Tactical Perimeter Defense
Warren Peterson Warren Peterson is the President of Security Certified Program, LLC and the founder of the Security Certified Program. Mr. Peterson regularly delivers standing-room only security presentations for government and corporate clients on subjects ranging from general security to the threats of Cyber terrorism. Mr. Peterson is an accomplished and experienced teacher who holds many industry certifications. His training methods have earned him the utmost respect and recognition from both his students and his peers. Even many years after courses have ended, many of Mr. Peterson’s students from around the world stay in touch with him. Mr. Peterson has developed instructional curriculum for customized courses, such as courses for Microsoft, Cisco, CompTIA, and various security programs. In addition to writing for magazines, such as Certification Magazine, he is the lead author for the Security Certified Program courses, including: Network Security Fundamentals, Hardening the Infrastructure, Network Defense and Countermeasures, Tactical Perimeter Defense, Strategic Infrastructure Security, Advanced Security Implementation, and Enterprise Security Solutions. Mr. Peterson includes the following personal thanks: Thank you to my wife, Carin, you and our girls give me constant support, and I thank you for your devotion. You remind me daily
why teaching is so important. I love you deeply, and look forward to seeing you again now that this writing phase is over! Thank you to Waleed, you have been the foundation behind more positive change than I can describe, knowing you and working with you has been a true pleasure. Thanks to Gene, for your trusted advice and mentoring; to Mark, for your passion and enthusiasm (go have another coffee!); to Tracy, for your loyalty and friendship, which are unmatched; to Joe, for your professionalism, and desire for the best; to Dave, for always being there, even early in the morning.
And, thanks to Charles, Shrinath, and Robert, time has moved us apart, but you have each made an impression on me, and I thank you for that.
TACTICAL PERIMETER DEFENSE Course Number: SCPTPD20 Course Edition: 2.0 For software version: N/A
ACKNOWLEDGEMENTS Project Team Curriculum and Technical Writers: Warren Peterson and Clay Scott • Copy Editor: Carin Peterson • Reviewing Editor: Sandy Castle-Rhoads • Technical Editor: Tracy Richter • Quality Assurance Analyst: David Young • Graphic Designer: Mark Patrick
Project Support Development Assistance: Ben Tchoubineh
NOTICES DISCLAIMER: While Security Certified Program LLC takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy, and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Any name used in the data files for this course is that of a fictitious company. Any resemblance to current or future companies is purely coincidental. We do not believe we have used anyone’s name in creating this course, but if we have, please notify us and we will change the name in the next revision of the course. Security Certified Program LLC is an independent developer of courseware and certification programs for individuals, businesses, educational institutions, and government agencies. Use of screenshots, photographs of another entity’s products, or another entity’s product name or service in this book is for editorial purposes only. No such use should be construed to imply sponsorship or endorsement of the book by, nor any affiliation of such entity with Security Certified Program LLC. This courseware may contain links to sites on the Internet that are owned and operated by third parties (the “External Sites”). Security Certified Program LLC is not responsible for the availability of, or the content located on or through, any External Site. Please contact Security Certified Program LLC if you have any concerns regarding such links or External Sites. TRADEMARK NOTICES: The Security Certified Program, SCP, SCNS, SCNP, and SCNA are trademarks of The Security Certified Program, LLC in the U.S. and other countries; The Security Certified Program, SCP, SCNS, SCNP, products and services discussed or described may be trademarks of The Security Certified Program, LLC. All other product names and services used throughout this book may be common law or registered trademarks of their respective proprietors. Copyright © 2007 Security Certified Program, LLC. All rights reserved. Screenshots used for illustrative purposes are the property of the software proprietor. This publication or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, storage in an information retrieval system, or otherwise, without express written permission of Security Certified Program LLC, 825 West State Street, Suite 204, Geneva, Illinois 60134, USA. (630) 208-5030. Security Certified Program LLC’s World Wide Web site is located at: www.SecurityCertified.Net. This book conveys no rights in the software or other products about which it was written; all use or licensing of such software or other products is the responsibility of the user according to terms and conditions of the owner. Do not make illegal copies of books or software. If you believe that this book, related materials, or any other Security Certified Program LLC materials are being reproduced or transmitted without permission, please call 1-630-208-5030.
ii
Tactical Perimeter Defense
TACTICAL PERIMETER DEFENSE
CONTENT OVERVIEW
About This Course . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii Lesson 1: Network Defense Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Lesson 2: Advanced TCP/IP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Lesson 3: Routers and Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Lesson 4: Designing Firewalls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Lesson 5: Configuring Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Lesson 6: Implementing IPSec and VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299 Lesson 7: Designing an Intrusion Detection System . . . . . . . . . . . . . . . . . . . . . . . 369 Lesson 8: Configuring an IDS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403 Lesson 9: Securing Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447 Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Contents
iii
CONTENTS
TACTICAL PERIMETER DEFENSE
CONTENTS About This Course . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii Course Setup Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii How To Use This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xl
LESSON 1: NETWORK DEFENSE FUNDAMENTALS Topic 1A
Network Defense. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Five Key Issues of Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 The Threats to Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Defensive Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Defensive Strategy Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Task 1A-1 Identifying Non-repudiation Issues . . . . . . . . . . . . . . . . . . . 10
Topic 1B
10 10 11 11 12 12 13 14
Topic 1C
15 15 16 16 20
Topic 1D
21 21 21 22 22 22 23
Defensive Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Castle Analogy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Attacking the Castle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Castle’s Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Castle’s Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Castle’s Back Doors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Defense Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 1B-1 Describing the Layers of a Defended Network . . . . . . . . . . . .
Objectives of Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authentication Tokens. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 1C-1 Describing the Challenge Response Token Process . . . . . . . . .
The Impact of Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intrusion Detection Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Auditing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 1D-1 Describing the Problems of Additional Layers of Security . . . . .
Topic 1E
Network Auditing Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Security Auditing Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
iv
Tactical Perimeter Defense
Security Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Audit Trails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Handling and Preserving Audit Data. . . . . . . . . . . . . . . . . . . . . . . . . . . Legal Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 1E-1 Describing Network Auditing . . . . . . . . . . . . . . . . . . . . . . . Lesson Review 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
24 25 25 25 26 27
CONTENTS
LESSON 2: ADVANCED TCP/IP Topic 2A
33 36 36 40 42 42 43 44 44
Topic 2B
46 48 50 52 57 58 58 59 62 63 63 64 65
Topic 2C
Capturing and Identifying IP Datagrams . . . . . . . . . . . . . . . . 65 Task 2C-1 Capturing and Identifying IP Datagrams . . . . . . . . . . . . . . . . 67
Topic 2D
Capturing and Identifying ICMP Messages. . . . . . . . . . . . . . . 68 Task 2D-1 Capturing and Identifying ICMP Messages . . . . . . . . . . . . . . . 69
Topic 2E
Capturing and Identifying TCP Headers . . . . . . . . . . . . . . . . . 70 Task 2E-1 Capturing and Identifying TCP Headers. . . . . . . . . . . . . . . . . 72
Topic 2F
Capturing and Identifying UDP Headers . . . . . . . . . . . . . . . . 73 Task 2F-1 Working with UDP Headers . . . . . . . . . . . . . . . . . . . . . . . . . 73
Topic 2G
Analyzing Packet Fragmentation. . . . . . . . . . . . . . . . . . . . . . . 74 Task 2G-1 Analyzing Fragmentation . . . . . . . . . . . . . . . . . . . . . . . . . . 75
TCP/IP Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Function of IP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Subnet Mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 2A-1 Layering and Address Conversions . . . . . . . . . . . . . . . . . . . . Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VLSM and CIDR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X-casting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 2A-2 Routers and Subnetting . . . . . . . . . . . . . . . . . . . . . . . . . . .
Analyzing the Three-way Handshake . . . . . . . . . . . . . . . . . . . Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 2B-1 Using Network Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . Wireshark. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 2B-2 Installing and Starting Wireshark . . . . . . . . . . . . . . . . . . . . Wireshark Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 2B-3 Using Wireshark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . TCP Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 2B-4 Analyzing the Three-way Handshake . . . . . . . . . . . . . . . . . . The Session Teardown Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Task 2B-5 Analyzing the Session Teardown Process . . . . . . . . . . . . . . . .
Contents
v
CONTENTS
Topic 2H
Analyzing an Entire Session . . . . . . . . . . . . . . . . . . . . . . . . . . Task 2H-1 Performing a Complete ICMP Session Analysis . . . . . . . . . . . . Continuing the Complete Session Analysis . . . . . . . . . . . . . . . . . . . . . . Task 2H-2 Performing a Complete FTP Session Analysis . . . . . . . . . . . . . Lesson Review 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
76 76 79 80 92
LESSON 3: ROUTERS AND ACCESS CONTROL LISTS Topic 3A
Fundamental Cisco Security. . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Configuring Access Passwords. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 Task 3A-1 Configuring Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Creating User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Implementing Banners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 Implementing Cisco Banners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 Task 3A-2 Configuring Login Banners . . . . . . . . . . . . . . . . . . . . . . . . . 103 SSH Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 Router Configuration to use SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 Task 3A-3 Configuring SSH on a Router . . . . . . . . . . . . . . . . . . . . . . . 105 Task 3A-4 Configuring the SSH Client . . . . . . . . . . . . . . . . . . . . . . . . . 107
Topic 3B
Routing Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108 The ARP Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 LAN-to-LAN Routing Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 LAN-to-WAN Routing Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 Task 3B-1 Performing IP and MAC Analysis . . . . . . . . . . . . . . . . . . . . . 113 The Routing Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Static and Dynamic Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Comparing Routed Protocols and Routing Protocols . . . . . . . . . . . . . . 119 The Routing Protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 RIP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Task 3B-2 Viewing a RIP Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 RIPv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 Task 3B-3 Viewing a RIPv2 Capture . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Topic 3C
Removing Protocols and Services . . . . . . . . . . . . . . . . . . . . . .128 CDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 Task 3C-1 Turning Off CDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 Task 3C-2 Hardening ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 Source Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 Small Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 Finger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 Remaining Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 Task 3C-3 Removing Unneeded Services . . . . . . . . . . . . . . . . . . . . . . . 133 AutoSecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
vi
Tactical Perimeter Defense
Topic 3D
Creating Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . .134 Access Control List Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 The Access List Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 The Wildcard Mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 Task 3D-1 Creating Wildcard Masks . . . . . . . . . . . . . . . . . . . . . . . . . . 138
CONTENTS
Topic 3E
Implementing Access Control Lists . . . . . . . . . . . . . . . . . . . .138 Defending Against Attacks with ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . 142 Task 3E-1 Creating Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . 144 Context-based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Topic 3F
Logging Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145 Configuring Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 Task 3F-1 Configuring Buffered Logging . . . . . . . . . . . . . . . . . . . . . . . 149 ACL Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 Task 3F-2 Configuring Anti-spoofing Logging . . . . . . . . . . . . . . . . . . . 151 Lesson Review 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
LESSON 4: DESIGNING FIREWALLS Topic 4A
Firewall Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156 Firewall Methodologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 What a Firewall Cannot Do . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 Implementation Options for Firewalls. . . . . . . . . . . . . . . . . . . . . . . . . . 158 Task 4A-1 Firewall Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Topic 4B
Create a Firewall Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163 Task 4B-1 Creating a Simple Firewall Policy . . . . . . . . . . . . . . . . . . . . . 167
Topic 4C
Rule Sets and Packet Filters . . . . . . . . . . . . . . . . . . . . . . . . . .168 Stateless and Stateful Packet Inspection . . . . . . . . . . . . . . . . . . . . . . . 172 How Attackers Get Around Packet Filters . . . . . . . . . . . . . . . . . . . . . . . 175 Task 4C-1 Firewall Rule Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Topic 4D
Proxy Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176 Proxy Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Proxy Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Proxy Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Task 4D-1 Diagram the Proxy Process . . . . . . . . . . . . . . . . . . . . . . . . . 179
Topic 4E
The Bastion Host. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180 An Attack on the Bastion Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 Task 4E-1 Describing a Bastion Host . . . . . . . . . . . . . . . . . . . . . . . . . 182
Topic 4F
The Honeypot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182 What is a Honeypot? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 Goals of the Honeypot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Contents
vii
CONTENTS
Legal Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Task 4F-1 Honeypot Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Lesson Review 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
LESSON 5: CONFIGURING FIREWALLS Topic 5A
Understanding Firewalls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190 Address, Port, Protocol, and Services: The Building Blocks of Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Examining the Common Types of Firewalls . . . . . . . . . . . . . . . . . . . . . . 196 Building Firewall Rules to Control Network Communications. . . . . . . . 201 Common Firewall Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 Why Would I Want a Firewall on My Network? . . . . . . . . . . . . . . . . . . . 205 What Can a Firewall Not Protect You From? . . . . . . . . . . . . . . . . . . . . . 206 Things to Consider About Firewall Implementation . . . . . . . . . . . . . . . 207
Topic 5B
Configuring Microsoft ISA Server 2006 . . . . . . . . . . . . . . . . .210 Introduction to ISA Server 2006. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 Task 5B-1 Preparing for the ISA Server 2006 . . . . . . . . . . . . . . . . . . . . 212 ISA Server Installation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 214 Task 5B-2 Install Microsoft ISA Server 2006 . . . . . . . . . . . . . . . . . . . . 215 Configuring ISA Server 2006 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Task 5B-3 Exploring the Microsoft ISA Server 2006 Interface . . . . . . . . . 218 Exporting/Importing ISA Server 2006 Configurations as XML Files . . . 223 Task 5B-4 Exporting the Default Configuration . . . . . . . . . . . . . . . . . . 223 ISA Server 2006 Firewall Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224 Task 5B-5 Creating a Basic Access Rule . . . . . . . . . . . . . . . . . . . . . . . 226 ISA Server 2006 Access Rule Elements . . . . . . . . . . . . . . . . . . . . . . . . . 230 Task 5B-6 Creating a Protocol Rule Element . . . . . . . . . . . . . . . . . . . . 231 Task 5B-7 Creating a User Rule Element . . . . . . . . . . . . . . . . . . . . . . . 233 Content Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 Task 5B-8 Creating a Content Group Rule Element . . . . . . . . . . . . . . . . 234 ISA Server 2006 Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 Task 5B-9 Creating and Modifying Schedule Rule Elements. . . . . . . . . . . 236 Using Content Types and Schedules in Rules . . . . . . . . . . . . . . . . . . . . 237 Task 5B-10 Using Content Types and Schedules in Rules . . . . . . . . . . . . . 237 ISA Server 2006 Network Rule Elements. . . . . . . . . . . . . . . . . . . . . . . . 239 Task 5B-11 Creating a Network Rule Element . . . . . . . . . . . . . . . . . . . . 240 ISA Server Publishing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242 Task 5B-12 Configuring a Web Publishing Rule . . . . . . . . . . . . . . . . . . . 242 ISA Server 2006 Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245 Task 5B-13 Enabling and Configuring Caching . . . . . . . . . . . . . . . . . . . . 245 Configuring ISA Server 2006 Network Templates . . . . . . . . . . . . . . . . . 249 Task 5B-14 Install Second Microsoft Loop Back Adapter and Assign an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Task 5B-15 Configure ISA Server 2006 in a Three-legged DMZ . . . . . . . . . 251
viii
Tactical Perimeter Defense
Configuring ISA Server Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 Task 5B-16 Working with Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 Task 5B-17 Working with Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 ISA Server 2006 Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 Task 5B-18 Configuring Logging Options . . . . . . . . . . . . . . . . . . . . . . . 262 Additional Configuration Options for ISA Server 2006 . . . . . . . . . . . . . 265 Task 5B-19 Securing ISA Server 2006 with the Security Configuration Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Packet Prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Task 5B-20 Configuring Packet Prioritization. . . . . . . . . . . . . . . . . . . . . 268 Uninstalling ISA Server 2006 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 Task 5B-21 Uninstalling ISA Server 2006 . . . . . . . . . . . . . . . . . . . . . . . 270
CONTENTS
Topic 5C
IPTables Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271 Firewalling in Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 The Flow of the Chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 The iptables Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 Chain Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278 Rule Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 Rule Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 Other Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 Rule Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281 Creating a Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 Deleting a Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 Flushing a Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 Checking for Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 Negating Values. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283 Defining a Target. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 Complex Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 Configuring Masquerading. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285 Task 5C-1 Working with Chain Management . . . . . . . . . . . . . . . . . . . . 288
Topic 5D
Implementing Firewall Technologies . . . . . . . . . . . . . . . . . . .290 Lesson Review 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
LESSON 6: IMPLEMENTING IPSEC AND VPNS Topic 6A
Internet Protocol Security . . . . . . . . . . . . . . . . . . . . . . . . . . . .301 Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302 IPSec Implementation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303 Task 6A-1 Describing the Need for IPSec . . . . . . . . . . . . . . . . . . . . . . 304
Topic 6B
IPSec Policy Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . .304 The MMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304 Contents
ix
CONTENTS
Task 6B-1 Examining the MMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 IPSec Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306 Task 6B-2 Identifying Default IPSec Security Policies . . . . . . . . . . . . . . 306 Saving the Customized MMC Configuration . . . . . . . . . . . . . . . . . . . . . 307 Task 6B-3 Saving a Customized MMC . . . . . . . . . . . . . . . . . . . . . . . . . 307 The Secure Server (Require Security) Policy . . . . . . . . . . . . . . . . . . . . . 307 Task 6B-4 Examining Security Methods. . . . . . . . . . . . . . . . . . . . . . . . 308 The Rules Tab for the Secure Server (Require Security) Policy. . . . . . . 309 Task 6B-5 Examining Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Topic 6C
IPSec AH Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . .312 Creating Custom IPSec Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312 Task 6C-1 Creating the 1_REQUEST_AH(md5)_only Policy . . . . . . . . . . . 315 Editing Authentication Method Policies . . . . . . . . . . . . . . . . . . . . . . . . 317 Task 6C-2 Editing the 1_REQUEST_AH(md5)_only Policy . . . . . . . . . . . . 318 Setting Up the Computer’s Response . . . . . . . . . . . . . . . . . . . . . . . . . . 318 Task 6C-3 Configuring the Policy Response . . . . . . . . . . . . . . . . . . . . . 320 Configuring AH in Both Directions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321 Task 6C-4 Configuring the Second Computer . . . . . . . . . . . . . . . . . . . . 321 Configuring FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322 Task 6C-5 Setting Up the FTP Process . . . . . . . . . . . . . . . . . . . . . . . . 322 Implementing the IPSec Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 Task 6C-6 Implementing the 1_REQUEST_AH(md5)_only Policy. . . . . . . . 324 Request-only Session Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324 Task 6C-7 Analyzing the Request-only Session. . . . . . . . . . . . . . . . . . . 325 Implementing a Request-and-Respond Policy . . . . . . . . . . . . . . . . . . . 325 Task 6C-8 Configuring a Request-and-Respond IPSec Session . . . . . . . . . 325 Request-and-Respond Session Analysis . . . . . . . . . . . . . . . . . . . . . . . . 326 Task 6C-9 Analyzing the Request-and-Respond Session . . . . . . . . . . . . . 326
Topic 6D
Combining AH and ESP in IPSec . . . . . . . . . . . . . . . . . . . . . . .327 Task 6D-1 Creating the 5_REQUEST_AH(md5)+ESP(des) IPSec Policy and the Response Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327 Configuring the IPSec Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329 Task 6D-2 Creating the 5_RESPOND_AH(md5)+ESP(des) IPSec Policy . . . . 330 AH and ESP IPSec Session Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . 331 Task 6D-3 Configuring and Analyzing an IPSec Session Using AH and ESP . 331 Configuring All the Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333 Task 6D-4 Implementing the 7_REQUIRE_AH(sha)+ESP(sha+3des) Policy . 333 Configuring the AH-and-ESP IPSec Response Policy. . . . . . . . . . . . . . . 335 Task 6D-5 Implementing the 7_RESPOND_AH(sha)+ESP(sha+3des) Policy . 335 Implementing the Full IPSec Session . . . . . . . . . . . . . . . . . . . . . . . . . . 336 Task 6D-6 Implementing and Analyzing an AH(sha) and ESP(sha+3des) IPSec Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Topic 6E
VPN Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337 VPN Business Drivers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338 VPN Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
x
Tactical Perimeter Defense
VPN Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 Tunneling and Security Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341 Task 6E-1 Defining Tunneling Protocols . . . . . . . . . . . . . . . . . . . . . . . 341
CONTENTS
Topic 6F
Tunneling Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341 Point-to-Point Tunneling Protocol (PPTP) . . . . . . . . . . . . . . . . . . . . . . 342 Layer 2 Tunneling Protocol (L2TP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343 IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344 IPSec Tunnel and Transport Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346 IPSec and Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . 346 Task 6F-1 Assigning Tunneling Protocols . . . . . . . . . . . . . . . . . . . . . . 347
Topic 6G
VPN Design and Architecture. . . . . . . . . . . . . . . . . . . . . . . . . .348 VPN Implementation Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 Task 6G-1 Examining VPN-related RFCs . . . . . . . . . . . . . . . . . . . . . . . . 349
Topic 6H
VPN Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350 VPNs and Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 VPN Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352 Task 6H-1 Viewing Firewall-related RFCs . . . . . . . . . . . . . . . . . . . . . . . 353
Topic 6I
Configuring a VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .354 Task 6I-1 Configuring the VPN Server . . . . . . . . . . . . . . . . . . . . . . . . 354 VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359 Task 6I-2 Configuring VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . 359 Establishing the VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361 Task 6I-3 Establish the VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362 Returning the Classroom Setup to its Original State . . . . . . . . . . . . . . 364 Task 6I-4 Restoring the Classroom Setup . . . . . . . . . . . . . . . . . . . . . . 364 Lesson Review 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
LESSON 7: DESIGNING AN INTRUSION DETECTION SYSTEM Topic 7A
The Goals of an Intrusion Detection System . . . . . . . . . . . . .371 What is Intrusion Detection? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371 Some Intrusion Detection Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 373 The IDS Matrix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373 IDS Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375 Realistic Goals of IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376 Task 7A-1 Describing Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Topic 7B
Technologies and Techniques of Intrusion Detection . . . . . .377 The Intrusion Detection Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378 Behavioral Use. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379 Information Collection and Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . 382 Task 7B-1 Discussing IDS Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Contents
xi
CONTENTS
Topic 7C
Host-based Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . .384 Host-based IDS Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 Centralized Host-based IDS Design. . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 Distributed Host-based IDS Design. . . . . . . . . . . . . . . . . . . . . . . . . . . . 386 Task 7C-1 Describing Centralized Host-based Intrusion Detection . . . . . . 387
Topic 7D
Network-based Intrusion Detection . . . . . . . . . . . . . . . . . . . .387 Network-based IDS Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388 Traditional Network-based IDS Design . . . . . . . . . . . . . . . . . . . . . . . . . 388 Distributed Network-based IDS Design. . . . . . . . . . . . . . . . . . . . . . . . . 389 Task 7D-1 Discussing Sensor Placement . . . . . . . . . . . . . . . . . . . . . . . 390
Topic 7E
The Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391 When to Analyze . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391 Interval Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391 Real-time Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391 How to Analyze . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 Signature Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 An Example Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 Statistical Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393 Task 7E-1 Discussing Data Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Topic 7F
How to Use an IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394 Detection of Outside Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394 Detection of Inside Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396 Anticipation of Attack Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397 Surveillance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397 Task 7F-1 Discussing Intrusion Detection Uses . . . . . . . . . . . . . . . . . . 397
Topic 7G
What an IDS Cannot Do . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .398 Provide the Magic Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398 Manage Hardware Failures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398 Investigate an Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398 100 Percent Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399 Task 7G-1 Discussing Incident Investigation . . . . . . . . . . . . . . . . . . . . 399 Lesson Review 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
LESSON 8: CONFIGURING AN IDS Topic 8A
Snort Foundations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404 Snort Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404 How Snort Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404 Snort Fundamentals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Topic 8B
Snort Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406 Task 8B-1 Installing Snort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407 Common Snort Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
xii
Tactical Perimeter Defense
Task 8B-2 Initial Snort Configuration . . . . . . . . . . . . . . . . . . . . . . . . 408 Using Snort as a Packet Sniffer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Task 8B-3 Capturing Packets with Snort . . . . . . . . . . . . . . . . . . . . . . . 411 Task 8B-4 Capturing Packet Data with Snort . . . . . . . . . . . . . . . . . . . . 413 Task 8B-5 Logging with Snort. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
CONTENTS
Topic 8C
Snort as an IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415 It’s All in the Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416 Snort Rule IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420 Task 8C-1 Creating a Simple Ruleset . . . . . . . . . . . . . . . . . . . . . . . . . 421 Task 8C-2 Testing the Ruleset. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421 More Rule Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422 Pre-configured Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425 Task 8C-3 Examining Pre-configured Rules . . . . . . . . . . . . . . . . . . . . . 426 Examine Denial of Service Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426 Task 8C-4 Examining DDoS Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . 427 Examine Backdoor Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427 Task 8C-5 Examining Backdoor Rules . . . . . . . . . . . . . . . . . . . . . . . . . 427 Examine Web Attack Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428 Task 8C-6 Examining Web Attack Rules . . . . . . . . . . . . . . . . . . . . . . . 428 Examine Web IIS Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429 Task 8C-7 Examining IIS Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Topic 8D
Configuring Snort to Use a Database . . . . . . . . . . . . . . . . . . .430 Snort Output Plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430 Configure Snort to Use a Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430 Task 8D-1 Editing Snort.Conf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431 Installing MySQL for Snort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431 Task 8D-2 Installing MySQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431 Task 8D-3 Creating the Snort Database . . . . . . . . . . . . . . . . . . . . . . . . 432 MySQL User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433 Task 8D-4 Creating MySQL User Accounts . . . . . . . . . . . . . . . . . . . . . . 433 Snort to Database Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433 Task 8D-5 Testing the New Configuration . . . . . . . . . . . . . . . . . . . . . . 434 Snort as a Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434 Task 8D-6 Configuring Snort as a Service . . . . . . . . . . . . . . . . . . . . . . 434
Topic 8E
Running an IDS on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435 LAMP On SuSe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435 Task 8E-1 Installing LAMP Components . . . . . . . . . . . . . . . . . . . . . . . 436 Apache and PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436 Task 8E-2 Apache and PHP Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 Enable Snort on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438 Task 8E-3 Configure Snort on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . 438 Configuring MySQL on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438 Task 8E-4 Configuring MySQL for Snort. . . . . . . . . . . . . . . . . . . . . . . . 439 Connecting Snort to a Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Contents
xiii
CONTENTS
Task 8E-5 Testing Snort Connectivity to the Database. . . . . . . . . . . . . . 440 Installing ADOdb and BASE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 Task 8E-6 Downloading ADOdb and BASE . . . . . . . . . . . . . . . . . . . . . . 441 Task 8E-7 Installing ADOdb and BASE . . . . . . . . . . . . . . . . . . . . . . . . 441 Configuring BASE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442 Task 8E-8 Configuring BASE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442 Task 8E-9 Configuring the Firewall to Allow HTTP . . . . . . . . . . . . . . . . 443 Generating Snort Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443 Task 8E-10 Generating Portscan Snort Events . . . . . . . . . . . . . . . . . . . . 443 Task 8E-11 Generating Web Snort Events . . . . . . . . . . . . . . . . . . . . . . . 444 Lesson Review 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
LESSON 9: SECURING WIRELESS NETWORKS Topic 9A
Wireless Networking Fundamentals . . . . . . . . . . . . . . . . . . . .448 Wireless Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448 Wireless Media. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451 Task 9A-1 Examining Satellite Orbits . . . . . . . . . . . . . . . . . . . . . . . . . 456 Radio Wireless Media. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457 Bluetooth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459 Short Message Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459 IEEE 802.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460 Wireless Application Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462 Task 9A-2 Choosing a Wireless Media . . . . . . . . . . . . . . . . . . . . . . . . . 464
Topic 9B
Wireless LAN (WLAN) Fundamentals . . . . . . . . . . . . . . . . . . .465 Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466 WLAN Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466 Lesson Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468 Prepare for the Ad-hoc Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468 Task 9B-1 Installing the Linksys WPC54G WNIC . . . . . . . . . . . . . . . . . . 469 Configure the Second WNIC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471 Task 9B-2 Installing the Netgear WPN511 . . . . . . . . . . . . . . . . . . . . . . 471 Enable the Ad-Hoc Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474 Task 9B-3 Enabling the Ad-Hoc Network . . . . . . . . . . . . . . . . . . . . . . . 474 802.11 Framing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476 Access Point Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 Task 9B-4 Installing the Linksys WAP54G Access Point . . . . . . . . . . . . . 482 Configure the Infrastructure Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . 485 Task 9B-5 Configuring the Linksys Client . . . . . . . . . . . . . . . . . . . . . . 485 Adding Infrastructure Network Clients . . . . . . . . . . . . . . . . . . . . . . . . . 487 Task 9B-6 Configuring the Netgear Client . . . . . . . . . . . . . . . . . . . . . . 487 WLAN Threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
xiv
Tactical Perimeter Defense
Topic 9C
Wireless Security Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . .490 Wireless Transport Layer Security (WTLS) . . . . . . . . . . . . . . . . . . . . . . . 491 Fundamental Access Point Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 493 Wired Equivalent Privacy (WEP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494 Configure WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501 Task 9C-1 Installing the Netgear WPN824 Access Point . . . . . . . . . . . . . 502 Establishing the WEP Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504 Task 9C-2 Configuring WEP on the Network Client . . . . . . . . . . . . . . . . 505 Temporal Key Integrity Protocol (TKIP) . . . . . . . . . . . . . . . . . . . . . . . . 506 Extensible Authentication Protocol (EAP) . . . . . . . . . . . . . . . . . . . . . . 506 Wi-Fi Protected Access (WPA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507 Configure WPA2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509 Task 9C-3 Configure WPA2 on the Access Point . . . . . . . . . . . . . . . . . . 509 Supplicants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509 Task 9C-4 Configuring WPA2 on the Network Client . . . . . . . . . . . . . . . 510 802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
CONTENTS
Topic 9D
Wireless Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .512 Wireshark. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513 NetStumbler. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513 Task 9D-1 Installing NetStumbler . . . . . . . . . . . . . . . . . . . . . . . . . . . 514 Identify Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514 Task 9D-2 Identifying Wireless Networks . . . . . . . . . . . . . . . . . . . . . . 515 OmniPeek Personal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515 Task 9D-3 Installing OmniPeeK Personal . . . . . . . . . . . . . . . . . . . . . . . 516 WildPackets Drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517 OmniPeek Personal Captures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517 Task 9D-4 Viewing OmniPeek Personal Captures . . . . . . . . . . . . . . . . . . 517 Live Captures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521 Task 9D-5 Viewing Live OmniPeek Personal Captures . . . . . . . . . . . . . . . 521 Non-802.11 Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522 Task 9D-6 Analyze Upper Layer Traffic . . . . . . . . . . . . . . . . . . . . . . . . 522 Decode WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 Task 9D-7 Decrypting WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 Aircrack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526 WEPCrack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527 AirSnort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527 Ekahau . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527 Kismet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Topic 9E
Wireless Trusted Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . .528 802.1x and EAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528 EAP Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529 Lightweight EAP (LEAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529 EAP with Transport Layer Security (EAP-TLS) . . . . . . . . . . . . . . . . . . . . 530 EAP with Tunneled Transport Layer Security (EAP-TTLS) . . . . . . . . . . . 531 Protected EAP (PEAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531 Contents
xv
CONTENTS
EAP Type Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532 Wireless Trusted Network Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . 533 Task 9E-1 Choosing a Wireless Trusted Network . . . . . . . . . . . . . . . . . . 533 Lesson Review 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .537 Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .543
xvi
Tactical Perimeter Defense
ABOUT THIS COURSE This course is the official courseware for the Security Certified Program SC0-451 certification exam. The Tactical Perimeter Defense course is designed to provide network administrators and certification candidates with hands-on tasks on the most fundamental perimeter security technologies. The network perimeter is often the first line of defense in an organization’s network, and this course covers the issues every administrator must be familiar with.
ABOUT THIS COURSE
What is the Security Certified Program (SCP)? Security Certified Program is both our company name and our program name. Security Certified Program, LLC a Chicago-based security training organization, has created the Security Certified Program (SCP) to help develop and validate your skills as a computer and network security professional. The SCP courses and certifications are designed not just around knowledge-based theory, like so many others, rather around the actual technical skills required by practitioners. The SCP structure is unique as it measures competence in core security skills as well as skills needed for specific security technologies, such as Packet Structure, Signature Analysis, Operating System Hardening, Router Security, Firewalls, Virtual Private Networks (VPNs), Intrusion Detection, Risk Analysis, Wireless Security, Digital Signatures and Certificates, Cryptography, Biometrics and Network Forensics. The SCP certifications include three vendor-neutral security certifications. The first certification is the Security Certified Network Specialist (SCNS), the next certification is Security Certified Network Professional (SCNP), and the third is Security Certified Network Architect (SCNA).
About This Course
xvii
The Security Certified Program Certification Path What is SCNS? The SCNS (Security Certified Network Specialist) is the SCP’s core certification. The primary focus is on the defense of the perimeter. This certification covers the core security technologies used in defending today’s business environments, including the following: Network Defense Fundamentals, Advanced TCP/IP, Router Security and Access Control Lists, Designing & Configuring Firewalls, Configuring Virtual Private Networks, Designing & Configuring Intrusion Detection Systems, and Securing Wireless Networks. What kind of experience do I need before I go for my SCNS? Before you begin the SCNS certification track, it is recommended that, at a minimum, you attain CompTIA’s Security+ certification or have equivalent training with hands-on experience. The SCNS training and certification build on concepts and skills covered in the Security+ certification. xviii
Tactical Perimeter Defense
How do I become SCNS certified? The SCNS certification is comprised of one exam, titled: Tactical Perimeter Defense (TPD). To become SCNS certified, candidates must complete this exam with a passing score. The TPD exam uses exam number: SC0-451. It is strongly recommended that candidates study this official courseware extensively, and implement the hands-on tasks repeatedly, before taking the exams. What are exams like? The exams are multiple-answer, often scenario-based tests. The TPD exam has 60 questions and the candidate has 90 minutes to complete the exam. At the time of this publication, the exam breakdown was as follows: Examination Domain
Percentage
1.0 – Network Defense Fundamentals 2.0 – Hardening Routers and Access Control Lists 3.0 – Implementing IPSec and Virtual Private Networks 4.0 – Advanced TCP/IP 5.0 – Security Wireless Networks 6.0 – Designing and Configuring Intrusion Detection Systems 7.0 – Designing and Configuring Firewall Systems
5% 10% 10% 15% 15% 20% 25%
Note that SCP exams are updated regularly to reflect changes in the network security industry. It is strongly recommended that potential candidates review the exam objectives at www.securitycertified.net/certifications.htm How do I take the exams? The SCP exams are available at any Prometric or VUE Testing center in over 7,400 locations around the world. There are several ways to register for SCP exams. To register for SCP exams over the Internet, visit Prometric at www.prometric.com/SCP or VUE at www. vue.com/scp/ and create and account with the vendor of your choice (if you don’t already have one). For International Exam Registration, please check with your preferred vendor’s Web site for more information. During the exam: • Read questions carefully. Don’t jump to any conclusions! •
Skip questions that you are unsure of, and come back to them at the end.
•
If you have time remaining, you will be given the opportunity to review your answers. Be sure to do so, and make sure you didn’t make any obvious mistakes.
•
If you come back to a question and are not sure about an answer, remember that your first hunch is more often correct than your second-choice answer (after overanalyzing the question)!
•
Be sure to answer all questions; unanswered questions count against your score, so if you don’t have an answer, try to eliminate any options that you know are wrong and make a best guess from whatever remains.
About This Course
xix
On your exam day, try to arrive 15 minutes early so you do not feel rushed or stressed by being late. This will also give you a few minutes to review any notes before beginning your exam. However, as the SCP exams are closed-book, notes or calculators may not be brought into the testing station and will have to be left with the facility’s faculty. Will my certificate expire? Yes. As technologies in the security field are constantly changing, your SCNS certificate will be valid for two years starting on the date you pass the Tactical Perimeter Defense exam. Candidates who have received their SCNS credential will need to retake the TPD exam before their SCNS certification expires. Candidates who are recertifying will be able to do so at a discounted exam rate. For more information on the current SCNS re-certification exam rate please email
[email protected]. What if I want to go further? After you have become SCNS-certified you will have the option of furthering your skills by moving on to the next level of SCP certification, the Security Certified Network Professional (SCNP) certificate. The Security Certified Network Professional (SCNP) certification is focused on infrastructure technologies. SCNP builds upon the security concepts and technologies covered in Tactical Perimeter Defense (TPD). The SCNP course, Strategic Infrastructure Security (SIS) covers several critical areas – Cryptography, Operating System Security (Windows 2003 and SuSe Linux), Attack Techniques, Internet and WWW Security, Risk Analysis, Security Policy Creation, and Analysis of Intrusion Signatures. To become a Security Certified Network Professional (SCNP), candidates must successfully pass one exam and hold a current Security Certified Network Specialist (SCNS) certification. Security Certified Program’s third certification is Security Certified Network Architect (SCNA). SCNA deals with more advanced security skills and concepts. Many enterprises are trying to integrate Digital Signatures, Digital Certificates, and Biometric and Smart Card Authentication systems into their infrastructures. These technologies are vital for businesses as they look to integrate their partners and suppliers into their business structures and provide real-time information and services to their customers. SCNA is about the fundamentals of building a trusted network, strong authentication techniques, encryption, biometrics, smart cards, and network forensics. SCNA includes two courses, Advanced Security Implementation (ASI) and Enterprise Security Solutions (ESS). Each course is a 40-hour program, and the content and hands-on labs are structures to develop the skills required by today’s top security experts. To become a Security Certified Network Architect (SCNA), candidates must pass two exams. The first is Enterprise Security Implementation (ESI), which covers the concepts and lab work covered in both the ASI and ESS courses, and the second is The Solutions Exam (TSE); which will cover all facets of technologies covered in all of the SCP courses. How do I prepare for the exam? The TPD exam will require that you be familiar with many technologies and utilities that are covered in this book. Further, the test was authored with the
xx
Tactical Perimeter Defense
intention that people who have not become familiar with the technologies and utilities covered will not find it as easy to pass the exam as those who have used the program and technologies in question. What does all this mean? It means that you really should use the utilities and programs that are covered here, rather than just read about them. You should become very familiar with all of the tasks in this book. If possible, create a home lab with at least two machines, and practice—repeatedly—the hands-on tasks in this book. Even using what you learned to help secure your own home network from hosts on the Internet will help you prepare for the exam Studying for the exam: 1. Read the book from start to finish completing all the tasks even if you are familiar with the technology in question. You never know when some new facet of a technology or program may be brought up and many of the lessons build upon the previous ones and it is easy to miss something if you skip around. 2.
Be sure to complete all hands-on tasks. Again, the SCP exams are based on knowledge and hands-on experience! Once you have completed a task, do it again until you are very comfortable with that task.
3.
Be sure to answer Topic Review questions within each lesson. Make note of the questions you answered incorrectly and study the appropriate sections again.
4.
Before taking the SCP exams, it is recommended that you take the practice exams available through MeasureUp. More information on officially recommended practice exams is available at: www.securitycertified.net/practice_ tests.htm.
But perhaps the best way to make sure that you reach your goal is to register for the exam and stick to the date you set forth. Nothing keeps you on your toes and working toward a goal like a deadline! Honestly measure your skills, make your study schedule, and set the date that you will be ready to take the exam and register for it. Practice exams The only provider of practice exams authorized and recommended by the creators of the SCP is MeasureUp. For more information visit www.securitycertified.net/ practice_tests.htm for more information. Contact Information The Security Certified Program US: 800-869-0025 International: 630-208-5030 Email:
[email protected] Website: www.SecurityCertified.Net
Course Prerequisites To ensure your success, we recommend that you have CompTIA’s Security+ certification, or have equivalent experience. This course assumes that the reader has fundamental working knowledge of networking concepts, and foundational security knowledge.
About This Course
xxi
Course Objectives When you’re done working your way through this course, you’ll be able to: •
Describe the core issues of building a perimeter network defense system.
•
Investigate the advanced concepts of the TCP/IP protocol suite.
•
Secure routers through hardening techniques and configure Access Control Lists.
•
Design and configure multiple firewall technologies.
•
Examine and implement IPSec and Virtual Private Networks.
•
Design and configure an Intrusion Detection System.
•
Secure wireless networks through the use of encryption systems.
COURSE SETUP INFORMATION Hardware and Software Requirements To run this course, you will need: •
Student machines, one per student, recommended minimum specifications: Pentium 4, 2.0 GHz processor. 512 MB of RAM. 50 GB hard drive. DVD-ROM drive. NIC, capable of promiscuous mode support. Integrated video card, capable of 32-bit video.
During the lesson on VPN, machines that are designated as VPN servers will require two network cards. Integrated and/or non-integrated network cards will work.
xxii
Tactical Perimeter Defense
•
Instructor machine, same configuration as student machines.
•
Three Cisco routers, 2500 Series preferred (used from a reseller is fine), running IOS 12.2 or greater, with IPSec/SSH support.
•
One Cisco console cable.
•
Two serial cables.
•
DCE to DTE, for connecting routers.
•
Three switches/hubs, 10/100 Mbps.
•
The firewall lesson will require Microsoft ISA Server 2006. This must be downloaded as a 180-day trial from Microsoft, or full ISA Server software must be provided for students.
•
During the VPN lesson, machines designated as VPN servers will require two NICs. The NICs can be either integrated or non-integrated.
•
During the VPN lesson, the instructor machine will need to be running the FTP Service. You may enable the service during your initial setup, or during the VPN lesson, as you prefer.
•
For class preparation, you will need the following tools. Note, where the tools are available as per open source licensing, they have been included on the course CD-ROM, all other tools should be downloaded and put in the
correct folder. All these tools should be copied to the C:\Tools or /Tools directories on your Windows and Linux systems accordingly. Lesson
Tool
Download Source
Lesson 2
WinPcap_4_0.exe wireshark-setup-0.99.5.exe tftp.cap fragment.cap ping.text ping.cap ftp.txt ftp.cap puTTY.exe ping_arp.mac.cap rip.update.cap ripv2withAuthentication.cap ISA Server 2006
SCNS Book CD SCNS Book CD SCNS Book CD SCNS Book CD SCNS Book CD SCNS Book CD SCNS Book CD SCNS Book CD SCNS Book CD SCNS Book CD SCNS Book CD SCNS Book CD www.microsoft.com/isaserver/prodinfo/ default.mspx SCNS Book CD SCNS Book CD SCNS Book CD SCNS Book CD SCNS Book CD SCNS Book CD SCNS Book CD SCNS Book CD SCNS Book CD www.omnipeek.com/downloads.php SCNS Book CD SCNS Book CD
Lesson 3
Lesson 5
Lesson 6
Lesson 8
Lesson 9
ISAScwHlpPack.exe rfc-index.wri rfc2547.txt rfc2979.txt Snort_2_6_1_2_Installer Snort Rules mysql-essential-5.0.27-win32 adodb493a.tgz base-1.2.7.tar.gz WildPackets_OmniPeek_Personal41 dotnetfx.exe NetStumbler
•
In this course, there are several wireless components utilized. Each training location can decide if they wish to acquire this equipment or use the content as the learning source. The equipment used in this lesson is:
—
Two laptops running Windows XP.
—
One Linksys WPC54G NIC and associated set-up CD-ROM.
—
One Netgear WPN511 NIC and associates set-up CD-ROM.
—
One Linksys WAP54G access point and associated set-up CD-ROM.
—
One Netgear WPN824 access point and associated set-up CD-ROM.
Class Requirements In order for the class to run properly, perform the procedures described below. Before you begin actually setting up the class, here are some recommendations for the classroom configuration and hardware preparation.
About This Course
xxiii
Recommendations for hardware preparation: •
The hardware requirements are listed earlier in this course. It is not advisable to use systems that do not meet these requirements.
•
It is recommended that all the computers be of the same or similar hardware configuration.
•
Configure the BIOS so that the boot order is 1: DVD-ROM, 2: floppy drive (if present), and 3: hard drive. Protect the student machines with a BIOS password.
Classroom Configuration The following graphic shows the recommended classroom configuration. Use this figure in conjunction with the IP addressing and naming schemes described in the following section.
Figure 0-1: Recommended classroom setup.
IP Addressing and Computer Naming Scheme Refer to the classroom configuration for the recommended IP addressing and computer naming schemes for this course. Use this pattern to develop the names and addresses for all machines, as required. The routers divide the classroom into two halves, LEFT and RIGHT, with the CENER router controlled by the instructor. The LEFT side is configured for subnet 172.16.0.0/16, the CENTER is configured for subnet 172.17.0.0/16, and the RIGHT side is configured for subnet 172.18.0.0/16. Students should have the passwords for the LEFT and RIGHT routers, as per their location in the classroom, but do not need the password for the CENTER router. This course uses two base operating systems, Windows Server 2003 and SuSe Linux Enterprise Server 10. Each machine will dual-boot to these two systems, using the name and IP addresses as per the following table.
xxiv
Tactical Perimeter Defense
Part of Classroom
Windows Name
Linux Name
IP Address
Default Gateway
LEFT LEFT LEFT RIGHT RIGHT RIGHT CENTER
WIN-L01 WIN-L02 WIN-L03 WIN-R01 WIN-R02 WIN-R03 WIN-C01
LIN-L01 LIN-L02 LIN-L03 LIN-R01 LIN-R02 LIN-R03 LIN-C01
172.16.10.1 172.16.10.2 172.16.10.3 172.18.10.1 172.18.10.2 172.18.10.3 172.17.10.1
172.16.0.1 172.16.0.1 172.16.0.1 172.18.0.1 172.18.0.1 172.18.0.1 172.17.0.1
Installing Windows 2003 R2 1.
Turn on the computer and insert the Windows Server 2003 R2 disc 1 into the CD-ROM drive.
2.
When the screen prompts to BOOT FROM CD press any key to continue booting. (Note, your system might boot automatically.)
3.
At the Windows 2003 Setup Screen, certain files will begin to load independently.
4.
At the Windows 2003 Standard Edition Setup screen, press Enter to set up Windows Server 2003.
5.
Read the Licensing Agreement, and then press F8 to accept the agreement.
6.
Windows 2003 Standard Edition Setup screen will reappear, press C to create a partition.
7.
In the Create Partition Of Size (In MB) text box type 25000 and press Enter.
8.
To set up Windows on the newly-created partition, select the new partition, and press Enter.
9.
Select Format The Partition Using The NTFS File System (default) and press Enter. After the partition has been formatted and files copied, the computer will reboot.
10. Windows Server 2003 will continue installation independently. You will be able to see the approximate time it will take to complete installation on the left side of your screen. 11. Windows Server 2003 will install devices independently. The screen may flash, or flicker, for several seconds during this process. 12. For Regional And Language Options, select your settings, and then click Next. 13. In the Personalize Your Settings screen, in the Name text box, type TEST, in the Organization text box, type SCP and click Next. 14. When prompted, enter the product key and click Next. About This Course
xxv
15. In the Licensing Modes screen, select the Per Device Or Per User radio button, and then click Next. 16. In the Computer Name dialog box, type WIN-XXX (replace XXX with your seat number, or as your instructor defines). The Administrator Password should be left blank, then click Next. 17. If the password is left blank, a screen will appear to confirm that you wish to leave the password blank, click Yes. (Note, the password is left blank for running the class, you would always have a password in a production environment.) 18. In the Date And Time Settings screen, select your time zone, set the date and time, and click Next. 19. Windows 2003 will begin installing network configurations. 20. In the Windows Server 2003 Setup Network Settings screen, select Typical Settings. Click Next. 21. In the Windows Server 2003 Setup Workgroup or Computer Domain screen, select Workgroup and then click Next. 22. Windows Server 2003 will finalize installation and reboot the computer independently. 23. After the system reboots, press Ctrl+Alt+Delete. 24. In the Log On To Windows screen, type Administrator and leave the password blank. Click OK. 25. The Personalized Setting will finalize independently. 26. When prompted, insert the Windows Server 2003 disc 2 into the CD-ROM drive and click OK. 27. In the Windows Server 2003 R2 Setup Wizard screen, click Next when prompted. (Note, do not check the box to create a desktop shortcut.) 28. In the Setup Summary screen, click Next to copy the files. 29. Windows Server 2003 will update your system independently. 30. In the Completing Windows Server 2003 R2 Setup screen, click Finish. 31. In the Windows Server Post-Setup Security Updates screen, click Finish. 32. When the Windows Server 2003 Post-Setup Security Updates screen appears, click Yes to close this dialog box. 33. Ensure that the Don’t Display This Page At Logon check box is not checked. 34. Close the Manage Your Server window. 35. Choose Start→Control Panel→Network Connections→Local Area Connection. xxvi
Tactical Perimeter Defense
36. Select TCP/IP and click Properties. 37. Select the Use The Following IP Address radio button. 38. In the IP Address text box type 172.X.X.X(your instructor will inform you what to enter in the last three octets based on your seat number). On the left side, your IP will be 172.16.x.x and on the right side, your IP will be 172. 18.x.x. 39. In the Subnet Mask text box, type 255.255.0.0 40. In the Default Gateway text box, type 172.16.0.1 if you are on the left side and type 172.18.0.1 if you are on the right side (if you are unsure, ask your instructor which side you are on). 41. In the Preferred DNS Server text box, type 127.0.0.1 and click OK twice. 42. If you receive the Pop-Up Warning, click Yes. 43. Close the Local Area Connection Properties screen.
Installing Network Monitor 1.
Choose Start→Control Panel→Add Or Remove Programs.
2.
Click the Add/Remove Windows Components button.
3.
In the Windows Components Wizard window, scroll down the list and highlight the Management And Monitoring Tools option.
4.
Click the Details button.
5.
Check the Network Monitor Tools check box and click OK.
6.
In the Windows Components Wizard window, click Next.
7.
If prompted to insert the CD, do so now and click OK. If you are not prompted for the CD, move on to the next step.
8.
Click Finish once the install has completed.
9.
Close the Add Or Remove Programs window.
10. Remove the Windows 2003 Server disc from your CD-ROM drive.
Installing Additional Tools for Windows 2003 Server 1.
Insert the SCP Tools & Resources disc that was provided with your book into your CD-ROM drive.
2.
Open the CD to show its contents.
3.
Create a folder on the Windows partition C:\Tools.
4.
Copy the files on the CD to C:\Tools.
About This Course
xxvii
Installing SUSE Linux Enterprise Server 10 1.
The installation of SUSE LINUX ENTERPRISE 10 must be done after the installation of Windows Server 2003.
2.
Insert the SUSE Linux Enterprise Server (SLES) 10 disc into the DVDROM drive.
3.
Restart the computer with the SLES disc in the drive. This will begin the installation.
4.
At the initial SLES install screen, select the Installation option, and press Enter. This step may take a few minutes while files are copied.
5.
Select your language option and click Next. These steps are based on English (US).
6.
Read the License Agreement, select the Yes, I Agree To The License Agreement radio button, and click Next.
7.
Leave the radio button selected for New Installation and click Next.
8.
Select your Region and Time Zone, and click Next.
9.
Accept the default installation settings, and click Accept.
10. Read the prompt about formatting your partitions, then click Install. 11. While the files are loading, you can watch the progress bar on the right side of the screen. This will note the approximate time remaining to finish the installation. (Note: Based on your system, this make take many minutes.) 12. When the files have finished loading, your system may reboot. Remove the disc from the DVD-ROM drive. If you do not remove the disc, the system will re-enter install mode. 13. At the boot loader, select the SUSE Linux Enterprise Server 10 line, and press Enter. The install process will continue. 14. Enter LIN-XXX as your Hostname. Replace XXX with your seat number in the class. For example, LIN-L01 or LIN-R03. 15. Enter SCPXXX as your Domain Name. Replace XXX to match your seat number in the class as in the previous step. For example, SCPL01 or SCPR03. 16. Once the Hostname and Domain name are entered, click Next. 17. Enter QWERTY1 as the password, and confirm the password in the second text box. Click Next. 18. The Network Configuration screen will take a moment as Linux determines your system configuration. Once complete, click Network Interfaces to edit the settings on your NIC. 19. To manually configure your NIC, click the Edit button.
xxviii
Tactical Perimeter Defense
20. With the Address tab active, select the Static Address Setup radio button. 21. In the IP Address text box, type 172.x.x.x (your instructor will inform you what to enter in the last three octets, it is based on your seat in the classroom. If you are on the left side, this will be 172.16.x.x, and if you are on the right side, this will be 172.18.x.x.) 22. Change the subnet mask to 255.255.0.0, and then click the Routing button. 23. In the Default Gateway text box, type 172.16.0.1 if you are on the left side of the network, and type 172.18.0.1 if you are on the right side of the network. If you are unsure, please ask your instructor prior to entering any DG addresses. 24. Once the Default Gateway address is entered, click OK, and then click Next. 25. At the Network Card Configuration Overview, verify your IP Address and Subnet Mask, and then click Next. 26. At the Network Configuration screen, click Next. Networking services will now be installed and configured. 27. Select the No, Skip This Test radio button, and click Next. 28. Accept the default CA Management Installation Settings, and click Next. 29. Accept the default Authentication Method Of Local (/etc/passwd), and click Next. 30. In the New Local User screen, enter the following information: •
User’s Full Name: SCP Test User
•
Username: test1
•
Password: 1test
•
Confirm Password: 1test
Click Next. 31. The system will now perform clean up of the installation. Read through the Release Notes, and then click Next. 32. Accept the default Hardware Configuration as it is detected, and click Next. If your system does not properly detect your hardware, you will need to locate the correct Linux drivers for your hardware. This setup guide does not include non-detected hardware environments. 33. The final setup files will be configured. Once done, you will see the Installation Completed screen. Click Finish to exit the Setup and log in to Linux. 34. After the files load, you will be at the login prompt. Enter root as the Username, and press Enter. 35. Enter QWERTY1 as the password, and press Enter. The default files will load, and you will now be logged into SUSE Linux Enterprise 10. About This Course
xxix
Installing Additional Tools for SUSE Linux Enterprise Server 10 1.
Insert the SCP Tools & Resources disc that was provided with your book into your CD-ROM drive.
2.
Open the CD to show its contents.
3.
Use the Nautilus File Manager and navigate to the / directory.
4.
Create a folder labeled Tools.
5.
Copy the files from the CD to the /Tools folder.
Configuring Cisco Routers Three Cisco routers are used in the classroom. The course is written based on the Cisco 2500 series, specifically the 2501, running IOS version 12.2 (with IPSec and SSH support). These routers can be easily found by many authorized resellers, and while they are not the most current Cisco routers, they work very well for the purposes of this class. There is no need to purchase or use newer routers for the classroom, but you are welcome to do so, if you so desire. During the configuration or the CENTER router, you must enter the IP Address for the gateway for the classroom. This is to allow Internet Access for the classroom, and you must configure the CENTER router as per your environment, if Internet Access is to be granted. Extensive routing configurations beyond what is listed here is not required for the class. • The LEFT router is for one half of the class to connect through. It should have the following configuration: —
Hostname and Routername: LEFT
—
Access List Configuration: Access-list 123 deny tcp any any eq 25 Access-list 123 permit ip any any INT S0: ip access-group 123 in
•
The CENTER router is for the Instructor to connect to the class. It should have the following configuration: —
Hostname and Routername: CENTER
—
Access List Configuration: Access-list 155 deny tcp any any eq 20 Access-list 155 deny tcp any any eq 21 Access-list 155 permit ip any any INT S0: ip access-group 155 in INT S1: ip access-group 155 in
•
The RIGHT router is for the other half of the class to connect through. It should have the following configuration: —
Hostname and Routername: RIGHT
—
Access List Configuration: Access-list 145 deny tcp any any eq 25 Access-list 145 permit ip any any INT S1: ip access-group 145 in
xxx
Tactical Perimeter Defense
The detailed configuration procedures are listed here in three main categories: •
Physical configuration
•
Router setup
•
Access list configuration
Physical Router Configuration The LEFT router is to be connected to the CENTER router via a Cisco serial cable. The RIGHT router is also to be connected to the CENTER router via a Cisco serial cable. All Ethernet connections are to be made through standard 10/100 BaseT cables.
1.
Study the class setup diagram provided in Classroom Configuration.
2.
Physically connect the three routers to each other, using serial crossover cables, so that the router designated as CENTER controls the clock rate. To do this, connect the DCE end of the serial cable to the serial interfaces on the CENTER router and the DTE ends to the LEFT’s and RIGHT’s appropriate serial interfaces.
3.
Connect the Ethernet interface on the CENTER router to the instructor machine via a crossover Ethernet cable.
4.
Connect the Ethernet interfaces on the LEFT and RIGHT routers to their respective hubs serving their side of the classroom.
Before You Start the Router Setup All routers should be cleared of any configs before setting up the class. If you have a configured router but you don’t know the password, perform the following steps: 1.
Console into the router.
2.
Enter the sh ver command, and record the configuration register setting (usually 0x2102).
3.
Power down the router, and then power it back up.
4.
After the amount of main memory is displayed, press the Break key (or Ctrl+Break). You should see the > prompt with no router name.
5.
Enter o/r 0x42 to boot from flash or o/r 0x41 to boot from the CD-ROM. Typically, you would boot from flash if it were intact.
6.
Enter i to force the router to reboot and ignore its saved config. About This Course
xxxi
7.
Answer no to all setup questions.
8.
When the Router> prompt is displayed, enter enable to switch to enable mode. The Router# prompt should now be displayed. Once you are in enable mode, you can view and change the password, and you can erase the config.
9.
To view the password, enter show config at the Router# prompt.
10. To change the password, from the Router# prompt: a.
Enter config mem to copy NVRAM to mem.
b.
Enter wr term
c.
Enter config term to enter config mode. The Router(config)# prompt is now displayed.
d.
If an enable secret password is set, enter enable secret newpassword or if there is no enable secret password, enter enable password newpassword where newpassword is the new password you want to use.
e.
To exit config mode press Ctrl+Z. The Router# prompt is now displayed.
f.
Enter write mem to commit the changes to mem. You should now be able to console in and configure the router.
11. To erase the config, from the Router# prompt: a.
Enter write erase
b.
Enter config term to enter config mode. The Router(config)# prompt is now displayed.
c.
Enter config-register 0x2102 or whatever the configuration register setting was when you began.
d.
To exit config mode, press Ctrl+Z. The Router# prompt is now displayed.
e.
Enter reload
f.
When you are prompted to save the modified system configuration, enter y
g.
When you are prompted to proceed with the reload, enter y
Setup for CENTER Router The CENTER router is used by the instructor to connect to the rest of the class. To set up the CENTER router:
xxxii
Tactical Perimeter Defense
1.
Boot up the router and console into it. You should be prompted to enter the initial configuration dialog. (If you are not, follow the procedures listed previously in the “Before You Start the Router Setup” section.)
2.
When you are prompted: a.
To enter the initial configuration dialog, enter y
b.
To enter basic management setup, enter n
c.
As to whether you want to see the current interface summary, press Enter.
d.
To enter the host name for [Router], enter CENTER
e.
To enter the enable secret password, enter instructor
f.
To enter the enable password, enter cisco1
g.
To enter the virtual terminal password, enter 2501
h.
To configure SNMP network management, enter n
i.
To configure LAT, enter n
j.
To configure bridging, press Enter to accept the default of No.
k.
To configure AppleTalk, press Enter to accept the default of No.
l.
To configure DECnet, press Enter to accept the default of No.
m. To configure IP, press Enter to accept the default of Yes. n.
To configure IGRP routing, enter n
o.
To configure RIP routing, enter y
p.
To configure CLNS, press Enter to accept the default of No.
q.
To configure IPX, press Enter to accept the default of No.
r.
To configure Vines, press Enter to accept the default of No.
s.
To configure XNS, press Enter to accept the default of No.
t.
To configure Apollo, press Enter to accept the default of No.
u.
If you are prompted to configure BRI, select switch type 0.
v.
To configure the Ethernet0 interface, press Enter to accept the default of Yes.
w.
To configure IP on this interface, press Enter to accept the default of Yes.
x.
For the IP address for this interface, enter 172.17.0.1
y.
For the subnet mask for this interface, press Enter to accept the default of 255.255.0.0.
z.
To configure the Serial0 interface, press Enter to accept the default of Yes.
aa. To configure IP on this interface, press Enter to accept the default of Yes. ab. To configure IP unnumbered on this interface, press Enter to accept the default of No. ac. For the IP address for this interface, enter 192.168.20.2 ad. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0. ae. To configure the Serial1 interface, press Enter to accept the default of Yes. af. To configure IP on this interface, press Enter to accept the default of Yes. ag. To configure IP unnumbered on this interface, press Enter to accept the default of No. ah. For the IP address for this interface, enter 192.168.10.2 ai.
For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.
About This Course
xxxiii
aj.
If you are prompted to configure any other serial interfaces, enter n until a configuration command script is generated, and you are prompted to make a selection regarding the next action.
ak. To enter your selection, press Enter to accept the default of 2. You should see a message indicating that the router is building the configuration. When the configuration build is complete, an OK message is displayed. al.
To press RETURN to get started, press Enter. The CENTER> prompt should now be displayed.
3.
At the CENTER> prompt, enter en to activate enable mode.
4.
When you are prompted for the password, enter instructor and the CENTER# prompt should now be displayed.
5.
At the CENTER# prompt, enter conf t to enter config mode. The CENTER(config)# prompt should now be displayed.
6.
At the CENTER(config)# prompt:
7.
8.
9.
a.
Enter no ip domain lookup
b.
Enter int s0 and the CENTER(config-if)# prompt should now be displayed.
At the CENTER(config-if)# prompt: a.
Enter no shut
b.
Enter clo ra 4000000
c.
Enter ban 10000000
d.
Enter int s1
e.
Enter no shut
f.
Enter clo ra 4000000
g.
Enter ban 10000000
h.
Enter exit and the CENTER(config)# prompt is now displayed.
At the CENTER(config)# prompt: a.
Enter ip route 0.0.0.0 0.0.0.0 a.b.c.d (note – you must replace a.b.c.d with the gateway to get out of the network to the Internet).
b.
Enter exit and the CENTER# prompt is now displayed.
At the CENTER# prompt: a.
Enter sh run and you should see a message indicating that the router is building the configuration.
b.
Enter copy ru st
10. When you are prompted for a destination filename, press Enter to accept the default of startup-config. You should again see a message indicating that the router is building the configuration.
xxxiv
Tactical Perimeter Defense
Setup for LEFT Router The LEFT router is used by half of the students to connect to the rest of the class. To set up the LEFT router: 1.
Boot up the router and console into it. You should be prompted to enter the initial configuration dialog. (If you are not, follow the procedures listed previously in the “Before You Start the Router Setup” section.)
2.
When you are prompted: a.
To enter the initial configuration dialog, enter y
b.
To enter basic management setup, enter n
c.
As to whether you want to see the current interface summary, press Enter.
d.
To enter the host name for [Router], enter LEFT
e.
To enter the enable secret password, enter cisco
f.
To enter the enable password, enter cisco1
g.
To enter the virtual terminal password, enter 2501
h.
To configure SNMP network management, enter n
i.
To configure LAT, enter n
j.
To configure bridging, press Enter to accept the default of No.
k.
To configure AppleTalk, press Enter to accept the default of No.
l.
To configure DECnet, press Enter to accept the default of No.
m. To configure IP, press Enter to accept the default of Yes. n.
To configure IGRP routing, enter n
o.
To configure RIP routing, enter y
p.
To configure CLNS, press Enter to accept the default of No.
q.
To configure IPX, press Enter to accept the default of No.
r.
To configure Vines, press Enter to accept the default of No.
s.
To configure XNS, press Enter to accept the default of No.
t.
To configure Apollo, press Enter to accept the default of No.
u.
If you are prompted to configure BRI, select switch type 0.
v.
To configure the Ethernet0 interface, press Enter to accept the default of Yes.
w.
To configure IP on this interface, press Enter to accept the default of Yes.
x.
For the IP address for this interface, enter 172.16.0.1
y.
For the subnet mask for this interface, press Enter to accept the default of 255.255.0.0.
z.
To configure the Serial0 interface, press Enter to accept the default of Yes.
aa. To configure IP on this interface, press Enter to accept the default of Yes. ab. To configure IP unnumbered on this interface, press Enter to accept the default of No. About This Course
xxxv
ac. For the IP address for this interface, enter 192.168.10.1 ad. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0. ae. To configure the Serial1 interface, enter n af. If you are prompted to configure any other serial interfaces, enter n until a configuration command script is generated, and you are prompted to make a selection regarding the next action. ag. To enter your selection, press Enter to accept the default of 2. You should see a message indicating that the router is building the configuration. When the configuration build is complete, an OK message is displayed. ah. To press RETURN to get started, press Enter. The LEFT> prompt should now be displayed. 3.
At the LEFT> prompt, enter en to activate enable mode.
4.
When you are prompted for the password, enter cisco and the LEFT# prompt should now be displayed.
5.
At the LEFT# prompt, enter conf t to enter config mode. The LEFT(config)# prompt should now be displayed.
6.
At the LEFT(config)# prompt:
7.
8.
9.
a.
Enter no ip domain lookup
b.
Enter int s0 and the LEFT(config-if)# prompt should now be displayed.
At the LEFT(config-if)# prompt: a.
Enter no shut
b.
Enter ban 10000000
c.
Enter exit and the LEFT(config)# prompt is now displayed.
At the LEFT(config)# prompt: a.
Enter ip route 0.0.0.0 0.0.0.0 192.168.10.2
b.
Enter exit and the LEFT# prompt is now displayed.
At the LEFT# prompt: a.
Enter sh run and you should see a message indicating that the router is building the configuration.
b.
Enter copy ru st
10. When you are prompted for a destination filename, press Enter to accept the default of startup-config. You should again see a message indicating that the router is building the configuration.
Setup for RIGHT Router The RIGHT router is used by half of the students to connect to the rest of the class. To set up the RIGHT router:
xxxvi
Tactical Perimeter Defense
1.
Boot up the router and console into it. You should be prompted to enter the initial configuration dialog. (If you are not, follow the procedures listed previously in the “Before You Start the Router Setup” section.)
2.
When you are prompted: a.
To enter the initial configuration dialog, enter y
b.
To enter basic management setup, enter n
c.
As to whether you want to see the current interface summary, press Enter.
d.
To enter the host name for [Router], enter RIGHT
e.
To enter the enable secret password, enter cisco
f.
To enter the enable password, enter cisco1
g.
To enter the virtual terminal password, enter 2501
h.
To configure SNMP network management, enter n
i.
To configure LAT, enter n
j.
To configure bridging, press Enter to accept the default of No.
k.
To configure AppleTalk, press Enter to accept the default of No.
l.
To configure DECnet, press Enter to accept the default of No.
m. To configure IP, press Enter to accept the default of Yes. n.
To configure IGRP routing, enter n
o.
To configure RIP routing, enter y
p.
To configure CLNS, press Enter to accept the default of No.
q.
To configure IPX, press Enter to accept the default of No.
r.
To configure Vines, press Enter to accept the default of No.
s.
To configure XNS, press Enter to accept the default of No.
t.
To configure Apollo, press Enter to accept the default of No.
u.
If you are prompted to configure BRI, select switch type 0.
v.
To configure the Ethernet0 interface, press Enter to accept the default of Yes.
w.
To configure IP on this interface, press Enter to accept the default of Yes.
x.
For the IP address for this interface, enter 172.18.0.1
y.
For the subnet mask for this interface, press Enter to accept the default of 255.255.0.0.
z.
To configure the Serial0 interface, enter n
aa. To configure the Serial1 interface, press Enter to accept the default of Yes. ab. To configure IP on this interface, press Enter to accept the default of Yes. ac. To configure IP unnumbered on this interface, press Enter to accept the default of No. ad. For the IP address for this interface, enter 192.168.20.1 ae. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0. About This Course
xxxvii
af. If you are prompted to configure any other serial interfaces, enter n until a configuration command script is generated, and you are prompted to make a selection regarding the next action. ag. To enter your selection, press Enter to accept the default of 2. You should see a message indicating that the router is building the configuration. When the configuration build is complete, an OK message is displayed. ah. To press RETURN to get started, press Enter. The RIGHT> prompt should now be displayed. 3.
At the RIGHT> prompt, enter en to activate enable mode.
4.
When you are prompted for the password, enter cisco and the RIGHT# prompt should now be displayed.
5.
At the RIGHT# prompt, enter conf t to enter config mode. The RIGHT(config)# prompt should now be displayed.
6.
At the RIGHT(config)# prompt:
7.
8.
9.
a.
Enter no ip domain lookup
b.
Enter int s1 and the RIGHT(config-if)# prompt should now be displayed.
At the RIGHT(config-if)# prompt: a.
Enter no shut
b.
Enter ban 10000000
c.
Enter exit and the RIGHT(config)# prompt is now displayed.
At the RIGHT(config)# prompt: a.
Enter ip route 0.0.0.0 0.0.0.0 192.168.20.2
b.
Enter exit and the RIGHT# prompt is now displayed.
At the RIGHT# prompt: a.
Enter sh run and you should see a message indicating that the router is building the configuration.
b.
Enter copy ru st
10. When you are prompted for a destination filename, press Enter to accept the default of startup-config. You should again see a message indicating that the router is building the configuration.
Configuring the Access Lists After the initial router setup and the basic configuration have been completed on all three routers, you need to enter the access lists for each of the routers. To do so: 1.
xxxviii
Tactical Perimeter Defense
To complete the LEFT Router Access Lists:
2.
3.
a.
At the LEFT# prompt, enter conf t to switch to config mode. The LEFT(config)# prompt is now displayed.
b.
At the LEFT(config)# prompt, enter access-list 123 deny tcp any any eq 25
c.
At the LEFT(config)# prompt, enter access-list 123 permit ip any any
d.
At the LEFT(config)# prompt, enter int S0 to configure the interface. The LEFT(config-if)# prompt is now displayed.
e.
At the LEFT(config-if)# prompt, enter ip access-group 123 in
f.
At the LEFT(config-if)# prompt, press Ctrl+Z to leave config mode. The LEFT# prompt is now displayed.
g.
At the LEFT# prompt, enter copy ru st and save the configuration changes to startup-config.
To complete the RIGHT Router Access Lists: a.
At the RIGHT# prompt, enter conf t to switch to config mode. The RIGHT(config)# prompt is now displayed.
b.
At the RIGHT(config)# prompt, enter access-list 145 deny tcp any any eq 25
c.
At the RIGHT(config)# prompt, enter access-list 145 permit ip any any
d.
At the RIGHT(config)# prompt, enter int S1 to configure the interface. The RIGHT(config-if)# prompt is now displayed.
e.
At the RIGHT(config-if)# prompt, enter ip access-group 145 in
f.
At the RIGHT(config-if)# prompt, press Ctrl+Z to leave config mode. The RIGHT# prompt is now displayed.
g.
At the RIGHT# prompt, enter copy ru st and save the configuration changes to startup-config.
To complete the CENTER Router Access Lists: a.
At the CENTER# prompt, enter conf t to switch to config mode. The CENTER(config)# prompt is now displayed.
b.
At the CENTER(config)# prompt, enter access-list 155 deny tcp any any eq 20
c.
At the CENTER(config)# prompt, enter access-list 155 deny tcp any any eq 21
d.
At the CENTER(config)# prompt, enter access-list 155 permit ip any any
e.
At the CENTER(config)# prompt, enter int S1 to configure the S1 interface. The CENTER(config-if)# prompt is now displayed.
f.
At the CENTER(config-if)# prompt, enter ip access-group 155 in
g.
At the CENTER(config-if)# prompt, enter int S0 to configure the S0 interface.
h.
At the CENTER(config-if)# prompt, enter ip access-group 155 in
i.
At the CENTER(config-if)# prompt, press Ctrl+Z to leave config mode. The CENTER# prompt is now displayed.
About This Course
xxxix
j. 4.
At the CENTER# prompt, enter copy ru st and save the configuration changes to startup-config.
Test the classroom setup, and troubleshoot as necessary. Once physical connectivity issues have been sorted out, you should be able to ping from one side of the classroom to the other. Specifically, the instructor machine should be able to ping every student machine and vice versa. Student machines from the left side of the classroom should be able to ping student machines on the right side of the classroom and vice versa.
List of Additional Files Printed with each lesson is a list of files students open to complete the tasks in that lesson. Many tasks also require additional files that students do not open, but are needed to support the file(s) students are working with. These supporting files are included with the student data files on the course CD-ROM or data disk. Do not delete these files.
HOW TO USE THIS BOOK You can use this book as a learning guide, a review tool, and a reference.
As a Learning Guide Each lesson covers one broad topic or set of related topics. Lessons are arranged in order of increasing proficiency with Tactical Perimeter Defense; skills you acquire in one lesson are used and developed in subsequent lessons. For this reason, you should work through the lessons in sequence. We organized each lesson into explanatory topics and step-by-step activities. Topics provide the theory you need to master Tactical Perimeter Defense, activities allow you to apply this theory to practical hands-on examples. You get to try out each new skill on a specially prepared sample file. This saves you typing time and allows you to concentrate on the technique at hand. Through the use of sample files, hands-on activities, illustrations that give you feedback at crucial steps, and supporting background information, this book provides you with the foundation and structure to learn about Tactical Perimeter Defense quickly and easily.
As a Review Tool Any method of instruction is only as effective as the time and effort you are willing to invest in it. For this reason, we encourage you to spend some time reviewing the book’s more challenging topics and activities.
As a Reference You can use the Concepts sections in this book as a first source for definitions of terms, background information on given topics, and summaries of procedures.
xl
Tactical Perimeter Defense
About This Course
xli
xlii
Tactical Perimeter Defense
Network Defense Fundamentals
LESSON
1 Data Files none
Overview
Lesson Time 2 hours
In this lesson, you will be introduced to the core concepts of network security. You will examine the technologies of defending a network, and how those technologies may be used to create a layered defense of the network. You will also identify the foundations of network auditing.
Objectives To define the concepts of defending a modern complex network, you will: 1A
Describe the five keys of network security. Given a network scenario, you will describe how the five keys of network security are integrated in a modern operational network.
1B
Describe the concepts of defensive technologies in creating a layered defense. Given a network analogy of a fortified castle, you will identify the function of defensive technologies in creating a secure layered defense.
1C
Describe the objectives of access control methods. Given a network scenario, you will describe the available access control methods and how they are implemented in the defense of the network.
1D
Identify the impact of a layered defense on the performance of the network. Given a network where a layered defensive system has been implemented, you will identify the performance impact of each layer on accessing resources in the network.
1E
Define concepts of auditing in a network. Given a network scenario, you will examine the concepts of network auditing, including handling of data and types of audits.
Lesson 1: Network Defense Fundamentals
1
Topic 1A Network Defense
network: Two or more machines interconnected for communications.
threat: The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest. A potential violation of security.
security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.
network security: Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network perform its critical functions correctly and there are no harmful side effects. Network security includes providing for data integrity.
2
Tactical Perimeter Defense
In today’s world, it is getting easier for attackers to infiltrate private networks. They have access to more tools, more powerful computers, and there are more networks to target. Sadly, many organizations simply do not take this threat seriously. They do not see the driving force to create a secure network. They do not see the need to spend money on a defense for their electronic assets. But the need is very real. Every year, the Computer Security Institute (CSI), and the Federal Bureau of Investigations (FBI), perform a survey of businesses, looking into the financial losses for theft of proprietary information, and other losses. Although only a handful of companies who participate in this survey have estimated their losses, the number has been in the tens to hundreds of millions of dollars. What makes these numbers even more serious is the fact that these are voluntary reports, and only a small number of businesses are involved. Many organizations are not eager, even in an anonymous setting, to disclose any losses due to computer crime. Even so, there is an obvious pattern here. The attacks against networks are getting more serious—with a greater loss to the business world than ever before. Even as organizations start to become more security conscious, the number of attackers grows. Clearly, defense is needed, and it is needed now. Network systems allow the enterprise to access information technology assets by authorized users quickly through seemingly secure methods. But as remote sites get interconnected through the Internet using non-dedicated lines to enterprise networks, many unauthorized users get connected and have access as well. Users may be naive at times about network security, because the assumption is often made that systems are needed, and are operational, to do their jobs. If they are on, some assume, they are secure. But administrators know that security is a real issue to address and no assumptions are going to make network security magically happen. They know that carefully planned steps must be taken to build a secure network system environment, where business transactions and support functions can occur within a system built on trust. They should have complete confidence in security. Network security must become a strategic initiative within the enterprise. It must begin as an integral part of the strategic planning process that leads to strategic action plans, resulting in budgeted tactical projects to initiate and implement network security. The defense of the network starts with the basic security issues all networks must address. These key issues are detailed in upcoming sections.
Five Key Issues of Network Security The five key issues of network security are: •
Authorization and availability
•
Authentication
•
Confidentiality
•
Integrity
•
Non-repudiation
Authorization and Availability First and foremost, network security systems must be operationally available in order to control who has access to what information technology (IT) assets, resources, files, directories, and processes within the network. The security must limit user privileges to minimize the risk of unauthorized access to sensitive information and areas of the network that only authorized users should be allowed to access. Additionally, it must make network systems available through the diligent exercise of security, but never hinder the performance of the network system to serve the authorized user. Authorization and availability also create system assurance, which ensures that: • Systems are available with required functionality present and correctly configured for implementation on an ongoing basis. •
There are adequate controls to protect against unauthorized user access and unintentional errors by users or software.
•
There are security measures in place to deter or stop intentional exploits by attackers.
availability: Assuring information and communications services will be ready for use when expected.
Assurance is absolutely necessary because without it, the other objectives of security will be difficult to meet. However, assurance cannot be a one-time promise but must be an ongoing effort to be most effective.
Authentication After controlling who has access, even authorized users must be authenticated to verify and prove their identity. Authentication verifies users to be who they say they are. In data communications, authenticating the sender is necessary to verify that the data came from the right source. The receiver is authenticated, as well, to verify that the data is going to the right destination. Public Key Infrastructure (PKI), is one of the best ways to ensure authentication through digital certificates and digital signatures. The number of factors used to show the identity of the user through authentication or proving the identity of the user through strong authentication determines how effective authentication can be. The three factors are: • One-factor authentication provides what you know—such as a password or PIN. It is strictly based on recalling a piece of information from one’s own memory or from writing it down (but that would defeat the purpose of providing only authorized access to networks based on using a password). •
authentication: To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.
Two-factor authentication provides what you have in addition to what you know. Examples are a proximity card for door entry or an ATM card with a PIN. An RSA SecureID Token used in conjunction with a pass code, or a
Lesson 1: Network Defense Fundamentals
3
smart card that may carry all your security credentials in a secure way with a PIN used to access the credentials are the second factors. •
The third factor that provides strong authentication is proving the user’s identity, or who you are, by using biometrics. Biometrics uses a physiological characteristic to identify you, such as a fingerprint, retina scan, hand geometry, voice recognition, iris scan, or behavioral characteristics, such as keystroke recognition or signature recognition. It results in strong authentication, because users not only verify their digital identity through what they know and what they have, but they are proving their physical identity by verifying their biometric characteristics.
Confidentiality
confidentiality: Assuring information will be kept secret, with access limited to appropriate persons.
firewall: A system or combination of systems that enforces a boundary between two or more networks. Gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based Unix box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.
hacker: A person who enjoys exploring the details of computers and how to stretch their capabilities. A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn the necessary minimum.
4
Tactical Perimeter Defense
Data communications, as well as email, needs to be protected for privacy and confidentiality. Network security must provide a secure channel for the transmission of data and email that does not allow eavesdropping by unauthorized users. Data confidentiality ensures the privacy of data on the network system. PKI can provide what is required to ensure the confidentiality and privacy of communications and data transmissions across networks. The following are the four basic types of information or data that require confidentiality: • Information that reveals technical data or source information. For example, the model number and software version of your firewall should be kept confidential because divulgence may give a potential attacker/hacker a way to an advantage to exploit your system. •
Information that may be time dependent. It may only be confidential for a given amount of time and then may not have any significance as private information after that, but until then must be kept confidential.
•
Information that may reveal organizational or systems relationships that through divulgence may give unauthorized users a channel for social engineering exploits or other opportunities.
•
Information that is private and confidential in its own right. Information that may be crucial in the operations of the enterprise and divulgence would surely give an attacker an easy exploitation opportunity.
Integrity Integrity is a security principle that ensures the continuous accuracy of data and information stored within network systems. Continuity of data integrity is paramount. Data must be kept from unauthorized modification, forgery, or any other form of corruption, regardless of whether these are from malicious threats or corruption that is accidental in nature. Upon receiving the email or data communication, integrity must be verified to ensure that the message has not been altered, modified, or added to or subtracted by unauthorized users while in transit. Again, PKI will ensure the integrity of messages through digital certificates and message digests. Integrity has two main objectives: •
Data integrity ensures that the data has not been altered in an unauthorized manner while in transit, during storage, or while being processed.
•
System integrity ensures that a system, while performing its intended processes and applications, provides support to authorized users free from unauthorized manipulation.
integrity: Assuring information will not be accidentally or maliciously altered or destroyed.
Non-repudiation Security must be established to prevent parties in a data transaction from denying their participation after the business transaction has occurred. Through PKI, the sender as well as the receiver are authenticated with regard to their respective identities, as well as tamperproof time stamping of the transaction, to ensure nonrepudiation from both parties. This establishes accountability for the transaction itself for all parties involved in the transaction. The three types of repudiation (or denial) to prevent are: • Repudiation of origin by the message creator who denies ever creating or writing the message itself. •
Repudiation of receipt by the receiver who denies ever receiving the message even after receiving it.
•
Repudiation of submission as to the time and date of the actual submission. The time stamp will help in non-repudiation for submission.
non-repudiation: Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender’s identity, so that neither can later deny having processed the data.
The Threats to Security Threats can come from myriad sources in our connected world. The Internet is not the only threat. An organization has to consider employees, contractors, and even the cleaning staff! Any of these people could potentially be a threat, and cause damage.
Lesson 1: Network Defense Fundamentals
5
Malicious threats are intentional in nature and can come from either internal or external users. When unauthorized users make attempts to find vulnerabilities in a network system and find them, they present themselves as a malicious threat trying to get access by whatever means available. A successful unauthorized access event is called an active threat. The malicious threat has now gained unauthorized access into your network and will exploit whatever assets can be accessed. Once accessed, the exploit can manifest itself as a passive or an active threat. • As a passive threat, the accessed data is viewed or intercepted but not modified. It does not change the operation of or the state of the system. passive threat: The threat of unauthorized disclosure of information without changing the state of the system. A type of threat that involves the interception, not the alteration, of information.
breach: The successful defeat of security controls which could result in a penetration of the system. A violation of controls of a particular information system such that information assets or system components are unduly exposed.
•
If the data is intercepted and modified by an unauthorized user, it is said to be an active threat. It may also change the operation of or state of the system itself.
Whether accidental or malicious, the threat can come from either internal or external users and may be authorized or unauthorized users. Surveys have consistently shown that of all respondents who reported a security breach within the past year, close to 60 percent of these breaches were caused by inside users accessing unauthorized resources, and over 40 percent blamed accounts left open after an employee had left the company. Of all respondents, 20 percent reported that their companies were victims of an attempted or successful break-in by an angry former employee. Also, during most economic slowdowns, companies lay off employees in increasing numbers each week. Such breaches will only get worse during these periods. Network security administrators must: • Realize how to minimize, or mitigate, the effects of current and future threats upon their network. •
Realize what defensive strategies and techniques must be implemented to keep networks secure. This should be done to ensure the privacy, confidentiality, and protection of sensitive data and information technology assets.
Defensive Strategies If all threats to a network system were known, as well as all the vulnerabilities of the system itself, then a specific defensive posture could be deployed to guard and secure the system. It could even be a static defensive posture with definitive controls in place because the exact threat would be known. Perimeter security using a firewall is a good example of a static defensive posture. The threat is assumed to be known and rules are generated to allow the firewall to work. Unfortunately, if the threat is not known, any such assumptions can be fatal to the network. Administrators must take into consideration the following points when addressing and creating a defensive posture for the enterprise network.
Defense-in-Depth Defense-in-Depth states that all information technology assets within a protected network need to have the necessary amount of security protection to guard against direct attacks at whatever level the asset resides within the network. The assumption cannot be made that a firewall or some sort of all-encompassing perimeter security is enough to protect all information technology assets within the network.
6
Tactical Perimeter Defense
Active Defense-in-Depth An Active Defense-in-Depth is necessary as a defensive posture to think creatively and counter any and every threat, whether known or unknown. It is an active defense that changes its defensive posture based on the threat. Its defensive assets are able to flex in any direction, based on the disposition of the threat. The basis for Active Defense-in-Depth are the concepts of Defense-in-Depth. The requirement for securing network systems and their information technology assets against all current and future threats compels us to use multiple layers of security techniques that provide overlapping protection against attackers, hackers, and any other malicious threat that may attempt an exploit. This is a core requirement for any network taking active measures to protect its assets. This strategy not only recognizes the value of Defense-in-Depth, which states that every information technology asset within the network must have its own necessary and adequate protection, but that it is an active defense that takes whatever actions necessary to stop the threat by the utilization of multiple layers of security to include firewalls, intrusion detection, monitoring devices, and other techniques for network security. It recognizes that due to the highly interactive nature of the various systems and networks, any single system cannot be secured adequately unless all interconnecting systems are also secured adequately. It must take into consideration the context of a shared-risk environment that dictates protection of IT systems at all levels, because of the interactive and interconnected nature of today’s systems and networks. The strategy calls for use of multiple, overlapping protection approaches to ensure that the failure or bypass of any individual protection approach will not leave the system unprotected. Through user training and awareness, well thoughtout and planned policies, procedures and processes, as well as redundancy of protection mechanisms, the Active Defense-in-Depth strategy ensures the effective protection of information technology assets so the objective and purpose of the mission can be accomplished. An Active Defense-in-Depth utilizes the concept of addressing the largest vulnerability or the most dangerous threat first. The additional layers of security can take care of the remainder of the threats. Anything else is less of a threat and many times the perimeter defense with firewalls can take care of many of the everyday types of threats. There is a general flow of the Active Defense-in-Depth strategy. The first area is to advance the user’s security knowledge via training. Users must realize that the upcoming changes in the network are to protect them, and if they are required to act differently while online, then they must follow the security policy and do so.
intrusion detection: Pertaining to techniques that attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts either manually or via software expert systems that operate on logs or other information available.
vulnerability: Hardware, firmware, or software flow that leaves an AIS open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to an AIS.
Lesson 1: Network Defense Fundamentals
7
attack: An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.
Security must then be established with a strong perimeter system. Inside the network, the Intrusion Detection System is working hard to identify unauthorized attempts to use resources. The stated strategy will respond to an attack, again as per the defined security policy. Finally, further controls and systems will be in place to minimize the likelihood of further intrusions and create a more trusted environment. After each part of the defense strategy, the lessons that have been learned are used to strengthen the overall security of the network. Figure 1-1 illustrates this concept.
intrusion: Any set of actions that attempts to compromise the integrity, confidentiality, or availability of a resource.
Figure 1-1: The Active Defense-in-Depth model.
Defensive Strategy Requirements Any network that is going to deploy a defense system to protect their network must fulfill some common requirements if the defense is going to be successful. Although these are not written as hard and fast rules, they should be followed in nearly all organizations.
8
Tactical Perimeter Defense
Training and Awareness Training and awareness is the foundation for the Active Defense-in-Depth defensive posture because through training and awareness, cultural change within the enterprise occurs. A cultural change is required for all users to exercise security in their day-to-day operations and functions in execution of their processes. Military units that have a high rate of operational readiness for combat use a maxim that states, “Train like you fight because you will fight like you train.” There’s a lot to be learned from such a maxim. It means that training must be realistic and replicate battle conditions. Training must replicate the same scenarios that may expose vulnerabilities for attack by the threat. The same battle scenarios are presented in training to make attack response a second nature to the user, as well as the security professional overlooking the protection of the network.
Perimeter Security Perimeter security is the first line of defense for the network and usually is protected by a packet filtering or rules-based firewall. In order to be most effective, ensure that the firewall has the following properties and rules: • Base your packet filtering and traffic management rules according to an organizational security policy. •
Firewall defines all network connections.
•
All traffic from inside out and outside in must pass through the firewall.
Intrusion Detection Systems (IDS) Intrusion Detection Systems (IDS) are a combination of hardware and software systems that monitor and collect network system information and analyze it to detect attacks or intrusions. Some IDSs can automatically respond to an intrusion or attack based on a collected library of attack signatures. IDSs use softwarebased scanners, such as an Internet scanner, that may be the primary tool for network vulnerability analysis. This type of scanner performs both scheduled and deliberate probes of the network infrastructure for flaws and vulnerabilities in operating systems, routers, applications, and communication devices.
packet: A block of data sent over the network transmitting the identities of the sending and receiving stations, errorcontrol information, and message.
packet filtering: A feature incorporated into routers and bridges to limit the flow of information based on pre-determined communications such as source, destination, or type of service being provided by the network. Packet filters let the administrator limit protocol-specific traffic to one network segment, isolate email domains, and perform many other functions.
router: An interconnection device that is similar to a bridge, but serves packets or frames containing certain protocols. Routers link LANs at the network layer.
vulnerability analysis: Systematic examination of an AIS or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
Lesson 1: Network Defense Fundamentals
9
Attack Response
false positive: Occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action.
Attack response consists of many practices in response to attacks or incidents whether real, false, or simulated for training. All attacks are handled the same way until it is verified by the administrator that it is in fact a false positive or a simulated attack for training. In any case, the response itself needs to be kept secret from outside the security network as not to give any potential attackers an advantage or possible vulnerability to exploit. A ready response team should be designated and alerted in a timely fashion once any attack has been detected. This team must have senior management backing and technical training to include security policy creation, maintenance, enforcement, and escalation during response in case the team cannot handle the particular attack.
TASK 1A-1 Identifying Non-repudiation Issues 1.
What are the three potential problems a network could face if there is no assurance of non-repudiation, and what is the potential excuse for each problem? The following examples of excuses that people are known to routinely give each other are indicative of the potential problems in a network if nonrepudiation is not implemented: • Repudiation of origin: “I never sent it.” •
Repudiation of receipt: “I never received it.”
•
Repudiation of submission: “I sent it out a while back” versus “You say you sent it out when? I only received it yesterday.”
Topic 1B Defensive Technologies To have a network that can be considered well-secured requires a layered defense. The concepts of a layered defense are old and simple: The more layers an attacker will have to go through, the more difficult it is for the attack to be successful.
The Castle Analogy This concept can be traced back very far; for this discussion, we will go back to the days of castles and fortresses. These buildings often housed hundreds of people and their rulers. In some cases, the castle was the entire town, with small huts outside the castle boundaries. Needless to say, they required very good and reliable security.
10
Tactical Perimeter Defense
A castle’s defense system is the classic layered concept. The castle itself is built out of strong and very thick stone. The walls of the castle are very high. The towers of the castle are even higher and allow the guards to see intruders at a greater distance. Other guards are positioned inside to watch for imposters and other internal disruptions. Closer to the castle is the moat, a body of water surrounding the castle. The only entrance is the drawbridge, which can be raised so no one can enter or leave without permission. There is a massive door protecting the entrance past the drawbridge. Small arrow holes are hidden along the walls and in the towers for archers to use; these make it easy for arrows to get out of the castle but difficult to shoot an arrow into one of those holes. As you can see, each additional layer of defense created a more secure overall castle. The analogy is directly transferable to networking. No one single technology can create a secure network, just as a moat alone cannot create a secure castle.
Attacking the Castle If the castles were so well defended, then how and why did they eventually fall? With layers upon layers of defense, the castles seemed as if they could not fall into their enemy’s hands. History tells us otherwise. There were three basic approaches to bringing upon the downfall of a castle. • One was through a massive attack, where hundreds or thousands of soldiers would storm the castle, a constant attack until the massive door finally was penetrated. This method generally would cost many lives, but often was successful. •
The second approach was a variation of the first. Instead of actually storming the castle, a large army would simply lay siege to the castle for months until finally the defenders would give up.
•
The third method was to find the secret entrance(s). Often the castle needed secret alternate ways in and out for emergencies. Once the enemy found this second entrance, they could send a small force in to open the castle from inside. This would prove to be a more effective method, since the cost in lives to the attacker was far less.
Now, looking at this analogy, what are the defensive technologies employed in today’s network security terms? There are many similarities, as you may have noticed.
The Castle’s Firewall In the castle analogy, there is a definite firewall in place. The two parts would be the moat and the high stone walls. This is how the firewall should operate in a network—multiple parts. For example, you may have a firewall blocking ports, and another part of the firewall that is running Network Access Translation (NAT) to hide your internal IP addresses. These pieces are the classic perimeter security system, and all networks that are serious about security must have them.
Lesson 1: Network Defense Fundamentals
11
protocol: Agreed-upon methods of communications used by computers. A specification that describes the rules and procedures that products should follow to perform activities on a network, such as transmitting data. If they use the same protocols, products from different vendors should be able to communicate on the same network.
back door: A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door; a hidden software or hardware mechanism used to circumvent security controls.
Further analogies to the firewall are the arrow holes and the front door itself. These arrow holes are roughly equivalent to protocol port numbers, in that they are small and can be set up to be only one-way. Arrows go out, but they do not come back in. The front door can be opened to allow full two-way movement or communication.
The Castle’s Intrusion Detection The guards on the inside watching for an imposter or other internal problem are the intrusion detection. The guards high up in the watchtower are also part of the Intrusion Detection System, looking for attackers from the outside.
The Castle’s Back Doors One of the most serious problems with the security of a network is a back door. If a user installs a modem and makes an independent, direct connection to the Internet, all an attacker needs to do is find that back door. Once the back door is found, the attacker can come in and open up the entire network from the inside. This analogy is used to illustrate the need for a solid, well-planned, layered defense strategy for the network. Since any single point is subject to attack and potential failure, there must be other systems in place that work as defense for the network. Figure 1-2 is a graphical representation of the layered concept.
Figure 1-2: The layered defense concept.
12
Tactical Perimeter Defense
The Defense Technologies So, what exactly are the defensive technologies that can be deployed in a network? There are many, and some are not purely defensive, but they are used in the defense of the network.
Figure 1-3: The layers of defense in reaching a file. The best way of looking at the defense of the network is to start on the outside, at the perimeter, and work your way in to the target. The target may be a number of different things, but we will focus in this discussion on an application residing on a host computer. 1. The first aspect in the defense of the network does not even use electricity. It is the security policy. Many people consider the firewall the first line of defense, but this could be argued as incorrect. Without a policy, the firewall cannot be configured! So, the first item is the policy. There must be a clear understanding of the purpose of the security in the network. The policy must cover who can do what, when, and how. The policy also must state the clear objectives of each piece of equipment used in the defense of the network. As with many things in life, proper planning is required for successful implementation. 2.
host: A single computer or workstation; it can be connected to a network.
After the security policy has been created and agreed to, the implementation of the defense systems can begin. On the very edge of the network are the routers. These routers may be configured, via access control lists, to perform proxy: A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user, typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps does additional authentication, and then completes a connection on behalf of the user to a remote destination.
Lesson 1: Network Defense Fundamentals
13
NAT and proxy services are covered in greater detail in upcoming lessons.
physical security: The measures used to provide physical protection of resources against deliberate and accidental threats.
part of the firewall system, and provide some level of packet filtering. The firewall may provide NAT and proxy services. NAT will ensure that the internal private addresses stay hidden, and the proxy services will make requests for resources on behalf of the internal clients. 3.
Moving through the layers, beyond the firewall, the next piece is the IDS. The IDS is in place to notify the security professionals when an intrusion has happened, and can perform this function both on the inside of the network, and also detect attempts on the outside of the network.
4.
Still deeper into the defense of the network is authentication. The host computer will require a form of authentication to gain access to the resources. Making it to the host is one thing, authenticating with the host and getting access is another.
5.
After authentication with the host is the file system security. Each file, or each resource, should be designed with its own security. This security dictates who has access to this file, and what kind of access each person has. The file security may even specify the times during the day that users have access to the file.
The physical security of the network, although not a specific technology, is worth mentioning. Physical security of the computers, routers, switches, and employees is critical to maintaining a well-defended network. There is no point in implementing all the above technologies, if anyone can walk into an office and browse a computer. Physical access must be part of the defense, and should be outlined in the security policy.
TASK 1B-1 Describing the Layers of a Defended Network 1.
Describe how an organization benefits from implementing each layer of a layered defense to protect their network. Benefits to implementing a layered defense include: • Security Policy: Organized defense.
14
Tactical Perimeter Defense
•
Perimeter Defense: Rule sets define what kind of traffıc is allowed in or out.
•
IDS: Monitoring of network or hosts to detect unusual behavior or attacks so that responses can be calculated, rather than remain arbitrary.
•
Authentication: Depending upon the level of authentication used (one-, two-, or three-factor), it can be very diffıcult for one user to impersonate another.
•
File System Security: Users with verified credentials are granted or denied access to certain resources.
•
Physical Security: Prevents access to machines by users with malicious intent.
Topic 1C Objectives of Access Control Every network, no matter how well it is defended, will require verification of the network user’s credentials. This is the process of access control. All networks need a system in place to be sure only authorized users have access to the network and its resources.
Access Control On the network, one of the critical areas of security is determining who has access to what. It is the security professional’s job to ensure that the policy guidelines are met and no unauthorized access of resources takes place. Or, as the definition of access control states, it is the prevention of unauthorized use by controlling the access to any protected system or resource. Access control systems are what help the security professional satisfy that requirement. There are two types of access control that may be implemented: Mandatory Access Control (MAC) and Discretionary Access Control (DAC). The policy in place determines which of these controls will be used.
Mandatory Access Control MAC is an access control policy that supports a system which generally handles highly sensitive or secret information. Government agencies typically use MAC. Also, the security classification of both the user, called a subject, and the data or resource being accessed, called an object, must be labeled as Top Secret, Secret, or Classified for security. These labels are security classifications for objects and security clearances for subjects. If only one level of security is maintained in a system, it is called a System High Policy, which requires all system users to have the appropriate clearance for the highest level of sensitive information that may be accessed. If Secret information is on this system, then all authorized users must have at least a Secret clearance level. If multiple levels of classified information are on a single system and requires users with different security clearances to access it, then a Multi-level Security Policy is enforced. To make this effective, the system typically has screened subnets by use of firewalls to allow access only to appropriate clearance-level users.
Discretionary Access Control DAC is an access control policy that uses the identity of the user or group in which they belong to allow authorized access. It is discretionary in that the administrator is able to control who has access, to what, and what type of access they will have, such as create or write, read, update, or delete. This is known as CRUD, which stands for Create, Read, Update, and Delete.
Lesson 1: Network Defense Fundamentals
15
Authentication Once the policies of access control are in place, there needs to be a mechanism that can verify the user who is requesting access. Having either DAC or MAC in the organization’s network is useless if the network cannot identify the users of the network. This is where authentication comes in. Although each operating system has its own methods of authentication, here we will discuss the concepts and methods of authentication. How is authentication defined? The basic definition is the process of determining the identity of a user that is attempting to access a system. (The word “system” in this case could be a router, server, workstation, and so on.) server: A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.
Authentication occurs when a user provides the requested information to an authentication verification authority. The requested information can take many forms, as you will see. The verification authority can also take different forms, but is generally a server on the network. The traditional method of authentication is to provide a password. This password is a value that the user creates individually, or is generated for them. In any case, it is a value the user remembers and enters when requested. Systems can be as simple as having a single password to log in and use every resource available, or as complex as requiring one password to log in and different passwords to access specific resources. To increase the level of reliability and ease of use to users, biometric authentication can be introduced. When this type of system is added to the authentication scheme, it is considered to be strong authentication. The designation of strong is given since the user is not only identified digitally, but by their physical person via a physiological characteristic, such as a fingerprint scan, iris scan, or hand geometry.
Authentication Tokens For some organizations, the traditional methods of using passwords are not enough and the implementation of a biometric solution, such as fingerprint scanning, does not meet their policy requirements. These organizations may then look to tokens. Tokens come in different sizes and implementations. An authentication token is a portable device used for authenticating a user, thereby allowing authorized access into a network system. The tokens are literal physical devices and they operate by using systems such as challenge and response or time-based code sequences. One of the most well-known is the RSA SecureID Token.
Challenge Response Token The challenge response token is an authentication technique using a calculator type of token that contains identical security keys or algorithms as a Network Access Server (NAS). This sends an unpredictable challenge to the user, who computes a response using their authentication response token. This is shown in Figure 1-4.
16
Tactical Perimeter Defense
Figure 1-4: An example of a challenge response card from Cryptocard.
The Challenge Response Process Each challenge response token is pre-loaded with a Data Encryption Standard (DES) encryption key and a default user PIN unique to that token in association with a User Name. Neither of these items can be extracted from the token. Upon receiving a new token, the user must take the following steps to access a secured network using challenge/response technology: 1. Activate the token by changing the PIN to one known only by the user. User enters the chosen PIN on the token. 2.
The user begins the logon sequence.
3.
The user types in the User ID from the requesting PC.
4.
The NAS passes the PIN and User ID to the authentication server as part of the logon request.
5.
The authentication server generates a random challenge and sends it back to the user via the connection through the NAS.
6.
It is then sent to the user where it appears on the requesting PC screen.
7.
The user types the challenge into the token, which then encrypts it using its internal DES key.
8.
The token displays the encrypted response.
9.
The user types the encrypted response into the requesting PC keyboard.
10. The authentication server receives the response, and using the same DES key that the token used, processes it and verifies the user and the token. 11. The authentication server sends a message to the NAS to allow the user access.
DES: (Data Encryption Standard) Definition 1: An unclassified crypto algorithm adopted by the National Bureau of Standards for public use. Definition 2: A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.
key: A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt.
Lesson 1: Network Defense Fundamentals
17
Figure 1-5: An example of the challenge response token authentication system.
Time-based Tokens The challenge response token system is widely used on many networks today. There is a different type of token that is also currently used. It is the time-based token. Where the challenge response token requires the user to enter data in the token and read data back out of the token, the user in the time-based token only reads data.
Figure 1-6: An example of the time-based token authentication system. The time-based token utilizes an authentication technique where the security token and the security server use an identical algorithm. To gain access, the user takes the code generated by the token and adds their user name and PIN to create a passcode. The passcode is combined with a seed value and the current time, which is then encrypted with an algorithm and sent to the server. The server authenticates the user by generating its own version of the valid code by accessing the pre-registered PIN and using the same seed value and algorithm to validate the user and their token.
Figure 1-7: An example of the RSA SecureID token. 18
Tactical Perimeter Defense
Time-based and challenge response tokens are both good examples of two-factor authentication. The server validates what they know (the user name and PIN) and what they have (the authentication token).
Software Tokens If an organization does not wish to purchase hardware tokens such as those described, they may opt for a software solution instead. A software token is an authentication technique using a portable device such as a Palm Pilot, Palm PC, or Wireless Telephone to carry the embedded software. When attempting to access the secured network, the user is prompted to provide their PIN (pre-registered with the server in association with the user name) and authentication code, which is generated by the software token. This information is routed to an access server such as an RSA ACE/Server for verification. If the PIN and authentication code are valid, the user is granted access. If not, the user is denied access to the network.
Figure 1-8: An example of a Palm Pilot running RSA security software.
Lesson 1: Network Defense Fundamentals
19
TASK 1C-1 Describing the Challenge Response Token Process 1.
Describe the Challenge Response token process between the user, client, and server. Each challenge/response token is pre-loaded with a DES (Data Encryption Standard) encryption key and a default user PIN unique to that token in association with a user name. Neither of these items can be extracted from the token. Upon receiving a new token, the user must follow several steps to access a secured network by using challenge/response technology.
2.
Place the following steps in the proper order. 7
The user types the challenge into the token, which then encrypts it using its internal DES key.
