Gateway Antivirus

Network Incident Response and Forensics with NST

Posted on January 2, 2010. Filed under: Computer Virus and Malware, Gateway Antivirus, Linux, Network Forensics, Network Incident Response |

A Systems Engineer’s job isn’t just designing systems, but to also be proactive and think about weaknesses in the system and prevent the next big outage.

One day at the office recently, I started hearing reports of the internet connection running very slowly. Our firewall shows us overall stats, but doesn’t do a good job of showing “Top Talkers”. Actually, that feature is completely missing from it.

I was looking for a quick way to implement a monitoring system to show me who was using up the bandwidth. I also saw a need for a network forensics system to troubleshoot everything from network latency, to stopping the spread of malware. I remembered that I stumbled upon the Network Security Toolkit a while back. I was planning on evaluating it but never got around to it until now. This minor problem was the perfect thing to present to management to hopefully convince them of a need for a network monitoring system. You know how difficult it can be to get funding for anything that doesn’t contribute to the bottom line. I always look for an opening to get my company to use open source software whenever possible. This was a great opportunity.

By the time I had downloaded and burned a disc with NST, the internet latency issue was already over. Still, I went ahead with my evaluation. For the sake of brevity, I am leaving out the steps I took to create a monitor, or SPAN port on the switch. Without a monitor port on your switch, you can’t see all network traffic, only that which is addressed to your IP or MAC address, or broadcasts.

The ISO image was over a gigabyte, so it had to be burned to DVD (It can be used from a bootable USB drive as well). I used a spare laptop to boot the disc, and chose the graphical desktop from the menu options. After startup, I attempted to access the UI at URL https://<ip or domain name>/nstwui. The page wasn’t found. I realized that there weren’t any interfaces available besides lo. I ran the command “ifup eth0” and got a DHCP IP address.  I tried to access the URL again but didn’t get a response. I checked the service status and found that httpd wasn’t started. I ran the command “service httpd start” and got an ok response.  I was then able to access the admin UI.

NST Boot Screen

After logging in, I took the time to fully explore the web interface. I have to admit I was very impressed. It isn’t newbie simple, but this was meant to be a network analyst’s toolkit, not a newbie system. After familiarizing myself with the menus, I started up ntop and browsed to the management URL. I was able to easily drill down to see who was using up the most bandwidth and which services were running on the target computer.

While thinking about what other network issues I could solve with NST, I realized that we need to be prepared for the next big virus or worm outbreak and run an Intrusion Detection System (IDS). Fortunately, Snort is installed on NST, and was a snap to setup, but I already had some experience with Snort to start with. I recommend you try out NST in advance and get familiar with the tools BEFORE you are acting in a state of emergency. If you plan on using Snort, be sure to research how to create your own rules before the need arises. For those not already familiar with Snort, it can double as a gateway antivirus appliance if you configure it “inline”.

Snort Setup

Network Security Toolkit has many other tools installed that can be controlled in the excellent but very busy web interface. A complete list of tools included can be found here.

Read Full Post | Make a Comment ( 4 so far )

Small Business Servers

Posted on December 31, 2009. Filed under: Email Server, Firewall, Gateway Antivirus, Low Cost or Free, Office Server, Small Business Systems |

If you have a small to medium business and need a server, I have had good results with E-Box.

You can easily repurpose a used computer as your office server, firewall, or router instead of paying big licensing fees for MS Small Business Server or Cisco and buying expensive hardware. Contact me for consulting.

Features include:

eBox 1.2 Feature list

  • Networking
    • Firewall and routing
      • Filtering
      • NAT and port redirections
      • VLAN 802.1Q
      • Multi-gateway support, load balancing and automatic failover
      • Traffic shaping (with application layer support)
      • Graphical traffic rate monitoring
      • Network intrusion detection system
      • Dynamic DNS client
    • Network infrastructure
      • DHCP server
      • NTP server
      • DNS server
    • VPN support
      • Dynamic routes autoconfiguration
    • HTTP proxy
      • Internet cache
      • User authentication
      • Content filtering (with categorized lists)
      • Transparent antivirus
    • Intrusion Detection System
    • Mail Server
      • Virtual domains
      • POP3 and IMAP with SSL/TLS
      • Spam and antivirus filtering
        • Greylisting, blacklisting, whitelisting
      • Transparent POP3 proxy filter
    • Web server
      • Virtual hosts
    • Certification authority
  • Workgroup
    • Centralized users and groups management
      • Windows PDC support
    • Network resource sharing
      • File server
        • Antivirus
      • Print server
    • Groupware: calendar, address book, webmail, wiki, etc.
    • VoIP server
      • Voicemail
      • Conference rooms
      • Calls through an external provider
    • Jabber/XMMP server
      • Conference rooms
    • eBox User Corner for self users info updating
  • Reporting and monitoring
    • Dashboard for centralized service information
    • Monitor CPU, load, disk space, thermal, memory
    • Disk usage and RAID status
    • Summarized and full system reports
    • Event notification via mail, RSS or Jabber
  • Software updates
  • Backups (full and configuration only)
Read Full Post | Make a Comment ( None so far )

Liked it here?
Why not try sites on the blogroll...