NANOG'ers, I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company. We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes. Initially, what do people recommend for: 1. Crash course in intrusion detection as a whole 2. Suggestions or recommendations for intrusion detection hardware or software 3. Other things I'm likely overlooking Thank you all in advance for your wisdom. ---- Andy Ringsmuth andy@newslink.com News Link – Manager Technology & Facilities 2201 Winthrop Rd., Lincoln, NE 68502-4158 (402) 475-6397 (402) 304-0083 cellular
On Fri, 13 Feb 2015, Andy Ringsmuth wrote:
NANOG'ers,
I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company.
We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes.
Initially, what do people recommend for:
1. Crash course in intrusion detection as a whole 2. Suggestions or recommendations for intrusion detection hardware or software 3. Other things I'm likely overlooking
Thank you all in advance for your wisdom.
I'd have a look at Alien Vault if you don't want to fork out heavy money and have a geek enough staff who doesn't mind butchering it up. It can be plug and play to an extent yet at the same time, if not configured properly it becomes useless. On the other hand, if you don't want to waste precious time in the event of say incident response to an actual event, then I would opt for QRadar. IDS/IPS is a mere buzzword. Detection comes via way of knowledge: "Who knows/has seen, that N traffic is malicious" often based on signatures. Then of course you get all the nifty buzzwords: "but we use heuristic doohickey reverse nacho cheese technology!" Prevention is a paradox. If it did prevent then why did you get notified via a tweet that you were compromised before you even knew you were. IDS works like this (in theory): Look at all logs, and all traffic patterns. Compare this data (often) to a config file of known knowns, if it matches what we have seen then it MUST be an attack. IPS works like this: Sell someone an IDS appliance or software and tell them it's IPS. It won't stop a huge portion of attacks since it is well... IDS but boy does it have a cooler name. ITS (Intrusion Tolerance) works like this: Ok, so we won't stop them, we can't prevent them, but boy oh boy can we tolerate them! All work off of a broken premise of "known knowns" and not one vendor will ever come clean on this. I have had the opportunity (or misfortune take your pick) to have analyzed quite a bit of malware, intrusions, and so forth. I have seen how rapidly some of the attacks change, so I know firsthand why IDS, IPS, and others fail. Now let me be fair... IDS/IPS are good as a HSSS (new buzzword) Hind Sight Security System, but will only prevent, and detect what is known. Your best goal is to perform a combination security and network analysis PRIOR to implementing any system. In doing so, you create logic suitable to your environment. For example, you have a DB that is supposed to ONLY communicate internally, a better approach would be to go on to that machine, and use the local machine's firewall rule to create a rule that says: ONLY CONNECTIONS FROM HERE TO THERE ARE ALLOWED ALL OTHERS GET BLOCKED, then alert when something strays. Most of these systems lack because of the design prior to, and after their implementations. Organizations haven't taken the time to map data, processes, and create even a simple baseline to work with. This leads to these types of systems (IPS, IDS, SIEM, ITS, blah blah blah) generating all sorts of false positives. These false positives often overwhelm the users tasked with the administration of the systems. Thousands of alerts which often go unchecked until it is too late. thee end. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
Unless you need regulatory-grade IDS, your best bet is a Unified Threat Management (UTM) appliance, essentially any modern enterprise grade firewall such as a Cisco ASA, Fortigate, SonicWall, etc. These all have built-in IDS/IPS options for a fee. -mel On Feb 13, 2015, at 9:40 AM, Andy Ringsmuth <andy@newslink.com> wrote:
NANOG'ers,
I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company.
We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes.
Initially, what do people recommend for:
1. Crash course in intrusion detection as a whole 2. Suggestions or recommendations for intrusion detection hardware or software 3. Other things I'm likely overlooking
Thank you all in advance for your wisdom.
---- Andy Ringsmuth andy@newslink.com News Link – Manager Technology & Facilities 2201 Winthrop Rd., Lincoln, NE 68502-4158 (402) 475-6397 (402) 304-0083 cellular
On Fri, 13 Feb 2015, Mel Beckman wrote:
Unless you need regulatory-grade IDS, your best bet is a Unified Threat Management (UTM) appliance, essentially any modern enterprise grade firewall such as a Cisco ASA, Fortigate, SonicWall, etc. These all have built-in IDS/IPS options for a fee.
-mel
With all due respect, is regulatory-grade IDS the same as say "military-grade" encryption? -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
JO, IDS to meet PCI or HIPAA requirements is "regulatory grade". It meets specific notification and logging requirements. SNORT-based systems fall into this category. -mel beckman
On Feb 13, 2015, at 10:00 AM, "J. Oquendo" <joquendo@e-fensive.net> wrote:
On Fri, 13 Feb 2015, Mel Beckman wrote:
Unless you need regulatory-grade IDS, your best bet is a Unified Threat Management (UTM) appliance, essentially any modern enterprise grade firewall such as a Cisco ASA, Fortigate, SonicWall, etc. These all have built-in IDS/IPS options for a fee.
-mel
With all due respect, is regulatory-grade IDS the same as say "military-grade" encryption?
-- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama
0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
On Fri, 13 Feb 2015, Mel Beckman wrote:
JO,
IDS to meet PCI or HIPAA requirements is "regulatory grade". It meets specific notification and logging requirements. SNORT-based systems fall into this category.
