Jade Unified Security Framework (USF)
The Jade Unified Security Framework (USF) is a thin, extensible security layer that operates across the machines in a network. It provides hooks through which applications and security components register and effect network-wide security changes. It is made up of several components, in both user and kernel space, each protecting specific protocols and services. The USF is a working prototype that has been protecting our networks for the past few years. It was designed as an easy-to-deploy solution for Small to Medium Enterprises (SMEs) that does not require expensive security hardware. The design is highly modular, and USF utilities and analyzers are easy to maintain and build upon.
The USF can be thought of as four functional components or groups working together to detect, analyze and react to threats against a network: the core firewall, system and network logging (SIEM), application layer defenses, and other threat-specific countermeasures.
Core Firewall Components
The core firewall is made up of iptables/ipset firewall configurations running on our main firewall/router and on the protected server machines. The firewall functions are designed to provide lower-layer threat detection and response in real time. The firewalls also draw on network logging for threats that can only be detected accurately over longer periods than the internal state-based tools are equipped to handle. All traffic passes through the main firewall/router before being forwarded to the inside network. This main router is designed to detect threats against both itself and the inside machines, whereas the server configurations are simpler (using fewer resources) and do not perform blocklist processing.
Our iptables solution implements a limited stateful firewall with the addition of ipset-based blocklist processing. The ipset databases hold blocking data keyed by protocol, IP address and IP network range, each with time-to-live (TTL) data. The blocks reside in the Linux kernel, making lookups fast and efficient while removing the need to embed blocklist data within the firewall configuration. Blocks can be time-based (they expire on their own inside the kernel) or permanent. The ipset databases are maintained outside of the firewall and are updated on directives from other USF components. Most blocks start out as limited-time blocks that are eventually removed automatically. If the same threat is detected again later from the same source, a progressive backoff algorithm lengthens the time window for which the block is active. If a threat persists past a critical threshold, the block is made permanent in the firewall.
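The TTL and progressive backoff scheme described above, as an added example that is not USF code: repeat detections of the same source double the ipset entry timeout up to a cap, after which the source is moved to a permanent set. The set names, TTL values and threshold are assumptions, and the detection history is kept by the caller outside the firewall, as the text describes.

```python
import ipaddress
from typing import Optional

# Set names, TTLs and thresholds are assumptions for this example, not USF values.
# TEMP_SET must be created with timeout support, e.g.
#   ipset create usf_block_tmp hash:ip timeout 0
TEMP_SET = "usf_block_tmp"    # hash:ip set whose entries carry a timeout
PERM_SET = "usf_block_perm"   # hash:ip set without timeouts
BASE_TTL = 600                # first detection: 10 minutes
MAX_TTL = 86400               # longest temporary block: 1 day
PERM_AFTER = 10               # detections before the block becomes permanent


def backoff_ttl(strikes: int) -> Optional[int]:
    """Block length in seconds for the n-th detection of the same source:
    doubles each time, capped at MAX_TTL; None means block permanently."""
    if strikes >= PERM_AFTER:
        return None
    return min(BASE_TTL * 2 ** (strikes - 1), MAX_TTL)


def block_commands(ip: str, history: dict) -> list:
    """Record another detection for ip and return the ipset commands to run.

    history maps ip -> number of earlier detections and is updated in place;
    it lives outside the firewall, so it survives entries expiring from the
    kernel set and is what makes the backoff possible."""
    addr = str(ipaddress.ip_address(ip))      # rejects malformed input early
    strikes = history.get(addr, 0) + 1
    history[addr] = strikes
    ttl = backoff_ttl(strikes)
    if ttl is None:
        # Promote to permanent: drop any live temporary entry first so the
        # two sets never disagree about the same source.
        return [f"ipset -exist del {TEMP_SET} {addr}",
                f"ipset -exist add {PERM_SET} {addr}"]
    # -exist makes a re-add refresh the timeout instead of failing while the
    # previous, shorter block is still live.
    return [f"ipset -exist add {TEMP_SET} {addr} timeout {ttl}"]


if __name__ == "__main__":
    state = {}
    for _ in range(3):
        print(block_commands("203.0.113.7", state))   # 600s, then 1200s, then 2400s
```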
SIEM: Security Information and Event Management
Security Information and Event Management (SIEM) is a security solution that collects, analyzes and correlates data from sources across an organization's IT environment to detect and respond to potential security threats in real time. The Jade USF centralized log server collects and consolidates system logging information from the machines on the network.
Logging data is sent to the log server for categorization and storage. Standalone analyzers provide operator status updates (via email) and often interact with the underlying network firewall to effect near real-time blocks of ongoing attacks. The modular analysis and reporting tools are based on scripts that are easy to write and adjust. The existing reporting tools focus mainly on email- and authentication-related attacks, but the techniques we use for these apply to any threat type the SIEM detects. Existing tools regularly check for authentication attacks against ssh, sip, smtp, imap and http and automatically block detected threats within the network firewall. Additional tools check for application-specific attacks, in particular in support of our various WordPress installations.
SIEM plugin tools add the ability to deploy custom analysis per incident type. They allow analysis of application incidents that are logged but that the application itself cannot react to (authentication attacks spread across sessions, for instance). Changes to the USF can be permanent or time-based and are determined by the specific plugin tool.
Application Service Security
Application protocols currently being monitored include http (web), smtp (email MTA), ssh (secure shell access), imap (email remote message store access), sip/rtp/iax (VoIP) and others. Security incidents are detected and responded to at several layers:
- within the service application itself (postfix, apache, imapd, sshd, etc.)
- application logging to the SIEM server
- within the network stack itself (firewall configuration)
Threats are often detected by different tools requiring different processing. In the case of email MTAs, repeated authentication attacks within a single session are handled by the Postfix service. Postfix is unable, however, to detect these attacks across sessions. SIEM threat analysis plugins can correlate new threats with historical data, which allows progressive backoff and variable time-to-live blocking to be implemented within the USF firewalls.
In limited situations application layer attacks can be detected within the network layer through iptables. One such example is ssh remote access: repeated failures can be detected and blocked within a short time window at the IP layer. The current USF firewall performs this on every machine in the network. As with the email example above, long-term retention of attack history is limited here, so this is best viewed as a first line of defense. SSH attacks detected within the network stack (Linux kernel) are also logged to the SIEM server for further retention and analysis.
Authentication Attacks
The most common application layer threats we see are authentication attacks, in which remote attackers try to log in to a service to gain access to its resources. Historically these took the form of repetitive dictionary-style attacks from a single source guessing login credentials. Today they often take the form of a distributed attack coming from many remote IP addresses at once. Rather than being continuous, they often break off only to resume later. They happen both at the protocol level and as web-based login attempts. The protocols we most commonly see attacked are SSH and SIP; however, attacks against email protocols such as SMTP and IMAP continue to rise.
As mentioned above, some of these attacks are mitigated in real time by the firewall. This is the case for both SSH and SIP attacks detected within a single session. Similarly, the Postfix MTA detects and deflects authentication attacks within a single session. In both cases the incidents are logged to the SIEM server. All other authentication attacks, including multi-session SSH, SIP and SMTP attacks and attacks on other protocols such as IMAP and HTTP (web applications), are detected through our custom SIEM analysis scripts. Detected threats are handled using USF utilities that add the attacking host to the appropriate USF firewall blocking script.
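The cross-session correlation that Postfix alone cannot do, described under Application Service Security and again here, as an added example that is not a USF analysis script: it reads Postfix smtpd disconnect summaries, whose auth=S/T field counts successful/total AUTH commands in one session, and reports sources whose failed logins are spread over several sessions. The log lines are constructed samples and the session threshold is an assumption.

```python
import re
from collections import defaultdict

# Postfix smtpd writes one summary per session on disconnect; "auth=S/T" is
# successful/total AUTH commands in that session.
DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r".*?\bauth=(?P<ok>\d+)/(?P<total>\d+)"
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Mar  3 10:15:02 mx1 postfix/smtpd[24813]: disconnect from unknown[203.0.113.5] ehlo=1 auth=0/2 quit=1 commands=2/4
Mar  3 10:15:40 mx1 postfix/smtpd[24819]: disconnect from unknown[203.0.113.5] ehlo=1 auth=0/2 quit=1 commands=2/4
Mar  3 10:16:11 mx1 postfix/smtpd[24822]: disconnect from mail.example.net[198.51.100.9] ehlo=1 auth=1/1 mail=1 rcpt=1 data=1 quit=1 commands=6
Mar  3 10:16:55 mx1 postfix/smtpd[24830]: disconnect from unknown[203.0.113.5] ehlo=1 auth=0/1 quit=1 commands=2/3
Mar  3 10:17:03 mx1 postfix/smtpd[24831]: disconnect from unknown[192.0.2.77] ehlo=1 auth=0/1 quit=1 commands=2/3
Mar  3 10:17:20 mx1 postfix/smtpd[24833]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
"""


def session_failures(line):
    """Return (ip, failed AUTH count) for one disconnect summary, else None."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    return m.group("ip"), int(m.group("total")) - int(m.group("ok"))


def correlate(lines, min_sessions=3):
    """Map each source IP to (sessions with failures, total failures), keeping
    only sources that failed in at least min_sessions separate sessions. Each
    session on its own stays under any per-session limit Postfix applies, so
    only this cross-session view exposes the slow attack."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = session_failures(line)
        if parsed and parsed[1] > 0:
            per_ip[parsed[0]].append(parsed[1])
    return {ip: (len(f), sum(f)) for ip, f in per_ip.items() if len(f) >= min_sessions}


if __name__ == "__main__":
    print(correlate(SAMPLE_LOG.splitlines()))   # {'203.0.113.5': (3, 5)}
```

The returned sources are what a plugin would hand to the blocking utilities; the single-session source 192.0.2.77 and the host that authenticated successfully are left alone.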
SPAM Prevention
Unsolicited Commercial E-Mail (UCE), otherwise known as spam, has been a costly problem for email users for a long time. Common forms include solicitations to buy products or services. Often these messages are phishing attempts to get users to reveal sensitive information, leading to identity theft and, many times, to significant financial loss for users unaware of the criminal intent. Some carry dangerous payloads that can infect the recipient's computer or device.
We have a zero tolerance policy towards spam received by (or sent from) our systems. Spam received through one of our many monitored accounts and confirmed by a human is fed into our SPAMPROC system. This system automatically analyzes the message headers to determine the IP address of the mail host that submitted the message to us. It then immediately updates our DNS Blacklist (DNSBL) to include the confirmed spam relay host so that our MTAs can block any new messages arriving by that route. A report in the standard Abuse Reporting Format (ARF) is generated automatically and sent to the administrator contact listed in the relevant WHOIS record for that address so that they can take appropriate action on their end.
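The header analysis and DNSBL update step of SPAMPROC, as an added illustration rather than the SPAMPROC code itself: it takes the source IP from the topmost Received header written by one of our own MTAs (the only hop the sender cannot forge) and produces the zone record that lists it. OUR_MX, the zone name and the sample message are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

OUR_MX = {"mx1.example.com"}        # assumed: hostnames our own MTAs write in "by"
DNSBL_ZONE = "dnsbl.example.com"    # assumed placeholder zone, not the real one

# "from HELO (rdns [ip]) ... by HOST": the bracketed IP is what our MTA saw on
# the wire and is the only part of the header the sender could not forge.
RECEIVED_RE = re.compile(r"from\s+\S+\s*(?:\([^)]*?\[(?P<ip>[^\]]+)\])?.*?\bby\s+(?P<by>\S+)")

# Constructed sample; the second Received header was written by the spammer's
# side and is deliberately ignored.
SAMPLE_MSG = """\
Received: from relay.badexample.net (unknown [203.0.113.5])
\tby mx1.example.com (Postfix) with ESMTP id 4ABC123
\tfor <user@example.com>; Mon, 3 Mar 2025 10:17:20 +0000
Received: from [10.0.0.7] (helo=pc) by relay.badexample.net with esmtp; Mon, 3 Mar 2025 10:17:01 +0000
From: promo@badexample.net
To: user@example.com
Subject: constructed sample

body
"""


def submitting_host(raw_message):
    """Return the IPv4 address that handed the message to one of OUR_MX, read
    from the topmost Received header written by our own MTA, or None."""
    msg = message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):            # most recent hop first
        m = RECEIVED_RE.search(" ".join(hdr.split()))  # unfold the header
        if not m or m.group("by").rstrip(".").lower() not in OUR_MX:
            continue
        if m.group("ip"):
            addr = ipaddress.ip_address(m.group("ip").replace("IPv6:", ""))
            return addr if addr.version == 4 else None  # zone below is IPv4-only
        return None   # our MTA's header without a source IP: do not guess
    return None


def dnsbl_record(addr):
    """Zone file line listing addr: reversed octets under the zone, answering
    A 127.0.0.2, the conventional 'listed' response a DNSBL client expects."""
    octets = addr.reverse_pointer.partition(".in-addr.arpa")[0]
    return f"{octets}.{DNSBL_ZONE}. IN A 127.0.0.2"


if __name__ == "__main__":
    relay = submitting_host(SAMPLE_MSG)
    print(relay, dnsbl_record(relay))   # 203.0.113.5 5.113.0.203.dnsbl.example.com. IN A 127.0.0.2
```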
Web Services
Jade Networks hosts many different virtual websites. These are mostly WordPress and RoundCube based; however, other platforms, particularly Docker container based ones, are also supported. For WordPress installations we recommend one of several popular web application firewalls (WordPress plugins). We have tried several security-focused Apache modules but found the added processing overhead, and in some cases the thermal overhead, to be excessive. All web environments produce their own SIEM logging. WordPress configurations are categorized and then logged separately, further refining what kind of analysis is needed. SIEM analyzers then check each of these separately for context-specific threats and act accordingly.
Other Countermeasures
Security solutions such as pfSense, OPNsense and the USF are good and necessary tools, but they are not a substitute for good operating system hardening, system administration and network monitoring. Over the years we have done extensive tuning and testing of the kernel parameters (sysctl) associated with network resources. These changes have been standardized on our network and incorporated into every server. Proper thermal management is also needed, especially for some of our Ryzen-based systems. For these we have implemented BIOS-based adjustments while also developing user-level checks and controls under Linux. The result has been the elimination of the thermal runaway problems seen previously.
Network monitoring is also very important. We have used Zabbix in the past with very good results. It integrates SNMP-based checks and monitoring with custom checks and notification scripts. Its excellent visual representation of network and server health greatly assists in administering the network, and it is easy to integrate with USF tools.