Tasks between now and end of February
6:33 pm in Uncategorized by charlesnw
1) Finish FNF production NOC setup
2) Finish FNF lab setup
Dev box tasks: (this will be used for all my security research, financial modeling etc). It will also monitor my production system in the colo (via AlienVault)
1) Setup smartmon/smartd monitoring/alerting
2) setup LXC
3) Setup Alienvault LXC instance
4) Setup GNS3
5) Setup Marketcetera
6) Setup uDig
7) Setup kismet IDS
8) Setup snort
9) Setup clamav
10) Setup osiris
11) Setup logwatch
12) Setup root e-mail forwarding
13) Setup vlans
14) Setup openvas
15) Setup warvox
16) install GPU SDK/drivers/tools etc
3) Root android phone so I can use it for Serval development and other fun things
So what are the outstanding tasks to finish the reference implementation?
Phase 1: FreedomNode and FreedomLink work
Status: Not yet started
This set of tasks encompasses all of the necessary services a production network requires. This includes things such as backups, logging, security, user authentication and monitoring/alerting.
Storage system setup
- Setup UPNP streaming for media (pictures/music) << in progress
- Setup Samba share for media (pictures/music) << in progress
Monitoring/alerting:
I have good coverage of all my prod systems at a basic level, but need to add more detail. Development/research is in a very early state, with almost no coverage. Currently using sureping.com for external monitoring of various production systems/services (apache/smtp etc) and this is working quite well. Internally I’m using opsview to monitor all of my systems (production and development). I also get traffic graphs etc.
Netflow exports to NTOP
MRTG via opsview
RANCID
Planned items: Network traffic visualization (snort/snorby/sguil/secviz.org tools)
Network Security:
- LDAP
- Kerberos
- RADIUS
- PacketFence
- One Time Password System
- Setup security test bed system
- Setup OpenVAS
- Setup Metasploit
- Setup Nessus
- Setup armitage
- Setup various other pentest tools etc (network hacking, ssl, mitm etc)
- Setup sshfs/git/cifs for laptop to work off of server
- token security hardening
- Keep up to date on patches for OS and applications
- automate OS updates
- alert when new security updates are available for my LAMP apps
- Monitoring syslog (octopussy is used for this)
- Monitoring file integrity (ossec is used for this)
- Running SNORT with automated signature updates (pfsense)
- Check various DNS/mail blacklists and dshield.org for my IP addresses (manual process at the moment. could easily automate it)
- moving virtual machines to appropriate vlans (malware research, development; as production stuff is all one vm at media temple)
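The blacklist check above is the one item in this list that is a mechanical lookup rather than a setup task, so here is what the automation looks like. This is an added example, not code from the original post: a DNSBL query is just a reverse-octet name under the list's zone, answered with a 127.0.0.x A record when the IP is listed and NXDOMAIN when it is not. The zone names are real public lists used as illustration; the resolver is pluggable so the demo below runs offline against a constructed answer table, and the default resolver for a live run is `socket.gethostbyname`.

```python
import socket
from ipaddress import IPv4Address

# Example zones (real public DNSBLs, chosen as illustrations; add whatever lists you care about).
DEFAULT_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """1.2.3.4 checked against zone X becomes the name 4.3.2.1.X."""
    octets = str(IPv4Address(ip)).split(".")  # raises ValueError on a non-IPv4 input
    return ".".join(reversed(octets)) + "." + zone


def check_ip(ip: str, zones=DEFAULT_ZONES, resolve=socket.gethostbyname) -> dict:
    """Return {zone: answer} for every zone that lists `ip`.

    NXDOMAIN (gaierror) means "not listed". Answers outside 127.0.0.0/8 are
    ignored: a DNSBL never returns a public address, so anything else is a
    wildcard or hijacked resolver. Some zones (Spamhaus among them) use
    127.255.255.x to signal query errors such as an open resolver or rate
    limit; those are reported separately rather than as a listing.
    """
    hits, errors = {}, {}
    for zone in zones:
        qname = dnsbl_query_name(ip, zone)
        try:
            answer = resolve(qname)
        except socket.gaierror:
            continue  # not listed
        if answer.startswith("127.255.255."):
            errors[zone] = answer
        elif answer.startswith("127."):
            hits[zone] = answer
    if errors:
        hits["_errors"] = errors
    return hits


def check_many(ips, zones=DEFAULT_ZONES, resolve=socket.gethostbyname) -> dict:
    """Check each IP; only IPs with at least one hit or error appear in the result."""
    out = {}
    for ip in ips:
        result = check_ip(ip, zones, resolve)
        if result:
            out[ip] = result
    return out


# --- constructed offline resolver for the demo; replace with socket.gethostbyname live ---
FAKE_ANSWERS = {
    "4.3.2.1.zen.spamhaus.org": "127.0.0.2",      # constructed: 1.2.3.4 listed
    "8.8.8.8.bl.spamcop.net": "127.255.255.254",  # constructed: error code, not a listing
}


def fake_resolve(name: str) -> str:
    if name in FAKE_ANSWERS:
        return FAKE_ANSWERS[name]
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    # Constructed sample addresses; in practice feed the colo's public IPs here.
    for ip, result in check_many(["1.2.3.4", "8.8.8.8", "10.0.0.1"], resolve=fake_resolve).items():
        print(ip, result)
```

Run it from cron against the production IPs and alert on a non-empty result; keep the previous run's output so you only page on a change, not on every run while an address stays listed.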
After the above tasks are completed, I’ll be shifting focus to advanced security posture tasks. This will support my further goals (linux and windows malware research, high frequency trading systems for virtual currencies, overall parallel systems development).
So what will this security system be composed of, beyond standard data center/enterprise type network security items in my above list?
The first end product of the system will be a one time password server. This will be utilized network wide (windows/linux login, web app login, vpn authentication etc).
The second end product will be an openvz virtual machine image for hosting financial applications (bitcoin vault, virtual currency trading).
I’ve got some ideas about how to go about building these systems. Rough draft below. More to come later.
GENODE? Barrelfish? Stripped down linux image?
Integrity monitoring
0 exposed ports
Centralization vs decentralization vs hybrid
- Complete security project planning and preparation
- blog post (high level, give folks a good overview of the problem space)
- wiki article (more tactical. lots of links etc. will probably be several wiki pages)
- 3d work space setup
OTP
Stored certs
Other 2 factor systems
4) Documentation
- Pictures of racks on blog/wiki << in progress
- Documentation of physical gear (make/model, mac addresses, power/ethernet port mappings, power usage) on the wiki << in progress
- Documentation of services configuration/setup on wiki << not started
- Documentation of everything
5) Ensure all web services on wiki are operational
- Hookup cordless phone base station to knel-prod-ap1 via ATA << in progress
- Hookup Nortel VOIP phone to knel-prod-ap1 via wireless
- Ensure all items have an associated URL for access to the service and to the software homepage
- Setup antispam
- Setup collaboration systems
Now that I’m wrapping up my data ownership project, I find myself taking on a couple larger projects:
1) Working with folks on the Free Network Foundation road map. Been using e-mail / wiki / skype screen sharing for this but want a better tool.
2) Working with folks on the security aspects of data ownership as it relates to providing a secure infrastructure for financial transactions. This is a really big project and I want to capture all aspects of it for archival purposes. People like that for security related things.
Here is what I have deployed so far:
1) Freeswitch (an open source Voice over IP server). This will let us have secure voice/video communications without using Skype.
2) Jabber (an open source text chat server). This will let us have secure text chats. I am investigating the use of http://jitsi.org/ to provide a single, open source client for Windows/Mac/Linux that will let us have voice/video/text chat using freeswitch/jabber and also share our screens.
3) Etherpad (an open source collaborative text editor). Self explanatory. This eliminates the use of google docs.
4) Redmine/Tracks (open source project management tools). I also am reviewing some open source scrum tools like icescrum.org.
5) Git (open source source control system integrated with redmine) This is used for tracking changes to code and documentation.
6) Drupal (open source content management system)
Needed tools:
What are the awesome tools in this space? They must be open source and able to be self hosted. Prefer things in python/ruby/php but can also run Java applications.
1) Shared whiteboarding tool (quick and dirty drawings, temporary todo list capture)
2) Shared diagramming tool (for network and complex project diagrams)
3) Better discussion tool than e-mail. Especially for things like this e-mail, where it really should be a document with revision tracking etc. I’m still in the process of getting etherpad deployed. I have eyeOS deployed which has some document editing tools. Need to see if these tools will provide google docs functionality or if I need to use other tools.
6) High availability (primary at RH VPS, secondary at Debian VPS)
- LinuxHA
- PowerDNS
- Setting up guest wireless access SSID/DHCP subnet/bandwidth limiting etc << not started
- Setting up honeypot wireless SSID/DHCP subnet/bandwidth limiting etc << not started
- Setting up mesh link between two parts of apartment complex << not started
- Setup SPAN port on access and distribution switch for AlienVault use
- Setup channel bonding and STP between access/dist switch
- Install AlienVault << done (deployed as a VM on proxmox machine. Needs lots of configuration, which will be done in section 3)
- Setup DNS server << done (PowerDNS with PowerAdmin. Authoritative and recursive)
September