<ramble>tl;dr (even I don't read what I write) You failed to see the snark in "military grade" crypto comment. This thought process is what causes many organizations to fail repeatedly. Relying on what the herd says. PCI, HIPAA, FINRA, FISMA, and all of the other regulatory guidelines, standards, baselines, and mandates spew from the manufacturing industry's ISO (BS pick your poisonous acronym). Call it SADHD (or Security ADHD) but I don't get why everyone keeps running around like dogs chasing their tails. Let's look at HIPAA where everyone is scrambling to replace Windows based on the word of the herd. Here is the rule: "Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the organization's inability to maintain its systems and customer information" Do you chuck Windows XP? It'd be easier to in theory but not in practice, however NO ONE EVER SAID: "thou shall chuck XP" (http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html) "The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems" Organizations keep relying on half-decent guidelines for remedies to their problems. By you thinking that you are going to plop in any "regulatory grade" *anything* and find security, you are doing not only yourself a huge disservice, but also to your clients. These pieces of technology (IPS, IDS, FWs, HIPS, NIPS, etc) are only capable of doing what you tell them to. Neither the Payment Card Industry, NIST, or even the President of your country (or Premier, or whatever else) should be telling you how to secure your organization. YOU need to know the ins and outs, take the proper steps and THEN use these technologies when you're done with your risk assessments. If you're relying solely on what others tell you is "regulatory-grade" or "military-grade" or any other kind of grade, your bound to be right up there with Target, Anthem, Citi, JP Morgan Chase, <snip>a wikipedia-length list of compromised companies</snip>. When doing pentesting work, I fill up IPS and IDS with so many false positives, the analysts are FORCED to ignore the results while I shimmy my shiny right on by. I know based on experience what someone is going to do when they see a kabillion alerts light up their dashboard. http://seclists.org/incidents/2000/Aug/277 The approach: "Let me cater to what they say I should do" versus: "Let me figure out what my organization does, needs to do, and how to get to the proper point" is mind boggling. I wish there were a statistical database of compromised companies, and the tools they used, frameworks they followed, and regulatory nonsense they needed to comply with was listed. Most of these regulatory mandates are based off of half-baked models that are partially good when followed thoroughly. However, they are ONLY partially good when an organization goes beyond the normal banter: "thou shall apply this" - Does not mean: plop in an IPS and call it a day. For the most part though, this practice of half-baked security will continue, vendors will make bucketloads of money, consumers of IPS/IDS devices will still complain how much the product sucks, and I as a pentester... I stay happy as it keeps me steadily enjoying Five Guys' burgers </ramble> -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
tl;dr dc -mel
On Feb 13, 2015, at 1:13 PM, "J. Oquendo" <joquendo@e-fensive.net> wrote:
On Fri, 13 Feb 2015, Mel Beckman wrote:
JO,
IDS to meet PCI or HIPAA requirements is "regulatory grade". It meets specific notification and logging requirements. SNORT-based systems fall into this category.
<ramble>tl;dr (even I don't read what I write)
You failed to see the snark in "military grade" crypto comment. This thought process is what causes many organizations to fail repeatedly. Relying on what the herd says. PCI, HIPAA, FINRA, FISMA, and all of the other regulatory guidelines, standards, baselines, and mandates spew from the manufacturing industry's ISO (BS pick your poisonous acronym). Call it SADHD (or Security ADHD) but I don't get why everyone keeps running around like dogs chasing their tails.
Let's look at HIPAA where everyone is scrambling to replace Windows based on the word of the herd. Here is the rule:
"Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the organization's inability to maintain its systems and customer information"
Do you chuck Windows XP? It'd be easier to in theory but not in practice, however NO ONE EVER SAID: "thou shall chuck XP" (http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html)
"The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems"
Organizations keep relying on half-decent guidelines for remedies to their problems. By you thinking that you are going to plop in any "regulatory grade" *anything* and find security, you are doing not only yourself a huge disservice, but also to your clients. These pieces of technology (IPS, IDS, FWs, HIPS, NIPS, etc) are only capable of doing what you tell them to. Neither the Payment Card Industry, NIST, or even the President of your country (or Premier, or whatever else) should be telling you how to secure your organization. YOU need to know the ins and outs, take the proper steps and THEN use these technologies when you're done with your risk assessments.
If you're relying solely on what others tell you is "regulatory-grade" or "military-grade" or any other kind of grade, your bound to be right up there with Target, Anthem, Citi, JP Morgan Chase, <snip>a wikipedia-length list of compromised companies</snip>.
When doing pentesting work, I fill up IPS and IDS with so many false positives, the analysts are FORCED to ignore the results while I shimmy my shiny right on by. I know based on experience what someone is going to do when they see a kabillion alerts light up their dashboard.
http://seclists.org/incidents/2000/Aug/277
The approach: "Let me cater to what they say I should do" versus: "Let me figure out what my organization does, needs to do, and how to get to the proper point" is mind boggling. I wish there were a statistical database of compromised companies, and the tools they used, frameworks they followed, and regulatory nonsense they needed to comply with was listed. Most of these regulatory mandates are based off of half-baked models that are partially good when followed thoroughly. However, they are ONLY partially good when an organization goes beyond the normal banter: "thou shall apply this" - Does not mean: plop in an IPS and call it a day. For the most part though, this practice of half-baked security will continue, vendors will make bucketloads of money, consumers of IPS/IDS devices will still complain how much the product sucks, and I as a pentester... I stay happy as it keeps me steadily enjoying Five Guys' burgers
</ramble>
-- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama
0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
On Fri, Feb 13, 2015 at 12:43 PM, J. Oquendo <joquendo@e-fensive.net> wrote: [...]
