Security Labs in OPNET IT Guru Enginyeria i Arquitectura La Salle Universitat Ramon Llull Barcelona 2004


Authors:

Cesc Canet

Juan Agustín Zaballos

Translation from Catalan:

Cesc Canet

Overview

This project consists of practical networking scenarios to be carried out with OPNET IT Guru Academic Edition, with a particular interest in security issues.

The first two parts are a short installation manual and an introduction to OPNET. After that there are 10 Labs that put different networking technologies into practice. Every Lab consists of a theoretical introduction, a step-by-step construction of the scenario and finally Q&A on the issues covered.

Lab 1: ICMP Ping. We study Ping traces and link failures.

Lab 2: Subnetting and OSI Model. We study layers 1, 2 and 3 of the OSI model, and the Packet Analyzer tool to observe TCP connections.

Lab 3: Firewalls. We begin with proxies and firewalls. We will deny multimedia traffic with a proxy, and study the link usage performance.

Lab 4: RIP explains the RIP routing protocol, and how to create timed link failures and recoveries.

Lab 5: OSPF compares OSPF with RIP. We study areas and Load Balancing.

Lab 6: VPN studies secure non-local connections. A Hacker will try to gain access to a server that we will try to protect using virtual private networks.

Lab 7: VLAN creates logical user groups with Virtual LANs. It studies One-Armed-Router interconnections.

Lab 8: Dual Homed Router/Host, Lab 9: Screened Host/Subnet. DMZ and Lab 10: Collapsed DMZ explain static routing tables, ACLs, proxies and internal vs. perimeter security. Lab 10 is 100% practical: we want you to create it on your own, a piece of cake if you did the other Labs!


Overview
I. Installing OPNET IT Guru
II. OPNET IT Guru Overview
Lab 1: ICMP Ping
Lab 2: Subnetting & OSI model
Lab 3: Firewalls
Lab 4: RIP
Lab 5: OSPF
Lab 6: VPN
Lab 7: VLANs
Lab 8: Dual-Homed Router and Host
Lab 9: Screened Host / Subnet (DMZ)
Lab 10: Collapsed DMZ


I. Installing OPNET IT Guru

Download the files from http://www.opnet.com/services/university/itg_panko.html

Click on “Download the academic version of IT Guru and follow the step-by-step software installation instructions to get started right away!”

1. Fill in the form:

I.1 Registry form

Remember that each OPNET IT Guru Academic Edition account we create to obtain a license can be used only once. Therefore, if we want to install the application on several computers we will need several e-mail accounts to register with; otherwise we won’t be able to register again.

After a couple of minutes we will receive an e-mail telling us the account has been created. This e-mail also assigns a password to identify us.


I.2 Confirmation e-mail

Now click on the hyperlink in the message body: http://www.opnet.com/itguru-academic/download.html

The link brings us to a new web site where we can log in using the username and password we received before:

I.3 Log in the OPNET server

After that, we can download the software. The application installer is 47 MB in size. We need Administrator rights to install it.

Once the license contract is read and accepted, we save the installer executable (ITG_Academic_Edition_v1992.exe). If we want to install the program on several computers, all we will need are several e-mail accounts to create several OPNET accounts, but we won’t have to download the binaries again.


I.4 Saving the executable file on the local disk

2. It is advisable to download the Lab Manuals and Lab Files as well. This can be done starting at Step 2 at the first link.

I.5 Downloading the Load Files and Load Manuals

We can even download all the Lab Manuals at once, and all the IT Guru Lab files at once, as two compressed files.

Once we have downloaded the installer, we can execute it and follow the installation steps.


I.6 Starting the program using the start bar

We execute the program and afterwards click on “License Management”.

I.7 License Management

After this dialog another one will pop up. We click on “Next” and finally we get a new dialog such as this:

I.8 License Transaction (step 1)

Now we perform the application License Transaction in order to identify ourselves as OPNET users. We have to write down the License Request Code (or click “Copy to Clipboard” and click “Next”). In a while the explorer will be launched.

It is very important to request the License Activation Code after obtaining the License Request Code. Every time we start OPNET without having logged in before, a new License Request Code will be created.

I.9 License Transaction (step 2)

Now we can launch OPNET IT Guru Academic Edition 9.1!


II. OPNET IT Guru Overview

Main features

OPNET IT Guru is a virtual environment for modeling, analyzing and predicting the performance of IT infrastructures, including applications, servers and network technologies.

This OPNET academic version is based on the commercial version IT Guru 9.1. It can be downloaded from the web site and used for free with some license constraints. The Academic Edition has the Application Characterization Environment (ACE) and Wireless modules integrated, with some usage limitations.

The OPNET Academic Edition license lasts for 6 months, but can be renewed for free.

Constraints

This academic version of OPNET IT Guru has some limited features:

• Importing limitations: scenarios created in any other commercial version of OPNET cannot be imported. We can only import scenarios created with the academic version.

• Exporting limitations: scenarios created with the Academic Edition cannot be exported to other commercial versions of the software, therefore it is not possible to prepare scenarios at home and simulate them using all the licenses at University (e.g.: MPLS).

