Tactical Perimeter Defense

Warren Peterson

Warren Peterson is the President of Security Certified Program, LLC and the founder of the Security Certified Program. Mr. Peterson regularly delivers standing-room-only security presentations for government and corporate clients on subjects ranging from general security to the threats of cyber terrorism. Mr. Peterson is an accomplished and experienced teacher who holds many industry certifications. His training methods have earned him the utmost respect and recognition from both his students and his peers. Even many years after courses have ended, many of Mr. Peterson’s students from around the world stay in touch with him.

Mr. Peterson has developed instructional curriculum for customized courses, such as courses for Microsoft, Cisco, CompTIA, and various security programs. In addition to writing for magazines, such as Certification Magazine, he is the lead author for the Security Certified Program courses, including: Network Security Fundamentals, Hardening the Infrastructure, Network Defense and Countermeasures, Tactical Perimeter Defense, Strategic Infrastructure Security, Advanced Security Implementation, and Enterprise Security Solutions.

Mr. Peterson includes the following personal thanks:

Thank you to my wife, Carin, you and our girls give me constant support, and I thank you for your devotion. You remind me daily why teaching is so important. I love you deeply, and look forward to seeing you again now that this writing phase is over!

Thank you to Waleed, you have been the foundation behind more positive change than I can describe, knowing you and working with you has been a true pleasure. Thanks to Gene, for your trusted advice and mentoring; to Mark, for your passion and enthusiasm (go have another coffee!); to Tracy, for your loyalty and friendship, which are unmatched; to Joe, for your professionalism, and desire for the best; to Dave, for always being there, even early in the morning.

And, thanks to Charles, Shrinath, and Robert, time has moved us apart, but you have each made an impression on me, and I thank you for that.




TACTICAL PERIMETER DEFENSE

For software version: N/A

ACKNOWLEDGEMENTS

Project Team

• Curriculum and Technical Writers: Warren Peterson and Clay Scott
• Copy Editor: Carin Peterson
• Reviewing Editor: Sandy Castle-Rhoads
• Technical Editor: Tracy Richter
• Quality Assurance Analyst: David Young
• Graphic Designer: Mark Patrick

Project Support

Development Assistance: Ben Tchoubineh

NOTICES

DISCLAIMER: While Security Certified Program LLC takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy, and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Any name used in the data files for this course is that of a fictitious company. Any resemblance to current or future companies is purely coincidental. We do not believe we have used anyone’s name in creating this course, but if we have, please notify us and we will change the name in the next revision of the course. Security Certified Program LLC is an independent developer of courseware and certification programs for individuals, businesses, educational institutions, and government agencies. Use of screenshots, photographs of another entity’s products, or another entity’s product name or service in this book is for editorial purposes only. No such use should be construed to imply sponsorship or endorsement of the book by, nor any affiliation of such entity with Security Certified Program LLC. This courseware may contain links to sites on the Internet that are owned and operated by third parties (the “External Sites”). Security Certified Program LLC is not responsible for the availability of, or the content located on or through, any External Site. Please contact Security Certified Program LLC if you have any concerns regarding such links or External Sites.

TRADEMARK NOTICES: The Security Certified Program, SCP, SCNS, SCNP, and SCNA are trademarks of The Security Certified Program, LLC in the U.S. and other countries; The Security Certified Program, SCP, SCNS, SCNP, products and services discussed or described may be trademarks of The Security Certified Program, LLC. All other product names and services used throughout this book may be common law or registered trademarks of their respective proprietors.

Copyright © 2007 Security Certified Program, LLC. All rights reserved. Screenshots used for illustrative purposes are the property of the software proprietor. This publication or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, storage in an information retrieval system, or otherwise, without express written permission of Security Certified Program LLC, 825 West State Street, Suite 204, Geneva, Illinois 60134, USA. (630) 208-5030. Security Certified Program LLC’s World Wide Web site is located at: www.SecurityCertified.Net.

This book conveys no rights in the software or other products about which it was written; all use or licensing of such software or other products is the responsibility of the user according to terms and conditions of the owner. Do not make illegal copies of books or software. If you believe that this book, related materials, or any other Security Certified Program LLC materials are being reproduced or transmitted without permission, please call 1-630-208-5030.

ii Tactical Perimeter Defense

Course Edition: 2.0
Course Number: SCPTPD20


CONTENT OVERVIEW

About This Course . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Lesson 1: Network Defense Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Lesson 2: Advanced TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Lesson 3: Routers and Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Lesson 4: Designing Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Lesson 5: Configuring Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Lesson 6: Implementing IPSec and VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

Lesson 7: Designing an Intrusion Detection System . . . . . . . . . . . . . . . . . . . . . . . 369

Lesson 8: Configuring an IDS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403

Lesson 9: Securing Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447

Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543


CONTENTS

About This Course . . . . xvii
Course Setup Information . . . . xxii
How To Use This Book . . . . xl

LESSON 1: NETWORK DEFENSE FUNDAMENTALS

Topic 1A Network Defense . . . . 2
    Five Key Issues of Network Security . . . . 3
    The Threats to Security . . . . 5
    Defensive Strategies . . . . 6
    Defensive Strategy Requirements . . . . 8
    Task 1A-1 Identifying Non-repudiation Issues . . . . 10

Topic 1B Defensive Technologies . . . . 10
    The Castle Analogy . . . . 10
    Attacking the Castle . . . . 11
    The Castle’s Firewall . . . . 11
    The Castle’s Intrusion Detection . . . . 12
    The Castle’s Back Doors . . . . 12
    The Defense Technologies . . . . 13
    Task 1B-1 Describing the Layers of a Defended Network . . . . 14

Topic 1C Objectives of Access Control . . . . 15
    Access Control . . . . 15
    Authentication . . . . 16
    Authentication Tokens . . . . 16
    Task 1C-1 Describing the Challenge Response Token Process . . . . 20

Topic 1D The Impact of Defense . . . . 21
    Firewalls . . . . 21
    Encryption . . . . 21
    Passwords . . . . 22
    Intrusion Detection Systems . . . . 22
    Auditing . . . . 22
    Task 1D-1 Describing the Problems of Additional Layers of Security . . . . 23

Topic 1E Network Auditing Concepts . . . . 23
    Security Auditing Basics . . . . 23


    Security Audits . . . . 24
    Audit Trails . . . . 25
    Handling and Preserving Audit Data . . . . 25
    Legal Considerations . . . . 25
    Task 1E-1 Describing Network Auditing . . . . 26
Lesson Review 1 . . . . 27

LESSON 2: ADVANCED TCP/IP

Topic 2A TCP/IP Concepts . . . . 33
    RFCs . . . . 36
    The Function of IP . . . . 36
    The Subnet Mask . . . . 40
    Task 2A-1 Layering and Address Conversions . . . . 42
    Routing . . . . 42
    VLSM and CIDR . . . . 43
    X-casting . . . . 44
    Task 2A-2 Routers and Subnetting . . . . 44

Topic 2B Analyzing the Three-way Handshake . . . . 46
    Connections . . . . 48
    Ports . . . . 50
    Network Monitor . . . . 52
    Task 2B-1 Using Network Monitor . . . . 57
    Wireshark . . . . 58
    Task 2B-2 Installing and Starting Wireshark . . . . 58
    Wireshark Overview . . . . 59
    Task 2B-3 Using Wireshark . . . . 62
    TCP Connections . . . . 63
    Task 2B-4 Analyzing the Three-way Handshake . . . . 63
    The Session Teardown Process . . . . 64
    Task 2B-5 Analyzing the Session Teardown Process . . . . 65

Topic 2C Capturing and Identifying IP Datagrams . . . . 65
    Task 2C-1 Capturing and Identifying IP Datagrams . . . . 67

Topic 2D Capturing and Identifying ICMP Messages . . . . 68
    Task 2D-1 Capturing and Identifying ICMP Messages . . . . 69

Topic 2E Capturing and Identifying TCP Headers . . . . 70
    Task 2E-1 Capturing and Identifying TCP Headers . . . . 72

Topic 2F Capturing and Identifying UDP Headers . . . . 73
    Task 2F-1 Working with UDP Headers . . . . 73

Topic 2G Analyzing Packet Fragmentation . . . . 74
    Task 2G-1 Analyzing Fragmentation . . . . 75


Topic 2H Analyzing an Entire Session . . . . 76
    Task 2H-1 Performing a Complete ICMP Session Analysis . . . . 76
    Continuing the Complete Session Analysis . . . . 79
    Task 2H-2 Performing a Complete FTP Session Analysis . . . . 80
Lesson Review 2 . . . . 92

LESSON 3: ROUTERS AND ACCESS CONTROL LISTS

Topic 3A Fundamental Cisco Security . . . . 96
    Authentication and Authorization . . . . 98
    Configuring Access Passwords . . . . 99
    Task 3A-1 Configuring Passwords . . . . 100
    Creating User Accounts . . . . 100
    Implementing Banners . . . . 101
    Implementing Cisco Banners . . . . 101
    Task 3A-2 Configuring Login Banners . . . . 103
    SSH Overview . . . . 103
    Router Configuration to use SSH . . . . 103
    Task 3A-3 Configuring SSH on a Router . . . . 105
    Task 3A-4 Configuring the SSH Client . . . . 107

Topic 3B Routing Principles . . . . 108
    The ARP Process . . . . 108
    LAN-to-LAN Routing Process . . . . 110
    LAN-to-WAN Routing Process . . . . 112
    Task 3B-1 Performing IP and MAC Analysis . . . . 113
    The Routing Process . . . . 114
    Static and Dynamic Routing . . . . 116
    Comparing Routed Protocols and Routing Protocols . . . . 119
    The Routing Protocols . . . . 120
    RIP . . . . 124
    Task 3B-2 Viewing a RIP Capture . . . . 125
    RIPv2 . . . . 125
    Task 3B-3 Viewing a RIPv2 Capture . . . . 127

Topic 3C Removing Protocols and Services . . . . 128
    CDP . . . . 128
    Task 3C-1 Turning Off CDP . . . . 129
    ICMP . . . . 129
    Task 3C-2 Hardening ICMP . . . . 130
    Source Routing . . . . 130
    Small Services . . . . 131
    Finger . . . . 131
    Remaining Services . . . . 132
    Task 3C-3 Removing Unneeded Services . . . . 133
    AutoSecure . . . . 133


Topic 3D Creating Access Control Lists . . . . 134
    Access Control List Operation . . . . 135
    The Access List Process . . . . 135
    The Wildcard Mask . . . . 136
    Task 3D-1 Creating Wildcard Masks . . . . 138

Topic 3E Implementing Access Control Lists . . . . 138
    Defending Against Attacks with ACLs . . . . 142
    Task 3E-1 Creating Access Control Lists . . . . 144
    Context-based Access Control . . . . 144

Topic 3F Logging Concepts . . . . 145
    Configuring Logging . . . . 147
    Task 3F-1 Configuring Buffered Logging . . . . 149
    ACL Logging . . . . 149
    Task 3F-2 Configuring Anti-spoofing Logging . . . . 151
Lesson Review 3 . . . . 152

LESSON 4: DESIGNING FIREWALLS

Topic 4A Firewall Components . . . . 156
    Firewall Methodologies . . . . 157
    What a Firewall Cannot Do . . . . 158
    Implementation Options for Firewalls . . . . 158
    Task 4A-1 Firewall Planning . . . . 162

Topic 4B Create a Firewall Policy . . . . 163
    Task 4B-1 Creating a Simple Firewall Policy . . . . 167

Topic 4C Rule Sets and Packet Filters . . . . 168
    Stateless and Stateful Packet Inspection . . . . 172
    How Attackers Get Around Packet Filters . . . . 175
    Task 4C-1 Firewall Rule Creation . . . . 175

Topic 4D Proxy Server . . . . 176
    Proxy Process . . . . 177
    Proxy Benefits . . . . 178
    Proxy Problems . . . . 178
    Task 4D-1 Diagram the Proxy Process . . . . 179

Topic 4E The Bastion Host . . . . 180
    An Attack on the Bastion Host . . . . 181
    Task 4E-1 Describing a Bastion Host . . . . 182

Topic 4F The Honeypot . . . . 182
    What is a Honeypot? . . . . 182
    Goals of the Honeypot . . . . 183


    Legal Issues . . . . 184
    Task 4F-1 Honeypot Configuration . . . . 184
Lesson Review 4 . . . . 185

LESSON 5: CONFIGURING FIREWALLS

Topic 5A Understanding Firewalls . . . . 190
    Address, Port, Protocol, and Services: The Building Blocks of Firewall Rules . . . . 193
    Examining the Common Types of Firewalls . . . . 196
    Building Firewall Rules to Control Network Communications . . . . 201
    Common Firewall Topologies . . . . 203
    Why Would I Want a Firewall on My Network? . . . . 205
    What Can a Firewall Not Protect You From? . . . . 206
    Things to Consider About Firewall Implementation . . . . 207

Topic 5B Configuring Microsoft ISA Server 2006 . . . . 210
    Introduction to ISA Server 2006 . . . . 210
    Task 5B-1 Preparing for the ISA Server 2006 . . . . 212
    ISA Server Installation Requirements . . . . 214
    Task 5B-2 Install Microsoft ISA Server 2006 . . . . 215
    Configuring ISA Server 2006 . . . . 217
    Task 5B-3 Exploring the Microsoft ISA Server 2006 Interface . . . . 218
    Exporting/Importing ISA Server 2006 Configurations as XML Files . . . . 223
    Task 5B-4 Exporting the Default Configuration . . . . 223
    ISA Server 2006 Firewall Policies . . . . 224
    Task 5B-5 Creating a Basic Access Rule . . . . 226
    ISA Server 2006 Access Rule Elements . . . . 230
    Task 5B-6 Creating a Protocol Rule Element . . . . 231
    Task 5B-7 Creating a User Rule Element . . . . 233
    Content Types . . . . 234
    Task 5B-8 Creating a Content Group Rule Element . . . . 234
    ISA Server 2006 Scheduling . . . . 236
    Task 5B-9 Creating and Modifying Schedule Rule Elements . . . . 236
    Using Content Types and Schedules in Rules . . . . 237
    Task 5B-10 Using Content Types and Schedules in Rules . . . . 237
    ISA Server 2006 Network Rule Elements . . . . 239
    Task 5B-11 Creating a Network Rule Element . . . . 240
    ISA Server Publishing Rules . . . . 242
    Task 5B-12 Configuring a Web Publishing Rule . . . . 242
    ISA Server 2006 Caching . . . . 245
    Task 5B-13 Enabling and Configuring Caching . . . . 245
    Configuring ISA Server 2006 Network Templates . . . . 249
    Task 5B-14 Install Second Microsoft Loop Back Adapter and Assign an IP Address . . . . 249
    Task 5B-15 Configure ISA Server 2006 in a Three-legged DMZ . . . . 251


    Configuring ISA Server Monitoring . . . . 253
    Task 5B-16 Working with Alerts . . . . 254
    Task 5B-17 Working with Reports . . . . 257
    ISA Server 2006 Logging . . . . 260
    Task 5B-18 Configuring Logging Options . . . . 262
    Additional Configuration Options for ISA Server 2006 . . . . 265
    Task 5B-19 Securing ISA Server 2006 with the Security Configuration Wizard . . . . 266
    Packet Prioritization . . . . 268
    Task 5B-20 Configuring Packet Prioritization . . . . 268
    Uninstalling ISA Server 2006 . . . . 269
    Task 5B-21 Uninstalling ISA Server 2006 . . . . 270

Topic 5C IPTables Concepts . . . . 271
    Firewalling in Linux . . . . 271
    The Flow of the Chains . . . . 275
    Configuration Options . . . . 277
    The iptables Command . . . . 277
    Chain Management . . . . 278
    Rule Management . . . . 279
    Rule Creation . . . . 279
    Other Options . . . . 280
    Rule Examples . . . . 281
    Creating a Chain . . . . 282
    Deleting a Chain . . . . 282
    Flushing a Chain . . . . 282
    Checking for Connections . . . . 282
    Negating Values . . . . 283
    Defining a Target . . . . 284
    Complex Rules . . . . 284
    Configuring Masquerading . . . . 284
    Case Study . . . . 285
    Task 5C-1 Working with Chain Management . . . . 288

Topic 5D Implementing Firewall Technologies . . . . 290
Lesson Review 5 . . . . 296

LESSON 6: IMPLEMENTING IPSEC AND VPNS

Topic 6A Internet Protocol Security . . . . 301
    Modes . . . . 302
    IPSec Implementation . . . . 303
    Task 6A-1 Describing the Need for IPSec . . . . 304

Topic 6B IPSec Policy Management . . . . 304
    The MMC . . . . 304


Task 6B-1 Examining the MMC . . . . . 305
IPSec Policies . . . . . 306

Task 6B-2 Identifying Default IPSec Security Policies . . . . . 306
Saving the Customized MMC Configuration . . . . . 307

Task 6B-3 Saving a Customized MMC . . . . . 307
The Secure Server (Require Security) Policy . . . . . 307

Task 6B-4 Examining Security Methods . . . . . 308
The Rules Tab for the Secure Server (Require Security) Policy . . . . . 309

Task 6B-5 Examining Policy Rules . . . . . 311

Topic 6C IPSec AH Implementation . . . . . 312
Creating Custom IPSec Policies . . . . . 312

Task 6C-1 Creating the 1_REQUEST_AH(md5)_only Policy . . . . . 315
Editing Authentication Method Policies . . . . . 317

Task 6C-2 Editing the 1_REQUEST_AH(md5)_only Policy . . . . . 318
Setting Up the Computer’s Response . . . . . 318

Task 6C-3 Configuring the Policy Response . . . . . 320
Configuring AH in Both Directions . . . . . 321

Task 6C-4 Configuring the Second Computer . . . . . 321
Configuring FTP . . . . . 322

Task 6C-5 Setting Up the FTP Process . . . . . 322
Implementing the IPSec Policy . . . . . 323

Task 6C-6 Implementing the 1_REQUEST_AH(md5)_only Policy . . . . . 324
Request-only Session Analysis . . . . . 324

Task 6C-7 Analyzing the Request-only Session . . . . . 325
Implementing a Request-and-Respond Policy . . . . . 325

Task 6C-8 Configuring a Request-and-Respond IPSec Session . . . . . 325
Request-and-Respond Session Analysis . . . . . 326

Task 6C-9 Analyzing the Request-and-Respond Session . . . . . 326

Topic 6D Combining AH and ESP in IPSec . . . . . 327
Task 6D-1 Creating the 5_REQUEST_AH(md5)+ESP(des) IPSec Policy and the Response Policy . . . . . 327
Configuring the IPSec Response . . . . . 329

Task 6D-2 Creating the 5_RESPOND_AH(md5)+ESP(des) IPSec Policy . . . . . 330
AH and ESP IPSec Session Analysis . . . . . 331

Task 6D-3 Configuring and Analyzing an IPSec Session Using AH and ESP . . . . . 331
Configuring All the Options . . . . . 333

Task 6D-4 Implementing the 7_REQUIRE_AH(sha)+ESP(sha+3des) Policy . . . . . 333
Configuring the AH-and-ESP IPSec Response Policy . . . . . 335

Task 6D-5 Implementing the 7_RESPOND_AH(sha)+ESP(sha+3des) Policy . . . . . 335
Implementing the Full IPSec Session . . . . . 336

Task 6D-6 Implementing and Analyzing an AH(sha) and ESP(sha+3des) IPSec Session . . . . . 336

Topic 6E VPN Fundamentals . . . . . 337
VPN Business Drivers . . . . . 338
VPN Types . . . . . 339


VPN Elements . . . . . 340
Tunneling and Security Protocols . . . . . 341

Task 6E-1 Defining Tunneling Protocols . . . . . 341

Topic 6F Tunneling Protocols . . . . . 341
Point-to-Point Tunneling Protocol (PPTP) . . . . . 342
Layer 2 Tunneling Protocol (L2TP) . . . . . 343
IPSec . . . . . 344
IPSec Tunnel and Transport Modes . . . . . 346
IPSec and Network Address Translation (NAT) . . . . . 346

Task 6F-1 Assigning Tunneling Protocols . . . . . 347

Topic 6G VPN Design and Architecture . . . . . 348
VPN Implementation Challenges . . . . . 348

Task 6G-1 Examining VPN-related RFCs . . . . . 349

Topic 6H VPN Security . . . . . 350
VPNs and Firewalls . . . . . 351
VPN Authentication . . . . . 352

Task 6H-1 Viewing Firewall-related RFCs . . . . . 353

Topic 6I Configuring a VPN . . . . . 354
Task 6I-1 Configuring the VPN Server . . . . . 354

VPN Clients . . . . . 359
Task 6I-2 Configuring VPN Clients . . . . . 359

Establishing the VPN . . . . . 361
Task 6I-3 Establish the VPN . . . . . 362

Returning the Classroom Setup to its Original State . . . . . 364
Task 6I-4 Restoring the Classroom Setup . . . . . 364

Lesson Review 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

LESSON 7: DESIGNING AN INTRUSION DETECTION SYSTEM

Topic 7A The Goals of an Intrusion Detection System . . . . . 371
What is Intrusion Detection? . . . . . 371
Some Intrusion Detection Definitions . . . . . 373
The IDS Matrix . . . . . 373
IDS Components . . . . . 375
Realistic Goals of IDS . . . . . 376

Task 7A-1 Describing Alarms . . . . . 377

Topic 7B Technologies and Techniques of Intrusion Detection . . . . . 377
The Intrusion Detection Process . . . . . 378
Behavioral Use . . . . . 379
Information Collection and Analysis . . . . . 382

Task 7B-1 Discussing IDS Concepts . . . . . 383


Topic 7C Host-based Intrusion Detection . . . . . 384
Host-based IDS Design . . . . . 384
Centralized Host-based IDS Design . . . . . 384
Distributed Host-based IDS Design . . . . . 386

Task 7C-1 Describing Centralized Host-based Intrusion Detection . . . . . 387

Topic 7D Network-based Intrusion Detection . . . . . 387
Network-based IDS Design . . . . . 388
Traditional Network-based IDS Design . . . . . 388
Distributed Network-based IDS Design . . . . . 389

Task 7D-1 Discussing Sensor Placement . . . . . 390

Topic 7E The Analysis . . . . . 391
When to Analyze . . . . . 391
Interval Analysis . . . . . 391
Real-time Analysis . . . . . 391
How to Analyze . . . . . 392
Signature Analysis . . . . . 392
An Example Signature . . . . . 392
Statistical Analysis . . . . . 393

Task 7E-1 Discussing Data Analysis . . . . . 394

Topic 7F How to Use an IDS . . . . . 394
Detection of Outside Threats . . . . . 394
Detection of Inside Threats . . . . . 396
Anticipation of Attack Monitoring . . . . . 397
Surveillance Monitoring . . . . . 397

Task 7F-1 Discussing Intrusion Detection Uses . . . . . 397

Topic 7G What an IDS Cannot Do . . . . . 398
Provide the Magic Solution . . . . . 398
Manage Hardware Failures . . . . . 398
Investigate an Attack . . . . . 398
100 Percent Analysis . . . . . 399

Task 7G-1 Discussing Incident Investigation . . . . . 399
Lesson Review 7 . . . . . 399

LESSON 8: CONFIGURING AN IDS

Topic 8A Snort Foundations . . . . . 404
Snort Deployment . . . . . 404
How Snort Works . . . . . 404
Snort Fundamentals . . . . . 405

Topic 8B Snort Installation . . . . . 406
Task 8B-1 Installing Snort . . . . . 407

Common Snort Commands . . . . . 408


Task 8B-2 Initial Snort Configuration . . . . . 408
Using Snort as a Packet Sniffer . . . . . 410

Task 8B-3 Capturing Packets with Snort . . . . . 411
Task 8B-4 Capturing Packet Data with Snort . . . . . 413
Task 8B-5 Logging with Snort . . . . . 414

Topic 8C Snort as an IDS . . . . . 415
It’s All in the Rules . . . . . 416
Snort Rule IDs . . . . . 420

Task 8C-1 Creating a Simple Ruleset . . . . . 421
Task 8C-2 Testing the Ruleset . . . . . 421

More Rule Options . . . . . 422
Pre-configured Rules . . . . . 425

Task 8C-3 Examining Pre-configured Rules . . . . . 426
Examine Denial of Service Rules . . . . . 426

Task 8C-4 Examining DDoS Rules . . . . . 427
Examine Backdoor Rules . . . . . 427

Task 8C-5 Examining Backdoor Rules . . . . . 427
Examine Web Attack Rules . . . . . 428

Task 8C-6 Examining Web Attack Rules . . . . . 428
Examine Web IIS Rules . . . . . 429

Task 8C-7 Examining IIS Rules . . . . . 429

Topic 8D Configuring Snort to Use a Database . . . . . 430
Snort Output Plug-ins . . . . . 430
Configure Snort to Use a Database . . . . . 430

Task 8D-1 Editing Snort.Conf . . . . . 431
Installing MySQL for Snort . . . . . 431

Task 8D-2 Installing MySQL . . . . . 431
Task 8D-3 Creating the Snort Database . . . . . 432

MySQL User Accounts . . . . . 433
Task 8D-4 Creating MySQL User Accounts . . . . . 433

Snort to Database Connectivity . . . . . 433
Task 8D-5 Testing the New Configuration . . . . . 434

Snort as a Service . . . . . 434
Task 8D-6 Configuring Snort as a Service . . . . . 434

Topic 8E Running an IDS on Linux . . . . . 435
LAMP On SuSe . . . . . 435

Task 8E-1 Installing LAMP Components . . . . . 436
Apache and PHP . . . . . 436

Task 8E-2 Apache and PHP Test . . . . . 437
Enable Snort on Linux . . . . . 438

Task 8E-3 Configure Snort on Linux . . . . . 438
Configuring MySQL on Linux . . . . . 438

Task 8E-4 Configuring MySQL for Snort . . . . . 439
Connecting Snort to a Database . . . . . 439


Task 8E-5 Testing Snort Connectivity to the Database . . . . . 440
Installing ADOdb and BASE . . . . . 440

Task 8E-6 Downloading ADOdb and BASE . . . . . 441
Task 8E-7 Installing ADOdb and BASE . . . . . 441

Configuring BASE . . . . . 442
Task 8E-8 Configuring BASE . . . . . 442
Task 8E-9 Configuring the Firewall to Allow HTTP . . . . . 443

Generating Snort Events . . . . . 443
Task 8E-10 Generating Portscan Snort Events . . . . . 443
Task 8E-11 Generating Web Snort Events . . . . . 444

Lesson Review 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446

LESSON 9: SECURING WIRELESS NETWORKS

Topic 9A Wireless Networking Fundamentals . . . . . 448
Wireless Equipment . . . . . 448
Wireless Media . . . . . 451

Task 9A-1 Examining Satellite Orbits . . . . . 456
Radio Wireless Media . . . . . 457
Bluetooth . . . . . 459
Short Message Service . . . . . 459
IEEE 802.11 . . . . . 460
Wireless Application Protocol . . . . . 462

Task 9A-2 Choosing a Wireless Media . . . . . 464

Topic 9B Wireless LAN (WLAN) Fundamentals . . . . . 465
Association . . . . . 466
Authentication . . . . . 466
WLAN Topologies . . . . . 466
Lesson Configuration . . . . . 468
Prepare for the Ad-hoc Network . . . . . 468

Task 9B-1 Installing the Linksys WPC54G WNIC . . . . . 469
Configure the Second WNIC . . . . . 471

Task 9B-2 Installing the Netgear WPN511 . . . . . 471
Enable the Ad-Hoc Network . . . . . 474

Task 9B-3 Enabling the Ad-Hoc Network . . . . . 474
802.11 Framing . . . . . 476
Access Point Configuration . . . . . 482

Task 9B-4 Installing the Linksys WAP54G Access Point . . . . . 482
Configure the Infrastructure Clients . . . . . 485

Task 9B-5 Configuring the Linksys Client . . . . . 485
Adding Infrastructure Network Clients . . . . . 487

Task 9B-6 Configuring the Netgear Client . . . . . 487
WLAN Threats . . . . . 488


Topic 9C Wireless Security Solutions . . . . . 490
Wireless Transport Layer Security (WTLS) . . . . . 491
Fundamental Access Point Security . . . . . 493
Wired Equivalent Privacy (WEP) . . . . . 494
Configure WEP . . . . . 501

Task 9C-1 Installing the Netgear WPN824 Access Point . . . . . 502
Establishing the WEP Network . . . . . 504

Task 9C-2 Configuring WEP on the Network Client . . . . . 505
Temporal Key Integrity Protocol (TKIP) . . . . . 506
Extensible Authentication Protocol (EAP) . . . . . 506
Wi-Fi Protected Access (WPA) . . . . . 507
Configure WPA2 . . . . . 509

Task 9C-3 Configure WPA2 on the Access Point . . . . . 509
Supplicants . . . . . 509

Task 9C-4 Configuring WPA2 on the Network Client . . . . . 510
802.1x . . . . . 512

Topic 9D Wireless Auditing . . . . . 512
Wireshark . . . . . 513
NetStumbler . . . . . 513

Task 9D-1 Installing NetStumbler . . . . . 514
Identify Wireless Networks . . . . . 514

Task 9D-2 Identifying Wireless Networks . . . . . 515
OmniPeek Personal . . . . . 515

Task 9D-3 Installing OmniPeek Personal . . . . . 516
WildPackets Drivers . . . . . 517
OmniPeek Personal Captures . . . . . 517

Task 9D-4 Viewing OmniPeek Personal Captures . . . . . 517
Live Captures . . . . . 521

Task 9D-5 Viewing Live OmniPeek Personal Captures . . . . . 521
Non-802.11 Packets . . . . . 522

Task 9D-6 Analyze Upper Layer Traffic . . . . . 522
Decode WEP . . . . . 523

Task 9D-7 Decrypting WEP . . . . . 523
Aircrack . . . . . 526
WEPCrack . . . . . 527
AirSnort . . . . . 527
Ekahau . . . . . 527
Kismet . . . . . 527

Topic 9E Wireless Trusted Networks . . . . . 528
802.1x and EAP . . . . . 528
EAP Types . . . . . 529
Lightweight EAP (LEAP) . . . . . 529
EAP with Transport Layer Security (EAP-TLS) . . . . . 530
EAP with Tunneled Transport Layer Security (EAP-TTLS) . . . . . 531
Protected EAP (PEAP) . . . . . 531


EAP Type Comparison . . . . . 532
Wireless Trusted Network Summary . . . . . 533

Task 9E-1 Choosing a Wireless Trusted Network . . . . . 533
Lesson Review 9 . . . . . 534

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .537

Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .543


ABOUT THIS COURSE

This course is the official courseware for the Security Certified Program SC0-451 certification exam. The Tactical Perimeter Defense course is designed to provide network administrators and certification candidates with hands-on tasks on the most fundamental perimeter security technologies. The network perimeter is often the first line of defense in an organization’s network, and this course covers the issues every administrator must be familiar with.

What is the Security Certified Program (SCP)?

Security Certified Program is both our company name and our program name. Security Certified Program, LLC, a Chicago-based security training organization, has created the Security Certified Program (SCP) to help develop and validate your skills as a computer and network security professional. The SCP courses and certifications are designed not just around knowledge-based theory, like so many others, but rather around the actual technical skills required by practitioners.

The SCP structure is unique as it measures competence in core security skills as well as skills needed for specific security technologies, such as Packet Structure, Signature Analysis, Operating System Hardening, Router Security, Firewalls, Virtual Private Networks (VPNs), Intrusion Detection, Risk Analysis, Wireless Security, Digital Signatures and Certificates, Cryptography, Biometrics and Network Forensics.

The SCP certifications include three vendor-neutral security certifications. The first certification is the Security Certified Network Specialist (SCNS), the next certification is Security Certified Network Professional (SCNP), and the third is Security Certified Network Architect (SCNA).


The Security Certified Program Certification Path

What is SCNS?

The SCNS (Security Certified Network Specialist) is the SCP’s core certification. The primary focus is on the defense of the perimeter. This certification covers the core security technologies used in defending today’s business environments, including the following: Network Defense Fundamentals, Advanced TCP/IP, Router Security and Access Control Lists, Designing & Configuring Firewalls, Configuring Virtual Private Networks, Designing & Configuring Intrusion Detection Systems, and Securing Wireless Networks.

What kind of experience do I need before I go for my SCNS?

Before you begin the SCNS certification track, it is recommended that, at a minimum, you attain CompTIA’s Security+ certification or have equivalent training with hands-on experience. The SCNS training and certification build on concepts and skills covered in the Security+ certification.


How do I become SCNS certified?

The SCNS certification consists of one exam, titled Tactical Perimeter Defense (TPD). To become SCNS certified, candidates must complete this exam with a passing score. The TPD exam uses exam number SC0-451.

It is strongly recommended that candidates study this official courseware extensively, and implement the hands-on tasks repeatedly, before taking the exams.

What are exams like?

The exams are multiple-answer, often scenario-based tests. The TPD exam has 60 questions and the candidate has 90 minutes to complete the exam.

At the time of this publication, the exam breakdown was as follows:

Examination Domain                                             Percentage
1.0 – Network Defense Fundamentals                                     5%
2.0 – Hardening Routers and Access Control Lists                      10%
3.0 – Implementing IPSec and Virtual Private Networks                 10%
4.0 – Advanced TCP/IP                                                 15%
5.0 – Securing Wireless Networks                                      15%
6.0 – Designing and Configuring Intrusion Detection Systems           20%
7.0 – Designing and Configuring Firewall Systems                      25%

Note that SCP exams are updated regularly to reflect changes in the network security industry. It is strongly recommended that potential candidates review the exam objectives at www.securitycertified.net/certifications.htm

How do I take the exams?

The SCP exams are available at any Prometric or VUE Testing center in over 7,400 locations around the world.

There are several ways to register for SCP exams. To register for SCP exams over the Internet, visit Prometric at www.prometric.com/SCP or VUE at www.vue.com/scp/ and create an account with the vendor of your choice (if you don’t already have one).

For International Exam Registration, please check with your preferred vendor’s Web site for more information.

During the exam:

• Read questions carefully. Don’t jump to any conclusions!

• Skip questions that you are unsure of, and come back to them at the end.

• If you have time remaining, you will be given the opportunity to review your answers. Be sure to do so, and make sure you didn’t make any obvious mistakes.

• If you come back to a question and are not sure about an answer, remember that your first hunch is more often correct than your second-choice answer (after overanalyzing the question)!

• Be sure to answer all questions; unanswered questions count against your score, so if you don’t have an answer, try to eliminate any options that you know are wrong and make a best guess from whatever remains.


On your exam day, try to arrive 15 minutes early so you do not feel rushed or stressed by being late. This will also give you a few minutes to review any notes before beginning your exam. However, as the SCP exams are closed-book, notes or calculators may not be brought into the testing station and will have to be left with the facility’s faculty.

Will my certificate expire?

Yes. As technologies in the security field are constantly changing, your SCNS certificate will be valid for two years starting on the date you pass the Tactical Perimeter Defense exam. Candidates who have received their SCNS credential will need to retake the TPD exam before their SCNS certification expires. Candidates who are recertifying will be able to do so at a discounted exam rate. For more information on the current SCNS re-certification exam rate, please email [email protected].

What if I want to go further?

After you have become SCNS-certified you will have the option of furthering your skills by moving on to the next level of SCP certification, the Security Certified Network Professional (SCNP) certificate.

The Security Certified Network Professional (SCNP) certification is focused on infrastructure technologies. SCNP builds upon the security concepts and technologies covered in Tactical Perimeter Defense (TPD). The SCNP course, Strategic Infrastructure Security (SIS), covers several critical areas – Cryptography, Operating System Security (Windows 2003 and SuSe Linux), Attack Techniques, Internet and WWW Security, Risk Analysis, Security Policy Creation, and Analysis of Intrusion Signatures.

To become a Security Certified Network Professional (SCNP), candidates must successfully pass one exam and hold a current Security Certified Network Specialist (SCNS) certification.

Security Certified Program’s third certification is Security Certified Network Architect (SCNA). SCNA deals with more advanced security skills and concepts. Many enterprises are trying to integrate Digital Signatures, Digital Certificates, and Biometric and Smart Card Authentication systems into their infrastructures. These technologies are vital for businesses as they look to integrate their partners and suppliers into their business structures and provide real-time information and services to their customers.

SCNA is about the fundamentals of building a trusted network, strong authentication techniques, encryption, biometrics, smart cards, and network forensics. SCNA includes two courses, Advanced Security Implementation (ASI) and Enterprise Security Solutions (ESS). Each course is a 40-hour program, and the content and hands-on labs are structured to develop the skills required by today's top security experts.

To become a Security Certified Network Architect (SCNA), candidates must pass two exams. The first is Enterprise Security Implementation (ESI), which covers the concepts and lab work covered in both the ASI and ESS courses, and the second is The Solutions Exam (TSE), which will cover all facets of the technologies covered in all of the SCP courses.

How do I prepare for the exam?

The TPD exam will require that you be familiar with many technologies and utilities that are covered in this book. Further, the test was authored with the intention that people who have not become familiar with the technologies and utilities covered will not find it as easy to pass the exam as those who have used the programs and technologies in question.

What does all this mean? It means that you really should use the utilities and programs that are covered here, rather than just read about them. You should become very familiar with all of the tasks in this book. If possible, create a home lab with at least two machines, and practice—repeatedly—the hands-on tasks in this book. Even using what you learned to help secure your own home network from hosts on the Internet will help you prepare for the exam.

Studying for the exam:

1. Read the book from start to finish, completing all the tasks even if you are familiar with the technology in question. You never know when some new facet of a technology or program may be brought up, and many of the lessons build upon the previous ones, so it is easy to miss something if you skip around.

2. Be sure to complete all hands-on tasks. Again, the SCP exams are based on knowledge and hands-on experience! Once you have completed a task, do it again until you are very comfortable with that task.

3. Be sure to answer the Topic Review questions within each lesson. Make note of the questions you answered incorrectly and study the appropriate sections again.

4. Before taking the SCP exams, it is recommended that you take the practice exams available through MeasureUp. More information on officially recommended practice exams is available at: www.securitycertified.net/practice_tests.htm.

But perhaps the best way to make sure that you reach your goal is to register for the exam and stick to the date you set. Nothing keeps you on your toes and working toward a goal like a deadline! Honestly measure your skills, make your study schedule, set the date that you will be ready to take the exam, and register for it.

Practice exams

The only provider of practice exams authorized and recommended by the creators of the SCP is MeasureUp. For more information, visit www.securitycertified.net/practice_tests.htm.

Contact Information

The Security Certified Program

US: 800-869-0025

International: 630-208-5030

Email: [email protected]

Website: www.SecurityCertified.Net

Course Prerequisites

To ensure your success, we recommend that you have CompTIA's Security+ certification, or have equivalent experience. This course assumes that the reader has fundamental working knowledge of networking concepts, and foundational security knowledge.

Course Objectives

When you're done working your way through this course, you'll be able to:

• Describe the core issues of building a perimeter network defense system.

• Investigate the advanced concepts of the TCP/IP protocol suite.

• Secure routers through hardening techniques and configure Access Control Lists.

• Design and configure multiple firewall technologies.

• Examine and implement IPSec and Virtual Private Networks.

• Design and configure an Intrusion Detection System.

• Secure wireless networks through the use of encryption systems.

COURSE SETUP INFORMATION

Hardware and Software Requirements

To run this course, you will need:

• Student machines, one per student, recommended minimum specifications:

Pentium 4, 2.0 GHz processor.

512 MB of RAM.

50 GB hard drive.

DVD-ROM drive.

NIC, capable of promiscuous mode support.

Integrated video card, capable of 32-bit video.

• Instructor machine, same configuration as student machines.

• Three Cisco routers, 2500 Series preferred (used from a reseller is fine), running IOS 12.2 or greater, with IPSec/SSH support.

• One Cisco console cable.

• Two serial cables.

• DCE to DTE, for connecting routers.

• Three switches/hubs, 10/100 Mbps.

• The firewall lesson will require Microsoft ISA Server 2006. This must be downloaded as a 180-day trial from Microsoft, or full ISA Server software must be provided for students.

• During the VPN lesson, machines designated as VPN servers will require two NICs. The NICs can be either integrated or non-integrated.

• During the VPN lesson, the instructor machine will need to be running the FTP Service. You may enable the service during your initial setup, or during the VPN lesson, as you prefer.

• For class preparation, you will need the following tools. Note, where the tools are available as per open source licensing, they have been included on the course CD-ROM; all other tools should be downloaded and put in the correct folder. All these tools should be copied to the C:\Tools or /Tools directories on your Windows and Linux systems accordingly.

Lesson     Tool                               Download Source
Lesson 2   WinPcap_4_0.exe                    SCNS Book CD
           wireshark-setup-0.99.5.exe         SCNS Book CD
           tftp.cap                           SCNS Book CD
           fragment.cap                       SCNS Book CD
           ping.text                          SCNS Book CD
           ping.cap                           SCNS Book CD
           ftp.txt                            SCNS Book CD
           ftp.cap                            SCNS Book CD
Lesson 3   puTTY.exe                          SCNS Book CD
           ping_arp.mac.cap                   SCNS Book CD
           rip.update.cap                     SCNS Book CD
           ripv2withAuthentication.cap        SCNS Book CD
Lesson 5   ISA Server 2006                    www.microsoft.com/isaserver/prodinfo/default.mspx
           ISAScwHlpPack.exe                  SCNS Book CD
Lesson 6   rfc-index.wri                      SCNS Book CD
           rfc2547.txt                        SCNS Book CD
           rfc2979.txt                        SCNS Book CD
Lesson 8   Snort_2_6_1_2_Installer            SCNS Book CD
           Snort Rules                        SCNS Book CD
           mysql-essential-5.0.27-win32       SCNS Book CD
           adodb493a.tgz                      SCNS Book CD
           base-1.2.7.tar.gz                  SCNS Book CD
Lesson 9   WildPackets_OmniPeek_Personal41    www.omnipeek.com/downloads.php
           dotnetfx.exe                       SCNS Book CD
           NetStumbler                        SCNS Book CD

• In this course, there are several wireless components utilized. Each training location can decide if they wish to acquire this equipment or use the content as the learning source. The equipment used in this lesson is:

— Two laptops running Windows XP.

— One Linksys WPC54G NIC and associated set-up CD-ROM.

— One Netgear WPN511 NIC and associated set-up CD-ROM.

— One Linksys WAP54G access point and associated set-up CD-ROM.

— One Netgear WPN824 access point and associated set-up CD-ROM.

Class Requirements

In order for the class to run properly, perform the procedures described below.

Before you begin actually setting up the class, here are some recommendations for the classroom configuration and hardware preparation.

Recommendations for hardware preparation:

• The hardware requirements are listed earlier in this course. It is not advisable to use systems that do not meet these requirements.

• It is recommended that all the computers be of the same or similar hardware configuration.

• Configure the BIOS so that the boot order is 1: DVD-ROM, 2: floppy drive (if present), and 3: hard drive. Protect the student machines with a BIOS password.

Classroom Configuration

The following graphic shows the recommended classroom configuration. Use this figure in conjunction with the IP addressing and naming schemes described in the following section.

Figure 0-1: Recommended classroom setup.

IP Addressing and Computer Naming Scheme

Refer to the classroom configuration for the recommended IP addressing and computer naming schemes for this course. Use this pattern to develop the names and addresses for all machines, as required.

The routers divide the classroom into two halves, LEFT and RIGHT, with the CENTER router controlled by the instructor. The LEFT side is configured for subnet 172.16.0.0/16, the CENTER is configured for subnet 172.17.0.0/16, and the RIGHT side is configured for subnet 172.18.0.0/16. Students should have the passwords for the LEFT and RIGHT routers, as per their location in the classroom, but do not need the password for the CENTER router.

This course uses two base operating systems, Windows Server 2003 and SuSe Linux Enterprise Server 10. Each machine will dual-boot to these two systems, using the names and IP addresses as per the following table.


Part of Classroom   Windows Name   Linux Name   IP Address    Default Gateway
LEFT                WIN-L01        LIN-L01      172.16.10.1   172.16.0.1
LEFT                WIN-L02        LIN-L02      172.16.10.2   172.16.0.1
LEFT                WIN-L03        LIN-L03      172.16.10.3   172.16.0.1
RIGHT               WIN-R01        LIN-R01      172.18.10.1   172.18.0.1
RIGHT               WIN-R02        LIN-R02      172.18.10.2   172.18.0.1
RIGHT               WIN-R03        LIN-R03      172.18.10.3   172.18.0.1
CENTER              WIN-C01        LIN-C01      172.17.10.1   172.17.0.1

Installing Windows 2003 R2

1. Turn on the computer and insert the Windows Server 2003 R2 disc 1 into the CD-ROM drive.

2. When the screen prompts to BOOT FROM CD, press any key to continue booting. (Note, your system might boot automatically.)

3. At the Windows 2003 Setup screen, certain files will begin to load independently.

4. At the Windows 2003 Standard Edition Setup screen, press Enter to set up Windows Server 2003.

5. Read the Licensing Agreement, and then press F8 to accept the agreement.

6. The Windows 2003 Standard Edition Setup screen will reappear; press C to create a partition.

7. In the Create Partition Of Size (In MB) text box, type 25000 and press Enter.

8. To set up Windows on the newly-created partition, select the new partition, and press Enter.

9. Select Format The Partition Using The NTFS File System (default) and press Enter. After the partition has been formatted and files copied, the computer will reboot.

10. Windows Server 2003 will continue installation independently. You will be able to see the approximate time it will take to complete installation on the left side of your screen.

11. Windows Server 2003 will install devices independently. The screen may flash, or flicker, for several seconds during this process.

12. For Regional And Language Options, select your settings, and then click Next.

13. In the Personalize Your Settings screen, in the Name text box, type TEST; in the Organization text box, type SCP, and click Next.

14. When prompted, enter the product key and click Next.


15. In the Licensing Modes screen, select the Per Device Or Per User radio button, and then click Next.

16. In the Computer Name dialog box, type WIN-XXX (replace XXX with your seat number, or as your instructor defines). The Administrator Password should be left blank; then click Next.

17. If the password is left blank, a screen will appear to confirm that you wish to leave the password blank; click Yes. (Note, the password is left blank for running the class; you would always have a password in a production environment.)

18. In the Date And Time Settings screen, select your time zone, set the date and time, and click Next.

19. Windows 2003 will begin installing network configurations.

20. In the Windows Server 2003 Setup Network Settings screen, select Typical Settings. Click Next.

21. In the Windows Server 2003 Setup Workgroup or Computer Domain screen,select Workgroup and then click Next.

22. Windows Server 2003 will finalize installation and reboot the computer independently.

23. After the system reboots, press Ctrl+Alt+Delete.

24. In the Log On To Windows screen, type Administrator and leave the password blank. Click OK.

25. The Personalized Setting will finalize independently.

26. When prompted, insert the Windows Server 2003 disc 2 into the CD-ROM drive and click OK.

27. In the Windows Server 2003 R2 Setup Wizard screen, click Next when prompted. (Note, do not check the box to create a desktop shortcut.)

28. In the Setup Summary screen, click Next to copy the files.

29. Windows Server 2003 will update your system independently.

30. In the Completing Windows Server 2003 R2 Setup screen, click Finish.

31. In the Windows Server Post-Setup Security Updates screen, click Finish.

32. When the Windows Server 2003 Post-Setup Security Updates screen appears,click Yes to close this dialog box.

33. Ensure that the Don't Display This Page At Logon check box is not checked.

34. Close the Manage Your Server window.

35. Choose Start→Control Panel→Network Connections→Local Area Connection.

36. Select TCP/IP and click Properties.

37. Select the Use The Following IP Address radio button.

38. In the IP Address text box, type 172.X.X.X (your instructor will inform you what to enter in the last three octets based on your seat number). On the left side, your IP will be 172.16.x.x and on the right side, your IP will be 172.18.x.x.

39. In the Subnet Mask text box, type 255.255.0.0

40. In the Default Gateway text box, type 172.16.0.1 if you are on the left side and type 172.18.0.1 if you are on the right side (if you are unsure, ask your instructor which side you are on).

41. In the Preferred DNS Server text box, type 127.0.0.1 and click OK twice.

42. If you receive the Pop-Up Warning, click Yes.

43. Close the Local Area Connection Properties screen.

Installing Network Monitor

1. Choose Start→Control Panel→Add Or Remove Programs.

2. Click the Add/Remove Windows Components button.

3. In the Windows Components Wizard window, scroll down the list and highlight the Management And Monitoring Tools option.

4. Click the Details button.

5. Check the Network Monitor Tools check box and click OK.

6. In the Windows Components Wizard window, click Next.

7. If prompted to insert the CD, do so now and click OK. If you are not prompted for the CD, move on to the next step.

8. Click Finish once the install has completed.

9. Close the Add Or Remove Programs window.

10. Remove the Windows 2003 Server disc from your CD-ROM drive.

Installing Additional Tools for Windows 2003 Server

1. Insert the SCP Tools & Resources disc that was provided with your book into your CD-ROM drive.

2. Open the CD to show its contents.

3. Create a folder on the Windows partition C:\Tools.

4. Copy the files on the CD to C:\Tools.


Installing SUSE Linux Enterprise Server 10

1. The installation of SUSE Linux Enterprise Server 10 must be done after the installation of Windows Server 2003.

2. Insert the SUSE Linux Enterprise Server (SLES) 10 disc into the DVD-ROM drive.

3. Restart the computer with the SLES disc in the drive. This will begin theinstallation.

4. At the initial SLES install screen, select the Installation option, and press Enter. This step may take a few minutes while files are copied.

5. Select your language option and click Next. These steps are based on English (US).

6. Read the License Agreement, select the Yes, I Agree To The License Agreement radio button, and click Next.

7. Leave the radio button selected for New Installation and click Next.

8. Select your Region and Time Zone, and click Next.

9. Accept the default installation settings, and click Accept.

10. Read the prompt about formatting your partitions, then click Install.

11. While the files are loading, you can watch the progress bar on the right side of the screen. This will note the approximate time remaining to finish the installation. (Note: Based on your system, this may take many minutes.)

12. When the files have finished loading, your system may reboot. Remove the disc from the DVD-ROM drive. If you do not remove the disc, the system will re-enter install mode.

13. At the boot loader, select the SUSE Linux Enterprise Server 10 line, and press Enter. The install process will continue.

14. Enter LIN-XXX as your Hostname. Replace XXX with your seat number in the class. For example, LIN-L01 or LIN-R03.

15. Enter SCPXXX as your Domain Name. Replace XXX to match your seat number in the class as in the previous step. For example, SCPL01 or SCPR03.

16. Once the Hostname and Domain name are entered, click Next.

17. Enter QWERTY1 as the password, and confirm the password in the second text box. Click Next.

18. The Network Configuration screen will take a moment as Linux determines your system configuration. Once complete, click Network Interfaces to edit the settings on your NIC.

19. To manually configure your NIC, click the Edit button.


20. With the Address tab active, select the Static Address Setup radio button.

21. In the IP Address text box, type 172.x.x.x (your instructor will inform you what to enter in the last three octets; it is based on your seat in the classroom. If you are on the left side, this will be 172.16.x.x, and if you are on the right side, this will be 172.18.x.x.)

22. Change the subnet mask to 255.255.0.0, and then click the Routing button.

23. In the Default Gateway text box, type 172.16.0.1 if you are on the left side of the network, and type 172.18.0.1 if you are on the right side of the network. If you are unsure, please ask your instructor prior to entering any DG addresses.

24. Once the Default Gateway address is entered, click OK, and then click Next.

25. At the Network Card Configuration Overview, verify your IP Address and Subnet Mask, and then click Next.

26. At the Network Configuration screen, click Next. Networking services will now be installed and configured.

27. Select the No, Skip This Test radio button, and click Next.

28. Accept the default CA Management Installation Settings, and click Next.

29. Accept the default Authentication Method Of Local (/etc/passwd), and click Next.

30. In the New Local User screen, enter the following information:

• User’s Full Name: SCP Test User

• Username: test1

• Password: 1test

• Confirm Password: 1test

Click Next.

31. The system will now perform clean up of the installation. Read through the Release Notes, and then click Next.

32. Accept the default Hardware Configuration as it is detected, and click Next. If your system does not properly detect your hardware, you will need to locate the correct Linux drivers for your hardware. This setup guide does not include non-detected hardware environments.

33. The final setup files will be configured. Once done, you will see the Installation Completed screen. Click Finish to exit the Setup and log in to Linux.

34. After the files load, you will be at the login prompt. Enter root as the Username, and press Enter.

35. Enter QWERTY1 as the password, and press Enter. The default files will load, and you will now be logged into SUSE Linux Enterprise 10.

Installing Additional Tools for SUSE Linux Enterprise Server 10

1. Insert the SCP Tools & Resources disc that was provided with your book into your CD-ROM drive.

2. Open the CD to show its contents.

3. Use the Nautilus File Manager and navigate to the / directory.

4. Create a folder labeled Tools.

5. Copy the files from the CD to the /Tools folder.

Configuring Cisco Routers

Three Cisco routers are used in the classroom. The course is written based on the Cisco 2500 series, specifically the 2501, running IOS version 12.2 (with IPSec and SSH support). These routers can be easily found through many authorized resellers, and while they are not the most current Cisco routers, they work very well for the purposes of this class. There is no need to purchase or use newer routers for the classroom, but you are welcome to do so if you so desire.

During the configuration of the CENTER router, you must enter the IP Address of the gateway for the classroom. This is to allow Internet Access for the classroom, and you must configure the CENTER router as per your environment if Internet Access is to be granted. Extensive routing configurations beyond what is listed here are not required for the class.

• The LEFT router is for one half of the class to connect through. It should have the following configuration:

— Hostname and Routername: LEFT

— Access List Configuration:

Access-list 123 deny tcp any any eq 25

Access-list 123 permit ip any any

INT S0: ip access-group 123 in

• The CENTER router is for the Instructor to connect to the class. It should have the following configuration:

— Hostname and Routername: CENTER

— Access List Configuration:

Access-list 155 deny tcp any any eq 20

Access-list 155 deny tcp any any eq 21

Access-list 155 permit ip any any

INT S0: ip access-group 155 in

INT S1: ip access-group 155 in

• The RIGHT router is for the other half of the class to connect through. It should have the following configuration:

— Hostname and Routername: RIGHT

— Access List Configuration:

Access-list 145 deny tcp any any eq 25

Access-list 145 permit ip any any

INT S1: ip access-group 145 in
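The three access lists above are the whole of the classroom's traffic filtering, so it is worth confirming what they permit before they go on the routers. The following Python is an added example, not part of the course materials: it parses extended ACL entries in the form used above and evaluates them with IOS's first-match and implicit-deny semantics against constructed packets between a RIGHT-side host and a LEFT-side host (addresses taken from the classroom table; all function names are this example's own).

```python
"""Evaluate Cisco IOS-style extended ACL entries, as used on the LEFT, CENTER
and RIGHT classroom routers, against sample packets.  Added example, not part
of the course; the packets below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords IOS accepts in place of numbers (the subset that matters here).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80}


@dataclass
class AclEntry:
    number: int                 # access-list number, e.g. 123
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # destination port from "eq <port>", if any


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard is an inverted netmask: 0 bits must match, 1 bits are
    # "don't care".  Only contiguous wildcards are supported here.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]'."""
    t = line.strip().lower().split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    number, action, proto = int(t[1]), t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        port = t[i + 1]
        dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return AclEntry(number, action, proto, src, dst, dport)


def load_acl(lines: List[str]) -> List[AclEntry]:
    """Parse a whole list and check every entry carries the same list number."""
    acl = [parse_acl_line(line) for line in lines]
    if len({e.number for e in acl}) > 1:
        raise ValueError("entries belong to different access lists")
    return acl


def evaluate(acl: List[AclEntry], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry).  IOS walks the list top to
    bottom and the first match wins; a packet that matches nothing hits the
    implicit 'deny ip any any' at the end, reported here as ('deny', None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, idx
    return "deny", None


# The LEFT and CENTER lists exactly as given in the course setup (the parser
# is case-insensitive, so the capitalised "Access-list" is accepted).
LEFT_ACL = ["Access-list 123 deny tcp any any eq 25",
            "Access-list 123 permit ip any any"]
CENTER_ACL = ["Access-list 155 deny tcp any any eq 20",
              "Access-list 155 deny tcp any any eq 21",
              "Access-list 155 permit ip any any"]


def classroom_checks() -> dict:
    """Constructed packets: a RIGHT-side host (172.18.10.1) talking to a
    LEFT-side host (172.16.10.1) through the inbound filters."""
    left, center = load_acl(LEFT_ACL), load_acl(CENTER_ACL)
    return {
        # SMTP into LEFT is blocked by the first entry ...
        "left_smtp": evaluate(left, "tcp", "172.18.10.1", "172.16.10.1", 25),
        # ... but HTTP falls through to the permit.
        "left_http": evaluate(left, "tcp", "172.18.10.1", "172.16.10.1", 80),
        # CENTER drops FTP control traffic on its serial interfaces.
        "center_ftp": evaluate(center, "tcp", "172.18.10.1", "172.16.10.1", 21),
        # The deny is TCP-specific, so UDP to port 21 is still permitted.
        "center_udp21": evaluate(center, "udp", "172.18.10.1", "172.16.10.1", 21),
        # Without the trailing 'permit ip any any', even ICMP is dropped.
        "no_permit_icmp": evaluate(left[:1], "icmp", "172.18.10.1", "172.16.10.1"),
    }


if __name__ == "__main__":
    for name, (action, idx) in classroom_checks().items():
        print(f"{name:15s} -> {action} (entry {idx})")
```

The last check is the one that catches most classroom mistakes: type the deny line without its trailing permit and the implicit deny drops every packet on that interface.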


The detailed configuration procedures are listed here in three main categories:

• Physical configuration

• Router setup

• Access list configuration

Physical Router Configuration

The LEFT router is to be connected to the CENTER router via a Cisco serial cable. The RIGHT router is also to be connected to the CENTER router via a Cisco serial cable. All Ethernet connections are to be made through standard 10/100 BaseT cables.

1. Study the class setup diagram provided in Classroom Configuration.

2. Physically connect the three routers to each other, using serial crossover cables, so that the router designated as CENTER controls the clock rate. To do this, connect the DCE end of the serial cable to the serial interfaces on the CENTER router and the DTE ends to the LEFT's and RIGHT's appropriate serial interfaces.

3. Connect the Ethernet interface on the CENTER router to the instructor machine via a crossover Ethernet cable.

4. Connect the Ethernet interfaces on the LEFT and RIGHT routers to their respective hubs serving their side of the classroom.

Before You Start the Router Setup

All routers should be cleared of any configs before setting up the class. If you have a configured router but you don't know the password, perform the following steps:

1. Console into the router.

2. Enter the sh ver command, and record the configuration register setting (usually 0x2102).

3. Power down the router, and then power it back up.

4. After the amount of main memory is displayed, press the Break key (or Ctrl+Break). You should see the > prompt with no router name.

5. Enter o/r 0x42 to boot from flash or o/r 0x41 to boot from the CD-ROM. Typically, you would boot from flash if it were intact.

6. Enter i to force the router to reboot and ignore its saved config.


7. Answer no to all setup questions.

8. When the Router> prompt is displayed, enter enable to switch to enable mode. The Router# prompt should now be displayed. Once you are in enable mode, you can view and change the password, and you can erase the config.

9. To view the password, enter show config at the Router# prompt.

10. To change the password, from the Router# prompt:

a. Enter config mem to copy NVRAM to mem.

b. Enter wr term

c. Enter config term to enter config mode. The Router(config)# prompt is now displayed.

d. If an enable secret password is set, enter enable secret newpassword, or if there is no enable secret password, enter enable password newpassword, where newpassword is the new password you want to use.

e. To exit config mode, press Ctrl+Z. The Router# prompt is now displayed.

f. Enter write mem to commit the changes to mem. You should now be able to console in and configure the router.

11. To erase the config, from the Router# prompt:

a. Enter write erase

b. Enter config term to enter config mode. The Router(config)# prompt is now displayed.

c. Enter config-register 0x2102, or whatever the configuration register setting was when you began.

d. To exit config mode, press Ctrl+Z. The Router# prompt is now displayed.

e. Enter reload

f. When you are prompted to save the modified system configuration, enter y

g. When you are prompted to proceed with the reload, enter y

Setup for CENTER Router

The CENTER router is used by the instructor to connect to the rest of the class. To set up the CENTER router:

1. Boot up the router and console into it. You should be prompted to enter the initial configuration dialog. (If you are not, follow the procedures listed previously in the “Before You Start the Router Setup” section.)

2. When you are prompted:

a. To enter the initial configuration dialog, enter y

b. To enter basic management setup, enter n

c. As to whether you want to see the current interface summary, press Enter.


d. To enter the host name for [Router], enter CENTER

e. To enter the enable secret password, enter instructor

f. To enter the enable password, enter cisco1

g. To enter the virtual terminal password, enter 2501

h. To configure SNMP network management, enter n

i. To configure LAT, enter n

j. To configure bridging, press Enter to accept the default of No.

k. To configure AppleTalk, press Enter to accept the default of No.

l. To configure DECnet, press Enter to accept the default of No.

m. To configure IP, press Enter to accept the default of Yes.

n. To configure IGRP routing, enter n

o. To configure RIP routing, enter y

p. To configure CLNS, press Enter to accept the default of No.

q. To configure IPX, press Enter to accept the default of No.

r. To configure Vines, press Enter to accept the default of No.

s. To configure XNS, press Enter to accept the default of No.

t. To configure Apollo, press Enter to accept the default of No.

u. If you are prompted to configure BRI, select switch type 0.

v. To configure the Ethernet0 interface, press Enter to accept the default of Yes.

w. To configure IP on this interface, press Enter to accept the default of Yes.

x. For the IP address for this interface, enter 172.17.0.1

y. For the subnet mask for this interface, press Enter to accept the default of 255.255.0.0.

z. To configure the Serial0 interface, press Enter to accept the default of Yes.

aa. To configure IP on this interface, press Enter to accept the default of Yes.

ab. To configure IP unnumbered on this interface, press Enter to accept the default of No.

ac. For the IP address for this interface, enter 192.168.20.2

ad. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.

ae. To configure the Serial1 interface, press Enter to accept the default of Yes.

af. To configure IP on this interface, press Enter to accept the default of Yes.

ag. To configure IP unnumbered on this interface, press Enter to accept the default of No.

ah. For the IP address for this interface, enter 192.168.10.2

ai. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.

aj. If you are prompted to configure any other serial interfaces, enter n until a configuration command script is generated, and you are prompted to make a selection regarding the next action.

ak. To enter your selection, press Enter to accept the default of 2. You should see a message indicating that the router is building the configuration. When the configuration build is complete, an OK message is displayed.

al. To press RETURN to get started, press Enter. The CENTER> prompt should now be displayed.

3. At the CENTER> prompt, enter en to activate enable mode.

4. When you are prompted for the password, enter instructor, and the CENTER# prompt should now be displayed.

5. At the CENTER# prompt, enter conf t to enter config mode. The CENTER(config)# prompt should now be displayed.

6. At the CENTER(config)# prompt:

a. Enter no ip domain lookup

b. Enter int s0 and the CENTER(config-if)# prompt should now be displayed.

7. At the CENTER(config-if)# prompt:

a. Enter no shut

b. Enter clo ra 4000000

c. Enter ban 10000000

d. Enter int s1

e. Enter no shut

f. Enter clo ra 4000000

g. Enter ban 10000000

h. Enter exit and the CENTER(config)# prompt is now displayed.

8. At the CENTER(config)# prompt:

a. Enter ip route 0.0.0.0 0.0.0.0 a.b.c.d (note: you must replace a.b.c.d with the gateway to get out of the network to the Internet).

b. Enter exit and the CENTER# prompt is now displayed.

9. At the CENTER# prompt:

a. Enter sh run and you should see a message indicating that the router is building the configuration.

b. Enter copy ru st

10. When you are prompted for a destination filename, press Enter to accept the default of startup-config. You should again see a message indicating that the router is building the configuration.

Setup for LEFT Router

The LEFT router is used by half of the students to connect to the rest of the class. To set up the LEFT router:

1. Boot up the router and console into it. You should be prompted to enter the initial configuration dialog. (If you are not, follow the procedures listed previously in the “Before You Start the Router Setup” section.)

2. When you are prompted:

a. To enter the initial configuration dialog, enter y

b. To enter basic management setup, enter n

c. As to whether you want to see the current interface summary, press Enter.

d. To enter the host name for [Router], enter LEFT

e. To enter the enable secret password, enter cisco

f. To enter the enable password, enter cisco1

g. To enter the virtual terminal password, enter 2501

h. To configure SNMP network management, enter n

i. To configure LAT, enter n

j. To configure bridging, press Enter to accept the default of No.

k. To configure AppleTalk, press Enter to accept the default of No.

l. To configure DECnet, press Enter to accept the default of No.

m. To configure IP, press Enter to accept the default of Yes.

n. To configure IGRP routing, enter n

o. To configure RIP routing, enter y

p. To configure CLNS, press Enter to accept the default of No.

q. To configure IPX, press Enter to accept the default of No.

r. To configure Vines, press Enter to accept the default of No.

s. To configure XNS, press Enter to accept the default of No.

t. To configure Apollo, press Enter to accept the default of No.

u. If you are prompted to configure BRI, select switch type 0.

v. To configure the Ethernet0 interface, press Enter to accept the default of Yes.

w. To configure IP on this interface, press Enter to accept the default of Yes.

x. For the IP address for this interface, enter 172.16.0.1

y. For the subnet mask for this interface, press Enter to accept the default of 255.255.0.0.

z. To configure the Serial0 interface, press Enter to accept the default of Yes.

aa. To configure IP on this interface, press Enter to accept the default of Yes.

ab. To configure IP unnumbered on this interface, press Enter to accept the default of No.

ac. For the IP address for this interface, enter 192.168.10.1

ad. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.

ae. To configure the Serial1 interface, enter n

af. If you are prompted to configure any other serial interfaces, enter n until a configuration command script is generated, and you are prompted to make a selection regarding the next action.

ag. To enter your selection, press Enter to accept the default of 2. You should see a message indicating that the router is building the configuration. When the configuration build is complete, an OK message is displayed.

ah. To press RETURN to get started, press Enter. The LEFT> prompt should now be displayed.

3. At the LEFT> prompt, enter en to activate enable mode.

4. When you are prompted for the password, enter cisco (the enable secret; when both an enable secret and an enable password are configured, IOS checks the secret). The LEFT# prompt should now be displayed.

5. At the LEFT# prompt, enter conf t to enter global configuration mode. The LEFT(config)# prompt should now be displayed.

6. At the LEFT(config)# prompt:

a. Enter no ip domain lookup

b. Enter int s0 and the LEFT(config-if)# prompt should now be displayed.

7. At the LEFT(config-if)# prompt:

a. Enter no shut

b. Enter ban 10000000

c. Enter exit and the LEFT(config)# prompt is now displayed.

8. At the LEFT(config)# prompt:

a. Enter ip route 0.0.0.0 0.0.0.0 192.168.10.2

b. Enter exit and the LEFT# prompt is now displayed.

9. At the LEFT# prompt:

a. Enter sh run to display the running configuration. The output begins with a message indicating that the router is building the configuration.

b. Enter copy ru st

10. When you are prompted for a destination filename, press Enter to accept the default of startup-config. You should again see a message indicating that the router is building the configuration.

Setup for RIGHT Router

The RIGHT router is used by half of the students to connect to the rest of the class. To set up the RIGHT router:


1. Boot up the router and console into it. You should be prompted to enter the initial configuration dialog. (If you are not, follow the procedures listed previously in the “Before You Start the Router Setup” section.)

2. When you are prompted:

a. To enter the initial configuration dialog, enter y

b. To enter basic management setup, enter n

c. When asked whether you want to see the current interface summary, press Enter.

d. To enter the host name for [Router], enter RIGHT

e. To enter the enable secret password, enter cisco

f. To enter the enable password, enter cisco1

g. To enter the virtual terminal password, enter 2501

h. To configure SNMP network management, enter n

i. To configure LAT, enter n

j. To configure bridging, press Enter to accept the default of No.

k. To configure AppleTalk, press Enter to accept the default of No.

l. To configure DECnet, press Enter to accept the default of No.

m. To configure IP, press Enter to accept the default of Yes.

n. To configure IGRP routing, enter n

o. To configure RIP routing, enter y

p. To configure CLNS, press Enter to accept the default of No.

q. To configure IPX, press Enter to accept the default of No.

r. To configure Vines, press Enter to accept the default of No.

s. To configure XNS, press Enter to accept the default of No.

t. To configure Apollo, press Enter to accept the default of No.

u. If you are prompted to configure BRI, select switch type 0.

v. To configure the Ethernet0 interface, press Enter to accept the default of Yes.

w. To configure IP on this interface, press Enter to accept the default of Yes.

x. For the IP address for this interface, enter 172.18.0.1

y. For the subnet mask for this interface, press Enter to accept the default of 255.255.0.0.

z. To configure the Serial0 interface, enter n

aa. To configure the Serial1 interface, press Enter to accept the default of Yes.

ab. To configure IP on this interface, press Enter to accept the default of Yes.

ac. To configure IP unnumbered on this interface, press Enter to accept the default of No.

ad. For the IP address for this interface, enter 192.168.20.1

ae. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.


af. If you are prompted to configure any other serial interfaces, enter n until a configuration command script is generated and you are prompted to make a selection regarding the next action.

ag. To enter your selection, press Enter to accept the default of 2. You should see a message indicating that the router is building the configuration. When the build is complete, an OK message is displayed.

ah. When asked to press RETURN to get started, press Enter. The RIGHT> prompt should now be displayed.

3. At the RIGHT> prompt, enter en to activate enable mode.

4. When you are prompted for the password, enter cisco. The RIGHT# prompt should now be displayed.

5. At the RIGHT# prompt, enter conf t to enter global configuration mode. The RIGHT(config)# prompt should now be displayed.

6. At the RIGHT(config)# prompt:

a. Enter no ip domain lookup

b. Enter int s1 and the RIGHT(config-if)# prompt should now be displayed.

7. At the RIGHT(config-if)# prompt:

a. Enter no shut

b. Enter ban 10000000

c. Enter exit and the RIGHT(config)# prompt is now displayed.

8. At the RIGHT(config)# prompt:

a. Enter ip route 0.0.0.0 0.0.0.0 192.168.20.2

b. Enter exit and the RIGHT# prompt is now displayed.

9. At the RIGHT# prompt:

a. Enter sh run to display the running configuration. The output begins with a message indicating that the router is building the configuration.

b. Enter copy ru st

10. When you are prompted for a destination filename, press Enter to accept the default of startup-config. You should again see a message indicating that the router is building the configuration.

Configuring the Access Lists

After the initial router setup and the basic configuration have been completed on all three routers, you need to enter the access lists for each of the routers. To do so:

1. To complete the LEFT Router Access Lists:


a. At the LEFT# prompt, enter conf t to switch to config mode. The LEFT(config)# prompt is now displayed.

b. At the LEFT(config)# prompt, enter access-list 123 deny tcp any any eq 25

c. At the LEFT(config)# prompt, enter access-list 123 permit ip any any

d. At the LEFT(config)# prompt, enter int S0 to configure the interface. The LEFT(config-if)# prompt is now displayed.

e. At the LEFT(config-if)# prompt, enter ip access-group 123 in

f. At the LEFT(config-if)# prompt, press Ctrl+Z to leave config mode. The LEFT# prompt is now displayed.

g. At the LEFT# prompt, enter copy ru st and save the configuration changes to startup-config.

2. To complete the RIGHT Router Access Lists:

a. At the RIGHT# prompt, enter conf t to switch to config mode. The RIGHT(config)# prompt is now displayed.

b. At the RIGHT(config)# prompt, enter access-list 145 deny tcp any any eq 25

c. At the RIGHT(config)# prompt, enter access-list 145 permit ip any any

d. At the RIGHT(config)# prompt, enter int S1 to configure the interface. The RIGHT(config-if)# prompt is now displayed.

e. At the RIGHT(config-if)# prompt, enter ip access-group 145 in

f. At the RIGHT(config-if)# prompt, press Ctrl+Z to leave config mode. The RIGHT# prompt is now displayed.

g. At the RIGHT# prompt, enter copy ru st and save the configuration changes to startup-config.

3. To complete the CENTER Router Access Lists:

a. At the CENTER# prompt, enter conf t to switch to config mode. The CENTER(config)# prompt is now displayed.

b. At the CENTER(config)# prompt, enter access-list 155 deny tcp any any eq 20

c. At the CENTER(config)# prompt, enter access-list 155 deny tcp any any eq 21

d. At the CENTER(config)# prompt, enter access-list 155 permit ip any any

e. At the CENTER(config)# prompt, enter int S1 to configure the S1 interface. The CENTER(config-if)# prompt is now displayed.

f. At the CENTER(config-if)# prompt, enter ip access-group 155 in

g. At the CENTER(config-if)# prompt, enter int S0 to configure the S0 interface.

h. At the CENTER(config-if)# prompt, enter ip access-group 155 in

i. At the CENTER(config-if)# prompt, press Ctrl+Z to leave config mode. The CENTER# prompt is now displayed.


j. At the CENTER# prompt, enter copy ru st and save the configuration changes to startup-config.

4. Test the classroom setup, and troubleshoot as necessary. Once physical connectivity issues have been sorted out, you should be able to ping from one side of the classroom to the other. Specifically, the instructor machine should be able to ping every student machine and vice versa. Student machines on the left side of the classroom should be able to ping student machines on the right side of the classroom and vice versa. Note that ping alone does not exercise the filters: ICMP matches only the permit ip any any entry in each list. To confirm that the deny entries work, attempt an SMTP (port 25) or FTP (ports 20 and 21) connection across the serial links and check the match counters with show access-lists on each router.

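The following Python model of the access lists just entered is an added example; it is not part of the course material and is not Cisco IOS code. It parses the exact access-list lines from the procedure, applies IOS first-match semantics with the implicit deny at the end of every list, and honours where each list is bound (inbound on LEFT S0, RIGHT S1, and both serial interfaces of CENTER). The sample addresses 203.0.113.7 and 172.16.0.10 and the port numbers are constructed for the demonstration. It shows what the ping test in step 4 cannot: list 123 stops connections to port 25 arriving from the serial side, but it does not stop the replies to SMTP sessions that a LEFT host opens (source port 25, arbitrary destination port), and it never sees traffic leaving S0, because no list is bound outbound.

```python
"""Added example: a model of the extended access lists entered in this section."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80}

# The access lists from the procedure above, verbatim.
CONFIG_LINES = [
    "access-list 123 deny tcp any any eq 25",
    "access-list 123 permit ip any any",
    "access-list 145 deny tcp any any eq 25",
    "access-list 145 permit ip any any",
    "access-list 155 deny tcp any any eq 20",
    "access-list 155 deny tcp any any eq 21",
    "access-list 155 permit ip any any",
]
# Where each list is bound by "ip access-group": (router, interface, direction) -> list number.
BINDINGS = {("LEFT", "S0", "in"): 123, ("RIGHT", "S1", "in"): 145,
            ("CENTER", "S0", "in"): 155, ("CENTER", "S1", "in"): 155}


@dataclass(frozen=True)
class Ace:
    """One entry of a list. src/dst are (base, wildcard) pairs in Cisco wildcard-mask form."""
    action: str
    proto: str
    src: tuple
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return ((base, wildcard), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2


def _parse_port(t, i):
    """Consume an optional 'eq <port>' qualifier (the only port operator modelled here)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_ace(line):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p]' into (N, Ace)."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not an extended access-list entry: " + line)
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return int(t[1]), Ace(t[2], t[3], src, sport, dst, dport)


def load_acls(lines):
    """Group entries by list number, preserving the order they were entered."""
    acls = {}
    for line in lines:
        number, ace = parse_ace(line)
        acls.setdefault(number, []).append(ace)
    return acls


def _addr_match(spec, addr):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # wildcard 1-bits are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def evaluate(acl, pkt):
    """IOS semantics: entries are tested in order, the first match decides, and a packet
    that matches no entry is dropped by the implicit deny at the end of every list."""
    for ace in acl:
        if (ace.proto in ("ip", pkt.proto) and _addr_match(ace.src, pkt.src)
                and ace.sport in (None, pkt.sport) and _addr_match(ace.dst, pkt.dst)
                and ace.dport in (None, pkt.dport)):
            return ace.action
    return "deny"


def filter_at(acls, router, iface, direction, pkt):
    """Apply the list bound at that interface and direction; with none bound, traffic passes."""
    number = BINDINGS.get((router, iface, direction))
    return "permit" if number is None else evaluate(acls[number], pkt)


if __name__ == "__main__":
    acls = load_acls(CONFIG_LINES)
    outside, mail_host = "203.0.113.7", "172.16.0.10"     # constructed sample addresses
    cases = [
        ("SMTP connection arriving at LEFT S0", "LEFT", "S0", "in", Packet("tcp", outside, 51000, mail_host, 25)),
        ("reply to an SMTP session a LEFT host opened", "LEFT", "S0", "in", Packet("tcp", outside, 25, mail_host, 51000)),
        ("SMTP leaving LEFT S0 (no list bound outbound)", "LEFT", "S0", "out", Packet("tcp", mail_host, 51000, outside, 25)),
        ("FTP control arriving at CENTER S1", "CENTER", "S1", "in", Packet("tcp", "172.18.0.5", 51001, mail_host, 21)),
        ("HTTP arriving at LEFT S0", "LEFT", "S0", "in", Packet("tcp", outside, 51002, mail_host, 80)),
    ]
    for what, router, iface, direction, pkt in cases:
        print(f"{filter_at(acls, router, iface, direction, pkt):<6} {what}")
```

Run it as a script to print the verdict for each constructed packet. Only the eq port operator and the any, host, and address-plus-wildcard forms are modelled; the established, range, and log keywords of real IOS lists are not.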
List of Additional Files

Printed with each lesson is a list of files students open to complete the tasks in that lesson. Many tasks also require additional files that students do not open, but that are needed to support the file(s) students are working with. These supporting files are included with the student data files on the course CD-ROM or data disk. Do not delete these files.

HOW TO USE THIS BOOK

You can use this book as a learning guide, a review tool, and a reference.

As a Learning Guide

Each lesson covers one broad topic or set of related topics. Lessons are arranged in order of increasing proficiency with Tactical Perimeter Defense; skills you acquire in one lesson are used and developed in subsequent lessons. For this reason, you should work through the lessons in sequence.

We organized each lesson into explanatory topics and step-by-step activities. Topics provide the theory you need to master Tactical Perimeter Defense; activities allow you to apply this theory to practical hands-on examples.

You get to try out each new skill on a specially prepared sample file. This saves you typing time and allows you to concentrate on the technique at hand. Through the use of sample files, hands-on activities, illustrations that give you feedback at crucial steps, and supporting background information, this book provides you with the foundation and structure to learn about Tactical Perimeter Defense quickly and easily.

As a Review Tool

Any method of instruction is only as effective as the time and effort you are willing to invest in it. For this reason, we encourage you to spend some time reviewing the book’s more challenging topics and activities.

As a Reference

You can use the Concepts sections in this book as a first source for definitions of terms, background information on given topics, and summaries of procedures.


Lesson 1: Network Defense Fundamentals

Overview

In this lesson, you will be introduced to the core concepts of network security. You will examine the technologies of defending a network, and how those technologies may be used to create a layered defense of the network. You will also identify the foundations of network auditing.

Objectives

To define the concepts of defending a modern complex network, you will:

1A Describe the five keys of network security.

Given a network scenario, you will describe how the five keys of network security are integrated in a modern operational network.

1B Describe the concepts of defensive technologies in creating a layered defense.

Given a network analogy of a fortified castle, you will identify the function of defensive technologies in creating a secure layered defense.

1C Describe the objectives of access control methods.

Given a network scenario, you will describe the available access control methods and how they are implemented in the defense of the network.

1D Identify the impact of a layered defense on the performance of the network.

Given a network where a layered defensive system has been implemented, you will identify the performance impact of each layer on accessing resources in the network.

1E Define concepts of auditing in a network.

Given a network scenario, you will examine the concepts of network auditing, including handling of data and types of audits.

Data Files: none

Lesson Time: 2 hours


Lesson 1: Network Defense Fundamentals 1


Topic 1A

Network Defense

In today’s world, it is getting easier for attackers to infiltrate private networks. They have access to more tools and more powerful computers, and there are more networks to target. Sadly, many organizations simply do not take this threat seriously. They do not see the driving force to create a secure network. They do not see the need to spend money on a defense for their electronic assets. But the need is very real. Every year, the Computer Security Institute (CSI) and the Federal Bureau of Investigation (FBI) survey businesses about their financial losses from theft of proprietary information and other causes. Although only a handful of the companies that participate in this survey have estimated their losses, the reported total has been in the tens to hundreds of millions of dollars.

What makes these numbers even more serious is the fact that these are voluntary reports, and only a small number of businesses are involved. Many organizations are not eager, even in an anonymous setting, to disclose any losses due to computer crime.

Even so, there is an obvious pattern here. The attacks against networks are getting more serious, with a greater loss to the business world than ever before. Even as organizations start to become more security conscious, the number of attackers grows. Clearly, defense is needed, and it is needed now.

Network systems allow authorized users of the enterprise to reach information technology assets quickly through seemingly secure methods. But as remote sites are interconnected to enterprise networks through the Internet, over lines that are not dedicated, many unauthorized users get connected and have access as well.

Users may be naive at times about network security, because they assume that the systems they need to do their jobs are simply there and operational. If the systems are on, some assume, they are secure. But administrators know that security is a real issue to address and that no assumptions are going to make network security magically happen. They know that carefully planned steps must be taken to build a secure network environment, where business transactions and support functions can occur within a system built on trust. They should have complete confidence in its security.

Network security must become a strategic initiative within the enterprise. It must begin as an integral part of the strategic planning process that leads to strategic action plans, resulting in budgeted tactical projects to initiate and implement network security.

The defense of the network starts with the basic security issues all networks must address. These key issues are detailed in the upcoming sections.

network: Two or more machines interconnected for communications.

threat: The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest. A potential violation of security.

security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.

network security: Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects. Network security includes providing for data integrity.


Five Key Issues of Network Security

The five key issues of network security are:

• Authorization and availability

• Authentication

• Confidentiality

• Integrity

• Non-repudiation

Authorization and Availability

First and foremost, network security systems must be operationally available in order to control who has access to which information technology (IT) assets, resources, files, directories, and processes within the network. The security must limit user privileges to minimize the risk of unauthorized access to sensitive information and to areas of the network that only authorized users should be allowed to reach. Additionally, it must keep network systems available through the diligent exercise of security, but never hinder the ability of the network to serve the authorized user.

Authorization and availability also create system assurance, which ensures that:

• Systems are available, with the required functionality present and correctly configured, on an ongoing basis.

• There are adequate controls to protect against unauthorized user access and unintentional errors by users or software.

• There are security measures in place to deter or stop intentional exploits by attackers.

Assurance is absolutely necessary because without it, the other objectives of security will be difficult to meet. However, assurance cannot be a one-time promise; it must be an ongoing effort to be most effective.

Authentication

After controlling who has access, even authorized users must be authenticated to verify and prove their identity. Authentication verifies that users are who they say they are. In data communications, authenticating the sender is necessary to verify that the data came from the right source. The receiver is authenticated as well, to verify that the data is going to the right destination. Public Key Infrastructure (PKI) is one of the best ways to ensure authentication, through digital certificates and digital signatures. The number of factors used to show the identity of the user (authentication) or to prove it (strong authentication) determines how effective authentication can be. The three factors are:

• One-factor authentication provides what you know, such as a password or PIN. It is strictly based on recalling a piece of information from memory. Writing the password down would defeat the purpose of restricting network access to those who know it.

• Two-factor authentication provides what you have in addition to what you know. Examples are a proximity card for door entry or an ATM card with a PIN. An RSA SecurID token used in conjunction with a passcode, or a smart card that carries all your security credentials securely and is unlocked with a PIN, are further examples of the second factor.

• The third factor, which provides strong authentication, is proving the user’s identity, or who you are, by using biometrics. Biometrics uses a physiological characteristic to identify you, such as a fingerprint, retina scan, hand geometry, voice, or iris scan, or a behavioral characteristic, such as keystroke or signature recognition. It results in strong authentication because users not only verify their digital identity through what they know and what they have, but also prove their physical identity through their biometric characteristics.

availability: Assuring information and communications services will be ready for use when expected.

authentication: To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.

Confidentiality

Data communications, as well as email, need to be protected for privacy and confidentiality. Network security must provide a secure channel for the transmission of data and email that does not allow eavesdropping by unauthorized users. Data confidentiality ensures the privacy of data on the network system. PKI can provide what is required to ensure the confidentiality and privacy of communications and data transmissions across networks. The following are the four basic types of information or data that require confidentiality:

• Information that reveals technical data or source information. For example, the model number and software version of your firewall should be kept confidential, because divulging them may give a potential attacker an advantage in exploiting your system.

• Information that is time dependent. It may be confidential only for a given amount of time and have no significance as private information after that, but until then it must be kept confidential.

• Information that reveals organizational or system relationships, and whose divulgence may give unauthorized users a channel for social engineering exploits or other opportunities.

• Information that is private and confidential in its own right. Such information may be crucial to the operations of the enterprise, and its divulgence would surely give an attacker an easy exploitation opportunity.

confidentiality: Assuring information will be kept secret, with access limited to appropriate persons.

firewall: A system or combination of systems that enforces a boundary between two or more networks. Gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based Unix box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.

hacker: A person who enjoys exploring the details of computers and how to stretch their capabilities. A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users, who prefer to learn the necessary minimum.


Integrity

Integrity is a security principle that ensures the continuous accuracy of data and information stored within network systems. Continuity of data integrity is paramount. Data must be kept from unauthorized modification, forgery, or any other form of corruption, regardless of whether the cause is a malicious threat or an accident. Upon receiving an email or data communication, integrity must be verified to ensure that the message has not been altered, modified, added to, or subtracted from by unauthorized users while in transit. Again, PKI ensures the integrity of messages through digital certificates and message digests. Integrity has two main objectives:

• Data integrity ensures that the data has not been altered in an unauthorized manner while in transit, during storage, or while being processed.

• System integrity ensures that a system, while performing its intended processes and applications, provides support to authorized users free from unauthorized manipulation.

Non-repudiation

Security must be established to prevent the parties in a data transaction from denying their participation after the business transaction has occurred. Through PKI, the sender as well as the receiver are authenticated with regard to their respective identities, and the transaction is time-stamped in a tamperproof way, to ensure non-repudiation by both parties. This establishes accountability for the transaction itself for all parties involved in it. The three types of repudiation (or denial) to prevent are:

• Repudiation of origin, by a message creator who denies ever creating or writing the message.

• Repudiation of receipt, by a receiver who denies ever receiving the message even after receiving it.

• Repudiation of submission, as to the time and date of the actual submission. The time stamp helps provide non-repudiation of submission.

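The Integrity and Non-repudiation sections above describe what a message digest, a digital signature, a time stamp, and a signed receipt each contribute. The following Python program is an added example, not code from the course: it carries the three checks through on a constructed transaction using only the standard library. The RSA keys are toy keys built from known Mersenne primes, with no padding, so the arithmetic stays visible; production systems use 2048-bit or larger keys, RSA-PSS or Ed25519, and a vetted library. The record contents, the time stamps, and the shared HMAC key are constructed values. The HMAC at the end makes a point the text leaves implicit: a shared-key MAC gives integrity but cannot prove origin to a third party, because the receiver holds the same key and can compute the same tag.

```python
"""Added example: digest for integrity, signatures for non-repudiation (toy RSA, stdlib only)."""
import hashlib
import hmac
import json


def toy_keypair(p, q):
    """RSA key pair from two known primes. TOY sizes and no padding: illustration only.
    Production code uses 2048-bit keys, RSA-PSS or Ed25519, from a vetted library."""
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    return (e, n), (pow(e, -1, phi), n)          # (public, private); needs Python 3.8+


# 2**k - 1 is prime for k in {61, 89, 107, 127, 521, 607}, so these are valid RSA moduli.
SENDER_PUB, SENDER_PRIV = toy_keypair((1 << 61) - 1, (1 << 89) - 1)
RECEIVER_PUB, RECEIVER_PRIV = toy_keypair((1 << 107) - 1, (1 << 127) - 1)
TSA_PUB, TSA_PRIV = toy_keypair((1 << 521) - 1, (1 << 607) - 1)   # time stamp authority


def digest(data):
    """Message digest (SHA-256): any change to the data changes the fingerprint."""
    return hashlib.sha256(data).digest()


def sign(data, private_key):
    """Sign the digest with a private key. Only the key holder can produce this value."""
    d, n = private_key
    h = int.from_bytes(digest(data), "big") % n   # reduction only because the toy modulus is small
    return pow(h, d, n)


def verify(data, signature, public_key):
    """Anyone holding the public key can check the signature without being able to forge it."""
    e, n = public_key
    return pow(signature, e, n) == int.from_bytes(digest(data), "big") % n


def submit(payload, sender_private, sent_at):
    """Sender binds the payload and its claimed send time together and signs both (origin)."""
    body = json.dumps({"payload": payload, "sent_at": sent_at}, sort_keys=True).encode()
    return {"body": body, "signature": sign(body, sender_private)}


def verify_submission(record, sender_public):
    """Receiver, or later an arbitrator, checks origin and integrity in one step."""
    return verify(record["body"], record["signature"], sender_public)


def timestamp(record, tsa_private, issued_at):
    """A time stamp authority signs (digest, time), so the sender cannot backdate submission."""
    token = digest(record["body"]) + issued_at.encode()
    return {"issued_at": issued_at, "signature": sign(token, tsa_private)}


def verify_timestamp(record, stamp, tsa_public):
    token = digest(record["body"]) + stamp["issued_at"].encode()
    return verify(token, stamp["signature"], tsa_public)


def acknowledge(record, receiver_private):
    """Receiver signs the digest of what arrived, so it cannot later deny receipt."""
    return sign(digest(record["body"]), receiver_private)


def verify_receipt(record, receipt, receiver_public):
    return verify(digest(record["body"]), receipt, receiver_public)


def mac_tag(data, shared_key):
    """Contrast: an HMAC proves integrity to the other key holder, but not origin to a
    third party, because the receiver holds the same key and can forge the tag."""
    return hmac.new(shared_key, data, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    record = submit({"from": "LEFT", "to": "RIGHT", "amount": 100}, SENDER_PRIV, "2024-01-01T09:00:00Z")
    stamp = timestamp(record, TSA_PRIV, "2024-01-01T09:00:02Z")
    receipt = acknowledge(record, RECEIVER_PRIV)
    print("origin and integrity:", verify_submission(record, SENDER_PUB))
    print("submission time:", verify_timestamp(record, stamp, TSA_PUB))
    print("receipt:", verify_receipt(record, receipt, RECEIVER_PUB))
    tampered = dict(record, body=record["body"].replace(b"100", b"900"))   # altered in transit
    print("tampered record still verifies:", verify_submission(tampered, SENDER_PUB))
    # The receiver can compute the identical tag, so a MAC cannot settle a dispute over origin.
    print("receiver can reproduce the HMAC:", mac_tag(record["body"], b"k") == mac_tag(record["body"], b"k"))
```

Each signature covers a digest rather than the raw data, which is why the verifier recomputes the digest from what it actually received; a record altered in transit, a forged time, or a receipt for a different message all fail the corresponding check.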
The Threats to Security

Threats can come from myriad sources in our connected world. The Internet is not the only threat. An organization has to consider employees, contractors, and even the cleaning staff! Any of these people could potentially be a threat and cause damage.

integrity: Assuring information will not be accidentally or maliciously altered or destroyed.

non-repudiation: Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender’s identity, so that neither can later deny having processed the data.


Malicious threats are intentional in nature and can come from either internal or external users. When unauthorized users probe a network system for vulnerabilities and find them, they present themselves as a malicious threat trying to get access by whatever means are available. A successful unauthorized access event is a breach: the malicious threat has now gained access to your network and will exploit whatever assets it can reach. Once inside, the exploit can manifest itself as a passive or an active threat.

• As a passive threat, the accessed data is viewed or intercepted but not modified. It does not change the operation or the state of the system.

• If the data is intercepted and modified by an unauthorized user, it is said to be an active threat. It may also change the operation or state of the system itself.

Whether accidental or malicious, the threat can come from either internal or external users, and from authorized or unauthorized users. Surveys have consistently shown that of all respondents who reported a security breach within the past year, close to 60 percent of the breaches were caused by inside users accessing unauthorized resources, and over 40 percent blamed accounts left open after an employee had left the company. Of all respondents, 20 percent reported that their companies were victims of an attempted or successful break-in by an angry former employee. Also, during most economic slowdowns, companies lay off employees in increasing numbers each week. Such breaches will only get worse during these periods.

Network security administrators must:

• Realize how to minimize, or mitigate, the effects of current and future threats upon their network.

• Realize what defensive strategies and techniques must be implemented to keep networks secure. This should be done to ensure the privacy, confidentiality, and protection of sensitive data and information technology assets.

Defensive Strategies

If all threats to a network system were known, as well as all the vulnerabilities of the system itself, then a specific defensive posture could be deployed to guard and secure the system. It could even be a static defensive posture with definitive controls in place, because the exact threat would be known. Perimeter security using a firewall is a good example of a static defensive posture: the threat is assumed to be known, and rules are generated to allow the firewall to work.

Unfortunately, if the threat is not known, any such assumption can be fatal to the network. Administrators must take the following points into consideration when creating a defensive posture for the enterprise network.

Defense-in-Depth

Defense-in-Depth states that all information technology assets within a protected network need the necessary amount of security protection to guard against direct attacks at whatever level the asset resides within the network. The assumption cannot be made that a firewall or some other all-encompassing perimeter security is enough to protect all information technology assets within the network.

passive threat: The threat of unauthorized disclosure of information without changing the state of the system. A type of threat that involves the interception, not the alteration, of information.

breach: The successful defeat of security controls which could result in a penetration of the system. A violation of controls of a particular information system such that information assets or system components are unduly exposed.


Active Defense-in-Depth

An Active Defense-in-Depth is a defensive posture that thinks creatively and counters any and every threat, whether known or unknown. It is an active defense that changes its posture based on the threat; its defensive assets can flex in any direction according to the disposition of the threat. The basis for Active Defense-in-Depth is the set of Defense-in-Depth concepts.

The requirement to secure network systems and their information technology assets against all current and future threats compels us to use multiple layers of security techniques that provide overlapping protection against attackers, hackers, and any other malicious threat that may attempt an exploit. This is a core requirement for any network taking active measures to protect its assets.

This strategy not only recognizes the value of Defense-in-Depth, which states that every information technology asset within the network must have its own necessary and adequate protection, but adds an active defense that takes whatever actions are necessary to stop the threat, using multiple layers of security that include firewalls, intrusion detection, monitoring devices, and other network security techniques. It recognizes that, because of the highly interactive nature of the various systems and networks, no single system can be secured adequately unless all interconnecting systems are also secured adequately. It must take into account the context of a shared-risk environment, which dictates protection of IT systems at all levels because of the interactive and interconnected nature of today’s systems and networks.

The strategy calls for multiple, overlapping protection approaches, so that the failure or bypass of any individual approach will not leave the system unprotected. Through user training and awareness, well thought-out and planned policies, procedures, and processes, and redundancy of protection mechanisms, the Active Defense-in-Depth strategy ensures the effective protection of information technology assets so that the objective and purpose of the mission can be accomplished.

An Active Defense-in-Depth addresses the largest vulnerability or the most dangerous threat first. The additional layers of security can take care of the remaining threats. Anything else is less of a threat, and often the perimeter defense with firewalls can take care of the everyday types of threat.

There is a general flow to the Active Defense-in-Depth strategy. The first area is to advance the users’ security knowledge through training. Users must realize that the upcoming changes in the network are there to protect them, and if they are required to act differently while online, then they must follow the security policy and do so.

intrusion detection: Pertaining to techniques that attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts, either manually or via software expert systems that operate on logs or other information available.

vulnerability: Hardware, firmware, or software flaw that leaves an AIS (automated information system) open to potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to an AIS.


Security must then be established with a strong perimeter system. Inside the net-work, the Intrusion Detection System is working hard to identify unauthorizedattempts to use resources. The stated strategy will respond to an attack, again asper the defined security policy. Finally, further controls and systems will be inplace to minimize the likelihood of further intrusions and create a more trustedenvironment.

After each part of the defense strategy, the lessons that have been learned areused to strengthen the overall security of the network. Figure 1-1 illustrates thisconcept.

Figure 1-1: The Active Defense-in-Depth model.

Defensive Strategy Requirements

Any organization that is going to deploy a defense system to protect its network must fulfill some common requirements if the defense is going to be successful. Although these are not written as hard and fast rules, they should be followed in nearly all organizations.

attack: An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.

intrusion: Any set of actions that attempts to compromise the integrity, confidentiality, or availability of a resource.


Training and Awareness

Training and awareness is the foundation for the Active Defense-in-Depth defensive posture, because through training and awareness, cultural change within the enterprise occurs. A cultural change is required for all users to exercise security in their day-to-day operations and functions as they execute their processes. Military units that have a high rate of operational readiness for combat use a maxim that states, "Train like you fight, because you will fight like you train." There is a lot to be learned from such a maxim. It means that training must be realistic and replicate battle conditions. Training must replicate the same scenarios that may expose vulnerabilities to attack by the threat. The same scenarios are presented in training to make attack response second nature to the user, as well as to the security professional overseeing the protection of the network.

Perimeter Security

Perimeter security is the first line of defense for the network and is usually provided by a packet filtering or rules-based firewall. In order to be most effective, ensure that the firewall has the following properties and rules:

• Base your packet filtering and traffic management rules on the organizational security policy.

• The firewall defines all network connections.

• All traffic, from inside out and from outside in, must pass through the firewall; there must be no path around it.
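The three properties above can be checked mechanically. What follows is an added example, not code from the SCNS course: a small default-deny packet filter in Python whose rule set is written from an assumed organizational policy (users may browse the web and resolve names; the public may reach one DMZ web server; nothing else crosses), together with a check for rules that can never match because an earlier rule shadows them, one of the misconfigurations that makes legitimate resources unreachable. The address ranges, rule names, and sample packets are constructed for illustration.

```python
# Added example (not code from the SCNS course): a minimal default-deny packet
# filter whose rules are written from an assumed organizational policy, plus a
# check for rules shadowed by earlier ones. Address ranges, rules and sample
# packets are assumptions constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space
DMZ_WEB = "192.0.2.10/32"            # assumed public web server in the DMZ
ISP_DNS = "198.51.100.53/32"         # assumed upstream DNS resolver

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    direction: str               # "in" (outside to inside) or "out" (inside to outside)
    proto: Optional[str] = None  # None matches any protocol
    dst: Optional[str] = None    # host or network in CIDR form; None matches any
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet, direction: str) -> bool:
        if self.direction != direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return True

# Each rule traces to an (assumed) policy statement: users may browse the web
# and resolve names through the ISP resolver; the public may reach the DMZ web
# server; nothing else crosses the perimeter. First match wins, so order matters.
RULES: List[Rule] = [
    Rule("web-out", "allow", "out", "tcp", None, 80),
    Rule("https-out", "allow", "out", "tcp", None, 443),
    Rule("dns-out", "allow", "out", "udp", ISP_DNS, 53),
    Rule("dmz-web-in", "allow", "in", "tcp", DMZ_WEB, 80),
    Rule("dmz-https-in", "allow", "in", "tcp", DMZ_WEB, 443),
]

def direction_of(pkt: Packet) -> str:
    """Traffic sourced from the internal range is outbound; all else is inbound."""
    return "out" if ip_address(pkt.src) in INTERNAL else "in"

def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule; otherwise default deny."""
    direction = direction_of(pkt)
    for rule in rules:
        if rule.matches(pkt, direction):
            return rule.action, rule.name
    return "deny", "default-deny"

def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Configuration check: a rule is dead if an earlier rule in the same
    direction matches a superset of its traffic. A blanket deny placed above
    an allow is one way a firewall blocks resources that should be reachable."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.direction != later.direction:
                continue
            if earlier.proto is not None and earlier.proto != later.proto:
                continue
            if earlier.dport is not None and earlier.dport != later.dport:
                continue
            if earlier.dst is not None and (
                later.dst is None or not ip_network(later.dst).subnet_of(ip_network(earlier.dst))
            ):
                continue
            dead.append((later.name, earlier.name))
            break
    return dead

if __name__ == "__main__":
    samples = [  # constructed packets, not captured traffic
        Packet("10.1.2.3", "203.0.113.5", "tcp", 443),    # allow, https-out
        Packet("10.1.2.3", "203.0.113.5", "tcp", 23),     # deny, telnet is not in policy
        Packet("203.0.113.77", "192.0.2.10", "tcp", 80),  # allow, dmz-web-in
        Packet("203.0.113.77", "10.0.0.5", "tcp", 445),   # deny, direct inbound to the LAN
    ]
    for p in samples:
        print(p, filter_packet(p))
    bad = [Rule("block-all-out", "deny", "out"), Rule("web-out", "allow", "out", "tcp", None, 80)]
    print(shadowed_rules(bad))  # [('web-out', 'block-all-out')]
```

The rule set deliberately contains no explicit "deny all" entry: anything not matched falls through to the default deny, which is the behaviour the second and third properties above require. The shadowing check is the kind of review a practitioner runs before loading a rule set, since a shadowed allow silently turns into the "entire portions of a network become unavailable" failure discussed later in this lesson.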

Intrusion Detection Systems (IDS)

Intrusion Detection Systems (IDS) are a combination of hardware and software systems that monitor and collect network and system information and analyze it to detect attacks or intrusions. Some IDSs can automatically respond to an intrusion or attack based on a collected library of attack signatures. IDSs are commonly deployed alongside software-based vulnerability scanners, such as an Internet scanner, which may be the primary tool for network vulnerability analysis. This type of scanner performs both scheduled and deliberate probes of the network infrastructure for flaws and vulnerabilities in operating systems, routers, applications, and communication devices.

packet: A block of data sent over the network, transmitting the identities of the sending and receiving stations, error-control information, and the message.

packet filtering: A feature incorporated into routers and bridges to limit the flow of information based on pre-determined communication attributes such as source, destination, or type of service being provided by the network. Packet filters let the administrator limit protocol-specific traffic to one network segment, isolate email domains, and perform many other functions.

router: An interconnection device that is similar to a bridge, but forwards packets or frames containing certain protocols. Routers link LANs at the network layer.

vulnerability analysis: Systematic examination of an AIS or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.


Attack Response

Attack response consists of many practices carried out in response to attacks or incidents, whether real, false, or simulated for training. All attacks are handled the same way until the administrator verifies that an event is in fact a false positive or a simulated attack for training. In any case, the response itself needs to be kept secret from anyone outside the security team, so as not to give potential attackers an advantage or a possible vulnerability to exploit. A ready response team should be designated and alerted in a timely fashion once any attack has been detected. This team must have senior management backing and technical training, including security policy creation, maintenance, enforcement, and escalation during a response in case the team cannot handle the particular attack.

TASK 1A-1
Identifying Non-repudiation Issues

1. What are the three potential problems a network could face if there is no assurance of non-repudiation, and what is the potential excuse for each problem?

The following examples of excuses that people are known to routinely give each other are indicative of the potential problems in a network if non-repudiation is not implemented:

• Repudiation of origin: “I never sent it.”

• Repudiation of receipt: “I never received it.”

• Repudiation of submission: "I sent it out a while back" versus "You say you sent it out when? I only received it yesterday."

Topic 1B
Defensive Technologies

To have a network that can be considered well-secured requires a layered defense. The concept of a layered defense is old and simple: the more layers an attacker has to go through, the more difficult it is for the attack to be successful.

The Castle Analogy

This concept can be traced back very far; for this discussion, we will go back to the days of castles and fortresses. These buildings often housed hundreds of people and their rulers. In some cases, the castle was the entire town, with small huts outside the castle boundaries. Needless to say, they required very good and reliable security.

false positive: Occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action.


A castle's defense system is the classic layered concept. The castle itself is built out of strong and very thick stone. The walls of the castle are very high. The towers of the castle are even higher and allow the guards to see intruders at a greater distance. Other guards are positioned inside to watch for imposters and other internal disruptions.

Closer to the castle is the moat, a body of water surrounding the castle. The only entrance is the drawbridge, which can be raised so no one can enter or leave without permission. A massive door protects the entrance past the drawbridge. Small arrow holes are hidden along the walls and in the towers for archers to use; these make it easy for arrows to get out of the castle but difficult to shoot an arrow into one of those holes.

As you can see, each additional layer of defense created a more secure overall castle. The analogy is directly transferable to networking. No single technology can create a secure network, just as a moat alone cannot create a secure castle.

Attacking the Castle

If the castles were so well defended, then how and why did they eventually fall? With layers upon layers of defense, the castles seemed as if they could not fall into their enemies' hands. History tells us otherwise.

There were three basic approaches to bringing about the downfall of a castle.

• One was through a massive attack, where hundreds or thousands of soldiers would storm the castle in a constant assault until the massive door was finally penetrated. This method generally cost many lives, but often was successful.

• The second approach was a variation of the first. Instead of actually storming the castle, a large army would simply lay siege to the castle for months until finally the defenders gave up.

• The third method was to find the secret entrance(s). Often the castle needed secret alternate ways in and out for emergencies. Once the enemy found this second entrance, they could send a small force in to open the castle from inside. This proved to be a more effective method, since the cost in lives to the attacker was far less.

Now, looking at this analogy, what are the defensive technologies employed in today's network security terms? There are many similarities, as you may have noticed.

The Castle's Firewall

In the castle analogy, there is a definite firewall in place. The two parts would be the moat and the high stone walls. This is how the firewall should operate in a network: in multiple parts. For example, you may have a firewall blocking ports, and another part of the firewall running Network Address Translation (NAT) to hide your internal IP addresses. These pieces are the classic perimeter security system, and all networks that are serious about security must have them.


Further analogies to the firewall are the arrow holes and the front door itself. The arrow holes are roughly equivalent to protocol port numbers, in that they are small and can be set up to be one-way: arrows go out, but they do not come back in. The front door can be opened to allow full two-way movement or communication.

The Castle's Intrusion Detection

The guards on the inside watching for an imposter or other internal problem are the intrusion detection. The guards high up in the watchtower are also part of the Intrusion Detection System, looking for attackers from the outside.

The Castle's Back Doors

One of the most serious problems with the security of a network is a back door. If a user installs a modem and makes an independent, direct connection to the Internet, all an attacker needs to do is find that back door. Once the back door is found, the attacker can come in and open up the entire network from the inside.

This analogy is used to illustrate the need for a solid, well-planned, layered defense strategy for the network. Since any single point is subject to attack and potential failure, there must be other systems in place that work as defense for the network. Figure 1-2 is a graphical representation of the layered concept.

Figure 1-2: The layered defense concept.

protocol: Agreed-upon methods of communication used by computers. A specification that describes the rules and procedures that products should follow to perform activities on a network, such as transmitting data. If they use the same protocols, products from different vendors should be able to communicate on the same network.

back door: A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door; a hidden software or hardware mechanism used to circumvent security controls.


The Defense Technologies

So, what exactly are the defensive technologies that can be deployed in a network? There are many, and some are not purely defensive, but they are used in the defense of the network.

Figure 1-3: The layers of defense in reaching a file.

The best way of looking at the defense of the network is to start on the outside, at the perimeter, and work your way in to the target. The target may be a number of different things, but in this discussion we will focus on an application residing on a host computer.

1. The first aspect in the defense of the network does not even use electricity. It is the security policy. Many people consider the firewall the first line of defense, but this could be argued as incorrect. Without a policy, the firewall cannot be configured! So, the first item is the policy. There must be a clear understanding of the purpose of the security in the network. The policy must cover who can do what, when, and how. The policy also must state the clear objectives of each piece of equipment used in the defense of the network. As with many things in life, proper planning is required for successful implementation.

2. After the security policy has been created and agreed to, the implementation of the defense systems can begin. On the very edge of the network are the routers. These routers may be configured, via access control lists, to perform part of the firewall system and provide some level of packet filtering. The firewall may provide NAT and proxy services. NAT will ensure that the internal private addresses stay hidden, and the proxy services will make requests for resources on behalf of the internal clients.

host: A single computer or workstation; it can be connected to a network.

proxy: A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user; typical proxies accept a connection from a user, decide whether or not the user or client IP address is permitted to use the proxy, perhaps perform additional authentication, and then complete a connection on behalf of the user to a remote destination.

3. Moving through the layers, beyond the firewall, the next piece is the IDS. The IDS is in place to notify the security professionals when an intrusion has happened, and it can perform this function both on the inside of the network and by detecting attempts from the outside of the network.

4. Still deeper into the defense of the network is authentication. The host computer will require a form of authentication to gain access to the resources. Making it to the host is one thing; authenticating with the host and getting access is another.

5. After authentication with the host is the file system security. Each file, or each resource, should be designed with its own security. This security dictates who has access to this file, and what kind of access each person has. The file security may even specify the times of day during which users have access to the file.

The physical security of the network, although not a specific technology, is worth mentioning. Physical security of the computers, routers, switches, and employees is critical to maintaining a well-defended network. There is no point in implementing all the above technologies if anyone can walk into an office and browse a computer. Physical access must be part of the defense, and should be outlined in the security policy.

TASK 1B-1
Describing the Layers of a Defended Network

1. Describe how an organization benefits from implementing each layer of a layered defense to protect its network.

Benefits to implementing a layered defense include:

• Security Policy: Organized defense.

• Perimeter Defense: Rule sets define what kind of traffic is allowed in or out.

• IDS: Monitoring of the network or hosts to detect unusual behavior or attacks, so that responses can be planned rather than arbitrary.

• Authentication: Depending upon the level of authentication used (one-, two-, or three-factor), it can be very difficult for one user to impersonate another.

• File System Security: Users with verified credentials are granted or denied access to certain resources.

• Physical Security: Prevents access to machines by users with malicious intent.

NAT and proxy services are covered in greater detail in upcoming lessons.

physical security: The measures used to provide physical protection of resources against deliberate and accidental threats.


Topic 1C
Objectives of Access Control

Every network, no matter how well it is defended, will require verification of the network user's credentials. This is the process of access control. All networks need a system in place to be sure only authorized users have access to the network and its resources.

Access Control

On the network, one of the critical areas of security is determining who has access to what. It is the security professional's job to ensure that the policy guidelines are met and no unauthorized access to resources takes place. Or, as the definition of access control states, it is the prevention of unauthorized use by controlling the access to any protected system or resource.

Access control systems are what help the security professional satisfy that requirement. There are two types of access control that may be implemented: Mandatory Access Control (MAC) and Discretionary Access Control (DAC). The policy in place determines which of these controls will be used.

Mandatory Access Control

MAC is an access control policy that supports a system which generally handles highly sensitive or secret information. Government agencies typically use MAC. Both the user, called a subject, and the data or resource being accessed, called an object, must carry a security label, for example Top Secret, Secret, or Confidential. These labels are security classifications for objects and security clearances for subjects, and neither users nor resource owners can change them; the policy does. If only one level of security is maintained in a system, it is called a System High Policy, which requires all system users to have the appropriate clearance for the highest level of sensitive information that may be accessed. If Secret information is on this system, then all authorized users must have at least a Secret clearance. If multiple levels of classified information are on a single system and users with different security clearances must access it, then a Multi-level Security Policy is enforced. To make this effective, the system typically uses screened subnets, separated by firewalls, to allow access only to users with the appropriate clearance level.

Discretionary Access Control

DAC is an access control policy that uses the identity of the user, or of a group to which they belong, to allow authorized access. It is discretionary in that the owner of a resource (or an administrator acting on the owner's behalf) decides who has access, to what, and what type of access they will have, such as create or write, read, update, or delete. This set of rights is known as CRUD, which stands for Create, Read, Update, and Delete.
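To make the distinction concrete, here is an added example in Python (it is not code from the SCNS course): a MAC decision based on label dominance, including the System High logon check described above, beside a DAC object whose owner grants CRUD rights to named users and groups. The label order and the read and write rules (a subject may read only objects at or below its clearance, and write only to objects at or above it, so sensitive data cannot be copied downward) are the usual confidentiality rules and are an assumption here, since the course text does not spell them out; the users and the payroll file are constructed for illustration.

```python
# Added example (not code from the SCNS course): a label-based Mandatory Access
# Control check beside an owner-managed Discretionary Access Control list with
# CRUD rights. The label ordering, the read/write rules, and the sample users
# and files are assumptions made for illustration.
from dataclasses import dataclass, field
from typing import Dict, Set

# MAC: one total order of labels, used as clearances for subjects and as
# classifications for objects. A higher number means more sensitive.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

def dominates(a: str, b: str) -> bool:
    """True when label a is at or above label b in the ordering."""
    return LEVELS[a] >= LEVELS[b]

def mac_permits(clearance: str, classification: str, op: str) -> bool:
    """Assumed confidentiality rules (not stated in the course text): a read
    requires the subject's clearance to dominate the object's label ("no read
    up"); a write requires the object's label to dominate the subject's ("no
    write down"), so a Secret user cannot copy Secret data into a Confidential
    file. Neither party can change the labels; the policy sets them."""
    if op == "read":
        return dominates(clearance, classification)
    if op == "write":
        return dominates(classification, clearance)
    raise ValueError(f"unknown operation {op!r}")

def system_high_admits(clearance: str, system_label: str) -> bool:
    """System High policy: every user of the system must be cleared for the
    highest label the system holds, before any per-object check is made."""
    return dominates(clearance, system_label)

# DAC: the object's owner decides who may do what; the rights are the CRUD set.
CRUD = {"create", "read", "update", "delete"}

@dataclass
class DacObject:
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # principal -> rights

    def grant(self, by: str, principal: str, rights: Set[str]) -> None:
        """Only the owner may change the ACL; that is what makes it discretionary."""
        if by != self.owner:
            raise PermissionError(f"{by} does not own this object")
        if not rights <= CRUD:
            raise ValueError(f"unknown rights: {sorted(rights - CRUD)}")
        self.acl.setdefault(principal, set()).update(rights)

def dac_permits(obj: DacObject, user: str, groups: Set[str], op: str) -> bool:
    """The owner holds every right; anyone else gets the union of the entries
    for their user name and for each group they belong to."""
    if user == obj.owner:
        return True
    allowed = set(obj.acl.get(user, set()))
    for g in groups:
        allowed |= obj.acl.get(g, set())
    return op in allowed

def build_payroll_example() -> DacObject:
    """Constructed sample: alice owns the payroll file and delegates rights."""
    payroll = DacObject(owner="alice")
    payroll.grant("alice", "finance", {"read"})        # group entry
    payroll.grant("alice", "bob", {"read", "update"})  # user entry
    return payroll

if __name__ == "__main__":
    # Multi-level system: the per-object answer differs by user and direction.
    print(mac_permits("Secret", "Confidential", "read"))   # True
    print(mac_permits("Confidential", "Secret", "read"))   # False: no read up
    print(mac_permits("Secret", "Confidential", "write"))  # False: no write down
    # System High: a Confidential user may not log on to a Secret-high system.
    print(system_high_admits("Confidential", "Secret"))    # False
    p = build_payroll_example()
    print(dac_permits(p, "bob", {"finance"}, "update"))    # True: user entry
    print(dac_permits(p, "carol", {"finance"}, "update"))  # False: group has read only
    print(dac_permits(p, "dave", set(), "read"))           # False: no entry at all
```

The contrast worth noticing is where the decision lives: in `mac_permits` the two labels are compared and no user input can alter the outcome, whereas in `dac_permits` the outcome depends entirely on what the owner chose to put in the ACL.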


Authentication

Once the policies of access control are in place, there needs to be a mechanism that can verify the user who is requesting access. Having either DAC or MAC in the organization's network is useless if the network cannot identify its users. This is where authentication comes in. Although each operating system has its own methods of authentication, here we will discuss the concepts and methods of authentication in general.

How is authentication defined? The basic definition is the process of determining the identity of a user that is attempting to access a system. (The word "system" in this case could be a router, server, workstation, and so on.)

Authentication occurs when a user provides the requested information to an authentication verification authority. The requested information can take many forms, as you will see. The verification authority can also take different forms, but is generally a server on the network.

The traditional method of authentication is to provide a password. This password is a value that the user creates individually, or that is generated for them. In any case, it is a value the user remembers and enters when requested. Systems can be as simple as having a single password to log in and use every resource available, or as complex as requiring one password to log in and different passwords to access specific resources.

To increase the level of reliability and ease of use for users, biometric authentication can be introduced. When this type of system is added to the authentication scheme, it is considered to be strong authentication. The designation of strong is given because the user is identified not only digitally, but by their physical person via a physiological characteristic, such as a fingerprint scan, iris scan, or hand geometry.

Authentication Tokens

For some organizations, the traditional methods of using passwords are not enough, and the implementation of a biometric solution, such as fingerprint scanning, does not meet their policy requirements. These organizations may then look to tokens. Tokens come in different sizes and implementations.

An authentication token is a portable device used for authenticating a user, thereby allowing authorized access into a network system. The tokens are literal physical devices, and they operate by using systems such as challenge and response or time-based code sequences. One of the most well-known is the RSA SecurID token.

Challenge Response Token

The challenge response token is an authentication technique using a calculator-type token that contains the same security keys or algorithms as a Network Access Server (NAS). The NAS sends an unpredictable challenge to the user, who computes a response using their authentication token. This is shown in Figure 1-4.

server: A system that provides a network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.


Figure 1-4: An example of a challenge response card from Cryptocard.

The Challenge Response Process

Each challenge response token is pre-loaded with a Data Encryption Standard (DES) encryption key and a default user PIN unique to that token, in association with a user name. Neither of these items can be extracted from the token. (DES, with its 56-bit key, is now considered too weak for new designs; current tokens use stronger algorithms, but the exchange below is the same.)

Upon receiving a new token, the user must take the following steps to access a secured network using challenge/response technology:

1. Activate the token by changing the PIN to one known only by the user. The user enters the chosen PIN on the token.

2. The user begins the logon sequence.

3. The user types in the User ID from the requesting PC.

4. The NAS passes the PIN and User ID to the authentication server as part of the logon request.

5. The authentication server generates a random challenge and sends it back to the user via the connection through the NAS.

6. The challenge is then delivered to the user, where it appears on the requesting PC screen.

7. The user types the challenge into the token, which then encrypts it using its internal DES key.

8. The token displays the encrypted response.

9. The user types the encrypted response into the requesting PC keyboard.

10. The authentication server receives the response and, using the same DES key that the token used, processes it and verifies the user and the token.

11. The authentication server sends a message to the NAS to allow the user access.

DES: (Data Encryption Standard) Definition 1: An unclassified crypto algorithm adopted by the National Bureau of Standards for public use. Definition 2: A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.

key: A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt.


Figure 1-5: An example of the challenge response token authentication system.

Time-based Tokens

The challenge response token system is widely used on many networks today. There is a different type of token that is also currently used: the time-based token. Where the challenge response token requires the user to enter data into the token and read data back out of it, the user of a time-based token only reads data.

Figure 1-6: An example of the time-based token authentication system.

The time-based token uses an authentication technique in which the security token and the security server run an identical algorithm. The token combines a secret seed value with the current time and runs them through that algorithm to produce a tokencode that changes at a fixed interval. To gain access, the user enters their user name together with a passcode made up of their PIN and the tokencode currently displayed. The server authenticates the user by looking up the pre-registered PIN and seed, generating its own version of the valid tokencode for the current time with the same algorithm, and comparing it with what the user entered, thereby validating both the user and their token.

Figure 1-7: An example of the RSA SecurID token.


Time-based and challenge response tokens are both good examples of two-factor authentication. The server validates what the user knows (the user name and PIN) and what the user has (the authentication token).
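The following added example (not code from the SCNS course, RSA, or Cryptocard) shows both sides of the two token exchanges described above: steps 4 to 11 of the challenge/response process, and the PIN-plus-tokencode check of a time-based token, including the two failure modes the server must handle, clock drift between token and server and replay of a captured code. Because DES is not in Python's standard library (and is obsolete), HMAC-SHA256 is substituted for the DES operation that the token and server share; the user names, PINs, seeds, 60-second code window, and 8-digit challenge length are assumptions. The PIN is checked on the server side, as in step 4, and the NAS is treated as a relay that adds nothing to the protocol.

```python
# Added example (not course, RSA or Cryptocard code): both sides of the
# challenge/response exchange (steps 4-11) and of a time-based passcode check.
# HMAC-SHA256 stands in for the token's DES operation (DES is not in Python's
# standard library and is obsolete). Names, PINs, seeds, the 60-second window
# and the 8-digit challenge length are assumptions.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

STEP = 60  # seconds per time-based tokencode (assumed)

def _code(key: bytes, msg: bytes, digits: int) -> str:
    """Shared token/server function: a fixed-length decimal code from an HMAC."""
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)

def token_respond(key: bytes, challenge: str) -> str:
    """Challenge/response token (steps 7-8): the key never leaves the device;
    the user types the challenge in and reads the response out."""
    return _code(key, challenge.encode(), 8)

def tokencode(seed: bytes, now: float) -> str:
    """Time-based token: the code depends only on the seed and the time window,
    so the user reads it and types nothing into the token."""
    return _code(seed, (int(now) // STEP).to_bytes(8, "big"), 6)

class AuthServer:
    """Holds each user's registered PIN (what you know) and token secret (what
    you have). The NAS in the course text only relays messages to it."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}
        self.pending: Dict[str, str] = {}      # outstanding challenge per user
        self.last_window: Dict[str, int] = {}  # last accepted time window per user

    def enroll_cr(self, user: str, pin: str, key: bytes) -> None:
        self.users[user] = {"pin": pin, "key": key}

    def enroll_tb(self, user: str, pin: str, seed: bytes) -> None:
        self.users[user] = {"pin": pin, "seed": seed}

    def begin_logon(self, user: str, pin: str) -> Optional[str]:
        """Steps 4-6: check user ID and PIN, then issue a fresh random challenge."""
        rec = self.users.get(user)
        if rec is None or "key" not in rec or not hmac.compare_digest(rec["pin"], pin):
            return None
        self.pending[user] = str(secrets.randbelow(10 ** 8)).zfill(8)
        return self.pending[user]

    def finish_logon(self, user: str, response: str) -> bool:
        """Steps 10-11: recompute with the same key. A challenge is single-use,
        so a captured response cannot be replayed."""
        challenge = self.pending.pop(user, None)
        if challenge is None:
            return False
        return hmac.compare_digest(_code(self.users[user]["key"], challenge.encode(), 8), response)

    def verify_passcode(self, user: str, passcode: str, now: float, skew: int = 1) -> bool:
        """Time-based check of passcode = PIN + tokencode: recompute the code for
        the current window and +/- skew windows (clock drift), and refuse any
        window already accepted for this user (replay of a captured code)."""
        rec = self.users.get(user)
        if rec is None or "seed" not in rec:
            return False
        n = len(rec["pin"])
        if not hmac.compare_digest(passcode[:n], rec["pin"]):
            return False
        window = int(now) // STEP
        for w in range(window - skew, window + skew + 1):
            if w <= self.last_window.get(user, -1):
                continue
            if hmac.compare_digest(passcode[n:], _code(rec["seed"], w.to_bytes(8, "big"), 6)):
                self.last_window[user] = w
                return True
        return False

def demo() -> Dict[str, bool]:
    """Run both exchanges with constructed users and return the outcomes."""
    server = AuthServer()
    key = secrets.token_bytes(16)
    server.enroll_cr("jdoe", "4821", key)
    results = {"cr_wrong_pin": server.begin_logon("jdoe", "0000") is None}
    response = token_respond(key, server.begin_logon("jdoe", "4821"))
    results["cr_ok"] = server.finish_logon("jdoe", response)
    results["cr_replay"] = server.finish_logon("jdoe", response)  # same response again
    seed = secrets.token_bytes(16)
    server.enroll_tb("asmith", "7733", seed)
    now = 1_700_000_000.0  # fixed clock for the demo
    code = tokencode(seed, now)
    results["tb_ok"] = server.verify_passcode("asmith", "7733" + code, now)
    results["tb_replay"] = server.verify_passcode("asmith", "7733" + code, now)
    stale = tokencode(seed, now - 10 * STEP)
    results["tb_stale"] = server.verify_passcode("asmith", "7733" + stale, now + STEP)
    return results

if __name__ == "__main__":
    print(demo())
```

Two details carry the security of the exchange: the challenge is deleted the moment it is used, so a response captured on the wire is worthless a second time, and the time-based verifier remembers the last window it accepted, so a captured passcode cannot be reused within the skew tolerance that clock drift otherwise requires. `hmac.compare_digest` is used for every comparison so that a wrong PIN or code is rejected in constant time.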

Software Tokens

If an organization does not wish to purchase hardware tokens such as those described, they may opt for a software solution instead. A software token is an authentication technique using a portable device, such as a Palm Pilot, Palm PC, or wireless telephone, to carry the embedded software.

When attempting to access the secured network, the user is prompted to provide their PIN (pre-registered with the server in association with the user name) and an authentication code, which is generated by the software token. This information is routed to an access server, such as an RSA ACE/Server, for verification. If the PIN and authentication code are valid, the user is granted access. If not, the user is denied access to the network.

Figure 1-8: An example of a Palm Pilot running RSA security software.


TASK 1C-1
Describing the Challenge Response Token Process

1. Describe the Challenge Response token process between the user, client, and server.

Each challenge/response token is pre-loaded with a DES (Data Encryption Standard) encryption key and a default user PIN unique to that token, in association with a user name. Neither of these items can be extracted from the token. Upon receiving a new token, the user must follow several steps to access a secured network by using challenge/response technology.

2. Place the following steps in the proper order.

7 The user types the challenge into the token, which then encrypts it using its internal DES key.

3 The user types in the User ID from the requesting PC.

10 The authentication server receives the response and, using the same DES key that the token used, processes it and verifies the user and the token.

4 The NAS passes the PIN and User ID to the authentication server as part of the logon request.

8 The token displays the encrypted response.

11 The authentication server sends a message to the NAS to allow the user access.

1 The token is activated by changing the PIN to one known only to the user. The user enters the chosen PIN on the token.

6 The challenge is sent to the user, where it appears on the requesting PC screen.

2 The user begins the logon sequence.

9 The user types the encrypted response into the requesting PC keyboard.

5 The authentication server generates a random challenge and sends it back to the user via the connection through the NAS.


Topic 1D
The Impact of Defense

Network security protects all the information technology assets within the enterprise, including computers, servers, databases, applications, peripherals, and, perhaps most importantly, data or information. Network security allows authorized users to access IT assets quickly, whenever needed, while improving communications with internal and external customers within a secure environment.

Implementation of security controls, whether in a layered defense or any other mode, should not, in any way, hinder the functionality of the network. Networks must be secure, but the implementation of security cannot hinder the objective and purpose of the network itself.

Of the different technologies discussed in this lesson, how many could have a negative impact on the performance of the network? If you answered all of them, you are correct. However, they do not have to have a negative impact on the network. Proper implementation of security controls will reduce the impact on the network.

How exactly do these technologies impact the network in the first place? Let's examine some of the technologies discussed previously.

Firewalls

The firewall is the first line of defense for the network. In a properly designed network, all packets that enter the network come through this point. A modern firewall is generally a system of applications and hardware working together. The jobs a firewall can be asked to perform are packet filtering, network address translation, and proxy services.

A firewall can have a negative impact on the network by blocking access to resources that should be accessible. It is possible that, because of improper configuration of a firewall, entire portions of a network become unavailable, in which case the performance hit is significant. Additionally, if an ordinary PC has been configured to be the firewall (a multihomed computer), it may not have the internal speed to perform all the functions of the firewall fast enough, resulting in latency.

Encryption

The encryption process as a whole involves taking data that is readable as plain text and, using a mathematical calculation, making the text unreadable. The receiver then needs to perform a corresponding calculation to decrypt the message and read it in its plain text format.

The performance hit is much more obvious with encryption. If the data packets are encrypted, the information that must be transmitted is larger (the added headers, padding, and integrity check values take space), and more bandwidth will be consumed. Additionally, the devices that perform the encryption and decryption have more work to do in running the algorithms that perform the task. Networks whose systems are at minimum levels will be affected the most by the addition of encryption.


Computers and routers that are asked to perform encryption must be able to handle the extra workload. It is not always the network that has a performance drop; it is often the computers themselves, as they struggle to keep up with all the extra processing required to encrypt and decrypt data. File system encryption can be as much of a performance hit as encrypted network traffic.

Passwords

Forcing hard-to-remember passwords on users results in either the passwords being written down or frequent calls to the help desk to come and unlock their computers. This results in a performance hit on the overall functionality of the entire network. The password issue is a difficult one, as networks require strong passwords, but users have a hard time creating them. The network administration staff should take the time to educate users on creating strong passwords.

One of the better methods of making strong passwords that users can remember is to use phrases instead of words (which should never be used). The phrase method requires the user to think of a phrase they will remember. The phrase itself is never typed in, so it can be related to something personal, such as a birthday, without the password giving that fact away. For example, "I was Born on June 27!" could become the password IwBoJ27! This illustrates how easy it can be to generate passwords that are hard to guess yet can be remembered. Note that the result is only as strong as its length and character mix: a phrase that yields eight characters should be treated as a minimum, and a longer phrase gives a longer, stronger password.

Intrusion Detection Systems

Although some think that an IDS could not have an impact on a network, in reality it can. It is true that the IDS does not have much of an impact on the actual packets as they move about the network; however, this is not the only type of impact the network must manage.

If an IDS is improperly configured, so that it flags traffic not indicative of an intrusion, and the security professionals spend their time investigating attacks that never happened, then the IDS has created a significant problem, not solved one. An IDS that constantly gives off false alarms is a bad thing for the network, as eventually the security team will stop responding, or respond slowly.

Auditing

If a commonly used server has had every single auditing option turned on, the computer is going to suffer a performance hit in logging all that information. If it also happens to be a file server, chances are good that available disk space will be taken up by the log files, again resulting in calls to the help desk.

This can also be a method of hiding an attacker’s tracks. If an attacker gains access to a server and enables every single auditing option, it will be much more work for the administrator to search the log files for the real evidence of the security breach.

22 Tactical Perimeter Defense

Page 65: SCNS - Tactical Perimeter Defense

TASK 1D-1
Describing the Problems of Additional Layers of Security

1. How could adding additional layers of defense cause problems for the users of a network?

Answers may vary, but may include: Improper configuration of a firewall, NAT, or proxy can result in authorized users not being able to access resources they need to access or vice versa; users may not fully understand the modern key management process used in encryption systems, therefore, unless encryption is an integrated feature of the operating system, IP stack, or application, users may be inconvenienced; the user logon and verification process can also inconvenience users if it is too complicated.

2. How could adding additional layers of defense cause problems for the packet flow on the network?

Answers may vary, but could include: Strong encryption can increase the actual network traffic; more CPU cycles are required to generate encrypted traffic and decipher them upon receipt; IDS systems running in a very paranoid mode may create excessive auditing and alerts, sometimes resulting in false alerts.

Topic 1E
Network Auditing Concepts

Auditing entails the recording, maintenance, and protection from unauthorized access, modification, or deletion of detailed access event logs of information technology assets and network systems to ensure compliance with an established security policy. Auditing within a network system’s environment involves much more than the typical recording of system activity.

Security Auditing Basics

It would be useless to put a lock on a door if it was never checked to see if it was still locked or if it was unlocked, when it was unlocked, and by whom. In checking the security of a network, answers to the following questions need to be recorded and logged for use later in case of system compromise:

• What was checked?

• Who did the checking?

• When was it checked?

• How was it checked?

• Were there any findings?

compromise: An intrusion into a computer system where unauthorized disclosure, modification, or destruction of sensitive information may have occurred.

Lesson 1: Network Defense Fundamentals 23


Besides the usual recording of logins, logouts, accessing files, directories and resources, and security violations, additional network security events must be audited on both sides of the network connection. Both sides means any establishing or dropping of network connections with other networks must be logged, as well as any failed network components and any misrouted or lost data while in transit. Auditing should capture the information of the following events:

• All access events with use of identification and authentication mechanisms.

• Any deletion of files, data, or information.

• Modification of directories.

• Movement of large data assets into user’s address space.

• Any security actions or other security-related events.

Each event should contain the following entries in the audit log:

• Date and time of the event.

• Name of user creating the event, as well as event origin.

• Event description and type.

• Name of asset in case of deletion.

• Event success or failure.

Security Audits

Logged records of monitored events are kept on hand for auditing purposes. Although they can be conducted by either internal or external resources, the two typical types of security audits are operational or independent.

Operational Audit

This type of audit is usually done by internal resources to examine the operational and ongoing activities within a network system for compliance with an established security policy.

Independent Audit

An independent audit is usually conducted by external or outside resources and may be a review or audit of detailed audit logs to:

• Examine system activities and access logs.

• Assess the adequacy of security methods and controls.

• Assess compliance with established enterprise network system policies and procedures.

• Assess effectiveness of support, enabling, and core processes.

• Recommend improvements in security processes, methods, and controls.

security violation: An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information contained therein or to the system itself.

audit: The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.

security audit: A search through a computer system for security problems and vulnerabilities.


Whether an audit is done as an operational or independent audit, a thorough search through the system should be conducted to detect any flaws, vulnerabilities, or problems. An IDS can provide network system vulnerabilities, but a security audit should be conducted to find problems within the file systems on the network. Out of this audit should come detailed reports that may give you some clues as to possible existing or future problems. These may include:

• Accounts with no name or expired names of people that have left the company or group.

• New accounts needing validation for authorized users.

• Group accounts needing access control specifics to pinpoint who had access at what time and not just a group name logon.

• Recent changes to file protection or changes in rights to large files.

• Accounts with easily guessed passwords.

• Accounts with expired or no passwords.

• Any other suspicious user activity.

Audit Trails

Network auditing still needs to log the audit trail or history of any network transaction. The requirement for any audit trail is that documentation be kept to record the historical use of the network system. But the primary purpose of a recorded audit trail is to be able to examine the detailed historical record of system use in order to replicate specific event scenarios after a compromise or exploit has occurred. An audit trail is the only way to examine the sequence of events that led up to the system’s compromise or exploitation. Without an audit trail, there would be no way to find out how a compromise or exploit of the system occurred, or when it actually happened.

Handling and Preserving Audit Data

Audit data should be some of the most carefully secured data at the site and in the backups. If an intruder were to gain access to audit logs, the systems themselves would be at risk, in addition to the data.

Audit data may also become key to the investigation, apprehension, and prosecution of the perpetrator of an incident. For this reason, it is advisable to seek the advice of legal counsel when deciding how audit data should be handled. This should happen before an incident occurs.

If a data-handling plan is not adequately defined prior to an incident, it could mean that there is no recourse in the aftermath of an event, and it may create liability resulting from improper treatment of the data.
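As an added example, not part of the course text, the following Python script records the entries the lesson requires for every audited event (date and time, user, origin, description and type, asset, success or failure) and chains an HMAC across the records so that an edited, deleted or reordered record is detected when the log is verified; the key, user names, addresses and events are constructed for illustration, and the key is assumed to live with the log collector rather than on the audited host.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for the example; a real deployment would keep it on the log
# collector, not on the audited host, so an intruder there cannot re-sign records.
CHAIN_KEY = b"constructed-example-chain-key"

# The entries the lesson requires in every audit record.
REQUIRED_FIELDS = ("timestamp", "user", "origin", "event_type",
                   "description", "asset", "success")
GENESIS_TAG = "0" * 64


def make_entry(user, origin, event_type, description, asset=None,
               success=True, when=None):
    """Build one audit record carrying every required entry."""
    when = when or datetime.now(timezone.utc)
    return {
        "timestamp": when.isoformat(),   # date and time of the event
        "user": user,                    # name of the user creating the event
        "origin": origin,                # event origin (host or address)
        "event_type": event_type,        # e.g. logon, delete, dir_modify
        "description": description,      # event description
        "asset": asset,                  # name of the asset, e.g. for a deletion
        "success": bool(success),        # event success or failure
    }


def _canonical(entry):
    """Stable serialisation so the same record always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


def append_entry(log, entry):
    """Append entry to log with tag = HMAC(key, previous tag || record)."""
    missing = [f for f in REQUIRED_FIELDS if f not in entry]
    if missing:
        raise ValueError(f"audit entry missing required fields: {missing}")
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    msg = (prev_tag + _canonical(entry)).encode()
    tag = hmac.new(CHAIN_KEY, msg, hashlib.sha256).hexdigest()
    log.append({"entry": entry, "prev": prev_tag, "tag": tag})
    return tag


def verify_chain(log):
    """Return (True, None) if intact, else (False, index of first bad record).

    Editing a record changes its tag; deleting or reordering one breaks the
    prev link of the record that follows it.
    """
    prev_tag = GENESIS_TAG
    for i, rec in enumerate(log):
        msg = (prev_tag + _canonical(rec["entry"])).encode()
        expected = hmac.new(CHAIN_KEY, msg, hashlib.sha256).hexdigest()
        if rec["prev"] != prev_tag or not hmac.compare_digest(rec["tag"], expected):
            return False, i
        prev_tag = rec["tag"]
    return True, None


def build_sample_log():
    """Constructed sequence of events on a file server (not real data)."""
    t0 = datetime(2007, 6, 27, 9, 0, 0, tzinfo=timezone.utc)
    log = []
    append_entry(log, make_entry("alice", "10.10.10.10", "logon",
                                 "interactive logon", when=t0))
    append_entry(log, make_entry("alice", "10.10.10.10", "delete",
                                 "file deleted", asset="\\\\files\\q2\\plan.doc",
                                 when=t0.replace(minute=5)))
    append_entry(log, make_entry("bob", "172.16.31.200", "logon",
                                 "interactive logon", success=False,
                                 when=t0.replace(minute=7)))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    log[1]["entry"]["success"] = False      # someone edits the deletion record
    print("after edit:", verify_chain(log))
```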

Legal Considerations

Due to the content of audit data, there are a number of legal questions that arise which might need to be addressed by your legal counsel. If you collect and save audit data, you need to be prepared for consequences resulting both from its content as well as its existence.

audit trail: In computer security systems, a chronological record of system resource usage. This includes user login, file access, other various activities, and whether any actual or attempted security violations occurred.

perpetrator: The entity from the external environment that is taken to be the cause of a risk. An entity in the external environment that performs an attack, i.e. hacker.


One area concerns the privacy of individuals. In certain instances, audit data may contain personal information. Searching through the data, even for a routine check of the system’s security, could represent an invasion of privacy.

A second area of concern involves knowledge of intrusive behavior originating from your site. If an organization keeps audit data, is it responsible for examining it to search for incidents? If a host in one organization is used as a launching point for an attack against another organization, can the second organization use the audit data of the first organization to prove negligence on the part of that organization?

These examples are not meant to be comprehensive, but should motivate your organization to consider the legal issues involved with audit data.

TASK 1E-1
Describing Network Auditing

1. What are the benefits of auditing network traffic?

Logs of audited network traffic can be used to examine a detailed historical record of network and system use in order to reconstruct specific event scenarios after a compromise or exploit has occurred.

2. What is a possible drawback to network auditing?

If an intruder were to gain access to audit logs, the systems themselves would be at risk, in addition to the data.

3. Why is the handling and storage of audit data so critical?

Audit data may contain personal information. Searching through the data, even for a routine check of the system’s security, could represent an invasion of privacy.

Apart from that, the very knowledge of intrusive behavior originating from your site raises the question of responsibility with regard to reporting the incident to a third party or maybe even an authority such as the FBI.

Summary

In this lesson, you walked through the process of creating a layered defense. You are able to identify why the layered defense is important and the technologies used to create one. You also examined the concepts of network auditing, including handling of data and types of audits. You have defined the five keys of network defense, described the objectives of access control methods, and identified the impact of defense on the network.


Lesson Review

1A What do authentication and availability create in the network?

Authentication and availability in a network create system assurance.

Describe the differences between one-, two-, and three-factor authentication.

One-factor authentication provides “what you know,” such as a password or PIN. Two-factor authentication is providing “what you have,” like a smart card or a token in addition to “what you know.” The third factor which provides strong authentication is proving a user’s identity, or “who you are,” by using biometrics. Biometrics uses a physiological characteristic to identify you, such as a fingerprint, retina scan, hand geometry, voice recognition, iris scan, or behavioral characteristics such as keystroke recognition or signature recognition.

Is it possible to have data confidentiality without having data integrity?

No, however, it is possible to have data integrity without data confidentiality.

What is the difference between a passive threat and an active threat?

Simply put, in a passive threat, data is viewed, but in an active threat, data is modified.

1B What are the primary technologies used to create a layered defense?

• A security policy implemented at various layers of the network.

• Perimeter defenses, such as routers, firewalls, NAT, and proxies.

• Intrusion Detection Systems (IDS) can be put in place to monitor network traffic or hosts.

• Authentication has to be regularized using one-, two-, or three-factor authentication methods depending upon the requirement (machine-specific authentication may be required in some cases).

• File System Security should be in place once a user is logged in, to allow or deny access to resources.

• Physical access/security to the network or individual machines should be addressed.

What could be the result of skipping a layer of defense?

• Security policy: Unstructured defense.

• Perimeter defense: Intruders will come in.

• IDS: You won’t know that intruders have come in.

• Authentication: Anyone can log in to your network.

• File System Security: Anyone who has access to a machine can access everything on that machine.

• Physical security: Anyone can access any machine.


1C Name and describe the two methods of Access Control.

• Mandatory Access Control, where subjects and objects are Classified, Secret, or Top Secret.

• Discretionary Access Control, where a user’s identity is used in first determining certain user rights into the system, and then at each resource to see if the user has Create, Read, Update, or Delete (CRUD) privileges.

Describe the process of authentication.

Authentication is the process of determining the identity of a user who is attempting to access a system. A user provides the requested information to an authentication verification authority. The authentication verification authority uses this information, or a derivative of it, against a pre-configured database. If the values match, the user is issued appropriate credentials to access the system. The user then presents these credentials to access resources.

What are software tokens, and how can an organization benefit by using them?

A software token is an authentication technique using a portable device, such as a Palm Pilot or Palm PC. Since the token is generated via software, an organization does not have to be tied down to a particular hardware token generator. When circumstances change and they have to upgrade the strength of the token, for example, they just need to upgrade the software in the portable device rather than recall and reissue hardware devices.

1D How could a firewall have a negative impact on network performance?

A firewall can have a negative impact on the network by blocking access to resources that should be accessible. It is possible that, because of improper configuration of a firewall, entire portions of a network become unavailable. Additionally, if an ordinary PC has been configured to be the firewall (a multihomed computer) it may not have the internal speed to perform all the functions of a firewall fast enough, resulting in latency.

How can encryption affect network performance?

If the data packets are encrypted, the information that must be transmitted is larger, and therefore more bandwidth will be consumed.

How can encryption affect individual hosts?

The devices that perform encryption and decryption have more work to do in running the algorithms that perform the task.

1E What are two of the events that can be captured with auditing?

Answers may include the following: All access events with use of identification and authentication mechanisms; any deletion of files, data, or information; modification of directories; movement of large data assets into user’s address space; any security actions or other security-related events.


What are two of the entries that should be captured in an event?

Answers may include the following: Date and time of the event; name of user creating the event as well as event origin; event description and type; name of asset in case of deletion; event successful or failed.

What are the two typical types of security audits?

Operational and independent.


Advanced TCP/IP

Overview

There is one primary set of protocols that runs networks and the Internet today. In this lesson, you will work with those protocols: the Transmission Control Protocol (TCP) and the Internet Protocol (IP). In order to manage the security of a network, you must become familiar with the details of how TCP/IP functions, including core concepts, such as addressing and subnetting, and advanced concepts, such as session establishment and packet analysis.

Objectives

To better understand advanced TCP/IP concepts, you will:

2A Define the core concepts of TCP/IP.

Given a machine running TCP/IP, you will define the core concepts of TCP/IP, including the layering models, RFCs, addressing and subnetting, VLSM and CIDR, and the TCP/IP suite.

2B Analyze sessions of TCP.

Given a Windows Server 2003 computer, you will examine control flags, sequence numbers, and acknowledgement numbers, and you will use Network Monitor to view and analyze all of the fields of the three-way handshake and session teardowns.

2C Analyze IP.

Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of IP.

2D Analyze ICMP.

Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of ICMP.

2E Analyze TCP.

Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of TCP.

2F Analyze UDP.

Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of UDP.

Data Files: tftp.cap, fragment.cap, ping.txt, ping.cap, ftp.txt, ftp.cap, WinPcap, Wireshark

Lesson Time: 6 hours

LESSON 2


2G Analyze fragmentation.

Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze network traffic fragmentation.

2H Complete a full session analysis.

Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze a complete FTP session, frame by frame.


Topic 2A
TCP/IP Concepts

In order for two hosts to communicate, there must first be an agreed-upon method of communication for both hosts to use. The protocol that the Internet was built on, and the protocol that all hosts on the Internet use is TCP/IP, or Transmission Control Protocol/Internet Protocol. Because the two hosts agree on the protocol they will use, we can go right into the details of the protocol itself.

The TCP/IP Model

In order for data to move from one host to another, it must be transmitted and received. There are several ways this could happen, in theory.

• The data file could be sent as a whole file, intact, from one host to another.

• The data file could be split in half and sent, sending and receiving two equal sized pieces.

• The data file could be split into many smaller pieces, all sent and received in a specific sequence.

It is this last method that is actually used. For example, if a user is at a host and wants to view a web page on a different host, the request and subsequent response will take many small steps to complete. In Figure 2-1, you can see the four layers of the TCP/IP Model, along with the browser’s request for a web page going to the web server.

Figure 2-1: A web request moving along the TCP/IP Model.

The four layers of the TCP/IP Model are:

• The Application Layer

• The Transport Layer

• The Internet Layer (also called the Network Layer)

• The Network Access Layer (also called the Link Layer)

Many of the concepts in this topic were covered in the prerequisite courses, but are provided here for review.

host: A single computer or workstation; it can be connected to a network.

server: A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.


The reason that there are alternate names for these layers is that the industry has never agreed on a single standard for their names. Each of these layers is detailed as follows:

• The Application Layer is the highest layer in the model, and communicates with the software that requires the network. In our example, the software is the web page request from a browser.

• The Transport Layer is where the reliability of the communication is dealt with. There are two protocols that work at this layer, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). An immediate difference between the two is that TCP does provide for reliable delivery of data, whereas UDP provides no such guarantee.

• The Internet Layer (or Network Layer) provides the mechanism required to address and move the data from one host to the other. The primary protocol you will examine at this layer is IP (Internet Protocol).

• The Network Access Layer (or Link Layer) is where the data communication interacts with the physical medium of the network. This is the layer that does the actual sending and receiving of the data.

As you saw in Figure 2-1, as the web page request was initiated on the host, it moved down the layers, was transmitted across the network, and moved up the layers on the web server. These are the layers on which all network communication using TCP/IP is based. There is a different set of layers, however, called the OSI Model.

The OSI Model

The TCP/IP Model works well for TCP/IP communications, but there are many protocols and methods of communication other than TCP/IP. A standard was needed to encompass all of the communication protocols. The standard developed by the International Organization for Standardization (ISO) is called the OSI Model.

The Open Systems Interconnect (OSI) Model has seven layers, compared to the four layers of the TCP/IP Model. The seven layers of the OSI Model are:

• The Application Layer

• The Presentation Layer

• The Session Layer

• The Transport Layer

• The Network Layer

• The Data Link Layer

• The Physical Layer

network: Two or more machines interconnected for communications.

OSI: (Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.


The names of these layers are fixed, as this is an agreed-upon standard. The details of each layer are as follows:

• The Application Layer is the highest layer of the OSI Model, and deals with interaction between the software and the network.

• The Presentation Layer is responsible for data services such as data compression and data encryption/decryption.

• The Session Layer is responsible for establishing, managing (such as packet size), and ending a session between two hosts.

• The Transport Layer is responsible for error control and data recovery between two hosts. Both TCP and UDP work at this layer.

• The Network Layer is responsible for logical addressing, routing, and forwarding of datagrams. IP works at this layer.

• The Data Link Layer is responsible for packaging data frames for transmission on the physical medium. Error control is added at this layer, often in the form of a Cyclic Redundancy Check (CRC). This layer is subdivided into the LLC (Logical Link Control) and MAC (Media Access Control) sublayers. The MAC sublayer is associated with the physical address of the network device and the LLC sublayer makes the association between this physical address (such as the 48-bit MAC address if using Ethernet) and the logical address (such as the 32-bit IP address if using IP) at the Network Layer.

• The Physical Layer is responsible for the actual transmission and receipt of the data bit stream on the physical medium.

The OSI Model and the TCP/IP Model do fit together. In Figure 2-2, you can see that the two primary layers of concern in the TCP/IP Model (the Transport and Internet Layers) match directly with the Transport and Network Layers of the OSI Model, while the other two TCP/IP Model layers encompass two or more layers of the OSI Model.

Figure 2-2: A comparison of the OSI and TCP/IP Models.

As the data from one host flows down the layers of the model, each layer attaches a small piece of information relevant to that layer. This attachment is called the header. For example, the Network Layer header will identify the logical addresses (such as IP addresses) used for this transmission. This process of adding a header at each layer is called encapsulating. Figure 2-3 shows a visual representation of the header and the encapsulation process.

packet: A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.


Figure 2-3: Headers and the encapsulation process as data moves down the stack.

When the second host receives the data, and as the data moves up the layers, each header will let the host know how to handle this piece of data. After all the headers have been removed, the receiving host is left with the data as it was sent.

RFCs

With all the standards defined in the previous section, you may be asking where to go to find the standards. The answer is to the RFCs. A Request For Comments (RFC) is the industry location for standards relating to TCP/IP and the Internet. RFCs are freely available documents to read and study, and if you ever want to go directly to the source, be sure to use the RFC.

Although you will find RFCs listed all over the Internet, to view them all online go to: www.rfc-editor.org. This is the website with a searchable index of all RFCs. There are several RFCs you should be familiar with, and that you should know by name to look up. This way you will not have to search hundreds of responses to find what you need. The RFCs you should know are:

• The Internet Protocol (IP): RFC 791.

• The Internet Control Messaging Protocol (ICMP): RFC 792.

• The Transmission Control Protocol (TCP): RFC 793.

• The User Datagram Protocol (UDP): RFC 768.

The Function of IP

The Internet Protocol (which works at the Network layer of both the OSI and the TCP/IP models), by definition, has a simple function. IP identifies the current host—via an address—and using addressing, moves a packet of information from one host to another. Each host on the network has a unique IP address, and each packet the host sends will contain its own IP address and the IP address to which the packet is destined.

The packets are then directed, or routed, across the network, using the destination address, until they reach their final destination. The receiving host can read the IP address of the sender and send a response, if required.


Although it sounds straightforward, and does work, there are drawbacks. For instance, when packets are sent from one host to another, they may be received out of order. IP has no mechanism for dealing with that problem. Also, packets can get lost or corrupted during transmission, again a problem IP does not manage. These problems are left to an upper protocol to manage. Often that protocol will be TCP, as you will see in the following topic.

Binary, Decimal, and Hexadecimal Conversions

Even though you may be familiar with the concept of binary math, you may wish to review this section briefly. In binary, each bit has the ability to be either a 1 or a 0. In computers, these bits are stored in groups of 8. Since each bit can be either a 1 or a 0, each location is designated a power of 2. A byte, therefore, has binary values from 2^0 through 2^7. In Figure 2-4, you can see the value of each of the 8 bits in a byte.

When the bits are presented as a byte, the value of each of the 8 locations is added to present you with the decimal equivalent. For example, if all 8 bits were 1s, such as 11111111, then the decimal value would be 255 or 128+64+32+16+8+4+2+1. Here are a few other quick binary to decimal conversions:

Binary 11000000 is decimal 192 or 128+64+0+0+0+0+0+0

Binary 10000000 is decimal 128 or 128+0+0+0+0+0+0+0

Binary 10000010 is decimal 130 or 128+0+0+0+0+0+2+0

Binary 01011010 is decimal 90 or 0+64+0+16+8+0+2+0

The IP addresses that are either manually or dynamically assigned to a host are 32-bit fields, often shown as four decimal values for ease of reading. For example, a common address would be 192.168.10.1. Each number is an 8-bit binary value, or an octet. In this example, the first octet is 192, the second 168, the third 10, and the fourth 1.

Even though the fourth octet is given a decimal value of 1, it is still given an 8-bit value in IP addressing. Each bit of the 32-bit address must be represented, so the computer sees a decimal 1 in an IP address as 00000001. Keeping this in mind, the full decimal IP address of 192.168.10.1 is seen by the computer as the binary IP address 11000000.10101000.00001010.00000001.

In tools that are designed to capture and analyze network traffic, the IP address is often represented in its hexadecimal (Hex) format. The ability to view and recognize addressing in Hex format is a useful skill to have when you are working with TCP/IP. In hexadecimal format, the IP address 192.168.10.1 is C0-A8-0A-01. The following is a quick summary on Hex conversions.


To convert the decimal address 192.168.10.1 to hexadecimal, convert each of its octets, then combine the results, as follows:

1. Divide 192 by 16. The result is 12, with a remainder of 0. Because decimal 12 is the same as Hex C and decimal 0 is the same as Hex 0, decimal 192 is equal to Hex C0.

2. Divide 168 by 16. The result is 10, with a remainder of 8. Because decimal 10 is the same as Hex A and decimal 8 is the same as Hex 8, decimal 168 is equal to Hex A8.

3. Decimal 10 is the same as Hex A.

4. Decimal 1 is the same as Hex 1.

5. Combining the results of each conversion shows that decimal 192.168.10.1 is equal to Hex C0A80A01.

Another way to derive this result is to first convert from decimal to binary, then convert binary to hexadecimal four bits at a time, and finally, combine the results, as shown here:

1. Decimal 192 is the same as binary 11000000.

2. Decimal 168 is the same as binary 10101000.

3. Decimal 10 is the same as binary 00001010.

4. Decimal 1 is the same as binary 00000001.

5. Binary 1100 (the first four bits of the first octet) is the same as Hex C.

6. Binary 0000 is the same as Hex 0.

7. Binary 1010 is the same as Hex A.

8. Binary 1000 is the same as Hex 8.

9. Binary 0000 is the same as Hex 0.

10. Binary 1010 is the same as Hex A.

11. Binary 0000 is the same as Hex 0.

12. Binary 0001 is the same as Hex 1.

13. Combining the Hex equivalents shows that decimal 192.168.10.1 is equal to Hex C0A80A01.

IP Address Classes

There are five defined classes of IP addresses: Class A, Class B, Class C, Class D, and Class E. The details of each class are as follows:

• Class A IP addresses use the first 8 bits of an IP address to define the network, and the remaining 24 bits to define the host. This means there can be more than 16 million hosts in each Class A network (2^24 – 2, because all 1s and all 0s cannot be used as host addresses). All Class A IP addresses will have a first octet of 0xxxxxxx in binary format. 10.10.10.10 is an example of a Class A IP address.

• Class B IP addresses use the first 16 bits to define the network, and the remaining 16 bits to define the host. This means there can be more than 65,000 hosts in each Class B network (2^16 – 2). All Class B IP addresses will have a first octet of 10xxxxxx in binary format. 172.16.31.200 is an example of a Class B IP address.

• Class C IP addresses use the first 24 bits to define the network, and the remaining 8 bits to define the host. This means there can be only 254 hosts in each Class C network (2^8 − 2). All Class C IP addresses will have a first octet of 110xxxxx in binary format. 192.168.10.1 is an example of a Class C IP address.

• Class D IP addressing is not used for hosts, but is often used for multicasting (which will be discussed later), where there is more than one recipient. The first-octet binary value of a Class D IP address is 1110xxxx. 224.0.0.9 is an example of a Class D IP address.

• Class E IP addressing is used for experimental functions and for future use. It does have a defined first-octet binary value as well. All Class E IP addresses have a first octet binary value of 11110xxx. 241.1.2.3 is an example of a Class E IP address.

Figure 2-4: IP address classes and their first-octet values.

Private IP Addresses and Special-function IP Addresses

There are several ranges of IP addresses that are not used on the Internet. These addresses are known as private, or reserved, IP addresses. Defined in RFC 1918, any host on any network can use these addresses, but these addresses are not meant to be used on the Internet, and most routers will not forward them. By using these reserved IP addresses, organizations do not have to be as concerned with address conflicts. The defined private addresses for the three main address classes (A, B, and C) are:

• Class A: 10.0.0.0 to 10.255.255.255

• Class B: 172.16.0.0 to 172.31.255.255

• Class C: 192.168.0.0 to 192.168.255.255

In addition to the private address ranges listed, there are a few other address ranges that have other functions. The first is the range of 127.0.0.0 to 127.255.255.255. This address range is used for diagnostic purposes, with the common address of 127.0.0.1 used to identify IP on the host itself. The second range is 169.254.0.0 to 169.254.255.255. This address range is used by Microsoft to allocate addresses to hosts, for Automatic Private IP Addressing (APIPA).

Lesson 2: Advanced TCP/IP 39

Page 82: SCNS - Tactical Perimeter Defense

The Subnet Mask

Along with an IP address, each host that uses TCP/IP has a subnet mask. The subnet mask is used during a process called ANDing to determine the network to which the host belongs. The way the mask identifies the network is by the number of bits allocated, or masked, for the network. A bit that is masked is identified with a binary value of 1.

By default, a Class A IP address has 8 bits masked to identify the network, a Class B IP address has 16 bits masked to identify the network, and a Class C IP address has 24 bits masked to identify the network. These default subnet masks use contiguous bits to create the full mask. The following table shows the default subnet masks for the three classes, first in binary, then in the more traditional dotted decimal format.

Default Subnet Masks

Class    Binary Format                          Dotted Decimal Format
A        11111111.00000000.00000000.00000000    255.0.0.0
B        11111111.11111111.00000000.00000000    255.255.0.0
C        11111111.11111111.11111111.00000000    255.255.255.0

The subnet mask can be represented in different formats. For example, one common format is to list the IP address followed by the full subnet mask, such as this: 192.168.10.1 255.255.255.0. Another option, and one that is easier to write, is to count and record the number of bits that are used as 1s in the subnet mask. For example, in the default subnet mask for Class C, there are 24 bits designated as 1. So, to use the second format, list the IP address followed by a slash and the number of bits masked, such as this: 192.168.10.1/24.

Subnetting Example

In the event that you need to split a network into more than one range, such as having different buildings or floors, you will need to subdivide the network. The following example will step you through the process of splitting a network and creating the subnet mask necessary to support the resulting subnetworks.

Let’s say you have been assigned the 10.0.0.0 network with the 255.0.0.0 subnet mask, and need to break this up into 12 network ranges to support, for example, the 12 major departments in your corporate building. Here’s what you should do:

1. Determine how many bits, in binary, it takes to make up the number of subnetworks you need to create. In binary, 12 is 1100, so you will need 4 bits.

2. Take 4 bits from the host side of the subnet mask and AND them to the network side, effectively changing your subnet mask from 255.0.0.0 to 255.240.0.0.

• As you know, the subnet mask tells you where the dividing line between network and host bits resides. You started with a network ID of 10.0.0.0 and subnet mask of 255.0.0.0, which in binary looks like this:

00001010.00000000.00000000.00000000 (IP address for network)

11111111.00000000.00000000.00000000 (subnet mask)

• Your dividing line is at the end of the first octet (eight bits starting from the left). You have one big network with a network ID of 10.0.0.0, a range of usable addresses from 10.0.0.1 to 10.255.255.254, and a broadcast address of 10.255.255.255.

• The new, divided network looks like this:

00001010.0000 0000.00000000.00000000 (IP address for network)

11111111.1111 0000.00000000.00000000 (subnet mask)

• Notice that the network/host dividing line is now in the middle of the second octet. All of your networks will have binary addresses that will look like this: 00001010.xxxx yyyy.yyyyyyyy.yyyyyyyy, where x represents one of the variable bits used to create your subnetworks and y represents a bit on the host side of the address.

3. Determine the subnetwork addresses by changing the value of the x bits. The first possible permutation is the 00001010.0000 network; the second is the 00001010.0001 network, and so forth. The following table lists all of the possible subnetwork addresses (notice the pattern?).

Subnetwork    Binary Address                          Decimal Address
First         00001010.0000 0000.00000000.00000000    10.0.0.0
Second        00001010.0001 0000.00000000.00000000    10.16.0.0
Third         00001010.0010 0000.00000000.00000000    10.32.0.0
Fourth        00001010.0011 0000.00000000.00000000    10.48.0.0
Fifth         00001010.0100 0000.00000000.00000000    10.64.0.0
Sixth         00001010.0101 0000.00000000.00000000    10.80.0.0
Seventh       00001010.0110 0000.00000000.00000000    10.96.0.0
Eighth        00001010.0111 0000.00000000.00000000    10.112.0.0
Ninth         00001010.1000 0000.00000000.00000000    10.128.0.0
Tenth         00001010.1001 0000.00000000.00000000    10.144.0.0
Eleventh      00001010.1010 0000.00000000.00000000    10.160.0.0
Twelfth       00001010.1011 0000.00000000.00000000    10.176.0.0
Thirteenth    00001010.1100 0000.00000000.00000000    10.192.0.0
Fourteenth    00001010.1101 0000.00000000.00000000    10.208.0.0
Fifteenth     00001010.1110 0000.00000000.00000000    10.224.0.0
Sixteenth     00001010.1111 0000.00000000.00000000    10.240.0.0

For the first network, the network ID is 10.0.0.0 with a subnet mask of 255.240.0.0. The first usable address is 10.0.0.1, and the last usable address is 10.15.255.254. The broadcast address is 10.15.255.255 (the next possible IP address would be 10.16.0.0, which is the network ID of the second network). The second network has an ID of 10.16.0.0, a usable range of 10.16.0.1 to 10.16.255.254, and a broadcast address of 10.16.255.255.

Notice that you needed only 12 networks, but you have 16. That can happen, depending on the number of networks needed. For example, if you had needed 20 networks, you would have needed to move the network/host dividing line over 5 bits to the right (20 in binary is 10100, so 5 bits must be used). In that case, you would have had a subnet mask of 255.248.0.0 (instead of the 255.240.0.0 that you used for the first example), which would have given you 32 subnetworks, even though you needed only 20. Consider it room for corporate growth!


Note that any combination of addressing can be represented in different text. For example, you may come across a resource that defines the IP address in decimal, and the subnet mask in hexadecimal. You must be able to quickly recognize the addressing as defined. Use the following task to test your ability to quickly perform these conversions.

TASK 2A-1
Layering and Address Conversions

1. Describe how layering is beneficial to the function of networking.

By using a layered model, network communications can be broken into smaller chunks. These smaller chunks can each have a specific purpose, or function, and in the event an error happens in one chunk, it is possible that only that error be addressed, instead of starting over from scratch.

2. If you have an IP address of 192.168.10.1 and a subnet mask of FF-FF-00-00, to which IP network does your computer belong? Provide both decimal and Hex notations.

In decimal, the network address is 192.168.0.0; in Hex, the network address is C0-A8-00-00.

3. If you have an IP address of C0-A8-0A-01 and a subnet mask of /16, to which IP network does your computer belong? Provide both decimal and Hex notations.

In decimal, the network address is 192.168.0.0; in Hex, the network address is C0-A8-00-00.

Routing

You will get into routing in more detail later, but at this stage, you will address the basics. Being familiar with a network and how one host will communicate with another host within the same network, what do you think will happen if a host needs to send information to a host that is not in its network?

This is exactly the situation where routing is needed. You need to route that information from your network to the receiving host’s network. Of course, the device that makes this possible is the router. The first router you will encounter on your way out of your network is the default gateway. This is the device that your computer will send all traffic to, once it determines that the destination host is not local (on the same network as itself). After the default gateway gets a packet of information destined for host User1 on network X, it looks at its routing table (think of this as a sort of directory—telling the router that traffic destined for networks C, G, F, and X should go out interface 1, traffic destined for networks E, A, B, and R should go out interface 2, and so forth), then the router forwards the packet out through interface 1. The destination network may or may not be attached to interface 1—the router doesn’t really care at this point—it just forwards the packet on according to the information in its routing table. This process repeats from one router to the next until the packet finally reaches the router that is attached to the same network as the destination host. When the packet reaches this router, which is usually also the destination host’s default gateway, it is sent out on the network as a unicast directed to the destination host User1.

router: An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the Network Layer.

VLSM and CIDR

The standard methods of subnet masking discussed earlier are effective; however, there are instances where further subdividing is required, or more control of the addressing of the network is desired. In these cases, you can use either of the following two options: Variable Length Subnet Masking (VLSM) or Classless Interdomain Routing (CIDR).

Think back to the previous example of subnet masking. In particular, let’s take a closer look at the fourth network. It was intended to be used by the IT staff; however, they want to break the rather large network block given to them into smaller, more manageable blocks. Specifically, they need five smaller subnetworks to be created from their network block of 10.48.0.0 with a subnet mask of 255.240.0.0.

This time, let’s represent the IP addresses and subnet masks using the slash method: 10.48.0.0/12. Notice the IP address stays the same, but we replace the subnet mask with /12 to tell others that the subnet mask has 12 1s in it (which, of course, corresponds to 255.240.0.0).

Now, back to the IT staff’s networking issue. You have an already subnetted network (10.48.0.0/12) that you would like to split into five smaller networks. To begin, you need to ask the same starting question: How many bits does it take to make 5? In binary, 5 is 101, so you will need three bits. Then, add three bits to the present subnet mask (don’t worry that it has already been subnetted before—that doesn’t matter). So, now you have 10.48.0.0/15 as your first network address and new subnet mask.

The new variable range is 00001010.0011xxx y.yyyyyyyy.yyyyyyyy, where the binary numbers will not change, x represents the variable bits that will make up the networks, and y designates the host bits.

So, what are the new network addresses?

Subnetwork    Binary Address                          Decimal Address
First         00001010.0011000 0.00000000.00000000    10.48.0.0
Second        00001010.0011001 0.00000000.00000000    10.50.0.0
Third         00001010.0011010 0.00000000.00000000    10.52.0.0
Fourth        00001010.0011011 0.00000000.00000000    10.54.0.0
Fifth         00001010.0011100 0.00000000.00000000    10.56.0.0
Sixth         00001010.0011101 0.00000000.00000000    10.58.0.0
Seventh       00001010.0011110 0.00000000.00000000    10.60.0.0
Eighth        00001010.0011111 0.00000000.00000000    10.62.0.0


For the first network, the network ID is 10.48.0.0, the usable addresses are 10.48.0.1 to 10.49.255.254, and the broadcast address is 10.49.255.255; for the second, the network ID is 10.50.0.0, the usable addresses are 10.50.0.1 to 10.51.255.254, and the broadcast address is 10.51.255.255, and so forth. Did you notice that you have eight possible networks when you needed only five? Again, you can consider it just having more room for expansion.
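The following Python script is an added example, not part of the course text. It gathers the conversions from the start of this section (decimal, binary and Hex), the first-octet class rules, the ANDing step from Task 2A-1 with masks written in any of the three notations the lesson uses, the local-or-remote decision a host makes before sending to its default gateway, and the two subnetting exercises (10.0.0.0/8 into 12 networks, 10.48.0.0/12 into 5) into reusable functions built on the standard library's ipaddress module. It generalizes the lesson's bit-counting rule to the exact minimum number of borrowed bits, which agrees with the lesson's results for 12, 20 and 5 networks.

```python
import ipaddress


def ip_to_hex(addr, sep=""):
    """Dotted decimal to two hex digits per octet: 192.168.10.1 -> C0A80A01 (C0-A8-0A-01 with sep="-")."""
    return sep.join(f"{int(octet):02X}" for octet in addr.split("."))


def ip_to_binary(addr):
    """Dotted decimal to dotted binary, the intermediate form used in the lesson's tables."""
    return ".".join(f"{int(octet):08b}" for octet in addr.split("."))


def address_class(addr):
    """Classful lookup from the leading bits of the first octet: 0, 10, 110, 1110, 11110."""
    first = int(addr.split(".")[0])
    if first & 0x80 == 0:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"
    return "E"


def parse_mask(mask):
    """Accept the three notations the lesson uses (255.255.0.0, FF-FF-00-00, /16); return a 32-bit int."""
    mask = mask.strip()
    if mask.startswith("/"):
        bits = int(mask[1:])
        if not 0 <= bits <= 32:
            raise ValueError(f"prefix length out of range: {mask}")
        return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    if "-" in mask:
        return int(mask.replace("-", ""), 16)
    return int(ipaddress.IPv4Address(mask))


def prefix_to_mask(prefix):
    """Slash count back to dotted decimal: 12 -> 255.240.0.0."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def network_address(addr, mask):
    """The ANDing step: host address AND mask = network address. Returns (dotted decimal, Hex with dashes)."""
    net = int(ipaddress.IPv4Address(addr)) & parse_mask(mask)
    dotted = str(ipaddress.IPv4Address(net))
    return dotted, ip_to_hex(dotted, sep="-")


def needs_router(src, mask, dst):
    """A host hands traffic to its default gateway when the destination ANDs to a different network."""
    return network_address(src, mask)[0] != network_address(dst, mask)[0]


def bits_needed(count):
    """Host bits to borrow for `count` subnets. The lesson counts the binary digits of count
    (12 -> 1100 -> 4 bits); (count - 1).bit_length() gives the same answer for 12, 20 and 5
    and does not waste a bit when count is an exact power of two (16 networks need 4 bits)."""
    if count < 1:
        raise ValueError("need at least one subnet")
    return (count - 1).bit_length()


def split_network(cidr, count):
    """Borrow host bits from `cidr` for `count` subnets. Returns the new prefix length and,
    per subnet, (network ID, first usable, last usable, broadcast), like the lesson's tables."""
    parent = ipaddress.IPv4Network(cidr)
    new_prefix = parent.prefixlen + bits_needed(count)
    if new_prefix > 30:
        raise ValueError("not enough host bits left for usable addresses")
    rows = []
    for subnet in parent.subnets(new_prefix=new_prefix):
        rows.append((str(subnet.network_address), str(subnet.network_address + 1),
                     str(subnet.broadcast_address - 1), str(subnet.broadcast_address)))
    return new_prefix, rows


if __name__ == "__main__":
    print(ip_to_hex("192.168.10.1"), ip_to_binary("192.168.10.1"), address_class("192.168.10.1"))
    print("Task 2A-1 Q2:", network_address("192.168.10.1", "FF-FF-00-00"))
    for cidr, count in (("10.0.0.0/8", 12), ("10.48.0.0/12", 5)):
        prefix, rows = split_network(cidr, count)
        print(f"{cidr} into {count} networks -> /{prefix} ({prefix_to_mask(prefix)}), {len(rows)} subnets")
        for row in rows:
            print("  network %-12s usable %s to %-16s broadcast %s" % row)
```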

X-casting

When a packet is sent from one host to another, the process of routing functions and the packet is sent as defined. However, the process is different if one host is trying to reach more than one destination, or if one message is to be received by every other host in the network. These types of communication are referred to as broadcasting, multicasting, and unicasting.

• Unicast is a term that was created after multicasting and broadcasting were already defined. A unicast is a directed communication between a single transmitter and a single receiver. This is how most communication between two hosts happens, with Host A specifically communicating with Host B.

• A broadcast is a communication that is sent out from a single transmitting host and is destined for all possible receivers on a segment (generally, everyone in the network, since the routers that direct traffic from one network to another are generally used to stop broadcasts, thereby creating broadcast domain boundaries). Broadcasting can be done for many reasons, such as locating another host. For a MAC broadcast, the broadcast address used is FF:FF:FF:FF:FF:FF. For an IP broadcast, the address used is based on the network settings. For example, if you are on network 192.168.10.0/24, the broadcast address is 192.168.10.255.

• A multicast is a communication that is sent out to a group of receivers on the network. Multicasting is often implemented as a means for directing traffic from the presenter of a video conference to the audience. In comparison to the broadcast, which all receivers on the segment will receive, those who wish to receive a multicast must join a group to do so. Group membership is often very dynamic and controlled by a user or an application. Currently, Class D addresses are used for multicasting purposes. Remember, Class D has IP addresses in the range of 224.0.0.0 to 239.255.255.255.

TASK 2A-2
Routers and Subnetting

1. You are using a host that has an IP address of 192.168.10.23 and a subnet mask of 255.255.255.0. You are trying to reach a host with the IP address 192.168.11.23. Will you need to go through a router? Explain your response.

Yes, you will need to go through a router. Your subnet mask defines you as belonging to network 192.168.10.0, and the remote host you are trying to reach does not belong to your network.

2. Boot your computer to Windows Server 2003, and log on as Administrator, with a blank (null) password.


3. Choose Start→Settings→Network Connections. Right-click the network interface and choose Properties.

4. Select Internet Protocol (TCP/IP) and click Properties.

5. Click the Advanced button, and verify that the IP Settings tab is displayed.

Under Default Gateways, record the IP address here:

For the LEFT side of the classroom, the Default Gateway is 172.16.0.1. For the RIGHT side, it is 172.18.0.1.

6. Select the Default Gateway IP address you just recorded, and click Remove. Click OK twice and click Close twice.

7. Open a command prompt and ping an address that is not on your local network. For instance, if you are on the LEFT side of the classroom, you could ping an address in the 172.18.10.0 network, and if you are on the RIGHT side of the classroom, you could ping an address in the 172.16.10.0 network.

8. Observe the message you receive. The text “Destination Host unreachable” is displayed. Your computer knows that the ping packet is supposed to go to a computer that is outside your local network, but it does not know how to get it there.

9. Switch to the Network Connections Control Panel and display the properties of the network interface.

10. Select Internet Protocol (TCP/IP), click Properties, and then click Advanced. On the IP Settings tab, click the Add button found in the Default Gateway area.

11. In the TCP/IP Gateway Address box, enter the IP address you recorded earlier in the task and click Add. Click OK twice and click Close twice.

12. Switch back to the command prompt and try to ping the remote address again.

13. Observe the message you receive. This time, as long as the other computer’s default gateway is correctly configured, you should be successful in pinging the remote computer. This is because your computer now knows to send traffic to the router if that traffic is destined for another network. (How the routers know where to send the traffic is covered later in the course.) Contact your instructor if your ping attempt is not successful.

14. Close all open windows.

Be prepared to diagram or otherwise explain the classroom setup.

The recommended classroom layout is shown in the figure in the setup.

Students must be able to ping all computers within the classroom for the remaining tasks to work properly. If any students are not successful in the second ping attempt, help them troubleshoot the issue.


Topic 2B
Analyzing the Three-way Handshake

Although a great deal of emphasis is given to IP due to the addressing and masking issues, TCP deserves equal attention from the security professional. In addition to TCP, the other protocol that functions as a transport protocol is UDP. This topic will concentrate on TCP; however, a brief discussion on UDP is warranted. The following table provides a brief comparison of the two protocols.

Comparing TCP and UDP

TCP                      UDP
Connection-oriented      Connectionless
Slower communications    Faster communications
Considered reliable      Considered unreliable
Transport Layer          Transport Layer

TCP provides a connection-oriented means of communication, whereas UDP provides connectionless communication. The connection-oriented function of TCP means it can ensure reliable transmission, and can recover if transmission errors occur. The connectionless function of UDP means that packets are sent with the understanding they will make it to the other host, with no means of ensuring the reliability of the transmission.

UDP is considered faster because less work is done between the two hosts that are communicating. Host 1 simply sends a packet to the address of host 2. There is nothing built into UDP to provide for host 1 checking to see if host 2 received the packet, or for host 2 sending a message back to host 1, acknowledging receipt.

TCP provides the functions of connection-oriented communication by using features such as the three-way handshake, acknowledgements, and sequence numbers. In addition to these features, a significant part of TCP is the use of control flags. There are six TCP control flags in a TCP header, each with a specific meaning.

security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.


TCP Flags

The TCP flags are: SYN, ACK, FIN, RESET, PUSH, and URGENT. These flags may also be identified as S, ack, F, R, P, and urg. Each of these flags occupies the space of one bit in the header, and if they are assigned a value of 1, they are considered on. The function of each flag is identified as follows:

• The SYN, or S, flag represents the first part of establishing a connection. The synchronizing of communication will generally be in the first packet of communication.

• The ACK, or ack, flag represents acknowledgement of receipt of data from the sending host. This is sent during the second part of establishing a connection, in response to the sending host’s SYN request.

• The FIN, or F, flag represents the sender’s intentions of terminating the communication in what is known as a graceful manner.

• The RESET, or R, flag represents the sender’s intentions to reset the communication.

• The PUSH, or P, flag is used when the sending host requires data to be pushed directly to the receiving application, and not fill in a buffer.

• The URGENT, or urg, flag represents that this data should take precedence over other data transmissions.

Sequence and Acknowledgement Numbers

In addition to the TCP flags, another critical issue of TCP is that of numbers: sequence and acknowledgement numbers, to be specific. Because TCP has been defined as a reliable protocol that has the ability to provide for connection-oriented communication, there must be a mechanism to provide these features. Sequence and acknowledgement numbers are what provide this.

Sequence Numbers

The sequence number is found in the TCP header of each TCP packet and is a 32-bit value. These numbers allow the two hosts a common ground for communication, and allow for the hosts to identify packets sent and received. If a large web page requires several TCP packets for transmission, sequence numbers are used by the receiving host to reassemble the packets in the proper order and provide the full web page for viewing.

When a host sends the request to initiate a new connection, an Initial Sequence Number (ISN) must be chosen. There are different algorithms by different vendors for the choosing of an ISN; however, RFC 793 states that the ISN is to be a 32-bit number that increments by one every 4 microseconds.

Acknowledgement Numbers

The acknowledgement number is also found in the TCP header of each TCP packet, and is also a 32-bit value. These numbers allow the two hosts to be given a receipt of data delivery. An acknowledgement number is in the packet header in response to a sequence number in the sending packet.

In the event that the sending host does not receive an acknowledgement for a transmitted packet in the defined timeframe, the sender will retransmit the packet. This is how TCP provides reliable delivery. If a packet seems to have been lost, the sender will retransmit it.


Connections

All communication in TCP/IP is done with connections between two hosts. Each connection is opened (or established), data is sent, and the connection is closed (or torn down). These connections have very specific rules they must follow. There are two different states of the open portion of this process: Passive Open and Active Open.

• Passive Open is when a running application tells TCP that it is ready to receive inbound requests via TCP. The application is assuming inbound requests are coming, and is prepared to serve those requests. This is also known as the listening state, as the application is listening for requests to communicate.

• Active Open is when a running application tells TCP to start a communication session with a remote host (which is in Passive Open state). It is possible for two hosts in Active Open to begin communication. It is not a requirement that the remote host be in Passive Open, but that is the most common scenario.

Connection Establishment

In order for the sequence and acknowledgement numbers to have any function, a session between the two hosts must be established. This connection establishment is called the three-way handshake. The three-way handshake involves three distinct steps, which are detailed as follows (please refer to Figure 2-5 when reading this section):

1. Host A sends a segment to Host C with the following:

SYN = 1 (The session is being synchronized.)

ACK = 0 (There is no value in the ACK field, so this flag is a 0.)

Sequence Number = x, where x is a variable. (x is Host A’s ISN.)

Acknowledgement Number = 0

2. Host C receives Host A’s segment and responds to Host A with the following:

SYN = 1 (The session is still being synchronized.)

ACK = 1 (The acknowledgement flag is now set, as there is an ack value in this segment.)

Sequence Number = y, where y is a variable. (y is Host C’s ISN.)

Acknowledgement Number = x + 1 (The sequence number from Host A, plus 1.)

3. Host A receives Host C’s segment and responds to Host C with the following:

SYN = 0 (Session is synchronized with this segment; further requests are not needed.)

ACK = 1 (The ack flag is set in response to the SYN from the previous segment.)

Sequence Number = x + 1 (This is the next sequence number in series.)

Acknowledgement Number = y + 1 (The sequence number from Host C, plus 1.)

At this point, the hosts are synchronized and the session is established in both directions, with data transfer to follow.


Figure 2-5: The three-way handshake.

Connection Termination

In addition to specific steps that are involved in the establishment of a session between two hosts, there are equally specific steps in the termination of the session. There are two methods of ending a session using TCP. One is considered graceful, and the other is non-graceful.

A graceful shutdown happens when one host sends a message (using the FIN flag) to the other, stating it is time to end the session; the other acknowledges; and they both end the session. A non-graceful shutdown happens when one host simply sends a message (using the RESET flag) to the other, indicating the communication has stopped, with no acknowledgements and no further messages sent. In this section, we will investigate the details of the standard graceful termination.

As you saw earlier, it requires three segments to establish a TCP session between two hosts. The other side of the session, the graceful termination, requires four segments. Four segments are required because TCP is a full-duplex communication protocol (meaning data can be flowing in both directions independently). As per the specifications of TCP, either end of a communication can end the session by sending a FIN, which has a sequence number just as a SYN has a sequence number.

Similar to the Active and Passive Opens mentioned earlier, there are also Active and Passive Closes. The host that begins the termination sequence, by sending the first FIN, is the host performing the Active Close. The host that receives the first FIN is the host that is performing the Passive Close. The graceful teardown of a session is detailed as follows (please refer to Figure 2-6 when reading this section):

1. Host A initiates the session termination to Host C with the following:

FIN = 1 (The session is being terminated.)

ACK = 1 (There is an ack number, based on current communication.)

Sequence Number (FIN number) = s (s is a variable based on the current communication.)

Acknowledgement Number = p (p is a variable based on the current communication.)

2. Host C receives Host A’s segment and replies with the following:

FIN = 0 (This segment is not requesting closure of the session.)

ACK = 1 (This segment does contain an ack number.)

Sequence Number = Not Present (As there is no FIN, there is no sequence number required.)


Acknowledgement Number = s + 1 (This is the response to Host A’s FIN.)

3. Host C initiates the session termination in the opposite direction with the following:

FIN = 1 (The session is being terminated.)

ACK = 1 (There is an ack number.)

Sequence Number = p (p is a variable based on the current communication.)

Acknowledgement Number = s + 1 (This is the same as in the previous segment.)

4. Host A receives the segments from Host C and replies with the following:

FIN = 0 (This segment does not request a termination; there is no SYN.)

ACK = 1 (This segment does contain an ack number.)

Sequence Number = Not Present

Acknowledgement Number = p + 1 (This is Host C’s sequence number, plus 1.)

At this point the session has been terminated. Communication in both directions has had a FIN requested and an acknowledgement to the FIN, closing the session.
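As an added example (not from the course or from Network Monitor), the following Python builds constructed sample TCP headers for the exchanges in Figures 2-5 and 2-6, decodes the flag bits and the sequence and acknowledgement fields the way an analyst reads them in a capture, and checks that the numbers follow the x + 1 / y + 1 rule of the three-way handshake and the s + 1 / p + 1 rule of the four-segment graceful close described above. The ports and ISNs are sample values chosen for the example.

```python
import struct
from dataclasses import dataclass

# Bit positions of the six control flags in the TCP header flags byte (RFC 793 order).
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
MOD32 = 1 << 32  # sequence and acknowledgement numbers are 32-bit values that wrap


@dataclass(frozen=True)
class TcpSegment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: frozenset


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Construct a minimal 20-byte TCP header (no options, checksum left zero).
    Used only to create sample segments for this example; this is not captured traffic."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    data_offset = 5 << 4  # header length in 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq % MOD32, ack % MOD32,
                       data_offset, flag_byte, window, 0, 0)


def parse_tcp_header(raw):
    """Decode ports, sequence/acknowledgement numbers and flags from raw header bytes."""
    if len(raw) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    src, dst, seq, ack, off_res, flag_byte, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", raw[:20])
    header_len = (off_res >> 4) * 4
    if header_len < 20 or header_len > len(raw):
        raise ValueError(f"data offset of {header_len} bytes is inconsistent with the segment")
    flags = frozenset(name for name, bit in FLAG_BITS.items() if flag_byte & bit)
    return TcpSegment(src, dst, seq, ack, flags)


def check_handshake(s1, s2, s3):
    """Return the ways three segments deviate from the three-way handshake; [] means well formed."""
    problems = []
    if s1.flags != {"SYN"} or s1.ack != 0:
        problems.append("segment 1 must be SYN only with acknowledgement number 0")
    if s2.flags != {"SYN", "ACK"}:
        problems.append("segment 2 must carry SYN and ACK")
    if s2.ack != (s1.seq + 1) % MOD32:
        problems.append("segment 2 must acknowledge x + 1")
    if s3.flags != {"ACK"}:
        problems.append("segment 3 must carry ACK only (SYN cleared)")
    if s3.seq != (s1.seq + 1) % MOD32:
        problems.append("segment 3 sequence number must be x + 1")
    if s3.ack != (s2.seq + 1) % MOD32:
        problems.append("segment 3 must acknowledge y + 1")
    return problems


def check_teardown(f1, a1, f2, a2):
    """Same check for the four-segment graceful close: FIN(s) -> ACK(s+1) -> FIN(p) -> ACK(p+1)."""
    problems = []
    if f1.flags != {"FIN", "ACK"}:
        problems.append("segment 1 must carry FIN and ACK (active close)")
    if a1.flags != {"ACK"} or a1.ack != (f1.seq + 1) % MOD32:
        problems.append("segment 2 must be ACK only, acknowledging s + 1")
    if f2.flags != {"FIN", "ACK"} or f2.ack != (f1.seq + 1) % MOD32:
        problems.append("segment 3 must carry FIN and ACK and still acknowledge s + 1")
    if a2.flags != {"ACK"} or a2.ack != (f2.seq + 1) % MOD32:
        problems.append("segment 4 must be ACK only, acknowledging p + 1")
    return problems


# Constructed sample exchange: Host A on ephemeral port 51000, Host C serving WWW on port 80.
X, Y = 1_000_000, 2_000_000_000  # the two hosts' ISNs (arbitrary sample values)
SAMPLE_HANDSHAKE = [
    build_tcp_header(51000, 80, X, 0, {"SYN"}),
    build_tcp_header(80, 51000, Y, X + 1, {"SYN", "ACK"}),
    build_tcp_header(51000, 80, X + 1, Y + 1, {"ACK"}),
]
S, P = X + 500, Y + 8000  # sequence numbers reached after some data has flowed
SAMPLE_TEARDOWN = [
    build_tcp_header(51000, 80, S, P, {"FIN", "ACK"}),
    build_tcp_header(80, 51000, P, S + 1, {"ACK"}),
    build_tcp_header(80, 51000, P, S + 1, {"FIN", "ACK"}),
    build_tcp_header(51000, 80, S + 1, P + 1, {"ACK"}),
]


def analyze(raw_segments, checker):
    """Parse a list of raw headers and run one of the checks above on them."""
    return checker(*[parse_tcp_header(raw) for raw in raw_segments])


if __name__ == "__main__":
    for raw in SAMPLE_HANDSHAKE + SAMPLE_TEARDOWN:
        seg = parse_tcp_header(raw)
        print(f"{seg.src_port:>5} -> {seg.dst_port:<5} seq={seg.seq:<10} ack={seg.ack:<10} "
              + " ".join(sorted(seg.flags)))
    print("handshake problems:", analyze(SAMPLE_HANDSHAKE, check_handshake))
    print("teardown problems:", analyze(SAMPLE_TEARDOWN, check_teardown))
```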

Figure 2-6: Connection termination.

Ports

You have been introduced to the fact that IP deals with addressing and the sending/receiving of data between two hosts, and you have been introduced to the fact that TCP can be selected to provide reliable delivery of data. However, if a client sends a request to a server that is running many services, such as WWW, NNTP, SMTP, and FTP, how does the server know which application is supposed to receive the request? The answer is by specifying ports.


Port numbers are located in the TCP or UDP header, and they are 16-bit values, ranging from 0 to 65535. Port numbers can be assigned to specific functions or applications. Ports can also be left open for dynamic use by two hosts during communication. There are ranges of ports for each function. There are three main categories of ports: well-known, registered, and dynamic.

• The well-known ports (also called reserved ports by some) are those in the range of 0 to 1023. These port numbers are assigned to specific applications and need to remain constant for the primary services of the Internet to continue to provide the flexibility and usefulness it does today. For example, the WWW service is port 80, the Telnet service is port 23, the SMTP service is port 25, and so on. The well-known port list is maintained by the Internet Assigned Numbers Authority (IANA), and can be found here: www.iana.org/assignments/port-numbers.

• Registered ports are those in the range of 1024 to 49151. These port numbers can be registered to a specific function, but are not defined or controlled by a governing body, so multiple functions could end up using the same port.

• Dynamic ports (also called private ports) are those from 49152 to 65535. Any user of the Internet can use dynamic ports.

When a client connects to a server and requests a resource, that client also requires a port. The client ports (also called ephemeral ports by some) are used by a client during one specific connection; each subsequent connection will use a different port number. These ports are not assigned to any default service, and are usually a number greater than 1023. There is no defined range for client ports; they can cover the numbers of both the registered and dynamic port ranges. When a client begins a session by requesting a service from a server, such as the WWW service on port 80, the client uses an ephemeral port on the client side. This enables the server to respond to the client. Data is then exchanged between the two hosts using the port numbers established for that session: 80 on the server side, and a dynamic number greater than 1023 on the client side. The combination of the IP address and port is often referred to as a socket, and the two hosts together are using a socket pair to communicate for this session.

The following table lists some of the well-known ports and their associated services.

Some Well-known Ports and their Services

Port        Service
20 and 21   FTP (data and control)
23          Telnet
25          SMTP
53          DNS
80          HTTP (standard web pages)
119         NNTP
443         HTTPS (HTTP over SSL/TLS, secure web pages)

Lesson 2: Advanced TCP/IP 51

Page 94: SCNS - Tactical Perimeter Defense

In addition to known valid services, such as those listed previously, there are many Trojan Horse programs that listen on specific ports by default (although the port can usually be changed, so a port number alone is never proof of a Trojan).

Ports Associated with Trojan Horses

Port Number   Name of Trojan Horse
1243          Sub Seven
12345         NetBus
27374         Sub Seven 2.1
31337         Back Orifice
54320 (TCP)   Back Orifice 2000 (BO2K)
54321 (UDP)   Back Orifice 2000 (BO2K)

Network Monitor
There is a very valuable tool available with Windows Server called Network Monitor. This tool captures full packets and lets you, the analyst, peer into each packet's contents, examining both the headers and the payload (data) in detail. You can see which control flags are set, the sequence and acknowledgement numbers, the packet size, and more. The following is a discussion on the use of Network Monitor, provided as background for you to be able to perform the tasks in this lesson.

Some of the things you can do with Network Monitor are:

• Monitor real-time network traffic.

• Analyze network traffic.

• Filter specific protocols to capture.

In this lesson, you will be focusing on the capture and analysis of IP packets, and on the details of the protocol suite.

Trojan Horse: An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.


Figure 2-7: The default view of Network Monitor, showing the various panes.

In Figure 2-7, you can see the default view of Network Monitor. In this view, the screen is split into several sections.

The top bar is the standard menu bar found in Microsoft programs. The menus you will use in this lesson are File and Capture.

• The File menu contains three commands: Open, Save As, and Exit.

— Choose Open to open a previously saved Network Monitor capture.

— Choose Save As to save a Network Monitor capture.

— Choose Exit to exit.

• The Capture menu has more commands: Start, Stop, Stop And View, Pause, and Continue.

— The Start, Pause, and Continue commands are self-explanatory.

— The difference between Stop and Stop And View is that the Stop command simply ends the capture, while Stop And View ends the capture and switches Network Monitor to its next mode, Display View.

The other sections of the Capture View are panes (windows within the window) called Graph, Session Stats, Station Stats, and Total Stats.

• The Graph pane provides five bar graphs, each showing the current value of a pre-defined metric.

— The top graph indicates the percentage (%) of network utilization, meaning how much of the network's capacity is in use.

— The second graph indicates the number of frames per second transmitted over the network.

— The third graph indicates the number of bytes per second transmitted over the network.


— The fourth graph indicates the number of broadcasts per second transmitted over the network.

— The fifth graph indicates the number of multicasts per second transmitted over the network.

While a capture is running, these graphs update in real time.

• The next pane is the Session Stats pane. In this pane, you can see the sessions (pairs of stations exchanging frames) taking place during the capture.

• Following the Session Stats is the Station Stats pane. In this pane, you can see statistics per station (network address): frames and bytes sent and received, broadcasts, multicasts, and more.

• The final pane in this view is the Total Stats pane. The Total Stats pane is subdivided into sections: Network Statistics, Captured Statistics, Per Second Statistics, Network Card (MAC) Statistics, and Network Card (MAC) Error Statistics. From this pane, you can identify frames, broadcasts, multicasts, network utilization, errors, and more, all in real time during the capture.

Displaying Captures
After you have captured network traffic, you can begin your analysis, which requires a different view of Network Monitor: the Display View. You can switch to the Display View either by using the Capture→Stop And View command or by using the Display Captured Data command after a capture session has been stopped.

Figure 2-8: The Summary View of Network Monitor.

When you first open the Summary View, as shown in Figure 2-8, you will see a summary, in time order, of the packets captured. By double-clicking any captured packet, you can look into its details and bring up the next view of Network Monitor. Once you have selected a packet, Network Monitor displays three panes for presenting information to you.


Figure 2-9: The details of a packet in Network Monitor.

The top pane shown in Figure 2-9 is the Summary pane. This pane provides the basic details of a packet, such as:

• Frame number

• Time the packet was captured

• Destination and source MAC addresses

• Protocol used

• Destination and source IP addresses

The middle pane shown in Figure 2-9 is the Detail pane. This pane provides the actual details of the protocol for the selected packet. Any line that has a plus sign next to it can be expanded for further detail.

The bottom pane in Figure 2-9 is the Hex pane. This pane shows the raw bytes of the frame in hexadecimal. When you select something in the Detail pane, the corresponding bytes are highlighted in the Hex pane for comparison. The ASCII representation of the bytes is also visible in this pane; if cleartext such as a Telnet or FTP password is captured, this is where it will be readable.

Network Monitor Filters
Because Network Monitor has the ability to capture all network traffic, it would be very easy to capture too much information and have difficulty finding what you were looking for. This is where filtering comes into play. There are two types of filters available in Network Monitor: capture filters and display filters. For example, if you wanted to capture only TCP messages, you could create a capture filter so that only TCP messages are captured. If you wanted to view only ICMP messages, you could create a display filter so that all you see are ICMP messages. Figure 2-10 and Figure 2-11 show the dialog boxes used for each filter type.


To create or use a capture filter, choose Capture→Filter; display filters are created from the Display menu once a capture is shown. Using filters not only makes it easier for you, as an analyst, to find what you are looking for; a capture filter also keeps the buffer that stores the capture from filling up with traffic you do not need.

Figure 2-10: Network Monitor’s Capture Filter dialog box.

Figure 2-11 shows the Display Filter dialog box.

Figure 2-11: Network Monitor’s Display Filter dialog box.


When using filtering, you will most often filter by protocol or by address. With protocol filtering, you identify a specific protocol to work with; with address filtering, you define a specific address to filter on. Address filters can be applied in one direction or both: traffic into this host, traffic outbound from this host, or traffic in both directions. These options are implemented by selecting the appropriate arrow (--->, <---, or <-->) for the direction you want.

TASK 2B-1
Using Network Monitor

1. Open a command prompt, and enter ipconfig /all

If you are on the LEFT side of the classroom, your IP addresses will be 172.16.10.x. If you are on the RIGHT side of the classroom, your IP addresses will be 172.18.10.x.

2. Record the MAC and IP address for the network card in your computer.

MAC address: Each card will have a unique MAC address.
IP address: Each card will have a unique IP address.

3. Close the Command Prompt window.

4. Open Network Monitor. (From the Start menu, choose All Programs→Administrative Tools→Network Monitor.)

5. If you see the Microsoft Network Monitor message box, click OK to display the Select A Network dialog box. Expand the + sign next to Local Computer, select the interface with the MAC address you recorded in Step 2, and click OK.

6. From the Capture menu, choose Start, or press F10 to start a capture.

7. If you are on the LEFT side of the classroom, ping the IP address 172.16.0.1. If you are on the RIGHT side of the classroom, ping the IP address 172.18.0.1. This will create network traffic for you to capture.

8. Wait for 20 to 30 seconds. As you wait, watch the real-time statistics change in the Network Monitor Capture window.

9. Choose Capture→Stop And View. You should now see the Display View, including the timeline of the packets captured.

10. Double-click any packet to change to the Detail View.

11. Observe the structure of the three panes in this view, and expand any + signs displayed in the middle pane.

12. From the Display menu, choose Filter.

13. Highlight Protocol==Any, and click the Edit Expression button.


14. With the Protocol tab selected, click the Disable All button.

15. Scroll down to ICMP, select ICMP, and click the Enable button. The Expression field at the top of the dialog box should now display Protocol == ICMP. Click OK.

16. Click OK to implement this filter on your capture.

17. Observe that only ICMP frames are visible in your window now.

18. From the File menu, choose Save As, and save the capture as First_Capture.cap in the default location.

19. Close Network Monitor.

Wireshark
Another product you can use to capture data is called Wireshark. (Wireshark was formerly known as Ethereal; the name changed in 2006.) With Wireshark, data can be captured off the wire or read from a saved capture file, and captures can be saved in a file format that Microsoft Network Monitor can read. Wireshark supports dissection of over 750 Data Link, Network, Transport, and Application layer protocols. It can be downloaded from www.wireshark.org.

To capture packets on a Windows machine, promiscuous mode included, you must first download and install the latest stable version of WinPcap; do not install any alpha or beta versions. WinPcap is the Windows equivalent of libpcap (the packet capture library) used on Linux and other Unix-like systems. It can be obtained from www.winpcap.org. You will use WinPcap later in the course, along with other tools such as windump, tcpdump, nmap, and snort.

TASK 2B-2
Installing and Starting Wireshark

1. Choose Start→My Computer.

2. Open C:\Tools\Lesson2. Note: If you do not have a C:\Tools folder, please review the tools section of the Setup Guide.

3. Double-click the WinPcap_4_0.exe file.

4. In the WinPcap_4_0.exe Installer Welcome screen, click Next.

5. In the WinPcap 4.0 Setup Wizard screen, click Next.

6. Read the License Agreement, and click I Agree.

7. To close the WinPcap install wizard, click Finish.

8. Double click the Wireshark_setup-0.99.5.exe file.

9. In the Wireshark Setup Wizard Welcome screen, click Next.

promiscuous mode: Normally an Ethernet interface reads all address information and accepts follow-on packets only if they are destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.


10. Read the License Agreement, and click I Agree.

11. Accept the Default Components (do not make any changes), and click Next.

12. Accept the Default Additional Tasks (do not make any changes), and clickNext.

13. Accept the Default Destination Folder, and click Next.

14. You have already installed WinPcap, so do not check any boxes on the WinPcap screen, and click Install.

15. In the Installation Complete screen, click Next.

16. In the Completing The Wireshark 0.99.5 Setup Wizard, check the Run Wireshark 0.99.5 check box and click Finish.

17. Leave Wireshark open for the following tasks.

Wireshark Overview
When you first start Wireshark (formerly called Ethereal), you will see a GUI with three panes. The top pane lists the captured frames in sequence. When you highlight a frame, the middle pane provides protocol layer information about that frame, and the bottom pane shows the details of the frame in both Hex and ASCII values.

Figure 2-12: The Ethereal (Wireshark) GUI.


At the top of the GUI there is a menu bar, with File, Edit, View, Go, Capture, Analyze, Statistics, and Help. Just above the top pane is a Filter button, a drop-down menu, an Expression button, a Clear button, and an Apply button. These buttons allow you to filter through the captured data, which, as you will see, is a very important feature.

When you wish to start a capture in Wireshark, you have several options. You can go to the Capture drop-down menu and select Start, or you can simply click the third icon from the right in the toolbar just below the main menu bar. However, as this is the first time you are running Wireshark, you must define some options. A quick way to the options screen is to press Ctrl+K. When you do so, you will see a window with many options, where you can make specific selections, including the following:

• The interface to capture packets from.

• The limit to the number of packets to capture (if any).

• Whether you wish to capture packets in promiscuous mode or not.

• Any filters you wish to use.

• The file name for the capture file.

• If you wish to view the packets onscreen in real time.

• Parameters to define when the capture should stop.

• Whether you wish to enable or disable name resolution at the Data Link, Network, and Transport layers.


Figure 2-13: Ethereal (Wireshark’s) Capture Options dialog box.

When you click OK, the capture will start on the selected network interface and you will see another pop-up informing you of that. Wireshark will continue with the capture until you click the Stop button.

Figure 2-14: Ethereal (Wireshark) pop-up displaying capture information.


Once you have selected your options and clicked OK, the capture will start on the selected network interface, and you will see a pop-up window informing you of the capture in progress. Wireshark will continue with the capture until you press the Stop button or an option you configured tells the capture to stop.

Figure 2-15: The many Save As options in Ethereal (Wireshark).

After you stop a capture, you can view and analyze the data. When you are done and wish to save the file for future analysis, you have many options.

Notice how many choices you have for saving a capture; you can save to Network Monitor's format if you want. (Conversely, Wireshark will read a capture saved by any of the protocol analyzers in the list.) When you are done with capture and analysis and want to close the program, choose File→Quit or press Ctrl+Q.

TASK 2B-3
Using Wireshark

Setup: Wireshark has been successfully installed and is running on your computer.

1. From the menu options, choose Capture→Options.

2. In the Interface drop-down list, select your local area network adapter.

3. Notice that when you select your adapter, directly below the word Interface, the program has listed your LAN address.


4. Make sure that the Capture Packets In Promiscuous Mode check box is checked.

5. Under Display Options, check the Update List Of Packets In Real Time check box.

6. Click the Start button and open a command prompt.

7. Ping your Default Gateway IP Address.

8. When the ping has completed, close the command prompt, return to Wireshark, and choose Capture→Stop.

9. Double-click any frame where your computer is the Source and the Destination is the Default Gateway IP Address you just pinged. The protocol will be listed as ICMP.

10. Expand and view the frame details.

11. Note that you can analyze data in a similar fashion as in Network Monitor.

12. Once you are done with this initial look at Wireshark, close the application.

13. Click the Continue Without Saving button.

TCP Connections
Earlier, you were introduced to the function and the process of control flags, the three-way handshake, and the session teardown. In this section, you are going to use Network Monitor to view the three-way handshake, packet by packet, and to view the teardown, packet by packet.

Remember, the three-way handshake is used by two hosts when they are creating a session. The first host begins by sending out a packet with the SYN flag set, and no other flags. The second packet is a response with both the SYN and ACK flags set. The third part of the session establishment has only the ACK flag set. Each SYN consumes one sequence number, so the acknowledgement number in each reply is the other side's sequence number plus 1; this is what you will verify in the next task.

TASK 2B-4
Analyzing the Three-way Handshake

1. Choose Start→Administrative Tools→Services.

2. Right-click Telnet and choose Properties.

3. In the Startup type drop-down menu, select manual.

4. Click Apply.

5. Click the Start button.

6. Click OK.


7. Close the Services window.

8. Open Network Monitor, and start a capture.

9. At a command prompt:

If you are on the LEFT side of the classroom, enter telnet 172.16.0.1

If you are on the RIGHT side of the classroom, enter telnet 172.18.0.1

When Telnet asks whether to send your password information to the remote computer, enter y. At the Login prompt, type anonymous and press Enter; at the Password prompt, press Enter.

10. Press Enter repeatedly, or enter a bad password, until your connection to the host is lost. Your screen may resemble the following graphic.

Minimize the command prompt window.

11. Switch back to Network Monitor, and choose Capture→Stop And View.

12. In the Summary pane, identify the frames that are involved in the three-way handshake.

13. Once you have identified the frames that are part of the three-way handshake, based on the discussion, look for the following:

a. In the first frame, what are the SEQ number, ACK number, and flags?

b. In the second frame, what are the SEQ number, ACK number, and flags?

c. In the third frame, what are the SEQ number, ACK number, and flags?

14. Expand each of the three frames in the handshake, and examine them in greater detail in the Detail pane.

15. Using the Hex pane, identify the value for the flags that are set for each frame of the three-way handshake.

16. Leave Network Monitor open, along with this capture, for the next task.

The Session Teardown Process
Previously, you examined the session teardown process. Here, you will examine the details of the session teardown. Remember, there are four parts to a session teardown: each side sends a FIN, and each FIN is acknowledged by the other side. Like a SYN, a FIN consumes one sequence number.


TASK 2B-5
Analyzing the Session Teardown Process

Setup: Network Monitor is running, and the last capture you performed is displayed.

1. In the Summary pane, identify the frames that are involved in the session teardown.

2. Once you have identified the frames, examine them in greater detail in the Detail pane.

3. In each frame, identify at least the following:

a. Flags that are set.

b. Sequence number.

c. Acknowledgement number.

4. Save the capture as TCP_Connections.cap and close the capture.

5. Minimize Network Monitor.

Topic 2C
Capturing and Identifying IP Datagrams
Along with TCP, the protocol you will spend the most time analyzing will be IP. This protocol is the one that does the most work of the entire TCP/IP suite. In Figure 2-16, you can see the actual format of the IP datagram. There are seven rows of information in the figure, with the critical rows being the first five. When a computer receives an IP datagram, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on.

To work with IP further, refer to RFC 791.


Figure 2-16: An IP datagram with all fields shown.

Using Figure 2-16, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the IP header.

• Starting on Row One, on the left side is a field called Version. This is a 4-bit field that defines the version of IP in use. In most captures this will be 4 (IPv4), the current industry standard. Some networks may be using IP version 6, or IPv6, which you will examine later in the course.

• Moving to the right of the Version is a field called Header Length (IHL). This is a 4-bit field that gives the number of 32-bit words in the header itself, including any options. In most captures, this value will be 5 (a 20-byte header with no options), which is the normal value.

• Continuing to the right of Header Length is a field called Type Of Service. This is an 8-bit field that requests a quality of service for this packet. Different applications have different needs for bandwidth and delay, and Type Of Service is one way of expressing them. (Current standards reuse these bits as the Differentiated Services code point and the ECN bits, so a newer analyzer may label the field DSCP/ECN.)

• The last field on Row One is the field called Total Length. This is a 16-bit field that gives the length of the entire IP datagram, header and data, in bytes.

• Starting on Row Two, on the left side is a field called Identification. This is a 16-bit field that identifies each datagram sent by the host, so that the fragments of one datagram can be told apart from those of another during reassembly. Most hosts simply increment this value by one for every datagram sent.

• Following the Identification field is a field called Flags. Not to be confused with the flags of TCP, which you have seen, this is a 3-bit field that is used in conjunction with fragmentation. The first of the three bits is reserved and is to be set to 0. The next bit is known as the DF bit, or Don't Fragment. The third bit is known as the MF bit, or More Fragments; it is set on every fragment except the last.

• The last field on Row Two is a field called Fragment Offset. This is a 13-bit field that defines where in the original datagram this fragment belongs, measured in units of 8 bytes. (If there is fragmentation, the first fragment will have an offset of 0; an unfragmented datagram has an offset of 0 and MF clear.)

• Starting on Row Three, on the left side, is a field called Time To Live. This is an 8-bit field that defines the maximum time this datagram may exist in the network. The TTL is set by the sender and lowered by at least 1 by every router the datagram crosses, so in practice it is a hop count. If the TTL reaches 0, the packet is discarded, and the router normally sends an ICMP Time Exceeded message back to the source.

• Moving to the right is a field called Protocol. This is an 8-bit field that identifies the upper-layer protocol carried in this datagram. There are many protocol numbers; the full list is the IANA protocol numbers registry (originally published in RFC 790). The following are the ones you will see most in this lesson:

— Protocol ID Number 1: ICMP

— Protocol ID Number 6: TCP

— Protocol ID Number 17: UDP

• The final field on Row Three is a field called Header Checksum. This is a 16-bit field that provides a check on the IP header only; it is not a checksum of any data following the header, which is left to the transport protocol. Because the TTL changes at every hop, each router must recompute this checksum.

• The Fourth Row is a single field, the Source IP Address. This field is a 32-bit value that identifies the IP address of the source host of this packet.

• The Fifth Row is also a single field, the Destination IP Address. This field is a 32-bit value that identifies the IP address of the destination host for this packet.

• The Sixth Row contains any options that may be present. This is a variable-length field with no fixed size. Some of the options that may appear here are related to source routing or to time stamping. If options are used, padding is added so that the header ends on a 32-bit boundary, which is why the Header Length field can count 32-bit words.

• The Seventh and final Row is the representation of the data. By this point, the header is complete and the data the user wishes to send or receive is stored in the packet.

TASK 2C-1
Capturing and Identifying IP Datagrams

Setup: You are logged on to Windows Server 2003 as Administrator. A command prompt and Network Monitor are running.

1. In Network Monitor, start a new capture, and leave the capture running.

2. Open a command prompt and enter ftp ip_address where ip_address is the address of a neighbor computer.

integrity: Assuring information will not be accidentally or maliciously altered or destroyed.


3. At this time, the connection will not be successful. Type bye and close the command prompt.

4. Return to Network Monitor and choose Capture→Stop And View.

5. Observe the Protocol column. Apply a filter to show only TCP (for the specific steps, see Task 2B-1, steps 12 through 16). Click any of the frames and observe that the TCP summary identifies port 21 (FTP) as the destination port.

6. Examine the IP header, compared to the discussion. Look for the following:

a. Version Number.

b. Time To Live.

c. Protocol ID.

d. Source Address.

e. Destination Address.

7. Once you are done examining the IP header, save the capture asIP_Header.cap and close the capture file.

Topic 2D
Capturing and Identifying ICMP Messages
When you are analyzing protocols, it should become immediately apparent that ICMP differs from the other protocols discussed in this lesson: it carries no port numbers and opens no connections. The similarity is that the ICMP message is encapsulated in the IP datagram (Protocol number 1), just as you saw with TCP and UDP. In Figure 2-17, you can see the actual format of the ICMP message. There are only two rows of information shown in the figure.

Figure 2-17: An ICMP message with all fields shown.

To work with ICMP further, refer to RFC 792.


Using Figure 2-17, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze an ICMP message.

• Starting on Row One, on the left side, the first field is called Type. This is an 8-bit value that identifies the kind of ICMP message. For example, Type 8 is an Echo Request (what ping sends), Type 0 is an Echo Reply, and Type 3 is Destination Unreachable.

• Following Type on Row One is a field called Code. This is an 8-bit value that works in conjunction with Type to define the specific details of the ICMP message. For example, with Type 3, Code 0 is Network Unreachable, Code 1 is Host Unreachable, and Code 3 is Port Unreachable.

• Moving along on Row One, the final field is called Checksum. This is a 16-bit value that checks the integrity of the entire ICMP message, header and data, unlike the IP header checksum, which covers only the IP header.

• The Second Row has no fixed fields. Depending on the Type and Code of the ICMP message, it may contain many things. For Echo Request and Echo Reply it holds an identifier and a sequence number, followed by the data that ping sends; for error messages such as Destination Unreachable it holds the IP header and first 8 bytes of the datagram that caused the error, so the sender can tell which connection failed. Another example of what may go here is the time stamping carried by the Timestamp messages.
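The following script is an added example for Topics 2C and 2D, written for this edition and not part of the SCNS course materials. It walks the IPv4 header of Figure 2-16 and the ICMP message of Figure 2-17 field by field, the way you will do by hand in the Detail and Hex panes, and recomputes both checksums to show that the IP checksum covers only the header while the ICMP checksum covers the whole message. The packets it decodes are constructed inside the script (the host address 172.16.10.5 and the identifier are made up); nothing is read from a real capture.

```python
"""Decode an IPv4 header and an ICMP echo message and verify both checksums.

Added example for this lesson, not course code. The packets below are
constructed in the script, not taken from a capture.
"""
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones'-complement sum of 16-bit words, complemented.
    A trailing odd byte is padded with zero. Over a block whose checksum
    field is already filled in, the result is 0 when the block is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Fields of Figure 2-16, rows one to six. The checksum is recomputed over
    the header only (IHL * 4 bytes); the payload is deliberately excluded."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F   # IHL counts 32-bit words
    header_len = ihl * 4
    if version != 4 or ihl < 5 or len(packet) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    flags = flags_frag >> 13                       # reserved, DF, MF
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags & 0b010), "more_fragments": bool(flags & 0b001),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # 13-bit field in 8-byte units
        "ttl": ttl, "protocol": proto, "checksum": hdr_csum,
        "checksum_ok": internet_checksum(packet[:header_len]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": packet[20:header_len], "payload": packet[header_len:total_len],
    }


def parse_icmp(message: bytes) -> dict:
    """Type, Code and Checksum from row one of Figure 2-17. For echo request
    (8) and echo reply (0) row two holds an identifier and a sequence number;
    the checksum covers the whole message, header and data alike."""
    if len(message) < 4:
        raise ValueError("truncated ICMP message")
    icmp_type, code, csum = struct.unpack("!BBH", message[:4])
    info = {"type": icmp_type, "code": code, "checksum": csum,
            "checksum_ok": internet_checksum(message) == 0}
    if icmp_type in (0, 8) and len(message) >= 8:
        info["identifier"], info["sequence"] = struct.unpack("!HH", message[4:8])
        info["payload"] = message[8:]
    return info


def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Echo request (8) or reply (0) with the checksum filled in."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    csum = internet_checksum(body)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               ttl: int = 128, ident: int = 1, dont_fragment: bool = False) -> bytes:
    """Plain 20-byte header (IHL 5, no options) around payload."""
    def header(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                           0x4000 if dont_fragment else 0, ttl, proto, csum,
                           bytes(int(o) for o in src.split(".")),
                           bytes(int(o) for o in dst.split(".")))
    return header(internet_checksum(header(0))) + payload


def describe(packet: bytes) -> dict:
    """IP header plus the decoded ICMP message when the Protocol field is 1."""
    ip = parse_ipv4_header(packet)
    if ip["protocol"] == PROTO_ICMP:
        ip["icmp"] = parse_icmp(ip["payload"])
    return ip


# Constructed sample: the 32-byte payload Windows ping sends, identifier 0x0200,
# sequence 1, from a made-up LEFT-side classroom host to its router address.
PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
ECHO_REQUEST = build_ipv4("172.16.10.5", "172.16.0.1", PROTO_ICMP,
                          build_icmp_echo(8, 0x0200, 1, PING_PAYLOAD))

if __name__ == "__main__":
    for field, value in describe(ECHO_REQUEST).items():
        print(f"{field:>16}: {value}")
```

Run it and compare the printed fields with what Network Monitor shows for one of your own ping frames in Task 2D-1. Flipping a byte of the ping payload leaves checksum_ok for the IP header true but makes the ICMP checksum fail, which is the practical difference between the two checksums described above.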

TASK 2D-1
Capturing and Identifying ICMP Messages

Setup: You are logged on to Windows Server 2003 as Administrator. A command prompt and Network Monitor are running.

1. Begin a new capture.

2. Switch to the command prompt, and ping a valid IP address of another host in your subnet. Wait for the ping to finish, and then minimize the command prompt.

3. In Network Monitor, stop and view the capture.

4. Scroll down the packets captured to identify ICMP messages, or create an ICMP filter.

5. Analyze the captured frames to identify the ping process between your computer and the host you pinged.

6. Compare the messages to the discussion, looking for the following:

a. Source IP Address.

b. Destination IP Address.

c. Type.

d. Code.

e. Payload for ping.

7. Save this capture as Valid_Ping.cap and close it. You are going to runanother capture.

8. Begin a new capture.


9. Switch to the command prompt, ping a known invalid IP address for your network, wait for the ping to finish, and minimize the command prompt. For instance, if you were to ping the address 208.18.24.2, you should receive a message indicating that the request timed out. Or, if you are on the 172.16.10.0 network, you might try to ping the address 172.16.10.201, as that address is unlikely to be in use on your network. (Pinging an unused address on your own subnet produces unanswered ARP requests rather than ICMP errors; a remote unreachable address may or may not draw a Destination Unreachable message from a router, depending on how the network is configured.)

10. In Network Monitor, stop and view the capture.

11. Scroll down the packets captured to identify ICMP messages.

12. Analyze the captured frames, and compare them to the discussion, looking for the following:

a. Source IP Address.

b. Destination IP Address.

c. Type.

d. Code.

13. Save this capture as icmpheader.cap and close.

Topic 2E
Capturing and Identifying TCP Headers
When investigating TCP/IP, you will find that TCP data is encapsulated in the IP datagram. Since you have already looked into the IP datagram itself, at this stage you will examine TCP further. In Figure 2-18, you can see the actual format of the TCP header. There are seven rows of information in the figure, with the critical ones for this discussion being the first five. Just as with IP, when a computer receives the TCP header, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on.

Figure 2-18: A TCP header with all fields shown.

Based on your network environment, you may not receive these ICMP messages.

To work with TCP further, refer to RFC 793.


Using Figure 2-18, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the TCP header.

• Starting on Row One, on the left side is a field called Source Port Number. This field is a 16-bit number that defines the upper-layer application that is using TCP on the source host.

• The second field on Row One is a field called Destination Port Number. This is a 16-bit field that defines the upper-layer application that is using TCP on the destination host. The combination of an IP address and a port number is often called a socket. A socket pair identifies both ends of a communication completely, by using the source IP address and port, and the destination IP address and port.

• Moving on to Row Two, the entire row is a single field called Sequence Number. This is a 32-bit value that identifies the position, in the byte stream, of the first data byte carried by this segment (or the initial sequence number when the SYN flag is set). Sequence numbers are used to order and track the bytes of a connection and are part of the reason TCP is considered a connection-oriented protocol.

• In Row Three, the entire row is also a single field, called Acknowledgement Number. This is a 32-bit value that answers the other side's sequence numbers: it holds the sequence number of the next byte the sender of this segment expects to receive, which under normal operation is the last byte received in order plus 1. The field is meaningful only if the ACK flag is turned on (flags are in the next row).

• Continuing on to Row Four, starting on the left side is a field called Offset (sometimes also called Header Length). This is a 4-bit value that gives the size of the TCP header in 32-bit words. Because it is a 4-bit value, the header is limited to 15 words, or 60 bytes. If there are no options set, the header is 5 words, or 20 bytes.

• Moving to the right is a field called Reserved. In RFC 793 this is a 6-bit value that is always left at 0 and is not used for normal traffic. (Later RFCs took three of these bits for explicit congestion notification flags, so a modern analyzer may show them as NS, CWR, and ECE rather than as reserved.)

• After the Reserved field are the six Control Flags. Each flag is only 1 bit, either on or off. There are six control flags, and they are listed as follows in the left-to-right order they occupy in the TCP header:

— URG: If this is a 1, the Urgent flag is set.

— ACK: If this is a 1, the Acknowledgement flag is set.

— PSH: If this is a 1, the Push flag is set.

— RST: If this is a 1, the Reset flag is set.

— SYN: If this is a 1, the Synchronize flag is set.

— FIN: If this is a 1, the Finish flag is set.

For a detailed discussion on the flags and their functions, please review that section earlier in this lesson.

• Following the Control Flags on Row Four is a field called Window Size. This is a 16-bit value that identifies the number of bytes, starting with the one defined in the Acknowledgement field, that the sender of this segment is willing to accept.

• Moving on to Row Five, on the left side, there is a field called TCP Checksum. This is a 16-bit value that is used to provide an integrity check of the TCP header and the TCP data. The value is calculated by the sender, then stored, and the receiver compares the value upon receipt.

Lesson 2: Advanced TCP/IP 71

Page 114: SCNS - Tactical Perimeter Defense

• Following the TCP checksum on Row Five is a field called Urgent Pointer. This is a 16-bit value that is used if the sender must send emergency information. The pointer points to the sequence number of the byte that follows the urgent data, and is only active if the URG flag has been set.

• The Sixth Row has only one field, called Options. This is a 32-bit value that is often used to define a maximum segment size (MSS). MSS is used so the sender can inform the receiver of the maximum segment size that the sender is going to receive on return communication. In the event that the options set do not take up all 32 bits, padding will be added to fill the field.

• The Seventh and final Row is the representation of the data. By this point, the header is complete and the data the user wants to send or receive is stored in the packet.
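To see the rows above decoded field by field, here is an added parser (it is not course code and not Network Monitor's decoder). It walks the fixed 20-byte header, the Offset field, the six Control Flags in their left-to-right order and the Options row, including the MSS option; the sample segment is constructed by hand, not taken from any capture.

```python
import struct

# Left-to-right order of the six control flags in Row Four of the header.
FLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")


def parse_tcp_options(raw: bytes) -> dict:
    """Walk the option list: kind 0 ends it, kind 1 is a one-byte NOP,
    kind 2 (length 4) carries the Maximum Segment Size."""
    opts = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of Option List; remainder is padding
            break
        if kind == 1:                       # No-Operation
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length %d" % length)
        if kind == 2 and length == 4:
            opts["MSS"] = struct.unpack("!H", raw[i + 2:i + 4])[0]
        else:
            opts["kind_%d" % kind] = raw[i + 2:i + length]
        i += length
    return opts


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the header rows described in the text and return them by name.
    Raises ValueError when Offset disagrees with the bytes actually present."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (src_port, dst_port, seq, ack, off_flags, window,
     checksum, urg_ptr) = struct.unpack("!HHIIHHHH", segment[:20])
    offset_words = off_flags >> 12          # 4-bit Offset, counted in 32-bit words
    header_len = offset_words * 4           # so 20 bytes minimum, 60 bytes maximum
    if header_len < 20 or header_len > len(segment):
        raise ValueError("Offset of %d words does not fit the segment" % offset_words)
    reserved = (off_flags >> 6) & 0x3F      # 6 Reserved bits, expected to be 0
    flag_bits = off_flags & 0x3F            # six 1-bit Control Flags, URG is the high bit
    flags = {name: bool((flag_bits >> (5 - i)) & 1) for i, name in enumerate(FLAG_NAMES)}
    return {
        "source_port": src_port,
        "destination_port": dst_port,
        "sequence_number": seq,
        # Row Three only carries meaning when the ACK flag is on
        "acknowledgement_number": ack if flags["ACK"] else None,
        "header_length": header_len,
        "reserved": reserved,
        "flags": flags,
        "window_size": window,
        "checksum": checksum,
        # Urgent Pointer is only active when the URG flag is on
        "urgent_pointer": urg_ptr if flags["URG"] else None,
        "options": parse_tcp_options(segment[20:header_len]),
        "data": segment[header_len:],
    }


# Constructed sample (not from the course capture): a SYN from port 2025 to port 21,
# sequence number 0x7A5487B0, a 28-byte header holding an MSS option of 1460,
# two NOPs and End-of-Option-List padding, and no data.
SAMPLE_SYN = (
    struct.pack("!HHIIHHHH", 2025, 21, 0x7A5487B0, 0, (7 << 12) | 0x02, 64240, 0x1234, 0)
    + bytes([2, 4, 0x05, 0xB4, 1, 1, 0, 0])
)

if __name__ == "__main__":
    for field, value in parse_tcp_header(SAMPLE_SYN).items():
        print("%-23s %r" % (field, value))
```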

TASK 2E-1

Capturing and Identifying TCP Headers

Setup: You are logged on to Windows Server 2003 as Administrator. A command prompt and Network Monitor are running.

1. Begin a new capture.

2. Switch to the command prompt and initiate a Telnet session to a neighboring host.

3. To begin the Telnet session, type y, and press Enter.

4. At the login prompt, type Administrator, leave the password blank, and press Enter.

5. If the Telnet session starts, exit the Telnet session; otherwise, close the command prompt.

6. Stop and view the capture.

7. Add a filter so that all you see are TCP frames. For the specific steps to add filters, see Task 2B-1, step 12 through step 16.

8. Analyze the TCP headers in the frames.

9. When analyzing the headers, look for the following:

a. Sequence Numbers.

b. Acknowledgement Numbers.

c. Source Port Numbers.

d. Destination Port Numbers.

10. Once you have analyzed the header, save the capture as Telnet_Attempt.cap and close the capture file.


Topic 2F

Capturing and Identifying UDP Headers

Compared to TCP, UDP is a very simple transport protocol. The UDP header and data will be completely encapsulated in the IP datagram, just as with TCP. In Figure 2-19, you can see the actual format of the UDP header. There are three rows of information in the figure. Just as with TCP, when a computer receives the UDP header, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on.

Figure 2-19: A UDP header with all fields shown.

Using Figure 2-19, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the UDP header.

• Starting on Row One, on the left side is a field called Source Port Number. This field is a 16-bit value that defines the upper-layer application that is using UDP on the source host.

• The second field on Row One is called Destination Port Number. This field is a 16-bit value that defines the upper-layer application that is using UDP on the destination host.

• On the Second Row, the field on the left is called UDP Length. This is a 16-bit value that identifies the length of the UDP data and the UDP header.

• The second field on Row Two is a field called UDP Checksum. This is a 16-bit value that is used to provide an integrity check of the UDP header and the UDP data. The value is calculated by the sender, then stored, and the receiver compares the value upon receipt.

• Row Three is where the actual user data is stored. It is possible for a user to send a UDP datagram with zero bytes of data.
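Both the TCP Checksum and the UDP Checksum described above are computed the same way, over a 12-byte IPv4 pseudo-header (source address, destination address, a zero byte, the protocol number and the transport length) followed by the header and data, which is why a receiver needs the IP addresses in hand to verify them. The following added example (not course code) implements the sender's fill-in and the receiver's check for both protocols; the addresses 172.16.30.1 and 172.16.30.2 and the segment bytes are constructed samples.

```python
import socket
import struct

PROTO_TCP = 6
PROTO_UDP = 17
CHECKSUM_OFFSET = {PROTO_TCP: 16, PROTO_UDP: 6}   # where the field sits in each header


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by IP, ICMP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"                        # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def transport_checksum(src_ip: str, dst_ip: str, proto: int, segment: bytes) -> int:
    """Checksum over pseudo-header + header + data, with the field itself taken as 0.
    For UDP a computed 0 is sent as 0xFFFF, because 0 on the wire means 'no checksum'."""
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, proto, len(segment))
    off = CHECKSUM_OFFSET[proto]
    zeroed = segment[:off] + b"\x00\x00" + segment[off + 2:]
    csum = (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF
    if proto == PROTO_UDP and csum == 0:
        csum = 0xFFFF
    return csum


def fill_checksum(src_ip: str, dst_ip: str, proto: int, segment: bytes) -> bytes:
    """The sender's job: store the computed value in the header."""
    off = CHECKSUM_OFFSET[proto]
    csum = transport_checksum(src_ip, dst_ip, proto, segment)
    return segment[:off] + struct.pack("!H", csum) + segment[off + 2:]


def checksum_ok(src_ip: str, dst_ip: str, proto: int, segment: bytes) -> bool:
    """The receiver's job: recompute and compare with the stored field."""
    off = CHECKSUM_OFFSET[proto]
    stored = struct.unpack("!H", segment[off:off + 2])[0]
    if proto == PROTO_UDP and stored == 0:
        return True                            # sender chose not to checksum (IPv4 only)
    return transport_checksum(src_ip, dst_ip, proto, segment) == stored


CLIENT, SERVER = "172.16.30.2", "172.16.30.1"   # constructed, matching the lesson's lab hosts
# Constructed UDP datagram: port 1234 -> 69 (tftp), UDP Length 12 (8-byte header + "test").
UDP_SAMPLE = fill_checksum(CLIENT, SERVER, PROTO_UDP,
                           struct.pack("!HHHH", 1234, 69, 12, 0) + b"test")
# Constructed TCP SYN: port 2025 -> 21, 20-byte header, window 64240, no data.
TCP_SAMPLE = fill_checksum(CLIENT, SERVER, PROTO_TCP,
                           struct.pack("!HHIIHHHH", 2025, 21, 0x7A5487B0, 0,
                                       (5 << 12) | 0x02, 64240, 0, 0))

if __name__ == "__main__":
    print("udp intact  :", checksum_ok(CLIENT, SERVER, PROTO_UDP, UDP_SAMPLE))
    print("tcp intact  :", checksum_ok(CLIENT, SERVER, PROTO_TCP, TCP_SAMPLE))
    damaged = UDP_SAMPLE[:-1] + b"u"           # one byte of payload changed in transit
    print("udp damaged :", checksum_ok(CLIENT, SERVER, PROTO_UDP, damaged))
```

Note that the pseudo-header makes the checksum cover the IP addresses too, so a datagram whose destination address was altered in transit fails the check even if its transport bytes are intact.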

TASK 2F-1

Working with UDP Headers

Setup: You are logged on to Windows Server 2003 as Administrator, and Network Monitor is running.

1. Browse to C:\Tools\Lesson2. In that folder is a file called tftp.cap. Open tftp.cap in Network Monitor.

To work with UDP further, refer to RFC 768.


2. Expand the details of any UDP frame, and compare it to the discussion. Look for the following:

a. Source Port.

b. Destination Port.

c. What the actual UDP data is.

3. As you are analyzing this traffic, verify that no session was established, as UDP is connectionless.

4. Close the capture.

Topic 2G

Analyzing Packet Fragmentation

Packet-switched networks will all, at one time or another, experience fragmentation. This is due to the fact that all complex networks are made up of various physical media and configurations. So, a packet of a certain size might fit fine on one segment, but may suddenly be many times larger than the capacity of the next segment. The size limit that is allowed to exist on a network varies from network to network and is referred to as the Maximum Transmission Unit (MTU).

In the event that a datagram gets fragmented, it is not reassembled until it reaches its final destination. When the datagram is fragmented, each fragment becomes its own unique packet—transmitted and received uniquely.

TCP segments are sent using IP datagrams. TCP expects a one-to-one ratio of segments to datagrams. Therefore, IP on the receiving end must completely reassemble the datagram before handing the segment to TCP. In the relationship between TCP and IP, the following rules that affect fragmentation are defined:

• The TCP Maximum Segment Size (MSS) is the IP Maximum Datagram Size minus 40 octets.

• The default IP Maximum Datagram Size is 576 octets.

• The default TCP Maximum Segment Size is 536 octets.

Fragmentation will rarely happen at the source of a datagram, but it is possible. One example is a receiving host that says it can accept segments many times larger than what the sender normally sends. Another example would be a host on a small-packet-sized network, such as PPP, using an application with a fixed-size message.

The common location then for fragmentation is at a gateway, where the odds of different MTUs on different interfaces are very high. The following list shows the MTU for various media:

• PPP: 296 bytes

• Ethernet: 1500 bytes

• FDDI: 4352 bytes

• Token Ring (4 MB/s): 4464 bytes

• Token Ring (16 MB/s): 17914 bytes

The official minimum MTU is 68, and the maximum is 65535.


Figure 2-20: How fragmentation works.

TASK 2G-1

Analyzing Fragmentation

Setup: You are logged on to Windows Server 2003 as Administrator, and Network Monitor is running.

1. Navigate to C:\Tools\Lesson2 and open fragment.cap in Network Monitor.

2. Expand the details of frame 1, looking for the Fragment flag.

3. Observe that, in frame 1, there is no Fragment Offset, as this is the first fragment.

4. Select several consecutive frames. Observe that each successive frame has a higher Fragment Offset as it gets farther from the beginning of the original datagram.

5. Observe that the IP ID stays constant for each fragment.

6. Expand the details of frame 16.

7. Observe that the Fragment flags are now both 0, indicating this is the last of the fragments.

8. Close the capture.


Topic 2H

Analyzing an Entire Session

Now that you have analyzed IP, TCP, UDP, ICMP, fragmentation, handshakes, and teardowns, it is time to put them together. In this topic, you will follow along using two sample captures that were made specifically for this purpose. One capture is a PING capture, and the other is an FTP capture. By analyzing them, you will see how TCP/IP functions—from start to finish.

About the Tasks

In the following tasks, Windows Server 2003 Network Monitor was used to capture a ping between two hosts and an ftp session between two hosts. The ping and ftp commands were run from the command prompt, and the output saved to the text files ping.txt and ftp.txt, respectively. The Network Monitor captures were saved to files ping.cap and ftp.cap, respectively. You can open the TXT files with Notepad to see the commands and responses. You can open the CAP files with Network Monitor and see the frames captured as a result. Let’s take a look.

TASK 2H-1

Performing a Complete ICMP Session Analysis

Objective: To use the supplied capture and text files to examine the TCP/IP headers, in order to understand how a session is set up, used, and torn down.

Setup: You are logged on to Windows Server 2003 as Administrator, and Network Monitor is running.

1. Start Notepad and open the file ping.txt. This file is in C:\Tools\Lesson2. You should see the output shown in the following graphic.

2. Keep this file open.

3. Switch to Network Monitor, and open the file ping.cap. It’s also located in C:\Tools\Lesson2.


4. Observe that frame 1 is an Ethernet broadcast trying to resolve the target IP address to its MAC address.

5. Observe that frame 2 is a reply from the target machine with the appropriate resolution. From now on, the two hosts can communicate.


6. Observe the next two frames. They are ICMP echo messages going back and forth between the two hosts, corresponding to the output in the text file. Examine the ICMP messages, and see the details in frames 3 and 4 as shown in the following graphics.

7. Observe that, for the ping command, no session was set up or torn down—just a simple ICMP echo request, followed by an ICMP echo reply.

8. Close ping.cap and ping.txt.


Continuing the Complete Session Analysis

In the last task, one host successfully pinged another, in preparation for establishing an FTP transaction. We’ll look at the FTP portion of the session, but before we do, a quick differentiation between active and passive FTP is in order.

FTP Communication

Up to this point you have been examining ICMP communication. Now you will examine an active FTP session. There are two different types of FTP, something that many administrators are unfamiliar with. The two FTP types are simply called passive and active.

The mode most people think of with FTP is active FTP. In active FTP, a client makes a connection to the FTP server. The client uses a port higher than 1024 (we’ll call it X) to connect to port 21 on the server, and the FTP command and control session is established. The server then opens the data transfer back to the client from its port 20. The client will receive the data transfer on a port one higher than the client used for command transfer, or X+1.

In passive mode FTP, the client initiates both connections between the client and the server. When the FTP client begins an FTP session, the client opens two ports (again one higher than 1024, and the next port higher, or X and X+1). The first connection and port is the session to the server for command and control on server port 21. The server then opens a random port (again higher than 1024, referred to as Y in this section), and sends this port information back to the client. The client then requests the data transfer from client port X+1 to server port Y.

When active FTP is used, there can be a situation that firewalls dislike. The first part of the FTP session, from client to server, is not a problem. However, when the server responds to the client, it can seem to the firewall to be a new session started from an untrusted network, trying to gain access to the private network.

Passive FTP solves this problem on the firewall, as both parts of the FTP session originate from the FTP client, and no session starts from an untrusted network. There is a different problem with passive FTP. This problem is not on the firewall, but on the server configuration itself. Because the FTP client starts both sessions, the FTP server must be able to listen on any high port, meaning all high ports must be open and available. To deal with this situation, many FTP applications now include features that limit the port range that the server can use.
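The firewall's view of the two modes, as an added simulation (not course code): a minimal stateful filter that records only flows the inside client opened and treats anything else arriving from outside as a new session. The inside prefix 172.16.30., the outside server address 203.0.113.10, X=2025 and Y=4100 are constructed values for the demonstration.

```python
INSIDE_NET = "172.16.30."    # constructed private side of the firewall
FTP_CONTROL = 21
FTP_DATA = 20


class StatefulFilter:
    """Allows new sessions only from inside to outside and remembers each one as
    (src_ip, src_port, dst_ip, dst_port), so that replies can be matched."""

    def __init__(self, inside_prefix: str = INSIDE_NET):
        self.inside = inside_prefix
        self.table = set()

    def _is_inside(self, ip: str) -> bool:
        return ip.startswith(self.inside)

    def connect(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
        """Decision for a connection request (a SYN): 'allow' or 'drop'."""
        if self._is_inside(src_ip) and not self._is_inside(dst_ip):
            self.table.add((src_ip, src_port, dst_ip, dst_port))
            return "allow"                  # outbound: the trusted side opened it
        if (dst_ip, dst_port, src_ip, src_port) in self.table:
            return "allow"                  # belongs to a flow the inside started
        return "drop"                       # a new session from the untrusted network


def active_ftp(fw: StatefulFilter, client: str, server: str, x: int) -> list:
    """Active mode: client X -> server 21, then server 20 -> client X+1."""
    return [fw.connect(client, x, server, FTP_CONTROL),
            fw.connect(server, FTP_DATA, client, x + 1)]


def passive_ftp(fw: StatefulFilter, client: str, server: str, x: int, y: int) -> list:
    """Passive mode: client X -> server 21, server names port Y, client X+1 -> server Y."""
    return [fw.connect(client, x, server, FTP_CONTROL),
            fw.connect(client, x + 1, server, y)]


if __name__ == "__main__":
    client, server = "172.16.30.2", "203.0.113.10"   # constructed: server lies outside
    print("active  (control, data):", active_ftp(StatefulFilter(), client, server, 2025))
    print("passive (control, data):", passive_ftp(StatefulFilter(), client, server, 2025, 4100))
```

The data connection of active FTP is dropped because, to the filter, server:20 to client:X+1 is not the reverse of any recorded flow; passive FTP's data connection is recorded as outbound like the control connection.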


TASK 2H-2

Performing a Complete FTP Session Analysis

Objective: To use the supplied capture and text files to examine the TCP/IP headers, in order to understand how a session is set up, used, and torn down.

Setup: You are logged on to Windows Server 2003 as Administrator. Notepad and Network Monitor are running.

1. Switch to Notepad and open ftp.txt. This file is located in C:\Tools\Lesson2. You should see the results shown in the following graphic.

2. Observe that, in this session, when the ftp server asks for a password, the user enters it but it is not recorded on screen.


3. Switch to Network Monitor, and open ftp.cap in C:\Tools\Lesson2. You should see results similar to those shown in the following graphics. (Depending on the version of Network Monitor you are using, MAC and IP addresses might be displayed in Hex, and the time might be in a different format.)

There are 51 frames involved in this capture.

4. If you would like to change the color of the FTP packets for easier viewing, choose Display→Colors. Scroll down and select FTP; then, from the Background drop-down list, select a mild color such as gray or teal, and click OK. If you select a darker color, it might make it more difficult to read the text.

If you would like to change the format of the addresses from Hex to more readable names, choose Display→Addresses, and click Add. In the box that is displayed, enter FTPSITE for the Name, add 002B32CFC72 for the Address, verify that the Type is Ethernet, and click OK. Click Add again, then enter LOCAL for the Name, add 0002B32C5B13 for the Address, verify that the Type is Ethernet, and click OK twice.


5. Observe that frames 3, 4, and 5 represent the TCP handshake involved in establishing the session. Frames shaded gray (6, 8-9, 11-12, 14, 16-19, 23, 29, 31-34, 38, 44, and 46-47) are all directly involved with the ftp application—authentication, ftp requests for directory information, an actual file transfer, followed by a quit, and bye response.

6. Observe that in frame 8, you can see the user name being supplied.

7. Observe that in frame 9, you can see the request for a password.

8. Observe that in frame 11, you can see the password being supplied. Isn’t this a good enough reason to employ some secure authentication such as encryption?

9. Let’s view the three-way handshake frames in a bit more detail.

Frame 3 starts the three-way handshake Active Open by setting the SYN bit to 1, offering source port no. 2025 (07E9 in Hex), while at the same time directing the request to port number 21 (15 in Hex) on the server. A sequence number 2052360112 (7A5487B0 in Hex) is associated with this frame to uniquely identify it, even in the event of multiple sessions between the same two hosts.


10. Let’s look at the reply.

The reply from the ftp server in frame 4 includes an ACK, while simultaneously including a SYN. This is the Passive Open.

11. Observe that frame 5 includes an ACK from the client.

Once the session is established, FTP can continue on with its setup. This includes a login and a password (to be supplied if anonymous access is not supported), followed by file requests.


12. Observe that frame 6 shows the ftp server asking for user identification. Frame 8 shows the ftp client supplying the user name of test user.

13. Observe that this is met by the ftp server asking for the password in frame 9.


14. Observe that in frame 11, you can see the password being offered. Because no secure methods for authentication were set up, you can see the actual password (the word “plaintext”).

15. Observe that once the user has been authenticated, the ftp session is allowed to continue. The ftp server puts out the welcome message shown in frame 12.


16. Observe that the rest of the frames dealing with FTP—frames 14, 16-19, 23, 29, 31-34, 38, and 44—have to do with directory listings and file transfers.


17. Observe that in frame 38, you can see the actual contents of the file as it is being transferred. In this case, because it is just a text file, you can read the contents.

18. Observe that in frame 46, you can see the client attempt to close the connection with the Quit command.


19. Observe that in frame 47, you can see the server communicate with the client with the message “See ya later.”


20. Observe that these messages are followed by TCP terminating the session from both ends in frames 48 and 49, and 50 and 51, respectively, where the FIN bits are set to 1 and the corresponding frame contains the ACK bit set to 1.


21. Close Network Monitor. If you are prompted to save addresses, click No.

22. Close Notepad.
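The exposure seen in frames 8 and 11 above, where the user name and the password cross the wire readable, is the kind of thing a monitor should flag automatically. The following added example (not course code, and not Network Monitor's own format) pairs USER and PASS commands per FTP control connection over a constructed list of decoded frames and reports the finding with the password length rather than the password itself; the frame numbers, addresses and the user name testuser are constructed in the spirit of ftp.cap.

```python
import re
from typing import List, Tuple

FTP_CONTROL_PORT = 21
USER_RE = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)
PASS_RE = re.compile(r"^PASS\s+(\S+)", re.IGNORECASE)

# Constructed sample frames: (frame number, src "ip:port", dst "ip:port", decoded payload).
SAMPLE_FRAMES = [
    (6,  "172.16.30.1:21",   "172.16.30.2:2025", "220 FTP server ready"),
    (8,  "172.16.30.2:2025", "172.16.30.1:21",   "USER testuser"),
    (9,  "172.16.30.1:21",   "172.16.30.2:2025", "331 Password required for testuser."),
    (11, "172.16.30.2:2025", "172.16.30.1:21",   "PASS plaintext"),
    (12, "172.16.30.1:21",   "172.16.30.2:2025", "230 User testuser logged in."),
    (14, "172.16.30.2:2025", "172.16.30.1:21",   "PORT 172,16,30,2,7,234"),
]


def find_cleartext_logins(frames: List[Tuple[int, str, str, str]]) -> list:
    """Return one finding per USER/PASS pair seen on a control connection.

    Only client-to-server traffic to port 21 is inspected; the password is
    never stored, only its length, so the alert itself does not leak it.
    """
    pending = {}            # (client, server) -> (frame of USER, user name)
    findings = []
    for frame, src, dst, payload in frames:
        if not dst.endswith(":%d" % FTP_CONTROL_PORT):
            continue                    # server replies and data connections carry no USER/PASS
        key = (src, dst)
        m = USER_RE.match(payload)
        if m:
            pending[key] = (frame, m.group(1))
            continue
        m = PASS_RE.match(payload)
        if m and key in pending:
            user_frame, user = pending.pop(key)
            findings.append({
                "client": src,
                "server": dst,
                "user": user,
                "user_frame": user_frame,
                "pass_frame": frame,
                "password_length": len(m.group(1)),
                "severity": "high",     # credentials readable by anyone on the path
            })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_FRAMES):
        print("cleartext FTP login %s -> %s user=%s (USER in frame %d, PASS in frame %d, "
              "%d-character password)" % (f["client"], f["server"], f["user"],
                                          f["user_frame"], f["pass_frame"], f["password_length"]))
```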


Summary

In this lesson, you looked deep into the structure of the TCP/IP protocol. You reviewed the RFCs associated with IP, ICMP, TCP, and UDP. You then used Network Monitor and Wireshark to capture and analyze IP packets. You examined captures associated with network traffic. You learned to read the actual data being transmitted between two or more hosts. Finally, you analyzed a complete session, frame-by-frame.

Lesson Review

2A How many layers are in the OSI Model?

Seven.

How many layers are in the TCP/IP Model?

Four.

What are the assignable classes of IP addresses?

A, B, and C.

What are the three private ranges of IP addresses, as defined in the RFCs?

a. 10.0.0.0 to 10.255.255.255

b. 172.16.0.0 to 172.131.255.255

c. 192.168.0.0 to 192.168.255.255

2B How many control flags are in a TCP header?

Six.

What is the function of an acknowledgement number?

To provide an acknowledgement for a received packet. The value is usually tied into the SYN number on the received packet.

How many steps are required to establish a TCP connection?

Three.

How many steps are required to tear down a TCP connection?

Four.

What are the two main views of Network Monitor?

Display View and Capture View.

2C What is the first field that is read by the computer in the IP header?

Version.


What is the Protocol ID of ICMP in the IP header?

1.

What is the Protocol ID of TCP in the IP header?

6.

What is the Protocol ID of UDP in the IP header?

17.

2D What is the first field that is read by the computer in the ICMP message?

Type.

How many bits make up the Type field?

Eight.

How many bits make up the Code field?

Eight.

2E What is the first field that is read by the computer in the TCP header?

Source Port Number.

How many control bits are in the TCP header?

Six.

How many bits is the Sequence Number?

32.

How many bits is the Acknowledgement Number?

32.

2F What is the first field that is read by the computer in the UDP header?

Source Port Number.

What is the UDP header and data encapsulated in?

An IP datagram.

How many bits are both the source and destination port numbers?

16.

What is in the payload of the tftp.cap file that you analyzed?

Cisco Router Configuration and Access Lists.

2G In the fragment.cap file that you analyzed, how do you suppose this fragmentation happened?

By a user sending a large ping. (See the file fragment.txt, in the same folder as fragment.cap, to understand how this was initiated.)


Why is there no upper-layer protocol list in the Detail pane for frames 2 through 13?

These are the subsequent fragments whose upper-layer protocol is referred to in the first fragment; therefore, they do not have any header information other than IP.

What was the upper-layer protocol that caused the fragmentation?

ICMP.

2H In the FTP capture file that you analyzed in this topic, what pair of sockets are involved in the initial three-way handshake?

On the client: IP address 172.16.30.2, port 2025. On the FTP Server: IP address 172.16.30.1, port 21.

In the FTP capture file that you analyzed in this topic, what pair of sockets are involved in the exchange of FTP data in response to the request for directory listing?

On the FTP Server: IP address 172.16.30.1, port 20. On the client: IP address 172.16.30.2, port 2026.

In the FTP capture file that you analyzed in this topic, what frames indicate that a three-way handshake is taking place between the FTP server and the client in preparation for the sending of FTP data in response to the request for the file textfile.txt?

Frames 35, 36, and 37.


Routers and Access Control Lists

Overview

In this lesson, you will be introduced to the functioning of routers and routing protocols. The examples in this lesson are shown on Cisco Routers, specifically the 2500 series. You will examine the issues of securing routers and routing protocols. You will remove unneeded services and create access control lists to manage and secure the network. The lesson ends with the creation of logging options on the Cisco router.

Objectives

To understand the functions of routers and routing protocols, you will:

3A Configure fundamental router security.

You will create the required configurations to secure connections, create banners, and implement SSH.

3B Examine principles of routing.

You will capture routing protocols and analyze the IP and MAC relationship in a routed environment.

3C Configure the removal of services and protocols.

You will create the required configurations to harden the core services and protocols on a Cisco router.

3D Examine the function of Access Control Lists on a Cisco router.

You will create wildcard masks to be used in conjunction with the implementation of Access Control Lists.

3E Implement Cisco Access Control Lists.

You will create the required configurations to implement Access Control Lists to defend against network attacks on a Cisco router.

3F Configure logging on a Cisco router.

You will create the required configurations to enable logging on a Cisco router.

Data Files

ping-arp-mac.cap

rip update.cap

ripv2withAuthentication.cap

PuTTy.exe

Lesson Time

6 hours

LESSON 3

Lesson 3: Routers and Access Control Lists 95


Topic 3A

Fundamental Cisco Security

Although this lesson is not designed to make you a Cisco or a routing expert, you will become familiar with the core functions of routers and how to best harden this critical component of the infrastructure.

Cisco Router Language

A Cisco router has one or more connections to networks. Each of these connections is referred to as an interface. To further define this interface concept, Cisco uses the type of interface as part of the name as well. Therefore:

• An interface that is connected to an Ethernet segment of the network always starts with an E.

• A Fast Ethernet interface always starts with an F.

• An interface that is connected to a serial connection always starts with an S.

• An interface that is connected to a Token Ring segment always starts with To.

Along with the interface type, Cisco router interfaces are numbered. The interface numbering begins with a zero. In other words:

• The first Ethernet interface on the router is known as E0.

• Likewise, the first serial interface on the router is S0.

• Finally, the first Token Ring interface on the router is To0.

Cisco Operating System

The Cisco routers have their own operating system, which is known as the IOS (Internetworking Operating System). The IOS is found on all Cisco routers and can be uploaded to or downloaded from a tftp site. It is common to copy the IOS image to the tftp location as a quick backup in the event that the running IOS gets corrupted.

Most of the current routers in production are running versions 11.x or 12.x of the Cisco IOS. When Cisco makes a major release of the IOS, it is assigned a number, such as 11 or 12. Point releases can also be added to the number, such as 11.2 or 12.2. You might also see an IOS listed as version 12.0(3). The 3 in parentheses is the third maintenance revision of the major release. Maintenance revisions are released every eight weeks and contain bug fixes and/or updates, as Cisco dictates.

Accessing the Router

Cisco provides a wide variety of access points for their routers. Each method of access can provide the ability to view the router differently. Some methods require the network to be functioning and active, while others do not require any network connectivity at all. The methods of access include the console port, the auxiliary port, or network access. Network access can, in turn, include VTY (terminal access), HTTP, TFTP, and SNMP. Each of these methods is detailed here:

• The console port is the main point of access on a Cisco router. This is a direct physical connection, requiring the router to be in the presence of the person using the port. This is the connection method used to create the initial configuration and in the event of an emergency, such as password recovery. Because it requires direct physical access, the console port should not be the primary method of accessing the router.

bug: An unwanted and unintended property of a program or piece of hardware, especially one that causes it to malfunction.

SNMP: (Simple Network Management Protocol) Software used to control network communications devices using TCP/IP.

• The auxiliary port can be used to connect to the router via a modem. This can be a functional method of accessing the router if the primary network is down and you are not able to gain physical access to the router.

• The VTY sessions provide for terminal access to the router. These connections require the network to be functioning to provide access. The most common method of accessing a VTY session is telnet, although—for security purposes—SSH is supported, and is recommended. There are five VTY ports on the router by default, and they are numbered 0 through 4. In this course, access will be provided by using VTY sessions.

• Other network access points like HTTP, TFTP, and SNMP are also supported on newer versions of the IOS. HTTP can be used if the router runs as a web server, authenticating users for access. TFTP is used for loading IOS and configuration files, and SNMP can be used in full network management configurations.

Modes of Operation

In the router, there are several different modes an administrator can use. These range from simple, informational modes, to the complex modes of router configuration. Several examples of the different modes are listed below:

• User Mode: In this mode, users can see the configuration of the router, but will not be able to make any significant changes to the router. The prompt for User Mode looks like this: Router>.

• Enable Mode: In this mode, users can make more significant changes to the router, including some of the router configuration options. The prompt for Enable Mode looks like this: Router#.

• Global Configuration Mode (also known as Configure Terminal Mode): In this mode, users can make configuration changes that will affect the entire router. The prompt for Global Mode looks like this: Router(config)#.

Generally, once you connect to the router, you will move to Enable Mode right away, since that is where much of the router management happens. As a side note, Enable Mode is often called Privileged Mode in text. So, you can consider Enable Mode and Privileged Mode to mean the same thing—the next level of router access beyond User Mode.

Configuration Fragments

In this lesson, you will see many examples of configurations of the router. It is not practical to list every step and every line entered for every option. Therefore, what you will see are called configuration fragments.

For example, to navigate to an Interface Mode of a router, the following commands are required:

1. Connect to the router via an access method, such as telnet: Telnet 10.10.10.10.

2. Enter the password for VTY access: L3tm3!n.

3. Enter the password for Enable Mode: P0w3r.

4. Enter the command for Configure Terminal Mode: Configure Terminal.

5. Enter the command for Interface Mode: Interface Ethernet 0.


In this course, the command sequence listed previously will not be described line-by-line but with a configuration fragment. So, the steps to access Interface Mode will look like this:

1. Router#Config Terminal

2. Router(Config)#Interface Ethernet0

This configuration fragment goes right to the concept, or function, of the discussion. In this example, you cannot be in Enable Mode (identified by the Router# prompt), without first accessing the router (probably by using Telnet), and entering the required credentials.

Navigating in the Router

The Cisco router interface is a command-line interface, with a format that is similar to UNIX. For those of you getting started with the router, if you get lost in the command structure, here are some of the more common commands to learn and use.

• First is the question mark (?).

— This simple single-character command will list for you all the available options at a given point in the router. For example, if you enter the question mark at the User Mode prompt, like so: Router>?, you will be given an alphabetical list of the commands that are options at this point. This command will yield a different set of commands than using the same question mark at the Enable Mode prompt (Router#?).

— If you recall the first letter of a command, but not the entire string, again the question mark can come in handy. For example, if you are trying to enter Enable Mode, but forgot how to spell enable, you can use the following command: Router>E? This command lists all the commands starting with the letter E with brief descriptions of their functions.

• Other shortcuts to use are the Up Arrow and Down Arrow keys. Using these will scroll you through commands you have entered into the router for quick access.

• Finally, using key combinations can be helpful as well. Two examples of key combinations are Ctrl+A and Ctrl+E.

— Using the Ctrl+A key combination moves the cursor to the beginning of a command line.

— Using the Ctrl+E key combination moves the cursor to the end of a command line.

As an FYI, if the Up Arrow and Down Arrow keys do not function on your system, you can use the key combination Ctrl+P in place of the Up Arrow key, and Ctrl+N in place of the Down Arrow key.

Authentication and Authorization

In order for someone to have access to control a router, there must be both authentication and authorization. It is important not to confuse these two, as they are so similar. Authentication is the process of identifying a user, and it generally grants or denies access. Authorization is the process of defining what an authenticated user can do. So, a user gains access to the router via authentication and gains control of the router via authorization; which commands a given user may run is governed by the privilege level assigned to that user, not by the fact that the login succeeded.

98 Tactical Perimeter Defense

Page 141: SCNS - Tactical Perimeter Defense

In Cisco routers, there are two main categories of authentication: the AAA method and the non-AAA method (called traditional by some). AAA stands for Authentication, Authorization, and Accounting.

• Earlier, you were introduced to the methods of access, such as console, auxiliary, and VTY sessions. Protecting these with a line password, or with the router's local username database, is a non-AAA method: the credentials are checked against what is stored on the router itself. Cisco also classes the original Terminal Access Controller Access Control System (TACACS) and Extended TACACS as non-AAA, because they predate the AAA framework even though they consult a server.

• AAA methods include RADIUS, TACACS+, and Kerberos. These provide the full level of Authentication, Authorization, and Accounting, so that each administrator is identified individually, limited to what that person is authorized to do, and has the commands issued recorded against that identity.

Configuring Access Passwords

Because there are several different methods of accessing the router, in order to provide security you must be able to lock down each of these access points. The first line of defense is to set a password for each form of access.

Setting the Console Password

Because the console-port connection is used for direct access, it must have a strong password. This can be, and usually is, created during the initial setup of the router. In order to set the Console password, you enter Configure Terminal Mode and then enter the command line console 0. This puts you in the line configuration mode where the password can be created. The login command tells the router that a password is required, and the password command supplies the actual password. The configuration fragment looks like this:

    Router#config terminal
    Router(config)#line console 0
    Router(config-line)#login
    Router(config-line)#password l3tm3!n
    Router(config-line)#^Z
    Router#

Note that a line password set this way is stored in the configuration as cleartext. The service password-encryption command replaces it with a type 7 string, but type 7 is a reversible obfuscation that freely available tools decode in an instant, so treat the configuration file itself as sensitive regardless.

Setting the Enable Passwords

The process for setting the Enable password is similar to the process for setting the Console password. You will notice that the processes in the following sections are all similar; only the object (such as the console or a vty line) differs.

As to the password itself, there are two different Enable passwords. The first is the standard Enable password; the second is the Enable Secret password. The standard Enable password exists only for backwards compatibility with IOS releases that do not understand Enable Secret. If the Enable Secret password has been configured, it takes precedence. The reason to use Enable Secret over the standard Enable password is that the Enable Secret is stored as a salted hash (type 5), which cannot be read back as plaintext from the configuration, whereas enable password is stored in cleartext or, at best, in reversible type 7 form. If you must keep an enable password for an old image, give it a different value from the secret; setting both to the same value hands the secret to anyone who reads the type 7 string. The configuration fragment for setting the Enable Secret password looks like this:

    Router#config terminal
    Router(config)#enable secret p@55w0rd
    Router(config)#^Z
    Router#

Lesson 3: Routers and Access Control Lists 99


Setting the VTY Password

Configuration of the password for the VTY sessions is similar to creating the Console password. Remember that on the routers used in this course there are five VTY sessions, numbered 0 through 4 (newer IOS images provide more, typically 0 through 15, and every one of them must be secured, since Telnet or SSH will use whichever line is free). When you are setting the VTY password, you can create a password for one or for all of these sessions. In this first configuration fragment, the password is set for just the first VTY session:

    Router#config terminal
    Router(config)#line vty 0
    Router(config-line)#login
    Router(config-line)#password l3tm3!n
    Router(config-line)#^Z
    Router#

In the following configuration fragment, the password is set for all VTY sessions, 0 through 4. Note that the process is nearly identical.

    Router#config terminal
    Router(config)#line vty 0 4
    Router(config-line)#login
    Router(config-line)#password l3tm3!n
    Router(config-line)#^Z
    Router#

A useful property of the login command is that it fails closed: if login is set on a VTY line but no password has been configured for it, the router refuses the connection with the message "Password required, but none set" rather than letting the session in.

TASK 3A-1
Configuring Passwords

1. Create the configuration fragment that you would use to set the Console password of ACC3$$, and to set all VTY sessions to use the password of +3ln3+.

    Router#configure terminal
    Router(config)#line console 0
    Router(config-line)#login
    Router(config-line)#password ACC3$$
    Router(config-line)#^Z
    Router#
    Router#configure terminal
    Router(config)#line vty 0 4
    Router(config-line)#login
    Router(config-line)#password +3ln3+
    Router(config-line)#^Z
    Router#

Creating User Accounts

Although individual user accounts are not required for regular operation of the router, adding them gives you another level of control over the router and over router access: each administrator authenticates as a distinct identity, and a departing administrator's account can be removed without changing a password that everyone shares.

To create local user accounts, the command syntax is only one line per account. In organizations where several people manage the router, this is a solid practice. The accounts only come into play on lines configured with login local (rather than plain login), which is shown in the SSH configuration later in this topic. The following configuration fragment shows the creation of several user accounts:


    Router#configure terminal
    Router(config)#username Auser password u$3r1
    Router(config)#username Buser password u$3r2
    Router(config)#username Cuser password u$3r3
    Router(config)#username Duser password u$3r4
    Router(config)#^Z
    Router#

The password keyword stores these passwords in cleartext (or in reversible type 7 form if service password-encryption is set). On IOS releases that support it, use username name secret password instead, which stores a hash in the same way enable secret does.

Implementing Banners

In addition to having proper passwords on the router, it is important to have adequate warning banners. It is highly recommended that you view these as warning banners and not as welcome banners, as they used to be called. A warning banner is not designed to be the end-all of security; most people know a banner will not stop a determined attacker. However, a banner can provide some legal backing for you and your organization.

There are four general functions that warning banners should provide. Although you should look to legal counsel for the exact wording, your banner should address each of these. The banner should:

• Not provide useful technical or non-technical information that an attacker can use (no hostnames, model numbers, IOS versions, or contact details).

• Inform users of the system(s) that their actions are subject to recording, and may be used in a court of law.

• Define who is and who is not an authorized user of the system(s).

• Provide adequate legal standing to both prosecute offenders and protect the administrators of the equipment.

The following is an example of what a banner could look like for an organization:

    Warning!!! This system is designed solely for the authorized
    users of Company X on official business. Users of this system
    understand that there is no expectation of privacy, and that use
    of the system may be monitored and recorded. Use of this system
    is consent to said monitoring and recording. Users of this
    system acknowledge that if monitoring finds evidence of misuse,
    abuse, and/or criminal activity, that system operators may
    provide monitoring and recording data to law enforcement
    officials.

Implementing Cisco Banners

On the Cisco router, there are several types of banners available:

• MOTD banner: The MOTD banner is for setting Messages Of The Day. The MOTD banner is shown to all terminal users who connect to the router, before they are asked to input a username and password. This may not be an efficient location for your warning banner if your company literally uses this banner to list day-to-day information. You do not want to be setting the warning banner each and every day, and worrying about missing a day. This banner is used for sending notices to users, such as an upcoming system shutdown for upgrading the IOS.

• Login banner: The login banner is where the warning banner should be located. This banner is shown to each user every time a login attempt happens, after the MOTD banner and before the username or password prompt. The banner is set in Configure Terminal Mode, and uses a beginning and ending delimiter character. The delimiter can cause confusion, but is quite simple: any character can be used as a delimiter, as long as you use the same character at the beginning and the end, and the character does not appear anywhere in the banner text itself, because the router ends the banner at its first occurrence. In the following configuration fragment, the letter C is used as the delimiter character:

    Router#configure terminal
    Router(config)#banner login C
    Warning!!! This system is designed solely for the authorized
    users of Company X on official business. Users of this system
    understand that there is no expectation of privacy, and that
    use of the system may be monitored and recorded. Use of this
    system is consent to said monitoring and recording. Users of
    this system acknowledge that if monitoring finds evidence of
    misuse, abuse, and/or criminal activity, that system
    operators may provide monitoring and recording data to law
    enforcement officials.
    C
    Router(config)#^Z
    Router#

Check this example against the rule just given: the text contains a capital C in "Company", so on a real router the banner would be cut off at that word. Choose a delimiter that cannot occur in the text, such as ^ or #, and verify the stored banner with show running-config after entering it.

• EXEC banner: The EXEC banner is shown after a user has authenticated and an EXEC session (the Router> command shell) starts, so it is seen only by users who have logged in, not by everyone who attempts a connection. You can create a new banner, reuse the same warning banner, or whatever else you wish. The process for setting the banner is nearly identical to the process for the login banner; the difference is the command: instead of banner login, you use banner exec. In the following configuration fragment, you can see the exec banner created, with a delimiter of the pound sign (#):

    Router#configure terminal
    Router(config)#banner exec #
    Reminder!!! When you logged into this system, you
    acknowledged that you are an authorized user of Company X
    systems. You also acknowledged that your use of this system
    may be monitored and recorded. Finally, you agreed that if
    misuse, abuse, and/or criminal activity are found while
    monitoring, that law enforcement officials may be contacted.
    #
    Router(config)#^Z
    Router#


TASK 3A-2
Configuring Login Banners

1. Create the configuration fragment that you would use to create a login warning banner. You can include whatever text you like for the banner, but use the letter B as your delimiter.

A possible response is:

    Router#configure terminal
    Router(config)#banner login B
    Warning!!! This is the login banner for the SCNS TPD class.
    If you are not a member of this class, you may not access
    this system. Users of this system are advised that nearly
    everyone is running packet-capturing utilities and everyone
    is watching you!
    B
    Router(config)#^Z
    Router#

SSH Overview

Although Telnet is used in this course, and is often the method of choice for many administrators, from a security perspective it is not a solid option. There is no encryption on the session: all commands and responses, including the passwords typed at login, are cleartext and can be viewed by any packet-capture utility on the path.

SSH, or Secure Shell, provides a higher level of security on remote connections to the router. The router's RSA key pair identifies the router to the client (the host key), and the SSH key exchange then derives session keys that encrypt everything that follows, so a captured session reveals neither credentials nor commands.

Cisco IOS support for SSH is not present in older versions of the IOS, such as 11.2 and 11.3. Starting with version 12.0(5), SSH is included in the images that contain IPSec; only IOS images with IPSec (the cryptographic feature set) have SSH support. The IOS releases covered in this course implement SSH protocol version 1 (shown as 1.5 in the verification output later in this topic), which has known protocol weaknesses; on releases that support it, 12.3(4)T and later, configure ip ssh version 2 so that only SSHv2 clients are accepted.

In order for SSH sessions to be established, some preparation must take place on the router. The router must have usernames defined, a hostname defined, and a domain name set; the hostname and domain name together name the RSA key pair that is generated in the next step.

Router Configuration to use SSH

In implementing SSH, you should use Access Control Lists to control VTY access. A later section fully details the Access Control List (ACL). In brief, an ACL is used to regulate access (denial or permission) to an object on the router; applied to the VTY lines with access-class, it limits which source addresses may even attempt a management login, whether over SSH or Telnet.

In this configuration fragment, ACL 23 defines the single host that is allowed to access the router for administration. The host name of the router is simply Router and the domain is scp.mil. The username is SSHUser and the password for this user is No+3ln3+. Note that login local on the VTY lines is what makes the router consult this username rather than the line password.


    Router#configure terminal
    Router(config)#ip domain-name scp.mil
    Router(config)#access-list 23 permit 192.168.51.45
    Router(config)#line vty 0 4
    Router(config-line)#access-class 23 in
    Router(config-line)#exit
    Router(config)#username SSHUser password No+3ln3+
    Router(config)#line vty 0 4
    Router(config-line)#login local
    Router(config-line)#exit
    Router(config)#

The router configuration is close to finished, but there is still some work to be done. An RSA key pair must be generated before the SSH server will start. When creating a new key pair, be aware that it may take some time to complete. In this fragment, all you will see is the command crypto key generate rsa, the choice of 1024 as the number of bits in the modulus (the Cisco-recommended minimum at the time of writing), and the OK when the calculation is done. SSH version 2 requires a modulus of at least 768 bits, and current guidance is 2048 bits or more; a 512-bit modulus is factorable with modest resources and should not be used outside a lab.

    Router#configure terminal
    Router(config)#crypto key generate rsa
    The name for the keys will be: Router.scp.mil
    Choose the size of the key modulus in the range of 360 to 2048
    for your General Purpose Keys. Choosing a key modulus greater
    than 512 may take a few minutes.
    How many bits in the modulus [512]: 1024
    Generating RSA keys ...
    [OK]
    Router(config)#

You have now enabled SSH on your router. There are some commands you can use to fine-tune the SSH function, and you will need to configure your client to use SSH.

The following configuration fragment defines the time-out, in seconds, that the server will wait for the client to complete authentication. The default (and maximum) is 120 seconds, and the Cisco recommended time is 90 seconds. In this fragment, the time has been changed to 45 seconds. Note that the IOS keyword is time-out, with a hyphen:

    Router#configure terminal
    Router(config)#ip ssh time-out 45
    Router(config)#^Z
    Router#

The next fragment defines the number of authentication attempts allowed before the router drops the connection. The default for this setting is 3, and the maximum is 5. This is a setting you may rarely change, but in the fragment the retries are set to 2, so after the second failed attempt the connection is dropped:

    Router#configure terminal
    Router(config)#ip ssh authentication-retries 2
    Router(config)#^Z
    Router#

Finally is the configuration that lets the VTY sessions on the router accept both SSH and Telnet as valid connection types. If you want only SSH to be used, which is the point here, omit the word telnet from the command. Until you do, the ACL, the local usernames and the RSA key buy you nothing against a sniffer, because an administrator can still log in over cleartext Telnet.


    Router#configure terminal
    Router(config)#line vty 0 4
    Router(config-line)#transport input ssh telnet
    Router(config-line)#^Z
    Router#
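The password, user-account and VTY settings shown above (Enable Secret versus enable password, username ... password versus secret, and transport input with or without telnet) are exactly what an auditor looks for when reviewing a running configuration. The following Python script is an added example, not course material or Cisco code: it parses a constructed configuration in show running-config layout and reports each weakness, including decoding a type 7 password with the well-known fixed key to show why service password-encryption is obfuscation rather than protection. The sample configurations, the hash strings in them and the finding messages are all constructed for the illustration.

```python
"""Audit a Cisco IOS configuration for the weak management-access settings
covered in this lesson: enable password without enable secret, cleartext or
type 7 user passwords, and VTY lines that still accept Telnet, lack an
access-class, or use a shared line password.  Added example (not course
material); the configuration text below is constructed for illustration."""
import re

# Fixed key used by IOS "type 7" obfuscation (service password-encryption).
# Type 7 is reversible by design, which is why it is no substitute for
# enable secret or username ... secret.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(enc: str) -> str:
    """Reverse a type-7 string: 2-digit decimal seed, then hex byte pairs,
    each XORed with the key character at position (seed + i)."""
    seed = int(enc[:2])
    chars = []
    for i, pos in enumerate(range(2, len(enc), 2)):
        byte = int(enc[pos:pos + 2], 16)
        chars.append(chr(byte ^ ord(XLAT[(seed + i) % len(XLAT)])))
    return "".join(chars)


def parse_config(config: str) -> tuple[list, dict]:
    """Split a config into global commands and per-'line' sub-blocks
    (sub-commands are indented by one space in show running-config)."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if cmd.startswith("line "):
            current = cmd
            line_blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            line_blocks[current].append(cmd)
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, line_blocks


USER_RE = re.compile(r"username (\S+)(?: privilege \d+)? password(?: (\d))? (\S+)")


def audit(config: str) -> list[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    global_cmds, line_blocks = parse_config(config)
    findings = []

    has_secret = any(c.startswith("enable secret") for c in global_cmds)
    if any(c.startswith("enable password") for c in global_cmds) and not has_secret:
        findings.append("enable password is set but enable secret is not")

    for cmd in global_cmds:
        m = USER_RE.match(cmd)
        if not m:
            continue                      # 'username ... secret ...' is fine
        user, ptype, value = m.groups()
        if ptype in (None, "0"):
            findings.append(f"user {user}: password stored in cleartext")
        elif ptype == "7":
            findings.append(f"user {user}: type 7 password, decodes to {decode_type7(value)!r}")

    for name, cmds in line_blocks.items():
        if not name.startswith("line vty"):
            continue
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None or "telnet" in transport or transport.endswith(" all"):
            findings.append(f"{name}: Telnet accepted ({transport or 'transport input not set'})")
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(f"{name}: no access-class limiting management sources")
        if "login local" not in cmds and not any(c.startswith("login authentication") for c in cmds):
            findings.append(f"{name}: shared line password, no per-user accounts")
    return findings


# Constructed sample: the kind of config the fragments in this lesson produce.
WEAK_CONFIG = """\
hostname Router
enable password p@55w0rd
username Auser password 7 0822455D0A16
username Cuser password u$3r3
username Buser secret 5 $1$xyz1$constructedhashvalue
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password l3tm3!n
 login
 transport input ssh telnet
"""

# The same router after the hardened SSH configuration (hashes constructed).
HARDENED_CONFIG = """\
hostname Router
enable secret 5 $1$abcd$constructedhashvalue
username SSHUser secret 5 $1$efgh$constructedhashvalue
ip ssh version 2
line vty 0 4
 access-class 23 in
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("WEAK:", finding)
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Run it against a saved copy of show running-config. An empty result for the hardened configuration is the point, not a guarantee: the script checks only the settings covered in this topic.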

SSH Verification

On the router, you will want to run some diagnostic commands to find out who is connected and how. These commands show you the state of your SSH connections. There are some differences based on the IOS version you are running, so note that in the following.

If you are running IOS version 12.1 and want to see the state of SSH connections, including who is connected, use the command show ip ssh. The following fragment lists what this command reveals.

    Router#show ip ssh
    Connection   Version   Encryption   State   Username
    0            1.5       3DES         4       SSHUser
    Router#

If you are running IOS version 12.2, there are two commands for viewing SSH information. First is the show ip ssh command, only here it lists the server settings, such as time-out, retries and protocol version. The second command is show ssh, and this shows the users connected. The following fragment shows both commands used, one after the other, and their result onscreen.

    Router#show ip ssh
    SSH Enabled - version 1.5
    Authentication timeout: 45 secs; Authentication retries: 2
    Router#show ssh
    Connection   Version   Encryption   State             Username
    0            1.5       3DES         Session Started   SSHUser
    Router#

Two things in this output are worth checking rather than just reading. Version 1.5 means SSH protocol version 1 (1.99 would indicate that both versions are accepted, and 2.0 that only SSHv2 is). And the State column (4, or Session Started) confirms that authentication completed; a connection stuck in an earlier state is a client that has not yet authenticated and is holding one of the VTY lines until the time-out expires.

INSTRUCTOR TASK 3A-3
Configuring SSH on a Router

Setup: Observe as your instructor performs the SSH configuration on the LEFT and RIGHT routers.

1. Console in to the LEFT router, and switch to EXEC mode.

2. At the LEFT# prompt, enter conf t to switch to config mode. The LEFT(config)# prompt should be displayed.

3. Enter ip domain-name left.com to provide a domain name.

4. Enter crypto key generate rsa to create key pairs. When you are prompted for the number of bits in the modulus, press Enter to accept the default of 512. (This is acceptable only in the classroom; on a production router choose at least 1024 bits, and 2048 where the IOS allows it.)

5. Enter ip ssh time-out 120 to set the time-out value to 2 minutes.

6. Enter ip ssh authentication-retries 3 to limit the number of unsuccessful attempts.


7. Enter line vty 0 4 to begin the line configuration. The LEFT(config-line)# prompt is displayed.

8. Enter transport input ssh to limit the VTY sessions to accept only SSH connections.

9. Enter login local to provide for local login.

10. Enter exit to return to the LEFT(config)# prompt.

11. Enter username sshl01 privilege 15 password sshpass to assign a user name and password for student station L01. (privilege 15 puts the user straight into Enable Mode at login, so this account is as powerful as the enable secret; in production, give each administrator only the privilege level the job requires.)

Repeat this command to assign user names and passwords for all other student stations on the left side of the classroom.

12. Enter exit to return to the LEFT# prompt.

13. Enter copy ru st (short for copy running-config startup-config) to save the configuration changes. Press Enter to accept the default file name. Until this step, the SSH configuration exists only in the running configuration and would be lost at the next reload.

14. Enter exit to return to the LEFT> prompt.

15. Disconnect from the LEFT router, and console in to the RIGHT router.

16. Use the steps listed previously as a guide to set up SSH on the RIGHT router. Use the domain name right.com, and create user names such as sshr01, sshr02, and so forth.

17. Disconnect from the RIGHT router, and close the console.

18. Try to Telnet to either of the ssh-enabled routers, and ask students to do the same. None of the attempts should succeed, as you have blocked Telnet connections on both routers. Note that the classroom routers have no access-class on the VTY lines, so any host that can reach them may attempt an SSH login; the ACL shown earlier in this topic is what closes that gap.

Client Configuration to use SSH

Just as some configuration was required on the server, some configuration is needed on the client side to run SSH. However, the configuration on the client is not nearly as complex. In general, an SSH client application must be installed, and the client must be configured to use that application when communicating with the router. There are several SSH client programs available; in this example, the PuTTY program is used. Figure 3-1 shows an example of the settings for this application.


Figure 3-1: The client configuration for an SSH session.

During the first connection, the client presents the router's RSA host key (as a fingerprint) and asks whether to trust it; this is how SSH lets the client authenticate the router, and it is the one step a user can get wrong. Additionally, you will be required to present proper credentials when connecting, meaning the local username on the router and the password. Once you enter the proper credentials, you will have secure access, and operation will be no different than using Telnet.

TASK 3A-4
Configuring the SSH Client

Setup: You are logged on to Windows Server 2003 as the renamed Administrator account. The routers have a limited number of simultaneous logins, so you might need to take turns accessing the routers if your class has many students in it.

1. Navigate to the putty.exe file located in C:\Tools\Lesson3.

2. Double-click putty.exe.

3. For Host Name, enter the IP address for your router. Your instructor will provide the router IP addresses. The router you use is named LEFT or RIGHT, based on your location in the classroom.

4. Click SSH (Port 22).

5. Click Open to initiate the connection.

Instructor note: Provide students with the location of the PuTTY installation program.

Instructor note: Provide students with the IP addresses for the LEFT and RIGHT routers.


6. When you are prompted, click Yes to accept the key, and click Yes to continue the connection. Press Enter to display the login prompt. In the classroom this is fine; on a real network, compare the fingerprint PuTTY shows with the one obtained from the router over the console before clicking Yes. Accepting an unknown key blindly is exactly the opening a man-in-the-middle needs, and PuTTY warns you only if a key it has already stored for that address changes later.

7. Enter your ssh user name, such as sshl01. You should be prompted for a password.

8. Enter sshpass to complete the login sequence.

9. After authentication has taken place, log out and close PuTTY.

Topic 3B
Routing Principles

To be able to secure your routers and routed networks, you need to understand some basic principles related to routing in general. Let's begin by looking at how routers and routing fit into the OSI Model.

The ARP Process

Most people are aware that routers function at the Network layer, but that statement must be understood as: routers route at the Network layer. Routers are affected by and operate at other layers as well, including the Data Link layer.

The OSI model is the foundation of all network communication. Routers fit into the OSI model just as other devices do, with their primary functionality at the Network layer. In this lesson, the vast majority of the content focuses on the Network layer; however, there are important areas of the Data Link layer that must be investigated as well.

MAC addresses are 48 bits long and are written as twelve hexadecimal digits, split into two parts of six digits each. The first six digits represent the vendor code (manufacturer indicator), or OUI (Organizationally Unique Identifier), and the second six are left for definition by the vendor and are often used as a serial number. These numbers are designed to be globally unique, meaning that there should be only one NIC with a given MAC address on the entire planet. Designed to be is the operative phrase: most operating systems and NIC drivers let the MAC address be changed in software, so a MAC address identifies a card only as far as you trust the host it is in, which is why MAC-based filtering is a weak control on its own.

ARP (RFC 826) is used to make the connection between the Layer Two and Layer Three addresses. ARP is used in the following examples of data moving from one host to another.

Note: The IEEE (Institute of Electrical and Electronics Engineers) issues blocks of MAC addresses (OUIs) to network hardware vendors to ensure that MAC addresses remain unique.

Note: Layer Two addresses are used to get frames from one local node to another local node, while Layer Three addresses are used to get packets from one network to another network.


The first example shows data moving from Node 1 to Node 2 on a local network segment. In order for the data to arrive properly, the following steps must occur:

1. Node 1 (knowing the Network layer address of Node 2) sends a local broadcast on the LAN indicating that Node 1 wishes to learn the Data Link address for Node 2.

2. Since Node 1 sent a broadcast, all nodes on the local segment receive and process the request, discarding it when they identify that the broadcast was not intended for them.

3. Node 2 identifies the message requesting its MAC address and responds by sending its Data Link address. Node 2 also stores the MAC address of Node 1 for future use.

4. Node 1 sends the packet directly to the Data Link address of Node 2.

Nothing in this exchange is authenticated. Node 1 accepts whichever reply arrives, and most hosts will also update their cache from a reply they never asked for, so any node on the segment can claim any IP address (ARP spoofing, or cache poisoning). That is the reason a router directly attached to a segment it does not trust is exposed at Layer Two no matter how good its ACLs are.

Figure 3-2 shows this process between Node 1 and Node 2 on the same segment.

Figure 3-2: This example shows the process of a local ARP broadcast between two nodes.

To take this concept a bit further, let's look at the process of MAC address resolution if Node 2 is not on the local segment (see Figure 3-3). In order for communication to take place between Nodes 1 and 2, the following steps must occur:

1. Node 1 determines that it needs to communicate with Node 2. As with all TCP/IP communication, Node 1 ANDs its own IP address with its subnet mask, then ANDs Node 2's IP address with that same (Node 1's) subnet mask.

2. Node 1 compares the results of the two AND operations. If they are the same, the nodes are on the same network; if they differ, the nodes are on different networks. In this example the results differ, so Node 1 concludes that Node 2 is on a different network than Node 1.

3. If Node 1's TCP/IP stack is configured with a Default Gateway, Node 1 uses ARP to resolve the Default Gateway address, exactly as in the previous example (Node 1's Default Gateway will be on the same network as Node 1), and uses the gateway's MAC address as the destination for frames carrying packets to Node 2. The packet itself still carries Node 2's IP address; only the frame is addressed to the gateway.


Note: If a Default Gateway is not configured for Node 1, then Node 1 will not be able to communicate with Node 2. In fact, if a Default Gateway is not configured and Node 1 attempts to ping Node 2, it should receive a message stating that the destination host is unreachable. For a ping to be successful across a routed network such as the one in this example, Node 2 must also have an appropriate Default Gateway in its IP configuration. If Node 2 exists but is not configured with a Default Gateway, and Node 1 attempts to ping Node 2, Node 1 should receive a message stating that the request timed out: the echo request arrives, but Node 2 has no way to send the reply off its own network.

Figure 3-3: This example shows the process of a router returning the ARP request of a remote node.

These examples are geared towards TCP/IP as a protocol, and we will use TCP/IP throughout this lesson. IP addressing is the primary example of Network layer addressing used today.
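The two procedures above (local resolution, then resolution through a Default Gateway) and the remark on spoofing can be exercised in code. This Python model is an added example, not part of the course: same_network is the AND test from step 1, Segment.arp_request is the broadcast of steps 1 to 3, resolve puts them together, and process_reply shows what a host does with a reply it never asked for. All hosts, addresses and MACs are constructed (the router MAC reuses the value that appears in Task 3B-1 later in this topic).

```python
"""ARP resolution as the lesson describes it: a host ANDs addresses with its
mask to decide whether to resolve the destination itself or its default
gateway, broadcasts a request on its segment, and caches the answer.  The
last function shows the security consequence: ARP carries no authentication,
so an unsolicited reply can silently rebind an IP to a different MAC.
Added example, not course material; addresses and MACs are constructed."""
import ipaddress


def same_network(ip_a: str, ip_b: str, mask: str) -> bool:
    """The AND test from the text: (A & mask) == (B & mask)."""
    m = int(ipaddress.ip_address(mask))
    return (int(ipaddress.ip_address(ip_a)) & m) == (int(ipaddress.ip_address(ip_b)) & m)


class Node:
    def __init__(self, name, ip, mask, mac, gateway=None):
        self.name, self.ip, self.mask, self.mac, self.gateway = name, ip, mask, mac, gateway
        self.arp_cache = {}          # ip -> mac

    def arp_target(self, dst_ip: str):
        """IP whose MAC is needed to reach dst_ip: dst itself if local,
        otherwise the default gateway; None if remote and no gateway is set."""
        return dst_ip if same_network(self.ip, dst_ip, self.mask) else self.gateway


class Segment:
    """One broadcast domain. An ARP request reaches every attached node."""
    def __init__(self):
        self.nodes = []

    def attach(self, *nodes):
        self.nodes.extend(nodes)

    def arp_request(self, sender: Node, target_ip: str):
        for node in self.nodes:
            if node is sender:
                continue
            # Every node processes the broadcast; only the owner of the IP
            # answers and, as in step 3 of the text, caches the requester.
            if node.ip == target_ip:
                node.arp_cache[sender.ip] = sender.mac
                return node.mac
        return None


def resolve(node: Node, segment: Segment, dst_ip: str):
    """Destination MAC the node puts on a frame for dst_ip, or None when the
    destination is unreachable (no gateway configured, or no ARP reply)."""
    target = node.arp_target(dst_ip)
    if target is None:
        return None
    if target not in node.arp_cache:
        mac = segment.arp_request(node, target)
        if mac is None:
            return None
        node.arp_cache[target] = mac
    return node.arp_cache[target]


def process_reply(node: Node, ip: str, mac: str):
    """Model a host that accepts any ARP reply (the common default).
    Returns a warning when an existing binding changes, which is the check a
    passive ARP monitor performs to spot spoofing of a gateway address."""
    old = node.arp_cache.get(ip)
    node.arp_cache[ip] = mac
    if old is not None and old != mac:
        return f"{node.name}: binding for {ip} changed from {old} to {mac}"
    return None


# Constructed topology: two hosts and a router on 172.16.10.0/24.
ROUTER_MAC = "00:00:0c:8d:b8:54"
node1 = Node("Node1", "172.16.10.1", "255.255.255.0", "00:d0:09:7f:0d:73", gateway="172.16.10.254")
node2 = Node("Node2", "172.16.10.2", "255.255.255.0", "00:d0:09:7f:0d:74", gateway="172.16.10.254")
router = Node("Router", "172.16.10.254", "255.255.255.0", ROUTER_MAC)
lan = Segment()
lan.attach(node1, node2, router)

if __name__ == "__main__":
    print(resolve(node1, lan, "172.16.10.2"))   # Node2's own MAC
    print(resolve(node1, lan, "172.17.10.1"))   # the gateway's MAC
    print(process_reply(node1, "172.16.10.254", "00:de:ad:be:ef:01"))
```

The interesting line is the last one: a single unsolicited reply redirects everything Node1 sends off-network to the new MAC, and the only signal that anything happened is the binding change that process_reply reports.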

LAN-to-LAN Routing Process

The process of moving data from one host to another and from LAN to LAN is not complex. In the example shown in Figure 3-4, there is one router connecting two networks. There are two hosts defined, one on either network, using TCP/IP.


Figure 3-4: Two networks connected by a single router.

From this diagram, you can see the networks are connected via a single router. Both interfaces are Ethernet interfaces, and the IP addresses are given. In this example, Node 7 is trying to get a packet to Node 10. Since the nodes are in different networks, the packet will need to be routed to reach its goal.

An Ethernet frame will be generated at Node 7 carrying a packet with the IP source address 10.0.10.115 and the source MAC address of Node 7. The destination IP address is 20.0.20.207, with the destination MAC address still unknown.

In the exchange this course describes, Node 7 broadcasts an ARP request for 20.0.20.207 itself, and the router, hearing a request for an address it has a route to, replies with its own MAC address. That behavior is proxy ARP, which Cisco IOS enables by default on each interface (ip proxy-arp). A host that has a Default Gateway configured does not need it: having determined from the AND test that 20.0.20.207 is remote, Node 7 instead ARPs for the gateway's own address and gets the same answer. Either way, Node 7 then sends the frame to the router with a destination IP address of 20.0.20.207 and the destination MAC address of the E0 interface of the router. Because proxy ARP lets a router answer for addresses it does not own, and lets misconfigured hosts keep working without anyone noticing, router hardening guides disable it (no ip proxy-arp) on interfaces where it is not specifically needed.

Once the router receives the frame, it strips the Ethernet header, consults its routing table for 20.0.20.207, finds the network directly connected on its other interface, and in turn broadcasts an ARP request for the MAC address of 20.0.20.207 on that segment. Node 10 responds, and the router receives the response. A new frame is then generated by the router, still addressed to IP address 20.0.20.207 from IP address 10.0.10.115, with the source MAC address of the router's second interface and the destination MAC address of Node 10. The IP addresses never changed; only the Layer Two addresses were rewritten at the router. Node 10 receives the packet and responds, following the same steps in reverse.


LAN-to-WAN Routing Process

The LAN-to-WAN routing process is not much different from the previous example; there are simply more steps involved, and the packet may change encapsulations along the way, from Ethernet to something else and back to Ethernet. In the example shown in Figure 3-5, there is a routed network with two LANs connected via multiple routers in a WAN configuration.

Figure 3-5: Two end nodes connected over multiple routers in a WAN configuration.


For a packet to get from Node 7 to Node 10 in this configuration, there are several steps that must happen:

1. Node 7 creates a request for the MAC address that will carry traffic to 50.0.50.150: either its Default Gateway's address or, with proxy ARP as in the previous example, 50.0.50.150 itself.

2. The router connected to network 10.0.10.0 sees this request, recognizes that it is the path to the destination network, and replies to Node 7 with its MAC address.

3. Node 7 creates a frame with the source IP address of 10.0.10.115 and the destination IP address of 50.0.50.150, a source MAC of Node 7 and a destination MAC of the network 10.0.10.0 router.

4. As the local router receives the frame, the IP source and destination addresses do not change. The encapsulation may change to fit the wire, PPP or Frame Relay for example, in which case there are no MAC addresses on that link at all; the router simply places the unchanged IP packet in the new Layer Two framing.

5. The packet is sent from one router to another, and at each hop the IP addresses do not change.

6. Once the packet reaches the router for segment 50.0.50.0, the WAN encapsulation is removed, and you are left with an Ethernet frame with source IP address 10.0.10.115 and destination IP address 50.0.50.150, a source MAC of the E0 interface of that last router, and the destination MAC address of Node 10.

Two consequences follow from the fact that only the Layer Two addresses change hop by hop. First, an ACL anywhere along the path can match on the original source and destination IP addresses, which is what makes perimeter filtering possible at all. Second, nothing on the path verifies that 10.0.10.115 really sent the packet, which is why filtering spoofed source addresses at the edge matters.

TASK 3B-1
Performing IP and MAC Analysis

Setup: You are logged on to Windows Server 2003 as the renamed Administrator account.

1. Navigate to C:\Tools\Lesson3 and open ping-arp-mac.cap. The file should open in Network Monitor.

2. Quickly scroll through the main capture, noting the frames and their functions. You will see it is a capture of an initial ARP process, then two consecutive pings (Echo and Echo Reply packets).

3. Expand Frame Four.

4. Record the source and destination IP addresses and the source and destination MAC addresses here:

Source IP address: 172.16.10.1

Destination IP address: 172.17.10.1

Source MAC address: 00 D0 09 7F 0D 73

Destination MAC address: 00 00 0C 8D B8 54

If you need to, expand IP and Ethernet so that you can see the addresses.

5. Expand Frame Five, and record those IP and MAC addresses as well.


Source IP address: 172.17.10.1

Destination IP address: 172.16.10.1

Source MAC address: 00 00 0C 8D B8 54

Destination MAC address: 00 D0 09 7F 0D 73

6. Observe that, when pinging 172.17.10.1 from 172.16.10.1, the destination MAC address is 00000C8DB854.

7. Examine the exchanges in frames 6 and 7, 8 and 9, and 10 and 11 to see the ping process complete.

8. Expand Frame Twelve, and record those IP and MAC addresses as well.

Source IP address: 172.16.10.1

Destination IP address: 172.18.10.1

Source MAC address: 00 D0 09 7F 0D 73

Destination MAC address: 00 00 0C 8D B8 54

9. Expand Frame Thirteen, and record those IP and MAC addresses as well.

Source IP address: 172.18.10.1

Destination IP address: 172.16.10.1

Source MAC address: 00 00 0C 8D B8 54

Destination MAC address: 00 D0 09 7F 0D 73

10. Observe that when pinging 172.18.10.1 from 172.16.10.1, the destination MAC address is again 00000C8DB854: two different remote networks, one gateway MAC, because the frame is addressed to the router and only the IP header names the real destination.

11. Examine the exchanges in frames 14 and 15, 16 and 17, and 18 and 19 to see the ping process complete.

12. Close the capture file, and leave Network Monitor open.

The Routing Process

Figure 3-6 shows a complex network, with many possible paths for the data to take across the network. The routers have to communicate with each other in order to determine the path for a given situation.


Figure 3-6: Potential paths that data can take to get from one node to another.

In order for the routers to exchange their data, they must have mutual paths of communication. These paths are the actual connections between the routers. By using logical addressing, the routers have defined networks on which to transmit data. The logical addressing minimizes the use of broadcasting, with the end result being more bandwidth for data transmission. In Figure 3-7, each segment with a letter is a unique Layer Three network segment.


Figure 3-7: Logical network addressing used in an internetwork.

The routers will use the information about the paths to which they are connected,including the type of connection and available bandwidth, to determine the routesfor data to take. For example, the routers might now say for a packet to get fromnetwork A to network N that the packet should take network A to network B tonetwork D to network H to network J to network K to network M to network N.There are many times when the fastest route is not a straight path!

Static and Dynamic RoutingIn order for the router to be able to make decisions on where data should go, itneeds to consult its routing table. The routing table is the list of available net-works and the paths to reach those networks. (Routing tables will be discussed indetail in the next topic.)

Every time a packet reaches a router, the router needs to review the routing tableto determine the appropriate path for the packet. The router must be aware of theother potential networks and the way to reach these networks.

Static Routes

The creation of these paths can happen either dynamically (automatically) or statically (manually). The first of these two concepts, static routing, is defined here.

A static route is a route that has been manually entered into the router to define the path to the remote network. Although its use is not desirable for every situation, static routing has many advantages, such as:

• Precise control over the routes data will take across the network.

• Easy to configure in small networks.

• Reduced bandwidth use, due to no excessive router traffic.

• Reduced load on the routers, due to no need to make complex routing calculations.

Figure 3-8 shows a simple network configuration with two routers and their defined networks.

Figure 3-8: Two routers, Finance and Marketing, and the networks they connect.

The configuration fragments for the static routes of the above routers look like the following:

MarketingRouter#config terminal
MarketingRouter(config)#ip route 10.0.10.0 255.255.255.0 20.0.20.1
MarketingRouter(config)#^Z
MarketingRouter#

FinanceRouter#config terminal
FinanceRouter(config)#ip route 30.0.30.0 255.255.255.0 20.0.20.2
FinanceRouter(config)#^Z
FinanceRouter#

Dynamic Routes

From the previous example, you can see that the command syntax for static routes is not complex and entering them does not take a lot of time. However, the previous example is a very small, simple network, and it is because of its simplicity that static routes will work.

When the networks become more complex, static routing is not always a reasonable option. If there were a dozen routers, for example, each connected to several networks, static routing would become much more complex.

This is where dynamic routing enters the equation. Dynamic routing protocols can change the configuration of the network when a link goes down. Dynamic routing protocols can converge to be sure that all routers have a consistent view of the network. And, dynamic routing protocols have the means to calculate the best path through an internetwork.

Dynamic routing protocols use mathematical algorithms to determine routes and communicate with one another. The routers exchange their information at defined intervals, and these updates are used to make decisions on routes to take and on reconfiguration, when required.

Because the routers are exchanging this data frequently, they are able to change paths and update as needed. This flexibility is what makes dynamic routing protocols so desirable. If a router goes down somewhere in the network, the remaining routers will reconfigure and find a way for the data to reach the other side of the network. An example of this is shown in Figure 3-9.

Figure 3-9: There are several routers and multiple paths data can take across this internetwork.

In the event that Finance Router 2 goes offline, and these routers are using dynamic routing, the other routers will reconfigure themselves to use only the other Finance Router. When the offline router comes back online, the other routers in the network will reconfigure themselves accordingly.

Comparing Routed Protocols and Routing Protocols

One area where people tend to have confusion when dealing with routers is the difference between routed protocols and routing protocols. They are distinctly different. In this section, you will learn to differentiate between the two and draw the boundaries clearly around them so that you can easily and quickly identify one or the other.

What are Routed Protocols?

For a protocol to be considered a routed protocol, it must have the following characteristics:

• It must contain Network-layer addressing information.

• It must have a method of locating a single host on a given network.

Routed protocols are those that carry the addressing information needed to transport user data between and across networks. The routed protocols have enough internal information to define the structure and function of the various fields inside a given packet.

The most common routed protocol of today (and of the last decade) is the Internet Protocol, or IP. Other routed protocols are Novell’s IPX/SPX (Microsoft’s version of IPX/SPX is NWLink), and AppleTalk. TCP/IP, IPX/SPX, and AppleTalk all allow for addressing at the Network layer of the OSI model.

What are Routing Protocols?

While a routed protocol is used to carry data from one host to another, a routing protocol is used to carry data from one network to another, across multiple routers. The routing protocol is also the method of transmitting the routing updates and messages between routers.

Routers will use their assigned routing protocols to create, maintain, and exchange routing data. The routers can use the same routing protocols to actually forward the data packets from one network to another, including the decisions on which path is the best path to take for the data.

These routing protocols can also be used by routers to learn the status and configurations of networks they are not directly connected to. In addition to learning about other remote networks, the routers will use their routing protocols to tell remote routers about networks that the remote router is not directly connected to.

Regardless of the routing protocol chosen, the routers must have consistent and open communication between each other in order to maintain a reliable picture, or map, of the network. It is this map of the network that all the routers will use to assist in forwarding data packets from network to network.

Some examples of routing protocols are RIP (Routing Information Protocol), IGRP (Interior Gateway Routing Protocol), and OSPF (Open Shortest Path First).

Whether the protocol used is RIP, IGRP, or OSPF, it is important to consider that there is no actual end-user data carried by the routing protocol messages. The user data is carried by the routed protocol.

The Routing Protocols

The last area to cover in this topic is the actual protocols themselves. Here, we will discuss the common types of protocols, and look at some examples of the protocols in action. The two common types of protocols are Distance Vector and Link-State.

Regardless of whether the protocol is Distance Vector or Link-State, for dynamic routing to function, two critical router functions must exist:

• An updated and consistent routing table.

• Scheduled updates between routers.

For the routing protocols to perform these two critical processes, they must conform to a given set of rules. These rules are part of the operation of the routing protocol. Examples of what rules these protocols can define include:

• The frequency of updates between routers.

• The amount of data contained in the updates.

• The process of finding proper recipients of the router data.

Calculation of the different data paths, and ultimately choosing the most efficient one based on the given protocol, requires a defined formula. The formula in the case of routers is known as a routing algorithm.

The routing algorithm is responsible for the actual calculation on determining the path the data will take as it moves throughout the network. To make this calculation, the algorithm must use certain variables to create what is known as a metric. The metric is then what is used in path determination.

Some of the variables that are used to create the overall metric of a given path are:

• Hop Count: This is the number of routers that a data packet must go through to reach its destination. The rule is that the lower the number of hops, the shorter the distance the data has to travel, and therefore the better the path.

• Cost: The cost of a link can be defined by the administrator or calculated by the router. Generally the lower the cost, the faster the route.

• Bandwidth: This variable is defined by the overall bandwidth that the link provides.

• MTU (Maximum Transmission Unit): The MTU is the largest message size (in octets) that a link will route.

• Load: This variable is based on the amount of work the CPU has to perform, and the number of packets the CPU must analyze and make calculations on.

Regardless of the routing protocol chosen, there is no single rule for selecting the best protocol based on its algorithm. The routing protocol must change to adapt to the network in the event there are network changes, and both Distance Vector and Link-State have this ability. When the routers change their tables based on this update information from the routing protocol, this is called convergence. When all routers have the same view of the network, the network is converged.

It is the goal of all routing protocols to have fast convergence, so that the routers maintain a consistent view of the routes available to network segments, and do not use incorrect data to make routing decisions.

metric: A random variable x representing a quantitative measure accumulated over a period.

Distance Vector Routing

Distance Vector routing calculates the distance to a given network segment and the direction (or vector) required to reach the segment. The algorithm of Distance Vector (Bellman-Ford) is designed to pass the routing table from neighbor to neighbor. The passing of the routing table is called the update between routers. In the event there is a topology change, as a router goes offline, an update will be sent immediately from one router to another.

Figure 3-10: Routers passing the routing table.

In Distance Vector routing, the routing table is passed between routers along the shared segments. In Figure 3-10, Router A and Router B will share their routing tables over the segment between them, out Interface E2 of Router A and out of Interface E0 of Router B.

When the routers receive an update, they add any new information on how to get to new routes, or better paths (lower hop counts) to known routes. The algorithm adds one hop to the hop count for every hop that must be crossed to reach the destination. Figure 3-11 shows a basic routing table with hop count included.

Figure 3-11: A routing table with interfaces defined and hop counts.

In this example, the routing table has been created, and convergence has been achieved. Both routers have a consistent view of the network, and the routing tables define the path to the networks and the interface to forward packets out to reach the required destinations.

topology: The map or plan of the network. The physical topology describes how the wires or cables are laid out, and the logical or electrical topology describes how the information flows.

Link-State Routing

Where Distance Vector routing uses hop counts to make the decisions in the routing table on path determination, Link-State routing uses a more complex metric system. In Link-State routing, all routers maintain a consistent view of the network, as they do in Distance Vector routing, but they also are all aware of the complete network topology.

The Link-State routers know each network segment, and the different options for reaching each segment. Convergence is just as critical in Link-State routing, and in order to have a converged network, there are steps that must be followed. Figure 3-12 shows a complex network, and after the diagram, the steps for convergence will be outlined.

Figure 3-12: In this complex network, 7 routers and 14 network segments are defined.

The steps for network convergence are as follows:

1. The routers identify the routers that are their direct neighbors. For example, Router 3 will identify Router 6 and Router 4 as neighbors.

2. The routers send LSP (Link State Packets) to the network. The LSPs contain data on which networks the router can reach. For example, Router 7 would send LSPs indicating that Router 7 is connected to segments 10.0.0.0, 11.0.0.0, 12.0.0.0, and 14.0.0.0.

3. The routers in the network accept all the LSPs and build a topology database of the network. The LSPs from all routers are used to build this consistent view.

4. The SPF (Shortest Path First) algorithm is used to determine the accessibility of each network and the shortest path between networks. The SPF algorithm is executed on all routers, so that they all end up with the same topology view of the network. Each router knows the best path to every segment.

5. The router uses the SPF calculations to determine the best (shortest) path for reaching each destination network on the internetwork.
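The two convergence models just described, Distance Vector (Bellman-Ford hop counts passed from neighbor to neighbor, as in the Distance Vector Routing section above) and Link-State (every router running SPF over a shared topology database, steps 1 through 5 above), can be run side by side on one small topology. The Python below is an added example, not code from the course or from Cisco; the routers R1 to R5, the segment letters and the stub networks NET-1 and NET-5 are invented for illustration and do not correspond to Figures 3-10 through 3-12.

```python
import heapq

# Added example, not course material. Constructed topology (not one of the book's
# figures): each router lists the neighbours it shares a segment with and that
# segment's name. Every link costs one hop so both algorithms can be compared.
LINKS = {
    "R1": [("R2", "A"), ("R3", "B")],
    "R2": [("R1", "A"), ("R4", "C")],
    "R3": [("R1", "B"), ("R4", "D"), ("R5", "E")],
    "R4": [("R2", "C"), ("R3", "D"), ("R5", "F")],
    "R5": [("R3", "E"), ("R4", "F")],
}
# Stub segments (a LAN behind one router only), also invented.
STUBS = {"R1": ["NET-1"], "R5": ["NET-5"]}


def connected_segments(router):
    """Segments a router is directly attached to: shared links plus its stubs."""
    return {seg for _, seg in LINKS[router]} | set(STUBS.get(router, []))


def distance_vector(max_rounds=20):
    """Bellman-Ford style convergence. Each router starts knowing only its connected
    segments (0 hops) and each round receives its neighbours' whole tables, adding
    one hop to every entry. A received route is kept only if it is new or has a
    lower hop count. Returns (tables, rounds_until_no_change) where
    tables[router][segment] == (hops, next_hop)."""
    tables = {r: {s: (0, "connected") for s in connected_segments(r)} for r in LINKS}
    for rnd in range(1, max_rounds + 1):
        # Snapshot: updates carry the tables as they stood at the start of the round.
        advertised = {r: dict(t) for r, t in tables.items()}
        changed = False
        for r in LINKS:
            for nbr, _ in LINKS[r]:
                for seg, (hops, _) in advertised[nbr].items():
                    if seg not in tables[r] or hops + 1 < tables[r][seg][0]:
                        tables[r][seg] = (hops + 1, nbr)
                        changed = True
        if not changed:
            return tables, rnd - 1  # a full round with no change: converged
    raise RuntimeError("routing tables did not converge")


def spf(source):
    """Link-State step 4: Dijkstra's shortest-path-first run over the complete
    topology database (LINKS) that every router holds after the LSPs are flooded.
    Returns (distance, first_hop) for every router reachable from source."""
    dist = {source: 0}
    first_hop = {source: "connected"}
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        for nbr, _ in LINKS[node]:
            if d + 1 < dist.get(nbr, float("inf")):
                dist[nbr] = d + 1
                first_hop[nbr] = nbr if node == source else first_hop[node]
                heapq.heappush(heap, (d + 1, nbr))
    return dist, first_hop


def spf_routes(source):
    """Link-State step 5: turn the SPF tree into a routing table. A segment is
    reached through the nearest router attached to it."""
    dist, first_hop = spf(source)
    routes = {}
    for router, d in dist.items():
        for seg in connected_segments(router):
            if seg not in routes or d < routes[seg][0]:
                routes[seg] = (d, first_hop[router])
    return routes


def metrics_agree():
    """With unit link costs both methods must compute the same hop count to every
    segment from every router; only how they get there differs (neighbours' tables
    versus a full topology database)."""
    tables, _ = distance_vector()
    return all(tables[r][seg][0] == spf_routes(r)[seg][0]
               for r in LINKS for seg in tables[r])


if __name__ == "__main__":
    tables, rounds = distance_vector()
    print(f"distance vector converged after {rounds} update rounds")
    for seg, (hops, via) in sorted(tables["R1"].items()):
        print(f"R1 -> {seg}: {hops} hops via {via}")
    print("SPF from R1:", spf_routes("R1"))
    print("metrics agree:", metrics_agree())
```

Running it shows R1 reaching NET-5 in two hops via R3 under both methods, and that the distance vector tables stop changing after two rounds of updates, which is the convergence the text describes.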

Common Protocols

Here is a quick list of common routing protocols used on Cisco routers:

• RIP (Routing Information Protocol) is a Distance-Vector protocol that uses hop count as its metric.

• IGRP (Interior Gateway Routing Protocol) is a routing protocol that uses a combined metric for routing decisions.

• EIGRP (Enhanced Interior Gateway Routing Protocol) is an enhanced version of IGRP that combines properties of Link-State and Distance Vector protocols.

• OSPF (Open Shortest Path First) is a Link-State protocol that commonly replaces RIP in growing internetworks.

• BGP (Border Gateway Protocol) is an interdomain routing protocol often used by Internet Service Providers.

• RTMP (Routing Table Maintenance Protocol) is Apple’s routing protocol. RTMP routers dynamically update topology changes in the network.

Administrative Distances

As the router has the ability to use static routes, dynamic routes, and multiple protocols, the ability to see the current routing table becomes even more critical as the network’s complexity increases.

There is a function in the router called administrative distance. The administrative distance function has one obvious use, and that is managing when two or more methods in the router are aware of a path to a destination. For example, if you entered a static route on how to get to a location, then RIP identified a route to that location, which route should the router use?

This is where the administrative distance comes into play. The lower a value, the higher the level of trust the router places in that route. Some default administrative distances are listed in the following table.

Route Type                     Distance
Directly connected interface   0
Static route                   1
IGRP route                     100
OSPF route                     110
RIP route                      120

Therefore, if you had a static route and a RIP route, the static route would be the preferred route that the router uses. When viewing the routing table, not only will you be shown the current routes to destination networks, but you will also see the method used. The following configuration fragments show a portion of the routing tables for three routers in a network:

LEFT#show ip route
R 192.168.10.0/24 [120/1] via 192.168.20.2, 00:00:13, Serial1
C 192.168.20.0/24 is directly connected, Serial1
C 172.16.0.0/16 is directly connected, Ethernet0
R 172.17.0.0/16 [120/1] via 192.168.20.2, 00:00:13, Serial1
R 172.18.0.0/16 [120/2] via 192.168.20.2, 00:00:13, Serial1

CENTER#show ip route
C 192.168.10.0/24 is directly connected, Serial1
C 192.168.20.0/24 is directly connected, Serial0
R 172.16.0.0/16 [120/1] via 192.168.20.1, 00:00:13, Serial0
C 172.17.0.0/16 is directly connected, Ethernet0
R 172.18.0.0/16 [120/1] via 192.168.10.1, 00:00:18, Serial1

RIGHT#show ip route
C 192.168.10.0/24 is directly connected, Serial0
R 192.168.20.0/24 [120/1] via 192.168.10.2, 00:00:20, Serial0
R 172.16.0.0/16 [120/2] via 192.168.10.2, 00:00:20, Serial0
R 172.17.0.0/16 [120/1] via 192.168.10.2, 00:00:20, Serial0
C 172.18.0.0/16 is directly connected, Ethernet0

In these fragments, you can identify the routes on each router. You can also identify the routes that are directly connected and the routes that are using RIP. The way that you identify this is by the letter in front of each route. For example, in these examples, all routes with a letter C are connected interfaces. Routes with an R are using RIP. If a route had been input statically, it would have an S in front of it.

For the RIP routes shown, note that the number 120 is displayed in brackets after the route. The 120 is an indicator of the administrative distance of this route. (The number following the slash is the hop count.)
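Reading these tables by eye works for three routers; a script that parses show ip route lines and applies the administrative distance rule scales better and doubles as a check that the bracketed values are the defaults. The Python below is an added example, not course material or a Cisco tool. It parses the LEFT router's output above with one constructed static route for 172.18.0.0/16 appended, so that a static route and a RIP route to the same prefix compete (a real routing table would display only the winner); the Route class and function names are mine.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not course code. Default administrative distances from the course
# table, keyed by the code letter 'show ip route' prints (C connected, S static,
# I IGRP, O OSPF, R RIP).
ADMIN_DISTANCE = {"C": 0, "S": 1, "I": 100, "O": 110, "R": 120}

# One routing-table entry, either
#   R 172.17.0.0/16 [120/1] via 192.168.20.2, 00:00:13, Serial1
# or
#   C 172.16.0.0/16 is directly connected, Ethernet0
# Static routes carry no uptime field, so it is optional.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:,\s+\d\d:\d\d:\d\d)?,\s+(?P<iface>\S+)"
    r"|is directly connected,\s+(?P<ciface>\S+))$"
)


@dataclass(frozen=True)
class Route:
    code: str
    prefix: str
    ad: int
    metric: int
    next_hop: Optional[str]
    interface: str


def parse_route_line(line):
    """Parse one routing-table line; returns None for prompts and other text."""
    m = ROUTE_RE.match(line.strip())
    if not m:
        return None
    if m["ciface"]:
        return Route(m["code"], m["prefix"], 0, 0, None, m["ciface"])
    return Route(m["code"], m["prefix"], int(m["ad"]), int(m["metric"]),
                 m["via"], m["iface"])


def ad_matches_default(route):
    """Review check: the bracketed AD should be the default for its source unless
    an administrator deliberately changed it."""
    return route.ad == ADMIN_DISTANCE.get(route.code)


def best_route(candidates):
    """Selection rule from the text: lowest administrative distance wins; among
    routes from the same source the lower metric (hop count for RIP) wins."""
    return min(candidates, key=lambda r: (r.ad, r.metric))


def select_routes(output):
    """Group parsed routes by prefix and keep the one the router would install."""
    by_prefix = {}
    for line in output.splitlines():
        route = parse_route_line(line)
        if route:
            by_prefix.setdefault(route.prefix, []).append(route)
    return {prefix: best_route(routes) for prefix, routes in by_prefix.items()}


# The LEFT router's table from the text, plus one constructed static route (the
# last line) so that two sources claim 172.18.0.0/16.
LEFT_OUTPUT = """\
LEFT#show ip route
R 192.168.10.0/24 [120/1] via 192.168.20.2, 00:00:13, Serial1
C 192.168.20.0/24 is directly connected, Serial1
C 172.16.0.0/16 is directly connected, Ethernet0
R 172.17.0.0/16 [120/1] via 192.168.20.2, 00:00:13, Serial1
R 172.18.0.0/16 [120/2] via 192.168.20.2, 00:00:13, Serial1
S 172.18.0.0/16 [1/0] via 192.168.20.2, Serial1
"""

if __name__ == "__main__":
    for prefix, route in select_routes(LEFT_OUTPUT).items():
        print(f"{prefix:18} {route.code} AD={route.ad:<3} metric={route.metric} "
              f"via {route.next_hop or route.interface}")
```

For 172.18.0.0/16 the static route (AD 1) is chosen over the RIP route (AD 120, 2 hops), which is exactly the preference the text describes.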

RIP

RIP, or the Routing Information Protocol, is one of the most straightforward routing protocols that can be implemented. It also has no significant security, is broadcast-based, and is noisy.

RIP functions by informing neighboring routers of the routes that the current router can reach. The current routes are created during the simple configuration process of setting up RIP in the router.

The following configuration fragments show the configuration of RIP on three routers, LEFT, RIGHT, and CENTER:

LEFT#configure terminal
LEFT(config)#router rip
LEFT(config-router)#network 172.16.0.0
LEFT(config-router)#network 192.168.10.0
LEFT(config-router)#^Z
LEFT#

RIGHT#configure terminal
RIGHT(config)#router rip
RIGHT(config-router)#network 172.18.0.0
RIGHT(config-router)#network 192.168.20.0
RIGHT(config-router)#^Z
RIGHT#

CENTER#configure terminal
CENTER(config)#router rip
CENTER(config-router)#network 172.17.0.0
CENTER(config-router)#network 192.168.10.0
CENTER(config-router)#network 192.168.20.0
CENTER(config-router)#^Z
CENTER#

In these fragments, RIP routing has been configured with the networks that each router can reach. For example, the LEFT router will announce that if there is a packet destined for network 172.16.0.0, then the other routers should send it to the LEFT router.

Because RIP is broadcast-based, any host on a segment where RIP broadcasts are sent can receive the update. Only the router has a legitimate routing function, but an attacker can learn valuable information, such as the configuration and addressing of a network.

TASK 3B-2
Viewing a RIP Capture

Setup: You are logged on to Windows Server 2003 as the renamed Administrator account, and Network Monitor is running.

1. Open rip update.cap located in C:\Tools\Lesson3.

2. Expand Frame One, and observe the contents of the packet.

3. Look for the destination address of the packet. Find the IP and MAC destination addresses.

4. Observe the source address. You can conclude that this is likely the source address of a router in the network.

5. Expand the RIP portion of the frame capture.

6. Examine the network details sent in the packet. Even though you are a random user on the network, you have captured the packet and are able to learn quite a few things about the network in a very short amount of time.

7. Close the capture file, and leave Network Monitor open.

RIPv2

In order to address some of the issues associated with RIP, RIPv2 was introduced as a routing protocol. A security advantage was the ability to require and use authentication for RIP updates. From a networking perspective, the configuration is very similar to RIPv1, as shown previously. The following configuration fragment shows the same three routers configured to use RIPv2 instead of RIPv1:

LEFT#configure terminal
LEFT(config)#router rip
LEFT(config-router)#version 2
LEFT(config-router)#network 172.16.0.0
LEFT(config-router)#network 192.168.10.0
LEFT(config-router)#^Z
LEFT#

RIGHT#configure terminal
RIGHT(config)#router rip
RIGHT(config-router)#version 2
RIGHT(config-router)#network 172.18.0.0
RIGHT(config-router)#network 192.168.20.0
RIGHT(config-router)#^Z
RIGHT#

CENTER#configure terminal
CENTER(config)#router rip
CENTER(config-router)#version 2
CENTER(config-router)#network 172.17.0.0
CENTER(config-router)#network 192.168.10.0
CENTER(config-router)#network 192.168.20.0
CENTER(config-router)#^Z
CENTER#

The authentication used is a key and MD5. The following configuration fragment shows the setup of RIPv2 authentication. In this fragment, first the router is told that RIP authentication is required, then the key (the word “strongpassword”) is created.

Router#configure terminal
Router(config)#interface ethernet0
Router(config-if)#ip rip authentication key-chain 3
Router(config-if)#ip rip authentication mode md5
Router(config-if)#exit
Router(config)#interface serial0
Router(config-if)#ip rip authentication key-chain 3
Router(config-if)#ip rip authentication mode md5
Router(config-if)#exit
Router(config)#interface serial1
Router(config-if)#ip rip authentication key-chain 3
Router(config-if)#ip rip authentication mode md5
Router(config-if)#^Z
Router#configure terminal
Router(config)#key chain 3
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string strongpassword
Router(config-keychain-key)#^Z
Router#

All routers that will exchange routing updates on the same network must use the same configuration, so the authentication will match. Once the router is configured, if you were to enter the show running-config command, you would get the following new pieces in the output:

enable secret 5 $1$v13S$Nk8zY5NcYor5VvAfcfZCn0
enable password 2501
!
!
key chain 3
 key 1
  key-string strongpassword
!
interface Ethernet0
 ip address 172.16.0.1 255.255.0.0
 ip rip authentication mode md5
 ip rip authentication key-chain 3
 no mop enabled
interface Serial0
 no ip address
 shutdown

TASK 3B-3
Viewing a RIPv2 Capture

Setup: You are logged on to Windows Server 2003 as the renamed Administrator account, and Network Monitor is running.

1. Open ripv2withAuthentication.cap, located in C:\Tools\Lesson3.

2. Expand Frame One (the only frame) and observe the contents of the packet.

3. Look for the destination address of the packet. Find the IP and MAC destination addresses.

4. Observe the source address. You can conclude that this is likely the source address of a router in the network.

5. Expand the RIP portion of the frame capture.

6. Examine the network details sent in the packet.

7. Observe the addition of the Authentication portion of the capture and the additional fields not present in the RIPv1 packet. Second, observe that the Routing Data is still visible.

8. Close Network Monitor.
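What Tasks 3B-2 and 3B-3 show in Network Monitor can be reproduced offline. The Python below is an added example, not code from the course or from a Cisco tool: it builds constructed RIPv1 and RIPv2 response packets modelled on the LEFT router's two networks, adds an RFC 2082 style keyed-MD5 authentication entry in the RIPv2 case, and decodes them the way any host on the segment could. The 16 digest bytes are a placeholder rather than a real MD5, because the point the task makes is what stays readable, not key verification; RIP_PORT, AUTH_TYPES and the function names are mine.

```python
import socket
import struct

# Added example, not course material.
RIP_PORT = 520  # RIP updates are UDP datagrams to port 520 (broadcast in v1)
AUTH_TYPES = {2: "simple-password", 3: "keyed-md5"}  # RFC 2453 / RFC 2082


def build_rip_response(version, routes, md5_auth=None):
    """Constructed RIP response (command 2). routes: (network, mask, metric) tuples.
    md5_auth: None, or {"key_id": n, "sequence": n} to add an RFC 2082 authentication
    header entry and a digest trailer. The 16 digest bytes are a placeholder."""
    pkt = bytearray(struct.pack("!BBH", 2, version, 0))
    if md5_auth:
        # Auth header: AFI 0xFFFF, type 3, packet length up to the trailer,
        # key ID, auth data length (16), sequence number, 8 zero bytes.
        length = 4 + 20 * (1 + len(routes))
        pkt += struct.pack("!HHHBBI8x", 0xFFFF, 3, length,
                           md5_auth["key_id"], 16, md5_auth["sequence"])
    for network, mask, metric in routes:
        # v1 leaves the mask and next-hop fields zero; v2 fills in the mask.
        mask_bytes = socket.inet_aton(mask) if version == 2 else b"\0" * 4
        pkt += struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(network),
                           mask_bytes, b"\0" * 4, metric)
    if md5_auth:
        pkt += struct.pack("!HH", 0xFFFF, 1) + b"\xaa" * 16  # placeholder digest
    return bytes(pkt)


def parse_rip(data):
    """Decode a RIP packet into header fields, authentication info and routes."""
    if len(data) < 4 or (len(data) - 4) % 20:
        raise ValueError("not a well-formed RIP packet")
    command, version, _ = struct.unpack("!BBH", data[:4])
    routes, auth = [], None
    for off in range(4, len(data), 20):
        entry = data[off:off + 20]
        afi, = struct.unpack("!H", entry[:2])
        if afi == 0xFFFF:  # authentication entry, not a route
            atype, = struct.unpack("!H", entry[2:4])
            if atype == 1:
                continue  # MD5 digest trailer: nothing readable here
            auth = {"type": AUTH_TYPES.get(atype, f"unknown({atype})")}
            if atype == 3:
                _, key_id, _, seq = struct.unpack("!HBBI", entry[4:12])
                auth.update(key_id=key_id, sequence=seq)
            elif atype == 2:
                # Simple-password authentication carries the password itself here.
                auth["password"] = entry[4:].rstrip(b"\0").decode("ascii", "replace")
            continue
        _, net, mask, _, metric = struct.unpack("!H4s4s4sI", entry[2:])
        routes.append({"network": socket.inet_ntoa(net),
                       "mask": socket.inet_ntoa(mask) if version == 2 else None,
                       "metric": metric})
    return {"command": command, "version": version, "auth": auth, "routes": routes}


def assess(data):
    """Defender's summary of one captured update: how it is protected, and what a
    listener on the segment learns about the network from it."""
    p = parse_rip(data)
    if p["version"] == 1:
        protection = "RIPv1: no authentication; updates are neither authenticated nor private"
    elif p["auth"] is None:
        protection = "RIPv2 without authentication configured"
    elif p["auth"]["type"] == "simple-password":
        protection = "RIPv2 simple-password authentication: the password is sent in clear text"
    else:
        protection = "RIPv2 keyed-MD5 authentication: updates are authenticated, routes still readable"
    disclosed = [f"{r['network']}/{r['mask'] or '?'} metric {r['metric']}" for r in p["routes"]]
    return protection, disclosed


# Constructed updates modelled on the LEFT router's networks from the text.
LEFT_ROUTES = [("172.16.0.0", "255.255.0.0", 1), ("192.168.20.0", "255.255.255.0", 1)]
V1_UPDATE = build_rip_response(1, LEFT_ROUTES)
V2_MD5_UPDATE = build_rip_response(2, LEFT_ROUTES, {"key_id": 1, "sequence": 42})

if __name__ == "__main__":
    for name, pkt in (("RIPv1", V1_UPDATE), ("RIPv2+MD5", V2_MD5_UPDATE)):
        protection, disclosed = assess(pkt)
        print(f"{name} ({len(pkt)} bytes): {protection}")
        for line in disclosed:
            print("   learns:", line)
```

Decoding the authenticated RIPv2 packet yields the same two network entries as the RIPv1 packet: MD5 authentication stops a router from accepting forged updates, but it does not hide the routing data, which is the observation step 7 of Task 3B-3 asks for.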

Topic 3C
Removing Protocols and Services

The fundamental concept of hardening the router is no different than hardening Linux or Windows. You must remove all of the protocols and services that are unused. You must configure the required protocols and services so that they are secured for access. In this topic, you will look at removing many of the protocols and services that are often not used on a router and continue to harden the device.

CDP

The Cisco Discovery Protocol (CDP) is a protocol used by Cisco routers to exchange information, such as platform information and status, with each other. In general, CDP can be a useful thing to use when troubleshooting in a simple environment. Unfortunately, like most things that can make our lives as administrators a little easier, CDP can make an attacker’s job a little easier because it gives out important information such as the IOS version that the router is running. And, of course, knowing what IOS version is running makes an attacker’s job much easier since he or she will have a much better idea of what exploits will work against such a target.

In the following configuration fragment, you can see that turning off CDP for the entire router is not a complex set of commands—only two commands are required:

Router#config terminal
Router(config)#no cdp run
Router(config)#^Z
Router#

However, it may be desirable to stop CDP only on those interfaces that are not connected directly to another router. Perhaps there is only a direct link between two serial interfaces, and you want to allow CDP to run there, but not on the internal Ethernet network. In the following configuration fragment, CDP is disabled just for the Ethernet interface. Note that the only addition is the defining of the interface, and the command is no cdp enable, instead of no cdp run:

Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no cdp enable
Router(config-if)#^Z
Router#

TASK 3C-1
Turning Off CDP

1. Create the configuration fragment that you would use for turning off CDP on Ethernet 0, Ethernet 1, and Serial 1.

Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no cdp enable
Router(config-if)#interface Ethernet 1
Router(config-if)#no cdp enable
Router(config-if)#interface Serial 1
Router(config-if)#no cdp enable
Router(config-if)#^Z
Router#

ICMP

ICMP provides, among other functions, the ability to use the often-required ping and traceroute commands. However, ICMP has become one of the most misused of all protocols. DoS and DDoS attacks use ICMP, and more and more attacks take advantage of this function of the network. In this section, only a few examples of hardening ICMP are discussed.

ICMP Directed Broadcast

Smurf is an attack that takes advantage of ICMP. Specifically, what Smurf does is to get many machines to flood a single host with ICMP packets, effectively shutting down that host. The way this attack works is to ping an entire network, using a spoofed IP address. When every host of the network responds to the IP address, that machine has been attacked. This can easily lead to hundreds of machines responding to a host simultaneously.

The following configuration fragment shows the disabling of ICMP directed broadcasts on the Serial 1, Serial 0, and Ethernet 0 interfaces. To protect fully against this attack, you should turn off broadcasts like this on all interfaces.

Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 1
Router(config-if)#no ip directed-broadcast
Router(config-if)#^Z
Router#

ICMP Unreachable

Another very common attack is for a potential intruder to scan your system(s) looking for services that are open and that can be exploited. It is common to use ICMP to perform these scans of systems. If you remove the ICMP Unreachable message, be aware that your system will not respond to desired unreachable messages, such as when your internal users legitimately need them, such as during time-outs. The following configuration fragment shows the disabling of ICMP Unreachable messages on the Serial 0 interface. To remove ICMP Unreachable messages on the entire router, this command needs to be entered for each interface.

traceroute: An operation of sending trace packets for determining information; traces the route of UDP packets from the local host to a remote host. Normally traceroute displays the time and location of the route taken to reach its destination.

Router#config terminal
Router(config)#interface Serial 0
Router(config-if)#no ip unreachables
Router(config-if)#^Z
Router#

TASK 3C-2
Hardening ICMP

1. Create the configuration fragment that you would use to disable ICMP Directed Broadcasts and ICMP Unreachable messages on the entire router, which has the Ethernet 0, Serial 0, and Serial 1 interfaces.

Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip unreachables
Router(config-if)#interface Serial 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip unreachables
Router(config-if)#interface Serial 1
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip unreachables
Router(config-if)#^Z
Router#

Source Routing

A feature that was added to routers to increase the control administrators had over the network was source routing. This feature has become a vulnerability that attackers now use. Source routing is used to allow a packet to dictate the path it should take through a routed network. This packet does not follow the routing tables as designated by the routing protocols. Doing so may allow an attacker to bypass critical systems, such as a firewall or an IDS. In most situations, there is no need for source routing to be allowed on any router. The configuration fragment that follows shows the disabling of the source routing service:

Router#config terminal
Router(config)#no ip source-route
Router(config)#^Z
Router#

Small Services

TCP and UDP small services are enabled on some routers by default (generally IOS 11.3 and previous versions). Small services are not often used anymore and include echo, discard, daytime, and chargen. On most routers, be sure to disable these services. The configuration fragment that follows shows the disabling of small services for both TCP and UDP:

Router#config terminal
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
Router(config)#^Z
Router#

Finger

Finger is another older service that is rarely used in modern networks. The Finger service is used to find information about users who are logged into a router. On older versions of the IOS (11.2 and older), Finger is disabled by using the no service finger command. On newer versions of the IOS (11.3 and newer), Finger is disabled by using the no ip finger command. In the following code, the first configuration fragment shows the removal of the Finger service from an older router, and the second fragment shows the removal of the Finger service from a newer router:

Router#config terminal
Router(config)#no service finger
Router(config)#^Z
Router#

Router#config terminal
Router(config)#no ip finger
Router(config)#^Z
Router#

Small services are also known as small servers.

Remaining Services

As a security professional, you know that hardening a piece of equipment means disabling or removing all of the services and protocols that you are not using. In this section, you will see several other services that you should consider disabling for your router. In consideration of space, every service and protocol cannot be listed in this section—only several of the significant services can be highlighted.

• The BootP service is used to remotely boot computers via the network. This service can be disabled by using the no ip bootp server command.

• The DNS function is enabled on Cisco routers, but there is no defined name server. The net result is broadcasting for all DNS requests. To disable this function, use the no ip name-server command.

• The Network Time Protocol (NTP) is used for time synchronization on the network. This service can be disabled by using no ntp server. If you want to disable this protocol for only a single interface, use ntp disable, when you are in the Interface Mode.

• The Simple Network Management Protocol (SNMP) is used to communicate between network devices. SNMP left as-is on routers can provide information about the router to attackers. Disable SNMP by using no snmp-server.

• HTTP is used on some routers to allow for remote access and management. Unless specifically required in your organization, this should be disabled. To disable HTTP, use no ip http server.

The configuration fragment that will disable all of the above services will look like this:

Router#config terminal
Router(config)#no ip bootp server
Router(config)#no ip name-server
Router(config)#no ntp server
Router(config)#no snmp-server
Router(config)#no ip http server
Router(config)#^Z
Router#

When NTP is used in conjunction with syslog services, therefore keeping accurate timestamps on log entries, it can be useful for forensic purposes.

132 Tactical Perimeter Defense


TASK 3C-3 Removing Unneeded Services

1. Create the configuration fragment that you would use to remove the following services from the whole IOS v12.x router: CDP, ICMP Directed Broadcasts, Small Servers, Source Routing, and Finger. For this exercise, you can assume that the interfaces are named E0, S0, and S1.

Router#config terminal
Router(config)#no cdp run
Router(config)#interface Ethernet 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 1
Router(config-if)#no ip directed-broadcast
Router(config-if)#^Z
Router#
Router#config terminal
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
Router(config)#no ip source-route
Router(config)#no ip finger
Router(config)#^Z
Router#

AutoSecure

A newer security feature, built into the IOS starting with version 12.3(1), is called AutoSecure. AutoSecure is essentially a script designed to help you secure the router by answering a set of questions, rather than coding line-by-line the services and interfaces you want to secure.

AutoSecure can also address your passwords, ensuring that no simple words are used, prompt for the configuration of SSH, and enable console logging, among other security issues. AutoSecure has its security features divided into two core groups (Cisco calls these groups Planes). These two groups are called the Management Plane and the Forwarding Plane.

The Management Plane

The Management Plane of the AutoSecure feature is where the majority of your services are addressed. Both the global services and the services that are unique to each interface are dealt with in this Plane. The following list details the services specific to each interface that can be disabled with AutoSecure:

• ICMP (including redirects, unreachables, and mask replies)

• Directed broadcasts

• Maintenance Operations Protocol (MOP) services

• Proxy-Arp


You know by now that there are many more security issues than the ones addressed in the previous list. The following list details the services that are global to the whole router, which can be disabled with AutoSecure:

• BootP

• CDP

• Finger

• HTTP Server

• IdentD protocol

• Network Time Protocol (NTP)

• Packet Assembler and Disassembler (PAD)

• Source Routing

• Small Servers (both TCP and UDP)

The Forwarding Plane

In the context of this course, the only feature of the Forwarding Plane that will be discussed is Context-based Access Control (CBAC). If you are using this feature, AutoSecure will prompt you through the configuration. CBAC will be addressed later in this lesson.

Topic 3D

Creating Access Control Lists

Access Control Lists (ACLs) enable network administrators not only to control access from a security standpoint, but also to restrict bandwidth use on critical links. In this and the following topic, the discussion will be on IP access lists, but be aware that access lists can exist for other routed protocols, such as AppleTalk and IPX/SPX.

An ACL is a packet filter that compares a packet with a given set of criteria. The ACL checks the packet and acts upon the packet as defined by the list. Access Control Lists are divided into several main categories, and for this course, you will focus on three: Standard ACLs, Extended ACLs, and Context-based ACLs.

• Standard ACLs are designed to look at the source address of a packet that has been received by the router. The result of the list is to either permit or deny the packet based on the subnet, host, or network address. A standard access list takes effect for the full IP protocol stack.

• Extended ACLs are designed to look at both the source and destination packet addresses. Not limited to the source IP address, extended lists allow for checking of protocol, port number, and destination address. This additional flexibility is the reason that many administrators implement extended lists on their networks.

• Context-based ACLs are designed to look at information from layer 3 all the way through layer 7. This becomes the Cisco IOS stateful firewall function inside the Cisco router.

packet filter: Inspects each packet for user-defined content, such as an IP address, but does not track the state of sessions. This is one of the least secure types of firewall.


Access Control List Operation

The function of an access list is the same internally in the router, regardless of the type of list (standard, extended, and so on). An ACL can be designed to function for both inbound and outbound packets. When an ACL is checking inbound packets, the list is checked to see if the packet is allowed before the router checks whether the packet has a destination in the routing table.

When an ACL is checking outbound packets, the packet will first run through the router's routing table, looking for a match. If there is a route for the packet, then the ACL is applied to the outbound packet.

Figure 3-13: The Access Control List process.

Figure 3-13 illustrates this outbound process. A packet is taken in via Interface E0. In this example, the packet is incoming on Interface Ethernet 0 and destined to be outgoing on Interface Ethernet 1. Because the list is used to determine whether or not the packet is to exit on interface Ethernet 1, this list is an outgoing list.

The Access List Process

A critical point about access lists is that they operate in sequence, from the top down. In other words, the first statement of an access list is checked. If the packet does not match the rules of that statement, then the packet is sent to the next statement, and so on, until there is a match.

Once there is a match, the packet will follow that rule. In the event that two rules can apply to the same packet, whichever rule the packet hits first is the one that it will follow.

There will always be a match, since the end of every access list is an implicit deny, meaning that every list must have at least one permit statement or all packets will be denied! Figure 3-14 shows a graphical example of an access list statement process.


Figure 3-14: The list process of an ACL.

The Wildcard Mask

IP access lists use a value known as the wildcard mask to determine whether or not a packet matches a given statement in the list. The wildcard mask uses 1s and 0s to identify the defined IP address(es) for permission or denial.

Wildcard masks are 32-bit values that look like traditional subnet masks, but they do not function in the same manner. A wildcard mask uses the 1s and 0s to match defined bits of an IP address. The rules for the bits of a wildcard mask are as follows:

• If the wildcard mask bit is a 1, then do not check the corresponding bit of the IP address for a match.

• If the wildcard mask bit is a 0, then do check the corresponding bit of the IP address for a match.

The chart in Figure 3-15 shows several examples of the wildcard mask checking options. Where there is a 0, the values are checked for a match, and where there is a 1, the value is not checked.


Figure 3-15: Examples of wildcard masks.

As you can see from this chart, if there were a mask of 11111111, then none of the eight bits of the corresponding IP address would be checked. Likewise, if there were a wildcard mask of 00000000, then all eight bits of the corresponding IP address would be checked.

Wildcard Mask Examples

If an administrator wanted to have an access list statement match a single host in a network, the following wildcard mask could be used.

Item           Value
IP Address     10.15.10.187
Subnet Mask    255.255.255.0
Wildcard Mask  0.0.0.0

This tells the router to check every bit of the IP address, and if those bits are 10.15.10.187, then this access list statement applies to this host.

If the goal is to have an access list statement match an entire network, the following wildcard mask could be used.

Item           Value
IP Network     10.15.10.0
Subnet Mask    255.255.255.0
Wildcard Mask  0.0.0.255

This tells the router to check only the first 24 bits of the IP address, and if the decimal value of those bits is 10.15.10, then this access list statement applies to any host on this network.

If the goal is to block a specified subnet, the mask requires a bit more calculation, but still functions the same way. In the event that the administrator wants to have subnet 10.15.10.32 match an access list statement, the mask would be as follows.

Item               Value
IP Subnet Address  10.15.10.32
Subnet Mask        255.255.255.224
Wildcard Mask      0.0.0.31

This tells the router to check all but the last five bits of the fourth octet. If the checked bits equal 10.15.10.32, then the access list statement applies to any host on this subnet.

TASK 3D-1 Creating Wildcard Masks

1. If your goal is to block out a single host, such as 192.168.27.93, that uses 255.255.255.0 as the subnet mask, what wildcard mask would you use?

0.0.0.255

2. If your goal is to block out a subnet of 10.12.24.0 that uses 255.255.248.0 as the subnet mask, what wildcard mask would you use?

0.0.7.255

3. If your goal is to block out network 172.168.32.0 that uses 255.255.255.0 as the subnet mask, what wildcard mask would you use?

0.0.0.255
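To make the bit rules concrete, here is an added Python example (not part of the SCNS course material) that derives a wildcard mask from a subnet mask, applies the check/ignore rule bit by bit, and renders the checking chart of Figure 3-15 in text; the function names are assumed, not Cisco's.

```python
# Added example: wildcard-mask arithmetic as described in Topic 3D.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Invert the subnet mask: every host bit (0 in the subnet mask)
    becomes a 'do not check' bit (1 in the wildcard mask)."""
    return _to_dotted(_to_int(subnet_mask) ^ ALL_ONES)


def wildcard_matches(address: str, reference: str, wildcard: str) -> bool:
    """The lesson's rule: wildcard bit 0 = compare that address bit,
    wildcard bit 1 = ignore it. Every compared bit must agree."""
    compared = _to_int(wildcard) ^ ALL_ONES
    return (_to_int(address) & compared) == (_to_int(reference) & compared)


def checked_bits(wildcard: str) -> int:
    """How many of the 32 address bits the router actually compares."""
    return 32 - bin(_to_int(wildcard)).count("1")


def octet_chart(wildcard: str) -> str:
    """Render the mask the way Figure 3-15 does: 'C' where the bit is
    checked (0) and '.' where it is ignored (1), one group per octet."""
    return " ".join(
        "".join("C" if bit == "0" else "." for bit in format(int(octet), "08b"))
        for octet in wildcard.split(".")
    )


if __name__ == "__main__":
    # The subnet example from the lesson: 10.15.10.32 with mask 255.255.255.224.
    wild = wildcard_from_subnet_mask("255.255.255.224")
    print(wild, octet_chart(wild), checked_bits(wild))
    print(wildcard_matches("10.15.10.40", "10.15.10.32", wild))
    print(wildcard_matches("10.15.10.64", "10.15.10.32", wild))
```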

Topic 3E

Implementing Access Control Lists

In this topic, we will detail the implementation of and rule creation for access lists. There will be examples of access lists and their syntax on a Cisco router. Examples will include both standard and extended IP access lists, the most common lists for networks connected to the Internet today.

Access Control Lists are implemented in two stages on Cisco routers. The first stage is to create the list, including all of its statements. The second stage is the implementation of the list on an interface of the router, defining whether the list is to filter packets as an inbound or outgoing list.

Standard Access Control List Command Syntax

To create a standard ACL, the following line shows the proper syntax. Items in italics are variables to be filled in.

Router(config)#access-list access-list-number {permit|deny} source [source-mask]

Although you have the option of using standard or extended access lists, the extended lists are preferred because they provide more granularity when you are permitting and denying traffic.


Where:

• access-list is the actual command to create a list.

• access-list-number is a value between 1 and 99 that is selected to create a standard ACL.

• permit|deny is the value that defines whether the list will grant or block access.

• source is the value that is the actual source address to match.

• source-mask is the value that specifies the wildcard mask for the defined host.

Once the list has been created, the second stage is to apply the list to an interface. Before you do this, however, make sure that you have specified the interface that you want to be affected by the list. The syntax for list application is shown here. Again, items in italics are variables to be filled in.

Router(config-if)#ip access-group access-list-number {in|out}

Where:

• ip access-group is the command to link (implement) a list to an interface.

• access-list-number is the value assigned to the actual list to be implemented on this interface.

• in|out is the value that defines whether the list will filter inbound or outbound packets.

Extended Access Control List Syntax

To create an extended ACL, the following line shows the proper syntax. Remember, items in italics are variables to be filled in.

Router(config)#access-list access-list-number {permit|deny} protocol source source-mask destination destination-mask [operator|operand]

Where:

• access-list is the actual command to create a list.

• access-list-number is a value between 100 and 199 that is selected to create an extended ACL.

• permit|deny is the value that defines whether the list will grant or block access.

• protocol is the value that defines what protocol to filter.

• source is the value that defines the source IP address.

• source-mask is the value that defines the wildcard mask for the source.

• destination is the value that defines the destination IP address.

• destination-mask is the value that defines the wildcard mask for the destination.

• operator|operand is the value that defines the options for the list. Options include:

— GT—Greater than

— LT—Less than

— EQ—Equal to

— NEQ—Not Equal to

Once the list has been created, the second stage is to apply the list to an interface. The syntax for list application is shown here. As before, items in italics are variables to be filled in.

Router(config-if)#ip access-group access-list-number {in|out}

Where:

• ip access-group is the command to link (implement) a list to an interface.

• access-list-number is the value assigned to the actual list to be implemented on this interface.

• in|out is the value that defines whether the list will filter inbound or outbound packets.

Figure 3-16: A sample network for ACL implementation.

Use Figure 3-16, with the network and host IP addresses defined, to look at several examples of access lists. The same figure will be used for all examples, only with different lists, different goals, and different implementations. These examples will use both standard and extended IP access lists.

Denial of a Specific Host

Our first example will be the simple denial of a defined host into the router. This can be accomplished by using a standard ACL.


The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 23 deny 192.168.10.7 0.0.0.0
Router(config)#access-list 23 permit 0.0.0.0 255.255.255.255
Router(config)#interface Ethernet 0
Router(config-if)#ip access-group 23 in
Router(config-if)#^Z
Router#

Denial of a Subnet

Our second example will be the denial of a defined host out to the Internet and the denial of an entire network to the Internet. This can also be accomplished by using a standard ACL. The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 45 deny 192.168.10.7 0.0.0.0
Router(config)#access-list 45 deny 192.168.20.0 0.0.0.255
Router(config)#access-list 45 permit 0.0.0.0 255.255.255.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 45 out
Router(config-if)#^Z
Router#

Denial of a Network

Our third example will be the denial of an entire network from another network. This can be accomplished by using a standard ACL. The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 57 deny 192.168.20.0 0.0.0.255
Router(config)#access-list 57 deny 192.168.10.0 0.0.0.255
Router(config)#access-list 57 permit 0.0.0.0 255.255.255.255
Router(config)#interface Ethernet 0
Router(config-if)#ip access-group 57 out
Router(config-if)#interface Ethernet 1
Router(config-if)#ip access-group 57 out
Router(config-if)#^Z
Router#

Granting Telnet from One Specific Host

Our fourth example will be limiting the permission of given hosts to telnet to the Internet and the denial of a network telnetting to the Internet. This can be accomplished by using an extended ACL, due to the need to control access to individual ports. The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 123 permit tcp 192.168.20.16 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
Router(config)#access-list 123 permit tcp 192.168.10.7 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
Router(config)#access-list 123 deny tcp 192.168.0.0 0.0.255.255 0.0.0.0 255.255.255.255 eq 23
Router(config)#access-list 123 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 123 out
Router(config-if)#^Z
Router#

The third line is permitting all traffic not denied by the second line. The word "any" can be used in place of "0.0.0.0 255.255.255.255."

The fourth line is permitting all traffic not denied by the second and third lines.

For the fifth line, permit ip any any could be used to shorten the syntax.


Granting FTP to a Subnet

Our fifth example will be granting one subnet the ability to FTP to the Internet, while denying the other subnet. Again, this can be accomplished by an extended ACL, due to the need to control access to individual ports. The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 145 permit tcp 192.168.20.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 20
Router(config)#access-list 145 permit tcp 192.168.20.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 21
Router(config)#access-list 145 deny tcp 192.168.10.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 20
Router(config)#access-list 145 deny tcp 192.168.10.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 21
Router(config)#access-list 145 permit ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 145 out
Router(config-if)#^Z
Router#

Defending Against Attacks with ACLs

ACLs can be used for much more than simply granting or denying access to a service or utility. They can be used to guard against known attacks on the network, such as SYN and DoS attacks. This is because many tools use known and identifiable patterns in their attacks.

Anti-DoS ACLs

These ACLs work by recognizing the protocol and port selection of the DoS attack. It is possible that by using these ACLs you may block legitimate applications that have chosen the same high port values, so that must be taken into account. In order to prevent hosts inside the network from participating in a DoS on an Internet host, you should consider placing these on all interfaces, in both directions. At a minimum, you will place these lists on the inbound interfaces that are connected to the Internet.

In the configuration fragment that follows, the first section (ports 27665, 31335, 27444) of the list is designed to block the TRINOO DDoS, and the second section (ports 6776, 6669, 2222, 7000) is designed to block the SubSeven DDoS.

Router(config)#access-list 160 deny tcp any any eq 27665
Router(config)#access-list 160 deny udp any any eq 31335
Router(config)#access-list 160 deny udp any any eq 27444
Router(config)#access-list 160 deny tcp any any eq 6776
Router(config)#access-list 160 deny tcp any any eq 6669
Router(config)#access-list 160 deny tcp any any eq 2222
Router(config)#access-list 160 deny tcp any any eq 7000

Anti-SYN ACLs

The TCP SYN attack is where the attacker floods the target host and prevents any legitimate connections from being made to the target host. To work on blocking this, the ACL must allow legitimate TCP connections, which are created by hosts inside the network, but disallow connections to those hosts from outside (such as from the Internet).


In this first configuration fragment, traffic belonging to sessions established internally is allowed, and incoming connections are not able to create new sessions.

Router#configure terminal
Router(config)#access-list 170 permit tcp any 192.168.20.0 0.0.0.255 established
Router(config)#access-list 170 deny ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 170 in
Router(config-if)#^Z
Router#

Anti-Land ACLs

Another type of attack that has been around for some time is the Land attack. The Land attack is rather simple in design, but it can cause serious network damage to unprotected systems. The attack works by sending a packet from an IP address to the same IP address, using the same ports. So, a packet would be sent from 10.10.10.10:5700 to 10.10.10.10:5700, causing a significant slowdown or DoS of the target.

The following configuration fragment shows the defense against a Land attack on host 10.20.30.50, which is an IP address of an external interface on the router.

Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip address 10.20.30.50 255.255.255.0
Router(config-if)#exit
Router(config)#access-list 110 deny ip host 10.20.30.50 host 10.20.30.50 log
Router(config)#access-list 110 permit ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 110 in
Router(config-if)#^Z
Router#

Anti-spoofing ACLs

Spoofing of packets has become more commonplace due to the increased number of tools that provide this function. You can use your router to combat this issue by not allowing packets to enter the network if they claim to come from an internal IP address.

When you create these lists, you want them to be complete. In other words, do not forget to block the broadcast addresses (to prevent attacks like the Smurf attack), the network addresses themselves, and private or reserved addresses. In the following configuration fragment, the internal network is 152.148.10.0/24, and you will see that quite a few lines are necessary to provide full spoof protection:


Router#configure terminal
Router(config)#access-list 130 deny ip 152.148.10.0 0.0.0.255 any
Router(config)#access-list 130 deny ip 127.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 0.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 10.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 172.16.0.0 0.15.255.255 any
Router(config)#access-list 130 deny ip 192.168.0.0 0.0.255.255 any
Router(config)#access-list 130 deny ip host 255.255.255.255 any
Router(config)#access-list 130 permit ip any 152.148.10.0 0.0.0.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 130 in
Router(config-if)#^Z
Router#
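As an added example that is not part of the course material or of Cisco's software, the following Python script simulates the access list process described in Topic 3D (top-down evaluation, first match wins, implicit deny at the end) on statements written in the syntax used in this topic, and runs it over the anti-spoofing and anti-SYN lists above as constructed input. The wildcards it uses for 0.0.0.0/8 and 172.16.0.0/12 are the correct ones for those ranges, and all function and class names are assumptions of this example.

```python
# Added example: an ACL evaluator for the statement syntax shown in this topic.
import ipaddress
import operator
from dataclasses import dataclass
from typing import List, Optional, Tuple

_PORT_OPS = {"eq": operator.eq, "neq": operator.ne, "gt": operator.gt, "lt": operator.lt}

def _wild_match(addr: str, ref: str, wildcard: str) -> bool:
    # Wildcard rule from Topic 3D: a 0 bit is compared, a 1 bit is ignored.
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, ref, wildcard))
    return (a & ~w) == (r & ~w)

@dataclass
class Packet:
    proto: str                     # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None
    established: bool = False      # ACK or RST set: reply traffic, not a new SYN

@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    port_op: Optional[str] = None  # eq / neq / gt / lt
    port: Optional[int] = None
    established: bool = False
    text: str = ""

def _take_address(tokens: List[str]) -> Tuple[str, str]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    return (tokens.pop(0), "0.0.0.0") if tok == "host" else (tok, tokens.pop(0))

def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N {permit|deny} ...' statement (standard or extended)."""
    tokens = line.split()
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99:                       # standard list: source only
        if rest[0] in ("any", "host"):
            src, src_wild = _take_address(rest)
        else:                                   # an omitted mask means 0.0.0.0
            src, src_wild = rest.pop(0), (rest.pop(0) if rest else "0.0.0.0")
        return Entry(action, "ip", src, src_wild, "0.0.0.0", "255.255.255.255", text=line)
    proto = rest.pop(0)                         # extended list
    src, src_wild = _take_address(rest)
    dst, dst_wild = _take_address(rest)
    entry = Entry(action, proto, src, src_wild, dst, dst_wild, text=line)
    while rest:                                 # optional operator, established, log
        tok = rest.pop(0)
        if tok in _PORT_OPS:
            entry.port_op, entry.port = tok, int(rest.pop(0))
        elif tok == "established":
            entry.established = True
    return entry

def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_wild_match(p.src, e.src, e.src_wild) and _wild_match(p.dst, e.dst, e.dst_wild)):
        return False
    if e.port_op is not None:
        if p.dport is None or not _PORT_OPS[e.port_op](p.dport, e.port):
            return False
    return p.established or not e.established   # 'established' rejects new SYNs

def evaluate(acl_lines: List[str], p: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; anything left over hits the implicit deny."""
    for e in map(parse_entry, acl_lines):
        if entry_matches(e, p):
            return e.action, e.text
    return "deny", "implicit deny at end of list"

# Constructed sample lists, following the fragments in this topic.
ANTI_SPOOF_130 = [
    "access-list 130 deny ip 152.148.10.0 0.0.0.255 any",
    "access-list 130 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 130 deny ip 0.0.0.0 0.255.255.255 any",       # 0.0.0.0/8
    "access-list 130 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 130 deny ip 172.16.0.0 0.15.255.255 any",     # 172.16.0.0/12
    "access-list 130 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 130 deny ip host 255.255.255.255 any",
    "access-list 130 permit ip any 152.148.10.0 0.0.0.255",
]
ANTI_SYN_170 = [
    "access-list 170 permit tcp any 192.168.20.0 0.0.0.255 established",
    "access-list 170 deny ip any any",
]
# Wildcard 255.255.255.255 compares no bits: this deny matches everything and blocks all traffic.
OVERBROAD_131 = [
    "access-list 131 deny ip 0.0.0.0 255.255.255.255 any",
    "access-list 131 permit ip any any",
]
```

Running candidate lists through `evaluate` with a handful of legitimate and spoofed packets before applying them to an interface is a cheap way to catch an over-broad wildcard like the one in OVERBROAD_131, which would otherwise deny all inbound traffic.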

TASK 3E-1 Creating Access Control Lists

Setup: Use the network as diagrammed in Figure 3-16 for this task.

1. Create the configuration fragment that you would use to create an Access Control List to prevent a SYN attack coming from the Internet into the private networks.

Router#configure terminal
Router(config)#access-list 135 permit tcp any 192.168.20.0 0.0.0.255 established
Router(config)#access-list 135 permit tcp any 192.168.10.0 0.0.0.255 established
Router(config)#access-list 135 deny ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 135 in
Router(config-if)#^Z
Router#

Context-based Access Control

Although a detailed discussion of Cisco's Context-based Access Control is out of the scope of this book, this feature is quite valuable and worth some investigation. The Cisco Context-based Access Control function is part of the Cisco IOS Firewall Feature Set, and provides powerful options if your router is going to play a significant part in your firewall system.


Cisco Context-based Access Control (CBAC) works by filtering TCP, UDP, and, in more recent revisions, ICMP network traffic. CBAC is able to inspect "inside" the packet, looking at the actual application.

CBAC essentially works by creating a dynamic (temporary) connection in your router, by keeping track of the state of your network traffic. For example, assume you had an access control list that said no Telnet connections are to be accepted inbound from the Internet to your router. With CBAC, you can build your system to allow an inbound Telnet connection IF the router recognizes that packet as the return traffic of a session that was started by an authorized internal user.

When packets enter the router, they are first processed through the access control lists. If a packet is denied, it will not move on to CBAC inspection. If the packet is allowed after running through the ACLs, then that packet will move on to CBAC inspection.

Topic 3F

Logging Concepts

Although it does not get the credit or generate a high level of interest, logging on the router is a critical aspect of router hardening. Logs enable you to investigate attacks, find problems in the network, and analyze the network.

When you are configuring the logging options on a router, just as with logging elsewhere in the network, you must walk a fine line between gathering too much and too little information. Log too much, and you will have a difficult time finding that single piece of critical information you need to make a decision or to perform an action. Log too little, and you do not have enough information to make an informed decision or to take proper action.

There are many different kinds of logging applications and software products that can track and record logs from all over the network. These applications can then send messages to a pager or cell phone when significant events happen. In this section, you will look at just the options that the actual router can manage, without using any major third-party applications.

Cisco Logging Options

On a Cisco router, the device can log information using several different methods, such as:

• Console Logging: Log messages are sent to the console port directly.

• Terminal Logging: Log messages are sent to the VTY sessions.

• Buffered Logging: Log messages are kept in RAM on the router. Once the buffer fills, the oldest messages are overwritten by newer messages.

• Syslog Logging: Log messages can be sent to an external syslog server to store and sort the messages there.

• SNMP Logging: Log messages are sent (by using SNMP traps) to an SNMP server on the network.

Since UDP communications do not establish a session, the CBAC system approximates the time (as defined by the administrator) a "session" should remain open.


Log Priority

The router has a built-in priority scheme for log messages. The levels range from 0 to 7. If a message is given a lower number, it is considered to be a more critical message. So, Level 1 is more critical than Level 6.

When you select a level, that level and all others of a lower number will be displayed. For example, if you select level 3, you will be presented with messages from level 3 to 0. If you select level 7, you will be presented with messages from level 7 to 0.

The following table lists the levels of logs, along with their titles and descriptions.

Level  Title          Description
0      Emergencies    System is (or is becoming) unusable.
1      Alerts         Immediate action is needed.
2      Critical       A critical condition has occurred.
3      Errors         An error condition has occurred.
4      Warnings       A warning condition has occurred.
5      Notifications  Normal, but noteworthy event.
6      Informational  Informative message.
7      Debugging      Debugging message.

The following table lists an example event for each level of severity.

Level  Example
0      The IOS was unable to initialize.
1      The core router temperature is too high.
2      A problem in assigning memory occurred.
3      The memory size allocated is invalid.
4      Cryptography operation is unable to complete.
5      An interface changed state to up or down. (This is a very common event.)
6      A packet has been denied by an Access Control List.
7      No event triggers this level; debug messages are displayed only when the debug option is used.

An example of what a log line will look like in the router is:

%SYS-5-CONFIG_I: Configured from console by vty1 (172.16.10.1)

In this line, %SYS-5-CONFIG_I indicates that a Level 5 message was logged. Following the colon is the message itself. In this case, the router had a configuration change made via a VTY session from IP address 172.16.10.1.
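As an added example that is not from the course, this Python code parses the %FACILITY-SEVERITY-MNEMONIC prefix of IOS log lines like the one above and applies the "selected level and all lower numbers" rule from the Log Priority section. Apart from the line taken from the lesson, the sample lines are constructed, and the function names are assumptions of this example.

```python
# Added example: parsing Cisco IOS log lines and applying the severity-level rule.
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity levels from the table above: a lower number is more critical.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# %FACILITY-SEVERITY-MNEMONIC: message   (a timestamp may precede the '%' when
# service timestamps is configured, so the pattern is searched, not anchored)
LOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<message>.*)$"
)


@dataclass
class LogEntry:
    facility: str
    severity: int
    mnemonic: str
    message: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_log_line(line: str) -> Optional[LogEntry]:
    """Return the parsed entry, or None for lines without a %FAC-N-MNEMONIC prefix."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return LogEntry(m["facility"], int(m["severity"]), m["mnemonic"], m["message"])


def logged_at_level(entry: LogEntry, configured_level: int) -> bool:
    """Selecting level N records N and every lower (more critical) number."""
    return entry.severity <= configured_level


def filter_for_level(lines: List[str], configured_level: int) -> List[LogEntry]:
    """Keep only the lines a router configured for 'configured_level' would record."""
    entries = (parse_log_line(line) for line in lines)
    return [e for e in entries if e is not None and logged_at_level(e, configured_level)]


def acl_denials(lines: List[str]) -> List[str]:
    """Messages produced by the 'log' keyword on an ACL entry (level 6, IPACCESSLOG*)."""
    return [e.message for e in map(parse_log_line, lines)
            if e is not None and e.facility == "SEC" and e.mnemonic.startswith("IPACCESSLOG")]


# Constructed sample lines; the first one is the line shown in the lesson.
SAMPLE_LINES = [
    "%SYS-5-CONFIG_I: Configured from console by vty1 (172.16.10.1)",
    "Mar  1 00:12:45.123 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down",
    "Mar  1 00:12:46.001 UTC: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.20.30.50(5700) -> 10.20.30.50(5700), 1 packet",
    "Mar  1 00:13:02.440 UTC: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x60A2F4C0",
    "this line is not a syslog message",
]

if __name__ == "__main__":
    # A router set to 'logging console notification' (level 5) drops the ACL denial.
    for entry in filter_for_level(SAMPLE_LINES, 5):
        print(entry.severity, entry.severity_name, entry.mnemonic, entry.message)
```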


Configuring Logging

In the following examples, you will see how to configure different forms of logging. Some will use the buffer, others the console. Viewing the configuration fragments through this section will enable you to determine which type of logging you will use in given situations. On the Cisco router, the command to enable logging is entered in Global Configuration Mode, using the logging on command.

Timestamping

In order for you to properly analyze the logs, you will need to know what happened when, not just that something happened. The assignment of a time that an event occurred, or timestamping, is an option in the router. The Cisco command to configure the timestamp option is service timestamps log datetime. There are three options that can be added to this command.

• The msec option will include the millisecond in a log entry. This may or may not be required, based on your goals. If not added, the log will round the event to the nearest full second.

• The localtime option will make the router stamp the logs using the local time, so that it is easier for people to read and analyze the logs. When using a syslog server, this option is often left off.

• The show-timezone option adds the time zone to the log message. This can be useful when working with log files from many locations and regions.

Console Logging

Console logging is perhaps the most straightforward of all of the logging options in the Cisco router. The following configuration fragment shows logging set to level 5 and to use the console as the method.

Router#configure terminal
Router(config)#logging on
Router(config)#logging console notification
Router(config)#^Z
Router#

In this example, level 5 logging has been configured. This means that items at the access list level (level 6) will not be logged, nor will any debug messages. Had the goal been to see only those log messages that are level 2 or more critical, the proper command would have been logging console critical.

Buffered Logging

Buffered logging requires you to define the memory size that will be used for the logs. The general formula that many follow is that if the router has less than 16 MB of RAM, your log can be 16 kilobytes. If your router has more than 16 MB of RAM, then your log can go as high as 32 or even 64 KB.

On all logs, the time and date can be added to the messages, which is a recommended procedure. On buffered logging, however, it goes from a recommended to a required procedure. This is because the router discards old messages and replaces them with new messages when the buffer space is filled. So, the time of the log is a critical component of buffered logging. The following configuration fragment shows logging set to level 2, using a timestamp.

When you are configuring logging in IOS 11.3 and earlier versions, the command must include the name of the level, such as Alerts. In IOS 12.0 and newer versions, you can use either the name of the level or the number of the level.


Router#configure terminal
Router(config)#logging on
Router(config)#logging buffered 16000 critical
Router(config)#service timestamps log datetime msec localtime show-timezone
Router(config)#^Z
Router#

In this example, the amount of memory that has been allocated is 16 KB. Thelogs will go to the buffer and will be recorded if they are level 2 (Critical) orhigher. Finally, full timestamping is used, including the local time and the timezone options.

Terminal LoggingNormally, there are no messages sent to terminal sessions. This is for bandwidthpurposes and, in some situations, security purposes. In order to allow logging tobe visible on a VTY session, the terminal monitor command must be used.The following configuration fragment shows logging set to level 5, and to be sentto the VTY sessions.

Router#configure terminalRouter(config)#logging onRouter(config)#logging monitor 5Router(config)#^ZRouter#terminal monitorRouter#

In this example, the terminal session will receive all messages of level 5 (notifications) or more severe. This is the first example that uses the numeric value of the level instead of the name, an indicator that the router must be running at least IOS version 12.0. There is a second part to terminal logging. The above fragment tells the router to log messages to the VTY sessions, but the VTY sessions have not been configured to see the messages. The terminal monitor command, entered in the VTY session itself, enables that session to actually view the messages on screen; it applies only to the current session and is not saved in the configuration. In the event that the logs become too numerous or are no longer needed, the terminal no monitor command can be used to stop viewing the logs on the VTY session.

Syslog Logging
Cisco routers have the ability to send their log messages to a server that is running as a syslog server. This is a highly recommended method of logging in a production environment. Routers collect the log messages just as they normally do. However, instead of showing them on the console or storing them in memory, they are sent to a server that will manage the messages and store them on the server's hard drive.

This allows for long-term storage and analysis of the information, and it is not limited by the router's memory or by the need to watch the console in real time. Most UNIX and Linux servers have some version of the syslog server function, and there are many syslog applications for Windows systems on the market. Note that syslog messages travel over UDP port 514 in clear text and without acknowledgement, so they can be lost or read in transit; the syslog server belongs on a management network that the router reaches through a trusted interface.

148 Tactical Perimeter Defense


To configure syslog logging on a Cisco router, there are four components:

• The destination host is any host that can be located using a host name, DNS name, or an IP address.

• The syslog facility is the label the syslog server uses to decide where to file the messages. Although there are quite a few facility names, the routers use the ones named local0 through local7; local7 is the default.

• The severity level of the logs is selected in the same way as for the other logging destinations, using the Cisco severity levels.

• The source interface for the messages is the network interface whose address will appear as the source of the messages sent to the syslog server.

The following configuration fragment shows the setup of a router to use a syslog server.

Router#configure terminal
Router(config)#logging on
Router(config)#logging trap 5
Router(config)#logging host 10.20.30.45
Router(config)#logging facility local5
Router(config)#logging origin-id hostname
Router(config)#logging source-interface Ethernet 0
Router(config)#^Z
Router#

In this example, logging has been enabled. Messages are sent to a syslog server, logging messages that are level 5 or more critical. The IP address of the syslog server is 10.20.30.45. (Additional servers can be configured with multiple logging host commands using different IP addresses, for redundancy.) The facility on the syslog server is local5, the origin-id is the hostname (Router in this example), and the source for these messages is Ethernet 0 on the router.

TASK 3F-1
Configuring Buffered Logging

1. Create the configuration fragment you would use for buffered logging, using 32 kilobytes of memory. Include all timestamping options and log level 4 events. Assume that the router is running IOS version 12.2.

Router#configure terminal
Router(config)#logging on
Router(config)#logging buffered 32000 4
Router(config)#service timestamps log datetime msec localtime show-timezone
Router(config)#^Z
Router#

ACL Logging
The previous section on logging focused on the system log events, critical errors, and messages. Another important area to investigate is the use of logging in relationship to your Access Control Lists. When implemented, ACL log messages are level 6 (informational) events. Because of that, a syslog destination configured with logging trap 5, as in the earlier example, will not receive them; use logging trap 6 (informational) if the ACL logs are to reach the syslog server.


In order to implement ACL logging, the commands are very simple. All you need to add is the keyword log or log-input to the end of the ACL statements. You do not want to add this to all your ACL statements, however, or you will flood your logs with so much information that you will be virtually unable to identify anything useful.

Use of the log keyword will list the type, date, and time in the ACL log; for standard ACLs it requires IOS version 12.0 or newer. The log-input keyword adds information on the input interface and the source MAC address (the MAC address is only meaningful on LAN interfaces such as Ethernet). This is useful, for example, when the same ACL is applied to more than one interface and you need to know which one the packet arrived on. Logged packets also cost the router CPU, and IOS rate-limits the messages: the first packet matching a logged entry produces a message, and later matches are reported as a summary with a packet count, so the log shows counts rather than every packet.

Logging may be one reason that you do not rely on the implicit deny all rule at the end of an ACL. If a packet is dropped by the implicit deny, that packet will not be logged. If, however, you add the following line as the last statement in the ACL, then the denied packets will be logged:

access-list 123 deny ip any any log

Anti-spoofing Logging
Earlier, you looked at the creation of anti-spoofing ACLs. In this section, you will see these ACLs used with the logging function to gather information for analysis. In these examples, assume that the internal network is 172.16.0.0/16. First, the configuration fragment of the lists themselves:

Router#configure terminal
Router(config)#access-list 123 deny ip 172.16.0.0 0.0.255.255 any log-input
Router(config)#access-list 123 permit ip any any
Router(config)#access-list 145 permit ip 172.16.0.0 0.0.255.255 any log-input
Router(config)#access-list 145 deny ip any any log-input
Router(config)#^Z
Router#

For the next example, assume that the router has one internal Ethernet interface (where the trusted network is located) and two external serial interfaces. List 123 is applied inbound on each external interface, so that packets arriving from outside with an internal source address are dropped and logged; list 145 is applied outbound on each external interface, so that only packets with an internal source address leave, and anything else is dropped and logged. Note that the permit entry in list 145 carries log-input, which records every legitimate outbound flow; in production you would normally log only the deny entries. The following configuration fragment shows the application of the ACLs, first list 123 and then list 145, on their proper interfaces.

Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip access-group 123 in
Router(config-if)#exit
Router(config)#interface Serial 1
Router(config-if)#ip access-group 123 in
Router(config-if)#exit
Router(config)#interface Serial 0
Router(config-if)#ip access-group 145 out
Router(config-if)#exit
Router(config)#interface Serial 1
Router(config-if)#ip access-group 145 out
Router(config-if)#^Z
Router#
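The syslog, ACL logging and anti-spoofing sections above describe what the router sends, but not what the collector has to do with it. The following Python program is an added example, not part of the course material: it decodes the PRI field of a raw IOS syslog message into facility and severity, checks each message against the configuration shown above (facility local5, origin-id hostname, a trustworthy clock), and then picks the logged anti-spoofing hits out of the %SEC-6-IPACCESSLOG messages, labelling them as inbound or outbound spoofing by which list denied them. The message lines are constructed for the example, and the check_policy, parse_acl_hit and classify_hits functions are this example's own names. Run with trap_level=5, the value in the syslog fragment above, check_policy shows that the level 6 ACL messages would not have been forwarded at all.

```python
"""Decode Cisco IOS syslog messages and pull out logged ACL hits.

Added example for this lesson; it is not part of the course material. It
assumes the router configuration shown in the text (logging facility local5,
logging origin-id hostname, timestamps with msec/localtime/show-timezone,
and ACLs 123/145 with log-input) and a syslog collector that keeps the raw
UDP payload. Every message in SAMPLE is constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SEVERITIES = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]
FACILITIES = {16 + i: f"local{i}" for i in range(8)}   # local0..local7 are facilities 16..23

# Payload as IOS sends it: <PRI>seq: origin-id: timestamp: %FACILITY-SEV-MNEMONIC: text
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"                       # sequence number, if enabled
    r"(?:(?P<origin>[\w.-]+): )?"                # origin-id hostname
    r"(?P<clock>[*.]?)"                          # '*' = clock never set, '.' = NTP not synced
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d(?:\.\d{3})? \w+): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

# Text of %SEC-6-IPACCESSLOG* messages; ports, interface/MAC and ICMP type/code are optional
ACL_RE = re.compile(
    r"^list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<iface>[A-Za-z][\w/.]*) ?(?P<mac>[0-9a-f.]+)?\))?"
    r" -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?"
    r", (?P<count>\d+) packets?$"
)


@dataclass
class SyslogMsg:
    facility: int
    severity: int
    origin: Optional[str]
    clock_flag: str
    timestamp: str
    mnemonic: str
    text: str


def parse_syslog(line: str) -> SyslogMsg:
    """Split a raw IOS syslog payload; PRI = facility * 8 + severity."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an IOS syslog message: {line!r}")
    pri = int(m["pri"])
    return SyslogMsg(facility=pri // 8, severity=pri % 8, origin=m["origin"],
                     clock_flag=m["clock"], timestamp=m["ts"],
                     mnemonic=f"{m['fac']}-{m['sev']}-{m['mnem']}", text=m["text"])


def check_policy(msg: SyslogMsg, facility: str = "local5", trap_level: int = 6) -> list:
    """Return the ways a message disagrees with the expected router configuration."""
    problems = []
    if FACILITIES.get(msg.facility) != facility:
        problems.append(f"facility {FACILITIES.get(msg.facility, msg.facility)} != {facility}")
    if msg.severity > trap_level:
        problems.append(f"severity {SEVERITIES[msg.severity]} above trap level")
    if msg.clock_flag:
        problems.append("router clock not authoritative; timestamps unreliable")
    if msg.origin is None:
        problems.append("no origin-id; cannot tell which router sent this")
    return problems


def parse_acl_hit(msg: SyslogMsg) -> Optional[dict]:
    """Extract the fields of an ACL log message, or None for any other message."""
    if not msg.mnemonic.startswith("SEC-6-IPACCESSLOG"):
        return None
    m = ACL_RE.match(msg.text)
    if not m:
        return None
    hit = m.groupdict()
    hit["count"] = int(hit["count"])
    return hit


def classify_hits(lines, internal="172.16.0.0/16", inbound_acl="123", outbound_acl="145"):
    """Label denied ACL hits as inbound or outbound spoofing, per the anti-spoofing lists."""
    net = ipaddress.ip_network(internal)
    out = []
    for line in lines:
        hit = parse_acl_hit(parse_syslog(line))
        if hit is None or hit["action"] != "denied":
            continue
        src_internal = ipaddress.ip_address(hit["src"]) in net
        if hit["acl"] == inbound_acl and src_internal:
            kind = "inbound-spoof"      # internal address arriving on an outside interface
        elif hit["acl"] == outbound_acl and not src_internal:
            kind = "outbound-spoof"     # internal host sending with a foreign source address
        else:
            kind = "other-deny"
        out.append((kind, hit["src"], hit["iface"], hit["count"]))
    return out


# Constructed messages in the format described above (not captured from a real router).
SAMPLE = [
    "<174>12: Router: Mar  1 10:15:02.114 EST: %SEC-6-IPACCESSLOGP: list 123 denied tcp "
    "172.16.5.9(44321) (Serial0 ) -> 172.16.10.20(80), 1 packet",
    "<174>13: Router: Mar  1 10:20:02.114 EST: %SEC-6-IPACCESSLOGP: list 123 denied tcp "
    "172.16.5.9(44321) (Serial0 ) -> 172.16.10.20(80), 37 packets",
    "<174>14: Router: Mar  1 10:21:40.002 EST: %SEC-6-IPACCESSLOGDP: list 145 denied icmp "
    "10.99.0.7 (Ethernet0 0011.2233.4455) -> 198.51.100.5 (8/0), 1 packet",
    "<174>15: Router: Mar  1 10:22:01.500 EST: %SEC-6-IPACCESSLOGP: list 145 permitted tcp "
    "172.16.23.45(51000) (Ethernet0 00aa.bbcc.ddee) -> 198.51.100.5(443), 1 packet",
    "<173>16: Router: Mar  1 10:25:13.000 EST: %LINEPROTO-5-UPDOWN: "
    "Line protocol on Interface Serial1, changed state to down",
    "<190>17: *Mar  1 00:00:09.000 UTC: %SYS-6-CLOCKUPDATE: System clock has been updated",
]

if __name__ == "__main__":
    for line in SAMPLE:
        msg = parse_syslog(line)
        print(msg.mnemonic, check_policy(msg) or "ok")
    for entry in classify_hits(SAMPLE):
        print(entry)
```

The last sample message is what a router looks like before its clock is set and with the default facility: check_policy reports the facility mismatch, the unreliable timestamp and the missing origin-id, which is exactly the kind of message that cannot be correlated with anything else in the log.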

VTY Logging
One of the primary methods of gaining access to the router is through VTY sessions. These sessions may come under frequent attack at larger organizations. You will want to know who is and who is not successful at gaining access via VTY sessions; again, logging is the answer to that need.


In this example, you will again assume the internal network 172.16.0.0/16, and that there is only one trusted host that has authorized VTY access, 172.16.23.45. With those variables defined, the following is the configuration fragment that will log VTY sessions on the router.

Router#configure terminal
Router(config)#access-list 155 permit ip host 172.16.23.45 any log-input
Router(config)#access-list 155 deny ip any any log-input
Router(config)#^Z
Router#

Once you have created the list, as shown, you will need to apply the list. In the following configuration fragment, the list is applied to VTY sessions 0 through 4.

Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#access-class 155 in
Router(config-line)#^Z
Router#

TASK 3F-2
Configuring Anti-spoofing Logging

1. Create a logged ACL that is used for anti-spoofing, using the following information: The router has interfaces Ethernet0, Serial0, and Serial1. Ethernet0 is connected to the only trusted network, which has the IP address 192.168.45.0/24. For this exercise, and in the interest of time, only create anti-spoofing for the defined network. If you want to expand this to include all private and reserved networks, you can do so, but it is not required.

Router#configure terminal
Router(config)#access-list 160 deny ip 192.168.45.0 0.0.0.255 any log-input
Router(config)#access-list 160 permit ip any any
Router(config)#access-list 170 permit ip 192.168.45.0 0.0.0.255 any log-input
Router(config)#access-list 170 deny ip any any log-input
Router(config)#^Z
Router#

Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip access-group 160 in
Router(config-if)#exit
Router(config)#interface Serial 1
Router(config-if)#ip access-group 160 in
Router(config-if)#exit
Router(config)#interface Serial 0
Router(config-if)#ip access-group 170 out
Router(config-if)#exit
Router(config)#interface Serial 1
Router(config-if)#ip access-group 170 out
Router(config-if)#^Z
Router#


Summary
In this lesson, you examined the fundamentals of router security and the principles of routing. You created the configurations that are required to harden a Cisco router and configured the removal of services and protocols. You examined the process of the wildcard mask and how it relates to the Cisco ACL. You created the configurations for ACLs to defend the network against attacks. Finally, you examined the process of logging on a Cisco router and configured buffered and anti-spoofing logging.

Lesson Review

3A What is authentication?

Authentication is the process of verifying the identity of a user (or device), on the basis of which access is generally granted or denied.

What is authorization?

Authorization is the process of defining what a user can do, or is authorized to do.

What is AAA?

Authentication, Authorization, and Accounting.

What are the methods of access to a Cisco router?

• Console port

• Auxiliary port

• VTY sessions

• HTTP

• TFTP

• SNMP

3B List some of the advantages of using static routing.

Responses might include:

• Precise control over the routes that data will take across the network.

• Easy to configure in small networks.

• Reduced bandwidth use, due to no excessive router traffic.

• Reduced load on the routers, due to no need to make complex routing calculations.

What is a security advantage to using RIPv2 over RIPv1?

Using RIPv2 provides the security advantage of authentication, enabling the routers to identify who is and who is not able to update routing information.


3C What is a security reason for disabling CDP?

CDP might be broadcasting information about the router that is not intended to be public knowledge.

What is an attack that you can defend against by disabling ICMP directed broadcasts?

Smurf.

3D What type of Access Control List allows for the checking of port num-bers?

Extended ACLs allow for port checking.

When a packet enters the router, what is the first thing the router willcheck regarding that packet?

Is there a route for this packet? If yes, send it to the ACLs if there are any; if no, discard the packet (and respond to the sender if need be).

3E What is the syntax for a standard Access Control List?

Router(config)#access-list access-list-number {permit|deny} source [source-mask]

What is the syntax for an extended Access Control List?

Router(config)#access-list access-list-number {permit|deny} protocol source source-mask destination destination-mask [operator operand]

What is the syntax for implementation of a standard Access ControlList?

Router(config-if)#ip access-group access-list-number {in|out}

3F When a configuration change is made to the router, such as an interface being brought down, what level of message will this generate?

Level 5.

What is the command for an access list to be implemented on the VTY sessions?

access-class [access list number] in


Designing Firewalls

Overview
In this lesson, you will be introduced to the concepts and technologies used in designing firewall systems. You will identify the methods of implementing firewalls in different scenarios, using different technologies. The strategies and concepts in this lesson are important in understanding later lessons.

Objectives
To identify the design and implementation issues of firewall systems, you will:

4A Examine the principles of firewall design and implementation.

Given a firewall system, you will identify and describe methodologies of firewall function and implementation.

4B Create a firewall policy based on provided statements.

Given the answers to questions regarding the firewall, you will create a firewall policy statement.

4C Create a rule set to be used with a packet filter.

Given a network scenario, you will create a rule set for a packet filtering firewall.

4D Describe the function of a proxy server.

Given a network scenario, you will describe the process of internal clients using a proxy server to access Internet web pages.

4E Describe how a bastion host is included in the security of a network.

Given a network scenario, you will describe how the creation of a bastion host functions in the security of the network.

4F Describe the function of a honeypot in a network environment.

Given a network running Windows 2003, describe the function of an effective honeypot in the security of the network.

Data Files: none

Lesson Time: 2 hours

LESSON 4


Topic 4A: Firewall Components
The concept of network security today is a varied and challenging topic to discuss. There are so many different areas of the network architecture to be concerned with, ranging from messaging systems to databases, from file and print solutions to remote network access. In between these areas of our network, we find things such as access control solutions, user control policies (group policies in a Windows environment), and a host of settings, functionality and options that serve to confuse and confound the average user of a computer in a domain based network today.

It was not that long ago that security and the protection of network based assets was clearly the domain of the network engineer, that person who was technically savvy, highly skilled, and often times hard to talk to and understand if you were not also a network engineer.

The challenges faced by these network engineers, access control, asset protection, and risk mitigation, have not changed at all, and yet at the same time, the technology used to address these issues has undergone startling transformations in both complexity and capability. One need only look at the advances in the area of the firewall to see all too clearly how this transformation has had a direct, undeniable, and profound impact both on network security and on users' perceptions of that security and of the people that provide it.

The following image is an example of a simple firewall.

Figure 4-1: An example of a single firewall.

The firewall itself is positioned logically between the internal network (the LAN) and the external network (the WAN). The firewall sits there performing its job, denying and granting access based on rules that the network/security administrator has created and assigned to the device.


Over the last few years, providing this option to simply grant or deny access has typically been enough to provide a basic level of security and protection to most, if not all, of our networks. The challenge that has been steadily rising in relation to the provision of basic security is that the hackers and the enemies of the networks protected by firewalls have not been content to sit back and quit trying to figure out how to break the security afforded by the firewalls. As a result, the addition of new features and options for the firewall has become a very important part of the continuing evolution of network security overall, and of the ability to protect our networks from unauthorized and unwanted network access and traffic in particular.

In addition to denying and granting access, a firewall may now offer one or more of the following services:

• Network Address Translation (NAT): NAT is used by the firewall or router to translate internal private IP addresses to external IP addresses, so that the internal addressing is not exposed to the outside.

• Data caching: This option allows the firewall to store data that is accessed often by network clients.

• Restriction on content: This option is available in many newer systems, allowing the administrator to control Internet access based on keyword restrictions.

Firewall Methodologies
Firewalls have two general methods of implementing security within a network. Although there are variations of these two, most modifications still boil down to one or the other. They are:

• Packet filtering

• Proxy servers (application gateway)

Packet filtering was the first type of firewall used by many organizations to protect their networks. The general method of implementing a packet filter was to use a router. These routers had the ability to either permit or deny packets, based on simple rules the administrator would create.

Even though these firewalls could perform this type of filtering, they were limited by the fact that they were designed to look at the header information of the packet only. An example of this drawback is that a filter could block FTP access entirely but could not block only a PUT command within an FTP session, because the command lives in the data, not the header.

The addition of proxy server (also known as an application gateway) capabilities to the firewalls created a much more solid security product than a pure packet filter was capable of providing on its own. The proxy software can make decisions based on more than the header of a packet.

Proxy servers use software to intercept network traffic that is destined for a given application. The proxy recognizes the request and, on behalf of the client, makes the request to the server. In this case, the internal client never makes a direct connection to the external server. Instead of a direct connection, the proxy functions as the man-in-the-middle and speaks to both the client and server, relaying their messages back and forth.

The major advantage to this is that the proxy software can be instructed to permit or deny traffic based upon the actual data in the packet, not simply the header. In other words, the proxy is aware of communication methods and will respond accordingly, not just open and close a port in a given direction.
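The difference between the two methodologies is easiest to see when both are asked the same question. The following Python program is an added example, not part of the course material: it models a packet filter that decides on header fields alone and an FTP application gateway that also reads the control-channel command, so that an upload (the STOR command that an FTP client's put sends) can be refused while a download (RETR) on the very same connection is allowed. The Packet class, the rule table, the addresses and the FTP command sets are made up for the example; a real gateway would also terminate the client's TCP session and open its own to the server, which is not modelled here.

```python
"""Packet filter versus application gateway, on a tiny scale.

Added example for this lesson; it is not part of the course material. It
models the two firewall methodologies described in the text: a packet filter
that decides on header fields alone, and an FTP application gateway that
reads the control-channel command so it can refuse uploads while still
permitting downloads. Addresses, rules and commands are made up for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    payload: bytes = b""  # application data; a packet filter never looks here


# Packet-filter rules: (action, source network, destination network, protocol, destination port).
# None is a wildcard. First match wins; no match means deny (the usual implicit deny).
FILTER_RULES = [
    ("permit", "172.16.0.0/16", "0.0.0.0/0", "tcp", 80),   # internal clients to web
    ("permit", "172.16.0.0/16", "0.0.0.0/0", "tcp", 21),   # internal clients to FTP control
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None, None),         # explicit final deny, for logging
]


def packet_filter(pkt: Packet, rules=FILTER_RULES) -> str:
    """Header-only decision on addresses, protocol and port. Returns 'permit' or 'deny'."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, src_net, dst_net, proto, dport in rules:
        if src not in ipaddress.ip_network(src_net):
            continue
        if dst not in ipaddress.ip_network(dst_net):
            continue
        if proto is not None and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


# FTP control-channel commands the gateway relays for internal clients.
FTP_ALLOWED = {"USER", "PASS", "SYST", "PWD", "CWD", "TYPE", "PASV", "PORT",
               "LIST", "NLST", "SIZE", "RETR", "QUIT"}
FTP_UPLOAD = {"STOR", "STOU", "APPE"}   # every command that writes a file to the server


def ftp_command(payload: bytes) -> str:
    """Return the FTP verb at the start of a control-channel line, upper-cased."""
    line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return line.split(" ", 1)[0].strip().upper()


def ftp_gateway(pkt: Packet, rules=FILTER_RULES) -> str:
    """Proxy-style decision: the header must pass, and then the command must be acceptable."""
    if packet_filter(pkt, rules) != "permit":
        return "deny"
    if pkt.dport != 21:
        return "permit"             # not FTP control traffic; nothing more to inspect here
    cmd = ftp_command(pkt.payload)
    if cmd in FTP_UPLOAD:
        return "deny"               # the "put" that the packet filter could not see
    return "permit" if cmd in FTP_ALLOWED else "deny"


if __name__ == "__main__":
    get = Packet("172.16.4.4", "198.51.100.9", "tcp", 21, b"RETR report.pdf\r\n")
    put = Packet("172.16.4.4", "198.51.100.9", "tcp", 21, b"STOR payroll.xls\r\n")
    for name, pkt in (("get", get), ("put", put)):
        print(name, "filter:", packet_filter(pkt), "gateway:", ftp_gateway(pkt))
```

Both packets carry identical headers, so packet_filter returns permit for each of them; only ftp_gateway, which reads the payload, returns deny for the upload. Unknown or malformed commands are denied rather than relayed, which is the safer default for a gateway that is supposed to understand the protocol it carries.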


What a Firewall Cannot Do
So if a firewall can use packet filtering, proxy services, a combination of both, or custom filtering to create secure environments for our data, the logical question that we have to ask is "what can't a firewall do to protect the network?" All too often a network/security administrator is told to go and buy a firewall to secure the network.

Unfortunately, as is usually the case, this is the extent of the conversation. No other discussion takes place that would allow the network/security administrator to gain a better understanding of the reasons behind the need for a firewall, and what placing the firewall within the network topology is supposed to accomplish.

Our network/security administrator is being asked to purchase a device that will do a large number of things, all or most of which might or might not be necessary for the network security issues in question. It will therefore be helpful to look briefly at what a firewall cannot do, so we can begin to understand what it can do.

A few areas where a firewall will have difficulty in securing the network are as follows:

• Viruses: Some firewalls do have the ability to detect virus traffic; however, attackers can package a virus in so many forms, and firewalls are not designed as anti-virus systems, that this is not a primary function of a firewall. Your firewall may be able to identify some virus traffic, but you should always run anti-virus software on the internal hosts as well.

• Employee misuse: This is a hard point, but a valid one. Employees often do things unknowingly. They may respond to forged email addresses, or they may run programs that come from friends, assuming they are safe.

• Secondary connections: If employees have modems in their computers and/or are able to use a wireless network connection, they may make new connections to the Internet for personal reasons. These connections bypass the firewall entirely for that client. If File and Print Sharing is turned on, the host can be exposed over that connection even though the firewall itself is properly configured.

• Social engineering: If the network administrators gave out firewall information to someone calling from "your ISP," with no verification, there is a serious problem.

• Poor architecture: Without a well thought out and vetted firewall design, it becomes very difficult, maybe even impossible, to configure the firewall properly in order to ensure that the necessary security precautions are in place within the network at all times.

Implementation Options for Firewalls
There is no one correct standard for implementing a firewall within a network. The following concepts show several different possibilities for firewall implementations.


A Single Packet Filtering Device
As shown in the following figure, the network has been protected by a single device configured as a packet filter, permitting or denying access based on the contents of the packet headers.

Figure 4-2: An example of a single packet filtering device.

A Multi-homed Device
As shown in the following figure, the network is being protected by a device (most likely a computer) that has been configured with multiple network interfaces. Proxy software runs on the device to forward traffic between the interfaces.

Figure 4-3: An example of a single multi-homed device as a proxy server.


A Screened Host
As shown in the following figure, the network is protected by combining the functions of a proxy server and packet filtering. The packet filter accepts incoming traffic only when it is addressed to the proxy (the screened host). Traffic from an outside client that tries to reach an internal host directly, bypassing the proxy, is discarded by the packet filter.

Figure 4-4: An example of a screened host running behind a packet filtering device.

A Demilitarized Zone (DMZ)
In the following figure, the network has a special "zone," or area, that has been created to allow for the placement of servers that need to be accessed by both Internet and intranet based clients. This special zone, the DMZ, requires two "filtering" devices (firewalls will traditionally be used for this) and can have multiple machines existing within its boundary.


Figure 4-5: An example of a Demilitarized Zone (DMZ).


TASK 4A-1
Firewall Planning

Objective: In order to implement firewall systems, you will need to be able to diagram the different methods used for implementation.

1. Diagram the method described in this topic for the firewall implementation that most accurately reflects your current network design.


If you had a "blank check" and could design a firewall implementation for your network, what would that design look like? If it differs from your current design, please diagram the new solution that you would build.

Topic 4B: Create a Firewall Policy
Before you can identify configuration options, or implementation techniques, you must have a firewall policy. In many instances, organizations rush into firewall selection and installation without enough thought on how this complex device is to be used.

For a firewall to be designed and deployed correctly, there must be a firewall policy in place. While not as complete as an organizational security policy, the firewall policy has its place. The policy items in place for the firewall are part of the overall security policy the organization uses.

The firewall policy can generally have one of two viewpoints: either deny everything except what is explicitly allowed, or permit everything except what is explicitly denied. The general consensus is that the former of the two viewpoints should be used.


It is a good starting point to assume that all traffic is to be denied, except that which the policy has identified as explicitly being allowed. This also usually turns out to be less work for the network/security administrator. Imagine creating a list of all the ports Trojans use, and all the ports for applications your users are not authorized to use, and then creating rules to block each of them. Compare that to creating a list of what the users are allowed to use, and granting them access to those services and applications explicitly.

There are different names for the items that can be included in the security policy, and the ones that follow are very common. The items include the Acceptable Usage Statement, the Network Connection Statement, the Contracted Worker Statement, and the Firewall Administrator Statement.

After building the overall security policy, if it becomes very large (some organizations have policies that are hundreds of pages long), you may want to pull out and copy the sections related to the firewall and have a separate subdocument for the firewall alone.

Having subdocuments is not a requirement, but it makes reading the policy much easier. The subdocuments are easier to index, reference, and view. Many organizations now run an internal web server to house important documents, such as the policies, for employees. The policy is one of those documents, and the subdocuments are easier to view and read when only a handful of pages, versus scrolling through 200 pages of content.

The Acceptable Use Statement
This portion of the policy can take the most time, energy, meetings, and effort to create. To be able to describe, in detail, the proper usages of a computer within the network is a difficult task for some organizations. There is a necessary balance that must be achieved between wanting to maintain tight security and giving employees the ability to do their jobs.

Of all the potential devices in an organization, however, the computer is often the most misused. It is this misuse that the security policy attempts to control.

Several points to consider when creating this portion of the policy are as follows:

• Applications other than those supplied by, or approved by, the company are not to be installed on any computer. This includes any programs that can be downloaded from the Internet or brought in on CD-ROM, DVD-ROM, USB device, or floppy disk.

• Applications that have been provided for the individual computer in the organization may not, under any circumstances, be copied or installed onto any other computer, including the user's home computer, unless the organization has made it clear, through written policy and participation in an appropriate licensing program authorized by the vendor, that employees have the ability to exercise "Home Use Rights" for the particular software in question. If a backup copy is required for archive, the organization will be responsible for creating and storing the archive copy.

• Computers may not be left unattended with a user account still logged on. If a user is temporarily away from the computer, the computer must be left in a locked state. Screensavers must employ the password protection option.

• The computer and its installed applications are to be used for organizational related activity only.

• The computer and its installed applications may not be used in any way to threaten or harass another individual.

• The installed email application is the only authorized email service allowed for use, and employees may not use this email service for personal use.

From this list, you can see the types of things that are to be covered in the policy. If there are items that cannot be implemented on the firewall, even in part, they may be best located in the overall security policy document for the organization. Some of the examples given in the previous list fall into that category; for example, screensavers, installing applications at home, or threatening of individuals. These items clearly must be in the security policy, but may not be items that can be directly implemented on the firewall.

The Network Connection Statement
This portion of the policy involves the types of devices that are to be granted connections to the network. Here is where you can define the issues related to the network operating systems, devices that use the network, and how those devices must be configured in order to use the network in a secure fashion.


This section may have the most functional use on the firewall, as this section is defining actual network traffic. Some of the items that may be included in this portion are:

• Network scanning is not to be permitted by any user of the network, otherthan those in network administration roles.

• Users may access FTP sites to upload and download needed files, but internal user computers may not have FTP server software installed and running.

• Users may access WWW on port 80 as required.

• Users may access email on port 25 as required.

• Users may not access NNTP on any port.

• Users in subnet 10.0.10.0 are allowed to use SSH for remote administration purposes.

• Users not in subnet 10.0.10.0 are not allowed to use SSH to connect to any location or device.

• Users may not run any form of chat software to the Internet, including, but not limited to, AOL Instant Messenger, Yahoo Chat, IRC, ICQ, and MSN Chat.

• Users may not download files over 5 MB in size.

• Anti-virus software must be installed and running on all computers.

• Anti-virus updates are required weekly on user computers.

• Anti-virus updates are required daily on all servers.

• No new hardware (including network cards and modems) may be installed in any computer by any party other than the network administrators.

• No unauthorized links to the Internet from any computer are allowed under any circumstances.

As you can see, this list could go on and on. These are only examples to get you started. This section can get technical, as in deciding which ports to allow to and from subnets or computers in the network. This may be where you spend the most time developing the firewall policy, as it is most relevant to implementation on the firewall.

The Contracted Worker Statement
This portion of the policy is often overlooked. The policy must address the issue of contracted, or temporary, workers. These individuals may require only occasional access to resources on the network.

The list of items for the contracted worker statement may overlap with other areas of the policy, but this does not present a problem. Obviously, the feature or rule would only be implemented once, but it is better to list an item twice than to assume the item has been covered elsewhere.


Some examples of items in the contracted worker statement portion of the policy are:

• No contractors or temporary workers shall have access to unauthorized resources.

• No contractor or temporary worker shall be permitted to scan the network.

• No contractor or temporary worker shall copy data from a computer to a form of removable media, such as CD-ROM, DVD-ROM, USB device, or floppy disk.

• No contractor or temporary worker may use FTP, unless specifically granted permission in writing.

• No contractor or temporary worker will have access to Telnet or SSH unless specifically granted permission in writing.

From these examples, you can see that there are areas which overlap. As the saying goes, it is better to be safe than sorry.

The Firewall Administrator Statement
Some organizations may not have a separate statement for the administrator of the firewall itself. If yours is one that will require such a statement, here are some possible examples of the items that could appear in it:

• The firewall administrator must be certified by the vendor of the firewall.

• The firewall administrator must have SCNA certification.

• The firewall administrator must know all the applications authorized to be installed on computers in the network.

• The firewall administrator shall report directly to the Chief Security Officer.

• The firewall administrator must be reachable at all times—24 hours a day, 7 days a week.

As you can see, this area can almost be considered the job role of the firewall administrator. Some organizations will have such a policy, others will not. It can be a benefit in a large organization to know these items, and to have them written in the policy.

From these examples, you can start to build the framework for the security policy, and, in this case, the specific firewall portion of the policy. The firewall policy should be a working document that can be modified on a regular basis. The security world is ever-changing, so be sure your policy changes with it!

TASK 4B-1

Creating a Simple Firewall Policy

1. Read through the following scenario of a corporate network.

The network is a single office, with 200 nodes. Currently, it is connected to the Internet through a single 64K ISDN, but they are getting 1.5M SDSL installed in a week, and want to use a firewall on their new connection. The network is a single Windows NT 4.0 domain with an internal web server and an internal email server. The internal servers are accessed by employees and customers over the Internet.

Lesson 4: Designing Firewalls 167


The CEO has stated that email must not be used for personal use and that no one can download anything harmful to the network or organization. You are the firewall administrator and have given the CEO a more specific set of questions, which are answered here:

Your Question                                        The CEO’s Answer
Can the users use newsgroups?                        No.
Can the users run Telnet to the Internet?            No.
Can the users visit external websites?               Yes.
Are there any websites to be defined as off limits?  Anything pornographic.
Can users use Instant Messaging software?            Only internally.
Can users upload to FTP?                             No.
Can users download from FTP?                         Only if it is not a dangerous file.
Can users access external email servers?             Yes, if it is company-related.
Who is the firewall administrator?                   You are.
Is 24x7 firewall support expected?                   Yes.

Topic 4C

Rule Sets and Packet Filters

Having a solid policy is one important part of preparing to implement the firewall. Another is being aware of the different types of firewalls that exist. We briefly discussed firewall methodologies earlier, and now we will focus on packet filtering.

Packet filters were the first types of firewalls used to protect networks. Traditionally, packet filters were (and are still) implemented as access control lists on routers. This single border security device was all that was needed for quite some time.

The router becomes the single access point to the network, and the place where the packet filtering functions. In the following figure, you can see examples of where the router may be located. The function of the packet filter will differ based on its location in the scheme of the network.


Figure 4-6: An example of the location of packet filters.

In the first example, there is only a single device running as the packet filter for the network. This device will have to be configured very well, as the security of the network is riding on its rules.

In the second example, the packet filter must be carefully configured not to allow direct access from clients on the internal network to the Internet. Likewise, it must be configured so that traffic from the Internet cannot directly reach the internal clients.

In the third example, a DMZ has been created. This requires the two devices to be configured differently. As such, the packet filter directly connected to the Internet must be secured to allow access to the hosts on the DMZ, but not the internal network. The packet filter connected to the internal network must be secured so that clients can access the hosts on the DMZ, but not the Internet directly.

The Packet Filter Rules

Regardless of the implementation of packet filter that is used, there must be a set of rules in place for the packet filter to use in making decisions. For creating the rules, you can consult your firewall policy, as discussed earlier.

The general questions that should be answered are:

• Which services are to be allowed to access the Internet from the intranet?

• Which services are to be allowed to access the intranet from the Internet?

• Which hosts are allowed specific access that others do not have?


Although each product will have different methods of implementing these rules, there are some basic considerations that apply to nearly all packet filtering devices. They include:

• The interface to which the rule will apply. For example, is it the internal network interface, or the external Internet connection?

• The direction of the packet. Will this rule apply to packets that are entering on the defined interface, or does it apply to packets that are leaving on the interface?

• Addresses used to make the decision. Will the rule base its decision on the source IP address, destination IP address, or both?

• Ports used to make the decision. Will the rule base its decision on the source port, destination port, or both?

• Higher level protocols. Is this rule to be based on the protocol using IP, such as UDP or TCP?

Ports and Sockets

Before we can get into the specifics of the rules, we need to review TCP/IP, ports, and sockets. This is shown in the following figure. The IP address specifies the host that is communicating, and the port identifies the actual end-points of the network communication. Ports allow for multiple connections to different applications via the same two hosts at any given moment. A socket is an IP address combined with a port number.

Since the first 1023 ports are defined as privileged, ports higher than 1023 must be used for return communication of common protocols. In other words, when you request a web page at port 80, it is returned to you at a port higher than 1023.

Figure 4-7: An example showing ports in exchange of a web page.

Keeping this in mind, let’s look at some rules that can be created with the packet filter. Assume it is the goal to only allow access to web pages on the Internet and the DMZ; the Internet can access web pages on the web server, and all other services are not to be allowed access to the Internet. The following figure depicts rules for a firewall.


Figure 4-8: Building rules for the firewall.

In this case, the first rule allows the Internet to access port 80 of the web server, which can respond on any port higher than 1023 (the second rule). The third rule allows outbound requests to external web servers on port 80, and the fourth allows those requests to be returned. The final rule disallows all other traffic.

Is this a good set of rules? No! While it may initially look like it does the requested job, it has in fact left most of the network side open. The firewall will accept connections from the whole world on ports higher than 1023. This was not the intention. A simple Trojan horse program could take the network down, as if there were no firewall in place.

To increase the security of the network, then, another level is required. This next level is used to define the source and destination ports. For example, rule number 2 should add port information for both the source and destination. It could then state: outbound traffic is fine to go to ports higher than 1023, if the data originated from port 80. Likewise, rule 4 could state that data may be accepted on ports higher than 1023 if it came from port 80. You’ll see an example of what rule 4 should not look like in the following figure.

Figure 4-9: The highlighting of rule 4, adding source and destination ports. Note this example leaves the high ports open, which is not considered good security.

These additions increase the security of the rule set substantially. There should never be an open rule like rule number 4 shown here.

The Ack Bits

Another option to add to the rule set that can increase security involves the ack bit. This bit is set only in response to a request. When a packet is sent to establish the connection, this bit is a zero; when the reply is returned, the bit is set to a one. Your firewall can examine this bit to ensure that the packet is indeed a reply to communication that originated inside the network.

Adding the ack bit on top of the source and destination ports in the previous example increases security. An example of what this rule may now look like is shown in the following figure.


Figure 4-10: Rule 4, with the additional ACK bit.

Now if we look at this same rule with our added functions of source and destination port, and the inclusion of the ack bit, we can see that the firewall rule has become more secure. In order for a packet to meet this rule, it must have originated from port 80, have the ack bit set, and a destination port higher than 1023. We can feel comfortable with this rule now that it has been tightened.
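To make the difference between the loose and the tightened rule sets concrete, here is an added example (my own code, not the course's and not any vendor's product) that models a stateless packet filter in Python and runs two constructed packets through rules 1 to 5 as the text describes Figures 4-8 to 4-10. The addresses (192.0.2.10 for the web server, 192.168.1.0/24 for the internal clients, 203.0.113.x for Internet hosts), the field names, and the first-match, default-deny evaluation are assumptions made for the illustration:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not from the course): a toy stateless packet filter that
# evaluates packets against an ordered rule set. Addresses come from the
# documentation ranges and were chosen for this illustration only.

ANY = None                       # wildcard for any interface, address, port or flag
HIGH_PORTS = range(1024, 65536)  # the "ports higher than 1023" used for replies
WEB_SERVER = "192.0.2.10"        # constructed: the DMZ web server
INTERNAL = "192.168.1.0/24"      # constructed: the internal client subnet


@dataclass(frozen=True)
class Packet:
    iface: str          # "ext" = the Internet-facing interface
    direction: str      # "in" = entering the interface, "out" = leaving it
    proto: str          # "tcp", "udp", "icmp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # TCP ACK bit: zero on a connection request, one on replies


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    iface: Optional[str] = ANY
    direction: Optional[str] = ANY
    proto: Optional[str] = ANY
    src: Optional[str] = ANY       # host address or CIDR prefix
    dst: Optional[str] = ANY
    sport: Optional[range] = ANY   # range the source port must fall in
    dport: Optional[range] = ANY
    ack: Optional[bool] = ANY


def _addr_match(pattern: Optional[str], addr: str) -> bool:
    if pattern is ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field the rule specifies agrees with the packet."""
    return (
        (rule.iface is ANY or rule.iface == pkt.iface)
        and (rule.direction is ANY or rule.direction == pkt.direction)
        and (rule.proto is ANY or rule.proto == pkt.proto)
        and _addr_match(rule.src, pkt.src)
        and _addr_match(rule.dst, pkt.dst)
        and (rule.sport is ANY or pkt.sport in rule.sport)
        and (rule.dport is ANY or pkt.dport in rule.dport)
        and (rule.ack is ANY or rule.ack == pkt.ack)
    )


def evaluate(rules, pkt: Packet):
    """First matching rule decides; a packet no rule matches is denied (rule 0)."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule.action, number
    return "deny", 0


# Rules 1-5 as the text describes Figure 4-8: rules 2 and 4 key only on the
# high destination port, so any Internet host can reach an internal high port.
LOOSE_RULES = [
    Rule("allow", "ext", "in",  "tcp", dst=WEB_SERVER, dport=range(80, 81)),
    Rule("allow", "ext", "out", "tcp", src=WEB_SERVER, dport=HIGH_PORTS),
    Rule("allow", "ext", "out", "tcp", src=INTERNAL, dport=range(80, 81)),
    Rule("allow", "ext", "in",  "tcp", dst=INTERNAL, dport=HIGH_PORTS),
    Rule("deny"),
]

# The same rules after the tightening of Figures 4-9 and 4-10: replies must
# come from port 80, and rule 4 additionally requires the ACK bit.
TIGHT_RULES = [
    Rule("allow", "ext", "in",  "tcp", dst=WEB_SERVER, dport=range(80, 81)),
    Rule("allow", "ext", "out", "tcp", src=WEB_SERVER, sport=range(80, 81), dport=HIGH_PORTS),
    Rule("allow", "ext", "out", "tcp", src=INTERNAL, dport=range(80, 81)),
    Rule("allow", "ext", "in",  "tcp", dst=INTERNAL, sport=range(80, 81), dport=HIGH_PORTS, ack=True),
    Rule("deny"),
]

# Constructed packets: a genuine reply to an internal browser, and an
# unsolicited connection attempt from the Internet to an internal high port.
WEB_REPLY = Packet("ext", "in", "tcp", "203.0.113.5", "192.168.1.20", 80, 40000, ack=True)
UNSOLICITED = Packet("ext", "in", "tcp", "203.0.113.66", "192.168.1.20", 4444, 5000)


def compare_rule_sets():
    """Returns the (action, rule number) each rule set gives the two sample packets."""
    return {
        "loose_reply": evaluate(LOOSE_RULES, WEB_REPLY),
        "tight_reply": evaluate(TIGHT_RULES, WEB_REPLY),
        "loose_unsolicited": evaluate(LOOSE_RULES, UNSOLICITED),
        "tight_unsolicited": evaluate(TIGHT_RULES, UNSOLICITED),
    }


if __name__ == "__main__":
    for name, verdict in compare_rule_sets().items():
        print(f"{name:18} -> {verdict}")
```

Run it and the unsolicited packet is allowed by rule 4 of the loose set but denied by the final rule of the tightened set, while the genuine reply passes both. Note what the tightened rule still cannot tell: any Internet host that sends from port 80 with the ACK bit set to an internal high port matches it, because a stateless rule has no memory of whether an internal client ever asked. That residual gap is the one stateful inspection closes.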

Stateless and Stateful Packet Inspection

Now that you have an idea of where and how packet filters can be placed in the defense of a network, we will discuss the types of packet filters.

Packet filters fall into one of two major categories:

• Stateless packet filters, sometimes called standard packet filters.

• Stateful packet filters.

Stateless Packet Filters

As we have discussed, packet filters are generally implemented on border routers, using a given set of rules. The theory behind a packet filter is that it may make a decision about a packet based on any portion of the protocol header; however, the vast majority of filters are based on the most significant information in the header. Those areas being:

• IP address filtering.

• TCP or UDP port numbers.

• Protocol type.

• Fragmentation.

IP Address Filtering

IP address filtering is perhaps the oldest form of packet filtering. If you want to block access to a specific host, create a rule that says that IP address is off-limits. If you want to grant access to an entire subnet, create a rule that says that subnet has access. The IP address filters allow for permitting or denial of addresses, using only the IP address to make the decision.

If the filter were to try to define all the hosts that are to be denied, the rule set would get very long, and a rule like that for individual hosts in a large organization is unreasonable. Since the rule set can get very long, the odds of making a mistake are increased, and therefore, it is not a good way to implement strong security in a large organization.

Using the filter to specifically grant access by an IP address, on the other hand, can be much more effective. The areas that hosts will be allowed to access will be, by the very nature of security, a lesser number than the areas in which hosts are not allowed access.


Using primarily allowed addresses over denied addresses makes the implementation of the rules easier. And, it makes the task of the attacker a bit harder. The attacker would have to learn the list of approved addresses to attempt an attack. When the attacker does finally learn the addresses, he or she can spoof the source IP address and get a packet past the filter.

If the attacker was trying to execute a denial of service attack (DoS), this will get them past the packet filter with no problems. If the attacker was performing a different type of attack, where the return packet was not needed, this type of filter is easily bypassed with spoofed source packets.

TCP and/or UDP Port Numbers

Dealing with the Internet, using TCP and/or UDP port numbers in the packet filter will increase its effectiveness. Filtering at this level, in addition to the IP address, is commonly used in most networks today. If the host is running only the WWW service, there is no need to have any port open other than 80 (or 443, if SSL has been added).

As with IP addresses, it is much easier to open the ports that are needed, versus closing the ports that are to be denied. With over 65,000 ports to open or close, no doubt most people would agree.

Protocol Filtering

In the event that using the port numbers of UDP and TCP is still not enough, you can resort to protocol filtering. Packet filtering of this type investigates the contents of the header to determine the upper layer protocol used. If there is a match, accept or discard. The protocols you may choose to block or accept are few:

• TCP

• UDP

• ICMP

• IGMP

Although this type of filtering can be used, it is very limiting—use caution when employing this strategy. If you have a server running a service that uses UDP, and that is the only authorized service on the server, then allow only UDP. But, be aware that such a move removes the option of troubleshooting utilities such as ping, due to the lack of ICMP.

Fragmentation

When networks and routing were first developed, many of the links used had very small bandwidth capabilities. Due to this, large files transmitted across the Internet had to be broken into several pieces. This is known as fragmentation.

When packet filters inspect the header, if the packet is a fragment, they will see the port number, protocol type, IP address, and an indicator that this is fragment 0. Herein lies the problem: fragments 1 through x do not contain this same information, so the packet filter has nothing to use in making a decision.

The packet filters would drop fragment 0, and allow the remaining packets through. The logic was that without the fragment 0, the packet could not be used. This was not always the case.


Smart and very TCP/IP savvy attackers would create entire attacks that begin with fragment 1. The attackers were aware that many versions of TCP/IP would go ahead and reassemble fragments even if fragment 0 was missing. These attacks would pass through the packet filter as if it were not even there.

Stateful Packet Filters

It should be obvious by now that, despite their best efforts, stateless packet filters simply are not good enough for the security needs of today’s networks. The logic a stateless packet filter employs is not complete.

Stateful packet filters still employ the same techniques as stateless packet filters, but they do not base their decisions on single packets. A decision cannot be made on a single packet-by-packet basis alone, if the network is expected to be safe. That single packet does not describe the overall communication that is occurring between the two hosts.

The way that stateful packet filters have increased security is by remembering the state of connections at the network and the session layers as they pass through the filter. This session information is stored and analyzed on all packets moving through the filter.

For example, if a client on the internal network initiates a connection to an unknown host on the Internet, it sends the SYN along with the IP address and port number for the destination host. As this packet passes through the filter, an entry is made into the state table logging the connection information. When the filter receives the return packet, it can look at its table and see that the address, port number, and SYN/ACK setting match what is expected.

In the event that a packet is received and there is no entry in the table for this packet, then the packet is dropped. The following figure shows an example of the steps of the stateful packet inspection.

Figure 4-11: The Stateful Packet Filter function.


The stateful packet filter will remove entries in the state table if there is no response, usually within a few minutes. This is to ensure there are no holes left open for an attacker to exploit. The rules are programmed into the stateful packet filter, just as they are in a stateless packet filter, although they may be called policies instead of rules.
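The state-table behaviour just described, as an added example (constructed for this text, not the course's code and not any product's): a toy TCP state table that records an outbound SYN, admits only the matching SYN/ACK and later segments of that connection, drops anything for which no entry exists, and expires idle entries after a timeout. The 120-second timeout, the direction labels, the addresses and the two anti-spoofing checks on source address are assumptions; the page itself only says that entries are removed within a few minutes.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not the course's software): a toy TCP state table for a
# stateful packet filter, driven by constructed segments with integer
# timestamps standing in for wall-clock seconds.


@dataclass(frozen=True)
class Segment:
    direction: str   # "out" = leaving the internal network, "in" = arriving from the Internet
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    def __init__(self, internal_net: str, timeout: int = 120):
        self.internal = ipaddress.ip_network(internal_net)
        self.timeout = timeout   # seconds without traffic before an entry is removed
        # (internal ip, internal port, remote ip, remote port) -> [state, last_seen]
        self.table = {}

    def _expire(self, now: int) -> None:
        for key in [k for k, (_, last) in self.table.items() if now - last > self.timeout]:
            del self.table[key]

    def process(self, seg: Segment, now: int) -> str:
        self._expire(now)
        src_internal = ipaddress.ip_address(seg.src) in self.internal
        if seg.direction == "out":
            if not src_internal:
                return "drop"              # leaving the inside with a non-internal source address
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            if seg.syn and not seg.ack:
                self.table[key] = ["SYN_SENT", now]   # new connection from inside: remember it
                return "allow"
            entry = self.table.get(key)
            if entry is None:
                return "drop"              # outbound traffic for a connection never seen opening
            if entry[0] == "SYN_RECV" and seg.ack:
                entry[0] = "ESTABLISHED"   # third step of the handshake
            entry[1] = now
            return "allow"
        # inbound
        if src_internal:
            return "drop"                  # an internal address arriving from the Internet is spoofed
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        entry = self.table.get(key)
        if entry is None:
            return "drop"                  # no matching outbound connection: unsolicited
        if entry[0] == "SYN_SENT":
            if seg.syn and seg.ack:
                entry[0], entry[1] = "SYN_RECV", now   # the SYN/ACK the table expects
                return "allow"
            return "drop"                  # anything other than SYN/ACK at this point
        if seg.syn and not seg.ack:
            return "drop"                  # a fresh connection request never matches an open entry
        entry[1] = now
        return "allow"


CLIENT, SERVER, STRANGER = "192.168.1.20", "203.0.113.5", "203.0.113.66"  # constructed


def run_demo():
    """Walks one web connection through the filter; returns the verdict list."""
    f = StatefulFilter("192.168.1.0/24", timeout=120)
    steps = [
        (0,   Segment("out", CLIENT, 40000, SERVER, 80, syn=True)),            # client SYN
        (1,   Segment("in",  SERVER, 80, CLIENT, 40000, syn=True, ack=True)),  # server SYN/ACK
        (2,   Segment("out", CLIENT, 40000, SERVER, 80, ack=True)),            # client ACK
        (3,   Segment("in",  SERVER, 80, CLIENT, 40000, ack=True)),            # page data
        (4,   Segment("in",  STRANGER, 80, CLIENT, 40001, ack=True)),          # shaped like a reply, no entry
        (200, Segment("in",  SERVER, 80, CLIENT, 40000, ack=True)),            # entry idle since 3: expired
    ]
    return [f.process(seg, t) for t, seg in steps]


if __name__ == "__main__":
    print(run_demo())
```

The fifth segment is exactly the packet the tightened stateless rule 4 would have admitted (source port 80, ACK set, high destination port); here it is dropped because no internal host opened a connection to that address and port. The last segment shows the timeout: the entry was last refreshed at second 3 and is gone by second 200, so the filter no longer recognises the connection.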

How Attackers Get Around Packet Filters

Although packet filters are solid security devices, they need to be supplemented with other services the firewall can perform, such as proxy and NAT. Still, you may be wondering how attackers get around packet filters. Some of the exploits are due to poor design by the firewall administrator, yet others are limitations imposed by packet filtering itself.

Many packet filters will drop fragment 0 (called the 0th fragment), but allow the remaining fragments through. This can be a serious security hole, so be sure to check how your firewall handles fragmentation. The attacker can simply place a whole valid packet in one that has been marked as fragment 1, effectively bypassing the security of the packet filter completely.

One of the most critical errors is not in the technology, but in the implementation of the filter. If you had only a web server and email server on your network, and you configured the packet filter to only allow ports 80, 443, and 25 in, all other inbound ports were closed, and all outbound ports open, you have a very insecure network. The outgoing ports are as critical to configure as the inbound ports. Make sure you do not fall into this trap of blocking only inbound ports. It may look secure, but it is not.

These are two examples of how packet filtering can be bypassed, and examples of why additional security services are needed.
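As an added example (not the course's code) of how a filter can close the fragment hole described above, the following Python model judges the first fragment of each datagram by its destination port, remembers that verdict under the datagram's (source, destination, identification, protocol) key, and applies the same verdict to the remaining fragments; a later fragment whose first fragment was never seen is dropped rather than passed. legacy_verdict reproduces the older behaviour the text describes, for comparison. The port rule, the 60-second reassembly timeout and the addresses are assumptions made for the illustration; the offset-1 check follows RFC 1858's recommendation for TCP.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not the course's own code): fragment handling for a packet
# filter. The first fragment is judged by the port rule and its verdict is
# remembered, so later fragments of the same datagram inherit it instead of
# being waved through unexamined.


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int                    # IP identification field shared by all fragments of one datagram
    proto: str
    offset: int                   # fragment offset in 8-byte units; 0 marks the first fragment
    more: bool                    # MF flag: further fragments follow
    sport: Optional[int] = None   # transport ports exist only in the first fragment
    dport: Optional[int] = None


def legacy_verdict(frag: Fragment, allowed_dports) -> str:
    """The behaviour the text describes: only fragment 0 is checked; the rest pass."""
    if frag.offset == 0:
        return "allow" if frag.dport in allowed_dports else "drop"
    return "allow"


class FragmentAwareFilter:
    def __init__(self, allowed_dports, timeout: int = 60):
        self.allowed = set(allowed_dports)
        self.timeout = timeout   # seconds to keep a datagram's verdict while fragments trickle in
        self.pending = {}        # (src, dst, ident, proto) -> [verdict, last_seen]

    def _expire(self, now: int) -> None:
        for key in [k for k, (_, last) in self.pending.items() if now - last > self.timeout]:
            del self.pending[key]

    def process(self, frag: Fragment, now: int) -> str:
        self._expire(now)
        key = (frag.src, frag.dst, frag.ident, frag.proto)
        if frag.offset == 0:
            verdict = "allow" if frag.dport in self.allowed else "drop"
            if frag.more:
                self.pending[key] = [verdict, now]   # remember it for the rest of the datagram
            return verdict
        if frag.proto == "tcp" and frag.offset == 1:
            return "drop"   # RFC 1858 tiny-fragment rule: offset 1 would overlay the TCP header
        entry = self.pending.get(key)
        if entry is None:
            return "drop"   # no first fragment on record for this datagram: orphan fragment
        verdict = entry[0]
        entry[1] = now
        if not frag.more:
            del self.pending[key]   # last fragment seen, datagram complete
        return verdict


WEB_SERVER, BROWSER, STRANGER = "192.0.2.10", "203.0.113.5", "203.0.113.66"  # constructed


def run_demo():
    """Returns the verdicts for three constructed datagrams."""
    f = FragmentAwareFilter(allowed_dports={80, 443})
    web = [  # a three-fragment request to the web server
        Fragment(BROWSER, WEB_SERVER, 7, "tcp", 0, True, 40000, 80),
        Fragment(BROWSER, WEB_SERVER, 7, "tcp", 185, True),
        Fragment(BROWSER, WEB_SERVER, 7, "tcp", 370, False),
    ]
    telnet = [  # a two-fragment request to port 23, which the policy forbids
        Fragment(BROWSER, WEB_SERVER, 8, "tcp", 0, True, 40001, 23),
        Fragment(BROWSER, WEB_SERVER, 8, "tcp", 185, False),
    ]
    orphan = Fragment(STRANGER, WEB_SERVER, 9, "tcp", 5, False)  # no first fragment ever seen
    return {
        "web": [f.process(x, t) for t, x in enumerate(web)],
        "telnet": [f.process(x, t) for t, x in enumerate(telnet, 10)],
        "orphan": f.process(orphan, 20),
        "orphan_legacy": legacy_verdict(orphan, {80, 443}),
    }


if __name__ == "__main__":
    print(run_demo())
```

The comparison at the end is the point: the legacy logic passes the orphan fragment because it carries no port to check, while the fragment-aware filter drops it because nothing it has accepted accounts for it. This is the check to look for when the text says to verify how your firewall handles fragmentation.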

TASK 4C-1

Firewall Rule Creation

1. Read through the following scenario of a corporate network.

Your network is a mixed environment of Windows NT, Windows 2000, UNIX, and Linux. Your users in the network need to access FTP sites for upload and download, websites, and email servers on the Internet. Your network provides a web server and email server that need to be accessed by the Internet.

2. Based on this scenario, create a sample rule set, or portion thereof, needed for this packet filter.

Topic 4D

Proxy Server

As you have seen, packet filters are a great start to securing the network with a firewall. But, they also require help to create a more secure environment. One of the ways to increase security is to add the services of a proxy server.

Proxy servers were initially used to cache commonly visited web pages, speeding up the network and Internet use. They have evolved to not only cache web pages, but have become part of the security system of a network.

The packet filter, as discussed, works by inspecting the header information and basing the decision on defined rules or policies. The proxy works at the application layer, and is able to provide services to the network. The proxy acts as a sort of gateway (which is why it is also called an application gateway), for all packets to flow through.

When a proxy is configured and running on the network, there is no direct communication between the client and the server. The packet filter allows for this direct communication, while the proxy prevents it.

A significant distinction then between a packet filter and a proxy server is that the proxy understands the application or service that is used, and the packet filter does not. The proxy server can then permit or deny access, based on what actual function the user is trying to perform.


Proxy Process

In this example, the client has requested a web page, and identified the server that has the web page. The request for the web page is passed to the proxy server. At this point, the proxy server does not act as a router and forward the packet. What it does is consult its set of rules regarding this service (WWW in this case), and decide if the request is to be granted or not.

Once the proxy has made the decision to allow the request, a new packet is created with a source IP address of the proxy server. This new packet is the request for the web page from the destination server. The web server receives the request, and returns the web page to the requesting host. Since the proxy is running, the requesting host is the proxy server.

When the proxy receives the web page, it checks its rules to see if this page is to be allowed. Once the decision is made to proceed, the proxy makes a new packet with the web page as the payload, and sends this to the original client.

The following figure is an illustration of the basic function that a proxy server plays in the network. Notice the client packet never directly reaches the server, and vice versa.

Figure 4-12: A WWW proxy running in a network.

This type of service can increase the security of the network considerably, as no packets can pass directly from the client to the server. The proxy service will need to be configured for each type of service that is allowed. For example, a separate proxy will be needed for SMTP, WWW, FTP, and Telnet, if all these services are to be used.

The proxy server needs to be configured to work in both directions, just as a packet filter. This is the only way to be sure no packets are passed by the proxy server.


Proxy Benefits

There are several benefits to the network, from a security point of view, that a proxy can provide. The list of advantages can be large; provided are the major benefits:

• Client invisibility.

• Content filtering.

• Single point of logging.

Client Invisibility

The basic proxy process highlights this feature. The ability to have the client’s inside IP address never appear to the Internet is a great benefit. Attackers not knowing the internal structure of the network have a harder time gaining access and attacking internal clients.

Content Filtering

In the modern era, businesses have to be very sensitive to the needs of employees. This includes exposure to any offensive material, as much as can be prevented.

Content filters can be programmed for many types of inspection. They may be programmed to look for certain keywords or phrases. Many employers use filtering to block the websites of major headhunters and resume posting sites.

These filters can also be used to prevent Active-X controls from being downloaded, Java Applets being run, or executables being attached to email.

Single Point of Logging

One of the more significant benefits of proxy servers may be the ability to have a single point of reference for logging data. Since all traffic is flowing through a single point, it is relatively easy to re-create an entire session of web browsing for a user to identify problems.
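To tie the proxy process described under "Proxy Process" together with client invisibility, content filtering and the single point of logging, here is an added example (my own in-memory model, not the course's code and not any proxy product). The "origin servers" are a dictionary standing in for the Internet, so nothing touches the network; the proxy address 192.0.2.1, the hostnames, the client address and the block lists are all constructed for the illustration:

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Added example (not the course's software): an in-memory model of the WWW
# proxy process. The origin servers below are constructed sample content.

PROXY_IP = "192.0.2.1"   # constructed: the proxy's outside address

ORIGIN_PAGES = {         # constructed sample content keyed by (host, path)
    ("www.example.com", "/"): "<html>Product catalogue</html>",
    ("www.example.com", "/setup.exe"): "MZ... (executable)",
    ("jobs.example.net", "/"): "<html>Post your resume here</html>",
    ("news.example.org", "/"): "<html>Free lottery tickets inside</html>",
}

ORIGIN_SEEN_SOURCES: List[str] = []   # source addresses the origin servers observed


def fake_origin(source_ip: str, host: str, path: str) -> Tuple[int, str]:
    """Stands in for a remote web server; records who it believes is asking."""
    ORIGIN_SEEN_SOURCES.append(source_ip)
    body = ORIGIN_PAGES.get((host, path))
    return (200, body) if body is not None else (404, "not found")


@dataclass(frozen=True)
class Request:
    client_ip: str
    host: str
    path: str


@dataclass(frozen=True)
class Response:
    status: int
    body: str
    served_by: str   # the address the client sees as the other end of the exchange


@dataclass
class WebProxy:
    blocked_hosts: set
    blocked_words: set                  # matched case-insensitively in page bodies
    blocked_extensions: tuple
    fetch: Callable[[str, str, str], Tuple[int, str]] = fake_origin
    log: list = field(default_factory=list)   # the single point of logging

    def _log(self, req: Request, outcome: str) -> None:
        self.log.append((req.client_ip, req.host, req.path, outcome))

    def handle(self, req: Request) -> Response:
        # 1. Consult the rules for this service before anything leaves the network.
        if req.host in self.blocked_hosts:
            self._log(req, "denied: blocked site")
            return Response(403, "site blocked by policy", PROXY_IP)
        if req.path.lower().endswith(self.blocked_extensions):
            self._log(req, "denied: executable download")
            return Response(403, "download blocked by policy", PROXY_IP)
        # 2. Build a new request whose source is the proxy, not the client.
        status, body = self.fetch(PROXY_IP, req.host, req.path)
        # 3. Check the returned content before it is relayed inward.
        lowered = body.lower()
        hit = next((w for w in self.blocked_words if w in lowered), None)
        if hit is not None:
            self._log(req, f"denied: content filter ({hit})")
            return Response(403, "content blocked by policy", PROXY_IP)
        # 4. Hand the client a new packet carrying the page as payload.
        self._log(req, f"allowed: {status}")
        return Response(status, body, PROXY_IP)


def run_demo():
    """Passes four constructed client requests through the proxy."""
    proxy = WebProxy(
        blocked_hosts={"jobs.example.net"},
        blocked_words={"lottery"},
        blocked_extensions=(".exe", ".scr"),
    )
    client = "192.168.1.20"   # constructed internal client
    responses = [
        proxy.handle(Request(client, "www.example.com", "/")),
        proxy.handle(Request(client, "jobs.example.net", "/")),
        proxy.handle(Request(client, "www.example.com", "/setup.exe")),
        proxy.handle(Request(client, "news.example.org", "/")),
    ]
    return [r.status for r in responses], proxy.log


if __name__ == "__main__":
    statuses, log = run_demo()
    print(statuses)
    for entry in log:
        print(entry)
    print("addresses seen by origin servers:", sorted(set(ORIGIN_SEEN_SOURCES)))
```

Three things to notice when it runs: the origin servers only ever record the proxy's address, never the client's; every decision, allowed or denied, lands in one log keyed by client, host and path; and a page is examined on the way back in (the keyword hit) as well as on the way out (the blocked host and the executable), which is the both-directions configuration the text calls for.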

Proxy Problems

Even though it seems as if there are only benefits to adding proxies, and in most cases this may be true, you need to be aware of potential problems of using proxies. As with all technologies, there are possible issues that may arise, such as:

• Single point of failure.

• A proxy for each service.

• Default configurations.

Single Point of Failure

Perhaps one of the most serious issues with a proxy server is the creation of a single point of failure. If the entire network is running through the same proxy, that machine becomes quite critical, and must be configured properly.

A common mistake is to forget that the proxy itself is unprotected. Although it is protecting the internal network, if there is an interface directly connected to the Internet, it is wide-open to attack, both to Denial of Service and intrusion attempts.


Be sure that the proxy is used in addition to other security mechanisms (such as a packet filter), to reduce the likelihood of a direct intrusion attack on the proxy. If the entire network is dependent on this machine, you need to take good care of it!

A Proxy for Each Service

More of a configuration issue, but still worth noting, is that the proxy must be configured for each service. If the network is allowing many different types of services in both directions, this can create considerable work. When services are added, it is important that the proxy server remain securely configured.

Default Configurations

The majority of proxy server software is designed for functionality over security. The applications are created to get users up and running quickly, and give them access to the resources they need.

This is the opposite of security. Therefore, when implementing a proxy, it is recommended to not use the default configurations. Take the time to implement the rules and restrictions, as they are needed.

TASK 4D-1

Diagram the Proxy Process

1. Diagram the process of an internal client in the network requesting an email message from the remote server running SMTP.


Topic 4E

The Bastion Host

In order to create a firewall or proxy, there must be a platform for the software to use. In some instances, there is a dedicated piece of hardware that will run the firewall software. In this topic, you will learn about the process of setting up a server to run the software. This server is called the bastion host.

Bastion host is a term used for a computer that has been hardened in a manner much more securely than any other computers in the network. This server is using every security option that comes with the operating system to the maximum that it can be used. All auditing has been configured, all authentication has been configured, and encryption (where relevant) has been configured.

Further configuration would be the removal of all services and applications not deemed absolutely necessary for the server to function. All user accounts are removed, except for those required for server management. Every service, application, and user account that is removed is one less target for a potential attacker.

Once the computer has been configured, then the software may be installed and configured on top of the base operating system. This computer should not be considered the single line of defense, but rather, one link in a chain. The security of the network cannot rely on a single component, so the bastion host is one of several in a well designed network, as shown in the following figure.

The first line of defense is the router, connecting the network to the Internet, which should be configured with appropriate packet filtering. Following the packet filtering router is where the bastion host running proxy services is located. If the network is small, one bastion host running the proxy services for the entire network may be fine. In a large network, there are likely to be many bastion hosts, each running different proxy services.

Figure 4-13: The most likely location of a bastion host.


The basic steps that must be followed in setting up a host as a Bastion are:

• Remove unused applications.

• Remove unused services.

• Remove unused user accounts.

• Enable auditing.

Other standard techniques for creating a Bastion host to run as a firewall are:

• Install the operating system from scratch, formatting the disk first.

• Do not use a dual-boot computer.

• Remove unused hardware, such as modems or sound cards.

• Use very strong authentication methods, such as tokens or biometrics.

• Implement a utility to check files for tampering, such as TripWire.

An Attack on the Bastion Host

Since this computer is the machine that is providing many services to your network, it is likely to be the target for many different attacks.

However, since you have set up the computer properly ahead of time, you have the ability to deal with these attacks. Since you have enabled logging and auditing, the intrusion should be detected quickly with a scan of the logs and generated reports.

Inevitably, there may be an attack you do not catch right away. It is this part of security that drives administrators mad. Once you catch the intrusion, you must investigate further to determine the cause. This is where your file tampering software comes into play. You must identify if there has been a Trojan placed on the host, or if any system files have been accessed. Once the bastion host has had an intrusion, it is critical that the remaining computers in the DMZ or network be examined quickly for possible intrusions. A compromised bastion host often leads to a compromised network.

An important point that must be made is in relation to the knee-jerk reaction that many administrators have in these situations, which is to attempt the restoration of the system from backup once it has been compromised. Unless you can identify the date that the intrusion happened, how can you be sure your backup is not also infected?

The best solution is to begin from scratch and re-create the bastion host, starting with formatting the disk. It will take time, but it is the best way to restore this host to the network.
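The file-tampering check the text relies on when investigating a bastion host, as an added example (a minimal stand-in written for this text; it is not Tripwire and not the course's tool): it records a SHA-256 baseline of a file tree while the host is known-good and later reports what was added, removed or modified. The directory layout, file names and the "tampering" are constructed in a temporary directory so that the example runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example (not the course's tool and not Tripwire itself): a minimal
# file-integrity baseline and comparison of the kind the text recommends
# for a bastion host.


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Maps each regular file under root (relative path) to its size and digest."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        baseline[rel] = {"size": path.stat().st_size, "sha256": file_digest(path)}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Reports files that appeared, disappeared, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline.keys() & current.keys()
                           if baseline[f] != current[f]),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    # In practice the baseline lives off the host or on read-only media, so an
    # intruder cannot simply rewrite it to match the altered files.
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def run_demo() -> dict:
    """Builds a tiny constructed file tree, baselines it, alters it, and reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        for rel, text in {
            "etc/proxy.conf": "allow www\nallow smtp\n",
            "etc/motd": "authorised use only\n",
            "bin/proxyd": "original binary\n",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), store)

        # Constructed changes standing in for what an intrusion might leave behind.
        (root / "etc/proxy.conf").write_text("allow www\nallow smtp\nallow telnet\n")
        (root / "etc/motd").unlink()
        (root / "bin/unknown-tool").write_text("not in baseline\n")

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The report answers the question the text poses during an investigation (has a system file been touched, has something new appeared) only as far back as the baseline is trustworthy, which is why the baseline is taken immediately after the host is built and kept where the host itself cannot alter it. It does not help decide whether a backup predates the intrusion, so it does not change the advice to rebuild from scratch.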


TASK 4E-1

Describing a Bastion Host

1. Describe the function of a bastion host in creating a secure network environment.

Bastion host is a term used for a computer that has one or more network interfaces exposed to the Internet. The OS (typically a server OS) on such a device is hardened in a much more secure manner than any other computers in the network. Further configuration would be the removal of all services and applications not deemed absolutely necessary for the server to function. Once the computer has been configured, then the software that dictates rule sets for internal or external traffic may be installed and configured on top of the hardened OS.

Topic 4F

The Honeypot

One area that is the subject of much discussion in security circles is the use and deployment of honeypots. For some security professionals, network security is not fully functional without one, while others feel it is an unneeded and potentially dangerous part of the network.

What is a Honeypot?

Just as honey attracts bears, a honeypot is a computer designed to attract attackers. If an attacker has managed to get past your packet filter into your DMZ and is scanning for options, the honeypot should be the one computer that sticks out. This is depicted in Figure 4-14.


Figure 4-14: Two examples of where the honeypot may be located.

Goals of the Honeypot

There are several goals for the honeypot. You would like the honeypot to provide enough of a lure that attackers stay away from your other equipment. You want the attacker to see a vulnerability that they know they can exploit and use to gain access to the computer. This vulnerability needs to be such that the attacker focuses their energy on exploiting this computer, as opposed to the email server (for example) sitting right next to it.

In addition to trying to keep attackers away from your more secure systems, one of the goals of a honeypot is for logging. Knowing that this system is one that will be attacked, you can take extra measures in logging. These logs should be moved off the system frequently, perhaps hourly or daily if your network is a high profile target.

Another goal of the honeypot is to increase the ability to detect and respond to incidents. The theory is that if you are aware of what the attacker is doing to your honeypot, you can be better prepared to defend or, if possible, prevent that attack from being carried out successfully against your production systems.

To take the concept of the honeypot further, there are instances of honeynets. A honeynet is an entire network designed to be an attractive alternative to the production network(s) it is deployed to screen from view. The premise is the same, only the scale is bigger.

Lesson 4: Designing Firewalls 183


Legal Issues

A discussion of honeypots would not be complete without a discussion of the legal issues surrounding this use of technology. Perhaps the single biggest issue involving a honeypot today is the issue of entrapment. Some people feel that the setup of a honeypot is entrapment, and therefore, the same rules apply as in the real world. Up to this point, that is not yet the case. Although, it should be noted that defense attorneys have tried using entrapment as a defense.

Another issue is that of privacy. If an attacker were to set up an IRC server on the honeypot, it is possible for the administrator to log all conversations on that server. For now, this issue is more of a moral and ethical dilemma than a legal one, since there is no defined law regarding this subject. However, it should be noted again that this could be a viable defense for an attorney to work with.

The current standard for this issue is Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, published by the Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, United States Department of Justice. The entire document can be found at www.usdoj.gov/criminal/cybercrime/searching.html#searchmanual

TASK 4F-1
Honeypot Configuration

1. What are the services most likely to be enabled in creating a honeypot, and why?

Most likely services would include the normal WWW, FTP, SMTP, POP3, and Telnet. It is important to offer the normal services, since the honeypot must appear to be a productive, live computer in the network, and should be configured the same as a production WWW server, perhaps with looser permissions and solid logging.

Summary

In this lesson, you identified the major components used in building firewall systems; you learned to detail the methods used to create a firewall policy in a network scenario. You now know how packet filters are used in firewall systems. You can also describe the process of creating a bastion host, as well as how to use proxy servers in firewall systems. You are also aware of the process involved in creating a honeypot and can differentiate between a honeypot and a honeynet.


Lesson Review

4A Name two methodologies for firewalls.

Packet filtering and proxy servers (application gateway).

What are three services a firewall can provide?

Network Address Translation (NAT), data caching, and restricting access to content.

How can a second connection to a client computer make an impact on firewall security?

A second connection will render much of the firewall useless to this client, and maybe even the network.

Name four different methods of implementing a firewall.

• A Single Packet Filtering Device.

• A Multi-homed Device.

• A Screened Host.

• A Demilitarized Zone.

4B What is the difference between a firewall policy and a security policy?

A firewall policy is generally a subset of the overall security policy.

List three items that should be in a security policy, but not part of a firewall policy.

Many portions of the following items may address issues broader than that addressed by the firewall policy:

• The Acceptable Use Statement.

• The Network Connection Statement.

• The Contracted Worker Statement.

List at least three items that would be specific to the firewall policy.

Answers may include: Users may access WWW on port 80 as required; users may not access NNTP on any port; users not in subnet 10.0.10.0 are not allowed to Telnet to any location; any policies dealing with firewall administration.

4C What is the primary difference between stateful and stateless packet filters?

Stateless packet filters make a decision about a packet based on any portion of the protocol header; however, the vast majority of filters are based on the most significant information in the header.

Stateful packet filters encompass the techniques used by stateless packet filters; however, they do not base their decisions on individual packets. Stateful packet filters increase security by remembering the state of connections at the network and the session layers as they pass through the filter. This session information is stored and analyzed on all packets moving through the filter.


In addition to IP addresses, what else can a packet filter use to make a decision on a packet?

Fragmentation, IP Protocol ID, Protocol Type, and TCP or UDP Port Numbers.

How can an attacker use fragmentation to get through a packet filter?

By encapsulating the entire payload in one or more fragments following the first fragment.

4D What are the benefits of implementing a proxy server?

While packet filters allow for direct communication between a client and a server, proxy servers prevent it. The proxy works at the application layer (application gateway). Proxies can inspect packet content and make decisions based on this inspection.

Describe three potential problem issues for proxy servers.

• Single point of failure: If the entire network is running through the same proxy, that machine becomes quite critical, and must be configured properly. The proxy itself is unprotected if there is an interface directly connected to the Internet. You have to add at least a packet filter in front of the proxy.

• A proxy for each service: The proxy must be configured for each service. If the network allows many different types of services in both directions, this can create considerable work.

• Default configuration: Using the default (out-of-the-box) configuration is generally not secure.

4E What are the steps that must be followed to create a bastion host?

1. Remove unused applications.

2. Remove unused services.

3. Remove unused user accounts.

4. Enable auditing.

What are some additional steps that are recommended in securing the bastion host?

Install the operating system from scratch, formatting the disk first. Do not use a dual-boot computer. Remove unused hardware, such as modems or sound cards. Use very strong authentication methods, such as tokens or biometrics. Implement a utility to check files for tampering, such as TripWire.

How should a compromised bastion host be recovered?

A compromised bastion host often leads to a compromised network. Once the bastion host has had an intrusion, it is critical that the remaining computers in the DMZ or network be examined quickly for possible intrusions. Identify the date of the intrusion before you restore the bastion host from backup. The best solution is to begin from scratch and re-create the bastion host, starting with formatting the disk.

4F Where should a honeypot be located in the network?

In the screened subnet or DMZ.


What are two of the goals of a honeypot?

Answers may include: Lure the attacker; log visits; and respond to incidents.

What are some potential legal issues of honeypots?

Entrapment and privacy issues.


LESSON 5
Configuring Firewalls

Overview

In this lesson, you will first review firewalls from a conceptual viewpoint to learn about the types of firewalls, how each of these types work, and what protection they can provide for your network. After you have the foundational concepts under your belt, you will go through a series of exercises to actually implement two different firewall solutions: Microsoft’s Internet Security and Acceleration server, which runs on top of the Windows platform; and IPTables, which runs on top of the Linux platform. This will provide you with the practical working knowledge to implement a firewall in your network environment.

Objectives

To configure network firewalls in the defense of a network, you will:

5A Describe standard firewall functionality and common implementation practices.

Firewalls come in a wide variety of flavors today. In addition to the many vendor offerings, there are also many versions of build-your-own firewalls. Regardless of the firewall implementation you are working with, there are commonalities between them, both functionally and in implementation methodologies. Exploring these commonalities will provide you with a solid foundation for developing mastery of firewall implementation.

5B Install, configure, and monitor Microsoft ISA Server 2006.

In this topic, you will install Microsoft ISA Server 2006 and work with the built-in configuration tools. In addition, you will explore options for managing, monitoring, and auditing ISA Server 2006.

5C Examine the concepts of Linux IPTables.

In this topic, you will examine how IPTables creates a “chain” of rules that can control the egress and ingress of specific network traffic. IPTables is a popular build-your-own type of firewall that you will find implemented in many networks.

5D Apply firewall concepts and knowledge to a scenario.

In this topic, you will be given a specific network situation, and you will then design firewall topology and rule sets to create the required firewall security posture.

Data Files: ISAScwHlpPack.exe

Lesson Time: 5 hours


Lesson 5: Configuring Firewalls 189


Topic 5A
Understanding Firewalls

Technology-based firewalls first appeared on the networking scene in the early 1990s. As the Internet and networks in general have developed and progressed, so have the potential digital dangers. Firewalls have progressed right alongside, developing from simple gatekeepers to comprehensive security tools that can work in conjunction with intrusion detection systems and malware scanners.

Security has become increasingly problematic for systems connected to the Internet. Network intrusions and attacks have now become so common that the risk is understood as an unavoidable part of conducting business in the digital age. In a modern network, firewall technology is a mainline component for any organization that has defined a network security architecture. Even home users connected to the Internet through commercial ISP connections regularly install software and hardware firewalls to provide a measure of protection for their personal systems.

Fear not—in this module we are going to lift the veil of mystery and discover what a firewall does and how firewalls actually work. Firewalls generally comprise the first line of defense for a network and, therefore, a solid working understanding of firewalls is essential in today’s modern networked world. You will also examine how to implement and configure two popular platform specific firewalls: Microsoft Internet Acceleration Server 2006 and the built-in Linux firewall, IPTables. Let’s examine some firewall basics now.

Firewall Basics

A basic understanding of what firewalls are and how they work will give us a common framework of reference. We can then build our practical skills on top of this framework when we investigate how to implement and configure our two firewalls. This will be most effective if we can derive the answers to the following questions:

• What is a network firewall?

• What are common firewall related terms?

• What are the basic functions of a firewall?

• What do addresses, ports, protocols, and services have to do with a firewall?

• What are the common types of firewalls?

• How are firewall “rules” built?

• What are the common firewall network topologies?

• Why would I want a firewall?

• What can a firewall not protect me from?

What is a Network Firewall?

A firewall can be described as a security mechanism that places limitation controls on all inbound and outbound network communications between individual systems or entire networks of systems by permitting, denying, or acting as a proxy for all data connections.


Figure 5-1: Firewalls control network communication.

A firewall is generally comprised of a software program (code) that works in conjunction with a hardware device that is responsible for physically transmitting network data. Firewalls can exist as a software program installed on top of an operating system or as a specialized hardware device running proprietary code. Depending on the size and complexity of the environment being protected, firewalls can be configured as a single system or have multiple systems working in concert.

Many firewalls are capable of handling multiple types of transport protocols (TCP/IP, IPX/SPX, etc.). However, for the purposes of our discussion here, we will operate under the assumption that you are going to be using the current industry standard, TCP/IP, as your network transport protocol of choice.

Firewall Terms

We know that networks are made up of multiple connected systems, all with varying degrees or levels of trust between them. Your daily interactions with the “network” of humans around you are a good illustration of the principle of networked trust. For example, you might trust your best friend with the keys to your car, but certainly not the person who you just met at the car wash.

In a networked environment, these areas of interaction can be referred to as “zones of trust.” Some common examples of these zones would be the Internet, which is a zone with little or no trust; and your internal network, which would be a zone with a high level of trust.

Figure 5-2: Firewalls separate zones of trust.


The networking world has spawned a variety of terms such as Internet, Extranet, intranet, and DMZ. We can use these terms to define the zones of trust that commonly occur in any given network environment.

• Internet: This zone of trust corresponds to the worldwide public network of systems. Since this zone is accessible by anyone, it is our least trusted zone. In firewall terminology, this is often referred to as an unprotected or external network.

• Intranet: An intranet is a private network that is used to securely share an organization’s information or operations within the organization. In firewall terminology, this is often referred to as a protected or internal network.

• Extranet: This zone of trust is a semi-private network that an organization creates to share parts of their private network with business partners such as customers, suppliers, or other collaborative partners. Basically, this is an extension of the private zone of trust to include specific types of access to approved outside entities.

• DMZ: The “Demilitarized Zone” of trust is a network segment or segments located between protected and unprotected networks. DMZs are generally configured in one of two basic topologies: chained and three-legged. A chained DMZ is isolated in a linear fashion between the trusted and un-trusted zones by a firewall on either side, whereas a three-legged DMZ is connected to a third interface off of a single firewall that separates the trusted and un-trusted zones, creating a third network spoke off of the firewall.

Basic Functions of a Firewall

A firewall’s primary function is to control the communications between systems and/or networks that exist in zones with differing trust levels. The firewall’s control of network communication across zones of trust allows us to enforce our security policy. This enables us to create a network connectivity model based on the principle of least privilege and set up varying levels of access based on the source, destination, and type of network communication.

Figure 5-3: Firewalls enforce access rules between zones of trust.


Address, Port, Protocol, and Services: The Building Blocks of Firewall Rules

In order to really understand what a firewall does, it will be helpful to take a quick review of how network communications work, especially in respect to the Internet Protocol. All Internet Protocol communications have several properties in common. It is these common properties that allow a firewall to perform most of its functionality. There are five basic commonalities generally present in network communications over the Internet Protocol:

• Source address: This is where the communication originated from.

• Destination address: This is where the communication is going to.

• Protocol used: This could be TCP, UDP, ICMP, IGMP, etc.

• Target port: A port is an endpoint to a logical network connection. This port number is how a network request specifies a specific service from a remote resource on a network. (IANA RFC 1700 specifies well known port numbers.)

• Service: This is the application that is offering the data or functionality requested by the connection. Generally, services listen for requests on a specific port over a specific protocol.

We use similar types of mechanisms in our non-digital daily lives to move information from one place to another. A good example of this would be returning a defective computer part to a manufacturer.

• We know that we are sending the part from ourselves (the Source).

• Then, we obtain the manufacturer’s address (the Destination).

• We decide on a shipper: FedEx, UPS, DHL, etc. (the Protocol).

• We also add “Attention: RMA department” to the label (the Port).

• Because of how we addressed, shipped, and labeled the package, when it arrives at the manufacturer, it will be handed over to the warranty service department for repair or replacement (the Service).

From this example, you can see that the concepts of source, destination, protocol, port, and service are commonly used in our daily lives. In relationship to a firewall, these commonalities that occur in network communication form the building blocks of “rule sets” that firewalls use to control access to and from network entities.

Firewalls and the OSI Model

To simplify the complexities of networking heterogeneous systems it is often useful to use the Open Systems Interconnect (OSI) model as a frame of reference. The OSI model is an abstraction of network communications between computer systems and network devices.


Figure 5-4: The Open Systems Interconnection (OSI) model.

In a nutshell, the layers of the OSI model perform the following functions:

• Layer 7: Application - Interface from network to applications

• Layer 6: Presentation - Handles data representation and encryption

• Layer 5: Session - Manages connections between applications

• Layer 4: Transport - Provides end-to-end connections and reliability

• Layer 3: Network - Path determination and logical addressing (IP)

• Layer 2: Data Link - Physical addressing (MAC & LLC)

• Layer 1: Physical - Media, signal, and binary transmission

A full discussion of the OSI model is outside the scope of this module, but those layers relevant to the topic of firewalls will help us understand how they function. Current firewall technology operates on the OSI model layers as shown in the following figure.

Figure 5-5: Firewalls operate at Layers 2, 3, 4, and 7 of the OSI model.


Firewalls generally operate at the levels corresponding to OSI Layers 2, 3, 4, and 7. The common network functionalities of source and destination address, protocol, port, and services that we examined earlier are described as operating on these layers of the OSI model.

Layer 2 (Data Link) is the lowest layer that contains addressing that can uniquely identify a single specific source or destination. These addresses are the MAC, or Media Access Control addresses, and are assigned to physical network interfaces. For example, a MAC address belonging to a standard Ethernet card is an example of a Layer 2 address. This is one layer that can be used by a firewall to discriminate source and destination addresses for communications control.

Layer 3 (Network) is the layer that handles the delivery of network traffic by providing switching and routing technologies, creating virtual circuits (logical paths), and transmitting data from node to node. Source and destination addressing, routing, forwarding, packet sequencing, error handling, and flow control are handled at this layer. Like Layer 2, Layer 3 can also be used by a firewall to discriminate source and destination addresses for communications control.

Layer 4 (Transport) is the layer that identifies end-to-end network communication mechanisms and communication sessions. This is the layer where the transport protocol is assigned, e.g. TCP, UDP, ICMP, etc., and the source and destination ports are specified. Firewalls can examine the protocol and port information from Layer 4 and use these values to control network communication.

Layer 7 (Application) supports both application (service) and end-user processes. This layer is where such things as communication partners, authentication, quality of service, and any data syntax constraints are identified. Everything at this layer is application specific. Data is passed from the program in an application-specific format, then encapsulated and passed to the layers below. Firewalls can use a host of information, such as service specific information that occurs at the application layer, to inspect and control inbound and outbound data communication to enhance your security posture.

The additional layer coverage enables the firewall to handle advanced applications and protocols. A good example of this would be user authentication. A simple firewall that functions only on Layers 2 and 3 will not normally be able to distinguish individual users, whereas a firewall with awareness of the application level (Layer 7) can enforce communications policies based on user authentication.

Classifying Firewalls

Firewalls have continued to evolve since their inception and are continuing to grow more sophisticated. As with any sophisticated system, a methodology for classification can facilitate understanding. The simplest way for you to classify firewalls is by how they handle the process of controlling network communications.

• Is the communication control being done between a single system and a network, or between two or more network segments?

• Firewalls that control communication with a single system are generally called Personal Firewalls.

• Firewalls that control communication between network segments are called Network Firewalls.

• Is the communication intercepted and inspected at the network layer or at the application layer?

• Network-layer firewalls are called Packet Filter Firewalls.


• Application-layer firewalls are called Application Gateways or Proxy Firewalls.

• Is the communication state being tracked and maintained by the firewall?

• If the firewall does not track the communication state, it is classified as a Stateless Firewall.

• If the firewall tracks the state of connections, it is classified as a Stateful Firewall.

Examining the Common Types of Firewalls

For both Personal Firewalls and Network Firewalls, there are three common types of firewalls in general use today: Simple Packet Filter Firewalls, Stateful Packet Filter Firewalls, and Application Level Firewalls. Let’s examine the strengths and weaknesses of each of these types of firewalls.

Simple Packet Filtering Firewalls

Simple packet filters are the most fundamental type of firewall. They inspect the individual inbound or outbound packets of network data and compare them against a “rule” set to determine if the packet should be permitted or denied.

In their most basic form, packet filter firewalls operate at the OSI model Layers 2 (Data Link) and 3 (Network). They provide network access control by comparing the rule set to information contained in the network packet such as:

• The source address of the packet, which is the IP address of the system the network packet originated from.

• The destination address of the packet, which is the IP address of the system the network packet is sent to.

• The network protocol being used to communicate between the source and destination addresses.

• Some simple packet filters will also include some characteristics of Layer 4 communications such as the source and destination ports of the connection.

• If the firewall is multi-homed to three or more network segments (such as in a three-legged DMZ configuration), a packet filter firewall also reads the packet information pertaining to which interface of the firewall the source packet arrived from and which interface of the firewall the packet is destined for.


Figure 5-6: OSI Layers of inspection for a Simple Packet Filter Firewall.

Weaknesses of Simple Packet Filter Firewalls

If you are using a simple packet filter firewall, there are several inherent weaknesses in this type of firewall that you should be aware of and take special care to overcome where possible.

• Application Specific Vulnerabilities: Packet filter firewalls do not inspect upper layer data, and therefore cannot protect against intrusions that make use of application specific vulnerabilities.

• Limited Logging: Since so little information is gathered by the firewall, the simple packet filter has limited logging capabilities, which limits the data available for policy making decisions and can hamper intrusion investigations.

• No Authentication: Because they operate at the OSI layers below where authentication happens, simple packet filter firewalls cannot generally make use of user authentication as part of their control mechanisms.

• Vulnerable to Spoofing: There are several weaknesses in the TCP/IP specification and protocol stack that packet filters have a tough time overcoming. A good example of this would be network layer address spoofing. Many simple packet filter firewalls cannot detect whether the OSI Layer 3 addressing information in a packet has been altered. This leaves them vulnerable to spoofing attacks.

• Large Attack Surface: Another weakness of simple packet filter firewalls is due to the way that TCP connections are established. In general, network services are requested on a well-known low numbered port (<1023) and the return client connection is established on a random high numbered port (>1023). So if you are using a simple packet filter firewall, you normally have to open all ports greater than 1023 inbound so they are available for return client connections. This leaves a very large attack surface exposed to the outside network.

• Easy to Misconfigure: Simple packet filter firewalls have very few variables to use for inspection and rule set creation. When attempting to create complex and comprehensive rule sets, it is easy to accidentally configure a rule to either allow or fail to deny network traffic that your network policy states should be denied. Conversely, it is also easy to block traffic that should be permitted.
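The rule-set evaluation described in this topic, and the "Large Attack Surface" weakness, can be shown in a small first-match filter. This is an added illustration, not code from the course; the interface names, addresses and rules are constructed samples, and the audit helper flags the wide inbound port range the stateless design forces on you.

```python
"""First-match packet filter over the building blocks from this section:
source, destination, protocol, destination port and arriving interface.
Added illustration, not code from the course; the rule set and addresses
are constructed samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    in_if: str          # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp"
    sport: int = 0      # 0 for protocols without ports
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    in_if: Optional[str] = None        # None matches any interface
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None        # None matches any protocol
    dport: Optional[range] = None      # destination ports, None matches any

    def matches(self, p: Packet) -> bool:
        return ((self.in_if is None or self.in_if == p.in_if)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or p.dport in self.dport))


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Evaluate rules top to bottom; the first match wins, otherwise deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


def broad_inbound_permits(rules: List[Rule], outside_if: str = "outside",
                          min_ports: int = 1000) -> List[Rule]:
    """Audit helper: list permit rules on the untrusted interface that open
    a wide destination-port range (or any port), the attack surface the
    text warns about."""
    return [r for r in rules
            if r.action == "permit" and r.in_if == outside_if
            and (r.dport is None or len(r.dport) >= min_ports)]


# Constructed rule set for a filter between "outside" and "inside":
# reject spoofed internal sources, admit web and mail to one DMZ host,
# let anything out, and, because the filter keeps no state, open the high
# ports inbound so return traffic for outbound client connections gets through.
INSIDE = "10.0.10.0/24"
DMZ_WEB = "192.0.2.10/32"
RULES = [
    Rule("deny", in_if="outside", src=INSIDE),                                # anti-spoof
    Rule("permit", in_if="outside", dst=DMZ_WEB, proto="tcp", dport=range(80, 81)),
    Rule("permit", in_if="outside", dst=DMZ_WEB, proto="tcp", dport=range(25, 26)),
    Rule("permit", in_if="inside"),                                           # outbound
    Rule("permit", in_if="outside", proto="tcp", dport=range(1024, 65536)),   # return ports
]   # anything else falls through to the implicit deny
```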

Stateful Packet Filter Firewalls

We have already discovered that simple packet filter firewalls operate across levels 2 and 3 of the OSI model. The stateful packet firewall adds level 4 awareness in addition to levels 2 and 3. Because they can keep track of logical virtual connection circuits, these firewalls are also sometimes referred to as Circuit Level firewalls.

Figure 5-7: OSI Layers of inspection for a Stateful Packet Filter Firewall.

Stateful packet filters control traffic in basically the same manner as a simple packet filter by using rule sets, but they have additional intelligence in their logic that enhances their performance and solves several challenges with simple packet filter firewalls.

The “stateful” moniker comes from the fact that these firewalls keep track of the state of all “accepted” connections in a data table that resides in memory. This enables the firewall to determine if an incoming packet is either a new connection or is part of an existing established connection.

Once the connection session has ended or has timed out, its corresponding entry in the state table is discarded. Some applications can send periodic keepalive packets in order to stop a firewall from dropping the connection during periods of low user activity.


Figure 5-8: Example of a connection state table.

This ability to discriminate between new connections and existing ones brings several advantages to this type of firewall over a simple packet filter.

• Lower Attack Footprint: Stateful firewalls can take additional actions based on data residing in the state tables such as “dynamically” opening return client ports for each individual connection. This lowers your attack footprint, which increases your security posture.

• Less Susceptible to Spoofing: A stateful firewall is able to hold in memory key attributes of individual connections. These attributes help the firewall track the state of the connection. Attributes stored in memory include the IP addresses and ports for both ends of the connection and also the sequence numbers of the data packets sent through the connection. The stateful firewall’s awareness of IP addresses and sequence numbers makes it far less susceptible to spoofing.

• Easy Black Hole Configuration: Stateful firewalls can easily be configured to pass all outgoing packets through, but to only permit incoming packets if they are part of an established connection that is listed in the state table. This prevents intruders from starting unsolicited connections to resources in the protected network. Coupled with a rule to discard unsolicited packets, this turns your network into a black hole on the Internet.

• Less Resource Intensive: Tracking the connection state gives stateful firewalls an increased efficiency in their packet inspection process. Packets for existing connections through the firewall only have to be checked against the state table, which is less resource intensive than checking the packet against the firewall’s filter rule set.

Stateful inspection firewalls share some of the weaknesses of packet filter firewalls; however, the advantages created by the state table implementation mean that stateful inspection firewalls are generally more secure than simple packet filter firewalls.
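The state table of Figure 5-8 and the "black hole" behaviour above, as an added example that is not part of the course: a connection table keyed by the five-tuple, where only the inside may open a flow, return packets are matched against the reverse key, and entries are dropped on RST or after the idle timeout (keepalives refresh them). Interface names, the timeout value and all addresses are assumptions.

```python
"""Stateful packet filter: a connection table keyed by the five-tuple.
New connections may only be opened from the inside, inbound packets are
accepted only when they continue a tracked connection, finished and idle
entries are discarded. Added illustration, not code from the course;
addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, Tuple

IDLE_TIMEOUT = 300.0        # seconds an entry may stay idle before removal


@dataclass(frozen=True)
class Packet:
    in_if: str              # "inside" or "outside"
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False       # TCP flags; SYN without ACK opens a connection
    ack: bool = False
    rst: bool = False       # RST tears a tracked connection down


Key = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class StatefulFilter:
    def __init__(self, inside_if: str = "inside") -> None:
        self.inside_if = inside_if
        self.table: Dict[Key, float] = {}   # key -> time the flow was last seen

    @staticmethod
    def forward_key(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_key(p: Packet) -> Key:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def expire(self, now: float) -> int:
        """Discard entries idle longer than IDLE_TIMEOUT; keepalives refresh them."""
        stale = [k for k, seen in self.table.items() if now - seen > IDLE_TIMEOUT]
        for k in stale:
            del self.table[k]
        return len(stale)

    def filter_packet(self, p: Packet, now: float) -> str:
        self.expire(now)
        for key in (self.forward_key(p), self.reverse_key(p)):
            if key in self.table:           # part of a tracked connection
                if p.rst:
                    del self.table[key]     # simplified teardown
                else:
                    self.table[key] = now   # refresh the idle timer
                return "permit"
        # Unknown flow: only the inside may open one, and for TCP only a real
        # SYN may do so; a bare ACK or a RST never creates state.
        opens = p.proto != "tcp" or (p.syn and not p.ack and not p.rst)
        if p.in_if == self.inside_if and opens:
            self.table[self.forward_key(p)] = now
            return "permit"
        return "deny"   # unsolicited from outside: the "black hole" behaviour
```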

Application Level Firewalls

Application level firewalls (also sometimes called Application-Proxy Gateways) are sophisticated firewalls that combine inspection of both the lower layer access controls with the upper 7th layer of the OSI model (Application Layer). Application level firewalls control the routing of packets between the trusted and un-trusted zones configured on the firewall based on what application or service is sending or receiving the data packets. All network data packets that pass through the firewall do so under the control of the application-proxy software.


Figure 5-9: OSI Layers of inspection for an Application Level Firewall.

Application level firewalls are capable of doing deep packet inspection in order to make accurate appraisals of which connections to allow and which to deny. By reading the actual data inside of a packet, application level firewalls are able to detect bypass attempts such as masking non-permitted communications inside of packets sent over permitted ports, for example, hiding IRC communications packets by using port 80 to masquerade as HTTP. Traditional stateful firewalls cannot detect this, while an application level firewall can inspect and deny HTTP packets if the content does not match the packet type.

Application level firewalls also generally have the ability to require authentication of each user or system attempting to transmit data across the firewall. A wide variety of authentication forms are available, including:

• User ID and Password Authentication

• Hardware or Software Token Authentication

• Source Address Authentication

• Biometric Authentication

Application level firewalls have several advantages over both types of lower level packet filter firewalls we previously examined.

• Extensive Logging Capabilities: Application level firewalls have extensive logging capabilities because the firewall is able to examine the entire network packet contents instead of just the lower level network addresses and ports. Application level firewall logs often will contain application-specific commands issued over the network data packets. This can be very useful for both policy management and intrusion incident investigation.

• Enforcement of Authentication: The authentication capabilities built into application level firewalls are vastly superior to those found in packet filter or stateful inspection packet filter firewalls. Application level firewalls allow you to set enforcement rules on the available types of authentication that are most appropriate for a network environment as opposed to just using lower level source, destination, and port addresses.

• Less Susceptible to TCP/IP Vulnerabilities: Application level firewalls can inspect the entire contents of a packet to ensure that the contents are appropriate for the target destination. This greatly improves the firewall's ability to block spoofing attacks and other attacks that exploit TCP/IP vulnerabilities.

The deep packet inspection of an application level firewall can be resource intensive. Therefore, most application level firewalls include stateful inspection to optimize resource utilization.

One potential danger to application level firewalls is that savvy intruders may attempt to defeat the deep level inspection by encrypting their packet contents, for example by tunneling through SSL. This is why it is important to configure a rule on application level firewalls that denies any inbound encrypted communication unless the connection originated from inside the trusted zone and is listed in the state table.
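As an added illustration (not code from the course), the following Python sketch shows the kind of content check an application level firewall applies to a permitted port, which a port- and state-only firewall cannot: it reads the start of a port 80 connection and classifies it as genuine HTTP, a TLS (SSL) handshake on the plaintext port, or something else, such as the IRC-over-port-80 case above. The sample payloads, the example.com host name, and the accept/deny policy are constructed for the example.

```python
"""Added example (not from the course text): an application level firewall's
payload check for port 80. A packet filter or stateful firewall sees only
"TCP to port 80"; this check reads the data and asks whether it really is HTTP.
All sample payloads below are constructed for the illustration."""
import re

# Common HTTP/1.x request methods the check will accept.
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Request line: METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
# Header line: token ":" optional whitespace field-value CRLF
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*\r\n")


def classify_port80_payload(payload: bytes) -> str:
    """Classify the first bytes a client sends on a port 80 connection.

    Returns "http" for a well-formed HTTP/1.x request head, "tls" for a TLS
    (SSL) handshake record, and "non-http" for anything else (for example an
    IRC session trying to hide behind the HTTP port)."""
    # A TLS record starts with content type 22 (handshake) and major version 3.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"

    m = REQUEST_LINE.match(payload)
    if m is None or m.group(1).decode("ascii") not in HTTP_METHODS:
        return "non-http"

    # Every following line up to the blank line must be a syntactically valid
    # header; a protocol that merely starts with an HTTP-looking line fails here.
    rest = payload[m.end():]
    while rest and not rest.startswith(b"\r\n"):
        h = HEADER_LINE.match(rest)
        if h is None:
            return "non-http"
        rest = rest[h.end():]
    return "http"


def port80_policy(payload: bytes) -> str:
    """The rule the text recommends: pass only genuine HTTP on port 80 and deny
    everything else, including encrypted data that would defeat inspection."""
    return "accept" if classify_port80_payload(payload) == "http" else "deny"


# Constructed sample payloads (example.com is the IANA documentation domain).
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
IRC_ON_PORT_80 = b"NICK guest\r\nUSER guest 0 * :guest\r\nJOIN #chat\r\n"
# A minimal TLS ClientHello record header followed by filler bytes.
TLS_ON_PORT_80 = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(32)
# Starts like HTTP, then carries a non-header line: still rejected.
HTTP_THEN_IRC = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nNICK guest\r\n\r\n"

if __name__ == "__main__":
    samples = [("HTTP_REQUEST", HTTP_REQUEST), ("IRC_ON_PORT_80", IRC_ON_PORT_80),
               ("TLS_ON_PORT_80", TLS_ON_PORT_80), ("HTTP_THEN_IRC", HTTP_THEN_IRC)]
    for name, data in samples:
        print(f"{name:15} -> {classify_port80_payload(data):8} -> {port80_policy(data)}")
```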

Building Firewall Rules to Control Network Communications

We have discovered that modern firewalls can control network traffic based on a wide range of packet or application attributes contained in the layers discussed previously. When a packet is received by the firewall, it inspects the packet's attributes that were included in the packet as it passed through the various networking layers. This information is then compared to “rules” that have been configured for the firewall. Based on the outcome of the comparison, the firewall can handle the packet in any of the following ways.

• Accept: The firewall passes the packet through the firewall to the destination requested by the packet.

• Deny: The firewall drops the packet, without passing it through the firewall. After the firewall drops the packet, an error message is returned to the source address.

• Discard: The firewall drops the packet, but does not return an error message to the source address. This creates the appearance that the firewall is not even on the network, and it is often referred to as a “black hole” because it does not reveal its presence by error messages.


A partial list of attributes that can be examined by a firewall and used for rule set comparison would look like this:

• Source address

• Destination address

• Protocol

• Source port

• Destination port

• Source service

• Destination service

• TTL values

• Originator's netblock

• Destination netblock

• Domain name of the source

• Domain name of the destination

• Application source

• Application destination

• Authentication

• And many other attributes

Firewall rules are the heart of your firewall system. These rules build on one another and are generally parsed in sequence. The first rule the firewall discovers that matches the attributes of the data packet is the rule that will be applied. Most firewalls will have a configuration option that allows you to manage the flow of how rules are parsed within a given rule set.

Ordering your firewall rule sets correctly is an important step in ensuring that the firewall behaves as expected. View the following figure and look at rule number seven (the default deny rule). This rule is the last rule in the set. If this rule were placed anywhere but last in the list, all other rules below it would not have any effect, because all traffic is denied by this rule. Without careful ordering of your rules, you will find your firewall producing unexpected results. One thing you can count on is that a firewall will do exactly what you tell it to do. It is a wise firewall administrator who plans his or her rules carefully and keeps them well documented!

Figure 5-10: Example firewall rule set.


Common Firewall Topologies

Firewalls can be configured in a variety of topologies to meet the needs of any size or style of network environment. There are three standard firewall topology configurations that are commonly used in modern networks. Each of these topologies is applicable to a specific network environment. Choosing the correct firewall topology for your network is the first step in successfully implementing a firewall on your network.

We have discovered that firewalls are used to enforce access controls between systems or network segments linked across zones with varying levels of trust. It should not be surprising, therefore, when we examine the common firewall topologies to find a firewall at each location where different trust zones connect.

Perimeter Firewall: The perimeter firewall topology (also referred to as edge configuration, bastion host, or screened configuration) is the most common firewall topology. This topology places a single firewall directly between the trusted and un-trusted systems or networks.

Figure 5-11: Example of a perimeter firewall topology.

Perimeter firewalls are the simplest configuration to use when no trusted resources need to be available to the un-trusted network. One exception would be remote users; in this case, the firewall is often combined with VPN technology to allow external users to securely access the internal network. This is a good choice for a topology when you want to allow access to the Internet from your trusted network, but do not wish to make internal resources available to users on the Internet.

You can configure a perimeter firewall to allow access to specific internal resources by creating firewall rules that allow outside access to only those resources, such as an SMTP server or web server. In fact, many people do exactly that. Be aware, however, that if the internal resource should be compromised over the externally accessible resource port, it opens your whole network to further attacks. If you need to make resources available to users on un-trusted networks, the best choice is to choose one of the following DMZ configurations.

Three-Legged (DMZ) Firewall Topology: The three-legged DMZ topology is commonly used where you need to publish resources to an un-trusted network such as the Internet. This topology uses a single firewall, like the perimeter topology; however, in this configuration, the firewall has an additional network interface that is connected to a network containing the externally available resources.


Figure 5-12: Example of a three-legged (DMZ) firewall topology.

The three-legged firewall topology allows you to publish resources while still blocking all inbound access to your internal network. In this topology, the firewall rules are configured differently for the internal and DMZ interfaces. The internal interface is configured to deny external access to the internal network, while the DMZ interface is configured to allow access to specific resources in the DMZ from the external network.

This configuration increases the security posture of your internal network by removing the need to open any inbound ports to the internal network other than for client return connections. An additional security benefit of this topology is that if one of the publicly accessible resources is compromised, your internal network remains secure.

Chained (DMZ) Firewall Topology: Another firewall DMZ topology commonly used where you need to publish resources to an un-trusted network such as the Internet is the chained DMZ. This topology uses a pair of firewalls to create the DMZ. The two firewalls “sandwich” the DMZ between the internal and external networks. Since this configuration contains two firewalls and consequently two sets of firewall rules, it can be considerably more complex to set up. However, when this topology is correctly configured, it brings a high level of protection to your network.

Figure 5-13: Example of a chained (DMZ) firewall topology.


This topology is commonly used where both the external network and the internal network need access to resources in the DMZ, and those DMZ resources also require communication with other servers and services that reside inside the internal network.

A good example of this would be a mail server that needs to authenticate internal users against a directory service that resides on a server in the internal network. The mail server in this scenario has two requirements. It must be able to exchange inbound and outbound SMTP packets with the Internet and be able to authenticate internal users against a directory service that resides on a server in the internal network.

Another situation where this topology would be an appropriate choice is where you have an e-commerce site that connects to a database containing sensitive customer information. In this scenario, you would place the front end web server in the DMZ behind the front side firewall; then place the database server on the segment behind the backside firewall. The front side firewall rules would be configured to only allow inbound TCP port 80 and port 443 to the web server, while the backside firewall rules would only allow the web server to query the backend database server, effectively isolating the database server from the Internet.

When correctly configured, the chained DMZ firewall topology offers a high level of threat protection from external network access, while providing ample flexibility for communications between the DMZ and the internal network.
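To tie the rule handling described earlier (first-match parsing, the Accept/Deny/Discard outcomes, and the danger of a misplaced default deny) to the chained DMZ e-commerce scenario just described, here is an added Python model that is not part of the course material. It evaluates constructed rule sets for a front side and a back side firewall, runs a packet through the firewalls it would actually cross, and flags rules that can never fire because an earlier rule shadows them. The addresses, the web and database hosts, and the SQL port 1433 are assumptions made for the illustration.

```python
"""Added example (not from the course text): a first-match rule evaluator that
models the Accept/Deny/Discard verdicts, rule ordering, and the two rule sets
of a chained (DMZ) firewall topology. All addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "accept", "deny" (drop + error back) or "discard" (silent)
    src: IPNet = ANY
    dst: IPNet = ANY
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, bool, Optional[int]]:
    """Parse the rules in order; the first match decides. Returns the verdict,
    whether an error goes back to the source (only for "deny"), and the index
    of the rule that fired. An unmatched packet is silently discarded."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, rule.action == "deny", i
    return "discard", False, None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier, broader rule
    already matches everything they would: the misordering the text warns
    about (for example a default deny placed anywhere but last)."""
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in (None, later.dport)):
                dead.append(j)
                break
    return dead


# Constructed chained DMZ: Internet | front firewall | DMZ | back firewall | internal.
DMZ = ipaddress.ip_network("192.0.2.0/24")        # documentation range, assumed DMZ
INTERNAL = ipaddress.ip_network("10.0.0.0/24")    # assumed internal segment
WEB = ipaddress.ip_network("192.0.2.10/32")       # front end web server in the DMZ
DB = ipaddress.ip_network("10.0.0.20/32")         # database server behind the back firewall

# Front side firewall: only TCP 80 and 443 to the web server; a silent "discard"
# as the last rule so the firewall black-holes everything else.
FRONT_RULES = [
    Rule("accept", dst=WEB, proto="tcp", dport=80),
    Rule("accept", dst=WEB, proto="tcp", dport=443),
    Rule("discard"),
]
# Back side firewall: only the web server may query the database (assumed SQL
# port 1433); "deny" so a misconfigured DMZ host gets an error and shows in logs.
BACK_RULES = [
    Rule("accept", src=WEB, dst=DB, proto="tcp", dport=1433),
    Rule("deny"),
]


def chained_verdict(p: Packet) -> str:
    """Run a packet through the firewalls it actually crosses: the front one for
    anything entering from the Internet, the back one for anything bound for
    the internal network. Both must accept for the packet to get through."""
    path = []
    if ipaddress.ip_address(p.src) not in DMZ and ipaddress.ip_address(p.src) not in INTERNAL:
        path.append(FRONT_RULES)
    if ipaddress.ip_address(p.dst) in INTERNAL:
        path.append(BACK_RULES)
    for rules in path:
        verdict, _, _ = evaluate(rules, p)
        if verdict != "accept":
            return verdict
    return "accept"


def misordered(rules: List[Rule]) -> List[Rule]:
    """Move the catch-all last rule to the front, the ordering mistake the text
    describes: every rule after it becomes dead."""
    return [rules[-1]] + rules[:-1]


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed Internet client
    print(chained_verdict(Packet(client, "192.0.2.10", "tcp", 443)))        # accept
    print(chained_verdict(Packet(client, "10.0.0.20", "tcp", 1433)))        # discard
    print(chained_verdict(Packet("192.0.2.10", "10.0.0.20", "tcp", 1433)))  # accept
    print(shadowed_rules(misordered(FRONT_RULES)))                           # [1, 2]
```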

Why Would I Want a Firewall on My Network?

The Wild Frontier

The Internet is sometimes referred to as the new frontier. And like any frontier setting, it has its share of undesirable elements. Out on the frontier, the only safety that you can count on is the safety you create for yourself. Placing a firewall on your network is like the old time explorers building a fort for protection. It does not guarantee total immunity, but it provides much more safety than a canvas tent when danger approaches.

Like the frontier, the Internet is filled with opportunity. This includes the opportunity to carry out business, to learn, grow, discover, and connect with new people. But close on the heels of frontier-style opportunity come the scavengers and villains. Almost any day, in almost any media you care to name, you will find a new report about some digital danger that has reared its ugly head on the Internet.

The net is a representation of society in all its glory and disgrace. From nuisance hackers to serious criminals, the complete gamut of less than well-adjusted societal members can be found. In our normal lives, we install locks on our houses and employ police forces to deter would-be vandals and thieves from taking or damaging our property. Firewalls fulfill this role on our networks. If you don't protect it, you won't own it for long.


Regulatory Compliance

The prominence of Internet dangers has even prompted legislation in many countries that places responsibilities for data protection on the organization that owns the information. This is especially true of government, banking, and the healthcare industries. Organizations now find themselves with compliance responsibilities for protecting sensitive data that sometimes carry stiff penalties for non-compliance.

This has spawned a general move in most organizations towards a formal set of computing security policies. These policies dictate how an organization's resources must be protected and show that they are meeting regulatory compliance. A firewall is one of the key elements in enforcing the organization's written policy.

Public Image

A firewall can also serve to protect not only your organization's data, but also its public image. Almost every organization has a website today. If these publicly accessible resources are not protected and get hacked, either through defacement or denial of service attacks, the organization's image will be tarnished in the eyes of the website users.

This impact can, and usually does, make itself felt on the organization's bottom line: either through your customers going to the competition because they lost trust in your organization as the result of website defacement or data theft, or through lost sales as the result of a denial of service attack on your e-commerce site. Firewalls can't always prevent this, but they can mitigate the dangers down to an acceptable level of risk.

What Can a Firewall Not Protect You From?

A firewall is a powerful tool in your security tool box, but there are certain types of dangers that a firewall can do nothing about. For example, because the purpose of a firewall is to control and limit inbound and outbound network communications between networks or systems of differing trust levels, it stands to reason that it cannot protect against attacks that don't traverse your firewall. The following is a partial list of things that a firewall cannot protect you from:

• Firewalls cannot protect against internal threats: This type of threat originates from the zone of trust where the attack is targeted. This would include such things as:

• Disgruntled or unscrupulous workers. This is actually one of the greatest dangers to any network and coincidentally how the greatest number of intrusions actually occur.

• Weak password policies or other poor system administration practices. Firewalls will not be very effective in securing something that has gaping security holes in it to start with. Make sure you follow industry standard best practices throughout your network environment.

• Firewalls cannot protect against attacks that don't traverse your firewall:

• Personal Modem or Wireless connections. It is worth noting that this issue has evolved into a real danger in the era of mobile wireless Internet access. A mobile user who attaches his or her laptop to your trusted network and then connects to the Internet via a 3G GSM satellite or other wireless connection has effectively punched a hole right through your carefully configured security measures.

• Social engineering. This is a proven methodology to break into networks that are otherwise secured. It is simply astounding what villainous social engineers can get a user (or even a sys admin), who is otherwise an intelligent human being, to reveal about his or her computing environment. Your best line of defense against this type of attack is user education.

• Firewalls cannot protect against attacks on services that are allowed through your firewall:

• Allowed inbound traffic. This would include attacks on web and email services to which external access has been permitted. If you allow access to your web server through the firewall, and the web server has an un-patched vulnerability that works over port 80 (http), your firewall cannot protect the web server from that type of attack.

• Malware and browser threats. Firewalls cannot protect your network against threats that the user brings into the network themselves. This includes the many forms of malware such as email viruses, Trojans, browser-based attacks, spyware, and phishing sites. Again, we are back to defense in depth and user education as our best defense against these types of threats.

To have the best chance at defending your network, a well-configured firewall must be augmented by good configuration control, secure OS baselines, patch management, anti-malware programs, sound network administration basics, and a user education program. Defense in depth is the security-conscious administrator's motto.

Things to Consider About Firewall Implementation

Before we move on to the next topic, let's discuss a few simple concepts concerning the real world implementation of a firewall in your network. If you keep these concepts in mind when you work with an organization's firewall, you will enjoy greater success in securing the network, while keeping management and your users content and supportive.

Firewalls are an Enforcement Tool for Security Policies

A firewall enforces your inter-network access security policy. If you didn't have an access security policy before you put the firewall in place, you do now. It may not be a written policy, but effectively it's still an access security policy. If you haven't made explicit decisions about what you want your inter-network access security policy to be, you will likely wind up with less than optimal configurations on your firewall, and it will certainly be more difficult for you to maintain its effectiveness over time. In order to have an effective firewall, you really do need a good security policy, one that is well thought out, written down, and widely agreed to and supported within your organization.

It is almost axiomatic in the security field that if you do not have published, formal, written security policies that have received full management approval and support, implementing a firewall will max out your job pain threshold. This is primarily because your users (and management) will not understand why the network “doesn't work like it used to” and the ill will and blame will wind up on your door step. Before implementing the firewall, you should have created a written policy that explicitly outlines your overall security goals, policies, and procedures including your firewall configuration and rule sets. Obtaining management support and backing for the policy is critical, as they are the ones with the final authority and responsibility for the organization's operations and information.

Note (sidebar on attacks against allowed inbound services): Some modern application layer firewalls capable of deep packet inspection also have varying levels of intrusion detection capabilities built in. These firewalls can potentially mitigate this type of risk. But better safe than sorry. Patch, Patch, Patch!

Note (sidebar on malware and browser threats): Some modern application layer firewalls capable of deep packet inspection also have varying levels of malware detection capabilities built in. These firewalls can potentially mitigate this type of risk. But again, better safe than sorry. Always use anti-malware software and keep it up-to-date!

A Firewall by Itself is Not a Security Solution

Firewalls can only protect networks and information from certain types of digital dangers. They are designed to control and limit external access to resources. Firewalls can only protect you against threats they can detect, and unfortunately there are no magical all-seeing firewalls. Also, a firewall cannot protect against internal attacks against your network or data. To gain maximum effect, your firewall should be just one layer in a comprehensive defense in depth security program. Remember that an attacker doesn't often go through security but looks for ways to go around it! Make it difficult by having more than one layer of defense.

Use a Deny All, Permit by Exception Approach

This is a tried and true approach to configuring firewalls safely. If you deny everything and only allow what you know to be secure or mandatory, you will spend much less time reconfiguring the firewall or responding to intrusions. New vulnerabilities continually pop up in the digital world; the “permit all, deny what is dangerous” approach means you will have a constant battle to keep up. The “permit all, deny dangerous” methodology would only work if you knew every danger, past, present, and future. This is just not a realistic approach to security.

Enforce the Least Privilege Rule

This is a basic axiom of all forms of security, regardless of whether it is physical security; user accounts; file, share, and application permissions; or firewall traversal access. You should only grant users, systems, and applications the least amount of privilege or access that they require to carry out their functions. Be leery of anything that requires high levels of privilege or access to function. You can only empty the vault if you have access and the keys.

Be Gracious, but Not Compliant

Enforcing security and dealing with user requests is a delicate balancing act with a little public relations magic sprinkled in. This is especially true if you are trying to secure a network that has been insecure before. Some people will simply not care whether what they do creates security risks if it makes their life more convenient. If you open up the firewall a little more at every user's request, you will wind up with a wide open network in the end. At the same time, if you always deny requests, people will turn bitter. It is a simple fact of life that people who feel they can't work with you will find a way to work around you.

Security is always a tradeoff against convenience. It is not convenient to have to reach into your pocket to get your house keys to unlock the house when your arms are full of grocery bags after you arrive home from the market. However, we tolerate this inconvenience because we value the items in our house. User education and gracious manners when you deal with users will go a long way to meeting both their needs and keeping the network risks at an acceptable level. Remember, the network is there to meet the business needs of the organization, not because the organization needs a secure data vault. You need to find ways to meet the user's needs while controlling the risks.


Firewalls Are Not Just Perimeter Protection

Last, but certainly not least, expand your view of what firewalls can be used for. In general, we think of firewalls in the context of perimeter protection when connecting to external networks. However, this is a very limited view of a firewall's usefulness in a modern networked environment. It is becoming more and more common for organizations to employ additional firewalls within their internal networks (intranet) to control data flow and protect critical resources or information from unauthorized internal access. For example, an organization might employ an internal firewall to provide an additional layer of security for its financial or human resources information.

Examine the following figure and notice the network segments the internal firewall is placed between.

Figure 5-14: Using an internal firewall to secure sensitive internal resources.

In this context, the firewalls are not only controlling access from the external network, the DMZ, and the partner networks, but also from within the organization's internal network itself. Employing firewalls in this manner can significantly increase the security of your sensitive data against internal attacks.


Topic 5B

Configuring Microsoft ISA Server 2006

Introduction to ISA Server 2006

Microsoft's Internet Security and Acceleration Server (ISA) 2006 is what Microsoft calls its integrated edge security gateway. Microsoft's security offerings in the firewall arena have come a long way since its release of Proxy Server 2.0, which had firewall style features. This continued development has resulted in ISA Server 2006 being a robust and mature multilayer firewall. It has a wide range of features and capabilities that will meet the needs of almost any network environment: from small businesses to global enterprises. ISA Server 2006 features the following functionalities:

• Internet Access Control (Proxy)

• Flexible Configuration Controls Including Easy-to-use Wizards

• Configuration Export/Import to XML

• Customizable Protocol Definitions

• Secure Application Publishing

• Server Publishing

• Web Publishing

• SharePoint Publishing

• SSL Bridging

• Application Layer Filtering (Deep Packet Inspection)

• Intrusion Detection Capabilities

• Flood Resiliency Configuration

• Forward and Reverse Web Caching

• Remote User or Branch Office VPN Capability

Common Deployment Scenarios for ISA Server 2006

Networking professionals around the world have had long-standing concerns about performance impact, operational costs, and manageability whenever they deploy a new technology on their networks. This is especially true when you need to deploy a firewall for security purposes. Microsoft spent considerable research effort to discover what the real pain points are when deploying a firewall solution. Fortunately, the ISA Server 2006 design team was the recipient of all this research. Their efforts at making ISA Server 2006 highly deployable in the most common scenarios are evident. They targeted their efforts to make ISA Server 2006 very straightforward to deploy in several common scenarios.

• Protecting your network against external and internal Internet based threats.

• Publishing content to external consumers in a secure fashion.

• Securely connecting remote branch offices.

• Providing secure access to remote users of the internal network.

In each one of these scenarios, ISA Server 2006 provides a robust solution with streamlined deployment, configuration, management, and reporting.


Protecting Your Network Against External and Internal Internet-Based Threats

Organizations can use ISA Server 2006 to mitigate or eliminate damage to their network resources from the Internet, including unauthorized access and even malware attacks, by using the full-featured suite of tools in ISA Server 2006 to inspect for and block harmful network traffic and content.

With its hybrid firewall-proxy architecture, application level deep content packet inspection, granular security policies, comprehensive monitoring, and alerting capabilities, ISA Server 2006 makes it easier to protect and manage your connected network resources. Some of the features that enable ISA Server 2006 to protect your network are:

• Simplified Management Tools: ISA Server 2006 has a suite of management tools that simplify configuration and ongoing administration. As firewall tools go, these tools are relatively intuitive and have a very low learning curve.

• Multilayer deep content inspection: ISA Server 2006 has a comprehensive set of customizable policies, customizable protocol filters, and network topology relationship models that allow you to thoroughly inspect and control the traffic that traverses the firewall.

• Flood resiliency: ISA Server 2006 now features enhanced flood resiliency for network event handling and monitoring. This feature provides a more robust firewall resistance to threats such as denial of service and/or distributed denial of service attacks.

• Unified management and monitoring with MOM: For those organizations that have deployed the Management Pack for Microsoft Operations Manager, ISA Server 2006 can be integrated into your enterprise- and array-level policies. This gives administrators the ability to easily control security and ISA access rules throughout the organization.

• Enhanced worm resiliency: ISA Server 2006 can help to mitigate the overall damage an infected computer will have on the network. This is accomplished through client IP alert pooling and connection quotas that monitor and block unusual connection patterns.

• Quicker attack response times: ISA Server 2006 has a comprehensive set of alert triggers with configurable responses. When configured, this can quickly notify you of network threats targeted against your network.

• Extensive software developer's kit (SDK): The ISA Server 2006 SDK aids third parties in the development of ISA Server 2006 add-ons. These add-ons enrich the feature set of ISA Server 2006 by providing a wide range of additional protections such as anti-virus or custom web filtering controls.

• Improved resource management: ISA Server 2006 gives you extensive control over log throttling, memory consumption, and pending DNS queries. This improved resource management contributes to ISA Server's greater overall performance levels.

Versions of ISA Server 2006

Before you deploy ISA Server 2006, you will need to decide which version to purchase. ISA Server 2006 is available in two versions: Standard and Enterprise. You should install the version that is appropriate for your network environment and security needs. A short comparison of the two versions follows:


Figure 5-15: ISA Server 2006 version comparison chart.

TASK 5B-1

Preparing for ISA Server 2006

Setup: Lab Prerequisites

Task Note: Firewalls are primarily designed to control network traffic between network segments, so you will need to have more than one network adapter in your computer in order to configure ISA Server 2006 in the most common firewall topologies. Since the classroom computers have only one physical network card, we will install and configure the Microsoft Loopback Adapter to represent our “internal” network interface, while configuring the physical network card as our “external” network interface.

1. Choose Start→Control Panel→Add Hardware.

2. In the Welcome dialog box, click Next; the wizard will search for your hardware.

3. Select Yes, I Have Already Connected The Hardware, then click Next.

4. Scroll to the bottom of the Installed Hardware list box and select Add A New Hardware Device. Then, click Next.

5. Select the Install The Hardware That I Manually Select From A List (Advanced) option, then click Next.

6. Under Common Hardware Types select Network Adapters, and click Next.

7. Under Manufacturer, select Microsoft.

Note: Several manufacturers such as HP, Avantis, Whale, Celestix, SecureGUARD, and OSST now offer ISA Server 2006 in a firewall appliance. This combines the power and configuration ease of ISA Server and the convenience of an appliance.

8. Under Network Adapter, select Microsoft Loopback Adapter.

9. Click Next twice.

10. If prompted, click OK in the Insert Disk dialog box, enter the path to the Windows 2003 Server installation source files in the Files Needed dialog box, and then click OK.

11. Click Finish.

12. Choose Start→Control Panel→Network Connections→Local Area Connection 2.

13. In the Local Area Connection 2 dialog box, click Properties.

14. In the This Connection Uses The Following Items list, select Internet Protocol (TCP/IP) and then click Properties.

15. On the General tab select Use The Following IP Address and then enter the address from the following table that corresponds to your computer name.

WIN-R01 - 10.16.1.1/24    WIN-L01 - 10.18.1.1/24
WIN-R02 - 10.16.2.1/24    WIN-L02 - 10.18.2.1/24
WIN-R03 - 10.16.3.1/24    WIN-L03 - 10.18.3.1/24
WIN-R04 - 10.16.4.1/24    WIN-L04 - 10.18.4.1/24
WIN-R05 - 10.16.5.1/24    WIN-L05 - 10.18.5.1/24
WIN-R06 - 10.16.6.1/24    WIN-L06 - 10.18.6.1/24
WIN-R07 - 10.16.7.1/24    WIN-L07 - 10.18.7.1/24
WIN-R08 - 10.16.7.1/24    WIN-L08 - 10.18.8.1/24

Lesson 5: Configuring Firewalls 213


16. Leave the DNS value blank and then click OK.

17. Click OK, and close the Local Area Connection 2 Properties window.

18. Choose Start→Control Panel and right-click Network Connections. From the pop-up context menu, choose Open.

19. Right-click the Local Area Connection and choose Rename.

20. Name the connection External.

21. Right-click Local Area Connection 2 and choose Rename.

22. Name the connection Internal.

23. Close the Network Connections window.

You have now installed the Microsoft Loopback Adapter and assigned it a unique IP address. We will be using this adapter to function as our internal network adapter for ISA Server 2006. You also renamed the two available network connections so they can easily be identified as either the external or internal network.

ISA Server Installation Requirements

System Requirements for ISA:

Figure 5-16: ISA Server hardware requirements.

The subnet mask is 255.255.255.0 for all these IPs.


TASK 5B-2: Install Microsoft ISA Server 2006

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous task. This task requires that you have the Microsoft ISA Server 2006 software available.

1. Browse to the location of the ISA Server 2006 installation files and double-click isaautorun.exe.

2. Click the Install ISA Server 2006 link.

3. At the Installation Wizard, click Next.

4. Read the License Agreement, select I Accept Terms In The License Agreement, and click Next.


5. In the Customer Information dialog box, enter your name, company, and license if necessary, and then click Next.

6. In the Setup Type dialog box, select the Typical radio button, then click Next.

7. In the Internal Network dialog box, click the Add button.

8. In the Addresses dialog box, click the Add Adapter button.

9. In the Select Network Adapters dialog box, check the box next to your Internal network card, and then click OK.


10. In the Addresses dialog box, click OK.

11. In the Internal Network dialog box, click Next.

12. In the Firewall Clients dialog box, accept the default and click Next. (Do not check the box to Allow non-encrypted Firewall Client Connections.)

13. Read the Services warning dialog box and then click Next.

14. In the Ready to Install the Program dialog box, click Install. (The Microsoft ISA Server 2006 Installation Wizard will start and a File Progress window will appear. Be patient; it will take several minutes to install all the components.)

15. In the Installation Wizard Finished dialog box, click Finish.

16. In the pop-up window, click OK. The Windows Internet Explorer window opens with some information on how to protect ISA. Read the page and then close the Internet Explorer window.

17. Close the Microsoft ISA Server 2006 Setup dialog box. ISA Server 2006 is now installed.

Configuring ISA Server 2006

There are five basic steps to configuring your ISA Server 2006 firewall. The ISA Server Getting Started guide provides a simple path through these processes to ensure that you can configure your ISA Server firewall with a minimum of confusion.

The five basic steps to configure an ISA Server 2006 firewall are:

1. Define your ISA Server network configuration.

2. Create Firewall Policy Rules.

3. Define how ISA Server caches web content.

4. Configure VPN access (if required).

5. Set up Monitoring on your ISA Server.

Each of these tasks has a configuration page that guides you step by step through the various wizards and configuration pages associated with the individual tasks. In the following tasks, you will explore the ISA Server Management Console and configure each of these options for your ISA Server 2006 firewall.

Understanding the ISA Server Management Console

You manage your ISA Server 2006 firewall through the ISA Server Management Console. This console has three basic areas that you can use to navigate and configure ISA Server 2006:

• Console Tree (left pane)

• Details pane (center pane)

• Tasks pane (right pane)


Figure 5-17: The ISA Server Management Console panes.

In the following task, you will explore the ISA Server Management Console and familiarize yourself with its functions and behaviors. The tool is very intuitive, but it does have a lot of moving parts, so the more time you spend getting comfortable with it, the more efficient you will become at configuring ISA Server.

TASK 5B-3: Exploring the Microsoft ISA Server 2006 Interface

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed task 3B-2.

1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.

2. Notice that the ISA Server Management console is divided into three panes:

• The left-hand pane is your Console Tree pane. This pane contains a short list of navigable containers. The containers in this pane logically group related management or configuration settings.

• The center pane is your Details pane. For each container in the Console Tree pane, the Details pane will contain information related to the configuration container selected in the Console Tree. Depending on the configuration container selected, the Details pane may have multiple tabs of information.

• The right pane is your Tasks pane. The Tasks pane contains two tabs. The Tasks tab has a list of relevant tasks that can be performed for the selected container in the Tree pane. If the configuration container selected in the Console Tree pane shows multiple tabs of information in the Details pane, the Tasks tab is contextual; that is, it will contain tasks that can be performed for any selected tab in the Details pane of a particular configuration container. In addition, the Tasks pane also contains a Help tab with context-sensitive help for the selected Details pane tab.

3. Notice that the Details pane defaults to the Welcome information. In this section, you can find links to guides on Getting Started, Securing Your ISA Server, and Internet websites with ISA Server information.

4. In the Console Tree pane, expand the container with your server name by clicking the + symbol.

5. In the Console Tree pane, expand the Configuration container by clicking the + symbol.

• You have now exposed the whole configuration container chain for a standalone ISA Server 2006 firewall. The Console Tree will contain additional items if the ISA Server is part of an ISA array in a domain.

6. In the Console Tree pane, select the WIN-R01 configuration container.

7. Notice that this places the “Getting Started” information in the Details pane. This lists the five configuration steps for ISA Server. Briefly read down the list of items in the Details pane.

8. In the Details pane, click the Define Your ISA Server Network Configuration link.

9. Notice that the selected container in the Console Tree pane changed to the Networks container.

• The three panes found in the ISA Server Management console are linked. Clicking a link in any of the panes will take you to the correct configuration container for the property you are trying to configure.

10. Explore the four tabs in the Details pane of the Networks container.


11. Notice that as you move between tabs in the Details pane, the Tasks pane changes to show contextually relevant links for each tab.

12. In the middle of the vertical divider between the Details pane and the Tasks pane, click the arrow icon. Notice that the Tasks pane collapses to create a larger viewable area for the Details pane.

13. Click the arrow icon again. The Tasks pane expands again to allow access to the tasks listed for the Details pane tab.

14. In the Console Tree pane, select the Monitoring container.

15. Notice that this container has seven tabs in the Details pane.

16. In the Details pane, select the Services tab.

17. On the Services tab, select the Microsoft Firewall item.

18. In the Tasks pane, under Services Tasks, click the Stop Selected Service link.

19. Notice that after the service stops, the Tasks link changes context from Stop to Start.

20. Restart the service after it stops by clicking the Start Selected Service link.

21. In the Details pane, after the service restarts, click the Alerts tab.

22. In the Tasks pane, click the Refresh Now link.

23. Notice that the action of starting and stopping the service generated an alert entry.

24. Click the Dashboard tab.


25. Notice that Alerts is one of the items on the Dashboard. The Dashboard gives you a quick overview of the current state of activity on your ISA Server.

26. In the Console Tree pane, select the Firewall Policy container.

27. Notice in the Details pane that one rule, the “Default Rule” of deny all traffic for all networks, exists.

ISA Server installs only this default Deny All rule during installation. To allow traffic to pass through the ISA Server, you must configure rules to permit it to pass.

28. Notice in the Tasks pane for the Firewall Policy container that there is a long list of tasks that can be performed.

29. Explore the list of tasks in the Firewall Policy Tasks section of the Tasks pane.

30. Notice that these tasks are broken down into four categories:

• Firewall Policy Tasks

• Policy Editing Tasks

• System Policy Tasks

• Related Items

Again, the Tasks pane is context sensitive to the container selected in the Console Tree pane and the tab selected in the Details pane. If you are having trouble locating a task, be sure you have selected the right container and Details tab.

31. Notice that the Tasks pane now has a third tab called Toolbox.

32. Select the Toolbox tab in the Tasks pane.

33. Notice that the Toolbox tab has five expandable sections.


34. Browse through the Toolbox tab sections. Be sure to expand and explore a few sub-containers under the various sections also.


35. Explore the remaining Console Tree pane configuration containers and their associated Details and Tasks panes.

36. After you have explored a bit, close the ISA Server 2006 Management console window.

Exporting/Importing ISA Server 2006 Configurations as XML Files

One of the features that makes ISA Server 2006 easy to manage is the ability of ISA Server to export the current configuration as an XML file. It is now simpler than ever to back up and restore your firewall configuration. To return to that configuration, you simply import the XML configuration file back into ISA Server. Exporting your “working” configuration before making any adjustments to the firewall configuration is always a good idea, especially when the firewall policy is complex with many layers of rules applied. This will ensure that you can return to the “last known good” configuration with a minimum of hassle or down time.

TASK 5B-4: Exporting the Default Configuration

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed task 3B-2.

1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.

2. In the Console Tree pane, select the container with your ISA server name.

3. On the Tasks tab, click the Export (Backup) This ISA Server Configuration link.

4. In the Export Wizard dialog box, click Next.

5. In the Export Preferences dialog box, select Export User Permissions. We have no confidential information, such as user passwords and certificates, to export, so we will leave that check box unchecked.

6. Click Next.

7. In the Save The Data To This File field, enter C:\originalcfg.xml and click Next.

8. Click Finish.

9. After the file finishes exporting, click OK.

10. Close the ISA Server 2006 Management Console.

This area of the ISA Server Management console (the Toolbox tab) is where you can create and manage all of the various items that can be used in firewall policy rule configurations. A strong familiarity with these items will greatly benefit you when you create custom firewall policy rules for your network. We will return to this area later when we create custom rules.

Right-clicking any item in a container in the Toolbox will give you a context menu listing available actions that can be taken on that object.

Be sure to cancel out of any dialog boxes you may open and discard any changes to the configuration. This is important so that your firewall will behave as expected in the remaining ISA task exercises.


We now have the ability to return to our default configuration if we accidentally misconfigure our firewall. Adding the exported ISA Server configuration XML files to your regular backups would be good configuration management practice and policy.

ISA Server 2006 Firewall Policies

ISA Server 2006 manages network access through the firewall using layered firewall policies. These firewall policies can contain a set of access rules, publishing rules, and network rules. Each type of rule in a policy controls a different form of access across the firewall. The rules contained within an ISA Server firewall policy determine how and what network traffic can access resources through the firewall.

Access Rules

In ISA Server 2006 (like most other firewalls), the access rules are built from the following building blocks:

• Rule Name

• Rule Action (Allow, Deny)

• Protocol and Port

• Traffic Source

• Traffic Destination

• User Sets

• Content Groups

The parameters specified during a rule's construction create the constraint set that the rule enforces through the firewall policy of the ISA Server on which it was created. A best practice is to evaluate, define, and document each rule before you implement it in ISA Server. This will ensure you get the expected results when applying the rule. Some firewall administrators find it helpful to diagram the rule and include the diagram with the rule documentation.

ISA Server has three basic types of rules:

• Access rules: In ISA Server, an access rule controls what network traffic from the internal network is allowed to access the external network. Access rules can apply to all traffic, to only a selected set of protocols, or to all traffic except a selected set of protocols. The same applies to source, destination, or user sets: a rule can apply to all, to only a selected subset, or to all but a selected subset.

• Publishing rules: ISA Server defines publishing rules as rules that control access requests from the external network for internal resources. This type of rule is applied to a web server that you want to provide public access to, or to an SMTP server that needs to accept inbound mail delivery. In actuality, these are simply access rules applied to inbound traffic as opposed to outbound traffic. They can apply to the full set of rule building blocks or a selected subset, just like access rules.

• Network rules: ISA Server network rules are built by defining the traffic source, traffic destination, and the network relationship (how the traffic is handled, for example, NAT or Routed). Network rules can be combined with access or publishing rules to provide granular control over the traffic that traverses the ISA Server firewall.


Processing Firewall Policies

ISA Server deals with access requests in two directions: outgoing requests and incoming requests. As ISA Server receives a request, it processes the information contained in the packet and compares it against the firewall policy that contains the configured rule set.

Outgoing Requests

The process of access control for outgoing requests looks like this:

• ISA Server first checks any defined network rules and verifies that the two networks are connected. If a common connection between the source and destination network exists, ISA Server will then process the access policy rule set. If no connection is defined in the network rules, the packet is dropped.

• ISA Server now parses the access rules in the order that they are configured. If an allow rule applies to the request, ISA Server will allow the request. The first rule that is a match for the traffic being inspected is the rule that will apply. This is why ordering is important. ISA Server checks the rule elements that make up an access rule in this order:

• Protocol

• Source address and port

• Schedule

• Destination address

• User set

• Content groups

Incoming Requests

ISA Server calls rules that control incoming requests publishing rules. These rules are designed to let you securely allow access to servers by clients on a different network. Incoming requests are controlled by the ISA Server publishing policy. The publishing policy is built from web publishing rules, server publishing rules, secure web publishing rules, and mail server publishing rules. These rules, in addition to any web chaining rules, control how incoming requests to published servers are handled.

ISA Server has several types of publishing rules that you can use to control how resources are accessed. These are:

• Web publishing rules: Used to publish web server content.

• Secure web publishing rules: Used to publish Secure Sockets Layer (SSL) content.

• Mail server publishing rules: Used to publish mail servers across ISA Server.

• Server publishing rules: Used to publish all other internal resource content.

Remember that access rules that deny traffic are processed before publishing rules that permit traffic. Your access rules must not explicitly deny any traffic that you intend to publish.

Access rules that deny traffic are processed before publishing rules that allow traffic. If a request matches a deny access rule, the request will be denied, because ISA Server will never get to the publishing rule that would have permitted the request.


TASK 5B-5: Creating a Basic Access Rule

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this task, you will work with a partner in the classroom to test your configuration of an access rule. You will need to ask your partner for his or her IP address before you begin the task.

1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.

2. In the Console Tree pane, expand the container named after your server.

3. Select the Firewall Policy container.

4. Notice in the Details pane that the only rule that exists is the default deny rule.

5. Open a command prompt.

6. Type ipconfig and then press Enter.

7. Ping your default gateway.

What was your result?

Outbound Ping Allowed from your ISA Server.

8. Ping your partner’s External IP address.

What was your result?

Your partner's ISA Server blocked the inbound Ping request on his or her external interface.

9. Minimize the command prompt.

10. In the Tasks pane, under Firewall Policy Tasks, click the Create Access Rule link.


11. In the New Access Rule Wizard dialog box, in the Access Rule Name field, enter Inbound Ping to External Interface and then click Next.

12. In the Rule Action dialog box, select the Allow option and then click Next.

13. In the Protocols dialog box, click the Add button.

14. In the Add Protocols dialog box, expand Common Protocols and select PING, click Add, and then click Close.

15. In the Protocols dialog box, click Next.


16. In the Access Rule Sources dialog box, click the Add button.

17. In the Network Entities dialog box, expand Networks, select External, and click Add. Then, click Close.

18. In the Access Rule Sources dialog box, click Next.

19. In the Access Rule Destination dialog box, click the Add button.

20. In the Network Entities dialog box, expand Network Sets, select All Protected Networks, and click Add. Then, click Close.

21. In the Access Rule Destination dialog box, click Next.

22. In the User Sets dialog box, accept the default of All Users and click Next.

23. Click Finish.

24. At the top of the Firewall Policy Details pane, click Apply.

25. In the Saving Configuration Changes dialog box, click OK.

26. Wait at this step until both partners have completed the previous steps.

27. Restore the command prompt.

28. Ping your partner’s external IP address.

What was your result?

Ping was allowed to the external interface of your partner.

29. Minimize the command prompt.

30. In the Details pane, select the Inbound Ping To External Interface rule.


31. In the Tasks pane, click the Disable Selected Rules link.

32. At the top of the Firewall Policy Details pane, click Apply.

33. In the Saving Configuration Changes dialog box, read the note below the progress bar and then click OK.

34. Wait at this step until both partners have completed the previous step.

35. Restore the command prompt.

36. Ping your partner’s external IP address.

What was your result?

Ping was allowed to the external interface of your partner even though the rule was disabled. This is because you already had an existing connection to your partner from the initial successful ping test.

Note: If you are not able to ping your partner’s IP address, enable the rule again, ping your partner, and then disable the rule.

37. Choose Start→Control Panel→Network Connections→External.

38. In the External Status dialog box, click the Disable button. This will break your existing connection to your partner.

39. Wait at this step until both partners have completed the previous step of disabling the External NIC.

40. Choose Start→Control Panel→Network Connections→External. This will enable your external connection.

41. Wait at this step until both partners have completed the previous step.

42. Restore the command prompt.


43. Ping your partner’s external IP address.

What was your result?

Ping is now blocked again by the ISA Server firewall policy.

44. In the Details pane, select the Inbound Ping To External Interface rule.

45. In the Tasks pane, click the Delete Selected Rules link.

46. In the Confirm Delete dialog box, click Yes.

47. At the top of the Firewall Policy Details pane, click Apply.

48. In the Saving Configuration Changes dialog box, click OK.

49. Close all open windows.

It is important to remember that any rules you add to the firewall policy will not take effect on any connections that are already established. This is because ISA Server 2006 is a stateful firewall and those connections are currently listed in the state tables. Stateful firewalls consult the state tables before parsing the firewall rules. If the connection is listed in the state table, it will not be checked against the rule set again until it is removed from the state table, either through a time-out or by the source terminating the connection. You can force the state table to reset for all connections by disabling and enabling the network interface that the connection is associated with.
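The four ping results of the task above, together with the processing order described under Processing Firewall Policies (network rules first, then access rules in configured order, state table consulted before any rule), can be replayed in code. The following Python model is an added illustration and not ISA Server code; it assumes the lab addresses from the table (WIN-R02 at 10.16.2.1 pinging WIN-R01 at 10.16.1.1), a Local Host network holding the server's own address, and a Route relationship between Local Host and External.

```python
# Constructed model of how ISA Server 2006 evaluates a request (not ISA's code):
# state table first, then network rules, then access rules in configured order
# with the default Deny rule last. IPs follow the lab table (WIN-R02 -> WIN-R01).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    protocol: str                  # ISA protocol element name, e.g. "PING"
    src_ip: str
    dst_ip: str
    user: str = "anonymous"

@dataclass
class NetworkRule:
    source: str
    destination: str
    relationship: str              # "Route" (both ways) or "NAT" (one way)

    def connects(self, src_net, dst_net):
        forward = (self.source, self.destination) == (src_net, dst_net)
        back = (self.destination, self.source) == (src_net, dst_net)
        return forward or (back and self.relationship == "Route")

@dataclass
class AccessRule:
    name: str
    action: str                                  # "Allow" or "Deny"
    protocols: frozenset = frozenset()           # empty = all protocols
    sources: frozenset = frozenset({"*"})        # network or network-set names
    destinations: frozenset = frozenset({"*"})
    users: frozenset = frozenset({"All Users"})
    enabled: bool = True

class IsaPolicy:
    DEFAULT_RULE = AccessRule("Default rule", "Deny")  # the only rule ISA installs

    def __init__(self, networks, network_rules):
        # networks: {name: [cidr, ...]}; any address not listed is "External".
        self.networks = {n: [ip_network(c) for c in v] for n, v in networks.items()}
        self.network_rules = network_rules
        self.access_rules = []
        self.state_table = set()               # established (protocol, src, dst)

    def locate(self, ip):
        addr = ip_address(ip)
        for name, cidrs in self.networks.items():
            if any(addr in c for c in cidrs):
                return name
        return "External"

    @staticmethod
    def _in_set(wanted, net):
        if "*" in wanted or net in wanted:
            return True
        # Built-in network set "All Protected Networks": every network but External.
        return "All Protected Networks" in wanted and net != "External"

    def _matches(self, rule, pkt, src_net, dst_net):
        # Element order from the text: protocol, source, destination, user set.
        if rule.protocols and pkt.protocol not in rule.protocols:
            return False
        if not self._in_set(rule.sources, src_net):
            return False
        if not self._in_set(rule.destinations, dst_net):
            return False
        return "All Users" in rule.users or pkt.user in rule.users

    def evaluate(self, pkt):
        key = (pkt.protocol, pkt.src_ip, pkt.dst_ip)
        if key in self.state_table:            # stateful: rules are not re-parsed
            return "Allow (state table)"
        src_net, dst_net = self.locate(pkt.src_ip), self.locate(pkt.dst_ip)
        if not any(r.connects(src_net, dst_net) for r in self.network_rules):
            return "Deny (no network rule)"
        for rule in [r for r in self.access_rules if r.enabled] + [self.DEFAULT_RULE]:
            if self._matches(rule, pkt, src_net, dst_net):   # first match wins
                if rule.action == "Allow":
                    self.state_table.add(key)
                return f"{rule.action} ({rule.name})"

    def reset_interface(self):  # disabling/enabling the NIC drops tracked connections
        self.state_table.clear()

def run_ping_exercise():
    """Replays the ping tests of Task 5B-5 (steps 8, 28, 36 and 43) on the model."""
    isa = IsaPolicy(networks={"Local Host": ["10.16.1.1/32"]},
                    network_rules=[NetworkRule("Local Host", "External", "Route")])
    partner_ping = Packet("PING", "10.16.2.1", "10.16.1.1")  # WIN-R02 -> WIN-R01
    results = [isa.evaluate(partner_ping)]                    # default policy only
    ping_rule = AccessRule("Inbound Ping to External Interface", "Allow",
                           frozenset({"PING"}), frozenset({"External"}),
                           frozenset({"All Protected Networks"}))
    isa.access_rules.append(ping_rule)
    results.append(isa.evaluate(partner_ping))                # rule applied
    ping_rule.enabled = False
    results.append(isa.evaluate(partner_ping))                # still in state table
    isa.reset_interface()
    results.append(isa.evaluate(partner_ping))                # blocked again
    return results
```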

ISA Server 2006 Access Rule Elements

There are eight basic access rule elements that are used to build ISA Server 2006 access rules when creating a firewall policy. These elements describe specific characteristics of a network traffic packet that ISA Server can inspect and use for rule comparison. The elements that ISA Server 2006 uses to create a protocol rule are:

• Name: This is used by ISA Server to display the rules contained in the Firewall Policy container in the management console. Using descriptive, easy to understand names will help you keep track of what each rule is intended to do.

• Action: This is the action ISA Server will take when the rule is triggered by a match. The two possible actions are Allow or Deny. Action elements can also be configured to log requests that match a rule or to redirect HTTP requests that match a rule to a web page.

• Protocols: This element describes the protocol and port that the rule will match.

• Network: These elements describe the device addresses or network nodes that the rule will apply to. It is used in building the following two rule elements:

• Source: This element describes where the packet is coming from.


• Destination: This element describes where the packet is going to.

• Users: This element describes the user or groups of users that the rule will apply to.

• Schedule: This element describes the days and times that the rule will be enforced.

• Content Types: This element describes the network data packet contents that the rule will be applied to.

ISA Server 2006 has a robust set of access rule elements pre-configured when it is installed. However, you can easily create additional rule elements that meet your specific requirements when the default rule elements will not address the rule you are trying to create. Since it is impossible to predict what type of traffic any given network may require, the ability to create additional rule elements gives ISA Server 2006 the flexibility to adapt to any requirements.

TASK 5B-6: Creating a Protocol Rule Element

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this exercise, you will create a custom protocol element that you could use to control network traffic for a custom network application that uses TCP port 2120 inbound across your firewall, with return client connections dynamically established across the range 49152-65535.

1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.

2. Expand the Console Tree pane and select the Firewall Policy container.

3. In the Tasks pane, select the Toolbox tab.

4. On the Toolbox tab, expand the Protocols container.

5. Explore the various default protocol elements that are defined by default.

6. On the Toolbox tab, under the Protocols container, click the New drop-down menu, and select Protocols.

7. In the New Protocol Definition Wizard dialog box, in the Protocol Definition Name field, type Custom Application Protocol and then click Next.

8. In the Primary Connection Information dialog box, click the New button.

9. In the New/Edit Protocol Connection dialog box, enter the following values and then click OK.

• Protocol type: TCP

• Direction: Inbound

• Port Range:

— From: 2120

— To: 2120

10. In the Primary Connection Information dialog box, click Next.

11. In the Secondary Connections dialog box, under Do You Want To Use Secondary Connections?, select the Yes radio button, and then click New.

12. In the New/Edit Protocol Connection dialog box, enter the following values and then click OK.

• Protocol type: TCP

• Direction: Outbound

• Port Range:

— From: 49152

— To: 65535

13. In the Secondary Connection Information dialog box, click Next.

14. In the New Protocol Definition Wizard, click Finish.

15. Notice that your new User-Defined protocol now shows in the Toolbox Protocols area.

16. At the top of the Details pane, click the Apply button.

17. In the Saving Configuration Changes dialog box, click OK.

18. Close the ISA Server 2006 Management console.


TASK 5B-7: Creating a User Rule Element

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this exercise, you will create a user element just for the Administrator account. As an example, this user element could then be used in an access rule to deny the Administrator account access to any resources on the external network.

1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.

2. Expand the Console Tree pane and select the Firewall Policy container.

3. In the Tasks pane, select the Toolbox tab and then expand the Users container.

4. Notice that ISA Server has three default user elements pre-defined.

5. At the top of the Users container, click the New link.

6. In the New User Set Wizard, in the User Set Name field, type Administrator Account and then click Next.

7. In the Users dialog box, click the Add button, and from the pop-up menu, choose Windows Users And Groups.

8. In the Select User Or Groups dialog box, click the Advanced button.

9. In the Select User Or Groups dialog box, click the Find Now button.

10. In the Search Results list, select the Administrator account and then click OK. Note: be sure you do not select the Administrators group.

11. In the Select User Or Groups dialog box, verify that the Administrator account appears and then click OK.

12. In the Users dialog box, click Next.

13. In the New Users Set dialog box, click Finish.

14. Notice that your new user set appears in the toolbox pane.


15. At the top of the Details pane, click the Apply button.

16. In the Saving Configuration Changes dialog box, click OK.

17. Close the ISA Server 2006 Management console.

Content Types

ISA Server 2006 comes preconfigured with a variety of content types by default. If your targeted content type is not already defined, it is an easy task to configure a custom content type to suit your organization’s needs.

ISA Server 2006’s deep packet inspection allows ISA Server to control traffic based not only on source, destination, protocol, and port, but also on content type. This is useful in enforcing an organization’s security policy when it forbids certain types of content for security or other reasons. For example, suppose your organization’s security policy forbids the downloading of executable .exe files from the Internet. You could create a content type for .exe files and then assign the new content type to a deny access rule to block any content that contains a .exe file.

TASK 5B-8: Creating a Content Group Rule Element

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.

1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.

2. Expand the Console Tree pane and select the Firewall Policy container.

3. In the Task pane, select the Toolbox tab.

4. In the Toolbox tab of the Task pane, expand the Content Types section.

5. Examine the pre-defined content types. Notice that .exe files are not defined.


6. Under the Content Types heading, click the New link.

7. In the New Content Type Set dialog box, in the Name field, type Exe Files.

8. In the New Content Type Set dialog box, from the Available Types drop-down list, select the .exe type and then click Add.

9. In the New Content Type Set dialog box, click OK. The new Exe Files content type appears in the Content Types list.

10. At the top of the Details pane, click Apply.

11. In the Saving Configuration Changes dialog box, click OK.


ISA Server 2006 SchedulingISA Server 2003 has the ability to create and use schedules to control when cer-tain access rules are in effect. Schedules can be used in conjunction with otheraccess rule components when creating an access rule to specify the times and/ordays that the rule is enforced.

TASK 5B-9: Creating and Modifying Schedule Rule Elements

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.

1. In ISA Server Management, expand the Console Tree pane and select the Firewall Policy container.

2. In the Task pane, select the Toolbox tab.

3. In the Toolbox tab of the Task pane, expand the Schedules section.

4. Notice that there are two pre-defined schedules: Weekends and Work Hours.

5. Select the Work hours schedule and then click the Edit link.

6. In the Work hours Properties dialog box, click the Schedule tab.

7. Notice that the schedule contains a grid comprised of 7 week days and 24 hours in one-hour increments.

8. Notice that each one-hour block of time can be set to either Active or Inactive on the schedule.

9. Click and drag your cursor from Monday 8:00 A.M. to Friday 8:00 P.M. and then click the Active radio button to extend the work hours to start at 8:00 A.M. instead of 9:00 A.M., and extend to 9 P.M. Monday through Friday.

10. Click and drag your cursor from Monday 12:00 P.M. to Friday 12:00 P.M. and then click the Inactive radio button to remove the lunch hour from the Work hours schedule.

11. Click OK to close the Work Hours Properties dialog box.

12. On the Toolbox tab, under the Schedules area, click the New link.

13. In the New schedule dialog box, in the Name field, type After hours

14. Click and drag your mouse pointer in the schedule field from Monday at 8:00 A.M. to Friday at 8:00 P.M. to cover the workday hours and then click the Inactive radio button.

15. In the New Schedule dialog box, click OK.



16. At the top of the Details pane, click Apply.

17. In the Saving Configuration Changes dialog box, click OK.

You have now modified the existing Work hours schedule and created a new schedule for After hours. These schedules can be used in rule creation to control what times a rule is enforced by ISA Server 2006. This adds a great deal of flexibility to your ability to configure and enforce firewall policies.

Using Content Types and Schedules in Rules

You have discovered that ISA Server has Content Types and Schedules that can be used in rule creation. As a practical example, these objects could be used to enforce an organization’s acceptable use policy that states that viewing video content is prohibited during normal work hours but allows video content during lunch and after hours. Using the schedule feature in ISA Server 2006 allows you to create a schedule that can be incorporated into a rule governing video content to enforce the organization’s acceptable use policy.

TASK 5B-10: Using Content Types and Schedules in Rules

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.

1. In ISA Server Management, expand the Console Tree pane and select the Firewall Policy container.

2. In the Task pane, select the Tasks tab.

3. In the Tasks pane, under Firewall Policy Tasks, click the Create Access Rule link.



4. In the New Access Rule Wizard dialog box, in the Access Rule Name field, type Enforce Video Content Policy and click Next.

5. In the Rule Action dialog box, select the Deny radio button and then click Next.

6. In the Protocols dialog box, from the This Rule Applies To drop-down list, select All Outbound Traffic and then click Next.

7. In the Access Rule Sources dialog box, click the Add button.

8. In the Network Entities dialog box, expand Network Sets, select All Protected Networks, click Add, and then click Close.

9. In the Access Rule Sources dialog box, click Next.

10. In the Access Rule Destination dialog box, click the Add button.

11. In the Network Entities dialog box, expand Network Sets, select All Networks (and Local Host), and click Add. Then, click Close.

12. In the Access Rule Destination dialog box, click Next.

13. In the User Sets dialog box, accept the default of All Users and click Next.

14. Click Finish.

15. On the Tasks tab, under Policy Editing Tasks, click the Edit Selected Rule link.



16. Notice that the rule property dialog box has tabs for each of the items we configured during rule creation (General, Action, Protocols, From, To, and Users) and it also contains two additional tabs: Schedule and Content type.

17. Click the Schedule tab, and from the Schedule drop-down list, select Work hours.

18. Click the Content Types tab and select the Selected content type radio button.

19. Scroll down in the Content Types list, select the Video Content Type, and then click OK.

20. At the top of the Firewall Policy Details pane, click Apply.

21. In the Saving Configuration Changes dialog box, click OK.

22. The ISA Server firewall will now enforce our video policy during work hours.
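The following Python model is added here as an illustration of how the rule elements from the last two tasks (the edited Work hours schedule, the Video content type, the source and destination network sets, and the Deny action) combine when ISA Server evaluates a request. It is not ISA Server code or its administration API, and it is not part of the course material. The address ranges used for All Protected Networks and All Networks, the MIME types and extensions in the Video content type, the Allow rule placed below the video rule, and the sample requests are all constructed for the example.

```python
"""Model of how an ISA Server 2006 access rule combines its rule elements.

Added example, not ISA Server code or its administration API. It models the
rule built in Task 5B-10 ("Enforce Video Content Policy": Deny, all outbound
traffic, from All Protected Networks to All Networks, All Users, schedule
"Work hours", content type Video) and evaluates it against sample requests.
The address ranges, MIME types and request records are constructed; the
Work hours grid is the one edited in Task 5B-9, not ISA's shipped default.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


class Schedule:
    """A 7-day x 24-hour grid of Active/Inactive blocks, like the schedule editor."""

    def __init__(self, name):
        self.name = name
        self.grid = [[False] * 24 for _ in DAYS]  # every block starts Inactive

    def set_block(self, first_day, last_day, start_hour, end_hour, active):
        """Mark hours [start_hour, end_hour) on first_day..last_day inclusive."""
        for d in range(DAYS.index(first_day), DAYS.index(last_day) + 1):
            for h in range(start_hour, end_hour):
                self.grid[d][h] = active
        return self

    def is_active(self, when):
        return self.grid[when.weekday()][when.hour]


@dataclass
class ContentType:
    name: str
    mime_types: set
    extensions: set

    def matches(self, mime, path):
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        return mime.lower() in self.mime_types or ext in self.extensions


@dataclass
class AccessRule:
    name: str
    action: str                 # "Allow" or "Deny"
    sources: list               # ip_network objects (From tab)
    destinations: list          # ip_network objects (To tab)
    schedule: Schedule = None   # None means Always
    content_types: list = field(default_factory=list)  # empty means all content

    def applies_to(self, req):
        src_ok = any(ip_address(req["src"]) in n for n in self.sources)
        dst_ok = any(ip_address(req["dst"]) in n for n in self.destinations)
        time_ok = self.schedule is None or self.schedule.is_active(req["when"])
        content_ok = not self.content_types or any(
            ct.matches(req["mime"], req["path"]) for ct in self.content_types)
        return src_ok and dst_ok and time_ok and content_ok


def evaluate(rules, req):
    """Rules are checked in order; the first match wins and the default rule denies."""
    for rule in rules:
        if rule.applies_to(req):
            return rule.action, rule.name
    return "Deny", "Default rule"


# Constructed policy mirroring the task. Work hours as edited in Task 5B-9:
# Monday to Friday, 8:00 A.M. to 9:00 P.M., with the 12:00 to 1:00 P.M. lunch hour removed.
work_hours = Schedule("Work hours").set_block("Mon", "Fri", 8, 21, True)
work_hours.set_block("Mon", "Fri", 12, 13, False)

VIDEO = ContentType("Video", {"video/mpeg", "video/x-msvideo"}, {"mpg", "mpeg", "avi"})
ALL_PROTECTED = [ip_network("10.0.0.0/8")]  # stands in for All Protected Networks (assumed)
ALL_NETWORKS = [ip_network("0.0.0.0/0")]    # stands in for All Networks (and Local Host)

POLICY = [
    AccessRule("Enforce Video Content Policy", "Deny", ALL_PROTECTED, ALL_NETWORKS,
               schedule=work_hours, content_types=[VIDEO]),
    AccessRule("Allow web access", "Allow", ALL_PROTECTED, ALL_NETWORKS),  # assumed rule below it
]


def decide(src, dst, path, mime, when_iso):
    """Evaluate one outbound request; when_iso is e.g. '2024-06-03 10:00'."""
    req = {"src": src, "dst": dst, "path": path, "mime": mime,
           "when": datetime.fromisoformat(when_iso)}
    return evaluate(POLICY, req)


def active_at(schedule, when_iso):
    return schedule.is_active(datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    for when in ("2024-06-03 10:00", "2024-06-03 12:30", "2024-06-08 10:00"):
        print(when, decide("10.1.2.3", "203.0.113.5", "/clip.mpg", "video/mpeg", when))
```

Running the block shows the same video request denied at 10:00 A.M. on a Monday, allowed at 12:30 P.M. because the lunch hour is Inactive in the schedule, and allowed on Saturday because the schedule does not cover weekends; a request from an address outside the protected networks matches no rule and falls through to the default deny, which is the behaviour to keep in mind whenever a rule's From or To tab is narrower than intended.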

ISA Server 2006 Network Rule Elements

You have discovered that ISA Server 2006 uses a set of elements as the building blocks for access rules. Networks are rule elements, which are made up of one or more ranges of network IP addresses or other network identifier characteristics.



ISA Server 2006 network elements include one or more computers, typically corresponding to a physical network. You can apply rules to one or more networks or to all addresses except those in the specified network. ISA Server 2006 creates network elements for the following objects:

• Networks

• Network Sets

• Computers

• Address Ranges

• Subnets

• Computer Sets

• URL Sets

• Domain Name Sets

• Web Listeners

• Server Farms

ISA Server 2006 has a set of default network elements that are pre-defined. You can use these default elements as part of an access rule definition or you can create custom network elements to meet your specific needs.

TASK 5B-11: Creating a Network Rule Element

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous task.

1. In ISA Server Management, expand the Console Tree pane and select the Firewall Policy container.

2. In the Task pane, select the Toolbox tab.

3. In the Toolbox tab of the Task pane, expand the Network Objects container.

4. Examine the pre-defined Network Objects.



5. On the Toolbox tab, at the top of the Network Objects container, click the New drop-down menu, and choose Computer from the pop-up menu.

6. In the New Computer Rule Element dialog box, enter the following values and then click OK:

• Name: [Your computer name]

• Computer IP Address: [Your computer IP address]

• Description: ISA Firewall

7. At the top of the Firewall Policy Details pane, click Apply.

8. In the Saving Configuration Changes dialog box, click OK.

We could now use this new Network Object as an element in an access rule that would only apply to the ISA Server 2006 firewall at our IP address.



ISA Server Publishing Rules

Up to this point, we have primarily been concerned with access rules and their constituent elements. Access rules in ISA Server 2006 are designed to control traffic that traverses the firewall from the unprotected network (external) to the protected network (internal). But how does ISA Server 2006 make protected resources, such as a web server, available to external access? For this external access purpose, ISA Server has publishing rules. Publishing rules apply to traffic requests for resources on the internal protected network.

Publishing rules are made up of similar elements to an access rule with one notable exception: publishing rules require a Listener element to be created. The listener element describes what interface ISA Server should be listening on for access requests to the internal resource defined in the publishing rule.

Figure 5-18: Features and benefits of ISA Server content publishing.

TASK 5B-12: Configuring a Web Publishing Rule

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this exercise, you will create an ISA Server publishing rule to allow external access to an internal website.

1. In ISA Server Management, expand the Console Tree pane and select the Firewall Policy container.

2. In the Tasks pane, select the Tasks tab.



3. On the Tasks tab, under the Firewall Policy Task section, click the Publish Web Sites link.

4. In the New Web Publishing Rule Wizard, in the Web Publishing Rule Name field, type Public Web Server and click Next.

5. In the Select Rule Action dialog box, select the Allow radio button and click Next.

6. In the Publishing Type dialog box, select the Publish A Single Web Site Or Load Balancer option and click Next.

7. On the Connection Security tab, select the Use Non-secured Connections To The Published Web Server Or Server Farm option and then click Next.

8. In the Internal Publishing Details dialog box, enter the following values:

• Internal site name: www.securitycertified.net.

• Computer name or IP address: 10.X.Y.100 (where X and Y are the second and third octets of your internal interface, the loopback adapter).

Click Next.

9. In the Internal Publishing Details dialog box, in the Path (Optional) field, type /* and click Next.

10. In the Public Name Details dialog box, in the Public Name field, type www.securitycertified.net and click Next.

11. In the Select Web Listener dialog box, click the New button.



12. In the New Web Listener Definition Wizard dialog box, in the Web Listener Name field, type Public Web Listener and click Next.

13. In the Client Connection Security dialog box, select the Do Not Require SSL Secured Connections With Clients option and click Next.

14. In the Web Listener IP Addresses dialog box, select the External Network and click Next.

15. In the Authentication Settings dialog box, from the Select How Clients Will Provide Credentials To ISA Server drop-down list, select No Authentication and click Next.

16. Read the Single Sign On Settings dialog box and then click Next.

17. In the Completing The New Web Listener Wizard, click Finish.

18. In the Select Web Listener dialog box, click Next.

19. In the Authentication Delegation dialog box, select the No Delegation, and client cannot authenticate directly option and click Next.

20. In the User Sets dialog box, accept the default of All Users and click Next.

21. In the Completing the New Web Publishing Rule Wizard dialog box, click Finish.

22. At the top of the Firewall Policy Details pane, click Apply.

23. In the Saving Configuration Changes dialog box, click OK.

24. The new publishing rule appears at the top of the Details pane.

25. In the Tasks pane, click the Toolbox tab and then expand the Network Objects container.

26. Expand the Web Listener container. (Note: you may need to refresh your screen with F5 to perform this step.)

27. The web listener created during the publishing rule creation is now listed. You may have to click another container in the Console Tree pane and then reselect the Firewall Policy container to refresh the screen.

You have now configured a Web Publishing rule that will use a web listener to listen for inbound requests from the external network for www.securitycertified.net and then forward them to the internal web server. Since only port 80 is exposed to the external network, and ISA Server is inspecting the inbound HTTP packets before passing them on to the internal web server, the security footprint of your web server is greatly enhanced.
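To make the listener and publishing rule relationship concrete, the following Python model is added here as an illustration; it is not ISA Server code and not part of the course material. It models the decision the Public Web Server rule makes for requests that arrive on the Public Web Listener: a request is forwarded only if it arrives on the external network on port 80, carries the published public name in its Host header, and falls under the published path /*. The external address range, the listener address, the internal server address (10.1.2.100 standing in for 10.X.Y.100), the unpublished host name and the sample requests are constructed for the example.

```python
"""Model of an ISA Server 2006 web publishing rule and its web listener.

Added example, not ISA Server code. It models the decision the "Public Web
Server" rule from Task 5B-12 makes for requests that reach the "Public Web
Listener" (external network, port 80, SSL not required, no authentication):
only requests for the public name www.securitycertified.net under path /*
are forwarded to the internal server; everything else is refused. The
external address range, the listener's address, the internal server address
(10.1.2.100, standing in for 10.X.Y.100) and the sample requests are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network


@dataclass
class WebListener:
    name: str
    network: object            # ip_network the listener accepts connections on
    port: int = 80
    require_ssl: bool = False  # "Do Not Require SSL Secured Connections With Clients"
    authentication: str = "No Authentication"

    def accepts(self, local_ip, local_port, tls):
        """A connection is accepted only on the listener's own network and port."""
        if ip_address(local_ip) not in self.network or local_port != self.port:
            return False
        return tls or not self.require_ssl


@dataclass
class WebPublishingRule:
    name: str
    action: str                # "Allow" or "Deny"
    listener: WebListener
    public_names: list         # Host header values this rule answers for
    internal_site_name: str    # name ISA presents to the published server
    internal_host: str         # computer name or IP address of the published server
    path: str = "/*"           # Path (Optional); /* publishes the whole site


def route(rules, request):
    """Return ('forward', rule name, upstream URL, internal site name) or ('reject', reason)."""
    for rule in rules:
        if not rule.listener.accepts(request["local_ip"], request["local_port"], request["tls"]):
            continue
        if request["host"].lower() not in [n.lower() for n in rule.public_names]:
            continue
        if not fnmatch(request["path"], rule.path):
            continue
        if rule.action != "Allow":
            return ("reject", "denied by rule " + rule.name)
        upstream = "http://" + rule.internal_host + request["path"]
        return ("forward", rule.name, upstream, rule.internal_site_name)
    return ("reject", "no publishing rule matched")


# Constructed objects mirroring the task.
EXTERNAL = ip_network("192.0.2.0/24")           # assumed External network range
PUBLIC_LISTENER = WebListener("Public Web Listener", EXTERNAL)
PUBLIC_WEB_SERVER = WebPublishingRule(
    "Public Web Server", "Allow", PUBLIC_LISTENER,
    public_names=["www.securitycertified.net"],
    internal_site_name="www.securitycertified.net",
    internal_host="10.1.2.100",                 # stands in for 10.X.Y.100
)
RULES = [PUBLIC_WEB_SERVER]


def decide_request(host, path, local_ip="192.0.2.10", local_port=80, tls=False):
    """Decide one inbound request; the defaults describe a connection to the listener's external IP."""
    request = {"host": host, "path": path, "local_ip": local_ip,
               "local_port": local_port, "tls": tls}
    return route(RULES, request)


if __name__ == "__main__":
    print(decide_request("www.securitycertified.net", "/index.htm"))
    print(decide_request("other.example", "/"))          # constructed, unpublished name
    print(decide_request("www.securitycertified.net", "/", local_port=443, tls=True))
    print(decide_request("www.securitycertified.net", "/", local_ip="10.1.2.1"))
```

The three rejected requests in the usage section show why the listener matters for the security footprint described above: a request on port 443 finds no listener because only port 80 was published, a request for a name that was never published is refused before anything is forwarded, and a request arriving on an internal interface address is outside the listener's network, so the rule never applies to it.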



ISA Server 2006 Caching

Caching is a method where frequent requests for remote resources or content are stored locally on the ISA Server. By maintaining a centralized cache of frequently requested content, both network bandwidth consumption and browser performance are enhanced. Caching is disabled by default when you install ISA Server 2006, so you will need to enable and configure caching if you want to take advantage of the performance benefits this feature offers.

ISA Server supports two types of caching: forward caching and reverse caching. Forward caching provides internal clients with improved access times to external resources, while reverse caching provides the same benefits to external clients accessing web content that has been published through ISA Server. When you create a cache rule, it applies to all requested sites, regardless of the source network.

ISA Server allows organizations to configure caching to preload entire websites into cache on a defined schedule. Scheduling cache downloads will help keep cache content up-to-date for your users and also ensure that content already cached from a web server that is offline remains available to your users.

ISA Server has a caching algorithm that allows it to make intelligent decisions about when certain content is no longer requested on a regular basis. This algorithm enables ISA Server to flush low-request content from RAM cache to disk cache so that the cache remains as efficient as possible.

ISA Server has three main configuration items for controlling caching:

• Cache Drive Settings

• Cache Drive Rules

• Content Download Jobs

TASK 5B-13: Enabling and Configuring Caching

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.

1. In ISA Server Management, expand the Console Tree pane and select the Cache container.

2. Notice that the Cache container has a red down arrow on it in the Console Tree pane, indicating that it is currently not enabled.

3. Notice that the Details pane contains three tabs corresponding to the three configuration items for caching discussed earlier.

4. Notice that the Cache Size on NTFS Drives is currently zero.

5. In the Tasks pane, under Cache Drive Tasks, click the Define Cache Drives (Enable Caching) link.

6. In the Define Cache Drives dialog box, in the Maximum Cache Size (MB) field, type 100 and then click the Set button.



7. Drive C now shows a cache size of 100. If you had multiple drive arrays on your ISA Server, each partition formatted with NTFS would show as an option in this dialog box.

8. In the Define Cache Drives dialog box, click OK.

9. At the top of the Firewall Policy Details pane, click Apply.

10. In the ISA Server Warning dialog box, select the Save The Changes And Restart The Services radio button and click OK. (This may take a moment; be patient!)

11. In the Saving Configuration Changes dialog box, click OK.

12. In the Details pane, click the Cache Rules tab.

13. Notice that two default rules have been pre-defined.

ISA Server comes with a pre-defined cache rule for the Microsoft Update site. This can help speed up automatic downloads of patches by clients or WUS servers.

14. On the Tasks tab, under the Cache Rules Tasks, click the Create A Cache Rule link.

15. In the New Cache Rule Wizard, in the Cache Rule Name field, type Security Certified Web Site and click Next.

16. In the Cache Rule Destination dialog box, click Add.

17. In the Add Network Entities dialog box, expand the Network Sets object.

18. In the Add Network Entities dialog box, select the All Protected Networks object.

19. In the Add Network Entities dialog box, click Add.

20. In the Add Network Entities dialog box, click Close.

21. In the Cache Rule Destination dialog box, click Next.

22. In the Content Retrieval dialog box, select the Only If A Valid Version Of The Object Exists In The Cache. If No Valid Version Exists, Route The Request To The Server option and then click Next.

23. In the Cache Content dialog box, check the Dynamic Content check box.



24. In the Cache Content dialog box, check the Content For Offline Browsing (302, 307 Responses) check box and click Next.

25. In the Cache Advanced Configuration dialog box, click Next.

26. In the HTTP Caching dialog box, accept the defaults and click Next.

27. In the FTP Caching dialog box, deselect the Enable FTP Caching option and then click Next.

28. In the New Cache Rule Wizard dialog box, click Finish.

29. At the top of the Details pane, click the Apply button.

30. In the Saving Configuration Changes dialog box, click OK.

31. In the Details pane, select the Content Download Jobs tab.

32. In the Tasks pane, click the Schedule A Content Download Job link.

33. Read the Enable Schedule Content Download Jobs dialog box and then click Yes. (This will configure the required options to schedule a content download job.)

34. At the top of the Details pane, click the Apply button.



35. In the Saving Configuration Changes dialog box, click OK.

36. In the Task pane, click the Schedule A Content Download Job link.

37. In the New Content Download Job Wizard dialog box, in the Content Download Job Name field, type Security Certified Web Site Download and click Next.

38. In the Download Frequency dialog box, select the Daily option and click Next.

39. In the Daily Frequency dialog box, under the Job Start Date field, set the date to start tomorrow and then click Next.

40. In the Content Download dialog box, type http://www.securitycertified.net as the URL and select the Do Not Follow Link Outside The Specified URL Domain Name option.

41. In the Content Download dialog box, select the Maximum Depth Of Links Per Page option.

42. In the Content Download dialog box, set the Maximum Depth Of Links Per Page value to 4 and click Next.

43. In the Content Caching dialog box, accept the default Cache Content and TTL settings and click Next.

44. In the Completing the Scheduled Content Download Job Wizard dialog box, click Finish.

45. Your new content download job appears in the details pane.

46. Close ISA Server 2006 Management console.
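The cache rule created in this task combines several independent choices: the content-retrieval policy (serve from cache only if a valid version exists, otherwise route the request to the server), whether dynamic content and 302/307 redirect responses are cached, and the fact that FTP caching was turned off. The following Python model is added here to show how those choices interact over a sequence of requests, including what happens when cached objects pass their TTL and when the origin server goes offline; it is not ISA Server code and not part of the course material, and it also contrasts the chosen retrieval policy with the wizard's "any version" alternatives. The simulated origin server, its responses, the FTP host name ftp.example.test, the TTL and the clock are all constructed for the example.

```python
"""Model of an ISA Server 2006 cache rule's content-retrieval decision.

Added example, not ISA Server code. It models the rule built in Task 5B-13
("Security Certified Web Site": serve from cache only if a valid version of the
object exists, otherwise route the request to the server; cache dynamic
content; cache 302/307 responses for offline browsing; FTP caching disabled)
and contrasts it with the wizard's "any version" retrieval choices. The origin
server, its responses, the FTP host name and the clock are simulated.
"""

REDIRECT_STATUSES = (302, 307)


class FakeClock:
    """Controllable clock so TTL expiry can be demonstrated without waiting."""
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class OriginServer:
    """Simulated web/FTP server; `online` lets the demo model an outage."""
    def __init__(self, responses):
        self.responses = responses   # url -> (status, body)
        self.online = True
        self.hits = 0

    def fetch(self, url):
        if not self.online:
            raise ConnectionError("origin unreachable")
        self.hits += 1
        return self.responses.get(url, (404, ""))


class CacheRule:
    # Content Retrieval choices of the New Cache Rule Wizard (the constant names are this model's)
    VALID_ONLY_ELSE_ROUTE = "valid version only, else route to server"
    ANY_ELSE_ROUTE = "any version, else route to server"
    ANY_ELSE_DROP = "any version, else drop the request"

    def __init__(self, name, retrieval, ttl, cache_dynamic, cache_redirects, cache_ftp):
        self.name = name
        self.retrieval = retrieval
        self.ttl = ttl                          # seconds an object stays valid (assumed)
        self.cache_dynamic = cache_dynamic      # "Dynamic Content" check box
        self.cache_redirects = cache_redirects  # "Content For Offline Browsing (302, 307 Responses)"
        self.cache_ftp = cache_ftp              # "Enable FTP Caching"


class IsaCache:
    def __init__(self, rule, origin, clock):
        self.rule, self.origin, self.clock = rule, origin, clock
        self.store = {}   # url -> (status, body, stored_at)

    def _valid(self, entry):
        return self.clock() - entry[2] < self.rule.ttl

    def _cacheable(self, url, status):
        if url.startswith("ftp://") and not self.rule.cache_ftp:
            return False
        if "?" in url and not self.rule.cache_dynamic:   # query string => dynamic content
            return False
        if status in REDIRECT_STATUSES and not self.rule.cache_redirects:
            return False
        return status == 200 or status in REDIRECT_STATUSES

    def get(self, url):
        """Return (status, body, source); source says where the object came from."""
        entry = self.store.get(url)
        policy = self.rule.retrieval
        if entry and (self._valid(entry) or policy != CacheRule.VALID_ONLY_ELSE_ROUTE):
            return entry[0], entry[1], "cache"
        if policy == CacheRule.ANY_ELSE_DROP:
            return None, None, "dropped"
        try:
            status, body = self.origin.fetch(url)
        except ConnectionError:
            return None, None, "origin unreachable"
        if self._cacheable(url, status):
            self.store[url] = (status, body, self.clock())
        return status, body, "origin"


def run_demo(retrieval=CacheRule.VALID_ONLY_ELSE_ROUTE):
    """Replay a constructed request sequence; returns (source per request, origin hits)."""
    site = "http://www.securitycertified.net"
    ftp = "ftp://ftp.example.test/readme.txt"          # constructed FTP host
    clock = FakeClock(1_000_000)
    origin = OriginServer({site + "/": (200, "<html>home</html>"),
                           site + "/search?q=isa": (200, "results"),
                           site + "/old": (302, "Location: /"),
                           ftp: (200, "readme")})
    rule = CacheRule("Security Certified Web Site", retrieval, ttl=3600,
                     cache_dynamic=True, cache_redirects=True, cache_ftp=False)
    cache = IsaCache(rule, origin, clock)
    sources = []
    for url in (site + "/", site + "/", site + "/search?q=isa", site + "/search?q=isa",
                site + "/old", site + "/old", ftp, ftp):
        sources.append(cache.get(url)[2])
    clock.advance(3601)                       # everything cached above has now expired
    sources.append(cache.get(site + "/")[2])
    clock.advance(3601)
    origin.online = False                     # the published site goes down
    sources.append(cache.get(site + "/")[2])
    return sources, origin.hits


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(CacheRule.ANY_ELSE_ROUTE))
```

With the task's retrieval policy, the second request for each page and for the 302 redirect is served from cache, the FTP file is fetched from the server every time because FTP caching is off, the home page is re-fetched once its TTL has passed, and the final request fails because no valid version exists and the server is unreachable. Under the "any version" policy the expired copy is served instead, which is the trade-off between freshness and availability that the Content Retrieval page of the wizard asks you to make.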



Configuring ISA Server 2006 Network Templates

Earlier in this topic, we discovered that ISA Server 2006 uses rule elements called networks to define one or more ranges of IP addresses. Networks usually correspond to a physical network. In addition to the access rule network element, ISA Server 2006 includes a new feature: network templates, which are aligned to the common firewall network topologies. These network templates can be used to configure the rule elements that ISA Server's rules-based traffic control between networks requires.

The Console Tree pane Networks container provides you with three tabs in the Details pane that allow you to configure your network elements. These configuration tabs are:

• Network Sets

• Network Rules

• Web Chaining

Currently, our ISA Server firewall is configured as a perimeter or edge firewall. If we add a third network interface to the ISA Server, we can then re-configure the network topology to include a DMZ and create a three-legged DMZ firewall topology. This type of upgrade is not uncommon in the real world. ISA Server makes it easy to re-configure through the use of pre-defined network templates.

TASK 5B-14: Install Second Microsoft Loopback Adapter and Assign an IP Address

Setup: You must be logged on to Windows 2003 Server as an administrator, have completed the previous tasks, and have access to the Windows 2003 Server installation source files.

1. Choose Start→Control Panel→Add Hardware.

2. In the Welcome dialog box, click Next.

3. Select Yes, I Have Already Connected The Hardware and click Next.

4. Scroll to the bottom of the Installed Hardware list box and select Add A New Hardware Device. Then, click Next.

5. Select the Install The Hardware That I Manually Select From A List (Advanced) option and click Next.

6. Under Common Hardware Types, select Network Adapters, and then click Next.

7. Under Manufacturer, select Microsoft.

8. Under Network Adapter, select Microsoft Loopback Adapter.

9. Click Next twice.

10. If required, click OK in the Insert Disk dialog box.



11. Enter the path to the Windows 2003 Server installation source files in the Files Needed dialog box and then click OK. (Windows Server 2003 should remember that source path from the first loopback adapter we installed earlier.)

12. Click Finish.

13. Choose Start→Control Panel→Network Connections→Local Area Connection.

14. In the Local Area Connection dialog box, click Properties.

15. In the This Connection Uses The Following Items list, select Internet Protocol (TCP/IP) and then click Properties.

16. On the General tab, select Use The Following IP Address and enter the address from the table below that corresponds to your computer name.

WIN-R01 - 192.168.16.1/24    WIN-L01 - 192.168.18.1/24
WIN-R02 - 192.168.16.2/24    WIN-L02 - 192.168.18.2/24
WIN-R03 - 192.168.16.3/24    WIN-L03 - 192.168.18.3/24
WIN-R04 - 192.168.16.4/24    WIN-L04 - 192.168.18.4/24
WIN-R05 - 192.168.16.5/24    WIN-L05 - 192.168.18.5/24
WIN-R06 - 192.168.16.7/24    WIN-L06 - 192.168.18.6/24
WIN-R07 - 192.168.16.8/24    WIN-L07 - 192.168.18.7/24
WIN-R08 - 192.168.16.8/24    WIN-L08 - 192.168.18.8/24

Note that the subnet mask is 255.255.255.0 for all these IPs.

17. Leave the DNS value blank and then click OK.

18. Click Close to close the NIC Properties.

19. Choose Start→Control Panel and right-click Network Connections. From the context menu, choose Open.

20. Right-click the Local Area Connection, and from the context menu, choose Rename.

21. Name the connection DMZ

22. Close the Network Connections window.

You have now installed a second Microsoft Loopback adapter and assigned it a unique IP address. We will be using this adapter to function as our DMZ network adapter to configure ISA Server 2006 in a three-legged DMZ.



TASK 5B-15: Configure ISA Server 2006 in a Three-legged DMZ

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. You will reconfigure your network as a three-legged DMZ topology. To accomplish this, you must first import the originalcfg.xml file to remove the web access policy listener that you configured in the publishing task.

1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.

2. In the Console Tree pane, select the [Your Server Name] container.

3. In the Tasks pane, click the Import (Restore) This ISA Server Configuration link.

4. In the Import Wizard dialog box, click Next.

5. In the Select The Import File dialog box, in the File Name field, type C:\originalcfg.xml and click Next. Alternatively, you could use the Browse button to locate the file.

6. In the Import Action dialog box, select the Overwrite (Restore) option and then click Next.

7. In the Import Preferences dialog box, check the Import User Permission Settings check box, and then click Next.

8. In the Completing The Import Wizard dialog box, click Finish.

9. Read the ISA Server warning dialog box and then click OK twice.

10. At the top of the Details pane, click the Apply button.

11. In the Saving Configuration Changes dialog box, click OK.

12. In the Console Tree pane, select the Firewall Policy container. Notice that the firewall rule sets in the Details pane are back to the defaults.

13. In the Console Tree pane, select the Networks container.

14. In the Tasks pane, expand Configuration, and select the Templates tab.



15. On the Templates tab, select the 3-Leg Perimeter template.

16. In the Welcome To The Network Template Wizard dialog box, click Next.

17. In the Export The ISA Server Configuration dialog box, click Next.

18. In the Internal Network IP Addresses dialog box, click Next.

19. In the Perimeter Network IP Addresses dialog box, click Add Adapter.

20. In the Select Network Adapters dialog box, select the DMZ network and click OK.

21. In the Perimeter Network IP Addresses dialog box, click Next.

22. In the Select A Firewall Policy dialog box, scroll down and select the Allow Limited Web Access policy. Then, click Next.

23. In the Completing The Network Template Wizard dialog box, click Finish.

24. At the top of the Details pane, click the Apply button.

25. In the Saving Configuration Changes dialog box, click OK.

26. In the Console Tree pane, select the Firewall Policy container.

27. Highlight the Web Access Only Firewall Policy.

28. Notice that there are new access rules configured based on the template options we chose in the previous steps.



Configuring ISA Server Monitoring

ISA Server 2006 has a robust set of monitoring features. By configuring alerts, reporting, performance monitoring, and logging, you can see at a glance the status and health of your ISA Server 2006 firewall. The Monitoring Details pane has the largest number of tabs associated with it of any of the ISA Console Tree pane containers. Spend plenty of time learning about each of the monitoring features and working with their configuration. The more skilled you are with this toolset, the easier it is to manage your ISA Server 2006 firewall.

These features are summarized in the following table.

Figure 5-19: ISA Server 2006 monitoring features.

The ISA Server 2006 Management console can be used to gather “at a glance” information on the status of your ISA Server. To view the real-time monitoring information, open the Management console and select the Monitoring container from the Console Tree pane. This will activate the Monitoring Details pane. On the Dashboard tab of the Monitoring Details pane, you will find visual displays of current monitoring information. The refresh rate of this display is configurable in the task pane. Each of the individual information displays can also be collapsed to make more screen room for other displays.



Figure 5-20: The Monitoring Details pane Dashboard tab.

TASK 5B-16: Working with Alerts

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this task, you will configure a custom alert for network disconnections and assign it actions to perform when the alert is triggered.

1. In ISA Server, with the Console Tree pane open, select the Monitoring container.

2. In the Details pane, select the Alerts tab.

3. In the Tasks pane, click the Configure Alert Definitions link.



4. In the Alerts Properties dialog box, scroll briefly through the list and look at the wide range of pre-configured alerts in ISA Server. Then, click Add.

5. In the New Alert Wizard dialog box, in the Alert Name field, type Network Interface Disconnected and click Next.

6. In the Events And Conditions dialog box, from the Event drop-down list, select Network Configuration Changed; from the Additional Condition drop-down list, select Network Disconnected. Click Next.

7. In the Category And Severity dialog box, from the Category drop-down list, select Network Load Balancing; from the Severity drop-down list, select Error; and then click Next.

8. In the Actions dialog box, select the Send An E-mail Message and the Report The Event To The Windows Event Log options and then click Next.



9. In the Sending E-mail Messages dialog box, enter the following values:

• SMTP server: smtp.securitycertified.net

• From: [email protected]

• To: [email protected]

Click Next.

10. In the Completing The New Alert Configuration Wizard, click Finish.

11. In the Alerts Properties dialog box, scroll down and ensure that your new Network Interface Disconnected alert is selected, then click OK.

12. At the top of the Details pane, click the Apply button.

13. In the Saving Configuration Changes dialog box, click OK.

14. You have now configured ISA Server 2006 alerts to send you an email message and log a Windows Event Viewer event whenever a network interface is disconnected. This could speed up your response time to physical problems with the ISA Server network segments.

15. Minimize your ISA Server 2006 Management console.

Alerts associated with actions such as sending an email will help you respond to critical ISA Server events in a timely fashion. Even configuring certain warning items to send an email alert can help you take proactive steps to ensure the ISA Server 2006 firewall remains in optimum condition.



TASK 5B-17: Working with Reports

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. You will configure ISA Server 2006 to create a one-time report and to create scheduled reports for monitoring baselines and security performance evaluations.

1. From the Start menu, open Windows Explorer.

2. Create the directory C:\ISA-Reports.

3. Minimize Windows Explorer.

4. Maximize your ISA Server.

5. Expand the Console Tree pane and select the Monitoring container.

6. In the Details pane, select the Reports tab.

7. On the Tasks tab, click the Generate A New Report link.

8. In the New Report Wizard dialog box, in the Report Name field, type Snapshot Report and click Next.

9. In the Report Content dialog box, accept the default of all content choices and click Next.

10. In the Report Period, leave the default start and stop date and click Next.

11. In the Report Publishing dialog box, check the Publish Reports To A Directory check box.

12. In the Report Publishing dialog box, click the Browse button.

13. In the Browse For Folder dialog box, browse to C:\ISA-Reports, select it, and click OK.

14. In the Report Publishing dialog box, check the Publish Using This Account check box and then click the Set Account button.

15. In the Set Account dialog box, click the Browse button.

16. In the Select User dialog box, in the Enter The Object Name To Select field, type Administrator and then click Check Name. Click OK.

17. In the Password and Confirm Password fields, type the Administrator password and then click OK. (Your password should be blank.)



18. In the Report Publishing dialog box, click Next.

19. In the Send E-mail Notification dialog box, leave the defaults blank, and click Next.

20. In the Completing The New Report Wizard dialog box, click Finish.

21. Restore your minimized Windows Explorer and browse to the C:\ISA-Reports directory.

22. Open the Snapshot Report [Date Range] folder and double-click the contents.htm file.

23. Right-click the Allow Blocked Content bar at the top of the browser screen and choose Allow Blocked Content. Then, click Yes.

24. On the Summary page, click the Protocols link. Scroll through the report and examine the types of items that are reported.

25. The report contains no significant data because your ISA Server has not passed a large number of packets to register monitoring statistics yet.



26. When you have finished examining the report, close your Internet Explorer windows and close Windows Explorer.

27. In the Tasks pane, click the Create And Configure Report Jobs link.

28. In the Report Jobs Properties dialog box, click Add.

29. In the New Report Job Wizard dialog box, in the Report Job Name field,enter Daily Report and click Next.

30. In the New Report Content dialog box, accept the default all content typesand click Next.

31. In the Report Job Schedule dialog box, select the Daily option and clickNext.

32. In the Reports Publishing dialog box, check the Publish Reports To ADirectory check box.

33. In the Report Publishing dialog box, click the Browse button.

34. In the Browse For Folder dialog box, browse to C:\ISA-Reports, select it,and then click OK.

35. In the Report Publishing dialog box, check the Publish Using This Accountcheck box and then click the Set Account button.

36. In the Set Account dialog box, click the Browse button.

37. In the Select User dialog box, in the Enter The Object Name To Select field,type Administrator and then click Check Name. Type Administrator (nopassword) and click OK.


38. In the Report Publishing dialog box, click Next.

39. In the Send E-Mail Notification dialog box, leave the defaults blank, and click Next.

40. In the Completing The New Report Job Wizard dialog box, click Finish.

41. In the Report Jobs Properties dialog box, select the Daily Report option and click OK.

42. At the top of the Details pane, click the Apply button.

43. In the Saving Configuration Changes dialog box, click OK.

In this task, you successfully configured ISA Server 2006 reporting options. You examined a snapshot report and created a scheduled reporting job. ISA Server reports are very comprehensive and can give you an accurate picture of what is taking place on your ISA Server firewall.

ISA Server 2006 Logging

While alerts give you real-time notification of ISA Server events, logging allows you to view events in a historical fashion. This can help you analyze the traffic patterns on your network for such purposes as policy formulation, intrusion attempt analysis, network usage analysis, and as an aid in troubleshooting ISA Server.


Figure 5-21: ISA Server 2006 logging features.

ISA Server divides logging into two logs: the Web Proxy logs, which record ISA Server traffic handled by the Web Proxy Filter; and the Firewall service logs, which record ISA Server traffic handled by the Microsoft Firewall service.

ISA Server features a variety of log storage options that enable you to track traffic that has been handled by ISA Server. The default ISA Server 2006 logging location is a local MSDE database on the ISA Server. The database file for the logs can be found in the C:\Program Files\Microsoft ISA Server\ISALogs folder and will be named ISALOG_yyyymmdd_xxx_nnn, where:

• yyyy = year

• mm = month

• dd = date

• xxx = log file type (ISA or WEB)

• nnn = order number for sequencing daily logs

Using a database for logging instead of logging to a text file gives ISA Server powerful reporting capabilities for the log information. ISA Server can redirect the log file storage location to either a SQL database or to text files. The ability to use a single SQL database server for multiple ISA servers allows you to centralize the management, auditing, and backup of the ISA logs. And of course, if you need the log files to be stored in a .txt file format for any reason, that option is available. If you choose to store the ISA Server logs on a centralized SQL server, you need to ensure that ISA Server and the SQL Server have reliable high-speed Internet connections between them. This precludes ISA from logging to SQL over a slow WAN link. Microsoft recommends that you have a minimum of 100 Mbps connection speed between ISA and SQL.

It is also worth noting that, by default, access rules are configured to report packets that match that specific rule. If you don't want logging to record actions for a specific access rule in your firewall policy, then you must disable this option on the Actions tab of the rule property sheet.


Figure 5-22: ISA Server 2006 Rule logging options are enabled by default.

TASK 5B-18: Configuring Logging Options

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. In this task, you will examine ISA Server 2003 logging options.

1. In ISA Server, expand the Console Tree pane and select the Monitoring container.

2. On the Details pane, select the Logging tab.

3. On the Tasks tab, click the Edit Filter link.

4. In the Edit Filter dialog box, under the Filter By column, select the Action filter and then click the Remove button.

5. In the Edit Filter dialog box, from the Filter By drop-down list, select Protocol.

6. In the Edit Filter dialog box, from the Condition drop-down list, select Contains.


7. In the Edit Filter dialog box, from the Value drop-down list, select NetBIOS Name Service and then click the Add To List button.

8. In the Edit Filter dialog box, click the Start Query button.

9. Notice that the Details pane now reports Fetching Results.

10. Open a command prompt and arrange your desktop so that you can see the results section of the Details pane while typing in the command prompt.

11. In the command prompt, type NET VIEW and then press Enter.


12. Wait until logging events show in the Details pane and then close the command prompt.

13. In the Task pane, click the Stop Query link.

14. In the Task pane, click the Configure Firewall Logging link.

15. The Log tab of the Firewall Logging Properties dialog box is where you would change what log file format ISA Server uses. Examine the available properties and then click the Fields tab.

16. Examine the list of logging fields that are available in ISA Server 2006.

17. Scroll down in the Fields tab and check the Network Interface check box. Then, click OK.

18. At the top of the Details pane, click the Apply button.

19. In the Saving Configuration Changes dialog box, click OK.

20. In the Task pane, click the Configure Web Proxy Logging link.

21. The Log tab of the Web Proxy Logging Properties dialog box is where you would change what log file format ISA Server uses. Examine the available properties and then click the Fields tab.

22. Examine the list of logging fields that are available in ISA Server 2006.

23. Scroll down in the Fields tab and check the Service check box, and then click OK.

24. At the top of the Details pane, click the Apply button.


25. In the Saving Configuration Changes dialog box, click OK.

26. Close the ISA Server 2006 Management console.

You have now successfully used ISA logging to review real-time events and also configured both the Firewall logging and Web Proxy logging to log additional events. One useful tip to keep in mind is that if you are using database format as your logging method, you can use Access or other front-end tools to create custom queries and reports from the ISA Server log databases.

Additional Configuration Options for ISA Server 2006

ISA Server 2006 contains many more configuration options than can be covered in the scope of this course. There are a few options, however, that are worth taking your time here to discover and examine. The three options we are going to discuss are:

• Securing the ISA Server OS with the Security Configuration Wizard

• ISA Server Packet Prioritization

• Uninstalling ISA Server 2006

ISA Server 2006 runs on top of the Windows Server 2003 operating system. In order for ISA Server to be secure, the underlying OS must also be secured. Windows Server 2003 Service Pack 1 included an attack surface reduction tool called the Security Configuration Wizard. The Security Configuration Wizard allows you to select a role for the server OS and then secure it based on the template you choose. It does this by determining the minimum functionality required in the OS, and then disables functions that are not required. The default templates included with the Security Configuration Wizard do not contain a configuration for ISA Server 2006; however, you can download an update package from the Microsoft TechNet website that will update the Security Configuration Wizard with templates for ISA Server 2006. This can greatly simplify the process of securing the underlying OS for ISA Server.

In order to use the Security Configuration Wizard (or update it), you must first install it from the Add/Remove Windows Components control panel applet. Even if you have already secured the OS before installing ISA Server, the Security Configuration Wizard can ensure that you have not overlooked anything. Also, running a scan against the ISA Server OS using MBSA (Microsoft Baseline Security Analyzer) or another vulnerability scanning tool will help ensure that ISA Server is as solid as you can make it.


TASK 5B-19: Securing ISA Server 2006 with the Security Configuration Wizard

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks. You must also have access to the Windows Server 2003 source installation files and the ISA Server 2006 Security Configuration Wizard update package (IsaScwHlpPack.EXE).

1. Choose Start→Control Panel→Add Remove Programs.

2. Click the Add/Remove Windows Components button.

3. In the Add/Remove Windows Components dialog box, scroll down and check the Security Configuration Wizard check box and then click Next.

4. If required, enter the path to the Windows Server 2003 source files.

5. Click Finish and then close the Add Remove Programs control panel applet.

6. Double-click the IsaScwHlpPack.exe located in C:\Tools\Lesson5.

7. In the ISA Server Security Configuration Wizard Update dialog box, click Yes.

8. In the ISA Server Security Configuration Wizard Update dialog box, type C:\Update for the path and then click OK.

9. Click Yes to create the C:\Update folder, and then click OK in the success dialog box.

10. Choose Start→Administrative Tools→Security Configuration Wizard.

11. In the Security Configuration Wizard dialog box, click Next.

12. Select the Create A New Security Policy radio button and click Next.

13. In the Select Server dialog box, verify the name of your server and then click Next.

14. In the Processing Security Configuration Database dialog box, click Next.

15. In the Role-Based Service Collection dialog box, click Next.

16. In the Select Server Roles dialog box, de-select all options except Microsoft Internet Security and Acceleration Server 2004 and click Next. (ISA 2004 and ISA 2006 have the same OS requirements, so the same template works for both.)

17. In the Select Client Features dialog box, de-select all options except Automatic Update Client and click Next.


18. In the Select Administration And Other Options dialog box, accept the defaults and click Next.

19. In the Select Additional Services dialog box, accept the defaults and click Next.

20. In the Handling Unspecified Services dialog box, select the Disable The Service option and click Next.

21. In the Confirm Service Changes dialog box, scroll through and review the changes that will be made and then click Next.

22. In the Network Security dialog box, ensure that the Skip This Section option is selected and then click Next. (ISA will handle our firewall requirements. We don't want to create conflicts with the built-in Windows Firewall.)

23. In the Registry Settings dialog box, leave the Skip option unselected and then click Next.

24. In the Require SMB Security Signatures dialog box, check both option boxes and then click Next.

25. In the Outbound Authentication Methods dialog box, select the Local Accounts On The Remote Computers option and then click Next.

26. In the Outbound Authentication Methods dialog box, select the Clocks That Are Synchronized With The Selected Server's Clock option and then click Next.

27. In the Inbound Authentication Methods dialog box, accept the defaults and then click Next.

28. In the Registry Settings Summary dialog box, review the changes and then click Next.

29. In the Audit Policy dialog box, ensure that the Skip option is not selected and then click Next.

30. In the System Audit Policy section, select the Audit Successful And Unsuccessful Activities radio button and then click Next.

31. In the Audit Policy Summary dialog box, read the summary and then click Next.

32. In the Save Security Policy dialog box, click Next.

33. In the Security Policy File Name dialog box, append \ISAConfiguration to the path and then click Next.

34. In the Apply Security Policy dialog box, select the Apply Now option and then click Next.

35. In the Completing The Security Configuration Wizard dialog box, click the Finish button.


You have successfully used the Security Configuration Wizard to configure the optimum security configuration settings for the Windows Server 2003 operating system that ISA Server 2006 is running on top of.

Note: This wizard only makes configuration changes. It does not apply security patches or updates. You must also make sure your OS is kept up-to-date with the latest patches.

Packet Prioritization

Not all traffic that passes through your ISA Server 2006 firewall will have the same importance. This can be a real issue for an organization with limited outbound bandwidth. For example, a brokerage firm branch office might need to access up-to-the-second information offered by a web service at the main office. This data would be considered high priority in making fast decisions when watching trading prices or other important financial data. Ensuring that requests to this web service get high priority would be beneficial to the brokerage firm. ISA Server 2006 provides packet prioritization for limited bandwidth scenarios by implementing the Differentiated Services (DiffServ) protocol. The DiffServ protocol provides a framework that enables deployment of scalable service discrimination over the Internet. DiffServ uses a marker in the IP header of each packet to assign it a priority level.

It is important to note that this is a global setting and not assigned to a specific rule. ISA Server packet prioritization is a policy setting for HTTP traffic. It will apply to all HTTP traffic traversing your ISA Server. The DiffServ web filter, built into ISA Server, will scan packets for a specific set of URLs or domain names and assign those packets a priority.

The DiffServ filter has a high priority in ISA Server because it must be aware of the size of both the request and the response. To gain this awareness, DiffServ must inspect the HTTP packets at the point where ISA Server sends or receives the traffic.

ISA Server can only add DiffServ bits to HTTP or HTTPS traffic. It does not flag any other protocols with a priority level, nor does Microsoft guarantee that ISA Server will transmit DiffServ bits on any other protocol it receives. For packet prioritization to work, the routers in the traffic transit path must support QoS (Quality of Service) functionality.

Once you enable DiffServ on ISA Server, you can then configure the URLs and/or domains you want to prioritize.

TASK 5B-20: Configuring Packet Prioritization

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.

1. Choose Start→All Programs→Microsoft ISA Server→ISA Server Management.

2. Expand the Console Tree pane, expand Configuration, and select the General container.

3. In the Details pane, under Global HTTP Policy Settings, select Specify DiffServ Preferences.


4. In the HTTP DiffServ dialog box, select the Enable Network Traffic Prioritization According To DiffServ (Quality Of Service) Bits option.

5. Click the Priorities tab and then click Add.

6. In the Add Priority dialog box, in the Priority Name field, type Branch Office Priority and then, in the DiffServ Bits field, type 010100 and click OK. (The DiffServ bits value would correspond to the value set on your routers.)

7. Click the URLs tab and then click Add.

8. On the Add URL Priority tab, in the URL field, type brokeragehouse.securitycertified.net.

9. On the Add URL Priority tab, from the Priority drop-down list, select Branch Office Priority and then click OK.

10. In the HTTP DiffServ dialog box, click the Network tab, select the External network, and then click OK.

11. In the dialog box warning you that DiffServ is currently disabled, click Yes.

12. At the top of the Details pane, click Apply.

13. In the Saving Configuration Changes dialog box, click OK.

14. Close the ISA Server 2006 Management console.

The ISA Server 2006 DiffServ filter is now enabled and configured to prioritize HTTP packets sent to the URL http://brokeragehouse.securitycertified.net.

Uninstalling ISA Server 2006

Like most Microsoft programs, ISA Server 2006 is relatively easy to uninstall. The methodology for uninstalling is similar to most programs and is accomplished through the Add/Remove Programs control panel applet. One thing to keep in mind is that in addition to removing ISA Server 2006, you may also need to change the security configuration of the underlying OS before you can use the server for a different purpose. However, as you discovered in an earlier exercise, the Security Configuration Wizard makes this process relatively painless. Just roll back the configuration that you used for ISA Server and apply the template that is appropriate for the server's new role on your network.

TASK 5B-21: Uninstalling ISA Server 2006

Setup: You must be logged on to Windows 2003 Server as an administrator and have completed the previous tasks.

1. Choose Start→All Programs→Control Panel→Add Or Remove Programs.

2. In the Currently Installed Programs list, select Microsoft ISA Server 2006 and then click Change/Remove.

3. When the Microsoft ISA Server 2006 - Installation Wizard dialog box appears, click Next.

4. In the Program Maintenance window, select the Remove radio button and then click Next.

5. In the Generated Files Removal dialog box, accept the defaults, and click Next.

6. In the Remove The Program dialog box, click Remove.

7. In the Installation Wizard Completed dialog box, click the Finish button.

8. Close the Add Or Remove Programs control panel applet.

9. Choose Start→Administrative Tools→Security Configuration Wizard.

10. In the Welcome To The Security Configuration Wizard, click Next.

11. In the Configuration Action dialog box, select the Rollback The Last Applied Security Policy option and then click Next.

12. In the Select Server dialog box, verify your server name and then click Next.

13. In the Rollback Security Configuration dialog box, click Next. (If you wish, you may view the rollback file before clicking Next.)

14. In the Completing The Security Configuration Wizard dialog box, click Finish.

15. You have successfully removed ISA Server 2006 and the security configurations from your server.

16. Choose Start→Control Panel, right-click Network Connections, and choose Open.


17. Right-click each of the loopback adapters and choose Disable.

18. Close the Network Connections window.

19. If you would like to confirm that these connections are disabled, attempt to ping them in a command prompt. You should not receive a response.

20. Close all open windows.

Topic 5C: IPTables Concepts

One of the primary benefits touted for the Open Source model of Linux is its ability to adapt and change as people come up with bright ideas. This ability has allowed security features to be created and modified as industry requirements and Internet threats evolve. Linux has the capacity to behave as a router, a NAT server, and a packet-filtering device. All these features are built into the core operating system.

Firewalling in Linux

Elementary firewalling via an application called ipfwadm was included in earlier kernel versions. With the development of kernel version 2.2, the firewall was built with IPChains. From kernel version 2.4 and up, IPChains is replaced with IPTables. One of the big differences between IPChains and IPTables is that the latter can be configured to be a stateful packet filter.

At its very essence, the way that IPTables works is extremely simple. The headers within a packet are examined against a known set of rules (also referred to as a chain), in sequence. If the packet matches a certain rule, a decision is made for that packet based on what is specified (also referred to as the target). If a match is not found, then the packet is examined against the next rule in the sequence. This continues until all the rules are exhausted. At this point, IPTables looks to the default policy in order to make a decision.

As a packet-filtering firewall, IPTables checks its rules on packets as they enter or leave an interface. Because IPTables is part of the kernel, the processing of the packets is very fast. IPTables' ability to perform NAT is referred to as masquerading.


Essentially, there are three sets of tables that are part of IPTables: Filter, NAT, and Mangle. Throughout this topic, we will mostly discuss the Filter aspect of IPTables. NAT tables are used when IP addresses need to be substituted. This typically happens when you want to hide internal hosts from the Internet. Mangle tables are used when certain fields in the headers need to be changed, such as the TTL or TOS fields.

Depending upon the table chosen, you can manipulate certain built-in chains. For example, built into the Filter table are three rule sets (chains) that cannot be deleted: Input, Forward, and Output. If you're dealing with the NAT table, you will have to deal with the Prerouting and Postrouting built-in chains.

If a packet is directed to the firewall, as it enters the computer via an interface, the Input chain is used to determine the fate of the packet. If a packet originates at the firewall, the Output chain will be checked. When the packet requires routing to another location, the Forward chain will be used.

If the packet reaches the end of one of the chains and there has been no match, whatever default policy exists is used. These default policies exist only on the default chains, and the options are typically Accept and Drop. You set the default policy for the built-in chains to one of the above, and in the absence of any other rule, the action stated by the default policy is carried out. If a match is found in a rule for a packet, then the appropriate action is carried out. The action to be taken when a match is found is also referred to as the target. The target could be Accept or Drop—or even another chain altogether.

Apart from the built-in chains, a firewall administrator can create user-defined chains. You identify such chains with a name. Unlike the built-in chains, user-defined chains do not have a default policy. If a packet reaches the end of a user-defined chain without any decision made about it, then the packet will return to the chain that was examining it previously, and start on the next rule in that chain.

Process of the Packet

As far as the network interfaces on a firewall are concerned, all packets are either inbound or outbound. Typically, a majority of packets received by an interface in a firewall are passed on to another interface to be sent onward. At such a time, the firewall has to decide how the packet is going to be passed on to the other interface. Packets might be simply routed from one interface to the other (forwarded), or certain information in the packet headers might have to be stripped, replaced with new information, and then sent onward, as with NAT (masquerade/de-masquerade).

The following set of figures (the circle represents a Linux box with three interfaces) show the basic movement of packets through a system running IPTables. First, let's look at inbound flow, in the following figure.

Note: To be able to use IPTables, the kernel must be compiled to include support for firewalling. In this course, the version of Linux used is SUSE Enterprise Server 10, which includes IPTables. If you are using a different Linux distribution, you will need to verify if IPTables has been installed. If it has not, you will have to install it.


Figure 5-23: A packet’s inbound flow.

Figure 5-24: A packet’s outbound flow.


Finally, let's look at routing and NAT flow. The following figure shows packets being routed, or forwarded.

Figure 5-25: A packet’s routing (forwarding) or NAT (masquerading/de-masquerading) flow.

Figure 5-26: The multiple decisions that have to be made about a packet by a firewall.


When a packet first enters an interface, the system verifies the checksum value. If the checksum is correct, the packet moves to the Sanity check. The Sanity check is a feature that checks for incorrectly formed packets.

After the Sanity check, the packet is moved to the Input chain. It will go through the chain, and if there is a match at any point, it follows the instructions set forth for that rule. If there is no match, then the default policy applies. If the packet's destination is the firewall itself, then the Input chain is the only chain processed. If the packet is destined for another host, the routing processes take over. This is to determine if the packet is to be forwarded to another machine or to a different local process. A local process would be one that can send and receive packets. The routing process looks to the Forward chain. The packet moves down the rules in the Forward chain, and the system checks for matches. If there is a match, the matching rule specifies where the packet should go. If the packet does not match, then the default policy of the Forward chain takes effect. The Output chain consists of rules that examine packets generated by the firewall.

The Flow of the Chains

Upon entering an interface, a packet destined for the firewall is processed by the Input chain. The packet is passed down the list, one rule at a time, until a match has been found. When there is a match, the packet follows the rule assigned to the target. The target specifies what will become of the packet, as far as that rule is concerned. For example, the target might state that the packet can be accepted, dropped, or it could be a user-defined chain. A rule in one user-defined chain can specify another user-defined chain as the target.

Figure 5-27: The Input chain accepting a packet at the third rule.

The target names are straightforward—Accept and Drop. A couple of extensions to the target are also available—Log and Reject. A small clarification is needed on the difference between Drop and Reject. As with Microsoft's ISA Server, the end result (as far as the packet is concerned) is that the packet does not get through. However, by default, when TCP/IP is communicating, there is two-way communication. When the target is set to Drop and a matching packet is found, that packet is silently dropped. When this happens, technically the function of TCP has been broken. The TCP standard states that if a connection cannot be established, an ICMP message is to be returned to the host; this is useful for troubleshooting purposes. Due to this, the second option of Reject is included. When the target is set to Reject and a matching packet is found, the packet is still dropped, but an ICMP message is sent to the host, closing the communication.

Note: The method of checking packets against the built-in chains in IPTables is very different from the method employed by IPChains.

The choice is yours to make. Reject might be the nice way to drop a packet, but from a security standpoint, Drop provides less information. Each rule must be created with a target, and because rules are numbered and sequential, it is critical that the correct order be maintained. You do not want an error in the rule order to mistakenly block a subnet or grant access where it should not be granted. If the default rules do not provide the level of control that is required, administrators can create their own chains and apply detailed rules to them.

Figure 5-28: The Input chain finds a match and targets the packet to a user chain.

Configuring chains can quickly become an involved task. For example, the Input chain receives a packet and finds a match on the fourth rule, sending the packet to a user chain. That same packet then goes through the user chain, where there might be a match sending it to a different chain, or even back to the Input chain. Remember, if a packet does not match any of the rules in a user-defined chain, it is sent back to the previous chain, where it picks up at the rule that sent it to the user-defined chain in the first place—see the following figure.


Figure 5-29: A packet being examined by first the Input chain, then a user-defined chain, and going back to the Input chain.

It is possible for an administrator to write rules that will cause the process of packet examination to loop. If this happens, the packet will be dropped.

Configuration Options

This section covers the configuration options most often used in day-to-day environments running IPTables. Not all of the options available in IPTables are covered here. For a more detailed study of IPTables, you should look around at the various sources of information available to you. To start with, the man pages for IPTables are quite extensive and worth reading. For detailed syntax issues that are not covered here, issuing the man iptables command is a good place to start. If you do not have a Linux box handy, go to www.iptables.org or www.netfilter.org and read or download articles dealing with setting up a Linux box as a firewall by using IPTables.

There are configuration options for creating, viewing, and managing chains. The first command switch is in uppercase. There are command switches for managing the individual rules as well, and these also use uppercase. Within the rules, various operations are defined by using lowercase.

The iptables Command

The basic syntax of the command is:

iptables command_switch parameters [options]

The following figure shows an example of an IPTables command.

Figure 5-30: Sample command syntax for IPTables.


Cisco gurus will quickly latch on to the syntax similarities between IPTables and Cisco Access Control Lists. Basically, you're dealing with some conditions, and if those conditions are met, then this rule says, "Accept the packet." The following figure shows several examples of usage syntax.

Figure 5-31: Examples of usage syntax for IPTables.

Chain Management

The following table lists some of the command switches for managing the chains. (Italicized words are variables.)

Figure 5-32: Chain management command switches.


Figure 5-33: Available options for IPTables.

Rule Management

The basic structure for the rule commands is the same as for the chain commands, as shown in the following table.

Figure 5-34: Example rule commands.

Rule Creation

The previous command switches are used in managing the rules, and they are in uppercase. The following table lists commands for creating the actual rules themselves.


Figure 5-35: Rule creation commands.

Figure 5-36: Configuration options for rules in IPTables.

Other Options

In the rule sets, port numbers are configured as two values: source port, or sport, and destination port, or dport. For example, if you want a rule to govern source ports 2100 through 2200, inclusive, you can use the syntax --sport 2100:2200. Notice that two hyphens are used. Similarly, if you want a rule to address destination port 31337, you can use the syntax --dport 31337.

Another very useful and important rule configuration tool is the bang (!) entry. This value, with spaces on either side, negates whatever follows it. Think of a rule as being divided into a number of fields that more or less correspond to the headers in a packet. Now, imagine that each of these fields can have certain specifications. Sometimes you might want to negate what’s specified (anything but this). This is where the ! comes in. The ! negates the values specified in that field. For example, the syntax to specify any host other than 172.16.23.44 is ! 172.16.23.44.

While discussing IP addresses in IPTables, the ability to specify any IP address is included as well. To do so, you can use 0/0.

When choosing to block ping packets, more specifically ICMP packets, be careful that you are blocking what you mean to block. Because the ICMP protocol is used for many different parts of communication, it is important that you are aware of what could happen if you blocked all ICMP traffic: host unreachable messages would not come through, source-quench messages would not come through, time-exceeded messages would not come through, and so forth. You need to specify the part of ICMP you want to work with, just as you specify ports for TCP. The syntax is --icmp-type typename, where typename is one of the following:

• Destination-unreachable

• Source-quench

• Time-exceeded

• Parameter-problem

• Echo-request

• Echo-reply

There are several other switches that can be used; again, check the man pages for a comprehensive list. One more that is worth mentioning is the -l option. This option turns on kernel logging of the packets that match the rule. It is possible to create a rule and use the logging feature, but have no target for the packet. This is done for tracking purposes, such as to track the number of packets that are for a particular service on a given host.

To save your IPTables configuration, use the command iptables-save filename to save the current configuration to the defined file. To restore this configuration, use the command iptables-restore filename.

Rule Examples

So that the syntax can make a bit more sense, we will look at some rule examples in their syntax form, and discuss the result of each rule. By the time you reach the end of this section, you should have a solid grasp of the IPTables syntax.

Modifying a Default Chain

A simple start to working with the syntax is to modify the behavior of a default chain. As you remember, there are only three default chains: Input, Output, and Forward. In this example, we will modify the setting of the default Input chain to change the default setting to Drop. This is a common modification of the chain, and is a requirement for a secure system. You do not want to keep the default of Accept on the Input chain. The syntax to accomplish this is:

iptables -P INPUT DROP

For this chain:

• -P sets the default policy of a specified chain.

• INPUT is the chain that is getting modified.

• DROP is the target.

Therefore, the default policy of the Input chain is now set to Drop all packets. If this is the only configuration of the Input chain, then all packets trying to reach the firewall will be dropped! You must create rules where the targets are other than Drop if you want communications to take place at all.


The end result of this modification is that when a packet reaches the end of the Input chain, it will be discarded. Because the default setting of Accept can present a security risk, changing the setting to Drop is a good idea from a security perspective.

Creating a Chain

If you need to create a new chain, the syntax is:

iptables -N chainname

For this chain:

• -N indicates that this is a new chain.

• chainname is the name of the new chain.

Deleting a Chain

To delete a chain, use the syntax:

iptables -X chainname

For this chain:

• -X indicates that you want to delete a chain.

• chainname is the name of the chain that you want to delete.

A chain cannot have any rules in it prior to deletion. If rules exist, you can use the Flush command.

Flushing a Chain

If you need to delete a chain, and there are still rules in the chain, you can first flush the chain. Because flushing removes all rules from a chain, be careful that you do not perform something unexpected. Plan carefully when deleting chains, particularly on a production machine. To flush a chain, use the syntax:

iptables -F chainname

For this chain:

• -F indicates that you want to flush all rules.

• chainname is the name of the chain that you want to flush.

Checking for Connections

If you want to be sure that inbound packets are not trying to establish connections, you can check the SYN flag. This flag alone would only be set on the initial transmission of the three-way handshake. Checking for this flag is a good way to keep inbound connections from passing through the rule sets, while leaving the same port open for return communication. To check for connections, use the syntax:

iptables -A chainname -p TCP -s 10.0.10.10 --syn -j DROP


For this chain:

• -A indicates that you want to append a rule to a chain.

• chainname is the name of the chain that you want to add the new rule to.

• -p indicates that you want to check a protocol.

• TCP defines the protocol that you want to check.

• -s indicates that you want to check a source address.

• 10.0.10.10 is the source IP address that you want to check.

• --syn indicates that you want to check the SYN flag.

• -j indicates that you want to define a target for matches.

• DROP defines the target.

The meaning of this rule is: A packet coming from 10.0.10.10 that is trying to initiate a connection is to be dropped.

Negating Values

Here is an example of syntax that negates a value:

iptables -A OUTPUT -p TCP -d ! 172.16.35.40 --dport 80 -j ACCEPT

For this chain:

• -A OUTPUT specifies that you want to append a rule to the OUTPUT chain.

• -p TCP indicates that you want to check the TCP protocol.

• -d 172.16.35.40 specifies the destination that you want to check. However, because there is a ! before the destination, the rule is stating any destination other than the specified address.

• --dport 80 indicates that you want to check for WWW packets.

• -j ACCEPT defines the target as Accept.

In essence, this rule states that all TCP packets can get to the WWW service on any computer—except for 172.16.35.40.

The final example of negating that we will look at also introduces the lo option, which is used to define the loopback adapter. Here is the command:

iptables -A INPUT -i ! lo -j DROP

For this chain:

• -A INPUT indicates that you want to modify the default INPUT chain by appending a rule.

• -i indicates that you want to check an incoming interface, and lo defines the incoming interface that you want to check. The ! negates the definition.

• -j DROP defines the target as Drop.

In essence, this rule states that all incoming traffic will be denied—except for traffic on the loopback interface.


Defining a Target

To define a target, use the following syntax:

iptables -A INPUT -s 10.0.10.100 -j DROP

For this chain:

• -A INPUT indicates that you want to modify the default INPUT chain by appending a rule.

• -s 10.0.10.100 defines the IP address to match.

• -j DROP defines the target as Drop.

The meaning of this rule is: All packets that are from the address 10.0.10.100 are to be denied.

Here is another example of defining a target that also includes a port number:

iptables -A INPUT -p TCP -d 0/0 --dport 12345 -j DROP

The meaning of this rule is: All packets that are destined for any IP address and to port 12345 are to be denied.

Complex Rules

The different parts of the rules discussed herein can be combined to create overall rules as needed. Here are some examples of more complex rules:

iptables -A OUTPUT -p TCP -s 10.0.10.0/24 -d 0/0 --dport 80 -j ACCEPT

This rule for the OUTPUT chain states that any TCP traffic from the 10.0.10.0 network and destined for any IP address on port 80 is to be accepted.

iptables -A INPUT -p TCP -s 0.0.0.0/0 -d 10.0.10.0/24 --dport 31337 -j DROP

This rule for the INPUT chain states that any TCP traffic from any IP address destined for the 10.0.10.0 network on port 31337 is to be denied.

iptables -A INPUT -p TCP -s 0.0.0.0/0 -d 10.0.10.0/24 --dport 5000:10000 -j DROP

Similar to the previous command, the only syntax difference here is in the port numbers defined. In this rule, all ports from 5000 to 10000 are to be denied.

Configuring Masquerading

Linux does have the ability to perform IP Masquerading, which is a form of NAT. It is not difficult to implement, and the syntax is:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE


For this command:

• -t nat indicates that you want to configure the NAT table.

• -A POSTROUTING indicates that you want to append a rule after routing decisions are made.

• -o ppp0 indicates the outgoing interface that should be used; in this case, the PPP dialup link.

• -j MASQUERADE defines the target; in this case, that the source IP address in the IP header should be masked by the IP address of ppp0.

Case Study

This section involves review of a case study of IPTables in a working environment. In this example, there is a single computer running as the firewall with two Ethernet interfaces. The Ethernet 0 interface (172.168.25.40) goes to the Internet, and the Ethernet 1 interface goes to the internal network. A diagram of the network is shown in the following figure.

Figure 5-37: An example network for firewall implementation.

First, we need to define the overall goals of the firewall. This should be done during the creation of the security policy, and specifically during the creation of the firewall policy.


Firewall Goals

The intended goals of this firewall are:

• We have decided to allow ICMP pings (echo requests and echo replies) through the firewall.

• We will allow our external clients access to the email server.

• Internal clients cannot use email servers on the Internet.

• We will allow external clients to reach our web server.

• We will block attempts to spoof internal addresses.

Configuration

First, we will configure the default policies to deny all traffic:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Next, we will configure user-defined chains. This is done to make the chains easier to work with. For these user-defined chains, us is internal, and them is external:

iptables -N us-them
iptables -N them-us

Next, we will create the jumps for the different networks:

iptables -A INPUT -s 10.0.20.0/24 -d ! 10.0.20.0/24 -j us-them
iptables -A INPUT -s ! 10.0.20.0/24 -d 10.0.20.0/24 -j them-us

In the first line, if the source is us and the destination is not us (that is, them), then the target is the user chain us-them. In the second line, if the source is not us (them), and the destination is us, then the target is the user chain them-us.

Next, we will configure the internal (us) to external (them) chain. We start by defining the general rules:

• Allow internal machines WWW access to the outside.

• Allow internal machines to be able to ping hosts on the outside.

• Disallow all other outgoing traffic.

Once we know our general rules, we can configure the chain:

iptables -A us-them -p TCP -d 0/0 --dport 80 -j ACCEPT
iptables -A us-them -p ICMP -d 0/0 -j ACCEPT

Next, we will configure the external (them) to internal (us) chain. Again, we will define the general rules first:

• Allow hosts on the outside WWW access to the Web server.

• Allow hosts on the outside to access the email server.

• Allow ping.

• Block internal address spoofing.

• Disallow all other incoming traffic.

Once we know our general rules, we can configure the chain:

iptables -A them-us -p TCP -d 10.0.20.22 --dport 25 -j ACCEPT
iptables -A them-us -p TCP -d 10.0.20.22 --dport 110 -j ACCEPT
iptables -A them-us -p TCP -d 10.0.20.21 --dport 80 -j ACCEPT
iptables -A them-us -p ICMP -d 10.0.20.0/24 -j ACCEPT
iptables -A them-us -s 10.0.20.0/24 -j DROP

Note: This is for you to manage a simple network resource; in your production environment, you would likely not allow ICMP through the firewall.

Case Study Summary

After reviewing this case study, you should be able to identify the steps of creating a basic firewall by using IPTables. To summarize:

1. The overall goals and policies of the firewall were identified.

2. The default policies were changed to be very restrictive.

3. New chains were created for ease of management.

4. The INPUT policy was configured to jump to the new user chains.

5. The user-defined chains were configured to conform to the determined settings.

6. The chains were verified with the -L switch.

This study was designed to be a simple example of one possible implementation. Other options that could be added include:

• Adding full anti-spoofing, thus blocking any packet from outside that has an address of inside.

• Opening ports for return communication on the high ports.

• Adding checks for the SYN option.

• Defining IP Masquerading.

As you can see, there are always options in firewall design. Chances are good that while the end result may be the same, no two people will configure the firewall in the exact same fashion every time. Rules may be in different orders, for example (as long as they filter properly, of course). Or, perhaps someone is filtering everything on the INPUT chain and not making smaller chains. The flexibility is yours to use as you see fit.


TASK 5C-1
Working with Chain Management

Objective: To review a sample chain, and determine the effect it will have on traffic.

Setup: The following is an example chain. Review it and identify what has been implemented. Using the space provided, diagram this network and answer the questions that follow.

1. Examine the following chain:

INPUT DROP
FORWARD ACCEPT
OUTPUT ACCEPT
iptables -A INPUT -p 6 -s 0.0.0.0/0 -d 192.20.0.1/32 --dport 23:23 -j ACCEPT
iptables -A INPUT -p 6 -s 0.0.0.0/0 -d 10.168.0.3/32 --dport 80:80 -j ACCEPT
iptables -A INPUT -s 10.168.0.0/24 -d 0/0 -i eth0 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -d 0/0 -i eth0 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -d 0/0 -i eth1 -j DROP
iptables -A INPUT -s ! 10.168.0.0/24 -d 0/0 -i eth1 -j DROP
iptables -A INPUT -p 6 -s 0/0 -d 192.20.0.1/32 ! --dport 23:23 --syn -j DROP
iptables -A INPUT -p 6 -s 0/0 -d 192.20.0.1/32 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A INPUT -p 17 -s 0/0 -d 192.20.0.1/32 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p 6 -s 0/0 -d 10.168.0.0/24 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p 17 -s 0/0 -d 10.168.0.0/24 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p 1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -s 10.168.0.0/24 -d ! 192.20.0.1/32 -j ACCEPT

2. Diagram the network here or on another sheet. Assume the Class C address 192.20.0.1 is an external address.

What effect does this set of rules have on the network?

Telnet and web traffic are allowed to defined hosts. Anti-IP-spoofing rules are in place. High-level ports are allowed for the return of web traffic.

What services, if any, are running on the internal network?

At least web and Telnet services.

What are the internal clients allowed to access externally?

Web and Telnet services.

Is IP spoofing prevention in place?

Yes.

If an internal client ran a server, would external clients be able to access it? Why or why not?

They could not, since the ports required to be outgoing for a server are not open.


Topic 5D
Implementing Firewall Technologies

In the previous topics, you were introduced to the concepts and configuration of FireWall-1, ISA Server 2006, and IPTables. In this topic, you will put that knowledge to use.

Scenario

The following conceptualization will be used for configuring the firewall for this scenario. Review the network diagram and the required rules, and then proceed.

Figure 5-38: The conceptual network.

In this activity, you will be creating the configuration first for the internal firewall and then for the external firewall.

Firewall Rules

The following figure represents the policies that have been decided upon for the internal firewall.

Figure 5-39: Internal firewall rules.

The following figure represents the policies that have been decided upon for the external firewall.


Figure 5-40: External firewall rules.

Configuring the Internal Firewall

The IP addresses that will be used for this are listed in the following table.

Use                      IP Address        Subnet Mask
Internal Subnet          172.16.10.0       255.255.255.0
Security Host            172.16.10.10      255.255.255.0
Internal Web Server      172.16.100.100    255.255.0.0
Internal Firewall int 1  172.16.100.1      255.255.0.0
Internal Firewall int 2  192.168.10.1      255.255.255.0
DMZ Email Server         192.168.10.100    255.255.255.0
DMZ Web Server           192.168.10.101    255.255.255.0
External Firewall int 3  192.168.10.2      255.255.255.0
External Firewall int 4  10.10.10.10       255.255.0.0

First of all, you need to plan the chains and rules that you will use. Decide if you will create new chains, or use the default chains. Record, on paper, the chains and/or rule sets, and determine if they are correct before you begin implementation. You should always plan the whole process first. Here are some general steps to guide you in this first activity.

1. Decide if you will modify the default policies, and write down what you would modify them to.

2. Decide if you want to create new rules/chains for management, and write them down.

3. In Linux, if you created new chains, define the jumps to these chains.

4. Define the general goals of the firewall.

5. Write down the rules you will configure.

6. Describe how you will verify that the rules and chains are correct.

Once you have your plan written down, it is time for configuration. Using the above steps as your general guidelines, go ahead and configure the firewall to meet the goals you outlined. Remember, there may be several ways to accomplish the overall goals, so no one way is to be considered correct over another. If the goals are met efficiently, then the rules and chains are correct for that scenario.


Suggested Solutions

The following are suggested solutions to the scenario for IPTables. Feel free to compare your results to the suggested results. Again, even though they may be different, as long as the goals are met, the rules and chains are a success.

Configure the default policies to be more restrictive, by using the DROP target:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Create new chains to make configuration easier:

iptables -N in-dmz
iptables -N dmz-in
iptables -N net-in

Configure the jumps to the new chains:

iptables -A INPUT -s 172.16.0.0/16 -d ! 172.16.0.0/16 -j in-dmz
iptables -A INPUT -s 192.168.10.0/24 -d 172.16.0.0/16 -j dmz-in
iptables -A INPUT -s 0/0 -d 172.16.0.0/16 -j net-in

Define the overall goals. In this scenario, you are dealing with the packets that are moving between the internal network and the DMZ, the DMZ and the internal network, and the Internet and the internal network. Identify what traffic is allowed in different directions.

From the guidelines given, we can identify the following:

• The internal network can access the WWW server on the DMZ and the Internet.

• The DMZ and Internet cannot access WWW on the internal network.

• The internal network can access the email server on the DMZ, but not on the Internet.

• The DMZ and Internet cannot access email on the internal network.

• The Security Host can Telnet to the DMZ and the Internet.

• The DMZ and Internet cannot telnet to the internal network.

• The defined internal subnet can FTP to the DMZ and the Internet.

• The DMZ and Internet cannot FTP to the internal network.

• Ping is allowed in both directions.

• Configure the rules.

Based on the guidelines, the following configuration is one suggestion for solving this scenario. Configure one chain at a time:

iptables -A in-dmz -p TCP -d 192.168.10.101 --dport www -j ACCEPT
iptables -A in-dmz -p TCP -d 192.168.10.100 --dport smtp -j ACCEPT
iptables -A in-dmz -p TCP -d 192.168.10.100 --dport pop3 -j ACCEPT
iptables -A in-dmz -p TCP -s 172.16.10.10/32 -d 0/0 --dport telnet -j ACCEPT
iptables -A in-dmz -p TCP -s 172.16.10.0/24 -d 192.168.10.0/24 --dport 20:21 -j ACCEPT
iptables -A in-dmz -p TCP -d 0/0 --dport www -j ACCEPT
iptables -A in-dmz -p ICMP -d 0/0 -j ACCEPT
iptables -A in-dmz -p 6 -d 0/0 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A in-dmz -p 17 -d 0/0 --dport 1024:65535 -j ACCEPT
iptables -A dmz-in -p ICMP -d 172.16.0.0/16 -j ACCEPT
iptables -A dmz-in -p TCP -d 172.16.0.0/16 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A dmz-in -p UDP -d 172.16.0.0/16 --dport 1024:65535 -j ACCEPT
iptables -A net-in -p 1 -d 172.16.0.0/16 -j ACCEPT
iptables -A net-in -p 6 -d 172.16.0.0/16 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A net-in -p 17 -d 172.16.0.0/16 --dport 1024:65535 -j ACCEPT

As was stated before, this isn’t the only possible solution. Compare the solutions you came up with to this one and to the others in the class. Discuss with each other the different points in each solution.

Configuring the External Firewall

After you have configured your firewall to simulate the first scenario, you are ready to move on to the second scenario. The premise is the same, and the network layout is the same. The only difference is that this time you are configuring the rules on the external firewall.

Before we can proceed to configure the rules, we need to remove the chains that are currently in place. Again, there are different ways to accomplish this, but here is a suggestion:

1. Flush all rules from all the chains you have created, by using the iptables -F chainname command.

2. Delete the chains after the rules have been flushed, by using the iptables -X chainname command.

3. Modify the default policies back to Accept, so that the system is back to the state it was in when you began this topic (as if no rules or modifications had taken place at all). Use the iptables -P chain ACCEPT command.

The IP addresses that will be used for this are listed in the following table.

Use                      IP Address        Subnet Mask
Internal Subnet          172.16.10.0       255.255.255.0
Security Host            172.16.10.10      255.255.255.0
Internal Web Server      172.16.100.100    255.255.0.0
Internal Firewall int 1  172.16.100.1      255.255.0.0
Internal Firewall int 2  192.168.10.1      255.255.255.0
DMZ Email Server         192.168.10.100    255.255.255.0
DMZ Web Server           192.168.10.101    255.255.255.0
External Firewall int 3  192.168.10.2      255.255.255.0
External Firewall int 4  10.10.10.10       255.255.0.0


First of all, you need to plan the chains and rules that you will use. Decide if you will create new chains, or use the default chains. Record, on paper, the chains and/or rule sets, and determine if they are correct before you begin implementation. You should always plan the whole process first. Here are some general steps to guide you in this activity:

• Decide if you will modify the default policies, and write down what you would modify them to.

• Decide if you want to create new rules/chains for management, and write them down.

• In Linux, if you created new chains, define the jumps to these chains.

• Define the general goals of the firewall.

• Write down the rules you will configure.

• Describe how you will verify that the rules and chains are correct.

Once you have your plan written down, it is time for configuration. Using the above steps as your general guidelines, go ahead and configure the firewall to meet the goals you outlined. Remember, there may be several ways to accomplish the overall goals, so no one way is to be considered correct over another. If the goals are met efficiently, then the rules and chains are correct for that scenario.

Suggested Solutions

The following are suggested solutions to the scenario for IPTables. Feel free to compare your results to the suggested results. Again, even though they may be different, as long as the goals are met, the rules and chains are a success.

Configure the default policies to be more restrictive, by using the DROP target:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Create new chains to make configuration easier:

iptables -N in-net
iptables -N dmz-net
iptables -N net-dmz
iptables -N net-in

Configure the jumps to the new chains, and configure IP spoofing rules:

iptables -A INPUT -s 172.16.0.0/16 -d 0/0 -i eth1 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -d 0/0 -i eth1 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -d 0/0 -i eth1 -j DROP
iptables -A INPUT -s 172.16.0.0/16 -d ! 172.16.0.0/16 -j in-net
iptables -A INPUT -s 192.168.10.0/24 -d ! 192.168.10.0/24 -j dmz-net
iptables -A INPUT -s 0/0 -d 192.168.10.0/24 -j net-dmz
iptables -A INPUT -s 0/0 -d 172.16.0.0/16 -j net-in

Define the overall goals. In this scenario, you are dealing with the packets that are moving between the Internet, the internal network, and the DMZ. Identify what traffic is allowed in different directions.


From the guidelines given, we can identify the following:

• The internal network can access the WWW service on the Internet.

• The internal network cannot access email on the Internet.

• The internal subnet can access FTP on the Internet.

• The Security Host can access Telnet on the Internet.

• The internal network can ping the Internet.

• The DMZ can ping the Internet.

• The Internet can access the WWW server on the DMZ.

• The Internet can access the email server on the DMZ.

• The Internet cannot ping the DMZ.

• The Internet cannot ping the internal network.

• Configure the rules.

Based on the above guidelines, the following configuration is one suggestion for solving this scenario. Configure one chain at a time:

iptables -A in-net -p TCP -d 0/0 --dport www -j ACCEPT
iptables -A in-net -p TCP -s 172.16.10.0/24 -d 0/0 --dport 20:21 -j ACCEPT
iptables -A in-net -p TCP -s 172.16.10.10/32 -d 0/0 --dport telnet -j ACCEPT
iptables -A in-net -p ICMP -d 0/0 -j ACCEPT
iptables -A in-net -p TCP -d 0/0 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A in-net -p UDP -d 0/0 --dport 1024:65535 -j ACCEPT
iptables -A dmz-net -p ICMP -d 0/0 -j ACCEPT
iptables -A dmz-net -p TCP -d 0/0 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A dmz-net -p UDP -d 0/0 --dport 1024:65535 -j ACCEPT
iptables -A net-dmz -p TCP -d 192.168.10.100 --dport pop3 -j ACCEPT

As was stated before, this isn’t the only possible solution. Compare the solutions you came up with to this one and to the others in the class. Discuss with each other the different points in each solution.
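The chain traversal that the Rule Examples, the case study, and the two Topic 5D solutions all rely on (first matching rule wins, a user chain that falls through returns to the built-in chain, and the -P policy decides what nothing matched), as an added example that is not part of the course and is a simulation, not netfilter: a small Python evaluator that loads the case study's rule set and reports the INPUT verdict for a few constructed packets. The outside addresses used in the samples (198.51.100.7, 203.0.113.9) are documentation addresses chosen here, and a Topic 5D solution loads the same way once each command is on its own line.

```python
"""Added illustration (not course or netfilter code): a toy evaluator for the iptables subset
this lesson uses; first matching rule wins, user chains return on fall-through, built-ins apply -P."""
import ipaddress
import shlex

PROTO = {"tcp": 6, "udp": 17, "icmp": 1}      # -p accepts names or protocol numbers

def _parse_rule(args):   # '!' may precede the option (! --syn) or the value (-d ! addr)
    rule, i = {"neg": set()}, 0
    while i < len(args):
        neg = "!" in args[i:i + 2]
        opt = args[i + 1] if args[i] == "!" else args[i]
        i += 1 + neg
        if neg:
            rule["neg"].add(opt)
        if opt == "--syn":                     # flag option, takes no value
            rule[opt] = True
            continue
        val, i = args[i], i + 1
        if opt in ("-s", "-d"):                # 0/0 is the lesson's "any address"
            rule[opt] = ipaddress.ip_network("0.0.0.0/0" if val == "0/0" else val, strict=False)
        elif opt == "-p":
            rule[opt] = PROTO.get(val.lower()) or int(val)
        elif opt == "--dport":                 # single port or lo:hi range
            lo, _, hi = val.partition(":")
            rule[opt] = (int(lo), int(hi or lo))
        elif opt in ("-i", "-j"):
            rule[opt] = val
        else:
            raise ValueError("unsupported option " + opt)   # never ignore a match silently
    return rule

def _matches(rule, pkt):   # pkt keys: src, dst, proto; optional iface, dport, syn
    checks = {
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in v,
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in v,
        "-p": lambda v: pkt["proto"] == v,
        "-i": lambda v: pkt.get("iface") == v,
        "--dport": lambda v: v[0] <= pkt.get("dport", -1) <= v[1],
        "--syn": lambda v: bool(pkt.get("syn")),
    }
    # every plain option must match and every negated option must not
    return all(test(rule[o]) != (o in rule["neg"]) for o, test in checks.items() if o in rule)

class Firewall:
    def __init__(self):
        self.policy = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}
        self.chains = {c: [] for c in self.policy}

    def load(self, script):   # one iptables command per line; only -P, -N and -A
        for line in script.strip().splitlines():
            cmd, switch, chain, *rest = shlex.split(line)
            assert cmd == "iptables" and switch in ("-P", "-N", "-A"), line
            if switch == "-P":
                self.policy[chain] = rest[0]
            elif switch == "-N":
                self.chains[chain] = []
            else:
                self.chains[chain].append(_parse_rule(rest))

    def verdict(self, chain, pkt):   # ACCEPT/DROP, or None when a user chain falls through
        for rule in self.chains[chain]:
            if _matches(rule, pkt):
                target = rule["-j"]
                if target not in ("ACCEPT", "DROP"):      # jump into a user-defined chain
                    target = self.verdict(target, pkt)    # None if that chain fell through
                if target is not None:
                    return target
        return self.policy.get(chain)

CASE_STUDY = """
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -N us-them
iptables -N them-us
iptables -A INPUT -s 10.0.20.0/24 -d ! 10.0.20.0/24 -j us-them
iptables -A INPUT -s ! 10.0.20.0/24 -d 10.0.20.0/24 -j them-us
iptables -A us-them -p TCP -d 0/0 --dport 80 -j ACCEPT
iptables -A us-them -p ICMP -d 0/0 -j ACCEPT
iptables -A them-us -p TCP -d 10.0.20.22 --dport 25 -j ACCEPT
iptables -A them-us -p TCP -d 10.0.20.22 --dport 110 -j ACCEPT
iptables -A them-us -p TCP -d 10.0.20.21 --dport 80 -j ACCEPT
iptables -A them-us -p ICMP -d 10.0.20.0/24 -j ACCEPT
iptables -A them-us -s 10.0.20.0/24 -j DROP
"""   # the lesson's case-study rule set, one command per line

SAMPLES = {   # constructed packets; outside hosts use documentation addresses
    "internal host browses an outside web server": dict(src="10.0.20.5", dst="203.0.113.9", proto=6, dport=80, syn=True),
    "outside host delivers mail to 10.0.20.22": dict(src="198.51.100.7", dst="10.0.20.22", proto=6, dport=25, syn=True),
    "outside host tries telnet to 10.0.20.22": dict(src="198.51.100.7", dst="10.0.20.22", proto=6, dport=23, syn=True),
    "outside host pings the web server": dict(src="198.51.100.7", dst="10.0.20.21", proto=1),
    "outside packet forging an internal source": dict(src="10.0.20.9", dst="10.0.20.22", proto=6, dport=25, syn=True),
}

def run_case_study():   # INPUT-chain verdict for every sample packet
    fw = Firewall()
    fw.load(CASE_STUDY)
    return {name: fw.verdict("INPUT", pkt) for name, pkt in SAMPLES.items()}
```

Calling run_case_study() gives ACCEPT for the web, mail and ping samples and DROP for the telnet attempt and the forged-source packet; note that the forged packet is stopped by the INPUT policy rather than by the last them-us rule, because neither jump matches a packet whose source and destination are both inside, which is the kind of ordering question this check answers before a rule set goes on a production machine.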

Summary

In this lesson, you worked with standard firewall implementation practices. You learned that vendors implement their firewall products slightly differently from each other, but that they do follow some standard implementation practices in most situations. You worked with two industry leaders in firewall systems: Microsoft’s ISA Server 2006, and Linux’s embedded firewall, IPTables.


Lesson Review

5A What is a network firewall?

A firewall can be described as a security mechanism that places limitation controls on all inbound and outbound network communications between individual systems or entire networks of systems by permitting, denying, or acting as a proxy for all data connections.

What is a firewall’s primary responsibility?

Controlling access requests across differing “zones of trust.”

Name six basic building blocks or “elements” of firewall access rules.

Source Address, Destination Address, Protocol, Source Port, Destination Port, and Service.

What layers of the OSI model do firewalls operate on?

Data Link, Network, Transport, Session, and Application Layers (2, 3, 4, and 7).

What does it mean when a firewall is stateful?

The firewall keeps track of the state of all “accepted” connections in a data table that resides in memory. This enables the firewall to determine if an incoming packet is either a new connection or is part of an existing established connection.

What are the three common firewall topologies?

Perimeter topology, three-legged DMZ topology, and chained DMZ topology.

5B True or False? You need to have the install partition formatted to NTFS when installing ISA Server 2006 on a Windows 2003 Server.

True

Is ISA Server Firewall available in a firewall appliance?

Yes! There are a wide range of manufacturers that offer ISA-based appliances.

What are the three panes in the ISA Server 2006 Management console?

Console Tree, Details, and Task panes.

List some things that can be a trigger for an ISA alert.

Responses might include Event Log Failure, Intrusion Detected, IP Spoofing, and Oversize UDP Packet.

How do you back up or restore the configuration of ISA Server 2006?

By exporting or importing the configuration to an XML file.


What is the difference between an access rule and a publishing rule in ISA Server 2006?

Access rules control outbound communication, while publishing rules control inbound communication.

What are the features in ISA Server 2006 that can help manage bandwidth consumption?

Forward and reverse caching and packet prioritization.

5C What is the difference between the DROP target and the REJECT target?

Dropping the connection complies with TCP/IP rules of communication—an ICMP message is sent back to the packet’s origin. Rejecting the connection simply drops a packet and does not inform the sender.

What must be done before a chain can be deleted?

You must flush the rules.

What is the switch for deleting a rule?

-D deletes a rule (-F flushes and -X deletes a chain).

5D What is the function of --dport 1024:65535 ! --syn in the exercises?

Destination port should be in the range 1024-65535, but without the SYN flag set.

Why is the filtering of ping done in two lines, first disallowing echo requests, and then allowing ICMP?

Because there are many uses for ICMP other than ping, such as Timed Out and Host Unreachable messages, closing all ICMP would cause problems.

Why is it a good idea to configure the default policies first?

Because those configurations are instant, no one can sneak through the firewall while the policies are being created.

Lesson 5: Configuring Firewalls 297


LESSON 6: Implementing IPSec and VPNs

Overview

In this lesson, you will be introduced to the concepts of IPSec. You will examine and configure the Microsoft Management Console and identify the predefined IPSec policies in Windows Server 2003. You will create new policies and implement IPSec to specifically use AH, ESP, or both, in Transport Mode. Finally, you will analyze IPSec traffic in Network Monitor.

In this lesson, you will examine Virtual Private Networks (VPNs) and some of the security issues related to them.

Objectives

To be able to implement IPSec and Virtual Private Networks, you will:

6A Define the function of IPSec in a networked environment.

Given a running network, you will examine the IPSec structure, cryptography, the Encapsulating Security Payload, the Authentication Header, the Internet Key Exchange, and modes of implementation.

6B Examine IPSec policy management.

Given a running network, you will examine the IPSec structure, cryptography, the Encapsulating Security Payload, the Authentication Header, the Internet Key Exchange, and modes of implementation.

6C Implement and examine IPSec AH configurations.

Given a Windows 2003 computer, you will implement and analyze IPSec AH sessions.

6D Implement and examine IPSec AH and ESP configurations.

Given a Windows 2003 computer, you will implement and analyze IPSec AH and ESP sessions.

6E Examine the business drivers and technology components for a VPN.

In this topic, you will examine standard business drivers and technology components in order to successfully implement a VPN solution.

6F Examine the concepts of IPSec and other tunneling protocols.

In this topic, you will investigate the components of IPSec, how IPSec works, and identify other VPN tunneling protocols, such as Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP).

Data Files: RFCs

Lesson Time: 3 hours


Lesson 6: Implementing IPSec and VPNs 299


6G Analyze secure VPN design and implementation issues.

In this topic, you will take the necessary steps required to analyze secure VPN design objectives and VPN implementation issues.

6H Examine the issues of VPN and firewall architecture and VPN authentication.

In this topic, you will address various VPN and firewall architectures and examine issues related to authentication.

6I Configure VPN options built into Windows 2003.

In this topic, you will perform tasks related to setting up the VPN options built into Windows 2003 Server.


Topic 6A: Internet Protocol Security

The Internet Protocol (IP) by itself has no security. There are no built-in mechanisms to ensure the security of the packets. It has become possible for attackers to create bogus packets, posing as IP addresses that are not their own. It has also become possible for attackers to intercept packets as they are transmitted on the Internet, and read the payload of the packets. Because of these points, there is no way for the security professional to guarantee any of the following:

• That a packet is from the source IP address.

• That a packet was not copied or intercepted by a third party during transmission.

• That a packet holds the original data that was transmitted.

These issues combine to illustrate that security of the packets themselves is required.

IPSec, or IP Security (described in detail in RFC 2401), can provide this security. In the simplest definition, IPSec protects IP datagrams. In a more detailed definition, IPSec provides confidentiality, integrity, and authentication.

• Confidentiality means there is a system of making the data unreadable by unauthorized individuals.

• Integrity means that there is a guarantee that data is not altered between the sender and the receiver.

• Authentication means that the receiver is guaranteed that the sender is not an imposter.

The way that IPSec is able to provide this protection is by specifying how the network traffic is going to be protected, and to whom the traffic will be sent. The way the traffic is going to be protected will be through an IPSec protocol such as the Authentication Header (AH) or the Encapsulating Security Payload (ESP).

The operation of IPSec is completely transparent to the end-user. This is due to the fact that IPSec functions just above the Network layer (the IPSec protocols AH and ESP have their own IP protocol IDs), so they are well under the Application layer. Providing this automatic protection is significant in the choice of whether or not to implement IPSec. The end result is that network traffic is encrypted on one end and decrypted on the other, without the upper-layer applications at either end worrying about the complexities of the encryption/decryption processes.


Cryptography and Keys

IPSec is able to provide protection by encrypting and decrypting data. Although a detailed discussion of cryptography is beyond the scope of this book, the very basics are required. (A detailed discussion and hands-on study of cryptography and encryption techniques will be undertaken in Level 2 of the SCP.)

Any file before encryption is typically referred to as plaintext. Once that file is encrypted, using a mathematical algorithm, it is referred to as ciphertext. In order to decrypt this file (or message), you must have a key that can reverse the encryption. You can think of an encryption algorithm as a lock and the key as the lock’s combination. If a document is locked, you need a key to unlock it. Often in cryptography, one key is used to lock (encrypt) the document, and the same key or a different key is used to unlock (decrypt) the document, depending upon the methodology chosen. If a different key is used, the two keys are linked to each other via the algorithm and the associated mathematical functions.

IPSec requires that users have a method of exchanging (sometimes called negotiating) their keys.

• One method is called manual distribution. In the simplest definition, this literally means each user manually giving every other user his or her key. Manual distribution will more likely be done with what is called a KDC, or Key Distribution Center.

• The second method is automatic distribution. With automatic distribution, the concept is that keys are exchanged only when needed. The default IPSec implementation of automatic key distribution is called Internet Key Exchange (IKE). You can also implement an automated version of the KDC, such as a Kerberos implementation.

Modes

IPSec has the ability to protect either the complete IP packet or just the upper-layer protocols. The distinction between the two creates two different modes of implementation.

• One mode is called Transport Mode. In this implementation, IPSec is protecting upper-layer protocols.

• The other mode is called Tunnel Mode. In this implementation, IPSec protects the entire (tunneled) IP payload.

When Transport Mode is used, the IPSec headers (AH and/or ESP) are inserted between the IP header and the TCP header. When Tunnel Mode is used, the IPSec header is inserted between the original IP header (now tunneled) and a new IP header. Tunnel Mode is commonly used to create VPNs between networks.

Along with specifying a mode, a decision on whether to use AH, ESP, or both is required. Since there are two modes of implementation, and two protocols that can be selected, there are four possible methods of protection using IPSec. You can use any of the following:

• ESP in Transport Mode

• ESP in Tunnel Mode

• AH in Transport Mode

• AH in Tunnel Mode

cryptography: The art or science concerning the principles, means, and methods for rendering plaintext unintelligible and for converting encrypted messages into intelligible form.

plaintext: Unencrypted data.

key: A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt.


Over and above that, ESP offers message integrity (authentication) and confidentiality (encryption). AH offers only message integrity. Tunnel Mode ESP encryption encrypts all of the tunneled data (that is, the tunneled IP header and everything within), while Transport Mode ESP does not—and cannot—encrypt the IP header. Thus the IPSec implementation that offers the maximum protection is ESP in Tunnel Mode.

ESP in Transport Mode

In Transport Mode, ESP encrypts and authenticates application data, such as email, web pages, and so forth; however, it does not protect the IP addresses. If a packet is captured and analyzed by an attacker, although the data is encrypted, the sender and receiver IP address information is freely available. Both hosts who are in communication must have IPSec installed and configured to prevent this from occurring.

ESP in Tunnel Mode

In Tunnel Mode, ESP encrypts and authenticates application data, just as in Transport Mode. In this situation, the ultimate source and destination IP addresses are also encrypted because they are encapsulated (tunneled). The reason for this is that IPSec is implemented on the tunnel endpoints, and not required on the hosts themselves. If this packet is captured and analyzed by an attacker, the attacker will be able to determine only that a packet was sent. None of the contents, including the original source and destination, can be found freely. Of course, the external IP headers (that of the tunnel endpoints) can be read.

AH in Transport Mode

AH provides authentication of application data. AH does not provide encryption services like ESP, only authentication services (as the name indicates). In Transport Mode, there is similarity to ESP, though, in that both end users must have IPSec installed and configured.

AH in Tunnel Mode

In Tunnel Mode, AH authenticates application data from one endpoint to another, often network gateways or firewalls. There is no encryption provided, only authentication. If ESP authentication is turned on, then AH is rarely implemented in Tunnel Mode.
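As an added example that is not part of the course, the following Python builds an IPv4 packet in Transport Mode with an Authentication Header using HMAC-MD5-96 (the AH integrity combination the 1_REQUEST_AH(md5)_only policy of Topic 6C negotiates) and verifies it on the receiving side. The key, addresses and TCP segment are constructed stand-ins; it shows that a changed payload or a rewritten source address fails verification, that a router's TTL decrement still passes because AH excludes the mutable IP fields, and that the payload stays readable because AH provides integrity and authenticity but no confidentiality.

```python
import hashlib
import hmac
import struct

IPPROTO_TCP = 6
IPPROTO_AH = 51      # AH carries its own IP protocol number, as the text notes for AH/ESP
AH_FIXED_LEN = 12    # Next Header, Payload Len, Reserved, SPI, Sequence Number
AH_ICV_LEN = 12      # HMAC-MD5-96 (RFC 2403): the 128-bit MAC is truncated to 96 bits


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """RFC 2402 3.3.3.1: fields routers legitimately rewrite are zeroed before the ICV is computed."""
    b = bytearray(ip_hdr)
    b[1] = 0                  # TOS
    b[6:8] = b"\x00\x00"      # flags and fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    return bytes(b)


def compute_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV over IP header + AH + payload, with mutable fields and the ICV slot itself zeroed."""
    covered = zero_mutable_fields(ip_hdr) + ah_fixed + b"\x00" * AH_ICV_LEN + payload
    return hmac.new(key, covered, hashlib.md5).digest()[:AH_ICV_LEN]


def build_ah_transport(key: bytes, src: bytes, dst: bytes, spi: int, seq: int, segment: bytes) -> bytes:
    """Transport Mode: the AH is inserted between the IP header and the TCP segment."""
    ah_total = AH_FIXED_LEN + AH_ICV_LEN
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + ah_total + len(segment))
    # Payload Len is the AH length in 32-bit words minus 2: 24 bytes -> 6 words -> 4
    ah_fixed = struct.pack("!BBHII", IPPROTO_TCP, ah_total // 4 - 2, 0, spi, seq)
    icv = compute_icv(key, ip_hdr, ah_fixed, segment)
    return ip_hdr + ah_fixed + icv + segment


def verify_ah_transport(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the ICV and compare it in constant time."""
    if len(packet) < 20 + AH_FIXED_LEN + AH_ICV_LEN or packet[9] != IPPROTO_AH:
        return False
    ip_hdr, rest = packet[:20], packet[20:]
    ah_fixed = rest[:AH_FIXED_LEN]
    icv = rest[AH_FIXED_LEN:AH_FIXED_LEN + AH_ICV_LEN]
    payload = rest[AH_FIXED_LEN + AH_ICV_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, ah_fixed, payload))


def forward_one_hop(packet: bytes) -> bytes:
    """What a router does in transit: decrement TTL and rewrite the header checksum."""
    b = bytearray(packet)
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ip_checksum(bytes(b[:20])))
    return bytes(b)


# Constructed sample values (not from the course). In real IPSec the AH key comes out of the
# IKE negotiation; it is never the preshared authentication string itself.
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SRC = bytes([10, 0, 0, 5])        # constructed stand-in for Student_P
DST = bytes([10, 0, 0, 9])        # constructed stand-in for Student_Q
SEGMENT = b"\x04\xd2\x00\x50" + b"GET / HTTP/1.0\r\n"   # constructed stand-in for a TCP segment


def demo() -> dict:
    """Outcomes a Network Monitor capture of this AH session would let you confirm."""
    pkt = build_ah_transport(KEY, SRC, DST, spi=0x1000, seq=1, segment=SEGMENT)
    tampered = pkt[:-5] + b"X" + pkt[-4:]                    # one payload byte changed in transit
    spoofed = pkt[:12] + bytes([192, 168, 1, 1]) + pkt[16:]  # source address rewritten in transit
    return {
        "valid": verify_ah_transport(KEY, pkt),
        "after_router_hop": verify_ah_transport(KEY, forward_one_hop(pkt)),
        "payload_tampered": verify_ah_transport(KEY, tampered),
        "source_spoofed": verify_ah_transport(KEY, spoofed),
        "payload_visible": b"GET / HTTP" in pkt,     # AH gives integrity/authenticity, not confidentiality
        "header_order": (pkt[9], pkt[20]),           # IP Protocol 51 (AH), then AH Next Header 6 (TCP)
        "packet_len": len(pkt),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```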

IPSec Implementation

As you identified in the previous section, there are various modes of implementing IPSec. One of the primary questions to answer is: Where are the endpoints in your network going to be? Are the endpoints the actual hosts? Or, are the endpoints the firewalls?

If true end-to-end security is required between two hosts, then implementing IPSec on each host is the way to go. However, scaling that up to all the hosts in the network can become difficult to implement and manage.

Imagine that you and your coworkers all pass open notes to each other in your organization. In order to prevent a third user from seeing the note sent between any two users, you build an infrastructure of opaque PVC pipes between each coworker in your organization. If there are a total of five workers, you have to have an infrastructure of [5 x (5–1)]/2—or 10 pipes. In this office, each person holds four pipes. Now, increase the number of workers to 100. You will need an infrastructure of [100 x (100–1)]/2—or 4950 pipes, and each person holds 99 pipes. Lots of secure links to pass things back and forth through, but not that efficient overall.

authenticate: To establish the validity of a claimed user or object.

firewall: A system or combination of systems that enforces a boundary between two or more networks. A gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based UNIX box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.

This is what happens when you implement IPSec in Transport Mode—you basically create many virtual secure pipes between each host and the rest of the hosts.

If host-to-host implementation is chosen, the likely solution will be to use the IPSec function of the OS, such as Windows 2000. If this is the case, IPSec functions normally, at the Network layer, performing its function and moving on.

Sometimes though, IPSec may be implemented underneath an existing implementation of the IP protocol stack, between the native IP and the local network drivers (see RFC 2401). In such a scenario, this is referred to as a “Bump in the Stack” implementation.

Yet another option for IPSec implementation is to use a dedicated piece of hardware. This equipment would attach to an interface, or a router, and perform the specific encryption functions externally of other components. This is called a “Bump in the Wire” implementation. This offers excellent performance in regards to the processing of encryption and decryption. It is not suitable for all implementations, however, as adding a physical dedicated piece of equipment to links may not be a budgetary option for an organization.

TASK 6A-1: Describing the Need for IPSec

1. Why is IPSec becoming a requirement in networks that need secure communication?

There is no security in the standard IP that is used today. IP can be captured, analyzed, and more with no prevention. IPSec allows for the security of the actual packets themselves, without relying on Application-level encryption.

Topic 6B: IPSec Policy Management

Implementing and managing IPSec policies in Windows is accomplished by using the Microsoft Management Console. In this topic, you will use the MMC to perform the many tasks of IPSec implementation.

The MMC

Microsoft introduced the Microsoft Management Console (MMC) in Windows NT. The MMC is a highly configurable tool used to manage and configure system and application settings.


In the first task, you will become familiar with the MMC configuration options and create some customized settings. The MMC, as you first use it, will be blank—you select the configuration options. In Figure 6-1, you will see that there are two places to use a drop-down menu. The first is the overall MMC, called Console1 by default. This menu bar has three menus: Console, Window, and Help. The second menu bar contains the commands from the current option, also called a plug-in. The default plug-in is called Console Root. This has three commands: Action, View, and Favorites.

In the default plug-in, Console Root, there are two tabs: Tree and Favorites. The Tree tab shows the items that are available in this plug-in. Items can include folders, web pages, other snap-ins, and more. The Favorites tab is used to manage shortcuts to items in the Console Tree. This enables you to create a customized grouping of tools and shortcuts that you frequently use to manage aspects of your system.

The Tree and Favorites tabs are located in what is called the Left Pane of the snap-in. This is where the options are expanded, selected, and possibly added to Favorites. On the right side of the dividing line is what is called the Right Pane. In the Right Pane, you will find the details of any object that is selected in the Left Pane.

Figure 6-1: The blank MMC console.

TASK 6B-1: Examining the MMC

Setup: You are logged on to Windows 2003 Server as Administrator.

1. Choose Start→Run.

2. In the Run box, type mmc to start the Microsoft Management Console.

3. Choose File→Add/Remove Snap-In.


4. On the Standalone tab, click Add.

5. Scroll down, select IP Security Policy Management, and click Add.

6. If necessary, select Local Computer, and click Finish.

7. Click Close to close the Add Standalone Snap-in dialog box.

8. Click OK, and leave the MMC open for the next task.

IPSec Policies

In Windows 2003, there are predefined IPSec security policies. These policies allow for implementation of IPSec with minimal effort on the part of the administrator. As an administrator, you must identify the needs for IPSec in your environment, then enable the proper policy to meet those needs. The three predefined policies are:

• Client (Respond Only): The policy of Client (Respond Only) is used for normal communication, which is not secured. What this means is that any Windows 2003 machine (Professional or Server) with this policy enabled will have the ability to communicate using IPSec if required or requested. Such a machine will not enforce IPSec when initiating communications with any other machine.

• Secure Server (Require Security): The policy of Secure Server (Require Security) is used when all IP network traffic is secured. What this means is that any Windows 2003 machine (Professional or Server) with this policy enabled will always enforce secure communications using IPSec. It will never fall back to unsecured communications.

• Server (Request Security): The policy of Server (Request Security) is used when IP network traffic is to be secured, and to allow unsecured communication with clients that do not respond to the request. What this means is that any Windows 2003 machine (Professional or Server) with this policy enabled will first look to enforce communications using IPSec. If the other machine cannot use IPSec, the first machine will fall back to unsecured communications.

TASK 6B-2: Identifying Default IPSec Security Policies

Setup: You are logged on to Windows 2003 Server as Administrator, the MMC is running, and the IP Security Policy Management snap-in has been added.

1. In the left pane, select IP Security Policies On Local Machine. Three policies are shown in the right pane.

2. Examine the three policies to see if any are currently assigned.

By default, they are not assigned.

3. Leave the MMC open for the next task.

security policies: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

These policies are also available in Windows XP.

Saving the Customized MMC Configuration

Since you have configured the MMC just as you wish, you should save this configuration so that it is easy to bring back up. Although you can go through the steps of adding the snap-in as you did earlier, to do so each time is cumbersome, and is not required.

TASK 6B-3: Saving a Customized MMC

Setup: You are logged on to Windows 2003 Server as Administrator, the MMC is running, and the IP Security Policy Management snap-in has been added.

1. Choose File→Exit.

2. When you are asked if you wish to save the console settings, click Yes.

3. Save the file to the desktop as ipsec.mmc.msc.

4. Verify the new addition by double-clicking the new ipsec.mmc.msc file on the desktop. Your saved MMC opens just as you had customized it to do so.

The Secure Server (Require Security) Policy

In the following sections, you will examine the settings of each of the three predefined policies. The most secure policy, Secure Server (Require Security), is the policy that states that all communication must be secured, with no exceptions.

The General Tab

As the name implies, the General tab provides general information and configuration options for the Secure Server (Require Security) policy.


Figure 6-2 shows the settings for Key Exchange. Keys are used as part of the different forms of encryption that can be implemented in the IPSec policy. IKE stands for Internet Key Exchange, and deals with the method of exchanging the cryptographic key(s). SHA1 and MD5 are both algorithms that are used to verify the integrity of a message. 3DES and DES are the actual encryption algorithms that can be used, and finally, Diffie-Hellman Group will dictate the overall strength of the encryption.

Figure 6-2: The Key Exchange Security Methods dialog box.

These settings work together to determine the integrity, confidentiality, and strength of the secured communication.

• Integrity is determined by the SHA1 or MD5 algorithm.

• Confidentiality is determined by the 3DES or DES algorithm.

• Strength is determined by the Diffie-Hellman Group, which can be either 96-bit (the low setting) or 128-bit (the high setting) key lengths.

TASK 6B-4: Examining Security Methods

Setup: You are logged on to Windows 2003 Server as Administrator, and the ipsec.mmc.msc console is open.

1. In the right pane, right-click Secure Server (Require Security), and choose Properties.

2. Select the General tab.

3. Observe that the default value for Check For Policy Changes Every is 180 minutes. Every 3 hours, the machine (if it is a domain member) will check with Windows Active Directory to see if this policy, when assigned, has changed.

4. Under Perform Key Exchange Using Additional Settings, click Settings.

5. In the Key Exchange Settings dialog box, click Methods.

6. Examine the default settings for the security used in Secure Server (Require Security).

7. Close all windows without changing the properties.

DES: (Data Encryption Standard) Definition 1: An unclassified crypto algorithm adopted by the National Bureau of Standards for public use. Definition 2: A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.

The Rules Tab for the Secure Server (Require Security) Policy

The Rules section of an IPSec policy—in this case, the Secure Server (Require Security) policy—contains the actual security sections of the policy pertaining to traffic and actions. The IP Filter List is used to define the types of network traffic that are to be affected by this policy. The predefined rules in a policy can be modified, but cannot be removed. The default rules are for All IP Traffic, All ICMP Traffic, and <Dynamic>.

In addition to the IP Filter List is the Filter Action. In other words, it defines what the system does when traffic matches a rule’s filter list, such as All IP Traffic. There are three actions, which are listed as:

• Permit: Allow unsecured IP packets to pass.

• Require Security: Requires secured communication.

• Default Response: Follow the negotiations as initiated by the other computer. This is especially useful when no other rule applies. In fact, it is the only filter action for the Client (Respond Only) predefined policy.


Figure 6-3: The default filter lists and filter actions, as shown on the Require Security Rules tab.

In addition to the IP Filter List and the Filter Actions on the Rules tab shown in Figure 6-3, there are other sections that deserve noting. These are the Authentication, Tunnel Setting, and Connection Type options, described in the following list and shown in Figure 6-4.

• The Authentication Methods are used to define how a trust will be established between the two communicating hosts. By default, this is the Kerberos method. The other valid options (in addition to Kerberos) are to use a certificate from a Certificate Authority (CA), or to use a predefined shared key string.

• The Tunnel Setting is used to define if this communication is to use a tunnel, and if so, what the IP address for the end of the tunnel is. The endpoint is the tunnel computer that is closest to the IP traffic destination.

• The Connection Type is used to define the types of connections to which the rule will apply. For example, the default setting is All Network Connections. The second option is to have the rule apply only to Local Area Network (LAN) traffic, and the third option is to have the rule only apply to Remote Access traffic.

Figure 6-4: The authentication methods, tunnel settings, and connection types, as shown on the Require Security Rules tab.

TASK 6B-5: Examining Policy Rules

Setup: You are logged on to Windows 2003 Server as Administrator.

1. Reopen the ipsec.mmc.msc console.

2. In the right pane, right-click Secure Server (Require Security), and choose Properties.

3. If necessary, select the Rules tab.

4. Examine the default settings for IP Filter List, Filter Action, Authentication Methods, Tunnel Setting, and Connection Type.

5. Select the All IP Traffic rule, and click the Edit button.

6. Observe the configuration options that can be adjusted in this section.

7. When you are done reviewing the configuration options, click Cancel to close the Secure Server Properties, without making changes.

8. Close the ipsec.mmc.msc console without saving changes.

LAN: (Local Area Network) A computer communication system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communication system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, front-end processors, controllers, and servers.

Topic 6C: IPSec AH Implementation

You now have all of the information and tools you need to be able to implement IPSec. Let’s try it out.

About the Tasks

For the following tasks, you will work in pairs. The text and activities refer to the two machines as Student_P and Student_Q.

Student_P will initiate communication with Student_Q. Student_Q will dictate whether it has an IPSec policy enabled. If so, it then determines if it should request or require Student_P to do the same. On Student_P, at first you will have no IPSec Respond policy activated, but later you will have a Respond policy. You will capture traffic between these two computers using Network Monitor, and perform an analysis on the traffic.

You will also use the options for configuring policies. You will use just the AH protocol (authenticity/integrity). Then, you will use just the ESP protocol (confidentiality). Following that, you will use AH with ESP. Also, ESP will be configured to use its integrity algorithm. Finally, because the integrity algorithms can be implemented in two flavors (SHA-1 or MD5) and the encryption algorithms for confidentiality can also be implemented in two flavors (DES or 3DES), you’ll use combinations of these.

As a policy maker for a company, you’ll have to make such decisions before you implement IPSec. These are the actual tools you can use in Windows 2003 to implement your policies.

Creating Custom IPSec Policies

In the previous topic, you examined the default IPSec policies in Windows 2003. For the remainder of the lesson, you will create and use your own customized IPSec policies. This will enable you to fully create and secure network traffic based on your unique configuration requirements. The following figures can be used as a reference while performing the tasks of this section.


Figure 6-5: Opting not to use the Add Wizard.

When you are creating a new policy, you will need to add and configure all the options you previously examined. In these tasks, you will be customizing the policies, one by one, and do not want to use the Add Wizard, because the Add Wizard will walk you through specific predefined steps. At this stage, you want to perform everything manually.


Figure 6-6: The Security Methods tab, showing the leftmost part of the Security Method Preference Order.

During policy creation, you will be presented with the Security Methods tab. At this stage, you will see five columns presented: Type, AH Integrity, ESP Confidentiality, ESP Integrity, and Key Lifetimes (KB/Sec), but you might need to scroll to see all five.


Figure 6-7: The Security Methods tab, showing the right-most part of the Security Method Preference Order.

Security methods are listed in order of preference that this machine will use when attempting to negotiate IP Security when dealing with another machine that responds that it can use IPSec, too. You can add, edit, or remove any of these methods. In this case, since you will have named this policy 1_REQUEST_AH(md5)_only, you will simplify the list and offer exactly one choice: Request IP Security that relies only on AH Integrity using the MD5 hashing algorithm. Do not worry about key lifetimes at this stage.

TASK 6C-1: Creating the 1_REQUEST_AH(md5)_only Policy

Note: Perform this task only if you are designated as Student_Q.

1. Open the ipsec.mmc.msc console.

2. In the right pane, right-click and choose Create IP Security Policy, then click Next.

3. For the IP Security Policy Name, type 1_REQUEST_AH(md5)_only and click Next.

4. Uncheck Activate The Default Response Rule and click Next.

5. Uncheck Edit Properties and click Finish.


6. Double-click the new policy 1_REQUEST_AH(md5)_only.

7. On the Rules tab, uncheck Use Add Wizard and click Add.

8. On the IP Filter List tab, click the radio button for All IP Traffic.

9. Switch to the Filter Action tab.

10. Click the radio button for Request Security (Optional).

11. Click Edit.

12. Verify that the radio button for Negotiate Security is selected.

13. Read the options presented to you under Security Method Preference Order.

14. Remove all but one Security Method by holding down the Shift key, selecting all but one of the choices, and clicking Remove. You can leave any one of the Security Methods.

15. When prompted with Are You Sure?, click Yes.

16. Select the remaining method, and click Edit.

17. Under Security Method, click the Settings button found under Custom (For Expert Users)—as you’re on your way to becoming an expert on IPSec.

18. Verify that AH is checked and that the integrity algorithm is MD5.

19. If necessary, uncheck ESP.

20. Under Session Key Settings, uncheck both check boxes.


21. Click OK three times to return to the New Rule Properties dialog box.

22. Leave the New Rule Properties open for the next task.

Editing Authentication Method Policies

When you are creating this customized policy, you are going to use only AH, and not ESP. So, when you are customizing the settings, be sure to uncheck the ESP options and to check the AH options. You should also clear the check boxes for generating new keys, both for size (Kbytes) and time (seconds).

Figure 6-8: The Authentication Method tab.

Notice that three authentication methods are supported: Kerberos, Certificates, and Preshared Keys. You will use the third method, as it is simple to implement, for now. In a production environment, if you have a homogenous Windows 2003 domain implementation, you could leave it at the default Kerberos; in a heterogeneous network, you could choose to set up a CA and distribute IPSec certificates.


TASK 6C-2: Editing the 1_REQUEST_AH(md5)_only Policy

Note: Perform this task only if you are designated as Student_Q.

1. Verify that the New Rule Properties are displayed.

2. Select the Authentication Methods tab.

3. Click Edit.

4. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide text for the preshared key.

Click OK to close the Edit Authentication Methods Properties dialog box.

5. Switch to the Tunnel Setting tab, but leave the settings alone. You will beworking in Transport Mode only.

6. Switch to the Connection Type tab, but leave the settings alone. You willuse the default of All Network Connections.

7. Click Close to close the Rule Properties. Keep the Policy Properties openfor the next task.

Setting Up the Computer's Response

You have just configured a policy where Student_Q will request any other computers that attempt to communicate with it to implement AH by using the MD5 algorithm. Let's assume that this policy is put into effect, and another computer says that it can communicate with Student_Q by using AH as well. Student_Q should be in a position to respond to this. Therefore, you should now configure the Default Response rule in this policy for Student_Q.


Figure 6-9: Preparing to modify the default response.

To modify the rule, you will not use the Add Wizard. Once you click Edit, you will again be presented with the tabs for Security Methods, Authentication Methods, and Connection Types.

Figure 6-10: Editing security methods.


Under Security Methods, you will again see five columns presented: Type, AH Integrity, ESP Confidentiality, ESP Integrity, and Key Lifetimes (KB/Sec). As before, you can add, edit, or remove any of these methods.

In this case, the policy is named 1_REQUEST_AH(md5)_only, but because Student_Q must also be able to respond when another computer initiates IPSec with it, you'll simplify the list and offer exactly one choice: respond to IP Security that relies only on AH integrity using the MD5 hashing algorithm. As before, you don't need to worry about the key lifetimes.

TASK 6C-3: Configuring the Policy Response

Note: Perform this task only if you are designated as Student_Q.

1. Verify that the properties for the 1_REQUEST_AH(md5)_only policyare displayed.

2. On the Rules tab, check <Dynamic> Default Response, and click Edit. (The Use Add Wizard check box should remain unchecked.)

3. Remove all but one Security Method by holding down the Shift key,selecting all but one of the choices, and clicking Remove.

4. When prompted with Are You Sure?, click Yes.

5. Select the remaining method, and click Edit.

6. Under Security Method, click the Settings button found under Custom.

7. Verify that the box beside AH is checked and that the integrity algorithm is MD5.

8. Verify that ESP is unchecked.

9. Under Session Key Settings, verify that the options for generating new keys for both size and time are unchecked.

10. Click OK twice to return to the Edit Rule Properties.

11. Switch to the Authentication Methods tab.

12. Click Edit.

13. Click the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.

14. Click OK twice to return to the policy properties.

15. Double-click All IP Traffic.

16. Switch to the Connection Type tab and verify that the setting is the default of All Network Connections.


17. Click OK, and then click OK to close.

18. Close the ipsec.mmc.msc console without saving changes.

Configuring AH in Both Directions

You have configured a policy where Student_Q will request other computers that attempt to communicate with it to implement AH by using the MD5 algorithm; Student_Q is also in a position to respond by using this algorithm. Now, let's configure Student_P to follow Student_Q's lead.

TASK 6C-4: Configuring the Second Computer

Note: Perform this task only if you are designated as Student_P.

1. Open the ipsec.mmc.msc console. In the right pane, right-click and choose Create IP Security Policy. Click Next.

2. For the IP Security Policy Name, type 1_RESPOND_AH(md5)_only and click Next.

3. Uncheck Activate The Default Response Rule and click Next.

4. Uncheck Edit Properties and click Finish.

5. Double-click the new policy 1_RESPOND_AH(md5)_only.

6. On the Rules tab, uncheck Use Add Wizard, check <Dynamic> Default Response, and click Edit.

7. Remove all choices but one by holding down the Shift key, selecting all but one of the choices, and clicking Remove.

8. When prompted with Are You Sure?, click Yes.

9. Select the remaining method and click Edit.

10. Under Security Method, click the Settings button found under Custom (For Expert Users).

11. Verify that AH is checked and that the integrity algorithm is MD5.

12. Verify that ESP is unchecked.

13. Under Session Key Settings, verify that the boxes for generating new keys for both time and size are unchecked.

14. Click OK twice to return to the Rule Properties.

15. Switch to the Authentication Methods tab.


16. Click Edit.

17. Click the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.

18. Click OK.

19. Click OK twice, and then click Close to finish the creation of the policy.

20. Close the ipsec.mmc.msc console without saving changes.

Configuring FTP

Now that IPSec policies are configured on two machines, you need to test the policies to ensure that they work as you intended. To do this, you'll bring up an FTP site on Student_Q and attempt to access it from Student_P. You'll do this with IPSec implemented on one machine and then on the other. You'll run Network Monitor to capture and record traffic between the two machines, examine the captures, and see where in the packet the IPSec headers reside. For greater clarity, you can verify this against the RFCs associated with IPSec as well.

TASK 6C-5: Setting Up the FTP Process

Note: Perform step 1 through step 17 only if you are designated as Student_Q.

1. Choose Start→Control Panel→Add Or Remove Programs.

2. Click the Add/Remove Windows Components button.

3. Click Application Server, and click the Details button.

4. Check the Internet Information Services (IIS) check box. Note that when you select this option, COM+ is selected by default.

5. With IIS selected, click the Details button.

6. Check the File Transfer Protocol (FTP) Service check box and click OK. Click OK again to return to the Windows Components screen.

7. Click Next. You may be prompted for your Windows Server 2003 CD-ROM.

8. Once the installation is complete, click Finish.

9. Close the Add Or Remove Programs window.

10. Choose Start→Administrative Tools→Internet Information Services Manager.


11. In the left pane, expand your Server name.

12. Expand FTP Sites, right-click Default FTP Site, and choose Properties.

13. Click the Home Directory tab and verify the location of the FTP folder. The default location is C:\Inetpub\ftproot.

14. Close the IIS Manager.

15. In Explorer, locate and navigate to the folder designated as the FTP home directory.

16. In this folder, create a text document. Edit this document to input some text and save it as text1.txt.

17. Create and save three more similar text documents in the same folder. Use text2.txt, text3.txt, and text4.txt as the file names.

Note: Perform step 18 through step 23 only if you are designated as Student_P.

18. Open a command prompt.

19. Enter ftp IP_address_of_Student_Q to ftp to Student_Q's FTP site.

20. Log on as anonymous with no password.

21. Verify that you can access the text documents created on the Student_Q computer by using the DIR command.

22. Once you have verified that you can access the text documents, quit the ftp session by entering bye at the ftp prompt.

23. Leave this command prompt open.

Implementing the IPSec Policy

You have just tested a plaintext FTP session: the anonymous logon, the commands, and the directory listing all crossed the wire unprotected. The following tasks will walk you through the process of implementing IPSec and testing the results in both directions. First, you will prove that you can still connect even though IPSec is implemented on only one of the hosts.


TASK 6C-6: Implementing the 1_REQUEST_AH(md5)_only Policy

Note: Perform step 1 through step 4 only if you are designated as Student_Q.

1. Open your ipsec.mmc.msc console. Right-click the 1_REQUEST_AH(md5)_only policy and choose Assign.

2. Close the ipsec.mmc.msc console. If you are prompted to save changes, click No.

3. Start Network Monitor, and verify that it is going to collect packets from the interface connected to Student_P.

4. Start a new capture, and allow Network Monitor to capture packets until Student_P has completed step 5 through step 9.

Note: Perform step 5 through step 9 only if you are designated as Student_P.

5. At the command prompt, again enter ftp IP_address_of_Student_Q

You should be able to successfully ftp to Student_Q after a very brief delay, even though an IPSec policy is assigned on Student_Q.

6. Log on as anonymous with no password.

7. Enter dir to see a list of files hosted on the ftp site.

8. Exit the ftp session.

9. Leave the command prompt open.

Request-only Session Analysis

Why was your attempt successful? What is the reason for the brief delay? The policy is designed to request, not demand, IPSec. If the remote machine trying to communicate with Student_Q is not IPSec-aware or does not have a policy assigned to respond, Student_Q falls back to regular, unprotected IP. The brief delay occurred because Student_Q was trying to establish an IPSec negotiation with Student_P before giving up. That is the trade-off of a Request policy: it interoperates with every peer, so it protects nothing against a peer that simply does not answer the negotiation.

Note: You will be using Network Monitor repeatedly throughout this course, so you might want to create a shortcut for it on the Windows desktop.


TASK 6C-7: Analyzing the Request-only Session

Note: Perform this task only if you are designated as Student_Q.

1. In Network Monitor, stop and view the capture.

2. Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3). Because the policy on Student_Q says to request IPSec communication, Student_Q begins the negotiation process (in frame 4).

3. In frame 4, observe that the protocol is ISAKMP (UDP port 500). When it does not hear from Student_P, it tries again approximately a second later. When it does not hear from Student_P again, it falls back to unprotected communication, and the three-way handshake proceeds as before (in frames 6, 7, and 8). Once the connection is made, the session is established in clear text, with no IPSec. You are able to see the payload and full headers of all the packets, with no evidence of IPSec.

4. Close Network Monitor. You can save your capture to a file, if you like.

Implementing a Request-and-Respond Policy

In the previous task, you saw that even though you had IPSec enabled in one direction, the policy allowed for unsecured communication. When Student_P responded with no IPSec, Student_Q went ahead and accepted the session, and traffic continued without IPSec. In the next task, you will configure Student_P to respond to Student_Q's IPSec policy.

TASK 6C-8: Configuring a Request-and-Respond IPSec Session

Note: Perform step 1 only if you are designated as Student_P.

1. Open your ipsec.mmc.msc console. Right-click the 1_RESPOND_AH(md5)_only policy, and choose Assign. Close the ipsec.mmc.msc console without saving changes.

Then, wait until Student_Q performs the next step.

Note: Perform step 2 only if you are designated as Student_Q.

2. Activate Network Monitor, and start a capture.

Note: Perform the rest of this task only if you are designated as Student_P.

Note: Based on your network traffic, you might have different frame numbers in your packet captures.

Note: For this step, and subsequent steps that deal with the ISAKMP protocol, your classroom configuration might not yield the expected results, due to timing issues as the students complete their assigned steps. You can have them try to restart the computer, and then try redoing the activity.


3. At the command prompt, again enter ftp IP_address_of_Student_Q

You should be able to successfully ftp to Student_Q.

4. Log on as anonymous with no password.

5. Enter dir to see a list of files hosted on the ftp site.

6. Exit the ftp session.

7. Close the command prompt.

Request-and-Respond Session Analysis

In the second attempt at communication, the temporary delay that was visible in the earlier task was not present. This is because the second host was now able to respond to the IPSec request initiated by the FTP server. There was no need to move down the list to a different method of communication, which saved a bit of time. In the following task, you will use Network Monitor to analyze this session and to see how the IPSec policy was implemented.

Some things to look for during this analysis include:

• IP identifies AH with a protocol ID of 0x33 (51).

• AH identifies TCP with a Next Header of 0x6 (6).

• TCP identifies FTP with a destination port of 0x15 (21).

TASK 6C-9: Analyzing the Request-and-Respond Session

Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.

1. In Network Monitor, stop and view the capture.

2. Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3).

3. Observe that, because the policy on Student_Q says to request IPSec communication, Student_Q begins the negotiation process (in frame 4) by using the ISAKMP protocol (UDP port 500).

4. Observe that, when Student_P agrees to comply with the IPSec request (in frame 5), there is an ISAKMP interplay between the two machines for the next few frames to negotiate and establish the IPSec protocol.

5. Observe that the actual three-way handshake is now completed in frames 14 and 15. If your network traffic is different, your frame numbers will be different.

Note: ARP and ISAKMP frame numbers may be different on your system.


6. Observe that, from frame 16 onward until the session teardown, AH ensures integrity of communication between the two machines.

7. Double-click a frame whose protocol is identified by Network Monitor asFTP.

8. Observe the sequence of protocol identification: Ethernet, then IP, then AH, then TCP, then FTP. As noted earlier:

• Ethernet identifies the protocol IP with an Ethertype of 0x800.

• IP identifies AH with a protocol ID of 0x33 (51).

• AH identifies TCP with a Next Header of 0x6 (6).

• TCP identifies FTP with a destination port of 0x15 (21).

9. Observe that there is no encryption: AH only authenticates the packet (a keyed hash over the headers and payload); it does not encrypt it.

10. In fact, look around frame 33. Near there, you should be able to see the name of the text file in response to the dir (LIST) command. The listing itself travels on the separate FTP data connection, which this policy protects with AH only, so it is just as readable.

11. Close Network Monitor. You can save your capture to a file if you like.

Topic 6D: Combining AH and ESP in IPSec

In the previous topic, you examined the implementation of AH in Windows Server 2003, including viewing packet data in Network Monitor. A Windows Server 2003 security method can use AH alone, ESP alone, or AH and ESP together. In the following section of tasks, you will enable different options in the establishment of IPSec between two computers.

You have configured and analyzed IPSec traffic by using AH. In this topic, you will configure and analyze network traffic that combines AH and ESP. When you are using both, you get header integrity from AH and payload confidentiality (and, optionally, payload integrity) from ESP, which is every protection IPSec offers in Transport Mode.

TASK 6D-1: Creating the 5_REQUEST_AH(md5)+ESP(des) IPSec Policy and the Response Policy

Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.

1. Open your ipsec.mmc.msc console. In the right pane, unassign the current policy, and then create another IP Security Policy. Click Next.


2. For the IP Security Policy Name, type 5_REQUEST_AH(md5)+ESP(des) and click Next.

3. Uncheck Activate The Default Response Rule, and click Next.

4. Uncheck Edit Properties, and click Finish.

5. Double-click the new policy.

6. On the Rules tab, verify that Use Add Wizard is unchecked, and click Add.

7. On the IP Filter List tab, select the All IP Traffic radio button.

8. Switch to the Filter Action tab.

9. Select the Request Security (Optional) radio button.

10. Click Edit.

11. Leave the radio button selected for Negotiate Security.

12. Read the options presented to you under Security Method Preference Order.

13. Remove all but one method by holding the Shift key, selecting all but one of the choices, and clicking Remove. Some configurations might have only one option. If so, skip the next step.

14. When prompted with Are You Sure?, click Yes.

15. Select the remaining method, and click Edit.

16. Under Security Method, click the Settings button found under Custom.

17. Verify that AH is checked.

18. Select the integrity algorithm MD5.

19. Verify that ESP is checked.

20. Leave ESP’s integrity algorithm set to <None>.

21. For Encryption Algorithm, select DES.

22. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.

23. Click OK three times to return to the Rule Properties.

24. Switch to the Authentication Methods tab.

25. Click Edit.

26. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.


27. Click OK, and then click Close to return to the Policy Properties.

28. On the Rules tab, check <Dynamic> Default Response, and click Edit. The Use Add Wizard check box should remain unchecked.

29. Under Security Methods, hold the Shift key, select all but one of thechoices, and click Remove.

30. Select the remaining method, and click Edit.

31. Under Security Method, click the Settings button found under Custom.

32. Verify that AH is checked.

33. Select the integrity algorithm MD5.

34. Verify that ESP is checked.

35. Leave ESP’s integrity algorithm set to <None>.

36. For Encryption Algorithm, select DES.

37. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.

38. Click OK twice to return to the Rule Properties.

39. Switch to the Authentication Methods tab.

40. Click Edit.

41. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.

42. Click OK three times to close the Policy Properties.

43. Close the console without saving settings.

Configuring the IPSec Response

You have configured a policy where Student_Q will request other computers that attempt to communicate with it to implement AH by using the MD5 integrity algorithm and ESP by using the DES encryption algorithm; Student_Q is also in a position to respond by using these algorithms. Let's configure Student_P to follow Student_Q's lead.


TASK 6D-2: Creating the 5_RESPOND_AH(md5)+ESP(des) IPSec Policy

Note: Perform this task only if you are designated as Student_P. Student_Q is advised to follow along.

1. Open your ipsec.mmc.msc console. In the right pane, create another IP Security Policy. Click Next.

2. For the IP Security Policy Name, type 5_RESPOND_AH(md5)+ESP(des) and click Next.

3. Uncheck Activate The Default Response Rule, and click Next.

4. Uncheck Edit Properties, and click Finish.

5. Double-click the new policy.

6. On the Rules tab, verify that Use Add Wizard is unchecked, check <Dynamic> Default Response, and click Edit.

7. Remove all but one security method by holding the Shift key, selecting all but one of the choices, and clicking Remove.

8. When prompted with Are You Sure?, click Yes.

9. Select the remaining method, and click Edit.

10. Under Security Method, click the Settings button found under Custom.

11. Verify that AH is checked.

12. Select the integrity algorithm MD5.

13. Verify that ESP is checked.

14. Leave ESP’s integrity algorithm set to <None>.

15. For Encryption Algorithm, select DES.

16. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.

17. Click OK twice to return to the Rule Properties.

18. Switch to the Authentication Methods tab.

19. Click Edit.

20. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.


21. Click OK three times to close the Policy Properties.

22. Close the console without saving settings.

AH and ESP IPSec Session Analysis

You have just gone through the steps of configuring IPSec on both Student_P and Student_Q. In the next task, you will initiate a communication between the two hosts and analyze the communication in Network Monitor.

The initial communication will be an attempt at using FTP. As with the 1_REQUEST_AH(md5)_only policy, this transaction is also successful between Student_P and Student_Q because Student_Q's policy is designed to request, not demand, IPSec. If a remote machine trying to communicate with Student_Q is not IPSec-aware or does not have a policy assigned to respond, Student_Q will fall back to regular, unprotected IP. The brief delay occurs because Student_Q is trying to establish an IPSec negotiation with Student_P. Once the second computer is configured to respond, the negotiation completes and the session is protected.

During the session analysis, try to note the differences from the earlier captures resulting from the AH-only policy. Here, you are not able to see any of the TCP flags, connection setup, three-way handshake completion, or data transfer; apart from the ISAKMP exchange, you will see nothing but ciphertext. The protocol is listed simply as ESP. If you check the details within the IP header, IP points to AH (IP protocol ID 51, 0x33) and AH's Next Header points to ESP (IP protocol ID 50, 0x32). After the IP header comes AH, then ESP, and only the ESP SPI and sequence number are readable; everything from the TCP header onward is encrypted. Only the two endpoints hold the session keys, so only they can decrypt the packets. Bear in mind, though, that 56-bit DES is chosen here only for the lab comparison with 3DES later; it has been practically breakable for years and is not acceptable in production.
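To make the header chain concrete, here is a small dissector, added for this edition as a worked example (it is not part of the course and is not Network Monitor's code), that walks the same demultiplexing fields Network Monitor follows: Ethertype, IP Protocol, AH Next Header, TCP port. The two frames it parses are constructed by hand to match the AH-only policy analyzed in Task 6C-9 and the AH+ESP policy of this task; the MAC addresses, SPIs and the stand-in ciphertext bytes are made-up values, and the AH ICVs are left as zeros because nothing here verifies them.

```python
"""Walk Ethernet -> IP -> AH -> (TCP/FTP | ESP) the way Network Monitor does.
Added example; frames below are constructed, not captured."""
import struct

ETHERTYPE_IP = 0x0800
PROTO_TCP, PROTO_ESP, PROTO_AH = 6, 50, 51
FTP_PORT = 21


def dissect(frame):
    """Return the protocol chain, the identifiers seen along the way, and
    whatever is still readable after the IPSec headers."""
    out = {"chain": ["Ethernet"], "ids": {}, "clear": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out["ids"]["ethertype"] = ethertype
    if ethertype != ETHERTYPE_IP:
        return out
    out["chain"].append("IP")
    ip = frame[14:]
    off = (ip[0] & 0x0F) * 4                 # IHL in 32-bit words, normally 20 bytes
    proto = ip[9]
    out["ids"]["ip_protocol"] = proto
    if proto == PROTO_AH:
        out["chain"].append("AH")
        next_hdr, payload_len = ip[off], ip[off + 1]
        out["ids"]["ah_next_header"] = next_hdr
        off += (payload_len + 2) * 4         # AH length incl. ICV, per RFC 2402
        proto = next_hdr
    if proto == PROTO_TCP:
        out["chain"].append("TCP")
        src_port, dst_port = struct.unpack("!HH", ip[off:off + 4])
        out["ids"]["tcp_dst_port"] = dst_port
        data_off = (ip[off + 12] >> 4) * 4   # TCP data offset
        out["clear"] = ip[off + data_off:]   # AH leaves this in the clear
        if FTP_PORT in (src_port, dst_port):
            out["chain"].append("FTP")
    elif proto == PROTO_ESP:
        out["chain"].append("ESP")
        spi, seq = struct.unpack("!II", ip[off:off + 8])
        out["ids"]["esp_spi"] = spi
        out["ids"]["esp_seq"] = seq
        out["clear"] = None                  # after SPI/seq everything is ciphertext
        out["ciphertext_len"] = len(ip) - off - 8
    return out


def _frame(proto, l4):
    """Constructed Ethernet II + IPv4 wrapper; MACs and addresses are made up."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 128,
                     proto, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    return (bytes.fromhex("00d0b7aabbcc00d0b7112233")
            + struct.pack("!H", ETHERTYPE_IP) + ip + l4)


# 1_REQUEST_AH(md5)_only: IP -> AH (Next Header 6) -> TCP (dst port 21) -> "LIST"
AH_THEN_TCP = struct.pack("!BBHII", PROTO_TCP, 4, 0, 0x1000, 7) + bytes(12)  # 24-byte AH, zero ICV
TCP_TO_FTP = struct.pack("!HHIIBBHHH", 1234, FTP_PORT, 1, 1, 0x50, 0x18, 8192, 0, 0)
FRAME_AH_ONLY = _frame(PROTO_AH, AH_THEN_TCP + TCP_TO_FTP + b"LIST\r\n")

# 5_REQUEST_AH(md5)+ESP(des): IP -> AH (Next Header 50) -> ESP; opaque after SPI/seq
AH_THEN_ESP = struct.pack("!BBHII", PROTO_ESP, 4, 0, 0x1001, 7) + bytes(12)
ESP_BLOB = struct.pack("!II", 0x2000, 7) + bytes.fromhex("9f3c7a1e0b5d44c2" * 6)  # stand-in ciphertext
FRAME_AH_ESP = _frame(PROTO_AH, AH_THEN_ESP + ESP_BLOB)


if __name__ == "__main__":
    for name, frame in (("AH only", FRAME_AH_ONLY), ("AH + ESP", FRAME_AH_ESP)):
        r = dissect(frame)
        print(name, " -> ".join(r["chain"]), {k: hex(v) for k, v in r["ids"].items()}, r["clear"])
```

For the AH-only frame the identifiers come out exactly as the bullet list above says (0x800, 0x33, 0x6, 0x15) and the FTP command is readable; for the AH+ESP frame the chain stops at ESP with the Next Header 0x32 and nothing after the SPI and sequence number is interpretable.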

TASK 6D-3: Configuring and Analyzing an IPSec Session Using AH and ESP

Note: Perform step 1 through step 2 only if you are designated as Student_Q.

1. Open your ipsec.mmc.msc console. Right-click the 5_REQUEST_AH(md5)+ESP(des) policy and choose Assign. Close the console.

2. Start Network Monitor, and start a capture.

Note: Perform step 3 through step 8 only if you are designated as Student_P.

3. At the command prompt, again enter ftp IP_address_of_Student_Q

You should be able to successfully ftp to Student_Q after a very brief delay, even though an IPSec policy is assigned on Student_Q.

4. Log on as anonymous with no password.

5. Enter dir to see a list of files hosted on the ftp site.

6. Exit the ftp session.

Note: As you assign and unassign policies, you might need to issue the command gpupdate /force to initialize those policies right away.


7. Open your ipsec.mmc.msc console. Right-click the 5_RESPOND_AH(md5)+ESP(des) policy, and choose Assign.

8. Open a command prompt and enter the following command: gpupdate /force (this will ensure that your newly assigned policy will start right away).

Note: Perform step 9 through step 11 only if you are designated as Student_Q.

9. In Network Monitor, stop and view the capture.

10. Observe the session between the two hosts. Note that encryption is not usedand that commands are visible in clear text.

11. Start a new capture (save the previous capture if you like).

Note: Perform step 12 through step 15 on Student_P.

12. At the command prompt, again enter ftp IP_address_of_Student_Q

You should be able to successfully ftp to Student_Q.

13. Log on as anonymous with no password.

14. Enter dir to see a list of files hosted on the ftp site.

15. Exit the ftp session.

Note: Perform step 16 through step 19 only if you are designated as Student_Q.

16. In Network Monitor, stop and view the capture.

17. Search the packets, and try to look for the name of the text file in response to the dir (LIST) command. You will not find it: the All IP Traffic filter covers the FTP data connection too, so the listing is now encrypted along with everything else.

18. Observe that AH ensures integrity and ESP ensures confidentiality of communication between the two machines.

19. Close Network Monitor. You can save your capture to a file if you like.

Note: Perform the following step only if you are designated as Student_P.

20. Open your ipsec.mmc.msc console, unassign the 5_RESPOND_AH(md5)+ESP(des) policy, and close the console.


Configuring All the Options

Now, let's step up the requirements for IPSec. Let's say you were paranoid and wanted to use all the features set to their highest security settings. You will configure an IPSec policy on Student_Q that will use the SHA-1 algorithm to ensure integrity and 3DES to ensure confidentiality. You will then configure Student_Q to demand IPSec of other computers. To do so, you will use a Require policy instead of a Request policy. Finally, on Student_P, you will implement a corresponding Respond policy and establish communications with Student_Q. (SHA-1 and 3DES were the strongest choices the Windows Server 2003 policy editor offered; both are now deprecated, and a current deployment would use SHA-2 and AES.)

Someone may bring up the question, "Hey, why would you use the integrity algorithm twice?" At this point, we'll leave the answer as a smug "Because we can!" Actually, there is a simpler explanation.

Most books on IPSec recommend using AH to ensure the integrity of the entire packet and ESP just for confidentiality of the payload. Most books on IPSec also simply say that ESP "...can also be used for integrity." Let's look at this a little more carefully. Note that "sign" is used loosely here: both AH and ESP integrity are keyed hashes (HMAC-MD5 or HMAC-SHA-1) computed with a key both peers share, not public-key signatures, so either peer could have produced the value.

The AH's function is to sign the entire packet, including the IP header. However, certain fields in the IP header have to be excluded because they are designed to change. One example is the 8-bit TTL field, which is decremented by 1 at each hop when traversing a routed environment. The values contained within these fields cannot be signed, as the received value would not match the value at origin; AH zeroes them before computing the hash.

The ESP's function is to encrypt and/or sign everything but the IP header. In Transport Mode, using ESP's signing functionality might be considered redundant when AH is around to do the job, especially when AH can sign even the IP headers (mostly).

It's when IPSec is implemented in Tunnel Mode, as with a VPN solution, that ESP's signing functionality has meaning of its own. In Tunnel Mode, there are two IP headers in each packet. The outer IP header is the one used by the tunnel endpoints to communicate with each other. Encapsulated within this as payload data is the IP header, IP protocol, and the actual data of the two hosts communicating end-to-end via the tunnel. Therefore, when the tunnel endpoints use ESP's integrity algorithm, the internal IP headers are treated as data and will be completely signed. Note that AH in Tunnel Mode also covers the inner header as payload; the practical reason ESP integrity is preferred for VPNs is that AH additionally covers the outer source and destination addresses, so an AH packet cannot pass through NAT, whereas ESP's integrity check excludes the outer IP header entirely.

By the way, before you get carried away with IPSec, we also recommend that you read Bruce Schneier's critique of IPSec. You can find it at his company's website, www.counterpane.com.
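The following Python script, added here as a worked example and not taken from the course, shows what the AH integrity check value actually covers in Transport Mode. It builds an IPv4 + AH + TCP packet by hand, computes HMAC-MD5-96 over the immutable fields as RFC 2402 describes, and then shows that a TTL decrement still verifies while a rewritten source address or a modified payload does not, and that the FTP command stays readable. The key is a constructed demo value, not one derived by IKE, and the addresses and SPI are made up.

```python
"""AH in Transport Mode: what the ICV covers and what it leaves alone.
Added example; key, addresses and SPI are constructed demo values."""
import hashlib
import hmac
import struct

AH_PROTO = 51
TCP_PROTO = 6
ICV_LEN = 12                      # HMAC-MD5-96: the MAC is truncated to 96 bits
DEMO_KEY = b"constructed demo key, not an IKE-derived one"


def ipv4_header(src, dst, proto, total_len, ttl=128):
    """Minimal 20-byte IPv4 header, no options. Checksum is left 0: it is a
    mutable field, excluded from the ICV, and the receiver recomputes it anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def zero_mutable(ip_hdr):
    """RFC 2402 3.3.3.1: TOS, Flags, Fragment Offset, TTL and Header Checksum
    are mutable in transit, so they are zeroed before the MAC is computed."""
    h = bytearray(ip_hdr)
    h[1] = 0                    # TOS
    h[6:8] = b"\x00\x00"        # Flags + Fragment Offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # Header Checksum
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    """ICV = HMAC-MD5-96 over immutable IP fields, AH with ICV zeroed, payload."""
    covered = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.md5).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, payload, ttl=128, spi=0x1000, seq=1):
    """IP | AH | payload; AH's Next Header says the payload is TCP."""
    ah_len = 12 + ICV_LEN                                   # 24 bytes
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload), ttl)
    # Payload Len is in 32-bit words minus 2: 24 / 4 - 2 = 4
    ah_fixed = struct.pack("!BBHII", TCP_PROTO, ah_len // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah_packet(key, pkt):
    """True if the ICV still matches. TTL may have changed on the way; the
    addresses, AH fields and payload may not."""
    ip_hdr = pkt[:20]
    if ip_hdr[9] != AH_PROTO:
        return False
    ah_len = (pkt[21] + 2) * 4
    ah_fixed = pkt[20:20 + ah_len - ICV_LEN]
    icv = pkt[20 + ah_len - ICV_LEN:20 + ah_len]
    payload = pkt[20 + ah_len:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


def demo():
    """Constructed TCP segment to port 21 carrying the lesson's FTP logon."""
    tcp = struct.pack("!HHIIBBHHH", 1234, 21, 1, 1, 0x50, 0x18, 8192, 0, 0)
    pkt = build_ah_packet(DEMO_KEY, "192.168.1.10", "192.168.1.20",
                          tcp + b"USER anonymous\r\n")
    hopped = bytearray(pkt)
    hopped[8] -= 1                              # a router decremented TTL
    spoofed = bytearray(pkt)
    spoofed[12:16] = bytes([10, 0, 0, 99])      # source address rewritten
    tampered = bytearray(pkt)
    tampered[-3] ^= 0x20                        # one byte of the FTP command flipped
    return {
        "valid": verify_ah_packet(DEMO_KEY, pkt),
        "after_ttl_hop": verify_ah_packet(DEMO_KEY, bytes(hopped)),
        "spoofed_source": verify_ah_packet(DEMO_KEY, bytes(spoofed)),
        "tampered_payload": verify_ah_packet(DEMO_KEY, bytes(tampered)),
        "payload_readable": b"USER anonymous" in pkt,    # AH never encrypts
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} {result}")
```

The spoofed-source case is the property AH adds over ESP integrity in Transport Mode, and it is also exactly why AH fails across NAT: a NAT rewrites the very field that the receiver re-hashes.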

TASK 6D-4: Implementing the 7_REQUIRE_AH(sha)+ESP(sha+3des) Policy

Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.

1. Create another IP Security Policy. Click Next.


2. For the IP Security Policy Name, type 7_REQUIRE_AH(sha)+ESP(sha+3des) and click Next.

3. Uncheck Activate The Default Response Rule, and click Next.

4. Uncheck Edit Properties, and click Finish.

5. Double-click the new policy.

6. On the Rules tab, verify that Use Add Wizard is unchecked, and click Add.

7. On the IP Filter List tab, select the All IP Traffic radio button.

8. Switch to the Filter Action tab.

9. Select the Require Security radio button.

10. Click Edit.

11. Leave the radio button selected for Negotiate Security.

12. If necessary, remove all but one security method.

13. Select the remaining method, and click Edit.

14. Under Security Method, click the Settings button found under Custom.

15. Verify that AH is checked.

16. Select the integrity algorithm as SHA1.

17. Verify that ESP is checked.

18. Select ESP’s integrity algorithm as SHA1.

19. For Encryption Algorithm, select 3DES.

20. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.

21. Click OK three times to return to the Rule Properties.

22. Switch to the Authentication Methods tab.

23. Click Edit.

24. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.

25. Click OK, click Close, then click OK to exit the Policy Properties.


Configuring the AH-and-ESP IPSec Response Policy

In order for the two hosts to communicate, they must have compatible IPSec policies implemented. By now, you are familiar with the procedure, so the following task should be rather straightforward.

TASK 6D-5: Implementing the 7_RESPOND_AH(sha)+ESP(sha+3des) Policy

Note: Perform this task only if you are designated as Student_P. Student_Q is advised to follow along.

1. Create another IP Security Policy. Click Next.

2. For the IP Security Policy Name, type 7_RESPOND_AH(sha)+ESP(sha+3des) and click Next.

3. Uncheck Activate The Default Response Rule, and click Next.

4. Uncheck Edit Properties, and click Finish.

5. Double-click the new policy.

6. On the Rules tab, verify that Use Add Wizard is unchecked, check <Dynamic> Default Response, and click Edit.

7. Remove all but one security method.

8. Select the remaining method, and click Edit.

9. Under Security Method, click the Settings button found under Custom.

10. Verify that AH is checked.

11. Select the integrity algorithm as SHA1.

12. Verify that ESP is checked.

13. Select ESP’s integrity algorithm as SHA1.

14. For Encryption Algorithm, select 3DES.

15. Under Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.

16. Click OK twice to return to the Rule Properties.

17. Switch to the Authentication Methods tab.

18. Click Edit.


19. Select the Use This String To Protect The Key Exchange (Preshared Key) radio button, and in the box, type Purple Enigma to provide the text for the preshared key.

20. Click OK twice, and then click Close to exit the Policy Properties.

21. Close the console without saving settings.

Implementing the Full IPSec Session

So far, you have configured a policy where Student_Q will require other computers that attempt to communicate with it to implement AH by using the SHA-1 algorithm and ESP by using both the SHA-1 and 3DES algorithms; Student_Q also will respond only by using these algorithms. Now, let's see what happens when Student_P follows Student_Q's lead.

When you perform the final analysis in Network Monitor, keep the following in mind: if you were to perform a hex-to-hex comparison of the two captures, you would see that the 7_REQUIRE_AH(sha)+ESP(sha+3des) policy imposes more overhead per packet than the 6_REQUIRE_AH(md5)+ESP(des) policy, so the actual number of bits is greater. The extra bytes do not come from SHA-1 or 3DES themselves: IPSec truncates both HMAC-MD5 and HMAC-SHA-1 to a 96-bit ICV, and DES and 3DES share the same 8-byte block and IV, so AH is the same size and ESP pads identically. The difference is the second, ESP-level ICV that policy 7 adds and policy 6 (ESP integrity <None>) does not. Because that overhead comes out of the payload room in every frame, a transfer of large files between the two machines would take more frames under the stronger policy.
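To see where the extra bytes come from, the following Python is an added example (not from the course) that computes the per-packet overhead of the policies named in this lesson from the header and padding rules in the IPSec RFCs for these algorithms, and then the number of full-size frames a file transfer would take under each. The policy labels and the 26-byte "LIST" segment (20-byte TCP header plus the 6-byte command) are just the values chosen for the comparison.

```python
"""Per-packet overhead of the AH/ESP combinations in this lesson.
Added example. Sizes follow RFC 2402/2403/2404 (AH: 12-byte fixed header plus
a 96-bit HMAC, MD5 or SHA-1 alike), RFC 2405/2451 (DES-CBC and 3DES-CBC:
8-byte IV, 8-byte block) and RFC 2406 (ESP trailer and optional 96-bit ICV)."""

BLOCK = {"DES": 8, "3DES": 8}
ICV = {None: 0, "MD5": 12, "SHA1": 12}      # HMAC-MD5-96 and HMAC-SHA-1-96


def ah_overhead(auth):
    """Next Header, Payload Len, Reserved, SPI, Seq (12 bytes) plus the ICV."""
    return 12 + ICV[auth]


def esp_overhead(inner_len, cipher, auth):
    """SPI + Seq, IV, padding so (data + pad + 2) is a block multiple,
    Pad Length + Next Header trailer, then the optional ICV."""
    block = BLOCK[cipher]
    pad = (-(inner_len + 2)) % block
    return 8 + block + pad + 2 + ICV[auth]


def packet_overhead(inner_len, ah_auth=None, esp=None):
    """Bytes a policy adds on top of the TCP segment of inner_len bytes.
    esp is (cipher, auth) or None; AH is counted when ah_auth is given."""
    total = ah_overhead(ah_auth) if ah_auth else 0
    if esp:
        total += esp_overhead(inner_len, *esp)
    return total


def frames_needed(file_bytes, mtu=1500, **policy):
    """Largest TCP payload that keeps IP + AH + ESP + TCP within the MTU,
    then how many full-size data frames a transfer of file_bytes takes."""
    for data in range(mtu, 0, -1):
        if 20 + packet_overhead(20 + data, **policy) + 20 + data <= mtu:
            return -(-file_bytes // data)          # ceiling division
    raise ValueError("MTU too small for this policy")


def compare(inner_len=26):
    """inner_len=26: a 20-byte TCP header plus the 6-byte 'LIST\\r\\n' command."""
    policies = {
        "1_AH(md5)": dict(ah_auth="MD5"),
        "5_AH(md5)+ESP(des)": dict(ah_auth="MD5", esp=("DES", None)),
        "7_AH(sha)+ESP(sha+3des)": dict(ah_auth="SHA1", esp=("3DES", "SHA1")),
    }
    return {name: packet_overhead(inner_len, **p) for name, p in policies.items()}


if __name__ == "__main__":
    for name, extra in compare().items():
        print(f"{name:26s} {extra:3d} bytes of AH/ESP overhead per packet")
    for name, p in (("AH(md5)+ESP(des)", dict(ah_auth="MD5", esp=("DES", None))),
                    ("AH(sha)+ESP(sha+3des)", dict(ah_auth="SHA1", esp=("3DES", "SHA1")))):
        print(f"{name:26s} {frames_needed(1_000_000, **p)} frames for a 1 MB transfer")
```

The MD5/DES and SHA-1/3DES policies differ by exactly 12 bytes per packet whatever the payload size, which is the ESP ICV; the 1 MB transfer works out to 706 frames against 714 at a 1500-byte MTU.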

TASK 6D-6
Implementing and Analyzing an AH(sha) and ESP(sha+3des) IPSec Session

Note: Perform step 1 through step 2 only if you are designated as Student_Q.

1. Open your ipsec.mmc.msc console. Assign the 7_REQUIRE_AH(sha)+ESP(sha+3des) policy. When you assign this policy, the previously assigned policy is automatically unassigned.

2. Start Network Monitor, and start a capture.

Note: Perform step 3 through step 7 only if you are designated as Student_P.

3. Open your ipsec.mmc.msc console. Assign the 7_RESPOND_AH(sha)+ESP(sha+3des) policy.

4. At the command prompt, enter ftp IP_address_of_Student_Q

You should be able to successfully ftp to Student_Q.

5. Log on as anonymous with no password.

6. Enter dir to see a list of files hosted on the ftp site.

7. Exit the ftp session.


Note: Perform the rest of this task only if you are designated as Student_Q.

8. In Network Monitor, stop and view the capture.

9. Observe that once ISAKMP establishes the encryption method, all data is encrypted with ESP.

10. Identify any differences with respect to the negotiation process, encryption, or integrity algorithms.

11. Where does the Packet identify that AH is in use?

In the IP Header.

What is the Protocol ID assigned to AH?

51 (0x33)

Where does the AH information define the use of ESP?

In the AH Next Header.

What is the Protocol ID assigned to ESP?

50 (0x32)

12. Close Network Monitor. You can save your capture to a file if you like.

13. Unassign all IPSec policies on all machines.

Topic 6E
VPN Fundamentals

A Virtual Private Network (VPN) provides a private tunnel through a public cloud (such as the Internet). A VPN enables a group of two or more computer systems to communicate over the Internet or any other public network. VPNs can exist between an individual machine and a private network (client-to-server) or a remote LAN (like a branch office) and a private, enterprise network (server-to-server). Secure VPNs make use of tunneling and security protocols to maintain the privacy of data transactions over the Internet.

A VPN is virtual, as opposed to a real private network. The idea is to make a private network that provides a secure tunnel for the exchange of data between two or more parties. If this were done over a real private network, the dedicated lines/bandwidth and service would make it cost prohibitive. But when this idea of a secure tunnel is implemented over a public network such as the Internet, the costs as well as the bandwidth are spread among many users, thus creating a Virtual Private Network.

LAN: (Local Area Network) A computer communication system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communication system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, front-end processors, controllers, and servers.


VPN Business Drivers

VPNs are popular today for a number of reasons, including:

• Mature standards, protocols, and technology.

• Significant cost savings.

• Reduction in network complexity, resulting in lower network operation costs.

• Increased security and encryption capabilities.

The Need for Remote Access

Remote access is a business requirement today—required for both communication and interaction. To determine whether or not a VPN is a good answer to your company’s needs for remote connectivity, consider your specific technical requirements, along with the pros and cons of VPN use.

Some advantages to using VPNs include:

• The ability to securely connect high-speed remote users over broadband technology, including cable modems and DSL lines, that was not possible before the advent of VPNs. VPNs will work with any last-mile technology as long as IP is running over the connection.

• No administrative headaches for managing direct access telephone lines (dedicated leased lines), ISDN, T1, or PRI lines used for data, or for the RAS equipment (modems or other network access servers). Terminating the phone calls creates potential cost savings, especially if many of your remote users are located outside your local calling area.

Some disadvantages include:

• Potentially lower bandwidth available to remote users over a VPN connection, as compared to a direct dial-in line.

• Inconsistent remote access performance due to changes in Internet connectivity. To counteract this, you can have your users choose ISPs that have higher levels of service, perhaps the same ISP from which you purchase your corporate Internet connection, to keep the majority of your traffic on the same backbone.

• No entrance into the network if the Internet connection is broken. Some administrators choose to leave a limited amount of dial-in access for emergency access.

The Need for Extranets

Most VPNs can be designed to work as an extranet. But not all extranets are VPNs. Although there are several different meanings attributed to the term, it commonly refers to a type of network that gives outside users—such as customers, clients, and business associates—access to data residing on a corporation’s network. Users access the data through a web browser over the Internet and typically need to enter a user name and password before access to the data is granted. Depending on the level of security needed, a company could choose to use an extranet approach or a customized approach that combines password protection of network servers with third-party authentication systems.

A VPN can be used in a similar manner, but a VPN typically has much higher security associated with it. Specifically, a VPN typically requires the establishment of a tunnel into the corporate network and the encryption of data passed between the user’s PC and corporate servers.


VPN Types

Even though the number of solutions is steadily increasing, VPNs fall under three main types:

• Hardware-based VPNs, for use in gateway-to-gateway configuration.

• Firewall-based VPNs.

• Software-based VPN applications, for use in client-to-client configuration.

Most hardware-based VPN systems are encrypting routers. Dedicated hardware VPN products offer better performance, security, reliability, and scalability than software-based solutions running on conventional servers and operating systems. They offer better performance and are more scalable because they are custom-built to perform essential tasks, such as encryption and decryption, as quickly as possible, often by having dedicated chips to carry out these functions. Their security is better because they are not vulnerable to weaknesses in an underlying operating system or hard disks that can fail or run out of space. The best hardware VPN packages offer software-only clients for remote installation, and incorporate some of the access control features more traditionally managed by firewalls or other perimeter security devices. However, they may not be as flexible as software-based VPNs.

Firewall-based VPNs take advantage of the firewall’s security mechanisms, including controlling access to the internal network. They also perform Network Address Translation (NAT), satisfy requirements for strong authentication, and serve up real-time alarms along with audit logs. Most commercial firewalls also harden the host operating system kernel by stripping out unnecessary services, such as default accounts for guest users, which are a clear vulnerability for exploitation, thus providing additional security for the VPN server. Operating system protection is a major plus, since very few VPN application vendors supply guidance on operating system security. Performance may be a concern, especially if the firewall is already configured; however, some firewall vendors offer hardware-based encryption processors to minimize the impact of VPN management on the system.

Software-based VPNs are ideal in situations where both user and destination endpoints of the VPN are not controlled by the same organization, and when different firewalls and routers are implemented within the same organization. At the moment, stand-alone VPNs offer the most flexibility in how network traffic is managed. Many software-based products allow traffic to be tunneled based on IP address or protocol—unlike hardware-based products, which generally tunnel all traffic they handle regardless of protocol. Tunneling specific traffic types is advantageous in situations where remote sites may see a mix of traffic—some that needs transport over a VPN to access data and some that does not, as in simple web surfing. In situations where performance requirements are not heavy, software-based VPNs may be the best choice.

A disadvantage might be that software-based systems are generally harder to manage than encrypting routers. They require familiarity with the host operating system and the application itself, and appropriate security mechanisms must be in place. Also, most software-based VPN packages require changes to routing tables and network addressing schemes.

As the VPN market evolves, the distinctions between VPN architectures are becoming less clearly defined. Some hardware vendors have added software clients to their product offerings, and extended their server capabilities to include some of the security features more traditionally offered by software- or firewall-based VPNs. A few stand-alone products have added support for hardware-based encryptors to improve their performance. For all types of VPNs, further implementation of the proposed IP Security Protocol (IPSec) is making interoperability easier with different VPN products by softening the lines of distinction between them.

VPN Elements

The critical elements of a VPN connection are described in the following table.

Name                 Description
VPN server           Accepts connections from VPN clients and can also provide VPN connections between routers.
VPN client           Initiates the VPN connection that ends up at the VPN server. A VPN client can be an end-user system, such as Windows 2000 or Windows XP, or it can be a router that gets a router-to-router connection. A VPN client can be a Point-to-Point Tunneling Protocol (PPTP) client or a Layer 2 Tunneling Protocol (L2TP) client using IPSec.
Tunnel               The part of the connection where the data is encapsulated.
VPN connection       The part of the connection where the data is encrypted. The data must be both encrypted and encapsulated along the same part of the connection for the connection to be considered a secure VPN connection.
Tunneling protocols  The communication standard used to manage the tunnel and encapsulate the data. For example, Windows 2003 supports PPTP and L2TP tunneling protocols.
Tunneled data        Is sent across the private point-to-point link.
Transit network      The IP internetwork (for example, the Internet) that connects the VPN client with the VPN server.

Each of the different types of VPN configurations can be enabled by using some combination of the following technology components:

• Dedicated VPN gateways

• IPSec-enabled routers and firewalls

• VPN client software

• IPSec-enabled operating systems, such as Windows 2003

A number of security applications combine VPN and firewall functionality into a single box. This is very useful for branch offices communicating with central office gateways.


Tunneling and Security Protocols

Tunneling is a technique where a data packet is transferred inside the frame or packet of another protocol. Therefore, the infrastructure of one network is used to travel to another. A tunnel can be thought of as a session pipe. A VPN client connects to a VPN server through a tunnel using a tunneling protocol. The logical path along which the encapsulated packet is routed is called the tunnel. Tunneling describes the entire process:

• Encapsulation of the data packet at the source.

• Transmission of the data packet through the tunnel.

• Un-encapsulation of the data packet at the destination.

In a VPN connection, encrypted data is sent through the tunnel. Both the tunnel client and the tunnel server must use the same tunneling protocols. The major tunneling protocols for VPNs are:

• Point-to-Point Tunneling Protocol (PPTP)

• Layer 2 Tunneling Protocol (L2TP)

• IP Security Protocol (IPSec)

Tunneling mechanisms differ in terms of:

• What is done to the data for encryption and authentication.

• The OSI layer at which they operate.

• The headers that describe the data transmission and authentication.

TASK 6E-1
Defining Tunneling Protocols

1. Define the three major tunneling protocols for VPNs:

Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and IP Security Protocol (IPSec)

Topic 6F
Tunneling Protocols

Earlier in the course, you studied the IPSec protocol intensively, by working with various IPSec policy settings and testing their validity. The policies, however, were tested only in Transport Mode. When IPSec is used to secure VPN communication, it is used in Tunnel Mode.

IP Security Protocol (IPSec) is an evolving security protocol from the Internet Engineering Task Force (IETF) that provides authentication and encryption over the Internet. Normal IPv4 packets consist of headers and payload, both of which contain information of value to an attacker. The header contains source and destination IP addresses, which are required for routing, but may be spoofed or altered in what are known as man-in-the-middle attacks. The payload consists of information that may be confidential to a particular organization.

OSI: (Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.


The two prime functions of IPSec are to ensure data security and data integrity. Security is achieved through data encryption techniques, and integrity through a combination of techniques that authenticate the data sender. IPSec is a set of industry standards for cryptography-based protection services and protocols.

As mentioned in the previous topic, the major tunneling protocols for VPNs are PPTP, L2TP, and IPSec. Each of the three VPN protocols provides different levels of security and ease of deployment. The standardization process has made the Layer 2 Tunneling Protocol (L2TP) and IPSec the protocols of choice. PPTP is widely used for remote access connections, primarily because of its integration in the Microsoft operating systems.

PPTP, L2TP, and Cisco’s Layer 2 Forwarding Protocol (L2F) are all designed to work at Layer 2 of the OSI model. IPSec is the only protocol engineered to work at Layer 3 of the OSI model. IPSec is fast emerging as the protocol of choice to build the best VPN system because it supports:

• Strong security

• Encryption

• Authentication

• Key management

When dealing with VPNs in a multi-protocol non-IP network environment, PPTP or L2TP may be a better choice. Both PPTP and L2TP are strictly tunneling protocols. Since IPSec was designed for the IP protocol, it has wide industry support and is expected to eventually become the standard for VPNs on the Internet.

Other tunneling protocols include:

• Secure Shell (SSH)

• Socks v5

These offer Application layer tunnels, as well as various implementations of tunnels, such as cascaded tunnels, nested tunnels, or end-to-end tunnels. The SSH protocol is a widely used Application layer tunneling protocol that uses a public key cryptographic system to ensure security. SSH is freely available as a direct result of OpenSSH initiatives. The SSH protocol suite offers a secure replacement for Telnet, rlogin, FTP, and other programs, in addition to tunneling capabilities. Socks v5 offers an Application layer VPN by providing desktop-to-server authentication and encryption. While both SSH and Socks v5 are exceptional application (session)-tunneling protocols, they are not widely deployed in strategic enterprise VPN solutions.

Point-to-Point Tunneling Protocol (PPTP)

The PPTP Forum developed the Point-to-Point Tunneling Protocol (PPTP) specification. This forum included Ascend Communications, 3Com/Primary Access, ECI Telematics, U.S. Robotics, and Microsoft. PPTP has fast become the most widely used protocol for creating dial-in remote access VPNs. A key reason for the success of PPTP for dial-in remote access has been support for the protocol by Microsoft. Microsoft supports PPTP on the NT Server platform version 4.0 and above and includes a free PPTP client in the desktop operating system. The Microsoft version of PPTP is its own version of the IETF PPTP protocol, and it is the Microsoft version that is the de facto standard for PPTP deployments. Most vendor products use Microsoft’s version of the protocol.

cryptography: The art or science concerning the principles, means, and methods for rendering plain text unintelligible and for converting encrypted messages into intelligible form.

SSH: (Secure Shell) A completely encrypted shell connection between two machines protected by a super long pass-phrase.


Working at Layer 2 of the OSI model, PPTP encapsulates PPP packets using a modified version of Generic Routing Encapsulation (GRE), which gives PPTP the capability to handle any supported network layer protocol such as IP, IPX, and NetBEUI.

While PPTP is best suited for remote access VPNs, there are some security issues related to it. These issues relate to vulnerabilities associated with the Challenge/Response Authentication Protocol (Microsoft CHAP), as well as the RC4-based encryption protocol (MPPE). Even though there have been security updates and enhancements by Microsoft, it is still recommended that Microsoft’s PPTP protocol not be used in VPN systems where there is a strong need to protect sensitive data. PPTP may be an appropriate solution to deploy in smaller organizations that may only need a limited regional VPN, supporting small numbers of mobile users.

Layer 2 Tunneling Protocol (L2TP)

Layer 2 Tunneling Protocol (L2TP), defined in RFC 2661, is a protocol for tunneling PPP sessions across a variety of network protocols such as IP, Frame Relay, or ATM. The IETF working group joined the PPTP group efforts with Cisco’s Layer 2 Forwarding Protocol (L2F) initiatives to develop L2TP. L2TP is the successor to PPTP and L2F.

L2TP was specifically designed for client-to-gateway and gateway-to-gateway connections with broad tunneling and security interoperability. L2TP has wide vendor support because it addresses the IPSec shortcomings of client-to-gateway and gateway-to-gateway connections. L2TP tunnels appear as IP packets, so IPSec Transport Mode provides authenticity, integrity, and confidentiality security controls.

L2TP tunneled in IP, using UDP port 1701, is used as the VPN tunneling protocol over the Internet for tunnel maintenance. Compressed or encrypted PPP frames encapsulated in L2TP also use UDP to transmit tunneled data.


IPSec

IPSec in Tunnel Mode secures TCP/IP-based protocols using Layer 2 Tunneling Protocol (L2TP). Three main components form the building blocks of the IPSec protocol suite.

Component                             Description
Authentication Header (AH)            Provides authentication, integrity, and anti-replay protection for both the IP header and the data payload. It does not provide confidentiality.
Encapsulating Security Payload (ESP)  Provides confidentiality and/or authentication. Data is encrypted before it is transmitted.
Security Association (SA)             Defines the security policy to be used in managing the secure communication between two nodes.

Keep in mind that you can use IPSec itself as the tunneling protocol, or you can use L2TP to create the tunnel and let IPSec provide data encryption. L2TP does not provide its own encryption service; it uses IPSec’s ESP protocol to encrypt and authenticate the entire UDP datagram, thereby protecting it from compromise by unauthorized users. You can create L2TP tunnels without encryption, but this is technically not a VPN because the data is not protected.

Authentication Header (AH)

IPSec provides mechanisms to protect both header and payload data. The IPSec Authentication Header (AH) provides a mechanism for data integrity and data origin authentication for IP packets using the hashing algorithms Hash-based Message Authentication Code (HMAC) with MD5 or HMAC with Secure Hash Algorithm 1 (SHA-1). Use of the IP AH is indicated with the value 51 in the IPv4 Protocol field or IPv6 Next Header field in the IP packet header.

AH digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, verifying the identity of the source and destination machines and the integrity of the payload.

Encapsulating Security Payload (ESP)

The IPSec Encapsulating Security Payload (ESP) guarantees the integrity and confidentiality of the data in the original message by combining a secure hash and encryption of either the original payload by itself, or a combination of both the headers and payload of the original packet. As in AH, ESP uses HMAC with MD5 or SHA-1 authentication; privacy is provided using DES-CBC encryption. Placing a value of 50 in the IPv4 Protocol field or IPv6 Next Header field in the IP packet header indicates use of the IP ESP format. Both AH and ESP provide sequence numbers in each packet—this prevents a replay attack.

Security Association (SA) and Key Exchange

Before two parties can exchange secure data that is authenticated and encrypted, those parties need to determine:

• Which algorithms will be used for the session.

• How the key exchange will take place.

• How often keys will need to change.

AH: (Authentication Header) A field that immediately follows the IP header in an IP datagram and provides authentication and integrity checking for the datagram.

ESP: (Encapsulating Security Payload) A mechanism to provide confidentiality and integrity protection to IP datagrams.


Then, the two parties need to actually exchange the keys. These values are packaged together in a Security Association (SA) to facilitate secure communication between the two systems. Authentication and confidentiality using AH or ESP use SAs. A primary role of IPSec key exchange is to establish and maintain SAs. SAs are logical, uniquely defined and uni-directional (one-way) connections between two communicating IP endpoints that provide security services to the traffic they carry using either AH or ESP procedures. The endpoints of the tunnel can be an IP host or IP security gateway, which is a VPN-enabled network device. Providing security to the more typical scenario of two-way (bi-directional) communication between two endpoints requires the establishment of two SAs (one in each direction).

Two types of SAs are defined in IPSec, regardless of whether AH or ESP is used for the session. A Transport Mode SA is a security association between two hosts that provides the authentication and/or encryption service to the higher layer protocol. Only IPSec hosts support this mode of operation. A Tunnel Mode SA is a security association applied to an IP tunnel. In this mode, an outer IP header specifies the IPSec destination and an encapsulated IP header specifies the destination for the IP packet. Both hosts and security gateways support this mode of operation, and it is considered the more secure of the two.

IPSec is controlled specifically by a security policy of both sender and receiver and one or more Security Associations (SAs) negotiated between them. An SA between the sending and receiving parties provides access control based on the distribution of cryptographic keys and traffic management relative to the AH and ESP security protocols. The SA is either one one-way relationship or two one-way relationships in complementary directions. A Security Parameter Index (SPI) uniquely distinguishes each SA from other SAs. The IPSec security policy consists of a filter list and associated actions.
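To make the header chain from Task 6D-6 and the SA discussion above concrete, here is an added Python example (not code from the course): it walks a constructed IPv4 | AH | ESP packet, reading the Protocol field (51) and the AH Next Header (50), resolves each layer to an inbound SA by destination address, SPI and protocol, and applies a sequence-number anti-replay window. Addresses, SPIs and the ESP ciphertext are constructed placeholders.

```python
"""Walk the IPv4 -> AH -> ESP header chain of a packet, resolve each layer
to its Security Association (SA) and run the anti-replay window check.
Added example with constructed packets; not code from the course."""
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_AH = 51    # 0x33, carried in the IPv4 Protocol field when AH is outermost
IPPROTO_ESP = 50   # 0x32, carried in the AH Next Header field in the AH+ESP case


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; constructed input)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64,
                       proto, 0, src, dst)


def build_ah_esp_packet(src, dst, ah_spi, esp_spi, seq, ciphertext):
    """Constructed AH+ESP transport-mode packet: IPv4 | AH | ESP. AH = next
    header, payload len (32-bit words minus 2), reserved, SPI, seq, 96-bit
    ICV (zeros here); ESP = SPI, seq, then opaque encrypted payload."""
    esp = struct.pack("!II", esp_spi, seq) + ciphertext
    ah = struct.pack("!BBHII", IPPROTO_ESP, 4, 0, ah_spi, seq) + b"\x00" * 12
    return ipv4_header(src, dst, IPPROTO_AH, 20 + len(ah) + len(esp)) + ah + esp


@dataclass
class Layer:
    proto: int
    spi: Optional[int] = None
    seq: Optional[int] = None


def parse_chain(pkt: bytes):
    """Follow Protocol / Next Header values from the IP header onward. Stops
    at ESP: its payload and trailer are encrypted, so nothing after it can
    be read from the wire (this is what the Network Monitor capture shows)."""
    off = (pkt[0] & 0x0F) * 4      # IHL in 32-bit words
    proto = pkt[9]                 # IPv4 Protocol field
    layers = []
    while True:
        if proto == IPPROTO_AH:
            nxt, plen = pkt[off], pkt[off + 1]
            spi, seq = struct.unpack_from("!II", pkt, off + 4)
            layers.append(Layer(IPPROTO_AH, spi, seq))
            off += (plen + 2) * 4  # AH length = (Payload Len + 2) words
            proto = nxt            # AH Next Header names what follows (ESP here)
        elif proto == IPPROTO_ESP:
            spi, seq = struct.unpack_from("!II", pkt, off)
            layers.append(Layer(IPPROTO_ESP, spi, seq))
            return layers
        else:
            layers.append(Layer(proto))
            return layers


@dataclass
class SecurityAssociation:
    """One-way SA; a bidirectional session needs one SA per direction."""
    spi: int
    proto: int
    dst: bytes
    window: int = 64
    last_seq: int = 0   # highest sequence number accepted so far
    bitmap: int = 0     # bit i set => sequence (last_seq - i) already seen

    def check_replay(self, seq: int) -> bool:
        """Sliding-window anti-replay check: accept and record a new
        sequence number, reject a replayed or too-old one."""
        if seq == 0:
            return False
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.window or self.bitmap & (1 << diff):
            return False
        self.bitmap |= 1 << diff
        return True


def process_inbound(sad: dict, pkt: bytes):
    """Inbound SAs are selected by (destination, SPI, protocol); every AH/ESP
    layer must map to a known SA and pass that SA's replay check."""
    dst = pkt[16:20]
    layers = parse_chain(pkt)
    for layer in layers:
        if layer.spi is None:
            continue
        sa = sad.get((dst, layer.spi, layer.proto))
        if sa is None or not sa.check_replay(layer.seq):
            return layers, False
    return layers, True


def demo():
    """Student_P -> Student_Q traffic (constructed addresses), then a replay."""
    src, dst = bytes([10, 0, 0, 16]), bytes([10, 0, 0, 17])
    sad = {(dst, 0x1000, IPPROTO_AH): SecurityAssociation(0x1000, IPPROTO_AH, dst),
           (dst, 0x2000, IPPROTO_ESP): SecurityAssociation(0x2000, IPPROTO_ESP, dst)}
    results = []
    for seq in (1, 2, 2, 3):   # the repeated 2 is a replayed packet
        pkt = build_ah_esp_packet(src, dst, 0x1000, 0x2000, seq, b"\xa5" * 16)
        layers, ok = process_inbound(sad, pkt)
        results.append(([layer.proto for layer in layers], seq, ok))
    return results
```

Running demo() shows the chain [51, 50] for every packet and the replayed sequence number 2 rejected while 1, 2 and 3 are accepted.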

For a successful deployment of IPSec, a scalable, automated SA and key management scheme is necessary. Several protocols have been defined for these functions:

• The Internet Security Association and Key Management Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, modify, and delete SAs. It also provides the framework for exchanging information about authentication and key management, but it is completely separate from key exchange.

• The Oakley Key Determination Protocol (Oakley) describes a scheme by which two authenticated parties can exchange key information. Oakley uses the Diffie-Hellman key exchange algorithm.

• The Internet Key Exchange (IKE) protocol is the default automated key management protocol for IPSec; it is the result of combining the ISAKMP and Oakley protocols.

Key exchange is closely related to the management of SAs. When you need to create an SA, you need to exchange keys, and IKE is the framework that wraps together all the required pieces and delivers them as an integrated package.

IPSec Components

The key IPSec components are described in the following table.

Component                                                                    Use
IPSec driver                                                                 Monitors, filters, and secures IP traffic.
The Internet Security Association Key Management Protocol (ISAKMP/Oakley)    Key exchange and management services to oversee security negotiations between hosts.
IP Policy Agent                                                              Looks for appropriate policies and delivers these policies to the IPSec driver and ISAKMP.
IP Security Policy and Security Association                                  Defines the security environment in which the two hosts must communicate.
Security Association API                                                     Provides the programming interface that will be used between the IPSec driver, ISAKMP, and the Policy Agent.
Management Tools                                                             Create policies, track IP security statistics, and create and log appropriate IP security events.

IPSec Tunnel and Transport Modes

In IPSec Tunnel Mode, one packet is encapsulated or tunneled in another packet, while IPSec Transport Mode secures the packet exchange end-to-end, source to destination. IPSec Tunnel Mode is used primarily for link-to-link packet exchanges between intermediary devices, like routers and gateways, while Transport Mode provides the security service between the two communicating endpoints.

Either mode can use ESP or AH packet types. Both modes require that the two clients engage in a complex negotiation involving the IKE protocol and PKI certificates for mutual authentication.

In Transport Mode, both of the end systems must support IPSec, but the intermediate systems do not have to support IPSec because they simply forward packets.

Tunnel Mode is intended for gateway-to-gateway links. In Tunnel Mode, the sender encapsulates the entire IP datagram by creating a completely new header. The ESP protocol encrypts the entire datagram, including the original IP header, and the AH protocol generates a signature for the entire packet, including both the original IP header and the new one. Therefore, the encapsulation and encryption processes create a secure tunnel through an inherently insecure network. In Tunnel Mode, only the gateways providing the security services must support IPSec. The end systems (ultimate source and ultimate destination systems) do not have to support IPSec.

IPSec and Network Address Translation (NAT)

Network Address Translation (NAT) is not compatible with the Authentication Header (AH) protocol, whether used in Transport or Tunnel Mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, which includes both data payload and headers, by appending a hash value to the packet. When using the AH protocol, the data payload within the packet is not encrypted.


The compatibility problem stems from the fact that a NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and will complain that the hash value appended to the received packet doesn’t match. The VPN device at the receiving end doesn’t know about the NAT in the middle, so it assumes that the data has been altered while in transit.

IPSec, using ESP in Tunnel Mode, encapsulates the entire original packet (including headers) in a new IP packet. The new IP packet’s source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using the ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet.

This mode (Tunnel Mode ESP with authentication) is compatible with NAT, because integrity checks are performed over the combination of the original header plus the original payload, which is unchanged by a NAT device. Transport Mode ESP with authentication is also compatible with NAT, but it is not often used by itself. Since the hash is computed only over the original payload, original headers can be rewritten.
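The following added Python example (not the course's code) shows the integrity-coverage difference behind the NAT discussion above: an AH transport-mode packet survives a router's TTL decrement but fails verification once a NAT rewrites its source address, while an ESP tunnel-mode packet still verifies and yields the unchanged inner packet after the same rewrite. Addresses and keys are constructed, and the HMAC-SHA256 counter keystream is a standard-library stand-in for the DES/3DES-CBC encryption the course configures.

```python
"""Why NAT breaks AH but not ESP tunnel mode. The AH ICV covers the IP
header's immutable fields, including the source address a NAT rewrites;
the ESP ICV covers only the ESP header and the (encrypted) inner packet.
Added example with constructed addresses and keys; not the course's code."""
import hashlib
import hmac
import struct

KEY_AUTH = b"constructed-hmac-sha1-key"
KEY_ENC = b"constructed-keystream-key"


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed input)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                       proto, 0, src, dst)


def icv(data):
    """HMAC-SHA1-96: the first 96 bits of the HMAC, as IPSec uses it."""
    return hmac.new(KEY_AUTH, data, hashlib.sha1).digest()[:12]


def ah_covered_bytes(ip_hdr, ah_fixed, payload):
    """AH authenticates the IP header with mutable fields zeroed (TOS,
    flags/fragment offset, TTL, checksum), the AH header with a zero ICV,
    and the payload. Source and destination addresses are covered."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h) + ah_fixed + b"\0" * 12 + payload


def ah_transport_packet(src, dst, payload, spi=0x1000, seq=1):
    """IPv4 | AH | payload in the clear (transport mode, next header TCP)."""
    ah_fixed = struct.pack("!BBHII", 6, 4, 0, spi, seq)
    ip = ipv4_header(src, dst, 51, 20 + 24 + len(payload))
    return ip + ah_fixed + icv(ah_covered_bytes(ip, ah_fixed, payload)) + payload


def verify_ah(pkt):
    """Recompute the AH ICV at the receiver and compare it to the one sent."""
    ip, ah_fixed, tag, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv(ah_covered_bytes(ip, ah_fixed, payload)), tag)


def keystream(spi, seq, n):
    """Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for the
    DES/3DES-CBC the course configures, so the inner packet can be recovered."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(KEY_ENC, struct.pack("!IIQ", spi, seq, ctr),
                        hashlib.sha256).digest()
    return out[:n]


def esp_tunnel_packet(gw_src, gw_dst, inner, spi=0x2000, seq=1):
    """Outer IPv4 | ESP(SPI, seq) | encrypt(inner packet | pad | pad len |
    next header 4 = IP-in-IP) | ICV. The ICV never covers the outer header."""
    padlen = (-(len(inner) + 2)) % 4
    plain = inner + bytes(range(1, padlen + 1)) + bytes([padlen, 4])
    esp_hdr = struct.pack("!II", spi, seq)
    body = esp_hdr + bytes(a ^ b for a, b in zip(plain, keystream(spi, seq, len(plain))))
    return ipv4_header(gw_src, gw_dst, 50, 20 + len(body) + 12) + body + icv(body)


def verify_esp_tunnel(pkt):
    """Check the ESP ICV, then decrypt; return the inner packet or None."""
    body, tag = pkt[20:-12], pkt[-12:]
    if not hmac.compare_digest(icv(body), tag):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    plain = bytes(a ^ b for a, b in zip(body[8:], keystream(spi, seq, len(body) - 8)))
    padlen, next_hdr = plain[-2], plain[-1]
    return plain[:len(plain) - 2 - padlen] if next_hdr == 4 else None


def nat_rewrite_source(pkt, new_src):
    """What a NAT does on the way out: replace the IP source address."""
    return pkt[:12] + new_src + pkt[16:]


def demo():
    """AH transport vs ESP tunnel, each passed through a router and a NAT."""
    host_a, host_b = bytes([10, 1, 1, 5]), bytes([10, 2, 2, 9])
    nat_public = bytes([203, 0, 113, 7])                  # constructed public address
    payload = b"USER anonymous\r\n"
    ah = ah_transport_packet(host_a, host_b, payload)
    routed = ah[:8] + bytes([ah[8] - 1]) + ah[9:]        # a router only decrements TTL
    inner = ipv4_header(host_a, host_b, 6, 20 + len(payload)) + payload
    esp = esp_tunnel_packet(bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]), inner)
    esp_natted = nat_rewrite_source(esp, nat_public)
    return {
        "ah_clean": verify_ah(ah),
        "ah_after_router": verify_ah(routed),
        "ah_after_nat": verify_ah(nat_rewrite_source(ah, nat_public)),
        "esp_icv_after_nat": verify_esp_tunnel(esp_natted) is not None,
        "esp_inner_unchanged": verify_esp_tunnel(esp_natted) == inner,
    }
```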

TASK 6F-1
Assigning Tunneling Protocols

1. In the table provided here, assign the tunneling protocols IPSec, PPTP, L2TP, SSH and Socks v5 to their corresponding OSI layers.

Layer Number  Name          Protocols
7             Application   SSH, Socks v5
6             Presentation
5             Session
4             Transport
3             Network       IPSec
2             Data Link     PPTP, L2TP
1             Physical


Topic 6G
VPN Design and Architecture

VPN configuration is often complex. Conflicts between NAT and IPSec can cause legitimate packets to be refused or dropped. Further, strong authentication of a VPN client is critical. If the client is not strongly authenticated, the enterprise is at risk of an intruder remotely taking control of the client system and gaining an open tunnel into the enterprise network.

One VPN design choice would be to require a personal firewall with built-in intrusion detection on the remote client. The personal firewall would block any inbound communication, and when intrusions are detected, it would report back to the logging server on the enterprise network.

The problem with this design is guaranteeing that the personal firewall software is always present or functional on the client side. Further, how does the enterprise network force a disconnect of the tunnel session? How does it deactivate the user’s account?

Designing an IPSec-based VPN solution involves addressing the following objectives:

• Designing an IPSec encryption scheme.

• Designing an IPSec management strategy.

• Designing negotiation policies.

• Designing security policies.

• Designing IP filters.

• Defining security levels.

VPN Implementation Challenges

Most organizations experience challenges with rolling out and deploying a VPN. In this section, you will examine some key VPN challenges and guidelines to minimize implementation-related problems and issues.

Typical challenges experienced with VPN deployment include:

• Difficulty with centralized management of client policy, configuration, and strong authentication requirements.

• Lack of protocol interoperability (for example, interoperability between NAT, IPSec, and PPTP).

• Complexity of infrastructure.

Specific challenges that an organization may experience in the process of deploying a VPN include:

• Addressing and routing.

• Administration.

Common addressing methods for VPNs include DHCP and NAT address pools. The problem is that NAT and IPSec have had compatibility problems. Some vendors, such as Cisco, are solving the problem by licensing an IPSec-over-UDP client that allows IPSec connections through NAT. The IETF is working to introduce new standards for IPSec and NAT to work together better. According to RFC 2026, established SAs would no longer be bound to IP addresses. Instead, SAs would be controlled via Host Identity Tags (HIT) and Scope Identity fields. Therefore, a VPN client system could conceivably change its IP address using Mobile IP, DHCP, PPP, or even IPv6, and still maintain the same SA with its communication partner.

security level: The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.

Also, a draft protocol called the Host Identity Protocol (HIP) would be integrated into existing IKE code, allowing IKE to work across NAT devices as well. The IETF is also working on long-term solutions to make NAT and IPSec work together better. Until new standards are established, the most popular way to overcome problems with IPSec Tunnel Mode with NAT is to use ESP Transport Mode. This allows the VPN to traverse a NAT device, such as a gateway. However, client authentication cannot be guaranteed because IP headers are not verified upon receipt. The inability to authenticate communication partners in a VPN tunnel compromises the purpose of IPSec.

The challenge for administration is to make sure that remote VPN clients have installed and configured their VPN software correctly. Also, they need to have security mechanisms in place to make sure that the client host is secure against attacks that might use the VPN connection to access the corporate network.

Other VPN challenges include:

• Authentication and key management

• Fault tolerance

• Performance

• Reliable transport

• VPN architecture

TASK 6G-1: Examining VPN-related RFCs

1. Navigate to C:\Tools\Lesson6\RFCs then open rfc-index.wri.

2. Perform a search using the keyword VPN

You should see RFC 2547 highlighted. RFC 2547 describes a method by which an Internet Service Provider may provide VPNs for its customers.

3. Identify the method used, and then close the file.

4. In C:\Tools\Lesson6\RFCs, scroll down to rfc2547.txt.

5. Scroll down to the third paragraph in section 1.1, and read the definitions for intranet and extranet. Note whether these match your understanding of these terms.

6. Close all open windows.


Topic 6H: VPN Security

A VPN is not necessarily secure. This is because a VPN is typically protected by nothing more than a weak password. Sending information over the Internet is not secure, and therefore, has the corporate world concerned—even with the advent of VPNs. In practical terms, information passing over a secure VPN will potentially be routed across several networks that are not under the control of the sender. An important part of any VPN is the encryption that will secure the data payload from unauthorized users.

Although most of the VPN solutions delivered today use Triple-DES encryption, there is a widely used, older, weaker type of encryption called DES, or Single-DES. Triple-DES, which is the type of encryption normally implemented in today’s solutions, is much more secure than Single-DES, and has never been broken. That’s how safe data passing through a secure VPN is.

Virtually all of the common encryption technologies can be used in a VPN. Most VPN equipment vendors give the user a choice. IT managers can often select anything from the 40-bit built-in encryption offered by Microsoft under Windows 95 to more robust encryption technologies like Triple-DES.

VPN vendors support a number of different authentication methods. Many vendors now support a wide range of authentication techniques and products, including such things as Kerberos, tokens, and software- and hardware-based dynamic passwords.

The primary purpose of a VPN is to secure the data in transmission. Four critical functions must be in place to ensure this.

• Data encryption, which ensures that no one who intercepts data as it travels through the Internet can read it. Most solutions delivered today use Triple-DES encryption, which is so strong that it has never been broken.

• Data integrity, which checks each data packet received from the Internet to make sure that it has not been modified during transit.

• User authentication, which ensures that only authorized people can gain access to corporate resources through a VPN. There are many different methods in which users can authenticate themselves, from very basic user name and password authentication to much more secure methods, such as digital certificates, smart cards, SecureID tokens, biometrics, and others.

• Access control, which restricts unauthorized access to the network.

A VPN must secure the data against eavesdropping and tampering by unauthorized parties. Depending on the VPN solution being implemented, there are a few ways to control the type of traffic sent over a VPN session. Many VPN devices allow you to define a user- or group-based filter, which can control IP address and protocol/port services allowed through a tunnel. In addition, IPSec-based VPNs allow you to define a list of networks to which traffic can be passed (Security Associations). The first mechanism allows the administrator to limit access to specific networks/machines and applications on their network. The second usually provides full connectivity to the private network. Allowing VPN access only in conjunction with strong authentication also prevents an intruder from successfully authenticating to your network, even if they somehow configured/captured a VPN session.


VPNs and Firewalls

Two of the most common configurations for a VPN device providing corporate remote access are to run a VPN device either in parallel to an existing firewall or behind an existing firewall. Terminating VPN sessions in front of a firewall or on a firewall itself is not as popular. There are pros and cons for all implementations.

• Placing a VPN device in parallel to an existing firewall requires no changes to an existing firewall infrastructure, but it also means that you will have two entry points into your private network. On most VPN devices, you should verify that they block all non-VPN traffic to minimize the additional security risk. Depending on how your network is set up, this will probably also require the VPN device to do some sort of address translation, or to have the ability to redirect this traffic to an existing firewall.

• Placing a VPN device behind an existing firewall forces you to make changes to the configuration of your firewall. You will also need a firewall smart enough to be able to configure a filter to pass the VPN traffic. Depending on how your network is set up, this may also allow you to make use of only one of the two or more Ethernet ports on your VPN device. This configuration is sometimes known as one-arm routing.

• Placing a VPN device in front of your firewall terminates secure traffic in a public zone. You will need to assign addresses to users from a certain block of IP addresses and open a large hole in the firewall for access from these IP addresses. A potential advantage to doing this would be that you could then use your existing firewall to control the destination of traffic, but most VPN boxes will also allow you to do this. This type of application may make more sense for trading-partner connectivity, as opposed to connectivity for remote access users.

• Implementing a VPN on an existing firewall adds some intense processing to a device whose original purpose was, simply speaking, to control network access. Some people like the simplicity of adding a service to an existing device on the network perimeter.

The use of encryption adds some additional overhead to a session. Most VPN devices, whether hardware- or software-based, will be able to process encryption for connections up to 10Base-T speeds. On a lower-speed connection like a modem, VPN processing is much faster than delays introduced by the limited bandwidth availability. Often, performance is potentially affected more by packet loss and latency on bad Internet connections than by the encryption overhead.

A VPN client typically establishes a connection with a VPN server using either L2TP over IPSec or PPTP. Keep in mind the following information related to PPTP, as it may be required for defining packet filters for VPN traffic on firewall systems:

• TCP port 1723 allows PPTP tunnel maintenance traffic to move from the PPTP client to the PPTP server.

• IP protocol type 47 allows the PPTP tunneled data to move from the PPTP client to the PPTP server.


The following information may be required for defining packet filters for L2TP over IPSec VPN traffic on firewall systems:

• UDP port 500 allows the Internet Key Exchange (IKE) traffic to access the VPN server.

• UDP port 1701 allows L2TP traffic to move from the VPN client to the VPN server.

• IP protocol ID 50 allows IPSec ESP traffic to move from the VPN server to the VPN client.

At the firewall, typically all L2TP traffic, including tunnel maintenance and tunneled data, is encrypted as an IPSec ESP payload. Figure 6-11 depicts ports and protocols associated with tunneling protocols.

Figure 6-11: Ports and protocols associated with tunneling protocols.
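The PPTP and L2TP/IPSec filter entries above, modelled as an added example in Python (not code from the course book): the rule tables encode the ports and IP protocol numbers listed in the text, the packets are constructed, and the choice to drop bare UDP 1701 at the perimeter (because L2TP reaches the firewall inside ESP) is the example's own.

```python
"""Firewall filter rules for PPTP and L2TP/IPSec VPN traffic.

Added example, not code from the course book. The rule tables encode the
ports and IP protocol numbers listed in the text; packets are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# IP protocol numbers the rules refer to
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47   # PPTP tunneled data
IPPROTO_ESP = 50   # IPSec ESP, which carries the L2TP tunnel


@dataclass(frozen=True)
class Packet:
    proto: int                      # IP protocol number
    dst_port: Optional[int] = None  # only meaningful for TCP and UDP


@dataclass(frozen=True)
class Rule:
    name: str
    proto: int
    dst_port: Optional[int] = None  # None: the protocol has no ports to match

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        return self.dst_port is None or self.dst_port == pkt.dst_port


# Client -> VPN server filters for a PPTP VPN (TCP 1723 control, GRE data)
PPTP_RULES: Tuple[Rule, ...] = (
    Rule("pptp-control", IPPROTO_TCP, 1723),
    Rule("pptp-data", IPPROTO_GRE),
)

# Client -> VPN server filters for an L2TP/IPSec VPN
L2TP_IPSEC_RULES: Tuple[Rule, ...] = (
    Rule("ike", IPPROTO_UDP, 500),
    Rule("esp", IPPROTO_ESP),
    # L2TP itself (UDP 1701) travels inside ESP, so it appears in the clear
    # only on the VPN server after the ESP payload has been decrypted.
    Rule("l2tp", IPPROTO_UDP, 1701),
)


def classify(rules: Tuple[Rule, ...], pkt: Packet) -> Optional[str]:
    """Return the name of the first rule permitting pkt, or None (drop)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name
    return None


def perimeter_decision(pkt: Packet, tunneling: str) -> Optional[str]:
    """Decision for a packet arriving at the firewall from the VPN client.

    tunneling is "pptp" or "l2tp-ipsec". Unencrypted L2TP is not expected on
    the outside of the firewall, so the perimeter drops it even though the
    VPN server host must accept it once ESP has been stripped.
    """
    rules = PPTP_RULES if tunneling == "pptp" else L2TP_IPSEC_RULES
    name = classify(rules, pkt)
    if tunneling == "l2tp-ipsec" and name == "l2tp":
        return None
    return name


def server_decision(pkt: Packet) -> Optional[str]:
    """Decision on the VPN server host, which sees L2TP after ESP is removed."""
    return classify(L2TP_IPSEC_RULES, pkt)
```

The rules are one direction only, as the text lists them; a real filter also needs the matching return-path entries (or stateful handling) for the server-to-client packets.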

VPN Authentication

In general, user authentication is based on the following principle: An entity has authenticating knowledge (what you know), possession of an authenticating device (what you have), or exhibits a required physiological characteristic (what you are). Strong authentication requires that at least two of the three factors be demonstrated.

VPN authentication protocols, which operate at the Data Link layer, include:

• Password Authentication Protocol (PAP). PAP is a weak method for authentication as it uses a cleartext authentication scheme.

• Challenge Handshake Authentication Protocol (CHAP). CHAP does not transmit the actual password and is a stronger authentication protocol than is PAP. With CHAP, remote customers use a Message Digest 5 (MD5) hash of their credentials in response to a challenge by a network access server.

• Shiva Password Authentication Protocol (SPAP). SPAP is used in mixed environments that support the Shiva Local Area Network Rover software.

• Extensible Authentication Protocol-Transaction Level Security (EAP-TLS). EAP-TLS is a Microsoft implementation of a strong authentication method that uses public key certificates.
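The PAP and CHAP difference from the list above, worked through as an added example (not code from the course book): CHAP is modelled on RFC 1994, where the peer answers a random challenge with MD5(Identifier || Secret || Challenge); the user name and secret reuse the lab's VPN1 / QWERTY1, and the framing is simplified.

```python
"""PAP versus CHAP on the wire, as an added example (not from the course book).

CHAP follows RFC 1994: the peer answers a random challenge with
MD5(Identifier || Secret || Challenge), so the secret itself never crosses
the link. Names and secrets are the lab's constructed values.
"""
import hashlib
import hmac
import os
from typing import Dict


def pap_credentials_on_wire(name: str, password: str) -> bytes:
    """PAP carries the name and password in cleartext (simplified framing)."""
    return name.encode() + b"\x00" + password.encode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """What the peer sends back: a 16-byte MD5 of id, secret and challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Network access server side of CHAP.

    Because CHAP hashes the secret together with the challenge, the server
    must hold the secret itself rather than a one-way password hash, so the
    credential store needs the same protection as the passwords.
    """

    def __init__(self, secrets: Dict[str, bytes]):
        self._secrets = secrets
        self._pending: Dict[int, bytes] = {}  # identifier -> outstanding challenge

    def challenge(self, identifier: int, size: int = 16) -> bytes:
        """Issue a fresh random challenge and remember it for one response."""
        value = os.urandom(size)
        self._pending[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Check a response; the challenge is consumed whether or not it matches."""
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def run_exchange(server: ChapAuthenticator, name: str, peer_secret: bytes,
                 identifier: int) -> Dict[str, object]:
    """One CHAP round trip; returns the result and what the link carried."""
    challenge = server.challenge(identifier)                        # server -> peer
    response = chap_response(identifier, peer_secret, challenge)    # peer -> server
    return {
        "accepted": server.verify(identifier, name, response),
        "challenge": challenge,   # visible on the wire
        "response": response,     # visible on the wire; the secret is not
    }
```

The lab's MS-CHAPv2 is a different, mutual handshake built on the NT password hash; this block models the generic CHAP named in the list.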


The IPSec authentication scheme for both AH and ESP uses the Hash-based Message Authentication Code (HMAC) authentication code, which uses a shared secret key between two parties, rather than public key methods, for message authentication. The generic HMAC procedure can be used with just about any hash algorithm, although IPSec specifies support for at least MD5 and Secure Hash Algorithm 1 (SHA-1) because of their widespread use. In HMAC, both parties share a secret key. The secret key is employed with the hash algorithm in a way that provides mutual authentication, but at the same time prevents the key from being transmitted on the line. IPSec key management procedures are used to manage key exchanges between the two parties via Security Associations (SA).
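The HMAC check described here, and the NAT problem from Topic 6G, worked through in one added example (not code from the course book): it computes an AH-style ICV over the IP header plus payload and an ESP-style ICV over the payload alone, then shows what survives a router hop and a NAT rewrite. The IPv4 header layout is real; the key, addresses and payload are constructed, and the 96-bit truncation follows IPSec's HMAC-MD5-96 and HMAC-SHA-1-96 transforms.

```python
"""HMAC integrity check values (ICVs) as IPSec AH and ESP compute them.

Added example, not from the course book. The IPv4 header layout is real;
the key, addresses and payload are constructed. The ICV is truncated to
96 bits as IPSec's HMAC-MD5-96 / HMAC-SHA-1-96 transforms do.
"""
import hashlib
import hmac
import struct
from typing import Dict

ICV_LEN = 12  # 96-bit truncated HMAC output


def _addr(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def ipv4_header(src: str, dst: str, ttl: int, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header; the header checksum is left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       _addr(src), _addr(dst))


def hmac_icv(key: bytes, data: bytes, algo: str = "sha1") -> bytes:
    """Keyed hash over the covered bytes; only a holder of the shared key can produce it."""
    return hmac.new(key, data, getattr(hashlib, algo)).digest()[:ICV_LEN]


def ah_covered_bytes(ip_hdr: bytes, payload: bytes) -> bytes:
    """AH authenticates the IP header as well, with mutable fields zeroed:
    TTL (byte 8) and header checksum (bytes 10-11) change at every hop,
    but the source and destination addresses (bytes 12-19) are covered."""
    hdr = bytearray(ip_hdr)
    hdr[8] = 0
    hdr[10:12] = b"\x00\x00"
    return bytes(hdr) + payload


def esp_covered_bytes(ip_hdr: bytes, esp_payload: bytes) -> bytes:
    """ESP's ICV covers the ESP header and (encrypted) payload only; the
    outer IP header is deliberately not part of what is authenticated."""
    return esp_payload


def verify(key: bytes, covered: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(hmac_icv(key, covered), icv)


def simulate(key: bytes) -> Dict[str, bool]:
    """Send one packet through a normal router hop and through a NAT gateway."""
    payload = b"constructed ESP/AH payload"
    original = ipv4_header("10.0.10.5", "172.16.10.1", ttl=64, proto=50)
    ah_icv = hmac_icv(key, ah_covered_bytes(original, payload))
    esp_icv = hmac_icv(key, esp_covered_bytes(original, payload))

    # A router only decrements the TTL; a NAT gateway rewrites the source address.
    after_hop = ipv4_header("10.0.10.5", "172.16.10.1", ttl=63, proto=50)
    after_nat = ipv4_header("203.0.113.7", "172.16.10.1", ttl=63, proto=50)
    tampered = payload[:-1] + b"!"

    return {
        "ah_after_router_hop": verify(key, ah_covered_bytes(after_hop, payload), ah_icv),
        "ah_after_nat": verify(key, ah_covered_bytes(after_nat, payload), ah_icv),
        "esp_after_nat": verify(key, esp_covered_bytes(after_nat, payload), esp_icv),
        "esp_tampered_payload": verify(key, esp_covered_bytes(after_nat, tampered), esp_icv),
        "esp_wrong_key": verify(b"not-the-shared-key",
                                esp_covered_bytes(after_nat, payload), esp_icv),
    }
```

This is also why the text says ESP Transport Mode gets through NAT but cannot vouch for the IP header: nothing the sender computed binds the address the receiver sees.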

Key Length

Data is transmitted securely in a VPN by using industry standard IPSec tunneling, encryption services using DES and 3DES, and MD5 and SHA-1 for message authentication. IPSec creates private end-to-end pipes, or tunnels, through the IP network, connecting the designated VPN sites to each other. Unauthorized access to the information is prevented by the encryption and authentication services, which are applied.

Encryption systems depend on two mechanisms to guarantee data confidentiality. The encryption algorithm provides the mathematical rules that convert the plaintext message to a random ciphertext message. The algorithm provides steps for converting the plaintext message with an encryption key, a block of alphanumeric data that introduces the random element into the ciphertext message. The longer the secret key is, the more time it takes for an attacker to test all possible values of the key, and determine the plaintext content of the message. In other words, data that will be of value to an attacker for a long time should be encrypted with longer keys.

TASK 6H-1: Viewing Firewall-related RFCs

1. Navigate to C:\Tools\Lesson6\RFCs and open rfc-index.wri.

2. Perform a search using the keyword firewall

If you keep clicking Find Next, you will see many hits. Stop when you see RFC 2979 highlighted. RFC 2979 describes the behavior of and requirements for Internet firewalls.

3. Close the file.

4. Navigate to C:\Tools\Lesson6\RFCs and open rfc2979.txt in Notepad.

5. Scroll down to the second paragraph in section 3.1.1, and read the transparency rule for firewalls.

6. Close all open windows.


Topic 6I: Configuring a VPN

Built into Windows 2003’s Routing And Remote Access Service (RRAS) is a single, integrated service that terminates connections from either dial-up or Virtual Private Network (VPN) clients. With RRAS, your Windows 2003 Server can function as a remote access server, a VPN server, a gateway, or a branch-office router. You can allow users ready access to the network through the Internet by implementing a VPN, therefore greatly reducing direct dial-up costs. Windows 2003 VPNs can be created by using either PPTP or L2TP.

In this topic, you will build a VPN, and the tasks will require three computers. One computer will be configured as the internal resource, a simple FTP site. The second computer will be the VPN Server, and this machine will require two network cards. One of the cards on this server will be the connection to the private network, and the other will be the connection to the remote client. The third computer will function as the network client, the one making the access via the VPN. The computers will be called: VPN Server, Internal Server, and VPN Client.

About the Tasks

In this task, you will work in pairs, with one student configuring the VPN Server and the other configuring the VPN Client. The Internal Server is a simple web page, or ftp site, hosted on the instructor computer, as part of the internal network.

TASK 6I-1: Configuring the VPN Server

Note: Complete this task only if you are designated as the VPN Server.

Note: The VPN Server in these tasks requires a second network card. This can be an integrated or non-integrated network card. Upon completion of the VPN tasks, this second network card can be either removed or disabled for the remainder of the class.

1. Enable the second network card on the server.

2. Assign the second network card with the following IP Address information:

• IP 10.0.10.x (replace x with your seat number)

• SM 255.255.255.0

• DG This can be left blank

3. Open a command prompt and verify your NIC and IP Address configuration by entering the command ipconfig /all


4. Verify that you have one NIC with an address of 172.16.x.x or 172.18.x.x based on your location in the classroom. Your second NIC has an address of 10.0.10.x based on your location in the classroom.

5. Write down your 172.16.x.x address as your Internal NIC and your 10.0.10.x address as your External NIC.

6. Choose Start→Administrative Tools→Configure Your Server Wizard. At the Welcome screen, click Next.

7. Verify you have met the requirements at the Preliminary Steps screen, and click Next. The system will now detect your network settings and configuration.

8. Select the Custom Configuration radio button, and click Next.

9. Select the Remote Access / VPN Server, and click Next.

10. In the Summary Of Selections, verify that you are going to run the Routing and Remote Access Server to set up routing and VPN, then click Next. The RRAS Wizard will open at this time.

11. At the RRAS Setup Wizard, click Next.


12. Select the Virtual Private Network (VPN) Access and NAT radio button, and click Next.

13. Select your VPN Network adapter. In this task, this is the NIC that you have assigned the 10.0.10.x IP address to.

14. Leave the Basic Firewall check box checked, and click Next.


15. Select your internal network for the clients to connect to, and click Next.

16. In the IP Address Assignment screen, select the From A Specified Range Of Addresses radio button and click Next.

17. In the Address Range Assignment screen, click the New button.

18. These are the IP Addresses of the internal network.

Enter a small range, based on your seating in the classroom, click OK, verify your addresses are correct, and click Next.


19. At the Network Selection window, select the network that has access to the Internet, and click Next. This is usually the same network as your internal resource network.

20. At the Name & Address Translation Services window, leave the default of basic name and address services, and click Next. If your system does not show this window, continue to the next step.

21. Review the Address Assignment Range, and click Next. If your system does not show this window, continue to the next step.

22. For this lesson, you will authenticate locally, so leave the No, Use RRAS To Authenticate Connection Requests radio button selected, and click Next.

23. Review your settings, and click Finish. (If you get a prompt to configure relaying of DHCP messages, click OK.)


24. The Remote Access / VPN Server will now start. Click Finish.

25. Close the Manage Your Server window.

VPN Clients

Generally, the configuration on the client side of the VPN is minimal. The client needs to know how to make the connection, and needs proper credentials to authenticate and use the VPN. In the following task, you will prepare the VPN Server to accept VPN clients.

TASK 6I-2: Configuring VPN Clients

Setup: Complete this task if you are designated as the VPN Server.

1. Choose Start→Administrative Tools→Computer Management.

2. Expand Local Users And Groups (under system tools).

3. Right-click Users and choose New User.

4. In the User Name text box, type VPN1, and enter and confirm a password of QWERTY1

Uncheck the box to change password at next logon, and click Create.

5. Click Close. One client account is enough for testing purposes.

6. Double-click the new VPN1 user account, and click the Dial-in tab.


7. Select the Allow Access radio button and click OK.

8. Close the Computer Management window.

9. Choose Start→Administrative Tools→Routing And Remote Access.

10. Expand your server_name and click Remote Access Policies.

11. Right-click Remote Access Policies, and choose New Remote Access Policy.

12. In the New Remote Access Policy Wizard, click Next.

13. Leave the Use The Wizard To Set Up A Typical Policy For A Common Scenario radio button selected.

14. In the Policy Name text box, type VPN_Policy_1 and click Next.

15. In the Access Method window, select the VPN radio button and click Next.

16. In the User Or Group Access window, select the User radio button and click Next.

17. For the Authentication Method, ensure that only MS-CHAPv2 is checked, and click Next.


18. For the Policy Encryption Level, only check the box for Strongest Encryption (MPPE 128-bit) and click Next.

19. Review the settings for this policy, and click Finish.

Establishing the VPN

The following task will require steps on both the VPN Server and on the VPN Client computers. The VPN Client will connect to the VPN Server, receive an IP Address and join the private network. The VPN Server will verify the connection is active, and the VPN Client will then access a resource located on the Internal Server.

In addition to the VPN Client and the VPN Server, to show the VPN to a higher level, if there is enough time in the class, create a resource server for the VPN client to connect to. In the following task, the FTP Server is designed to be running on the instructor machine, in the middle segment.


TASK 6I-3: Establish the VPN

Note: Perform step 1 through step 15 on the VPN Client.

1. Open the TCP/IP Properties of your network card. Edit the IP Address to be a node on the 10.0.10.X/24 network. You can replace the X with your seat number.

2. Close the properties of your network card.

3. Open a command prompt.

4. Enter ipconfig to verify your IP Address configuration.

5. Choose Start→Control Panel→Network Connections→New Connection Wizard.

6. In the New Connection Wizard, click Next.

7. Select the Connect To The Network At My Workplace radio button and click Next.

8. Select the Virtual Private Network Connection radio button and click Next.

Note to the instructor: The Instructor machine requires a resource for the VPN client to connect into. Enable the FTP Service on your machine, and use that for your students. If your class has enough time, run a packet capture on each machine to perform a packet analysis of the connection and ftp site access.


9. In the Company Name text box, type SCP VPN and click Next.

10. Enter the IP Address that is assigned to the External NIC of the VPN Server, and then click Next.

Note: The external IP Address is the one in the 10.0.10.x range.

11. Select the My Use Only radio button and click Next.

12. To complete the creation of the new connection, click Finish.

13. In the screen to connect to the SCP VPN, in the User Name field, type VPN1, in the Password field, type QWERTY1, and then click Connect.

14. Open a command prompt, and enter ipconfig /all


15. Note that you have been assigned an IP Address from the VPN Server, and that the IP Address is part of the Internal network.

Note: Perform step 16 through step 19 on the VPN Server.

16. Choose Start→Administrative Tools→Routing And Remote Access.

17. Expand your Server name.

18. Click Remote Access Clients.

19. In the right pane, double-click the connection to see the IP Address that was assigned, and other statistics.

Note: Perform step 20 through step 24 on the VPN Client.

20. In the command prompt, enter ftp 172.17.10.1

(If your instructor changed the IP Address of the Internal Server, use the address as provided.)

21. Enter anonymous as the username with no password.

22. Once connected, enter dir to list the contents of the ftp site.

23. When done browsing the ftp site, enter bye to end the session.

24. Close all windows.

Returning the Classroom Setup to its Original State

To ensure the remaining tasks in this course work properly, the VPN implementation lab must be torn down, and the classroom environment returned to its original state. Be sure not to skip this quick section.

TASK 6I-4: Restoring the Classroom Setup

1. On the VPN Server, choose Start→Administrative Tools→Configure Your Server Wizard.

2. In the Welcome Screen, click Next.

3. In the Preliminary Steps Wizard, click Next.

4. Click Remote Access / VPN Server, and click Next.

5. Check the Remove The Remote Access/VPN Server Role check box and click Next.

6. At the prompt that you are disabling the router, click Yes.


7. When the VPN Server Role has been removed, click Finish.

8. Disable the External NIC on the VPN Server.

9. Open a command prompt, and ensure that you are only running the Internal NIC with the 172.x.x.x address by entering ipconfig

Note: Perform step 10 through step 14 on the VPN Client.

10. On the VPN Client, choose Start→Connect To→Show All Connections.

11. Right-click the SCP VPN connection, and choose Delete.

12. In the confirmation prompt, click Yes.

13. Open the properties of your NIC and return the IP Address to your original configuration (the 172.x.x.x address), then click OK.

14. Close all windows.

Summary

In this lesson, you worked with a Microsoft Management Console (MMC). You configured an MMC and viewed the default or built-in IPSec policies. You then created custom IPSec policies. You implemented and tested these policies. You also took a first look at implementing filter lists and experimented with a couple of authentication methods—preshared keys and certificates.

Lesson Review

6A What are the two protocols in IPSec that are used to protect network traffic?

The Encapsulating Security Protocol (ESP) and the Authentication Header (AH).

What are the two main modes of implementation for IPSec?

Transport Mode and Tunnel Mode.

If you are going to set up a VPN with IPSec, what mode will you probably use?

Tunnel Mode.

6B What are the three default IPSec policies in Windows 2003?

Server (Require Security), Server (Request Security), and Client (Respond Only).

What integrity algorithms are supported in Windows 2003 IPSec?

MD5 and SHA-1.



What encryption algorithms are supported in Windows 2003 IPSec?

DES and 3DES.

6C What authentication methods are supported in the Windows 2003 implementation of IPSec?

Kerberos, Certificates, and Preshared Keys.

What are the default key lifetimes?

A new key is generated for every 100 MB of data exchanged between the two IPSec devices or every 15 minutes, whichever is earlier.

6D When would ESP’s integrity check be most usefully employed?

When implementing IPSec in Tunnel Mode. ESP’s integrity check at the tunnel endpoint will ensure the integrity of the payload (including the encapsulated packet, internal IP headers, and all other data).

Using filters, it is possible to explicitly control IPSec traffic.

6E Describe all of the key components of a VPN.

VPN server, VPN client, tunnel, VPN connection, tunneling protocols, tunneled data, and transit network.

Identify the key VPN tunneling protocols.

PPTP, L2TP, and IPSec.

6F What are the differences between the tunneling protocols PPTP and L2TP?

PPTP uses separate channels—a control stream that runs over TCP, and a data stream that runs over GRE. L2TP uses UDP. PPTP is generally associated with Microsoft, and Microsoft uses MPPE for encryption. L2TP uses IPSec for encryption.

What are the differences between IPSec Tunnel and Transport Modes?

In IPSec Tunnel Mode, one packet is encapsulated or tunneled in another; while IPSec Transport Mode secures the packet exchange end-to-end, source to destination. IPSec Tunnel Mode is used primarily for link-to-link packet exchanges between intermediary devices like routers and gateways. Transport Mode provides the security service between the two communicating endpoints.

What is a Security Association (SA)?

A Security Association (such as ISAKMP) determines which algorithms will be used for the session, how the key exchange will take place, and how often keys will need to change.

What are the two types of SAs?

Transport Mode SA and Tunnel Mode SA.


How does IKE relate to ISAKMP and Oakley?

ISAKMP defines procedures and packet formats to establish, negotiate, modify, and delete SAs. It also provides the framework for exchanging information about authentication and key management, but it is completely separate from key exchange. Oakley describes a scheme by which two authenticated parties can exchange key information. Oakley uses the Diffie-Hellman key exchange algorithm. IKE is the result of combining both ISAKMP and Oakley protocols.

6G Identify key design issues related to IPSec VPNs.

IPSec encryption scheme, IPSec management strategy, negotiation policies, security policies, IP filters, and security levels.

Identify specific challenges associated with VPN implementation.

Difficulty with centralized management of client policy, configuration, and strong authentication requirements; lack of protocol interoperability (for example, interoperability between NAT, IPSec, and PPTP); complexity of infrastructure; addressing and routing; and administration.

6H What is PAP? What is CHAP? Briefly describe the differences between them.

PAP and CHAP are both authentication protocols. PAP uses cleartext authentication, while CHAP relies on encryption mechanisms.

Describe the security issues related to having a VPN server in front of the firewall (exposed to the Internet connection) or having a VPN server (in the DMZ) behind the firewall.

By placing a VPN device in front of your firewall, you will be terminating secure traffic in a public zone. You will need to assign addresses to users from a certain block of IP addresses and open a large hole in the firewall for access from these IP addresses. A potential advantage to doing this would be that you could then use your existing firewall to control the destination of traffic, but most VPN boxes will also allow you to do this.

By placing a VPN device behind an existing firewall, you will need to change the configuration of your firewall. You will also need a firewall smart enough to be able to configure a filter to pass the VPN traffic. Depending on how your network is set up, this may also allow you to make use of only one of the two or more Ethernet ports on your VPN device.

If a VPN server is using PPTP, which ports would you need to provide access through a firewall system?

TCP port 1723 allows PPTP tunnel maintenance traffic to move from the PPTP client to the PPTP server.

IP protocol type 47 allows the PPTP tunneled data to move from the PPTP client to the PPTP server.


Which ports are associated with L2TP and a VPN?

UDP port 500 allows the Internet Key Exchange (IKE) traffic to access the VPN server.

UDP port 1701 allows L2TP traffic to move from the VPN client to the VPN server. IP protocol ID 50 allows IPSec ESP traffic to move from the VPN server to the VPN client.

What are security vulnerabilities of a VPN? What technologies can be used with a VPN to make it more secure?

Key management is a critical security vulnerability of a VPN. PKI technologies can be used with a VPN to make it more secure.

6I What is the encryption standard supported by Microsoft’s implementation of PPTP?

MPPE.

What are the transport protocols used by PPTP and L2TP?

PPTP uses TCP, and L2TP uses UDP.


Lesson 7: Designing an Intrusion Detection System

Overview

In this lesson, you will be introduced to the concepts surrounding one of the areas critical to the defensive network protection scheme—the Intrusion Detection System. This system, in conjunction with the firewall technologies in place, is the basis for a very solidly defended network. The Intrusion Detection System will be used to detect when an intruder is attempting penetration of the network or tampering with the firewalls.

Objectives

To design an Intrusion Detection System, you will:

7A Examine the goals of Intrusion Detection Systems.

Given the components of Intrusion Detection Systems, you will describe how the components interact to accomplish the goals of intrusion detection.

7B Describe the technologies and techniques of intrusion detection.

Given a scenario of users in a network, you will examine the process of intrusion detection and how behavioral use is implemented in the IDS.

7C Describe host-based IDSs.

Given a network of connected hosts, you will describe how host-based IDSs identify an intrusion.

7D Describe network-based IDSs.

Given a network of connected hosts, you will describe how network-based intrusion detection systems identify an intrusion.

7E Examine the principles of intrusion detection data analysis.

Given an example signature of an incident, you will examine the concepts and methods of data analysis.

7F Describe the methods of using an IDS.

Given network scenarios, you will identify multiple uses of IDS for detection of, monitoring of, and anticipation of attacks.

Data Files: none

Lesson Time: 2 hours

LESSON

7

Lesson 7: Designing an Intrusion Detection System 369


7G Define what an IDS cannot do.

Given a network situation, you will identify the functions an IDS cannot complete.


Topic 7A: The Goals of an Intrusion Detection System

As the months and years go by, security professionals have an increasingly difficult task of keeping the network secure. What makes this job so difficult? Is it the fact that there are more threats than ever? Perhaps, but there is more to it than that. Is it the fact that there are more people on the Internet year after year? It contributes, but there is more to it than that, too.

As you build complex interconnected networks, where partners from the outside require access to the inside, where you have employees telecommuting, and where you have internal connections to external suppliers, the problem grows. It is the very nature of the industry to become even more connected.

This connection comes with a price: the extreme difficulty of securing the network. In order for networks to continue to grow and be functional, there must be a certain degree of trust built into the systems. On top of that trust, however, there must be verification of it. The method most often employed by organizations today is a solid Intrusion Detection System (IDS).

The three general components of network security from a need perspective are shown in Figure 7-1.

Figure 7-1: Components of network security.

Most security analysts and professionals are at least familiar with these concepts. Over the last 30 years or so, most organizations focused the vast majority of their time, energy, and budget on prevention. The logic seemed obvious: if it were possible to stop the majority of threats from getting in, then the network could be reasonably secured.

Then came the networks of today. These complex, interconnected networks do not have a clear-cut boundary where the goal is simply to keep the bad people out and the good people in. Reliance on the perimeter defense of a firewall alone is no longer adequate.

Perhaps even more of an issue is the fact that most organizations do not have systems in place to detect the very attacks that can lead to financial loss. This again shows that the firewall defense is not enough. The ability to detect intrusions that get through the defenses is critical to the overall security of the network.

What is Intrusion Detection?

Before you can get into a detailed definition of intrusion detection, let's return briefly to the standard network defense system. The common method for protecting the network is to follow the layered defense policy. While this is a solid base for network security, it does have its limitations.


A common analogy for this problem is the castle (or fortress) structure of centuries ago. As discussed earlier, the fortress would have a large, thick stone wall surrounding the main structure. There would perhaps be a large moat on the outside of the wall, with only a large drawbridge as an entrance.

This presented a solid defense, and there are many recorded instances of a small group of soldiers holding off many times their number of attackers. The question then arises: if the defense was so strong, why did the fortress model fade away?

The attackers got smarter. They realized that attacking the front door was effective at times, but the losses could be enormous to gain entry. The attackers also realized that the soldiers inside the fortress seemed to be getting new supplies, but no one was seen going through the front door. This indicated a hidden door elsewhere, as was often the case. This hidden back door would be the key to the attackers capturing the fortress.

What is the solution to the back door? Many in the fortress assumed the back door was secure, and with all the fighting at the front, there were few resources left to guard the hidden entrance.

The swarming attackers, once inside, would seize the fortress from the inside out, quickly overwhelming the one soldier left to guard this door. Had a solid intrusion detection system been in place, odds are that the fortress would not have fallen so quickly.

Although this is a fun analogy (except for the soldiers!), it is quite correct. Today's modern networks are well guarded with firewalls. But there needs to be a way to know if someone is trying to get through a side door or a hole in the firewall, or if people on the "inside" of the firewall need monitoring.

The solution of adding layers may help with the defense, but as layers are added, the function of the network often suffers. It becomes more tedious to allow a single connection through from a remote supplier when there are five layers to navigate.

This is where intrusion detection comes in. By itself, intrusion detection will not prevent access to resources. However, it is a method to use in identifying criminal activity, assisting in gathering evidence, and, perhaps most importantly, indicating attacks in progress.

Intrusion detection is the process of detecting and responding to computer and/or network misuse. Throughout this lesson, you will be introduced to the different options for detection and the ways to define misuse. Some of the questions you will need to answer are:

• What constitutes an intrusion?

• What is our definition of detection?

• What is our definition of misuse?

• How will we define a false-positive?

• How will we define a false-negative?


Some Intrusion Detection Definitions

As you get further into this lesson, you need to be aware of some of the common IDS terms and their definitions. There are many definitions of IDS terms; the ones that follow are intended to give you a basic level of understanding. This is not intended to be a complete glossary, but the terms that are required for this lesson and the discussion of IDSs are listed in the following table.

Term                      Definition
Intrusion                 Unauthorized access to, and/or activity in, an information system.
Misuse                    Improper use of resources inside the organization, regardless of intention.
Intrusion detection       The process of detecting unauthorized access, or attempted unauthorized access, to resources.
Misuse detection          The process of detecting unauthorized activity that matches known patterns of misuse.
Anomaly detection         The process of detecting any variation from acceptable network use and activity, based on known patterns of use.
Vulnerability scanners    Tools that examine systems to locate problems or areas that could indicate security vulnerabilities.
Security vulnerabilities  A feature or error found in system software or system configurations that provides a method of entry for an attacker, or provides an opportunity for misuse.

Some of the groups that you might want to research for further definitions and standards on IDS are: the Recent Advances in Intrusion Detection (RAID) group, the Intrusion Detection Sub-Group (IDSG) of the President's National Security Telecommunications Advisory Committee (NSTAC), and the Intrusion Detection Systems Consortium (IDSC).

The IDS Matrix

Figure 7-2 is an interesting true-false matrix showing the relationship between IDS configurations and alarms going off, or not, in response. Very simply put, any IDS has to be trained to look for trouble by programming in one or more signatures, where a signature is a representation of a pattern of traffic or behavior that spells trouble.


Figure 7-2: The classic true-false matrix of IDS.

Think of a police officer who has just pulled over a car. The officer walks over and asks the driver for his license and registration. The driver starts to reach into his jacket.

To a trained officer, this is a signature action, representative of someone reaching for a handgun. According to the training the officer has received, an alarm should go off in his head. He should yell at the driver to freeze, then very firmly order the driver to step out, and search him for a handgun.

Now, in the above scenario, if the officer does discover a handgun, it is representative of a true-positive. If there is no handgun, it is representative of a false-positive.

Let's change the scenario a bit. If the officer is not trained well, the action of the driver reaching into his jacket will not be seen as the signature action of someone reaching for a handgun. According to the training the officer has received, no alarms go off in his head. He doesn't yell at the driver to freeze. You might say here that the officer has been inadequately programmed.

In this changed scenario, the officer does not see the action of the driver reaching into his jacket as a threat. If the driver simply pulls out his license and registration from his jacket, it is representative of a true-negative. However, if the driver does pull out a handgun, it is a false-negative!

As much as most of us would want to live in a world of the true-negative, that is unfortunately not the case. There are large numbers of true-positives (still OK) and many false-positives that you have to put up with. Then there is the complacent but dangerous world of false-negatives.

To summarize:

• If the configuration of signatures is right for the environment the IDS is in, so that the alarm decision matches what actually happened, the state of the IDS is TRUE.

• If the configuration of signatures is not right for the environment the IDS is in, so that the alarm decision does not match what actually happened, the state of the IDS is FALSE.

• If the alarm goes off, the result is said to be POSITIVE.

• If the alarm does not go off, the result is said to be NEGATIVE.

Given the previous analogy with respect to an IDS, you can define the states in the following table.


State           Description
True-positive   An alarm indicates an intrusion, and there is an actual intrusion.
False-positive  An alarm indicates an intrusion, but there is no actual intrusion.
True-negative   No alarm occurs, and there is no actual intrusion.
False-negative  No alarm occurs, but an actual intrusion is carried out.
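The table defines the four states; the following added example (Python, not part of the course text) runs a small signature set over constructed, pre-labelled events and files each one into the matrix, then derives the detection rate and false-alarm rate from the counts. The signature names, the log field layout and the sample lines are invented for illustration.

```python
"""Scoring an IDS signature set with the true/false matrix.

Added example, not part of the course text. A tiny signature set is run over
constructed, pre-labelled events (each carries whether it really was an
intrusion), and every event is filed as true-positive, false-positive,
true-negative or false-negative exactly as the table above defines them.
The signatures, the field names and the sample log lines are invented for
illustration.
"""
import re
from collections import Counter

# Signatures the IDS has been "trained" with: patterns that spell trouble.
SIGNATURES = {
    "telnet-connection": re.compile(r"\bdport=23\b"),
    "ping-of-death": re.compile(r"proto=icmp\b.*\blen=(\d+)"),
}


def alarms(event: str) -> set:
    """Return the names of every signature the event line matches."""
    hits = set()
    for name, pattern in SIGNATURES.items():
        m = pattern.search(event)
        if not m:
            continue
        # Ping of Death only counts when the reassembled datagram exceeds 65535 bytes.
        if name == "ping-of-death" and int(m.group(1)) <= 65535:
            continue
        hits.add(name)
    return hits


def classify(alarm_raised: bool, actual_intrusion: bool) -> str:
    """Map (alarm?, really an intrusion?) to the four states of the IDS matrix."""
    if alarm_raised and actual_intrusion:
        return "true-positive"
    if alarm_raised and not actual_intrusion:
        return "false-positive"
    if not alarm_raised and actual_intrusion:
        return "false-negative"
    return "true-negative"


# Constructed, labelled sample events: (log line, was it really an intrusion?).
EVENTS = [
    ("src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=23", True),                 # attacker's telnet
    ("src=10.0.0.7 dst=10.0.0.9 proto=tcp dport=23", False),                # sanctioned admin telnet (policy exception)
    ("src=10.0.0.5 dst=10.0.0.9 proto=icmp len=65600", True),               # oversized ping
    ("src=10.0.0.8 dst=10.0.0.9 proto=icmp len=84", False),                 # ordinary ping
    ("src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=22 auth=fail n=20", True),  # brute force: no signature for it
    ("src=10.0.0.8 dst=10.0.0.9 proto=tcp dport=80", False),                # normal web traffic
]


def score(events=EVENTS) -> Counter:
    """Count how many events land in each cell of the matrix."""
    counts = Counter()
    for line, truth in events:
        counts[classify(bool(alarms(line)), truth)] += 1
    return counts


def rates(counts: Counter) -> dict:
    """Detection rate (intrusions caught) and false-alarm rate (benign events that alarmed)."""
    tp, fp = counts["true-positive"], counts["false-positive"]
    tn, fn = counts["true-negative"], counts["false-negative"]
    return {
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_alarm_rate": fp / (fp + tn) if fp + tn else 0.0,
    }


if __name__ == "__main__":
    c = score()
    print(dict(c), rates(c))
```

Two of the sample lines are chosen to land in the "false" cells on purpose: the sanctioned administrator's telnet session alarms because the exception was never entered into the IDS (a false-positive), and the SSH brute force passes silently because no signature covers it (a false-negative). That is exactly the pair of failure modes the police-officer analogy describes.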

IDS Components

An IDS in a network of today is a group of processes working together, and, in virtually every case, these processes run on different computers and devices across the network. The very nature of an IDS has grown beyond its rather simple name. Today's IDS is much more than detection of intrusion. Most IDSs will have the ability to do one or more of the following:

• Recognition of patterns associated with known attacks.

• Statistical analysis of abnormal traffic patterns.

• Assessment and integrity checking of defined files.

• Monitoring and analysis of user and system activity.

• Network traffic analysis.

• Event log analysis.

Although the systems vary from vendor to vendor, these features of IDSs have similar requirements for implementation. The following components are generic, meaning that most IDS applications will have them in one form or another.

The Command Console

The command console is where the IDS is monitored and managed. It maintains control over the IDS components, and the console should be accessible from any location the security team works from. Generally, the command console is a dedicated machine, and it maintains open channels to the network sensors over encrypted paths.

The Network Sensor

Network sensors are programs that run on network devices, on dedicated machines, or both, on essential network segments. The network sensors may be defined as agents, and they are often configured in promiscuous mode. Sensor placement is critical in the network because there could be thousands of targets that need monitoring.

When all networks used hubs, you could place a sensor on any port of the hub, since a hub repeats all traffic out of all of its ports, and the sensor could see any anomalous traffic on the segment. The conversion to switches changed this. A switch sends each frame only to the port of the correct destination host, so a sensor plugged into an ordinary switch port sees only broadcasts and the traffic addressed to itself, and may miss the communication it is meant to monitor.

To address this issue, a common configuration technique is to use switches that have a monitoring port on them (much of the newer networking equipment has this), and connect the IDS sensor to this port.


These ports are known as Switched Port ANalyzer (SPAN) ports. A SPAN port can be configured by the security professional to mirror all switch transmissions, or those of selected ports or VLANs, so that the single port can be used by the IDS to monitor the designated traffic. One caveat: a SPAN port has the bandwidth of a single port, so when it mirrors several busy ports, or both directions of a full-duplex link, the switch may have to drop mirrored frames, and the IDS will silently miss them.

The Network Tap

The network tap is a hardware device that sits in line on the network link, can be rack mounted, and, to the untrained eye, can appear to be a hub or a switch. As part of an IDS, the network tap, which has no IP address, passes a copy of the traffic on the link to the sensor; the sensor performs the detection and sends an alert when an intrusion is detected.

Having a network tap in your network-based IDS will make the overall system more secure, as attacking the hardware device is not an effective technique for the vast majority of attackers: a passive tap has no address and no management interface on the monitored link for them to reach. Although widely considered a solid tool in your IDS arsenal, there are design issues you will have to overcome for proper tap deployment.

Network taps require the monitoring of two data streams, one for each direction of your full-duplex network traffic. Although you will be able to monitor your network's traffic using two streams, this might present a cumbersome solution for your environment. Newer products are designed to combine the two streams so that you need only one connection from the tap to monitor all traffic; keep in mind that combining both directions of a link onto a single monitoring port of the same speed can oversubscribe that port under heavy load.

Alert Notification

Alert notification is the portion of the system that is responsible for contacting the incident handler. Modern IDSs can provide alerts via many options, such as pop-up windows, audible tones, paging, email, and Simple Network Management Protocol (SNMP) traps.

Realistic Goals of IDS

Although the goals of intrusion detection vary from organization to organization, there are two that can generally be counted on being present. The two general goals, aside from the initial detection itself, are response and accountability.

The IDS Response

When discussing the response of an IDS, one must first recognize what it is. A response is the end result of an IDS analyzing data. The end result is a result calling for action. The action is what must be defined.

The most common response is not quite as exciting as many security professionals would like: it is a simple entry placed in the log file. Even though the log file entry does not have the glamour of a Hollywood intrusion response, it may turn out to be the most useful. The log file report has the data that many organizations will use in determining the overall IT security budget.

Other responses can include a trigger that will issue a call to the security architect's pager, or a pop-up window or email message. During an attack, the response can also be the ability to have the network modify itself. A command may be issued to change or block port numbers, or to disable services. This response during an attack can prove to be the vital element that keeps the network from compromise. Be aware that an automatic block is also a lever the attacker can pull: if the source address of the triggering traffic is spoofed, the response may end up blocking a legitimate host.

SNMP (Simple Network Management Protocol): A protocol, carried over TCP/IP, used to monitor and manage network communications devices; an IDS can deliver its alerts as SNMP traps to an existing network management station.

Exercise caution in determining the level of response to incidents. Aggressive or offensive responses may open up the organization to serious legal issues. It is suggested that legal counsel be consulted during response decisions.


Accountability

Having the response options is a valuable portion of all IDSs and should be configured as part of the network security policy, but many systems must provide proper accountability as well. This accountability provides the option to trace the misuse event or intrusion to the responsible party.

Accountability is one of the hardest tasks in implementing an IDS, given that users change systems and attacks can come from spoofed sources. It is a critical step in the overall protection of a network, however, and this becomes even more evident in the event that the organization pursues legal avenues against an attacker. Ideally, the accountability system will enable the security professional to locate not only the computer used in the attack, but its physical location and, if possible, the user who initiated the attack.

TASK 7A-1: Describing Alarms

1. Describe the differences between a false-positive alarm and a false-negative alarm.

A false-positive is when an alarm indicates an intrusion when there is no actual intrusion. A false-negative is when an alarm does not occur when an actual intrusion is carried out.

Topic 7B: Technologies and Techniques of Intrusion Detection

Now that you are armed with the basics of intrusion detection, let's build on your new knowledge. The next step is to investigate the technologies and techniques commonly associated with IDSs.


The Intrusion Detection Process

To further define how an IDS functions, let's examine a case with an IDS in action. In this example, you will look at a system in an Ethernet network with the sensor running in promiscuous mode, sniffing packets off the local segment.

1. A host creates a network packet. So far, nothing is known other than that a packet exists that was sent from a host in the network.

2. The sensor on the network reads the packet in real time off the network segment. This sensor needs to be placed so it can read the packet.

3. The detection program in the sensor matches the packet against known signatures of misuse. When a signature is detected, an alert is generated and sent to the command console.

4. The command console receives the alert, and in turn notifies the designated person or group of the detection. (The notification is done via a predefined method: email, pop-up window, page, and so on.)

5. The response is created in accordance with the programmed response for this matching signature.

6. The alert is logged for future reference, either locally or in a database.

7. A summary report is created with the incident detailed.

8. The alert is viewed with other historical data to determine if there is a pattern of misuse or to indicate a slow attack.
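The eight steps above are one pipeline. The following added example (Python, not course code) implements steps 2 through 8 in miniature: a sensor matches packets against two signatures and passes alerts to a console that notifies, logs, reports, and correlates each new alert with that source's history, so that a port scan spread out at one SYN every ten minutes, which no single packet reveals, is still reported. The packet records, the open-port list for the monitored host and the scan thresholds are constructed.

```python
"""Sensor-to-console pipeline with long-term alert correlation (steps 2 to 8).

Added example, not course code. A sensor matches packets against signatures
(step 3) and hands alerts to a console that notifies, logs and summarises
them (steps 4, 6 and 7); the console then checks each new alert against its
history (step 8) to spot a slow port scan that no single packet reveals.
The packet records, the list of open ports on the monitored host and the
scan thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: int          # seconds since the start of the capture
    src: str
    dst: str
    dport: int
    flags: str       # TCP flags, "S" for a bare SYN


@dataclass(frozen=True)
class Alert:
    ts: int
    src: str
    dst: str
    signature: str
    detail: str


OPEN_PORTS = {22, 80, 443}    # constructed: services the monitored host 10.0.0.9 really runs


class Sensor:
    """Step 3: match every packet against the known signatures, emit alerts to the console."""

    def __init__(self, console):
        self.console = console

    def read(self, pkt: Packet) -> None:
        if pkt.flags == "S" and pkt.dport not in OPEN_PORTS:
            self.console.receive(Alert(pkt.ts, pkt.src, pkt.dst, "syn-to-closed-port", f"dport={pkt.dport}"))
        if pkt.flags == "S" and pkt.dport == 23:
            self.console.receive(Alert(pkt.ts, pkt.src, pkt.dst, "telnet-attempt", "policy forbids telnet"))


class Console:
    """Steps 4, 6, 7 and 8: notify, log, report, and correlate alerts with history."""
    SCAN_WINDOW = 3600   # seconds of history examined for one source
    SCAN_PORTS = 5       # distinct closed ports from one source inside the window

    def __init__(self):
        self.log = []                        # step 6: alert log
        self.notifications = []              # step 4: what the incident handler is told
        self.history = defaultdict(list)     # step 8: per-source alert history

    def receive(self, alert: Alert) -> None:
        self.notifications.append(f"{alert.signature} from {alert.src} ({alert.detail})")
        self.log.append(alert)
        if alert.signature == "syn-to-closed-port":
            self._correlate(alert)

    def _correlate(self, alert: Alert) -> None:
        # Keep only this source's alerts inside the window, then count distinct ports probed.
        recent = [a for a in self.history[alert.src] if alert.ts - a.ts <= self.SCAN_WINDOW]
        recent.append(alert)
        self.history[alert.src] = recent
        ports = {a.detail for a in recent}
        already = any(n.startswith(f"slow-port-scan from {alert.src}") for n in self.notifications)
        if len(ports) >= self.SCAN_PORTS and not already:
            self.notifications.append(
                f"slow-port-scan from {alert.src}: {len(ports)} closed ports within {self.SCAN_WINDOW}s")

    def summary_report(self) -> dict:
        """Step 7: incident counts by signature."""
        counts = defaultdict(int)
        for a in self.log:
            counts[a.signature] += 1
        return dict(counts)


def run_capture() -> Console:
    """Replay a constructed capture: a SYN every 10 minutes from 10.0.0.5 to a new closed port,
    one forbidden telnet attempt from 10.0.0.8, and ordinary HTTPS from 10.0.0.8."""
    console = Console()
    sensor = Sensor(console)
    packets = [Packet(600 * i, "10.0.0.5", "10.0.0.9", 1000 + i, "S") for i in range(6)]
    packets += [Packet(600 * i + 30, "10.0.0.8", "10.0.0.9", 443, "S") for i in range(6)]
    packets.append(Packet(100, "10.0.0.8", "10.0.0.9", 23, "S"))
    for pkt in sorted(packets, key=lambda p: p.ts):
        sensor.read(pkt)
    return console


if __name__ == "__main__":
    c = run_capture()
    print(c.summary_report())
    print(*c.notifications, sep="\n")
```

Each probe from 10.0.0.5 produces only a low-value "SYN to a closed port" alert; it is the console's look back over the previous hour (step 8) that turns five of them into a single slow-port-scan notification, and the `already` check keeps later probes from re-notifying the handler for the same source.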

promiscuous mode: Normally, an Ethernet interface reads all address information and accepts only the frames destined for itself, but when the interface is in promiscuous mode, it reads all frames on the segment (sniffer), regardless of their destination.


Figure 7-3: A visual example of the IDS process.

Figure 7-3 is only one example of the potential process of an IDS. As you progress through this lesson, you will see different processes.

Behavioral Use

For the system to generate the correct response in the correct situation, it must be programmed with starting data. The starting data is where misuse is defined (along with alerts and response techniques). If the system is expected to determine misuse, then the individual who programs this data needs to know how the organization defines misuse.


A starting point for this process is to determine the network activity that the IDS will attempt to deal with. The following diagrams illustrate the various steps in determining use, both acceptable and unacceptable. Figure 7-4 shows all the uses of a network.

Figure 7-4: All of the uses of the network.

In Figure 7-5, you can see that a basic division between acceptable and unacceptable use has been made, according to the security policies that are applicable to the usage categories. (Only some of the options that the security policy may cover are included in this example.)

The security policy for this organization might include the following:

• No users are allowed to telnet to remote hosts.

• Users can open only the files they are allowed to open.

• Users can access network printers only in their allocated areas.

• Users can execute only those applications they have been granted access to use.


Figure 7-5: The dividing line between acceptable and unacceptable use of resources.

In order to meet these policy requirements, you must divide network and resource access into acceptable and unacceptable use. At this point, you have categorized resource use to define what is considered acceptable and unacceptable. This is a generalization for the entire network, with the understanding that there will be exceptions made for specific users.

From this diagram, you can see that the dividing line specifies that telnet is unacceptable, as is opening unauthorized files, trying to execute applications without permission to do so, or attempting to use unauthorized network printers.

Once this dividing line has been created, the rules for the IDS can be implemented. This is where the task grows, as the number of signatures of known attacks and intrusions is the limitation. If the company has unique applications, the IDS must be made aware of the corresponding signatures. Remember, an IDS can only do what it is told to do, just like any other component of the network.

Although the line in our example is a nice solid line between acceptable and unacceptable, in reality, there are times when the line is not so clear. Crossing over the line is when false signals might be sent, as shown in Figure 7-6. In other words, if something that the policy has identified as acceptable has not been entered into the IDS, and therefore is not known to it as acceptable, the IDS might send an alarm indicating an incident. This is known as a false-positive. False-positives take time and energy, and as much as possible, they should be minimized by proper policy making and data entry in the IDS.

A false-negative, on the other hand, is more than lost time and energy. In fact, a false-negative does not even cost time and energy, since no one is aware that the condition happened. In other words, a false-negative is when an incident should cause an alarm, but it does not. This is a serious issue, and those responsible for the IDS of an organization need to be sure that the policies created, and the rules implemented, minimize the opportunities for false-negatives to occur.
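The following added example (Python, not from the course) codes the four policy statements above as a classifier over event records, with a per-user exception list standing in for the "exceptions made for specific users". Running the same events with the exception list incomplete produces the false-positive described above, and an action the policy text never mentions slips through as a false-negative. The users, entitlements and events are constructed.

```python
"""Turning a written use policy into IDS rules, with both failure modes.

Added example, not from the course. The four policy statements above are
coded as a classifier over event records, with per-user exceptions standing
in for the "exceptions made for specific users". Running the same events
with the exception list incomplete produces a false-positive, and an action
the policy text never mentions slips through as a false-negative. Users,
entitlements and events are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str
    action: str     # "telnet", "open_file", "print", "execute", ...
    target: str     # remote host, file path, printer name, or application


# What each user has been granted (constructed).
ENTITLEMENTS = {
    "alice": {"files": {"/finance/q3.xlsx"}, "printers": {"prn-finance"}, "apps": {"excel"}},
    "bob":   {"files": {"/eng/design.doc"},  "printers": {"prn-eng"},     "apps": {"vim", "gcc"}},
}

# Sanctioned deviations the security team has been told about, e.g. a Help Desk
# trainer demonstrating denied accesses to new hires.
TRAINING_EXCEPTIONS = frozenset({("carol", "open_file")})


def is_acceptable(ev: Event, entitlements=ENTITLEMENTS, exceptions=frozenset()) -> bool:
    """True if the event falls on the acceptable side of the policy line."""
    if (ev.user, ev.action) in exceptions:
        return True
    grants = entitlements.get(ev.user, {})
    if ev.action == "telnet":
        return False                                        # no user may telnet to remote hosts
    if ev.action == "open_file":
        return ev.target in grants.get("files", set())      # only files they are allowed to open
    if ev.action == "print":
        return ev.target in grants.get("printers", set())   # only printers in their area
    if ev.action == "execute":
        return ev.target in grants.get("apps", set())       # only applications they were granted
    return True   # the policy says nothing about this action, so the IDS cannot flag it


def alarms(events, exceptions=frozenset()) -> list:
    """Return the events the IDS would alarm on (everything judged unacceptable)."""
    return [ev for ev in events if not is_acceptable(ev, exceptions=exceptions)]


# Constructed day of activity.
EVENTS = [
    Event("alice", "open_file",   "/finance/q3.xlsx"),   # acceptable
    Event("alice", "open_file",   "/eng/design.doc"),    # unacceptable: not her file
    Event("bob",   "telnet",      "10.0.0.9"),           # unacceptable: telnet forbidden for everyone
    Event("bob",   "print",       "prn-finance"),        # unacceptable: wrong area
    Event("carol", "open_file",   "/finance/q3.xlsx"),   # trainer demo of a denied access
    Event("bob",   "execute",     "gcc"),                # acceptable
    Event("bob",   "copy_to_usb", "/eng/design.doc"),    # misuse the policy text never covers
]


def without_exception() -> list:
    """Security team was not told about the training: carol's demo raises a false-positive."""
    return alarms(EVENTS)


def with_exception() -> list:
    """Training exception entered into the IDS: the same demo no longer alarms."""
    return alarms(EVENTS, TRAINING_EXCEPTIONS)


if __name__ == "__main__":
    print(len(without_exception()), "alarms without the exception;",
          len(with_exception()), "with it")
    print("copy_to_usb alarmed?", Event("bob", "copy_to_usb", "/eng/design.doc") in with_exception())
```

The `copy_to_usb` event is the quiet one: it never alarms in either run, because the written policy has no line about it, and that is exactly why a false-negative costs no one any time until the loss is discovered some other way.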


Figure 7-6: False situations, both positive and negative.

Since, in reality, the dividing line is not so clear, it becomes important for the security professional to be aware of the applications running and the current security policies of the organization. The same security professional needs to be made aware of any unusual activity that might take place in the network.

For example, if the organization has recently hired 20 new Help Desk users, their trainer might be showing them various options and situations in the network, such as what it looks like to attempt access to unauthorized files, or to attempt to log on as a different user. The security professionals in the network need to know this is happening, so that their response is correct for the situation.

Information Collection and Analysis

As you begin to work with the tools available to you, you will need to become comfortable with data collection and analysis. In this section, you will not go into significant detail on the headers and data content; that will be addressed elsewhere. Instead, you will discuss the concepts of data collection and the concepts of data analysis.

With all the sources available to work with, an intimidating problem can arise quickly for the security professional working on the IDS of an organization. Some of the many questions that will arise are:

• What is to be collected?

• What data is to be discarded?

• What is to be identified in the data that is collected?

• Once I do identify certain things in the data, are they good, bad, or neutral?


We previously defined an intrusion as anything from threats, to theft, to misuse; now you must define analysis. What actually is analysis? Although there might be many different meanings, in this discussion, you will identify analysis as the concept of organizing and categorizing data according to the security policies present for the network.

The analysis must identify the intrusions as previously defined. These intrusions, then, are the actual data collected. They can be about a user, a node, an IP address, or any other given variable, again meeting the requirements of the policy.

In order to begin the analysis process, there must first be an analysis system in place. The analysis system can be as simple as reading a single log file at night, or as complex as multiple IDSs submitting data to an external database for future data mining.

Regardless of the scale of the system, there are certain requirements that must be met, and all systems have these in common. These are the ability to generate the initial data, categorize the data based on given rules, and process the data once organized.

The collection of the data will be identified by the IDS, based on the rule set in place for the policy. This data collection can be of user misuse of resources, actual data theft, denial of service, or any of the types of data you have discussed that might be part of the IDS.

Once the data has been collected, it must be organized in a usable format. This categorization can generally be defined by the cause of alarm and filed accordingly. Two general categories that are commonly used are Misuse of Resources and Threats.

It is also common to organize the data by the type of signature present. If the attack was of a known signature, such as a Ping of Death DoS attack, it can be classified as such. By organizing the data using these known signatures, the analysis phase can be a more efficient process, as the data is in the order of attack.

TASK 7B-1: Discussing IDS Concepts

1. What are the differences between misuse and intrusion?

Misuse can occur if a user has access to a resource but uses that resource for a purpose not intended by the owner of that resource. However, if a user does not have access to a resource but gains access by subverting the network's or resource's security, or by any other devious means, this is considered intrusion.

2. Describe behavioral use in terms of an IDS.

First, categorize all network and resource usage into a set. Then, divide network and resource access into two categories, acceptable and unacceptable use, based on policies that have been agreed to. This is a generalization for the entire network, with the understanding that there will be exceptions made for specific users. Over a period of time, look for patterns of usage of these resources to build a database of behavioral use.

Remember, not all misuse detection is a threat.


Topic 7C: Host-based Intrusion Detection

Now that the fundamental issues of intrusion detection have been covered, you will examine the actual options for implementation. In this topic, you will detail the host-based IDS.

A host-based IDS is one where the data that will be analyzed is generated by hosts (computers) in the network. This system has many variables in data collection, since the sources are so varied. A host-based system can be collecting data from application logs, such as those of Web servers, and at the same time collecting data from operating system logs.

Because the system is host based, it is generally quite good at detecting internal misuse of resources. The event logs of each host can generate data on files accessed, by whom, on what date, and at what time. This provides excellent tracking data of misuse and, in the event of compromise, evidence of the attack.

Host-based IDS Design

A host-based IDS uses what are known as agents (also called sensors). These agents are small programs running on the hosts, and they communicate with the command console (remember, this is the central computer controlling the IDS).

There are two basic forms of design of the host-based IDS: centralized and distributed. One difference to keep in mind as you go through the steps of each is that the centralized design requires the data from the host to be sent to the command console for analysis, while the distributed design has the host analyze the data in real time and send only alert notifications to the command console.

Centralized Host-based IDS Design

As mentioned, a centralized design dictates that the data will be collected by the host and sent over the network to the command console for analysis. Because the data is only gathered and sent from the host, there is no significant performance drop on the hosts running the agents. However, there also is no possibility of real-time detection and response: nothing is analyzed until the records reach the console.


The following steps highlight the process of the centralized design, and are shown in Figure 7-7.

1. The host detects that an event has happened (such as opening a file, or logging on to a user account). The event is written as an event record. The record is written to a secured file on the host.

2. At a predefined time, the host sends its records to the command console over the network, using a secured (encrypted) link.

3. The command console receives the records and submits the data to the detection engine.

4. The detection engine analyzes the data for known signatures.

5. The command console generates a log of its work as a data archive.

6. If an intrusion is detected, the command console generates an alert, and the programmed notification is used.

7. The security professional receives the notification.

8. A response to the alert is created. The response used by the console has been previously programmed by the security team for this type of intrusion event.

9. The alert is stored in a secured database.

10. The data used for generating the alert is archived.

11. The console generates a report of the alert activities.

12. Long-term analysis is used to determine if this alert is part of a bigger intrusion.

Figure 7-7: Centralized host-based IDS example.


Distributed Host-based IDS DesignThe primary difference between centralized and distributed host-based IDS iswhere the detection engine and analysis take place. In the distributed design, theagents of hosts are the ones that perform the analysis.

There is a significant advantage to this method: the intrusion data can be monitored in real time. The flip side is that the hosts themselves can experience a performance drop, as each host is engaged in this work constantly.

The following steps highlight the process of distributed design, and are shown in Figure 7-8.

1. The host detects that an event has happened.

2. The event is processed in real time in the detection engine, and is analyzed for known signatures.

3. If an intrusion is detected, a notification is sent. (Some vendors have the host generate the notification; others have the command console generate the notification.)

4. A response to the intrusion is created. This can be from the host or console.

5. The alert of the intrusion is created and sent to the console, where it is archived.

6. Long-term analysis is used to determine if this is part of a bigger intrusion. (Only the alerts, not the raw event records, reach the console, so this analysis can consist only of alert data and might be limited.)

Figure 7-8: Distributed host-based IDS example.

TASK 7C-1
Describing Centralized Host-based Intrusion Detection

1. Describe where and how data is collected in a centralized host-based IDS.

1. The host detects that an event has happened. The event is written as an event record. The record is written to a secured file on the host.

2. At a predefined time, the host sends its records to the command console over the network, using a secured (encrypted) link.

3. The command console receives the records and submits the data to the detection engine.

4. The detection engine analyzes the data for known signatures.

5. The command console generates a log of its work as a data archive.

6. If an intrusion is detected, the command console generates an alert, and the programmed notification is used.

7. The security professional receives the notification.

8. A response to the alert is created. The response used by the console has been programmed by the security team for this type of intrusion event.

9. The alert is stored in a secured database.

10. The data used for generating the alert is archived.

11. The console generates a report of the alert activities.

12. Long-term analysis is used to determine if this alert is part of a bigger intrusion.

Topic 7D
Network-based Intrusion Detection

The concepts and implementation of the host-based IDS might lead you to believe that it is the best way to run your IDS. This might not be the case. Although there are advantages to running a host-based system, it does not suit every situation or meet every need.

If you require the IDS in your organization to analyze the actual TCP/IP traffic, then network-based IDS is your choice. The IDS in a network-based design sniffs the packets off the wire. Hardware devices, such as switches and routers, can also be configured to copy this traffic directly to the IDS, for example through a mirror (SPAN) port.

A significant difference between host- and network-based IDS is the actual location of the agents. In host-based IDS, the agents, or sensors, are placed directly on the hosts. In network-based IDS, the source of the detection is often placed so that it can sense the external traffic, or the intrusion attempts from the outside. This allows the network-based system to detect what the host-based normally cannot, such as a DoS attack against the network.

Another example of a difference between these two implementations would be the detection of attempted access to a system by an attacker. Suppose, for a moment, that an attacker breaks into the network and attempts to log in to a host. The host-based system will not report, or have the ability to identify, anything until the actual login request happens. The network-based system will identify the pattern of the request itself on the wire, before (ideally) the attacker has successfully logged in.

Network-based IDS Design

The physical layout of the network-based IDS is such that sensors are installed in key positions throughout the network, and they all report to the command console. In this case, the sensors are full detection engines that have the ability to sniff the packets, analyze them for known signatures, and notify the console with an alert if an intrusion is detected.

There are two basic forms of design of network-based IDS: traditional and distributed. The traditional design uses sensors in promiscuous mode, sometimes loosely called network taps (strictly, the tap is the device that copies a segment's traffic to the sensor). The distributed design employs agents throughout the network to sense network traffic that is destined for the host itself.

Traditional Network-based IDS Design

Traditional design of network-based IDS uses sensors in the network. A sensor is a host that is configured to run the IDS software and is usually a stand-alone computer. Further, each sensor has a network card (and software) installed that can run in promiscuous mode, to sniff the network traffic. The packets are then fed directly into the detection engine, where analysis can happen. The general theory on sensor placement is that there should be one on each critical segment of the network. The alarms generated are then sent to the command console. This design is depicted in Figure 7-9.

The following steps highlight the process of the traditional design:

1. A network packet is sent from one host to another in the network (this can include a packet from the Internet to a firewall).

2. The packet is pulled off the network in real time by the network sensor, which is generally positioned between the two communicating hosts.

3. The packet is processed in real time in the detection engine, and is analyzed for known signatures.

4. If a signature match is detected, an alert is created and forwarded to the command console.

5. The security professional is notified of the alert.

6. A response to the alert is created. The response used by the console has been programmed by the security team for this type of intrusion event.

7. The alert is archived for later analysis, and a report of the incident is created.

8. Long-term analysis is used to determine if this is part of a bigger intrusion.
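Steps 2 and 3 above, pulling a frame off the wire and handing the detection engine the fields it keys on, as an added Python example (not code from the SCNS course). The frame is constructed by hand for the example, the two rules in SIGNATURES are hypothetical, and the sniff_linux capture helper is an assumption about how such a sensor reads frames: it needs Linux, root, and promiscuous mode enabled on the interface, so the sample run only decodes the embedded frame.

```python
"""Minimal Ethernet II / IPv4 / TCP decoder of the kind a traditional network
sensor feeds into its detection engine. Added example, not SCNS course code."""
import socket
import struct

# Constructed sample frame: a TCP SYN from 10.0.0.5:40000 to 192.168.10.7:23
# (telnet). Values were chosen by hand; checksums are placeholders and are not
# verified by this decoder.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"                # Ethernet: destination MAC
    "66778899aabb"                # Ethernet: source MAC
    "0800"                        # EtherType 0x0800 = IPv4
    "4500" "0028" "0001" "0000"   # IPv4: ver 4/IHL 5, TOS, total length 40, ID, flags/frag
    "40" "06" "0000"              # TTL 64, protocol 6 (TCP), header checksum (placeholder)
    "0a000005"                    # source 10.0.0.5
    "c0a80a07"                    # destination 192.168.10.7
    "9c40" "0017"                 # TCP: source port 40000, destination port 23
    "00000001" "00000000"         # sequence, acknowledgement
    "5002" "ffff"                 # data offset 5 (20 bytes) + flags SYN, window
    "0000" "0000"                 # checksum (placeholder), urgent pointer
)

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")


def decode_frame(frame):
    """Return the header fields a signature engine keys on, or raise ValueError
    for anything that is not a well-formed IPv4 frame (callers skip those)."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4 (EtherType 0x%04x)" % ethertype)
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl or total_len < ihl:
        raise ValueError("bad IPv4 header")
    record = {
        "src_mac": src_mac.hex(":"),
        "src_ip": socket.inet_ntoa(src),
        "dst_ip": socket.inet_ntoa(dst),
        "ttl": ttl,
        "proto": proto,
    }
    if proto != 6:
        return record
    # Slice by the IP total length, not the frame length: short frames are
    # padded to 60 bytes on the wire and the padding is not TCP payload.
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x3F
    record.update({
        "src_port": sport,
        "dst_port": dport,
        "flags": [name for i, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "payload": tcp[data_off:],
    })
    return record


# Hypothetical rules for the example; a real sensor carries thousands.
SIGNATURES = (
    ("telnet connection attempt", lambda r: r.get("dst_port") == 23 and r.get("flags") == ["SYN"]),
    ("tcp null-flag probe", lambda r: r.get("proto") == 6 and r.get("flags") == []),
)


def match_signatures(record):
    """Names of every signature the decoded record matches."""
    return [name for name, test in SIGNATURES if test(record)]


def sniff_linux(interface, count=10):
    """Capture like a traditional sensor: a Linux AF_PACKET raw socket (needs root).
    Frames not addressed to this host are only delivered once the NIC is in
    promiscuous mode, e.g. `ip link set dev eth0 promisc on`. Not run below."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003))
    sock.bind((interface, 0))
    records = []
    while len(records) < count:
        try:
            records.append(decode_frame(sock.recv(65535)))
        except ValueError:
            continue  # non-IPv4 or malformed frames are skipped by this toy decoder
    return records


if __name__ == "__main__":
    rec = decode_frame(SAMPLE_FRAME)
    print(rec["src_ip"], rec["src_port"], "->", rec["dst_ip"], rec["dst_port"], rec["flags"])
    print("matches:", match_signatures(rec))
```

The decoder slices the TCP segment by the IP total length rather than by the captured frame length; a sensor that forgets this will report Ethernet padding as payload and its content rules will fire on zeros.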

Figure 7-9: Traditional network-based IDS example.

Distributed Network-based IDS Design

Despite the effectiveness of the traditional design in collecting network packets, it is susceptible to packet loss on network segments: a single sensor may not keep up with, or even see, every packet on a busy segment. A variation of the traditional design was introduced to address this situation: distributed design. In the distributed design, a sensor is installed on each host in the network, instead of on each segment of the network. The sensors then communicate with each other in the event of an intrusion, and use the command console as a center of operations, and for alarms.

As you might imagine, this type of design has led to much confusion on the distinction between network- and host-based IDS. What you must realize is that the location of the sensor, or agent, is not the determining factor in what type of design is implemented.

If the IDS is running on each computer and those computers are analyzing tasks of the operating system, then it is host-based. If the IDS is running on each computer and those computers are analyzing the packets from the Ethernet device, then it is network-based. This is important to remember, specifically when dealing with IDS vendors. Be sure that if you buy a commercial product, you get exactly what you want. The process is depicted in Figure 7-10.

The following steps highlight the process of the distributed design:

1. A network packet is sent from one host to another in the network (this can include a packet from the Internet to a firewall).

2. The packet is pulled off the network in real time by the network sensor on the individual host.

3. The packet is processed in real time in the detection engine, and is analyzed for known signatures.

4. If a signature match is detected, an alert is created and forwarded to the command console.

5. The security professional is notified of the alert.

6. A response to the alert is created. The response used by the console has been programmed by the security team for this type of intrusion event.

7. The alert is archived for later analysis, and a report of the incident is created.

8. Long-term analysis is used to determine if this is part of a bigger intrusion.

Figure 7-10: Distributed network-based IDS example.

TASK 7D-1
Discussing Sensor Placement

1. Is the location of the sensor the determining factor in deciding if the IDS is host-based or network-based? Explain your response.

No. If the IDS is running on each computer and those computers are analyzing intrusion attempts on the operating system, then it is host-based. If the IDS is running on each computer and those computers are analyzing the packets from the Ethernet device, then it is network-based.

2. Describe the process of a traditional network-based IDS.

1. A network packet is sent from one host to another in the network (this can include a packet from the Internet to a firewall).

2. The packet is pulled off the network in real time by the network sensor, generally positioned between the two communicating hosts.

3. The packet is processed in real time in the detection engine, and is analyzed for known signatures.

4. If a signature match is detected, an alert is created and forwarded to the command console.

5. The security professional is notified of the alert.

6. A response to the alert is created. The response used by the console has been programmed by the security team for this type of intrusion event.

7. The alert is archived for later analysis, and a report of the incident is created.

8. Long-term analysis is used to determine if this is part of a bigger intrusion.

Topic 7E
The Analysis

In the previous topic, you examined the processes of the different types of IDS implementation. One common point in all of them was the analysis of data once it has been collected. In this topic, you will look into the analysis process itself.

When to Analyze

After the agents, or sensors, have been set in place, the timing of analysis must be defined. While this might be part of the architecture chosen, it is worth noting the options and their strong and weak points.

Interval Analysis

This method of analysis uses the internal operating system (or other host-based) audit logs to capture the events, and the IDS, at given intervals, analyzes the data in the logs for signatures of intrusion.

Using this method of analysis is effective in organizations where the perceived threat is low and the potential loss from a single attack is high, such as a very well-guarded server that holds the organization's most secret data. Those running this type of analysis are more concerned with the data collected and its accuracy than with speed. The data collected in this case is often used in legal proceedings during criminal prosecution, provided it has been secured properly so that its integrity can be demonstrated.

Another strong point of interval analysis is that there is less of a burden placed on the individual hosts, since the analysis is not in real time. And, this type of analysis is a benefit to organizations that are not large enough to have a full-time employee or consultant watching for intrusion signatures.

On the other hand, there are weaknesses to this type of analysis. An incident is usually not identified until after it has occurred, which presents obvious problems. Because the analysis is in intervals, the ability to notice and respond to an incident quickly, or as it is happening, is close to nonexistent. Additionally, if the hosts that collect the events do not have sufficient disk space to hold them until the next interval, records can be lost.

Real-time Analysis

As an alternative to interval analysis, there is real-time analysis. This involves, as the name implies, data being analyzed for signatures as it is collected.

Real-time analysis runs continuously, collecting, analyzing, reporting, and responding (if programmed to do so). Do not misunderstand the term real-time to mean same-time. An event cannot be countered the exact moment it happens. However, the concept behind real time is that an attack should be dealt with as it is happening, and if the system knows the signature, stopped before it can complete and compromise a host.

This type of analysis has the ability to respond in real time, via the methods previously discussed (email, pages, and even telephone calls). The real-time nature of this analysis means that security professionals can respond while an attack is underway, and stop it. An additional benefit to real-time analysis is that hosts can be recovered quickly in the event of a compromise, because there is no need to wait for the analysis to find out what has been compromised.

However, just as there are benefits, there are weaknesses to this type of analysis. One of the more critical weaknesses might be the extra resources used by the hosts. More memory and processing will be required.

Because the systems can be programmed to provide an automated response, this must be planned carefully. Unless you can guarantee the system will analyze the data correctly, and respond as expected, the automatic response needs to be considered cautiously: a false positive triggers the response just as a real attack does. A response of disconnecting a distribution partner over the Internet due to an error in analysis could be very costly.
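The interval-versus-real-time tradeoff, which is also the difference between the centralized and distributed host-based designs of Topic 7C, shown with one detection engine run both ways. This is an added Python example, not code from the SCNS course. The audit records are constructed, and the single rule (three login failures for one account on one host within 60 seconds) and the 300-second upload interval are assumptions chosen for the example.

```python
"""Interval (centralized) versus real-time (distributed) host-based analysis
with one shared detection engine. Added example, not SCNS course code."""
from collections import defaultdict, deque, namedtuple

# One host audit record: seconds since midnight (plain integers for the
# example), host, account, and event type.
AuditRecord = namedtuple("AuditRecord", "ts host user event")
Alert = namedtuple("Alert", "host user triggered_at")

# Constructed records: a quick burst of failures against alice, then three
# failures against bob spread too far apart to match the rule.
SAMPLE_RECORDS = [
    AuditRecord(100, "fileserver", "alice", "login_failure"),
    AuditRecord(104, "fileserver", "alice", "login_failure"),
    AuditRecord(110, "fileserver", "alice", "login_failure"),
    AuditRecord(111, "fileserver", "alice", "login_success"),
    AuditRecord(500, "fileserver", "bob", "login_failure"),
    AuditRecord(900, "fileserver", "bob", "login_failure"),
    AuditRecord(1300, "fileserver", "bob", "login_failure"),
]


class FailedLoginSignature:
    """Assumed rule: `threshold` login failures for one account on one host
    within `window` seconds. Stateful so either design can feed it one record
    at a time and get an Alert back when the rule trips."""

    def __init__(self, threshold=3, window=60):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # (host, user) -> recent failure times

    def feed(self, rec):
        if rec.event != "login_failure":
            return None
        recent = self.failures[(rec.host, rec.user)]
        recent.append(rec.ts)
        while recent and rec.ts - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.threshold:
            recent.clear()                   # one alert per burst
            return Alert(rec.host, rec.user, rec.ts)
        return None


def run_distributed(records, engine_factory=FailedLoginSignature):
    """Distributed design: the engine runs on the host and sees each record as
    it is written, so the console learns of the alert at the record's own time.
    Returns (alert, time_console_is_told) pairs."""
    engine = engine_factory()
    out = []
    for rec in sorted(records, key=lambda r: r.ts):
        alert = engine.feed(rec)
        if alert:
            out.append((alert, rec.ts))
    return out


def run_centralized(records, interval, engine_factory=FailedLoginSignature):
    """Centralized design: the host only spools records and ships the spool
    every `interval` seconds; the console's engine then analyzes the batch.
    Detection cannot happen before the upload that carries the last record."""
    engine = engine_factory()
    out = []
    for rec in sorted(records, key=lambda r: r.ts):
        upload_ts = (rec.ts // interval + 1) * interval  # next scheduled upload
        alert = engine.feed(rec)
        if alert:
            out.append((alert, upload_ts))
    return out


def detection_lag(records, interval):
    """Seconds by which the centralized console trails the distributed agent
    for each alert; empty if the engine fires nothing."""
    dist = run_distributed(records)
    cent = run_centralized(records, interval)
    return [c_ts - d_ts for (_, d_ts), (_, c_ts) in zip(dist, cent)]


if __name__ == "__main__":
    for alert, when in run_distributed(SAMPLE_RECORDS):
        print("distributed: %s on %s, console told at t=%d" % (alert.user, alert.host, when))
    for alert, when in run_centralized(SAMPLE_RECORDS, interval=300):
        print("centralized: %s on %s, console told at t=%d" % (alert.user, alert.host, when))
```

Both designs produce the same alert from the same records; only the moment the console can act on it differs, which is the whole case for real-time analysis, and the reason the automated-response caution above matters more in the distributed design.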

How to Analyze

You have examined the methods of when to have the IDS analyze data, but it is just as critical to determine how the analysis is going to happen. Again, this might be part of the architecture of the design, but the individual points must be described.

Signature Analysis

The element that most IDS products have in common is signature analysis. A signature is a known event or pattern of events that corresponds to an acknowledged or known attack. These signatures can be very simple to detect, like a flood of ICMP requests to a given server, or much more subtle, like a failed login request on a server three times in a week from an external source.

Signature analysis is the process of matching the known attacks against the data collected in the network. If there is a match, then that is a trigger for an intrusion, and an alarm might be the result.

Most commercial IDS vendors have a list of known signatures, much like the antivirus industry. The big difference is that the majority of the antivirus companies have lists of over 20,000 known signatures for viruses and Trojan horses, and these companies can react very quickly and have the signatures uploaded to websites for users to download.

By way of comparison, an IDS might have only a few hundred signatures to use. The users of the IDS are then left to download further signatures when they are available, or analyze the data and create their own signatures.

An Example Signature

Although the signatures that an IDS uses can be complex, you can use parts of a signature to illustrate how the analysis works. Suppose that the data displayed in Figure 7-11 is collected by the IDS.

Figure 7-11: An example of data collected by an IDS.

If this signature was not in the database of known signatures to the IDS, the security professional running the IDS should still be able to identify the attack. Let's perform a brief analysis of this data. You can identify that the source address is 172.168.30.23. You would check the IP address to see if there is any historical data regarding this IP address. The IDs are sequential, corresponding to the time of the event. This indicates a very fast event, as all IDs are less than one second apart (event starting at 8:52:52 and ending at 8:52:53). The destination port tells us the source is running a scan to see what hosts have a telnet server running. The scan covers the entire network of IP addresses, 1 through 254.

Our brief analysis of this event, then, is: At 8:52:52, the network 192.168.10.0/24 was scanned to see which computers were running telnet servers. The scan concluded at 8:52:53. The likelihood that the source IP address was spoofed is low, because the attacker would need the scan to return data on hosts running telnet. Because none of the computers scanned run telnet, the risk from this event individually is low. There is no historical data to indicate previous activity from this source IP address. However, it is now recorded that there is intrusion activity from 172.168.30.23, and future attempts will correlate with this data.

The previous example illustrates the process of analyzing signatures. The IDS can only detect the signatures it is aware of; other activity will need to be identified by the professionals using the system.
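The analysis just walked through by hand, turned into a signature a security professional could add to the IDS, as an added Python example (not code from the SCNS course). It generalizes from the telnet scan to any one source touching many destination hosts with the same service, which also covers the ping sweep discussed later under Anticipation of Attack Monitoring. The records are constructed to match the lesson's description (172.168.30.23, tcp/23, 192.168.10.1 through 254, 8:52:52 to 8:52:53); the ICMP sweep from 203.0.113.9, the two benign admin sessions, the date, and the thresholds are assumptions chosen for the example.

```python
"""Sweep detection over collected connection records: the analysis walked
through above, done by code. Added example, not SCNS course code."""
import ipaddress
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# One collected record: time, source, destination, protocol, destination port
# (None for ICMP).
Event = namedtuple("Event", "ts src dst proto dport")
Alert = namedtuple("Alert", "kind src first_host last_host hosts first_seen last_seen")

# Constructed data matching the lesson's description: 172.168.30.23 touching
# tcp/23 on every host of 192.168.10.0/24 between 8:52:52 and 8:52:53. The
# ICMP sweep from 203.0.113.9 and the two admin telnet sessions are added to
# show the generalization and the negative case. The date is arbitrary.
BASE = datetime(2003, 5, 12, 8, 52, 52)


def constructed_events():
    events = []
    for i in range(1, 255):
        events.append(Event(BASE + timedelta(milliseconds=4 * i),
                            "172.168.30.23", "192.168.10.%d" % i, "tcp", 23))
    for i in range(1, 31):
        events.append(Event(BASE + timedelta(minutes=7, milliseconds=50 * i),
                            "203.0.113.9", "192.168.10.%d" % i, "icmp", None))
    events.append(Event(BASE + timedelta(minutes=2), "192.168.10.5", "192.168.10.1", "tcp", 23))
    events.append(Event(BASE + timedelta(minutes=3), "192.168.10.5", "192.168.10.2", "tcp", 23))
    return events


def _judge(burst, min_hosts):
    """Turn one burst of same-source, same-service records into an alert if it
    reached enough distinct destination hosts."""
    hosts = sorted({e.dst for e in burst}, key=ipaddress.ip_address)
    if len(hosts) < min_hosts:
        return []
    first = burst[0]
    kind = "ping sweep" if first.proto == "icmp" else "%s/%d sweep" % (first.proto, first.dport)
    return [Alert(kind, first.src, hosts[0], hosts[-1], len(hosts), burst[0].ts, burst[-1].ts)]


def detect_sweeps(events, min_hosts=20, max_gap=timedelta(seconds=5)):
    """Flag one source touching at least `min_hosts` distinct destinations with
    the same service (or with ICMP echo) where consecutive probes are no more
    than `max_gap` apart. Thresholds are assumptions chosen for the example."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e.src, e.proto, e.dport)].append(e)
    alerts = []
    for evs in by_key.values():
        evs.sort(key=lambda e: e.ts)
        burst = [evs[0]]
        for e in evs[1:]:
            if e.ts - burst[-1].ts > max_gap:   # quiet gap: close the burst
                alerts.extend(_judge(burst, min_hosts))
                burst = [e]
            else:
                burst.append(e)
        alerts.extend(_judge(burst, min_hosts))
    return alerts


def correlate(alerts, history):
    """The 'check for historical data' step: report sources already on record,
    then record these alerts so future attempts correlate with them."""
    repeat = sorted({a.src for a in alerts if a.src in history})
    for a in alerts:
        history.setdefault(a.src, []).append((a.first_seen, a.kind))
    return repeat


if __name__ == "__main__":
    history = {}
    found = detect_sweeps(constructed_events())
    for a in found:
        print("%s from %s: %d hosts %s..%s, %s to %s" % (
            a.kind, a.src, a.hosts, a.first_host, a.last_host,
            a.first_seen.strftime("%H:%M:%S"), a.last_seen.strftime("%H:%M:%S")))
    print("already on record:", correlate(found, history))
```

The two admin sessions never trigger because they touch only two hosts; the min_hosts threshold is what separates an administrator from a scanner, and it is the parameter to tune against your own network's normal fan-out.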

Statistical Analysis

A common scientific method, not often implemented in commercial IDS products at the time of this writing but worth discussing, is statistical analysis (now more often called anomaly-based detection). The basic concept of statistical analysis is to find a deviation from a known pattern of behavior. Using this method, an IDS would create profiles of user behavior. Examples of the types of behavior might include login times, amount of time on the network, and the amount of bandwidth used.

This data is then described as the normal usage of this profile. When an event happens that is not in the normal usage pattern, a possible intrusion is the result. The usual example of this would be login times. If a user has consistently logged in only between 8:30 A.M. and 6:30 P.M. for the last year, and that account tries to log in at 2:00 A.M., a possible intrusion is happening, and an alert would be issued. The cost of this approach is false positives whenever legitimate behavior changes, so the profiles must be maintained as users' routines change.
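The login-time profile just described, built and queried in code, as an added Python example (not code from the SCNS course). The login history is constructed; the thresholds (an account needs 30 past logins before it is judged, and an hour of day is "rare" below one percent of its logins) are assumptions chosen for the example.

```python
"""Login-time profiling: the statistical (anomaly) analysis described above.
Added example, not SCNS course code."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_profiles(logins):
    """logins: iterable of (user, datetime). Returns, per user, a histogram of
    the hour of day at which that user has logged in."""
    profiles = defaultdict(Counter)
    for user, ts in logins:
        profiles[user][ts.hour] += 1
    return profiles


def is_anomalous(profiles, user, ts, min_history=30, rare_fraction=0.01):
    """True when the account has enough history to judge and this hour of day
    accounts for less than `rare_fraction` of its past logins (never-seen
    hours included). Accounts with thin history are not judged, so a new hire
    does not raise an alert on every login. Thresholds are assumptions."""
    hist = profiles.get(user)
    if not hist:
        return False
    total = sum(hist.values())
    if total < min_history:
        return False
    return hist[ts.hour] / total < rare_fraction


def learn(profiles, user, ts):
    """Fold a login confirmed legitimate into the profile so the baseline
    follows the user's real routine instead of freezing on last year's."""
    profiles[user][ts.hour] += 1


def constructed_history():
    """Constructed baseline: alice logs in once per weekday at varying hours
    between 8:30 and 17:30 for 250 days; carol is new with three logins."""
    logins = []
    day = datetime(2003, 1, 6)  # a Monday; arbitrary
    for i in range(250):
        if day.weekday() < 5:
            logins.append(("alice", day.replace(hour=8 + i % 10, minute=30)))
        day += timedelta(days=1)
    for hour in (9, 13, 16):
        logins.append(("carol", datetime(2003, 9, 1, hour, 0)))
    return logins


if __name__ == "__main__":
    profiles = build_profiles(constructed_history())
    for user, when in (("alice", datetime(2003, 9, 2, 2, 0)),
                       ("alice", datetime(2003, 9, 2, 9, 0)),
                       ("carol", datetime(2003, 9, 2, 2, 0))):
        print(user, when, "ANOMALOUS" if is_anomalous(profiles, user, when) else "normal")
```

The min_history guard and the learn() step are the two controls that keep this from paging you for every new account and every change of shift; without them the false-positive rate described above is what you get.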

TASK 7E-1
Discussing Data Analysis

1. Which type of data analysis is often used as the method of analysis for legal proceedings involving IDSs?

Interval analysis.

Topic 7F
How to Use an IDS

In this topic, you will be introduced to the different methodologies of intrusion detection. While there are no methods set in stone, this topic attempts to outline several examples for you to use in the future. These detailed intrusion examples include DoS, network sweeps, and internal misuse of resources.

Detection of Outside Threats

One of the issues of ever-increasing trouble for networks is Denial of Service attacks. When attackers choose to block service without attempting network penetration, it can be a difficult problem to solve.

Imagine the following scenario:

It is 4:40 P.M. on Friday. You are about to go home and enjoy the weekend. You hear your incoming mail sound, and look at the new message. Incoming ICMP packets, lots of them. You are not going home after all.

You begin your investigation. It seems the ICMP packets have been detected as a Denial of Service attack. You have seen this before, and are familiar with the signs.

As you investigate further, you realize it is more than a simple ping attack. It seems to be a Distributed Denial of Service. The IDS is alarming with signs of attack from 101 distinct IP addresses.

You continue to dig, as you read the log files, and it turns out that although there are 101 addresses listed, they all register to the same local ISP. By now, you're thinking, "I hope Saturday afternoon will be nice."

The pings pause for a minute. Unusual, you think. It is almost like the attacker did not enter enough packets to maintain the high DDoS attack. About 10 minutes later, it starts again. You have been on the phone this entire time with your ISP trying to get them to block ICMP requests.

profile: Patterns of a user's activity which can detect changes in normal routines.

penetration: The successful unauthorized access to an automated system.

Back to the log files, where you see the attacks coming from the same group of nodes. The attacker must have re-entered the script, perhaps this time with a higher count. Now, your ISP is noticing, and they indicate they will open a ticket to investigate.

Back to the log files, where further investigation confirms the IP addresses used are all in the same block from the same local ISP. You get on the phone to the local ISP. They are helpful and willing to work with you to locate the offending IP addresses. They confirm that those addresses are all in their range.

Since the local ISP is only a few miles away, and the IP addresses in question are all local, you are thinking the attacker must have targeted your network on purpose, and you are not the victim of a random DDoS. On the other hand, your organization has not lost a verifiable amount of money over the attack so far, so FBI involvement will probably not be needed.

The local ISP administrator is helpful and works with you on locating a source. The pings stop again. Even though they went longer this time, they still stopped. Again, there is a pause in the action for a while, and it picks up again.

Back to the log files. Again, you find 101 addresses in the attack. The local ISP administrator calls to tell you there is no new news yet. Into the night, you decide to leave and come back in the morning.

Returning in the morning, you turn to the log files. The log files indicate that the attacks continued throughout the night, 101 addresses every time, yet each attack running only for 10 minutes.

You dump the logs into a database for analysis, and you decide to see which addresses were involved in each attack. This turns out to be the break you were looking for.

In the data logs, it turned out that only three IP addresses were involved in every attack. Working with the local ISP, you identify that two of the addresses are dial-up accounts and rarely on. The third is a DSL user who is always connected.

You suspect this user is the culprit. Although the local ISP will not reveal the identity of the user to you, they have helped you as much as you could hope for. Now, you are on to internal research.

You begin by combing through the current employee list and checking for home email addresses. The company is not all that large, so it is an easy task. You view the list from top to bottom and find nothing.

Next, you decide to go through the list of past employees, starting with people who were let go or who resigned in the last six months. This is a much smaller list, only 17 names.

There it is, in black and white. There is one ex-employee who was fired only a month ago. The home email address does indeed come from the same local ISP. You pull out a saved email from the archive and check the headers. Sure enough, the IP address matches. You are hot on the trail of the attacker and have enough evidence to go to the next level.

Now, imagine this scenario without the IDS running. What would the situation be in this case? The network would seem slower, but it would take time to isolate where it is slowing down. Without the IDS, you would not have the head start, you would not have logging of the IP addresses, and you would have a hard time tracking down not only the cause, but also deciding on a response and solution.
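The step that broke the case above, dumping the IDS log and asking which addresses took part in every attack, as an added Python example (not code from the SCNS course). The log lines, their format, the victim address, and the source addresses (all from documentation ranges) are constructed: three fixed sources stand in for the persistent nodes, and the rest of each burst's 101 sources rotates through a pool so that the answer is known.

```python
"""The break in the scenario above: find which sources appear in every
attack burst. Added example, not SCNS course code."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed IDS log format and addresses (documentation ranges). The three
# ALWAYS sources stand in for the persistent nodes in the story; the rest of
# each burst's 101 sources rotates through POOL.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ICMP echo request (\S+) -> (\S+)$")
VICTIM = "192.0.2.10"
ALWAYS = ["198.51.100.7", "198.51.100.21", "198.51.100.44"]
POOL = [ip for net in ("198.51.100.0/24", "203.0.113.0/24")
        for ip in map(str, ipaddress.ip_network(net).hosts()) if ip not in ALWAYS]


def constructed_log(n_bursts=12, per_burst=101, pings_per_burst=600):
    """Bursts of ten minutes, one ping a second, 25 minutes apart, as in the
    story. The rotating sources are taken from POOL in sequence so that no
    rotating address can land in every burst."""
    lines = []
    start = datetime(2003, 5, 16, 16, 38, 0)
    n_rotating = per_burst - len(ALWAYS)
    for b in range(n_bursts):
        rotating = [POOL[(b * n_rotating + k) % len(POOL)] for k in range(n_rotating)]
        sources = ALWAYS + rotating
        t0 = start + timedelta(minutes=25 * b)
        for i in range(pings_per_burst):
            ts = t0 + timedelta(seconds=i)
            lines.append("%s ICMP echo request %s -> %s" % (
                ts.strftime("%Y-%m-%d %H:%M:%S"), sources[i % per_burst], VICTIM))
    return lines


def parse_log(lines):
    """(timestamp, source) for every line in the assumed format; others skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return events


def split_bursts(events, quiet=timedelta(minutes=2)):
    """Group events into attack bursts: a gap longer than `quiet` starts a new burst."""
    bursts, current = [], []
    for ev in sorted(events):
        if current and ev[0] - current[-1][0] > quiet:
            bursts.append(current)
            current = []
        current.append(ev)
    if current:
        bursts.append(current)
    return bursts


def burst_membership(bursts):
    """How many bursts each source took part in."""
    counts = Counter()
    for burst in bursts:
        counts.update({src for _, src in burst})
    return counts


def persistent_sources(bursts):
    """Sources present in every burst: the ones worth asking the ISP about."""
    counts = burst_membership(bursts)
    return sorted((src for src, n in counts.items() if n == len(bursts)),
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    bursts = split_bursts(parse_log(constructed_log()))
    print("%d bursts, %d distinct sources overall" % (len(bursts), len(burst_membership(bursts))))
    print("in every burst:", persistent_sources(bursts))
```

The same intersection could be done in SQL once the log is in a database, as the scenario does; the point is that the raw alert ("101 sources") hides the three that matter until the bursts are separated and compared.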

Detection of Inside Threats

Let's now look at an example of how an IDS can work to detect inside threats. This is one of the difficult areas of security. Because these users already have some level of access to the network, dealing with inside threats can be more complex than dealing with outside ones.

A reason that this is a difficult area of security is the term threat. In this case, a threat is not always someone stealing data; more often it is the inappropriate use of company resources. So, for this example, you will look at a user who is misusing resources, not attempting data theft.

At 11:30 A.M. on a Tuesday, you are notified that two of the color laser printers are running out of toner every Monday. Because the company has laser printers all over the office and only a few people are granted permission to each printer, this is unusual. It should be several months before the printers need refilling.

However, every Monday two of them are nearly out and end up getting refilled. You are investigating to find out the culprit, but cannot find anything right away. You add the IP addresses of the laser printers to the IDS to track who is sending what to the printers, and when.

Every night, you check the logs and find nothing out of the ordinary. By Friday night, you are wondering if perhaps the printer is malfunctioning. You remotely connect into the network over the weekend and check the logs on Saturday night. Still, you find nothing.

Sunday night, around 11:30 P.M., you remotely connect into the network again to check the logs. Again, there is nothing to report as unusual. You go to bed, wondering what the situation will be like in the morning.

When you get to work on Monday, you are pulled into a meeting that lasts until 1:00 P.M. When you finally get out of the meeting, you see a note on your monitor that states, "Yes, we just had to replace the toner again. What did you find?"

You get on the network and head right to the log files. Finally, there it is. There is an enormous print job sent at 7:00 A.M. It took over two hours to finish printing. You quickly identify the IP address and host name of the computer that sent the data.

You inform the network administrators of what you found, and the two of you take a walk. When you get to the cube of the worker who used that computer, you can see the evidence quite clearly.

All over the walls are glossy printed photographs; they are 11x17 full-color photographs. Stacks of 11x17 photos are on the desk.

After a conversation, you find out that this employee has taken up digital photography as a new hobby. And, every weekend this employee shoots hundreds of pictures, only to come in to work first thing in the morning and print out as many as possible. ("Until the colors are not as crisp and bright on the printout, and then I stop," you are told.)

This is a classic example of resource misuse, which can be identified with the IDS in place. Without the IDS, this task is much more complex, and perhaps someone would be asked to physically watch the printer for use in this fashion.

Anticipation of Attack Monitoring

One of the standard attack sequences for hackers just starting out is the ping sweep for live hosts. Not complex, or difficult, but worth noting in any event. The ping sweep simply pings a given range of IP addresses. The nodes that respond are active, and might be potential targets.

Virtually all IDS systems will pick up and notify on ping sweeps. This type of traffic can lead to nothing, or it could be the early attempt to map the network for further attacks. The IDS will recognize the signature of sequential ping packets in rapid succession, and an alarm will sound.

By recognizing a ping sweep, the organization can decide their proper response. Perhaps they respond with a message to the ISP that holds the IP address, or perhaps they simply monitor for further traffic from that IP address. In any case, the ability to choose a course of action exists due to the presence and function of the IDS.

Surveillance Monitoring

When there has been some indication of either a threat of a break-in, resource misuse, or some other unauthorized activity, the IDS can be used in a mode of surveillance. At first glance, this might seem to be the entire function of the IDS in the first place. However, in this particular area, the reference is to more of an increased level of awareness. Beyond the normal day-to-day monitoring that happens, this is when a threat has been identified.

Take the following situation as an example: A company has had the same senior-level network administrator for five years. Recently, this administrator was found to be working part-time for another company. Because this person was at a senior level and had an exclusive contract, he had to be let go.

The release was not a pleasant one, but no threats or poor language were used towards either party. This situation would, however, be cause to put the IDS into a surveillance mode, with the specific goal of monitoring traffic that could be coming from the released employee.

The task of detecting an ex-employee can be difficult (even more so if it is a technical person) because this person is aware of the internals of the network. Nonetheless, this situation would require an IDS on a higher alert.

TASK 7F-1
Discussing Intrusion Detection Uses

1. Describe how an IDS can be used to detect an outside threat.

Answers will vary, but may include: To identify attack signatures that are originating from IP addresses other than your internal private range.

Topic 7G
What an IDS Cannot Do

Throughout this lesson, you have identified and discussed the abilities of IDSs. As good as they are, and as helpful to the security of the network as they are, they do have limitations. An IDS can only do what it is designed to do; do not expect more from it. In this topic, you will examine some of the things an IDS cannot do.

Provide the Magic Solution

Although some IDS vendors might try to convince you of this, an IDS is not a magic solution. It does not have the ability to bring the security of your network to perfection. An IDS cannot, and should not, be expected to suddenly notice every single event that you might consider to be an intrusion or misuse. It can perform only as it is programmed. If a new type of intrusion is created today, the IDS cannot magically be configured to know this signature by this afternoon.

Relying on the IDS to an extreme can create security professionals who get complacent and miss new or unusual intrusions when they occur. Your skill and knowledge as a security professional must remain at the highest level, regardless of the equipment in the organization.

Manage Hardware Failures

This might seem like an obvious point, but let's define it a bit further. If a new attack comes into your network, suddenly hits your 1,000 Linux workstations (all nodes), and they all crash, there are no nodes available to inform the IDS of an intrusion.

Yes, the IDS (if on a different platform) might still be on, and you might get a page that states, "All of your Linux computers are gone," but you cannot expect the IDS to manage any of those failures. The IDS might inform you that the event happened, but don't expect more.

Investigate an Attack

There are options for what an IDS can do to respond to an attack. But responding is not the same as investigating. An IDS cannot notice a SYN flood coming from the same IP address, and follow up on it. The IDS will inform you of the SYN flood, and it will be up to you to follow up.

The IDS will provide the data for the investigation, but do not expect the IDS to perform any of the investigation itself. Although, if that day ever comes, there will be some interesting ramifications of it. Imagine your IDS paging you to state, "You had a SYN flood at 2 A.M. I traced the IP address, sent a message to their ISP, and had the attacker arrested. Have a nice day!"

crash: A sudden, usually drastic failure of a computer system.

SYN flood: A stream of TCP SYN segments that fills the target's queue of half-open connections. When the SYN queue is flooded, no new connection can be opened.

100 Percent Analysis

Once the data has been collected by the IDS, then some serious investigation must happen. There must be a way of analyzing all the collected data. Because most organizations do not have a full-time (24 hours a day, 7 days a week) human monitoring the IDS statistics, automated analysis of the data is required.

To expect the IDS to perform a perfect 100 percent analysis on the data is unrealistic, as the amount of data would be too high. The computers running the analysis would not be able to keep up with that volume of traffic. To say to the IDS, “Here is all the data collected in the last week, tell me everything that happened,” and then sit back and wait for the results is equally unrealistic.

TASK 7G-1: Discussing Incident Investigation

1. Describe why an IDS cannot investigate an intrusion attempt.

The IDS is able to identify an attack, even in real time; however, it cannot investigate the attack. It might be able to respond by closing ports or paging the security professional. There is no mechanism in modern IDS systems for tracking down IP addresses, contacting the correct ISP, or explaining an intrusion attempt to the FBI.

Summary
In this lesson, you were introduced to the concepts and technologies of IDSs. You examined the differences between host-based and network-based IDSs, and how each of them can be implemented. You examined the types of data analysis. You identified multiple scenarios of an IDS in use, and how each one presents a different situation to the IDS. Finally, you examined the situations an IDS cannot help with, and the tasks an IDS cannot perform.

Lesson Review
7A What are the major components of an IDS?

Prevention, detection, and response.

What is one reason you need to be careful with the response of the IDS?

You have to exercise caution in determining the level of response to incidents, since aggressive or offensive responses may open up the organization to serious legal issues.

Lesson 7: Designing an Intrusion Detection System 399

What’s worse: a false-negative or a false-positive?

A false-negative, as it signifies that an alarm was not generated when a condition should have been alerted. A false-positive costs analyst time; a false-negative means the intrusion went unnoticed.

7B Describe how an Ethernet host, running in promiscuous mode as an IDS, sniffs packets off the local segment.

1. A host creates a network packet. So far, nothing is known other than that a packet exists, sent from a host in the network.

2. The IDS host reads the packet in real time off the network segment.

3. The detection program in the sensor matches the packet against known signatures of misuse. When a signature is detected, an alert is generated and sent to the command console.

4. The command console receives the alert and notifies the designated person or group of the detection.

5. The response is created in accordance with the programmed response for this matching signature.

6. The alert is logged for future reference.

7. A summary report is created.

8. The alert is viewed with other historical data to determine if there is a pattern of misuse or an indication of a slow attack.

7C Describe the general process of host-based IDS.

Host-based IDS uses what are known as agents (also called sensors), which are small programs running on the hosts that are programmed to detect intrusions upon the host. They communicate with the command console.

What are the different designs of host-based IDS?

Centralized and distributed.

Describe the advantages and disadvantages of each design of host-based IDS.

In centralized design, the data is gathered and sent from the host to a centralized location. There is no significant performance drop on the hosts, because the agents simply gather information and send it elsewhere for analysis. However, due to the nature of the design, there is no possibility of real-time detection and response.

In distributed design, the agents on the hosts are the ones that perform the analysis. There is a significant advantage to this method: the intrusion data can be monitored in real time. The flip side is that the hosts themselves can experience a bit of a performance drop, as their processors are engaged in this work constantly.

7D Describe the general process of network-based IDS.

In network-based IDS, sensors are installed in key positions throughout the network, and they all report to the command console. The sensors are full detection engines that have the ability to sniff network packets, analyze them for known signatures, and notify the console with an alert if an intrusion is detected.

What are the differences between host-based and network-based IDS?

Host-based IDS is designed to detect intrusions on a host, whether the attempt to intrude comes through a network interface or the keyboard. Network-based IDS is designed to detect intrusions in a network by analyzing network traffic, regardless of any specific host.

What are the different designs of network-based IDS?

Traditional and distributed.

Describe the advantages of each design of network-based IDS.

In the traditional design of network-based IDS, sensors are used in the network, where a sensor is a host that is configured to run the IDS software. This is usually a stand-alone computer. Each sensor runs in promiscuous mode, and packets are fed directly into the detection engine for analysis. In general, there should be one sensor in each critical segment of the network. Any alarms that are generated are sent to the command console.

In the distributed design of network-based IDS, a sensor is installed on each host in the network, instead of on each segment. The sensors then communicate with each other in the event of an intrusion, and use the command console as a center of operations and for alarms. This provides the opportunity to detect packets that might otherwise have been lost or missed by the traditional design.

7E What is the difference between interval and real-time analysis?

In interval analysis, the operating system (or other host-based) audit logs are used to capture the events, and the IDS, at given intervals, analyzes the data in the logs for signatures of intrusion. With real-time analysis, data is analyzed for intrusion signatures as it is collected.

What is the difference between statistical and signature analysis?

In signature analysis, known attack signatures are compared against data collected in the network. A match triggers an intrusion event, and an alarm might follow. Statistical analysis attempts to find deviations from known patterns of behavior. Using this method, an IDS creates profiles of user behavior, and that data is described as the normal usage for the profile. When an event deviates from the normal usage pattern, it could indicate a possible intrusion.
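The two approaches side by side, as an added example (this code is not part of the course material): a small Python script runs a signature check and a statistical profile check over the same constructed set of file-server events. The user names, byte counts, signature strings, and the three-standard-deviation threshold are all assumptions chosen for illustration.

```python
"""Signature analysis beside statistical (profile) analysis on constructed events.

Added example, not from the course. Both detectors run over the same events:
the signature detector looks for known misuse strings in each request; the
statistical detector builds a per-user profile from a constructed baseline
and flags a value more than k standard deviations above that user's mean.
"""
from statistics import mean, pstdev

# Constructed baseline: bytes each user pulled from the file server per day
BASELINE_BYTES = {
    "alice": [210, 195, 230, 205, 220, 198, 215, 225, 200, 210],
    "bob": [1200, 1150, 1300, 1250, 1180, 1220, 1275, 1190, 1240, 1210],
}

# Constructed signatures: a name and the substring that identifies known misuse
SIGNATURES = {
    "cmd.exe in request": "cmd.exe",
    "directory traversal": "../..",
}

# Constructed events of the kind an interval analysis would read from a log
SAMPLE_EVENTS = [
    {"user": "alice", "request": "GET /index.html", "bytes": 205},
    {"user": "alice", "request": "GET /scripts/../../winnt/system32/cmd.exe", "bytes": 230},
    {"user": "bob", "request": "GET /reports/q3.pdf", "bytes": 1230},
    {"user": "alice", "request": "GET /backup/full.tar", "bytes": 9000},
    {"user": "carol", "request": "GET /index.html", "bytes": 300},  # no profile yet
]


def signature_matches(request):
    """Signature analysis: every known pattern found in the request."""
    return [name for name, pattern in SIGNATURES.items() if pattern in request]


def build_profiles(history):
    """Statistical analysis, step 1: 'normal usage' per user as (mean, std dev)."""
    return {user: (mean(values), pstdev(values)) for user, values in history.items()}


def statistical_deviation(profiles, user, observed, k=3.0):
    """Statistical analysis, step 2: flag a value more than k std devs above the mean.

    Returns (flagged, threshold). A user with no profile cannot deviate from one,
    so the event passes without a statistical verdict (a real system would start
    learning that user's profile here).
    """
    if user not in profiles:
        return False, None
    mu, sigma = profiles[user]
    threshold = mu + k * max(sigma, 1.0)  # floor on sigma so a flat baseline is not a zero-width band
    return observed > threshold, threshold


def analyze(events, profiles, k=3.0):
    """Run both detectors over the events and return the alerts raised."""
    alerts = []
    for ev in events:
        for name in signature_matches(ev["request"]):
            alerts.append(("signature", ev["user"], name))
        flagged, threshold = statistical_deviation(profiles, ev["user"], ev["bytes"], k)
        if flagged:
            alerts.append(("statistical", ev["user"],
                           "%d bytes exceeds %.0f" % (ev["bytes"], threshold)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS, build_profiles(BASELINE_BYTES)):
        print(alert)
```

Note what each detector misses: the 9,000-byte transfer carries no known signature and is caught only by the profile, while the cmd.exe request stays inside alice’s normal byte range and is caught only by the signatures. That is why the two kinds of analysis are used together.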

7F Describe the process of detecting internal misuse.

Most internal threats are network or resource misuse. This is one of the difficult areas of security. Since the users already have some level of access to the network, dealing with inside threats can be quite a bit more complex than dealing with outside threats. Another reason this area is difficult is that the threat does not always amount to someone stealing data; more often it is the inappropriate use of company resources. Detecting internal misuse might require auditing of network resources such as file and print servers.

Describe the difference between surveillance and normal IDS operation.

When there has been some indication of a threat of break-in, resource misuse, or some other unauthorized activity, the IDS can be used in surveillance mode. While this might seem to be the entire function of the IDS in the first place, the reference is to an increased level of awareness versus the normal mode of operation.

7G What is the reason an IDS cannot manage hardware failures?

The IDS might be able only to inform you that an event happened. If the response is not programmed to thwart the attack, and if the attack results in the shutdown of the system running the IDS, then future attacks cannot be analyzed either.

What is the reason an IDS cannot provide 100 percent analysis?

While it might be mathematically possible to gather 100 percent of the network traffic and 100 percent of host-based activity, it is unrealistic to expect the computer to process all of it.

Lesson 8: Configuring an IDS

Overview
In this lesson, you will implement an IDS. There are many different types of IDSes, and for this lesson, you will use perhaps the most famous free IDS tool: Snort. Snort is a tool designed to monitor TCP/IP networks, looking for suspicious traffic and direct network attacks. It enables system administrators to collect enough data to make informed decisions on the best course of action in the event that an intrusion is detected.

Objectives
To configure IDSs, you will:

8A Describe how Snort works as an IDS.

You will describe how Snort works as an IDS, including the pros and cons of implementation in a production network environment.

8B Install Snort on a stand-alone computer.

Given a computer running Windows in a networked environment, you will install the Snort intrusion detection application.

8C Describe the rules used in Snort.

On a computer running Snort, you will create and test a ruleset to check the effectiveness of the installation.

8D Configure Snort IDS to use a MySQL database.

Given a computer running Windows, you will install MySQL and configure Snort to send alert data to the database.

8E Configure a full IDS on Linux.

Given a computer running SuSE Linux, you will configure Snort, MySQL, and the BASE console to view alerts.

Data Files

• Snort_2_6_1_2_Installer

• Rules directory

• mysql-essential-5.0.27-win32

• adodb493a.tgz

• base-1.2.7.tar.gz

Lesson Time
6 hours

Topic 8A: Snort Foundations
In the world of intrusion detection tools, administrators and analysts have many choices. One consideration is cost. Another critical one is the speed of response to new types of incidents, such as Code Red and the quick follow-up of Code Red II. It is in this conversation that an open-source tool such as Snort really shines. This tool and the associated applications that go along with it can be found at www.snort.org.

• The cost issue should be obvious to everyone, and free can’t be beat! When commercial IDS products can cost a few thousand dollars on the low end and over a hundred thousand dollars toward the high end, free is clearly a driving force for some.

• The other primary benefit is that the open-source format allows for fast modifications. The rules that Snort uses to make decisions can be written by anyone and then posted to the web. If a new threat is identified in the morning, an administrator can create a new rule and post it by that afternoon. The Snort community can then analyze the rule, and when it is determined to be correct, the rule can be downloaded and implemented. A threat can be minimized the very day it is announced. This is a significant benefit.

Snort Deployment
Snort can be deployed on just about any host on the network. The actual Snort program is very small and does not use enough resources to cause any significant issues with the base operating system. It is possible to install and configure Snort and let it run for days with no intervention from the administrator. At a later date, the administrator can view and analyze the data collected.

Although Snort can be installed on almost any host in the network, the choice of placement is important. Snort uses an interface in promiscuous mode (meaning that it captures all the packets seen by the NIC), and one installation of Snort per collision domain might be sufficient. It can also be a benefit to have an IDS placed just inside and just outside of the firewall. This way, you can identify the attacks that the firewall blocks as well as those that get through to the inside.

The interface that is in promiscuous mode is acting as a sniffer, capturing all the network traffic that the NIC sees. If your network is switched, make sure that you have at least one host running Snort on each segment, and remember that a switch forwards to a port only that port’s own unicast traffic plus broadcasts and multicasts: to see the other hosts’ conversations, the sensor’s port normally has to be a mirror (SPAN) port or fed from a network tap. The host itself need not be an overly powerful machine; however, it is advisable that sufficient disk space be available to store data and that the processor be able to keep up with analysis of the packets.

How Snort Works
Snort functions as a network sniffer and logger that can be implemented as a network-based IDS. (Snort is not a host-based IDS.) Snort uses crafted rules, which are matched against the packets as they are captured. If a rule matches, the user-defined action in the rule is executed.

sniffer: A program that captures data traveling across a computer network. Attackers use sniffers to capture user IDs and passwords; the same tools are used legitimately by network operations and maintenance personnel to audit traffic and troubleshoot network problems.

What the rules can check for is limited only by the administrator’s imagination and by the fact that Snort can only decode TCP, UDP, IP, and ICMP. There is currently no support for routing protocols.

The types of rules that can be created are therefore quite varied. Examples include buffer overflows, port scanning, network mapping, SMB probes, NetBIOS scans, and so on.

The way that Snort is able to use such flexible rules is due to the way Snort functions. Snort can look inside a packet and examine its contents; it is not limited to an examination of headers only. This function is called payload inspection, and it is what makes such flexible rules possible.

Snort Fundamentals
Snort has four main pieces that combine to provide solid IDS functionality. The first is the packet capture piece, using libpcap or WinPcap, where raw packets are pulled off the wire. The second is the preprocessor, where packets are examined prior to handoff to the detection engine. The third is the detection engine. This is where your Snort rules are in action, with the detection engine looking at the parts of the packets you have defined. Last is the output piece. If a packet is run through the detection engine and an alert is generated, or if logging is defined, the output piece is where that takes place.

The main file that contains the core Snort configuration is called snort.conf. This file has several primary parts, some of which you will not adjust in this course. Note: If you wish to go into great depth with Snort, start with the official documentation found at www.snort.org. The primary parts of the snort.conf file are:

• Variables

• Preprocessors

• Output Plug-ins

• Rulesets

There are many variables used in Snort, which can then be referenced later (as $NAME) in rules and elsewhere in the configuration. Two common variables are var HOME_NET, which defines your local network, and var EXTERNAL_NET, which defines the external network.

Preprocessors are filters used by Snort to perform actions on a packet before it reaches the full detection engine. This is useful for speeding up Snort, when preprocessing can exclude a packet before Snort rules are required to look “inside” the payload to perform content and other matching.

Output plug-ins determine Snort’s alerting and logging features and what format to use when Snort dumps collected data.

You define the location of the rulesets you wish to use in the snort.conf file. Although you could write rules directly into this file, that practice is not encouraged. By writing individual rule files, you maintain better control over your configuration. You define the location of the ruleset in the snort.conf file, and the individual rules you require live in that separate ruleset file.
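To make the four pieces concrete, here is an added example (not Snort’s code, and not part of the course) that models the pipeline in Python: a preprocessor, a detection engine that understands a small subset of the Snort rule language (action, protocol, $HOME_NET-style variables with ! negation, single ports or any, the -> direction, msg, content with |hex| bytes, nocase, sid), and an output stage that formats alerts. The packets, the rules, the HOME_NET value, and the outside address 203.0.113.9 are constructed for the example; real Snort does far more (fragment and stream reassembly, flow tracking, many more rule options).

```python
"""Miniature model of the Snort pipeline: capture -> preprocessor -> detection engine -> output.

Added example, not Snort's code. It supports a small subset of Snort rule
syntax (action, protocol, source/destination with $VAR and !, single ports
or any, the -> direction, msg, content with |hex| bytes, nocase, sid) and
runs it over constructed packets. Real Snort also reassembles fragments and
TCP streams, tracks flow state and has many more rule options.
"""
import ipaddress
import re
from collections import namedtuple
from urllib.parse import unquote_to_bytes

Packet = namedtuple("Packet", "proto src sport dst dport payload")

# snort.conf-style variables (constructed; the LEFT classroom network from the text)
VARS = {"HOME_NET": "172.16.10.0/24", "EXTERNAL_NET": "!$HOME_NET"}

# Constructed rules; sids from 1000000 up are the range left for local rules
RULES_TEXT = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase; sid:1000001;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP echo from outside"; sid:1000002;)
alert udp any any -> $HOME_NET 53 (msg:"DNS standard query to internal server"; content:"|01 00 00 01|"; sid:1000003;)
"""
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
DECODABLE = {"tcp", "udp", "icmp"}  # what the decoder handles; no ARP, no routing protocols


def parse_content(spec):
    """Snort content string: literal text outside |...|, hex bytes inside."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(spec.split("|")))


def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = HEADER.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        rule = dict(zip(["action", "proto", "src", "sport", "dst", "dport"], m.groups()[:6]))
        for opt in filter(None, (o.strip() for o in m.group(7).split(";"))):
            key, _, val = opt.partition(":")
            val = val.strip().strip('"')
            # options with a value are converted by type; a bare option (nocase) is a flag
            rule[key] = {"content": parse_content, "sid": int}.get(key, str)(val) if val else True
        rules.append(rule)
    return rules


def addr_matches(spec, ip):
    """Resolve $VAR and ! (negation may come from a variable, e.g. EXTERNAL_NET = !$HOME_NET)."""
    negate = False
    while spec[0] in "!$":
        if spec[0] == "!":
            negate = not negate
            spec = spec[1:]
        else:
            spec = VARS[spec[1:]]
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def preprocess(pkt):
    """Preprocessor stage: drop what the decoder cannot handle and normalise HTTP
    requests (as Snort's http_inspect does) so percent-encoding cannot dodge content rules."""
    if pkt.proto not in DECODABLE:
        return None
    if pkt.proto == "tcp" and pkt.dport == 80:
        pkt = pkt._replace(payload=unquote_to_bytes(pkt.payload))
    return pkt


def rule_matches(rule, pkt):
    """Detection engine stage: header fields first, payload inspection last."""
    if rule["proto"] != pkt.proto:
        return False
    if not (addr_matches(rule["src"], pkt.src) and addr_matches(rule["dst"], pkt.dst)):
        return False
    if not (port_matches(rule["sport"], pkt.sport) and port_matches(rule["dport"], pkt.dport)):
        return False
    content = rule.get("content")
    if content is None:
        return True
    if rule.get("nocase"):
        return content.lower() in pkt.payload.lower()
    return content in pkt.payload


def run_sensor(packets, rules):
    """Output stage: one alert record per matching alert rule, in Snort's [gid:sid:rev] style."""
    alerts = []
    for raw in packets:
        pkt = preprocess(raw)
        if pkt is None:
            continue
        for rule in rules:
            if rule["action"] == "alert" and rule_matches(rule, pkt):
                alerts.append({"sid": rule["sid"], "text": "[**] [1:%d:0] %s [**] %s:%d -> %s:%d" % (
                    rule["sid"], rule["msg"], pkt.src, pkt.sport, pkt.dst, pkt.dport)})
    return alerts


RULES = parse_rules(RULES_TEXT)
SAMPLE_PACKETS = [  # constructed; stands in for the packet capture stage
    Packet("tcp", "203.0.113.9", 40000, "172.16.10.20", 80,
           b"GET /scripts/..%2f../winnt/system32/CMD%2eEXE HTTP/1.0\r\n\r\n"),  # encoded, mixed case
    Packet("tcp", "172.16.10.21", 40001, "172.16.10.20", 80, b"GET /cmd.exe HTTP/1.0\r\n\r\n"),  # inside
    Packet("icmp", "203.0.113.9", 0, "172.16.10.20", 0, b"abcdefghijklmnopqrstuvwabcdefghi"),
    Packet("udp", "203.0.113.9", 53000, "172.16.10.53", 53,
           b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x07example\x03com\x00\x00\x01\x00\x01"),
    Packet("arp", "172.16.10.21", 0, "172.16.10.1", 0, b""),  # dropped by the preprocessor
]

if __name__ == "__main__":
    for alert in run_sensor(SAMPLE_PACKETS, RULES):
        print(alert["text"])
```

Two details carry the lesson: the first packet would slip past a plain content:"cmd.exe" match without the preprocessor’s URI normalisation, and the second packet triggers nothing because its source is inside $HOME_NET, which is exactly what var HOME_NET and var EXTERNAL_NET decide.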

Prior to running tasks on Snort, you will need to perform some initial configuration. The first thing to alter is called the Home Network. This line tells Snort which addresses make up your network, so that rules written against $HOME_NET apply to traffic involving your hosts rather than to all traffic. If you wish to treat all traffic as your network, you may use a home network of any.

In this classroom, there are two student networks; the LEFT side uses the 172.16.10.0/24 network and the RIGHT side uses the 172.18.10.0/24 network. If your system is part of the LEFT network, you will configure Snort to use this line: var HOME_NET 172.16.10.0/24. If your system is part of the RIGHT network, you will configure Snort to use this line: var HOME_NET 172.18.10.0/24.

Snort runs on both Linux and Windows platforms, and for this lesson, the tasks are run on a Windows system. There are other Snort configuration lines that require editing because you are running on a Windows system. Two of these lines are:

include classification.config

include reference.config

These need to be changed to the full Snort path on your system. Change these lines to read as follows:

include C:\Snort\etc\classification.config

include C:\Snort\etc\reference.config

Topic 8B: Snort Installation
Another benefit of Snort might be its ease of installation. The overall process of installation takes only a few minutes. A few more minutes of configuration, and Snort is up and running.

In this section, you will install Snort on a Windows computer, and later in the lesson, you will perform a full installation on SuSE Linux. You require two things for the installation on Windows:

• libpcap for Windows. You will use a packet capture driver called WinPcap for this function. (Further WinPcap information is available from the Computer Network and Network Intelligence Group of Politecnico di Torino.) This simple, self-extracting executable file can be found at www.snort.org or in other Internet archives.

• The Snort application file itself. This is an executable file that can also be found at www.snort.org.

For tips on loading Snort on Windows machines, visit www.silicondefense.com.

TASK 8B-1: Installing Snort

1. If required (you should have installed WinPcap earlier in the course), run the WinPcap installation file to install the Windows version of the libpcap driver. Note that the filename is WinPcap_4_0.exe.

2. From the C:\Tools\Lesson8 folder, double-click the Snort installer file. The full filename is Snort_2_6_1_2_Installer.exe.

3. Read the License Agreement, and if you agree, click the I Agree button to continue the installation.

4. Keep the I Do Not Plan To Log To A Database radio button selected and click Next. Note that later in the lesson you will work with a MySQL database.

5. Keep all the default selected components checked, and click Next.

6. Accept the default install location, and click Next.

7. When the install is complete, click Close to exit the Setup program.

8. In the successful install window, click OK. If you get a pop-up about WinPcap, click OK.

9. Open My Computer, and navigate to the C:\Snort folder. Note the directory structure that was created during the install:

• C:\Snort\bin

• C:\Snort\contrib

• C:\Snort\doc

• C:\Snort\etc

• C:\Snort\lib

• C:\Snort\log

• C:\Snort\rules

• C:\Snort\schemas

10. In the C:\Snort\bin folder, create a folder named log (this will have a path of C:\Snort\bin\log).

11. In the C:\Snort\log folder (note this is not the folder created in Step 10), create a file named alert.ids and click Yes to accept that you are going to change the file name extension. You will need this file later in the lesson.

12. Choose Start→Administrative Tools→Services.

13. Scroll to the Messenger service.

14. Right-click the Messenger service and choose Properties.

15. Change the Startup type to Automatic.

It is a good idea for the students to save current versions of their snort.conf file during this lesson. If an error occurs, they only have to go back to the last known good file.

16. Click Apply.

17. Click Start.

18. Click OK.

19. Close the Services window.

Common Snort Commands
When running Snort, there are some common switches and commands you should be aware of. In this course, you will not use all of these, but you will use the most common ones. These switches include:

• -v: This is the basic command, putting Snort in packet sniffing mode and printing the IP, TCP, UDP, and ICMP headers to the screen.

• -d: This switch dumps the application-layer data (the payload) along with the headers.

• -e: This switch displays the second-layer (Ethernet) headers as well.

• -l: This switch enables logging. After -l, you must give the directory in which the logs are to be written.

• -c: This switch is what essentially turns on the IDS side of Snort, versus running it as a packet sniffer. After -c, you must give the path to the configuration file (snort.conf), which in turn includes the rules files Snort is to use for IDS functions.

• -W: This switch lists the network interfaces that are available to Snort.

• -iX: This switch tells Snort which network interface to use, when you replace X with the number of the interface as listed by -W.

TASK 8B-2: Initial Snort Configuration

1. Open My Computer and navigate to the C:\Snort\etc folder.

2. Right-click the snort.conf file, and choose Copy.

3. Right-click in the C:\Snort\etc folder and choose Paste.

4. Rename the copy of snort.conf as snort.conf.bak. (Click Yes if you receive a Rename warning prompt.) In the event that you run into difficulty with your snort.conf file, you will have this file as a backup.

5. Double-click the original snort.conf file.

6. Select the Select The Program From A List radio button and click OK.

7. Select WordPad as the program to use and click OK. You may leave the check box checked to always use this program to open this file type.

When editing Snort lines, be sure you edit the actual lines used, not the lines designated as comments with a #.

8. Scroll down to var HOME_NET any and replace “any” with your home network.

• If you are in the LEFT network, use: var HOME_NET 172.16.0.0/16

• If you are in the RIGHT network, use: var HOME_NET 172.18.0.0/16

9. Search for the variable var EXTERNAL_NET any and change it to read var EXTERNAL_NET !$HOME_NET

10. Search for the line include classification.config and change it to read include C:\Snort\etc\classification.config

11. Search for the line include reference.config and change it to read include C:\Snort\etc\reference.config

12. Search for the variable var RULE_PATH ../rules and change it to read var RULE_PATH C:\Snort\rules

13. Change # include threshold.conf to read include C:\Snort\etc\threshold.conf

14. There are two other lines where you must replace the default Unix path with a specific Windows path. The following two steps show the before and after of these two configuration lines.

15. Change dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ to read dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor

16. Change dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so to read dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

17. Once you have made these changes, save and close the snort.conf file.

18. Open two command prompts. One will be used to run Snort and the other to run ping commands.

19. At one of the command prompts, navigate to the C:\Snort\bin folder, and enter snort -W

You will see a list of available adapters on which you could install the sensor. The adapters are numbered 1, 2, 3, and so forth. In this lesson, you will be using the NIC. Write the number associated with that adapter here: _______

20. At the C:\Snort\bin prompt, enter snort -v -iX where X is the number of the NIC that you recorded in the previous step.

21. Switch to your other open command prompt, and ping any other computer in the network. When the ping is complete, switch back to the command prompt that is running Snort.

22. In the Snort command prompt, press Ctrl+C to stop Snort.

23. Review the summary information, noting the packets that Snort cap-tured in this test.

24. Close all open windows.

Using Snort as a Packet Sniffer
In our first example of working with Snort, you will use it for packet sniffing. Using a command prompt, you will capture headers. This can produce a lot of information quickly, so make sure that you change the screen buffer size of the command prompt to a very high value; even 5000 or more is fine. An example of packet sniffing by Snort is shown in Figure 8-1.

Figure 8-1: An example of Snort being turned on as a packet sniffer.

About the Tasks
For many of the activities in this topic, you will work in pairs. Each student computer should have two command prompt windows open: one for running Snort commands and the other for running pings and other network commands. Your instructor will designate one student in each pair to act as Host One; the other will be Host Two. Remember which is which, and only perform those steps that apply to your specific machine.

packet sniffer: A device or program that monitors the data traveling between computers on a network.

TASK 8B-3: Capturing Packets with Snort

Setup: Snort has been installed and tested, and your instructor has designated you as Host One or Host Two.

Note: Perform the following step on all student computers.

1. Open two command prompts.

Note: Perform the following step only if you are designated as Host One.

2. Change to the c:\snort\bin directory. Enter snort -v -ix (remember to use the adapter number in place of the x). The -v switch prints the headers on the screen.

Note: Perform the following step only if you are designated as Host Two.

3. As soon as Host One has pressed Enter, ping Host One by its IP address.

Note: Perform the following step only if you are designated as Host One.

4. As soon as the ping is completed, press Ctrl+C to stop the packet capture. Leave the used windows open, and switch to the unused command prompt.

Note: Perform the following step only if you are designated as Host Two.

5. Switch to the unused command prompt. Change to the c:\snort\bin directory. Enter snort -v -ix (remember to use the adapter number in place of the x).

Note: Perform the following step only if you are designated as Host One.

6. As soon as Host Two has pressed Enter, ping Host Two by its IP address.

Note: Perform the following step only if you are designated as Host Two.

7. As soon as the ping is completed, press Ctrl+C to stop the packet capture.

Note: Perform the following step on all student computers.

8. Minimize the command prompt window used for pinging, and focus on the window in which Snort was running. Browse the output, and try to identify the ping packets sent between Host One and Host Two.

Packet Data Capture
When Snort is stopped, it lists some statistics about the capturing session that just ended. This statistical summary gives a quick overview of the kinds of traffic that were captured, and it looks like Figure 8-2.

Figure 8-2: An example of the statistics after a packet capture has completed.

In this example, no packets were dropped, and the vast majority of packets captured were TCP. This screenshot was generated on a Windows 2000 computer, after running for about 20 seconds in a controlled environment.

Figure 8-3 shows a portion of the packet headers that were captured, specifically the ping packets. This was the goal of the previous exercise: to identify the ping packets. From this screenshot, you can identify that the ping was initiated from host 10.0.10.115 and sent to 10.0.10.213.

You should be able to see that the packets were correctly identified as ICMP, and the IP identification (ID) numbers go up as expected: 2635 on the first request shown, 2636 on the second, and so on. The reply packets follow the same pattern: ID 53820 followed by 53821. The ICMP sequence numbers are also correct, again incrementing by one, as expected.

Figure 8-3: An example of a ping sequence between two hosts captured by Snort.

Although the capture of header information is an excellent way to craft the IDS for an organization, more might be required, such as examining the contents of packets and determining if the content matches any rule. If this is the case, then another switch is needed to see the packet data in Snort. The switch to add is the -d switch.

TASK 8B-4: Capturing Packet Data with Snort

Note: Perform the following step only if you are designated as Host One.

1. If necessary, change to the directory where you installed Snort. Remember, the directory is c:\snort\bin. Enter snort -ix -v -d.

Using the -d switch enables you to see the packet data in Snort.

Note: Perform the following step only if you are designated as Host Two.

2. As soon as Host One has pressed Enter, ping Host One by its IP address.

Note: Perform the following step only if you are designated as Host One.

3. As soon as the ping is completed, press Ctrl+C to stop the packet capture. Leave this window open, and switch to the other command prompt.

Note: Perform the following step only if you are designated as Host Two.

4. Switch to the other command prompt. If necessary, change to the directory where you installed Snort. Enter snort -ix -v -d.

Don’t forget, the x in the switch -ix is the number of your network interface.

Note: Perform the following step only if you are designated as Host One.

5. As soon as Host Two has pressed Enter, ping Host Two by its IP address.

Note: Perform the following step only if you are designated as Host Two.

6. As soon as the ping is completed, press Ctrl+C to stop the packet capture.

Note: Perform the following step on all student computers.

7. Minimize the command prompt that you used for pinging, and focus on the window in which Snort was running. Browse the output, and try to identify the ping packets sent between Host One and Host Two. Because the contents of the packets are captured this time, the screen looks different. You should still be able to identify the ping sequence, though. The obvious difference is the payload data itself. Because the data is ping, the payload is filled with padding; in this case, letters of the English alphabet.

In both command prompt windows, use the cls command to clear the screen and prepare for the next task.

Logging with Snort
Using packet capture enables the security professional to gather data to look for misuse of resources and network intrusions. However, it is impractical to expect anyone to watch the screen for intrusions, not to mention that the speed at which the packets are captured is quite fast (as you might have already seen).

It is much more logical to record these packets to the hard drive for future analysis. The process is pretty simple: provide a log directory and tell Snort to perform logging. If you start Snort and tell it to log to a directory that does not exist, Snort will exit with an error.

Snort is designed to create a folder hierarchy of the packets it captures. The folder structure in the log directory uses IP addresses for simple searching at a later time.

TASK 8B-5: Logging with Snort

Setup: Two clean command prompt windows are open.

Note: Perform the following step only if you are designated as Host One.

1. If necessary, change to the directory where you installed Snort. Enter snort -ix -dev -l \snort\log to start Snort and instruct it to record headers and data in the \snort\log folder.

Note: Perform the following step only if you are designated as Host Two.

414 Tactical Perimeter Defense

Page 457: SCNS - Tactical Perimeter Defense

2. Ping Host One by its IP address.

Note: Perform the following step only if you are designated as Host One.

3. Switch to the other prompt, and ping Host Two by its IP address.

Note: Perform the following step only if you are designated as Host Two.

4. Change to the directory where you installed Snort, and enter snort -iX -dev -l \snort\log to start Snort and instruct it to record headers and data in the \snort\log folder.

Note: Perform the following step only if you are designated as Host One.

5. Ping Host Two by its IP address.

Note: Perform the following step only if you are designated as Host Two.

6. Ping Host One by its IP address.

Note: Perform the rest of this task on all student computers.

7. Press Ctrl+C to stop Snort.

8. Start Windows Explorer, and navigate to the snort\log folder.

9. Locate your log file; it will have a name such as snort.log.116850130.

10. Choose Start→All Programs→Wireshark→Wireshark.

11. Choose File→Open.

12. Navigate to your new log file and click Open.

13. Review the packet capture, and compare what was captured with the ping commands you sent between you and your partner.

14. Close all windows.

Topic 8C: Snort as an IDS

Up to this point, you have been using Snort to capture packets and then examining the contents of those packets. Although this can be quite useful, it is not a practical way to deploy an IDS. An IDS needs rules to follow and a way to alert the administrator when a rule is matched. In this topic, you will take Snort to the next level: IDS.


It’s All in the Rules

As stated earlier, Snort uses rules to match for signatures of misuse. These rules can be written from scratch, or the rules that ship with the application can be modified. You will look at both scenarios.

An example of the syntax to use Snort as an IDS is as follows:

%systemroot%\snort\snort -dev -l \snort\log -c snort.conf

In this example, the new addition to the line is the -c switch, followed by the snort.conf file. As you might remember, the snort.conf file is used to define configuration variables that will be used for Snort. Earlier, all that the snort.conf file was used for was to specify the Home_Net variable by changing it to refer to the correct IP address.

In this case, adding the -c switch tells Snort to apply the rules that are in the snort.conf file to the packets as they are processed by Snort. Before we get too far ahead of ourselves, let’s back up and look at the basics of the Snort rules. The rules of Snort are made up of two distinct parts:

• Rule Header: The Rule Header is where the rule’s action, protocol, directional operator, source and destination IP addresses (with subnet mask), and the source and destination ports are identified.

• Rule Options: The Rule Options are where the rule’s alert message and the specifications of which parts of the packet are to be examined to determine if there is a rule match.

Here is an example rule:

alert tcp any any -> any 80 (content: "adult"; msg: "Adult Site Access";)

The syntax breakdown of this example is as follows:

• The text up to the first parenthesis is the Rule Header.

• The section enclosed in the parentheses is the Rule Options. Rule Options are not required by any rule, but they provide much information and might be the reason for creating the rule itself.

So, the end result of this rule is to create an alert if TCP traffic from any IP address and any port is sent to any host at port 80, where the string adult is in the payload. If this rule is met, a message of Adult Site Access will be placed in the logs with this packet.

The Rule Header

Let’s look at the Rule Header in more detail. As mentioned previously, the Rule Header for our example is composed of the following information:

alert tcp any any -> any 80

The first part of this syntax, alert, is known as a rule action. The rule action in the header defines what is to be done when a packet that matches the rule is found. There are five actions that can be defined.

Rule Action   Description
Alert         Creates an alert using whatever method has been defined. Also logs the packet using whatever method has been defined.
Log           Logs the packet using whatever method has been defined.
Pass          Tells Snort to ignore this packet.
Activate      Creates an alert and turns on a dynamic rule.
Dynamic       Remains unused unless another rule calls it. If called, it acts similarly to a log rule.

Note: The ⇒ symbol represents that all code shown belongs on the same line. It is shown here on more than one line due to margin constraints.

After the action has been defined, the next step is to define the protocol. In our example, the protocol defined is TCP. Currently, Snort supports defining the TCP, UDP, ICMP, and IP protocols.

After the action and protocol are defined, Snort requires the IP addresses to be used. A valid statement is to use the word any, meaning any IP address. Snort uses CIDR notation (a slash followed by the number of network bits) to specify the subnet mask. Following this, a full Class A IP address will have a netmask of /8, a full Class B will have a netmask of /16, and a full Class C will have a netmask of /24. Single hosts are specified with a /32 netmask.

In addition to defining a single host or a single subnet of addresses, Snort can work with groups of IP addresses in a single rule. This is called creating an IP list. The IP list can be created by enclosing the list, with addresses separated by commas, in square brackets. An example of using an IP list is:

alert tcp any any -> [10.0.10.0/24, 10.10.10.0/24] any (content: "Password"; msg:"Password Transfer Possible!";)

Note: A long rule such as the previous one can be entered in the editor as a single long line. Versions of Snort before 1.8 required a backslash (\) between the lines of a single rule. It is acceptable now to have a rule span multiple lines, but in most editors a long line is easy to work with.

After IP addresses have been specified, you need to tell Snort which port you want to check. When you are working with Snort rule syntax, ports can be defined in several ways. Single static ports are common, as in port 80, port 23, and so on. The rule can also define the keyword any, again meaning any port. Ranges of ports can also be defined using a colon to separate the start and end points of the range. Here are several examples of different port definitions:

• To log any traffic from any IP address and any port to port 23 of the 10.0.10.0/24 network:

log tcp any any -> 10.0.10.0/24 23

• To log any traffic from any IP address to any port between (and including) 1 and 1024 on any host in the 10.0.10.0/24 network:

log tcp any any -> 10.0.10.0/24 1:1024

• To log any traffic from any IP address where the source port number is less than or equal to 1024 and is destined for any host in the 10.0.10.0/24 network with a destination port greater than or equal to 1024:

log tcp any :1024 -> 10.0.10.0/24 1024:


In the rules of Snort, there is an option to negate a port or IP address. By using the exclamation point (!), the rule will perform a negation. This is similar to the negate option in the IPTables rulesets. For example:

• To log any TCP traffic from any host other than 172.16.40.50 using any port to any host on the 10.0.10.0/24 network using any port:

log tcp !172.16.40.50/32 any -> 10.0.10.0/24 any

• To log any TCP traffic from any host using any port to the 10.0.10.0/24 network to any port other than 23:

log tcp any any -> 10.0.10.0/24 !23

By now, through these examples you should be able to identify the directional option. The direction is defined with ->. This means coming from the left and going to the right, so to speak. It is possible to have Snort check the packet for IP addresses and ports in both directions. This can be a benefit for analysis of both sides of a session. The following example uses the bi-directional option to record both ends of a telnet session:

log tcp 10.0.10.0/24 any <> 172.16.30.0/24 23
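The header grammar walked through above, as an added example in Python (not code from the course or from Snort itself): it parses the seven header fields, including CIDR networks, [IP lists], ! negation, port ranges and the <> direction, and evaluates them against constructed sample packets. The Packet class and the sample addresses are assumptions made for the example.

```python
"""Match packets against Snort rule headers.

Added example for this lesson (not Snort's or the course's code). It implements the
header grammar the text walks through: action, protocol, address (any, CIDR network,
[list] or ! negation), port (single, lo:hi, :hi, lo:, any, ! negation) and the
-> and <> directions. The options in parentheses are dropped; only the header is tested.
"""
import ipaddress
import re
from dataclasses import dataclass

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}


@dataclass
class Packet:                # constructed sample packet, not captured data
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_addr(field):
    """'any' -> (False, None); '![10.0.10.0/24,10.10.10.0/24]' -> (True, [networks])."""
    negated = field.startswith("!")
    field = field.lstrip("!").strip("[]")
    if field == "any":
        return negated, None
    nets = [ipaddress.ip_network(p if "/" in p else p + "/32", strict=False)
            for p in field.split(",")]          # a bare address is a single /32 host
    return negated, nets

def parse_port(field):
    """'any' -> 0..65535; '1:1024', ':1024', '1024:' are ranges; optional ! prefix."""
    negated = field.startswith("!")
    field = field.lstrip("!")
    if field == "any":
        lo, hi = 0, 65535
    elif ":" in field:
        a, b = field.split(":", 1)
        lo, hi = (int(a) if a else 0), (int(b) if b else 65535)
    else:
        lo = hi = int(field)
    return negated, lo, hi

def parse_header(rule):
    """Split a rule into its seven header fields; the options in parentheses are dropped."""
    header = rule.split("(", 1)[0]
    header = re.sub(r"\[[^\]]*\]", lambda m: m.group(0).replace(" ", ""), header)
    header = re.sub(r"!\s+", "!", header)        # accept '! 172.16.40.50/32' as the text writes it
    toks = header.split()
    if len(toks) != 7:
        raise ValueError("header needs 7 fields: " + rule)
    action, proto, sip, sport, direction, dip, dport = toks
    if action not in ACTIONS or proto not in PROTOCOLS or direction not in ("->", "<>"):
        raise ValueError("bad action, protocol or direction: " + rule)
    return {"action": action, "proto": proto, "dir": direction,
            "src": parse_addr(sip), "sport": parse_port(sport),
            "dst": parse_addr(dip), "dport": parse_port(dport)}

def addr_matches(spec, addr):
    negated, nets = spec
    hit = nets is None or any(ipaddress.ip_address(addr) in n for n in nets)
    return hit != negated

def port_matches(spec, port):
    negated, lo, hi = spec
    return (lo <= port <= hi) != negated

def header_matches(hdr, pkt):
    """True when the packet fits the header; <> also tries the reverse direction."""
    if hdr["proto"] != "ip" and hdr["proto"] != pkt.proto:
        return False

    def one_way(src, sport, dst, dport):
        return (addr_matches(src, pkt.src) and port_matches(sport, pkt.sport)
                and addr_matches(dst, pkt.dst) and port_matches(dport, pkt.dport))

    forward = one_way(hdr["src"], hdr["sport"], hdr["dst"], hdr["dport"])
    if hdr["dir"] == "<>":
        return forward or one_way(hdr["dst"], hdr["dport"], hdr["src"], hdr["sport"])
    return forward

def matching_actions(rules, pkt):
    """Action of every rule whose header matches the packet, in rule order."""
    return [h["action"] for h in map(parse_header, rules) if header_matches(h, pkt)]


RULES = [  # the header examples from the text, with the lowercase actions Snort expects
    "log tcp any any -> 10.0.10.0/24 23",
    "log tcp any :1024 -> 10.0.10.0/24 1024:",
    "log tcp ! 172.16.40.50/32 any -> 10.0.10.0/24 any",
    "log tcp any any -> 10.0.10.0/24 !23",
    "log tcp 10.0.10.0/24 any <> 172.16.30.0/24 23",
    'alert tcp any any -> [10.0.10.0/24, 10.10.10.0/24] any (content:"Password"; msg:"Password Transfer Possible!";)',
]

if __name__ == "__main__":
    # a telnet server in 172.16.30.0/24 answering a client in 10.0.10.0/24
    print(matching_actions(RULES, Packet("tcp", "172.16.30.9", 23, "10.0.10.7", 50000)))
    # prints ['log', 'log', 'log', 'log', 'alert']
```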

The Rule Options

Where Snort can really start to show its flexibility and function is in the Rule Options. All of the Rule Options are separated by using a semicolon (;). Rule Option keywords are separated from their arguments with a colon (:). The following table lists some of the available keywords.

Keyword   Description
msg       Prints a message, as defined, in the alert and packet logs.
ttl       Used to match the IP header’s Time To Live value.
id        Used to match a specific IP header fragment value.
flags     Used to match TCP flags for defined values.
ack       Used to match the TCP ack setting for a defined value.
content   Used to match a defined value in a packet’s payload.

There are more keywords. It is advisable that you check the man pages (if you are using a Linux box) or the Help pages (if you are using a Windows box) for the remaining list of keywords.

When the msg option is used in a rule, it tells the logging and alerting engine that there is a message that should be inserted along with a packet dump or in an alert. Here is a sample syntax for the msg option:

msg: "text here";

When the ttl option is used in a rule, it tells Snort that there is a specific Time To Live value to match. Because it is only successful on an exact match, this can be useful for detecting traceroute attempts. Here is a sample syntax for the ttl option:

ttl: <time-value>;

When the id option is used in a rule, it tells Snort to match an exact value in the IP header Fragment field. Here is a sample syntax for the id option:

id: <id-value>;


For the flags option, there are several suboptions, which include the flags that can be matched. The flags are defined in the rule by their single letter, as listed here:

• F for FIN

• S for SYN

• R for RST

• P for PSH

• A for ACK

• U for URG

• 2 for Reserved bit 2

• 1 for Reserved bit 1

• 0 for no tcp flags set

Three modifiers are also valid for flags: the + matches when the listed flags are set regardless of what other flags are set, the * matches when any of the listed flags is set, and the ! matches when none of the listed flags is set. The reserved bits can be used to detect scans or IP stack fingerprinting. Here is a sample syntax for the flags option:

flags: value(s);

The following rule example shows a syntax that could be used to detect SYN-FIN scans:

alert tcp any any -> 10.0.10.0/24 any (flags: SF; msg: "SYN FIN Scan Possible";)

When the ack option is used in a rule, it tells Snort to match a specific ACK value in the TCP header of a packet. The network mapping tool Nmap uses the ACK flag to determine if a remote host is active. Here is a sample syntax for the ack option:

ack: <ack-value>;

The content keyword might be the most important keyword that Snort has available. When you use this option in a rule, it enables Snort to examine the payload of a packet and perform checks against the contents based on this keyword. Snort uses a pattern-match function called Boyer-Moore. (This matching function can be more intense than all the other options, so take care not to overuse this option on slower machines.) This option is case-sensitive, so matching the word Test and the word test are two different things.

The complexity of this option comes into play with the definition of the data for the match. Although it can be entered in plaintext, it can also be entered as mixed binary bytecode. (Bytecode data is a hexadecimal representation of binary data.) The basic syntax of this option is similar to the other options:

content:"content value";

Simple Rule Examples

This section details several rule examples, followed by brief descriptions of their functions. You can use these as a template for creating your own simple rules.

• To log all traffic trying to connect to the telnet port:

log tcp any any -> 10.0.10.0/24 23

• To log ICMP traffic towards the 10.0.10.0 network:

log icmp any any -> 10.0.10.0/24 any

• To allow all web browsing to go through without logging:

pass tcp any any -> any 80

• To create an alert with a message:

alert tcp any any -> any 23 (msg: "Telnet Connection Attempt";)

• To find SYN/FIN scans of the network:

alert tcp any any -> 10.0.10.0/24 any (msg: "SYN-FIN scan detected"; flags: SF;)

• To find TCP NULL scans of the network:

alert tcp any any -> 10.0.10.0/24 any (msg: "NULL scan detected"; flags: 0;)

• To find attempts at OS fingerprinting:

alert tcp any any -> 10.0.10.0/24 any (msg: "O/S Fingerprint detected"; flags: S12;)

• To perform content filtering:

alert tcp $HOME_NET any -> !$HOME_NET any (content: "Hello"; msg:"Hello Packet";)

Now that you have looked at several example rules, let’s put them together and create a ruleset for Snort.

Snort Rule IDs

An option was added to Snort to categorize all the various Snort rules. This gives people everywhere a common numbering scheme for their rules, and it helps keep the rules organized. There are a few ranges of the Snort ID that you need to be aware of. These ranges are:

• Less than 100: Reserved for future Snort use.

• 101 through 1,000,000: Reserved for direct Snort.org distribution rules.

• 1,000,001 and greater: These numbers are for the custom local rules.

A great resource called www.bleedingsnort.com uses rules in the 2,000,000 range. When you develop your own local rules, as long as you use a unique number for every rule, and that number is greater than one million, your rule will not have a SID problem. However, it is a good idea to use a higher number such as four million and up, because organizations who write rules, such as Bleeding Snort, might be in the lower ranges.

Note: Even when using ICMP, Snort requires ports to be defined, so use the word any.

Note: The content filtering example uses the $HOME_NET variable instead of defining the IP address.


TASK 8C-1: Creating a Simple Ruleset

Objective: To create a rule that logs all TCP traffic, alerts to ping, and alerts to the use of the word “password.”

1. Open Notepad and enter the following:

log tcp any any <> any any (msg: "TCP Traffic Logged"; sid:10000001;)
alert icmp any any <> any any (msg: "ICMP Traffic Alerted"; sid:10000002;)
alert tcp any any <> any any (content: "password"; msg:"Possible Password Transmitted"; sid:10000003;)

2. Save the file as C:\Snort\rules\“myrule.rules” and close Notepad. Be sure to type the quotes so that Notepad does not append its default file name extension, keeping rules as the extension.

Testing a Rule Set

After you have created a ruleset and have saved it in the Snort folder, it is time to test this ruleset. You can do so at the command prompt. Just be sure that the command prompt buffer is set high enough.

TASK 8C-2: Testing the Ruleset

Note: Perform the following step on all student computers.

1. Clear the \snort\log folder and open two command prompts. If you want to save the old logs to another location, go ahead and do so.

Note: Perform the following step only if you are designated as Host One.

2. If necessary, change to the directory where you installed Snort. Enter snort -d -e -v -iX -c \Snort\rules\myrule.rules -l \Snort\log to run Snort using the new ruleset.

Note: Perform the following step only if you are designated as Host Two.

3. Once Host One is running Snort, ping Host One by its IP address. Then, enter net send [ip_address] Here is my password

In this case, [ip_address] is the IP address of your partner’s computer.

Note: Perform the following step only if you are designated as Host One.

4. When you receive the message, click OK, and then stop Snort by pressing Ctrl+C.

Note: Due to space constraints, code appearing with the ⇒ character at the end of the line should appear on one line in Notepad.

Note: Perform the following step only if you are designated as Host Two.

5. If necessary, change to the directory where you installed Snort. Enter snort -d -e -v -iX -c \Snort\rules\myrule.rules -l \Snort\log to run Snort using the new ruleset.

Note: Perform the following step only if you are designated as Host One.

6. Once Host Two is running Snort, ping Host Two by its IP address. Then, enter net send [ip_address] Here is my password

In this case, [ip_address] is the IP address of your partner’s computer.

Note: Perform the following step only if you are designated as Host Two.

7. When you receive the message, click OK, and stop Snort by pressing Ctrl+C.

Note: Perform the following step on all student computers.

8. Examine the log files for the alerts and logs that were generated. Compare them to the ruleset and your scan from earlier. Then, close all open windows.

9. To look at the alert data that was generated, right-click the alert.ids file,open it with WordPad, and examine the alert.

More Rule Options

Up to this point, you have seen very simple rules, and while these are good for getting used to Snort, the example rules so far have been very limited. Snort can work with much more complex rulesets, and as you will see in the following section, the only limitation is your imagination and knowledge of your environment.

As discussed, the Snort rule is broken into two primary parts, the header and the options. Where the header details the IP, port number, direction, and so on, the options are where you can get very specific with the rule. There are many choices of what you can place in the options part of the rule, and for the context of this lesson, you will examine two of them: Metadata Options and Payload Detection Options.


Metadata Options

Metadata Options are where you detail characteristics about the rule. One example of a Metadata Option is the Message (msg), which you looked at previously in this lesson. Another example is the Snort Rule ID (sid). You could also define a reference URL for more information about the event. Here is a quick list of Metadata Options:

• “msg:”: This option is used to insert a message in human-readable language.

• “sid:”: This option is used to define the unique Snort Rule ID for the specific rule.

• “classtype:”: This option is used to classify the specific type of event.

• “priority:”: This option is used to define the priority level of the event.

• “reference:”: This option is used to define a reference URL for more information about the event.

• “rev:”: This option is used to define a revision number for the rule.

Classtypes

Classtype and priority level can go together, with the classification of an event being tied to a priority level. There are three default levels of priority (low, medium, and high), but you are able to define these further using the “priority:” option in your rule. The default priorities have a numeric value of 1 (high), 2 (medium), and 3 (low).

The Classtype is used to categorize events. There are many preconfigured classtypes, and these are assigned to one of the three default priority levels. The following table details some of the default classtypes.

Classtype                       Description                                                     Priority
attempted-admin                 Attempted administrator privilege gain.                         High
attempted-user                  Attempted user privilege gain.                                  High
shellcode-detect                Executable code was detected.                                   High
successful-admin                Successful administrator privilege gain.                        High
trojan-activity                 A network Trojan was detected.                                  High
web-application-attack          Web application attack.                                         High
attempted-recon                 Attempted information leak.                                     Medium
suspicious-login                An attempted login using a suspicious user name was detected.   Medium
successful-dos                  Denial-of-service attack.                                       Medium
unusual-client-port-connection  A network client was using an unusual port.                     Medium
icmp-activity                   Generic ICMP event.                                             Low
network-scan                    Detection of a network scan.                                    Low

Here is an example rule with the addition of these new options:

alert tcp $EXTERNAL_NET any -> 192.168.10.1 80 (msg:"Sample web access alert"; classtype:web-application-activity; reference:url,www.securitycertified.net; sid:10000023; rev:2;)


Walking through this rule from the beginning: This is an alert rule, looking at TCP as the protocol. It is designed to alert on traffic from the external network on any port to the machine at 192.168.10.1 on port 80. There is a simple message that states “Sample web access alert”, and the classtype has been defined as the built-in web-application-activity. As a reference for more information, a URL has been given, www.securitycertified.net, and this is the second revision to the rule, which has a Snort Rule ID of 10000023.

Rule Payload

The core of many IDSes is to examine the actual contents, or payload, of each packet. Snort can look inside the packet at the payload details to make a determination about that specific packet. There are many options for Snort here, and in this lesson, you will focus on a few specific options.

Content Keyword

In Snort, the Content keyword might be the most important of all the keywords. The Content keyword is how you define the specific content inside the packet’s payload that Snort should look at for rule matching. A critical issue to keep in mind when defining content is that the data can be either text or binary data. Your binary data is normally provided in bytecode format, and it is enclosed within the pipe ( | ) character. Bytecode is a way of representing binary data in hexadecimal format.

When you enter your content information, if you require the “:” character, such as in a URL, use instead the |3a| notation. Using the “:” character in content matching will cause problems because the “:” character is used after each keyword.

Other Keywords

The “nocase” keyword simply tells Snort to ignore case when looking into a packet. Nocase is a modifier, used after the content keyword.

The “depth” keyword tells Snort how far into a packet it should look to find the pattern, or content match. If you inserted a value of 5 here, then Snort would only look for the pattern within the first 5 bytes of the packet payload. Like nocase, the depth keyword is a modifier used after the content keyword.

The “offset” keyword tells Snort to ignore a defined number of bytes before looking into a packet. If you inserted a value of 5 here, then Snort would start to look for the pattern, or content match, after the first 5 bytes of packet payload. Offset is also a modifier and must be used after the content keyword.

Here is an example rule with the addition of these new options:

alert tcp $EXTERNAL_NET any -> 192.168.10.1 80 (msg:"Sample web access alert"; content:"http|3a|//www.securitycertified.net/test.cgi?id=r00t"; nocase; offset:2; classtype:web-application-activity; reference:url,www.securitycertified.net; sid:10000025; rev:2;)

This rule is the same as the previous example, with some additions. The first is the content keyword. This rule is looking for content that includes a URL with id=r00t in the payload. Note that the “:” character you would normally put in a URL has been replaced with the |3a| notation. You cannot use the “:” character inside the content keyword. This rule is skipping the case sensitivity and is ignoring the first 2 bytes of each payload. Lastly, as this is a different rule, there is a different sid assigned.
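The flags modifiers described earlier in this topic and the content, nocase, offset and depth modifiers described here, as one added example in Python (not the course's or Snort's own code): it decodes mixed text/|hex| content, applies each modifier to the content that precedes it, and checks constructed sample payloads and TCP flag values. The rule header is assumed to have matched already, and the sample payloads are constructed for the example.

```python
"""Evaluate Snort rule options (content, nocase, offset, depth, flags) against a packet.

Added example for this lesson, not Snort's own code or the course's. It assumes the
header has already matched and checks only the options in parentheses, with the
keyword semantics the text describes; mixed text/bytecode content such as
"http|3a|//..." is decoded as the lesson explains (hex between pipes).
"""
import re

TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}

# one option: keyword, optional ': value' (quoted or bare), terminated by ';'
OPT_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


def decode_content(spec):
    """'..|5C|..' -> b'..\\..': text outside the pipes, hex bytecode inside them."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced | in content: " + spec)
    out = bytearray()
    for i, chunk in enumerate(parts):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def parse_options(rule):
    """Return [(keyword, value_or_None), ...] from the part of the rule in parentheses."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for m in OPT_RE.finditer(body):
        key, val = m.group(1), m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]                      # drop the surrounding quotes
        opts.append((key, val))
    return opts


def flags_match(spec, pkt_flags):
    """Snort 2 syntax [!|*|+]<FSRPAU120>: exact match unless a modifier is given
    ('+' listed flags plus any others, '*' any of the listed, '!' none of the listed)."""
    spec = spec.strip().split(",")[0]            # an optional ',mask' part is not modelled
    mod = ""
    if spec and spec[0] in "+*!":
        mod, spec = spec[0], spec[1:]
    want = 0                                     # '0' alone means no flags set
    for c in spec:
        if c != "0":
            want |= TCP_FLAG_BITS[c]
    if mod == "+":
        return pkt_flags & want == want
    if mod == "*":
        return pkt_flags & want != 0
    if mod == "!":
        return pkt_flags & want == 0
    return pkt_flags == want


def content_groups(opts):
    """Attach each content to the modifiers that follow it (nocase, offset, depth)."""
    groups = []
    for key, val in opts:
        if key == "content":
            groups.append({"needle": decode_content(val), "nocase": False,
                           "offset": 0, "depth": None})
        elif key in ("nocase", "offset", "depth"):
            if not groups:
                raise ValueError(key + " must follow a content keyword")
            groups[-1][key] = True if key == "nocase" else int(val)
    return groups


def content_matches(group, payload):
    """Search payload[offset:offset+depth] (the whole tail if no depth) for the needle."""
    start = group["offset"]
    end = len(payload) if group["depth"] is None else start + group["depth"]
    hay, needle = payload[start:end], group["needle"]
    if group["nocase"]:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def options_match(rule, payload, tcp_flags=0):
    """True when every flags and content option of the rule matches the packet."""
    opts = parse_options(rule)
    if any(k == "flags" and not flags_match(v, tcp_flags) for k, v in opts):
        return False
    return all(content_matches(g, payload) for g in content_groups(opts))


if __name__ == "__main__":
    # constructed sample traffic, not captured data
    synfin = 'alert tcp any any -> 10.0.10.0/24 any (msg:"SYN-FIN scan detected"; flags:SF;)'
    print(options_match(synfin, b"", tcp_flags=0x03))               # True
    trav = 'alert tcp any any -> any 80 (msg:"traversal"; content:"..|5C|.."; nocase;)'
    print(options_match(trav, b"GET /scripts/..\\..\\winnt/system32/cmd.exe HTTP/1.0"))  # True
```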

Note: The content keyword matches either text or binary data.

Flow Control

The “flow” keyword gives you the flexibility to define packets with Snort in terms of their direction between the client and the server. This option works on TCP streams, and there are several choices for you, if you wish to use the flow keyword. The following list identifies the flow control options, with a brief comment about each option:

• to_client: This matches a server response to a client.

• to_server: This matches a request from a client to a server.

• from_client: This matches packets sent from the client. Similar function as the to_server option.

• from_server: This matches packets sent from the server. Similar function as the to_client option.

• only_stream: This matches only on reassembled stream packets.

• no_stream: This does not match reassembled stream packets.

• established: This matches on packets that are part of an established TCP connection.

• stateless: This matches packets regardless of state.

While there is no one correct way to write a Snort rule, there are some general guidelines that will make your writing more efficient and accurate. To start with, you want to be as precise as possible with your content matching. This will cut down on false matches and will cut down on the load on your system.

A second guideline is to create rules to match the vulnerability, not the specific exploit. Writing rules that look for matches to the vulnerability will allow your IDS to still match traffic, even if an attacker makes a modification to the exploit.

Pre-configured Rules

It is vital that you know how to create rules for Snort, but no one wants to build something from scratch when it is already available and you can get it with very little effort. The same thought applies for basic rules for Snort. The default Snort installation comes with a selection of IDS rules for you to pick through and use, and there are several more available for download at www.snort.org.

There are several options for you to choose from when you wish to receive Snort rules. If you need to have real-time rules, with the most current options available, you must become a subscriber to receive the Sourcefire VRT-certified rules. The Subscriber rules are the ones you need if you are looking to address security issues as they arise, often with a new rule available within days of a new vulnerability being introduced.

The second method to download pre-configured rules is to become a registered user at www.snort.org. Registered users are able to receive all the latest Snort rules, but the rules are available 30 days after they are made available to Sourcefire subscribers.

The third way to download pre-configured rules from Snort is as an unregistered user. Unregistered users are able to download the ruleset that is available with every major Snort release.


In addition to the rules that are available from Snort, there are rules available from www.bleedingsnort.com. The bleedingsnort.com rules are very current and are submitted from people all over the net. If you need absolute up-to-the-minute, experimental, and test rules, this is the location to find them.

In this lesson, you will work with Snort rules that are made available to everyone (unregistered) from www.snort.org.

TASK 8C-3: Examining Pre-configured Rules

1. Navigate to C:\Tools\Lesson8\Rules.

2. Copy all the .rules files to the C:\Snort\rules folder.

3. Navigate to the C:\Snort\rules folder.

4. Open the folder, and browse through the pre-configured rules. You will come back to these files in a moment.

Examine Denial of Service Rules

As you can see, there are many very detailed default rules for you to work with. One section of the pre-configured rules deals with Denial of Service attacks. Here is a sample rule from this file:

alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:3;)

Starting at the beginning of this rule, you can see that it is an alert, matching TCP as the protocol. Traffic from the external network on any port going to the internal network on port number 27665 is what Snort will be looking at. This rule is looking for an established TCP connection, with traffic going to the server. The content is listed as: betaalmostdone. Since this incident would be an attempt at denial of service, this rule appropriately is given the classtype of attempted-dos. It has a reference you can check in the Arachnids database, number 197 (Arachnids was an incident database; more current data is found on the CVE list), has been given a Snort rule ID of 233, and this is the third revision of the rule.


TASK 8C-4: Examining DDoS Rules

1. Navigate to the C:\Snort\rules folder.

2. Open the ddos.rules file with WordPad.

3. Based on these rules, what three ports does the DDoS tool Trin00 utilize?

UDP 31335, TCP 27665, and UDP 27444.

4. Based on these rules, what icmp_id numbers does the DDoS tool Stacheldraht utilize?

Icmp_ids: 666, 667, 668, 669, 1000, 6666, 6667.

Examine Backdoor Rules

Just as there are pre-configured rules for Distributed Denial of Service, there are extensive rules designed for matching backdoor attacks. These rules will generally be more complex than a DoS rule because the content matching often requires more information. Here is a sample rule from the backdoor.rules file:

alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:5;)

This rule is an alert looking for matches on the TCP protocol. In this case, it is traffic from your internal network on port 12345 or 12346 to the external network on any port. The NetBus server actually resides on the compromised host, in this case, inside your network. The traffic flow is from the server (compromised host), and it is an established connection. The content that is being looked for is NetBus. This alert is characterized as a misc-activity, has a Snort rule ID of 109, and is the fifth revision of the rule.

TASK 8C-5: Examining Backdoor Rules

1. Navigate to the C:\Snort\rules folder.

2. Open the backdoor.rules file with WordPad.


3. Based on this rule set, what service and port are the majority of the Linux rootkit attempts using?

Telnet, on port 23.

4. Is the second Subseven rule with SID 107 looking for an attempt to place a Trojan on a computer in your network or looking for evidence that a Trojan has already been placed on a computer in your network?

Looking for evidence that a Trojan is already in the network.

Examine Web Attack Rules

One of the fastest growing areas of attack is on web servers. Since these are exposed, they are often the targets of attacks from every skill level, from script-kiddies to more experienced attackers. Snort has many rules designed to look for web attacks. Here is one example rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; nocase; classtype:web-application-activity; sid:1372; rev:5;)

This rule is an alert, looking at TCP traffic from the external network on any port to your web servers on your web server ports. The web servers and web server ports are defined in your variables. The flow of this traffic is to the web server, and it would be an established connection. The attacker is looking for the /etc/shadow file on a Linux/UNIX system. Case sensitivity is not taken into consideration with this rule; it has been given a Snort Rule ID of 1372, and is the fifth revision to the rule. This specific rule is listing the classtype as web-application-activity, but you might want to cons

ider this potentially a recon event.

TASK 8C-6: Examining Web Attack Rules

1. Navigate to the C:\Snort\rules folder.

2. Open the web-attacks.rules file.

3. Which rule is watching for an attacker adding a user account to the administrators group?

SID 1357.

4. In SID 1335, an attacker would send the command /bin/kill. What operating system is the web server likely running?

Linux/UNIX.

5. Many of these rules contain the “%20” characters. What does this mean?

This means that the Snort rule is looking to match a “space” where the “%20” resides in the content portion of the rule.

If you have an older rule set, your web attack rules may vary.

Examine Web IIS Rules

As the Microsoft IIS Web Server grows in popularity, the attacks seem to grow exponentially. Because of this, there is a ruleset dedicated to rules for the IIS Server. Here is one example of an IIS Rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Directory transversal attempt"; flow:to_server,established; content:"..|5C|.."; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:10;)

This rule addresses a rather famous exploit where a person could simply put in the URL a line that would give them access to the computer. This is called the Directory Transversal Attack, where the attacker uses ../.. in the URL as part of the attack.

In this rule, the alert is acting on TCP traffic in the direction of the external network on any port towards the web servers on web server ports. The connection must be established and is in the direction towards the server. The key point in this rule is the content of “..|5C|..”. This would be a double-dot then a / then a double-dot to the server. Since the rule requires the ASCII conversion, the rule has the pipe symbol, 5C, then the pipe symbol, as / in ASCII is 5C. This is classified as a web attack, has a Snort ID of 974, and is the tenth revision of the rule.
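To make the rule anatomy of the last two sections concrete, here is a small Python parser and content matcher, added as an example (it is neither Snort's code nor the course's): it parses the header and options of the two rules quoted above, decodes the |hex| byte escapes inside content (|5C| is the byte 0x5C, the backslash), honours nocase, and tests each rule against constructed HTTP request payloads. It ignores flow:, references, and the http_inspect normalization a real Snort would apply.

```python
import re

# The two rules quoted in this lesson (from the Snort web-attacks and web-iis rule sets).
WEB_ATTACK_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-ATTACKS /etc/shadow access"; flow:to_server,established; '
    'content:"/etc/shadow"; nocase; classtype:web-application-activity; '
    'sid:1372; rev:5;)'
)
WEB_IIS_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-IIS Directory transversal attempt"; flow:to_server,established; '
    'content:"..|5C|.."; reference:bugtraq,2218; reference:cve,1999-0229; '
    'classtype:web-application-attack; sid:974; rev:10;)'
)

# Rule header layout: action proto src src_port direction dst dst_port (options)
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def split_options(body):
    """Split the option body on ';' while ignoring ';' inside quoted strings."""
    opts, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"' and not cur.endswith("\\"):
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    opts.append(cur.strip())
    return [o for o in opts if o]


def parse_rule(text):
    """Return the header fields plus an ordered (key, value) list of options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text[:40])
    fields = ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")
    rule = dict(zip(fields, m.groups()[:7]))
    rule["options"] = []
    for opt in split_options(m.group(8)):
        key, sep, val = opt.partition(":")
        # flag options such as nocase carry no ':' and therefore no value
        rule["options"].append((key.strip(), val.strip().strip('"') if sep else None))
    return rule


def option(rule, key):
    """First value of the named option, or None when the rule does not set it."""
    return next((v for k, v in rule["options"] if k == key), None)


def decode_content(value):
    """Content string to bytes: text outside |...| is literal, inside |...| is hex."""
    out, hexbuf, in_hex = bytearray(), "", False
    for ch in value:
        if ch == "|":
            if in_hex:
                out += bytes.fromhex(hexbuf)  # "5C" is byte 0x5C, the backslash
                hexbuf = ""
            in_hex = not in_hex
        elif in_hex:
            hexbuf += ch
        else:
            out += ch.encode("latin-1")
    return bytes(out)


def rule_matches(text, payload):
    """True when every content: pattern of the rule occurs in the payload bytes."""
    patterns = []  # [needle, nocase]
    for key, val in parse_rule(text)["options"]:
        if key == "content":
            patterns.append([decode_content(val), False])
        elif key == "nocase" and patterns:
            patterns[-1][1] = True  # nocase modifies the preceding content
    if not patterns:
        return False
    for needle, nocase in patterns:
        hay = payload.lower() if nocase else payload
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


if __name__ == "__main__":
    # Constructed HTTP request payloads, not traffic captured from any system.
    samples = [b"GET /cgi-bin/view.cgi?file=/ETC/SHADOW HTTP/1.0\r\n",
               b"GET /scripts/..\\..\\ HTTP/1.0\r\n", b"GET /index.html HTTP/1.0\r\n"]
    for text in (WEB_ATTACK_RULE, WEB_IIS_RULE):
        rule = parse_rule(text)
        print("sid %s: %s" % (option(rule, "sid"), option(rule, "msg")))
        for p in samples:
            print("  %-5s %r" % ("ALERT" if rule_matches(text, p) else "-", p))
```

Because content matching is byte-exact, the IIS rule fires on a request containing "..\.." but not on one containing "../../"; the two encodings need separate rules or preprocessor normalization.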

TASK 8C-7 Examining IIS Rules

1. Navigate to the C:\Snort\rules folder.

2. Open the web-iis.rules file with WordPad.

3. The Code Red exploit has .ida? in the payload. Which SID would you look up online for more information about the rule to match Code Red attacks?

SID 1243.

4. The Code Red II exploit attempted to use /root.exe and has a Snort Rule ID of 1256. If you wanted to learn more about this exploit, what URL would you use to find more information about Code Red?

www.cert.org/advisories/CA-2001-19.html

Topic 8D Configuring Snort to Use a Database

Snort Output Plug-ins

By now you can see that Snort will be able to generate large volumes of data in the form of alerts, logs, and so on. Reading this data on screen while Snort is running isn’t realistic, so you will need to use some means of reading the data that Snort collects.

Snort provides several output options through the use of output plug-ins. In this section, you will configure Snort to output information to a MySQL database. Snort is not limited to using a MySQL database; that is simply the choice for this lesson. You could output Snort to Oracle, SQL Server, any UNIX ODBC-compliant database, and so on.

In addition to sending logs and alerts to a database, you could instruct Snort to send this data to a remote logging server via Syslog. This is the command to output locally to a Syslog format: output alert_syslog: LOG_LOCAL2 LOG_ALERT. If you wish to send this data to a remote server, you will need to replace the local information with the remote server information.

Another option, if you desire, is to output directly in a binary format that tcpdump works well with. This is the command to output in tcpdump format: output log_tcpdump: snort.dump

In the snort.conf file, you will configure the type of output you wish to use. Remember, the output is detailed in the snort.conf file, not with a command-line switch. For this lesson, you will be configuring the system to output to a database. The following example shows what a basic entry for database logging would look like in the snort.conf file:

output database: log, mysql, user=username password=password dbname=snortdb host=localhost

Configure Snort to Use a Database

Since you are going to configure a MySQL database to accept data, you must inform Snort about the database and give it the information required to make the connection. In the following task, you will reconfigure the snort.conf file to include the output to the database.

TASK 8D-1 Editing Snort.Conf

1. Navigate to the C:\Snort\etc folder.

2. Open the Snort.conf file with WordPad.

3. Scroll down in the file to the Output database plug-in section.

4. Add the following line:

output database: log, mysql, user=snort password=snortpass dbname=snortdb1 host=localhost

5. Save and close the snort.conf file.

Installing MySQL for Snort

In order for Snort to utilize a database, you must build one. In this lesson you will work with the freely available and widely popular MySQL database. Keep in mind that Windows, Snort, and MySQL can take a lot of computing resources on a busy network, so a dedicated machine with a good processor and lots of memory would be a good base platform.

TASK 8D-2 Installing MySQL

1. Navigate to the C:\Tools\Lesson8 folder.

2. Double-click the mysql-essentials-5.0.27-win32.msi file.

3. In the Welcome screen, click Next.

4. Select the Custom radio button and click Next.

5. Click the Change button. You are going to install to a location you choose.

6. In the Folder Name text box, type C:\Snort\mysql and click OK, and then click Next.

7. Verify the install directory location and click Install.

8. Once MySQL is installed, select the Skip Sign-Up radio button and click Next.

9. Verify that the Configure MySQL Server Now check box is checked, and click Finish.

10. In the Welcome screen, click Next.

11. Select the Standard Configuration radio button, and click Next.

12. Check the Include BIN Directory In Windows PATH check box, and click Next. (Note: leave the box checked next to Install As Windows Service.)

13. In the Root Password and the Confirm text boxes, type and re-type sqlpass.

Do not check the box to Enable Root Access or Create An Anonymous Account, and then click Next.

14. To start the configuration, click Execute, and then click Finish to end the installation.

With MySQL now installed with the base configuration, you will need to create the actual database that Snort is going to work with. In the following task, you will use both the MySQL command line and the Snort command line. Snort comes with a script to build the database in MySQL, complete with the appropriate tables. This script was generated during the install of Snort. If you recall, you had the option to define the database/logging that you would use, and you selected the option that included support for MySQL.

TASK 8D-3 Creating the Snort Database

1. Navigate to the C:\Snort\schemas directory. Note the file create_mysql. This is the file you will use to build the database.

2. Choose Start→All Programs→MySQL→MySQL Server 5.0→MySQL Command Line Client.

3. Enter your MySQL root password. Note: This should be sqlpass from the previous task.

4. Enter create database snortdb1;

5. Enter show databases;

6. Verify that your two new databases are listed.

7. To switch to the new database, enter connect snortdb1;

8. To populate the database, enter source C:\Snort\schemas\create_mysql

9. To show the tables that were created during the execution of the previous script, enter show tables;

10. At the mysql> prompt, enter quit;

MySQL User Accounts

MySQL needs several user accounts for the full functionality of this lesson. You will need to configure the accounts so that MySQL will accept the data that Snort is sending, and so that later, if you were to use an analysis program such as BASE (which you will see later), you have the accounts needed to connect to the database and pull the required data.

TASK 8D-4 Creating MySQL User Accounts

1. Choose Start→All Programs→MySQL→MySQL Server 5.0→MySQL Command Line Client.

2. Enter your MySQL root password. Note: This should be sqlpass.

3. At the mysql> prompt, enter show databases;

4. Enter grant INSERT,SELECT,UPDATE on snortdb1.* to snort identified by 'snortpass';

5. Enter grant INSERT,SELECT,UPDATE on snortdb1.* to snort@localhost identified by 'snortpass';

6. Enter flush privileges;

7. Enter exit;

8. Navigate to the C:\Snort\mysql folder.

9. Right-click my.ini and open the file with WordPad.

10. Change the following line:

• Before:

sql-mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"

• After:

sql-mode="NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"

11. Save and close the my.ini file.

Snort to Database Connectivity

Now that you have a database installed and have configured Snort to communicate with the database, you need to test this connectivity. The following quick task is a simple loading of the snort.conf file to check to see if the connection to the database is functional. You do not want to go further in your configuration if you are unable to get the connection between MySQL and Snort to function.

TASK 8D-5 Testing the New Configuration

1. Open a command prompt.

2. Navigate to the C:\Snort\bin folder.

3. Enter snort -d -e -v -iX (remember to change X to use your network interface as before).

4. Watch to see that Snort is functional and is showing packets on screen. If you need to generate network traffic, ping a neighbor computer.

5. Press Ctrl+C to end Snort.

6. To see the full Snort system running, enter snort -d -e -v -iX -c C:\Snort\etc\snort.conf -l C:\Snort\log

7. Press Ctrl+C to stop Snort.

8. To see where Snort made the connection to the database, scroll back through the command output.

Snort as a Service

While it may work for you to manually start and stop Snort to perform the occasional packet capture, in a working environment, you will likely want Snort on all the time. One way to achieve this is to install Snort as a service in Windows. The following task will walk you through the steps of adding a service, and then verify that it starts automatically.

TASK 8D-6 Configuring Snort as a Service

1. Open a command prompt.

2. Navigate to the C:\Snort\bin folder.

3. At the C:\Snort\bin> prompt, enter snort /SERVICE /INSTALL -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii -iX (Remember to change X to use your network interface as before.)

You will receive a prompt that the SNORT_SERVICE has been successfully installed.

4. Close the command prompt.

5. Choose Start→Administrative Tools→Services.

6. In the right pane, scroll down to and double-click the Snort service.

If you receive a winpcap error, you can try using winpcap_3_1.exe.

7. In the Startup Type, change the setting from Manual to Automatic.

8. Click Apply.

9. To close the Snort Properties window, click OK. Do NOT click Start at this time.

10. Close the Services window.

11. To verify that the Snort service starts automatically, restart your server.

12. When the server restarts, log on as Administrator.

13. Right-click the taskbar and choose Task Manager.

14. Select the Processes tab, and verify that both Snort and mysql are started and running.

15. Select the Snort process, and note the amount of memory that is allocated to Snort. As you can see, Snort is a memory-intensive process.

16. Close the Task Manager.

Topic 8E Running an IDS on Linux

LAMP On SuSe

While this lesson, up to this point, has focused on the use of Snort, in order to make the system more functional, you will need a system in place to read, sort, and view all the data that Snort is able to collect. In the previous section you saw how to set up Snort to interact with a MySQL database, while running on a Windows system.

In this section, you will configure Linux with the background system to read the Snort data via a web browser. This requires the building of a LAMP server. LAMP stands for Linux, Apache, MySQL, and PHP (you may see the ‘P’ also refer to Python or Perl, but in this case it is PHP). In addition to the LAMP components, you will install nmap, a tool you will use later in the lesson to generate network scanning traffic.

In SuSe Linux 10, many of the components required to build the environment for Snort are available and ready for installation. Other components will require you to connect to the Internet to get the current version. In this lesson, the specific versions are detailed. Please keep in mind that in the event that you use a different version, it is possible, and even likely, that these steps will not work.

TASK 8E-1 Installing LAMP Components

1. Log in to your Linux server as root.

2. From the Computer menu, choose Install Software.

3. In the Software list, scroll down and check the following check boxes:

• lamp_server (i586)

• nmap (i586)

• php5-gd (i586)

• php5-mysql (i586)

• php5-mysqli (i586)

• php5-pear (i586)

• snort (i586)

• webalizer (i586)

4. Verify that you have checked these components, and click Install.

5. The additional packages that are required for these components to run properly are listed. Review the list to see how many “smaller” pieces are required, and then click Apply.

6. If you are prompted for the Novell media, insert the CD or DVD now, and click OK. Note: it may take several minutes to install these packages.

7. Once the files have been copied, you will see an Installation Was Successful prompt. Click Close.

8. Close the Software Installer.

Apache and PHP

One of the critical components you just installed was PHP. PHP is a server-side scripting language. PHP is used to provide dynamic web page content to end users, without the end users having any new software to install on their system. The end user will connect to the server with a web browser, and the PHP scripting on the server’s side will generate the response to deliver to the end user.

If you manually build your server, meaning if you install these components individually on their own rather than through the SuSe installer, you will need to configure Apache to use PHP. This is done by editing the httpd file and adding the line for your version of PHP. You would also need to edit the PHP configuration file. During the installation, a file called php.ini-dist will be installed, and you would rename this file to php.ini. In the php.ini file, you need to tell PHP where to find the PHP extensions and where to find a temporary directory. In this task, since you used the SuSe installer, these steps are taken care of and you will not need to manually configure the php.ini file.

In the following task, you will turn on your Apache server and verify that PHP is properly installed and running. If your server does not reply with the test screen, you must check your installation. Without a functional PHP and Apache Server, you will not be able to complete the tasks in this topic.

TASK 8E-2 Apache and PHP Test

1. From the Computer menu, choose YaST.

2. On the left side, click System, and then click System Services (Runlevel).

3. Scroll down and highlight apache2.

4. Click Enable, and if you see a pop-up message about dependencies, click Continue.

5. In the success pop-up, click OK.

6. To close the System Services window, click Finish.

7. To save the Runlevel changes, click Yes.

8. Close YaST.

9. From the Computer menu, choose Firefox.

10. In the address bar, enter http://localhost

11. If your server is running, you will get the message, “It works!” If not, carefully repeat the installation steps.

12. Close the browser, and navigate to the /srv/www/htdocs directory.

13. Inside /srv/www/htdocs, create a new document named info.php

14. Right-click this document and open it with Gedit.

15. Enter <?php phpinfo(); ?> and then save and close the file. (Note: If you made your file using the File Manager, you must right-click and edit the permissions so that the Others group has read access.)

16. Open the web browser.

17. In the address bar, enter http://localhost/info.php

18. You will see a screen that presents all the local PHP information. This summary screen details the PHP install on your system.

19. Close the Web Browser.

Enable Snort on Linux

Now that you have verified that your web server is running, and you have verified that PHP is enabled and functional for your server, you can move on to the next section. In this section, you will configure Snort and enable MySQL. Previously, you configured these on Windows, so the steps should be familiar to you. First, you will configure Snort, then you will enable both Snort and MySQL in YaST.

The steps to enable these services are critical. If you forget to enable both Snort and MySQL under System Services, you can expect to run into some errors later in the topic!

TASK 8E-3 Configure Snort on Linux

1. Open your file browser, and navigate to /etc/snort.

2. To open the file with Gedit, double-click snort.conf.

3. Edit these lines in your snort.conf file:

var HOME_NET 172.X.0.0/16 (replace the X based on your address in the network)
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
output database: log, mysql, user=snort password=snortpass dbname=snortdb1 host=localhost

4. Save and close the file.

5. From the Computer menu, choose YaST.

6. Click System, then click System Services (Runlevel).

7. Scroll down, highlight mysql, and click Enable. Click Continue To Enable The Dependencies, and then click OK.

8. Scroll down and highlight Snort, and click Enable. Note the message prompt, and click OK.

9. Click Finish, and then click Yes to save the changes to the run levels, and then close YaST.

Configuring MySQL on Linux

With the basic Snort configuration ready, next you must create the MySQL database for Snort to use. The script for building the database is included in Snort when Snort is compiled for use with a database. The default installation includes the scripts for a MySQL database.

Remember that when you work with MySQL, each of your commands ends with the “;” character. If your install is not done on the SuSe platform with the software installer, the location of your Snort files will likely be different. In this task, you will assign a password to the root account, create and assign a password to the snort account, and build the database.

TASK 8E-4 Configuring MySQL for Snort

1. Open a Terminal.

2. Enter the following commands (press Enter after each command):

mysql
SET PASSWORD FOR root@localhost=PASSWORD('rootpass');
create database snortdb1;
grant ALL on root.* to snortdb1@localhost;
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snortdb1.* to snort identified by 'snortpass';
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snortdb1.* to snort@localhost identified by 'snortpass';
exit
mysql -u root -prootpass
connect snortdb1;
source /usr/share/doc/packages/snort/schemas/create_mysql;
show databases;
use snortdb1;
show tables;

3. If you see the table, with 16 rows, you have successfully created the database and you can proceed. If not, please follow this task again carefully; every step must be exact.

4. At the mysql> prompt, enter exit

5. Close the Terminal window.

Connecting Snort to a Database

Now that you have configured Snort to connect to the database, and you have configured the database to accept the connections from Snort, you should test this configuration. You do not want to get too far into this configuration only to find an error from the beginning.

Note that in the tasks here, you are issuing the full command syntax in Snort to see the results on screen. In your production environment, you would most likely not include the option to see this information on screen, as you would have little use for it.

In this following task, you will run a test to confirm that Snort can connect to the database. If you do not make the connection to the database, you must stop here and go back through the tasks to find the error. Once connected, you will exit the Snort process. At this time, do not leave Snort running.

TASK 8E-5 Testing Snort Connectivity to the Database

1. Open a Terminal window.

2. Enter snort -d -e -v -c /etc/snort/snort.conf -l /var/log/snort

3. It may take a moment, but you should see Snort load and make the connection to the database. If you get an error message, verify that all the lines are correct in your snort.conf file and that your MySQL is configured properly.

4. Press Ctrl+Z to stop Snort. Scroll up to see where Snort made the connection to the database.

5. Once successful, close the Terminal window.

Installing ADOdb and BASE

Since you have configured several components up to this point, now is a good time to review. First, you installed and configured Apache to start up. You then configured PHP to work with the server, and verified that PHP is working with a simple test page. Next, you configured Snort for your system, and configured MySQL to work with Snort by creating the appropriate database. Lastly, you ran a connectivity test to ensure that Snort can connect to the MySQL database that you created.

With those pieces in place, you are ready to install what is called the Basic Analysis and Security Engine, or BASE for short. You use BASE through your web browser to analyze the data that Snort is sending to your MySQL database. The team at www.sourceforge.net describes BASE as follows: “BASE is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.” ACID was the original web front-end for Snort results and has evolved into BASE. ACID is still used by many organizations.

Another component you will need to download is called ADOdb. ADOdb is used by BASE with PHP to perform the actual queries of the Snort database. Since PHP’s database access abilities are not standardized, there needs to be some means of access, and this is where ADOdb comes into play.

You will need to download two more parts for this section to be operational. These files have already been downloaded and are on the SCNS Course CD; the task will simulate the location you may download files to on your local computer. If you download new files, be sure you use the exact file names in this task; if not, it is possible that your BASE console will not function as expected. Here are the locations for these two files:

• http://sourceforge.net/projects/adodb (this is where you can download ADOdb)

• http://sourceforge.net/projects/secureideas (this is where you can download BASE)

TASK 8E-6 Downloading ADOdb and BASE

1. Open a Terminal window.

2. Enter the following commands:

cd /
mkdir download
cd /download
ls
cd /Tools/Lesson8
ls
cp adodb493a.gz /download
cp base-1.2.7.tar.gz /download
cd /download
ls

With these two files downloaded, you are now ready to install them. The install steps are straightforward; however, there is one configuration file for BASE that you will need to configure. This file, called base_conf.php, needs to know where your adodb is installed and needs to know how to connect to the Snort database you made in MySQL. In the following task, you will install these two files and configure the BASE php file.

TASK 8E-7 Installing ADOdb and BASE

1. Open a Terminal window.

2. Enter the following commands:

cd /download
cp adodb493a.gz /srv/www
cd /srv/www
tar -xvzf adodb493a.gz
rm -rf adodb493a.gz
cd /download
cp base-1.2.7.tar.gz /srv/www/htdocs
cd /srv/www/htdocs
tar -xvzf base-1.2.7.tar.gz
rm -rf base-1.2.7.tar.gz
mv base-1.2.7 base
cd /srv/www/htdocs/base
cp base_conf.php.dist base_conf.php

3. Once you have created the new base_conf.php file by copying it, you can close the Terminal window.

4. In the file browser, navigate to /srv/www/htdocs/base and open base_conf.php with Gedit.

Be sure you type these commands exactly.

5. Edit the file so that the following changes take place:

• $BASE_urlpath = '/base';

• $Dblib_path = '/srv/www/adodb/';

• $alert_dbname = 'snortdb1';

• $alert_host = 'localhost';

• $alert_port = '';

• $alert_user = 'snort';

• $alert_password = 'snortpass';

6. Save and close the base_conf.php file.

7. Restart your server.

Configuring BASE

You have just about finished with the steps to getting your system operational. There is one last configuration that is required once the BASE console is running. In this last task, you will need to tell BASE how to set up the database. Once this last step is complete, your system will be ready to go.

TASK 8E-8 Configuring BASE

1. Open a web browser.

2. In the address bar, enter http://localhost/base/base_main.php

3. You will receive a message that the underlying database appears to be incomplete/invalid.

4. Click the Setup Page link.

5. On the next page, click the Create BASE AG button on the right side of the page. If you get a Security Warning, click Continue.

6. The required items will be successfully created. Click the Main Page link at the bottom of the page.

7. You are now at the default page of your new BASE console.

This next task is not a requirement specific to the BASE console, but it is required for remote access to your web server. Later in this lesson, you are going to generate some events through the web server. In order for a simulated attacker to be able to connect to your web server, it must be enabled for others to access. By default, the firewall in your installation does not allow this. In the following task, you will turn on the HTTP service through the firewall.

TASK 8E-9 Configuring the Firewall to Allow HTTP

1. From the Computer menu, choose YaST.

2. Click Security And Users, and then click Firewall.

3. On the left side, click Allowed Services.

4. From the Service To Allow drop-down list, select HTTP Server.

5. Click the Add button to the right of the drop-down list.

6. Click Next, and then click Accept.

7. Close YaST.

Generating Snort Events

At this time, you have configured Snort, MySQL, PHP, Apache, ADOdb, and BASE. However, you likely had no data in your BASE console when you loaded it because there were no events present to cause a trigger. In the following section, you will start Snort, your instructor will generate some simple events, and you will then view this data in your BASE console.

TASK 8E-10 Generating Portscan Snort Events

Setup: This task requires students to work in pairs.

1. Right-click the desktop and open a Terminal.

2. To start Snort, enter snort -d -e -v -c /etc/snort/snort.conf -l /var/log/snort

3. Keep the Snort window open.

4. Right-click the desktop and open a second Terminal.

5. Verify that your partner has Snort started.

6. In your second Terminal, replacing a.b.c.d with your partner’s IP address, enter

nmap -sS a.b.c.d --system-dns
nmap -sX a.b.c.d --system-dns
nmap -sN a.b.c.d --system-dns
nmap -sF a.b.c.d --system-dns
nmap -O a.b.c.d --system-dns

7. When your partner has finished running these nmap scans, close your nmap Terminal, and proceed to the next step.

8. In your Snort Terminal, press Ctrl+Z to stop Snort.

9. Open a web browser, and enter http://localhost/base/base_main.php inthe address bar.

10. Note that you will have new Portscan Traffic found (you may need to scroll down in your window to see this).

11. Scroll down in your browser, and click the Percentage link to the right of Portscan Traffic.

12. Here you can see the scans that were detected. Click any of the event IDs on the left side. These will likely start with #0, or something similar, on your system.

13. Review the details of this event.

14. Keep your Snort Terminal open, keep the BASE console open, and open a second web browser for the next task.

In the previous task, you generated simple Portscan traffic, which Snort reported and which you analyzed in your BASE console. In this next task, you will generate web attack traffic. These will be simple URL requests to your web server. You will start Snort in your Terminal window, then open a web browser and make several requests of your partner’s server. You will then view the results of these actions in your BASE console.

TASK 8E-11 Generating Web Snort Events

Setup: This task requires students to work in pairs. One student runs the Snort IDS, and the other an attacking Windows machine. It is suggested to go through the task twice, with students switching roles the second time through.

1. On the Linux Machine, running Snort, open your Snort Terminal, and enter snort -d -e -v -c /etc/snort/snort.conf -l /var/log/snort

2. On the Windows Server 2003 machine, verify that your partner hasstarted Snort.

3. Open a web browser, and connect to http://your.partner’s.ip.address.

4. Verify that you see the “It works!” default page. If you do not see this message, check that the HTTP service is allowed on the web server.

5. In the web browser, enter the following URL requests. Note: These will be unsuccessful, which is fine for this task:

• http://your.partner’s.ip.address/../../

• http://your.partner’s.ip.address/../../bin/sh

Steps 2 through 6 are to be done on the Windows Server 2003 machine.

6. Close the web browser.

7. On the Linux machine, running the Snort IDS, switch to your Snort Terminal, and press Ctrl+Z.

8. Open your BASE console.

9. Notice that you now have new alerts; this time they are TCP alerts.

10. Click the percentage next to TCP to analyze the alerts.

11. Answer the following questions:

What is the name of this signature?

(http_inspect) WEBROOT DIRECTORY TRAVERSAL

How can you learn more about this event through BASE?

Click the Snort link next to the name.

What flags were set on this event?

ACK and PSH.

12. Close all open windows.

You have now configured all the components of running a full-fledged Network Intrusion Detection System. The default configuration of Snort uses many different rulesets, which you can define in the snort.conf file. In your environment, you will need to craft rules for your specific requirements or use the predefined rulesets.

Summary

In this lesson, you identified that there are many different types of IDSes, and you implemented the world’s favorite free IDS—Snort. You used Snort as a network-based IDS tool that is designed to monitor TCP/IP networks, looking for suspicious traffic and direct network attacks. You learned that Snort enables system administrators to collect enough data to make informed decisions on the best course of action when an intrusion is detected. You then built a fully functional network IDS on Linux, including the BASE console for alert analysis.

Steps 7 through 12 are to be done on the Linux IDS machine.

If you have time, have your students turn on Snort again, and then you can generate some events, scanning, web events, etc. Ask your students to identify what you did by analyzing their BASE consoles.

Lesson Review

8A What protocols does Snort support?

TCP, UDP, IP, and ICMP.

What are the four primary parts of the Snort.conf file?

Variables, preprocessors, output plug-ins, and rulesets

8B What must be installed in Windows prior to installing snort?

LibPcap for Windows (also known as WinPcap).

8C How do you negate an option in Snort?

By using the exclamation point (!) symbol.

8D What Snort file must you edit in order to have Snort connect to a database?

Snort.conf

At the mysql prompt, what is the command to make a new database, called snortdb1?

create database snortdb1;

8E What scripting does Apache need to have configured in order for your BASE console to work?

PHP

What are the components of a LAMP server?

Linux, Apache, MySQL, and PHP


Securing Wireless Networks

Overview

In this lesson, you will learn to implement and secure a wireless network. You will examine the components of the network, and how to configure these components. You will detail the security options required for making wireless networks part of your trusted enterprise. You will perform wireless network analysis using leading wireless tools, and examine how to create a trusted wireless network.

Objectives

To secure a wireless network, you will:

9A Examine the fundamental issues of wireless networking.

You will identify and examine the equipment, media, and systems of wireless networking.

9B Describe the fundamentals of wireless local area networks.

You will describe how WLANs function, including the 802.11 framing options, the essentials of WLAN configurations, and the threats that exist to the WLAN.

9C Implement wireless security solutions.

You will implement WEP, SSID broadcast disabling, MAC address filtering, and WPA as security solutions to the wireless network.

9D Audit the wireless network.

You will use leading tools, such as OmniPeek Personal and NetStumbler, to audit a wireless network.

9E Describe the implementation of a wireless trusted network, a wireless PKI.

You will examine the components required to implement, and the procedure for implementing, a wireless trusted network.

Data Files: dotnetfx.exe, NetStumblerInstaller_0_4_0

Lesson Time: 8 hours

LESSON 9


Topic 9A: Wireless Networking Fundamentals

Not too long ago, the concept of a network inside an office that had no wires running to and from the client computers seemed a bit far-fetched. Perhaps in the future, many people said, but not for a while. Fast forward only a few short years, and you are in the future. Wireless networks are here now.

The idea now of a mobile workforce, able to move through an office, city, or country, and connect no matter where they are located, has become very desirable to many organizations. The enterprise network now must include options for users to move and have their connection stay with them.

In addition to the idea of a mobile workforce, other factors are pushing the implementation of wireless networks. New networks can be deployed faster, and often cheaper, if they are wireless versus wired. Buildings where running cable is cost prohibitive, such as offices across a street or city block, are finding wireless the best option. Companies that have chosen architectural buildings for their appearance may find those buildings marked as historical landmarks, and running cables may not be allowed. All of these reasons will make the option of a network without wires seem like the perfect solution.

But what may seem like a perfect solution has serious issues upon closer inspection. Even though the network experience may seem the same to end users, there are major differences between wireless networks and their wired counterparts. Where two computers communicating in a wired network have a single cable connecting each end point, there is no such cable for the wireless network.

It is this lack of cable that causes the problems. For most enterprises, not much of the security policy and effort will be spent on the physical medium. There may be systems in place to try to prevent cable splicing, or physical security systems that guard the cable. The wireless network cannot employ these systems.

Wireless Equipment

As you may expect, there are unique pieces of equipment used to run the wireless network. Although many of these pieces perform tasks similar to their wired counterparts, the wireless network equipment requires specific examination. The physical pieces used in the wireless network require careful placement because the location of the devices can affect the security and performance of the network.

Access Points

The centerpiece, literally, of the wireless network is the Wireless Access Point. The full acronym for this is WAP, but in the context of this lesson, the acronym AP (for access point) will be used. This is to eliminate confusion with the other wireless networking acronym of the same name, which is Wireless Application Protocol.

The function of the AP in the wireless network is similar to that of the switch in the wired network. Individual components of the network communicate to and from the AP in order to communicate with other network components. Each AP will have at least one, and usually two, antennas. By having multiple antennas, the AP is able to cancel out any duplicating radio waves that may reach the AP.


Figure 9-1: Linksys Wireless Access Point, model: WAP54G.

Wireless Network Cards (WNIC)

Just as a network card is required to connect to the cable in the wired network, a network card is required to connect to the wireless network media. These cards can be installed in desktop or laptop computers, or even embedded into appliances. The majority of newer laptop computers have built-in wireless network capability options as well.

Figure 9-2: Netgear wireless network card.

Antennas

Whereas the AP of the wireless network is similar to the switch in the wired network, and the network cards of both the wireless and wired networks have the same functionality, there is one component of the wireless network that is not found in the wired networks. This component is the antenna.

The antenna itself becomes an extension of the transmitter or receiver. When an access point transmits a signal, it is passed from the internal signal generation components to the antenna, then transmitted through the air to a receiving antenna, which pulls the signal into the device.

You can use an antenna that is designed, through its construction and aiming, to increase its ability to pull in a good signal. This increase is called the gain of the antenna. Although there are many subtypes of antennas, there are three common types of antennas used to increase the range of wireless networks. These are the yagi, parabolic, and omni-directional antennas.

The yagi antenna is one that is designed to be very directional. Yagi antennas may be enclosed in a tube, as shown in Figure 9-3, or they may be open, like the traditional over-the-air television antennas. Yagi antennas are perfect for direct point-to-point communication, such as a bridge connecting two offices.


Figure 9-3: A yagi antenna, manufactured by Telex Wireless.

The second common antenna is the parabolic antenna. This antenna is also a good choice for bridging two networks, and has a greater range than the yagi antenna. The parabolic dish antenna is able to create gains that can be twice that of the yagi antenna.

Figure 9-4: A parabolic dish antenna, manufactured by Telex Wireless.


The third common antenna is the omni-directional antenna. The omni-directional antenna is often used in conjunction with an AP to increase the local connection ability of the wireless network. This antenna type is usually mounted high above the group of end points that will communicate with the wireless network. The gain of the omni-directional antenna can approach that of some yagi antennas, but is quite a bit less than the gains of the parabolic antennas.

Figure 9-5: An omni-directional antenna, manufactured by Telex Wireless.

Association

A unique aspect of the wireless network is that nodes that are going to use an access point must first associate with an access point. In the wired network, the node is simply turned on and plugged into the cable; there is no association required for the local hub or switch. In the wireless network, the node must be turned on, and then associate with, or join, a wireless access point.

This process of association is accomplished by the wireless node knowing what its alphanumeric identifier is, and looking for an alphanumeric identifier that matches. The vast majority of network cards now include an option that scans the local radio waves and lists the possible networks that the WNIC can attempt to associate with. At first this is only an attempt to associate; the WNIC must be authenticated as well, and only then can association be successful.

Wireless Media

In the traditional network, the cable can be guarded and cable runs carefully controlled; in the wireless network there is no cable. This presents the problem of wireless security in a very general way. The problem is how to secure that which you cannot see, and cannot control.


Although the media cannot be seen, there are similarities between the wired and wireless networks. In both networks, a signal is sent from one computer to another computer, there must be a common method of communication, and there must be a common method of delivery and receipt.

In the wireless network, the media used to carry the signals from one wireless device to another can vary. In this course, you will examine the three wireless media: infrared, microwave, and radio waves. There are significant differences in these media, in how they work, and what they can do for your network.

Figure 9-6: The electromagnetic spectrum.


Infrared Wireless Media

Infrared wireless technology has been around for many years. The most common example of infrared technology is in electronic remote controls. The signals used for infrared are in the terahertz range, and this allows for solid communication. The infrared signal is pure light, usually electromagnetic waves or photons from a small section of the electromagnetic spectrum.

Infrared is a simple wireless technology that uses pulses of light. If a binary one is required, the light is on; if a binary zero is required, the light is off. An emitter on one device (normally an LED) sends the light, and a detector receives the light signal and reproduces the correct signal (either the one or the zero). The two common methods of wireless infrared communication are line-of-sight and diffused (also called broadcast).

Line-of-sight (sometimes called point-to-point) requires the emitter and detector to be directly in line with each other. If any object passes between the two points, no matter how briefly, the line-of-sight is broken and the transmission will be interrupted. Due to this, any networking service that requires a high degree of reliability will likely not use this implementation.

Infrared is most often used today to network devices such as digital cameras, scanners, PDAs, and other devices to computers. These types of devices can be held in close proximity to one another, so the odds of an object getting between the emitter and detector are very low.

From a security perspective, infrared line-of-sight is an acceptable choice. This is because the single beam between the two end points must be constant. There is no sniffing option, as the light beam is direct and focused. It is possible to split the beam, but that would require physical access to the beam between the two end points.

The beam splitter is often a prism, normally designed as a right-angle triangle, with a mirror on a 45-degree surface. The beam goes through the prism, and a small amount of the signal is reflected to a third point. This third point can then put the signal back together. Note that the splitter must be physically placed in the beam, so any enterprise with adequate physical security should prevent this type of sniffing.

Figure 9-7: A beam splitter.


Although the prism is the most common form of beam splitter, there are also beam splitters that are simple mirrors with a high degree of translucency. The mirror is placed at an angle in the stream, and functions just as the prism does.

Just as the line-of-sight beam cannot be sniffed, the infrared signal cannot penetrate walls; therefore, the infrared transmission cannot be listened in on from a neighboring room or outside office. Another strong point for infrared line-of-sight is that outside interference is minimal; other radio waves will have no noticeable effect on the signal.

The security advantages of infrared wireless are offset by the limitations of infrared. Infrared cannot provide any mobility to the devices, and the pure line-of-sight issue causes too much disruption in most office settings.

Closely related to local line-of-sight infrared networks are laser communications. Laser communications work by using a powerful directed beam between two points, with the unique difference being that the distances covered are much greater. Laser line-of-sight transmissions can cover miles, as long as the direct and uninterrupted line-of-sight is clear and available.

Diffused infrared technologies overcome some of the limitations of line-of-sight communication. In the broadcast network, there are still two end points, the emitter and detector. However, the emitter does not send the signal directly to the detector. Instead, the signal is sent out to the network, and can bounce off walls and other objects in the room. The detector receives the signal and processes the information just as if it were line-of-sight.

A big difference between line-of-sight and diffused infrared is speed. Because the signal has to travel farther and bounce off surfaces, it is a weaker signal when the receiving node detects the transmission. A second difference is that because the signal is broadcast, end points other than the intended recipient are able to receive the transmission.

These issues combine to limit most use of infrared in wireless networking to small local devices. As more and more people use small devices, you can expect infrared technology to remain a part of wireless networking for some time.

Microwave Wireless Media

Whereas infrared wireless networking serves individual devices, such as PDA communication to a PC, it is usually not used to build the network infrastructure. One of the technologies that is used for this purpose is microwave technology.

Microwave wireless networks allow for two end points to be placed far apart from one another. The connection is still made between two end points, one sending and one receiving node. There are two main types of microwave systems used in wireless networking: terrestrial and satellite.

Terrestrial microwave systems usually use a directional antenna to send and receive network transmissions directly from one to another. These systems are designed to be direct line-of-sight, although they can use relay towers to extend the range or to move the signal around obstacles. Weather can have an effect on these signals, although not to the degree that weather has on infrared.

Depending on the laws in your area, you may need to get a license to operate a microwave transmitter. There are usually strengths and frequencies that do not require licensing. Even though it may not be required, you may wish to pursue licensing so you can protect the frequency for that area, and prevent others from using the same frequency.


Satellite Microwave

When you have extreme distance to cover, the only choice is satellite. Satellites are the equivalent of the transmitter and receiver stationed high in the sky. By placing the transmitter and receiver higher, more ground can be covered by the same point. This allows an enterprise with one office in New York to have a single hop to a second office in London.

Figure 9-8: Example of satellite microwave networking.

There are multiple orbits a satellite might take around the Earth. Geostationary orbits (GEOs) are those that circle Earth directly above the equator. A benefit of gravity and orbiting is that once at a specific point, the geostationary satellite will achieve a fixed position. This position is approximately 22,200 miles (or 36,000 km) above the Earth’s surface. Being placed at such an altitude, the satellite will be able to cover about one-third of the Earth’s surface. You could, therefore, place three satellites 120 degrees apart and cover the entire planet, except for the extreme northern and southern latitudes. Today there are hundreds of GEOs in the sky above you.

There is also an orbital pattern called the Highly Elliptical Orbit (HEO). These orbits do not circle the Earth around the equator. Instead, these satellites orbit in an oval-shaped pattern. The oval is not equal around the Earth; instead the satellite will pass close to the Earth (at its closest point, called the perigee of the orbit), and will then move farther away from Earth (at its farthest point, called the apogee of the orbit).


Finally, there are Low Earth Orbits (LEOs). These orbits are between 124 and 15,900 miles above the Earth’s surface (between 200 and 25,589 km). Most of the satellites in this range are at the low end, from 124 to 1,490 miles (200 to 2,400 km). These satellites can move very fast, and can be visible with the naked eye standing on Earth. A satellite in LEO may be able to circle the entire Earth in 90 minutes. LEOs are not restricted to equatorial orbits.

TASK 9A-1: Examining Satellite Orbits

1. Open Internet Explorer, and connect to http://science.nasa.gov/Realtime/JTrack/3D/JTrack3D.html

2. In the dialog box asking you to perform an install, click No. Wait a moment; the JTrack satellite applet will open and load satellite data.

3. Maximize the applet.

4. Once the applet loads, press Ctrl and click the mouse (Ctrl-click) to move the Earth back and see the orbital path of the GEOs. Examine the distance to the GEO orbits in relation to the size of the Earth.

5. Click any small white dot to see the orbital path of the satellite.

6. Click the mouse in the applet and drag to rotate the Earth, and notice that the GEOs are all lined up in a similar pattern.

7. Ctrl-click until the Earth is small in the applet.

8. Click a white dot that seems farther away from Earth, and not in the same circle pattern as the GEOs.

9. Try to find Chandra, AO-40, and Integral. Examine the orbital patterns of these HEO satellites.

10. Shift-click to move in towards Earth until the continents are clearly visible.

11. Click any white dot that is near Earth, and examine the orbital patterns of these LEO satellites.

12. Shift-click until the Earth fills the applet window.

13. Choose Options→Update Rate→1⁄4 Second.

14. Choose Options→Timing→Real-time.

15. Note the movement of the satellites in LEO.

16. Choose Options→Timing→X100.

17. Note the movements of the LEO satellites at 100 times real-time speed.


18. When you have finished examining the orbital patterns of the satellites, close the JTrack3D applet and close Internet Explorer.

19. What type of satellite orbit, the LEO or the GEO, will introduce the largest delay in packet transmission?

The GEOs produce the highest delay in packet transmission. You may be able to get high speeds, but the distance alone dictates that there will be considerable delay in the network packet transmission.

Radio Wireless Media

Although infrared and satellite communications have their place in the wireless world, the emphasis today in regards to security is on radio waves. This is because the vast majority of wireless network communications take place on radio waves. Although people often think of the analogy of water waves, this is not quite accurate. Radio waves do not require a physical surface, as the water wave does. Rather, the radio waves ride on an electromagnetic (EM) wave, referred to as the EM field. Waves in the electromagnetic spectrum move at the speed of light, or 186,000 miles per second. There is similarity with the water wave in dissipation, however.

If you throw a rock into water, a wave starts in a circular pattern and radiates out from where the rock entered the water. The circular waves get smaller, or dissipate, as they get farther away from the source. Radio waves are similar. They are broadcast from a source, and radiate out away from the source. The farther away from the source, the weaker the signal becomes, until it cannot be located.

In the water, waves reflect off of surfaces, and can even bounce back onto another wave. This can happen with radio waves as well. If two waves collide at the right time, with both waves at their peak, the end result is that the waves are added (called in phase), resulting in a bigger wave. If two waves collide at the right time, with one wave at a peak and one wave at a trough (called out of phase), the end result is that the waves cancel each other out.

Reflecting waves can cause problems for wireless networks; therefore, the device manufacturers have addressed this issue. One problem is that a signal can be broadcast and, due to bouncing off surfaces, will reach the access point multiple times and at different times. These bouncing waves cause interference, and in wireless networking this is called multipath interference. By using multiple antennas on the access point, the access point is able to compensate for the reception of multipath interference.

Another form of interference that wireless networks must deal with is RF interference in the EM field. Devices such as cordless phones and microwave ovens produce signals in the EM field that are used by the wireless network. Devices in the 900 MHz and 2.4 GHz ranges are in the Industry, Science, & Medical (ISM) band, while devices in the 5 GHz range are in the Unregulated National Information Infrastructure (U-NII) band. The technology used to minimize the effect of these other devices is called spread spectrum technology.

Spread Spectrum

Spread spectrum technology allows for bandwidth to be shared by multiple devices, so your microwave and wireless network are not going to battle over the exact same frequency at the exact same time. Spread spectrum works by splitting the information over multiple channels of communication. By splitting the information over different channels, if a person is sniffing one specific channel, they will not get useful information from that channel, only tiny pieces of larger transmissions. There are two primary methods of spread spectrum used in wireless networks: Frequency Hopping Spread Spectrum (FHSS), and Direct Sequence Spread Spectrum (DSSS).

Frequency Hopping Spread Spectrum (FHSS)

During World War II, the emphasis on secure communications and transmissions was extremely high. Hedy Lamarr and George Antheil came up with the idea of FHSS to keep enemies from jamming radios. The idea was to use a range of frequencies, and to send (or burst) a short amount of information on one frequency, then switch to another frequency, send (burst) some information, then switch frequencies again and send another burst of information, and so on.

Figure 9-9: Multiple signal bursts sent as an example of FHSS.

During FHSS, the time that is spent on any one frequency is called the dwell time, and the amount of time that it takes to move from one frequency to another is called the hop time. A device using FHSS will transmit on the designated frequency and then move to the next frequency using the pre-defined sequence. Once the device reaches the last frequency, the device loops to the first frequency and starts the process over again. The sequence of frequency hopping creates a single channel.

Direct Sequence Spread Spectrum (DSSS)

The DSSS system works differently from FHSS. Instead of hopping from one frequency for a burst, and then another, DSSS transmits on multiple frequencies together. These multiple frequencies are grouped together and called a band. Instead of sending the raw data, DSSS performs an XOR calculation on the data at transmission.


Figure 9-10: The XOR process of DSSS communications.

The added data used in the XOR process is called the chipping code. By adding these codes, the original data is spread out, which increases the likelihood that the data will be received properly. The number of bits (chips) in the chipping code compared to the raw data is referred to as the spread ratio; a higher spread ratio means a higher chance of successful communication. The 802.11 specifications dictate that there are to be 11 chipping bits per raw data bit. Due to factors such as the use of multiple frequencies and the inclusion of the chipping code, DSSS is able to achieve higher rates of transmission than FHSS.

You should not think of either FHSS or DSSS as better than the other. Instead, you should realize that they are used for different functions. FHSS generally costs less to build, is used for devices that require shorter transmission distances, and has a lower overall speed. DSSS generally costs more to build, is used in devices that require greater transmission distances, and offers greater speed. From an administrative viewpoint, you may never deal directly with spread spectrum issues; they are more in the realm of the product manufacturer.
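The following is an added illustration of both spread spectrum methods described above, not code from the course: the FHSS part runs a burst schedule over a constructed 8-channel hop sequence (the dwell and hop times are constructed too) and compares how much a receiver parked on one channel hears with a peer that follows the sequence; the DSSS part spreads data bits with the 11-chip Barker sequence that 802.11 DSSS actually uses and shows the majority-vote recovery surviving up to 5 corrupted chips per bit, with the constructed noise and data bits labelled as such.

```python
"""Spread spectrum walkthrough: FHSS hop schedule and DSSS chipping.

Added example for this lesson, not the course's own code. The hop
sequence, dwell/hop times, data bits and noise are constructed; only
the 11-chip Barker sequence is the real 802.11 DSSS chipping code.
"""
import random

# ---------------------------------------------------------------- FHSS
HOP_SEQUENCE = [3, 7, 1, 5, 0, 6, 2, 4]   # constructed 8-channel sequence
DWELL_MS = 20                              # dwell time on one frequency
HOP_MS = 2                                 # hop time needed to retune


def channel_at(t_ms, sequence=HOP_SEQUENCE, dwell=DWELL_MS, hop=HOP_MS):
    """Channel in use at time t_ms, or None while the radio is retuning.

    After the last frequency the device loops back to the first, so the
    whole hop sequence behaves as one logical channel.
    """
    slot = dwell + hop
    if t_ms % slot >= dwell:
        return None
    return sequence[(t_ms // slot) % len(sequence)]


def fraction_heard(listener, n_bursts, sequence=HOP_SEQUENCE,
                   dwell=DWELL_MS, hop=HOP_MS):
    """Share of the first n_bursts that a receiver hears.

    `listener(t_ms)` gives the channel the receiver is tuned to at that
    moment: a constant for a receiver that does not know the sequence,
    or channel_at itself for a peer that follows the schedule.
    """
    heard = 0
    for burst in range(n_bursts):
        t = burst * (dwell + hop)           # one burst per dwell period
        if channel_at(t, sequence, dwell, hop) == listener(t):
            heard += 1
    return heard / n_bursts


# ---------------------------------------------------------------- DSSS
# 802.11 Barker sequence, +1 written as 1 and -1 as 0.
BARKER_11 = [1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0]


def spread(bits, code=BARKER_11):
    """XOR every data bit with the chipping code: 1 bit -> len(code) chips."""
    return [chip ^ bit for bit in bits for chip in code]


def despread(chips, code=BARKER_11):
    """Recover data bits from chips by majority vote against the code.

    With no errors, chip ^ code is all 0 (data 0) or all 1 (data 1); the
    vote still decides correctly with up to len(code) // 2 flipped chips.
    """
    n = len(code)
    bits = []
    for i in range(0, len(chips), n):
        ones = sum(c ^ k for c, k in zip(chips[i:i + n], code))
        bits.append(1 if ones > n // 2 else 0)
    return bits


def corrupt(chips, errors_per_bit, code_len=len(BARKER_11), seed=1):
    """Flip errors_per_bit chips inside every chip group (constructed noise)."""
    rng = random.Random(seed)
    out = list(chips)
    for i in range(0, len(out), code_len):
        for pos in rng.sample(range(code_len), errors_per_bit):
            out[i + pos] ^= 1
    return out


def spread_ratio(bits, code=BARKER_11):
    """Chips sent per raw data bit; 11 for 802.11 DSSS."""
    return len(spread(bits, code)) // len(bits)


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed data bits
    print("FHSS, parked on channel 3 :", fraction_heard(lambda t: 3, 16))
    print("FHSS, follows the sequence:", fraction_heard(channel_at, 16))
    print("DSSS spread ratio         :", spread_ratio(data))
    print("DSSS 5 bad chips per bit  :", despread(corrupt(spread(data), 5)) == data)
    print("DSSS 6 bad chips per bit  :", despread(corrupt(spread(data), 6)) == data)
```

Both the hop sequences and the Barker code are published in the 802.11 standard, so any receiver that implements the standard hears everything; spread spectrum is a reliability and coexistence mechanism, and confidentiality has to come from the encryption options covered later in this lesson.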

Bluetooth

Although it is the most common technology for wireless networking, 802.11 is not the only wireless standard. Another common standard is Bluetooth. Bluetooth devices are generally FHSS devices, and are used in close proximity to one another.

Bluetooth has found a market in device-to-device communications, such as PDA to computer, computer to printer, automobile to phone headset, and so on. Bluetooth functions in the 2.4 GHz range, and has low-speed bandwidth when compared to 802.11 standards, especially 802.11g. For these reasons, Bluetooth is not designed to be directly competitive with 802.11, but rather a complementary technology used for different purposes.

Short Message Service

As devices continue to become smaller, and as people expect to be able to do more with their devices, new technologies are required. In wireless networking, one of these technologies is called the Short Message Service (SMS).


SMS is used to send and receive short (up to 160 characters) text-only messages on devices like cell phones, pagers, and PDAs. This technology uses a store-and-forward system, which means that if the intended recipient is not available, the message can be stored for later transmission.

Nearly all providers of cellular services offer support for SMS today, and security problems exist here just as they do with all other forms of wireless communication. Although SMS security is out of the scope of this course, here are a few examples of SMS security issues:

• A Norwegian company found that a specific message sent via SMS to certain cell phones would freeze the phones, with the only solution being to remove the batteries.

• A virus called Timofon.A sends short SMS messages to random numbers. By itself, this is not a true virus, as users have to run a VBS script, but it hints at the potential.

• SMS Bombers are being built to flood networks with messages.

IEEE 802.11

All forms of networking that have any success are built upon standards, and wireless networking is no different. The primary standard in the world of wireless networking is the 802.11 standard. The 802 LAN standards committee was created in 1980 by the Institute of Electrical and Electronic Engineers (IEEE), and in 1990 the committee created the 802.11 working group to discuss and define issues surrounding wireless networking.

In 1997, the 802.11 working group finalized their first standard. The IEEE 802.11 standard was to address the Media Access Control (MAC) and Physical (PHY) Layers of network communication. 802.11 described three specific types of transmissions to take place at the PHY Layer:

• Diffused Infrared, utilizing infrared transmissions.

• Direct Sequence Spread Spectrum (DSSS), utilizing radio transmissions.

• Frequency Hopping Spread Spectrum (FHSS), utilizing radio transmissions.

The 802.11 working group quickly found that the project was growing at such a rate that the number of issues to discuss kept growing. The solution to this problem was to create subgroups to handle each issue independently. These groups have each been assigned a letter, appended to the 802.11 name. Several of these groups have produced standards that are used in the industry today, others are on the horizon, and others still will become obsolete.

802.11a

In 1999, IEEE approved the 802.11a standard, calling it High-speed Physical Layer in the 5 GHz Band. This standard utilizes Coded Orthogonal Frequency Multiplexing (COFM), and supports multiple data transmission rates. Supported rates are 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. Two 802.11a devices will connect using the fastest data rate (based on things like distance between nodes and signal strength), with a maximum rate of 54 Mbps. Work on this standard is considered complete.


802.11b

Also published in 1999, but slightly ahead of 802.11a, was the IEEE-approved 802.11b standard, called Higher-speed Layer Extensions in the 2.4 GHz Band. This standard utilizes High-Rate Direct Sequence Spread Spectrum (HR-DSSS), and supports multiple transmission rates. Supported rates are 1, 2, 5, and 11 Mbps. Work on this standard is considered complete.

802.11c

The 802.11c working group was developed to manage MAC bridging operations. This type of standard is used by developers of hardware. The 802.11c working group on its own is complete, with continued discussion on this subject folded into the 802.11d working group.

802.11d

As wireless networking came on the scene, and the 802.11 standard was available, there were only a few economies (such as the United States, Europe, and Japan) that had regulations on the use of the radio waves. In order for wireless networking to become global, standards would be required that comply with regulation of transmissions in various countries. The 802.11d working group is focused on the international regulations for the use of wireless networking.

802.11e

An important issue in all of networking is Quality of Service (QoS). By ensuring high QoS, transmitting other types of information, such as audio and video, can be accomplished through a wireless network. The 802.11e group is working on standards to prioritize network traffic through the wireless network, to improve QoS. 802.11e addresses the MAC layer, and as such it will be compatible with all 802.11 PHY networks.

802.11f

The development of the original 802.11 standard did not address the communications between individual access points. This was done to provide for the maximum flexibility in an enterprise implementing various vendors’ products. This causes difficulty, though, when there are many different types of vendor equipment in the network that may have different methods of communicating.

802.11f is working to define the standards of communication between access points so that roaming wireless clients do not experience network problems, or have communications cut off. It is suggested that until this standard is complete, and all vendors comply, you should use a single vendor to provide your wireless infrastructure.

802.11g
A problem that developed during the initial standards process was that 802.11a and 802.11b did not communicate. So, although the ability to add the higher bandwidth of 802.11a was appealing to some, the lack of interoperability discouraged others. 802.11g provides the standards to provide higher speed, while being able to interoperate with other wireless networks. 802.11g utilizes OFDM to manage communications, provides for transmission rates of up to 54 Mbps, and operates in the 2.4 GHz range.

Lesson 9: Securing Wireless Networks 461

Page 504: SCNS - Tactical Perimeter Defense

802.11h
Specific European regulatory issues are discussed in the 802.11h working group. In Europe, there is a strong possibility that 802.11a devices, which operate in the 5 GHz range, will interfere with satellite communications, which are designated as primary use. Many European countries label wireless networking as secondary use.

802.11i
There are serious security issues associated with Wired Equivalent Privacy (WEP). The 802.11i working group was designed to address these issues. The result of the group's efforts is a stronger security standard, including all the options that exist in Wi-Fi Protected Access (WPA), and adding the use of the Advanced Encryption Standard (AES). Some, including the Wi-Fi Alliance, refer to 802.11i as WPA2.

802.11n
With the ever-growing demands on wireless networks, speed is always an issue. The 802.11n working group develops enhancements to wireless networking technologies to achieve a higher throughput. Speed estimates put this standard at a 200+ Mbps rate. Through the use of multiple antennas, some vendors are claiming speeds into the 400+ Mbps range.

Wireless Application Protocol
The Wireless Application Protocol (WAP), detailed at the WAP Forum (www.wapforum.org), is a specification that is open and utilized globally. Handheld devices, such as mobile phones, pagers, and PDAs, can interact with networks, such as the Internet, through WAP. It is compatible with many wireless networking technologies, including Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), and Global System for Mobile Communications (GSM).

Since WAP is a protocol and application environment, it has the ability to be built into any operating system that is designed to use it. It is currently used in operating systems such as Windows CE, PalmOS, JavaOS, and OS/9.

Mobile devices work by using WAP microbrowsers that are built into the device. These are similar to the full-scale Internet browsers, such as Netscape and Internet Explorer, only scaled down to the minimum requirements. Many mobile devices can communicate via HTML and/or XML, but there is a language specifically for the wireless devices. That language is called Wireless Markup Language (WML). WML is based on XML, and web content accessed via WML will have the .wml extension, similar to the .html extension of web pages.

The programming of WML looks very similar to that of HTML or XML. There are in fact XML tags in WML pages. The following code example shows what two WML cards look like in a WML deck (the XML declaration and the WML DOCTYPE that a microbrowser or gateway expects at the top of a deck are included so the deck is complete):

Web pages written in WML are called decks, and decks are constructed using cards.

<?xml version="1.0"?>
<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.1//EN" "http://www.wapforum.org/DTD/wml_1.1.xml">
<wml>
<card id="no1" title="Card 1"><p>Hello World!</p></card>
<card id="no2" title="Card 2"><p>This is the second card text!</p></card>
</wml>

As of this writing, there were an estimated 855 million worldwide GSM users, 162 million CDMA users, and 124 million TDMA users.

WAP itself, like all specifications, has gone through several versions since it was first introduced. WAP v1.0 was introduced in April 1998, WAP v1.1 in June 1999, WAP v1.2 in November 1999, and WAP v2.0 in the summer of 2001. The 1.0 version of WAP used a WAP gateway, often a separate computer, to act as the literal gateway between the WAP client and the web server hosting the files.

Figure 9-11: The original WAP architecture.

In the original WAP architecture, protocol conversion was required at the WAP gateway. This is due to the WAP devices not speaking the language of the Internet. With WAP v2.0 devices, the gateway protocol conversion is not required. This is because devices running the WAP v2.0 stack are able to utilize TCP/IP, and speak through a proxy to the Internet.


Figure 9-12: The two common stacks of WAP.

TASK 9A-2
Choosing a Wireless Media

1. You have been contracted to design the wireless network for your new client. This client has three offices, all within the same two-block radius. They are three independent offices, each in a multistory building, which do not require frequent resource access to any of the other offices. The only authorized communications that can be sent from one office to another are email or other approved instant messages.

There are some slight obstructions, such as trees, that prevent perfect line-of-sight between all three buildings. You have asked the client, and have been informed that removal of the trees is not permitted.

Based on this information, which media type will you recommend to the client, and why?

You will recommend using radio waves as the media, by configuring the networks to use radio waves and a directional antenna, such as a yagi, to increase the strength and range. The radio wave option should provide the client with an inexpensive solution.


Topic 9B
Wireless LAN (WLAN) Fundamentals
WLANs are built upon the 802.11 standards and are designed to operate similarly to their wired counterparts, running the 802.3 (Ethernet) standard. One difference (other than the lack of those pesky wires!) is that 802.11 networks use Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA), whereas the 802.3 networks use Carrier Sense Multiple Access/Collision Detection (CSMA/CD).

In the CSMA/CD networks, the nodes listen to the wire to see if it is clear to transmit. Since the 802.11 nodes are not on a single physical medium like the 802.3 networks, CSMA/CD will not work. Instead, the WLANs use CSMA/CA, where each node sends a short broadcast preceding each transmission.

The Access Points
The AP in the network is what the end nodes will be communicating with in the network. Placement of the AP can have a significant effect on the overall speed and transmission in the WLAN. If the AP is placed near a source of high EMI, then the network will be negatively affected. Likewise, the height of the AP may have an effect.

For many network administrators, the AP placement is a process of trial and error. First, decide on the placement as best you can by analyzing the layout, trying to avoid anything that will cause interference. After the AP is placed, run bandwidth tests from various locations where the end nodes will likely be located. Then, move the AP to a different location, perhaps moving it higher on the wall, and run the bandwidth tests again. After you have run a group of tests, you will know the optimal placement for your unique situation.

SSID
Wireless networks have a component called the Service Set Identifier, or SSID. The SSID is a 32-character unique identifier that gets attached to the header of WLAN packets. The SSID is designed to identify individual WLANs, so that devices connect to the proper WLAN.

This is a value that should be configured upon setting up security on a WLAN. The default SSIDs of many manufacturers are well known, and changing this value to one that is not well known is one of your initial steps in your WLAN security.

Access Points are configured, usually by default, to broadcast their SSID in what are called beacon frames. This function allows authorized users to find their proper WLAN easily, but also informs any attacker of the name of the WLAN segment. The beacon frames are broadcast in plaintext; there is no encryption of these transmissions. Most WLAN analyzing software will listen for SSID beacon frames and report that information back, making the location of the networks simple. If your network will allow for it, you should turn off the SSID beacon frame broadcast.


Association
A unique aspect of the wireless network is that nodes that are going to use an access point must first associate with an access point. In the wired network, the node is simply turned on and plugged into the cable; there is no association required for the local hub or switch. In the wireless network, the node must be turned on, and then associate with, or join, a wireless access point.

This process of association is accomplished by the wireless node knowing what its SSID value is, and looking for an SSID value that matches its known value. The vast majority of network cards now include an option that scans the local radio waves and lists the possible networks that the WNIC can attempt to associate with. This is only an attempt to associate; the WNIC must be authenticated as well before association can be successful.

Authentication
One step in the WLAN client being able to use the WLAN is association, but that may not be enough. The second step that may be required in the network is authentication. Authentication can happen in one of two general methods, as per the IEEE 802.11 specification: open system authentication and shared-key authentication.

Open system authentication is simply when there is no encryption and all communication is done in clear text. The WLAN client can authenticate in the open system without having to know any key information. In the shared-key authentication system, a key is required, and the key system must be used on both ends of the communication, meaning both the AP and the WLAN client must be using the same system.

WLAN Topologies
When building your WLAN, you have two major types of networks to build. You can build a WLAN in either ad-hoc mode or in infrastructure mode. Neither of these topologies is right or wrong; they just have different functions.

Ad-hoc Mode
The ad-hoc network is perhaps the fastest WLAN to build. No APs are required for the ad-hoc mode WLAN. In this case, you install and configure the wireless network card on multiple end nodes, and they all have the ability to interact directly with any other node. This is a true peer-to-peer network with no single point in control.

Association is the process of a WLAN client associating with an AP in the WLAN.


Figure 9-13: An example of an ad-hoc WLAN configuration.

When you group several end nodes together in the ad-hoc mode, those nodes create what is called an Independent Basic Service Set (IBSS). These nodes are grouped together by all using the same SSID.

Infrastructure Mode
Although the ad-hoc mode may be the fastest for you to set up, it is not likely the mode you will use in a production environment. In the enterprise, you are much more likely to use the infrastructure mode. In the infrastructure mode, your network clients are configured with the SSID of an AP. All the clients who are going to be grouped together have the same SSID. The AP then acts as the central point in the network.

The request of each node is received by the AP, and then transmitted to the network. If you have a single AP that does not overlap with any other WLAN segments, then you have created a Basic Service Set (BSS). You can create an Extended Service Set (ESS) by grouping BSSs to form a single subnetwork.

Just about all APs that are made today have at least one Ethernet port on them, allowing you to seamlessly connect your wired clients into your wireless network. You will usually connect the Ethernet port of the AP to a hub, switch, or other network connecting device.


Figure 9-14: An example of an infrastructure mode WLAN configuration.

Lesson Configuration
There is quite a bit of hardware used in this lesson. For the tasks and screenshots, there were multiple WNICs and APs used, and both ad-hoc and infrastructure mode will be used. For this lesson, there are two configured clients, one Linksys WPC54G and one Netgear WPN824, used in laptop computers.

Prepare for the Ad-hoc Network
The first network type you will configure is an ad-hoc network. This will allow for a small network to be established in a very short amount of time. This first network will not have security running, and can be viewed as a guide of the steps required to get an ad-hoc network operational. In this first task, you will configure the Linksys 54G card, which can run 802.11b and 802.11g.

Note: as most of the machines you will configure wireless networking upon will be clients, these tasks have been written using laptops running Windows XP. For the SCP certifications, questions about the wireless networks are based on the wireless tools and techniques shown here, not on the built-in Windows wireless networking solution.


TASK 9B-1
Installing the Linksys WPC54G WNIC

Setup: This task is performed on the first Windows XP laptop.

1. Log on to Windows XP Professional.

2. Insert the Linksys WPC54G setup CD-ROM into the CD-ROM drive. If the setup program does not autorun, navigate to the CD, and double-click the Setup.exe file.

3. In the Linksys Welcome screen, click the Click Here To Start button.

4. Read the License Agreement, and click Next. The setup files will now be installed to your computer.

5. When prompted, insert the WNIC into the computer, then click Next.

6. The Linksys Available Wireless Network screen will open. Click the Manual Setup button to create a profile.

7. Select the Specify Network Settings radio button:

• In the IP Address text box, type: 10.0.10.30

• In the Subnet Mask text box, type: 255.255.255.0

• In the Default Gateway text box, type: 10.0.10.1

8. Leave the DNS text boxes blank, and click Next.

9. Select the Ad-Hoc Mode radio button.


10. In the SSID text box, type Ad_Hoc_1, and click Next.

11. In the Channel drop-down list, select Channel 3, and click Next.

12. In the Security drop-down list, select Disabled, and click Next. (You will add security features later in the lesson.)

13. Confirm your settings are correct, and click Save.


14. Verify your IP Address settings via Windows Networking. Note, on some systems the Linksys configuration tool will not configure the Windows IP settings. In this case, you will be required to manually configure the WNIC: IP 10.0.10.30/24, DG 10.0.10.1.

15. Leave the screen open, as you will return to it shortly.

Configure the Second WNIC
For the ad-hoc network to function, you need at least two WNICs to communicate with each other. Now that you have installed and configured one single node in the network, you need to configure a second node. Once both are configured properly, the ad-hoc network can begin.

TASK 9B-2
Installing the Netgear WPN511

Setup: This task is performed on the second Windows XP laptop.

1. Log on to Windows XP Professional.

2. Insert the Netgear WPN511 CD-ROM into the CD-ROM drive. If the setup program does not autorun, navigate to the CD, and double-click the autorun.exe file.

3. In the Netgear SmartWizard screen, click the Install Software button.

4. In the Welcome screen, click Next.

5. Read the License Agreement, and click Accept.

6. Accept the default Destination Folder, and click Next. The setup files will now be copied to your computer.

7. Once the software installation is complete, click Next. The setup files will finish their installation.

8. Insert your Netgear WPN511 card into your computer, and click Next.

9. In the Country drop-down list, select your country, and click Agree.


10. Keep the default selection to use the Netgear Smart Wizard for your wireless connection, and click Next.

11. Select the No, I Want To Configure It Myself radio button, and click Next.

12. Choose Start→All Programs→Netgear WPN511 Smart Wizard→Netgear Smart Wizard. The tool to configure the Netgear WNIC will open.

13. In the Network Name text box, type Ad_Hoc_1.

14. In the Network Type section, select the Computer-to-Computer (Ad Hoc) radio button.

15. Click the Initiate Ad Hoc button.


16. From the Channel drop-down list, select Channel 3 and click OK.

17. Click the Apply button.

18. Open the Windows Network Connections window, right-click the newly installed Netgear WNIC, and choose Properties.

19. Select Internet Protocol (TCP/IP), and click Properties.

20. Select the Use The Following IP Address radio button.

21. Enter the following configuration: IP 10.0.10.31, SM 255.255.255.0, DG 10.0.10.1. Click OK, click Close, and close the Network Connections window.

22. In the Netgear WPN511 Smart Wizard window, select the Networks tab.

23. Select the Ad_Hoc_1 network, and click the Connect button. (If no network is listed, click the Find a Network button.)


24. Click the Apply button. You will be connected to the Ad_Hoc_1 network from this computer.

25. Leave the Wireless Network Connection window open for subsequent tasks.

Enable the Ad-Hoc Network
Now that you have both WNICs installed and the Netgear card is connected to the ad-hoc network, you need to simply connect the "other" side of the network. In the following task, you will connect the Linksys WNIC, thus enabling the ad-hoc network.

TASK 9B-3
Enabling the Ad-Hoc Network

1. Verify that you are at the computer with the Linksys WNIC installed.

2. In the Site Survey screen of the Linksys Network Monitor Tool, click the Refresh button. You should now see the Ad_Hoc_1 network available.

3. Select the Ad_Hoc_1 network, and click Connect.


4. Once connected, you will see that you have successfully joined the ad-hoc network.

5. Click the More Information button to see the details of this connection.

6. If you wish, open a command prompt and perform a ping test from one computer to the other to confirm the wireless network is functional.


802.11 Framing
Although you will likely never directly work with the design or physical architecture of any wireless network device, you do need a strong understanding of how the 802.11 network functions in order to implement solid networks. At first glance, it seems that the 802.11 network functions in the exact same way as the Ethernet networks. Upon further investigation you will notice that, although the appearance is the same, the 802.11 network has very real differences from the Ethernet network.

The Ethernet network framing is essentially to take the data, add a preamble, add the required addressing information, such as IP, and add an integrity check (or Frame Check Sequence) on the end. The wireless network, however, must add more information than that. In the 802.11 network there are multiple frame types. The three 802.11 frame types are: data frames, control frames, and management frames.

The data frames are the frames that you will see on the network the most; these carry the actual data from one node to another. The control frames are for functions like carrier-sensing (like modems) and acknowledgement. The management frames are what a node uses to join (or associate) and to leave (or disassociate) an access point.

Frame Format
The first thing you will notice when looking at the 802.11 frame is that the MAC uses four address fields. Not every 802.11 frame will use all four fields, and the values that are assigned to the different address fields can actually change based on the type of MAC frame that is being transmitted.

Figure 9-15: The format of an 802.11 MAC frame.

Frame Details
Every 802.11 frame begins with a two-byte frame control field that is divided into several different subfields. One of the subfields is the protocol version. The protocol version subfield is a two-bit value, which indicates what version of the 802.11 MAC is found in the frame. Currently, there is only one supported version of the 802.11 MAC, and that has been given a protocol ID of 0.

An in-depth discussion of the 802.11 framing format is beyond the scope of this course.


Figure 9-16: The frame control of the 802.11 frame, expanded showing its internal contents.

The second subfield is the type. This indicates the type of subtype to follow. If this is set to 00, then management frames are to follow. If this is set to 01, then control frames are to follow, and if this is set to 10, then data frames are to follow. The third subfield is called the subtype, which is related to the type field just discussed. This subfield is a four-bit value, which indicates the subtype of the frame. Management subtypes are identified in the following table.

Management Subtype Value    Subtype Name
0000                        Association request
0001                        Association response
0010                        Reassociation request
0011                        Reassociation response
0100                        Probe request
0101                        Probe response
1000                        Beacon
1001                        Announcement traffic indication message
1010                        Disassociation
1011                        Authentication
1100                        Deauthentication

Using the table as reference, you can identify two common subtypes: the association request (0000), and the beacon (1000). Another subfield is the WEP field. When this is set to 1, WEP is in use, and when this is set to 0, WEP is not in use.

The Beacon Subtype Value is 1000.


By now you have noticed that there are multiple entries for addresses in the frame format. The 802.11 frame can use up to four address fields, generally numbered one through four. Address field one is the receiver, address field two is the transmitter (or sender), address field three is used for filtering, and address field four is optional.

The sequence control field is used for multiple purposes. It uses 4 bits to manage fragmentation and 12 bits to manage sequence numbers. If a higher-level packet needs to be fragmented, the sequence number will be constant for all the fragments, but the 4-bit fragment number will increase by 1 for every new fragment.

The data field is where the upper layer payload goes for transmission. This field has a maximum payload value of 2304 bytes of data, and has a maximum size of 2312 bytes. The additional 8 bytes are to allow for the extra information required by WEP, which must be supported.

Finally, there is a frame check sequence (FCS) field. This is similar to the FCS in Ethernet and other networking systems. The FCS allows for an integrity check on the frame, but there is a difference in the wireless network. The difference in the 802.11 format is that there is no negative ACK if a frame fails the FCS. Instead, the nodes must wait for an ACK timeout before they retransmit.

802.11 Addressing
As you saw earlier, there are four address fields in the frame, not all of which have to be used in each transmission. Before you can make a connection between an address and an address field, you need to be aware that there are multiple types of addresses in the 802.11 wireless networks. These addresses can be given the DA, RA, SA, and TA acronyms. Their definitions are as follows:

• Destination Address (DA): This is the MAC address of the node that is to ultimately process the frame.

• Receiving Address (RA): This is the MAC address of the node that will receive the frame. Note, this does not have to match the DA.

• Source Address (SA): This is the MAC address of the node that created the frame.

• Transmitting Address (TA): This is the MAC address of the node that transmitted the frame. Note, this does not have to match the SA.

The address fields will change based on the frame format. For example, the third field can hold the SSID address, the DA, or the SA, based on the frame. Where there is consistency is in the field that holds the transmitting address; this is address field two. Address field one is designed for the recipient of the frame, which, you must note, does not mean the final destination of the frame, only the recipient of the current frame.

When the network is in infrastructure mode, the address used is the SSID address. This is not the same as the SSID that has been manually assigned to the network, such as the default Linksys. The interface on the physical AP requires a MAC address, just as any other interface does. In infrastructure mode, the SSID address is the MAC address of the AP that is participating in the infrastructure network.

The SSID used in the MAC address field is not the same as the manually entered SSID value.


One reason that there are multiple options here for the addressing is that there are multiple methods for establishing a wireless network. For example, in the most straightforward network, all the nodes simply talk directly to one another; this is the ad-hoc network. Another network could be where all the end nodes communicate only with the Access Point. Finally, you could link two (or more) wireless networks together, with the Access Point of each one functioning as a bridge to the other network.

Figure 9-17 identifies the addresses that would be assigned to each of the four address fields, and the DS settings, based on the function.

Figure 9-17: The settings of the address fields, based on the frame function.

From this figure, you can identify that the most basic addressing is in ad-hoc mode, where the frame has a simple DA and SA. This is the closest to the traditional Ethernet network that most network professionals are familiar with. Of note in this table are the configurations of the ToDS and FromDS bits. DS is the Distribution System, for example the Ethernet network that is connected to the wired side of an AP.

If both the ToDS and FromDS bits are set to 0, then the frame is on an ad-hoc network. When the ToDS is 1 and the FromDS is 0, this indicates a frame that is transmitted from a node to an infrastructure network. Conversely, when the ToDS is 0 and the FromDS is 1, this indicates a frame that is received for a node in an infrastructure network. Finally, when both the ToDS and FromDS are set to 1, then the frame is on a wireless bridge, from one wireless network to another.

When the ToDS and FromDS are both set to zero, the frames are for a network running in ad-hoc mode.


Figure 9-18: The addressing of two nodes in an ad-hoc network.

When two nodes are communicating in ad-hoc mode, the addressing is clear-cut. The SSID is identified in the third address field, and the receiver and transmitter addresses are entered. This is the most straightforward of all the addressing options.

Figure 9-19: The addressing of two nodes and one AP in an infrastructure network.

In this second example (an infrastructure network), the addressing becomes more complex. When the two end nodes initiate their communication, the ToDS bit is set to 1 and the FromDS bit is set to 0, which indicates a frame sent to an infrastructure network. Address field one is the receiving address (RA), which is the SSID, and address field two is the source address (SA). In this case the node that originated the frame is the SA; this is because the frame is sent to the network, not directly to the end node. Notice that address field three is used; in this case it holds the destination address of the frame. The destination address is for the node that is to ultimately process the frame.

As the frames are moved from the AP to the respective end nodes, you can see that the ToDS bit is now set to 0 and the FromDS bit is now set to 1. This indicates the frame is intended for an end node, coming from the infrastructure network. Address field one now contains the address for the actual intended node that will process the frame. Address field two contains the SSID, where the frame was transmitted from, and address field three contains the source address, where the frame originated.

Figure 9-20: The addressing of frames in a wireless bridge network.

In the final addressing example, you have two APs in wireless bridge mode that are connecting two wireless networks. In this example, you have frames that are of different functions in the network. The node that started the transmission sends a frame that is in infrastructure mode to the AP, with the final destination address in the third address field. When the frame gets to the AP, the network is in bridge mode between the two points, and the ToDS and FromDS are now both 1s. It is at this time that all the address fields are used, and it is here that the distinction between transmitting and sending addresses, and between receiving and destination addresses, is clear.

At the AP, with MACs 2345 and 3456, the frame has a receiving address of 4567, the MAC on the other side of the bridge. The final destination address is 6789; this is how the addressing makes the difference between a point receiving the frame, and the end node that is to finally process the frame. Also at the AP, the frame has a sending address of 1234, as that is where the frame originated, but the transmitting address is 3456, the AP that is sending the frame to the next access point.

When the frame is received at the second AP, the frame is then formatted as a frame in infrastructure mode, with the ToDS set to 0 and the FromDS set to 1. This frame is then sent to the node that will process the frame, and the series of frames is complete. In the event that a response to the original sender is required, the same process will happen, only in reverse.

In infrastructure mode, when a frame is sent to the AP, address field one contains the SSID address.

In infrastructure mode, when a frame is sent from the AP, address field one contains the destination address.
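The frame control subfields from the Frame Details section and the ToDS/FromDS address rules from the 802.11 Addressing section can be checked against real bytes. The following decoder is an added example written for this page, not course material. It splits the two-byte frame control into protocol version, type, subtype, ToDS, FromDS and WEP bits, labels the address fields as RA/TA/DA/SA/BSSID from the DS bits (the course calls the BSSID the "SSID address"), splits the sequence control field into its 4-bit fragment and 12-bit sequence numbers, and pulls the SSID out of a beacon body, which is what a WLAN analyzer does when it reports networks. The two sample frames are constructed; the lesson's short MAC labels (1234, 3456, 4567, 6789) are padded out to full six-byte addresses, and the beacon carries the SSID SCP_1 used later in the lesson.

```python
"""Decode 802.11 MAC header fields: frame control, DS bits, the four address
fields, sequence control, and the SSID element of a beacon.
Added example for this page; sample frames below are constructed."""

TYPE_NAMES = {0b00: "management", 0b01: "control", 0b10: "data"}

# Management subtypes, four-bit value -> name, as given in the lesson's table.
MGMT_SUBTYPES = {
    0b0000: "Association request", 0b0001: "Association response",
    0b0010: "Reassociation request", 0b0011: "Reassociation response",
    0b0100: "Probe request", 0b0101: "Probe response",
    0b1000: "Beacon", 0b1001: "Announcement traffic indication message",
    0b1010: "Disassociation", 0b1011: "Authentication",
    0b1100: "Deauthentication",
}


def parse_frame_control(fc: int) -> dict:
    """Split the 16-bit frame control (read little-endian from bytes 0-1)."""
    frame_type = (fc >> 2) & 0b11
    subtype = (fc >> 4) & 0b1111
    return {
        "protocol_version": fc & 0b11,            # only version 0 exists
        "type": TYPE_NAMES.get(frame_type, "reserved"),
        "subtype": subtype,
        "subtype_name": MGMT_SUBTYPES.get(subtype) if frame_type == 0 else None,
        "to_ds": (fc >> 8) & 1,
        "from_ds": (fc >> 9) & 1,
        "retry": (fc >> 11) & 1,
        "wep": (fc >> 14) & 1,                    # 1 = WEP (protected frame) in use
    }


def label_addresses(to_ds, from_ds, a1, a2, a3, a4=None) -> dict:
    """Name the address fields from the DS bits. The lesson calls the BSSID
    the 'SSID address'; it is the MAC address of the AP."""
    if not to_ds and not from_ds:       # ad-hoc: field three holds the BSSID
        return {"RA": a1, "DA": a1, "TA": a2, "SA": a2, "BSSID": a3}
    if to_ds and not from_ds:           # node -> infrastructure network
        return {"RA": a1, "BSSID": a1, "TA": a2, "SA": a2, "DA": a3}
    if not to_ds and from_ds:           # infrastructure network -> node
        return {"RA": a1, "DA": a1, "TA": a2, "BSSID": a2, "SA": a3}
    return {"RA": a1, "TA": a2, "DA": a3, "SA": a4}   # wireless bridge (WDS)


def parse_header(frame: bytes) -> dict:
    """Parse a management or data frame header (control frames are shorter
    and are rejected here)."""
    info = parse_frame_control(int.from_bytes(frame[0:2], "little"))
    if info["type"] not in ("management", "data"):
        raise ValueError("only management and data frames are handled")
    info["duration"] = int.from_bytes(frame[2:4], "little")
    a1, a2, a3 = (_mac(frame[i:i + 6]) for i in (4, 10, 16))
    seq_ctrl = int.from_bytes(frame[22:24], "little")
    info["fragment_number"] = seq_ctrl & 0xF      # low 4 bits
    info["sequence_number"] = seq_ctrl >> 4       # high 12 bits
    a4 = _mac(frame[24:30]) if info["to_ds"] and info["from_ds"] else None
    info["addresses"] = label_addresses(info["to_ds"], info["from_ds"], a1, a2, a3, a4)
    return info


def beacon_ssid(frame: bytes):
    """Return the SSID element of a beacon ('' when the AP has SSID broadcast
    turned off), or None if the frame is not a beacon."""
    if parse_header(frame)["subtype_name"] != "Beacon":
        return None
    body = frame[24 + 12:]      # skip timestamp(8), interval(2), capability(2)
    while len(body) >= 2:       # tagged parameters: id, length, value
        tag, length = body[0], body[1]
        if tag == 0:
            return body[2:2 + length].decode("ascii", "replace")
        body = body[2 + length:]
    return None


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(short: str) -> bytes:
    # Constructed: pad a short label like "1234" to a six-byte address.
    return bytes.fromhex(short.rjust(12, "0"))


# Constructed sample 1: beacon from an AP (type 00, subtype 1000), no DS bits,
# sequence number 21, carrying the SSID SCP_1.
BEACON = (bytes([0x80, 0x00, 0x00, 0x00]) + b"\xff" * 6
          + _mac_bytes("2345") * 2 + bytes([0x50, 0x01])
          + bytes(8) + bytes([0x64, 0x00, 0x01, 0x00]) + bytes([0x00, 0x05]) + b"SCP_1")

# Constructed sample 2: data frame on the wireless bridge of Figure 9-20
# (ToDS=1, FromDS=1, WEP bit set, all four addresses, fragment 2 of seq 10).
BRIDGE = (bytes([0x08, 0x43, 0x2c, 0x00]) + _mac_bytes("4567") + _mac_bytes("3456")
          + _mac_bytes("6789") + _mac_bytes("1234") + bytes([0xa2, 0x00]))

if __name__ == "__main__":
    print(parse_header(BEACON), beacon_ssid(BEACON))
    print(parse_header(BRIDGE)["addresses"])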


Access Point Configuration
In order for the network to evolve from an ad-hoc to an infrastructure network, you need at least one AP. In this section, you will walk through the steps required to configure an AP with basic settings. At this time, the goal is to create a simple infrastructure network, running with one single AP, without WEP or any other advanced configuration.

Most APs will have one of two methods of connecting and performing the initial configuration. One of the methods is to connect a USB cable from the AP to a computer that will run the configuration. A second method is to connect via a network protocol, with the AP connected using a Cat5 cable rather than a USB cable. This second method, of connecting through the network, generally through a web browser, is becoming very common.

In this task, the steps for installing and configuring the first AP are shown. This lesson has two different APs installed, and you will walk through the steps of installing each AP. The Linksys AP requires a connection through the 192.168.1.0/24 network, so you must configure your computer to this network for the initial communication.

TASK 9B-4
Installing the Linksys WAP54G Access Point

1. Log on to Windows 2003 Server as Administrator.

2. Open the Properties of your LAN adapter.

3. Select TCP/IP, and click Properties.

4. Enter the following IP Addressing information:

• IP Address: 192.168.1.145

• Subnet Mask: 255.255.255.0

• Default Gateway: This may be left blank

5. Click OK twice, and then click Close.

6. Physically locate the WAP54G access point where you want it in the room. If possible, this should be a high point in the room, and not near any source of EMI.

7. Insert the Linksys CD-ROM into the CD-ROM drive. If the setup program does not autorun, navigate to the CD, and double-click the Setup.exe file.

8. In the Welcome screen, click the Click Here To Start button.

9. Plug in the WAP54G power cord and plug in the supplied network cable, then click Next.

10. Connect the WAP54G to the network, and click Next.

11. Connect the WAP54G to an outlet, and click Next.


12. Verify all three LEDs are lit on the front panel, and click Next.

13. Note the status of the new AP, including the default IP Address, and click Yes.

14. Type the default password of admin and click Enter. For ease of running the course, you will leave the default password in place. In a production environment, you would use a strong password here.

15. In the IP Address text box, type 10.0.10.1

16. In the Subnet Mask text box, type 255.255.255.0


17. Leave the Default Gateway text box empty. Once you have entered this information, click Next.

18. In the Configure Wireless Settings window, click the Enter Wireless Setting Manually button.

19. In the SSID text box, type SCP_1

20. Leave the Channel drop-down list on Channel 6.

21. In the Network Mode drop-down list, select G-only, then click Next.


22. At this time, you are not configuring Security options; select the Disable radio button, and click Next.

23. Confirm your settings, and click Yes.

24. Click Exit to close the Access Point configuration tool.

Configure the Infrastructure Clients
Once the AP is configured and running in the network, there need to be clients connected to make the infrastructure network functional. In this section, you will reconfigure the client computers to associate with the AP, establishing the infrastructure network. It is assumed that the initial installation of the clients has been completed, and in these tasks, you will move directly to the client configuration.

TASK 9B-5
Configuring the Linksys Client

1. Log on to the computer with the Linksys WPC54G installed.

2. In the Windows system tray, right-click the Linksys WPC54G monitor icon, and choose Open The Monitor.


3. Click the Site Survey tab. You will now see the new AP that has recently been configured.

4. Click the Profiles tab.

5. Click the New option. Type SCP-1 in the text box, and click OK.

6. Select the SCP-1 network, and click Connect.

7. Once you are connected in Infrastructure Mode, click the More Information button to see the details of the connection.


Adding Infrastructure Network Clients
To make your network more functional, you will need other clients. You currently have one AP and one infrastructure client. In the following task, you will configure the second wireless networking client.

TASK 9B-6
Configuring the Netgear Client

1. Log on to the computer with the Netgear WPN511 installed.

2. In the Windows system tray, click the Netgear WPN511 Smart Wizard icon.

3. Click the Networks tab, and highlight the SCP-1 network by clicking on it.

4. Click the Connect button. The adapter will now connect to the SCP-1 network.


5. To make the changes to the adapter’s configuration, click the Apply button. You are now connected in Infrastructure mode.

6. If you wish, open a command prompt and perform a ping test from one computer to the other, and to the access point itself, to confirm the wireless network is functional.

WLAN Threats
The threats facing the WLAN are similar to those facing the LAN, with some variation due to the open medium of the wireless network. The techniques used to counter the threats will be discussed later in this lesson. You will start with some of the passive threats.

Eavesdropping and Analysis
One threat that is very prevalent in the WLAN is that of passive eavesdropping and analysis. Passive eavesdropping is the easiest of all the threats to the WLAN. A person with a laptop and a wireless network card in promiscuous mode can simply sit outside of the physical boundary of your network and receive packets. The attacker does not need to attempt to connect to the network at this time, only listen.

By receiving packets, a skilled attacker can then analyze the network traffic. This may lead to the attacker learning protocol information and operating system information. Attackers can increase the range from which they can receive a signal by using specialized antennas. These antennas can pull in signals from well outside the range of the normal WLAN client. Attackers do not need to buy expensive antennas for this; there are reports of people making successful long-range antennas out of aluminum cans, washers, and pipes.


War Driving
Something that may not be a specific threat to the WLAN, but is in the same category, is war driving. War driving is the practice of building a mobile wireless machine, with software designed to learn and map wireless networks. In addition, war drivers may have a powerful external antenna and a Global Positioning System (GPS) device. Using a GPS, the attacker can record the exact longitude and latitude of the network that was found while driving.

Along with war driving is a practice called war chalking. War chalking is where a person who has found a WLAN via war driving marks the location with a symbol. These symbols represent open networks, closed networks, protected networks, and more. The growing list of symbols used to identify networks is changing frequently.

Figure 9-21: Example of the three main symbols of war chalking.

In the figure, the symbol on the left indicates an open network, where the SSID is being broadcast by the AP. When chalked, the symbol will include the actual SSID located and the bandwidth at that point. The middle symbol is a closed network, where the AP is not broadcasting the SSID. This symbol will also list the SSID, once discovered, and the speed of the connection. The symbol on the right is one that is protected using the Wired Equivalent Privacy (WEP). WEP will be discussed in more detail later in this lesson. The WEP symbol, along with the others, may also contain other information; there is no restriction on what can be written down. If you come into the office and see a symbol like this near your network, you should address the security of the network right away.

Gaining Access
An interesting problem that is unique to the WLAN versus the wired network is that of DHCP. If the WLAN is using DHCP, then any client that turns on in range and asks for an IP address will be given one. This may include attacker computers. In some instances, the entire job of the attacker gaining unauthorized access is to simply find a WLAN, and there are many tools available to locate WLANs.


Networks that use DHCP must employ another system to defend their wireless network; otherwise any client may gain access. Even if there were operating system level security measures in place to prevent unauthorized users from accessing a server, they would be in the network. Furthermore, you could have two or more users accessing the network and communicating with each other, happily using up your wireless bandwidth.

The man-in-the-middle attack is one that exists on the wired network, and exists in the wireless world as well. For this to work, the attacker is positioned between two end points, which is trivial on the wireless network, as being between the two points does not mean a straight line. The attacker breaks the connection that is established between the target node and the AP. (The connection can be broken using an RF Jammer or other form of electrical interference.)

The attacker then configures the attacking machine as the new local AP for the target, and allows the target to successfully associate with the attacker machine. The attacker will then route the packets through to the legitimate AP. All packets can then be stored and analyzed, and whatever purpose the attacker has in mind can be carried out.

Denial of Service
One common threat for all forms of networking is the denial of service. For the WLAN this can take on new meaning, as there are natural bandwidth restrictions on the network to begin with. The WLAN has a limited amount of bandwidth to share among all the WLAN clients. This is due to the physical restriction on the number of radio waves available to carry data. Unlike the wired network, where each node to the switch may have dedicated bandwidth, in the WLAN all nodes share the same 10 MB, and this is amplified when you consider the devices are half-duplex.

This is a perfect example of why two nodes connecting via DHCP can cause problems on the network, even if they do not attempt to gain access to servers. Simply performing large file transfers can tie up the network, or setting up a continuous ping sequence, or transmitting large malformed packets.

Topic 9C
Wireless Security Solutions
Although there are risks to using wireless networking, there are also solutions to make the wireless network secure. It can be argued that the wireless network can never be as secure as the wired network, but there are solutions that you can implement to provide reasonable levels of security on your wireless networks. In this topic you will examine and implement several of these solutions.


Wireless Transport Layer Security (WTLS)
As the WLAN grows and becomes more a part of our everyday life, and as remote devices use WAP more, security of these networks is of obvious importance. One tool available to the security professional is Wireless Transport Layer Security (WTLS). WTLS has basic goals: to provide data integrity, privacy for the two end points, and authentication between the two end points. The WTLS stack is designed specifically for the low bandwidth and high latency networks that are used for wireless communication.

WTLS Origins
WTLS is considered a security protocol for wireless networking, most specifically applying to WAP, and is sponsored by the WAP Forum. WTLS is designed to provide for the assurance that messages sent to and from end points in the wireless network have not been modified. WTLS is based on TLS, which is based upon SSL.

WTLS Authentication
When moving towards the security of a trusted network, authentication is a requirement. WTLS is no different. The method of authentication used in WTLS is certificates. It is possible to implement WTLS to not require certificates, but in order to increase the security, certificates are recommended. Various formats of certificates are allowed in WTLS, including the X.509v3 format.

WTLS Components
WTLS is split into multiple components. The lower layer is called the Record Protocol (RP). The RP takes the raw data from the higher layers, performs compression and encryption, and transmits the data. Likewise, upon receipt the RP takes the data, performs decompression and decryption, and moves the data up to the higher layers. The RP also performs message checking to verify the message has not been altered. Once the RP has done its job, it will deliver the data to the four higher-level clients of WTLS.

Figure 9-22: The components of WTLS.

There are four higher-level clients in the design of WTLS: handshake protocol, alert protocol, application protocol, and change cipher specific protocol. Although the extensive details of each of these are beyond the scope of this book, you should be familiar with the function of each client.

WTLS Handshake Protocol
The WTLS handshake protocol client allows the two end points in the communication to agree upon the security parameters of the communication. This includes issues such as the protocol version used, cryptographic algorithms used, and the handshake procedure.


Figure 9-23: The WTLS handshake process.

There are several steps to the handshake of WTLS. The first step is taken by the client: just as in SSL, the client initiates the communication by sending a hello message, called ClientHello, to the server. The server responds with a ServerHello message. Between these two hello messages, the client and server agree upon the session configuration. When the client sends the initial hello message, the client will indicate the cryptographic algorithms that the client supports, and the server hello message will include the algorithm chosen in the response.

After the initial hello phase the server will send its certificate, called ServerCertificate, and will request the client’s certificate. At this time, the server will also send the ServerKeyExchange, which is used to give the client the public key, which will be used to exchange the pre-master secret value. The master secret value will be the final piece used in the session. The server will then send a ServerHelloDone message, indicating to the client to move on to the next step in the handshake.

Upon receipt of the ServerHelloDone message, the client proceeds to send the requested certificate and a ClientKeyExchange. The ClientKeyExchange contains either the pre-master secret value (encrypted with the server’s public key) or other information to use in completing the key exchange. The client then sends an optional ChangeCipherSpec message. Finally, the client will send a Finished message to the server. The Finished message contains a verification of the agreed upon information for the session.

The server will respond with a Finished message as well, verifying the security and session parameters. The server will also send a ChangeCipherSpec message, and the session will be established.


In the event that the session gets disrupted during communication, there is a means to re-establish the session without a complete new handshake. During a session, there is a SessionID assigned to the communication between the two end points. If communication is cut, the client will send a ClientHello message, only this time it will include the previous SessionID. The server responds with a ServerHello, also with the SessionID. Upon matching the session, a ChangeCipherSpec message will be sent, and then the session can be resumed without the complete handshake.

WTLS Change Cipher Specific Protocol
The ChangeCipherSpec Protocol message can be sent by either the client or the server. This message indicates a change in the cipher used for the communication. The changing of the cipher can happen upon the re-establishment of a session, but is most often part of the original handshake process.

WTLS Alert Protocol
The WTLS Alert Protocol is what manages error handling in the session. There are three states of alert messages: warning, critical, and fatal. These messages are sent in whatever the current state the session is in, encrypted, non-encrypted, and so on. The warning message is a standard message warning of an existing condition.

If a critical alert message is sent, then both ends ensure the secure communication is terminated. However, other connections are allowed to continue using the secure session, and the existing SessionID may be used to establish a new secure connection.

If a fatal alert message is sent, then both ends ensure the secure connection is terminated. Other connections between the two ends using the same secure session may continue, but the SessionID associated with the fatal alert is invalidated, meaning the terminated connection cannot be used for new secure connections.

WTLS Application Protocol
In WTLS, the Application Protocol is simply a means for interfacing with the upper layers. In the context of this course there are no security ramifications or technical issues that network administrators and professionals will have to configure.
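The handshake sequence, the SessionID resumption path, and the difference between critical and fatal alerts described above can be checked against a small model. The following is an added example written for this lesson, not WAP Forum code or a WTLS implementation: message names follow the text, the public-key exchange is abstracted to an opaque pre-master secret, the Finished check is assumed to be an HMAC over the transcript, and the cipher suite labels suite_A and suite_B are constructed placeholders.

```python
"""Constructed model of the WTLS handshake, SessionID resumption and alert
levels.  Added example, not WAP Forum code: the key exchange is abstracted to
a random pre-master secret and Finished is modelled as an HMAC over the
transcript (both assumptions made so the model can verify something)."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ALERT_WARNING, ALERT_CRITICAL, ALERT_FATAL = "warning", "critical", "fatal"


def finished_mac(master_secret: bytes, transcript: List[str]) -> bytes:
    """Finished = HMAC(master secret, all handshake messages so far)."""
    return hmac.new(master_secret, "|".join(transcript).encode(), hashlib.sha256).digest()


class Session:
    def __init__(self, session_id: bytes, cipher: str, master_secret: bytes):
        self.session_id = session_id
        self.cipher = cipher
        self.master_secret = master_secret
        self.connections_open = 0


class WtlsServer:
    """Server-side session cache; a SessionID lives here until a fatal alert."""

    def __init__(self, supported_ciphers: List[str]):
        self.supported = supported_ciphers
        self.cache: Dict[bytes, Session] = {}

    def full_handshake(self, client_ciphers: List[str]) -> Tuple[Session, List[str]]:
        transcript = ["ClientHello"]  # carries the client's supported algorithms
        # Server picks the first algorithm the client offered that it also supports.
        cipher = next((c for c in client_ciphers if c in self.supported), None)
        if cipher is None:
            raise ValueError("no common cipher suite")
        transcript += ["ServerHello", "ServerCertificate", "CertificateRequest",
                       "ServerKeyExchange", "ServerHelloDone"]
        # Client answers with its certificate and the pre-master secret (sent under
        # the server's public key in the real protocol; a random value here).
        pre_master = os.urandom(20)
        transcript += ["ClientCertificate", "ClientKeyExchange", "ChangeCipherSpec"]
        master = hashlib.sha256(b"master secret" + pre_master).digest()
        client_finished = finished_mac(master, transcript)
        transcript.append("Finished")
        # Server verifies the client's Finished before switching ciphers itself.
        if not hmac.compare_digest(client_finished, finished_mac(master, transcript[:-1])):
            raise ValueError("Finished verification failed")
        transcript += ["ChangeCipherSpec", "Finished"]
        session = Session(os.urandom(8), cipher, master)
        session.connections_open = 1
        self.cache[session.session_id] = session
        return session, transcript

    def resume(self, session_id: bytes) -> Optional[List[str]]:
        """Abbreviated handshake: both hellos carry the old SessionID, then the
        ends go straight to ChangeCipherSpec/Finished.  None if the ID is unknown
        or has been invalidated."""
        session = self.cache.get(session_id)
        if session is None:
            return None
        session.connections_open += 1
        return ["ClientHello(SessionID)", "ServerHello(SessionID)",
                "ChangeCipherSpec", "Finished", "ChangeCipherSpec", "Finished"]

    def alert(self, session_id: bytes, level: str) -> None:
        """warning: nothing closes.  critical: this connection closes but the
        SessionID stays resumable.  fatal: the connection closes and the
        SessionID is invalidated, so no new connection can be built from it."""
        session = self.cache.get(session_id)
        if session is None or level == ALERT_WARNING:
            return
        session.connections_open = max(0, session.connections_open - 1)
        if level == ALERT_FATAL:
            del self.cache[session_id]
```

The ordering check that matters for a reviewer is that ServerHelloDone precedes ClientKeyExchange and that the server does not send its own ChangeCipherSpec until the client's Finished has verified; the alert handling shows why a monitoring system should treat a burst of fatal alerts differently from critical ones, since only the former forces full handshakes afterwards.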

Fundamental Access Point Security
On most modern access points there are a few things, outside of cryptography, that you can do to increase the security of your wireless network. One is to disable the SSID broadcast, removing the constant announcement that you have a wireless network available. Another is to enable MAC address filtering, which allows you to list the allowed and/or disallowed MAC addresses for your network.

By disabling the SSID broadcast you are taking a simple step by removing the AP that constantly sends out frames to the world that your wireless network is here, this is the SSID, and to please try to associate. It is better to keep that quiet. Allow the end node to send a frame to the AP, and let the AP respond. An attacker that is listening to the radio waves around your network will still likely get this SSID information, but at least your APs are not specifically trying to contact the attacker.


The MAC address filtering is a bit more tedious, but provides a bit more control and security over the network. The process of filtering is very direct: you create a list of addresses, then define that list as allowed or disallowed. The common implementation of the MAC address filter is to build the list of allowed addresses and mark them as allowed. Your filter then defines all other addresses as disallowed. This is not a solution to rely on as your main system, since MAC addresses can be spoofed.

Neither SSID broadcast disabling nor MAC address filtering is enough protection for you to consider your wireless network secure, but they are reasonable layers you can add to your defense. The key to protecting your enterprise is to create layer upon layer that work together to protect your resources, and these are two small options that add layers.

Wired Equivalent Privacy (WEP)
When the 802.11 standard was created, those involved in the project were very aware of the problems of wireless communications in regards to security. In the wireless network, the word broadcast takes on a whole new meaning. WEP was designed to provide levels of confidence in the security of the radio signals, as they would be encrypted.

The initial response to WEP was positive, that WEP would ensure the security of the wireless transmissions, and nearly all equipment vendors support WEP. However, the one thing that is true regarding cryptography is that there is no perfect system. Eventually flaws and modern technology will force the move to new forms of cryptography. This usually takes some time, but for WEP the time went by very quickly.

The general points regarding the implementation of WEP show some weaknesses in the overall design. For example, WEP is not a security system that is turned on by default. It is up to administrators and/or users to enable WEP, and then up to those same people to properly configure it. Also, WEP utilizes a pre-shared key, where both the AP and WNIC must be made aware of the key, or series of available keys.

Cryptography and WEP
WEP uses a symmetric key system, where the secret key is shared between the two end points, the AP and the WNIC. There is no standard system for exchanging the secret key data, so the most common method is to simply manually configure the two nodes with the correct key(s). To provide the encryption in WEP, the RC4 cipher is used. This particular cipher is a symmetric stream cipher, and follows all the standard uses of symmetric key cryptography.

RC4 is a well-known cipher, used in many secure systems such as SSL. The problem in WEP is not the RC4 cipher, rather the implementation of the cipher. Implementation is generally where the problems with encryption come into play, and WEP is the prime example of this situation. Before moving into further detail on WEP, you must examine stream ciphers.

The stream ciphers, as the name implies, stream the bits through the cryptosystem one at a time. The raw data is then combined with the key stream in an exclusive OR (XOR) operation to produce the cipher stream. The cipher stream is then transmitted to the receiving node, where the process is repeated in reverse to produce the raw data.


Figure 9-24: The standard operation of a stream cipher.

The stream cipher takes the short secret key and extends that into a larger value, the same length as the message, just like a one-time pad. This extension is created using a pseudorandom number generator (PRNG). To summarize, the sender XORs the plaintext with the key stream to produce the cipher text, and the receiver uses the identical key stream in reverse to produce the original plaintext.

Since the stream cipher works by reversing the equation on the receiving end, the key is the critical component. The receiver will use the same key stream as the sender, and simply XORs the ciphertext to arrive at the plaintext message. Since the XORs cancel each other, if the plaintext=P, the ciphertext=C, and the key stream=K, then the following equation holds:

P = C XOR K = P XOR K XOR K = P

Take the key stream, K, and two messages, P1 and P2, which go through the process to become C1 and C2. If this is the case, C1 = P1 XOR K, and C2 = P2 XOR K. Since the K is the same, and the XOR process is well known, you can assume then that the following equation is true:

C1 XOR C2 = P1 XOR K XOR P2 XOR K = P1 XOR P2

This means the attacker has now learned the XOR of two plaintext messages, without any difficulty. This example highlights why a stream cipher such as this should never encrypt two messages with the same K.
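The two equations above can be run rather than read. The following is an added example written for this lesson, not code from the book: it uses the lesson's symbols P, C and K, the key stream comes from a seeded stand-in generator rather than from RC4 or any WEP implementation, and the two messages are constructed sample values. It shows both consequences of reusing K: that C1 XOR C2 hands a listener P1 XOR P2 (and therefore exactly which bytes of the two messages differ), and that a single known plaintext hands over K itself.

```python
"""Keystream reuse in a stream cipher, worked through with the lesson's
symbols P, C and K.  Added example: the keystream comes from a seeded
stand-in generator, not from RC4 or WEP, and the messages are constructed."""
import random


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(seed: int, length: int) -> bytes:
    """Stand-in PRNG: expands a short seed into `length` keystream bytes,
    the way a stream cipher stretches a short key to message length."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def encrypt(plaintext: bytes, k: bytes) -> bytes:
    """C = P XOR K."""
    return xor_bytes(plaintext, k)


def decrypt(ciphertext: bytes, k: bytes) -> bytes:
    """P = C XOR K, because (P XOR K) XOR K = P."""
    return xor_bytes(ciphertext, k)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """What a passive listener gets when two messages share one keystream:
    C1 XOR C2 = (P1 XOR K) XOR (P2 XOR K) = P1 XOR P2.  K cancels out."""
    return xor_bytes(c1, c2)


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """With one known plaintext the keystream falls out directly: K = P XOR C."""
    return xor_bytes(known_plaintext, ciphertext)


def demo():
    """Encrypt two constructed messages under one K and show what leaks."""
    k = keystream(seed=0x5C9, length=16)      # same K used for both messages
    p1 = b"balance: 100 USD"                   # constructed sample plaintexts
    p2 = b"balance: 999 USD"
    c1, c2 = encrypt(p1, k), encrypt(p2, k)
    leak = two_time_pad_leak(c1, c2)
    # Wherever the two plaintexts agree the leaked byte is zero, so the listener
    # learns which positions differ without knowing K at all.
    differing = [i for i, b in enumerate(leak) if b]
    k_recovered = recover_keystream(p1, c1)    # one known plaintext gives K
    return (leak == xor_bytes(p1, p2), differing,
            k_recovered == k, decrypt(c2, k_recovered))
```

The defensive reading of `demo()` is that a unique key stream per message is not an optimisation but a correctness requirement of the construction; every design that reuses K, whether through a short IV, an IV that resets to zero, or a fixed key with no IV, collapses to this.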

WEP and Key Lengths
The standard implementations of WEP utilize 64-bit shared RC4 keys. Many people consider a 64-bit key to be weak, and those people have serious issues with how WEP implements those 64 bits, and for good reason! Of the 64 available bits, 40 are assigned to the shared secret key value. This is where the term 40-bit WEP comes from. In order to extend the life of WEP, several vendors moved to offer 128-bit WEP, of which only 104 bits were used for the shared secret key. If you are wondering where the extra bits that are not used for the keys are going, they are going to what is called the Initialization Vector (IV).

In order to protect network transmissions from pure brute-force decryption attacks, WEP is designed with the option of using a set of keys. Four keys can be generated, and WEP can cycle through those four keys.

The WEP Process
As the RC4 cipher has been shown over time to be a solid cipher, the WEP problem is found in the process, in the way that WEP attempts to protect data. Understanding the process is critical in order to follow the steps of cracking WEP, and making the realization that WEP provides little security.

For WEP to function, the two ends of the communication will have established their secret key already. This is done by manually entering the single key that is used, or by having a sequence of predefined keys to use. Many networks that implement WEP use the single secret key option. Administrators of these networks take some time to create a long and complex key, using the full alphanumeric options.

Using the single key, and a strong one at that, is nice. However, as you will see, there is actually not much added security by using such a strong single key. The other option of having a series of keys to use provides for a slightly higher level of security, as the single key is not reused for every single wireless transmission. Here again, however, you will see that the implementation of WEP is such that the rolling key option does not provide much more security.


Figure 9-25: The WEP encryption process.

The process begins when the sender initiates the system for transmitting a message. At this time, the plaintext is run through an integrity check algorithm to create the Integrity Check Value (ICV). The 802.11 specifications define the use of CRC-32 for this function. The ICV is then appended to the end of the original plaintext message.

A 24-bit random (more on this in a moment) Initialization Vector (IV) number is generated and added to the front of the secret key. (In this example the standard 40-bit secret key value is used.) The IV and secret key combo are input into the Key Scheduling Algorithm (KSA).

The KSA is used to generate a seed value that will be used by the PRNG. The following key sequence uses the value generated by the PRNG to create the key stream that will match the length of the plaintext.

Once the key stream has been generated, it is XORed with the plaintext/ICV to produce the encrypted portion of the message. The same IV that was input to the KSA is prepended to the front of the encrypted message, a standard header and FCS are added to the message, and it is transmitted.


Figure 9-26: The WEP decryption process.

Upon receipt of the message at the destination, the process is essentially done in reverse. In order for the destination node to generate the symmetric key stream, the variable IV must be used. This is the reason that the IV must be sent in unencrypted form; the destination needs this value.

Using the shared secret key, the destination takes the IV and runs it through the same KSA, PRNG, and key sequencing to get the key stream. The key stream and the ciphertext are then XORed, and the resulting plaintext and ICV are calculated. Finally, the destination node computes a new ICV, and checks to see if this new value matches the sent ICV. If there is a match, then the receiving node will accept and process the message.
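The encryption and decryption process just described, as an added example written for this lesson rather than code from the book or from any 802.11 driver: the CRC-32 ICV is appended to the plaintext, a 24-bit IV is prepended to the 40-bit (or 104-bit) secret key to seed RC4's KSA and PRNG, the IV travels in the clear ahead of the ciphertext, and the receiver recomputes the ICV before accepting the frame. RC4 is written out so the block runs offline; the key and IV values in the usage are constructed. Two defender-side helpers are included because the next pages turn on them: a count of IVs that recur in a capture, and the birthday-bound estimate of how many frames a random 24-bit IV survives before a repeat becomes likely.

```python
"""Constructed model of the WEP encryption and decryption process: CRC-32
ICV, 24-bit IV prepended to the secret key, RC4 as KSA/PRNG, IV in the clear.
Added example; RC4 is implemented inline and all key/IV values are made up."""
import math
import struct
import zlib
from typing import Dict, List, Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: the KSA builds permutation S from the key, the PRGA emits bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                   # pseudorandom generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Returns IV || ((plaintext || ICV) XOR RC4(IV || key)).  IV stays clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    if len(secret_key) not in (5, 13):
        raise ValueError("WEP secret key is 40 or 104 bits")
    body = plaintext + icv(plaintext)
    ks = rc4_keystream(iv + secret_key, len(body))
    return iv + xor_bytes(body, ks)


def wep_decrypt(secret_key: bytes, frame: bytes) -> Optional[bytes]:
    """Reverses the process; None when the recomputed ICV does not match."""
    iv, ciphertext = frame[:3], frame[3:]
    if len(ciphertext) < 4:
        return None
    ks = rc4_keystream(iv + secret_key, len(ciphertext))
    body = xor_bytes(ciphertext, ks)
    plaintext, sent_icv = body[:-4], body[-4:]
    return plaintext if icv(plaintext) == sent_icv else None


def iv_reuse_report(frames: List[bytes]) -> Dict[bytes, int]:
    """Defender-side check over captured frames: IVs seen more than once.
    Each repeat means two ciphertexts were produced under one key stream."""
    seen: Dict[bytes, int] = {}
    for f in frames:
        seen[f[:3]] = seen.get(f[:3], 0) + 1
    return {iv: n for iv, n in seen.items() if n > 1}


def frames_until_iv_collision(probability: float = 0.5) -> int:
    """Birthday bound for random 24-bit IVs: frames after which a repeat is
    at least `probability` likely.  Far below the 16.7 million figure."""
    space = 2 ** 24
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit key
    frame = wep_encrypt(key, bytes.fromhex("aabbcc"), b"hello wlan")
    print(frame.hex(), wep_decrypt(key, frame))
    print("frames for 50% IV repeat:", frames_until_iv_collision())
```

Note what the ICV check does and does not buy: a flipped ciphertext byte is rejected because the recomputed CRC-32 no longer matches, but CRC-32 is keyed by nothing, so the check is a transmission-error detector rather than a cryptographic MAC. The birthday figure is the number worth remembering when the text says values will be reused long before the 16 million mark.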

WEP Weakness
So, throughout this discussion, you may be wondering where the weakness is found. Actually, there is more than one weakness, but the problems really start to show when looking at the implementation of the IV.


The IV is a 24-bit field, regardless of the number of bits allocated to the secret key. Therefore, when you implement 64-bit WEP, only 40 bits are for the key, and 24 bits are for the IV. When you implement 128-bit WEP, only 104 bits are for the key, and 24 bits are for the IV.

A 24-bit field does not yield very many possibilities, only 16,777,216 possible combinations. This means that every 16.7 million times the IV is used it will have no choice but to repeat itself. Busy networks will transmit that many packets in a matter of hours at the most, and due to randomness it is likely that values will be reused long before the 16 million mark.

But, in most networks the attacker will not have to wait for nearly 17 million transmissions to find a duplicate IV. This is because many WNICs reset the IV to 0 when the card is reinitialized. As WNICs are reinitialized frequently in busy networks, finding a repeating pattern may take a very short time.

If an attacker has any idea of the contents of the plaintext message, then the job of breaking WEP is that much easier. This can be accomplished by the attacker being the one to generate the plaintext message, such as sending an email or ping into the WEP-protected network, and sniffing the result. Knowing the formatting of messages sent and received will also increase the attacker’s success rate. Given that message formatting is known, such as the first byte of plaintext data being the SNAP header, this is not a difficult assumption. Once the attacker has built up a table mapping known plaintext to ciphertext, the key streams can be stored.

An IV collision is when the IV is reused.


Figure 9-27: Example of the plaintext/ciphertext attack on WEP.

Earlier, you looked at some of the given equations of WEP. Recall that C1 = P1 XOR K and C2 = P2 XOR K, therefore C1 XOR C2 = P1 XOR P2. Therefore, sniffing both sides of the AP will give the attacker the keystream when the attacker XORs the ciphertext with the plaintext. The attacker need not decrypt the stream; only know what the stream is.

By doing this enough times, the attacker can build what is called a decryption dictionary. The decryption dictionary is a table that the attacker has built that stores all the keystreams, mapping the IV to its key stream. Due to the WEP implementation, there are a maximum of 2^24 entries in the dictionary. Once the dictionary is full, then the attacker can decrypt all WEP traffic. If the system is fast enough, it may even happen in close to real-time.

If you recall that many systems reset their IV to 0 each time, this makes for a much smaller keyspace used. Another problem is that systems are not required to change the IV on each packet, again making smaller and smaller spaces that require attacking.

Take a look at the following equation, to see how this works out in simple binary. In this case, you are looking at just two bytes, but the process is identical for larger amounts of data. Assume for this equation, you are the attacker.

• 0110100001101001 Known plaintext. (Known because you sent it.) This is P1.

• 0110100111000101 Known ciphertext. (Known because you are sniffing it.) This is C1.

• 1010001110101100 Learned stream. (Learned by XORing the plaintext with the ciphertext.) This is now K.

When emailing the target, sending a message of a string of the same character (such as all 5s) makes comparison between plaintext and ciphertext a bit simpler.


The attacker can simply perform this type of operation over and over, until all the keystreams are identified. After the keystream is known, the attacker can take any WEP message, look up the known data in the dictionary, and XOR the ciphertext to get the plaintext. The attacker did not spend time trying to decrypt the key. In this case, the attacker does not care what the key is, only the value of the key stream.

The final big push that led to the downfall of WEP as the primary security system for wireless communications came in August of 2001. A paper was published by Scott Fluhrer, Itsik Mantin, and Adi Shamir titled “Weaknesses in the Key Scheduling Algorithm of RC4.” This paper included theoretical attacks on WEP.

One of the focus points in the paper was that of weak IVs. Since 802.11 uses LLC encapsulation, there are weaknesses in the known formatting issues, such as the plaintext of the first byte known to be 0xAA (this is the first byte of the SNAP header). Knowing the plaintext value of the first byte, an attacker can simply XOR the first byte of the cipher stream with the known data to reveal the key stream for that byte.

In the paper, this class of weak keys is analyzed. Every weak IV is used to attack a specific byte of the secret RC4 key. The bytes of the key are numbered, starting from zero. In a 40-bit WEP implementation there are 1,280 weak IVs. You should be aware that the number of weak IVs that exist varies based on the key length.

Therefore, if you elect to use the 128-bit WEP, the overall number of weak IVs that exist increases. The 128-bit WEP has more than twice the number of weak IVs than the 40-bit WEP. In the 128-bit WEP implementation (which uses 104 bits for the key), there are 4,096 weak IVs.

WEP Conclusion

Although by now you may feel that there is no practical value in utilizing WEP, you should still take advantage of this option. Adding this layer of security should be one of the starting points in the security of your wireless network, not the end. By having WEP on the network, you may be able to remove the casual attacker from any interest in your network.

Configure WEP

Up to this point, you have seen the creation of an ad-hoc wireless network, and the creation of an infrastructure network. Although effective for fast setup and simple configurations, this provides no security. The only time you should run an unprotected network is in a controlled lab environment, where access to any production machine of any type is impossible.

In this section, you will see the process of enabling WEP. Even though you’ve learned that WEP can be cracked, if your wireless system does not support any more robust security features, you must implement WEP as your bare minimum. In this task, 128-bit WEP will be configured. The AP that will be configured to use WEP is a Netgear WPN824.

TASK 9C-1
Installing the Netgear WPN824 Access Point

1. Log on to your Windows 2003 Server as Administrator.

2. Open the Network Properties of your LAN adapter.

3. Select TCP/IP, and click Properties.

4. Configure your LAN IP Address to allow you access to the Internet, click OK twice, and then click Close. Note – In these tasks, the Netgear AP will reconfigure the Server to use DHCP by default to connect to the AP.

5. Insert the Netgear CD-ROM in the CD-ROM drive. If the setup program does not autorun, navigate to the CD, and double-click the Autorun.exe file.

6. From the main menu, click Setup.

7. Read the Before You Begin instructions, and click Next.

8. Record your current network settings, as shown, and click Next. The system will reconfigure to use DHCP as required.

9. Once the system has confirmed your setup and Internet connection, click Yes.

10. In the Overview screen, click Next.

11. Review the screen to turn off the broadband modem, and click Next.

12. Review the disconnection of the Ethernet cable screen, and click Next.

13. Connect the Netgear Router to the Broadband connection, and click Next.

14. Connect your Server to the Netgear Router, then click Next.

15. Power on the Broadband device, then power on the router, and click Next.

16. Wait while the system resets, and when you are at the Welcome screen click the Advanced User URL that is shown in the window.

17. For User Name, type admin and for the Password, type password (these are the defaults), and click OK.

18. If you receive a firmware update notice, check the Do Not Display Again check box, and click Close Window. If you do not receive a firmware update notice, move to the next step.

19. Type an IP Address of 10.0.10.50, a Subnet Mask of 255.255.255.0, and a Gateway IP Address of 10.0.10.2.

Configure the DNS Settings for your network. Then, click Apply. If you are prompted for the user name and password, use the same credentials you used earlier in step 17.

20. From the menu on the left side of the screen, click the Wireless Settings link.

21. In the Name (SSID) text box type SCP-2

Leave the Channel and Mode at their defaults.

22. Under Security Options, select the WEP radio button. The WEP options will be enabled when you make this selection.

23. Keep the default Authentication Type as Automatic, and in the Encryption Strength drop-down list, select 128bit.

24. Select the Key 1 radio button, and in the Passphrase text box type SECRET1 and click the Generate button. (Note – the system is designed to only populate one Key field at a time, but at times the system will populate all fields. If this is the case, copy and paste each key to Notepad.)

25. Select the Key 2 radio button, and in the Passphrase text box type SECRET2 and click the Generate button. Repeat this pattern for Keys 3 and 4.

26. Once all four keys are entered, click Apply.

27. Enter the Netgear credentials, and click OK. The settings will be updated.

Establishing the WEP Network

With the Access Point installed and configured to use WEP, you will now need to configure the clients to use the same security settings. Since the AP is configured to use four different WEP keys, these exact same keys will be required on each WEP client. The client to be configured will be the Netgear Client.

The WEP clients and APs use the same keys. You will use the following keyphrases and keys:

• SECRET1 - D26BC1D2A0BFE7F09BBF02349C

• SECRET2 - 30FC02118708A87A1A2CB06E1B

• SECRET3 - 014DAAF8F9BEECA7E046D7C2AC

• SECRET4 - F41FB818ED33EDD64D38E62BA0

TASK 9C-2
Configuring WEP on the Network Client

1. Log on to the computer that has the Netgear WPN511 installed.

2. In the Windows system tray, click the Netgear WPN511 Smart Wizard icon.

3. Click the Networks tab.

4. Click the Scan button to locate the new network. Note that the new WEP network is located.

5. Select the SCP-2 network, and click the Connect button. Note that you are brought to the main Settings tab when you do this, and that both the SSID and WEP options have been selected.

6. In the Passphrase drop-down list, select 128 bits.

7. Verify that Key 1 is highlighted under the Enter Key Manually drop-down list, and in the Passphrase text box type SECRET1 (notice that the Key is automatically generated).

8. Select Key 2 in the drop-down list, and type SECRET2 in the Passphrase text box.

9. Select Key 3 in the drop-down list, and type SECRET3 in the Passphrase text box.

10. Select Key 4 in the drop-down list, and type SECRET4 in the Passphrase text box, then click the Apply button. You are now connected to the WEP network.

11. If you wish, open a Command Prompt and ping 10.0.10.2 (the AP) to verify the connection.

Temporal Key Integrity Protocol (TKIP)

TKIP is not specific to Wi-Fi Protected Access (WPA), but is utilized by WPA. TKIP was developed to correct some of the weaknesses found in the WEP RC4 process. TKIP still uses RC4 as the core cipher, but from there the process changes. TKIP forces a new key to be generated every 10,000 packets, and it hashes the IV so that the IV becomes encrypted, and therefore not as easy to sniff.

The simple step of hashing the IV means that the previous problem of turning a 64-bit key into a 24-bit plaintext and 40-bit secret is now gone. TKIP also includes a method of verifying the integrity of the data called the Message Integrity Check (MIC). The MIC will allow for confirmation that the packet has not been altered during transit.

Although TKIP strengthens (not replaces) the WEP process, and provides an increase in the security of the network transmissions, it should not be considered the ending solution to the security of the wireless network communication. This is because the system still will fall to the cracking of the single password (or keyphrase) that was used to initiate the whole system. If that secret is discovered, the entire system is compromised.

Extensible Authentication Protocol (EAP)

Extensible Authentication Protocol (EAP) is not a wireless-specific protocol. EAP is used in many different systems, both wired and wireless. EAP, in the simplest definition, is a means of validating a remote access connection.

TKIP is not a replacement for WEP.

EAP is not tied to a specific authentication technology, meaning that it will work with certificates, smart cards, tokens, challenge/response systems, and so on. In the case of wireless security, EAP has been applied to authenticating remote wireless users.

Wi-Fi Protected Access (WPA)

WEP is not the only solution to securing your wireless communications. Another solution is called Wi-Fi Protected Access (WPA). Behind WPA is the Wi-Fi Alliance, which is an organization deeply involved in wireless interoperability issues. WPA is designed to meet two goals: strong protection via encryption, and strong access control via user authentication.

The first goal of user authentication is provided with the use of 802.1x + Extensible Authentication Protocol (EAP). The second goal of encryption is provided with three items: Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC)—called Michael, and 802.1x dynamic key distribution. This means WPA = 802.1x + EAP + TKIP + MIC.

The WPA Process

There is a sequence of steps involved in the WPA process. These steps are different for an Enterprise implementation and a Small Office Home Office (SOHO) implementation. In the SOHO implementation, a matching password is configured on the AP and the client. When the passwords are checked and matched, then cryptographic keys are exchanged and the encrypted session begins. Although the authentication is simplified to the matching password for the SOHO implementation, the encryption process is the same for the SOHO as the Enterprise.

The formula for WPA is: WPA = 802.1x + EAP + TKIP + MIC

Figure 9-28: The Enterprise implementation steps of WPA.

In the Enterprise, there are several more steps in the overall process. The first step is the association of the client to the AP. Once the client associates, the second step is for the AP to prevent the client from accessing the LAN segment until the client has authenticated. The third step is the client providing authentication credentials to the authentication server. If the client successfully authenticates, then the process moves to step four; if the client does not authenticate, then the client will remain blocked from the LAN segment. The fourth step is for the authentication server to distribute the required cryptographic keys to the AP and the client. The fifth step is for the client to join the LAN, using the keys to encrypt all the communications between the AP and the client.

Hardware Requirements

In order to take advantage of all that WPA offers, you will need to be sure that your network is able to run WPA. Access Points and other wireless equipment will have to have been enabled to use WPA. Most newer devices are enabled for WPA, but older models may require upgrades to support it. In addition to the APs and clients supporting WPA, you will need an authentication server. This should be any strong authentication server, such as a RADIUS server.

WEP and WPA Comparison

Although the technologies are different, there is a natural tendency to compare WEP directly with WPA. Here is a quick comparison of some of the primary points between these two security mechanisms.

WEP                        WPA
40-bit keys                128-bit keys
Static key                 Dynamic keys
Manual key distribution    Automatic key distribution

Looking at those three points alone should provide ample reason for migrating the enterprise to WPA as a security solution over WEP. A final point is the authentication systems—in WEP there is no unique authentication required by the users, whereas in WPA the user must authenticate with the authentication server.

Configure WPA2

For this task, it is assumed that the initial WAP54G installation and configuration is finished, and the task is specifically designed to configure WPA. Once the AP is configured to utilize WPA, then the WNICs will be configured to connect to the WPA-protected network.

TASK 9C-3
Configure WPA2 on the Access Point

1. Log on to your Windows 2003 Server as Administrator.

2. Open a web browser, and point to http://10.0.10.1 (or, if different, whatever IP Address you assigned to the WAP54G).

3. Leave the User Name empty, and type admin as the Password, then click OK.

4. Click the Wireless tab, and under the Basic Wireless Settings, change the Network Name (SSID) to SCP-3 and click the Save Settings button. When you get the prompt that your changes have been saved, click Continue.

5. On the Wireless tab, click the Wireless Security option.

6. In the Security Mode drop-down list, select WPA2-Mixed.

7. In the Passphrase text box, type SCNP4ME!

8. Click the Save Settings button. When you get the prompt that your changes have been saved, click Continue.

Supplicants

While several makers of wireless networking equipment have made their cards able to understand the higher-level security features, such as WPA, there are issues currently in getting the WNIC to connect to the AP using WPA. The use of supplicant applications helps to smooth out this process.

It is important to note that you may need to download a supplicant in order to get WPA running on your system. The supplicant is the piece of code that allows your new card to actually use the features of WPA. This is especially true in legacy systems, such as Windows 2000. Microsoft has released a WPA patch for Windows systems, and Funk Software has released a third-party solution called Odyssey.

With the AP now configured to use WPA2, you need to configure your client computers to match this security setting. In this next task, you will configure the Linksys WNIC client to use WPA2 security.

TASK 9C-4
Configuring WPA2 on the Network Client

1. Log on to the computer that has the Linksys WPC54G installed.

2. In the Windows system tray, right-click the Linksys WPC54G monitor icon, and choose Open The Monitor.

3. Click the Site Survey tab. Notice the new WPA2 security-enabled AP is listed.

4. Select the SCP-3 WPA2 secured network, and click Connect.

5. Verify that the WPA2-Personal option is selected, type SCNP4ME! in the Passphrase text box, and click Connect.

6. In the Congratulations screen, click Connect To Network.

7. In the Link Information screen, note that you are now connected to the Access Point. Click the More Information button.

8. If you wish, open a Command Prompt and ping 10.0.10.1 (the AP) to verify the connection.

802.1x

While industry groups such as the Wi-Fi Alliance are working on security solutions, so is the IEEE. The 802.11i working group is focused on the security issues of the 802.11 wireless networking standards. The group is working towards the 802.1x standard, which will define the authentication framework of the 802.11-based networks.

The 802.1x standard is based upon EAP, and will provide for the flexibility to use multiple authentication algorithms, since it is an open standard. Vendors will be able to implement and advance the technology in line with the standard.

In this system there are three primary components: the end client, the access point, and the authentication server. Although it is common for the authentication server to be a RADIUS server, there are no specifications requiring RADIUS. This leaves the design open to fit your specific situation.

Topic 9D
Wireless Auditing

Since the wireless network is so dynamic, in order to maintain proper security, regular auditing is required. This is in addition to the normal auditing and analysis of your wired network. Since the wireless network has no true boundary, your auditing must be specifically targeted towards this segment of the enterprise.

A complete audit of the wireless network should inform you of all the APs, all the WNICs, and any other significant information; for example, are the APs in the network broadcasting their SSID? One method of attack is to add a rogue AP on the edge of your network, allowing for the range to be increased across the street or into another building. Without proper auditing, you may find this out only after it is too late.

Site Survey

One of the primary, and most basic, wireless auditing tasks is called the site survey. This is a primary task because the wireless network is an ever-changing network, with dynamic boundaries. Even if the nodes in the network remain static, the bandwidth use may be dynamic, causing transmission rates to modify during the course of communication.

The BSS and ESS that are running in the wireless network can reconfigure themselves to use the lowest common denominator of bandwidth when associating with nodes and other APs. Analyzing the packets on a given channel of an AP can indicate the strength of the signal and the size of the packets transmitted.

If it seems that all the packets are small in size, then there is the possibility that interference is causing the small size. Through your analysis you can now alter the settings of the AP or move it to a different physical location.

WNIC Chipsets

Although not specific to the concept of auditing or the wireless network, you need to be aware of the WNIC chipsets in order to utilize many of the wireless auditing tools. The reason for this is that there are several different manufacturers of wireless chipsets, and this is important because the tools and drivers are actually interacting with the chipset itself. When looking for interoperability with your O/S or auditing tool, you may need to know which chipset is in your card, and which chipsets are compatible with that specific tool.

For 802.11b networks, two common chipsets are Prism and Hermes. The Prism chipset is on a wide variety of cards, such as Linksys, D-Link, and Netgear. The Hermes chipset is often found in Proxim cards, specifically the ORiNOCO cards. Many wireless tools work best (and, for some tools, only) with the ORiNOCO card.

For 802.11g networks, two common chipsets are Atheros and Broadcom. Many different card vendors use these different chipsets. In this lesson, both the Linksys and Netgear client cards use an Atheros chipset.

Wireshark

Wireshark is one of the leading network analysis tools, and runs on both Windows and Linux platforms. Wireshark can capture all the packets on a network card, and present those packets for analysis. Complete details on Wireshark network analysis are out of the scope of this book. Even though Wireshark runs on both Windows and Linux, the support for analyzing 802.11 packets is better on Linux.

NetStumbler

Perhaps one of the most famous wireless tools, NetStumbler should be a part of all wireless auditing tool kits. NetStumbler works with a wide variety of cards (a full list is available at www.stumbler.net/compat). This tool, once loaded on your computer, can detect 802.11 networks, identify the SSIDs, identify the security in place, identify the channel used, and so on.

There is a mapping function in NetStumbler that creates a graphical image, on a map of the area, of the location of APs. Since the tool allows for GPS integration, you can even use a GPS device to identify the exact longitude and latitude of the AP for plotting onto a map. Furthermore, you can output your results to the mapping software MapPoint.

NetStumbler will identify, on screen, the SSIDs of the networks that it finds, and will report whether or not that network is using WEP. If the AP is using WEP, a small lock icon will appear in the circle next to the MAC address of the AP.

Installing NetStumbler is very simple: just execute the application and a desktop icon will be created. Double-click the desktop icon, and NetStumbler is ready to go. The only issue is making sure that the WNIC you use is supported by NetStumbler. Supported cards require no additional steps; NetStumbler will simply use the card upon running the application. The web site, www.netstumbler.com, is where you can go to find the current updates regarding the supported cards.

TASK 9D-1
Installing NetStumbler

1. Log on to the computer with the Linksys WPC54G installed.

2. On your course CD-ROM, navigate to C:\Tools\Lesson9\NetStumblerInstaller_0_4_0.exe (note – if you do not have this file, you may download it from www.stumbler.net).

3. Double click the NetStumbler_0_4_0.exe file to begin the installation.

4. Read the License Agreement, and click I Agree.

5. Leave the default selection of a Complete Install, and click Next.

6. Accept the default installation directory, and click Install.

7. Once the install is complete, click Close.

8. If you wish, read through the Release Notes, then close the Release Notes window.

Identify Wireless Networks

After you have NetStumbler installed, you can quickly analyze your network to find active access points. Once you have identified an access point, you can dig a bit deeper to determine the MAC address, the SSID, encryption use, signal strength, and (if you have GPS connectivity) the longitude and latitude of the AP.

In the previous figure, you can see that NetStumbler has located three APs nearby. NetStumbler has identified the SSID, Channel and MAC address. The vendor name is estimated based on the MAC address, as specific MAC addresses are assigned to specific vendors. This is not always accurate, however, as MAC addresses can be changed. In the test lab for this figure, two APs are Linksys, and one is Netgear.

When using NetStumbler, you are able to identify if you are associated with a network by looking to see if your MAC address is in bold. In the example figure, the MAC address 0018390FFA5D is bolded, so the machine that created this example is associated to the network on Channel 6, and using SSID SCP-3.

Notice as well that NetStumbler has identified the Encryption on SCP-2 and SCP-3 as WEP. While SCP-2 is using WEP, the SCP-3 network is using WPA2, so although NetStumbler did correctly identify that encryption was in use, it did not delineate the difference between a WEP and WPA2 encrypted connection.

You should keep this in mind as you are using your wireless tools. While not clearly defined from a legal viewpoint, connecting to an Access Point may be considered unauthorized access. If your WNIC is set to DHCP, your system may associate and you may be given an IP Address very quickly. Be careful that you do not associate and join a network that you had no intention of using.

TASK 9D-2
Identifying Wireless Networks

1. Log on to the system that has NetStumbler installed.

2. Double-click the NetStumbler desktop icon. (If no icon was installed, you can find NetStumbler in your Programs menu.)

3. NetStumbler will automatically run a scan and locate active Access Points within range of your system.

4. Examine the results and locate the following information:

• What are the network types identified?

• What are the channels used?

• Is your system associated with any network?

• Which networks are using encryption?

5. Close the NetStumbler application. At this time, there is no need to save the file results, unless you wish to have them for later analysis.

OmniPeek Personal

There are many products designed to perform wireless network analysis directly, and one of them is part of a bigger product called OmniPeek, a commercial product from WildPackets. OmniPeek Personal can be downloaded for free for personal use only from the WildPackets site: www.omnipeek.com. To use OmniPeek in a commercial environment, you must buy a license to the OmniPeek Workgroup or Enterprise products.

One thing OmniPeek Personal is not designed to do is to crack WEP. There are other tools designed for this purpose. If you have WEP running in your network, you can, however, input the WEP keys and OmniPeek Personal will decrypt those packets on screen. By decrypting the WEP signals, you can use OmniPeek Personal to analyze higher layer communications as well.

If you have time, visit the site www.wigle.net. There is an interactive map that you can zoom in on, down to the level of seeing the names of individual SSIDs that have been discovered via wardriving.

Installation of OmniPeek Personal is very straightforward. OmniPeek Personal will not work with every WNIC made, but supports quite a few brands and types of cards. OmniPeek Personal supports various 802.11a, 802.11b, 802.11g, and 802.11 combo cards. You will need to be sure that your card is one that is supported. Once you know that your card is supported, you will then update the WNIC with a WildPackets driver for that specific card. Once the driver is installed, then OmniPeek Personal is ready to run on your system.

TASK 9D-3
Installing OmniPeek Personal

Setup: OmniPeek Personal requires Microsoft .NET Framework 2.0. If your system does not have this installed, please visit www.omnipeek.com/downloads.php and follow the link to Microsoft to download the current version.

1. Log on to the system that has the Linksys WPC54G installed.

2. From C:\Tools\Lesson9, double-click WildPackets_OmniPeek_Personal41.exe.

3. If your security system generates a Security Warning pop-up, click Run. If no pop-up is created, proceed to the next step.

4. In the InstallShield Wizard, click Next.

5. In the Name text box, type your first name, and in the Company Name text box, type SCP, and click Next.

6. If you wish to receive WildPackets updates, click Next. If you do not wish to receive WildPackets updates, uncheck the check box, then click Next.

7. Read the features offered in the OmniPeek Workgroup Pro upgrade, and click Next.

8. Read the terms of the License Agreement, select the radio button if you accept, and click Next.

9. Read through the Installation Notes, and click Next.

10. If your system does not have Microsoft .NET Framework 2.0 installed, you will be prompted to download .NET 2.0. If you do need to perform this download, click OK. If your system already has .NET installed, skip to the next step.

11. Leave the default selection of a Complete Install, and click Next.

12. Confirm your settings, and click Next to begin copying files. The software will now be installed to your system.

13. Once the install is complete, uncheck the box to view the Readme, uncheck the box to Launch OmniPeek, and click Finish.

WildPackets Drivers

OmniPeek Personal requires the installation of a special WildPackets driver in order to use a wireless card with an Atheros chipset. Note that once you have installed the WildPackets driver, if you wish to revert to your previous configuration, you will need to reinstall the factory drivers that came with your WNIC. In this book, you will be using the OmniPeek files that are included as samples, so no driver installation is required.

OmniPeek Personal Captures

OmniPeek Personal has several configured packet captures saved for you to use. Viewing these sample captures will give you an insight into the process of using OmniPeek Personal, without the requirement of you setting up a complex wireless lab. If you are going to move further in your career as a wireless network analyst, you will build and manage your own lab, so this is not an issue, but for the classroom, these captures are a great tool.

OmniPeek Personal can work as a network troubleshooting and maintenance tool, in addition to providing the information you need to run security audits. The tool can tell you bandwidth use, packet transmissions, and errors, all through its easy-to-read visual gauges.

The full details of this tool are beyond the scope of this course, but one of the features you will likely want to familiarize yourself with is the peer map. The OmniPeek Personal peer map will help you to actually visualize the traffic in your network. Connections are given colored lines, with the line getting thicker based on utilization. In the peer map, you can grab a node with your mouse and move it on screen, with the lines moving in relation, and allowing you to adjust the view to your liking.

TASK 9D-4
Viewing OmniPeek Personal Captures

1. Log on to the system where you have installed OmniPeek Personal.

2. Navigate from the Start menu to the WildPackets OmniPeek Personal installation.

3. The first time the application runs, you must define a network adapter. In this course, you will not be using an adapter. In the Monitor Options screen, select None, and click OK.

4. Choose File→Open.

5. Navigate to the folder location where you installed OmniPeek Personal. Open \OmniPeek Personal\Samples\Wireless.

6. Select association.apc and click Open.

7. What is the function of the packet found in line 4?

It is the broadcast looking for a wireless network to join. This broadcast is called the probe request.

8. What is the MAC address of the node that sent the Probe Request?

00:A0:F8:9B:B9:AA

9. What is the function of the packet found in line 5?

It is the response from the AP that it will accept connections. This response is called the probe response.

10. What is the function of the packet found in line 8?

A request to use open authentication.

11. Right-click line 8 and choose Select Related Packets→By Flow. Click the Hide Unselected button. You will be left with only the packets related to that specific conversation.

12. What is the subtype of the authentication request in line 8?

It is Subtype: 1011 (Authentication).

13. What is the status code of the authentication response in line 10?

It is listed as Successful, so this packet is to inform the client that the request is granted.

14. Choose Edit→Unhide All Packets.

15. Double-click line 3, which is a Beacon packet.

16. Note the type and subtype of this packet.

17. Click the green right-arrow. This arrow is found two rows under the Filemenu.

18. What is the type and subtype of this packet?

Type 00 (Management) and 0100 (Probe Request).

Continue to click the green arrow, noting the different Types and Subtypes, as they are associated to different packets.

19. What is the type and subtype for a probe response?

Type 00 (Management) and 0101 (Probe Response).

20. What is the type and subtype for an 802.11 acknowledgement?

Type 01 (Control) and 1101 (Acknowledgement).

21. What is the type and subtype for a beacon?

Type 00 (Management) and 1000 (Beacon).

22. What is the type and subtype for an 802.11 authentication packet?

Type 00 (Management) and 1011 (Authentication).

23. What is the type and subtype for an association request?

Type 00 (Management) and 0000 (Association Request).

24. What is the type and subtype for an association response?

Type 00 (Management) and 0001 (Association Response).

25. Choose File→Close to close the packet details.

26. From the left menu, under Statistics, click Protocols.

27. Notice the percentages of each protocol in this capture. When finished, choose File→Close. Keep OmniPeek Personal open for subsequent tasks.

Live Captures

Although it may not be a part of your daily tasks, there will be times when you wish to view captures as they happen. These live captures can then be saved for later analysis, or you can look for trends as they are happening. There is a feature built into the program to simulate the live capture of packets, so you do not need to have a suitable WNIC installed.

TASK 9D-5
Viewing Live OmniPeek Personal Captures

1. Choose Capture→Start Capture.

2. In the Monitor Options, select the File option, and click OK.

3. In the File Name box, browse to \WildPackets\OmniPeek Personal\Samples\Wireless\Demo.apc, and click Open. (Note – you may need to change the file type to view .apc files.)

4. Choose Capture→Start Capture.

5. Click the green Start Capture button.

6. Allow the capture to run for some time. When you reach approximately 700 packets, click the red Stop Capture button.

7. Leave the application open for upcoming tasks.


Non-802.11 Packets

Although you may wish to spend the majority of your time analyzing the 802.11 packets and associated wireless networking issues, OmniPeek Personal can capture all traffic. This allows you to perform analysis on all network traffic if you wish. In the following task, you will examine all the traffic captured, and view the OmniPeek Personal options for analysis.

TASK 9D-6: Analyze Upper Layer Traffic

Setup: This task assumes that the Demo.apc file is open.

1. Right-click line 16 and choose Select Related Packets→By Flow.

2. Click the Hide Unselected button.

3. What are the IP Addresses of the nodes in this conversation?

• 192.168.0.11

• 192.216.124.4

4. Which packets define the three-way handshake?

Packets 16, 19, and 21.

5. What website is being accessed in these packets?

www.wildpackets.com (This is the maker of OmniPeek Personal.)

6. Double-click any HTTP packet.

What is the type and subtype of the packet?

Type 10 (Data) and 0000 (Data Only).

7. Double-click line 23.


Looking at the MAC addresses and last bit of the frame control flags, do you suspect this to be an ad-hoc or an infrastructure network?

An infrastructure network: there are three addresses in use, and the ToDS bit is set to 1.

8. Choose File→Close. Click No, as you do not need to save this capture file.

9. Leave OmniPeek Personal open for the next task.

Decode WEP

If you are analyzing traffic on your own network, you know what the WEP key is. In this case, you are not cracking anything; you use the known key to decrypt WEP-protected data on screen. OmniPeek Personal has an option to UnWEP packets, provided you have the required key.

TASK 9D-7: Decrypting WEP

1. If it is not already open, open OmniPeek Personal.

2. Choose File→Open.

3. Browse to \WildPackets\OmniPeek Personal\Samples\Wireless\telnet-wep.apc and click Open. Notice that under the Protocol column, no protocol information for higher layers is available. (You can reorder the columns, if you wish.)

4. Double-click packet 6.

5. What is the type and subtype of this packet?

Type 10 (Data) and Subtype 0000 (Data Only).


6. According to the frame control flags, is WEP enabled, and is this likely for an ad-hoc or an infrastructure network?

Yes, WEP is enabled, and the ToDS bit is set, so this is an infrastructure network.

7. What is the WEP IV for this packet?

0x050100

8. To get back to the main packet list, close the packet details.

9. Choose Tools→Decrypt WLAN Packets.

10. Select the Encrypted Only radio button and click the “…” button to the right of the Use Key Set text box.

11. Click the Insert button.

12. In the Name text box, type UnWEP1

In the Key 1 text box, type 0123456789 and in the Key 2 text box, type 9876543210

Click OK. These values are part of the OmniPeek Personal demo.


13. In the Key Sets window, click your newly created UnWEP1 set, and click OK.

14. In the Decrypt WLAN Packets window, click OK to perform the decryption with the UnWEP1 keyset. It will only take a brief moment to perform the decryption. You will see right away that the packets are decrypted, and the protocols and other details are now exposed.

15. Starting with packet 1, what are the other packets involved in the three-way handshake?

Packets 1, 2, and 3.

16. What IP address is associated with the Telnet client?

192.168.0.11

17. What packet holds the login request from the Telnet server?

Packet 8.


18. Examine the details of lines 9, 12, 15, 18, 20, 24, 27, 30. What can you learn from the information in these lines?

You can learn that the login is sysadmin. (Note — Look at the values presented in the Line 1 field of these packets together.)

19. What does it appear that the password is for this login session?

The password looks like foo, from lines 36, 39, and 42. (Note – Look at the values presented in the Line 1 field of these packets together.)

20. Which packets are used to end the Telnet session?

Packets 63, 64, 65, and 66.

21. Double-click line 63. This is the Ack/Fin to close the session from the Telnet server.

22. What is the setting of the ToDS bit and the FromDS bit?

The ToDS bit is set to 0 and the FromDS bit is set to 1.

23. After you identify the bit setting, click the green right-arrow to move to the next packet. This is packet 64, the return Ack to the server.

24. What is the setting of the ToDS bit and the FromDS bit?

The ToDS bit is set to 1 and the FromDS bit is set to 0.

25. After you identify the bit setting, click the green right-arrow to move to the next packet. This is packet 65, the Ack/Fin from the client to the server.

26. What is the setting of the ToDS bit and the FromDS bit?

The ToDS bit is set to 1 and the FromDS bit is set to 0.

27. After you identify the bit setting, click the green right-arrow to move to the next packet. This is packet 66, the return Ack from the server.

28. What is the setting of the ToDS bit and the FromDS bit?

The ToDS bit is set to 0 and the FromDS bit is set to 1.

29. After you identify the bit setting, click the green right-arrow to move tothe next packet.

30. Close all open windows. Click No if you are prompted to save the file, and click Yes to Exit OmniPeek Personal.
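The type/subtype, ToDS/FromDS and WEP-flag readings you made by hand in the tasks above can be reproduced directly from the raw Frame Control bytes. The Python below is an added example, not OmniPeek code and not part of the course materials: it decodes the field from a handful of constructed frames (the MAC addresses, IVs and payloads are made up), infers infrastructure versus ad-hoc from the DS bits, pulls the WEP IV out of protected data frames, and counts IVs that repeat within the capture, which is the property that the Initialization Vector weakness discussed later in this lesson rests on.

```python
"""Decode the 802.11 Frame Control field, extract the WEP IV from protected
data frames, and audit a capture for IV reuse (added example, not OmniPeek code)."""
import struct
from collections import Counter
from typing import Dict, List, Optional, Tuple

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
# Subtypes the tasks in this lesson ask about; anything else decodes as "Other".
SUBTYPE_NAMES = {
    (0, 0b0000): "Association Request",
    (0, 0b0001): "Association Response",
    (0, 0b0100): "Probe Request",
    (0, 0b0101): "Probe Response",
    (0, 0b1000): "Beacon",
    (0, 0b1011): "Authentication",
    (1, 0b1101): "Acknowledgement",
    (2, 0b0000): "Data Only",
}

def parse_frame_control(frame: bytes) -> Dict:
    """Frame Control is the first two bytes, little-endian: version(2) type(2)
    subtype(4) in byte 0, then the flags byte (ToDS is its lowest bit)."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype, flags = (fc >> 2) & 0b11, (fc >> 4) & 0b1111, fc >> 8
    return {
        "type": ftype, "type_name": TYPE_NAMES.get(ftype, "Reserved"),
        "subtype": subtype, "subtype_name": SUBTYPE_NAMES.get((ftype, subtype), "Other"),
        "to_ds": bool(flags & 0x01),
        "from_ds": bool(flags & 0x02),
        "protected": bool(flags & 0x40),   # shown as the WEP flag in the OmniPeek decode
    }

def describe(frame: bytes) -> str:
    """Same wording as the task answers, e.g. 'Type 00 (Management) and 0100 (Probe Request)'."""
    i = parse_frame_control(frame)
    return f"Type {i['type']:02b} ({i['type_name']}) and {i['subtype']:04b} ({i['subtype_name']})"

def topology(frame: bytes) -> str:
    """Infer the network type from the DS bits, as the task does for data frames."""
    i = parse_frame_control(frame)
    if i["type"] != 2:
        return "not a data frame"
    if i["to_ds"] and i["from_ds"]:
        return "wireless distribution system (four addresses)"
    return "infrastructure" if (i["to_ds"] or i["from_ds"]) else "ad-hoc"

def header_length(info: Dict) -> int:
    """Bytes of MAC header before the body (and before the WEP IV, if any)."""
    if info["type"] == 1:                                   # control frames
        return 10 if info["subtype"] in (0b1101, 0b1100) else 16   # ACK/CTS carry one address
    length = 24                                             # FC, Duration, Addr1-3, Seq Ctrl
    if info["to_ds"] and info["from_ds"]:
        length += 6                                         # Addr4 only when both DS bits set
    if info["type"] == 2 and info["subtype"] & 0b1000:
        length += 2                                         # QoS Control field
    return length

def wep_iv(frame: bytes) -> Optional[Tuple[str, int]]:
    """(IV as hex, key index) for a WEP-protected data frame; None otherwise.
    The 4-byte WEP header is a 3-byte IV then a byte whose top two bits are the key ID."""
    i = parse_frame_control(frame)
    if i["type"] != 2 or not i["protected"]:
        return None
    off = header_length(i)
    return "0x" + frame[off:off + 3].hex(), frame[off + 3] >> 6

def audit_iv_reuse(frames: List[bytes]) -> Dict[str, int]:
    """IVs seen more than once: repeated IVs mean repeated RC4 keystream, the WEP weakness."""
    seen = Counter(r[0] for r in map(wep_iv, frames) if r is not None)
    return {iv: n for iv, n in seen.items() if n > 1}

# Constructed sample frames (FCS omitted); the addresses are made up.
AP, STA, BCAST = bytes.fromhex("00d0f80a0b0c"), bytes.fromhex("000c41a1b2c3"), b"\xff" * 6

def mgmt_frame(subtype: int) -> bytes:
    return bytes([subtype << 4, 0x00]) + b"\x00\x00" + BCAST + STA + BCAST + b"\x10\x00"

def data_frame(flags: int, iv: bytes, payload: bytes) -> bytes:
    return bytes([2 << 2, flags]) + b"\x2c\x00" + AP + STA + AP + b"\x20\x00" + iv + b"\x00" + payload

SAMPLE = [
    mgmt_frame(0b0100),                                            # probe request
    mgmt_frame(0b1000),                                            # beacon
    bytes([(0b1101 << 4) | (1 << 2), 0x00]) + b"\x00\x00" + STA,   # ACK: FC, Duration, RA
    data_frame(0x01 | 0x40, b"\x05\x01\x00", b"\xde\xad"),         # ToDS + WEP, IV 0x050100
    data_frame(0x02 | 0x40, b"\x05\x01\x00", b"\xbe\xef"),         # FromDS, same IV again
    data_frame(0x01 | 0x40, b"\x05\x01\x01", b"\xca\xfe"),         # ToDS + WEP, fresh IV
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(describe(f), "|", topology(f), "|", wep_iv(f))
    print("reused IVs:", audit_iv_reuse(SAMPLE))
```

Run against a real capture you would feed each 802.11 frame (without the radiotap or other capture header) to the same functions; a non-empty result from audit_iv_reuse on a WEP network is the quickest evidence that the keystream is already being recycled.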

Aircrack

Aircrack is a whole set of wireless tools that work in 802.11a/b/g networks. Included in this suite are Airodump, a wireless packet capture program, and Aireplay, a wireless packet injection tool, along with the ability to crack WEP encryption. By using packet injection, the tool can ensure that enough packets are available for decryption.


WEPCrack

As the name directly implies, WEPCrack, which runs best on UNIX systems, is a wireless tool designed to crack WEP keys. One thing to note is that this tool will require a lot of packets to do its job. It must sniff and analyze the packets, searching for the weak IVs it can exploit.

The amount of data that you need to capture before WEPCrack can crack the code can be seven or eight gigabytes. Of course it is possible that redundancy will be found earlier, but you should be aware that this is not a fast or instantaneous process like some of the online password cracking utilities.

AirSnort

AirSnort, like WEPCrack, can crack WEP keys, and is also designed to run on Linux. AirSnort, once activated, can crack WEP automatically without user input. This tool will run on both the ORiNOCO and Prism chipsets, but seems to have a preference towards using the ORiNOCO cards. If it is not already, you can expect AirSnort to become a required tool in all wireless analysts' tool kits in the very near future.

Ekahau

Ekahau is a wireless auditing tool that allows you to pinpoint the actual physical location of wireless devices in your network. Using this tool, you make a map of your office, and then perform a survey of the office. Once the survey is done, the system is aware of the wireless network in the space.

When the map is complete, you can identify specific nodes in the network. In the event that you identify an unknown node, you can use this tool to locate that node. The accuracy is listed within a few feet. You then can simply walk up to the person using the network with the unidentified node and say hello.

Kismet

Kismet is a powerful wireless network tool that can perform network sniffing, log data in a Wireshark format for simple analysis, and enable you to plot wireless data and detected networks directly to downloaded maps.


Topic 9E: Wireless Trusted Networks

While there have been many advances in securing wireless networks over WEP, some of which you have examined in this lesson, there is more work to be done before an enterprise will trust wireless networking for any critical application. This is the realm of the 802.11i working group.

802.1x and EAP

802.11i will employ multiple types of security, to allow for flexibility in deployment and stronger security. When the attacker has one single attack point, such as WEP, their job is easier. By allowing for different implementations, the job of attacking 802.11i networks will be much more difficult.

In order to meet the goals of solid wireless security, 802.11i will employ 802.1x and EAP. 802.1x is the authentication technology that requires mutual authentication before allowing the client to progress further into the network; this is called port-based access control. EAP is the Extensible Authentication Protocol, which allows for the use of different authentication solutions and is currently best known for its use in PPP (Point-to-Point Protocol).

You can consider this method of security as built upon three layers. One layer is the 802.11 physical carrier of the network traffic. On top of the 802.11 physical carrier, you have the 802.1x authentication system, which can use the various EAP implementations. Combined, these mechanisms provide for solid wireless security.

Figure 9-29: The location of EAP 802.1x and the physical 802.11 network.

802.1x allows for port-based access control and EAP allows for mutual authentication.


By implementing this type of security, you have achieved several goals that are not possible in open wireless networks. These are some of the goals that are met with this system:

1. Mutual authentication between the client and the authentication server before network access is granted.

2. User authentication is required, not simple system authentication.

3. Keys are generated dynamically.

4. Strong encryption, with the ability to ensure data integrity.

There is similarity to the WPA security system you examined earlier. A significant difference is that to build a wireless PKI, you will need to use and configure digital certificates. WPA operates by using a shared key, whereas a trusted wireless network has no manually-input shared key of that kind. There are enough similarities, however, that the final security implementation based on the technologies in this lesson will be called WPA-2.

There are three primary components of the trusted wireless network: the end client, the access point, and the authentication server. The authentication server is commonly a RADIUS server, but may be configured to your network's needs. You may see the client referred to as the supplicant in some texts, because technically it is the software on the client, called the supplicant, that takes part in the process, not the client machine itself.

EAP Types

There are four primary EAP types for wireless networking implementation. They are EAP with Transport Layer Security (EAP-TLS), EAP with Tunneled Transport Layer Security (EAP-TTLS), Cisco's Lightweight EAP (LEAP), and Protected EAP (PEAP). Each type has a unique combination of requirements for the client, authentication server, and delivery of the key.

It is worth noting that there is another type of EAP, called EAP-MD5. Although a valid EAP type, it is not used in trusted wireless networking. This is because the authentication of the clients is done by hashing the user's password with MD5 and transmitting the hash. The RADIUS server, or whatever authentication server is in use, checks the MD5 hash for a match and, if it matches, authentication is successful. In a controlled physical network, such as Ethernet, this may have a place, but in the wireless world, where traffic can be sniffed from the air, this is not a good system for implementing security. Due to this, you should not implement security based on EAP-MD5 in your wireless network.

Lightweight EAP (LEAP)

Cisco has led the development of LEAP. LEAP requires a mutual password for authentication. This password is manually configured on the client and the authentication server. When the authentication server challenges the client, the password is returned.

Although this provided good security at a time when the WEP implementation was cracked, it is not strong enough for a trusted network. This is because of the reliance on the shared password. A benefit of LEAP is that, even though it is not built into operating systems, Cisco has provided for enough support that implementation on most platforms is not an issue.

There are five EAP types, but EAP-MD5 is not recommended for wireless PKI, so it is not included as one of the main EAP types.


Since the single shared password exists, there is the possibility of a man-in-the-middle attack, and the issue of password reuse. LEAP is definitely a step in the right direction and provides better security than WEP, but it is recommended that for your wireless PKI you move forward to other systems.

EAP with Transport Layer Security (EAP-TLS)

EAP-TLS is a system that fits into the trusted network as it utilizes X.509 certificates, with both the client and the server needing unique certificates. Both sides of the communication must prove their identity to the other party. There is very little information that can be sniffed in this system. One of the few things that an attacker could sniff is the name of the client node. Figure 9-30 shows the steps of the EAP-TLS process.

Figure 9-30: The process of a client using an EAP-TLS protected network.

In the EAP-TLS example, the client begins the process by associating with the AP. The AP will block any further access until an accept message is sent from the authentication server to the AP. The AP responds to the client, essentially telling the client to send the EAP required initial request, which the AP then forwards on to the authentication server.

The server receives the request and responds by sending the server's digital certificate to the client. Once the client validates the information on the server's certificate, the client responds with the client digital certificate. Once the server validates the client's certificate, the server begins the process of creating the mutual key to use. This is done following standard public key cryptography systems. Once the key is generated, the server sends a message to the AP that authentication is successful, with the AP then informing the client of the successful authentication. The client proceeds to use the generated key to encrypt traffic and the AP allows the client access to the LAN.


EAP with Tunneled Transport Layer Security (EAP-TTLS)

EAP-TTLS takes the fundamental process of EAP-TLS and modifies it a bit. The primary difference between EAP-TLS and EAP-TTLS is that in the EAP-TTLS system only the server is required to authenticate itself; the client certificate is not required. This does not mean that the client never has to provide authentication data; only that it is not required during this initial setup.

Figure 9-31: The process of a client using an EAP-TTLS protected network.

The process begins with the client associating with the AP, and then being required to begin the EAP-TTLS process. The server sends the server certificate, which the client validates, and then the client and server build an encrypted tunnel. This is very similar to how a tunnel is created with SSL.

Once the tunnel is created, the client will present whatever credentials are required (certificate, token, standard password, and so on), using the algorithm that the administrator has chosen. In the tunnel, most algorithms will function without any difficulty, such as PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-MD5, and so on.

When the user has successfully authenticated, the server sends the success message to the AP, which in turn sends the success message to the client. Now that the client has successfully gone through this process, messages can be encrypted and sent to the LAN through the AP.

Protected EAP (PEAP)

PEAP was jointly developed by Microsoft, Cisco, and RSA Security, and combines different existing security mechanisms. There are two parts to the PEAP process, with the first being similar to that of EAP-TLS. The second is similar to EAP-TTLS in that multiple authentication systems are supported.


The client begins the process by associating with the AP. The AP will block any further access until an accept message is sent from the authentication server to the AP. The AP responds to the client, essentially telling the client to send the EAP required initial request, which the AP then forwards on to the authentication server.

The server receives the request and responds by sending the server's digital certificate to the client. Once the client validates the information on the server's certificate, the client responds with whatever authentication system is called for. This may be certificates, tokens, passwords, and so on. Once the server validates the client's authentication information, the server begins the process of creating the mutual key to use. This is done following standard public key cryptography systems. Once the key is generated, the server sends a message to the AP that authentication is successful, with the AP then informing the client of the successful authentication. The client then proceeds to use the generated key to encrypt traffic and the AP allows the client access to the LAN.
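The EAP-TLS, EAP-TTLS and PEAP walk-throughs above share one skeleton: the AP keeps its controlled port blocked, relays EAP between the supplicant and the authentication server, and opens the port only on the server's accept message; the supplicant validates the server's certificate before it sends anything of its own; and a fresh key is generated per session. The Python below is an added simulation of that skeleton, not course material and not any vendor's implementation. Certificates are modelled as (subject, issuer) records checked by issuer name, the inner EAP-TTLS/PEAP credential is a plain user name and password, and SHA-256 over two nonces stands in for the TLS key derivation; the CA, host, user and password values are constructed.

```python
"""Three-party 802.1x/EAP exchange: supplicant, AP (authenticator) and authentication
server, modelled for EAP-TLS, EAP-TTLS and PEAP (added example, not course code)."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Certificate:
    """Stand-in for an X.509 certificate; validated by issuer name only (constructed model)."""
    subject: str
    issuer: str

@dataclass
class PortDecision:
    port_open: bool                      # state of the AP's controlled port afterwards
    reason: str
    session_key: Optional[bytes] = None

class AuthServer:
    """RADIUS-style server holding a certificate, a trusted CA and inner-method accounts."""
    def __init__(self, cert: Certificate, trusted_ca: str, users: Dict[str, str]):
        self.cert, self.trusted_ca, self.users = cert, trusted_ca, users
        self.nonce = secrets.token_bytes(16)   # fresh per server session: keys are dynamic

    def verify_client(self, method: str, client_cert: Optional[Certificate] = None,
                      credentials: Optional[Tuple[str, str]] = None) -> bool:
        if method == "EAP-TLS":
            # Mutual certificate authentication: the client must present a cert from our CA.
            return client_cert is not None and client_cert.issuer == self.trusted_ca
        # EAP-TTLS and PEAP: the client proves itself with inner credentials that travel
        # inside the tunnel the validated server certificate established.
        if credentials is None:
            return False
        user, password = credentials
        return self.users.get(user) == password

class Supplicant:
    """The 802.1x client software; it validates the server before revealing anything."""
    def __init__(self, trusted_ca: str, client_cert: Optional[Certificate] = None,
                 credentials: Optional[Tuple[str, str]] = None):
        self.trusted_ca, self.client_cert, self.credentials = trusted_ca, client_cert, credentials
        self.nonce = secrets.token_bytes(16)

    def validate_server(self, cert: Certificate) -> bool:
        return cert.issuer == self.trusted_ca

def derive_session_key(method: str, server_nonce: bytes, client_nonce: bytes) -> bytes:
    """Both sides derive the per-session key from the nonces they exchanged.
    SHA-256 over the nonces is a stand-in for the TLS key derivation, not the real PRF."""
    return hashlib.sha256(method.encode() + server_nonce + client_nonce).digest()

def authenticate(method: str, supplicant: Supplicant, server: AuthServer) -> PortDecision:
    """Run the exchange as the AP sees it: the controlled port starts blocked and opens
    only when the authentication server returns Access-Accept."""
    # 1. Client associates; the AP forwards nothing but EAP until the server accepts.
    # 2. AP -> client: EAP-Request/Identity; client -> AP -> server: EAP-Response/Identity.
    #    The identity is the one item that crosses the air in the clear.
    # 3. Server -> client: server certificate. The supplicant validates it first, so a rogue
    #    AP/server with an untrusted certificate never sees the client's credentials.
    if not supplicant.validate_server(server.cert):
        return PortDecision(False, "supplicant rejected server certificate")
    # 4. Client -> server: its own proof, depending on the EAP type.
    if method == "EAP-TLS":
        accepted = server.verify_client(method, client_cert=supplicant.client_cert)
    elif method in ("EAP-TTLS", "PEAP"):
        accepted = server.verify_client(method, credentials=supplicant.credentials)
    else:
        raise ValueError(f"unsupported EAP type: {method}")
    if not accepted:
        return PortDecision(False, "Access-Reject")
    # 5. Server -> AP: Access-Accept; the AP opens the port and tells the client of success.
    key = derive_session_key(method, server.nonce, supplicant.nonce)
    return PortDecision(True, "Access-Accept", key)

# Constructed sample PKI and accounts (not from any real deployment).
CORP_CA = "Example Corp Root CA"
SERVER = AuthServer(Certificate("radius.example.corp", CORP_CA), CORP_CA,
                    users={"alice": "correct horse battery staple"})
ROGUE_SERVER = AuthServer(Certificate("radius.example.corp", "Unknown CA"), CORP_CA, users={})

def demo() -> Dict[str, bool]:
    """Port outcome for the cases the lesson contrasts."""
    with_cert = Supplicant(CORP_CA, client_cert=Certificate("alice-laptop", CORP_CA))
    no_cert = Supplicant(CORP_CA, credentials=("alice", "correct horse battery staple"))
    bad_pw = Supplicant(CORP_CA, credentials=("alice", "wrong"))
    return {
        "EAP-TLS, client certificate": authenticate("EAP-TLS", with_cert, SERVER).port_open,
        "EAP-TLS, no client certificate": authenticate("EAP-TLS", no_cert, SERVER).port_open,
        "EAP-TTLS, tunneled password": authenticate("EAP-TTLS", no_cert, SERVER).port_open,
        "PEAP, wrong password": authenticate("PEAP", bad_pw, SERVER).port_open,
        "EAP-TLS, rogue server": authenticate("EAP-TLS", with_cert, ROGUE_SERVER).port_open,
    }

if __name__ == "__main__":
    for case, opened in demo().items():
        print(f"{case:32s} port {'AUTHORIZED' if opened else 'BLOCKED'}")
```

The rogue-server case is the one to study: because the supplicant checks the server certificate before step 4, an impersonating access point gets neither a client certificate nor a password, which is the mutual-authentication property the lesson lists as goal 1. Removing that check in the model (or deploying supplicants that skip it in practice) is what turns EAP-TTLS and PEAP into a credential-disclosure risk.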

EAP Type Comparison

Looking at these systems, it may be a bit overwhelming to put them in perspective and decide what you should implement. Part of your decision may be based on hardware. For example, if you are running all Cisco networking equipment, you have the choice of LEAP, EAP-TLS, and EAP-TTLS installed on all their current adapters. If you are running all Linux nodes, you are limited to EAP-TLS and EAP-TTLS. On the other hand, only PEAP and EAP-TLS are embedded in Windows XP, 2000, and 2003.

Type                       LEAP                    EAP-TLS                  EAP-TTLS                 PEAP
Embedded O/S Clients       Cisco                   Windows XP/2003/2000     None                     Windows XP/2003/2000
O/S Clients, when using    All Win32               All Win32, Mac OS X,     All Win32, Mac OS X,     All Win32
third-party supplicants                            Linux, BSD               Linux, BSD
Supplicant Vendor          None                    Microsoft, Cisco,        Microsoft, Funk,         Microsoft, Funk,
                                                   Funk, and others         and others               and others
RADIUS Support             Cisco, Funk,            Cisco, Funk,             Funk, and others         Cisco, Funk,
                           and others              Microsoft, others                                 Microsoft, and others
Server Authentication      Password Hash           Public Key Certificate   Public Key Certificate   Public Key Certificate
Client Authentication      Password Hash           Public Key Certificate   PAP, CHAP, MS-CHAP,      Varies as per
                                                                            EAP, and others          implementation
Dynamic Key Use            Yes                     Yes                      Yes                      Yes
Open Standard              No                      Yes                      Yes                      Yes
Unique Key per User        Yes                     Yes                      Yes                      Yes
Overall Security Level     Moderate                Strongest                High                     High


Wireless Trusted Network Summary

If your enterprise requires a wireless component, you should implement a wireless PKI, or else be aware of the high levels of risk. If you already have a PKI running, the addition of the wireless PKI component is a natural extension. If you do not have a PKI running, and do not want to implement a full-scale trusted network, you can implement a PKI just for your wireless network.

The Funk Software company makes a tool called Odyssey that will fill this purpose. You can run Odyssey on a machine as your authentication server, and utilize the security features of PKI on your wireless clients alone. This will enable you to take advantage of all that wireless networking has to offer, and have a secure network at the same time.

TASK 9E-1: Choosing a Wireless Trusted Network

1. Consider the following scenario:

You work for a company that is a global enterprise. The company is often listed in the top 50 companies in the world. You work out of the corporate office, based in Chicago, IL. There are 300 regional offices, and over 2,000 small satellite offices. In the HQ, there is discussion of configuring a new wireless network.

This new wireless network is going to be a case study, and if all goes well, similar systems will be implemented in all the regional offices, and eventually in the satellite offices. The current discussion is on the security of the wireless network. For the case study, the implementation will be a single file server, which local network clients will need to access frequently.

During the case study, there will be approximately 75 users participating (all of whom are running Windows 2000 or Windows XP), spread throughout two different floors of the HQ. During the discussion it is agreed quickly that WEP will not be used, and now the discussion is moving towards the specific security system to use.

To provide the maximum level of security, which security system will you recommend for the implementation?

Even though this is a case study, you realize that if successful, the security system will be duplicated worldwide. Your goal is to provide the maximum level of security, so your choice is to go with an EAP-TLS implementation. This will allow for full use of certificates, on both the client and server.


Summary

In this lesson, you examined the fundamental issues of wireless networking, including the required equipment and transmission media of wireless networks. You then identified WLAN issues such as the function of the AP, the configuration of SSIDs, and the choices between an ad-hoc and infrastructure network. You detailed the 802.11 framing and use of multiple MAC addresses. You then identified the security solutions for the wireless networks, including WEP, WPA, and WTLS. You examined the tools for performing security audits, and the methods available for creating a trusted wireless network using digital certificates.

Lesson Review

9A Which type of spread spectrum signal uses multiple frequencies at the same time?

Direct Sequence Spread Spectrum (DSSS).

Why is 802.11a incompatible with 802.11b?

They use different spread spectrum techniques.

What are the two primary pieces of equipment for the wireless network to be operational?

The Access Point and the Wireless Network Interface Card (WNIC).

What language is used to create web content for handheld devices, such as cell phones, when they connect to the Internet?

WML.

9B What is association?

The process of a WNIC associating with an AP in order to use the wireless network.

What are the two WLAN topologies?

Ad-hoc mode and infrastructure mode.

What is the name assigned to people who search out WLANs?

War drivers.

9C What additional piece of software is required to configure WPA on Windows 2000 WNIC clients?

Supplicants.

What component of WEP is the cause of its weakness?

The Initialization Vector (IV).


What cipher does WEP utilize?

RC4.

9D What tool used in this lesson provides you with a fast scan of the APs in your area?

NetStumbler.

What tools can be used to break WEP?

Aircrack, AirSnort and WEPCrack.

What tool can provide you with the physical positioning of a wirelessnode in the network?

Ekahau.

What tool allows you to perform full wireless packet capture and analysis?

OmniPeek Personal.

9E What does 802.1x provide?

Port-based access control.

What does EAP provide?

Authentication.

Why is EAP-MD5 not suitable for trusted wireless networks?

The shared password hash is susceptible to sniffing and other attacks.

Why is EAP-TLS considered the strongest for wireless trusted network implementation?

Because certificates are required on both the client and the server.


attack
An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.

audit trail
In computer security systems, a chronological record of system resource usage. This includes user login, file access, other various activities, and whether any actual or attempted security violations occurred.

audit
The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.

authentication
To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.

availability
Assuring information and communications services will be ready for use when expected.

back door
A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door; a hidden software or hardware mechanism used to circumvent security controls.

breach
The successful defeat of security controls which could result in a penetration of the system. A violation of controls of a particular information system such that information assets or system components are unduly exposed.

bug
An unwanted and unintended property of a program or piece of hardware, especially one that causes it to malfunction.

compromise
An intrusion into a computer system where unauthorized disclosure, modification, or destruction of sensitive information may have occurred.

confidentiality
Assuring information will be kept secret, with access limited to appropriate persons.

cryptography
The art or science concerning the principles, means, and methods for rendering plaintext unintelligible and for converting encrypted messages into intelligible form.

DES (Data Encryption Standard)
Definition 1: An unclassified crypto algorithm adopted by the National Bureau of Standards for public use. Definition 2: A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.

false positive
Occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action.

firewall
A system or combination of systems that enforces a boundary between two or more networks. Gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based Unix box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.

GLOSSARY


hacker
A person who enjoys exploring the details of computers and how to stretch their capabilities. A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn the necessary minimum.

host
A single computer or workstation; it can be connected to a network.


integrity
Assuring information will not be accidentally or maliciously altered or destroyed.

intrusion detection
Pertaining to techniques that attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts either manually or via software expert systems that operate on logs or other information available.

intrusion
Any set of actions that attempts to compromise the integrity, confidentiality, or availability of a resource.

key
A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt.


network security
Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects. Network security includes providing for data integrity.

network
Two or more machines interconnected for communications.


AH (Authentication Header)
A field that immediately follows the IP header in an IP datagram and provides authentication and integrity checking for the datagram.

authenticate
To establish the validity of a claimed user or object.

crash
A sudden, usually drastic failure of a computer system.



ESP (Encapsulating Security Payload)
A mechanism to provide confidentiality and integrity protection to IP datagrams.


LAN (Local Area Network)
A computer communication system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communication system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, front-end processors, controllers, and servers.


metric
A random variable x representing a quantitative measure accumulated over a period.

non-repudiation
Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender's identity, so that neither can later deny having processed the data.

OSI (Open Systems Interconnection)
A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.


packet filterInspects each packet for user defined con-tent, such as an IP address, but does nottrack the state of sessions. This is one ofthe least secure types of firewall.

packet filtering: A feature incorporated into routers and bridges to limit the flow of information based on pre-determined communications such as source, destination, or type of service being provided by the network. Packet filters let the administrator limit protocol-specific traffic to one network segment, isolate email domains, and perform many other functions.

packet sniffer: A device or program that monitors the data traveling between computers on a network.

packet: A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.

GLOSSARY

Glossary 539

Page 582: SCNS - Tactical Perimeter Defense

passive threat: The threat of unauthorized disclosure of information without changing the state of the system. A type of threat that involves the interception, not the alteration, of information.

penetration: The successful unauthorized access to an automated system.

perpetrator: The entity from the external environment that is taken to be the cause of a risk. An entity in the external environment that performs an attack, for example, a hacker.

physical security: The measures used to provide physical protection of resources against deliberate and accidental threats.

plaintext: Unencrypted data.

profile: Patterns of a user's activity against which changes from normal routines can be detected.

promiscuous mode: Normally, an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.

protocol: Agreed-upon methods of communications used by computers. A specification that describes the rules and procedures that products should follow to perform activities on a network, such as transmitting data. If they use the same protocols, products from different vendors should be able to communicate on the same network.

proxy: A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user; typical proxies accept a connection from a user, decide whether or not the user or client IP address is permitted to use the proxy, perhaps perform additional authentication, and then complete a connection on behalf of the user to a remote destination.

router: An interconnection device that is similar to a bridge, but serves packets or frames containing certain protocols. Routers link LANs at the Network Layer.

security audit: A search through a computer system for security problems and vulnerabilities.

security level: The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.

security policies: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

security violation: An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information contained therein or to the system itself.

security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.

server: A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.

sniffer: A program to capture data across a computer network. Used by hackers to capture user ID names and passwords. A software tool that audits and identifies network traffic packets. It is also used legitimately by network operations and maintenance personnel to troubleshoot network problems.

SNMP (Simple Network Management Protocol): Software used to control network communications devices using TCP/IP.

SSH (Secure Shell): A completely encrypted shell connection between two machines, protected by a super long passphrase.

SYN flood: An attack in which the SYN queue is flooded so that no new connection can be opened.

threat: The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest. A potential violation of security.

topology: The map or plan of the network. The physical topology describes how the wires or cables are laid out, and the logical or electrical topology describes how the information flows.

traceroute: An operation of sending trace packets for determining route information; traces the route of UDP packets from the local host to a remote host. Normally traceroute displays the time and location of each hop on the route taken to reach its destination.

Trojan Horse: An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.

vulnerability analysis: Systematic examination of an AIS or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

vulnerability: Hardware, firmware, or software flaw that leaves an AIS open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to an AIS.

3DES, 353

802.11 addressing, 478-481

802.11 framing, 476-481

frame details, 476-478

frame format, 476

802.11a standard, 460

802.11b standard, 461

802.11c standard, 461

802.11d standard, 461

802.11e standard, 461

802.11f standard, 461

802.11g standard, 461

802.11h standard, 462

802.11i standard, 462

802.11n standard, 462

802.1x, 512

A

access control, 15

access points, 448-449

Also see: APs

accountability, 377

acknowledgement numbers, 47

ACL

anti-DoS, 142

anti-Land, 143

anti-spoofing, 143-144

anti-SYN, 142-143

command syntax, 138-139

creating, 134-135

defending against attacks, 142-144

extended syntax, 139-140

implementing, 138-142

logging, 149-151

operation, 135

activate, 416-418

Active Defense-in-Depth, 7-8

active open connection, 48-50

administrative distance, 123-124

AH, 344

combine with ESP in IPSec, 327-329

configuring, 321-322

Transport mode, 303

Tunnel mode, 303

AH and ESP

in IPSec, 327-329

response policy, 335-336

session analysis, 331-332

Aircrack, 526

AirSnort, 527

alert, 416-418

alert notification, 376

analysis, 382-383, 391

anomaly detection, 373

anti-spoofing logging, 150

APs, 448-449

configuration, 482-485

ARP process, 108-110

attack monitoring, 397

attack response, 10

audit data

handling, 25

preserving, 25

audit trails, 25

auditing, 22-23

authentication, 3-5, 16, 98-99, 303, 352-353

Authentication Header, 344

Also see: AH

authentication methods

editing policies, 317-318

authentication tokens, 16-20

authorization, 98-99

authorization and availability, 3-5

awareness, 9

B

banners, 101

basics, 42-43

behavioral use, 379-382

binary conversion, 37-38

Bluetooth, 459

breach, 5-6

broadcast, 44-45

buffered logging, 147-148

bug, 96

business drivers

for a VPN, 338

INDEX

Index 543

Page 586: SCNS - Tactical Perimeter Defense

C

capture packet data, 411-413

captures

displaying, 54-55

castle analogy, 10-11

CDP, 128-129

centralized host-based design, 384-385

Challenge Handshake Authentication Protocol, 352-353

Also see: CHAP

Challenge Response Process, 17-18

challenge response token, 16-17

CHAP, 352-353

CIDR, 43-44

Cisco

banners, 101-103

logging, 145-146

OS, 96

router language, 96

Cisco Discovery Protocol

See: CDP

Classless Interdomain Routing

See: CIDR

Client policy, 306-307

collection, 382-383

command console, 375

confidentiality, 3-5

configuration fragments, 97-98

connection, 48-50

establishing, 48-49

terminating, 49-50

connections

TCP, 63-64

console logging, 147

console password, 99

cryptography, 302

D

DAC, 15

Data Encryption Standard

See: DES

decimal conversion, 37-38

Default Response, 318-321

defense technologies, 13-14

Defense-in-Depth, 6

defensive strategy, 8-10

denial of host, 140-141

denial of network, 141

denial of subnet, 141

DES, 307-308, 353

detection, 371

Direct Sequence Spread Spectrum, 458-459

Also see: DSSS

Discretionary Access Control, 15

Also see: DAC

distance vector routing, 121

distributed host-based design, 386-387

DSSS, 458-459

dynamic, 416-418

dynamic routing, 116-118

E

EAP, 506-507

comparison of types, 532-533

Lightweight, 529-530

Also see: LEAP

Protected, 531-532

Also see: PEAP

types, 529

with Transport Layer Security, 530

Also see: EAP-TLS

with Tunneled Transport Layer Security, 531

Also see: EAP-TTLS

EAP-TLS, 352-353, 530

EAP-TTLS, 531

Ekahau, 527

enable password, 99

Encapsulating Security Payload, 344

Also see: ESP

encryption, 21-22

ESP, 344

combine with AH in IPSec, 327-329

Transport mode, 303

Tunnel mode, 303

Ethereal, 58-59

Extensible Authentication Protocol, 506-507

Also see: EAP

Extensible Authentication Protocol-Transaction Level Security, 352-353

Also see: EAP-TLS

extranet, 338

F

false-negative, 373-375

false-positive, 373-375

FHSS, 458

finger, 131

firewall, 303

Firewall-based VPNs, 339-340

firewalls, 21

Frequency Hopping Spread Spectrum, 458

Also see: FHSS

FTP

capture, 76-78

configuring, 322-323

granting, 142

session analysis, 79

Fundamental Access Point Security, 493-494

H

Hardware-based VPNs, 339-340

hexadecimal conversion, 37-38

host, 33-36

host-based intrusion detection, 384

I

ICMP, 129-130

direct broadcast, 129

session analysis, 76

unreachable, 129-130

ICMP messages, 68-70

IDS, 9, 22, 371

components, 375-376

goals of, 376-377

matrix, 373-375

response, 376

IEEE 802.11 standard, 460-462

independent audit, 24-25

infrared wireless media, 453-454

inside threats

detecting, 396

integrity, 3-5, 65-68

Internet Protocol

See: IP

Internet Security Association Key Management Protocol (ISAKMP/Oakley), 345-346

interval analysis, 391

intrusion, 373

intrusion detection, 7-8

definitions, 373

techniques, 378-379

technologies, 378-379

Intrusion Detection, 371-373

Intrusion Detection System, 371

Also see: IDS

Intrusion Detection Systems

See: IDS

IP, 36-39

address classes, 38-39

datagram, 65-68

private addresses, 39

security, 301-302

special-function addresses, 39

IP Policy Agent, 345-346

IP Security Policy and Security Association, 345-346

IP Security Protocol (IPSec), 341

IPSec, 341, 344-346

AH implementation, 312

and NAT, 346-347

components, 345-346

configuring a response, 329-331

configuring options, 333-334

custom policies, 312-317

driver, 345-346

full session, 336-337

implementing, 303-304, 323-324

modes, 302-303

policies, 306-307

Transport Mode, 346

Tunnel Mode, 346

IPSec ESP payload, 351-352

IPSec-enabled operating systems, 340

IPSec-enabled routers and firewalls, 340

K

key exchange, 344-345

key length, 353

keys, 302

Kismet, 527

L

L2TP, 341, 343, 351-352

LAN, 309-312

LAN-to-LAN routing, 110-111

LAN-to-WAN routing, 112-114

Layer 2 Forwarding Protocol (L2F), 341-342

Layer 2 Tunneling Protocol (L2TP), 341

LEAP, 529-530

link state routing, 122-123

Local Area Network

See: LAN

log, 416-418

log priority, 146

logging, 145-146

ACL, 149-151

anti-spoofing, 150

buffered, 147-148

configuring, 147-149

console, 147

syslog, 148-149

terminal, 148

VTY, 150-151

M

MAC, 15

man-in-the-middle attacks, 341-342

management tools, 345-346

Mandatory Access Control, 15

Also see: MAC

MD5, 353

metric, 120-124

Microsoft Management Console

See: MMC

microwave systems

satellite, 455-456

terrestrial, 454

microwave wireless media, 454

misuse, 373

misuse detection, 373

MMC, 304-306

customized configuration, 307

multicast, 44-45

N

NetStumbler, 513-514

network, 33-34

network defense, 2

Network Monitor, 52-58

Display view, 54-55

filters, 55-57

network security

five key issues, 3-5

network sensor, 375-376

network tap, 376

network-based design, 388

distributed, 389-390

traditional, 388-389

network-based intrusion detection, 387-388

non-repudiation, 3-5

O

OmniPeek Personal, 515-516

captures, 517-520

live captures, 521

Open Systems Interconnection

See: OSI

operating modes, 97

operational audit, 24

OSI model, 34-36

outside threats

detecting, 394-395

P

packet, 34-36

packet filter, 134-135

packet filtering, 9

packet fragmentation, 74-75

PAP, 352-353

pass, 416-418

passive open connection, 48-50

passive threat, 5-6

Password Authentication Protocol, 352-353

Also see: PAP

passwords, 22

PEAP, 531-532

perimeter security, 9

PING capture, 76-78

plaintext, 302

Point-to-Point Tunneling Protocol (PPTP), 341

ports, 50-52

PPTP, 341, 342-343, 351-352

pre-configured rules, 425-426

prevention, 371

profile, 393-394

promiscuous mode, 58-59

protocol, 33-36

Q

QoS, 461

R

radio, 457-459

real-time analysis, 391-392

remote access, 338

remove unneeded services, 132-133

Request For Comments

See: RFC

Request-and-Respond

policy, 325-326

session analysis, 326-327

Request-only

session analysis, 324-325

response, 371

RFC, 36

RIP, 124-125

RIPv2, 125-127

routed protocols, 119

router, 42-43

access passwords, 99-100

accessing, 96-97

banners, 101

navigating, 98

user accounts, 100-101

routing, 42-43

process, 114-116

protocols, 119, 120-124

Routing Information Protocol

See: RIP

RSA SecureID token, 18-19

Rule Header, 416-418

Rule Options, 418-419

rule set

testing, 421

ruleset

examples, 419-420

S

SA, 344-345

Secure Server policy, 306-307, 309-312

Secure Shell, 342

Also see: SSH

security, 46-47

Security Association, 344-345

Also see: SA

Security Association API, 345-346

security audit, 24-25

security auditing

basics, 23-24

security policies, 306-307

security protocols, 341

security threats, 5-6

security vulnerabilities, 373

sequence numbers, 47

server, 33-34

Server policy, 306-307

Service Set Identifier, 465

Also see: SSID

session teardown process, 64-65

SHA-1, 353

Shiva Password Authentication Protocol, 352-353

Also see: SPAP

Short Message Service, 459-460

Also see: SMS

signature analysis, 392

Simple Network Management Protocol

See: SNMP

site surveys, 512

small services, 131

SMS, 459-460

SNMP, 96-97

Snort, 404

architecture, 405-406

as a packet sniffer, 410-411

as an IDS, 415

deploying, 404

function, 404-405

installing, 406-408

logging with, 414

Socks v5, 342

software tokens, 19

Software-based VPN applications, 339-340

source routing, 130

spread spectrum technology, 457-458

SSH, 103, 342

client configuration, 106-107

router configuration, 103-106

verification, 105

SSID, 465

static routing, 116-118

statistical analysis, 393-394

subnet mask, 40-42

subnetting, 40-42

surveillance monitoring, 397

syslog logging, 148-149

T

TCP, 46-47

connections, 63-64

flags, 47

headers, 70-72

TCP/IP model, 33-34

Telnet

granting, 141

Temporal Key Integrity Protocol, 506

Also see: TKIP

terminal logging, 148

three-way handshake, 46-47

Time-based Tokens, 18-19

timestamp, 147

TKIP, 506

topology, 121

traceroute, 129-130

training, 9

transit network, 340

Transport mode, 302-303

AH, 303

ESP, 303

Trojan Horse, 50-52

true-negative, 373-375

true-positive, 373-375

tunnel, 340

protocols, 340

Tunnel mode, 302-303

AH, 303

ESP, 303

tunneled data, 340

tunneling protocols, 341

U

UDP, 46-47

UDP headers, 73-74

unicast, 44-45

V

Variable Length Subnet Masking

See: VLSM

VLSM, 43-44

VPN

client, 340

client software, 340

configuring, 354-359

connection, 340

dedicated gateways, 340

design and architecture, 348

elements, 340

gateway, 346-347

implementation challenges, 348-349

security, 350

server, 340

types, 339-340

VPN fundamentals, 337

VPNs

and firewalls, 351-352

VTY logging, 150-151

VTY password, 100

vulnerability scanners, 373

W

WAP, 462-464

war driving, 489

WEP, 494-501

configuring, 501-504

cryptography, 494-495

decrypting, 523-526

key lengths, 495-496

process, 496-498

weaknesses, 498-501

WEPCrack, 527

Wi-Fi Protected Access, 507-509

Also see: WPA

wildcard mask, 136-138

Wired Equivalent Privacy, 494-501

Also see: WEP

Wireless Access Points, 448-449

Wireless Application Protocol, 462-464

Also see: WAP

wireless auditing, 512-513

Wireless Markup Language, 462-464

Also see: WML

wireless media, 451-457

infrared, 453-454

radio, 457-459

wireless network cards, 449

Also see: WNICs

wireless networking

access points, 448-449

equipment, 448-451

wireless networks

antennas, 449-451

association, 451

identifying, 514-515

microwave technology, 454

trusted, 528

Wireless Transport Layer Security, 491-493

Also see: WTLS

Wireshark, 513

GUI, 59-63

WLANs

ad-hoc mode, 466-467

APs, 465

associations, 466

authentication, 466

denial of service attacks, 490

essentials, 465

gaining access, 489-490

infrastructure mode, 467-468

threats, 488-490

topologies, 466-468

WML, 462-464

WNIC chipsets, 513

WNICs, 449

WPA, 507-509

configuring, 509

hardware requirements, 508

process, 507-508

supplicants, 509-511

vs. WEP, 508-509

WTLS, 491-493

Alert Protocol, 493

Application Protocol, 493

authentication, 491

Change Cipher Specific Protocol, 493

components, 491

handshake protocol, 491-493

origins, 491

X

x-cast, 44-45
