Networking and Network Security¶
Network Security¶
Embedded Systems Security references on backdooring Cisco IOS via TCL, etc.
The CIDR Report web site
- Getting access to network traffic
Best Practices in Intrusion Detection System Implementation, by Erin Buxton, October 2002
Setting Up Switched Port Analyzer for Monitoring and Recording IP-ICD Agents on the Cisco ICS 7750, Cisco Systems
Implementing Network Taps with Network Intrusion Detection Systems, by Nathan Einwechter, Senior Research Scientist, Fate Research Labs, June 19, 2002
IDS FAQ - How do you implement IDS (network based) in a heavily switched environment?, by Brian W Laing, Internet Security Systems
Rediscovery of NetUSB Vulnerability in Broadband Routers, by NewSky Security, February 28, 2016
Network traffic analysis tools (thanks to Toby Kohlenberg)¶
ifmonitor is a simple network interface traffic logger and grapher for Linux
Concord Performance Management Software: eHealth - Network
Internet Tool Summaries - CAIDA : TOOLS : taxonomy : measurement
More network traffic analysis tools and techniques¶
SecurityOnion
- SiLK
Installing SiLK on Security Onion, by Chris Sanders, November 7, 2013
SiLK Kibana 3 Demo, by J3F, Vimeo video, July 31, 2013
hadoop-dna Hadoop based Distributed Network Analyzer, by Choonho Son and Edward J. Yoon
‘Hello world’ for network engineers exploring Hadoop, by JR Mayberry
Scalable NetFlow Analysis with Hadoop, by Yeonhee Lee and Youngseok Lee
While you're at it, see the Hadoop links in the Databases and database tools section.
Hunting for malicious connections using Python and TensorFlow, by Wes Young, csirtg blog, August 17, 2018
Other useful tools¶
Network Security Monitoring tool suites¶
- Security Onion (Security Onion talk at Derbycon 2012)
Security Onion Installation (YouTube video of complete process)
Security Onion Setup Phase 1 (YouTube video of configuration)
- Web site monitoring (e.g., to notice when a DoS attack occurs)
Security Event Management (SEM)/Security Incident Management (SIM)/Security Event Information Management (SEIM)/Security Information and Event Management (SIEM)¶
6 Open Source SIEM tools, by Daniel Berman, May 7, 2018
Cyphon (“An Open Source Incident Management and Response Platform”)
The Alien Vault Open Source SIM
- Splunk
Splunk Attack Range Now With Caldera and Kali Linux, by Rod Soto, Splunk Blog, May 8, 2020
Adversarial Emulation using Splunk Attack Range Locally, by Rod Soto and Jose Hernandez, Purpleteam Summit presentation, November 12, 2020
Splunk Analytic Story Execution (ASX) App, splunkbase
GitHub olafhartong/ThreatHunting (“A Splunk app mapped to MITRE ATT&CK to guide your threat hunts”)
OpenSIMS (Open Source Security Infrastructure Management System)
Zenoss Open Source Server and Network Monitoring
Graylog Open Source Log management system
- The Mozilla Defense Platform (MozDef)
MozDef: You’ve collected your security logs, now what?, by Anthony Verez (Anthony’s slide deck)
MozDef BsidesPDX2014 presentation, by Jeff Bryner
MozDef Documentation (latest release), ReadTheDocs
- GitHub Netflix/Fido (“Fully Integrated Defense Operation (FIDO)”)
Malware Defense and Automation: Fully Integrated Defense Operation (F.I.D.O.), by Rob Fry, RSA 2014
Netflix open-sources security incident management tool, by Jeremy Kirk, May 4, 2015
Which solutions help SOC or CERT teams to track cyber incident lifecycle?, by Conrad Constantine
Security Event Management (SEM)/Security Incident Management (SIM) systems
IPv6¶
The Great IPv6 Experiment (switch to IPv6, get free porn!?!)
Quick-start IPv6, HOWTOs
IPv6 and IPv4 Threat Comparison and Best Practice Evaluation (v1.0), by Sean Convery and Darrin Miller, Cisco Systems, Critical Infrastructure Assurance Group
Technical and Economic Assessment of Internet Protocol, Version 6 (IPv6), IPv6 Task Force, U.S. Department of Commerce, National Telecommunications and Information Administration, National Institute of Standards and Technology
Issues with Dual Stack IPv6 on by Default, by S. Roy, A. Durand, and J. Paugh, July 7, 2004
On the Issues of IP Traceback for IPv6 and Mobile IPv6, by Henry C.J. Lee, Miao Ma, Vrizlynn L.L. Thing, and Yi Xu, Institute for Infocomm Research, 2003
Security Implications of IPv6, by Michael H. Warfield, Internet Security Systems, Inc., 2003
Network discovery tools¶
Log parsing tools¶
An explanation of Ethernet frames, by Rhys Haden
The Ethernet FAQ
Protecting Network Infrastructure at the Protocol Level (Word document), by Curt Wilson, Netw3.com Consulting. 12/15/00
A Study of BGP Misconfiguration, by Ratul Mahajan, David Wetherall, and Tom Anderson, University of Washington
An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks, by Vern Paxson, June 2001
Path MTU Discovery and Filtering ICMP, by Marc Slemko
RFC 2267 – Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, by Paul Ferguson and Daniel Senie (obsoleted by RFC 2827, which is BCP 38)
RFC 2644 – Changing the Default for Directed Broadcasts in Routers, by Daniel Senie
“Essential IOS” - Features Every ISP Should Consider, Cisco Systems Inc.
Distributed Denial of Service (DDoS) News Flash, Cisco Systems Inc.
Characterizing and Tracing Packet Floods Using Cisco Routers, Cisco Systems Inc.
Policing and Shaping Overview, Cisco whitepaper on rate limiting
Denial of Service (DoS) Attack Resources, by Paul Ferguson
Inferring Internet Denial-of-Service Activity, by David Moore, Geoffrey M. Voelker and Stefan Savage, University of California, San Diego
Notes from Lockheed Martin conference on DDoS vendor solutions, December 20, 2001
See also my Distributed Denial of Service (DDoS) Attacks/tools page.
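The ingress-filtering rule that RFC 2267/BCP 38 and RFC 2644 above describe, as an added example (it is not code from any of the referenced papers or Cisco documents): a packet arriving on a customer-facing interface is accepted only if its source address lies in a prefix assigned behind that interface, sources from private or reserved ranges are refused on any interface, and packets addressed to the broadcast address of a locally routed prefix are dropped so the site cannot be used as a reflector. The interface names, prefixes and sample packets are constructed for the example and use the TEST-NET documentation ranges.

```python
"""Ingress filtering in the spirit of RFC 2267/BCP 38 (source-address
validation) and RFC 2644 (no directed broadcasts).  Added example; the
interface names, prefixes and packets below are constructed, not real."""
import ipaddress
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network

# Assumption: prefixes legitimately sourced *behind* each customer-facing
# interface.  Interfaces absent from this map (e.g. an upstream transit link)
# get only the bogon and directed-broadcast checks.
INGRESS_PREFIXES: Dict[str, List[IPv4Net]] = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/26")],
}

# Prefixes we route internally.  A packet from outside to one of their
# broadcast addresses is a directed broadcast (the smurf amplifier pattern).
LOCAL_PREFIXES: List[IPv4Net] = [ipaddress.ip_network("192.0.2.0/24")]

# Sources that must never arrive from outside, whatever the interface.
BOGON_SOURCES: List[IPv4Net] = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def classify(iface: str, src: str, dst: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet with the given addresses
    arriving on `iface`.  Verdict is "accept" or "drop"."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if any(s in net for net in BOGON_SOURCES):
        return "drop", "bogon source"
    allowed = INGRESS_PREFIXES.get(iface)
    if allowed is not None and not any(s in net for net in allowed):
        # Strict source check: the address is not assigned behind this port,
        # so it is spoofed or badly routed.  This is the BCP 38 rule.
        return "drop", "source not assigned to ingress interface"
    if any(d == net.broadcast_address for net in LOCAL_PREFIXES):
        # RFC 2644: routers should not forward directed broadcasts by default.
        return "drop", "directed broadcast"
    return "accept", "ok"


def apply_filter(packets):
    """Classify (iface, src, dst) tuples; returns the accepted ones and a
    list of (iface, src, dst, reason) for everything dropped."""
    accepted, dropped = [], []
    for iface, src, dst in packets:
        verdict, reason = classify(iface, src, dst)
        if verdict == "accept":
            accepted.append((iface, src, dst))
        else:
            dropped.append((iface, src, dst, reason))
    return accepted, dropped


# Constructed sample traffic (documentation/benchmark addresses only).
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.7", "192.0.2.10"),      # legitimate
    ("cust-a", "198.51.100.9", "192.0.2.10"),     # spoofed: belongs behind cust-b
    ("cust-b", "198.51.100.130", "192.0.2.10"),   # legitimate, second prefix
    ("cust-b", "198.51.100.200", "192.0.2.10"),   # .192/26 is not assigned to cust-b
    ("cust-a", "10.1.2.3", "192.0.2.10"),         # RFC 1918 source
    ("transit", "203.0.113.7", "192.0.2.255"),    # directed broadcast at our /24
    ("transit", "198.18.0.5", "192.0.2.10"),      # ordinary inbound traffic
]

if __name__ == "__main__":
    ok, bad = apply_filter(SAMPLE_PACKETS)
    for entry in bad:
        print("DROP  ", *entry)
    for entry in ok:
        print("ACCEPT", *entry)
```

Running the script drops four of the seven sample packets. On real hardware the same policy is expressed as an ingress ACL or unicast RPF on the customer ports and `no ip directed-broadcast` on the interfaces that own the local prefixes; the transit interface here deliberately gets no strict source list, since the full Internet is legitimately reachable behind it.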
Network monitoring/Intrusion Detection Systems (IDS)¶
Background and technical references¶
Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, by Thomas Ptacek and Tim Newsham
Special Publication 800-54, Draft Version 2, Border Gateway Protocol Security, National Institute of Standards and Technology (NIST)
“An Overview of Issues in Testing Intrusion Detection Systems”, NIST IR 7007, National Institute of Standards and Technology (NIST)
Intrusion Detection for an On-Going Attack, by J. Yuill, S. Wu (North Carolina State University), F. Gong (Adv. Networking Research), M. Huang (Applied Research and Technology, The Boeing Company), USA
A Framework for Cooperative Intrusion Detection, by Deborah Frincke et al, NIST National Information Systems Security Conference, 1998
Leading non-commercial IDSs¶
The Suricata open source IDS/IPS from the Open Information Security Foundation
- Snort
I have a set of scripts for managing snort logs and rules, and a Red Hat Linux rc script to start/stop snort, that you might find useful – See the README.snort-stuff file for more info.
- Network Flight Recorder (NFR)
- Shadow
Towards trapping wily intruders in the large, by G. Mansfield, K. Ohta, Y. Takei, N. Kato, Y. Nemoto (Cyber Solutions Inc, Tohoku University), Japan
Interpreting Network Traffic: A Network Intrusion Detector’s Look at Suspicious Events by Richard Bejtlich
Intrusion Detection: Challenges and Myths, Marcus Ranum
The BSD Packet Filter: A New Architecture for User-level Packet Capture, by Steven McCanne and Van Jacobson, Lawrence Berkeley Laboratory (the underlying packet capture facility used by many IDSs)
Intrusion Detection Systems and A View To Its Forensic Applications, University of Melbourne (PostScript)
The Cooperative Intrusion Detection Evaluation and Response (CIDER) Project
A Framework for Cooperative Intrusion Detection, Jesse McConnell, Deborah Frincke, Don Tobin, Jamie Marconi, Dean Polla, University of Idaho
Honeypots and Honeynets¶
60 Days of Watching Hackers Attack Elasticsearch, by Jordan, May 11th, 2015
Intrusion Detection, Honeypots, and Incident Handling Resources
http://www.bromium.com/ (not really a honeypot, per se, but related technology)
Commercial honeypot related tools list (thanks to Fyodor!)
- Symantec Decoy Server (Formerly Recourse Technologies ManTrap)
This product has been discontinued, but see this article Symantec updates focus on intrusion protection for a description of the product.
Public domain packet capture/analysis tools¶
[Note: Basic packet capture can be done by reading the network device directly, but saving packets for future use, and use by other tools, requires a standard library. Libpcap is that standard, and tcpdump is the most common basic tool for packet capture.]
Packet Café, IQTLabs
tcpdstat (part of the WIDE Project tcpd tools package) [Here is my own modified version (MD5 hash), ported to Linux and with more protocols.]
Monitoring with tcpdump, SLAC home page + CoralReef
tcpshow.c (I have a patch to improve ICMP header parsing in my Stacheldraht analysis)
Dive into BPF: a list of reading material, by Quentin Monnet, September 1, 2016
Understanding time stamps in Packet Capture Data (.pcap) files, by admin, September 25, 2015
See also the public PCAP datasets in section Interesting Security Research.
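An added example (not tcpdump or libpcap source, and not from any linked article) that shows what the note above and the timestamp article describe: the pcap global header's magic number fixes both the byte order and whether each record's fractional timestamp is in microseconds or nanoseconds; every record carries a captured length and an original length, which differ when the snaplen truncated the frame; and the captured bytes begin with the link-layer header, decoded here for Ethernet, including an 802.1Q VLAN tag. The capture bytes are constructed inline so the script runs offline; the MAC addresses and timestamps are made up.

```python
"""Parse a libpcap-format (.pcap) capture without libpcap: global header,
per-record headers with their timestamps, then the Ethernet header of each
frame (802.1Q-tagged or not).  Added example written for this page; it is
not tcpdump or libpcap code.  The capture bytes are constructed below."""
import struct
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Optional, Tuple

MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond fraction
MAGIC_NSEC = 0xA1B23C4D   # pcap variant with nanosecond fraction
LINKTYPE_ETHERNET = 1
ETHERTYPE_VLAN = 0x8100


class Record(NamedTuple):
    sec: int          # whole seconds since the Unix epoch, on the capturing host's clock
    frac: int         # fractional part, usec or nsec depending on the file's magic
    nanosecond: bool
    caplen: int       # bytes stored in the file
    origlen: int      # bytes seen on the wire (> caplen means the frame was snapped)
    data: bytes

    @property
    def ts(self) -> float:
        return self.sec + self.frac / (1e9 if self.nanosecond else 1e6)

    def iso_utc(self) -> str:
        """UTC ISO-8601 string that keeps the full stored fraction."""
        base = datetime.fromtimestamp(self.sec, tz=timezone.utc)
        digits = 9 if self.nanosecond else 6
        return base.strftime("%Y-%m-%dT%H:%M:%S") + f".{self.frac:0{digits}d}Z"


def parse_pcap(blob: bytes) -> Tuple[Dict, List[Record]]:
    """Return (global header fields, records); ValueError on anything malformed."""
    if len(blob) < 24:
        raise ValueError("too short for a pcap global header")
    endian = "<"                       # magic identifies byte order and timestamp unit
    magic = struct.unpack("<I", blob[:4])[0]
    if magic not in (MAGIC_USEC, MAGIC_NSEC):
        endian = ">"
        magic = struct.unpack(">I", blob[:4])[0]
        if magic not in (MAGIC_USEC, MAGIC_NSEC):
            raise ValueError("not a pcap file (bad magic)")
    nsec = magic == MAGIC_NSEC
    vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", blob[4:24])
    header = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
              "nanosecond": nsec, "byteorder": "little" if endian == "<" else "big"}
    records: List[Record] = []
    off = 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        sec, frac, caplen, origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if caplen > snaplen or caplen > origlen or off + caplen > len(blob):
            raise ValueError(f"inconsistent or truncated record at offset {off - 16}")
        records.append(Record(sec, frac, nsec, caplen, origlen, blob[off:off + caplen]))
        off += caplen
    return header, records


def ethernet_header(frame: bytes) -> Dict:
    """Decode dst/src MAC, an optional 802.1Q tag, and the payload EtherType."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, etype = frame[:6], frame[6:12], int.from_bytes(frame[12:14], "big")
    vlan: Optional[int] = None
    payload_off = 14
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        vlan = int.from_bytes(frame[14:16], "big") & 0x0FFF   # low 12 bits of the TCI
        etype = int.from_bytes(frame[16:18], "big")
        payload_off = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "ethertype": etype, "payload": frame[payload_off:]}


def build_pcap(packets, *, nanosecond=False, snaplen=65535, big_endian=False) -> bytes:
    """Write a pcap blob from (sec, frac, data, origlen) tuples; only used here
    to construct the sample input."""
    e = ">" if big_endian else "<"
    out = [struct.pack(e + "IHHiIII", MAGIC_NSEC if nanosecond else MAGIC_USEC,
                       2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for sec, frac, data, origlen in packets:
        out.append(struct.pack(e + "IIII", sec, frac, len(data), origlen))
        out.append(data)
    return b"".join(out)


# Constructed frames: a broadcast ARP request, and the same frame tagged VLAN 42.
ARP_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(46)
VLAN_FRAME = ARP_FRAME[:12] + bytes.fromhex("8100" "002a") + ARP_FRAME[12:]
# Timestamps start at 2015-09-25T00:00:00Z; record 2 is snapped to 60 of 1514 bytes.
SAMPLE_USEC = build_pcap([(1443139200, 250000, ARP_FRAME, 60),
                          (1443139201, 750123, VLAN_FRAME[:60], 1514)], snaplen=60)
SAMPLE_NSEC = build_pcap([(1443139200, 250000123, VLAN_FRAME, 64)],
                         nanosecond=True, big_endian=True)


def summarize(blob: bytes) -> List[Tuple[str, int, int, Optional[int], int]]:
    """One (timestamp, caplen, origlen, vlan, ethertype) tuple per record."""
    _, recs = parse_pcap(blob)
    out = []
    for r in recs:
        eth = ethernet_header(r.data)
        out.append((r.iso_utc(), r.caplen, r.origlen, eth["vlan"], eth["ethertype"]))
    return out
```

Two points the parser makes explicit: a record's wall-clock time is whatever the capturing host's clock said, so comparing captures from different sensors needs those hosts to be NTP-synchronised, and a `caplen` smaller than `origlen` means the tool that wrote the file (tcpdump's `-s`) discarded the tail of the frame, so payload-based analysis on such a file will silently miss data.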
Routers¶
Firewalls¶
NDC Logical Firewall prototype (based on Gibraltar, Linux based bootable CD-ROM firewall)
OpenBSD Filtering Bridge Firewall
OpenBSD Packet Filter documentation at benzedrine.cx
Guide to OpenBSD Packet Filtering Firewalls (Internet), by Roger E. Rustad, Jr.
OpenBSD bridge without IPs using IPF Tutorial, by Doug Hogan and Bryan Hinton, DaemonNews
Real Stateful TCP Packet Filtering in IP Filter by Guido Van Rooij
OpenBSD FAQ section 6.0 Networking
OpenBSD FAQ section 13.0 Using IPSec (IP Security Protocol)
OpenBSD man pages: BRIDGE(4), BRCONFIG(8), HOSTNAME.IF(5), IPF(5), IPF(8), IPFSTAT(8)
How to set up a basic VPN between two OpenBSD gateways using ISAKMP, By Patrick Ethier, SecureOps Inc.
MINI-FAQ: OpenBSD 2.4 IPSEC VPN Configuration, Steve McQuade, v1.07 - March 2, 1999
- Distributed firewalls
How to Implement Access Control in Linux via ipfwadm by Lamont Granquist
Linux firewall facilities for kernel-level packet screening by X/OS
Thinking About Firewalls V2.0: Beyond Perimeter Security, Marcus Ranum
The TAMU Security Package: An Ongoing Response to Internet Intruders in an Academic Environment
Firewalls: Don’t Get Burned (Data Communications Firewall Lab Test)
Network (In)Security Through IP Packet Filtering, Brent Chapman
(See NIST 800-10)
Firewalls fend off invasions from the Net, Steve Lodin and Christoph Schuba (published in the February 1998 issue of IEEE Spectrum magazine)
DNS¶
Split Horizon DNS (also known as “split DNS”)
Setting up DNSMasq instead of BIND for bulletproof internal DNS resolution (SplitDNS)
dnsmasq, Split DNS and the Dreaded “No address (A) records available” Error
Split-Horizon DNS Done Right, by Jay, October 12, 2013
how to setup split-dns for vpn with network-manager, askubuntu post
NetworkManager split dns with DNSMasq not working with VPN, Red Hat Bugzilla Bug 1161232
Unbound DNS tutorial, by CALOMEL
How To: Make Sure /etc/resolv.conf Never Get Updated By DHCP Client, by Vivek Gite, last updated April 22, 2014
Resolving the battle for control over your DNS settings in Debian/Ubuntu, by Daniel Aleksandersen, May 25, 2015
Virtual Private Networks (VPNs)/Crypto tunnels¶
Alphabet’s Outline lets you build your own VPN: The easiest way to control your own VPN server, by Romain Dillet, March 22, 2018
- GitHub trailofbits/algo (“Set up a personal IPSEC VPN in the cloud https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/”)
How I made my own VPN server in 15 minutes, by Romain Dillet, April 9, 2017
#VUC643 – Algo VPN Project, YouTube, Streamed live on April 28, 2017
Setup AlgoVPN in Windows 10, clickclickboom, October 23, 2017
Algo Personal VPN Full Install, by Nicholas Tolson, YouTube video, April 13, 2017
AlgoVPN Linux Mint DigitalOcean Windows10 by Sal Aurigemma, YouTube video, April 4, 2018
- Wireguard
Wireguard VPN: Portable Raspberry Pi Setup, by ck, December 28, 2017
[Guide] How to install WireGuard on a Raspberry Pi (full tunnel + split tunnel) using Pi-Hole as DNS., by u/vaporisharc92, September 2, 2015
GitHub adrianmihalko/raspberrypiwireguard (“Install and configure WireGuard on Raspberry Pi (and others)”)
NSTX (IP-over-DNS tunneling)
- OpenVPN
How To Run OpenVPN in a Docker Container on Ubuntu 14.04, by Kyle Manna, February 2, 2015
Routing and Subnetting 101, by James T. Dennis, Linux Gazette
strongSwan setup for Road Warriors on macOS 10.12, iOS 10 and Windows 10, karlvr/00README.md
How to setup IPSec interoperable for Linux, OpenBSD and PGPNet, by Hans-Jorg Hoxer
Cryptanalysis of Microsoft’s Point-to-Point Tunneling Protocol (PPTP) by B. Schneier and P. Mudge
VLANs¶
Wireless (WiFi) Access¶
dd-wrt (Linux based alternative OpenSource wireless access point firmware)
Recommended dd-wrt Settings, by Dave Farquhar, December 24, 2015
How To Build an Open Source Wi-Fi HotSpot with DD-WRT - Setting Up NoCatSplash, by Eric Geier, Sept. 6, 2007
The $100 Super Router – A Definitive DD-WRT Guide, by Peter Selmeczy, July 19, 2016
Chillispot WiFi hotspot
Tomato firmware
Router Bugs Flaws Hacks and Vulnerabilities, by Michael Horowitz
5 Open Source Wi-Fi Hotspot Solutions, Linuxplanet.com, June 7, 2010
Wireless Security¶
Cisco SAFE: Wireless LAN Security in Depth, by Sean Convery, Darrin Miller and Sri Sundaralingam, Cisco Systems
WildPackets’ AiroPeek 802.11b wireless protocol analyzer
An Introduction to Lucent’s WaveLAN Wireless Cards, by Rob Flickenger
wmwave (dockable GTK application to show wireless signal strength)
Papers by Steve Gribble and Armando Fox at Berkeley
Wireless Security, by Jim Reavis, Network World Fusion
Networking¶
Confused by 10GbE optics modules?, by Mike Sheldon, June 11, 2010