Replacing TripWire with SNMPv3

Presented at DEF CON 10 (2002), Aug. 3, 2002, 2 p.m. (50 minutes)

This talk demonstrates how to use SNMPv3 software (specifically illustrated using Net-SNMP), both with minor custom configurations and also with specialized MIBs and Agents, to provide file data and file hashes on demand over secure channels. I also discuss the use of the TCP Inform Trap as a syslog-style message transfer mechanism. I spend the majority of the time showing how the authentication and privacy features of SNMPv3 provide robust bi-directional security message transfers. Along the way I demonstrate how to use the split between the authentication and privacy features to provide double-blind random file hashes of a managed system. Use of trigger settings to capture file changes will be discussed. I provide the example MIBs and related Agent code for general Unix platforms running Net-SNMP and, where possible, discuss how to get the code working on Microsoft or other platforms. Time permitting, I will digress into ways to integrate these techniques into common Network Management platforms.


Presenters:

  • Matthew G. Marsh - Chief Scientist NEbraskaCERT http://www.paksecured.com
    Chief Scientist of the NEbraskaCERT, President & Founder of Paktronix Systems LLC, Author of "Policy Routing Using Linux" (SAMS), Creator of PakSecured Linux. Working in network management and architecture since 1983, specializing in routed IP/IPX/SNA networks. Worked extensively with various SNMP platforms both as a user and as a vendor. On NEAR & BITNET in 1984 (PreHistoric Internet) and addicted ever since. As Chief Scientist of the NEbraskaCERT, researching IPv4/IPv6/IPSec Integrated Security Networks. Developed the first (and currently still the only) SNMPv3-manageable policy routing firewall system for Linux, available under GPL at http://www.paksecured.com. Actively researching management and design of Integrated Security Networks.