3
The user types in the User ID from the requesting PC.
10
20
Tactical Perimeter Defense
The authentication server receives the response and using the same DES key that the token used, processes it, and verifies the user and the token.
4
The NAS passes the PIN and User ID to the authentication server as part of the logon request.
8
The token displays the encrypted response.
11
The authentication server sends a message to the NAS to allow the user access.
1
The token is activated by changing the PIN to one known only to the user. User enters the chosen PIN on the token.
6
The challenge is sent to the user where it appears on the requesting PC screen.
2
The user begins the logon sequence.
9
The user types the encrypted response into the requesting PC keyboard.
5
The authentication server generates a random challenge and sends it back to the user via the connection through the NAS.
Topic 1D The Impact of Defense Network security protects all the information technology assets within the enterprise including computers, servers, databases, applications, peripherals, and perhaps most importantly, data or information. Network security allows authorized users to access IT assets quickly, whenever it’s needed, all the while improving communications with internal and external customers within a totally secure environment. Implementation of security controls, whether in a layered defense or any other mode, should not, in any way, hinder the functionality of the network. Networks must be secure, but the implementation of security cannot hinder the objective and purpose of the network itself. Of the different technologies discussed in this lesson, how many could have a negative impact on the performance of the network? If you answered all of them, you are correct. However, they do not have to have a negative impact on the network. Proper implementation of security controls will reduce the impact on the network. How exactly do these technologies impact the network in the first place? Let’s examine some of the technologies discussed previously.
Firewalls The firewall is the first line of defense for the network. All packets that enter the network should come through this point in a properly designed network. A modern firewall is generally a system of applications and hardware working together. The jobs a firewall can be asked to perform are packet filtering, network address translation, and proxy services. A firewall can have a negative impact on the network by blocking access to resources that should be accessible. It is possible that, because of improper configuration of a firewall, entire portions of a network become unavailable, in which case the performance hit is significant. Additionally, if an ordinary PC has been configured to be the firewall (a multihomed computer), it may not have the internal speed to perform all the functions of the firewall fast enough, resulting in latency.
Encryption The encryption process as a whole involves taking data that is readable in plain text, and using a mathematical calculation, make the text unreadable. The receiver then needs to perform a similar calculation to decrypt the message and read it in its plain text format. The performance hit is much more obvious with encryption. If the data packets are encrypted, the information that must be transmitted is larger, and more bandwidth will be consumed. Additionally, the devices that perform the encryption and decryption have more work to do in running the algorithms that perform the task. Networks that have systems at minimum levels will be affected the most by the addition of encryption. Lesson 1: Network Defense Fundamentals
21
Computers and routers that are asked to perform encryption must be able to handle the extra workload. It is not always the network that has a performance drop; it is often the computers themselves, as they struggle to keep up with all the extra processing required to encrypt and decrypt data. File system encryption can be as much of a performance hit as encrypted network traffic.
Passwords Forcing hard-to-remember passwords on users results in either the passwords being written down or frequent calls to the help desk to come and unlock their computer. This results in a performance hit on the overall functionality of the entire network. The password issue is a difficult one, as networks require strong passwords, but users have a hard time creating them. The network administration staff should take the time to educate users on creating strong passwords. One of the better methods of making strong passwords that users can remember is to use phrases instead of words (which should never be used). The phrase method requires the user to think of a phrase they will remember. This way it can be related to a user’s birthday and not be a security risk. For example, I was Born on June 27! could then be a password of IwBoJ27! This illustrates how easy it can be to generate secure passwords that can be remembered.
Intrusion Detection Systems Although some think that an IDS could not have an impact on a network, in reality, it can. It is true that the IDS does not have that much of an impact on the actual packets as they move about the network; however, this is not the only type of impact the network must manage. If an IDS is improperly configured, so that it is identifying traffic not indicative of an intrusion, and the security professionals spend their time investigating unneeded attacks, then the IDS has created a significant problem, not a solved one. An IDS that is constantly giving off false alarms is a bad thing for the network, as eventually the security team will stop responding, or respond slowly.
Auditing If a commonly used server has had every single auditing option turned on, the computer is going to suffer a performance hit in logging all that information. If it also happens to be a file server, chances are good that available disk space will be taken up by the log files, again resulting in calls to the help desk. This can also be a method of hiding an attacker’s tracks. If an attacker gains access to a server and enables every single auditing option, it will be much more work for the administrator to search the log files for the real evidence of the security breach.
22
Tactical Perimeter Defense
TASK 1D-1 Describing the Problems of Additional Layers of Security 1.
How could adding additional layers of defense cause problems for the users of a network? Answers may vary, but may include: Improper configuration of a firewall, NAT, or proxy can result in authorized users not being able to access resources they need to access or vice versa; users may not fully understand the modern key management process used in encryption systems, therefore, unless encryption is an integrated feature of the operating system, IP stack, or application, users may be inconvenienced; the user logon and verification process can also inconvenience users if it is too complicated.
2.
How could adding additional layers of defense cause problems for the packet flow on the network? Answers may vary, but could include: Strong encryption can increase the actual network traffıc; more CPU cycles are required to generate encrypted traffıc and decipher them upon receipt; IDS systems running in a very paranoid mode may create excessive auditing and alerts, sometimes resulting in false alerts.
Topic 1E Network Auditing Concepts Auditing entails the recording, maintenance, and protection from unauthorized access, modification, or deletion of detailed access event logs of information technology assets and network systems to ensure compliance with an established security policy. Auditing within a network system’s environment involves much more than the typical recording of system activity.
Security Auditing Basics It would be useless to put a lock on a door if it was never checked to see if it was still locked or if it was unlocked, when it was unlocked, and by whom. In checking the security of a network, answers to the following questions need to be recorded and logged for use later in case of system compromise: • What was checked? •
Who did the checking?
•
When was it checked?
•
How was it checked?
•
Were there any findings?
compromise: An intrusion into a computer system where unauthorized disclosure, modification, or destruction of sensitive information may have occurred.
Lesson 1: Network Defense Fundamentals
23
security violation: An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information contained therein or to the system itself.
Besides the usual recording of logins, logouts, accessing files, directories and resources, and security violations, additional network security events must be audited on both sides of the network connection. Both sides means any establishing or dropping of network connections with other networks must be logged, as well as any failed network components and any misrouted or lost data while in transit. Auditing should capture the information of the following events: •
All access events with use of identification and authentication mechanisms.
•
Any deletion of files, data, or information.
•
Modification of directories.
•
Movement of large data assets into user’s address space.
•
Any security actions or other security-related events.
Each event should contain the following entries in the audit log: audit: The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.
•
Date and time of the event.
•
Name of user creating the event, as well as event origin.
•
Event description and type.
•
Name of asset in case of deletion.
•
Event success or failure.
Security Audits Logged records of monitored events are kept on hand for auditing purposes. Although they can be conducted by either internal or external resources, the two typical types of security audits are operational or independent.
security audit: A search through a computer system for security problems and vulnerabilities.
Operational Audit This type of audit is usually done by internal resources to examine the operational and ongoing activities within a network system for compliance with an established security policy.
Independent Audit An independent audit is usually conducted by external or outside resources and may be a review or audit of detailed audit logs to: • Examine system activities and access logs.
24
Tactical Perimeter Defense
•
Assess the adequacy of security methods and controls.
•
Assess compliance with established enterprise network system policies and procedures.
•
Assess effectiveness of support, enabling, and core processes.
•
Recommend improvements in security processes, methods, and controls.
Whether an audit is done as an operational or independent audit, a thorough search through the system should be conducted to detect any flaws, vulnerabilities, or problems. An IDS can provide network system vulnerabilities, but a security audit should be conducted to find problems within the file systems on the network. Out of this audit should come detailed reports that may give you some clues as to possible existing or future problems. These may include: •
Accounts with no name or expired names of people that have left the company or group.
•
New accounts needing validation for authorized users.
•
Group accounts needing access control specifics to pinpoint who had access at what time and not just a group name logon.
•
Recent changes to file protection or changes in rights to large files.
•
Accounts with easily guessed passwords.
•
Accounts with expired or no passwords.
•
Any other suspicious user activity.
Audit Trails Network auditing still needs to log the audit trail or history of any network transaction. The requirement for any audit trail is that documentation be kept to record the historical use of the network system. But the primary purpose of a recorded audit trail is to be able to examine the detailed historical record of system use in order to replicate specific event scenarios after a compromise or exploit has occurred. An audit trail is the only way to examine the sequence of events that led up to the system’s compromise or exploitation. Without an audit trail, there would be no way to find out how a compromise or exploit of the system occurred, or when it actually happened.
Handling and Preserving Audit Data
audit trail: In computer security systems, a chronological record of system resource usage. This includes user login, file access, other various activities, and whether any actual or attempted security violations occurred.
Audit data should be some of the most carefully secured data at the site and in the backups. If an intruder were to gain access to audit logs, the systems themselves would be at risk, in addition to the data. Audit data may also become key to the investigation, apprehension, and prosecution of the perpetrator of an incident. For this reason, it is advisable to seek the advice of legal counsel when deciding how audit data should be handled. This should happen before an incident occurs. If a data-handling plan is not adequately defined prior to an incident, it could mean that there is no recourse in the aftermath of an event, and it may create liability resulting from improper treatment of the data.
perpetrator: The entity from the external environment that is taken to be the cause of a risk. An entity in the external environment that performs an attack, i.e. hacker.
Legal Considerations Due to the content of audit data, there are a number of legal questions that arise which might need to be addressed by your legal counsel. If you collect and save audit data, you need to be prepared for consequences resulting both from its content as well as its existence.
Lesson 1: Network Defense Fundamentals
25
One area concerns the privacy of individuals. In certain instances, audit data may contain personal information. Searching through the data, even for a routine check of the system’s security, could represent an invasion of privacy. A second area of concern involves knowledge of intrusive behavior originating from your site. If an organization keeps audit data, is it responsible for examining it to search for incidents? If a host in one organization is used as a launching point for an attack against another organization, can the second organization use the audit data of the first organization to prove negligence on the part of that organization? These examples are not meant to be comprehensive, but should motivate your organization to consider the legal issues involved with audit data.
TASK 1E-1 Describing Network Auditing 1.
What are the benefits of auditing network traffic? Logs of audited network traffıc can be used to examine a detailed historical record of network and system use in order to reconstruct specific event scenarios after a compromise or exploit has occurred.
2.
What is a possible drawback to network auditing? If an intruder were to gain access to audit logs, the systems themselves would be at risk, in addition to the data.
3.
Why is the handling and storage of audit data so critical? Audit data may contain personal information. Searching through the data, even for a routine check of the system’s security, could represent an invasion of privacy. Apart from that, the very knowledge of intrusive behavior originating from your site raises the question of responsibility with regard to reporting the incident to a third party or maybe even an authority such as the FBI.
Summary In this lesson, you walked through the process of creating a layered defense. You are able to identify why the layered defense is important and the technologies used to create one. You also examined the concepts of network auditing, including handling of data and types of audits. You have defined the five keys of network defense, described the objectives of access control methods, and identified the impact of defense on the network.
26
Tactical Perimeter Defense
Lesson Review 1A What do authentication and availability create in the network? Authentication and availability in a network create system assurance. Describe the differences between one-, two-, and three-factor authentication. One-factor authentication provides “what you know,” such as a password or PIN. Two-factor authentication is providing “what you have,” like a smart card or a token in addition to “what you know.” The third factor which provides strong authentication is proving a user’s identity, or “who you are,” by using biometrics. Biometrics uses a physiological characteristic to identify you, such as a fingerprint, retina scan, hand geometry, voice recognition, iris scan, or behavioral characteristics such as keystroke recognition or signature recognition. Is it possible to have data confidentiality without having data integrity? No, however, it is possible to have data integrity without data confidentiality. What is the difference between a passive threat and an active threat? Simply put, in a passive threat, data is viewed, but in an active threat, data is modified.
1B What are the primary technologies used to create a layered defense? • A security policy implemented at various layers of the network. • Perimeter defenses, such as routers, firewalls, NAT, and proxies. • Intrusion Detection Systems (IDS) can be put in place to monitor network traffıc or hosts. • Authentication has to be regularized using one-, two-, or three-factor authentication methods depending upon the requirement (machinespecific authentication may be required in some cases). • File System Security should be in place once a user is logged in, to allow or deny access to resources. • Physical access/security to the network or individual machines should be addressed. What could be the result of skipping a layer of defense? • Security policy: Unstructured defense. •
Perimeter defense: Intruders will come in.
•
IDS: You won’t know that intruders have come in.
•
Authentication: Anyone can log in to your network.
•
File System Security: Anyone who has access to a machine can access everything on that machine.
•
Physical security: Anyone can access any machine.
Lesson 1: Network Defense Fundamentals
27
1C Name and describe the two methods of Access Control. • Mandatory Access Control, where subjects and objects are Classified, Secret, or Top Secret. • Discretionary Access Control, where a user’s identity is used in first determining certain user rights into the system, and then at each resource to see if the user has Create, Read, Update, or Delete (CRUD) privileges. Describe the process of authentication. Authentication is the process of determining the identity of a user who is attempting to access a system. A user provides the requested information to an authentication verification authority. The authentication verification authority uses this information, or a derivative of it, against a pre-configured database. If the values match, the user is issued appropriate credentials to access the system. The user then presents these credentials to access resources. What are software tokens, and how can an organization benefit by using them? A software token is an authentication technique using a portable device, such as a Palm Pilot or Palm PC. Since the token is generated via software, an organization does not have to be tied down to a particular hardware token generator. When circumstances change and they have to upgrade the strength of the token, for example, they just need to upgrade the software in the portable device rather than recall and reissue hardware devices.
1D How could a firewall have a negative impact on network performance? A firewall can have a negative impact on the network by blocking access to resources that should be accessible. It is possible that, because of improper configuration of a firewall, entire portions of a network become unavailable. Additionally, if an ordinary PC has been configured to be the firewall (a multihomed computer) it may not have the internal speed to perform all the functions of a firewall fast enough, resulting in latency. How can encryption affect network performance? If the data packets are encrypted, the information that must be transmitted is larger, and therefore more bandwidth will be consumed. How can encryption affect individual hosts? The devices that perform encryption and decryption have more work to do in running the algorithms that perform the task.
1E What are two of the events that can be captured with auditing? Answers may include the following: All access events with use of identification and authentication mechanisms; any deletion of files, data, or information; modification of directories; movement of large data assets into user’s address space; any security actions or other security-related events.
28
Tactical Perimeter Defense
What are two of the entries that should be captured in an event? Answers may include the following: Date and time of the event; name of user creating the event as well as event origin; event description and type; name of asset in case of deletion; event successful or failed. What are the two typical types of security audits? Operational and independent.
Lesson 1: Network Defense Fundamentals
29
30
Tactical Perimeter Defense
Advanced TCP/IP
LESSON
2 Overview There is one primary set of protocols that runs networks and the Internet today. In this lesson, you will work with those protocols: the Transmission Control Protocol (TCP) and the Internet Protocol (IP). In order to manage the security of a network, you must become familiar with the details of how TCP/IP functions, including core concepts, such as addressing and subnetting, and advanced concepts, such as session establishment and packet analysis.
Objectives
Data Files tftp.cap fragment.cap ping.txt ping.cap ftp.txt ftp.cap WinPcap Wireshark Lesson Time 6 hours
To better understand advanced TCP/IP concepts, you will: 2A
Define the core concepts of TCP/IP. Given a machine running TCP/IP, you will define the core concepts of TCP/IP, including the layering models, RFCs, addressing and subnetting, VLSM and CIDR, and the TCP/IP suite.
2B
Analyze sessions of TCP. Given a Windows Server 2003 computer, you will examine control flags, sequence numbers, and acknowledgement numbers, and you will use Network Monitor to view and analyze all of the fields of the three-way handshake and session teardowns.
2C
Analyze IP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of IP.
2D
Analyze ICMP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of ICMP.
2E
Analyze TCP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of TCP.
2F
Analyze UDP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of UDP.
Lesson 2: Advanced TCP/IP
31
2G
Analyze fragmentation. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze network traffic fragmentation.
2H
Complete a full session analysis. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze a complete FTP session, frame by frame.
32
Tactical Perimeter Defense
Topic 2A TCP/IP Concepts In order for two hosts to communicate, there must first be an agreed-upon method of communication for both hosts to use. The protocol that the Internet was built on, and the protocol that all hosts on the Internet use is TCP/IP, or Transmission Control Protocol/Internet Protocol. Because the two hosts agree on the protocol they will use, we can go right into the details of the protocol itself.
The TCP/IP Model
Many of the Concepts in this topic were covered in the prerequisite courses, but are provided here for review.
In order for data to move from one host to another, it must be transmitted and received. There are several ways this could happen, in theory. •
The data file could be sent as a whole file, intact, from one host to another.
•
The data file could be split in half and sent, sending and receiving two equal sized pieces.
•
The data file could be split into many smaller pieces, all sent and received in a specific sequence.
It is this last method that is actually used. For example, if a user is at a host and wants to view a web page on a different host, the request and subsequent response will take many small steps to complete. In Figure 2-1, you can see the four layers of the TCP/IP Model, along with the browser’s request for a web page going to the web server.
host: A single computer or workstation; it can be connected to a network.
server: A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.
Figure 2-1: A web request moving along the TCP/IP Model. The four layers of the TCP/IP Model are: • The Application Layer •
The Transport Layer
•
The Internet Layer (also called the Network Layer)
•
The Network Access Layer (also called the Link Layer)
Lesson 2: Advanced TCP/IP
33
The reason that there are alternate names for these layers is that there has never been an agreed-upon standard for the names to which the industry agrees. Each of these layers are detailed as follows: • The Application Layer is the highest layer in the model, and communicates with the software that requires the network. In our example, the software is the web page request from a browser. network: Two or more machines interconnected for communications.
•
The Transport Layer is where the reliability of the communication is dealt with. There are two protocols that work at this layer, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). An immediate difference between the two is that TCP does provide for reliable delivery of data, whereas UDP provides no such guarantee.
•
The Internet Layer (or Network Layer) provides the mechanism required to address and move the data from one host to the other. The primary protocol you will examine at this layer is IP (Internet Protocol).
•
The Network Access Layer (or Link Layer) is where the data communication interacts with the physical medium of the network. This is the layer that does the actual sending and receiving of the data.
As you saw in Figure 2-1, as the web page request was initiated on the host, it moved down the layers, was transmitted across the network, and moved up the layers on the web server. These are the layers on which all network communication using TCP/IP is based. There is a different set of layers, however, called the OSI Model.
The OSI Model The TCP/IP Model works well for TCP/IP communications, but there are many protocols and methods of communication other than TCP/IP. A standard was needed to encompass all of the communication protocols. The standard developed by the International Organization for Standardization (ISO) is called the OSI Model.
OSI: (Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.
34
Tactical Perimeter Defense
The Open Systems Interconnect (OSI) Model has seven layers, compared to the four layers of the TCP/IP Model. The seven layers of the OSI Model are: • The Application Layer •
The Presentation Layer
•
The Session Layer
•
The Transport Layer
•
The Network Layer
•
The Data Link Layer
•
The Physical Layer
The names of these layers are fixed, as this is an agreed upon standard. The details of each layer are as follows: •
The Application Layer is the highest layer of the OSI Model, and deals with interaction between the software and the network.
•
The Presentation Layer is responsible for data services such as data compression and data encryption/decryption.
•
The Session Layer is responsible for establishing, managing (such as packet size), and ending a session between two hosts.
•
The Transport Layer is responsible for error control and data recovery between two hosts. Both TCP and UDP work at this layer.
•
The Network Layer is responsible for logical addressing, routing, and forwarding of datagrams. IP works at this layer.
•
The Data Link Layer is responsible for packaging data frames for transmission on the physical medium. Error control is added at this layer, often in the form of a Cyclic Redundancy Check (CRC). This layer is subdivided into the LLC (Logical Link Control) and MAC (Media Access Control) sublayers. The MAC sublayer is associated with the physical address of the network device and the LLC sublayer makes the association between this physical address (such as the 48-bit MAC address if using Ethernet) and the logical address (such as the 32-bit IP address if using IP) at the Network Layer.
•
The Physical Layer is responsible for the actual transmission and receipt of the data bit stream on the physical medium.
packet: A block of data sent over the network transmitting the identities of the sending and receiving stations, errorcontrol information, and message.
The OSI Model and the TCP/IP Model do fit together. In Figure 2-2, you can see that the two primary layers of concern in the TCP/IP Model (the Transport and Internet Layers), match directly with the Transport and Network Layers of the OSI Model, while the other two TCP/IP Model layers encompass two or more layers of the OSI Model.
Figure 2-2: A comparison of the OSI and TCP/IP Models. As the data from one host flows down the layers of the model, each layer attaches a small piece of information relevant to that layer. This attachment is called the header. For example, the Network Layer header will identify the logical addresses (such as IP addresses) used for this transmission. This process of adding a header at each layer is called encapsulating. Figure 2-3 shows a visual representation of the header and the encapsulation process. Lesson 2: Advanced TCP/IP
35
Figure 2-3: Headers and the encapsulation process as data moves down the stack. When the second host receives the data, and as the data moves up the layers, each header will let the host know how to handle this piece of data. After all the headers have been removed, the receiving host is left with the data as it was sent.
RFCs With all the standards defined in the previous section, you may be asking where to go to find the standards. The answer is to the RFCs. A Request For Comments (RFC) is the industry location for standards relating to TCP/IP and the Internet. RFCs are freely available documents to read and study, and if you ever want to go directly to the source, be sure to use the RFC. Although you will find RFCs listed all over the Internet, to view them all online go to: www.rfc-editor.org. This is the website with a searchable index of all RFCs. There are several RFCs you should be familiar with, and that you should know by name to look up. This way you will not have to search hundreds of responses to find what you need. The RFCs you should know are: • The Internet Protocol (IP): RFC 791. •
The Internet Control Messaging Protocol (ICMP): RFC 792.
•
The Transmission Control Protocol (TCP): RFC 793.
•
The User Datagram Protocol (UDP): RFC 768.
The Function of IP The Internet Protocol (which works at the Network layer of both the OSI and the TCP/IP models), by definition, has a simple function. IP identifies the current host—via an address—and using addressing, moves a packet of information from one host to another. Each host on the network has a unique IP address, and each packet the host sends will contain its own IP address and the IP address to which the packet is destined. The packets are then directed, or routed, across the network, using the destination address, until they reach their final destination. The receiving host can read the IP address of the sender and send a response, if required.
36
Tactical Perimeter Defense
Although it sounds straightforward, and does work, there are drawbacks. For instance, when packets are sent from one host to another, they may be received out of order. IP has no mechanism for dealing with that problem. Also, packets can get lost or corrupted during transmission, again a problem IP does not manage. These problems are left to an upper protocol to manage. Often that protocol will be TCP, as you will see in the following topic.
Binary, Decimal, and Hexadecimal Conversions Even though you may be familiar with the concept of binary math, you may wish to review this section briefly. In binary, each bit has the ability to be either a 1 or a 0. In computers, these bits are stored in groups of 8. Since each bit can be either a 1 or a 0, each location is designated a power of 2. A byte, therefore, has binary values from 20 through 27 . In Figure 2-4, you can see the value of each of the 8 bits in a byte. When the bits are presented as a byte, the value of each of the 8 locations is added to present you with the decimal equivalent. For example, if all 8 bits were 1s, such as 11111111, then the decimal value would be 255 or 128+64+32+16+8+4+2+1. Here are a few other quick binary to decimal conversions: Binary 11000000 is decimal 192 or 128+64+0+0+0+0+0+0 Binary 10000000 is decimal 128 or 128+0+0+0+0+0+0+0 Binary 10000010 is decimal 130 or 128+0+0+0+0+0+2+0 Binary 01011010 is decimal 90 or 0+64+0+16+8+0+2+0 The IP addresses that are either manually or dynamically assigned to a host are 32-bit fields, often shown as four decimal values for ease of reading. For example, a common address would be 192.168.10.1. Each number is an 8-bit binary value, or an octet. In this example, the first octet is 192, the second 168, the third 10, and the fourth 1. Even though the fourth octet is given a decimal value of 1, it is still given an 8-bit value in IP addressing. Each bit of the 32-bit address must be represented, so the computer sees a decimal 1 in an IP address as 00000001. Keeping this in mind, the full decimal IP address of 192.168.10.1 is seen to the computer as binary IP address: 11000000.10101000.00001010.00000001 In tools that are designed to capture and analyze network traffic, the IP address is often represented in its hexadecimal (Hex) format. The ability to view and recognize addressing in Hex format is a useful skill to have when you are working with TCP/IP. In hexadecimal format, the IP address 192.168.10.1 is C0-A8-0A01. The following is a quick summary on Hex conversions.
Lesson 2: Advanced TCP/IP
37
To convert the decimal address 192.168.10.1 to hexadecimal, convert each of its octets, then combine the results, as follows: 1.
Divide 192 by 16. The result is 12, with a remainder of 0. Because decimal 12 is the same as Hex C and decimal 0 is the same as Hex 0, decimal 192 is equal to Hex C0.
2.
Divide 168 by 16. The result is 10, with a remainder of 8. Because decimal 10 is the same as Hex A and decimal 8 is the same as Hex 8, decimal 168 is equal to Hex A8.
3.
Decimal 10 is the same as Hex A.
4.
Decimal 1 is the same as Hex 1.
5.
Combining the results of each conversion shows that decimal 192.168.10.1 is equal to Hex C0A80A01.
Another way to derive this result is to first convert from decimal to binary, then convert binary to hexadecimal four bits at a time, and finally, combine the results, as shown here: 1.
Decimal 192 is the same as binary 11000000.
2.
Decimal 168 is the same as binary 10101000.
3.
Decimal 10 is the same as binary 00001010.
4.
Decimal 1 is the same as binary 00000001.
5.
Binary 1100 (the first four bits of the first octet) is the same as Hex C.
6.
Binary 0000 is the same as Hex 0.
7.
Binary 1010 is the same as Hex A.
8.
Binary 1000 is the same as Hex 8.
9.
Binary 0000 is the same as Hex 0.
10. Binary 1010 is the same as Hex A. 11. Binary 0000 is the same as Hex 0. 12. Binary 0001 is the same as Hex 1. 13. Combining the Hex equivalents shows that decimal 192.168.10.1 is equal to Hex C0A80A01.
IP Address Classes There are five defined classes of IP addresses: Class A, Class B, Class C, Class D, and Class E. The details of each class are as follows: • Class A IP addresses use the first 8 bits of an IP address to define the network, and the remaining 24 bits to define the host. This means there can be more than 16 million hosts in each Class A network (224–2, because all 1s and all 0s cannot be used as host addresses). All Class A IP addresses will have a first octet of 0xxxxxxx in binary format. 10.10.10.10 is an example of a Class A IP address.
38
Tactical Perimeter Defense
•
Class B IP addresses use the first 16 bits to define the network, and the remaining 16 bits to define the host. This means there can be more than 65,000 hosts in each Class B network (216–2). All Class B IP addresses will have a first octet of 10xxxxxx in binary format. 172.16.31.200 is an example of a Class B IP address.
•
Class C IP addresses use the first 24 bits to define the network, and the remaining 8 bits to define the host. This means there can be only 254 hosts
in each Class C network (28–2). All Class C IP addresses will have a first octet of 110xxxxx in binary format. 192.168.10.1 is an example of a Class C IP address. •
Class D IP addressing is not used for hosts, but is often used for multicasting (which will be discussed later), where there is more than one recipient. The first-octet binary value of a Class D IP address is 1110xxxx. 224.0.0.9 is an example of a Class D IP address.
•
Class E IP addressing is used for experimental functions and for future use. It does have a defined first-octet binary value as well. All Class E IP addresses have a first octet binary value of 11110xxx. 241.1.2.3 is an example of a Class E IP address.
Figure 2-4: IP address classes and their first-octet values.
Private IP Addresses and Special-function IP Addresses There are several ranges of IP addresses that are not used on the Internet. These addresses are known as private, or reserved, IP addresses. Defined in RFC 1918, any host on any network can use these addresses, but these addresses are not meant to be used on the Internet, and most routers will not forward them. By using these reserved IP addresses, organizations do not have to be as concerned with address conflicts. The defined private addresses for the three main address classes (A, B, and C) are: • Class A: 10.0.0.0 to 10.255.255.255 •
Class B: 172.16.0.0 to 172.31.255.255
•
Class C: 192.168.0.0 to 192.168.255.255
In addition to the private address ranges listed, there are a few other address ranges that have other functions. The first, is the range of 127.0.0.0 to 127.255. 255.255. This address range is used for diagnostic purposes, with the common address of 127.0.0.1 used to identify IP on the host itself. The second range is 169.254.0.0 to 169.254.255.255. This address range is used by Microsoft to allocate addresses to hosts, for Automatic Private IP Addressing (APIPA).
Lesson 2: Advanced TCP/IP
39
The Subnet Mask Along with an IP address, each host that uses TCP/IP has a subnet mask. The subnet mask is used during a process called ANDing to determine the network to which the host belongs. The way the mask identifies the network is by the number of bits allocated, or masked, for the network. A bit that is masked is identified with a binary value of 1. By default, a Class A IP address has 8 bits masked to identify the network, a Class B IP address has 16 bits masked to identify the network, and a Class C IP address has 24 bits masked to identify the network. These default subnet masks use contiguous bits to create the full mask. The following table shows the default subnet masks for the three classes, first in binary, then in the more traditional dotted decimal format. Default Subnet Masks Class
Binary Format
Dotted Decimal Format
A B C
11111111.00000000.00000000.00000000 11111111.11111111.00000000.00000000 11111111.11111111.11111111.00000000
255.0.0.0 255.255.0.0 255.255.255.0
The subnet mask can be represented in different formats. For example, one common format is to list the IP address followed by the full subnet mask, such as this: 192.168.10.1 255.255.255.0. Another option, and one that is easier to write, is to count and record the number of bits that are used as 1s in the subnet mask. For example, in the default subnet mask for Class C, there are 24 bits designated as 1. So, to use the second format, list the IP address followed by a slash and the number of bits masked, such as this: 192.168.10.1/24.
Subnetting Example In the event that you need to split a network into more than one range, such as having different buildings or floors, you will need to subdivide the network. The following example will step you through the process of splitting a network and creating the subnet mask necessary to support the resulting subnetworks. Let’s say you have been assigned the 10.0.0.0 network with the 255.0.0.0 subnet mask, and need to break this up into 12 network ranges to support, for example, the 12 major departments in your corporate building. Here’s what you should do: 1. Determine how many bits, in binary, it takes to make up the number of subnetworks you need to create. In binary, 12 is 1100, so you will need 4 bits. 2.
Take 4 bits from the host side of the subnet mask and, AND them to the network side, effectively changing your subnet mask from 255.0.0.0 to 255. 240.0.0. •
As you know, the subnet mask tells you where the dividing line between network and host bits reside. You started with a network ID of 10.0.0.0 and subnet mask of 255.0.0.0, which in binary looks like this: 00001010.00000000.00000000.00000000 (IP address for network) 11111111.00000000.00000000.00000000 (subnet mask)
•
40
Tactical Perimeter Defense
Your dividing line is at the end of the first octet (eight bits starting from the left). You have one big network with a network ID of 10.0.0.0, a
range of usable addresses from: 10.0.0.1 to 10.255.255.254, and a broadcast address of 10.255.255.255. •
The new, divided network looks like this: 00001010.0000 0000.00000000.00000000 (IP address for network) 11111111.1111 0000.00000000.00000000 (subnet mask)
•
3.
Notice that the network/host dividing line is now in the middle of the second octet. All of your networks will have binary addresses that will look like this: 00001010.xxxx yyyy.yyyyyyyy.yyyyyyyy, where x represents one of the variable bits used to create your subnetworks and y represents a bit on the host side of the address.
Determine the subnetwork addresses by changing the value of the x bits. The first possible permutation is the 00001010.0000 network; the second is the 00001010.0001 network, and so forth. The following table lists all of the possible subnetwork addresses (notice the pattern?). Subnetwork
Binary Address
Decimal Address
First Second Third Fourth Fifth Sixth Seventh Eighth Ninth Tenth Eleventh Twelfth Thirteenth Fourteenth Fifteenth Sixteenth
00001010.0000 0000.00000000.00000000 00001010.0001 0000.00000000.00000000 00001010.0010 0000.00000000.00000000 00001010.0011 0000.00000000.00000000 00001010.0100 0000.00000000.00000000 00001010.0101 0000.00000000.00000000 00001010.0110 0000.00000000.00000000 00001010.0111 0000.00000000.00000000 00001010.1000 0000.00000000.00000000 00001010.1001 0000.00000000.00000000 00001010.1010 0000.00000000.00000000 00001010.1011 0000.00000000.00000000 00001010.1100 0000.00000000.00000000 00001010.1101 0000.00000000.00000000 00001010.1110 0000.00000000.00000000 00001010.1111 0000.00000000.00000000
10.0.0.0 10.16.0.0 10.32.0.0 10.48.0.0 10.64.0.0 10.80.0.0 10.96.0.0 10.112.0.0 10.128.0.0 10.144.0.0 10.160.0.0 10.176.0.0 10.192.0.0 10.208.0.0 10.224.0.0 10.240.0.0
For the first network, the network ID is 10.0.0.0 with a subnet mask of 255.240. 0.0. The first usable address is 10.0.0.1, and the last usable address is 10.15.255. 254. The broadcast address is 10.15.255.255 (the next possible IP address would be 10.16.0.0, which is the network ID of the second network). The second network has an ID of 10.16.0.0, a usable range of 10.16.0.1 to 10.16.255.254, and a broadcast address of 10.16.255.255. Notice that you needed only 12 networks, but you have 16. That can happen, depending on the number of networks needed. For example, if you had needed 20 networks, you would have needed to move the network/host dividing line over 5 bits to the right (20 in binary is 10100, so 5 bits must be used). In that case, you would have had a subnet mask of 255.248.0.0 (instead of the 255.240.0.0 that you used for the first example), which would have given you 32 subnetworks, even though you needed only 20. Consider it room for corporate growth!
Lesson 2: Advanced TCP/IP
41
Note that any combination of addressing can be represented in different text. For example, you may come across a resource that defines the IP address in decimal, and the subnet mask in hexadecimal. You must be able to quickly recognize the addressing as defined. Use the following task to test your ability to quickly perform these conversions.
TASK 2A-1 Layering and Address Conversions 1.
Describe how layering is beneficial to the function of networking. By using a layered model, network communications can be broken into smaller chunks. These smaller chunks can each have a specific purpose, or function, and in the event an error happens in one chunk, it is possible that only that error be addressed, instead of starting over from scratch.
2.
If you have an IP address of 192.168.10.1 and a subnet mask of FF-FF00-00, to which IP network does your computer belong? Provide both decimal and Hex notations. In decimal, the network address is 192.168.0.0; in Hex, the network address is C0-A8-00-00.
3.
If you have an IP address of C0-A8-0A-01 and a subnet mask of /16, to which IP network does your computer belong? Provide both decimal and Hex notations. In decimal, the network address is 192.168.0.0; in Hex the network address is C0-A8-00-00.
Routing You will get into routing in more detail later, but at this stage, you will address the basics. Being familiar with a network and how one host will communicate with another host within the same network, what do you think will happen if a host needs to send information to a host that is not in its network?
router: An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the Network Layer.
42
Tactical Perimeter Defense
This is exactly the situation where routing is needed. You need to route that information from your network to the receiving host’s network. Of course, the device that makes this possible is the router. The first router you will encounter on your way out of your network is the default gateway. This is the device that your computer will send all traffic to, once it determines that the destination host is not local (on the same network as itself). After the default gateway gets a packet of information destined for host User1 on network X, it looks at its routing table (think of this as a sort of directory—telling the router that traffic destined for networks C, G, F, and X should go out interface 1, traffic destined for networks E, A, B, and R should go out interface 2, and so forth), then the router forwards the packet out through interface 1. The destination network may or may not be attached to interface 1—the router doesn’t really care at this point—it just forwards the packet on according to the information in its routing table. This process
repeats from one router to the next until the packet finally reaches the router that is attached to the same network as the destination host. When the packet reaches this router, which is usually also the destination host’s default gateway, it is sent out on the network as a unicast directed to the destination host User1.
VLSM and CIDR The standard methods of subnet masking discussed earlier are effective; however, there are instances where further subdividing is required, or more control of the addressing of the network is desired. In these cases, you can use either of the following two options: Variable Length Subnet Masking (VLSM) or Classless Interdomain Routing (CIDR). Think back to the previous example of subnet masking. In particular, let’s take a closer look at the fourth network. It was intended to be used by the IT staff; however, they want to break the rather large network block given to them into smaller, more manageable blocks. Specifically, they need five smaller subnetworks to be created from their network block of 10.48.0.0 with a subnet mask of 255.240.0.0. This time, let’s represent the IP addresses and subnet masks using the slash method: 10.48.0.0/12. Notice the IP address stays the same, but we replace the subnet mask with /12 to tell others that the subnet mask has 12 1s in it (which, of course, corresponds to 255.240.0.0). Now, back to the IT staff’s networking issue. You have an already subnetted network (10.48.0.0/12) that you would like to split into five smaller networks. To begin, you need to ask the same starting question: How many bits does it take to make 5? In binary, 5 is 101, so you will need three bits. Then, add three bits to the present subnet mask (don’t worry that it has already been subnetted before— that doesn’t matter). So, now you have 10.48.0.0/15 as your first network address and new subnet mask. The new variable range is 00001010.0011xxx y.yyyyyyyy.yyyyyyyy, where the binary numbers will not change, x represents the variable bits that will make up the networks, and y designates the host bits. So, what are the new network addresses? Subnetwork
Binary Address
Decimal Address
First Second Third Fourth Fifth Sixth Seventh Eighth
00001010.0011000 0.00000000.00000000 00001010.0011001 0.00000000.00000000 00001010.0011010 0.00000000.00000000 00001010.0011011 0.00000000.00000000 00001010.0011100 0.00000000.00000000 00001010.0011101 0.00000000.00000000 00001010.0011110 0.00000000.00000000 00001010.0011111 0.00000000.00000000
10.48.0.0 10.50.0.0 10.52.0.0 10.54.0.0 10.56.0.0 10.58.0.0 10.60.0.0 10.62.0.0
Lesson 2: Advanced TCP/IP
43
For the first network, the network ID is 10.48.0.0, the usable addresses are 10.48. 0.1 to 10.49.255.254, and the broadcast address is 10.49.255.255; for the second, the network ID is 10.50.0.0, the usable addresses are 10.50.0.1 to 10.51.255.254, and the broadcast address is 10.51.255.255, and so forth. Did you notice that you have eight possible networks when you needed only five? Again, you can consider it just having more room for expansion.
X-casting When a packet is sent from one host to another, the process of routing functions and the packet is sent as defined. However, the process is different if one host is trying to reach more than one destination, or if one message is to be received by every other host in the network. These types of communication are referred to as broadcasting, multicasting, and unicasting. •
Unicast is a term that was created after multicasting and broadcasting were already defined. A unicast is a directed communication between a single transmitter and a single receiver. This is how most communication between two hosts happens, with Host A specifically communicating with Host B.
•
A broadcast is a communication that is sent out from a single transmitting host and is destined for all possible receivers on a segment (generally, everyone in the network, since the routers that direct traffic from one network to another are generally used to stop broadcasts, thereby creating broadcast domain boundaries). Broadcasting can be done for many reasons, such as locating another host. For a MAC broadcast, the broadcast address used is FF:FF:FF:FF:FF:FF. For an IP broadcast, the address used is based on the network settings. For example, if you are on network 192.168.10.0/24, the broadcast address is 192.168.10.255.
•
A multicast is a communication that is sent out to a group of receivers on the network. Multicasting is often implemented as a means for directing traffic from the presenter of a video conference to the audience. In comparison to the broadcast, which all receivers on the segment will receive, those who wish to receive a multicast must join a group to do so. Group membership is often very dynamic and controlled by a user or an application. Currently, Class D addresses are used for multicasting purposes. Remember, Class D has IP addresses in the range of 224.0.0.0 to 239.255.255.255.
TASK 2A-2 Routers and Subnetting 1.
You are using a host that has an IP address of 192.168.10.23 and a subnet mask of 255.255.255.0. You are trying to reach a host with the IP address 192.168.11.23. Will you need to go through a router? Explain your response. Yes, you will need to go through a router. Your subnet mask defines you as belonging to network 192.168.10.0, and the remote host you are trying to reach does not belong to your network.
2.
44
Tactical Perimeter Defense
Boot your computer to Windows Server 2003, and log on as Administrator, with a blank (null) password.
3.
Choose Start→Settings→Network Connections. Right-click the network interface and choose Properties.
4.
Select Internet Protocol (TCP/IP) and click Properties.
5.
Click the Advanced button, and verify that the IP Settings tab is displayed.
Be prepared to diagram or otherwise explain the classroom setup.
Under Default Gateways, record the IP address here: For the LEFT side of the classroom, the Default Gateway is 172.16.0.1. For the RIGHT side, it is 172.18.0.1. 6.
Select the Default Gateway IP address you just recorded, and click Remove. Click OK twice and click Close twice.
7.
Open a command prompt and ping an address that is not on your local network. For instance, if you are on the LEFT side of the classroom, you could ping an address in the 172.18.10.0 network, and if you are on the RIGHT side of the classroom, you could ping an address in the 172.16.10.0 network.
8.
Observe the message you receive. The text “Destination Host unreachable” is displayed. Your computer knows that the ping packet is supposed to go to a computer that is outside your local network but it does not know how to get it there.
9.
Switch to the Network Connections Control Panel and display the properties of the network interface.
The recommended classroom layout is shown in the figure in the setup.
10. Select Internet Protocol (TCP/IP), click Properties, and then click Advanced. On the IP Settings tab, click the Add button found in the Default Gateway area. 11. In the TCP/IP Gateway Address box, enter the IP address you recorded earlier in the task and click Add. Click OK twice and click Close twice. 12. Switch back to the command prompt and try to ping the remote address again. 13. Observe the message you receive. This time, as long as the other computer’s default gateway is correctly configured, you should be successful in pinging the remote computer. This is because your computer now knows to send traffic to the router if that traffic is destined for another network. (How the routers know where to send the traffic is covered later in the course.) Contact your instructor if your ping attempt is not successful. 14. Close all open windows.
Students must be able to ping all computers within the classroom for the remaining tasks to work properly. If any students are not successful in the second ping attempt, help them troubleshoot the issue.
Lesson 2: Advanced TCP/IP
45
Topic 2B Analyzing the Three-way Handshake
security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.
Although a great deal of emphasis is given to IP due to the addressing and masking issues, TCP deserves equal attention from the security professional. In addition to TCP, the other protocol that functions as a transport protocol is UDP. This topic will concentrate on TCP; however, a brief discussion on UDP is warranted. The following table provides a brief comparison of the two protocols. Comparing TCP and UDP TCP
UDP
Connection-oriented Slower communications Considered reliable Transport Layer
Connectionless Faster communications Considered unreliable Transport Layer
TCP provides a connection-oriented means of communication, whereas UDP provides connectionless communication. The connection-oriented function of TCP means it can ensure reliable transmission, and can recover if transmission errors occur. The connectionless function of UDP means that packets are sent with the understanding they will make it to the other host, with no means of ensuring the reliability of the transmission. UDP is considered faster because less work is done between the two hosts that are communicating. Host 1 simply sends a packet to the address of host 2. There is nothing built into UDP to provide for host 1 checking to see if host 2 received the packet, or for host 2 sending a message back to host 1, acknowledging receipt. TCP provides the functions of connection-oriented communication by using features such as the three-way handshake, acknowledgements, and sequence numbers. In addition to these features, a significant part of TCP is the use of control flags. There are six TCP control flags in a TCP header, each with a specific meaning.
46
Tactical Perimeter Defense
TCP Flags The TCP flags are: SYN, ACK, FIN, RESET, PUSH, and URGENT. These flags may also be identified as S, ack, F, R, P, and urg. Each of these flags occupies the space of one bit in the header, and if they are assigned a value of 1, they are considered on. The function of each flag is identified as follows: • The SYN, or S, flag represents the first part of establishing a connection. The synchronizing of communication will generally be in the first packet of communication. •
The ACK, or ack, flag represents acknowledgement of receipt of data from the sending host. This is sent during the second part of establishing a connection, in response to the sending host’s SYN request.
•
The FIN, or F, flag represents the sender’s intentions of terminating the communication in what is known as a graceful manner.
•
The RESET, or R, flag represents the sender’s intentions to reset the communication.
•
The PUSH, or P, flag is used when the sending host requires data to be pushed directly to the receiving application, and not fill in a buffer.
•
The URGENT, or urg, flag represents that this data should take precedence over other data transmissions.
Sequence and Acknowledgement Numbers In addition to the TCP flags, another critical issue of TCP is that of numbers: sequence and acknowledgement numbers, to be specific. Because TCP has been defined as a reliable protocol that has the ability to provide for connectionoriented communication, there must be a mechanism to provide these features. Sequence and acknowledgement numbers are what provide this.
Sequence Numbers The sequence number is found in the TCP header of each TCP packet and is a 32-bit value. These numbers allow the two hosts a common ground for communication, and allow for the hosts to identify packets sent and received. If a large web page requires several TCP packets for transmission, sequence numbers are used by the receiving host to reassemble the packets in the proper order and provide the full web page for viewing. When a host sends the request to initiate a new connection, an Initial Sequence Number (ISN) must be chosen. There are different algorithms by different vendors for the choosing of an ISN; however, RFC 793 states that the ISN is to be a 32-bit number that increments by one every 4 microseconds.
Acknowledgement Numbers The acknowledgement number is also found in the TCP header of each TCP packet, and is also a 32-bit value. These numbers allow the two hosts to be given a receipt of data delivery. An acknowledgement number is in the packet header in response to a sequence number in the sending packet. In the event that the sending host does not receive an acknowledgement for a transmitted packet in the defined timeframe, the sender will retransmit the packet. This is how TCP provides reliable delivery. If a packet seems to have been lost, the sender will retransmit it.
Lesson 2: Advanced TCP/IP
47
Connections All communication in TCP/IP is done with connections between two hosts. Each connection is opened (or established), data is sent, and the connection is closed (or torn down). These connections have very specific rules they must follow. There are two different states of the open portion of this process: Passive Open and Active Open. •
Passive Open is when a running application tells TCP that it is ready to receive inbound requests via TCP. The application is assuming inbound requests are coming, and is prepared to serve those requests. This is also known as the listening state, as the application is listening for requests to communicate.
•
Active Open is when a running application tells TCP to start a communication session with a remote host (which is in Passive Open state). It is possible for two hosts in Active Open to begin communication. It is not a requirement that the remote host be in Passive Open, but that is the most common scenario.
Connection Establishment In order for the sequence and acknowledgement numbers to have any function, a session between the two hosts must be established. This connection establishment is called the three-way handshake. The three-way handshake involves three distinct steps, which are detailed as follows (please refer to Figure 2-5 when reading this section): 1. Host A sends a segment to Host C with the following: SYN = 1 (The session is being synchronized.) ACK = 0 (There is no value in the ACK field, so this flag is a 0.) Sequence Number = x, where x is a variable. (x is Host A’s ISN.) Acknowledgement Number = 0 2.
Host C receives Host A’s segment and responds to Host A with the following: SYN = 1 (The session is still being synchronized.) ACK = 1 (The acknowledgement flag is now set, as there is an ack value in this segment.) Sequence Number = y, where y is a variable. (y is Host C’s ISN.) Acknowledgement Number = x + 1 (The sequence number from Host A, plus 1.)
3.
Host A receives Host C’s segment and responds to Host C with the following: SYN = 0 (Session is synchronized with this segment; further requests are not needed.) ACK = 1 (The ack flag is set in response to the SYN from the previous segment.) Sequence Number = x + 1 (This is the next sequence number in series.) Acknowledgement Number = y + 1 (The sequence number from Host C, plus 1.)
At this point, the hosts are synchronized and the session is established in both directions, with data transfer to follow. 48
Tactical Perimeter Defense
Figure 2-5: The three-way handshake.
Connection Termination In addition to specific steps that are involved in the establishment of a session between two hosts, there are equally specific steps in the termination of the session. There are two methods of ending a session using TCP. One is considered graceful, and the other is non-graceful. A graceful shutdown happens when one host sends a message (using the FIN flag) to the other, stating it is time to end the session; the other acknowledges; and they both end the session. A non-graceful shutdown happens when one host simply sends a message (using the RESET flag) to the other, indicating the communication has stopped, with no acknowledgements and no further messages sent. In this section, we will investigate the details of the standard graceful termination. As you saw earlier, it requires three segments to establish a TCP session between two hosts. The other side of the session, the graceful termination, requires four segments. Four segments are required because TCP is a full-duplex communication protocol (meaning data can be flowing in both directions independently). As per the specifications of TCP, either end of a communication can end the session by sending a FIN, which has a sequence number just as a SYN has a sequence number. Similar to the Active and Passive Opens mentioned earlier, there are also Active and Passive Closes. The host that begins the termination sequence, by sending the first FIN, is the host performing the Active Close. The host that receives the first FIN is the host that is performing the Passive Close. The graceful teardown of a session is detailed as follows (please refer to Figure 2-6 when reading this section): 1. Host A initiates the session termination to Host C with the following: FIN = 1 (The session is being terminated.) ACK = 1 (There is an ack number, based on current communication.) Sequence Number (FIN number) = s (s is a variable based on the current communication.) Acknowledgement Number = p (p is a variable based on the current communication.) 2.
Host C receives Host A’s segment and replies with the following: FIN = 0 (This segment is not requesting closure of the session.) ACK = 1 (This segment does contain an ack number.) Sequence Number = Not Present (As there is no FIN, there is no sequence number required.) Lesson 2: Advanced TCP/IP
49
Acknowledgement Number = s + 1 (This is the response to Host A’s FIN.) 3.
Host C initiates the session termination in the opposite direction with the following: FIN = 1 (The session is being terminated.) ACK = 1 (There is an ack number.) Sequence Number = p (p is a variable based on the current communication.) Acknowledgement Number = s + 1 (This is the same as in the previous segment.)
4.
Host A receives the segments from Host C and replies with the following: FIN = 0 (This segment does not request a termination, there is no SYN.) ACK = 1 (This segment does contain an ack number.) Sequence Number = Not Present Acknowledgement Number = p + 1 (This is Host C’s sequence number, plus 1.)
At this point the session has been terminated. Communication in both directions has had a FIN requested and an acknowledgement to the FIN, closing the session.
Figure 2-6: Connection termination.
Ports You have been introduced to the fact that IP deals with addressing and the sending/receiving of data between two hosts, and you have been introduced to the fact that TCP can be selected to provide reliable delivery of data. However, if a client sends a request to a server that is running many services, such as WWW, NNTP, SMTP, and FTP, how does the server know which application is supposed to receive the request? The answer is by specifying ports.
50
Tactical Perimeter Defense
Port numbers are located in the TCP or UDP header, and they are 16-bit values, ranging from 0 to 65535. Port numbers can be assigned to specific functions or applications. Ports can also be left open for dynamic use by two hosts during communication. There are ranges of ports for each function. There are three main categories of ports: well-known, registered, and dynamic. •
The well-known ports (also called reserved ports by some) are those in the range of 0 to 1023. These port numbers are assigned to specific applications and need to remain constant for the primary services of the Internet to continue to provide the flexibility and usefulness it does today. For example, the WWW service is port 80, the Telnet service is port 23, the SMTP service is port 25, and so on. The well-known port list is maintained by the Internet Assigned Numbers Authority (IANA), and can be found here: www.iana.org/assignments/port-numbers.
•
Registered ports are those in the range of 1024 to 49151. These port numbers can be registered to a specific function, but are not defined or controlled by a governing body, so multiple functions could end up using the same port.
•
Dynamic ports (also called private ports) are those from 49152 to 65535. Any user of the Internet can use dynamic ports.
When a client connects to a server and requests a resource, that client also requires a port. The client ports (also called ephemeral ports by some) are used by a client during one specific connection; each subsequent connection will use a different port number. These ports are not assigned to any default service, and are usually a number greater than 1023. There is no defined range for client ports; they can cover the numbers of both the registered and dynamic port ranges. When a client begins a session by requesting a service from a server, such as the WWW service on port 80, the client uses an ephemeral port on the client side. This enables the server to respond to the client. Data is then exchanged between the two hosts using the port numbers established for that session: 80 on the server side, and a dynamic number greater than 1023 on the client side. The combination of the IP address and port is often referred to as a socket, and the two hosts together are using a socket pair to communicate for this session. The following table lists some of the well-known ports and their associated services. Some Well-known Ports and their Services Port
Service
23 80 443 20 and 21 53 25 119
Telnet HTTP (Standard web pages) Secure HTTP (Secure web pages) FTP (Data and control) DNS SMTP NNTP
Lesson 2: Advanced TCP/IP
51
In addition to known valid services, such as those listed previously, there are many Trojan Horse programs that use specific ports (although the port can usually be changed). Trojan Horse: An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.
Ports Associated with Trojan Horses Port Number
Name of Trojan Horse
12345 1243 27374 31337 54320 (TCP) 54321 (UDP)
NetBus Sub Seven Sub Seven 2.1 Back Orifice Back Orifice 2000 (BO2K) Back Orifice 2000 (BO2K)
Network Monitor There is a very valuable tool available with Windows called Network Monitor. This tool allows for full packet capture and lets the analyst (you) peer into the packet’s contents, examining both the payload, or data, and the headers, in detail. You can see any set flags’s defined sequence and acknowledgement numbers, packet size, and more. The following is a discussion on the use of Network Monitor, provided as background for you to be able to perform the tasks in this lesson. Some of the things you can do with Network Monitor are: •
Monitor real-time network traffic.
•
Analyze network traffic.
•
Filter specific protocols to capture.
In this lesson, you will be focusing on the capture and analysis of IP packets, and on the details of the protocol suite.
52
Tactical Perimeter Defense
Figure 2-7: The default view of Network Monitor, showing the various panes. In Figure 2-7, you can see the default view of Network Monitor. In this view, the screen is split into several sections. The top bar is the standard menu bar found in Microsoft programs. The basic functions on the toolbar that you will use in this lesson are contained in the File and Capture menus. • The File menu contains three commands: Open, Save As, and Exit.
•
—
Choose Open to open a previously saved Network Monitor capture.
—
Choose Save As to save a Network Monitor capture.
—
Choose Exit to exit.
The Capture menu has more commands: Start, Stop, Stop And View, Pause, and Continue. —
The Start, Pause, and Continue commands are self-explanatory.
—
The difference between Stop and Stop And View is that the Stop command ends the capture. The Stop And View command ends the capture and switches Network Monitor to its next mode, Display View.
The other sections of the Capture View are panes (windows in a window) called Graph, Session Stats, Station Stats, and Total Stats. • The Graph pane provides five bars that measure percentages of pre-defined metrics. —
The top graph indicates the percentage (%) of network utilization, meaning how much the network is being used.
—
The second graph indicates the number of frames per second, meaning frames transmitted per second over the network.
—
The third graph indicates the number of bytes per second that are transmitted over the network. Lesson 2: Advanced TCP/IP
53
—
The fourth graph indicates the number of broadcasts per second that are transmitted over the network.
—
The fifth graph indicates the number of multicasts per second that are transmitted over the network. While a capture is running, these graphs work in real time, providing current data.
•
The next pane is the Session Stats pane. In this pane, you can see the sessions that are taking place during the capture.
•
Following the Session Stats is the Station Stats pane. In this pane, you can see statistics per interface on the host, per broadcast, per multicast, and more.
•
The final pane in this view is the Total Stats pane. The Total Stats pane is subdivided into sections: Network Statistics, Captured Statistics, Per Second Statistics, Network Card (MAC) Statistics, and Network Card (MAC) Error Statistics. From this pane, you can identify frames, broadcasts, multicasts, network utilization, errors, and more, all in real time during the capture.
Displaying Captures After you have captured network traffic, you can begin your analysis, which requires a different view of Network Monitor. You will need to use the Display View. You can switch to the Display View by either using the Capture→Stop And View command or by using the Display Captured Data command after a capture session has been stopped.
Figure 2-8: The Summary View of Network Monitor. When you first open the Summary View, as shown in Figure 2-8, you will see a timeline of packets captured. By double-clicking any packet that was captured, you can look into its details and bring up the next view of Network Monitor. Once you have selected a packet, Network Monitor displays three panes for presenting information to you. 54
Tactical Perimeter Defense
Figure 2-9: The details of a packet in Network Monitor. The top pane shown in Figure 2-9 is the Summary pane. This pane provides the basic details of a packet, such as: • Frame number •
Time the packet was captured
•
Destination and source MAC addresses
•
Protocol used
•
Destination and source IP addresses
The middle pane shown in Figure 2-9 is the Detail pane. This pane provides the actual details of the protocol for the selected packet. Any line that has a plus sign next to it can be expanded for further detail. The bottom pane in Figure 2-9 is the Hex pane. This pane provides the actual Hex value for the raw data that each frame is comprised of. When you select something in the Detail pane, it is highlighted in the Hex pane for comparison. Also, in this pane, the ASCII characters are visible. In the event that cleartext is captured, this is where it will be readable.
Network Monitor Filters Because Network Monitor has the ability to capture all network traffic, it would be very easy to capture too much information and have difficulty in finding what you were looking for. This is where filtering comes into play. There are two types of filters available in Network Monitor: capture filters and display filters. For example, if you wanted to capture only TCP messages, you could create a capture filter so that only TCP messages are captured. If you wanted to view only ICMP messages, you could create a display filter so that all you see are ICMP messages. Figure 2-10 and Figure 2-11 show the dialog boxes used for each filter type.
Lesson 2: Advanced TCP/IP
55
To create or use filters, choose Capture→Filter. Using filters not only makes it easier for you, as an analyst, to find what you are looking for, but they allow for the buffer that stores the capture to not be filled with useless information.
Figure 2-10: Network Monitor’s Capture Filter dialog box. Figure 2-11 shows the Display Filter dialog box.
Figure 2-11: Network Monitor’s Display Filter dialog box.
56
Tactical Perimeter Defense
When using filtering, you will likely use either protocol or address filtering. With protocol filtering, you identify a specific protocol to work with. With address filtering, you again define the specific address to filter. Filters can be implemented in different directions, either traffic into this host, outbound from this host, or in both directions. These options are implemented by selecting the appropriate arrow (one of these three: --->, ---<, or <-->) for the function you want to perform.
TASK 2B-1 Using Network Monitor 1.
Open a command prompt, and enter ipconfig /all If you are on the LEFT side of the classroom, your IP addresses will be 172. 16.10.x. If you are on the RIGHT side of the classroom, your IP addresses will be 172.18.10.x.
2.
Record the MAC and IP address for the network card in your computer. MAC address IP address
Each card will have a unique MAC address. Each card will have a unique IP address.
3.
Close the Command Prompt window.
4.
Open Network Monitor. (From the Start menu, choose All Programs→ Administrative Tools→Network Monitor.)
5.
If you see the Microsoft Network Monitor message box, click OK to display the Select A Network dialog box. Expand the + sign next to Local Computer, select the interface with the MAC address associated with the network interface you recorded in Step 2, and click OK.
6.
From the Capture menu, choose Start, or press F10 to start a capture.
7.
If you are on the LEFT side of the classroom, ping the IP address 172.16. 0.1. If you are on the RIGHT side of the classroom, ping the IP address 172.18.0.1. This will create network traffic for you to capture.
8.
Wait for 20 to 30 seconds. As you wait, watch the real time statistics change in the Network Monitor Capture window.
9.
Choose Capture→Stop And View. You should now see the Display View, including the timeline of the packets captured.
10. Double-click any packet to change to the Detail View. 11. Observe the structure of the three panes in this view, and expand any + signs displayed in the middle pane. 12. From the Display menu, choose Filter. 13. Highlight Protocol==Any, and click the Edit Expression button. Lesson 2: Advanced TCP/IP
57
14. With the Protocol tab selected, click the Disable All button. 15. Scroll down to ICMP, select ICMP, and click the Enable button. The Expression field at the top of the dialog box should now display Protocol == ICMP. Click OK. 16. Click OK to implement this filter on your capture. 17. Observe that only ICMP frames are visible in your window now. 18. From the File menu, choose Save As, and save the capture as First_ Capture.cap in the default location. 19. Close Network Monitor.
Wireshark Another product you can use to capture data is called Wireshark. (Wireshark was formerly known as Ethereal, with the name change taking place in 2006.) With Wireshark, data can be captured off the wire or read from a captured file. Data can also be saved to a file format that Microsoft Network Monitor can understand. Wireshark supports analysis on over 750 Data Link, Network, Transport, and Application layer protocols. Wireshark can be downloaded from www.wireshark.org
promiscuous mode: Normally an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.
58
Tactical Perimeter Defense
To perform promiscuous mode captures on a Windows machine, you have to first download and install the latest stable version of WinPcap; do not install any alpha or beta versions. WinPcap is the Windows equivalent of libpcap (LIBrary for Packet CAPtures) for Linux. It can be obtained from www.winpcap.org. In fact, you will use WinPcap later in the course, along with other tools such as windump, tcpdump, nmap, and snort.
TASK 2B-2 Installing and Starting Wireshark 1.
Choose Start→My Computer.
2.
Open C:\Tools\Lesson2.. Note: If you do not have a C:\Tools folder, please review the tools section of the Setup Guide.
3.
Double-click the WinPcap_4_0.exe file.
4.
In the WinPcap_4_0.exe Installer Welcome screen, click Next.
5.
In the WinPcap 4.0 Setup Wizard screen, click Next.
6.
Read the License Agreement, and click I Agree.
7.
To close the WinPcap install wizard, click Finish.
8.
Double click the Wireshark_setup-0.99.5.exe file.
9.
In the Wireshark Setup Wizard Welcome screen, click Next.
10. Read the License Agreement, and click I Agree. 11. Accept the Default Components (do not make any changes), and click Next. 12. Accept the Default Additional Tasks (do not make any changes), and click Next. 13. Accept the Default Destination Folder, and click Next. 14. You have already installed WinPcap, so do not check any boxes on the WinPcap screen, and click Install. 15. In the Installation Complete screen, click Next. 16. In the Completing The Wireshark 0.99.5 Setup Wizard, check the Run Wireshark0.99.5 check box and click Finish. 17. Leave Wireshark open for the following tasks.
Wireshark Overview When you first start Wireshark (formerly called Ethereal), you will see a GUI with three panes. The top pane lists the captured frames in sequence. When you highlight a frame, the middle pane provides protocol layer information about that frame, and the bottom pane shows the details of the frame in both Hex and ASCII values.
Figure 2-12: The Ethereal (Wireshark) GUI. Lesson 2: Advanced TCP/IP
59
At the top of the GUI there is a menu bar, with File, Edit, View, Go, Capture, Analyze, Statistics, and Help. Just above the top pane is a Filter button, a dropdown menu, an Expression button, a Clear button, and an Apply button. These buttons allow you to filter through the captured data, which as you will see, is a very important feature. When you wish to start a capture in Wireshark, you have several options. You can go to the Capture drop-down menu and select Start or you can simply press the third icon from the right in the icons listed just below the main menu bar. However, as this is the first time you are running Wireshark, you must define some options. A quick way to the option screen is to press Ctrl+K combination. When you do so, you will see a window that has many options, where you can make some specific selections, including the following: • The interface to capture packets from.
60
Tactical Perimeter Defense
•
The limit to the number of packets to capture (if any).
•
Whether you wish to capture packets in promiscuous mode or not.
•
Any filters you wish to use.
•
The file name for the capture file.
•
If you wish to view the packets onscreen in real time.
•
Parameters to define when the capture should stop.
•
Whether you wish to enable or disable name resolution at the Data Link, Network, and Transport layers.
Figure 2-13: Ethereal (Wireshark’s) Capture Options dialog box. When you click OK, capture will start on the selected network interface and you will see another pop-up informing you that. Wireshark will continue with the capture until you click the Stop button.
Figure 2-14: Ethereal (Wireshark) pop-up displaying capture information.
Lesson 2: Advanced TCP/IP
61
Once you have selected your options and clicked OK, the capture will start on the selected network interface, and you will see a pop-up window informing you of the capture in progress. Wireshark will continue with the capture until you press the Stop button or an option you configured tells the capture to stop.
Figure 2-15: The many Save As options in Ethereal (Wireshark). After you stop a capture, you can view and analyze the data for your current use. You when you are done and wish to save the file for future analysis, you have many options. Notice how many choices you have for saving a capture—you can save to Network Monitor’s format if you want. (Conversely, Wireshark will read a capture saved by any of the protocol analyzers in the list.) When you are done with capture and analysis and want to close the program, choose File→Quit or press Ctrl+Q.
TASK 2B-3 Using Wireshark Setup: Wireshark has been successfully installed and is running on your computer.
62
Tactical Perimeter Defense
1.
From the menu options, choose Capture→Options.
2.
In the Interface drop-down list, select you local area network adapter.
3.
Notice that when you select your adapter, directly below the word Interface, the program has listed your LAN address.
4.
Make sure that the Capture Packets In Promiscuous Mode check box is checked.
5.
Under Display Options, check the Update List Of Packets In Real Time check box.
6.
Click the Start button and open a command prompt.
7.
Ping your Default Gateway IP Address.
8.
When the ping has completed, close the command prompt, return to Wireshark, and choose Capture→Stop.
9.
Double-click any frame where your computer is the Source and the Destination is the Default Gateway IP Address you just pinged. The protocol will be listed as ICMP.
10. Expand and view the frame details. 11. Note that you can analyze data in a similar fashion as in Network Monitor. 12. Once you are done with this initial look at Wireshark, close the application. 13. Click the Continue Without Saving button.
TCP Connections Earlier, you were introduced to the function and the process of control flags, the three-way handshake, and the session teardown. In this section, you are going to use Network Monitor to view the three-way handshake, packet by packet, and to view the teardown, packet by packet. Remember, the three-way handshake is used by two hosts when they are creating a session. The first host begins by sending out a packet with the SYN flag set, and no other flags. The second packet is a response with both the SYN and ACK flags set. The third part of the session establishment will have the ACK flag set.
TASK 2B-4 Analyzing the Three-way Handshake 1.
Choose Start→Administrative Tools→Services.
2.
Right-click Telnet and choose Properties.
3.
In the Startup type drop-down menu, select manual.
4.
Click Apply.
5.
Click the Start button.
6.
Click OK.
Lesson 2: Advanced TCP/IP
63
7.
Close the Services window.
8.
Open Network Monitor, and start a capture.
9.
At a command prompt: If you are on the LEFT side of the classroom, enter telnet 172.16.0.1 If you are on the RIGHT side of the classroom, enter telnet 172.18.0.1 Enter y, at the Login type anonymous press Enter, and at the Password prompt, press Enter.
10. Press Enter repeatedly or a bad password until your connection to the host is lost. Your screen may resemble the following graphic.
Minimize the command prompt window. 11. Switch back to Network Monitor, and choose Capture→Stop And View. 12. In the Summary pane, identify the frames that are involved in the threeway handshake. 13. Once you have identified the frames that are part of the three-way handshake, based on the discussion, look for the following: a.
In the first frame, what are the SEQ number, ACK number, and flags?
b.
In the second frame, what are the SEQ number, ACK number, and flags?
c.
In the third frame, what are the SEQ number, ACK number, and flags?
14. Expand each of the three frames in the handshake, and examine them in greater detail in the Detail pane. 15. Using the Hex pane, identify the value for the flags that are set for each frame of the three-way handshake. 16. Leave Network Monitor open, along with this capture, for the next task.
The Session Teardown Process Previously, you examined the session teardown process. Here, you will examine the details of the session teardown. Remember, there are four parts of session teardown. 64
Tactical Perimeter Defense
TASK 2B-5 Analyzing the Session Teardown Process Setup: Network Monitor is running, and the last capture you performed is displayed. 1.
In the Summary pane, identify the frames that are involved in the session teardown.
2.
Once you have identified the frames, examine them in greater detail in the Detail pane.
3.
In each frame, identify at least the following: a. Flags that are set. b.
Sequence number.
c.
Acknowledgement number.
4.
Save the capture as TCP_Connections.cap and close the capture.
5.
Minimize Network Monitor.
Topic 2C Capturing and Identifying IP Datagrams Along with TCP, the protocol you will spend the most time analyzing will be IP. This protocol is the one that does the most work of the entire TCP/IP suite. In Figure 2-16, you can see the actual format of the IP datagram. There are seven rows of information in the figure, with the critical rows being the first five. When a computer receives an IP datagram, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on. To work with IP further, refer to RFC 791.
Lesson 2: Advanced TCP/IP
65
Figure 2-16: An IP datagram with all fields shown. Using Figure 2-16, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the IP header. • Starting on Row One, on the left side is a field called Version. This is a 4-bit field that defines the version of IP that is currently running. Right now, this will likely be a value of 4, as that is the current industry standard—IPv4, or IP version 4. Some instances may be using IP version 6, or IPv6, which you will examine later in the course.
66
Tactical Perimeter Defense
•
Moving to the right of the Version is a field called Header Length (IHL). This is a 4-bit field that defines the number of 32-bit words in the header itself, including options. In most captures, this value will be 5, for no options set, the normal value.
•
Continuing to the right of Header Length is a field called Type Of Service. This is an 8-bit field that defines the quality of service for this packet. Different applications may require different needs of available bandwidth, and Type Of Service is one way of addressing those needs.
•
The last field on Row One is the field called Total Length. This is a 16-bit field that defines the length of the entire IP datagram in bytes.
•
Starting on Row Two, on the left side is a field called Identification. This is a 16-bit field that defines each datagram sent by the host. The standard for this field is for the identification value to increment by one for every datagram sent.
•
Following the Identification field is a field called Flags. Not to be confused with the flags of TCP, which you have seen, this is a 3-bit field that is used in conjunction with fragmentation. The first of the three bits is to be set at 0,
as a default. The next bit is known as the DF bit, or Don’t Fragment. The third bit is known as the MF bit, or More Fragment. •
The last field on Row Two is a field called Fragment Offset. This is a 13-bit field that is used to define where in the datagram this fragment belongs. (If there is fragmentation, the first fragment will have an offset of 0.)
•
Starting on Row Three, on the left side, is a field called Time To Live. This is an 8-bit field that is used to define the maximum amount of time this datagram may be allowed to exist in the network. The TTL is created by the sender and lowers by 1 for every router that the datagram crosses. If the TTL reaches 0, the packet is to be discarded.
•
Moving to the right is a field called Protocol. This is an 8-bit field that is used to define the upper-layer protocol that is in use for this datagram. There are many unique protocol numbers, and if you wish to study all of the numbers, please refer to RFC 790. However, the following list identifies several important Protocol ID numbers:
•
—
Protocol ID Number 1: ICMP
—
Protocol ID Number 6: TCP
—
Protocol ID Number 17: UDP
The final field on Row Three is a field called Header Checksum. This is a 16-bit field that is used to provide a check on the IP header only; this is not a checksum for any data following the header. This checksum provides integrity for the header itself.
•
The Fourth Row is a single field, the Source IP Address. This field is a 32-bit value that identifies the IP address of the source host of this packet.
•
The Fifth Row is also a single field, the Destination IP Address. This field is a 32-bit value that identifies the IP address of the destination host for this packet.
•
The Sixth Row contains any options that may be present. This is a variable, with no absolute fixed size to the options. Some of the options that may be in this field are those that are related to routing or timekeeping. If options are used, there will be padding added so this field equals 32 bits in size.
•
The Seventh and final Row is the representation of the data. By this point, the header is complete and the data the user wishes to send or receive is stored in the packet.
integrity: Assuring information will not be accidentally or maliciously altered or destroyed.
TASK 2C-1 Capturing and Identifying IP Datagrams Setup: You are logged on to Windows Server 2003 as Administrator. A command prompt and Network Monitor are running. 1.
In Network Monitor, start a new capture, and leave the capture running.
2.
Open a command prompt and enter ftp ip_address where ip_address is the address of a neighbor computer.
Lesson 2: Advanced TCP/IP
67
3.
At this time, the connection will not be successful, type bye and close the command prompt.
4.
Return to Network Monitor and choose Capture→Stop And View.
5.
Observe the Protocol column. Apply a filter to only show TCP. For the specific steps, see Task 2B-1, step 12 through step 16. Click any of the frames and observe that the TCP control bits includes FTP.
6.
Examine the IP header, compared to the discussion. Look for the following: a. Version Number.
7.
b.
Time To Live.
c.
Protocol ID.
d.
Source Address.
e.
Destination Address.
Once you are done examining the IP header, save the capture as IP_Header.cap and close the capture file.
Topic 2D Capturing and Identifying ICMP Messages When you are analyzing protocols, it should become immediately apparent that there are differences between ICMP and the other protocols discussed in this lesson. There is a similar concept in that the ICMP message is encapsulated in the IP datagram, just as you saw with TCP and UDP. In Figure 2-17, you can see the actual format of the ICMP message. There are only two rows of information shown in the figure. To work with ICMP further, refer to RFC 792.
Figure 2-17: An ICMP message with all fields shown.
68
Tactical Perimeter Defense
Using Figure 2-17, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze an ICMP message. • Starting on Row One, on the left side, the first field is called Type. This is an 8-bit value that identifies the specific ICMP message. For example, a Type could be 3, which is a type of unreachable message. •
Following Type on Row One is a field called Code. This is an 8-bit value that works in conjunction with Type to define the specific details of the ICMP message. For example, using Type 3, the Code could be 1, which is destination host unreachable.
•
Moving along on Row One, the final field is called Checksum. This is a 16-bit value that checks the integrity of the entire ICMP message.
•
The Second Row has no fixed fields. Depending on the Type and Code of the ICMP message, this field may contain many things. One example of what may go in this field is the time stamping of messages.
TASK 2D-1 Capturing and Identifying ICMP Messages Setup: You are logged on to Windows Server 2003 as Administrator. A command prompt and Network Monitor are running. 1.
Begin a new capture.
2.
Switch to the command prompt, and ping a valid IP address of another host in your subnet. Wait for the ping to finish, and then minimize the command prompt.
3.
In Network Monitor, stop and view the capture.
4.
Scroll down the packets captured to identify ICMP messages, or create an ICMP filter.
5.
Analyze the captured frames to identify the ping process between your computer and the host you pinged.
6.
Compare the messages to the discussion, looking for the following: a. Source IP Address. b.
Destination IP Address.
c.
Type.
d.
Code.
e.
Payload for ping.
7.
Save this capture as Valid_Ping.cap and close it. You are going to run another capture.
8.
Begin a new capture.
Lesson 2: Advanced TCP/IP
69
9.
Switch to the command prompt, ping a known invalid IP address for your network, wait for the ping to finish, and minimize the command prompt. For instance, if you were to ping the address 208.18.24.2, you should receive a message indicating that the request timed out. Or, if you are on the 172.16.10.0 network, you might try to ping the address 172.16.10. 201, as that address is unlikely to be in use on your network.
10. In Network Monitor, stop and view the capture. 11. Scroll down the packets captured to identify ICMP messages. Based on your network environment, you may not receive these ICMP messages.
12. Analyze the captured frames, and compare them to the discussion, looking for the following: a. Source IP Address. b.
Destination IP Address.
c.
Type.
d.
Code.
13. Save this capture as icmpheader.cap and close.
Topic 2E Capturing and Identifying TCP Headers When investigating TCP/IP, you will find that TCP data is encapsulated in the IP datagram. Since you have already looked into the IP datagram itself, at this stage you will examine TCP further. In Figure 2-18, you can see the actual format of the TCP header. There are seven rows of information in the figure, with the critical ones for this discussion being the first five. Just as with IP, when a computer receives the TCP header, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on. To work with TCP further, refer to RFC 793.
Figure 2-18: A TCP header with all fields shown.
70
Tactical Perimeter Defense
Using Figure 2-18, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the TCP header. • Starting on Row One, on the left side is a field called Source Port Number. This field is a 16-bit number that defines the upper-layer application that is using TCP on the source host. •
The second field on Row One is a field called Destination Port Number. This is a 16-bit field that defines the upper-layer application that is using TCP on the destination host. The combination of an IP address and a port number is often called a socket. A socket pair identifies both ends of a communication completely, by using the host IP address and port, and the destination IP address and port.
•
Moving onto Row Two, the entire row is a single field called Sequence Number. This is a 32-bit value that identifies the unique sequence number of this packet. The sequence numbers are used to track communication and are part of the reason TCP is considered a connection-oriented protocol.
•
In Row Three, you can see that the entire row is also a single field, called Acknowledgement Number. This is a 32-bit value that provides a response to a sequence number. Under normal operations, this value will be the value of the sequence number of the last packet received in this line of communication, plus 1. There will be a value in this field only if the ACK flag is turned on (flags are in the next row).
•
Continuing on to Row Four, starting on the left side is a field called Offset (sometimes also called Header Length). This is a 4-bit value that defines the size of the TCP header. Because this is a 4-bit value, the limit on the size of the header is 60 bytes. If there are no options set, the size of the header is 20 bytes.
•
Moving to the right is a field called Reserved. This is a 6-bit value that is always left at 0 for functioning hosts using TCP/IP. It is not used for any normal network traffic.
•
After the Reserved field are the six Control Flags. Each flag is only 1 bit, either on or off. There are six control flags, and they are listed as follows in the left-to-right order they occupy in the TCP header: —
URG: If this is a 1, the Urgent flag is set.
—
ACK: If this is a 1, the Acknowledgement flag is set.
—
PSH: If this is a 1, the Push flag is set.
—
RST: If this is a 1, the Reset flag is set.
—
SYN: If this is a 1, the Synchronize flag is set.
—
FIN: If this is a 1, the Finish flag is set. For a detailed discussion on the flags and their functions, please review that section earlier in this lesson.
•
Following the Control Flags on Row Four is a field called Window Size. This is a 16-bit value that identifies the number of bytes, starting with the one defined in the Acknowledgement field, that the sender of this segment is willing to accept.
•
Moving on to Row Five, on the left side, there is a field called TCP Checksum. This is a 16-bit value that is used to provide an integrity check
Lesson 2: Advanced TCP/IP
71
of the TCP header and the TCP data. The value is calculated by the sender, then stored and the receiver compares the value upon receipt. •
Following the TCP checksum on Row Five is a field called Urgent Pointer. This is a 16-bit value that is used if the sender must send emergency information. The pointer points to the sequence number of the byte that follows the urgent data, and is only active if the URG flag has been set.
•
The Sixth Row has only one field, called Options. This is a 32-bit value that is often used to define a maximum segment size (MSS). MSS is used so the sender can inform the receiver of the maximum segment size that the sender is going to receive on return communication. In the event that the options set do not take up all 32 bits, padding will be added to fill the field.
•
The Seventh and final Row is the representation of the data. By this point, the header is complete and the data the user wants to send or receive is stored in the packet.
TASK 2E-1 Capturing and Identifying TCP Headers Setup: You are logged on to Windows Server 2003 as Administrator. A command prompt and Network Monitor are running. 1.
Begin a new capture.
2.
Switch to the command prompt and initiate a Telnet session to a neighboring host.
3.
To begin the Telnet session, type y, and press Enter
4.
At the login prompt, type Administrator, leave the password blank, and press Enter.
5.
If the Telnet session starts, exit the Telnet session; otherwise, close the command prompt.
6.
Stop and view the capture.
7.
Add a filter so that all you see are TCP frames. For the specific steps to add filters, see Task 2B-1, step 12 through step 16.
8.
Analyze the TCP headers in the frames.
9.
When analyzing the headers, look for the following: a. Sequence Numbers. b.
Acknowledgement Numbers.
c.
Source Port Numbers.
d.
Destination Port Numbers.
10. Once you have analyzed the header, save the capture as Telnet_Attempt.cap and close the capture file.
72
Tactical Perimeter Defense
Topic 2F Capturing and Identifying UDP Headers Compared to TCP, UDP is a very simple transport protocol. The UDP header and data will be completely encapsulated in the IP datagram, just as with TCP. In Figure 2-19, you can see the actual format of the UDP header. There are three rows of information in the figure. Just as with TCP, when a computer receives the UDP header, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on. To work with UDP further, refer to RFC 768.
Figure 2-19: A UDP header with all fields shown. Using Figure 2-19, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the UDP header. • Starting on Row One, on the left side is a field called Source Port Number. This field is a 16-bit value that defines the upper-layer application that is using UDP on the source host. •
The second field on Row One is called Destination Port Number. This field is a 16-bit value that defines the upper-layer application that is using UDP on the destination host.
•
On the Second Row, the field on the left is called UDP Length. This is a 16-bit value that identifies the length of the UDP data and the UDP header.
•
The second field on Row Two is a field called UDP Checksum. This is a 16-bit value that is used to provide an integrity check of the UDP header and the UDP data. The value is calculated by the sender, then stored, and the receiver compares the value upon receipt.
•
Row Three is where the actual user data is stored. It is possible for a user to send a UDP datagram with zero bytes of data.
TASK 2F-1 Working with UDP Headers Setup: You are logged on to Windows Server 2003 as Administrator, and Network Monitor is running. 1.
Browse to C:\Tools\Lesson2. In that folder is a file called tftp.cap. Open tftp.cap in Network Monitor.
Lesson 2: Advanced TCP/IP
73
2.
Expand the details of any UDP frame, and compare it to the discussion. Look for the following: a.
Source Port.
b.
Destination Port.
c.
What the actual UDP data is.
3.
As you are analyzing this traffic, verify that no session was established, as UDP is connectionless.
4.
Close the capture.
Topic 2G Analyzing Packet Fragmentation Packet-switched networks will all, at one time or another, experience fragmentation. This is due to the fact that all complex networks are made up of various physical media and configurations. So, a packet of a certain size might fit fine on one segment, but may suddenly be many times larger than the capacity of the next segment. The size limit that is allowed to exist on a network varies from network to network and is referred to as the Maximum Transmission Unit (MTU). In the event that a datagram gets fragmented, it is not reassembled until it reaches its final destination. When the datagram is fragmented, each fragment becomes its own unique packet—transmitted and received uniquely. TCP segments are sent using IP datagrams. TCP expects a one-to-one ratio of segments to datagrams. Therefore, IP on the receiving end must completely reassemble the datagram before handing the segment to TCP. In the relationship between TCP and IP, the following rules that affect fragmentation are defined: • The TCP Maximum Segment Size (MSS) is the IP Maximum Datagram Size minus 40 octets. •
The default IP Maximum Datagram Size is 576 octets.
•
The default TCP Maximum Segment Size is 536 octets.
Fragmentation will rarely happen at the source of a datagram, but it is possible. For example, if a receiving host says it can accept segments that are many times larger than what the sender normally sends. Another example would be a host on a small-packet-sized network, such as PPP, and using an application with a fixedsize message.
The official minimum MTU is 68, and the maximum is 65535.
74
Tactical Perimeter Defense
The common location then for fragmentation is at a gateway, where the odds of different MTUs on different interfaces are very high. The following list shows the MTU for various media: • PPP: 296 bytes •
Ethernet: 1500 bytes
•
FDDI: 4352 bytes
•
Token Ring (4 MB/s): 4464 bytes
•
Token Ring (16 MB/s): 17914 bytes
Figure 2-20: How fragmentation works.
TASK 2G-1 Analyzing Fragmentation Setup: You are logged on to Windows Server 2003 as Administrator, and Network Monitor is running. 1.
Navigate to C:\Tools\Lesson2 and open fragment.cap in Network Monitor.
2.
Expand the details of frame 1, looking for the Fragment flag.
3.
Observe that, in frame 1, there is no Fragment Offset, as this is the first fragment.
4.
Select several consecutive frames. Observe that each successive frame has a higher Fragment Offset as it gets farther from the beginning of the original datagram.
5.
Observe that the IP ID stays constant for each fragment.
6.
Expand the details of frame 16.
7.
Observe that the Fragment flags are now both 0, indicating this is the last of the fragments.
8.
Close the capture.
Lesson 2: Advanced TCP/IP
75
Topic 2H Analyzing an Entire Session Now that you have analyzed IP, TCP, UDP, ICMP, fragmentation, handshakes, and teardowns, it is time to put them together. In this topic, you will follow along using two sample captures that were made specifically for this purpose. One capture is a PING capture, and the other is an FTP capture. By analyzing them, you will see how TCP/IP functions—from start to finish.
About the Tasks In the following tasks, Windows Server 2003 Network Monitor was used to capture a ping between two hosts and an ftp session between two hosts. The ping and ftp commands were run from the command prompt, and the output saved to the text files ping.txt and ftp.txt, respectively. The Network Monitor captures were saved to files ping.cap and ftp.cap, respectively. You can open the TXT files with Notepad to see the commands and responses. You can open the CAP files with Network Monitor and see the frames captured as a result. Let’s take a look.
TASK 2H-1 Performing a Complete ICMP Session Analysis Objective: To use the supplied capture and text files to examine the TCP/IP headers, in order to understand how a session is set up, used, and torn down. Setup: You are logged on to Windows Server 2003 as Administrator, and Network Monitor is running.
76
Tactical Perimeter Defense
1.
Start Notepad and open the file ping.txt. This file is in C:\Tools\Lesson2. You should see the output shown in the following graphic.
2.
Keep this file open.
3.
Switch to Network Monitor, and open the file ping.cap. It’s also located in C:\Tools\Lesson2
4.
Observe that frame 1 is an Ethernet broadcast trying to resolve the target IP address to its MAC address.
5.
Observe that frame 2 is a reply from the target machine with the appropriate resolution. From now on, the two hosts can communicate.
Lesson 2: Advanced TCP/IP
77
78
Tactical Perimeter Defense
6.
Observe the next two frames. They are ICMP echo messages going back and forth between the two hosts, corresponding to the output in the text file. Examine the ICMP messages, and see the details in frames 3 and 4 as shown in the following graphics.
7.
Observe that, for the ping command, no session was set up or torn down— just a simple ICMP echo request, followed by an ICMP echo reply.
8.
Close ping.cap and ping.txt.
Continuing the Complete Session Analysis In the last task, one host successfully pinged another, in preparation for establishing an FTP transaction. We’ll look at the FTP portion of the session, but before we do, a quick differentiation between active and passive FTP is in order.
FTP Communication Up to this point you have been examining ICMP communication. Now you will examine an active FTP session. There are two different types of FTP, something that many administrators are unfamiliar with. The two FTP types are simply called passive and active. The mode most people think of with FTP is active FTP. In active FTP, a client makes a connection to the FTP server. The client uses a port higher than 1024 (we’ll call it X) to connect to the server, which then uses port 21, and the FTP command and control session is established. The server responds with the data transfer, sent on port 20. The client will receive the data transfer on a port one higher than the client used for command transfer, or X+1. In passive mode FTP, the client initiates both connections between the client and the server. When the FTP client begins an FTP session, the client opens two ports (again one higher than 1024, and the next port higher, or X and X+1). The first connection and port is the session to the server for command and control on server port 21. The server then opens a random port (again higher than 1024, referred to as Y in this section), and sends this port information back to the client. The client then requests the data transfer from client port X+1 to server port Y. When active FTP is used, there can be a situation that firewalls dislike. The first part of the FTP session, from client to server is not a problem. However, when the server responds to the client, it can seem to the firewall to be a new session started from an untrusted network, trying to gain access to the private network. Passive FTP solves this problem on the firewall, as both parts of the FTP session originate from the FTP client, and no session starts from an untrusted network. There is a different problem with passive FTP. This problem is not on the firewall, but on the server configuration itself. Because the FTP client starts both sessions, the FTP server must be able to listen on any high port, meaning all high ports must be open and available. To deal with this situation, many FTP applications now include features that limit the port range that the server can use.
Lesson 2: Advanced TCP/IP
79
TASK 2H-2 Performing a Complete FTP Session Analysis Objective: To use the supplied capture and text files to examine the TCP/IP headers, in order to understand how a session is set up, used, and torn down. Setup: You are logged on to Windows Server 2003 as Administrator. Notepad and Network Monitor are running.
80
Tactical Perimeter Defense
1.
Switch to Notepad and open ftp.txt. This file is located in C:\Tools\ Lesson2. You should see the results shown in the following graphic.
2.
Observe that, in this session, when the ftp server asks for a password, the user enters it but it is not recorded on screen.
3.
Switch to Network Monitor, and open ftp.cap in C:\Tools\Lesson2. You should see results similar to those shown in the following graphics. (Depending on the version of Network Monitor you are using, MAC and IP addresses might be displayed in Hex, and the time might be in a different format.) If you would like to change the format of the addresses from Hex to more readable names, choose Display→ Addresses, and click Add. In the box that is displayed, enter FTPSITE for the Name, add 002B32CFC72 for the Address, verify that the Type is Ethernet, and click OK. Click Add again, then enter LOCAL for the Name, add 0002B32C5B13 for the Address, verify that the Type is Ethernet, and click OK twice.
There are 51 frames involved in this capture. 4.
If you would like to change the color of the FTP packets for easier viewing, choose Display→Colors. Scroll down and select FTP; then, from the Background drop-down list, select a mild color such as gray or teal, and click OK. If you select a darker color, it might make it more difficult to read the text. Lesson 2: Advanced TCP/IP
81
5.
Observe that frames 3, 4, and 5 represent the TCP handshake involved in establishing the session. Frames shaded gray (6, 8-9, 11-12, 14, 16-19, 23, 29, 31-34, 38, 44, and 46-47) are all directly involved with the ftp application—authentication, ftp requests for directory information, an actual file transfer, followed by a quit, and bye response.
6.
Observe that in frame 8, you can see the user name being supplied.
7.
Observe that in frame 9, you can see the request for a password.
8.
Observe that in frame 11, you can see the password being supplied. Isn’t this a good enough reason to employ some secure authentication such as encryption?
9.
Let’s view the three-way handshake frames in a bit more detail.
Frame 3 starts the three-way handshake Active Open by setting the SYN bit to 1, offering source port no. 2025 (07E9 in Hex), while at the same time directing the request to port number 21 (15 in Hex) on the server. A sequence number 2052360112 (7A5487B0 in Hex) is associated with this frame to uniquely identify it, even in the event of multiple sessions between the same two hosts.
82
Tactical Perimeter Defense
10. Let’s look at the reply.
The reply from the ftp server in frame 4 includes an ACK, while simultaneously including a SYN. This is the Passive Open. 11. Observe that frame 5 includes an ACK from the client.
Once the session is established, FTP can continue on with its setup. This includes a login and a password (to be supplied if anonymous access in not supported), followed by file requests.
Lesson 2: Advanced TCP/IP
83
12. Observe that frame 6 shows the ftp server asking for user identification. Frame 8 shows the ftp client supplying the user name of test user.
13. Observe that this is met by the ftp server asking for the password in frame 9.
84
Tactical Perimeter Defense
14. Observe that in frame 11, you can see the password being offered. Because no secure methods for authentication were set up, you can see the actual password (the word “plaintext”).
15. Observe that once the user has been authenticated, the ftp session is allowed to continue. The ftp server puts out the welcome message shown in frame 12.
Lesson 2: Advanced TCP/IP
85
16. Observe that the rest of the frames dealing with FTP—frames 14, 16-19, 23, 29, 31-34, 38, and 44—have to do with directory listings and file transfers.
86
Tactical Perimeter Defense
Lesson 2: Advanced TCP/IP
87
17. Observe that in frame 38, you can see the actual contents of the file as it is being transferred In this case, and because it is just a text file, you can read the contents.
18. Observe that in frame 46, you can see the client attempt to close the connection with the Quit command.
88
Tactical Perimeter Defense
19. Observe that in frame 47, you can see the server communicate with the client with the message “See ya later.”
Lesson 2: Advanced TCP/IP
89
20. Observe that these messages are followed by TCP terminating the session from both ends in frames 48 and 49, and 50 and 51, respectively, where the FIN bits are set to 1 and the corresponding frame contains the ACK bit set to 1.
90
Tactical Perimeter Defense
21. Close Network Monitor. If you are prompted to save addresses, click No. 22. Close Notepad.
Lesson 2: Advanced TCP/IP
91
Summary In this lesson, you looked deep into the structure of the TCP/IP protocol. You reviewed the RFCs associated with IP, ICMP, TCP, and UDP. You then used Network Monitor and Wireshark to capture and analyze IP packets. You examined captures associated with network traffic. You learned to read the actual data being transmitted between two or more hosts. Finally, you analyzed a complete session, frame-by-frame.
Lesson Review 2A How many layers are in the OSI Model? Seven. How many layers are in the TCP/IP Model? Four. What are the assignable classes of IP addresses? A, B, and C. What are the three private ranges of IP addresses, as defined in the RFCs? a.
10.0.0.0 to 10.255.255.255
b.
172.16.0.0 to 172.131.255.255
c.
192.168.0.0 to 192.168.255.255
2B How many control flags are in a TCP header? Six. What is the function of an acknowledgement number? To provide an acknowledgement for a received packet. The value is usually tied into the SYN number on the received packet. How many steps are required to establish a TCP connection? Three. How many steps are required to tear down a TCP connection? Four. What are the two main views of Network Monitor? Display View and Capture View.
2C What is the first field that is read by the computer in the IP header? Version.
92
Tactical Perimeter Defense
What is the Protocol ID of ICMP in the IP header? 1. What is the Protocol ID of TCP in the IP header? 6. What is the Protocol ID of UDP in the IP header? 17.
2D What is the first field that is read by the computer in the ICMP message? Type. How many bits make up the Type field? Eight. How many bits make up the Code field? Eight.
2E What is the first field that is read by the computer in the TCP header? Source Port Number. How many control bits are in the TCP header? Six. How many bits is the Sequence Number? 32. How many bits is the Acknowledgement Number? 32.
2F What is the first field that is read by the computer in the UDP header? Source Port Number. What is the UDP header and data encapsulated in? An IP datagram. How many bits are both the source and destination port numbers? 16. What is in the payload of the tftp.cap file that you analyzed? Cisco Router Configuration and Access Lists.
2G In the fragment.cap file that you analyzed, how do you suppose this fragmentation happened? By a user sending a large ping. (See the file fragment.txt, in the same folder as fragment.cap, to understand how this was initiated.)
Lesson 2: Advanced TCP/IP
93
Why is there no upper-layer protocol list in the Detail pane for frames 2 through 13? These are the subsequent fragments whose upper-layer protocol is referred to in the first fragment; therefore, they do not have any header information other than IP. What was the upper-layer protocol that caused the fragmentation? ICMP.
2H In the FTP capture file that you analyzed in this topic, what pair of sockets are involved in the initial three-way handshake? On the client: IP address 172.16.30.2, port 2025. On the FTP Server: IP address 172.16.30.1, port 21. In the FTP capture file that you analyzed in this topic, what pair of sockets are involved in the exchange of FTP data in response to the request for directory listing? On the FTP Server: IP address 172.16.30.1, port 20. On the client: IP address 172.16.30.2, port 2026. In the FTP capture file that you analyzed in this topic, what frames indicate that a three-way handshake is taking place between the FTP server and the client in preparation for the sending of FTP data in response to the request for the file textfile.txt? Frames 35, 36, and 37.
94
Tactical Perimeter Defense
Routers and Access Control Lists Overview In this lesson, you will be introduced to the functioning of routers and routing protocols. The examples in this lesson are shown on Cisco Routers, specifically the 2500 series. You will examine the issues of securing routers and routing protocols. You will remove unneeded services and create access control lists to manage and secure the network. The lesson ends with the creation of logging options on the Cisco router.
LESSON
3 Data Files ping-arp-mac.cap rip update.cap ripv2withAuthentication. cap PuTTy.exe Lesson Time 6 hours
Objectives To understand the functions of routers and routing protocols, you will: 3A
Configure fundamental router security. You will create the required configurations to secure connections, create banners, and implement SSH.
3B
Examine principles of routing. You will capture routing protocols and analyze the IP and MAC relationship in a routed environment.
3C
Configure the removal of services and protocols. You will create the required configurations to harden the core services and protocols on a Cisco router.
3D
Examine the function of Access Control Lists on a Cisco router. You will create wildcard masks to be used in conjunction with the implementation of Access Control Lists.
3E
Implement Cisco Access Control Lists. You will create the required configurations to implement Access Control Lists to defend against network attacks on a Cisco router.
3F
Configure logging on a Cisco router. You will create the required configurations to enable logging on a Cisco router.
Lesson 3: Routers and Access Control Lists
95
Topic 3A Fundamental Cisco Security Although this lesson is not designed to make you a Cisco or a routing expert, you will become familiar with the core functions of routers and how to best harden this critical component of the infrastructure.
Cisco Router Language A Cisco router has one or more connections to networks. Each of these connections is referred to as an interface. To further define this interface concept, Cisco uses the type of interface as part of the name as well. Therefore: • An interface that is connected to an Ethernet segment of the network always starts with an E. •
A Fast Ethernet interface always starts with an F.
•
An interface that is connected to a serial connection always starts with an S.
•
An interface that is connected to a Token Ring segment always starts with To.
Along with the interface type, Cisco routers are numbered. The interface numbering begins with a zero. In other words: • The first Ethernet interface on the router is known as E0. •
Likewise, the first serial interface on the router is S0.
•
Finally, the first Token Ring interface on the router is To0.
Cisco Operating System The Cisco routers have their own operating system, which is known as the IOS (Internetworking Operating System). The IOS is found on all Cisco routers and can be uploaded to or downloaded from a tftp site. It is common to copy the IOS image to the tftp location as a quick backup in the event that the running IOS gets corrupted.
bug: An unwanted and unintended property of a program or piece of hardware, especially one that causes it to malfunction.
SNMP: (Simple Network Management Protocol) Software used to control network communications devices using TCP/IP.
96
Tactical Perimeter Defense
Most of the current routers in production are running versions 11.x or 12.x of the Cisco IOS. When Cisco makes a major release of the IOS, it is assigned a number, such as 11 or 12. Major releases can also be added to the numbers, such as 11.2 or 12.2. You might also see an IOS listed as version 12.0(3). The 3 in parenthesis is the third maintenance revision of the major release. Maintenance revisions are released every eight weeks and contain bug fixes and/or updates, as Cisco dictates.
Accessing the Router Cisco provides a wide variety of access points for their routers. Each method of access can provide the ability to view the router differently. Some methods require the network to be functioning and active, while others do not require any network connectivity at all. The methods of access include the console port, the auxiliary port, or network access. Network access can, in turn, include VTY (terminal access), HTTP, TFTP, and SNMP. Each of these methods is detailed here: • The console port is the main point of access on a Cisco router. This is a direct physical connection, requiring the router to be in the presence of the person using the port. This is the connection method used to create the ini-
tial configuration and in the event of an emergency, such as password recovery. Because it has direct physical access, the console port should not be the primary method of accessing the router. •
The auxiliary port can be used to connect to the router via a modem. This can be a functional method of accessing the router if the primary network is down and you are not able to gain physical access to the router.
•
The VTY sessions provide for terminal access to the router. These connections require the network to be functioning to provide access. The most common method of accessing a VTY session is telnet, although—for security purposes—SSH is supported, and is recommended. There are five VTY ports on the router by default, and they are numbered 0 though 4. In this course, access will be provided by using VTY sessions.
•
Other network access points like HTTP, TFTP, and SNMP are also supported on newer versions of the IOS. HTTP can be used if the router runs as a web server, authenticating users for access. TFTP is used for loading IOS and configuration files, and SNMP can be used in full network management configurations.
Modes of Operation In the router, there are several different modes an administrator can use. These range from simple, informational modes, to the complex modes of router configuration. There are several examples of the different modes listed below: • User Mode: In this mode, users can see the configuration of the router, but will not be able to make any significant changes to the router. The prompt for User Mode looks like this: Router>. •
Enable Mode: In this mode, users can make more significant changes to the router, including some of the router configuration options. The prompt for Enable Mode looks like this: Router#.
•
Global Configuration Mode (also known as Configure Terminal Mode): In this mode, users can make configuration changes that will affect the entire router. The prompt for Global Mode looks like this: Router(config)#.
Generally, once you connect to the router, you will move to Enable Mode right away, since that is where much of the router management happens. As a side note, Enable Mode is often called Privileged Mode in text. So, you can consider Enable Mode and Privileged Mode to mean the same thing—the next level of router access beyond User Mode.
Configuration Fragments In this lesson, you will see many examples of configurations of the router. It is not practical to list every step and every line entered for every option. Therefore, what you will see are called configuration fragments. For example, to navigate to an Interface Mode of a router, the following commands are required: 1. Connect to the router via an access method, such as telnet: Telnet 10.10.10. 10. 2.
Enter the password for VTY access: L3tm3!n.
3.
Enter the password for Enable Mode: P0w3r.
4.
Enter the command for Configure Terminal Mode: Configure Terminal.
5.
Enter the command for Interface Mode: Interface Ethernet 0. Lesson 3: Routers and Access Control Lists
97
In this course, the command sequence listed previously will not be described lineby-line but with a configuration fragment. So, the steps to access Interface Mode will look like this: 1. Router#Config Terminal 2.
Router(Config)#Interface Ethernet0
This configuration fragment goes right to the concept, or function, of the discussion. In this example, you cannot be in Enable Mode (identified by the Router# prompt), without first accessing the router (probably by using Telnet), and entering the required credentials.
Navigating in the Router The Cisco router interface is a command-line interface, with a format that is similar to UNIX. For those of you getting started with the router, if you get lost in the command structure, here are some of the more common commands to learn and use. • First is the question mark (?). —
This simple single character command will list for you all the available options at a given point in the router. For example, if you enter the question mark at the User Mode prompt, like so: Router>?, you will be given an alphabetical list of the commands that are options at this point. This command will yield a different set of commands than using the same question mark at the Enable Mode prompt (Router#?).
—
If you recall the first letter of a command, but not the entire string, again the question mark can come in handy. For example, if you are trying to enter Enable Mode, but forgot how to spell enable, you can use the following command: Router>E? This command lists all the commands starting with the letter E with brief descriptions of their functions.
•
Other shortcuts to use are the Up Arrow and Down Arrow keys. Using these will scroll you through commands you have entered into the router for quick access.
•
Finally, using key combinations can be helpful as well. Two examples of key combinations are Ctrl+A and Ctrl+E. —
Using the Ctrl+A key combination moves the cursor to the beginning of a command line.
—
Using the Ctrl+E key combination moves the cursor to the end of a command line.
As an FYI, if the Up Arrow and Down Arrow keys do not function on your system, you can use the key combination Ctrl+P in place of the Up Arrow key, and Ctrl+N in place of the Down Arrow key.
Authentication and Authorization In order for someone to have access to control a router, there must be both authentication and authorization. It is important to not get these two confused, as they are so similar. Authentication is the process of identifying a user, generally granting or denying access. Authorization is the process of defining what a user can do or is authorized to do. So, a user gains access to the router via authentication and gains control of the router via authorization. 98
Tactical Perimeter Defense
In Cisco routers, there are two main categories of authentication. They are the AAA method and the non-AAA method (called traditional by some). AAA stands for Authentication, Authorization, and Accounting. • Earlier, you were introduced to the methods of access, such as console, auxiliary, and VTY sessions. These are considered non-AAA access methods. Another non-AAA access method is called Terminal Access Controller Access Control System, or TACACS for short. They use a local username and password for authentication. •
AAA methods include RADIUS and Kerberos. These methods provide for the full level of Authentication, Authorization, and Accounting that are required for AAA access methods.
Configuring Access Passwords Because there are several different methods of accessing the router, in order to provide security, you must be able to lock down these access points. The first line of defense is to provide a password for these forms of access.