For the most part though, this practice of half-baked security will continue, vendors will make bucketloads of money, consumers of IPS/IDS devices will still complain how much the product sucks, and I as a pentester... I stay happy as it keeps me steadily enjoying Five Guys' burgers
Seriously? Five Guys? Man, In-n-Out is *so* much better than Five Guys...that has*got* to be a troll posting, just to get people like me out of the woodwork...
On 13/02/15 17:45 +0000, Mel Beckman wrote:
Unless you need regulatory-grade IDS, your best bet is a Unified Threat Management (UTM) appliance, essentially any modern enterprise grade firewall such as a Cisco ASA, Fortigate, SonicWall, etc. These all have built-in IDS/IPS options for a fee.
-mel
Flip over these, or ideally watch the talk before deploying an ASA (or some other black-box security appliance that tries to be All Things to All People) https://ruxcon.org.au/assets/2014/slides/Breaking%20Bricks%20Ruxcon%202014.p... -- richo
I am a huge fan of FreeBSD, but for a medium/large business I'd definitely use a fairly well tested security appliance like Cisco's ASA. Depending on the traffic you have on your fiber uplink, you can get a redundant pair of ASAs running for less than $2,000 in the US. I just find it less stressful to use a solution like ASA rather than worrying about patching your kernel every so often and worrying about possible vulns in the ipfw/pf codes. That, and you have to make sure EVERYTHING is taken into account when you create your rules, which requires some intense knowledge on either ipfw, pf or both. I am not an expert in intrusion detection, so with regards to that, I'd just setup a honeypot and monitor activity. You can also regularly run penetration tests on your own network and see how well you are protected. Just make sure the appropriate people know about these tests so you don't get wrongfully reported. Rafael On Fri, Feb 13, 2015 at 11:40 AM, Andy Ringsmuth <andy@newslink.com> wrote:
NANOG'ers,
I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company.
We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes.
Initially, what do people recommend for:
1. Crash course in intrusion detection as a whole 2. Suggestions or recommendations for intrusion detection hardware or software 3. Other things I'm likely overlooking
Thank you all in advance for your wisdom.
---- Andy Ringsmuth andy@newslink.com News Link – Manager Technology & Facilities 2201 Winthrop Rd., Lincoln, NE 68502-4158 (402) 475-6397 (402) 304-0083 cellular
What is the alternative then... Does he have the time to become a BSD guru and master ipfw and pf? Probably not feasible with all other job duties, unless he locks himself in his mom's basement for the next 5 years. On Fri, Feb 13, 2015 at 3:27 PM, Rich Kulawiec <rsk@gsp.org> wrote:
On Fri, Feb 13, 2015 at 02:45:46PM -0600, Rafael Possamai wrote:
I am a huge fan of FreeBSD, but for a medium/large business I'd definitely use a fairly well tested security appliance like Cisco's ASA.
Closed-source software is faith-based security.
---rsk
On Fri, 13 Feb 2015, Rafael Possamai wrote:
What is the alternative then... Does he have the time to become a BSD guru and master ipfw and pf? Probably not feasible with all other job duties, unless he locks himself in his mom's basement for the next 5 years.
The alternative is to understand what his network does, what it was designed to do, and what he needs it to do. The end solution (IPS, IDS, ASA, whatever you want to throw in) should be just that, an END solution once he has taken the time to assess risk. This is a concept many miss. As for "testing" ... So you own a house, you hire an assessor to analyze your property, write a report for you on your vulnerabilities. "You have 12 windows. OMFG Someone can break one of those windows and steal your family jewels!" Vendor gets paid and leaves you with a headache. 12 windows? So what... Behind those windows are a rabid pitbull I never feed. Wanna take a chance to break in? Pentest... "So you own a house, same windows, now you're paying someone to get in." Let me tell you how pentesting fails. Pentesting fails because most companies get all bent out of shapes based on Internet history of systems, and applications crashing from a simple network scan. Ask your next pentesting client (if this pentesting is your primary function) to allow you to perform a no-holds barred pentest including social engineering. You'll get the deer in headlights look. I discussed this recently with a client who wanted to be snarky: "Oh you'll never get in my systems" and I decided to inform him about reality... Reality: Hardcore attackers are NOT charging down the castle road with a log trying to break down the castle wall. They're sending client side attacks (phishing emails, waterhole attacks). It's more cost effective for an attacker to do this versus trying to defeat the router, the switching with all its VLAN glory (that gets vlan hoppped), the L7 firewalls, the load balancers, the IPS, and then the IPS. Its useless, noisy, and just not cost effective when you think about it. IPS, IDS does little because they're RARELY applied in a proper fashion. As for tinkering, geekiness. If you can't at least wrap your head around the concept, then I don't know why you'd want to be on this list. Further, IPS/IDS is better suited to be inverted (Extrusion Detection) as you WILL NEVER (CAN NEVER) stop someone from knocking on your door. So you block every APNIC block thinking "Phew I just blocked 100% of APTs" until you get whacked from a hosting company in the US. What have you accomplished? On the EXTRUSION side of the equation, knowing your network, and how it works makes more sense. Your focus gets shifted to the following logic: (rule) SHOW ME ANYTHING LEAVING MY NETWORK THAT IS OVER 1MB ON A SUNDAY MORNING 2AM ... This anomaly means a hell of a lot more than watching all of the internet trash that will hit your door (egree ifaces) -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
On Fri, 13 Feb 2015 15:45:30 -0600, Rafael Possamai said:
What is the alternative then... Does he have the time to become a BSD guru and master ipfw and pf? Probably not feasible with all other job duties, unless he locks himself in his mom's basement for the next 5 years.
