
Page 1: NACTT STAFF SYMPOSIUM

System Managers Training

EXPLORING THE NETWORK

The Pieces of the Infrastructure

NACTT STAFF SYMPOSIUM

2014 Tampa


What is “The Network”

A web of devices (“hosts”) linked together by a variety of technologies and passing chunks of data back and forth.

Page 11: NACTT STAFF SYMPOSIUM

Consider: A “Typical” Trustee Network

Diagram labels: WORKSTATIONS, SERVERS, PRINTERS, SWITCH, FIREWALL, ROUTER, INTERNET

● Ours are small office networks; they need not be excessively complex.
● Elements to the left of the firewall constitute the Local Area Network (LAN).
● Elements to the right of the firewall constitute the Wide Area Network (WAN).
● Together, firewall and router link a private network (LAN) to a public one (WAN).
  – The router figures out how to route packets between different networks.
  – The firewall applies rules for the packets.

Page 12: NACTT STAFF SYMPOSIUM

Issue: Addressing

Each device in our network needs an IP address. The kind of IP address it has will determine with which other devices and network segments each device can communicate directly.

● IPv4 addresses are typically represented in dot-decimal notation: 4 decimal numbers, each ranging from 0 to 255, separated by dots. Each decimal represents an octet (8 bits).

● Subnetting limits the scope of a network, and allows address ranges to be sub-divided.

● LAN addresses should be chosen from IANA-reserved private network ranges:
  ● 10.0.0.0 to 10.255.255.255 with default subnet mask 255.0.0.0.
  ● 172.16.0.0 to 172.31.255.255 with default subnet mask 255.240.0.0.
  ● 192.168.0.0 to 192.168.255.255 with default subnet mask 255.255.0.0.

● WAN addresses are typically assigned by your ISP.

● Online IP subnet calculators can be used to calculate an appropriate address space for your network.
  ● http://www.subnet-calculator.com
  ● http://jodies.de/ipcalc

Page 13: NACTT STAFF SYMPOSIUM

Issue: Addressing

Subnets are specified via a “subnet mask”: 4 bytes (octets) which limit the possible range of each of the 4 bytes of a network's IP addresses:

Example 1:

Network: 192.168.13.0  / 11000000.10101000.00001101.00000000
Mask:    255.255.255.0 / 11111111.11111111.11111111.00000000

When all bits in an octet of the mask are “on” (1), the corresponding octet of the network IP address is fixed.

Resulting IP range: 192.168.13.1 to 192.168.13.254

Fourth octet can vary from 00000001 (1) to 11111110 (254).

192.168.13.255 (fourth octet is 11111111) is the broadcast address.
192.168.13.0 (fourth octet is 00000000) is the network identifier address.
These addresses are reserved and cannot be assigned to hosts.

Page 14: NACTT STAFF SYMPOSIUM

Issue: Addressing

Subnets are specified via a “subnet mask”: 4 bytes (octets) which limit the possible range of each of the 4 bytes of a network's IP addresses:

Example 2:

Network: 192.168.13.0    / 11000000.10101000.00001101.00000000
Mask:    255.255.255.240 / 11111111.11111111.11111111.11110000

Only the high four bits of the fourth octet of the mask are “on” (1), so only the low four bits of the fourth octet of the address may vary.

Resulting IP range: 192.168.13.1 to 192.168.13.14

Fourth octet can vary from 00000001 (1) to 00001110 (14).

192.168.13.15 (fourth octet is 00001111) is the broadcast address.
192.168.13.0 (fourth octet is 00000000) is the network identifier address.

Page 15: NACTT STAFF SYMPOSIUM

Consider: Our Network with IP Addresses

Diagram (address plan):
  SERVERS: 192.168.13.1 to 192.168.13.99
  WORKSTATIONS: 192.168.13.100 to 192.168.13.199
  PRINTERS: 192.168.13.200 to 192.168.13.240
  SWITCH: 192.168.13.253
  FIREWALL, LAN INTERFACE: 192.168.13.254 (LAN DEFAULT GATEWAY)
  FIREWALL, WAN INTERFACE: 201.201.13.2
  ROUTER: 201.201.13.6 (WAN DEFAULT GATEWAY)
  INTERNET

● Default route or gateway specifies the host to which packets with destination addresses outside of the local subnet (and for which no explicit route has been defined) should be routed.
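The subnet arithmetic of Examples 1 and 2 and the address plan of this slide, worked through in Python as an added example (not part of the deck): `subnet()` derives network, usable host range and broadcast from a dotted address and mask, and `check_plan()` verifies that the slide's address ranges fit inside the subnet and do not overlap one another. The plan list and the checks are constructed here; all addresses are the slide's.

```python
# Added example (not from the deck): subnet arithmetic behind the two
# addressing examples, applied to the slide's address plan.

def to_int(dotted):
    """Dot-decimal IPv4 text -> 32-bit integer, rejecting malformed input."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not four octets: {dotted}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range: {dotted}")
        value = (value << 8) | octet
    return value

def to_dotted(value):
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_binary(value):
    """Render 8 bits per octet, dot-separated, as the slides do."""
    return ".".join(f"{(value >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))

def subnet(address, mask):
    """Network, usable host range and broadcast for address/mask.
    The mask must be a run of 1 bits followed by 0 bits (contiguous)."""
    a, m = to_int(address), to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    network = a & m                          # host bits cleared
    broadcast = network | (~m & 0xFFFFFFFF)  # host bits set
    return {
        "prefix": prefix,
        "network": to_dotted(network),
        "first_host": to_dotted(network + 1),
        "last_host": to_dotted(broadcast - 1),
        "broadcast": to_dotted(broadcast),
        "mask_bits": to_binary(m),
    }

# Address plan from the slide as (label, first, last); list constructed here.
PLAN = [
    ("servers", "192.168.13.1", "192.168.13.99"),
    ("workstations", "192.168.13.100", "192.168.13.199"),
    ("printers", "192.168.13.200", "192.168.13.240"),
    ("switch", "192.168.13.253", "192.168.13.253"),
    ("LAN gateway", "192.168.13.254", "192.168.13.254"),
]

def check_plan(plan, network, mask):
    """Problems: ranges outside the usable hosts, or overlapping each other."""
    s = subnet(network, mask)
    lo, hi = to_int(s["first_host"]), to_int(s["last_host"])
    problems, seen = [], []
    for label, first, last in plan:
        f, l = to_int(first), to_int(last)
        if f < lo or l > hi:
            problems.append(f"{label}: outside usable hosts "
                            f"{s['first_host']}-{s['last_host']}")
        for other, of, ol in seen:
            if f <= ol and of <= l:          # closed intervals intersect
                problems.append(f"{label} overlaps {other}")
        seen.append((label, f, l))
    return problems
```

Running `check_plan(PLAN, "192.168.13.0", "255.255.255.240")` shows why the /28 of Example 2 cannot hold this plan: every range falls outside 192.168.13.1 to 192.168.13.14.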

Page 16: NACTT STAFF SYMPOSIUM

Network Services

A Typical Scan of a Network Printer.

Page 17: NACTT STAFF SYMPOSIUM

Network Services

A Typical Scan of a Windows PC.

Page 18: NACTT STAFF SYMPOSIUM

Network Services

Address Provisioning and Host Naming.
How should network addresses and configuration information be propagated to devices? How should network addresses be resolved to host names for user applications?

● Address Provisioning:
  ● Manual, static configuration.
  ● DHCP (Dynamic Host Configuration Protocol), a network service traditionally operating on UDP port 67 for providing network addresses and configuration information to newly-connected hosts.
  ● DHCP service is included with virtually all server operating systems.
  ● DHCP is built-in to many firewall and router appliances.

Page 19: NACTT STAFF SYMPOSIUM

Network Services

Address Provisioning and Host Naming.
How should network addresses and configuration information be propagated to devices? How should network addresses be resolved to host names?

● Host Naming:
  ● Hosts files: static text tables on each host linking local IP addresses to convenient host names.
    ● Management becomes tedious.
    ● Does not include hosts beyond the local network.
  ● DNS (Domain Name System) service, a network service traditionally operating on UDP port 53 for resolving host names to IP addresses and vice-versa.
    ● Can be authoritative for your local network, and forward requests for resolution of non-local addresses to outside servers.
    ● DNS service is included with virtually all server operating systems.
    ● DNS service is built-in to some firewall appliances.
    ● DNS server information can be propagated to hosts along with IP configuration information via DHCP.
    ● Your ISP should provide DNS server IP addresses for you to use for resolution of WAN addresses (or use free-to-use Google servers).

Page 20: NACTT STAFF SYMPOSIUM

Network Services

Network Management Protocols.
Used by network management applications to configure, monitor, and report on network-attached devices.

● Simple Network Management Protocol (SNMP).
  ● De facto standard for network management architectures.
  ● Defines how management information is exchanged between network management applications and management agents.
  ● Commonly found in routers, switches, server management consoles, printers, etc.
  ● Considerable information disclosure; allows an attacker to quickly and easily gain detailed knowledge of the network.
  ● Disable where possible!

Page 21: NACTT STAFF SYMPOSIUM

Network Services

Zeroconf (zero-configuration) networking.
A set of protocols and technologies for auto-configuration of network devices and auto-discovery of services offered by those devices (printers, game consoles, telephony servers, etc.).

● Multicast DNS (mDNS)
  ● A zeroconf host name resolution service.
● Link-local Multicast Name Resolution (LLMNR)
  ● Windows zeroconf name resolution service.
● DNS Service Discovery (DNS-SD)
  ● Allows clients to discover a named list of services by type in a domain by using DNS queries.
● Simple Service Discovery Protocol (SSDP).
  ● HTTP-like protocol providing service discovery for UPnP (Universal Plug and Play) technology.
● Implementations include Bonjour, Avahi, Windows CE.
● All of these protocols are commonly enabled on network printers, all-in-one copiers, and other devices.
● These protocols assume the local network is trusted and allow an attacker to quickly gain detailed knowledge of the network.
● Disable where possible!

Page 22: NACTT STAFF SYMPOSIUM

Network Services

E-Mail – The Trustee must have reliable, constant access to the NACTT Trustee mailing list.

E-mail involves a variety of network services and protocols:

● SMTP (Simple Mail Transfer Protocol) – the standard protocol for sending e-mail.
  ● Traditionally operated on TCP port 25. Servers operating as the official mail exchange for a given domain (which information is part of the DNS system) must accept connections on this port.
  ● May be encrypted via SSL-encapsulation as smtps, traditionally operated on TCP port 465.
  ● May be encrypted at the session level via TLS.
  ● Servers may require authentication to relay messages beyond the domains for which the server is the exchange.
  ● Relaying beyond local domains may be restricted by IP address criteria.
  ● Relaying should always be somehow restricted.

Page 23: NACTT STAFF SYMPOSIUM

Network Services

● POP3 (Post Office Protocol) – one protocol for retrieving e-mail from a mail server.
  ● Traditionally operated on TCP port 110.
  ● May be encrypted via SSL-encapsulation as pop3s, traditionally operated on TCP port 995.
  ● May be encrypted at the session level via TLS.
  ● Retrieves whole messages from the server; often messages are simultaneously deleted from the server.


Page 24: NACTT STAFF SYMPOSIUM

Network Services

● IMAP (Internet Message Access Protocol) – protocol for accessing e-mail messages on a mail server.
  ● Traditionally operated on TCP port 143.
  ● May be encrypted via SSL-encapsulation as imaps, traditionally operated on TCP port 993.
  ● May be encrypted at the session level via TLS.
  ● Differences from POP3:
    ● Leaves messages on the server.
    ● Allows simultaneous access to e-mail folders from multiple devices.
    ● Persistent connection.


Page 25: NACTT STAFF SYMPOSIUM

Network Services

● E-mail services are included with some server operating systems.
● Commonly used e-mail server software includes:
  ● Microsoft Exchange – complete e-mail server suite; non-free.
  ● Postfix – SMTP service; free, open source.
  ● Sendmail – SMTP service; free, open source.
  ● Qmail – SMTP and POP3 services; free, open source.
  ● Dovecot – POP3 and IMAP services; free, open source.
  ● Courier – complete e-mail server suite; free, open source.
● Hosting your own e-mail necessitates a spam-filtering solution.
  ● 3rd-party e-mail gateways or “cloud” services.
  ● E-mail gateway appliance (Barracuda, etc.)
  ● Spam filtering software products.


Page 26: NACTT STAFF SYMPOSIUM

Network Services

Diagram (our network with initial network services):
  WORKSTATIONS AND PRINTERS: chapter13.local
  SWITCH: 192.168.13.253
  SERVERS: chapter13.local
  FIREWALL, LAN INTERFACE: 192.168.13.254
  FIREWALL, WAN INTERFACE: 201.201.13.2
  ROUTER: 201.201.13.6 (WAN DEFAULT GATEWAY)
  INTERNET

  DHCP SERVICE: listens on LAN interface only; assigns from IP range 192.168.13.100 to 192.168.13.199; gateway 192.168.13.254; DNS server 192.168.13.1.
  DNS SERVICE: running on 192.168.13.1; resolves for 192.168.13.0 / chapter13.local; forwards to 8.8.8.8 and 8.8.4.4.
  EMAIL SERVICES: running on 192.168.13.1; includes SMTP, SMTPS, POP3, POP3S, IMAP, IMAPS.
  FIREWALL POLICY: WAN interface default deny all; LAN interface allow outgoing.
  FIREWALL RULES: NAT 192.168.13.0/255.255.255.0 thru 201.201.13.2; WAN allow SMTP, SMTPS, POP3S, IMAPS; port forwards SMTP, SMTPS, POP3S, IMAPS for 201.201.13.2 forward to 192.168.13.1.

Page 27: NACTT STAFF SYMPOSIUM

Network Services

● WAN clients access e-mail services through the WAN interface.
● LAN clients access e-mail services through the LAN address.
● Firewall port forwards to internal network services represent holes in the firewall.

● If services running on internal servers can be compromised by an attacker, the internal network itself can be compromised.

● Consider deploying internet-facing services within a DMZ (de-militarized zone).

Our Network with initial network services:

Page 28: NACTT STAFF SYMPOSIUM

Diagram (network services in DMZ):
  WORKSTATIONS AND PRINTERS: chapter13.local
  SWITCH (LAN): 192.168.13.253
  SERVERS: chapter13.local
  SERVER (DMZ): chapter13.dmz, 192.168.14.1
  SWITCH (DMZ): 192.168.14.253
  FIREWALL, LAN INTERFACE: 192.168.13.254
  FIREWALL, DMZ INTERFACE: 192.168.14.254
  FIREWALL, WAN INTERFACE: 201.201.13.2
  ROUTER: 201.201.13.6
  INTERNET

  DHCP SERVICE: LAN interface only; assigns from IP range 192.168.13.100 to 192.168.13.199; gateway 192.168.13.254; DNS server 192.168.13.1.
  DNS SERVICE: running on 192.168.13.1; resolves for 192.168.13.0 / chapter13.local; forwards to 8.8.8.8 and 8.8.4.4.
  EMAIL SERVICES: running on 192.168.14.1; includes SMTP, SMTPS, POP3, POP3S, IMAP, IMAPS.
  FIREWALL POLICY: WAN interface default deny all; LAN interface allow outgoing; DMZ interface allow outgoing.
  FIREWALL RULES: NAT 192.168.13.0/255.255.255.0 thru 201.201.13.2; NAT 192.168.14.0/255.255.255.0 thru 201.201.13.2; WAN allow SMTP, SMTPS, POP3S, IMAPS; port forwards SMTP, SMTPS, POP3S, IMAPS for 201.201.13.2 forward to 192.168.14.1.

Network Services in DMZ

Network Services in DMZ

Page 29: NACTT STAFF SYMPOSIUM

Network Services in DMZ

● Isolates public network services from internal network with live trust data.

● Services in DMZ accessible by LAN clients and WAN clients through WAN interface (beware firewall policy about LAN client access direct to WAN interface).

● Firewall must have three interfaces; commonly called “three-legged” network architecture.

● Dual-firewall architecture is also common for DMZs.
● LAN/DMZ switching can be accomplished with a single physical switch employing VLANs (Virtual LAN).
  ● Not as secure as separate physical switches.
  ● May be prone to VLAN hopping.

DMZ creates third zone with private network.
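The firewall policy from the DMZ diagram (Page 28), together with the point that every port forward is a hole in the firewall, modelled in Python as an added example that is not part of the deck: the zones, default policies, WAN allow list and port forwards are the slide's; `evaluate()`, its handling of the slide's caveat about LAN clients reaching the WAN interface, and the sample connections are constructed here.

```python
# Added example (not the deck's own configuration): a model of the firewall
# policy on the "Network Services in DMZ" slide. Addresses, zone policies,
# the WAN allow list and the port forwards come from the slide; the
# evaluation logic and sample connections are constructed here.
import ipaddress

ZONES = {"lan": "192.168.13.0/24", "dmz": "192.168.14.0/24"}
WAN_ADDRESS = "201.201.13.2"      # firewall WAN interface
MAIL_SERVER = "192.168.14.1"      # e-mail server, now in the DMZ

PORTS = {"smtp": 25, "smtps": 465, "pop3": 110, "pop3s": 995,
         "imap": 143, "imaps": 993}

# WAN ALLOW SMTP, SMTPS, POP3S, IMAPS; each is port-forwarded to the mail
# server. Plain POP3 and IMAP stay reachable from LAN and DMZ only.
WAN_ALLOW = ("smtp", "smtps", "pop3s", "imaps")
PORT_FORWARDS = {PORTS[n]: (MAIL_SERVER, PORTS[n]) for n in WAN_ALLOW}

def zone_of(ip):
    """Zone an address belongs to; anything outside LAN and DMZ is WAN."""
    addr = ipaddress.ip_address(ip)
    for zone, cidr in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return zone
    return "wan"

def evaluate(src_ip, dst_ip, dst_port):
    """Decide a new TCP connection. Returns (verdict, delivered_to) where
    delivered_to is the (ip, port) the packet reaches after any NAT, or
    None when it is dropped."""
    src_zone = zone_of(src_ip)
    if src_zone == "wan":
        # WAN INTERFACE: DEFAULT DENY ALL. Only the forwarded ports on the
        # firewall's own WAN address get in; private addresses are not
        # reachable from outside at all.
        if dst_ip == WAN_ADDRESS and dst_port in PORT_FORWARDS:
            return "forward", PORT_FORWARDS[dst_port]
        return "deny", None
    # LAN and DMZ INTERFACE: ALLOW OUTGOING.
    if dst_ip == WAN_ADDRESS and dst_port in PORT_FORWARDS:
        # The slide's caveat: LAN clients reaching the DMZ service via the
        # WAN address depends on the firewall supporting hairpin NAT.
        return "hairpin (check firewall policy)", PORT_FORWARDS[dst_port]
    if zone_of(dst_ip) == "wan":
        return f"allow (NAT via {WAN_ADDRESS})", (dst_ip, dst_port)
    return "allow", (dst_ip, dst_port)

def firewall_holes():
    """Every port forward is a hole in the default-deny WAN policy; list
    them so the exposed services can be reviewed."""
    return [f"{WAN_ADDRESS}:{p} -> {ip}:{port}"
            for p, (ip, port) in sorted(PORT_FORWARDS.items())]
```

`evaluate("1.2.3.4", "201.201.13.2", 110)` is denied while port 995 is forwarded, which is exactly the WAN allow list's effect: only the encrypted retrieval ports and SMTP are exposed.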

Page 30: NACTT STAFF SYMPOSIUM

Network Services – Remote Access

Remote Access

UST recommends use of a Virtual Private Network (VPN):

● Only trustee-owned devices should be used to remotely access trusted systems on the trustee's internal network.

● VPN solution authenticates remote users and encrypts network communications to the trustee's office network.

● VPN solution supports two-factor authentication and uses the most current FIPS-compliant encryption module.

● VPN service is installed on a dedicated server (such as a VPN appliance) along with an appropriately configured firewall.

● Trustee should maintain separate user accounts and passwords for VPN access/authentication.

● Solution should deny to remote users the ability to change or set security or access rights to trusted systems.

Page 31: NACTT STAFF SYMPOSIUM

Diagram (remote access VPN):
  INTERNET
  REMOTE USER @ 1.2.3.4, VPN ADDRESS 192.168.13.199
  PACKET: SOURCE 1.2.3.4, DEST 201.201.13.2
    PACKET (ENCRYPTED): SOURCE 192.168.13.199, DEST 192.168.13.1
  FIREWALL W/ INTEGRATED VPN: decrypts WAN packet payload, routes tunneled packet onto LAN
    WAN INTERFACE: 201.201.13.2
    LAN INTERFACE: 192.168.13.254
  LAN: 192.168.13.0/255.255.255.0

Network Services – Remote Access

What is a VPN?

● Joins remote networks/devices across public networks over encrypted channels.

● Reiteration of IP stack encapsulated inside secure tunneling protocol.
● Remote computer joined to internal LAN, with access to all network resources.

Page 32: NACTT STAFF SYMPOSIUM


Network Services – Remote Access

What is a VPN?

● Can log into LAN computers/servers via RDP, VNC, etc.
● Beware of split-tunneling on VPN clients.
● VPN service is built-in to many firewall appliances.

Page 33: NACTT STAFF SYMPOSIUM

Wireless

ALL wireless clients are remote clients.

● Do not attach WAP (wireless access point) to internal (trust data) network directly.

● Create wireless network within DMZ.
● Wireless clients must authenticate and access internal resources through VPN like remote clients.
● Beware of WEP security (inadequate); use WPA2 or better.
● Beware of UST “mandatory requirements”.

Wireless Networking

Page 34: NACTT STAFF SYMPOSIUM

The Network: Putting it All Together

Diagram (putting it all together):
  WORKSTATIONS AND PRINTERS: chapter13.local
  SWITCH (LAN): 192.168.13.253
  SERVERS: chapter13.local
  FIREWALL, LAN INTERFACE: 192.168.13.254
  FIREWALL, DMZ INTERFACE: 192.168.14.254
  FIREWALL, WAN INTERFACE: 201.201.13.2
  SWITCH (DMZ): 192.168.14.253
  SERVER (DMZ): chapter13.dmz, 192.168.14.1
  WAP
  WIFI CLIENT: 192.168.14.199, VPN ADDR 192.168.13.199
  ROUTER: 201.201.13.6
  INTERNET

Page 35: NACTT STAFF SYMPOSIUM

The Network – Useful Tools

Included in most server operating systems:
● ping, ping -t
  ● The knock-knock of your network toolbox. See “ping /?” on Windows; “man ping” on UNIX-based systems (linux, iOS, OSX, AIX, Solaris, etc.) for usage information.
● netstat, netstat -an, netstat -ban
  ● A Swiss Army Knife for the tool box. Displays currently active network connections, bound ports (and the processes that own them), routing tables, etc. See “netstat /?”, “man netstat”.
● traceroute/tracert (UNIX/Windows)
  ● A troubleshooting tool for tracing a packet's bounces across networks.
● arp -a
  ● Print the MAC address of devices in the ARP table with their IP address (ping an IP address to populate a record in the table).
● ipconfig /all
  ● A Windows tool for querying IP configuration information of a system's network interfaces.
● ifconfig
  ● A UNIX tool for querying and modifying IP configuration of a system's network interfaces.

Page 36: NACTT STAFF SYMPOSIUM

The Network – Useful Tools

Included in most server operating systems:
● route, route -print
  ● A tool for direct manipulation of network routing tables.
● telnet – traditionally a protocol for remote shell access (now considered insufficiently secure), telnet is still useful for connecting to other listening services directly (or testing that services are listening and reachable on expected ports); for example, one can connect to an SMTP service and conduct a mail exchange conversation directly with the server.
● nslookup <ip_or_hostname>
  ● Used to query hostname and IP address information from DNS servers.
  ● Use interactively with no arguments; type “set type=ZZ” then enter a domain name to query different DNS record types:
    ● Replace ZZ with MX to get the address of the mail server for the domain name entered.
    ● SOA to get the authoritative DNS server.
    ● A for the default hostname lookup.

Page 37: NACTT STAFF SYMPOSIUM

The Network – Useful Tools

Available for most server operating systems:
● nmap – a highly configurable and extremely powerful port scanner. Free and open-source, it is available for both UNIX and Windows systems.
● Nessus – a comprehensive vulnerability scanner. Versions 2.2.11 and earlier are open-source; most recent versions have a proprietary license but are “free to use for personal use” in “non-enterprise” environments.
● Wireshark – an open-source packet analyzer (i.e., “sniffer”), useful for capturing and analyzing raw network traffic.
● Sysinternals suite from Microsoft:
  ● Procexp – interactive enhanced Task Manager.
  ● Tcpview – interactive network status with process info, like netstat -ban.
  ● AccessEnum – recursively list owner and file permissions, export to Excel.

Page 38: NACTT STAFF SYMPOSIUM

The Network – Keeping It Organized

● Maintain an inventory
  ● Spreadsheet, database, etc.
  ● Servers, workstations, mobile devices, other network devices (switches, routers, printers, WAPs, multi-function devices).
  ● Include IP information.
  ● Include installed operating system and version, and installed software.
  ● Include brand, model, and serial number where applicable.

● Diagram your network; keep it current!

● Establish a repository for software licenses.

Page 39: NACTT STAFF SYMPOSIUM

The Network – Keeping It Organized

● Keep a master password list.
  ● Include all administrative credentials to trust computers (servers, workstations).
  ● Include credentials for all network devices:
    ● Switches, routers, copier/multi-purpose devices, printers, WAPs.
  ● Include credentials for vendor and bank web sites, ISP, etc.
  ● Keep the list secure.
    ● Encrypt file locally (via PGP or equivalent).
    ● Whenever passwords change, create two hard copies.
      ● Put copies in sealed envelopes; date the envelopes with current date.
      ● Give both copies to the Trustee.
        ● One should be kept securely on-site, in office safe, etc.
        ● One should be kept securely off-site, with bank, Trustee residential safe, etc.

Page 40: NACTT STAFF SYMPOSIUM

The Network – Keeping It Organized

● Consider an administrative task list:
  ● Track execution of admin tasks with differing frequency:
    ● AV software/signature updates.
    ● Backups, backup testing.
    ● Patch management.
    ● Log reviews.
    ● Account Management.

Page 41: NACTT STAFF SYMPOSIUM

System Managers Training

http://www.ch13stl.com/2014symposium

NACTT STAFF SYMPOSIUM

2014 Tampa