Setting the Console Password Because the console-port connection is used for direct access, it must have a strong password. This can be, and usually is, created during the initial setup of the router. In order to set the Console password, you will need to enter Configure Terminal Mode, and then enter the command line console 0. This is what gets you into the mode where the password can be created. The login command tells the router that a password is required, and the password command is used to enter the actual password. The configuration fragment looks like this: Router#config terminal Router(config)#line console 0 Router(config-line)#login Router(config-line)#password l3tm3!n Router(config-line)#^Z Router#
Setting the Enable Passwords The process for setting the Enable password is similar to the process for setting the Console password. And, you will notice the process for the following sections are all similar, only the object (such as the console or vty) is the difference. As to the password itself, there are two different Enable passwords. The first is the standard Enable password; the second is the Enable Secret password. The standard Enable password is used only for backwards compatibility. If the Enable Secret password has been configured, it will take precedence. The reason that the Enable Secret password is used over the standard Enable password is that the Enable Secret password is encrypted and cannot be read in plaintext in the router. The configuration fragment for setting the Enable Secret password looks like this: Router#config terminal Router(config)#enable secret p@55w0rd Router(config)#login Router(config)#^Z Router#
Lesson 3: Routers and Access Control Lists
99
Setting the VTY Password Configuration of the password for the VTY sessions are similar to creating the Console password. Remember that there are five VTY sessions, numbered 0 through 4. When you are setting the VTY password, you can create a password for one or for all of these sessions. In this first configuration fragment, the password is set for just the first VTY session: Router#config terminal Router(config)#line vty 0 Router(config-line)#login Router(config-line)#password l3tm3!n Router(config-line)#^Z Router
In the following configuration fragment, the password is set for all VTY sessions, 0 through 4. Note that the process is nearly identical. Router#config terminal Router(config)#line vty 0 4 Router(config-line)#login Router(config-line)#password l3tm3!n Router(config-line)#^Z Router
TASK 3A-1 Configuring Passwords 1.
Create the configuration fragment that you would use to set the Console password of ACC3$$, and to set all VTY sessions to use the password of +3ln3+. Router#configure terminal Router(config)#line console 0 Router(config-line)#login Router(config-line)#password ACC3$$ Router(config-line)#^Z Router# Router#configure terminal Router(config)#line vty 0 4 Router(config-line)#login Router(config-line)#password +3ln3+ Router(config-line)#^Z Router#
Creating User Accounts Although for regular operation of the router, individual user accounts are not required, when you do add them, it allows for another level of control over the router and over router access. To create local user accounts, the command syntax is only one line. In organizations where there are multiple people managing the router, this is a solid practice. The following configuration fragment shows the creation of several user accounts:
100
Tactical Perimeter Defense
Router#configure terminal Router(conf)#username Auser Router(conf)#username Buser Router(conf)#username Cuser Router(conf)#username Duser Router(conf)#^Z Router#
password password password password
u$3r1 u$3r2 u$3r3 u$3r4
Implementing Banners In addition to having proper passwords on the router, it is important to have adequate warning banners. It is highly recommended that you view these banners as warning banners and not as welcome banners, as they used to be called. A warning banner is not designed to be the end-all of security; most people know a banner will not stop a determined attacker. However, a banner can provide some legal backing for you and your organization. There are four general functions that warning banners should provide. Although you should look to legal counsel for the exact wording, your banner should address each of these. The banner should: • Not provide useful technical or non-technical information that an attacker can use. •
Inform users of the system(s) that their actions are subject to recording, and may be used in a court of law.
•
Define who is and who is not an authorized user of the system(s).
•
Provide adequate legal standing to both prosecute offenders and protect the administrators of the equipment.
The following is an example of what a banner could look like for an organization: Warning!!! This system is designed solely for the authorized users of Company X on official business. Users of this system understand that there is no expectation of privacy, and that use of the system may be monitored and recorded. Use of this system is consent to said monitoring and recording. Users of this system acknowledge that if monitoring finds evidence of misuse, abuse, and/or criminal activity, that system operators may provide monitoring and recording data to law enforcement officials.
Implementing Cisco Banners On the Cisco router, there are several types of banners available: • MOTD banner: The MOTD banner is for setting Messages Of The Day. The MOTD banner is shown to all terminal users who are connected to the router, before they are asked to input username and password. This may not be an efficient location for your warning banner, if your company literally uses this banner to list day-to-day information. You do not want to be setting the warning banner each and every day, and worrying about missing a day.
Lesson 3: Routers and Access Control Lists
101
This banner is used for sending notices to users, such as if there is an upcoming system shutdown for upgrading the IOS. •
Login banner: The login banner is where the warning banner should be located. This banner will be shown to each user every time a login attempt happens. The banner is set in Configure Terminal Mode, and uses a beginning and ending delimiter character. The delimiter can cause confusion, but is quite simple. Any character can be used as a delimiter, just must make sure to use the same character at the beginning and the end. In the following configuration fragment, the letter C is used as the delimiter character: Router#configure terminal Router(config)#banner login C Warning!!! This system is designed solely for the authorized users of Company X on official business. Users of this system understand that there is no expectation of privacy, and that use of the system may be monitored and recorded. Use of this system is consent to said monitoring and recording. Users of this system acknowledge that if monitoring finds evidence of misuse, abuse, and/or criminal activity, that system operators may provide monitoring and recording data to law enforcement officials. C Router(config)#^Z Router#
•
EXEC banner: The EXEC banner is used for setting a message for users who enter EXEC, or Privileged, Mode. You can create a new banner; use the same warning banner, or whatever else you wish. The process for setting a new banner is nearly identical to the process for the login banner. The difference is in the command. Instead of the command banner login, you use the command banner exec. In the following configuration fragment, you can see the exec banner created, with a delimiter of the pound sign (#): Router#configure terminal Router(config)#banner exec # Reminder!!! When you logged into this system, you acknowledged that you are an authorized user of Company X systems. You also acknowledged that your use of this system may be monitored and recorded. Finally, you agreed that if misuse, abuse, and/or criminal activity are found while monitoring, that law enforcement officials may be contacted. # Router(config)#^Z Router#
102
Tactical Perimeter Defense
TASK 3A-2 Configuring Login Banners 1.
Create the configuration fragment that you would use to create a login warning banner. You can include whatever text you like for the banner, but use the letter B as your delimiter. A possible response is: Router#configure terminal Router(config)#banner login B Warning!!! This is the login banner for the SCNS TPD class. If you are not a member of this class, you may not access this system. Users of this system are advised that nearly everyone is running packet-capturing utilities and everyone is watching you! B Router(config)#^Z Router#
SSH Overview Although Telnet is used in this course—and is often the method of choice for many administrators—from a security perspective, it is not a solid option. This is due to the fact that there is no encryption on the session; all commands and responses are cleartext and can be viewed by any packet-capture utility. SSH, or Secure Shell, provides for a higher level of security on remote connections to the router. Using RSA public key cryptography, SSH establishes a secure channel of communication between client and server. Cisco IOS support for SSH is not present in older versions of the IOS, such as 11.2 and 11.3. After version 12.0(5) with IPSec, support for SSH was included. And, only IOS versions that have IPSec will have SSH support. In order for SSH sessions to be established, there is some preparation that must take place on the router. The router must have usernames defined, must have a hostname defined, and must have a domain name set.
Not all versions of the IOS support SSH. Versions that support IPSec also support SSH.
Router Configuration to use SSH In implementing SSH, you should use Access Control Lists, controlling VTY access. A later section fully details an Access Control List (ACL). However, in brief, the ACL is used to regulate access (denial or permission) to an object on the router. In this configuration fragment, ACL 23 is used to define the host that is allowed to access the router for administration. The host name of the router is simply Router and the domain will be scp.mil. The username is SSHUser and the password for this user is No+3ln3+.
Lesson 3: Routers and Access Control Lists
103
Router#configure terminal Router(config)#ip domain-name scp.mil Router(config)#access-list 23 permit 192.168.51.45 Router(config)#line vty 0 4 Router(config-line)#access-class 23 in Router(config-line)#exit Router(config)#username SSHUser password No+3ln3+ Router(config)#line vty 0 4 Router(config-line)#login local Router(config-line)#exit Router(config)#
The router configuration is close to being finished, but there is still some work to be done. RSA must be enabled so that the key pair can be generated and used. When creating a new key pair, be aware that it may take some time for the pair to complete. In this fragment, all you will see is the command of creating the key pair crypto generate RSA and the use of 1024 as the number of bits (Cisco recommended minimum), and the OK when the calculation is done. Router#configure terminal Router(config)#crypto key generate rsa The name for the keys will be: Router.scp.mil Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 1024 Generating RSA keys ... [OK] Router(config)#
You have now enabled SSH to run on your router. There are some commands that you can use to fine-tune the SSH function, and you will need to configure your client to use SSH. The following configuration fragment is used to define the time-out, in seconds, that the server will wait for the client to provide a password. The default is 120 seconds, and the Cisco recommended time is 90 seconds. In this fragment, the time has been changed to 45 seconds. Router#configure terminal Router(config)#ip ssh timeout 45 Router(config)#^Z Router#
The next fragment is used to define the number of retries that will be allowed before the router drops the connection. The default for this setting is 3, and the maximum is 5. This is a setting that you may rarely change, but in the fragment, the retries are set to 2, so after the second bad try, the connection is dropped: Router#configure terminal Router(config)#ip ssh authentication-retries 2 Router(config)#^Z Router#
Finally is the configuration to let the VTY sessions on the router accept both SSH and Telnet as valid connection types. If you want to have only SSH used, which is the point here, you would not add the word Telnet to the command.
104
Tactical Perimeter Defense
Router#configure terminal Router(config)#line vty 0 4 Router(config-line)#transport input ssh telnet Router(config-line)#^Z Router#
SSH Verification On the router, you will want to run some diagnostic commands to find out who is connected and how. These commands will show you the state of your SSH connections. There are some differences based on the IOS version you are running, so note that in the following. If you are running IOS version 12.1, and you want to see the state of SSH connections, including who is connected, use the command show ip ssh. The following fragment lists what this command will reveal. Router#show ip ssh Connection Version 0 1.5 Router#
Encryption 3DES
State 4
Username SSHUser
If you are running IOS version 12.2, there are two commands for viewing SSH information. First is the show ip ssh command, only here it lists the details, such as time-out and version. The second command is show ssh, and this shows the user connected. The following fragment shows both commands used, one after the other, and their result onscreen. Router#show ip ssh SSH Enabled - version 1.5 Authentication timeout: 45 secs; Authentication retries: 2 Router#show ssh Connection Version Encryption State Username 0 1.5 3DES Session Started SSHUser Router#
INSTRUCTOR TASK 3A-3 Configuring SSH on a Router Setup: Observe as your instructor performs the SSH configuration on the LEFT and RIGHT routers. 1.
Console in to the LEFT router, and switch to EXEC mode.
2.
At the LEFT# prompt, enter conf t to switch to config mode. The LEFT(config)# prompt should be displayed.
3.
Enter ip domain-name left.com to provide a domain name.
4.
Enter crypto key generate rsa to create key pairs. When you are prompted for the number of bits in the modulus, press Enter to accept the default of 512.
5.
Enter ip ssh time-out 120 to set the time-out value to 2 minutes.
6.
Enter is ssh authentication-retries 3 to limit the number of unsuccessful attempts. Lesson 3: Routers and Access Control Lists
105
7.
Enter line vty 0 4 to begin the line configuration. The LEFT(config-line)# prompt is displayed.
8.
Enter transport input ssh to limit the VTY sessions to accept only SSH connections.
9.
Enter login local to provide for local login.
10. Enter exit to return to the LEFT(config)# prompt. 11. Enter username sshl01 privilege 15 password sshpass to assign a user name and password for student station L01. Repeat this command to assign user names and passwords for all other student stations on the left side of the classroom. 12. Enter exit to return to the LEFT# prompt. 13. Enter copy ru st to save the configuration changes. Press Enter to accept the default file name. 14. Enter exit to return to the LEFT> prompt. 15. Disconnect from the LEFT router, and console in to the RIGHT router. 16. Use the steps listed previously as a guide to set up SSH on the RIGHT router. Use the domain name right.com, and create user names such as sshr01, sshr02, and so forth. 17. Disconnect from the RIGHT router, and close the console. 18. Try to Telnet to either of the ssh-enabled routers, and ask students to do the same. None of the attempts should be successful, as you have blocked Telnet connections on both routers.
Client Configuration to use SSH Just as there was some configuration required on the server, some configuration is needed on the client side to run SSH. However, the configuration on the client is not nearly as complex. In general, a client SSH application must be installed, and the client must be configured to use the application in communication with the router. There are several SSH Client programs available, and in this example, the PuTTY program is used. Figure 3-1 shows an example of the settings for this application.
106
Tactical Perimeter Defense
Figure 3-1: The client configuration for an SSH session. During the configuration, you will be asked to provide input on the cryptography used, and you will select RSA. Additionally, you will be required to present proper credentials when connecting, meaning the local username on the router and the password. Once you enter the proper credentials, you will have secure access, and operation will be no different than using Telnet.
TASK 3A-4 Configuring the SSH Client Setup: You are logged on to Windows Server 2003 as the renamed Administrator account. The routers have a limited number of simultaneous logins, so you might need to take turns accessing the routers if your class has many students in it. 1.
Navigate to the putty.exe file located in C:\Tools\Lesson3.
2.
Double-click putty.exe.
3.
For Host Name, enter the IP address for your router. Your instructor will provide the router IP addresses. The router you use is named LEFT or RIGHT, based on your location in the classroom.
4.
Click SSH (Port 22).
5.
Click Open to initiate the connection.
Provide students with the location of the PuTTY installation program.
Provide students with the IP addresses for the LEFT and RIGHT routers.
Lesson 3: Routers and Access Control Lists
107
6.
When you are prompted, click Yes to accept the key, and click Yes to continue the connection. Press Enter to display the login prompt.
7.
Enter your ssh user name, such as sshl01. You should be prompted for a password.
8.
Enter sshpass to complete the login sequence.
9.
After authentication has taken place, log out and close PuTTY.
Topic 3B Routing Principles To be able to secure your routers and routed networks, you need to understand some basic principles related to routing in general. Let’s begin by looking at how routers and routing fit into the OSI Model.
The ARP Process Most people are aware that routers function at the Network layer, but that statement must be understood as routers route at the Network layer. Routers are affected by and operate at other layers as well, including the Data Link layer. The OSI model is the foundation of all network communication. Routers fit into the OSI model just as other devices do, with their primary functionality being at the Network layer. In this lesson, the vast majority of the content will be focusing on the Network layer; however, there are important areas of the Data Link layer that must be investigated as well.
The IEEE (Institute of Electrical and Electronic Engineers) issues MAC addresses to network hardware vendors to ensure that MAC addresses remain unique.
Layer Two addresses are used to get data packets from one local node to another local node, while Layer Three addresses are used to get data packets from one network to another network.
108
Tactical Perimeter Defense
MAC addresses are split into two parts, each containing six hexadecimal digits. The first six digits represent the vendor code (manufacturer indicator) or OUI (Organizational Unique identifier), and the second six are left for definition by the vendor and are often used as a serial number. These unique 48-bit numbers are designed to be globally unique, meaning that there is only one NIC with a given MAC address on the entire planet. ARP (RFC 826) is used to make the connection between the Layer Two and Layer Three addresses. ARP is used in the following examples of data moving from one host to another.
The first example shows data moving from node 1 to node 2 on a local network segment. In order for the data to arrive properly, the following steps must occur: 1.
Node 1 (knowing the Network layer address of node 2) sends a local broadcast on the LAN indicating that Node 1 wishes to learn the Data Link address for Node 2.
2.
Since Node 1 sent a broadcast, all nodes on the local segment receive and process the request, discarding it when they identify that the broadcast was not intended for them.
3.
Node 2 identifies the message requesting its MAC address and responds by sending its Data Link address. Node 2 also stores the MAC address of Node 1 for future use.
4.
Node 1 sends the packet directly to the Data link address of Node 2.
Figure 3-2 shows this process between Node 1 and Node 2 on the same segment.
Figure 3-2: This example shows the process of a local ARP broadcast between two nodes. To take this concept a bit further, let’s look at the process of MAC address resolution if Node 2 is not on the local segment (see Figure 3-3). In order for communication to take place between Nodes 1 and 2, the following steps must occur: 1. Node 1 determines that it needs to communicate with Node 2. As with all TCP/IP communication, Node 1 ANDs its IP address with its subnet mask, then it ANDs Node 2’s IP address with the Node 1 subnet mask. 2.
Node 1 compares the results of the two AND processes to determine if they are the same—meaning that the nodes are on the same network—or different—meaning that the nodes are on different networks. In this example, the results are different, so Node 1 can conclude that Node 2 is situated on a different network than Node 1.
3.
If Node 1’s TCP/IP stack is configured with a Default Gateway, Node 1 will use ARP resolution for the Default Gateway address, as explained in the previous example (because Node 1’s Default Gateway will most likely be on the same network as Node 1), and store the Default Gateway address as the address to use for reaching Node 2.
Lesson 3: Routers and Access Control Lists
109
Note: If a Default Gateway is not configured for Node 1, then Node 1 will not be able to communicate with Node 2. In fact, if a Default Gateway is not configured and Node 1 attempts to ping Node 2, it should receive a message stating that the destination host is unreachable. For a ping to be successful across a routed network such as the one in this example, Node 2 should also have an appropriate Default Gateway in its IP configuration. If Node 2 exists but is not configured with a Default Gateway, and if Node 1 attempts to ping Node 2, Node 1 should receive a message stating that the request timed out.
Figure 3-3: This example shows the process of a router returning the ARP request of a remote node. These examples are geared towards TCP/IP as a protocol, and we will use TCP/IP throughout this lesson. IP addressing is the primary example of Network layer addressing used today.
LAN-to-LAN Routing Process The process of moving data from one host to another and from LAN to LAN is not complex. In the example shown in Figure 3-4, there is one router connecting two networks. There are two hosts defined, one on either network, using TCP/IP.
110
Tactical Perimeter Defense
Figure 3-4: Two networks connected by a single router. From this diagram, you can see the networks are connected via a single router. Both interfaces are Ethernet interfaces, and the IP addresses are given. In this example, node 7 is trying to get a packet to node 10. Since the nodes are in different networks, the packet will need to be routed to reach its goal. An Ethernet packet will be generated at Node 7 with the IP source address as 10.0.10.115 and the source MAC address as Node 7. The destination IP address will be 20.0.20.207 with the destination MAC address still unknown. When the router hears the request for the MAC address of host 20.0.20.207, it replies to node 7 with its MAC address. Node 7 then sends the packet to the router with a destination IP address of 20.0.20.207 and the MAC address of the E0 interface of the router. Once the router receives the packet, it in turn sends a broadcast for the MAC address of 20.0.20.207. Node 10 responds to this request, and the router receives the response. A new packet is then generated by the router, addressed to IP address 20.0.20.207 from IP address 10.0.10.115 with the source MAC address of the router, and destination MAC address of Node 10. Node 10 receives the packet and responds, following the same steps.
Lesson 3: Routers and Access Control Lists
111
LAN-to-WAN Routing Process The LAN-to-WAN routing process is not much different than the previous example—there are simply more steps involved and the packet may change encapsulations along the way from Ethernet to something else and back to Ethernet. In the example shown in Figure 3-5, there is a routed network with two LANs connected via multiple routers in a WAN configuration.
Figure 3-5: Two end nodes connected over multiple routers in a WAN configuration.
112
Tactical Perimeter Defense
For a packet to get from Node 7 to Node 10 in this configuration, there are several steps that must happen: 1.
Node 7 creates a request for the MAC address of node 50.0.50.150.
2.
The router connected to Network 10.0.10.0 sees this request, and realizes it is the path to the destination network. It replies to Node 7 with its MAC address.
3.
Node 7 creates a packet with the source IP address of 10.0.10.115 and the destination IP address of 50.0.50.150 and a source MAC of Node 7 and destination MAC of the network 10.0.10.0 router.
4.
As the local router receives the packet, the IP source and destination IP addresses do not change. The encapsulation may change to fit the wire, PPP or Frame Relay for example.
5.
The packet is sent from one router to another, each time the IP address does not change.
6.
Once the packet reaches the router for segment 50.0.50.0, the encapsulation is removed, and you are left with an Ethernet packet with source IP address 10.0.10.115 and destination IP address 50.0.50.150, and source MAC of the local E0 interface of the local router and destination MAC address of Node 10.
TASK 3B-1 Performing IP and MAC Analysis Setup: You are logged on to Windows Server 2003 as the renamed Administrator account. 1.
Navigate to C:\Tools\Lesson3 and open ping-arp-mac.cap. The file should open in Network Monitor.
2.
Quickly scroll through the main capture, noting the frames and their functions. You will see it is a capture of an initial ARP process, then two consecutive pings (Echo and Echo:Reply) packets.
3.
Expand Frame Four.
4.
Record the source and destination IP addresses and the source and destination MAC addresses here: Source IP address: 172.16.10.1 Destination IP address: 172.17.10.1 Source MAC address: 00 D0 09 7F 0D 73 Destination MAC address: 00 00 0C 8D B8 54 If you need to, expand IP and Ethernet so that you can see the addresses.
5.
Expand Frame Five, and record those IP and MAC addresses as well.
Lesson 3: Routers and Access Control Lists
113
Source IP address: 172.17.10.1 Destination IP address: 172.16.10.1 Source MAC address: 00 00 0C 8D B8 54 Destination MAC address: 00 D0 09 7F 0D 73 6.
Observe that, when pinging 172.17.10.1 from 172.16.10.1, the destination MAC address is 00000C8DB854.
7.
Examine the exchanges in frames 6 and 7, 8 and 9, and 10 and 11 to see the ping process complete.
8.
Expand Frame Twelve, and record those IP and MAC addresses as well. Source IP address: 172.16.10.1 Destination IP address: 172.18.10.1 Source MAC address: 00 D0 09 7F 0D 73 Destination MAC address: 00 00 0C 8D B8 54
9.
Expand Frame Thirteen, and record those IP and MAC addresses as well. Source IP address: 172.18.10.1 Destination IP address: 172.16.10.1 Source MAC address: 00 00 0C 8D B8 54 Destination MAC address: 00 D0 09 7F 0D 73
10. Observe that when pinging 172.18.10.1 from 172.16.10.1, the destination MAC address is 00000C8DB854. 11. Examine the exchanges in frames 14 and 15, 16 and 17, and 18 and 19 to see the ping process complete. 12. Close the capture file, and leave Network Monitor open.
The Routing Process Figure 3-6 shows a complex network, with many possible paths for the data to take across the network. The routers will have to communicate with each other in order to determine the path for the given situation.
114
Tactical Perimeter Defense
Figure 3-6: Potential paths that data can take to get from one node to another. In order for the routers to exchange their data, they must have mutual paths of communication. These paths are the actual connections between the routers. By using logical addressing, the routers are able to have defined networks to transmit data on. The logical addressing minimizes the use of broadcasting, with the end result being more bandwidth for data transmission. In Figure 3-7, each segment with a letter is a unique Layer Three network segment.
Lesson 3: Routers and Access Control Lists
115
Figure 3-7: Logical network addressing used in an internetwork. The routers will use the information about the paths to which they are connected, including the type of connection and available bandwidth, to determine the routes for data to take. For example, the routers might now say for a packet to get from network A to network N that the packet should take network A to network B to network D to network H to network J to network K to network M to network N. There are many times when the fastest route is not a straight path!
Static and Dynamic Routing In order for the router to be able to make decisions on where data should go, it needs to consult its routing table. The routing table is the list of available networks and the paths to reach those networks. (Routing tables will be discussed in detail in the next topic.) Every time a packet reaches a router, the router needs to review the routing table to determine the appropriate path for the packet. The router must be aware of the other potential networks and the way to reach these networks.
Static Routes The creation of these paths can happen either dynamically (automatically) or statically (manually). The first of these two concepts, static routing, is defined here.
116
Tactical Perimeter Defense
A static route is a route that has been manually entered into the router to define the path to the remote network. Although its use is not desirable for every situation, static routing has many advantages, such as: • Precise control over the routes data will take across the network. •
Easy to configure in small networks.
•
Reduced bandwidth use, due to no excessive router traffic.
•
Reduced load on the routers, due to no need to make complex routing calculations.
Figure 3-8 shows a simple network configuration with two routers and their defined networks.
Figure 3-8: Two routers, Finance and Marketing, and the networks they connect. The configuration fragments for the static routes of the above routers look like the following: MarketingRouter#config terminal MarketingRouter(config)#ip route 10.0.10.0 255.255.255.0 20.0.20.1 MarketingRouter(config-line)#^Z MarketingRouter# FinanceRouter#config terminal FinanceRouter(config)#ip route 30.0.30.0 255.255.255.0 20.0.20.2 FinanceRouter(config-line)#^Z FinanceRouter#
Dynamic Routes From the previous example, you can see that the command syntax and time to enter the static routes is not complex and will not take a lot of time. However, the previous example is a very small simple network, and it is because of its simplicity that static routes will work. When the networks become more complex, static routing is not always a reasonable option. If there were a dozen routers, for example, each connected to several networks, static routing would become much more complex.
Lesson 3: Routers and Access Control Lists
117
This is where dynamic routing enters the equation. Dynamic routing protocols can change the configuration of the network when a link goes down. Dynamic routing protocols can converge to be sure that all routers have a consistent view of the network. And, dynamic routing protocols have the means to calculate the best path through an internetwork. Dynamic routing protocols use mathematical algorithms to determine routes and communicate with one another. These same routers exchange their information at defined intervals, and these updates are used to make decisions on routes to take and reconfiguration, when required. Because the routers are exchanging this data frequently, they are able to change paths and update as needed. This flexibility is what makes dynamic routing protocols so desirable. If a router goes down somewhere in the network, the remaining routers will reconfigure and find a way for the data to reach the other side of the network. An example of this is shown in Figure 3-9.
Figure 3-9: There are several routers and multiple paths data can take across this internetwork. In the event that Finance Router 2 goes offline, and these routers are using dynamic routing, the other routers will reconfigure themselves to use only the other Finance Router. When the offline router comes back online, the other routers in the network will reconfigure themselves accordingly.
118
Tactical Perimeter Defense
Comparing Routed Protocols and Routing Protocols One area where people tend to have confusion when dealing with routers is the difference between routed protocols and routing protocols. They are distinctly different. In this section, you will learn to differentiate between the two and draw the boundaries clearly around them so that you can easily and quickly identify one or the other.
What are Routed Protocols? For a protocol to be considered a routed protocol, it must have the following characteristics: •
It must contain Network-layer addressing information.
•
It must have a method of locating a single host on a given network.
Routed protocols are those that have the given information so that user data may have an addressing method to use in the transportation of data between and across networks. The routed protocols have enough internal information to define the structure and function of various fields inside a given packet. The most common routed protocol of today (and of the last decade) is the Internet Protocol, or IP. Other routed protocols are Novell’s IPX/SPX (Microsoft’s version of IPX/SPX is NWLink), and AppleTalk. TCP/IP, IXP/SPX, and AppleTalk all allow for addressing at the Network layer of the OSI model.
What are Routing Protocols? While a routed protocol is used to carry data from one host to another, a routing protocol is used to carry data from one network to another, across multiple routers. The routing protocol is also the method of transmitting the routing updates and messages between routers. Routers will use their assigned routing protocols to create, maintain, and exchange routing data. The routers can use the same routing protocols to actually forward the data packets from one network to another, including the decisions on which path is the best path to take for the data. These routing protocols can also be used by routers to learn the status and configurations of networks they are not directly connected to. In addition to learning about other remote networks, the routers will use their routing protocols to tell remote routers about networks that the remote router is not directly connected to. Regardless of the routing protocol chosen, the routers must have consistent and open communication between each other in order to maintain a reliable picture, or map, of the network. It is this map of the network that all the routers will use to assist in forwarding data packets from network to network. Some examples of routing protocols are RIP (Routing Information Protocol), IGRP (Interior Gateway Routing Protocol), and OSPF (Open Shortest Path First). Whether the protocol used is RIP, IGRP, or OSPF, it is important to consider that there is no actual end-user data carried by the routing protocol messages. The user data is carried by the routed protocol.
Lesson 3: Routers and Access Control Lists
119
The Routing Protocols The last area to cover in this topic is the actual protocols themselves. Here, we will discuss the common types of protocols, and look at some examples of the protocols in action. The two common types of protocols are Distance Vector and Link-State. Regardless of whether the protocol is Distance Vector or Link-State, for dynamic routing to function, two critical router functions must exist: •
An updated and consistent routing table.
•
Scheduled updates between routers.
For the routing protocols to perform these two critical processes, they must conform to a given set of rules. These rules are part of the operation of the routing protocol. Examples of what rules these protocols can define include: •
The frequency of updates between routers.
•
The amount of data contained in the updates.
•
The process of finding proper recipients of the router data.
Calculation of the different data paths, and ultimately choosing the most efficient one based on the given protocol, requires a defined formula. The formula in the case of routers is known as a routing algorithm.
metric: A random variable x representing a quantitative measure accumulated over a period.
The routing algorithm is responsible for the actual calculation on determining the path the data will take as it moves throughout the network. To make this calculation, the algorithm must use certain variables to create what is known as a metric. The metric is then what is used in path determination. Some of the variables that are used to crate the overall metric of a given path are: • Hop Count: This is the number of routers that a data packet must go through to reach its destination. The formula is that the lower the number of hops, the lower the overall data has to travel, and therefore is the better path. •
Cost: The cost of a link can be defined by the administrator or calculated by the router. Generally the lower the cost, the faster the route.
•
Bandwidth: This variable is defined by the overall bandwidth that the link provides.
•
MTU (Maximum Transmission Unit): The MTU is the largest message size (in octets) that a link will route.
•
Load: This variable is based on the amount of work the CPU has to perform, and the number of packets the CPU must analyze and make calculations on.
Regardless of the routing protocol chosen, there is no single rule for selecting the best protocol based on its algorithm. The routing protocol must change to adapt to the network in the event there are network changes, and both Distance Vector and Link-State have this ability. When the routers change their tables based on this update information from the routing protocol, this is called convergence. When all routers have the same view of the network, the network is converged. It is the goal of all routing protocols to have fast convergence, so that the routers maintain a consistent view of the routes available to network segments, and do not use incorrect data to make routing decisions.
120
Tactical Perimeter Defense
Distance Vector Routing Distance Vector routing calculates the distance to a given network segment and the direction (or vector) required to reach the segment. The algorithm of Distance Vector (Bellman-Ford) is designed to pass the routing table from neighbor to neighbor. The passing of the routing table is called the update between routers. In the event there is a topology change, as a router goes offline, an update will be sent immediately from one router to another.
topology: The map or plan of the network. The physical topology describes how the wires or cables are laid out, and the logical or electrical topology describes how the information flows.
Figure 3-10: Routers passing the routing table. In Distance Vector routing, the routing table is passed between routers along the shared segments. In Figure 3-10, Router A and Router B will share their routing tables over the segment between them, out Interface E2 of Router A and out of Interface E0 of Router B. When the routers receive an update, they add any new information on how to get to new routes, or better paths (lower hop counts) to known routes. The algorithm adds one hop to the hop count for every hop that must be crossed to reach the destination. Figure 3-11 shows a basic routing table with hop count included.
Figure 3-11: A routing table with interfaces defined and hop counts. In this example, the routing table has been created, and convergence has been achieved. Both routers have a consistent view of the network, and the routing tables define the path to the networks and the interface to forward packets out to reach the required destinations.
Lesson 3: Routers and Access Control Lists
121
Link-State Routing Where Distance Vector routing uses hop counts to make the decisions in the routing table on path determination, Link-State routing uses a more complex metric system. In Link-State routing, all routers maintain a consistent view of the network, as they do in Distance Vector routing, but they also are all aware of the complete network topology. The Link-State routers know each network segment, and the different options for reaching each segment. Convergence is just as critical in Link-State routing, and in order to have a converged network, there are steps that must be followed. Figure 3-12 shows a complex network, and after the diagram, the steps for convergence will be outlined.
Figure 3-12: In this complex network, 7 routers and 14 network segments are defined. The steps for network convergence are as follows: 1. The routers identify the routers that are their direct neighbors. For example, Router 3 will identify Router 6 and Router 4 as neighbors.
122
Tactical Perimeter Defense
2.
The routers send LSP (Link State Packets) to the network. The LSPs contain data on which networks the router can reach. For example, Router 7 would send LSPs indicating that Router 7 is connected to segments 10.0.0.0, 11.0. 0.0, 12.0.0.0, and 14.0.0.0.
3.
The routers in the network accept all the LSPs and build a topology database of the network. The LSPs from all routers are used to build this consistent view.
4.
The SPF (Shortest Path First) algorithm is used to determine the accessibility of each network and the shortest path between networks. The SPF algorithm
is executed on all routers, so that they all end up with the same topology view of the network. Each router knows the best path to every segment. 5.
The router uses the SPF calculations to determine the best (shortest) path for reaching each destination network on the internetwork.
Common Protocols Here is a quick list of common routing protocols used on Cisco routers: •
RIP (Routing Information Protocol) is a Distance-Vector protocol that uses hop count as its metric.
•
IGRP (Interior Gateway Routing Protocol) is a routing protocol that uses a combined metric for routing decisions.
•
EIGRP (Enhanced Interior Gateway Routing Protocol) is an enhanced version of IGRP that combines properties of Link-State and Distance Vector protocols.
•
OSPF (Open Shortest Path First) is a Link-State protocol that commonly replaces RIP in growing internetworks.
•
BGP (Border Gateway Protocol) is an interdomain routing protocol often used by Internet Service Providers.
•
RTMP (Routing Table Maintenance Protocol) is Apple’s routing protocol. RTMP routers dynamically update topology changes in the network.
Administrative Distances As the router has the ability to use static routes, dynamic routes, and multiple protocols, the ability to see the current routing table becomes even more critical as the network’s complexity increases. There is a function in the router called administrative distance. The administrative distance function has one obvious use, and that is managing when two or more methods in the router are aware of a path to a destination. For example, if you entered a static route on how to get to a location, then RIP identified a route to that location, which route should the router use? This is where the administrative distance comes into play. The lower a value, the higher the level of trust the router places in that route. Some default administrative distances are listed in the following table. Route Type
Distance
Directly connected interface Static route IGRP route OSPF route RIP route
0 1 100 110 120
Therefore, if you had a static route and a RIP route, the static route would be the preferred route that the router uses. When viewing the routing table, not only will you be shown the current routes to destination networks, but you will also see the method used. The following configuration fragments show a portion of the routing tables for three routers in a network:
Lesson 3: Routers and Access Control Lists
123
LEFT#show ip route R 192.168.10.0/24 [120/1] via 192.168.20.2, 00:00:13, Serial1 C 192.168.20.0/24 is directly connected, Serial1 C 172.16.0.0/16 is directly connected, Ethernet0 R 172.17.0.0/16 [120/1] via 192.168.20.2, 00:00:13, Serial1 R 172.18.0.0/16 [120/2] via 192.168.20.2, 00:00:13, Serial1 CENTER#show ip route C 192.168.10.0/24 is directly connected, Serial1 C 192.168.20.0/24 is directly connected, Serial0 R 172.16.0.0/16 [120/1] via 192.168.20.1, 00:00:13, Serial0 C 172.17.0.0/16 is directly connected, Ethernet0 R 172.18.0.0/16 [120/1] via 192.168.10.1, 00:00:18, Serial1 RIGHTt#show ip route C 192.168.10.0/24 is directly connected, Serial0 R 192.168.20.0/24 [120/1] via 192.168.10.2, 00:00:20, Serial0 R 172.16.0.0/16 [120/2] via 192.168.10.2, 00:00:20, Serial0 R 172.17.0.0/16 [120/1] via 192.168.10.2, 00:00:20, Serial0 C 172.18.0.0/16 is directly connected, Ethernet0
In these fragments, you can identify the routes on each router. You can also identify the routes that are directly connected and the routes that are using RIP. The way that you identify this is by the letter in front of each route. For example, in these examples, all routes with a letter C are connected interfaces. Routes with an R are using RIP. If a route had been input statically, it would have an S in front of it. For the RIP routes shown, note that the number 120 is displayed in brackets after the route. The 120 is an indicator of the administrative distance of this route. (The number following the slash is the hop count.)
RIP RIP, or the Routing Information Protocol, is one of the most straightforward routing protocols that can be implemented. It also has no significant security, is broadcast-based, and is noisy. RIP functions by informing neighboring routers of the routers that the current router can reach. The current routes are created during the simple configuration process of setting up RIP in the router. The following configuration fragments show the configuration of RIP on three routers, LEFT, RIGHT, and CENTER: LEFT#configure terminal LEFT(config)#router rip LEFT(config-router)#network 172.16.0.0 LEFT(config-router)#network 192.168.10.0 LEFT(config-router)^Z LEFT# RIGHT#configure terminal RIGHT(config)#router rip RIGHT(config-router)#network 172.18.0.0
124
Tactical Perimeter Defense
RIGHT(config-router)#network 192.168.20.0 RIGHT(config-router)^Z RIGHT# CENTER#configure terminal CENTER(config)#router rip CENTER(config-router)#network 172.17.0.0 CENTER(config-router)#network 192.168.10.0 CENTER(config-router)#network 192.168.20.0 CENTER(config-router)^Z CENTER#
In these fragments, RIP routing has been configured with the networks that each router can reach. For example, the LEFT router will announce that if there is a packet destined for network 172.16.0.0, then the other routers should send it to the LEFT router. Because RIP is broadcast-based, any host on a segment where RIP broadcasts are sent can receive the update. Only the router has a legitimate routing function, but an attacker can learn valuable information, such as the configuration and addressing of a network.
TASK 3B-2 Viewing a RIP Capture Setup: You are logged on to Windows Server 2003 as the renamed Administrator account, and Network Monitor is running. 1.
Open rip update.cap located in C:\Tools\Lesson3.
2.
Expand Frame One, and observe the contents of the packet.
3.
Look for the destination address of the packet. Find the IP and MAC destination addresses.
4.
Observe the source address. You can conclude that this is likely the source address of a router in the network.
5.
Expand the RIP portion of the frame capture.
6.
Examine the network details sent in the packet. Even though you are a random user on the network, you have captured the packet and are able to learn quite a few things about the network in a very short amount of time.
7.
Close the capture file, and leave Network Monitor open.
RIPv2 In order to address some of the issues associated with RIP, RIPv2 was introduced as a routing protocol. A security advantage was the ability to require and use authentication for RIP updates. From a networking perspective, the configuration is very similar to RIPv1, as shown previously. The following configuration fragment shows the same three routers configured to use RIPv2 instead of RIPv1: Lesson 3: Routers and Access Control Lists
125
LEFT#configure terminal LEFT(config)#router rip LEFT(config-router)#version 2 LEFT(config-router)#network 172.16.0.0 LEFT(config-router)#network 192.168.10.0 LEFT(config-router)^Z LEFT# RIGHT#configure terminal RIGHT(config)#router rip RIGHT(config-router)#version 2 RIGHT(config-router)#network 172.18.0.0 RIGHT(config-router)#network 192.168.20.0 RIGHT(config-router)^Z RIGHT# CENTER#configure terminal CENTER(config)#router rip CENTER(config-router)#version CENTER(config-router)#network CENTER(config-router)#network CENTER(config-router)#network CENTER(config-router)^Z CENTER#
2 172.17.0.0 192.168.10.0 192.168.20.0
The authentication used is a key and MD5. The following configuration fragment shows the setup of RIPv2 authentication. In this fragment, first the router is told that RIP authentication is required, then the key (the word “strongpassword”) is created. Router#configure terminal Router(config)#interface ethernet0 Router(config-if)#ip rip authentication key-chain 3 Router(config-if)#ip rip authentication mode md5 Router(config-if)#exit Router(config)# interface serial0 Router(config-if)#ip rip authentication key-chain 3 Router(config-if)#ip rip authentication mode md5 Router(config-if)#exit Router(config)# interface serial1 Router(config-if)#ip rip authentication key-chain 3 Router(config-if)#ip rip authentication mode md5 Router(config-if)#^Z Router#configure terminal Router(config)#key chain 3 Router(config-keychain)#key 1 Router(config-keychain-key)#key-string strongpassword Router(config-keychain-key)#^Z Router#
All routers that will exchange routing updates on the same network must use the same configuration, so the authentication will match. Once the router is configured, if you were to enter the show running-config command, you would get the following new pieces in the output:
126
Tactical Perimeter Defense
enable secret 5 $1$v13S$Nk8zY5NcYor5VvAfcfZCn0 enable password 2501 ! ! key chain 3 key 1 key-string strongpassword ! interface Ethernet0 ip address 172.16.0.1 255.255.0.0 ip rip authentication mode md5 ip rip authentication key-chain 3 no mop enabled interface Serial0 no ip address shutdown
TASK 3B-3 Viewing a RIPv2 Capture Setup: You are logged on to Windows Server 2003 as the renamed Administrator account, and Network Monitor is running. 1.
Open ripv2withAuthentication.cap, located in C:\Tools\Lesson3.
2.
Expand Frame One (the only frame) and observe the contents of the packet.
3.
Look for the destination address of the packet. Find the IP and MAC destination addresses.
4.
Observe the source address. You can conclude that this is likely the source address of a router in the network.
5.
Expand the RIP portion of the frame capture.
6.
Examine the network details sent in the packet.
7.
Observe the addition of the Authentication portion of the capture and the additional fields not present in the RIPv1 packet. Second, observe that the Routing Data is still visible.
8.
Close Network Monitor.
Lesson 3: Routers and Access Control Lists
127
Topic 3C Removing Protocols and Services The fundamental concept of hardening the router is no different than hardening Linux or Windows. You must remove all of the protocols and services that are unused. You must configure the required protocols and services so that they are secured for access. In this topic, you will look at removing many of the protocols and services that are often not used on a router and continue to harden the device.
CDP The Cisco Discovery Protocol (CDP) is a protocol used by Cisco routers to exchange information, such as platform information and status, with each other. In general, CDP can be a useful thing to use when troubleshooting in a simple environment. Unfortunately, like most things that can make our lives as administrators a little easier, CDP can make an attacker’s job a little easier because it gives out important information such as the IOS version that the router is running. And, of course, knowing what IOS version is running makes an attacker’s job much easier since he or she will have a much better idea of what exploits will work against such a target. In the following configuration fragment, you can see that turning off CDP for the entire router is not a complex set of commands—only two commands are required: Router#config terminal Router(config)#no cdp run Router(config)#^Z Router#
However, it may be desirable to stop CDP only on those interfaces that are not connected directly to another router. Perhaps there is only a direct link between two serial interfaces, and you want to allow CDP to run there, but not on the internal Ethernet network. In the following configuration fragment, CDP is disabled just for the Ethernet interface. Note that the only addition is the defining of the interface, and the command is no cdp enable, instead of no cdp run: Router#config terminal Router(config)#interface Ethernet 0 Router(config-if)#no cdp enable Router(config-if)#^Z Router#
128
Tactical Perimeter Defense
TASK 3C-1 Turning Off CDP 1.
Create the configuration fragment that you would use for turning off CDP on Ethernet 0, Ethernet 1, and Serial 1. Router#config terminal Router(config)#interface Ethernet 0 Router(config-if)#no cdp enable Router(config-if)#interface Ethernet 1 Router(config-if)#no cdp enable Router(config-if)#interface Serial 1 Router(config-if)#no cdp enable Router(config-if)#^Z Router#
ICMP ICMP provides, among other functions, the ability to use the often-required ping and traceroute commands. However, ICMP has become one of the most misused of all protocols. DoS and DDoS attacks use ICMP, and more and more attacks take advantage of this function of the network. In this section, only a few examples of hardening ICMP are discussed.
ICMP Directed Broadcast Smurf is an attack that takes advantage of ICMP. Specifically, what Smurf does is to get many machines to flood a single host with ICMP packets, effectively shutting down that host. The way this attack works is to ping an entire network, using a spoofed IP address. When every host of the network responds to the IP address, that machine has been attacked. This can easily lead to hundreds of machines responding to a host simultaneously.
traceroute: An operation of sending trace packets for determining information; traces the route of UDP packets for the local host to a remote host. Normally traceroute displays the time and location of the route taken to reach its destination.
The following configuration fragment shows the disabling of ICMP directed broadcasts on the Serial 1, Serial 0, and Ethernet 0 interfaces. To protect fully against this attack, you should turn off broadcasts like this on all interfaces. Router#config terminal Router(config)#interface Ethernet 0 Router(config-if)#no ip directed broadcast Router(config)#interface Serial 0 Router(config-if)#no ip directed broadcast Router(config)#interface Serial 1 Router(config-if)#no ip directed broadcast Router(config-if)#^Z Router#
ICMP Unreachable Another very common attack is for a potential intruder to scan your system(s) looking for services that are open and that can be exploited. It is common to use ICMP to perform these scans of systems. If you remove the ICMP Unreachable message, be aware that your system will not respond to desired unreachable mes-
Lesson 3: Routers and Access Control Lists
129
sages, such as when your internal users legitimately need them, such as during time-outs. The following configuration fragment shows the disabling of ICMP Unreachable messages on the Serial 0 interface. To remove ICMP Unreachable messages on the entire router, this command needs to be entered for each interface. Router#config terminal Router(config)#interface Serial 0 Router(config-if)#no ip unreachables Router(config-if)#^Z Router
TASK 3C-2 Hardening ICMP 1.
Create the configuration fragment that you would use to disable ICMP Directed Broadcasts and ICMP Unreachable messages on the entire router, which has the Ethernet 0, Serial 0, and Serial 1 interfaces. Router#config terminal Router(config)#interface Ethernet 0 Router(config-if)#no ip directed broadcast Router(config-if)#no ip unreachables Router(config)#interface Serial 0 Router(config-if)#no ip directed broadcast Router(config-if)#no ip unreachables Router(config)#interface Serial 1 Router(config-if)#no ip directed broadcast Router(config-if)#no ip unreachables Router(config-if)#^Z Router#
Source Routing A feature that was added to routers to increase the control administrators had over the network was source routing. This feature has become a vulnerability that attackers now use. Source routing is used to allow a packet to dictate the path it should take through a routed network. This packet does not follow the routing tables as designated by the routing protocols. Doing so may allow an attacker to bypass critical systems, such as a firewall or an IDS. In most situations, there is no need for source routing to be allowed on any router. The configuration fragment that follows shows the disabling of the source routing service: Router#config terminal Router(config)#no ip source-route Router(config)#^Z Router#
130
Tactical Perimeter Defense
Small Services TCP and UDP small services are enabled on some routers by default (generally IOS 11.3 and previous versions). Small services are not often used anymore and include echo, discard, daytime, and chargen. On most routers, be sure to disable these services. The configuration fragment that follows shows the disabling of small services for both TCP and UDP:
Small services are also known as small servers.
Router#config terminal Router(config)#no service tcp-small-servers Router(config)#no service udp-small-servers Router(config)#^Z Router#
Finger Finger is another older service that is rarely used in modern networks. The Finger service is used to find information about users who are logged into a router. On older versions of the IOS (11.2 and older), Finger is disabled by using the no service finger command. On newer versions of the IOS (11.3 and newer), Finger is disabled by using the no ip finger command. In the following code, the first configuration fragment shows the removal of the Finger service from an older router, and the second fragment shows the removal of the Finger service from a newer router: Router#config terminal Router(config)#no service finger Router(config)#^Z Router# Router#config terminal Router(config)#no ip finger Router(config)#^Z Router#
Lesson 3: Routers and Access Control Lists
131
Remaining Services As a security professional, you know that hardening a piece of equipment means disabling or removing all of the services and protocols that you are not using. In this section, you will see several other services that you should consider disabling for your router. In consideration of space, every service and protocol cannot be listed in this section—only several of the significant services can be highlighted.
When NTP is used in conjunction with syslog services, therefore keeping accurate timestamps on log entries, it can be useful for forensic purposes.
•
The BootP service is used to remotely boot computers via the network. This service can be disabled by using the no ip bootp server command.
•
The DNS function is enabled on Cisco routers, but there is no defined name server. The net result is broadcasting for all DNS requests. To disable this function, use the no ip name-server command.
•
The Network Time Protocol (NTP) is used for time synchronization on the network. This service can be disabled by using no ntp server. If you want to disable this protocol for only a single interface, use ntp disable, when you are in the Interface Mode.
•
The Simple Network Management Protocol (SNMP) is used to communicate between network devices. SNMP left as-is on routers can provide information about the router to attackers. Disable SNMP by using no snmp-server.
•
HTTP is used on some routers to allow for remote access and management. Unless specifically required in your organization, this should be disabled. To disable HTTP, use no ip http server.
The configuration fragment that will disable all of the above services will look like this: Router#config terminal Router(config)#no ip bootp server Router(config)#no ip name-server Router(config)#no ntp server Router(config)#no snmp-server Router(config)#no ip http server Router(config)#^Z Router#
132
Tactical Perimeter Defense
TASK 3C-3 Removing Unneeded Services 1.
Create the configuration fragment that you would use to remove the following services from the whole IOS v12.x router: CDP, ICMP Directed Broadcasts, Small Servers, Source Routing, and Finger. For this exercise, you can assume that the interfaces are named E0, S0, and S1. Router#config terminal Router(config)#no cdp run Router(config)#interface Ethernet 0 Router(config-if)#no ip directed broadcast Router(config)#interface Serial 0 Router(config-if)#no ip directed broadcast Router(config)#interface Serial 1 Router(config-if)#no ip directed broadcast Router(config-if)#^Z Router# Router#config terminal Router(config)#no service tcp-small-servers Router(config)#no service udp-small-servers Router(config)#no ip source-route Router(config)#no ip finger Router(config)#^Z Router#
AutoSecure A newer security feature, built into the IOS starting with version 12.3(1) is called AutoSecure. AutoSecure is essentially a script designed to help you secure the router by following a set of questions versus coding line-by-line the services and interfaces you want to secure. AutoSecure can also address your passwords, ensuring that no simple words are used, prompt for the configuration of SSH, and can enable console logging, among other security issues. AutoSecure has its security features divided into two core groups (Cisco calls these groups: Planes). These two groups are called the Management Plane and the Forwarding Plane.
The Management Plane The Management Plane of the AutoSecure feature is where the majority of your services are addressed. Both the global services, and the services that are unique to each interface are dealt with in this Plane. The following list details the services that are specific to each interface that can be disabled with AutoSecure: • ICMP (including redirects, unreachables, and mask replies) •
Directed broadcasts
•
Maintenance Operations Protocol (MOP) services
•
Proxy-Arp
Lesson 3: Routers and Access Control Lists
133
You know by now that there are many more security issues other than the ones addressed in the previous list. The following list, details the services that are global, to the whole router, which can be disabled with AutoSecure: • BootP •
CDP
•
Finger
•
HTTP Server
•
IdentD protocol
•
Network Time Protocol (NTP)
•
Packet Assembler and Disassembler (PAD)
•
Source Routing
•
Small Servers (both TCP and UDP)
The Forwarding Plane In the context of this course, the only feature of The Forwarding Plane that will be discussed is the Context-based Access Control (CBAC). If you are using this feature, AutoSecure will prompt you through the configurations. CBAC will be addressed later in this lesson.
Topic 3D Creating Access Control Lists Access Control Lists (ACLs) enable network administrators to not only control access from a security standpoint, but also can be used to restrict bandwidth use on critical links. In this and the following topic, the discussion will be on IP access lists, but be aware that access lists can exist for other routed protocols, such as AppleTalk and IPX/SPX.
packet filter: Inspects each packet for user defined content, such as an IP address, but does not track the state of sessions. This is one of the least secure types of firewall.
134
Tactical Perimeter Defense
An ACL is a packet filter that compares a packet with a given set of criteria. The ACL checks the packet and acts upon the packet as defined by the list. Access Control Lists are divided into several main categories, and for this course, you will focus on three categories: Standard ACLs, Extended ACLs, and Contextbased ACLs. • Standard ACLs are designed to look at the source address of a packet that has been received by the router. The result of the list is to either permit or deny the packet based on the subnet, host, or network address. A standard access list takes effect for the full IP protocol stack. •
Extended ACLs are designed to look at both the source and destination packet addresses. Not limited to source IP address, extended lists allow for checking of protocol, port number, and destination address. This additional flexibility is the reason that many administrators implement extended lists on their networks.
•
Context-based ACLs are designed to look at information from layer 3 all the way through layer 7. This becomes the Cisco IOS stateful firewall function inside the Cisco Router.
Access Control List Operation The function of an access list is the same internally in the router, regardless of the type of list (standard, extended, and so on). An ACL can be designed to function for both inbound and outbound packets. When an ACL is checking inbound packets, the list is checked to see if the packet is allowed prior to the router checking to see if the packet has a destination in the routing table. When an ACL is checking outbound packets, the packet will first run through the router’s table, looking for a match. If there is a route for the packet, then the ACL is applied to the outbound packet.
Figure 3-13: The Access Control List process. Figure 3-13 illustrates this outbound process. A packet is taken in via Interface E0. In this example, the packet is incoming on Interface Ethernet 0 and destined to be outgoing on Interface Ethernet 1. Because the list is used to determine whether or not the packet is to exit on interface Ethernet 1, this list can be determined to be an outgoing list.
The Access List Process A critical component of access list is to understand that they operate in sequence, from the top down. In other words, the first statement of an access list is checked. If the packet does not match the rules of that statement, then the packet is sent to the next statement, and on and on, until there is a match. Once there is a match, the packet will follow that rule. In the event that there are two rules that can apply to the same packet, whichever rule the packet hits first is the one that it will follow. There will always be a match, since the end of every access list is an implicit deny, meaning that every list must have at least one permit statement or all packets will be denied! Figure 3-14 shows a graphical example of an access list statement process.
Lesson 3: Routers and Access Control Lists
135
Figure 3-14: The list process of an ACL.
The Wildcard Mask IP access lists use a value known as the wildcard mask to determine whether or not a packet matches a given statement in the list. The wildcard mask uses 1s and 0s to identify the defined IP address(es) for permission or denial. Wildcard masks are 32-bit values that look like traditional subnet masks, but they do not function in the same manner. A wildcard mask uses the 1s and 0s to match defined bits of an IP address. The rules of the bits of a wildcard mask are as follows: • If the wildcard mask bit is a 1, then do not check the corresponding bit of the IP address for a match. •
If the wildcard mask bit is a 0, then do check the corresponding bit of the IP address for a match.
The chart in Figure 3-15 shows several examples of the wildcard mask checking options. Where there is a 0, the values are checked for a match, and where there is a 1, the value is not checked.
136
Tactical Perimeter Defense
Figure 3-15: Examples of wildcard masks. As you can see from this chart, if there were a mask of 11111111, then none of the eight bits of the corresponding IP address would be checked. Likewise, if there were a wildcard mask of 00000000, then all eight bits of the corresponding IP address would be checked.
Wildcard Mask Examples If an administrator wanted to have an access list statement match a single host in a network, the following wildcard mask could be used. Item
Value
IP Address Subnet Mask Wildcard Mask
10.15.10.187 255.255.255.0 0.0.0.0
This tells the router to check every bit of the IP address, and if those bits are 10.15.10.187, then this access list statement applies to this host. If the goal is to have an access list statement match an entire network, the following wildcard mask could be used. Item
Value
IP Network Subnet Mask Wildcard Mask
10.15.10.0 255.255.255.0 0.0.0.255
This tells the router to check only the first 24 bits of the IP address, and if the decimal value of those bits are 10.15.10, then this access list statement applies to this host. If the goal is to block a specified subnet, the mask requires a bit more calculation, but still functions the same way. In the event that the administrator wants to have subnet 10.15.10.32 match an access list statement, the mask would be as follows. Item
Value
IP Subnet Address
10.15.10.32
Lesson 3: Routers and Access Control Lists
137
Item
Value
Subnet Mask Wildcard Mask
255.255.255.224 0.0.0.31
This tells the router to check all but the last five bits of the fourth octet. If the checked bit equals 10.15.10.32, then the access list statement applies to this host.
TASK 3D-1 Creating Wildcard Masks 1.
If your goal is to block out a single host, such as 192.168.27.93, that uses 255.255.255.0 as the subnet mask, what wildcard mask would you use? 0.0.0.255
2.
If your goal is to block out a subnet of 10.12.24.0 that uses 255.255.248.0 as the subnet mask, what wildcard mask would you use? 0.0.7.255
3.
If your goal is to block out network 172.168.32.0 that uses 255.255.255.0 as the subnet mask, what wildcard mask would you use? 0.0.0.255
Topic 3E Implementing Access Control Lists In this topic, we will detail the implementation of and rule-creation for access lists. There will be examples of access lists and their syntax on a Cisco router. Examples will include both standard and extended IP access lists, the most common lists for networks connected to the Internet today. Although you have the option of using standard or extended access lists, the extended lists are preferred because they provide more granularity when you are permitting and denying traffic.
Access Control Lists are implemented in two stages on Cisco routers. The first stage is to create the list, including all of its statements. The second stage is the implementation of the list on an interface of a router, defining whether the list is to filter packets as an inbound or outgoing list.
Standard Access Control List Command Syntax To create a standard ACL, the following line shows the proper syntax. Items in italics are variables to be filled in. Router(config)#access-list access-list-number {permit|deny} source [ source-mask ]
138
Tactical Perimeter Defense
Where: •
access-list is the actual command to create a list.
•
access-list-number is a value between 1 and 99, that is selected to create a standard ACL.
•
permit|deny is the value that defines whether the list will grant or block access.
•
source is the value that is the actual source address to match.
•
source-mask is the value that specifies the wildcard mask for the defined host.
Once the list has been created, the second stage is to apply the list to an interface. Before you do this, however, make sure that you have specified the interface that you want to be affected by the list. The syntax for list application is shown here. Again, items in italics are variables to be filled in. Router(config-if)#ip access-group access-list-number {in|out} Where: •
ip access-group is the command to link (implement) a list to an interface.
•
access-list-number is the value assigned to the actual list to be implemented on this interface.
•
in|out is the value that defines whether the list will filter inbound or outbound packets.
Extended Access Control List Syntax To create an extended ACL, the following line shows the proper syntax. Remember, items in italics are variables to be filled in. Router(config)#access-list access-list-number {permit|deny} protocol source source-mask destination destination-mask [operator|operand] Where: • access-list is the actual command to create a list. •
access-list-number is a value between 100 and 199, that is selected to create an extended ACL.
•
permit|deny is the value that defines whether the list will grant or block access.
•
protocol is the value that defines what protocol to filter.
•
source is the value that defines the source IP address.
•
source-mask is the value that defines the wildcard mask for the source.
•
destination is the value that defines the destination IP address.
•
destination-mask is the value that defines the wildcard mask for the destination.
•
operator|operand is the value that defines the options for the list. Options include: —
GT—Greater than
—
LT—Less than Lesson 3: Routers and Access Control Lists
139
—
EQ—Equal to
—
NEQ—Not Equal to
Once the list has been created, the second stage is to apply the list to an interface. The syntax for list application is shown. As before, items in italics are variables to be filled in. Router(config-if)#ip access-group access-list-number {in|out} Where: •
ip access-group is the command to link (implement) a list to an interface.
•
access-list-number is the value assigned to the actual list to be implemented on this interface.
•
in|out is the value that defines whether the list will filter inbound or outbound packets.
Figure 3-16: A sample network for ACL implementation. Use Figure 3-16 with the network and host IP addresses defined to look at several examples of access lists. The same figure will be used for all examples, only with different lists, different goals, and different implementations. These examples will be using both standard and extended IP access lists.
Denial of a Specific Host Our first example will be the simple denial of a defined host into the router. This can be accomplished by using a standard ACL.
140
Tactical Perimeter Defense
The configuration fragment for this example is: Router#configure terminal Router(config)#access-list 23 deny 192.168.10.7 0.0.0.0 Router(config)#access-list 23 permit 0.0.0.0 255.255.255.255 Router(config)#interface Ethernet 0 Router(config-if)#ip access-group 23 in Router(config-if)#^Z Router#
The third line is permitting all traffic not denied by the second line. The word “any” can be used in place of “0.0. 0.0 255.255.255.255.”
Denial of a Subnet Our second example will be the denial of a defined host out to the Internet and the denial of an entire network to the Internet. This can also be accomplished by using a standard ACL. The configuration fragment for this example is: Router#configure terminal Router(config)#access-list 45 deny 192.168.10.7 0.0.0.0 Router(config)#access-list 45 deny 192.168.20.0 0.0.0.255 Router(config)#access-list 45 permit 0.0.0.0 255.255.255.255 Router(config)#interface Serial 0 Router(config-if)#ip access-group 45 out Router(config-if)#^Z Router#
The fourth line is permitting all traffic not denied by the second and third lines.
Denial of a Network Our third example will be the denial of an entire network from another network. This can be accomplished by using a standard ACL. The configuration fragment for this example is: Router#configure terminal Router(config)#access-list 57 deny 192.168.20.0 0.0.0.255 Router(config)#access-list 57 deny 192.168.10.0 0.0.0.255 Router(config)#access-list 57 permit 0.0.0.0 255.255.255.255 Router(config)#interface Ethernet 0 Router(config-if)#ip access-group 57 out Router(config-if)#interface Ethernet 1 Router(config-if)#ip access-group 57 out Router(config-if)#^Z Router#
Granting Telnet from One Specific Host Our fourth example will be limiting the permission of given hosts to telnet to the Internet and the denial of a network telnetting to the Internet. This can be accomplished by using an extended ACL, due to the need to control access to individual ports. The configuration fragment for this example is: Router#configure terminal Router(config)#access-list 123 permit tcp 192.168.20.16 0.0.0.0 0.0.0.0 255.255.255.255 eq 23 Router(config)#access-list 123 permit tcp 192.168.10.7 0.0.0.0 0.0.0.0 255.255.255.255 eq 23 Router(config)#access-list 123 deny tcp 192.168.0.0 0.0.255.255 0.0.0.0 255.255.255.255 eq 23 Router(config)#access-list 123 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 Router(config)#interface Serial 0 Router(config-if)#ip access-group 123 out Router(config-if)#^Z Router#
For the fifth line, permit ip any any could be used to shorten the syntax.
Lesson 3: Routers and Access Control Lists
141
Granting FTP to a Subnet Our fifth example will be granting one subnet the ability to ftp to the Internet, while denying the other subnet. Again, this can be accomplished by an extended ACL, due to the need to control access to individual ports. The configuration fragment for this example is: Router#configure terminal Router(config)#access-list 145 permit tcp 192.168.20.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 20 Router(config)#access-list 145 permit tcp 192.168.20.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 21 Router(config)#access-list 145 deny tcp 192.168.10.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 20 Router(config)#access-list 145 deny tcp 192.168.10.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 21 Router(config)#access-list 145 permit ip any any Router(config)#interface Serial 0 Router(config-if)#ip access-group 145 out Router(config-if)#^Z Router#
Defending Against Attacks with ACLs ACLs can be used for much more than simply granting or denying access to a service or utility. They can be used to guard against known attacks on the network, such as SYN and DoS attacks. This is due to the fact that many tools use known and identifiable patterns in their attacks.
Anti-DoS ACLs These ACLs work by recognizing the protocol and port selection of the DoS attack. It is possible that by using these ACLs, you may block legitimate applications that have chosen the same high port values, so that must be taken into account. In order to prevent hosts inside the network from participating in a DoS on an Internet host, you should consider placing these on all interfaces, in both directions. At the minimum, you will place these lists on the inbound interfaces that are connected to the Internet. In the configuration fragment that follows, the first section (ports 27665, 31335, 27444) of the list is designed to block the TRINOO DDoS, and the second section (ports 6776, 6669, 2222, 7000) is designed to block the SubSeven DDoS. Router(config)#access-list Router(config)#access-list Router(config)#access-list Router(config)#access-list Router(config)#access-list Router(config)#access-list Router(config)#access-list
160 160 160 160 160 160 160
deny deny deny deny deny deny deny
tcp udp udp tcp tcp tcp tcp
any any any any any any any
any any any any any any any
eq eq eq eq eq eq eq
27665 31335 27444 6776 6669 2222 7000
Anti-SYN ACLs The TCP SYN attack is where the attacker floods the target host and disallows any legitimate connections to be made by the target host. To work on blocking this, the ACL must allow legitimate TCP connections, which are created by hosts inside the network, but disallow connections to those hosts from outside (like on the Internet). 142
Tactical Perimeter Defense
In this first configuration fragment, traffic that is established internally is allowed out, and incoming connections are not able to create new sessions. Router#configure terminal Router(config)#access-list 170 permit tcp any 192.168.20.0 0.0.0.255 established Router(config)#access-list 170 deny ip any any Router(config)#interface Serial 0 Router(config-if)#ip access-group 170 in Router(config-if)#^Z Router#
Anti-Land ACLs Another type of attack that has been around for some time is the Land attack. The Land attack is rather simple in design, but it can cause serious network damage to unprotected systems. The attack works by sending a packet from an IP address to the same IP address, and using the same ports. So, a packet would be sent from 10.10.10.10:5700 to 10.10.10.10:5700 causing a significant slowdown or DoS of the target. The following configuration fragment shows the defense against a Land attack on host 10.20.30.50, which is an IP address of an external interface on the router. Router#configure terminal Router(config)#interface Serial 0 Router(config-if)#ip address 10.20.30.50 255.255.255.0 Router(config-if)#exit Router(config)# Router(config)#access-list 110 deny ip host 10.20.30.50 host 10.20.30.50 log Router(config)#access-list 110 permit ip any any Router(config)#interface Serial 0 Router(config-if)#ip access-group 110 in Router(config-if)#^Z Router#
Anti-spoofing ACLs Spoofing of packets has become more commonplace due to the increased number of tools that provide this function. You can use your router to combat this issue by not allowing packets to enter the network if they are coming from an internal IP address. When you create these lists, you want them to be complete. In other words, do not forget to block the broadcast addresses (to prevent attacks like the Smurf attack), the network addresses themselves, and private or reserved addresses. In the following configuration fragment, the internal network is 152.148.10.0/24, and you will see that there are quite a few lines necessary to provide for full spoof protection:
Lesson 3: Routers and Access Control Lists
143
Router#configure terminal Router(config)#access-list 130 deny ip 152.148.10.0 0.0.0.255 any Router(config)#access-list 130 deny ip 127.0.0.0 0.255.255.255 any Router(config)#access-list 130 deny ip 0.0.0.0 255.255.255.255 any Router(config)#access-list 130 deny ip 10.0.0.0 0.255.255.255 any Router(config)#access-list 130 deny ip 172.16.0.0 0.0.240.255 any Router(config)#access-list 130 deny ip 192.168.0.0 0.0.255.255 any Router(config)#access-list 130 deny ip host 255.255.255.255 any Router(config)#access-list 130 permit ip any 152.148.10.0 0.0.0.255 Router(config)#interface Serial 0 Router(config-if)#ip access-group 130 in Router(config-if)#^Z Router#
TASK 3E-1 Creating Access Control Lists Setup: Use the network as diagrammed in Figure 3-16 for this task. 1.
Create the configuration fragment that you would use to create an Access Control List to prevent a SYN attack coming from the Internet into the private networks. Router#configure terminal Router(config)#access-list 135 permit tcp any 192.168.20.0 0.0.0.255 established Router(config)#access-list 135 permit tcp any 192.168.10.0 0.0.0.255 established Router(config)#access-list 135 deny ip any any Router(config)#interface Serial 0 Router(config-if)#ip access-group 135 in Router(config-if)#^Z Router#
Context-based Access Control Although a detailed discussion of Cisco’s Context-based Access Control is out of the scope of this book, this feature is quite valuable, and worth some investigation. The Cisco Context-based Access Control Lists function is part of the Cisco IOS Firewall Feature Set, and provides powerful options if your router is going to play a signification part of your firewall system.
144
Tactical Perimeter Defense
Cisco Context-based Access Control (CBAC) works by filtering TCP, UDP, and in more recent revisions, ICMP network traffic. CBAC is able to inspect “inside” the packet looking at the actual application. CBAC essentially works by creating a dynamic (temporary) connection in your router, by keeping track of the state of your network traffic. For example, assume you had an access control list that said no Telnet connections are to be accepted inbound from the Internet to your router. With CBAC, you can build your system to allow an inbound Telnet connection, IF the router recognizes that packet as the return traffic of a session that was started by an authorized internal user. When packets enter the router, they are first processed through the running of access control lists. If a packet is denied, it will not move on to the CBAC inspection. If the packet is allowed after running through the ACLs, then that packet will move on to CBAC inspection.
Since UDP communications do not establish a session, the CBAC system approximates the time (as defined by the administrator) a “session” should remain open.
Topic 3F Logging Concepts Although it does not get the credit or generate a high level of interest, logging on the router is a critical aspect of router hardening. Logs enable you to investigate attacks, find problems in the network, and analyze the network. When you are configuring the logging options on a router, just as logging elsewhere in the network, you must walk a fine line between gathering too much and too little information. Log too much, and you will have a difficult time finding that single piece of critical information you need to make a decision or to perform an action. Log too little, and you do not have enough information to make an informed decision or to take proper action. There are many different kinds of logging applications and software products that can track and record logs from all over the network. These applications can then send messages to a pager or cell phone when significant events happen. In this section, you will look at just the options that the actual router can manage, without using any major third-party applications.
Cisco Logging Options On a Cisco router, the device can log information using several different methods, such as: • Console Logging: Log messages are sent to the console port directly. •
Terminal Logging: Log messages are sent to the VTY sessions.
•
Buffered Logging: Log messages are kept in the RAM on the router. Once the buffer fills, the oldest messages are overwritten by newer messages.
•
Syslog Logging: Log messages can be sent to an external syslog server to store and sort the messages there.
•
SNMP Logging: Log messages are sent (by using SNMP traps) to an SNMP server on the network.
Lesson 3: Routers and Access Control Lists
145
Log Priority The router has a built-in function of priority listing for log messages. The levels range from 0 to 7. If a message is given a lower number, it is considered to be a more critical message. So, Level 1 is more critical than Level 6. When you select a level, that level and all others of a lower number will be displayed. For example, if you select level 3, you will be presented with messages from level 3 to 0. If you select level 7, you will be presented with messages from level 7 to 0. The following table lists the level of logs, along with their titles and descriptions. Level
Title
Description
0 1 2 3 4 5 6 7
Emergencies Alerts Critical Errors Warnings Notifications Informational Debugging
System is (or is becoming) unusable. Immediate action is needed. A critical condition has occurred. An error condition has occurred. A warning condition has occurred. Normal, but noteworthy event. Informative message. Debugging message.
The following table lists an example event for each level of severity. Level
Example
0 1 2 3 4 5 6 7
The IOS was unable to initialize. The core router temperature is too high. A problem in assigning memory occurred. The memory size allocated is invalid. Cryptography operation is unable to complete. An interface changed state to up or down. (This is a very common event.) A packet has been denied by an Access Control List. No event triggers this level; debug messages are displayed only when the debug option is used.
An example of what a log line will look like in the router is: %SYS-5-CONFIG_I: Configured from console by vty1 (172.16.10.1)
In this line, the %SYS-5-CONFIG_I indicates that a Level 5 message was logged. Following the colon is the message itself. In this case, the router had a configuration change made via a VTY session using IP address 172.16.10.1.
146
Tactical Perimeter Defense
Configuring Logging In the following examples, you will see how to configure different forms of logging. Some will use the buffer, others the console. Viewing the configuration fragments through this section will enable you to determine which type of logging you will use in given situations. On the Cisco router, the command to enable logging is entered in Global Configuration Mode, using the logging on command.
Timestamping In order for you to properly analyze the logs, you will need to know what happened when, not just that something happened. The assignment of a time that an event occurred, or to timestamp, is an option in the router. The Cisco command to configure the timestamp option is service timestamp log datetime. There are three options that can be added to this message. •
The msec option will include the millisecond in a log entry. This may or may not be required, based on your goals. If not added, the log will round the event to the nearest full second.
•
The localtime option will make the router stamp the logs using the local time, so that it is easier for people to read and analyze the logs. When using a syslog server, this option is often left off.
•
The show-timezone option adds the time zone to the log message. This can be useful when working with log files from many locations and regions.
When you are configuring logging in IOS 11.3 and earlier versions, the command must include the name of the level, such as Alerts. In IOS 12.0 and newer versions, you can use either the name of the level or the number of the level.
Console Logging Console logging is perhaps the most straightforward of all of the logging options in the Cisco router. The following configuration fragment shows logging set to level 5 and to use the console as the method. Router#configure terminal Router(config)#logging on Router(config)#logging console notification Router(config)#^Z Router#
In this example, level 5 logging has been configured, This means that items in the access list level will not be logged, nor will any debug messages. Had the goal been to see only those log messages that are level 2 or more critical, the proper command would have been logging console critical.
Buffered Logging Buffered logging requires you to define the memory size that will be used for the logs. The general formula that many follow is that if the router has less than 16 MB of RAM, your log can be 16 kilobytes. If your router has more than 16 MB of RAM, then your log can go as high as 32 or even 64 KB. On all logs, the time and date can be added to the messages, which is a recommended procedure. On buffered logging, however, it goes from a recommended to a required procedure. This is due to the fact that the router discards old messages and replaces them with new messages, when the buffer space is filled. So, the time of the log is a critical component to buffered logging. The following configuration fragment shows logging set to level 2, and using a timestamp.
Lesson 3: Routers and Access Control Lists
147
Router#configure terminal Router(config)#logging on Router(config)#logging buffered 16000 critical Router(config)#service timestamp log date msec localtime show-timezone Router(config)#^Z Router#
In this example, the amount of memory that has been allocated is 16 KB. The logs will go to the buffer and will be recorded if they are level 2 (Critical) or higher. Finally, full timestamping is used, including the local time and the time zone options.
Terminal Logging Normally, there are no messages sent to terminal sessions. This is for bandwidth purposes and, in some situations, security purposes. In order to allow logging to be visible on a VTY session, the terminal monitor command must be used. The following configuration fragment shows logging set to level 5, and to be sent to the VTY sessions. Router#configure terminal Router(config)#logging on Router(config)#logging monitor 5 Router(config)#^Z Router#terminal monitor Router#
In this example, the terminal session will receive all level 5 and higher messages. This is the first example that uses the numeric value of the level instead of the name, an indicator that the router must be at least IOS version 12.0. There is a second part for terminal logging. The above fragment will tell the router to log messages to the VTY sessions, but the VTY sessions have not been configured to see the messages. The terminal monitor command enables the VTY session to actually view the messages on screen. In the event that the logs become to numerous or are no longer needed, the terminal no monitor command can be used to stop viewing the logs on the VTY session.
Syslog Logging Cisco routers have the ability to send their log messages to a server that is running as a syslog server. This is a highly recommended method of logging in a production environment. Routers collect the log messages, just as they normally do. However, instead of showing them on the console, or storing them in memory, they are sent to a server that will manage the messages and store them to the server’s hard drive. This will allow for long-term storage and analysis of the information and will not be subject to real time analysis or memory constraints. Most UNIX and Linux servers have some version of the syslog server function, and there are many syslog applications for Windows systems on the market.
148
Tactical Perimeter Defense
To configure syslog logging on a Cisco router, there are four components: •
The destination host is any host that can be located using a host name, DNS name, or an IP address.
•
The syslog facility is the name to use to configure the storage of the messages on the syslog server. Although there are quite a few facility names, the routers will use the ones named Local0 through Local7.
•
The severity level of the logs can be viewed as similar to that of the other log messages, using the Cisco severity levels.
•
The source interface for the messages is the actual network interface that will send the messages to the Syslog server.
The following configuration fragment shows the setup of a router to use a syslog server. Router#configure terminal Router(config)#logging on Router(config)#logging trap 5 Router(config)#logging host 10.20.30.45 Router(config)#logging facility Local5 Router(config)#logging origin-id hostname Router(config)#logging source-interface Ethernet 0 Router(config)#^Z Router#
In this example, logging has been enabled. Logging is going to be sent to a syslog server, logging messages that are level 5 or more critical. The IP address of the syslog server is 10.20.30.45. (Additional servers can be used with multiple commands using different IP addresses here, for redundancy.) The facility on the syslog server is Local5, the origin-id is the hostname (Router in this example), and the source for these messages is Ethernet 0 on the router.
TASK 3F-1 Configuring Buffered Logging 1.
Create the configuration fragment you would use for buffered logging, using 32 kilobytes of memory. Include all timestamping options and log level 4 events. Assume that the router is running IOS version 12.2. Router#configure terminal Router(config)#logging on Router(config)#logging buffered 32000 4 Router(config)#service timestamp log date msec localtime show-timezone Router(config)#^Z Router#
ACL Logging The previous section on logging focused on the system log events, critical errors, and messages. Another important area to investigate is the use of logging in relationship to your Access Control Lists. When implemented, ACL logs are listed as Level 6 events. Lesson 3: Routers and Access Control Lists
149
In order to implement ACL logging, the commands are very simple. All you need to add is the keyword log or log-input to the end of the ACL statements. You do not want to add this line to all your ACL statements, however, or you will flood your logs with so much information that you will be virtually unable to identify anything useful. Use of the log keyword will list the type, date, and time in the ACL log, and is a valid option only for standard ACLs on IOS version 12.0 and newer. The log-input keyword adds information on the interface and source MAC address, and an example of the use of this is if the same ACL is to be applied to more than one interface. Logging may be one reason that you do not count on the default deny all rule of an ACL. If a packet is dropped due to the default deny all statement, that packet will not be logged. If, however, you add the following line as your last statement in the ACL, then packets will be logged: access-list 123 deny ip any any log.
Anti-spoofing Logging Earlier, you looked at the creation of anti-spoofing ACLs. In this section, you will see these ACLs used with the logging function to gather information for analysis. In these examples, assume that the internal network is 172.16.0.0/16. First, the configuration fragment of the list itself: Router#configure terminal Router(config)#access-list any log-input Router(config)#access-list Router(config)#access-list any log-input Router(config)#access-list Router(config)#^Z Router#
123 deny ip 172.16.0.0 0.0.255.255 123 permit ip any any 145 permit ip 172.16.0.0 0.0.255.255 145 deny ip any any log-input
For the next example, assume that the router has one internal Ethernet interface (where the trusted network is located) and has two external serial interfaces. The following configuration fragment shows the application of the ACLs, first list 123 then list 145, on their proper interfaces. Router#configure terminal Router(config)#interface Serial 0 Router(config-if)#ip access-group 123 in Router(config-if)#exit Router(config)#interface Serial 1 Router(config-if)# ip access-group 123 in Router(config-if)#exit Router(config)#interface Serial 0 Router(config-if)# ip access-group 145 out Router(config)#^Z Router#
VTY Logging When gaining access to the router, a primary method used was through VTY sessions. These sessions may come under frequent attacks at larger organizations. You will want to know who is and who is not successful at gaining access via VTY sessions—again, logging is the answer to that need.
150
Tactical Perimeter Defense
In this example, you will again assume the internal network 172.16.0.0/16, and that there is only one trusted host that has authorized VTY access, 172.16.23.45. With those variables defined, the following is the configuration fragment that will log VTY sessions on the router. Router#configure terminal Router(config)#access-list 155 permit host 172.16.23.45 any log-input Router(config)#access-list 155 deny ip any any log-input Router(config)#^Z Router#
Once you have created the list, as shown, you will need to apply the list. In the following configuration fragment, the list is applied to VTY sessions 0 through 4. Router#configure terminal Router(config)#line vty 0 4 Router(config)#access-class 155 in Router(config)#^Z Router#
TASK 3F-2 Configuring Anti-spoofing Logging 1.
Create a logged ACL that is used for anti-spoofing, using the following information: The router has interfaces Ethernet0, Serial0, and Serial1. Ethernet0 is connected to the only trusted network, which has the IP address 192.168.45.0/24. For this exercise, and in the interest of time, only create anti-spoofing for the defined network. If you want to expand this to include all private and reserved networks, you can do so, but it is not required. Router#configure terminal Router(config)#access-list 160 deny ip 192.168.45.0 0.255.255.255 any log-input Router(config)#access-list 160 permit ip any any Router(config)#access-list 170 permit ip 192.168.45.0 0.255.255.255 any log-input Router(config)#access-list 170 deny ip any any log-input Router(config)#^Z Router# Router#configure terminal Router(config)#interface Serial 0 Router(config-if)#ip access-group 160 in Router(config-if)#exit Router(config)#interface Serial 1 Router(config-if)# ip access-group 160 in Router(config-if)#exit Router(config)#interface Serial 0 Router(config-if)# ip access-group 170 out Router(config)#^Z Router#
Lesson 3: Routers and Access Control Lists
151
Summary In this lesson, you examined the fundamentals of router security and the principles of routing. You created the configurations that are required to harden a Cisco router and configured the removal of services and protocols. You examined the process of the wildcard mask and how it relates to the Cisco ACL. You created the configurations for ACLs to defend the network against attacks. Finally, you examined the process of logging on a Cisco router and configured buffered and anti-spoofing logging.
Lesson Review 3A What is authentication? Authentication is the process of identifying a user, generally granting or denying access. What is authorization? Authorization is the process of defining what a user can do, or is authorized to do. What is AAA? Authentication, Authorization, and Accounting. What are the methods of access to a Cisco router? • Console port •
Auxiliary port
•
VTY sessions
•
HTTP
•
TFTP
•
SNMP
3B List some of the advantages of using static routing. Responses might include: • Precise control over the routes that data will take across the network. •
Easy to configure in small networks.
•
Reduced bandwidth use, due to no excessive router traffıc.
•
Reduced load on the routers, due to no need to make complex routing calculations.
What is a security advantage to using RIPv2 over RIPv1? Using RIPv2 provides the security advantage of authentication, enabling the routers to identify who is and who is not able to update routing information.
152
Tactical Perimeter Defense
3C What is a security reason for disabling CDP? CDP might be broadcasting information about the router that is not intended to be public knowledge. What is an attack that you can defend against by disabling ICMP directed broadcasts? Smurf.
3D What type of Access Control List allows for the checking of port numbers? Extended ACLs allow for port checking. When a packet enters the router, what is the first thing the router will check regarding that packet? Is there a route for this packet? If yes, send to the ACLs if there are any; if no, discard the packet (and respond to the sender if need be).
3E What is the syntax for a standard Access Control List? Router(config)#access-list access-list-number {permit|deny} source [source-mask]
What is the syntax for an extended Access Control List? Router(config)#access-list access-list-number {permit|deny}protocol source source-mask destination destination-mask [operator|operand]
What is the syntax for implementation of a standard Access Control List? Router(config-if)#ip access-group access-list-number {in|out}
3F When a configuration change is made to the router, such as an interface being brought down, what level of message will this generate? Level 5. What is the command for an access list to be implemented on the VTY sessions? access-class [access list number] in
Lesson 3: Routers and Access Control Lists
153
154
Tactical Perimeter Defense
Designing Firewalls
LESSON
4 Overview In this lesson, you will be introduced to the concepts and technologies used in designing firewall systems. You will identify the methods of implementing firewalls in different scenarios, using different technologies. The strategies and concepts in this lesson are important in understanding later lessons.
Data Files none Lesson Time 2 hours
Objectives To identify the design and implementation issues of firewall systems, you will: 4A
Examine the principles of firewall design and implementation. Given a firewall system, you will identify and describe methodologies of firewall function and implementation.
4B
Create a firewall policy based on provided statements. Given the answers to questions regarding the firewall, you will create a firewall policy statement.
4C
Create a rule set to be used with a packet filter. Given a network scenario, you will create a rule set for a packet filtering firewall.
4D
Describe the function of a proxy server. Given a network scenario, you will describe the process of internal clients using a proxy server to access Internet web pages.
4E
Describe how a bastion host is included in the security of a network. Given a network scenario, you will describe how the creation of a bastion host functions in the security of the network.
4F
Describe the function of a honeypot in a network environment. Given a network running Windows 2003, describe the function of an effective honeypot in the security of the network.
Lesson 4: Designing Firewalls
155
Topic 4A Firewall Components The concept of Network Security today is a varied and challenging topic to discuss. There are so many different areas of the network architecture to be concerned with, ranging from messaging systems to databases, from file and print solutions to remote network access. In between these areas of our network, we find things such as access control solutions, user control policies (group policies in a Windows environment), and a host of settings, functionality and options that serve to confuse and confound the average user of a computer in a domain based network today. It was not that long ago that security and the protection of network based assets was clearly the domain of the network engineer, that person who was technically savvy, highly skilled, and often times hard to talk to and understand if you were not also a network engineer. The challenges faced by these network engineers, access control, asset protection, and risk mitigation, have not changed at all, and yet at the same time, the technology used to address these issues has undergone startling transformations in both the areas of complexity, as well as capability. One need only look at the advances in the area of the firewall to see all too clearly how this transformation has had a direct, undeniable, and profound impact both on network security and on user’s perceptions of that security, and the people that provide it. The following image in an example of a simple firewall
Figure 4-1: An example of a single firewall. The firewall itself is positioned logically between the internal network (the LAN) and the external network (the WAN). The firewall sits there performing its job, denying and granting access based on rules that the network/security administrator has created and assigned to the device.
156
Tactical Perimeter Defense
Over the last few years, providing this option to simply grant or deny access has typically been enough to provide a basic level of security and protection to most, if not all of our networks. The challenge that has been steadily rising in relation to the provision of basic security, has been that the hackers and the enemies of the networks that are protected by firewalls have not been content to sit back and quit trying to figure out how to “ break “ the security afforded by the firewalls. As a result, the addition of new features and options for the firewall has become a very important part of the continuing evolution of network security overall, and the ability to protect our networks from unauthorized and unwanted network access and traffic in particular. In addition to denying and granting access, now a firewall may offer one or more of the following services: • Network Access Translation (NAT): NAT is used by the router to translate internal private IP addresses to external IP addresses. •
Data Caching: This option allows the router to store data that is accessed often by network clients.
•
Restriction on Content: This option is available in many newer systems, allowing the administrator to control Internet access based on keyword restrictions.
Firewall Methodologies Firewalls have two general methods of implementing security within a network. Although there are variations of these two, most modifications still boil down to one or the other. They are: • Packet filtering •
Proxy servers (application gateway)
Packet filtering was the first type of firewall used by many organizations to protect their networks. The general method of implementing a packet filter was to use a router. These routers had the ability to either permit or deny packets, based on simple rules the administrator would create. Even though these firewalls could perform this type of filtering, they were limited by the fact that they were designed to look at the header information of the packet only. An example of this drawback would be that a filter could block FTP access but could not block only a PUT command in FTP. The addition of proxy server (also known as an application gateway) capabilities to the firewalls created a much more solid security product than a pure packet filter was capable of providing on its own. The proxy software can make decisions based on more than the header of a packet. Proxy servers use software to intercept network traffic that is destined for a given application. The proxy recognizes the request, and on behalf of the client makes the request to the server. In this case, the internal client never makes a direct connection to the external server. Instead of a direct connection, the proxy functions as the man-in-the-middle and speaks to both the client and server, relaying their messages back and forth. The major advantage to this is that the proxy software can be instructed to permit or deny traffic based upon the actual data in the packet, not simply the header. In other words, the proxy is aware of communication methods, and will respond accordingly, not just open and close a port in a given direction. Lesson 4: Designing Firewalls
157
What a Firewall Cannot Do So if a firewall can use packet filtering, proxy services, a combination of both, or custom filtering to create secure environments for our data, the logical question that we have to ask is “what can’t a firewall do to protect the network?“ All too often a network/security administrator is told to go and buy a firewall to secure the network. Unfortunately, as is usually the case, this is the extent of the conversation. No other discussion(s) takes place that would allow the network/security administrator to gain a better understanding of the reason(s) behind the need for a firewall, and what the goal of placing the firewall within the network topology is supposed to accomplish. In relation to our network/security administrator, and their quandary about having to purchase a device that will do a large number of things, all, or most of which, might or might not be necessary for the network security issue(s) in question, it will be helpful for us to briefly look at what a firewall cannot do, so we can begin to understand what it can do. A few areas where a firewall will have difficulty in securing the network are as follows: • Viruses: Some firewalls do have the ability to detect virus traffic, however attackers can package a virus in so many forms and firewalls are not designed as anti-virus systems, that this is not a primary function of a firewall. Your firewalls may be able to identify some virus traffic, but you should always use internal anti-virus software. •
Employee misuse: This is a hard point, but a valid one. Employees often do things unknowingly. They may respond to forged email addresses, or they may run programs that come from friends, assuming they are safe.
•
Secondary connections: If employees have modems in their computers and/or are able to use a wireless network connection, they may make new connections to the Internet for personal reasons. These connections render much of the firewall useless to this client. If File and Print Sharing is turned on, this can lead to adverse results, while the firewall itself may be properly configured.
•
Social engineering: If the network administrators gave out firewall information to someone calling from your ISP, with no verification, there is a serious problem.
•
Poor architecture: Without a well thought out and vetted firewall design, it becomes very difficult, maybe even impossible to configure the firewall properly in order to ensure that the necessary security precautions are in place within the network at all times.
Implementation Options for Firewalls There is no one correct standard for implementing a firewall within a network. The following concepts show several different possibilities for firewall implementations.
158
Tactical Perimeter Defense
A Single Packet Filtering Device As shown in the following figure, the network has been protected by a single device configured as a packet filter, permitting or denying access based on the contents of the packet headers.
Figure 4-2: An example of a single packet filtering device.
A Multi-homed Device As shown in the following figure, the network is being protected by a device (most likely a computer) that has been configured with multiple network interfaces. Proxy software will run on the device to forward packets between the interfaces.
Figure 4-3: An example of a single multi-homed device as a proxy server.
Lesson 4: Designing Firewalls
159
A Screened Host As shown in the following figure, the network is protected by combining the functions of proxy servers and the function of packet filtering. The packet filter accepts incoming traffic from the proxy only. If a client directly communicates with the proxy filter, the data will be discarded.
Figure 4-4: An example of a screened host running behind a packet filtering device.
A Demilitarized Zone (DMZ) In the following figure, the network has a special “zone,” or area, that has been created to allow for the placement of servers that need to be accessed by both Internet and intranet based clients. This special zone, the DMZ, requires two “filtering” devices, (firewalls will traditionally be used for this) and can have multiple machines existing within its boundary.
160
Tactical Perimeter Defense
Figure 4-5: An example of a Demilitarized Zone (DMZ).
Lesson 4: Designing Firewalls
161
TASK 4A-1 Firewall Planning Objective: In order to implement firewall systems, you will need to be able to diagram the different methods used for implementation. 1.
162
Tactical Perimeter Defense
Diagram the method described in this topic for the firewall implementation that most accurately reflects your current network design.
If you had a “blank check” and could design a firewall implementation for your network, what would that design look like? If it differs from your current design, please diagram the new solution that you would build.
Topic 4B Create a Firewall Policy Before you can identify configuration options, or implementation techniques, you must have a firewall policy. In many instances, organizations rush into firewall selection and installation, without enough thought on how this complex device is to be used. For a firewall to be designed and deployed correctly, there must be a firewall policy in place. While not as complete as an organizational security policy, the firewall policy has its place. The policy items in place for the firewall are part of the overall security policy the organization uses. The firewall policy can generally have one of two viewpoints: either deny everything except what is explicitly allowed, or permit everything except what is explicitly denied. It is general consensus that the former of the two viewpoints is used.
Lesson 4: Designing Firewalls
163
It is a good starting point to assume that all traffic is to be denied, except that which the policy has identified as explicitly being allowed. This also usually turns out to be less work for the network/security administrator. Imagine creating a list of all the ports Trojans use, and all the ports for applications your users are not authorized to use, and then creating rules to block each of them. Compare that to creating a list of what the users are allowed to use, and granting them access to those services and applications explicitly. There are different names for the items that can be included in the security policy, and the ones that follow are very common. The items include the Acceptable Usage Statement, the Network Connection Statement, the Contracted Worker Statement, and the Firewall Administrator Statement. After building the overall security policy, if it becomes very large (some organizations have policies that are hundreds of pages long), you may want to pull out and copy the sections related to the firewall and have a separate subdocument for the firewall alone. Having subdocuments is not a requirement, but it makes reading the policy much easier. The subdocuments are easier to index, reference, and view. Many organizations now run an internal web server to house important documents, such as the policies, for employees. The policy is one of those documents, and the subdocuments are easier to view and read when only a handful of pages, versus scrolling through 200 pages of content.
The Acceptable Use Statement This portion of the policy can take the most time, energy, meetings, and effort to create. To be able to describe, in detail, the proper usages of a computer within the network is a difficult task for some organizations. There is a necessary balance that must be achieved between wanting to maintain tight security and giving employees the ability to do their jobs. Of all the potential devices in an organization however, the computer is often the most misused. It is this misuse that the security policy attempts to control. Several points to consider when creating this portion of the policy are as follows: • Applications other than those supplied by, or approved by the company are not to be installed on any computer. This includes any programs that can be downloaded from the Internet or brought in on CD-ROM, DVD-ROM, USB device, or floppy disk. •
164
Tactical Perimeter Defense
Applications that have been provided for the individual computer in the organization may not, under any circumstances, be copied or installed onto any other computer, including the user’s home computer, unless the organization has made it clear, through written policy, and participation in an appropriate licensing program authorized by the vendor, that employees have the ability to exercise “Home Use Rights “ for the particular software in
question. If a backup copy is required for archive, the organization will be responsible for creating and storing the archive copy. •
Computers may not be left unattended with a user account still logged on. If a user is temporarily away from the computer, the computer must be left in a locked state. Screensavers must employ the password protection option.
•
The computer and its installed applications are to be used for organizational related activity only.
•
The computer and its installed applications may not be used in any way to threaten or harass another individual.
•
The installed email application is the only authorized email service allowed for use, and employees may not use this email service for personal use.
From this list, you can see the types of things that are to be covered in the policy. If there are examples that cannot be implemented on the firewall, even in part, they may be best located in the overall security policy document for the organization. Some of the examples given in the previous list fall into that category; for example, screensavers, installing applications at home, or threatening of individuals. These items clearly must be in the security policy, but may not be items that can be directly implemented on the firewall.
The Network Connection Statement This portion of the policy involves the types of devices that are to be granted connections to the network. Here is where you can define the issues related to the network operating systems, devices that use the network, and how those devices must be configured in order to use the network in a secure fashion.
Lesson 4: Designing Firewalls
165
This section may have the most functional use on the firewall, as this section is defining actual network traffic. Some of the items that may be included in this portion are: • Network scanning is not to be permitted by any user of the network, other than those in network administration roles. •
Users may access FTP sites to upload and download needed files, but internal user computers may not have FTP server software installed and running.
•
Users may access WWW on port 80 as required.
•
Users may access email on port 25 as required.
•
Users may not access NNTP on any port.
•
Users in subnet 10.0.10.0 are allowed to use SSH for remote administration purposes.
•
Users not in subnet 10.0.10.0 are not allowed to use SSH to connect to any location or device.
•
Users may not run any form of chat software to the Internet, including, but not limited to, AOL Instant Messenger, Yahoo Chat, IRC, ICQ, and MSN Chat.
•
Users may not download files over 5 MB in size.
•
Anti-virus software must be installed and running on all computers.
•
Anti-virus updates are required weekly on user computers.
•
Anti-virus updates are required daily on all servers.
•
No new hardware (including network cards and modems) may be installed in any computer by any party other than the network administrators.
•
No unauthorized links to the Internet from any computer are allowed under any circumstances.
As you can see this list could go on and on. These are only examples to get you started. This section can get technical, as in deciding which ports to allow to and from subnets or computers in the network. This may be where you spend the most time developing the firewall policy, as it is most relevant to implementation on the firewall.
The Contracted Worker Statement This portion of the policy is often overlooked. The policy must address the issue of contracted, or temporary, workers. These individuals may require only occasional access to resources on the network. The list of items for the contracted worker statement may overlap with other areas of the policy but this does not present a problem. Obviously, the feature or rule would only be implemented once, but it is better to list an item twice than to assume the item has been covered elsewhere.
166
Tactical Perimeter Defense
Some examples of items in the contracted worker statement portion of the policy are: •
No contractors or temporary workers shall have access to unauthorized resources.
•
No contractor or temporary worker shall be permitted to scan the network.
•
No contractor or temporary worker shall copy data from a computer to a form of removable media, such as CD-ROM, DVD-ROM, USB device, or floppy disk.
•
No contractor or temporary worker may use FTP, unless specifically granted permission in writing.
•
No contractor or temporary worker will have access to Telnet or SSH unless specifically granted permission in writing.
From these examples, you can see that there are areas which overlap. As the saying goes, it is better to be safe than sorry.
The Firewall Administrator Statement Some organizations may not have a separate statement for the administrator of the firewall itself. If yours is one that will require such a statement, here are some possible examples of the items that could appear in it: • The firewall administrator must be certified by the vendor of the firewall. •
The firewall administrator must have SCNA certification.
•
The firewall administrator must know all the applications authorized to be installed on computers in the network.
•
The firewall administrator shall report directly to the Chief Security Officer.
•
The firewall administrator must be reachable at all times—24 hours a day, 7 days a week.
As you can see, this area can almost be considered the job role of the firewall administrator. Some organizations will have such a policy, others will not. It can be a benefit in a large organization to know these items, and to have them written in the policy. From these examples, you can start to build the framework for the security policy, and, in this case, the specific firewall portion of the policy. The firewall policy should be a working document that can be modified on a regular basis. The security world is ever-changing, so be sure your policy changes with it!
TASK 4B-1 Creating a Simple Firewall Policy 1.
Read through the following scenario of a corporate network. The network is a single office, with 200 nodes. Currently, it is connected to the Internet through a single 64K ISDN, but they are getting 1.5M SDSL installed in a week, and want to use a firewall on their new connection. The network is a single Windows NT 4.0 domain with an internal web server and an internal email server. The internal servers are accessed by employees and customers over the Internet. Lesson 4: Designing Firewalls
167
The CEO has stated that email must not be used for personal use and that no one can download anything harmful to the network or organization. You are the firewall administrator and have given the CEO a more specific set of questions, which are answered here: Your Question
The CEO’s Answer
Can the users use newsgroups? Can the users run Telnet to the Internet? Can the users visit external websites? Are there any websites to be defined as off limits? Can users use Instant Messaging software? Can users upload to FTP? Can users download from FTP? Can users access external email servers? Who is the firewall administrator? Is 24x7 firewall support expected?
No. No. Yes. Anything pornographic. Only internally. No. Only if it is not a dangerous file. Yes, if it is company-related. You are. Yes.
Topic 4C Rule Sets and Packet Filters Having a solid policy is one important part of preparing to implement the firewall. Another, is being aware of the different types of firewalls that exist. We briefly discussed firewall methodologies earlier, and now we will focus on packet filtering. Packet filters were the first types of firewalls used to protect networks. Traditionally, packet filters were (and are still) implemented as access control lists on routers. This single border security device was all that was needed for quite some time. The router becomes the single access point to the network, and the place where the packet filtering functions. In the following figure, you can see examples of where the router may be located. The function of the packet filter will differ based on its location in the scheme of the network.
168
Tactical Perimeter Defense
Figure 4-6: An example of the location of packet filters. In the first example, there is only a single device running as the packet filter for the network. This device will have to be configured very well, as the security of the network is riding on its rules. In the second example, the packet filter must be carefully configured not to allow direct access from clients on the internal network to the Internet. Likewise, it must be configured so that traffic from the Internet cannot directly reach the internal clients. In the third example, a DMZ has been created. This requires the two devices to be configured differently. As such, the packet filter directly connected to the Internet must be secured to allow access to the hosts on the DMZ, but not the internal network. The packet filter connected to the internal network must be secured so that clients can access the hosts on the DMZ, but not the Internet directly.
The Packet Filter Rules Regardless of the implementation of packet filter that is used, there must be a set of rules in place for the packet filter to use in making decisions. For creating the rules, you can consult your firewall policy, as discussed earlier. The general questions that should be answered are: • Which services are to be allowed to access the Internet from the intranet? •
Which services are to be allowed to access the intranet from the Internet?
•
Which hosts are allowed specific access that others do not have?
Lesson 4: Designing Firewalls
169
Although each product will have different methods of implementing these rules, there are some basic considerations that apply to nearly all packet filtering devices. They include: • The interface to which the rule will apply. For example, is it the internal network interface, or the external Internet connection? •
The direction of the packet. Will this rule apply to packets that are entering on the defined interface, or does it apply to packets that are leaving on the interface?
•
Addresses used to make the decision. Will the rule base its decision on the source IP address, destination IP address, or both?
•
Ports used to make the decision. Will the rule base its decision on the source port, destination port, or both?
•
Higher level protocols. Is this rule to be based on the protocol using IP, such as UDP or TCP?
Ports and Sockets Before we can get into the specifics of the rules, we need to review TCP/IP, ports, and sockets. This is shown in the following figure. The IP address specifies the host that is communicating, and the port identifies the actual end-points of the network communication. Ports allow for multiple connections to different applications via the same two hosts at any given moment. A socket is an IP address combined with a port number. Since the first 1023 ports are defined as privileged, ports higher than 1023 must be used for return communication of common protocols. In other words, when you request a web page at port 80, it is returned to you at a port higher than 1023.
Figure 4-7: An example showing ports in exchange of a web page. Keeping this in mind, let’s look at some rules that can be created with the packet filter. Assume it is the goal to only allow access to web pages on the Internet and the DMZ; the Internet can access web pages on the web server, and all other services are not to be allowed access to the Internet. The following figure depicts rules for a firewall.
170
Tactical Perimeter Defense
Figure 4-8: Building rules for the firewall. In this case, the first rule allows the Internet to access port 80 of the web server, which can respond on any port higher than 1023, the second rule. The third rule allows outbound requests to external web servers on port 80, and the fourth allows those requests to be returned. The final rule disallows all other traffic. Is this a good set of rules? No! While it may initially look like it does the requested job, it has in fact left most of the network side open. The firewall will accept connections from the whole world on ports higher than 1023. This was not the intention. A simple Trojan horse program could take the network down, as if there were no firewall in place. To increase the security of the network then, another level is required. This next level is used to define the source and destination ports. For example, rule number 2 should add port information for both the source and destination. It could then state: outbound traffic is fine to go to ports higher than 1023, if the data originated from port 80. Likewise, rule 4 could state that data may be accepted higher than 1023 if it came from port 80. You’ll see an example of what rule 4 should not look like in the following figure.
Figure 4-9: The highlighting of rule 4, adding source and destination ports. Note this example leaves the high ports open, which is not considered good security. These additions increase the security of the rule set substantially. There should never be an open rule like rule number 4 shown here.
The Ack Bits Another option to add to the rule set that can increase security involves the ack bit. This bit is set only in response to a request. When a packet is sent to establish the connection, this bit is a zero; when the reply is returned, the bit is set to a one. Your firewall can examine this bit to ensure that the packet is indeed a reply to communication that originated inside the network. Adding the ack bit on top of the source and destination ports in the previous example increases security. An example of what this rule may now look like is shown in the following figure.
Lesson 4: Designing Firewalls
171
Figure 4-10: Rule 4, with the additional ACK bit. Now if we look at this same rule with our added functions of source and destination port, and the inclusion of the ack bit, we can see that the firewall rule has become more secure. In order for a packet to meet this rule, it must have originated from port 80, have the ack bit set, and a destination port higher than 1023. We can feel comfortable with this rule now that it has been tightened.
Stateless and Stateful Packet Inspection Now that you have an idea of where and how packet filters can be placed in the defense of a network, we will discuss the types of packet filters. Packet filters fall into one of two major categories: • Stateless packet filters, sometimes called standard packet filter. •
Stateful packet filters.
Stateless Packet Filters As we have discussed, packet filters are generally implemented on border routers, using a given set of rules. The theory behind a packet filter is that it may make a decision about a packet based on any portion of the protocol header; however, the vast majority of filters are based on the most significant information in the header. Those areas being: • IP address filtering. •
TCP or UDP port numbers.