By the time you learn enough about security that the box is actually securing something rather than just filling a checkbox on a form, mastering ipwf/pf is the least of your worries....
On Fri, Feb 13, 2015 at 03:45:30PM -0600, Rafael Possamai wrote:
What is the alternative then... Does he have the time to become a BSD guru and master ipfw and pf? Probably not feasible with all other job duties, unless he locks himself in his mom's basement for the next 5 years.
I know this will come a shock, but there are now a plethora of how-to's and tutorials and books and FAQs and examples for pf. Getting from zero to a first-order working configuration, especially for someone already familiar with FreeBSD (as in this case) should not entail more than a couple of days of reading and tinkering. And it's most definitely not necessary to become a BSD guru in order to run: pfctl -f /etc/pf.conf Obviously complex use cases will require more understanding, but that's a constant regardless of the platform. There's really no point-and-drool shortcut for actually understanding what your network's doing, why it's doing it, and how it's doing it in sufficient depth to figure out which parts of that are goodness and which are dubious -- worse. To quote Ranum, "How can you call yourself a 'Chief Technology Officer' if you have no idea what your technology is doing?" ---rsk
On Sat, Feb 14, 2015 at 10:19 AM, Rich Kulawiec <rsk@gsp.org> wrote:
On Fri, Feb 13, 2015 at 03:45:30PM -0600, Rafael Possamai wrote:
What is the alternative then... Does he have the time to become a BSD guru and master ipfw and pf? Probably not feasible with all other job duties, unless he locks himself in his mom's basement for the next 5 years.
Are we really talking "ipfw add deny udp from any to any 123 not in via $lan" where? Or are we talking "iptables -A INPUT -s 0/0 -p udp -m udp --dport 123 -j DROP"? Or maybe we are talking "config firewall local-in-policy \n edit #id \n set intf ifacename\n set srcaddr any\n set dstaddr any\n set service previosly_configured_object\n set action deny\n next\n end\n" ? Nobody needs to lock himself down on a basement to learn PF or IPFW. While this might not be true for other firewalling systems, it can't be easier than it's on BSD. All it takes is proper networking skills. The tool is just simple to do what you want to do if you know how you want it (TCP/IP skills, not PF skills required). I know this will come a shock, but there are now a plethora of how-to's
and tutorials and books and FAQs and examples for pf. Getting from zero to a first-order working configuration, especially for someone already familiar with FreeBSD (as in this case) should not entail more than a couple of days of reading and tinkering. And it's most definitely not necessary to become a BSD guru in order to run:
Not to mention PF's documentation, IPFW documentation and Handbook chapter...
pfctl -f /etc/pf.conf
Obviously complex use cases will require more understanding, but that's a constant regardless of the platform.
Agree, networking skills are required, not PF/IPFW skills as they are easy and well documented tools. Easier and more performing than most other firewalling tools and options, or as easy as other easy ones like Cisco ASA. But back to Andy's original point: As someone else mentioned before, I dropped Snort in favor of Suricata + Bro, and they are the tools I would also suggest. Do it FreeBSD + Suricata and/or Bro. And remember, IDS is not a service you set up and forget. The most important point is to learn how to do proper analysis on what you are seeing and understand volumetric vs unusual single attacks, inspect payload, L7 content and have a daily analysis cycle if you can't have dedicated personnel to do that continuosly. This is not different if you go how brew open source, "packed ready" opensource (pfSense) or proprietary / commercial. I also agree with someone who suggested Bejlich's SIEM (NSM) book, and I would recommend Shon Harrys, Miller et. al SIEM book as well! Regards,
On Sat, Feb 14, 2015 at 12:04 PM, BPNoC Group <bpnoc.lists@gmail.com> wrote: The thing to note about ipfw, is it only provides you with essentially 5-tuple based access lists based on source and destination, as this functions strictly by looking at packet headers. There's no ipfw rule you can make that will tell ipfw to Allow outgoing port 80 connections, but only if the protocol is HTTP. Don't allow outgoing SMTP or SSH connections over port 80. Often.... for a network with endpoints, almost everything outbound you want to allow will be going out on port 80 or 443, And almost everything outbound you need to reject will also be going out on port 80 or 443. If the syntax is a challenge for you at all, there are tools such as fwbuilder, or PfSense appliance with web GUI that can be used to construct the configuration.. The sticking point with pf, or iptables, or whatever you use should not be the syntax or the command language. But the question of *what* to allow, and how to appropriately structure that choice/requirement of what to allow in order to ensure the applications work correctly and minimize the exposure. This is not strictly a matter of coming up with rules or language syntax, but if done right includes analysis and reconfiguration of applications in order to ensure that legitimate traffic is as predictable and well-understood as possible. For example... Since 80 and 443 are such trouble, you might structure the "allow" by setting up a suitable proxy server on LAN, require all clients to use it, and on the ipfw device it is strictly a "Deny all".
