Army CoN (Certificate of Networthiness) for Security Onion - Linux distro for network security monitoring and log management


Doug Burks

Apr 4, 2014, 7:51:56 AM
to mil...@googlegroups.com
Hello all,

I met Josh Davis yesterday and he asked me to join this list and send a brief announcement.

I know lots of departments within the Army are spending millions of dollars on commercial products to help monitor and defend their networks.  For the last five years, I've been building a Linux distro called Security Onion to provide a totally free and open source alternative to these kinds of commercial products.  I'm pleased to announce that the Army has approved a CoN (Certificate of Networthiness) allowing Army folks to officially deploy Security Onion.  This has the opportunity to save millions of dollars in taxpayer money!

What is Security Onion?
Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!


Please let me know if you have any questions about Security Onion!

Thanks,
Doug

Matthew

Apr 4, 2014, 8:50:30 AM
to mil...@googlegroups.com

Nice.... I have heard of your distro.  Will download it at outerz0ne this weekend.  Also anyone in the Atlanta area, outerz0ne takes place in Alpharetta this weekend.

--
--
You received this message because you are subscribed to the "Military Open Source Software" Google Group.
To post to this group, send email to mil...@googlegroups.com
To unsubscribe from this group, send email to mil-oss+u...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/mil-oss?hl=en
 
www.mil-oss.org

---
You received this message because you are subscribed to the Google Groups "Military Open Source Software" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mil-oss+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Doug Burks

Apr 4, 2014, 9:00:50 AM
to mil...@googlegroups.com
Hi Matthew,

Yes, I've presented Security Onion at DC404 (which I believe you're
also a member of) and it's been mentioned on the DC404 mailing list a
few times since then.

Please let me know what you think of Security Onion!

Thanks,
Doug
--
Doug Burks

Miles Fidelman

Apr 4, 2014, 9:56:12 AM
to mil...@googlegroups.com
I hate to say it, but.... one man's security forensics tool, is another
man's exploitation tool. This thing contains all kinds of network
sniffing tools, and can send emails. Hmmm.....

Miles Fidelman
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra

Kit Plummer

Apr 4, 2014, 9:58:34 AM
to mil...@googlegroups.com

It will always come down to trust...


Doug Burks

Apr 4, 2014, 10:10:51 AM
to mil...@googlegroups.com
Hi Miles,

Yes, you bring up a great point and I agree with you! :)

This is why we allow users to pick and choose which services will be
enabled and disabled. If you don't need it, disable it!

This is also why, in addition to an ISO image, we also provide
individual packages that can be installed on the user's preferred
flavor of Ubuntu 12.04. If you don't need a particular package, don't
install it!

For those services that users choose to install/enable, we do provide
tuning and hardening guidance on our wiki:
https://code.google.com/p/security-onion/wiki/TableOfContents

For example, here is our firewall hardening page:
https://code.google.com/p/security-onion/wiki/Firewall

We also recommend that folks configure their network firewall rules
such that if a sensor ever gets compromised, it has limited access to
other parts of the network and no access to the Internet.

Please let me know if you have any additional questions.

Thanks,
Doug
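
The network-segmentation advice in the message above, as an added example that is not code from the Security Onion project or its wiki: a host firewall for the sensor's management interface that defaults to DROP in both directions, admits SSH only from a management subnet, and lets the sensor open connections only to the Security Onion server, so a compromised sensor has no path to the rest of the network or to the Internet. The addresses (10.0.1.0/24 management subnet, 10.0.2.10 server) and the server ports (TCP 22 and 7734) are assumptions for illustration; the sniffing interface carries no IP address and is outside these rules. `check_egress_locked` is a hypothetical self-check that re-reads the generated ruleset and fails if any OUTPUT ACCEPT rule is not loopback, reply traffic, or pinned to the server address.

```shell
#!/bin/sh
# Added example, not Security Onion project code: host firewall for a sensor's
# management interface that limits what a compromised sensor can reach.
# Assumed for illustration: management subnet, server address and server ports.
MGMT_NET="${MGMT_NET:-10.0.1.0/24}"          # where admins SSH in from (assumed)
SERVER_IP="${SERVER_IP:-10.0.2.10}"          # the Security Onion server (assumed)
SERVER_PORTS="${SERVER_PORTS:-22 7734}"      # SSH tunnel and Sguil, assumed ports

# Print an iptables-restore ruleset: default DROP in every chain, then only the
# explicit allows the sensor needs. Anything else, including all Internet egress,
# is dropped.
gen_sensor_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Inbound: new SSH sessions only from the management subnet
    printf '%s\n' "-A INPUT -p tcp -s $MGMT_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # Outbound: new connections only to the SO server on the listed ports
    for port in $SERVER_PORTS; do
        printf '%s\n' "-A OUTPUT -p tcp -d $SERVER_IP --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log (rate limited) what the default policy is about to drop, so egress
    # attempts from a compromised sensor show up in syslog
    printf '%s\n' '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "SENSOR-EGRESS-DROP: "' \
        'COMMIT'
}

# Self-check (hypothetical helper): the OUTPUT policy must be DROP, and every
# OUTPUT ACCEPT must be loopback, reply traffic, or pinned to the server address.
check_egress_locked() {
    rules=$(gen_sensor_rules)
    printf '%s\n' "$rules" | grep -q '^:OUTPUT DROP' || return 1
    printf '%s\n' "$rules" | grep '^-A OUTPUT.*-j ACCEPT' \
        | grep -v -e '-o lo' -e 'ESTABLISHED' -e "-d $SERVER_IP" \
        | grep -q . && return 1
    return 0
}

if [ "${1:-}" = "apply" ]; then
    check_egress_locked || { echo "ruleset failed self-check" >&2; exit 1; }
    gen_sensor_rules | iptables-restore     # atomic load; needs root
else
    gen_sensor_rules                        # review mode: just print
fi
```

Run it with `apply` as root to load the rules atomically through `iptables-restore`; with no argument it only prints them so they can be reviewed or committed to configuration management. The LOG rule ahead of the default drop is worth keeping: a sensor that suddenly tries to reach addresses other than its server is exactly the signal a defender wants in syslog.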

Kit Plummer

Apr 4, 2014, 10:17:41 AM
to Doug Burks, mil...@googlegroups.com
Awesome stuff Doug.

Vagrant or cloud image by chance available somewhere?  Very interesting that it’s based on Ubuntu as well…and cleared for classified use?  

Is there a built-in reporting/notification service?

Thanks.
Kit

Doug Burks

Apr 4, 2014, 10:24:52 AM
to Kit Plummer, mil...@googlegroups.com
Hi Kit,

Replies inline.

On Fri, Apr 4, 2014 at 10:17 AM, Kit Plummer <kitpl...@gmail.com> wrote:
> Awesome stuff Doug.

Thanks!

> Vagrant or cloud image by chance available somewhere?

You should be able to use any Ubuntu 12.04 vagrant or cloud image and
then add our PPA and packages as described in our Installation guide:
https://code.google.com/p/security-onion/wiki/Installation#If_you_want_to_quickly_evaluate_Security_Onion_on_your_preferred

> Very interesting that
> it's based on Ubuntu as well...and cleared for classified use?

All I know is that the Army has issued a CoN. I'm not sure what
environment(s) it applies to.

> Is there a built-in reporting/notification service?

We have several different interfaces available for analyzing alerts
and logs. You can see some screenshots here:
http://securityonion.net

If by notification you're referring to email, please see:
https://code.google.com/p/security-onion/wiki/Email
--
Doug Burks

Miles Fidelman

Apr 4, 2014, 10:24:51 AM
to mil...@googlegroups.com
Hi Doug,

I noticed that, and I was being a bit snarky in my comment - the value
of security-onion, and similar tools is quite obvious to any of us
who've managed any kind of computer or network.

On the other hand, it does strike me that this brings up a rather big
flaw in the whole notion of certificates-of-networthiness. By
"blessing" a piece of software for installation, it makes it a whole lot
easier for folks who don't understand the implications of the software,
and/or can't be bothered to do all the proper configuration, and/or have
malicious intent, to install something dangerous. And, when something
is free - it makes it really easy for someone to "play" with something
that's really dangerous. Again, not to denigrate your work, the phrase
"Trojan Horse" comes to mind.

Frankly, it scares me. (As much as I've had my shares of issues in
butting heads with security requirements for software installation, I'm
periodically brought up short when contemplating the alternatives.)

Miles

Kit Plummer

Apr 4, 2014, 10:31:16 AM
to Miles Fidelman, mil...@googlegroups.com
Miles, you’re spot on.  Hate to sideswipe Doug’s good work/thread, but having gone through the Army CoN process myself…I assure you it’s a farce.  And, even more of a farce from a security perspective.  The staff who “push the paper” are clueless - and from what I’d seen are individuals without any or very little IT background, let alone general software/network security knowledge.  They simply process checklists, and ask questions.  The adjudication of any piece of software is suspect.  The fact they’ve “approved” an OS distro full of goodies is an even bigger indicator that the CoN process is nothing more than a silly little gate.  It scares me too.

Kit


Doug Burks

Apr 4, 2014, 10:44:59 AM
to mil...@googlegroups.com, Miles Fidelman
I definitely agree that having a CoN is not an "accomplishment" for
our project or any other piece of software for that matter. It only
means that those network defenders inside the Army who have been
wanting to use Security Onion to defend their networks are now
officially allowed to.

On Fri, Apr 4, 2014 at 10:31 AM, Kit Plummer <kitpl...@gmail.com> wrote:
> Miles, you're spot on. Hate to sideswipe Doug's good work/thread, but
> having gone through the Army CoN process myself...I assure you it's a farce.
--
Doug Burks

Kit Plummer

Apr 4, 2014, 11:05:51 AM
to Doug Burks, mil...@googlegroups.com, Miles Fidelman
I’d actually say it is an accomplishment…for that reason you mentioned.  Just don’t stop there.  ;)

If you do find out that it is being used in a high environment please, please let us know!  For that matter, it would be awesome to hear how people are using it, in general.

Kit

Doug Burks

Apr 4, 2014, 2:06:33 PM
to Kit Plummer, mil...@googlegroups.com, Miles Fidelman
On Fri, Apr 4, 2014 at 11:05 AM, Kit Plummer <kitpl...@gmail.com> wrote:
> I'd actually say it is an accomplishment...for that reason you mentioned.
> Just don't stop there. ;)
>
> If you do find out that it is being used in a high environment please,
> please let us know! For that matter, it would be awesome to hear how people
> are using it, in general.

I can tell you that Mozilla is using Security Onion to monitor and
defend their networks:
http://www.slideshare.net/slideshow/embed_code/26755364