WÜRTHPHOENIX Neteye - netways
Security Auditing ForwardEr Daemon
licensed under GNU General Public License version 2

…developed by Würth Phoenix
• IT and Consulting Company of the Würth Group
• Headquarters in Italy, European-wide presence, more than 100 employees
• International experience in Business Software and IT Management
• Core competencies in trading processes, wholesale distribution, logistics and System Monitoring
• ITIL certified, Nagios Solution Provider, Microsoft Gold Certified Partner

Facts & figures
• More than 600 customers worldwide
• Over 7,000 ERP and CRM users
• 25,000 monitored hosts
• 4 offices in 3 countries
• HQ in Italy
• Core offers in Business Software and IT System Management

Our mission is to improve the business productivity of our customers by managing working processes more efficiently. To assure this we offer complete and internationally proven IT solutions in a well-known Würth quality.

05/12/2011
… more than software
2
… belonging to the Würth group
• The Würth Group is world market leader in its core business, the trade in assembly and fastening material
• It currently consists of over 410 companies in 84 countries and has more than 65,000 employees on its payroll. Over 30,000 of these are permanently employed sales representatives.
• In the first half of the business year 2011, the Würth Group generated total sales of EUR 4.78 billion.
• The headquarters of the Würth Group, Adolf Würth GmbH & Co. KG, was founded by Adolf Würth in 1945 in Künzelsau in Baden-Württemberg, Germany.

Facts & figures
• More than 65,000 employees worldwide
• 30,000 sales representatives
• More than 100,000 products
History: the Italian Law
A new measure issued by the Italian Privacy Guarantor to guarantee the protection of the electronic processing of sensitive personal data took effect in September 2009.
• Assignment of the system administrator function through the evaluation of the employees' subjective characteristics.
• Identification of a system administrators' list
• Annual verification of personal data processing activities based on the security laws.
• Access logs archiving

Italian Law
• System administrators' access logs archiving
• Data encryption
• Protection of personal sensitive data
• Individual designation
Architectural idea: centralize all auditing events
[Diagram: hosts send auditing events via syslog protocol data transmission over the WAN / Internet to a Centralized Syslog Server, which stores signed log files per day per host]
Look for technical solutions…
• rsyslog for server side
  • GPL Full License
  • Already part of Red Hat distribution
• Look for possible Agents solution
  • Snare auditing for Windows Events
  • Epilog for file (Oracle, Lotus Notes, …)
  • http://www.intersectalliance.com/projects/index.html
Problems to solve on Open Source Agents…
• Auto discovery of Windows administrators was not possible with Snare
• Epilog and Snare are two agents, and customers expect one agent to reduce deployment efforts
• Regular expression filtering on Snare for Windows was missing
• Only UDP was supported
• SYSLOG protocol was not reliable
• Encrypting TLS/HTTPS was not supported
Commercial Agents are available on the market satisfying these requirements, but not in the Open Source field.
Two options: development of our own agent, or proprietary commercial agents for Snare
Why a new Agent?
• Commercial agents had a restricted commercial policy that did not fit our needs
• Commercial agents had no possibility to be extended with plugins and specific functionalities
• Still missing functionalities were:
  • Administrators auto discovery
  • Regular expressions
  • Reliability through a solution on the application layer (TCP was not enough for what we need)
  • Open protocol to realize a centralized configuration with templates
  • Snare & Epilog are still two separate agents
The idea to develop Safed Agent is born…
• Create a new agent that integrates Snare and Epilog functionalities
• Still Open Source and free in the purpose of utilization
• Guarantee interoperability with rsyslogd and syslog-ng
• Open Protocol to allow integration with other centralized Syslog Servers
• Implement TLS / SSL
Goals of the Agent…
The Safed Agent has the purpose to improve and extend the Open Source Snare Agent functionalities through:
• Better reliability for data transmission
• Efficient CPU usage
• Improved security through TLS, https, access control
• Optimized and centralized Agent configuration
• More supported platforms
• Improved filters' efficiency
• Administrators' auto discovery
• One single Agent
Supported platforms
• Windows XP
• Windows Vista
• Windows 7
• Windows Server 2000
• Windows Server 2003 (32 / 64 Bit)
• Windows Server 2008
• Windows Server 2008 R2
• IBM-AIX
• HP-UX
• Solaris
• Linux (Debian, Redhat, Suse, Ubuntu, …)
The versions
Unix/Linux version
• Developed based on the Snare Epilog
• Integrates the Snare Audit and Snare Epilog functionalities for Unix/Linux
• Configurable polling time to identify new events on log files
Windows version
• Integrates the Snare Agent and Snare Epilog functionalities for Windows
• Use of regular expressions for pattern matching
• Possibility to manage custom event logs
Additional Features
• Syslog message length configuration
• Configurable local caching mechanism
• Possibility to make an automatic retransmission of the messages in case of failures
• Debug interface, error information, warnings
• Automatic discovery of the Windows administrators' roles
• Centralized configuration of the agents on a central server (i.e. NetEye)
• Identification through a progressive numeration of the messages
• On demand retransmission of missing messages
• Transmission of the events through TLS/HTTPS protocol to provide encrypted communication
• The administration web interface is available on http/https and can be used as an alternative to the central configuration approach, or can be blocked if central configuration is used
Centralized configuration for the Safed Agent
The Safed Agent embedded web server can receive structured configuration data.
• To facilitate the Agent configuration in a large-scale deployment scenario (hundreds or thousands of agents), it is possible to develop your own central management application with the Open Data Structure
• The installation has been simplified thanks to a unique executable MSI file that does not need any user interaction.

Configuration data shown on the slide:
[Config]
dAudit=1
dFileAudit=1
dCritAudit=0
dLeaveRetention=0
dFileExport=2
dNumberFiles=2
dDestPort=514
sClientname=
sDelimiter=
[SysAdmin]
dClearTabs=0
dSysAdministrators=1
dTimesADay=1
dVBS=0
dLastSA=0
[Network]
sDestination=10.62.5.115
dSocketType=1
dMaxMessageSize=2048
dSyslog=1
dSyslogDest=38
dSyslogDynamicCritic=0
[Remote]
dAccessKey=0
sAccessKeySet=098181024c2e968b16
dAllow=1
dRestrict=0
sRestrictIP=10.62.5.115
dWebPort=6161
dWebPortChange=0
[End]
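As an added example (not Safed's or NetEye's own tooling), here is a small Python parser for the [Section]/key=value structure above, used by a central management application to review what an agent exposes. The meaning of dAllow, dRestrict and dAccessKey is an assumption based on the Snare-style keys the agent inherits (1 = remote web access allowed, 1 = restricted to sRestrictIP, 1 = access key required); the slides themselves do not define them.

```python
# Constructed sample in the structure shown on the slide (values copied from it).
SAMPLE_CONF = """\
[Config]
dAudit=1
[Network]
sDestination=10.62.5.115
[Remote]
dAccessKey=0
sAccessKeySet=098181024c2e968b16
dAllow=1
dRestrict=0
sRestrictIP=10.62.5.115
dWebPort=6161
[End]
"""

def parse_safed_conf(text):
    """Parse [Section] blocks of key=value lines into {section: {key: value}};
    [End] closes the structure and a key before any section header is an error."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section == "End":
                break
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed line or key outside a section: {raw!r}")
        key, _, value = line.partition("=")
        conf[section][key.strip()] = value.strip()
    return conf

def audit_remote(conf):
    """Check the agent's own web interface using the assumed key semantics (dAllow=1
    allows remote web access, dRestrict=1 limits it to sRestrictIP, dAccessKey=1 needs a key)."""
    remote = conf.get("Remote", {})
    findings = []
    if remote.get("dAllow") == "1":
        if remote.get("dRestrict") != "1":
            findings.append("web interface reachable from any address (dRestrict != 1)")
        if remote.get("dAccessKey") != "1":
            findings.append("web interface requires no access key (dAccessKey != 1)")
    return findings

if __name__ == "__main__":
    print(audit_remote(parse_safed_conf(SAMPLE_CONF)))
```

With the slide's values both findings are raised, which matches the slide's own advice to block the web interface once central configuration is in use.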
The structure of a Safed message
• It is a standard syslog message
• The message contains new information such as the Safed process name, its pid, the daily sequential number, User and event Id
• Daily reset of the sequential numeration of the messages
Data Encryption
• Possibility of secure communication between agent and syslog server
• Encryption via TLS on TCP
• X.509 certificates
• Mutual verification of the identity of Agent and server
• Encrypted channel for data transmission
Case Study: Integrity check
• Improved reliability of the SYSLOG transmission via TCP
• Introduction of a progressive number for SYSLOG messages
• Unique identification of each message
• Verification of the log integrity on the server side
• The integrity is checked based on the sequential number of the log messages
• Identification of missing messages
• Retransmission of missing data via SYSLOG or http
• A final control ensures that the activity has been successfully accomplished
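To make the server-side integrity check concrete (and the message structure described on the earlier slide), here is an added Python example that is not Safed's or NetEye's own code. The slides do not give the exact field layout of a Safed message, so the layout below is an assumption: a standard syslog header, the process name and pid, then the daily sequence number, user and event id, with sample lines constructed inline.

```python
import re
from collections import defaultdict

# Assumed Safed-like layout (the slides do not give the real field order):
# "<PRI>Mon DD HH:MM:SS host safed[pid]: seq<TAB>user<TAB>eventid<TAB>message"
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"safed\[(?P<pid>\d+)\]: (?P<seq>\d+)\t(?P<user>[^\t]*)\t(?P<event>\d+)\t(?P<msg>.*)$"
)

def parse(line):
    """Return the fields of one line as a dict, or None if it is not a Safed message."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for field in ("pid", "seq", "event"):
        rec[field] = int(rec[field])
    rec["day"] = rec["ts"][:6]  # "Mon DD": the numeration restarts every day
    return rec

def find_gaps(lines):
    """Map (host, day) -> sorted missing sequence numbers; the numeration resets
    daily, so gaps are checked per host and day. Duplicate deliveries are tolerated."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is not None:
            seen[(rec["host"], rec["day"])].add(rec["seq"])
    gaps = {}
    for key, nums in seen.items():
        missing = sorted(set(range(1, max(nums) + 1)) - nums)
        if missing:  # each missing number is a candidate for on-demand retransmission
            gaps[key] = missing
    return gaps

# Constructed sample: srv01 loses seq 3 on Dec 5 and restarts at 1 on Dec 6;
# srv02 is complete; the kernel line is unrelated syslog noise and is skipped.
SAMPLE = [
    "<13>Dec  5 10:00:01 srv01 safed[4242]: 1\tAdministrator\t4624\tlogon",
    "<13>Dec  5 10:00:05 srv01 safed[4242]: 2\tAdministrator\t4672\tspecial privileges",
    "<13>Dec  5 10:00:09 srv01 safed[4242]: 4\tbackup\t4634\tlogoff",
    "<13>Dec  6 00:00:02 srv01 safed[4242]: 1\tAdministrator\t4624\tlogon",
    "<13>Dec  5 10:00:03 srv02 safed[1717]: 1\tSYSTEM\t4608\tstartup",
    "<13>Dec  5 10:00:04 srv02 kernel: not a safed message",
]

if __name__ == "__main__":
    print(find_gaps(SAMPLE))  # {('srv01', 'Dec  5'): [3]}
```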
Windows system readout and Custom Event Log
• Custom event Log management
• Possibility to select the events to be monitored from the custom event queues registered in the Windows Registry
• Custom event Log list
Status Page
Administrator Logging Configuration
Advanced web configuration for event log files
Filtering options of the agents on the client side
Debug Interface
Quality Assurance for Safed using Selenium HQ
…for more information: www.neteye-blog.it/downloads