Are we really talking "ipfw add deny udp from any to any 123 not in via $lan" where?
Or are we talking "iptables -A INPUT -s 0/0 -p udp -m udp --dport 123 -j DROP"? -- -JH
Of course it is. You say that like faith is a bad thing. The illogic of claiming to have no faith in anything is this: it's impractical to assume the role of quality assurance for everything in your life. The question is your faith reasonable. Ever use an elevator? Faith. Drive a car? Faith. Drive through a green light? Faith. Faith. Faith. Show me a man who has no faith, and I'll show you a man who is paralyzed. (Not a sexist statement; woman seem to have few problems with Faith). -mel
On Feb 13, 2015, at 1:27 PM, "Rich Kulawiec" <rsk@gsp.org> wrote:
On Fri, Feb 13, 2015 at 02:45:46PM -0600, Rafael Possamai wrote: I am a huge fan of FreeBSD, but for a medium/large business I'd definitely use a fairly well tested security appliance like Cisco's ASA.
Closed-source software is faith-based security.
---rsk
On Fri, 13 Feb 2015, Rich Kulawiec wrote:
On Fri, Feb 13, 2015 at 02:45:46PM -0600, Rafael Possamai wrote:
I am a huge fan of FreeBSD, but for a medium/large business I'd definitely use a fairly well tested security appliance like Cisco's ASA.
Closed-source software is faith-based security.
The ASA, like so many network/security appliances anymore, runs Linux (or *BSD) under the hood, however I don't know how old or horribly mangled it is. jms
I believe the ASA was first developed as the PIX on Plan 9. The OS that came out of that was originally called Finesse OS, but was later renamed as PIX OS. After Cisco purchased the PIX and renamed it to the ASA, they began using a Linux kernel around PIX OS V8. --p -----Original Message----- From: NANOG [mailto:nanog-bounces+patrick.darden=p66.com@nanog.org] On Behalf Of Justin M. Streiner Sent: Saturday, February 14, 2015 3:28 AM To: nanog@nanog.org Subject: [EXTERNAL]Re: Intrusion Detection recommendations On Fri, 13 Feb 2015, Rich Kulawiec wrote:
On Fri, Feb 13, 2015 at 02:45:46PM -0600, Rafael Possamai wrote:
I am a huge fan of FreeBSD, but for a medium/large business I'd definitely use a fairly well tested security appliance like Cisco's ASA.
Closed-source software is faith-based security.
The ASA, like so many network/security appliances anymore, runs Linux (or *BSD) under the hood, however I don't know how old or horribly mangled it is. jms
The PIX was originally developed as a “Network Translation, Inc.” box (translation.com <http://translation.com/>). (John Mayes, Brantley Coile, Johnson Wu) Cisco continued the PIX name for many years and through some major changes to the operating system. A later round of major changes had it renamed to ASA. Up through PIX 7 the PIX and ASA ran the same code releases. With PIX 8, PIX continued on the Finesse OS line, but ASA went to a Linux kernel. http://en.wikipedia.org/wiki/Cisco_PIX <http://en.wikipedia.org/wiki/Cisco_PIX> Owen Cisco bought that and renamed it PIX
On Feb 19, 2015, at 5:59 AM, Darden, Patrick <Patrick.Darden@p66.com> wrote:
I believe the ASA was first developed as the PIX on Plan 9. The OS that came out of that was originally called Finesse OS, but was later renamed as PIX OS. After Cisco purchased the PIX and renamed it to the ASA, they began using a Linux kernel around PIX OS V8.
--p
-----Original Message----- From: NANOG [mailto:nanog-bounces+patrick.darden=p66.com@nanog.org] On Behalf Of Justin M. Streiner Sent: Saturday, February 14, 2015 3:28 AM To: nanog@nanog.org Subject: [EXTERNAL]Re: Intrusion Detection recommendations
On Fri, 13 Feb 2015, Rich Kulawiec wrote:
On Fri, Feb 13, 2015 at 02:45:46PM -0600, Rafael Possamai wrote:
I am a huge fan of FreeBSD, but for a medium/large business I'd definitely use a fairly well tested security appliance like Cisco's ASA.
Closed-source software is faith-based security.
The ASA, like so many network/security appliances anymore, runs Linux (or *BSD) under the hood, however I don't know how old or horribly mangled it is.
jms
On Fri, Feb 13, 2015 at 6:45 PM, Rafael Possamai <rafael@gav.ufsc.br> wrote:
I am a huge fan of FreeBSD, but for a medium/large business I'd definitely use a fairly well tested security appliance like Cisco's ASA.
Or maybe Juniper, Cisco's Ironport, IPSO? They are all FreeBSD based, big and large critical networks ready. FreeBSD's ipfw codebase exists for longer than most commercial products you somehow believe to be more mature. So, FreeBSD's firewalling code at least, as well tested as commercial vendors products.
Depending on the traffic you have on your fiber uplink, you can get a redundant pair of ASAs running for less than $2,000 in the US.
For this traffic rate the best part on a commercial product is just irrelevant: good specifics hardware. Whatever can be done with a USD 2K Cisco based solution can be done on cheap low capacity x86 hardware with FreeBSD.
I just find it less stressful to use a solution like ASA rather than worrying about patching your kernel every so often and worrying about possible vulns in the ipfw/pf codes.
