Final interim presentation_e07410014

Page 1: Final interim presentation_e07410014

A. M. T. N. De Silva

Supervised by Dr. Sameera de Alwis

Centralized Enterprise Syslog Manipulation Engine

BIT 28/06/2010

Page 2: Final interim presentation_e07410014

Overview

• Introduction
• Aim and Objectives
• Current issues in System Log Manipulation
• Technology adapted
• CESM Engine for Secure Environment
• Design of CESM Engine
• Implementation of CESM Engine
• Evaluation
• Conclusion

Page 3: Final interim presentation_e07410014

Introduction

Background and Motivation

Any system in the world can fail or be attacked.

A lack of diagnostic data can lead to excessive downtime.

Securely logged data helps to investigate what went wrong.

Problem in brief

Decentralized system logs make audits, log backups and investigations harder.

Commercial System Log Manipulation Suites have a high license cost.

Administrator-level privilege escalation allows attackers to destroy system logs, footprints and tracks.

Page 4: Final interim presentation_e07410014

Cont… Why the Problem is worth addressing

Syslogs show evidence of intrusion activity and of what went wrong. Syslogs are prime targets for attackers who want to cover their activities. Applications and devices log their messages and events differently.

Technology used

I suggest a Centralized Syslog Manipulation Engine based on Debian Linux, Apache, PHP, MySQL, Hardware and Networking Technologies for an improved Secure Environment.

Page 5: Final interim presentation_e07410014

Aim and Objectives

Aim

The aim of this project is to develop a Centralized Enterprise Syslog Manipulation Engine which manipulates and secures Syslogs in Enterprise environments under an extremely low budget, with the use of PHP, HTML, MySQL, Debian Linux and Hardware and Networking technology.

Objectives

• Study of the role of an Enterprise Syslog Manipulation Engine
• Study of technologies that can be used for a Syslog Manipulation Engine
• Design and develop an Enterprise Syslog Engine for manipulating and securing Syslogs
• Evaluation of the proposed Syslog Engine
• Preparation of final documentation

Page 6: Final interim presentation_e07410014

Current issues with System Log Manipulation

Existing Solutions

Commercial software suites
• The number of hosts that can be used with the system is limited.
• May not fulfil company requirements completely.
• The software license cost is high.
• Specialized underground exploits are available for them.

Manual System Log Manipulation
• It is not updated accurately day to day.
• All records are difficult to analyse at once.
• Cannot provide real-time log manipulation.
• Non-functional requirements such as reliability, performance, security etc. are very low.

Page 7: Final interim presentation_e07410014

Cont…

Centralized Enterprise Syslog Manipulation Engine
• Real-time log manipulation.
• Can be used with multiple hosts and devices simultaneously.
• Easy to use and maintain.
• Zero software license cost.
• Fully customizable.
• Provides non-functional requirements such as reliability, performance, security, availability etc.

Page 8: Final interim presentation_e07410014

Technology adapted

What technologies are used for the Centralized Enterprise Syslog Manipulation Engine?
• Debian Linux with operating system hardening and customization technology.
• Database management technology with MySQL.
• Web technology with PHP and Apache HTTPD.
• Hardware and networking technology with manual hardware customization technology and physical security enhancing technology.

Why use LAMP tools (Linux, Apache, MySQL and PHP)?
• Freely available, easily configured and very robust.
• In a constant state of development and improvement, adding features suggested by a large user community.

Page 9: Final interim presentation_e07410014

Centralized Enterprise Syslog Manipulation Engine for Secure

Environment

9

Users

System Administrators, Digital Forensics Investigators, Information Security Officers.

InputWindows event logs, System logs, Firewall logs and Device logs.

OutputSyslog reports, Intrusions, Data tampering fingerprints, Critical service failures and

unusual system health conditions.

Page 10: Final interim presentation_e07410014

Cont…

Process
Log correlation, fetching and importing into the MySQL database, generating reports, log sorting, intrusion detection with an external NOC (Network Operation Centre) and SOC (Security Operation Centre).

Technology
PHP and HTML, Apache HTTPD, MySQL, Debian Linux, Hardware and Networking.

Feature
Log correlation to a secure and safe place, Centrality, Log analysis, Intrusion detection with NOC and SOC.

Page 11: Final interim presentation_e07410014

Design of CESM Engine

[Figure: Top level Architecture of CESM Engine]

Page 12: Final interim presentation_e07410014

Cont…

User Interface Module
This module allows users to work with the CESM Engine. It interacts with the Database module and the Report generating module.

Log correlation module
This module correlates Event logs and System logs into the Syslog daemon. It interacts with the Database module.

Page 13: Final interim presentation_e07410014

Cont..Database Module

This module handle whole database which is related to CESM Engine. The information which has to store, are concern in this module This interacts with Report generating module, Log correlation module and User

interface module

Report Generating Module This module used to generating reports It is directly interact with database module and User interface module.

13

Page 14: Final interim presentation_e07410014

Implementation of CESM Engine

The CESM Engine can be implemented as a standalone engine.

The minimal resource requirements for implementing the system are as follows.

Technical Requirements

Hardware Configuration:
Processor: Intel Core 2 Duo
RAM: 1 GB
Hard Disk: 80 GB

Module Implementation
The front end of the system is developed with the User Interface Module and Apache HTTPD.

Page 15: Final interim presentation_e07410014

Cont…

Log correlation module implementation
NT Syslog Windows agent, Syslog push configuration

Report generating module implementation
PHP report script

Database module implementation
MySQL installation and configuration
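As an added illustration of the log correlation, database and report modules described on the design and implementation slides (example code written for this page, not the project's own PHP/MySQL code), the following Python stand-in parses BSD syslog lines of the kind a Windows syslog agent or syslogd pushes to the collector, stores them in a hash-chained table (in-memory SQLite in place of MySQL) so that a later edit to a stored record leaves a data-tampering fingerprint, and runs one report query. The sample lines and the chaining scheme are assumptions, not taken from the presentation.

```python
import hashlib, re, sqlite3
# Constructed BSD syslog (RFC 3164) sample lines, the shape a Windows syslog agent or
# a Linux syslogd pushes to the central collector (assumed input, not real data).
SAMPLE_LINES = [
    "<84>Jun 28 09:15:01 win-dc01 Security: Logon failure for user admin",
    "<34>Jun 28 09:15:07 fw-edge kernel: Denied TCP 10.0.0.8 -> 10.0.0.1:22",
    "<30>Jun 28 09:16:00 web-01 apache2: Started worker pool",
]
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
GENESIS = "0" * 64  # chain anchor for the first stored record

def parse_syslog(line):
    """Split a BSD syslog line into facility, severity, timestamp, host, message."""
    m = SYSLOG_RE.match(line)
    if not m: raise ValueError("not a BSD syslog line: %r" % line)
    pri = int(m.group(1))  # PRI = facility * 8 + severity
    return {"facility": pri // 8, "severity": SEVERITIES[pri % 8],
            "ts": m.group(2), "host": m.group(3), "message": m.group(4)}

def record_hash(prev, ts, host, sev, msg):
    """Fingerprint of one record, bound to the previous record's fingerprint."""
    return hashlib.sha256("|".join([prev, ts, host, sev, msg]).encode()).hexdigest()

def build_store(lines):
    """Import lines into a hash-chained table (in-memory SQLite stands in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE syslog (id INTEGER PRIMARY KEY, ts TEXT, host TEXT, "
               "severity TEXT, message TEXT, prev_hash TEXT, hash TEXT)")
    prev = GENESIS
    for line in lines:
        r = parse_syslog(line)
        h = record_hash(prev, r["ts"], r["host"], r["severity"], r["message"])
        db.execute("INSERT INTO syslog (ts,host,severity,message,prev_hash,hash) VALUES (?,?,?,?,?,?)",
                   (r["ts"], r["host"], r["severity"], r["message"], prev, h))
        prev = h  # each row commits to everything stored before it
    db.commit()
    return db

def verify_chain(db):
    """Recompute the chain from stored rows; False is a data-tampering fingerprint."""
    prev = GENESIS
    for _id, ts, host, sev, msg, prev_hash, h in db.execute("SELECT * FROM syslog ORDER BY id"):
        if prev_hash != prev or h != record_hash(prev, ts, host, sev, msg):
            return False
        prev = h
    return True

def severity_report(db):
    """Report-module query: events per host at warning level or worse."""
    return dict(db.execute("SELECT host, COUNT(*) FROM syslog WHERE severity IN "
                           "('emerg','alert','crit','err','warning') GROUP BY host"))
```

Because whoever controls the database can recompute the whole chain, the latest hash should also be kept off the engine (printed, or sent to a second host) for the verification to carry weight.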

Page 16: Final interim presentation_e07410014

Cont…

Pre-login Page

Page 17: Final interim presentation_e07410014

Cont…

User Login Page

Page 18: Final interim presentation_e07410014

Cont…

After Login Page

Page 19: Final interim presentation_e07410014

Cont…

Report Page

Page 20: Final interim presentation_e07410014

Evaluation

The following tests are to be performed:
• Functionality Testing
• Performance Testing
• Usability Testing
• Web Interface Security Testing

Page 21: Final interim presentation_e07410014

Conclusion

This new system is the Centralized Enterprise Syslog Manipulation Engine. The CESM Engine is capable of manipulating and securing Syslogs under an extremely low budget. Further enhancements can be made to report generation. After creating the CESM Engine I will carry out the system validation and verification process.

Page 22: Final interim presentation_e07410014

Thank You