Ensuring security in modern computer networks with a large number of hosts and devices requires a great effort, and keeping track of all events and logs becoming more and more difficult. It is important to have a vulnerability management system to allow you maintain control over your network and solve any related problems.
Generally, network security is based on standard kit we have a Firewall, AV solution, Intrusion detection system, vulnerability scanner such as Nessus or OpenVAS, and we can also add network scanner like Nmap.
Each program serves perfectly to protect the network, as they analyze and compare different data collected or provide information about different intrusions. The result that you will find a mountain of reports created by many utilities, which takes a long time to read and find what you are looking for.
Another important point that you have to monitor operating system and applications vulnerabilities to have the protection measures against different network attacks, and to record what update has been installed and which updates are on your schedule.
This can be accomplished by subscribing to different mailing lists and RSS feeds like Security Focus, the OSVDB database (Open Source Vulnerability DataBase) and Security-Database.
These are not the only sources you can also install HackerStorm OSVDB utility which includes a bunch of news and alerts feeds conveniently located in one place to help with vulnerability research and to help stay up to date.
On the market there is a long list with expensive solutions to grant an administrator a view of all the security-related aspects of their system, like Microsoft Security Response Center (MSRC), IBM Internet Security Systems, Lumension Vulnerability Management (PatchLink), QualysGuard, Symantec Control Compliance Suite (SCCS) but we will focus on the Open Source Security Information Management (OSSIM).
OSSIM stands for Open Source Security Information Management. Its goal is to provide a comprehensive compilation of tools which, when working together, grant network/security administrators with a detailed view over each and every aspect of his or her networks, hosts, physical access devices, server, etc.
Currently you can integrate in OSSIM : Arpwatch, P0f, pads, Nessus / OpenVAS, Ntop, Snort, tcptrack, tcpdump, Nmap, Spade, Nagios, Osiris, OCSInventory-NG, OSSEC, RRDTool (additionally it is possible to analyze the data collected preludeIDS, NTsyslog, Snare, Cisco Secure IDS).
Data can be delivered over different ways: syslog, plain log, SNMP, OPSEC, socket… and administrator can have information about any event generated at the infrastructure.
Usually OSSIM consists of:
• Server – to make the correlation engine management, risk assessment and events priority.
• Daemon control framework, running on the server and connecting different network parts together;
• Database – provides information entry in a database and correlate data.
• Agents to integrate and provide into the database collected information from different sensors: Snort, Pads, Ntop, Tcptrack, p0f, Arpwatch, Nessus, etc.
• Web-based management console – management of the entire system, data analyzing and delivery, risk assessment (Apache, PHP, Phpgacl, Rrdtool, Mrtg, ACID, Nessus, Nmap, Ntop, FPDF, etc.)
All these components can be installed on a separate system, and the information are transferred only in encrypted form (using SSL).
At OSSIM Dashboard, there are three levels of access depending of the role of user: Network administrator, systems engineer and security specialist (CSO, Chief Security Officer).
After configuring and registering some users for the solution, you can find on the panel all that you need to manage all activities and threats: Dashboard, Incidents, Events (anomalies, events), Monitors (monitor networks and systems), Reports (reports on the sites, equipment, software, networks) Policy (policy setting and action, launching a program or send e-mail), Correlation, Configuration, Tools (backups, links for downloading clients, network scanner).
You can start by scanning the network by going to Tools – Netscan, and then all system info will be displayed under Policy -> Policy -> Host. To install agent remotely you can go to Tools -> Downloads, and it is important to note that there is a help option with screen shots to make the settings easier to understand.
After OSSIM we can add SIGVI , which is an Open Source application (license GNU GPL), designed to detect, prevent and manage threats. The way that SIGVI works is by downloading new vulnerability warning using standard CVE, CPE, and CVSS Protocol SCAP and according to The Common Vulnerability Scoring System (CVSS) it will add information on each vulnerability by Access Vector (AV), Access Complexity (AC), Authentication (Au), Confidentiality Impact, Integrity Impact and other conditions so Administrator will be able to know what to patch as a priority.
make sure you subscribe to my RSS feed!