One does not need to svn update, build kernel, build world if he does not want to. It's just a matter of adding freebsd-update to crontab (or having you own manual updating cycle in place).
That, and you have to make sure EVERYTHING is taken into account when you create your rules, which requires some intense knowledge on either ipfw, pf or both.
Another point I am completely inclined to disagree. My team is made up of junior level, trainees, to +20yr experience professionals. There is absolutely no relevant learning curve for someone who has configured a Cisco or Juniper firewall to a PF or IPFW firewall. If the guys comes from a Linux background he finds ridiculously simple to have a PF firewall up and running, after all for someone used to that weird iptables syntax and semantics, a firewall where rules are linear and natural syntax are a piece of cake. For new professionals, they quickly learn PF/IPFW better than Linux or Fortigate which is another product we also have in place (heterogenous / mixed team and technologies here). The tool is just the tool, it should a matter of what the tool can or can not do, but not a matter on how to use it. Cisco ASA and PF are completely different animals, sure, but learning 'em from scratch or coming from other animals like Linux or Fortigate is straightforward. While products like fortigate have a nice GUI interface, it's just limited and low productive. My team tendo to configura fortinet on CLI, and guess what? Fortinet team are usually joked by BSD team when they see someone using Fortinet cli. It just takes 5 times more to configure several "edit" blocks, creating objects, putting it all together to have a simple firewall rule in the end, when the BSD guys do a one line rule with macros and tables sorted all for equivalent "object" advantages. Nobody cares for GUI in my team, but if a fancy GUI is required they send pfSense screenshots for the Fortinet guys just to keep the making fun... I strongly believe in the idea that open source has it's place and commercial products have their place on different scenarios and requirements. And in this scenario Mr Andy is asking about, IMO there's no reason not to go with open source BSD. Specially because he seems already familiar with FreeBSD. I am not an expert in intrusion detection, so with regards to that, I'd
just setup a honeypot and monitor activity. You can also regularly run penetration tests on your own network and see how well you are protected. Just make sure the appropriate people know about these tests so you don't get wrongfully reported.
Not the same thing, same goal or same results.
Rafael
On Fri, Feb 13, 2015 at 11:40 AM, Andy Ringsmuth <andy@newslink.com> wrote:
NANOG'ers,
I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company.
We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes.
Initially, what do people recommend for:
1. Crash course in intrusion detection as a whole 2. Suggestions or recommendations for intrusion detection hardware or software 3. Other things I'm likely overlooking
Thank you all in advance for your wisdom.
---- Andy Ringsmuth andy@newslink.com News Link – Manager Technology & Facilities 2201 Winthrop Rd., Lincoln, NE 68502-4158 (402) 475-6397 (402) 304-0083 cellular
Thanks for the awesome response, you have valid points. This could be me trying to simplify things by suggesting something like Cisco ASA, but the FreeBSD solution will need much more than just a well written ipfw or pf set of rules. In his scenario, I would also most likely need to setup VPN, CARP, etc, which requires decent amount of knowledge. If you use newer NICs, most likely will need to go with 10.0 or higher, which requires constant updates/patches since it's new release. On Sat, Feb 14, 2015 at 11:31 AM, BPNoC Group <bpnoc.lists@gmail.com> wrote:
On Fri, Feb 13, 2015 at 6:45 PM, Rafael Possamai <rafael@gav.ufsc.br> wrote:
I am a huge fan of FreeBSD, but for a medium/large business I'd definitely use a fairly well tested security appliance like Cisco's ASA.
Or maybe Juniper, Cisco's Ironport, IPSO?
They are all FreeBSD based, big and large critical networks ready.
FreeBSD's ipfw codebase exists for longer than most commercial products you somehow believe to be more mature. So, FreeBSD's firewalling code at least, as well tested as commercial vendors products.
Depending on the traffic you have on your fiber uplink, you can get a redundant pair of ASAs running for less than $2,000 in the US.
For this traffic rate the best part on a commercial product is just irrelevant: good specifics hardware. Whatever can be done with a USD 2K Cisco based solution can be done on cheap low capacity x86 hardware with FreeBSD.
I just find it less stressful to use a solution like ASA rather than worrying about patching your kernel every so often and worrying about possible vulns in the ipfw/pf codes.
One does not need to svn update, build kernel, build world if he does not want to. It's just a matter of adding freebsd-update to crontab (or having you own manual updating cycle in place).
That, and you have to make sure EVERYTHING is taken into account when you create your rules, which requires some intense knowledge on either ipfw, pf or both.
Another point I am completely inclined to disagree.
My team is made up of junior level, trainees, to +20yr experience professionals.
There is absolutely no relevant learning curve for someone who has configured a Cisco or Juniper firewall to a PF or IPFW firewall. If the guys comes from a Linux background he finds ridiculously simple to have a PF firewall up and running, after all for someone used to that weird iptables syntax and semantics, a firewall where rules are linear and natural syntax are a piece of cake.
For new professionals, they quickly learn PF/IPFW better than Linux or Fortigate which is another product we also have in place (heterogenous / mixed team and technologies here).
The tool is just the tool, it should a matter of what the tool can or can not do, but not a matter on how to use it. Cisco ASA and PF are completely different animals, sure, but learning 'em from scratch or coming from other animals like Linux or Fortigate is straightforward.
While products like fortigate have a nice GUI interface, it's just limited and low productive. My team tendo to configura fortinet on CLI, and guess what? Fortinet team are usually joked by BSD team when they see someone using Fortinet cli.