•
Protocol type.
•
Fragmentation.
IP Address Filtering IP address filtering is perhaps the oldest form of packet filtering. If you want to block access to a specific host, create a rule that says that IP address is off-limits. If you want to grant access to an entire subnet, create a rule that says that subnet has access. The IP address filters allow for permitting or denial of addresses, using only the IP address to make the decision. If the filter were to try to define all the hosts that are to be denied, the rule set would get very long, and a rule like that for individual hosts in a large organization is unreasonable. Since the rule set can get very long, the odds of making a mistake are increased, and therefore, it is not a good way to implement strong security in a large organization. Using the filter to specifically grant access by an IP address, on the other hand, can be much more effective. The areas that hosts will be allowed to access will be, by the very nature of security, a lesser number than the areas in which hosts are not allowed access.
172
Tactical Perimeter Defense
Using primarily allowed addresses over denied addresses makes the implementation of the rules easier. And, it makes the task of the attacker a bit harder. The attacker would have to learn the list of approved addresses to attempt an attack. When the attacker does finally learn the addresses, he or she can spoof the source IP address and get a packet past the filter. If the attacker was trying to execute a denial of service attack (DoS), this will get them past the packet filter with no problems. If the attacker was performing a different type of attack, where the return packet was not needed, this type of filter is easily bypassed with spoofed source packets.
TCP and/or UDP Port Numbers Dealing with the Internet, using TCP and/or UDP port numbers in the packet filter will increase its effectiveness. Filtering at this level, in addition to the IP address, is commonly used in most networks today. If the host is running only the WWW service, there is no need to have any port open other than 80 (or 443, if SSL has been added). As with IP addresses, it is much easier to open the ports that are needed, versus closing the ports that are to be denied. With over 65,000 ports to open or close, no doubt most people would agree.
Protocol Filtering In the event that using port numbers of UDP and TCP are still not enough, you can resort to protocol filtering. Packet filtering of this type investigates the contents of the header to determine the upper layer protocol used. If there is a match, accept or discard. The protocols you may choose to block or accept are few: • TCP •
UDP
•
ICMP
•
IGMP
Although this type of filtering can be used, it is very limiting—use caution when employing this strategy. If you have a server running a service that uses UDP, and that is the only authorized service on the server, then allow only UDP. But, be aware that such a move removes the option of troubleshooting utilities such as ping, due to the lack of ICMP.
Fragmentation When networks and routing were first developed, many of the links used had very small bandwidth capabilities. Due to this, large files transmitted across the Internet had to be broken into several pieces. This is known as fragmentation. When packet filters inspect the header, if the packet is a fragment, they will see the port number, protocol type, IP address, and an indicator that this is fragment 0. Herein lies the problem: fragments 1 through x do not contain this same information, so the packet filter has nothing to use in making a decision. The packet filters would drop fragment 0, and allow the remaining packets through. The logic was that without the fragment 0, the packet could not be used. This was not always the case.
Lesson 4: Designing Firewalls
173
Smart and very TCP/IP savvy attackers would create entire attacks that begin with fragment 1. The attackers were aware that many versions of TCP/IP would go ahead and reassemble fragments even if fragment 0 was missing. These attacks would pass through the packet filter as if it were not even there.
Stateful Packet Filters It should be obvious by now, that despite their best efforts, stateless packet filters simply are not good enough for the security needs of today’s networks. The logic a stateless packet filter employs is not complete. Stateful packet filters still employ the same techniques as stateless packet filters, but they do not base their decisions on single packets. A decision cannot be made on a single packet-by-packet basis alone, if the network is expected to be safe. That single packet does not describe the overall communication that is occurring between the two hosts. The way that stateful packet filters have increased security is by remembering the state of connections at the network and the session layers as they pass through the filter. This session information is stored and analyzed on all packets moving through the filter. For example, if a client on the internal network initiates a connection to an unknown host on the Internet, it sends the SYN along with the IP address and port number for the destination host. As this packet passes through the filter, an entry is made into the state table logging the connection information. When the filter receives the return packet, it can look at its table and see that the address, port number, and SYN/ACK setting match what is expected. In the event that a packet is received and there is no entry in the table for this packet, then the packet is dropped. The following figure shows an example of the steps of the stateful packet inspection.
Figure 4-11: The Stateful Packet Filter function.
174
Tactical Perimeter Defense
The stateful packet filter will remove entries in the state table if there is no response, usually within a few minutes. This is to ensure there are no holes left open for an attacker to exploit. The rules are programmed into the stateful packet filter, just as they are in a stateless packet filter, although they may be called policies instead of rules.
How Attackers Get Around Packet Filters Although packet filters are solid security devices, they need to be supplemented with other services the firewall can perform, such as proxy and NAT. Still, you may be wondering how attackers get around packet filters. Some of the exploits are due to poor design by the firewall administrator, yet others are limitations imposed by packet filtering itself. Many packet filters will drop fragment 0 (called the 0th fragment), but allow the remaining fragments through. This can be a serious security hole, so be sure to check how your firewall handles fragmentation. The attacker can simply place a whole valid packet in one that has been marked as fragment 1, effectively bypassing the security of the packet filter completely. One of the most critical errors is not in the technology, but in the implementation of the filter. If you had only a web server and email server on your network, and you configured the packet filter to only allow ports 80, 443, and 25 in, all other inbound ports were closed, and all outbound ports open, you have a very insecure network. The outgoing ports are as critical to configure as the inbound ports. Make sure you do not fall into this trap of blocking only inbound ports. It may look secure, but it is not. These are two examples of how packet filtering can be bypassed, and examples of why additional security services are needed.
TASK 4C-1 Firewall Rule Creation 1.
Read through the following scenario of a corporate network. Your network is a mixed environment of Windows NT, Windows 2000, UNIX, and Linux. Your users in the network need to access FTP sites for upload and download, websites, and email servers on the Internet. Your net-
Lesson 4: Designing Firewalls
175
work provides a web server and email server that need to be accessed by the Internet.
2.
Based on this scenario, create a sample rule set, or portion thereof, needed for this packet filter.
Topic 4D Proxy Server As you have seen, packet filters are a great start to securing the network with a firewall. But, they also require help to create a more secure environment. One of the ways to increase security is to add the services of a proxy server. Proxy servers were initially used to cache commonly visited web pages, speeding up the network and Internet use. They have evolved to not only cache web pages, but have become part of the security system of a network. The packet filter, as discussed, works by inspecting the header information and basing the decision on defined rules or policies. The proxy works at the application layer, and is able to provide services to the network. The proxy acts as a sort of gateway (which is why it is also called an application gateway), for all packets to flow through. When a proxy is configured and running on the network, there is no direct communication between the client and the server. The packet filter allows for this direct communication, while the proxy prevents it. A significant distinction then between a packet filter and a proxy server is that the proxy understands the application or service that is used, and the packet filter does not. The proxy server can then permit or deny access, based on what actual function the user is trying to perform.
176
Tactical Perimeter Defense
Proxy Process In this example, the client has requested a web page, and identified the server that has the web page. The request for the web page is passed to the proxy server. At this point, the proxy server does not act as a router and forward the packet. What it does is consult its set of rules regarding this service (WWW in this case), and decide if the request is to be granted or not. Once the proxy has made the decision to allow the request, a new packet is created with a source IP address of the proxy server. This new packet is the request for the web page from the destination server. The web server receives the request, and returns the web page to the requesting host. Since the proxy is running, the requesting host is the proxy server. When the proxy receives the web page, it checks its rules to see if this page is to be allowed. Once the decision is made to proceed, the proxy makes a new packet with the web page as the payload, and sends this to the original client. The following figure is an illustration of the basic function that a proxy server plays in the network. Notice the client packet never directly reaches the server, and vice versa.
Figure 4-12: A WWW proxy running in a network. This type of service can increase the security of the network considerably, as no packets can pass directly from the client to the server. The proxy service will need to be configured for each type of service that is allowed. For example, a separate proxy will be needed for SMTP, WWW, FTP, and Telnet, if all these services are to be used. The proxy server needs to be configured to work in both directions, just as a packet filter. This is the only way to be sure no packets are passed by the proxy server.
Lesson 4: Designing Firewalls
177
Proxy Benefits There are several benefits to the network, from a security point of view, that a proxy can provide. The list of advantages can be large; provided are the major benefits: • Client invisibility. •
Content filtering.
•
Single point of logging.
Client Invisibility The basic proxy process highlights this feature. The ability to have the client’s inside IP address never appear to the Internet is a great benefit. Attackers not knowing the internal structure of the network have a harder time gaining access and attacking internal clients.
Content Filtering In the modern era, businesses have to be very sensitive to the needs of employees. This includes exposure to any offensive material, as much as can be prevented. Content filters can be programmed for many types of inspection. They may be programmed to look for certain keywords or phrases. Many employers use filtering to block the websites of major headhunters and resume posting sites. These filters can also be used to prevent Active-X controls from being downloaded, Java Applets being run, or executables being attached to email.
Single Point of Logging One of the more significant benefits of proxy servers may be the ability to have a single point of reference for logging data. Since all traffic is flowing through a single point, it is relatively easy to re-create an entire session of web browsing for a user to identify problems.
Proxy Problems Even though it seems as if there are only benefits to adding proxies, and in most cases this may be true, you need to be aware of potential problems of using proxies. As with all technologies, there are possible issues that may arise, such as: • Single point of failure. •
A proxy for each service.
•
Default configurations.
Single Point of Failure Perhaps one of the most serious issues with a proxy server is the creation of a single point of failure. If the entire network is running through the same proxy, that machine becomes quite critical, and must be configured properly. A common mistake is to forget that the proxy itself is unprotected. Although it is protecting the internal network, if there is an interface directly connected to the Internet, it is wide-open to attack, both to Denial of Service and intrusion attempts. 178
Tactical Perimeter Defense
Be sure that the proxy is, in addition to other security mechanisms (such as a packet filter), used to reduce the likelihood of a direct intrusion attack on the proxy. If the entire network is dependent on this machine, you need to take good care of it!
A Proxy for Each Service More of a configuration issue, but still worth noting, is that the proxy must be configured for each service. If the network is allowing many different types of services in both directions, this can create considerable work. When services are added, it is important that the proxy server remain securely configured.
Default Configurations The majority of proxy server software is designed for functionality over security. The applications are created to get users up and running quickly, and give them access to the resources they need. This is the opposite of security. Therefore, when implementing a proxy, it is recommended to not use the default configurations. Take the time to implement the rules and restrictions, as they are needed.
TASK 4D-1 Diagram the Proxy Process 1.
Diagram the process of an internal client in the network requesting an email message from the remote server running SMTP.
Lesson 4: Designing Firewalls
179
Topic 4E The Bastion Host In order to create a firewall or proxy, there must be a platform for the software to use. In some instances, there is a dedicated piece of hardware that will run the firewall software. In this topic, you will learn about the process of setting up a server to run the software. This server is called the bastion host. Bastion host is a term used for a computer that has been hardened in a manner much more securely than any other computers in the network. This server is using every security option that comes with the operating system to the maximum that it can be used. All auditing has been configured, all authentication has been configured, and encryption (where relevant) has been configured. Further configuration would be the removal of all services and applications not deemed absolutely necessary for the server to function. All user accounts are removed, except for those required for server management. Every service, application, and user account that is removed is one less target for a potential attacker. Once the computer has been configured, then the software may be installed and configured on top of the base operating system. This computer should not be considered the single line of defense, but rather, one link in a chain. The security of the network cannot rely on a single component, so the bastion host is one of several in a well designed network, as shown in the following figure. The first line of defense is the router, connecting the network to the Internet, which should be configured with appropriate packet filtering. Following the packet filtering router is where the bastion host running proxy services is located. If the network is small, one bastion host running the proxy services for the entire network may be fine. In a large network, there are likely to be many bastion hosts, each running different proxy services.
Figure 4-13: : The most likely location of a bastion host.
180
Tactical Perimeter Defense
The basic steps that must be followed in setting up a host as a Bastion are: •
Remove unused applications.
•
Remove unused services.
•
Remove unused user accounts.
•
Enable auditing.
Other standard techniques for creating a Bastion host to run as a firewall are: •
Install the operating system from scratch, formatting the disk first.
•
Do not use a dual-boot computer.
•
Remove unused hardware, such as modems or sound cards.
•
Use very strong authentication methods, such as a tokens or biometrics.
•
Implement a utility to check files for tampering, such as TripWire.
An Attack on the Bastion Host Since this computer is the machine that is providing many services to your network, it is likely to be the target for many different attacks. However, since you have set up the computer properly ahead of time, you have the ability to deal with these attacks. Since you have enabled logging and auditing, the intrusion should be detected quickly with a scan of the logs and generated reports. Inevitably, there may be an attack you do not catch right away. It is this part of security that drives administrators mad. Once you catch the intrusion, you must investigate further to determine the cause. This is where your file tampering software comes into play. You must identify if there has been a Trojan placed on the host, or if any system files have been accessed. Once the bastion host has had an intrusion, it is critical that the remaining computers in the DMZ or network, be examined quickly for possible intrusions. A compromised bastion host often leads to a compromised network. An important point that must be made is in relation to the knee-jerk reaction that many administrators have in these situations, which is to attempt the restoration of the system from backup once it has been compromised. Unless you can identify the date that the intrusion happened, how can you be sure your backup is not also infected? The best solution is to begin from scratch and re-create the bastion host, starting with formatting the disk. It will take time, but it is the best way to restore this host to the network.
Lesson 4: Designing Firewalls
181
TASK 4E-1 Describing a Bastion Host 1.
Describe the function of a bastion host in creating a secure network environment. Bastion host is a term used for a computer that has one or more network interfaces exposed to the Internet. The OS (typically a server OS) on such a device is hardened in a much more secure manner than any other computers in the network. Further configuration would be the removal of all services and applications not deemed absolutely necessary for the server to function. Once the computer has been configured, then the software that dictates rule sets for internal or external traffıc may be installed and configured on top of the hardened OS.
Topic 4F The Honeypot One area that is the subject of much discussion in security circles is the use and deployment of honeypots. For some security professionals, network security is not fully functional without one, while others feel it is an unneeded and potentially dangerous part of the network.
What is a Honeypot? Just as honey attracts bears, a honeypot is a computer designed to attract attackers. If an attacker has managed to get past your packet filter into your DMZ and is scanning for options, the honeypot should be the one computer that sticks out. This is depicted in Figure 4-14.
182
Tactical Perimeter Defense
Figure 4-14: Two examples of where the honeypot may be located.
Goals of the Honeypot There are several goals for the honeypot. You would like the honeypot to provide enough of a lure that attackers stay away from your other equipment. You want the attacker to see a vulnerability that they know they can exploit and use to gain access to the computer. This vulnerability needs to be such that the attacker focuses their energy on exploiting this computer, as opposed to the email server (for example) sitting right next to it. In addition to trying to keep attackers away from your more secure systems, one of the goals of a honeypot is for logging. Knowing that this system is one that will be attacked, you can take extra measures in logging. These logs should be moved off the system frequently, perhaps hourly or daily if your network is a high profile target. Another goal of the honeypot is to increase the ability to detect and respond to incidents. The theory is that if you are aware of what the attacker is doing to your honeypot, you can be better prepared to defend or, if possible, prevent that attack from being carried out successfully against your production systems. To take the concept of the honeypot further, there are instances of honeynets. A honeynet is an entire network designed to be an attractive alternative to the production network(s) it is deployed to screen from view. The premise is the same, only the scale is bigger.
Lesson 4: Designing Firewalls
183
Legal Issues A discussion of honeypots would not be complete without a discussion of the legal issues surrounding this use of technology. Perhaps the single biggest issue involving a honeypot today is the issue of entrapment. Some people feel that the setup of a honeypot is entrapment, and therefore, the same rules apply as in the real world. Up to this point, that is not yet the case. Although, it should be noted that defense attorneys have tried using entrapment as a defense. Another issue is that of privacy. If an attacker were to set up an IRC server on the honeypot, it is possible for the administrator to log all conversations on that server. For now, this issue is more of a moral and ethical dilemma than a legal one, since there is no defined law regarding this subject. However, it should be noted again that this could be a viable defense for an attorney to work with. The current standard for this issue is the Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. This publication is by the Computer Crime and Intellectual Property Section, Criminal Division, United States Department of Justice, and is part of the Computer Crime and Intellectual Property Section (CCIPS). The entire document can be found atwww.usdoj.gov/ criminal/cybercrime/searching.html#searchmanual
TASK 4F-1 Honeypot Configuration 1.
What are the services most likely to be enabled in creating a honeypot, and why? Most likely services would include the normal WWW, TFP, SMTP, POP3,and Telnet. It is important to offer the normal services, since the honeypot must appear to be a productive, live computer in the network, and should be configured the same as a production WWW server, perhaps with looser permissions and solid logging.
Summary In this lesson, you identified the major components used in building firewall systems; you learned to detail the methods used to create a firewall policy in a network scenario. You now know how packet filters are used in firewall systems. You can also describe the process of creating a bastion host, as well as how to use proxy servers in firewall systems. You are also aware of the process involved in creating a honeypot and can differentiate between a honeypot and a honeynet.
184
Tactical Perimeter Defense
Lesson Review 4A Name two methodologies for firewalls. Packet filtering and proxy servers (application gateway). What are three services a firewall can provide? Network Access Translation (NAT), data caching, and restricting access to content. How can a second connection to a client computer make an impact on firewall security? A second connection will render much of the firewall useless to this client, and maybe even the network. Name four different methods of implementing a firewall. • A Single Packet Filtering Device. •
A Multi-homed Device.
•
A Screened Host.
•
A Demilitarized Zone.
4B What is the difference between a firewall policy and a security policy? A firewall policy is generally a subset of the overall security policy. List three items that should be in a security policy, but not part of a firewall policy. Many portions of the following items may address issues broader than that addressed by the Firewall policy: • The Acceptable Use Statement. •
The Network Connection Statement.
•
The Contracted Worker Statement.
List at least three items that would be specific to the firewall policy. Answers may include: Users may access WWW on port 80 as required; users may not access NNTP on any port; users not in subnet 10.0.10.0 are not allowed to Telnet to any location; any policies dealing with firewall administration.
4C What is the primary difference between stateful and stateless packet filters? Stateless packet filters make a decision about a packet based on any portion of the protocol header; however, the vast majority of filters are based on the most significant information in the header. Stateful packet filters encompass the techniques used by stateless packet filters; however, they do not base their decisions on individual packets. Stateful packet filters increase security by remembering the state of connections at the network and the session layers as they pass through the filter. This session information is stored and analyzed on all packets moving through the filter. Lesson 4: Designing Firewalls
185
In addition to IP addresses, what else can a packet filter use to make a decision on a packet? Fragmentation, IP Protocol ID, Protocol Type, and TCP or UDP Port Numbers. How can an attacker use fragmentation to get through a packet filter? By encapsulating the entire payload in one or more fragments following the first fragment.
4D What are the benefits of implementing a proxy server? While packet filters allow for direct communication between a client and a server, proxy servers prevent it. The proxy works at the application layer (application gateway). Proxies can inspect packet content and make decisions based on this inspection. Describe three potential problem issues for proxy servers. Single point of failure: If the entire network is running through the same proxy, that machine becomes quite critical, and must be configured properly. The proxy itself is unprotected if there is an interface directly connected to the Internet. You have to add at least a packet filter in front of the proxy. A proxy for each service: The proxy must be configured for each service. If the network allows many different types of services in both directions, this can create considerable work. Default configuration: Using the default (out-ofthe-box) configuration is generally not secure.
4E What are the steps that must be followed to create a bastion host? 1. Remove unused applications. 2. Remove unused services. 3. Remove unused user accounts. 4. Enable auditing. What are some additional steps that are recommended in securing the bastion host? Install the operating system from scratch, formatting the disk first. Do not use a dual-boot computer. Remove unused hardware, such as modems or sound cards. Use very strong authentication methods, such as a tokens or biometrics. Implement a utility to check files for tampering, such as TripWire. How should a compromised bastion host be recovered? A compromised bastion host often leads to a compromised network. Once the bastion host has had an intrusion, it is critical that the remaining computers in the DMZ or network be examined quickly for possible intrusions. Identify the date of the intrusion before you restore the bastion host from backup. The best solution is to begin from scratch and re-create the bastion host, starting with formatting the disk.
4F Where should a honeypot be located in the network? In the screened subnet or DMZ.
186
Tactical Perimeter Defense
What are two of the goals of a honeypot? Answers may include: Lure the attacker; log visits; and respond to incidents. What are some potential legal issues of honeypots? Entrapment and privacy issues.
Lesson 4: Designing Firewalls
187
188
Tactical Perimeter Defense
Configuring Firewalls
LESSON
5 Overview In this lesson, you will first review firewalls from a conceptual viewpoint to learn about the types of firewalls, how each of these types work, and what protection they can provide for your network. After you have the foundational concepts under your belt, you will go through a series of exercises to actually implement two different firewall solutions: Microsoft’s Internet Security and Acceleration server, which runs on top of the Windows platform; and IPTables, which runs on top of the Linux platform. This will provide you with the practical working knowledge to implement a firewall in your network environment.
Data Files ISAScwHlpPack.exe Lesson Time 5 hours
Objectives To configure network firewalls in the defense of a network, you will: 5A
Describe standard firewall functionality and common implementation practices. Firewalls come in a wide variety of flavors today. In addition to the many vendor offerings, there are also many versions of build your own firewalls. Regardless of the firewall implementation you are working with, there are commonalities between them, both functionally and in implementation methodologies. Exploring these commonalities will provide you with a solid foundation for developing mastery of firewall implementation.
5B
Install, configure, and monitor Microsoft ISA Server 2006. In this topic, you will install Microsoft ISA Server 2006 and work with the built-in configuration tools. In addition, you will explore options for managing, monitoring, and auditing ISA Server 2006.
5C
Examine the concepts of Linux IPTables. In this topic, you will examine how IPTables creates a “chain” of rules that can control the egress and ingress of specific network traffic. IPTables is a popular build-your-own type of firewall that you will find implemented in many networks.
5D
Apply firewall concepts and knowledge to a scenario. In this topic, you will be given a specific network situation, and you will then design firewall topology and rule sets to create the required firewall security posture.
Lesson 5: Configuring Firewalls
189
Topic 5A Understanding Firewalls Technology-based firewalls first appeared on the networking scene in the early 1990s. As the Internet and networks in general have developed and progressed, so have the potential digital dangers. Firewalls have progressed right along side, developing from simple gatekeepers to comprehensive security tools that can work in conjunction with intrusion detection systems and malware scanners. Security has become increasingly problematic for systems connected to the Internet. Network intrusions and attacks have now become so common that the risk is understood as an unavoidable part of conducting business in the digital age. In a modern network, firewall technology is a mainline component for any organization that has defined a network security architecture. Even home users connected to the Internet through commercial ISP connections regularly install software and hardware firewalls to provide a measure of protection for their personal systems. Fear not—in this module we are going to lift the veil of mystery and discover what a firewall does and how firewalls actually work. Firewalls generally comprise the first line of defense for a network and, therefore, a solid working understanding of firewalls is essential in today’s modern networked world. You will also examine how to implement and configure two popular platform specific firewalls: Microsoft Internet Acceleration Server 2006 and the built-in Linux firewall, IPTables. Let’s examine some firewall basics now.
Firewall Basics A basic understanding of what firewalls are and how they work will give us a common framework of reference. We can then build our practical skills on top of this framework when we investigate how to implement and configure our two firewalls. This will be most effective if we can derive the answers to the following questions: • What is a network firewall? •
What are common firewall related terms?
•
What are the basic functions of a firewall?
•
What do addresses, ports, protocols, and services have to do with a firewall?
•
What are the common types of firewalls?
•
How are firewall “rules” built?
•
What are the common firewall network topologies?
•
Why would I want a firewall?
•
What can a firewall not protect me from?
What is a Network Firewall? A firewall can be described as a security mechanism that places limitation controls on all inbound and outbound network communications between individual systems or entire networks of systems by permitting, denying, or acting as a proxy for all data connections.
190
Tactical Perimeter Defense
Figure 5-1: Firewalls control network communication. A firewall is generally comprised of a software program (code) that works in conjunction with a hardware device that is responsible for physically transmitting network data. Firewalls can exist as a software program installed on top of an operating system or as a specialized hardware device running proprietary code. Depending on the size and complexity of the environment being protected, firewalls can be configured as a single system or have multiple systems working in concert. Many firewalls are capable of handling multiple types of transport protocols (TCP/IP, IPX/SPX, etc.). However, for the purposes of our discussion here, we will operate under the assumption that you are going to be using the current industry standard, TCP/IP, as your network transport protocol of choice.
Firewall Terms We know that networks are made up of multiple connected systems, all with varying degrees or levels of trust between them. Your daily interactions with the “network” of humans around you is a good illustration of the principal of networked trust. For example, you might trust your best friend with the keys to your car, but certainly not the person who you just met at the car wash. In a networked environment, these areas of interaction can be referred to as “zones of trust.” Some common examples of these zones would be the Internet, which is a zone with little or no trust; and your internal network, which would a zone with a high level of trust.
Figure 5-2: Firewalls separate zones of trust.
Lesson 5: Configuring Firewalls
191
The networking world has spawned a variety of terms such as Internet, Extranet, intranet, and DMZ. We can use these terms to define the zones of trust that commonly occur in any given network environment. • Internet: This zone of trust corresponds to the worldwide public network of systems. Since this zone is accessible by anyone, it is our least trusted zone. In firewall terminology, this is often referred to as an unprotected or external network. •
Intranet: An intranet is a private network that is used to securely share an organization’s information or operations within the organization. In firewall terminology, this is often referred to as a protected or internal network.
•
Extranet: This zone of trust is a semi-private network that an organization creates to share parts of their private network with business partners such as customers, suppliers, or other collaborative partners. Basically, this is an extension of the private zone of trust to include specific types of access to approved outside entities.
•
DMZ: The “Demilitarized Zone” of trust is a network segment or segments located between protected and unprotected networks. DMZs are generally configured in one of two basic topologies: chained and three-legged. A chained DMZ is isolated in a linear fashion between the trusted and un-trusted zones by a firewall on either side, whereas a three-legged DMZ is connected to a third interface off of a single firewall that separates the trusted and un-trusted zones creating a third network spoke off of the firewall.
Basic Functions of a Firewall A firewall’s primary function is to control the communications between systems and or networks that exist in zones with differing trust levels. The firewall’s control of network communication across zones of trust allows us to enforce our security policy. This enables us to create a network connectivity model based on the principle of least privilege and set up varying levels of access based on the source, destination, and type of network communication.
Figure 5-3: Firewalls enforce access rules between zones of trust.
192
Tactical Perimeter Defense
Address, Port, Protocol, and Services: The Building Blocks of Firewall Rules In order to really understand what a firewall does, it will be helpful to take a quick review of how network communications work, especially in respect to the Internet Protocol. All Internet Protocol communications have several properties in common. It is these common properties that allow a firewall to perform most of its functionality. There are five basic commonalities generally present in network communications over the Internet Protocol: •
Source address: This is where the communication originated from.
•
Destination address: This is where the communication is going to.
•
Protocol used: This could be TCP, UDP, ICMP, IGMP, etc.
•
Target port: A port is an endpoint to a logical network connection. This port number is how a network request specifies a specific service from a remote resource on a network. (IANA RFC 1700 specifies well known port numbers.)
•
Service: This is the application that is offering the data or functionality requested by the connection. Generally, services listen for requests on a specific port over a specific protocol.
We use similar types of mechanisms in our non-digital daily lives to move information from one place to another. A good example of this would be returning a defective computer part to a manufacturer. • We know that we are sending the part from ourselves (the Source). •
Then, we obtain the manufacturers address (the Destination).
•
We decide on a shipper: FedEx , UPS, DHL, etc. (the Protocol).
•
We also add “Attention: RMA department” to the label (the Port).
•
Because of how we addressed, shipped, and labeled the package, when it arrives at the manufacturer, it will be handed over to the warranty service department for repair or replacement (the Service).
From this example, you can see that the concepts of source, destination, protocol, port, and service are commonly used in our daily lives. In relationship to a firewall, these commonalities that occur in network communication form the building blocks of “rule sets” that firewalls use to control access to and from network entities.
Firewalls and the OSI Model To simplify the complexities of networking heterogeneous systems it is often useful to use the Open Systems Interconnect (OSI) model as a frame of reference. The OSI model is an abstraction of network communications between computer systems and network devices.
Lesson 5: Configuring Firewalls
193
Figure 5-4: The Open Systems Interconnection (OSI) model. In a nutshell, the layers of the OSI model perform the following functions: • Layer 7: Application - Interface from network to applications •
Layer 6: Presentation - Handles data representation and encryption
•
Layer 5: Session - Manages connections between applications
•
Layer 4: Transport - Provides end-to-end connections and reliability
•
Layer 3: Network - Path determination and logical addressing (IP)
•
Layer 2: Data Link - Physical addressing (MAC & LLC)
•
Layer 1: Physical - Media, signal, and binary transmission
A full discussion of the OSI model is outside the scope of this module, but those layers relevant to the topic of firewalls will help us understand how they function. Current firewall technology operates on the OSI model layers as shown in the following figure.
Figure 5-5: Firewalls operate at Layers 2, 3, 4, and 7 of the OSI model.
194
Tactical Perimeter Defense
Firewalls generally operate at the levels corresponding to OSI Layers, 2, 3, 4, and 7. The common network functionalities of source and destination address, protocol, port, and services that we examined earlier are described as operating on these layers of the OSI model. Layer 2 (Data Link) is the lowest layer that contains addressing that can uniquely identify a single specific source or destination. These addresses are the MAC, or Media Access Control addresses, and are assigned to physical network interfaces. For example, a MAC address belonging to a standard Ethernet card is an example of a Layer 2 address. This is one layer that can be used by a firewall to discriminate source and destination addresses for communications control. Layer 3 (Network) is the layer that handles the delivery of network traffic by providing switching and routing technologies, creating virtual circuits (logical paths), and transmitting data from node to node. Source and destination addressing, routing, forwarding, packet sequencing, error handling, and flow control are handled at this layer. Like layer 2, Layer 3 can also be used by a firewall to discriminate source and destination addresses for communications control. Layer 4 (Transport) is the layer that identifies end-to-end network communication mechanisms and communication sessions. This is the layer where the transport protocol is assigned, e.g. TCP, UDP, ICMP, etc., and the source and destination ports are specified. Firewalls can examine the protocol and port information from Layer 4 and use these values to control network communication. Layer 7 (Application) supports both application (service) and end-user processes. This layer is where such things as communication partners, authentication, quality of service, and any data syntax constraints are identified. Everything at this layer is application specific. Data is passed from the program in an application-specific format, then encapsulated and passed to the layers below. Firewalls can use a host of information, such as service specific information that occurs at the application layer to inspect and control inbound and outbound data communication to enhance your security posture. The additional layer coverage enables the firewall to handle advanced applications and protocols. A good example of this would be user authentication. A simple firewall that functions only on Layers 2 and 3 will not normally be able to distinguish individual users, whereas a firewall with awareness of the application level (level 7) can enforce communications policies based on user authentication.
Classifying Firewalls Firewalls have continued to evolve since their inception and are continuing to grow more sophisticated. As with any sophisticated system, a methodology for classification can facilitate understanding. The simplest way for you to classify firewalls is by how they handle the process of controlling network communications. • Is the communication control being done between a single system and a network, or between two or more network segments?
•
•
Firewalls that control communication with a single system are generally called Personal Firewalls.
•
Firewalls that control communication between network segments are called Network Firewalls.
Is the communication intercepted and inspected at the network layer or at the application layer? •
Network-layer firewalls are called Packet Filter Firewalls. Lesson 5: Configuring Firewalls
195
• •
Application-layer firewalls are called Application Gateways or Proxy Firewalls.
Is the communication state being tracked and maintained by the firewall? •
If the firewall does not track the communication state, it is classified as a Stateless Firewall.
•
If the firewall tracks the state of connections, it is classified as a Stateful Firewall.
Examining the Common Types of Firewalls For both Personal Firewalls and Network Firewalls, there are three common types of firewalls in general use today: Simple Packet Filter Firewalls, Stateful Packet Filter Firewalls, and Application Level Firewalls. Let’s examine the strengths and weaknesses of each of these types of firewalls.
Simple Packet Filtering Firewalls Simple packet filters are the most fundamental type of firewall. They inspect the individual inbound or outbound packets of network data and compare them against a “rule” set to determine if the packet should be permitted or denied. In their most basic form, packet filter firewalls operate at the OSI model Layers 2 (Data Link) and 3 (Network). They provide network access control by comparing the rule set to information contained in the network packet such as:
196
Tactical Perimeter Defense
•
The source address of the packet, which is the IP address of the system the network packet originated from.
•
The destination address of the packet, which is the IP address of the system the network packet is sent to.
•
The network protocol being used to communicate between the source and destination addresses.
•
Some simple packet filters will also include some characteristics of Layer 4 communications such as the source and destination ports of the connection.
•
If the firewall is multi-homed to three or more network segments (such as in a three-legged DMZ configuration), a packet filter firewall also reads the packet information pertaining to which interface of the firewall the source packet arrived from and which interface of the firewall the packet is destined for.
Figure 5-6: OSI Layers of inspection for a Simple Packet Filter Firewall.
Weaknesses of Simple Packet Filter Firewalls If you are using a simple packet filter firewall, there are several inherent weaknesses in this type of firewall that you should be aware of and take special care to overcome where possible. • Application Specific Vulnerabilities: Packet filter firewalls do not inspect upper layer data, and therefore cannot protect against intrusions that make use of application specific vulnerabilities. •
Limited Logging: Since so little information is gathered by the firewall, the simple packet filter has limited logging capabilities, which limits the data available for policy making decisions and can hamper intrusion investigations.
•
No Authentication: Because they operate at the OSI layers below where authentication happens, simple packet filter firewalls cannot generally make use of user authentication as part of their control mechanisms.
•
Vulnerable to Spoofing: There are several weaknesses in the TCP/IP specification and protocol stack that packet filters have a tough time overcoming. A good example of this would be network layer address spoofing. Many simple packet filter firewalls cannot detect whether the OSI Layer 3 addressing information in a packet has been altered. This leaves them vulnerable to spoofing attacks.
•
Large Attack Surface: Another weakness of simple packet filter firewalls is due to the way that TCP connections are established. In general, network services are requested on a well-known low numbered port (<1023) and the return client connection is established on a random high numbered port (>1023). So if you are using a simple packet filter firewall, you normally have to open all ports greater than 1023 inbound so they are available for return client connections. This leaves a very large attack surface exposed to the outside network.
•
Easy to Misconfigure: Simple packet filter firewalls have very few variables to use for inspection and rule set creation. When attempting to create complex and comprehensive rule sets, it is easy to accidentally configure a rule
Lesson 5: Configuring Firewalls
197
to either allow or fail to deny network traffic that your network policy states should be denied. Conversely, it is also easy to block traffic that should be permitted.
Stateful Packet Filter Firewalls We have already discovered that simple packet filter firewalls operate across levels 2 and 3 of the OSI model. The stateful packet firewall adds level 4 awareness in addition to levels 2 and 3. Because they can keep track of logical virtual connection circuits, these firewalls are also sometimes referred to as Circuit Level firewalls.
Figure 5-7: OSI Layers of inspection for a Stateful Packet Filter Firewall. Stateful packet filters control traffic in basically the same manner as a simple packet filter by using rule sets, but they have additional intelligence in their logic that enhances their performance and solves several challenges with simple packet filter firewalls. The “stateful” moniker comes from the fact that these firewalls keep track of the state of all “accepted” connections in a data table that resides in memory. This enables the firewall to determine if an incoming packet is either a new connection or is part of an existing established connection. Once the connection session has ended or has timed out, its corresponding entry in the state-table is discarded. Some applications can send periodic keepalive packets in order to stop a firewall from dropping the connection during periods of low user-activity.
198
Tactical Perimeter Defense
Figure 5-8: Example of a connection state table. This ability to discriminate between new connections and existing ones brings several advantages to this type of firewall over a simple packet filter. • Lower Attack Footprint: Stateful firewalls can take additional actions based on data residing in the state tables such as ″dynamically″ opening return client ports for each individual connection. This lowers your attack footprint, which increases your security posture. •
Less Susceptible to Spoofing: A stateful firewall is able to hold in memory key attributes of individual connections. These attributes help the firewall track the state of the connection. Attributes stored in memory include the IP addresses and ports for both ends of the connection and also the sequence numbers of the data packets sent through the connection. The stateful firewalls awareness of IP addresses and sequence numbers makes it far less susceptible to spoofing.
•
Easy Black hole configuration: Stateful firewalls can easily be configured to pass all outgoing packets through, but to only permit incoming packets if they are part of an established connection that is listed in the state table. This prevents intruders from starting unsolicited connections to resources in the protected network. Coupled with a rule to discard unsolicited packets, this turns your network into a black hole on the Internet.
•
Less Resource Intensive: Tracking the connection state gives stateful firewalls an increased efficiency in their packet inspection process. Packets for existing connections through the firewall only have to be checked against the state table, which is less resource intensive than checking the packet against the firewall’s filter rules set.
Stateful inspection firewalls share some of the weaknesses of packet filter firewalls; however, the advantages created by the state table implementation means that stateful inspection firewalls are generally more secure than simple packet filter firewalls.
Application Level Firewalls Application level firewalls (also sometimes called Application-Proxy Gateways) are sophisticated firewalls that combine inspection of both the lower layer access controls with the upper 7th layer of the OSI model (Application Layer). Application level firewalls control the routing of packets between the trusted and un-trusted zones configured on the firewall based on what application or service is sending or receiving the data packets. All network data packets that pass through the firewall do so under the control of the application-proxy software.
Lesson 5: Configuring Firewalls
199
Figure 5-9: OSI Layers of inspection for an Application Level Firewall. Application level firewalls are capable of doing deep packet inspection in order to make accurate appraisals of which connections to allow and which to deny. By reading the actual data inside of a packet, application level firewalls are able to detect bypass attempts such as masking non-permitted communications inside of packets sent over permitted ports, for example, hiding IRC communications packets by using port 80 to masquerade as http. Traditional stateful firewalls cannot detect this, while an application level firewall can inspect and deny HTTP packets if the content does not match the packet type. Application level firewalls also generally have the ability to require authentication of each user or system attempting to transmit data across the firewall. A wide variety of authentication forms are available, including: • User ID and Password Authentication •
Hardware or Software Token Authentication
•
Source Address Authentication
•
Biometric Authentication
Application level firewalls have several advantages over both types of lower level packet filter firewalls we previously examined. • Extensive Logging Capabilities: Application level firewalls have extensive logging capabilities because the firewall is able to examine the entire network packet contents instead of just the lower level network addresses and ports. Application level firewall logs often will contain application-specific commands issued over the network data packets. This can be very useful for both policy management and intrusion incident investigation.
200
Tactical Perimeter Defense
•
Enforcement of Authentication: The authentication capabilities built into application level firewalls are vastly superior to those found in packet filter or stateful inspection packet filter firewalls. Application level firewalls allow you to set enforcement rules on the available types of authentication that are most appropriate for a network environment as opposed to just using lower level source, destination, and port addresses.
•
Less Susceptible to TCP/IP Vulnerabilities: Application level firewalls can inspect the entire contents of a packet to ensure that the contents are appro-
priate for the target destination. This greatly improves the firewall’s ability to block spoofing attacks and other TCP/IP vulnerabilities. The deep packet inspection of an application level firewall can be a resourceintensive to process. Therefore, most application level firewalls include stateful inspection to optimize resource utilization. One potential danger to application level firewalls is that savvy intruders may attempt to defeat the deep level inspection by encrypting their packet contents such as tunneling with SSL. This is why it is important for application level firewalls to create a rule that denies any inbound encrypted communication unless the connection originated from inside the trusted zone and is listed in the state table.
Building Firewall Rules to Control Network Communications We have discovered that modern firewalls can control network traffic based on a wide range of packet or application attributes contained in the layers discussed previously. When a packet is received by the firewall, it inspects the packet’s attributes that were included in the packet as it passed through the various networking layers. This information is then compared to “rules” that have been configured for the firewall. Based on the outcome of the comparison, the communications traffic packet can be handled in any of the following manners by the firewall. • Accept: The firewall passes the packet through the firewall to the destination requested by the packet. •
Deny: The firewall drops the packet, without passing it through the firewall. After the firewall drops the packet, an error message is returned to the source address.
•
Discard: The firewall drops the packet, but does not return an error message to the source address. This creates the appearance that the firewall is not even on the network, and it is often referred to as a ″black hole″ because it does not reveal its presence by error messages.
Lesson 5: Configuring Firewalls
201
A partial list of attributes that can be examined by a firewall and used for rule set comparison would look like this: •
Source address
•
Destination address
•
Protocol
•
Source port
•
Destination port
•
Source service
•
Destination service
•
TTL values
•
Originators netblock
•
Destination netblock
•
Domain name of the source
•
Domain name of the destination
•
Application source
•
Application destination
•
Authentication
•
And many other attributes
Firewall rules are the heart of your firewall system. These rules build on one another and are generally parsed in sequence. The first rule the firewall discovers that matches the attributes of the data packet is the rule that will be applied first. Most firewalls will have a configuration option that allows you to manage the flow of how rules are parsed within a give rule set. Ordering your firewall sets correctly is an important step in ensuring that the firewall behaves as expected. View the following figure and look at rule number seven (the default deny rule). This rule is the last rule in the set. If this rule was placed anywhere but last in the list, all other rules below it would not have any effect, because all traffic is denied by this rule. Without careful ordering of your rules, you will find your firewall producing unexpected results. One thing you can count on is that a firewall will do exactly what you tell it to do. It is a wise firewall administrator who plans his or her rules carefully and keeps them well documented!
Figure 5-10: Example firewall rule set. 202
Tactical Perimeter Defense
Common Firewall Topologies Firewalls can be configured in a variety of topologies to meet the needs of any size or style of network environment. There are three standard firewall topology configurations that are commonly used in modern networks. Each of these topologies is applicable to a specific network environment. Choosing the correct firewall topology for your network is the first step in successfully implementing a firewall on your network. We have discovered that firewalls are used to enforce access controls between systems or network segments linked across zones with varying levels of trust. It should not be surprising, therefore, when we examine the common firewall topologies to find a firewall at each location where different trust zones connect. Perimeter Firewall: The perimeter firewall topology (also referred to as edge configuration, bastion host, or screened configuration) is the most common firewall topology. This topology places a single firewall directly between the trusted and un-trusted systems or networks.
Figure 5-11: Example of a perimeter firewall topology. Perimeter firewalls are the simplest configuration to use when no trusted resources need to be available to the un-trusted network. One exception would be remote users; in this case, the firewall is often combined with VPN technology to allow external users to securely access the internal network. This is a good choice for a topology when you want to allow access to the Internet from your trusted network, but do not wish to make internal resources available to users on the Internet. You can configure a perimeter firewall to allow access to specific internal resources by creating firewall rules that allow outside access to only those resources, such as an SMTP server or web server. In fact, many people do exactly that. Be aware, however, that if the internal resource should be compromised over the externally accessible resource port, it opens your whole network to further attacks. If you need to make resources available to users on un-trusted networks, the best choice is to choose one of the following DMZ configurations. Three-Legged (DMZ) Firewall Topology: The three-legged DMZ topology is commonly used where you need to publish resources to an un-trusted network such as the Internet. This topology uses a single firewall such as the perimeter topology; however, in this configuration, the firewall has an additional network interface that is connected to a network containing the externally available resources.
Lesson 5: Configuring Firewalls
203
Figure 5-12: Example of a three-legged (DMZ) firewall topology. The three-legged firewall topology allows you to publish resources while still blocking all inbound access to your internal network. In this topology, the firewall rules are configured differently for the internal and DMZ interfaces. The internal interface is configured to deny external access to the internal network, while the DMZ interface is configured to allow access to specific resources in the DMZ from the external network. This configuration increases the security posture of your internal network by removing the need to open any inbound ports to the internal network other than for client return connections. An additional security benefit of this topology is that if one of the publicly accessible resources is compromised, your internal network remains secure. Chained (DMZ) Firewall Topology: Another firewall DMZ topology commonly used where you need to publish resources to an un-trusted network such as the Internet is the chained DMZ. This topology uses a pair of firewalls to create the DMZ. The two firewalls “sandwich” the DMZ between the internal and external networks. Since this configuration contains two firewalls and subsequently two sets of firewall rules, it can be considerably more complex to setup. However, when this topology is correctly configured, it brings a high level of protection to your network.
Figure 5-13: Example of a chained (DMZ) firewall topology.
204
Tactical Perimeter Defense
This topology is commonly used where both the external network and the internal network need to access to resources in the DMZ, and those DMZ resources also require communication with other servers and services that reside inside the internal network. A good example of this would be a mail server that needs to authenticate internal users against a directory service that resides on a server in the internal network. The mail server in this scenario has two requirements. It must be able to exchange inbound and outbound SMTP packets with the Internet and be able to authenticate internal users against a directory service that resides on a server in the internal network. Another situation where this topology would be an appropriate choice is where you have an e-commerce site that connects to a database containing sensitive customer information. In this scenario, you would place the front end web server in the DMZ behind the front side firewall; then place the database server on the segment behind the backside firewall. The front side firewall rules would be configured to only allow inbound TCP port 80 and port 443 to the web server, while the backside firewall rules would only allow the web server to query the backend database server, effectively isolating the database server from the Internet. When correctly configured, the chained DMZ firewall topology offers a high level of threat protection from external network access, while providing ample flexibility for communications between the DMZ and the internal network.
Why Would I Want a Firewall on My Network? The Wild Frontier The Internet is sometimes referred to as the new frontier. And like any frontier setting, it has its share of undesirable elements. Out on the frontier, the only safety that you can count on is the safety you create for yourself. Placing a firewall on your network is like the old time explorers building a fort for protection. It does not guarantee total immunity, but it provides much more safety than a canvas tent when danger approaches. Like the frontier, the Internet is filled with opportunity. This includes the opportunity to carry out business, to learn, grow, discover, and connect with new people. But close on the heels of frontier-style opportunity come the scavengers and villains. Almost any day, in almost any media you care to name, you will find a new report about some digital danger that has reared its ugly head on the Internet. The net is a representation of society in all its glory and disgrace. From nuisance hackers to serious criminals, the complete gamut of less than well-adjusted societal members can be found. In our normal lives, we install locks on our houses and employ police forces to deter would-be vandals and thieves from taking or damaging our property. Firewalls fulfill this role on our networks. If you don’t protect it, you won’t own it for long.
Lesson 5: Configuring Firewalls
205
Regulatory Compliance The prominence of Internet dangers has even prompted legislation in many countries that places responsibilities for data protection on the organization that owns the information. This is especially true of government, banking, and the healthcare industries. Organizations now find themselves with compliance responsibilities for protecting sensitive data that sometimes carry stiff penalties for noncompliance. This has spawned a general move in most organizations towards a formal set of computing security policies. These policies dictate how an organization’s resources must be protected and show that they are meeting regulatory compliance. A firewall is one of the key elements in enforcing the organization’s written policy.
Public Image A firewall can also serve to protect not only your organization’s data, but also its public image. Almost every organization has a website today. If these publicly accessible resources are not protected and get hacked, either through defacement or denial of service attacks, the organization’s image will be tarnished in the eyes of the website users. This impact can, and usually does, make itself felt on the organization’s bottom line—either through your customers going to the competition because they lost trust in your organization as the result of website defacement or data theft or through lost sales as the result of a denial of service attack on your e-commerce site. Firewalls can’t always prevent this, but they can mitigate the dangers down to an acceptable level of risk.
What Can a Firewall Not Protect You From? A firewall is a powerful tool in your security tool box, but there are certain types of dangers that a firewall can do nothing about. For example, because the purpose of a firewall is to control and limit inbound and outbound network communications between networks or systems of differing trust levels, it stands to reason that it cannot protect against attacks that don’t traverse your firewall. The following is a partial list of things that a firewall cannot protect you from: • Firewalls cannot protect against internal threats: This type of threat originates from the zone of trust where the attack is targeted. This would include such things as:
•
•
Disgruntled or unscrupulous workers. This is actually one of the greatest dangers to any network and coincidently how the greatest number of intrusions actually occur.
•
Weak password policies or other poor system administration practices. Firewalls will not be very effective in securing something that has gaping security holes in it to start with. Make sure you follow industry standard best practices throughout your network environment.
Firewalls cannot protect against attacks that don’t traverse your firewall: •
206
Tactical Perimeter Defense
Personal Modem or Wireless connections. It is worth noting that this issue has evolved into a real danger in the era of mobile wireless Internet access. A mobile user who attaches his or her laptop to your trusted network and then connects to the Internet via a 3G GSM satel-
lite or other wireless connection has effectively punched a hole right through your carefully configured security measures. •
•
Social engineering. This is a proven methodology to break into networks that are otherwise secured. It is simply astounding what villainous social engineers can get a user (or even a sys admin), who is otherwise an intelligent human being, to reveal about his or her computing environment. Your best line of defense against this type of attack is user education.
Cannot protect against attacks on services that are allowed through your firewall: •
Allowed inbound traffıc. This would include attacks on web and email services that external access to has been permitted to. If you allow access to your web server through the firewall, and the web server has an un-patched vulnerability that works over port 80 (http), your firewall cannot protect the web server from that type of attack.
•
Malware and browser threats. Firewalls cannot protect your network against threats that the user brings into the network themselves. This includes the many forms of malware such as email viruses, Trojans, browser-based attacks, spyware, and phishing sites. Again, we are back to defense in depth and user education as our best defense against these types of threats.
To have the best chance at defending your network, a well-configured firewall must be augmented by good configuration control, secure OS baselines, patch management, anti-malware programs, sound network administration basics, and a user education program. Defense in depth is the security-conscious administrators motto.
Things to Consider About Firewall Implementation Before we move on to the next topic, let’s discuss a few simple concepts concerning the real world implementation of a firewall in your network. If you keep these concepts in mind when you work with an organization’s firewall, you will enjoy greater success in securing the network, while keeping management and your users content and supportive.
Firewalls are an Enforcement Tool for Security Policies A firewall enforces your inter-network access security policy. If you didn’t have an access security policy before you put the firewall in place, you do now. It may not be a written policy, but effectively it’s still an access security policy. If you haven’t made explicit decisions about what you want your inter-network access security policy to be, you will likely wind up with less than optimal configurations on your firewall, and it will certainly be more difficult for you to maintain its effectiveness over time. In order to have an effective firewall, you really do need a good security policy—one that is well thought out, written down, and widely agreed to and supported within your organization.
Some modern application layer firewalls capable of deep packet inspection also have varying levels of intrusion detection capabilities built in. These firewalls can potentially mitigate this type of risk. But better safe than sorry. Patch, Patch, Patch!
Some modern application layer firewalls capable of deep packet inspection also have varying levels of malware detection capabilities built in. These firewalls can potentially mitigate this type of risk. But again, better safe than sorry. Always use anti-malware software and keep it up-todate!
It is almost axiomatic in the security field that if you do not have published, formal, written security policies that have received full management approval and support, implementing a firewall will max your job pain threshold. This is primarily because your users (and management) will not understand why the network “doesn’t work like it used to” and the ill will and blame will wind up on your door step. Before implementing the firewall, you should have created a written Lesson 5: Configuring Firewalls
207
policy that explicitly outlines your overall security goals, policies, and procedures including your firewall configuration and rule sets. Obtaining management support and backing for the policy is critical, as they are the ones with the final authority and responsibility for the organizations operations and information.
A Firewall by Itself is Not a Security Solution Firewalls can only protect networks and information from certain types of digital dangers. They are designed to control and limit external access to resources. Firewalls can only protect you against threats they can detect, and unfortunately there are no magical all-seeing firewalls. Also, a firewall cannot protect against internal attacks against your network or data. To gain maximum effect, your firewall should be just one layer in a comprehensive defense in depth security program. Remember that an attacker doesn’t often go through security but looks for ways to go around it! Make it difficult by having more than one layer of defense.
Use a Deny All, Permit by Exception Approach This is a tried and true approach to configuring firewalls safely. If you deny everything and only allow what you know to be secure or mandatory, you will spend much less time reconfiguring the firewall or responding to intrusions. New vulnerabilities continually pop up in the digital world; the “permit all, deny what is dangerous approach” means you will have a constant battle to keep up. The “permit all, deny dangerous” methodology would only work if you knew every danger—past, present, and future. This is just not a realistic approach to security.
Enforce the Least Privilege Rule This is a basic axiom of all forms of security, regardless of if it is physical security; user accounts; file, share, and applications permissions; or firewall transversal access. You should only grant users, systems, and applications the least amount of privileges or access that they require to carry out their functions. Be leery of anything that requires high levels of privilege or access to function. You can only empty the vault if you have access and the keys.
Be Gracious, but Not Compliant Enforcing security and dealing with user requests is a delicate balancing act with a little public relations magic sprinkled in. This is especially true if you are trying to secure a network that has been insecure before. Some people will simply not care if what they do create security risks if it makes their life more convenient. If you open up the firewall a little more at every user’s request, you will wind up with a wide open network in the end. At the same time, if you always deny requests, people will turn bitter. It is a simple fact of life that people who feel they can’t work with you will find a way to work around you. Security is always a tradeoff against convenience. It is not convenient to have to reach into your pocket to get your house keys to unlock the house when your arms are full of grocery bags after you arrive home from the market. However, we tolerate this inconvenience because we value the items in our house. User education and gracious manners when you deal with users will go a long way to meeting both their needs and keeping the network risks at an acceptable level. Remember, the network is there to meet the business needs of the organization, not because the organization needs a secure data vault. You need to find ways to meet the user’s needs while controlling the risks.
208
Tactical Perimeter Defense
Firewalls Are Not Just Perimeter Protection Last, but certainly not least, expand your view of what firewalls can be used for. In general, we think of firewalls in the context of perimeter protection when connecting to external networks . However, this is a very limited view of a firewalls’ usefulness in a modern networked environment. It is becoming more and more common for organizations to employ additional firewalls within their internal networks (intranet) to control data flow and protect critical resources or information from unauthorized internal access. For example, an organization might employ an internal firewall to provide an additional layer of security for its financial or human resources information. Examine the following figure and notice the network segments the internal firewall is placed between.
Figure 5-14: Using an internal firewall to secure sensitive internal resources. In this context, the firewalls are not only controlling access from the external network, the DMZ, and the partner networks, but also from within the organization’s internal network itself. Employing firewalls in this manner can significantly increase the security of your sensitive data against internal attacks.
Lesson 5: Configuring Firewalls
209
Topic 5B Configuring Microsoft ISA Server 2006 Introduction to ISA Server 2006 Microsoft’s Internet Security and Acceleration Server (ISA) 2006 is what Microsoft calls its integrated edge security gateway. Microsoft’s security offerings in the firewall arena have come a long way since its release of Proxy Server 2.0, which had firewall style features. This continued development has resulted in ISA Server 2006 being a robust and mature multilayer firewall. It has a wide range of features and capabilities that will meet the needs of almost any network environment: from small businesses to global enterprises. ISA Server 2006 features the following functionalities: • Internet Access Control (Proxy) •
Flexible Configuration Controls Including Easy-to-use Wizards
•
Configuration Export/Import to XML
•
Customizable Protocol Definitions
•
Secure Application Publishing
•
Server Publishing
•
Web Publishing
•
SharePoint Publishing
•
SSL Bridging
•
Application Layer Filtering (Deep Packet Inspection)
•
Intrusion Detection Capabilities
•
Flood Resiliency Configuration
•
Forward and Reverse Web Caching
•
Remote User or Branch Office VPN Capability
Common Deployment Scenarios for ISA Server 2006 Networking professionals around the world have had long-standing concerns about performance impact, operational costs, and manageability whenever they deploy a new technology on their networks. This is especially true when you need to deploy a firewall for security purposes. Microsoft spent considerable research effort to discover what the real pain points are when deploying a firewall solution. Fortunately, the ISA Server 2006 design team was the recipient of all this research. Their efforts at making ISA Server 2006 highly deployable in the most common scenarios is evident. They targeted their efforts to make ISA Server 2006 very straightforward to deploy in several common scenarios. • Protecting your network against external and internal Internet based threats. •
Publishing content to external consumers in a secure fashion.
•
Securely connecting remote branch offices.
•
Providing secure access to remote users of the internal network.
In each one of these scenarios, ISA Server 2006 provides a robust solution with streamlined deployment, configuration, management, and reporting. 210
Tactical Perimeter Defense
Protecting Your Network Against External and Internal Internet-Based Threats Organizations can use ISA Server 2006 to mitigate or eliminate damage to their network resources from the Internet including unauthorized access and even malware attacks by using the full-featured suite of tools in ISA Server 2006 to inspect for and block harmful network traffic and content. With its hybrid firewall-proxy architecture, application level deep content packet inspection, granular security policies, comprehensive monitoring, and alerting capabilities, ISA Server 2006 makes it easier to protect and manage your connected network resources. Some of the features that enable ISA Server 2006 to protect your network are: • Simplified Management Tools: ISA Server 2006 has a suite of management tools that simplify configuration and ongoing administration. As firewall tools go, these tools are relatively intuitive and have a very low learning curve. •
Multilayer deep content inspection: ISA Server 2006 has a comprehensive set of customizable policies, customizable protocol filters, and network topology relationship models that allow you to thoroughly inspect and control the traffic that transverses the firewall.
•
Flood resiliency: ISA Server 2006 now features enhanced flood resiliency for network event handling and monitoring. This feature provides a more robust firewall resistance to threats such as denial of service and/or distributed denial of service attacks.
•
Unified management and monitoring with MOM: For those organizations that have deployed the Management Pack for Microsoft Operations Manager, ISA Server 2006 can be integrated into your enterprise- and array-level policies. This gives administrators the ability to easily control security and ISA access rules throughout the organization.
•
Enhanced worm resiliency: ISA Server 2006 can help to mitigate the overall damage an infected computer will have on the network. This is accomplished through client IP alert pooling and connection quotas that monitor and block unusual connection patterns.
•
Quicker attack response times: ISA Server 2006 has a comprehensive set of alert triggers with configurable responses. When configured, this can quickly notify you of network threats targeted against your network.
•
Extensive software developer’s kit (SDK): The ISA Server 2006 SDK aids third parties in the development of ISA Server 2006 add-ons. These add-ons enrich the feature set of ISA Server 2006 by providing a wide range of additional protections such as anti-virus or custom web filtering controls.
•
Improved resource management: ISA Server 2006 gives you extensive log throttling, memory consumption control, and pending DNS queries. This improved resource management contributes to ISA Server’s greater overall performance levels.
Versions of ISA Server 2006 Before you deploy ISA Server 2006, you will need to decide which version to purchase. ISA Server 2006 is available in two versions: Standard and Enterprise. You should install the version that is appropriate for your network environment and security needs. A short comparison of the two versions follows:
Lesson 5: Configuring Firewalls
211
Figure 5-15: ISA Server 2006 version comparison chart. Several manufacturers such as HP, Avantis, Whale, Celestix, SecureGUARD, and OSST now offer ISA Server 2006 in a firewall appliance. This combines the power and configuration ease of ISA Server and the convenience of an appliance.
212
Tactical Perimeter Defense
TASK 5B-1 Preparing for the ISA Server 2006 Setup: Lab Prerequisites Task Note: Firewalls are primarily designed to control network traffic between network segments, so you will need to have more than one network adapter in your computer in order to configure ISA Server 2006 in the most common firewall topologies. Since the classroom computers have only one physical network card, we will install and configure the Microsoft Loopback Adapter to represent our “internal” network interface, while configuring the physical network card as our “external” network interface. 1.
Choose Start→Control Panel→Add Hardware.
2.
In the Welcome dialog box, click Next, the wizard will search for your hardware.
3.
Select Yes, I Have Already Connected The Hardware, then click Next.
4.
Scroll to the bottom of the Installed Hardware list box and select Add A New Hardware Device. Then, click Next.
5.
Select Install The Hardware That I Manually Select From A List (Advanced) option, then click Next.
6.
Under Common Hardware Types select Network Adapters, and click Next.
7.
Under Manufacturer, select Microsoft.
8.
Under Network Adapter, select Microsoft Loopback Adapter.
9.
Click Next twice.
10. If prompted, click OK in the Insert Disk dialog box, enter the path to the Windows 2003 Server installation source files in the Files Needed dialog box, and then click OK. 11. Click Finish. 12. Choose Start→Control Panel→Network Connections→Local Area Connection 2. 13. In the Local Area Connection 2 dialog box, click Properties. 14. In the This Connection Uses The Following Items list, select Internet Protocol (TCP/IP) and then click Properties. 15. On the General tab select Use The Following IP Address and then enter the address from the following table that corresponds to your computer name. WIN-R01 - 10.16.1.1/24 WIN-R02 - 10.16.2.1/24 WIN-R03 - 10.16.3.1/24 WIN-R04 - 10.16.4.1/24 WIN-R05 - 10.16.5.1/24 WIN-R06 - 10.16.6.1/24 WIN-R07 - 10.16.7.1/24 WIN-R08 - 10.16.7.1/24
WIN-L01 – 10.18.1.1/24 WIN-L02 – 10.18.2.1/24 WIN-L03 – 10.18.3.1/24 WIN-L04 – 10.18.4.1/24 WIN-L05 – 10.18.5.1/24 WIN-L06 – 10.18.6.1/24 WIN-L07 – 10.18.7.1/24 WIN-L08 – 10.18.8.1/24
Lesson 5: Configuring Firewalls
213
16. Leave the DNS value blank and then click OK. 17. Click OK, and close the Local Area Connection 2 Properties window. The subnet mask is 255.255. 255.0 for all these IPs.
18. Choose Start→Control Panel and right-click Network Connections. From the pop-up context menu, choose Open. 19. Right-click the Local Area Connection and choose Rename. 20. Name the connection External 21. Right-click the Local Area Connection 2 choose Rename. 22. Name the connection Internal 23. Close the Network Connections window. You have now installed the Microsoft loopback adapter and assigned it a unique IP address. We will be using this adapter to function as our internal network adapter for ISA Server 2006. You also renamed the two available network connections so they can easily be identified as either the external or internal networks.
ISA Server Installation Requirements System Requirements for ISA:
Figure 5-16: ISA Server hardware requirements.
214
Tactical Perimeter Defense
TASK 5B-2 Install Microsoft ISA Server 2006 Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous task. This task requires you have the Microsoft ISA Server 2006 software available. 1.
Browse to the location of the ISA Server 2006 installation files and double-click isaautorun.exe.
2.
Click the Install ISA Server 2006 link.
3.
At the Installation Wizard, click Next.
4.
Read the License Agreement, select I Accept Terms In The License Agreement and click Next.
Lesson 5: Configuring Firewalls
215
216
Tactical Perimeter Defense
5.
In the Customer Information dialog box, enter your name, company, and license if necessary, and then click Next.
6.
In the Setup Type dialog box, select the Typical radio button, then click Next.
7.
In the Internal Network dialog box, click the Add button.
8.
In the Addresses dialog box, click the Add Adapter button.
9.
In the Select Network Adapters dialog box, check the box next to your Internal network card, and then click OK.
10. In the Addresses dialog box, click OK. 11. In the Internal Network dialog box, click Next. 12. In the Firewall Clients dialog box, accept the default and click Next. (Do not check the box to Allow non-encrypted Firewall Client Connections.) 13. Read the Services warning dialog box and then click Next. 14. In the Ready to Install the Program dialog box, click Install. (The Microsoft ISA Server 2006 - Installation Wizard will start and a File Progress window will appear. Be patient, it will take several minutes to install all the components.) 15. In the Installation Wizard Finished dialog box, click Finish. 16. In the pop-up window, click OK. The Windows Internet Explorer window opens with some information on how to protect ISA. Read the page and then close the Internet Explorer window. 17. Close the Microsoft ISA Server 2006 Setup dialog. ISA Server 2006 is now installed.
Configuring ISA Server 2006 There are five basic steps to configuring your ISA Server 2006 Firewall. The ISA Server Getting Started guide provides a simple path through these processes to ensure that you can configure your ISA Server firewall with a minimum of confusion. The five basic steps to configure an ISA Server 2006 firewall are: 1. Define your ISA Server network configuration. 2.
Create Firewall Policy Rules.
3.
Define how ISA Server caches web content.
4.
Configure VPN access (if required).
5.
Set up Monitoring on your ISA Server.
Each of these tasks has a configuration page that guides you step by step through the various wizards and configuration pages associated with the individual tasks. In the following tasks, you will explore the ISA Server Management Console and configure each of these options for your ISA Server 2006 firewall.
Understanding the ISA Server Management Console You manage your ISA Server 2006 firewall through the ISA Server Management Console. This console has three basic areas that you can use to navigate and configure ISA Server 2006: • Console Tree (left pane) •
Details pane (center pane)
•
Tasks pane (right pane)
Lesson 5: Configuring Firewalls
217
Figure 5-17: The ISA Server Management Console panes. In the following task, you will explore the ISA Server Management Console and familiarize yourself with its functions and behaviors. The tool is very intuitive, but it does have a lot of moving parts, so the more time you spend getting comfortable with it, the more efficient you will become at configuring ISA Server.
TASK 5B-3 Exploring the Microsoft ISA Server 2006 Interface Setup: You must be logged on to Windows 2003 Server as an administrator and have completed task 3B-2.
218
Tactical Perimeter Defense
1.
Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2.
Notice that the ISA Server Management console is divided into three panes: • The left hand pane is your Console Tree pane. This pane contains a short list of navigable containers. The containers in this pane logically group related management or configuration settings. •
The center pane is your Details pane. For each container in the Console Tree pane, the Details pane will contain information related to the configuration container selected in the Console Tree. Depending on the configuration container selected, the Details pane may have multiple tabs of information.
•
The right pane is your Tasks pane. The Tasks pane contains two tabs— the Tasks tab has a list of relevant tasks that can be performed for the selected container in the Tree pane. If the configuration container
selected in the Tasks pane shows multiple tabs of information in the Details pane, the Tasks tab is contextual, that is, it will contain Tasks that can be performed for any selected tab in the Details pane of a particular configuration container. In addition, the Tasks pane also contains a Help tab with context-sensitive help for the selected Details pane tab. 3.
Notice that the Details pane defaults to the Welcome information. In this section, you can find links to guides on Getting Started, Securing your ISA Server, and Internet Websites with ISA Server Information.
4.
In the Console Tree pane, expand the container with your server name by clicking the + symbol.
5.
In the Console Tree pane, expand the Configuration container by clicking the + symbol. •
You have now exposed the whole configuration container chain for a standalone ISA Server 2006 firewall. The Console Tree can/will contain other items if the ISA Server is part of an ISA Array in a domain.
6.
In the Console pane, select the WIN-R01 configuration container.
7.
Notice that this places the “Getting Started” information in the Details pane. This lists out the five configuration steps for ISA Server. Briefly read down the list of items in the Details pane.
8.
In the Details pane, click the Define Your ISA Server Network Configuration link.
9.
Notice that the selected container in the Console Tree pane changed to the Networks container. • The three panes found in the ISA Server Management console are linked. Clicking a link in any of the panes will take you to the correct configuration container for the property you are trying to configure.
10. Explore the four tabs in the Details pane of the Networks container.
Lesson 5: Configuring Firewalls
219
11. Notice that as you move between tabs in the Details pane, the Tasks pane changes to show contextually relevant links for each tab.
12. On the middle of the vertical divider between the Details pane and the Task pane, click the arrow icon. Notice that the Tasks pane collapses to create a larger viewable area for the Details pane. 13. Click the arrow icon again. The Tasks pane expands again to allow access to the tasks listed for the Details pane tab. 14. In the Console Tree pane, select the Monitoring container. 15. Notice that this container has seven tabs in the Details pane. 16. In the Details pane, select the Services tab. 17. On the Services tab, select the Microsoft Firewall item. 18. On the Task pane under Services Tasks, click the Stop Selected Service link. 19. Notice that after the service stops, the Tasks link changes context from Stop to Start. 20. Restart the service after it stops by clicking the Start Selected Service link. 21. In the Details pane, after the service restarts, click the Alerts tab. 22. On the Tasks pane, click the Refresh now link. 23. Notice that the action of starting and stopping the service generated an alert entry. 24. Click the Dashboard tab.
220
Tactical Perimeter Defense
25. Notice that Alerts is one of the items on the Dashboard. The Dashboard gives you a quick overview of the current state of activity on your ISA Server. 26. In the Console Tree pane, select the Firewall Policy container. 27. Notice in the Details pane that one rule, the “Default Rule” of deny all traffic for all networks, exists.
ISA Server installs only this default Deny All rule during installation. To allow traffic to pass through the ISA Server, you must configure rules to permit it to pass. 28. Notice on the Tasks pane for the Firewall Policy container that there is a long list of tasks that can be performed. 29. Explore the list of tasks in the Firewall Policy Tasks section of the Task pane. 30. Notice that these tasks are broken down into four categories: •
Firewall Policy Tasks
•
Policy Editing Tasks
•
System Policy Tasks
•
Related Items
Again, the Tasks pane is context sensitive to the container selected in the Console Tree pane and the tab selected in the Details pane. If you are having trouble locating a task, be sure you have selected the right container and Details tab. 31. Notice that the Tasks pane now has a third tab called Toolbox. 32. Select the Toolbox tab in the Tasks pane. 33. Notice that the Toolbox tab has five expandable sections.
Lesson 5: Configuring Firewalls
221
34. Browse through the Toolbox tab sections. Be sure to expand and explore a few sub-containers under the various sections also.
222
Tactical Perimeter Defense
35. Explore the remaining Console Tree pane configuration containers and their associated Details and Tasks panes. 36. After you have explored a bit, close the ISA Server 2006 Management console window.
Exporting/Importing ISA Server 2006 Configurations as XML Files One of the features that makes ISA Server 2006 easy to manage is the ability of ISA Server to export the current configuration as an XML file. It is now simpler than ever to back up and restore your firewall configuration. To return to that configuration, you simply import the XML configuration file back into ISA Server. Exporting your “working” configuration before making any adjustments to the firewall configuration is always a good idea, especially when the firewall policy is complex with many layers of rules applied. This will ensure that you can return to the “last known good” configuration with a minimum of hassle or down time.
TASK 5B-4
This configuration area of the ISA Server Management console is where you can create and manage all of the various items that can be used in firewall policy rule configurations. A strong familiarity with these items will greatly benefit you when you create custom firewall policy rules for your network. We will return to this area later when we create custom rules.
Right-clicking any item in a container in the toolbox will give you a context menu listing available actions that can be taken on that object.
Exporting the Default Configuration Setup: You must be logged on to Windows 2003 Server as an administrator and have completed task 3B-2. 1.
Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2.
In the Console Tree pane, select the container with your ISA server name.
3.
On the Tasks tab, click the Export (Backup) this ISA Server Configuration link.
4.
In the Export Wizard dialog box, click Next.
5.
In the Export Preferences dialog box, select Export User Permissions. We have no confidential information, such as user passwords and certificates, to export so we will leave that check box unchecked.
6.
Click Next.
7.
In the Save The Data To This File field, enter C:\originalcfg.xml and click Next.
8.
Click Finish.
9.
After the file finishes exporting, click OK.
Be sure to cancel out of any dialog boxes you may open and discard any changes to the configuration. This is important so that your firewall will behave as expected in the remaining ISA task exercises.
10. Close the ISA Server 2006 Management Console.
Lesson 5: Configuring Firewalls
223
We now have the ability to return to our default configuration if we accidentally misconfigure our firewall. Adding the exported ISA Server configuration XML files to your regular backups would be a good configuration management tool and policy.
ISA Server 2006 Firewall Policies ISA Server 2006 manages network access through the firewall using layered firewall policies. These firewall policies can contain a set of access rules, publishing rules, and network rules. Each type of rule in a policy controls a different form of access across the firewall. These rules contained within an ISA Server firewall policy determine how and what network traffic can access resources through the firewall.
Access Rules In ISA Server 2006 (like most other firewalls), the access rules are built from the following building blocks: •
Rule Name
•
Rule Action (Allow, Deny)
•
Protocol and Port
•
Traffic Source
•
Traffic Destination
•
User Sets
•
Content Groups
The parameters specified during the rules construction will create the constraint set that the rule set will enforce through the firewall policy of the ISA Server that the rule was created on. A best practice is to evaluate, define, and document each rule before you implement it in ISA Server. This will ensure you get the expected results by applying the rule. Some firewall administrators find it helpful to diagram the rule and include the diagram with the rule documentation. ISA Server has three basic types of rules: • Access rules: In ISA Server, an access rule controls what network traffic from the internal network is allowed to access the external network. Access rules can apply to all traffic, to only a selected set of protocols, or to all traffic except a selected set of protocols. The same thing applies to source, destination, or user sets. A rule can apply to all, only a selected subset, or all but a selected subset.
224
Tactical Perimeter Defense
•
Publishing rules: ISA Server defines publishing rules as rules that control access requests from the external network for internal resources. This type of rule is applied to a web server that you want to provide public access to or to an SMTP server that needs to accept inbound mail delivery. In actuality, these are simply access rules applied to inbound traffic as opposed to outbound traffic. They can apply to the full set of rule building blocks or a selected subset just like access rules.
•
Network rules: ISA Server network rules are built by defining the traffic source, traffic destination, and the network relationship (how the traffic is handled, for example, NAT or Routed). Network rules can be combined with access or publishing rules to provide granular control over the traffic that transverses the ISA Server firewall.
Processing Firewall Policies ISA Server deals with access requests in two directions: outgoing requests and incoming requests. As ISA Server receives a request and it processes the information contained in the packet and compares it against the firewall policy that contains the configured rule set.
Outgoing Requests The process of access control for outgoing requests looks like this: •
ISA Server first checks any defined network rules and verifies that the two networks are connected. If a common connection between the source and destination network exists, ISA Server will then process the access policy rule set. If no connection is defined in the network rules, the packet is dropped.
•
ISA Server now parses the access rules in the order that they are configured. If an allow rule applies to the request, ISA Server will allow the request. The first rule that is a match for the traffic being inspected is the rule that will apply. This is why ordering is important. ISA Server checks the rule elements that make up an access rule in this order: •
Protocol
•
Source address and port
•
Schedule
•
Destination address
•
User set
•
Content groups
Incoming Requests ISA Server calls rules that control incoming requests publishing rules. These rules are designed to allow you to securely allow access to servers by clients on a different network. Incoming requests are controlled by the ISA Server publishing policy. The publishing policy is built from web publishing rules, server publishing rules, secure web publishing rules, and mail server publishing rules. These rules, in addition to any web chaining rules, control how incoming requests to published servers are handled. ISA Server has several types of publishing rules that you can use to control how resources are accessed. These are: • Web publishing rules. Used to publish web server content. •
Secure web publishing servers. To publish Secure Sockets Layer (SSL) content.
•
Mail Server publishing rules: Used to publish Mail servers across ISA Server.
•
Server publishing rules. Used to publish all other internal resource content.
Access rules that deny traffic are processed before publishing rules that allow traffic. If a request matches a deny access rule, the request will be denied, because ISA Server will never get to the publishing rule that would have permitted the request.
Remember that access rules that deny traffic are processed before publishing rules that permit traffic. Your access rules must not explicitly deny any traffic that you intend to publish.
Lesson 5: Configuring Firewalls
225
TASK 5B-5 Creating a Basic Access Rule Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this task, you will work with a partner in the classroom to test your configuration of an access rule. You will need to ask your partner for his or her IP address before you being the task. 1.
Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2.
In the Console Tree pane, expand the container named after your server.
3.
Select the Firewall Policy container.
4.
Notice in the Details pane that the only rule that exists is the default deny rule.
5.
Open a command prompt.
6.
Type ipconfig and then press Enter.
7.
Ping your default gateway. What was your result? Outbound Ping Allowed from your ISA Server.
8.
Ping your partner’s External IP address. What was your result? Your partners ISA Server blocked the inbound Ping request on his or her external interface.
9.
Minimize the command prompt.
10. In the Tasks pane, under Firewall Policy Tasks, click the Create Access Rule link.
226
Tactical Perimeter Defense
11. On the New Access Rule Wizard dialog box, in the Access Rule Name field,enter Inbound Ping to External Interface and then click Next.
12. In the Rule Action dialog box, select the Allow option and then click Next. 13. In the Protocols dialog box, click the Add button. 14. In the Add Protocols dialog box, expand Common Protocols and select PING, click Add, and then click Close.
15. In the Protocols dialog box, click Next.
Lesson 5: Configuring Firewalls
227
16. In the Access Rule Sources dialog box, click the Add button. 17. In the Network Entities dialog box, expand Networks, select External, and click Add. Then, click Close. 18. In the Access Rule Sources dialog box, click Next. 19. In the Access Rule Destination dialog box, click the Add button. 20. In the Network Entities dialog box, expand Network Sets, select All Protected Networks, and click Add. Then, click Close. 21. In the Access Rule Destination dialog box, click Next. 22. In the User Sets dialog box, accept the default of All Users and click Next. 23. Click Finish. 24. At the top of the Firewall Policy Details pane, click Apply. 25. In the Saving Configuration Changes dialog box click OK. 26. Wait at this step until both partners have completed the previous steps. 27. Restore the command prompt. 28. Ping your partner’s external IP address. What was your result? Ping was allowed to the external interface of your partner. 29. Minimize the command prompt. 30. In the Details pane, select the Inbound Ping To External Interface rule.
228
Tactical Perimeter Defense
31. In the Tasks pane, click the Disable Selected Rules link.
32. At the top of the Firewall Policy Details pane, click Apply. 33. In the Saving Configuration Changes dialog box, read the note below the progress bar and then click OK. 34. Wait at this step until both partners have completed the previous step. 35. Restore the command prompt. 36. Ping your partner’s external IP address. What was your result? Ping was allowed to the external interface of your partner even though the rule was disabled. This is because you already had an existing connection to your partner from the initial successful ping test. Note: If you are not able to ping your partner’s IP address, enable the rule again, ping your partner, and then disable the rule. 37. Choose Start→Control Panel→Network Connections→External. 38. In the External Status dialog box, click the Disable button. This will break your existing connection to your partner. 39. Wait at this step until both partners have completed the previous step of disabling the External NIC. 40. Choose Start→Control Panel→Network Connections→External. This will enable your external connection. 41. Wait at this step until both partners have completed the previous step. 42. Restore the command prompt. Lesson 5: Configuring Firewalls
229
43. Ping your partner’s external IP address. What was your result Ping is now blocked again by the ISA Server firewall policy. 44. In the Details pane, select the Inbound Ping To External Interface rule. 45. In the Tasks pane, click the Delete Selected Rules link. 46. In the Confirm Delete dialog box, click Yes. 47. At the top of the Firewall Policy Details pane, click Apply. 48. In the Saving Configuration Changes dialog box, click OK. 49. Close all open windows. It is important to remember that any rules you add to the firewall policy will not take effect on any connections that are already established. This is because ISA Server 2006 is a stateful firewall and those connections are currently listed in the state tables. Stateful firewalls consult the state tables before parsing the firewall rules. If the connection is listed in the state table, it will not be checked against the rule set again until it is removed from the state table either through a time out or by the source terminating the connection. You can force the state table to reset for all connections by disabling and enabling the network interface that the connection is associated with.
ISA Server 2006 Access Rule Elements There are eight basic access rule elements that are used to build ISA Server 2006 access rules when creating a firewall policy. These elements describe specific characteristics of a network traffic packet that ISA Server can inspect and use for rule comparison. The elements that ISA Server 2006 uses to create a protocol rule are: • Name: This is used by ISA Server to display the rules contained in the firewall policy container in the management console. Using descriptive, easy to understand names will help you keep track of what each rule is intended to do. •
Action: This is the action ISA Server will take when the rule is triggered by a match. The two possible actions are Allow or Deny. Action elements can also be configured to log requests that match a rule or redirect HTTP requests on a rule match to a web page.
•
Protocols: This element describes the protocol and port that the rule will match.
•
Network: These elements describe the device addresses or network nodes that the rule will apply to. It is used in building the following two rule elements: •
230
Tactical Perimeter Defense
Source: This element describes where the packet is coming from.
•
Destination: This element describes where the packet is going to.
•
Users: This element describes the user or groups of users that the rule will apply to.
•
Schedule: This element describes the days and times that the rule will be enforced.
•
Content Types: This element describes the network data packet contents that the rule will be applied to.
ISA Server 2006 has a robust set of access rule elements pre-configured when it is installed. However, you can easily create additional rule elements that meet your specific requirements when the default rule elements will not address the rule you are trying to create. Since it is impossible to predict what type of traffic any given network may require, the ability to create additional rule elements gives ISA Server 2006 the flexibility to adapt to any requirements.
TASK 5B-6 Creating a Protocol Rule Element Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this exercise, you will create a custom protocol element that you could use to network traffic for a custom network application that uses TCP port 2120 inbound across your firewall with return client connections dynamically established across the range of 49152-65535. 1.
Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2.
Expand the Console Tree pane and select the Firewall Policy container.
3.
In the Tasks pane, select the Toolbox tab.
4.
On the Toolbox tab, expand the Protocols container.
5.
Explore the various default protocol elements that are defined by default.
6.
On the Toolbox tab, under the Protocols container, click the New dropdown menu, and select Protocols.
7.
In the New Protocol Definition Wizard dialog box, in the Protocol Definition Name field, type Custom Application Protocol and then click Next.
8.
In the Primary Connection Information dialog box, click the New button.
9.
In the New/Edit Protocol Connection dialog box, enter the following values and then click OK. • Protocol type: TCP •
Direction: Inbound
•
Port Range: —
From: 2120 Lesson 5: Configuring Firewalls
231
—
To: 2120
10. In the Primary Connection Information dialog box, click Next. 11. In the Secondary Connections dialog box, under Do You Want To Use Secondary Connections? select the Yes radio button, and then click New. 12. In the New/Edit Protocol Connection dialog box, enter the following values and then click OK. •
Protocol type: TCP
•
Direction: Outbound
•
Port Range: —
From: 49152
—
To: 65535
13. In the Secondary Connection Information dialog box, click Next. 14. In the New Protocol Definition Wizard, click Finish. 15. Notice that your new User-Defined protocol now shows in the Toolbox Protocols area. 16. At the top of the Details pane, click the Apply button. 17. In the Saving Configuration Changes dialog box, click OK. 18. Close the ISA Server 2006 Management console.
232
Tactical Perimeter Defense
TASK 5B-7 Creating a User Rule Element Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this exercise, you will create a user element just for the administrator account. As an example, this user element could then be used in an access rule to deny the administrator account access to any external resources on the external network. 1.
Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2.
Expand the Console Tree pane and select the Firewall Policy container.
3.
In the Task pane, select the Toolbox tab and then expand the Users container.
4.
Notice that ISA Server has three default user elements pre-defined.
5.
At the top of the Users container, click the New link.
6.
In the New User Set Wizard, in the User Set Name field, type Administrator Account and then click Next.
7.
In the Users dialog box, click the Add button, and from the pop-up menu, choose Windows Users And Groups.
8.
In the Select User Or Groups dialog box, click the Advanced button.
9.
In the Select User Or Groups dialog box, click the Find Now button.
10. In the Search results list, select the Administrator account and then click OK. Note, be sure you do not select the Administrators Group. 11. In the Select User Or Groups dialog box, verify that the Administrator account appears and then click OK. 12. In the Users dialog box, click Next. 13. In the New Users Set dialog box, click Finish. 14. Notice that your new user set appears in the toolbox pane.
Lesson 5: Configuring Firewalls
233
15. At the top of the Details pane, click the Apply button. 16. In the Saving Configuration Changes dialog box, click OK. 17. Close the ISA Server 2006 Management console.
Content Types ISA Server 2006 comes preconfigured with a variety of content types by default. If your targeted content type is not already defined, it is an easy task to configure a custom content type to suit your organization’s needs. ISA Server 2006’s deep packet inspection allows ISA Server to control not only traffic based not only on source, destination, protocol and port, but also on content type. This is useful in enforcing an organization’s security policy when it forbids certain types of content for security or other reasons. For example, your organization’s security policy forbids the downloading of executable .exe files from the Internet. You could create a content type for .exe files and then assign the new content type to a deny access rule to block any content that contains a .exe file.
TASK 5B-8 Creating a Content Group Rule Element Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.
234
Tactical Perimeter Defense
1.
Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2.
Expand the Console Tree pane and select the Firewall Policy container.
3.
In the Task pane, select the Toolbox tab.
4.
In the Toolbox tab of the Task pane, expand the Content Types section.
5.
Examine the pre-defined content types. Notice that .exe files are not defined.
6.
Under the Content Types heading, click the New link.
7.
In the New Content Type Set dialog box, in the Name field, type Exe Files
8.
In the New Content Type Set dialog box, from the Available Types dropdown list, select the .exe type and then click Add.
9.
In the New Content Type Set dialog box, click OK. The new Exe Files content type appears in the Content Types list.
10. At the top of the Details pane, click Apply. 11. In the Saving Configuration Changes dialog box, click OK.
Lesson 5: Configuring Firewalls
235
ISA Server 2006 Scheduling ISA Server 2003 has the ability to create and use schedules to control when certain access rules are in effect. Schedules can be used in conjunction with other access rule components when creating an access rule to specify the times and/or days that the rule is enforced.
TASK 5B-9 Creating and Modifying Schedule Rule Elements Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. 1.
In ISA Server Management, expand the Console Tree pane and select the Firewall Policy container.
2.
In the Task pane, select the Toolbox tab.
3.
In the Toolbox tab of the Task pane, expand the Schedules section.
4.
Notice that there are two pre-defined schedules: Weekends and Work Hours.
5.
Select the Work hours schedule and then click the Edit link.
6.
In the Work hours Properties dialog box, click the Schedule tab.
7.
Notice that the schedule contains a grid comprised of 7 week days and 24 hours in one-hour increments.
8.
Notice that each one-hour block of time can be set to either Active or Inactive on the schedule.
9.
Click and drag your cursor from Monday 8:00 A.M. to Friday 8:00 P.M. and then click the Active radio button to extend the work hours to start at 8:00 A.M. instead of 9:00 A.M, and extend to 9 P.M. Monday through Friday.
10. Click and drag your cursor from Monday 12:00 P.M. to Friday 12:00 P.M. and then click the Inactive radio button to remove the lunch hour from the Work hours schedule. 11. Click OK to close the Work Hours Properties dialog box. 12. On the Toolbox tab, under the Schedules area, click the New link. 13. In the New schedule dialog box, in the Name field, type After hours 14. Click and drag your mouse pointer in the schedule field from Monday at 8:00 A.M. to Friday at 8:00 P.M. to cover the workday hours and then click the Inactive radio button. 15. In the New Schedule dialog box, click OK.
236
Tactical Perimeter Defense
16. At the top of the Details pane, click Apply. 17. In the Saving Configuration Changes dialog box, click OK. You have now modified the existing Work hours schedule and created a new schedule for After hours. These schedules can be used in rule creation to control what times a rule is enforced by ISA Server 2006. This adds a great deal of flexibility to your ability to configure and enforce firewall policies.
Using Content Types and Schedules in Rules You have discovered that ISA Server has Content Types and Schedules that can be used in rule creation. As a practical example, these objects could be used to enforce an organization’s acceptable use policy that states that viewing video content is prohibited during normal work hours but allows video content during lunch and after hours. Using the schedule feature in ISA Server 2006 allows you to create a schedule that can be incorporated into a rule governing video content to enforce the organization’s acceptable use policy.
TASK 5B-10 Using Content Types and Schedules in Rules Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. 1.
In ISA Server Management, expand the Console Tree pane and select the Firewall Policy container.
2.
In the Task pane, select the Tasks tab.
3.
In the Tasks pane, under Firewall Policy Tasks, click the Create Access Rule link.
Lesson 5: Configuring Firewalls
237
4.
In the New Access Rule Wizard dialog box, in the Access Rule Name fieldtype Enforce Video Content Policy and click Next.
5.
In the Rule Action dialog box, select the Deny radio button and then click Next.
6.
In the Protocols dialog box, from the This Rule Applies To drop-down list, select All Outbound Traffic and then click Next.
7.
In the Access Rule Sources dialog box, click the Add button.
8.
In the Network Entities dialog box, expand Network Sets, select All Protected Networks, click Add, and then click Close.
9.
In the Access Rule Sources dialog box, click Next.
10. In the Access Rule Destination dialog box, click the Add button. 11. In the Network Entities dialog box, expand Network Sets, select All Networks (and Local Host), and click Add. Then, click Close. 12. In the Access Rule Destination dialog box, click Next. 13. In the User Sets dialog box, accept the default of All Users and click Next. 14. Click Finish. 15. On the Tasks tab, under Policy Editing Tasks, click the Edit Selected Rule link.
238
Tactical Perimeter Defense
16. Notice that the rule property dialog box has tabs for each of the items we configured during rule creation (General, Action, Protocols, From, To and Users) and it also contains two additional tabs: Schedule and Content type.
17. Click the Schedule tab, and from the Schedule drop-down list, select Work hours. 18. Click the Content Types tab and select the Selected content type radio button. 19. Scroll down in the Content Types list and select the Video Content Type and then click OK. 20. At the top of the Firewall Policy Details pane, click Apply. 21. In the Saving Configuration Changes dialog box, click OK. 22. The ISA Server firewall will now enforce our video policy during work hours.
ISA Server 2006 Network Rule Elements You have discovered that ISA Server 2006 uses a set of elements as the building blocks for access rules. Networks are rule elements, which are made up of one or more ranges of network IP addresses or other network identifier characteristics.
Lesson 5: Configuring Firewalls
239
ISA Server 2006 network elements include one or more computers, typically corresponding to a physical network. You can apply rules to one or more networks or to all addresses except those in the specified network. ISA Server 2006 creates network elements for the following objects: • Networks •
Network Sets
•
Computers
•
Address Ranges
•
Subnets
•
Computer Sets
•
URL Sets
•
Domain Name Sets
•
Web Listeners
•
Server Farms
ISA Server 2006 has a set of default network elements that are pre-defined. You can use these default elements as part of an access rule definition or you can create custom network elements to meet your specific needs.
TASK 5B-11 Creating a Network Rule Element Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous task.
240
Tactical Perimeter Defense
1.
In ISA Server Management, Expand the Console Tree pane and select the Firewall Policy container.
2.
In the Task pane, select the Toolbox tab.
3.
In the Toolbox tab of the Task pane, expand the Network Objects container.
4.
Examine the pre-defined Network Objects.
5.
On the Toolbox tab, at the top of the Network Objects container, click the New drop-down menu, and choose Computer from the pop-up menu.
6.
In the New Computer Rule Element dialog box, enter the following values and then click OK: • Name: [Your computer name] •
Computer IP Address: [Your computer IP address]
•
Description: ISA Firewall
7.
At the top of the Firewall Policy Details pane, click Apply.
8.
In the Saving Configuration Changes dialog box, click OK.
We could now use this new Network Object as an element in an access rule that would only apply to the ISA Server 2006 firewall at our IP address.
Lesson 5: Configuring Firewalls
241
ISA Server Publishing Rules Up to this point, we have primarily been concerned with access rules and their constituent elements. Access rules in ISA Server 2006 are designed to control traffic that transverses the firewall from the unprotected network (external) to the protected network (internal). But how does ISA Server 2006 make protected resources, such as a web server, available to external access? For this external access purpose, ISA Server has publishing rules. Publishing rules apply to traffic requests for resources on the internal protected network. Publishing rules are made up of similar elements to an access rule with one notable exception: Publishing rules require a Listener element to be created. The listener element describes what interface ISA Server should be listening on for access requests to the internal resource defined in the publishing rule.
Figure 5-18: Features and benefits of ISA Server content publishing.
TASK 5B-12 Configuring a Web Publishing Rule Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this exercise, you will create an ISA Server publishing rule to allow external access to an internal website.
242
Tactical Perimeter Defense
1.
In ISA Server Management, expand the Console Tree pane and select the Firewall Policy container.
2.
In the Tasks pane, select the Tasks tab.
3.
On the Tasks tab, under the Firewall Policy Task section, click the Publish Web Sites link.
4.
In the New Web Publishing Rule Wizard, in the Web Publishing Rule Name field, type Public Web Server and click Next.
5.
In the Select Rule Action dialog box, select the Allow radio button and click Next.
6.
In the Publishing Type dialog box, select the Publish A Single Web Site Or Load Balancer option and click Next.
7.
On the Connection Security tab, select the Use Non-secured Connections To The Published Web Server Or Server Farm option and then click Next.
8.
In the Internal Publishing Details dialog box, enter the following values: •
Internal site name: www.securitycertified.net.
•
Computer name or IP address: 10.X.Y.100 (Where X and Y are the second and third octets of your internal interface (loopback adapter).
Click Next. 9.
In the Internal Publishing Details dialog box, in the Path (Optional) field, type /* and click Next.
10. In the Public Name Details dialog box, in the Public Name field, type www. securitycertified.net and click Next. 11. In the Select Web Listener dialog box, click the New button. Lesson 5: Configuring Firewalls
243
12. In the New Web Listener Definition Wizard dialog box, in the Web Listener Name field, type Public Web Listener and click Next. 13. In the Client Connection Security dialog box, select the Do Not Require SSL Secured Connections With Clients option and click Next. 14. In the Web Listener IP Addresses dialog box, select the External Network and click Next. 15. In the Authentication Settings dialog box, from the Select How Clients Will Provide Credentials To ISA Server drop-down list, select No Authentication and click Next. 16. Read the Single Sign On Settings dialog box and then click Next. 17. In the Completing The New Web Listener Wizard, click Finish. 18. In the Select Web Listener dialog box, click Next. 19. In the Authentication Delegation dialog box, select the No Delegation, and client cannot authenticate directly option and click Next. 20. In the User Sets dialog box, accept the default of All Users and click Next. 21. In the Completing the New Web Publishing Rule Wizard dialog box, click Finish. 22. At the top of the Firewall Policy Details pane, click Apply. 23. In the Saving Configuration Changes dialog box, click OK. 24. The new publishing rule appears at the top of the Details pane. 25. In the Tasks pane, click the Toolbox tab and then expand the Network Objects container. 26. Expand the Web Listener container. (Note: you may need to refresh your screen with F5 to perform this step.) 27. The web listener created during the publishing rule creation is now listed. You may have to click another container in the Console Tree pane and then reselect the Firewall Policy container to refresh the screen. You have now configured a Web Publishing rule that will use a web listener to listen for inbound requests from the external network for www.securitycertified. net and then forward them to the internal web server. Since only port 80 is exposed to the external network, and ISA Server is inspecting the inbound HTTP packets before passing them on to the internal web server, the security footprint of your web server is greatly enhanced.
244
Tactical Perimeter Defense
ISA Server 2006 Caching Caching is a method where frequent requests for remote resources or content are stored locally on the ISA Server. By maintaining a centralized cache of frequently requested content, both network bandwidth consumption and browser performance are enhanced. Caching is disabled by default when you install ISA Server 2006, so you will need to enable and configure caching if you want to take advantage of the performance benefits this feature offers. ISA Server supports two types of caching: forward caching and reverse caching. Forward caching provides internal clients with improved access times to external resources, while reverse caching provides the same benefits to external clients accessing web content that has been published through ISA Server. When you create a cache rule, it applies to all applies to requested sites, regardless of the source network. ISA Server allows organizations to configure caching to preload entire websites into cache on a defined schedule. Scheduling cache downloads will help keep cache content up-to-date for your users and also ensure that content for offline web servers that have been cached is available to your users. ISA Server has a caching algorithm that allows it to make intelligent decisions about when certain content is no longer requested on a regular basis. This algorithm enables ISA Server to flush low request content from RAM cache to disk cache so that cache remains as efficient as possible. ISA Server has three main configuration items for controlling caching: • Cache Drive Settings •
Cache Drive Rules
•
Content Download Jobs
TASK 5B-13 Enabling and Configuring Caching Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. 1.
In ISA Server Management, expand the Console Tree pane and select the Cache container.
2.
Notice that the Cache container has a red down arrow on it in the Console Tree pane, indicating that it is currently not enabled.
3.
Notice that the Details pane contains three tabs corresponding to the three configuration items for caching discussed earlier.
4.
Notice that the Cache Size on NTFS Drives is currently zero.
5.
In the Tasks pane, under Cache Drive Tasks, click the Define Cache Drives (Enable Caching) link.
6.
In the Define Cache Drives dialog box, in the Maximum Cache Size (MB) field, type 100 and then click the Set button.
Lesson 5: Configuring Firewalls
245
7.
Drive C now shows a cache size of 100. If you had multiple drive arrays on your ISA Server, each partition formatted with NTFS would show as an option in this dialog box.
8.
In the Define Cache Drives dialog box, click OK.
9.
At the top of the Firewall Policy Details pane, click Apply.
10. In the ISA Server Warning dialog box, select Save The Changes And Restart The Services radio button and click OK. (This may take a moment—be patient!) 11. In the Saving Configuration Changes dialog box, click OK. 12. In the Details pane, click the Cache Rules tab. 13. Notice that two default rules have been pre-defined.
ISA Server comes with a pre-defined cache rule for the Microsoft Update site. This can help speed up automatic downloads of patches by clients or WUS servers. 14. On the Tasks tab, under the Cache Rules Tasks, click the Create A Cache Rule link. 15. In the New Cache Rule Wizard, in the Cache Rule Name field, type Security Certified Web Site and click Next. 16. In the Cache Rule Destination dialog box, click Add. 17. In the Add Network Entities dialog box, expand the Network Sets object. 18. In the Add Network Entities dialog box, select the All Protected Networks object. 19. In the Add Network Entities dialog box, click Add . 20. In the Add Network Entities dialog box, click Close. 21. In the Cache Rule Destination dialog box, click Next. 22. In the Content Retrieval dialog box, select the Only If A Valid Version Of The Object Exists In The Cache. If No Valid Version Exists, Route The Request To The Server. option and then click Next. 23. In the Cache Content dialog box, check the Dynamic Content check box.
246
Tactical Perimeter Defense
24. In the Cache Content dialog box, check the Content For Offline Browsing (302, 307 Responses) check box and click Next.
25. In the Cache Advanced Configuration dialog box, click Next. 26. In the HTTP Caching dialog box, accept the defaults and click Next. 27. In the FTP Caching dialog box, deselect the Enable FTP Caching option and then click Next. 28. In the New Cache Rule Wizard dialog box, click Finish. 29. At the top of the Details pane, click the Apply button. 30. In the Saving Configuration Changes dialog box, click OK. 31. In the Details pane, select the Content Download Jobs tab. 32. In the Tasks pane, click the Schedule A Content Download Job link. 33. Read the Enable Schedule Content Download Jobs dialog box and then click Yes. (This will configure the required options to schedule a content download job.)
34. At the top of the Details pane, click the Apply button. Lesson 5: Configuring Firewalls
247
35. In the Saving Configuration Changes dialog box, click OK. 36. In the Task pane, click the Schedule A Content Download Job link. 37. In New Content Download Job Wizard dialog box, in the Content Download Job Name field, type Security Certified Web Site Download and click Next. 38. In the Download Frequency dialog box, select the Daily option and click Next. 39. In the Daily Frequency dialog box, under the Job Start Date field, set the date to start tomorrow and then click Next. 40. In the Content Download dialog box, type http://www.securitycertified.net as the URL, select the Do Not Follow Link Outside The Specified URL Domain Name option. 41. In the Content Download dialog box, select the Maximum Depth Of Links Per Page option. 42. In the Content Download dialog box set the Maximum Depth Of Links Per Page value to 4 and click Next.
43. In the Content Caching dialog box, accept the default Cache Content and TTL settings and click Next. 44. In the Completing the Scheduled Content Download Job Wizard dialog box, click Finish. 45. Your new content download job appears in the details pane. 46. Close ISA Server 2006 Management console.
248
Tactical Perimeter Defense
Configuring ISA Server 2006 Network Templates Earlier in this topic, we discovered that ISA Server 2006 uses rule elements called networks to define one or more ranges of IP addresses. Networks usually correspond to a physical network. In addition to the access rule network element, ISA Server 2006 includes a new feature: network templates, which are aligned to the common firewall network topologies. These network templates can be used to configure the firewall policy required rule elements that are used in ISA rulesbased traffic control between networks. The Console Tree pane networks container provides you with three tabs in the Details pane that allow you to configure your network elements. These configuration tabs are: •
Network Sets
•
Network Rules
•
Web Chaining
Currently, our ISA Server firewall is configured as a perimeter or edge firewall. If we add a third network interface to the ISA Server, we can then re-configure the network topology to include a DMZ and create a three-legged DMZ firewall topology. This type of upgrade is not uncommon in the real world. ISA Server makes it easy to re-configure through the use of pre-defined network templates.
TASK 5B-14 Install Second Microsoft Loop Back Adapter and Assign an IP Address Setup: You must be logged on to Windows 2003 Server as an administrator, have completed the previous tasks, and have access to the Windows 2003 Server installation source files. 1.
Choose Start→Control Panel→Add Hardware.
2.
In the Welcome dialog box, click Next.
3.
Select Yes, I Have Already Connected The Hardware and click Next.
4.
Scroll to the bottom of the Installed Hardware list box and select Add A New Hardware Device. Then, click Next.
5.
Select the Install The Hardware That I Manually Select From A List (Advanced) option and click Next.
6.
Under Common Hardware Types, select Network Adapters, and then click Next.
7.
Under Manufacturer, select Microsoft.
8.
Under Network Adapter, select Microsoft Loopback Adapter.
9.
Click Next twice.
10. If required, click OK in the Insert Disk dialog box. Lesson 5: Configuring Firewalls
249
11. Enter the path to the Windows 2003 Server installation source files in the Files Needed dialog box and then click OK. (Windows Server 2003 should remember that source path from the first loopback adapter we installed earlier). 12. Click Finish. 13. Choose Start→Control Panel→Network Connections→Local Area Connection. 14. In the Local Area Connection dialog box, click Properties. 15. In the This Connection Uses The Following Items list, select Internet Protocol (TCP/IP) and then click Properties. 16. On the General tab, select Use The Following IP Address and enter the address from the table below that corresponds to your computer name. WIN-R01 - 192.168.16.1/24 WIN-R02 - 192.168.16.2/24 WIN-R03 - 192.168.16.3/24 WIN-R04 - 192.168.16.4/24 WIN-R05 - 192.168.16.5/24 WIN-R06 - 192.168.16.7/24 WIN-R07 - 192.168.16.8/24 WIN-R08 - 192.168.16.8/24
WIN-L01 – 192.168.18.1/24 WIN-L02 – 192.168.18..2/24 WIN-L03 – 192.168.18.3/24 WIN-L04 – 192.168.18.4/24 WIN-L05 – 192.168.18.5/24 WIN-L06 – 192.168.18.6/24 WIN-L07 – 192.168.18.7/24 WIN-L08 – 192.168.18.8/24
Note that the subnet mask is 255.255.255.0 for all these IPs. 17. Leave the DNS value blank and then click OK. 18. Click Close to close the NIC Properties. 19. Choose Start→Control Panel and right-click Network Connections. From the context menu, choose Open. 20. Right-click the Local Area Connection, and from the context menu, choose Rename. 21. Name the connection DMZ 22. Close the Network Connections window. You have now installed a second Microsoft Loopback adapter and assigned it a unique IP address. We will be using this adapter to function as our DMZ network adapter to configure ISA server 2006 in a three-legged DMZ.
250
Tactical Perimeter Defense
TASK 5B-15 Configure ISA Server 2006 in a Three-legged DMZ Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. You will reconfigure your network as a three-legged DMZ topology. To accomplish this, you must first import the originalcfg.xml file to remove the web access policy listener that you configured in the publishing task. 1.
Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2.
In the Console Tree pane, select the [Your Server Name] container.
3.
In the Tasks pane, click the Import (Restore) This ISA Server Configuration link.
4.
In the Import Wizard dialog box, click Next.
5.
In the Select The Import File dialog box, in the File Name field, type C:\originalcfg.xml and click Next. Alternatively, you could use the Browse button to locate the file.
6.
In the Import Action dialog box, select the Overwrite (Restore) option and then click Next.
7.
In the Import Preferences dialog box, check the Import User Permission Settings check box, and then click Next.
8.
In the Completing The Import Wizard dialog box, click Finish.
9.
Read the ISA Server warning dialog box and then click OK twice.
10. At the top of the Details pane, click the Apply button. 11. In the Saving Configuration Changes dialog box, click OK. 12. In the Console Tree pane, select the Firewall Policy container. Notice that the firewall rule sets in the Details pane are back to the defaults. 13. In the Console Tree pane, select the Networks container. 14. In the Tasks pane, expand Configuration, and select the Templates tab.
Lesson 5: Configuring Firewalls
251
15. On the Templates tab, select the 3-Leg Perimeter template.
16. In the Welcome To The Network Template Wizard dialog box, click Next. 17. In the Export The ISA Server Configuration dialog box, click Next. 18. In the Internal Network IP Addresses dialog box, click Next. 19. In the Perimeter Network IP Addresses dialog box, click Add Adapter. 20. In the Select Network Adapters dialog box, select the DMZ network and click OK. 21. In the Perimeter Network IP Addresses dialog box, click Next. 22. In the Select A Firewall Policy dialog box, scroll down and select the Allow Limited Web Access policy. Then, click Next. 23. In the Completing The Network Template Wizard dialog box, click Finish. 24. At the top of the Details pane, click the Apply button. 25. In the Saving Configuration Changes dialog box, click OK. 26. In the Console Tree pane, select the Firewall Policy container. 27. Highlight the Web Access Only Firewall Policy. 28. Notice that there are new access rules configured based on the template options we chose in the previous steps.
252
Tactical Perimeter Defense
Configuring ISA Server Monitoring ISA Server 2006 has a robust set of monitoring features. By configuring alerts, reporting, performance monitoring and logging, you can see at a glance the status and health of your ISA Server 2006 firewall. The Monitoring Details pane has the largest number of tabs associated with it of any of the ISA Console Tree pane containers. Spend plenty of time learning about each of the monitoring features and working with their configuration. The more skilled you are with this toolset, the easier it is to manage your ISA Server 2006 firewall. These features are summarized in the following table.
Figure 5-19: ISA Server 2006 monitoring features. The ISA Server 2006 Management console can be used to gather “at a glance” information on the status of your ISA Server. To view the real-time monitoring information, open the Management console and select the Monitoring container from the Console Tree pane. This will activate the Monitoring Details pane. On the Dashboard tab of the Monitoring Details pane, you will find visual displays of current monitoring information. The refresh rate of this display is configurable in the task pane. Each of the individual information displays can also be collapsed to make more screen room for other displays.
Lesson 5: Configuring Firewalls
253
Figure 5-20: The Monitoring Details pane Dashboard tab.
TASK 5B-16 Working with Alerts Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this task, you will configure a custom alert for network disconnections and assign it actions to perform when the alert is triggered.
254
Tactical Perimeter Defense
1.
In ISA Server, with the Console Tree pane open, select the Monitoring container.
2.
In the Details pane, select the Alerts tab.
3.
In the Tasks pane, click the Configure Alert Definitions link.
4.
In the Alerts Properties dialog box, scroll briefly though the list and look at the wide range of pre-configured alerts in ISA Server. Then, click Add.
5.
In the New Alert Wizard dialog box, in the Alert Name field, type Network Interface Disconnected and click Next.
6.
In the Events And Conditions dialog box, from the Event drop-down list, select Network Configuration Changed, from the Additional Condition drop-down list, select Network Disconnected. Click Next.
7.
In the Category And Severity dialog box, from the Category drop-down list, select Network Load Balancing, from the Severity drop-down list, select Error and click Next.
8.
In the Actions dialog box, select the Send An E-mail Message and the Report The Event To The Windows Event Log options and then click Next.
Lesson 5: Configuring Firewalls
255
9.
In the Sending E-mail Messages dialog box, enter the following values: •
SMTP server: smtp.securitycertified.net
•
From:
[email protected]
•
To:
[email protected]
Click Next. 10. In the Completing The New Alert Configuration Wizard, click Finish. 11. In the Alerts Properties dialog box, scroll down and ensure that your new Network Interface Disconnected alert is selected, then click OK. 12. At the top of the Details pane, click the Apply button. 13. In the Saving Configuration Changes dialog box, click OK. 14. You have now configured ISA Server 2006 alerts to send you an email message and log a Windows Event Viewer event whenever a network interface is disconnected. This could speed up your response time to physical problems with the ISA Server network segments. 15. Minimize your ISA Server 2006 Management console. Alerts associated with actions such as sending an email will help you respond to critical ISA Server events in a timely fashion. Even configuring certain warning items to send an email alert can help you take proactive steps to ensure the ISA Server 2006 firewall remains in optimum condition.
256
Tactical Perimeter Defense
TASK 5B-17 Working with Reports Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. You will configure ISA Server 2006 to create a one-time report and to create scheduled reports for monitoring baselines and security performance evaluations. 1.
From the Start menu, open Windows Explorer.
2.
Create the directory C:\ISA-Reports.
3.
Minimize Windows Explorer.
4.
Maximize your ISA Server.
5.
Expand the Console Tree pane and select the Monitoring container.
6.
In the Details pane, select the Reports tab.
7.
On the Tasks tab, click the Generate A New Report link.
8.
In the New Report Wizard dialog box, in the Report Name field, type Snapshot Report and click Next.
9.
In the Report Content dialog box, accept the default of all content choices and click Next.
10. In the Report Period, leave the default start and stop date and click Next. 11. In the Report Publishing dialog box, check the Publish reports to a directory check box. 12. In the Report Publishing dialog box, click the Browse button. 13. In the Browse For Folder dialog box, browse to C:\ISA-Reports, select it, and click OK. 14. In the Report Publishing dialog box, check the Publish Using This Account check box and then click the Set Account button. 15. In the Set Account dialog box, click the Browse button. 16. In the Select User dialog box, in the Enter The Object Name To Select field, type Administrator and then click Check Name. Click OK. 17. In the Password and Confirm Password fields, type the Administrator password and then click OK. (Your password should be blank.)
Lesson 5: Configuring Firewalls
257
18. In the Report Publishing dialog box, click Next.
19. In the Send E-mail Notification dialog box, leave the defaults blank, and click Next. 20. In the Completing The New Report Wizard dialog box, click Finish. 21. Restore your minimized Windows Explorer and browse to the C:\ISAReports directory. 22. Open the Snapshot Report [Date Range] folder and double-click the contents.htm file. 23. Right-click the Allow Blocked Content bar at the top of the browser screen and choose Allow Blocked Content. Then, click Yes.
24. On the Summary page, click the Protocols link. Scroll through the report and examine the types of items that are reported. 25. The report contains no significant data because your ISA Server has not passed a large number of packets to register monitoring statistics yet. 258
Tactical Perimeter Defense
26. When you finished examining the report, close your Internet Explorer windows and close Windows Explorer. 27. In the Tasks pane, click the Create And Configure Report Jobs link. 28. In the Report Jobs Properties dialog box, click Add. 29. In the New Report Job Wizard dialog box, in the Report Job Name field, enter Daily Report and click Next. 30. In the New Report Content dialog box, accept the default all content types and click Next. 31. In the Report Job Schedule dialog box, select the Daily option and click Next. 32. In the Reports Publishing dialog box, check the Publish Reports To A Directory check box. 33. In the Report Publishing dialog box, click the Browse button. 34. In the Browse For Folder dialog box, browse to C:\ISA-Reports, select it, and then click OK. 35. In the Report Publishing dialog box, check the Publish Using This Account check box and then click the Set Account button. 36. In the Set Account dialog box, click the Browse button. 37. In the Select User dialog box, in the Enter The Object Name To Select field, type Administrator and then click Check Name. Type Administrator (no password) and click OK.
Lesson 5: Configuring Firewalls
259
38. In the Report Publishing dialog box, click Next.
39. In the Send E-Mail Notification dialog box, leave the defaults blank, and click Next. 40. In the Completing The New Report Job Wizard dialog box, click Finish. 41. In the Report Jobs Properties dialog box, select the Daily Report option and click OK. 42. At the top of the Details pane, click the Apply button. 43. In the Saving Configuration Changes dialog box, click OK. In this task, you successfully configured ISA Server 2006 reporting options. You examined a snapshot report and created a scheduled reporting job. ISA Server reports are very comprehensive and can give you an accurate picture of what is taking place on your ISA Server firewall.
ISA Server 2006 Logging While alerts give you real-time notification of ISA Server events, logging allows you to view events in an historical fashion. This can help you analyze the traffic patterns on your network for such purposes as: policy formulation, intrusion attempt analysis, network usage analysis, and as an aid in troubleshooting ISA Server.
260
Tactical Perimeter Defense
Figure 5-21: ISA Server 2006 logging features. ISA Server divides logging into two logs: the Web Proxy logs, which record ISA Server traffic handled by Web Proxy Filter; and the Firewall service logs, which record ISA Server traffic handled by the Microsoft Firewall service. ISA Server features a variety of log storage options that enable you to the track traffic that has been handled by ISA Server. The default ISA Server 2006 logging location is to a local MSDE database on the ISA Server. This database file for the logs can be found in the C:\Program Files\Microsoft ISA Server\ISALogs folder and will be named ISALOG_yyyymmdd_xxx_nnn. Where: • yyyy = year •
mm = month
•
dd = date
•
xxx = Log file type (ISA or WEB)
•
nnn = order number for sequencing daily logs
Using a database for logging instead of logging to a text file gives ISA Server powerful reporting capabilities for the log information. ISA Server can redirect the log file storage location to either a SQL database or to text files. The ability to use a single SQL database server for multiple ISA servers allows you to centralize the management, auditing, and backup of the ISA logs. And of course, if you need the log files to be stored in a .txt file format for any reason, that option is available. If you choose to store the ISA Server logs on a centralized SQL server, you need to ensure that ISA Server and the SQL Server have reliable high-speed Internet connections between them. This precludes ISA from logging to SQL over a slow WAN link. Microsoft recommends that you have a minimum of 100 mbps connection speed between ISA and SQL. It is also worth noting that by default access rules are configured to report packets for that match that specific rule. If you don’t want logging to record actions for a specific access rule in your firewall policy, then you must disable this option on the Actions tab of the rule property sheet.
Lesson 5: Configuring Firewalls
261
Figure 5-22: ISA Server 2006 Rule logging options are enabled by default.
TASK 5B-18 Configuring Logging Options Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this task, you will examine ISA Server 2003 logging options.
262
Tactical Perimeter Defense
1.
In ISA Server, expand the Console Tree pane and select the Monitoring container.
2.
On the Details pane, select the Logging tab.
3.
On the Tasks tab, click the Edit Filter link.
4.
In the Edit Filter dialog box, under the Filter By column, select the Action filter and then click the Remove button.
5.
In the Edit Filter dialog box, from the Filter By drop-down list, select Protocol.
6.
In the Edit Filter dialog box, from the Condition drop-down list, select Contains.
7.
In the Edit Filter dialog click, from the Value drop-down list, select NetBIOS Name Service and then click the Add To List button.
8.
In the Edit Filter dialog box, click the Start Query button.
9.
Notice that the Details pane now reports Fetching Results.
10. Open a command prompt and arrange your desktop where you can see the results section of the Details pane while typing in the command prompt. 11. In the command prompt, type NET VIEW and then press Enter.
Lesson 5: Configuring Firewalls
263
12. Wait until logging events show in the Details pane and then close the command prompt.
13. In the Task pane, click the Stop Query link. 14. In the Task pane, click the Configure Firewall Logging link. 15. The Log tab of the Firewall Logging Properties dialog box is where you would change what log file format ISA Server uses. Examine the available properties and then click the Fields tab. 16. Examine the list of available logging fields that are available in ISA Server 2006. 17. Scroll down in the Fields tab and check the Network Interface check box. Then, click OK. 18. At the top of the Details pane, click the Apply button. 19. In the Saving Configuration Changes dialog box, click OK. 20. In the Task pane, click the Configure Web Proxy Logging link. 21. The Log tab of the Web Proxy Logging Properties dialog is where you would change what log file format ISA Server uses. Examine the available properties and then click the Fields tab. 22. Examine the list of available logging fields that are available in ISA Server 2006. 23. Scroll down in the Fields tab and check the Service check box, and then click OK. 24. At the top of the Details pane, click the Apply button. 264
Tactical Perimeter Defense
25. In the Saving Configuration Changes dialog box, click OK. 26. Close the ISA Server 2006 Management console. You have now successfully used ISA logging to review real-time events and also configured both the Firewall logging and Web Proxy logging to log additional events. One useful tip to keep in mind is that if you are using database format as your logging method, you can use Access or other front-end tools to create custom queries and reports from the ISA Server log databases.
Additional Configuration Options for ISA Server 2006 ISA Server 2006 contains many more configuration options than can be covered in the scope of this course. There are a few options, however, that are worth taking your time here to discover and examine. The three options we are going to discuss are: • Securing the ISA Server OS with the Security Configuration Wizard •
ISA Server Packet Prioritization
•
Uninstalling ISA Server 2006
ISA Server 2006 runs on top of the Windows Server 2003 operating system. In order for ISA Server to be secure, the underlying OS must also be secured. Windows Server 2003 Service Pack 1 included an attack surface reduction tool called the Security Configuration Wizard. The Security Configuration Wizard allows you to select a role for the server OS and then secure it based on the template you choose. It does this by determining the minimum functionality required in the OS, and then disables functions that are not required. The default templates included with the Security Configuration Wizard do not contain a configuration for ISA Server 2006; however, you can download an update package from the Microsoft TechNet website that will update the Security Configuration Wizard with templates for ISA Server 2006. This can greatly simplify the process of securing the underlying OS for ISA Server. In order to use the Security Configuration Wizard (or update it), you must first install it from the Add/Remove Windows Components control panel applet. Even if you have already secured the OS before installing ISA Server, the Security Configuration Wizard can ensure that you have not overlooked anything. Also, running a scan against the ISA Server OS using MBSA (Microsoft Baseline Security Analyzer) or other vulnerability scanning tool will help ensure that ISA Server is as solid as you can make it.
Lesson 5: Configuring Firewalls
265
TASK 5B-19 Securing ISA Server 2006 with the Security Configuration Wizard Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. You must also have access to the Windows Server 2003 source installation files and the ISA Server 2006 Security Configuration Wizard update package (IsaScwHlpPack.EXE). 1.
Choose Start→Control Panel→Add Remove Programs.
2.
Click the Add/Remove Windows Components button.
3.
In the Add/Remove Windows Components dialog box, scroll down and check the Security Configuration Wizard check box and then click Next.
4.
If required, enter the path to the Windows Server 2003 source files.
5.
Click Finish and then close the Add Remove Programs control panel applet.
6.
Double-click the IsaScwHlpPack.exe located in C:\Tools\Lesson5.
7.
In the ISA Server Security Configuration Wizard Update dialog box, click Yes.
8.
In the ISA Server Security Configuration Wizard Update dialog box, type C:\Update for the path and then click OK.
9.
To create the C:\Update folder, Click Yes, and then click OK in the success dialog box.
10. Choose Start→Administrative Tools→Security Configuration Wizard. 11. In the Security Configuration Wizard dialog box, click Next. 12. Select the Create A New Security Policy radio button and click Next. 13. In the Select Sever dialog box, verify the name of your server and then click Next. 14. In the Processing Security Configuration Database dialog box, click Next. 15. In the Role-Based Service Collection dialog box, click Next. 16. In the Select Server Roles dialog box, de-select all options except Microsoft Internet Security and Acceleration Server 2004 and click Next. (ISA 2004 and ISA 2006 have the same OS requirements so the same template works for both.) 17. In the Select Client Features dialog box, de-select all options except Automatic Update Client and click Next.
266
Tactical Perimeter Defense
18. In the Select Administration And Other Options dialog box, accept the defaults and click Next. 19. In the Select Additional Services dialog box, accept the defaults and click Next. 20. In the Handling Unspecified Services dialog box, select the Disable The Service option and click Next. 21. In the Confirm Service Changes dialog box, scroll through and review the changes that will be made and then click Next. 22. In the Network Security dialog box, ensure that the Skip This Section option is selected and then click Next. (ISA will handle our firewall requirements. We don’t want to create conflicts with the built in Windows Firewall.) 23. In the Registry Settings dialog box, leave the Skip option unselected and then click Next. 24. In the Require SMB Security Signatures dialog box, check both option boxes and then click Next. 25. In the Outbound Authentication Methods dialog box, select the Local Accounts On The Remote Computers option and then click Next. 26. In the Outbound Authentication Methods dialog box, select the Clocks That Are Synchronized With The Selected Server’s Clock option and then click Next. 27. In the Inbound Authentication Methods dialog box, accept the defaults and then click Next. 28. In the Registry Settings Summary dialog box, review the changes and then click Next. 29. In the Audit Policy dialog box, ensure that the Skip option is not selected and then click Next. 30. In the System Audit Policy section, select the Audit Successful And Unsuccessful Activities radio button and then click Next. 31. In the Audit Policy Summary dialog box, read the summary and then click Next. 32. In the Save Security Policy dialog box, click Next. 33. In the Security Policy File Name dialog box, append \ISAConfiguration to the path and then click Next. 34. In the Apply Security Policy dialog box, select the Apply Now option and then click Next. 35. In the Completing The Security Configuration Wizard dialog box, click the Finish button.
Lesson 5: Configuring Firewalls
267
You have successfully used the Security Configuration Wizard to configure the optimum security configuration settings for the Windows Server 2003 operating system that ISA Server 2006 is running on top of. This wizard only makes configuration changes. It does not apply security patches or updates. You must also make sure your OS is kept up-to-date with the latest patches.
Packet Prioritization Not all traffic that passes through your ISA Server 2006 firewall will have the same importance. This can be a real issue for an organization with limited outbound bandwidth. For example, a brokerage firm branch office might need to access up to the second information offered up over by a web service at the main office. This data would be considered high priority in making fast decisions when watching trading prices or other important financial data. Ensuring that requests to this web service get high priority would be beneficial to the brokerage firm. ISA Server 2006 provides packet prioritization for limited bandwidth scenarios by implementing the Differentiated Services (DiffServ) protocol. The DiffServ protocol provides a framework that enables deployment of scalable service discrimination over the Internet. DiffServ uses a marker in the IP header of each packet to assign it a priority level. It is important to note that this is a global setting and not assigned to a specific rule. ISA Server packet prioritization is a policy setting for HTTP traffic. It will apply to all HTTP traffic that traversing your ISA Server. The DiffServ web filter, built into ISA Server, will scan packets containing a specific set of URLs or for domain names and assign those packets a priority. The DiffServ filter has a high priority in ISA Server because it must be aware of the size of both the request and the response. To gain this awareness, DiffServ must inspect the HTTP packets at the point where ISA Server sends or receives the traffic. ISA Server can only add DiffServ bits to HTTP or HTTPS traffic. It does not flag any other protocols with a priority level nor does Microsoft guarantee that ISA Server will transmit DiffServ bits on any other protocol it receives. For packet prioritization to work, the routers in the traffic transit path must support the QoS (Quality of Service) functionality. Once you enable DiffServ on ISA Server, you can then configure the URLs and/or domains you want to prioritize.
TASK 5B-20 Configuring Packet Prioritization Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.
268
Tactical Perimeter Defense
1.
Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.
2.
Expand the Console Tree pane, expand Configuration, and select the General container.
3.
In the Details pane, under Global HTTP Policy Settings, select the Specify DiffServ Preferences.
4.
In the HTTP DiffServ dialog box, select the Enable Network Traffic Prioritization According To DiffServ (Quality Of Service) Bits option.
5.
Click the Priorities tab and then click Add.
6.
In the Add Priority dialog box, in the Priority Name field, type Branch Office Priority and then in the DiffServ Bits field, type 010100 and click OK. (The DiffServ bits value would correspond to the value set on your routers.)
7.
Click the URLs tab and then click Add.
8.
On the Add URL Priority tab, in the URL field, type brokeragehouse. securitycertified.net
9.
On the Add URL Priority tab, from the Priority drop-down list, select Branch Office Priority and then click OK.
10. In the HTTP DiffServ dialog box, click the Network tab, select the External network, and then click OK. 11. In the dialog box warning you that DiffServ is currently disabled, click Yes. 12. At the top of the Details pane, click Apply. 13. In the Saving Configuration Changes dialog box, click OK. 14. Close the ISA Server 2006 Management console. The ISA Server 2006 DiffServ filter is now enabled and configured to prioritize HTTP packets sent to the URL http://brokeragehouse.securitycertified.net.
Uninstalling ISA Server 2006 Like most Microsoft programs, ISA Server 2006 is relatively easy to uninstall. The methodology for uninstalling is similar to most programs and is accomplished through the Add/Remove Programs control panel applet. One thing to keep in mind is that in addition to removing ISA Server 2006, you may also need to change the security configuration of the underlying OS before you can use the Lesson 5: Configuring Firewalls
269
server for a different purpose. However, as you discovered in an earlier exercise, the Security Configuration Wizard makes this process relatively painless. Just roll back the configuration that you used for ISA Server and apply the template that is appropriate for the servers new role on your network.
TASK 5B-21 Uninstalling ISA Server 2006 Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. 1.
Choose Start→All Programs→Control Panel→Add Or Remove Programs.
2.
In the Currently Installed Programs list, select Microsoft ISA Server 2006 and then click Change/Remove.
3.
When the Microsoft ISA Server 2006 - Installation Wizard dialog box appears, click Next.
4.
In the Program Maintenance window, select the Remove radio button and then click Next.
5.
In the Generated Files Removal dialog box, accept the defaults, and click Next.
6.
In the Remove The Program dialog box, click Remove.
7.
In the Installation Wizard Completed dialog box, click the Finish button.
8.
Close the Add Or Remove Programs control panel applet.
9.
Choose Start→Administrative Tools→Security Configuration Wizard.
10. In the Welcome To The Security Configuration Wizard, click Next. 11. In the Configuration Action dialog box, select the Rollback The Last Applied Security Policy option and then click Next. 12. In the Select Server dialog box, verify your server name and then click Next. 13. In the Rollback Security Configuration dialog box, click Next. (If you wish, you may view the rollback file before clicking Next.) 14. In the Completing The Security Configuration Wizard dialog box, click Finish. 15. You have successfully removed ISA Server 2006 and the security configurations from your server. 16. Choose Start→Control Panel, right-click Network Connections, and choose Open.
270
Tactical Perimeter Defense
17. Right-click each of the loopback adapters and choose Disable. 18. Close the Network Connections window. 19. If you would like to confirm that these connections are disabled attempt to ping them in a command prompt. You should not receive a response. 20. Close all open windows.
Topic 5C IPTables Concepts One of the primary benefits touted for the Open Source model of Linux is its ability to adapt and change as people come up with bright ideas. This ability has allowed for security features to be created and modified as industry requirements and Internet threats evolve. Linux has the capacity to behave as a router, a NAT server, and a packet-filtering device. All these features are built into the core operating system.
Firewalling in Linux Elementary firewalling via an application called ipfwadm was included in earlier kernel versions. With the development of kernel version 2.2, the firewall was built with IPChains. From kernel version 2.4 and up, IPChains is replaced with IPTables. One of the big differences between IPChains and IPTables is that the latter can be configured to be a stateful packet filter. At its very essence, the way that IPTables works is extremely simple. The headers within a packet are examined against a known set of rules (also referred to as a chain), in sequence. If the packet matches a certain rule, a decision is made for that packet based on what is specified (also referred to as the target). If a match is not found, then the packet is examined against the next rule in the sequence. This continues until all the rules are exhausted. At this point, IPTables looks to the default policy in order to make a decision. As a packet-filtering firewall, IPTables checks its rules on packets as they enter or leave an interface. Because IPTables is part of the kernel, the processing of the packets is very fast. IPTables’ ability to perform NAT is referred to as masquerading.
Lesson 5: Configuring Firewalls
271
Essentially, there are three sets of tables that are part of IPTables: Filter, NAT, and Mangle. Throughout this topic, you will mostly discuss the Filter aspect of IPTables. NAT tables are used when IP addresses need to be substituted. This typically happens when you want to hide internal hosts from the Internet. Mangle tables are used when certain fields in the headers need to be changed, such as the TTL or TOS fields. To be able to use IPTables, the kernel must be compiled to include support for firewalling. In this course, the version of Linux used is SUSE Enterprise Server 10, which includes IPTables. If you are using a different Linux distribution, you will need to verify if IPTables has been installed. If it has not, you will have to install it.
Depending upon the table chosen, you can manipulate certain built-in chains. For example, built into the Filter table are three rule sets (chains) that cannot be deleted: Input, Forward, and Output. If you’re dealing with the NAT table, you will have to deal with the Prerouting and Postrouting built-in chains. If a packet is directed to the firewall, as it enters the computer via an interface, the Input chain is used to determine the fate of the packet. If a packet originates at the firewall, the Output chain will be checked. When the packet requires routing to another location, the Forward chain will be used. If the packet reaches the end of one of the chains and there has been no match, whatever default policy exists is used. These default policies exist only on the default chains, and the options are typically Accept and Drop. You set the default policy for the built-in chains to one of the above, and in the absence of any other rule, the action stated by the default policy is carried out. If a match is found in a rule for a packet, then the appropriate action is carried out. The action to be taken when a match is found is also referred to as target. The target could be Accept or Drop—or even another chain altogether. Apart from the built-in chains, a firewall administrator can create user-defined chains. You identify such chains with a name. Unlike the built-in chains, userdefined chains do not have a default policy. If a packet reaches the end of a userdefined chain without any decision made about it, then the packet will return to the chain that was examining it previously, and start on the next rule in that chain.
Process of the Packet As far as the network interfaces on a firewall are concerned, all packets are either inbound or outbound. Typically, a majority of packets received by an interface in a firewall are passed on to another interface to be sent onward. At such a time, the firewall has to decide how the packet is going to be passed on to the other interface. Packets might be simply routed from one interface to the other (forwarded), or certain information in the packet headers might have to be stripped, replaced with new information, and then sent onward, as with NAT (masquerade/ de-masquerade). The following set of figures (the circle represents a Linux box with three interfaces) show the basic movement of packets through a system running IPTables. First, let’s look at inbound flow, in the following figure.
272
Tactical Perimeter Defense
Figure 5-23: A packet’s inbound flow.
Figure 5-24: A packet’s outbound flow.
Lesson 5: Configuring Firewalls
273
Finally, let’s look at routing and NAT flow. The following shows packets being routing, or forwarded.
Figure 5-25: A packet’s routing (forwarding) or NAT (masquerading/de-masquerading) flow.
Figure 5-26: The multiple decisions that have to be made about a packet by a firewall.
274
Tactical Perimeter Defense
When a packet first enters an interface, the system verifies the checksum value. If the checksum is correct, the packet moves to the Sanity check. The Sanity check is a feature that checks for incorrectly formed packets. After the Sanity check, the packet is moved to the Input chain. It will go through the chain, and if there is a match at any point, it follows the instructions set forth for that rule. If there is no match, then the default policy applies. If the packet’s destination is the firewall itself, then the Input chain is the only chain processed. If the packet is destined for another host, the routing processes take over. This is to determine if the packet is to be forwarded to another machine or to a different local process. A local process would be one that can send and receive packets. The routing process looks to the Forward chain. The packet moves down the rules in the Forward chain, and the system checks for matches. If there is a match, the matching rule specifies where the packet should go. If the packet does not match, then the default policy of the Forward chain takes effect. The Output chain consists of rules that examine packets generated by the firewall.
The Flow of the Chains Upon entering an interface, a packet destined for the firewall is processed by the Input chain. The packet is passed down the list, one rule at a time, until a match has been found. When there is a match, the packet follows the rule assigned to the target. The target specifies what will become of the packet, as far as that rule is concerned. For example, the target might state that the packet can be accepted, dropped, or it could be a user-defined chain. A rule in one user-defined chain can specify another user-defined chain as the target.
Please note that the method of checking packets against the built-in chains in IPTables is very different from the method employed by IPChains.
Figure 5-27: The Input chain accepting a packet at the third rule. The target names are straightforward—Accept and Drop. A couple of extensions to the target are also available—Log and Reject. A small clarification is needed on the difference between Drop and Reject. As with Microsoft’s ISA Server, the end result (as far as the packet is concerned) is that the packet does not get through. However, by default, when TCP/IP is communicating, there is two-way Lesson 5: Configuring Firewalls
275
communication. When the target is set to Drop and a matching packet is found, that packet is silently dropped. When this happens, technically the function of TCP has been broken. The TCP standard states that if a connection cannot be established, an ICMP message is to be returned to the host; this is useful for troubleshooting purposes. Due to this, the second option of Reject is included. When the target is set at Reject and a matching packet is found, the packet is still dropped, but an ICMP message is sent to the host, closing the communication. The choice is yours to make. Reject might be the nice way to drop a packet, but from a security standpoint, Drop provides less information. Each rule must be created with a target, and because rules are numbered and sequential, it is critical that the correct order be maintained. You do not want an error in the rule order to mistakenly block a subnet or grant access where it should not be granted. If the default rules do not provide the level of control that is required, administrators can create their own chains and apply detailed rules to them.
Figure 5-28: The Input chain finds a match and targets the packet to a user chain. Configuring chains can quickly become an involved task. For example, the Input chain receives a packet and finds a match on the fourth rule, sending the packet to a user chain. That same packet then goes through the user chain, where there might be a match sending it to a different chain, or even back to the Input chain. Remember, if a packet does not match any of the rules in a user-defined chain, it is sent back to the previous chain, where it picks up at the rule that sent it to the user-defined chain in the first place—see the following figure.
276
Tactical Perimeter Defense
Figure 5-29: A packet being examined by first the Input chain, then a user-defined chain, and going back to the Input chain. It is possible for an administrator to write rules that will cause the process of packet examination to loop. If this happens, the packet will be dropped.
Configuration Options This section covers the configuration options most often used in day-to-day environments running IPTables. Not all of the options available in IPTables are covered here. For a more detailed study of IPTables, you should look around at the various sources of information available to you. To start with, the man pages for IPTables are quite extensive and worth reading. For detailed syntax issues that are not covered here, issuing the man iptables command is a good place to start. If you do not have a Linux box handy, go to www.iptables.org or www.netfilter.org and read or download articles dealing with setting up a Linux box as a firewall by using IPTables. There are configuration options for creating, viewing, and managing chains. The first command switch is in uppercase. There are command switches for managing the individual rules as well, and these also use uppercase. Within the rules, various operations are defined by using lowercase.
The iptables Command The basic syntax of the command is: iptables command_switch parameters [options]
The following figure shows an example of an IPTables command.
Figure 5-30: Sample command syntax for IPTables. Lesson 5: Configuring Firewalls
277
Cisco gurus will quickly latch on to the syntax similarities between IPTables and Cisco Access Control Lists. Basically, you’re dealing with some conditions, and if those conditions are met, then this rule says, “Accept the packet.” The following figure shows several examples of usage syntax.
Figure 5-31: Examples of usage syntax for IPTables.
Chain Management The following table lists some of the command switches for managing the chains. (Italicized words are variables.)
Figure 5-32: Chain management command switches.
278
Tactical Perimeter Defense
Figure 5-33: Available options for IPTables.
Rule Management The basic structure for the rule commands is the same as for the chain commands, as shown in the following table.
Figure 5-34: Example rule commands. The previous command switches are used in managing the rules, and they are in uppercase. The following table lists commands for creating the actual rules themselves.
Rule Creation The previous command switches are used in managing the rules, and they are in uppercase. The following table lists commands for creating the actual rules themselves.
Lesson 5: Configuring Firewalls
279
Figure 5-35: Rule creation commands.
Figure 5-36: Configuration options for rules in IPTables.
Other Options In the rule sets, port numbers are configured as two values, source port, or sport, and destination port, or dport. For example, if you want a rule to govern source ports 2100 through 2200, inclusive, you can use the syntax --sport 2100:2200. Notice that two hyphens are used. Similarly, if you want a rule to address destination port 31337, you can use the syntax --dport 31337. Another very useful and important rule configuration tool is the bang (!) entry. This value, with spaces on either side, negates whatever follows it. Think of a rule as being divided into a number of fields that more or less correspond to the headers in a packet. Now, imagine that each of these fields can have certain specifications. Sometimes you might want to negate what’s specified (anything but this). This is where the ! comes in. The ! negates the values specified in that field. For example, the syntax to specify any host other than 172.16.23.44 is ! 172.16.23.44. While discussing IP addresses in IPTables, the ability to specify any IP address is included as well. To do so, you can use 0/0. When choosing to block ping packets, more specifically ICMP packets, be careful that you are blocking what you mean to block. Because the ICMP protocol is used for many different parts of communication, it is important that you are aware of what could happen if you blocked all ICMP traffic—host unreachable 280
Tactical Perimeter Defense
messages would not come through, source-quench messages would not come through, time-exceeded messages would not come through, and so forth. You need to specify that part of ICMP you want to work with, just as you specify ports for TCP. The syntax is to use is icmp-type typename, where typename is one of the following: •
Destination-unreachable
•
Source-quench
•
Time-exceeded
•
Parameter-problem
•
Echo-request
•
Echo-reply
There are several other switches that can be used; again, check the man pages for a comprehensive list. One more that is worth mentioning is the -l option. This option turns on kernel logging of the packets that match the rule. It is possible to create a rule and use the logging feature, but have no target for the packet. This is done for tracking purposes, such as to track the number of packets that are for a particular service on a given host. To save your IPTables configuration, use the command iptables-save filename to save the current configuration to the defined file. To restore this configuration, use the command iptables-restore filename.
Rule Examples So that the syntax can make a bit more sense, we will look at some rule examples in their syntax form, and discuss the result of each rule. By the time you reach the end of this section, you should have a solid grasp of the IPTables syntax.
Modifying a Default Chain A simple start to working with the syntax is to modify the behavior of a default chain. As you remember, there are only three default chains: Input, Output, and Forward. In this example, we will modify the setting of the default Input chain to change the default setting to Drop. This is a common modification of the chain, and is a requirement for a secure system. You do not want to keep the default of Accept on the Input chain. The syntax to accomplish this is: iptables -P INPUT DROP
For this chain: • -P sets the default policy of a specified chain. •
INPUT is the chain that is getting modified.
•
DROP is the target.
Therefore, the default policy of the Input chain is now set to Drop all packets. If this is the only configuration of the Input chain, then all packets trying to reach the firewall will be dropped! You must create rules where the targets are other than Drop if you want communications to take place at all.
Lesson 5: Configuring Firewalls
281
The end result of this modification is that when a packet reaches the end of the Input chain, it will be discarded. Because the default setting of Accept can present a security risk, changing the setting to Drop is a good idea from a security perspective.
Creating a Chain If you need to create a new chain, the syntax is: iptables -N chainname
For this chain: •
-N indicates that this is a new chain.
•
chainname is the name of the new chain.
Deleting a Chain To delete a chain, use the syntax: iptables -X chainname
For this chain: • -X indicates that you want to delete a chain command. •
chainname is the name of the chain that you want to delete.
A chain cannot have any rules in it prior to deletion. If rules exist, you can use the Flush command.
Flushing a Chain If you need to delete a chain, and there are still rules in the chain, you can first flush the chain. Because flushing removes all rules from a chain, be careful that you do not perform something unexpected. Plan carefully when deleting chains, particularly on a production machine. To flush a chain, use the syntax: iptables -F chainname
For this chain: • -F indicates that you want to flush all rules. •
chainname is the name of the chain that you want to flush.
Checking for Connections If you want to be sure that inbound packets are not trying to establish connections, you can check the SYN flag. This flag alone would only be set on the initial part transmission of the three-way handshake. Checking for this flag is a good way to keep inbound connections from passing through the rule sets, while leaving the same port open for return communication. To check for connections, use the syntax: iptables -A chainname -p TCP -s 10.0.10.10 --syn -j DROP
282
Tactical Perimeter Defense
For this chain: •
-A indicates that you want to append a rule to a chain.
•
chainname is the name of the chain that you want to add the new rule to.
•
-p indicates that you want to check a protocol.
•
TCP defines the protocol that you want to check.
•
-s indicates that you want to check a source address.
•
10.0.10.10 is the source IP address that you want to check.
•
--syn indicates that you want to check the SYN flag.
•
-j indicates that you want to define a target for matches.
•
DROP defines the target.
The meaning of this rule is A packet coming from 10.0.10.10 that is trying to initiate a connection is to be dropped.
Negating Values Here is an example of syntax that negates a value: iptables -A OUTPUT -p TCP -d ! 172.16.35.40 --dport 80 -j ACCEPT
For this chain: • -A OUTPUT specifies that you want to append a rule to the OUTPUT chain. •
-p TCP indicates that you want to check the TCP protocol.
•
-d 172.16.35.40 specifies the destination that you want to check. However, because there is a ! before the destination, the rule is stating any destination other than the specified address.
•
--dport 80 indicates that you want to check for WWW packets.
•
-j ACCEPT defines the target as Accept.
In essence, this rule states that all TCP packets can get to the WWW service on any computer—except for 172.16.35.40. The final example of negating that we will look at also introduces the lo option, which is used to define the loopback adapter. Here is the command: iptables -A INPUT -i ! lo -j DROP
For this chain: • -A INPUT indicates that you want to modify the default INPUT chain by appending a rule. •
-i indicates that you want to check an incoming interface, and lo defines the incoming interface that you want to check. The ! negates the definition.
•
-j DROP defines the target as Drop.
In essence, this rule state that all incoming traffic will be denied—except for traffic on the loopback interface.
Lesson 5: Configuring Firewalls
283
Defining a Target To define a target, use the following syntax: iptables -A INPUT -s 10.0.10.100 -j DROP
For this chain: •
-A INPUT indicates that you want to modify the default INPUT chain by appending a rule.
•
-s 10.0.10.100 defines the IP address to match.
•
-j DROP defines the target as Drop.
The meaning of this rule is: All packets that are from the address 10.0.10.100 are to be denied. Here is another example of defining a target that also includes a port number: iptables -A INPUT -p TCP -d 0/0 --dport 12345 -j DROP
The meaning of this rule is: All packets that are destined for any IP address and to port 12345 are to be denied.
Complex Rules The different parts of the rules discussed herein can be combined to create overall rules as needed. Here are some examples of more complex rules: iptables -A OUTPUT -p TCP -s 10.0.10.0/24 -d 0/0 --dport 80 -j ACCEPT
This rule for the OUTPUT chain states that any TCP traffic from the 10.0.10.0 network and destined for any IP address on port 80 is to be accepted: iptables -A INPUT -p TCP -s 0.0.0.0/0 -d 10.0.10.0/24 --dport 31337 -j DROP
This rule for the INPUT chain states that any TCP traffic from any IP address destined for the 10.0.10.0 network on port 31337 is to be denied: iptables -A INPUT -p TCP -s 0.0.0.0/0 -d 10.0.10.0/24 --dport 5000:10000 -j DROP
Similar to the previous command, the only syntax difference here is in the port numbers defined. In this rule, all ports from 5000 to 10000 are to be denied.
Configuring Masquerading Linux does have the ability to perform IP Masquerading, which is a form of NAT. It is not difficult to implement, and the syntax is: iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
284
Tactical Perimeter Defense
For this command: •
-t nat indicates that you want to configure the NAT table.
•
-A POSTROUTING indicates that you want to append a rule after routing decisions are made.
•
-o ppp0 indicates the outgoing interface that should be used; in this case, the PPP dialup link.
•
-j MASQUERADE defines the target; in this case, that the source IP address in the IP header should be masked by the IP address of ppp0.
Case Study This section involves review of a case study of IPTables in a working environment. In this example, there is a single computer running as the firewall with two Ethernet interfaces. The Ethernet 0 Interface (172.168.25.40) goes to the Internet, and the Ethernet 1 Interface goes to the internal network. A diagram of the network is shown in the following figure.
Figure 5-37: An example network for firewall implementation. First, we need to define the overall goals of the firewall. This should be done during the creation of the security policy, and specifically during the creation of the firewall policy.
Lesson 5: Configuring Firewalls
285
Firewall Goals The intended goals of this firewall are:
Note, this is for you to manage a simple network resource, in your production environment; you would likely not allow ICMP through the firewall.
•
We have decided to allow ICMP pings (echo requests and echo replies) through the firewall.
•
We will allow our external clients access to the email server.
•
Internal clients cannot use email servers on the Internet.
•
We will allow external clients to reach our web server.
•
We will block attempts to spoof internal addresses.
Configuration First, we will configure the default policies to deny all traffic: iptables -P INPUT -j DROP iptables -P OUTPUT -j DROP iptables -P FORWARD -j DROP
Next, we will configure user-defined chains. This is done to make the chains easier to work with. For these user-defined chains, us is internal, and them is external: iptables -N us-them iptables -N them-us
Next, we will create the jumps for the different networks: iptables -A INPUT -s 10.0.20.0/24 -d ! 10.0.20.0/24 -j us-them iptables -A INPUT -s ! 10.0.20.0/24 -d 10.0.20.0/24 -j them-us
In the first line, if the source is us and the destination is not us (that is, them), then the target is the user chain us-them. In the second line, if the source is not us (them), and the destination is us, then the target is the user chain them-us. Next, we will configure the internal (us) to external (them) chain. We start by defining the general rules: • Allow internal machines WWW access to the outside. •
Allow internal machines to be able to ping hosts on the outside.
•
Disallow all other outgoing traffic.
Once we know our general rules, we can configure the chain: iptables -A us-them -p TCP -d 0/0 --dport 80 -j ACCEPT iptables -A us-them -p ICMP -d 0/0 -j ACCEPT
Next, we will configure the external (them) to internal (us) chain. Again, we will define the general rules first: • Allow hosts on the outside WWW access to the Web server. •
Allow hosts on the outside to access the email server.
•
Allow ping.
•
Block internal address spoofing.
•
Disallow all other incoming traffic.
Once we know our general rules, we can configure the chain:
286
Tactical Perimeter Defense
iptables iptables iptables iptables iptables
-A -A -A -A -A
them-us them-us them-us them-us them-us
-p -p -p -p -s
TCP -d 10.0.20.22 --dport 25 -j ACCEPT TCP -d 10.0.20.22 --dport 110 -j ACCEPT TCP -d 10.0.20.21 --dport 80 -j ACCEPT ICMP -d 10.0.20.0/24 -j ACCEPT 10.0.20.0/24 -j DROP
Case Study Summary After reviewing this case study, you should be able to identify the steps of creating a basic firewall by using IPTables. To summarize: 1.
The overall goals and policies of the firewall were identified.
2.
The default policies were changed to be very restrictive.
3.
New chains were created for ease of management.
4.
The INPUT policy was configured to jump to the new user chains.
5.
The user-defined chains were configured to conform to the determined settings.
6.
The chains were verified with the -L switch.
This study was designed to be a simple example of one possibility to implementation. Other options that could be added include: • Adding full anti-spoofing, thus blocking any packet from outside that has an address of inside. •
Opening ports for return communication on the high ports.
•
Adding checks for the SYN option.
•
Defining IP Masquerading.
As you can see, there are always options in firewall design. Chances are good that while the end result may be the same, no two people will configure the firewall in the exact same fashion every time. Rules may be in different orders, for example (as long as they filter properly, of course). Or, perhaps someone is filtering everything on the INPUT chain and not making smaller chains. The flexibility is yours to use as you see fit.
Lesson 5: Configuring Firewalls
287
TASK 5C-1 Working with Chain Management Objective: To review a sample chain, and determine the effect it will have on traffic. Setup: The following is an example chain. Review it and identify what has been implemented. Using the space provided, diagram this network and answer the questions that follow. 1.
Examine the following chain: INPUT DROP FORWARD ACCEPT OUTPUT ACCEPT iptables -A INPUT 23:23 -j ACCEPT iptables -A INPUT 80:80 -j ACCEPT iptables -A INPUT iptables -A INPUT iptables -A INPUT iptables -A INPUT iptables -A INPUT 23:23 -j DROP -y
288
Tactical Perimeter Defense
-p 6 -s 0.0.0.0/0 -d 192.20.0.1/32 --dport -p 6 -s 0.0.0.0/0 -d 10.168.0.3/32 --dport -s -s -s -s -p
10.168.0.0/24 -d 0/0 -i eth0 -j DROP 127.0.0.0/8 -d 0/0 -i eth0 -j DROP 127.0.0.0/8 -d 0/0 -i eth1 -j DROP ! 10.168.0.0/24 -d 0/0 -i eth1 -j DROP 6 -s 0/0 -d 192.20.0.1/32 ! --dport
iptables -A INPUT -p 1024:65535 -j ACCEPT iptables -A INPUT -p 1024:65535 -j ACCEPT iptables -A INPUT -p 1024:65535 -j ACCEPT iptables -A INPUT -p 1024:65535 -j ACCEPT iptables -A INPUT -p iptables -A INPUT -s ACCEPT
2.
6 -s 0/0 -d 192.20.0.1/32 --dport ! -y 17 -s 0/0 -d 192.20.0.1/32 --dport ! -y 6 -s 0/0 -d 10.168.0.0/24 --dport 17 -s 0/0 -d 10.168.0.0/24 --dport 1 -s 0/0 -d 0/0 -j ACCEPT 10.168.0.0/24 -d ! 192.20.0.1/32 -j
Diagram the network here or on another sheet. Assume the Class C address 192.20.0.1 is an external address.
What effect does this set of rules have on the network? Telnet and web traffıc are allowed to defined hosts. Anti-IP-spoofing rules are in place. High-level ports are allowed for the return of web traffıc. What services, if any, are running on the internal network? At least web and Telnet services. What are the internal clients allowed to access externally? Web and Telnet services. Is IP spoofing prevention in place? Yes. If an internal client ran a server, would external clients be able to access it? Why or why not? They could not, since the ports required to be outgoing for a server are not open.
Lesson 5: Configuring Firewalls
289
Topic 5D Implementing Firewall Technologies In the previous topics, you were introduced to the concepts and configuration of FireWall-1, ISA Server 2006, and IPTables. In this topic, you will put that knowledge to use.
Scenario The following conceptualization will be used for configuring the firewall for this scenario. Review the network diagram and the required rules, and then proceed.
Figure 5-38: The conceptual network. In this activity, you will be creating the configuration first for the internal firewall and then for the external firewall.
Firewall Rules The following figure represents the policies that have been decided upon for the internal firewall.
Figure 5-39: Internal firewall rules. The following figure represents the policies that have been decided upon for the external firewall.
290
Tactical Perimeter Defense
Figure 5-40: External firewall rules.
Configuring the Internal Firewall The IP addresses that will be used for this are listed in the following table. Use IP
Address
Subnet Mask
Internal Subnet Security Host Internal Web Server Internal Firewall int Internal Firewall int DMZ Email Server DMZ Web Server External Firewall int 3 External Firewall int 4
172.16.10.0 172.16.10.10 172.16.100.100 1 172.16.100.1 2 192.168.10.1 192.168.10.100 192.168.10.101 192.168.10.2 10.10.10.10
255.255.255.0 255.255.255.0 255.255.0.0 255.255.0.0 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0 255.255.0.0
First of all, you need to plan the chains and rules that you will use. Decide if you will create new chains, or use the default chains. Record, on paper, the chains and/or rule sets, and determine if they are correct before you begin implementation. You should always plan the whole process first. Here are some general steps to guide you in this first activity. 1. Decide if you will modify the default policies, and write down what you would modify them to. 2.
Decide if you want to create new rules/chains for management, and write them down.
3.
In Linux, if you created new chains, define the jumps to these chains.
4.
Define the general goals of the firewall.
5.
Write down the rules you will configure.
6.
Describe how you will verify that the rules and chains are correct.
Once you have your plan written down, it is time for configuration. Using the above steps as your general guidelines, go ahead and configure the firewall to meet the goals you outlined. Remember, there may be several ways to accomplish the overall goals, so no one way is to be considered correct over another. If the goals are met efficiently, then the rules and chains are correct for that scenario.
Lesson 5: Configuring Firewalls
291
Suggested Solutions The following are suggested solutions to the scenario for IPTables. Feel free to compare your results to the suggested results. Again, even though they may be different, as long as the goals are met, the rules and chains are a success. Configure the default policies to be more restrictive, by using the DROP target: iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP
Create new chains to make configuration easier: iptables -N in-dmz iptables -N dmz-in iptables -N net-in
Configure the jumps to the new chains: iptables -A INPUT -s 172.16.0.0/16 -d ! 172.16.0.0/16 -j in-dmz iptables -A INPUT -s 192.168.10.0/24 -d 172.16.0.0/16 -j dmz-in iptables -A INPUT -s 0/0 -d 172.16.10.0/0 -j net-in
Define the overall goals. In this scenario, you are dealing with the packets that are moving between the internal network to the DMZ, the DMZ to the internal network, and the Internet to the internal network. Identify what traffic is allowed in different directions. From the guidelines given, we can identify the following: • The internal network can access the WWW server on the DMZ and the Internet. •
The DMZ and Internet cannot access WWW on the internal network.
•
The internal network can access the email server on the DMZ, but not on the Internet.
•
The DMZ and Internet cannot access email on the internal network.
•
The Security Host can Telnet to the DMZ and the Internet.
•
The DMZ and Internet cannot telnet to the internal network.
•
The defined internal subnet can FTP to the DMZ and the Internet.
•
The DMZ and Internet cannot FTP to the internal network.
•
Ping is allowed in both directions.
•
Configure the rules.
Based on the guidelines, the following configuration is one suggestion for solving this scenario. Configure one chain at a time: iptables -A in-dmz -p TCP -d 192.168.10.101 --dport www -j ACCEPT iptables -A in-dmz -p TCP -d 192.168.10.100 --dport smtp -j ACCEPT iptables -A in-dmz -p TCP -d 192.168.10.100 --dport pop3 -j ACCEPT iptables -A in-dmz -p TCP -s 172.16.10.10/32 -d 0/0 --dport telnet -j ACCEPT iptables -A in-dmz -p TCP -s 172.16.10.0/24 -d 192.168.10.0/24 --dport 20:21 -j ACCEPT iptables -A in-dmz -p TCP -d 0/0 --dport www -j ACCEPT iptables -A in-dmz -p ICMP -d 0/0 -j ACCEPT iptables -A in-dmz -p 6 -d 0/0 --dport 1024:65535 ! --syn -j
292
Tactical Perimeter Defense
ACCEPT iptables iptables iptables --syn -j iptables ACCEPT iptables iptables --syn -j iptables ACCEPT
-A in-dmz -A dmz-in -A dmz-in ACCEPT -A dmz-in
-p 17 -d 0/0 --dport 1024:65535 -j ACCEPT -p ICMP -d 172.16.0.0/16 -j ACCEPT -p TCP -d 172.16.0.0/16 --dport 1024:65535 ! -p UDP -d 172.16.0.0/16 --dport 1024:65535 -j
-A net-in -p 1 -d 172.16.0.0/16 -j ACCEPT -A net-in -p 6 -d 172.16.0.0/16 --dport 1024:65535 ! ACCEPT -A net-in -p 17 -d 172.16.0.0/16 --dport 1024:65535 -j
As was stated before, this isn’t only one possible solution. Compare the solutions you came up with to this one and to the others in the class. Discuss with each other the different points in each solution.
Configuring the External Firewall After you have configured your firewall to simulate the first scenario, you are ready to move on to the second scenario. The premise is the same, and the network layout is the same. The only difference is that this time you are configuring the rules on the external firewall. Before we can proceed to configure the rules, we need to remove the chains that are currently in place. Again, there are different ways to accomplish this, but here is a suggestion: 1. Flush all rules from all the chains you have created, by using the iptables–F chainname command. 2.
Delete the chains after the rules have been flushed, by using the iptables–X chainname command.
3.
Modify the default policies back to Accept, so that the system is back to the state it was when you began this topic (as if no rules or modifications have taken place at all). Use the iptables –P chain ACCEPT command.
The IP addresses that will be used for this are listed in the following table. Use
IP Address
Subnet Mask
Internal Subnet Security Host Internal Web Server Internal Firewall int 1 Internal Firewall int 2 DMZ Email Server DMZ Web Server External Firewall int 3 External Firewall int 4
172.16.10.0 172.16.10.10 172.16.100.100 172.16.100.1 192.168.10.1 192.168.10.100 192.168.10.101 192.168.10.2 10.10.10.10
255.255.255.0 255.255.255.0 255.255.0.0 255.255.0.0 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0 255.255.0.0
Lesson 5: Configuring Firewalls
293
First of all, you need to plan the chains and rules that you will use. Decide if you will create new chains, or use the default chains. Record, on paper, the chains and/or rule sets, and determine if they are correct before you begin implementation. You should always plan the whole process first. Here are some general steps to guide you in this first activity: •
Decide if you will modify the default policies, and write down what you would modify them to.
•
Decide if you want to create new rules/chains for management, and write them down.
•
In Linux, if you created new chains, define the jumps to these chains.
•
Define the general goals of the firewall.
•
Write down the rules you will configure.
•
Describe how you will verify that the rules and chains are correct.
Once you have your plan written down, it is time for configuration. Using the above steps as your general guidelines, go ahead and configure the firewall to meet the goals you outlined. Remember, there may be several ways to accomplish the overall goals, so no one way is to be considered correct over another. If the goals are met efficiently, then the rules and chains are correct for that scenario.
Suggested Solutions The following are suggested solutions to the scenario for IPTables. Feel free to compare your results to the suggested results. Again, even though they may be different, as long as the goals are met, the rules and chains are a success. Configure the default policies to be more restrictive, by using the DROP target: iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP
Create new chains to make configuration easier: iptables iptables iptables iptables
-N -N -N -N
in-net dmz-net net-dmz net-in
Configure the jumps to the new chains, and configure IP spoofing rules: iptables iptables iptables iptables iptables dmz-net iptables iptables
-A -A -A -A -A
INPUT INPUT INPUT INPUT INPUT
-s -s -s -s -s
172.16.0.0/16 -d 0/0 -i eth1 -j DROP 192.168.0.0/16 -d 0/0 -i eth1 -j DROP 127.0.0.0/8 -d 0/0 -i eth1 -j DROP 172.16.0.0/16 -d ! 172.16.0.0/16 -j in-net 192.168.10.0/24 -d ! 192.168.10.0/24 -j
-A INPUT -s 0/0 -d 192.168.10.0/24 -j net-dmz -A INPUT -s 0/0 -d 172.16.0.0/16 -j net-in
Define the overall goals. In this scenario, you are dealing with the packets that are moving between the Internet, the internal network, and the DMZ. Identify what traffic is allowed in different directions.
294
Tactical Perimeter Defense
From the guidelines given, we can identify the following: •
The internal network can access the WWW service on the Internet.
•
The internal network cannot access email on the Internet.
•
The internal subnet can access FTP on the Internet.
•
The Security Host can access Telnet on the Internet.
•
The internal network can ping the Internet.
•
The DMZ can ping the Internet.
•
The Internet can access the WWW server on the DMZ.
•
The Internet can access the email server on the DMZ.
•
The Internet cannot ping the DMZ.
•
The Internet cannot ping the internal network.
•
Configure the rules.
Based on the above guidelines, the following configuration is one suggestion for solving this scenario. Configure one chain at a time: iptables -A in-net -p TCP -d 0/0 --dport www -j ACCEPT iptables -A in-net -p TCP -s 172.16.10.0/24 -d 0/0 --dport 20:21 -j ACCEPT iptables -A in-net -p TCP -s 172.16.10.10/32 -d 0/0 --dport telnet -j ACCEPT iptables -A in-net -p ICMP -d 0/0 -j ACCEPT iptables -A in-net -p TCP -d 0/0 --dport 1024:65535 ! --syn -j ACCEPT iptables -A in-net -p UDP -d 0/0 --dport 1024:65565 -j ACCEPT iptables -A dmz-net -p ICMP -d 0/0 -j ACCEPT iptables -A dmz-net -p TCP -d 0/0 --dport 1024:65535 ! --syn -j ACCEPT iptables -A dmz-net -p UDP -d 0/0 --dport 1024:65565 -j ACCEPT iptables -A net-dmz -p TCP -d 192.168.10.100 --dport pop3 -j ACCEPT
As was stated before, this isn’t the only possible solution. Compare the solutions you came up with to this one and to the others in the class. Discuss with each other the different points in each solution.
Summary In this lesson, you worked with standard firewall implementation practices. You learned that vendors implement their firewall products slightly differently from each other, but that they do follow some standard implementation practices in most situations. You worked with two industry leaders in firewall systems: Microsoft’s ISA Server 2006, and Linux’s embedded firewall, IPTables.
Lesson 5: Configuring Firewalls
295
Lesson Review 5A What is a network firewall? A firewall can be described as a security mechanism that places limitation controls on all inbound and outbound network communications between individual systems or entire networks of systems by permitting, denying, or acting as a proxy for all data connections. What is a firewall’s primary responsibility? Controlling access requests across differing “zones of trust.” Name six basic building blocks or “elements” of firewall access rules. Source Address, Destination Address, Protocol, Source Port, Destination Port, and Service. What layers of the OSI model do firewalls operate on? Data Link, Network, Transport, Session and Application Layers (2, 3, 4, and 7). What does it mean when a firewall is stateful? The firewall keeps track of the state of all “accepted” connections in a data table that resides in memory. This enables the firewall to determine if an incoming packet is either a new connection or is part of an existing established connection. What are the three common firewall topologies? Perimeter topology, three-legged DMZ topology, and chained DMZ topology.
5B True or False? You need to have the install partition formatted to NTFS when installing ISA Server 2006 on a Windows 2003 Server. True Is ISA Server Firewall available in a firewall appliance? Yes! There are a wide range of manufacturers that offer ISA-based appliances. What are the three panes in the ISA Server 2006 Management console? Console Tree, Details, and Task panes. List some things that can be a trigger for an ISA alert. Responses might include Event Log Failure, Intrusion Detected, IP Spoofing, and Oversize UDP Packet. How do you back up or restore the configuration of ISA Server 2006? By exporting or importing the configuration to an XML file.
296
Tactical Perimeter Defense
What is difference between an access rule and a publishing rule in ISA Server 2006? Access rules control outbound communication, while publishing rules control inbound communication. What are the features in ISA Server 2006 that can help manage bandwidth consumption? Forward and reverse caching and packet prioritization.
5C What is the difference between the DROP target and the REJECT target? Dropping the connection complies with TCP/IP rules of communication—an ICMP message is sent back to the packet’s origin. Rejecting the connection simply drops a packet and does not inform the sender. What must be done before a chain can be deleted? You must flush the rules. What is the switch for deleting a rule? -D deletes a rule (-F flushes and -X deletes a chain).
5D What is the function of --dport 1024:65535 ! -syn in the exercises? Destination port should be in the range 1024-65535, but without the SYN flag set. Why is the filtering of ping done in two lines, first disallowing echorequests, and then allowing ICMP? Because there are many uses for ICMP other than ping, such as Timed Out and Host Unreachable messages, closing all ICMP would cause problems. Why is it a good idea to configure the default policies first? Because those configurations are instant, no one can sneak through the firewall while the policies are being created.
Lesson 5: Configuring Firewalls
297
298
Tactical Perimeter Defense
Implementing IPSec and VPNs
LESSON
6 Data Files RFCs
Overview In this lesson, you will be introduced to the concepts of IPSec. You will examine and configure the Microsoft Management Console and identify the predefined IPSec policies in Windows Server 2003. You will create new policies and implement IPSec to specifically use AH, ESP, or both, in Transport Mode. Finally, you will analyze IPSec traffic in Network Monitor.
Lesson Time 3 hours
In this lesson, you will examine Virtual Private Networks (VPNs) and some of the security issues related to them.
Objectives To be able to implement IPSec and Virtual Private Networks, you will: 6A
Define the function of IPSec in a networked environment. Given a running network, you will examine the IPSec structure, cryptography, the Encapsulating Security Payload, the Authentication Header, the Internet Key Exchange, and modes of Implementation.
6B
Examine IPSec policy management. Given a running network, you will examine the IPSec structure, cryptography, the Encapsulating Security Payload, the Authentication Header, the Internet Key Exchange, and modes of implementation.
6C
Implement and examine IPSec AH configurations. Given a Windows 2003 computer, you will implement and analyze IPSec AH sessions.
6D
Implement and examine IPSec AH and ESP configurations. Given a Windows 2003 computer, you will implement and analyze IPSec AH and ESP sessions.
6E
Examine the business drivers and technology components for a VPN. In this topic, you will examine standard business drivers and technology components in order to successfully implement a VPN solution.
6F
Examine the concepts of IPSec and other tunneling protocols. In this topic, you will investigate the components of IPSec, how IPSec works and identify other VPN tunneling protocols, such as Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). Lesson 6: Implementing IPSec and VPNs
299
6G
Analyze secure VPN design and implementation issues. In this topic, you will take the necessary steps required to analyze secure VPN design objectives and VPN implementation issues.
6H
Examine the issues of VPN and firewall architecture and VPN authentication. In this topic, you will address various VPN and firewall architectures and examine issues related to authentication.
6I
Configure VPN options built into Windows 2003. In this topic, you will perform tasks related to setting up VPN options built into Windows 2003 Server related to VPNs.
300
Tactical Perimeter Defense
Topic 6A Internet Protocol Security The Internet Protocol (IP) by itself has no security. There are no built-in mechanisms to ensure the security of the packets. It has become possible for attackers to create bogus packets, posing as IP addresses that they are not. It has also become possible for attackers to intercept packets as they are transmitted on the Internet, and read into the payload of the packets. Due to the above-mentioned points, there is no way for the security professional to guarantee any of the following: • That a packet is from the source IP address. •
That a packet was not copied or intercepted by a third party during transmission.
•
That a packet holds the original data that was transmitted.
These issues combine to illustrate that security of the packets themselves is required. IPSec, or IP Security (described in detail in RFC 2401), can provide this security. In the simplest definition, IPSec protects IP datagrams. In a more detailed definition, IPSec provides confidentiality, integrity, and authentication. • Confidentiality means there is a system of making the data unreadable by unauthorized individuals. •
Integrity means that there is a guarantee that data is not altered between the sender and the receiver.
•
Authentication means that the receiver is guaranteed that the sender is not an imposter.
The way that IPSec is able to provide this protection is by specifying how the network traffic is going to be protected, and to whom the traffic will be sent. The way the traffic is going to be protected will be through an IPSec protocol such as the Authentication Header (AH) or the Encapsulating Security Payload (ESP). The operation of IPSec is completely transparent to the end-user. This is due to the fact that IPSec functions just above the Network layer (the IPSec protocols AH and ESP have their own IP protocol IDs), so they are well under the Application layer. Providing this automatic protection is significant in the choice of whether or not to implement IPSec. The end result is that network traffic is encrypted on one end and decrypted on the other, without the upper-layer applications at either end worrying about the complexities of the encryption/decryption processes.
Lesson 6: Implementing IPSec and VPNs
301
Cryptography and Keys
cryptography: The art of science concerning the principles, means, and methods for rendering plaintext unintelligible and for converting encrypted messages into intelligible form.
plaintext: Unencrypted data.
key: A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt.
IPSec is able to provide protection by encrypting and decrypting data. Although a detailed discussion of cryptography is beyond the scope of this book, the very basics are required. (A detailed discussion and hands-on study of cryptography and encryption techniques will be undertaken in Level 2 of the SCP.) Any file before encryption is typically referred to as plaintext. Once that file is encrypted, using a mathematical algorithm, it is referred to as ciphertext. In order to decrypt this file (or message), you must have a key that can reverse the encryption. You can think of an encryption algorithm as a lock and the key as the lock’s combination. If a document is locked, you need a key to unlock it. Often in cryptography, one key is used to lock (encrypt) the document, and the same key or a different key is used to unlock (decrypt) the document, depending upon the methodology chosen. If a different key is used, the two keys are linked to each other via the algorithm and the associated mathematical functions. IPSec requires that users have a method of exchanging (sometimes called negotiating) their keys. •
One method is called manual distribution. In the simplest definition, this literally means each user manually giving every other user his or her key. Manual distribution will more likely be done with what is called a KDC, or Key Distribution Center.
•
The second method is automatic distribution. With automatic distribution, the concept is that keys are exchanged only when needed. The default IPSec implementation of automatic key distribution is called Internet Key Exchange (IKE). You can also implement an automated version of the KDC, such as Kerberos implementation.
Modes IPSec has the ability to protect either the complete IP packet or just the upperlayer protocols. The distinction between the two creates two different modes of implementation. • One mode is called Transport Mode. In this implementation, IPSec is protecting upper-layer protocols. •
The other mode is called Tunnel Mode. In this implementation, IPSec protects the entire (tunneled) IP payload.
When Transport Mode is used, the IPSec headers (AH and/or ESP) are inserted between the IP header and the TCP header. When Tunnel Mode is used, the IPSec header is inserted between the original IP header (now tunneled) and a new IP header. Tunnel Mode is commonly used to create VPNs between networks. Along with specifying a mode, the actual decision on the use of AH and/or ESP (or the other way around) is required. Since there are two modes of implementation, and two protocols that can be selected, there are four possible methods of protection using IPSec. You can use any of the following: • ESP in Transport Mode
302
Tactical Perimeter Defense
•
ESP in Tunnel Mode
•
AH in Transport Mode
•
AH in Tunnel Mode
Over and above that, ESP offers message integrity (authentication) and confidentiality (encryption). AH offers only message integrity. Tunnel Mode ESP encryption encrypts all of the tunneled data (that is, tunneled IP header and everything within), while Transport Mode ESP does not—and cannot—encrypt the IP header. Thus the IPSec implementation that offers the maximum protection is ESP in Tunnel Mode.
ESP in Transport Mode In Transport Mode, ESP encrypts and authenticates application data, such as email, web pages, and so forth; however, it does not protect the IP addresses. If a packet is captured and analyzed by an attacker, although the data is encrypted, the sender and receiver IP address information is freely available. Both hosts who are in communication must have IPSec installed and configured to prevent this from occurring.
authenticate: To establish the validity of a claimed user or object.
ESP in Tunnel Mode In Tunnel Mode, ESP encrypts and authenticates application data, just as in Transport Mode. In this situation, the ultimate source and destination IP addresses are also encrypted because they are encapsulated (tunneled). The reason for this is that IPSec is implemented on the tunnel endpoints, and not required on the hosts themselves. If this packet is captured and analyzed by an attacker, the attacker will be able to determine only that a packet was sent. None of the contents, including the original source and destination, can be found freely. Of course, the external IP headers (that of the tunnel endpoints) can be read.
AH in Transport Mode AH provides authentication of application data. AH does not provide encryption services like ESP, only authentication services (as the name indicates). In Transport Mode, there is similarity to ESP, though, in that both end users must have IPSec installed and configured.
AH in Tunnel Mode In Tunnel Mode, AH authenticates application data from one endpoint to another, often network gateways or firewalls. There is no encryption provided, only authentication. If ESP authentication is turned on, then AH is rarely implemented in Tunnel Mode.
IPSec Implementation As you identified in the previous section, there are various modes of implementing IPSec. One of the primary questions to answer is: Where are the endpoints in your network going to be? Are the endpoints the actual hosts? Or, are the endpoints the firewalls? If true end-to-end security is required between two hosts, then implementing IPSec on each host is the way to go. However, scaling that up to all the hosts in the network can become difficult to implement and manage. Imagine that you and your coworkers all pass open notes to each other in your organization. In order to prevent a third user from seeing the note sent between any two users, you build an infrastructure of opaque PVC pipes between each coworker in your organization. If there are a total of five workers, you have to
firewall: A system or combination of systems that enforces a boundary between two or more networks. A gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based UNIX box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.
Lesson 6: Implementing IPSec and VPNs
303
have an infrastructure of [5 x (5–1)]/2—or 10 pipes. In this office, each person holds four pipes. Now, increase the number of workers to 100. You will need an infrastructure of [100 x (100–1)]/2—or 4950 pipes, and each person holds 99 pipes. Lots of secure links to pass things back and forth through, but not that efficient overall. This is what happens when you implement IPSec in Transport Mode—you basically create many virtual secure pipes between each host and the rest of the hosts. If host-to-host implementation is chosen, the likely solution will be to use the IPSec function of the OS, such as Windows 2000. If this is the case, IPSec functions normally, at the Network layer, performing its function and moving on. Sometimes though, IPSec may be implemented underneath an existing implementation of the IP protocol stack, between the native IP and the local network drivers (see RFC 2401). In such a scenario, this is referred to as a “Bump in the Stack” implementation. Yet another option for IPSec implementation is to use a dedicated piece of hardware. This equipment would attach to an interface, or a router, and perform the specific encryption functions externally of other components. This is called a “Bump in the Wire” implementation. This offers excellent performance in regards to the processing of encryption and decryption. It is not suitable for all implementations, however, as adding a physical dedicated piece of equipment to links may not be a budgetary option for an organization.
TASK 6A-1 Describing the Need for IPSec 1.
Why is IPSec becoming a requirement in networks that need secure communication? There is no security in the standard IP that is used today. IP can be captured, analyzed, and more with no prevention. IPSec allows for the security of the actual packets themselves, without relying on Application-level encryption.
Topic 6B IPSec Policy Management Implementing and managing IPSec policies in Windows is accomplished by using the Microsoft Management Console. In this topic, you will use the MMC to perform the many tasks of IPSec implementation.
The MMC Microsoft introduced the Microsoft Management Console (MMC) in Windows NT. The MMC is a highly configurable tool used to manage and configure system and application settings.
304
Tactical Perimeter Defense
In the first task, you will become familiar with the MMC configuration options and create some customized settings. The MMC, as you first use it, will be blank—you select the configuration options. In Figure 6-1, you will see that there are two places to use a drop-down menu. The first is the overall MMC, called Console1 by default. This menu bar has three menus: Console, Window, and Help. The second menu bar contains the commands from the current option, also called a plug-in. The default plug-in is called Console Root. This has three commands: Action, View, and Favorites. In the default plug-in, Console Root, there are two tabs: Tree and Favorites. The Tree tab shows the items that are available in this plug-in. Items can include folders, web pages, other snap-ins, and more. The Favorites tab is used to manage shortcuts to items in the Console Tree. This enables you to create a customized grouping of tools and shortcuts that you frequently use to manage aspects of your system. The Tree and Favorites tabs are located in what is called the Left Pane of the snap-in. This is where the options are expanded, selected, and possibly added to Favorites. On the right side of the dividing line is what is called the Right Pane. In the Right Pane, you will find the details of any object that is selected in the Left Pane.
Figure 6-1: The blank MMC console.
TASK 6B-1 Examining the MMC Setup: You are logged on to Windows 2003 Server as Administrator. 1.
Choose Start→Run.
2.
In the Run box, type mmc to start the Microsoft Management Console.
3.
Choose File→Add/Remove Snap-In.
Lesson 6: Implementing IPSec and VPNs
305
4.
On the Standalone tab, click Add.
5.
Scroll down, select IP Security Policy Management, and click Add.
6.
If necessary, select Local Computer, and click Finish.
7.
Click Close to close the Add Standalone Snap-in dialog box.
8.
Click OK, and leave the MMC open for the next task.
IPSec Policies
security policies: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
These policies are also available in Windows XP.
In Windows 2003, there are predefined IPSec security policies. These policies allow for implementation of IPSec with minimal effort on the part of the administrator. As an administrator, you must identify the needs for IPSec in your environment, then enable the proper policy to meet those needs. The three predefined policies are: • Client (Respond Only): The policy of Client (Respond Only) is used for normal communication, which is not secured. What this means is that any Windows 2003 machine (Professional or Server) with this policy enabled will have the ability to communicate using IPSec if required or requested. Such a machine will not enforce IPSec when initiating communications with any other machine. •
Secure Server (Require Security): The policy of Secure Server (Require Security) is used when all IP network traffic is secured. What this means is that any Windows 2003 machine (Professional or Server) with this policy enabled will always enforce secure communications using IPSec. It will never fall back to unsecured communications.
•
Server (Request Security): The policy of Server (Request Security) is used when IP network traffic is to be secured, and to allow unsecured communication with clients that do not respond to the request. What this means is that any Windows 2003 machine (Professional or Server) with this policy enabled will first look to enforce communications using IPSec. If the other machine cannot use IPSec, the first machine will fall back to unsecured communications.
TASK 6B-2 Identifying Default IPSec Security Policies Setup: You are logged on to Windows 2003 Server as Administrator, the MMC is running, and the IP Security Policy Management snap-in has been added. 1.
306
Tactical Perimeter Defense
In the left pane, select IP Security Policies On Local Machine. Three policies are shown in the right pane.
2.
Examine the three policies to see if any are currently assigned.
By default, they are not assigned. 3.
Leave the MMC open for the next task.
Saving the Customized MMC Configuration Since you have configured the MMC just as you wish, you should save this configuration so that it is easy to bring back up. Although you can go through the steps of adding the snap-in as you did earlier, to do so each time is cumbersome, and is not required.
TASK 6B-3 Saving a Customized MMC Setup: You are logged on to Windows 2003 Server as Administrator, the MMC is running, and the IP Security Policy Management snap-in has been added. 1.
Choose File→Exit.
2.
When you are asked if you wish to save the console settings, click Yes.
3.
Save the file to the desktop as ipsec.mmc.msc
4.
Verify the new addition by double-clicking the new ipsec.mmc.msc file on the desktop. Your saved MMC opens just as you had customized it to do so.
The Secure Server (Require Security) Policy In the following sections, you will examine the settings of each of the three predefined policies. The most secure policy, Secure Server (Require Security), is the policy that states that all communication must be secured, with no exceptions.
The General Tab As the name implies, the General tab provides general information and configuration options for the Secure Server (Require Security) policy.
Lesson 6: Implementing IPSec and VPNs
307
Figure 6-2 shows the settings for Key Exchange. Keys are used as part of the different forms of encryption that can be implemented in the IPSec policy. IKE stands for Internet Key Exchange, and deals with the method of exchanging the cryptographic key(s). SHA1 and MD5 are both algorithms that are used to verify the integrity of a message. 3DES and DES are the actual encryption algorithms that can be used, and finally, Diffie-Hellman Group will dictate the overall strength of the encryption.
Figure 6-2: The Key Exchange Security Methods dialog box. These settings work together to determine the integrity, confidentiality, and strength of the secured communication. • Integrity is determined by the SHA1 or MD5 algorithm.
DES: (Data Encryption Standard) Definition 1: An unclassified crypto algorithm adopted by the National Bureau of Standards for public use. Definition 2: A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.
308
Tactical Perimeter Defense
•
Confidentiality is determined by the 3DES or DES algorithm.
•
Strength is determined by the Diffie-Hellman Group, which can be either 96-bit (the low setting) or 128-bit (the high setting) key lengths.
TASK 6B-4 Examining Security Methods Setup: You are logged on to Windows 2003 Server as Administrator, and the ipsec.mmc.msc console is open. 1.
In the right pane, right-click Secure Server (Require Security), and choose Properties.
2.
Select the General tab.
3.
Observe that the default value for Check For Policy Changes Every is 180 minutes. Every 3 hours, the machine (if it is a domain member) will check with Windows Active Directory to see if this policy, when assigned, has changed.
4.
Under Perform Key Exchange Using Additional Settings, click Settings.
5.
In the Key Exchange Settings dialog box, click Methods.
6.
Examine the default settings for the security used in Secure Server (Require Security).
7.
Close all windows without changing the properties.
The Rules Tab for the Secure Server (Require Security) Policy The Rules section of an IPSec policy—in this case, the Secure Server (Require Security) policy—contains the actual security sections of the policy pertaining to traffic and actions. The IP Filter List is used to define the types of network traffic that are to be affected by this policy. The predefined rules in a policy can be modified, but cannot be removed. The default rules are for All IP Traffic, All ICMP Traffic, and
. In addition to the IP Filter List is the Filter Action. In other words, what does the system do when a match to the rule is found, such as IP Traffic. There are three actions, which are listed as: • Permit: Allow unsecured IP packets to pass. •
Require Security: Requires secured communication.
•
Default Response: Follow the negotiations as initiated by the other computer. This is especially useful when no other rule applies. In fact, it is the only filter action for the Client (Respond Only) predefined policy.
Lesson 6: Implementing IPSec and VPNs
309
Figure 6-3: The default filter lists and filter actions, as shown on the Require Security Rules tab. In addition to the IP Filter List and the Filter Actions on the Rules tab shown in Figure 6-3, there are other sections that deserve noting. These are the Authentication, Tunnel Setting, and Connection Type options, described in the following section and shown in Figure 6-4. • The Authentication Methods are used to define how a trust will be established between the two communicating hosts. By default, this is the
310
Tactical Perimeter Defense
Kerberos method. The other valid options (in addition to Kerberos) are to use a certificate from a Certificate Authority (CA), or to use a predefined shared key string. •
The Tunnel Setting is used to define if this communication is to use a tunnel, and if so, what the IP address for the end of the tunnel is. The endpoint is the tunnel computer that is closest to the IP traffic destination.
•
The Connection Type is used to define the types of connections to which the rule will apply. For example, the default setting is All Network Connections. The second option is to have the rule apply only to Local Area Network (LAN) traffic, and the third option is to have the rule only apply to Remote Access traffic.
LAN: (Local Area Network) A computer communication system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communication system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, frontend processors, controllers, and servers.
Figure 6-4: The authentication methods, tunnel settings, and connection types, as shown on the Require Security Rules tab.
TASK 6B-5 Examining Policy Rules Setup: You are logged on to Windows 2003 Server as Administrator. 1.
Reopen the ipsec.mmc.msc console.
2.
In the right pane, right-click Secure Server (Require Security), and choose Properties.
3.
If necessary, select the Rules tab.
Lesson 6: Implementing IPSec and VPNs
311
4.
Examine the default settings for IP Filter List, Filter Action, Authentication Methods, Tunnel Setting, and Connection Type.
5.
Select the All IP Traffic rule, and click the Edit button.
6.
Observe the configuration options that can be adjusted in this section.
7.
When you are done reviewing the configuration options, click Cancel to close the Secure Server Properties, without making changes.
8.
Close the ipsec.mmc.msc console without saving changes.
Topic 6C IPSec AH Implementation You now have all of the information and tools you need to be able to implement IPSec. Let’s try it out.
About the Tasks For the following tasks, you will work in pairs. The text and activities refer to the two machines as Student_P and Student_Q. Student_P will initiate communication with Student_Q. Student_Q will dictate whether it has an IPSec policy enabled. If so, it then determines if it should request or require Student_P to do the same. On Student_P, at first you will have no IPSec Respond policy activated, but later you will have a Respond policy. You will capture traffic between these two computers using Network Monitor, and perform an analysis on the traffic. You will also use the options for configuring policies. You will use just the AH protocol (authenticity/integrity). Then, you will use just the ESP protocol (confidentiality). Following that, you will use AH with ESP. Also, ESP will be configured to use its integrity algorithm. Finally, because the integrity algorithms can be implemented in two flavors (SHA-1 or MD5) and the encryption algorithms for confidentiality can also be implemented in two flavors (DES or 3DES), you’ll use combinations of these. As a policy maker for a company, you’ll have to make such decisions before you implement IPSec. These are the actual tools you can use in Windows 2003 to implement your policies.
Creating Custom IPSec Policies In the previous topic, you examined the default IPSec policies in Windows 2003. For the remainder of the lesson, you will create and use your own customized IPSec policies. This will enable you to fully create and secure network traffic based on your unique configuration requirements. The following figures can be used as a reference while performing the tasks of this section.
312
Tactical Perimeter Defense
Figure 6-5: Opting not to use the Add Wizard. When you are creating a new policy, you will need to add and configure all the options you previously examined. In these tasks, you will be customizing the policies, one by one, and do not want to use the Add Wizard, because the Add Wizard will walk you through specific predefined steps. At this stage, you want to perform everything manually.
Lesson 6: Implementing IPSec and VPNs
313
Figure 6-6: The Security Methods tab, showing the leftmost part of the Security Method Preference Order. During policy creation, you will be presented with the Security Methods tab. At this stage, you will see five columns presented: Type, AH Integrity, ESP Confidentiality, ESP Integrity, and Key Lifetimes (KB/Sec), but you might need to scroll to see all five.
314
Tactical Perimeter Defense
Figure 6-7: The Security Methods tab, showing the right-most part of the Security Method Preference Order. Security methods are listed in order of preference that this machine will use when attempting to negotiate IP Security when dealing with another machine that responds that it can use IPSec, too. You can add, edit, or remove any of these methods. In this case, since you will have named this policy 1_REQUEST_ AH(md5)_only, you will simplify the list and offer exactly one choice: Request IP Security that relies only on AH Integrity using the MD5 hashing algorithm. Do not worry about key lifetimes at this stage.
TASK 6C-1 Creating the 1_REQUEST_AH(md5)_only Policy Note: Perform this task only if you are designated as Student_Q. 1.
Open the ipsec.mmc.msc console.
2.
In the right pane, right-click and choose Create IP Security Policy, then click Next.
3.
For the IP Security Policy Name, type 1_REQUEST_AH(md5)_only and click Next.
4.
Uncheck Activate The Default Response Rule and click Next.
5.
Uncheck Edit Properties and click Finish. Lesson 6: Implementing IPSec and VPNs
315
6.
Double-click the new policy 1_REQUEST_AH(md5)_only.
7.
On the Rules tab, uncheck Use Add Wizard and click Add.
8.
On the IP Filter List tab, click the radio button for All IP Traffic.
9.
Switch to the Filter Action tab.
10. Click the radio button for Request Security (Optional). 11. Click Edit. 12. Verify that the radio button for Negotiate Security is selected. 13. Read the options presented to you under Security Method Preference Order. 14. Remove all but one Security Method by holding down the Shift key, selecting all but one of the choices, and clicking Remove. You can leave any one of the Security Methods. 15. When prompted with Are You Sure?, click Yes. 16. Select the remaining method, and click Edit. 17. Under Security Method, click the Settings button found under Custom (For Expert Users)—as you’re on your way to becoming an expert on IPSec. 18. Verify that AH is checked and that the integrity algorithm is MD5. 19. If necessary, uncheck ESP. 20. Under Session Key Settings, uncheck both check boxes.
316
Tactical Perimeter Defense
21. Click OK three times to return to the New Rule Properties dialog box. 22. Leave the New Rule Properties open for the next task.
Editing Authentication Method Policies When you are creating this customized policy, you are going to use only AH, and not ESP. So, when you are customizing the settings, be sure to uncheck the ESP options and to check the AH options. You should also clear the check boxes for generating new keys, both for size (Kbytes) and time (seconds).
Figure 6-8: The Authentication Method tab. Notice that three authentication methods are supported: Kerberos, Certificates, and Preshared Keys. You will use the third method, as it is simple to implement, for now. In a production environment, if you have a homogenous Windows 2003 domain implementation, you could leave it at the default Kerberos; in a heterogeneous network, you could choose to set up a CA and distribute IPSec certificates.
Lesson 6: Implementing IPSec and VPNs
317
TASK 6C-2 Editing the 1_REQUEST_AH(md5)_only Policy Note: Perform this task only if you are designated as Student_Q. 1.
Verify that the New Rule Properties are displayed.
2.
Select the Authentication Methods tab.
3.
Click Edit.
4.
Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide text for the preshared key. Click OK to close the Edit Authentication Methods Properties dialog box.
5.
Switch to the Tunnel Setting tab, but leave the settings alone. You will be working in Transport Mode only.
6.
Switch to the Connection Type tab, but leave the settings alone. You will use the default of All Network Connections.
7.
Click Close to close the Rule Properties. Keep the Policy Properties open for the next task.
Setting Up the Computer’s Response You have just configured a policy where Student_Q will request any other computers that attempt to communicate with it to implement AH by using the MD5 algorithm. Let’s assume that this policy is put into effect, and another computer says that it can communicate with Student_Q by using AH, as well. Student_Q should be in a position to respond to this. Therefore, you should now configure the Default Response rule in this policy for Student_Q.
318
Tactical Perimeter Defense
Figure 6-9: Preparing to modify the default response. To modify the rule, you will not use the Add Wizard. Once you click Edit, you will again be presented with the tabs for Security Methods, Authentication Methods, and Connection Types.
Figure 6-10: Editing security methods. Lesson 6: Implementing IPSec and VPNs
319
Under Security Methods, you will again see five columns presented: Type, AH Integrity, ESP Confidentiality, ESP Integrity, and Key Lifetimes (KB/Sec). As before, you can add, edit, or remove any of these methods. In this case, this policy is named 1_REQUEST_AH(md5)_only, but because it will also have to respond to the request it made, you’ll simplify the list and offer exactly one choice: Respond to IP Security that relies only on AH integrity using the MD5 hashing algorithm. As before, you don’t need to worry about the key lifetimes.
TASK 6C-3 Configuring the Policy Response Note: Perform this task only if you are designated as Student_Q. 1.
Verify that the properties for the 1_REQUEST_AH(md5)_only policy are displayed.
2.
On the Rules tab, check Default Response, and click Edit. (The Use Add Wizard check box should remain unchecked.)
3.
Remove all but one Security Method by holding down the Shift key, selecting all but one of the choices, and clicking Remove.
4.
When prompted with Are You Sure?, click Yes.
5.
Select the remaining method, and click Edit.
6.
Under Security Method, click the Settings button found under Custom.
7.
Verify that the box beside AH is checked and that the integrity algorithm is MD5.
8.
Verify that ESP is unchecked.
9.
Under Session Key Settings, verify that the options for generating new keys for both size and time are unchecked.
10. Click OK twice to return to the Edit Rule Properties. 11. Switch to the Authentication Methods tab. 12. Click Edit. 13. Click the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key. 14. Click OK twice to return to the policy properties. 15. Double-click All IP Traffic. 16. Switch to the Connection Type tab and verify that the setting is the default of All Network Connections. 320
Tactical Perimeter Defense
17. Click OK, and then click OK to close. 18. Close the ipsec.mmc.msc console without saving changes.
Configuring AH in Both Directions You have configured a policy where Student_Q will request other computers that attempt to communicate with it to implement AH by using the MD5 algorithm; Student_Q is also in a position to respond by using this algorithm. Now, let’s configure Student_P to follow Student_Q’s lead.
TASK 6C-4 Configuring the Second Computer Note: Perform this task only if you are designated as Student_P. 1.
Open the ipsec.mmc.msc console. In the right pane, right-click and choose Create IP Security Policy. Click Next.
2.
For the IP Security Policy Name, type 1_RESPOND_AH(md5)_only and click Next.
3.
Uncheck Activate The Default Response Rule and click Next.
4.
Uncheck Edit Properties and click Finish.
5.
Double-click the new policy 1_RESPOND_AH(md5)_only.
6.
On the Rules tab, uncheck Use Add Wizard, check Default Response, and click Edit.
7.
Remove all choices but one by holding down the Shift key, selecting all but one of the choices, and clicking Remove.
8.
When prompted with Are You Sure?, click Yes.
9.
Select the remaining method and click Edit.
10. Under Security Method, click the Settings button found under Custom (For Expert Users). 11. Verify that AH is checked and that the integrity algorithm is MD5. 12. Verify that ESP is unchecked. 13. Under Session Key Settings, verify that the boxes for generating new keys for both time and size are unchecked. 14. Click OK twice to return to the Rule Properties. 15. Switch to the Authentication Methods tab.
Lesson 6: Implementing IPSec and VPNs
321
16. Click Edit. 17. Click the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key. 18. Click OK. 19. Click OK twice, and then click Close to finish the creation of the policy. 20. Close the ipsec.mmc.msc console without saving changes.
Configuring FTP Now that IPSec policies are configured on two machines, you need to test the policies to ensure that they work as you intended them to work. To do this, you’ll bring up an FTP site on Student_Q and attempt to access this FTP site from Student_P. You’ll do this with IPSec implemented on one machine and then on the other. You’ll run Network Monitor to capture and record traffic between the two machines. You’ll examine these captures and see where (in the packet) the IPSec headers reside. For greater clarity, we can verify this with the RFCs associated with IPSec, as well.
TASK 6C-5 Setting Up the FTP Process Note: Perform step 1 through step 17 only if you are designated as Student_Q. 1.
Choose Start→Control Panel→Add Or Remove Programs.
2.
Click the Add/Remove Windows Components button.
3.
Click Application Server, and click the Details button.
4.
Check the Internet Information Services (IIS) check box. Note, that when you select this option, COM+ is selected by default.
5.
With IIS selected, click the Details button.
6.
Check the File Transfer Protocol (FTP) Service check box and click OK. Click OK again to return to the Windows Components screen.
7.
Click Next. You may be prompted for your Windows Server 2003 CD-ROM.
8.
Once the installation is complete, click Finish.
9.
Close the Add Or Remove Programs window.
10. Choose Start→Administrative Tools→Internet Information Services Manager.
322
Tactical Perimeter Defense
11. In the left pane expand your Server name. 12. Expand FTP Sites, right-click Default FTP Site, and choose Properties. 13. Click the Home Directory tab and verify the location of the FTP folder. The default location is C:\Inetpub\ftproot. 14. Close the IIS Manager. 15. In Explorer, locate and navigate to the folder designated as the FTP home directory. 16. In this folder, create a text document. Edit this document to input some text and save it as text1.txt 17. Create and save three more similar text documents in the same folder. Use text2.txt, text3.txt, and text4.txt as the file names. Note: Perform step 18 through step 23 only if you are designated as Student_P. 18. Open a command prompt. 19. Enter ftp IP_address_of_Student_Q to ftp to Student_Q’s FTP site. 20. Log on as anonymous with no password. 21. Verify that you can access the text documents created on the Student_Q computer by using the DIR command. 22. Once you have verified that you can access the text documents, quit the ftp session by entering bye at the ftp prompt. 23. Leave this command prompt open.
Implementing the IPSec Policy You have just tested a plain text ftp session. The following tasks will walk you through the process of implementing IPSec, and testing the results in both directions. First, you will prove that you can connect, even though IPSec is implemented on only one of the hosts.
Lesson 6: Implementing IPSec and VPNs
323
TASK 6C-6 Implementing the 1_REQUEST_AH(md5)_only Policy Note: Perform step 1 through step 4 only if you are designated as Student_Q.
You will be using Network Monitor repeatedly throughout this course, so you might want to create a shortcut for it on the Windows desktop.
1.
Open your ipsec.mmc.msc console. Right-click the 1_REQUEST_ AH(md5)_only policy and choose Assign.
2.
Close the ipsec.mmc.msc console. If you are prompted to save changes, click No.
3.
Start Network Monitor, and verify that it is going to collect packets from the interface connected to Student_P.
4.
Start a new capture, and allow Network Monitor to capture packets until Student_P has completed step 5 through step 9.
Note: Perform step 5 through step 9 only if you are designated as Student_P. 5.
At the command prompt, again enter ftp IP_address_of_Student_Q You should be able to successfully ftp to Student_Q after a very brief delay, even though an IPSec policy is assigned on Student_Q.
6.
Log on as anonymous with no password.
7.
Enter dir to see a list of files hosted on the ftp site.
8.
Exit the ftp session.
9.
Leave the command prompt open.
Request-only Session Analysis Why was your attempt successful? What is the reason for the brief delay? This is because the policy is designed to request only—not demand—IPSec. If the remote machine trying to communicate with Student_Q is not IPSec-aware or does not have a policy assigned to do so, then Student_Q will fall back to regular, insecure IP. The brief delay occurred because Student_Q was trying to establish an IPSec communication with Student_P.
324
Tactical Perimeter Defense
TASK 6C-7 Analyzing the Request-only Session Note: Perform this task only if you are designated as Student_Q.
Based on your network traffic, you might have different Frame numbers in your packet captures.
1.
In Network Monitor, stop and view the capture.
2.
Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3). Because the policy on Student_Q says to request IPSec communication, Student_Q begins the negotiation process (in frame 4).
3.
In frame 4, observe that the protocol is ISAKMP (UDP port 500). When it does not hear from Student_P, it tries again approximately a second later. When it does not hear from Student_P again, it falls back to insecure communication, and the three-way handshake proceeds as before (in frames 6, 7, and 8). Once the connection is made, the session is established in clear text, with no IPSec. You are able to see the payload and full headers of all the packets, with no evidence of IPSec.
4.
Close Network Monitor. You can save your capture to a file, if you like.
Implementing a Request-and-Respond Policy In the previous task, you saw that even though you had IPSec enabled in one direction, the policy allowed for unsecured communication. When Student_P responded with no IPSec, Student_Q went ahead and accepted the session, and traffic continued without IPSec. In the next task, you will configure Student_P to respond to Student_Q’s IPSec policy.
For this step, and subsequent steps that deal with the ISAKMP protocol, your classroom configuration might not yield the expected results, due to timing issues as the students complete their assigned steps. You can have them try to restart the computer, and then try redoing the activity.
TASK 6C-8 Configuring a Request-and-Respond IPSec Session Note: Perform step 1 only if you are designated as Student_P. 1.
Open your ipsec.mmc.msc console. Right-click 1_RESPOND_AH(md5)_ only policy, and choose Assign. Close the ipsec.mmc.msc console, without saving changes. Then, wait until Student_Q performs the next step.
Note: Perform step 2 only if you are designated as Student_Q. 2.
Activate Network Monitor, and start a capture.
Note: Perform the rest of this task only if you are designated as Student_P.
Lesson 6: Implementing IPSec and VPNs
325
3.
At the command prompt, again enter ftp IP_address_of_Student_Q You should be able to successfully ftp to Student_Q.
4.
Log on as anonymous with no password.
5.
Enter dir to see a list of files hosted on the ftp site.
6.
Exit the ftp session.
7.
Close the command prompt.
Request-and-Respond Session Analysis In the second attempt at communication, the temporary delay that was visible in the earlier task was not present. This is because the second host was now able to respond to the IPSec request initiated by the ftp server. There was no need to move down the list to a different method of communication, therefore, saving a bit of time. In the following task, you will use Network Monitor to analyze this session, and to see how the IPSec policy was implemented. Some things to look for during this analysis include: • IP identifies AH with a protocol ID of 0x33 (51). •
AH identifies TCP with a Next Header of 0x6 (6).
•
TCP identifies FTP with a destination port of 0x15 (21).
TASK 6C-9 Analyzing the Request-and-Respond Session Based on your network traffic, you might have different Frame numbers in your packet captures.
ARP and ISAKMP may be different on your system.
326
Tactical Perimeter Defense
Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along. 1.
In Network Monitor, stop and view the capture.
2.
Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3).
3.
Observe that, because the policy on Student_Q says to request IPSec communication, Student_Q begins the negotiation process (in frame 4) by using the ISAKMP protocol (UDP port 500).
4.
Observe that, when Student_P agrees to comply with the IPSec request (in frame 5), there is an ISAKMP interplay between the two machines for the next few frames to negotiate and establish the IPSec protocol.
5.
Observe that the actual three-way handshake is now completed in frames 14 and 15. If your network traffic is different, your frame numbers will be different.
6.
Observe that, from frame 16 onward until the session teardown, the AH ensures integrity of communication between the two machines.
7.
Double-click a frame whose protocol is identified by Network Monitor as FTP.
8.
Observe the sequence of protocol identification: Ethernet, then IP, then AH, then TCP, then FTP. As noted earlier: • Ethernet identifies the protocol IP with an Ethertype of 0x800.
9.
•
IP identifies AH with a protocol ID of 0x33 (51).
•
AH identifies TCP with a Next Header of 0x6 (6).
•
TCP identifies FTP with a destination port of 0x15 (21).
Observe that there is no encryption—the AH only signs the packet; it does not encrypt it.
10. In fact, look around frame 33. Near there, you should be able to see the name of the text file in response to the dir (LIST) command. 11. Close Network Monitor. You can save your capture to a file if you like.
Topic 6D Combining AH and ESP in IPSec In the previous topic, you examined the implementation of AH in Windows Server 2003, including viewing packet data in Network Monitor. In older systems, such as Windows 2000, you could create IPSec policies that were ESP only, but these are no longer an option. The ESP implementation in Windows Server 2003 now requires the use of the Authentication Header. In the following section of tasks, you will enable different options in the establishment of IPSec between two computers. You have configured and analyzed IPSec traffic by using AH, and IPSec traffic by using ESP. In this topic, you will configure and analyze network traffic that combines AH and ESP. When you are using both AH and ESP, you are configuring IPSec to its fullest strength.
TASK 6D-1 Creating the 5_REQUEST_AH(md5)+ESP(des) IPSec Policy and the Response Policy Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along. 1.
Open your ipsec.mmc.msc console. In the right pane, unassign the current policy, and then create another IP Security Policy. Click Next.
Lesson 6: Implementing IPSec and VPNs
327
2.
For the IP Security Policy Name, type 5_REQUEST_AH(md5)+ESP(des) and click Next.
3.
Uncheck Activate The Default Response Rule, and click Next.
4.
Uncheck Edit Properties, and click Finish.
5.
Double-click the new policy.
6.
On the Rules tab, verify that Use Add Wizard is unchecked, and click Add.
7.
On the IP Filter List tab, select the All IP Traffic radio button.
8.
Switch to the Filter Action tab.
9.
Select the Request Security (Optional) radio button.
10. Click Edit. 11. Leave the radio button selected for Negotiate Security. 12. Read the options presented to you under Security Method Preference Order. 13. Remove all but one method by holding the Shift key, selecting all but one of the choices, and clicking Remove. Some configurations might have only one option. If so, skip the next step. 14. When prompted with Are You Sure?, click Yes. 15. Select the remaining method, and click Edit. 16. Under Security Method, click the Settings button found under Custom. 17. Verify that AH is checked. 18. Select the integrity algorithm MD5. 19. Verify that ESP is checked. 20. Leave ESP’s integrity algorithm set to . 21. For Encryption Algorithm, select DES. 22. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked. 23. Click OK three times to return to the Rule Properties. 24. Switch to the Authentication Methods tab. 25. Click Edit. 26. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key. 328
Tactical Perimeter Defense
27. Click OK, and then click Close to return to the Policy Properties. 28. On the Rules tab, check Default Response, and click Edit. The Use Add Wizard check box should remain unchecked. 29. Under Security Methods, hold the Shift key, select all but one of the choices, and click Remove. 30. Select the remaining method, and click Edit. 31. Under Security Method, click the Settings button found under Custom. 32. Verify that AH is checked. 33. Select the integrity algorithm MD5. 34. Verify that ESP is checked. 35. Leave ESP’s integrity algorithm set to . 36. For Encryption Algorithm, select DES. 37. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked. 38. Click OK twice to return to the Rule Properties. 39. Switch to the Authentication Methods tab. 40. Click Edit. 41. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key. 42. Click OK three times to close the Policy Properties. 43. Close the console without saving settings.
Configuring the IPSec Response You have configured a policy where Student_Q will request other computers that attempt to communicate with it to implement AH by using the MD5 integrity algorithm and ESP by using the DES encryption algorithm; Student_Q is also in a position to respond by using this algorithm. Let’s configure Student_P to follow Student_Q’s lead.
Lesson 6: Implementing IPSec and VPNs
329
TASK 6D-2 Creating the 5_RESPOND_AH(md5)+ESP(des) IPSec Policy Note: Perform this task only if you are designated as Student_P. Student_Q is advised to follow along. 1.
Open your ipsec.mmc.msc console. In the right pane, create another IP Security Policy. Click Next.
2.
For the IP Security Policy Name, type 5_RESPOND_AH(md5)+ESP(des) and click Next.
3.
Uncheck Activate The Default Response Rule, and click Next.
4.
Uncheck Edit Properties, and click Finish.
5.
Double-click the new policy.
6.
On the Rules tab, verify that Use Add Wizard is unchecked, check Default Response, and click Edit.
7.
Remove all but one security method by holding the Shift key, selecting all but one of the choices, and clicking Remove.
8.
When prompted with Are You Sure?, click Yes.
9.
Select the remaining method, and click Edit.
10. Under Security Method, click the Settings button found under Custom. 11. Verify that AH is checked. 12. Select the integrity algorithm MD5. 13. Verify that ESP is checked. 14. Leave ESP’s integrity algorithm set to . 15. For Encryption Algorithm, select DES. 16. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked. 17. Click OK twice to return to the Rule Properties. 18. Switch to the Authentication Methods tab. 19. Click Edit. 20. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.
330
Tactical Perimeter Defense
21. Click OK three times to close the Policy Properties. 22. Close the console without saving settings.
AH and ESP IPSec Session Analysis You have just gone through the steps of configuring IPSec on both Student_P and Student_Q. In the next task, you will initiate a communication between the two hosts, and analyze the communication in Network Monitor. The initial communication will be an attempt at using FTP. As with the 1_REQUEST_AH(md5)_only policy, this transaction is also successful between Student_P and Student_Q because Student_Q’s policy is designed to request—not demand—IPSec. If a remote machine trying to communicate with Student_Q is not IPSec-aware or does not have a policy assigned to do so, then Student_Q will fall back to regular, insecure IP. The brief delay occurs because Student_Q is trying to establish an IPSec communication with Student_P. Once the connection is made, the second computer will be configured to respond to the first properly. During the session analysis, try to note the differences from the earlier captures— those resulting from the AH_only policy. Here, you are not able to see any of the TCP flags, connection setup, three-way handshake completion, or data transfer—in fact, you will see nothing but encrypted stuff! The protocol is listed simply as ESP. If you check the details within the IP header, IP points to AH—IP protocol ID 51 (0x33) and AH points to ESP—IP protocol ID 50 (0x32). After the IP header is AH/ESP. No one but these two endpoints can decrypt packets destined for them.
TASK 6D-3 Configuring and Analyzing an IPSec Session Using AH and ESP Note: Perform step 1 through step 2 only if you are designated as Student_Q. 1.
Open your ipsec.mmc.msc console. Right-click the 5_REQUEST_ AH(md5)+ESP(des) policy and choose Assign. Close the console.
2.
Start Network Monitor, and start a capture.
As you assign and unassign policies, you might need to issue the command: gpupdate /force to initialize those policies right away.
Note: Perform step 3 through step 8 only if you are designated as Student_P. 3.
At the command prompt, again enter ftp IP_address_of_Student_Q You should be able to successfully ftp to Student_Q after a very brief delay, even though an IPSec policy is assigned on Student_Q.
4.
Log on as anonymous with no password.
5.
Enter dir to see a list of files hosted on the ftp site.
6.
Exit the ftp session. Lesson 6: Implementing IPSec and VPNs
331
7.
Open your ipsec.mmc.msc console. Right-click the 5_RESPOND_ AH(md5)+ESP(des) policy, and choose Assign.
8.
Open a command prompt and enter the following command gpupdate /force (this will ensure that your newly assigned policy will start right away).
Note: Perform step 9 through step 11 only if you are designated as Student_Q. 9.
In Network Monitor, stop and view the capture.
10. Observe the session between the two hosts. Note that encryption is not used and that commands are visible in clear text. 11. Start a new capture (save the previous capture if you like). Note: Perform step 12 through step 15 on Student_P. 12. At the command prompt, again enter ftp IP_address_of_Student_Q You should be able to successfully ftp to Student_Q. 13. Log on as anonymous with no password. 14. Enter dir to see a list of files hosted on the ftp site. 15. Exit the ftp session. Note: Perform step 16 through step 19 only if you are designated as Student_Q. 16. In Network Monitor, stop and view the capture. 17. Search the packets, and try to look for the name of the text file in response to the dir (LIST) command. 18. Observe that AH ensures integrity and ESP ensures confidentiality of communication between the two machines. 19. Close Network Monitor. You can save your capture to a file if you like. Note: Perform the following step only if you are designated as Student_P. 20. Open your ipsec.mmc.msc console, unassign the 5_RESPOND_ AH(md5)+ESP(des) policy, and close the console.
