The Art of Information Security has the great pleasure of interviewing Michael Rash. Michael holds a Master’s Degree in applied mathematics with a concentration in computer security from the University of Maryland. He is the founder of cipherdyne.org, a website dedicated to open source security software for Linux systems, and works professionally as a Security Architect on the Dragon IDS/IPS for Enterasys Networks. He also is the author of “Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort” (Sample chapter and more information here) published by No Starch Press.
When I started the Art of Information Security blog, I felt that it was important to appropriately lock down the host. It would be an unfortunate irony to have the server hosting a security blog “owned” by some script kiddy. So, of course AoIS runs a firewall. I had been using iptables firewalls on Linux for a while, and there were a few things that I felt were lacking from the set-ups that I had in the past. One was the ability to understand that the firewall is working. A solid firewall generates logs – but what do you do with those? And, what do they tell you? Second, I knew that I should be able to detect certain types of automated attacks and block those IPs. There are so many improperly configured hosts to attack that a few simple countermeasures go a long way. Third, I have also been very interested in running host IDS/IPS, but all the requirements to run Snort for a single host seemed a bit too much. Alas, I ran to cipherdyne.org and the great tools sponsored (and authored) by Michael.
Erik: So, Michael, Network Security is obviously more than just a job for you. How did you come to be involved so deeply in Network Security and Intrusion Countermeasures?
Michael: During the late 1990’s I was introduced to intrusion detection on a large ISP’s network, and that experience coupled with learning networking protocols sparked a deep and abiding interest in network security. This interest eventually led me to systems programming on Linux, and to the internals of systems that need to be protected. The constant game of cat and mouse played by attackers and defenders in the network security world never ceases to provide new directions for security research, and thanks to the open source development model, many of the techniques to defend systems can be investigated and contributed to by anyone.
Erik: So when did you get the idea for PSAD?
Michael: In 1999 I started working with Jay Beale on the Bastille Linux project. At the time, both portsentry and Snort were around and were designed to detect network attacks (with the former only focused on port scans). Because Bastille was designed to harden the security stance of the host, a strong iptables policy was built in by Peter Watkins. With the strategy implemented by portsentry of listening on sockets in order to detect port scans (see this link for why this is less than ideal from many perspectives), we needed a way to detect port scans in a manner compatible with Bastille’s iptables policy. The result was a portion of Bastille initially called “Bastille-NIDS”, but I eventually split it off as a dedicated project, and called it “PSAD”. An option would also have been to just write a configuration utility for Snort, but there would still have been a void since no tool really analyzed iptables log messages for suspicious activity. I made it my goal to try and fill this void mostly because the data source provided by iptables logs is quite rich and has a lot to say.
Erik: On your website you identify three principles around which PSAD was developed. Why are these important? How does PSAD accomplish them?
- Good network security starts with a properly configured firewall
- A significant amount of intrusion detection data can be gleaned from firewall logs
- Suspicious traffic should not be detected at the expense of trying to also block such traffic
Michael: Network security is more relevant for more people today than at any other point in Internet history. Important infrastructure is increasingly being put online (such as online banking access), and the threats are evolving to compromise this infrastructure. The default stance of many operating systems is to listen on several services to make things easier for users, and while many OS’s (particularly mainstream Linux distributions) offer to configure firewall policies, many users elect not to go through with this step. Sometimes people are too busy to maintain a properly configured firewall, or they reason that the local border firewall is sufficient. Firewalls should always be configured in a default-drop stance in order to provide an additional layer of protection for any vulnerable services that may be listening. For Linux systems, psad helps to verify that the local iptables policy is configured in this manner.
Firewall logs are also an important area to pay some attention. Although firewall logs cannot replace the full packet capture and logging capability of many intrusion detection systems, they can still be a valuable source of data to highlight efforts to break into systems. With a logging format that is as complete as provided by the iptables logging infrastructure, it is possible to detect and differentiate most types of nmap scans, passively fingerprint remote operating systems, detect probes for back doors, and more. The process of parsing iptables logs to look for these kinds of activities is automated by psad.
Finally, just detecting malicious traffic will always play second fiddle to an effective mechanism for also blocking such traffic. The iptables firewall is a well-tested piece of code that runs inline to the packet data path. Hence, it is a strong weapon to block suspicious traffic with a default drop stance before such traffic is allowed to target internal systems. By using the iptables string match extension, iptables blocking actions can even be tied to the inspection of application layer data.
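As an added illustration (not part of the interview and not psad's own code), the following Python sketch shows the kind of analysis described above: it parses iptables LOG lines, counts distinct destination ports per source address, and labels the probe type from the logged TCP flags. The log lines are constructed samples using documentation addresses, and the five-port threshold and the names `parse_line` and `detect_scans` are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# iptables logs TCP flags as bare words between RES= and URGP=
FLAGS_RE = re.compile(r"RES=0x[0-9a-fA-F]+\s+(.*?)\s*URGP=")
SCAN_TYPES = {frozenset({"SYN"}): "SYN", frozenset({"FIN"}): "FIN",
              frozenset(): "NULL", frozenset({"FIN", "PSH", "URG"}): "XMAS"}

def parse_line(line):
    """Return (src, dst_port, probe_type) for a TCP LOG line, else None."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP" or not fields.get("SRC"):
        return None
    if not fields.get("DPT", "").isdigit():
        return None
    m = FLAGS_RE.search(line)
    flags = frozenset(m.group(1).split()) if m else None
    return fields["SRC"], int(fields["DPT"]), SCAN_TYPES.get(flags, "OTHER")

def detect_scans(lines, port_threshold=5):
    """Map each source that hit >= port_threshold distinct ports (assumed
    threshold) to (most common probe type, number of distinct ports)."""
    ports, kinds = defaultdict(set), defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dpt, kind = parsed
        ports[src].add(dpt)
        kinds[src][kind] += 1
    return {src: (kinds[src].most_common(1)[0][0], len(p))
            for src, p in ports.items() if len(p) >= port_threshold}

def _line(src, dpt, flags):
    # Builds a constructed sample line in the iptables LOG format.
    return (f"Mar  3 10:15:01 host kernel: DROP IN=eth0 OUT= SRC={src} "
            f"DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP "
            f"SPT=40000 DPT={dpt} WINDOW=1024 RES=0x00 {flags}URGP=0")

# Constructed sample log: a SYN scan, an XMAS scan, repeated hits on one port, UDP noise.
SAMPLE_LOG = (
    [_line("192.0.2.10", p, "SYN ") for p in (21, 22, 23, 25, 80, 443)]
    + [_line("192.0.2.77", p, "URG PSH FIN ") for p in (1, 2, 3, 4, 5)]
    + [_line("203.0.113.9", 22, "SYN ")] * 3
    + ["Mar  3 10:15:02 host kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 "
       "DST=198.51.100.5 LEN=40 PROTO=UDP SPT=5353 DPT=5353 LEN=20"]
)

if __name__ == "__main__":
    for src, (kind, count) in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {kind} scan across {count} ports")
```

The source that repeatedly hits only port 22 is not reported, since the check keys on distinct destination ports rather than packet volume.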
Stay Tuned for Part 2
Part 2 of this series is coming soon, with more discussion about network security and open source security tools. More information is available on PSAD at http://www.cipherdyne.com/psad/. (Oh, and PSAD will be featured in an upcoming installment of the AoIS Secure Your Linux Host series!)