It just takes 5 times more to configure several "edit" blocks, creating objects, putting it all together to have a simple firewall rule in the end, when the BSD guys do a one line rule with macros and tables sorted all for equivalent "object" advantages. Nobody cares for GUI in my team, but if a fancy GUI is required they send pfSense screenshots for the Fortinet guys just to keep the making fun...
I strongly believe in the idea that open source has it's place and commercial products have their place on different scenarios and requirements. And in this scenario Mr Andy is asking about, IMO there's no reason not to go with open source BSD.
Specially because he seems already familiar with FreeBSD.
I am not an expert in intrusion detection, so with regards to that, I'd
just setup a honeypot and monitor activity. You can also regularly run penetration tests on your own network and see how well you are protected. Just make sure the appropriate people know about these tests so you don't get wrongfully reported.
Not the same thing, same goal or same results.
Rafael
On Fri, Feb 13, 2015 at 11:40 AM, Andy Ringsmuth <andy@newslink.com> wrote:
NANOG'ers,
I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company.
We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes.
Initially, what do people recommend for:
1. Crash course in intrusion detection as a whole 2. Suggestions or recommendations for intrusion detection hardware or software 3. Other things I'm likely overlooking
Thank you all in advance for your wisdom.
---- Andy Ringsmuth andy@newslink.com News Link – Manager Technology & Facilities 2201 Winthrop Rd., Lincoln, NE 68502-4158 (402) 475-6397 (402) 304-0083 cellular
Hello Andy, I believe you are very good set up the way you are in technology. I see you are surrounded by BSD systems everywhere, on servers, mobile and desktop. And I suggest you keep running FreeBSD for this new security requirement you have. We run FreeBSD as IDS/IPS system on several sites, and pfSense on a couple others. From my experience, we started using Snort, the common path people usually follow, but under certain circumstances, the drop ratio (unprocessed packets) started to raise a lot, and we looked for options. Tried Bro and Suricata and with some help from one of our servers supplier we decided to give Suricata a tuning and special try, and it became our primary option for IDS. Therefore I strongly suggest you start researching around Bro vs Snort vs Suricata and try to reach your conclusions from your own findings. But if you ask me for suggestion, as a long time user for Snort, I deprecated it in favor of Suricata. So my primary suggestion is Suricata + FreeBSD as IDP. Suricata is a very serious Project with very good software provided. We run ServerU networking servers, and they are the vendor who supported us. Usually they offer their own software solution called ProApps, it's a system made on top of FreeBSD which you have full root access etc, a plain old good FreeBSD system, but with nice auto update features and a helpful web GUI which allows me to delegate IDS operations to different level of staff operators on my team. They allow using for their ProApps solution on ServerU hardware, so if intend to add new hardware to your project, it might worth a try. I find the tool very powerful and very complete. On pfSense side you have a third party package made by community members, it also has a nice GUI, good deployment practices, but is Snort based. At one special location we needed even more performance for packets capturing, and we added Suricata running in Netmap mode, and it raised performance three times on the same box. So if you are looking for something easy, ready and supported, go for ServerU+ProApps. If you are looking for plain good open source arranged the way want to, you can have just the same with FreeBSD + Suricata & Friends. Should you want to do everything by yourself, FreeBSD + Suricata + Barnyard2 + Sguil + Snortsam is my suggested path way to go, with Richard Beijtlichs' books on your hand for good analysis learning and IDS best common operation practices. And maybe I can be of any help, private mail me if you want to. Regards,
From: andy@newslink.com Subject: Intrusion Detection recommendations Date: Fri, 13 Feb 2015 11:40:06 -0600 To: nanog@nanog.org
NANOG'ers,
I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company.
We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes.
Initially, what do people recommend for:
1. Crash course in intrusion detection as a whole 2. Suggestions or recommendations for intrusion detection hardware or software 3. Other things I'm likely overlooking
Thank you all in advance for your wisdom.
---- Andy Ringsmuth andy@newslink.com News Link – Manager Technology & Facilities 2201 Winthrop Rd., Lincoln, NE 68502-4158 (402) 475-6397 (402) 304-0083 cellular
On Fri, Feb 13, 2015 at 11:40 AM, Andy Ringsmuth <andy@newslink.com> wrote:
NANOG'ers, I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company.
An important thing to realize is that an Intrusion Detection System is not a "product" you can buy. And if your org. is 100 people, you should probably think about engaging some professional security services firms to help, starting with a basic Info. security and physical security audit from an independent third party. An intrusion detection system consists of an infrastructure stack containing vigilant dedicated human beings, devices, various software for instrumenting the network in different ways and analyzing collected data, documentation, business, and security processes within the organization. Without enough of all those pieces, there are plenty of off-the-shelf IPS offerings, BUT using one could very well instill a false sense of security, because you have no idea if the product is actually doing a good job at what it is supposed to do, and not just presenting a "perception" of security mostly by tackling just whatever bugs or malware is appearing in the news headlines of the day. Also, there is the matter of being equipped with suitable analysis and response plans to be prepared for the time that the IDS alarm actually goes off, and to be able to determine if it's actually legitimately a false alarm, something meriting investigation, or if it represents an emergency.