• Modeling limitations: this version does not include some modules like Flow Analysis, Net Doctor, Terrain Modeling, etc. This version is not the Modeler, so models cannot be modified. It is not possible either to import a model created using OPNET Modeler or to create multicast scenarios.

• ACE limitations: it can only work with predetermined application captures, included in the tutorials.

• Wireless feature limitations: Pipeline stages, used in the Wireless model, cannot be modified (as they can in the Modeler). As a result, all transmissions will use the space loss attenuation model. We do not have the antenna editor either, therefore all the Wireless nodes will use the isotropic antenna model.

• We can create mobile nodes, but not satellite nodes as in the Modeler.

• Projects created with the Academic Edition are limited in the number of multi-port devices. We can run small simulations with a reasonable number of routing elements (20) for educational purposes, but not for commercial studies.

• Analysis limitations: although the animation generation option appears in the menus, this feature is not available. This option may be included in future editions of this software.

• There is not much documentation for this version; all we have is a brief explanation of the editors and a short PDF tutorial.


Simulator usage

To simulate the network performance we will follow these steps:

II.1 Project simulation steps

• First of all we create a project. A project is a set of scenarios with a common goal. Each Lab is a project in itself.

• Create the first scenario (or the only one). If we create a project to examine the OSPF protocol, the first scenario could illustrate a specific feature of this technology. Sometimes we will have only a single scenario, but if we have several, the first one will be used as the starting point for the next ones. Creating a new scenario involves choosing the scenario dimensions and background, naming the scenario, deploying the network elements, creating profiles and application demands, etc.

[Figure II.1, flowchart; box labels: Project creation, Scenario creation/modification, Choose statistics, Simulation execution, Results analysis, Scenario duplication, What If ..?]


• The next step is to choose the statistics. So far we have only created the scenario with the elementary components, but now we have to set the parameters we want to measure: link throughput (packets/sec), access delay to a web page, routing table updates (per sec), etc.

• Now we can continue the project simulation by either executing the simulation or duplicating the scenario. Duplicating the scenario means creating a new scenario starting from another one. For example, when we study the OSPF Lab we create a scenario to study Load Balancing starting from another scenario where we studied OSPF without Load Balancing, and then we have two independent scenarios. We can repeat this process as many times as we want.

• All the scenarios have to be simulated at the end (similar to compiling a program). OPNET will do a performance prediction with all the information about the scenarios, the traffic demands, the statistics chosen, etc.

• At the end, the results analysis is done with graphs, statistics and the Simulation Log.

• OPNET is designed for network analysis and design. If the simulation results are not the ones expected, we change the model until we get what we are looking for, according to the specifications. We can even run analyses to test how our model would behave if some conditions were changed (What-If analysis).


Graphic Interface

The main window in OPNET IT Guru is the System window. Projects are created and opened here, working directories are changed, etc.

II.2 System Window

From the System window we can create a new project with File → New → Project.

Project Editor

The Project Editor is a window we can use to create new scenarios, select statistics, run the simulation, etc. It is the window we will work with.

II.3 Project Editor


The working zone of the Project Editor is the zone underneath, and is called the Grid. We can change the metric units of the grid, the background map, the map dimensions, etc. At the top of the Project Editor there is a bar of action buttons we can use to work with the project.

II.4 Action Buttons

The meaning of each button is the following:

• Object Palette: A palette we can use to deploy elements in the scenario: workstations, servers, links, traffic demands, ...

• Check Links: This tool checks whether all the links of the network are correct. It is very useful to run it when we finish creating the scenario, before running the simulation, because we can have problems if a link is not set properly (e.g.: we are using 100BaseT wire on a PPP_DS1 interface).

• Link Failure: This tool simulates failures on the links we have selected. We can study the scenario performance if a link stops working.

• Link Recovery: Recovers links deactivated by Link Failure.

• Return to Parent Subnet: When a scenario grows (not very often in this version of OPNET) we may need to group elements into subnets. A Subnet is a set of stations and links interconnected with each other, but graphically grouped into one icon.

II.5 Subnet

We can build big networks this way. If the Subnet Campus Network from picture II.5 has a router called node_6, then the real name of the node is Campus Network.node_6.


• Zoom/Unzoom: Zooms in and out of the scenario.

• Configure/Run Simulation: Opens a dialog we can use to configure the simulation of the scenario we are working on. We can set the simulation length, the seed, the routing protocols’ Sim Efficiency, etc.

• View Results: Once the simulation has run, we can see the graphical results of the statistics we have chosen.

• Hide/Show All Graphs: The result graphs remain open as long as we don’t close them. We can hide them without closing them, and show them again later with this button.

Creating a Project

The first step to create a project is to run OPNET: Start Bar → Programs → OPNET IT Guru Academic Edition 9.1.

This will open the System window. Now we can create a new project by clicking File → New. In the selection dialog we choose Project and OK. Then we enter the name of the project and the name of the first scenario:

II.6 Writing down the names of the project and the first scenario

The next step is the Startup Wizard, a series of dialogs where we enter the parameters of the initial configuration of the scenario (press Next to advance). The first dialog is the Initial Topology. We will usually choose Create Empty Scenario. The Import From ACE option is used to import traffic captures taken with sniffing programs.