332
Tactical Perimeter Defense
Configuring All the Options Now, let’s step up the requirements for IPSec. Let’s say you were paranoid and wanted to use all the features set to their highest security settings. You will configure an IPSec policy on Student_Q that will use the SHA-1 algorithm to ensure integrity and 3DES to ensure confidentiality. You will then configure Student_Q to demand IPSec of other computers. To do so, you will use a Require policy instead of a Request policy. Finally, on Student_P, you will implement a corresponding Respond policy and establish communications with Student_Q. Someone may bring up the question, “Hey, why would you use the integrity algorithm twice?” At this point, we’ll leave the answer as a smug “Because we can!” Actually, there is a more simplified explanation. Most books on IPSec recommend using AH to ensure the integrity of the entire packet and ESP just for confidentiality of the payload. Most books on IPSec also simply say that ESP “...can also be used for integrity.” Let’s look at this a little more carefully. The AH’s function is to sign the entire packet, including the IP header. However, there are certain fields in the IP header that have to be excluded because they are designed to change. One example of this is when traversing a routed environment, the 8-bit TTL field will decrement by 1 at each hop. The values contained within these fields cannot be signed, as the received value would not match the value at origin. The ESP’s function is to encrypt and/or sign everything but the IP header. In Transport Mode, using ESP’s signing functionality might be considered redundant when AH is around to do the job, especially when AH can sign even the IP headers (mostly). It’s when IPSec is implemented in Tunnel Mode, as with a VPN solution, that ESP’s signing functionality has some meaning over and above that of AH. In Tunnel Mode, there are two IP headers in each packet. The outer IP header is the one used by the tunnel endpoints to communicate with each other. Encapsulated within this as payload data is the IP header, IP protocol, and the actual data of the two hosts communicating end-to-end via the tunnel. Therefore, when the tunnel endpoints use ESP’s integrity algorithm, the internal IP headers are treated as data and will be completely signed. By the way, before you get carried away with IPSec, it is also recommend that you read Bruce Schneier’s excellent critique on IPSec. You can find it at his company’s website, www.counterpane.com.
TASK 6D-4 Implementing the 7_REQUIRE_ AH(sha)+ESP(sha+3des) Policy Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along. 1.
Create another IP Security Policy. Click Next.
Lesson 6: Implementing IPSec and VPNs
333
2.
For the IP Security Policy Name, type 7_REQUIRE_ AH(sha)+ESP(sha+3des) and click Next.
3.
Uncheck Activate The Default Response Rule, and click Next.
4.
Uncheck Edit Properties, and click Finish.
5.
Double-click the new policy.
6.
On the Rules tab, verify that Use Add Wizard is unchecked, and click Add.
7.
On the IP Filter List tab, select the All IP Traffic radio button.
8.
Switch to the Filter Action tab.
9.
Select the Require Security radio button.
10. Click Edit. 11. Leave the radio button selected for Negotiate Security. 12. If necessary, remove all but one security method. 13. Select the remaining method, and click Edit. 14. Under Security Method, click the Settings button found under Custom. 15. Verify that AH is checked. 16. Select the integrity algorithm as SHA1. 17. Verify that ESP is checked. 18. Select ESP’s integrity algorithm as SHA1. 19. For Encryption Algorithm, select 3DES. 20. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked. 21. Click OK three times to return to the Rule Properties. 22. Switch to the Authentication Methods tab. 23. Click Edit. 24. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key. 25. Click OK, click Close, then click OK to exit the Policy Properties.
334
Tactical Perimeter Defense
Configuring the AH-and-ESP IPSec Response Policy In order for the two hosts to communicate, they must have compatible IPSec policies implemented. By now, you are familiar with the procedure, so the following task should be rather straightforward.
TASK 6D-5 Implementing the 7_RESPOND_ AH(sha)+ESP(sha+3des) Policy Note: Perform this task only if you are designated as Student_P. Student_Q is advised to follow along. 1.
Create another IP Security Policy. Click Next.
2.
For the IP Security Policy Name, type 7_RESPOND_ AH(sha)+ESP(sha+3des) and click Next.
3.
Uncheck Activate The Default Response Rule, and click Next.
4.
Uncheck Edit Properties, and click Finish.
5.
Double-click the new policy.
6.
On the Rules tab, verify that Use Add Wizard is unchecked, check Default Response, and click Edit.
7.
Remove all but one security method.
8.
Select the remaining method, and click Edit.
9.
Under Security Method, click the Settings button found under Custom.
10. Verify that AH is checked. 11. Select the integrity algorithm as SHA1. 12. Verify that ESP is checked. 13. Select ESP’s integrity algorithm as SHA1. 14. For Encryption Algorithm, select 3DES. 15. Under Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked. 16. Click OK twice to return to the Rule Properties. 17. Switch to the Authentication Methods tab. 18. Click Edit.
Lesson 6: Implementing IPSec and VPNs
335
19. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key. 20. Click OK twice, and then click Close to exit the Policy Properties. 21. Close the console without saving settings.
Implementing the Full IPSec Session So far, you have configured a policy where Student_Q will require other computers that attempt to communicate with it to implement AH by using the SHA-1 algorithm and ESP by using both the SHA-1 and 3DES algorithms; Student_Q also will respond only by using this algorithm. Now, let’s see what happens when Student_P follows Student_Q’s lead. When you perform the final analysis in Network Monitor, keep the following in mind: If you were to perform a Hex-to-Hex comparison of the two captures, you would see that due to the additional overhead imposed by the 7_REQUIRE_ AH(sha)+ESP(sha+3des) policy over the 6_REQUIRE_AH(md5)+ESP(des) policy, the actual number of bits is greater. In fact, if you had tried to actually transfer large files between the two machines, then the number of frames would have actually been greater.
TASK 6D-6 Implementing and Analyzing an AH(sha) and ESP(sha+3des) IPSec Session Note: Perform step 1 through step 2 only if you are designated as Student_Q. 1.
Open your ipsec.mmc.msc console. Assign the 7_REQUIRE_ AH(sha)+ESP(sha+3des) policy. When you assign this policy, the previously assigned policy is automatically unassigned.
2.
Start Network Monitor, and start a capture.
Note: Perform step 3 through step 7 only if you are designated as Student_P. 3.
Open your ipsec.mmc.msc console. Assign the 7_RESPOND_ AH(sha)+ESP(sha+3des) policy.
4.
At the command prompt, enter ftp IP_address_of_Student_Q You should be able to successfully ftp to Student_Q.
336
Tactical Perimeter Defense
5.
Log on as anonymous with no password.
6.
Enter dir to see a list of files hosted on the ftp site.
7.
Exit the ftp session.
Note: Perform the rest of this task only if you are designated as Student_Q. 8.
In Network Monitor, stop and view the capture.
9.
Observe that once ISAKMP establishes the encryption method, all data is encrypted with ESP.
10. Identify any differences with respect to the negotiation process, encryption, or integrity algorithms. 11. Where does the Packet identify that AH is in use? In the IP Header. What is the Protocol ID assigned to AH? (0x33) Where does the AH information define the use of ESP? In the AH Next Header. What is the Protocol ID assigned to ESP? 50 (0x32) 12. Close Network Monitor. You can save your capture to a file if you like. 13. Unassign all IPSec policies on all machines.
Topic 6E VPN Fundamentals A Virtual Private Network (VPN) provides a private tunnel through a public cloud (such as the Internet). A VPN enables a group of two or more computer systems to communicate over the Internet or any other public network. VPNs can exist between an individual machine and a private network (client-to-server) or a remote LAN (like a branch office) and a private, enterprise network (server-toserver). Secure VPNs make use of tunneling and security protocols to maintain the privacy of data transactions over the Internet. A VPN is virtual, as opposed to a real private network. The idea is to make a private network that provides a secure tunnel for the exchange of data between two or more parties. If this were done over a real private network, the dedicated lines/bandwidth and service would make it cost prohibitive. But when this idea of a secure tunnel is implemented over a public network such as the Internet, the costs as well as the bandwidth are spread among many users, thus creating a Virtual Private Network.
LAN: (Local Area Network) A computer communication system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communication system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, frontend processors, controllers, and servers.
Lesson 6: Implementing IPSec and VPNs
337
VPN Business Drivers VPNs are popular today for a number of reasons, including: •
Mature standards, protocols, and technology.
•
Significant cost savings.
•
Reduction in network complexity, resulting in lower network operation costs.
•
Increased security and encryption capabilities.
The Need for Remote Access Remote access is a business requirement today—required for both communication and interaction. To determine whether or not a VPN is a good answer to your company’s needs for remote connectivity, consider your specific technical requirements, along with the pros and cons of VPN use. Some advantages to using VPNs include: • The ability to securely connect high-speed remote users over broadband technology, including cable modems and DSL lines, that was not possible before the advent of VPNs. VPNs will work with any last-mile technology as long as IP is running over the connection. •
No administrative headaches for managing direct access telephone lines (dedicated leased lines), ISDN, T1, or PRI lines used for data, or for the RAS equipment (modems or other network access servers). Terminating the phone calls creates potential cost savings, especially if many of your remote users are located outside your local calling area.
Some disadvantages include: • Potentially lower bandwidth available to remote users over a VPN connection, as compared to a direct dial-in line. •
Inconsistent remote access performance due to changes in Internet connectivity. To counteract this, you can have your users choose ISPs that have higher levels of service, perhaps the same ISP from which you purchase your corporate Internet connection, to keep the majority of your traffic on the same backbone.
•
No entrance into the network if the Internet connection is broken. Some administrators choose to leave a limited amount of dial-in access for emergency access.
The Need for Extranets Most VPNs can be designed to work as an extranet. But not all extranets are VPNs. Although there are several different meanings attributed to the term, it commonly refers to a type of network that gives outside users—such as customers, clients, and business associates—access to data residing on a corporation’s network. Users access the data through a web browser over the Internet and typically need to enter a user name and password before access to the data is granted. Depending on the level of security needed, a company could choose to use an extranet approach or a customized approach that combines password protection of network servers with third-party authentication systems. A VPN can be used in a similar manner, but a VPN typically has much higher security associated with it. Specifically, a VPN typically requires the establishment of a tunnel into the corporate network and the encryption of data passed between the user’s PC and corporate servers. 338
Tactical Perimeter Defense
VPN Types Even though the number of solutions is steadily increasing, VPNs fall under three main types: •
Hardware-based VPNs, for use in gateway-to-gateway configuration.
•
Firewall-based VPNs.
•
Software-based VPN applications, for use in client-to-client configuration.
Most hardware-based VPN systems are encrypting routers. Dedicated hardware VPN products offer better performance, security, reliability, and scalability than software-based solutions running on conventional servers and operating systems. They offer better performance and are more scalable because they are custombuilt to perform essential tasks, such as encryption and decryption, as quickly as possible, often by having dedicated chips to carry out these functions. Their security is better because they are not vulnerable to weaknesses in an underlying operating system or hard disks that can fail or run out of space. The best hardware VPN packages offer software-only clients for remote installation, and incorporate some of the access control features more traditionally managed by firewalls or other perimeter security devices. However, they may not be as flexible as software-based VPNs. Firewall-based VPNs take advantage of the firewall’s security mechanisms, including controlling access to the internal network. They also perform Network Address Translation (NAT), satisfy requirements for strong authentication, and serve up real-time alarms along with audit logs. Most commercial firewalls also harden the host operating system kernel by stripping out unnecessary services, such as default accounts for guest users that is a clear vulnerability for exploitation, thus providing additional security for the VPN server. Operating system protection is a major plus, since very few VPN application vendors supply guidance on operating system security. Performance may be a concern, especially if the firewall is already configured; however, some firewall vendors offer hardwarebased encryption processors to minimize the impact of VPN management on the system. Software-based VPNs are ideal in situations where both user and destination endpoints of the VPN are not controlled by the same organization, and when different firewalls and routers are implemented within the same organization. At the moment, stand-alone VPNs offer the most flexibility in how network traffic is managed. Many software-based products allow traffic to be tunneled based on IP address or protocol—unlike hardware-based products, which generally tunnel all traffic they handle regardless of protocol. Tunneling specific traffic types is advantageous in situations where remote sites may see a mix of traffic—some that need transport over a VPN to access data or some that do not, as in simple web surfing. In situations where performance requirements are not heavy, softwarebased VPNs may be the best choice. A disadvantage might be that software-based systems are generally harder to manage than encrypting routers. They require familiarity with the host operating system, the application itself, and appropriate security mechanisms must be in place. Also, most software-based VPN packages require changes to routing tables and network addressing schemes. As the VPN market evolves, the distinctions between VPN architectures are becoming less clearly defined. Some hardware vendors have added software clients to their product offerings, and extended their server capabilities to include some of the security features more traditionally offered by software- or firewallLesson 6: Implementing IPSec and VPNs
339
based VPNs. A few stand-alone products have added support for hardware-based encryptors to improve their performance. For all types of VPNs, further implementation of the proposed IP Security Protocol (IPSec) is making interoperability easier with different VPN products by softening the lines of distinction between them.
VPN Elements The critical elements of a VPN connection are described in the following table. Name
Description
VPN server
Accepts connections from VPN clients and can also provide VPN connections between routers. Initiates the VPN connection that ends up at the VPN server. A VPN client can be an end-user system, such as Windows 2000 or Windows XP, or it can be a router that gets a router-to-router connection. A VPN client can be a Point-toPoint Tunneling Protocol (PPTP) client or a Layer 2 Tunneling Protocol (L2TP) client using IPSec. The part of the connection where the data is encapsulated. The part of the connection where the data is encrypted. The data must be both encrypted and encapsulated along the same part of the connection for the connection to be considered a secure VPN connection. The communication standard used to manage the tunnel and encapsulate the data. For example, Windows 2003 supports PPTP and L2TP tunneling protocols. Is sent across the private point-to-point link. The IP internetwork (for example, the Internet) that connects the VPN client with the VPN server.
VPN client
Tunnel VPN connection
Tunneling protocols
Tunneled data Transit network
Each of the different types of VPN configurations can be enabled by using some combination of the following technology components: • Dedicated VPN gateways •
IPSec-enabled routers and firewalls
•
VPN client software
•
IPSec-enabled operating systems, such as Windows 2003
A number of security applications combine VPN and firewall functionality into a single box. This is very useful for branch offices communicating with central office gateways.
340
Tactical Perimeter Defense
Tunneling and Security Protocols Tunneling is a technique where a data packet is transferred inside the frame or packet of another protocol. Therefore, the infrastructure of one network is used to travel to another. A tunnel can be thought of as a session pipe. A VPN client connects to a VPN server through a tunnel using a tunneling protocol. The logical path along which the encapsulated packet is routed is called the tunnel. Tunneling describes the entire process. •
Encapsulation of the data packet at the source.
•
Transmission of the data packet through the tunnel.
•
Un-encapsulation of the data packet at the destination.
In a VPN connection, encrypted data is sent through the tunnel. Both the tunnel client and the tunnel server must use the same tunneling protocols. The major tunneling protocols for VPNs are: • Point-to-Point Tunneling Protocol (PPTP) •
Layer 2 Tunneling Protocol (L2TP)
•
IP Security Protocol (IPSec)
Tunneling mechanisms differ in terms of: • What is done to the data for encryption and authentication. •
The OSI layer at which they operate.
•
The headers that describe the data transmission and authentication. OSI: (Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.
TASK 6E-1 Defining Tunneling Protocols 1.
Define the three major tunneling protocols for VPNs: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and IP Security Protocol (IPSec)
Topic 6F Tunneling Protocols Earlier in the course, you studied the IPSec protocol intensively, by working with various IPSec policy settings and testing their validity. The policies, however, were tested only in Transport Mode. When IPSec is used to secure VPN communication, it is used in Tunnel Mode. IP Security Protocol (IPSec) is an evolving security protocol from the Internet Engineering Task Force (IETF) that provides authentication and encryption over the Internet. Normal IPv4 packets consist of headers and payload, both of which contain information of value to an attacker. The header contains source and destination IP addresses, which are required for routing, but may be spoofed or altered in what are known as man-in-the-middle attacks. The payload consists of information that may be confidential to a particular organization. Lesson 6: Implementing IPSec and VPNs
341
cryptography: The art of science concerning the principles, means, and methods for rendering plain text unintelligible and for converting encrypted messages into intelligible form.
The two prime functions of IPSec are to ensure data security and data integrity. Security is achieved through data encryption techniques, and integrity through a combination of techniques that authenticate the data sender. IPSec is a set of industry standards for cryptography-based protection services and protocols. As mentioned in the previous topic, the major tunneling protocols for VPNs are PPTP, L2TP, and IPSec. Each of the three VPN protocols provides different levels of security and ease of deployment. The standardization process has made the Layer 2 Tunneling Protocol (L2TP) and IPSec the protocols of choice. PPTP is widely used for remote access connections, primarily because of its integration in the Microsoft operating systems. PPTP, L2TP, and Cisco’s Layer 2 Forwarding Protocol (L2F) are all designed to work at Layer 2 of the OSI model. IPSec is the only protocol engineered to work at Layer 3 of the OSI model. IPSec is fast emerging as the protocol of choice to build the best VPN system because it supports: •
Strong security
•
Encryption
•
Authentication
•
Key management
When dealing with VPNs in a multi-protocol non-IP network environment, PPTP or L2TP may be a better choice. Both PPTP and L2TP are strictly tunneling protocols. Since IPSec was designed for the IP protocol, it has wide industry support and is expected to eventually become the standard for VPNs on the Internet. Other tunneling protocols include: • Secure Shell (SSH) • SSH: (Secure Shell) A completely encrypted shell connection between two machines protected by a super long pass-phrase.
Socks v5
These offer Application layer tunnels, as well as various implementations of tunnels, such as cascaded tunnels, nested tunnels, or end-to-end tunnels. The SSH protocol is a widely used Application layer tunneling protocol that uses a public key cryptographic system to ensure security. SSH is freely available as a direct result of OpenSSH initiatives. The SSH protocol suite offers a secure replacement for Telnet, rlogin, FTP, and other programs, in addition to tunneling capabilities. Socks v5 offers an Application layer VPN by providing desktop-to-server authentication and encryption. While both SSH and Socks v5 are exceptional application (session)-tunneling protocols, they are not widely deployed in strategic enterprise VPN solutions.
Point-to-Point Tunneling Protocol (PPTP) The PPTP Forum developed the Point-to-Point Tunneling Protocol (PPTP) specification. This forum included Ascend Communications, 3Com/Primary Access, ECI Telematics, U.S. Robotics, and Microsoft. PPTP has fast become the most widely used protocol for creating dial-in remote access VPNs. A key reason for the success of PPTP for dial-in remote access has been support for the protocol by Microsoft. Microsoft supports PPTP on the NT Server platform version 4.0 and above and includes a free PPTP client in the desktop operating system. The Microsoft version of PPTP is its own version of the IETF PPTP protocol, and it is the Microsoft version that is the de facto standard for PPTP deployments. Most vendor products use Microsoft’s version of the protocol.
342
Tactical Perimeter Defense
Working at Layer 2 of the OSI model, PPTP encapsulates PPP packets using a modified version of Generic Routing Encapsulation (GRE), which gives PPTP the capability to handle any supported network layer protocol such as IP, IPX, and NetBEUI. While PPTP is best suited for remote access VPNs, there are some security issues related to it. These issues relate to vulnerabilities associated with the Challenge/ Response Authentication Protocol (Microsoft CHAP), as well as the RC4-based encryption protocol (MPPE). Even though there have been security updates and enhancements by Microsoft, it is still recommended that Microsoft’s PPTP protocol not be used in VPN systems where there is a strong need to protect sensitive data. PPTP may be an appropriate solution to deploy in smaller organizations that may only need a limited regional VPN, supporting small numbers of mobile users.
Layer 2 Tunneling Protocol (L2TP) Layer 2 Tunneling Protocol (L2TP), defined in RFC 2661, is a protocol for tunneling PPP sessions across a variety of network protocols such as IP, Frame Relay, or ATM. The IETF working group joined the PPTP group efforts with Cisco’s Layer 2 Forwarding Protocol’s (L2Fs) initiatives to develop L2TP. L2TP is the successor to PPTP and L2F. L2TP was specifically designed for client-to-gateway and gateway-to-gateway connections with broad tunneling and security interoperability. L2TP has wide vendor support because it addresses the IPSec shortcomings of client-to-gateway and gateway-to-gateway connections. L2TP tunnels appear as IP packets, so IPSec Transport Mode provides authenticity, integrity, and confidentiality security controls. L2TP tunneled-in IP, using UDP port 1701, is used as the VPN tunneling protocol over the Internet for tunnel maintenance. Compressed or encrypted PPP frames encapsulated in L2TP also use UDP to transmit tunneled data.
Lesson 6: Implementing IPSec and VPNs
343
IPSec IPSec in Tunnel Mode secures TCP/IP-based protocols using Layer 2 Tunneling Protocol (L2TP). Three main components form the building blocks of the IPSec protocol suite. AH: (Authentication Header) A field that immediately follows the IP header in an IP datagram and provides authentication and integrity checking for the datagram.
ESP: (Encapsulating Security Payload) A mechanism to provide confidentiality and integrity protection to IP datagrams.
Component
Description
Authentication Header (AH)
Provides authentication, integrity, and anti-replay protection for both the IP header and the data payload. It does not provide confidentiality. Provides confidentiality and/or authentication. Data is encrypted before it is transmitted. Defines the security policy to be used in managing the secure communication between two nodes.
Encapsulating Security Payload (ESP) Security Association (SA)
Keep in mind that you can use IPSec itself as the tunneling protocol, or you can use L2TP to create the tunnel and let IPSec provide data encryption. L2TP does not provide its own encryption service; it uses IPSec’s ESP protocol to encrypt and authenticate the entire UDP datagram, thereby protecting it from compromise by unauthorized users. You can create L2TP tunnels without encryption, but this is technically not a VPN because the data is not protected.
Authentication Header (AH) IPSec provides mechanisms to protect both header and payload data. The IPSec Authentication Header (AH) provides a mechanism for data integrity and data origin authentication for IP packets using the hashing algorithms Hash-based Message Authentication Code (HMAC) with MD5 or HMAC with Secure Hash Algorithm 1 (SHA-1). Use of the IP AH is indicated with the value 51 in the IPv4 Protocol field or IPv6 Next Header field in the IP packet header. AH digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, verifying the identity of the source and destination machines and the integrity of the payload.
Encapsulating Security Payload (ESP) The IPSec Encapsulating Security Payload (ESP) guarantees the integrity and confidentiality of the data in the original message by combining a secure hash and encryption of either the original payload by itself, or a combination of both the headers and payload of the original packet. As in AH, ESP uses HMAC with MD5 or SHA-1 authentication; privacy is provided using DES-CBC encryption. Placing a value of 50 in the IPv4 Protocol field or IPv6 Next Header field in the IP packet header indicates use of the IP ESP format. Both AH and ESP provide sequence numbers in each packet—this prevents a replay attack.
Security Association (SA) and Key Exchange Before two parties can exchange secure data that is authenticated and encrypted, those parties need to determine: • Which algorithms will be used for the session.
344
Tactical Perimeter Defense
•
How the key exchange will take place.
•
How often keys will need to change.
Then, the two parties need to actually exchange the keys. These values are packaged together in a Security Association (SA) to facilitate secure communication between the two systems. Authentication and confidentiality using AH or ESP use SAs. A primary role of IPSec key exchange is to establish and maintain SAs. SAs are logical, uniquely defined and uni-directional, or one-way connections between two communicating IP endpoints that provide security services to the traffic it carries using either AH or ESP procedures. The endpoints of the tunnel can be an IP host or IP security gateway, which is a VPN-enabled network device. Providing security to the more typical scenario of two-way (bi-directional) communication between two endpoints requires the establishment of two SAs (one in each direction). Two types of SAs are defined in IPSec, regardless of whether AH or ESP is used for the session. A Transport Mode SA is a security association between two hosts that provide the authentication and/or encryption service to the higher layer protocol. Only IPSec hosts support this mode of operation. A Tunnel Mode SA is a security association applied to an IP tunnel. In this mode, an IP header specifies the IPSec destination and an encapsulated IP header specifies the destination for the IP packet. Both hosts and security gateways support this mode of operation and it is considered the more secure of the two. IPSec is controlled specifically by a security policy of both sender and receiver and one or more Security Associations (SA) negotiated between them. An SA between the sending and receiving parties provides access control based on the distribution of cryptographic key and traffic management relative to the AH and ESP security protocols. The SA is either one, one-way relationship or two oneway relationships in complimentary directions. A Security Parameter Index (SPI) uniquely distinguishes each SA from other SAs. The IPSec security policy consists of a filter list and associated actions. For a successful deployment of IPSec, a scalable, automated SA and key management scheme is necessary. Several protocols have been defined for these functions: • The Internet Security Association and Key Management Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, modify, and delete SAs. It also provides the framework for exchanging information about authentication and key management, but it is completely separate from key exchange. •
The Oakley Key Determination Protocol (Oakley) describes a scheme by which two authenticated parties can exchange key information. Oakley uses the Diffie-Hellman key exchange algorithm.
•
The Internet Key Exchange (IKE) algorithm is the default automated key management protocol for IPSec, which is the result of combining both ISAKMP and Oakley protocols.
Key exchange is closely related to the management of SAs. When you need to create an SA, you need to exchange keys, and IKE is the framework that wraps together all the required pieces and delivers them as an integrated package.
IPSec Components The key IPSec components are described in the following table. Component
Use
IPSec driver
Monitors, filters, and secures IP traffic.
Lesson 6: Implementing IPSec and VPNs
345
Component
Use
The Internet Security Association Key Management Protocol (ISAKMP/Oakley) IP Policy Agent
Key exchange and management services to oversee security negotiations between hosts.
IP Security Policy and Security Association Security Association API Management Tools
Looks for appropriate policies and delivesr these policies to the IPSec driver and ISAKMP. Defines the security environment in which the two hosts must communicate. Provides the programming interface that will be used between the IPSec driver, ISAKMP, and the Policy Agent. Creates policies, tracks IP security statistics, and creates and logs appropriate IP security events.
IPSec Tunnel and Transport Modes In IPSec Tunnel Mode, one packet is encapsulated or tunneled in another packet, while IPSec Transport Mode secures the packet exchange end-to-end, source to destination. IPSec Tunnel Mode is used primarily for link-to-link packet exchanges between intermediary devices, like routers and gateways, while Transport Mode provides the security service between the two communicating endpoints. Either mode can use ESP or AH packet types. Both modes require that the two clients engage in a complex negotiation involving the IKE protocol and PKI certificates for mutual authentication. In Transport Mode, both of the end systems must support IPSec, but the intermediate systems do not have to support IPSec because they simply forward packets. Tunnel Mode is intended for gateway-to-gateway links. In Tunnel Mode, the sender encapsulates the entire IP datagram by creating a completely new header. The ESP protocol encrypts the entire datagram, including the original IP header and the AH protocol, generates a signature for the entire packet, including both the original IP header and the new one. Therefore, the encapsulation and encryption processes create a secure tunnel through an inherently insecure network. In Tunnel Mode, only the gateways providing the security services must support IPSec. The end systems (ultimate source and ultimate destination systems) do not have to support IPSec.
IPSec and Network Address Translation (NAT) Network Address Translation (NAT) is not compatible with the Authentication Header (AH) protocol, whether used in Transport or Tunnel Mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, which includes both data payload and headers by appending a hash value to the packet. When using the AH protocol, the data payload within the packet is not encrypted.
346
Tactical Perimeter Defense
The compatibility problem stems from the fact that a NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and will complain that the hash value appended to the received packet doesn’t match. The VPN device at the receiving end doesn’t know about the NAT in the middle, so it assumes that the data has been altered while in transit. IPSec, using ESP in Tunnel Mode, encapsulates the entire original packet (including headers) in a new IP packet. The new IP packet’s source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet. This mode (Tunnel Mode ESP with authentication) is compatible with NAT, because integrity checks are performed over the combination of the original header plus the original payload, which is unchanged by a NAT device. Transport Mode ESP with authentication is also compatible with NAT, but it is not often used by itself. Since the hash is computed only over the original payload, original headers can be rewritten.
TASK 6F-1 Assigning Tunneling Protocols 1.
In the table provided here, assign the tunneling protocols: IPSec, PPTP, L2TP, SSH and Socks v5 to their corresponding OSI layers. Layer Number
Name
Protocols
7 6 5 4 3 2 1
Application Presentation Session Transport Network Data Link Physical
SSH, Socks v5SSH, Socks v5
IPSec PPTP, L2TP
Lesson 6: Implementing IPSec and VPNs
347
Topic 6G VPN Design and Architecture VPN configuration is often complex. Conflicts between NAT and IPSec can cause legitimate packets to be refused or dropped. Further, strong authentication of a VPN client is critical. If the client is not strongly authenticated, the enterprise is at risk of an intruder remotely taking control of the client system and gaining an open tunnel into the enterprise network. One VPN design choice would be to require a personal firewall with built-in intrusion detection on the remote client. The personal firewall would block any inbound communication, and when intrusions are detected, it would report back to the logging server on the enterprise network. The problem with this design is guaranteeing that the personal firewall software is always present or functional on the client side. Further, how does the enterprise network force a disconnect of the tunnel session? How does it deactivate the user’s account? Designing an IPSec-based VPN solution involves addressing the following objectives: • Designing an IPSec encryption scheme.
security level: The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.
•
Designing an IPSec management strategy.
•
Designing negotiation policies.
•
Designing security policies.
•
Designing IP filters.
•
Defining security levels.
VPN Implementation Challenges Most organizations experience challenges with rolling out and deploying a VPN. In this section, you will examine some key VPN challenges and provide guidelines to minimize implementation-related problems and issues. Typical challenges experienced with VPN deployment include: • Difficulty with centralized management of client policy, configuration, and strong authentication requirements. •
Lack of protocol interoperability (for example, interoperability between NAT, IPSec, and PPTP).
•
Complexity of infrastructure.
Specific challenges that an organization may experience in the process of deploying a VPN include: • Addressing and routing. •
Administration.
Common addressing methods for VPNs include DHCP and NAT address pools. The problem is that NAT and IPSec have had compatibility problems. Some vendors, such as Cisco, are solving the problem by licensing an IPSec-over-UDP client that allows IPSec connections through NAT. The IETF is working to intro348
Tactical Perimeter Defense
duce new standards for IPSec and NAT to work together better. According to RFC 2026, established SAs would no longer be bound to IP addresses. Instead, SAs would be controlled via Host Identity Tags (HIT) and Scope Identity fields. Therefore, a VPN client system could conceivably change its IP address using Mobile IP, DHCP, PPP, or even IPv6, and still maintain the same SA with its communication partner. Also, a draft protocol called the Host Identity Protocol (HIP) would be integrated into existing IKE code, allowing IKE to work across NAT devices as well. The IETF is also working on long-term solutions to make NAT and IPSec work together better. Until new standards are established, the most popular way to overcome problems with IPSec Tunnel Mode with NAT is to use ESP Transport Mode. This allows the VPN to traverse a NAT device, such as a gateway. However, client authentication cannot be guaranteed because IP headers are not verified upon receipt. The inability to authenticate communication partners in a VPN tunnel compromises the purpose of IPSec. The challenge for administration is to make sure that remote VPN clients have installed and configured their VPN software correctly. Also, they need to have security mechanisms in place to make sure that the client host is secure against attacks that might use the VPN connection to access the corporate network. Other VPN challenges include: • Authentication and key management •
Fault tolerance
•
Performance
•
Reliable transport
•
VPN architecture
TASK 6G-1 Examining VPN-related RFCs 1.
Navigate to C:\Tools\Lesson6\RFCs then open rfc-index.wri.
2.
Perform a search using the keyword VPN You should see RFC 2547 highlighted. RFC 2547 describes a method by which an Internet Service Provider may provide VPNs for its customers.
3.
Identify the method used, and then close the file.
4.
In C:\Tools\Lesson6\RFCs, scroll down to rfc2547.txt.
5.
Scroll down to the third paragraph in section 1.1, and read the definitions for intranet and extranet. Note if these compare to your understanding of these terms.
6.
Close all open windows.
Lesson 6: Implementing IPSec and VPNs
349
Topic 6H VPN Security A VPN is not necessarily secure. This is because a VPN is typically protected by nothing more than a weak password. Sending information over the Internet is not secure, and therefore, has the corporate world concerned—even with the advent of VPNs. In practical terms, information passing over a secure VPN will potentially be routed across several networks that are not under the control of the sender. An important part of any VPN is the encryption that will secure the data payload from unauthorized users. Although most of the VPN solutions delivered today use Triple-DES encryption, there is a widely used, older, weaker type of encryption called DES, or SingleDES. Triple-DES, which is the type of encryption normally implemented in today’s solutions, is much more secure than Single-DES, and has never been broken. That’s how safe data passing through a secure VPN is. Virtually all of the common encryption technologies can be used in a VPN. Most VPN equipment vendors give the user a choice. IT managers can often select anything from the 40-bit built-in encryption offered by Microsoft under Windows 95 to more robust encryption technologies like Triple-DES. VPN vendors support a number of different authentication methods. Many vendors now support a wide range of authentication techniques and products, including such things as Kerberos, tokens, and software- and hardware-based dynamic passwords. The primary purpose of a VPN is to secure the data in transmission. Four critical functions must be in place to ensure this. • Data encryption, which ensures that no one who intercepts data as it travels through the Internet can read it. Most solutions delivered today use TripleDES encryption, which is so strong that it has never been broken. •
Data integrity, which checks each data packet received from the Internet to make sure that it has not been modified during transit.
•
User authentication, which ensures that only authorized people can gain access to corporate resources through a VPN. There are many different methods in which users can authenticate themselves, from very basic user name and password authentication to much more secure methods, such as digital certificates, smart cards, SecureID tokens, biometrics, and others.
•
Access control, which restricts unauthorized access to the network.
A VPN must secure the data against eavesdropping and tampering by unauthorized parties. Depending on the VPN solution being implemented, there are a few ways to control the type of traffic sent over a VPN session. Many VPN devices allow you to define a user- or group-based filter, which can control IP address and protocol/port services allowed through a tunnel. In addition, IPSec-based VPNs allow you to define a list of networks to which traffic can be passed (Security Associations). The first mechanism allows the administrator to limit access to specific networks/machines and applications on their network. The second usually provides full connectivity to the private network. Allowing VPN access only in conjunction with strong authentication also prevents an intruder from successfully authenticating to your network, even if they somehow configured/captured a VPN session. 350
Tactical Perimeter Defense
VPNs and Firewalls Two of the most common configurations for a VPN device providing corporate remote access are to run a VPN device either in parallel to an existing firewall or behind an existing firewall. Terminating VPN sessions in front of a firewall or on a firewall itself is not as popular. There are pros and cons for all implementations. • Placing a VPN device in parallel to an existing firewall requires no changes to an existing firewall infrastructure, but it also means that you will have two entry points into your private network. On most VPN devices, you should verify that they block all non-VPN traffic to minimize the additional security risk. Depending on how your network is set up, this will probably also require the VPN device to do some sort of address translation, or to have the ability to redirect this traffic to an existing firewall. •
Placing a VPN device behind an existing firewall forces you to make changes to the configuration of your firewall. You will also need a firewall smart enough to be able to configure a filter to pass the VPN traffic. Depending on how your network is set up, this may also allow you to make use of only one of the two or more Ethernet ports on your VPN device. This configuration is sometimes known as one-arm-routing.
•
Placing a VPN device in front of your firewall terminates secure traffic in a public zone. You will need to assign addresses to users from a certain block of IP addresses and open a large hole in the firewall for access from these IP addresses. A potential advantage to doing this would be that you could then use your existing firewall to control the destination of traffic, but most VPN boxes will also allow you to do this. This type of application may make more sense for trading-partner connectivity, as opposed to connectivity for remote access users.
•
Implementing a VPN on an existing firewall adds some intense processing to a device whose original purpose was, simply speaking, to control network access. Some people like the simplicity of adding a service to an existing device on the network perimeter.
The use of encryption adds some additional overhead to a session. Most VPN devices, whether hardware- or software-based, will be able to process encryption for connections up to 10Base-T speeds. On a lower-speed connection like a modem, VPN processing is much faster than delays introduced by the limited bandwidth availability. Often, performance is potentially affected more by packet loss and latency on bad Internet connections than by the encryption overhead. A VPN client typically establishes a connection with a VPN server using either L2TP over IPSec or PPTP. Keep in mind the following information related to PPTP, as it may be required for defining packet filters for VPN traffic on firewall systems: • TCP port 1723 allows PPTP tunnel maintenance traffic to move from the PPTP client to the PPTP server. •
IP protocol type 47 allows the PPTP tunneled data to move from the PPTP client to the PPTP server.
Lesson 6: Implementing IPSec and VPNs
351
The following information may be required for defining packet filters for L2TP over IPSec VPN traffic on firewall systems: •
UDP port 500 allows the Internet Key Exchange (IKE) traffic to access the VPN server.
•
UDP port 1701 allows L2TP traffic to move from the VPN client to the VPN server.
•
IP protocol ID 50 allows IPSec ESP traffic to move from the VPN server to the VPN client.
At the firewall, typically all L2TP traffic, including tunnel maintenance and tunneled data, is encrypted as an IPSec ESP payload. Figure 6-11 depicts ports and protocols associated with tunneling protocols.
Figure 6-11: Ports and protocols associated with tunneling protocols.
VPN Authentication In general, user authentication is based on the following principle: An entity has authenticating knowledge (what you know), possession of an authenticating device (what you have), or exhibits a required physiological characteristic (what you are). Strong authentication requires that at least two of the three factors be demonstrated. VPN authentication protocols, which operate at the Data Link layer, include: • Password Authentication Protocol (PAP). PAP is a weak method for authentication as it uses a cleartext authentication scheme.
352
Tactical Perimeter Defense
•
Challenge Handshake Authentication Protocol (CHAP). CHAP does not transmit the actual password and is a stronger authentication protocol than is PAP. With CHAP, remote customers use a Message Digest 5 (MD5) hash of their credentials in response to a challenge by a network access server.
•
Shiva Password Authentication Protocol (SPAP). SPAP is used in mixed environments that support the Shiva Local Area Network Rover software.
•
Extensible Authentication Protocol-Transaction Level Security (EAP-TLS). EAP-TLS is a Microsoft implementation of a strong authentication method that uses public key certificates.
The IPSec authentication scheme for both AH and ESP uses the Hash-based Message Authentication Code (HMAC) authentication code, which uses a shared secret key between two parties, rather than public key methods, for message authentication. The generic HMAC procedure can be used with just about any hash algorithm, although IPSec specifies support for at least MD5 and Secure Hash Algorithm 1 (SHA-1) because of their widespread use. In HMAC, both parties share a secret key. The secret key is employed with the hash algorithm in a way that provides mutual authentication, but at the same time prevents the key from being transmitted on the line. IPSec key management procedures are used to manage key exchanges between the two parties via Security Associations (SA).
Key Length Data is transmitted securely in a VPN by using industry standard IPSec tunneling, encryption services using DES and 3DES, and MD5 and SHA-1 for message authentication. IPSec creates private end-to-end pipes, or tunnels, through the IP network, connecting the designated VPN sites to each other. Unauthorized access to the information is prevented by the encryption and authentication services, which are applied. Encryption systems depend on two mechanisms to guarantee data confidentiality. The encryption algorithm provides the mathematical rules that convert the plaintext message to a random ciphertext message. The algorithm provides steps for converting the plaintext message with an encryption key, a block of alphanumeric data that introduces the random element into the ciphertext message. The longer the secret key is, the more time it takes for an attacker to test all possible values of the key, and determine the plaintext content of the message. In other words, data that will be of value to an attacker for a long time should be encrypted with longer keys.
TASK 6H-1 Viewing Firewall-related RFCs 1.
Navigate to C:\Tools\Lesson6\RFCs and open rfc-index.wri.
2.
Perform a search using the keyword firewall If you keep clicking Find Next, you will see many hits. Stop when you see RFC 2979 highlighted. RFC 2979 describes the behavior of and requirements for Internet firewalls.
3.
Close the file.
4.
Navigate to C:\Tools\Lesson6\RFCs and open rfc2979.txt in Notepad.
5.
Scroll down to the second paragraph in section 3.1.1, and read the transparency rule for firewalls.
6.
Close all open windows.
Lesson 6: Implementing IPSec and VPNs
353
Topic 6I Configuring a VPN Built into Windows 2003’s Routing And Remote Access Service (RRAS) is a single, integrated service that terminates connections from either dial-up or Virtual Private Network (VPN) clients. With RRAS, your Windows 2003 Server can function as a remote access server, a VPN server, a gateway, or a branch-office router. You can allow users ready access to the network through the Internet by implementing a VPN, therefore, greatly reducing direct dial-up costs. Windows 2003 VPNs can be created by using either PPTP or L2TP. In this topic, you will build a VPN, and the tasks will require three computers. One computer will be configured as the internal resource, a simple FTP site. The second computer will be the VPN Server, and this machine will require two network cards. One of the cards on this server will be the connection to the private network, and the other will be the connection to the remote client. The third computer will function as the network client, the one making the access via the VPN. The computers will be called: VPN Server, Internal Server, and VPN Client.
About the Tasks In this task, you will work in pairs, with one student configuring the VPN Server and the other configuring the VPN Client. The Internal Server is a simple web page, or ftp site, hosted on the instructor computer, as part of the internal network.
TASK 6I-1 Configuring the VPN Server Note: Complete this task only if you are designated as the VPN Server Note: The VPN Server in these tasks requires a second network card. This can be an integrated or non-integrated network card. Upon completion of the VPN tasks, this second network card can be either removed or disabled for the remainder of the class. 1.
Enable the second network card on the server.
2.
Assign the second network card with the following IP Address information: • IP 10.0.10.x (replace x with your seat number)
3.
354
Tactical Perimeter Defense
•
SM 255.255.255.0
•
DG This can be left blank
Open a command prompt and verify your NIC and IP Address configuration, by entering the command ipconfig /all
4.
Verify that you have one NIC with an address of 172.16.x.x or 172.18.x.x based on your location in the classroom. Your second NIC has an address of 10.0.10.x based on your location in the classroom.
5.
Write down your 172.16.x.x address as your Internal NIC and your 10.0. 10.x address as your External NIC.
6.
Choose Start→Administrative Tools→Configure Your Server Wizard. At the Welcome screen, click Next.
7.
Verify you have met the requirements at the Preliminary Steps screen, and click Next. The system will now detect your network settings and configuration.
8.
Select the Custom Configuration radio button, and click Next.
9.
Select the Remote Access / VPN Server, and click Next.
10. In the Summary Of Selections, verify that you are going to run the Routing and Remote Access Server to setup routing and VPN, then click Next. The RRAS Wizard will open at this time. 11. At the RRAS Setup Wizard, click Next.
Lesson 6: Implementing IPSec and VPNs
355
12. Select the Virtual Private Network (VPN) Access and NAT radio button, and click Next.
13. Select your VPN Network adapter. In this task, this is the NIC that you have assigned the 10.0.10.x IP address to.
14. Leave the Basic Firewall check box checked, and click Next.
356
Tactical Perimeter Defense
15. Select your internal network for the clients to connect to, and click Next.
16. In the IP Address Assignment screen, select the From A Specified Range Of Addresses radio button and click Next. 17. In the Address Range Assignment screen, click the New button. 18. These are the IP Addresses of the internal network.
Enter a small range, based on your seating in the classroom, click OK, verify your addresses are correct, and click Next.
Lesson 6: Implementing IPSec and VPNs
357
19. At the Network Selection window, select the network that has access to the Internet, and click Next. This is usually the same network as your internal resource network.
20. At the Name & Address Translation Services window, leave the default of basic name and address Services, and click Next. If your system does not show this window, continue to the next step. 21. Review the Address Assignment Range, and click Next. If your system does not show this window, continue to the next step. 22. For this lesson, you will authenticate locally, so leave the No, Use RRAS To Authenticate Connection Requests radio button selected, and click Next. 23. Review your settings, and click Finish. (If you get a prompt to configure relaying of DHCP messages, click OK.)
358
Tactical Perimeter Defense
24. The Remote Access / VPN Server will now start. Click Finish.
25. Close the Manage Your Server window.
VPN Clients Generally, the configuration on the client side of the VPN is minimal. The client needs to know how to make the connection, and needs proper credentials to authenticate and use the VPN. In the following task, you will prepare the VPN Server to accept VPN clients.
TASK 6I-2 Configuring VPN Clients Setup: Complete this task if you are designated as the VPN Server. 1.
Choose Start→Administrative Tools→Computer Management.
2.
Expand Local Users And Groups (under system tools).
3.
Right-click Users and choose New User.
4.
In the User Name text box, type VPN1 and enter and confirm a password of QWERTY1 Uncheck the box to change password at next logon, and click Create.
5.
Click Close. One client account is enough for testing purposes.
6.
Double-click the new VPN1 user account, and click the Dial-in tab. Lesson 6: Implementing IPSec and VPNs
359
7.
Select the Allow Access radio button and click OK.
8.
Close the Computer Management window.
9.
Choose Start→Administrative Tools→Routing And Remote Access.
10. Expand your server_name and click Remote Access Policies. 11. Right-click Remote Access Policies, and choose New Remote Access Policy. 12. In the New Remote Access Policy Wizard, click Next. 13. Leave the Use The Wizard To Set Up A Typical Policy For A Common Scenario radio button selected. 14. In the Policy Name text box type VPN_Policy_1 and click Next. 15. In the Access Method window, select the VPN radio button and click Next. 16. In the User Or Group Access window, select the User radio button and click Next. 17. For the Authentication Method, ensure that only MS-CHAPv2 is checked, and click Next.
360
Tactical Perimeter Defense
18. For the Policy Encryption Level, only check the box for Strongest Encryption (MPPE 128-bit) and click Next.
19. Review the settings for this policy, and click Finish.
Establishing the VPN The following task will require steps on both the VPN Server and on the VPN Client computers. The VPN Client will connect to the VPN Server, receive an IP Address and join the private network. The VPN Server will verify the connection is active, and the VPN Client will then access a resource located on the Internal Server. In addition to the VPN Client and the VPN Server, to show the VPN to a higher level, if there is enough time in the class, create a resource server for the VPN client to connect to. In the following task, the FTP Server is designed to be running on the instructor machine, in the middle segment.
Lesson 6: Implementing IPSec and VPNs
361
TASK 6I-3 Establish the VPN The Instructor machine requires a resource for the VPN client to connect into. Enable the FTP Service on your machine, and use that for your students. If your class has enough time, run a packet capture on each machine to perform a packet analysis of the connection and ftp site access.
362
Tactical Perimeter Defense
Note: Perform step 1 through step 15 on the VPN Client. 1.
Open the TCP/IP Properties of your network card. Edit the IP Address to be a node on the 10.0.10.X/24 network. You can replace the X with your seat number.
2.
Close the properties of your network card.
3.
Open a command prompt.
4.
Enter ipconfig to verify your IP Address configuration.
5.
Choose Start→Control Panel→Network Connections→New Connection Wizard.
6.
In the New Connection Wizard, click Next.
7.
Select the Connect To The Network At My Workplace radio button and click Next.
8.
Select the Virtual Private Network Connection radio button and click Next.
9.
In the Company Name text box, type SCP VPN and click Next.
10. Enter the IP Address that is assigned to the External NIC of the VPN Server, and then click Next. Note: The external IP Address is the one in the 10.0.10.x range. 11. Select the My Use Only radio button and click Next. 12. To complete the creation of the new connection, click Finish. 13. In the screen to connect to the SCP VPN, in the User Name field, type VPN1, in the Password field, type QWERTY1, and then click Connect.
14. Open a command prompt, and enter ipconfig /all Lesson 6: Implementing IPSec and VPNs
363
15. Note that you have been assigned an IP Address from the VPN Server, and that the IP Address is part of the Internal network. Note: Perform step 16 through step 19 on the VPN Server 16. Choose Start→Administrative Tools→Routing And Remote Access. 17. Expand your Server name. 18. Click Remote Access Clients. 19. In the right pane, double-click the connection to see the IP Address that was assigned, and other statistics. Note: Perform step 20 through step 24 on the VPN Client 20. In the command prompt, enter ftp 172.17.10.1 (If your instructor changed the IP Address of the Internal Server, use the address as provided.) 21. Enter annonymous as the username with no password. 22. Once connected, enter dir to list the contents of the ftp site. 23. When done browsing the ftp site, enter bye to end the session. 24. Close all windows.
Returning the Classroom Setup to its Original State To ensure the remaining tasks in this course work properly, the VPN implementation lab must be torn down, and the classroom environment returned to its original state. Be sure not to skip this quick section.
TASK 6I-4 Restoring the Classroom Setup
364
Tactical Perimeter Defense
1.
On the VPN Server, choose Start→Administrative Tools→Configure Your Server Wizard.
2.
In the Welcome Screen, click Next.
3.
In the Preliminary Steps Wizard, click Next.
4.
Click Remote Access / VPN Server, and click Next.
5.
Check the Remove The Remote Access/VPN Server Role check box and click Next.
6.
At the prompt that you are disabling the router, click Yes.
7.
When the VPN Server Role has been removed, click Finish.
8.
Disable the External NIC on the VPN Server.
9.
Open a command prompt, and ensure that you are only running the Internal NIC with the 172.x.x.x address by entering ipconfig
10. On the VPN Client, choose Start→Connect To→Show All Connections. Perform step 10 through step 14 on the VPN Client.
11. Right-click the SCP VPN connection, and choose Delete. 12. In the confirmation prompt, click Yes. 13. Open the properties of your NIC and return the IP Address to your original configuration, then click OK. (The 172.x.x.x address.) 14. Close all windows.
Summary In this lesson, you worked with a Microsoft Management Console (MMC). You configured an MMC and viewed the default or built-in IPSec policies. You then created custom IPSec policies. You implemented and tested these policies. You also took a first look at implementing filter lists and experimented with a couple of authentication methods—preshared keys and certificates.
Lesson Review 6A What are the two protocols in IPSec that are used to protect network traffic? The Encapsulating Security Protocol (ESP) and the Authentication Header (AH). What are the two main modes of implementation for IPSec? Transport Mode and Tunnel Mode. If you are going to set up a VPN with IPSec, what mode will you probably use? Tunnel Mode.
6B What are the three default IPSec policies in Windows 2003? Server (Require Security), Server (Request Security), and Client (Respond Only). What integrity algorithms are supported in Windows 2003 IPSec? MD5 and SHA-1. Lesson 6: Implementing IPSec and VPNs
365
What encryption algorithms are supported in Windows 2003 IPSec? DES and 3DES.
6C What authentication methods are supported in Windows 2003 implementation of IPSec? Kerberos, Certificates, and Preshared Keys. What are the default key lifetimes? A new key is generated for every 100 MB of data exchanged between the two IPSec devices or every 15 minutes, whichever is earlier.
6D When would ESP’s integrity check be most usefully employed? When implementing IPSec in Tunnel Mode. ESP’s integrity check at the tunnel endpoint will ensure the integrity of the payload (including the encapsulated packet, internal IP headers, and all other data). Using filters, it is possible to explicitly control IPSec traffic.
6E Describe all of the key components of a VPN. VPN server, VPN client, tunnel, VPN connection, tunneling protocols, tunneled data, and transit network. Identify the key VPN tunneling protocols. PPTP, L2TP, and IPSec.
6F What are the differences between the tunneling protocols PPTP and L2TP? PPTP uses separate channels—a control stream that runs over TCP, and a data stream that runs over GRE. L2TP uses UDP. PPTP is generally associated with Microsoft, and Microsoft uses MPPE for encryption. L2TP uses IPSec for encryption. What are the differences between IPSec Tunnel and Transport Modes? In IPSec Tunnel Mode, one packet is encapsulated or tunneled in another; while IPSec Transport Mode secures the packet exchange end-to-end, source to destination. IPSec Tunnel Mode is used primarily for link-to-link packet exchanges between intermediary devices like routers and gateways. Transport Mode provides the security service between the two communicating endpoints. What is a Security Association (SA)? A Security Association (such as ISAKMP) determines which algorithms will be used for the session, how the key exchange will take place, and how often keys will need to change. What are the two types of SAs? Transport Mode SA and Tunnel Mode SA.
366
Tactical Perimeter Defense
How does IKE relate to ISAKMP and Oakley? ISAKMP defines procedures and packet formats to establish, negotiate, modify, and delete SAs. It also provides the framework for exchanging information about authentication and key management, but it is completely separate from key exchange. Oakley describes a scheme by which two authenticated parties can exchange key information. Oakley uses the DiffıeHellman key exchange algorithm. IKE is the result of combining both ISAKMP and Oakley protocols.
6G Identify key design issues related to IPSec VPNs. IPSec encryption scheme, IPSec management strategy, negotiation policies, security policies, IP filters, and security levels. Identify specific challenges associated with VPN implementation. Diffıculty with centralized management of client policy, configuration and strong authentication requirements; lack of protocol interoperability (for example, interoperability between NAT, IPSec, and PPTP), complexity of infrastructure, addressing and routing, and administration.
6H What is PAP? What is CHAP? Briefly describe the differences between them. PAP and CHAP are both authentication protocols. PAP uses cleartext authentication, while CHAP relies on encryption mechanisms. Describe the security issues related to having a VPN server in front of the firewall (exposed to the Internet connection) or having a VPN server (in the DMZ) behind the firewall. By placing a VPN device in front of your firewall, you will be terminating secure traffıc in a public zone. You will need to assign addresses to users from a certain block of IP addresses and open a large hole in the firewall for access from these IP addresses. A potential advantage to doing this would be that you could then use your existing firewall to control the destination of traffıc, but most VPN boxes will also allow you to do this. By placing a VPN device behind an existing firewall, you will need to change the configuration of your firewall. You will also need a firewall smart enough to be able to configure a filter to pass the VPN traffıc. Depending on how your network is set up, this may also allow you to make use of only one of the two or more Ethernet ports on your VPN device. If a VPN server is using PPTP, which ports would you need to provide access through a firewall system? TCP port 1723 allows PPTP tunnel maintenance traffıc to move from the PPTP client to the PPTP server. IP protocol type 47 allows the PPTP tunneled data to move from the PPTP client to the PPTP server.
Lesson 6: Implementing IPSec and VPNs
367
Which ports are associated with L2TP and a VPN? UDP port 500 allows the Internet Key Exchange (IKE) traffıc to access the VPN server. UDP port 1701 allows L2TP traffıc to move from the VPN client to the VPN server. IP protocol ID 50 allows IPSec ESP traffıc to move from the VPN server to the VPN client. What are security vulnerabilities of a VPN? What technologies can be used with a VPN to make it more secure? Key management is a critical security vulnerability of a VPN. PKI technologies can be used with a VPN to make it more secure.
6I What is the encryption standard supported by Microsoft’s implementation of PPTP? MPPE. What are the transport protocols used by PPTP and L2TP? PPTP uses TCP, and L2TP uses UDP.
368
Tactical Perimeter Defense
Designing an Intrusion Detection System
LESSON
7 Data Files none
Overview In this lesson, you will be introduced to the concepts surrounding one of the areas critical to the defensive network protection scheme—the Intrusion Detection System. This system, in conjunction with the firewall technologies in place, is the basis for a very solidly defended network. The Intrusion Detection System will be used to detect when an intruder is attempting penetration of the network or tampering with the firewalls.
Lesson Time 2 hours
Objectives To design an Intrusion Detection System, you will: 7A
Examine the goals of Intrusion Detection Systems. Given the components of Intrusion Detection Systems, you will describe how the components interact to accomplish the goals of intrusion detection.
7B
Describe the technologies and techniques of intrusion detection. Given a scenario of users in a network, you will examine the process of intrusion detection and how behavioral use is implemented in the IDS.
7C
Describe host-based IDSs. Given a network of connected hosts, you will describe how host-based IDSs identify an intrusion.
7D
Describe network-based IDSs. Given a network of connected hosts, you will describe how networkbased intrusion detection systems identify an intrusion.
7E
Examine the principles of intrusion detection data analysis. Given an example signature of an incident, you will examine the concepts and methods of data analysis.
7F
Describe the methods of using an IDS. Given network scenarios, you will identify multiple uses of IDS for detection of, monitoring of, and anticipation of attacks.
Lesson 7: Designing an Intrusion Detection System
369
7G
Define what an IDS cannot do. Given a network situation, you will identify the functions an IDS cannot complete.
370
Tactical Perimeter Defense
Topic 7A The Goals of an Intrusion Detection System As the months and years go by, security professionals have an increasingly difficult task of keeping the network secure. What makes this job so difficult? Is it the fact that there are more threats than ever? Perhaps, but there is more to it than that. Is it the fact that there are more people on the Internet year after year? It contributes, but there is more to it than that, too. As you build complex interconnected networks, where partners from the outside require access to the inside, where you have employees telecommuting, and where you have internal connections to external suppliers, the problem grows. It is the very nature of the industry to be even more connected. This connection comes with a price. The price is the extreme difficulty in securing the network. In order for networks to continue to grow and be functional, there must be a certain degree of trust built into the systems. However, on top of the level of trust, there must be verification of this trust. The method most often employed by organizations these days is a solid Intrusion Detection System (IDS). The three general components of network security from a need perspective are shown in Figure 7-1.
Figure 7-1: Components of network security. Most security analysts and professionals are at least familiar with these concepts. Over the last 30 years or so, most organizations had focused the vast majority of their time, energy, and budget on prevention. The logic seemed obvious—if it were possible to stop the majority of threats from getting in, then the network could be reasonably secured. Then came the networks of today. These complex, interconnected networks do not have this clear-cut boundary, where the goal is to keep the bad people out and the good people in. Reliance on perimeter defense of a firewall alone is no longer adequate. Perhaps even more of an issue is the fact that most organizations do not have systems in place to detect the very attacks that can lead to financial loss. This again proves that the firewall defense is not enough. The ability to detect intrusion through defense is critical to the overall security of the network.
What is Intrusion Detection? Before you can get into a detailed definition of intrusion detection, let’s return briefly to the standard network defense system. The common method for protecting the network is to follow the layered defense policy. While this is a solid base to network security, it does have its limitations.
Lesson 7: Designing an Intrusion Detection System
371
A common analogy to this problem is to investigate the castle structure (or fortress structure) of centuries ago. As you discussed earlier, the fortress would have a large, thick stone wall surrounding the main structure. There would perhaps be a large moat on the outside of the wall, with only a large drawbridge as an entrance. This presented a solid defense, and there are many instances recorded of a small group of soldiers holding off many times the number of attackers. The question then arises, if the defense was so strong, why did the fortress model fade away? The attackers got smarter. They realized that attacking the front door was effective at times, but the losses could be enormous to gain entry. The attackers also realized that the soldiers inside the fortress seemed to be getting new supplies, but no one was seen going through the front door. This indicated a hidden door elsewhere, as was often the case. This hidden back door would be the key to the attackers capturing the fortress. What is the solution to the back door? Many in the fortress assumed the back door was secure, and with all the fighting on the front, there were little resources left to guard the hidden entrance. The swarming attackers, once inside, would seize the fortress from the inside out, and quickly overwhelm the one soldier left there to guard this door. Had solid intrusion detection systems been in place, odds are that the fortress would not be so quick to fall. Although this is a fun analogy (except for the soldiers!), it is quite correct. Today’s modern networks are well guarded with firewalls. But, there needs to be a way to know if someone is trying to get through a side door, a hole in the firewall, or if people on the “inside” of the firewall need monitoring. The solution of adding layers may help with the defense, but as layers are added, the function of the network often suffers. It becomes more tedious to allow a single connection through from a remote supplier when there are five layers to navigate. This is where intrusion detection comes in. By itself, intrusion detection will not prevent access to resources. However, it is a method to use in identification of criminal activity, assistance in gathering evidence, and, perhaps most importantly, indication of attacks in progress. Intrusion detection is the process of detecting and responding to computer and/or network misuse. Throughout this lesson, you will be introduced to the different options of detection and the ways to define misuse. Some of the questions you will need to answer are: • What constitutes an intrusion?
372
Tactical Perimeter Defense
•
What is our definition of detection?
•
What is our definition of misuse?
•
How will we define a false-positive?
•
How will we define a false-negative?
Some Intrusion Detection Definitions As you get further into this lesson, you need to be aware of some of the common IDS terms and their definitions. There are many definitions of IDS terms; the ones that follow are intended to give you a basic level of understanding. This is not intended to be a complete glossary, but the terms that are required for this lesson and the discussion of IDSs are listed in the following table. Term
Definition
Intrusion Misuse
Unauthorized access to, and/or activity in, an information system. Improper use of resources inside the organization, regardless of intention. The process of detecting unauthorized access or attempted unauthorized access to resources. The process of detecting unauthorized activity that matches known patterns of misuse. The process of detecting any variations from acceptable network use and activity, based on known patterns of use. The process of examining systems to locate problems or areas that could indicate security vulnerabilities. A feature or error found in system software or system configurations that provides a method of entry for an attacker, or provides for an opportunity for misuse.
Intrusion detection Misuse detection Anomaly detection Vulnerability scanners Security vulnerabilities
Some of the groups that you might want to research for further definitions and standards on IDS are: the Recent Advances in Intrusion Detection (RAID) group, the Intrusion Detection Sub-Group (IDSG) of the President’s National Security Telecommunications Advisory Committee (NSTAC), and the Intrusion Detection Systems Consortium (IDSC).
The IDS Matrix Figure 7-2 is an interesting true-false matrix showing the relationship between IDS configurations and alarms going on or off in response. Very simply put, any IDS has to be trained to look for trouble, by programming in one or more signatures, where a signature can be considered a representation of patterns of traffic or behavior that spells trouble.
Lesson 7: Designing an Intrusion Detection System
373
Figure 7-2: The classic true-false matrix of IDS. Think of a police officer who has just pulled over a car. The officer walks over and asks the driver for his license and registration. The driver starts to reach into his jacket. To a trained officer, this is a signature action representative of someone reaching for a handgun. According to the training the officer has received, an alarm should go off in his head. He should yell at the driver to freeze, and then very firmly order the driver to step out and search him for a handgun. Now, in the above scenario, if the officer does discover a handgun, it is representative of a true-positive. If there is no handgun, it is representative of a falsepositive. Let’s change the scenario a bit. If the officer is not trained well, the action of the driver reaching into his jacket will not be seen as a signature action of someone reaching for a handgun. According to the training the officer has received, no alarms go off in his head. He doesn’t yell at the driver to freeze. You might say here that the officer has been inadequately programmed. In this changed scenario, the officer does not see the action of the driver reaching into his jacket as a threat, and if the driver simply pulls out his license and registration from his jacket, it is representative of a true-negative. However, if the driver does pull out a handgun, it is a false-negative! As much as most of us would want to live in a world of the true-negative, it is unfortunately not the case. There are large numbers of true-positives (still OK) and many false-positives that you have to put up with. Then there is the complacent but dangerous world of false-negatives. To summarize: •
If the configuration of signatures is done right for the environment that the IDS is in, the state of the IDS is TRUE.
•
If the configuration of signatures is not done right for the environment that the IDS is in, the state of the IDS is FALSE.
•
If the alarms go off as programmed, it’s said to be POSITIVE.
•
If the alarms do not go off as programmed, it’s said to be NEGATIVE.
Given the previous analogy with respect to an IDS, you can define the states in the following table.
374
Tactical Perimeter Defense
State
Description
True-positive
The event when an alarm is indicating an intrusion when there is an actual intrusion. The event when an alarm is indicating an intrusion when there is no actual intrusion. The event when an alarm does not occur and there is no actual intrusion. The event when an alarm does not occur when an actual intrusion is carried out.
False-positive True-negative False-negative
IDS Components An IDS in a network of today is a group of processes working together, and, in virtually every case, these processes are on different computers and devices across the network. The very nature of an IDS has grown from its rather simple name. Today’s IDS is much more than a detection of intrusion. Most IDSs will have the abilities to do one or more of the following: • Recognition of patterns associated with known attacks. •
Statistical analysis of abnormal traffic patterns.
•
Assessment and integrity checking of defined files.
•
Monitoring and analysis of user and system activity.
•
Network traffic analysis.
•
Event log analysis.
Although the systems vary from vendor to vendor, these features of IDSs have similar requirements for implementation. These components are generic, meaning that most IDS applications will have these in one form or another.
The Command Console The command console is where the IDS is monitored and managed. It maintains control over the IDS components, and the console should be accessible from any location. Generally, the command console will maintain open channels between network sensors over encrypted paths, and is a dedicated machine.
The Network Sensor Network sensors are programs that run on network devices or dedicated machines, or both, on essential network segments. The network sensors may be defined as agents, and they are often configured in promiscuous mode. Sensor placement is critical in the network because there could be thousands of targets that need monitoring. When all networks used hubs, you could place a sensor on any port of the hub, since all traffic is sent out from all ports of a hub, and the tap could detect any anomalous traffic. However, when the conversion to switches happened, this changed things for the hub. Switches send traffic only to the correct host, and so a tap may miss communication on a switch. To address this issue, a common configuration technique is to use switches that have an expansion port on them (much of the newer networking equipment has this), and connect the IDS to this expansion port.
Lesson 7: Designing an Intrusion Detection System
375
These ports are known as Switched Port ANalyzer (SPAN) ports. SPAN ports can be configured by the security professional to mirror all switch transmissions so that the single port can be used by the IDS to monitor designated traffic.
The Network Tap The network tap is a hardware device that sits on the network, can be rack mounted, and—to the untrained eye—can appear to be a hub or a switch. As part of an IDS, the network tap, which has no IP address, sniffs network traffic and sends an alert when an intrusion is detected. Having a network tap in your network-based IDS will make the overall system more secure, as attacking the hardware device is not an effective technique for the vast majority of attackers. Although widely considered a solid tool in your IDS arsenal, there are design issues you will have to overcome for proper tap deployment. Network taps require the monitoring of two data streams, for the two directions of your full duplex network traffic. Although you will be able to monitor your network’s traffic using two streams, this might present a cumbersome solution for your environment. Newer products are designed to combine the two streams so that you will need only one connection from the tap to monitor all traffic.
Alert Notification
SNMP: (Simple Network Management Protocol) Software used to control network communications devices using TCP/IP.
Alert notification is the portion of the system that is responsible for contacting the incident handler. Modern IDSs can provide alerts via many options such as pop-up windows, audible tones, paging, email, and Simple Network Management Protocol (SNMP).
Realistic Goals of IDS Although there are varied goals for intrusion detection from organization to organization, there are two that can generally be counted on being present. The two general goals—aside from the initial detection itself—are response and accountability.
The IDS Response When discussing the response of an IDS, one must recognize first what it is. A response is the end result of an IDS analyzing data. The end result is a result calling for action. The action is what must be defined. Exercise caution in determining the level of response to incidents. Aggressive or offensive responses may open up the organization to serious legal issues. It is suggested that legal counsel is consulted during response decisions.
376
Tactical Perimeter Defense
The most common response is not quite as exciting as many security professionals would like—it is a simple entry placed in the log file. Even though the log file entry does not have the glamour of a Hollywood intrusion response, it may turn out to be the most useful. The log file report has the data that many organizations will use in determining the overall IT security budget. Other responses can include a trigger that will issue a call to the security architect’s pager, or even a pop-up window or email message. During an attack, the response can also be the ability to have the network modify itself. A command may be issued to change or block port numbers, or to disable services. This response during an attack can prove to be the vital element that keeps the network from compromise.
Accountability Having the response options is a valuable portion of all IDSs and should be configured as part of the network security policy, but many systems must provide proper accountability as well. This accountability provides the option to trace the misuse event of intrusion to the responsible party. Accountability is one of the hardest tasks in implementing an IDS, given that users change systems and attacks can come from spoofed sources. This is a critical step in the overall protection of a network, however, and this becomes even more evident in the event that the organization pursues legal avenues against an attacker. Ideally, the accountability system will enable the Security Professional to locate not only the computer used in the attack, but its physical location and, if possible, the user who initiated the attack.
TASK 7A-1 Describing Alarms 1.
Describe the differences between a false-positive alarm and a falsenegative alarm. A false-positive is when an alarm indicates an intrusion when there is no actual intrusion. A false-negative is when an alarm does not occur when an actual intrusion is carried out.
Topic 7B Technologies and Techniques of Intrusion Detection Now that you are armed with the basics of intrusion detection, let’s build on your new knowledge. The next step is to investigate the technologies and techniques commonly associated with IDSs.
Lesson 7: Designing an Intrusion Detection System
377
The Intrusion Detection Process
promiscuous mode: Normally, an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.
378
Tactical Perimeter Defense
To further define how IDS functions, let’s examine a case with IDS in action. In this example, you will look at a system in an Ethernet network with the sensor running in promiscuous mode, sniffing packets off the local segment. 1. A host creates a network packet. So far, nothing is known other than a packet exists that was sent from a host in the network. 2.
The sensor on the network reads the packet in real time off the network segment. This sensor needs to be placed so it can read the packet.
3.
The detection program in the sensor matches the packet with known signatures of misuse. When a signature is detected, an alert is generated, which is sent to the command console.
4.
The command console receives the alert, and in turn notifies the designated person or group of the detection. (The alert is done via a predefined method, email, pop-up window, page, and so on.)
5.
The response is created in accordance with the programmed response for this matching signature.
6.
The alert is logged for future reference, either locally or in a database.
7.
A summary report is created with the incident detailed.
8.
The alert is viewed with other historical data to determine if there is a pattern of misuse or to indicate a slow attack.
Figure 7-3: A visual example of the IDS process. Figure 7-3 is only one example of the potential process of the IDS. As you progress through this lesson, you will see different processes.
Behavioral Use For the system to generate the correct response in the correct situation, it must be programmed with starting data. The starting data is where misuse is defined (along with alerts and response techniques). If the system is expected to determine misuse, then the individual who programs this data needs to know how the organization defines misuse.
Lesson 7: Designing an Intrusion Detection System
379
A starting point for this process is to determine the network activity that the IDS will attempt to deal with. The following diagrams illustrate the various steps in determining use, both acceptable and unacceptable. Figure 7-4 shows all the uses of a network.
Figure 7-4: All of the uses of the network. In Figure 7-5, you can see that a basic clarification between acceptable and unacceptable use has been made, according to the security policies that are applicable to the usage categories. (Only some of the options that the security policy may cover are included in this example.) The security policy for this organization might include the following: • No users are allowed to telnet to remote hosts.
380
Tactical Perimeter Defense
•
Users can open only the files they are allowed to open.
•
Users can access network printers only in their allocated areas.
•
Users can execute only those applications they have been granted access to use.
Figure 7-5: The dividing line between acceptable and unacceptable use of resources. In order to meet these policy requirements, you must divide network and resource access to acceptable and unacceptable use. At this point, you have categorized resource use to define what is considered acceptable and unacceptable. This is a generalization for the entire network, with the given that there will be exceptions made for specific users. From this diagram, you can see that the dividing line specifies that telnet is unacceptable, as is opening of unauthorized files, trying to execute applications without permission to do so, or attempting to use unauthorized network printers. Once this dividing line has been created, the rules for the IDS can be implemented. This is where the task increases, as the number of signatures of known attacks and intrusions is the limitation. If the company has unique applications, the IDS must be made aware of the corresponding signatures. Remember, an IDS can only do what it is told to do, just like any other component of the network. Although the line in our example is a nice solid line between acceptable and unacceptable, in reality, there are times when the line is not so clear. Crossing over the line is when false signals might be sent, as shown in Figure 7-6. In other words, if something that the policy has identified as acceptable has not been entered into the IDS and therefore is not known as acceptable, the IDS might send an alarm indicating an incident. This is known as a false-positive. Falsepositives take time and energy, and as much as possible, they should be minimized by proper policy making and data entry in the IDS. A false-negative, on the other hand, is more than lost time and energy. In fact, a false-negative does not equate lost time and energy, since no one is aware that the condition happened. In other words, a false-negative is when an incident should cause an alarm, but it does not. This is a serious issue, and those responsible for the IDS of an organization need to be sure that the policies created—and the rules implemented—minimize the opportunities for false-negatives to occur.
Lesson 7: Designing an Intrusion Detection System
381
Figure 7-6: False situations, both positive and negative. Since, in reality, the dividing line is not so clear, it becomes important for the security professional to be aware of the applications running and the current security policies of the organization. The same security professional needs to be made aware of any unusual activity that might take place in the network. For example, if the organization has recently hired 20 new Help Desk users, their trainer might be showing them various options and situations in the network, such as what it looks like to attempt access to unauthorized files, or to attempt to log on as a different user. The security professionals in the network need to know this is happening, so that their response is correct for the situation.
Information Collection and Analysis As you begin to work with the tools available to you, you will need to become comfortable with data collection and analysis. In this section, you will not go into significant detail on the headers and data content—that will be addressed elsewhere. Instead, you will discuss the concepts of data collection and the concepts of data analysis. With all the sources available to work with, an intimidating problem can arise quickly to the security professional working on the IDS of an organization. Some of the many questions that will arise are: • What is to be collected?
382
Tactical Perimeter Defense
•
What data is to be discarded?
•
What is to be identified in the data that is collected?
•
Once I do identify certain things in the data, are they good, bad, or neutral?
We previously defined an intrusion as anything from threats, to theft, to misuse— but now you must define analysis. What actually is analysis? Although there might be many different meanings, in this discussion, you will identify analysis as the concept of organizing and categorizing data according to the security policies present for the network. The analysis must identify the intrusions as previously defined. These intrusions, then, are the actual data collected. They can either be about a user, a node, an IP address, or any other given variable, again meeting the requirements of the policy. In order to begin the analysis process, there must first be an analysis system in place. The analysis system can be as simple as reading a single log file at night, or as complex as multiple IDSs submitting data to an external database for future data mining. Regardless of the scale of the system, there are certain variables that must be met, and all systems have these in common. These are the ability to generate the initial data, categorize the data based on given rules, and process the data once organized. The collection of the data will be identified by the IDS, based on the rule set in place for the policy. This data collection can be either user misuse of resources, actual data theft, denial of service, or any of the types of data you have discussed that might be part of the IDS. Once the data has been collected, it must be organized in a usable format. This categorization can generally be defined by the cause of alarm and filed accordingly. Two general categories that are commonly used are Misuse Of Resources and Threats. It is also common to organize the data by the type of signature present. If the attack was of a known signature, such as a Ping of Death DoS attack, it can be classified as such. By organizing the data using these known signatures, the analysis phase can be a more efficient process, as the data is in the order of attack.
Remember, not all misuse detection is a threat.
TASK 7B-1 Discussing IDS Concepts 1.
What are the differences between misuse and intrusion? Misuse can occur if a user has access to a resource but uses that resource for a purpose not intended by the owner of that resource. However, if a user does not have access to a resource but gains access by subverting the network’s or resource’s security, or by any other devious means, this is considered intrusion.
2.
Describe behavioral use in terms of an IDS. First, categorize all network and resource usage into a set. Then, divide network and resource access into two categories—acceptable and unacceptable use—based on policies that have been agreed to. This is a generalization for the entire network, with the given that there will be exceptions made for specific users. Over a period of time, look for patterns of usage of these resources to build a database of behavioral use. Lesson 7: Designing an Intrusion Detection System
383
Topic 7C Host-based Intrusion Detection Now that the fundamental issues of intrusion detection have been covered, you will examine the actual options for implementation. In this topic, you will detail the host-based IDS. Host-based IDS is where the data that will be analyzed is generated by hosts (computers) in the network. This system has many variables in data collection, since the source is so varied. A host-based system can be collecting data from application logs, such as Web servers. At the same time, it is collecting data from operating system logs. Because the system is host based, it is generally quite good at detecting internal misuse of resources. The event logs of each host can generate data on files accessed, by whom, on what date, and at what time. This provides excellent tracking data of misuse, and in the event of compromise, evidence of the attack.
Host-based IDS Design Host-based IDS uses what are known as agents (also called sensors). These agents are small programs running on the hosts, and they communicate with the command console (remember, this is the central computer controlling the IDS). There are two basic forms of design of the host-based IDS—centralized and distributed. One difference to keep in mind as you go through the steps of each is that centralized design requires the data from the host to be sent to the command console for analysis, and distributed design states that the host will analyze the data in real time and send only alert notifications to the command console.
Centralized Host-based IDS Design As mentioned, a centralized design dictates that the data will be collected by the host and sent over the network to the command console for analysis. Because the data is gathered and sent from the host, there is no significant performance drop on the hosts, or agents. However, there also is no possibility of real-time detection and response.
384
Tactical Perimeter Defense
The following steps highlight the process of centralized design, and are shown in Figure 7-7. 1.
The host detects that an event has happened (such as opening a file, or logging on to a user account). The event is written as an event record. The record is written to a secured file on the host.
2.
At a predefined time, the host sends its records to the command console over the network, using a secured (encrypted) link.
3.
The command console receives the records and submits the data to the detection engine.
4.
The detection engine analyzes the data for known signatures.
5.
The command console generates a log of its work as a data archive.
6.
If an intrusion is detected, the command console generates an alert, and the programmed notification is used.
7.
The security professional receives the notification.
8.
A response to the alert is created. The response used by the console has been previously programmed by the security team for this type of intrusion event.
9.
The alert is stored in a secured database.
10. The data used for generating the alert is archived. 11. The console generates a report of the alert activities. 12. Long-term analysis is used to determine if this alert is part of a bigger intrusion.
Figure 7-7: Centralized host-based IDS example.
Lesson 7: Designing an Intrusion Detection System
385
Distributed Host-based IDS Design The primary difference between centralized and distributed host-based IDS is where the detection engine and analysis take place. In the distributed design, the agents of hosts are the ones that perform the analysis. There is a significant advantage to this method. The intrusion data can be monitored in real time. The flip side to this is that the hosts themselves can experience a performance drop, as their computer is engaged in this work constantly. The following steps highlight the process of distributed design, and are shown in Figure 7-8. 1.
The host detects that an event has happened.
2.
The event is processed in real time in the detection engine, and is analyzed for known signatures.
3.
If an intrusion is detected, a notification is sent. (Some vendors have the host generate the notification; others have the command console generate the notification.)
4.
A response to the intrusion is created. This can be from the host or console.
5.
The alert of the intrusion is created and sent to the console, where it is archived.
6.
Long-term analysis is used to determine if this is part of a bigger intrusion. (The analysis can consist only of alert data, so it might be limited.)
Figure 7-8: Distributed host-based IDS example.
386
Tactical Perimeter Defense
TASK 7C-1 Describing Centralized Host-based Intrusion Detection 1.
Describe where and how data is collected in a centralized host-based IDS. 1.
The host detects that an event has happened. The event is written as an event record. The record is written to a secured file on the host.
2.
At a predefined time, the host sends its records to the command console over the network, using a secured (encrypted) link.
3.
The command console receives the records and submits the data to the detection engine.
4.
The detection engine analyzes the data for known signatures.
5.
The command console generates a log of its work as a data archive.
6.
If an intrusion is detected, the command console generates an alert, and the programmed notification is used.
7.
The security professional receives the notification.
8.
A response to the alert is created. The response used by the console has been programmed by the security team for this type of intrusion event.
9.
The alert is stored in a secured database.
10. The data used for generating the alert is archived. 11. The console generates a report of the alert activities. 12. Long-term analysis is used to determine if this alert is part of a bigger intrusion.
Topic 7D Network-based Intrusion Detection The concepts and implementation of the host-based IDS might lead you to believe that it is the best way to run your IDS. This might not be the case. Although there are advantages to running a host-based system, it does not suit every situation or meet every need. If you require the IDS in your organization to analyze the actual TCP/IP traffic, then network-based IDS is your choice. The IDS in a network-based design is such that it will sniff the packets off the wire. Hardware devices, such as switches and routers, can also be programmed to send this data directly to the IDS. A significant difference between host- and network-based IDS is the actual location of the agents. In host-based IDS, the agents, or sensors, are placed directly on the hosts. In network-based IDS, the source of the detection is often placed so that it can sense the external traffic, or the intrusion attempts from the outside. This allows the network-based system to detect what the host-based normally cannot, such as a DoS.
Lesson 7: Designing an Intrusion Detection System
387
Another example of a difference between these two implementations would be the detection of attempted access to a system by an attacker. Suppose, for a moment, that an attacker breaks into the network and attempts to log in to a host. The host-based system will not report, or have the ability to identify, anything until the actual login request happens. The network-based system will identify the pattern of the request itself, before (ideally) the attacker has successfully logged in.
Network-based IDS Design The physical layout of the network-based IDS is such that sensors are installed in key positions throughout the network, and they all report to the command console. In this case, the sensors are full detection engines that have the ability to sniff the packets, analyze for known signatures, and notify the console with an alert if an intrusion is detected. There are two basic forms of design of network-based IDS: traditional and distributed. The traditional design uses sensors in promiscuous mode, sometimes called network taps. The distributed design employs agents throughout the network to sense network traffic that is destined for the host itself.
Traditional Network-based IDS Design Traditional design of network-based IDS uses sensors in the network. A sensor is a host that is configured to run the IDS software and is usually a stand-alone computer. Further, each specific host (sensor) has a network card (and software) installed that can run in promiscuous mode, to sniff the network traffic. The packets are then fed directly into the detection engine, where analysis can happen. The general theory on sensor placement is that there should be one on each critical segment of the network. The alarms generated are then sent to the command console. This design is depicted in Figure 7-9. The following steps highlight the process of the traditional design: 1. A network packet is sent from one host to another in the network (this can include a packet from the Internet to a firewall).
388
Tactical Perimeter Defense
2.
The packet is pulled off the network in real time by the network sensor, which is generally positioned between the two communicating hosts.
3.
The packet is processed in real time in the detection engine, and is analyzed for known signatures.
4.
If a signature match is detected, an alert is created and forwarded to the command console.
5.
The security professional is notified of the alert.
6.
A response to the alert is created. The response used by the console has been programmed by the security team for this type of intrusion event.
7.
The alert is archived for later analysis, and a report of the incident is created.
8.
Long-term analysis is used to determine if this is part of a bigger intrusion.
Figure 7-9: Traditional network-based IDS example.
Distributed Network-based IDS Design Despite the effectiveness of the traditional design in collecting network packets, it is susceptible to packet loss on network segments. A variation of the traditional design was introduced to address this situation—distributed design. In the distributed design, a sensor is installed on each host in the network, instead of on each segment of the network. The sensors then communicate with each other in the event of an intrusion, and uses the command console as a center of operations, and for alarms. As you might imagine, this type of design has led to much confusion on the distinction between network- and host-based IDS. What you must realize is that the location of the sensor, or agent, is not the determining factor in what type of design is implemented. If the IDS is running on each computer and those computers are analyzing tasks of the operating system, then it is host-based. If the IDS is running on each computer and those computers are analyzing the packets with the Ethernet device, then it is network-based. This is important to remember, specifically when dealing with IDS vendors. Be sure that if you buy a commercial product, you get exactly what you want. The process is depicted in Figure 7-10. The following steps highlight the process of the distributed design: 1. A network packet is sent from one host to another in the network (this can include a packet from the Internet to a firewall). 2.
The packet is pulled off the network in real time by the network sensor, on the individual host.
3.
The packet is processed in real time in the detection engine, and is analyzed for known signatures.
4.
If a signature match is detected, an alert is created and forwarded to the command console.
5.
The security professional is notified of the alert.
6.
A response to the alert is created. The response used by the console has been programmed by the security team for this type of intrusion event.
7.
The alert is archived for later analysis, and a report of the incident is created.
8.
Long-term analysis is used to determine if this is part of a bigger intrusion. Lesson 7: Designing an Intrusion Detection System
389
Figure 7-10: Distributed network-based IDS example.
TASK 7D-1 Discussing Sensor Placement 1.
Is the location of the sensor the determining factor in deciding if the IDS is host-based or network-based? Explain your response. No. If the IDS is running on each computer and those computers are analyzing intrusion attempts on the operating system, then it is host-based. If the IDS is running on each computer and those computers are analyzing the packets with the Ethernet device, then it is network-based.
2.
390
Tactical Perimeter Defense
Describe the process of a traditional network-based IDS. 1. A network packet is sent from one host to another in the network (this can include a packet from the Internet to a firewall). 2.
The packet is pulled off the network in real time by the network sensor, generally positioned between the two communicating hosts.
3.
The packet is processed in real time in the detection engine, and is analyzed for known signatures.
4.
If a signature match is detected, an alert is created and forwarded to the command console.
5.
The security professional is notified of the alert.
6.
A response to the alert is created. The response used by the console has been programmed by the security team for this type of intrusion event.
7.
The alert is archived for later analysis, and a report of the incident is created.
8.
Long-term analysis is used to determine if this is part of a bigger intrusion.
Topic 7E The Analysis In the previous topic, you examined the processes of the different types of IDS implementation. One common point in all of them was the analysis of data once it has been collected. In this topic, you will look into the analysis process itself.
When to Analyze After the agents, or sensors, have been set in place, the timing of analysis must be defined. While this might be part of the architecture chosen, it is worth noting the options and their strong and weak points.
Interval Analysis This method of analysis uses the internal operating system (or other host-based) audit logs to capture the events, and the IDS, at given intervals, analyzes the data in the logs for signatures of intrusion. Using this method of analysis is effective in organizations where the perceived threat is low and the potential loss from a single attack is high, such as a verywell-guarded server that holds the organization’s most secret data. Those running this type of analysis are more concerned with the data collected and accuracy than speed. The data collected in this case is often, if secured properly, used in legal proceedings during criminal prosecution. Another strong point of interval analysis is that there is less of a burden placed on the individual hosts to perform the analysis, since it is not in real time. And, this type of analysis is a benefit to organizations that are not large enough to have a full-time employee or consultant watching for intrusion signatures. On the other hand, there are weaknesses to this type of analysis. An incident is usually not identified until after it has occurred, which presents obvious problems. Because the analysis is in intervals, the ability to notice and respond to an incident quickly—or as it is happening—is close to nonexistent. Additionally, if the hosts that are running the analysis do not have sufficient disk space to hold the events, problems can occur.
Real-time Analysis As an alternative to interval analysis, there is real-time analysis. This involves, as the name implies, data being analyzed for signatures as it is collected. Real-time analysis runs continuously—collecting, analyzing, reporting, and responding (if programmed to do so). Do not misunderstand the term real-time to mean same-time. An event cannot be countered the exact moment it happens. However, the concept behind real time is such that an attack should be dealt with as it is happening, and if the system knows the signature, stop the attack before it can complete and compromise a host.
Lesson 7: Designing an Intrusion Detection System
391
This type of analysis has the ability to respond in real time, via the methods previously discussed (email, pages, and even telephone calls). The real-time nature of this analysis means that security professionals can respond while an attack is underway, and stop it. An additional benefit to real-time analysis is that hosts can be recovered quickly in the event of a compromise, because there is no need to wait for the analysis to find out what has been compromised. However, just as there are benefits, there are weaknesses to this type of analysis. One of the more critical weaknesses might be the extra resources used by the hosts. More memory and processing will be required. Because the systems can be programmed to provide an automated response, this must be planned carefully. Unless you can guarantee the system will analyze the data correctly, and respond as expected, the automatic response needs to be considered cautiously. A response of disconnecting a distribution partner over the Internet due to an error in analysis could be very costly.
How to Analyze You have discussed the methods of when to have the IDS analyze data, but it is just as critical to determine how the analysis is going to happen. Again, this might be part of the architecture of the design, but the individual points must be described.
Signature Analysis The common element that most IDS products have in common is signature analysis. The signature is a known event or pattern of events that correspond to acknowledged or known attacks. These signatures can be very simple to detect, like a flood of ICMP requests to a given server, or much more subtle, like a failed login request on a server three times in a week from an external source. Signature analysis is the process of matching the known attacks against the data collected in the network. If there is a match, then that is a trigger for an intrusion, and an alarm might be the result. Most commercial IDS vendors have a list of known signatures, much like the antivirus industry. The big difference is that the majority of the antivirus companies have lists of over 20,000 known signatures for viruses and Trojan horses, and, these companies can react very quickly, and have the signatures uploaded to webites for users to download. By way of comparison, an IDS might have only a few hundred signatures to use. The users of the IDS are then left to download further signatures when they are available, or analyze the data and create their own signatures.
An Example Signature Although the signatures that an IDS uses can be complex, you can use parts of a signature to illustrate how the analysis works. Suppose that the data displayed in Figure 7-11 is collected by the IDS.
392
Tactical Perimeter Defense
Figure 7-11: An example of data collected by an IDS. If this signature was not in the database of known signatures to the IDS, the security professional running the IDS should still be able to identify the attack. Let’s perform a brief analysis of this data. You can identify that the source address is 172.168.30.23. You would check the IP address to see if there is any historical data regarding this IP address. The IDs are sequential, corresponding to the time of the event. This indicates a very fast event, as all IDs are less than one second apart (event starting at 8:52:52 and ending at 8:52:53). The destination port tells us the source is running a scan to see what hosts have a telnet server running. The scan is a scan of the entire network of IP addresses, 1 through 254. Our brief analysis of this event, then, is: At 8:52:52, the network 192.168.10.0/24 was scanned to see which computers were running telnet servers. The scan concluded at 8:52:53. The likelihood that the source IP address was spoofed is low, because the attacker would need the scan to return data on hosts running telnet. Because none of the computers scanned run telnet, the risk from this event individually, is low. There is no historical data to indicate previous activity from this source IP address. However, it is now recorded that there is intrusion activity from 172.168.30.23, and future attempts will correlate with this data. The previous example illustrates the process of analyzing signatures. The IDS can only detect the signatures it is aware of; other activity will need to be identified by the professionals using the system.
Statistical Analysis A common scientific method, not often implemented in commercial IDS products, but worth discussing, is statistical analysis. The basic concept of statistical analysis is to find a deviation from a known pattern of behavior. Using this method, an IDS would create profiles of user behavior. Examples of the types of behavior might include login times, amount of time on the network, and the amount of bandwidth used.
Lesson 7: Designing an Intrusion Detection System
393
profile: Patterns of a user’s activity which can detect changes in normal routines.
This data is then described as the normal usage of this profile. When an event happens that is not in the normal usage pattern, a possible intrusion is the result. The normal example of this would be login times. If a user has consistently logged in only between 8:30 A.M. and 6:30 P.M. for the last year, if that account tries to login at 2:00 A.M., a possible intrusion is happening, and an alert would be issued.
TASK 7E-1 Discussing Data Analysis 1.
Which type of data analysis is often used as the method of analysis for legal proceedings involving IDSs? Interval analysis.
Topic 7F How to Use an IDS In this topic, you will be introduced to the different methodologies of intrusion detection. While there are no methods set in stone, this topic attempts to outline several examples for you to use in the future. These detailed intrusion examples include DoS, network sweeps, and internal misuse of resources.
Detection of Outside Threats One of the issues of ever-increasing trouble for networks is Denial of Service attacks. When attackers choose to block service without attempting network penetration, it can be a difficult problem to solve. penetration: The successful unauthorized access to an automated system.
Imagine the following scenario: It is 4:40 P.M. on Friday. You are about to go home and enjoy the weekend. You hear your incoming mail sound, and look at the new message. Incoming ICMP packets, lots of them. You are not going home after all. You begin your investigation. It seems the ICMP packets have been detected as a Denial of Service attack. You have seen this before, and are familiar with the signs. As you investigate further, you realize it is more than a simple ping attack. It seems to be a Distributed Denial of Service. The IDS is alarming with signs of attack from 101 distinct IP addresses. You continue to dig, as you read the log files, and it turns out although there are 101 addresses listed, they all register to the same local ISP. By now, you’re thinking, “I hope Saturday afternoon will be nice.” The pings pause for a minute. Unusual, you think. It is almost like the attacker did not enter enough packets to maintain the high DDoS attack. About 10 minutes later, it starts again. You have been on the phone this entire time with your ISP trying to get them to block ICMP requests.
394
Tactical Perimeter Defense
Back to the log files, where you see the attacks coming from the same group of nodes. The attacker must have re-entered the script, perhaps this time with a higher count. Now, your ISP is noticing, and they indicate they will open a ticket to investigate. Back to the log files, where further investigation confirms the IP addresses used are all in the same block from the same local ISP. You get on the phone to the local ISP. They are helpful and willing to work with you to locate the offending IP addresses. They confirm that those addresses are all in their range. Since the local ISP is only a few miles away, and the IP addresses in question are all local, you are thinking the attacker must have targeted your network on purpose, and you are not the victim of a random DDoS. On the other hand, your organization has not lost a verifiable amount of money over the attack so far, so FBI involvement will probably not be needed. The local ISP administrator is helpful and works with you on helping to locate a source. The pings stop again. Even though they went longer this time, they still stopped. Again, there is a pause in the action for a while, and it picks up again. Back to the log files. Again, you find 101 addresses in the attack. The local ISP administrator calls to tell you there is no new news yet. Into the night, you decide to leave and come back in the morning. Returning in the morning, you turn to the log files. The log files indicate that the attacks continued throughout the night, 101 addresses every time, yet each attack running only for 10 minutes. You dump the logs into a database for analysis, and you decide to see which addresses were involved in each attack. This turns out to be the break you were looking for. In the data logs, it turned out that only three IP addresses were involved in every attack. Working with the local ISP, you identify that two of the addresses are dial-up accounts and rarely on. The third is a DSL user who is always connected. You suspect this user is the culprit. Although the local ISP will not reveal the identity of the user to you, they had helped you as much as you could hope for. Now, you are onto internal research. You begin by combing through the current employee list and checking for home email addresses. The company is not all that large, so it is an easy task. You view the list from top to bottom and find nothing. Next, you decide to go through the list of past employees, starting with people who were let go or who resigned in the last six months. This is a much smaller list, only 17 names. There it is—in black and white. There is one ex-employee who was fired only a month ago. The home email address does indeed come from the same local ISP. You pull out a saved email from the archive and check the headers. Sure enough, the IP address matches. You are hot on the trail of the attacker and have enough evidence to go to the next level. Now, imagine this scenario without the IDS running. What would the situation be in this case? The network would seem slower, but it would take time to isolate where it is slowing down. Without IDS, you would not have the head start, you would not have logging of the IP addresses, and you might have a hard time tracking down not only the cause, but you would have a hard time deciding on a response and solution.
Lesson 7: Designing an Intrusion Detection System
395
Detection of Inside Threats Let’s now look at an example of how IDS can work to detect inside threats. This is one of the difficult areas of security. Because these users already have some level of access to the network, dealing with inside threats can be more complex than outside. A reason that this is a difficult area of security is the term threat. In this case, a threat is not always someone stealing data, more the inappropriate use of company resources. So, for this example, you will look at a user who is misusing resources, not attempting data thievery. At 11:30 A.M. on a Tuesday, you are notified that two of the color laser printers are running out of toner every Monday. Because the company has laser printers all over the office and only a few people are granted permission to each printer, this is unusual. It should be several months before the printers need refilling. However, every Monday two of them are nearly out and end up getting refilled. You are investigating to find out the culprit, but cannot find anything right away. You add the IP address of the laser printers to the IDS to track who is sending what to the printers, and when. Every night, you check the logs and find nothing out of the ordinary. By Friday night, you are wondering if perhaps the printer is malfunctioning. You remotely connect into the network over the weekend and check the logs on Saturday night. Still, you find nothing. Sunday night, around 11:30 P.M., you remotely connect into the network again to check the logs. Again, there is nothing to report as unusual. You go to bed, wondering what the situation will be like in the morning. When you get to work on Monday, you are pulled into a meeting that lasts until 1:00 P.M. When you finally get out of the meeting, you see a note on your monitor that states, “Yes, we just had to replace the toner again. What did you find?” You get on the network and head right to the log files. Finally, there it is. There is an enormous print job sent at 7:00 A.M. It took over two hours to finish printing. You quickly identify the IP address and host name of the computer that sent the data. You inform the network administrators of what you found, and the two of you take a walk. When you get to the cube of the worker who used that computer, you can see the evidence quite clearly. All over the walls are glossy printed photographs; they are 11x17 full color photographs. Stacks of 11x17 photos are on the desk. After a conversation, you find out that this employee has taken up digital photography as a new hobby. And, every weekend this employee shoots hundreds of pictures, only to come in to work first thing in the morning, and print out as many as possible. (“Until the colors are not as crisp and bright on the printout, and then I stop,” you are told.) This is a classic example of resource misuse, which can be identified with the IDS in place. Without the IDS, this task is much more complex, and perhaps someone would be asked to physically watch the printer for use in this fashion.
396
Tactical Perimeter Defense
Anticipation of Attack Monitoring One of the standard attack sequences for hackers just starting out is the ping sweep for live hosts. Not complex, or difficult, but worth noting in any event. The ping sweep simply pings a given range of IP addresses. The nodes that respond are active, and might be potential targets. Virtually all IDS systems will pick up and notify on ping sweeps. This type of traffic can lead to nothing, or it could be the early attempt to map the network for further attacks. The IDS will recognize the signature of sequential ping packets in rapid succession, and an alarm will sound. By recognizing a ping sweep, the organization can decide their proper response. Perhaps they respond with a message to the ISP that holds the IP address, or perhaps they simply monitor for further traffic from that IP address. In any case, the ability to choose a course of action exists due to the presence and function of the IDS.
Surveillance Monitoring When there has been some indication of either a threat of a break-in, resource misuse, or some other unauthorized activity, the IDS can be used in a mode of surveillance. At first glance, this might seem to be the entire function of the IDS in the first place. However, in this particular area, the reference is to more of an increased level of awareness. Beyond the normal day-to-day monitoring that happens, this is when a threat has been identified. Take the following situation as an example: A company has had the same seniorlevel network administrator for five years. Recently, this administrator was found to be working part-time for another company. Because this person was at a senior level and had an exclusive contract, he had to be let go. The release was not a pleasant one, but no threats or poor language was used towards either party. This situation would, however, be cause to put the IDS into a surveillance mode, with the specific goals being to monitor traffic that could be coming from the released employee. The task of detecting an ex-employee can be difficult (even more so if it is a technical person) because this person is aware of the internals of the network. Nonetheless, this situation would require an IDS on a higher alert.
TASK 7F-1 Discussing Intrusion Detection Uses 1.
Describe how an IDS can be used to detect an outside threat. Answers will vary, but may include: To identify attack signatures that are originating from IP addresses other than your internal private range.
Lesson 7: Designing an Intrusion Detection System
397
Topic 7G What an IDS Cannot Do Throughout this lesson, you have identified and discussed the abilities of IDSs. As good as they are, and as helpful to the security of the network as they are, they do have limitations. An IDS can only do what it is designed to do—do not expect more from it. In this topic, you will examine some of the things an IDS cannot do.
Provide the Magic Solution Although some IDS vendors might try to convince you of this, an IDS is not a magic solution. It does not have the ability to bring the security of your network to perfection. An IDS cannot, and should not, be expected to suddenly notice every single event that you might consider to be an intrusion or misuse. It can perform only as it is programmed. If a new type of intrusion is created today, the IDS cannot magically be configured to know this signature by this afternoon. Relying on the IDS to an extreme can create security professionals that get complacent and miss new or unusual intrusions when they occur. Your skill and knowledge as a security professional must remain at the highest level, regardless of the equipment in the organization.
Manage Hardware Failures
crash: A sudden, usually drastic failure of a computer system.
This might seem like an obvious point, but let’s define it a bit further. If a new attack comes into your network, suddenly hits your 1,000 Linux Workstations (all nodes), and they all crash, there are no nodes available to inform the IDS of an intrusion. Yes, the IDS (if on a different platform) might still be on, and you might get a page that states, “All of your Linux computers are gone,” but you cannot expect the IDS to manage any of those failures. The IDS might inform you that the event happened, but don’t expect more.
Investigate an Attack
SYN flood: When the SYN queue is flooded, no new connection can be opened.
398
Tactical Perimeter Defense
There are options for what an IDS can do to respond to an attack. But responding is not the same as investigating. An IDS cannot notice a SYN flood coming from the same IP address, and follow up on it. The IDS will inform you of the SYN flood, and it will be up to you to follow up. The IDS will provide the data for the investigation, but do not expect the IDS to perform any of the investigation itself. Although, if that day ever comes, there will be some interesting ramifications of it. Imagine your IDS paging you to state, “You had a SYN flood at 2 A.M. I traced the IP address, sent a message to their ISP, and had the attacker arrested. Have a nice day!”
100 Percent Analysis Once the data has been collected by the IDS, then some serious investigation must happen. There must be a way of analyzing all the collected data. Because most organizations do not have a full-time (24 hours a day, 7 days a week) human monitoring the IDS statistics, analysis of the data is required. To expect the IDS to perform a perfect 100 percent analysis on the data is unrealistic, as the amount of data would be too high. The computers running the analysis would not be able to keep up with that high volume of traffic. To say to the IDS, “Here is all the data collected in the last week, tell me everything that happened,” and think you can then sit back and watch for the results of the analysis is also unrealistic.
TASK 7G-1 Discussing Incident Investigation 1.
Describe why an IDS cannot investigate an intrusion attempt. The IDS is able to identify an attack, even in real time; however, it cannot investigate the attack. It might be able to respond, by closing ports, or paging the security professional. There is no mechanism in modern IDS systems for tracking down IP addresses, contacting the correct ISP, or explaining an intrusion attempt to the FBI.
Summary In this lesson, you were introduced to the concepts and technologies of IDSs. You examined the differences between using host-based and networkbased IDSs, and how each of them can be implemented. You examined the types of data analysis. You identified multiple scenarios of an IDS in use, and how each one presents a different situation to the IDS. Finally, you examined the situations an IDS cannot help with, and the tasks an IDS cannot perform.
Lesson Review 7A What are the major components of an IDS? Prevention, detection, and response. What is one reason you need to be careful with the response of the IDS? You have to exercise caution in determining the level of response to incidents, since aggressive or offensive responses may open up the organization to serious legal issues.
Lesson 7: Designing an Intrusion Detection System
399
What’s worse: a false-negative or a true-positive? A false-negative, as it signifies that an alarm was not generated when a condition should have been alerted.
7B Describe how an Ethernet host, running in promiscuous mode as an IDS, sniffs packets off the local segment. 1. A host creates a network packet. So far, nothing is known other than a packet exists that was sent from a host in the network. 2. The IDS host reads the packet in real time off the network segment. 3. The detection program in the sensor matches the packet with known signatures of misuse. When a signature is detected, an alert is generated and sent to the command console. 4. The command console receives the alert and notifies the designated person or group of the detection. 5. The response is created in accordance with the programmed response for this matching signature. 6. The alert is logged for future reference. 7. A summary report is created. 8. The alert is viewed with other historical data to determine if there is a pattern of misuse or to indicate a slow attack. 7C Describe the general process of host-based IDS. Host-based IDS uses what are known as agents (also called sensors), which are small programs running on the hosts that are programmed to detect intrusions upon the host. They communicate with the command console. What are the different designs of host-based IDS? Centralized and distributed. Describe the advantages and disadvantages of each design of host-based IDS. In centralized design, the data is gathered and sent from the host to a centralized location. There is no significant performance drop on the hosts because the agents simply gather information and send it elsewhere for analysis. However, due to the nature of the design, there is no possibility of real-time detection and response. In distributed design, the agents of the hosts are the ones that perform the analysis. There is a significant advantage to this method. The intrusion data can be monitored in real time. The flip side to this is that the hosts themselves can experience a bit of a performance drop as their computer is engaged in this work constantly.