We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc. [snip]
-- -JH
German Shepherd Dogs are wonderful intrusion detection devices. In a lot of cases they also server as excellent intrusion prevention devices as well. (Must be Friday night) :-) --- Theory is when you know everything but nothing works. Practice is when everything works but no one knows why. Sometimes theory and practice are combined: nothing works and no one knows why.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Andy Ringsmuth Sent: Friday, 13 February, 2015 10:40 To: NANOG Subject: Intrusion Detection recommendations
NANOG'ers,
I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company.
We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes.
Initially, what do people recommend for:
1. Crash course in intrusion detection as a whole 2. Suggestions or recommendations for intrusion detection hardware or software 3. Other things I'm likely overlooking
Thank you all in advance for your wisdom.
---- Andy Ringsmuth andy@newslink.com News Link – Manager Technology & Facilities 2201 Winthrop Rd., Lincoln, NE 68502-4158 (402) 475-6397 (402) 304-0083 cellular
I'm not sure if it's been mentioned, but for a business of your size...check out SecurityOnion. It's everything you need in one easy package and it's free. -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Andy Ringsmuth Sent: Friday, February 13, 2015 12:40 PM To: NANOG Subject: Intrusion Detection recommendations NANOG'ers, I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company. We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes. Initially, what do people recommend for: 1. Crash course in intrusion detection as a whole 2. Suggestions or recommendations for intrusion detection hardware or software 3. Other things I'm likely overlooking Thank you all in advance for your wisdom. ---- Andy Ringsmuth andy@newslink.com News Link – Manager Technology & Facilities 2201 Winthrop Rd., Lincoln, NE 68502-4158 (402) 475-6397 (402) 304-0083 cellular The information in this transmission may contain proprietary and non-public information of BB&T or its affiliates and may be subject to protection under the law. The message is intended for the sole use of the individual or entity to which it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited. If you received this message in error, please delete the material from your system without reading the content and notify the sender immediately of the inadvertent transmission.
I now have a few moments to discuss Security Onion, and why it works well for a many small and mid-sided organization. Security Onion is a Linux distro for IDS, NSM, and log management. The whole thing can be run on a single, or separated systems, based on the needs, network and security architecture, and budget. From a IDS sensor standpoint it contains;1. Snort, Suricata – Focused on network-based signature detection, or what I call “the barn door is open, and the horse is gone” detection. This is because someone needs to be compromised, take to time to send out signatures (or purchase them) before you can use them. Great if the attack is against everyone, or a small community of people that will share this information, but not so good if you are the target.2. Bro – Network based packet and protocol classifier, which when configured, preform:a. Internal intelligence analysisb. Full session, Bidirectional net flow analysisc. File extractiond. Network Reconnaissancee. Behavior and statically analysis on the flowf. And much more3. OSSEC – A comprehensive host based intrusion detection system with fine grained application/server specific policies across multiple platforms such as Linux, Solaris, AIX, HP-UX, BSD, Windows, Mac and Vmware ESX. To catch the traffic, you have:1. Sguil: The Analyst Console for Network Security Monitoring2. Squert is a web application that is used to query and view event data stored in a Sguil database (typically IDS alert data). Squert is a visual tool that attempts to provide additional context to events through the use of metadata, time series representations and weighted and logically grouped result sets. The hope is that these views will prompt questions that otherwise may not have been asked.3. Snorby is a ruby on rails web application for network security monitoring that interfaces with current popular intrusion detection systems (Snort, Suricata and Sagan). The basic fundamental concepts behind Snorby are *simplicity*, organization and power. The project goal is to create a free, open source and highly competitive application for network monitoring for both private and enterprise use.4. ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web. Packet Capture and analysis: 1. Xplico is a network forensics analysis tool (NFAT), which is a software that reconstructs the contents of acquisitions performed with a packet sniffer (e.g. Wireshark, tcpdump, Netsniff-ng).2. NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files. The only thing you are missing is a SEIM, which I recommend the ELK stack. This includes:1. elasticsearch - for distributed restful search and analytics2. logstash - manage events and logs - elasticsearch works seamlessly with logstash to collect, parse, index, and search logs3. kibana - visualize logs and time-stamped data - elasticsearch works seamlessly with kibana to let you see and interact with your dataAll of the above items are Open Source, have free and paid training and support, if needed. One can save millions of dollars and get the newest capabilities. Contact me off list if you have questions. Disclosure: I do not sell these products, but I use them. Joe Klein "Inveniam viam aut faciam" On Fri, Feb 13, 2015 at 12:40 PM, Andy Ringsmuth <andy@newslink.com> wrote:
NANOG'ers,
I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company.
We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes.
Initially, what do people recommend for:
1. Crash course in intrusion detection as a whole 2. Suggestions or recommendations for intrusion detection hardware or software 3. Other things I'm likely overlooking
Thank you all in advance for your wisdom.
---- Andy Ringsmuth andy@newslink.com News Link – Manager Technology & Facilities 2201 Winthrop Rd., Lincoln, NE 68502-4158 (402) 475-6397 (402) 304-0083 cellular
participants (17)
-
Andy Ringsmuth -
BPNoC Group -
Darden, Patrick -
J. Oquendo -
Jimmy Hess -
Joe Klein -
Justin M. Streiner -
Keith Medcalf -
Matthew Petach -
Mel Beckman -
Owen DeLong -
Rafael Possamai -
Rich Kulawiec -
Richo Healey -
Scavotto, Brian -
Valdis.Kletnieks@vt.edu -
Warsaw LATAM Operations Group