SCNS - Tactical Perimeter Defense
Warren Peterson
Warren Peterson is the President of Security Certified Program, LLC and the founder of the Security Certified Program. Mr. Peterson regularly delivers standing-room-only security presentations for government and corporate clients on subjects ranging from general security to the threats of cyber terrorism. Mr. Peterson is an accomplished and experienced teacher who holds many industry certifications. His training methods have earned him the utmost respect and recognition from both his students and his peers. Even many years after courses have ended, many of Mr. Peterson's students from around the world stay in touch with him. Mr. Peterson has developed instructional curriculum for customized courses, such as courses for Microsoft, Cisco, CompTIA, and various security programs. In addition to writing for magazines such as Certification Magazine, he is the lead author for the Security Certified Program courses, including: Network Security Fundamentals, Hardening the Infrastructure, Network Defense and Countermeasures, Tactical Perimeter Defense, Strategic Infrastructure Security, Advanced Security Implementation, and Enterprise Security Solutions.

Mr. Peterson includes the following personal thanks: Thank you to my wife, Carin; you and our girls give me constant support, and I thank you for your devotion. You remind me daily why teaching is so important. I love you deeply, and look forward to seeing you again now that this writing phase is over! Thank you to Waleed; you have been the foundation behind more positive change than I can describe, and knowing you and working with you has been a true pleasure. Thanks to Gene, for your trusted advice and mentoring; to Mark, for your passion and enthusiasm (go have another coffee!); to Tracy, for your loyalty and friendship, which are unmatched; to Joe, for your professionalism, and desire for the best; to Dave, for always being there, even early in the morning. And, thanks to Charles, Shrinath, and Robert, time has moved us apart, but you have each made an impression on me, and I thank you for that.
ACKNOWLEDGEMENTS
Project Team
Curriculum and Technical Writers: Warren Peterson and Clay Scott
Copy Editor: Carin Peterson
Reviewing Editor: Sandy Castle-Rhoads
Technical Editor: Tracy Richter
Quality Assurance Analyst: David Young
Graphic Designer: Mark Patrick
Project Support
Development Assistance: Ben Tchoubineh
NOTICES
DISCLAIMER: While Security Certified Program LLC takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy, and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Any name used in the data files for this course is that of a fictitious company. Any resemblance to current or future companies is purely coincidental. We do not believe we have used anyone's name in creating this course, but if we have, please notify us and we will change the name in the next revision of the course. Security Certified Program LLC is an independent developer of courseware and certification programs for individuals, businesses, educational institutions, and government agencies. Use of screenshots, photographs of another entity's products, or another entity's product name or service in this book is for editorial purposes only. No such use should be construed to imply sponsorship or endorsement of the book by, nor any affiliation of such entity with, Security Certified Program LLC. This courseware may contain links to sites on the Internet that are owned and operated by third parties (the "External Sites"). Security Certified Program LLC is not responsible for the availability of, or the content located on or through, any External Site. Please contact Security Certified Program LLC if you have any concerns regarding such links or External Sites.

TRADEMARK NOTICES: The Security Certified Program, SCP, SCNS, SCNP, and SCNA are trademarks of The Security Certified Program, LLC in the U.S. and other countries; The Security Certified Program, SCP, SCNS, SCNP, products and services discussed or described may be trademarks of The Security Certified Program, LLC. All other product names and services used throughout this book may be common law or registered trademarks of their respective proprietors.

Copyright 2007 Security Certified Program, LLC. All rights reserved. Screenshots used for illustrative purposes are the property of the software proprietor. This publication or any part thereof may not be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, storage in an information retrieval system, or otherwise, without express written permission of Security Certified Program LLC, 825 West State Street, Suite 204, Geneva, Illinois 60134, USA. (630) 208-5030. Security Certified Program LLC's World Wide Web site is located at: www.SecurityCertified.Net. This book conveys no rights in the software or other products about which it was written; all use or licensing of such software or other products is the responsibility of the user according to terms and conditions of the owner. Do not make illegal copies of books or software. If you believe that this book, related materials, or any other Security Certified Program LLC materials are being reproduced or transmitted without permission, please call 1-630-208-5030.
CONTENT OVERVIEW

CONTENTS
About This Course . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii Course Setup Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii How To Use This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xl
Topic 1B
Topic 1C
Objectives of Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authentication Tokens. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 1C-1 Describing the Challenge Response Token Process . . . . . . . . .
Topic 1D
The Impact of Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intrusion Detection Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Auditing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 1D-1 Describing the Problems of Additional Layers of Security . . . . .
Topic 1E
iv Tactical Perimeter Defense
Security Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Audit Trails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Handling and Preserving Audit Data. . . . . . . . . . . . . . . . . . . . . . . . . . . Legal Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 1E-1 Describing Network Auditing . . . . . . . . . . . . . . . . . . . . . . . Lesson Review 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
24 25 25 25 26 27
CONTENTS
Topic 2B
Analyzing the Three-way Handshake . . . . . . . . . . . . . . . . . . . Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 2B-1 Using Network Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . Wireshark. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 2B-2 Installing and Starting Wireshark . . . . . . . . . . . . . . . . . . . . Wireshark Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 2B-3 Using Wireshark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . TCP Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 2B-4 Analyzing the Three-way Handshake . . . . . . . . . . . . . . . . . . The Session Teardown Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 2B-5 Analyzing the Session Teardown Process . . . . . . . . . . . . . . . .
Capturing and Identifying IP Datagrams . . . . . . . . . . . . . . . . 65 Task 2C-1 Capturing and Identifying IP Datagrams . . . . . . . . . . . . . . . . 67 Capturing and Identifying ICMP Messages. . . . . . . . . . . . . . . 68 Task 2D-1 Capturing and Identifying ICMP Messages . . . . . . . . . . . . . . . 69 Capturing and Identifying TCP Headers . . . . . . . . . . . . . . . . . 70 Task 2E-1 Capturing and Identifying TCP Headers. . . . . . . . . . . . . . . . . 72 Capturing and Identifying UDP Headers . . . . . . . . . . . . . . . . 73 Task 2F-1 Working with UDP Headers . . . . . . . . . . . . . . . . . . . . . . . . . 73 Analyzing Packet Fragmentation. . . . . . . . . . . . . . . . . . . . . . . 74 Task 2G-1 Analyzing Fragmentation . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Contents v
CONTENTS
Topic 2H
Analyzing an Entire Session . . . . . . . . . . . . . . . . . . . . . . . . . . Task 2H-1 Performing a Complete ICMP Session Analysis . . . . . . . . . . . . Continuing the Complete Session Analysis . . . . . . . . . . . . . . . . . . . . . . Task 2H-2 Performing a Complete FTP Session Analysis . . . . . . . . . . . . . Lesson Review 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
76 76 79 80 92
Topic 3B
Routing Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108 The ARP Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 LAN-to-LAN Routing Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 LAN-to-WAN Routing Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 Task 3B-1 Performing IP and MAC Analysis . . . . . . . . . . . . . . . . . . . . . 113 The Routing Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Static and Dynamic Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Comparing Routed Protocols and Routing Protocols . . . . . . . . . . . . . . 119 The Routing Protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 RIP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Task 3B-2 Viewing a RIP Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 RIPv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 Task 3B-3 Viewing a RIPv2 Capture . . . . . . . . . . . . . . . . . . . . . . . . . . 127 Removing Protocols and Services . . . . . . . . . . . . . . . . . . . . . .128 CDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 Task 3C-1 Turning Off CDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 Task 3C-2 Hardening ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 Source Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 Small Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 Finger . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 Remaining Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 Task 3C-3 Removing Unneeded Services . . . . . . . . . . . . . . . . . . . . . . . 133 AutoSecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Topic 3C
vi
Topic 3D
Creating Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . .134 Access Control List Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 The Access List Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 The Wildcard Mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 Task 3D-1 Creating Wildcard Masks . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Implementing Access Control Lists . . . . . . . . . . . . . . . . . . . .138 Defending Against Attacks with ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . 142 Task 3E-1 Creating Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . 144 Context-based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
CONTENTS
Topic 3E
Topic 3F
Logging Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145 Configuring Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 Task 3F-1 Configuring Buffered Logging . . . . . . . . . . . . . . . . . . . . . . . 149 ACL Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 Task 3F-2 Configuring Anti-spoofing Logging . . . . . . . . . . . . . . . . . . . 151 Lesson Review 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Topic 4B Topic 4C
Rule Sets and Packet Filters . . . . . . . . . . . . . . . . . . . . . . . . . .168 Stateless and Stateful Packet Inspection . . . . . . . . . . . . . . . . . . . . . . . 172 How Attackers Get Around Packet Filters . . . . . . . . . . . . . . . . . . . . . . . 175 Task 4C-1 Firewall Rule Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Topic 4D
Proxy Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176 Proxy Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Proxy Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Proxy Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Task 4D-1 Diagram the Proxy Process . . . . . . . . . . . . . . . . . . . . . . . . . 179
Topic 4E Topic 4F
The Bastion Host. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180 An Attack on the Bastion Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 Task 4E-1 Describing a Bastion Host . . . . . . . . . . . . . . . . . . . . . . . . . 182 The Honeypot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182 What is a Honeypot? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 Goals of the Honeypot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Contents vii
CONTENTS
Legal Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Task 4F-1 Honeypot Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Lesson Review 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Topic 5B
viii
Configuring ISA Server Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 Task 5B-16 Working with Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 Task 5B-17 Working with Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 ISA Server 2006 Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 Task 5B-18 Configuring Logging Options . . . . . . . . . . . . . . . . . . . . . . . 262 Additional Configuration Options for ISA Server 2006 . . . . . . . . . . . . . 265 Task 5B-19 Securing ISA Server 2006 with the Security Configuration Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Packet Prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Task 5B-20 Configuring Packet Prioritization. . . . . . . . . . . . . . . . . . . . . 268 Uninstalling ISA Server 2006 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 Task 5B-21 Uninstalling ISA Server 2006 . . . . . . . . . . . . . . . . . . . . . . . 270
CONTENTS
Topic 5C
IPTables Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271 Firewalling in Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 The Flow of the Chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 The iptables Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 Chain Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278 Rule Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 Rule Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 Other Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 Rule Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281 Creating a Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 Deleting a Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 Flushing a Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 Checking for Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 Negating Values. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283 Defining a Target. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 Complex Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 Configuring Masquerading. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285 Task 5C-1 Working with Chain Management . 
. . . . . . . . . . . . . . . . . . . 288
Topic 5D
Topic 6B
CONTENTS
Task 6B-1 Examining the MMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 IPSec Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306 Task 6B-2 Identifying Default IPSec Security Policies . . . . . . . . . . . . . . 306 Saving the Customized MMC Configuration . . . . . . . . . . . . . . . . . . . . . 307 Task 6B-3 Saving a Customized MMC . . . . . . . . . . . . . . . . . . . . . . . . . 307 The Secure Server (Require Security) Policy . . . . . . . . . . . . . . . . . . . . . 307 Task 6B-4 Examining Security Methods. . . . . . . . . . . . . . . . . . . . . . . . 308 The Rules Tab for the Secure Server (Require Security) Policy. . . . . . . 309 Task 6B-5 Examining Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Topic 6C
IPSec AH Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . .312 Creating Custom IPSec Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312 Task 6C-1 Creating the 1_REQUEST_AH(md5)_only Policy . . . . . . . . . . . 315 Editing Authentication Method Policies . . . . . . . . . . . . . . . . . . . . . . . . 317 Task 6C-2 Editing the 1_REQUEST_AH(md5)_only Policy . . . . . . . . . . . . 318 Setting Up the Computers Response . . . . . . . . . . . . . . . . . . . . . . . . . . 318 Task 6C-3 Configuring the Policy Response . . . . . . . . . . . . . . . . . . . . . 320 Configuring AH in Both Directions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321 Task 6C-4 Configuring the Second Computer . . . . . . . . . . . . . . . . . . . . 321 Configuring FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322 Task 6C-5 Setting Up the FTP Process . . . . . . . . . . . . . . . . . . . . . . . . 322 Implementing the IPSec Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 Task 6C-6 Implementing the 1_REQUEST_AH(md5)_only Policy. . . . . . . . 324 Request-only Session Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324 Task 6C-7 Analyzing the Request-only Session. . . . . . . . . . . . . . . . . . . 325 Implementing a Request-and-Respond Policy . . . . . . . . . . . . . . . . . . . 325 Task 6C-8 Configuring a Request-and-Respond IPSec Session . . . . . . . . . 325 Request-and-Respond Session Analysis . . . . . . . . . . . . . . . . . . . . . . . . 326 Task 6C-9 Analyzing the Request-and-Respond Session . . . . . . . . . . . . . 326 Combining AH and ESP in IPSec . . . . . . . . . . . . . . . . . . . . . . .327 Task 6D-1 Creating the 5_REQUEST_AH(md5)+ESP(des) IPSec Policy and the Response Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327 Configuring the IPSec Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
329 Task 6D-2 Creating the 5_RESPOND_AH(md5)+ESP(des) IPSec Policy . . . . 330 AH and ESP IPSec Session Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . 331 Task 6D-3 Configuring and Analyzing an IPSec Session Using AH and ESP . 331 Configuring All the Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333 Task 6D-4 Implementing the 7_REQUIRE_AH(sha)+ESP(sha+3des) Policy . 333 Configuring the AH-and-ESP IPSec Response Policy. . . . . . . . . . . . . . . 335 Task 6D-5 Implementing the 7_RESPOND_AH(sha)+ESP(sha+3des) Policy . 335 Implementing the Full IPSec Session . . . . . . . . . . . . . . . . . . . . . . . . . . 336 Task 6D-6 Implementing and Analyzing an AH(sha) and ESP(sha+3des) IPSec Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336 VPN Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337 VPN Business Drivers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338 VPN Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Topic 6D
Topic 6E
x Tactical Perimeter Defense
VPN Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 Tunneling and Security Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341 Task 6E-1 Defining Tunneling Protocols . . . . . . . . . . . . . . . . . . . . . . . 341
CONTENTS
Topic 6F
Tunneling Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341 Point-to-Point Tunneling Protocol (PPTP) . . . . . . . . . . . . . . . . . . . . . . 342 Layer 2 Tunneling Protocol (L2TP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343 IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344 IPSec Tunnel and Transport Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346 IPSec and Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . 346 Task 6F-1 Assigning Tunneling Protocols . . . . . . . . . . . . . . . . . . . . . . 347 VPN Design and Architecture. . . . . . . . . . . . . . . . . . . . . . . . . .348 VPN Implementation Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 Task 6G-1 Examining VPN-related RFCs . . . . . . . . . . . . . . . . . . . . . . . . 349 VPN Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350 VPNs and Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 VPN Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352 Task 6H-1 Viewing Firewall-related RFCs . . . . . . . . . . . . . . . . . . . . . . . 353
Topic 6G Topic 6H
Topic 6I
Configuring a VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .354 Task 6I-1 Configuring the VPN Server . . . . . . . . . . . . . . . . . . . . . . . . 354 VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359 Task 6I-2 Configuring VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . 359 Establishing the VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361 Task 6I-3 Establish the VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362 Returning the Classroom Setup to its Original State . . . . . . . . . . . . . . 364 Task 6I-4 Restoring the Classroom Setup . . . . . . . . . . . . . . . . . . . . . . 364 Lesson Review 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Topic 7B
Technologies and Techniques of Intrusion Detection . . . . . .377 The Intrusion Detection Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378 Behavioral Use. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379 Information Collection and Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . 382 Task 7B-1 Discussing IDS Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Contents
xi
CONTENTS
Topic 7C
Host-based Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . .384 Host-based IDS Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 Centralized Host-based IDS Design. . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 Distributed Host-based IDS Design. . . . . . . . . . . . . . . . . . . . . . . . . . . . 386 Task 7C-1 Describing Centralized Host-based Intrusion Detection . . . . . . 387 Network-based Intrusion Detection . . . . . . . . . . . . . . . . . . . .387 Network-based IDS Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388 Traditional Network-based IDS Design . . . . . . . . . . . . . . . . . . . . . . . . . 388 Distributed Network-based IDS Design. . . . . . . . . . . . . . . . . . . . . . . . . 389 Task 7D-1 Discussing Sensor Placement . . . . . . . . . . . . . . . . . . . . . . . 390 The Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391 When to Analyze . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391 Interval Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391 Real-time Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391 How to Analyze . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 Signature Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 An Example Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 Statistical Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393 Task 7E-1 Discussing Data Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Topic 7D
Topic 7E
Topic 7F
How to Use an IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394 Detection of Outside Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394 Detection of Inside Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396 Anticipation of Attack Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397 Surveillance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397 Task 7F-1 Discussing Intrusion Detection Uses . . . . . . . . . . . . . . . . . . 397 What an IDS Cannot Do . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .398 Provide the Magic Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398 Manage Hardware Failures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398 Investigate an Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398 100 Percent Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399 Task 7G-1 Discussing Incident Investigation . . . . . . . . . . . . . . . . . . . . 399 Lesson Review 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Topic 7G
Topic 8B
xii Tactical Perimeter Defense
Task 8B-2 Initial Snort Configuration . . . . . . . . . . . . . . . . . . . . . . . . 408 Using Snort as a Packet Sniffer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Task 8B-3 Capturing Packets with Snort . . . . . . . . . . . . . . . . . . . . . . . 411 Task 8B-4 Capturing Packet Data with Snort . . . . . . . . . . . . . . . . . . . . 413 Task 8B-5 Logging with Snort. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
CONTENTS
Topic 8C
Snort as an IDS . . . 415
  It's All in the Rules . . . 416
  Snort Rule IDs . . . 420
  Task 8C-1 Creating a Simple Ruleset . . . 421
  Task 8C-2 Testing the Ruleset . . . 421
  More Rule Options . . . 422
  Pre-configured Rules . . . 425
  Task 8C-3 Examining Pre-configured Rules . . . 426
  Examine Denial of Service Rules . . . 426
  Task 8C-4 Examining DDoS Rules . . . 427
  Examine Backdoor Rules . . . 427
  Task 8C-5 Examining Backdoor Rules . . . 427
  Examine Web Attack Rules . . . 428
  Task 8C-6 Examining Web Attack Rules . . . 428
  Examine Web IIS Rules . . . 429
  Task 8C-7 Examining IIS Rules . . . 429
Topic 8D
Configuring Snort to Use a Database . . . 430
  Snort Output Plug-ins . . . 430
  Configure Snort to Use a Database . . . 430
  Task 8D-1 Editing Snort.Conf . . . 431
  Installing MySQL for Snort . . . 431
  Task 8D-2 Installing MySQL . . . 431
  Task 8D-3 Creating the Snort Database . . . 432
  MySQL User Accounts . . . 433
  Task 8D-4 Creating MySQL User Accounts . . . 433
  Snort to Database Connectivity . . . 433
  Task 8D-5 Testing the New Configuration . . . 434
  Snort as a Service . . . 434
  Task 8D-6 Configuring Snort as a Service . . . 434
Topic 8E
Running an IDS on Linux . . . 435
  LAMP On SuSe . . . 435
  Task 8E-1 Installing LAMP Components . . . 436
  Apache and PHP . . . 436
  Task 8E-2 Apache and PHP Test . . . 437
  Enable Snort on Linux . . . 438
  Task 8E-3 Configure Snort on Linux . . . 438
  Configuring MySQL on Linux . . . 438
  Task 8E-4 Configuring MySQL for Snort . . . 439
  Connecting Snort to a Database . . . 439
Contents xiii
CONTENTS
  Task 8E-5 Testing Snort Connectivity to the Database . . . 440
  Installing ADOdb and BASE . . . 440
  Task 8E-6 Downloading ADOdb and BASE . . . 441
  Task 8E-7 Installing ADOdb and BASE . . . 441
  Configuring BASE . . . 442
  Task 8E-8 Configuring BASE . . . 442
  Task 8E-9 Configuring the Firewall to Allow HTTP . . . 443
  Generating Snort Events . . . 443
  Task 8E-10 Generating Portscan Snort Events . . . 443
  Task 8E-11 Generating Web Snort Events . . . 444
  Lesson Review 8 . . . 446
Topic 9B
Wireless LAN (WLAN) Fundamentals . . . 465
  Association . . . 466
  Authentication . . . 466
  WLAN Topologies . . . 466
  Lesson Configuration . . . 468
  Prepare for the Ad-hoc Network . . . 468
  Task 9B-1 Installing the Linksys WPC54G WNIC . . . 469
  Configure the Second WNIC . . . 471
  Task 9B-2 Installing the Netgear WPN511 . . . 471
  Enable the Ad-Hoc Network . . . 474
  Task 9B-3 Enabling the Ad-Hoc Network . . . 474
  802.11 Framing . . . 476
  Access Point Configuration . . . 482
  Task 9B-4 Installing the Linksys WAP54G Access Point . . . 482
  Configure the Infrastructure Clients . . . 485
  Task 9B-5 Configuring the Linksys Client . . . 485
  Adding Infrastructure Network Clients . . . 487
  Task 9B-6 Configuring the Netgear Client . . . 487
  WLAN Threats . . . 488
Topic 9C
Wireless Security Solutions . . . 490
  Wireless Transport Layer Security (WTLS) . . . 491
  Fundamental Access Point Security . . . 493
  Wired Equivalent Privacy (WEP) . . . 494
  Configure WEP . . . 501
  Task 9C-1 Installing the Netgear WPN824 Access Point . . . 502
  Establishing the WEP Network . . . 504
  Task 9C-2 Configuring WEP on the Network Client . . . 505
  Temporal Key Integrity Protocol (TKIP) . . . 506
  Extensible Authentication Protocol (EAP) . . . 506
  Wi-Fi Protected Access (WPA) . . . 507
  Configure WPA2 . . . 509
  Task 9C-3 Configure WPA2 on the Access Point . . . 509
  Supplicants . . . 509
  Task 9C-4 Configuring WPA2 on the Network Client . . . 510
  802.1x . . . 512
Topic 9D
Wireless Auditing . . . 512
  Wireshark . . . 513
  NetStumbler . . . 513
  Task 9D-1 Installing NetStumbler . . . 514
  Identify Wireless Networks . . . 514
  Task 9D-2 Identifying Wireless Networks . . . 515
  OmniPeek Personal . . . 515
  Task 9D-3 Installing OmniPeek Personal . . . 516
  WildPackets Drivers . . . 517
  OmniPeek Personal Captures . . . 517
  Task 9D-4 Viewing OmniPeek Personal Captures . . . 517
  Live Captures . . . 521
  Task 9D-5 Viewing Live OmniPeek Personal Captures . . . 521
  Non-802.11 Packets . . . 522
  Task 9D-6 Analyze Upper Layer Traffic . . . 522
  Decode WEP . . . 523
  Task 9D-7 Decrypting WEP . . . 523
  Aircrack . . . 526
  WEPCrack . . . 527
  AirSnort . . . 527
  Ekahau . . . 527
  Kismet . . . 527
Topic 9E
Wireless Trusted Networks . . . 528
  802.1x and EAP . . . 528
  EAP Types . . . 529
  Lightweight EAP (LEAP) . . . 529
  EAP with Transport Layer Security (EAP-TLS) . . . 530
  EAP with Tunneled Transport Layer Security (EAP-TTLS) . . . 531
  Protected EAP (PEAP) . . . 531
  EAP Type Comparison . . . 532
  Wireless Trusted Network Summary . . . 533
  Task 9E-1 Choosing a Wireless Trusted Network . . . 533
  Lesson Review 9 . . . 534
Glossary . . . 537
Index . . . 543
The Security Certified Program Certification Path

What is SCNS?
The SCNS (Security Certified Network Specialist) is the SCP's core certification. The primary focus is on the defense of the perimeter. This certification covers the core security technologies used in defending today's business environments, including the following: Network Defense Fundamentals, Advanced TCP/IP, Router Security and Access Control Lists, Designing & Configuring Firewalls, Configuring Virtual Private Networks, Designing & Configuring Intrusion Detection Systems, and Securing Wireless Networks.

What kind of experience do I need before I go for my SCNS?
Before you begin the SCNS certification track, it is recommended that, at a minimum, you attain CompTIA's Security+ certification or have equivalent training with hands-on experience. The SCNS training and certification build on concepts and skills covered in the Security+ certification.
xviii Tactical Perimeter Defense
How do I become SCNS certified?
The SCNS certification is comprised of one exam, titled Tactical Perimeter Defense (TPD). To become SCNS certified, candidates must complete this exam with a passing score. The TPD exam uses exam number SC0-451. It is strongly recommended that candidates study this official courseware extensively, and implement the hands-on tasks repeatedly, before taking the exams.

What are exams like?
The exams are multiple-answer, often scenario-based tests. The TPD exam has 60 questions and the candidate has 90 minutes to complete the exam. At the time of this publication, the exam breakdown was as follows:

Examination Domain                                             Percentage
1.0 Network Defense Fundamentals                               5%
2.0 Hardening Routers and Access Control Lists                 10%
3.0 Implementing IPSec and Virtual Private Networks            10%
4.0 Advanced TCP/IP                                            15%
5.0 Securing Wireless Networks                                 15%
6.0 Designing and Configuring Intrusion Detection Systems      20%
7.0 Designing and Configuring Firewall Systems                 25%
Note that SCP exams are updated regularly to reflect changes in the network security industry. It is strongly recommended that potential candidates review the exam objectives at www.securitycertified.net/certifications.htm

How do I take the exams?
The SCP exams are available at any Prometric or VUE Testing center in over 7,400 locations around the world. There are several ways to register for SCP exams. To register for SCP exams over the Internet, visit Prometric at www.prometric.com/SCP or VUE at www.vue.com/scp/ and create an account with the vendor of your choice (if you don't already have one). For International Exam Registration, please check with your preferred vendor's Web site for more information.

During the exam:
Read questions carefully. Don't jump to any conclusions! Skip questions that you are unsure of, and come back to them at the end. If you have time remaining, you will be given the opportunity to review your answers. Be sure to do so, and make sure you didn't make any obvious mistakes. If you come back to a question and are not sure about an answer, remember that your first hunch is more often correct than your second-choice answer (after overanalyzing the question)! Be sure to answer all questions; unanswered questions count against your score, so if you don't have an answer, try to eliminate any options that you know are wrong and make a best guess from whatever remains.
On your exam day, try to arrive 15 minutes early so you do not feel rushed or stressed by being late. This will also give you a few minutes to review any notes before beginning your exam. However, as the SCP exams are closed-book, notes or calculators may not be brought into the testing station and will have to be left with the facility's faculty.

Will my certificate expire?
Yes. As technologies in the security field are constantly changing, your SCNS certificate will be valid for two years starting on the date you pass the Tactical Perimeter Defense exam. Candidates who have received their SCNS credential will need to retake the TPD exam before their SCNS certification expires. Candidates who are recertifying will be able to do so at a discounted exam rate. For more information on the current SCNS re-certification exam rate please email [email protected].

What if I want to go further?
After you have become SCNS-certified you will have the option of furthering your skills by moving on to the next level of SCP certification, the Security Certified Network Professional (SCNP) certificate. The Security Certified Network Professional (SCNP) certification is focused on infrastructure technologies. SCNP builds upon the security concepts and technologies covered in Tactical Perimeter Defense (TPD). The SCNP course, Strategic Infrastructure Security (SIS), covers several critical areas: Cryptography, Operating System Security (Windows 2003 and SuSe Linux), Attack Techniques, Internet and WWW Security, Risk Analysis, Security Policy Creation, and Analysis of Intrusion Signatures. To become a Security Certified Network Professional (SCNP), candidates must successfully pass one exam and hold a current Security Certified Network Specialist (SCNS) certification.

Security Certified Program's third certification is Security Certified Network Architect (SCNA). SCNA deals with more advanced security skills and concepts. Many enterprises are trying to integrate Digital Signatures, Digital Certificates, and Biometric and Smart Card Authentication systems into their infrastructures. These technologies are vital for businesses as they look to integrate their partners and suppliers into their business structures and provide real-time information and services to their customers. SCNA is about the fundamentals of building a trusted network, strong authentication techniques, encryption, biometrics, smart cards, and network forensics. SCNA includes two courses, Advanced Security Implementation (ASI) and Enterprise Security Solutions (ESS). Each course is a 40-hour program, and the content and hands-on labs are structured to develop the skills required by today's top security experts. To become a Security Certified Network Architect (SCNA), candidates must pass two exams. The first is Enterprise Security Implementation (ESI), which covers the concepts and lab work covered in both the ASI and ESS courses, and the second is The Solutions Exam (TSE), which will cover all facets of technologies covered in all of the SCP courses.

How do I prepare for the exam?
The TPD exam will require that you be familiar with many technologies and utilities that are covered in this book. Further, the test was authored with the
intention that people who have not become familiar with the technologies and utilities covered will not find it as easy to pass the exam as those who have used the program and technologies in question. What does all this mean? It means that you really should use the utilities and programs that are covered here, rather than just read about them. You should become very familiar with all of the tasks in this book. If possible, create a home lab with at least two machines, and practice, repeatedly, the hands-on tasks in this book. Even using what you learned to help secure your own home network from hosts on the Internet will help you prepare for the exam.

Studying for the exam:
1. Read the book from start to finish, completing all the tasks, even if you are familiar with the technology in question. You never know when some new facet of a technology or program may be brought up; many of the lessons build upon the previous ones, and it is easy to miss something if you skip around.
2. Be sure to complete all hands-on tasks. Again, the SCP exams are based on knowledge and hands-on experience! Once you have completed a task, do it again until you are very comfortable with that task.
3. Be sure to answer Topic Review questions within each lesson. Make note of the questions you answered incorrectly and study the appropriate sections again.
4. Before taking the SCP exams, it is recommended that you take the practice exams available through MeasureUp. More information on officially recommended practice exams is available at: www.securitycertified.net/practice_tests.htm.

But perhaps the best way to make sure that you reach your goal is to register for the exam and stick to the date you set forth. Nothing keeps you on your toes and working toward a goal like a deadline! Honestly measure your skills, make your study schedule, and set the date that you will be ready to take the exam and register for it.

Practice exams
The only provider of practice exams authorized and recommended by the creators of the SCP is MeasureUp. For more information visit www.securitycertified.net/practice_tests.htm.

Contact Information
The Security Certified Program
US: 800-869-0025
International: 630-208-5030
Email: [email protected]
Website: www.SecurityCertified.Net
Course Prerequisites
To ensure your success, we recommend that you have CompTIA's Security+ certification, or have equivalent experience. This course assumes that the reader has fundamental working knowledge of networking concepts, and foundational security knowledge.
Course Objectives
When you're done working your way through this course, you'll be able to:
- Describe the core issues of building a perimeter network defense system.
- Investigate the advanced concepts of the TCP/IP protocol suite.
- Secure routers through hardening techniques and configure Access Control Lists.
- Design and configure multiple firewall technologies.
- Examine and implement IPSec and Virtual Private Networks.
- Design and configure an Intrusion Detection System.
- Secure wireless networks through the use of encryption systems.
- Instructor machine, same configuration as student machines.
- Three Cisco routers, 2500 Series preferred (used from a reseller is fine), running IOS 12.2 or greater, with IPSec/SSH support.
- One Cisco console cable.
- Two serial cables, DCE to DTE, for connecting routers.
- Three switches/hubs, 10/100 Mbps.
- The firewall lesson will require Microsoft ISA Server 2006. This must be downloaded as a 180-day trial from Microsoft, or full ISA Server software must be provided for students.
- During the VPN lesson, machines designated as VPN servers will require two NICs. The NICs can be either integrated or non-integrated.
- During the VPN lesson, the instructor machine will need to be running the FTP Service. You may enable the service during your initial setup, or during the VPN lesson, as you prefer.

For class preparation, you will need the following tools. Note, where the tools are available as per open source licensing, they have been included on the course CD-ROM; all other tools should be downloaded and put in the correct folder. All these tools should be copied to the C:\Tools or /Tools directories on your Windows and Linux systems accordingly. The tools are listed in lesson order (Lessons 2, 3, 5, 6, 8, and 9).

Tool                                  Download Source
WinPcap_4_0.exe                       SCNS Book CD
wireshark-setup-0.99.5.exe            SCNS Book CD
tftp.cap                              SCNS Book CD
fragment.cap                          SCNS Book CD
ping.text                             SCNS Book CD
ping.cap                              SCNS Book CD
ftp.txt                               SCNS Book CD
ftp.cap                               SCNS Book CD
puTTY.exe                             SCNS Book CD
ping_arp.mac.cap                      SCNS Book CD
rip.update.cap                        SCNS Book CD
ripv2withAuthentication.cap           SCNS Book CD
ISA Server 2006                       www.microsoft.com/isaserver/prodinfo/default.mspx
ISAScwHlpPack.exe                     SCNS Book CD
rfc-index.wri                         SCNS Book CD
rfc2547.txt                           SCNS Book CD
rfc2979.txt                           SCNS Book CD
Snort_2_6_1_2_Installer               SCNS Book CD
Snort Rules                           SCNS Book CD
mysql-essential-5.0.27-win32          SCNS Book CD
adodb493a.tgz                         SCNS Book CD
base-1.2.7.tar.gz                     SCNS Book CD
WildPackets_OmniPeek_Personal41       www.omnipeek.com/downloads.php
dotnetfx.exe                          SCNS Book CD
NetStumbler                           SCNS Book CD
In this course, there are several wireless components utilized. Each training location can decide if they wish to acquire this equipment or use the content as the learning source. The equipment used in this lesson is:
- Two laptops running Windows XP.
- One Linksys WPC54G NIC and associated set-up CD-ROM.
- One Netgear WPN511 NIC and associated set-up CD-ROM.
- One Linksys WAP54G access point and associated set-up CD-ROM.
- One Netgear WPN824 access point and associated set-up CD-ROM.
Class Requirements
In order for the class to run properly, perform the procedures described below. Before you begin actually setting up the class, here are some recommendations for the classroom configuration and hardware preparation.
Classroom Configuration
The following graphic shows the recommended classroom configuration. Use this figure in conjunction with the IP addressing and naming schemes described in the following section.
Part of Classroom   Windows Name   Linux Name   IP Address    Default Gateway
LEFT                WIN-L01        LIN-L01      172.16.10.1   172.16.0.1
LEFT                WIN-L02        LIN-L02      172.16.10.2   172.16.0.1
LEFT                WIN-L03        LIN-L03      172.16.10.3   172.16.0.1
RIGHT               WIN-R01        LIN-R01      172.18.10.1   172.18.0.1
RIGHT               WIN-R02        LIN-R02      172.18.10.2   172.18.0.1
RIGHT               WIN-R03        LIN-R03      172.18.10.3   172.18.0.1
CENTER              WIN-C01        LIN-C01      172.17.10.1   172.17.0.1
10. Windows Server 2003 will continue installation independently. You will be able to see the approximate time it will take to complete installation on the left side of your screen.
11. Windows Server 2003 will install devices independently. The screen may flash, or flicker, for several seconds during this process.
12. For Regional And Language Options, select your settings, and then click Next.
13. In the Personalize Your Settings screen, in the Name text box, type TEST; in the Organization text box, type SCP; and click Next.
14. When prompted, enter the product key and click Next.
About This Course xxv
15. In the Licensing Modes screen, select the Per Device Or Per User radio button, and then click Next.
16. In the Computer Name dialog box, type WIN-XXX (replace XXX with your seat number, or as your instructor defines). The Administrator Password should be left blank; then click Next.
17. If the password is left blank, a screen will appear to confirm that you wish to leave the password blank; click Yes. (Note, the password is left blank for running the class; you would always have a password in a production environment.)
18. In the Date And Time Settings screen, select your time zone, set the date and time, and click Next.
19. Windows 2003 will begin installing network configurations.
20. In the Windows Server 2003 Setup Network Settings screen, select Typical Settings. Click Next.
21. In the Windows Server 2003 Setup Workgroup or Computer Domain screen, select Workgroup and then click Next.
22. Windows Server 2003 will finalize installation and reboot the computer independently.
23. After the system reboots, press Ctrl+Alt+Delete.
24. In the Log On To Windows screen, type Administrator and leave the password blank. Click OK.
25. The Personalized Setting will finalize independently.
26. When prompted, insert the Windows Server 2003 disc 2 into the CD-ROM drive and click OK.
27. In the Windows Server 2003 R2 Setup Wizard screen, click Next when prompted. (Note, do not check the box to create a desktop shortcut.)
28. In the Setup Summary screen, click Next to copy the files.
29. Windows Server 2003 will update your system independently.
30. In the Completing Windows Server 2003 R2 Setup screen, click Finish.
31. In the Windows Server Post-Setup Security Updates screen, click Finish.
32. When the Windows Server 2003 Post-Setup Security Updates screen appears, click Yes to close this dialog box.
33. Ensure that the Don't Display This Page At Logon check box is not checked.
34. Close the Manage Your Server window.
35. Choose Start > Control Panel > Network Connections > Local Area Connection.
36. Select TCP/IP and click Properties.
37. Select the Use The Following IP Address radio button.
38. In the IP Address text box type 172.X.X.X (your instructor will inform you what to enter in the last three octets based on your seat number). On the left side, your IP will be 172.16.x.x and on the right side, your IP will be 172.18.x.x.
39. In the Subnet Mask text box, type 255.255.0.0
40. In the Default Gateway text box, type 172.16.0.1 if you are on the left side and type 172.18.0.1 if you are on the right side (if you are unsure, ask your instructor which side you are on).
41. In the Preferred DNS Server text box, type 127.0.0.1 and click OK twice.
42. If you receive the Pop-Up Warning, click Yes.
43. Close the Local Area Connection Properties screen.
10. Remove the Windows 2003 Server disc from your CD-ROM drive.
10. Read the prompt about formatting your partitions, then click Install.
11. While the files are loading, you can watch the progress bar on the right side of the screen. This will note the approximate time remaining to finish the installation. (Note: Based on your system, this may take many minutes.)
12. When the files have finished loading, your system may reboot. Remove the disc from the DVD-ROM drive. If you do not remove the disc, the system will re-enter install mode.
13. At the boot loader, select the SUSE Linux Enterprise Server 10 line, and press Enter. The install process will continue.
14. Enter LIN-XXX as your Hostname. Replace XXX with your seat number in the class. For example, LIN-L01 or LIN-R03.
15. Enter SCPXXX as your Domain Name. Replace XXX to match your seat number in the class as in the previous step. For example, SCPL01 or SCPR03.
16. Once the Hostname and Domain name are entered, click Next.
17. Enter QWERTY1 as the password, and confirm the password in the second text box. Click Next.
18. The Network Configuration screen will take a moment as Linux determines your system configuration. Once complete, click Network Interfaces to edit the settings on your NIC.
19. To manually configure your NIC, click the Edit button.
20. With the Address tab active, select the Static Address Setup radio button.
21. In the IP Address text box, type 172.x.x.x (your instructor will inform you what to enter in the last three octets; it is based on your seat in the classroom. If you are on the left side, this will be 172.16.x.x, and if you are on the right side, this will be 172.18.x.x.)
22. Change the subnet mask to 255.255.0.0, and then click the Routing button.
23. In the Default Gateway text box, type 172.16.0.1 if you are on the left side of the network, and type 172.18.0.1 if you are on the right side of the network. If you are unsure, please ask your instructor prior to entering any DG addresses.
24. Once the Default Gateway address is entered, click OK, and then click Next.
25. At the Network Card Configuration Overview, verify your IP Address and Subnet Mask, and then click Next.
26. At the Network Configuration screen, click Next. Networking services will now be installed and configured.
27. Select the No, Skip This Test radio button, and click Next.
28. Accept the default CA Management Installation Settings, and click Next.
29. Accept the default Authentication Method Of Local (/etc/passwd), and click Next.
30. In the New Local User screen, enter the following information:
    User's Full Name: SCP Test User
    Username: test1
    Password: 1test
    Confirm Password: 1test
    Click Next.
31. The system will now perform clean up of the installation. Read through the Release Notes, and then click Next.
32. Accept the default Hardware Configuration as it is detected, and click Next. If your system does not properly detect your hardware, you will need to locate the correct Linux drivers for your hardware. This setup guide does not include non-detected hardware environments.
33. The final setup files will be configured. Once done, you will see the Installation Completed screen. Click Finish to exit the Setup and log in to Linux.
34. After the files load, you will be at the login prompt. Enter root as the Username, and press Enter.
35. Enter QWERTY1 as the password, and press Enter. The default files will load, and you will now be logged into SUSE Linux Enterprise 10.
The detailed configuration procedures are listed here in three main categories:
- Physical configuration
- Router setup
- Access list configuration
1. Study the class setup diagram provided in Classroom Configuration.
2. Physically connect the three routers to each other, using serial crossover cables, so that the router designated as CENTER controls the clock rate. To do this, connect the DCE end of the serial cable to the serial interfaces on the CENTER router and the DTE ends to the LEFT's and RIGHT's appropriate serial interfaces.
3. Connect the Ethernet interface on the CENTER router to the instructor machine via a crossover Ethernet cable.
4. Connect the Ethernet interfaces on the LEFT and RIGHT routers to their respective hubs serving their side of the classroom.
7. Answer no to all setup questions.
8. When the Router> prompt is displayed, enter enable to switch to enable mode. The Router# prompt should now be displayed.
9. Once you are in enable mode, you can view and change the password, and you can erase the config. To view the password, enter show config at the Router# prompt.
10. To change the password, from the Router# prompt:
    a. Enter config mem to copy NVRAM to mem.
    b. Enter wr term
    c. Enter config term to enter config mode. The Router(config)# prompt is now displayed.
    d. If an enable secret password is set, enter enable secret newpassword, or if there is no enable secret password, enter enable password newpassword, where newpassword is the new password you want to use.
    e. To exit config mode press Ctrl+Z. The Router# prompt is now displayed.
    f. Enter write mem to commit the changes to mem.
    You should now be able to console in and configure the router.
11. To erase the config, from the Router# prompt:
    a. Enter write erase
    b. Enter config term to enter config mode. The Router(config)# prompt is now displayed.
    c. Enter config-register 0x2102 or whatever the configuration register setting was when you began.
    d. To exit config mode, press Ctrl+Z. The Router# prompt is now displayed.
    e. Enter reload
    f. When you are prompted to save the modified system configuration, enter y
    g. When you are prompted to proceed with the reload, enter y
2.
    d. To enter the host name for [Router], enter CENTER
    e. To enter the enable secret password, enter instructor
    f. To enter the enable password, enter cisco1
    g. To enter the virtual terminal password, enter 2501
    h. To configure SNMP network management, enter n
    i. To configure LAT, enter n
    j. To configure bridging, press Enter to accept the default of No.
    k. To configure AppleTalk, press Enter to accept the default of No.
    l. To configure DECnet, press Enter to accept the default of No.
    n. To configure IGRP routing, enter n
    o. To configure RIP routing, enter y
    p. To configure CLNS, press Enter to accept the default of No.
    q. To configure IPX, press Enter to accept the default of No.
    r. To configure Vines, press Enter to accept the default of No.
    s. To configure XNS, press Enter to accept the default of No.
    t. To configure Apollo, press Enter to accept the default of No.
    u. If you are prompted to configure BRI, select switch type 0.
    v. To configure the Ethernet0 interface, press Enter to accept the default of Yes.
    w. To configure IP on this interface, press Enter to accept the default of Yes.
    x. For the IP address for this interface, enter 172.17.0.1
    y. For the subnet mask for this interface, press Enter to accept the default of 255.255.0.0.
    z. To configure the Serial0 interface, press Enter to accept the default of Yes.
    aa. To configure IP on this interface, press Enter to accept the default of Yes.
    ab. To configure IP unnumbered on this interface, press Enter to accept the default of No.
    ac. For the IP address for this interface, enter 192.168.20.2
    ad. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.
    ae. To configure the Serial1 interface, press Enter to accept the default of Yes.
    af. To configure IP on this interface, press Enter to accept the default of Yes.
    ag. To configure IP unnumbered on this interface, press Enter to accept the default of No.
    ah. For the IP address for this interface, enter 192.168.10.2
    ai. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.
   aj. If you are prompted to configure any other serial interfaces, enter n until a configuration command script is generated, and you are prompted to make a selection regarding the next action.
   ak. To enter your selection, press Enter to accept the default of 2. You should see a message indicating that the router is building the configuration. When the configuration build is complete, an OK message is displayed.
   al. To press RETURN to get started, press Enter. The CENTER> prompt should now be displayed.
3. At the CENTER> prompt, enter en to activate enable mode.
4. When you are prompted for the password, enter instructor and the CENTER# prompt should now be displayed.
5. At the CENTER# prompt, enter conf t to enter config mode. The CENTER(config)# prompt should now be displayed.
6. At the CENTER(config)# prompt:
   a. Enter no ip domain lookup
   b. Enter int s0 and the CENTER(config-if)# prompt should now be displayed.
7. At the CENTER(config-if)# prompt:
   a. Enter no shut
   b. Enter clo ra 4000000
   c. Enter ban 10000000
   d. Enter int s1
   e. Enter no shut
   f. Enter clo ra 4000000
   g. Enter ban 10000000
   h. Enter exit and the CENTER(config)# prompt is now displayed.
8. At the CENTER(config)# prompt:
   a. Enter ip route 0.0.0.0 0.0.0.0 a.b.c.d (note that you must replace a.b.c.d with the gateway used to get out of the network to the Internet).
   b. Enter exit and the CENTER# prompt is now displayed.
9. At the CENTER# prompt:
   a. Enter sh run and you should see a message indicating that the router is building the configuration.
   b. Enter copy ru st
10. When you are prompted for a destination filename, press Enter to accept the default of startup-config. You should again see a message indicating that the router is building the configuration.
2. When you are prompted:
   aa. To configure IP on this interface, press Enter to accept the default of Yes.
   ab. To configure IP unnumbered on this interface, press Enter to accept the default of No.
   ac. For the IP address for this interface, enter 192.168.10.1
   ad. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.
   ae. To configure the Serial1 interface, enter n
   af. If you are prompted to configure any other serial interfaces, enter n until a configuration command script is generated, and you are prompted to make a selection regarding the next action.
   ag. To enter your selection, press Enter to accept the default of 2. You should see a message indicating that the router is building the configuration. When the configuration build is complete, an OK message is displayed.
   ah. To press RETURN to get started, press Enter. The LEFT> prompt should now be displayed.
3. At the LEFT> prompt, enter en to activate enable mode.
4. When you are prompted for the password, enter cisco and the LEFT# prompt should now be displayed.
5. At the LEFT# prompt, enter conf t to enter config mode. The LEFT(config)# prompt should now be displayed.
6. At the LEFT(config)# prompt:
   a. Enter no ip domain lookup
   b. Enter int s0 and the LEFT(config-if)# prompt should now be displayed.
7. At the LEFT(config-if)# prompt:
   a. Enter no shut
   b. Enter ban 10000000
   c. Enter exit and the LEFT(config)# prompt is now displayed.
8. At the LEFT(config)# prompt:
   a. Enter ip route 0.0.0.0 0.0.0.0 192.168.10.2
   b. Enter exit and the LEFT# prompt is now displayed.
9. At the LEFT# prompt:
   a. Enter sh run and you should see a message indicating that the router is building the configuration.
   b. Enter copy ru st
10. When you are prompted for a destination filename, press Enter to accept the default of startup-config. You should again see a message indicating that the router is building the configuration.
1. Boot up the router and console into it. You should be prompted to enter the initial configuration dialog. (If you are not, follow the procedures listed previously in the Before You Start the Router Setup section.)
2. When you are prompted:
   a. To enter the initial configuration dialog, enter y
   b. To enter basic management setup, enter n
   c. As to whether you want to see the current interface summary, press Enter.
   d. To enter the host name for [Router], enter RIGHT
   e. To enter the enable secret password, enter cisco
   f. To enter the enable password, enter cisco1
   g. To enter the virtual terminal password, enter 2501
   h. To configure SNMP network management, enter n
   i. To configure LAT, enter n
   j. To configure bridging, press Enter to accept the default of No.
   k. To configure AppleTalk, press Enter to accept the default of No.
   l. To configure DECnet, press Enter to accept the default of No.
   n. To configure IGRP routing, enter n
   o. To configure RIP routing, enter y
   p. To configure CLNS, press Enter to accept the default of No.
   q. To configure IPX, press Enter to accept the default of No.
   r. To configure Vines, press Enter to accept the default of No.
   s. To configure XNS, press Enter to accept the default of No.
   t. To configure Apollo, press Enter to accept the default of No.
   u. If you are prompted to configure BRI, select switch type 0.
   v. To configure the Ethernet0 interface, press Enter to accept the default of Yes.
   w. To configure IP on this interface, press Enter to accept the default of Yes.
   x. For the IP address for this interface, enter 172.18.0.1
   y. For the subnet mask for this interface, press Enter to accept the default of 255.255.0.0.
   z. To configure the Serial0 interface, enter n
   aa. To configure the Serial1 interface, press Enter to accept the default of Yes.
   ab. To configure IP on this interface, press Enter to accept the default of Yes.
   ac. To configure IP unnumbered on this interface, press Enter to accept the default of No.
   ad. For the IP address for this interface, enter 192.168.20.1
   ae. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.
   af. If you are prompted to configure any other serial interfaces, enter n until a configuration command script is generated, and you are prompted to make a selection regarding the next action.
   ag. To enter your selection, press Enter to accept the default of 2. You should see a message indicating that the router is building the configuration. When the configuration build is complete, an OK message is displayed.
   ah. To press RETURN to get started, press Enter. The RIGHT> prompt should now be displayed.
3. At the RIGHT> prompt, enter en to activate enable mode.
4. When you are prompted for the password, enter cisco and the RIGHT# prompt should now be displayed.
5. At the RIGHT# prompt, enter conf t to enter config mode. The RIGHT(config)# prompt should now be displayed.
6. At the RIGHT(config)# prompt:
   a. Enter no ip domain lookup
   b. Enter int s1 and the RIGHT(config-if)# prompt should now be displayed.
7. At the RIGHT(config-if)# prompt:
   a. Enter no shut
   b. Enter ban 10000000
   c. Enter exit and the RIGHT(config)# prompt is now displayed.
8. At the RIGHT(config)# prompt:
   a. Enter ip route 0.0.0.0 0.0.0.0 192.168.20.2
   b. Enter exit and the RIGHT# prompt is now displayed.
9. At the RIGHT# prompt:
   a. Enter sh run and you should see a message indicating that the router is building the configuration.
   b. Enter copy ru st
10. When you are prompted for a destination filename, press Enter to accept the default of startup-config. You should again see a message indicating that the router is building the configuration.
1. To complete the LEFT Router Access Lists:
   a. At the LEFT# prompt, enter conf t to switch to config mode. The LEFT(config)# prompt is now displayed.
   b. At the LEFT(config)# prompt, enter access-list 123 deny tcp any any eq 25
   c. At the LEFT(config)# prompt, enter access-list 123 permit ip any any
   d. At the LEFT(config)# prompt, enter int S0 to configure the interface. The LEFT(config-if)# prompt is now displayed.
   e. At the LEFT(config-if)# prompt, enter ip access-group 123 in
   f. At the LEFT(config-if)# prompt, press Ctrl+Z to leave config mode. The LEFT# prompt is now displayed.
   g. At the LEFT# prompt, enter copy ru st and save the configuration changes to startup-config.
2. To complete the RIGHT Router Access Lists:
   a. At the RIGHT# prompt, enter conf t to switch to config mode. The RIGHT(config)# prompt is now displayed.
   b. At the RIGHT(config)# prompt, enter access-list 145 deny tcp any any eq 25
   c. At the RIGHT(config)# prompt, enter access-list 145 permit ip any any
   d. At the RIGHT(config)# prompt, enter int S1 to configure the interface. The RIGHT(config-if)# prompt is now displayed.
   e. At the RIGHT(config-if)# prompt, enter ip access-group 145 in
   f. At the RIGHT(config-if)# prompt, press Ctrl+Z to leave config mode. The RIGHT# prompt is now displayed.
   g. At the RIGHT# prompt, enter copy ru st and save the configuration changes to startup-config.
3. To complete the CENTER Router Access Lists:
   a. At the CENTER# prompt, enter conf t to switch to config mode. The CENTER(config)# prompt is now displayed.
   b. At the CENTER(config)# prompt, enter access-list 155 deny tcp any any eq 20
   c. At the CENTER(config)# prompt, enter access-list 155 deny tcp any any eq 21
   d. At the CENTER(config)# prompt, enter access-list 155 permit ip any any
   e. At the CENTER(config)# prompt, enter int S1 to configure the S1 interface. The CENTER(config-if)# prompt is now displayed.
   f. At the CENTER(config-if)# prompt, enter ip access-group 155 in
   g. At the CENTER(config-if)# prompt, enter int S0 to configure the S0 interface.
   h. At the CENTER(config-if)# prompt, enter ip access-group 155 in
   i. At the CENTER(config-if)# prompt, press Ctrl+Z to leave config mode. The CENTER# prompt is now displayed.
   j. At the CENTER# prompt, enter copy ru st and save the configuration changes to startup-config.
4. Test the classroom setup, and troubleshoot as necessary. Once physical connectivity issues have been sorted out, you should be able to ping from one side of the classroom to the other. Specifically, the instructor machine should be able to ping every student machine and vice versa. Student machines on the left side of the classroom should be able to ping student machines on the right side of the classroom and vice versa.
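How the access lists entered in the steps above decide a packet's fate, as an added example that is not part of the course text: a small Python model of IOS extended ACL evaluation run over the classroom lists and constructed sample traffic (the host addresses 172.17.0.10 and 172.18.0.20 are assumed student machines on the LEFT and RIGHT Ethernet segments). It also shows two mistakes the ping test in step 4 would expose: omitting the final permit, and entering the permit before the deny.

```python
"""Cisco IOS numbered extended ACL evaluation, modelled in Python. Added example,
not part of the course text: it parses the access-list lines from the classroom
setup above and applies IOS semantics (first match wins, implicit deny at end)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp

@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    dport: Optional[int]  # only the "eq <port>" operator is modelled

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        # IOS wildcard bits set to 1 mean "don't care": OR them into both sides.
        if (_ip(pkt.src) | self.src_wild) != (self.src_net | self.src_wild):
            return False
        if (_ip(pkt.dst) | self.dst_wild) != (self.dst_net | self.dst_wild):
            return False
        return self.dport is None or pkt.dport == self.dport

def _parse_addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2

def parse_acl(lines: List[str]) -> Dict[int, List[AclEntry]]:
    """Group 'access-list N permit|deny proto src dst [eq port]' lines by number."""
    acls: Dict[int, List[AclEntry]] = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"not an extended access-list entry: {line!r}")
        number, action, proto = int(tok[1]), tok[2], tok[3]
        src_net, src_wild, i = _parse_addr(tok, 4)
        dst_net, dst_wild, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok):  # optional "eq <port>", only meaningful for tcp/udp
            if tok[i] != "eq" or proto not in ("tcp", "udp") or i + 2 != len(tok):
                raise ValueError(f"only 'eq <port>' on tcp/udp is modelled: {line!r}")
            dport = int(tok[i + 1])
        acls.setdefault(number, []).append(
            AclEntry(action, proto, src_net, src_wild, dst_net, dst_wild, dport))
    return acls

def evaluate(entries: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for entry in entries:
        if entry.matches(pkt):
            return entry.action
    return "deny"

# The access lists entered in the classroom setup above (123 on LEFT, 155 on CENTER).
CLASSROOM_ACLS = parse_acl([
    "access-list 123 deny tcp any any eq 25",
    "access-list 123 permit ip any any",
    "access-list 155 deny tcp any any eq 20",
    "access-list 155 deny tcp any any eq 21",
    "access-list 155 permit ip any any",
])
# Constructed sample traffic between a LEFT-side and a RIGHT-side student machine.
SMTP = Packet("tcp", "172.17.0.10", "172.18.0.20", 25)
FTP_CONTROL = Packet("tcp", "172.18.0.20", "172.17.0.10", 21)
PING = Packet("icmp", "172.18.0.20", "172.17.0.10")

def classroom_results() -> Dict[str, str]:
    return {
        "left-smtp": evaluate(CLASSROOM_ACLS[123], SMTP),          # deny
        "left-ping": evaluate(CLASSROOM_ACLS[123], PING),          # permit: the step 4 test
        "center-ftp": evaluate(CLASSROOM_ACLS[155], FTP_CONTROL),  # deny
    }

def acl_pitfalls() -> Dict[str, str]:
    """Two classroom mistakes: omitting the final 'permit ip any any' leaves only the
    implicit deny (the ping test fails); a permit entered before the deny shadows it."""
    no_permit = parse_acl(["access-list 123 deny tcp any any eq 25"])
    swapped = parse_acl(["access-list 123 permit ip any any",
                         "access-list 123 deny tcp any any eq 25"])
    return {"no-permit-ping": evaluate(no_permit[123], PING),  # deny
            "swapped-smtp": evaluate(swapped[123], SMTP)}      # permit
```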
As a Learning Guide
Each lesson covers one broad topic or set of related topics. Lessons are arranged in order of increasing proficiency with Tactical Perimeter Defense; skills you acquire in one lesson are used and developed in subsequent lessons. For this reason, you should work through the lessons in sequence. We organized each lesson into explanatory topics and step-by-step activities. Topics provide the theory you need to master Tactical Perimeter Defense; activities allow you to apply this theory to practical hands-on examples. You get to try out each new skill on a specially prepared sample file. This saves you typing time and allows you to concentrate on the technique at hand. Through the use of sample files, hands-on activities, illustrations that give you feedback at crucial steps, and supporting background information, this book provides you with the foundation and structure to learn about Tactical Perimeter Defense quickly and easily.
As a Review Tool
Any method of instruction is only as effective as the time and effort you are willing to invest in it. For this reason, we encourage you to spend some time reviewing the book's more challenging topics and activities.
As a Reference
You can use the Concepts sections in this book as a first source for definitions of terms, background information on given topics, and summaries of procedures.
LESSON 1
Data Files: none
Lesson Time: 2 hours
Objectives
To define the concepts of defending a modern complex network, you will:
1A Describe the five keys of network security. Given a network scenario, you will describe how the five keys of network security are integrated in a modern operational network.
1B Describe the concepts of defensive technologies in creating a layered defense. Given a network analogy of a fortified castle, you will identify the function of defensive technologies in creating a secure layered defense.
1C Describe the objectives of access control methods. Given a network scenario, you will describe the available access control methods and how they are implemented in the defense of the network.
1D Identify the impact of a layered defense on the performance of the network. Given a network where a layered defensive system has been implemented, you will identify the performance impact of each layer on accessing resources in the network.
1E Define concepts of auditing in a network. Given a network scenario, you will examine the concepts of network auditing, including handling of data and types of audits.
Topic 1A
Network Defense
In today's world, it is getting easier for attackers to infiltrate private networks. They have access to more tools and more powerful computers, and there are more networks to target. Sadly, many organizations simply do not take this threat seriously. They do not see the driving force to create a secure network. They do not see the need to spend money on a defense for their electronic assets. But the need is very real.

Every year, the Computer Security Institute (CSI) and the Federal Bureau of Investigation (FBI) perform a survey of businesses, looking into the financial losses from theft of proprietary information and other losses. Although only a handful of the companies who participate in this survey have estimated their losses, the number has been in the tens to hundreds of millions of dollars. What makes these numbers even more serious is the fact that these are voluntary reports, and only a small number of businesses are involved. Many organizations are not eager, even in an anonymous setting, to disclose any losses due to computer crime. Even so, there is an obvious pattern here. The attacks against networks are getting more serious, with a greater loss to the business world than ever before. Even as organizations start to become more security conscious, the number of attackers grows. Clearly, defense is needed, and it is needed now.

Network systems allow authorized users to access the enterprise's information technology assets quickly through seemingly secure methods. But as remote sites get interconnected with enterprise networks through the Internet using non-dedicated lines, many unauthorized users get connected and have access as well. Users may be naive at times about network security, because the assumption is often made that systems are needed, and are operational, to do their jobs. If they are on, some assume, they are secure. But administrators know that security is a real issue to address and that no assumptions are going to make network security magically happen. They know that carefully planned steps must be taken to build a secure network system environment, where business transactions and support functions can occur within a system built on trust. They should have complete confidence in security.

Network security must become a strategic initiative within the enterprise. It must begin as an integral part of the strategic planning process that leads to strategic action plans, resulting in budgeted tactical projects to initiate and implement network security. The defense of the network starts with the basic security issues all networks must address. These key issues are detailed in upcoming sections.
network: Two or more machines interconnected for communications.
threat: The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest. A potential violation of security.
security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.
network security: Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects. Network security includes providing for data integrity.
availability: Assuring information and communications services will be ready for use when expected.
Assurance is absolutely necessary because without it, the other objectives of security will be difficult to meet. However, assurance cannot be a one-time promise but must be an ongoing effort to be most effective.
Authentication
After controlling who has access, even authorized users must be authenticated to verify and prove their identity. Authentication verifies users to be who they say they are. In data communications, authenticating the sender is necessary to verify that the data came from the right source. The receiver is authenticated as well, to verify that the data is going to the right destination. Public Key Infrastructure (PKI) is one of the best ways to ensure authentication, through digital certificates and digital signatures. The number of factors used to show the identity of the user through authentication, or to prove the identity of the user through strong authentication, determines how effective authentication can be. The three factors are:
- One-factor authentication provides what you know, such as a password or PIN. It is strictly based on recalling a piece of information from one's own memory or from writing it down (but that would defeat the purpose of providing only authorized access to networks based on using a password).
- Two-factor authentication provides what you have in addition to what you know. Examples are a proximity card for door entry or an ATM card with a PIN. An RSA SecurID token used in conjunction with a pass code, or a smart card that may carry all your security credentials in a secure way with a PIN used to access the credentials, are the second factors.
- The third factor, which provides strong authentication, is proving the user's identity, or who you are, by using biometrics. Biometrics uses a physiological characteristic to identify you, such as a fingerprint, retina scan, hand geometry, voice recognition, or iris scan, or behavioral characteristics, such as keystroke recognition or signature recognition. It results in strong authentication, because users not only verify their digital identity through what they know and what they have, but they are proving their physical identity by verifying their biometric characteristics.

authentication: To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.
Confidentiality
Data communications, as well as email, need to be protected for privacy and confidentiality. Network security must provide a secure channel for the transmission of data and email that does not allow eavesdropping by unauthorized users. Data confidentiality ensures the privacy of data on the network system. PKI can provide what is required to ensure the confidentiality and privacy of communications and data transmissions across networks. The following are the four basic types of information or data that require confidentiality:
- Information that reveals technical data or source information. For example, the model number and software version of your firewall should be kept confidential, because divulging them may give a potential attacker or hacker an advantage in exploiting your system.
- Information that may be time dependent. It may only be confidential for a given amount of time, and may not have any significance as private information after that, but until then it must be kept confidential.
- Information that may reveal organizational or systems relationships, whose divulgence may give unauthorized users a channel for social engineering exploits or other opportunities.
- Information that is private and confidential in its own right. Information that may be crucial in the operations of the enterprise and whose divulgence would surely give an attacker an easy exploitation opportunity.
confidentiality: Assuring information will be kept secret, with access limited to appropriate persons.
firewall: A system or combination of systems that enforces a boundary between two or more networks. A gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based Unix box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.
hacker: A person who enjoys exploring the details of computers and how to stretch their capabilities. A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn the necessary minimum.
Integrity
Integrity is a security principle that ensures the continuous accuracy of data and information stored within network systems. Continuity of data integrity is paramount. Data must be kept from unauthorized modification, forgery, or any other form of corruption, whether these result from malicious threats or from accidental corruption. Upon receiving an email or data communication, integrity must be verified to ensure that the message has not been altered, modified, added to, or subtracted from by unauthorized users while in transit. Again, PKI will ensure the integrity of messages through digital certificates and message digests. Integrity has two main objectives:
- Data integrity ensures that the data has not been altered in an unauthorized manner while in transit, during storage, or while being processed.
- System integrity ensures that a system, while performing its intended processes and applications, provides support to authorized users free from unauthorized manipulation.
Non-repudiation
Security must be established to prevent parties in a data transaction from denying their participation after the business transaction has occurred. Through PKI, the sender as well as the receiver are authenticated with regard to their respective identities, and the transaction is given a tamperproof time stamp, to ensure non-repudiation from both parties. This establishes accountability for the transaction itself for all parties involved. The three types of repudiation (or denial) to prevent are:
- Repudiation of origin, by the message creator, who denies ever creating or writing the message itself.
- Repudiation of receipt, by the receiver, who denies ever receiving the message even after receiving it.
- Repudiation of submission, as to the time and date of the actual submission. The time stamp will help in non-repudiation for submission.
non-repudiation: Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender's identity, so that neither can later deny having processed the data.
Malicious threats are intentional in nature and can come from either internal or external users. When unauthorized users make attempts to find vulnerabilities in a network system and find them, they present themselves as a malicious threat trying to get access by whatever means available. A successful unauthorized access event is called an active threat. The malicious threat has now gained unauthorized access into your network and will exploit whatever assets can be accessed. Once accessed, the exploit can manifest itself as a passive or an active threat. As a passive threat, the accessed data is viewed or intercepted but not modified. It does not change the operation or the state of the system.
passive threat: The threat of unauthorized disclosure of information without changing the state of the system. A type of threat that involves the interception, not the alteration, of information.
If the data is intercepted and modied by an unauthorized user, it is said to be an active threat. It may also change the operation of or state of the system itself.
breach: The successful defeat of security controls which could result in a penetration of the system. A violation of controls of a particular information system such that information assets or system components are unduly exposed.
Whether accidental or malicious, the threat can come from either internal or external users, who may be authorized or unauthorized. Surveys have consistently shown that of all respondents who reported a security breach within the past year, close to 60 percent of these breaches were caused by inside users accessing unauthorized resources, and over 40 percent blamed accounts left open after an employee had left the company. Of all respondents, 20 percent reported that their companies were victims of an attempted or successful break-in by an angry former employee. Also, during most economic slowdowns, companies lay off employees in increasing numbers each week. Such breaches will only get worse during these periods. Network security administrators must:
- Realize how to minimize, or mitigate, the effects of current and future threats upon their network.
- Realize what defensive strategies and techniques must be implemented to keep networks secure. This should be done to ensure the privacy, confidentiality, and protection of sensitive data and information technology assets.
Defensive Strategies
If all threats to a network system were known, as well as all the vulnerabilities of the system itself, then a specific defensive posture could be deployed to guard and secure the system. It could even be a static defensive posture with definitive controls in place, because the exact threat would be known. Perimeter security using a firewall is a good example of a static defensive posture. The threat is assumed to be known and rules are generated to allow the firewall to work. Unfortunately, if the threat is not known, any such assumptions can be fatal to the network. Administrators must take into consideration the following points when addressing and creating a defensive posture for the enterprise network.
Defense-in-Depth
Defense-in-Depth states that all information technology assets within a protected network need to have the necessary amount of security protection to guard against direct attacks at whatever level the asset resides within the network. The assumption cannot be made that a firewall or some sort of all-encompassing perimeter security is enough to protect all information technology assets within the network.
Active Defense-in-Depth
An Active Defense-in-Depth is necessary as a defensive posture to think creatively and counter any and every threat, whether known or unknown. It is an active defense that changes its defensive posture based on the threat. Its defensive assets are able to flex in any direction, based on the disposition of the threat. Active Defense-in-Depth is built on the concepts of Defense-in-Depth. The requirement for securing network systems and their information technology assets against all current and future threats compels us to use multiple layers of security techniques that provide overlapping protection against attackers, hackers, and any other malicious threat that may attempt an exploit. This is a core requirement for any network taking active measures to protect its assets. This strategy not only recognizes the value of Defense-in-Depth, which states that every information technology asset within the network must have its own necessary and adequate protection, but is an active defense that takes whatever actions are necessary to stop the threat through multiple layers of security, including firewalls, intrusion detection, monitoring devices, and other techniques for network security. It recognizes that, due to the highly interactive nature of the various systems and networks, no single system can be secured adequately unless all interconnecting systems are also secured adequately. It must take into consideration the context of a shared-risk environment that dictates protection of IT systems at all levels, because of the interactive and interconnected nature of today's systems and networks. The strategy calls for the use of multiple, overlapping protection approaches to ensure that the failure or bypass of any individual protection approach will not leave the system unprotected.

Through user training and awareness, well thought-out and planned policies, procedures, and processes, as well as redundancy of protection mechanisms, the Active Defense-in-Depth strategy ensures the effective protection of information technology assets so the objective and purpose of the mission can be accomplished. An Active Defense-in-Depth utilizes the concept of addressing the largest vulnerability or the most dangerous threat first. The additional layers of security can take care of the remainder of the threats. Anything else is less of a threat, and many times the perimeter defense with firewalls can take care of many of the everyday types of threats. There is a general flow to the Active Defense-in-Depth strategy. The first area is to advance the users' security knowledge via training. Users must realize that the upcoming changes in the network are there to protect them, and if they are required to act differently while online, then they must follow the security policy and do so.
intrusion detection: Pertaining to techniques that attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts either manually or via software expert systems that operate on logs or other information available.
vulnerability: Hardware, firmware, or software flaw that leaves an AIS open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to an AIS.
attack: An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.
Security must then be established with a strong perimeter system. Inside the network, the Intrusion Detection System is working hard to identify unauthorized attempts to use resources. The stated strategy will respond to an attack, again as per the defined security policy. Finally, further controls and systems will be in place to minimize the likelihood of further intrusions and create a more trusted environment. After each part of the defense strategy, the lessons that have been learned are used to strengthen the overall security of the network. Figure 1-1 illustrates this concept.
intrusion: Any set of actions that attempts to compromise the integrity, confidentiality, or availability of a resource.
Perimeter Security
Perimeter security is the first line of defense for the network and usually is protected by a packet filtering or rules-based firewall. In order to be most effective, ensure that the firewall has the following properties and rules:
- Base your packet filtering and traffic management rules on an organizational security policy.
- The firewall defines all network connections.
- All traffic from inside out and outside in must pass through the firewall.
packet: A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.
packet filtering: A feature incorporated into routers and bridges to limit the flow of information based on pre-determined communications such as source, destination, or type of service being provided by the network. Packet filters let the administrator limit protocol-specific traffic to one network segment, isolate email domains, and perform many other functions.
router: An interconnection device that is similar to a bridge, but serves packets or frames containing certain protocols. Routers link LANs at the network layer.
vulnerability analysis: Systematic examination of an AIS or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
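The three firewall properties above (rules derived from policy, the firewall as the single path for all connections, and an implicit deny for anything the policy does not allow) can be shown with a small first-match packet filter. This is an added example written for this page, not code from the SCNS course; the address ranges, the rule set and its policy references, and the sample packets are all constructed for the demonstration.

```python
"""Rules-based packet filter with an implicit default deny (added example).

Each rule carries the policy clause it implements, rules are evaluated
in order with first match winning, and a packet that matches nothing is
dropped. The internal range, rules and traffic below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    direction: str = "in"       # "in" = outside to inside, "out" = inside to outside


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    direction: str
    src: str                    # CIDR, or "any"
    dst: str                    # CIDR, or "any"
    proto: str                  # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None # None matches any destination port
    policy_ref: str = ""        # the (assumed) policy clause this rule implements

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want != "any" and ip_address(have) not in ip_network(want):
                return False
        return True


INTERNAL = "10.0.0.0/8"   # assumed private range behind the firewall

# Constructed rule set; every entry traces back to a policy statement.
RULES: List[Rule] = [
    # Anti-spoofing: nothing arriving from outside may claim an inside source.
    Rule("deny", "in", INTERNAL, "any", "any", policy_ref="P1: drop spoofed internal sources"),
    Rule("permit", "in", "any", "10.0.1.10/32", "tcp", 443, policy_ref="P2: public HTTPS server"),
    Rule("permit", "in", "any", "10.0.1.20/32", "tcp", 25, policy_ref="P3: inbound SMTP relay"),
    Rule("permit", "out", INTERNAL, "any", "tcp", 443, policy_ref="P4: users may browse HTTPS"),
    Rule("permit", "out", INTERNAL, "any", "udp", 53, policy_ref="P5: outbound DNS"),
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, policy_ref). First matching rule wins; no match means deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.policy_ref
    return "deny", "implicit default deny"


if __name__ == "__main__":
    for pkt in (
        Packet("198.51.100.7", "10.0.1.10", "tcp", 443, "in"),
        Packet("198.51.100.7", "10.0.1.10", "tcp", 22, "in"),
        Packet("10.0.5.5", "10.0.1.10", "tcp", 443, "in"),
        Packet("10.0.5.5", "203.0.113.9", "tcp", 23, "out"),
    ):
        print(pkt, "->", filter_packet(pkt))
```

The anti-spoofing rule sits first because order matters in a first-match filter: a later "permit inbound HTTPS" rule would otherwise let an outside packet with a forged 10.x source through. Every packet not covered by a clause in the written policy falls to the implicit deny, which is the property that makes the rule set auditable against the policy.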
Attack Response
Attack response consists of many practices carried out in response to attacks or incidents, whether real, false, or simulated for training. All attacks are handled the same way until the administrator has verified that an event is in fact a false positive or a simulated attack for training. In any case, the details of the response need to be kept confidential outside the security team, so as not to give potential attackers an advantage or a vulnerability to exploit. A ready response team should be designated and alerted in a timely fashion once any attack has been detected. This team must have senior management backing and technical training that includes security policy creation, maintenance, and enforcement, and an escalation path for use during a response in case the team cannot handle the particular attack.
false positive: Occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action.
TASK 1A-1
Identifying Non-repudiation Issues
1. What are the three potential problems a network could face if there is no assurance of non-repudiation, and what is the potential excuse for each problem?

The following examples of excuses that people are known to routinely give each other are indicative of the potential problems in a network if non-repudiation is not implemented:
Repudiation of origin: "I never sent it."
Repudiation of receipt: "I never received it."
Repudiation of submission: "I sent it out a while back" versus "You say you sent it out when? I only received it yesterday."
Topic 1B
Defensive Technologies
To have a network that can be considered well-secured requires a layered defense. The concepts of a layered defense are old and simple: The more layers an attacker will have to go through, the more difficult it is for the attack to be successful.
A castle's defense system is the classic layered concept. The castle itself is built out of strong and very thick stone. The walls of the castle are very high. The towers of the castle are even higher and allow the guards to see intruders at a greater distance. Other guards are positioned inside to watch for imposters and other internal disruptions. Closer to the castle is the moat, a body of water surrounding the castle. The only entrance is the drawbridge, which can be raised so no one can enter or leave without permission. There is a massive door protecting the entrance past the drawbridge. Small arrow holes are hidden along the walls and in the towers for archers to use; these make it easy for arrows to get out of the castle but difficult to shoot an arrow into one of those holes. As you can see, each additional layer of defense creates a more secure overall castle. The analogy is directly transferable to networking. No single technology can create a secure network, just as a moat alone cannot create a secure castle.
Now, looking at this analogy, what are the defensive technologies employed in today's network security terms? There are many similarities, as you may have noticed.
protocol: Agreed-upon methods of communications used by computers. A specification that describes the rules and procedures that products should follow to perform activities on a network, such as transmitting data. If they use the same protocols, products from different vendors should be able to communicate on the same network.
Further analogies to the firewall are the arrow holes and the front door itself. These arrow holes are roughly equivalent to protocol port numbers, in that they are small and can be set up to be only one-way. Arrows go out, but they do not come back in. The front door can be opened to allow full two-way movement or communication.
back door: A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door; a hidden software or hardware mechanism used to circumvent security controls.
Figure 1-3: The layers of defense in reaching a file.

The best way of looking at the defense of the network is to start on the outside, at the perimeter, and work your way in to the target. The target may be a number of different things, but we will focus in this discussion on an application residing on a host computer.

1. The first aspect in the defense of the network does not even use electricity. It is the security policy. Many people consider the firewall the first line of defense, but this could be argued as incorrect. Without a policy, the firewall cannot be configured! So, the first item is the policy. There must be a clear understanding of the purpose of the security in the network. The policy must cover who can do what, when, and how. The policy also must state the clear objectives of each piece of equipment used in the defense of the network. As with many things in life, proper planning is required for successful implementation.

2. After the security policy has been created and agreed to, the implementation of the defense systems can begin. On the very edge of the network are the routers. These routers may be configured, via access control lists, to perform part of the firewall system, and provide some level of packet filtering. The firewall may provide NAT and proxy services. NAT will ensure that the internal private addresses stay hidden, and the proxy services will make requests for resources on behalf of the internal clients.

3. Moving through the layers, beyond the firewall, the next piece is the IDS. The IDS is in place to notify the security professionals when an intrusion has happened, and can perform this function both on the inside of the network, and also detect attempts on the outside of the network.

4. Still deeper into the defense of the network is authentication. The host computer will require a form of authentication to gain access to the resources. Making it to the host is one thing, authenticating with the host and getting access is another.

5. After authentication with the host is the file system security. Each file, or each resource, should be designed with its own security. This security dictates who has access to this file, and what kind of access each person has. The file security may even specify the times during the day that users have access to the file.

proxy: A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user; typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps do additional authentication, and then complete a connection on behalf of the user to a remote destination.

NAT and proxy services are covered in greater detail in upcoming lessons.
physical security: The measures used to provide physical protection of resources against deliberate and accidental threats.
The physical security of the network, although not a specic technology, is worth mentioning. Physical security of the computers, routers, switches, and employees is critical to maintaining a well-defended network. There is no point in implementing all the above technologies, if anyone can walk into an office and browse a computer. Physical access must be part of the defense, and should be outlined in the security policy.
TASK 1B-1
Describing the Layers of a Defended Network
1. Describe how an organization benefits from implementing each layer of a layered defense to protect their network.

Benefits to implementing a layered defense include:
Security Policy: Organized defense.
Perimeter Defense: Rule sets define what kind of traffic is allowed in or out.
IDS: Monitoring of network or hosts to detect unusual behavior or attacks so that responses can be calculated, rather than remain arbitrary.
Authentication: Depending upon the level of authentication used (one-, two-, or three-factor), it can be very difficult for one user to impersonate another.
File System Security: Users with verified credentials are granted or denied access to certain resources.
Physical Security: Prevents access to machines by users with malicious intent.
Topic 1C
Objectives of Access Control
Every network, no matter how well it is defended, will require verification of the network users' credentials. This is the process of access control. All networks need a system in place to be sure only authorized users have access to the network and its resources.
Access Control
On the network, one of the critical areas of security is determining who has access to what. It is the security professional's job to ensure that the policy guidelines are met and no unauthorized access of resources takes place. Or, as the definition of access control states, it is the prevention of unauthorized use by controlling the access to any protected system or resource. Access control systems are what help the security professional satisfy that requirement. There are two types of access control that may be implemented: Mandatory Access Control (MAC) and Discretionary Access Control (DAC). The policy in place determines which of these controls will be used.
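The difference between the two models is easiest to see in code. The following is an added example written for this page, not course code: MAC is modelled with the Bell-LaPadula rules (no read up, no write down) over the three labels the lesson review names, and DAC as an owner-maintained list of Create/Read/Update/Delete rights. The users, labels and resources are constructed.

```python
"""Mandatory vs. discretionary access control side by side (added example).

MAC: labels fixed by policy decide; the subject cannot change them.
DAC: the resource owner decides who gets which CRUD rights.
Subjects, clearances and resources below are constructed.
"""
from typing import Dict, Set

# Ordered sensitivity levels, lowest to highest, as named in the lesson.
LEVELS = {"Classified": 1, "Secret": 2, "Top Secret": 3}


def mac_allows(subject_clearance: str, object_label: str, op: str) -> bool:
    """Bell-LaPadula rules: reading requires clearance >= label (no read up);
    writing requires clearance <= label (no write down)."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


class DacResource:
    """A resource whose owner grants CRUD rights to named users."""

    def __init__(self, owner: str):
        self.owner = owner
        self.acl: Dict[str, Set[str]] = {owner: {"create", "read", "update", "delete"}}

    def grant(self, granter: str, user: str, rights: Set[str]) -> None:
        # Discretionary: only the owner may change the ACL.
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own this resource")
        self.acl.setdefault(user, set()).update(rights)

    def allows(self, user: str, op: str) -> bool:
        return op in self.acl.get(user, set())


def combined_decision(user: str, clearance: str, resource: DacResource,
                      label: str, op: str) -> bool:
    """Where both models apply, the MAC check comes first and a DAC grant
    cannot override it; DAC then narrows what MAC would permit."""
    mac_op = "read" if op == "read" else "write"
    return mac_allows(clearance, label, mac_op) and resource.allows(user, op)


if __name__ == "__main__":
    report = DacResource("alice")
    report.grant("alice", "bob", {"read"})
    # bob holds Classified clearance; the report is labelled Secret.
    print("bob reads Secret report:", combined_decision("bob", "Classified", report, "Secret", "read"))
    print("bob reads Classified memo:", combined_decision("bob", "Classified", DacResource("bob"), "Classified", "read"))
```

The point the example makes: under DAC, alice can hand bob read access with one call; under MAC, that grant is irrelevant while bob's clearance is below the object's label, because the policy, not the owner, decides.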
Authentication
Once the policies of access control are in place, there needs to be a mechanism that can verify the user who is requesting access. Having either DAC or MAC in the organization's network is useless if the network cannot identify the users of the network. This is where authentication comes in. Although each operating system has its own methods of authentication, here we will discuss the concepts and methods of authentication. How is authentication defined? The basic definition is the process of determining the identity of a user who is attempting to access a system. (The word system in this case could be a router, server, workstation, and so on.)
server: A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.
Authentication occurs when a user provides the requested information to an authentication verification authority. The requested information can take many forms, as you will see. The verification authority can also take different forms, but is generally a server on the network. The traditional method of authentication is to provide a password. This password is a value that the user creates individually, or is generated for them. In any case, it is a value the user remembers and enters when requested. Systems can be as simple as having a single password to log in and use every resource available, or as complex as requiring one password to log in and different passwords to access specific resources. To increase the level of reliability and ease of use to users, biometric authentication can be introduced. When this type of system is added to the authentication scheme, it is considered to be strong authentication. The designation of strong is given since the user is not only identified digitally, but by their physical person via a physiological characteristic, such as a fingerprint scan, iris scan, or hand geometry.
Authentication Tokens
For some organizations, the traditional methods of using passwords are not enough, and the implementation of a biometric solution, such as fingerprint scanning, does not meet their policy requirements. These organizations may then look to tokens. Tokens come in different sizes and implementations. An authentication token is a portable device used for authenticating a user, thereby allowing authorized access into a network system. The tokens are physical devices and they operate by using schemes such as challenge and response or time-based code sequences. One of the most well-known is the RSA SecurID token.
10. The authentication server receives the response, and using the same DES key that the token used, processes it and verifies the user and the token.
11. The authentication server sends a message to the NAS to allow the user access.
Time-based Tokens
The challenge response token system is widely used on many networks today. There is a different type of token that is also currently used: the time-based token. Where the challenge response token requires the user to enter data into the token and read data back out of it, with a time-based token the user only reads data from it.
Figure 1-6: An example of the time-based token authentication system.

The time-based token uses an authentication technique in which the security token and the security server share an identical algorithm and a secret seed value registered when the token was issued. The token combines the seed with the current time to generate a code that changes at a fixed interval. To gain access, the user takes the code shown on the token and adds their user name and PIN to create a passcode, which is sent to the server. The server authenticates the user by generating its own version of the valid code from the pre-registered seed and its own clock, and by checking the PIN registered for that user name; if both match, the user and the token are validated. Because the two clocks can drift apart, the server normally accepts codes from a small window of adjacent intervals.
Time-based and challenge response tokens are both good examples of two-factor authentication. The server validates what they know (the user name and PIN) and what they have (the authentication token).
Software Tokens
If an organization does not wish to purchase hardware tokens such as those described, they may opt for a software solution instead. A software token is an authentication technique using a portable device such as a Palm Pilot, Palm PC, or Wireless Telephone to carry the embedded software. When attempting to access the secured network, the user is prompted to provide their PIN (pre-registered with the server in association with the user name) and authentication code, which is generated by the software token. This information is routed to an access server such as an RSA ACE/Server for verification. If the PIN and authentication code are valid, the user is granted access. If not, the user is denied access to the network.
TASK 1C-1
Describing the Challenge Response Token Process
1. Describe the Challenge Response token process between the user, client, and server.

Each challenge/response token is pre-loaded with a DES (Data Encryption Standard) encryption key and a default user PIN unique to that token in association with a user name. Neither of these items can be extracted from the token. Upon receiving a new token, the user must follow several steps to access a secured network by using challenge/response technology.

2. Place the following steps in the proper order.
The user types the challenge into the token, which then encrypts it using its internal DES key.
The user types in the User ID from the requesting PC.
The authentication server receives the response and, using the same DES key that the token used, processes it and verifies the user and the token.
The NAS passes the PIN and User ID to the authentication server as part of the logon request.
The token displays the encrypted response.
The authentication server sends a message to the NAS to allow the user access.
The token is activated by changing the PIN to one known only to the user.
The user enters the chosen PIN on the token.
The challenge is sent to the user, where it appears on the requesting PC screen.
The user begins the logon sequence.
The user types the encrypted response into the requesting PC keyboard.
The authentication server generates a random challenge and sends it back to the user via the connection through the NAS.

Answer key: 7, 3, 10, 4, 8, 11, 1, 6, 2, 9, 5.
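Both token schemes described in this topic (the challenge/response exchange of Task 1C-1 and the time-based token of Figure 1-6) come down to the server recomputing what the token should have produced. The following is an added example written for this page, not course code and not an implementation of RSA SecurID. The text has the token encrypt the challenge with a DES key; here the token and server instead share a secret and use HMAC (DES is obsolete and not in the Python standard library), which keeps the shape of the exchange. The time-based token follows the RFC 6238 TOTP construction (HMAC-SHA1, 30-second steps, 6 digits). Seeds, PINs, the registration table and clock values are constructed, and the "PIN followed by code" passcode layout is an assumption.

```python
"""Challenge/response and time-based token verification (added example).

Two-factor check in both cases: the server confirms something the user
knows (the PIN) and something the user has (a code only the token seed
can produce). HMAC replaces the DES step the text describes.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

# Server-side registration database (constructed): user -> (seed, PIN).
REGISTRY = {
    "alice": (bytes.fromhex("3132333435363738393031323334353637383930"), "4821"),
}

# --- Challenge/response token ------------------------------------------

def token_respond(seed: bytes, challenge: str) -> str:
    """What the token computes when the user types the challenge into it."""
    return hmac.new(seed, challenge.encode(), hashlib.sha256).hexdigest()[:8].upper()

def server_new_challenge() -> str:
    """The authentication server generates a random challenge."""
    return os.urandom(4).hex().upper()

def server_verify_response(user: str, pin: str, challenge: str, response: str) -> bool:
    """Server recomputes the response with its copy of the seed and checks the PIN."""
    entry = REGISTRY.get(user)
    if entry is None:
        return False
    seed, registered_pin = entry
    pin_ok = hmac.compare_digest(pin, registered_pin)
    resp_ok = hmac.compare_digest(token_respond(seed, challenge), response)
    return pin_ok and resp_ok

# --- Time-based token (TOTP, RFC 6238) ----------------------------------

STEP = 30      # seconds per code
DIGITS = 6

def totp_code(seed: bytes, unix_time: int) -> str:
    """Code the token displays at `unix_time`: HOTP over the time-step counter."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)

def split_passcode(passcode: str) -> Tuple[str, str]:
    """Assumed layout: the user types the PIN immediately followed by the code."""
    return passcode[:-DIGITS], passcode[-DIGITS:]

def server_verify_totp(user: str, passcode: str, now: Optional[int] = None,
                       drift: int = 1) -> bool:
    """Server regenerates the code from the registered seed and its own clock,
    accepting +/- `drift` steps of skew between token and server clocks."""
    entry = REGISTRY.get(user)
    if entry is None:
        return False
    seed, registered_pin = entry
    pin, code = split_passcode(passcode)
    if not hmac.compare_digest(pin, registered_pin):
        return False
    now = int(time.time()) if now is None else now
    return any(hmac.compare_digest(totp_code(seed, now + k * STEP), code)
               for k in range(-drift, drift + 1))


if __name__ == "__main__":
    seed = REGISTRY["alice"][0]
    challenge = server_new_challenge()          # appears on the user's PC
    response = token_respond(seed, challenge)   # user types challenge into token
    print("challenge/response accepted:", server_verify_response("alice", "4821", challenge, response))
    print("time-based accepted:", server_verify_totp("alice", "4821" + totp_code(seed, int(time.time()))))
```

The seed is the RFC 6238 test secret, so the time-based codes can be checked against the published vectors (for example, time 59 gives 287082 at six digits). Note what each party knows: the token never sees the registered PIN and the server never sees the token, yet the server can reject a stolen PIN, a replayed code from an old interval, or a response computed with the wrong seed.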
Topic 1D
The Impact of Defense
Network security protects all the information technology assets within the enterprise including computers, servers, databases, applications, peripherals, and perhaps most importantly, data or information. Network security allows authorized users to access IT assets quickly, whenever it's needed, all the while improving communications with internal and external customers within a totally secure environment. Implementation of security controls, whether in a layered defense or any other mode, should not, in any way, hinder the functionality of the network. Networks must be secure, but the implementation of security cannot hinder the objective and purpose of the network itself. Of the different technologies discussed in this lesson, how many could have a negative impact on the performance of the network? If you answered all of them, you are correct. However, they do not have to have a negative impact on the network. Proper implementation of security controls will reduce the impact on the network. How exactly do these technologies impact the network in the first place? Let's examine some of the technologies discussed previously.
Firewalls
The firewall is the first line of defense for the network. All packets that enter the network should come through this point in a properly designed network. A modern firewall is generally a system of applications and hardware working together. The jobs a firewall can be asked to perform are packet filtering, network address translation, and proxy services. A firewall can have a negative impact on the network by blocking access to resources that should be accessible. It is possible that, because of improper configuration of a firewall, entire portions of a network become unavailable, in which case the performance hit is significant. Additionally, if an ordinary PC has been configured to be the firewall (a multihomed computer), it may not have the internal speed to perform all the functions of the firewall fast enough, resulting in latency.
Encryption
The encryption process as a whole involves taking data that is readable in plain text and, using a mathematical calculation, making the text unreadable. The receiver then needs to perform a similar calculation to decrypt the message and read it in its plain text format. The performance hit is much more obvious with encryption. If the data packets are encrypted, the information that must be transmitted is larger (the protocol adds headers, initialization vectors, padding, and integrity tags), so more bandwidth will be consumed. Additionally, the devices that perform the encryption and decryption have more work to do in running the algorithms that perform the task. Networks that have systems at minimum levels will be affected the most by the addition of encryption.
Lesson 1: Network Defense Fundamentals 21
Computers and routers that are asked to perform encryption must be able to handle the extra workload. It is not always the network that has a performance drop; it is often the computers themselves, as they struggle to keep up with all the extra processing required to encrypt and decrypt data. File system encryption can be as much of a performance hit as encrypted network traffic.
Passwords
Forcing hard-to-remember passwords on users results in either the passwords being written down or frequent calls to the help desk to unlock accounts. This results in a performance hit on the overall functionality of the entire network. The password issue is a difficult one, as networks require strong passwords, but users have a hard time creating them. The network administration staff should take the time to educate users on creating strong passwords. One of the better methods of making strong passwords that users can remember is to use phrases instead of words (which should never be used). The phrase method requires the user to think of a phrase they will remember. This way it can be related to a user's birthday and not be a security risk. For example, "I was Born on June 27!" could then be a password of IwBoJ27! This illustrates how easy it can be to generate secure passwords that can be remembered. Bear in mind that a phrase built entirely from facts an attacker can look up, such as a birthday, gives that attacker a starting point, so the phrase should include something that is not public knowledge.
Auditing
If a commonly used server has had every single auditing option turned on, the computer is going to suffer a performance hit in logging all that information. If it also happens to be a file server, chances are good that available disk space will be taken up by the log files, again resulting in calls to the help desk. This can also be a method of hiding an attacker's tracks. If an attacker gains access to a server and enables every single auditing option, it will be much more work for the administrator to search the log files for the real evidence of the security breach.
TASK 1D-1
Describing the Problems of Additional Layers of Security
1. How could adding additional layers of defense cause problems for the users of a network?

Answers may vary, but may include: Improper configuration of a firewall, NAT, or proxy can result in authorized users not being able to access resources they need to access, or vice versa; users may not fully understand the modern key management process used in encryption systems, therefore, unless encryption is an integrated feature of the operating system, IP stack, or application, users may be inconvenienced; the user logon and verification process can also inconvenience users if it is too complicated.

2. How could adding additional layers of defense cause problems for the packet flow on the network?

Answers may vary, but could include: Strong encryption can increase the actual network traffic; more CPU cycles are required to generate encrypted traffic and decipher it upon receipt; IDS systems running in a very paranoid mode may create excessive auditing and alerts, sometimes resulting in false alerts.
Topic 1E
Network Auditing Concepts
Auditing entails the recording, maintenance, and protection from unauthorized access, modication, or deletion of detailed access event logs of information technology assets and network systems to ensure compliance with an established security policy. Auditing within a network systems environment involves much more than the typical recording of system activity.
compromise: An intrusion into a computer system where unauthorized disclosure, modification, or destruction of sensitive information may have occurred.
security violation: An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information contained therein or to the system itself.
Besides the usual recording of logins, logouts, access to files, directories and resources, and security violations, additional network security events must be audited on both sides of the network connection. Both sides means any establishing or dropping of network connections with other networks must be logged, as well as any failed network components and any misrouted or lost data while in transit.

Auditing should capture the information of the following events:
All access events with use of identification and authentication mechanisms.
Any deletion of files, data, or information.
Modification of directories.
Movement of large data assets into users' address space.
Any security actions or other security-related events.

Each event should contain the following entries in the audit log:
Date and time of the event.
Name of user creating the event, as well as event origin.
Event description and type.
Name of asset in case of deletion.
Event success or failure.
audit: The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.
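A record that lacks one of those entries is of little use after a compromise, so an audit pipeline should check for them as the records arrive rather than during an investigation. The following is an added example for this page, not course code: the one-line key=value log format, the sample records, and the "three failures" threshold are constructed. It validates each record against the required entries (asset name only when the event is a deletion) and pulls out two of the event classes the text says must be captured, deletions and repeated authentication failures.

```python
"""Validate audit records and summarise security events (added example).

The log format (one event per line, key=value fields) and the sample
records are constructed for the demonstration.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Entries every record must carry, per the lesson text.
REQUIRED = ("time", "user", "origin", "type", "desc", "result")

SAMPLE_LOG = """\
time=2024-03-01T08:00:01Z user=alice origin=10.0.5.5 type=auth desc=login result=success
time=2024-03-01T08:00:09Z user=bob origin=203.0.113.9 type=auth desc=login result=failure
time=2024-03-01T08:00:12Z user=bob origin=203.0.113.9 type=auth desc=login result=failure
time=2024-03-01T08:00:15Z user=bob origin=203.0.113.9 type=auth desc=login result=failure
time=2024-03-01T08:01:00Z user=alice origin=10.0.5.5 type=file desc=delete asset=/srv/reports/q1.xls result=success
time=2024-03-01T08:02:00Z user=alice origin=10.0.5.5 type=file desc=delete result=success
time=2024-03-01T08:03:00Z user=carol type=dir desc=modify asset=/srv/shared result=success
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict; values without '=' become empty."""
    rec = {}
    for field in line.split():
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def missing_entries(rec: Dict[str, str]) -> List[str]:
    """Required entries the record lacks; a deletion must also name the asset."""
    missing = [k for k in REQUIRED if k not in rec]
    if rec.get("desc") == "delete" and "asset" not in rec:
        missing.append("asset")
    return missing


def audit_log(text: str, fail_threshold: int = 3) -> Dict[str, object]:
    """Return incomplete records, users with repeated auth failures, and deletions."""
    records = [parse_record(line) for line in text.splitlines() if line.strip()]

    incomplete: List[Tuple[int, List[str]]] = []
    for lineno, rec in enumerate(records, 1):
        gaps = missing_entries(rec)
        if gaps:
            incomplete.append((lineno, gaps))

    failures = Counter(rec["user"] for rec in records
                       if rec.get("type") == "auth" and rec.get("result") == "failure")
    deletions = [rec.get("asset", "<unnamed>") for rec in records if rec.get("desc") == "delete"]

    return {
        "incomplete": incomplete,
        "repeated_auth_failures": {u: n for u, n in failures.items() if n >= fail_threshold},
        "deletions": deletions,
    }


if __name__ == "__main__":
    for key, value in audit_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two of the sample records are flagged: a deletion with no asset name (an investigator could never say what was removed) and a directory modification with no origin (no way to tell which host the change came from). The three consecutive failures for bob from one outside address are exactly the kind of event the "security-related events" bullet is meant to surface.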
Security Audits
Logged records of monitored events are kept on hand for auditing purposes. Although they can be conducted by either internal or external resources, the two typical types of security audits are operational or independent.
security audit: A search through a computer system for security problems and vulnerabilities.
Operational Audit
This type of audit is usually done by internal resources to examine the operational and ongoing activities within a network system for compliance with an established security policy.
Independent Audit
An independent audit is usually conducted by external or outside resources and may be a review or audit of detailed audit logs to: Examine system activities and access logs. Assess the adequacy of security methods and controls. Assess compliance with established enterprise network system policies and procedures. Assess effectiveness of support, enabling, and core processes. Recommend improvements in security processes, methods, and controls.
Whether an audit is done as an operational or independent audit, a thorough search through the system should be conducted to detect any flaws, vulnerabilities, or problems. An IDS can report attacks against the network's systems, but a security audit should be conducted to find problems within the file systems and accounts on the network. Out of this audit should come detailed reports that may give you some clues as to possible existing or future problems. These may include:
Accounts with no name, or expired names of people that have left the company or group.
New accounts needing validation for authorized users.
Group accounts needing access control specifics to pinpoint who had access at what time, and not just a group-name logon.
Recent changes to file protection or changes in rights to large files.
Accounts with easily guessed passwords.
Accounts with expired or no passwords.
Any other suspicious user activity.
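Several of those report items can be produced mechanically from the account database. The following is an added example for this page, not course code. It reads shadow-style records (name:hash:lastchg:min:max:warn:inactive:expire, with ages in days since 1970-01-01) and a roster of current staff, both constructed here, and reports accounts with no password, expired accounts, passwords past their maximum age, and accounts for people who are no longer on the roster. The "easily guessed passwords" item needs a cracking run against the hashes and is left out.

```python
"""Account audit over shadow-style records (added example).

The shadow lines, the HR roster and the "today" value are constructed;
field layout follows the usual shadow(5) order.
"""
from typing import Dict, List

TODAY = 19800   # constructed "today" in days since the epoch (mid-2024)

SHADOW = """\
root:$6$abc$hashed:19700:0:99999:7:::
alice:$6$def$hashed:19750:0:90:7:::
bob:$6$ghi$hashed:19600:0:90:7:::
carol::19790:0:90:7:::
dave:$6$jkl$hashed:19790:0:90:7::19750:
svc-backup:*:19000:0:99999:7:::
"""

ROSTER = {"alice", "bob", "carol"}           # currently employed (constructed)
SYSTEM_ACCOUNTS = {"root", "svc-backup"}     # expected non-person accounts


def parse_shadow(text: str) -> List[Dict[str, str]]:
    """One dict per record; trailing fields beyond 'expire' are ignored."""
    names = ["name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire"]
    return [dict(zip(names, line.split(":")))
            for line in text.splitlines() if line.strip()]


def audit_accounts(text: str, today: int = TODAY) -> Dict[str, List[str]]:
    """Findings keyed by category, each a list of account names."""
    findings: Dict[str, List[str]] = {
        "no_password": [], "expired": [], "stale_password": [], "not_on_roster": [],
    }
    for acct in parse_shadow(text):
        name, h = acct["name"], acct["hash"]

        # Empty hash field: anyone can log in without a password.
        if h == "":
            findings["no_password"].append(name)

        # Account expiry date has passed but the account still exists.
        if acct["expire"] and int(acct["expire"]) <= today:
            findings["expired"].append(name)

        # Password older than its maximum age (locked or disabled hashes skipped).
        if h and not h.startswith(("*", "!")) and acct["max"] and int(acct["max"]) < 99999:
            if int(acct["lastchg"]) + int(acct["max"]) < today:
                findings["stale_password"].append(name)

        # A person account with no matching entry in the current roster.
        if name not in ROSTER and name not in SYSTEM_ACCOUNTS:
            findings["not_on_roster"].append(name)
    return findings


if __name__ == "__main__":
    for category, names in audit_accounts(SHADOW).items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

On the constructed data the audit flags carol (empty password field), bob (password 200 days old against a 90-day maximum), and dave twice: his account has an expiry date in the past and he is no longer on the roster, which is the "expired names of people that have left" case the text describes.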
Audit Trails
Network auditing still needs to log the audit trail or history of any network transaction. The requirement for any audit trail is that documentation be kept to record the historical use of the network system. But the primary purpose of a recorded audit trail is to be able to examine the detailed historical record of system use in order to replicate specific event scenarios after a compromise or exploit has occurred. An audit trail is the only way to examine the sequence of events that led up to the system's compromise or exploitation. Without an audit trail, there would be no way to find out how a compromise or exploit of the system occurred, or when it actually happened.
audit trail: In computer security systems, a chronological record of system resource usage. This includes user login, file access, other various activities, and whether any actual or attempted security violations occurred.
perpetrator: The entity from the external environment that is taken to be the cause of a risk. An entity in the external environment that performs an attack, i.e. hacker.
Legal Considerations
Due to the content of audit data, there are a number of legal questions that arise which might need to be addressed by your legal counsel. If you collect and save audit data, you need to be prepared for consequences resulting both from its content as well as its existence.
One area concerns the privacy of individuals. In certain instances, audit data may contain personal information. Searching through the data, even for a routine check of the system's security, could represent an invasion of privacy. A second area of concern involves knowledge of intrusive behavior originating from your site. If an organization keeps audit data, is it responsible for examining it to search for incidents? If a host in one organization is used as a launching point for an attack against another organization, can the second organization use the audit data of the first organization to prove negligence on the part of that organization? These examples are not meant to be comprehensive, but should motivate your organization to consider the legal issues involved with audit data.
TASK 1E-1
Describing Network Auditing
1. What are the benefits of auditing network traffic?

Logs of audited network traffic can be used to examine a detailed historical record of network and system use in order to reconstruct specific event scenarios after a compromise or exploit has occurred.

2. What is a possible drawback to network auditing?

If an intruder were to gain access to audit logs, the systems themselves would be at risk, in addition to the data.

3. Why is the handling and storage of audit data so critical?

Audit data may contain personal information. Searching through the data, even for a routine check of the system's security, could represent an invasion of privacy. Apart from that, the very knowledge of intrusive behavior originating from your site raises the question of responsibility with regard to reporting the incident to a third party or maybe even an authority such as the FBI.
Summary
In this lesson, you walked through the process of creating a layered defense. You are able to identify why the layered defense is important and the technologies used to create one. You also examined the concepts of network auditing, including handling of data and types of audits. You have defined the five keys of network defense, described the objectives of access control methods, and identified the impact of defense on the network.
Lesson Review
1A What do authentication and availability create in the network?
Authentication and availability in a network create system assurance.

Describe the differences between one-, two-, and three-factor authentication.

One-factor authentication provides what you know, such as a password or PIN. Two-factor authentication is providing what you have, like a smart card or a token, in addition to what you know. The third factor, which provides strong authentication, is proving a user's identity, or who you are, by using biometrics. Biometrics uses a physiological characteristic to identify you, such as a fingerprint, retina scan, hand geometry, voice recognition, iris scan, or behavioral characteristics such as keystroke recognition or signature recognition.

Is it possible to have data confidentiality without having data integrity?

No; however, it is possible to have data integrity without data confidentiality.

What is the difference between a passive threat and an active threat?

Simply put, in a passive threat, data is viewed, but in an active threat, data is modified.
1B What are the primary technologies used to create a layered defense?

A security policy implemented at various layers of the network.
Perimeter defenses, such as routers, firewalls, NAT, and proxies.
Intrusion Detection Systems (IDS) can be put in place to monitor network traffic or hosts.
Authentication has to be regularized using one-, two-, or three-factor authentication methods depending upon the requirement (machine-specific authentication may be required in some cases).
File System Security should be in place once a user is logged in, to allow or deny access to resources.
Physical access/security to the network or individual machines should be addressed.
What could be the result of skipping a layer of defense?

Security policy: Unstructured defense.
Perimeter defense: Intruders will come in.
IDS: You won't know that intruders have come in.
Authentication: Anyone can log in to your network.
File System Security: Anyone who has access to a machine can access everything on that machine.
Physical security: Anyone can access any machine.
1C Name and describe the two methods of Access Control.

Mandatory Access Control, where subjects and objects are Classified, Secret, or Top Secret. Discretionary Access Control, where a user's identity is used in first determining certain user rights into the system, and then at each resource to see if the user has Create, Read, Update, or Delete (CRUD) privileges.
Describe the process of authentication.

Authentication is the process of determining the identity of a user who is attempting to access a system. A user provides the requested information to an authentication verification authority. The authentication verification authority uses this information, or a derivative of it, against a pre-configured database. If the values match, the user is issued appropriate credentials to access the system. The user then presents these credentials to access resources.

What are software tokens, and how can an organization benefit by using them?

A software token is an authentication technique using a portable device, such as a Palm Pilot or Palm PC. Since the token is generated via software, an organization does not have to be tied down to a particular hardware token generator. When circumstances change and they have to upgrade the strength of the token, for example, they just need to upgrade the software in the portable device rather than recall and reissue hardware devices.
1E What are two of the events that can be captured with auditing?
Answers may include the following: All access events with use of identification and authentication mechanisms; any deletion of files, data, or information; modification of directories; movement of large data assets into users' address space; any security actions or other security-related events.
What are two of the entries that should be captured in an event?
Answers may include the following: Date and time of the event; name of user creating the event as well as event origin; event description and type; name of asset in case of deletion; event successful or failed.
What are the two typical types of security audits?
Operational and independent.
Advanced TCP/IP
Overview
There is one primary set of protocols that runs networks and the Internet today. In this lesson, you will work with those protocols: the Transmission Control Protocol (TCP) and the Internet Protocol (IP). In order to manage the security of a network, you must become familiar with the details of how TCP/IP functions, including core concepts, such as addressing and subnetting, and advanced concepts, such as session establishment and packet analysis.
LESSON 2
Data Files: tftp.cap, fragment.cap, ping.txt, ping.cap, ftp.txt, ftp.cap, WinPcap, Wireshark
Lesson Time: 6 hours
Objectives
To better understand advanced TCP/IP concepts, you will:
2A Define the core concepts of TCP/IP. Given a machine running TCP/IP, you will define the core concepts of TCP/IP, including the layering models, RFCs, addressing and subnetting, VLSM and CIDR, and the TCP/IP suite.
2B Analyze sessions of TCP. Given a Windows Server 2003 computer, you will examine control flags, sequence numbers, and acknowledgement numbers, and you will use Network Monitor to view and analyze all of the fields of the three-way handshake and session teardowns.
2C Analyze IP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of IP.
2D Analyze ICMP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of ICMP.
2E Analyze TCP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of TCP.
2F Analyze UDP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of UDP.
2G Analyze fragmentation. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze network traffic fragmentation.
2H Complete a full session analysis. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze a complete FTP session, frame by frame.
Topic 2A
TCP/IP Concepts
In order for two hosts to communicate, there must first be an agreed-upon method of communication for both hosts to use. The protocol that the Internet was built on, and the protocol that all hosts on the Internet use, is TCP/IP, or Transmission Control Protocol/Internet Protocol. Because the two hosts agree on the protocol they will use, we can go right into the details of the protocol itself.
Many of the concepts in this topic were covered in the prerequisite courses, but are provided here for review.
It is this last method that is actually used. For example, if a user is at a host and wants to view a web page on a different host, the request and subsequent response will take many small steps to complete. In Figure 2-1, you can see the four layers of the TCP/IP Model, along with the browser's request for a web page going to the web server.
server: A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.
Figure 2-1: A web request moving along the TCP/IP Model.
The four layers of the TCP/IP Model are:
The Application Layer
The Transport Layer
The Internet Layer (also called the Network Layer)
The Network Access Layer (also called the Link Layer)
The reason that there are alternate names for these layers is that the industry has never agreed on a single standard for the names. Each of these layers is detailed as follows:
The Application Layer is the highest layer in the model, and communicates with the software that requires the network. In our example, the software is the web page request from a browser.
network: Two or more machines interconnected for communications.
The Transport Layer is where the reliability of the communication is dealt with. There are two protocols that work at this layer, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). An immediate difference between the two is that TCP does provide for reliable delivery of data, whereas UDP provides no such guarantee. The Internet Layer (or Network Layer) provides the mechanism required to address and move the data from one host to the other. The primary protocol you will examine at this layer is IP (Internet Protocol). The Network Access Layer (or Link Layer) is where the data communication interacts with the physical medium of the network. This is the layer that does the actual sending and receiving of the data.
As you saw in Figure 2-1, as the web page request was initiated on the host, it moved down the layers, was transmitted across the network, and moved up the layers on the web server. These are the layers on which all network communication using TCP/IP is based. There is a different set of layers, however, called the OSI Model.
OSI: (Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.
The names of these layers are fixed, as this is an agreed-upon standard. The details of each layer are as follows:
The Application Layer is the highest layer of the OSI Model, and deals with interaction between the software and the network.
The Presentation Layer is responsible for data services such as data compression and data encryption/decryption.
The Session Layer is responsible for establishing, managing (such as packet size), and ending a session between two hosts.
The Transport Layer is responsible for error control and data recovery between two hosts. Both TCP and UDP work at this layer.
The Network Layer is responsible for logical addressing, routing, and forwarding of datagrams. IP works at this layer.
The Data Link Layer is responsible for packaging data frames for transmission on the physical medium. Error control is added at this layer, often in the form of a Cyclic Redundancy Check (CRC). This layer is subdivided into the LLC (Logical Link Control) and MAC (Media Access Control) sublayers. The MAC sublayer is associated with the physical address of the network device, and the LLC sublayer makes the association between this physical address (such as the 48-bit MAC address if using Ethernet) and the logical address (such as the 32-bit IP address if using IP) at the Network Layer.
The Physical Layer is responsible for the actual transmission and receipt of the data bit stream on the physical medium.
packet: A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.
The OSI Model and the TCP/IP Model do fit together. In Figure 2-2, you can see that the two primary layers of concern in the TCP/IP Model (the Transport and Internet Layers) match directly with the Transport and Network Layers of the OSI Model, while the other two TCP/IP Model layers each encompass two or more layers of the OSI Model.
Figure 2-2: A comparison of the OSI and TCP/IP Models.
As the data from one host flows down the layers of the model, each layer attaches a small piece of information relevant to that layer. This attachment is called the header. For example, the Network Layer header will identify the logical addresses (such as IP addresses) used for this transmission. This process of adding a header at each layer is called encapsulating. Figure 2-3 shows a visual representation of the header and the encapsulation process.
Figure 2-3: Headers and the encapsulation process as data moves down the stack.
When the second host receives the data, and as the data moves up the layers, each header will let the host know how to handle this piece of data. After all the headers have been removed, the receiving host is left with the data as it was sent.
RFCs
With all the standards defined in the previous section, you may be asking where to go to find the standards. The answer is the RFCs. A Request For Comments (RFC) is the industry location for standards relating to TCP/IP and the Internet. RFCs are freely available documents to read and study, and if you ever want to go directly to the source, be sure to use the RFC. Although you will find RFCs listed all over the Internet, to view them all online go to: www.rfc-editor.org. This is the website with a searchable index of all RFCs. There are several RFCs you should be familiar with, and that you should know by name to look up. This way you will not have to search hundreds of responses to find what you need. The RFCs you should know are:
The Internet Protocol (IP): RFC 791.
The Internet Control Messaging Protocol (ICMP): RFC 792.
The Transmission Control Protocol (TCP): RFC 793.
The User Datagram Protocol (UDP): RFC 768.
The Function of IP
The Internet Protocol (which works at the Network layer of both the OSI and the TCP/IP models), by definition, has a simple function. IP identifies the current host via an address and, using addressing, moves a packet of information from one host to another. Each host on the network has a unique IP address, and each packet the host sends will contain its own IP address and the IP address to which the packet is destined. The packets are then directed, or routed, across the network, using the destination address, until they reach their final destination. The receiving host can read the IP address of the sender and send a response, if required.
Although it sounds straightforward, and does work, there are drawbacks. For instance, when packets are sent from one host to another, they may be received out of order. IP has no mechanism for dealing with that problem. Also, packets can get lost or corrupted during transmission, again a problem IP does not manage. These problems are left to an upper protocol to manage. Often that protocol will be TCP, as you will see in the following topic.
To convert the decimal address 192.168.10.1 to hexadecimal, convert each of its octets, then combine the results, as follows:
1. Divide 192 by 16. The result is 12, with a remainder of 0. Because decimal 12 is the same as Hex C and decimal 0 is the same as Hex 0, decimal 192 is equal to Hex C0.
2. Divide 168 by 16. The result is 10, with a remainder of 8. Because decimal 10 is the same as Hex A and decimal 8 is the same as Hex 8, decimal 168 is equal to Hex A8.
3. Decimal 10 is the same as Hex A.
4. Decimal 1 is the same as Hex 1.
5. Combining the results of each conversion shows that decimal 192.168.10.1 is equal to Hex C0A80A01.
Another way to derive this result is to first convert from decimal to binary, then convert binary to hexadecimal four bits at a time, and finally, combine the results, as shown here:
1. Decimal 192 is the same as binary 11000000.
2. Decimal 168 is the same as binary 10101000.
3. Decimal 10 is the same as binary 00001010.
4. Decimal 1 is the same as binary 00000001.
5. Binary 1100 (the first four bits of the first octet) is the same as Hex C.
6. Binary 0000 is the same as Hex 0.
7. Binary 1010 is the same as Hex A.
8. Binary 1000 is the same as Hex 8.
9. Binary 0000 is the same as Hex 0.
10. Binary 1010 is the same as Hex A.
11. Binary 0000 is the same as Hex 0.
12. Binary 0001 is the same as Hex 1.
13. Combining the Hex equivalents shows that decimal 192.168.10.1 is equal to Hex C0A80A01.
IP Address Classes
There are five defined classes of IP addresses: Class A, Class B, Class C, Class D, and Class E. The details of each class are as follows:
Class A IP addresses use the first 8 bits of an IP address to define the network, and the remaining 24 bits to define the host. This means there can be more than 16 million hosts in each Class A network (2^24 - 2, because all 1s and all 0s cannot be used as host addresses). All Class A IP addresses will have a first octet of 0xxxxxxx in binary format. 10.10.10.10 is an example of a Class A IP address.
Class B IP addresses use the first 16 bits to define the network, and the remaining 16 bits to define the host. This means there can be more than 65,000 hosts in each Class B network (2^16 - 2). All Class B IP addresses will have a first octet of 10xxxxxx in binary format. 172.16.31.200 is an example of a Class B IP address.
Class C IP addresses use the first 24 bits to define the network, and the remaining 8 bits to define the host. This means there can be only 254 hosts in each Class C network (2^8 - 2). All Class C IP addresses will have a first octet of 110xxxxx in binary format. 192.168.10.1 is an example of a Class C IP address.
Class D IP addressing is not used for hosts, but is often used for multicasting (which will be discussed later), where there is more than one recipient. The first-octet binary value of a Class D IP address is 1110xxxx. 224.0.0.9 is an example of a Class D IP address.
Class E IP addressing is used for experimental functions and for future use. It does have a defined first-octet binary value as well. All Class E IP addresses have a first octet binary value of 11110xxx. 241.1.2.3 is an example of a Class E IP address.
In addition to the private address ranges listed, there are a few other address ranges that have other functions. The first is the range of 127.0.0.0 to 127.255.255.255. This address range is used for diagnostic purposes, with the common address of 127.0.0.1 used to identify IP on the host itself. The second range is 169.254.0.0 to 169.254.255.255. This address range is used by Microsoft to allocate addresses to hosts, for Automatic Private IP Addressing (APIPA).
Binary Format of the default subnet masks:
Class A: 11111111.00000000.00000000.00000000
Class B: 11111111.11111111.00000000.00000000
Class C: 11111111.11111111.11111111.00000000
The subnet mask can be represented in different formats. For example, one common format is to list the IP address followed by the full subnet mask, such as this: 192.168.10.1 255.255.255.0. Another option, and one that is easier to write, is to count and record the number of bits that are used as 1s in the subnet mask. For example, in the default subnet mask for Class C, there are 24 bits designated as 1. So, to use the second format, list the IP address followed by a slash and the number of bits masked, such as this: 192.168.10.1/24.
Subnetting Example
In the event that you need to split a network into more than one range, such as having different buildings or floors, you will need to subdivide the network. The following example will step you through the process of splitting a network and creating the subnet mask necessary to support the resulting subnetworks. Let's say you have been assigned the 10.0.0.0 network with the 255.0.0.0 subnet mask, and need to break this up into 12 network ranges to support, for example, the 12 major departments in your corporate building. Here's what you should do:
1. Determine how many bits, in binary, it takes to make up the number of subnetworks you need to create. In binary, 12 is 1100, so you will need 4 bits.
2. Take 4 bits from the host side of the subnet mask and AND them to the network side, effectively changing your subnet mask from 255.0.0.0 to 255.240.0.0. As you know, the subnet mask tells you where the dividing line between network and host bits resides. You started with a network ID of 10.0.0.0 and subnet mask of 255.0.0.0, which in binary looks like this:
00001010.00000000.00000000.00000000 (IP address for network)
11111111.00000000.00000000.00000000 (subnet mask)
Your dividing line is at the end of the first octet (eight bits starting from the left). You have one big network with a network ID of 10.0.0.0, a range of usable addresses from 10.0.0.1 to 10.255.255.254, and a broadcast address of 10.255.255.255. The new, divided network looks like this:
00001010.0000 0000.00000000.00000000 (IP address for network)
11111111.1111 0000.00000000.00000000 (subnet mask)
Notice that the network/host dividing line is now in the middle of the second octet. All of your networks will have binary addresses that will look like this: 00001010.xxxx yyyy.yyyyyyyy.yyyyyyyy, where x represents one of the variable bits used to create your subnetworks and y represents a bit on the host side of the address.
3. Determine the subnetwork addresses by changing the value of the x bits. The first possible permutation is the 00001010.0000 network; the second is the 00001010.0001 network, and so forth. The following table lists all of the possible subnetwork addresses (notice the pattern?).
Subnetwork    Binary Address                          Decimal Address
First         00001010.0000 0000.00000000.00000000    10.0.0.0
Second        00001010.0001 0000.00000000.00000000    10.16.0.0
Third         00001010.0010 0000.00000000.00000000    10.32.0.0
Fourth        00001010.0011 0000.00000000.00000000    10.48.0.0
Fifth         00001010.0100 0000.00000000.00000000    10.64.0.0
Sixth         00001010.0101 0000.00000000.00000000    10.80.0.0
Seventh       00001010.0110 0000.00000000.00000000    10.96.0.0
Eighth        00001010.0111 0000.00000000.00000000    10.112.0.0
Ninth         00001010.1000 0000.00000000.00000000    10.128.0.0
Tenth         00001010.1001 0000.00000000.00000000    10.144.0.0
Eleventh      00001010.1010 0000.00000000.00000000    10.160.0.0
Twelfth       00001010.1011 0000.00000000.00000000    10.176.0.0
Thirteenth    00001010.1100 0000.00000000.00000000    10.192.0.0
Fourteenth    00001010.1101 0000.00000000.00000000    10.208.0.0
Fifteenth     00001010.1110 0000.00000000.00000000    10.224.0.0
Sixteenth     00001010.1111 0000.00000000.00000000    10.240.0.0
For the first network, the network ID is 10.0.0.0 with a subnet mask of 255.240.0.0. The first usable address is 10.0.0.1, and the last usable address is 10.15.255.254. The broadcast address is 10.15.255.255 (the next possible IP address would be 10.16.0.0, which is the network ID of the second network). The second network has an ID of 10.16.0.0, a usable range of 10.16.0.1 to 10.16.255.254, and a broadcast address of 10.16.255.255. Notice that you needed only 12 networks, but you have 16. That can happen, depending on the number of networks needed. For example, if you had needed 20 networks, you would have needed to move the network/host dividing line over 5 bits to the right (20 in binary is 10100, so 5 bits must be used). In that case, you would have had a subnet mask of 255.248.0.0 (instead of the 255.240.0.0 that you used for the first example), which would have given you 32 subnetworks, even though you needed only 20. Consider it room for corporate growth!
Note that any combination of addressing can be represented in different notations. For example, you may come across a resource that defines the IP address in decimal, and the subnet mask in hexadecimal. You must be able to quickly recognize the addressing as defined. Use the following task to test your ability to quickly perform these conversions.
TASK 2A-1
Layering and Address Conversions
1. Describe how layering is beneficial to the function of networking.
By using a layered model, network communications can be broken into smaller chunks. These smaller chunks can each have a specific purpose, or function, and in the event an error happens in one chunk, it is possible that only that error be addressed, instead of starting over from scratch.
2. If you have an IP address of 192.168.10.1 and a subnet mask of FF-FF-00-00, to which IP network does your computer belong? Provide both decimal and Hex notations.
In decimal, the network address is 192.168.0.0; in Hex, the network address is C0-A8-00-00.
3. If you have an IP address of C0-A8-0A-01 and a subnet mask of /16, to which IP network does your computer belong? Provide both decimal and Hex notations.
In decimal, the network address is 192.168.0.0; in Hex, the network address is C0-A8-00-00.
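The octet conversions, the class rules from the first-octet bits, and the answers to Task 2A-1 questions 2 and 3, as an added Python example that is not part of the course materials: it accepts an address or mask in dotted decimal, dash-separated hex, or /prefix notation, computes the network in both notations, and reports the address class. The function names and the dash-separated hex rendering are this example's own choices.

```python
import ipaddress
import re

# Added example, not the course's own code. Dotted text is read as decimal;
# undotted text (with or without dashes or a 0x prefix) is read as hex.
_HEX_RE = re.compile(
    r"^(?:0x)?([0-9A-Fa-f]{2})-?([0-9A-Fa-f]{2})-?([0-9A-Fa-f]{2})-?([0-9A-Fa-f]{2})$"
)


def parse_ipv4(text):
    """Return the 32-bit integer for '192.168.10.1', 'C0-A8-0A-01' or 'C0A80A01'."""
    text = text.strip()
    m = _HEX_RE.match(text)
    if m:
        return int("".join(m.groups()), 16)
    return int(ipaddress.IPv4Address(text))


def parse_mask(text):
    """Return the mask as a 32-bit integer from '/24', '255.255.0.0' or 'FF-FF-00-00'."""
    text = text.strip()
    if text.startswith("/"):
        bits = int(text[1:])
        if not 0 <= bits <= 32:
            raise ValueError("prefix length out of range")
        return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    mask = parse_ipv4(text)
    # A valid mask is a run of 1s followed by a run of 0s: its complement
    # must then be of the form 2**k - 1.
    inverted = (~mask) & 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError("non-contiguous subnet mask")
    return mask


def to_dotted(value):
    """Dotted decimal, e.g. 192.168.0.0."""
    return str(ipaddress.IPv4Address(value))


def to_hex(value):
    """Dash-separated hex as written in the task, e.g. C0-A8-00-00."""
    return "-".join(f"{(value >> shift) & 0xFF:02X}" for shift in (24, 16, 8, 0))


def to_binary(value):
    """Dotted binary, one octet per group, e.g. 11000000.10101000.00001010.00000001."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def address_class(value):
    """Classful category from the leading bits of the first octet (0, 10, 110, 1110, 11110)."""
    first = value >> 24
    if first & 0x80 == 0:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"
    return "E"


def network_of(address_text, mask_text):
    """Which network does this address/mask pair belong to, in both notations?"""
    addr = parse_ipv4(address_text)
    mask = parse_mask(mask_text)
    net = addr & mask
    return {
        "decimal": to_dotted(net),
        "hex": to_hex(net),
        "prefix": bin(mask).count("1"),
        "class": address_class(addr),
    }


if __name__ == "__main__":
    for addr, mask in (("192.168.10.1", "FF-FF-00-00"), ("C0-A8-0A-01", "/16")):
        r = network_of(addr, mask)
        print(f"{addr} {mask} -> {r['decimal']}/{r['prefix']} ({r['hex']}), class {r['class']}")
```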
Routing
You will get into routing in more detail later, but at this stage, you will address the basics. Being familiar with a network and how one host will communicate with another host within the same network, what do you think will happen if a host needs to send information to a host that is not in its network? This is exactly the situation where routing is needed. You need to route that information from your network to the receiving host's network. Of course, the device that makes this possible is the router. The first router you will encounter on your way out of your network is the default gateway. This is the device that your computer will send all traffic to, once it determines that the destination host is not local (on the same network as itself). After the default gateway gets a packet of information destined for host User1 on network X, it looks at its routing table (think of this as a sort of directory, telling the router that traffic destined for networks C, G, F, and X should go out interface 1, traffic destined for networks E, A, B, and R should go out interface 2, and so forth), then the router forwards the packet out through interface 1. The destination network may or may not be attached to interface 1; the router doesn't really care at this point; it just forwards the packet on according to the information in its routing table. This process
router: An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the Network Layer.
repeats from one router to the next until the packet finally reaches the router that is attached to the same network as the destination host. When the packet reaches this router, which is usually also the destination host's default gateway, it is sent out on the network as a unicast directed to the destination host User1.
Binary Address                          Decimal Address
00001010.0011000 0.00000000.00000000    10.48.0.0
00001010.0011001 0.00000000.00000000    10.50.0.0
00001010.0011010 0.00000000.00000000    10.52.0.0
00001010.0011011 0.00000000.00000000    10.54.0.0
00001010.0011100 0.00000000.00000000    10.56.0.0
00001010.0011101 0.00000000.00000000    10.58.0.0
00001010.0011110 0.00000000.00000000    10.60.0.0
00001010.0011111 0.00000000.00000000    10.62.0.0
For the first network, the network ID is 10.48.0.0, the usable addresses are 10.48.0.1 to 10.49.255.254, and the broadcast address is 10.49.255.255; for the second, the network ID is 10.50.0.0, the usable addresses are 10.50.0.1 to 10.51.255.254, and the broadcast address is 10.51.255.255, and so forth. Did you notice that you have eight possible networks when you needed only five? Again, you can consider it just having more room for expansion.
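The 12-department split of 10.0.0.0 worked earlier and the five-network split shown in the table above, as an added Python example (not the course's own code) that generalises the procedure to any base network and subnetwork count: it borrows the required host bits, lists every resulting subnetwork with its usable range and broadcast, and renders the binary form with the text's network/host divider. The base of the second table is assumed to be 10.48.0.0/12, the fourth subnetwork of the first example.

```python
import ipaddress

# Added example, not the course's own code.


def bits_needed(subnet_count):
    """Host bits to borrow so that 2**bits >= subnet_count (12 -> 4, 20 -> 5, 5 -> 3).
    The text counts the bits of the count itself (12 = 1100); counting the bits of
    count - 1 gives the same answer except at exact powers of two, where one fewer
    bit already suffices."""
    if subnet_count < 1:
        raise ValueError("need at least one subnetwork")
    return (subnet_count - 1).bit_length()


def binary_with_divider(address, prefixlen):
    """Dotted binary with a space at the network/host boundary, as the text draws it."""
    bits = f"{int(address):032b}"
    groups = []
    for octet in range(4):
        start = octet * 8
        chunk = bits[start:start + 8]
        if start < prefixlen < start + 8:  # boundary falls inside this octet
            cut = prefixlen - start
            chunk = chunk[:cut] + " " + chunk[cut:]
        groups.append(chunk)
    return ".".join(groups)


def plan_subnets(base, subnet_count):
    """Split `base` (e.g. '10.0.0.0/8') into at least `subnet_count` equal subnetworks.
    Returns the new mask and, for each subnetwork, its ID, usable range and broadcast."""
    base_net = ipaddress.ip_network(base, strict=True)
    borrow = bits_needed(subnet_count)
    new_prefix = base_net.prefixlen + borrow
    if new_prefix > 30:  # /31 and /32 leave no usable host addresses
        raise ValueError("not enough host bits to borrow")
    subnets = list(base_net.subnets(prefixlen_diff=borrow))
    return {
        "bits_borrowed": borrow,
        "prefixlen": new_prefix,
        "mask": str(subnets[0].netmask),
        "subnets": [
            {
                "network": str(net.network_address),
                "first_usable": str(net.network_address + 1),
                "last_usable": str(net.broadcast_address - 1),
                "broadcast": str(net.broadcast_address),
                "binary": binary_with_divider(net.network_address, new_prefix),
            }
            for net in subnets
        ],
    }


if __name__ == "__main__":
    for base, count in (("10.0.0.0/8", 12), ("10.48.0.0/12", 5)):
        plan = plan_subnets(base, count)
        print(f"{base} into {count}: borrow {plan['bits_borrowed']} bits, "
              f"mask {plan['mask']}, {len(plan['subnets'])} subnetworks")
        for s in plan["subnets"]:
            print(f"  {s['binary']}  {s['network']:<12} {s['first_usable']}-{s['last_usable']}"
                  f"  bcast {s['broadcast']}")
```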
X-casting
When a packet is sent from one host to another, the process of routing functions and the packet is sent as defined. However, the process is different if one host is trying to reach more than one destination, or if one message is to be received by every other host in the network. These types of communication are referred to as broadcasting, multicasting, and unicasting.
Unicast is a term that was created after multicasting and broadcasting were already defined. A unicast is a directed communication between a single transmitter and a single receiver. This is how most communication between two hosts happens, with Host A specifically communicating with Host B.
A broadcast is a communication that is sent out from a single transmitting host and is destined for all possible receivers on a segment (generally, everyone in the network, since the routers that direct traffic from one network to another are generally used to stop broadcasts, thereby creating broadcast domain boundaries). Broadcasting can be done for many reasons, such as locating another host. For a MAC broadcast, the broadcast address used is FF:FF:FF:FF:FF:FF. For an IP broadcast, the address used is based on the network settings. For example, if you are on network 192.168.10.0/24, the broadcast address is 192.168.10.255.
A multicast is a communication that is sent out to a group of receivers on the network. Multicasting is often implemented as a means for directing traffic from the presenter of a video conference to the audience. In comparison to the broadcast, which all receivers on the segment will receive, those who wish to receive a multicast must join a group to do so. Group membership is often very dynamic and controlled by a user or an application. Currently, Class D addresses are used for multicasting purposes. Remember, Class D has IP addresses in the range of 224.0.0.0 to 239.255.255.255.
TASK 2A-2
Routers and Subnetting
1. You are using a host that has an IP address of 192.168.10.23 and a subnet mask of 255.255.255.0. You are trying to reach a host with the IP address 192.168.11.23. Will you need to go through a router? Explain your response.
Yes, you will need to go through a router. Your subnet mask defines you as belonging to network 192.168.10.0, and the remote host you are trying to reach does not belong to your network.
2. Boot your computer to Windows Server 2003, and log on as Administrator, with a blank (null) password.
3. Choose Start→Settings→Network Connections. Right-click the network interface and choose Properties.
4. Select Internet Protocol (TCP/IP) and click Properties.
5. Click the Advanced button, and verify that the IP Settings tab is displayed. Under Default Gateways, record the IP address here: For the LEFT side of the classroom, the Default Gateway is 172.16.0.1. For the RIGHT side, it is 172.18.0.1.
Be prepared to diagram or otherwise explain the classroom setup.
6. Select the Default Gateway IP address you just recorded, and click Remove. Click OK twice and click Close twice.
7. Open a command prompt and ping an address that is not on your local network. For instance, if you are on the LEFT side of the classroom, you could ping an address in the 172.18.10.0 network, and if you are on the RIGHT side of the classroom, you could ping an address in the 172.16.10.0 network.
8. Observe the message you receive. The text Destination Host unreachable is displayed. Your computer knows that the ping packet is supposed to go to a computer that is outside your local network, but it does not know how to get it there.
9. Switch to the Network Connections Control Panel and display the properties of the network interface.
10. Select Internet Protocol (TCP/IP), click Properties, and then click Advanced. On the IP Settings tab, click the Add button found in the Default Gateway area.
11. In the TCP/IP Gateway Address box, enter the IP address you recorded earlier in the task and click Add. Click OK twice and click Close twice.
12. Switch back to the command prompt and try to ping the remote address again.
13. Observe the message you receive. This time, as long as the other computer's default gateway is correctly configured, you should be successful in pinging the remote computer. This is because your computer now knows to send traffic to the router if that traffic is destined for another network. (How the routers know where to send the traffic is covered later in the course.) Contact your instructor if your ping attempt is not successful.
14. Close all open windows.
Students must be able to ping all computers within the classroom for the remaining tasks to work properly. If any students are not successful in the second ping attempt, help them troubleshoot the issue.
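The forwarding decision the task exercises (direct delivery when the destination is local, the default gateway otherwise, and "Destination host unreachable" when no gateway is configured), together with the routing-table lookup described under Routing, as an added Python example that is not from the course. The router's networks and interface names are constructed for illustration, as is the 172.16.0.50/16 host used with the classroom's LEFT-side gateway.

```python
import ipaddress

# Added example, not the course's own code.


def lookup(destination, routing_table):
    """Longest-prefix match: the most specific route containing `destination` wins.
    routing_table is a list of (network_cidr, via). Returns via, or None when no
    route applies (a router would then drop the packet and a host reports it
    unreachable)."""
    dest = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for cidr, via in routing_table:
        net = ipaddress.ip_network(cidr)
        if dest in net and net.prefixlen > best_len:
            best, best_len = via, net.prefixlen
    return best


def host_forwarding(host_ip, mask, destination, default_gateway=None):
    """What the lab host does in Task 2A-2: ANDing its own address with the mask
    gives its network; a destination inside it is delivered directly, anything
    else goes to the default gateway, and with no gateway the ping fails."""
    local_net = ipaddress.ip_interface(f"{host_ip}/{mask}").network
    table = [(str(local_net), "direct")]
    if default_gateway:
        table.append(("0.0.0.0/0", default_gateway))  # the catch-all route
    via = lookup(destination, table)
    return via if via is not None else "Destination host unreachable"


# Constructed router table in the spirit of the "directory" in the text:
# the /24 overlaps the /16 so the longest-prefix rule is visible.
ROUTER_TABLE = [
    ("172.16.0.0/16", "interface 1"),
    ("172.18.0.0/16", "interface 2"),
    ("172.18.10.0/24", "interface 3"),
]

if __name__ == "__main__":
    print(host_forwarding("192.168.10.23", "255.255.255.0", "192.168.10.50"))
    print(host_forwarding("192.168.10.23", "255.255.255.0", "192.168.11.23"))
    print(host_forwarding("172.16.0.50", "255.255.0.0", "172.18.10.5", "172.16.0.1"))
    for dest in ("172.18.10.7", "172.18.200.1", "10.1.1.1"):
        print(dest, "->", lookup(dest, ROUTER_TABLE))
```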
Topic 2B
Analyzing the Three-way Handshake
Although a great deal of emphasis is given to IP due to the addressing and masking issues, TCP deserves equal attention from the security professional. In addition to TCP, the other protocol that functions as a transport protocol is UDP. This topic will concentrate on TCP; however, a brief discussion on UDP is warranted. The following table provides a brief comparison of the two protocols.
Comparing TCP and UDP
TCP                       UDP
Connection-oriented       Connectionless
Slower communications     Faster communications
Considered reliable       Considered unreliable
Transport Layer           Transport Layer
security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.
TCP provides a connection-oriented means of communication, whereas UDP provides connectionless communication. The connection-oriented function of TCP means it can ensure reliable transmission, and can recover if transmission errors occur. The connectionless function of UDP means that packets are sent with the understanding they will make it to the other host, with no means of ensuring the reliability of the transmission. UDP is considered faster because less work is done between the two hosts that are communicating. Host 1 simply sends a packet to the address of host 2. There is nothing built into UDP to provide for host 1 checking to see if host 2 received the packet, or for host 2 sending a message back to host 1, acknowledging receipt. TCP provides the functions of connection-oriented communication by using features such as the three-way handshake, acknowledgements, and sequence numbers. In addition to these features, a significant part of TCP is the use of control flags. There are six TCP control flags in a TCP header, each with a specific meaning.
TCP Flags
The TCP flags are: SYN, ACK, FIN, RESET, PUSH, and URGENT. These flags may also be identified as S, ack, F, R, P, and urg. Each of these flags occupies the space of one bit in the header, and if they are assigned a value of 1, they are considered on. The function of each flag is identified as follows:
The SYN, or S, flag represents the first part of establishing a connection. The synchronizing of communication will generally be in the first packet of communication.
The ACK, or ack, flag represents acknowledgement of receipt of data from the sending host. This is sent during the second part of establishing a connection, in response to the sending host's SYN request.
The FIN, or F, flag represents the sender's intention of terminating the communication in what is known as a graceful manner.
The RESET, or R, flag represents the sender's intention to reset the communication.
The PUSH, or P, flag is used when the sending host requires data to be pushed directly to the receiving application, rather than filling a buffer.
The URGENT, or urg, flag represents that this data should take precedence over other data transmissions.
Sequence Numbers
The sequence number is found in the TCP header of each TCP packet and is a 32-bit value. These numbers allow the two hosts a common ground for communication, and allow for the hosts to identify packets sent and received. If a large web page requires several TCP packets for transmission, sequence numbers are used by the receiving host to reassemble the packets in the proper order and provide the full web page for viewing. When a host sends the request to initiate a new connection, an Initial Sequence Number (ISN) must be chosen. There are different algorithms by different vendors for the choosing of an ISN; however, RFC 793 states that the ISN is to be a 32-bit number that increments by one every 4 microseconds.
Acknowledgement Numbers
The acknowledgement number is also found in the TCP header of each TCP packet, and is also a 32-bit value. These numbers allow the two hosts to be given a receipt of data delivery. An acknowledgement number is in the packet header in response to a sequence number in the sending packet. In the event that the sending host does not receive an acknowledgement for a transmitted packet in the dened timeframe, the sender will retransmit the packet. This is how TCP provides reliable delivery. If a packet seems to have been lost, the sender will retransmit it.
Connections
All communication in TCP/IP is done with connections between two hosts. Each connection is opened (or established), data is sent, and the connection is closed (or torn down). These connections have very specic rules they must follow. There are two different states of the open portion of this process: Passive Open and Active Open. Passive Open is when a running application tells TCP that it is ready to receive inbound requests via TCP. The application is assuming inbound requests are coming, and is prepared to serve those requests. This is also known as the listening state, as the application is listening for requests to communicate. Active Open is when a running application tells TCP to start a communication session with a remote host (which is in Passive Open state). It is possible for two hosts in Active Open to begin communication. It is not a requirement that the remote host be in Passive Open, but that is the most common scenario.
Connection Establishment
In order for the sequence and acknowledgement numbers to have any function, a session between the two hosts must be established. This connection establishment is called the three-way handshake. The three-way handshake involves three distinct steps, which are detailed as follows (please refer to Figure 2-5 when reading this section):
1. Host A sends a segment to Host C with the following:
   SYN = 1 (The session is being synchronized.)
   ACK = 0 (There is no value in the ACK field, so this flag is a 0.)
   Sequence Number = x, where x is a variable. (x is Host A's ISN.)
   Acknowledgement Number = 0
2. Host C receives Host A's segment and responds to Host A with the following:
   SYN = 1 (The session is still being synchronized.)
   ACK = 1 (The acknowledgement flag is now set, as there is an ack value in this segment.)
   Sequence Number = y, where y is a variable. (y is Host C's ISN.)
   Acknowledgement Number = x + 1 (The sequence number from Host A, plus 1.)
3. Host A receives Host C's segment and responds to Host C with the following:
   SYN = 0 (The session is synchronized with this segment; further requests are not needed.)
   ACK = 1 (The ack flag is set in response to the SYN from the previous segment.)
   Sequence Number = x + 1 (This is the next sequence number in the series.)
   Acknowledgement Number = y + 1 (The sequence number from Host C, plus 1.)
At this point, the hosts are synchronized and the session is established in both directions, with data transfer to follow.
48 Tactical Perimeter Defense
Connection Termination
In addition to the specific steps that are involved in the establishment of a session between two hosts, there are equally specific steps in the termination of the session. There are two methods of ending a session using TCP. One is considered graceful, and the other non-graceful. A graceful shutdown happens when one host sends a message (using the FIN flag) to the other, stating it is time to end the session; the other acknowledges; and they both end the session. A non-graceful shutdown happens when one host simply sends a message (using the RESET flag) to the other, indicating the communication has stopped, with no acknowledgements and no further messages sent. In this section, we will investigate the details of the standard graceful termination. As you saw earlier, it requires three segments to establish a TCP session between two hosts. The other side of the session, the graceful termination, requires four segments. Four segments are required because TCP is a full-duplex communication protocol (meaning data can be flowing in both directions independently). As per the specifications of TCP, either end of a communication can end the session by sending a FIN, which has a sequence number just as a SYN has a sequence number. Similar to the Active and Passive Opens mentioned earlier, there are also Active and Passive Closes. The host that begins the termination sequence, by sending the first FIN, is the host performing the Active Close. The host that receives the first FIN is the host performing the Passive Close. The graceful teardown of a session is detailed as follows (please refer to Figure 2-6 when reading this section):
1. Host A initiates the session termination to Host C with the following:
   FIN = 1 (The session is being terminated.)
   ACK = 1 (There is an ack number, based on current communication.)
   Sequence Number (FIN number) = s (s is a variable based on the current communication.)
   Acknowledgement Number = p (p is a variable based on the current communication.)
2. Host C receives Host A's segment and replies with the following:
   FIN = 0 (This segment is not requesting closure of the session.)
   ACK = 1 (This segment does contain an ack number.)
   Sequence Number = Not Present (As there is no FIN, there is no sequence number required.)
Lesson 2: Advanced TCP/IP 49
   Acknowledgement Number = s + 1 (This is the response to Host A's FIN.)
3. Host C initiates the session termination in the opposite direction with the following:
   FIN = 1 (The session is being terminated.)
   ACK = 1 (There is an ack number.)
   Sequence Number = p (p is a variable based on the current communication.)
   Acknowledgement Number = s + 1 (This is the same as in the previous segment.)
4. Host A receives the segments from Host C and replies with the following:
   FIN = 0 (This segment does not request a termination; there is no FIN.)
   ACK = 1 (This segment does contain an ack number.)
   Sequence Number = Not Present
   Acknowledgement Number = p + 1 (This is Host C's sequence number, plus 1.)
At this point the session has been terminated. Communication in both directions has had a FIN requested and an acknowledgement to the FIN, closing the session.
Ports
You have been introduced to the fact that IP deals with addressing and the sending/receiving of data between two hosts, and you have been introduced to the fact that TCP can be selected to provide reliable delivery of data. However, if a client sends a request to a server that is running many services, such as WWW, NNTP, SMTP, and FTP, how does the server know which application is supposed to receive the request? The answer is by specifying ports.
Port numbers are located in the TCP or UDP header, and they are 16-bit values, ranging from 0 to 65535. Port numbers can be assigned to specific functions or applications. Ports can also be left open for dynamic use by two hosts during communication. There are ranges of ports for each function. There are three main categories of ports: well-known, registered, and dynamic. The well-known ports (also called reserved ports by some) are those in the range of 0 to 1023. These port numbers are assigned to specific applications and need to remain constant for the primary services of the Internet to continue to provide the flexibility and usefulness they do today. For example, the WWW service is port 80, the Telnet service is port 23, the SMTP service is port 25, and so on. The well-known port list is maintained by the Internet Assigned Numbers Authority (IANA), and can be found here: www.iana.org/assignments/port-numbers. Registered ports are those in the range of 1024 to 49151. These port numbers can be registered to a specific function, but are not defined or controlled by a governing body, so multiple functions could end up using the same port. Dynamic ports (also called private ports) are those from 49152 to 65535. Any user of the Internet can use dynamic ports.
When a client connects to a server and requests a resource, that client also requires a port. The client ports (also called ephemeral ports by some) are used by a client during one specific connection; each subsequent connection will use a different port number. These ports are not assigned to any default service, and are usually a number greater than 1023. There is no defined range for client ports; they can cover the numbers of both the registered and dynamic port ranges. When a client begins a session by requesting a service from a server, such as the WWW service on port 80, the client uses an ephemeral port on the client side. This enables the server to respond to the client. Data is then exchanged between the two hosts using the port numbers established for that session: 80 on the server side, and a dynamic number greater than 1023 on the client side. The combination of the IP address and port is often referred to as a socket, and the two hosts together are using a socket pair to communicate for this session. The following table lists some of the well-known ports and their associated services.

Some Well-known Ports and their Services

Port         Service
23           Telnet
80           HTTP (Standard web pages)
443          Secure HTTP (Secure web pages)
20 and 21    FTP (Data and control)
53           DNS
25           SMTP
119          NNTP
In addition to known valid services, such as those listed previously, there are many Trojan Horse programs that use specific ports (although the port can usually be changed).
Trojan Horse: An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.
Network Monitor
There is a very valuable tool available with Windows called Network Monitor. This tool allows for full packet capture and lets the analyst (you) peer into the packets' contents, examining both the payload, or data, and the headers, in detail. You can see any flags that are set, the defined sequence and acknowledgement numbers, packet size, and more. The following is a discussion on the use of Network Monitor, provided as background so that you can perform the tasks in this lesson. Some of the things you can do with Network Monitor are:
   Monitor real-time network traffic.
   Analyze network traffic.
   Filter specific protocols to capture.
In this lesson, you will be focusing on the capture and analysis of IP packets, and on the details of the protocol suite.
Figure 2-7: The default view of Network Monitor, showing the various panes. In Figure 2-7, you can see the default view of Network Monitor. In this view, the screen is split into several sections. The top bar is the standard menu bar found in Microsoft programs. The basic functions on the toolbar that you will use in this lesson are contained in the File and Capture menus. The File menu contains three commands: Open, Save As, and Exit. Choose Open to open a previously saved Network Monitor capture. Choose Save As to save a Network Monitor capture. Choose Exit to exit.
The Capture menu has more commands: Start, Stop, Stop And View, Pause, and Continue. The Start, Pause, and Continue commands are self-explanatory. The difference between Stop and Stop And View is that the Stop command ends the capture. The Stop And View command ends the capture and switches Network Monitor to its next mode, Display View.
The other sections of the Capture View are panes (windows in a window) called Graph, Session Stats, Station Stats, and Total Stats. The Graph pane provides five bars that measure percentages of pre-defined metrics. The top graph indicates the percentage (%) of network utilization, meaning how much the network is being used. The second graph indicates the number of frames per second, meaning frames transmitted per second over the network. The third graph indicates the number of bytes per second that are transmitted over the network.
The fourth graph indicates the number of broadcasts per second that are transmitted over the network. The fifth graph indicates the number of multicasts per second that are transmitted over the network. While a capture is running, these graphs work in real time, providing current data.
The next pane is the Session Stats pane. In this pane, you can see the sessions that are taking place during the capture. Following the Session Stats is the Station Stats pane. In this pane, you can see statistics per interface on the host, per broadcast, per multicast, and more. The final pane in this view is the Total Stats pane. The Total Stats pane is subdivided into sections: Network Statistics, Captured Statistics, Per Second Statistics, Network Card (MAC) Statistics, and Network Card (MAC) Error Statistics. From this pane, you can identify frames, broadcasts, multicasts, network utilization, errors, and more, all in real time during the capture.
Displaying Captures
After you have captured network traffic, you can begin your analysis, which requires a different view of Network Monitor. You will need to use the Display View. You can switch to the Display View either by using the Capture→Stop And View command or by using the Display Captured Data command after a capture session has been stopped.
Figure 2-8: The Summary View of Network Monitor. When you first open the Summary View, as shown in Figure 2-8, you will see a timeline of packets captured. By double-clicking any packet that was captured, you can look into its details and bring up the next view of Network Monitor. Once you have selected a packet, Network Monitor displays three panes for presenting information to you.
Figure 2-9: The details of a packet in Network Monitor. The top pane shown in Figure 2-9 is the Summary pane. This pane provides the basic details of a packet, such as:
   Frame number
   Time the packet was captured
   Destination and source MAC addresses
   Protocol used
   Destination and source IP addresses
The middle pane shown in Figure 2-9 is the Detail pane. This pane provides the actual details of the protocol for the selected packet. Any line that has a plus sign next to it can be expanded for further detail. The bottom pane in Figure 2-9 is the Hex pane. This pane provides the actual hex values of the raw data that each frame consists of. When you select something in the Detail pane, it is highlighted in the Hex pane for comparison. Also, in this pane, the ASCII characters are visible. In the event that cleartext is captured, this is where it will be readable.
To create or use filters, choose Capture→Filter. Using filters not only makes it easier for you, as an analyst, to find what you are looking for, but also keeps the buffer that stores the capture from being filled with useless information.
Figure 2-10: Network Monitor's Capture Filter dialog box. Figure 2-11 shows the Display Filter dialog box.
When using filtering, you will likely use either protocol or address filtering. With protocol filtering, you identify a specific protocol to work with. With address filtering, you define the specific address to filter on. Filters can be implemented in different directions: traffic into this host, outbound from this host, or in both directions. These options are implemented by selecting the appropriate arrow (one of these three: --->, ---<, or <-->) for the function you want to perform.
TASK 2B-1
Using Network Monitor
1. Open a command prompt, and enter ipconfig /all. If you are on the LEFT side of the classroom, your IP addresses will be 172.16.10.x. If you are on the RIGHT side of the classroom, your IP addresses will be 172.18.10.x.
2. Record the MAC and IP address for the network card in your computer.
   MAC address: ______________ (Each card will have a unique MAC address.)
   IP address: ______________ (Each card will have a unique IP address.)
3. Close the Command Prompt window.
4. Open Network Monitor. (From the Start menu, choose All Programs→Administrative Tools→Network Monitor.)
5. If you see the Microsoft Network Monitor message box, click OK to display the Select A Network dialog box. Expand the + sign next to Local Computer, select the interface with the MAC address associated with the network interface you recorded in Step 2, and click OK.
6. From the Capture menu, choose Start, or press F10 to start a capture.
7. If you are on the LEFT side of the classroom, ping the IP address 172.16.0.1. If you are on the RIGHT side of the classroom, ping the IP address 172.18.0.1. This will create network traffic for you to capture.
8. Wait for 20 to 30 seconds. As you wait, watch the real-time statistics change in the Network Monitor Capture window.
9. Choose Capture→Stop And View. You should now see the Display View, including the timeline of the packets captured.
10. Double-click any packet to change to the Detail View.
11. Observe the structure of the three panes in this view, and expand any + signs displayed in the middle pane.
12. From the Display menu, choose Filter.
13. Highlight Protocol==Any, and click the Edit Expression button.
14. With the Protocol tab selected, click the Disable All button.
15. Scroll down to ICMP, select ICMP, and click the Enable button. The Expression field at the top of the dialog box should now display Protocol == ICMP. Click OK.
16. Click OK to implement this filter on your capture.
17. Observe that only ICMP frames are visible in your window now.
18. From the File menu, choose Save As, and save the capture as First_Capture.cap in the default location.
19. Close Network Monitor.
Wireshark
Another product you can use to capture data is called Wireshark. (Wireshark was formerly known as Ethereal; the name change took place in 2006.) With Wireshark, data can be captured off the wire or read from a capture file. Data can also be saved to a file format that Microsoft Network Monitor can understand. Wireshark supports analysis of over 750 Data Link, Network, Transport, and Application layer protocols. Wireshark can be downloaded from www.wireshark.org. To perform promiscuous mode captures on a Windows machine, you have to first download and install the latest stable version of WinPcap; do not install any alpha or beta versions. WinPcap is the Windows equivalent of libpcap (LIBrary for Packet CAPtures) for Linux. It can be obtained from www.winpcap.org. In fact, you will use WinPcap later in the course, along with other tools such as windump, tcpdump, nmap, and snort.
promiscuous mode: Normally an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.
TASK 2B-2
Installing and Starting Wireshark
1. Choose Start→My Computer.
2. Open C:\Tools\Lesson2. Note: If you do not have a C:\Tools folder, please review the tools section of the Setup Guide.
3. Double-click the WinPcap_4_0.exe file.
4. In the WinPcap_4_0.exe Installer Welcome screen, click Next.
5. In the WinPcap 4.0 Setup Wizard screen, click Next.
6. Read the License Agreement, and click I Agree.
7. To close the WinPcap install wizard, click Finish.
8. Double-click the Wireshark_setup-0.99.5.exe file.
9. In the Wireshark Setup Wizard Welcome screen, click Next.
10. Read the License Agreement, and click I Agree.
11. Accept the Default Components (do not make any changes), and click Next.
12. Accept the Default Additional Tasks (do not make any changes), and click Next.
13. Accept the Default Destination Folder, and click Next.
14. You have already installed WinPcap, so do not check any boxes on the WinPcap screen, and click Install.
15. In the Installation Complete screen, click Next.
16. In the Completing The Wireshark 0.99.5 Setup Wizard screen, check the Run Wireshark 0.99.5 check box and click Finish.
17. Leave Wireshark open for the following tasks.
Wireshark Overview
When you first start Wireshark (formerly called Ethereal), you will see a GUI with three panes. The top pane lists the captured frames in sequence. When you highlight a frame, the middle pane provides protocol layer information about that frame, and the bottom pane shows the details of the frame in both Hex and ASCII values.
At the top of the GUI there is a menu bar, with File, Edit, View, Go, Capture, Analyze, Statistics, and Help. Just above the top pane is a Filter button, a drop-down menu, an Expression button, a Clear button, and an Apply button. These buttons allow you to filter through the captured data, which, as you will see, is a very important feature. When you wish to start a capture in Wireshark, you have several options. You can go to the Capture drop-down menu and select Start, or you can simply press the third icon from the right in the icons listed just below the main menu bar. However, as this is the first time you are running Wireshark, you must define some options. A quick way to the option screen is to press the Ctrl+K combination. When you do so, you will see a window that has many options, where you can make some specific selections, including the following:
   The interface to capture packets from.
   The limit to the number of packets to capture (if any).
   Whether you wish to capture packets in promiscuous mode or not.
   Any filters you wish to use.
   The file name for the capture file.
   Whether you wish to view the packets onscreen in real time.
   Parameters to define when the capture should stop.
   Whether you wish to enable or disable name resolution at the Data Link, Network, and Transport layers.
Figure 2-13: Ethereal (Wireshark's) Capture Options dialog box.
Once you have selected your options and clicked OK, the capture will start on the selected network interface, and you will see a pop-up window informing you of the capture in progress. Wireshark will continue with the capture until you press the Stop button or an option you configured tells the capture to stop.
Figure 2-15: The many Save As options in Ethereal (Wireshark). After you stop a capture, you can view and analyze the data for your current use. When you are done and wish to save the file for future analysis, you have many options. Notice how many choices you have for saving a capture: you can save to Network Monitor's format if you want. (Conversely, Wireshark will read a capture saved by any of the protocol analyzers in the list.) When you are done with capture and analysis and want to close the program, choose File→Quit or press Ctrl+Q.
TASK 2B-3
Using Wireshark
Setup: Wireshark has been successfully installed and is running on your computer.
1. From the menu options, choose Capture→Options.
2. In the Interface drop-down list, select your local area network adapter.
3. Notice that when you select your adapter, directly below the word Interface, the program has listed your LAN address.
4. Make sure that the Capture Packets In Promiscuous Mode check box is checked.
5. Under Display Options, check the Update List Of Packets In Real Time check box.
6. Click the Start button and open a command prompt.
7. Ping your Default Gateway IP Address.
8. When the ping has completed, close the command prompt, return to Wireshark, and choose Capture→Stop.
9. Double-click any frame where your computer is the Source and the Destination is the Default Gateway IP Address you just pinged. The protocol will be listed as ICMP.
10. Expand and view the frame details.
11. Note that you can analyze data in a similar fashion as in Network Monitor.
12. Once you are done with this initial look at Wireshark, close the application.
13. Click the Continue Without Saving button.
TCP Connections
Earlier, you were introduced to the function and the process of control flags, the three-way handshake, and the session teardown. In this section, you are going to use Network Monitor to view the three-way handshake, packet by packet, and to view the teardown, packet by packet. Remember, the three-way handshake is used by two hosts when they are creating a session. The first host begins by sending out a packet with the SYN flag set, and no other flags. The second packet is a response with both the SYN and ACK flags set. The third part of the session establishment will have the ACK flag set.
TASK 2B-4
Analyzing the Three-way Handshake
1. Choose Start→Administrative Tools→Services.
2. Right-click Telnet and choose Properties.
3. In the Startup type drop-down menu, select Manual.
4. Click Apply.
5. Click the Start button.
6. Click OK.
7. Close the Services window.
8. Open Network Monitor, and start a capture.
9. At a command prompt: If you are on the LEFT side of the classroom, enter telnet 172.16.0.1. If you are on the RIGHT side of the classroom, enter telnet 172.18.0.1. Enter y; at the Login prompt, type anonymous and press Enter; and at the Password prompt, press Enter.
10. Press Enter repeatedly, or enter a bad password, until your connection to the host is lost. Your screen may resemble the following graphic.
   Minimize the command prompt window.
11. Switch back to Network Monitor, and choose Capture→Stop And View.
12. In the Summary pane, identify the frames that are involved in the three-way handshake.
13. Once you have identified the frames that are part of the three-way handshake, based on the discussion, look for the following:
   a. In the first frame, what are the SEQ number, ACK number, and flags?
   b. In the second frame, what are the SEQ number, ACK number, and flags?
   c. In the third frame, what are the SEQ number, ACK number, and flags?
14. Expand each of the three frames in the handshake, and examine them in greater detail in the Detail pane.
15. Using the Hex pane, identify the value for the flags that are set for each frame of the three-way handshake.
16. Leave Network Monitor open, along with this capture, for the next task.
TASK 2B-5
Analyzing the Session Teardown Process
Setup: Network Monitor is running, and the last capture you performed is displayed.
1. In the Summary pane, identify the frames that are involved in the session teardown.
2. Once you have identified the frames, examine them in greater detail in the Detail pane.
3. In each frame, identify at least the following:
   a. Flags that are set.
   b. Sequence number.
   c. Acknowledgement number.
4. Save the capture as TCP_Connections.cap and close the capture.
5. Minimize Network Monitor.
Topic 2C
Capturing and Identifying IP Datagrams
Along with TCP, the protocol you will spend the most time analyzing will be IP. This protocol is the one that does the most work of the entire TCP/IP suite. In Figure 2-16, you can see the actual format of the IP datagram. There are seven rows of information in the figure, with the critical rows being the first five. When a computer receives an IP datagram, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on.
To work with IP further, refer to RFC 791.
Figure 2-16: An IP datagram with all fields shown. Using Figure 2-16, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the IP header. Starting on Row One, on the left side is a field called Version. This is a 4-bit field that defines the version of IP that is currently running. Right now, this will likely be a value of 4, as that is the current industry standard, IPv4, or IP version 4. Some instances may be using IP version 6, or IPv6, which you will examine later in the course. Moving to the right of the Version is a field called Header Length (IHL). This is a 4-bit field that defines the number of 32-bit words in the header itself, including options. In most captures, this value will be 5, the normal value when no options are set. Continuing to the right of Header Length is a field called Type Of Service. This is an 8-bit field that defines the quality of service for this packet. Different applications may have different needs for available bandwidth, and Type Of Service is one way of addressing those needs. The last field on Row One is the field called Total Length. This is a 16-bit field that defines the length of the entire IP datagram in bytes. Starting on Row Two, on the left side is a field called Identification. This is a 16-bit field that identifies each datagram sent by the host. The standard for this field is for the identification value to increment by one for every datagram sent. Following the Identification field is a field called Flags. Not to be confused with the flags of TCP, which you have seen, this is a 3-bit field that is used in conjunction with fragmentation. The first of the three bits is to be set at 0,
as a default. The next bit is known as the DF bit, or Don't Fragment. The third bit is known as the MF bit, or More Fragments. The last field on Row Two is a field called Fragment Offset. This is a 13-bit field that is used to define where in the datagram this fragment belongs. (If there is fragmentation, the first fragment will have an offset of 0.) Starting on Row Three, on the left side, is a field called Time To Live. This is an 8-bit field that is used to define the maximum amount of time this datagram may be allowed to exist in the network. The TTL is set by the sender and is lowered by 1 for every router that the datagram crosses. If the TTL reaches 0, the packet is to be discarded. Moving to the right is a field called Protocol. This is an 8-bit field that is used to define the upper-layer protocol that is in use for this datagram. There are many unique protocol numbers, and if you wish to study all of the numbers, please refer to RFC 790. However, the following list identifies several important Protocol ID numbers:
   Protocol ID Number 1: ICMP
   Protocol ID Number 6: TCP
   Protocol ID Number 17: UDP
The final field on Row Three is a field called Header Checksum. This is a 16-bit field that is used to provide a check on the IP header only; this is not a checksum for any data following the header. This checksum provides integrity for the header itself. The Fourth Row is a single field, the Source IP Address. This field is a 32-bit value that identifies the IP address of the source host of this packet. The Fifth Row is also a single field, the Destination IP Address. This field is a 32-bit value that identifies the IP address of the destination host for this packet. The Sixth Row contains any options that may be present. This is a variable field, with no absolute fixed size for the options. Some of the options that may be in this field are those that are related to routing or timekeeping. If options are used, there will be padding added so this field equals 32 bits in size. The Seventh and final Row is the representation of the data. By this point, the header is complete and the data the user wishes to send or receive is stored in the packet.
TASK 2C-1
Capturing and Identifying IP Datagrams
Setup: You are logged on to Windows Server 2003 as Administrator. A command prompt and Network Monitor are running.
1. In Network Monitor, start a new capture, and leave the capture running.
2. Open a command prompt and enter ftp ip_address where ip_address is the address of a neighbor computer.
3. At this time, the connection will not be successful; type bye and close the command prompt.
4. Return to Network Monitor and choose Capture→Stop And View. Observe the Protocol column.
5. Apply a filter to show only TCP. For the specific steps, see Task 2B-1, step 12 through step 16. Click any of the frames and observe that the TCP control bits include FTP.
6. Examine the IP header, compared to the discussion. Look for the following:
   a. Version Number.
   b. Time To Live.
   c. Protocol ID.
   d. Source Address.
   e. Destination Address.
7. Once you are done examining the IP header, save the capture as IP_Header.cap and close the capture file.
Topic 2D
Capturing and Identifying ICMP Messages
When you are analyzing protocols, it should become immediately apparent that there are differences between ICMP and the other protocols discussed in this lesson. There is a similar concept in that the ICMP message is encapsulated in the IP datagram, just as you saw with TCP and UDP. In Figure 2-17, you can see the actual format of the ICMP message. There are only two rows of information shown in the figure.
To work with ICMP further, refer to RFC 792.
Using Figure 2-17, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze an ICMP message. Starting on Row One, on the left side, the first field is called Type. This is an 8-bit value that identifies the specific ICMP message. For example, a Type could be 3, which is a type of unreachable message. Following Type on Row One is a field called Code. This is an 8-bit value that works in conjunction with Type to define the specific details of the ICMP message. For example, using Type 3, the Code could be 1, which is destination host unreachable. Moving along on Row One, the final field is called Checksum. This is a 16-bit value that checks the integrity of the entire ICMP message. The Second Row has no fixed fields. Depending on the Type and Code of the ICMP message, this field may contain many things. One example of what may go in this field is the time stamping of messages.
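To make the field walk concrete for both the IP datagram (Topic 2C) and the ICMP message just described, here is an added Python example, not part of the lesson or of Network Monitor, that decodes a constructed echo-request packet row by row and verifies the IP header checksum (header only) and the ICMP checksum (entire message). The addresses, identification value and ping data are constructed for the example.

```python
"""Decode an IPv4 header (Figure 2-16) and the ICMP message it carries
(Figure 2-17), verifying both checksums. Added example, not from the lesson;
the packet is constructed here (an echo request from 172.16.10.5 to
172.16.0.1), not taken from a real capture."""
import struct

# Protocol ID numbers from RFC 790, as listed in the lesson
IP_PROTO_ICMP, IP_PROTO_TCP, IP_PROTO_UDP = 1, 6, 17


def ones_complement_checksum(data: bytes) -> int:
    """RFC 791/792 checksum: the 16-bit one's complement of the one's
    complement sum. Over data whose checksum field is zero it yields the
    checksum; over data with a correct checksum in place it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Read Rows One to Five of the IP datagram in order, as the receiving
    host does, and return the fields by name."""
    if len(pkt) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F   # IHL in 32-bit words, normally 5
    header_len = ihl * 4
    if version != 4 or ihl < 5 or header_len > len(pkt) or total_len > len(pkt):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version, "ihl": ihl, "tos": tos,
        "total_length": total_len, "identification": ident,
        "reserved_bit": flags_frag >> 15,        # first flag bit, must be 0
        "df": (flags_frag >> 14) & 1,            # Don't Fragment
        "mf": (flags_frag >> 13) & 1,            # More Fragments
        "fragment_offset": flags_frag & 0x1FFF,  # 13 bits
        "ttl": ttl, "protocol": proto, "header_checksum": hdr_csum,
        # the checksum covers the header only, so verify over the header only
        "header_checksum_ok": ones_complement_checksum(pkt[:header_len]) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options": pkt[20:header_len],
        "payload": pkt[header_len:total_len],
    }


def parse_icmp(msg: bytes) -> dict:
    """Row One of the ICMP message: Type, Code, Checksum. Row Two depends on
    Type and Code; the checksum covers the entire ICMP message."""
    if len(msg) < 4:
        raise ValueError("too short for an ICMP message")
    icmp_type, code, csum = struct.unpack("!BBH", msg[:4])
    return {"type": icmp_type, "code": code, "checksum": csum,
            "checksum_ok": ones_complement_checksum(msg) == 0,
            "rest": msg[4:]}


def decode(pkt: bytes) -> dict:
    """Decode the IP header and, for protocol 1, the encapsulated ICMP message."""
    ip = parse_ipv4_header(pkt)
    if ip["protocol"] == IP_PROTO_ICMP:
        ip["icmp"] = parse_icmp(ip["payload"])
    return ip


def build_sample_echo_request() -> bytes:
    """Constructed ICMP echo request (Type 8, Code 0) with DF set and TTL 128;
    both checksums are filled in the way a sending host would."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x0200, 1) + b"abcdefghijklmnop"
    icmp = icmp[:2] + struct.pack("!H", ones_complement_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0x4000,
                      128, IP_PROTO_ICMP, 0, bytes([172, 16, 10, 5]),
                      bytes([172, 16, 0, 1]))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]
    return hdr + icmp


if __name__ == "__main__":
    for name, value in decode(build_sample_echo_request()).items():
        print("%-20s %r" % (name, value))
```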
TASK 2D-1
Capturing and Identifying ICMP Messages
Setup: You are logged on to Windows Server 2003 as Administrator. A command prompt and Network Monitor are running.
1. Begin a new capture.
2. Switch to the command prompt, and ping a valid IP address of another host in your subnet. Wait for the ping to finish, and then minimize the command prompt.
3. In Network Monitor, stop and view the capture.
4. Scroll down the packets captured to identify ICMP messages, or create an ICMP filter.
5. Analyze the captured frames to identify the ping process between your computer and the host you pinged.
6. Compare the messages to the discussion, looking for the following:
   a. Source IP Address.
   b. Destination IP Address.
   c. Type.
   d. Code.
   e. Payload for ping.
7. Save this capture as Valid_Ping.cap and close it.
8. You are going to run another capture. Begin a new capture.
69
9.
Switch to the command prompt, ping a known invalid IP address for your network, wait for the ping to nish, and minimize the command prompt. For instance, if you were to ping the address 208.18.24.2, you should receive a message indicating that the request timed out. Or, if you are on the 172.16.10.0 network, you might try to ping the address 172.16.10. 201, as that address is unlikely to be in use on your network.
10. In Network Monitor, stop and view the capture. 11. Scroll down the packets captured to identify ICMP messages.
Based on your network environment, you may not receive these ICMP messages.
12. Analyze the captured frames, and compare them to the discussion, looking for the following: a. Source IP Address. b. c. d. Destination IP Address. Type. Code.
Topic 2E
Capturing and Identifying TCP Headers
When investigating TCP/IP, you will find that TCP data is encapsulated in the IP datagram. Since you have already looked into the IP datagram itself, at this stage you will examine TCP further. In Figure 2-18, you can see the actual format of the TCP header. There are seven rows of information in the figure, with the critical ones for this discussion being the first five. Just as with IP, when a computer receives the TCP header, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on.
To work with TCP further, refer to RFC 793.
Using Figure 2-18, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the TCP header. Starting on Row One, on the left side is a field called Source Port Number. This field is a 16-bit number that defines the upper-layer application that is using TCP on the source host. The second field on Row One is a field called Destination Port Number. This is a 16-bit field that defines the upper-layer application that is using TCP on the destination host. The combination of an IP address and a port number is often called a socket. A socket pair identifies both ends of a communication completely, by using the host IP address and port, and the destination IP address and port. Moving on to Row Two, the entire row is a single field called Sequence Number. This is a 32-bit value that identifies the unique sequence number of this packet. The sequence numbers are used to track communication and are part of the reason TCP is considered a connection-oriented protocol. In Row Three, you can see that the entire row is also a single field, called Acknowledgement Number. This is a 32-bit value that provides a response to a sequence number. Under normal operations, this value will be the value of the sequence number of the last packet received in this line of communication, plus 1. There will be a value in this field only if the ACK flag is turned on (flags are in the next row). Continuing on to Row Four, starting on the left side is a field called Offset (sometimes also called Header Length). This is a 4-bit value that defines the size of the TCP header. Because this is a 4-bit value, the limit on the size of the header is 60 bytes. If there are no options set, the size of the header is 20 bytes. Moving to the right is a field called Reserved. This is a 6-bit value that is always left at 0 for functioning hosts using TCP/IP. It is not used for any normal network traffic.
After the Reserved field are the six Control Flags. Each flag is only 1 bit, either on or off. There are six control flags, and they are listed as follows in the left-to-right order they occupy in the TCP header:
URG: If this is a 1, the Urgent flag is set.
ACK: If this is a 1, the Acknowledgement flag is set.
PSH: If this is a 1, the Push flag is set.
RST: If this is a 1, the Reset flag is set.
SYN: If this is a 1, the Synchronize flag is set.
FIN: If this is a 1, the Finish flag is set.
For a detailed discussion on the flags and their functions, please review that section earlier in this lesson. Following the Control Flags on Row Four is a field called Window Size. This is a 16-bit value that identifies the number of bytes, starting with the one defined in the Acknowledgement field, that the sender of this segment is willing to accept. Moving on to Row Five, on the left side, there is a field called TCP Checksum. This is a 16-bit value that is used to provide an integrity check of the TCP header and the TCP data. The value is calculated by the sender, then stored, and the receiver compares the value upon receipt. Following the TCP Checksum on Row Five is a field called Urgent Pointer. This is a 16-bit value that is used if the sender must send emergency information. The pointer points to the sequence number of the byte that follows the urgent data, and is only active if the URG flag has been set. The Sixth Row has only one field, called Options. This is a 32-bit value that is often used to define a maximum segment size (MSS). MSS is used so the sender can inform the receiver of the maximum segment size that the sender is going to receive on return communication. In the event that the options set do not take up all 32 bits, padding will be added to fill the field. The Seventh and final Row is the representation of the data. By this point, the header is complete and the data the user wants to send or receive is stored in the packet.
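An added example (not from the course text) that decodes the TCP header fields above in Python: ports, Sequence and Acknowledgement Numbers, the 4-bit Offset with its 20-to-60-byte limit, the six flags in header order, Window Size, Urgent Pointer and the MSS option with its padding. The sample segment is constructed to resemble a SYN from client port 2025 to port 21 with sequence number 2052360112, values taken from the FTP capture discussed later in this lesson; build_tcp, parse_tcp and expected_ack are my own names.

```python
"""Decode a TCP header (RFC 793 layout described above).

Added example, not part of the course text. The sample segment is
constructed to resemble frame 3 of this lesson's FTP capture: SYN from client
port 2025 to server port 21, sequence number 2052360112 (0x7A5487B0), plus an
MSS option so the header is longer than the 20-byte minimum.
"""
import struct

FLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")   # left-to-right bit order
FLAG_BITS = {name: 1 << (5 - i) for i, name in enumerate(FLAG_NAMES)}
# URG=0x20, ACK=0x10, PSH=0x08, RST=0x04, SYN=0x02, FIN=0x01


def build_tcp(src_port, dst_port, seq, ack, flags, window=65535, options=b""):
    """Assemble a header; Offset is derived from the option length (padded to 32 bits)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)      # padding, as the text notes
    offset_words = 5 + len(options) // 4                  # 20 fixed bytes = 5 words
    flag_bits = sum(FLAG_BITS[f] for f in flags)
    offset_reserved_flags = (offset_words << 12) | flag_bits  # 4-bit offset, 6 reserved, 6 flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_reserved_flags, window, 0, 0) + options


def parse_tcp(segment: bytes) -> dict:
    """Read Rows One to Five, validate the 4-bit Offset, decode flags and the MSS option."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    src, dst, seq, ack, orf, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    offset_words = orf >> 12
    header_len = offset_words * 4
    if header_len < 20 or header_len > len(segment):      # 4-bit value: 20..60 bytes
        raise ValueError("bad data offset %d" % offset_words)
    reserved = (orf >> 6) & 0x3F                          # should be 0 on functioning hosts
    flags = [name for name in FLAG_NAMES if orf & FLAG_BITS[name]]
    options = segment[20:header_len]
    mss = None
    i = 0
    while i < len(options):                               # RFC 793 option encoding
        kind = options[i]
        if kind == 0:                                     # End of Option List
            break
        if kind == 1:                                     # No-Operation (1 byte)
            i += 1
            continue
        length = options[i + 1]
        if kind == 2 and length == 4:                     # Maximum Segment Size
            mss = struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return {
        "src_port": src, "dst_port": dst,
        "seq": seq, "ack": ack if "ACK" in flags else None,
        "header_len": header_len, "reserved": reserved, "flags": flags,
        "window": window, "checksum": csum,
        "urgent_pointer": urg if "URG" in flags else None,
        "mss": mss, "payload": segment[header_len:],
    }


def expected_ack(received_seq: int, bytes_consumed: int) -> int:
    """Acknowledgement the peer should send back; a SYN (or FIN) consumes one sequence number."""
    return (received_seq + bytes_consumed) & 0xFFFFFFFF


MSS_OPTION = bytes([2, 4]) + struct.pack("!H", 1460)      # kind 2, length 4, MSS 1460
SAMPLE_SYN = build_tcp(2025, 21, 2052360112, 0, ["SYN"], options=MSS_OPTION)

if __name__ == "__main__":
    info = parse_tcp(SAMPLE_SYN)
    print(info["src_port"], info["dst_port"], hex(info["seq"]), info["flags"], info["mss"])
    print("the server's SYN/ACK must acknowledge", expected_ack(info["seq"], 1))
```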
TASK 2E-1
Capturing and Identifying TCP Headers
Setup: You are logged on to Windows Server 2003 as Administrator. A command prompt and Network Monitor are running.
1. Begin a new capture.
2. Switch to the command prompt and initiate a Telnet session to a neighboring host.
3. To begin the Telnet session, type y, and press Enter.
4. At the login prompt, type Administrator, leave the password blank, and press Enter.
5. If the Telnet session starts, exit the Telnet session; otherwise, close the command prompt.
6. Stop and view the capture.
7. Add a filter so that all you see are TCP frames. For the specific steps to add filters, see Task 2B-1, step 12 through step 16.
8. Analyze the TCP headers in the frames.
9. When analyzing the headers, look for the following:
a. Sequence Numbers.
b. Acknowledgement Numbers.
c. Source Port Numbers.
d. Destination Port Numbers.
10. Once you have analyzed the header, save the capture as Telnet_Attempt.cap and close the capture file.
Topic 2F
Capturing and Identifying UDP Headers
Compared to TCP, UDP is a very simple transport protocol. The UDP header and data will be completely encapsulated in the IP datagram, just as with TCP. In Figure 2-19, you can see the actual format of the UDP header. There are three rows of information in the figure. Just as with TCP, when a computer receives the UDP header, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on.
To work with UDP further, refer to RFC 768.
Figure 2-19: A UDP header with all fields shown.
Using Figure 2-19, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the UDP header. Starting on Row One, on the left side is a field called Source Port Number. This field is a 16-bit value that defines the upper-layer application that is using UDP on the source host. The second field on Row One is called Destination Port Number. This field is a 16-bit value that defines the upper-layer application that is using UDP on the destination host. On the Second Row, the field on the left is called UDP Length. This is a 16-bit value that identifies the length of the UDP data and the UDP header. The second field on Row Two is a field called UDP Checksum. This is a 16-bit value that is used to provide an integrity check of the UDP header and the UDP data. The value is calculated by the sender, then stored, and the receiver compares the value upon receipt. Row Three is where the actual user data is stored. It is possible for a user to send a UDP datagram with zero bytes of data.
TASK 2F-1
Working with UDP Headers
Setup: You are logged on to Windows Server 2003 as Administrator, and Network Monitor is running.
1. Browse to C:\Tools\Lesson2. In that folder is a file called tftp.cap. Open tftp.cap in Network Monitor.
2. Expand the details of any UDP frame, and compare it to the discussion. Look for the following:
a. Source Port.
b. Destination Port.
c. What the actual UDP data is.
3. As you are analyzing this traffic, verify that no session was established, as UDP is connectionless.
4. Close the capture.
Topic 2G
Analyzing Packet Fragmentation
Packet-switched networks will all, at one time or another, experience fragmentation. This is due to the fact that all complex networks are made up of various physical media and configurations. So, a packet of a certain size might fit fine on one segment, but may suddenly be many times larger than the capacity of the next segment. The size limit that is allowed to exist on a network varies from network to network and is referred to as the Maximum Transmission Unit (MTU). In the event that a datagram gets fragmented, it is not reassembled until it reaches its final destination. When the datagram is fragmented, each fragment becomes its own unique packet, transmitted and received uniquely. TCP segments are sent using IP datagrams. TCP expects a one-to-one ratio of segments to datagrams. Therefore, IP on the receiving end must completely reassemble the datagram before handing the segment to TCP. In the relationship between TCP and IP, the following rules that affect fragmentation are defined:
The TCP Maximum Segment Size (MSS) is the IP Maximum Datagram Size minus 40 octets.
The default IP Maximum Datagram Size is 576 octets.
The default TCP Maximum Segment Size is 536 octets.
Fragmentation will rarely happen at the source of a datagram, but it is possible. For example, a receiving host might say it can accept segments that are many times larger than what the sender normally sends. Another example would be a host on a small-packet-sized network, such as PPP, using an application with a fixed-size message. The common location for fragmentation, then, is at a gateway, where the odds of different MTUs on different interfaces are very high. The following list shows the MTU for various media:
PPP: 296 bytes
Ethernet: 1500 bytes
FDDI: 4352 bytes
Token Ring (4 MB/s): 4464 bytes
Token Ring (16 MB/s): 17914 bytes
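An added example, not from the course text, that reproduces what Task 2G-1 observes in fragment.cap: splitting a datagram's payload to fit a smaller MTU (constant IP ID, rising Fragment Offset in 8-octet units, More Fragments cleared on the last piece) and reassembling it at the final destination, including the case of a missing fragment. The 1480-byte ping crossing onto a PPP link is a constructed scenario, and the function names are my own.

```python
"""Fragment an IP datagram to fit an MTU and reassemble it.

Added example, not part of the course text. It models only the IP header
fields Task 2G-1 inspects (ID, MF flag, Fragment Offset) rather than full
packets, and reuses the lesson's MTU table.
"""
MTU = {"PPP": 296, "Ethernet": 1500, "FDDI": 4352,
       "Token Ring (4 MB/s)": 4464, "Token Ring (16 MB/s)": 17914}
IP_HEADER_LEN = 20      # no IP options assumed


def tcp_mss_for(ip_max_datagram: int) -> int:
    """Lesson rule: TCP MSS = IP Maximum Datagram Size - 40 octets (20 IP + 20 TCP)."""
    return ip_max_datagram - 40


def fragment(ident: int, payload: bytes, mtu: int) -> list:
    """Split one datagram's payload into fragments that fit mtu on the next hop.

    Fragment Offset is carried in 8-octet units, so every fragment except the
    last carries a multiple of 8 payload bytes. Returns dicts of header fields.
    """
    max_data = (mtu - IP_HEADER_LEN) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small for an IP header")
    frags = []
    offset = 0
    while offset < len(payload):
        chunk = payload[offset:offset + max_data]
        more = offset + len(chunk) < len(payload)
        frags.append({
            "id": ident,              # identical in every fragment of this datagram
            "MF": 1 if more else 0,   # More Fragments flag
            "offset": offset // 8,    # Fragment Offset in 8-byte units
            "data": chunk,
        })
        offset += len(chunk)
    return frags


def reassemble(frags: list) -> bytes:
    """Rebuild the datagram at the destination, whatever order the fragments arrive in."""
    ids = {f["id"] for f in frags}
    if len(ids) != 1:
        raise ValueError("fragments from different datagrams: %s" % sorted(ids))
    ordered = sorted(frags, key=lambda f: f["offset"])
    buf = bytearray()
    for f in ordered:
        if f["offset"] * 8 != len(buf):       # gap or overlap: a fragment is missing
            raise ValueError("missing fragment before offset %d" % f["offset"])
        buf += f["data"]
    if ordered[-1]["MF"] != 0:                # the last fragment must clear MF
        raise ValueError("last fragment not yet received")
    return bytes(buf)


# Constructed scenario: a 1480-byte ICMP payload (a large ping, as in fragment.cap)
# that filled an Ethernet frame now has to cross a PPP link with a 296-byte MTU.
BIG_PING = bytes(range(256)) * 5 + bytes(200)     # 1480 bytes
FRAGMENTS = fragment(ident=0x1234, payload=BIG_PING, mtu=MTU["PPP"])

if __name__ == "__main__":
    for f in FRAGMENTS:
        print("id=%#x MF=%d offset=%d bytes=%d"
              % (f["id"], f["MF"], f["offset"], len(f["data"])))
    print("reassembled intact:", reassemble(FRAGMENTS) == BIG_PING)
```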
TASK 2G-1
Analyzing Fragmentation
Setup: You are logged on to Windows Server 2003 as Administrator, and Network Monitor is running.
1. Navigate to C:\Tools\Lesson2 and open fragment.cap in Network Monitor.
2. Expand the details of frame 1, looking for the Fragment flag.
3. Observe that, in frame 1, there is no Fragment Offset, as this is the first fragment.
4. Select several consecutive frames.
5. Observe that each successive frame has a higher Fragment Offset as it gets farther from the beginning of the original datagram.
6. Observe that the IP ID stays constant for each fragment.
7. Expand the details of frame 16. Observe that the Fragment flags are now both 0, indicating this is the last of the fragments.
8. Close the capture.
Topic 2H
Analyzing an Entire Session
Now that you have analyzed IP, TCP, UDP, ICMP, fragmentation, handshakes, and teardowns, it is time to put them together. In this topic, you will follow along using two sample captures that were made specifically for this purpose. One capture is a PING capture, and the other is an FTP capture. By analyzing them, you will see how TCP/IP functions, from start to finish.
TASK 2H-1
Performing a Complete ICMP Session Analysis
Objective: To use the supplied capture and text files to examine the TCP/IP headers, in order to understand how a session is set up, used, and torn down.
Setup: You are logged on to Windows Server 2003 as Administrator, and Network Monitor is running.
1. Start Notepad and open the file ping.txt. This file is in C:\Tools\Lesson2. You should see the output shown in the following graphic.
2. Keep this file open.
3. Switch to Network Monitor, and open the file ping.cap. It's also located in C:\Tools\Lesson2.
4. Observe that frame 1 is an Ethernet broadcast trying to resolve the target IP address to its MAC address.
5. Observe that frame 2 is a reply from the target machine with the appropriate resolution. From now on, the two hosts can communicate.
6. Observe the next two frames. They are ICMP echo messages going back and forth between the two hosts, corresponding to the output in the text file. Examine the ICMP messages, and see the details in frames 3 and 4 as shown in the following graphics.
7. Observe that, for the ping command, no session was set up or torn down, just a simple ICMP echo request, followed by an ICMP echo reply.
8. Close ping.cap and ping.txt.
FTP Communication
Up to this point you have been examining ICMP communication. Now you will examine an active FTP session. There are two different types of FTP, something that many administrators are unfamiliar with. The two FTP types are simply called passive and active. The mode most people think of with FTP is active FTP. In active FTP, a client makes a connection to the FTP server. The client uses a port higher than 1024 (we'll call it X) to connect to the server, which then uses port 21, and the FTP command and control session is established. The server responds with the data transfer, sent on port 20. The client will receive the data transfer on a port one higher than the client used for command transfer, or X+1. In passive mode FTP, the client initiates both connections between the client and the server. When the FTP client begins an FTP session, the client opens two ports (again one higher than 1024, and the next port higher, or X and X+1). The first connection and port is the session to the server for command and control on server port 21. The server then opens a random port (again higher than 1024, referred to as Y in this section), and sends this port information back to the client. The client then requests the data transfer from client port X+1 to server port Y. When active FTP is used, there can be a situation that firewalls dislike. The first part of the FTP session, from client to server, is not a problem. However, when the server responds to the client, it can seem to the firewall to be a new session started from an untrusted network, trying to gain access to the private network. Passive FTP solves this problem on the firewall, as both parts of the FTP session originate from the FTP client, and no session starts from an untrusted network. There is a different problem with passive FTP. This problem is not on the firewall, but on the server configuration itself.
Because the FTP client starts both sessions, the FTP server must be able to listen on any high port, meaning all high ports must be open and available. To deal with this situation, many FTP applications now include features that limit the port range that the server can use.
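The two connection patterns above and their firewall consequences, as an added Python example that is not part of the course text: it lists the command and data connections each mode opens, applies a client-side rule that admits only sessions initiated from the trusted network, and enforces the passive port-range limit the text mentions. The client address comes from this lesson's FTP capture; the server address, X, Y and the pasv_range argument are constructed, and the function names are my own.

```python
"""Model the connections active and passive FTP open, and how a client-side
firewall that admits only sessions started from the trusted network treats
each mode.

Added example, not from the course text. The pasv_range argument stands in
for the port-range limit the text says many FTP servers now offer.
"""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "src_ip src_port dst_ip dst_port role")


def ftp_connections(mode, client_ip, server_ip, x, y=None, pasv_range=(1025, 65535)):
    """Return the command and data connections, in the order they are initiated."""
    if x <= 1024:
        raise ValueError("client port X must be above 1024")
    command = Conn(client_ip, x, server_ip, 21, "command")
    if mode == "active":
        # The server connects back from port 20 to the client's next port, X+1.
        data = Conn(server_ip, 20, client_ip, x + 1, "data")
    elif mode == "passive":
        low, high = pasv_range
        if y is None or not low <= y <= high:
            raise ValueError("server port %s is outside the allowed range %d-%d" % (y, low, high))
        # The client connects from X+1 to the port Y the server announced.
        data = Conn(client_ip, x + 1, server_ip, y, "data")
    else:
        raise ValueError("mode must be 'active' or 'passive'")
    return [command, data]


def firewall_verdicts(conns, trusted_net):
    """Client-side rule: allow only connections whose initiator is inside trusted_net."""
    net = ipaddress.ip_network(trusted_net)
    return {c.role: ("allow" if ipaddress.ip_address(c.src_ip) in net else "deny")
            for c in conns}


def server_inbound_ports(mode, pasv_range=(1025, 65535)):
    """Ports the server-side firewall must accept inbound for this mode."""
    if mode == "active":
        return [21]                                   # data leaves outbound from port 20
    low, high = pasv_range
    return [21] + list(range(low, high + 1))          # plus every possible data port Y


CLIENT = "172.16.30.2"        # from this lesson's FTP capture
SERVER = "203.0.113.10"       # constructed; RFC 5737 documentation address
TRUSTED = "172.16.30.0/24"    # the client's subnet

if __name__ == "__main__":
    for mode in ("active", "passive"):
        conns = ftp_connections(mode, CLIENT, SERVER, x=2025, y=50001)
        print(mode, firewall_verdicts(conns, TRUSTED))
    print("passive ports to open, no limit:", len(server_inbound_ports("passive")))
    print("with a 50000-50100 limit:", len(server_inbound_ports("passive", (50000, 50100))))
```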
TASK 2H-2
Performing a Complete FTP Session Analysis
Objective: To use the supplied capture and text files to examine the TCP/IP headers, in order to understand how a session is set up, used, and torn down.
Setup: You are logged on to Windows Server 2003 as Administrator. Notepad and Network Monitor are running.
1. Switch to Notepad and open ftp.txt. This file is located in C:\Tools\Lesson2. You should see the results shown in the following graphic.
2. Observe that, in this session, when the ftp server asks for a password, the user enters it but it is not recorded on screen.
3. Switch to Network Monitor, and open ftp.cap in C:\Tools\Lesson2. You should see results similar to those shown in the following graphics. (Depending on the version of Network Monitor you are using, MAC and IP addresses might be displayed in Hex, and the time might be in a different format.)
If you would like to change the format of the addresses from Hex to more readable names, choose Display→Addresses, and click Add. In the box that is displayed, enter FTPSITE for the Name, add 002B32CFC72 for the Address, verify that the Type is Ethernet, and click OK. Click Add again, then enter LOCAL for the Name, add 0002B32C5B13 for the Address, verify that the Type is Ethernet, and click OK twice.
There are 51 frames involved in this capture.
4. If you would like to change the color of the FTP packets for easier viewing, choose Display→Colors. Scroll down and select FTP; then, from the Background drop-down list, select a mild color such as gray or teal, and click OK. If you select a darker color, it might make it more difficult to read the text.
Lesson 2: Advanced TCP/IP
5. Observe that frames 3, 4, and 5 represent the TCP handshake involved in establishing the session. Frames shaded gray (6, 8-9, 11-12, 14, 16-19, 23, 29, 31-34, 38, 44, and 46-47) are all directly involved with the ftp application: authentication, ftp requests for directory information, an actual file transfer, followed by a quit, and bye response.
6. Observe that in frame 8, you can see the user name being supplied.
7. Observe that in frame 9, you can see the request for a password.
8. Observe that in frame 11, you can see the password being supplied. Isn't this a good enough reason to employ some secure authentication such as encryption? Let's view the three-way handshake frames in a bit more detail.
9. Frame 3 starts the three-way handshake Active Open by setting the SYN bit to 1, offering source port no. 2025 (07E9 in Hex), while at the same time directing the request to port number 21 (15 in Hex) on the server. A sequence number 2052360112 (7A5487B0 in Hex) is associated with this frame to uniquely identify it, even in the event of multiple sessions between the same two hosts.
10. The reply from the ftp server in frame 4 includes an ACK, while simultaneously including a SYN. This is the Passive Open.
11. Observe that frame 5 includes an ACK from the client.
Once the session is established, FTP can continue on with its setup. This includes a login and a password (to be supplied if anonymous access is not supported), followed by file requests.
12. Observe that frame 6 shows the ftp server asking for user identification. Frame 8 shows the ftp client supplying the user name of test user.
13. Observe that this is met by the ftp server asking for the password in frame 9.
14. Observe that in frame 11, you can see the password being offered. Because no secure methods for authentication were set up, you can see the actual password (the word plaintext).
15. Observe that once the user has been authenticated, the ftp session is allowed to continue. The ftp server puts out the welcome message shown in frame 12.
16. Observe that the rest of the frames dealing with FTP (frames 14, 16-19, 23, 29, 31-34, 38, and 44) have to do with directory listings and file transfers.
17. Observe that in frame 38, you can see the actual contents of the file as it is being transferred. In this case, and because it is just a text file, you can read the contents.
18. Observe that in frame 46, you can see the client attempt to close the connection with the Quit command.
19. Observe that in frame 47, you can see the server communicate with the client with the message See ya later.
20. Observe that these messages are followed by TCP terminating the session from both ends in frames 48 and 49, and 50 and 51, respectively, where the FIN bits are set to 1 and the corresponding frame contains the ACK bit set to 1.
21. Close Network Monitor. If you are prompted to save addresses, click No.
22. Close Notepad.
Summary
In this lesson, you looked deep into the structure of the TCP/IP protocol. You reviewed the RFCs associated with IP, ICMP, TCP, and UDP. You then used Network Monitor and Wireshark to capture and analyze IP packets. You examined captures associated with network traffic. You learned to read the actual data being transmitted between two or more hosts. Finally, you analyzed a complete session, frame-by-frame.
Lesson Review
2A How many layers are in the OSI Model?
Seven.
How many layers are in the TCP/IP Model?
Four.
What are the assignable classes of IP addresses?
A, B, and C.
What are the three private ranges of IP addresses, as defined in the RFCs?
a. 10.0.0.0 to 10.255.255.255
b. 172.16.0.0 to 172.131.255.255
c. 192.168.0.0 to 192.168.255.255
2C What is the first field that is read by the computer in the IP header?
Version.
What is the Protocol ID of ICMP in the IP header?
1.
What is the Protocol ID of TCP in the IP header?
6.
What is the Protocol ID of UDP in the IP header?
17.
2D What is the first field that is read by the computer in the ICMP message?
Type.
How many bits make up the Type field?
Eight.
How many bits make up the Code field?
Eight.
2E What is the first field that is read by the computer in the TCP header?
Source Port Number.
How many control bits are in the TCP header?
Six.
How many bits is the Sequence Number?
32.
How many bits is the Acknowledgement Number?
32.
2F What is the first field that is read by the computer in the UDP header?
Source Port Number.
What is the UDP header and data encapsulated in?
An IP datagram.
How many bits are both the source and destination port numbers?
16.
What is in the payload of the tftp.cap file that you analyzed?
Cisco Router Configuration and Access Lists.
2G In the fragment.cap file that you analyzed, how do you suppose this fragmentation happened?
By a user sending a large ping. (See the file fragment.txt, in the same folder as fragment.cap, to understand how this was initiated.)
Why is there no upper-layer protocol list in the Detail pane for frames 2 through 13?
These are the subsequent fragments whose upper-layer protocol is referred to in the first fragment; therefore, they do not have any header information other than IP.
What was the upper-layer protocol that caused the fragmentation?
ICMP.
2H In the FTP capture file that you analyzed in this topic, what pair of sockets are involved in the initial three-way handshake?
On the client: IP address 172.16.30.2, port 2025. On the FTP Server: IP address 172.16.30.1, port 21.
In the FTP capture file that you analyzed in this topic, what pair of sockets are involved in the exchange of FTP data in response to the request for directory listing?
On the FTP Server: IP address 172.16.30.1, port 20. On the client: IP address 172.16.30.2, port 2026.
In the FTP capture file that you analyzed in this topic, what frames indicate that a three-way handshake is taking place between the FTP server and the client in preparation for the sending of FTP data in response to the request for the file textfile.txt?
Frames 35, 36, and 37.
LESSON 3
Data Files
ping-arp-mac.cap
rip update.cap
ripv2withAuthentication.cap
PuTTy.exe
Lesson Time
6 hours
Objectives
To understand the functions of routers and routing protocols, you will:
3A Configure fundamental router security. You will create the required configurations to secure connections, create banners, and implement SSH.
3B Examine principles of routing. You will capture routing protocols and analyze the IP and MAC relationship in a routed environment.
3C Configure the removal of services and protocols. You will create the required configurations to harden the core services and protocols on a Cisco router.
3D Examine the function of Access Control Lists on a Cisco router. You will create wildcard masks to be used in conjunction with the implementation of Access Control Lists.
3E Implement Cisco Access Control Lists. You will create the required configurations to implement Access Control Lists to defend against network attacks on a Cisco router.
3F Configure logging on a Cisco router. You will create the required configurations to enable logging on a Cisco router.
Topic 3A
Fundamental Cisco Security
Although this lesson is not designed to make you a Cisco or a routing expert, you will become familiar with the core functions of routers and how to best harden this critical component of the infrastructure.
Along with the interface type, Cisco router interfaces are numbered. The interface numbering begins with a zero. In other words: The first Ethernet interface on the router is known as E0. Likewise, the first serial interface on the router is S0. Finally, the first Token Ring interface on the router is To0.
bug: An unwanted and unintended property of a program or piece of hardware, especially one that causes it to malfunction.
SNMP: (Simple Network Management Protocol) Software used to control network communications devices using TCP/IP.
tial configuration and in the event of an emergency, such as password recovery. Because it requires direct physical access, the console port should not be the primary method of accessing the router. The auxiliary port can be used to connect to the router via a modem. This can be a functional method of accessing the router if the primary network is down and you are not able to gain physical access to the router. The VTY sessions provide for terminal access to the router. These connections require the network to be functioning to provide access. The most common method of accessing a VTY session is telnet, although, for security purposes, SSH is supported, and is recommended. There are five VTY ports on the router by default, and they are numbered 0 through 4. In this course, access will be provided by using VTY sessions. Other network access points like HTTP, TFTP, and SNMP are also supported on newer versions of the IOS. HTTP can be used if the router runs as a web server, authenticating users for access. TFTP is used for loading IOS and configuration files, and SNMP can be used in full network management configurations.
Modes of Operation
In the router, there are several different modes an administrator can use. These range from simple, informational modes, to the complex modes of router configuration. Several of the different modes are listed below:
User Mode: In this mode, users can see the configuration of the router, but will not be able to make any significant changes to the router. The prompt for User Mode looks like this: Router>.
Enable Mode: In this mode, users can make more significant changes to the router, including some of the router configuration options. The prompt for Enable Mode looks like this: Router#.
Global Configuration Mode (also known as Configure Terminal Mode): In this mode, users can make configuration changes that will affect the entire router. The prompt for Global Mode looks like this: Router(config)#.
Generally, once you connect to the router, you will move to Enable Mode right away, since that is where much of the router management happens. As a side note, Enable Mode is often called Privileged Mode in text. So, you can consider Enable Mode and Privileged Mode to mean the same thing: the next level of router access beyond User Mode.
Configuration Fragments
In this lesson, you will see many examples of configurations of the router. It is not practical to list every step and every line entered for every option. Therefore, what you will see are called configuration fragments. For example, to navigate to an Interface Mode of a router, the following commands are required:
1. Connect to the router via an access method, such as telnet: Telnet 10.10.10.10.
2. Enter the password for VTY access: L3tm3!n.
3. Enter the password for Enable Mode: P0w3r.
4. Enter the command for Configure Terminal Mode: Configure Terminal.
5. Enter the command for Interface Mode: Interface Ethernet 0.
Lesson 3: Routers and Access Control Lists
In this course, the command sequence listed previously will not be described line-by-line but with a configuration fragment. So, the steps to access Interface Mode will look like this:
1. Router#Config Terminal
2. Router(Config)#Interface Ethernet0
This configuration fragment goes right to the concept, or function, of the discussion. In this example, you cannot be in Enable Mode (identified by the Router# prompt) without first accessing the router (probably by using Telnet), and entering the required credentials.
Other shortcuts to use are the Up Arrow and Down Arrow keys. Using these will scroll you through commands you have entered into the router for quick access. Finally, using key combinations can be helpful as well. Two examples of key combinations are Ctrl+A and Ctrl+E. Using the Ctrl+A key combination moves the cursor to the beginning of a command line. Using the Ctrl+E key combination moves the cursor to the end of a command line.
As an FYI, if the Up Arrow and Down Arrow keys do not function on your system, you can use the key combination Ctrl+P in place of the Up Arrow key, and Ctrl+N in place of the Down Arrow key.
In Cisco routers, there are two main categories of authentication. They are the AAA method and the non-AAA method (called traditional by some). AAA stands for Authentication, Authorization, and Accounting. Earlier, you were introduced to the methods of access, such as console, auxiliary, and VTY sessions. These are considered non-AAA access methods. Another non-AAA access method is called Terminal Access Controller Access Control System, or TACACS for short. They use a local username and password for authentication. AAA methods include RADIUS and Kerberos. These methods provide for the full level of Authentication, Authorization, and Accounting that are required for AAA access methods.
In the following configuration fragment, the password is set for all VTY sessions, 0 through 4. Note that the process is nearly identical.
Router#config terminal
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password l3tm3!n
Router(config-line)#^Z
Router#
TASK 3A-1
Configuring Passwords
1. Create the configuration fragment that you would use to set the Console password of ACC3$$, and to set all VTY sessions to use the password of +3ln3+.
Router#configure terminal
Router(config)#line console 0
Router(config-line)#login
Router(config-line)#password ACC3$$
Router(config-line)#^Z
Router#

Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password +3ln3+
Router(config-line)#^Z
Router#
Router#configure terminal
Router(conf)#username Auser
Router(conf)#username Buser
Router(conf)#username Cuser
Router(conf)#username Duser
Router(conf)#^Z
Router#
Implementing Banners
In addition to having proper passwords on the router, it is important to have adequate warning banners. It is highly recommended that you view these banners as warning banners and not as welcome banners, as they used to be called. A warning banner is not designed to be the end-all of security; most people know a banner will not stop a determined attacker. However, a banner can provide some legal backing for you and your organization. There are four general functions that warning banners should provide. Although you should look to legal counsel for the exact wording, your banner should address each of these. The banner should:
Not provide useful technical or non-technical information that an attacker can use.
Inform users of the system(s) that their actions are subject to recording, and may be used in a court of law.
Define who is and who is not an authorized user of the system(s).
Provide adequate legal standing to both prosecute offenders and protect the administrators of the equipment.
The following is an example of what a banner could look like for an organization:
Warning!!! This system is designed solely for the authorized users of Company X on official business. Users of this system understand that there is no expectation of privacy, and that use of the system may be monitored and recorded. Use of this system is consent to said monitoring and recording. Users of this system acknowledge that if monitoring finds evidence of misuse, abuse, and/or criminal activity, that system operators may provide monitoring and recording data to law enforcement officials.
This banner is used for sending notices to users, such as if there is an upcoming system shutdown for upgrading the IOS.
Login banner: The login banner is where the warning banner should be located. This banner will be shown to each user every time a login attempt happens. The banner is set in Configure Terminal Mode, and uses a beginning and ending delimiter character. The delimiter can cause confusion, but is quite simple. Any character can be used as a delimiter; you just must make sure to use the same character at the beginning and the end. In the following configuration fragment, the letter C is used as the delimiter character:
Router#configure terminal
Router(config)#banner login C
Warning!!! This system is designed solely for the authorized users of Company X on official business. Users of this system understand that there is no expectation of privacy, and that use of the system may be monitored and recorded. Use of this system is consent to said monitoring and recording. Users of this system acknowledge that if monitoring finds evidence of misuse, abuse, and/or criminal activity, that system operators may provide monitoring and recording data to law enforcement officials.
C
Router(config)#^Z
Router#
EXEC banner: The EXEC banner is used for setting a message for users who enter EXEC, or Privileged, Mode. You can create a new banner, use the same warning banner, or whatever else you wish. The process for setting a new banner is nearly identical to the process for the login banner. The difference is in the command: instead of the command banner login, you use the command banner exec. In the following configuration fragment, you can see the exec banner created, with a delimiter of the pound sign (#):
Router#configure terminal
Router(config)#banner exec #
Reminder!!! When you logged into this system, you acknowledged that you are an authorized user of Company X systems. You also acknowledged that your use of this system may be monitored and recorded. Finally, you agreed that if misuse, abuse, and/or criminal activity are found while monitoring, that law enforcement officials may be contacted.
#
Router(config)#^Z
Router#
TASK 3A-2
Configuring Login Banners
1. Create the configuration fragment that you would use to create a login warning banner. You can include whatever text you like for the banner, but use the letter B as your delimiter. A possible response is:
Router#configure terminal
Router(config)#banner login B
Warning!!! This is the login banner for the SCNS TPD class. If you are not a member of this class, you may not access this system. Users of this system are advised that nearly everyone is running packet-capturing utilities and everyone is watching you!
B
Router(config)#^Z
Router#
SSH Overview
Although Telnet is used in this course, and is often the method of choice for many administrators, from a security perspective it is not a solid option. This is because there is no encryption on the session: all commands and responses are cleartext and can be viewed by any packet-capture utility. SSH, or Secure Shell, provides a higher level of security for remote connections to the router. Using RSA public-key cryptography, SSH establishes a secure channel of communication between client and server. Cisco IOS support for SSH is not present in older versions of the IOS, such as 11.2 and 11.3. Starting with version 12.0(5) with IPSec, support for SSH was included, and only IOS versions that have IPSec will have SSH support. In order for SSH sessions to be established, some preparation must take place on the router: the router must have usernames defined, must have a hostname defined, and must have a domain name set.
Not all versions of the IOS support SSH. Versions that support IPSec also support SSH.
Router#configure terminal
Router(config)#ip domain-name scp.mil
Router(config)#access-list 23 permit 192.168.51.45
Router(config)#line vty 0 4
Router(config-line)#access-class 23 in
Router(config-line)#exit
Router(config)#username SSHUser password No+3ln3+
Router(config)#line vty 0 4
Router(config-line)#login local
Router(config-line)#exit
Router(config)#
The router configuration is close to being finished, but there is still some work to be done. RSA must be enabled so that the key pair can be generated and used. When creating a new key pair, be aware that it may take some time for the pair to complete. In this fragment, all you will see is the command for creating the key pair, crypto key generate rsa, the use of 1024 as the number of bits in the modulus (the Cisco recommended minimum), and the OK when the calculation is done.
Router#configure terminal
Router(config)#crypto key generate rsa
The name for the keys will be: Router.scp.mil
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024
Generating RSA keys ... [OK]
Router(config)#
You have now enabled SSH to run on your router. There are some commands that you can use to fine-tune the SSH function, and you will need to configure your client to use SSH. The following configuration fragment is used to define the time-out, in seconds, that the server will wait for the client to provide a password. The default is 120 seconds, and the Cisco recommended time is 90 seconds. In this fragment, the time has been changed to 45 seconds.
Router#configure terminal
Router(config)#ip ssh timeout 45
Router(config)#^Z
Router#
The next fragment is used to define the number of retries that will be allowed before the router drops the connection. The default for this setting is 3, and the maximum is 5. This is a setting that you may rarely change, but in the fragment, the retries are set to 2, so after the second bad try, the connection is dropped:
Router#configure terminal
Router(config)#ip ssh authentication-retries 2
Router(config)#^Z
Router#
Finally, here is the configuration to let the VTY sessions on the router accept both SSH and Telnet as valid connection types. If you want to have only SSH used, which is the point here, you would not add the word telnet to the command.
Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#transport input ssh telnet
Router(config-line)#^Z
Router#
SSH Verification
On the router, you will want to run some diagnostic commands to find out who is connected and how. These commands will show you the state of your SSH connections. There are some differences based on the IOS version you are running, so note that in the following. If you are running IOS version 12.1, and you want to see the state of SSH connections, including who is connected, use the command show ip ssh. The following fragment lists what this command will reveal.
Router#show ip ssh
Connection   Version   Encryption   State   Username
0            1.5       3DES         4       SSHUser
Router#
If you are running IOS version 12.2, there are two commands for viewing SSH information. First is the show ip ssh command, only here it lists the details, such as time-out and version. The second command is show ssh, and this shows the user connected. The following fragment shows both commands used, one after the other, and their result onscreen.
Router#show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 45 secs; Authentication retries: 2
Router#show ssh
Connection   Version   Encryption   State             Username
0            1.5       3DES         Session Started   SSHUser
Router#
7. Enter line vty 0 4 to begin the line configuration. The LEFT(config-line)# prompt is displayed.
8. Enter transport input ssh to limit the VTY sessions to accept only SSH connections.
9. Enter login local to provide for local login.
10. Enter exit to return to the LEFT(config)# prompt.
11. Enter username sshl01 privilege 15 password sshpass to assign a user name and password for student station L01. Repeat this command to assign user names and passwords for all other student stations on the left side of the classroom.
12. Enter exit to return to the LEFT# prompt.
13. Enter copy ru st to save the configuration changes. Press Enter to accept the default file name.
14. Enter exit to return to the LEFT> prompt.
15. Disconnect from the LEFT router, and console in to the RIGHT router.
16. Use the steps listed previously as a guide to set up SSH on the RIGHT router. Use the domain name right.com, and create user names such as sshr01, sshr02, and so forth.
17. Disconnect from the RIGHT router, and close the console.
18. Try to Telnet to either of the ssh-enabled routers, and ask students to do the same. None of the attempts should be successful, as you have blocked Telnet connections on both routers.
Figure 3-1: The client configuration for an SSH session.
During the configuration, you will be asked to provide input on the cryptography used, and you will select RSA. Additionally, you will be required to present proper credentials when connecting, meaning the local username on the router and the password. Once you enter the proper credentials, you will have secure access, and operation will be no different than using Telnet.
TASK 3A-4
Configuring the SSH Client
Setup: You are logged on to Windows Server 2003 as the renamed Administrator account. The routers have a limited number of simultaneous logins, so you might need to take turns accessing the routers if your class has many students in it.
1. Navigate to the putty.exe file located in C:\Tools\Lesson3.
2. Double-click putty.exe.
3. For Host Name, enter the IP address for your router. Your instructor will provide the router IP addresses. The router you use is named LEFT or RIGHT, based on your location in the classroom.
4. Click SSH (Port 22).
5. Click Open to initiate the connection.
Provide students with the IP addresses for the LEFT and RIGHT routers. Provide students with the location of the PuTTY installation program.
6. When you are prompted, click Yes to accept the key, and click Yes to continue the connection.
7. Press Enter to display the login prompt.
8. Enter your ssh user name, such as sshl01. You should be prompted for a password. Enter sshpass to complete the login sequence.
9. After authentication has taken place, log out and close PuTTY.
Topic 3B
Routing Principles
To be able to secure your routers and routed networks, you need to understand some basic principles related to routing in general. Let's begin by looking at how routers and routing fit into the OSI Model.
The IEEE (Institute of Electrical and Electronics Engineers) issues MAC address blocks to network hardware vendors to ensure that MAC addresses remain unique.
Layer Two addresses are used to get data packets from one local node to another local node, while Layer Three addresses are used to get data packets from one network to another network.
The first example shows data moving from Node 1 to Node 2 on a local network segment. In order for the data to arrive properly, the following steps must occur:
1. Node 1 (knowing the Network layer address of Node 2) sends a local broadcast on the LAN indicating that Node 1 wishes to learn the Data Link address for Node 2.
2. Since Node 1 sent a broadcast, all nodes on the local segment receive and process the request, discarding it when they identify that the broadcast was not intended for them.
3. Node 2 identifies the message requesting its MAC address and responds by sending its Data Link address. Node 2 also stores the MAC address of Node 1 for future use.
4. Node 1 sends the packet directly to the Data Link address of Node 2.
Figure 3-2 shows this process between Node 1 and Node 2 on the same segment.
Figure 3-2: This example shows the process of a local ARP broadcast between two nodes.
To take this concept a bit further, let's look at the process of MAC address resolution if Node 2 is not on the local segment (see Figure 3-3). In order for communication to take place between Nodes 1 and 2, the following steps must occur:
1. Node 1 determines that it needs to communicate with Node 2. As with all TCP/IP communication, Node 1 ANDs its IP address with its subnet mask, then it ANDs Node 2's IP address with the Node 1 subnet mask.
2. Node 1 compares the results of the two AND operations to determine whether they are the same (meaning that the nodes are on the same network) or different (meaning that the nodes are on different networks). In this example, the results are different, so Node 1 can conclude that Node 2 is situated on a different network than Node 1.
3. If Node 1's TCP/IP stack is configured with a Default Gateway, Node 1 will use ARP resolution for the Default Gateway address, as explained in the previous example (because Node 1's Default Gateway will most likely be on the same network as Node 1), and store the Default Gateway address as the address to use for reaching Node 2.
Note: If a Default Gateway is not configured for Node 1, then Node 1 will not be able to communicate with Node 2. In fact, if a Default Gateway is not configured and Node 1 attempts to ping Node 2, it should receive a message stating that the destination host is unreachable. For a ping to be successful across a routed network such as the one in this example, Node 2 should also have an appropriate Default Gateway in its IP configuration. If Node 2 exists but is not configured with a Default Gateway, and if Node 1 attempts to ping Node 2, Node 1 should receive a message stating that the request timed out.
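The same-network test and the ARP steps above, as an added Python example that is not part of the course text: it ANDs both addresses with the sender's mask, decides whether to ARP for the destination itself or for the Default Gateway, and reports the "destination host unreachable" case from the Note when no usable gateway is configured. The Node 7 and Node 10 addresses are the ones used in the Figure 3-4 discussion later in this lesson; the /24 mask, the gateway address and the MAC addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed sample: Node 7's and Node 10's addresses appear in the lesson's
# Figure 3-4 discussion; the /24 mask, the gateway and the MAC addresses are
# assumptions made for this example.
NODE7_IP, NODE7_MASK, NODE7_GATEWAY = "10.0.10.115", "255.255.255.0", "10.0.10.1"
NODE10_IP = "20.0.20.207"
SEGMENT = {  # IP -> MAC for every node on Node 7's broadcast domain
    NODE7_IP: "00:00:00:00:00:07",
    NODE7_GATEWAY: "00:00:00:00:00:01",
    "10.0.10.50": "00:00:00:00:00:50",
}


def network_bits(ip: str, mask: str) -> int:
    """Step 1: AND an IPv4 address with a subnet mask."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))


def same_network(src_ip: str, src_mask: str, dst_ip: str) -> bool:
    """Step 2: equal AND results mean the two nodes share a network."""
    return network_bits(src_ip, src_mask) == network_bits(dst_ip, src_mask)


def arp_target(src_ip: str, src_mask: str, dst_ip: str,
               gateway: Optional[str]) -> Tuple[str, Optional[str]]:
    """Decide which address the sender must resolve with ARP.

    Returns (reason, address):
      ("local", dst_ip)      destination is on this segment, ARP for it directly
      ("gateway", gateway)   destination is remote, ARP for the Default Gateway
      ("unreachable", None)  destination is remote and no usable gateway exists
    """
    if same_network(src_ip, src_mask, dst_ip):
        return "local", dst_ip
    if gateway is None or not same_network(src_ip, src_mask, gateway):
        # No gateway, or a gateway that is itself off-segment and so can never
        # be resolved by ARP: the stack reports "destination host unreachable".
        return "unreachable", None
    return "gateway", gateway


def arp_broadcast(segment: Dict[str, str], requester_ip: str, target_ip: str,
                  caches: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Steps 1-4 of the local exchange on one broadcast domain.

    Every node receives the broadcast and discards it unless it owns target_ip;
    the owner replies with its MAC and both sides cache each other's address.
    Returns the resolved MAC, or None when nobody answers (the request times out).
    """
    requester_mac = segment[requester_ip]
    for node_ip, node_mac in segment.items():
        if node_ip != target_ip:
            continue  # "not intended for me": discard the request
        caches.setdefault(node_ip, {})[requester_ip] = requester_mac
        caches.setdefault(requester_ip, {})[node_ip] = node_mac
        return node_mac
    return None


def resolve_destination_mac(src_ip: str, src_mask: str, dst_ip: str,
                            gateway: Optional[str], segment: Dict[str, str],
                            caches: Dict[str, Dict[str, str]]) -> Tuple[str, Optional[str]]:
    """Combine the decision with the broadcast: which MAC goes into the frame?"""
    reason, target = arp_target(src_ip, src_mask, dst_ip, gateway)
    if reason == "unreachable":
        return reason, None
    return reason, arp_broadcast(segment, src_ip, target, caches)


if __name__ == "__main__":
    caches: Dict[str, Dict[str, str]] = {}
    print(resolve_destination_mac(NODE7_IP, NODE7_MASK, "10.0.10.50", NODE7_GATEWAY, SEGMENT, caches))
    print(resolve_destination_mac(NODE7_IP, NODE7_MASK, NODE10_IP, NODE7_GATEWAY, SEGMENT, caches))
    print(resolve_destination_mac(NODE7_IP, NODE7_MASK, NODE10_IP, None, SEGMENT, caches))
```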
Figure 3-3: This example shows the process of a router returning the ARP request of a remote node. These examples are geared towards TCP/IP as a protocol, and we will use TCP/IP throughout this lesson. IP addressing is the primary example of Network layer addressing used today.
Figure 3-4: Two networks connected by a single router. From this diagram, you can see the networks are connected via a single router. Both interfaces are Ethernet interfaces, and the IP addresses are given. In this example, node 7 is trying to get a packet to node 10. Since the nodes are in different networks, the packet will need to be routed to reach its goal. An Ethernet packet will be generated at Node 7 with the IP source address as 10.0.10.115 and the source MAC address as Node 7. The destination IP address will be 20.0.20.207 with the destination MAC address still unknown. When the router hears the request for the MAC address of host 20.0.20.207, it replies to node 7 with its MAC address. Node 7 then sends the packet to the router with a destination IP address of 20.0.20.207 and the MAC address of the E0 interface of the router. Once the router receives the packet, it in turn sends a broadcast for the MAC address of 20.0.20.207. Node 10 responds to this request, and the router receives the response. A new packet is then generated by the router, addressed to IP address 20.0.20.207 from IP address 10.0.10.115 with the source MAC address of the router, and destination MAC address of Node 10. Node 10 receives the packet and responds, following the same steps.
Figure 3-5: Two end nodes connected over multiple routers in a WAN configuration.
For a packet to get from Node 7 to Node 10 in this configuration, there are several steps that must happen:
1. Node 7 creates a request for the MAC address of node 50.0.50.150.
2. The router connected to Network 10.0.10.0 sees this request, and realizes it is the path to the destination network. It replies to Node 7 with its MAC address.
3. Node 7 creates a packet with the source IP address of 10.0.10.115 and the destination IP address of 50.0.50.150, and a source MAC of Node 7 and destination MAC of the network 10.0.10.0 router.
4. As the local router receives the packet, the source and destination IP addresses do not change. The encapsulation may change to fit the wire, PPP or Frame Relay for example.
5. The packet is sent from one router to another; each time, the IP addresses do not change.
6. Once the packet reaches the router for segment 50.0.50.0, the encapsulation is removed, and you are left with an Ethernet packet with source IP address 10.0.10.115 and destination IP address 50.0.50.150, and source MAC of the local E0 interface of the local router and destination MAC address of Node 10.
TASK 3B-1
Performing IP and MAC Analysis
Setup: You are logged on to Windows Server 2003 as the renamed Administrator account.
1. Navigate to C:\Tools\Lesson3 and open ping-arp-mac.cap. The file should open in Network Monitor.
2. Quickly scroll through the main capture, noting the frames and their functions. You will see it is a capture of an initial ARP process, then two consecutive ping (Echo and Echo:Reply) packets.
3. Expand Frame Four.
4. Record the source and destination IP addresses and the source and destination MAC addresses here:
Source IP address: 172.16.10.1
Destination IP address: 172.17.10.1
Source MAC address: 00 D0 09 7F 0D 73
Destination MAC address: 00 00 0C 8D B8 54
If you need to, expand IP and Ethernet so that you can see the addresses.
5. Expand Frame Five, and record those IP and MAC addresses as well.
Source IP address: 172.17.10.1
Destination IP address: 172.16.10.1
Source MAC address: 00 00 0C 8D B8 54
Destination MAC address: 00 D0 09 7F 0D 73
6. Observe that, when pinging 172.17.10.1 from 172.16.10.1, the destination MAC address is 00000C8DB854.
7. Examine the exchanges in frames 6 and 7, 8 and 9, and 10 and 11 to see the ping process complete.
8. Expand Frame Twelve, and record those IP and MAC addresses as well.
Source IP address: 172.16.10.1
Destination IP address: 172.18.10.1
Source MAC address: 00 D0 09 7F 0D 73
Destination MAC address: 00 00 0C 8D B8 54
9. Expand Frame Thirteen, and record those IP and MAC addresses as well.
Source IP address: 172.18.10.1
Destination IP address: 172.16.10.1
Source MAC address: 00 00 0C 8D B8 54
Destination MAC address: 00 D0 09 7F 0D 73
10. Observe that when pinging 172.18.10.1 from 172.16.10.1, the destination MAC address is 00000C8DB854.
11. Examine the exchanges in frames 14 and 15, 16 and 17, and 18 and 19 to see the ping process complete.
12. Close the capture file, and leave Network Monitor open.
Figure 3-6: Potential paths that data can take to get from one node to another.
In order for the routers to exchange their data, they must have mutual paths of communication. These paths are the actual connections between the routers. By using logical addressing, the routers are able to have defined networks on which to transmit data. The logical addressing minimizes the use of broadcasting, with the end result being more bandwidth for data transmission. In Figure 3-7, each segment with a letter is a unique Layer Three network segment.
Figure 3-7: Logical network addressing used in an internetwork. The routers will use the information about the paths to which they are connected, including the type of connection and available bandwidth, to determine the routes for data to take. For example, the routers might now say for a packet to get from network A to network N that the packet should take network A to network B to network D to network H to network J to network K to network M to network N. There are many times when the fastest route is not a straight path!
Static Routes
The creation of these paths can happen either dynamically (automatically) or statically (manually). The first of these two concepts, static routing, is defined here.
A static route is a route that has been manually entered into the router to define the path to the remote network. Although its use is not desirable for every situation, static routing has many advantages, such as:
- Precise control over the routes data will take across the network.
- Easy to configure in small networks.
- Reduced bandwidth use, because there is no excessive router traffic.
- Reduced load on the routers, because there is no need to make complex routing calculations.
Figure 3-8 shows a simple network configuration with two routers and their defined networks.
Figure 3-8: Two routers, Finance and Marketing, and the networks they connect.
The configuration fragments for the static routes of the above routers look like the following:
MarketingRouter#config terminal
MarketingRouter(config)#ip route 10.0.10.0 255.255.255.0 20.0.20.1
MarketingRouter(config)#^Z
MarketingRouter#

FinanceRouter#config terminal
FinanceRouter(config)#ip route 30.0.30.0 255.255.255.0 20.0.20.2
FinanceRouter(config)#^Z
FinanceRouter#
Dynamic Routes
From the previous example, you can see that the command syntax and the time needed to enter the static routes are not complex and will not take a lot of time. However, the previous example is a very small, simple network, and it is because of its simplicity that static routes will work. When the networks become more complex, static routing is not always a reasonable option. If there were a dozen routers, for example, each connected to several networks, static routing would become much more complex.
This is where dynamic routing enters the equation. Dynamic routing protocols can change the configuration of the network when a link goes down. Dynamic routing protocols can converge to be sure that all routers have a consistent view of the network. And, dynamic routing protocols have the means to calculate the best path through an internetwork. Dynamic routing protocols use mathematical algorithms to determine routes and communicate with one another. These same routers exchange their information at defined intervals, and these updates are used to make decisions on routes to take and reconfiguration, when required. Because the routers are exchanging this data frequently, they are able to change paths and update as needed. This flexibility is what makes dynamic routing protocols so desirable. If a router goes down somewhere in the network, the remaining routers will reconfigure and find a way for the data to reach the other side of the network. An example of this is shown in Figure 3-9.
Figure 3-9: There are several routers and multiple paths data can take across this internetwork.
In the event that Finance Router 2 goes offline, and these routers are using dynamic routing, the other routers will reconfigure themselves to use only the other Finance Router. When the offline router comes back online, the other routers in the network will reconfigure themselves accordingly.
Routed protocols are those that carry the information needed to give user data an addressing method for transport between and across networks. The routed protocols have enough internal information to define the structure and function of the various fields inside a given packet. The most common routed protocol of today (and of the last decade) is the Internet Protocol, or IP. Other routed protocols are Novell's IPX/SPX (Microsoft's version of IPX/SPX is NWLink), and AppleTalk. TCP/IP, IPX/SPX, and AppleTalk all allow for addressing at the Network layer of the OSI model.
For the routing protocols to perform these two critical processes, they must conform to a given set of rules. These rules are part of the operation of the routing protocol. Examples of what these protocols can define include:
- The frequency of updates between routers.
- The amount of data contained in the updates.
- The process of finding the proper recipients of the router data.
Calculation of the different data paths, and ultimately choosing the most efficient one based on the given protocol, requires a defined formula. The formula in the case of routers is known as a routing algorithm. The routing algorithm is responsible for the actual calculation that determines the path the data will take as it moves throughout the network. To make this calculation, the algorithm must use certain variables to create what is known as a metric. The metric is then what is used in path determination. Some of the variables that are used to create the overall metric of a given path are:
- Hop Count: This is the number of routers that a data packet must go through to reach its destination. The rule is that the lower the number of hops, the less distance the data has to travel, and therefore the better the path.
- Cost: The cost of a link can be defined by the administrator or calculated by the router. Generally, the lower the cost, the faster the route.
- Bandwidth: This variable is defined by the overall bandwidth that the link provides.
- MTU (Maximum Transmission Unit): The MTU is the largest message size (in octets) that a link will route.
- Load: This variable is based on the amount of work the CPU has to perform, and the number of packets the CPU must analyze and make calculations on.
Regardless of the routing protocol chosen, there is no single rule for selecting the best protocol based on its algorithm. The routing protocol must change to adapt to the network in the event there are network changes, and both Distance Vector and Link-State have this ability. When the routers change their tables based on this update information from the routing protocol, this is called convergence. When all routers have the same view of the network, the network is converged. It is the goal of all routing protocols to have fast convergence, so that the routers maintain a consistent view of the routes available to network segments, and do not use incorrect data to make routing decisions.
topology: The map or plan of the network. The physical topology describes how the wires or cables are laid out, and the logical or electrical topology describes how the information ows.
Figure 3-10: Routers passing the routing table. In Distance Vector routing, the routing table is passed between routers along the shared segments. In Figure 3-10, Router A and Router B will share their routing tables over the segment between them, out Interface E2 of Router A and out of Interface E0 of Router B. When the routers receive an update, they add any new information on how to get to new routes, or better paths (lower hop counts) to known routes. The algorithm adds one hop to the hop count for every hop that must be crossed to reach the destination. Figure 3-11 shows a basic routing table with hop count included.
Figure 3-11: A routing table with interfaces defined and hop counts.
In this example, the routing table has been created, and convergence has been achieved. Both routers have a consistent view of the network, and the routing tables define the path to the networks and the interface to forward packets out to reach the required destinations.
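The Distance Vector exchange just described, as an added Python example that is not from the course text: each router seeds its table with its connected networks, passes the table to its neighbors, adds one hop per update received, keeps only better (lower hop count) paths, and the exchange repeats until no table changes, which is the converged state of Figure 3-11. The three-router topology, its networks and interface addresses are constructed in the spirit of Figure 3-10; the hop limit of 16 is RIP's unreachable metric, which this page does not state.

```python
from typing import Dict, List, Tuple

# A route entry is (hop_count, next_hop, outgoing_interface).
RoutingTable = Dict[str, Tuple[int, str, str]]
RIP_INFINITY = 16  # RIP's "unreachable" hop count (RFC 1058); not stated on this page


def connected(networks: Dict[str, str]) -> RoutingTable:
    """Seed a table with directly connected networks: 0 hops, no next hop."""
    return {net: (0, "connected", iface) for net, iface in networks.items()}


def advertisement(table: RoutingTable) -> Dict[str, int]:
    """What a router sends its neighbors: every known network and its hop count."""
    return {net: hops for net, (hops, _nh, _if) in table.items()}


def merge_update(table: RoutingTable, neighbor_ip: str, update: Dict[str, int],
                 interface: str) -> bool:
    """Apply one update heard from neighbor_ip on interface; True if anything changed.

    Rules: add one hop for the link to the neighbor; install unknown networks;
    replace known routes only when the new path has fewer hops, except that a
    route already learned from this same neighbor always follows its latest
    word (even when worse), so a failed link propagates instead of lingering.
    """
    changed = False
    for net, advertised_hops in update.items():
        hops = min(advertised_hops + 1, RIP_INFINITY)
        current = table.get(net)
        if current is None:
            if hops >= RIP_INFINITY:
                continue  # never install an unreachable route
        elif current[1] == neighbor_ip:
            if current[0] == hops:
                continue  # same neighbor, same metric: nothing to do
        elif hops >= current[0]:
            continue  # not better than what we already have via another path
        table[net] = (hops, neighbor_ip, interface)
        changed = True
    return changed


# A link is (router_a, iface_a, ip_a, router_b, iface_b, ip_b).
Link = Tuple[str, str, str, str, str, str]


def converge(tables: Dict[str, RoutingTable], links: List[Link],
             max_rounds: int = 20) -> int:
    """Exchange tables across every link until no router changes. Returns rounds."""
    for rnd in range(1, max_rounds + 1):
        snapshot = {name: advertisement(t) for name, t in tables.items()}
        changed = False
        for a, a_if, a_ip, b, b_if, b_ip in links:
            changed |= merge_update(tables[a], b_ip, snapshot[b], a_if)
            changed |= merge_update(tables[b], a_ip, snapshot[a], b_if)
        if not changed:
            return rnd  # every router kept its table: the network is converged
    raise RuntimeError("no convergence within %d rounds" % max_rounds)


def sample_network() -> Tuple[Dict[str, RoutingTable], List[Link]]:
    """Constructed topology in the spirit of Figure 3-10: Router A's E2 faces
    Router B's E0, plus a third router C behind B so that a two-hop route appears."""
    tables = {
        "A": connected({"10.1.0.0/16": "E0", "10.2.0.0/16": "E1", "10.3.0.0/16": "E2"}),
        "B": connected({"10.3.0.0/16": "E0", "10.4.0.0/16": "E1"}),
        "C": connected({"10.4.0.0/16": "E0", "10.5.0.0/16": "E1"}),
    }
    links = [("A", "E2", "10.3.0.1", "B", "E0", "10.3.0.2"),
             ("B", "E1", "10.4.0.1", "C", "E0", "10.4.0.2")]
    return tables, links


if __name__ == "__main__":
    tables, links = sample_network()
    print("converged after", converge(tables, links), "rounds")
    for name, table in tables.items():
        for net, (hops, nh, iface) in sorted(table.items()):
            print(f"{name}: {net} hops={hops} via={nh} out={iface}")
```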
Link-State Routing
Where Distance Vector routing uses hop counts to make the decisions in the routing table on path determination, Link-State routing uses a more complex metric system. In Link-State routing, all routers maintain a consistent view of the network, as they do in Distance Vector routing, but they also are all aware of the complete network topology. The Link-State routers know each network segment, and the different options for reaching each segment. Convergence is just as critical in Link-State routing, and in order to have a converged network, there are steps that must be followed. Figure 3-12 shows a complex network, and after the diagram, the steps for convergence will be outlined.
Figure 3-12: In this complex network, 7 routers and 14 network segments are defined.
The steps for network convergence are as follows:
1. The routers identify the routers that are their direct neighbors. For example, Router 3 will identify Router 6 and Router 4 as neighbors.
2. The routers send LSPs (Link State Packets) to the network. The LSPs contain data on which networks the router can reach. For example, Router 7 would send LSPs indicating that Router 7 is connected to segments 10.0.0.0, 11.0.0.0, 12.0.0.0, and 14.0.0.0.
3. The routers in the network accept all the LSPs and build a topology database of the network. The LSPs from all routers are used to build this consistent view.
4. The SPF (Shortest Path First) algorithm is used to determine the accessibility of each network and the shortest path between networks. The SPF algorithm is executed on all routers, so that they all end up with the same topology view of the network. Each router knows the best path to every segment.
5. The router uses the SPF calculations to determine the best (shortest) path for reaching each destination network on the internetwork.
Common Protocols
Here is a quick list of common routing protocols used on Cisco routers:
- RIP (Routing Information Protocol) is a Distance-Vector protocol that uses hop count as its metric.
- IGRP (Interior Gateway Routing Protocol) is a routing protocol that uses a combined metric for routing decisions.
- EIGRP (Enhanced Interior Gateway Routing Protocol) is an enhanced version of IGRP that combines properties of Link-State and Distance Vector protocols.
- OSPF (Open Shortest Path First) is a Link-State protocol that commonly replaces RIP in growing internetworks.
- BGP (Border Gateway Protocol) is an interdomain routing protocol often used by Internet Service Providers.
- RTMP (Routing Table Maintenance Protocol) is Apple's routing protocol. RTMP routers dynamically update topology changes in the network.
Administrative Distances
As the router has the ability to use static routes, dynamic routes, and multiple protocols, the ability to see the current routing table becomes even more critical as the network's complexity increases. There is a function in the router called administrative distance. The administrative distance function has one obvious use, and that is deciding what to do when two or more methods in the router are aware of a path to a destination. For example, if you entered a static route on how to get to a location, and then RIP identified a route to that location, which route should the router use? This is where the administrative distance comes into play. The lower the value, the higher the level of trust the router places in that route. Some default administrative distances are listed in the following table.

Route Type                      Distance
Directly connected interface    0
Static route                    1
IGRP route                      100
OSPF route                      110
RIP route                       120
Therefore, if you had a static route and a RIP route, the static route would be the preferred route that the router uses. When viewing the routing table, not only will you be shown the current routes to destination networks, but you will also see the method used. The following configuration fragments show a portion of the routing tables for three routers in a network:
LEFT#show ip route
R 192.168.10.0/24 [120/1] via 192.168.20.2, 00:00:13, Serial1
C 192.168.20.0/24 is directly connected, Serial1
C 172.16.0.0/16 is directly connected, Ethernet0
R 172.17.0.0/16 [120/1] via 192.168.20.2, 00:00:13, Serial1
R 172.18.0.0/16 [120/2] via 192.168.20.2, 00:00:13, Serial1

CENTER#show ip route
C 192.168.10.0/24 is directly connected, Serial1
C 192.168.20.0/24 is directly connected, Serial0
R 172.16.0.0/16 [120/1] via 192.168.20.1, 00:00:13, Serial0
C 172.17.0.0/16 is directly connected, Ethernet0
R 172.18.0.0/16 [120/1] via 192.168.10.1, 00:00:18, Serial1

RIGHT#show ip route
C 192.168.10.0/24 is directly connected, Serial0
R 192.168.20.0/24 [120/1] via 192.168.10.2, 00:00:20, Serial0
R 172.16.0.0/16 [120/2] via 192.168.10.2, 00:00:20, Serial0
R 172.17.0.0/16 [120/1] via 192.168.10.2, 00:00:20, Serial0
C 172.18.0.0/16 is directly connected, Ethernet0
In these fragments, you can identify the routes on each router. You can also identify the routes that are directly connected and the routes that are using RIP. The way that you identify this is by the letter in front of each route. For example, in these examples, all routes with a letter C are connected interfaces. Routes with an R are using RIP. If a route had been input statically, it would have an S in front of it. For the RIP routes shown, note that the number 120 is displayed in brackets after the route. The 120 is an indicator of the administrative distance of this route. (The number following the slash is the hop count.)
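Reading the route letter, the bracketed distance and the hop count out of show ip route, and then choosing between a static and a RIP route by administrative distance as the text describes, as an added Python example (not from the course text). It parses the LEFT router's output exactly as printed above; the static route to 172.18.0.0/16 used for the comparison is constructed, as is the helper that flags routes whose distance differs from the table's defaults.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# Default administrative distances from the table in this lesson, keyed by the
# route-source letter that show ip route prints in front of each route.
ADMIN_DISTANCE = {"C": 0, "S": 1, "I": 100, "O": 110, "R": 120}


class Route(NamedTuple):
    code: str               # C, S, I, O, R
    prefix: str             # e.g. 172.16.0.0/16
    ad: int                 # administrative distance (first number in brackets)
    metric: int             # protocol metric (second number; hop count for RIP)
    next_hop: Optional[str]
    interface: Optional[str]


_CONNECTED = re.compile(r"^(C)\s+(\S+) is directly connected, (\S+)$")
_LEARNED = re.compile(r"^([SIOR])\s+(\S+) \[(\d+)/(\d+)\] via (\S+?)(?:,(.*))?$")


def parse_route_line(line: str) -> Optional[Route]:
    """Parse one show ip route line; None for prompts and other text."""
    line = line.strip()
    m = _CONNECTED.match(line)
    if m:
        code, prefix, iface = m.groups()
        return Route(code, prefix, 0, 0, None, iface)
    m = _LEARNED.match(line)
    if not m:
        return None
    code, prefix, ad, metric, next_hop, rest = m.groups()
    # After "via <next hop>" IOS may print an age (hh:mm:ss) and the outgoing
    # interface; take the last field unless it is the age.
    fields = [f.strip() for f in (rest or "").split(",") if f.strip()]
    iface = fields[-1] if fields and not re.fullmatch(r"[\d:]+", fields[-1]) else None
    return Route(code, prefix, int(ad), int(metric), next_hop, iface)


def parse_show_ip_route(text: str) -> List[Route]:
    return [r for r in map(parse_route_line, text.splitlines()) if r is not None]


def non_default_distance(routes: Iterable[Route]) -> List[Route]:
    """Routes whose bracketed distance differs from the default for their source:
    someone changed it deliberately (a floating static route, for example), which
    is worth confirming against the intended configuration."""
    return [r for r in routes if r.code in ADMIN_DISTANCE and r.ad != ADMIN_DISTANCE[r.code]]


def preferred(candidates: Iterable[Route]) -> Route:
    """Among routes to the same prefix the router keeps the lowest administrative
    distance, and only breaks ties on the protocol metric."""
    return min(candidates, key=lambda r: (r.ad, r.metric))


# The LEFT router's table exactly as printed in this lesson.
LEFT_SHOW_IP_ROUTE = """LEFT#show ip route
R 192.168.10.0/24 [120/1] via 192.168.20.2, 00:00:13, Serial1
C 192.168.20.0/24 is directly connected, Serial1
C 172.16.0.0/16 is directly connected, Ethernet0
R 172.17.0.0/16 [120/1] via 192.168.20.2, 00:00:13, Serial1
R 172.18.0.0/16 [120/2] via 192.168.20.2, 00:00:13, Serial1
"""

# Constructed: a static route to a network that RIP also advertises to LEFT.
STATIC_TO_172_18 = Route("S", "172.18.0.0/16", 1, 0, "192.168.20.2", None)


def left_choice_for_172_18() -> Route:
    """Static (distance 1) versus RIP (distance 120) for 172.18.0.0/16."""
    rip = [r for r in parse_show_ip_route(LEFT_SHOW_IP_ROUTE) if r.prefix == "172.18.0.0/16"]
    return preferred(rip + [STATIC_TO_172_18])


if __name__ == "__main__":
    for route in parse_show_ip_route(LEFT_SHOW_IP_ROUTE):
        print(route)
    print("preferred:", left_choice_for_172_18())
```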
RIP
RIP, or the Routing Information Protocol, is one of the most straightforward routing protocols that can be implemented. It also has no significant security, is broadcast-based, and is noisy. RIP functions by informing neighboring routers of the networks that the current router can reach. The current routes are created during the simple configuration process of setting up RIP in the router. The following configuration fragments show the configuration of RIP on three routers, LEFT, RIGHT, and CENTER:
LEFT#configure terminal
LEFT(config)#router rip
LEFT(config-router)#network 172.16.0.0
LEFT(config-router)#network 192.168.10.0
LEFT(config-router)#^Z
LEFT#

RIGHT#configure terminal
RIGHT(config)#router rip
RIGHT(config-router)#network 172.18.0.0
RIGHT(config-router)#network 192.168.20.0
RIGHT(config-router)#^Z
RIGHT#

CENTER#configure terminal
CENTER(config)#router rip
CENTER(config-router)#network 172.17.0.0
CENTER(config-router)#network 192.168.10.0
CENTER(config-router)#network 192.168.20.0
CENTER(config-router)#^Z
CENTER#
In these fragments, RIP routing has been configured with the networks that each router can reach. For example, the LEFT router will announce that if there is a packet destined for network 172.16.0.0, then the other routers should send it to the LEFT router. Because RIP is broadcast-based, any host on a segment where RIP broadcasts are sent can receive the update. Only the router has a legitimate routing function, but an attacker can learn valuable information, such as the configuration and addressing of a network.
TASK 3B-2
Viewing a RIP Capture
Setup: You are logged on to Windows Server 2003 as the renamed Administrator account, and Network Monitor is running.

1. Open rip update.cap located in C:\Tools\Lesson3.
2. Expand Frame One, and observe the contents of the packet.
3. Look for the destination address of the packet. Find the IP and MAC destination addresses.
4. Observe the source address. You can conclude that this is likely the source address of a router in the network.
5. Expand the RIP portion of the frame capture.
6. Examine the network details sent in the packet. Even though you are a random user on the network, you have captured the packet and are able to learn quite a few things about the network in a very short amount of time.
7. Close the capture file, and leave Network Monitor open.
RIPv2
In order to address some of the issues associated with RIP, RIPv2 was introduced as a routing protocol. A security advantage was the ability to require and use authentication for RIP updates. From a networking perspective, the configuration is very similar to RIPv1, as shown previously. The following configuration fragment shows the same three routers configured to use RIPv2 instead of RIPv1:
Lesson 3: Routers and Access Control Lists 125
LEFT#configure terminal
LEFT(config)#router rip
LEFT(config-router)#version 2
LEFT(config-router)#network 172.16.0.0
LEFT(config-router)#network 192.168.10.0
LEFT(config-router)#^Z
LEFT#

RIGHT#configure terminal
RIGHT(config)#router rip
RIGHT(config-router)#version 2
RIGHT(config-router)#network 172.18.0.0
RIGHT(config-router)#network 192.168.20.0
RIGHT(config-router)#^Z
RIGHT#

CENTER#configure terminal
CENTER(config)#router rip
CENTER(config-router)#version 2
CENTER(config-router)#network 172.17.0.0
CENTER(config-router)#network 192.168.10.0
CENTER(config-router)#network 192.168.20.0
CENTER(config-router)#^Z
CENTER#
The authentication used is a key and MD5. The following configuration fragment shows the setup of RIPv2 authentication. In this fragment, first each interface is told that MD5 RIP authentication is required and which key chain to use, then the key chain and its key (the word strongpassword) are created.
Router#configure terminal
Router(config)#interface ethernet0
Router(config-if)#ip rip authentication key-chain 3
Router(config-if)#ip rip authentication mode md5
Router(config-if)#exit
Router(config)#interface serial0
Router(config-if)#ip rip authentication key-chain 3
Router(config-if)#ip rip authentication mode md5
Router(config-if)#exit
Router(config)#interface serial1
Router(config-if)#ip rip authentication key-chain 3
Router(config-if)#ip rip authentication mode md5
Router(config-if)#^Z
Router#configure terminal
Router(config)#key chain 3
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string strongpassword
Router(config-keychain-key)#^Z
Router#
All routers that will exchange routing updates on the same network must use the same configuration, so that the authentication will match. Once the router is configured, if you were to enter the show running-config command, you would get the following new pieces in the output:
enable secret 5 $1$v13S$Nk8zY5NcYor5VvAfcfZCn0
enable password 2501
!
!
key chain 3
 key 1
  key-string strongpassword
!
interface Ethernet0
 ip address 172.16.0.1 255.255.0.0
 ip rip authentication mode md5
 ip rip authentication key-chain 3
 no mop enabled
interface Serial0
 no ip address
 shutdown
TASK 3B-3
Viewing a RIPv2 Capture
Setup: You are logged on to Windows Server 2003 as the renamed Administrator account, and Network Monitor is running.

1. Open ripv2withAuthentication.cap, located in C:\Tools\Lesson3.
2. Expand Frame One (the only frame) and observe the contents of the packet.
3. Look for the destination address of the packet. Find the IP and MAC destination addresses.
4. Observe the source address. You can conclude that this is likely the source address of a router in the network.
5. Expand the RIP portion of the frame capture.
6. Examine the network details sent in the packet.
7. Observe the addition of the Authentication portion of the capture and the additional fields not present in the RIPv1 packet. Second, observe that the Routing Data is still visible.
8. Close Network Monitor.
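The frames examined in Tasks 3B-2 and 3B-3 can also be decoded without Network Monitor. The following Python is an added example; it is not part of the course material and does not read the course's capture files. It builds three constructed RIP responses (sample bytes modelled on LEFT's announcements, not captured traffic), decodes them, and reports what a host listening on the segment would learn: with RIPv1 there is no authentication at all, with RIPv2 simple-password authentication the key itself travels in cleartext, and with RIPv2 MD5 authentication only a key ID and a digest are visible, while in every case the routing data stays readable, which is what Task 3B-3 has you observe. The field layouts follow RFC 2453 and RFC 2082; the MD5 digest bytes are a placeholder, because the real value is keyed with the key-chain secret.

```python
import struct

AFI_IP = 2
AFI_AUTH = 0xFFFF    # RFC 2453: this 20-byte entry carries authentication, not a route
AUTH_TRAILER = 1     # RFC 2082: trailing entry that holds the MD5 digest
AUTH_SIMPLE = 2      # RFC 2453: cleartext password
AUTH_MD5 = 3         # RFC 2082: keyed-MD5 header entry (key id, sequence number)


def _dotted(raw):
    return ".".join(str(b) for b in raw)


def _packed(dotted):
    return bytes(int(x) for x in dotted.split("."))


def parse_rip(data):
    """Decode one RIP datagram payload (UDP port 520) into command, version, auth and routes."""
    if len(data) < 4 or (len(data) - 4) % 20:
        raise ValueError("not a RIP datagram: length %d" % len(data))
    command, version = data[0], data[1]
    msg = {"command": {1: "request", 2: "response"}.get(command, command),
           "version": version, "auth": None, "digest": None, "routes": []}
    for off in range(4, len(data), 20):
        entry = data[off:off + 20]
        afi = struct.unpack("!H", entry[:2])[0]
        if afi == AFI_AUTH:
            auth_type = struct.unpack("!H", entry[2:4])[0]
            if auth_type == AUTH_SIMPLE:
                # the password is sent as typed, NUL-padded to 16 bytes
                msg["auth"] = {"type": "simple",
                               "password": entry[4:].rstrip(b"\0").decode("ascii", "replace")}
            elif auth_type == AUTH_MD5:
                pkt_len, key_id, auth_len, seq = struct.unpack("!HBBI", entry[4:12])
                msg["auth"] = {"type": "md5", "key_id": key_id, "seq": seq,
                               "auth_len": auth_len, "pkt_len": pkt_len}
            elif auth_type == AUTH_TRAILER:
                msg["digest"] = entry[4:].hex()
            continue
        tag, net, mask, nh, metric = struct.unpack("!H4s4s4sI", entry[2:])
        msg["routes"].append({"network": _dotted(net), "mask": _dotted(mask),
                              "next_hop": _dotted(nh), "tag": tag, "metric": metric})
    return msg


def exposure(msg):
    """Summarize what a passive listener on the segment learns from this update."""
    n = len(msg["routes"])
    if msg["auth"] is None:
        return "RIPv%d without authentication: %d route(s) readable, updates unauthenticated" % (msg["version"], n)
    if msg["auth"]["type"] == "simple":
        return "RIPv2 simple password: key %r readable in cleartext, %d route(s) readable" % (msg["auth"]["password"], n)
    return "RIPv2 MD5 (key id %d): digest only, key not exposed, but %d route(s) still readable" % (msg["auth"]["key_id"], n)


def build_response(version, routes, auth=None):
    """Construct a RIP response for the demonstration (sample data, not a real capture).

    routes: (network, mask, metric) tuples; auth: None, ("simple", password) or ("md5", key_id, seq).
    """
    entries = b"".join(
        struct.pack("!HH4s4s4sI", AFI_IP, 0, _packed(net),
                    _packed(mask) if version == 2 else b"\0" * 4, b"\0" * 4, metric)
        for net, mask, metric in routes)
    header = struct.pack("!BBH", 2, version, 0)
    if auth is None:
        return header + entries
    if auth[0] == "simple":
        return header + struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, auth[1].encode()) + entries
    # MD5 layout: header entry, routes, trailer; the digest bytes below are a placeholder,
    # since the real value is keyed with the secret from the router's key chain
    pkt_len = 4 + 20 + len(entries)
    head = struct.pack("!HHHBBI", AFI_AUTH, AUTH_MD5, pkt_len, auth[1], 20, auth[2]) + b"\0" * 8
    trailer = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER) + bytes(range(16))
    return header + head + entries + trailer


# Constructed updates modelled on LEFT's announcements in the fragments above
ROUTES = [("172.16.0.0", "255.255.0.0", 1), ("192.168.10.0", "255.255.255.0", 1)]
V1_UPDATE = build_response(1, ROUTES)
V2_SIMPLE = build_response(2, ROUTES, ("simple", "strongpassword"))
V2_MD5 = build_response(2, ROUTES, ("md5", 1, 42))

if __name__ == "__main__":
    for packet in (V1_UPDATE, V2_SIMPLE, V2_MD5):
        decoded = parse_rip(packet)
        print(exposure(decoded))
        for route in decoded["routes"]:
            print("    %s %s metric %d" % (route["network"], route["mask"], route["metric"]))
```

The decoder reports the digest but does not verify it; verification would need the shared key from the key chain configured above, which is exactly what a listener without that key lacks.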
Topic 3C
Removing Protocols and Services
The fundamental concept of hardening the router is no different than hardening Linux or Windows. You must remove all of the protocols and services that are unused. You must configure the required protocols and services so that they are secured for access. In this topic, you will look at removing many of the protocols and services that are often not used on a router and continue to harden the device.
CDP
The Cisco Discovery Protocol (CDP) is a protocol used by Cisco routers to exchange information, such as platform information and status, with each other. In general, CDP can be a useful thing to use when troubleshooting in a simple environment. Unfortunately, like most things that can make our lives as administrators a little easier, CDP can make an attacker's job a little easier because it gives out important information such as the IOS version that the router is running. And, of course, knowing what IOS version is running makes an attacker's job much easier since he or she will have a much better idea of what exploits will work against such a target. In the following configuration fragment, you can see that turning off CDP for the entire router is not a complex set of commands; only two commands are required:
Router#config terminal
Router(config)#no cdp run
Router(config)#^Z
Router#
However, it may be desirable to stop CDP only on those interfaces that are not connected directly to another router. Perhaps there is only a direct link between two serial interfaces, and you want to allow CDP to run there, but not on the internal Ethernet network. In the following configuration fragment, CDP is disabled just for the Ethernet interface. Note that the only addition is the defining of the interface, and the command is no cdp enable, instead of no cdp run:
Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no cdp enable
Router(config-if)#^Z
Router#
TASK 3C-1
Turning Off CDP
1. Create the configuration fragment that you would use for turning off CDP on Ethernet 0, Ethernet 1, and Serial 1.
Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no cdp enable
Router(config-if)#interface Ethernet 1
Router(config-if)#no cdp enable
Router(config-if)#interface Serial 1
Router(config-if)#no cdp enable
Router(config-if)#^Z
Router#
ICMP
ICMP provides, among other functions, the ability to use the often-required ping and traceroute commands. However, ICMP has become one of the most misused of all protocols. DoS and DDoS attacks use ICMP, and more and more attacks take advantage of this function of the network. In this section, only a few examples of hardening ICMP are discussed.
traceroute: An operation of sending trace packets for determining information; traces the route of UDP packets from the local host to a remote host. Normally, traceroute displays the time and location of each hop on the route taken to reach its destination.
ICMP Unreachable
Another very common attack is for a potential intruder to scan your system(s) looking for services that are open and that can be exploited. It is common to use ICMP to perform these scans of systems. If you remove the ICMP Unreachable message, be aware that your system will not respond with desired unreachable messages, such as those your internal users legitimately need during time-outs. The following configuration fragment shows the disabling of ICMP Unreachable messages on the Serial 0 interface. To remove ICMP Unreachable messages on the entire router, this command needs to be entered for each interface.
Router#config terminal
Router(config)#interface Serial 0
Router(config-if)#no ip unreachables
Router(config-if)#^Z
Router#
TASK 3C-2
Hardening ICMP
1. Create the configuration fragment that you would use to disable ICMP Directed Broadcasts and ICMP Unreachable messages on the entire router, which has the Ethernet 0, Serial 0, and Serial 1 interfaces.
Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip unreachables
Router(config)#interface Serial 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip unreachables
Router(config)#interface Serial 1
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip unreachables
Router(config-if)#^Z
Router#
Source Routing
A feature that was added to routers to increase the control administrators had over the network was source routing. This feature has become a vulnerability that attackers now use. Source routing is used to allow a packet to dictate the path it should take through a routed network. This packet does not follow the routing tables as designated by the routing protocols. Doing so may allow an attacker to bypass critical systems, such as a firewall or an IDS. In most situations, there is no need for source routing to be allowed on any router. The configuration fragment that follows shows the disabling of the source routing service:
Router#config terminal
Router(config)#no ip source-route
Router(config)#^Z
Router#
Small Services
TCP and UDP small services are enabled on some routers by default (generally IOS 11.3 and previous versions). Small services are not often used anymore and include echo, discard, daytime, and chargen. On most routers, be sure to disable these services. The configuration fragment that follows shows the disabling of small services for both TCP and UDP:
Router#config terminal
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
Router(config)#^Z
Router#
Finger
Finger is another older service that is rarely used in modern networks. The Finger service is used to find information about users who are logged into a router. On older versions of the IOS (11.2 and older), Finger is disabled by using the no service finger command. On newer versions of the IOS (11.3 and newer), Finger is disabled by using the no ip finger command. In the following code, the first configuration fragment shows the removal of the Finger service from an older router, and the second fragment shows the removal of the Finger service from a newer router:
Router#config terminal
Router(config)#no service finger
Router(config)#^Z
Router#

Router#config terminal
Router(config)#no ip finger
Router(config)#^Z
Router#
Remaining Services
As a security professional, you know that hardening a piece of equipment means disabling or removing all of the services and protocols that you are not using. In this section, you will see several other services that you should consider disabling for your router. In consideration of space, every service and protocol cannot be listed in this section; only several of the significant services can be highlighted.

The BootP service is used to remotely boot computers via the network. This service can be disabled by using the no ip bootp server command.

The DNS function is enabled on Cisco routers, but there is no defined name server. The net result is broadcasting for all DNS requests. To disable this function, use the no ip name-server command.

The Network Time Protocol (NTP) is used for time synchronization on the network. This service can be disabled by using no ntp server. If you want to disable this protocol for only a single interface, use ntp disable when you are in Interface Mode.

The Simple Network Management Protocol (SNMP) is used to communicate between network devices. SNMP left as-is on routers can provide information about the router to attackers. Disable SNMP by using no snmp-server.

HTTP is used on some routers to allow for remote access and management. Unless specifically required in your organization, this should be disabled. To disable HTTP, use no ip http server.
When NTP is used in conjunction with syslog, so that log entries carry accurate timestamps, it can be useful for forensic purposes.
The configuration fragment that will disable all of the above services will look like this:
Router#config terminal
Router(config)#no ip bootp server
Router(config)#no ip name-server
Router(config)#no ntp server
Router(config)#no snmp-server
Router(config)#no ip http server
Router(config)#^Z
Router#
TASK 3C-3
Removing Unneeded Services
1. Create the configuration fragment that you would use to remove the following services from the whole IOS v12.x router: CDP, ICMP Directed Broadcasts, Small Servers, Source Routing, and Finger. For this exercise, you can assume that the interfaces are named E0, S0, and S1.
Router#config terminal
Router(config)#no cdp run
Router(config)#interface Ethernet 0
Router(config-if)#no ip directed-broadcast
Router(config)#interface Serial 0
Router(config-if)#no ip directed-broadcast
Router(config)#interface Serial 1
Router(config-if)#no ip directed-broadcast
Router(config-if)#^Z
Router#

Router#config terminal
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
Router(config)#no ip source-route
Router(config)#no ip finger
Router(config)#^Z
Router#
AutoSecure
A newer security feature, built into the IOS starting with version 12.3(1), is called AutoSecure. AutoSecure is essentially a script designed to help you secure the router by following a set of questions rather than coding line-by-line the services and interfaces you want to secure. AutoSecure can also address your passwords, ensuring that no simple words are used, prompt for the configuration of SSH, and enable console logging, among other security issues. AutoSecure has its security features divided into two core groups (Cisco calls these groups Planes). These two groups are called the Management Plane and the Forwarding Plane.
You know by now that there are many more security issues than the ones addressed so far. The following list details the services, global to the whole router, that can be disabled with AutoSecure:

- BootP
- CDP
- Finger
- HTTP Server
- IdentD protocol
- Network Time Protocol (NTP)
- Packet Assembler and Disassembler (PAD)
- Source Routing
- Small Servers (both TCP and UDP)
Topic 3D
Creating Access Control Lists
Access Control Lists (ACLs) enable network administrators not only to control access from a security standpoint, but also to restrict bandwidth use on critical links. In this and the following topic, the discussion will be on IP access lists, but be aware that access lists can exist for other routed protocols, such as AppleTalk and IPX/SPX. An ACL is a packet filter that compares a packet with a given set of criteria. The ACL checks the packet and acts upon the packet as defined by the list.

Access Control Lists are divided into several main categories, and for this course, you will focus on three categories: Standard ACLs, Extended ACLs, and Context-based ACLs.

Standard ACLs are designed to look at the source address of a packet that has been received by the router. The result of the list is to either permit or deny the packet based on the subnet, host, or network address. A standard access list takes effect for the full IP protocol stack.

Extended ACLs are designed to look at both the source and destination packet addresses. Not limited to the source IP address, extended lists allow for checking of protocol, port number, and destination address. This additional flexibility is the reason that many administrators implement extended lists on their networks.

Context-based ACLs are designed to look at information from layer 3 all the way through layer 7. This becomes the Cisco IOS stateful firewall function inside the Cisco router.
packet filter: Inspects each packet for user-defined content, such as an IP address, but does not track the state of sessions. This is one of the least secure types of firewall.
Figure 3-13: The Access Control List process. Figure 3-13 illustrates this outbound process. A packet is taken in via Interface E0. In this example, the packet is incoming on Interface Ethernet 0 and destined to be outgoing on Interface Ethernet 1. Because the list is used to determine whether or not the packet is to exit on interface Ethernet 1, this list can be determined to be an outgoing list.
The chart in Figure 3-15 shows several examples of the wildcard mask checking options. Where there is a 0, the values are checked for a match, and where there is a 1, the value is not checked.
Figure 3-15: Examples of wildcard masks. As you can see from this chart, if there were a mask of 11111111, then none of the eight bits of the corresponding IP address would be checked. Likewise, if there were a wildcard mask of 00000000, then all eight bits of the corresponding IP address would be checked.
Item           Value
IP Address     10.15.10.187
Subnet Mask    255.255.255.0
Wildcard Mask  0.0.0.0
This tells the router to check every bit of the IP address, and if those bits are 10.15.10.187, then this access list statement applies to this host. If the goal is to have an access list statement match an entire network, the following wildcard mask could be used.

Item           Value
IP Network     10.15.10.0
Subnet Mask    255.255.255.0
Wildcard Mask  0.0.0.255
This tells the router to check only the first 24 bits of the IP address, and if the decimal value of those bits is 10.15.10, then this access list statement applies to this host. If the goal is to block a specified subnet, the mask requires a bit more calculation, but still functions the same way. In the event that the administrator wants to have subnet 10.15.10.32 match an access list statement, the mask would be as follows.

Item               Value
IP Subnet Address  10.15.10.32
Subnet Mask        255.255.255.224
Wildcard Mask      0.0.0.31

This tells the router to check all but the last five bits of the fourth octet. If the checked bits equal 10.15.10.32, then the access list statement applies to this host.
TASK 3D-1
Creating Wildcard Masks
1. If your goal is to block out a single host, such as 192.168.27.93, that uses 255.255.255.0 as the subnet mask, what wildcard mask would you use?
0.0.0.255

2. If your goal is to block out a subnet of 10.12.24.0 that uses 255.255.248.0 as the subnet mask, what wildcard mask would you use?
0.0.7.255

3. If your goal is to block out network 172.168.32.0 that uses 255.255.255.0 as the subnet mask, what wildcard mask would you use?
0.0.0.255
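To make the wildcard arithmetic in this topic concrete, here is an added Python example (not course material or Cisco code) that derives the wildcard mask from a subnet mask, shows which bits of each octet the router checks, applies the router's matching test to candidate addresses, and reports the range of addresses a base/wildcard pair covers. It also flags a wildcard that is not a contiguous run of zeros followed by ones, since such a mask does not describe a single prefix. The subnet masks and addresses used are the ones from the tables and the task above.

```python
import ipaddress


def _int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _dotted(value):
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_from_mask(subnet_mask):
    """A wildcard mask is the bitwise inverse of the subnet mask: 0 = check the bit, 1 = ignore it."""
    return _dotted(~_int(subnet_mask))


def is_contiguous(wildcard):
    """True when the wildcard is a run of 0s followed by a run of 1s, i.e. a plain prefix match."""
    w = _int(wildcard)
    return (w & (w + 1)) == 0


def checked_bits(wildcard):
    """Number of leading bits the router compares for a contiguous wildcard (the prefix length)."""
    if not is_contiguous(wildcard):
        raise ValueError("%s is not contiguous; it does not describe a single prefix" % wildcard)
    return 32 - _int(wildcard).bit_length()


def bit_pattern(wildcard):
    """Per-octet binary view of the wildcard: checked bits show as 0, ignored bits as 1."""
    return " ".join(format(int(octet), "08b") for octet in wildcard.split("."))


def matches(address, base, wildcard):
    """The router's test: every bit with a 0 in the wildcard must agree between address and base."""
    checked = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(address) & checked) == (_int(base) & checked)


def matching_range(base, wildcard):
    """Lowest and highest address a contiguous (base, wildcard) pair matches."""
    if not is_contiguous(wildcard):
        raise ValueError("%s is not contiguous; the matches do not form one range" % wildcard)
    w = _int(wildcard)
    low = _int(base) & ~w & 0xFFFFFFFF
    return _dotted(low), _dotted(low | w)


if __name__ == "__main__":
    # constructed examples mirroring the tables in this topic
    for mask in ("255.255.255.255", "255.255.255.0", "255.255.255.224", "255.255.248.0"):
        wc = wildcard_from_mask(mask)
        print("%-16s -> %-12s checks %2d bits  %s" % (mask, wc, checked_bits(wc), bit_pattern(wc)))
    print(matches("10.15.10.57", "10.15.10.32", "0.0.0.31"), matching_range("10.15.10.32", "0.0.0.31"))
```

A host entry is the special case of wildcard 0.0.0.0 (every bit checked), which is what the host keyword in an extended list stands for.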
Topic 3E
Implementing Access Control Lists
In this topic, we will detail the implementation of and rule-creation for access lists. There will be examples of access lists and their syntax on a Cisco router. Examples will include both standard and extended IP access lists, the most common lists for networks connected to the Internet today.
Although you have the option of using standard or extended access lists, the extended lists are preferred because they provide more granularity when you are permitting and denying traffic.
Access Control Lists are implemented in two stages on Cisco routers. The first stage is to create the list, including all of its statements. The second stage is the implementation of the list on an interface of a router, defining whether the list is to filter packets as an inbound or outgoing list.
Where:
access-list is the actual command to create a list.
access-list-number is a value between 1 and 99 that is selected to create a standard ACL.
permit|deny is the value that defines whether the list will grant or block access.
source is the value that is the actual source address to match.
source-mask is the value that specifies the wildcard mask for the defined host.
Once the list has been created, the second stage is to apply the list to an interface. Before you do this, however, make sure that you have specified the interface that you want to be affected by the list. The syntax for list application is shown here. Again, items in italics are variables to be filled in.

Router(config-if)#ip access-group access-list-number {in|out}

Where:
ip access-group is the command to link (implement) a list to an interface.
access-list-number is the value assigned to the actual list to be implemented on this interface.
in|out is the value that defines whether the list will filter inbound or outbound packets.
Figure 3-16: A sample network for ACL implementation. Use Figure 3-16, with the network and host IP addresses defined, to look at several examples of access lists. The same figure will be used for all examples, only with different lists, different goals, and different implementations. These examples will use both standard and extended IP access lists.
Denial of a Subnet
Our second example will be the denial of a defined host out to the Internet and the denial of an entire network to the Internet. This can also be accomplished by using a standard ACL. The configuration fragment for this example is:
Router#configure terminal
Router(config)#access-list 45 deny 192.168.10.7 0.0.0.0
Router(config)#access-list 45 deny 192.168.20.0 0.0.0.255
Router(config)#access-list 45 permit 0.0.0.0 255.255.255.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 45 out
Router(config-if)#^Z
Router#
The fourth line is permitting all trafc not denied by the second and third lines.
Denial of a Network
Our third example will be the denial of an entire network from another network. This can be accomplished by using a standard ACL. The configuration fragment for this example is:
Router#configure terminal
Router(config)#access-list 57 deny 192.168.20.0 0.0.0.255
Router(config)#access-list 57 deny 192.168.10.0 0.0.0.255
Router(config)#access-list 57 permit 0.0.0.0 255.255.255.255
Router(config)#interface Ethernet 0
Router(config-if)#ip access-group 57 out
Router(config-if)#interface Ethernet 1
Router(config-if)#ip access-group 57 out
Router(config-if)#^Z
Router#
Anti-DoS ACLs
These ACLs work by recognizing the protocol and port selection of the DoS attack. It is possible that by using these ACLs, you may block legitimate applications that have chosen the same high port values, so that must be taken into account. In order to prevent hosts inside the network from participating in a DoS on an Internet host, you should consider placing these on all interfaces, in both directions. At the minimum, you will place these lists on the inbound interfaces that are connected to the Internet. In the configuration fragment that follows, the first section (ports 27665, 31335, 27444) of the list is designed to block the TRINOO DDoS, and the second section (ports 6776, 6669, 2222, 7000) is designed to block the SubSeven DDoS.
Router(config)#access-list 160 deny tcp any any eq 27665
Router(config)#access-list 160 deny udp any any eq 31335
Router(config)#access-list 160 deny udp any any eq 27444
Router(config)#access-list 160 deny tcp any any eq 6776
Router(config)#access-list 160 deny tcp any any eq 6669
Router(config)#access-list 160 deny tcp any any eq 2222
Router(config)#access-list 160 deny tcp any any eq 7000
Anti-SYN ACLs
The TCP SYN attack is where the attacker floods the target host and prevents any legitimate connections from being made to the target host. To work on blocking this, the ACL must allow legitimate TCP connections, which are created by hosts inside the network, but disallow connections to those hosts from outside (such as from the Internet).
142 Tactical Perimeter Defense
In this first configuration fragment, traffic that is established internally is allowed out, and incoming connections are not able to create new sessions.
Router#configure terminal
Router(config)#access-list 170 permit tcp any 192.168.20.0 0.0.0.255 established
Router(config)#access-list 170 deny ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 170 in
Router(config-if)#^Z
Router#
Anti-Land ACLs
Another type of attack that has been around for some time is the Land attack. The Land attack is rather simple in design, but it can cause serious network damage to unprotected systems. The attack works by sending a packet from an IP address to the same IP address, using the same ports. So, a packet would be sent from 10.10.10.10:5700 to 10.10.10.10:5700, causing a significant slowdown or DoS of the target. The following configuration fragment shows the defense against a Land attack on host 10.20.30.50, which is an IP address of an external interface on the router.
Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip address 10.20.30.50 255.255.255.0
Router(config-if)#exit
Router(config)#
Router(config)#access-list 110 deny ip host 10.20.30.50 host 10.20.30.50 log
Router(config)#access-list 110 permit ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 110 in
Router(config-if)#^Z
Router#
Anti-spoofing ACLs
Spoofing of packets has become more commonplace due to the increased number of tools that provide this function. You can use your router to combat this issue by not allowing packets to enter the network if they claim to come from an internal IP address. When you create these lists, you want them to be complete. In other words, do not forget to block the broadcast addresses (to prevent attacks like the Smurf attack), the network addresses themselves, and private or reserved addresses. In the following configuration fragment, the internal network is 152.148.10.0/24, and you will see that there are quite a few lines necessary to provide for full spoof protection:
Router#configure terminal
Router(config)#access-list 130 deny ip 152.148.10.0 0.0.0.255 any
Router(config)#access-list 130 deny ip 127.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 0.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 10.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 172.16.0.0 0.15.255.255 any
Router(config)#access-list 130 deny ip 192.168.0.0 0.0.255.255 any
Router(config)#access-list 130 deny ip host 255.255.255.255 any
Router(config)#access-list 130 permit ip any 152.148.10.0 0.0.0.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 130 in
Router(config-if)#^Z
Router#
TASK 3E-1
Creating Access Control Lists
Setup: Use the network as diagrammed in Figure 3-16 for this task.

1. Create the configuration fragment that you would use to create an Access Control List to prevent a SYN attack coming from the Internet into the private networks.
Router#configure terminal
Router(config)#access-list 135 permit tcp any 192.168.20.0 0.0.0.255 established
Router(config)#access-list 135 permit tcp any 192.168.10.0 0.0.0.255 established
Router(config)#access-list 135 deny ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 135 in
Router(config-if)#^Z
Router#
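The lists in this topic can be exercised without a router. The following Python is an added example, not Cisco code or course material: it parses numbered standard and extended access-list statements in the syntax shown above (any, host, wildcard masks, eq ports, established and log), then evaluates packets top-down with first match winning and the implicit deny that ends every list. The sample statements are constructed from the fragments in this topic; the 172.16.0.0 line uses wildcard 0.15.255.255, which covers the whole 172.16.0.0/12 private range, and each list is closed with an explicit permit so that only the named traffic is dropped. The anti-DoS list as printed above ends with deny statements only; on a real router the implicit deny would then drop everything else too, which the evaluator shows if you remove the permit line from the sample.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)   # base 0 with an all-ones wildcard matches every address


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _addr(tok, i):
    """Consume 'any', 'host A' or 'A WILDCARD' (the wildcard may be omitted, meaning 0.0.0.0)."""
    if tok[i] == "any":
        return ANY + (i + 1,)
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():
        return _ip(tok[i]), _ip(tok[i + 1]), i + 2
    return _ip(tok[i]), 0, i + 1


def parse_acl(config_text):
    """Collect numbered access-list statements; prompts such as Router(config)# are stripped."""
    acls = {}
    for raw in config_text.splitlines():
        tok = raw.split("#", 1)[-1].split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        number = int(tok[1])
        rule = {"action": tok[2], "text": " ".join(tok), "proto": "ip",
                "sport": None, "dport": None, "established": False}
        if number <= 99:                            # standard list: source address only
            rule["src"], rule["src_wc"], _ = _addr(tok, 3)
            rule["dst"], rule["dst_wc"] = ANY
        else:                                       # extended list: protocol, source, destination, options
            rule["proto"] = tok[3]
            rule["src"], rule["src_wc"], i = _addr(tok, 4)
            if tok[i] == "eq":                      # a port right after the source is a source port
                rule["sport"], i = int(tok[i + 1]), i + 2
            rule["dst"], rule["dst_wc"], i = _addr(tok, i)
            while i < len(tok):
                if tok[i] == "eq":
                    rule["dport"], i = int(tok[i + 1]), i + 2
                elif tok[i] == "established":       # only TCP segments with ACK or RST set
                    rule["established"], i = True, i + 1
                else:                               # 'log' and similar keywords do not affect matching
                    i += 1
        acls.setdefault(number, []).append(rule)
    return acls


def _hits(r, src, dst, pkt):
    if r["proto"] not in ("ip", pkt["proto"]):
        return False
    if (src ^ r["src"]) & ~r["src_wc"] & 0xFFFFFFFF or (dst ^ r["dst"]) & ~r["dst_wc"] & 0xFFFFFFFF:
        return False
    if r["sport"] is not None and pkt.get("sport") != r["sport"]:
        return False
    if r["dport"] is not None and pkt.get("dport") != r["dport"]:
        return False
    if r["established"] and not ({"ACK", "RST"} & set(pkt.get("flags", ()))):
        return False
    return True


def evaluate(rules, pkt):
    """Top-down, first match wins; a packet matching no statement hits the implicit deny ending every list."""
    src, dst = _ip(pkt["src"]), _ip(pkt["dst"])
    for r in rules:
        if _hits(r, src, dst, pkt):
            return r["action"], r["text"]
    return "deny", "implicit deny"


# Constructed sample: statements typed from the fragments in this topic, each list closed with an
# explicit permit so that only the named traffic is dropped (172.16.0.0/12 uses wildcard 0.15.255.255)
SAMPLE_CONFIG = """
Router(config)#access-list 45 deny 192.168.10.7 0.0.0.0
Router(config)#access-list 45 deny 192.168.20.0 0.0.0.255
Router(config)#access-list 45 permit 0.0.0.0 255.255.255.255
Router(config)#access-list 160 deny tcp any any eq 27665
Router(config)#access-list 160 deny udp any any eq 31335
Router(config)#access-list 160 permit ip any any
Router(config)#access-list 170 permit tcp any 192.168.20.0 0.0.0.255 established
Router(config)#access-list 170 deny ip any any
Router(config)#access-list 130 deny ip 152.148.10.0 0.0.0.255 any
Router(config)#access-list 130 deny ip 10.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 172.16.0.0 0.15.255.255 any
Router(config)#access-list 130 permit ip any 152.148.10.0 0.0.0.255
"""
ACLS = parse_acl(SAMPLE_CONFIG)

if __name__ == "__main__":
    inbound_syn = {"src": "203.0.113.9", "dst": "192.168.20.5", "proto": "tcp", "dport": 80, "flags": {"SYN"}}
    reply = dict(inbound_syn, sport=80, dport=4321, flags={"SYN", "ACK"})
    print(evaluate(ACLS[170], inbound_syn))   # new inbound session: denied
    print(evaluate(ACLS[170], reply))         # return traffic of an internal session: permitted
    print(evaluate(ACLS[130], {"src": "172.20.1.1", "dst": "152.148.10.9", "proto": "udp"}))
```

The established keyword is only a flag check (ACK or RST set), which is why the text later introduces CBAC for real session tracking; a crafted segment with ACK set still passes this list.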
Cisco Context-based Access Control (CBAC) works by filtering TCP, UDP, and in more recent revisions, ICMP network traffic. CBAC is able to inspect inside the packet, looking at the actual application. CBAC essentially works by creating a dynamic (temporary) opening in your router, keeping track of the state of your network traffic. For example, assume you had an access control list that said no Telnet connections are to be accepted inbound from the Internet to your router. With CBAC, you can build your system to allow an inbound Telnet packet IF the router recognizes that packet as the return traffic of a session that was started by an authorized internal user. When packets enter the router, they are first processed through the access control lists. If a packet is denied, it will not move on to CBAC inspection. If the packet is allowed after running through the ACLs, then that packet will move on to CBAC inspection.
Since UDP communications do not establish a session, the CBAC system approximates the time (as defined by the administrator) that a session should remain open.
Topic 3F
Logging Concepts
Although it does not get the credit or generate a high level of interest, logging on the router is a critical aspect of router hardening. Logs enable you to investigate attacks, find problems in the network, and analyze the network. When you are configuring the logging options on a router, just as with logging elsewhere in the network, you must walk a fine line between gathering too much and too little information. Log too much, and you will have a difficult time finding that single piece of critical information you need to make a decision or to perform an action. Log too little, and you do not have enough information to make an informed decision or to take proper action. There are many different kinds of logging applications and software products that can track and record logs from all over the network. These applications can then send messages to a pager or cell phone when significant events happen. In this section, you will look at just the options that the actual router can manage, without using any major third-party applications.
Log Priority
The router has a built-in function of priority listing for log messages. The levels range from 0 to 7. If a message is given a lower number, it is considered to be a more critical message. So, Level 1 is more critical than Level 6. When you select a level, that level and all others of a lower number will be displayed. For example, if you select level 3, you will be presented with messages from level 3 to 0. If you select level 7, you will be presented with messages from level 7 to 0. The following table lists the levels of logs, along with their titles and descriptions.

Level  Title          Description
0      Emergencies    System is (or is becoming) unusable.
1      Alerts         Immediate action is needed.
2      Critical       A critical condition has occurred.
3      Errors         An error condition has occurred.
4      Warnings       A warning condition has occurred.
5      Notifications  Normal, but noteworthy event.
6      Informational  Informative message.
7      Debugging      Debugging message.
The following table lists an example event for each level of severity.

Level  Example
0      The IOS was unable to initialize.
1      The core router temperature is too high.
2      A problem in assigning memory occurred.
3      The memory size allocated is invalid.
4      Cryptography operation is unable to complete.
5      An interface changed state to up or down. (This is a very common event.)
6      A packet has been denied by an Access Control List.
7      No event triggers this level; debug messages are displayed only when the debug option is used.
An example of what a log line will look like in the router is:
%SYS-5-CONFIG_I: Configured from console by vty1 (172.16.10.1)
In this line, the %SYS-5-CONFIG_I indicates that a Level 5 message was logged by the SYS facility, with CONFIG_I as the message mnemonic. Following the colon is the message itself. In this case, the router had a configuration change made via a VTY session from IP address 172.16.10.1.
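Parsing that format is straightforward, and doing so lets you apply the level rule from the table above to raw log text. The following Python is an added example, not course material or Cisco code: it splits an IOS message into facility, severity, mnemonic and text (with an optional leading timestamp of the kind produced by the service timestamps command), resolves a logging level given as a number or an abbreviated name the way IOS accepts it, and keeps only the messages a given logging console level would show. The sample lines are constructed in IOS format, not taken from a real router.

```python
import re

LEVELS = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
          4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# %FACILITY-SEVERITY-MNEMONIC: text, optionally preceded by a sequence number and/or timestamp
MESSAGE = re.compile(r"^(?P<prefix>[^%]*)%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])"
                     r"-(?P<mnemonic>[A-Z0-9_]+): ?(?P<text>.*)$")


def parse_log_line(line):
    """Split an IOS log line into its parts; returns None for lines that are not IOS messages."""
    m = MESSAGE.match(line.strip())
    if not m:
        return None
    sev = int(m.group("severity"))
    return {"facility": m.group("facility"), "severity": sev, "level": LEVELS[sev],
            "mnemonic": m.group("mnemonic"), "text": m.group("text"),
            "timestamp": m.group("prefix").rstrip(": ") or None}


def level_number(setting):
    """Resolve a logging level given as a number or a (possibly abbreviated) name, as IOS accepts it."""
    if setting.isdigit() and int(setting) in LEVELS:
        return int(setting)
    hits = [n for n, name in LEVELS.items() if name.startswith(setting.lower())]
    if len(hits) != 1:
        raise ValueError("ambiguous or unknown logging level: %r" % setting)
    return hits[0]


def is_logged(message_severity, configured):
    """A configured level N shows messages of severity N and every more critical (lower) level."""
    return message_severity <= level_number(configured)


def filter_messages(lines, configured):
    """Return the parsed messages that a 'logging console <level>' setting would show."""
    parsed = (parse_log_line(line) for line in lines)
    return [m for m in parsed if m and is_logged(m["severity"], configured)]


# Constructed lines in IOS format (not taken from a real router)
SAMPLE_LINES = [
    "%SYS-5-CONFIG_I: Configured from console by vty1 (172.16.10.1)",
    "*Mar  1 00:05:41.211 UTC: %LINK-3-UPDOWN: Interface Serial0, changed state to down",
    "*Mar  1 00:05:42.019 UTC: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.20.30.50(5700) -> 10.20.30.50(5700), 1 packet",
    "*Mar  1 00:06:10.500 UTC: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed, pool Processor",
    "Building configuration...",
]

if __name__ == "__main__":
    for level in ("notification", "critical"):
        kept = [m["mnemonic"] for m in filter_messages(SAMPLE_LINES, level)]
        print("logging console %-12s -> %s" % (level, kept))
```

Note that the ACL denial (severity 6) disappears at level 5, which is the situation the console logging example later in this topic describes: if you want access-list hits on the console, the configured level has to be informational or higher.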
Configuring Logging
In the following examples, you will see how to configure different forms of logging. Some will use the buffer, others the console. Viewing the configuration fragments through this section will enable you to determine which type of logging you will use in given situations. On the Cisco router, the command to enable logging is entered in Global Configuration Mode, using the logging on command.
Timestamping
In order for you to properly analyze the logs, you will need to know what happened when, not just that something happened. Stamping each event with the time at which it occurred, or timestamping, is an option on the router. The Cisco command to configure it is service timestamps log datetime (note the plural timestamps; the keyword datetime selects the date and time of day rather than the router's uptime). Three options can be added to this command. The msec option includes the millisecond in a log entry. This may or may not be required, based on your goals; if it is not added, the log records the event to the nearest full second. The localtime option makes the router stamp the logs using the local time, so that it is easier for people to read and analyze the logs. When using a syslog server, this option is often left off, so that routers in different time zones all stamp in UTC and their logs can be correlated. The show-timezone option adds the time zone to the log message, which is useful when working with log files from many locations and regions. A timestamp is only as good as the router's clock: set the clock from an NTP source (ntp server), or the times in the log will drift and will not line up with the logs of other devices.

When you are configuring logging in IOS 11.3 and earlier versions, the command must include the name of the level, such as alerts. In IOS 12.0 and newer versions, you can use either the name of the level or its number.
Console Logging
Console logging is perhaps the most straightforward of all of the logging options on the Cisco router. The following configuration fragment shows logging set to level 5 and using the console as the destination.

Router#configure terminal
Router(config)#logging on
Router(config)#logging console notifications
Router(config)#^Z
Router#

In this example, level 5 logging has been configured. This means that ACL log entries, which are level 6, will not be logged to the console, nor will any debug messages. Had the goal been to see only those log messages that are level 2 or more critical, the proper command would have been logging console critical. Console logging is also the most expensive destination: each message is written to the slow console line before the router moves on, so a low threshold on a busy router can degrade it. Many administrators run no logging console in production and rely on the buffer and a syslog server instead.
Buffered Logging
Buffered logging requires you to define the amount of memory that will be used for the log. The general rule that many follow is that if the router has less than 16 MB of RAM, your log can be 16 kilobytes, and if it has more than 16 MB of RAM, your log can go as high as 32 or even 64 KB. On all logs, the time and date can be added to the messages, which is a recommended procedure. On buffered logging, however, it goes from recommended to required. This is because the buffer is circular: when it fills, the router discards the oldest messages and replaces them with new ones, so the time of each entry is a critical component of buffered logging. Remember, too, that the buffer lives in RAM and is lost on a reload, which is one reason to pair it with a syslog server. The buffer is read with the show logging command and emptied with clear logging. The following configuration fragment shows logging set to level 2, with a timestamp.
Router#configure terminal
Router(config)#logging on
Router(config)#logging buffered 16000 critical
Router(config)#service timestamps log datetime msec localtime show-timezone
Router(config)#^Z
Router#

In this example, the amount of memory that has been allocated is 16 KB (the size is given in bytes). The logs will go to the buffer and will be recorded if they are level 2 (Critical) or more critical, that is, levels 0 through 2. Finally, full timestamping is used, including the millisecond, local time, and time zone options.
Terminal Logging
Normally, no messages are sent to terminal sessions. This is done for bandwidth reasons and, in some situations, security reasons. To make logging visible on a VTY session, the terminal monitor command must be used. The following configuration fragment shows logging set to level 5, and to be sent to the VTY sessions.

Router#configure terminal
Router(config)#logging on
Router(config)#logging monitor 5
Router(config)#^Z
Router#terminal monitor
Router#

In this example, the terminal session will receive all level 5 and more critical messages. This is the first example that uses the numeric value of the level instead of the name, an indicator that the router must be running at least IOS version 12.0. There is a second part to terminal logging. The logging monitor command tells the router to log messages to the VTY sessions, but a VTY session does not display them until it asks to: the terminal monitor command, entered in privileged EXEC mode on that session, enables the session to actually view the messages on screen, and the setting applies to that session only. If the logs become too numerous or are no longer needed, the terminal no monitor command stops them on that session.
Syslog Logging
Cisco routers have the ability to send their log messages to a server running a syslog service. This is the recommended method of logging in a production environment. The routers generate the log messages just as they normally do; however, instead of only showing them on the console or storing them in memory, they send them to a server that manages the messages and stores them on the server's hard drive. This allows for long-term storage and analysis of the information, free of the real-time and memory constraints of the other methods. Most UNIX and Linux servers include some version of the syslog service, and there are many syslog applications for Windows systems on the market. Be aware of what the transport gives you: classic syslog is UDP port 514, unauthenticated and unencrypted, so messages can be lost silently or forged by anyone who can reach the server. Keep the syslog server on a management network reachable only from the routers, and restrict which source addresses it will accept.
To configure syslog logging on a Cisco router, there are four components:

- The destination host: any host that can be located using a host name, DNS name, or IP address.
- The syslog facility: the name under which the messages are filed on the syslog server. Although there are many facility names, routers conventionally use local0 through local7 (the IOS default is local7).
- The severity level: the same Cisco severity levels as the other logging destinations, set with the logging trap command.
- The source interface: the router interface whose address is used as the source of the messages sent to the syslog server. Pinning this to a loopback or management interface keeps the source address stable whatever path the packets take, which matters when the server filters by source.
The following configuration fragment shows the setup of a router to use a syslog server.
Router#configure terminal
Router(config)#logging on
Router(config)#logging trap 5
Router(config)#logging host 10.20.30.45
Router(config)#logging facility local5
Router(config)#logging origin-id hostname
Router(config)#logging source-interface Ethernet0
Router(config)#^Z
Router#

In this example, logging has been enabled. Messages that are level 5 or more critical are sent to a syslog server whose IP address is 10.20.30.45. (Additional servers can be configured with further logging host commands using different IP addresses, for redundancy.) The facility on the syslog server is local5, the origin-id is the hostname (Router in this example), which lets the server tell routers apart, and the source for these messages is Ethernet0 on the router.
TASK 3F-1
Configuring Buffered Logging
1. Create the configuration fragment you would use for buffered logging, using 32 kilobytes of memory. Include all timestamping options and log level 4 events. Assume that the router is running IOS version 12.2.

Router#configure terminal
Router(config)#logging on
Router(config)#logging buffered 32000 4
Router(config)#service timestamps log datetime msec localtime show-timezone
Router(config)#^Z
Router#
ACL Logging
The previous section on logging focused on the system log events, critical errors, and messages. Another important area to investigate is the use of logging in relationship to your Access Control Lists. When implemented, ACL log entries are generated as Level 6 events (for example, %SEC-6-IPACCESSLOGP), so the threshold on the logging destination must be set to 6 or higher for them to be recorded at all.
Lesson 3: Routers and Access Control Lists
Implementing ACL logging is simple: add the keyword log or log-input to the end of an ACL statement. Do not add it to every statement, however, or you will flood your logs with so much information that you will be virtually unable to identify anything useful. The log keyword records the list number, the action, the protocol, the source and destination addresses and ports, and a packet count (the router's timestamp supplies the date and time); it is valid on both standard and extended ACLs. The log-input keyword adds the interface the packet arrived on and its source MAC address. This is useful when the same ACL is applied to more than one interface, and it is what makes an entry usable for tracing a spoofed source back to the interface it came in on. Logging has a cost: matching packets are handled by the router's CPU rather than in the fast switching path, and IOS throttles the messages, reporting the first matching packet immediately and then summarizing later matches periodically with a count, so a busy logged entry burdens the CPU and can still under-report. Logging is also a reason not to rely on the implicit deny at the end of an ACL: a packet dropped by the implicit deny is not logged. If, instead, you add the following line as the last statement in the ACL, those packets will be logged: access-list 123 deny ip any any log.
Anti-spoofing Logging
Earlier, you looked at the creation of anti-spoofing ACLs. In this section, you will see these ACLs used with the logging function to gather information for analysis. In these examples, assume that the internal network is 172.16.0.0/16. List 123 denies, and logs, packets arriving from outside that claim an internal source address; list 145 permits traffic from internal sources to leave and denies, and logs, anything else trying to leave, which catches a compromised or misconfigured internal host sending packets with a foreign source address. First, the configuration fragment of the lists themselves:
Router#configure terminal
Router(config)#access-list 123 deny ip 172.16.0.0 0.0.255.255 any log-input
Router(config)#access-list 123 permit ip any any
Router(config)#access-list 145 permit ip 172.16.0.0 0.0.255.255 any log-input
Router(config)#access-list 145 deny ip any any log-input
Router(config)#^Z
Router#
For the next example, assume that the router has one internal Ethernet interface (where the trusted network is located) and two external serial interfaces. Inbound anti-spoofing (list 123) belongs on every external interface, and so does outbound anti-spoofing (list 145), so both lists are applied on Serial 0 and Serial 1. Note that list 145 as written logs every permitted outbound packet; that is acceptable for a short analysis exercise, but in production you would drop log-input from the permit line and log only the deny, for the reason given in the previous section. The following configuration fragment shows the application of the ACLs, list 123 inbound and list 145 outbound, on their proper interfaces.

Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip access-group 123 in
Router(config-if)#ip access-group 145 out
Router(config-if)#exit
Router(config)#interface Serial 1
Router(config-if)#ip access-group 123 in
Router(config-if)#ip access-group 145 out
Router(config-if)#^Z
Router#
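The following Python script is an added example, not part of the SCNS course text, that ties the severity-level discussion and the ACL logging sections together. It parses the %FACILITY-SEVERITY-MNEMONIC header shown earlier, applies the same threshold rule as logging trap or logging buffered (keep a message when its severity number is at or below the configured level), decodes the %SEC-6-IPACCESSLOGP messages that log and log-input produce, and flags spoofed packets, meaning an internal source address that arrived on an external interface, using the same wildcard-mask match the ACL itself uses. The log lines in SAMPLE_LOG are constructed for this example, not captured from a router; the internal network 172.16.0.0/16, the interface names, and the function names are assumptions taken from this section.

```python
import re
from typing import Iterable, List, Optional, Set

# Cisco severity names indexed by level; 0 is the most critical.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# IOS message header %FACILITY-SEVERITY-MNEMONIC: text.  Anything before the
# '%' (a service timestamps prefix, a syslog relay header) is skipped.
HEADER_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")

# Body of %SEC-6-IPACCESSLOGP.  The "(interface mac)" group is present only
# when the ACL entry used log-input rather than log.
ACL_LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)"
    r"(?: \((?P<intf>\S+) (?P<mac>\S+)\))?"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")

# Constructed sample, not a capture: a router with 'service timestamps log
# datetime msec localtime show-timezone', ACLs 123/145 from the anti-spoofing
# section and ACL 155 from the VTY section.
SAMPLE_LOG = """\
*Jan 10 14:02:13.101 EST: %SYS-5-CONFIG_I: Configured from console by vty1 (172.16.10.1)
*Jan 10 14:02:20.555 EST: %LINK-5-CHANGED: Interface Serial1, changed state to administratively down
*Jan 10 14:02:44.009 EST: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (0/0),process = Exec.
*Jan 10 14:03:01.007 EST: %SEC-6-IPACCESSLOGP: list 123 denied tcp 172.16.99.7(40321) (Serial0 *HDLC*) -> 172.16.1.10(445), 1 packet
*Jan 10 14:03:05.411 EST: %SEC-6-IPACCESSLOGP: list 145 permitted tcp 172.16.20.4(51234) (Ethernet0 0011.2233.4455) -> 198.51.100.9(80), 1 packet
*Jan 10 14:04:09.800 EST: %SEC-6-IPACCESSLOGP: list 155 denied tcp 203.0.113.77(6000) -> 172.16.1.1(23), 1 packet
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one IOS log line into facility, numeric severity, mnemonic and text."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    sev = int(m.group("severity"))
    return {"facility": m.group("facility"), "severity": sev,
            "severity_name": SEVERITY_NAMES[sev],
            "mnemonic": m.group("mnemonic"), "text": m.group("text")}


def filter_by_level(lines: Iterable[str], level: int) -> List[dict]:
    """Keep what 'logging trap <level>' keeps: messages at that level or more critical."""
    kept = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and entry["severity"] <= level:
            kept.append(entry)
    return kept


def ip_to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: " + dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco ACL matching: a 1 bit in the wildcard mask means 'do not care'."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) ^ ip_to_int(network)) & care == 0


def parse_acl_log(entry: dict) -> Optional[dict]:
    """Decode an IPACCESSLOGP body; returns None for any other message."""
    if entry["mnemonic"] != "IPACCESSLOGP":
        return None
    m = ACL_LOG_RE.match(entry["text"])
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def spoofed_sources(lines: Iterable[str], internal_net: str,
                    internal_wildcard: str, external_ifaces: Set[str]) -> List[dict]:
    """ACL entries whose source claims an internal address but arrived on an external interface.

    Only entries logged with log-input carry the interface; plain 'log' entries are skipped."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        rec = parse_acl_log(entry) if entry else None
        if rec is None or rec["intf"] is None:
            continue
        if rec["intf"] in external_ifaces and wildcard_match(rec["src"], internal_net, internal_wildcard):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for e in filter_by_level(lines, 5):
        print(e["severity"], e["severity_name"], e["mnemonic"])
    for h in spoofed_sources(lines, "172.16.0.0", "0.0.255.255", {"Serial0", "Serial1"}):
        print("spoofed source", h["src"], "on", h["intf"], "list", h["acl"])
```

Run against the sample, a threshold of 5 keeps the three system messages and drops the three ACL entries, which is exactly why the destination threshold must be 6 for ACL logging to be of any use, and the spoof check reports only the list 123 hit on Serial0: the list 145 entry came in on Ethernet0, and the list 155 entry was logged without log-input and so carries no interface to judge by. The wildcard_match function also shows why the mask matters: with 0.0.0.255 only 192.168.45.0/24 matches, whereas 0.255.255.255 matches every address that starts with 192.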
VTY Logging
When gaining access to the router, a primary method used was through VTY sessions. These sessions may come under frequent attack at larger organizations. You will want to know who is and who is not successful at gaining access via VTY sessions, and again, logging is the answer to that need.
In this example, you will again assume the internal network 172.16.0.0/16, and that there is only one trusted host that has authorized VTY access, 172.16.23.45. With those variables defined, the following configuration fragment creates the list that will log VTY connection attempts on the router. (Extended-ACL syntax requires the protocol keyword after permit or deny, so ip is included.)

Router#configure terminal
Router(config)#access-list 155 permit ip host 172.16.23.45 any log-input
Router(config)#access-list 155 deny ip any any log-input
Router(config)#^Z
Router#

Once you have created the list, you will need to apply it. In the following configuration fragment, the list is applied to VTY sessions 0 through 4 with access-class, the line-mode counterpart of ip access-group. Bear in mind what this log records: whether a source address was allowed to open a VTY connection at all. It does not record whether the login that followed succeeded. To capture that, enable login failure and success logging (login on-failure log and login on-success log) on IOS releases that support those commands, or use AAA accounting.

Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#access-class 155 in
Router(config-line)#^Z
Router#
TASK 3F-2
Configuring Anti-spoofing Logging
1. Create a logged ACL that is used for anti-spoofing, using the following information: The router has interfaces Ethernet0, Serial0, and Serial1. Ethernet0 is connected to the only trusted network, which has the IP address 192.168.45.0/24. For this exercise, and in the interest of time, only create anti-spoofing for the defined network. If you want to expand this to include all private and reserved networks, you can do so, but it is not required.

The wildcard mask for a /24 is 0.0.0.255. A 1 bit in a wildcard mask means "do not care", so a mask of 0.255.255.255 would match every address beginning with 192, and the deny in list 160 would then drop legitimate traffic from any 192.x.x.x source.

Router#configure terminal
Router(config)#access-list 160 deny ip 192.168.45.0 0.0.0.255 any log-input
Router(config)#access-list 160 permit ip any any
Router(config)#access-list 170 permit ip 192.168.45.0 0.0.0.255 any log-input
Router(config)#access-list 170 deny ip any any log-input
Router(config)#^Z
Router#
Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip access-group 160 in
Router(config-if)#ip access-group 170 out
Router(config-if)#exit
Router(config)#interface Serial 1
Router(config-if)#ip access-group 160 in
Router(config-if)#ip access-group 170 out
Router(config-if)#^Z
Router#
Summary
In this lesson, you examined the fundamentals of router security and the principles of routing. You created the configurations that are required to harden a Cisco router and configured the removal of services and protocols. You examined the process of the wildcard mask and how it relates to the Cisco ACL. You created the configurations for ACLs to defend the network against attacks. Finally, you examined the process of logging on a Cisco router and configured buffered and anti-spoofing logging.
Lesson Review
3A What is authentication?
Authentication is the process of verifying a user's claimed identity; the decision to grant or deny access is then based on it.

What is authorization?
Authorization is the process of defining what an authenticated user can do, or is authorized to do.

What is AAA?
Authentication, Authorization, and Accounting.

What are the methods of access to a Cisco router?
Console port, auxiliary port, VTY sessions, HTTP, TFTP, and SNMP.

What is a security advantage to using RIPv2 over RIPv1?
RIPv2 supports authentication of routing updates (plaintext or MD5), enabling the routers to identify who is and who is not allowed to update routing information; RIPv1 has no authentication at all.
3D What type of Access Control List allows for the checking of port numbers?
Extended ACLs allow for port checking.

When a packet enters the router, what is the first thing the router will check regarding that packet?
If an ACL is applied inbound on the receiving interface, that ACL is evaluated first, as the packet arrives. The router then looks for a route for the packet: if there is one, the packet is forwarded, passing through any ACL applied outbound on the exit interface; if there is none, the packet is discarded (and the sender is notified if need be).

3F When a configuration change is made to the router, such as an interface being brought down, what level of message will this generate?
Level 5 (for example, %LINK-5-CHANGED when an interface is shut down).

What is the command for an access list to be implemented on the VTY sessions?
access-class [access list number] in, entered in line configuration mode for the VTY lines.
Designing Firewalls
Overview
In this lesson, you will be introduced to the concepts and technologies used in designing firewall systems. You will identify the methods of implementing firewalls in different scenarios, using different technologies. The strategies and concepts in this lesson are important in understanding later lessons.
LESSON
4
Data Files: none
Lesson Time: 2 hours
Objectives
To identify the design and implementation issues of firewall systems, you will:

4A Examine the principles of firewall design and implementation. Given a firewall system, you will identify and describe methodologies of firewall function and implementation.
4B Create a firewall policy based on provided statements. Given the answers to questions regarding the firewall, you will create a firewall policy statement.
4C Create a rule set to be used with a packet filter. Given a network scenario, you will create a rule set for a packet filtering firewall.
4D Describe the function of a proxy server. Given a network scenario, you will describe the process of internal clients using a proxy server to access Internet web pages.
4E Describe how a bastion host is included in the security of a network. Given a network scenario, you will describe how the creation of a bastion host functions in the security of the network.
4F Describe the function of a honeypot in a network environment. Given a network running Windows 2003, describe the function of an effective honeypot in the security of the network.
Topic 4A
Firewall Components
The concept of Network Security today is a varied and challenging topic to discuss. There are so many different areas of the network architecture to be concerned with, ranging from messaging systems to databases, from file and print solutions to remote network access. In between these areas of our network, we find things such as access control solutions, user control policies (group policies in a Windows environment), and a host of settings, functionality, and options that serve to confuse and confound the average user of a computer in a domain-based network today.

It was not that long ago that security and the protection of network-based assets was clearly the domain of the network engineer, that person who was technically savvy, highly skilled, and oftentimes hard to talk to and understand if you were not also a network engineer. The challenges faced by these network engineers (access control, asset protection, and risk mitigation) have not changed at all, and yet the technology used to address these issues has undergone startling transformations in both complexity and capability. One need only look at the advances in the area of the firewall to see all too clearly how this transformation has had a direct, undeniable, and profound impact both on network security and on users' perceptions of that security and of the people who provide it. The following image is an example of a simple firewall.

Figure 4-1: An example of a single firewall. The firewall itself is positioned logically between the internal network (the LAN) and the external network (the WAN). The firewall sits there performing its job, denying and granting access based on rules that the network/security administrator has created and assigned to the device.
Over the last few years, simply granting or denying access has typically been enough to provide a basic level of security and protection to most, if not all, of our networks. The challenge that has been steadily rising is that the hackers and the enemies of the networks protected by firewalls have not been content to sit back and quit trying to figure out how to break the security the firewalls afford. As a result, the addition of new features and options to the firewall has become a very important part of the continuing evolution of network security overall, and of the ability to protect our networks from unauthorized and unwanted network access and traffic in particular. In addition to denying and granting access, a firewall may now offer one or more of the following services:

- Network Address Translation (NAT): the firewall or router translates internal private IP addresses to one or more external, routable IP addresses, which also hides the internal addressing scheme from the outside.
- Data caching: the device stores data that is accessed often by network clients, so that repeated requests are served locally.
- Content restriction: available in many newer systems, this allows the administrator to control Internet access based on keyword restrictions.
Firewall Methodologies
Firewalls have two general methods of implementing security within a network. Although there are variations of these two, most modifications still boil down to one or the other. They are:

- Packet filtering
- Proxy servers (application gateways)

Packet filtering was the first type of firewall used by many organizations to protect their networks. The general method of implementing a packet filter was to use a router. These routers had the ability to either permit or deny packets, based on simple rules the administrator would create. Even though these firewalls could perform this type of filtering, they were limited by the fact that they were designed to look at the header information of the packet only. An example of this drawback is that a filter could block FTP access altogether but could not block only a PUT command within FTP.

The addition of proxy server (also known as application gateway) capabilities to firewalls created a much more solid security product than a pure packet filter could provide on its own. Proxy software can make decisions based on more than the header of a packet. Proxy servers use software to intercept network traffic that is destined for a given application. The proxy recognizes the request and makes the request to the server on behalf of the client. In this case, the internal client never makes a direct connection to the external server. Instead, the proxy functions as a man-in-the-middle and speaks to both the client and the server, relaying their messages back and forth. The major advantage of this is that the proxy software can be instructed to permit or deny traffic based upon the actual data in the packet, not simply the header. In other words, the proxy understands the application protocol and will respond accordingly, rather than just opening and closing a port in a given direction. The cost is that a proxy must exist for each application protocol it is to handle, and the proxy is itself an application exposed to both sides, so it must be hardened like any other server.
A Multi-homed Device
As shown in the following figure, the network is being protected by a device (most likely a computer) that has been configured with multiple network interfaces. Proxy software will run on the device to forward packets between the interfaces.
A Screened Host
As shown in the following figure, the network is protected by combining the function of packet filtering with the function of a proxy server. The packet filter is configured to accept traffic from the outside only when it is addressed to the proxy (the screened host), and to pass traffic out only when it comes from the proxy. If an internal client tries to communicate through the packet filter directly, bypassing the proxy, the data will be discarded.

Figure 4-4: An example of a screened host running behind a packet filtering device.
TASK 4A-1
Firewall Planning
Objective: In order to implement firewall systems, you will need to be able to diagram the different methods used for implementation.

1. Diagram the method described in this topic for the firewall implementation that most accurately reflects your current network design.
If you had a blank check and could design a firewall implementation for your network, what would that design look like? If it differs from your current design, please diagram the new solution that you would build.
Topic 4B
Create a Firewall Policy
Before you can identify configuration options or implementation techniques, you must have a firewall policy. In many instances, organizations rush into firewall selection and installation without enough thought on how this complex device is to be used. For a firewall to be designed and deployed correctly, there must be a firewall policy in place. While not as complete as an organizational security policy, the firewall policy has its place. The policy items in place for the firewall are part of the overall security policy the organization uses. The firewall policy can generally take one of two viewpoints: either deny everything except what is explicitly allowed, or permit everything except what is explicitly denied. The general consensus is that the former of the two viewpoints should be used.
It is a good starting point to assume that all traffic is to be denied, except that which the policy has identified as explicitly being allowed. This also usually turns out to be less work for the network/security administrator. Imagine creating a list of all the ports Trojans use, and all the ports for applications your users are not authorized to use, and then creating rules to block each of them. Compare that to creating a list of what the users are allowed to use, and granting them access to those services and applications explicitly. There are different names for the items that can be included in the security policy, and the ones that follow are very common. The items include the Acceptable Usage Statement, the Network Connection Statement, the Contracted Worker Statement, and the Firewall Administrator Statement. After building the overall security policy, if it becomes very large (some organizations have policies that are hundreds of pages long), you may want to pull out and copy the sections related to the firewall and have a separate subdocument for the firewall alone. Having subdocuments is not a requirement, but it makes reading the policy much easier. The subdocuments are easier to index, reference, and view. Many organizations now run an internal web server to house important documents, such as the policies, for employees. The policy is one of those documents, and the subdocuments are easier to view and read when only a handful of pages, versus scrolling through 200 pages of content.
question. If a backup copy is required for archive, the organization will be responsible for creating and storing the archive copy.
- Computers may not be left unattended with a user account still logged on. If a user is temporarily away from the computer, the computer must be left in a locked state.
- Screensavers must employ the password protection option.
- The computer and its installed applications are to be used for organizational related activity only.
- The computer and its installed applications may not be used in any way to threaten or harass another individual.
- The installed email application is the only authorized email service allowed for use, and employees may not use this email service for personal use.
From this list, you can see the types of things that are to be covered in the policy. If there are examples that cannot be implemented on the firewall, even in part, they may be best located in the overall security policy document for the organization. Some of the examples given in the previous list fall into that category; for example, screensavers, installing applications at home, or threatening of individuals. These items clearly must be in the security policy, but may not be items that can be directly implemented on the firewall.
This section may have the most functional use on the firewall, as this section is defining actual network traffic. Some of the items that may be included in this portion are:

- Network scanning is not to be permitted by any user of the network, other than those in network administration roles.
- Users may access FTP sites to upload and download needed files, but internal user computers may not have FTP server software installed and running.
- Users may access WWW on port 80 as required.
- Users may access email on port 25 as required.
- Users may not access NNTP on any port.
- Users in subnet 10.0.10.0 are allowed to use SSH for remote administration purposes.
- Users not in subnet 10.0.10.0 are not allowed to use SSH to connect to any location or device.
- Users may not run any form of chat software to the Internet, including, but not limited to, AOL Instant Messenger, Yahoo Chat, IRC, ICQ, and MSN Chat.
- Users may not download files over 5 MB in size.
- Anti-virus software must be installed and running on all computers.
- Anti-virus updates are required weekly on user computers.
- Anti-virus updates are required daily on all servers.
- No new hardware (including network cards and modems) may be installed in any computer by any party other than the network administrators.
- No unauthorized links to the Internet from any computer are allowed under any circumstances.
As you can see, this list could go on and on. These are only examples to get you started. This section can get technical, as in deciding which ports to allow to and from subnets or computers in the network. This may be where you spend the most time developing the firewall policy, as it is most relevant to implementation on the firewall.
Some examples of items in the contracted worker statement portion of the policy are:

- No contractors or temporary workers shall have access to unauthorized resources.
- No contractor or temporary worker shall be permitted to scan the network.
- No contractor or temporary worker shall copy data from a computer to a form of removable media, such as CD-ROM, DVD-ROM, USB device, or floppy disk.
- No contractor or temporary worker may use FTP, unless specifically granted permission in writing.
- No contractor or temporary worker will have access to Telnet or SSH unless specifically granted permission in writing.
From these examples, you can see that there are areas which overlap. As the saying goes, it is better to be safe than sorry.
As you can see, this area can almost be considered the job role of the firewall administrator. Some organizations will have such a policy, others will not. It can be a benefit in a large organization to know these items, and to have them written in the policy. From these examples, you can start to build the framework for the security policy, and, in this case, the specific firewall portion of the policy. The firewall policy should be a working document that can be modified on a regular basis. The security world is ever-changing, so be sure your policy changes with it!
TASK 4B-1
Creating a Simple Firewall Policy
1. Read through the following scenario of a corporate network. The network is a single office, with 200 nodes. Currently, it is connected to the Internet through a single 64K ISDN line, but a 1.5M SDSL line is being installed in a week, and they want to use a firewall on the new connection. The network is a single Windows NT 4.0 domain with an internal web server and an internal email server. The internal servers are accessed by employees and customers over the Internet.
The CEO has stated that email must not be used for personal use and that no one can download anything harmful to the network or organization. You are the firewall administrator and have given the CEO the following more specific set of questions:

Your Question
- Can the users use newsgroups?
- Can the users run Telnet to the Internet?
- Can the users visit external websites?
- Are there any websites to be defined as off limits?
- Can users use Instant Messaging software?
- Can users upload to FTP?
- Can users download from FTP?
- Can users access external email servers?
- Who is the firewall administrator?
- Is 24x7 firewall support expected?
Topic 4C
Rule Sets and Packet Filters
Having a solid policy is one important part of preparing to implement the firewall. Another is being aware of the different types of firewalls that exist. We briefly discussed firewall methodologies earlier, and now we will focus on packet filtering. Packet filters were the first types of firewalls used to protect networks. Traditionally, packet filters were (and still are) implemented as access control lists on routers. This single border security device was all that was needed for quite some time. The router becomes the single access point to the network, and the place where the packet filtering functions. In the following figure, you can see examples of where the router may be located. The function of the packet filter will differ based on its location in the scheme of the network.
Figure 4-6: An example of the location of packet filters. In the first example, there is only a single device running as the packet filter for the network. This device will have to be configured very well, as the security of the network is riding on its rules. In the second example, the packet filter must be carefully configured not to allow direct access from clients on the internal network to the Internet. Likewise, it must be configured so that traffic from the Internet cannot directly reach the internal clients. In the third example, a DMZ has been created. This requires the two devices to be configured differently. As such, the packet filter directly connected to the Internet must be secured to allow access to the hosts on the DMZ, but not the internal network. The packet filter connected to the internal network must be secured so that clients can access the hosts on the DMZ, but not the Internet directly.
Although each product will have different methods of implementing these rules, there are some basic considerations that apply to nearly all packet filtering devices. They include:

- The interface to which the rule will apply. For example, is it the internal network interface, or the external Internet connection?
- The direction of the packet. Will this rule apply to packets that are entering on the defined interface, or does it apply to packets that are leaving on the interface?
- Addresses used to make the decision. Will the rule base its decision on the source IP address, destination IP address, or both?
- Ports used to make the decision. Will the rule base its decision on the source port, destination port, or both?
- Higher level protocols. Is this rule to be based on the protocol using IP, such as UDP or TCP?
Figure 4-7: An example showing ports in the exchange of a web page. Keeping this in mind, let's look at some rules that can be created with the packet filter. Assume the goal is to allow only access to web pages on the Internet and the DMZ; the Internet can access web pages on the web server, and all other services are not to be allowed access to the Internet. The following figure depicts rules for a firewall.
Figure 4-8: Building rules for the rewall. In this case, the rst rule allows the Internet to access port 80 of the web server, which can respond on any port higher than 1023, the second rule. The third rule allows outbound requests to external web servers on port 80, and the fourth allows those requests to be returned. The nal rule disallows all other traffic. Is this a good set of rules? No! While it may initially look like it does the requested job, it has in fact left most of the network side open. The rewall will accept connections from the whole world on ports higher than 1023. This was not the intention. A simple Trojan horse program could take the network down, as if there were no rewall in place. To increase the security of the network then, another level is required. This next level is used to dene the source and destination ports. For example, rule number 2 should add port information for both the source and destination. It could then state: outbound traffic is ne to go to ports higher than 1023, if the data originated from port 80. Likewise, rule 4 could state that data may be accepted higher than 1023 if it came from port 80. Youll see an example of what rule 4 should not look like in the following gure.
Figure 4-9: The highlighting of rule 4, adding source and destination ports. Note this example leaves the high ports open, which is not considered good security.
These additions increase the security of the rule set substantially. There should never be an open rule like rule number 4 shown here.
Figure 4-10: Rule 4, with the additional ACK bit.
Now if we look at this same rule with our added functions of source and destination port, and the inclusion of the ACK bit, we can see that the firewall rule has become more secure. In order for a packet to meet this rule, it must have originated from port 80, have the ACK bit set, and have a destination port higher than 1023. We can feel comfortable with this rule now that it has been tightened.
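The rule sets of Figures 4-8 and 4-10 can be tried out directly. The following is an added example, not code from the course: a small first-match packet filter in Python whose rules carry the considerations listed at the start of this topic (interface, direction, addresses, ports, protocol) plus the ACK bit. It applies the source-port and ACK tightening to both reply rules (2 and 4), slightly more than the figures show. The interface name "ext", the web server address 192.0.2.10, the internal network 10.0.0.0/8 and the sample packets are constructed for the illustration.

```python
"""Added example, not from the course text: a minimal stateless packet filter
that evaluates rules top-down, in the style of Figures 4-8 to 4-10.

Every rule can key on interface, direction, source and destination address,
source and destination port, protocol and, for the tightened rules, the TCP
ACK bit. All addresses, interface names and rule names are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = None                     # wildcard: the field is not part of the decision
HIGH = (1024, 65535)           # "ports higher than 1023"
WEB = "192.0.2.10/32"          # constructed DMZ web server address
INTERNAL = "10.0.0.0/8"        # constructed internal network


@dataclass
class Packet:
    iface: str                 # interface the packet is seen on ("ext" below)
    direction: str             # "in" (entering on iface) or "out" (leaving on iface)
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0
    ack: bool = False          # TCP ACK flag


@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    iface: Optional[str] = ANY
    direction: Optional[str] = ANY
    src: Optional[str] = ANY                 # CIDR block, e.g. "10.0.0.0/8"
    dst: Optional[str] = ANY
    proto: Optional[str] = ANY
    sport: Optional[Tuple[int, int]] = ANY   # inclusive port range
    dport: Optional[Tuple[int, int]] = ANY
    ack: Optional[bool] = ANY                # True: ACK must be set; False: must be clear

    def matches(self, p: Packet) -> bool:
        def in_net(net, addr):
            return net is ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

        def in_range(rng, port):
            return rng is ANY or rng[0] <= port <= rng[1]

        return ((self.iface is ANY or self.iface == p.iface)
                and (self.direction is ANY or self.direction == p.direction)
                and in_net(self.src, p.src) and in_net(self.dst, p.dst)
                and (self.proto is ANY or self.proto == p.proto)
                and in_range(self.sport, p.sport) and in_range(self.dport, p.dport)
                and (self.ack is ANY or self.ack == p.ack))


def evaluate(rules, packet):
    """First-match evaluation; anything no rule covers is denied."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return "deny", "implicit deny"


def figure_4_8_rules():
    """The loose rule set: rules 2 and 4 key on the destination port only."""
    return [
        Rule("1 Internet -> web server :80", "allow", "ext", "in", ANY, WEB, "tcp", ANY, (80, 80)),
        Rule("2 web server -> Internet >1023", "allow", "ext", "out", WEB, ANY, "tcp", ANY, HIGH),
        Rule("3 internal -> Internet :80", "allow", "ext", "out", INTERNAL, ANY, "tcp", ANY, (80, 80)),
        Rule("4 Internet -> internal >1023", "allow", "ext", "in", ANY, INTERNAL, "tcp", ANY, HIGH),
        Rule("5 deny everything else", "deny"),
    ]


def figure_4_10_rules():
    """Rules 2 and 4 tightened: replies must come from port 80 and carry ACK."""
    rules = figure_4_8_rules()
    rules[1] = Rule("2 web server :80 -> Internet >1023, ACK", "allow", "ext", "out",
                    WEB, ANY, "tcp", (80, 80), HIGH, True)
    rules[3] = Rule("4 Internet :80 -> internal >1023, ACK", "allow", "ext", "in",
                    ANY, INTERNAL, "tcp", (80, 80), HIGH, True)
    return rules


# Constructed traffic: a fresh inbound connection attempt to a high port on an
# internal host (what a Trojan horse listener would receive), and a genuine web reply.
NEW_INBOUND_HIGH = Packet("ext", "in", "198.51.100.7", "10.0.0.5", "tcp", 4444, 6000, ack=False)
WEB_REPLY = Packet("ext", "in", "198.51.100.20", "10.0.0.5", "tcp", 80, 40000, ack=True)

if __name__ == "__main__":
    for label, rules in (("Figure 4-8", figure_4_8_rules()), ("Figure 4-10", figure_4_10_rules())):
        for pkt in (NEW_INBOUND_HIGH, WEB_REPLY):
            print(label, pkt.src, "->", f"{pkt.dst}:{pkt.dport}", evaluate(rules, pkt))
```

Running it shows the point of the figures: the loose set passes the unsolicited inbound packet on rule 4, while the tightened set lets the real web reply through on rule 4 and drops the unsolicited packet on rule 5.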
IP Address Filtering
IP address filtering is perhaps the oldest form of packet filtering. If you want to block access to a specific host, create a rule that says that IP address is off-limits. If you want to grant access to an entire subnet, create a rule that says that subnet has access. IP address filters permit or deny addresses using only the IP address to make the decision. If the filter were to try to define all the hosts that are to be denied, the rule set would get very long, and a rule like that for individual hosts in a large organization is unreasonable. Since the rule set can get very long, the odds of making a mistake are increased, and therefore, it is not a good way to implement strong security in a large organization. Using the filter to specifically grant access by an IP address, on the other hand, can be much more effective. The areas that hosts will be allowed to access will be, by the very nature of security, a lesser number than the areas in which hosts are not allowed access.
Using primarily allowed addresses over denied addresses makes the implementation of the rules easier. And, it makes the task of the attacker a bit harder. The attacker would have to learn the list of approved addresses to attempt an attack. When the attacker does finally learn the addresses, he or she can spoof the source IP address and get a packet past the filter. If the attacker was trying to execute a denial of service attack (DoS), this will get them past the packet filter with no problems. If the attacker was performing a different type of attack, where the return packet was not needed, this type of filter is easily bypassed with spoofed source packets.
Protocol Filtering
In the event that using the port numbers of UDP and TCP is still not enough, you can resort to protocol filtering. Packet filtering of this type investigates the contents of the header to determine the upper layer protocol used. If there is a match, accept or discard. The protocols you may choose to block or accept are few:
TCP
UDP
ICMP
IGMP
Although this type of filtering can be used, it is very limiting; use caution when employing this strategy. If you have a server running a service that uses UDP, and that is the only authorized service on the server, then allow only UDP. But, be aware that such a move removes the option of troubleshooting utilities such as ping, due to the lack of ICMP.
Fragmentation
When networks and routing were first developed, many of the links used had very small bandwidth capabilities. Due to this, large files transmitted across the Internet had to be broken into several pieces. This is known as fragmentation. When packet filters inspect the header, if the packet is a fragment, they will see the port number, protocol type, IP address, and an indicator that this is fragment 0. Herein lies the problem: fragments 1 through x do not contain this same information, so the packet filter has nothing to use in making a decision. The packet filters would drop fragment 0, and allow the remaining packets through. The logic was that without the fragment 0, the packet could not be used. This was not always the case.
Smart and very TCP/IP-savvy attackers would create entire attacks that begin with fragment 1. The attackers were aware that many versions of TCP/IP would go ahead and reassemble fragments even if fragment 0 was missing. These attacks would pass through the packet filter as if it were not even there.
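The weakness just described, and the filter behaviour that closes it, can be shown with a few constructed fragments. The following is an added example and not code from the course: the naive filter judges fragment 0 and passes everything else, as the text describes; the tracking filter passes a later fragment only when an accepted fragment 0 for the same datagram (same source, destination and IP Identification) has already been seen, so a datagram that begins with fragment 1 is dropped. Addresses, Identification values and the port policy are constructed.

```python
"""Added example, not from the course text: how a packet filter that decides
on fragment 0 alone can be walked around, and the defensive fix of admitting
a non-initial fragment only after an accepted fragment 0 for the same
datagram. Addresses and identification values are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int                    # IP Identification field, shared by every fragment of one datagram
    offset: int                   # fragment offset in bytes; 0 marks fragment 0
    more: bool                    # More Fragments flag
    proto: str = "tcp"
    dport: Optional[int] = None   # the transport header is present only in fragment 0


def header_allowed(frag, allowed_ports):
    """The port policy, which can only ever be applied to fragment 0."""
    return frag.proto == "tcp" and frag.dport in allowed_ports


def naive_filter(frags, allowed_ports):
    """Behaviour described in the text: later fragments carry nothing to decide on,
    so they are passed; only fragment 0 is judged."""
    passed = []
    for f in frags:
        if f.offset == 0:
            if header_allowed(f, allowed_ports):
                passed.append(f)
        else:
            passed.append(f)
    return passed


def tracking_filter(frags, allowed_ports):
    """Defensive version: a non-initial fragment is passed only if fragment 0 of the
    same (src, dst, ident) datagram was already seen and accepted; orphan fragments
    (a datagram that begins with fragment 1) are dropped. A production filter would
    also age these entries out after a reassembly timeout."""
    accepted = set()
    passed = []
    for f in frags:
        key = (f.src, f.dst, f.ident)
        if f.offset == 0:
            if header_allowed(f, allowed_ports):
                accepted.add(key)
                passed.append(f)
        elif key in accepted:
            passed.append(f)
    return passed


def sample_traffic():
    """Constructed stream: an allowed web datagram (ident 1), a datagram to a port
    the policy blocks (ident 2), and a datagram with no fragment 0 at all (ident 3)."""
    a = ("203.0.113.5", "192.0.2.10")
    c = ("203.0.113.9", "192.0.2.10")
    return [
        Fragment(*a, 1, 0, True, "tcp", 80),
        Fragment(*a, 1, 1480, False),
        Fragment(*a, 2, 0, True, "tcp", 23),
        Fragment(*a, 2, 1480, False),
        Fragment(*c, 3, 1480, False),
    ]


def passed_idents(filter_fn, allowed_ports=(80,)):
    """Identification values of the fragments a filter lets through."""
    return [f.ident for f in filter_fn(sample_traffic(), set(allowed_ports))]


if __name__ == "__main__":
    print("naive   :", passed_idents(naive_filter))      # [1, 1, 2, 3]
    print("tracking:", passed_idents(tracking_filter))   # [1, 1]
```

With only port 80 permitted, the naive filter still lets the second fragment of the blocked datagram and the orphan fragment through; the tracking filter passes only the two fragments of the datagram whose fragment 0 was accepted.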
The stateful packet filter will remove entries in the state table if there is no response, usually within a few minutes. This is to ensure there are no holes left open for an attacker to exploit. The rules are programmed into the stateful packet filter, just as they are in a stateless packet filter, although they may be called policies instead of rules.
TASK 4C-1
Firewall Rule Creation
1. Read through the following scenario of a corporate network. Your network is a mixed environment of Windows NT, Windows 2000, UNIX, and Linux. Your users in the network need to access FTP sites for upload and download, websites, and email servers on the Internet. Your network provides a web server and email server that need to be accessed by the Internet.
2. Based on this scenario, create a sample rule set, or portion thereof, needed for this packet filter.
Topic 4D
Proxy Server
As you have seen, packet filters are a great start to securing the network with a firewall. But, they also require help to create a more secure environment. One of the ways to increase security is to add the services of a proxy server. Proxy servers were initially used to cache commonly visited web pages, speeding up the network and Internet use. They have evolved to not only cache web pages, but have become part of the security system of a network. The packet filter, as discussed, works by inspecting the header information and basing the decision on defined rules or policies. The proxy works at the application layer, and is able to provide services to the network. The proxy acts as a sort of gateway (which is why it is also called an application gateway), for all packets to flow through. When a proxy is configured and running on the network, there is no direct communication between the client and the server. The packet filter allows for this direct communication, while the proxy prevents it. A significant distinction then between a packet filter and a proxy server is that the proxy understands the application or service that is used, and the packet filter does not. The proxy server can then permit or deny access, based on what actual function the user is trying to perform.
Proxy Process
In this example, the client has requested a web page, and identified the server that has the web page. The request for the web page is passed to the proxy server. At this point, the proxy server does not act as a router and forward the packet. What it does is consult its set of rules regarding this service (WWW in this case), and decide if the request is to be granted or not. Once the proxy has made the decision to allow the request, a new packet is created with a source IP address of the proxy server. This new packet is the request for the web page from the destination server. The web server receives the request, and returns the web page to the requesting host. Since the proxy is running, the requesting host is the proxy server. When the proxy receives the web page, it checks its rules to see if this page is to be allowed. Once the decision is made to proceed, the proxy makes a new packet with the web page as the payload, and sends this to the original client. The following figure is an illustration of the basic function that a proxy server plays in the network. Notice the client packet never directly reaches the server, and vice versa.
Figure 4-12: A WWW proxy running in a network.
This type of service can increase the security of the network considerably, as no packets can pass directly from the client to the server. The proxy service will need to be configured for each type of service that is allowed. For example, a separate proxy will be needed for SMTP, WWW, FTP, and Telnet, if all these services are to be used. The proxy server needs to be configured to work in both directions, just as a packet filter is. This is the only way to be sure no packets are passed by the proxy server.
Proxy Benefits
There are several benefits to the network, from a security point of view, that a proxy can provide. The list of advantages can be large; provided are the major benefits:
Client invisibility.
Content filtering.
Single point of logging.
Client Invisibility
The basic proxy process highlights this feature. The ability to have the client's inside IP address never appear to the Internet is a great benefit. Attackers not knowing the internal structure of the network have a harder time gaining access and attacking internal clients.
Content Filtering
In the modern era, businesses have to be very sensitive to the needs of employees. This includes exposure to any offensive material, as much as can be prevented. Content filters can be programmed for many types of inspection. They may be programmed to look for certain keywords or phrases. Many employers use filtering to block the websites of major headhunters and resume posting sites. These filters can also be used to prevent ActiveX controls from being downloaded, Java Applets being run, or executables being attached to email.
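The proxy process of Figure 4-12 and the three benefits above (client invisibility, content filtering, single point of logging) can be put together in one small simulation. The following is an added example, not code from the course or from any proxy product: the proxy checks the request against its rules, issues a new request to the remote server under its own address, checks the reply against the content filter, and writes every decision to one log. The proxy address 192.0.2.1, the client address 10.0.0.5, the host names, the policy values and the page contents are all constructed.

```python
"""Added example, not from the course text: a simulated WWW proxy that
follows the process described above. The client's request never reaches
the server; the proxy checks its rules, issues a new request under its own
address, checks the reply (content filtering), and logs every decision in one
place. Addresses, host names, policy values and page contents are constructed."""
from dataclasses import dataclass

PROXY_IP = "192.0.2.1"        # constructed outside address of the proxy


@dataclass
class Request:
    src: str                  # address the request appears to come from
    host: str
    path: str


@dataclass
class Response:
    body: str
    content_type: str
    src: str = ""             # address the response appears to come from


@dataclass
class ProxyPolicy:
    blocked_hosts: set           # e.g. sites the employer has chosen to block
    blocked_keywords: set        # phrases the content filter looks for
    blocked_content_types: set   # executables and similar downloads


class WebProxy:
    def __init__(self, policy, fetch):
        self.policy = policy
        self.fetch = fetch    # stands in for the proxy's own connection to the Internet
        self.log = []         # single point of logging

    def handle(self, req):
        if req.host in self.policy.blocked_hosts:
            return self._deny(req, "host blocked")
        # New packet: the remote server only ever sees the proxy's address.
        outbound = Request(src=PROXY_IP, host=req.host, path=req.path)
        resp = self.fetch(outbound)
        if resp.content_type in self.policy.blocked_content_types:
            return self._deny(req, "content type blocked")
        body = resp.body.lower()
        for word in self.policy.blocked_keywords:
            if word in body:
                return self._deny(req, f"keyword {word!r}")
        self.log.append((req.src, req.host, req.path, "allowed"))
        # New packet again: the client receives the page from the proxy, not the server.
        return Response(resp.body, resp.content_type, src=PROXY_IP)

    def _deny(self, req, reason):
        self.log.append((req.src, req.host, req.path, "denied: " + reason))
        return None


# Constructed stand-in for remote web servers. It records the source address
# of every request it receives, which demonstrates client invisibility.
SERVERS = {
    ("www.example.com", "/index.html"): Response("Welcome to our site", "text/html"),
    ("www.example.com", "/setup.exe"): Response("MZ...", "application/x-msdownload"),
    ("news.example.net", "/today"): Response("Headline: casino jackpot won", "text/html"),
}


class FakeInternet:
    def __init__(self):
        self.seen_sources = []

    def fetch(self, req):
        self.seen_sources.append(req.src)
        return SERVERS.get((req.host, req.path), Response("not found", "text/html"))


def run_demo():
    """Four client requests from the constructed internal address 10.0.0.5."""
    policy = ProxyPolicy({"jobs.example.org"}, {"casino"}, {"application/x-msdownload"})
    internet = FakeInternet()
    proxy = WebProxy(policy, internet.fetch)
    results = [proxy.handle(Request("10.0.0.5", h, p)) for h, p in (
        ("www.example.com", "/index.html"),
        ("jobs.example.org", "/postings"),
        ("www.example.com", "/setup.exe"),
        ("news.example.net", "/today"),
    )]
    return results, proxy.log, internet.seen_sources


if __name__ == "__main__":
    responses, log, sources = run_demo()
    for entry in log:
        print(entry)
    print("addresses seen by remote servers:", sources)
```

Only the first request produces a page for the client; the remote servers see 192.0.2.1 three times and never 10.0.0.5, and the log holds all four decisions with their reasons.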
Proxy Problems
Even though it seems as if there are only benefits to adding proxies, and in most cases this may be true, you need to be aware of potential problems of using proxies. As with all technologies, there are possible issues that may arise, such as:
Single point of failure.
A proxy for each service.
Default configurations.
Be sure that the proxy is used in addition to other security mechanisms (such as a packet filter), to reduce the likelihood of a direct intrusion attack on the proxy. If the entire network is dependent on this machine, you need to take good care of it!
Default Configurations
The majority of proxy server software is designed for functionality over security. The applications are created to get users up and running quickly, and give them access to the resources they need. This is the opposite of security. Therefore, when implementing a proxy, it is recommended to not use the default configurations. Take the time to implement the rules and restrictions, as they are needed.
TASK 4D-1
Diagram the Proxy Process
1. Diagram the process of an internal client in the network requesting an email message from the remote server running SMTP.
Topic 4E
The Bastion Host
In order to create a firewall or proxy, there must be a platform for the software to use. In some instances, there is a dedicated piece of hardware that will run the firewall software. In this topic, you will learn about the process of setting up a server to run the software. This server is called the bastion host.
Bastion host is a term used for a computer that has been hardened much more thoroughly than any other computer in the network. This server is using every security option that comes with the operating system to the maximum that it can be used. All auditing has been configured, all authentication has been configured, and encryption (where relevant) has been configured. Further configuration would be the removal of all services and applications not deemed absolutely necessary for the server to function. All user accounts are removed, except for those required for server management. Every service, application, and user account that is removed is one less target for a potential attacker. Once the computer has been configured, then the software may be installed and configured on top of the base operating system.
This computer should not be considered the single line of defense, but rather, one link in a chain. The security of the network cannot rely on a single component, so the bastion host is one of several in a well designed network, as shown in the following figure. The first line of defense is the router, connecting the network to the Internet, which should be configured with appropriate packet filtering. Following the packet filtering router is where the bastion host running proxy services is located. If the network is small, one bastion host running the proxy services for the entire network may be fine. In a large network, there are likely to be many bastion hosts, each running different proxy services.
The basic steps that must be followed in setting up a host as a Bastion are:
Remove unused applications.
Remove unused services.
Remove unused user accounts.
Enable auditing.
Install the operating system from scratch, formatting the disk first.
Do not use a dual-boot computer.
Remove unused hardware, such as modems or sound cards.
Use very strong authentication methods, such as tokens or biometrics.
Implement a utility to check files for tampering, such as TripWire.
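The last step in the list, a utility that checks files for tampering, is simple enough to show in full. The following is an added example, not code from the course and not TripWire's code: it records a SHA-256 digest, size and mode for every regular file under a root, and later reports which files were added, removed or changed against that baseline. The directory tree, its contents and the tampering applied to it are constructed inside a temporary directory so the script runs anywhere.

```python
"""Added example, not from the course text: a small file integrity checker of
the kind the list above refers to (TripWire is the named product; this is
not its code). It records a SHA-256 digest, size and mode for every regular
file under a root, and reports files that were added, removed or changed
since the baseline. The directory tree and its contents are constructed."""
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root):
    """Map each regular file (path relative to root) to its digest, size and mode."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue              # symlinks, devices etc. are outside this example
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = {"sha256": hash_file(full), "size": st.st_size, "mode": st.st_mode}
    return db


def compare(baseline, current):
    """Report differences between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


def write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def run_demo():
    """Build a constructed tree, baseline it, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        write(root, "bin/ls", b"\x7fELF constructed binary\n")
        baseline = take_baseline(root)
        # The baseline itself would be kept on read-only media; a JSON round
        # trip stands in here for storing and reloading it.
        stored = json.loads(json.dumps(baseline))

        # Constructed tampering: an extra UID 0 account, a new hidden file, a deleted file.
        write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\nnewuser:x:0:0::/:/bin/sh\n")
        write(root, "tmp/.hidden", b"unexpected file\n")
        os.remove(os.path.join(root, "etc/hosts"))
        return compare(stored, take_baseline(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The report names etc/passwd as changed, tmp/.hidden as added and etc/hosts as removed. The value of such a check depends entirely on the baseline being taken on a known-good system and stored where an intruder on the bastion host cannot rewrite it.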
Other standard techniques for creating a Bastion host to run as a firewall are:
TASK 4E-1
Describing a Bastion Host
1. Describe the function of a bastion host in creating a secure network environment. Bastion host is a term used for a computer that has one or more network interfaces exposed to the Internet. The OS (typically a server OS) on such a device is hardened in a much more secure manner than any other computers in the network. Further configuration would be the removal of all services and applications not deemed absolutely necessary for the server to function. Once the computer has been configured, then the software that dictates rule sets for internal or external traffic may be installed and configured on top of the hardened OS.
Topic 4F
The Honeypot
One area that is the subject of much discussion in security circles is the use and deployment of honeypots. For some security professionals, network security is not fully functional without one, while others feel it is an unneeded and potentially dangerous part of the network.
What is a Honeypot?
Just as honey attracts bears, a honeypot is a computer designed to attract attackers. If an attacker has managed to get past your packet filter into your DMZ and is scanning for options, the honeypot should be the one computer that sticks out. This is depicted in Figure 4-14.
Legal Issues
A discussion of honeypots would not be complete without a discussion of the legal issues surrounding this use of technology. Perhaps the single biggest issue involving a honeypot today is the issue of entrapment. Some people feel that the setup of a honeypot is entrapment, and therefore, the same rules apply as in the real world. Up to this point, that is not yet the case. It should be noted, though, that defense attorneys have tried using entrapment as a defense. Another issue is that of privacy. If an attacker were to set up an IRC server on the honeypot, it is possible for the administrator to log all conversations on that server. For now, this issue is more of a moral and ethical dilemma than a legal one, since there is no defined law regarding this subject. However, it should be noted again that this could be a viable defense for an attorney to work with. The current standard for this issue is the Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. This publication is by the Computer Crime and Intellectual Property Section, Criminal Division, United States Department of Justice, and is part of the Computer Crime and Intellectual Property Section (CCIPS). The entire document can be found at www.usdoj.gov/criminal/cybercrime/searching.html#searchmanual
TASK 4F-1
Honeypot Configuration
1. What are the services most likely to be enabled in creating a honeypot, and why? Most likely services would include the normal WWW, FTP, SMTP, POP3, and Telnet. It is important to offer the normal services, since the honeypot must appear to be a productive, live computer in the network, and should be configured the same as a production WWW server, perhaps with looser permissions and solid logging.
Summary
In this lesson, you identified the major components used in building firewall systems; you learned to detail the methods used to create a firewall policy in a network scenario. You now know how packet filters are used in firewall systems. You can also describe the process of creating a bastion host, as well as how to use proxy servers in firewall systems. You are also aware of the process involved in creating a honeypot and can differentiate between a honeypot and a honeynet.
Lesson Review
4A Name two methodologies for firewalls.
Packet filtering and proxy servers (application gateway).
What are three services a firewall can provide?
Network Access Translation (NAT), data caching, and restricting access to content.
How can a second connection to a client computer make an impact on firewall security?
A second connection will render much of the firewall useless to this client, and maybe even the network.
Name four different methods of implementing a firewall.
A Single Packet Filtering Device. A Multi-homed Device. A Screened Host. A Demilitarized Zone.
List at least three items that would be specific to the firewall policy.
Answers may include: Users may access WWW on port 80 as required; users may not access NNTP on any port; users not in subnet 10.0.10.0 are not allowed to Telnet to any location; any policies dealing with firewall administration.
4C What is the primary difference between stateful and stateless packet filters?
Stateless packet filters make a decision about a packet based on any portion of the protocol header; however, the vast majority of filters are based on the most significant information in the header. Stateful packet filters encompass the techniques used by stateless packet filters; however, they do not base their decisions on individual packets. Stateful packet filters increase security by remembering the state of connections at the network and the session layers as they pass through the filter. This session information is stored and analyzed on all packets moving through the filter.
Lesson 4: Designing Firewalls 185
In addition to IP addresses, what else can a packet filter use to make a decision on a packet?
Fragmentation, IP Protocol ID, Protocol Type, and TCP or UDP Port Numbers.
How can an attacker use fragmentation to get through a packet filter?
By encapsulating the entire payload in one or more fragments following the first fragment.
4E What are the steps that must be followed to create a bastion host?
1. Remove unused applications. 2. Remove unused services. 3. Remove unused user accounts. 4. Enable auditing.
What are some additional steps that are recommended in securing the bastion host?
Install the operating system from scratch, formatting the disk first. Do not use a dual-boot computer. Remove unused hardware, such as modems or sound cards. Use very strong authentication methods, such as tokens or biometrics. Implement a utility to check files for tampering, such as TripWire.
How should a compromised bastion host be recovered?
A compromised bastion host often leads to a compromised network. Once the bastion host has had an intrusion, it is critical that the remaining computers in the DMZ or network be examined quickly for possible intrusions. Identify the date of the intrusion before you restore the bastion host from backup. The best solution is to begin from scratch and re-create the bastion host, starting with formatting the disk.
What are two of the goals of a honeypot?
Answers may include: Lure the attacker; log visits; and respond to incidents.
What are some potential legal issues of honeypots?
Entrapment and privacy issues.
Lesson 5: Configuring Firewalls
Overview
In this lesson, you will first review firewalls from a conceptual viewpoint to learn about the types of firewalls, how each of these types work, and what protection they can provide for your network. After you have the foundational concepts under your belt, you will go through a series of exercises to actually implement two different firewall solutions: Microsoft's Internet Security and Acceleration server, which runs on top of the Windows platform; and IPTables, which runs on top of the Linux platform. This will provide you with the practical working knowledge to implement a firewall in your network environment.
Data Files: ISAScwHlpPack.exe
Lesson Time: 5 hours
Objectives
To configure network firewalls in the defense of a network, you will:
5A Describe standard firewall functionality and common implementation practices. Firewalls come in a wide variety of flavors today. In addition to the many vendor offerings, there are also many versions of build-your-own firewalls. Regardless of the firewall implementation you are working with, there are commonalities between them, both functionally and in implementation methodologies. Exploring these commonalities will provide you with a solid foundation for developing mastery of firewall implementation.
5B Install, configure, and monitor Microsoft ISA Server 2006. In this topic, you will install Microsoft ISA Server 2006 and work with the built-in configuration tools. In addition, you will explore options for managing, monitoring, and auditing ISA Server 2006.
5C Examine the concepts of Linux IPTables. In this topic, you will examine how IPTables creates a chain of rules that can control the egress and ingress of specific network traffic. IPTables is a popular build-your-own type of firewall that you will find implemented in many networks.
5D Apply firewall concepts and knowledge to a scenario. In this topic, you will be given a specific network situation, and you will then design firewall topology and rule sets to create the required firewall security posture.
Topic 5A
Understanding Firewalls
Technology-based firewalls first appeared on the networking scene in the early 1990s. As the Internet and networks in general have developed and progressed, so have the potential digital dangers. Firewalls have progressed right alongside, developing from simple gatekeepers to comprehensive security tools that can work in conjunction with intrusion detection systems and malware scanners. Security has become increasingly problematic for systems connected to the Internet. Network intrusions and attacks have now become so common that the risk is understood as an unavoidable part of conducting business in the digital age. In a modern network, firewall technology is a mainline component for any organization that has defined a network security architecture. Even home users connected to the Internet through commercial ISP connections regularly install software and hardware firewalls to provide a measure of protection for their personal systems. Fear not; in this module we are going to lift the veil of mystery and discover what a firewall does and how firewalls actually work. Firewalls generally comprise the first line of defense for a network and, therefore, a solid working understanding of firewalls is essential in today's modern networked world. You will also examine how to implement and configure two popular platform-specific firewalls: Microsoft Internet Security and Acceleration Server 2006 and the built-in Linux firewall, IPTables. Let's examine some firewall basics now.
Firewall Basics
A basic understanding of what firewalls are and how they work will give us a common framework of reference. We can then build our practical skills on top of this framework when we investigate how to implement and configure our two firewalls. This will be most effective if we can derive the answers to the following questions:
What is a network firewall?
What are common firewall related terms?
What are the basic functions of a firewall?
What do addresses, ports, protocols, and services have to do with a firewall?
What are the common types of firewalls?
How are firewall rules built?
What are the common firewall network topologies?
Why would I want a firewall?
What can a firewall not protect me from?
Figure 5-1: Firewalls control network communication.
A firewall is generally comprised of a software program (code) that works in conjunction with a hardware device that is responsible for physically transmitting network data. Firewalls can exist as a software program installed on top of an operating system or as a specialized hardware device running proprietary code. Depending on the size and complexity of the environment being protected, firewalls can be configured as a single system or have multiple systems working in concert. Many firewalls are capable of handling multiple types of transport protocols (TCP/IP, IPX/SPX, etc.). However, for the purposes of our discussion here, we will operate under the assumption that you are going to be using the current industry standard, TCP/IP, as your network transport protocol of choice.
Firewall Terms
We know that networks are made up of multiple connected systems, all with varying degrees or levels of trust between them. Your daily interactions with the network of humans around you are a good illustration of the principle of networked trust. For example, you might trust your best friend with the keys to your car, but certainly not the person who you just met at the car wash. In a networked environment, these areas of interaction can be referred to as zones of trust. Some common examples of these zones would be the Internet, which is a zone with little or no trust; and your internal network, which would be a zone with a high level of trust.
The networking world has spawned a variety of terms such as Internet, Extranet, intranet, and DMZ. We can use these terms to define the zones of trust that commonly occur in any given network environment.
Internet: This zone of trust corresponds to the worldwide public network of systems. Since this zone is accessible by anyone, it is our least trusted zone. In firewall terminology, this is often referred to as an unprotected or external network.
Intranet: An intranet is a private network that is used to securely share an organization's information or operations within the organization. In firewall terminology, this is often referred to as a protected or internal network.
Extranet: This zone of trust is a semi-private network that an organization creates to share parts of their private network with business partners such as customers, suppliers, or other collaborative partners. Basically, this is an extension of the private zone of trust to include specific types of access to approved outside entities.
DMZ: The Demilitarized Zone of trust is a network segment or segments located between protected and unprotected networks. DMZs are generally configured in one of two basic topologies: chained and three-legged. A chained DMZ is isolated in a linear fashion between the trusted and un-trusted zones by a firewall on either side, whereas a three-legged DMZ is connected to a third interface off of a single firewall that separates the trusted and un-trusted zones, creating a third network spoke off of the firewall.
Address, Port, Protocol, and Services: The Building Blocks of Firewall Rules
In order to really understand what a firewall does, it will be helpful to take a quick review of how network communications work, especially in respect to the Internet Protocol. All Internet Protocol communications have several properties in common. It is these common properties that allow a firewall to perform most of its functionality. There are five basic commonalities generally present in network communications over the Internet Protocol:
Source address: This is where the communication originated from.
Destination address: This is where the communication is going to.
Protocol used: This could be TCP, UDP, ICMP, IGMP, etc.
Target port: A port is an endpoint to a logical network connection. This port number is how a network request specifies a specific service from a remote resource on a network. (IANA RFC 1700 specifies well known port numbers.)
Service: This is the application that is offering the data or functionality requested by the connection. Generally, services listen for requests on a specific port over a specific protocol.
We use similar types of mechanisms in our non-digital daily lives to move information from one place to another. A good example of this would be returning a defective computer part to a manufacturer. We know that we are sending the part from ourselves (the Source). Then, we obtain the manufacturer's address (the Destination). We decide on a shipper: FedEx, UPS, DHL, etc. (the Protocol). We also add "Attention: RMA department" to the label (the Port). Because of how we addressed, shipped, and labeled the package, when it arrives at the manufacturer, it will be handed over to the warranty service department for repair or replacement (the Service).
From this example, you can see that the concepts of source, destination, protocol, port, and service are commonly used in our daily lives. In relation to a firewall, these commonalities that occur in network communication form the building blocks of the rule sets that firewalls use to control access to and from network entities.
Figure 5-4: The Open Systems Interconnection (OSI) model.
In a nutshell, the layers of the OSI model perform the following functions:
Layer 7: Application - Interface from network to applications
Layer 6: Presentation - Handles data representation and encryption
Layer 5: Session - Manages connections between applications
Layer 4: Transport - Provides end-to-end connections and reliability
Layer 3: Network - Path determination and logical addressing (IP)
Layer 2: Data Link - Physical addressing (MAC & LLC)
Layer 1: Physical - Media, signal, and binary transmission
A full discussion of the OSI model is outside the scope of this module, but those layers relevant to the topic of firewalls will help us understand how they function. Current firewall technology operates on the OSI model layers as shown in the following figure.
Firewalls generally operate at the levels corresponding to OSI Layers 2, 3, 4, and 7. The common network functionalities of source and destination address, protocol, port, and services that we examined earlier are described as operating on these layers of the OSI model.
Layer 2 (Data Link) is the lowest layer that contains addressing that can uniquely identify a single specific source or destination. These addresses are the MAC, or Media Access Control addresses, and are assigned to physical network interfaces. For example, a MAC address belonging to a standard Ethernet card is an example of a Layer 2 address. This is one layer that can be used by a firewall to discriminate source and destination addresses for communications control.
Layer 3 (Network) is the layer that handles the delivery of network traffic by providing switching and routing technologies, creating virtual circuits (logical paths), and transmitting data from node to node. Source and destination addressing, routing, forwarding, packet sequencing, error handling, and flow control are handled at this layer. Like Layer 2, Layer 3 can also be used by a firewall to discriminate source and destination addresses for communications control.
Layer 4 (Transport) is the layer that identifies end-to-end network communication mechanisms and communication sessions. This is the layer where the transport protocol is assigned, e.g. TCP, UDP, ICMP, etc., and the source and destination ports are specified. Firewalls can examine the protocol and port information from Layer 4 and use these values to control network communication.
Layer 7 (Application) supports both application (service) and end-user processes. This layer is where such things as communication partners, authentication, quality of service, and any data syntax constraints are identified. Everything at this layer is application specific. Data is passed from the program in an application-specific format, then encapsulated and passed to the layers below.
Firewalls can use a host of information, such as service-specific information that occurs at the application layer, to inspect and control inbound and outbound data communication to enhance your security posture. The additional layer coverage enables the firewall to handle advanced applications and protocols. A good example of this would be user authentication. A simple firewall that functions only on Layers 2 and 3 will not normally be able to distinguish individual users, whereas a firewall with awareness of the application level (Layer 7) can enforce communications policies based on user authentication.
Classifying Firewalls
Firewalls have continued to evolve since their inception and are growing more sophisticated. As with any sophisticated system, a methodology for classification can facilitate understanding. The simplest way for you to classify firewalls is by how they handle the process of controlling network communications. Is the communication control being done between a single system and a network, or between two or more network segments? Firewalls that control communication with a single system are generally called Personal Firewalls. Firewalls that control communication between network segments are called Network Firewalls.
Is the communication intercepted and inspected at the network layer or at the application layer? Network-layer firewalls are called Packet Filter Firewalls.
Lesson 5: Configuring Firewalls
Application-layer firewalls are called Application Gateways or Proxy Firewalls. If the firewall does not track the communication state, it is classified as a Stateless Firewall. If the firewall tracks the state of connections, it is classified as a Stateful Firewall.
Figure 5-6: OSI Layers of inspection for a Simple Packet Filter Firewall.
to either allow or fail to deny network traffic that your network policy states should be denied. Conversely, it is also easy to block traffic that should be permitted.
Figure 5-7: OSI Layers of inspection for a Stateful Packet Filter Firewall.

Stateful packet filters control traffic in basically the same manner as a simple packet filter, by using rule sets, but they have additional intelligence in their logic that enhances their performance and solves several challenges with simple packet filter firewalls. The "stateful" moniker comes from the fact that these firewalls keep track of the state of all accepted connections in a data table that resides in memory. This enables the firewall to determine whether an incoming packet is a new connection or part of an existing established connection. Once the connection session has ended or has timed out, its corresponding entry in the state table is discarded. Some applications send periodic keepalive packets in order to stop a firewall from dropping the connection during periods of low user activity.
Figure 5-8: Example of a connection state table.

This ability to discriminate between new connections and existing ones brings several advantages to this type of firewall over a simple packet filter.

Lower Attack Footprint: Stateful firewalls can take additional actions based on data residing in the state table, such as dynamically opening return client ports for each individual connection. This lowers your attack footprint, which improves your security posture.

Less Susceptible to Spoofing: A stateful firewall holds in memory key attributes of individual connections. These attributes help the firewall track the state of the connection. Attributes stored in memory include the IP addresses and ports for both ends of the connection and also the sequence numbers of the data packets sent through the connection. The stateful firewall's awareness of IP addresses and sequence numbers makes it far less susceptible to spoofing.

Easy Black Hole Configuration: Stateful firewalls can easily be configured to pass all outgoing packets through, but to permit incoming packets only if they are part of an established connection listed in the state table. This prevents intruders from starting unsolicited connections to resources in the protected network. Coupled with a rule to discard unsolicited packets, this turns your network into a black hole on the Internet.

Less Resource Intensive: Tracking the connection state gives stateful firewalls increased efficiency in their packet inspection process. Packets for existing connections through the firewall only have to be checked against the state table, which is less resource intensive than checking the packet against the firewall's filter rule set.
Stateful inspection firewalls share some of the weaknesses of packet filter firewalls; however, the advantages created by the state table implementation mean that stateful inspection firewalls are generally more secure than simple packet filter firewalls.
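The state-table behaviour described above (outbound connections recorded on the way out, inbound packets accepted only when they match an established entry, idle entries expired, unsolicited inbound packets dropped into a black hole), as an added Python example that is not part of the course text. The internal prefix, addresses, ports, rule set and timeout are constructed assumptions.

```python
"""Toy stateful packet filter with an in-memory state table.

Added example for this lesson, not code from the course. New outbound
connections are checked against the rule set and recorded in the state
table; inbound packets are accepted only if they belong to an entry already
in the table; idle entries are discarded after a timeout; unsolicited
inbound packets are dropped silently (the "black hole" configuration).
Addresses, ports and timings below are constructed samples.
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.16.1."   # constructed: the protected (internal) network
IDLE_TIMEOUT = 120             # seconds an idle entry survives in the table


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ts: float                  # arrival time in seconds


class StatefulFilter:
    """Rules apply only to NEW outbound connections; everything else is
    decided by the state table (established) or dropped (unsolicited)."""

    def __init__(self, rules, timeout=IDLE_TIMEOUT):
        self.rules = rules     # ordered list of (action, proto, dst_port or None)
        self.timeout = timeout
        self.table = {}        # 5-tuple of the initiating direction -> last seen

    @staticmethod
    def _forward(p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def _expire(self, now):
        # Discard entries whose connection has been idle past the timeout.
        for key in [k for k, seen in self.table.items() if now - seen > self.timeout]:
            del self.table[key]

    def decide(self, p):
        self._expire(p.ts)
        for key in (self._forward(p), self._reverse(p)):
            if key in self.table:
                # Part of an established connection: a table lookup is all
                # that is needed, the rule set is not consulted again.
                self.table[key] = p.ts
                return "allow:established"
        if not p.src_ip.startswith(INTERNAL_PREFIX):
            # Nothing in the table and not from the inside: black hole it.
            return "drop:unsolicited"
        for action, proto, port in self.rules:
            if proto == p.proto and port in (None, p.dst_port):
                if action == "allow":
                    self.table[self._forward(p)] = p.ts
                    return "allow:new"
                return "deny:rule"
        return "deny:default"


RULES = [("allow", "tcp", 80), ("allow", "tcp", 443), ("allow", "udp", 53)]


def run_demo():
    """Walk a constructed traffic sample through the filter."""
    fw = StatefulFilter(RULES)
    sample = [
        Packet("tcp", "10.16.1.50", 40000, "192.0.2.10", 80, 0.0),     # new outbound HTTP
        Packet("tcp", "192.0.2.10", 80, "10.16.1.50", 40000, 0.5),     # server reply
        Packet("tcp", "203.0.113.7", 5555, "10.16.1.50", 22, 1.0),     # unsolicited SSH probe
        Packet("tcp", "10.16.1.50", 40001, "192.0.2.10", 23, 2.0),     # outbound telnet, no rule
        Packet("tcp", "192.0.2.10", 80, "10.16.1.50", 40000, 300.0),   # reply after idle timeout
    ]
    return [fw.decide(p) for p in sample]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The last packet shows the timeout behaviour: once the entry has been discarded, a reply that would earlier have been allowed as established is treated as unsolicited.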
Figure 5-9: OSI Layers of inspection for an Application Level Firewall.

Application level firewalls are capable of doing deep packet inspection in order to make accurate appraisals of which connections to allow and which to deny. By reading the actual data inside a packet, application level firewalls are able to detect bypass attempts such as masking non-permitted communications inside packets sent over permitted ports, for example, hiding IRC communications by using port 80 to masquerade as HTTP. Traditional stateful firewalls cannot detect this, while an application level firewall can inspect and deny HTTP packets if the content does not match the packet type. Application level firewalls also generally have the ability to require authentication of each user or system attempting to transmit data across the firewall. A wide variety of authentication forms are available, including:
User ID and Password Authentication
Hardware or Software Token Authentication
Source Address Authentication
Biometric Authentication
Application level firewalls have several advantages over both types of lower level packet filter firewalls we previously examined.

Extensive Logging Capabilities: Application level firewalls have extensive logging capabilities because the firewall is able to examine the entire network packet contents instead of just the lower level network addresses and ports. Application level firewall logs often contain the application-specific commands issued over the network data packets. This can be very useful for both policy management and intrusion incident investigation.

Enforcement of Authentication: The authentication capabilities built into application level firewalls are vastly superior to those found in packet filter or stateful inspection packet filter firewalls. Application level firewalls allow you to set enforcement rules on the types of authentication that are most appropriate for a network environment, as opposed to relying only on lower level source, destination, and port addresses.

Less Susceptible to TCP/IP Vulnerabilities: Application level firewalls can inspect the entire contents of a packet to ensure that the contents are appropriate for the target destination. This greatly improves the firewall's ability to block spoofing attacks and other TCP/IP vulnerabilities.

The deep packet inspection of an application level firewall can be resource-intensive to process. Therefore, most application level firewalls include stateful inspection to optimize resource utilization. One potential danger to application level firewalls is that savvy intruders may attempt to defeat the deep level inspection by encrypting their packet contents, such as by tunneling with SSL. This is why it is important for application level firewalls to have a rule that denies any inbound encrypted communication unless the connection originated from inside the trusted zone and is listed in the state table.
A partial list of attributes that can be examined by a firewall and used for rule set comparison would look like this:
Source address
Destination address
Protocol
Source port
Destination port
Source service
Destination service
TTL values
Originator's netblock
Destination netblock
Domain name of the source
Domain name of the destination
Application source
Application destination
Authentication
And many other attributes
Firewall rules are the heart of your firewall system. These rules build on one another and are generally parsed in sequence. The first rule the firewall discovers that matches the attributes of the data packet is the rule that will be applied. Most firewalls have a configuration option that allows you to manage the order in which rules are parsed within a given rule set. Ordering your firewall rule sets correctly is an important step in ensuring that the firewall behaves as expected. View the following figure and look at rule number seven (the default deny rule). This rule is the last rule in the set. If this rule were placed anywhere but last in the list, all other rules below it would have no effect, because all traffic is denied by this rule. Without careful ordering of your rules, you will find your firewall producing unexpected results. One thing you can count on is that a firewall will do exactly what you tell it to do. It is a wise firewall administrator who plans his or her rules carefully and keeps them well documented!
Figure 5-11: Example of a perimeter firewall topology.

Perimeter firewalls are the simplest configuration to use when no trusted resources need to be available to the untrusted network. One exception would be remote users; in this case, the firewall is often combined with VPN technology to allow external users to securely access the internal network. This topology is a good choice when you want to allow access to the Internet from your trusted network, but do not wish to make internal resources available to users on the Internet. You can configure a perimeter firewall to allow access to specific internal resources by creating firewall rules that allow outside access to only those resources, such as an SMTP server or web server. In fact, many people do exactly that. Be aware, however, that if the internal resource is compromised over the externally accessible port, it opens your whole network to further attacks. If you need to make resources available to users on untrusted networks, the best choice is one of the following DMZ configurations.

Three-Legged (DMZ) Firewall Topology: The three-legged DMZ topology is commonly used where you need to publish resources to an untrusted network such as the Internet. This topology uses a single firewall, as the perimeter topology does; however, in this configuration, the firewall has an additional network interface that is connected to a network containing the externally available resources.
Figure 5-12: Example of a three-legged (DMZ) firewall topology.

The three-legged firewall topology allows you to publish resources while still blocking all inbound access to your internal network. In this topology, the firewall rules are configured differently for the internal and DMZ interfaces. The internal interface is configured to deny external access to the internal network, while the DMZ interface is configured to allow access to specific resources in the DMZ from the external network. This configuration increases the security posture of your internal network by removing the need to open any inbound ports to the internal network other than for client return connections. An additional security benefit of this topology is that if one of the publicly accessible resources is compromised, your internal network remains secure.

Chained (DMZ) Firewall Topology: Another firewall DMZ topology commonly used where you need to publish resources to an untrusted network such as the Internet is the chained DMZ. This topology uses a pair of firewalls to create the DMZ. The two firewalls sandwich the DMZ between the internal and external networks. Since this configuration contains two firewalls, and therefore two sets of firewall rules, it can be considerably more complex to set up. However, when this topology is correctly configured, it brings a high level of protection to your network.
This topology is commonly used where both the external network and the internal network need access to resources in the DMZ, and those DMZ resources also require communication with other servers and services that reside inside the internal network. A good example of this would be a mail server that needs to authenticate internal users against a directory service that resides on a server in the internal network. The mail server in this scenario has two requirements: it must be able to exchange inbound and outbound SMTP packets with the Internet, and it must be able to authenticate internal users against the directory service on the internal network. Another situation where this topology would be an appropriate choice is an e-commerce site that connects to a database containing sensitive customer information. In this scenario, you would place the front-end web server in the DMZ behind the front-side firewall, then place the database server on the segment behind the back-side firewall. The front-side firewall rules would be configured to allow only inbound TCP port 80 and port 443 to the web server, while the back-side firewall rules would allow only the web server to query the back-end database server, effectively isolating the database server from the Internet. When correctly configured, the chained DMZ firewall topology offers a high level of protection from external network threats, while providing ample flexibility for communications between the DMZ and the internal network.
Regulatory Compliance
The prominence of Internet dangers has even prompted legislation in many countries that places responsibility for data protection on the organization that owns the information. This is especially true of government, banking, and the healthcare industries. Organizations now find themselves with compliance responsibilities for protecting sensitive data that sometimes carry stiff penalties for noncompliance. This has spawned a general move in most organizations towards a formal set of computing security policies. These policies dictate how an organization's resources must be protected and show that the organization is meeting its regulatory compliance obligations. A firewall is one of the key elements in enforcing the organization's written policy.
Public Image
A firewall can serve to protect not only your organization's data, but also its public image. Almost every organization has a website today. If these publicly accessible resources are not protected and get hacked, either through defacement or denial of service attacks, the organization's image will be tarnished in the eyes of the website users. This impact can, and usually does, make itself felt on the organization's bottom line, either through your customers going to the competition because they lost trust in your organization as the result of website defacement or data theft, or through lost sales as the result of a denial of service attack on your e-commerce site. Firewalls can't always prevent this, but they can mitigate the dangers down to an acceptable level of risk.
Firewalls cannot protect against attacks that don't traverse your firewall:
lite or other wireless connection has effectively punched a hole right through your carefully configured security measures.
Social engineering. This is a proven methodology for breaking into networks that are otherwise secured. It is simply astounding what villainous social engineers can get a user (or even a sys admin), who is otherwise an intelligent human being, to reveal about his or her computing environment. Your best line of defense against this type of attack is user education.
Cannot protect against attacks on services that are allowed through your firewall:
Allowed inbound traffic. This includes attacks on web and email services to which external access has been permitted. If you allow access to your web server through the firewall, and the web server has an unpatched vulnerability that works over port 80 (HTTP), your firewall cannot protect the web server from that type of attack.
Malware and browser threats. Firewalls cannot protect your network against threats that users bring into the network themselves. This includes the many forms of malware such as email viruses, Trojans, browser-based attacks, spyware, and phishing sites. Again, we are back to defense in depth and user education as our best defense against these types of threats.
Some modern application layer firewalls capable of deep packet inspection also have varying levels of intrusion detection capabilities built in. These firewalls can potentially mitigate this type of risk. But better safe than sorry. Patch, patch, patch!
To have the best chance at defending your network, a well-configured firewall must be augmented by good configuration control, secure OS baselines, patch management, anti-malware programs, sound network administration basics, and a user education program. Defense in depth is the security-conscious administrator's motto.
Some modern application layer firewalls capable of deep packet inspection also have varying levels of malware detection capabilities built in. These firewalls can potentially mitigate this type of risk. But again, better safe than sorry. Always use anti-malware software and keep it up-to-date!
policy that explicitly outlines your overall security goals, policies, and procedures, including your firewall configuration and rule sets. Obtaining management support and backing for the policy is critical, as they are the ones with the final authority and responsibility for the organization's operations and information.
Figure 5-14: Using an internal firewall to secure sensitive internal resources.

In this context, the firewalls are not only controlling access from the external network, the DMZ, and the partner networks, but also from within the organization's internal network itself. Employing firewalls in this manner can significantly increase the security of your sensitive data against internal attacks.
Topic 5B
Configuring Microsoft ISA Server 2006
Introduction to ISA Server 2006
Microsoft's Internet Security and Acceleration Server (ISA) 2006 is what Microsoft calls its integrated edge security gateway. Microsoft's security offerings in the firewall arena have come a long way since its release of Proxy Server 2.0, which had firewall-style features. This continued development has resulted in ISA Server 2006 being a robust and mature multilayer firewall. It has a wide range of features and capabilities that will meet the needs of almost any network environment, from small businesses to global enterprises. ISA Server 2006 features the following functionalities:
Internet Access Control (Proxy)
Flexible Configuration Controls Including Easy-to-use Wizards
Configuration Export/Import to XML
Customizable Protocol Definitions
Secure Application Publishing
Server Publishing
Web Publishing
SharePoint Publishing
SSL Bridging
Application Layer Filtering (Deep Packet Inspection)
Intrusion Detection Capabilities
Flood Resiliency Configuration
Forward and Reverse Web Caching
Remote User or Branch Office VPN Capability
In each one of these scenarios, ISA Server 2006 provides a robust solution with streamlined deployment, configuration, management, and reporting.
TASK 5B-1
Preparing for the ISA Server 2006
Setup: Lab Prerequisites

Task Note: Firewalls are primarily designed to control network traffic between network segments, so you will need more than one network adapter in your computer in order to configure ISA Server 2006 in the most common firewall topologies. Since the classroom computers have only one physical network card, we will install and configure the Microsoft Loopback Adapter to represent our internal network interface, while configuring the physical network card as our external network interface.
1. Choose Start→Control Panel→Add Hardware.
2. In the Welcome dialog box, click Next; the wizard will search for your hardware.
3. Select Yes, I Have Already Connected The Hardware, then click Next.
4. Scroll to the bottom of the Installed Hardware list box and select Add A New Hardware Device. Then, click Next.
5. Select the Install The Hardware That I Manually Select From A List (Advanced) option, then click Next.
6. Under Common Hardware Types, select Network Adapters, and click Next.
7. Under Manufacturer, select Microsoft.
8.
9.
10. If prompted, click OK in the Insert Disk dialog box, enter the path to the Windows 2003 Server installation source files in the Files Needed dialog box, and then click OK.
11. Click Finish.
12. Choose Start→Control Panel→Network Connections→Local Area Connection 2.
13. In the Local Area Connection 2 dialog box, click Properties.
14. In the This Connection Uses The Following Items list, select Internet Protocol (TCP/IP) and then click Properties.
15. On the General tab, select Use The Following IP Address and then enter the address from the following table that corresponds to your computer name.
WIN-R01 - 10.16.1.1/24
WIN-R02 - 10.16.2.1/24
WIN-R03 - 10.16.3.1/24
WIN-R04 - 10.16.4.1/24
WIN-R05 - 10.16.5.1/24
WIN-R06 - 10.16.6.1/24
WIN-R07 - 10.16.7.1/24
WIN-R08 - 10.16.7.1/24
WIN-L01 - 10.18.1.1/24
WIN-L02 - 10.18.2.1/24
WIN-L03 - 10.18.3.1/24
WIN-L04 - 10.18.4.1/24
WIN-L05 - 10.18.5.1/24
WIN-L06 - 10.18.6.1/24
WIN-L07 - 10.18.7.1/24
WIN-L08 - 10.18.8.1/24
16. Leave the DNS value blank and then click OK.
17. Click OK, and close the Local Area Connection 2 Properties window.
The subnet mask is 255.255.255.0 for all of these IP addresses.
18. Choose Start→Control Panel and right-click Network Connections. From the pop-up context menu, choose Open.
19. Right-click the Local Area Connection and choose Rename.
20. Name the connection External.
21. Right-click the Local Area Connection 2 and choose Rename.
22. Name the connection Internal.
23. Close the Network Connections window.
You have now installed the Microsoft Loopback Adapter and assigned it a unique IP address. We will be using this adapter as our internal network adapter for ISA Server 2006. You also renamed the two available network connections so they can easily be identified as either the external or the internal network.
TASK 5B-2
Install Microsoft ISA Server 2006
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous task. This task requires that you have the Microsoft ISA Server 2006 software available.
1. Browse to the location of the ISA Server 2006 installation files and double-click isaautorun.exe.
2. Click the Install ISA Server 2006 link.
3. At the Installation Wizard, click Next.
4. Read the License Agreement, select I Accept Terms In The License Agreement, and click Next.
5. In the Customer Information dialog box, enter your name, company, and license if necessary, and then click Next.
6. In the Setup Type dialog box, select the Typical radio button, then click Next.
7. In the Internal Network dialog box, click the Add button.
8. In the Addresses dialog box, click the Add Adapter button.
9. In the Select Network Adapters dialog box, check the box next to your Internal network card, and then click OK.
10. In the Addresses dialog box, click OK.
11. In the Internal Network dialog box, click Next.
12. In the Firewall Clients dialog box, accept the default and click Next. (Do not check the box to Allow non-encrypted Firewall Client Connections.)
13. Read the Services warning dialog box and then click Next.
14. In the Ready to Install the Program dialog box, click Install. (The Microsoft ISA Server 2006 Installation Wizard will start and a File Progress window will appear. Be patient; it will take several minutes to install all the components.)
15. In the Installation Wizard Finished dialog box, click Finish.
16. In the pop-up window, click OK. The Windows Internet Explorer window opens with some information on how to protect ISA. Read the page and then close the Internet Explorer window.
17. Close the Microsoft ISA Server 2006 Setup dialog. ISA Server 2006 is now installed.
Each of these tasks has a configuration page that guides you step by step through the various wizards and configuration pages associated with the individual tasks. In the following tasks, you will explore the ISA Server Management Console and configure each of these options for your ISA Server 2006 firewall.
Figure 5-17: The ISA Server Management Console panes.

In the following task, you will explore the ISA Server Management Console and familiarize yourself with its functions and behaviors. The tool is very intuitive, but it does have a lot of moving parts, so the more time you spend getting comfortable with it, the more efficient you will become at configuring ISA Server.
TASK 5B-3
Exploring the Microsoft ISA Server 2006 Interface
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed task 3B-2.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. Notice that the ISA Server Management console is divided into three panes:
The left-hand pane is your Console Tree pane. This pane contains a short list of navigable containers. The containers in this pane logically group related management or configuration settings.
The center pane is your Details pane. For each container in the Console Tree pane, the Details pane contains information related to the configuration container selected in the Console Tree. Depending on the configuration container selected, the Details pane may have multiple tabs of information.
The right pane is your Tasks pane. The Tasks pane contains two tabs. The Tasks tab has a list of relevant tasks that can be performed for the selected container in the Tree pane. If the configuration container selected in the Tasks pane shows multiple tabs of information in the Details pane, the Tasks tab is contextual, that is, it will contain tasks that can be performed for any selected tab in the Details pane of a particular configuration container. In addition, the Tasks pane also contains a Help tab with context-sensitive help for the selected Details pane tab.
3. Notice that the Details pane defaults to the Welcome information. In this section, you can find links to guides on Getting Started, Securing your ISA Server, and Internet Websites with ISA Server Information.
4. In the Console Tree pane, expand the container with your server name by clicking the + symbol.
5. In the Console Tree pane, expand the Configuration container by clicking the + symbol. You have now exposed the whole configuration container chain for a standalone ISA Server 2006 firewall. The Console Tree can/will contain other items if the ISA Server is part of an ISA Array in a domain.
6. In the Console pane, select the WIN-R01 configuration container. Notice that this places the Getting Started information in the Details pane. This lists out the five configuration steps for ISA Server.
7. Briefly read down the list of items in the Details pane.
8. In the Details pane, click the Define Your ISA Server Network Configuration link.
9. Notice that the selected container in the Console Tree pane changed to the Networks container. The three panes found in the ISA Server Management console are linked. Clicking a link in any of the panes will take you to the correct configuration container for the property you are trying to configure.
10. Explore the four tabs in the Details pane of the Networks container.
11. Notice that as you move between tabs in the Details pane, the Tasks pane changes to show contextually relevant links for each tab.
12. On the middle of the vertical divider between the Details pane and the Tasks pane, click the arrow icon. Notice that the Tasks pane collapses to create a larger viewable area for the Details pane.
13. Click the arrow icon again. The Tasks pane expands again to allow access to the tasks listed for the Details pane tab.
14. In the Console Tree pane, select the Monitoring container.
15. Notice that this container has seven tabs in the Details pane.
16. In the Details pane, select the Services tab.
17. On the Services tab, select the Microsoft Firewall item.
18. On the Tasks pane under Services Tasks, click the Stop Selected Service link.
19. Notice that after the service stops, the Tasks link changes context from Stop to Start.
20. Restart the service after it stops by clicking the Start Selected Service link.
21. In the Details pane, after the service restarts, click the Alerts tab.
22. On the Tasks pane, click the Refresh Now link.
23. Notice that the action of starting and stopping the service generated an alert entry.
24. Click the Dashboard tab.
25. Notice that Alerts is one of the items on the Dashboard. The Dashboard gives you a quick overview of the current state of activity on your ISA Server.
26. In the Console Tree pane, select the Firewall Policy container.
27. Notice in the Details pane that one rule, the Default Rule of deny all traffic for all networks, exists.
ISA Server installs only this default Deny All rule during installation. To allow traffic to pass through the ISA Server, you must configure rules to permit it to pass.
28. Notice on the Tasks pane for the Firewall Policy container that there is a long list of tasks that can be performed.
29. Explore the list of tasks in the Firewall Policy Tasks section of the Tasks pane.
30. Notice that these tasks are broken down into four categories:
Firewall Policy Tasks
Policy Editing Tasks
System Policy Tasks
Related Items
Again, the Tasks pane is context sensitive to the container selected in the Console Tree pane and the tab selected in the Details pane. If you are having trouble locating a task, be sure you have selected the right container and Details tab.
31. Notice that the Tasks pane now has a third tab called Toolbox.
32. Select the Toolbox tab in the Tasks pane.
33. Notice that the Toolbox tab has five expandable sections.
34. Browse through the Toolbox tab sections. Be sure to expand and explore a few sub-containers under the various sections also.
35. Explore the remaining Console Tree pane configuration containers and their associated Details and Tasks panes.
36. After you have explored a bit, close the ISA Server 2006 Management console window.
This configuration area of the ISA Server Management console is where you can create and manage all of the various items that can be used in firewall policy rule configurations. A strong familiarity with these items will greatly benefit you when you create custom firewall policy rules for your network. We will return to this area later when we create custom rules.
TASK 5B-4
Exporting the Default Configuration
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed task 3B-2.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. In the Console Tree pane, select the container with your ISA server name.
3. On the Tasks tab, click the Export (Backup) this ISA Server Configuration link.
4. In the Export Wizard dialog box, click Next.
5. In the Export Preferences dialog box, select Export User Permissions. We have no confidential information, such as user passwords and certificates, to export, so we will leave that check box unchecked.
6. Click Next.
7. In the Save The Data To This File field, enter C:\originalcfg.xml and click Next.
8. Click Finish.
9. After the file finishes exporting, click OK.

Right-clicking any item in a container in the Toolbox will give you a context menu listing the available actions that can be taken on that object.

Be sure to cancel out of any dialog boxes you may open and discard any changes to the configuration. This is important so that your firewall will behave as expected in the remaining ISA task exercises.
We now have the ability to return to our default configuration if we accidentally misconfigure our firewall. Adding the exported ISA Server configuration XML files to your regular backups would be a good configuration management practice.
Access Rules
In ISA Server 2006 (as in most other firewalls), the access rules are built from the following building blocks:
Rule Name
Rule Action (Allow, Deny)
Protocol and Port
Traffic Source
Traffic Destination
User Sets
Content Groups
The parameters specified during the rule's construction create the constraint set that the rule set will enforce through the firewall policy of the ISA Server on which the rule was created. A best practice is to evaluate, define, and document each rule before you implement it in ISA Server. This will ensure you get the expected results when you apply the rule. Some firewall administrators find it helpful to diagram the rule and include the diagram with the rule documentation. ISA Server has three basic types of rules:

Access rules: In ISA Server, an access rule controls what network traffic from the internal network is allowed to access the external network. Access rules can apply to all traffic, to only a selected set of protocols, or to all traffic except a selected set of protocols. The same applies to source, destination, or user sets: a rule can apply to all, to only a selected subset, or to all but a selected subset.

Publishing rules: ISA Server defines publishing rules as rules that control access requests from the external network for internal resources. This type of rule is applied to a web server that you want to provide public access to, or to an SMTP server that needs to accept inbound mail delivery. In actuality, these are simply access rules applied to inbound traffic as opposed to outbound traffic. They can apply to the full set of rule building blocks or to a selected subset, just like access rules.

Network rules: ISA Server network rules are built by defining the traffic source, traffic destination, and the network relationship (how the traffic is handled, for example, NAT or Routed). Network rules can be combined with access or publishing rules to provide granular control over the traffic that traverses the ISA Server firewall.
Outgoing Requests
Access control for an outgoing request proceeds as follows. ISA Server first checks the defined network rules and verifies that the source and destination networks are connected. If no relationship between the two networks is defined, the packet is dropped. If one exists, ISA Server parses the access rules in the order in which they are configured. The first rule that matches the traffic being inspected is the rule that applies, which is why ordering matters; if that rule is an allow rule, the request is allowed, and if no rule matches, the default rule at the bottom of the policy denies it. Within an access rule, ISA Server checks the rule elements in this order:
Protocol
Source address and port
Schedule
Destination address
User set
Content groups
Incoming Requests
ISA Server calls the rules that control incoming requests publishing rules. They are designed to let clients on a different network reach your servers securely. Incoming requests are controlled by the ISA Server publishing policy, which is built from web publishing rules, server publishing rules, secure web publishing rules, and mail server publishing rules. These rules, together with any web chaining rules, control how incoming requests to published servers are handled. The publishing rule types are:
Web publishing rules: Used to publish web server content.
Secure web publishing rules: Used to publish Secure Sockets Layer (SSL) content.
Mail server publishing rules: Used to publish mail servers across ISA Server.
Server publishing rules: Used to publish all other internal resource content.
Access rules that deny traffic are processed before publishing rules that allow traffic. If a request matches a deny access rule, the request is denied, because ISA Server never reaches the publishing rule that would have permitted it. Remember this whenever you publish a server: your access rules must not explicitly deny any traffic that you intend to publish.
TASK 5B-5
Creating a Basic Access Rule
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this task, you will work with a partner in the classroom to test your configuration of an access rule. You will need to ask your partner for his or her IP address before you begin the task.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. In the Console Tree pane, expand the container named after your server.
3. Select the Firewall Policy container.
4. Notice in the Details pane that the only rule that exists is the default deny rule.
5. Open a command prompt.
6. Type ipconfig and then press Enter.
7. Ping your default gateway. What was your result? Outbound ping is allowed from your ISA Server. (Traffic that originates on the ISA Server itself is governed by the system policy, not by the firewall policy rules shown in the Details pane.)
8. Ping your partner's external IP address. What was your result? Your partner's ISA Server blocked the inbound ping request on his or her external interface.
9. Minimize the command prompt.
10. In the Tasks pane, under Firewall Policy Tasks, click the Create Access Rule link.
11. On the New Access Rule Wizard dialog box, in the Access Rule Name field, enter Inbound Ping to External Interface and then click Next.
12. In the Rule Action dialog box, select the Allow option and then click Next.
13. In the Protocols dialog box, click the Add button.
14. In the Add Protocols dialog box, expand Common Protocols and select PING, click Add, and then click Close.
16. In the Access Rule Sources dialog box, click the Add button.
17. In the Network Entities dialog box, expand Networks, select External, and click Add. Then, click Close.
18. In the Access Rule Sources dialog box, click Next.
19. In the Access Rule Destination dialog box, click the Add button.
20. In the Network Entities dialog box, expand Network Sets, select All Protected Networks, and click Add. Then, click Close. (All Protected Networks is every network except External, including Internal and Local Host, so this rule is broader than its name suggests; it is deleted at the end of the task.)
21. In the Access Rule Destination dialog box, click Next.
22. In the User Sets dialog box, accept the default of All Users and click Next.
23. Click Finish.
24. At the top of the Firewall Policy Details pane, click Apply.
25. In the Saving Configuration Changes dialog box, click OK.
26. Wait at this step until both partners have completed the previous steps.
27. Restore the command prompt.
28. Ping your partner's external IP address. What was your result? Ping was allowed to the external interface of your partner.
29. Minimize the command prompt.
30. In the Details pane, select the Inbound Ping To External Interface rule.
31. In the Tasks pane, click the Disable Selected Rules link.
32. At the top of the Firewall Policy Details pane, click Apply.
33. In the Saving Configuration Changes dialog box, read the note below the progress bar and then click OK.
34. Wait at this step until both partners have completed the previous step.
35. Restore the command prompt.
36. Ping your partner's external IP address. What was your result? Ping was allowed to the external interface of your partner even though the rule was disabled. This is because you already had an existing connection to your partner from the initial successful ping test. Note: If you are not able to ping your partner's IP address, enable the rule again, ping your partner, and then disable the rule.
37. Choose Start→Control Panel→Network Connections→External.
38. In the External Status dialog box, click the Disable button. This breaks your existing connection to your partner.
39. Wait at this step until both partners have completed the previous step of disabling the External NIC.
40. Choose Start→Control Panel→Network Connections→External. This enables your external connection.
41. Wait at this step until both partners have completed the previous step.
42. Restore the command prompt.
Lesson 5: Configuring Firewalls 229
43. Ping your partner's external IP address. What was your result? Ping is now blocked again by the ISA Server firewall policy.
44. In the Details pane, select the Inbound Ping To External Interface rule.
45. In the Tasks pane, click the Delete Selected Rules link.
46. In the Confirm Delete dialog box, click Yes.
47. At the top of the Firewall Policy Details pane, click Apply.
48. In the Saving Configuration Changes dialog box, click OK.
49. Close all open windows.

It is important to remember that rules you add to the firewall policy do not take effect on connections that are already established. ISA Server 2006 is a stateful firewall: established connections are listed in its state table, and a stateful firewall consults the state table before parsing the rule set. A connection listed there is not checked against the rules again until it leaves the table, either through a timeout or because the source terminates the connection. The same applies when you disable, tighten, or delete a rule: the sessions it permitted stay up until they expire. Disabling and re-enabling the network interface the connection is associated with forces the state table to reset for all connections on that interface; on a production firewall, disconnecting the specific session from the Sessions tab of the Monitoring container achieves the same result for one session without interrupting every other user.
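The Python model below is added here as an illustration; it is not ISA Server code and not part of the original course material. It reproduces the evaluation order described under Outgoing Requests and Incoming Requests (network rule first, then access rules in order with first match winning, with deny access rules consulted before publishing rules that allow) and the state-table behaviour you just observed in this task. The network names, rule names, addresses and the partner at 203.0.113.20 are constructed for the example, and the model checks only protocol, source and destination, not the schedule, user set and content type elements ISA also evaluates.

```python
"""Model of ISA Server 2006 policy evaluation (added illustration, not ISA code).

It reproduces three behaviours described in the text:
  1. a network rule must relate the source and destination networks, or the
     packet is dropped before any access rule is consulted;
  2. access rules are parsed in configured order and the first match wins, and
     an access rule that denies traffic is consulted before any publishing rule
     that would allow it;
  3. a flow already in the state table is not re-evaluated against the rule set
     until it is removed (timeout, termination, or interface reset).
Network names, rule names and addresses are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    action: str           # "allow" or "deny"
    protocol: str         # protocol element name, or "*" for all traffic
    src_nets: set         # network names the rule applies to, or {"*"}
    dst_nets: set
    kind: str = "access"  # "access" or "publishing"
    enabled: bool = True


@dataclass(frozen=True)
class Flow:
    protocol: str
    src: str
    dst: str


class IsaPolicy:
    def __init__(self, networks, network_rules, rules):
        self.networks = {n: ip_network(c) for n, c in networks.items()}
        self.network_rules = network_rules   # set of (source network, destination network)
        self.rules = rules                   # ordered list, as shown in the Details pane
        self.state_table = set()             # established flows

    def network_of(self, addr):
        for name, net in self.networks.items():
            if ip_address(addr) in net:
                return name
        return "External"   # addresses in no defined network belong to External

    def _matches(self, rule, flow, src_net, dst_net):
        # Element check order from the text: protocol, then source, then destination
        return (rule.enabled
                and rule.protocol in ("*", flow.protocol)
                and ("*" in rule.src_nets or src_net in rule.src_nets)
                and ("*" in rule.dst_nets or dst_net in rule.dst_nets))

    def evaluate_rules(self, flow):
        src_net, dst_net = self.network_of(flow.src), self.network_of(flow.dst)
        if (src_net, dst_net) not in self.network_rules:
            return "drop: no network rule"
        # Deny access rules are processed before publishing rules that allow traffic
        ordered = ([r for r in self.rules if r.kind == "access"]
                   + [r for r in self.rules if r.kind == "publishing"])
        for rule in ordered:
            if self._matches(rule, flow, src_net, dst_net):
                return f"{rule.action}: {rule.name}"
        return "deny: Default rule"

    def handle(self, flow):
        """Stateful path: an established flow bypasses rule parsing entirely."""
        if flow in self.state_table:
            return "allow: existing connection (state table)"
        verdict = self.evaluate_rules(flow)
        if verdict.startswith("allow"):
            self.state_table.add(flow)
        return verdict

    def reset_interface(self):
        """Disabling and re-enabling the NIC flushes the state table (steps 37-43)."""
        self.state_table.clear()


def demo():
    """Walk through the task with a partner at 203.0.113.20; returns the verdicts."""
    policy = IsaPolicy(
        networks={"Internal": "10.1.1.0/24",        # constructed lab addresses
                  "Local Host": "203.0.113.10/32",  # this ISA Server's external IP
                  "DMZ": "192.168.18.0/24"},        # defined, but no network rule yet
        network_rules={("External", "Local Host"), ("Local Host", "External"),
                       ("Internal", "External"), ("External", "Internal")},
        rules=[
            Rule("Public Web Server", "allow", "HTTP", {"External"}, {"Internal"},
                 kind="publishing"),
            Rule("Deny HTTP from External", "deny", "HTTP", {"External"}, {"*"}),
            Rule("Inbound Ping to External Interface", "allow", "PING",
                 {"External"}, {"Internal", "Local Host"}),
        ])
    ping = Flow("PING", "203.0.113.20", "203.0.113.10")
    results = [policy.handle(ping)]          # step 28: allowed by the new rule
    policy.rules[2].enabled = False          # step 31: Disable Selected Rules
    results.append(policy.handle(ping))      # step 36: still allowed via the state table
    policy.reset_interface()                 # steps 38-40: bounce the External NIC
    results.append(policy.handle(ping))      # step 43: the default rule denies again
    results.append(policy.handle(Flow("HTTP", "203.0.113.20", "10.1.1.100")))
    results.append(policy.handle(Flow("HTTP", "10.1.1.5", "192.168.18.10")))
    return results
```

The fourth verdict is the case the note above warns about: the publishing rule sits first in the list, yet the deny access rule wins because deny access rules are processed before publishing rules. The fifth shows a packet dropped by the absence of a network rule before any access rule is read, which is exactly what happens to DMZ traffic until the three-legged template in Task 5B-15 creates the relationship.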
Users: This element describes the user or groups of users that the rule applies to.
Schedule: This element describes the days and times during which the rule is enforced.
Content Types: This element describes the network data packet contents that the rule is applied to.
ISA Server 2006 has a robust set of access rule elements pre-configured when it is installed. However, you can easily create additional rule elements that meet your specific requirements when the default rule elements will not address the rule you are trying to create. Since it is impossible to predict what type of traffic any given network may require, the ability to create additional rule elements gives ISA Server 2006 the flexibility to adapt to any requirement.
TASK 5B-6
Creating a Protocol Rule Element
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this exercise, you will create a custom protocol element that you could use to control network traffic for a custom network application that uses TCP port 2120 inbound across your firewall, with return client connections dynamically established across the range 49152-65535.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. Expand the Console Tree pane and select the Firewall Policy container.
3. In the Tasks pane, select the Toolbox tab.
4. On the Toolbox tab, expand the Protocols container.
5. Explore the various protocol elements that are defined by default.
6. On the Toolbox tab, under the Protocols container, click the New drop-down menu, and select Protocols.
7. In the New Protocol Definition Wizard dialog box, in the Protocol Definition Name field, type Custom Application Protocol and then click Next.
8. In the Primary Connection Information dialog box, click the New button.
9. In the New/Edit Protocol Connection dialog box, enter the following values and then click OK.
Protocol type: TCP
Direction: Inbound
Port Range: From: 2120 To: 2120
10. In the Primary Connection Information dialog box, click Next.
11. In the Secondary Connections dialog box, under Do You Want To Use Secondary Connections?, select the Yes radio button, and then click New.
12. In the New/Edit Protocol Connection dialog box, enter the following values and then click OK. (Keep a secondary range as narrow as the application allows: every port in it is opened for the life of the primary connection.)
Protocol type: TCP
Direction: Outbound
Port Range: From: 49152 To: 65535
13. In the Secondary Connection Information dialog box, click Next.
14. In the New Protocol Definition Wizard, click Finish.
15. Notice that your new User-Defined protocol now shows in the Toolbox Protocols area.
16. At the top of the Details pane, click the Apply button.
17. In the Saving Configuration Changes dialog box, click OK.
18. Close the ISA Server 2006 Management console.
TASK 5B-7
Creating a User Rule Element
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this exercise, you will create a user element just for the Administrator account. As an example, this user element could then be used in an access rule to deny the Administrator account access to any resources on the external network. Keep in mind that ISA Server can match a user set only when it knows who the user is: traffic from Firewall Client computers and from authenticated Web proxy clients carries the user's identity, while SecureNAT client traffic does not and cannot be matched by user.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. Expand the Console Tree pane and select the Firewall Policy container.
3. In the Task pane, select the Toolbox tab and then expand the Users container.
4. Notice that ISA Server has three default user elements pre-defined.
5. At the top of the Users container, click the New link.
6. In the New User Set Wizard, in the User Set Name field, type Administrator Account and then click Next.
7. In the Users dialog box, click the Add button, and from the pop-up menu, choose Windows Users And Groups.
8. In the Select User Or Groups dialog box, click the Advanced button.
9. In the Select User Or Groups dialog box, click the Find Now button.
10. In the Search results list, select the Administrator account and then click OK. Be sure you do not select the Administrators group.
11. In the Select User Or Groups dialog box, verify that the Administrator account appears and then click OK.
12. In the Users dialog box, click Next.
13. In the New User Set dialog box, click Finish.
14. Notice that your new user set appears in the Toolbox pane.
15. At the top of the Details pane, click the Apply button.
16. In the Saving Configuration Changes dialog box, click OK.
17. Close the ISA Server 2006 Management console.
Content Types
ISA Server 2006 comes preconfigured with a variety of content types. If the content type you want to target is not already defined, it is an easy task to configure a custom content type to suit your organization's needs. Because ISA Server inspects traffic at the application layer, it can control traffic not only by source, destination, protocol and port but also by content type. This is useful for enforcing a security policy that forbids certain kinds of content. For example, if your organization's security policy forbids downloading executable .exe files from the Internet, you could create a content type for .exe files and assign it to a deny access rule. Keep in mind what the match is based on: a content type is a set of file extensions and MIME types, and the rule is applied to HTTP traffic handled by the Web proxy filter. An executable renamed to another extension and served with a generic MIME type is not recognized as a .exe, so this control enforces policy against ordinary downloads rather than against a determined user or an attacker.
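The following model is added here to make the limit described above concrete; it is not ISA Server code. It matches a request the way a content type element does, on the path's extension or the response's MIME type, and compares that with what the bytes actually are. The extension and MIME type in the assumed Exe Files set, the URLs and the response bodies are constructed for the example; the MZ signature is the real first two bytes of a Windows executable.

```python
"""Added model of how a content type element matches (not ISA code).

A content type is a set of file extensions and MIME types, and a rule that uses
it is applied to HTTP traffic passing through the Web proxy. The extension and
MIME type below are assumed for the example; the 'MZ' signature is the real
first two bytes of a Windows executable, which this kind of match never examines.
"""
from urllib.parse import urlparse

# Assumed definition of the "Exe Files" content type created in Task 5B-8
EXE_CONTENT_TYPE = {"extensions": {".exe"},
                    "mime_types": {"application/x-msdownload"}}
PE_SIGNATURE = b"MZ"


def content_type_matches(url, response_content_type, content_type):
    """True when the request path's extension or the response MIME type is in the set."""
    path = urlparse(url).path.lower()
    mime = response_content_type.split(";")[0].strip().lower()
    return (any(path.endswith(ext) for ext in content_type["extensions"])
            or mime in content_type["mime_types"])


def looks_like_executable(body):
    """What the content type rule does not check: the bytes themselves."""
    return body[:2] == PE_SIGNATURE


def classify(url, response_content_type, body):
    """Returns (matched_by_content_rule, payload_is_executable)."""
    return (content_type_matches(url, response_content_type, EXE_CONTENT_TYPE),
            looks_like_executable(body))


# Constructed responses: an ordinary download, the same bytes renamed and served
# as a generic binary, and a harmless text file
SAMPLES = [
    ("http://dl.example/setup.exe", "application/x-msdownload", b"MZ\x90\x00" + b"\x00" * 8),
    ("http://dl.example/setup.dat", "application/octet-stream", b"MZ\x90\x00" + b"\x00" * 8),
    ("http://dl.example/readme.txt", "text/plain", b"Hello"),
]


def evasions(samples=SAMPLES):
    """URLs whose payload is executable but which the content rule would not block."""
    return [url for url, ctype, body in samples
            if classify(url, ctype, body) == (False, True)]
```

Run against the constructed samples, the renamed download is the one the deny rule misses; that is the gap a content type rule leaves, and it is why this control belongs alongside endpoint controls rather than in place of them.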
TASK 5B-8
Creating a Content Group Rule Element
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. Expand the Console Tree pane and select the Firewall Policy container.
3. In the Task pane, select the Toolbox tab.
4. On the Toolbox tab of the Task pane, expand the Content Types section.
5. Examine the pre-defined content types. Notice that .exe files are not defined.
6. On the Toolbox tab, under the Content Types section, click the New link.
7. In the New Content Type Set dialog box, in the Name field, type Exe Files.
8. In the New Content Type Set dialog box, from the Available Types drop-down list, select the .exe type and then click Add.
9. In the New Content Type Set dialog box, click OK. The new Exe Files content type appears in the Content Types list.
10. At the top of the Details pane, click Apply.
11. In the Saving Configuration Changes dialog box, click OK.
TASK 5B-9
Creating and Modifying Schedule Rule Elements
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.
1. In ISA Server Management, expand the Console Tree pane and select the Firewall Policy container.
2. In the Task pane, select the Toolbox tab.
3. On the Toolbox tab of the Task pane, expand the Schedules section.
4. Notice that there are two pre-defined schedules: Weekends and Work hours.
5. Select the Work hours schedule and then click the Edit link.
6. In the Work hours Properties dialog box, click the Schedule tab.
7. Notice that the schedule is a grid of 7 weekdays by 24 hours, in one-hour increments.
8. Notice that each one-hour block can be set to either Active or Inactive.
9. Click and drag your cursor from Monday 8:00 A.M. to Friday 8:00 P.M. and then click the Active radio button. This extends the work hours to start at 8:00 A.M. instead of 9:00 A.M. and to end at 9:00 P.M., Monday through Friday (the 8:00 P.M. block covers 8:00 to 9:00 P.M.).
10. Click and drag your cursor from Monday 12:00 P.M. to Friday 12:00 P.M. and then click the Inactive radio button to remove the lunch hour from the Work hours schedule.
11. Click OK to close the Work hours Properties dialog box.
12. On the Toolbox tab, under the Schedules area, click the New link.
13. In the New Schedule dialog box, in the Name field, type After hours.
14. Click and drag your mouse pointer in the schedule grid from Monday at 8:00 A.M. to Friday at 8:00 P.M. to cover the workday hours and then click the Inactive radio button.
15. In the New Schedule dialog box, click OK.
16. At the top of the Details pane, click Apply.
17. In the Saving Configuration Changes dialog box, click OK.
You have now modified the existing Work hours schedule and created a new After hours schedule. Schedules can be used in rule creation to control the times at which a rule is enforced by ISA Server 2006, which adds a great deal of flexibility to your firewall policies. Note that the two schedules no longer complement each other: the lunch hour you removed from Work hours is also Inactive in After hours, so a rule bound to either schedule is not enforced between 12:00 and 1:00 P.M. on weekdays. When you pair schedules with deny rules, check that the Active blocks of your schedules cover every hour in which you expect the policy to apply.
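A model of the schedule grid, added here as an illustration and not ISA Server code: it rebuilds the Work hours and After hours schedules exactly as the steps above leave them, checks whether a rule bound to a schedule would be enforced at a given time, and reports the blocks that no schedule covers. The Schedule class, the day names and the sample timestamps are constructed for the example.

```python
"""Model of an ISA Server 2006 schedule element (added illustration, not ISA code).

A schedule is a 7-day x 24-hour grid; each one-hour block is Active or Inactive.
This rebuilds the two schedules from Task 5B-9 and checks whether a timestamp
falls in an Active block, which is when a rule bound to that schedule is enforced.
"""
from datetime import datetime

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]   # datetime.weekday(): Mon = 0


class Schedule:
    def __init__(self, name, active=False):
        self.name = name
        # grid[day][hour] is True when the block starting at that hour is Active
        self.grid = [[active] * 24 for _ in DAYS]

    def set_blocks(self, days, start_hour, end_hour, active):
        """Mark the blocks from start_hour up to (not including) end_hour on the
        given days, like click-dragging over the grid and choosing Active/Inactive."""
        for day in days:
            for hour in range(start_hour, end_hour):
                self.grid[DAYS.index(day)][hour] = active

    def is_active(self, when):
        return self.grid[when.weekday()][when.hour]


def work_hours_schedule():
    """Work hours after the edits in steps 9-10: Mon-Fri 08:00-21:00 with the
    12:00 P.M. block set Inactive."""
    s = Schedule("Work hours")
    weekdays = DAYS[:5]
    s.set_blocks(weekdays, 8, 21, True)     # drag 8:00 A.M. through the 8:00 P.M. block
    s.set_blocks(weekdays, 12, 13, False)   # remove the lunch hour
    return s


def after_hours_schedule():
    """After hours from step 14: everything Active except Mon-Fri 08:00-21:00."""
    s = Schedule("After hours", active=True)
    s.set_blocks(DAYS[:5], 8, 21, False)
    return s


def rule_enforced(schedule, when):
    """A rule bound to `schedule` applies only inside the schedule's Active blocks."""
    return schedule.is_active(when)


def uncovered_blocks(*schedules):
    """(day, hour) blocks in which none of the schedules is Active: a rule bound
    to any of them is not enforced there."""
    return [(DAYS[d], h) for d in range(7) for h in range(24)
            if not any(s.grid[d][h] for s in schedules)]


if __name__ == "__main__":
    work, after = work_hours_schedule(), after_hours_schedule()
    # Constructed timestamps: 2024-01-08 is a Monday
    for ts in (datetime(2024, 1, 8, 8, 30), datetime(2024, 1, 8, 12, 15)):
        print(ts, "Work hours enforced:", rule_enforced(work, ts))
    print("Blocks no schedule covers:", uncovered_blocks(work, after))
```

The last call is the check worth running whenever you edit schedules: with the grids as the task leaves them it returns the five weekday lunch-hour blocks, which is the window in which neither a Work hours rule nor an After hours rule is enforced.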
TASK 5B-10
Using Content Types and Schedules in Rules
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.
1. In ISA Server Management, expand the Console Tree pane and select the Firewall Policy container.
2. In the Task pane, select the Tasks tab.
3. In the Tasks pane, under Firewall Policy Tasks, click the Create Access Rule link.
4. In the New Access Rule Wizard dialog box, in the Access Rule Name field, type Enforce Video Content Policy and click Next.
5. In the Rule Action dialog box, select the Deny radio button and then click Next.
6. In the Protocols dialog box, from the This Rule Applies To drop-down list, select All Outbound Traffic and then click Next.
7. In the Access Rule Sources dialog box, click the Add button.
8. In the Network Entities dialog box, expand Network Sets, select All Protected Networks, click Add, and then click Close.
9. In the Access Rule Sources dialog box, click Next.
10. In the Access Rule Destination dialog box, click the Add button.
11. In the Network Entities dialog box, expand Network Sets, select All Networks (and Local Host), and click Add. Then, click Close.
12. In the Access Rule Destination dialog box, click Next.
13. In the User Sets dialog box, accept the default of All Users and click Next.
14. Click Finish.
15. On the Tasks tab, under Policy Editing Tasks, click the Edit Selected Rule link.
16. Notice that the rule property dialog box has tabs for each of the items configured during rule creation (General, Action, Protocols, From, To and Users) and two additional tabs: Schedule and Content Types.
17. Click the Schedule tab, and from the Schedule drop-down list, select Work hours.
18. Click the Content Types tab and select the Selected Content Types radio button.
19. Scroll down in the Content Types list, select the Video content type, and then click OK.
20. At the top of the Firewall Policy Details pane, click Apply.
21. In the Saving Configuration Changes dialog box, click OK.
22. The ISA Server firewall now enforces the video policy during work hours. Two caveats apply. First, the Work hours schedule edited in Task 5B-9 marks the 12:00 P.M. block Inactive, so this deny rule is not enforced during the lunch hour; a rule bound to a schedule applies only in the schedule's Active blocks. Second, a content type matches on the file extension or MIME type of HTTP traffic handled by the Web proxy filter, so the rule does not cover video fetched over other protocols or served with a misleading content type.
ISA Server 2006 network elements represent one or more computers, typically corresponding to a physical network. You can apply rules to one or more networks, or to all addresses except those in a specified network. ISA Server 2006 provides network elements for the following objects:
Networks
Network Sets
Computers
Address Ranges
Subnets
Computer Sets
URL Sets
Domain Name Sets
Web Listeners
Server Farms

ISA Server 2006 has a set of pre-defined default network elements. You can use these default elements as part of an access rule definition, or you can create custom network elements to meet your specific needs.
TASK 5B-11
Creating a Network Rule Element
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous task.
1. In ISA Server Management, expand the Console Tree pane and select the Firewall Policy container.
2. In the Task pane, select the Toolbox tab.
3. On the Toolbox tab of the Task pane, expand the Network Objects container.
4. Examine the pre-defined Network Objects.
5. On the Toolbox tab, at the top of the Network Objects container, click the New drop-down menu, and choose Computer from the pop-up menu.
6. In the New Computer Rule Element dialog box, enter the following values and then click OK:
Name: [Your computer name]
Computer IP Address: [Your computer IP address]
Description: ISA Firewall
7. At the top of the Firewall Policy Details pane, click Apply.
8. In the Saving Configuration Changes dialog box, click OK.
We could now use this new Network Object as an element in an access rule that applies only to the ISA Server 2006 firewall at our IP address.
TASK 5B-12
Configuring a Web Publishing Rule
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this exercise, you will create an ISA Server publishing rule to allow external access to an internal website.
1. In ISA Server Management, expand the Console Tree pane and select the Firewall Policy container.
2. In the Tasks pane, select the Tasks tab.
3. On the Tasks tab, under the Firewall Policy Tasks section, click the Publish Web Sites link.
4. In the New Web Publishing Rule Wizard, in the Web Publishing Rule Name field, type Public Web Server and click Next.
5. In the Select Rule Action dialog box, select the Allow radio button and click Next.
6. In the Publishing Type dialog box, select the Publish A Single Web Site Or Load Balancer option and click Next.
7. In the Connection Security dialog box, select the Use Non-secured Connections To The Published Web Server Or Server Farm option and then click Next.
8. In the Internal Publishing Details dialog box, enter the following values and click Next:
Internal site name: www.securitycertified.net
Computer name or IP address: 10.X.Y.100 (where X and Y are the second and third octets of your internal interface, the loopback adapter)
9. In the Internal Publishing Details dialog box, in the Path (Optional) field, type /* and click Next.
10. In the Public Name Details dialog box, in the Public Name field, type www.securitycertified.net and click Next.
11. In the Select Web Listener dialog box, click the New button.
12. In the New Web Listener Definition Wizard dialog box, in the Web Listener Name field, type Public Web Listener and click Next.
13. In the Client Connection Security dialog box, select the Do Not Require SSL Secured Connections With Clients option and click Next.
14. In the Web Listener IP Addresses dialog box, select the External network and click Next.
15. In the Authentication Settings dialog box, from the Select How Clients Will Provide Credentials To ISA Server drop-down list, select No Authentication and click Next.
16. Read the Single Sign On Settings dialog box and then click Next.
17. In the Completing The New Web Listener Wizard dialog box, click Finish.
18. In the Select Web Listener dialog box, click Next.
19. In the Authentication Delegation dialog box, select the No Delegation, And Client Cannot Authenticate Directly option and click Next.
20. In the User Sets dialog box, accept the default of All Users and click Next.
21. In the Completing The New Web Publishing Rule Wizard dialog box, click Finish.
22. At the top of the Firewall Policy Details pane, click Apply.
23. In the Saving Configuration Changes dialog box, click OK.
24. The new publishing rule appears at the top of the Details pane.
25. In the Tasks pane, click the Toolbox tab and then expand the Network Objects container.
26. Expand the Web Listeners container. (Note: you may need to refresh the screen with F5 to perform this step.)
27. The web listener created during the publishing rule creation is now listed. You may have to click another container in the Console Tree pane and then reselect the Firewall Policy container to refresh the screen.
You have now configured a Web Publishing rule that uses a web listener to accept inbound requests from the External network for www.securitycertified.net and forwards them to the internal web server. Because the listener was created with No Authentication and the rule with No Delegation, any external client can reach the site, which is what you want for a public site; for an application that should be limited to known users, the listener's authentication settings and the rule's authentication delegation are where that control is applied.

Since only port 80 is exposed to the external network, and ISA Server inspects the inbound HTTP requests before passing them to the internal web server, the attack surface of your web server is considerably reduced. Note the limit of that protection: ISA filters the HTTP exchange, but well-formed HTTP requests still reach the published site, so vulnerabilities in the site's own code are not covered by the publishing rule.
TASK 5B-13
Enabling and Configuring Caching
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.
1. In ISA Server Management, expand the Console Tree pane and select the Cache container.
2. Notice that the Cache container has a red down arrow on it in the Console Tree pane, indicating that caching is currently not enabled.
3. Notice that the Details pane contains three tabs corresponding to the three configuration items for caching discussed earlier.
4. Notice that the Cache Size on NTFS Drives is currently zero.
5. In the Tasks pane, under Cache Drive Tasks, click the Define Cache Drives (Enable Caching) link.
6. In the Define Cache Drives dialog box, in the Maximum Cache Size (MB) field, type 100 and then click the Set button.
7. Drive C now shows a cache size of 100. If you had multiple drive arrays on your ISA Server, each partition formatted with NTFS would show as an option in this dialog box.
8. In the Define Cache Drives dialog box, click OK.
9. At the top of the Firewall Policy Details pane, click Apply.
10. In the ISA Server Warning dialog box, select the Save The Changes And Restart The Services radio button and click OK. (This may take a moment; be patient.)
11. In the Saving Configuration Changes dialog box, click OK.
12. In the Details pane, click the Cache Rules tab.
13. Notice that two default rules have been pre-defined. ISA Server comes with a pre-defined cache rule for the Microsoft Update site, which can speed up automatic downloads of patches by clients or WSUS servers.
14. On the Tasks tab, under Cache Rules Tasks, click the Create A Cache Rule link.
15. In the New Cache Rule Wizard, in the Cache Rule Name field, type Security Certified Web Site and click Next.
16. In the Cache Rule Destination dialog box, click Add.
17. In the Add Network Entities dialog box, expand the Network Sets object.
18. In the Add Network Entities dialog box, select the All Protected Networks object.
19. In the Add Network Entities dialog box, click Add.
20. In the Add Network Entities dialog box, click Close.
21. In the Cache Rule Destination dialog box, click Next.
22. In the Content Retrieval dialog box, select the Only If A Valid Version Of The Object Exists In The Cache. If No Valid Version Exists, Route The Request To The Server option and then click Next.
23. In the Cache Content dialog box, check the Dynamic Content check box.
24. In the Cache Content dialog box, check the Content For Offline Browsing (302, 307 Responses) check box and click Next. (These two options are fine for a lab. On a production proxy, be cautious about caching dynamic content: a response generated for one user can be served from the cache to another.)
25. In the Cache Advanced Configuration dialog box, click Next.
26. In the HTTP Caching dialog box, accept the defaults and click Next.
27. In the FTP Caching dialog box, deselect the Enable FTP Caching option and then click Next.
28. In the New Cache Rule Wizard dialog box, click Finish.
29. At the top of the Details pane, click the Apply button.
30. In the Saving Configuration Changes dialog box, click OK.
31. In the Details pane, select the Content Download Jobs tab.
32. In the Tasks pane, click the Schedule A Content Download Job link.
33. Read the Enable Schedule Content Download Jobs dialog box and then click Yes. (This configures the options required to schedule a content download job.)
34. At the top of the Details pane, click the Apply button.
35. In the Saving Configuration Changes dialog box, click OK.
36. In the Task pane, click the Schedule A Content Download Job link.
37. In the New Content Download Job Wizard dialog box, in the Content Download Job Name field, type Security Certified Web Site Download and click Next.
38. In the Download Frequency dialog box, select the Daily option and click Next.
39. In the Daily Frequency dialog box, under the Job Start Date field, set the date to start tomorrow and then click Next.
40. In the Content Download dialog box, type http://www.securitycertified.net as the URL and select the Do Not Follow Link Outside The Specified URL Domain Name option.
41. In the Content Download dialog box, select the Maximum Depth Of Links Per Page option.
42. In the Content Download dialog box, set the Maximum Depth Of Links Per Page value to 4 and click Next.
43. In the Content Caching dialog box, accept the default Cache Content and TTL settings and click Next.
44. In the Completing The Scheduled Content Download Job Wizard dialog box, click Finish.
45. Your new content download job appears in the Details pane.
46. Close the ISA Server 2006 Management console.
Currently, our ISA Server firewall is configured as a perimeter (edge) firewall. If we add a third network interface to the ISA Server, we can reconfigure the network topology to include a DMZ and create a three-legged DMZ firewall topology. This type of upgrade is common in the real world, and ISA Server makes the reconfiguration straightforward through its pre-defined network templates.
TASK 5B-14
Install a Second Microsoft Loopback Adapter and Assign an IP Address
Setup: You must be logged on to Windows 2003 Server as an administrator, have completed the previous tasks, and have access to the Windows 2003 Server installation source files.
1. Choose Start→Control Panel→Add Hardware.
2. In the Welcome dialog box, click Next.
3. Select Yes, I Have Already Connected The Hardware and click Next.
4. Scroll to the bottom of the Installed Hardware list box and select Add A New Hardware Device. Then, click Next.
5. Select the Install The Hardware That I Manually Select From A List (Advanced) option and click Next.
6. Under Common Hardware Types, select Network Adapters, and then click Next.
7. Under Manufacturer, select Microsoft.
8. Under Network Adapter, select Microsoft Loopback Adapter.
9. Click Next twice.
11. Enter the path to the Windows 2003 Server installation source files in the Files Needed dialog box and then click OK. (Windows Server 2003 should remember the source path from the first loopback adapter we installed earlier.)
12. Click Finish.
13. Choose Start→Control Panel→Network Connections→Local Area Connection.
14. In the Local Area Connection dialog box, click Properties.
15. In the This Connection Uses The Following Items list, select Internet Protocol (TCP/IP) and then click Properties.
16. On the General tab, select Use The Following IP Address and enter the address from the table below that corresponds to your computer name. The subnet mask is 255.255.255.0 (/24) for every address.
Computer   IP address
WIN-R01    192.168.16.1
WIN-R02    192.168.16.2
WIN-R03    192.168.16.3
WIN-R04    192.168.16.4
WIN-R05    192.168.16.5
WIN-R06    192.168.16.6
WIN-R07    192.168.16.7
WIN-R08    192.168.16.8
WIN-L01    192.168.18.1
WIN-L02    192.168.18.2
WIN-L03    192.168.18.3
WIN-L04    192.168.18.4
WIN-L05    192.168.18.5
WIN-L06    192.168.18.6
WIN-L07    192.168.18.7
WIN-L08    192.168.18.8
17. Leave the DNS value blank and then click OK.
18. Click Close to close the NIC Properties.
19. Choose Start→Control Panel and right-click Network Connections. From the context menu, choose Open.
20. Right-click the Local Area Connection, and from the context menu, choose Rename.
21. Name the connection DMZ.
22. Close the Network Connections window.
You have now installed a second Microsoft Loopback Adapter and assigned it a unique IP address. We will use this adapter as our DMZ network adapter to configure ISA Server 2006 in a three-legged DMZ.
TASK 5B-15
Configure ISA Server 2006 in a Three-legged DMZ
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. You will reconfigure your network as a three-legged DMZ topology. To accomplish this, you must first import the originalcfg.xml file to remove the web access policy listener that you configured in the publishing task.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. In the Console Tree pane, select the [Your Server Name] container.
3. In the Tasks pane, click the Import (Restore) This ISA Server Configuration link.
4. In the Import Wizard dialog box, click Next.
5. In the Select The Import File dialog box, in the File Name field, type C:\originalcfg.xml and click Next. Alternatively, you could use the Browse button to locate the file.
6. In the Import Action dialog box, select the Overwrite (Restore) option and then click Next.
7. In the Import Preferences dialog box, check the Import User Permission Settings check box, and then click Next.
8. In the Completing The Import Wizard dialog box, click Finish.
9. Read the ISA Server warning dialog box and then click OK twice.
10. At the top of the Details pane, click the Apply button.
11. In the Saving Configuration Changes dialog box, click OK.
12. In the Console Tree pane, select the Firewall Policy container. Notice that the firewall rule sets in the Details pane are back to the defaults.
13. In the Console Tree pane, select the Networks container.
14. In the Tasks pane, expand Configuration, and select the Templates tab.
16. In the Welcome To The Network Template Wizard dialog box, click Next.
17. In the Export The ISA Server Configuration dialog box, click Next.
18. In the Internal Network IP Addresses dialog box, click Next.
19. In the Perimeter Network IP Addresses dialog box, click Add Adapter.
20. In the Select Network Adapters dialog box, select the DMZ network and click OK.
21. In the Perimeter Network IP Addresses dialog box, click Next.
22. In the Select A Firewall Policy dialog box, scroll down and select the Allow Limited Web Access policy. Then, click Next.
23. In the Completing The Network Template Wizard dialog box, click Finish.
24. At the top of the Details pane, click the Apply button.
25. In the Saving Configuration Changes dialog box, click OK.
26. In the Console Tree pane, select the Firewall Policy container.
27. Highlight the Web Access Only firewall policy.
28. Notice that there are new access rules configured based on the template options we chose in the previous steps.
Figure 5-19: ISA Server 2006 monitoring features.
The ISA Server 2006 Management console can be used to gather at-a-glance information on the status of your ISA Server. To view the real-time monitoring information, open the Management console and select the Monitoring container from the Console Tree pane. This will activate the Monitoring Details pane. On the Dashboard tab of the Monitoring Details pane, you will find visual displays of current monitoring information. The refresh rate of this display is configurable in the task pane. Each of the individual information displays can also be collapsed to make more screen room for other displays.
TASK 5B-16
Working with Alerts
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this task, you will configure a custom alert for network disconnections and assign it actions to perform when the alert is triggered.
1. In ISA Server, with the Console Tree pane open, select the Monitoring container.
2. In the Details pane, select the Alerts tab.
3. In the Tasks pane, click the Configure Alert Definitions link.
4. In the Alerts Properties dialog box, scroll briefly through the list and look at the wide range of pre-configured alerts in ISA Server. Then, click Add.
5. In the New Alert Wizard dialog box, in the Alert Name field, type Network Interface Disconnected and click Next.
6. In the Events And Conditions dialog box, from the Event drop-down list, select Network Configuration Changed; from the Additional Condition drop-down list, select Network Disconnected. Click Next.
7. In the Category And Severity dialog box, from the Category drop-down list, select Network Load Balancing; from the Severity drop-down list, select Error and click Next.
8. In the Actions dialog box, select the Send An E-mail Message and the Report The Event To The Windows Event Log options and then click Next.
9. In the Sending E-mail Messages dialog box, enter the following values:
SMTP server: smtp.securitycertified.net
From: [email protected]
To: [email protected]
Click Next.
10. In the Completing The New Alert Configuration Wizard dialog box, click Finish.
11. In the Alerts Properties dialog box, scroll down and ensure that your new Network Interface Disconnected alert is selected, then click OK.
12. At the top of the Details pane, click the Apply button.
13. In the Saving Configuration Changes dialog box, click OK.
14. You have now configured ISA Server 2006 alerts to send you an email message and log a Windows Event Viewer event whenever a network interface is disconnected. This could speed up your response time to physical problems with the ISA Server network segments.
15. Minimize your ISA Server 2006 Management console.
Alerts associated with actions such as sending an email will help you respond to critical ISA Server events in a timely fashion. Even configuring certain warning items to send an email alert can help you take proactive steps to ensure the ISA Server 2006 firewall remains in optimum condition.
TASK 5B-17
Working with Reports
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. You will configure ISA Server 2006 to create a one-time report and to create scheduled reports for monitoring baselines and security performance evaluations.
1. From the Start menu, open Windows Explorer.
2. Create the directory C:\ISA-Reports.
3. Minimize Windows Explorer.
4. Maximize your ISA Server.
5. Expand the Console Tree pane and select the Monitoring container.
6. In the Details pane, select the Reports tab.
7. On the Tasks tab, click the Generate A New Report link.
8. In the New Report Wizard dialog box, in the Report Name field, type Snapshot Report and click Next.
9. In the Report Content dialog box, accept the default of all content choices and click Next.
10. In the Report Period dialog box, leave the default start and stop dates and click Next.
11. In the Report Publishing dialog box, check the Publish Reports To A Directory check box.
12. In the Report Publishing dialog box, click the Browse button.
13. In the Browse For Folder dialog box, browse to C:\ISA-Reports, select it, and click OK.
14. In the Report Publishing dialog box, check the Publish Using This Account check box and then click the Set Account button.
15. In the Set Account dialog box, click the Browse button.
16. In the Select User dialog box, in the Enter The Object Name To Select field, type Administrator and then click Check Name. Click OK.
17. In the Password and Confirm Password fields, type the Administrator password and then click OK. (Your password should be blank.)
19. In the Send E-mail Notification dialog box, leave the defaults blank, and click Next.
20. In the Completing The New Report Wizard dialog box, click Finish.
21. Restore your minimized Windows Explorer and browse to the C:\ISA-Reports directory.
22. Open the Snapshot Report [Date Range] folder and double-click the contents.htm file.
23. Right-click the Allow Blocked Content bar at the top of the browser screen and choose Allow Blocked Content. Then, click Yes.
24. On the Summary page, click the Protocols link. Scroll through the report and examine the types of items that are reported.
25. The report contains no significant data because your ISA Server has not yet passed a large number of packets to register monitoring statistics.
258 Tactical Perimeter Defense
26. When you have finished examining the report, close your Internet Explorer windows and close Windows Explorer.
27. In the Tasks pane, click the Create And Configure Report Jobs link.
28. In the Report Jobs Properties dialog box, click Add.
29. In the New Report Job Wizard dialog box, in the Report Job Name field, enter Daily Report and click Next.
30. In the New Report Content dialog box, accept the default of all content types and click Next.
31. In the Report Job Schedule dialog box, select the Daily option and click Next.
32. In the Report Publishing dialog box, check the Publish Reports To A Directory check box.
33. In the Report Publishing dialog box, click the Browse button.
34. In the Browse For Folder dialog box, browse to C:\ISA-Reports, select it, and then click OK.
35. In the Report Publishing dialog box, check the Publish Using This Account check box and then click the Set Account button.
36. In the Set Account dialog box, click the Browse button.
37. In the Select User dialog box, in the Enter The Object Name To Select field, type Administrator and then click Check Name. Type Administrator (no password) and click OK.
39. In the Send E-Mail Notification dialog box, leave the defaults blank, and click Next.
40. In the Completing The New Report Job Wizard dialog box, click Finish.
41. In the Report Jobs Properties dialog box, select the Daily Report option and click OK.
42. At the top of the Details pane, click the Apply button.
43. In the Saving Configuration Changes dialog box, click OK.
In this task, you successfully configured ISA Server 2006 reporting options. You examined a snapshot report and created a scheduled reporting job. ISA Server reports are very comprehensive and can give you an accurate picture of what is taking place on your ISA Server firewall.
Figure 5-21: ISA Server 2006 logging features.
ISA Server divides logging into two logs: the Web Proxy logs, which record ISA Server traffic handled by the Web Proxy Filter; and the Firewall service logs, which record ISA Server traffic handled by the Microsoft Firewall service. ISA Server features a variety of log storage options that enable you to track traffic that has been handled by ISA Server. The default ISA Server 2006 logging location is a local MSDE database on the ISA Server. The database file for the logs can be found in the C:\Program Files\Microsoft ISA Server\ISALogs folder and will be named ISALOG_yyyymmdd_xxx_nnn, where:
yyyy = year
mm = month
dd = date
xxx = log file type (ISA or WEB)
nnn = order number for sequencing daily logs
Using a database for logging instead of logging to a text file gives ISA Server powerful reporting capabilities for the log information. ISA Server can redirect the log file storage location to either a SQL database or to text files. The ability to use a single SQL database server for multiple ISA servers allows you to centralize the management, auditing, and backup of the ISA logs. And of course, if you need the log files to be stored in a .txt file format for any reason, that option is available.
If you choose to store the ISA Server logs on a centralized SQL server, you need to ensure that ISA Server and the SQL Server have reliable high-speed Internet connections between them. This precludes ISA from logging to SQL over a slow WAN link. Microsoft recommends a minimum of 100 Mbps connection speed between ISA and SQL.
It is also worth noting that, by default, access rules are configured to log packets that match that specific rule. If you don't want logging to record actions for a specific access rule in your firewall policy, then you must disable this option on the Actions tab of the rule property sheet.
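A parser for the ISALOG_yyyymmdd_xxx_nnn naming scheme described above, added here as an example (it is not course or Microsoft code). It validates each name and then audits a directory listing for gaps in the daily sequence numbers or a day that is missing one of the two log types, the kind of check a log-collection job should make before the files are centralized. The optional file extension, the sample listing and the assumption that sequence numbers start at 000 are mine.

```python
import re
from collections import defaultdict
from datetime import date

# Name layout from the text: ISALOG_yyyymmdd_xxx_nnn; the extension is optional (assumption).
LOG_NAME = re.compile(r"^ISALOG_(\d{4})(\d{2})(\d{2})_([A-Z]+)_(\d{3})(?:\.\w+)?$")
LOG_TYPES = {"ISA", "WEB"}  # the two log file types (xxx) named in the text


def parse_log_name(name):
    """Return {'date', 'type', 'seq'} for a valid log file name, or None if it does not fit."""
    m = LOG_NAME.match(name)
    if not m:
        return None
    y, mo, d, kind, seq = m.groups()
    if kind not in LOG_TYPES:
        return None
    try:
        day = date(int(y), int(mo), int(d))
    except ValueError:  # e.g. month 13: a name that only looks right
        return None
    return {"date": day, "type": kind, "seq": int(seq)}


def audit_log_dir(names):
    """Group a directory listing by (date, type) and flag gaps in the daily sequence.

    Returns (latest, problems): latest maps (date, type) -> highest sequence number
    present; problems lists findings (missing sequence numbers, assuming numbering
    starts at 000, and a day that has one log type but not the other)."""
    seen = defaultdict(set)
    for n in names:
        rec = parse_log_name(n)
        if rec:
            seen[(rec["date"], rec["type"])].add(rec["seq"])
    latest, problems = {}, []
    for (day, kind), seqs in sorted(seen.items()):
        latest[(day, kind)] = max(seqs)
        missing = sorted(set(range(max(seqs) + 1)) - seqs)
        if missing:
            problems.append(f"{day} {kind}: missing sequence numbers {missing}")
    for day in sorted({day for day, _ in seen}):
        for kind in sorted(LOG_TYPES):
            if (day, kind) not in seen:
                problems.append(f"{day}: no {kind} log at all")
    return latest, problems


# Constructed sample listing: two days, one sequence gap, one day lacking a WEB log.
SAMPLE_LISTING = [
    "ISALOG_20060301_ISA_000.mdf", "ISALOG_20060301_ISA_001.mdf",
    "ISALOG_20060301_WEB_000.mdf",
    "ISALOG_20060302_ISA_000.mdf", "ISALOG_20060302_ISA_002.mdf",
    "ISALOG_20061301_ISA_000.mdf",  # invalid month: ignored
    "readme.txt",
]

if __name__ == "__main__":
    for line in audit_log_dir(SAMPLE_LISTING)[1]:
        print(line)
```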
Figure 5-22: ISA Server 2006 rule logging options are enabled by default.
TASK 5B-18
Configuring Logging Options
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this task, you will examine ISA Server 2003 logging options.
1. In ISA Server, expand the Console Tree pane and select the Monitoring container.
2. On the Details pane, select the Logging tab.
3. On the Tasks tab, click the Edit Filter link.
4. In the Edit Filter dialog box, under the Filter By column, select the Action filter and then click the Remove button.
5. In the Edit Filter dialog box, from the Filter By drop-down list, select Protocol.
6. In the Edit Filter dialog box, from the Condition drop-down list, select Contains.
7. In the Edit Filter dialog box, from the Value drop-down list, select NetBIOS Name Service and then click the Add To List button.
8. In the Edit Filter dialog box, click the Start Query button.
9. Notice that the Details pane now reports Fetching Results.
10. Open a command prompt and arrange your desktop so that you can see the results section of the Details pane while typing in the command prompt.
11. In the command prompt, type NET VIEW and then press Enter.
12. Wait until logging events show in the Details pane and then close the command prompt.
13. In the Task pane, click the Stop Query link.
14. In the Task pane, click the Configure Firewall Logging link.
15. The Log tab of the Firewall Logging Properties dialog box is where you would change which log file format ISA Server uses. Examine the available properties and then click the Fields tab.
16. Examine the list of logging fields available in ISA Server 2006.
17. Scroll down in the Fields tab and check the Network Interface check box. Then, click OK.
18. At the top of the Details pane, click the Apply button.
19. In the Saving Configuration Changes dialog box, click OK.
20. In the Task pane, click the Configure Web Proxy Logging link.
21. The Log tab of the Web Proxy Logging Properties dialog box is where you would change which log file format ISA Server uses. Examine the available properties and then click the Fields tab.
22. Examine the list of logging fields available in ISA Server 2006.
23. Scroll down in the Fields tab and check the Service check box, and then click OK.
24. At the top of the Details pane, click the Apply button.
25. In the Saving Configuration Changes dialog box, click OK.
26. Close the ISA Server 2006 Management console.
You have now successfully used ISA logging to review real-time events and also configured both the Firewall logging and Web Proxy logging to log additional events. One useful tip to keep in mind is that if you are using the database format as your logging method, you can use Access or other front-end tools to create custom queries and reports from the ISA Server log databases.
ISA Server 2006 runs on top of the Windows Server 2003 operating system. In order for ISA Server to be secure, the underlying OS must also be secured. Windows Server 2003 Service Pack 1 included an attack surface reduction tool called the Security Configuration Wizard. The Security Configuration Wizard allows you to select a role for the server OS and then secure it based on the template you choose. It does this by determining the minimum functionality required in the OS, and then disabling functions that are not required. The default templates included with the Security Configuration Wizard do not contain a configuration for ISA Server 2006; however, you can download an update package from the Microsoft TechNet website that will update the Security Configuration Wizard with templates for ISA Server 2006. This can greatly simplify the process of securing the underlying OS for ISA Server. In order to use the Security Configuration Wizard (or update it), you must first install it from the Add/Remove Windows Components control panel applet. Even if you have already secured the OS before installing ISA Server, the Security Configuration Wizard can ensure that you have not overlooked anything. Also, running a scan against the ISA Server OS using MBSA (Microsoft Baseline Security Analyzer) or another vulnerability scanning tool will help ensure that ISA Server is as solid as you can make it.
TASK 5B-19
Securing ISA Server 2006 with the Security Configuration Wizard
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. You must also have access to the Windows Server 2003 source installation files and the ISA Server 2006 Security Configuration Wizard update package (IsaScwHlpPack.EXE).
1. Choose Start→Control Panel→Add Remove Programs.
2. Click the Add/Remove Windows Components button.
3. In the Add/Remove Windows Components dialog box, scroll down and check the Security Configuration Wizard check box and then click Next.
4. If required, enter the path to the Windows Server 2003 source files.
5. Click Finish and then close the Add Remove Programs control panel applet.
6. Double-click the IsaScwHlpPack.exe located in C:\Tools\Lesson5.
7. In the ISA Server Security Configuration Wizard Update dialog box, click Yes.
8. In the ISA Server Security Configuration Wizard Update dialog box, type C:\Update for the path and then click OK.
9. To create the C:\Update folder, click Yes, and then click OK in the success dialog box.
10. Choose Start→Administrative Tools→Security Configuration Wizard.
11. In the Security Configuration Wizard dialog box, click Next.
12. Select the Create A New Security Policy radio button and click Next.
13. In the Select Server dialog box, verify the name of your server and then click Next.
14. In the Processing Security Configuration Database dialog box, click Next.
15. In the Role-Based Service Collection dialog box, click Next.
16. In the Select Server Roles dialog box, de-select all options except Microsoft Internet Security and Acceleration Server 2004 and click Next. (ISA 2004 and ISA 2006 have the same OS requirements, so the same template works for both.)
17. In the Select Client Features dialog box, de-select all options except Automatic Update Client and click Next.
18. In the Select Administration And Other Options dialog box, accept the defaults and click Next.
19. In the Select Additional Services dialog box, accept the defaults and click Next.
20. In the Handling Unspecified Services dialog box, select the Disable The Service option and click Next.
21. In the Confirm Service Changes dialog box, scroll through and review the changes that will be made and then click Next.
22. In the Network Security dialog box, ensure that the Skip This Section option is selected and then click Next. (ISA will handle our firewall requirements. We don't want to create conflicts with the built-in Windows Firewall.)
23. In the Registry Settings dialog box, leave the Skip option unselected and then click Next.
24. In the Require SMB Security Signatures dialog box, check both option boxes and then click Next.
25. In the Outbound Authentication Methods dialog box, select the Local Accounts On The Remote Computers option and then click Next.
26. In the Outbound Authentication Methods dialog box, select the Clocks That Are Synchronized With The Selected Server's Clock option and then click Next.
27. In the Inbound Authentication Methods dialog box, accept the defaults and then click Next.
28. In the Registry Settings Summary dialog box, review the changes and then click Next.
29. In the Audit Policy dialog box, ensure that the Skip option is not selected and then click Next.
30. In the System Audit Policy section, select the Audit Successful And Unsuccessful Activities radio button and then click Next.
31. In the Audit Policy Summary dialog box, read the summary and then click Next.
32. In the Save Security Policy dialog box, click Next.
33. In the Security Policy File Name dialog box, append \ISAConfiguration to the path and then click Next.
34. In the Apply Security Policy dialog box, select the Apply Now option and then click Next.
35. In the Completing The Security Configuration Wizard dialog box, click the Finish button.
You have successfully used the Security Configuration Wizard to configure the optimum security configuration settings for the Windows Server 2003 operating system that ISA Server 2006 is running on top of.
This wizard only makes conguration changes. It does not apply security patches or updates. You must also make sure your OS is kept up-to-date with the latest patches.
Packet Prioritization
Not all traffic that passes through your ISA Server 2006 firewall will have the same importance. This can be a real issue for an organization with limited outbound bandwidth. For example, a brokerage firm branch office might need to access up-to-the-second information offered by a web service at the main office. This data would be considered high priority in making fast decisions when watching trading prices or other important financial data. Ensuring that requests to this web service get high priority would be beneficial to the brokerage firm.
ISA Server 2006 provides packet prioritization for limited bandwidth scenarios by implementing the Differentiated Services (DiffServ) protocol. The DiffServ protocol provides a framework that enables deployment of scalable service discrimination over the Internet. DiffServ uses a marker in the IP header of each packet to assign it a priority level. It is important to note that this is a global setting and not assigned to a specific rule. ISA Server packet prioritization is a policy setting for HTTP traffic. It will apply to all HTTP traffic that traverses your ISA Server. The DiffServ web filter, built into ISA Server, will scan packets for a specific set of URLs or domain names and assign those packets a priority. The DiffServ filter has a high priority in ISA Server because it must be aware of the size of both the request and the response. To gain this awareness, DiffServ must inspect the HTTP packets at the point where ISA Server sends or receives the traffic.
ISA Server can only add DiffServ bits to HTTP or HTTPS traffic. It does not flag any other protocols with a priority level, nor does Microsoft guarantee that ISA Server will transmit DiffServ bits on any other protocol it receives. For packet prioritization to work, the routers in the traffic transit path must support the QoS (Quality of Service) functionality. Once you enable DiffServ on ISA Server, you can then configure the URLs and/or domains you want to prioritize.
TASK 5B-20
Configuring Packet Prioritization
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.
1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2. Expand the Console Tree pane, expand Configuration, and select the General container.
3. In the Details pane, under Global HTTP Policy Settings, select Specify DiffServ Preferences.
4. In the HTTP DiffServ dialog box, select the Enable Network Traffic Prioritization According To DiffServ (Quality Of Service) Bits option.
5. Click the Priorities tab and then click Add.
6. In the Add Priority dialog box, in the Priority Name field, type Branch Office Priority; then, in the DiffServ Bits field, type 010100 and click OK. (The DiffServ bits value would correspond to the value set on your routers.)
7. Click the URLs tab and then click Add.
8. On the Add URL Priority tab, in the URL field, type brokeragehouse.securitycertified.net.
9. On the Add URL Priority tab, from the Priority drop-down list, select Branch Office Priority and then click OK.
10. In the HTTP DiffServ dialog box, click the Network tab, select the External network, and then click OK.
11. In the dialog box warning you that DiffServ is currently disabled, click Yes.
12. At the top of the Details pane, click Apply.
13. In the Saving Configuration Changes dialog box, click OK.
14. Close the ISA Server 2006 Management console.
The ISA Server 2006 DiffServ filter is now enabled and configured to prioritize HTTP packets sent to the URL http://brokeragehouse.securitycertified.net.
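How the six DiffServ bits from step 6 are carried in a packet, as an added example that is not course or Microsoft code: it encodes the bit string typed into the DiffServ Bits field into the IPv4 DS byte, builds a minimal header around it, and decodes the marking back out so a capture taken on the router side can be checked against the configured value. The header builder, the sample addresses and the zeroed checksum are constructed for illustration only.

```python
import struct

BRANCH_OFFICE_BITS = "010100"  # the value configured in the task above


def dscp_from_bits(bits):
    """Six-character bit string, as typed into the DiffServ Bits field -> integer 0..63."""
    if len(bits) != 6 or set(bits) - {"0", "1"}:
        raise ValueError("DiffServ bits must be exactly six 0/1 characters")
    return int(bits, 2)


def ds_byte(dscp, ecn=0):
    """DS field layout (RFC 2474/3168): DSCP in the top six bits, ECN in the low two."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


def dscp_name(dscp):
    """Standard per-hop-behaviour name for a code point, or 'unassigned'."""
    if dscp == 46:
        return "EF"
    if dscp & 0b111 == 0:  # class selectors are xxx000
        return f"CS{dscp >> 3}"
    cls, drop = dscp >> 3, (dscp >> 1) & 0b11
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:  # AFxy: class 1-4, drop 1-3
        return f"AF{cls}{drop}"
    return "unassigned"


def build_ipv4_header(src, dst, dscp, ecn=0, proto=6, payload_len=0):
    """Minimal 20-byte IPv4 header for inspection; header checksum is left at zero."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, ds_byte(dscp, ecn), total_len,
                       0, 0x4000, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def dscp_of(header):
    """Read the DSCP back out of the second byte of an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1] >> 2


def carries_priority(header, bits):
    """True when the packet is marked with the configured DiffServ bits."""
    return dscp_of(header) == dscp_from_bits(bits)


if __name__ == "__main__":
    # Constructed sample: an HTTP request from a branch client to the main-office web service.
    hdr = build_ipv4_header("10.1.1.5", "192.0.2.10", dscp_from_bits(BRANCH_OFFICE_BITS))
    print(f"DS byte 0x{hdr[1]:02x}, DSCP {dscp_of(hdr)} ({dscp_name(dscp_of(hdr))})")
```

Only the mark is shown here; whether a router honours it depends on its QoS policy, which the text notes must be configured to match.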
server for a different purpose. However, as you discovered in an earlier exercise, the Security Configuration Wizard makes this process relatively painless. Just roll back the configuration that you used for ISA Server and apply the template that is appropriate for the server's new role on your network.
TASK 5B-21
Uninstalling ISA Server 2006
Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.
1. Choose Start→All Programs→Control Panel→Add Or Remove Programs.
2. In the Currently Installed Programs list, select Microsoft ISA Server 2006 and then click Change/Remove.
3. When the Microsoft ISA Server 2006 - Installation Wizard dialog box appears, click Next.
4. In the Program Maintenance window, select the Remove radio button and then click Next.
5. In the Generated Files Removal dialog box, accept the defaults, and click Next.
6. In the Remove The Program dialog box, click Remove.
7. In the Installation Wizard Completed dialog box, click the Finish button.
8. Close the Add Or Remove Programs control panel applet.
9. Choose Start→Administrative Tools→Security Configuration Wizard.
10. In the Welcome To The Security Configuration Wizard dialog box, click Next.
11. In the Configuration Action dialog box, select the Rollback The Last Applied Security Policy option and then click Next.
12. In the Select Server dialog box, verify your server name and then click Next.
13. In the Rollback Security Configuration dialog box, click Next. (If you wish, you may view the rollback file before clicking Next.)
14. In the Completing The Security Configuration Wizard dialog box, click Finish.
15. You have successfully removed ISA Server 2006 and the security configurations from your server.
16. Choose Start→Control Panel, right-click Network Connections, and choose Open.
17. Right-click each of the loopback adapters and choose Disable.
18. Close the Network Connections window.
19. If you would like to confirm that these connections are disabled, attempt to ping them in a command prompt. You should not receive a response.
20. Close all open windows.
Topic 5C
IPTables Concepts
One of the primary benefits touted for the Open Source model of Linux is its ability to adapt and change as people come up with bright ideas. This ability has allowed for security features to be created and modified as industry requirements and Internet threats evolve. Linux has the capacity to behave as a router, a NAT server, and a packet-filtering device. All these features are built into the core operating system.
Firewalling in Linux
Elementary firewalling via an application called ipfwadm was included in earlier kernel versions. With the development of kernel version 2.2, the firewall was built with IPChains. From kernel version 2.4 and up, IPChains is replaced with IPTables. One of the big differences between IPChains and IPTables is that the latter can be configured to be a stateful packet filter.
At its very essence, the way that IPTables works is extremely simple. The headers within a packet are examined against a known set of rules (also referred to as a chain), in sequence. If the packet matches a certain rule, a decision is made for that packet based on what is specified (also referred to as the target). If a match is not found, then the packet is examined against the next rule in the sequence. This continues until all the rules are exhausted. At this point, IPTables looks to the default policy in order to make a decision.
As a packet-filtering firewall, IPTables checks its rules on packets as they enter or leave an interface. Because IPTables is part of the kernel, the processing of the packets is very fast. IPTables' ability to perform NAT is referred to as masquerading.
Essentially, there are three sets of tables that are part of IPTables: Filter, NAT, and Mangle. Throughout this topic, you will mostly discuss the Filter aspect of IPTables. NAT tables are used when IP addresses need to be substituted. This typically happens when you want to hide internal hosts from the Internet. Mangle tables are used when certain fields in the headers need to be changed, such as the TTL or TOS fields.
To be able to use IPTables, the kernel must be compiled to include support for firewalling. In this course, the version of Linux used is SUSE Enterprise Server 10, which includes IPTables. If you are using a different Linux distribution, you will need to verify whether IPTables has been installed. If it has not, you will have to install it.
Depending upon the table chosen, you can manipulate certain built-in chains. For example, built into the Filter table are three rule sets (chains) that cannot be deleted: Input, Forward, and Output. If you're dealing with the NAT table, you will have to deal with the Prerouting and Postrouting built-in chains. If a packet is directed to the firewall, as it enters the computer via an interface, the Input chain is used to determine the fate of the packet. If a packet originates at the firewall, the Output chain will be checked. When the packet requires routing to another location, the Forward chain will be used.
If the packet reaches the end of one of the chains and there has been no match, whatever default policy exists is used. These default policies exist only on the default chains, and the options are typically Accept and Drop. You set the default policy for the built-in chains to one of the above, and in the absence of any other rule, the action stated by the default policy is carried out. If a match is found in a rule for a packet, then the appropriate action is carried out. The action to be taken when a match is found is also referred to as the target. The target could be Accept or Drop, or even another chain altogether.
Apart from the built-in chains, a firewall administrator can create user-defined chains. You identify such chains with a name. Unlike the built-in chains, user-defined chains do not have a default policy. If a packet reaches the end of a user-defined chain without any decision made about it, then the packet will return to the chain that was examining it previously, and start on the next rule in that chain.
Finally, let's look at routing and NAT flow. The following shows packets being routed, or forwarded.
Figure 5-26: The multiple decisions that have to be made about a packet by a firewall.
When a packet first enters an interface, the system verifies the checksum value. If the checksum is correct, the packet moves to the Sanity check. The Sanity check is a feature that checks for incorrectly formed packets. After the Sanity check, the packet is moved to the Input chain. It will go through the chain, and if there is a match at any point, it follows the instructions set forth for that rule. If there is no match, then the default policy applies. If the packet's destination is the firewall itself, then the Input chain is the only chain processed.
If the packet is destined for another host, the routing processes take over. This is to determine if the packet is to be forwarded to another machine or to a different local process. A local process would be one that can send and receive packets. The routing process looks to the Forward chain. The packet moves down the rules in the Forward chain, and the system checks for matches. If there is a match, the matching rule specifies where the packet should go. If the packet does not match, then the default policy of the Forward chain takes effect. The Output chain consists of rules that examine packets generated by the firewall.
Please note that the method of checking packets against the built-in chains in IPTables is very different from the method employed by IPChains.
Figure 5-27: The Input chain accepting a packet at the third rule.
The target names are straightforward: Accept and Drop. A couple of extensions to the target are also available: Log and Reject. A small clarification is needed on the difference between Drop and Reject. As with Microsoft's ISA Server, the end result (as far as the packet is concerned) is that the packet does not get through. However, by default, when TCP/IP is communicating, there is two-way communication. When the target is set to Drop and a matching packet is found, that packet is silently dropped. When this happens, technically the function of TCP has been broken. The TCP standard states that if a connection cannot be established, an ICMP message is to be returned to the host; this is useful for troubleshooting purposes. Due to this, the second option of Reject is included. When the target is set to Reject and a matching packet is found, the packet is still dropped, but an ICMP message is sent to the host, closing the communication. The choice is yours to make. Reject might be the nice way to drop a packet, but from a security standpoint, Drop provides less information.
Each rule must be created with a target, and because rules are numbered and sequential, it is critical that the correct order be maintained. You do not want an error in the rule order to mistakenly block a subnet or grant access where it should not be granted. If the default rules do not provide the level of control that is required, administrators can create their own chains and apply detailed rules to them.
Figure 5-28: The Input chain finds a match and targets the packet to a user chain.
Configuring chains can quickly become an involved task. For example, the Input chain receives a packet and finds a match on the fourth rule, sending the packet to a user chain. That same packet then goes through the user chain, where there might be a match sending it to a different chain, or even back to the Input chain. Remember, if a packet does not match any of the rules in a user-defined chain, it is sent back to the previous chain, where it picks up at the rule that sent it to the user-defined chain in the first place; see the following figure.
Figure 5-29: A packet being examined by first the Input chain, then a user-defined chain, and going back to the Input chain.
It is possible for an administrator to write rules that will cause the process of packet examination to loop. If this happens, the packet will be dropped.
Configuration Options
This section covers the configuration options most often used in day-to-day environments running IPTables. Not all of the options available in IPTables are covered here. For a more detailed study of IPTables, you should look around at the various sources of information available to you. To start with, the man pages for IPTables are quite extensive and worth reading. For detailed syntax issues that are not covered here, issuing the man iptables command is a good place to start. If you do not have a Linux box handy, go to www.iptables.org or www.netfilter.org and read or download articles dealing with setting up a Linux box as a firewall by using IPTables.
There are configuration options for creating, viewing, and managing chains. The first command switch is in uppercase. There are command switches for managing the individual rules as well, and these also use uppercase. Within the rules, various operations are defined by using lowercase.
Cisco gurus will quickly latch on to the syntax similarities between IPTables and Cisco Access Control Lists. Basically, youre dealing with some conditions, and if those conditions are met, then this rule says, Accept the packet. The following gure shows several examples of usage syntax.
Chain Management
The following table lists some of the command switches for managing the chains. (Italicized words are variables.)
Rule Management
The basic structure for the rule commands is the same as for the chain commands, as shown in the following table.
Figure 5-34: Example rule commands.
Rule Creation
The previous command switches are used in managing the rules, and they are in uppercase. The following table lists commands for creating the actual rules themselves.
Other Options
In the rule sets, port numbers are configured as two values: source port, or sport, and destination port, or dport. For example, if you want a rule to govern source ports 2100 through 2200, inclusive, you can use the syntax --sport 2100:2200. Notice that two hyphens are used. Similarly, if you want a rule to address destination port 31337, you can use the syntax --dport 31337.
Another very useful and important rule configuration tool is the bang (!) entry. This value, with spaces on either side, negates whatever follows it. Think of a rule as being divided into a number of fields that more or less correspond to the headers in a packet. Now, imagine that each of these fields can have certain specifications. Sometimes you might want to negate what's specified (anything but this). This is where the ! comes in. The ! negates the values specified in that field. For example, the syntax to specify any host other than 172.16.23.44 is ! 172.16.23.44.
While discussing IP addresses in IPTables, the ability to specify any IP address is included as well. To do so, you can use 0/0.
When choosing to block ping packets, more specifically ICMP packets, be careful that you are blocking what you mean to block. Because the ICMP protocol is used for many different parts of communication, it is important that you are aware of what could happen if you blocked all ICMP traffic: host-unreachable messages would not come through, source-quench messages would not come through, time-exceeded messages would not come through, and so forth. You need to specify the part of ICMP you want to work with, just as you specify ports for TCP. The syntax is --icmp-type typename, where typename is one of the following:
Destination-unreachable
Source-quench
Time-exceeded
Parameter-problem
Echo-request
Echo-reply
There are several other switches that can be used; again, check the man pages for a comprehensive list. One more that is worth mentioning is the -l option. This option turns on kernel logging of the packets that match the rule. It is possible to create a rule and use the logging feature, but have no target for the packet. This is done for tracking purposes, such as to track the number of packets that are for a particular service on a given host. To save your IPTables configuration, use the command iptables-save filename to save the current configuration to the defined file. To restore this configuration, use the command iptables-restore filename.
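The chain traversal shown in the two figures above and the rule fields described in this section (port ranges, ! negation, 0/0, ICMP types, and a logging rule that has no target) can be exercised without a Linux box. The Python program below is an added example; it is not code from the course or from the netfilter project. It models the evaluation order IPTables uses: rules are tried in sequence, a jump into a user-defined chain comes back to the next rule of the calling chain when nothing in that chain matches, a rule set that loops drops the packet, a rule whose target is None only counts its matches, and the built-in chain's policy applies when no rule matched. The Rule and Packet fields, the chain name web-in, and the addresses in build_example() are constructed for illustration.

```python
"""Model of IPTables chain traversal and rule matching (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

BUILTIN = ("INPUT", "OUTPUT", "FORWARD")
TERMINAL = ("ACCEPT", "DROP", "REJECT")

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False               # a connection attempt (SYN set, ACK clear)
    icmp_type: str = ""             # e.g. "echo-request"

@dataclass
class Rule:
    # A field left as None matches anything, just as an omitted switch does.
    target: Optional[str]           # ACCEPT/DROP/REJECT, a user chain, or None = log only
    proto: Optional[str] = None
    src: Optional[str] = None       # CIDR; "0/0" is any address; a leading "! " negates
    dst: Optional[str] = None
    sport: Optional[str] = None     # "80" or an inclusive range "2100:2200"; "! " negates
    dport: Optional[str] = None
    syn: Optional[bool] = None      # True for --syn, False for ! --syn
    icmp_type: Optional[str] = None
    hits: int = 0                   # matches seen, what a logging rule would record

def _negated(spec: str):
    """Split an optional leading '!' off a field specification."""
    spec = spec.strip()
    return (True, spec[1:].strip()) if spec.startswith("!") else (False, spec)

def match_net(spec: str, addr: str) -> bool:
    neg, spec = _negated(spec)
    net = ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)
    return (ip_address(addr) in net) != neg

def match_port(spec: str, port: int) -> bool:
    neg, spec = _negated(spec)
    lo, _, hi = spec.partition(":")
    return (int(lo) <= port <= int(hi or lo)) != neg

def matches(rule: Rule, pkt: Packet) -> bool:
    return all((
        rule.proto is None or rule.proto.lower() == pkt.proto.lower(),
        rule.src is None or match_net(rule.src, pkt.src),
        rule.dst is None or match_net(rule.dst, pkt.dst),
        rule.sport is None or match_port(rule.sport, pkt.sport),
        rule.dport is None or match_port(rule.dport, pkt.dport),
        rule.syn is None or rule.syn == pkt.syn,
        rule.icmp_type is None or rule.icmp_type.lower() == pkt.icmp_type.lower(),
    ))

class Firewall:
    def __init__(self):
        self.chains = {c: [] for c in BUILTIN}
        self.policy = {c: "ACCEPT" for c in BUILTIN}   # factory default; the text calls it a risk
    def new_chain(self, name):                  # iptables -N name
        self.chains[name] = []
    def set_policy(self, chain, target):        # iptables -P chain target
        self.policy[chain] = target
    def append(self, chain, rule):              # iptables -A chain ...
        self.chains[chain].append(rule)
    def verdict(self, chain: str, pkt: Packet, stack=()) -> Optional[str]:
        """Walk `chain` for `pkt`. Returns ACCEPT/DROP/REJECT, or None when a
        user-defined chain is exhausted and control goes back to the caller."""
        if chain in stack:
            return "DROP"                       # a looping rule set drops the packet
        for rule in self.chains[chain]:
            if not matches(rule, pkt):
                continue
            rule.hits += 1
            if rule.target is None:
                continue                        # log-only rule: count it and keep going
            if rule.target in TERMINAL:
                return rule.target
            sub = self.verdict(rule.target, pkt, stack + (chain,))
            if sub is not None:
                return sub                      # nothing matched in the user chain: resume here
        return self.policy.get(chain)           # None for a user-defined chain

def build_example() -> Firewall:
    """Constructed rule set exercising the switches the text explains."""
    fw = Firewall()
    fw.set_policy("INPUT", "DROP")
    fw.new_chain("web-in")
    fw.append("INPUT", Rule("DROP", proto="tcp", src="10.0.10.10", syn=True))
    fw.append("INPUT", Rule(None, proto="tcp", dport="12345"))      # count probes, no target
    fw.append("INPUT", Rule("DROP", proto="tcp", dst="0/0", dport="12345"))
    fw.append("INPUT", Rule("ACCEPT", proto="icmp", icmp_type="echo-request"))
    fw.append("INPUT", Rule("web-in", proto="tcp", dport="80"))     # jump to a user chain
    fw.append("INPUT", Rule("ACCEPT", proto="tcp", sport="2100:2200"))
    fw.append("web-in", Rule("ACCEPT", src="! 172.16.35.40"))       # any host but this one
    return fw
```

Running candidate packets through a model like this before loading a rule set is a cheap way to confirm the order is the one you intended: a packet that is returned from a user chain continues with the next rule of the calling chain, so a permissive rule placed after the jump still applies to it, and a packet that matches nothing is decided by the policy alone.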
Rule Examples
So that the syntax can make a bit more sense, we will look at some rule examples in their syntax form, and discuss the result of each rule. By the time you reach the end of this section, you should have a solid grasp of the IPTables syntax.
For this chain:
-P sets the default policy of a specified chain.
INPUT is the chain that is getting modified.
DROP is the target.
Therefore, the default policy of the Input chain is now set to Drop all packets. If this is the only configuration of the Input chain, then all packets trying to reach the firewall will be dropped! You must create rules where the targets are other than Drop if you want communications to take place at all.
The end result of this modification is that when a packet reaches the end of the Input chain, it will be discarded. Because the default setting of Accept can present a security risk, changing the setting to Drop is a good idea from a security perspective.
Creating a Chain
If you need to create a new chain, the syntax is:
iptables -N chainname
For this chain:
-N indicates that this is a new chain.
chainname is the name of the new chain.
Deleting a Chain
To delete a chain, use the syntax:
iptables -X chainname
For this chain:
-X indicates that you want to delete a chain.
chainname is the name of the chain that you want to delete.
A chain cannot have any rules in it prior to deletion. If rules exist, you can use the Flush command.
Flushing a Chain
If you need to delete a chain, and there are still rules in the chain, you can first flush the chain. Because flushing removes all rules from a chain, be careful that you do not perform something unexpected. Plan carefully when deleting chains, particularly on a production machine. To flush a chain, use the syntax:
iptables -F chainname
For this chain:
-F indicates that you want to flush all rules.
chainname is the name of the chain that you want to flush.
For this chain:
-A indicates that you want to append a rule to a chain.
chainname is the name of the chain that you want to add the new rule to.
-p indicates that you want to check a protocol.
TCP defines the protocol that you want to check.
-s indicates that you want to check a source address.
10.0.10.10 is the source IP address that you want to check.
--syn indicates that you want to check the SYN flag.
-j indicates that you want to define a target for matches.
DROP defines the target.
The meaning of this rule is "A packet coming from 10.0.10.10 that is trying to initiate a connection is to be dropped."
Negating Values
Here is an example of syntax that negates a value:
iptables -A OUTPUT -p TCP -d ! 172.16.35.40 --dport 80 -j ACCEPT
For this chain:
-A OUTPUT specifies that you want to append a rule to the OUTPUT chain.
-p TCP indicates that you want to check the TCP protocol.
-d 172.16.35.40 specifies the destination that you want to check. However, because there is a ! before the destination, the rule is stating any destination other than the specified address.
--dport 80 indicates that you want to check for WWW packets.
-j ACCEPT defines the target as Accept.
In essence, this rule states that all TCP packets can get to the WWW service on any computer, except for 172.16.35.40. The final example of negating that we will look at also introduces the lo option, which is used to define the loopback adapter. Here is the command:
iptables -A INPUT -i ! lo -j DROP
For this chain:
-A INPUT indicates that you want to modify the default INPUT chain by appending a rule.
-i indicates that you want to check an incoming interface, and lo defines the incoming interface that you want to check. The ! negates the definition.
-j DROP defines the target as Drop.
In essence, this rule states that all incoming traffic will be denied, except for traffic on the loopback interface.
Defining a Target
To define a target, use the following syntax:
iptables -A INPUT -s 10.0.10.100 -j DROP
For this chain:
-A INPUT indicates that you want to modify the default INPUT chain by appending a rule.
-s 10.0.10.100 defines the IP address to match.
-j DROP defines the target as Drop.
The meaning of this rule is: All packets that are from the address 10.0.10.100 are to be denied. Here is another example of defining a target that also includes a port number:
iptables -A INPUT -p TCP -d 0/0 --dport 12345 -j DROP
The meaning of this rule is: All packets that are destined for any IP address and to port 12345 are to be denied.
Complex Rules
The different parts of the rules discussed herein can be combined to create overall rules as needed. Here are some examples of more complex rules:
iptables -A OUTPUT -p TCP -s 10.0.10.0/24 -d 0/0 --dport 80 -j ACCEPT
This rule for the OUTPUT chain states that any TCP traffic from the 10.0.10.0 network and destined for any IP address on port 80 is to be accepted:
iptables -A INPUT -p TCP -s 0.0.0.0/0 -d 10.0.10.0/24 --dport 31337 -j DROP
This rule for the INPUT chain states that any TCP traffic from any IP address destined for the 10.0.10.0 network on port 31337 is to be denied:
iptables -A INPUT -p TCP -s 0.0.0.0/0 -d 10.0.10.0/24 --dport 5000:10000 -j DROP
Similar to the previous command, the only syntax difference here is in the port numbers defined. In this rule, all ports from 5000 to 10000 are to be denied.
Configuring Masquerading
Linux does have the ability to perform IP Masquerading, which is a form of NAT. It is not difficult to implement, and the syntax is:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
For this command:
-t nat indicates that you want to configure the NAT table.
-A POSTROUTING indicates that you want to append a rule after routing decisions are made.
-o ppp0 indicates the outgoing interface that should be used; in this case, the PPP dialup link.
-j MASQUERADE defines the target; in this case, that the source IP address in the IP header should be masked by the IP address of ppp0.
Case Study
This section involves review of a case study of IPTables in a working environment. In this example, there is a single computer running as the firewall with two Ethernet interfaces. The Ethernet 0 Interface (172.168.25.40) goes to the Internet, and the Ethernet 1 Interface goes to the internal network. A diagram of the network is shown in the following figure.
Figure 5-37: An example network for firewall implementation.
First, we need to define the overall goals of the firewall. This should be done during the creation of the security policy, and specifically during the creation of the firewall policy.
Firewall Goals
The intended goals of this firewall are:
Note: this is so that you can manage a simple network resource; in your production environment, you would likely not allow ICMP through the firewall.
We have decided to allow ICMP pings (echo requests and echo replies) through the firewall.
We will allow our external clients access to the email server.
Internal clients cannot use email servers on the Internet.
We will allow external clients to reach our web server.
We will block attempts to spoof internal addresses.
Configuration
First, we will configure the default policies to deny all traffic:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Next, we will configure user-defined chains. This is done to make the chains easier to work with. For these user-defined chains, us is internal, and them is external:
iptables -N us-them
iptables -N them-us
In the first line, if the source is us and the destination is not us (that is, them), then the target is the user chain us-them. In the second line, if the source is not us (them), and the destination is us, then the target is the user chain them-us.
Next, we will configure the internal (us) to external (them) chain. We start by defining the general rules:
Allow internal machines WWW access to the outside.
Allow internal machines to be able to ping hosts on the outside.
Disallow all other outgoing traffic.
Next, we will configure the external (them) to internal (us) chain. Again, we will define the general rules first:
Allow hosts on the outside WWW access to the Web server.
Allow hosts on the outside to access the email server.
Allow ping.
Block internal address spoofing.
Disallow all other incoming traffic.
iptables -A them-us -p TCP -d 10.0.20.22 --dport 25 -j ACCEPT
iptables -A them-us -p TCP -d 10.0.20.22 --dport 110 -j ACCEPT
iptables -A them-us -p TCP -d 10.0.20.21 --dport 80 -j ACCEPT
iptables -A them-us -p ICMP -d 10.0.20.0/24 -j ACCEPT
iptables -A them-us -s 10.0.20.0/24 -j DROP
This study was designed to be a simple example of one possible implementation. Other options that could be added include:
Adding full anti-spoofing, thus blocking any packet from outside that has an address of inside.
Opening ports for return communication on the high ports.
Adding checks for the SYN option.
Defining IP Masquerading.
As you can see, there are always options in firewall design. Chances are good that while the end result may be the same, no two people will configure the firewall in the exact same fashion every time. Rules may be in different orders, for example (as long as they filter properly, of course). Or, perhaps someone is filtering everything on the INPUT chain and not making smaller chains. The flexibility is yours to use as you see fit.
TASK 5C-1
Working with Chain Management
Objective: To review a sample chain, and determine the effect it will have on traffic.
Setup: The following is an example chain. Review it and identify what has been implemented. Using the space provided, diagram this network and answer the questions that follow.
1. Examine the following chain:
INPUT DROP
FORWARD ACCEPT
OUTPUT ACCEPT
iptables -A INPUT -p 6 -s 0.0.0.0/0 -d 192.20.0.1/32 --dport 23:23 -j ACCEPT
iptables -A INPUT -p 6 -s 0.0.0.0/0 -d 10.168.0.3/32 --dport 80:80 -j ACCEPT
iptables -A INPUT -s 10.168.0.0/24 -d 0/0 -i eth0 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -d 0/0 -i eth0 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -d 0/0 -i eth1 -j DROP
iptables -A INPUT -s ! 10.168.0.0/24 -d 0/0 -i eth1 -j DROP
iptables -A INPUT -p 6 -s 0/0 -d 192.20.0.1/32 ! --dport 23:23 -j DROP -y
iptables -A INPUT -p 6 -s 0/0 -d 192.20.0.1/32 --dport 1024:65535 ! -y -j ACCEPT
iptables -A INPUT -p 17 -s 0/0 -d 192.20.0.1/32 --dport 1024:65535 ! -y -j ACCEPT
iptables -A INPUT -p 6 -s 0/0 -d 10.168.0.0/24 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p 17 -s 0/0 -d 10.168.0.0/24 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p 1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -s 10.168.0.0/24 -d ! 192.20.0.1/32 -j ACCEPT
2. Diagram the network here or on another sheet. Assume the Class C address 192.20.0.1 is an external address.
3. What effect does this set of rules have on the network?
Telnet and web traffic are allowed to defined hosts. Anti-IP-spoofing rules are in place. High-level ports are allowed for the return of web traffic.
4. What services, if any, are running on the internal network?
At least web and Telnet services.
5. What are the internal clients allowed to access externally?
Web and Telnet services.
6. Is IP spoofing prevention in place?
Yes.
7. If an internal client ran a server, would external clients be able to access it? Why or why not?
They could not, since the ports required to be outgoing for a server are not open.
Topic 5D
Implementing Firewall Technologies
In the previous topics, you were introduced to the concepts and configuration of FireWall-1, ISA Server 2006, and IPTables. In this topic, you will put that knowledge to use.
Scenario
The following conceptualization will be used for configuring the firewall for this scenario. Review the network diagram and the required rules, and then proceed.
Figure 5-38: The conceptual network.
In this activity, you will be creating the configuration first for the internal firewall and then for the external firewall.
Firewall Rules
The following figure represents the policies that have been decided upon for the internal firewall.
Figure 5-39: Internal firewall rules.
The following figure represents the policies that have been decided upon for the external firewall.
Host                       Address          Subnet Mask
Internal Subnet            172.16.10.0      255.255.255.0
Security Host              172.16.10.10     255.255.255.0
Internal Web Server        172.16.100.100   255.255.0.0
Internal Firewall int 1    172.16.100.1     255.255.0.0
Internal Firewall int 2    192.168.10.1     255.255.255.0
DMZ Email Server           192.168.10.100   255.255.255.0
DMZ Web Server             192.168.10.101   255.255.255.0
External Firewall int 3    192.168.10.2     255.255.255.0
External Firewall int 4    10.10.10.10      255.255.0.0
First of all, you need to plan the chains and rules that you will use. Decide if you will create new chains, or use the default chains. Record, on paper, the chains and/or rule sets, and determine if they are correct before you begin implementation. You should always plan the whole process first. Here are some general steps to guide you in this first activity.
1. Decide if you will modify the default policies, and write down what you would modify them to.
2. Decide if you want to create new rules/chains for management, and write them down.
3. In Linux, if you created new chains, define the jumps to these chains.
4. Define the general goals of the firewall.
5. Write down the rules you will configure.
6. Describe how you will verify that the rules and chains are correct.
Once you have your plan written down, it is time for configuration. Using the above steps as your general guidelines, go ahead and configure the firewall to meet the goals you outlined. Remember, there may be several ways to accomplish the overall goals, so no one way is to be considered correct over another. If the goals are met efficiently, then the rules and chains are correct for that scenario.
Suggested Solutions
The following are suggested solutions to the scenario for IPTables. Feel free to compare your results to the suggested results. Again, even though they may be different, as long as the goals are met, the rules and chains are a success. Configure the default policies to be more restrictive, by using the DROP target:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Define the overall goals. In this scenario, you are dealing with the packets that are moving between the internal network to the DMZ, the DMZ to the internal network, and the Internet to the internal network. Identify what traffic is allowed in different directions. From the guidelines given, we can identify the following:
The internal network can access the WWW server on the DMZ and the Internet. The DMZ and Internet cannot access WWW on the internal network.
The internal network can access the email server on the DMZ, but not on the Internet. The DMZ and Internet cannot access email on the internal network.
The Security Host can Telnet to the DMZ and the Internet. The DMZ and Internet cannot telnet to the internal network.
The defined internal subnet can FTP to the DMZ and the Internet. The DMZ and Internet cannot FTP to the internal network.
Ping is allowed in both directions.
Configure the rules.
Based on the guidelines, the following configuration is one suggestion for solving this scenario. Configure one chain at a time:
iptables -A in-dmz -p TCP -d 192.168.10.101 --dport www -j ACCEPT
iptables -A in-dmz -p TCP -d 192.168.10.100 --dport smtp -j ACCEPT
iptables -A in-dmz -p TCP -d 192.168.10.100 --dport pop3 -j ACCEPT
iptables -A in-dmz -p TCP -s 172.16.10.10/32 -d 0/0 --dport telnet -j ACCEPT
iptables -A in-dmz -p TCP -s 172.16.10.0/24 -d 192.168.10.0/24 --dport 20:21 -j ACCEPT
iptables -A in-dmz -p TCP -d 0/0 --dport www -j ACCEPT
iptables -A in-dmz -p ICMP -d 0/0 -j ACCEPT
iptables -A in-dmz -p 6 -d 0/0 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A in-dmz -p 17 -d 0/0 --dport 1024:65535 -j ACCEPT
iptables -A [DMZ-to-internal chain] -p ICMP -d 172.16.0.0/16 -j ACCEPT
iptables -A [DMZ-to-internal chain] -p TCP -d 172.16.0.0/16 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A [DMZ-to-internal chain] -p UDP -d 172.16.0.0/16 --dport 1024:65535 -j ACCEPT
iptables -A net-in -p 1 -d 172.16.0.0/16 -j ACCEPT
iptables -A net-in -p 6 -d 172.16.0.0/16 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A net-in -p 17 -d 172.16.0.0/16 --dport 1024:65535 -j ACCEPT
As was stated before, this isn't the only possible solution. Compare the solutions you came up with to this one and to the others in the class. Discuss with each other the different points in each solution.
The IP addresses that will be used for this are listed in the following table. Use
Host                       IP Address       Subnet Mask
Internal Subnet            172.16.10.0      255.255.255.0
Security Host              172.16.10.10     255.255.255.0
Internal Web Server        172.16.100.100   255.255.0.0
Internal Firewall int 1    172.16.100.1     255.255.0.0
Internal Firewall int 2    192.168.10.1     255.255.255.0
DMZ Email Server           192.168.10.100   255.255.255.0
DMZ Web Server             192.168.10.101   255.255.255.0
External Firewall int 3    192.168.10.2     255.255.255.0
External Firewall int 4    10.10.10.10      255.255.0.0
First of all, you need to plan the chains and rules that you will use. Decide if you will create new chains, or use the default chains. Record, on paper, the chains and/or rule sets, and determine if they are correct before you begin implementation. You should always plan the whole process first. Here are some general steps to guide you in this activity:
1. Decide if you will modify the default policies, and write down what you would modify them to.
2. Decide if you want to create new rules/chains for management, and write them down.
3. In Linux, if you created new chains, define the jumps to these chains.
4. Define the general goals of the firewall.
5. Write down the rules you will configure.
6. Describe how you will verify that the rules and chains are correct.
Once you have your plan written down, it is time for configuration. Using the above steps as your general guidelines, go ahead and configure the firewall to meet the goals you outlined. Remember, there may be several ways to accomplish the overall goals, so no one way is to be considered correct over another. If the goals are met efficiently, then the rules and chains are correct for that scenario.
Suggested Solutions
The following are suggested solutions to the scenario for IPTables. Feel free to compare your results to the suggested results. Again, even though they may be different, as long as the goals are met, the rules and chains are a success. Configure the default policies to be more restrictive, by using the DROP target:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Configure the jumps to the new chains, and configure IP spoofing rules:
iptables -A INPUT -s 172.16.0.0/16 -d 0/0 -i eth1 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -d 0/0 -i eth1 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -d 0/0 -i eth1 -j DROP
iptables -A INPUT -s 172.16.0.0/16 -d ! 172.16.0.0/16 -j in-net
iptables -A INPUT -s 192.168.10.0/24 -d ! 192.168.10.0/24 -j dmz-net
Define the overall goals. In this scenario, you are dealing with the packets that are moving between the Internet, the internal network, and the DMZ. Identify what traffic is allowed in different directions.
From the guidelines given, we can identify the following:
The internal network can access the WWW service on the Internet.
The internal network cannot access email on the Internet.
The internal subnet can access FTP on the Internet.
The Security Host can access Telnet on the Internet.
The internal network can ping the Internet.
The DMZ can ping the Internet.
The Internet can access the WWW server on the DMZ.
The Internet can access the email server on the DMZ.
The Internet cannot ping the DMZ.
The Internet cannot ping the internal network.
Configure the rules.
Based on the above guidelines, the following configuration is one suggestion for solving this scenario. Configure one chain at a time:
iptables -A in-net -p TCP -d 0/0 --dport www -j ACCEPT
iptables -A in-net -p TCP -s 172.16.10.0/24 -d 0/0 --dport 20:21 -j ACCEPT
iptables -A in-net -p TCP -s 172.16.10.10/32 -d 0/0 --dport telnet -j ACCEPT
iptables -A in-net -p ICMP -d 0/0 -j ACCEPT
iptables -A in-net -p TCP -d 0/0 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A in-net -p UDP -d 0/0 --dport 1024:65535 -j ACCEPT
iptables -A dmz-net -p ICMP -d 0/0 -j ACCEPT
iptables -A dmz-net -p TCP -d 0/0 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A dmz-net -p UDP -d 0/0 --dport 1024:65535 -j ACCEPT
iptables -A net-dmz -p TCP -d 192.168.10.100 --dport pop3 -j ACCEPT
As was stated before, this isn't the only possible solution. Compare the solutions you came up with to this one and to the others in the class. Discuss with each other the different points in each solution.
Summary
In this lesson, you worked with standard firewall implementation practices. You learned that vendors implement their firewall products slightly differently from each other, but that they do follow some standard implementation practices in most situations. You worked with two industry leaders in firewall systems: Microsoft's ISA Server 2006, and Linux's embedded firewall, IPTables.
Lesson Review
5A What is a network firewall?
A firewall can be described as a security mechanism that places limitation controls on all inbound and outbound network communications between individual systems or entire networks of systems by permitting, denying, or acting as a proxy for all data connections.
What is a firewall's primary responsibility?
Controlling access requests across differing zones of trust.
Name six basic building blocks or elements of firewall access rules.
Source Address, Destination Address, Protocol, Source Port, Destination Port, and Service.
What layers of the OSI model do firewalls operate on?
Data Link, Network, Transport, Session and Application Layers (2, 3, 4, and 7).
What does it mean when a firewall is stateful?
The firewall keeps track of the state of all accepted connections in a data table that resides in memory. This enables the firewall to determine if an incoming packet is either a new connection or is part of an existing established connection.
What are the three common firewall topologies?
Perimeter topology, three-legged DMZ topology, and chained DMZ topology.
5B True or False? You need to have the install partition formatted to NTFS when installing ISA Server 2006 on a Windows 2003 Server.
True
Is ISA Server Firewall available in a firewall appliance?
Yes! There are a wide range of manufacturers that offer ISA-based appliances.
What are the three panes in the ISA Server 2006 Management console?
Console Tree, Details, and Task panes.
List some things that can be a trigger for an ISA alert.
Responses might include Event Log Failure, Intrusion Detected, IP Spoofing, and Oversize UDP Packet.
How do you back up or restore the configuration of ISA Server 2006?
By exporting or importing the configuration to an XML file.
What is the difference between an access rule and a publishing rule in ISA Server 2006?
Access rules control outbound communication, while publishing rules control inbound communication.
What are the features in ISA Server 2006 that can help manage bandwidth consumption?
Forward and reverse caching and packet prioritization.
5C What is the difference between the DROP target and the REJECT target?
Dropping the connection complies with TCP/IP rules of communication; an ICMP message is sent back to the packet's origin. Rejecting the connection simply drops a packet and does not inform the sender.
What must be done before a chain can be deleted?
You must flush the rules.
What is the switch for deleting a rule?
-D deletes a rule (-F flushes and -X deletes a chain).
LESSON 6: Implementing IPSec and VPNs
Data Files: RFCs
Lesson Time: 3 hours
Objectives
To be able to implement IPSec and Virtual Private Networks, you will:
6A Define the function of IPSec in a networked environment. Given a running network, you will examine the IPSec structure, cryptography, the Encapsulating Security Payload, the Authentication Header, the Internet Key Exchange, and modes of implementation.
6B Examine IPSec policy management. Given a running network, you will examine the IPSec structure, cryptography, the Encapsulating Security Payload, the Authentication Header, the Internet Key Exchange, and modes of implementation.
6C Implement and examine IPSec AH configurations. Given a Windows 2003 computer, you will implement and analyze IPSec AH sessions.
6D Implement and examine IPSec AH and ESP configurations. Given a Windows 2003 computer, you will implement and analyze IPSec AH and ESP sessions.
6E Examine the business drivers and technology components for a VPN. In this topic, you will examine standard business drivers and technology components in order to successfully implement a VPN solution.
6F Examine the concepts of IPSec and other tunneling protocols. In this topic, you will investigate the components of IPSec, how IPSec works, and identify other VPN tunneling protocols, such as Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP).
6G Analyze secure VPN design and implementation issues. In this topic, you will take the necessary steps required to analyze secure VPN design objectives and VPN implementation issues.
6H Examine the issues of VPN and firewall architecture and VPN authentication. In this topic, you will address various VPN and firewall architectures and examine issues related to authentication.
6I Configure VPN options built into Windows 2003. In this topic, you will perform tasks related to setting up VPN options built into Windows 2003 Server related to VPNs.
Topic 6A
Internet Protocol Security
The Internet Protocol (IP) by itself has no security. There are no built-in mechanisms to ensure the security of the packets. It has become possible for attackers to create bogus packets, posing as IP addresses that they are not. It has also become possible for attackers to intercept packets as they are transmitted on the Internet, and read into the payload of the packets. Due to the above-mentioned points, there is no way for the security professional to guarantee any of the following:
That a packet is from the source IP address.
That a packet was not copied or intercepted by a third party during transmission.
That a packet holds the original data that was transmitted.
These issues combine to illustrate that security of the packets themselves is required. IPSec, or IP Security (described in detail in RFC 2401), can provide this security. In the simplest definition, IPSec protects IP datagrams. In a more detailed definition, IPSec provides confidentiality, integrity, and authentication. Confidentiality means there is a system of making the data unreadable by unauthorized individuals. Integrity means that there is a guarantee that data is not altered between the sender and the receiver. Authentication means that the receiver is guaranteed that the sender is not an imposter.
The way that IPSec is able to provide this protection is by specifying how the network traffic is going to be protected, and to whom the traffic will be sent. The way the traffic is going to be protected will be through an IPSec protocol such as the Authentication Header (AH) or the Encapsulating Security Payload (ESP). The operation of IPSec is completely transparent to the end-user. This is due to the fact that IPSec functions just above the Network layer (the IPSec protocols AH and ESP have their own IP protocol IDs), so they are well under the Application layer. Providing this automatic protection is significant in the choice of whether or not to implement IPSec. The end result is that network traffic is encrypted on one end and decrypted on the other, without the upper-layer applications at either end worrying about the complexities of the encryption/decryption processes.
cryptography: The art or science concerning the principles, means, and methods for rendering plaintext unintelligible and for converting encrypted messages into intelligible form.
One method is called manual distribution. In the simplest definition, this literally means each user manually giving every other user his or her key. Manual distribution will more likely be done with what is called a KDC, or Key Distribution Center. The second method is automatic distribution. With automatic distribution, the concept is that keys are exchanged only when needed. The default IPSec implementation of automatic key distribution is called Internet Key Exchange (IKE). You can also implement an automated version of the KDC, such as a Kerberos implementation.
Modes
IPSec has the ability to protect either the complete IP packet or just the upper-layer protocols. The distinction between the two creates two different modes of implementation. One mode is called Transport Mode. In this implementation, IPSec is protecting upper-layer protocols. The other mode is called Tunnel Mode. In this implementation, IPSec protects the entire (tunneled) IP payload.
When Transport Mode is used, the IPSec headers (AH and/or ESP) are inserted between the IP header and the TCP header. When Tunnel Mode is used, the IPSec header is inserted between the original IP header (now tunneled) and a new IP header. Tunnel Mode is commonly used to create VPNs between networks. Along with specifying a mode, you must decide whether to use AH, ESP, or both. Since there are two modes of implementation, and two protocols that can be selected, there are four possible methods of protection using IPSec. You can use any of the following:
ESP in Transport Mode
ESP in Tunnel Mode
AH in Transport Mode
AH in Tunnel Mode
Over and above that, ESP offers message integrity (authentication) and confidentiality (encryption). AH offers only message integrity. Tunnel Mode ESP encryption encrypts all of the tunneled data (that is, the tunneled IP header and everything within), while Transport Mode ESP does not, and cannot, encrypt the IP header. Thus the IPSec implementation that offers the maximum protection is ESP in Tunnel Mode.
AH in Transport Mode
AH provides authentication and integrity for the data it carries (in Transport Mode, the upper-layer header and the application data) and for the fields of the IP header that do not change in transit. AH does not provide encryption services like ESP, only authentication services (as the name indicates). In Transport Mode, there is a similarity to ESP, though, in that both endpoints (the two hosts themselves) must have IPSec installed and configured.
AH in Tunnel Mode
In Tunnel Mode, AH authenticates the entire tunneled IP packet from one endpoint to the other, and the endpoints are often network gateways or firewalls rather than the hosts themselves. There is no encryption provided, only authentication. Because ESP can carry its own integrity check, AH in Tunnel Mode is rarely implemented when ESP authentication is turned on.
IPSec Implementation
As you identified in the previous section, there are various modes of implementing IPSec. One of the primary questions to answer is: Where are the endpoints in your network going to be? Are the endpoints the actual hosts? Or, are the endpoints the firewalls? If true end-to-end security is required between two hosts, then implementing IPSec on each host is the way to go. However, scaling that up to all the hosts in the network can become difficult to implement and manage. Imagine that you and your coworkers all pass open notes to each other in your organization. In order to prevent a third user from seeing the note sent between any two users, you build an infrastructure of opaque PVC pipes between each pair of coworkers in your organization. If there are a total of five workers, you have to have an infrastructure of [5 × (5 − 1)]/2, or 10, pipes. In this office, each person holds four pipes. Now, increase the number of workers to 100. You will need an infrastructure of [100 × (100 − 1)]/2, or 4950, pipes, and each person holds 99 pipes. Lots of secure links to pass things back and forth through, but not that efficient overall. This is what happens when you implement IPSec in Transport Mode between hosts: you basically create a separate virtual secure pipe between each host and every other host it talks to. If host-to-host implementation is chosen, the likely solution will be to use the IPSec function of the OS, such as Windows 2000. In this case, IPSec functions normally, at the Network layer, performing its function and moving on. Sometimes, though, IPSec may be implemented underneath an existing implementation of the IP protocol stack, between the native IP and the local network drivers (see RFC 2401). This is referred to as a Bump in the Stack implementation. Yet another option for IPSec implementation is to use a dedicated piece of hardware. This equipment attaches to an interface or a router and performs the encryption functions externally to the other components. This is called a Bump in the Wire implementation. It offers excellent performance in regards to the processing of encryption and decryption. It is not suitable for all implementations, however, as adding a dedicated physical piece of equipment to links may not be a budgetary option for an organization.
firewall: A system or combination of systems that enforces a boundary between two or more networks. A gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based UNIX box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.
TASK 6A-1
Describing the Need for IPSec
1. Why is IPSec becoming a requirement in networks that need secure communication? There is no security built into the standard IP that is used today. IP packets can be captured, read, and altered with nothing in the protocol to prevent it. IPSec secures the packets themselves, without relying on Application-level encryption.
Topic 6B
IPSec Policy Management
Implementing and managing IPSec policies in Windows is accomplished by using the Microsoft Management Console. In this topic, you will use the MMC to perform the many tasks of IPSec implementation.
The MMC
Microsoft introduced the Microsoft Management Console (MMC) in Windows NT. The MMC is a highly configurable tool used to manage and configure system and application settings.
In the first task, you will become familiar with the MMC configuration options and create some customized settings. The MMC, as you first use it, is blank; you select the configuration options. In Figure 6-1, you will see that there are two places to use a drop-down menu. The first is the overall MMC window, called Console1 by default. This menu bar has three menus: Console, Window, and Help. The second menu bar contains the commands for the current snap-in (also called a plug-in). The default snap-in is called Console Root. This has three commands: Action, View, and Favorites. In the default snap-in, Console Root, there are two tabs: Tree and Favorites. The Tree tab shows the items that are available in this snap-in. Items can include folders, web pages, other snap-ins, and more. The Favorites tab is used to manage shortcuts to items in the Console Tree. This enables you to create a customized grouping of tools and shortcuts that you frequently use to manage aspects of your system. The Tree and Favorites tabs are located in what is called the Left Pane of the console. This is where the options are expanded, selected, and possibly added to Favorites. On the right side of the dividing line is what is called the Right Pane. In the Right Pane, you will find the details of any object that is selected in the Left Pane.
TASK 6B-1
Examining the MMC
Setup: You are logged on to Windows 2003 Server as Administrator.
1. Choose Start→Run.
2. In the Run box, type mmc to start the Microsoft Management Console.
3. Choose File→Add/Remove Snap-In.
4. On the Standalone tab, click Add.
5. Scroll down, select IP Security Policy Management, and click Add.
6. If necessary, select Local Computer, and click Finish.
7. Click Close to close the Add Standalone Snap-in dialog box.
8. Click OK, and leave the MMC open for the next task.
IPSec Policies
In Windows 2003, there are predefined IPSec security policies. These policies allow for implementation of IPSec with minimal effort on the part of the administrator. As an administrator, you must identify the needs for IPSec in your environment, then assign the proper policy to meet those needs. Only one IPSec policy can be assigned to a computer at a time. The three predefined policies are:
Client (Respond Only): The policy of Client (Respond Only) is used for normal communication, which is not secured. What this means is that any Windows machine (Windows 2000, XP Professional, or Server 2003) with this policy assigned will communicate without IPSec by default, but has the ability to use IPSec if another machine requests or requires it. Such a machine will never initiate IPSec itself when it starts a conversation with another machine.
Secure Server (Require Security): The policy of Secure Server (Require Security) is used when all IP network traffic must be secured. What this means is that any machine with this policy assigned will always enforce secure communications using IPSec and will never fall back to unsecured communications. One exception is built into the predefined policy: its All ICMP Traffic rule has a filter action of Permit, so ping and other ICMP messages pass unsecured unless you change that rule.
Server (Request Security): The policy of Server (Request Security) is used when IP network traffic is to be secured where possible, while still allowing unsecured communication with clients that do not respond to the request. What this means is that any machine with this policy assigned will first try to negotiate IPSec. If the other machine cannot use IPSec, the first machine will fall back to unsecured communications.
security policies: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
TASK 6B-2
Identifying Default IPSec Security Policies
Setup: You are logged on to Windows 2003 Server as Administrator, the MMC is running, and the IP Security Policy Management snap-in has been added.
1. In the left pane, select IP Security Policies On Local Machine. Three policies are shown in the right pane.
2. Look at the Policy Assigned column. By default, they are not assigned.
3. Leave the MMC open for the next task.
TASK 6B-3
Saving a Customized MMC
Setup: You are logged on to Windows 2003 Server as Administrator, the MMC is running, and the IP Security Policy Management snap-in has been added.
1. Choose File→Exit.
2. When you are asked if you wish to save the console settings, click Yes.
3. Save the file to the desktop as ipsec.mmc.msc
4. Verify the new addition by double-clicking the new ipsec.mmc.msc file on the desktop. Your saved MMC opens just as you customized it.
Figure 6-2 shows the settings for Key Exchange. Keys are used as part of the different forms of encryption and integrity protection that can be implemented in the IPSec policy. IKE stands for Internet Key Exchange, and deals with the method of negotiating and exchanging the cryptographic key(s). SHA1 and MD5 are both hash algorithms that are used (in HMAC form) to verify the integrity of a message. 3DES and DES are the actual encryption algorithms that can be used, and finally, the Diffie-Hellman Group dictates the strength of the key material that the two peers agree on.
Figure 6-2: The Key Exchange Security Methods dialog box. These settings work together to determine the integrity, confidentiality, and strength of the secured communication. Integrity is determined by the SHA1 or MD5 algorithm.
DES: (Data Encryption Standard) Definition 1: An unclassified crypto algorithm adopted by the National Bureau of Standards for public use. Definition 2: A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.
Confidentiality is determined by the 3DES or DES algorithm. Strength of the key exchange is determined by the Diffie-Hellman Group, which sets the size of the modulus used in the key agreement: Low (1) uses a 768-bit modulus and Medium (2) uses a 1024-bit modulus; Windows Server 2003 also offers a High (2048) group with a 2048-bit modulus. A larger group makes the agreed keys harder to attack but costs more CPU during negotiation. Note that DES (a 56-bit key) and MD5 are the weakest choices in their respective lists; they are used in the exercises that follow for simplicity and compatibility, but 3DES and SHA1 should be preferred wherever both peers support them.
TASK 6B-4
Examining Security Methods
Setup: You are logged on to Windows 2003 Server as Administrator, and the ipsec.mmc.msc console is open.
1. In the right pane, right-click Secure Server (Require Security), and choose Properties.
2. Select the General tab.
3. Observe that the default value for Check For Policy Changes Every is 180 minutes. Every 3 hours, the machine (if it is a domain member) will check with Windows Active Directory to see if this policy, when assigned, has changed.
4. Under Perform Key Exchange Using Additional Settings, click Settings.
5. In the Key Exchange Settings dialog box, click Methods.
6. Examine the default settings for the security used in Secure Server (Require Security).
7. Close all windows without changing the properties.
The Rules Tab for the Secure Server (Require Security) Policy
The Rules section of an IPSec policy (in this case, the Secure Server (Require Security) policy) contains the actual security sections of the policy pertaining to traffic and actions. The IP Filter List is used to define the types of network traffic that are to be affected by this policy. The predefined rules in a policy can be modified, but cannot be removed. The default rules are for All IP Traffic, All ICMP Traffic, and <Dynamic>. In addition to the IP Filter List is the Filter Action: in other words, what the system does when traffic matches a rule's filter list, such as All IP Traffic. There are three actions:
Permit: Allow unsecured IP packets to pass.
Require Security: Requires secured communication.
Default Response: Follow the negotiations as initiated by the other computer. This is especially useful when no other rule applies. In fact, it is the only filter action for the Client (Respond Only) predefined policy.
Figure 6-3: The default filter lists and filter actions, as shown on the Require Security Rules tab. In addition to the IP Filter List and the Filter Actions on the Rules tab shown in Figure 6-3, there are other sections that deserve noting. These are the Authentication, Tunnel Setting, and Connection Type options, described in the following section and shown in Figure 6-4. The Authentication Methods are used to define how a trust will be established between the two communicating hosts. By default, this is the Kerberos method. The other valid options (in addition to Kerberos) are to use a certificate from a Certificate Authority (CA), or to use a predefined shared key string. The Tunnel Setting is used to define if this communication is to use a tunnel, and if so, what the IP address for the end of the tunnel is. The endpoint is the tunnel computer that is closest to the IP traffic destination. The Connection Type is used to define the types of connections to which the rule will apply. For example, the default setting is All Network Connections. The second option is to have the rule apply only to Local Area Network (LAN) traffic, and the third option is to have the rule apply only to Remote Access traffic.
LAN: (Local Area Network) A computer communication system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communication system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, frontend processors, controllers, and servers.
Figure 6-4: The authentication methods, tunnel settings, and connection types, as shown on the Require Security Rules tab.
TASK 6B-5
Examining Policy Rules
Setup: You are logged on to Windows 2003 Server as Administrator.
1. Reopen the ipsec.mmc.msc console.
2. In the right pane, right-click Secure Server (Require Security), and choose Properties.
3. If necessary, select the Rules tab.
4. Examine the default settings for IP Filter List, Filter Action, Authentication Methods, Tunnel Setting, and Connection Type.
5. Select the All IP Traffic rule, and click the Edit button.
6. Observe the configuration options that can be adjusted in this section.
7. When you are done reviewing the configuration options, click Cancel to close the Secure Server Properties, without making changes.
8. Close the ipsec.mmc.msc console without saving changes.
Topic 6C
IPSec AH Implementation
You now have all of the information and tools you need to be able to implement IPSec. Let's try it out.
Figure 6-5: Opting not to use the Add Wizard. When you are creating a new policy, you will need to add and configure all the options you previously examined. In these tasks, you will be customizing the policies one by one, and do not want to use the Add Wizard, because the Add Wizard walks you through specific predefined steps. At this stage, you want to perform everything manually.
Figure 6-6: The Security Methods tab, showing the leftmost part of the Security Method Preference Order. During policy creation, you will be presented with the Security Methods tab. At this stage, you will see five columns presented: Type, AH Integrity, ESP Confidentiality, ESP Integrity, and Key Lifetimes (KB/Sec), but you might need to scroll to see all five.
Figure 6-7: The Security Methods tab, showing the right-most part of the Security Method Preference Order. Security methods are listed in the order of preference that this machine will use when attempting to negotiate IP Security with another machine that responds that it can use IPSec, too. You can add, edit, or remove any of these methods. In this case, since you will have named this policy 1_REQUEST_AH(md5)_only, you will simplify the list and offer exactly one choice: request IP Security that relies only on AH integrity using the MD5 hashing algorithm. Do not worry about key lifetimes at this stage.
TASK 6C-1
Creating the 1_REQUEST_AH(md5)_only Policy
Note: Perform this task only if you are designated as Student_Q.
1. Open the ipsec.mmc.msc console.
2. In the right pane, right-click and choose Create IP Security Policy, then click Next.
3. For the IP Security Policy Name, type 1_REQUEST_AH(md5)_only and click Next.
4. Uncheck Activate The Default Response Rule and click Next.
5. Uncheck Edit Properties and click Finish.
Lesson 6: Implementing IPSec and VPNs
6. Double-click the new policy 1_REQUEST_AH(md5)_only.
7. On the Rules tab, uncheck Use Add Wizard and click Add.
8. On the IP Filter List tab, click the radio button for All IP Traffic.
9. Switch to the Filter Action tab.
10. Click the radio button for Request Security (Optional).
11. Click Edit.
12. Verify that the radio button for Negotiate Security is selected.
13. Read the options presented to you under Security Method Preference Order.
14. Remove all but one Security Method by holding down the Shift key, selecting all but one of the choices, and clicking Remove. You can leave any one of the Security Methods.
15. When prompted with Are You Sure?, click Yes.
16. Select the remaining method, and click Edit.
17. Under Security Method, click the Settings button found under Custom (For Expert Users), as you're on your way to becoming an expert on IPSec.
18. Verify that AH is checked and that the integrity algorithm is MD5.
19. If necessary, uncheck ESP.
20. Under Session Key Settings, uncheck both check boxes.
21. Click OK three times to return to the New Rule Properties dialog box. 22. Leave the New Rule Properties open for the next task.
Figure 6-8: The Authentication Method tab. Notice that three authentication methods are supported: Kerberos, Certificates, and Preshared Keys. You will use the third method for now, as it is simple to implement in a classroom. Keep in mind that a preshared key is stored in clear text in the policy (in the local registry, or in Active Directory for a domain policy), so anyone who can read the policy can read the key; treat it as a lab and troubleshooting option, not a production one. In a production environment, if you have a homogeneous Windows 2003 domain implementation, you could leave it at the default Kerberos; in a heterogeneous network, you could choose to set up a CA and distribute IPSec certificates.
TASK 6C-2
Editing the 1_REQUEST_AH(md5)_only Policy
Note: Perform this task only if you are designated as Student_Q.
1. Verify that the New Rule Properties are displayed.
2. Select the Authentication Methods tab.
3. Click Edit.
4. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide text for the preshared key. Click OK to close the Edit Authentication Methods Properties dialog box.
5. Switch to the Tunnel Setting tab, but leave the settings alone. You will be working in Transport Mode only.
6. Switch to the Connection Type tab, but leave the settings alone. You will use the default of All Network Connections.
7. Click Close to close the Rule Properties. Keep the Policy Properties open for the next task.
Figure 6-9: Preparing to modify the default response. To modify the rule, you will not use the Add Wizard. Once you click Edit, you will again be presented with the tabs for Security Methods, Authentication Methods, and Connection Type.
Under Security Methods, you will again see five columns presented: Type, AH Integrity, ESP Confidentiality, ESP Integrity, and Key Lifetimes (KB/Sec). As before, you can add, edit, or remove any of these methods. In this case, this policy is named 1_REQUEST_AH(md5)_only, but because this machine must also be able to respond when the other computer initiates the negotiation, you'll simplify the default response list and offer exactly one choice: respond to IP Security that relies only on AH integrity using the MD5 hashing algorithm. As before, you don't need to worry about the key lifetimes.
TASK 6C-3
Configuring the Policy Response
Note: Perform this task only if you are designated as Student_Q.
1. Verify that the properties for the 1_REQUEST_AH(md5)_only policy are displayed.
2. On the Rules tab, check <Dynamic> Default Response, and click Edit. (The Use Add Wizard check box should remain unchecked.)
3. Remove all but one Security Method by holding down the Shift key, selecting all but one of the choices, and clicking Remove.
4. When prompted with Are You Sure?, click Yes.
5. Select the remaining method, and click Edit.
6. Under Security Method, click the Settings button found under Custom.
7. Verify that the box beside AH is checked and that the integrity algorithm is MD5.
8. Verify that ESP is unchecked.
9. Under Session Key Settings, verify that the options for generating new keys for both size and time are unchecked.
10. Click OK twice to return to the Edit Rule Properties.
11. Switch to the Authentication Methods tab.
12. Click Edit.
13. Click the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.
14. Click OK twice to return to the policy properties.
15. Double-click All IP Traffic.
16. Switch to the Connection Type tab and verify that the setting is the default of All Network Connections.
17. Click OK, and then click OK to close.
18. Close the ipsec.mmc.msc console without saving changes.
TASK 6C-4
Configuring the Second Computer
Note: Perform this task only if you are designated as Student_P.
1. Open the ipsec.mmc.msc console.
2. In the right pane, right-click and choose Create IP Security Policy. Click Next.
3. For the IP Security Policy Name, type 1_RESPOND_AH(md5)_only and click Next.
4. Uncheck Activate The Default Response Rule and click Next.
5. Uncheck Edit Properties and click Finish.
6. Double-click the new policy 1_RESPOND_AH(md5)_only.
7. On the Rules tab, uncheck Use Add Wizard, check <Dynamic> Default Response, and click Edit.
8. Remove all choices but one by holding down the Shift key, selecting all but one of the choices, and clicking Remove. When prompted with Are You Sure?, click Yes.
9. Select the remaining method and click Edit.
10. Under Security Method, click the Settings button found under Custom (For Expert Users).
11. Verify that AH is checked and that the integrity algorithm is MD5.
12. Verify that ESP is unchecked.
13. Under Session Key Settings, verify that the boxes for generating new keys for both time and size are unchecked.
14. Click OK twice to return to the Rule Properties.
15. Switch to the Authentication Methods tab.
16. Click Edit.
17. Click the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.
18. Click OK.
19. Click OK twice, and then click Close to finish the creation of the policy.
20. Close the ipsec.mmc.msc console without saving changes.
Configuring FTP
Now that IPSec policies are configured on two machines, you need to test the policies to ensure that they work as you intended them to work. To do this, you'll bring up an FTP site on Student_Q and attempt to access this FTP site from Student_P. You'll do this with IPSec assigned first on one machine only, and then on both. You'll run Network Monitor to capture and record the traffic between the two machines. You'll examine these captures and see where (in the packet) the IPSec headers reside. For greater clarity, you can verify what you see against the RFCs associated with IPSec, as well.
TASK 6C-5
Setting Up the FTP Process
Note: Perform step 1 through step 17 only if you are designated as Student_Q.
1. Choose Start→Control Panel→Add Or Remove Programs.
2. Click the Add/Remove Windows Components button.
3. Click Application Server, and click the Details button.
4. Check the Internet Information Services (IIS) check box. Note that when you select this option, COM+ is selected by default.
5. With IIS selected, click the Details button.
6. Check the File Transfer Protocol (FTP) Service check box and click OK.
7. Click OK again to return to the Windows Components screen.
8. Click Next. You may be prompted for your Windows Server 2003 CD-ROM.
9. Once the installation is complete, click Finish.
10. Close the Add Or Remove Programs window, and open the IIS Manager (Start→Administrative Tools→Internet Information Services (IIS) Manager).
11. In the left pane, expand your server name.
12. Expand FTP Sites, right-click Default FTP Site, and choose Properties.
13. Click the Home Directory tab and verify the location of the FTP folder. The default location is C:\Inetpub\ftproot.
14. Close the IIS Manager.
15. In Explorer, locate and navigate to the folder designated as the FTP home directory.
16. In this folder, create a text document. Edit this document to input some text and save it as text1.txt
17. Create and save three more similar text documents in the same folder. Use text2.txt, text3.txt, and text4.txt as the file names.
Note: Perform step 18 through step 23 only if you are designated as Student_P.
18. Open a command prompt.
19. Enter ftp IP_address_of_Student_Q to ftp to Student_Q's FTP site.
20. Log on as anonymous with no password.
21. Verify that you can access the text documents created on the Student_Q computer by using the DIR command.
22. Once you have verified that you can access the text documents, quit the ftp session by entering bye at the ftp prompt.
23. Leave this command prompt open.
TASK 6C-6
Implementing the 1_REQUEST_AH(md5)_only Policy
Note: Perform step 1 through step 4 only if you are designated as Student_Q.
1. Open your ipsec.mmc.msc console. Right-click the 1_REQUEST_AH(md5)_only policy and choose Assign.
2. Close the ipsec.mmc.msc console. If you are prompted to save changes, click No.
3. Start Network Monitor, and verify that it is going to collect packets from the interface connected to Student_P.
4. Start a new capture, and allow Network Monitor to capture packets until Student_P has completed step 5 through step 9.
You will be using Network Monitor repeatedly throughout this course, so you might want to create a shortcut for it on the Windows desktop.
Note: Perform step 5 through step 9 only if you are designated as Student_P.
5. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q after a very brief delay, even though an IPSec policy is assigned on Student_Q.
6. Log on as anonymous with no password.
7. Enter dir to see a list of files hosted on the ftp site.
8. Exit the ftp session.
9. Leave the command prompt open.
TASK 6C-7
Analyzing the Request-only Session
Note: Perform this task only if you are designated as Student_Q.
1. In Network Monitor, stop and view the capture.
2. Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3). Because the policy on Student_Q says to request IPSec communication, Student_Q begins the negotiation process (in frame 4). In frame 4, observe that the protocol is ISAKMP (UDP port 500). When it does not hear from Student_P, it tries again approximately a second later. When it does not hear from Student_P again, it falls back to insecure communication, and the three-way handshake proceeds as before (in frames 6, 7, and 8).
3. Once the connection is made, the session is established in clear text, with no IPSec. You are able to see the payload and full headers of all the packets, with no evidence of IPSec. This is the fallback behavior of the Request Security action: a peer that simply never answers the ISAKMP request gets a clear-text session, so this policy does not protect against a peer (or an attacker in the path dropping UDP port 500) that declines to negotiate.
4. Close Network Monitor. You can save your capture to a file, if you like.
Based on your network traffic, you might have different frame numbers in your packet captures.
For this step, and subsequent steps that deal with the ISAKMP protocol, your classroom configuration might not yield the expected results, due to timing issues as the students complete their assigned steps. You can have them try to restart the computer, and then try redoing the activity.
TASK 6C-8
Configuring a Request-and-Respond IPSec Session
Note: Perform step 1 only if you are designated as Student_P.
1. Open your ipsec.mmc.msc console. Right-click the 1_RESPOND_AH(md5)_only policy, and choose Assign. Close the ipsec.mmc.msc console, without saving changes. Then, wait until Student_Q performs the next step.
Note: Perform step 2 only if you are designated as Student_Q.
2. Activate Network Monitor, and start a capture.
Note: Perform the rest of this task only if you are designated as Student_P.
3. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.
4. Log on as anonymous with no password.
5. Enter dir to see a list of files hosted on the ftp site.
6. Exit the ftp session.
7. Close the command prompt.
TASK 6C-9
Analyzing the Request-and-Respond Session
Based on your network traffic, you might have different frame numbers in your packet captures.
Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.
1. In Network Monitor, stop and view the capture.
2. Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3).
3. Observe that, because the policy on Student_Q says to request IPSec communication, Student_Q begins the negotiation process (in frame 4) by using the ISAKMP protocol (UDP port 500).
4. Observe that, when Student_P agrees to comply with the IPSec request (in frame 5), there is an ISAKMP interplay between the two machines for the next few frames to negotiate and establish the IPSec protocol.
5. Observe that the actual three-way handshake is now completed in frames 14 and 15. If your network traffic is different, your frame numbers will be different.
6. Observe that, from frame 16 onward until the session teardown, the AH ensures integrity of communication between the two machines.
7. Double-click a frame whose protocol is identified by Network Monitor as FTP.
8. Observe the sequence of protocol identification: Ethernet, then IP, then AH, then TCP, then FTP. As noted earlier:
Ethernet identifies the protocol IP with an Ethertype of 0x800.
IP identifies AH with a protocol ID of 0x33 (51).
AH identifies TCP with a Next Header of 0x6 (6).
TCP identifies FTP with a destination port of 0x15 (21).
9. Observe that there is no encryption: the AH only signs the packet; it does not encrypt it.
10. In fact, look around frame 33. Near there, you should be able to see the name of the text file in response to the dir (LIST) command.
11. Close Network Monitor. You can save your capture to a file if you like.
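The protocol chain you just traced in Network Monitor, reproduced in code. The following is an added example written for this edition, not code from the course or from Microsoft. It builds an IPv4 packet protected by AH in transport mode (IP, then AH, then TCP, then the FTP command), computes the HMAC-MD5-96 integrity check value the way RFC 2402 and RFC 2403 specify (with the mutable IP header fields zeroed), then parses the frame the way Network Monitor does, following Ethertype 0x800 to protocol 51 to Next Header 6 to port 21, and verifies the ICV. It also shows why a tampered FTP command fails verification while a router's TTL decrement does not, that the payload stays readable (AH signs, it does not encrypt), and how the same builder produces a tunnel-mode packet whose Next Header is 4 (a tunneled IP packet), as described in the Modes section earlier. The addresses, ports, SPIs and key are constructed; in particular, using the lab's preshared key as the HMAC key is a simplification, since real IPSec derives the AH key from IKE's Diffie-Hellman exchange and uses the preshared key only to authenticate the peers.

```python
# AH in transport and tunnel mode: build the packets, compute/verify the ICV and walk
# Ethernet -> IP -> AH -> TCP -> FTP. Added example; addresses, ports, SPIs and the key
# are constructed. Layouts per RFC 2402 (AH) and RFC 2403 (HMAC-MD5-96); stdlib only.
import hashlib
import hmac
import ipaddress
import struct

ETHERTYPE_IP = 0x0800
IPPROTO_IPIP = 4    # AH Next Header when the payload is a whole IP packet (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_AH = 51
FTP_PORT = 21
AH_FIXED = 12       # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN = 12        # HMAC-MD5-96: 128-bit MAC truncated to 96 bits
# Simplification: the lesson's preshared key only authenticates the IKE peers; the real
# AH key comes out of IKE's Diffie-Hellman exchange and is never typed in anywhere.
KEY = b"Purple Enigma"


def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum of a 20-byte IPv4 header whose checksum field is zero."""
    total = sum(struct.unpack("!10H", hdr))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 128) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto,
                      0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def tcp_segment(sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header carrying data (PSH, ACK); TCP checksum left at zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload


def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """HMAC-MD5-96 over IP header + AH + payload. RFC 2402 zeroes the mutable fields
    (TOS, Flags, Fragment Offset, TTL, Header Checksum, the ICV) that routers change."""
    z = bytearray(ip_hdr)
    z[1] = 0                # TOS
    z[6:8] = b"\0\0"        # Flags + Fragment Offset
    z[8] = 0                # TTL
    z[10:12] = b"\0\0"      # Header Checksum
    data = bytes(z) + ah_fixed + b"\0" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.md5).digest()[:ICV_LEN]


def build_ah(key: bytes, src: str, dst: str, next_header: int, payload: bytes,
             spi: int, seq: int) -> bytes:
    """IP | AH | payload. Transport mode: payload is a TCP segment (next_header 6);
    tunnel mode: payload is a complete inner IP packet (next_header 4)."""
    ah_len = AH_FIXED + ICV_LEN
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, ah_len + len(payload))
    # Payload Len field = AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def parse_frame(frame: bytes, key: bytes):
    """Follow the protocol chain the way Network Monitor does; return (chain, icv_ok)."""
    chain = ["Ethernet"]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:    # Ethertype 0x800
        return chain, False
    chain.append("IP")
    pkt = frame[14:]
    if pkt[9] != IPPROTO_AH:                                     # protocol ID 0x33 (51)
        return chain, False
    chain.append("AH")
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr, rest = pkt[:ihl], pkt[ihl:]
    next_header, ah_len = rest[0], (rest[1] + 2) * 4
    ah_fixed, icv, payload = rest[:AH_FIXED], rest[AH_FIXED:ah_len], rest[ah_len:]
    icv_ok = hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))
    if next_header == IPPROTO_TCP:                               # Next Header 0x6
        chain.append("TCP")
        if struct.unpack("!H", payload[2:4])[0] == FTP_PORT:     # destination port 0x15 (21)
            chain.append("FTP")
    elif next_header == IPPROTO_IPIP:
        chain.append("IP (tunneled)")
    return chain, icv_ok


def demo() -> dict:
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IP)
    seg = tcp_segment(1025, FTP_PORT, b"USER anonymous\r\n")
    # Transport mode between the two lab hosts: the FTP command rides in the clear.
    transport = build_ah(KEY, "192.168.1.10", "192.168.1.20", IPPROTO_TCP, seg, 0x1000, 1)
    chain, icv_ok = parse_frame(eth + transport, KEY)
    # Flip one payload byte: the ICV no longer verifies.
    tampered = transport[:-1] + bytes([transport[-1] ^ 0xFF])
    _, tampered_ok = parse_frame(eth + tampered, KEY)
    # A router decrements TTL and fixes the checksum; both are mutable, so the ICV still verifies.
    hopped = ipv4_header("192.168.1.10", "192.168.1.20", IPPROTO_AH,
                         len(transport) - 20, ttl=127) + transport[20:]
    _, hopped_ok = parse_frame(eth + hopped, KEY)
    # Tunnel mode between two gateways: the whole inner packet becomes the AH payload.
    inner = ipv4_header("192.168.1.10", "172.16.0.5", IPPROTO_TCP, len(seg)) + seg
    tunnel = build_ah(KEY, "203.0.113.1", "198.51.100.1", IPPROTO_IPIP, inner, 0x2000, 1)
    tunnel_chain, tunnel_ok = parse_frame(eth + tunnel, KEY)
    return {"packet": transport, "chain": chain, "icv_ok": icv_ok, "tampered_ok": tampered_ok,
            "hopped_ok": hopped_ok, "tunnel": tunnel, "tunnel_chain": tunnel_chain,
            "tunnel_ok": tunnel_ok}
```

Call demo() and compare its results with the Network Monitor decode: byte 9 of the IP header is 51, the first AH byte is the Next Header (6 for the transport-mode packet, 4 for the tunnel-mode one), the second AH byte is the Payload Len of 4, and the string USER anonymous is visible in the transport-mode packet exactly as the file names were in the capture around frame 33.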
Topic 6D
Combining AH and ESP in IPSec
In the previous topic, you examined the implementation of AH in Windows Server 2003, including viewing packet data in Network Monitor. Windows 2000 and Windows Server 2003 both let you build policies that use AH on its own, ESP on its own (with ESP supplying its own integrity check), or the two together. In the following section of tasks, you will combine them: ESP will supply the confidentiality (DES encryption) and AH will supply the integrity (MD5), with ESP's own integrity option left at <None>. That last setting matters: an encrypted payload with no integrity check can be altered in transit without detection, so in this combination it is AH, not ESP, that prevents tampering. In this topic, you will configure and analyze network traffic that combines AH and ESP, so that you can see both headers in the packet and how the protocol chain changes.
TASK 6D-1
Creating the 5_REQUEST_AH(md5)+ESP(des) IPSec Policy and the Response Policy
Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.
1. Open your ipsec.mmc.msc console. In the right pane, unassign the current policy, and then create another IP Security Policy. Click Next.
2. For the IP Security Policy Name, type 5_REQUEST_AH(md5)+ESP(des) and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.
4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy.
6. On the Rules tab, verify that Use Add Wizard is unchecked, and click Add.
7. On the IP Filter List tab, select the All IP Traffic radio button.
8. Switch to the Filter Action tab.
9. Select the Request Security (Optional) radio button.
10. Click Edit.
11. Leave the radio button selected for Negotiate Security.
12. Read the options presented to you under Security Method Preference Order.
13. Remove all but one method by holding the Shift key, selecting all but one of the choices, and clicking Remove. Some configurations might have only one option. If so, skip the next step.
14. When prompted with Are You Sure?, click Yes.
15. Select the remaining method, and click Edit.
16. Under Security Method, click the Settings button found under Custom.
17. Verify that AH is checked.
18. Select the integrity algorithm MD5.
19. Verify that ESP is checked.
20. Leave ESP's integrity algorithm set to <None>.
21. For Encryption Algorithm, select DES.
22. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
23. Click OK three times to return to the Rule Properties.
24. Switch to the Authentication Methods tab.
25. Click Edit.
26. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.
27. Click OK, and then click Close to return to the Policy Properties.
28. On the Rules tab, check <Dynamic> Default Response, and click Edit. The Use Add Wizard check box should remain unchecked.
29. Under Security Methods, hold the Shift key, select all but one of the choices, and click Remove.
30. Select the remaining method, and click Edit.
31. Under Security Method, click the Settings button found under Custom.
32. Verify that AH is checked.
33. Select the integrity algorithm MD5.
34. Verify that ESP is checked.
35. Leave ESP's integrity algorithm set to <None>.
36. For Encryption Algorithm, select DES.
37. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
38. Click OK twice to return to the Rule Properties.
39. Switch to the Authentication Methods tab.
40. Click Edit.
41. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.
42. Click OK three times to close the Policy Properties.
43. Close the console without saving settings.
TASK 6D-2
Creating the 5_RESPOND_AH(md5)+ESP(des) IPSec Policy
Note: Perform this task only if you are designated as Student_P. Student_Q is advised to follow along.

1. Open your ipsec.mmc.msc console. In the right pane, create another IP Security Policy. Click Next.
2. For the IP Security Policy Name, type 5_RESPOND_AH(md5)+ESP(des) and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.
4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy.
6. On the Rules tab, verify that Use Add Wizard is unchecked, check <Dynamic> Default Response, and click Edit.
7. Remove all but one security method by holding the Shift key, selecting all but one of the choices, and clicking Remove.
8. When prompted with Are You Sure?, click Yes.
9. Select the remaining method, and click Edit.
10. Under Security Method, click the Settings button found under Custom.
11. Verify that AH is checked.
12. Select the integrity algorithm MD5.
13. Verify that ESP is checked.
14. Leave ESP's integrity algorithm set to <None>.
15. For Encryption Algorithm, select DES.
16. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
17. Click OK twice to return to the Rule Properties.
18. Switch to the Authentication Methods tab.
19. Click Edit.
20. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.
21. Click OK three times to close the Policy Properties.
22. Close the console without saving settings.
TASK 6D-3
Configuring and Analyzing an IPSec Session Using AH and ESP
Note: Perform step 1 through step 2 only if you are designated as Student_Q.

1. Open your ipsec.mmc.msc console. Right-click the 5_REQUEST_AH(md5)+ESP(des) policy and choose Assign. Close the console.
2. Start Network Monitor, and start a capture.
As you assign and unassign policies, you might need to issue the command: gpupdate /force to initialize those policies right away.
Note: Perform step 3 through step 8 only if you are designated as Student_P.

3. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q after a very brief delay, even though an IPSec policy is assigned on Student_Q.
4. Log on as anonymous with no password.
5. Enter dir to see a list of files hosted on the ftp site.
6. Exit the ftp session.
7. Open your ipsec.mmc.msc console. Right-click the 5_RESPOND_AH(md5)+ESP(des) policy, and choose Assign.
8. Open a command prompt and enter the following command: gpupdate /force (this will ensure that your newly assigned policy will start right away).
Note: Perform step 9 through step 11 only if you are designated as Student_Q.

9. In Network Monitor, stop and view the capture.
10. Observe the session between the two hosts. Note that encryption is not used and that commands are visible in clear text.
11. Start a new capture (save the previous capture if you like).

Note: Perform step 12 through step 15 on Student_P.

12. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.
13. Log on as anonymous with no password.
14. Enter dir to see a list of files hosted on the ftp site.
15. Exit the ftp session.

Note: Perform step 16 through step 19 only if you are designated as Student_Q.

16. In Network Monitor, stop and view the capture.
17. Search the packets, and try to look for the name of the text file in response to the dir (LIST) command.
18. Observe that AH ensures integrity and ESP ensures confidentiality of communication between the two machines.
19. Close Network Monitor. You can save your capture to a file if you like.

Note: Perform the following step only if you are designated as Student_P.

20. Open your ipsec.mmc.msc console, unassign the 5_RESPOND_AH(md5)+ESP(des) policy, and close the console.
TASK 6D-4
Implementing the 7_REQUIRE_AH(sha)+ESP(sha+3des) Policy
Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.

1. Create another IP Security Policy. Click Next.
2. For the IP Security Policy Name, type 7_REQUIRE_AH(sha)+ESP(sha+3des) and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.
4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy.
6. On the Rules tab, verify that Use Add Wizard is unchecked, and click Add.
7. On the IP Filter List tab, select the All IP Traffic radio button.
8. Switch to the Filter Action tab.
9. Select the Require Security radio button.
10. Click Edit.
11. Leave the radio button selected for Negotiate Security.
12. If necessary, remove all but one security method.
13. Select the remaining method, and click Edit.
14. Under Security Method, click the Settings button found under Custom.
15. Verify that AH is checked.
16. Select the integrity algorithm SHA1.
17. Verify that ESP is checked.
18. Select ESP's integrity algorithm SHA1.
19. For Encryption Algorithm, select 3DES.
20. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
21. Click OK three times to return to the Rule Properties.
22. Switch to the Authentication Methods tab.
23. Click Edit.
24. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.
25. Click OK, click Close, then click OK to exit the Policy Properties.
TASK 6D-5
Implementing the 7_RESPOND_AH(sha)+ESP(sha+3des) Policy
Note: Perform this task only if you are designated as Student_P. Student_Q is advised to follow along.

1. Create another IP Security Policy. Click Next.
2. For the IP Security Policy Name, type 7_RESPOND_AH(sha)+ESP(sha+3des) and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.
4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy.
6. On the Rules tab, verify that Use Add Wizard is unchecked, check <Dynamic> Default Response, and click Edit.
7. Remove all but one security method.
8. Select the remaining method, and click Edit.
9. Under Security Method, click the Settings button found under Custom.
10. Verify that AH is checked.
11. Select the integrity algorithm SHA1.
12. Verify that ESP is checked.
13. Select ESP's integrity algorithm SHA1.
14. For Encryption Algorithm, select 3DES.
15. Under Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
16. Click OK twice to return to the Rule Properties.
17. Switch to the Authentication Methods tab.
18. Click Edit.
19. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.
20. Click OK twice, and then click Close to exit the Policy Properties.
21. Close the console without saving settings.
TASK 6D-6
Implementing and Analyzing an AH(sha) and ESP(sha+3des) IPSec Session
Note: Perform step 1 through step 2 only if you are designated as Student_Q.

1. Open your ipsec.mmc.msc console. Assign the 7_REQUIRE_AH(sha)+ESP(sha+3des) policy. When you assign this policy, the previously assigned policy is automatically unassigned.
2. Start Network Monitor, and start a capture.

Note: Perform step 3 through step 7 only if you are designated as Student_P.

3. Open your ipsec.mmc.msc console. Assign the 7_RESPOND_AH(sha)+ESP(sha+3des) policy.
4. At the command prompt, enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.
5. Log on as anonymous with no password.
6. Enter dir to see a list of files hosted on the ftp site.
7. Exit the ftp session.

Note: Perform the rest of this task only if you are designated as Student_Q.

8. In Network Monitor, stop and view the capture.
9. Observe that once ISAKMP establishes the encryption method, all data is encrypted with ESP.
10. Identify any differences with respect to the negotiation process, encryption, or integrity algorithms.
11. Answer the following questions:
    Where does the packet identify that AH is in use? In the IP Header.
    What is the Protocol ID assigned to AH? (0x33)
    Where does the AH information define the use of ESP? In the AH Next Header.
    What is the Protocol ID assigned to ESP? 50 (0x32)
12. Close Network Monitor. You can save your capture to a file if you like.
13. Unassign all IPSec policies on all machines.
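The header chain that step 11 asks you to locate by hand in Network Monitor can also be read programmatically, which makes a useful check on what the capture shows. The Python below is an added example written for this edit, not course material: it builds a constructed IPv4 packet carrying AH (IP Protocol 51, 0x33) whose Next Header field announces ESP (50, 0x32), walks the chain, and reports the SPIs, sequence numbers, and whether integrity (AH) and confidentiality (ESP) are present. It also builds a plain FTP-style packet like the first capture in the task for comparison. All addresses, SPIs, and ICV bytes are made-up sample values, not captured data.

```python
import struct

# IP Protocol field values (IANA assignments; see RFC 4302 for AH, RFC 4303 for ESP)
IPPROTO_TCP = 6
IPPROTO_ESP = 50   # 0x32
IPPROTO_AH = 51    # 0x33


def _ipv4_header(proto, total_len, src=(192, 168, 1, 20), dst=(192, 168, 1, 10)):
    # Minimal 20-byte IPv4 header with constructed sample addresses; checksum left at 0.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x0001, 0, 64,
                       proto, 0, bytes(src), bytes(dst))


def build_ah_esp_sample():
    """Constructed packet shaped like the AH(md5)+ESP(des) session: IPv4 -> AH -> ESP.

    SPIs, sequence numbers and ICV bytes are made-up sample values, not captured data.
    """
    ciphertext = b"\x00" * 32                   # stand-in for the DES-encrypted FTP data
    esp = struct.pack("!II", 0x00001234, 1)     # ESP header: SPI, sequence number
    icv = b"\xaa" * 12                          # HMAC-MD5-96 ICV placeholder (96 bits)
    # AH fixed part: next header, payload length (AH length in 32-bit words minus 2),
    # reserved, SPI, sequence number; the ICV follows.
    ah = struct.pack("!BBHII", IPPROTO_ESP, (12 + len(icv)) // 4 - 2, 0, 0x0000ABCD, 1) + icv
    total_len = 20 + len(ah) + len(esp) + len(ciphertext)
    return _ipv4_header(IPPROTO_AH, total_len) + ah + esp + ciphertext


def build_plain_sample():
    """Constructed unprotected packet, like the first capture in the task (plain TCP to port 21)."""
    tcp = struct.pack("!HHIIBBHHH", 1025, 21, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return _ipv4_header(IPPROTO_TCP, 20 + len(tcp)) + tcp


def parse_ipsec_chain(pkt):
    """Follow the header chain and report which IPSec protocols protect the packet.

    Returns the IP Protocol field, the protocol that finally follows the IPSec headers,
    and one entry per AH/ESP header with the SPI that identifies its Security Association.
    """
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]            # IP Protocol field: 51 means AH comes next
    offset = ihl
    layers = []
    # AH can be followed by anything, including another IPSec header, so loop on Next Header.
    while proto == IPPROTO_AH:
        next_hdr, payload_len, _reserved, spi, seq = struct.unpack_from("!BBHII", pkt, offset)
        ah_len = (payload_len + 2) * 4
        layers.append({"proto": "AH", "spi": spi, "seq": seq,
                       "next_header": next_hdr, "icv_bytes": ah_len - 12})
        offset += ah_len
        proto = next_hdr
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack_from("!II", pkt, offset)
        # Everything after the ESP header is ciphertext; the chain cannot be followed further.
        layers.append({"proto": "ESP", "spi": spi, "seq": seq,
                       "ciphertext_bytes": len(pkt) - offset - 8})
    return {
        "ip_protocol": pkt[9],
        "final_protocol": proto,
        "layers": layers,
        "integrity": any(layer["proto"] == "AH" for layer in layers),
        "confidentiality": any(layer["proto"] == "ESP" for layer in layers),
    }


if __name__ == "__main__":
    for name, pkt in (("plain FTP", build_plain_sample()), ("AH+ESP", build_ah_esp_sample())):
        print(name, parse_ipsec_chain(pkt))
```

The parser stops at the ESP header on purpose: past that point the bytes are ciphertext, which is exactly why the file name in the dir listing is no longer searchable in the second capture. The SPI values it prints are what distinguish one Security Association from another on the receiving host.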
Topic 6E
VPN Fundamentals
A Virtual Private Network (VPN) provides a private tunnel through a public cloud (such as the Internet). A VPN enables a group of two or more computer systems to communicate over the Internet or any other public network. VPNs can exist between an individual machine and a private network (client-to-server) or between a remote LAN (like a branch office) and a private, enterprise network (server-to-server). Secure VPNs make use of tunneling and security protocols to maintain the privacy of data transactions over the Internet.

A VPN is virtual, as opposed to a real private network. The idea is to make a private network that provides a secure tunnel for the exchange of data between two or more parties. If this were done over a real private network, the dedicated lines/bandwidth and service would make it cost prohibitive. But when this idea of a secure tunnel is implemented over a public network such as the Internet, the costs as well as the bandwidth are spread among many users, thus creating a Virtual Private Network.

LAN: (Local Area Network) A computer communication system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communication system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, front-end processors, controllers, and servers.

Some disadvantages include:
- Potentially lower bandwidth available to remote users over a VPN connection, as compared to a direct dial-in line.
- Inconsistent remote access performance due to changes in Internet connectivity. To counteract this, you can have your users choose ISPs that have higher levels of service, perhaps the same ISP from which you purchase your corporate Internet connection, to keep the majority of your traffic on the same backbone.
- No entrance into the network if the Internet connection is broken. Some administrators choose to leave a limited amount of dial-in access for emergency access.
VPN Types
Even though the number of solutions is steadily increasing, VPNs fall under three main types:
- Hardware-based VPNs, for use in gateway-to-gateway configuration.
- Firewall-based VPNs.
- Software-based VPN applications, for use in client-to-client configuration.
Most hardware-based VPN systems are encrypting routers. Dedicated hardware VPN products offer better performance, security, reliability, and scalability than software-based solutions running on conventional servers and operating systems. They offer better performance and are more scalable because they are custom-built to perform essential tasks, such as encryption and decryption, as quickly as possible, often by having dedicated chips to carry out these functions. Their security is better because they are not vulnerable to weaknesses in an underlying operating system or to hard disks that can fail or run out of space. The best hardware VPN packages offer software-only clients for remote installation, and incorporate some of the access control features more traditionally managed by firewalls or other perimeter security devices. However, they may not be as flexible as software-based VPNs.

Firewall-based VPNs take advantage of the firewall's security mechanisms, including controlling access to the internal network. They also perform Network Address Translation (NAT), satisfy requirements for strong authentication, and serve up real-time alarms along with audit logs. Most commercial firewalls also harden the host operating system kernel by stripping out unnecessary services, such as default accounts for guest users, which are a clear vulnerability for exploitation, thus providing additional security for the VPN server. Operating system protection is a major plus, since very few VPN application vendors supply guidance on operating system security. Performance may be a concern, especially if the firewall is already heavily loaded; however, some firewall vendors offer hardware-based encryption processors to minimize the impact of VPN management on the system.

Software-based VPNs are ideal in situations where both user and destination endpoints of the VPN are not controlled by the same organization, and when different firewalls and routers are implemented within the same organization. At the moment, stand-alone VPNs offer the most flexibility in how network traffic is managed. Many software-based products allow traffic to be tunneled based on IP address or protocol, unlike hardware-based products, which generally tunnel all traffic they handle regardless of protocol. Tunneling specific traffic types is advantageous in situations where remote sites may see a mix of traffic: some that needs transport over a VPN to access data and some that does not, as in simple web surfing. In situations where performance requirements are not heavy, software-based VPNs may be the best choice. A disadvantage might be that software-based systems are generally harder to manage than encrypting routers. They require familiarity with the host operating system and the application itself, and appropriate security mechanisms must be in place. Also, most software-based VPN packages require changes to routing tables and network addressing schemes.

As the VPN market evolves, the distinctions between VPN architectures are becoming less clearly defined. Some hardware vendors have added software clients to their product offerings, and extended their server capabilities to include some of the security features more traditionally offered by software- or firewall-based VPNs. A few stand-alone products have added support for hardware-based encryptors to improve their performance. For all types of VPNs, further implementation of the proposed IP Security Protocol (IPSec) is making interoperability easier with different VPN products by softening the lines of distinction between them.
VPN Elements
The critical elements of a VPN connection are described in the following table.

Name: Description
VPN server: Accepts connections from VPN clients and can also provide VPN connections between routers.
VPN client: Initiates the VPN connection that ends up at the VPN server. A VPN client can be an end-user system, such as Windows 2000 or Windows XP, or it can be a router that gets a router-to-router connection. A VPN client can be a Point-to-Point Tunneling Protocol (PPTP) client or a Layer 2 Tunneling Protocol (L2TP) client using IPSec.
Tunnel: The part of the connection where the data is encapsulated.
VPN connection: The part of the connection where the data is encrypted. The data must be both encrypted and encapsulated along the same part of the connection for the connection to be considered a secure VPN connection.
Tunneling protocols: The communication standard used to manage the tunnel and encapsulate the data. For example, Windows 2003 supports the PPTP and L2TP tunneling protocols.
Tunneled data: Data sent across the private point-to-point link.
Transit internetwork: The IP internetwork (for example, the Internet) that connects the VPN client with the VPN server.
Each of the different types of VPN configurations can be enabled by using some combination of the following technology components:
- Dedicated VPN gateways
- IPSec-enabled routers and firewalls
- VPN client software
- IPSec-enabled operating systems, such as Windows 2003
A number of security applications combine VPN and rewall functionality into a single box. This is very useful for branch offices communicating with central office gateways.
In a VPN connection, encrypted data is sent through the tunnel. Both the tunnel client and the tunnel server must use the same tunneling protocols. The major tunneling protocols for VPNs are:
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- IP Security Protocol (IPSec)

Tunneling mechanisms differ in terms of:
- What is done to the data for encryption and authentication.
- The OSI layer at which they operate.
- The headers that describe the data transmission and authentication.
OSI: (Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.
TASK 6E-1
Defining Tunneling Protocols
1. Define the three major tunneling protocols for VPNs: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and IP Security Protocol (IPSec).
Topic 6F
Tunneling Protocols
Earlier in the course, you studied the IPSec protocol intensively, by working with various IPSec policy settings and testing their validity. The policies, however, were tested only in Transport Mode. When IPSec is used to secure VPN communication, it is used in Tunnel Mode. IP Security Protocol (IPSec) is an evolving security protocol from the Internet Engineering Task Force (IETF) that provides authentication and encryption over the Internet. Normal IPv4 packets consist of headers and payload, both of which contain information of value to an attacker. The header contains source and destination IP addresses, which are required for routing, but may be spoofed or altered in what are known as man-in-the-middle attacks. The payload consists of information that may be confidential to a particular organization.
cryptography: The art or science concerning the principles, means, and methods for rendering plain text unintelligible and for converting encrypted messages into intelligible form.
The two prime functions of IPSec are to ensure data security and data integrity. Security is achieved through data encryption techniques, and integrity through a combination of techniques that authenticate the data sender. IPSec is a set of industry standards for cryptography-based protection services and protocols.

As mentioned in the previous topic, the major tunneling protocols for VPNs are PPTP, L2TP, and IPSec. Each of the three VPN protocols provides different levels of security and ease of deployment. The standardization process has made the Layer 2 Tunneling Protocol (L2TP) and IPSec the protocols of choice. PPTP is widely used for remote access connections, primarily because of its integration in the Microsoft operating systems. PPTP, L2TP, and Cisco's Layer 2 Forwarding Protocol (L2F) are all designed to work at Layer 2 of the OSI model. IPSec is the only protocol engineered to work at Layer 3 of the OSI model. IPSec is fast emerging as the protocol of choice to build the best VPN system because it supports:
- Strong security
- Encryption
- Authentication
- Key management
When dealing with VPNs in a multi-protocol non-IP network environment, PPTP or L2TP may be a better choice. Both PPTP and L2TP are strictly tunneling protocols. Since IPSec was designed for the IP protocol, it has wide industry support and is expected to eventually become the standard for VPNs on the Internet. Other tunneling protocols include:
- Secure Shell (SSH)
- Socks v5

SSH: (Secure Shell) A completely encrypted shell connection between two machines protected by a super long pass-phrase.

These offer Application layer tunnels, as well as various implementations of tunnels, such as cascaded tunnels, nested tunnels, or end-to-end tunnels. The SSH protocol is a widely used Application layer tunneling protocol that uses a public key cryptographic system to ensure security. SSH is freely available as a direct result of OpenSSH initiatives. The SSH protocol suite offers a secure replacement for Telnet, rlogin, FTP, and other programs, in addition to tunneling capabilities. Socks v5 offers an Application layer VPN by providing desktop-to-server authentication and encryption. While both SSH and Socks v5 are exceptional application (session)-tunneling protocols, they are not widely deployed in strategic enterprise VPN solutions.
Working at Layer 2 of the OSI model, PPTP encapsulates PPP packets using a modified version of Generic Routing Encapsulation (GRE), which gives PPTP the capability to handle any supported network layer protocol such as IP, IPX, and NetBEUI. While PPTP is best suited for remote access VPNs, there are some security issues related to it. These issues relate to vulnerabilities associated with the Challenge/Response Authentication Protocol (Microsoft CHAP), as well as the RC4-based encryption protocol (MPPE). Even though there have been security updates and enhancements by Microsoft, it is still recommended that Microsoft's PPTP protocol not be used in VPN systems where there is a strong need to protect sensitive data. PPTP may be an appropriate solution to deploy in smaller organizations that may only need a limited regional VPN, supporting small numbers of mobile users.
IPSec
IPSec in Tunnel Mode secures TCP/IP-based protocols using Layer 2 Tunneling Protocol (L2TP). Three main components form the building blocks of the IPSec protocol suite.

Component: Description
Authentication Header (AH): Provides authentication, integrity, and anti-replay protection for both the IP header and the data payload. It does not provide confidentiality.
Encapsulating Security Payload (ESP): Provides confidentiality and/or authentication. Data is encrypted before it is transmitted.
(component name not recoverable from the extracted text): Defines the security policy to be used in managing the secure communication between two nodes.

AH: (Authentication Header) A field that immediately follows the IP header in an IP datagram and provides authentication and integrity checking for the datagram.

ESP: (Encapsulating Security Payload) A mechanism to provide confidentiality and integrity protection to IP datagrams.
Keep in mind that you can use IPSec itself as the tunneling protocol, or you can use L2TP to create the tunnel and let IPSec provide data encryption. L2TP does not provide its own encryption service; it uses IPSec's ESP protocol to encrypt and authenticate the entire UDP datagram, thereby protecting it from compromise by unauthorized users. You can create L2TP tunnels without encryption, but this is technically not a VPN because the data is not protected.
Then, the two parties need to actually exchange the keys. These values are packaged together in a Security Association (SA) to facilitate secure communication between the two systems. Authentication and confidentiality using AH or ESP use SAs. A primary role of IPSec key exchange is to establish and maintain SAs.

SAs are logical, uniquely defined and uni-directional (one-way) connections between two communicating IP endpoints that provide security services to the traffic they carry using either AH or ESP procedures. The endpoints of the tunnel can be an IP host or an IP security gateway, which is a VPN-enabled network device. Providing security for the more typical scenario of two-way (bi-directional) communication between two endpoints requires the establishment of two SAs (one in each direction).

Two types of SAs are defined in IPSec, regardless of whether AH or ESP is used for the session. A Transport Mode SA is a security association between two hosts that provides the authentication and/or encryption service to the higher layer protocol. Only IPSec hosts support this mode of operation. A Tunnel Mode SA is a security association applied to an IP tunnel. In this mode, an outer IP header specifies the IPSec destination and an encapsulated IP header specifies the destination for the IP packet. Both hosts and security gateways support this mode of operation, and it is considered the more secure of the two.

IPSec is controlled specifically by a security policy of both sender and receiver and one or more Security Associations (SAs) negotiated between them. An SA between the sending and receiving parties provides access control based on the distribution of cryptographic keys and traffic management relative to the AH and ESP security protocols. The SA is either one one-way relationship or two one-way relationships in complementary directions. A Security Parameter Index (SPI) uniquely distinguishes each SA from other SAs.
The IPSec security policy consists of a filter list and associated actions. For a successful deployment of IPSec, a scalable, automated SA and key management scheme is necessary. Several protocols have been defined for these functions:
- The Internet Security Association and Key Management Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, modify, and delete SAs. It also provides the framework for exchanging information about authentication and key management, but it is completely separate from key exchange.
- The Oakley Key Determination Protocol (Oakley) describes a scheme by which two authenticated parties can exchange key information. Oakley uses the Diffie-Hellman key exchange algorithm.
- The Internet Key Exchange (IKE) protocol is the default automated key management protocol for IPSec, which is the result of combining both the ISAKMP and Oakley protocols.
Key exchange is closely related to the management of SAs. When you need to create an SA, you need to exchange keys, and IKE is the framework that wraps together all the required pieces and delivers them as an integrated package.
IPSec Components
The key IPSec components are described in the following table.

Component: Use
IPSec driver: Monitors, filters, and secures IP traffic.
The Internet Security Association Key Management Protocol (ISAKMP/Oakley): Key exchange and management services to oversee security negotiations between hosts.
IP Policy Agent: Looks for appropriate policies and delivers these policies to the IPSec driver and ISAKMP.
IP Security Policy and Security Association: Defines the security environment in which the two hosts must communicate.
Security Association API: Provides the programming interface that will be used between the IPSec driver, ISAKMP, and the Policy Agent.
Management Tools: Creates policies, tracks IP security statistics, and creates and logs appropriate IP security events.
The compatibility problem stems from the fact that a NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and will complain that the hash value appended to the received packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been altered while in transit.

IPSec, using ESP in Tunnel Mode, encapsulates the entire original packet (including headers) in a new IP packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using the ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet. This mode (Tunnel Mode ESP with authentication) is compatible with NAT, because integrity checks are performed over the combination of the original header plus the original payload, which is unchanged by a NAT device.

Transport Mode ESP with authentication is also compatible with NAT, but it is not often used by itself. Since the hash is computed only over the original payload, the original headers can be rewritten.
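To see why the AH integrity check fails behind a NAT device while ESP with authentication survives, the following Python (an added example, not part of the course text) computes the two integrity check values the way the passage describes: the AH ICV over the outer IP header (with the mutable fields that RFC 4302 excludes zeroed out) plus everything after it, and the ESP ICV over the ESP header and payload only. It then replays two middlebox actions against the outer header, a router's ordinary TTL decrement and a NAT source-address rewrite, and reports whether the receiver's recomputed ICV still matches. Addresses, SPIs and the key are constructed sample values; the encapsulated inner packet stands in for ciphertext, because the point is what each hash covers, not the cipher.

```python
import hashlib
import hmac
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50   # 0x32
IPPROTO_AH = 51    # 0x33
KEY = b"constructed sample key"   # stand-in for the negotiated integrity key


def _quad(addr):
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src, dst, proto, ttl=64, total_len=64):
    """Minimal constructed IPv4 header (header checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x4242, 0x4000, ttl,
                       proto, 0, _quad(src), _quad(dst))


def ah_icv(key, ip_hdr, ah_body):
    """AH ICV (HMAC-MD5-96) over the outer IP header plus everything after it.

    RFC 4302 zeroes the mutable fields (TOS, flags/fragment offset, TTL, checksum)
    before hashing; the source and destination addresses are immutable and stay in.
    The ICV field inside ah_body is already zero, as the sender computes it.
    """
    hdr = bytearray(ip_hdr)
    hdr[1] = 0                  # TOS / DSCP
    hdr[6:8] = b"\x00\x00"      # flags + fragment offset
    hdr[8] = 0                  # TTL
    hdr[10:12] = b"\x00\x00"    # header checksum
    return hmac.new(key, bytes(hdr) + ah_body, hashlib.md5).digest()[:12]


def esp_icv(key, esp_body):
    """ESP ICV (HMAC-SHA1-96) over the ESP header and encrypted payload only."""
    return hmac.new(key, esp_body, hashlib.sha1).digest()[:12]


def nat_rewrite_source(ip_hdr, new_src):
    """What a NAT gateway does to the outer header on the way out."""
    hdr = bytearray(ip_hdr)
    hdr[12:16] = _quad(new_src)
    return bytes(hdr)


def router_decrement_ttl(ip_hdr):
    """What every ordinary router does to the outer header."""
    hdr = bytearray(ip_hdr)
    hdr[8] -= 1
    return bytes(hdr)


def ah_verifies_after(transform, key=KEY):
    """Receiver recomputes the AH ICV after `transform` has touched the outer header."""
    # AH header with a zeroed ICV field, followed by a sample cleartext payload.
    body = struct.pack("!BBHII", IPPROTO_TCP, 4, 0, 0xABCD, 1) + b"\x00" * 12 + b"USER anonymous\r\n"
    hdr = ipv4_header("10.0.0.5", "203.0.113.7", IPPROTO_AH)
    icv = ah_icv(key, hdr, body)                      # computed by the sender
    return hmac.compare_digest(icv, ah_icv(key, transform(hdr), body))


def esp_verifies_after(transform, key=KEY):
    """Same check for Tunnel Mode ESP with authentication.

    The whole original packet is the (would-be encrypted) payload, and the ICV
    never covered the outer header, so changes to it are invisible to the check.
    """
    inner = ipv4_header("192.168.1.20", "192.168.1.10", IPPROTO_TCP, total_len=36) + b"USER anonymous\r\n"
    esp_body = struct.pack("!II", 0x1234, 1) + inner   # ESP header + payload (ciphertext stand-in)
    outer = ipv4_header("10.0.0.5", "203.0.113.7", IPPROTO_ESP)
    icv = esp_icv(key, esp_body)                       # computed by the sending gateway
    received_outer = transform(outer)                  # only the outer header is rewritten
    assert received_outer != outer or transform is None
    return hmac.compare_digest(icv, esp_icv(key, esp_body))


if __name__ == "__main__":
    nat = lambda h: nat_rewrite_source(h, "198.51.100.2")
    print("AH after TTL decrement:", ah_verifies_after(router_decrement_ttl))
    print("AH after NAT rewrite:  ", ah_verifies_after(nat))
    print("ESP after TTL decrement:", esp_verifies_after(router_decrement_ttl))
    print("ESP after NAT rewrite:  ", esp_verifies_after(nat))
```

The TTL case is included to show that AH is not simply hostile to every router on the path: fields that legitimately change in transit are excluded from the hash, and only the address rewrite, which AH treats as immutable, breaks verification. The flip side, as the text notes for Transport Mode ESP, is that the ESP check says nothing about whether the outer addresses were altered.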
TASK 6F-1
Assigning Tunneling Protocols
1. In the table provided here, assign the tunneling protocols IPSec, PPTP, L2TP, SSH and Socks v5 to their corresponding OSI layers.

Layer Number | Name         | Protocols
7            | Application  | SSH, Socks v5
6            | Presentation |
5            | Session      | SSH, Socks v5
4            | Transport    |
3            | Network      |
2            | Data Link    |
1            | Physical     |
Topic 6G
VPN Design and Architecture
VPN configuration is often complex. Conflicts between NAT and IPSec can cause legitimate packets to be refused or dropped. Further, strong authentication of a VPN client is critical. If the client is not strongly authenticated, the enterprise is at risk of an intruder remotely taking control of the client system and gaining an open tunnel into the enterprise network. One VPN design choice would be to require a personal firewall with built-in intrusion detection on the remote client. The personal firewall would block any inbound communication, and when intrusions are detected, it would report back to the logging server on the enterprise network. The problem with this design is guaranteeing that the personal firewall software is always present or functional on the client side. Further, how does the enterprise network force a disconnect of the tunnel session? How does it deactivate the user's account?

Designing an IPSec-based VPN solution involves addressing the following objectives:
- Designing an IPSec encryption scheme.
- Designing an IPSec management strategy.
- Designing negotiation policies.
- Designing security policies.
- Designing IP filters.
- Defining security levels.

security level: The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.
Specific challenges that an organization may experience in the process of deploying a VPN include:
- Addressing and routing.
- Administration.

Common addressing methods for VPNs include DHCP and NAT address pools. The problem is that NAT and IPSec have had compatibility problems. Some vendors, such as Cisco, are solving the problem by licensing an IPSec-over-UDP client that allows IPSec connections through NAT. The IETF is working to introduce new standards for IPSec and NAT to work together better. According to RFC 2026, established SAs would no longer be bound to IP addresses. Instead, SAs would be controlled via Host Identity Tags (HIT) and Scope Identity fields. Therefore, a VPN client system could conceivably change its IP address using Mobile IP, DHCP, PPP, or even IPv6, and still maintain the same SA with its communication partner. Also, a draft protocol called the Host Identity Protocol (HIP) would be integrated into existing IKE code, allowing IKE to work across NAT devices as well. The IETF is also working on long-term solutions to make NAT and IPSec work together better. Until new standards are established, the most popular way to overcome problems with IPSec Tunnel Mode with NAT is to use ESP Transport Mode. This allows the VPN to traverse a NAT device, such as a gateway. However, client authentication cannot be guaranteed because IP headers are not verified upon receipt. The inability to authenticate communication partners in a VPN tunnel compromises the purpose of IPSec.

The challenge for administration is to make sure that remote VPN clients have installed and configured their VPN software correctly. Also, they need to have security mechanisms in place to make sure that the client host is secure against attacks that might use the VPN connection to access the corporate network. Other VPN challenges include:
- Authentication and key management
- Fault tolerance
- Performance
- Reliable transport
- VPN architecture
TASK 6G-1
Examining VPN-related RFCs
1. Navigate to C:\Tools\Lesson6\RFCs, then open rfc-index.wri.
2. Perform a search using the keyword VPN. You should see RFC 2547 highlighted. RFC 2547 describes a method by which an Internet Service Provider may provide VPNs for its customers.
3. Identify the method used, and then close the file.
4. In C:\Tools\Lesson6\RFCs, scroll down to rfc2547.txt and open it.
5. Scroll down to the third paragraph in section 1.1, and read the definitions for intranet and extranet. Note whether these match your understanding of the terms.
6. Close all open windows.
Topic 6H
VPN Security
A VPN is not necessarily secure. In many deployments the tunnel is protected by nothing more than a weak password. Sending information over the Internet is not secure in itself, and that has the corporate world concerned even with the advent of VPNs: in practical terms, information passing over a VPN will be routed across several networks that are not under the control of the sender. An important part of any VPN is therefore the encryption that protects the data payload from unauthorized users.

Most of the VPN solutions delivered today use Triple-DES (3DES) encryption, but an older, weaker cipher, single DES, is still widely found. Single DES has a 56-bit key and was publicly brute-forced in 1998; it should not be used to protect anything of value. Triple-DES has no practical key-recovery attack, but two caveats apply: its 64-bit block size limits how much data a single key should protect, and newer products offer AES, which should be preferred where available. No cipher is "unbreakable", and a VPN is no safer than the weakest of its cipher, key length, authentication method, and endpoints.

Virtually all of the common encryption technologies can be used in a VPN, and most VPN equipment vendors give the user a choice. IT managers can often select anything from the 40-bit encryption built into Microsoft Windows 95 (an export-grade setting that is trivially brute-forced) to more robust technologies like Triple-DES and AES. VPN vendors also support a range of authentication techniques and products, including Kerberos, tokens, and software- and hardware-based dynamic (one-time) passwords.

The primary purpose of a VPN is to secure data in transmission. Four critical functions must be in place to ensure this:
- Data encryption, which ensures that no one who intercepts data as it travels through the Internet can read it.
- Data integrity, which checks each packet received from the Internet to make sure that it has not been modified in transit.
- User authentication, which ensures that only authorized people can gain access to corporate resources through the VPN. There are many methods by which users can authenticate themselves, from basic user name and password authentication to much more secure methods such as digital certificates, smart cards, RSA SecurID tokens, and biometrics.
- Access control, which restricts what an authenticated user can reach on the network.

A VPN must secure the data against eavesdropping and tampering by unauthorized parties. Depending on the VPN solution being implemented, there are a few ways to control the type of traffic sent over a VPN session. Many VPN devices allow you to define a user- or group-based filter, which controls which IP addresses and protocol/port services are allowed through the tunnel. In addition, IPSec-based VPNs let you define the list of networks whose traffic is passed through the tunnel (the traffic selectors bound to each Security Association). The first mechanism lets the administrator limit access to specific networks, machines, and applications; the second usually provides full connectivity to the listed private networks. Requiring strong authentication for VPN access also prevents an intruder from successfully authenticating to your network, even if they somehow captured or reconfigured a VPN session.
The use of encryption adds some overhead to a session. Most VPN devices, whether hardware- or software-based, can process encryption for connections up to 10Base-T speeds. On a lower-speed connection like a modem, VPN processing is far faster than the delays introduced by the limited bandwidth. Often, performance is affected more by packet loss and latency on poor Internet connections than by the encryption overhead.

A VPN client typically establishes a connection with a VPN server using either L2TP over IPSec or PPTP. Keep in mind the following information related to PPTP, as it may be required for defining packet filters for VPN traffic on firewall systems (permit each item in both directions):
- TCP port 1723 carries PPTP tunnel maintenance (control) traffic between the PPTP client and the PPTP server.
- IP protocol type 47 (GRE) carries the PPTP tunneled data between the PPTP client and the PPTP server. GRE has no port numbers, so a filter or NAT device that only understands TCP/UDP ports cannot pass it.
The following information may be required for defining packet filters for L2TP over IPSec VPN traffic on firewall systems:
- UDP port 500 carries Internet Key Exchange (IKE) traffic to the VPN server.
- UDP port 4500 carries IKE and UDP-encapsulated ESP when either endpoint sits behind a NAT device (IPSec NAT Traversal, which Windows Server 2003 supports).
- UDP port 1701 carries L2TP traffic from the VPN client to the VPN server.
- IP protocol ID 50 carries IPSec ESP traffic between the VPN server and the VPN client.

At the firewall, typically all L2TP traffic, including tunnel maintenance and tunneled data, is encrypted as an IPSec ESP payload. A perimeter filter therefore only needs to pass IKE (UDP 500, plus UDP 4500 for NAT-T) and ESP; the UDP 1701 filter belongs on the VPN server itself, where it applies after decapsulation, and passing clear-text UDP 1701 through the firewall is only necessary if you deliberately run L2TP without IPSec. Figure 6-11 depicts ports and protocols associated with tunneling protocols.
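The filter rules above, as an added example that is not part of the course text: a small Python default-deny policy evaluator that encodes the PPTP and L2TP/IPSec rules (plus UDP 4500 for NAT-T) and runs them over constructed sample packets. The VPN server and client addresses are assumed documentation addresses, and the decision to drop clear-text UDP 1701 at the perimeter is the stricter option discussed above, not something the course itself mandates.

```python
"""Default-deny perimeter filter for PPTP and L2TP/IPSec VPN traffic.

Added example, not from the course text. Packets and addresses are
constructed; VPN_SERVER is an assumed documentation address.
"""
from dataclasses import dataclass
from typing import List, Optional

# IANA IP protocol numbers
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50

VPN_SERVER = "203.0.113.10"  # assumed address of the VPN server's external NIC


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # GRE and ESP carry no port numbers
    dport: Optional[int] = None


# Services the perimeter must pass for each tunnelling protocol.
# UDP 1701 is deliberately absent: with L2TP/IPSec it travels inside ESP,
# so clear-text L2TP arriving at the perimeter is treated as unexpected.
POLICY = {
    "pptp": [(PROTO_TCP, 1723), (PROTO_GRE, None)],
    "l2tp_ipsec": [(PROTO_UDP, 500), (PROTO_UDP, 4500), (PROTO_ESP, None)],
}


def _matches(pkt: Packet, proto: int, port: Optional[int]) -> bool:
    """True when the IP protocol matches and, for TCP/UDP rules, the named
    port is on the VPN server's side of the conversation (either direction)."""
    if pkt.proto != proto:
        return False
    if port is None:  # port-less protocol such as GRE or ESP
        return True
    return (pkt.dst == VPN_SERVER and pkt.dport == port) or (
        pkt.src == VPN_SERVER and pkt.sport == port
    )


def verdict(pkt: Packet, mode: str) -> str:
    """Return 'permit' only if the packet involves the VPN server and is one
    of the services the chosen VPN type needs; everything else is denied."""
    if VPN_SERVER not in (pkt.src, pkt.dst):
        return "deny"
    allowed = any(_matches(pkt, p, port) for p, port in POLICY[mode])
    return "permit" if allowed else "deny"


def filter_batch(packets: List[Packet], mode: str) -> List[str]:
    return [verdict(p, mode) for p in packets]


CLIENT = "198.51.100.7"  # constructed remote client address
SAMPLE = [
    Packet(CLIENT, VPN_SERVER, PROTO_TCP, 40001, 1723),  # PPTP control channel
    Packet(CLIENT, VPN_SERVER, PROTO_GRE),               # PPTP tunnelled data (GRE)
    Packet(CLIENT, VPN_SERVER, PROTO_UDP, 500, 500),     # IKE
    Packet(CLIENT, VPN_SERVER, PROTO_UDP, 4500, 4500),   # IKE / ESP over NAT-T
    Packet(VPN_SERVER, CLIENT, PROTO_ESP),               # ESP reply to client
    Packet(CLIENT, VPN_SERVER, PROTO_UDP, 1701, 1701),   # clear-text L2TP
    Packet(CLIENT, VPN_SERVER, PROTO_TCP, 40002, 445),   # SMB probe at the server
]

if __name__ == "__main__":
    for mode in POLICY:
        print(mode, filter_batch(SAMPLE, mode))
```

Running the block prints one verdict list per VPN type. Note that the same SMB probe is denied under both policies even though it targets the VPN server: the filter permits only the tunnel protocols, never the server's other services.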
VPN Authentication
In general, user authentication is based on the following principle: an entity has authenticating knowledge (what you know), possesses an authenticating device (what you have), or exhibits a required physiological characteristic (what you are). Strong authentication requires that at least two of the three factors be demonstrated. VPN authentication protocols, which operate at the Data Link layer as part of PPP, include:
- Password Authentication Protocol (PAP). PAP is a weak method of authentication because it sends the password in cleartext.
- Challenge Handshake Authentication Protocol (CHAP). CHAP does not transmit the actual password and is a stronger authentication protocol than PAP. With CHAP, the network access server sends a random challenge and the remote client replies with a Message Digest 5 (MD5) hash computed over the challenge and its password; the server recomputes the hash from its own copy of the password and compares. Because the server must hold the password in recoverable form, its credential store needs protecting accordingly. Microsoft's MS-CHAP v2, used later in this lesson, is a CHAP variant that adds mutual authentication.
- Shiva Password Authentication Protocol (SPAP). SPAP is used in mixed environments that support the Shiva Local Area Network Rover software.
- Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). EAP-TLS is an IETF standard (RFC 2716), implemented by Microsoft, that uses public key certificates on both sides for strong mutual authentication.
The IPSec authentication scheme for both AH and ESP uses a Hash-based Message Authentication Code (HMAC), which relies on a secret key shared between the two parties rather than on public key methods. The generic HMAC construction can be used with almost any hash algorithm; IPSec mandates support for HMAC-MD5 and HMAC-SHA-1 because of their widespread use, and truncates their output to a 96-bit Integrity Check Value. Both parties share the secret key and mix it into the hash over each packet, so a receiver that recomputes the same value knows the packet came unmodified from a holder of the key, while the key itself never appears on the wire. IPSec key management (IKE) establishes and refreshes these keys for each Security Association (SA).
Key Length
Data is transmitted securely in a VPN by using industry-standard IPSec tunneling, encryption with DES or 3DES, and MD5 or SHA-1 (in HMAC form) for message authentication. IPSec creates private end-to-end pipes, or tunnels, through the IP network, connecting the designated VPN sites to each other. Unauthorized access to the information is prevented by the encryption and authentication services applied to each packet.

Encryption systems depend on two mechanisms to guarantee data confidentiality. The encryption algorithm provides the mathematical rules that convert the plaintext message into ciphertext that should be indistinguishable from random data. The algorithm is driven by an encryption key, a block of bits that supplies the secret element; the same algorithm with a different key produces entirely different ciphertext. The longer the secret key, the more time an attacker needs to test all possible key values and recover the plaintext: each additional bit doubles the work. Therefore, data that will be of value to an attacker for a long time should be encrypted with longer keys, and with a cipher whose effective strength matches its nominal key length (single DES offers 56 bits; two-key 3DES about 112; three-key 3DES is nominally 168 bits, though meet-in-the-middle attacks reduce its effective strength to about 112).
TASK 6H-1
Viewing Firewall-related RFCs
1. Navigate to C:\Tools\Lesson6\RFCs and open rfc-index.wri.
2. Perform a search using the keyword firewall. If you keep clicking Find Next, you will see many hits. Stop when you see RFC 2979 highlighted. RFC 2979 describes the behavior of and requirements for Internet firewalls.
3. Close the file.
4. Navigate to C:\Tools\Lesson6\RFCs and open rfc2979.txt in Notepad.
5. Scroll down to the second paragraph in section 3.1.1, and read the transparency rule for firewalls.
6. Close all open windows.
Topic 6I
Configuring a VPN
Built into Windows 2003's Routing And Remote Access Service (RRAS) is a single, integrated service that terminates connections from either dial-up or Virtual Private Network (VPN) clients. With RRAS, your Windows 2003 Server can function as a remote access server, a VPN server, a gateway, or a branch-office router. By implementing a VPN, you can give users ready access to the network through the Internet, thereby greatly reducing direct dial-up costs. Windows 2003 VPNs can be created using either PPTP or L2TP. In this topic, you will build a VPN, and the tasks will require three computers. One computer will be configured as the internal resource, a simple FTP site. The second computer will be the VPN Server, and this machine will require two network cards: one card will be the connection to the private network, and the other will be the connection to the remote client. The third computer will function as the network client, the one making the access via the VPN. The computers will be called: VPN Server, Internal Server, and VPN Client.
TASK 6I-1
Configuring the VPN Server
Note: Complete this task only if you are designated as the VPN Server.
Note: The VPN Server in these tasks requires a second network card. This can be an integrated or non-integrated network card. Upon completion of the VPN tasks, this second network card can be either removed or disabled for the remainder of the class.
1. Enable the second network card on the server.
2. Assign the second network card the following IP address information: IP 10.0.10.x (replace x with your seat number); SM 255.255.255.0; DG can be left blank.
3. Open a command prompt and verify your NIC and IP address configuration by entering the command ipconfig /all.
4. Verify that you have one NIC with an address of 172.16.x.x or 172.18.x.x, based on your location in the classroom. Your second NIC has an address of 10.0.10.x, based on your location in the classroom. Write down your 172.16.x.x address as your Internal NIC and your 10.0.10.x address as your External NIC.
5. Choose Start > Administrative Tools > Configure Your Server Wizard.
6. At the Welcome screen, click Next.
7. Verify you have met the requirements at the Preliminary Steps screen, and click Next. The system will now detect your network settings and configuration.
8. Select the Custom Configuration radio button, and click Next.
9. Select the Remote Access / VPN Server, and click Next.
10. In the Summary Of Selections, verify that you are going to run the Routing and Remote Access Server to set up routing and VPN, then click Next. The RRAS Wizard will open at this time.
11. At the RRAS Setup Wizard, click Next.
355
12. Select the Virtual Private Network (VPN) Access and NAT radio button, and click Next.
13. Select your VPN Network adapter. In this task, this is the NIC that you have assigned the 10.0.10.x IP address to.
14. Leave the Basic Firewall check box checked, and click Next.
15. Select your internal network for the clients to connect to, and click Next.
16. In the IP Address Assignment screen, select the From A Specified Range Of Addresses radio button and click Next.
17. In the Address Range Assignment screen, click the New button.
18. Enter a small range, based on your seating in the classroom, click OK, verify your addresses are correct, and click Next. These are the IP addresses of the internal network.
19. At the Network Selection window, select the network that has access to the Internet, and click Next. This is usually the same network as your internal resource network.
20. At the Name & Address Translation Services window, leave the default of basic name and address services, and click Next. If your system does not show this window, continue to the next step.
21. Review the Address Assignment Range, and click Next. If your system does not show this window, continue to the next step.
22. For this lesson, you will authenticate locally, so leave the No, Use RRAS To Authenticate Connection Requests radio button selected, and click Next.
23. Review your settings, and click Finish. (If you get a prompt to configure relaying of DHCP messages, click OK.)
24. The Remote Access / VPN Server will now start. Click Finish.
VPN Clients
Generally, the configuration on the client side of the VPN is minimal. The client needs to know how to make the connection, and needs proper credentials to authenticate and use the VPN. Keep in mind that a Windows client with no machine certificate or preshared key cannot complete L2TP/IPSec and will connect with PPTP, where MPPE derives its session keys from the MS-CHAPv2 exchange; the tunnel is then no stronger than the user's password, so the weak test password used below must never be carried into production. In the following task, you will prepare the VPN Server to accept VPN clients.
TASK 6I-2
Configuring VPN Clients
Setup: Complete this task if you are designated as the VPN Server.
1. Choose Start > Administrative Tools > Computer Management.
2. Expand Local Users And Groups (under System Tools).
3. Right-click Users and choose New User.
4. In the User Name text box, type VPN1, then enter and confirm a password of QWERTY1. Uncheck the box to change password at next logon, and click Create.
5. Click Close. One client account is enough for testing purposes.
6. Double-click the new VPN1 user account, and click the Dial-in tab.
Lesson 6: Implementing IPSec and VPNs 359
7.
8. Close the Computer Management window.
9. Choose Start > Administrative Tools > Routing And Remote Access.
10. Expand your server_name and click Remote Access Policies.
11. Right-click Remote Access Policies, and choose New Remote Access Policy.
12. In the New Remote Access Policy Wizard, click Next.
13. Leave the Use The Wizard To Set Up A Typical Policy For A Common Scenario radio button selected.
14. In the Policy Name text box, type VPN_Policy_1 and click Next.
15. In the Access Method window, select the VPN radio button and click Next.
16. In the User Or Group Access window, select the User radio button and click Next.
17. For the Authentication Method, ensure that only MS-CHAPv2 is checked, and click Next.
18. For the Policy Encryption Level, only check the box for Strongest Encryption (MPPE 128-bit) and click Next.
19. Review the settings for this policy, and click Finish.
TASK 6I-3
Establish the VPN
The Instructor machine requires a resource for the VPN client to connect into. Enable the FTP Service on your machine, and use that for your students. If your class has enough time, run a packet capture on each machine to perform a packet analysis of the connection and ftp site access.
Note: Perform step 1 through step 15 on the VPN Client.
1. Open the TCP/IP Properties of your network card. Edit the IP Address to be a node on the 10.0.10.X/24 network. You can replace the X with your seat number.
2. Close the properties of your network card.
3. Open a command prompt.
4. Enter ipconfig to verify your IP address configuration.
5. Choose Start > Control Panel > Network Connections > New Connection Wizard.
6. In the New Connection Wizard, click Next.
7. Select the Connect To The Network At My Workplace radio button and click Next.
8. Select the Virtual Private Network Connection radio button and click Next.
9. In the Company Name text box, type SCP VPN and click Next.
10. Enter the IP Address that is assigned to the External NIC of the VPN Server, and then click Next. Note: The external IP address is the one in the 10.0.10.x range.
11. Select the My Use Only radio button and click Next.
12. To complete the creation of the new connection, click Finish.
13. In the screen to connect to the SCP VPN, in the User Name field, type VPN1; in the Password field, type QWERTY1; and then click Connect.
15. Note that you have been assigned an IP address from the VPN Server, and that the IP address is part of the Internal network.
Note: Perform step 16 through step 19 on the VPN Server.
16. Choose Start > Administrative Tools > Routing And Remote Access.
17. Expand your server name.
18. Click Remote Access Clients.
19. In the right pane, double-click the connection to see the IP address that was assigned, and other statistics.
Note: Perform step 20 through step 24 on the VPN Client.
20. In the command prompt, enter ftp 172.17.10.1 (if your instructor changed the IP address of the Internal Server, use the address as provided).
21. Enter anonymous as the username with no password.
22. Once connected, enter dir to list the contents of the FTP site.
23. When done browsing the FTP site, enter bye to end the session.
24. Close all windows.
TASK 6I-4
Restoring the Classroom Setup
1. On the VPN Server, choose Start > Administrative Tools > Configure Your Server Wizard.
2. In the Welcome screen, click Next.
3. In the Preliminary Steps screen, click Next.
4. Click Remote Access / VPN Server, and click Next.
5. Check the Remove The Remote Access/VPN Server Role check box and click Next.
6. At the prompt that you are disabling the router, click Yes.
7. When the VPN Server role has been removed, click Finish.
8. Disable the External NIC on the VPN Server.
9. Open a command prompt, and ensure that you are only running the Internal NIC with the 172.x.x.x address by entering ipconfig.
Perform step 10 through step 14 on the VPN Client.
10. On the VPN Client, choose Start > Connect To > Show All Connections.
11. Right-click the SCP VPN connection, and choose Delete.
12. In the confirmation prompt, click Yes.
13. Open the properties of your NIC and return the IP address to your original configuration (the 172.x.x.x address), then click OK.
14. Close all windows.
Summary
In this lesson, you worked with a Microsoft Management Console (MMC). You configured an MMC and viewed the default or built-in IPSec policies. You then created custom IPSec policies, and implemented and tested them. You also took a first look at implementing filter lists and experimented with two authentication methods: preshared keys and certificates.
Lesson Review
6A
What are the two protocols in IPSec that are used to protect network traffic?
The Encapsulating Security Payload (ESP) and the Authentication Header (AH).

What are the two main modes of implementation for IPSec?
Transport Mode and Tunnel Mode.

If you are going to set up a VPN with IPSec, what mode will you probably use?
Tunnel Mode.

What encryption algorithms are supported in Windows 2003 IPSec?
DES and 3DES.

6F
What are the differences between the tunneling protocols PPTP and L2TP?
PPTP uses separate channels: a control stream that runs over TCP, and a data stream that runs over GRE. L2TP uses UDP. PPTP is generally associated with Microsoft, and Microsoft uses MPPE for encryption. L2TP relies on IPSec for encryption.

What are the differences between IPSec Tunnel and Transport Modes?
In IPSec Tunnel Mode, one packet is encapsulated, or tunneled, in another; IPSec Transport Mode secures the packet exchange end-to-end, source to destination. IPSec Tunnel Mode is used primarily for link-to-link packet exchanges between intermediary devices like routers and gateways. Transport Mode provides the security service between the two communicating endpoints.

What is a Security Association (SA)?
A Security Association (for example, the ISAKMP SA negotiated in IKE phase 1) determines which algorithms will be used for the session, how the key exchange will take place, and how often keys will need to change.

What are the two types of SAs?
Transport Mode SA and Tunnel Mode SA.
How does IKE relate to ISAKMP and Oakley?
ISAKMP defines procedures and packet formats to establish, negotiate, modify, and delete SAs. It also provides the framework for exchanging information about authentication and key management, but it is completely separate from any particular key exchange. Oakley describes a scheme by which two authenticated parties can exchange key information; Oakley uses the Diffie-Hellman key exchange algorithm. IKE is the result of combining the ISAKMP framework with the Oakley key exchange.
6H
What is PAP? What is CHAP? Briefly describe the differences between them.
PAP and CHAP are both PPP authentication protocols. PAP sends the password in cleartext, while CHAP never sends the password: the client answers a random challenge with an MD5 hash of the challenge and the password.

Describe the security issues related to having a VPN server in front of the firewall (exposed to the Internet connection) or having a VPN server (in the DMZ) behind the firewall.
By placing a VPN device in front of your firewall, you will be terminating secure traffic in a public zone. You will need to assign addresses to users from a certain block of IP addresses and open a large hole in the firewall for access from these IP addresses. A potential advantage of doing this is that you can then use your existing firewall to control the destination of traffic, but most VPN boxes will also allow you to do this. By placing a VPN device behind an existing firewall, you will need to change the configuration of your firewall. You will also need a firewall smart enough to be configured with a filter that passes the VPN traffic. Depending on how your network is set up, this may also allow you to make use of only one of the two or more Ethernet ports on your VPN device.

If a VPN server is using PPTP, which ports would you need to provide access through a firewall system?
TCP port 1723 allows PPTP tunnel maintenance traffic to move from the PPTP client to the PPTP server. IP protocol type 47 (GRE) allows the PPTP tunneled data to move from the PPTP client to the PPTP server.
Which ports are associated with L2TP and a VPN?
UDP port 500 allows the Internet Key Exchange (IKE) traffic to access the VPN server. UDP port 1701 allows L2TP traffic to move from the VPN client to the VPN server. IP protocol ID 50 allows IPSec ESP traffic to move between the VPN server and the VPN client.

What are security vulnerabilities of a VPN? What technologies can be used with a VPN to make it more secure?
Key management is a critical security vulnerability of a VPN. PKI technologies can be used with a VPN to make it more secure.
LESSON 7
Data Files: none. Lesson Time: 2 hours.
Objectives
To design an Intrusion Detection System, you will:
7A Examine the goals of Intrusion Detection Systems. Given the components of Intrusion Detection Systems, you will describe how the components interact to accomplish the goals of intrusion detection.
7B Describe the technologies and techniques of intrusion detection. Given a scenario of users in a network, you will examine the process of intrusion detection and how behavioral use is implemented in the IDS.
7C Describe host-based IDSs. Given a network of connected hosts, you will describe how host-based IDSs identify an intrusion.
7D Describe network-based IDSs. Given a network of connected hosts, you will describe how network-based intrusion detection systems identify an intrusion.
7E Examine the principles of intrusion detection data analysis. Given an example signature of an incident, you will examine the concepts and methods of data analysis.
7F Describe the methods of using an IDS. Given network scenarios, you will identify multiple uses of IDS for detection of, monitoring of, and anticipation of attacks.
7G Define what an IDS cannot do. Given a network situation, you will identify the functions an IDS cannot complete.
Topic 7A
The Goals of an Intrusion Detection System
As the months and years go by, security professionals have an increasingly difficult task of keeping the network secure. What makes this job so difficult? Is it the fact that there are more threats than ever? Perhaps, but there is more to it than that. Is it the fact that there are more people on the Internet year after year? It contributes, but there is more to it than that, too. As you build complex interconnected networks, where partners from the outside require access to the inside, where employees telecommute, and where you have internal connections to external suppliers, the problem grows. It is the very nature of the industry to become ever more connected, and this connection comes with a price: the extreme difficulty of securing the network. For networks to continue to grow and be functional, a certain degree of trust must be built into the systems. On top of that trust, however, there must be verification. The method most often employed by organizations today is a solid Intrusion Detection System (IDS). The three general components of network security from a need perspective are shown in Figure 7-1.
Figure 7-1: Components of network security.
Most security analysts and professionals are at least familiar with these concepts. Over the last 30 years or so, most organizations focused the vast majority of their time, energy, and budget on prevention. The logic seemed obvious: if it were possible to stop the majority of threats from getting in, then the network could be reasonably secured. Then came the networks of today. These complex, interconnected networks do not have a clear-cut boundary where the goal is simply to keep the bad people out and the good people in. Reliance on the perimeter defense of a firewall alone is no longer adequate. Perhaps even more of an issue is that most organizations do not have systems in place to detect the very attacks that lead to financial loss. This again shows that the firewall defense is not enough: the ability to detect intrusions that get past the defenses is critical to the overall security of the network.
A common analogy for this problem is the castle, or fortress, structure of centuries ago. As discussed earlier, the fortress would have a large, thick stone wall surrounding the main structure. There would perhaps be a large moat outside the wall, with only a large drawbridge as an entrance. This presented a solid defense, and there are many recorded instances of a small group of soldiers holding off many times their number of attackers. The question then arises: if the defense was so strong, why did the fortress model fade away? The attackers got smarter. They realized that attacking the front door was effective at times, but the losses to gain entry could be enormous. The attackers also realized that the soldiers inside the fortress seemed to be getting new supplies, but no one was seen going through the front door. This indicated a hidden door elsewhere, as was often the case. This hidden back door would be the key to the attackers capturing the fortress. What is the solution to the back door? Many in the fortress assumed the back door was secure, and with all the fighting at the front, there were few resources left to guard the hidden entrance. The swarming attackers, once inside, would seize the fortress from the inside out, quickly overwhelming the one soldier left to guard this door. Had solid intrusion detection been in place, odds are that the fortress would not have fallen so quickly.

Although this is a fun analogy (except for the soldiers!), it is quite apt. Today's modern networks are well guarded with firewalls. But there needs to be a way to know if someone is trying to get through a side door or a hole in the firewall, or if people on the inside of the firewall need monitoring. Adding layers may help with the defense, but as layers are added, the function of the network often suffers. It becomes tedious to allow a single connection through from a remote supplier when there are five layers to navigate. This is where intrusion detection comes in. By itself, intrusion detection will not prevent access to resources. However, it is a method for identifying criminal activity, assisting in gathering evidence, and, perhaps most importantly, indicating attacks in progress. Intrusion detection is the process of detecting and responding to computer and/or network misuse. Throughout this lesson, you will be introduced to the different options for detection and the ways to define misuse. Some of the questions you will need to answer are:
- What constitutes an intrusion?
- What is our definition of detection?
- What is our definition of misuse?
- How will we define a false-positive?
- How will we define a false-negative?
Definitions
- Unauthorized access to, and/or activity in, an information system.
- Improper use of resources inside the organization, regardless of intention.
- The process of detecting unauthorized access or attempted unauthorized access to resources.
- The process of detecting unauthorized activity that matches known patterns of misuse.
- The process of detecting any variations from acceptable network use and activity, based on known patterns of use.
- The process of examining systems to locate problems or areas that could indicate security vulnerabilities.
- A feature or error found in system software or system configurations that provides a method of entry for an attacker, or provides an opportunity for misuse.
Some of the groups that you might want to research for further definitions and standards on IDS are: the Recent Advances in Intrusion Detection (RAID) group, the Intrusion Detection Sub-Group (IDSG) of the President's National Security Telecommunications Advisory Committee (NSTAC), and the Intrusion Detection Systems Consortium (IDSC).
Figure 7-2: The classic true-false matrix of IDS.
Think of a police officer who has just pulled over a car. The officer walks over and asks the driver for his license and registration. The driver starts to reach into his jacket. To a trained officer, this is a signature action representative of someone reaching for a handgun. According to the training the officer has received, an alarm should go off in his head. He should yell at the driver to freeze, and then very firmly order the driver to step out and search him for a handgun. Now, in the above scenario, if the officer does discover a handgun, it is representative of a true-positive. If there is no handgun, it is representative of a false-positive. Let's change the scenario a bit. If the officer is not trained well, the action of the driver reaching into his jacket will not be seen as a signature action of someone reaching for a handgun. According to the training the officer has received, no alarms go off in his head. He doesn't yell at the driver to freeze. You might say here that the officer has been inadequately programmed. In this changed scenario, the officer does not see the action of the driver reaching into his jacket as a threat, and if the driver simply pulls out his license and registration from his jacket, it is representative of a true-negative. However, if the driver does pull out a handgun, it is a false-negative! As much as most of us would want to live in a world of true-negatives, that is unfortunately not the case. There are large numbers of true-positives (still OK) and many false-positives that you have to put up with. Then there is the complacent but dangerous world of false-negatives. To summarize: the first word describes whether the IDS's verdict matched reality, and the second describes whether an alarm fired. If the configuration of signatures is right for the environment the IDS is in, so that its verdict matches what actually happened, the state is TRUE. If the configuration is wrong for the environment, so that the verdict does not match, the state is FALSE. If an alarm goes off, the event is POSITIVE. If no alarm goes off, the event is NEGATIVE.
Given the previous analogy with respect to an IDS, you can dene the states in the following table.
State: Description
True-positive: An alarm indicates an intrusion, and there is an actual intrusion.
False-positive: An alarm indicates an intrusion when there is no actual intrusion.
True-negative: No alarm occurs, and there is no actual intrusion.
False-negative: No alarm occurs although an actual intrusion is carried out.
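The four states above as they show up in practice, as an added example that is not part of the course text: a Python script runs a small signature matcher over constructed web-server log lines, each labelled with an analyst's ground truth, counts the true/false positives and negatives, and turns them into the detection rate, false-positive rate, and precision an analyst tunes against. The signatures and log lines are invented for illustration; one benign line deliberately trips a signature (false-positive) and one URL-encoded attack deliberately slips past (false-negative).

```python
"""Score a signature-based detector against labelled events.

Added example, not from the course text. The signatures and the log lines
below are constructed for illustration; the ground-truth flags stand in
for an analyst's after-the-fact judgement.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Tuple

# Signatures an analyst might load (constructed). Note the SQL-injection
# pattern accepts '+' as a space, but no pattern decodes %20, which is the
# evasion the last attack line exploits.
SIGNATURES = {
    "sqli_probe": re.compile(r"(?i)(union[\s+]+select|'\s*or\s+1=1)"),
    "traversal": re.compile(r"\.\./\.\./"),
    "cmd_exec": re.compile(r"(?i)/bin/(sh|bash)"),
}


def detect(line: str) -> bool:
    """Signature matching: the IDS raises an alarm if any pattern matches."""
    return any(sig.search(line) for sig in SIGNATURES.values())


def classify(alarm: bool, intrusion: bool) -> str:
    """Map (alarm fired?, real intrusion?) onto the course's four states."""
    if alarm and intrusion:
        return "true-positive"
    if alarm and not intrusion:
        return "false-positive"
    if not alarm and intrusion:
        return "false-negative"
    return "true-negative"


def score(events: Iterable[Tuple[str, bool]]) -> Dict[str, object]:
    """events: (log_line, is_intrusion) pairs. Returns counts and rates."""
    counts = Counter(classify(detect(line), truth) for line, truth in events)
    tp, fp = counts["true-positive"], counts["false-positive"]
    tn, fn = counts["true-negative"], counts["false-negative"]
    return {
        "counts": dict(counts),
        # share of real intrusions the IDS caught (sensitivity)
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        # share of benign events that raised an alarm (analyst noise)
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        # share of alarms that were worth an analyst's time
        "precision": tp / (tp + fp) if tp + fp else 0.0,
    }


# Constructed web-server log lines with analyst-assigned ground truth.
EVENTS = [
    ("GET /index.html HTTP/1.1 200", False),
    ("GET /search?q=union+select+user,pass HTTP/1.1 200", True),
    ("GET /../../etc/passwd HTTP/1.1 404", True),
    ("GET /docs/sql/union+select+examples.html HTTP/1.1 200", False),  # benign page, trips signature
    ("GET /cgi-bin/x?cmd=/bin/sh HTTP/1.1 500", True),
    ("POST /login user=admin'%20or%201=1-- HTTP/1.1 302", True),       # URL-encoded, slips past
    ("GET /images/logo.png HTTP/1.1 200", False),
]

if __name__ == "__main__":
    for key, value in score(EVENTS).items():
        print(key, value)
```

Over these seven events the matcher scores three true-positives, one false-positive, two true-negatives and one false-negative: a 75 percent detection rate with a one-in-three false-positive rate. Tightening the union/select pattern would remove the false-positive but not the false-negative; the latter needs URL decoding before matching, which is the kind of normalization step later topics in this lesson address.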
IDS Components
An IDS in a network of today is a group of processes working together, and, in virtually every case, these processes are on different computers and devices across the network. The very nature of an IDS has grown beyond its rather simple name. Today's IDS is much more than a detector of intrusion. Most IDSs will have the ability to do one or more of the following:
- Recognition of patterns associated with known attacks.
- Statistical analysis of abnormal traffic patterns.
- Assessment and integrity checking of defined files.
- Monitoring and analysis of user and system activity.
- Network traffic analysis.
- Event log analysis.
Although the systems vary from vendor to vendor, these features of IDSs have similar requirements for implementation. These components are generic, meaning that most IDS applications will have these in one form or another.
These ports are known as Switched Port ANalyzer (SPAN) ports. SPAN ports can be configured by the security professional to mirror all switch transmissions so that the single port can be used by the IDS to monitor designated traffic.
Alert Notification
Alert notification is the portion of the system that is responsible for contacting the incident handler. Modern IDSs can provide alerts via many options such as pop-up windows, audible tones, paging, email, and Simple Network Management Protocol (SNMP).
SNMP: (Simple Network Management Protocol) Software used to control network communications devices using TCP/IP.
The most common response is not quite as exciting as many security professionals would like: it is a simple entry placed in the log file. Even though the log file entry does not have the glamour of a Hollywood intrusion response, it may turn out to be the most useful. The log file report has the data that many organizations will use in determining the overall IT security budget. Other responses can include a trigger that will issue a call to the security architect's pager, or even a pop-up window or email message. During an attack, the response can also be the ability to have the network modify itself. A command may be issued to change or block port numbers, or to disable services. This response during an attack can prove to be the vital element that keeps the network from compromise.
Accountability
Having the response options is a valuable portion of all IDSs and should be configured as part of the network security policy, but many systems must provide proper accountability as well. Accountability provides the option to trace a misuse or intrusion event to the responsible party. Accountability is one of the hardest tasks in implementing an IDS, given that users change systems and attacks can come from spoofed sources. This is a critical step in the overall protection of a network, however, and this becomes even more evident in the event that the organization pursues legal avenues against an attacker. Ideally, the accountability system will enable the security professional to locate not only the computer used in the attack, but its physical location and, if possible, the user who initiated the attack.
TASK 7A-1
Describing Alarms
1. Describe the differences between a false-positive alarm and a false-negative alarm.
A false-positive is when an alarm indicates an intrusion when there is no actual intrusion. A false-negative is when an alarm does not occur when an actual intrusion is carried out.
Topic 7B
Technologies and Techniques of Intrusion Detection
Now that you are armed with the basics of intrusion detection, let's build on your new knowledge. The next step is to investigate the technologies and techniques commonly associated with IDSs.
promiscuous mode: Normally, an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.
Figure 7-3: A visual example of the IDS process.

Figure 7-3 is only one example of the potential process of the IDS. As you progress through this lesson, you will see different processes.
Behavioral Use
For the system to generate the correct response in the correct situation, it must be programmed with starting data. The starting data is where misuse is defined (along with alerts and response techniques). If the system is expected to determine misuse, then the individual who programs this data needs to know how the organization defines misuse.
A starting point for this process is to determine the network activity that the IDS will attempt to deal with. The following diagrams illustrate the various steps in determining use, both acceptable and unacceptable. Figure 7-4 shows all the uses of a network.
Figure 7-4: All of the uses of the network.

In Figure 7-5, you can see that a basic clarification between acceptable and unacceptable use has been made, according to the security policies that are applicable to the usage categories. (Only some of the options that the security policy may cover are included in this example.) The security policy for this organization might include the following:
- No users are allowed to telnet to remote hosts.
- Users can open only the files they are allowed to open.
- Users can access network printers only in their allocated areas.
- Users can execute only those applications they have been granted access to use.
Figure 7-5: The dividing line between acceptable and unacceptable use of resources.

In order to meet these policy requirements, you must divide network and resource access into acceptable and unacceptable use. At this point, you have categorized resource use to define what is considered acceptable and unacceptable. This is a generalization for the entire network, with the given that there will be exceptions made for specific users. From this diagram, you can see that the dividing line specifies that telnet is unacceptable, as is opening of unauthorized files, trying to execute applications without permission to do so, or attempting to use unauthorized network printers.

Once this dividing line has been created, the rules for the IDS can be implemented. This is where the task grows, as the number of signatures of known attacks and intrusions is the limitation. If the company has unique applications, the IDS must be made aware of the corresponding signatures. Remember, an IDS can only do what it is told to do, just like any other component of the network.

Although the line in our example is a nice solid line between acceptable and unacceptable, in reality, there are times when the line is not so clear. Crossing over the line is when false signals might be sent, as shown in Figure 7-6. In other words, if something that the policy has identified as acceptable has not been entered into the IDS and therefore is not known as acceptable, the IDS might send an alarm indicating an incident. This is known as a false-positive. False-positives take time and energy, and as much as possible, they should be minimized by proper policy making and data entry in the IDS. A false-negative, on the other hand, is more than lost time and energy. In fact, a false-negative does not equate to lost time and energy, since no one is aware that the condition happened. In other words, a false-negative is when an incident should cause an alarm, but it does not. This is a serious issue, and those responsible for the IDS of an organization need to be sure that the policies created, and the rules implemented, minimize the opportunities for false-negatives to occur.
Figure 7-6: False situations, both positive and negative.

Since, in reality, the dividing line is not so clear, it becomes important for the security professional to be aware of the applications running and the current security policies of the organization. The same security professional needs to be made aware of any unusual activity that might take place in the network. For example, if the organization has recently hired 20 new Help Desk users, their trainer might be showing them various options and situations in the network, such as what it looks like to attempt access to unauthorized files, or to attempt to log on as a different user. The security professionals in the network need to know this is happening, so that their response is correct for the situation.
We previously defined an intrusion as anything from threats, to theft, to misuse, but now you must define analysis. What actually is analysis? Although there might be many different meanings, in this discussion, you will identify analysis as the concept of organizing and categorizing data according to the security policies present for the network. The analysis must identify the intrusions as previously defined. These intrusions, then, are the actual data collected. They can be about a user, a node, an IP address, or any other given variable, again meeting the requirements of the policy.

In order to begin the analysis process, there must first be an analysis system in place. The analysis system can be as simple as reading a single log file at night, or as complex as multiple IDSs submitting data to an external database for future data mining. Regardless of the scale of the system, there are certain variables that must be met, and all systems have these in common. These are the ability to generate the initial data, categorize the data based on given rules, and process the data once organized.

The collection of the data will be identified by the IDS, based on the rule set in place for the policy. This data collection can be either user misuse of resources, actual data theft, denial of service, or any of the types of data you have discussed that might be part of the IDS. Once the data has been collected, it must be organized in a usable format. This categorization can generally be defined by the cause of alarm and filed accordingly. Two general categories that are commonly used are Misuse Of Resources and Threats. It is also common to organize the data by the type of signature present. If the attack was of a known signature, such as a Ping of Death DoS attack, it can be classified as such. By organizing the data using these known signatures, the analysis phase can be a more efficient process, as the data is in the order of attack.
Remember, not all misuse detection is a threat.
TASK 7B-1
Discussing IDS Concepts
1. What are the differences between misuse and intrusion?
Misuse can occur if a user has access to a resource but uses that resource for a purpose not intended by the owner of that resource. However, if a user does not have access to a resource but gains access by subverting the network's or resource's security, or by any other devious means, this is considered intrusion.
2. Describe behavioral use in terms of an IDS.
First, categorize all network and resource usage into a set. Then, divide network and resource access into two categories, acceptable and unacceptable use, based on policies that have been agreed to. This is a generalization for the entire network, with the given that there will be exceptions made for specific users. Over a period of time, look for patterns of usage of these resources to build a database of behavioral use.
Lesson 7: Designing an Intrusion Detection System 383
Topic 7C
Host-based Intrusion Detection
Now that the fundamental issues of intrusion detection have been covered, you will examine the actual options for implementation. In this topic, you will detail the host-based IDS. Host-based IDS is where the data that will be analyzed is generated by hosts (computers) in the network. This system has many variables in data collection, since the source is so varied. A host-based system can be collecting data from application logs, such as Web servers. At the same time, it is collecting data from operating system logs. Because the system is host based, it is generally quite good at detecting internal misuse of resources. The event logs of each host can generate data on files accessed, by whom, on what date, and at what time. This provides excellent tracking data of misuse, and in the event of compromise, evidence of the attack.
The following steps highlight the process of centralized design, and are shown in Figure 7-7.
1. The host detects that an event has happened (such as opening a file, or logging on to a user account).
2. The event is written as an event record. The record is written to a secured file on the host.
3. At a predefined time, the host sends its records to the command console over the network, using a secured (encrypted) link.
4. The command console receives the records and submits the data to the detection engine.
5. The detection engine analyzes the data for known signatures.
6. The command console generates a log of its work as a data archive.
7. If an intrusion is detected, the command console generates an alert, and the programmed notification is used. The security professional receives the notification.
8. A response to the alert is created. The response used by the console has been previously programmed by the security team for this type of intrusion event.
9. The alert is stored in a secured database.
10. The data used for generating the alert is archived.
11. The console generates a report of the alert activities.
12. Long-term analysis is used to determine if this alert is part of a bigger intrusion.
TASK 7C-1
Describing Centralized Host-based Intrusion Detection
1. Describe where and how data is collected in a centralized host-based IDS.
1. The host detects that an event has happened.
2. The event is written as an event record. The record is written to a secured file on the host.
3. At a predefined time, the host sends its records to the command console over the network, using a secured (encrypted) link.
4. The command console receives the records and submits the data to the detection engine.
5. The detection engine analyzes the data for known signatures.
6. The command console generates a log of its work as a data archive.
7. If an intrusion is detected, the command console generates an alert, and the programmed notification is used. The security professional receives the notification.
8. A response to the alert is created. The response used by the console has been programmed by the security team for this type of intrusion event.
9. The alert is stored in a secured database.
10. The data used for generating the alert is archived.
11. The console generates a report of the alert activities.
12. Long-term analysis is used to determine if this alert is part of a bigger intrusion.
Topic 7D
Network-based Intrusion Detection
The concepts and implementation of the host-based IDS might lead you to believe that it is the best way to run your IDS. This might not be the case. Although there are advantages to running a host-based system, it does not suit every situation or meet every need. If you require the IDS in your organization to analyze the actual TCP/IP traffic, then network-based IDS is your choice. The IDS in a network-based design is such that it will sniff the packets off the wire. Hardware devices, such as switches and routers, can also be programmed to send this data directly to the IDS. A significant difference between host- and network-based IDS is the actual location of the agents. In host-based IDS, the agents, or sensors, are placed directly on the hosts. In network-based IDS, the source of the detection is often placed so that it can sense the external traffic, or the intrusion attempts from the outside. This allows the network-based system to detect what the host-based normally cannot, such as a DoS.
Another example of a difference between these two implementations would be the detection of attempted access to a system by an attacker. Suppose, for a moment, that an attacker breaks into the network and attempts to log in to a host. The host-based system will not report, or have the ability to identify, anything until the actual login request happens. The network-based system will identify the pattern of the request itself, before (ideally) the attacker has successfully logged in.
TASK 7D-1
Discussing Sensor Placement
1. Is the location of the sensor the determining factor in deciding if the IDS is host-based or network-based? Explain your response.
No. If the IDS is running on each computer and those computers are analyzing intrusion attempts on the operating system, then it is host-based. If the IDS is running on each computer and those computers are analyzing the packets with the Ethernet device, then it is network-based.
2. Describe the process of a traditional network-based IDS.
1. A network packet is sent from one host to another in the network (this can include a packet from the Internet to a firewall).
2. The packet is pulled off the network in real time by the network sensor, generally positioned between the two communicating hosts.
3. The packet is processed in real time in the detection engine, and is analyzed for known signatures.
4. If a signature match is detected, an alert is created and forwarded to the command console.
5. The security professional is notified of the alert.
6. A response to the alert is created. The response used by the console has been programmed by the security team for this type of intrusion event.
7. The alert is archived for later analysis, and a report of the incident is created.
8. Long-term analysis is used to determine if this is part of a bigger intrusion.
Topic 7E
The Analysis
In the previous topic, you examined the processes of the different types of IDS implementation. One common point in all of them was the analysis of data once it has been collected. In this topic, you will look into the analysis process itself.
When to Analyze
After the agents, or sensors, have been set in place, the timing of analysis must be defined. While this might be part of the architecture chosen, it is worth noting the options and their strong and weak points.
Interval Analysis
This method of analysis uses the internal operating system (or other host-based) audit logs to capture the events, and the IDS, at given intervals, analyzes the data in the logs for signatures of intrusion. Using this method of analysis is effective in organizations where the perceived threat is low and the potential loss from a single attack is high, such as a very well-guarded server that holds the organization's most secret data. Those running this type of analysis are more concerned with the data collected and accuracy than speed. The data collected in this case is often, if secured properly, used in legal proceedings during criminal prosecution. Another strong point of interval analysis is that there is less of a burden placed on the individual hosts to perform the analysis, since it is not in real time. And, this type of analysis is a benefit to organizations that are not large enough to have a full-time employee or consultant watching for intrusion signatures.

On the other hand, there are weaknesses to this type of analysis. An incident is usually not identified until after it has occurred, which presents obvious problems. Because the analysis is in intervals, the ability to notice and respond to an incident quickly, or as it is happening, is close to nonexistent. Additionally, if the hosts that are running the analysis do not have sufficient disk space to hold the events, problems can occur.
Real-time Analysis
As an alternative to interval analysis, there is real-time analysis. This involves, as the name implies, data being analyzed for signatures as it is collected. Real-time analysis runs continuously, collecting, analyzing, reporting, and responding (if programmed to do so). Do not misunderstand the term real-time to mean same-time. An event cannot be countered the exact moment it happens. However, the concept behind real time is such that an attack should be dealt with as it is happening, and if the system knows the signature, stop the attack before it can complete and compromise a host.
This type of analysis has the ability to respond in real time, via the methods previously discussed (email, pages, and even telephone calls). The real-time nature of this analysis means that security professionals can respond while an attack is underway, and stop it. An additional benefit to real-time analysis is that hosts can be recovered quickly in the event of a compromise, because there is no need to wait for the analysis to find out what has been compromised.

However, just as there are benefits, there are weaknesses to this type of analysis. One of the more critical weaknesses might be the extra resources used by the hosts. More memory and processing will be required. Because the systems can be programmed to provide an automated response, this must be planned carefully. Unless you can guarantee the system will analyze the data correctly, and respond as expected, the automatic response needs to be considered cautiously. A response of disconnecting a distribution partner over the Internet due to an error in analysis could be very costly.
How to Analyze
You have discussed the methods of when to have the IDS analyze data, but it is just as critical to determine how the analysis is going to happen. Again, this might be part of the architecture of the design, but the individual points must be described.
Signature Analysis
The common element that most IDS products share is signature analysis. The signature is a known event or pattern of events that correspond to acknowledged or known attacks. These signatures can be very simple to detect, like a flood of ICMP requests to a given server, or much more subtle, like a failed login request on a server three times in a week from an external source. Signature analysis is the process of matching the known attacks against the data collected in the network. If there is a match, then that is a trigger for an intrusion, and an alarm might be the result. Most commercial IDS vendors have a list of known signatures, much like the antivirus industry. The big difference is that the majority of the antivirus companies have lists of over 20,000 known signatures for viruses and Trojan horses, and these companies can react very quickly and have the signatures uploaded to websites for users to download. By way of comparison, an IDS might have only a few hundred signatures to use. The users of the IDS are then left to download further signatures when they are available, or analyze the data and create their own signatures.
An Example Signature
Although the signatures that an IDS uses can be complex, you can use parts of a signature to illustrate how the analysis works. Suppose that the data displayed in Figure 7-11 is collected by the IDS.
Figure 7-11: An example of data collected by an IDS.

If this signature was not in the database of known signatures to the IDS, the security professional running the IDS should still be able to identify the attack. Let's perform a brief analysis of this data. You can identify that the source address is 172.168.30.23. You would check the IP address to see if there is any historical data regarding this IP address. The IDs are sequential, corresponding to the time of the event. This indicates a very fast event, as all IDs are less than one second apart (event starting at 8:52:52 and ending at 8:52:53). The destination port tells us the source is running a scan to see what hosts have a telnet server running. The scan is a scan of the entire network of IP addresses, 1 through 254.

Our brief analysis of this event, then, is:
- At 8:52:52, the network 192.168.10.0/24 was scanned to see which computers were running telnet servers. The scan concluded at 8:52:53.
- The likelihood that the source IP address was spoofed is low, because the attacker would need the scan to return data on hosts running telnet.
- Because none of the computers scanned run telnet, the risk from this event individually is low.
- There is no historical data to indicate previous activity from this source IP address. However, it is now recorded that there is intrusion activity from 172.168.30.23, and future attempts will correlate with this data.

The previous example illustrates the process of analyzing signatures. The IDS can only detect the signatures it is aware of; other activity will need to be identified by the professionals using the system.
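The hand analysis above (one source, many destinations, one port, all within a second) can be expressed as a rule. The following is an added example, not code from the book or from any IDS product: it builds constructed event records matching the page's description of Figure 7-11, detects the horizontal scan, and applies the page's reasoning about spoofing, exposed services and prior history. The event layout, the thresholds and the date are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network


@dataclass(frozen=True)
class Event:
    """One IDS event record: sequential ID, timestamp, source, destination, destination port."""
    event_id: int
    ts: datetime
    src: str
    dst: str
    dport: int


def build_sample_events():
    """Constructed sample data mirroring the page's description of Figure 7-11:
    sequential IDs, 172.168.30.23 probing TCP/23 on 192.168.10.1-254 within one second."""
    start = datetime(2024, 1, 1, 8, 52, 52)  # constructed date; the page only gives the time
    events = []
    for i in range(1, 255):
        ts = start + timedelta(milliseconds=(i - 1) * 1000 / 254)  # whole burst lasts < 1 s
        events.append(Event(1000 + i, ts, "172.168.30.23", f"192.168.10.{i}", 23))
    # Two ordinary web connections from an internal host; these must not trigger anything.
    events.append(Event(2000, start + timedelta(seconds=30), "192.168.10.50", "192.168.10.7", 80))
    events.append(Event(2001, start + timedelta(seconds=31), "192.168.10.50", "192.168.10.9", 80))
    return events


def detect_horizontal_scans(events, min_hosts=20, max_span=timedelta(seconds=5)):
    """Flag a source that touches many distinct hosts on the same port within a short span.
    Thresholds are assumptions; tune them to the network's normal behaviour."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e.src, e.dport)].append(e)
    findings = []
    for (src, dport), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        hosts = {e.dst for e in evs}
        span = evs[-1].ts - evs[0].ts
        if len(hosts) >= min_hosts and span <= max_span:
            nets = {str(ip_network(f"{h}/24", strict=False)) for h in hosts}
            findings.append({
                "src": src,
                "dport": dport,
                "hosts": len(hosts),
                "targets": sorted(hosts),
                "networks": sorted(nets),
                "first": evs[0].ts,
                "last": evs[-1].ts,
                "span_seconds": span.total_seconds(),
            })
    return findings


def assess(finding, history, service_hosts=frozenset()):
    """Apply the page's reasoning to one finding: a scan that needs replies is unlikely to be
    spoofed; risk is low if no scanned host runs the probed service; earlier activity from the
    same source raises the concern. `history` maps source IP -> list of earlier findings and is
    updated so that future events correlate with this one."""
    prior = history.get(finding["src"], [])
    exposed = bool(service_hosts & set(finding["targets"]))
    verdict = {
        "spoof_likely": False,
        "risk": "elevated" if exposed or prior else "low",
        "prior_events": len(prior),
    }
    history.setdefault(finding["src"], []).append(finding)
    return verdict
```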
Statistical Analysis
A common scientific method, not often implemented in commercial IDS products, but worth discussing, is statistical analysis. The basic concept of statistical analysis is to find a deviation from a known pattern of behavior. Using this method, an IDS would create profiles of user behavior. Examples of the types of behavior might include login times, amount of time on the network, and the amount of bandwidth used.
profile: Patterns of a user's activity which can detect changes in normal routines.
This data is then described as the normal usage of this profile. When an event happens that is not in the normal usage pattern, a possible intrusion is the result. The usual example of this would be login times. If a user has consistently logged in only between 8:30 A.M. and 6:30 P.M. for the last year, and that account tries to log in at 2:00 A.M., a possible intrusion is happening, and an alert would be issued.
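The login-time profile described here, as an added example that is not part of the book: it keeps the minute of day of each observed login, models the baseline as a mean and standard deviation (an assumed, deliberately simple model) and flags a login whose z-score exceeds a threshold. The account name, the threshold and the constructed year of logins are assumptions.

```python
import statistics
from datetime import datetime, timedelta


def minute_of_day(ts):
    """Map a timestamp onto 0..1439 minutes after midnight."""
    return ts.hour * 60 + ts.minute


class LoginProfile:
    """Statistical profile of one account's login times (assumed model: mean and
    standard deviation of the minute of day)."""

    def __init__(self, user, min_samples=30):
        self.user = user
        self.min_samples = min_samples  # refuse to judge until there is enough history
        self.samples = []

    def observe(self, ts):
        """Add a successful login to the baseline."""
        self.samples.append(minute_of_day(ts))

    def z_score(self, ts):
        """How many standard deviations a candidate login lies from the account's norm."""
        mean = statistics.mean(self.samples)
        sd = statistics.pstdev(self.samples)
        if sd == 0:  # every baseline login at exactly the same minute
            return float("inf") if minute_of_day(ts) != mean else 0.0
        return abs(minute_of_day(ts) - mean) / sd

    def is_anomalous(self, ts, z_threshold=3.0):
        """True when the login falls far outside the observed pattern.
        Caveat: minute-of-day wraps at midnight, so an account whose logins straddle
        00:00 needs a circular model; this simple version treats the scale as linear."""
        if len(self.samples) < self.min_samples:
            return False
        return self.z_score(ts) > z_threshold


def build_sample_profile():
    """Constructed history matching the page's scenario: about a year of working days,
    every login between 8:30 A.M. and 6:30 P.M. (sampled every 15 minutes)."""
    profile = LoginProfile("alice")  # constructed account name
    day = datetime(2023, 1, 2)
    for d in range(250):
        for m in range(510, 1111, 15):  # 08:30 .. 18:30 inclusive
            profile.observe(day + timedelta(days=d, minutes=m))
    return profile


def check_login(profile, ts):
    """Return the alert record the analysis engine would raise for one login event."""
    return {
        "user": profile.user,
        "time": ts.isoformat(),
        "z": round(profile.z_score(ts), 2),
        "alert": profile.is_anomalous(ts),
    }
```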
TASK 7E-1
Discussing Data Analysis
1. Which type of data analysis is often used as the method of analysis for legal proceedings involving IDSs? Interval analysis.
Topic 7F
How to Use an IDS
In this topic, you will be introduced to the different methodologies of intrusion detection. While there are no methods set in stone, this topic attempts to outline several examples for you to use in the future. These detailed intrusion examples include DoS, network sweeps, and internal misuse of resources.
Imagine the following scenario: It is 4:40 P.M. on Friday. You are about to go home and enjoy the weekend. You hear your incoming mail sound, and look at the new message. Incoming ICMP packets, lots of them. You are not going home after all. You begin your investigation. It seems the ICMP packets have been detected as a Denial of Service attack. You have seen this before, and are familiar with the signs. As you investigate further, you realize it is more than a simple ping attack. It seems to be a Distributed Denial of Service. The IDS is alarming with signs of attack from 101 distinct IP addresses. You continue to dig, as you read the log files, and it turns out although there are 101 addresses listed, they all register to the same local ISP. By now, you're thinking, I hope Saturday afternoon will be nice. The pings pause for a minute. Unusual, you think. It is almost like the attacker did not enter enough packets to maintain the high DDoS attack. About 10 minutes later, it starts again. You have been on the phone this entire time with your ISP trying to get them to block ICMP requests.
Back to the log files, where you see the attacks coming from the same group of nodes. The attacker must have re-entered the script, perhaps this time with a higher count. Now, your ISP is noticing, and they indicate they will open a ticket to investigate. Back to the log files, where further investigation confirms the IP addresses used are all in the same block from the same local ISP. You get on the phone to the local ISP. They are helpful and willing to work with you to locate the offending IP addresses. They confirm that those addresses are all in their range. Since the local ISP is only a few miles away, and the IP addresses in question are all local, you are thinking the attacker must have targeted your network on purpose, and you are not the victim of a random DDoS. On the other hand, your organization has not lost a verifiable amount of money over the attack so far, so FBI involvement will probably not be needed. The local ISP administrator is helpful and works with you on helping to locate a source. The pings stop again. Even though they went longer this time, they still stopped. Again, there is a pause in the action for a while, and it picks up again. Back to the log files. Again, you find 101 addresses in the attack. The local ISP administrator calls to tell you there is no new news yet. Into the night, you decide to leave and come back in the morning.

Returning in the morning, you turn to the log files. The log files indicate that the attacks continued throughout the night, 101 addresses every time, yet each attack running only for 10 minutes. You dump the logs into a database for analysis, and you decide to see which addresses were involved in each attack. This turns out to be the break you were looking for. In the data logs, it turned out that only three IP addresses were involved in every attack. Working with the local ISP, you identify that two of the addresses are dial-up accounts and rarely on. The third is a DSL user who is always connected. You suspect this user is the culprit. Although the local ISP will not reveal the identity of the user to you, they had helped you as much as you could hope for.

Now, you are on to internal research. You begin by combing through the current employee list and checking for home email addresses. The company is not all that large, so it is an easy task. You view the list from top to bottom and find nothing. Next, you decide to go through the list of past employees, starting with people who were let go or who resigned in the last six months. This is a much smaller list, only 17 names. There it is, in black and white. There is one ex-employee who was fired only a month ago. The home email address does indeed come from the same local ISP. You pull out a saved email from the archive and check the headers. Sure enough, the IP address matches. You are hot on the trail of the attacker and have enough evidence to go to the next level.

Now, imagine this scenario without the IDS running. What would the situation be in this case? The network would seem slower, but it would take time to isolate where it is slowing down. Without IDS, you would not have the head start, you would not have logging of the IP addresses, and you would have a hard time not only tracking down the cause, but also deciding on a response and solution.
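The step that breaks the case above, dumping the logs and asking which addresses took part in every attack, is a set intersection across attack windows. The following is an added example, not code from the book: it builds a constructed ICMP-flood log shaped like the scenario (bursts of about ten minutes, 101 sources each, pauses in between), splits it into bursts by the gaps in traffic, intersects the source sets, and checks whether all sources sit in one address block. The addresses, block size and timings are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network


def build_sample_flood_log():
    """Constructed (timestamp, source) records: three bursts, 101 distinct sources each.
    Three assumed persistent addresses appear in every burst; the other 98 differ per burst.
    All sources are drawn from an assumed ISP block 203.0.112.0/22."""
    persistent = ["203.0.115.10", "203.0.115.11", "203.0.115.12"]
    # 294 rotating addresses spread over 203.0.112.0/23, disjoint from the persistent ones
    pool = [f"203.0.{112 + i // 254}.{1 + i % 254}" for i in range(3 * 98)]
    first_burst = datetime(2024, 1, 5, 16, 40)  # constructed: 4:40 P.M. on a Friday
    log = []
    for burst in range(3):
        burst_start = first_burst + timedelta(minutes=25 * burst)  # ~10 min on, ~15 min off
        sources = persistent + pool[98 * burst:98 * (burst + 1)]
        for i, src in enumerate(sources):
            log.append((burst_start + timedelta(seconds=i * 600 / 101), src))
    log.sort()
    return log


def split_attack_windows(log, gap=timedelta(minutes=5)):
    """Cut a (timestamp, source) log into bursts wherever traffic pauses longer than `gap`.
    Returns a list of (start, end, set_of_sources), one per burst."""
    windows = []
    current, start, last = set(), None, None
    for ts, src in sorted(log):
        if last is not None and ts - last > gap:
            windows.append((start, last, current))
            current, start = set(), None
        if start is None:
            start = ts
        current.add(src)
        last = ts
    if current:
        windows.append((start, last, current))
    return windows


def persistent_sources(windows):
    """Addresses present in every burst: the page's 'only three IP addresses' result."""
    if not windows:
        return set()
    return set.intersection(*(srcs for _, _, srcs in windows))


def common_block(sources, prefix=24):
    """The page's other observation, as a check: do all sources fall in one block of the
    given prefix length? Returns that network, or None if they span more than one."""
    nets = {ip_network(f"{s}/{prefix}", strict=False) for s in sources}
    return nets.pop() if len(nets) == 1 else None
```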
Surveillance Monitoring
When there has been some indication of either a threat of a break-in, resource misuse, or some other unauthorized activity, the IDS can be used in a mode of surveillance. At first glance, this might seem to be the entire function of the IDS in the first place. However, in this particular area, the reference is to more of an increased level of awareness. Beyond the normal day-to-day monitoring that happens, this is when a threat has been identified. Take the following situation as an example: A company has had the same senior-level network administrator for five years. Recently, this administrator was found to be working part-time for another company. Because this person was at a senior level and had an exclusive contract, he had to be let go. The release was not a pleasant one, but no threats or poor language were used towards either party. This situation would, however, be cause to put the IDS into a surveillance mode, with the specific goal being to monitor traffic that could be coming from the released employee. The task of detecting an ex-employee can be difficult (even more so if it is a technical person) because this person is aware of the internals of the network. Nonetheless, this situation would require an IDS on a higher alert.
TASK 7F-1
Discussing Intrusion Detection Uses
1. Describe how an IDS can be used to detect an outside threat. Answers will vary, but may include: To identify attack signatures that are originating from IP addresses other than your internal private range.
Topic 7G
What an IDS Cannot Do
Throughout this lesson, you have identified and discussed the abilities of IDSs. As good as they are, and as helpful to the security of the network as they are, they do have limitations. An IDS can only do what it is designed to do; do not expect more from it. In this topic, you will examine some of the things an IDS cannot do.
Investigate an Attack
There are options for what an IDS can do to respond to an attack. But responding is not the same as investigating. An IDS cannot notice a SYN flood coming from the same IP address and then follow up on it. The IDS will inform you of the SYN flood, and it will be up to you to follow up. The IDS will provide the data for the investigation, but do not expect the IDS to perform any of the investigation itself. Although, if that day ever comes, there will be some interesting ramifications. Imagine your IDS paging you to state, "You had a SYN flood at 2 A.M. I traced the IP address, sent a message to their ISP, and had the attacker arrested. Have a nice day!"
SYN flood: When the SYN queue is flooded, no new connection can be opened.
TASK 7G-1
Discussing Incident Investigation
1. Describe why an IDS cannot investigate an intrusion attempt. The IDS is able to identify an attack, even in real time; however, it cannot investigate the attack. It might be able to respond, by closing ports, or paging the security professional. There is no mechanism in modern IDS systems for tracking down IP addresses, contacting the correct ISP, or explaining an intrusion attempt to the FBI.
Summary
In this lesson, you were introduced to the concepts and technologies of IDSs. You examined the differences between using host-based and network-based IDSs, and how each of them can be implemented. You examined the types of data analysis. You identified multiple scenarios of an IDS in use, and how each one presents a different situation to the IDS. Finally, you examined the situations an IDS cannot help with, and the tasks an IDS cannot perform.
Lesson Review
7A What are the major components of an IDS?
Prevention, detection, and response.
What is one reason you need to be careful with the response of the IDS?
You have to exercise caution in determining the level of response to incidents, since aggressive or offensive responses may open up the organization to serious legal issues.
What's worse: a false-negative or a true-positive?
A false-negative, as it signifies that an alarm was not generated when a condition should have been alerted.
7B Describe how an Ethernet host, running in promiscuous mode as an IDS, sniffs packets off the local segment.
1. A host creates a network packet. So far, nothing is known other than that a packet exists that was sent from a host in the network.
2. The IDS host reads the packet in real time off the network segment.
3. The detection program in the sensor matches the packet with known signatures of misuse. When a signature is detected, an alert is generated and sent to the command console.
4. The command console receives the alert and notifies the designated person or group of the detection.
5. The response is created in accordance with the programmed response for this matching signature.
6. The alert is logged for future reference.
7. A summary report is created.
8. The alert is viewed with other historical data to determine if there is a pattern of misuse or to indicate a slow attack.
7C Describe the general process of host-based IDS.
Host-based IDS uses what are known as agents (also called sensors), which are small programs running on the hosts that are programmed to detect intrusions upon the host. They communicate with the command console.
What are the different designs of host-based IDS?
Centralized and distributed.
Describe the advantages and disadvantages of each design of host-based IDS.
In the centralized design, the data is gathered and sent from the host to a centralized location. There is no significant performance drop on the hosts because the agents simply gather information and send it elsewhere for analysis. However, due to the nature of the design, there is no possibility of real-time detection and response. In the distributed design, the agents on the hosts are the ones that perform the analysis. There is a significant advantage to this method: the intrusion data can be monitored in real time. The flip side is that the hosts themselves can experience a bit of a performance drop, as their computer is engaged in this work constantly.
What are the differences between host-based and network-based IDS?
Host-based IDS is designed to detect intrusions on a host, whether the attempt to intrude comes through a network interface or the keyboard. Network-based IDS is designed to detect intrusions in a network by analyzing network traffic, regardless of any specific host.
What are the different designs of network-based IDS?
Traditional and distributed.
Describe the advantages of each design of network-based IDS.
In the traditional design of network-based IDS, sensors are used in the network, where a sensor is a host that is configured to run the IDS software. This is usually a stand-alone computer. Each sensor runs in promiscuous mode. Packets are then fed directly into the detection engine for analysis. In general, there should be one sensor in each critical segment of the network. Any alarms that are generated are sent to the command console. In the distributed design of network-based IDS, a sensor is installed on each host in the network, instead of on each segment of the network. The sensors then communicate with each other in the event of an intrusion, and use the command console as a center of operations and for alarms. This provides the opportunity to detect packets that might otherwise have been lost or missed by the traditional design IDS.
Describe the difference between surveillance and normal IDS operation.
When there has been some indication of either a threat of break-in, resource misuse, or some other unauthorized activity, the IDS can be used in surveillance mode. While this might seem to be the entire function of the IDS in the first place, the reference is to more of an increased level of awareness versus the normal mode of operation.
LESSON 8
Configuring an IDS
Overview
In this lesson, you will implement an IDS. There are many different types of IDSes, and for this lesson, you will use perhaps the most famous free IDS tool: Snort. Snort is a tool that is designed to monitor TCP/IP networks, looking for suspicious traffic and direct network attacks. It enables system administrators to collect enough data to make informed decisions on the best course of action in the event that an intrusion is detected.
Data Files: Snort_2_6_1_2_Installer, Rules directory, mysql-essential-5.0.27win32, adodb493a.tgz, base-1.2.7.tar.gz
Lesson Time: 6 hours
Objectives
To configure IDSs, you will:
8A Describe how Snort works as an IDS. You will describe how Snort works as an IDS, including the pros and cons of implementation in a production network environment.
8B Install Snort on a stand-alone computer. Given a computer running Windows in a networked environment, you will install the Snort intrusion detection application.
8C Describe the rules used in Snort. On a computer running Snort, you will create and test a ruleset to check the effectiveness of the installation.
8D Configure Snort IDS to use a MySQL database. Given a computer running Windows, you will install MySQL and configure Snort to send alert data to the database.
8E Configure a full IDS on Linux. Given a computer running SuSe Linux, you will configure Snort, MySQL, and the BASE Console to view alerts.
Topic 8A
Snort Foundations
In the world of intrusion detection tools, administrators and analysts have many choices. One of the choices is cost. Another critical choice is speed of response to new types of incidents, such as Code Red and the quick follow-up of Code Red II. It is in this conversation that an open-source tool such as Snort really shines. This tool and the associated applications that go along with it can be found at www.snort.org. The cost issue should be obvious to everyone, and free can't be beat! When commercial IDS products can be a few thousand dollars on the low end and over a hundred thousand dollars towards the high end, free is clearly a driving force for some. The other primary benefit is the fact that the open-source format allows for fast modifications. The rules that Snort uses to make decisions can be written by anyone and then posted to the web. If a new threat is identified in the morning, an administrator can create a new rule and post it by that afternoon. The Snort community can then analyze the rule, and when it is determined to be correct, the rule can be downloaded and implemented. A threat can be minimized the very day it is announced. This is a significant benefit.
Snort Deployment
Snort can be deployed on just about any host on the network. The actual Snort program is very small and does not use enough resources to cause any significant issues with the base operating system. It is possible to install and configure Snort and let it run for days with no intervention from the administrator. At a later date, the administrator can view and analyze the data collected. Although Snort can be installed on almost any host in the network, the choice of placement is important. Snort uses an interface in promiscuous mode (meaning that it captures all the packets seen by the NIC), and one installation of Snort per collision domain might be sufficient. It can also be a benefit to have an IDS placed just inside and just outside of the firewall. This way, you can identify the attacks that are blocked by the firewall, not just the internal threats. The interface that is in promiscuous mode is acting as a sniffer, capturing all the network traffic that the NIC sees. If your network is switched, make sure that you have at least one host running Snort on each segment. The host itself need not be an overly powerful machine; however, it is advisable that sufficient disk space be available to store data and that the processor be able to keep up with analysis of the packets.
sniffer: A program to capture data across a computer network. Used by hackers to capture user ID names and passwords. A software tool that audits and identifies network traffic packets. It is also used legitimately by network operations and maintenance personnel to troubleshoot network problems.
What the rules can check for is limited only by the administrator's imagination and by the fact that Snort can only identify TCP, UDP, IP, and ICMP. There is currently no support for routing protocols. The types of rules that can be created are therefore quite varied. Examples are buffer overflows, port scanning, network mapping, SMB probes, NetBIOS scans, and so on. The way that Snort is able to use such flexible rules is due to the way Snort functions. Snort can look inside a packet and examine its contents; it is not limited to an examination of headers only. This function is called payload inspection, and it is payload inspection that lets Snort achieve such flexible rules.
Snort Fundamentals
Snort has four main pieces that combine to provide you with solid IDS functionality. The first is the actual packet capture piece, utilizing LibPcap or WinPcap, where raw packets are pulled off the wire. The second is the preprocessor, where packets are examined prior to handoff to the actual detection engine. The third is the actual detection engine. This is where your Snort rules are in action, with the detection engine looking at the parts of the packets that you have defined. Last is the Output piece. If the packet is run through the detection engine and an alert is generated, or if logging is defined, the Output piece is where that takes place. The main file that contains the core Snort configuration is called snort.conf. This file has several primary parts, some of which you will not make any adjustments to in this course.
Note: If you wish to go into great depth with Snort, you are recommended to start with the official documentation found at www.snort.org.
The primary parts of the snort.conf file are:
Variables
Preprocessors
Output Plug-ins
Rulesets
There are many variables used in Snort, which can then be referenced later. Some common variables are var HOME_NET, which is used to define your local network, and var EXTERNAL_NET, which is used to define your external network. Preprocessors are filters used by Snort to perform actions on a packet prior to the full Snort engine. This is useful for speeding up Snort, when preprocessing can exclude a packet before Snort rules are required to look inside the payload to perform content and other matching. Output plug-ins are used by Snort to determine alerting and logging features and what format to use when Snort is going to dump collected data. You will define the location of the rulesets that you wish to use in the snort.conf file. Although you could write rules into this file, that practice is not encouraged. By writing individual rule files, you are able to maintain better control over your configuration. You define the location of the ruleset in the snort.conf file, and then the individual rules you require are located in that separate ruleset file.
Prior to running tasks on Snort, you will need to perform some initial configuration. The first thing to alter is called the Home Network. This line tells Snort what your network's IP configuration is, so that Snort will only sniff traffic on your network, versus all traffic. If you wish to sniff all traffic, you may use a home network of any. In this classroom, there are two student networks; the LEFT side uses the 172.16.10.0/24 network and the RIGHT side uses the 172.18.10.0/24 network. If your system is part of the LEFT network, you will configure Snort to use this line:
var HOME_NET 172.16.10.0/24
If your system is part of the RIGHT network, you will configure Snort to use this line:
var HOME_NET 172.18.10.0/24
Snort runs on both Linux and Windows platforms, and for this lesson, the tasks are run on a Windows system. There are other Snort configuration lines that require editing because you are running on a Windows system. Two of these other lines are:
include classification.config
include reference.config
These need to be changed to define the full Snort path on your system. You will need to change these lines to read as follows:
include C:\Snort\etc\classification.config
include C:\Snort\etc\reference.config
Topic 8B
Snort Installation
Another benefit of Snort might be its ease of installation. The overall process of installation takes only a few minutes. A few more minutes of configuration, and Snort is up and running. In this section, you will be installing Snort on a Windows computer, and then later in the lesson, you will perform a full installation on SuSe Linux. You will require two things for the installation on Windows:
LibPcap for Windows. You will use a packet capture driver called WinPcap for this function. (Further WinPcap information is available from the Computer Network and Network Intelligence Group of Politecnico di Torino.) This simple, self-extracting executable file can be found at www.snort.org or in other Internet archives.
The Snort application file itself. This is an executable file that can also be found at www.snort.org.
TASK 8B-1
Installing Snort
Note: It is a good idea for students to save current versions of their snort.conf file during this lesson. If an error occurs, they only have to go back to the last known good file.
1. If required (you should have installed WinPcap earlier in the course), run the WinPcap installation file to install the Windows version of the LibPcap driver. Note that the filename is WinPcap_4_0.exe.
2. From the C:\Tools\Lesson8 folder, double-click the Snort installer file. The full filename is Snort_2_6_1_2_Installer.exe.
3. Read the License Agreement, and if you agree, click the I Agree button to continue the installation.
4. Keep the I Do Not Plan To Log To A Database radio button selected and click Next. Note that later in the lesson you will work with a MySQL database.
5. Keep all the default selected components checked, and click Next.
6. Accept the default install location, and click Next.
7. When the install is complete, click Close to exit the Setup program.
8. In the successful install window, click OK. If you get a pop-up about WinPcap, click OK.
9. Open My Computer, and navigate to the C:\Snort folder. Note the directory structure that was created during the install:
C:\Snort\bin
C:\Snort\contrib
C:\Snort\doc
C:\Snort\etc
C:\Snort\lib
C:\Snort\log
C:\Snort\rules
C:\Snort\schemas
10. In the C:\Snort\bin folder, create a folder named log (this will have a path of C:\Snort\bin\log).
11. In the C:\Snort\log folder (note this is not the folder created in Step 10), create a file named alert.ids and click Yes to accept that you are going to change the file name extension. You will need this file later in the lesson.
12. Choose Start → Administrative Tools → Services.
13. Scroll to the Messenger service.
14. Right-click the Messenger service and choose Properties.
15. Change the Startup type to Automatic.
16. Click Apply.
17. Click Start.
18. Click OK.
19. Close the Services window.
TASK 8B-2
Initial Snort Configuration
Note: When editing Snort lines, be sure you edit the actual lines used, not the lines that are designated with a # comment.
1. Open My Computer and navigate to the C:\Snort\etc folder.
2. Right-click the snort.conf file, and choose Copy.
3. Right-click in the C:\Snort\etc folder and choose Paste.
4. Rename the copy of the snort.conf file as snort.conf.bak. (Click Yes, if you receive a Rename warning prompt.) In the event that you run into difficulty with your snort.conf file, you will have this file as a backup.
5. Double-click the original snort.conf file.
6. Select the Select The Program From A List radio button and click OK.
7. Select WordPad as the program to use and click OK. You may leave the check box checked to always use this program to open this file type.
8. Scroll down to var HOME_NET any and replace any with your home network. If you are in the LEFT network, use:
var HOME_NET 172.16.0.0/16
If you are in the RIGHT network, use:
var HOME_NET 172.18.0.0/16
9. Search for the variable var EXTERNAL_NET any and change it to read:
var EXTERNAL_NET !$HOME_NET
10. Search for the line include classification.config and change it to read:
include C:\Snort\etc\classification.config
11. Search for the line include reference.config and change it to read:
include C:\Snort\etc\reference.config
12. Search for the variable var RULE_PATH ../rules and change it to read:
var RULE_PATH C:\Snort\rules
13. Change # include threshold.conf to read:
include C:\Snort\etc\threshold.conf
14. There are two other lines where you must replace the default line with a specific Windows path. The following two steps show the before and after of these two configuration lines.
15. Change
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
to read:
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
16. Change
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
to read:
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
17. Once you have made these changes, save and close the snort.conf file.
18. Open two command prompts. One will be used to run Snort and the other to run ping commands.
19. At one of the command prompts, navigate to the C:\Snort\bin folder, and enter snort -W. You will see a list of available adapters on which you could install the sensor. The adapters are numbered 1, 2, 3, and so forth. In this lesson, you will be using the NIC. Write the number associated with that adapter here: _______
20. At the C:\Snort\bin prompt, enter snort -v -iX, where X is the number of the NIC that you recorded in the previous step.
21. Switch to your other open command prompt, and ping any other computer in the network. When the ping is complete, switch back to the command prompt that is running Snort.
22. In the Snort command prompt, press Ctrl+C to stop Snort.
23. Review the summary information, noting the packets that Snort captured in this test.
24. Close all open windows.
packet sniffer: A device or program that monitors the data traveling between computers on a network.
TASK 8B-3
Capturing Packets with Snort
Setup: Snort has been installed and tested, and your instructor has designated you as Host One or Host Two.
Note: Perform the following step on all student computers.
1. Open two command prompts.
Note: Perform the following step only if you are designated as Host One. 2. Change to the c:\snort\bin directory. Enter snort -v -ix (remember to use the adapter number in place of the x). The -v switch prints the headers on the screen.
Note: Perform the following step only if you are designated as Host Two. 3. As soon as Host One has pressed Enter, ping Host One by its IP address.
Note: Perform the following step only if you are designated as Host One. 4. As soon as the ping is completed, press Ctrl+C to stop the packet capture. Leave the used windows open, and switch to the unused command prompt.
Note: Perform the following step only if you are designated as Host Two. 5. Switch to the unused command prompt. Change to the c:\snort\bin directory. Enter snort -v -ix (remember to use the adapter number in place of the x).
Note: Perform the following step only if you are designated as Host One. 6. As soon as Host Two has pressed Enter, ping Host Two by its IP address.
Note: Perform the following step only if you are designated as Host Two. 7. As soon as the ping is completed, press Ctrl+C to stop the packet capture.
Note: Perform the following step on all student computers. 8. Minimize the command prompt window used for pinging, and focus on the window in which Snort was running. Browse the le, and try to identify the ping packets sent between Host One and Host Two.
Figure 8-2: An example of the statistics after a packet capture has completed. In this example, no packets were dropped, and the vast majority of packets captured were TCP. This screenshot was generated on a Windows 2000 computer, after running for about 20 seconds in a controlled environment.
Figure 8-3 shows a portion of the packet headers that were captured, specifically the ping packets. This is what the goal of the previous exercise was: to identify the ping packets. From this screenshot, you can identify that the ping was initiated from host 10.0.10.115 and was sent to 10.0.10.213. You should be able to see that the packets were correctly identified as ICMP, and the ID numbers are going up as expected: 2635 on the first request shown, 2636 on the second, and so on. The reply packets also follow the ICMP rules: ID 53820 followed by 53821. The sequence numbers are also correct, again incrementing by one, as expected.
Figure 8-3: An example of a ping sequence between two hosts captured by Snort.
Although the capture of header information is an excellent way to craft the IDS for an organization, more might be required, such as examining the contents of packets and determining if the content matches any rule. If this is the case, then another switch is needed to see the packet data in Snort. The switch to add is the -d switch.
TASK 8B-4
Capturing Packet Data with Snort
Note: Perform the following step only if you are designated as Host One.
1. If necessary, change to the directory where you installed Snort. Remember, the directory is c:\snort\bin. Enter snort -ix -v -d. Using the -d switch enables you to see the packet data in Snort.
Note: Perform the following step only if you are designated as Host Two.
2. As soon as Host One has pressed Enter, ping Host One by its IP address.
Don't forget, the x in the switch -ix is the number of your network interface.
Note: Perform the following step only if you are designated as Host One. 3. As soon as the ping is completed, press Ctrl+C to stop the packet capture. Leave this window open, and switch to the other command prompt.
Note: Perform the following step only if you are designated as Host Two. 4. Switch to the other command prompt. If necessary, change to the directory where you installed Snort. Enter snort -ix -v -d.
Note: Perform the following step only if you are designated as Host One. 5. As soon as Host Two has pressed Enter, ping Host Two by its IP address.
Note: Perform the following step only if you are designated as Host Two. 6. As soon as the ping is completed, press Ctrl+C to stop the packet capture.
Note: Perform the following step on all student computers.
7. Minimize the command prompt that you used for pinging, and focus on the window in which Snort was running. Browse the file, and try to identify the ping packets sent between Host One and Host Two. Because the contents of the packets are captured this time, the screen looks different. You should still be able to identify the ping sequence, though. The difference that should be obvious is the payload data itself. Because the data is ping, the payload is filled with padding, in this case, letters from the English alphabet. In both command prompt windows, use the cls command to clear the screen and prepare for the next task.
TASK 8B-5
Logging with Snort
Setup: Two clean command prompt windows are open.
Note: Perform the following step only if you are designated as Host One.
1. If necessary, change to the directory where you installed Snort. Enter snort -ix -dev -l \snort\log to start Snort and instruct it to record headers and data in the \snort\log folder.
Note: Perform the following step only if you are designated as Host Two.
2.
Note: Perform the following step only if you are designated as Host One. 3. Switch to the other prompt, and ping Host Two by its IP address.
Note: Perform the following step only if you are designated as Host Two. 4. Change to the directory where you installed Snort, and enter snort -ix -dev -l \snort\log to start Snort and instruct it to record headers and data in the \snort\log folder.
Note: Perform the following step only if you are designated as Host One. 5. Ping Host Two by its IP address.
Note: Perform the following step only if you are designated as Host Two. 6. Ping Host One by its IP address.
Note: Perform the rest of this task on all student computers.
7. Press Ctrl+C to stop Snort.
8. Start Windows Explorer, and navigate to the snort\log folder.
9. Locate your log file; it will have a name such as snort.log.116850130.
10. Choose Start → All Programs → Wireshark → Wireshark.
11. Choose File → Open.
12. Navigate to your new log file and click Open.
13. Review the packet capture, and compare what was captured with the ping commands you sent between you and your partner.
14. Close all windows.
Topic 8C
Snort as an IDS
Up to this point, you have been using Snort to capture packets and then examining the contents of those packets. Although this can be quite useful, it is not a practical way to deploy an IDS. An IDS needs rules to follow and a way to alert the administrator when a rule is matched. In this topic, you will take Snort to the next level: IDS.
In this example, the new addition to the line is the -c switch, followed by the snort.conf file. As you might remember, the snort.conf file is used to define configuration variables that will be used by Snort. Earlier, all that the snort.conf file was used for was to specify the HOME_NET variable by changing it to refer to the correct IP address range. In this case, adding the -c switch tells Snort to apply the rules referenced in the snort.conf file to the packets as they are processed by Snort. Before we get too far ahead of ourselves, let's back up and look at the basics of the Snort rules. The rules of Snort are made up of two distinct parts:
Rule Header: The Rule Header is where the rule's action, protocol, directional operator, source and destination IP addresses (with subnet mask), and the source and destination ports are identified.
Rule Options: The Rule Options are where the rule's alert message and the specifications of which parts of the packet are to be matched are defined.
For example:
alert tcp any any -> any 80 (content: "adult"; msg: "Adult Site Access";)
The syntax breakdown of this example is as follows: The text up to the first parenthesis is the Rule Header. The section enclosed inside the parentheses is the Rule Options. Rule Options are not required in a rule, but they provide much of the information and might be the reason for creating the rule itself.
So, the end result of this rule is to create an alert if TCP traffic from any IP address and any port is sent to any host at port 80, where the string adult (written exactly as in the rule) is in the payload. If this rule is matched, a message of Adult Site Access will be placed in the logs with this packet.
The first part of this syntax, alert, is known as a rule action. The rule action in the header defines what is to be done when a packet that matches the rule is found. There are five actions that can be defined.
Rule Action   Description
alert         Creates an alert using whatever method has been defined. Also logs the packet using whatever method has been defined.
log           Logs the packet using whatever method has been defined.
pass          Tells Snort to ignore this packet.
activate      Creates an alert and turns on a dynamic rule.
dynamic       Remains unused unless another rule calls it. If called, it acts similarly to a log rule.
After the action has been defined, the next step is to define the protocol. In our example, the protocol defined is TCP. Currently, Snort supports defining the TCP, UDP, ICMP, and IP protocols. After the action and protocol are defined, Snort requires the IP addresses to be used. A valid statement is to use the word any, meaning any IP address. Snort uses CIDR notation (a slash followed by the number of network bits) to specify the subnet mask. Following this, a full Class A IP address will have a netmask of /8, a full Class B will have a netmask of /16, and a full Class C will have a netmask of /24. Single hosts might be specified with a /32 netmask. In addition to defining a single host or a single subnet of addresses, Snort can work with groups of IP addresses in a single rule. This is called creating an IP list. The IP list can be created by enclosing the list, with addresses separated by commas, in square brackets. An example of using an IP list is:
alert tcp any any -> [10.0.10.0/24, 10.10.10.0/24] any (content: "Password"; msg:"Password Transfer Possible!";)
Note: Although the previous line is split across two lines here, in the editor it can be entered as one long line. Versions of Snort before 1.8 required a backslash (\) between the lines of a single rule. It is acceptable now to have a rule span multiple lines, but in most editors, a long line is easy to work with. After IP addresses have been specified, you need to tell Snort which port you want to check. When you are working with Snort rule syntax, ports can be defined in several ways. Single static ports are common, as in port 80, port 23, and so on. The rule can also use the keyword any, again meaning any port. Ranges of ports can also be defined using a colon to separate the start and end points of the range. Here are several examples of different port definitions:
To log any traffic from any IP address and any port to port 23 of the 10.0.10.0/24 network:
log tcp any any -> 10.0.10.0/24 23
To log any traffic from any IP address to any port between (and including) 1 and 1024 on any host in the 10.0.10.0/24 network:
log tcp any any -> 10.0.10.0/24 1:1024
To log any traffic from any IP address where the source port number is less than or equal to 1024 and is destined for any host in the 10.0.10.0/24 network with a destination port greater than or equal to 1024:
log tcp any :1024 -> 10.0.10.0/24 1024:
In Snort rules there is an option to negate a port or IP address: prefix it with an exclamation point (!). This is similar to the negate option in IPTables rulesets. A host address with no mask is treated as a single host (/32). For example:
To log any TCP traffic from any host other than 172.16.40.50, using any port, to any host on the 10.0.10.0/24 network, using any port:
log tcp !172.16.40.50/32 any -> 10.0.10.0/24 any
To log any TCP traffic from any host, using any port, to the 10.0.10.0/24 network on any port other than 23:
log tcp any any -> 10.0.10.0/24 !23
By now, through these examples, you should be able to identify the direction operator. The direction is defined with ->, meaning traffic coming from the address and port on the left and going to the address and port on the right. It is also possible to have Snort check the packet for the IP addresses and ports in both directions, using <>; this is useful when you want to analyze both sides of a session. The following example uses the bidirectional operator to record both ends of a telnet session:
log tcp 10.0.10.0/24 any <> 172.16.30.0/24 23
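The header semantics described above (CIDR networks, the ! negation, single ports and open-ended port ranges, and the -> and <> direction operators) are worked out in the following Python matcher. This is an added example and not code from this course or from Snort; the function names are my own, and the packet tuples it is tested with are constructed from the rule examples above. It parses only the header part of a rule and ignores any options in parentheses.

```python
"""Snort rule-header matching (added example; not code from the course or Snort).

Implements the header semantics described above: protocol, source and
destination address (an address or CIDR network, 'any', optionally negated
with '!'), port (a single port, 'any', or a range written lo:hi, :hi or lo:,
optionally negated) and the '->' / '<>' direction operators.
"""
import ipaddress
import re
from dataclasses import dataclass

# Header only; anything in parentheses (the rule options) is ignored here.
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)"
)


@dataclass(frozen=True)
class Header:
    action: str
    proto: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str


def parse_header(rule_text: str) -> Header:
    """Parse the header part of a rule; options in parentheses are skipped."""
    m = HEADER_RE.match(rule_text.strip())
    if not m:
        raise ValueError(f"not a Snort rule header: {rule_text!r}")
    return Header(m["action"], m["proto"], m["src_ip"], m["src_port"],
                  m["direction"], m["dst_ip"], m["dst_port"])


def _negated(spec: str):
    """Split a leading '!' off an address or port specification."""
    return (True, spec[1:]) if spec.startswith("!") else (False, spec)


def ip_matches(spec: str, addr: str) -> bool:
    neg, spec = _negated(spec)
    if spec == "any":
        hit = True
    else:
        # A bare address is treated as a /32 network.
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return hit != neg


def port_matches(spec: str, port: int) -> bool:
    neg, spec = _negated(spec)
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)  # ':1024' and '1024:' are open-ended ranges
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != neg


def header_matches(h: Header, proto: str, src: str, sport: int,
                   dst: str, dport: int) -> bool:
    """True if a packet (proto, src:sport -> dst:dport) matches the header."""
    if h.proto != "ip" and h.proto != proto:
        return False
    forward = (ip_matches(h.src_ip, src) and port_matches(h.src_port, sport)
               and ip_matches(h.dst_ip, dst) and port_matches(h.dst_port, dport))
    if forward or h.direction == "->":
        return forward
    # '<>' also accepts the packet with the two endpoints swapped.
    return (ip_matches(h.src_ip, dst) and port_matches(h.src_port, dport)
            and ip_matches(h.dst_ip, src) and port_matches(h.dst_port, sport))


if __name__ == "__main__":
    rule = parse_header("log tcp 10.0.10.0/24 any <> 172.16.30.0/24 23")
    # Constructed packets: a telnet request and the server's reply.
    print(header_matches(rule, "tcp", "10.0.10.4", 40000, "172.16.30.9", 23))  # True
    print(header_matches(rule, "tcp", "172.16.30.9", 23, "10.0.10.4", 40000))  # True
```

Note that <> is not a second rule: the packet is tried against the header both ways, which is why a single bidirectional log rule captures both halves of the telnet session.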
Option: Description
msg: Prints a defined message in the alert and packet logs.
ttl: Matches the IP header's Time To Live value.
id: Matches a specific value in the IP header's identification (ID) field.
flags: Matches the TCP flags against defined values.
ack: Matches the TCP acknowledgement number against a defined value.
content: Matches a defined value in the packet's payload.
There are more keywords than these. Check the man pages (if you are using a Linux box) or the Help files (if you are using a Windows box) for the full list. When the msg option is used in a rule, it tells the logging and alerting engine that there is a message that should be written along with the packet dump or alert. Here is the syntax for the msg option:
msg:"text here";
When the ttl option is used in a rule, it tells Snort to match a specific Time To Live value. In the form shown here it matches only an exact value, which can be useful for detecting traceroute, since traceroute sends probes with small, incrementing TTLs. The value is a number and is not quoted:
ttl:value;
When the id option is used in a rule, it tells Snort to match an exact value in the IP header's identification field (the field used to associate the fragments of one datagram). Some scanning tools set this field to a fixed, recognizable value. The value is not quoted:
id:value;
For the flags option, there are several suboptions, which are the flags that can be matched. The flags are defined in the rule by a single character:
F for FIN
S for SYN
R for RST
P for PSH
A for ACK
U for URG
2 for reserved bit 2 (the ECE bit in current TCP stacks)
1 for reserved bit 1 (the CWR bit, the most significant bit of the flags byte)
0 for no TCP flags set
With no modifier, the listed flags must be set and no others. Three modifiers change this: + matches if all of the listed flags are set, regardless of any others; * matches if any of the listed flags is set; and ! matches if none of the listed flags is set. The reserved bits can be used to detect scans or IP stack fingerprinting, because some scanners set them in combinations a normal stack does not send. Here is the syntax for the flags option:
flags:value(s);
The following rule shows a syntax that could be used to detect SYN/FIN scans (a packet with both SYN and FIN set is not produced by a normal TCP stack):
alert tcp any any -> 10.0.10.0/24 any (flags:SF; msg:"SYN FIN Scan Possible";)
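The following Python implements the flags comparison as described, as an added example rather than code from the course or from Snort. It covers the exact, +, * and ! modes, the 0 value for no flags, and Snort's optional mask (written after a comma, as in flags:S,12), which names bits to ignore before comparing. The packets and the reduced rule list are constructed for the example, and the helper names are my own.

```python
"""TCP flags matching as Snort's flags option does it (added example; not course
or Snort code). Bit values follow the TCP flags byte: reserved bit 1 is the
most significant bit (CWR in current stacks) and reserved bit 2 is ECE.
"""

FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80,
}

MODES = {"+": "all", "*": "any", "!": "not"}


def _bits(letters: str) -> int:
    """Translate flag letters to a bit mask; '0' means 'no flags' (mask 0)."""
    value = 0
    for ch in letters.strip():
        if ch == "0":
            continue
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag {ch!r}")
        value |= FLAG_BITS[ch]
    return value


def parse_flags_option(option: str):
    """Parse flags option text such as 'SF', '+S', '!A' or 'S,12' (with mask)."""
    option = option.strip()
    mode = "exact"
    if option and option[0] in MODES:
        mode, option = MODES[option[0]], option[1:]
    check, _, mask = option.partition(",")   # bits after the comma are ignored
    return mode, _bits(check), _bits(mask)


def flags_match(option: str, packet_flags: int) -> bool:
    mode, check, mask = parse_flags_option(option)
    flags = packet_flags & (0xFF ^ mask)       # drop masked bits before comparing
    if mode == "exact":
        return flags == check                  # listed bits set and no others
    if mode == "all":
        return flags & check == check          # listed bits set, others ignored
    if mode == "any":
        return flags & check != 0              # at least one listed bit set
    return flags & check == 0                  # 'not': none of the listed bits


# Constructed packets: (description, flags byte)
SAMPLE_PACKETS = [
    ("plain SYN", 0x02),
    ("SYN/ACK", 0x12),
    ("SYN+FIN scan probe", 0x03),
    ("SYN with both reserved bits", 0xC2),  # old nmap OS probe, or an ECN SYN
    ("bare ACK probe", 0x10),
]

# Rules reduced to (msg, flags option) for this example.
SAMPLE_RULES = [
    ("SYN FIN Scan Possible", "SF"),
    ("O/S Fingerprint detected", "S12"),
    ("SYN with anything", "+S"),
]


def alerts_for(packets=SAMPLE_PACKETS, rules=SAMPLE_RULES):
    """Return [(packet description, msg)] for every rule that fires."""
    return [(desc, msg) for desc, flags in packets
            for msg, option in rules if flags_match(option, flags)]


if __name__ == "__main__":
    for desc, msg in alerts_for():
        print(f"{desc:30} -> {msg}")
```

Note what the S12 rule fires on: an ECN-capable host sets the same two bits (CWR and ECE) on a legitimate SYN, so on a modern network that signature will also alert on ordinary ECN negotiation. Masking the reserved bits (flags:S,12) or adding further checks is needed to tell the two apart.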
When the ack option is used in a rule, it tells Snort to match a specific acknowledgement number in the TCP header. The network mapping tool Nmap uses ACK packets to determine whether a remote host is active, and older versions sent them with an acknowledgement number of 0, which this option can catch. The value is not quoted:
ack:value;
The content keyword might be the most important keyword that Snort has available. When you use this option in a rule, Snort examines the payload of the packet and checks it against the defined content. Snort uses a Boyer-Moore pattern-match function. (Pattern matching is more expensive than the other options, so take care not to overuse it on slower machines.) The match is case-sensitive unless the nocase modifier is added, so the word Test and the word test are two different things. The complexity of this option comes in defining the data to match: it can be entered as plain text, as binary bytecode, or as a mix of the two. (Bytecode is a hexadecimal representation of binary data, enclosed in pipe characters, for example |3a| for a colon.) The basic syntax is similar to the other options:
content:"content value";
Note: Even when the protocol is ICMP, which has no ports, Snort requires the port fields to be present, so use the word any.
To find attempts at OS fingerprinting (a SYN with both reserved bits set):
alert tcp any any -> 10.0.10.0/24 any (msg:"O/S Fingerprint detected"; flags:S12;)
Note: Rules can use the $HOME_NET variable in place of a literal destination network; the variable is defined in snort.conf.
Now that you have looked at several example rules, lets put them together and create a ruleset for Snort.
Snort reserves SIDs below 1,000,000 for the rules distributed with Snort (and below 100 for internal use); SIDs of 1,000,000 and above are for local rules. A great resource called www.bleedingsnort.com uses SIDs in the 2,000,000 range. When you develop your own local rules, as long as every rule has a unique number of 1,000,000 or above, your rules will not have a SID conflict. However, it is a good idea to start from a higher number, such as 4,000,000, because organizations that publish rules, such as Bleeding Snort, may be using the lower ranges.
TASK 8C-1
Creating a Simple Ruleset
Objective: To create a ruleset that logs all TCP traffic, alerts on ping, and alerts on the use of the word password.
1. Open Notepad and enter the following three rules, each on a single line:
log tcp any any <> any any (msg:"TCP Traffic Logged"; sid:10000001;)
alert icmp any any <> any any (msg:"ICMP Traffic Alerted"; sid:10000002;)
alert tcp any any <> any any (content:"password"; msg:"Possible Password Transmitted"; sid:10000003;)
Note that content matching is case-sensitive by default, so the third rule would not fire on Password; the nocase modifier, covered later in this lesson, removes that restriction.
2. Save the file as "C:\Snort\rules\myrule.rules", including the quotes, and close Notepad. The quotes prevent Notepad from adding a .txt extension, keeping .rules as the extension.
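The SID guidance is easy to violate by accident once a local rules file grows, so here is a small Python checker, added as an example (not code from the course or from Snort), that reads a rules file and reports a missing sid or msg, a sid below 1,000,000 (the range reserved for distributed rules), a duplicate sid, and a missing rev. The sample rules file is constructed from the three rules above plus two deliberately bad lines; the function names are my own.

```python
"""Lint a local Snort rules file for sid problems (added example; not course
or Snort code). Checks: missing sid or msg, sid in the reserved range below
1,000,000, duplicate sid, missing rev.
"""
import re

LOCAL_SID_MIN = 1_000_000

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"[^"]*"\s*;')


def lint_rules(text: str):
    """Return a list of (line number, problem) tuples, in file order."""
    problems = []
    seen = {}   # sid -> first line number it appeared on
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank lines and comments
        if not MSG_RE.search(line):
            problems.append((lineno, "missing msg"))
        m = SID_RE.search(line)
        if not m:
            problems.append((lineno, "missing sid"))
            continue
        sid = int(m.group(1))
        if sid < LOCAL_SID_MIN:
            problems.append((lineno, f"sid {sid} is below {LOCAL_SID_MIN}, "
                                     "the range reserved for distributed rules"))
        if sid in seen:
            problems.append((lineno, f"duplicate sid {sid}, first used on line {seen[sid]}"))
        else:
            seen[sid] = lineno
        if not REV_RE.search(line):
            problems.append((lineno, "missing rev (add rev:1; and bump it on every change)"))
    return problems


# Constructed sample: the three rules from the task, then two bad lines.
SAMPLE_RULES = """\
# myrule.rules
log tcp any any <> any any (msg:"TCP Traffic Logged"; sid:10000001; rev:1;)
alert icmp any any <> any any (msg:"ICMP Traffic Alerted"; sid:10000002; rev:1;)
alert tcp any any <> any any (content:"password"; msg:"Possible Password Transmitted"; sid:10000003;)
alert tcp any any -> any 23 (msg:"Telnet seen"; sid:10000001; rev:1;)
alert tcp any any -> any 80 (content:"/etc/shadow"; sid:1372; rev:1;)
"""


if __name__ == "__main__":
    for lineno, problem in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {problem}")
```

Run it over your rules directory before loading a new file: a duplicate sid makes two different rules indistinguishable in the alert output, and a sid in the reserved range will collide with a distributed rule sooner or later.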
TASK 8C-2
Testing the Ruleset
Note: Perform the following step on all student computers.
1. Clear the \Snort\log folder and open two command prompts. If you want to save the old logs to another location, do so first.
Note: Perform the following step only if you are designated as Host One.
2. If necessary, change to the directory where you installed Snort. Enter snort -d -e -v -iX -c \Snort\rules\myrule.rules -l \Snort\log (replacing X with your interface number) to run Snort using the new ruleset.
Note: Perform the following step only if you are designated as Host Two.
3. Once Host One is running Snort, ping Host One by its IP address. Then enter net send [ip_address] Here is my password, where [ip_address] is the IP address of your partner's computer. The message crosses the network in clear text, which is what the content rule detects.
Note: Perform the following step only if you are designated as Host One.
4. When you receive the message, click OK, and then stop Snort by pressing Ctrl+C.
Note: Perform the following step only if you are designated as Host Two.
5. If necessary, change to the directory where you installed Snort. Enter snort -d -e -v -iX -c \Snort\rules\myrule.rules -l \Snort\log to run Snort using the new ruleset.
Note: Perform the following step only if you are designated as Host One.
6. Once Host Two is running Snort, ping Host Two by its IP address. Then enter net send [ip_address] Here is my password, where [ip_address] is the IP address of your partner's computer.
Note: Perform the following step only if you are designated as Host Two.
7. When you receive the message, click OK, and stop Snort by pressing Ctrl+C.
Note: Perform the following steps on all student computers.
8. Examine the log files for the alerts and logs that were generated, and compare them to the ruleset and to your scan from earlier. To look at the alert data, right-click the alert.ids file, open it with WordPad, and examine the alerts.
9. Close all open windows.
Metadata Options
Metadata options are where you describe characteristics of the rule itself. One example is the message (msg), which you looked at previously in this lesson. Another is the Snort rule ID (sid). You can also define a reference for more information about the event. Here is a quick list of metadata options:
msg: Inserts a human-readable message.
sid: Defines the unique Snort rule ID for the rule.
classtype: Classifies the type of event.
priority: Defines the priority level of the event, overriding the level implied by the classtype.
reference: Defines an external reference for more information about the event, written as a reference system and an identifier (a URL with the url system, or an identifier such as a CVE or Bugtraq number). The url system prepends http:// itself, so the scheme is left off the value.
rev: Defines the revision number of the rule; increment it each time the rule changes, because sid and rev together identify a rule version.
Classtypes
Classtype and priority go together: each classification is tied to a priority level. There are three default levels of priority (high, medium, and low), with numeric values of 1 (high), 2 (medium), and 3 (low); you can override the level for a spec rule with the priority: option. The classtype categorizes events. There are many preconfigured classtypes (defined in classification.config), each assigned to one of the three default priority levels. The following table lists some of the default classtypes; the names are lowercase, exactly as they must appear in a rule.
Classtype: Description (Priority)
attempted-admin: Attempted administrator privilege gain (High)
attempted-user: Attempted user privilege gain (High)
shellcode-detect: Executable code was detected (High)
successful-admin: Successful administrator privilege gain (High)
trojan-activity: A network Trojan was detected (High)
web-application-attack: Web application attack (High)
attempted-recon: Attempted information leak (Medium)
suspicious-login: An attempted login using a suspicious user name was detected (Medium)
successful-dos: Denial-of-service attack (Medium)
unusual-client-port-connection: A network client was using an unusual port (Medium)
icmp-event: Generic ICMP event (Low)
network-scan: Detection of a network scan (Low)
Here is an example rule with the addition of these new options:
alert tcp $EXTERNAL_NET any -> 192.168.10.1 80 (msg:"Sample web access alert"; classtype:web-application-activity; reference:url,www.securitycertified.net; sid:10000023; rev:2;)
Walking through this rule from the beginning: it is an alert rule, looking at TCP as the protocol. It is designed to alert on traffic from the external network on any port to the machine at 192.168.10.1 on port 80. There is a simple message that states Sample web access alert, and the classtype has been defined as the built-in web-application-activity. As a reference for more information, a URL has been given, www.securitycertified.net (the url reference system adds the http:// prefix itself), and this is the second revision of the rule, which has a Snort rule ID of 10000023.
Rule Payload
The core of many IDSes is to examine the actual contents, or payload, of each packet. Snort can look inside the packet at the payload details to make a determination about that specic packet. There are many options for Snort here, and in this lesson, you will focus on a few specic options.
Content Keyword
In Snort, the content keyword might be the most important of all the keywords. It is how you define the specific content inside the packet's payload that Snort should look for when matching the rule. A critical point to keep in mind when defining content is that the data can be either text or binary. Binary data is written in bytecode format, enclosed in pipe (|) characters; bytecode is a way of representing binary data in hexadecimal. Text and bytecode can be mixed in one value, so a colon can be written as |3a|, as in http|3a|//. Within the quoted string, the semicolon, backslash and double quote must be escaped with a backslash, and the pipe is reserved for bytecode. This lesson writes the colon as |3a| throughout; newer Snort versions accept a literal colon inside the quoted string, but the bytecode form is always safe.
Other Keywords
The nocase keyword tells Snort to ignore case when looking for the content in a packet. nocase is a modifier, placed after the content keyword it applies to.
The depth keyword tells Snort how far into the payload to look for the pattern. With depth:5, Snort would only look for the pattern within the first 5 bytes of the payload (the whole pattern must fit within those bytes). Like nocase, depth is a modifier used after the content keyword.
The offset keyword tells Snort to skip a defined number of bytes before starting the search. With offset:5, Snort starts looking for the pattern at the sixth byte of the payload. offset is also a modifier and must be used after the content keyword. When offset and depth are combined, the depth is counted from the offset, so offset:2 with depth:10 searches payload bytes 2 through 11.
Here is an example rule with the addition of these new options:
alert tcp $EXTERNAL_NET any -> 192.168.10.1 80 (msg:"Sample web access alert"; content:"http|3a|//www.securitycertified.net/test.cgi?id=r00t"; nocase; offset:2; classtype:web-application-activity; reference:url,www.securitycertified.net; sid:10000025; rev:2;)
This rule is the same as the previous example, with some additions. The first is the content keyword: this rule looks for a payload containing a URL with id=r00t. Note that the colon of the URL is written as |3a|. The nocase modifier makes the match case-insensitive, and offset:2 skips the first 2 bytes of each payload before searching. Lastly, as this is a different rule, it has a different sid.
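To make the content modifiers concrete, here is a Python implementation of the content value syntax (mixed text and |hex| bytecode, with backslash escapes) and of nocase, offset and depth. It is an added example and not code from the course or from Snort; the HTTP payload is constructed for the example, and the function names are my own.

```python
"""Snort-style content matching with nocase/offset/depth (added example; not
course or Snort code).
"""
import re
from typing import Optional

_ESCAPED = re.compile(r'\\([;\\"])')   # \; \\ and \" inside a content string


def parse_content(spec: str) -> bytes:
    """Turn 'http|3a|//x' into bytes: text outside pipes, hex bytecode inside."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                                  # odd chunks sit between pipes
            out += bytes.fromhex(part)             # fromhex ignores whitespace
        else:
            out += _ESCAPED.sub(r"\1", part).encode("latin-1")
    return bytes(out)


def content_match(payload: bytes, spec: str, nocase: bool = False,
                  offset: int = 0, depth: Optional[int] = None) -> int:
    """Return the payload index where the content matches, or -1.

    offset: skip this many bytes before searching.
    depth:  search only this many bytes counted from the offset; the whole
            pattern must lie inside that window, as in Snort.
    """
    needle = parse_content(spec)
    if depth is not None and depth < len(needle):
        raise ValueError("depth shorter than the pattern can never match")
    end = len(payload) if depth is None else offset + depth
    window = payload[offset:end]
    pos = window.lower().find(needle.lower()) if nocase else window.find(needle)
    return -1 if pos < 0 else offset + pos


# Constructed request as a sensor might see it (an absolute URL, as a proxy
# request carries it); the attacker's case differs from the rule's.
SAMPLE_PAYLOAD = (
    b"GET HTTP://www.securitycertified.net/test.cgi?id=R00T HTTP/1.1\r\n"
    b"Host: www.securitycertified.net\r\n\r\n"
)
SAMPLE_CONTENT = "http|3a|//www.securitycertified.net/test.cgi?id=r00t"


def demo():
    """The rule from the text (nocase; offset:2) against the sample payload."""
    return {
        "nocase, offset 2": content_match(SAMPLE_PAYLOAD, SAMPLE_CONTENT,
                                          nocase=True, offset=2),
        "case-sensitive": content_match(SAMPLE_PAYLOAD, SAMPLE_CONTENT),
        # The 49-byte pattern starts at byte 4, so a 49-byte window from
        # offset 2 cannot contain all of it.
        "nocase, offset 2, depth 49": content_match(SAMPLE_PAYLOAD, SAMPLE_CONTENT,
                                                    nocase=True, offset=2, depth=49),
    }


if __name__ == "__main__":
    for label, index in demo().items():
        print(f"{label:28} -> {index}")
```

The case-sensitive result is the practical point: an attacker who capitalizes the scheme or the parameter value slips past a content match without nocase, which is why the rule in the text carries it. Conversely, offset and depth narrow the search window, which both speeds up matching and cuts false positives, but a depth that is too short silently turns the rule off.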
Tactical Perimeter Defense
Flow Control
The flow keyword gives you the flexibility to define packets in terms of their direction between the client and the server. This option works on TCP streams (it relies on the stream preprocessor's session tracking). The flow options, with a brief comment about each:
to_client: Matches a server response to a client.
to_server: Matches a request from a client to a server.
from_client: Matches packets sent from the client; equivalent to to_server.
from_server: Matches packets sent from the server; equivalent to to_client.
only_stream: Matches only on reassembled stream packets.
no_stream: Does not match reassembled stream packets.
established: Matches only packets that are part of an established TCP connection.
stateless: Matches packets regardless of connection state.
While there is no one correct way to write a Snort rule, there are some general guidelines that will make your writing more efficient and accurate. To start with, you want to be as precise as possible with your content matching. This will cut down on false matches and will cut down on the load on your system. A second guideline is to create rules to match the vulnerability, not the specic exploit. Writing rules that look for matches to the vulnerability will allow your IDS to still match traffic, even if an attacker makes a modication to the exploit.
Pre-configured Rules
It is vital that you know how to create rules for Snort, but no one wants to build something from scratch when it is already available with very little effort. The same applies to the basic rules for Snort. The default Snort installation comes with a selection of IDS rules for you to pick through and use, and many more are available for download at www.snort.org. There are three ways to receive Snort rules. If you need real-time rules, with the most current signatures available, you must become a subscriber to receive the Sourcefire VRT-certified rules. The subscriber rules are the ones you need if you are looking to address security issues as they arise, often with a new rule available within days of a new vulnerability being published. The second method is to become a registered user at www.snort.org. Registered users receive the same rules, but 30 days after they are made available to Sourcefire subscribers. The third way is to download the rules as an unregistered user; unregistered users get the ruleset that ships with every major Snort release.
In addition to the rules available from Snort, there are rules available from www.bleedingsnort.com. The bleedingsnort.com rules are very current and are submitted by people from all over the Internet. If you need absolute up-to-the-minute, experimental, and test rules, this is the place to find them. In this lesson, you will work with the Snort rules that are made available to everyone (unregistered) from www.snort.org.
TASK 8C-3
Examining Pre-configured Rules
1. Navigate to C:\Tools\Lesson8\Rules.
2. Copy all the .rules files to the C:\Snort\rules folder.
3. Navigate to the C:\Snort\rules folder.
4. Open the folder and browse through the pre-configured rules. You will come back to these files in a moment.
TASK 8C-4
Examining DDoS Rules
1. Navigate to the C:\Snort\rules folder.
2. Open the ddos.rules file with WordPad.
3. Based on these rules, what three ports does the DDoS tool Trin00 utilize? UDP 31335, TCP 27665, and UDP 27444.
4. Based on these rules, what icmp_id numbers does the DDoS tool Stacheldraht utilize? icmp_id values 666, 667, 668, 669, 1000, 6666, and 6667.
TASK 8C-5
Examining Backdoor Rules
1. Navigate to the C:\Snort\rules folder.
2. Open the backdoor.rules file with WordPad.
3. Based on this rule set, what service and port are the majority of the Linux rootkit attempts using? Telnet, on port 23.
4. Is the second SubSeven rule, with SID 107, looking for an attempt to place a Trojan on a computer in your network, or for evidence that a Trojan has already been placed on a computer in your network? It is looking for evidence that a Trojan is already in the network.
As an example of reading a pre-configured rule, consider the web-attacks rule with SID 1372, which watches for access to /etc/shadow. This rule is an alert, looking at TCP traffic from the external network on any port to your web servers on your web server ports; the web servers and web server ports are defined in the $HTTP_SERVERS and $HTTP_PORTS variables. The flow of the traffic is to the web server, over an established connection. The attacker is looking for the /etc/shadow file on a Linux/UNIX system. Case is not taken into consideration (nocase), the rule has a Snort rule ID of 1372, and it is the fifth revision. This rule lists the classtype as web-application-activity, but you might want to consider it a potential reconnaissance event.
If you have an older rule set, your web attack rules may vary.
TASK 8C-6
Examining Web Attack Rules
1. Navigate to the C:\Snort\rules folder.
2. Open the web-attacks.rules file.
3. Which rule is watching for an attacker adding a user account to the Administrators group? SID 1357.
4. In SID 1335, an attacker would send the command /bin/kill. What operating system is the web server likely running? Linux/UNIX.
5. Many of these rules contain the %20 characters. What does this mean? %20 is the URL encoding of a space character; the rule matches the encoded form as it appears in the request, so a space is expected where the %20 sits in the content portion of the rule.
TASK 8C-7
Examining IIS Rules
1. Navigate to the C:\Snort\rules folder.
2. Open the web-iis.rules file with WordPad.
3. The Code Red exploit has .ida? in the payload. Which SID would you look up online for more information about the rule that matches Code Red attacks? SID 1243.
4. The Code Red II exploit attempted to use /root.exe and has a Snort rule ID of 1256. If you wanted to learn more about this exploit, what URL would you use to find more information about Code Red? www.cert.org/advisories/CA-2001-19.html
Topic 8D
Configuring Snort to Use a Database
Snort Output Plug-ins
By now you can see that Snort can generate large volumes of data in the form of alerts, logs, and so on. Reading this data on screen while Snort is running is not realistic, so you need some other means of reading the data that Snort collects. Snort provides several output options through output plug-ins. In this section, you will configure Snort to send information to a MySQL database. Snort is not limited to MySQL; that is simply the choice for this lesson. You could also output to Oracle, SQL Server, any database reachable through unixODBC, and so on.
In addition to sending logs and alerts to a database, you can instruct Snort to send this data to a remote logging server via syslog. This is the directive to output locally in syslog format:
output alert_syslog: LOG_LOCAL2 LOG_ALERT
To send the data to a remote server, you point the syslog output at that server (in Snort 2.x the alert_syslog plug-in takes a host=<address>:<port> parameter ahead of the facility and priority; alternatively, configure the local syslog daemon to forward).
Another option is to output directly in the binary format that tcpdump reads. This is the directive to output in tcpdump format:
output log_tcpdump: snort.dump
The type of output you wish to use is configured in the snort.conf file. Remember, the output is set in snort.conf, not with a command-line switch. For this lesson, you will configure the system to output to a database. The following example shows what a basic entry for database logging looks like in snort.conf:
output database: log, mysql, user=username password=password dbname=snortdb host=localhost
Because this line stores the database password in clear text, restrict read access to snort.conf to the account that runs Snort, and give the database account only the privileges it needs.
TASK 8D-1
Editing Snort.Conf
1. Navigate to the C:\Snort\etc folder.
2. Open the snort.conf file with WordPad.
3. Scroll down in the file to the output database plug-in section.
4. Add the following line:
output database: log, mysql, user=snort password=snortpass dbname=snortdb1 host=localhost
5. Save and close the file.
TASK 8D-2
Installing MySQL
1. Navigate to the C:\Tools\Lesson8 folder.
2. Double-click the mysql-essentials-5.0.27-win32.msi file.
3. In the Welcome screen, click Next.
4. Select the Custom radio button and click Next.
5. Click the Change button. You are going to install to a location you choose.
6. In the Folder Name text box, type C:\Snort\mysql and click OK, and then click Next.
7. Verify the install directory location and click Install.
8. Once MySQL is installed, select the Skip Sign-Up radio button and click Next.
9. Verify that the Configure MySQL Server Now check box is checked, and click Finish.
10. In the Welcome screen, click Next.
11. Select the Standard Configuration radio button, and click Next.
Lesson 8: Configuring an IDS
12. Check the Include BIN Directory In Windows PATH check box, and click Next. (Note: leave the Install As Windows Service box checked.)
13. In the Root Password and Confirm text boxes, type and re-type sqlpass. Do not check the boxes to Enable Root Access From Remote Machines or Create An Anonymous Account, and then click Next.
14. To start the configuration, click Execute, and then click Finish to end the installation.
With MySQL now installed with the base configuration, you need to create the database that Snort is going to work with. In the following task, you will use both the MySQL command line and a script shipped with Snort. Snort comes with a script, create_mysql, that builds the database tables in MySQL. This script was placed on the system during the install of Snort: if you recall, you had the option to define the database/logging support you would use, and you selected the option that included support for MySQL.
TASK 8D-3
Creating the Snort Database
1. Navigate to the C:\Snort\schemas directory. Note the file create_mysql. This is the file you will use to build the database.
2. Choose Start > All Programs > MySQL > MySQL Server 5.0 > MySQL Command Line Client.
3. Enter your MySQL root password. Note: This should be sqlpass from the previous task.
4. Enter create database snortdb1;
5. Enter show databases;
6. Verify that the new snortdb1 database is listed alongside the default databases.
7. To switch to the new database, enter connect snortdb1;
8. To populate the database, enter source C:\Snort\schemas\create_mysql
9. To show the tables that were created by the script, enter show tables;
TASK 8D-4
Creating MySQL User Accounts
1. Choose Start > All Programs > MySQL > MySQL Server 5.0 > MySQL Command Line Client.
2. Enter your MySQL root password. Note: This should be sqlpass.
3. At the mysql> prompt, enter show databases;
4. Enter grant INSERT,SELECT,UPDATE on snortdb1.* to snort identified by 'snortpass'; (Note the quotes around the password. This form creates the account for connections from any host; because Snort connects to localhost, the next grant alone is sufficient, and is the safer choice on a production sensor.)
5. Enter grant INSERT,SELECT,UPDATE on snortdb1.* to snort@localhost identified by 'snortpass';
6. Enter flush privileges;
7. Enter exit;
8. Navigate to the C:\Snort\mysql folder.
9. Right-click my.ini and open the file with WordPad.
After:
sql-mode="NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
TASK 8D-5
Testing the New Configuration
Note: If you receive a WinPcap error, you can try using winpcap_3_1.exe.
1. Open a command prompt.
2. Navigate to the C:\Snort\bin folder.
3. Enter snort -d -e -v -iX (remember to change X to your network interface number, as before).
4. Watch to see that Snort is functional and is showing packets on screen. If you need to generate network traffic, ping a neighboring computer.
5. Press Ctrl+C to end Snort.
6. To see the full Snort system running, enter snort -d -e -v -iX -c C:\Snort\etc\snort.conf -l C:\Snort\log
7. Press Ctrl+C to stop Snort.
8. To see where Snort made the connection to the database, scroll back through the output.
Snort as a Service
While it may work for you to manually start and stop Snort to perform the occasional packet capture, in a working environment, you will likely want Snort on all the time. One way to achieve this is to install Snort as a service in Windows. The following task will walk you through the steps of adding a service, and then verify that it starts automatically.
TASK 8D-6
Configuring Snort as a Service
1. Open a command prompt.
2. Navigate to the C:\Snort\bin folder.
3. At the C:\Snort\bin> prompt, enter snort /SERVICE /INSTALL -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii -iX (remember to change X to your network interface number, as before). You will receive a prompt that the SNORT_SERVICE has been successfully installed. The service is registered to run as the LocalSystem account; on a production sensor, consider changing the Log On account in the service properties to a dedicated low-privilege account.
4. Close the command prompt.
5. Choose Start > Administrative Tools > Services.
6. In the right pane, scroll down to and double-click the Snort service.
7. In the Startup Type, change the setting from Manual to Automatic.
8. Click Apply.
9. To close the Snort Properties window, click OK. Do NOT click Start at this time.
10. Close the Services window.
11. To verify that the Snort service starts automatically, restart your server.
12. When the server restarts, log on as Administrator.
13. Right-click the taskbar and choose Task Manager.
14. Select the Processes tab, and verify that both the Snort and mysql processes are running.
15. Select the Snort process, and note the amount of memory allocated to it. As you can see, Snort is a memory-intensive process.
16. Close the Task Manager.
Topic 8E
Running an IDS on Linux
LAMP On SuSe
While this lesson, up to this point, has focused on the use of Snort, to make the system more functional you need a way to read, sort, and view all the data that Snort collects. In the previous section you saw how to set up Snort to write to a MySQL database while running on a Windows system. In this section, you will configure Linux with the supporting system to read the Snort data via a web browser. This requires building a LAMP server. LAMP stands for Linux, Apache, MySQL, and PHP (you may also see the P refer to Python or Perl, but in this case it is PHP). In addition to the LAMP components, you will install nmap, a tool you will use later in the lesson to generate network scanning traffic. In SuSE Linux 10, many of the components required to build the environment for Snort are available and ready for installation. Other components require you to connect to the Internet to get the current version. In this lesson, the specific versions are detailed. Keep in mind that if you use a different version, it is possible, and even likely, that these steps will not work.
TASK 8E-1
Installing LAMP Components
1. Log in to your Linux server as root.
2. From the Computer menu, choose Install Software.
3. In the Software list, scroll down and check the following check boxes:
lamp_server (i586)
nmap (i586)
php5-gd (i586)
php5-mysql (i586)
php5-mysqli (i586)
php5-pear (i586)
snort (i586)
webalizer (i586)
4. Verify that you have checked these components, and click Install.
5. The additional packages required for these components to run properly are listed. Review the list to see how many smaller pieces are required, and then click Apply.
6. If you are prompted for the Novell media, insert the CD or DVD now, and click OK. Note: it may take several minutes to install these packages.
7. Once the files have been copied, you will see an Installation Was Successful prompt. Click Close.
8. Close the Software Installer.
In the following task, you will turn on your Apache server and verify that PHP is properly installed and running. If your server does not reply with the test screen, you must check your installation. Without a functional PHP and Apache Server, you will not be able to complete the tasks in this topic.
TASK 8E-2
Apache and PHP Test
1. From the Computer menu, choose YaST.
2. On the left side, click System, and then click System Services (Runlevel).
3. Scroll down and highlight apache2.
4. Click Enable, and if you see a pop-up message about dependencies, click Continue.
5. In the success pop-up, click OK.
6. To close the System Services window, click Finish.
7. To save the Runlevel changes, click Yes.
8. Close YaST.
9. From the Computer menu, choose Firefox.
10. In the address bar, enter http://localhost
11. If your server is running, you will get the message It works! If not, carefully repeat the installation steps.
12. Close the browser, and navigate to the /srv/www/htdocs directory.
13. Inside /srv/www/htdocs, create a new document named info.php
14. Right-click this document and open it with Gedit.
15. Enter <?php phpinfo(); ?> and then save and close the file. (Note: If you made the file using the File Manager, you must right-click it and edit the permissions so that the Others group has read access.)
16. Open the web browser.
17. In the address bar, enter http://localhost/info.php
18. You will see a screen that presents all the local PHP information. This summary details the PHP install on your system.
19. Close the web browser. Because info.php reveals the PHP version, loaded modules and file system paths to anyone who can reach the server, delete it once you have verified the installation.
TASK 8E-3
Configure Snort on Linux
1. Open your file browser, and navigate to /etc/snort.
2. To open the file with Gedit, double-click snort.conf.
3. Edit these lines in your snort.conf file:
var HOME_NET 172.X.0.0/16 (replace the X based on your address in the network)
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
output database: log, mysql, user=snort password=snortpass dbname=snortdb1 host=localhost
4. Save and close the file. (The output line contains the database password in clear text, so make sure snort.conf is readable only by root.)
5. From the Computer menu, choose YaST.
6. Click System, then click System Services (Runlevel).
7. Scroll down, highlight mysql, and click Enable. Click Continue To Enable The Dependencies, and then click OK.
8. Scroll down and highlight snort, and click Enable. Note the message prompt, and click OK.
9. Click Finish, and then click Yes to save the changes to the run levels, and then close YaST.
Remember that when you work with MySQL, each of your commands ends with the ; character. If your install is not done on the SuSE platform with the software installer, the location of your Snort files will likely be different. In this task, you will assign a password to the root account, create the snort account and assign it a password, and build the database. Only the snort account needs privileges on snortdb1.
TASK 8E-4
Configuring MySQL for Snort
1. Open a Terminal.
2. Enter the following commands (press Enter after each command; when mysql prompts for a password the second time, type rootpass):
mysql
SET PASSWORD FOR root@localhost=PASSWORD('rootpass');
create database snortdb1;
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snortdb1.* to snort identified by 'snortpass';
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snortdb1.* to snort@localhost identified by 'snortpass';
exit
mysql -u root -p
connect snortdb1;
source /usr/share/doc/packages/snort/schemas/create_mysql;
show databases;
use snortdb1;
show tables;
Do not give -p the password as a separate argument (mysql -u root -p rootpass): mysql would treat rootpass as the database name and prompt anyway, and a password on the command line is visible in the process list and shell history.
3. If you see the table listing, with 16 rows, you have successfully created the database and you can proceed. If not, follow this task again carefully; every step must be exact.
4. At the mysql> prompt, enter exit
5. Close the Terminal window.
TASK 8E-5
Testing Snort Connectivity to the Database
1. Open a Terminal window.
2. Enter snort -d -e -v -c /etc/snort/snort.conf -l /var/log/snort
3. It may take a moment, but you should see Snort load and make the connection to the database. If you get an error message, verify that all the lines in your snort.conf file are correct and that MySQL is configured properly.
4. Press Ctrl+C to stop Snort. (Ctrl+Z would only suspend the process, leaving it in the background holding the interface; Ctrl+C makes Snort exit and print its summary.)
5. Scroll up to see where Snort made the connection to the database. Once successful, close the Terminal window.
TASK 8E-6
Downloading ADOdb and BASE
1. Open a Terminal window.
2. Enter the following commands:
cd /
mkdir download
cd /download
ls
cd /Tools/Lesson8
ls
cp adodb493a.gz /download
cp base-1.2.7.tar.gz /download
cd /download
ls
With these two files copied, you are ready to install them. The install steps are straightforward; however, there is one configuration file for BASE that you will need to edit. This file, base_conf.php, needs to know where ADOdb is installed and how to connect to the Snort database you made in MySQL. In the following task, you will install these two packages and configure the BASE PHP file.
TASK 8E-7
Installing ADOdb and BASE
1. Open a Terminal window.
2. Enter the following commands:
   cd /download
   cp adodb493a.gz /srv/www
   cd /srv/www
   tar -xvzf adodb493a.gz
   rm -rf adodb493a.gz
   cd /download
   cp base-1.2.7.tar.gz /srv/www/htdocs
   cd /srv/www/htdocs
   tar -xvzf base-1.2.7.tar.gz
   rm -rf base-1.2.7.tar.gz
   mv base-1.2.7 base
   cd /srv/www/htdocs/base
   cp base_conf.php.dist base_conf.php
   Be sure you type these commands exactly.
3. Once you have created the new base_conf.php file by copying it, you can close the Terminal window.
4. In the file browser, navigate to /srv/www/htdocs/base and open base_conf.php with Gedit.
5. Edit the file so that the following changes take place (the values are PHP strings, so keep the quotes):
   $BASE_urlpath = "/base";
   $DBlib_path = "/srv/www/adodb/";
   $alert_dbname = "snortdb1";
   $alert_host = "localhost";
   $alert_port = "";
   $alert_user = "snort";
   $alert_password = "snortpass";
6. 7.
Configuring BASE
You have just about finished with the steps to getting your system operational. There is one last configuration that is required once the BASE console is running. In this last task, you will need to tell BASE how to set up the database. Once this last step is complete, your system will be ready to go.
TASK 8E-8
Configuring BASE
1. Open a web browser.
2. In the address bar, enter http://localhost/base/base_main.php
3. You will receive a message that the underlying database appears to be incomplete/invalid. Click the Setup Page link.
4. On the next page, click the Create BASE AG button on the right side of the page.
5. If you get a Security Warning, click Continue.
6. The required items will be successfully created. Click the Main Page link at the bottom of the page.
7. You are now at the default page of your new BASE console.
This next task is not a requirement specific to the BASE console, but it is required for remote access to your web server. Later in this lesson, you are going to generate some events through the web server. In order for a simulated attacker to be able to connect to your web server, it must be enabled for others to access. By default, the firewall in your installation does not allow this. In the following task, you will turn on the HTTP service through the firewall.
TASK 8E-9
Configuring the Firewall to Allow HTTP
1. From the Computer menu, choose YaST.
2. Click Security And Users, and then click Firewall.
3. On the left side, click Allowed Services.
4. From the Service To Allow drop-down list, select HTTP Server.
5. Click the Add button to the right of the drop-down list.
6. Click Next, and then click Accept.
7. Close YaST.
TASK 8E-10
Generating Portscan Snort Events
Setup: This task requires students to work in pairs.
1. Right-click the desktop and open a Terminal.
2. To start Snort, enter snort -d -e -v -c /etc/snort/snort.conf -l /var/log/snort
3. Keep the Snort window open.
4. Right-click the desktop and open a second Terminal.
5. Verify that your partner has Snort started.
6. In your second Terminal, replacing a.b.c.d with your partner's IP address, enter
   nmap -sS a.b.c.d --system-dns
   nmap -sX a.b.c.d --system-dns
   nmap -sN a.b.c.d --system-dns
   nmap -sF a.b.c.d --system-dns
   nmap -O a.b.c.d --system-dns
7. When your partner has finished running these nmap scans, close your nmap Terminal, and proceed to the next step.
8. In your Snort Terminal, press Ctrl+Z to stop Snort.
9. Open a web browser, and enter http://localhost/base/base_main.php in the address bar.
10. Note that you will have new Portscan Traffic found (you may need to scroll down in your window to see this).
11. Scroll down in your browser, and click the Percentage link to the right of Portscan Traffic.
12. Here you can see the scans that were detected. Click any of the event IDs on the left side. These will likely start with #0, or something similar, on your system.
13. Review the details of this event.
14. Keep your Snort Terminal open, keep the BASE console open, and open a second web browser for the next task.
In the previous task, you generated simple Portscan traffic, which Snort reported and which you analyzed in your BASE console. In this next task, you will generate web attack traffic. These will be simple URL requests to your web server. You will start Snort in your Terminal window, then open a web browser and make several requests of your partner's server. You will then view the results of these actions in your BASE console.
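The Portscan Traffic that BASE reports in steps 10 through 12 comes from Snort's portscan preprocessor. As an added illustration that is not part of the course and not Snort's own code, the following Python block implements the core idea behind that preprocessor: count the distinct destination ports a single source touches on one host inside a time window, and label the probe by its TCP flags (the SYN, NULL, FIN and Xmas patterns of the scans run in step 6). The threshold, the window, the record format and the sample events are assumptions and constructed data, not values taken from Snort's configuration.

```python
"""Toy TCP port-scan detector, in the spirit of what Snort's portscan
preprocessor reports in BASE as "Portscan Traffic".

Added example, not code from the course or from Snort. The record format,
the thresholds and the sample events are assumptions / constructed data.
"""
from collections import defaultdict, deque

THRESHOLD = 10   # distinct destination ports from one source to one host ...
WINDOW = 20      # ... within this many seconds (assumed values)


def classify_probe(flags):
    """Label a probe by its TCP flags, the way an analyst reads them in BASE.

    flags is a string of single-letter flag codes: S=SYN, A=ACK, F=FIN,
    P=PSH, U=URG, R=RST (constructed notation for this example).
    """
    f = set(flags)
    if not f:
        return "NULL"          # no flags at all
    if f == {"S"}:
        return "SYN"           # half-open connection attempt
    if f == {"F"}:
        return "FIN"
    if f == {"F", "P", "U"}:
        return "XMAS"
    return "other"             # normal traffic carries ACK, SYN+ACK, PSH+ACK ...


def detect_portscans(events, threshold=THRESHOLD, window=WINDOW):
    """Return {(src, dst): (first_alert_time, probe_type)} for every source
    that probed at least `threshold` distinct ports on `dst` within `window`
    seconds.  events: iterable of (timestamp, src, dst, dst_port, flags)."""
    history = defaultdict(deque)   # (src, dst) -> deque of (timestamp, port)
    alerts = {}
    for ts, src, dst, port, flags in sorted(events):
        key = (src, dst)
        dq = history[key]
        dq.append((ts, port))
        while dq and ts - dq[0][0] > window:   # drop records outside the window
            dq.popleft()
        if key not in alerts and len({p for _, p in dq}) >= threshold:
            alerts[key] = (ts, classify_probe(flags))
    return alerts


# Constructed sample events using RFC 5737 documentation addresses.
COMMON_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3306]
SAMPLE_EVENTS = (
    # fast SYN scan: 15 ports in 15 seconds -> alert when the 10th port is hit
    [(1000 + i, "192.0.2.10", "192.0.2.20", p, "S") for i, p in enumerate(COMMON_PORTS)]
    # NULL scan (no flags) from a second host
    + [(2000 + i, "192.0.2.11", "192.0.2.20", p, "") for i, p in enumerate(COMMON_PORTS[:12])]
    # ordinary client that only talks to two services
    + [(3000, "192.0.2.30", "192.0.2.20", 80, "S"), (3001, "192.0.2.30", "192.0.2.20", 443, "S")]
    # slow scan: one port every 30 s never accumulates 10 ports inside a 20 s window
    + [(4000 + 30 * i, "192.0.2.40", "192.0.2.20", p, "S") for i, p in enumerate(COMMON_PORTS[:12])]
)

if __name__ == "__main__":
    for (src, dst), (ts, kind) in detect_portscans(SAMPLE_EVENTS).items():
        print(f"t={ts}: {kind} portscan from {src} against {dst}")
```

The slow scanner in the sample shows the classic blind spot of a fixed window: spacing probes 30 seconds apart never accumulates ten ports inside 20 seconds, so the window and threshold are a trade-off between missing slow scans and raising false alarms on busy clients, which is exactly the tuning Snort's portscan preprocessor exposes through its sensitivity settings.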
TASK 8E-11
Generating Web Snort Events
Setup: This task requires students to work in pairs: one student runs the Snort IDS, and the other operates an attacking Windows machine. It is suggested to go through the task twice, with students switching roles the second time through.
1. On the Linux machine running Snort, open your Snort Terminal, and enter snort -d -e -v -c /etc/snort/snort.conf -l /var/log/snort
Steps 2 through 6 are to be done on the Windows Server 2003 machine.
2. Verify that your partner has started Snort.
3. Open a web browser, and connect to http://your.partners.ip.address
4. Verify that you see the It works! default page. If you do not see this message, check that the HTTP service is allowed on the web server.
5. In the web browser, enter the following URL requests. Note: These will be unsuccessful, which is fine for this task:
   http://your.partners.ip.address/../../
   http://your.partners.ip.address/../../bin/sh
6. Close the web browser.
Steps 7 through 12 are to be done on the Linux IDS machine.
7. On the Linux machine running the Snort IDS, switch to your Snort Terminal, and press Ctrl+Z.
8. Open your BASE console.
9. Notice that you now have new alerts; this time they are TCP alerts.
10. Click the percentage next to TCP to analyze the alerts.
11. Answer the following questions:
    What is the name of this signature? (http_inspect) WEBROOT DIRECTORY TRAVERSAL
    How can you learn more about this event through BASE? Click the Snort link next to the name.
    What flags were set on this event? ACK and PSH.
12. Close all open windows.
You have now configured all the components of running a full-fledged Network Intrusion Detection System. The default configuration of Snort uses many different rulesets, which you can define in the snort.conf file. In your environment, you will need to craft rules for your specific requirements or use the predefined rulesets.
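As an added example (not Snort's http_inspect code and not part of the course), the following Python block implements the check behind the WEBROOT DIRECTORY TRAVERSAL signature seen in step 11: it percent-decodes and normalises the request path and flags any request whose path climbs above the web root, like the two URLs requested in step 5. The access-log lines it scans are constructed in Apache's combined format with RFC 5737 documentation addresses; the log layout and the double-decoding heuristic are assumptions.

```python
"""Detect web-root directory traversal in HTTP request URIs.

Added example, not Snort's http_inspect code. The request path is
percent-decoded, '.' and '..' segments are resolved, and a request is
flagged when the resolved path escapes the web root. Log lines are
constructed in Apache combined-log style.
"""
import re
from urllib.parse import unquote

# Apache combined-log prefix: client, ident, user, [timestamp], "METHOD URI PROTO", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: the two requests from the task, a harmless '..' that
# stays inside the root, and a percent-encoded traversal attempt.
SAMPLE_LOG = """\
192.0.2.55 - - [10/Oct/2007:13:55:36 -0700] "GET / HTTP/1.1" 200 45
192.0.2.55 - - [10/Oct/2007:13:55:40 -0700] "GET /../../ HTTP/1.1" 400 226
192.0.2.55 - - [10/Oct/2007:13:55:44 -0700] "GET /../../bin/sh HTTP/1.1" 400 226
192.0.2.56 - - [10/Oct/2007:13:56:01 -0700] "GET /images/../index.html HTTP/1.1" 200 45
192.0.2.57 - - [10/Oct/2007:13:56:10 -0700] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 196
"""


def escapes_webroot(uri):
    """True if the path part of `uri`, after decoding and normalisation,
    ever climbs above the web root (depth below zero)."""
    path = uri.split("?", 1)[0]
    # Decode twice so a double-encoded %252e is seen too (heuristic, assumed).
    decoded = unquote(unquote(path)).replace("\\", "/")
    depth = 0
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue              # empty or current-directory segment: no change
        if segment == "..":
            depth -= 1
            if depth < 0:         # tried to go above the root
                return True
        else:
            depth += 1
    return False


def scan_log(text):
    """Return [(client, uri)] for every parseable request that escapes the root."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue              # skip malformed lines rather than crash
        if escapes_webroot(m.group("uri")):
            alerts.append((m.group("src"), m.group("uri")))
    return alerts


if __name__ == "__main__":
    for client, uri in scan_log(SAMPLE_LOG):
        print(f"WEBROOT traversal attempt from {client}: {uri}")
```

Running scan_log on the sample flags the two requests from the task plus the percent-encoded variant, while /images/../index.html, which resolves to a path inside the root, is not reported. A production preprocessor has to normalise more than this (overlong UTF-8, IIS-style encodings, and so on), which is why http_inspect carries its own normalisation options in snort.conf.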
If you have time, have your students turn on Snort again, and then you can generate some events, scanning, web events, etc. Ask your students to identify what you did by analyzing their BASE consoles.
Summary
In this lesson, you identified that there are many different types of IDSes, and you implemented the world's favorite free IDS, Snort. You used Snort as a network-based IDS tool that is designed to monitor TCP/IP networks, looking for suspicious traffic and direct network attacks. You learned that Snort enables system administrators to collect enough data to make informed decisions on the best course of action when an intrusion is detected. You then built a fully functional network IDS on Linux, including the BASE console for alert analysis.
Lesson Review
8A What protocols does Snort support?
   TCP, UDP, IP, and ICMP.
   What are the four primary parts of the Snort.conf file?
   Variables, preprocessors, output plug-ins, and rulesets.
8D What Snort file must you edit in order to have Snort connect to a database?
   Snort.conf
   At the mysql prompt, what is the command to make a new database, called snortdb1?
   create database snortdb1;
8E What scripting does Apache need to have configured in order for your BASE console to work?
   PHP
   What are the components of a LAMP server?
   Linux, Apache, MySQL, and PHP.
LESSON 9
Securing Wireless Networks
Data Files: dotnetfx.exe, NetStumblerInstaller_0_4_0
Lesson Time: 8 hours
Objectives
To secure a wireless network, you will:
9A Examine the fundamental issues of wireless networking. You will identify and examine the equipment, media, and systems of wireless networking.
9B Describe the fundamentals of wireless local area networks. You will describe how WLANs function, including the 802.11 framing options, the essentials of WLAN configurations, and the threats that exist to the WLAN.
9C Implement wireless security solutions. You will implement WEP, SSID broadcast disabling, MAC address filtering, and WPA as security solutions to the wireless network.
9D Audit the wireless network. You will use leading tools, such as OmniPeek Personal and NetStumbler, to audit a wireless network.
9E Describe the implementation of a wireless trusted network, a wireless PKI. You will examine the components required to implement and the procedure for implementing a wireless trusted network.
Topic 9A
Wireless Networking Fundamentals
Not too long ago, the concept of a network inside an office that had no wires running to and from the client computers seemed a bit far-fetched. Perhaps in the future, many people said, but not for a while. Fast forward only a few short years, and you are in the future. Wireless networks are here now. The idea of a mobile workforce, able to move through an office, city, or country, and connect no matter where they are located, has become very desirable to many organizations. The enterprise network now must include options for users to move and have their connection stay with them.

In addition to the idea of a mobile workforce, other factors are pushing the implementation of wireless networks. New networks can be deployed faster, and often cheaper, if they are wireless versus wired. Buildings where running cable is cost prohibitive, such as offices across a street or city block, are finding wireless the best option. Companies that have chosen architectural buildings for their appearance may find those buildings marked as historical landmarks, where running cables may not be allowed. All of these reasons make the option of a network without wires seem like the perfect solution.

But what may seem like a perfect solution has serious issues upon closer inspection. Even though the network experience may seem the same to end users, there are major differences between wireless networks and their wired counterparts. Where two computers communicating in a wired network have a single cable connecting each end point, there is no such cable for the wireless network. It is this lack of cable that causes the problems. For most enterprises, not much of the security policy and effort is spent on the physical medium. There may be systems in place to try to prevent cable splicing, or physical security systems that guard the cable. The wireless network cannot employ these systems.
Wireless Equipment
As you may expect, there are unique pieces of equipment used to run the wireless network. Although many of these pieces perform tasks similar to their wired counterparts, the wireless network equipment requires specific examination. The physical pieces used in the wireless network require careful placement because the location of the devices can affect the security and performance of the network.
Access Points
The centerpiece, literally, of the wireless network is the Wireless Access Point. The full acronym for this is WAP, but in the context of this lesson, the acronym AP (for access point) will be used. This is to eliminate confusion with the other wireless networking acronym of the same name, which is Wireless Application Protocol. The function of the AP in the wireless network is similar to that of the switch in the wired network. Individual components of the network communicate to and from the AP in order to communicate with other network components. Each AP will have at least one, and usually two antennas. By having multiple antennas, the AP is able to cancel out any duplicating radio waves that may reach the AP.
Antennas
Whereas the AP of the wireless network is similar to the switch in the wired network, and the network cards of both the wireless and wired networks have the same functionality, there is one component of the wireless network that is not found in the wired networks. This component is the antenna. The antenna itself becomes an extension of the transmitter or receiver. When an access point transmits a signal, it is passed from the internal signal generation components to the antenna, then transmitted through the air to a receiving antenna, which pulls the signal into the device. You can use an antenna whose construction and aiming are designed to increase its ability to pull in a good signal. This increase is called the gain of the antenna. Although there are many subtypes of antennas, there are three common types used to increase the range of wireless networks: the yagi, parabolic, and omni-directional antennas. The yagi antenna is one that is designed to be very directional. Yagi antennas may be enclosed in a tube, as shown in Figure 9-3, or they may be open, like the traditional over-the-air television antennas. Yagi antennas are perfect for direct point-to-point communication, such as a bridge connecting two offices.
Figure 9-3: A yagi antenna, manufactured by Telex Wireless. The second common antenna is the parabolic antenna. This antenna is also a good choice for bridging two networks, and has a greater range than the yagi antenna. The parabolic dish antenna is able to create gains that can be twice that of the yagi antenna.
The third common antenna is the omni-directional antenna. The omni-directional antenna is often used in conjunction with an AP to increase the local connection ability of the wireless network. This antenna type is usually mounted high above the group of end points that will communicate with the wireless network. The gain of the omni-directional antenna can approach that of some yagi antennas, but is quite a bit less than the gains of the parabolic antennas.
Association
A unique aspect of the wireless network is that nodes that are going to use an access point must first associate with an access point. In the wired network, the node is simply turned on and plugged into the cable; there is no association required for the local hub or switch. In the wireless network, the node must be turned on, and then associate with, or join, a wireless access point. This process of association is accomplished by the wireless node knowing what its alphanumeric identifier is, and looking for an alphanumeric identifier that matches. The vast majority of network cards now include an option that scans the local radio waves and lists the possible networks that the WNIC can attempt to associate with. It is an attempt to associate first; the WNIC must be authenticated as well, and then association can be successful.
Wireless Media
In the traditional network, the cable can be guarded and cable runs carefully controlled; in the wireless network there is no cable. This presents the problem of wireless security in a very general way. The problem is how to secure that which you cannot see, and cannot control.
Although the media cannot be seen, there are similarities between the wired and wireless networks. In both networks, a signal is sent from one computer to another computer, there must be a common method of communication, and there must be a common method of delivery and receipt. In the wireless network, the media used to carry the signals from one wireless device to another can vary. In this course, you will examine the three wireless media: infrared, microwave, and radio waves. There are significant differences in these media, in how they work, and in what they can do for your network.
Although the prism is the most common form of a beam splitter, there are also beam splitters that are simple mirrors with a high degree of translucency. The mirror is placed at an angle in the stream, and functions just as the prism does. Just as the line-of-sight cannot be sniffed, the infrared signal cannot penetrate walls; therefore, the infrared transmission cannot be listened in on from a neighboring room or outside office. Another strong point for the infrared line-of-sight is that outside interference is minimal; other radio waves will have no noticeable effect on the signal.

The security advantages of infrared wireless are offset by the limitations of infrared. Infrared cannot provide any mobility to the devices, and the pure line-of-sight requirement causes too much disruption in most office settings. Laser communications are similar to local line-of-sight infrared networks. Laser communications work by using a powerful directed beam between two points, with the unique difference being that the distances covered are much greater. Laser line-of-sight transmissions can cover miles, as long as the direct and uninterrupted line-of-sight is clear and available.

Diffused infrared technologies overcome some of the limitations of line-of-sight communication. In the broadcast network, there are still two end points, the emitter and the detector. However, the emitter does not send the signal directly to the detector. Instead, the signal is sent out to the network, and can bounce off walls and other objects in the room. The detector receives the signal and processes the information just as if it were line-of-sight. A big difference between line-of-sight and diffused infrared is speed. Because the signal has to travel farther and bounce off surfaces, it is a weaker signal when the receiving node detects the transmission. A second difference is that because the signal is broadcast, end points other than the intended recipient are able to receive the transmission.
These issues combine to limit most use of infrared in wireless networking to the small local devices. As more and more people use small devices, you can expect infrared technology to remain a part of wireless networking for some time.
Satellite Microwave
When you have extreme distance to cover, the only choice is satellite. Satellites are the equivalent of the transmitter and receiver stationed high in the sky. By placing the transmitter and receiver higher, more ground can be covered by the same point. This allows an enterprise with one office in New York to have a single hop to a second office in London.
Figure 9-8: Example of satellite microwave networking.

There are multiple orbits a satellite might take around the Earth. Geostationary orbits (GEOs) are those that circle Earth directly above the equator. A benefit of gravity and orbiting is that once at a specific point, the geostationary satellite will hold a fixed position relative to the ground. This position is approximately 22,200 miles (or 36,000 km) above the Earth's surface. Being placed at such an altitude, the satellite will be able to cover about one-third of the Earth's surface. You could, therefore, place three satellites 120 degrees apart and cover the entire planet, except for the extreme northern and southern latitudes. Today there are hundreds of GEOs in the sky above you. There is also an orbital pattern called the Highly Elliptical Orbit (HEO). These satellites do not orbit the Earth in a circle around the equator. Instead, they orbit in an oval-shaped pattern. The oval is not centered on the Earth; instead the satellite will pass close to the Earth (its closest point is called the perigee of the orbit), and will then move further away from Earth (its furthest point is called the apogee of the orbit).
Finally there are Low Earth Orbits (LEOs). These orbits are between 124 and 15,900 miles above the Earths surface (between 200 and 25,589 km). Most of the satellites in this range are at the low end, from 124 to 1,490 miles (200 to 2,400 km). These satellites can move very fast, and can be visible with the naked eye standing on Earth. A satellite in LEO may be able to circle the entire earth in 90 minutes. LEOs are not restricted to equatorial orbits.
TASK 9A-1
Examining Satellite Orbits
1. Open Internet Explorer, and connect to http://science.nasa.gov/Realtime/JTrack/3D/JTrack3D.html
2. In the dialog box asking you to perform an install, click No.
3. Wait for a moment; the JTrack satellite applet will open and load satellite data.
4. Maximize the applet.
5. Once the applet loads, press Ctrl and click the mouse (Ctrl-click) to move the Earth back and to see the orbital path of the GEOs. Examine the distance to the GEO orbits in relation to the size of the Earth.
6. Click any small white dot to see the orbital path of the satellite.
7. Click the mouse in the applet and drag to rotate the Earth, and notice the GEOs are all lined up in a similar pattern.
8. Ctrl-click until the Earth is small in the applet.
9. Click a white dot that seems further away from Earth, and not in the same circle pattern of the GEOs. Try to find Chandra, AO-40, and Integral. Examine the orbital patterns of these HEO satellites.
10. Shift-click to move in towards Earth until the continents are clearly visible.
11. Click any white dot that is near Earth, and examine the orbital patterns of these LEO satellites.
12. Shift-click until the Earth fills the applet window.
13. Choose Options > Update Rate > 14 Second.
14. Choose Options > Timing > Real-time.
15. Note the movement of the satellites in LEO.
16. Choose Options > Timing > X100.
17. Note the movements of the LEO satellites at 100 times real-time speed.
18. When you have finished examining the orbital patterns of the satellites, close the JTrack3d Applet and close Internet Explorer.
19. What type of satellite orbit, the LEO or the GEO, will introduce the largest delay in packet transmission?
    The GEOs produce the highest delay in packet transmission. You may be able to get high speeds, but the distance alone dictates that there will be considerable delay in the network packet transmission.
Spread Spectrum
Spread spectrum technology allows for bandwidth to be shared by multiple devices, so your microwave and wireless network are not going to battle over the exact same frequency at the exact same time. Spread spectrum works by splitting the information over multiple channels of communication. By splitting the information over different channels, if a person is sniffing one specific channel, they will not get useful information from that channel, only tiny pieces of larger transmissions. There are two primary methods of spread spectrum used in wireless networks: Frequency Hopping Spread Spectrum (FHSS), and Direct Sequence Spread Spectrum (DSSS).
Figure 9-9: Multiple signal bursts sent as an example of FHSS.

During FHSS, the time that is spent on any one frequency is called the dwell time, and the amount of time that it takes to move from one frequency to another is called the hop time. A device using FHSS will transmit on the designated frequency and then move to the next frequency using the pre-defined sequence. Once the device reaches the last frequency, the device loops to the first frequency and starts the process over again. The sequence of frequency hopping creates a single channel.
Figure 9-10: The XOR process of DSSS communications.

This added data used in the XOR process is called the chipping code. By adding these codes, the original data is spread out, which increases the likelihood that the data will be received properly. The number of bits (chips) in the chipping code compared to the raw data is referred to as the spread ratio; higher spread ratios mean higher chances of successful communication. The 802.11 specifications dictate that there are to be 11 chipping bits per raw data bit. Due to issues such as the use of multiple frequencies, and the inclusion of the chipping code, DSSS is able to achieve higher rates of transmission than FHSS. You should not think of either FHSS or DSSS as better than the other. Instead, you should realize that they are used for different functions. FHSS generally costs less to build, is used for devices that require shorter transmission distances, and has a lower overall speed. DSSS generally costs more to build, is used in devices that require greater transmission distances, and offers greater speed. From an administrative viewpoint, you may never deal directly with spread spectrum issues; they are more in the realm of the product manufacturer.
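To make the chipping-code description concrete, here is an added example (not code from the course) that models DSSS as the XOR shown in Figure 9-10, using the 11-chip Barker sequence that 802.11 specifies for its DSSS modes, and then despreads by correlation. It also computes the code's autocorrelation, which is the property that lets a receiver lock onto chip boundaries. The corrupted-chip positions are constructed to show the error tolerance that an 11:1 spread ratio buys.

```python
"""DSSS spreading and despreading with the 11-chip Barker code.

Added example, not code from the course. Each data bit is XORed with the
whole 11-chip sequence (spread ratio 11:1); the receiver despreads by
correlating each 11-chip block against the same code, so a few corrupted
chips per bit are tolerated. The chip flips are constructed for the demo.
"""

# 802.11 Barker sequence +1 -1 +1 +1 -1 +1 +1 +1 -1 -1 -1, written as bits (+1 -> 1, -1 -> 0)
BARKER_11 = [1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0]
SPREAD_RATIO = len(BARKER_11)   # 11 chips per raw data bit


def spread(bits):
    """XOR every data bit with the chipping code: one bit becomes 11 chips."""
    chips = []
    for b in bits:
        chips.extend(c ^ b for c in BARKER_11)
    return chips


def despread(chips):
    """Recover data bits by majority correlation with the code.

    A transmitted 0 reproduces the code exactly (11 matching chips), a 1 its
    complement (0 matches); up to 5 corrupted chips per bit still decode."""
    n = SPREAD_RATIO
    bits = []
    for i in range(0, len(chips) - n + 1, n):
        block = chips[i:i + n]
        matches = sum(1 for c, k in zip(block, BARKER_11) if c == k)
        bits.append(0 if matches > n // 2 else 1)
    return bits


def corrupt(chips, positions):
    """Flip the chips at the given indices (simulated narrowband interference)."""
    out = list(chips)
    for p in positions:
        out[p] ^= 1
    return out


def autocorrelation(code, shift):
    """Aperiodic autocorrelation of the code in +1/-1 form.

    A Barker code peaks at len(code) for shift 0 and stays within +/-1 for
    every other shift, so the receiver sees one sharp correlation spike per
    chip period even in noise."""
    s = [1 if c else -1 for c in code]
    return sum(s[i] * s[i + shift] for i in range(len(s) - shift))


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]                # constructed payload bits
    chips = spread(data)
    print(len(chips), "chips carry", len(data), "data bits")
    print("5 chips of bit 0 flipped ->", despread(corrupt(chips, [0, 1, 2, 3, 4])))
    print("6 chips of bit 0 flipped ->", despread(corrupt(chips, [0, 1, 2, 3, 4, 5])))
    print("autocorrelation:", [autocorrelation(BARKER_11, k) for k in range(SPREAD_RATIO)])
```

The sixth flipped chip is where the majority vote tips the wrong way, which is the concrete meaning of the text's claim that a higher spread ratio raises the odds of successful reception: the more chips per bit, the more of them interference has to destroy before a bit is lost.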
Bluetooth
Although it is the most common technology for wireless networking, 802.11 is not the only wireless standard. Another common standard is Bluetooth. Bluetooth devices are generally FHSS devices, and are used in close proximity to one another. Bluetooth has found a market in device-to-device communications, such as PDA to computer, computer to printer, automobile to phone headset, and so on. Bluetooth functions in the 2.4 GHz range, and has low-speed bandwidth when compared to 802.11 standards, especially 802.11g. For these reasons, Bluetooth is not designed to be directly competitive with 802.11, but rather a complementary technology used for different purposes.
SMS is used to send and receive short (up to 160 characters) text-only messages on devices like cell phones, pagers, and PDAs. This technology uses a store-and-forward system, which means that if the intended recipient is not available, the message can be stored for later transmission. Nearly all providers of cellular services offer support for SMS today, and security problems exist here just as they do with all other forms of wireless communication. Although SMS security is out of the scope of this course, here are a few examples of SMS security issues:
- A Norwegian company found that a specific message sent via SMS to certain cell phones would freeze the phones, with the only solution being to remove the batteries.
- A virus called Timofon.A sends short SMS messages to random numbers. By itself, this is not a true virus, as users have to run a VBS script, but it hints at the potential.
- SMS Bombers are being built to flood networks with messages.
IEEE 802.11
All forms of networking that have any success are built upon standards, and wireless networking is no different. The primary standard in the world of wireless networking is the 802.11 standard. The 802 LAN standards committee was created in 1980 by the Institute of Electrical and Electronic Engineers (IEEE), and in 1990 the committee created the 802.11 working group to discuss and define issues surrounding wireless networking. In 1997, the 802.11 working group finalized their first standard. The IEEE 802.11 standard was to address the Media Access Control (MAC) and Physical (PHY) Layers of network communication. 802.11 described three specific types of transmissions to take place at the PHY Layer:
- Diffused Infrared, utilizing infrared transmissions.
- Direct Sequence Spread Spectrum (DSSS), utilizing radio transmissions.
- Frequency Hopping Spread Spectrum (FHSS), utilizing radio transmissions.
The 802.11 working group quickly found that the project, and the number of issues to discuss, was growing at a rapid rate. The solution to this problem was to create subgroups to handle each issue independently. These groups have each been assigned a letter appended to the 802.11 name. Several of these groups have produced standards that are used in the industry today, others are on the horizon, and others still will become obsolete.
802.11a
In 1999, IEEE approved the 802.11a standard, calling it: High-speed Physical Layer in the 5 GHz Band. This standard utilizes Coded Orthogonal Frequency Multiplexing (COFM), and supports multiple data transmission rates. Supported rates are: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. Two 802.11a devices will connect using the fastest data rate (based on things like distance between nodes and signal strength), with a maximum rate of 54 Mbps. Work on this standard is considered complete.
802.11b
Also published in 1999, but slightly ahead of 802.11a, was the IEEE approved 802.11b standard, called: Higher-speed Layer Extensions in the 2.4 GHz Band. This standard utilizes High-Rate Direct Sequence Spread Spectrum (HR-DSS), and supports multiple transmission rates. Supported rates are: 1, 2, 5, and 11 Mbps. Work on this standard is considered complete.
802.11c
The 802.11c working group was developed to manage MAC bridging operations. This type of standard is used by developers of hardware. The 802.11c working group on its own is complete, with continued discussion on this subject folded into the 802.11d working group.
802.11d
As wireless networking came on the scene, and the 802.11 standard was available, there were only a few economies (such as the United States, Europe, and Japan) that had regulations on the use of the radio waves. In order for wireless networking to become global, standards would be required that comply with regulation of transmissions in various countries. The 802.11d working group is focused on the international regulations for the use of wireless networking.
802.11e
An important issue in all of networking is Quality of Service (QoS). By ensuring high QoS, transmitting other types of information such as audio and video can be accomplished through a wireless network. The 802.11e group is working on standards to prioritize network traffic through the wireless network, to improve QoS. 802.11e addresses the MAC layer, and as such it will be compatible with all 802.11 PHY networks.
802.11f
The development of the original 802.11 standard did not address the communications between individual access points. This was done to provide for the maximum flexibility in an enterprise implementing various vendors' products. This causes difficulty, though, when there are many different types of vendor equipment in the network that may have different methods of communicating. 802.11f is working to define the standards of communication between access points so that roaming wireless clients do not experience network problems, or have communications cut off. It is suggested that until this standard is complete, and all vendors comply, you should use a single vendor to provide your wireless infrastructure.
802.11g
A problem that developed during the initial standards process was that 802.11a and 802.11b did not communicate. So, although the ability to add the higher bandwidth of 802.11a was appealing to some, the lack of interoperability discouraged others. 802.11g provides the standards to provide higher speed, while being able to interoperate with other wireless networks. 802.11g utilizes OFDM to manage communications, provides for transmission rates of up to 54 Mbps, and operates in the 2.4 GHz range.
802.11h
Specific European regulatory issues are discussed in the 802.11h working group. In Europe, there is a strong possibility that 802.11a devices, which operate in the 5 GHz range, will interfere with satellite communications, which are designated as primary use. Many European countries label wireless networking as secondary use.
802.11i
There are serious security issues associated with Wired Equivalent Privacy (WEP). The 802.11i working group was designed to address these issues. The result of the group's efforts is a stronger security standard, including all the options that exist in Wi-Fi Protected Access (WPA), and adding the use of the Advanced Encryption Standard (AES). Some, including the Wi-Fi Alliance, refer to 802.11i as WPA2.
802.11n
With the ever-growing demands on wireless networks, speed is always an issue. The 802.11n working group develops enhancements to wireless networking technologies to achieve a higher throughput. The speed estimates put this standard at a 200+ Mbps rate. Through the use of multiple antennas, some vendors are claiming speeds in the 400+ Mbps range.
Since WAP is a protocol and application environment, it has the ability to be built into any operating system that is designed to use it. It is currently used in operating systems such as WindowsCE, PalmOS, JavaOS, and OS/9. Mobile devices work by using WAP microbrowsers that are built into the device. These are similar to the full-scale Internet browsers, such as Netscape and Internet Explorer, only scaled down to the minimum requirements. Many mobile devices can communicate via HTML and/or XML, but there is a language specifically for wireless devices. That language is called Wireless Markup Language (WML). WML is based on XML, and web content accessed via WML will have the .wml extension, similar to the .html extension of web pages. The programming of WML looks very similar to that of HTML or XML. There are in fact XML tags in WML pages. Web pages written in WML are called decks, and decks are constructed using cards. The following code example shows what two WML cards look like in a WML deck:

   <wml>
     <card id="no1" title="Card 1">
       <p>Hello World!</p>
     </card>
     <card id="no2" title="Card 2">
       <p>This is the second card text!</p>
     </card>
   </wml>
WAP itself, like all specifications, has gone through several versions since it was first introduced. WAP v1.0 was introduced in April 1998, WAP v1.1 in June 1999, WAP v1.2 in November 1999, and WAP v2.0 in the summer of 2001. The 1.0 version of WAP used a WAP gateway, often a separate computer, to act as the literal gateway between the WAP client and the web server hosting the files.
Figure 9-11: The original WAP architecture.
In the original WAP architecture, protocol conversion was required at the WAP gateway, because the WAP devices did not speak the language of the Internet. With WAP v2.0 devices, the gateway protocol conversion is not required, because devices running the WAP v2.0 stack are able to utilize TCP/IP and speak through a proxy to the Internet.
TASK 9A-2
Choosing a Wireless Media
1. You have been contracted to design the wireless network for your new client. This client has three offices, all within the same two-block radius. They are three independent offices, each in a multistory building, which do not require frequent resource access to any of the other offices. The only authorized communications that can be sent from one office to another are email or other approved instant messages. There are some slight obstructions, such as trees, that prevent perfect line-of-sight between all three buildings. You have asked the client, and have been informed that removal of the trees is not permitted. Based on this information, which media type will you recommend to the client, and why?

You will recommend using radio waves as the media, by configuring the networks to use radio waves and a directional antenna, such as a yagi, to increase the strength and range. The radio wave option should provide the client with an inexpensive solution.
Topic 9B
Wireless LAN (WLAN) Fundamentals
WLANs are built upon the 802.11 standards and are designed to operate similarly to their wired counterparts, running the 802.3 (Ethernet) standard. One difference (other than the lack of those pesky wires!) is that 802.11 networks use Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA), whereas the 802.3 networks use Carrier Sense Multiple Access/Collision Detection (CSMA/CD). In the CSMA/CD networks, the nodes listen to the wire to see if it is clear to transmit. Since the 802.11 nodes are not on a single physical media like the 802.3 networks, CSMA/CD will not work. Instead, the WLANs use CSMA/CA where each node sends a short broadcast preceding each transmission.
SSID
Wireless networks have a component called the Service Set Identifier, or SSID. The SSID is a 32-character unique identifier that gets attached to the header of WLAN packets. The SSID is designed to identify individual WLANs, so that devices connect to the proper WLAN. This is a value that should be configured when setting up security on a WLAN. The default SSIDs of many manufacturers are well known, and changing this value to one that is not well known is one of your initial steps in WLAN security. Access Points are configured, usually by default, to broadcast their SSID in what are called beacon frames. This function allows authorized users to find their proper WLAN easily, but it also informs any attacker of the name of the WLAN segment. The beacon frames are broadcast in plaintext; there is no encryption of these transmissions. Most WLAN analyzing software will listen for SSID beacon frames and report that information back, making the location of the networks simple. If your network will allow for it, you should turn off the SSID beacon frame broadcast.
Association
A unique aspect of the wireless network is that nodes that are going to use an access point must first associate with it. In the wired network, the node is simply turned on and plugged into the cable; no association with the local hub or switch is required. In the wireless network, the node must be turned on and then associate with, or join, a wireless access point.
Association is the process of a WLAN client associating with an AP in the WLAN.
This process of association is accomplished by the wireless node knowing what its SSID value is, and looking for an SSID value that matches its known value. The vast majority of network cards now include an option that scans the local radio waves and lists the possible networks that the WNIC can attempt to associate with. At first it is only an attempt to associate; the WNIC must be authenticated as well, and only then can association be successful.
Authentication
One step in the WLAN client being able to use the WLAN is association, but that may not be enough. The second step that may be required in the network is authentication. Authentication can happen in one of two general methods, as per the IEEE 802.11 specification: open system authentication and shared-key authentication. Open system authentication is simply when there is no encryption and all communication is done in clear text. The WLAN client can authenticate in the open system without having to know any key information. In the shared-key authentication system, a key is required, and the key system must be used on both ends of the communication, meaning both the AP and the WLAN client must be using the same system.
WLAN Topologies
When building your WLAN, there are two major types of network to build. You can build a WLAN in either ad-hoc mode or in infrastructure mode. Neither of these topologies is right or wrong; they simply serve different functions.
Ad-hoc Mode
Ad-hoc mode is perhaps the fastest WLAN to build. No APs are required for an ad-hoc mode WLAN. In this case, you install and configure the wireless network card on multiple end nodes, and they all have the ability to interact directly with any other node. This is a true peer-to-peer network with no single point in control.
Figure 9-13: An example of an ad-hoc WLAN configuration.
When you group several end nodes together in ad-hoc mode, those nodes create what is called an Independent Basic Service Set (IBSS). These nodes are grouped together by all using the same SSID.
Infrastructure Mode
Although ad-hoc mode may be the fastest for you to set up, it is not likely the mode you will use in a production environment. In the enterprise, you are much more likely to use infrastructure mode. In infrastructure mode, your network clients are configured with the SSID of an AP. All the clients that are going to be grouped together have the same SSID. The AP then acts as the central point in the network. The request of each node is received by the AP, and then transmitted to the network. If you have a single AP that does not overlap with any other WLAN segments, then you have created a Basic Service Set (BSS). You can create an Extended Service Set (ESS) by grouping BSSs to form a single subnetwork. Just about all APs that are made today have at least one Ethernet port on them, allowing you to seamlessly connect your wired clients into your wireless network. You will usually connect the Ethernet port of the AP to a hub, switch, or other network connecting device.
Lesson Configuration
There is quite a bit of hardware used in this lesson. For the tasks and screenshots there were multiple WNICs and APs used, and both ad-hoc and infrastructure mode will be used. For this lesson, there are two configured clients, one Linksys WPC54G and one Netgear WPN824, used in laptop computers.
TASK 9B-1
Installing the Linksys WPC54G WNIC
Setup: This task is performed on the first Windows XP laptop.
1. Log on to Windows XP Professional.
2. Insert the Linksys WPC54G setup CD-ROM into the CD-ROM drive. If the setup program does not autorun, navigate to the CD, and double-click the Setup.exe file.
3. In the Linksys Welcome screen, click the Click Here To Start button.
4. Read the License Agreement, and click Next. The setup files will now be installed to your computer.
5. When prompted, insert the WNIC into the computer, then click Next. The Linksys Available Wireless Network screen will open.
6. Click the Manual Setup button to create a profile.
7. Select the Specify Network Settings radio button:
   In the IP Address text box, type: 10.0.10.30
   In the Subnet Mask text box, type: 255.255.255.0
   In the Default Gateway text box, type: 10.0.10.1
8. Leave the DNS text boxes blank, and click Next.
9. Select the Ad-Hoc Mode radio button.
10. In the SSID text box, type Ad_Hoc_1 and click Next.
11. In the Channel drop-down list, select Channel 3 and click Next.
12. In the Security drop-down list, select Disabled and click Next. (You will add security features later in the lesson.)
13. Confirm your settings are correct, and click Save.
14. Verify your IP Address settings via Windows Networking. Note, on some systems the Linksys configuration tool will not configure the Windows IP settings. In this case you will be required to manually configure the WNIC. IP: 10.0.10.30 / 24 DG: 10.0.10.1
15. Leave the screen open, as you will return to it shortly.
TASK 9B-2
Installing the Netgear WPN511
Setup: This task is performed on the second Windows XP laptop.
1. Log on to Windows XP Professional.
2. Insert the Netgear WPN511 CD-ROM into the CD-ROM drive. If the setup program does not autorun, navigate to the CD, and double-click the autorun.exe file.
3. In the Netgear SmartWizard screen, click the Install Software button.
4. In the Welcome screen, click Next.
5. Read the License Agreement, and click Accept.
6. Accept the default Destination Folder, and click Next. The setup files will now be copied to your computer.
7. Once the software installation is complete, click Next. The setup files will finish their installation.
8. Insert your Netgear WPN511 card into your computer, and click Next.
9. In the Country drop-down list, select your country, and click Agree.
10. Keep the default selection to use the Netgear Smart Wizard for your wireless connection, and click Next.
11. Select the No, I Want To Configure It Myself radio button, and click Next.
12. Choose Start > All Programs > Netgear WPN511 Smart Wizard > Netgear Smart Wizard. The tool to configure the Netgear WNIC will open.
13. In the Network Name text box, type Ad_Hoc_1
14. In the Network Type section, select the Computer-to-Computer (Ad Hoc) radio button.
16. From the Channel drop-down list, select Channel 3 and click OK.
17. Click the Apply button.
18. Open the Windows Network Connections window, right-click the newly installed Netgear WNIC, and choose Properties.
19. Select Internet Protocol (TCP/IP), and click Properties.
20. Select the Use The Following IP Address radio button.
21. Enter the following configuration: IP 10.0.10.31, SM 255.255.255.0, DG 10.0.10.1, click OK, click Close, and close the Network Connections window.
22. In the Netgear WPN511 Smart Wizard window, select the Networks tab.
23. Select the Ad_Hoc_1 network, and click the Connect button. (If no network is listed, click the Find a Network button.)
24. Click the Apply button. You will be connected to the Ad_Hoc_1 network from this computer.
25. Leave the Wireless Network Connection window open for subsequent tasks.
TASK 9B-3
Enabling the Ad-Hoc Network
1. Verify that you are at the computer with the Linksys WNIC installed.
2. In the Site Survey screen of the Linksys Network Monitor Tool, click the Refresh button. You should now see the Ad-Hoc_1 network available.
3. Select the Ad-Hoc_1 network, and click Connect.
4. Once connected, you will see that you have successfully joined the Ad-Hoc network.
5. Click the More Information button to see the details of this connection.
6. If you wish, open a command prompt and perform a ping test from one computer to the other to confirm the wireless network is functional.
802.11 Framing
Although you will likely never directly work with the design or physical architecture of any wireless network device, you do need a strong understanding of how the 802.11 network functions in order to implement solid networks. At first glance, it seems that the 802.11 network functions in exactly the same way as Ethernet networks. Upon further investigation you will notice that, although the appearance is the same, the 802.11 network has very real differences from the Ethernet network. Ethernet framing essentially takes the data, adds a preamble, adds the required addressing information, such as IP, and adds an integrity check (or Frame Check Sequence) on the end. The wireless network, however, must add more information than that. In the 802.11 network there are multiple frame types. The three 802.11 frame types are data frames, control frames, and management frames. The data frames are the frames that you will see on the network the most; these carry the actual data from one node to another. The control frames are for functions like carrier-sensing (like modems) and acknowledgement. The management frames are what a node uses to join (or associate with) and leave (or disassociate from) an access point.
Frame Format
The first thing you will notice when looking at the 802.11 frame is that the MAC uses four address fields. Not every 802.11 frame uses all four fields, and the values assigned to the different address fields can change based on the type of MAC frame being transmitted.
Frame Details
An in-depth discussion of the 802.11 framing format is beyond the scope of this course.
Every 802.11 frame begins with a two-byte frame control field that is divided into several subfields. One of the subfields is the protocol version. The protocol version subfield is a two-bit value, which indicates what version of the 802.11 MAC is found in the frame. Currently, there is only one supported version of the 802.11 MAC, and it has been given a protocol ID of 0.
Figure 9-16: The frame control of the 802.11 frame, expanded showing its internal contents.
The second subfield is the type. This indicates which family of subtypes follows. If this is set to 00, then management frames are to follow. If this is set to 01, then control frames are to follow, and if this is set to 10, then data frames are to follow. The third subfield is called the subtype, which is related to the type field just discussed. This subfield is a four-bit value, which indicates the subtype of the frame. Management subtypes are identified in the following table.

Management Subtype Value   Subtype Name
0000                       Association request
0001                       Association response
0010                       Reassociation request
0011                       Reassociation response
0100                       Probe request
0101                       Probe response
1000                       Beacon
1001                       Announcement traffic indication message
1010                       Disassociation
1011                       Authentication
1100                       Deauthentication

Using the table as reference, you can identify two common subtypes: the association request (0000) and the beacon (1000). Another subfield is the WEP field. When this is set to 1, WEP is in use, and when this is set to 0, WEP is not in use.
By now you have noticed that there are multiple entries for addresses in the frame format. The 802.11 frame can use up to four address fields, generally numbered one through four. Address field one is the receiver, address field two is the transmitter (or sender), address field three is used for filtering, and address field four is optional. The sequence control field is used for multiple purposes. It uses 4 bits to manage fragmentation and 12 bits to manage sequence numbers. If a higher-level packet needs to be fragmented, the sequence number will be constant for all the fragments, but the 4-bit fragment number will increase by 1 for every new fragment. The data field is where the upper layer payload goes for transmission. This field has a maximum payload value of 2304 bytes of data, and has a maximum size of 2312 bytes. The additional 8 bytes allow for the extra information required by WEP, which must be supported. Finally, there is a frame check sequence (FCS) field. This is similar to the FCS in Ethernet and other networking systems. The FCS allows for an integrity check on the frame, but there is a difference in the wireless network. The difference in the 802.11 format is that there is no negative ACK if a frame fails the FCS. Instead, the nodes must wait for an ACK timeout before they retransmit.
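As an added example (not part of the course text), the following Python decodes the frame control and sequence control subfields described above, names the management subtype from the table, checks the FCS, and pulls the SSID out of a beacon, which is the plaintext broadcast that the SSID section earlier in this topic recommends turning off. The beacon frames are constructed in the script with made-up MAC addresses; the tagged-parameter layout of the beacon body (element ID 0 for the SSID) and the little-endian CRC-32 FCS are assumptions taken from the 802.11 standard rather than from the course.

```python
import struct
import zlib

# Frame types and management subtypes as listed in the course table.
FRAME_TYPES = {0b00: "management", 0b01: "control", 0b10: "data"}
MGMT_SUBTYPES = {
    0b0000: "Association request", 0b0001: "Association response",
    0b0010: "Reassociation request", 0b0011: "Reassociation response",
    0b0100: "Probe request", 0b0101: "Probe response",
    0b1000: "Beacon", 0b1001: "Announcement traffic indication message",
    0b1010: "Disassociation", 0b1011: "Authentication",
    0b1100: "Deauthentication",
}
HEADER_LEN = 24        # FC(2) + Duration(2) + Address 1-3 (18) + Sequence control(2)
BEACON_FIXED_LEN = 12  # Timestamp(8) + Beacon interval(2) + Capability(2)


def parse_frame_control(fc: bytes) -> dict:
    """Decode the two-byte frame control field (least-significant byte first on the air)."""
    b0, b1 = fc[0], fc[1]
    return {
        "version": b0 & 0x03,                  # 2-bit protocol version, currently always 0
        "type": FRAME_TYPES.get((b0 >> 2) & 0x03, "reserved"),
        "subtype": (b0 >> 4) & 0x0F,           # 4-bit subtype
        "to_ds": bool(b1 & 0x01),
        "from_ds": bool(b1 & 0x02),
        "more_frag": bool(b1 & 0x04),
        "retry": bool(b1 & 0x08),
        "wep": bool(b1 & 0x40),                # the WEP bit described in the course
    }


def parse_sequence_control(sc: bytes) -> tuple:
    """Return (fragment number, sequence number): the 4 low bits and the 12 high bits."""
    (value,) = struct.unpack("<H", sc)
    return value & 0x0F, value >> 4


def fcs_ok(frame: bytes) -> bool:
    """The FCS is a CRC-32 over everything before it, stored little-endian (assumption from 802.11)."""
    (fcs,) = struct.unpack("<I", frame[-4:])
    return (zlib.crc32(frame[:-4]) & 0xFFFFFFFF) == fcs


def beacon_ssid(frame: bytes):
    """Return the SSID carried in a beacon, or None when the AP does not broadcast it."""
    tagged = frame[HEADER_LEN + BEACON_FIXED_LEN:-4]
    i = 0
    while i + 2 <= len(tagged):
        tag, length = tagged[i], tagged[i + 1]
        value = tagged[i + 2:i + 2 + length]
        if tag == 0:  # element ID 0 = SSID
            # An empty or all-zero SSID element is how "SSID broadcast off" looks on the air.
            if length == 0 or not value.strip(b"\x00"):
                return None
            return value.decode("utf-8", "replace")
        i += 2 + length
    return None


def summarize(frame: bytes) -> dict:
    """Classify one frame the way a WLAN analyzer's first pass would."""
    fc = parse_frame_control(frame[:2])
    frag, seq = parse_sequence_control(frame[22:24])
    info = {"fcs_ok": fcs_ok(frame), "type": fc["type"], "subtype": fc["subtype"],
            "wep": fc["wep"], "fragment": frag, "sequence": seq, "ssid": None}
    if fc["type"] == "management":
        info["subtype_name"] = MGMT_SUBTYPES.get(fc["subtype"], "reserved")
        if info["subtype_name"] == "Beacon":
            info["ssid"] = beacon_ssid(frame)
    return info


# --- Constructed sample frames (not captures); the AP MAC is made up ---------------
AP_MAC = bytes.fromhex("00112233aabb")


def build_beacon(bssid: bytes, ssid: bytes, seq: int) -> bytes:
    fc = bytes([0x80, 0x00])                                   # type 00 (management), subtype 1000 (beacon)
    header = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + struct.pack("<H", seq << 4)
    fixed = struct.pack("<QHH", 0, 100, 0x0001)                # timestamp, beacon interval, capability
    tags = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])  # SSID element, one supported rate
    body = header + fixed + tags
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


BEACON_SCP_1 = build_beacon(AP_MAC, b"SCP_1", 16)   # SSID broadcast left on
BEACON_HIDDEN = build_beacon(AP_MAC, b"", 17)       # SSID broadcast turned off


def broadcasting_ssids(frames) -> list:
    """For an audit: the SSIDs being announced in plaintext beacons."""
    return [s["ssid"] for s in map(summarize, frames) if s["ssid"]]
```

Running summarize() over a real capture in place of the constructed beacons gives the same classification; an SSID that shows up in broadcasting_ssids() is one that any analyzer in range can see.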
802.11 Addressing
As you saw earlier, there are four address fields in the frame, not all of which have to be used in each transmission. Before you can make a connection between an address and an address field, you need to be aware that there are multiple types of addresses in 802.11 wireless networks. These addresses are given the acronyms DA, RA, SA, and TA. Their definitions are as follows:
Destination Address (DA): This is the MAC address of the node that is to ultimately process the frame.
Receiving Address (RA): This is the MAC address of the node that will receive the frame. Note, this does not have to match the DA.
Source Address (SA): This is the MAC address of the node that created the frame.
Transmitting Address (TA): This is the MAC address of the node that transmitted the frame. Note, this does not have to match the SA.
The address fields will change based on the frame format. For example, the third field can hold the SSID address, the DA, or the SA, based on the frame. Where there is consistency is in the field that holds the transmitting address; this is address field two. Address field one is designed for the recipient of the frame, which you must note does not mean the final destination of the frame, only the recipient of the current frame.
The SSID used in the MAC address field is not the same as the manually entered SSID value.
When the network is in infrastructure mode, the address used is the SSID address. This is not the same as the SSID that has been manually assigned to the network, such as the Linksys default. The interface on the physical AP requires a MAC address, just as any other interface does. In infrastructure mode, the SSID address is the MAC address of the AP that is participating in the infrastructure network.
One reason that there are multiple options here for the addressing is that there are multiple methods for establishing a wireless network. For example, in the most straightforward network, all the nodes simply talk directly to one another; this is the ad-hoc network. Another network could be where all the end nodes communicate only with the Access Point. Finally, you could link two (or more) wireless networks together, with the Access Point of each one functioning as a bridge to the other network. Figure 9-17 identifies the addresses that would be assigned to each of the four address fields, and the DS settings, based on the function.
Figure 9-17: The settings of the address fields, based on the frame function.
From this figure, you can identify that the most basic addressing is in ad-hoc mode, where the frame has a simple DA and SA. This is the closest to the traditional Ethernet network that most network professionals are familiar with. Of note in this table are the configurations of the ToDS and FromDS bits. DS is the Distribution System, for example the Ethernet network that is connected to the wired side of an AP. If both the ToDS and FromDS bits are set to 0, then the frame is on an ad-hoc network. When ToDS is 1 and FromDS is 0, this indicates a frame that is transmitted from a node to an infrastructure network. Conversely, when ToDS is 0 and FromDS is 1, this indicates a frame that is received by a node from an infrastructure network. Finally, when both ToDS and FromDS are set to 1, the frame is on a wireless bridge, from one wireless network to another.
When the ToDS and FromDS are both set to zero; the frames are for a network running in ad-hoc mode.
Figure 9-18: The addressing of two nodes in an ad-hoc network.
When two nodes are communicating in ad-hoc mode, the addressing is clear-cut. The SSID is identified in the third address field, and the receiver and transmitter addresses are entered. This is the most straightforward of all the addressing options.
Figure 9-19: The addressing of two nodes and one AP in an infrastructure network.
In this second example (an infrastructure network), the addressing becomes more complex. When the two end nodes initiate their communication, the ToDS bit is set to 1 and the FromDS bit is set to 0, which indicates a frame sent to an infrastructure network. Address field one is the receiving address (RA), which is the SSID, and address field two is the source address (SA). In this case the node that originated the frame is the SA; this is because the frame is sent to the network, not directly to the end node. Notice that address field three is used; in this case it holds the destination address of the frame. The destination address is for the node that is to ultimately process the frame. As the frames are moved from the AP to the respective end nodes, you can see that the ToDS bit is now set to 0 and the FromDS bit is now set to 1. This indicates the frame is intended for an end node, coming from the infrastructure network. Address field one now contains the address of the actual intended node that will process the frame. Address field two contains the SSID, where the frame was transmitted from, and address field three contains the source address, where the frame originated.
In infrastructure mode, when a frame is sent to the AP, address field one contains the SSID address.
In infrastructure mode, when a frame is sent from the AP, address field one contains the destination address.
Figure 9-20: The addressing of frames in a wireless bridge network.
In the final addressing example, you have two APs in wireless bridge mode that are connecting two wireless networks. In this example, you have frames that serve different functions in the network. The node that starts the transmission sends a frame in infrastructure mode to the AP, with the final destination address in the third address field. When the frame gets to the AP, the network is in bridge mode between the two points, and ToDS and FromDS are now both 1. It is at this time that all the address fields are used, and it is here that the distinction between transmitting and sending addresses, and between receiving and destination addresses, is clear. At the AP, with MACs 2345 and 3456, the frame has a receiving address of 4567, the MAC on the other side of the bridge. The final destination address is 6789; this is how the addressing makes the difference between a point receiving the frame and the end node that is to finally process the frame. Also at the AP, the frame has a sending address of 1234, as that is where the frame originated, but the transmitting address is 3456, the AP that is sending the frame to the next access point. When the frame is received at the second AP, the frame is then formatted as a frame in infrastructure mode, with ToDS set to 0 and FromDS set to 1. This frame is then sent to the node that will process the frame, and the series of frames is complete. In the event that a response to the original sender is required, the same process will happen, only in reverse.
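The three addressing cases above (ad-hoc, infrastructure, and wireless bridge) are worked through in the following added Python example, which is not part of the course. It encodes the Figure 9-17 assignments as a table keyed by the ToDS/FromDS bits, names the DA/SA/RA/TA of each frame, and replays the wireless bridge walkthrough using the course's own MAC labels 1234, 2345, 3456, 4567, and 6789; the label 5678 for the second AP's station-facing interface is an assumption, since the course does not give it. The field the course calls the "SSID address" is labelled BSSID here. The last function is a small defender's check: in infrastructure mode, a FromDS frame whose BSSID is not the MAC of your own AP comes from an AP you do not operate, which is the position taken by the man-in-the-middle described later in this lesson.

```python
# Address-field roles by (ToDS, FromDS), as laid out in Figure 9-17 of the course.
# Each value gives the roles of address fields 1, 2, 3 and 4 (None = field not present).
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID", None),     # ad-hoc (IBSS)
    (1, 0): ("BSSID", "SA", "DA", None),     # station -> AP (to the distribution system)
    (0, 1): ("DA", "BSSID", "SA", None),     # AP -> station (from the distribution system)
    (1, 1): ("RA", "TA", "DA", "SA"),        # wireless bridge, AP -> AP
}


def resolve_addresses(to_ds, from_ds, addr1, addr2, addr3, addr4=None) -> dict:
    """Return DA/SA/RA/TA (and BSSID where present) for a frame given its DS bits and raw fields.
    RA is always address field one and TA always address field two; DA and SA sit wherever
    the ToDS/FromDS combination places them."""
    key = (int(to_ds), int(from_ds))
    if key == (1, 1) and addr4 is None:
        raise ValueError("bridge frames (ToDS=FromDS=1) carry all four address fields")
    roles = ADDRESS_ROLES[key]
    named = {role: value for role, value in zip(roles, (addr1, addr2, addr3, addr4)) if role}
    named.setdefault("RA", addr1)   # receiver of this hop is always field one
    named.setdefault("TA", addr2)   # transmitter of this hop is always field two
    return named


# The course's wireless-bridge walkthrough (Figure 9-20). 1234, 2345, 3456, 4567 and 6789 are
# the course's own labels; 5678 (AP2's station-facing interface) is assumed here.
NODE_A, AP1_WLAN, AP1_BRIDGE, AP2_BRIDGE, AP2_WLAN, NODE_B = (
    "1234", "2345", "3456", "4567", "5678", "6789")


def bridge_walkthrough() -> list:
    """The three hops a frame from node A to node B takes, each as (ToDS, FromDS, addr1..addr4)."""
    hops = [
        (1, 0, AP1_WLAN, NODE_A, NODE_B, None),          # node A -> AP1, infrastructure mode
        (1, 1, AP2_BRIDGE, AP1_BRIDGE, NODE_B, NODE_A),  # AP1 -> AP2, bridge mode
        (0, 1, NODE_B, AP2_WLAN, NODE_A, None),          # AP2 -> node B, infrastructure mode
    ]
    return [resolve_addresses(*hop) for hop in hops]


def frames_from_unknown_ap(frames, own_bssid) -> list:
    """Frames that claim to come from the DS (ToDS=0, FromDS=1) under a BSSID that is not our AP.
    A client accepting these is associated with an AP we do not operate."""
    suspicious = []
    for frame in frames:
        if (int(frame[0]), int(frame[1])) == (0, 1):
            addrs = resolve_addresses(*frame)
            if addrs["BSSID"] != own_bssid:
                suspicious.append(addrs)
    return suspicious


# Constructed sample: two frames in our own BSS and one FromDS frame under a BSSID that is not ours.
SAMPLE_FRAMES = [
    (0, 1, NODE_B, AP2_WLAN, NODE_A, None),
    (1, 0, AP2_WLAN, NODE_B, NODE_A, None),
    (0, 1, NODE_B, "BAD0", NODE_A, None),
]
```

Across the three hops of bridge_walkthrough() the DA and SA never change, while the RA and TA change at every hop; that is the distinction the walkthrough above draws between the end points of the conversation and the two ends of each radio link.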
TASK 9B-4
Installing the Linksys WAP54G Access Point
1. Log on to Windows 2003 Server as Administrator.
2. Open the Properties of your LAN adapter.
3. Select TCP/IP, and click Properties.
4. Enter the following IP Addressing information:
   IP Address: 192.168.1.145
   Subnet Mask: 255.255.255.0
   Default Gateway: This may be left blank
5. Click OK twice, and then click Close.
6. Physically locate the WAP54G access point where you want it in the room. If possible, this should be a high point in the room, and not near any source of EMI.
7. Insert the Linksys CD-ROM into the CD-ROM drive. If the setup program does not autorun, navigate to the CD, and double-click the Setup.exe file.
8. In the Welcome screen, click the Click Here To Start button.
9. Plug in the WAP54G power cord and plug in the supplied network cable, then click Next.
10. Connect the WAP54G to the network, and click Next.
11. Connect the WAP54G to an outlet, and click Next.
12. Verify all three LEDs are lit on the front panel, and click Next.
13. Note the status of the new AP, including the default IP Address, and click Yes.
14. Type the default password of admin and click Enter. For ease of running the course, you will leave the default password in place. In a production environment, you would use a strong password here.
15. In the IP Address text box, type 10.0.10.1
16. In the Subnet Mask text box, type 255.255.255.0
17. Leave the Default Gateway text box empty. Once you have entered this information, click Next.
18. In the Configure Wireless Settings window, click the Enter Wireless Setting Manually button.
19. In the SSID text box, type SCP_1
20. Leave the Channel drop-down list on Channel 6.
21. In the Network Mode drop-down list, select G-only, then click Next.
22. At this time, you are not configuring Security options. Select the Disable radio button, and click Next.
23. Confirm your settings, and click Yes.
TASK 9B-5
Configuring the Linksys Client
1. Log on to the computer with the Linksys WPC54G installed.
2. In the Windows system tray, right-click the Linksys WPC54G monitor icon, and choose Open The Monitor.
3. Click the Site Survey tab. You will now see the new AP that has recently been configured.
4. Click the Profiles tab.
5. Click the New option.
6. Type SCP-1 in the text box, and click OK.
7. Select the SCP-1 network, and click Connect. Once you are connected in Infrastructure Mode, click the More Information button to see the details of the connection.
TASK 9B-6
Configuring the Netgear Client
1. Log on to the computer with the Netgear WPN511 installed.
2. In the Windows system tray, click the Netgear WPN511 Smart Wizard icon.
3. Click the Networks tab, and highlight the SCP-1 network by clicking on it.
4. Click the Connect button. The adapter will now connect to the SCP-1 network.
5. To make the changes to the adapter's configuration, click the Apply button. You are now connected in Infrastructure mode.
6. If you wish, open a command prompt and perform a ping test from one computer to the other, and to the access point itself, to confirm the wireless network is functional.
WLAN Threats
The threats facing the WLAN are similar to those facing the LAN, with some variation due to the open medium of the wireless network. The techniques used to counter the threats will be discussed later in this lesson. You will start with some of the passive threats.
War Driving
War driving may not be a specific threat to the WLAN, but it falls in the same category. War driving is the practice of building a mobile wireless machine, with software designed to learn and map wireless networks. In addition, war drivers may have a powerful external antenna and a Global Positioning System (GPS) device. Using a GPS, the attacker can record the exact longitude and latitude of the network that was found while driving. Along with war driving is a practice called war chalking. War chalking is where a person who has found a WLAN via war driving marks the location with a symbol. These symbols represent open networks, closed networks, protected networks, and more. The growing list of symbols used to identify networks changes frequently.
Figure 9-21: Example of the three main symbols of war chalking.
In the figure, the symbol on the left indicates an open network, where the SSID is being broadcast by the AP. When chalked, the symbol will include the actual SSID located and the bandwidth at that point. The middle symbol is a closed network, where the AP is not broadcasting the SSID. This symbol will also list the SSID, once discovered, and the speed of the connection. The symbol on the right is one that is protected using the Wired Equivalent Privacy (WEP). WEP will be discussed in more detail later in this lesson. The WEP symbol, along with the others, may also contain other information; there is no restriction on what can be written down. If you come into the office and see a symbol like this near your network, you should address the security of the network right away.
Gaining Access
An interesting problem that is unique to the WLAN versus the wired network is that of DHCP. If the WLAN is using DHCP, then any client that turns on in range and asks for an IP address will be given one. This may include attacker computers. In some instances, the entire job of the attacker gaining unauthorized access is to simply find a WLAN, and there are many tools available to locate WLANs.
Networks that use DHCP must employ another system to defend their wireless network; otherwise any client may gain access. Even if there were operating system level security measures in place to prevent unauthorized users from accessing a server, they would still be in the network. Furthermore, you could have two or more users accessing the network and communicating with each other, happily using up your wireless bandwidth. The man-in-the-middle attack is one that exists on the wired network, and exists in the wireless world as well. For this to work, the attacker is positioned between two end points, which is trivial on the wireless network, as being between the two points does not mean a straight line. The attacker breaks the connection that is established between the target node and the AP. (The connection can be broken using an RF jammer or other form of electrical interference.) The attacker then configures the attacking machine as the new local AP for the target, and allows the target to successfully associate with the attacker machine. The attacker will then route the packets through to the legitimate AP. All packets can then be stored and analyzed for whatever purpose the attacker has in mind.
Denial of Service
One common threat for all forms of networking is the denial of service. For the WLAN this can take on new meaning, as there are natural bandwidth restrictions on the network to begin with. The WLAN has a limited amount of bandwidth to share among all the WLAN clients. This is due to the physical restriction on the number of radio waves available to carry data. Unlike the wired network, where each node connected to the switch may have dedicated bandwidth, in the WLAN all nodes share the same 10 MB, and this is amplified when you consider that the devices are half-duplex. This is a perfect example of why two nodes connecting via DHCP can cause problems on the network, even if they do not attempt to gain access to servers. Simply performing large file transfers, setting up a continuous ping sequence, or transmitting large malformed packets can tie up the network.
Topic 9C
Wireless Security Solutions
Although there are risks to using wireless networking, there are also solutions to make the wireless network secure. It can be argued that the wireless network can never be as secure as the wired network, but there are solutions that you can implement to provide reasonable levels of security on your wireless networks. In this topic you will examine and implement several of these solutions.
WTLS Origins
WTLS is considered a security protocol for wireless networking, most specifically applying to WAP, and is sponsored by the WAPforum. WTLS is designed to provide for the assurance that messages sent to and from end points in the wireless network have not been modified. WTLS is based on TLS, which is based upon SSL.
WTLS Authentication
When moving towards the security of a trusted network, authentication is a requirement. WTLS is no different. The method of authentication used in WTLS is certificates. It is possible to implement WTLS to not require certificates, but in order to increase the security, certificates are recommended. Various formats of certificates are allowed in WTLS, including the X.509v3 format.
WTLS Components
WTLS is split into multiple components. The lower layer is called the Record Protocol (RP). The RP takes the raw data from the higher layers, performs compression and encryption, and transmits the data. Likewise, upon receipt the RP takes the data, performs decompression and decryption, and moves the data up to the higher layers. The RP also performs message checking to verify the message has not been altered. Once the RP has done its job, it will deliver the data to the four higher-level clients of WTLS.
Figure 9-22: The components of WTLS. There are four higher-level clients in the design of WTLS: the handshake protocol, the alert protocol, the application protocol, and the change cipher spec (ChangeCipherSpec) protocol. Although the extensive details of each of these are beyond the scope of this book, you should be familiar with the function of each client.
Figure 9-23: The WTLS handshake process. There are several steps to the handshake of WTLS. The first step is done by the client; just as in SSL, the client initiates the communication by sending a hello message, called ClientHello, to the server. The server responds with a ServerHello message. Between these two hello messages, the client and server agree upon the session configuration. When the client sends the initial hello message, the client indicates the cryptographic algorithms that it supports, and the server hello message includes the algorithm chosen in the response. After the initial hello phase the server sends its certificate, called ServerCertificate, and requests the client's certificate. At this time, the server also sends the ServerKeyExchange, which is used to give the client the public key that will be used to exchange the pre-master secret value. The master secret value will be the final piece used in the session. The server then sends a ServerHelloDone message, indicating to the client to move on to the next step in the handshake. Upon receipt of the ServerHelloDone message, the client proceeds to send the requested certificate and a ClientKeyExchange. The ClientKeyExchange contains either the pre-master secret value (encrypted with the server's public key) or other information to use in completing the key exchange. The client then sends an optional ChangeCipherSpec message. Finally, the client sends a Finished message to the server. The Finished message contains a verification of the agreed-upon information for the session. The server responds with a Finished message as well, verifying the security and session parameters. The server also sends a ChangeCipherSpec message, and the session is established.
In the event that the session gets disrupted during communication, there is a means to re-establish the session without a complete new handshake. During a session, there is a SessionID assigned to the communication between the two end points. If communication is cut, the client will send a ClientHello message, only this time it will include the previous SessionID. The server responds with a ServerHello, also with the SessionID. Upon matching the session, a ChangeCipherSpec message will be sent, and then the session can be resumed without the complete handshake.
MAC address filtering is a bit more tedious, but provides a bit more control and security over the network. The process of filtering is very direct: you create a list of addresses, then define that list as allowed or disallowed. The common implementation of the MAC address filter is to build the list of allowed addresses and mark them as allowed. Your filter then defines all other addresses as disallowed. This is not a solution to rely on as your main system, since MAC addresses can be spoofed. Neither SSID broadcast disabling nor MAC address filtering is enough protection for you to consider your wireless network secure, but they are reasonable layers you can add to your defense. The key to protecting your enterprise is to create layer upon layer that work together to protect your resources, and these are two small options that add layers.
Figure 9-24: The standard operation of a stream cipher. The stream cipher takes the short secret key and extends it into a larger value, the same length as the message, just like a one-time pad. This extension is created using a pseudorandom number generator (PRNG). To summarize, the sender XORs the plaintext with the key stream to produce the ciphertext, and the receiver uses the identical key stream in reverse to produce the original plaintext. Since the stream cipher works by reversing the equation on the receiving end, the key is the critical component. The receiver uses the same key stream as the sender, and simply XORs the ciphertext to arrive at the plaintext message. Since the XORs cancel each other, if the plaintext is P, the ciphertext is C, and the key stream is K, then the following equation holds:

P = C XOR K = (P XOR K) XOR K

Take the key stream, K, and two plaintext messages, P1 and P2, which go through the process to become C1 and C2. In that case, C1 = P1 XOR K and C2 = P2 XOR K. Since K is the same, and the XOR process is well known, the following equation is true:

C1 XOR C2 = P1 XOR K XOR P2 XOR K = P1 XOR P2

This means the attacker has now learned the XOR of two plaintext messages, without any difficulty. This example highlights why a stream cipher such as this should never encrypt two messages with the same K.
40-bit WEP comes from. In order to extend the life of WEP, several vendors moved to offer 128-bit WEP, of which only 104 bits were used for the shared secret key. If you are wondering where the extra bits that are not used for the keys are going, they are going to what is called the Initialization Vector (IV). In order to protect network transmissions from pure brute-force decryption attacks, WEP is designed with the option of using a set of keys. Four keys can be generated, and WEP can cycle through those four keys.
Figure 9-25: The WEP encryption process. The process begins when the sender initiates the system for transmitting a message. At this time, the plaintext is run through an integrity check algorithm to create the Integrity Check Value (ICV). The 802.11 specifications define the use of CRC-32 for this function. The ICV is then appended to the end of the original plaintext message. A 24-bit random (more on this in a moment) Initialization Vector (IV) is generated and added to the front of the secret key. (In this example the standard 40-bit secret key value is used.) The IV and secret key combination is input into the Key Scheduling Algorithm (KSA). The KSA is used to generate a seed value that will be used by the PRNG. The following key sequence uses the value generated by the PRNG to create the key stream that will match the length of the plaintext plus ICV. Once the key stream has been generated, it is XORed with the plaintext/ICV to produce the encrypted portion of the message. The same IV that was input to the KSA is prepended to the front of the encrypted message, a standard header and FCS are added to the message, and it is transmitted.
Figure 9-26: The WEP decryption process. Upon receipt of the message at the destination, the process is essentially done in reverse. In order for the destination node to generate the symmetric key stream, the variable IV must be used. This is the reason that the IV must be sent in unencrypted form; the destination needs this value. Using the shared secret key, the destination takes the IV and runs it through the same KSA, PRNG, and key sequencing to get the key stream. The key stream and the ciphertext are then XORed, and the resulting Plaintext and ICV are calculated. Finally, the destination node computes a new ICV, and checks to see if this new value matches the sent ICV. If there is a match, then the receiving node will accept and process the message.
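The encrypt/decrypt path of Figures 9-25 and 9-26, as an added Python example that is not part of the book: RC4 plays the KSA and PRNG role, zlib's CRC-32 is the ICV, and the key, IV, and payload are constructed values. Frame headers and the FCS are left out, and the little-endian ICV byte order is an assumption made for this example (sender and receiver only need to agree).

```python
import zlib
from typing import Optional

IV_LEN = 3  # the 24-bit Initialization Vector, transmitted in the clear


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Key Scheduling Algorithm (KSA) followed by the PRNG, yielding `length` key-stream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA: mix the seed (IV || secret key) into the permutation
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:  # PRNG: one key-stream byte per byte to encrypt
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """Integrity Check Value: CRC-32 over the plaintext (byte order assumed for this example)."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Figure 9-25: IV || RC4(IV || key) XOR (plaintext || ICV)."""
    if len(secret_key) not in (5, 13):  # 40-bit or 104-bit shared secret
        raise ValueError("WEP keys are 40 or 104 bits")
    if len(iv) != IV_LEN:
        raise ValueError("IV must be 24 bits")
    body = plaintext + icv(plaintext)  # ICV appended to the plaintext
    keystream = rc4_keystream(iv + secret_key, len(body))  # IV prepended to the key
    return iv + xor_bytes(body, keystream)  # the IV itself goes out unencrypted


def wep_decrypt(secret_key: bytes, frame: bytes) -> Optional[bytes]:
    """Figure 9-26: rebuild the key stream from the cleartext IV, XOR, then verify the ICV."""
    iv, ciphertext = frame[:IV_LEN], frame[IV_LEN:]
    body = xor_bytes(ciphertext, rc4_keystream(iv + secret_key, len(ciphertext)))
    plaintext, received_icv = body[:-4], body[-4:]
    if icv(plaintext) != received_icv:  # mismatch: the receiver drops the frame
        return None
    return plaintext


# Constructed sample values for the demonstration.
KEY_40 = b"SECRT"             # 5 bytes = 40-bit key
KEY_104 = b"0123456789abc"    # 13 bytes = 104-bit key
IV = bytes([0x10, 0x20, 0x30])
PLAINTEXT = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00]) + b"constructed payload"


def roundtrip_ok(secret_key: bytes) -> bool:
    """Encrypt, then decrypt with the same shared secret; the plaintext must come back."""
    return wep_decrypt(secret_key, wep_encrypt(secret_key, IV, PLAINTEXT)) == PLAINTEXT


def corrupted_frame_rejected(secret_key: bytes) -> bool:
    """Flip one ciphertext byte in transit; CRC-32 detects any single-byte error, so the ICV check fails."""
    frame = bytearray(wep_encrypt(secret_key, IV, PLAINTEXT))
    frame[IV_LEN + 4] ^= 0x01
    return wep_decrypt(secret_key, bytes(frame)) is None


def iv_is_visible(secret_key: bytes) -> bool:
    """The receiver needs the IV to rebuild the key stream, so it travels in the clear."""
    return wep_encrypt(secret_key, IV, PLAINTEXT)[:IV_LEN] == IV


if __name__ == "__main__":
    for key in (KEY_40, KEY_104):
        print(len(key) * 8, "bit key:", roundtrip_ok(key), corrupted_frame_rejected(key), iv_is_visible(key))
```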
WEP Weakness
So, throughout this discussion, you may be wondering where the weakness is found. Actually, there is more than one weakness, but the problems really start to show when looking at the implementation of the IV.
The IV is a 24-bit field, regardless of the number of bits allocated to the secret key. Therefore, when you implement 64-bit WEP, only 40 bits are for the key, and 24 bits are for the IV. When you implement 128-bit WEP, only 104 bits are for the key, and 24 bits are for the IV. A 24-bit field does not yield very many possibilities, only 16,777,216 possible combinations. This means that every 16.7 million times the IV is used it will have no choice but to repeat itself. Busy networks will transmit that many packets in a matter of hours at the most, and due to randomness it is likely that values will be reused long before the 16 million mark. But in most networks the attacker will not have to wait for nearly 17 million transmissions to find a duplicate IV. This is because many WNICs reset the IV to 0 when the card is reinitialized. As WNICs are reinitialized frequently in busy networks, finding a repeating pattern may take a very short time. If an attacker has any idea of the contents of the plaintext message, then the job of breaking WEP is that much easier. This can be accomplished by the attacker being the one to generate the plaintext message, such as by sending an email or ping into the WEP-protected network, and sniffing the result. Knowing the formatting of messages sent and received will also increase the attacker's success rate. Given that message formatting is known, such as the first byte of plaintext data being the SNAP header, this is not a difficult assumption. Once the attacker has built up a table mapping known plaintext to ciphertext, the key streams can be stored.
An IV collision is when the IV is reused.
Earlier, you looked at some of the given equations of WEP. Recall that C1 = P1 XOR K and C2 = P2 XOR K; therefore, C1 XOR C2 = P1 XOR P2. Therefore, sniffing both sides of the AP will give the attacker the key stream when the attacker XORs the ciphertext with the plaintext. The attacker need not decrypt the stream, only know what the stream is. By doing this enough times, the attacker can build what is called a decryption dictionary. The decryption dictionary is a table that the attacker has built that stores all the key streams, mapping each IV to its key stream. Due to the WEP implementation, there are a maximum of 2^24 (16,777,216) entries in the dictionary. Once the dictionary is full, the attacker can decrypt all WEP traffic. If the system is fast enough, it may even happen in close to real time. If you recall that many systems reset their IV to 0 each time, this makes for a much smaller key space used. Another problem is that systems are not required to change the IV on each packet, again making smaller and smaller spaces that require attacking. Take a look at the following equation to see how this works out in simple binary. In this case, you are looking at just two bytes, but the process is identical for larger amounts of data. Assume for this equation that you are the attacker.

0110100001101001  Known plaintext (known because you sent it). This is P1.
0110100111000101  Known ciphertext (known because you are sniffing it). This is C1.
1010001110101100  Learned stream (learned by XORing the plaintext with the ciphertext). This is now K.
The attacker can simply perform this type of operation over and over, until all the key streams are identified. After the key stream is known, the attacker can take any WEP message, look up the known data in the dictionary, and XOR the ciphertext to get the plaintext. The attacker did not spend time trying to decrypt the key. In this case, the attacker does not care what the key is, only the value of the key stream. The final big push that led to the downfall of WEP as the primary security system for wireless communications came in August of 2001. A paper was published by Scott Fluhrer, Itsik Mantin, and Adi Shamir titled Weaknesses in the Key Scheduling Algorithm of RC4. This paper included theoretical attacks on WEP. One of the focus points in the paper was that of weak IVs. Since 802.11 uses LLC encapsulation, there are weaknesses arising from the known formatting, such as the plaintext of the first byte being known to be 0xAA (this is the first byte of the SNAP header). Knowing the plaintext value of the first byte, an attacker can simply XOR the first byte of the cipher stream with the known data to reveal the key stream for that byte. In the paper, this class of weak keys is analyzed. Every weak IV is used to attack a specific byte of the secret RC4 key. The bytes of the key are numbered, starting from zero. In a 40-bit WEP implementation there are 1,280 weak IVs. You should be aware that the number of weak IVs that exist varies based on the key length. Therefore, if you elect to use the 128-bit WEP, the overall number of weak IVs that exist increases. The 128-bit WEP has more than twice the number of weak IVs of the 40-bit WEP. In the 128-bit WEP implementation (which uses 104 bits for the key), there are 4,096 weak IVs.
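An added example (not from the book) of the decryption dictionary described in this section and of the C1 XOR C2 = P1 XOR P2 relation from the stream-cipher discussion earlier. The per-IV key stream is a SHA-256-based stand-in rather than RC4, an assumption that does not change the effect, since the dictionary relies only on the key stream repeating whenever the IV repeats; the key, frames and plaintexts are constructed, and the ICV is left out for brevity.

```python
import hashlib
import math
from typing import Dict, List, Optional, Tuple

SECRET_KEY = bytes([0x01, 0x02, 0x03, 0x04, 0x05])  # constructed 40-bit key; the observer never uses it
IV_LEN = 3
SNAP_HEADER = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00])  # LLC/SNAP prefix every data frame starts with


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_for(iv: bytes, length: int) -> bytes:
    """Stand-in for the KSA+PRNG output: fully determined by (IV, key), as RC4 is in WEP."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(iv + SECRET_KEY + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def wep_frame(iv: bytes, plaintext: bytes) -> bytes:
    """Sender side: IV in the clear, then plaintext XOR key stream."""
    return iv + xor_bytes(plaintext, keystream_for(iv, len(plaintext)))


# ---- observer's side: only sniffed frames plus whatever plaintext is already known ----

def learn_keystream(frame: bytes, known_plaintext: bytes) -> Tuple[bytes, bytes]:
    """K = C XOR P, for as many bytes as the plaintext is known."""
    iv, c = frame[:IV_LEN], frame[IV_LEN:]
    n = min(len(c), len(known_plaintext))
    return iv, xor_bytes(c[:n], known_plaintext[:n])


def build_dictionary(observations: List[Tuple[bytes, bytes]]) -> Dict[bytes, bytes]:
    """Decryption dictionary: IV -> longest key stream learned for that IV (at most 2^24 entries)."""
    table: Dict[bytes, bytes] = {}
    for frame, known in observations:
        iv, ks = learn_keystream(frame, known)
        if len(ks) > len(table.get(iv, b"")):
            table[iv] = ks
    return table


def decrypt_with_dictionary(table: Dict[bytes, bytes], frame: bytes) -> Optional[bytes]:
    """Look up the frame's IV and XOR with the stored key stream; the key itself is never recovered."""
    iv, c = frame[:IV_LEN], frame[IV_LEN:]
    ks = table.get(iv)
    if ks is None:
        return None
    return xor_bytes(c, ks)  # recovers only as many bytes as the dictionary holds for this IV


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: with random IVs a repeat is expected after roughly sqrt(pi * N / 2) frames."""
    return math.sqrt(math.pi * (2 ** iv_bits) / 2)


# ---- constructed scenario ----
IV0 = bytes(3)  # many WNICs restart at IV 0, so this IV is seen again quickly
OWN_PLAINTEXT = SNAP_HEADER + b"\x08\x00" + b"ping sent by the auditor into the WEP network"
OTHER_PLAINTEXT = SNAP_HEADER + b"\x08\x00" + b"another station's data, same IV"


def demo() -> Tuple[bool, Optional[bytes], Optional[bytes]]:
    own = wep_frame(IV0, OWN_PLAINTEXT)      # plaintext fully known: the auditor generated it
    other = wep_frame(IV0, OTHER_PLAINTEXT)  # plaintext unknown to the observer
    # (1) C1 XOR C2 equals P1 XOR P2 whenever the IV, and hence the key stream, repeats.
    relation_holds = xor_bytes(own[IV_LEN:], other[IV_LEN:]) == xor_bytes(OWN_PLAINTEXT, OTHER_PLAINTEXT)
    # (2) One fully known frame gives a dictionary entry that decrypts the other frame outright.
    full = decrypt_with_dictionary(build_dictionary([(own, OWN_PLAINTEXT)]), other)
    # (3) With only the SNAP header known, just the first six key-stream bytes are learned.
    partial = decrypt_with_dictionary(build_dictionary([(other, SNAP_HEADER)]), other)
    return relation_holds, full, partial


if __name__ == "__main__":
    holds, full, partial = demo()
    print(holds, full, partial, round(expected_frames_until_iv_repeat()))
```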
WEP Conclusion
Although by now you may feel that there is no practical value in utilizing WEP, you should still take advantage of this option. Adding this layer of security should be one of the starting points in the security of your wireless network, not the end. By having WEP on the network, you may be able to remove the casual attacker from any interest in your network.
Configure WEP
Up to this point, you have seen the creation of an ad-hoc wireless network, and the creation of an infrastructure network. Although effective for fast setup and simple configurations, this provides no security. The only time you should run an unprotected network is in a controlled lab environment, where access to any production machine of any type is impossible. In this section, you will see the process of enabling WEP. Even though you've learned that WEP can be cracked, if your wireless system does not support any more robust security features, you must implement WEP as your bare minimum. In this task, 128-bit WEP will be configured. The AP that will be configured to use WEP is a Netgear WPN824.
TASK 9C-1
Installing the Netgear WPN824 Access Point
1. Log on to your Windows 2003 Server as Administrator.
2. Open the Network Properties of your LAN adapter.
3. Select TCP/IP, and click Properties.
4. Configure your LAN IP Address to allow you access to the Internet, click OK twice, and then click Close.
Note: In these tasks, the Netgear AP will reconfigure the Server to use DHCP by default to connect to the AP.
5. Insert the Netgear CD-ROM in the CD-ROM drive. If the setup program does not autorun, navigate to the CD, and double-click the Autorun.exe file.
6. From the main menu, click Setup.
7. Read the Before You Begin instructions, and click Next.
8. Record your current network settings, as shown, and click Next. The system will reconfigure to use DHCP as required.
9. Once the system has confirmed your setup and Internet connection, click Yes.
10. In the Overview screen, click Next.
11. Review the screen to turn off the broadband modem, and click Next.
12. Review the disconnection of the Ethernet cable screen, and click Next.
13. Connect the Netgear Router to the Broadband connection, and click Next.
14. Connect your Server to the Netgear Router, then click Next.
15. Power on the Broadband device, then power on the router, and click Next.
16. Wait while the system resets, and when you are at the Welcome screen click the Advanced User URL that is shown in the window.
17. For User Name, type admin and for the Password, type password (these are the defaults), and click OK.
18. If you receive a firmware update notice, check the Do Not Display Again check box, and click Close Window. If you do not receive a firmware update notice, move to the next step.
19. Type an IP Address of 10.0.10.50, a Subnet Mask of 255.255.255.0, and a Gateway IP Address of 10.0.10.2. Configure the DNS Settings for your network. Then, click Apply. If you are prompted for the user name and password, use the same credentials you used earlier in step 17.
20. From the menu on the left side of the screen, click the Wireless Settings link.
21. In the Name (SSID) text box type SCP-2. Leave the Channel and Mode at their defaults.
22. Under Security Options, select the WEP radio button. The WEP options will be enabled when you make this selection.
23. Keep the default Authentication Type as Automatic, and in the Encryption Strength drop-down list, select 128bit.
24. Select the Key 1 radio button, and in the Passphrase text box type SECRET1 and click the Generate button. (Note: the system is designed to only populate one Key field at a time, but at times the system will populate all fields. If this is the case, copy and paste each key to Notepad.)
25. Select the Key 2 radio button, and in the Passphrase text box type SECRET2 and click the Generate button. Repeat this pattern for Keys 3 and 4.
26. Once all four keys are entered, click Apply.
27. Enter the Netgear credentials, and click OK. The settings will be updated.
TASK 9C-2
Configuring WEP on the Network Client
1. Log on to the computer that has the Netgear WPN511 installed.
2. In the Windows system tray, click the Netgear WPN511 Smart Wizard icon.
3. Click the Networks tab.
4. Click the Scan button to locate the new network. Note that the new WEP network is located.
5. Select the SCP-2 network, and click the Connect button. Note that you are brought to the main Settings tab when you do this, and that both the SSID and WEP options have been selected.
6. In the Passphrase drop-down list, select 128 bits.
7. Verify that Key 1 is highlighted under the Enter Key Manually drop-down list, and in the Passphrase text box type SECRET1 (notice that the Key is automatically generated).
8. Select Key 2 in the drop-down list, and type SECRET2 in the Passphrase text box.
9. Select Key 3 in the drop-down list, and type SECRET3 in the Passphrase text box.
10. Select Key 4 in the drop-down list, and type SECRET4 in the Passphrase text box, then click the Apply button. You are now connected to the WEP network.
11. If you wish, open a Command Prompt and ping 10.0.10.2 (the AP) to verify the connection.
EAP is not tied to a specific authentication technology, meaning that it will work with certificates, smart cards, tokens, challenge/response systems, and so on. In the case of wireless security, EAP has been applied to authenticating remote wireless users.
Figure 9-28: The Enterprise implementation steps of WPA. In the Enterprise, there are several more steps in the overall process. The first step is the association of the client to the AP. Once the client associates, the second step is for the AP to prevent the client from accessing the LAN segment until the client has authenticated. The third step is the client providing authentication credentials to the authentication server. If the client successfully authenticates, then the process moves to step four; if the client does not authenticate, then the client remains blocked from the LAN segment. The fourth step is for the authentication server to distribute the required cryptographic keys to the AP and the client. The fifth step is for the client to join the LAN, using the keys to encrypt all the communications between the AP and the client.
Hardware Requirements
In order to take advantage of all that WPA offers, you will need to be sure that your network is able to run WPA. Access Points and other wireless equipment will have to have been enabled to use WPA. Most newer devices are enabled for WPA, but older models may require upgrades to support it. In addition to the APs and clients supporting WPA, you will need an authentication server. This should be any strong authentication server, such as a RADIUS server.
WEP                        WPA
40-bit keys                128-bit keys
Static key                 Dynamic keys
Manual key distribution    Automatic key distribution
Looking at those three points alone should provide ample reason for migrating the enterprise to WPA as a security solution over WEP. A final point is the authentication systems: in WEP there is no unique authentication required by the users, whereas in WPA the user must authenticate with the authentication server.
Configure WPA2
For this task, it is assumed that the initial WAP54G installation and configuration is finished, and the task is specifically designed to configure WPA. Once the AP is configured to utilize WPA, the WNICs will be configured to connect to the WPA-protected network.
TASK 9C-3
Configure WPA2 on the Access Point
1. Log on to your Windows 2003 Server as Administrator.
2. Open a web browser, and point to http://10.0.10.1 (or, if different, whatever IP Address you assigned to the WAP54G).
3. Leave the User Name empty, and type admin as the Password, then click OK.
4. Click the Wireless tab, and under the Basic Wireless Settings, change the Network Name (SSID) to SCP-3 and click the Save Settings button.
5. When you get the prompt that your changes have been saved, click Continue.
6. On the Wireless tab, click the Wireless Security option.
7. In the Security Mode drop-down list, select WPA2-Mixed.
8. In the Passphrase text box, type SCNP4ME! and click the Save Settings button. When you get the prompt that your changes have been saved, click Continue.
Supplicants
While several makers of wireless networking equipment have made their cards able to understand the higher-level security features, such as WPA, there are issues currently in getting the WNIC to connect to the AP using WPA. The use of supplicant applications helps to smooth out this process.
Lesson 9: Securing Wireless Networks
It is important to note that you may need to download a supplicant in order to get WPA running on your system. The supplicant is the piece of code that allows your new card to actually use the features of WPA. This is especially true in legacy systems, such as Windows 2000. Microsoft has released a WPA patch for Windows systems, and Funk Software has released a third-party solution called Odyssey. With the AP now configured to use WPA2, you need to configure your client computers to match this security setting. In this next task, you will configure the Linksys WNIC client to use WPA2 security.
TASK 9C-4
Configuring WPA2 on the Network Client
1. Log on to the computer that has the Linksys WPC54G installed.
2. In the Windows system tray, right-click the Linksys WPC54G monitor icon, and choose Open The Monitor.
3. Click the Site Survey tab. Notice the new WPA2 security-enabled AP is listed.
4.
5. Verify that the WPA2-Personal option is selected, type SCNP4ME! in the Passphrase text box, and click Connect.
6. In the Congratulations screen, click Connect To Network.
7. In the Link Information screen note that you are now connected to the Access Point. Click the More Information button.
8. If you wish, open a Command Prompt and ping 10.0.10.1 (the AP) to verify the connection.
802.1x
While industry groups such as the Wi-Fi Alliance are working on security solutions, so is the IEEE. The 802.11i working group is focused on the security issues of the 802.11 wireless networking standards. The group is working towards the 802.1x standard, which will define the authentication framework of 802.11-based networks. The 802.1x standard is based upon EAP, and will provide the flexibility to use multiple authentication algorithms, since it is an open standard. Vendors will be able to implement and advance the technology along with the standard. In this system there are three primary components: the end client, the access point, and the authentication server. Although it is common for the authentication server to be a RADIUS server, there are no specifications requiring RADIUS. This leaves the design open to fit your specific situation.
Topic 9D
Wireless Auditing
Since the wireless network is so dynamic, in order to maintain proper security, regular auditing is required. This is in addition to the normal auditing and analysis of your wired network. Since the wireless network has no true boundary, your auditing must be specifically targeted towards this segment of the enterprise. A complete audit of the wireless network should inform you of all the APs, all the WNICs, and any other significant information; for example, are the APs in the network broadcasting their SSID? One method of attack is to add a rogue AP on the edge of your network, allowing the range to be extended across the street or into another building. Without proper auditing, you may find this out only after it is too late.
Site Survey
One of the primary, and most basic, wireless auditing tasks is called the site survey. This is a primary task because the wireless network is an ever-changing network, with dynamic boundaries. Even if the nodes in the network remain static, the bandwidth use may be dynamic, causing transmission rates to change during the course of communication. The BSS and ESS that are running in the wireless network can reconfigure themselves to use the lowest common denominator of bandwidth when associating with nodes and other APs. Analyzing the packets on a given channel of an AP can indicate the strength of the signal and the size of the packets transmitted. If it seems that all the packets are small in size, then there is the possibility that interference is causing the small size. Through your analysis you can now alter the settings of the AP or move it to a different physical location.
WNIC Chipsets
Although not specific to the concept of auditing or the wireless network, you need to be aware of the WNIC chipsets in order to utilize many of the wireless auditing tools. The reason for this is that there are several different manufacturers of wireless chipsets, and this is important because the tools and drivers are actually interacting with the chipset itself. When looking for interoperability with your O/S or auditing tool, you may need to know which chipset is in your card, and which chipsets are compatible with that specific tool. For 802.11b networks, two common chipsets are Prism and Hermes. The Prism chipset is on a wide variety of cards, such as Linksys, D-Link, and Netgear. The Hermes chipset is often found in Proxim cards, specifically the ORiNOCO cards. Many wireless tools work best (and, for some tools, only) with the ORiNOCO card. For 802.11g networks, two common chipsets are Atheros and Broadcom. Many different card vendors use these different chipsets. In this lesson, both the Linksys and Netgear client cards use an Atheros chipset.
Wireshark
Wireshark is one of the leading network analysis tools, and runs on both Windows and Linux platforms. Wireshark can capture all the packets on a network card, and present those packets for analysis. Complete details on Wireshark network analysis are out of the scope of this book. Even though Wireshark runs on both Windows and Linux, the support for analyzing 802.11 packets is better on Linux.
NetStumbler
Perhaps one of the most famous wireless tools, NetStumbler should be a part of all wireless auditing tool kits. NetStumbler works with a wide variety of cards; a full list is available at www.stumbler.net/compat. This tool, once loaded on your computer, can detect 802.11 networks, identify the SSIDs, identify the security in place, identify the channel used, and so on. There is a mapping function in NetStumbler that creates a graphical image, on a map of the area, of the location of APs. Since the tool allows for GPS integration, you can even use a GPS device to identify the exact longitude and latitude of the AP for plotting onto a map. Furthermore, you can output your results to the mapping software MapPoint. NetStumbler will identify, on screen, the SSIDs of the networks that it finds, and will report whether or not that network is using WEP. If the AP is using WEP, a small lock icon will appear in the circle next to the MAC address of the AP. Installing NetStumbler is very simple: just execute the application and a desktop icon will be created. Double-click the desktop icon, and NetStumbler is ready to go. The only issue is making sure that the WNIC you use is supported by NetStumbler. Supported cards require no additional steps; NetStumbler will simply use the card upon running the application. The web site www.netstumbler.com is where you can go to find the current updates regarding the supported cards.
TASK 9D-1
Installing NetStumbler
1. Log on to the computer with the Linksys WPC54G installed.
2. On your course CD-ROM, navigate to C:\Tools\Lesson9\NetStumblerInstaller_0_4_0.exe (note: if you do not have this file, you may download it from www.stumbler.net).
3. Double-click the NetStumbler_0_4_0.exe file to begin the installation.
4. Read the License Agreement, and click I Agree.
5. Leave the default selection of a Complete Install, and click Next.
6. Accept the default installation directory, and click Install.
7. Once the install is complete, click Close.
8. If you wish, read through the Release Notes, then close the Release Notes window.
In the previous figure, you can see that NetStumbler has located three APs nearby. NetStumbler has identified the SSID, Channel, and MAC address. The vendor name is estimated based on the MAC address, as specific MAC address ranges are assigned to specific vendors. This is not always accurate, however, as MAC addresses can be changed. In the test lab for this figure, two APs are Linksys, and one is Netgear. When using NetStumbler, you are able to identify if you are associated with a network by looking to see if your MAC address is in bold. In the example figure, the MAC address 0018390FFA5D is bolded, so the machine that created this example is associated to the network on Channel 6, using SSID SCP-3.
Notice as well that NetStumbler has identified the Encryption on SCP-2 and SCP-3 as WEP. While SCP-2 is using WEP, the SCP-3 network is using WPA2, so although NetStumbler did correctly identify that encryption was in use, it did not delineate the difference between a WEP and a WPA2 encrypted connection. You should keep this in mind as you are using your wireless tools. While not clearly defined from a legal viewpoint, connecting to an Access Point may be considered unauthorized access. If your WNIC is set to DHCP, your system may associate and you may be given an IP Address very quickly. Be careful that you do not associate and join a network that you had no intention of using.
If you have time, visit the site: www.wigle.net There is an interactive map that you can zoom in on down to the level of seeing the name of individual SSIDs that have been discovered via wardriving.
TASK 9D-2
Identifying Wireless Networks
1. Log on to the system that has NetStumbler installed.
2. Double-click the NetStumbler desktop icon. (If no icon was installed, you can find NetStumbler in your Programs menu.)
3. NetStumbler will automatically run a scan and locate active Access Points within range of your system.
4. Examine the results and locate the following information: What are the network types identified? What are the channels used? Is your system associated with any network? Which networks are using encryption?
5. Close the NetStumbler application. At this time, there is no need to save the file results, unless you wish to have them for later analysis.
OmniPeek Personal
There are many products designed to perform wireless network analysis directly, and one of them is part of a bigger product called OmniPeek, a commercial product from Wildpackets. OmniPeek Personal can be downloaded for free for personal use only from the WildPackets site: www.omnipeek.com. To use OmniPeek in a commercial environment, you must buy a license to the OmniPeek Workgroup or Enterprise products. One thing OmniPeek Personal is not designed to do is to crack WEP. There are other tools designed for this purpose. If you have WEP running in your network, you can however, input the WEP keys and OmniPeek Personal will decrypt those packets on screen. By decrypting the WEP signals, you can use OmniPeek Personal to analyze higher layer communications as well.
Installation of OmniPeek Personal is very straightforward. OmniPeek Personal will not work with every WNIC made, but supports quite a few brands and types of cards. OmniPeek Personal supports various 802.11a, 802.11b, 802.11g, and 802.11 combo cards. You will need to be sure that your card is one that is supported. Once you know that your card is supported, you will then update the WNIC with a WildPackets driver for that specic card. Once the driver is installed, then OmniPeek Personal is ready to run on your system.
TASK 9D-3
Installing OmniPeek Personal
Setup: OmniPeek Personal requires Microsoft .NET Framework 2.0. If your system does not have this installed, please visit www.omnipeek.com/downloads.php and follow the link to Microsoft to download the current version.
1. Log on to the system that has the Linksys WPC54G installed.
2. From C:\Tools\Lesson9, double-click WildPackets_OmniPeek_Personal41.exe.
3. If your security system generates a Security Warning pop-up, click Run. If no pop-up is created, proceed to the next step.
4. In the InstallShield Wizard, click Next.
5. In the Name text box, type your first name, and in the Company Name text box, type SCP, and click Next.
6. If you wish to receive WildPackets updates, click Next. If you do not wish to receive WildPackets updates, uncheck the check box, then click Next.
7. Read the features offered in the OmniPeek Workgroup Pro upgrade, and click Next.
8. Read the terms of the License Agreement, select the radio button if you accept, and click Next.
9. Read through the Installation Notes, and click Next.
10. If your system does not have Microsoft .NET Framework 2.0 installed, you will be prompted to download .NET 2.0. If you do need to perform this download, click OK. If your system already has .NET installed, skip to the next step.
11. Leave the default selection of a Complete Install, and click Next.
12. Confirm your settings, and click Next to begin copying files. The software will now be installed to your system.
13. Once the install is complete, uncheck the box to view the Readme, uncheck the box to Launch OmniPeek, and click Finish.
WildPackets Drivers
OmniPeek Personal requires the installation of a special WildPackets driver in order to use a wireless card with an Atheros chipset. Note that once you have installed the WildPackets driver, if you wish to revert to your previous configuration, you will need to reinstall the factory drivers that came with your WNIC. In this book, you will be using the OmniPeek files that are included as samples, so no driver installation is required.
TASK 9D-4
Viewing OmniPeek Personal Captures
1. Log on to the system where you have installed OmniPeek Personal.
2. Navigate from the Start menu to the WildPackets OmniPeek Personal installation.
3. The first time the application runs, you must define a network adapter. In this course, you will not be using an adapter. In the Monitor Options screen, select None, and click OK.
4. Choose File→Open.
5. Navigate to the folder location where you installed OmniPeek Personal.
6. Open \OmniPeek Personal\Samples\Wireless.
7. Select association.apc and click Open. What is the function of the packet found in line 4? It is the broadcast looking for a wireless network to join. This broadcast is called the probe request.
8. What is the MAC address of the node that sent the Probe Request? 00:A0:F8:9B:B9:AA
9. What is the function of the packet found in line 5? It is the response from the AP that it will accept connections. This response is called the probe response.
10. What is the function of the packet found in line 8? A request to use open authentication.
11. Right-click line 8 and choose Select Related Packets→By Flow. Click the Hide Unselected button. You will be left with only the packets related to that specific conversation.
12. What is the subtype of the authentication request in line 8? It is Subtype: 1011 (Authentication).
13. What is the status code of the authentication response in line 10? It is listed as Successful, so this packet is to inform the client that the request is granted.
14. Choose Edit→Unhide All Packets.
15. Double-click line 3, which is a Beacon packet.
16. Note the type and subtype of this packet.
17. Click the green right-arrow. This arrow is found two rows under the File menu.
18. What is the type and subtype of this packet? Type 00 (Management) and 0100 (Probe Request). Continue to click the green arrow, noting the different Types and Subtypes as they are associated with different packets.
19. What is the type and subtype for a probe response? Type 00 (Management) and 0101 (Probe Response).
20. What is the type and subtype for an 802.11 acknowledgement? Type 01 (Control) and 1101 (Acknowledgement).
21. What is the type and subtype for a beacon? Type 00 (Management) and 1000 (Beacon).
22. What is the type and subtype for an 802.11 authentication packet? Type 00 (Management) and 1011 (Authentication).
23. What is the type and subtype for an association request? Type 00 (Management) and 0000 (Association Request).
24. What is the type and subtype for an association response? Type 00 (Management) and 0001 (Association Response).
25. Choose File→Close to close the packet details.
26. From the left menu, under Statistics, click Protocols.
27. Notice the percentages of each protocol in this capture. When finished, choose File→Close. Keep OmniPeek Personal open for subsequent tasks.
Live Captures
Although it may not be a part of your daily tasks, there will be times when you wish to view captures as they happen. These live captures can then be saved for later analysis, or you can look for trends as they are happening. There is a feature built into the program to simulate the live capture of packets, so you do not need to have a suitable WNIC installed.
TASK 9D-5
Viewing Live OmniPeek Personal Captures
1. Choose Capture→Start Capture.
2. In the Monitor Options, select the File option, and click OK.
3. In the File Name box, browse to \WildPackets\OmniPeek Personal\Samples\Wireless\Demo.apc, and click Open. (Note: you may need to change the file type to view .apc files.)
4. Choose Capture→Start Capture.
5. Click the green Start Capture button.
6. Allow the capture to run for some time. When you reach approximately 700 packets, click the red Stop Capture button.
7. Leave the application open for upcoming tasks.
Non-802.11 Packets
Although you may wish to spend the majority of your time analyzing the 802.11 packets and associated wireless networking issues, OmniPeek Personal can capture all traffic. This allows you to perform analysis on all network traffic if you wish. In the following task, you will examine all the traffic captured, and view the OmniPeek Personal options for analysis.
TASK 9D-6
Analyze Upper Layer Traffic
Setup: This task assumes that the Demo.apc file is open.
1. Right-click line 16 and choose Select Related Packets→By Flow.
2. Click the Hide Unselected button.
3. What are the IP addresses of the nodes in this conversation? 192.168.0.11 and 192.216.124.4
4. Which packets define the three-way handshake? Packets 16, 19, and 21.
5. What website is being accessed in these packets? www.wildpackets.com (This is the maker of OmniPeek Personal.)
6. Double-click any HTTP packet. What is the type and subtype of the packet? Type 10 (Data) and 0000 (Data Only).
7. Looking at the MAC addresses and the last bit of the frame control flags, do you suspect this to be an ad-hoc or an infrastructure network? An infrastructure network: there are three addresses in use, and the ToDS bit is set to 1.
8. Choose File→Close. Click No, as you do not need to save this capture file.
9. Leave OmniPeek Personal open for the next task.
Decode WEP
If you are analyzing traffic on your own network, you know what the WEP key is. In this case, you are not cracking anything; you will use the key to decrypt WEP-protected data on screen. OmniPeek Personal has an option to "UnWEP" packets, provided you have the required key.
TASK 9D-7
Decrypting WEP
1. If it is not already open, open OmniPeek Personal.
2. Choose File→Open.
3. Browse to \WildPackets\OmniPeek Personal\Samples\Wireless\telnetwep.apc and click Open. Notice that under the Protocol column, no protocol information for higher layers is available. (You can reorder the columns, if you wish.)
4. Double-click packet 6.
5. What is the type and subtype of this packet? Type 10 (Data) and Subtype 0000 (Data Only).
6. According to the frame control flags, is WEP enabled, and is this likely for an ad-hoc or an infrastructure network? Yes, WEP is enabled, and the ToDS bit is set, so this is an infrastructure network.
7. To get back to the main packet list, close the packet details.
8. Choose Tools→Decrypt WLAN Packets.
9. [step text missing from the source]
10. Select the Encrypted Only radio button and click the button to the right of the Use Key Set text box.
11. Click the Insert button.
12. In the Name text box, type UnWEP1. In the Key 1 text box, type 0123456789, and in the Key 2 text box, type 9876543210. Click OK. These values are part of the OmniPeek Personal demo.
13. In the Key Sets window, click your newly created UnWEP1 set, and click OK.
14. In the Decrypt WLAN Packets window, click OK to perform the decryption with the UnWEP1 key set. It will only take a brief moment to perform the decryption. You will see right away that the packets are decrypted, and the protocols and other details are now exposed.
15. Starting with packet 1, what are the other packets involved in the three-way handshake? Packets 1, 2, and 3.
16. What IP address is associated with the Telnet client? 192.168.0.11
17. What packet holds the login request from the Telnet server? Packet 8.
18. Examine the details of lines 9, 12, 15, 18, 20, 24, 27, 30. What can you learn from the information in these lines? You can learn that the login is sysadmin. (Note: look at the values presented in the Line 1 field of these packets together.)
19. What does it appear that the password is for this login session? The password looks like foo, from lines 36, 39, and 42. (Note: look at the values presented in the Line 1 field of these packets together.)
20. Which packets are used to end the Telnet session? Packets 63, 64, 65, and 66.
21. Double-click line 63. This is the Ack/Fin to close the session from the Telnet server.
22. What is the setting of the ToDS bit and the FromDS bit? The ToDS bit is set to 0 and the FromDS bit is set to 1.
23. After you identify the bit setting, click the green right-arrow to move to the next packet. This is packet 64, the return Ack to the server.
24. What is the setting of the ToDS bit and the FromDS bit? The ToDS bit is set to 1 and the FromDS bit is set to 0.
25. After you identify the bit setting, click the green right-arrow to move to the next packet. This is packet 65, the Ack/Fin from the client to the server.
26. What is the setting of the ToDS bit and the FromDS bit? The ToDS bit is set to 1 and the FromDS bit is set to 0.
27. After you identify the bit setting, click the green right-arrow to move to the next packet. This is packet 66, the return Ack from the server.
28. What is the setting of the ToDS bit and the FromDS bit? The ToDS bit is set to 0 and the FromDS bit is set to 1.
29. After you identify the bit setting, click the green right-arrow to move to the next packet.
30. Close all open windows. Click No if you are prompted to save the file, and click Yes to exit OmniPeek Personal.
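The frame control fields read by hand in Tasks 9D-4, 9D-6 and 9D-7 (type and subtype bits, the ToDS/FromDS flags, the WEP flag and the address roles) can be decoded from raw header bytes. The following is an added example, not course or WildPackets code; the sample frames are constructed, and only the 00:A0:F8:9B:B9:AA address comes from Task 9D-4.

```python
"""Added example: decode the 802.11 Frame Control field and MAC addresses the
way the OmniPeek tasks read them, and derive from the ToDS/FromDS bits whether a
data frame belongs to an ad-hoc or an infrastructure network."""
import struct

TYPE_NAMES = {0b00: "Management", 0b01: "Control", 0b10: "Data"}
# (type, subtype) pairs the lab walks through; anything else is reported as "Other".
SUBTYPE_NAMES = {
    (0b00, 0b0000): "Association Request",
    (0b00, 0b0001): "Association Response",
    (0b00, 0b0100): "Probe Request",
    (0b00, 0b0101): "Probe Response",
    (0b00, 0b1000): "Beacon",
    (0b00, 0b1011): "Authentication",
    (0b01, 0b1101): "Acknowledgement",
    (0b10, 0b0000): "Data Only",
}
# Address roles by (ToDS, FromDS); None marks the absent fourth address.
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID", None),   # ad-hoc/IBSS, and all management frames
    (1, 0): ("BSSID", "SA", "DA", None),   # station to AP
    (0, 1): ("DA", "BSSID", "SA", None),   # AP to station
    (1, 1): ("RA", "TA", "DA", "SA"),      # AP to AP (WDS), four addresses
}


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def decode_frame_control(fc: bytes) -> dict:
    """Split the two Frame Control octets: version/type/subtype, then the flags."""
    b0, b1 = fc[0], fc[1]
    ftype, subtype = (b0 >> 2) & 0x3, (b0 >> 4) & 0xF
    return {
        "type_num": ftype,
        "type_bits": f"{ftype:02b}",
        "type_name": TYPE_NAMES.get(ftype, "Reserved"),
        "subtype_bits": f"{subtype:04b}",
        "subtype_name": SUBTYPE_NAMES.get((ftype, subtype), "Other"),
        "to_ds": b1 & 0x01,             # flags bit 0
        "from_ds": (b1 >> 1) & 0x01,    # flags bit 1
        "retry": (b1 >> 3) & 0x01,      # flags bit 3
        "protected": (b1 >> 6) & 0x01,  # flags bit 6: WEP / Protected Frame
    }


def decode_header(frame: bytes) -> dict:
    """Decode the MAC header of a management, data or ACK frame given as raw bytes."""
    if len(frame) < 10:
        raise ValueError("too short for an 802.11 MAC header")
    info = decode_frame_control(frame[:2])
    info["duration"] = struct.unpack_from("<H", frame, 2)[0]
    if info["type_num"] == 0b01:
        # Control frames such as ACK carry only the receiver address.
        info["addresses"] = {"RA": fmt_mac(frame[4:10])}
        return info
    roles = ADDRESS_ROLES[(info["to_ds"], info["from_ds"])]
    need = 30 if roles[3] else 24
    if len(frame) < need:
        raise ValueError(f"need {need} header bytes, got {len(frame)}")
    raw = [frame[4:10], frame[10:16], frame[16:22], frame[24:30]]
    info["addresses"] = {r: fmt_mac(a) for r, a in zip(roles, raw) if r}
    if info["type_num"] == 0b10:
        # The DS bits are what separate ad-hoc from infrastructure data traffic.
        info["network"] = "infrastructure" if (info["to_ds"] or info["from_ds"]) else "ad-hoc"
    return info


# Constructed sample frames (header bytes only, no frame body).
BROADCAST = bytes.fromhex("ffffffffffff")
CLIENT = bytes.fromhex("00a0f89bb9aa")     # the MAC quoted in Task 9D-4
BSSID = bytes.fromhex("02aabbccddee")      # constructed AP address
SERVER = bytes.fromhex("001122334455")     # constructed wired host
NO_DURATION, SEQ = b"\x00\x00", b"\x10\x00"
# Probe Request: version 0, type 00, subtype 0100 -> 0x40; flags 0x00.
PROBE_REQUEST = bytes([0x40, 0x00]) + NO_DURATION + BROADCAST + CLIENT + BROADCAST + SEQ
# Data Only from client to AP with WEP: type 10, subtype 0000 -> 0x08; ToDS|Protected -> 0x41.
WEP_DATA = bytes([0x08, 0x41]) + NO_DURATION + BSSID + CLIENT + SERVER + SEQ
# ACK: type 01, subtype 1101 -> 0xD4; only a receiver address follows.
ACK = bytes([0xD4, 0x00]) + NO_DURATION + CLIENT

if __name__ == "__main__":
    for name, frame in (("probe", PROBE_REQUEST), ("data", WEP_DATA), ("ack", ACK)):
        print(name, decode_header(frame))
```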
Aircrack
Aircrack is a whole set of wireless tools that work in 802.11a/b/g networks. Included in this suite are Airodump, a wireless packet capture program, and Aireplay, a wireless packet injection tool, along with the ability to crack WEP encryption. By using packet injection, the tool can ensure that enough packets are available for decryption.
WEPCrack
As the name directly implies, WEPCrack, which runs best on UNIX systems, is a wireless tool designed to crack WEP keys. One thing to note is that this tool will require a lot of packets to do its job. It must sniff and analyze the packets, searching for the weak IVs it can exploit. The amount of data that you need to capture before WEPCrack can crack the key can be seven or eight gigabytes. Of course, it is possible that redundancy will be found earlier, but you should be aware that this is not a fast or instantaneous process like some of the online password cracking utilities.
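The decrypt-with-a-known-key step from the Decode WEP section, and the IV redundancy that WEPCrack waits for, are shown in the following added example (not course, WildPackets or WEPCrack code). The two hex keys are the demo values quoted in Task 9D-7 read as 40-bit keys; the IV, the payloads and the mapping of OmniPeek's Key 1/Key 2 boxes to key index 0/1 are assumptions.

```python
"""Added example: WEP frame-body protection and decryption with a known key set,
ICV verification, and the keystream reuse that a repeated IV causes."""
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA; WEP seeds it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, sent little-endian."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_protect(plaintext: bytes, key: bytes, key_id: int, iv: bytes) -> bytes:
    """Build a WEP frame body: IV(3) | KeyID octet | RC4(plaintext || ICV)."""
    if len(iv) != 3 or not 0 <= key_id <= 3:
        raise ValueError("IV must be 3 bytes and key_id 0..3")
    keystream = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + bytes([key_id << 6]) + xor_bytes(plaintext + icv(plaintext), keystream)


def wep_unprotect(body: bytes, key_set: dict) -> tuple:
    """Decrypt with the key selected by the KeyID octet; return (plaintext, icv_ok).
    A wrong key yields garbage and, almost always, a failed ICV, which is how an
    analyzer knows the configured key set does not match."""
    iv, key_id = body[:3], body[3] >> 6
    key = key_set[key_id]
    data = xor_bytes(body[4:], rc4_keystream(iv + key, len(body) - 4))
    plaintext, received_icv = data[:-4], data[-4:]
    return plaintext, received_icv == icv(plaintext)


def iv_reuse_leak(body_a: bytes, body_b: bytes):
    """If two bodies share IV and key index, their keystreams are identical, so
    XOR of the ciphertexts equals XOR of the plaintexts without any key. This is
    the redundancy the 24-bit IV makes inevitable in a busy network."""
    if body_a[:4] != body_b[:4]:
        return None
    n = min(len(body_a), len(body_b)) - 8  # drop the 4-byte header and 4-byte ICV
    return xor_bytes(body_a[4:4 + n], body_b[4:4 + n])


# Constructed key set: OmniPeek's "Key 1"/"Key 2" boxes are taken to be key index
# 0/1 (an assumption about the UI numbering); the hex strings are 40-bit keys.
KEY_SET = {0: bytes.fromhex("0123456789"), 1: bytes.fromhex("9876543210")}
# Constructed plaintext: LLC/SNAP header for IP followed by a Telnet-style fragment.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")
PLAIN_A = LLC_SNAP_IP + b"login: sysadmin\r\n"
PLAIN_B = LLC_SNAP_IP + b"Password: foo\r\n"
IV = bytes.fromhex("a1b2c3")  # constructed IV

BODY_A = wep_protect(PLAIN_A, KEY_SET[1], 1, IV)
BODY_B = wep_protect(PLAIN_B, KEY_SET[1], 1, IV)  # same IV reused: the weakness

if __name__ == "__main__":
    text, ok = wep_unprotect(BODY_A, KEY_SET)
    print(ok, text)
    print(iv_reuse_leak(BODY_A, BODY_B))
```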
AirSnort
AirSnort, like WEPCrack, can crack WEP keys, and is also designed to run on Linux. AirSnort, once activated, can crack WEP automatically without user input. This tool will run on both the ORiNOCO and Prism chipsets, but seems to have a preference towards using the ORiNOCO cards. If it is not already, you can expect AirSnort to become a required tool in all wireless analysts' tool kits in the very near future.
Ekahau
Ekahau is a wireless auditing tool that allows you to pinpoint the actual physical location of wireless devices in your network. Using this tool, you make a map of your office and then perform a survey of the office. Once the survey is done, the system is aware of the wireless network in the space. When the map is complete, you can identify specific nodes in the network. In the event that you identify an unknown node, you can use this tool to locate that node. The accuracy is listed as within a few feet. You can then simply walk up to the person using the network with the unidentified node and say hello.
Kismet
Kismet is a powerful wireless network tool that can perform network sniffing, log data in a Wireshark-compatible format for simple analysis, and enable you to plot wireless data and detected networks directly onto downloaded maps.
Topic 9E
Wireless Trusted Networks
While there have been many advances in securing the wireless networks over WEP, some of which you have examined in this lesson, there is more work to be done before an enterprise will trust wireless networking for any critical application. This is the realm of the 802.11i working group.
802.1x allows for port-based access control and EAP allows for mutual authentication.
Figure 9-29: The location of EAP 802.1x and the physical 802.11 network.
By implementing this type of security, you have achieved several goals that are not possible in open wireless networks. These are some of the goals that are met with this system:
1. Mutual authentication between the client and the authentication server before network access is granted.
2. User authentication is required, not simple system authentication.
3. Keys are generated dynamically.
4. Strong encryption, with the ability to ensure data integrity.
There is similarity to the WPA security system you examined earlier. A significant difference is that to build a wireless PKI, you will need to use and configure digital certificates. WPA operates by using a shared key, whereas you will not have that type of manually-input shared key in a trusted wireless network. There are enough similarities, however, that the final security implementation based on the technologies in this lesson will be called WPA-2. There are three primary components of the trusted wireless network: the end client, the access point, and the authentication server. The authentication server is commonly a RADIUS server, but it may be configured to your network's needs. You may see the client referred to as the supplicant in some texts, because it is technically the software, not the client machine, that is involved in the process, and that software is called the supplicant.
EAP Types
There are four primary EAP types for wireless networking implementation. They are EAP with Transport Layer Security (EAP-TLS), EAP with Tunneled Transport Layer Security (EAP-TTLS), Cisco's Lightweight EAP (LEAP), and Protected EAP (PEAP). Each type has a unique combination of requirements for the client, the authentication server, and the delivery of the key. It is worth noting that there is another type of EAP, called EAP-MD5. Although a valid EAP type, it is not used in trusted wireless networking. This is because the authentication of the client is done by hashing the user's password with MD5 and transmitting the hash. The RADIUS server, or whatever authentication server is in use, checks the MD5 hash for a match, and if there is a match, authentication is successful. In a controlled physical network, such as Ethernet, this may have a place, but in the wireless world, where traffic can be sniffed from the air, this is not a good system for implementing security. Because of this, you should not implement security based on EAP-MD5 in your wireless network.
There are five EAP types, but EAP-MD5 is not recommended for wireless PKI, so it is not included as one of the main EAP types.
Since a single shared password exists, there is the possibility of a man-in-the-middle attack, and the issue of password reuse. LEAP is definitely a step in the right direction and provides better security than WEP, but it is recommended that for your wireless PKI you move forward to other systems.
Figure 9-30: The process of a client using an EAP-TLS protected network.
In the EAP-TLS example, the client begins the process by associating with the AP. The AP will block any further access until an accept message is sent from the authentication server to the AP. The AP responds to the client, essentially telling the client to send the required EAP initial request, which the AP then forwards on to the authentication server. The server receives the request and responds by sending the server's digital certificate to the client. Once the client validates the information on the server's certificate, the client responds with the client digital certificate. Once the server validates the client's certificate, the server begins the process of creating the mutual key to use. This is done following standard public key cryptography systems. Once the key is generated, the server sends a message to the AP that authentication is successful, with the AP then informing the client of the successful authentication. The client proceeds to use the generated key to encrypt traffic, and the AP allows the client access to the LAN.
Figure 9-31: The process of a client using an EAP-TTLS protected network.
The process begins with the client associating with the AP, and then being required to begin the EAP-TTLS process. The server sends the server certificate, which the client validates, and then the client and server build an encrypted tunnel. This is very similar to how a tunnel is created with SSL. Once the tunnel is created, the client will present whatever credentials are required (certificate, token, standard password, and so on), using the algorithm that the administrator has chosen. In the tunnel, most algorithms will function without any difficulty, such as PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-MD5, and so on. When the user has successfully authenticated, the server sends the success message to the AP, which in turn sends the success message to the client. Now that the client has successfully gone through this process, messages can be encrypted and sent to the LAN through the AP.
The client begins the process by associating with the AP. The AP will block any further access until an accept message is sent from the authentication server to the AP. The AP responds to the client, essentially telling the client to send the required EAP initial request, which the AP then forwards on to the authentication server. The server receives the request and responds by sending the server's digital certificate to the client. Once the client validates the information on the server's certificate, the client responds with whatever authentication system is called for. This may be certificates, tokens, passwords, and so on. Once the server validates the client's authentication information, the server begins the process of creating the mutual key to use. This is done following standard public key cryptography systems. Once the key is generated, the server sends a message to the AP that authentication is successful, with the AP then informing the client of the successful authentication. The client then proceeds to use the generated key to encrypt traffic, and the AP allows the client access to the LAN.
Comparison of the four EAP types (the headings for the last four columns are the table's own; the headings for the first six are inferred from the cell contents):

EAP type | Native OS support | Client OS support | Client software | Server software | Server authentication | Client authentication | Dynamic Key Use | Open Standard | Unique Key per User | Overall Security Level
LEAP | None | All Win32 | Cisco | Cisco, Funk, and others | Password Hash | Password Hash | Yes | No | Yes | Moderate
EAP-TLS | Windows XP/2003/2000 | All Win32, Mac OS X, Linux, BSD | Microsoft, Cisco, Funk, and others | Cisco, Funk, Microsoft, others | Public Key Certificate | Public Key Certificate | Yes | Yes | Yes | Strongest
EAP-TTLS | None | All Win32, Mac OS X, Linux, BSD | Microsoft, Funk, and others | Funk, and others | Public Key Certificate | PAP, CHAP, MSCHAP, EAP, and others | Yes | Yes | Yes | High
PEAP | Windows XP/2003/2000 | All Win32 | Microsoft, Funk, and others | Cisco, Funk, Microsoft, and others | Public Key Certificate | Varies as per implementation | Yes | Yes | Yes | High
TASK 9E-1
Choosing a Wireless Trusted Network
1. Consider the following scenario: You work for a company that is a global enterprise. The company is often listed in the top 50 companies in the world. You work out of the corporate office, based in Chicago, IL. There are 300 regional offices, and over 2,000 small satellite offices. In the HQ, there is discussion of configuring a new wireless network. This new wireless network is going to be a case study, and if all goes well, similar systems will be implemented in all the regional offices, and eventually in the satellite offices. The current discussion is on the security of the wireless network. For the case study, the implementation will be a single file server, which local network clients will need to access frequently. During the case study, there will be approximately 75 users participating (all of whom are running Windows 2000 or Windows XP), spread throughout two different floors of the HQ. During the discussion it is agreed quickly that WEP will not be used, and now the discussion is moving towards the specific security system to use. To provide the maximum level of security, which security system will you recommend for the implementation?
   Even though this is a case study, you realize that if successful, the security system will be duplicated worldwide. Your goal is to provide the maximum level of security, so your choice is to go with an EAP-TLS implementation. This will allow for full use of certificates, on both the client and the server.
Summary
In this lesson, you examined the fundamental issues of wireless networking, including the required equipment and transmission media of wireless networks. You then identified WLAN issues such as the function of the AP, the configuration of SSIDs, and the choice between an ad-hoc and an infrastructure network. You detailed the 802.11 framing and the use of multiple MAC addresses. You then identified the security solutions for wireless networks, including WEP, WPA, and WTLS. You examined the tools for performing security audits, and the methods available for creating a trusted wireless network using digital certificates.
Lesson Review
9A
Which type of spread spectrum signal uses multiple frequencies at the same time?
Direct Sequence Spread Spectrum (DSSS).
Why is 802.11a incompatible with 802.11b?
They use different spread spectrum techniques.
What are the two primary pieces of equipment for the wireless network to be operational?
The Access Point and the Wireless Network Interface Card (WNIC).
What language is used to create web content for handheld devices, such as cell phones, when they connect to the Internet?
WML.

9B
What is association?
The process of a WNIC associating with an AP in order to use the wireless network.
What are the two WLAN topologies?
Ad-hoc mode and infrastructure mode.
What is the name assigned to people who search out WLANs?
War drivers.

9C
What additional piece of software is required to configure WPA on Windows 2000 WNIC clients?
Supplicants.
What component of WEP is the cause of its weakness?
The Initialization Vector (IV).

9D
What tool used in this lesson provides you with a fast scan of the APs in your area?
NetStumbler.
What tools can be used to break WEP?
Aircrack, AirSnort, and WEPCrack.
What tool can provide you with the physical positioning of a wireless node in the network?
Ekahau.
What tool allows you to perform full wireless packet capture and analysis?
OmniPeek Personal.
GLOSSARY
attack: An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.
audit trail: In computer security systems, a chronological record of system resource usage. This includes user login, file access, other various activities, and whether any actual or attempted security violations occurred.
audit: The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.
authentication: To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.
availability: Assuring information and communications services will be ready for use when expected.
back door: A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door; a hidden software or hardware mechanism used to circumvent security controls.
breach: The successful defeat of security controls which could result in a penetration of the system. A violation of controls of a particular information system such that information assets or system components are unduly exposed.
bug: An unwanted and unintended property of a program or piece of hardware, especially one that causes it to malfunction.
compromise: An intrusion into a computer system where unauthorized disclosure, modification, or destruction of sensitive information may have occurred.
confidentiality: Assuring information will be kept secret, with access limited to appropriate persons.
cryptography: The art or science concerning the principles, means, and methods for rendering plaintext unintelligible and for converting encrypted messages into intelligible form.
DES (Data Encryption Standard): Definition 1: An unclassified crypto algorithm adopted by the National Bureau of Standards for public use. Definition 2: A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.
false positive: Occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action.
firewall: A system or combination of systems that enforces a boundary between two or more networks. A gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based UNIX box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.
hacker: A person who enjoys exploring the details of computers and how to stretch their capabilities. A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn the necessary minimum.
host: A single computer or workstation; it can be connected to a network.
integrity: Assuring information will not be accidentally or maliciously altered or destroyed.
intrusion detection: Pertaining to techniques that attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts, either manually or via software expert systems that operate on logs or other information available.
intrusion: Any set of actions that attempts to compromise the integrity, confidentiality, or availability of a resource.
key: A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt.
network security: Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects. Network security includes providing for data integrity.
network: Two or more machines interconnected for communications.
AH (Authentication Header): A field that immediately follows the IP header in an IP datagram and provides authentication and integrity checking for the datagram.
authenticate: To establish the validity of a claimed user or object.
crash: A sudden, usually drastic failure of a computer system.
ESP (Encapsulating Security Payload): A mechanism to provide confidentiality and integrity protection to IP datagrams.
LAN (Local Area Network): A computer communication system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communication system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, front-end processors, controllers, and servers.
metric: A random variable x representing a quantitative measure accumulated over a period.
non-repudiation: Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender's identity, so that neither can later deny having processed the data.
OSI (Open Systems Interconnection): A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.
packet filter: Inspects each packet for user-defined content, such as an IP address, but does not track the state of sessions. This is one of the least secure types of firewall.
packet filtering: A feature incorporated into routers and bridges to limit the flow of information based on pre-determined communications such as source, destination, or type of service being provided by the network. Packet filters let the administrator limit protocol-specific traffic to one network segment, isolate email domains, and perform many other functions.
packet sniffer: A device or program that monitors the data traveling between computers on a network.
packet: A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.
Glossary
539
GLOSSARY
passive threat: The threat of unauthorized disclosure of information without changing the state of the system. A type of threat that involves the interception, not the alteration, of information.
penetration: The successful unauthorized access to an automated system.
perpetrator: The entity from the external environment that is taken to be the cause of a risk. An entity in the external environment that performs an attack, i.e., a hacker.
physical security: The measures used to provide physical protection of resources against deliberate and accidental threats.
plaintext: Unencrypted data.
profile: Patterns of a user's activity which can detect changes in normal routines.
promiscuous mode: Normally, an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.
protocol: Agreed-upon methods of communications used by computers. A specification that describes the rules and procedures that products should follow to perform activities on a network, such as transmitting data. If they use the same protocols, products from different vendors should be able to communicate on the same network.
proxy: A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user: typical proxies accept a connection from a user, decide whether or not the user or client IP address is permitted to use the proxy, perhaps perform additional authentication, and then complete a connection on behalf of the user to a remote destination.
router: An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the Network Layer.
security audit: A search through a computer system for security problems and vulnerabilities.
security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.
security level: The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.
security policies: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
security violation: An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information contained therein or to the system itself.
server: A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.
sniffer: A program to capture data across a computer network. Used by hackers to capture user ID names and passwords. Software tool that audits and identifies network traffic packets. It is also used legitimately by network operations and maintenance personnel to troubleshoot network problems.
SNMP (Simple Network Management Protocol): Software used to control network communications devices using TCP/IP.
SSH (Secure Shell): A completely encrypted shell connection between two machines protected by a super long pass-phrase.
SYN flood: When the SYN queue is flooded, no new connection can be opened.
threat: The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest. A potential violation of security.
topology: The map or plan of the network. The physical topology describes how the wires or cables are laid out, and the logical or electrical topology describes how the information flows.
traceroute: An operation of sending trace packets to determine information; traces the route of UDP packets from the local host to a remote host. Normally, traceroute displays the time and location of the route taken to reach its destination.
Trojan Horse: An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.
vulnerability: Hardware, firmware, or software flaw that leaves an AIS open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to an AIS.
vulnerability analysis: Systematic examination of an AIS or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
INDEX
3DES, 353
802.11 addressing, 478-481
802.11 framing, 476-481
  frame details, 476-478
  frame format, 476
802.11a standard, 460
802.11b standard, 461
802.11c standard, 461
802.11d standard, 461
802.11e standard, 461
802.11f standard, 461
802.11g standard, 461
802.11h standard, 462
802.11i standard, 462
802.11n standard, 462
802.1x, 512

A
access control, 15
access points, 448-449. Also see: APs
accountability, 377
acknowledgement numbers, 47
ACL
  anti-DoS, 142
  anti-Land, 143
  anti-spoofing, 143-144
  anti-SYN, 142-143
  command syntax, 138-139
  creating, 134-135
  defending against attacks, 142-144
  extended syntax, 139-140
  implementing, 138-142
  logging, 149-151
  operation, 135
activate, 416-418
Active Defense-in-Depth, 7-8
active open connection, 48-50
administrative distance, 123-124
AH, 344
  combine with ESP in IPSec, 327-329
  configuring, 321-322
  Transport mode, 303
  Tunnel mode, 303
AH and ESP in IPSec, 327-329
  response policy, 335-336
  session analysis, 331-332
Aircrack, 526
AirSnort, 527
alert, 416-418
alert notification, 376
analysis, 382-383, 391
anomaly detection, 373
anti-spoofing logging, 150
APs, 448-449
  configuration, 482-485
ARP process, 108-110
attack monitoring, 397
attack response, 10
audit data
  handling, 25
  preserving, 25
audit trails, 25
auditing, 22-23
authentication, 3-5, 16, 98-99, 303, 352-353
Authentication Header, 344. Also see: AH
authentication methods
  editing policies, 317-318
authentication tokens, 16-20
authorization, 98-99
authorization and availability, 3-5
awareness, 9

B
banners, 101
basics, 42-43
behavioral use, 379-382
binary conversion, 37-38
Bluetooth, 459
breach, 5-6
broadcast, 44-45
buffered logging, 147-148
bug, 96
business drivers for a VPN, 338
C
capture packet data, 411-413
captures
  displaying, 54-55
castle analogy, 10-11
CDP, 128-129
centralized host-based design, 384-385
Challenge Handshake Authentication Protocol, 352-353. Also see: CHAP
Challenge Response Process, 17-18
challenge response token, 16-17
CHAP, 352-353
CIDR, 43-44
Cisco
  banners, 101-103
  logging, 145-146
  OS, 96
  router language, 96
Cisco Discovery Protocol. See: CDP
Classless Interdomain Routing. See: CIDR
Client policy, 306-307
collection, 382-383
command console, 375
confidentiality, 3-5
configuration fragments, 97-98
connection, 48-50
  establishing, 48-49
  terminating, 49-50
connections
  TCP, 63-64
console logging, 147
console password, 99
cryptography, 302

D
DAC, 15
Data Encryption Standard. See: DES
decimal conversion, 37-38
Default Response, 318-321
defense technologies, 13-14
Defense-in-Depth, 6
defensive strategy, 8-10
denial of host, 140-141
denial of network, 141
denial of subnet, 141
DES, 307-308, 353
detection, 371
Direct Sequence Spread Spectrum, 458-459. Also see: DSSS
Discretionary Access Control, 15. Also see: DAC
distance vector routing, 121
distributed host-based design, 386-387
DSSS, 458-459
dynamic, 416-418
dynamic routing, 116-118

E
EAP, 506-507
  comparison of types, 532-533
  Lightweight, 529-530. Also see: LEAP
  Protected, 531-532. Also see: PEAP
  types, 529
  with Transport Layer Security, 530. Also see: EAP-TLS
  with Tunneled Transport Layer Security, 531. Also see: EAP-TTLS
EAP-TLS, 352-353, 530
EAP-TTLS, 531
Ekahau, 527
enable password, 99
Encapsulating Security Payload, 344. Also see: ESP
encryption, 21-22
ESP, 344
  combine with AH in IPSec, 327-329
  Transport mode, 303
  Tunnel mode, 303
Ethereal, 58-59
Extensible Authentication Protocol, 506-507. Also see: EAP
Extensible Authentication Protocol-Transaction Level Security, 352-353. Also see: EAP-TLS
extranet, 338

F
false-negative, 373-375
false-positive, 373-375
FHSS, 458
finger, 131
firewall, 303
Firewall-based VPNs, 339-340
firewalls, 21
Frequency Hopping Spread Spectrum, 458. Also see: FHSS
FTP
  capture, 76-78
  configuring, 322-323
  granting, 142
  session analysis, 79
Fundamental Access Point Security, 493-494

H
Hardware-based VPNs, 339-340
hexadecimal conversion, 37-38
host, 33-36
host-based intrusion detection, 384

I
ICMP, 129-130
  direct broadcast, 129
  session analysis, 76
  unreachable, 129-130
ICMP messages, 68-70
IDS, 9, 22, 371
  components, 375-376
  goals of, 376-377
  matrix, 373-375
  response, 376
IEEE 802.11 standard, 460-462
independent audit, 24-25
infrared wireless media, 453-454
inside threats
  detecting, 396
integrity, 3-5, 65-68
Internet Protocol. See: IP
Internet Security Association Key Management Protocol (ISAKMP/Oakley), 345-346
interval analysis, 391
intrusion, 373
intrusion detection, 7-8
  definitions, 373
  techniques, 378-379
  technologies, 378-379
Intrusion Detection, 371-373
Intrusion Detection System, 371. Also see: IDS
Intrusion Detection Systems. See: IDS
IP, 36-39
  address classes, 38-39
  datagram, 65-68
  private addresses, 39
  security, 301-302
  special-function addresses, 39
IP Policy Agent, 345-346
IP Security Policy and Security Association, 345-346
IP Security Protocol (IPSec), 341
IPSec, 341, 344-346
  AH implementation, 312
  and NAT, 346-347
  components, 345-346
  configuring a response, 329-331
  configuring options, 333-334
  custom policies, 312-317
  driver, 345-346
  full session, 336-337
  implementing, 303-304, 323-324
  modes, 302-303
  policies, 306-307
  Transport Mode, 346
  Tunnel Mode, 346
IPSec ESP payload, 351-352
IPSec-enabled operating systems, 340
IPSec-enabled routers and firewalls, 340
K
key exchange, 344-345
key length, 353
keys, 302
Kismet, 527

L
L2TP, 341, 343, 351-352
LAN, 309-312
LAN-to-LAN routing, 110-111
LAN-to-WAN routing, 112-114
Layer 2 Forwarding Protocol (L2F), 341-342
Layer 2 Tunneling Protocol (L2TP), 341
LEAP, 529-530
link state routing, 122-123
Local Area Network. See: LAN
log, 416-418
log priority, 146
logging, 145-146
  ACL, 149-151
  anti-spoofing, 150
  buffered, 147-148
  configuring, 147-149
  console, 147
  syslog, 148-149
  terminal, 148
  VTY, 150-151

M
MAC, 15
man-in-the-middle attacks, 341-342
management tools, 345-346
Mandatory Access Control, 15. Also see: MAC
MD5, 353
metric, 120-124
Microsoft Management Console. See: MMC
microwave systems
  satellite, 455-456
  terrestrial, 454
microwave wireless media, 454
misuse, 373
misuse detection, 373
MMC, 304-306
  customized configuration, 307
multicast, 44-45

N
NetStumbler, 513-514
network, 33-34
network defense, 2
Network Monitor, 52-58
  Display view, 54-55
  filters, 55-57
network security
  five key issues, 3-5
network sensor, 375-376
network tap, 376
network-based design, 388
  distributed, 389-390
  traditional, 388-389
network-based intrusion detection, 387-388
non-repudiation, 3-5

O
OmniPeek Personal, 515-516
  captures, 517-520
  live captures, 521
Open Systems Interconnection. See: OSI
operating modes, 97
operational audit, 24
OSI model, 34-36
outside threats
  detecting, 394-395
P
packet, 34-36
packet filter, 134-135
packet filtering, 9
packet fragmentation, 74-75
PAP, 352-353
pass, 416-418
passive open connection, 48-50
passive threat, 5-6
Password Authentication Protocol, 352-353. Also see: PAP
passwords, 22
PEAP, 531-532
perimeter security, 9
PING capture, 76-78
plaintext, 302
Point-to-Point Tunneling Protocol (PPTP), 341
ports, 50-52
PPTP, 341, 342-343, 351-352
pre-configured rules, 425-426
prevention, 371
profile, 393-394
promiscuous mode, 58-59
protocol, 33-36

Q
QoS, 461

R
radio, 457-459
real-time analysis, 391-392
remote access, 338
remove unneeded services, 132-133
Request For Comments. See: RFC
Request-and-Respond policy, 325-326
  session analysis, 326-327
Request-only session analysis, 324-325
response, 371
RFC, 36
RIP, 124-125
RIPv2, 125-127
routed protocols, 119
router, 42-43
  access passwords, 99-100
  accessing, 96-97
  banners, 101
  navigating, 98
  user accounts, 100-101
routing, 42-43
  process, 114-116
  protocols, 119, 120-124
Routing Information Protocol. See: RIP
RSA SecureID token, 18-19
Rule Header, 416-418
Rule Options, 418-419
rule set testing, 421
ruleset examples, 419-420

S
SA, 344-345
Secure Server policy, 306-307, 309-312
Secure Shell, 342. Also see: SSH
security, 46-47
Security Association, 344-345. Also see: SA
Security Association API, 345-346
security audit, 24-25
security auditing basics, 23-24
security policies, 306-307
security protocols, 341
security threats, 5-6
security vulnerabilities, 373
sequence numbers, 47
server, 33-34
Server policy, 306-307
Service Set Identifier, 465. Also see: SSID
session teardown process, 64-65
SHA-1, 353
Shiva Password Authentication Protocol, 352-353. Also see: SPAP
Short Message Service, 459-460. Also see: SMS
signature analysis, 392
Simple Network Management Protocol. See: SNMP
site surveys, 512
small services, 131
SMS, 459-460
SNMP, 96-97
Snort, 404
  architecture, 405-406
  as a packet sniffer, 410-411
  as an IDS, 415
  deploying, 404
  function, 404-405
  installing, 406-408
  logging with, 414
Socks v5, 342
software tokens, 19
Software-based VPN applications, 339-340
source routing, 130
spread spectrum technology, 457-458
SSH, 103, 342
  client configuration, 106-107
  router configuration, 103-106
  verification, 105
SSID, 465
static routing, 116-118
statistical analysis, 393-394
subnet mask, 40-42
subnetting, 40-42
surveillance monitoring, 397
syslog logging, 148-149

T
TCP, 46-47
  connections, 63-64
  flags, 47
  headers, 70-72
TCP/IP model, 33-34
Telnet
  granting, 141
Temporal Key Integrity Protocol, 506. Also see: TKIP
terminal logging, 148
three-way handshake, 46-47
Time-based Tokens, 18-19
timestamp, 147
TKIP, 506
topology, 121
traceroute, 129-130
training, 9
transit network, 340
Transport mode, 302-303
  AH, 303
  ESP, 303
Trojan Horse, 50-52
true-negative, 373-375
true-positive, 373-375
tunnel, 340
  protocols, 340
Tunnel mode, 302-303
  AH, 303
  ESP, 303
tunneled data, 340
tunneling protocols, 341

U
UDP, 46-47
UDP headers, 73-74
unicast, 44-45

V
Variable Length Subnet Masking. See: VLSM
VLSM, 43-44
VPN
  client, 340
  client software, 340
  configuring, 354-359
  connection, 340
  dedicated gateways, 340
  design and architecture, 348
  elements, 340
  gateway, 346-347
  implementation challenges, 348-349
  security, 350
  server, 340
  types, 339-340
VPN fundamentals, 337
VPNs and firewalls, 351-352
VTY logging, 150-151
VTY password, 100
vulnerability scanners, 373

W
WAP, 462-464
war driving, 489
WEP, 494-501
  configuring, 501-504
  cryptography, 494-495
  decrypting, 523-526
  key lengths, 495-496
  process, 496-498
  weaknesses, 498-501
WEPCrack, 527
Wi-Fi Protected Access, 507-509. Also see: WPA
wildcard mask, 136-138
Wired Equivalent Privacy, 494-501. Also see: WEP
Wireless Access Points, 448-449
Wireless Application Protocol, 462-464. Also see: WAP
wireless auditing, 512-513
Wireless Markup Language, 462-464. Also see: WML
wireless media, 451-457
  infrared, 453-454
  radio, 457-459
wireless network cards, 449. Also see: WNICs
wireless networking
  access points, 448-449
  equipment, 448-451
wireless networks
  antennas, 449-451
  association, 451
  identifying, 514-515
  microwave technology, 454
  trusted, 528
Wireless Transport Layer Security, 491-493. Also see: WTLS
Wireshark, 513
  GUI, 59-63
WLANs
  ad-hoc mode, 466-467
  APs, 465
  associations, 466
  authentication, 466
  denial of service attacks, 490
  essentials, 465
  gaining access, 489-490
  infrastructure mode, 467-468
  threats, 488-490
  topologies, 466-468
WML, 462-464
WNIC chipsets, 513
WNICs, 449
WPA, 507-509
  configuring, 509
  hardware requirements, 508
  process, 507-508
  supplicants, 509-511
  vs. WEP, 508-509
WTLS, 491-493
  Alert Protocol, 493
  Application Protocol, 493
  authentication, 491
  Change Cipher Specific Protocol, 493
  components, 491
  handshake protocol, 491-493
  origins, 491

X
x-cast, 44-45