Poor man's DLP solution
by Manuel Humberto Santander Pelaez (Version: 1)
Although I have been fortunate to work with a company that has the money and time to implement security solutions and typically gets the latest technology, there are also companies that do not have the same budget because of the profit margins of the business they are in. For them, spending has to be justified more carefully, and monetary resources go to the projects that are vital to the operation of the company.
A risk that materializes more and more frequently in companies is the leaking of information, and one of the most common ways to steal it over the Internet is through channels such as email and file transfers. That means we need a sensor that monitors inbound and outbound Internet traffic. To show where it sits, we will use a two-firewall DMZ and place a Snort sensor between the firewalls, running on Linux and configured in bridge mode.
Bridge configuration is pretty simple. Consider eth0 the interface connected to vlan11 and eth1 the interface connected to vlan10:
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
brctl addbr sensor
brctl addif sensor eth0
brctl addif sensor eth1
ifconfig sensor up
Now it is time to configure the sensor. Many companies use document templates that contain default text which can be used to classify the information they hold, with words such as secret, confidential, restricted and many others. Based on that template, we create the appropriate alert to block confidential information from leaving the network. For the following example, assume the internal IP address range is 192.168.1.0/24 and that company X's template for confidential documents contains the sentence "Company X - Confidential":
alert ip 192.168.1.0/24 any -> any any (msg:"Data Loss from inside the network"; content:"Company X - Confidential"; sid:1000001; rev:1;)
(Snort requires every option to end with a semicolon and every rule to carry a sid; 1000001 is a placeholder from the local rule range, pick one that does not collide with your rule set.)
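As an added example (not code from the diary), the same check written in Python and run over constructed flow records: the home net and the marker sentence are the diary's values, and the function goes one step beyond the rule above by optionally requiring an external destination, so that documents copied between internal hosts do not raise an alert.

```python
# Added example, not from the diary: a minimal content-based DLP check that
# mirrors the Snort rule, applied offline to constructed flow records.
import ipaddress
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("192.168.1.0/24")   # internal range from the diary
MARKERS = (b"Company X - Confidential",)           # template sentence from the diary

@dataclass
class Flow:
    src: str
    dst: str
    payload: bytes

def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME_NET

def matched_marker(payload: bytes):
    """Return the first classification marker found in the payload, else None.
    Like a Snort 'content:' match without 'nocase', this is case-sensitive."""
    for marker in MARKERS:
        if marker in payload:
            return marker
    return None

def check_flow(flow: Flow, require_external_dst: bool = True):
    """Return an alert string for a flow, or None.
    require_external_dst=False reproduces the diary rule ('-> any any');
    True adds an external-destination restriction so internal transfers stay quiet."""
    if not is_internal(flow.src):
        return None
    if require_external_dst and is_internal(flow.dst):
        return None
    marker = matched_marker(flow.payload)
    if marker is None:
        return None
    return f"Data Loss from inside the network: {flow.src} -> {flow.dst} ({marker.decode()})"

def scan(flows, require_external_dst: bool = True):
    return [a for a in (check_flow(f, require_external_dst) for f in flows) if a]

# Constructed sample flows: an outbound leak, an internal copy, inbound traffic, a case mismatch
SAMPLE_FLOWS = [
    Flow("192.168.1.25", "203.0.113.10", b"Subject: report\r\n\r\nCompany X - Confidential\r\nQ1 numbers"),
    Flow("192.168.1.25", "192.168.1.40", b"Company X - Confidential\r\ninternal copy"),
    Flow("198.51.100.7", "192.168.1.25", b"Company X - Confidential\r\nreply quoting the document"),
    Flow("192.168.1.30", "203.0.113.10", b"company x - confidential (case differs, not matched)"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

Mail attachments normally travel base64-encoded, so a plain byte match like this one (and the Snort content match it mirrors) will not see the marker inside them; the sensor needs a decoding preprocessor or a mail-gateway hook to cover that channel.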
Another interesting measure, depending on the environment and the risks of the company, is to disable USB storage devices. In Windows environments, do this by removing all permissions on the following files, which are used each time a USB drive is installed:
%SystemRoot%\Inf\Usbstor.pnf
%SystemRoot%\Inf\Usbstor.inf
If the USB storage device is already installed, set the Start value of the following registry key to 4: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Do you have any other ideas? Use our contact form to share it with us.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
Comments
alert ip $home_net any -> $external_net any (msg:"Data Loss from inside the network"; content:"Company X - Confidential"; rev:1)
and you should define your external and home net:
var home_net [192.168.1.0/24]
var external_net !$home_net
this will eliminate false positives if you are transferring documents within your organization.
Yabbo
Mar 3rd 2011
If it's one thing I have learned over the years: if an analyst sees false positives coming from an alert enough, they will start to ignore that alert.
Yabbo
Mar 3rd 2011
This command will run Snort and bridge interfaces eth0 and eth1:
./snort --daq afpacket -i eth0:eth1
Just an FYI in case a deployment is planned by someone.
JBShrout
Mar 3rd 2011
Open Registry Editor.
In Registry Editor, navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
Create the following value (DWORD):
WriteProtect
and give it a value of 1.
JBShrout
Mar 3rd 2011
And there's no "failover pair" config for a couple of Linux servers like there is for a good firewall such as an ASA.
Should the network have a gigabit uplink, the sensor itself is a potential DoS risk: high packets-per-second rates will cause the bridge to fall over and drop lots of packets, when without the bridge the load-balanced server(s) would have handled the aggregate load fine.
Why go for bridging?
Snort can sniff traffic, and you can plug it into a network tap.
Draco
Mar 4th 2011