7D Describe the general process of network-based IDS. In network-based IDS, sensors are installed in key positions throughout the network, and they all report to the command console. The sensors are full detection engines that have the ability to sniff network packets, analyze for known signatures, and notify the console with an alert if an intrusion is detected.
400
Tactical Perimeter Defense
What are the differences between host-based and network-based IDS? Host-based IDS is designed to detect intrusions on a host, whether the attempt to intrude comes through a network interface or the keyboard. Network-based IDS is designed to detect intrusions in a network by analyzing network traffıc, regardless of any specific host. What are the different designs of network-based IDS? Traditional and distributed. Describe the advantages of each design of network-based IDS. In the traditional design of network-based IDS, sensors are used in the network where a sensor is a host that is configured to run the IDS software. This is usually a stand-alone computer. Each sensor runs in promiscuous mode. Packets are then fed directly into the detection engine for analysis. In general, there should be one sensor in each critical segment of the network. Any alarms that are generated are sent to the command console. In the distributed design of network-based IDS, a sensor is installed on each host in the network, instead of on each segment of the network. The sensors then communicate with each other in the event of an intrusion, and use the command console as a center of operations, and for alarms. This provides the opportunity to detect packets that might otherwise have been lost or missed by the traditional design IDS.
7E What is the difference between interval and real-time analysis? In interval analysis, the operating system (or other host-based) audit logs are used to capture the events, and the IDS, at given intervals, analyzes the data in the logs for signatures of intrusion. With real-time analysis, data is analyzed for intrusion signatures as it is collected. What is the difference between statistical and signature analysis? In signature analysis, known attack signatures are compared against data collected in the network. A match results in a trigger for an intrusion, and an alarm might follow. Statistical analysis attempts to find deviations from known patterns of behavior. Using this method, an IDS would create profiles of user behavior. This data is then described as the normal usage for this profile. When an event happens that deviates from the normal usage pattern, it could mean a possible intrusion.
7F Describe the process of detecting internal misuse. Most internal threats are network or resource misuse. This is one of the diffıcult areas of security. Since the users already have some level of access to the network, dealing with inside threats can be quite a bit more complex than outside. A reason that this is a diffıcult area of security is that the threat does not always result in someone stealing data, more the inappropriate use of company resources. Detecting internal misuse might require auditing of network resources such as file and print servers, and so on.
Lesson 7: Designing an Intrusion Detection System
401
Describe the difference between surveillance and normal IDS operation. When there has been some indication of either a threat of break-in, resource misuse, or some other unauthorized activity, the IDS can be used in surveillance mode. While this might seem to be the entire function of the IDS in the first place, the reference is to more of an increased level of awareness versus normal mode of operation.
7G What is the reason an IDS cannot manage hardware failures? The IDS might be able only to inform you that an event happened. If the response is not programmed to thwart the attack and if the attack results in the shutting down of the system running the IDS, then obviously future attacks cannot be analyzed as well. What is the reason an IDS cannot provide 100 percent analysis? While it might be mathematically possible to gather 100 percent of the network traffıc and 100 percent of host-based activity, it is unrealistic to expect the computer to process all of it.
402
Tactical Perimeter Defense
Configuring an IDS
LESSON
8 Overview In this lesson, you will implement IDS. There are many different types of IDSes, and for this lesson, you will use perhaps the most famous free IDS tool—Snort. Snort is a tool that is designed to monitor TCP/IP networks, looking for suspicious traffic and direct network attacks. It enables system administrators to collect enough data to make informed decisions on the best course of action in the event that an intrusion is detected.
Objectives
Data Files Snort_2_6_1_2_Installer Rules directory mysql-essential-5.0.27win32 adodb493a.tgz base-1.2.7.tar.gz Lesson Time 6 hours
To configure IDSs, you will: 8A
Describe how Snort works as an IDS. You will describe how Snort works as an IDS, including the pros and cons of implementation in a production network environment.
8B
Install Snort on a stand-alone computer. Given a computer running Windows in a networked environment, you will install the Snort intrusion detection application.
8C
Describe the rules used in Snort. On a computer running Snort, you will create and test a ruleset to check the effectiveness of the installation.
8D
Configure Snort IDS to use a MySQL database. Given a computer running Windows, you will install MySQL and configure Snort to send alert data to the database.
8E
Configure a full IDS on Linux. Given a computer running SuSe Linux, you will configure Snort, MySQL, and the BASE Console to view alerts.
Lesson 8: Configuring an IDS
403
Topic 8A Snort Foundations In the world of intrusion detection tools, administrators and analysts have many choices. One of the choices is cost. Another critical choice is speed of response to new types of incidents, such as Code Red and the quick follow-up of Code Red II. It is in this conversation that an open-source tool such as Snort really shines. This tool and the associated applications that go along with it can be found at www.snort.org. •
The cost issue should be obvious to everyone, and free can’t be beat! When commercial IDS products can be a few thousand dollars on the low end and over a hundred thousand dollars towards the high end, free is clearly a driving force for some.
•
The other primary benefit is the fact that the open-source format allows for fast modifications. The rules that Snort uses to make decisions can be made by anyone and then posted to the web. If a new threat is identified in the morning, an administrator can create a new rule and post it by that afternoon. The Snort community can then analyze the rule, and when it is determined to be correct, the rule can be downloaded and implemented. A threat can be minimized the very day it is announced. This is a significant benefit.
Snort Deployment Snort can be deployed on just about any host on the network. The actual Snort program is very small and does not use enough resources to cause any significant issues with the base operating system. It is possible to install and configure Snort and let it run for days with no intervention from the administrator. At a later date, the administrator can view and analyze the data collected. Although Snort can be installed on almost any host in the network, the choice for placement is important. Snort uses an interface in promiscuous mode (meaning that it captures all the packets seen by the NIC), and one installation of Snort per collision domain might be sufficient. It can also be a benefit to have an IDS placed just inside and just outside of the firewall. This way, you can identify the attacks that are blocked by the firewall, not just those internal threats.
sniffer: A program to capture data across a computer network. Used by hackers to capture user ID names and passwords. Software tool that audits and identifies network traffic packets. Is also used legitimately by network operations and maintenance personnel to troubleshoot network problems.
404
Tactical Perimeter Defense
The interface that is in promiscuous mode is acting as a sniffer, capturing all the network traffic that the NIC sees. If your network is switched, make sure that you have at least one host running Snort on each segment. The host itself need not be an overly powerful machine; however, it is advisable that sufficient disk space be available to store data and that the processor be able to keep up with analysis of the packets.
How Snort Works Snort functions as a network sniffer and logger that can be implemented as a network-based IDS. (Snort is not a host-based IDS.) Snort uses crafted rules, which are matched against the packets as they are captured. If the rule matches, the user-defined action in the rule is executed.
Limitations on what the rules can check for are limited by the administrator’s imagination and the fact that Snort can only identify TCP, UDP, IP, and ICMP. There is currently no support for routing protocols. The types of rules that can be created are therefore quite varied. Examples are buffer overflows, port scanning, network mapping, SMB probes, NetBIOS scans, and so on. The way that Snort is able to use such flexible rules is due to the way Snort functions. Snort can look inside a packet and examine its contents. Snort is not limited to an examination of headers only. This function is called payload inspection. It is due to this payload inspection that Snort can achieve such flexible rules.
Snort Fundamentals Snort has four main pieces that combine to provide you with solid IDS functionality. The first is the actual packet capture piece, utilizing LibPcap or WinPcap, where raw packets are pulled off the wire. The second is the preprocessor where packets are examined prior to handoff to the actual detection engine. The third is the actual detection engine. This is where your Snort rules are in action, with the detection engine looking at the parts of the packets, as you have defined. Last is the Output piece. If the packet is run through the detection engine and an alert is generated, or if logging is defined, the Output piece is where that takes place. The main file that contains the core Snort configuration is called snort.conf. This file has several primary parts, some of which you will not make any adjustments to in this course. Note: If you wish to go into great depth with Snort, you are recommended to start with the official documentation found at www.snort.org. The primary parts to the snort.conf file are: • Variables •
Preprocessors
•
Output Plug-ins
•
Rulesets
There are many variables used in Snort, which then can be referenced later. Some common variables are var HOME_NET, which is used to define your local network, and var EXTERNAL_NET, which is used to define your external network. Preprocessors are filters used by Snort to perform actions on a packet prior to full Snort engine. This is useful for speeding up Snort, when preprocessing can exclude a packet before Snort rules are required to look “inside” the payload to perform content and other matching. Output plug-ins are used by Snort to determine alerting and logging features and what format to use when Snort is going to dump collected data. You will define the location of the rulesets that you wish to use in the snort.conf file. Although you could write rules into this file, that practice is not encouraged. By writing individual rule files, you are able to maintain better control over your configuration. You define the location of the ruleset in the snort.conf file, and then the individual rules you require are located in that separate ruleset file.
Lesson 8: Configuring an IDS
405
Prior to running tasks on Snort, you will need to perform some initial configurations. The first thing to alter is called the Home Network. This line tells Snort what your network’s IP configuration is, so that Snort will only sniff traffic on your network, versus all traffic. If you wish to sniff all traffic, you may use a home network of any. In this classroom, there are two student networks; the LEFT side uses the 172.16. 10.0/24 network and the RIGHT side uses the 172.18.10.0/24 network. If your system is part of the LEFT network, you will configure Snort to use this line: var HOME_NET 172.16.10.0/24. If your system is part of the RIGHT network, you will configure Snort to use this line: var HOME_NET 172.18.10.0/24. Snort runs on both Linux and Windows platforms, and for this lesson, the tasks are run on a Windows system. There are other Snort configuration lines that require editing because you are running on a Windows system. Two of these other lines are: include classification.config include reference.config These need to be changed to define the full Snort path on your system. You will need to change these lines to read as follows: include C:\Snort\etc\classification.config include C:\Snort\etc\reference.config
Topic 8B Snort Installation Another benefit of Snort might be its ease of installation. The overall process of installation takes only a few minutes. A few more minutes of configuration, and Snort is up and running.
For tips on loading Snort on Windows machines, visit www.silicondefense.com.
406
Tactical Perimeter Defense
In this section, you will be installing Snort on a Windows computer, and then later in the lesson, you will perform a full installation on SuSe Linux. You will require two things for the installation on Windows: • LibPcap for Windows. You will use a packet capture driver called WinPcap for this function. (Further WinPcap information is available from the Computer Network and Network Intelligence Group of Politecnico di Torino.) This simple, self-extracting executable file can be found at www.snort.org or in other Internet archives. •
The Snort application file itself. This is an executable file that can also be found at www.snort.org.
TASK 8B-1 Installing Snort 1.
If required (you should have installed WinPcap earlier in the course), run the WinPcap installation file to install the Windows version of the LibPcap driver. Note that the filename is WinPcap_4_0.exe.
2.
From the C:\Tools\Lesson8 folder, double-click the Snort installer file. The full filename is Snort_2_6_1_2_Installer.exe.
3.
Read the License Agreement, and if you agree, click the I Agree button to continue the installation.
4.
Keep the I Do Not Plan To Log To A Database radio button selected and click Next. Note that later in the lesson you will work with a MySQL database.
5.
Keep all the default selected components checked, and click Next.
6.
Accept the default install location, and click Next.
7.
When the install is complete, click Close to exit the Setup program.
8.
In the successful install window, click OK. If you get a pop-up about WinPcap, click OK.
9.
Open My Computer, and navigate to the C:\Snort folder. Note the directory structure that was created during the install: • C:\Snort\bin •
C:\Snort\contrib
•
C:\Snort\doc
•
C:\Snort\etc
•
C:\Snort\lib
•
C:\Snort\log
•
C:\Snort\rules
•
C:\Snort\schemas
It is a good idea for the students to save current versions of their snort.conf file during this lesson. If an error occurs, they only have to go back the last known good file.
10. In the C:\Snort\bin folder, create a folder named log (this will have a path of C:\Snort\bin\log). 11. In the C:\Snort\log folder (note this is not the folder created in Step 10), create a file named alert.ids and click Yes to accept that you are going to change the file name extension. You will need this file later in the lesson. 12. Choose Start→Administrative Tools→Services. 13. Scroll to the Messenger service. 14. Right-click the Messenger service and choose Properties. 15. Change the Startup type to Automatic.
Lesson 8: Configuring an IDS
407
16. Click Apply. 17. Click Start. 18. Click OK. 19. Close the Services window.
Common Snort Commands When running Snort, there are some common switches and commands you should be aware of. In this course, you will not use all of these, but will use the most common ones. These switches include: • -v.: This is the basic command, putting Snort in packet sniffing mode. •
-d: This is the command to display IP, TCP, ICMP, and UDP headers.
•
-e: This is the command to display the packet data along with the headers.
•
-l: This is the command to enable logging. After the -l command, you must define the location of the logs.
•
-c: This command is what essentially turns on the IDS of Snort, versus running it as a packet sniffer. After the -c command, you must define the location of the rules file that Snort is to use for IDS functions.
•
-W: This command will list the network interfaces that are available to Snort.
•
-iX: This command will tell Snort which network interface to use when you replace the X variable with the number of the network interface.
TASK 8B-2 Initial Snort Configuration When editing Snort lines, be sure you edit the actual lines used, not the lines that are designated with a # comment.
408
Tactical Perimeter Defense
1.
Open My Computer and navigate to the C:\Snort\etc folder.
2.
Right-click the snort.conf file, and choose Copy.
3.
Right-click in the C:\Snort\etc folder and choose Paste.
4.
Rename the copy of snort.conf file as snort.conf.bak. (Click Yes, if you receive a Rename warning prompt.) In the event that you run into difficulty with your snort.conf file, you will have this file as a backup.
5.
Double-click the original snort.conf file.
6.
Select the Select The Program From A List radio button and click OK.
7.
Select WordPad as the program to use and click OK. You may leave the check box checked to always use this program to open this file type.
8.
9.
Scroll down to var HOME_NET any and replace “any” with your home network. •
If you are in the LEFT network, use: var HOME_NET 172.16.0.0/16
•
If you are in the RIGHT network, use: var HOME_NET 172.18.0.0/16
Search for the variable var EXTERNAL_NET any and change it to read var EXTERNAL_NET !$HOME_NET
10. Search for the variable include classification.config and change it to read include C:\Snort\etc\classification.config 11. Search for the variable include reference.config and change it to read include C:\Snort\etc\reference.config 12. Search for the variable var RULE_PATH ../rules and change it to read var RULE_PATH C:\Snort\rules 13. Change # include threshold.conf to read include C:\Snort\etc\threshold.conf 14. There are two other lines where you must replace the default line to a specific Windows path. The following two steps show the before and after of these two configuration lines. 15. Change dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ to read dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor 16. Change dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so to read dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll 17. Once you have made these changes, save and close the snort.conf file. 18. Open two command prompts. One will be used to run Snort and the other to run ping commands. 19. At one of the command prompts, navigate to the C:\Snort\bin folder, and enter snort -W You will see a list of available adapters on which you could install the sensor. The adapters are numbered 1, 2, 3, and so forth. In this lesson, you will be using the NIC. Write the number associated to that adapter here: _______ 20. At the C:\Snort\bin prompt, enter snort -v -iX where X is the number of the NIC that you recorded in the previous step. 21. Switch to your other open command prompt, and ping any other computer in the network. When the ping is complete, switch back to the command prompt that is running Snort. Lesson 8: Configuring an IDS
409
22. In the Snort command prompt, press Ctrl+C to stop Snort. 23. Review the summary information, noting the packets that Snort captured in this test. 24. Close all open windows.
Using Snort as a Packet Sniffer
packet sniffer: A device or program that monitors the data traveling between computers on a network.
In our first example of working with Snort, you will use it for packet sniffıng. Using a command prompt, you will capture headers. This can produce a lot of information quickly, so make sure that you change the buffer size of the command prompt to a very high value; even 5000 or more is fine. An example of packet sniffing by Snort is shown in Figure 8-1.
Figure 8-1: An example of Snort being turned on as a packet sniffer.
About the Tasks For many of the activities in this topic, you will work in pairs. Each student computer should have two command prompt windows open: one for running Snort commands and the other for running pings and other network commands. Your instructor will designate one student in each pair to act as Host One; the other will be Host Two. Remember which is which, and only perform those steps that apply to your specific machine.
410
Tactical Perimeter Defense
TASK 8B-3 Capturing Packets with Snort Setup: Snort has been installed and tested, and your instructor has designated you as Host One or Host Two. Note: Perform the following step on all student computers. 1.
Open two command prompts.
Note: Perform the following step only if you are designated as Host One. 2.
Change to the c:\snort\bin directory. Enter snort -v -ix (remember to use the adapter number in place of the x). The -v switch prints the headers on the screen.
Note: Perform the following step only if you are designated as Host Two. 3.
As soon as Host One has pressed Enter, ping Host One by its IP address.
Note: Perform the following step only if you are designated as Host One. 4.
As soon as the ping is completed, press Ctrl+C to stop the packet capture. Leave the used windows open, and switch to the unused command prompt.
Note: Perform the following step only if you are designated as Host Two. 5.
Switch to the unused command prompt. Change to the c:\snort\bin directory. Enter snort -v -ix (remember to use the adapter number in place of the x).
Note: Perform the following step only if you are designated as Host One. 6.
As soon as Host Two has pressed Enter, ping Host Two by its IP address.
Note: Perform the following step only if you are designated as Host Two. 7.
As soon as the ping is completed, press Ctrl+C to stop the packet capture.
Note: Perform the following step on all student computers. 8.
Minimize the command prompt window used for pinging, and focus on the window in which Snort was running. Browse the file, and try to identify the ping packets sent between Host One and Host Two.
Packet Data Capture When Snort is first stopped, it lists some statistics about the capturing session that just ended. This statistical analysis is for a quick overview of the kinds of traffic that were captured, and it looks like Figure 8-2. Lesson 8: Configuring an IDS
411
Figure 8-2: An example of the statistics after a packet capture has completed. In this example, no packets were dropped, and the vast majority of packets captured were TCP. This screenshot was generated on a Windows 2000 computer, after running for about 20 seconds in a controlled environment. Figure 8-3 shows a portion of the packet headers that were captured, specifically the ping packets. This is what the goal of the previous exercise was—to identify the ping packets. From this screenshot, you can identify that the ping initiated from host 10.0.10.115 and was sent to 10.0.10.213. You should be able to see that the packets were correctly identified as ICMP, and the ID numbers are going up as expected: 2635 on the first request shown, 2636 on the second, and so on. The reply packets also follow the ICMP rules: ID 53820 followed by 53821. The sequence numbers are also correct, again incrementing by one, as expected.
412
Tactical Perimeter Defense
Figure 8-3: An example of a ping sequence between two hosts captured by Snort. Although the capture of header information is an excellent way to craft the IDS for an organization, more might be required, such as examining the contents of packets and determining if the content matches any rule. If this is the case, then another switch is needed to see the packet data in Snort. The switch to add is the -d switch.
TASK 8B-4 Capturing Packet Data with Snort Note: Perform the following step only if you are designated as Host One. 1.
If necessary, change to the directory where you installed Snort. Remember, the directory is c:\snort\bin. Enter snort -ix -v -d. Using the -d switch enables you to see the packet data in Snort.
Note: Perform the following step only if you are designated as Host Two. 2.
Don’t forget, the x in the switch -ix is the number of your network interface.
As soon as Host One has pressed Enter, ping Host One by its IP address.
Note: Perform the following step only if you are designated as Host One. 3.
As soon as the ping is completed, press Ctrl+C to stop the packet capture. Leave this window open, and switch to the other command prompt.
Note: Perform the following step only if you are designated as Host Two. 4.
Switch to the other command prompt. If necessary, change to the directory where you installed Snort. Enter snort -ix -v -d. Lesson 8: Configuring an IDS
413
Note: Perform the following step only if you are designated as Host One. 5.
As soon as Host Two has pressed Enter, ping Host Two by its IP address.
Note: Perform the following step only if you are designated as Host Two. 6.
As soon as the ping is completed, press Ctrl+C to stop the packet capture.
Note: Perform the following step on all student computers. 7.
Minimize the command prompt that you used for pinging, and focus on the window in which Snort was running. Browse the file, and try to identify the ping packets sent between Host One and Host Two. Because the contents of the packet are captured this time, the screen looks different. You should still be able to identify the ping sequence, though. The difference that should be obvious is the payload data itself. Because the data is ping, the payload is filled with padding—in this case, letters from the English alphabet. In both command prompt windows, use the cls command to clear the screen and prepare for the next task.
Logging with Snort Using packet capture enables the security professional to gather data to look for misuse of resources and network intrusions. However, it is impractical to expect anyone to watch the screen for intrusions, not to mention that the speed at which the packets are captured is quite fast (as you might have already seen). It is much more logical to record these packets to the hard drive for future analysis. The process is pretty simple—provide a log directory and tell Snort to perform logging. If you start the Snort program, telling it to log, and there is no such directory, Snort will exit with an error. Snort is designed to create a folder hierarchy of the packets it captures. The folder structure in the log directory uses IP addresses for simple searching at a later time.
TASK 8B-5 Logging with Snort Setup: Two clean command prompt windows are open. Note: Perform the following step only if you are designated as Host One. 1.
If necessary, change to the directory where you installed Snort. Enter snort -ix -dev -l \snort\log to start Snort and instruct it to record headers and data in the \snort\log folder.
Note: Perform the following step only if you are designated as Host Two.
414
Tactical Perimeter Defense
2.
Ping Host One by its IP address.
Note: Perform the following step only if you are designated as Host One. 3.
Switch to the other prompt, and ping Host Two by its IP address.
Note: Perform the following step only if you are designated as Host Two. 4.
Change to the directory where you installed Snort, and enter snort -ix -dev -l \snort\log to start Snort and instruct it to record headers and data in the \snort\log folder.
Note: Perform the following step only if you are designated as Host One. 5.
Ping Host Two by its IP address.
Note: Perform the following step only if you are designated as Host Two. 6.
Ping Host One by its IP address.
Note: Perform the rest of this task on all student computers. 7.
Press Ctrl+C to stop Snort.
8.
Start Windows Explorer, and navigate to the snort\log folder.
9.
Locate your log file, it will have a name such as snort.log.116850130.
10. Choose Start→All Programs→Wireshark→Wireshark. 11. Choose File→Open. 12. Navigate to your new log file and click Open. 13. Review the packet capture, and compare what was captured with the ping commands you sent between you and your partner. 14. Close all windows.
Topic 8C Snort as an IDS Up to this point, you have been using Snort to capture packets and then examining the contents of those packets. Although this can be quite useful, it is not a practical way to deploy an IDS. An IDS needs rules to follow and a way to alert the administrator when a rule is matched. In this topic, you will take Snort to the next level: IDS.
Lesson 8: Configuring an IDS
415
It’s All in the Rules As stated earlier, Snort uses rules to match for signatures of misuse. These rules can be created or modified for use as they come in the application. You will look at both scenarios. An example of the syntax to use Snort as an IDS is as follows: %systemroot%\snort\snort -dev -l \snort\log -c snort.conf
In this example, the new addition to the line is the -c switch, followed by the snort.conf file. As you might remember, the snort.conf file is used to define configuration variables that will be used for Snort. Earlier, all that the snort.conf file was used for was to specify the Home_Net variable by changing it to refer to the correct IP address. In this case, adding the -c switch tells Snort to apply the rules that are in the snort.conf file to the packets as they are processed by Snort. Before we get too far ahead of ourselves, let’s back up and look at the basics of the Snort rules. The rules of Snort are made up of two distinct parts: • Rule Header: The Rule Header is where the rule’s action, protocol, directional operator, source and destination IP addresses (with subnet mask), and the source and destination ports are identified. •
Rule Options: The Rule Options are where the rule’s alert messages and specifications on what parts of the packet are to be matched to determine if there is a rule match.
Here is an example rule: The ⇒ symbol represents that all code shown belongs on the same line. It is shown here on more than one line due to margin constraints.
alert tcp any any -> any 80 (content: "adult"; msg: "Adult ⇒ Site Access";)
The syntax breakdown of this example is as follows: • The text up to the first parenthesis is the Rule Header. •
The section enclosed inside the parentheses are the Rule Options. Rule Options are not required by any rule, but they provide much information and might be the reason for creating the rule itself.
So, the end result of this rule is to create an alert if TCP traffic from any IP address and any port is sent to any host at port 80, where the word Adult is in the payload. If this rule is met, a message of Adult Site Access will be placed in the logs with this packet.
The Rule Header Let’s look at the Rule Header in more detail. As mentioned previously, the Rule Header for our example is composed of the following information: alert tcp any any -> any 80
The first part of this syntax, alert, is known as a rule action. The rule actions in the header defines what is to be done when a packet that matches the rule is found. There are five actions that can be defined.
416
Tactical Perimeter Defense
Rule Action
Description
Alert
Creates an alert using whatever method has been defined. Also logs the packet using whatever method has been defined.
Rule Action
Description
Log
Logs the packet using whatever method has been defined. Tells Snort to ignore this packet. Creates an alert and turns on a dynamic rule. Remains unused unless another rule calls it. If called, it acts similarly to a log rule.
Pass Activate Dynamic
After the action has been defined, the next step is to define the protocol. In our example, the protocol defined is TCP. Currently, Snort supports defining the TCP, UDP, ICMP, and IP protocols. After the action and protocol are defined, Snort requires the IP addresses to be used. A valid statement is to use the word any, meaning any IP address. Snort uses the netmask format of specifying the subnet mask. Following this, a full Class A IP address will have a netmask of /8, a full Class B will have a netmask of /16, and a full Class C will have a netmask of /24. Single hosts might be specified with a /32 netmask. In addition to defining a single host or a single subnet of addresses, Snort can work with groups of IP addresses in a single rule. This is called creating an IP list. The IP list can be created by enclosing the list, with addresses separated by commas, in square brackets. An example of using an IP list is: Alert tcp any any -> [10.0.10.0/24, 10.10.10.0/24] any ⇒ (content: "Password"; msg:"Password Transfer Possible!";)
Note: Although the previous line is split in two lines, in the editor it can be entered as a long line. Versions of Snort, pre-1.8, required a slash symbol (\) between lines of a single rule. It is acceptable now to have a rule span multiple lines, but in most editors, a long line is easy to work with. After IP addresses have been specified, you need to tell Snort which port you want to check. When you are working with Snort rule syntax, ports can be defined in several ways. Single static ports are common, as in port 80, port 23, and so on. The rule can also define the keyword any, again meaning any port. Ranges of ports can also be defined using a colon to separate the start and end points of the range. Here are several examples of different port definitions: • To log any traffic from any IP address and any port to port 23 of the 10.0. 10.0/24 network: Log tcp any any -> 10.0.10.0/24 23
•
To log any traffic from any IP address to any port between (and including) 1 and 1024 on any host in the 10.0.10.0/24 network: Log tcp any any -> 10.0.10.0/24 1:1024
•
To log any traffic from any IP address where the port number is less than or equal to 1024 and is destined for any host in the 10.0.10.0/24 network with a destination port equal to and greater than 1024: Log tcp any :1024 -> 10.0.10.0/24 1024:
Lesson 8: Configuring an IDS
417
In the rules of Snort, there is an option to negate a port or IP address. By using the exclamation point (!), the rule will perform a negate. This is similar to the negate option in the IPTables rulesets. For example: • To log any tcp traffic from any host other than 172.16.40.50 using any port to any host on the 10.0.10.0/24 network using any port: Log tcp ! 172.16.40.50/32 any -> 10.0.10.0/24 any
•
To log any tcp traffic from any host using any port to the 10.0.10.0/24 network to any port other than 23: Log tcp any any -> 10.0.10.0/24 !23
By now, through these examples you should be able to identify the directional option. The direction is defined with ->. This means coming from the left and going to the right, so to speak. It is possible to have Snort check the packet for IP addresses and ports in both directions. This can be a benefit for analysis of both sides of a session. The following example uses the bi-directional option to record both ends of a telnet session: Log tcp 10.0.10.0/24 any <> 172.16.30.0/24 23
The Rule Options Where Snort can really start to show its flexibility and function is in the Rule Options. All of the Rule Options are separated by using a semicolon (;). Rule Option keywords are separated from their arguments with a colon (:). The following table lists some of the available keywords. Keyword
Description
msg ttl id flags ack content
Prints a message, as defined in the alert and packet logs. Used to match the IP header’s Time To Live value. Used to match a specific IP header fragment value. Used to match tcp flags for defined values. Used to match the TCP ack setting for a defined value. Used to match a defined value in a packet’s payload.
There are more keywords. It is advisable that you check the man pages (if you are using a Linux box) or the Help pages (if you are using a Windows box) for the remaining list of keywords. When the msg option is used in a rule, it tells the logging and alerting engine that there is a message that should be inserted along with a packet dump or in an alert. Here is a sample syntax for the msg option: msg: "text here";
When the ttl option is used in a rule, it tells Snort that there is a specific Time To Live value to match. Only successful on an exact match, this can be useful for detecting traceroute attempts. Here is a sample syntax for the ttl option: ttl: "time-value";
When the id option is used in a rule, it tells Snort to match an exact value in the IP header Fragment field. Here is a sample syntax for the id option: id: "id-value";
418
Tactical Perimeter Defense
For the flags option, there are several suboptions, which include the flags that can be matched. The flags are defined in the rule by their single letter, as listed here: •
F for FIN
•
S for SYN
•
R for RST
•
P for PSH
•
A for ACK
•
U for URG
•
2 for Reserved bit 2
•
1 for Reserved bit 1
•
0 for no tcp flags set
The standard logical operators are also valid for flags: the + for matching all flags, the * for matching any flag, and the ! for matching all except the defined flag. The reserved bits can be used to detect scans or IP stack fingerprinting. Here is a sample syntax for the flags option: flags: value(s);
The following rule example shows a syntax that could be used to detect SYNFIN scans: Alert any any -> 10.0.10.0/24 any (flags: SF; msg: "SYN FIN ⇒ Scan Possible";)
When the ack option is used in a rule, it tells Snort to match a specific ACK value in the TCP header of a packet. The network mapping tool Nmap uses the ACK flag to determine if a remote host is active. Here is a sample syntax for the ack option: ack: "ack-value";
The content keyword might be the most important keyword that Snort has available. When you use this option in a rule, it enables Snort to examine the payload of a packet and perform checks against the contents based on this keyword. Snort uses a pattern-match function called Boyer-Moore. (This matching function can be more intense than all the other options, so take care not to overuse this option on slower machines.) This rule is case-sensitive, so matching the word Test and the word test are two different things. The complexity of this option comes into play with the definition of the data for the match. Although it can be entered in plaintext, it can also be entered as mixed binary bytecode. (Bytecode data is a hexadecimal representation of binary data.) The basic syntax of this option is similar to the other options: content:"content value";
Simple Rule Examples This section details several rule examples, followed by brief descriptions of their functions. You can use these as a template for creating your own simple rules. • To log all traffic trying to connect to the telnet port:
Lesson 8: Configuring an IDS
419
Log tcp any any -> 10.0.10.0/24 23
•
To log ICMP traffic towards the 10.0.10.0 network: Log icmp any any -> 10.0.10.0/24 any
Even when using ICMP, Snort requires ports to be defined, so use the word any.
•
To allow all web browsing to go through without logging: Pass tcp any 80 -> any 80
•
To create an alert with a message: Alert tcp any any -> any 23 (msg: "Telnet Connection ⇒ Attempt";)
•
To find SYN/FIN scans of the network: Alert tcp any any -> 10.0.10.0/24 any (msg: "SYN-FIN ⇒ scan detected"; flags: SF;)
•
To find TCP NULL scans of the network: Alert tcp any any -> 10.0.10.0/24 any (msg: "NULL scan ⇒ detected"; flags: 0;)
•
To find attempts at OS fingerprinting: Alert tcp any any -> 10.0.10.0/24 (msg: "O/S Fingerprint ⇒ detected"; flags: S12;)
• This example uses the Home_Net variable instead of defining the IP address.
To perform content filtering: alert tcp any $HOME_NET -> !$HOME_NET any (content: ⇒ "Hello"; msg:"Hello Packet";)
Now that you have looked at several example rules, let’s put them together and create a ruleset for Snort.
Snort Rule IDs An option was added to Snort to categorize all the various Snort rules. This allows for people from all over the ability to use the same number for their rules, and it helps keep the rules organized. There are a few ranges of the Snort ID that you need to be aware of. These ranges are: • Less than 100: Reserved for future Snort use. •
101 through 1,000,000: Reserved for direct Snort.org distribution rules.
•
1,000,001 and greater: These numbers are for the custom local rules.
A great resource called www.bleedingsnort.com uses rules in the 2,000,000 range. When you develop your own local rules, as long as you use a unique number for every rule, and that number is greater than one million, your rule will not have a SID problem. However, it is a good idea to use a higher number such as four million and up, because organizations who write rules, such as Bleeding Snort, might be in the lower ranges.
420
Tactical Perimeter Defense
TASK 8C-1 Creating a Simple Ruleset Objective: To create a rule that logs all TCP traffic, alerts to ping, and alerts to the use of the word “password.” 1.
Open Notepad and enter the following: log tcp any any <> any any (msg: "TCP Traffic Logged"; sid:10000001;)⇒ alert icmp any any <> any any (msg: "ICMP Traffic Alerted"; sid: 10000002;)⇒ alert tcp any any <> any any (content: "password"; msg: "Possible Password Transmitted"; sid:10000003;)⇒
2.
Due to space constraints, code appearing with the ⇒ character at the end of the line should appear on one line in Notepad.
Save the file as C:\Snort\rules\“myrule.rules” and close Notepad. Be sure to type the quotes so that Windows will not assign a file name extension, keeping rules as the extension.
Testing a Rule Set After you have created a ruleset and have saved it in the Snort folder, it is time to test this ruleset. You can do so at the command prompt. Just be sure that the command prompt buffer is set high enough.
TASK 8C-2 Testing the Ruleset Note: Perform the following step on all student computers. 1.
Clear the \snort\log folder and open two command prompts. If you want to save the old logs to another location, go ahead and do so.
Note: Perform the following step only if you are designated as Host One. 2.
If necessary, change to the directory where you installed Snort. Enter snort -d -e -v -iX -c \Snort\rules\myrule.rules -l \Snort\log to run Snort using the new ruleset.
Note: Perform the following step only if you are designated as Host Two. 3.
Once Host One is running Snort, ping Host One by its IP address. Then, enter net send [ip_address] Here is my password In this case, [ip_address] is the IP address of your partner’s computer.
Note: Perform the following step only if you are designated as Host One. 4.
When you receive the message, click OK, and then stop Snort by pressing Ctrl+C.
Lesson 8: Configuring an IDS
421
Note: Perform the following step only if you are designated as Host Two. 5.
If necessary, change to the directory where you installed Snort. Enter snort -d -e -v -iX -c \Snort\rules\myrule.rules -l \Snort\log to run Snort using the new ruleset.
Note: Perform the following step only if you are designated as Host One. 6.
Once Host Two is running Snort, ping Host Two by its IP address. Then, enter net send [ip_address] Here is my password In this case, [ip_address] is the IP address of your partner’s computer.
Note: Perform the following step only if you are designated as Host Two. 7.
When you receive the message, click OK, and stop Snort by pressing Ctrl+C.
Note: Perform the following step on all student computers. 8.
Examine the log files for the alerts and logs that were generated. Compare them to the ruleset and your scan from earlier. Then, close all open windows.
9.
To look at the alert data that was generated, right-click the alert.ids file, open it with WordPad, and examine the alert.
More Rule Options Up to this point, you have seen very simple rules, and while these are good for getting used to Snort, the example rules so far have been very limited. Snort can work with much more complex rulesets, and as you will see in the following section; the only limitation is your imagination and knowledge of your environment. As discussed, the Snort rule is broken into two primary parts, the header and the options. Where the header details the IP, port number, direction, and so on, the options are where you can get very specific with the rule. There are many choices of what you can place in the options part of the rule, and for the context of this lesson, you will examine two of them: Metadata Options and Payload Detection Options.
422
Tactical Perimeter Defense
Metadata Options Metadata Options are where you detail characteristics about the rule. One example of a Metadata Option is the Message (msg), which you looked at previously in this lesson. Another example is the Snort Rule ID (sid). You could also define a reference URL for more information about the event. Here is a quick list of Metadata Options: •
“msg:”: This option is used to insert a message in human-readable language.
•
“sid:”: This option is used to define the unique Snort Rule ID for the specific rule.
•
“classtype:”: This option is used to classify the specific type of event.
•
“priority:”: This option is used to define the priority level of the event.
•
“reference:”: This option is used to define a reference URL for more information about the event.
•
“rev:”: This option is used to define a revision number to the rule.
Classtypes Classtype and priority level can go together, with the classification of an event being tied to a priority level. There are three default levels of priority (low, medium, and high), but you are able to define these further using the “priority:” option in your rule. The default priorities have a numeric value of 1 (high), 2 (medium), and 3 (low). The Classtype is used to categorize events. There are many preconfigured classtypes, and these are assigned to one of the three default priority levels. The following table details some of the default classtypes Classtype
Description
Priority
Attempted-admin Attempted-user Shellcode-detect Successful-admin Trojan-activity Web-application-attack Attempted-recon Suspicious-login
Attempted administrator privilege gain. Attempted user privilege gain. Executable code was detected. Successful administrator privilege gain. A network Trojan was detected. Web application attack. Attempted information leak. An attempted login using a suspicious user name detected. Denial-of-service attack. A network client was using an unusual port. Generic ICMP event. Detection of a network scan.
High High High High High High Medium Medium
Successful-dos Unusual-client-port-connection Icmp-activity Network-scan
Medium Medium Low Low
Here is an example rule with the addition of these new options: Alert tcp $EXTERNAL_NET any -> 192.168.10.1 80 (msg:"Sample web access alert"; classtype:web-application-activity; reference:url,http://www.securitycertified.net; sid:10000023; rev:2;)
Lesson 8: Configuring an IDS
423
Walking through this rule from the beginning: This is an alert rule, looking at TCP as the protocol. It is designed to alert on traffic from the external network on any port to the machine at 192.168.10.1 on port 80. There is a simple message that states “Sample web access alert”, and the classtype has been defined as the built-in web-application-activity. As a reference for more information, a URL has been given, www.securitycertified.net, and this is the second revision to the rule, which has a Snort Rule ID of 10000023
Rule Payload The core of many IDSes is to examine the actual contents, or payload, of each packet. Snort can look inside the packet at the payload details to make a determination about that specific packet. There are many options for Snort here, and in this lesson, you will focus on a few specific options.
Content Keyword In Snort, the Content keyword might be the most important of all the keywords. The Content keyword is how you define the specific content inside the packet’s payload that Snort should look at for rule matching. A critical issue to keep in mind when defining content is that the data can be either text or binary data. Your binary data is normally provided in bytecode format, and it is enclosed within the pipe ( | ) character. Bytecode is a way of representing binary data in hexadecimal format. When you enter your content information, if you require the “:” character, such as in a URL, use instead the |3a| notation. Using the “:” character in content matching will cause problems because the “:” character is used after each keyword.
Other Keywords The content keyword matches either text or binary data.
The “nocase” keyword simply tells Snort to ignore case when looking into a packet. Nocase is a modifier, used after the content keyword. The “depth” keyword tells Snort how far into a packet it should look to find the pattern, or content match. If you inserted a value of 5 here, then Snort would only look for the pattern within the first 5 bytes of the packet payload. Like nocase, the depth keyword is a modifier used after the content keyword. The “offset” keyword tells Snort to ignore a defined number of bytes before looking into a packet. If you inserted a value of 5 here, then Snort would start to look for the pattern, or content match, after the first 5 bytes of packet payload. Offset is also a modifier and must be used after the content keyword. Here is an example rule with the addition of these new options: Alert tcp $EXTERNAL_NET any -> 192.168.10.1 80 (msg:"Sample web access alert"; content:"http|3a|//www.securitycertified.net/ ⇒test.cgi?id=r00t"; nocase; offset:2; classtype: ⇒web-application-activity; reference:url,http://www. ⇒securitycertified.net; sid:10000025; rev:2;)
This rule is the same as the previous example, with some additions. The first is the content keyword. This rule is looking for content that includes a URL with the id=r00t in the payload. Note that the “:” character you would normally put in a URL has been replaced with the |3a| notation. You cannot use the “:” character inside the content keyword. This rule is skipping the case sensitivity and is ignoring the first 2 bytes of each payload. Lastly, as this is a different rule, there is a different sid assigned. 424
Tactical Perimeter Defense
Flow Control The “flow” keyword gives you the flexibility to define packets with Snort in terms of their direction between the client and the server. This option works on TCP streams, and there are several choices for you, if you wish to use the flow keyword. The following list identifies the flow control options, with a brief comment about each option: •
to_client: This matches a server response to a client.
•
to_server: This matches a request from a client to a server.
•
from_client: This matches packets sent from the client. Similar function as the to_server option.
•
from_server: This matches packets sent from the server. Similar function as the to_client option.
•
only_stream: This matches only on reassembled stream packets.
•
no_stream: This does not match reassembled stream packets.
•
established: This matches on packets that are part of an established TCP connection.
•
stateless: This matches packets without regard of state.
While there is no one correct way to write a Snort rule, there are some general guidelines that will make your writing more efficient and accurate. To start with, you want to be as precise as possible with your content matching. This will cut down on false matches and will cut down on the load on your system. A second guideline is to create rules to match the vulnerability, not the specific exploit. Writing rules that look for matches to the vulnerability will allow your IDS to still match traffic, even if an attacker makes a modification to the exploit.
Pre-configured Rules It is vital that you know how to create rules for Snort, but no one wants to build something from scratch when it is already available and you can get it with very little effort. The same thought applies for basic rules for Snort. The default Snort installation comes with a selection of IDS rules for you to pick through and use, and there are several more available for download at www.snort.org. There are several options for you to choose from when you wish to receive Snort rules. If you need to have real-time rules, with the most current options available, you must become a subscriber to receive the Sourcefire VRT-certified rules. The Subscriber rules are the ones you need if you are looking to address security issues as they arise, often with a new rule available within days of a new vulnerability being introduced. The second method to download pre-configured rules is to become a registered user at www.snort.org. Registered users are able to receive all the latest snort rules, but the rules are available 30 days after they are made available to Sourcefire subscribers. The third way to download pre-configured rules from Snort is as an unregistered user. Unregistered users are able to download the ruleset that is available with every major Snort release.
Lesson 8: Configuring an IDS
425
In addition to the rules that are available from Snort, there are rules available from www.bleedingsnort.com The bleedingsnort.com rules are very current and are submitted from people all over the net. If you need absolute up-to-the-minute, experimental, and test rules, this is the location to find them. In this lesson, you will work with Snort rules that are made available to everyone (unregistered) from www.snort.org.
TASK 8C-3 Examining Pre-configured Rules 1.
Navigate to C:\Tools\Lesson8\Rules.
2.
Copy all the .rules files to the C:\Snort\rules folder.
3.
Navigate to the C:\Snort\rules folder.
4.
Open the folder, and browse through the pre-configured rules. You will come back to these files in a moment.
Examine Denial of Service Rules As you can see, there are many very detailed default rules for you to work with. One section of the pre-configured rules deals with Denial of Service attacks. Here is a sample rule from this file: alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:3;) Starting at the beginning of this rule, you can see that it is an alert, matching tcp as the protocol. Traffic on the external network, on any port going to the internal network, on port number 27665 is what Snort will be looking at. This rule is looking for an established TCP connection, with traffic going to the server. The content is listed as: betaalmostdone. Since this incident would be an attempt at denial of service, this rule appropriately is given the classtype of attempted-dos, has a reference you can check the Arachnids database, number 197 (Arachnids was an incident database, more current data is found on the CVE list), has been given a Snort rule ID of 233, and this is the third revision of the rule.
426
Tactical Perimeter Defense
TASK 8C-4 Examining DDoS Rules 1.
Navigate to the C:\Snort\rules folder.
2.
Open the ddos.rules file with WordPad.
3.
Based on these rules, what three ports does the DDoS tool Trin00 utilize? UDP 31335, TCP 27665, and UDP 27444.
4.
Based on these rules, what icmp_id numbers does the DDoS tool Stacheldraht utilize? Icmp_ids: 666, 667, 668, 669, 1000, 6666, 6667.
Examine Backdoor Rules Just as there are pre-configured rules for Distributed Denial of Service, there are extensive rules designed for matching backdoor attacks. These rules will generally be more complex than a DoS rule because the content matching often requires more information. Here is a sample rule from the backdoor.rules file: alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:5;) This rule is an alert looking for matches on the TCP protocol. In this case, it is traffic from your internal network on port 12345 or 12346 to the external network on any port. The Netbus server actually resides on the compromised host, in this case, inside your network. The traffic flow is from the server (compromised host), and it is an established connection. The content that is being looked for is NetBus. This alert is characterized as a misc-activity, has a Snort rule ID of 109, and is the fifth revision of the rule.
TASK 8C-5 Examining Backdoor Rules 1.
Navigate to the C:\Snort\rules folder.
2.
Open the backdoor.rules file with WordPad.
Lesson 8: Configuring an IDS
427
3.
Based on this rule set, what service and port are the majority of the Linux rootkit attempts using? Telent, on port 23.
4.
Is the second Subseven rule with SID 107 looking for an attempt to place a Trojan on a computer in your network or looking for evidence that a Trojan has already been placed on a computer in your network? Looking for evidence that a Trojan is already in the network.
Examine Web Attack Rules One of the fastest growing areas of attack is on web servers. Since these are exposed, they are often the targets of attacks from every skill level, from scriptkiddies to more experience attackers. Snort has many rules designed to look for web attacks. Here is one example rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; nocase; classtype:web-application-activity; sid:1372; rev:5;)
This rule is an alert, looking at TCP traffic from the external network on any port to your web servers on your web server ports. The web servers and web server ports are defined in your variables. The flow of this traffic is to the web server, and it would be an established connection. The attacker is looking for the /etc/ shadow file on a Linux/UNIX system. Case sensitivity is not taken into consideration with this rule, it has been given a Snort Rule ID of 1372, and is the fifth revision to the rule. This specific rule is listing the classtype as webapplication-activity, but you might want to consider this potentially a recon event. If you have an older rule set, your web attack rules may vary.
TASK 8C-6 Examining Web Attack Rules 1.
Navigate to the C:\Snort\rules folder.
2.
Open the web-attacks.rules file.
3.
Which rule is watching for an attacker adding a user account to the administrators group? SID 1357.
4.
In SID 1335, an attacker would send the command /bin/kill. What operating system is the web server likely running? Linux/UNIX.
5.
Many of these rules contain the “%20” characters. What does this mean? This means that the Snort rule is looking to match a “space” where the “%20” resides in the content portion of the rule.
428
Tactical Perimeter Defense
Examine Web IIS Rules As the Microsoft IIS Web Server grows in popularity, the attacks seem to grow exponentially. Because of this, there is a ruleset dedicated to rules for the IIS Server. Here is one example of an IIS Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Directory transversal attempt"; flow:to_server,established; content:"..|5C|.."; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:10;) This rule addresses a rather famous exploit where a person could simply put in the URL a line that would give them access to the computer. This is called the Directory Transversal Attack, where in the URL the attacker uses ../.. in the URL as part of the attack. In this rule, the alert is acting on TCP traffic in the direction of the external network on any port towards the web servers on web server ports. The connection must be established and is in the direction towards the server. The key point in this rule is the content of “..|5C|..” This would be a double-dot then a / then a double-dot to the server. Since the rule requires the ASCII conversion, the rule has the pipe symbol, 5C, then the pipe symbol, as / in ASCII is 5C. This is classified as a web attack, has a Snort ID of 974, and is the tenth revision of the rule.
TASK 8C-7 Examining IIS Rules 1.
Navigate to the C:\Snort\rules folder.
2.
Open the web-iis.rules file with WordPad
3.
The Code Red exploit has .ida? in the payload. Which SID would you look up online for more information about the rule to match Code Red attacks? SID 1243.
4.
The Code Red II exploit attempted to use /root.exe and has a Snort Rule ID of 1256. If you wanted to learn more about this exploit, what URL would you use to find more information about Code Red? www.cert.org/advisories/CA-2001-19.html
Lesson 8: Configuring an IDS
429
Topic 8D Configuring Snort to Use a Database Snort Output Plug-ins By now you can see that Snort will be able to generate large volumes of data in the form of alerts, logs, and so on. Reading this data on screen while Snort is running isn’t realistic, so you will need to use some means of reading the data that Snort collects. Snort provides several output options through the use of output plug-ins. In this section, you will configure Snort to output information to a MySQL database. Snort is not limited to using a MySQL database, that is simply the choice for this lesson. You could output Snort to Oracle, SQL Server, any UNIX ODBCcompliant database, and so on. In addition to sending logs and alerts to a database, you could instruct Snort to send this data to a remote logging server via Syslog. This is the command to output locally to a Syslog format: output alert_syslog: LOG_LOCAL2 LOG_ALERT. If you wish to send this data to a remote server, you will need to replace the local information with the remote server information. Another option, if you desire, is to output directly in a binary format that tcpdump works well with. This is the command to output in tcpdump format: output log_tcpdump: snort.dump In the snort.conf file, you will configure the type of output you wish to use. Remember, the output is detailed in the snort.conf file, not with a command-line switch. For this lesson, you will be configuring the system to output to a database. The following example shows what a basic entry for database logging would like in the snort.conf file: • output database: log, mysql, user=username •
password=password dbname=snortdb host=localhost
Configure Snort to Use a Database Since you are going to configure a MySQL database to accept data, you must inform Snort about the database and give it the information required to make the connection. In this following task, you will reconfigure the snort.conf file to include the output to the database.
430
Tactical Perimeter Defense
TASK 8D-1 Editing Snort.Conf 1.
Navigate to the C:\Snort\etc folder.
2.
Open the Snort.conf file with WordPad.
3.
Scroll down in the file to the Output database plug-in section.
4.
Add the following line: Output database: log, mysql, user=snort password=snortpass dbname=snortdb1 host=localhost
5.
Save and close the snort.conf file.
Installing MySQL for Snort In order for Snort to utilize a database, you must build one. In this lesson you will work with the freely available and widely popular MySQL database. Keep in mind that Windows, Snort, and MySQL can take a lot of computing resources on a busy network, so a dedicated machine with a good processor and lots of memory would be a good base platform.
TASK 8D-2 Installing MySQL 1.
Navigate to the C:\Tools\Lesson8 folder.
2.
Double-click the mysql-essentials-5.0.27-win32.msi file.
3.
In the Welcome screen, click Next.
4.
Select the Custom radio button and click Next.
5.
Click the Change button. You are going to install to a location you choose.
6.
In the Folder Name text box, type C:\Snort\mysql and click OK, and then click Next.
7.
Verify the install directory location and click Install.
8.
Once MySQL is installed, select the Skip Sign-Up radio button and click Next.
9.
Verify that the Configure MySQL Server Now check box is checked, and click Finish.
10. In the Welcome screen, click Next. 11. Select the Standard Configuration radio button, and click Next. Lesson 8: Configuring an IDS
431
12. Check the Include BIN Directory In Windows PATH check box, and click Next. (Note: leave the box checked next to Install As Windows Service.) 13. In the Root Password and the Confirm text boxes, type and re-type sqlpass Do not check the box to Enable Root Access or Create An Anonymous Account, and then click Next. 14. To start the configuration, click Execute, and then click Finish to end the installation. With MySQL now installed with the base configuration, you will need to create the actual database that Snort is going to work with. In the following task, you will use both the MySQL command line and the Snort command line. Snort comes with a script to build the database in MySQL, complete with the appropriate tables. This script was generated during the install of Snort. If you recall, you had the option to define the database/logging that you would use, and you selected the option that included support for MySQL.
TASK 8D-3 Creating the Snort Database 1.
Navigate to the C:\Snort\schemas directory. Note the file create_mysql. This is the file you will use to build the database.
2.
Choose Start→All Programs→MySQL→MySQL Server 5.0→MySQL Command Line Client.
3.
Enter your MySQL root password. Note: This should be sqlpass from the previous task.
4.
Enter create database snortdb1;
5.
Enter show databases;
6.
Verify that your two new databases are listed.
7.
To switch to the new database, enter connect snortdb1;
8.
To populate the database, enter source C:\Snort\schemas\create_mysql
9.
To show the tables that were created during the execution of the previous script, enter show tables;
10. At the mysql> prompt, enter quit;
432
Tactical Perimeter Defense
MySQL User Accounts MySQL needs several user accounts for the full functionality of this lesson. You will need to configure the accounts so that MySQL will accept the data that Snort is sending, and so that later, if you were to use an analysis program such as BASE (which you will see later), you would need these accounts to connect to the database to pull the required data.
TASK 8D-4 Creating MySQL User Accounts 1.
Choose Start→All Programs→MySQL→MySQL Server 5.0→MySQL Command Line Client.
2.
Enter your MySQL root password. Note: This should be sqlpass.
3.
At the mysql> prompt, enter show databases;
4.
Enter grant INSERT,SELECT,UPDATE on snortdb1.* to snort identified by ‘snortpass’;
5.
Enter grant INSERT,SELECT,UPDATE on snortdb1.* to snort@localhost identified by ‘snortpass’;
6.
Enter flush privileges;
7.
Enter exit;
8.
Navigate to the C:\Snort\mysql folder.
9.
Right-click my.ini and open the file with WordPad.
10. Change the following line: • Before: sql-mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_ ⇒USER,NO_ENGINE_SUBSTITUTION"
•
After: sql-mode="NO_AUTO_CREATE_USER,NO_ENGINE_ ⇒SUBSTITUTION"
11. Save and close the my.ini file.
Snort to Database Connectivity Now that you have a database installed and have configured Snort to communicate with the database, you need to test this connectivity. The following quick task is a simple loading of the snort.conf file to check to see if the connection to the database is functional. You do not want to go further in your configuration if you are unable to get the connection between MySQL and Snort to function.
Lesson 8: Configuring an IDS
433
TASK 8D-5 Testing the New Configuration If you receive a winpcap error, you can try using winpcap_3_1.exe.
1.
Open a command prompt.
2.
Navigate to the C:\Snort\bin folder.
3.
Enter snort -d -e -v -iX (remember to change X to use your network interface as before).
4.
Watch to see that Snort is functional and is showing packets on screen. If you need to generate network traffic, ping a neighbor computer.
5.
Press Ctrl+C to end Snort.
6.
To see the full Snort system running, enter snort -d -e -v -iX -c C:\Snort\etc\snort.conf -l C:\Snort\log
7.
Press Ctrl+C to stop Snort.
8.
To see where Snort made the connection to the database, scroll through the commands.
Snort as a Service While it may work for you to manually start and stop Snort to perform the occasional packet capture, in a working environment, you will likely want Snort on all the time. One way to achieve this is to install Snort as a service in Windows. The following task will walk you through the steps of adding a service, and then verify that it starts automatically.
TASK 8D-6 Configuring Snort as a Service 1.
Open a command prompt.
2.
Navigate to the C:\Snort\bin> folder.
3.
At the C:\Snort\bin> prompt, enter snort /SERVICE /INSTALL -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii -iX (Remember to change X to use your network interface as before.) You will receive a prompt that the SNORT_SERVICE has been successfully installed.
434
Tactical Perimeter Defense
4.
Close the command prompt.
5.
Choose Start→Administrative Tools→Services.
6.
In the right pane, scroll down to and double-click the Snort service.
7.
In the Startup Type, change the setting from Manual to Automatic.
8.
Click Apply.
9.
To close the Snort Properties window, click OK. Do NOT click Start at this time.
10. Close the Services window. 11. To verify that the Snort service starts automatically, restart your server. 12. When the server restarts, log on as Administrator. 13. Right-click the taskbar and choose Task Manager. 14. Select the Processes tab, and verify that both Snort and mysql are started and running. 15. Select the Snort process, and note the amount of memory that is allocated to Snort. As you can see, Snort is a memory-intensive process. 16. Close the Task Manager.
Topic 8E Running an IDS on Linux LAMP On SuSe While this lesson, up to this point, has focused on the use of Snort, in order to make the system more functional, you will need a system in place to read, sort, and view all the data that Snort is able to collect. In the previous section you saw how to set up Snort to interact with a MySQL database, while running on a Windows system. In this section, you will configure Linux with the background system to read the Snort data via a web browser. This requires the building of a LAMP server. LAMP stands for Linux, Apache, MySQL, and PHP (you may see the ‘P’ also refer to Python or Perl, but in this case it is PHP). In addition to the LAMP components, you will install nmap, a tool you will use later in the lesson to generate network scanning traffic. In SuSe Linux 10, many of the components required to build the environment for Snort are available and ready for installation. Other components will require you to connect to the Internet to get the current version. In this lesson, the specific versions are detailed. Please keep in mind that in the event that you use a different version, it is possible, and even likely, that these steps will not work.
Lesson 8: Configuring an IDS
435
TASK 8E-1 Installing LAMP Components 1.
Log in to your Linux server as root.
2.
From the Computer menu, choose Install Software.
3.
In the Software list, scroll down and check the following check boxes: • lamp_server (i586) •
nmap (i586)
•
php5-gd (i586)
•
php5-mysql (i586)
•
php5-mysqli (i586)
•
php5-pear (i586)
•
snort (i586)
•
webalizer (i586)
4.
Verify that you have checked these components, and click Install.
5.
The additional packages that are required for these components to run properly are listed. Review the list to see how many “smaller” pieces are required, and then click Apply.
6.
If you are prompted for the Novell media, insert the CD or DVD now, and click OK. Note: it may take several minutes to install these packages.
7.
Once the files have been copied, you will see an Installation Was Successful prompt. Click Close.
8.
Close the Software Installer.
Apache and PHP One of the critical components you just installed was PHP. PHP is a server-side scripting language. PHP is used to provide dynamic web page content to end users, without the end users having any new software to install on their system. The end user will connect to the server with a web browser, and the PHP scripting on the server’s side will generate the response to deliver to the end user. If you manually build your server, meaning if you install these components individually on their won versus through the SuSe installer, you will need to configure Apache to use PHP. This is done by editing the httpd file and adding the line for your version of PHP. You would also need to edit the PHP configuration file. During the installation, a file called php.ini-dist will be installed, and you would rename this file to php.ini. In the php.ini file, you need to tell PHP where to find the PHP extensions and where to find a temporary directory. In this task, since you used the SuSe installer, these steps are taken care of and you will not need to manually configure the php.ini file.
436
Tactical Perimeter Defense
In the following task, you will turn on your Apache server and verify that PHP is properly installed and running. If your server does not reply with the test screen, you must check your installation. Without a functional PHP and Apache Server, you will not be able to complete the tasks in this topic.
TASK 8E-2 Apache and PHP Test 1.
From the Computer menu, choose YaST.
2.
On the left side, click System, and then click System Services (Runlevel).
3.
Scroll down and highlight apache2.
4.
Click Enable, and if you see a pop-up message about dependencies, click Continue.
5.
In the success pop-up, click OK.
6.
To close the System Services window, click Finish.
7.
To save the Runlevel changes, click Yes.
8.
Close YaST.
9.
From the Computer menu, choose Firefox.
10. In the address bar, enter http://localhost 11. If your server is running, you will get the message, “It works!” If not, carefully repeat the installation steps. 12. Close the browser, and navigate to the /srv/www/htdocs directory. 13. Inside /srv/www/htdocs, create a new document named info.php 14. Right-click this document and open it with Gedit. 15. Enter and then save and close the file. (Note – If you made your file using the File Manager, you must right-click and edit the permissions so that the Others group has read access.) 16. Open the web browser. 17. In the address bar, enter http://localhost/info.php 18. You will see a screen that presents all the local PHP information. This summary screen details the PHP install on your system. 19. Close the Web Browser.
Lesson 8: Configuring an IDS
437
Enable Snort on Linux Now that you have verified that your web server is running, and you have verified that PHP is enabled and functional for your server, you can move on to the next section. In this section, you will configure Snort and enable MySQL. Previously, you configured these on Windows, so the steps should be familiar to you. First, you will configure Snort, then you will enable both Snort and MySQL in YaST. The steps to enable these services are critical. If you forget to enable both Snort and MySQL under System Services, you can expect to run into some errors later in the topic!
TASK 8E-3 Configure Snort on Linux 1.
Open your file browser, and navigate to /etc/snort.
2.
To open the file with Gedit, double-click snort.conf.
3.
Edit these lines in your snort.conf file: var HOME_NET 172.X.0.0/16 (replace the X based on your address in the network) var EXTERNAL_NET !$HOME_NET var RULE_PATH /etc/snort/rules output database: log, mysql, user=snort password=snortpass dbname=snortdb1 host=localhost
4.
Save and close the file.
5.
From the Computer menu, choose YaST.
6.
Click System, then click System Services (Runlevel).
7.
Scroll down, highlight mysql, and click Enable. Click Continue To Enable The Dependencies, and then click OK.
8.
Scroll down and highlight Snort, and click Enable. Note the message prompt, and click OK.
9.
Click Finish, and then click Yes to save the changes to the run levels, and then close YaST.
Configuring MySQL on Linux With the basic Snort configuration ready, next you must create the MySQL database for Snort to use. The script for building the database is included in Snort when Snort is compiled for use with a database. The default installation includes the scripts for a MySQL database.
438
Tactical Perimeter Defense
Remember that when you work with MySQL, each of your commands end with the “;” character. If your install is not done on the SuSe platform with the software installer, the location of your Snort files will likely be different. In this task, you will assign a password to the root account, create and assign a password to the snort account, and build the database.
TASK 8E-4 Configuring MySQL for Snort 1.
Open a Terminal
2.
Enter the following commands (press Enter after each command): mysql SET PASSWORD FOR root@localhost=PASSWORD('rootpass'); create database snortdb1; grant ALL on root.* to snortdb1@localhost; grant CREATE, INSERT, SELECT, DELETE, UPDATE on snortdb1.* ⇒to snort identified by 'snortpass'; grant CREATE, INSERT, SELECT, DELETE, UPDATE on snortdb1.* ⇒to snort@localhost identified by 'snortpass'; exit mysql -u root -p rootpass connect snortdb1; source /usr/share/doc/packages/snort/schemas/create_mysql; show databases; use snortdb1; show tables;
3.
If you see the table, with 16 rows, you have successfully created the database and you can proceed. If not, please follow this task again carefully; every step must be exact.
4.
At the mysql> prompt, enter exit
5.
Close the Terminal window.
Connecting Snort to a Database Now that you have configured Snort to connect to the database, and you have configured the database to accept the connections from Snort, you should test this configuration. You do not want to get too far into this configuration only to find an error from the beginning. Note that in the tasks here, you are issuing the full command syntax in Snort to see the results on screen. In your production environment, you would most likely not include the option to see this information on screen, as you would have little use for seeing that information on screen. In this following task, you will run a test to confirm that Snort can connect to the database. If you do not make the connection to the database, you must stop here and go back through the tasks to find the error. Once connected, you will exit the Snort process. At this time, do not leave Snort running. Lesson 8: Configuring an IDS
439
TASK 8E-5 Testing Snort Connectivity to the Database 1.
Open a Terminal window.
2.
Enter snort -d -e -v -c /etc/snort/snort.conf -l /var/log/snort
3.
It may take a moment, but you should see Snort load and make the connection to the database. If you get an error message, verify that all the lines are correct in your snort.conf file and that your MySQL is configured properly.
4.
Press Ctrl+Z to stop Snort. Scroll up to see where Snort made the connection to the database.
5.
Once successful, close the Terminal window.
Installing ADOdb and BASE Since you have configured several components up to this point, now is a good time to review. First, you installed and configured Apache to start up. You then configured PHP to work with the server, and verified that PHP is working with a simple test page. Next, you configured Snort for your system, and configured MySQL to work with Snort by creating the appropriate database. Lastly, you ran a connectivity test to ensure that Snort can connect to the MySQL database that you created. With those pieces in place, you are ready to install what is called the Basic Analysis and Security Engine, or BASE for short. You use BASE through your web browser to analyze the data that Snort is sending to your MySQL database. The team at www.sourceforge.net describes BASE as follows: “BASE is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.” ACID was the original web front-end for Snort results and has evolved into BASE. ACID is still used by many organizations. Another component you will need to download is called ADOdb. ADOdb is used by BASE with PHP to perform the actual queries of the Snort database. Since PHP’s database access abilities are not standardized, there needs to be some means of access, and this is where ADOdb comes into place. You will need to download two more parts for this section to be operational. These files have already been downloaded and are on the SCNS Course CD, the task will simulate the location you may download files to on your local computer. If you download new files, be sure you use the exact file names in this task; if not, it is possible that your BASE console will not function as expected. Here are the locations for these two files: • http://sourceforge.net/projects/adodb (this is where you can download ADOdb) •
440
Tactical Perimeter Defense
http://sourceforge.net/projects/secureideas (this is where you can download BASE)
TASK 8E-6 Downloading ADOdb and BASE 1.
Open a Terminal window.
2.
Enter the following commands: cd / mkdir download cd /download ls cd /Tools/Lesson8 ls cp adodb493a.gz /download cp base-1.2.7.tar.gz /download cd /download ls
With these two files downloaded, you are now ready to install them. The install steps are straightforward; however, there is one configuration file for BASE that you will need to configure. This file, called base_conf.php, needs to know where your adodb is installed and needs to know how to connect to the Snort databse you made in MySQL. In the following task, you will install these two files and configure the BASE php file.
TASK 8E-7 Installing ADOdb and BASE 1. 2.
Open a Terminal window. Enter the following commands:
Be sure you type these commands exactly.
cd /download cp adodb493a.gz /srv/www cd /srv/www tar -xvzf adodb493a.gz rm -rf adodb493a.gz cd /download cp base-1.2.7.tar.gz /srv/www/htdocs cd /srv/www/htdocs tar -xvzf base-1.2.7.tar.gz rm -rf base-1.2.7.tar.gz mv base-1.2.7 base cd /srv/www/htdocs/base cp base_conf.php.dist base_conf.php
3.
Once you have created the new base_conf.php file by copying it, you can close the Terminal window.
4.
In the file browser, navigate to /srv/www/htdocs/base and open base_conf. php with Gedit.
Lesson 8: Configuring an IDS
441
5.
Edit the file so that the following changes take place: •
$BASE_urlpath = ‘/base’;
•
$Dblib_path = ‘/srv/www/adodb/’;
•
$alert_dbname = ‘snortdb1’;
•
$alert_host = ‘localhost’;
•
$alert_port = ‘’;
•
$aler_user = ‘snort’;
•
$alert_password = ‘snortpass’;
6.
Save and close the base_conf.php file.
7.
Restart your server.
Configuring BASE You have just about finished with the steps to getting your system operational. There is one last configuration that is required once the BASE console is running. In this last task, you will need to tell BASE how to set up the database. Once this last step is complete, your system will be ready to go.
TASK 8E-8 Configuring BASE 1.
Open a web browser.
2.
In the address bar, enter http://localhost/base/base_main.php
3.
You will receive a message that the underlying database appears to be incomplete/invalid.
4.
Click the Setup Page link.
5.
On the next page, click the Create BASE AG button on the right side of the page. If you get a Security Warning, click Continue.
6.
The required items will be successfully created. Click the Main Page link at the bottom of the page.
7.
You are now at the default page of your new BASE console.
This next task is not a requirement specific to the BASE console, but it is required for remote access to your web server. Later in this lesson, you are going to generate some events through the web server. In order for a simulated attacker to be able to connect to your web server, it must be enabled for others to access. By default, the firewall in your installation does not allow this. In the following task, you will turn on the HTTP service through the firewall.
442
Tactical Perimeter Defense
TASK 8E-9 Configuring the Firewall to Allow HTTP 1.
From the Computer menu, choose YaST.
2.
Click Security And Users, and then click Firewall.
3.
On the left side, click Allowed Services.
4.
From the Service To Allow drop-down list, select HTTP Server.
5.
Click the Add button to the right of the drop-down list.
6.
Click Next, and then click Accept.
7.
Close YaST.
Generating Snort Events At this time, you have configured Snort, MySQL, PHP, APACHE, ADOdb, and BASE. However, you likely had no data in your BASE console when you loaded it because there were no events present to cause a trigger. In the following section, you will start Snort, your instructor will generate some simple events, and you will then view this data in your BASE console.
TASK 8E-10 Generating Portscan Snort Events Setup: This task requires students to work in pairs. 1.
Right-click the desktop and open a Terminal.
2.
To start Snort, enter snort -d -e -v -c /etc/snort/snort.conf -l /var/log/snort
3.
Keep the Snort window open.
4.
Right-click the desktop and open a second Terminal.
5.
Verify that your partner has Snort started.
6.
In your second Terminal, replacing a.b.c.d with your partner’s IP address, enter nmap nmap nmap nmap nmap
7.
-sS a.b.c.d --system-dns -sX a.b.c.d --system-dns -sN a.b.c.d --system-dns -sF a.b.c.d --system-dns -O a.b.c.d --system-dns
When your partner has finished running these nmap scans, close your nmap Terminal, and proceed to the next step. Lesson 8: Configuring an IDS
443
8.
In your Snort Terminal, press Ctrl+Z to stop Snort.
9.
Open a web browser, and enter http://localhost/base/base_main.php in the address bar.
10. Note that you will have new Portscan Traffic found (you may need to scroll down in your window to see this). 11. Scroll down in your browser, and click the Percentage link to the right of Portscan Traffic. 12. Here you can see the scans that were detected. Click any of the event IDs on the left side. These will likely start with #0, or something similar, on your system. 13. Review the details of this event. 14. Keep your Snort Terminal open, keep the BASE console open, and open a second web browser for the next task. In the previous task, you generated simple Portscan traffic, which Snort reported and which you analyzed in your BASE console. In this next task, you will generate web attack traffic. These will be simple URL requests to your web server. You will start Snort in your Terminal window, then open a web browser and make several requests of your partner’s server. You will then view the results of these actions in your BASE console.
TASK 8E-11 Generating Web Snort Events Setup: This task requires students to work in pairs. One student running the Snort IDS, and the other an attacking Windows machine. It is suggested to go through the task twice, with students switching roles the second time through.
Steps 2 through 6 are to be done on the Windows Server 2003 machine.
1.
On the Linux Machine, running Snort, open your Snort Terminal, and enter snort -d -e -v -c /etc/snort/snort.conf -l /var/log/snort
2.
On the Windows Server 2003 machine, verify that your partner has started Snort.
3.
Open a web browser, and connect to http://your.partner’s.ip.address.
4.
Verify that you see the “It works!” default page. If you do not see this message, check that the HTTP service is allowed on the web server.
5.
In the web browser, enter the following URL requests. Note: These will be unsuccessful, which is fine for this task: • http://your.partner’s.ip.address/../../ • .
444
Tactical Perimeter Defense
http://your.partner’s.ip.address/../../bin/sh
6.
Close the web browser.
7.
On the Linux machine, running the Snort IDS, switch to your Snort Terminal, and press Ctrl+Z.
8.
Open your BASE console.
9.
Notice that you now have new alerts, this time they are TCP alerts.
Steps 7 through 12 are to be done on the Linux IDS machine.
10. Click the percentage next to TCP to analyze the alerts. 11. Answer the following questions: What is the name of this signature? (http_inspect) WEBROOT DIRECTORY TRAVERSAL How can you learn more about this event through BASE? Click the Snort link next to the name. What flags were set on this event? ACK and PSH. 12. Close all open windows. You have now configured all the components of running a full-fledged Network Intrusion Detection System. The default configuration of Snort uses many different rulesets, which you can define in the snort.conf file. In your environment, you will need to craft rules for your specific requirements or use the predefined rulesets.
Summary
If you have time, have your students turn on Snort again, and then you can generate some events, scanning, web events, etc. Ask your students to identify what you did by analyzing their BASE consoles.
In this lesson, you identified that there are many different types of IDSes, and you implemented the world’s favorite free IDS—Snort. You used Snort as a network-based IDS tool that is designed to monitor TCP/IP networks, looking for suspicious traffic and direct network attacks. You learned that Snort enables system administrators to collect enough data to make informed decisions on the best course of action when an intrusion is detected. You then built a full functional network IDS on Linux, including the BASE console for alert analysis.
Lesson 8: Configuring an IDS
445
Lesson Review 8A What protocols does Snort support? TCP, UDP, IP, and ICMP. What are the four primary parts of the Snort.conf file? Variables, preprocessors, output plug-ins, and rulesets
8B What must be installed in Windows prior to installing snort? LibPcap for Windows (also known as WinPcap).
8C How do you negate an option in Snort? By using the exclamation point (!) symbol.
8D What Snort file must you edit in order to have Snort connect to a database? Snort.conf At the mysql prompt, what is the command to make a new database, called snortdb1? create database snortdb1;
8E What scripting does Apache need to have configured in order for your BASE console to work? PHP What are the components of a LAMP server? Linux, Apache, MySQL, and PHP
446
Tactical Perimeter Defense
Securing Wireless Networks
LESSON
9 Overview In this lesson, you will learn to implement and secure a wireless network. You will examine the components of the network, and how to configure these components. You will detail the security options required for making wireless networks part of your trusted enterprise. You will perform wireless network analysis using leading wireless tools, and examine how to create a trusted wireless network.
Data Files dotnetfx.exe NetStumblerInstaller_0_ 4_0 Lesson Time 8 hours
Objectives To secure a wireless network, you will: 9A
Examine the fundamental issues of wireless networking. You will identify and examine the equipment, media, and systems of wireless networking.
9B
Describe the fundamentals of wireless local area networks. You will describe how WLANs function, including the 802.11 framing options, the essentials of WLAN configurations, and the threats that exist to the WLAN.
9C
Implement wireless security solutions. You will implement WEP, SSID broadcast disabling, MAC address filtering, and WPA as security solutions to the wireless network.
9D
Audit the wireless network. You will use leading tools, such as OmniPeek Personal and NetStumbler, to audit a wireless network.
9E
Describe the implementation of a wireless trusted network, a wireless PKI. You will examine the components required to implement and the procedure for implementing a wireless trusted network.
Lesson 9: Securing Wireless Networks
447
Topic 9A Wireless Networking Fundamentals Not too long ago, the concept of a network inside an office that had no wires running to and from the client computers seemed a bit far-fetched. Perhaps in the future, many people said, but not for a while. Fast forward only a few short years, and you are in the future. Wireless networks are here now. The idea now of a mobile workforce, able to move through an office, city, or country, and connect no matter where they are located has become very desirable to many organizations. The enterprise network now must include options for users to move, and have their connection stay with them. In addition to the idea of a mobile workforce, other factors are pushing the implementation of wireless networks. New networks can be deployed faster, and often cheaper, if they are wireless versus wired. Buildings where running cable is cost prohibitive, such as offices across a street or city block, are finding wireless the best option. Companies that have chosen architectural buildings for their appearance may find those buildings marked as historical landmarks, and running cables may not be allowed. All of these reasons will make the option of a network without wires seem like the perfect solution. But what may seem like a perfect solution has serious issues upon closer inspection. Even though the network experience may seem the same to end users, there are major differences in wireless networks from their wired counterparts. Where two computers communicating in a wired network have a single cable connecting each end point, there is no such cable for the wireless network. It is this lack of cable that causes the problems. For most enterprises, not much of the security policy and effort will be spent on the physical medium. There may be systems in place to try to prevent cable splicing, or physical security systems that guard the cable. The wireless network cannot employ these systems.
Wireless Equipment As you may expect, there are unique pieces of equipment used to run the wireless network. Although many of these pieces perform tasks similar to their wired counterparts, the wireless network equipment requires specific examination. The physical pieces used in the wireless network require careful placement because the location of the devices can affect security and performance of the network.
Access Points The centerpiece, literally, of the wireless network is the Wireless Access Point. The full acronym for this is WAP, but in the context of this lesson, the acronym AP (for access point) will be used. This is to eliminate confusion with the other wireless networking acronym of the same name, which is Wireless Application Protocol. The function of the AP in the wireless network is similar to that of the switch in the wired network. Individual components of the network communicate to and from the AP in order to communicate with other network components. Each AP will have at least one, and usually two antennas. By having multiple antennas, the AP is able to cancel out any duplicating radio waves that may reach the AP. 448
Tactical Perimeter Defense
Figure 9-1: Linksys Wireless Access Point, model: WAP54G.
Wireless Network Cards (WNIC) Just as a network card is required to connect to the cable in the wired network, a network card is required to connect to the wireless network media. These cards can be installed in desktop or laptop computers, or even embedded into appliances. The majority of newer laptop computers have built-in wireless network capability options as well.
Figure 9-2: Netgear wireless network card.
Antennas Whereas the AP of the wireless network is similar to the switch in the wired network, and the network cards of both the wireless and wired networks have the same functionality, there is one component of the wireless network that is not found in the wired networks. This component is the antenna. The antenna itself becomes an extension of the transmitter or receiver. When an access point transmits a signal it is passed from the internal signal generation components to the antenna, then transmitted through the air to a receiving antenna, which pulls the signal into the device. You can use an antenna that is designed to increase its ability to pull in a good signal in its construction and aiming. This increase is called the gain of the antenna. Although there are many subtypes of antennas, there are three common types of antennas used to increase the range of wireless networks. These are the: yagi, parabolic, and omni-directional antennas. The yagi antenna is one that is designed to be very directional. Yagi antennas may be enclosed in a tube, as shown in Figure 9-3, or they may be open, like the traditional over-the-air television antennas. Yagi antennas are perfect for direct point-to-point communication, such as a bridge connecting two offices.
Lesson 9: Securing Wireless Networks
449
Figure 9-3: A yagi antenna, manufactured by Telex Wireless. The second common antenna is the parabolic antenna. This antenna is also a good choice for bridging two networks, and has a greater range than the yagi antenna. The parabolic dish antenna is able to create gains that can be twice that of the yagi antenna.
Figure 9-4: A parabolic dish antenna, manufactured by Telex Wireless.
450
Tactical Perimeter Defense
The third common antenna is the omni-directional antenna. The omni-directional antenna is often used in conjunction with an AP to increase the local connection ability of the wireless network. This antenna type is usually mounted high above the group of end points that will communicate with the wireless network. The gain of the omni-directional antenna can approach that of some yagi antennas, but is quite a bit less than the gains of the parabolic antennas.
Figure 9-5: An omni-directional antenna, manufactured by Telex Wireless.
Association A unique aspect of the wireless network is that nodes that are going to use an access point must first associate with an access point. In the wired network, the node is simply turned on and plugged into the cable, there is no association required for the local hub or switch. In the wireless network, the node must be turned on, and then associate, or join, a wireless access point. This process of association is accomplished by the wireless node knowing what its alphanumeric identifier is, and looking for an alphanumeric identifier that matches. The vast majority of network cards now include an option that scans the local radio waves and lists the possible networks that the WNIC can attempt to associate with. It is an attempt to associate first; the WNIC must be authenticated as well, and then association can be successful.
Wireless Media In the traditional network, the cable can be guarded and cable runs carefully controlled; in the wireless network there is no cable. This presents the problem of wireless security in a very general way. The problem is how to secure that which you cannot see, and cannot control.
Lesson 9: Securing Wireless Networks
451
Although the media cannot be seen, there are similarities between the wired and wireless networks. In both networks, a signal is sent from one computer to another computer, there must be a common method of communication, and there must be a common method of delivery and receipt. In the wireless network, the media used to carry the signals from one wireless device to another can vary. In this course, you will examine the three wireless media: infrared, microwave, and radio waves. There are significant differences in these media, in how they work, and what they can do for your network.
Figure 9-6: The electromagnetic spectrum.
452
Tactical Perimeter Defense
Infrared Wireless Media Infrared wireless technology has been around for many years. The most common example of infrared technology is in electronic remote controls. The signals used for infrared signals are in the terahertz range, and this allows for solid communication. The infrared signal is pure light, usually electromagnetic waves or photons from a small section of the electromagnetic spectrum. Infrared is a simple wireless technology that uses pulses of light. If a binary one is required, the light is on; if a binary zero is required, the light is off. An emitter on one device (normally an LED) sends the light and a detector receives the light signal and reproduces the correct signal (either the one or the zero). The two common methods of wireless infrared communication are line-of-sight and diffused (also called broadcast). Line-of-sight (sometimes called point-to-point) requires the emitter and detector to be directly in line with each other. If any object passes between the two points, no matter how brief, the line-of-sight is broken and the transmission will be interrupted. Due to this, any networking service that requires high degrees of reliability will likely not use this implementation. Infrared is most often used today to network devices such as digital cameras, scanners, PDAs, and other devices to computers. These types of devices can be held in close proximity to one another so the odds of an object getting between the emitter and detector are very low. From a security perspective, infrared line-of-sight is an acceptable choice. This is because the single beam between the two end points must be constant. There is no sniffing option, as the light beam is direct and focused. It is possible to split the beam, but that would require physical access to the beam between the two end points. The beam splitter is often a prism, normally designed as a right-angle triangle, with a mirror on a 45-degree surface. The beam goes through the prism, and reflects a small amount of the signal to a third point. This third point can then put the signal back together. Note, the splitter must be physically placed in the beam, so any enterprise with adequate physical security should prevent this type of sniffing.
Figure 9-7: A beam splitter.
Lesson 9: Securing Wireless Networks
453
Although the prism is the most common form of a beam splitter, there are also beam splitters that are simple mirrors with a high degree of translucency. The mirror is placed at an angle in the stream, and functions just as the prism does. Just as the line-of-sight cannot be sniffed, the infrared signal cannot penetrate walls, therefore, the infrared transmission cannot be listened in on from a neighboring room or outside office. Another strong point for the infrared line-of-sight is that outside interference is minimal; other radio waves will have no noticeable effect on the signal. The security advantages of infrared wireless are offset by the limitations of infrared. Infrared cannot provide any mobility to the devices, and the pure lineof-sight issue causes too much disruption in most office settings. Similar to local line-of-sight, infrared networks are laser communications. Laser communications work by using a powerful directed beam between two points, with the unique difference being that the distances covered are much greater. Laser line-of-sight transmissions can cover miles, as long as the direct and uninterrupted line-of-sight is clear and available. Diffused infrared technologies overcomes some of the limitations of the line-ofsight communication. In the broadcast network, there still are two end points, the emitter and detector. However, the emitter does not send the signal directly to the detector. Instead, the signal is sent out to the network, and can bounce off walls and other objects in the room. The detector receives the signal and processes the information just as if it were line-of-sight. A big difference between line-of-sight and diffused infrared is speed. Because the signal has to travel farther and bounce off surfaces, it is a weaker signal when the receiving node detects the transmission. A second difference is that because the signal is broadcast, end points other than the intended recipient are able to receive the transmission. These issues combine to limit most use of infrared in wireless networking to the small local devices. As more and more people use small devices, you can expect infrared technology to remain a part of wireless networking for some time.
Microwave Wireless Media Where as infrared wireless networking serves the individual devices, such as PDA communication to a PC, it is usually not used to build the network infrastructure. One of the technologies that is used for this purpose is microwave technology. Microwave wireless networks allow for two end points to be placed far apart from one another. The connection is still made between two end points, one sending and one receiving node. There are two main types of microwave systems used in wireless networking: terrestrial and satellite. Terrestrial microwave systems usually use a directional antenna to send and receive network transmissions directly from one to another. These systems are designed to be direct line-of-sight, although they can use relay towers to extend the range or to move the signal around obstacles. Weather can have an affect on these signals, although not to the degree the weather has on infrared. Depending on the laws in your area, you may need to get a license to operate a microwave transmitter. There are usually strengths and frequencies that do not require licensing. Even though it may not be required, you may wish to pursue licensing so you can protect the frequency for that area, and prevent others from using the same frequency. 454
Tactical Perimeter Defense
Satellite Microwave When you have extreme distance to cover, the only choice is satellite. Satellites are the equivalent of the transmitter and receiver stationed high in the sky. By placing the transmitter and receiver higher, more ground can be covered by the same point. This allows an enterprise with one office in New York to have a single hop to a second office in London.
Figure 9-8: Example of satellite microwave networking. There are multiple orbits a satellite might take around the Earth. Geostationary orbits (GEOs) are those that circle Earth directly above the equator. A benefit of gravity and orbiting is that once at a specific point, the geostationary satellite will achieve a fixed position. This position is approximately 22,200 miles (or 36,000 km) above the Earth’s surface. Being placed at such an altitude, the satellite will be able to cover about one-third of the Earth’s surface. You could, therefore, place three satellites 120 degrees apart and cover the entire planet, except for the extreme northern and southern latitudes. Today there are hundreds of GEOs in the sky above you. There is also an orbital pattern called the Highly Elliptical Orbits (HEOs). These orbits do not orbit the Earth in a circle around the equator. Instead, these satellites orbit in an oval-shaped pattern. The oval is not equal around the Earth, instead the satellite will pass close to the Earth (at its closest, is called the perigee of the orbit), and will then move further away from Earth (at its furthest, it is called the apogee of the orbit).
Lesson 9: Securing Wireless Networks
455
Finally there are Low Earth Orbits (LEOs). These orbits are between 124 and 15,900 miles above the Earth’s surface (between 200 and 25,589 km). Most of the satellites in this range are at the low end, from 124 to 1,490 miles (200 to 2,400 km). These satellites can move very fast, and can be visible with the naked eye standing on Earth. A satellite in LEO may be able to circle the entire earth in 90 minutes. LEOs are not restricted to equatorial orbits.
TASK 9A-1 Examining Satellite Orbits 1.
Open Internet Explorer, and connect to http://science.nasa.gov/Realtime/ JTrack/3D/JTrack3D.html
2.
In the dialog box asking you to perform an install, click No. Wait for a moment, the JTrack satellite applet will open and load satellite data.
3.
Maximize the applet.
4.
Once the applet loads, press Ctrl and click the mouse (Ctrl-click) to move the Earth back and to see the orbital path of the GEOs. Examine the distance to the GEO orbits in relation to the size of the Earth.
5.
Click any small white dot to see the orbital path of the satellite.
6.
Click the mouse in the applet and drag to rotate the Earth and notice the GEOs all are lined in a similar pattern.
7.
Ctrl-click until the Earth is small in the applet.
8.
Click a white dot that seems further away from Earth, and not in the same circle pattern of the GEOs.
9.
Try to find Chandra, AO-40, and Integral. Examine the orbital patterns of these HEO satellites.
10. Shift-click to move in towards Earth until the continents are clearly visible. 11. Click any white dot that is near Earth, and examine the orbital patterns of these LEO satellites. 12. Shift-click until the Earth fills the applet window. 13. Choose Options→Update Rate→1⁄4 Second. 14. Choose Options→Timing→Real-time. 15. Note the movement of the satellites in LEO. 16. Choose Options→Timing→X100. 17. Note the movements of the LEO satellites at 100 times real-time speed.
456
Tactical Perimeter Defense
18. When you have finished examining the orbital patterns of the satellites, close the JTrack3d Applet and close Internet Explorer. 19. What type of satellite orbit, the LEO or the GEO, will introduce the largest delay in packet transmission? The GEOs produce the highest delay in packet transmission. You may be able to get high speeds, but the distance alone dictates that there will be considerable delay in the network packet transmission.
Radio Wireless Media Although infrared and satellite communications have their place in the wireless world, the emphasis today in regards to security is on radio waves. This is because the vast majority of wireless network communications take place on radio waves. Although people often think of the analogy of water waves, this is not quite accurate. Radio waves do not require a physical surface, such as the water wave. Rather, the radio waves ride on an electromagnetic (EM) wave, referred to as the EM field. Waves in the electromagnetic spectrum move at the speed of light, or 186,000 miles per second. There is similarity with the water wave in dissipation, however. If you throw a rock into water, a wave starts in a circular pattern and radiates out from where the rock entered the water. The circular waves get smaller, or dissipate, as they get farther away from the source. Radio waves are similar. They are broadcast from a source, and radiate out away from the source. The farther away from the source, the weaker the signal becomes, until it cannot be located. In the water, waves reflect off of surfaces, and can even bounce back onto another wave. This can happen with radio waves as well. If two waves collide at the right time, with both waves at their peak, the end result is that the waves are added (called in phase), resulting in a bigger wave. If two waves collide at the right time, with one wave at a peak and one wave at a trough (called out of phase), the end result is that the waves cancel each other out. Reflecting waves can cause problems for wireless networks, therefore, the device manufacturers have addressed this issue. One problem is that a signal can be broadcast, and due to bouncing off surfaces, will reach the access point multiple times and at different times. These bouncing waves cause interference, and in wireless networking this is called multipath interference. By using multiple antennas on the access point, the access point is able to compensate for the reception of multipath interference. Another form of interference that wireless networks must deal with is RF interference in the EM field. Devices such as cordless phones and microwave ovens produce signals in the EM field that are used by the wireless network. Devices in the 900 MHz and 2.4 GHz ranges are in the Industry, Science, & Medical (ISM) band, while devices in the 5 GHz range are in the Unregulated National Information Infrastructure (U-NII) band. The technology used to minimize the effect of these other devices is called spread spectrum technology.
Spread Spectrum Spread spectrum technology allows for bandwidth to be shared by multiple devices, so your microwave and wireless network are not going to battle over the exact same frequency at the exact same time. Spread spectrum works by splitting the information over multiple channels of communication. By splitting the inforLesson 9: Securing Wireless Networks
457
mation over different channels, if a person is sniffing one specific channel, they will not get useful information from that channel, only tiny pieces of larger transmissions. There are two primary methods of spread spectrum used in wireless networks: Frequency Hopping Spread Spectrum (FHSS), and Direct Sequence Spread Spectrum (DSSS).
Frequency Hopping Spread Spectrum (FHSS) During World War II, the emphasis on secure communications and transmissions was extremely high. Hedy Lamar and George Anthell came up with the idea of FHSS to keep enemies from jamming radios. The idea was to use a range of frequencies, and to send (or burst) a short amount of information on one frequency, then switch to another frequency, send (burst) some information, then switch frequencies again and send another burst of information, and so on.
Figure 9-9: Multiple signal bursts sent as an example of FHSS. During FHSS, the time that is spent on any one frequency is called the dwell time, and the amount of time that it takes to move from one frequency to another is called the hop time. A device using FHSS will transmit on the designated frequency and then move to the next frequency using the pre-defined sequence. Once the device reaches the last frequency, the device loops to the first frequency and starts the process over again. The sequence of frequency hopping creates a single channel.
Direct Sequence Spread Spectrum (DSSS) The DSSS system works differently from FHSS. Instead of hopping from one frequency for a burst, and then another, DSSS transmits on multiple frequencies together. These multiple frequencies are grouped together and called a band. Instead of sending the raw data, DSS performs an XOR calculation on the data at transmission.
458
Tactical Perimeter Defense
Figure 9-10: The XOR process of DSSS communications. This added data used in the XOR process is called the chipping code. By adding these codes, the original data is spread out, which increases the likelihood that the data will be received properly. The number of bits (chips) in the chipping code compared to the raw data is referred to as the spread ratio; higher spread ratios means higher chances of successful communication. The 802.11 specifications dictate that there are to be 11 chipping bits per raw data bit. Due to issues such as the use of multiple frequencies, and the inclusion of the chipping code, DSSS is able to achieve higher rates of transmission than FHSS. You should not think of either FHSS or DSSS as better than one another. Instead, you should realize that they are used for different functions. FHSS generally costs less to build, is used for devices that require shorter transmission distances, and has a lower overall speed. DSSS generally cost more to build, is used in devices that require greater transmission distances, and offers greater speed. From an administrative viewpoint, you may never deal directly with spread spectrum issues, they are more in the realm of the product manufacturer.
Bluetooth Although it is the most common technology for wireless networking, 802.11 is not the only wireless standard. Another common standard is Bluetooth. Bluetooth devices are generally FHSS devices, and are used in close proximity from one another. Bluetooth has found a market in device-to-device communications, such as PDA to computer, computer to a printer, automobile to phone headset, and so on. Bluetooth functions in the 2.4 GHz range, and has low-speed bandwidth, when compared to 802.11 standards, especially 802.11g. For these reasons, Bluetooth is not designed to be directly competitive with 802.11, rather a complimentary technology used for different purposes.
Short Message Service As devices continue to become smaller, and as people expect to be able to do more with their devices, new technologies are required. In wireless networking, one of these technologies is called the Short Message Service (SMS).
Lesson 9: Securing Wireless Networks
459
SMS is used to send and receive the short (up to 160 characters) text-only messages on devices like cell phones, pagers, and PDAs. This technology uses a store and forward system, which means that if the intended recipient is not available, the message can be stored for later transmission. Nearly all providers of cellular services offer support for SMS today, and security problems exist here just as they do with all other forms of wireless communication. Although SMS security is out of the scope of this course, here are a few examples of SMS security issues: • A Norwegian company found that a specific message sent via SMS to certain cell phones would freeze the phones, with the only solution being to remove the batteries. •
A virus called Timofon.A sends short SMS messages to random numbers. By itself, this is not a true virus, as users have to run a VBS script, but it hints at the potential.
•
SMS Bombers are being built to flood networks with messages.
IEEE 802.11 All forms of networking that have any success are built upon standards, and wireless networking is no different. The primary standard in the world of wireless networking is the 802.11 standard. The 802 LAN standards committee was created in 1980 by the Institute of Electrical and Electronic Engineers (IEEE), and in 1990 the committee created the 802.11 working group to discuss and define issues surrounding wireless networking. In 1997, the 802.11 working group finalized their first standard. The IEEE 802.11 standard was to address the Media Access Control (MAC) and Physical (PHY) Layers of network communication. 802.11 described three specific types of transmissions to take place at the PHY Layer: • Diffused Infrared, utilizing infrared transmissions. •
Direct Sequence Spread Spectrum (DSSS), utilizing radio transmissions.
•
Frequency Hopping Spread Spectrum (FHSS), utilizing radio transmissions.
The 802.11 working group quickly found that the project was growing at such a rate, and the amount of issues to discuss was growing. The solution to this problem was to create subgroups to handle each issue independently. These groups have been assigned a letter and appended to the 802.11 name. Several of these groups have produced standards that are used in the industry today, others are on the horizon, and others still will become obsolete.
802.11a In 1999, IEEE approved the 802.11a standard, calling it: High-speed Physical Layer in the 5 GHz Band. This standard utilizes Coded Orthogonal Frequency Multiplexing (COFM), and supports multiple data transmission rates. Supported rates are: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. Two 802.11a devices will connect using the fastest data rate (based on things like distance between nodes and signal strength), with a maximum rate of 54 Mbps. Work on this standard is considered complete.
460
Tactical Perimeter Defense
802.11b Also published in 1999, but slightly ahead of 802.11a, was the IEEE approved 802.11b standard, called: Higher-speed Layer Extensions in the 2.4 GHz Band. This standard utilizes High-Rate Direct Sequence Spread Spectrum (HR-DSS), and supports multiple transmission rates. Supported rates are: 1, 2, 5, and 11 Mbps. Work on this standard is considered complete.
802.11c The 802.11c working group was developed to manage MAC bridging operations. This type of standard is used by developers of hardware. The 802.11c working group on its own is complete, with continued discussion on this subject folded into the 802.11d working group.
802.11d As wireless networking came on the scene, and the 802.11 standard was available, there were only a few economies (such as the United States, Europe, and Japan) that had regulations on the use of the radio waves. In order for wireless networking to become global, standards would be required that comply with regulation of transmissions in various countries. The 802.11d working group is focused on the international regulations for the use of wireless networking.
802.11e An important issue in all of networking is Quality of Service (QoS). By ensuring high QoS, transmitting other types of information such as audio and video can be accomplished through a wireless network. The 802.11e group is working on standards to prioritize network traffic through the wireless network, to improve QoS. 802.11e addresses the MAC layer, and as such it will be compatible with all 802.11 PHJY networks.
802.11f The development of the original 802.11 standard did not address the communications between individual access points. This was done to provide for the maximum flexibility in an enterprise implementing various vendors’ products. This causes difficulty though, when there are many different types of vendor equipment in the network, that may have different methods of communicating. 802.11f is working to define the standards of communication between access points so that roaming wireless clients do not experience network problems, or have communications cut off. It is suggested that until this standard is complete, and all vendors comply, that you should use a single vendor to provide your wireless infrastructure.
802.11g A problem that developed during the initial standards process was that 802.11a and 802.11b did not communicate. So, although the ability to add the higher bandwidth of 802.11a was appealing to some, the lack of interoperability discouraged others. 802.11g provides the standards to provide higher speed, while being able to interoperate with other wireless networks. 802.11g utilizes OFDM to manage communications, provides for transmission rates of up to 54 Mbps, and operates in the 2.4 GHz range.
Lesson 9: Securing Wireless Networks
461
802.11h Specific European regulatory issues are discussed in the 802.11h working group. In Europe, there is a strong possibility that 802.11a devices, which operate in the 5 GHz range, will interfere with satellite communications, which are designated as primary use. Many European countries label wireless networking as secondary use.
802.11i There are serious security issues associated with wired equivalent privacy (WEP). The 802.11i working group was designed to address these issues. The result of the group’s efforts is a stronger security standard, including all the options that exist in Wi-Fi Protected Access (WPA), and adding the use of the Advanced Encryption Standard (AES). Some, including the Wi-Fi Alliance refer to 802.11i as WPA2.
802.11n With the ever-growing demands on wireless networks, speed is always an issue. The 802.11n working group develops enhancements to wireless networking technologies to achieve a higher throughput. The speed estimates out this standard at a 200+ Mbps rate. Through the use of multiple antennas, some vendors are claiming speed into the 400+ Mbps range.
Wireless Application Protocol The Wireless Application Protocol (WAP), detailed at the Wapforum (www.wapforum.org), is a specification that is open and utilized globally. Handheld devices, such as mobile phones, pagers, and PDAs, can interact with networks, such as the Internet through WAP. It is compatible with many wireless networking technologies including Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), and Global Systems for Mobile Communications (GSM). As of this writing, there was an estimated 855 million worldwide GSM users, 162 million CDMA users, and 124 million TDMA users.
web pages written in WML are called decks, and decks are constructed using cards.
462
Tactical Perimeter Defense
Since WAP is a protocol and application environment, it has the ability to be built into any operating system that is designed to use it. It is currently used in operating systems such as: WindowsCE, PalmOS, JavaOS, and OS/9. Mobile devices work by using WAP microbrowsers that are built into the device. These are similar to the full-scale Internet browsers, such as Netscape and Internet Explorer, only scaled down to the minimum requirements. Many mobile devices can communicate via HTML and/or XML, but there is a language specifically for the wireless devices. That language is called Wireless Markup Language (WML). WML is based on XML, and web content accessed via WML will have the .wml extension, similar to the .html extension of web pages. The programming of WML looks very similar to that of HTML or XML. There are in fact XML tags in WML pages. The following code example shows what two WML cards look like in a WML deck:
<wml> Hello World!
This is the second card text!
WAP itself, like all specifications, has gone through several versions since it was first introduced. WAP v1.0 was introduced in April 1998, WAP v1.1 in June 1999, WAP v1.2 in November 1999, and WAP v2.0 in the summer of 2001. The 1.0 version of WAP used a WAP gateway, often a separate computer to act as the literal gateway between the WAP client and the web server hosting the files.
Figure 9-11: The original WAP architecture. In the original WAP architecture, protocol conversion was required at the WAP gateway. This is due to the WAP devices not speaking the language of the Internet. With WAP v2.0 devices, the gateway protocol conversion is not required. This is due to devices running the WAP v2.0 stack being able to utilize TCP/IP, and speak through a proxy to the Internet.
Lesson 9: Securing Wireless Networks
463
Figure 9-12: The two common stacks of WAP.
TASK 9A-2 Choosing a Wireless Media 1.
You have been contracted to design the wireless network for your new client. This client has three offices, all within the same two-block radius. They are three independent offices, each in a multistory building, which do not require frequent resource access to any of the other offices. The only authorized communications that can be sent from one office to another are email or other approved instant messages. There are some slight obstructions, such as trees, that prevent perfect line-ofsight between all three buildings. You have asked the client, and have been informed that removal of the trees is not permitted. Based on this information, which media type will you recommend to the client, and why? You will recommend using radio waves as the media, by configuring the networks to use radio waves and a directional antenna, such as a yagi, to increase the strength and range. The radio wave option should provide the client with an inexpensive solution.
464
Tactical Perimeter Defense
Topic 9B Wireless LAN (WLAN) Fundamentals WLANs are built upon the 802.11 standards and are designed to operate similarly to their wired counterparts, running the 802.3 (Ethernet) standard. One difference (other than the lack of those pesky wires!) is that 802.11 networks use Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA), whereas the 802.3 networks use Carrier Sense Multiple Access/Collision Detection (CSMA/CD). In the CSMA/CD networks, the nodes listen to the wire to see if it is clear to transmit. Since the 802.11 nodes are not on a single physical media like the 802.3 networks, CSMA/CD will not work. Instead, the WLANs use CSMA/CA where each node sends a short broadcast preceding each transmission.
The Access Points The AP in the network is what the end nodes will be communicating within the network. Placement of the AP can have a significant effect on the overall speed and transmission in the WLAN. If the AP is placed near a source of high EMI, then the network will be negatively affected. Likewise, the height of the AP may have an effect. For many network administrators, the AP placement is a process of trial and error. First decide on the placement as best you can by analyzing the layout, trying to avoid anything that will cause interference. After the AP is placed, run bandwidth tests from various locations, where the end nodes will likely be located. Then, move the AP to a different location, perhaps moving it higher on the wall, and run the bandwidth tests again. After you have run a group of tests, you will know the optimal placement for your unique situation.
SSID Wireless networks have a component called the Service Set Identifier, or SSID. The SSID is a 32-character unique identifier that gets attached to the header of WLAN packets. The SSID is designed to identify individual WLANs, so that devices connect to the proper WLAN. This is a value that should be configured upon setting up security on a WLAN. The SSIDs are well known for many manufacturers, and changing this value to one that is not well known is one of your initial steps in your WLAN security. Access Points are configured, usually by default, to broadcast their SSID in what are called beacon frames. This function allows authorized users to find their proper WLAN easily, but also informs any attacker the name of the WLAN segment. The beacon frames are broadcast in plaintext; there is no encryption of these transmissions. Most WLAN analyzing software will listen for SSID beacon frames, and report that information back, making the location of the networks simple. If your network will allow for it, you should turn off the SSID beacon frame broadcast.
Lesson 9: Securing Wireless Networks
465
Association A unique aspect of the wireless network is that nodes that are going to use an access point must first associate with an access point. In the wired network, the node is simply turned on and plugged into the cable, there is no association required for the local hub or switch. In the wireless network, the node must be turned on, and then associate or join, a wireless access point. Association is the process of a WLAN client associating with an AP in the WLAN.
This process of association is accomplished by the wireless node knowing what its SSID value is, and looking for an SSID value that matches its known value. The vast majority of network cards now include an option that scans the local radio waves and lists the possible networks that the WNIC can attempt to associate with. It is an attempt to associate first; the WNIC must be authenticated as well, and then association can be successful.
Authentication One step in the WLAN client being able to use the WLAN is association, but that may not be enough. The second step that may be required in the network is authentication. Authentication can happen in one of two general methods, as per the IEEE 802.11 specification: open system authentication and shared-key authentication. Open system authentication is simply when there is no encryption and all communication is done in clear text. The WLAN client can authenticate in the open system without having to know any key information. In the shared-key authentication system, a key is required, and the key system must be used on both ends of the communication, meaning both the AP and the WLAN client must be using the same system.
WLAN Topologies When building your WLAN, you have two major types of networks to build. You can build a WLAN in either ad-hoc mode or in infrastructure mode. Neither of these topologies are right or wrong, they just have different functions.