II.7 Initial Topology

Next comes the Choose Network Scale dialog, where we can change the initial scenario dimensions: we select Office or Campus for LANs, and World or Choose From Maps for WANs.

II.7 Choose Network Scale

This last option opens a new dialog where we can choose a map from several regions.

II.8 Choose Map

The next dialog is Select Technologies. From here we can create a custom palette for the Object Palette, which includes the nodes of the technologies set to include: Yes. This can make searching for components faster.


II.9 Select Technologies

At the end we have a dialog that we confirm by pressing OK to accept the changes. This finishes the project settings; the Project Editor then opens, and the Object Palette appears as in picture II.10.

II.10 The project once configured

Now we place all the components of our network on the Grid, dragging and dropping them from the Object Palette. If a device is not in the selected palette, we can change the palette as shown in picture II.11:

II.11 Deploying all the palettes of the Object Palette

Grouped into palettes in the Object Palette we can see links, routers, workstations, switches, bridges, hubs, etc. The palette Sm_Int_Model_List has a set of simple components to create typical LANs.


II.12 Creating a simple network with Sm_Int_Model_List components

To link workstations, we only have to select the wire we want (10BaseT) and click on the start node and the destination node of the cable. Once the devices are deployed in the scenario we can edit their attributes: right-click on the node, unfold the menu and go to Edit Attributes. Now we can change the properties of a component instance.

II.13 Editing attributes


Attributes are organized in hierarchies. We have fields where we can change values, and these fields can be nested in branches and sub-branches. The small question-mark symbol on the left gives brief help on the field.

At the bottom left, we can tick Apply Changes to Selected Objects to allow changes to be applied to all the nodes that are selected in the project (we can select many objects by holding the CTRL key, then click on Edit Attributes on any of them, and change the attributes of all of them).

In picture II.13 we can see the IP Host Parameters → Interface Information → Subnet Mask field unfolded, to change the network mask of a server.

The number of fields can be very large for components with many interfaces, such as switches and routers, where we have to configure the parameters of each individual interface. That’s why it is helpful to know the name of every interface of a router/switch. This information can be seen in the tool tip window that pops up when holding the mouse pointer for a couple of seconds over a component in our scenario. OPNET assigns interface names automatically, depending on the order in which the nodes were created. Thus, we can have identical scenarios with the same components and results but with different interface names.

II.14 Interfaces of a link

Some fields contain rows, and the number of rows can be set by the user. The following picture shows how we can edit the Access Control List of a router by changing the attribute IP Routing Parameters → Extended ACL Configuration. For each ACL we have to create a new row. In the example below we create two rows (0 and 1). Inside each row we can have more rows (in this case, ACL rules).

II.15 Rows


There are two specific elements that we have included in the scenario that are not stations: they are Controls. In this palette we have Sm_Application_Config and Sm_Profile_Config, two variants of the Application_Config and Profile_Config controls we can find in the internet_toolbox palette.

The Application Config is used to define the applications that every station will run, such as email clients, web browsers, etc.

II.16 Attributes of control Sm_Application_Config

The applications themselves are defined in the Application Definitions branch. Inside every type of application we define the load that the application places on the network. The Sm_Application_Config control is an Application_Config control with 16 model applications.

The Profile Config is used to define profiles. Profiles are groups of applications that the end-users will use. For instance, we can define an Engineer profile allowing Web Browsing, Email and File Transfer. These applications have to be defined previously in the Application_Config control, otherwise they are not available in Profile_Config.


II.17 Profile_Config profiles

Sm_Profile_Config is a Profile_Config with 5 profiles that use the Sm_Application_Config applications. First we need to select Profile Configuration: Sample Profiles.

Once profiles and applications are defined we need to import them into every individual station, through the Application: Supported Profiles attribute of the workstations. To set up a server to serve specific applications, we have to edit the attribute Application: Supported Services for each server.

II.18 Assigning Supported Services

Setting up the Simulation

Two steps:

• Choose the simulation statistics. This can be done for a single node (right click → Choose Individual Statistics) or for the whole scenario (the same, right-clicking on a blank zone of the Grid).

• Either way, this opens the Choose Results dialog, in which we can select the statistics we want.


II.19 Choose Results

• Configure the simulation: By clicking on Configure/Run Simulation we open a dialog to define the basic simulation parameters. To start the simulation we click on Run.

II.20 Configure the Simulation


Results analysis

When the simulation is finished, we can see the collected statistics by right-clicking on the elements and going to View Results. Here we can configure the type of graph to display, compare graphs, etc.

II.21 View Results

The Simulation Log console (right-click on the Grid → Open Simulation Log) summarizes the simulation errors (no server found giving service to the requested application, a router is rejecting packets, etc). These messages are not always error messages; sometimes they indicate that the simulation is working correctly. They give the ping traces as well.

II.22 Simulation Log