Automation for network security: BanHammer-ng and Brozilla

Anthony Verez

Slides: anthony-verez.fr/mozilla

Questions: averez on #airmozilla and #security

1. BanHammer-ng: blocking bad guys on Mozilla network
2. Brozilla: Intrusion Detection with Bro at Mozilla

• Centralized system to block external IP addresses from the Mozilla network
• Gets security events from our security logging system
• Computes a score for each event and sum scores for each attacker
• Notifications via IRC and emails depending on score thresholds
• Allows an operator to apply suitable blocking mechanism

• We didn't know where someone was blocked on our load balancers
• Need to streamline the blocking workflow
• Time consuming
• Bad experience including for legitimate users (e.g: university proxy, NAT)
• We wanted finer granularity for blacklists than the old BanHammer
• Block only access to specified websites, usually not download/updates websites

• System to give ability to operators to quickly block attackers
• Fine-grained blocking mechanisms
• Captive portal where suspicious visitors have to resolve a captcha
• Code: https://github.com/mozilla/banhammer

• Copy traffic to sensors for security inspection
• Security Onion: Linux distribution for Network Security Monitoring
  • Snort: Rules-based Intrusion Detection System

                alert any any -> any any
                (flags: SF,12; msg: "Possible SYN FIN scan";)
              

  • CapMe: tool to search through network capture dumps
  • Bro: Framework and programming language to get information from traffic

• Packet capture
• Traffic inspection
• Attack detection
• Log recording
• Scripting language

• Real-time analysis
• You have to define what is an attack
• Forensics
• High speed: clusters for 40+ Gb/s

• Leverage Bro to detect attacks and security incidents on Mozilla network
• Very early stage
• What would we rather use Snort for?
  • Third party rules
  • Known suspicious hosts
  • Malware
  • Software vulnerabilities/exploit attempts

• We plan to use Bro to detect
  • SSL negotiations network-wide
  • Sensitive information exchanged using plaintext protocols
  • Unauthorized scans
  • Outdated version of software (think Java plugin)
• Conduct network forensics for incident response

• Storage
  • Files + awk
  • Elastic Search
• Visualization on top of Elastic Search
  • ELSA
  • Kibana
  • Brownian

• Thanks to Joe Stevensen, OpSec, IT and Mozilla
• BanHammer-ng: https://github.com/mozilla/banhammer
• Brozilla: https://github.com/mozilla/brozilla
• 
  contact@anthony-verez.fr