System Managers Training
EXPLORING THE NETWORK: The Pieces of the Infrastructure
NACTT STAFF SYMPOSIUM
2014 Tampa
What is “The Network”?
A web of devices (“hosts”) linked together by a variety of technologies and passing chunks of data back and forth.
[Diagram: workstations, servers and printers connect to a switch; the switch connects to the firewall; the firewall connects to the router; the router connects to the Internet.]
● Ours are small office networks; they need not be excessively complex.
● Elements to the left of the firewall constitute the Local Area Network (LAN).
● Elements to the right of the firewall constitute the Wide Area Network (WAN).
● Together, firewall and router link a private network (LAN) to a public one (WAN).
  – The router figures out how to route packets between different networks.
  – The firewall applies rules for the packets.
Consider: A “Typical” Trustee Network
Issue: Addressing
Each device in our network needs an IP address. The kind of IP address it has will determine with which other devices and network segments each device can communicate directly.
● IPv4 addresses are typically represented in dot-decimal notation: 4 decimal numbers, each ranging from 0 to 255, separated by dots. Each decimal represents an octet (8 bits).
● Subnetting limits the scope of a network, and allows address ranges to be sub-divided.
● LAN addresses should be chosen from IANA-reserved private network ranges:
  ● 10.0.0.0 to 10.255.255.255 with default subnet mask 255.0.0.0.
  ● 172.16.0.0 to 172.31.255.255 with default subnet mask 255.240.0.0.
  ● 192.168.0.0 to 192.168.255.255 with default subnet mask 255.255.0.0.
● WAN addresses are typically assigned by your ISP.
● Online IP subnet calculators can be used to calculate an appropriate address space for your network.
  ● http://www.subnet-calculator.com
  ● http://jodies.de/ipcalc
Issue: Addressing
Subnets are specified via a “subnet mask”: 4 bytes (octets) which limit the possible range of each of the 4 octets of a network's IP addresses:
Example 1:
Network: 192.168.13.0 / 11000000.10101000.00001101.00000000
Mask: 255.255.255.0 / 11111111.11111111.11111111.00000000
When all bits in an octet of the mask are “on” (1), the corresponding octet of the network IP address is fixed.
Resulting IP range: 192.168.13.1 to 192.168.13.254
Fourth octet can vary from 00000001 (1) to 11111110 (254).
192.168.13.255 (fourth octet is 11111111) is the broadcast address.
192.168.13.0 (fourth octet is 00000000) is the network identifier address.
These addresses are reserved and cannot be assigned to hosts.
Issue: Addressing
Subnets are specified via a “subnet mask”: 4 bytes (octets) which limit the possible range of each of the 4 octets of a network's IP addresses:
Example 2:
Network: 192.168.13.0 / 11000000.10101000.00001101.00000000
Mask: 255.255.255.240 / 11111111.11111111.11111111.11110000
Resulting IP range: 192.168.13.1 to 192.168.13.14
Fourth octet can vary from 00000001 (1) to 00001110 (14).
192.168.13.15 (fourth octet is 00001111) is the broadcast address.
192.168.13.0 (fourth octet is 00000000) is the network identifier address.
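The two mask examples above can be checked with a few lines of Python. This is an added example, not part of the symposium slides; it uses only the standard library `ipaddress` module, reproduces the network identifier, broadcast address and usable host range for both masks, tests whether two hosts share a subnet (which is what decides whether they can talk directly or must go through the gateway), and checks an address against the three IANA private ranges listed earlier.

```python
import ipaddress

# IANA-reserved private ranges from the slide (RFC 1918), written as
# network/mask the way the deck lists them.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/255.0.0.0"),
    ipaddress.ip_network("172.16.0.0/255.240.0.0"),
    ipaddress.ip_network("192.168.0.0/255.255.0.0"),
]


def mask_to_bits(mask: str) -> str:
    """Render a dotted-decimal mask as four binary octets, e.g.
    255.255.255.240 -> 11111111.11111111.11111111.11110000."""
    return ".".join(f"{int(octet):08b}" for octet in mask.split("."))


def describe_subnet(address: str, mask: str) -> dict:
    """Compute what the slide's examples show by hand: network id,
    broadcast address and usable host range for an IPv4 address
    combined with a dotted-decimal subnet mask."""
    net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    hosts = list(net.hosts())  # excludes network id and broadcast
    return {
        "network": str(net.network_address),
        "mask_bits": mask_to_bits(mask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]) if hosts else None,
        "last_host": str(hosts[-1]) if hosts else None,
        "usable_hosts": len(hosts),
    }


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when two hosts share a network id under the mask, i.e. they can
    exchange packets directly without going through the default gateway."""
    net_a = ipaddress.ip_network(f"{a}/{mask}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{mask}", strict=False)
    return net_a.network_address == net_b.network_address


def is_private(address: str) -> bool:
    """True when the address falls in one of the RFC 1918 LAN ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in rng for rng in PRIVATE_RANGES)


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.240"):
        info = describe_subnet("192.168.13.0", mask)
        print(f"mask {mask} ({info['mask_bits']}): hosts "
              f"{info['first_host']} to {info['last_host']}, "
              f"broadcast {info['broadcast']}")
```

Running the script prints the ranges from Example 1 and Example 2; `same_subnet` shows why a workstation at 192.168.13.100 and a server at 192.168.13.1 can talk directly under a /24 mask but not under the /28 (255.255.255.240) mask.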
[Diagram: our network with IP addresses]
● Workstations: 192.168.13.100 to 192.168.13.199
● Servers: 192.168.13.1 to 192.168.13.99
● Printers: 192.168.13.200 to 192.168.13.240
● Switch: 192.168.13.253
● Firewall LAN interface: 192.168.13.254 (LAN default gateway)
● Firewall WAN interface: 201.201.13.2
● Router: 201.201.13.6 (WAN default gateway), connected to the Internet
● Default route or gateway specifies host to which packets with destination addresses outside of the local subnet (and for which no explicit route has been defined) should be routed.
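The route-selection rule stated above (most specific explicit route first, default gateway only when nothing else matches) is easy to see in a small longest-prefix-match lookup. This is an added example, not from the slides; the routing table is constructed for a LAN host on the network drawn above, and the 10.20.0.0/16 static route and its gateway 192.168.13.250 are hypothetical entries added only to show an explicit route taking precedence over the default.

```python
import ipaddress

# Constructed routing table for a LAN host on the slide's 192.168.13.0/24 network.
# (prefix, gateway): gateway None means "directly connected", i.e. the
# destination is on the local subnet and is reached without a router.
ROUTES = [
    ("192.168.13.0/24", None),           # local subnet, on-link
    ("10.20.0.0/16", "192.168.13.250"),  # hypothetical explicit static route
    ("0.0.0.0/0", "192.168.13.254"),     # default route: the LAN default gateway
]


def lookup_route(destination: str, routes=ROUTES):
    """Longest-prefix match: the most specific matching route wins, and the
    0.0.0.0/0 default applies only when nothing more specific matches.
    Returns (matched_prefix, next_hop)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        raise ValueError(f"no route to {destination}")
    net, gateway = best
    # On-link destinations are delivered directly (ARP for the host itself).
    next_hop = destination if gateway is None else gateway
    return str(net), next_hop


if __name__ == "__main__":
    for dest in ("192.168.13.1", "10.20.5.5", "8.8.8.8"):
        prefix, hop = lookup_route(dest)
        print(f"{dest}: matched {prefix}, next hop {hop}")
```

A host with no default route (the last entry removed) raises an error for any address outside its own subnet, which is exactly the symptom of a workstation whose DHCP lease did not include a gateway.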
Consider: Our Network with IP Addresses
Network Services
A Typical Scan of a Network Printer.
Network Services
A Typical Scan of a Windows PC.
Network Services
Address Provisioning and Host Naming. How should network addresses and configuration information be propagated to devices? How should network addresses be resolved to host names for user applications?
● Address Provisioning:
  ● Manual, static configuration.
  ● DHCP (Dynamic Host Configuration Protocol), a network service traditionally operating on UDP port 67 for providing network addresses and configuration information to newly-connected hosts.
  ● DHCP service is included with virtually all server operating systems.
  ● DHCP is built-in to many firewall and router appliances.
Network Services
Address Provisioning and Host Naming. How should network addresses and configuration information be propagated to devices? How should network addresses be resolved to host names?
● Host Naming:
  ● Host files: static text tables on each host linking local IP addresses to convenient host names.
    ● Management becomes tedious.
    ● Does not include hosts beyond the local network.
  ● DNS (Domain Name System) service, a network service traditionally operating on UDP port 53 for resolving host names to IP addresses and vice-versa.
    ● Can be authoritative for your local network, and forward requests for resolution of non-local addresses to outside servers.
    ● DNS service is included with virtually all server operating systems.
    ● DNS service is built-in to some firewall appliances.
    ● DNS server information can be propagated to hosts along with IP configuration information via DHCP.
    ● Your ISP should provide DNS server IP addresses for you to use for resolution of WAN addresses (or use free-to-use Google servers).
Network Services
Network Management Protocols. Used by network management applications to configure, monitor, and report on network-attached devices.
● Simple Network Management Protocol (SNMP).
  ● De facto standard for network management architectures.
  ● Defines how management information is exchanged between network management applications and management agents.
  ● Commonly found in routers, switches, server management consoles, printers, etc.
  ● Considerable information disclosure; allows an attacker to quickly and easily gain detailed knowledge of the network.
  ● Disable where possible!
Network Services
Zeroconf (zero-configuration) networking. A set of protocols and technologies for auto-configuration of network devices and auto-discovery of services offered by those devices (printers, game consoles, telephony servers, etc.).
● Multicast DNS (mDNS)
  ● A zeroconf host name resolution service.
● Link-local Multicast Name Resolution (LLMNR)
  ● Windows zeroconf name resolution service.
● DNS Service Discovery (DNS-SD)
  ● Allows clients to discover a named list of services by type in a domain by using DNS queries.
● Simple Service Discovery Protocol (SSDP).
  ● HTTP-like protocol providing service discovery for UPnP (Universal Plug and Play) technology.
● Implementations include Bonjour, Avahi, Windows CE.
● All of these protocols are commonly enabled on network printers, all-in-one copiers, and other devices.
● These protocols assume the local network is trusted and allow an attacker to quickly gain detailed knowledge of the network.
● Disable where possible!
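The practical follow-up to “disable where possible” is finding out which hosts still have SNMP or zeroconf listeners. The netstat output that the Useful Tools section describes (netstat -an) already contains that information; the script below is an added example, not from the slides, that parses a constructed Windows-style `netstat -an` listing and flags the well-known ports of the protocols named above (SNMP on UDP 161, mDNS on UDP 5353, LLMNR on UDP 5355, SSDP on UDP 1900). The sample lines are made up for the example; the port-to-protocol table is standard IANA assignment.

```python
# Well-known ports of the management/discovery services the slides say to
# disable where possible (standard IANA assignments).
DISCOVERY_PORTS = {
    ("udp", 161): "SNMP agent",
    ("udp", 5353): "mDNS (Bonjour/Avahi)",
    ("udp", 5355): "LLMNR",
    ("udp", 1900): "SSDP / UPnP discovery",
}

# Constructed sample of `netstat -an` output in the Windows layout
# (Proto, Local Address, Foreign Address, State); not a real capture.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.13.100:49731   192.168.13.1:143       ESTABLISHED
  UDP    0.0.0.0:161            *:*
  UDP    192.168.13.100:5353    *:*
  UDP    0.0.0.0:5355           *:*
  UDP    0.0.0.0:1900           *:*
  UDP    0.0.0.0:68             *:*
"""


def parse_listeners(text: str):
    """Return (proto, local_address, port) for every socket that accepts
    inbound traffic: TCP sockets in LISTENING state and all bound UDP sockets."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header line or blank
        proto, local = parts[0].lower(), parts[1]
        state = parts[3] if len(parts) > 3 else ""
        if proto == "tcp" and state != "LISTENING":
            continue  # established/time-wait sockets are not listeners
        addr, port = local.rsplit(":", 1)  # rsplit keeps IPv6-style addresses intact
        listeners.append((proto, addr, int(port)))
    return listeners


def find_discovery_services(text: str):
    """Flag listeners on the SNMP/zeroconf ports, with the protocol name."""
    return [
        (proto, addr, port, DISCOVERY_PORTS[(proto, port)])
        for proto, addr, port in parse_listeners(text)
        if (proto, port) in DISCOVERY_PORTS
    ]


if __name__ == "__main__":
    for proto, addr, port, name in find_discovery_services(SAMPLE_NETSTAT):
        print(f"{proto}/{port} bound on {addr}: {name} - disable if not needed")
```

Run against real output (`netstat -an > netstat.txt`, then feed the file to `find_discovery_services`) on each server and workstation during the inventory described at the end of the deck; a listener bound to 0.0.0.0 is reachable from every LAN interface, not just the loopback.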
Network Services
E-Mail – The Trustee must have reliable, constant access to the NACTT Trustee mailing list.
E-mail involves a variety of network services and protocols:
● SMTP (Simple Mail Transfer Protocol) – the standard protocol for sending e-mail.
  ● Traditionally operated on TCP port 25. Servers operating as the official mail exchange for a given domain (which information is part of the DNS system) must accept connections on this port.
  ● May be encrypted via SSL-encapsulation as smtps, traditionally operated on TCP port 465.
  ● May be encrypted at the session level via TLS.
  ● Servers may require authentication to relay messages beyond the domains for which the server is the exchange.
  ● Relaying beyond local domains may be restricted by IP address criteria.
  ● Relaying should always be somehow restricted.
Network Services
● POP3 (Post Office Protocol) – one protocol for retrieving e-mail from a mail server.
  ● Traditionally operated on TCP port 110.
  ● May be encrypted via SSL-encapsulation as pop3s, traditionally operated on TCP port 995.
  ● May be encrypted at the session level via TLS.
  ● Retrieves whole messages from the server; often messages are simultaneously deleted from the server.
Network Services
● IMAP (Internet Message Access Protocol) – protocol for accessing e-mail messages on a mail server.
  ● Traditionally operated on TCP port 143.
  ● May be encrypted via SSL-encapsulation as imaps, traditionally operated on TCP port 993.
  ● May be encrypted at the session level via TLS.
  ● Differences from POP3:
    ● Leaves messages on the server.
    ● Allows simultaneous access to e-mail folders from multiple devices.
    ● Persistent connection.
Network Services
● E-mail services are included with some server operating systems.
● Commonly used e-mail server software includes:
  ● Microsoft Exchange – complete e-mail server suite; non-free.
  ● Postfix – SMTP service; free, open source.
  ● Sendmail – SMTP service; free, open source.
  ● Qmail – SMTP and POP3 services; free, open source.
  ● Dovecot – POP3 and IMAP services; free, open source.
  ● Courier – complete e-mail server suite; free, open source.
● Hosting your own e-mail necessitates a spam-filtering solution.
  ● 3rd-party e-mail gateways or “cloud” services.
  ● E-mail gateway appliance (Barracuda, etc.)
  ● Spam filtering software products.
Network Services
[Diagram: our network with initial network services]
● Workstations and printers: chapter13.local
● Servers: chapter13.local
● Switch: 192.168.13.253
● Firewall: LAN interface 192.168.13.254; WAN interface 201.201.13.2
● Router: 201.201.13.6 (WAN default gateway), connected to the Internet
● DHCP service: listens on LAN interface only; assigns from IP range 192.168.13.100 to 192.168.13.199; gateway 192.168.13.254; DNS server 192.168.13.1
● DNS service: running on 192.168.13.1; resolves for 192.168.13.0/chapter13.local; forwards to 8.8.8.8 and 8.8.4.4
● E-mail services: running on 192.168.13.1; includes SMTP, SMTPS, POP3, POP3S, IMAP, IMAPS
● Firewall policy: WAN interface default deny all; LAN interface allow outgoing
● Firewall rules: NAT 192.168.13.0/255.255.255.0 thru 201.201.13.2; WAN allow SMTP, SMTPS, POP3S, IMAPS; port forwards SMTP, SMTPS, POP3S, IMAPS for 201.201.13.2 forward to 192.168.13.1
Network Services
● WAN clients access e-mail services through WAN interface.
● LAN clients access e-mail services through LAN address.
● Firewall port forwarding to internal network services represents holes in the firewall.
● If services running on internal servers can be compromised by an attacker, the internal network itself can be compromised.
● Consider deploying internet-facing services within a DMZ (de-militarized zone).
Our Network with initial network services:
[Diagram: our network with e-mail services moved into a DMZ]
● Workstations and printers: chapter13.local
● Servers: chapter13.local
● LAN switch: 192.168.13.253
● DMZ server: chapter13.dmz, 192.168.14.1
● DMZ switch: 192.168.14.253
● Firewall: LAN interface 192.168.13.254; WAN interface 201.201.13.2; DMZ interface 192.168.14.254
● Router: 201.201.13.6, connected to the Internet
● DHCP service: LAN interface only; assigns from IP range 192.168.13.100 to 192.168.13.199; gateway 192.168.13.254; DNS server 192.168.13.1
● DNS service: running on 192.168.13.1; resolves for 192.168.13.0/chapter13.local; forwards to 8.8.8.8 and 8.8.4.4
● E-mail services: running on 192.168.14.1; includes SMTP, SMTPS, POP3, POP3S, IMAP, IMAPS
● Firewall policy: WAN interface default deny all; LAN interface allow outgoing; DMZ interface allow outgoing
● Firewall rules: NAT 192.168.13.0/255.255.255.0 thru 201.201.13.2; NAT 192.168.14.0/255.255.255.0 thru 201.201.13.2; WAN allow SMTP, SMTPS, POP3S, IMAPS; port forwards SMTP, SMTPS, POP3S, IMAPS for 201.201.13.2 forward to 192.168.14.1
Network Services in DMZ
● Isolates public network services from internal network with live trust data.
● Services in DMZ accessible by LAN clients and WAN clients through WAN interface (beware firewall policy about LAN client access direct to WAN interface).
● Firewall must have three interfaces; commonly called “three-legged” network architecture.
● Dual-firewall architecture is also common for DMZs.
● LAN/DMZ switching can be accomplished with a single physical switch employing VLANs (Virtual LAN).
  ● Not as secure as separate physical switches.
  ● May be prone to VLAN hopping.
DMZ creates third zone with private network.
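The three-legged policy in the diagrams (WAN default deny with four port forwards, LAN and DMZ allow outgoing with NAT) can be written down as a small packet-decision function and checked against the cases the slides raise: a published mail port from the Internet, an unpublished one, a LAN client reaching the mail server through the WAN address, and a compromised DMZ host trying to reach the LAN. This is an added example, not from the slides or any firewall product; the addresses and port forwards are the deck's, while the anti-spoofing check, the hairpin handling for LAN clients and the blanket deny of direct LAN-DMZ traffic are this example's assumptions about how the stated policy is filled in.

```python
import ipaddress

# Addresses and published services from the DMZ slide.
WAN_ADDR = "201.201.13.2"
MAIL_SERVER = "192.168.14.1"
ZONES = {
    "lan": ipaddress.ip_network("192.168.13.0/24"),
    "dmz": ipaddress.ip_network("192.168.14.0/24"),
}
# WAN ALLOW SMTP, SMTPS, POP3S, IMAPS, port-forwarded to the DMZ mail server.
# Plain POP3 (110) and IMAP (143) are deliberately absent from this table.
PUBLISHED_PORTS = {25: "SMTP", 465: "SMTPS", 995: "POP3S", 993: "IMAPS"}


def evaluate(ingress: str, proto: str, src: str, dst: str, dport: int):
    """Decide one packet arriving on the named interface.
    Returns (action, src_after_nat, dst_after_nat) where action is
    'forward' (port forward into the DMZ), 'allow' (outbound, source-NATed
    thru the WAN address) or 'deny'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    if ingress == "wan":
        # WAN INTERFACE: DEFAULT DENY ALL, except the published mail ports.
        if proto == "tcp" and dst == WAN_ADDR and dport in PUBLISHED_PORTS:
            return ("forward", src, MAIL_SERVER)
        return ("deny", src, dst)

    if ingress in ZONES:
        # Assumption: a packet from an inside interface must carry a source
        # address belonging to that zone (drops spoofed sources).
        if src_ip not in ZONES[ingress]:
            return ("deny", src, dst)
        # Assumption: LAN clients reach the mail server via the WAN address
        # (hairpin); the slide warns to check the firewall actually permits this.
        if proto == "tcp" and dst == WAN_ADDR and dport in PUBLISHED_PORTS:
            return ("forward", src, MAIL_SERVER)
        # Assumption: no direct LAN<->DMZ traffic, so a compromised DMZ host
        # cannot reach the internal network holding live trust data.
        if any(dst_ip in zone for zone in ZONES.values()):
            return ("deny", src, dst)
        # ALLOW OUTGOING: NAT 192.168.13.0/24 and 192.168.14.0/24 thru 201.201.13.2.
        return ("allow", WAN_ADDR, dst)

    raise ValueError(f"unknown interface {ingress}")


if __name__ == "__main__":
    # Constructed test packets; 5.6.7.8 stands in for an Internet host.
    cases = [
        ("wan", "tcp", "5.6.7.8", WAN_ADDR, 25),
        ("wan", "tcp", "5.6.7.8", WAN_ADDR, 110),
        ("lan", "tcp", "192.168.13.100", WAN_ADDR, 993),
        ("dmz", "tcp", "192.168.14.1", "192.168.13.1", 445),
        ("lan", "udp", "192.168.13.100", "8.8.8.8", 53),
    ]
    for pkt in cases:
        print(pkt, "->", evaluate(*pkt))
```

The DMZ-to-LAN case is the one that justifies the third interface: with the mail server on the LAN (the earlier diagram) the same compromise would already be inside the trusted network, with nothing in between to deny it.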
Network Services – Remote Access
Remote Access
UST recommends use of a Virtual Private Network (VPN):
● Only trustee-owned devices should be used to remotely access trusted systems on the trustee's internal network.
● VPN solution authenticates remote users and encrypts network communications to the trustee's office network.
● VPN solution supports two-factor authentication and uses the most current FIPS-compliant encryption module.
● VPN service is installed on a dedicated server (such as a VPN appliance) along with an appropriately configured firewall.
● Trustee should maintain separate user accounts and passwords for VPN access/authentication.
● Solution should deny to remote users the ability to change or set security or access rights to trusted systems.
[Diagram: remote access through the firewall's integrated VPN]
● LAN: 192.168.13.0/255.255.255.0; LAN interface 192.168.13.254
● Firewall with integrated VPN: WAN interface 201.201.13.2; decrypts WAN packet payload, routes tunneled packet onto LAN
● Remote user at 1.2.3.4, VPN address 192.168.13.199
● Outer packet: source 1.2.3.4, destination 201.201.13.2
● Inner packet (encrypted): source 192.168.13.199, destination 192.168.13.1
Network Services – Remote Access
What is a VPN?
● Joins remote networks/devices across public networks over encrypted channels.
● Reiteration of IP stack encapsulated inside secure tunneling protocol.
● Remote computer joined to internal LAN, with access to all network resources.
Network Services – Remote Access
What is a VPN?
● Can log into LAN computers/servers via RDP, VNC, etc.
● Beware of split-tunneling on VPN clients.
● VPN service is built-in to many firewall appliances.
Wireless
ALL wireless clients are remote clients.
● Do not attach WAP (wireless access point) to internal (trust data) network directly.
● Create wireless network within DMZ.
● Wireless clients must authenticate and access internal resources through VPN like remote clients.
● Beware of WEP security (inadequate); use WPA2 or better.
● Beware of UST “mandatory requirements”.
Wireless Networking
The Network: Putting it All Together
[Diagram: the complete network]
● Workstations and printers: chapter13.local
● Servers: chapter13.local
● LAN switch: 192.168.13.253
● DMZ server: chapter13.dmz, 192.168.14.1
● DMZ switch: 192.168.14.253
● WAP in the DMZ; WiFi client 192.168.14.199 with VPN address 192.168.13.199
● Firewall: LAN interface 192.168.13.254; WAN interface 201.201.13.2; DMZ interface 192.168.14.254
● Router: 201.201.13.6, connected to the Internet
The Network – Useful Tools
Included in most server operating systems:
● ping, ping -t
  ● The knock-knock of your network toolbox. See “ping /?” on Windows; “man ping” on UNIX-based systems (linux, iOS, OSX, AIX, Solaris, etc.) for usage information.
● netstat, netstat -an, netstat -ban
  ● A Swiss Army Knife for the tool box. Displays currently active network connections, bound ports (and the processes that own them), routing tables, etc. See “netstat /?”, “man netstat”.
● traceroute/tracert (UNIX/Windows)
  ● A troubleshooting tool for tracing a packet's bounces across networks.
● arp -a
  ● Print the MAC address of devices in the ARP table with their IP address (ping an IP address to populate a record in the table).
● ipconfig /all
  ● A Windows tool for querying IP configuration information of a system's network interfaces.
● ifconfig
  ● A UNIX tool for querying and modifying IP configuration of a system's network interfaces.
The Network – Useful Tools
Included in most server operating systems:
● route, route -print
  ● A tool for direct manipulation of network routing tables.
● telnet – traditionally a protocol for remote shell access (now considered insufficiently secure), telnet is still useful for connecting to other listening services directly (or testing that services are listening and reachable on expected ports); for example, one can connect to an SMTP service and conduct a mail exchange conversation directly with the server.
● nslookup <ip_or_hostname>
  ● Used to query hostname and IP address information from DNS servers.
  ● Use interactively with no arguments; type “set type=ZZ” then enter a domain name to query different DNS record types:
    ● Replace ZZ with MX to get the address of the mail server for the domain name entered.
    ● SOA to get the authoritative DNS server.
    ● A for the default hostname lookup.
The Network – Useful Tools
Available for most server operating systems:
● nmap – a highly configurable and extremely powerful port scanner. Free and open-source, it is available for both UNIX and Windows systems.
● Nessus – a comprehensive vulnerability scanner. Versions 2.2.11 and earlier are open-source; most recent versions have a proprietary license but are “free to use for personal use” in “non-enterprise” environments.
● Wireshark – an open-source packet analyzer (i.e., “sniffer”), useful for capturing and analyzing raw network traffic.
● Sysinternals suite from Microsoft:
  ● Procexp – interactive enhanced Task Manager.
  ● Tcpview – interactive network status with process info, like netstat -ban.
  ● AccessEnum – recursively list owner and file permissions, export to Excel.
The Network – Keeping It Organized
● Maintain an inventory
  ● Spreadsheet, database, etc.
  ● Servers, workstations, mobile devices, other network devices (switches, routers, printers, WAPs, multi-function devices).
  ● Include IP information.
  ● Include installed operating system and version, and installed software.
  ● Include brand, model, and serial number where applicable.
● Diagram your network; keep it current!
● Establish a repository for software licenses.
The Network – Keeping It Organized
● Keep a master password list.
  ● Include all administrative credentials to trust computers (servers, workstations).
  ● Include credentials for all network devices:
    ● Switches, routers, copier/multi-purpose devices, printers, WAPs.
  ● Include credentials for vendor and bank web sites, ISP, etc.
  ● Keep the list secure.
    ● Encrypt file locally (via PGP or equivalent).
    ● Whenever passwords change, create two hard copies.
      ● Put copies in sealed envelopes; date the envelopes with current date.
      ● Give both copies to the Trustee.
        ● One should be kept securely on-site, in office safe, etc.
        ● One should be kept securely off-site, with bank, Trustee residential safe, etc.
The Network – Keeping It Organized
● Consider an administrative task list:
  ● Track execution of admin tasks with differing frequency:
    ● AV software/signature updates.
    ● Backups, backup testing.
    ● Patch management.
    ● Log reviews.
    ● Account Management.
http://www.ch13stl.com/2014symposium