Thursday, May 14, 2009

Tips For Budding Packet Jockeys

If you are interested in becoming a packet jockey, i.e. getting into the Network Security side of IT Security, there are a lot of things you'll need to learn to do your job properly.
I started in this field coming over in IT from the desktop support side, so I didn't have a lot of networking or scripting experience. To make things even more interesting, there were NO IT security folks at the time. I was the first and not only learned by OTJ training, I determined what that job was and gave myself the training!

If I were to list what I think someone interested in getting into NetSec could look at learning, based on my past experience and what I learned after I DID get some real training, I'd suggest the list below.

1. Linux - Although a lot of network security tools have been ported over to Windows, a whole lot more have not and most of them run much better on Linux anyway.
If you are going to do serious intrusion analysis, you're going to have to learn Linux. In following posts I'll suggest some ways to learn each of the items I list if training through a company isn't an option (or you haven't landed a job yet).

2. tcpdump - There are more elaborate tools one can use, like Wireshark, but to learn packet analysis you need a tool that doesn't do all the decoding for you. Once you are familiar with all the protocol headers and start to learn what is normal and what is anomalous, Wireshark and commercial tools can decode just about any protocol you'll see. I still use tcpdump 99% of the time because I can easily filter it and script it to parse the packets as they are captured.

3. Snort - If you want to do IDS, learning to set up, maintain and use Snort will help with just about any other one you'll encounter. Once you have a Snort install loaded and start looking at alerts, you'll soon learn to determine what are false positives, what is normal traffic that can be filtered and what needs your attention. And it's a never-ending process as new attacks are released and the Bad Guys learn new ways to breach your defenses. Also, learning to write Snort signatures will really help you learn how to analyze packets, as you find out what needs to be looked at and where in the packet it lives.

4. Logs - Once you begin looking at packets, you'll need to learn to correlate them with logging from network devices and servers. A central syslog server will allow the aggregation of logs from different devices. To familiarize yourself, working with an open source tool like swatch is helpful. There are newer, better tools, but using swatch will help you learn to install from source and use simple regular expressions to filter.

5. Parsing tools - Packet sniffing tools record a LOT of packets. Using BPF (Berkeley Packet Filter) expressions with tcpdump will help a lot to narrow down what you need to see, but you'll need further filtering to refine your results or logs for analysis or to share with others. awk and sed can help a lot to pull out relevant parts of your packet data. Learning some shell scripting or, better yet, a little bit of Perl will allow you to write scripts to run your data through and find EOIs (Events of Interest).
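To make items 2, 4 and 5 concrete, here is an added example of the kind of pipeline the post is talking about. It is not code from the original post; it is a POSIX sh script that runs tcpdump-style text through awk to flag a SYN scanner, pulls failed-login sources out of sshd syslog lines with a sed back-reference (the sort of expression a swatch watchfor rule would use), and then correlates the two. The tcpdump lines and syslog lines are constructed to look like real output, not captured from a real network, and the threshold, host names and addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Only POSIX sh, awk, sed and grep
# are used so it runs anywhere without a capture interface or root.

# Constructed tcpdump text (the shape of what
#   tcpdump -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
# prints for IPv4, apart from the non-SYN lines kept here on purpose).
# Host 10.0.0.9 probes many ports on 192.168.1.10; 10.0.0.5 is normal traffic.
SAMPLE_TCPDUMP='13:01:02.100000 IP 10.0.0.5.44321 > 192.168.1.10.22: Flags [S], seq 1000, win 64240, length 0
13:01:02.100500 IP 192.168.1.10.22 > 10.0.0.5.44321: Flags [S.], seq 2000, ack 1001, win 65160, length 0
13:01:02.101000 IP 10.0.0.5.44321 > 192.168.1.10.22: Flags [.], ack 1, win 502, length 0
13:01:03.000000 IP 10.0.0.9.50001 > 192.168.1.10.22: Flags [S], seq 1, win 1024, length 0
13:01:03.000100 IP 10.0.0.9.50002 > 192.168.1.10.23: Flags [S], seq 1, win 1024, length 0
13:01:03.000200 IP 10.0.0.9.50003 > 192.168.1.10.25: Flags [S], seq 1, win 1024, length 0
13:01:03.000300 IP 10.0.0.9.50004 > 192.168.1.10.80: Flags [S], seq 1, win 1024, length 0
13:01:03.000400 IP 10.0.0.9.50005 > 192.168.1.10.110: Flags [S], seq 1, win 1024, length 0
13:01:03.000500 IP 10.0.0.9.50006 > 192.168.1.10.443: Flags [S], seq 1, win 1024, length 0
13:01:03.000600 IP 10.0.0.9.50007 > 192.168.1.10.443: Flags [S], seq 2, win 1024, length 0
13:01:04.000000 IP 10.0.0.5.44322 > 192.168.1.20.80: Flags [S], seq 5, win 64240, length 0
13:01:04.000100 IP 192.168.1.10.443 > 10.0.0.9.50006: Flags [R.], seq 0, ack 2, win 0, length 0'

# Constructed sshd syslog lines from an assumed central syslog server.
SAMPLE_SYSLOG='May 14 13:01:05 web01 sshd[2211]: Failed password for invalid user admin from 10.0.0.9 port 50100 ssh2
May 14 13:01:06 web01 sshd[2211]: Failed password for invalid user admin from 10.0.0.9 port 50101 ssh2
May 14 13:01:07 web01 sshd[2214]: Accepted publickey for alice from 10.0.0.5 port 44400 ssh2'

# Read tcpdump lines on stdin; print "src_ip count" for each source that sent
# SYN-only segments to at least $1 distinct destination host:port pairs.
# tcpdump fields: $1 time, $2 "IP", $3 src.port, $4 ">", $5 "dst.port:", $7 flags.
# IPv4 only ($2 == "IP"); IPv6 lines say "IP6" and use a different notation.
find_syn_scanners() {
    awk -v thr="$1" '
        $2 == "IP" && $7 == "[S]," {
            split($3, a, ".")                  # a[1..4] address, a[5] source port
            src = a[1] "." a[2] "." a[3] "." a[4]
            key = src SUBSEP $5                # $5 is "host.port:", one target
            if (!(key in seen)) { seen[key] = 1; targets[src]++ }
        }
        END { for (s in targets) if (targets[s] >= thr) print s, targets[s] }
    ' | sort
}

# Read syslog lines on stdin; print "ip count" of failed SSH logins per source.
failed_login_sources() {
    sed -n 's/.*sshd\[[0-9]*\]: Failed password .* from \([0-9.]*\) port .*/\1/p' |
    awk '{ c[$1]++ } END { for (ip in c) print ip, c[ip] }' | sort
}

# Read syslog lines on stdin; print how many mention the given source address.
# grep -c exits 1 when the count is 0, so keep the pipeline alive with || true.
syslog_hits() {
    grep -Fc "from $1 " || true
}

# Tie it together: every scanner found in the packets is looked up in the logs.
report() {
    printf '%s\n' "$SAMPLE_TCPDUMP" | find_syn_scanners 5 |
    while read -r ip n; do
        hits=$(printf '%s\n' "$SAMPLE_SYSLOG" | syslog_hits "$ip")
        echo "EOI: $ip sent SYNs to $n distinct targets; $hits syslog lines mention it"
    done
}

report
```

The threshold of five distinct targets is an assumption chosen for the sample; on a real network you would tune it, and you would feed `find_syn_scanners` from `tcpdump -nn -l ... | find_syn_scanners 20` (the `-l` makes tcpdump line-buffer its output so the awk sees packets as they are captured) rather than from a fixed string.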
