the performance of its management interface, it does appear to do the job, at least on the 2.4GHz band. It does allow me to have multiple SSIDs, each with its own authentication and VLAN tag. One issue encountered and overcome is that the WAP had a “rapid handoff” mode that caused it to drop connections below a certain signal strength threshold in order to encourage devices to connect to a closer WAP. That doesn’t work well if you only have the one WAP! To do: implement proper 802.1X RADIUS authentication.
I’ve got a VM running a wide range of network monitoring tools, though at the moment they’re all just barely at the “spun up” state, and I haven’t yet configured all the alerting/active response stuff that I want. Bro for packet/protocol inspection, Snort monitoring, &c. $30/year for the Snort VRT rule updates for home users? Stupid cheap.
I just returned from SANS SEC501, my first formal Information Security training class in about fifteen years, held at their Network Security 2015 event in Las Vegas. This is a broad but “Advanced” overview class aimed at getting people a familiarity with as many topics as possible in the time available. I was pleased with the course with a few reservations, and I’m really glad I didn’t take one of the lower-level overview courses (SEC301 or SEC401) because this one was perfectly fine for someone at my level of background and experience. It could have been more challenging and technical and that would have been even better. A few notes on my experience:
This isn’t just a complaint about being away from home and family for a week at a stretch. That’s manageable. The amount of time spent learning at these courses, however, is problematic. It wasn’t unusual for me to spend from 0830 to 2130 in the convention center, between the course itself and the evening lectures and tournament. After a week of this I was really ready for some natural light and fresh air. I know there’s a lot of material to cover, but it’s hard to keep sharp for that many hours at a time even with breaks.
There’s a huge amount of material to cover in an overview class, and a week just plain isn’t long enough to do it justice. So many topics were breezed through with just top-level bullet points. So many of the labs would have been more useful if we had to really dig into them and do some analysis rather than just copying and pasting into a terminal. Our instructor definitely enriched the course with humorous and enlightening anecdotes and suggestions (of course, the discussions of virtualization and testing labs are going to result in some rather expensive purchases; c’est la vie), but had he just gone off the slides I would have felt cheated by the cursory treatment of the subject areas.
In addition to SEC501, I also signed up for NetWars DFIR because hey, why not, it’s free with the long-form training course. This turned out to be the most entertaining and educational part of the entire trip. I hadn’t touched a computer forensics tool in my life before the day of the tournament, but due to convenient timing of the SEC501 topics, we did a quick overview of forensics tools the day the tournament started. Picture my surprise when I found myself on the leaderboard (10th place) after the first day. On the second day people jumped ahead super quickly (I won’t accuse them of working on the questions during the day, but it was pretty suspicious), but I still managed to come in 14th out of about 75 participants. I had no idea that digging information out of hard disks, memory, server logs, and network pcap data would be so much fun. This will be a career-influencing experience.
That’s it for my quick reflections. I may well have additional posts to write on the various topics discussed during the class. I would like to thank Paul Henry for leading a fun and educational intro to InfoSec. I look forward to future, more specialized and detailed classes.
I had a need recently to identify the device that failed on a Dell server. The server reported the failure in terms of PCI Bus, Device, and Function. Unfortunately, unlike Linux with its lspci(8), Windows doesn’t expose those very easily. The Dell technician suggested installing and running their diagnostic gathering tool on the server, but given protections in place on the server it would have taken some time to do so.
It should be noted that finding the code to obtain this information took at least as long as whitelisting the tool and running it would have, but was much more educational. A little searching on the Internet and a little assembly of code resulted in the following:
Function Resolve-PCIBusInfo {
    param (
        [parameter(ValueFromPipeline=$true,Mandatory=$true)]
        [string] $locationInfo
    )
    PROCESS {
        # A PCI device's LocationInformation ends in "(bus,device,function)".
        # Only emit an object when that triple is actually present; otherwise
        # $matches would still hold the previous device's result.
        if ($locationInfo -match "\d+,\d+,\d+") {
            $busId,$deviceID,$functionID = $matches[0] -split ","
            New-Object psobject -property @{
                "BusID" = $busId
                "DeviceID" = $deviceID
                "FunctionID" = $functionID
            }
        }
    }
}

# Only PCI devices carry a bus/device/function location; their PNPDeviceID starts with "PCI\".
$PnPEntities = Get-WmiObject Win32_PnPEntity | Where-Object { $_.PNPDeviceID -like "PCI\*" }
foreach ($dev in $PnPEntities) {
    # The location string lives in the device's registry key under Enum, not in WMI.
    $locationinfo = (Get-ItemProperty -ErrorAction SilentlyContinue -Path "HKLM:\SYSTEM\CurrentControlSet\Enum\$($dev."PNPDeviceID")" -name locationinformation).locationInformation
    $businfo = if ($locationinfo) { Resolve-PCIBusInfo -locationInfo $locationinfo } else { $null }
    if ($businfo) {
        Write-Host $dev."Name" -NoNewline
        Write-Host ": $($businfo."BusID"),$($businfo."DeviceID"),$($businfo."FunctionID")"
    } else {
        Write-Host "$($dev."Name"): Unknown"
    }
}
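Going the other direction is usually what you actually need on the day: the hardware log gives you a bus/device/function triple and you want the Windows device name and status behind it. The following is an added example, not the post's script, that parses the LocationInformation string with capture groups (so a device whose string carries no triple yields nothing rather than a stale match) and resolves a reported triple to the matching device. It assumes the same registry layout as the script above and the standard Win32_PnPEntity properties (Name, PNPDeviceID, Status); the sample LocationInformation string and the Bus 0 / Device 31 / Function 3 lookup are constructed placeholders, not values from the post.

```powershell
# Added example (not the author's script). Resolves a failed-device report given as
# PCI bus/device/function to the Windows device behind it.
# Assumes the LocationInformation value under
#   HKLM:\SYSTEM\CurrentControlSet\Enum\<PNPDeviceID>
# ends in "(bus,device,function)", e.g. (constructed sample):
#   @System32\drivers\pci.sys,#65536;PCI bus %1, device %2, function %3;(0,31,3)

function ConvertFrom-PciLocationInformation {
    # Returns a Bus/Device/Function object, or $null when no triple is present
    # (USB, ACPI and IDE-channel devices have different location strings).
    param(
        [Parameter(Mandatory = $true)][AllowEmptyString()][string] $LocationInformation
    )
    if ($LocationInformation -match '\((\d+),(\d+),(\d+)\)') {
        return [pscustomobject]@{
            Bus      = [int]$Matches[1]
            Device   = [int]$Matches[2]
            Function = [int]$Matches[3]
        }
    }
    return $null
}

function Get-PciDeviceInventory {
    # Enumerates PCI devices with their Windows name, PNP id, parsed B/D/F and status.
    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.PNPDeviceID -like 'PCI\*' } |
        ForEach-Object {
            $key = "HKLM:\SYSTEM\CurrentControlSet\Enum\$($_.PNPDeviceID)"
            $loc = (Get-ItemProperty -Path $key -Name LocationInformation -ErrorAction SilentlyContinue).LocationInformation
            $bdf = if ($loc) { ConvertFrom-PciLocationInformation -LocationInformation $loc } else { $null }
            [pscustomobject]@{
                Name        = $_.Name
                PNPDeviceID = $_.PNPDeviceID
                Bus         = if ($bdf) { $bdf.Bus } else { $null }
                Device      = if ($bdf) { $bdf.Device } else { $null }
                Function    = if ($bdf) { $bdf.Function } else { $null }
                Status      = $_.Status
            }
        }
}

function Find-PciDeviceByLocation {
    # Resolves a hardware-log triple ("Bus 0, Device 31, Function 3") to the device entry.
    param(
        [Parameter(Mandatory = $true)][int] $Bus,
        [Parameter(Mandatory = $true)][int] $Device,
        [Parameter(Mandatory = $true)][int] $Function
    )
    Get-PciDeviceInventory | Where-Object {
        $_.Bus -eq $Bus -and $_.Device -eq $Device -and $_.Function -eq $Function
    }
}

# Offline check of the parser against a constructed sample string:
ConvertFrom-PciLocationInformation '@System32\drivers\pci.sys,#65536;PCI bus %1, device %2, function %3;(0,31,3)'

# Usage on the affected host (placeholder triple - substitute the one your server logged):
Find-PciDeviceByLocation -Bus 0 -Device 31 -Function 3 | Format-List Name, PNPDeviceID, Status

# Full inventory, ordered the way the firmware numbers the bus:
Get-PciDeviceInventory | Sort-Object Bus, Device, Function | Format-Table -AutoSize
```

Reading the Enum key needs an elevated session on most builds, but it is read-only and needs nothing installed, which is the point when the alternative is getting a vendor tool whitelisted on a locked-down server. Emitting objects rather than Write-Host output also lets you pipe the inventory to Export-Csv and keep it with the incident record.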