Ad-hoc Mode The ad-hoc is perhaps the fastest WLAN to build. No APs are required from the ad-hoc mode WLAN. In this case, you install and configure the wireless network card on multiple end nodes, and they all have the ability to interact directly with any other node. This is a true peer-to-peer network with no single point in control.
466
Tactical Perimeter Defense
Figure 9-13: An example of an ad-hoc WLAN configuration. When you group several end nodes together in the ad-hoc mode those nodes create what is called an Independent Basic Service Set (IBSS). These nodes are grouped together by all using the same SSID.
Infrastructure Mode Although the ad-hoc mode may be the fastest for you to set up, it is not likely the mode you will use in a production environment. In the enterprise, you are much more likely to use the infrastructure mode. In the infrastructure mode, your network clients are configured with the SSID of an AP. All the clients who are going to be grouped together have the same SSID. The AP then acts as the central point in the network. The request of each node is received by the AP, and then transmitted to the network. If you have a single AP, that does not overlap with any other WLAN segments, then you have created a Basic Service Set (BSS). You can create an Extended Service Set (ESS) by grouping BSS to form a single subnetwork. Just about all APs that are made today have at least one Ethernet port on them, allowing you to seamlessly connect your wired clients into your wireless network. You will usually connect the Ethernet port of the AP to a hub, switch, or other network connecting device.
Lesson 9: Securing Wireless Networks
467
Figure 9-14: An example of an infrastructure mode WLAN configuration.
Lesson Configuration There is quite a bit of hardware used in this lesson. For the tasks and screenshots there were multiple WNICs and APs used, and both ad-hoc and infrastructure mode will be used. For this lesson, there are two configured clients, one Linksys WPC54G and one Netgear WPN824, used in laptop computers.
Prepare for the Ad-hoc Network The first network type you will configure is an ad-hoc network. This will allow for a small network to be established in a very short amount of time. This first network will not have security running, and can be viewed as a guide of the steps required to get an ad-hoc network operational. In this first task, you will configure the Linksys 54G card, which can run 802.11b and 802.11g. Note — as most of the machines you will configure wireless networking upon will be clients, these tasks have been written using laptops running Windows XP. For the SCP certifications questions about the wireless networks are based on the wireless tools and techniques shown here, not on the built-in Windows wireless networking solution.
468
Tactical Perimeter Defense
TASK 9B-1 Installing the Linksys WPC54G WNIC Setup: This task is performed on the first Windows XP laptop. 1.
Log on to Windows XP Professional.
2.
Insert the Linksys WPC54G setup CD-ROM into the CD-ROM drive. If the setup program does not autorun, navigate to the CD, and double-click the Setup.exe file.
3.
In the Linksys Welcome screen, click the Click Here To Start button.
4.
Read the License Agreement, and click Next. The setup files will now be installed to your computer.
5.
When prompted, insert the WNIC into the computer, then click Next.
6.
The Linksys Available Wireless Network screen will open. Click the Manual Setup button to create a profile.
7.
Select the Specify Network Settings radio button: • In the IP Address text box, type: 10.0.10.30 •
In the Subnet Mask text box, type: 255.255.255.0
•
In the Default Gateway text box, type: 10.0.10.1
8.
Leave the DNS text boxes blank, and click Next.
9.
Select the Ad-Hoc Mode radio button.
Lesson 9: Securing Wireless Networks
469
10. In the SSID text box, type Ad_Hoc_1 and click Next.
11. In the Channel drop-down list, select Channel 3 and click Next. 12. In the Security drop-down list, select Disabled and click Next. (You will add security features later in the lesson.) 13. Confirm your settings are correct, and click Save.
470
Tactical Perimeter Defense
14. Verify your IP Address settings via Windows Networking. Note, on some systems the Linksys configuration tool will not configure the Windows IP settings. In this case you will be required to manually configure the WNIC. IP: 10.0.10.30 / 24 DG: 10.0.10.1 15. Leave the screen open, as you will return to it shortly.
Configure the Second WNIC For the ad-hoc network to function, you need at least two WNICs to communicate with each other. Now that you have installed and configured on single node in the network, you need to configure a second node. Once both are configured properly, then the ad-hoc network can begin.
TASK 9B-2 Installing the Netgear WPN511 Setup: This task is performed on the second Windows XP laptop. 1.
Log on to Windows XP Professional.
2.
Insert the Netgear WPN511 CD-ROM into the CD-ROM drive. If the setup program does not autorun, navigate to the CD, and double-click the autorun.exe file.
3.
In the Netgear SmartWizard screen, click the Install Software button.
4.
In the Welcome screen, click Next.
5.
Read the License Agreement, and click Accept.
6.
Accept the default Destination Folder, and click Next. The setup files will now be copied to your computer.
7.
Once the software installation is complete, click Next. The setup files will finish their installation.
8.
Insert your Netgear WPN511 card into your computer, and click Next.
9.
In the Country drop-down list, select your country, and click Agree.
Lesson 9: Securing Wireless Networks
471
10. Keep the default selection to use the Netgear Smart Wizard for your wireless connection, and click Next.
11. Select the No, I Want To Configure It Myself radio button, and click Next. 12. Choose Start→All Programs→Netgear WPN511 Smart Wizard→Netgear Smart Wizard. The tool to configure the Netgear WNIC will open. 13. In the Network Name text box, type Ad_Hoc_1 14. In the Network Type section, select the Computer-to-Computer (Ad Hoc) radio button.
15. Click the Initiate Ad Hoc button.
472
Tactical Perimeter Defense
16. From the Channel drop-down list, select Channel 3 and click OK.
17. Click the Apply button. 18. Open the Windows Network Connections window, right-click the newly installed Netgear WNIC, and choose Properties. 19. Select Internet Protocol (TCP/IP), and click Properties. 20. Select the Use The Following IP Address radio button. 21. Enter the following configuration: IP 10.0.10.31, SM 255.255.255.0, DG 10.0.10.1, click OK, click Close, and close the Network Connections window. 22. In the Netgear WPN511 Smart Wizard window, select the Networks tab. 23. Select the Ad_Hoc_1 network, and click the Connect button. (If no network is listed, click the Find a Network button.)
Lesson 9: Securing Wireless Networks
473
24. Click the Apply button. You will be connected to the Ad_Hoc_1 network from this computer.
25. Leave the Wireless Network Connection window open for subsequent tasks.
Enable the Ad-Hoc Network Now that you have both WNIC installed and the Netgear card is connected to the Ad-hoc network, you need to simply connect the “other” side of the network. In the following task, you will connect the Linksys WNIC, thus enabling the Ad Hoc network.
TASK 9B-3 Enabling the Ad-Hoc Network
474
Tactical Perimeter Defense
1.
Verify that you are at the computer with the Linksys WNIC installed.
2.
In the Site Survey screen of the Linksys Network Monitor Tool, click the Refresh button. You should now see the Ad-Hoc_1 network available.
3.
Select the Ad-Hoc_1 network, and click Connect.
4.
Once connected, you will see that you have successfully joined the Ad-Hoc network.
5.
Click the More Information button to see the details of this connection.
6.
If you wish, open a command prompt and perform a ping test from one computer to the other to confirm the wireless network is functional.
Lesson 9: Securing Wireless Networks
475
802.11 Framing Although you will likely never directly work with the design or physical architecture of any wireless network device, you do need a strong understanding of how the 802.11 network functions in order to implement solid networks. At first glance, it seems that the 802.11 network functions in the exact same way as the Ethernet networks. Upon further investigation you will notice that, although the appearance is the same, the 802.11 network has very real differences from the Ethernet network. The Ethernet network framing is essentially to take the data, add a preamble, add the required addressing information, such as IP, and add an integrity check (or Frame Check Sequence) on the end. The wireless network however, must add more information than that. In the 802.11 network there are multiple frame types. The three 802.11 frame types are: data frames, control frames, and management frames. The data frames are the frames that you will see on the network the most, these carry the actual data from one node to another. The control frames are for functions like carrier-sensing (like modems) and acknowledgement. The management frames are what a node uses to join (or associate) and to leave (or disassociate) an access point.
Frame Format The first thing you will notice when looking at the 802.11 frame is that the MAC uses four address fields. Every 802.11 frame will not use all four fields, and values that are assigned to the different address fields can actually change based on the type of MAC frame that is being transmitted.
Figure 9-15: The format of an 802.11 MAC frame.
Frame Details An in-depth discussion of the 802.11 framing format is beyond the scope of this course.
476
Tactical Perimeter Defense
Every 802.11 frame begins with a two-byte frame control subfield that is divided into several different subfields. One of the subfields is the protocol version. The protocol version subfield is a two-bit value, which indicates what version of the 802.11 MAC is found in the frame. Currently, there is only one supported version of the 802.11 MAC, and that has been given a protocol ID of 0.
Figure 9-16: The frame control of the 802.11 frame, expanded showing its internal contents. The second subfield is the type. This indicates the type of subtype to follow. If this is set to 00, then management frames are to follow. If this is set to 01 then control frames are to follow, and if this is set to 10, then data frames are to follow. The third subfield is called the subtype, which is related to the type of field just discussed. This subfield is a four-bit value, which indicates the subtype of the frame. Management subtypes are identified in the following table. Management Subtype Value
Subtype Name
0000 0001 0010 0011 0100 0101 1000 1001 1010 1011 1100
Association request Association response Reassociation request Reassociation response Probe request Probe response Beacon Announcement traffic indication message Disassociation Authentication Deauthentication
Using the table as reference, you can identify two common subtypes: The association request (0000), and the beacon (1000). Another subfield is the WEP field. When this is set to 1, WEP is in use, and when this is set to 0, WEP is not in use.
The Beacon Subtype Value is 1000.
Lesson 9: Securing Wireless Networks
477
By now you have noticed that there are multiple entries for addresses in the frame format. The 802.11 frame can use up to four address fields, generally numbered one through four. Address field one is a receiver, address field two is a transmitter (or sender), address field three is filtering, and address field four is optional. The sequence control field is used for multiple purposes. It uses 4 bits to manage fragmentation and 12 bits to manage sequence numbers. If a higher-level packet needs to be fragmented, the sequence number will be constant for all the fragments, but the 4-bit fragment number will increase by 1 for every new fragment. The data field is where the upper layer payload goes for transmission. This field has a maximum payload value of 2304 bytes of data, and has a maximum size of 2312 bytes. The additional 8 bytes are to allow for the extra information required of WEP, which must be supported. Finally, there is a frame check sequence (FCS) field. This is similar to the FCS in Ethernet and other networking systems. The FCS allows for an integrity check on the frame, but there is a difference in the wireless network. The difference in the 802.11 format, is that there is no negative ACK if a frame fails the FCS. Instead the nodes must wait for an ACK timeout before they retransmit.
802.11 Addressing As you saw earlier, there are four address fields in the frame, all of which do not have to be used in each transmission. Before you can make a connection between an address and an address filed, you need to be aware that there are multiple types of addresses in the 802.11 wireless networks. These addresses can be given the DA, RA, SA, and TA acronyms. Their definitions are as follows: • Destination Address (DA): This is the MAC address of the node that is to ultimately process the frame. •
Receiving Address (RA): This is the MAC address of the node that will receive the frame. Note, this does not have to match the DA.
•
Source Address (SA): This is the MAC address of the node that created the frame.
•
Transmitting Address (TA): This is the MAC address of the node that transmitted the frame. Note, this does not have to match the SA.
The address fields will change based on the frame format. For example, the third field can hold the SSID address, the DA, or the SA, based on the frame. Where there is consistency is in the field that holds the transmitting address, this is address field two. Address field one is designed for the recipient of the frame, which you must note does not mean the final destination of the frame, only the recipient of the current frame. The SSID used in MAC address field is not the same as the manually entered SSID value.
478
Tactical Perimeter Defense
When the network is in infrastructure mode, the address used is the SSID address. This is not the same as the SSID that has been manually assigned to the network, such as the default Linksys. The interface on the physical AP requires a MAC address, just as any other interface does. In Infrastructure mode, the SSID address is the MAC address of the AP that is participating in the Infrastructure network.
One reason that there are multiple options here for the addressing is that there are multiple methods for establishing a wireless network. For example, in the most straightforward network, all the nodes simply talk directly to one another; this is the ad-hoc network. Another network could be where all the end nodes communicate only with the Access Point. Finally, you could link two (or more) wireless networks together, with the Access Point of each one functioning as a bridge to the other network. Figure 9-17 identifies the addresses that would be assigned to each of the four address fields, and the DS settings, based on the function.
Figure 9-17: The settings of the address fields, based on the frame function. From this figure, you can identify that the most basic addressing is in ad-hoc mode, where the frame has a simple DA and SA. This is the closest to the traditional Ethernet network that most network professionals are familiar with. Of note in this table are the configurations of the ToDS and FromDS bits. DS is the Distribution System, for example the Ethernet network that is connected to the wired side of an AP. If both the ToDS and FromDS bits are set to 0, then the frame is on an ad-hoc network. When the ToDS is 1 and the FromDS is 0, this indicates a frame that is transmitted from a node to an infrastructure network. Conversely, when the ToDS is 0 and the FromDS is 1, this indicates a frame that is received for a node in an infrastructure network. Finally, when both the ToDS and FromDS are set to 1, then the frame is on a wireless bridge, from one wireless network to another.
When the ToDS and FromDS are both set to zero; the frames are for a network running in ad-hoc mode.
Lesson 9: Securing Wireless Networks
479
Figure 9-18: The addressing of two nodes in an ad-hoc network. When two nodes are communicating in ad-hoc mode, the addressing is clear-cut. The SSID is identified in the third address field, and the receiver and transmitter addresses are entered. This is the most straightforward of all the addressing options.
Figure 9-19: The addressing of two nodes and one AP in an infrastructure network. In this second example (an infrastructure network), the addressing becomes more complex. When the two end nodes initiate their communication, the ToDS bit is set to 1 and the FromDS bit is set to 0, which indicates a frame sent to an infrastructure network. The address field one is the receiving address (RA), which is the SSID, and address field two is the source address (SA). In this case the node 480
Tactical Perimeter Defense
that originated the frame is the SA; this is because the frame is sent to the network, not directly to the end node. Notice that address field three is used; in this case it holds the destination address of the frame. The destination address is for the node that is to ultimately process the frame. As the frames are moved from the AP to the respective end nodes, you can see that the ToDS bit is now set to 0 and the FromDS bit is now set to 1. This indicates the frame is intended for an end node, coming from the infrastructure network. Address field one now contains the address for the actual intended node that will process the frame. Address field two contains the SSID, where the frame was transmitted from, and address field three contains the source address, where the frame originated.
In infrastructure mode, when a frame is sent to the AP, address field one contains the SSID address.
In infrastructure mode, when a frame is sent from the AP, address field one contains the destination address.
Figure 9-20: The addressing of frames in a wireless bridge network. In the final addressing example, you have two APs in wireless bridge mode that are connecting two wireless networks. In this example, you have frames that are of different functions in the network. The frame that leaves the node that started the transmission sends a frame that is in infrastructure mode, and is sent to the AP, with the final destination address in the third address field. When the frame gets to the AP, the network is in bridge mode between the two points, and the ToDS and FromDS are now both 1s. It is at this time that all the address fields are used, and it is here that the distinction between transmitting and sending and receiving and destination addresses are clear. At the AP, with MACs 2345 and 3456, the frame has a receiving address of 4567, the MAC on the other side of the bridge. The final destination address is 6789, this is how the addressing makes the difference between a point receiving the frame, and the end node that is to finally process the frame. Also at the AP, the frame has a sending address of 1234, as that is where the frame originated, but the transmitting address is 3456, the AP that is sending the frame to the next access point. When the frame is received at the second AP, the frame is then formatted as a frame in infrastructure mode, with the ToDS set to 0 and the FromDS set to 1. This frame is then sent to the node that will process the frame, and the series of frames are complete. In the event that a response to the original sender is required, the same process will happen, only in reverse.
Lesson 9: Securing Wireless Networks
481
Access Point Configuration In order for the network to evolve from an ad-hoc to an infrastructure network, you need at least one AP. In this section, you will walk through the steps required to configure an AP with basic settings. At this time, the goal is to create a simple infrastructure network, running with one single AP, without WEP or any other advanced configuration. Most APs will have one of two methods of connecting, and performing the initial configuration. One of the methods is to connect a USB cable from the AP to a computer that will run the configuration. A second method is to connect via a network protocol, with the AP connected using a Cat5 cable versus a USB cable. This second method, of connecting through the network, generally through a web browser is becoming very common. In this task, the steps for installing and configuring the first AP are shown. This lesson has two different APs installed, and you will walk through the steps of installing each AP. The Linksys AP requires a connection through the 192.168.1.0 / 24 network, so you must configure your computer to this network for the initial communication.
TASK 9B-4 Installing the Linksys WAP54G Access Point 1.
Log on to Windows 2003 Server as Administrator.
2.
Open the Properties of your LAN adapter.
3.
Select TCP/IP, and click Properties.
4.
Enter the following IP Addressing information: • IP Address: 192.168.1.145 •
Subnet Mask: 255.255.255.0
•
Default Gateway: This may be left blank
5.
Click OK twice, and then click Close.
6.
Physically locate the WAP54G access point where you want it in the room. If possible, this should be a high point in the room, and not near any source of EMI.
7.
Insert the Linksys CD-ROM into the CD-Rom drive. If the setup program does not autorun, navigate to the CD, and double-click the Setup.exe file.
8.
In the Welcome screen, click the Click Here To Start button.
9.
Plug in the WAP54G power cord and plug in the supplied network cable, then click Next.
10. Connect the WAP54G to the network, and click Next. 11. Connect the WAP54G to an outlet, and click Next.
482
Tactical Perimeter Defense
12. Verify all three LEDs are lit on the front panel, and click Next. 13. Note the status of the new AP, including the default IP Address, and click Yes.
14. Type the default password of admin and click Enter. For ease of running the course, you will leave the default password in place. In a production environment, you would use a strong password here. 15. In the IP Address text box, type 10.0.10.1 16. In the Subnet Mask text box, type 255.255.255.0
Lesson 9: Securing Wireless Networks
483
17. Leave the Default Gateway text box empty. Once you have entered this information, click Next.
18. In the Configure Wireless Settings window, click the Enter Wireless Setting Manually button. 19. In the SSID text box, type SCP_1 20. Leave the Channel drop-down list on Channel 6. 21. In the Network Mode drop-down list, select G-only, then click Next.
484
Tactical Perimeter Defense
22. At this time, you are not configuring Security options, select the Disable radio button, and click Next. 23. Confirm your settings, and click Yes.
24. Click Exit to close the Access Point configuration tool.
Configure the Infrastructure Clients Once the AP is configured and running in the network, there needs to be clients connected to make the Infrastructure network functional. In this section, you will reconfigure the client computers to associate with the AP, establishing the infrastructure network. It is assumed that the initial installation of the clients have been completed, and in these tasks, you will move directly to the client configuration.
TASK 9B-5 Configuring the Linksys Client 1.
Log on to the computer with the Linksys WPC54G installed.
2.
In the Windows system tray, right-click the Linksys WPC54G monitor icon, and choose Open The Monitor.
Lesson 9: Securing Wireless Networks
485
486
Tactical Perimeter Defense
3.
Click the Site Survey tab. You will now see the new AP that has recently been configured.
4.
Click the Profiles tab.
5.
Click the New option. Type SCP-1 in the text box, and click OK.
6.
Select the SCP-1 network, and click Connect.
7.
Once you are connected in Infrastructure Mode, click the More Information button to see the details of the connection.
Adding Infrastructure Network Clients To make your network more functional, you will need other clients. You currently have one AP and one Infrastructure client. In the following task, you will configure the second wireless networking client.
TASK 9B-6 Configuring the Netgear Client 1.
Log on to the computer with the Netgear WPN511 installed.
2.
In the Windows system tray, click the Netgear WPN511 Smart Wizard icon.
3.
Click the Networks tab, and highlight the SCP-1 network by clicking on it.
4.
Click the Connect button. The adapter will now connect to the SCP-1 network.
Lesson 9: Securing Wireless Networks
487
5.
To make the changes to the adapter’s configuration, click the Apply button. You are now connected in Infrastructure mode.
6.
If you wish, open a command prompt and perform a ping test from one computer to the other, and to the access point itself, to confirm the wireless network is functional.
WLAN Threats The threats facing the WLAN are similar to those facing the LAN, with some variation due to the open medium of the wireless network. The techniques used to counter the threats will be discussed later in this lesson. You will start with some of the passive threats.
Eavesdropping and Analysis One threat that is very prevalent in the WLAN is that of passive eavesdropping and analysis. Passive eavesdropping is the easiest of all the threats to the WLAN. A person with a laptop and a wireless network card in promiscuous mode can simply sit outside of the physical boundary of your network and receive packets. The attacker does not need to attempt to connect to the network at this time, only listen. By receiving packets, a skilled attacker can then analyze the network traffic. This may lead to the attacker learning protocol information and operating system information. Attackers can increase the range from which they can receive a signal by using specialized antennas. These antennas can pull in signals from well outside the range of the normal WLAN client. Attackers do not need to buy expensive antennas for this; there are reports of people making successful longrange antennas out of aluminum cans, washers, and pipes.
488
Tactical Perimeter Defense
War Driving Something that may not be a specific threat to the WLAN, but in the same category is that of war driving. War driving is the practice of building a mobile wireless machine, with software designed to learn and map wireless networks. In addition, war drivers may have a powerful external antenna and a Global Positioning System (GPS) device. Using a GPS, the attacker can record the exact longitude and latitude of the network that was found while driving. Along with war driving is a practice called war chalking. War chalking is where a person who has found a WLAN via war driving marks the location with a symbol. These symbols represent open networks, closed networks, protected networks, and more. The growing list of symbols used to identify networks is changing frequently.
Figure 9-21: Example of the three main symbols of war chalking. In the figure, the symbol on the left indicates an open network, where the SSID is being broadcast by the AP. When chalked, the symbol will include the actual SSID located and the bandwidth at that point. The middle symbol is a closed network, where the AP is not broadcasting the SSID. This symbol will also list the SSID, once discovered, and the speed of the connection. The symbol on the right is one that is protected using the Wired Equivalent Privacy (WEP). WEP will be discussed in more detail later in this lesson. The WEP symbol, along with the others, may also contain other information; there is no restriction on what can be written down. If you come into the office and see a symbol like this near your network, you should address the security of the network right away.
Gaining Access An interesting problem that is unique to the WLAN versus the wired network is that of DHCP. If the WLAN is using DHCP, then any client that turns on in range and asks for an IP address will be given one. This may include attacker computers. In some instances, the entire job of the attacker gaining unauthorized access is to simply find a WLAN, and there are many tools available to locate WLANs.
Lesson 9: Securing Wireless Networks
489
Networks that use DHCP must employ another system to defend their wireless network; otherwise any client may gain access. Even if there were operating system level security measures in place to prevent unauthorized users from accessing a server, they would be in the network. Furthermore, you could have two or more users accessing the network and communicating with each other, happily using up your wireless bandwidth. The man-in-the-middle attack is one that exists on the wired network, and exists in the wireless world as well. For this to work, the attacker is positioned between two end points, which is trivial on the wireless network, as being between the two points does not mean a straight line. The attacker breaks the connection that is established between the target node and the AP. (The connection can be broken using an RF Jammer or other form of electrical interference.) The attacker then configures the attacking machine as the new local AP for the target, and allows the target to successfully associate with the attacker machine. The attacker will then route the packets through to the legitimate AP. All packets can then be stored and analyzed for whatever purpose the attacker has in mind can be carried out.
Denial of Service One common threat for all forms of networking is the denial of service. For the WLAN this can take on new meaning, as there are natural bandwidth restrictions on the network to begin with. The WLAN has a limited amount of bandwidth to share among all the WLAN clients. This is due to the physical restriction on the number of radio waves available to carry data. Unlike the wired network, where each node to the switch may have dedicated bandwidth, in the WLAN all nodes share the same 10 MB, and this is amplified when you consider the devices are half-duplex. This is a perfect example of why two nodes connecting via DHCP can cause problems on the network, even if they do not attempt to gain access to servers. Simply performing large file transfers can tie up the network, or setting up a continuous ping sequence, or transmitting large malformed packets.
Topic 9C Wireless Security Solutions Although there are risks to using wireless networking, there are also solutions to make the wireless network secure. It can be argued that the wireless network can never be as secure as the wired network, but there are solutions that you can implement to provide reasonable levels of security on your wireless networks. In this topic you will examine and implement several of these solutions.
490
Tactical Perimeter Defense
Wireless Transport Layer Security (WTLS) As the WLAN grows and becomes more a part of our everyday life, and as remote devices use WAP more, security of these networks is of obvious importance. One tool available to the security professional is Wireless Transport Layer Security (WTLS). WTLS has basic goals: to provide data integrity, privacy for the two end points, and authentication between the two end points. The WTLS stack is designed specifically for the low bandwidth and high latency networks that are used for wireless communication.
WTLS Origins WTLS is considered a security protocol for wireless networking, most specifically applying to WAP, and is sponsored by the WAPforum. WTLS is designed to provide for the assurance that messages sent to and from end points in the wireless network have not been modified. WTLS is based on TLS, which is based upon SSL.
WTLS Authentication When moving towards the security of a trusted network, authentication is a requirement. WTLS is no different. The method of authentication used in WTLS is certificates. It is possible to implement WTLS to not require certificates, but in order to increase the security, certificates are recommended. Various formats of certificates are allowed in WTLS, including the X.509v3 format.
WTLS Components WTLS is split into multiple components. The lower layer is called the Record Protocol (RP). The RP takes the raw data from the higher layers, performs compression, encryption, and transmits the data. Likewise, upon receipt the RP takes the data, performs decompression, decryption, and moves the data up to the higher layers. The RP also performs message checking to verify the message has not been altered. Once the RP has done its job, it will deliver the data to the four higher-level clients of WTLS.
Figure 9-22: The components of WTLS. There are four higher-level clients in the design of WTLS: handshake protocol, alert protocol, application protocol, and change cipher specific protocol. Although the extensive details of each of these are beyond the scope of this book, you should be familiar with the function of each client.
WTLS Handshake Protocol The WTLS handshake protocol client allows the two end points in the communication to agree upon the security parameters of the communication. This includes issues such as the protocol version used, cryptographic algorithms used, and the handshake procedure. Lesson 9: Securing Wireless Networks
491
Figure 9-23: The WTLS handshake process. There are several steps to the handshake of WTLS. The first step is done from the client, just as in SSL, the client initiates the communication by sending a hello message, called ClientHello, to the server. The server responds with a ServerHello message. Between these two hello messages, the client and server are agreeing upon the session configuration. When the client sends the initial hello message, the client will indicate the cryptographic algorithms that the client supports, and the server hello message will include the algorithm chosen in the response. After the initial hello phase the server will send its certificate, called ServerCertificate, and will request the client’s certificate. At this time, the server will also send the ServerKeyExchange, which is used to give the client the public key, which will be used to exchange the pre-master secret value. The master secret value will be the final piece used in the session. The server will then send a ServerHelloDone message, indicating to the client to move on to the next step in the handshake. Upon receipt of the ServerHelloDone message, the client proceeds to send the requested certificate and a ClientKeyExchange. The ClientKeyExchange contains either the pre-master secret value (encrypted with the server’s public key) or other information to use in completing the key exchange. The client then sends an optional ChangeCipherSpec message. Finally, the client will send a Finished message to the server. The Finished message contains a verification of the agreed upon information for the session. The server will respond with a Finished message as well, verifying the security and session parameters. The server will also send a ChangeCipherSpec message, and the session will be established.
492
Tactical Perimeter Defense
In the event that the session gets disrupted during communication, there is a means to re-establish the session without a complete new handshake. During a session, there is a SessionID assigned to the communication between the two end points. If communication is cut, the client will send a ClientHello message, only this time it will include the previous SessionID. The server responds with a ServerHello, also with the SessionID. Upon matching the session, a ChangeCipherSpec message will be sent, and then the session can be resumed without the complete handshake.
WTLS Change Cipher Specific Protocol The ChangeCipherSpec Protocol message can be sent by either the client or the server. This message indicates a change in the cipher used for the communication. The changing of the cipher can happen upon the re-establishment of a session, but is most often part of the original handshake process.
WTLS Alert Protocol The WTLS Alert Protocol is what manages error handling in the session. There are three states of alert messages: warning, critical, and fatal. These messages are sent in whatever the current state the session is in, encrypted, non-encrypted, and so on. The warning message is a standard message warning of an existing condition. If a critical alert message is sent, then both ends ensure the secure communication is terminated. However, other connections are allowed to continue using the secure session, and the existing SessionID may be used to establish a new secure connection. If a fatal alert message is sent, then both ends ensure the secure connection is terminated. Other connections between the two ends using the same secure session may continue, but the SessionID associated with the fatal alert is invalidated, meaning the terminated connection cannot be used for new secure connections.
WTLS Application Protocol In WTLS, the Application Protocol is simply a means for interfacing with the upper layers. In the context of this course there are no security ramifications or technical issues that network administrators and professionals will have to configure.
Fundamental Access Point Security On most modern access points there are a few things, outside of cryptography, that you can do to increase the security of your wireless network. One is to disable the SSID broadcast, removing the constant announcement that you have a wireless network available. Another is to enable MAC address filtering, which allows you to list the allowed and/or disallowed MAC addresses for your network. By disabling the SSID broadcast you are taking a simple step by removing the AP that constantly sends out frames to the world that your wireless network is here, this is the SSID, and to please try to associate. It is better to keep that quiet. Allow the end node to send a frame to the AP, and let the AP respond. An attacker that is listening to the radio waves around your network will still likely get this SSID information, but at least your APs are not specifically trying to contact the attacker. Lesson 9: Securing Wireless Networks
493
The MAC address filtering is a bit more tedious, but provides a bit more control and security over the network. The process of filtering is very direct, you create a list of addresses, then define that as allowed or disallowed. The common implementation of the MAC address filter is to build the list of allowed addresses and mark them as allowed. Your filter then defines all other addresses as disallowed. This is not a solution to rely on as your main system since MAC addresses can be spoofed. Neither SSID broadcast disabling nor MAC address filtering are enough protection for you to consider your wireless network secure, but they are reasonable layers you can add to your defense. The key to protecting your enterprise is to create layer upon layer that work together to protect your resources, and these are two small options that add layers.
Wired Equivalent Privacy (WEP) When the 802.11 standard was created, those involved in the project were very aware of the problems of wireless communications in regards to security. In the wireless network, the word broadcast takes on a whole new meaning. WEP was designed to provide levels of confidence in the security of the radio signals, as they would be encrypted. The initial response to WEP was positive, that WEP would ensure the security of the wireless transmissions, and nearly all equipment vendors support WEP. However, the one thing that is true regarding cryptography is that there is no perfect system. Eventually flaws and modern technology will force the move to new forms of cryptography. This usually takes some time, but for WEP the time went by very quickly. The general points regarding the implementation of WEP shows some weakness in the overall design. For example, WEP is not a security system that is turned on by default. It is up to administrators and/or users to enable WEP, and then up to those same people to properly configure it. Also, WEP utilizes a pre-shared key, where both the AP and WNIC must be made aware of the key, or series of available keys.
Cryptography and WEP WEP uses a symmetric key system, where the secret key is shared between the two end points, the AP and the WNIC. There is no standard system for exchanging the secret key data, so the most common method is to simply manually configure the two nodes with the correct key(s). To provide the encryption in WEP, the RC4 cipher is used. This particular cipher is a symmetric stream cipher, and follows all the standard uses of symmetric key cryptography. RC4 is a well-known cipher, used in many secure systems such as SSL. The problem in WEP is not the RC4 cipher, rather the implementation of the cipher. Implementation is generally where the problems with encryption come into play, and WEP is the prime example of this situation. Before moving into further detail on WEP, you must examine stream ciphers. The stream ciphers, as the name implies, stream the bits through the cryptosystem one at a time. The raw data is then combined with the Key stream in an exclusive OR (XOR) operation to produce the Cipher stream. The Cipher stream is then transmitted to the receiving node, where the process is repeated in reverse to produce the raw data.
494
Tactical Perimeter Defense
Figure 9-24: The standard operation of a stream cipher. The stream cipher takes the short secret key and extends that into a larger value, the same length as the message, just like a one-time pad. This extension is created using a pseudorandom number generator (PRNG). To summarize, the sender XORs the plaintext with the key stream to produce the cipher text, and the receiver uses the identical key stream in reverse to produce the original plaintext. Since the stream cipher works by reversing the equation on the receiving end, the key is the critical component. The receiver will use the same key stream as the sender, and simply XORs the ciphertext to arrive at the plaintext message. Since the XORs cancel each other, if the plaintext=P, the ciphertext=C, and the key stream=K, then assume the following equation: P = C XOR K = P XOR K XOR K = P Take the key stream, K, and two encrypted messages, P1 and P2 , which go through the process to become C1 and C2 . If this is the case, C1 = P1 XOR K, and C2 = P2 XOR K. Since the K is the same, and the XOR process is well known, you can assume then that the following equation is true: C1 XOR C2 = P1 XOR K XOR P2 XOR K = P1 XOR P2 This means the attacker has now learned the XOR of two plaintext messages, without any difficulty. This example highlights why a stream cipher such as this should never encrypt two messages with the same K.
WEP and Key Lengths The standard implementations of WEP utilize 64-bit shared RC4 keys. Many people consider a 64-bit key to be weak, and those people have serious issues with how WEP implements those 64-bits, and for good reason! Of the 64 available bits, 40 are assigned to the shared secret key value. This is where the term
Lesson 9: Securing Wireless Networks
495
40-bit WEP comes from. In order to extend the life of WEP, several vendors moved to offer 128-bit WEP, of which only 104 bits were used for the shared secret key. If you are wondering where the extra bits that are not used for the keys are going, they are going to what is called the Initialization Vector (IV). In order to protect network transmissions from pure brute-force decryption attacks, WEP is designed with the option of using a set of keys. Four keys can be generated, and WEP can cycle through those four keys.
The WEP Process As the RC4 cipher has been shown over time to be a solid cipher, the WEP problem is found in the process, in the way that WEP attempts to protect data. Understanding the process is critical in order to follow the steps of cracking WEP, and making the realization that WEP provides little security. For WEP to function, the two ends of the communication will have established their secret key already. This is done by manually entering the single key that is used, or by having a sequence of predefined keys to use. Many networks that implement WEP use the single secret key option. Administrators of these networks take some time to create a long and complex key, using the full alphanumeric options. Using the single key, and a strong one at that, is nice. However, as you will see, there is actually not much added security by using such a strong single key. The other option of having a series of keys to use provides for a slightly higher level of security, as the single key is not reused for every single wireless transmission. Here again however, you will see that the implementation of WEP is such that the rolling key option does not provide much more security.
496
Tactical Perimeter Defense
Figure 9-25: The WEP encryption process. The process begins when the sender initiates the system for transmitting a message. At this time, the plaintext is run through an integrity check algorithm to create the Integrity Check Value (ICV). The 802.11 specifications define the use of CRC-32 for this function. The ICV is then appended to the end of the original plaintext message. A 24-bit random (more on this in a moment) Initialization Vector (IV) number is generated and added to the front of the secret key. (In this example the standard 40-bit secret key value is used.) The IV and secret key combo are input into the Key Scheduling Algorithm (KSA). The KSA is used to generate a seed value that will be used by the PRNG. The following key sequence uses the value generated by the PRNG to create the key stream that will match the length of the plaintext. Once the key stream has been generated, it is XORed with the plaintext/ICV to produce the encrypted portion of the message. The same IV that was input to the KSA is prepended to the front of the encrypted message, a standard header and FCS are added to the message, and it is transmitted.
Lesson 9: Securing Wireless Networks
497
Figure 9-26: The WEP decryption process. Upon receipt of the message at the destination, the process is essentially done in reverse. In order for the destination node to generate the symmetric key stream, the variable IV must be used. This is the reason that the IV must be sent in unencrypted form; the destination needs this value. Using the shared secret key, the destination takes the IV and runs it through the same KSA, PRNG, and key sequencing to get the key stream. The key stream and the ciphertext are then XORed, and the resulting Plaintext and ICV are calculated. Finally, the destination node computes a new ICV, and checks to see if this new value matches the sent ICV. If there is a match, then the receiving node will accept and process the message.
WEP Weakness So, throughout this discussion, you may be wondering where the weakness is found. Actually, there is more than one weakness, but the problems really start to show when looking at the implementation of the IV.
498
Tactical Perimeter Defense
The IV is a 24-bit field, regardless of the number of bits allocated to the secret key. Therefore, when you implement 64-bit WEP, only 40-bits are for the key, and 24-bits are for the IV. When you implement 128-bit WEP, only 104-bits are for the key, and 24-bits are for the IV. A 24-bit field does not yield very many possibilities, only 16,777,216 possible combinations. This means that every 16.7 million times the IV is used it will have no choice but to repeat itself. Busy networks will transmit that many packets in a matter of hours at the most, and due to randomness it is likely that values will be reused long before the 16 million mark. But, in most networks the attacker will not have to wait for nearly 17 million transmissions to find a duplicate IV. This is because many WNICs reset the IV to 0 when the card is reinitialized. As WNICs are reinitialized frequently in busy networks, finding a repeating pattern may take a very short time.
An IV collision is when the IV is reused.
If an attacker has any idea of the contents of the plaintext message, then the job of breaking WEP is that much easier. This can be accomplished by the attacker being the one to generate the plaintext message such as send an email or ping into the WEP-protected network, and sniffing the result. Knowing the formatting of messages sent and received will also increase the attacker’s success rate. Given that message formatting is known, such as the first byte of plaintext data being the SNAP header, this is not a difficult assumption. Once the attacker has built up a table of mapping known as plaintext to the ciphertext, the key streams can be stored.
Lesson 9: Securing Wireless Networks
499
Figure 9-27: Example of the plaintext/ciphertext attack on WEP. When emailing the target, sending a message of a string of the same character (such as all 5s) makes comparison between plaintext and ciphertext a bit simpler.
Earlier, you looked at some of the given equations of WEP. Recall that C1 = P1 XOR K and C2 = P2 XOR K, therefore, C1 XOR C2 = P1 XOR P2 . Therefore, sniffing both sides of the AP will give the attacker the keystream when the attacker XORs the ciphertext with the plaintext. The attacker need not decrypt the stream; only know what the stream is. By doing this enough times, the attacker can build what is called a decryption dictionary. The decryption dictionary is a table that the attacker has built that stores all the keystreams, mapping the IP and the key. Due to the WEP implementation, there are a maximum of 224 entries in the dictionary. Once the dictionary is full, then the attacker can decrypt all WEP traffic. If the system is fast enough, it may even happen in close to real-time. If you recall that many systems reset their IV to 0 each time, this makes for a much smaller keyspace used. Another problem is that systems are not required to change the IV on each packet, again making smaller and smaller spaces that require attacking. Take a look at the following equation, to see how this works out in simple binary. In this case, you are looking at just two bytes, but the process is identical for larger amounts of data. Assume for this equation, you are the attacker. • 0110100001101001 Known plaintext. (Known because you sent it.) This is P1 .
500
Tactical Perimeter Defense
•
0110100111000101 Known ciphertext. (Known because you are sniffing it.) This is C1 .
•
1010001110101100 Learned stream. (Learned by XORing the plaintext with the ciphertext.) This is now K.
The attacker can simply perform this type of operation over and over, until all the keystreams are identified. After the keystream is known, the attacker can take any WEP message, look up the known data in the dictionary, and XOR the ciphertext to get the plaintext. The attacker did not spend time trying to decrypt the key. In this case, the attacker does not care what the key is, only the value of the key stream. The final big push that led to the downfall of WEP as the primary security system for wireless communications came in August of 2001. A paper was published by Scott Fluhrer, Itsik Mantin, and Adi Shamir titled “Weaknesses in the Key Scheduling Algorithm of RC4.” This paper included theoretical attacks on WEP. One of the focus points in the paper was that of weak IVs. Since 802.11 uses LLC encapsulation, there are weaknesses in the known formatting issues, such as the plaintext of the first byte known to be 0xAA (this is the first byte of the SNAP header.) Knowing the plaintext value of the first byte, an attacker can simply XOR the first byte of the Cipherstream with the known data to reveal the key stream for that byte. In the paper, this class of weak keys is analyzed. Every weak IV is used to attack a specific byte of the RC4 key that is secret. The bytes of the key are numbered, starting from zero. In a 40-bit WEP implementation there are 1,280 weak IVs. You should be aware that the number of weak IVs that exist varies based on the key length. Therefore, if you elect to use the 128-bit WEP, the overall number of weak IVs that exist increases. The 128-bit WEP has more than twice the number of weak IVs than the 40-bit WEP. In the 128-bit WEP implementation (which uses 104 bits for the key), there are 4,096 weak IVs.
WEP Conclusion Although by now you may feel that there is no practical value in utilizing WEP, you should still take advantage of this option. Adding this layer of security should be one of the starting points in the security of your wireless network, not the end. By having WEP on the network, you may be able to remove the casual attacker from any interest in your network.
Configure WEP Up to this point, you have seen the creation of an ad-hoc wireless network, and the creation of an infrastructure network. Although effective for fast setup and simple configurations, this provides no security. The only time you should run an unprotected network is in a controlled lab environment, where access to any production machine of any type is impossible. In this section, you will see the process of enabling WEP. Even though you’ve learned that WEP can be cracked, if your wireless system does not support any more robust security features, you must implement WEP as your bare minimum. In this task, 128-bit WEP will be configured. The AP that will be configured to use WEP is a Netgear WPN824.
Lesson 9: Securing Wireless Networks
501
TASK 9C-1 Installing the Netgear WPN824 Access Point 1.
Log on to your Windows 2003 Server as Administrator.
2.
Open the Network Properties of your LAN adapter.
3.
Select TCP/IP, and click Properties.
4.
Configure your LAN IP Address to allow you access to the Internet, click OK twice, and then click Close. Note – In these tasks, the Netgear AP will reconfigure the Server to use DHCP by default to connect to the AP.
5.
Insert the Netgear CD-ROM in the CD-ROM drive. If the setup program does not autorun, navigate to the CD, and double-click the Autorun.exe file.
6.
From the main menu, click Setup.
7.
Read the Before You Begin instructions, and click Next.
8.
Record your current network settings, as shown, and click Next. The system will reconfigure to use DHCP as required.
9.
Once the system has confirmed your setup and Internet connection, click Yes.
10. In the Overview screen, click Next. 11. Review the screen to turn off the broadband modem, and click Next. 12. Review the disconnection of the Ethernet cable screen, and click Next. 13. Connect the Netgear Router to the Broadband connection, and click Next. 14. Connect your Server to the Netgear Router, then click Next. 15. Power on the Broadband device, then power on the router, and click Next.
502
Tactical Perimeter Defense
16. Wait while the system resets, and when you are at the Welcome screen click the Advanced User URL that is shown in the window.
17. For User Name, type admin and for the Password, type password (these are the defaults), and click OK. 18. If you receive a firmware update notice, check the Do Not Display Again check box, and click Close Window. If you do not receive a firmware update notice, move to the next step. 19. Type an IP Address of 10.0.10.50 a Subnet Mask of 255.255.255.0 and a Gateway IP Address of 10.0.10.2 Configure the DNS Settings for your network. Then, click Apply. If you are prompted for the user name and password, use the same credentials you used earlier in step 17. 20. From the menu on the left side of the screen, click the Wireless Settings link. 21. In the Name (SSID) text box type SCP-2 Leave the Channel and Mode at their defaults. 22. Under Security Options, select the WEP radio button. The WEP options will be enabled when you make this selection. 23. Keep the default Authentication Type as Automatic, and in the Encryption Strength drop-down list, select 128bit.
Lesson 9: Securing Wireless Networks
503
24. Select the Key 1 radio button, and in the Passphrase text box type SECRET1 and click the Generate button. (Note – the system is designed to only populate one Key field at a time, but at times the system will populate all fields. If this is the case copy and Paste each key to Notepad.) 25. Select the Key 2 radio button, and in the Passphrase text box type SECRET2 and click the Generate button. Repeat this pattern for Keys 3 and 4. 26. Once all four keys are entered, click Apply.
27. Enter the Netgear credentials, and click OK. The settings will be updated.
Establishing the WEP Network With the Access Point installed and configured to use WEP, you will now need to configure the clients to use the same security settings. Since the AP is configured to use four different WEP keys, these exact same keys will be required on each WEP client. The client to be configured will be the Netgear Client. The WEP clients and APs use the same keys. You will use the following keyphrases and keys: • SECRET1 - D26BC1D2A0BFE7F09BBF02349C
504
Tactical Perimeter Defense
•
SECRET2 - 30FC02118708A87A1A2CB06E1B
•
SECRET3 - 014DAAF8F9BEECA7E046D7C2AC
•
SECRET4 - F41FB818ED33EDD64D38E62BA0
TASK 9C-2 Configuring WEP on the Network Client 1.
Log on to the computer that has the Netgear WPN511 installed.
2.
In the Windows system tray, click the Netgear WPN511 Smart Wizard icon.
3.
Click the Networks tab.
4.
Click the Scan button to locate the new network. Note that the new WEP network is located.
5.
Select the SCP-2 network, and click the Connect button. Note that you are brought to the main Settings tab when you do this, and that both the SSID and WEP options have been selected.
6.
In the Passphrase drop-down list, select 128 bits.
7.
Verify that Key 1 highlighted under the Enter Key Manually drop-down list, and in the Passphrase text box type SECRET1 (notice that the Key is automatically generated.)
8.
Select Key 2 in the drop-down list, and type SECRET2 in the Passphrase text box.
9.
Select Key 3 in the drop-down list, and type SECRET3 in the Passphrase text box.
Lesson 9: Securing Wireless Networks
505
10. Select Key 4 in the drop-down list, and type SECRET4 in the Passphrase text box, then click the Apply button. You are now connected to the WEP network.
11. If you wish, open a Command Prompt and ping 10.0.10.2 (the AP) to verify the connection.
Temporal Key Integrity Protocol (TKIP) TKIP is not specific to Wi-Fi Protected Access (WPA), but is utilized by WPA. TKIP was developed to correct some of the weaknesses found in the WEP RC4 process. TKIP still uses RC4 as the core cipher, but from there the process changes. TKIP forces a new key to be generated every 10,000 packets, and it hashes the IV so that the IV becomes encrypted, and therefore not as easy to sniff. The simple step of hashing the IV means that the previous problem of turning a 64-bit key into a 24-bit plaintext and 40-bit secret is now gone. TKIP also includes a method of verifying the integrity of the data called the Message Integrity Check (MIC). The MIC will allow for confirmation that the packet has not been altered during transit.
TKIP is not a replacement for WEP.
Although TKIP strengthens (not replaces) the WEP process, and provides an increase in the security of the network transmissions, it should not be considered the ending solution to the security of the wireless network communication. This is because the system still will fall to the cracking of the single password (or keyphrase) that was used to initiate the whole system. If that secret is discovered, the entire system is compromised.
Extensible Authentication Protocol (EAP) Extensible Authentication Protocol (EAP) is not a wireless-specific protocol. EAP is used in many different systems, both wired and wireless. EAP, in the simplest definition is a means of validating a remote access connection.
506
Tactical Perimeter Defense
EAP is not tied to a specific authentication technology, meaning that it will work with certificates, smart cards, tokens, challenge/response systems, and so on. In the case of wireless security, EAP has been applied to authenticating remote wireless users.
Wi-Fi Protected Access (WPA) WEP is not the only solution to securing your wireless communications. Another solution is called Wi-Fi Protected Access (WPA). Behind WPA is the Wi-Fi Alliance, which is an organization deeply involved in wireless interoperability issues. WPA is designed to meet two goals: strong protection via encryption, and strong access control via user authentication. The first goal of user authentication is provided with the use of 802.1x + Extensible Authentication Protocol (EAP). The second goal of encryption is provided with three items: Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC)—called Michael, and 802.1x dynamic key distribution. This means WPA = 802.1x + EAP + TKIP + MIC.
The WPA Process There is a sequence of steps involved in the WPA process. These steps are different for an Enterprise implementation and a Small Office Home Office (SOHO) implementation. In the SOHO implementation, a matching password is configured on the AP and the client. When the passwords are checked and matched, then cryptographic keys are exchanged and the encrypted session begins. Although the authentication is simplified to the matching password for the SOHO implementation, the encryption process is the same for the SOHO as the Enterprise.
The formula for WPA is: WPA = 802.1x + EAP + TKIP + MIC
Lesson 9: Securing Wireless Networks
507
Figure 9-28: The Enterprise implementation steps of WPA. In the Enterprise, there are several more steps in the overall process. The first step is the association of the client to the AP. Once the client associates, the second step is for the AP to prevent the client from accessing the LAN segment until the client has authentication. The third step is the client providing authentication credentials to the authentication server. If the client successfully authenticates, then the process moves to step four, if the client does not authenticate, then the client will remain blocked from the LAN segment. The fourth step is for the authentication server to distribute the required cryptographic keys to the AP and the client. The fifth step is for the client to join the LAN, using the keys to encrypt all the communications between the AP and the client.
Hardware Requirements In order to take advantage of all that WPA offers, you will need to be sure that your network is able to run WPA. Access Points and other wireless equipment will have to have been enabled to use WPA. Most newer devices are enabled for WPA, but older models may require upgrades to support it. In addition to the APs and clients supporting WPA, you will need an authentication server. This should be any strong authentication server, such as a RADIUS server.
WEP and WPA Comparison Although the technologies are different, there is a natural tendency to compare WEP directly with WPA. Here is a quick comparison of some of the primary points between these two security mechanisms.
508
Tactical Perimeter Defense
WEP
WPA
40-bit keys Static key Manual key distribution
128-bit keys Dynamic keys Automatic key distribution
Looking at those three points alone should provide ample reason for migrating the enterprise to WPA as a security solution over WEP. A final point is the authentication systems—in WEP there is no unique authentication required by the users, whereas in WPA the user must authenticate with the authentication server.
Configure WPA2 For this task, it is assumed that the initial WAP54G installation and configuration is finished, and the task is specifically designed to configure WPA. Once the AP is configured to utilize WPA, then the WNICs will be configured to connect to the WPA-protected network.
TASK 9C-3 Configure WPA2 on the Access Point 1.
Log on to your Windows 2003 Server as Administrator.
2.
Open a web browser, and point to http://10.0.10.1 (or, if different, whatever IP Address you assigned to the WAP54G).
3.
Leave the User Name empty, and type admin as the Password, then click OK
4.
Click the Wireless tab, and under the Basic Wireless Settings, change the Network Name (SSID) to SCP-3 and click the Save Settings button. When you get the prompt that your changes have been saved, click Continue.
5.
On the Wireless tab, click the Wireless Security option.
6.
In the Security Mode drop-down list, select WPA2-Mixed.
7.
In the Passphrase text box, type SCNP4ME!
8.
Click the Save Settings button. When you get the prompt that your changes have been saved, click Continue.
Supplicants While several makers of wireless networking equipment have made their cards able to understand the higher-level security features, such as WPA, there are issues currently in getting the WNIC to connect to the AP using WPA. The use of supplicant applications helps to smooth out this process. Lesson 9: Securing Wireless Networks
509
It is important to note that you may need to download a supplicant in order to get WPA running on your system. The supplicant is the piece of code that allows your new card to actually use the features of WPA. This is especially true in legacy systems, such as Windows 2000. Microsoft has released a WPA patch for Windows systems, and Funk’s Software has released a third party solution called: Odyssey. With the AP now configured to use WPA2, you need to configure your client computers to match this security setting. In this next task, you will configure the Linksys WNIC client to use WPA2 security.
TASK 9C-4 Configuring WPA2 on the Network Client
510
Tactical Perimeter Defense
1.
Log on to the computer that has the Linksys WPC54G installed.
2.
In the Windows system tray, right-click the Linksys WPC54G monitor icon, and choose Open The Monitor.
3.
Click the Site Survey tab. Notice the new WPA2 security-enabled AP is listed.
4.
Select the SCP-3 WPA2 secured network, and click Connect.
5.
Verify that the WPA2-Personal option is selected, type SCNP4ME! Iin the Passphrase text box, and click Connect.
6.
In the Congratulations screen, click Connect To Network.
7.
In the Link Information screen note that you are now connected to the Access Point. Click the More Information button.
8.
If you wish, open a Command Prompt and ping 10.0.10.1 (the AP) to verify the connection.
Lesson 9: Securing Wireless Networks
511
802.1x While industry groups such as the Wi-Fi Alliance are working on security solutions, so is the IEEE. The 802.11i working group is focused on the security issues of the 802.11 wireless networking standards. The group is working towards the 802.1x standard, which will define the authentication framework of the 802.11based networks. The 802.1x standard is based upon EAP, and will provide for the flexibility to use multiple authentication algorithms, since it is an open standard. Vendors will be able to implement and advance the technology in along the standard. In this system there are three primary components, the end client, the access point, and the authentication server. Although it is common for the authentication server to be a RADIUS server, there are no specifications requiring RADIUS. This leaves the design open to fit your specific situation.
Topic 9D Wireless Auditing Since the wireless network is so dynamic, in order to maintain proper security, regular auditing is required. This is in addition to the normal auditing and analysis of your wired network. Since the wireless network has no true boundary, your auditing must be specifically targeted towards this segment of the enterprise. A complete audit of the wireless network should inform you of all the APs all the WNICs and any other significant information, for example, are the APs in the network broadcasting their SSID? One method of attack is to add a rogue AP on the edge of your network, allowing for the range to be increased across the street or into another building. Without proper auditing, you may find this out only after it is too late.
Site Survey One of the primary, and most basic, wireless auditing tasks is called the site survey. This is a primary task because the wireless network is an ever-changing network, with dynamic boundaries. Even if the nodes in the network remain static, the bandwidth use may be dynamic, causing transmission rates to modify during the course of communication. The BSS and ESS that are running in the wireless network can reconfigure themselves to use the lowest common denominator of bandwidth when associating with nodes and other APs. Analyzing the packets on a given channel of an AP can indicate the strength of the signal and the size of the packets transmitted. If it seems that all the packets are small in size, then there is the possibility that interference is causing the small size. Through your analysis you can now alter the settings of the AP or move it to a different physical location.
512
Tactical Perimeter Defense
WNIC Chipsets Although not specific to the concept of auditing or the wireless network, you need to be aware of the WNIC chipsets in order to utilize many of the wireless auditing tools. The reason for this is that there are several different manufacturers of wireless chipsets, and this is important because the tools and drivers are actually interacting with the chipset itself. When looking for interoperability with your O/S or auditing tool, you may need to know which chipset is in your card, and which chipsets are compatible with that specific tool. For 802.11b networks, two common chipsets are Prism and Hermes. The Prism chipset is on a wide variety of cards, such as Linksys, D-Link, and Netgear. The Hermes chipset is often found in Proxim cards, specifically the ORiNOCO cards. Many wireless tools work best (and, for some tools, only) with the ORiNOCO card. For 802.11g networks, two common chipsets are Atheros and Broadcom. Many different card vendors use these different chipsets. In this lesson, both the Linksys and Netgear client cards use an Atheros chipset.
Wireshark Wireshark is one of the leading network analysis tools, and runs on both Windows and Linux platforms. Wireshark can capture all the packets on a network card, and present those packets for analysis. Complete details on Wireshark network analysis is out of the scope of this book. Even though Wireshark runs on both Windows and Linux, the support for analyzing 802.11 packets is better on Linux.
NetStumbler Perhaps one of the most famous wireless tools, NetStumbler should be a part of all wireless auditing tool kits. NetStumbler works with a wide variety of cards, with a full is available here: www.stumbler.net/compat This tool, once loaded on your computer can detect 802.11 networks, identify the SSIDs, identify the security in place, identify the channel used, and so on. There is a mapping function in NetStumbler that creates a graphical image, on a map of the area, of the location of APs. Since the tool allows for GPS integration, you can even use a GPS device to identify the exact longitude and latitude of the AP for plotting onto a map. Furthermore, you can output your results to the mapping software MapPoint. NetStumbler will identify, on screen, the SSIDs of the networks that it finds, and will report whether or not that network is using WEP. If the AP is using WEP, a small lock icon will appear in the circle next to the MAC address of the AP. Installing NetStumbler is very simple, just execute the application and a desktop icon will be created. Double-click the desktop icon, and NetStumbler is ready to go. The only issue is making sure that the WNIC you use is supported by NetStumbler. Supported cards require no additional steps, NetStumbler will simply use the card upon running the application. The web site, www.netstumbler.com, is where you can go to find the current updates regarding the supported cards.
Lesson 9: Securing Wireless Networks
513
TASK 9D-1 Installing NetStumbler 1.
Log on to the computer with the Linksys WPC54G installed.
2.
On your course CD-ROM, navigate to C:\Tools\Lesson9\ NetStumblerInstaller_0_4_0.exe (note – if you do not have this file, you may download it from www.stumbler.net).
3.
Double click the NetStumbler_0_4_0.exe file to begin the installation.
4.
Read the License Agreement, and click I Agree.
5.
Leave the default selection of a Complete Install, and click Next.
6.
Accept the default installation directory, and click Install.
7.
Once the install is complete, click Close.
8.
If you wish, read through the Release Notes, then close the Release Notes window.
Identify Wireless Networks After you have NetStumbler installed, you can quickly analyze your network to find active access points. Once you have identified an access point, you can dig a bit deeper to determine the MAC address, the SSID, encryption use, signal strength, and (if you have GPS connectivity) the longitude and latitude of the AP.
In the previous figure, you can see that NetStumbler has located three APs nearby. NetStumbler has identified the SSID, Channel and MAC address. The vendor name is estimated based on the MAC address, as specific MAC addresses are assigned to specific vendors. This is not always accurate however, as MAC addresses can be changed. In the test lab for this figure, two APs are Linksys, and one is Netgear. When using NetStumbler, you are able to identify if you are associated with a network by looking to see if your MAC address is in bold. In the example figure, the MAC address 0018390FFA5D is bolded, to the machine that created this example is associated to the network on Channel 6, and using SSID SCP-3. 514
Tactical Perimeter Defense
Notice as well that NetStumbler has identified the Encryption on SCP-2 and SCP-3 as WEP. While SCP-2 is using WEP, the SCP-3 network is using WPA2, so although NetStumbler did correctly identify that encryption was in use, it did not delineate the difference between a WEP and WPA2 encrypted connection. You should keep this in mind as you are using your wireless tools. While not clearly defined from a legal viewpoint, connecting to an Access Point may be considered unauthorized access. If your WNIC is set to DHCP, your system may associate and you may be given an IP Address very quickly. Be careful that you do no associate and join a network that you had no intention of using. If you have time, visit the site: www.wigle.net There is an interactive map that you can zoom in on down to the level of seeing the name of individual SSIDs that have been discovered via wardriving.
TASK 9D-2 Identifying Wireless Networks 1.
Log on to the system that has NetStumbler installed.
2.
Double-click the NetStumbler desktop icon. (If no icon was installed, you can find NetStumbler in your Programs menu.)
3.
NetStumbler will automatically run a scan and locate active Access Points within range of your system.
4.
Examine the results and locate the following information: • What are the network types identified?
5.
•
What are the channels used?
•
Is your system associated with any network?
•
Which networks are using encryption?
Close the NetStumbler application. At this time, there is no need to save the file results, unless you wish to have them for later analysis.
OmniPeek Personal There are many products designed to perform wireless network analysis directly, and one of them is part of a bigger product called OmniPeek, a commercial product from Wildpackets. OmniPeek Personal can be downloaded for free for personal use only from the WildPackets site: www.omnipeek.com. To use OmniPeek in a commercial environment, you must buy a license to the OmniPeek Workgroup or Enterprise products. One thing OmniPeek Personal is not designed to do is to crack WEP. There are other tools designed for this purpose. If you have WEP running in your network, you can however, input the WEP keys and OmniPeek Personal will decrypt those packets on screen. By decrypting the WEP signals, you can use OmniPeek Personal to analyze higher layer communications as well.
Lesson 9: Securing Wireless Networks
515
Installation of OmniPeek Personal is very straightforward. OmniPeek Personal will not work with every WNIC made, but supports quite a few brands and types of cards. OmniPeek Personal supports various 802.11a, 802.11b, 802.11g, and 802.11 combo cards. You will need to be sure that your card is one that is supported. Once you know that your card is supported, you will then update the WNIC with a WildPackets driver for that specific card. Once the driver is installed, then OmniPeek Personal is ready to run on your system.
TASK 9D-3 Installing OmniPeeK Personal Setup: OmniPeek Personal requires Microsoft .NET Framework 2.0. If your system does not have this installed, please visit www.omnipeek.com/downloads.php and follow the link to Microsoft to download the current version. 1.
Log on to the system that has the Linksys WPC54G installed
2.
From C:\Tools\Lesson9, double-click WildPackets_OmniPeek_ Personal41.exe.
3.
If your security system generates a Security Warning pop-up, click Run. If no pop-up is created, proceed to the next step.
4.
In the InstallShield Wizard, click Next.
5.
In the Name text box, type your first name and in the Company Name text boxtype, SCP and click Next.
6.
If you wish to receive WildPackets updates, click Next. If you do not wish to receive WildPackets updates, uncheck the check box, then click Next.
7.
Read the features offer in the OmniPeek Workgroup Pro upgrade, and click Next.
8.
Read the terms of the License Agreement, select the radio button if you accept, and click Next.
9.
Read through the Installation Notes, and click Next.
10. If your system does not have Microsoft .NET Framework 2.0 installed, you will be prompted to download .NET 2.0. If you do need to perform this download, click OK. If your system already has .NET installed, skip to the next step. 11. Leave the default selection of a Complete Install, and click Next. 12. Confirm your settings, and click Next to begin copying files. The software will now be installed to your system. 13. Once the install is complete, uncheck the box to view the Readme, uncheck the box to Launch OmniPeek, and click Finish.
516
Tactical Perimeter Defense
WildPackets Drivers OmniPeek Personal requires the installation of a special WildPackets driver in order to use a wireless card with an Atheros chipset. Note, that once you have installed the WildPackets driver, if you wish to revert to your previous configuration, you will need to reinstall the factory drivers that came with your WNIC. In this book, you will be using the OmniPeek files that are included as samples, so no driver installation is required.
OmniPeek Personal Captures OmniPeek Personal has several configured packet captures saved for you to use. Viewing these sample captures will give you an insight into the process of using OmniPeek Personal, without the requirement of you setting up a complex wireless lab. If you are going to move further in your career as a wireless network analyst, you will build and manage your own lab, so this is not an issue, but for the classroom, these captures are a great tool. OmniPeek Personal can work as a network troubleshooting and maintenance tool, in addition to providing the information you need to run security audits. The tool can tell you bandwidth use, packet transmissions, and errors all through it easy to read visual gauges. The full details of this tool are beyond the scope of this course, but one of the features you will likely want to familiarize yourself with is the peer map. The OmniPeek Personal peer map will help you to actually visualize the traffic in your network. Connections are given colored lines, with the line getting thicker based on utilization. In the peer map, you can grab a node with your mouse and move it on screen, with the lines moving in relation, and allowing you to adjust the view to your liking.
TASK 9D-4 Viewing OmniPeek Personal Captures 1.
Log on to the system where you have installed OmniPeek Personal.
2.
Navigate from the Start menu to the WildPackets OmniPeek Personal installation.
Lesson 9: Securing Wireless Networks
517
3.
The first time the application runs, you must define a network adapter. In this course, you will not be using an adapter. In the Monitor Options screen, select None, and click OK.
4.
Choose File→Open.
5.
Navigate to the folder location where you installed OmniPeek Personal. Open \OmniPeek Personal\Samples\Wireless.
6.
Select association.apc and click Open.
7.
What is the function of the packet found in line 4? It is the broadcast looking for a wireless network to join. This broadcast is called the probe request.
8.
What is the MAC address of the node that sent the Probe Request? 00:A0:F8:9B:B9:AA
9.
What is the function of the packet found in line 5? It is the response from the AP that it will accept connections. This response is called the probe response.
10. What is the function of the packet found in line 8? A request to use open authentication.
518
Tactical Perimeter Defense
11. Right-click line 8 and choose Select Related Packets→By Flow. Click the Hide Unselected button. You will be left with only the packets related to that specific conversation.
12. What is the subtype of the authentication request in line 8? It is Subtype: 1011 (Authentication). 13. What is the status code of the authentication response in line 10? It is listed as Successful, so this packet is to inform the client that the request is granted. 14. Choose Edit→Unhide All Packets. 15. Double-click line 3, which is a Beacon packet.
16. Note the type and subtype of this packet. 17. Click the green right-arrow. This arrow is found two rows under the File menu.
Lesson 9: Securing Wireless Networks
519
18. What is the type and subtype of this packet? Type 00 (Management) and 0100 (Probe Request). Continue to click the green arrow, noting the different Types and Subtypes, as they are associated to different packets. 19. What is the type and subtype for a probe response? Type 00 (Management) and 0101 (Probe Response). 20. What is the type and subtype for an 802.11 acknowledgement? Type 01 (Control) and 1101 (Acknowledgement). 21. What is the type and subtype for a beacon? Type 00 (Management) and 1000 (Beacon). 22. What is the type and subtype for an 802.11 authentication packet? Type 00 (Management) and 1011 (Authentication). 23. What is the type and subtype for an association request? Type 00 (Management) and 0000 (Association Request). 24. What is the type and subtype for an association response? Type 00 (Management) and 0001 (Association Response). 25. Choose File→Close to close the packet details. 26. From the left menu, under Statistics, click Protocols.
27. Notice the percentages of each protocol in this capture. When finished, choose File→Close. Keep OmniPeek Personal open for subsequent tasks.
520
Tactical Perimeter Defense
Live Captures Although it may not be a part of your daily tasks, there will be times when you wish to view captures as they happen. These live captures can then be saved for later analysis, or you can look for trends as they are happening. There is a feature built into the program to simulate the live capture of packets, so you do not need to have a suitable WNIC installed.
TASK 9D-5 Viewing Live OmniPeek Personal Captures 1.
Choose Capture→Start Capture.
2.
In the Monitor Options, select the File option, and click OK.
3.
In the File Name box, browse to \WildPackets\OmniPeek Personal\ Samples\Wireless\Demo.apc, and click Open. (Note – you may need to change the file type to view .apc files.)
4.
Choose Capture→Start Capture.
5.
Click the green Start Capture button.
6.
Allow the capture to run for some time. When you reach approximately 700 packets, click the red Stop Capture button.
7.
Leave the application open for upcoming tasks.
Lesson 9: Securing Wireless Networks
521
Non-802.11 Packets Although you may wish to spend the majority of your time analyzing the 802.11 packets and associated wireless networking issues, OmniPeek Personal can capture all traffic. This allows you to perform analysis on all network traffic if you wish. In the following task, you will examine all the traffic captured, and view the OmniPeek Personal options for analysis.
TASK 9D-6 Analyze Upper Layer Traffic Setup: This task assumes that the Demo.apc file is open. 1.
Right-click line 16 and choose Select Related Packets→By Flow.
2.
Click the Hide Unselected button.
3.
What are the IP Addresses of the nodes in this conversation?
4.
•
192.168.0.11
•
192.216.124.4
Which packets define the three-way handshake? Packets 16, 19, and 21.
5.
What website is being accessed in these packets? www.wildpackets.com (This is the maker of OmniPeek Personal.)
6.
Double-click any HTTP packet. What is the type and subtype of the packet? Type 10 (Data) and 0000 (Data Only).
7.
522
Tactical Perimeter Defense
Double-click line 23.
Looking at the MAC addresses and last bit of the frame control flags, do you suspect this to be an ad-hoc or an infrastructure network? An infrastructure network, there are three addresses in use, and the ToDS bit is set to 1. 8.
Choose File→Close. Click No, as you do not need to save this capture file.
9.
Leave OmniPeek Personal open for the next task.
Decode WEP If you are analyzing traffic on your network, you know what the WEP key is. In this case, you are not cracking, but you will utilize the key to decrypt WEPprotected data on screen. OmniPeek Personal has an option to UnWEP packets, allowing you have the required key.
TASK 9D-7 Decrypting WEP 1.
If it is not already open, open OmniPeek Personal.
2.
Choose File→Open.
3.
Browse to \WildPackets\OmniPeek Personal\Samples\Wireless\telnetwep.apc and click Open. Notice that under the Protocol column, no protocol information for higher layers is available. (You can reorder the columns, if you wish).
4.
Double-click packet 6.
5.
What is the type and subtype of this packet? Type 10 (Data) and Subtype 0000 (Data Only).
Lesson 9: Securing Wireless Networks
523
6.
According to the frame control flags, is WEP enabled, and is this likely for an ad-hoc or an infrastructure network? Yes, WEP is enabled, and the ToDS bit is set, so this is an infrastructure network.
7.
What is the WEP IV for this packet? 0x050100
8.
To get back to the main packet list, close the packet details.
9.
Choose Tools→Decrypt WLAN Packets.
10. Select the Encrypted Only radio button and click the “…” button to the right of the Use Key Set text box. 11. Click the Insert button. 12. In the Name text box, type UnWEP1 In the Key 1 text box, type 0123456789 and in the Key 2 text box, type 9876543210 Click OK. These values are part of the OmniPeek Personal demo.
524
Tactical Perimeter Defense
13. In the Key Sets window, click your newly created unWEP1 set, and click OK.
14. In the Decrypt WLAN Packets window, click OK to perform the decryption with the UnWEP1 keyset. It will only take a brief moment to perform the decryption. You will see right away that the packets are decrypted, and the protocols and other details are now exposed.
15. Starting with packet 1, what are the other packect involved in the threeway handshake? Packets 1, 2, and 3. 16. What IP address is associated with the Telnet client? 192.168.0.11 17. What packet holds the login request from the Telnet server? Packet 8.
Lesson 9: Securing Wireless Networks
525
18. Examine the details of lines 9, 12, 15, 18, 20, 24, 27, 30. What can you learn from the information in these lines? You can learn the login is sysadmin. (Note — Look at the values presented in the Line 1 field of these packets together.) 19. What does it appear that the password is for this login session? The password looks like foo. From lines 36, 39, and 42. (Note – Look at the values presented in the line 1 field of these packets together.) 20. Which packets are used to end the Telnet session? Packets 63, 64, 65, and 66. 21. Double-click line 63. This is the Ack/Fin to close the session from the Telnet server. 22. What is the setting of the ToDS bit and the FromDS bit? The ToDS bit is set to 0 and the FromDS bit is set to 1. 23. After you identify the bit setting, click the green right-arrow to move to the next packet. This is packet 64, the return Ack to the server. 24. What is the setting of the ToDS bit and the FromDS bit? The ToDS bit is set to 1 and the FromDS bit is set to 0. 25. After you identify the bit setting, click the green right-arrow to move to the next packet. This is packet 65, the Ack/Fin from the client to the server. 26. What is the setting of the ToDS bit and the FromDS bit? The ToDS bit is set to 1 and the FromDS bit is set to 0. 27. After you identify the bit setting, click the green right-arrow to move to the next packet. This is packet 66, the return Ack from the server. 28. What is the setting of the ToDS bit and the FromDS bit? The ToDS bit is set to 0 and the FromDS bit is set to 1. 29. After you identify the bit setting, click the green right-arrow to move to the next packet. 30. Close all open windows. Click No if you are prompted to save the file, and click Yes to Exit OmniPeek Personal.
Aircrack Aircrack is a whole set of wireless tools, that work in 802.11a/b/g networks. Included in this suite is Airodump, a wireless packet capture program and Aireplay, which is a wireless packet injection tool, and the ability to crack WEP encryption. By using packet injection, the tool can ensure that enough packets are available for decryption.
526
Tactical Perimeter Defense
WEPCrack As the name directly implies, WEPCrack, which runs best on UNIX systems, is a wireless tool designed to crack WEP keys. One thing to note, is that this tool will require a lot of packets to do its job. It must sniff and analyze the packets, searching for the weak IV it can exploit. The amount of data that you need to capture before WEPCrack can crack the code can be seven or eight gigabytes. Of course it is possible that redundancy will be found earlier, but you should be aware that this is not a fast or instantaneous process like some of the online password cracking utilities.
AirSnort AirSnort, like WEPCrack, can crack WEP keys, and is also designed to run on Linux. AirSnort, once activated, can crack WEP automatically without user input. This tool will run on both the ORiNOCO and Prism chipsets, but seems to have a preference towards using the ORiNOCO cards. If not already, you can expect AirSnort to become a required tool in all wireless analysts tool kits in the very near future.
Ekahau Ekahau is a wireless auditing tool that allows you to pinpoint the actual physical location of wireless devices in your network. Using this tool, you make a map of your office, and then perform a survey of the office. Once the survey is done, the system is aware of the wireless network in the space. When the map is complete, you can identify specific nodes in the network. In the event that you identify an unknown node, you can use this tool to locate that node. The accuracy is listed within a few feet. You then can simply walk up to the person using the network with the unidentified node and say hello.
Kismet Kismet is a powerful wireless network tool, that can perform network sniffing, log data in a Wireshark format for simple analysis, and can enable you to plot wireless data and detected networks directly to downloaded maps.
Lesson 9: Securing Wireless Networks
527
Topic 9E Wireless Trusted Networks While there have been many advances in securing the wireless networks over WEP, some of which you have examined in this lesson, there is more work to be done before an enterprise will trust wireless networking for any critical application. This is the realm of the 802.11i working group.
802.1x and EAP 802.11i will employ multiple types of security, to allow for flexibility in deployment, and stronger security. When the attacker has one single attack point, such as WEP, their job is easier. By allowing for different implementations, the job of attacking 802.11i networks will be much more difficult.
802.1x allows for port-based access control and EAP allows for mutual authentication.
In order to meet the goals of solid wireless security, 802.11i will employ 802.1x and EAP. 802.1x as the authentication technology that requires mutual authentication before allowing the client to progress further into the network, called portbased access control. EAP is the extensible Authentication Protocol that allows for the use of different authentication solutions, and is currently most well known for its use in PPP (point-to-point protocol). You can consider this method of security as built upon three layers. One layer is the 802.11 physical carrier of the network traffic. On top of the 802.11 physical carrier, you have the 802.1x authentication system, which can use the various EAP implementations. Combined, these mechanisms provide for solid wireless security.
Figure 9-29: The location of EAP 802.1x and the physical 802.11 network.
528
Tactical Perimeter Defense
By implementing this type of security, you have achieved several goals that are not possible in open wireless networks. These are some of the goals that are met with this system: 1. Mutual authentication between the client and the authentication server before network access is granted. 2.
User authentication is required, not simple system authentication.
3.
Keys are generated dynamically.
4.
Strong encryption, with the ability to ensure data integrity.
There is similarity to the WPA security system you examined earlier. A significant difference is that to build a wireless PKI, you will need to use and configure digital certificates. WPA operates by using a shared key, whereas you will not have that type of manually-input shared key used in a trusted wireless network. There are enough similarities however, that the final security implementation based on the technologies in this lesson will be called WPA-2. There are three primary components of the trusted wireless network; they are the end client, the access point, and the authentication server. The authentication server is commonly a RADIUS server but may be configured to your network’s needs. You may see the client referred to as the supplicant in some text, because it is technically the software that is involved in the process not the client, and the software is called the supplicant.
EAP Types There are four primary EAP types for wireless networking implementation. They are EAP with Transport Layer Security (EAP-TLS), EAP with Tunneled Transport Layer Security (EAP-TTLS), Cisco’s Lightweight EAP (LEAP), and Protected EAP (PEAP). Each type has a unique combination of requirements for the client, authentication server, and delivery of the key. It is worth noting that there is another type of EAP, called EAP-MD5. Although a valid EAP type, it is not used in trusted wireless networking. This is because the authentication of the clients is done by hashing the user’s password with MD5, and transmitting the hash. The RADIUS, or whatever authentication server is in use, checks the MD5 hash for a match and, if there is authentication, is successful. In a controlled physical network, such as Ethernet, this may have a place, but in the wireless world, where traffic can be sniffed from the air, this is not a good system for implementing security. Due to this, you should not implement security based on EAP-MD5 in your wireless network.
There are five EAP types, but EAP-MD5 is not recommended for wireless PKI so it is not included as one of the main EAP types.
Lightweight EAP (LEAP) Cisco has led the development of LEAP. LEAP requires a mutual password for authentication. This password is manually configured on the client and the authentication server. When the authentication server challenges the client, the password is returned. Although this provided good security at a time when the WEP implementation was cracked, it is not strong enough for a trusted network. This is because of the reliance on the shared password. A benefit of LEAP is that, even though it is not built into operating systems, Cisco has provided for enough support that implementation on most platforms is not an issue. Lesson 9: Securing Wireless Networks
529
Since the single shared password exists, there is the possibility to a man-in-themiddle attack, and the issue of password reuse. LEAP is definitely a step in the right direction and provides better security than WEP, but it is recommended that for your wireless PKI you move forward to other systems.
EAP with Transport Layer Security (EAP-TLS) EAP-TLS is a system that fits into the trusted network as it utilizes X.509 certificates with both the client and the server needing unique certificates. Both sides of the communication must prove their identity to the other party. There is very little information that can be sniffed in this system. One of the few things that an attacker could sniff is the name of the client node. Figure 9-30 shows the steps of the EAP_TLS process.
Figure 9-30: The process of a client using an EAP-TLS protected network. In the EAP-TLS example, the client begins the process by associating with the AP. The AP will block any further access until an accept message is sent from the authentication server to the AP. The AP responds to the client, essentially telling the client to send the EAP required initial request, which the AP then forwards on to the authentication server. The server receives the request and responds by sending the server’s digital certificate to the client. Once the client validates the information on the server’s certificate, the client responds with the client digital certificate. Once the server validates the client’s certificate, the server begins the process of creating the mutual key to use. This is done following standards public key cryptography systems. Once the key is generated, the server sends a message to the AP that authentication is successful, with the AP then informing the client of the successful authentication. The client proceeds to use the generated key to encrypt traffic and the AP allows the client access to the LAN.
530
Tactical Perimeter Defense
EAP with Tunneled Transport Layer Security (EAPTTLS) EAP-TTLS takes the fundamental process of EAP-TLS and modifies it a bit. The primary difference between EAP-TLS and EAP-TTLS is that in the EAP-TTLS system only the server is required to authenticate itself, the client certificate is not required. This does not mean that the client never has to provide authentication data; only that it is not required during this initial setup.
Figure 9-31: The process of a client using an EAP-TTLS protected network. The process begins with the client associating with the AP, and then being required to begin the EAP-TTLS process. The server sends the server certificate, which the client validates, and then the client and server build an encrypted tunnel. This is very similar to how a tunnel is created with SSL. Once the tunnel is created, the client will present whatever credentials are required (certificate, token, standard password, and so on), using the algorithm that the administrator has chosen. In the tunnel, most algorithms will function without any difficulty, such as PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-MD5, and so on. When the user has successfully authenticated, the server sends the success message to the AP, who in turn sends the success message to the client. Now that the client has successfully gone through this process, messages can be encrypted and sent to the LAN through the AP.
Protected EAP (PEAP) PEAP was jointly developed by Microsoft, Cisco, and RSA Security, and combines different existing security mechanisms. There are two parts to the PEAP process, with the first being similar to that or EAP-TLS. The second is similar to EAP-TTLS in that multiple authentication systems are supported.
Lesson 9: Securing Wireless Networks
531
The client begins the process by associating with the AP. The AP will block any further access until an accept message is sent from the authentication server to the AP. The AP responds to the client, essentially telling the client to send the EAP required initial request, which the AP then forwards on to the authentication server. The server receives the request and responds by sending the server’s digital certificate to the client. Once the client validates the information on the server’s certificate, the client responds with whatever authentication system is called for. This may be certificates, tokens, passwords, and so on. Once the server validates the client’s authentication information, the server begins the process of creating the mutual key to use. This is done following standard public key cryptography systems. Once the key is generated, the server sends a message to the AP that authentication is successful, with the AP then informing the client of the successful authentication. The client then proceeds to use the generated key to encrypt traffic and the AP allows the client access to the LAN.
EAP Type Comparison Looking at these systems, it may be a bit overwhelming to put them in perspective and decide what you should implement. Part of your decision may be based on hardware. For example, if you are running all Cisco networking equipment, you have the choice of LEAP, EAP-TLS, and EAP-TTLS installed on all their current adapters. If you are running all Linux nodes, you are limited to EAP-TLS and EAP-TTLS. On the other hand, only PEAP and EAP-TLS are embedded in Windows XP, 2000, and 2003. Type
LEAP
EAP-TLS
EAP-TTLS
PEAP
Embedded O/S Clients
Cisco
None
O/S Clients, when using third-party supplicants Supplicant Vendor
All Win32
WindowsXP/2003/ 2000 All Win32
RADIUS Support
Cisco, Funk, and others
WindowsXP/ 2003/2000 All Win32, Mac OS X, Linux, BSD Microsoft, Cisco, Funk, and others Cisco, Funk, Microsoft, others
Server Authentication
Password Hash Password Hash
Public Key Certificate Public Key Certificate
Yes No Yes Moderate
Yes Yes Yes Strongest
Client Authentication
Dynamic Key Use Open Standard Unique Key per User Over Security Level
532
Tactical Perimeter Defense
None
All Win32, Mac OS X, Linux, BSD Microsoft, Funk, and others Funk, and others
Public Key Certificate PAP, CHAP, MSCHAP, EAP, and others Yes Yes Yes High
Microsoft, Funk, and others Cisco, Funk, Microsoft, and others Public Key Certificate Varies as per implementation. Yes Yes Yes High
Wireless Trusted Network Summary If your enterprise requires a wireless component, you should implement a wireless PKI, or else be aware of the high levels of risk. If you already have a PKI running, the addition of the wireless PKI component is a natural extension. If you do not have a PKI running, and do not want to implement a full-scale trusted network, you can implement a PKI just for your wireless network. The Funk Software company makes a tool called Odyssey that will fill this purpose. You can run Odyssey on a machine, as your authentication server, and utilize the security features of PKI on your wireless clients alone. This will enable you to take advantage of all that wireless networking has to offer, and have a secure network at the same time.
TASK 9E-1 Choosing a Wireless Trusted Network 1.
Consider the following scenario: You work for a company that is a global enterprise. The company is often listed in the top 50 companies in the world. You work out of the corporate office, based in Chicago, IL. There are 300 regional offices, and over 2,000 small satellite offices. In the HQ, there is discussion of configuring a new wireless network. This new wireless network is going to be a case study, and if all goes well, similar systems will be implemented in all the regional offices, and eventually in the satellite offices. The current discussion is on the security of the wireless network. For the case study, the implementation will be a single file server, which local network clients will need to access frequently. During the case study, there will be approximately 75 users participating (all of whom are running Windows 2000 or Windows XP), spread throughout two different floors of the HQ. During the discussion it is agreed quickly that WEP will not be used, and now the discussion is moving towards the specific security system to use. To provide the maximum level of security, which security system will you recommend for the implementation? Even though this is a case study, you realize that if successful, the security system will be duplicated worldwide. Your goal is to provide the maximum level of security, so your choice is to go with an EAP-TLS implementation. This will allow for full use of certificates, on both the client and server.
Lesson 9: Securing Wireless Networks
533
Summary In this lesson, you examined the fundamental issues of wireless networking, including the required equipment and transmission media of wireless networks. You then identified WLAN issues such as the function of the AP, the configuration of SSIDs, and the choices between an ad-hoc and infrastructure network. You detailed the 802.11 framing and use of multiple MAC addresses. You then identified the security solutions for the wireless networks, including WEP, WPA, and WTLS. You examined the tools for performing security audits, and the methods available for creating a trusted wireless network using digital certificates.
Lesson Review 9A Which type of spread spectrum signal uses multiple frequencies at the same time? Direct Sequence Spread Spectrum (DSSS). Why is 802.11a incompatible with 802.11b? They use different spread spectrum techniques. What are the two primary pieces of equipment for the wireless network to be operational? The Access Point and the Wireless Network Interface Card (WNIC). What language is used to create web content for handheld devices, such as cell phones, when they connect to the Internet? WML.
9B What is association? The process of a WNIC associating with an AP in order to use the wireless network. What are the two WLAN topologies? Ad-hoc mode and infrastructure mode. What is the name assigned to people who search out WLANs? War drivers.
9C What additional piece of software is required to configure WPA on Windows 2000 WNIC clients? Supplicants. What component of WEP is the cause of its weakness? The Initialization Vector (IV).
534
Tactical Perimeter Defense
What cipher does WEP utilize? RC4.
9D What tool used in lesson provides you with a fast scan of the APs in your area? NetStumbler. What tools can be used to break WEP? Aircrack, AirSnort and WEPCrack. What tool can provide you with the physical positioning of a wireless node in the network? Ekahau. What tool allows you to perform full wireless packet capture and analysis? OmniPeek Personal
9E What does 802.1x provide? Port-based access control. What does EAP provide? Authentication. Why is EAP-MD5 not suitable for trusted wireless networks? The shared password hash is susceptible to sniffıng and other attacks. Why is EAP-TLS considered the strongest for wireless trusted network implementation? Because certificates are required on both the client and the server.
Lesson 9: Securing Wireless Networks
535
536
Tactical Perimeter Defense
GLOSSARY attack An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures. audit trail In computer security systems, a chronological record of system resource usage. This includes user login, file access, other various activities, and whether any actual or attempted security violations occurred. audit The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures. authentication To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system. availability Assuring information and communications services will be ready for use when expected. back door A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door; a hidden software or hardware mechanism used to circumvent security controls. breach The successful defeat of security controls which could result in a penetration of the system. A violation of controls of a particular information system such that information assets or system components are unduly exposed.
bug An unwanted and unintended property of a program or piece of hardware, especially one that causes it to malfunction. compromise An intrusion into a computer system where unauthorized disclosure, modification, or destruction of sensitive information may have occurred. confidentiality Assuring information will be kept secret, with access limited to appropriate persons. cryptography The art of science concerning the principles, means, and methods for rendering plaintext unintelligible and for converting encrypted messages into intelligible form. DES (Data Encryption Standard) Definition 1: An unclassified crypto algorithm adopted by the National Bureau of Standards for public use. Definition 2: A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use. false positive Occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action. firewall A system or combination of systems that enforces a boundary between two or more networks. Gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based Unix box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster. Glossary
537
GLOSSARY hacker A person who enjoys exploring the details of computers and how to stretch their capabilities. A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn the necessary minimum. host A single computer or workstation; it can be connected to a network. host A single computer or workstation; it can be connected to a network. integrity Assuring information will not be accidentally or maliciously altered or destroyed. intrusion detection Pertaining to techniques that attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts either manually or via software expert systems that operate on logs or other information available. intrusion Any set of actions that attempts to compromise the integrity, confidentiality, or availability of a resource. key A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt. key A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt.
538
Tactical Perimeter Defense
network security Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network perform its critical functions correctly and there are no harmful side effects. Network security includes providing for data integrity. network Two or more machines interconnected for communications. network Two or more machines interconnected for communications. AH (Authentication Header) A field that immediately follows the IP header in an IP datagram and provides authentication and integrity checking for the datagram. authenticate To establish the validity of a claimed user or object. crash A sudden, usually drastic failure of a computer system. cryptography The art of science concerning the principles, means, and methods for rendering plain text unintelligible and for converting encrypted messages into intelligible form. DES (Data Encryption Standard) Definition 1: An unclassified crypto algorithm adopted by the National Bureau of Standards for public use. Definition 2: A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.
GLOSSARY ESP (Encapsulating Security Payload) A mechanism to provide confidentiality and integrity protection to IP datagrams. firewall A system or combination of systems that enforces a boundary between two or more networks. A gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based UNIX box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster. integrity Assuring information will not be accidentally or maliciously altered or destroyed. LAN (Local Area Network) A computer communication system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communication system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, front-end processors, controllers, and servers. LAN (Local Area Network) A computer communication system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communication system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, front-end processors, controllers, and servers. metric A random variable x representing a quantitative measure accumulated over a period.
non-repudiation Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender’s identity, so that neither can later deny having processed the data. OSI (Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components. OSI (Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components. packet filter Inspects each packet for user defined content, such as an IP address, but does not track the state of sessions. This is one of the least secure types of firewall. packet filtering A feature incorporated into routers and bridges to limit the flow of information based on pre-determined communications such as source, destination, or type of service being provided by the network. Packet filters let the administrator limit protocolspecific traffic to one network segment, isolate email domains, and perform many other functions. packet sniffer A device or program that monitors the data traveling between computers on a network. packet A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.
Glossary
539
GLOSSARY packet A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message. passive threat The threat of unauthorized disclosure of information without changing the state of the system. A type of threat that involves the interception, not the alteration, of information. penetration The successful unauthorized access to an automated system. perpetrator The entity from the external environment that is taken to be the cause of a risk. An entity in the external environment that performs an attack, i.e. hacker. physical security The measures used to provide physical protection of resources against deliberate and accidental threats. plaintext Unencrypted data. profile Patterns of a user’s activity which can detect changes in normal routines. promiscuous mode Normally an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.
promiscuous mode Normally, an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination. protocol Agreed-upon methods of communications used by computers. A specification that describes the rules and procedures that products should follow to perform activities on a network, such as transmitting data. If they use the same protocols, products from different vendors should be able to communicate on the same network. proxy A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user, typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps does additional authentication, and then completes a connection on behalf of the user to a remote destination. router An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the Network Layer. router An interconnection device that is similar to a bridge, but serves packets or frames containing certain protocols. Routers link LANs at the network layer. security audit A search through a computer system for security problems and vulnerabilities.
540
Tactical Perimeter Defense
GLOSSARY security level The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information. security policies The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information. security violation An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information contained therein or to the system itself. security A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences. security A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences. server A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine. server A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.
sniffer A program to capture data across a computer network. Used by hackers to capture user ID names and passwords. Software tool that audits and identifies network traffic packets. Is also used legitimately by network operations and maintenance personnel to troubleshoot network problems. SNMP (Simple Network Management Protocol) Software used to control network communications devices using TCP/IP. SNMP (Simple Network Management Protocol) Software used to control network communications devices using TCP/IP. SSH (Secure Shell) A completely encrypted shell connection between two machines protected by a super long pass-phrase. SYN flood When the SYN queue is flooded, no new connection can be opened. threat The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest. A potential violation of security. topology The map or plan of the network. The physical topology describes how the wires or cables are laid out, and the logical or electrical topology describes how the information flows. traceroute An operation of sending trace packets for determining information; traces the route of UDP packets for the local host to a remote host. Normally traceroute displays the time and location of the route taken to reach its destination. Glossary
541
GLOSSARY Trojan Horse An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data. vulnerability analysis Systematic examination of an AIS or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. vulnerability Hardware, firmware, or software flow that leaves an AIS open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to an AIS.
542
Tactical Perimeter Defense
INDEX 3DES, 353 802.11 addressing, 478-481 802.11 framing, 476-481 frame details, 476-478 frame format, 476 802.11a standard, 460 802.11b standard, 461 802.11c standard, 461 802.11d standard, 461 802.11e standard, 461 802.11f standard, 461 802.11g standard, 461 802.11h standard, 462 802.11i standard, 462 802.11n standard, 462 802.1x, 512
A access control, 15 access points, 448-449 Also see: APs accountability, 377 acknowledgement numbers, 47 ACL anti-DoS, 142 anti-Land, 143 anti-spoofing, 143-144 anti-SYN, 142-143 command syntax, 138-139 creating, 134-135 defending against attacks, 142-144 extended syntax, 139-140 implementing, 138-142 logging, 149-151 operation, 135 activate, 416-418 Active Defense-in-Depth, 7-8 active open connection, 48-50 administrative distance, 123-124 AH, 344 combine with ESP in IPSec, 327-329 configuring, 321-322 Transport mode, 303 Tunnel mode, 303
AH and ESP in IPSec, 327-329 response policy, 335-336 session analysis, 331-332 Aircrack, 526 AirSnort, 527 alert, 416-418 alert notification, 376 analysis, 382-383, 391 anomaly detection, 373 anti-spoofing logging, 150 APs, 448-449 configuration, 482-485 ARP process, 108-110 attack monitoring, 397 attack response, 10 audit data handling, 25 preserving, 25 audit trails, 25 auditing, 22-23 authentication, 3-5, 16, 98-99, 303, 352-353 Authentication Header, 344 Also see: AH authentication methods editing policies, 317-318 authentication tokens, 16-20 authorization, 98-99 authorization and availability, 3-5 awareness, 9
B banners, 101 basics, 42-43 behavioral use, 379-382 binary conversion, 37-38 Bluetooth, 459 breach, 5-6 broadcast, 44-45 buffered logging, 147-148 bug, 96 business drivers for a VPN, 338
Index
543
INDEX C capture packet data, 411-413 captures displaying, 54-55 castle analogy, 10-11 CDP, 128-129 centralized host-based design, 384-385 Challenge Handshake Authentication Protocol, 352-353 Also see: CHAP Challenge Response Process, 17-18 challenge response token, 16-17 CHAP, 352-353 CIDR, 43-44 Cisco banners, 101-103 logging, 145-146 OS, 96 router language, 96 Cisco Discovery Protocol See: CDP Classless Interdomain Routing See: CIDR Client policy, 306-307 collection, 382-383 command console, 375 confidentiality, 3-5 configuration fragments, 97-98 connection, 48-50 establishing, 48-49 terminating, 49-50 connections TCP, 63-64 console logging, 147 console password, 99 cryptography, 302
D DAC, 15 Data Encryption Standard See: DES decimal conversion, 37-38 Default Response, 318-321
544
Tactical Perimeter Defense
defense technologies, 13-14 Defense-in-Depth, 6 defensive strategy, 8-10 denial of host, 140-141 denial of network, 141 denial of subnet, 141 DES, 307-308, 353 detection, 371 Direct Sequence Spread Spectrum, 458-459 Also see: DSSS Discretionary Access Control, 15 Also see: DAC distance vector routing, 121 distributed host-based design, 386-387 DSSS, 458-459 dynamic, 416-418 dynamic routing, 116-118
E EAP, 506-507 comparison of types, 532-533 Lightweight, 529-530 Also see: LEAP Protected, 531-532 Also see: PEAP types, 529 with Transport Layer Security, 530 Also see: EAP-TLS with Tunneled Transport Layer Security, 531 Also see: EAP-TTLS EAP-TLS, 352-353, 530 EAP-TTLS, 531 Ekahau, 527 enable password, 99 Encapsulating Security Payload, 344 Also see: ESP encryption, 21-22 ESP, 344 combine with AH in IPSec, 327-329 Transport mode, 303 Tunnel mode, 303 Ethereal, 58-59 Extensible Authentication Protocol, 506-507 Also see: EAP
INDEX Extensible Authentication Protocol-Transaction Level Security, 352-353 Also see: EAP-TLS extranet, 338
F false-negative, 373-375 false-positive, 373-375 FHSS, 458 finger, 131 firewall, 303 Firewall-based VPNs, 339-340 firewalls, 21 Frequency Hopping Spread Spectrum, 458 Also see: FHSS FTP capture, 76-78 configuring, 322-323 granting, 142 session analysis, 79 Fundamental Access Point Security, 493-494
H Hardware-based VPNs, 339-340 hexadecimal conversion, 37-38 host, 33-36 host-based intrusion detection, 384
I ICMP, 129-130 direct broadcast, 129 session analysis, 76 unreachable, 129-130 ICMP messages, 68-70 IDS, 9, 22, 371 components, 375-376 goals of, 376-377 matrix, 373-375 response, 376 IEEE 802.11 standard, 460-462 independent audit, 24-25 infrared wireless media, 453-454 inside threats
detecting, 396 integrity, 3-5, 65-68 Internet Protocol See: IP Internet Security Association Key Management Protocol (ISAKMP/Oakley), 345-346 interval analysis, 391 intrusion, 373 intrusion detection, 7-8 definitions, 373 techniques, 378-379 technologies, 378-379 Intrusion Detection, 371-373 Intrusion Detection System, 371 Also see: IDS Intrusion Detection Systems See: IDS IP, 36-39 address classes, 38-39 datagram, 65-68 private addresses, 39 security, 301-302 special-function addresses, 39 IP Policy Agent, 345-346 IP Security Policy and Security Association, 345-346 IP Security Protocol (IPSec), 341 IPSec, 341, 344-346 AH implementation, 312 and NAT, 346-347 components, 345-346 configuring a response, 329-331 configuring options, 333-334 custom policies, 312-317 driver, 345-346 full session, 336-337 implementing, 303-304, 323-324 modes, 302-303 policies, 306-307 Transport Mode, 346 Tunnel Mode, 346 IPSec ESP payload, 351-352 IPSec-enabled operating systems, 340 IPSec-enabled routers and firewalls, 340
Index
545
INDEX K key exchange, 344-345 key length, 353 keys, 302 Kismet, 527
L L2TP, 341, 343, 351-352 LAN, 309-312 LAN-to-LAN routing, 110-111 LAN-to-WAN routing, 112-114 Layer 2 Forwarding Protocol (L2F), 341-342 Layer 2 Tunneling Protocol (L2TP), 341 LEAP, 529-530 link state routing, 122-123 Local Area Network See: LAN log, 416-418 log priority, 146 logging, 145-146 ACL, 149-151 anti-spoofing, 150 buffered, 147-148 configuring, 147-149 console, 147 syslog, 148-149 terminal, 148 VTY, 150-151
M MAC, 15 man-in-the-middle attacks, 341-342 management tools, 345-346 Mandatory Access Control, 15 Also see: MAC MD5, 353 metric, 120-124 Microsoft Management Console See: MMC microwave systems satellite, 455-456 terrestrial, 454 microwave wireless media, 454
546
Tactical Perimeter Defense
misuse, 373 misuse detection, 373 MMC, 304-306 customized configuration, 307 multicast, 44-45
N NetStumbler, 513-514 network, 33-34 network defense, 2 Network Monitor, 52-58 Display view, 54-55 filters, 55-57 network security five key issues, 3-5 network sensor, 375-376 network tap, 376 network-based design, 388 distributed, 389-390 traditional, 388-389 network-based intrusion detection, 387-388 non-repudiation, 3-5
O OmniPeek Personal, 515-516 captures, 517-520 live captures, 521 Open Systems Interconnection See: OSI operating modes, 97 operational audit, 24 OSI model, 34-36 outside threats detecting, 394-395
P packet, 34-36 packet filter, 134-135 packet filtering, 9 packet fragmentation, 74-75 PAP, 352-353 pass, 416-418 passive open connection, 48-50
INDEX passive threat, 5-6 Password Authentication Protocol, 352-353 Also see: PAP passwords, 22 PEAP, 531-532 perimeter security, 9 PING capture, 76-78 plaintext, 302 Point-to-Point Tunneling Protocol (PPTP), 341 ports, 50-52 PPTP, 341, 342-343, 351-352 pre-configured rules, 425-426 prevention, 371 profile, 393-394 promiscuous mode, 58-59 protocol, 33-36
Q QoS, 461
R radio, 457-459 real-time analysis, 391-392 remote access, 338 remove unneeded services, 132-133 Request For Comments See: RFC Request-and-Respond policy, 325-326 session analysis, 326-327 Request-only session analysis, 324-325 response, 371 RFC, 36 RIP, 124-125 RIPv2, 125-127 routed protocols, 119 router, 42-43 access passwords, 99-100 accessing, 96-97 banners, 101 navigating, 98 user accounts, 100-101 routing, 42-43
process, 114-116 protocols, 119, 120-124 Routing Information Protocol See: RIP RSA SecureID token, 18-19 Rule Header, 416-418 Rule Options, 418-419 rule set testing, 421 ruleset examples, 419-420
S SA, 344-345 Secure Server policy, 306-307, 309-312 Secure Shell, 342 Also see: SSH security, 46-47 Security Association, 344-345 Also see: SA Security Association API, 345-346 security audit, 24-25 security auditing basics, 23-24 security policies, 306-307 security protocols, 341 security threats, 5-6 security vulnerabilities, 373 sequence numbers, 47 server, 33-34 Server policy, 306-307 Service Set Identifier, 465 Also see: SSID session teardown process, 64-65 SHA-1, 353 Shiva Password Authentication Protocol, 352-353 Also see: SPAP Also see: SPAP Short Message Service, 459-460 Also see: SMS signature analysis, 392 Simple Network Management Protocol See: SNMP site surveys, 512
Index
547
INDEX small services, 131 SMS, 459-460 SNMP, 96-97 Snort, 404 architecture, 405-406 as a packet sniffer, 410-411 as an IDS, 415 deploying, 404 function, 404-405 installing, 406-408 logging with, 414 Socks v5, 342 software tokens, 19 Software-based VPN applications, 339-340 source routing, 130 spread spectrum technology, 457-458 SSH, 103, 342 client configuration, 106-107 router configuration, 103-106 verification, 105 SSID, 465 static routing, 116-118 statistical analysis, 393-394 subnet mask, 40-42 subnetting, 40-42 surveillance monitoring, 397 syslog logging, 148-149
T TCP, 46-47 connections, 63-64 flags, 47 headers, 70-72 TCP/IP model, 33-34 Telnet granting, 141 Temporal Key Integrity Protocol, 506 Also see: TKIP terminal logging, 148 three-way handshake, 46-47 Time-based Tokens, 18-19 timestamp, 147 TKIP, 506 topology, 121
548
Tactical Perimeter Defense
traceroute, 129-130 training, 9 transit network, 340 Transport mode, 302-303 AH, 303 ESP, 303 Trojan Horse, 50-52 true-negative, 373-375 true-positive, 373-375 tunnel, 340 protocols, 340 Tunnel mode, 302-303 AH, 303 ESP, 303 tunneled data, 340 tunneling protocols, 341
U UDP, 46-47 UDP headers, 73-74 unicast, 44-45
V Variable Length Subnet Masking See: VLSM VLSM, 43-44 VPN client, 340 client software, 340 configuring, 354-359 connection, 340 dedicated gateways, 340 design and architecture, 348 elements, 340 gateway, 346-347 implementation challenges, 348-349 security, 350 server, 340 types, 339-340 VPN fundamentals, 337 VPNs and firewalls, 351-352 VTY logging, 150-151 VTY password, 100
INDEX vulnerability scanners, 373
W WAP, 462-464 war driving, 489 WEP, 494-501 configuring, 501-504 cryptography, 494-495 decrypting, 523-526 key lengths, 495-496 process, 496-498 weaknesses, 498-501 WEPCrack, 527 Wi-Fi Protected Access, 507-509 Also see: WPA wildcard mask, 136-138 Wired Equivalent Privacy, 494-501 Also see: WEP Wireless Access Points, 448-449 Wireless Application Protocol, 462-464 Also see: WAP wireless auditing, 512-513 Wireless Markup Language, 462-464 Also see: WML wireless media, 451-457 infrared, 453-454 radio, 457-459 wireless network cards, 449 Also see: WNICs wireless networking access points, 448-449 equipment, 448-451 wireless networks antennas, 449-451 association, 451 identifying, 514-515 microwave technology, 454 trusted, 528 Wireless Transport Layer Security, 491-493 Also see: WTLS Wireshark, 513 GUI, 59-63 WLANs ad-hoc mode, 466-467
APs, 465 associations, 466 authentication, 466 denial of service attacks, 490 essentials, 465 gaining access, 489-490 infrastructure mode, 467-468 threats, 488-490 topologies, 466-468 WML, 462-464 WNIC chipsets, 513 WNICs, 449 WPA, 507-509 configuring, 509 hardware requirements, 508 process, 507-508 supplicants, 509-511 vs. WEP, 508-509 WTLS, 491-493 Alert Protocol, 493 Application Protocol, 493 authentication, 491 Change Cipher Specific Protocol, 493 components, 491 handshake protocol, 491-493 origins, 491
X x-cast, 44-45
Index
549
SCPTPD20iePB