Use Case: Exploring NBTSTAT for Hostname and Domain Collection
- Pavan Raja
- Apr 9
Summary:
This document outlines a method for detecting unauthorized devices accessing a company's VPN by analyzing network information gathered through the use of specific scripts and tools. The process involves using two main components:
1. **VPN_Login_NBTSTAT.pl**: A Perl script designed to run on Windows machines, which takes a username and IP address as inputs. It pings the IP address; if successful, it performs an NBTSTAT command to retrieve the hostname and domain (i.e., Active Directory domain) of the machine. The results are then sent via Syslog to an ArcSight connector for further processing.
2. **arcsight_nbtstat.subagent.sdkrfilereader.properties**: This is a custom parser that should be loaded into a Syslog Daemon connector in ArcSight. It captures and logs the details of successful connections, including username, IP address, MAC address, hostname, and domain name.
Additionally, there is a third file:
- **arcsight_nbtstat_error.subagent.sdkrfilereader.properties**: This parser captures all error output from the Perl script mentioned above, together with the details of the connection attempt that failed.
Both parsers are crucial in detecting unauthorized access: the Active Directory domain reported by NBTSTAT is compared with a pre-approved list of company domains so that only authorized devices are treated as trusted. The scripts and properties files must be adapted to the local environment (connector addresses, list names, domain names) before they will integrate with the existing ArcSight and VPN infrastructure.
The provided information outlines a system for managing and monitoring access to a VPN through a Cisco ASA device, using Perl scripts and the NBTSTAT NetBIOS name resolution tool. Here's a summary of the key components:
1. **Error Handling**: The error parser captures every error the Perl script reports during execution, including "Could Not Ping" and "Could Not perform NBTSTAT". These errors are crucial for identifying issues in network connectivity and configuration.
2. **ARB File and Active Lists**: The ArcSight resource bundle `VPN_Access_-_Perform NBTSTAT.arb` contains rules and active lists to track user access to the VPN. This includes:
- A list of valid domains (`/All Active Lists/Personal/admin/AD – Approve Domains`) that are allowed on the network.
- An active list for users whose hostnames could not be resolved by NBTSTAT (`/All Active Lists/Personal/admin/VPN ASA – VPN Login NBT Failed to collect Hostname`).
- An active list for users whose hostname, MAC address, and domain were successfully resolved via NBTSTAT (`/All Active Lists/Personal/admin/VPN ASA – NetBIOS Info of VPN Remote User collected via NBTSTAT`).
3. **Rules**: These are defined in the ARB file to automate specific actions based on events:
- The rule `/All Rules/Personal/admin/VPN ASA – Collect NetBIOS Host Info when internal IP assigned` triggers the Perl script when a user is assigned an internal IP address, ensuring that NBTSTAT information is collected.
- The rule `/All Rules/Personal/admin/VPN ASA – VPN Login NBT Failed to collect Hostname` captures events where NBTSTAT fails to resolve NetBIOS info, adding the details to the active list for failed hostname collection.
- The rule `/All Rules/Personal/admin/VPN ASA – VPN Login NBTSTAT Results` triggers when NBTSTAT successfully resolves the information, and this data is added to the active list tracking users with resolved NetBIOS details.
- Finally, the rule `/All Rules/Personal/admin/VPN ASA – VPN Login from host not in approved domains` matches events where the script returns a domain that is not in the approved domain list, which might indicate unauthorized access or a configuration issue.
This system provides a comprehensive framework for monitoring and managing network access through a VPN, ensuring compliance with security policies and facilitating efficient troubleshooting of connectivity problems.
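As an added example (not the post's Perl script or its ArcSight content), the following Python mirrors the pipeline described above end to end: it parses `nbtstat -A` output into hostname, domain and MAC address, builds the syslog line the script would emit on success or on either of the two error paths, and applies the rule logic from the ARB file (failed-collection list, results list, approved-domain check). The nbtstat output, usernames, IP addresses and the syslog line layout are constructed assumptions; the real script's message format and the `sdkrfilereader` regexes are not shown on the page.

```python
import re

# Constructed sample of `nbtstat -A <ip>` output from a host that answered
# the adapter-status query (not captured from a real network).
NBTSTAT_OK = """\
Local Area Connection:
Node IpAddress: [10.10.1.7] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WKSTN-042      <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    WKSTN-042      <20>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered

    MAC Address = 00-1A-2B-3C-4D-5E
"""

# Constructed sample for a host that did not answer (no name table at all).
NBTSTAT_FAIL = "Local Area Connection:\nNode IpAddress: [10.10.1.7] Scope Id: []\n\n    Host not found.\n"

# One row of the remote name table: NAME <suffix> UNIQUE|GROUP Registered
NAME_ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+Registered", re.M)
MAC_ROW = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

# Assumed syslog layouts; the post does not show the script's real output format.
OK_FMT = "VPN_NBTSTAT user={user} ip={ip} mac={mac} host={host} domain={domain}"
ERR_FMT = "VPN_NBTSTAT_ERROR user={user} ip={ip} error={error}"
OK_MSG = re.compile(r"VPN_NBTSTAT user=(\S+) ip=(\S+) mac=(\S+) host=(\S+) domain=(\S+)")
ERR_MSG = re.compile(r"VPN_NBTSTAT_ERROR user=(\S+) ip=(\S+) error=(.+)")


def parse_nbtstat(text):
    """Extract hostname (<00> UNIQUE), domain/workgroup (<00> GROUP) and MAC
    from `nbtstat -A` output. Returns None when no name table is present."""
    rows = NAME_ROW.findall(text)
    if not rows:
        return None
    host = next((n for n, suf, typ in rows if suf.upper() == "00" and typ == "UNIQUE"), None)
    domain = next((n for n, suf, typ in rows if suf.upper() == "00" and typ == "GROUP"), None)
    mac = MAC_ROW.search(text)
    return {"host": host, "domain": domain, "mac": mac.group(1).upper() if mac else None}


def script_message(user, ip, ping_ok, nbtstat_output):
    """Script side: ping first, then nbtstat; emit exactly one syslog line either way."""
    if not ping_ok:
        return ERR_FMT.format(user=user, ip=ip, error="Could Not Ping")
    info = parse_nbtstat(nbtstat_output)
    if info is None or info["host"] is None:
        return ERR_FMT.format(user=user, ip=ip, error="Could Not perform NBTSTAT")
    return OK_FMT.format(user=user, ip=ip, mac=info["mac"],
                         host=info["host"], domain=info["domain"] or "-")


def evaluate(message, approved_domains):
    """Rule side: return the names of the post's rules this message would match.
    approved_domains stands in for the 'AD - Approved Domains' active list;
    matching is case-insensitive because NetBIOS names are upper-cased on the wire."""
    approved = {d.upper() for d in approved_domains}
    if ERR_MSG.search(message):
        return ["VPN Login NBTSTAT Failed to collect Hostname"]
    m = OK_MSG.search(message)
    if not m:
        return ["unparsed"]
    _user, _ip, _mac, _host, domain = m.groups()
    fired = ["VPN Login NBTSTAT Results"]       # success always lands in the results list
    if domain.upper() not in approved:          # then the alerting rule on top
        fired.append("VPN Login from host not in approved domains")
    return fired


if __name__ == "__main__":
    for ping_ok, out in ((True, NBTSTAT_OK), (True, NBTSTAT_FAIL), (False, "")):
        line = script_message("jdoe", "10.10.1.7", ping_ok, out)
        print(line, "->", evaluate(line, ["CORP"]))
```

A domain of `-` (host answered but registered no `<00>` GROUP name, as a workgroup-less device would) deliberately falls through to the not-in-approved-domains rule, which is the conservative outcome the post's design wants for an unknown device.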
Details:
**Use Case Summary:**
The use case focuses on enhancing security for VPN users of Cisco ASAs, with the goal of preventing unauthorized access and data breaches. The scenario involves employees or potential malicious actors using PCF files, which contain the shared key and profile information, to configure VPN connections on untrusted devices, potentially leading to unauthorized access.
**Objective:**
The primary objective is to ensure the integrity of the VPN connection by verifying that only trusted devices are granted access to the corporate network. This involves collecting remote host information (via NBTSTAT) from users connecting through Cisco ASAs and using the collected data to decide whether the device is trusted.
**Solution Description:**
**VPN Configuration:** The use case is applicable to companies using Cisco ASA for VPN software, particularly in scenarios where employees or unauthorized parties might try to circumvent security measures by moving a PCF file containing sensitive information from an authorized device to an unauthorized one.
**Security Measures:** To mitigate these risks, the solution deploys scripts and configurations that automatically collect, via NBTSTAT, NetBIOS information about the remote host whenever a user logs into the VPN. This data is then compared against the list of approved domains or devices maintained by the IT department.
**Implementation Details:**
**Scripts and Configurations:** The primary tools include:
- `VPN_Login_NBTSTAT.pl`: A Perl script used to gather information about remote hosts using NBTSTAT during VPN login attempts.
- Configuration files for the ArcSight Subagent SDK, including `arcsight_nbtstat.subagent.sdkrfilereader.properties` and `arcsight_nbtstat_error.subagent.sdkrfilereader.properties`, to parse and log the collected NetBIOS information.
**Policies and Rules:** Specific rules are set up in the system to:
- Collect NetBIOS host info only when an internal IP is assigned during VPN login.
- Deny access if NBTSTAT collection fails or if the hostname does not match approved domains from the AD (Active Directory) list.
- Alert and log any failed attempts or unauthorized connections based on the information collected via NBTSTAT.
**Advantages:**
- Enhances security by providing real-time visibility into VPN user devices, ensuring that only trusted devices are granted access to corporate networks.
- Proactive measures against potential data breaches due to stolen PCF files and unauthorized configurations of Cisco VPN clients.
This use case highlights the importance of maintaining strict control over shared keys and profile information used for VPN connections, emphasizing the need for continuous monitoring and automated response mechanisms to safeguard sensitive company data.
The last rule fires when the domain value returned by the script does not match any entry in the "AD - Approved Domains" active list. When it activates, it serves as a warning sign of a potential security breach or unauthorized access attempt.