Encryption Tidbits, and Snort

CS 493/693 Lecture, Dr. Lawlor, 2006/02/27

Linux has built-in support for turning files into encrypted "block devices", which can be mounted as encrypted filesystems or used as encrypted swap space. Even with real encryption algorithms like AES, they can read and write at over 10MB/s, which is fast enough not to interfere with everyday use. The only downside of encrypted filesystems is that they're only secure while they're closed: while they're mounted, they're totally open to any attacker with root access. They're hence better insurance against hardware theft than against network attacks.
# Turn off swap (for paranoia's sake)
swapoff -a

# 2.4 kernel optional install
modprobe cryptoapi
modprobe cipher-aes

# 2.6 kernel standard ciphers, in /lib/modules/*/kernel/crypto
modprobe cryptoloop
modprobe aes

# Make a file full of zeros.  This file will store our encrypted data.
dd if=/dev/zero of=crypt.dat bs=1000k count=1

# Make an encrypted block device /dev/loop1 from the file.
losetup -e AES128 /dev/loop1 crypt.dat 
#  You've got to enter a 20+ character "passphrase" here.
#  Entering the wrong passphrase just gives you garbage data, with no error!

# Make a filesystem on the block device (only needed the first time!)
mke2fs -m 0 /dev/loop1
# Mount the new encrypted block device
mkdir mnt
mount /dev/loop1 mnt/

# Unmount filesystem
umount mnt/
# Turn off encryption.  The crypt.dat file is now closed.
losetup -d /dev/loop1
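As an added example (my own shell helpers, not part of the lecture), the script below wraps the procedure above so that the "closed = secure, mounted = exposed" point is easy to enforce: it can list which loop-backed volumes are still open, check the passphrase length before losetup asks for it, and register an EXIT trap so the volume is closed again even if the shell dies. The device, file and mount point names follow the lecture; the function names and the sample /proc/mounts text are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the lecture): small helpers around the loop-AES
# procedure. /dev/loop1, crypt.dat and mnt/ follow the lecture; the function
# names are my own. open_crypt/close_crypt need root and the modules loaded.

# loop_mounts: given the text of /proc/mounts, print "device mountpoint"
# for every filesystem backed by a loop device. Each one is an encrypted
# volume that is currently open, i.e. readable by anyone with root.
loop_mounts() {
    printf '%s\n' "$1" | awk '$1 ~ /^\/dev\/loop[0-9]+$/ { print $1, $2 }'
}

# count_loop_mounts: how many loop-backed filesystems are open right now
count_loop_mounts() {
    loop_mounts "$1" | wc -l | tr -d ' '
}

# passphrase_ok: losetup -e AES128 wants a passphrase of at least 20 characters
passphrase_ok() {
    [ "${#1}" -ge 20 ]
}

# close_crypt DEV MNT: unmount and detach, so the backing file is sealed again
close_crypt() {
    umount "$2" && losetup -d "$1"
}

# open_crypt DEV FILE MNT: attach the encrypted loop device and mount it.
# The EXIT trap closes the volume again when the shell ends for any reason,
# so the file is not left open (and exposed) by accident.
open_crypt() {
    losetup -e AES128 "$1" "$2" || return 1
    mkdir -p "$3"
    mount "$1" "$3" || { losetup -d "$1"; return 1; }
    trap "close_crypt '$1' '$3'" EXIT
}

# Constructed sample of /proc/mounts with one encrypted volume still open
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
proc /proc proc rw 0 0
/dev/loop1 /home/student/mnt ext2 rw 0 0'

# "sh crypt-helpers.sh --check" warns if anything encrypted is still mounted
# on the live system; "--demo" runs the same listing over the sample above.
case "${1:-}" in
    --check) n=$(count_loop_mounts "$(cat /proc/mounts)")
             [ "$n" -eq 0 ] || {
                 echo "WARNING: $n encrypted volume(s) still open:"
                 loop_mounts "$(cat /proc/mounts)"
             } ;;
    --demo)  loop_mounts "$SAMPLE_MOUNTS" ;;
esac
```

Run the `--check` form from a logout hook or before walking away from the machine: an open volume is exactly as safe as root access to the box, so the useful state to detect is "still mounted", not "file exists".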

Snort!

A very cool program that we'll be using for quite a while is Snort, a highly scriptable packet sniffer. Snort can be used at several levels of increasing complexity, from simple packet capture up to a full intrusion detection system. Snort is undoubtedly the most popular free Intrusion Detection System (IDS) that exists today. LBNL's Bro is also free and a bit more flexible. You can also pay large quantities of money and get cool hardware, nice GUIs, and big prebuilt rulesets from Cisco, Symantec, and a variety of other companies.