Enterprise Information Security Management tool: Ossim

The special invited "Linux Enterprise application Case Refinement" book author Li Chenguang teacher, for open source information security system Ossim in the application of the problem to give answers, welcome netizens active questions, and experts to discuss!

Question: Miss Li, hello, Ossim is not very understanding, can trouble you to use concise language to describe what is ossim, what function, what characteristics, is the other related to the same nature of the software have any advantages? How to learn Ossim?

Answer: In previous discussions I have said that Ossim is an open source security information system that integrates many open source security management monitoring Tools (Snort,nmap,nessus,ntop,nagiso,openvas, based on the Debian Linux system). OCS and other open source system security software, set the director of many security software integrated in a system, he similar backtrack inherited a large number of network security detection tools, but there are differences, take BT4, it is a LIVECD system can be directly guided and used by CD-ROM &u disk. Here we talk about the Ossim system that must be installed for configuration debugging to be used. From Windows System Management direction to Linux friends, the Linux platform is generally considered a lot of shell command parameter programming script, not easy to grasp, Ossim is on the Debian Linux system on the security system, in addition to the original features, Also need to have network security (such as intrusion detection, security audits, security vulnerabilities, penetration testing, etc.), encryption and decryption skills. With these knowledge skills in the deployment of Ossim will be handy, slightly worse, you can learn by doing, as long as the intention to do things can be learned.

Question: Hello, Miss Li, may I ask Ossim whether this software can be deployed in large internet companies? Because of the characteristics of the Internet industry, all the services are open to the external network, users are unknown users, servers, databases and other needs are relatively large, there is a requirement must be 7*24 hours online, so and the corporate network is still a big difference. In this environment, network security is a very important link, then, in addition to product and site code level of security, other aspects of security Ossim can play an important role?

Answer: According to the situation that you introduce, Ossim can be competent completely, can monitor the engine room Web server, database server, can save detection log for inquiry. Anonymous access to the site, but access to the IP range can be set as. Your needs and Enterprise room management is still different, such a large number of Web access, no problem for Ossim, he can not only the high-level protocol to decode the data stream, but also through the adjustment of filters, detect problems, this has a great deal of experience with the operator. If you are unfamiliar with Ossim then you cannot use it in your system, let alone the important role.

This column more highlights: http://www.bianceng.cnhttp://www.bianceng.cn/Network/Security/

Question: Teacher hello, want to ask under Ossim to DDoS attack defense effect how? I want to ask the main is the big traffic attack (chicken is used by hackers), there is an abnormal fragmentation of the message attack ~ ~ and his detection is not the mechanism of attack? For example, our common land,winnuke,teardrop and so on, these are known types of attacks, if it is some unknown type of attack, can defend to live?

Answer: I introduced to you the Ossim of his composition, one of the components is snort, he can easily complete such as DDoS attacks, buffer overflow, port scanning, CGI attacks and other network abnormal activities, of course, he also has not perfect place, That is, Snort has a natural disadvantage when it comes to IP fragmentation, and some attackers use these features to fragment traffic to the target because of the difference in how the packet is handled by the stack of TCP/IP on the server itself. This causes the target host to run out of capacity to handle too much IP fragmentation. What do we do? We can configure ACLs via Frage, and firewalls, see "The Linux Enterprise Application case Refinement" chapter seventh deploying IDs case studies. As far as defending against unknown attacks is concerned, I think so, we look at the current anti-virus software is basically dependent on virus signature technology, and to know that the development of defense is always slower than the development of weapons, for Ossim although he can adjust the rules, but sometimes there will be false positives, that is, not completely defensive.

Question: How to deploy a network device on a Linux system, a centralized log management system of the server, and realize the functions of log storage, log classification, log view of the host, serious high-risk log reminders, etc.

Answer: We always hope that the computer does not have a virus, there is no killing all the virus in the world software, in fact, this idea is good, but actually does not exist. Linux system is not omnipotent, the most administrators should not rely on Third-party software to know where the default log files, such as/var/log/under the storage of those systems and network services log.  Some open source tools such as Logcheck,logwatch are used to analyze log files, filter out log items with potential security risks, and then use email notification to refer to the user, and of course the Linux platform also has what you mean by centralized control management storage, analysis of business software such as ManageEngine EventLog Analyzer, a web-based, real-time event monitoring and management solution, can improve enterprise network security and reduce workstation and server downtime events. EventLog uses agentless structures to collect event logs from distributed hosts, and collects logs from Linux/unix hosts, routers, switches, and other network devices, and generates graphical reports to help analyze and improve network performance.

Question: Hello, Miss Li! Will the next Ossim set up a centralized monitoring, management platform, is a one-stop service, so relatively before the monitoring and application software cacti and nagios its comprehensive advantages is what? And how do you minimize the risk of internal information disclosure? In addition to the intelligence of this piece can achieve a what effect?

Answer: Ossim is able to achieve a station is the effect of service, it is because it integrates some security, monitoring, auditing, and leak-sweeping software into an open architecture, and uses the alarm information generated by various sniffers and monitors to format centralized storage processing, which improves the accuracy of alarms. Individual Nagios or cacti, they can only be a single statistical flow and alarm function, in the server (or network equipment) again have problems or will cycle of alarm prompts, does not have the results of the intelligent analysis process. But the Ossim system uses the event Sequence Association algorithm and the heuristic algorithm to enable its event database (EDB) to save each detector to add each individual time, therefore this database will be very huge, In addition, it has a knowledge base and a repository for learning about the current network parameters and security policies. If the Ossim system is an aircraft carrier, then the simple Nagios function can only be said to be a gunboat. At present, because of the company's internal leakage reasons diversification, secret means of professionalism to prevent people, generally speaking, roughly divided into internal active leaks, unintentional leaks, malicious theft three against this situation, it can use login authentication, communication encryption, database encryption measures as far as possible to ensure that information is not easily stolen, but can not be completely avoided. In order to realize the real meaning of the internal information leak also requires the support of other Third-party software, and corporate governance system constraints.

Question: Hello, teacher! I'd like to ask about the Cacti+nagios monitoring system used by our company, but only screenshots are available every week when the report is out. Although the screenshot is more intuitive, but feel no real data out of the report is not much value! If you use his own form, the data is very messy, ossim have a monitor report plug-ins, there is a cross-platform on how to do it. Thank the teacher for answering!

Answer: Ossim can generate very detailed reports, more Siem can generate the attack host,used Port,alarm report of the top 10 records can also choose the time range, and finally to the Pdf,rtf,email way to inform you. Because he is based on B/S architecture, for cross-platform no problem.